背景

之所以写这篇文章，是因为切身体会，刚入门的时候做了一次在mount的情况下直接rm -rf的操作，一下子删了700G的附件，那时候直接懵了，后来跟小伙伴连夜补救，还好项目还没上线，重新做了次数据迁移~

因为上面的原因，后来专门研究了rm -rf后怎么去补救？用虚拟机做了以下的实验，采用的是extundelete这套方案，切实可行。不过小伙伴们千万别拿生产环境去试，恢复不回来不要说认识我啊！

原理

在Linux下可以通过“ls -id”命令来查看某个文件或者目录的inode值，例如查看根目录的inode值，可以输入：

在利用extundelete恢复文件时并不依赖特定文件格式，首先extundelete会通过文件系统的inode信息（根目录的inode一般为2）来获得当前文件系统下所有文件的信息，包括存在的和已经删除的文件，这些信息包括文件名和inode。

然后利用inode信息结合日志去查询该inode所在的block位置，包括直接块、间接块等信息。

最后利用dd命令将这些信息备份出来，从而恢复数据文件。

介绍extundelete

1.extundelete的文件恢复工具，该工具最给力的一点就是支持ext3/ext4双格式分区恢复。

2. 在实际线上恢复过程中，切勿将extundelete安装到你误删的文件所在硬盘，这样会有一定几率将需要恢复的数据彻底覆盖。

3. extundelete还是有很大的不完整性,基于整个磁盘的恢复功能较为强大,基于目录和文件的恢复还不够强大。

4. extundelete执行完毕后在当前目录生产一个RECOVERED_FILES目录，里面即是恢复出来的文件，还包括文件夹。

5.任何的文件恢复工具，在使用前，均要将要恢复的分区卸载或挂载为只读，防止数据被覆盖使用。

umount /dev/partition

mount -o remount,ro /dev/partition

安装extundelete

extundelete 主页：http://extundelete.sourceforge.net/

1、下载extundelete

下载地址：http://nchc.dl.sourceforge.net/project/extundelete/extundelete/0.2.4/extundelete-0.2.4.tar.bz2 --0.2.4版本

[root@node1 opt]# cd extundelete/

[root@node1 extundelete]# ll

总用量 108

-rw-r--r-- 1 root root 108472 5月 24 05:04 extundelete-0.2.4.tar.bz2

[root@node1 extundelete]# tar -xvf extundelete-0.2.4.tar.bz2

extundelete-0.2.4/

extundelete-0.2.4/acinclude.m4

extundelete-0.2.4/missing

extundelete-0.2.4/autogen.sh

extundelete-0.2.4/aclocal.m4

extundelete-0.2.4/configure

extundelete-0.2.4/LICENSE

extundelete-0.2.4/README

extundelete-0.2.4/install-sh

extundelete-0.2.4/config.h.in

extundelete-0.2.4/src/

extundelete-0.2.4/src/extundelete.cc

extundelete-0.2.4/src/block.h

extundelete-0.2.4/src/kernel-jbd.h

extundelete-0.2.4/src/insertionops.cc

extundelete-0.2.4/src/block.c

extundelete-0.2.4/src/cli.cc

extundelete-0.2.4/src/extundelete-priv.h

extundelete-0.2.4/src/extundelete.h

extundelete-0.2.4/src/jfs_compat.h

extundelete-0.2.4/src/Makefile.in

extundelete-0.2.4/src/Makefile.am

extundelete-0.2.4/configure.ac

extundelete-0.2.4/depcomp

extundelete-0.2.4/Makefile.in

extundelete-0.2.4/Makefile.am

2、编译安装

[root@node1 extundelete]# cd extundelete-0.2.4

[root@node1 extundelete-0.2.4]# ll

总用量 356

-rw-r--r-- 1 1000 1000 3283 11月 3 2012 acinclude.m4

-rw-r--r-- 1 1000 1000 0 1月 4 2013 aclocal.m4

-rwxr-xr-x 1 1000 1000 372 12月 31 2012 autogen.sh

-rw-r--r-- 1 1000 1000 4780 1月 4 2013 config.h.in

-rwxr--r-- 1 1000 1000 231557 1月 4 2013 configure

-rw-r--r-- 1 1000 1000 5357 12月 31 2012 configure.ac

-rwxr-xr-x 1 1000 1000 20334 1月 4 2013 depcomp

-rwxr-xr-x 1 1000 1000 13998 1月 4 2013 install-sh

-rw-r--r-- 1 1000 1000 17987 11月 3 2012 LICENSE

-rw-r--r-- 1 1000 1000 916 12月 31 2012 Makefile.am

-rw-r--r-- 1 1000 1000 23644 1月 4 2013 Makefile.in

-rwxr-xr-x 1 1000 1000 10346 1月 4 2013 missing

-rw-r--r-- 1 1000 1000 1666 11月 3 2012 README

drwxr-xr-x 2 1000 1000 4096 1月 4 2013 src

[root@node1 extundelete-0.2.4]# ./configure --prefix=/usr/local/extundelete

Configuring extundelete 0.2.4

configure: error: Can't find ext2fs library

报错：configure: error: Can't find ext2fs library

由于extundelete依赖e2fsprogs，需要先安装e2fsprogs

[root@node1 extundelete-0.2.4]# yum -y install e2fsprogs e2fsprogs-devel

Loaded plugins: product-id, refresh-packagekit, security, subscription-manager

This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.

Setting up Install Process

Package e2fsprogs-1.41.12-18.el6.x86_64 already installed and latest version

......

安装e2fsprogs后再次configure 成功。

[root@node1 extundelete-0.2.4]# ./configure --prefix=/usr/local/extundelete && make && make install

Configuring extundelete 0.2.4

Writing generated files to disk

make -s all-recursive

Making all in src

extundelete.cc:571: 警告：未使用的参数‘flags’

Making install in src

/usr/bin/install -c extundelete '/usr/local/extundelete/bin'

3.查看工具版本

[root@node1 extundelete-0.2.4]# cd /usr/local/extundelete/bin/

[root@node1 bin]# ll

总用量 1160

-rwxr-xr-x 1 root root 1187055 5月 24 05:09 extundelete

[root@node1 bin]# ./extundelete -v

extundelete version 0.2.4

libext2fs version 1.41.12

Processor is little endian.

rm -rf 恢复实验

1. 创建文件系统

mkfs -t ext4 /dev/sdb1

2.查看文件系统类型

[root@node1 ~]# fdisk -l

?

Disk /dev/sda: 64.4 GB, 64424509440 bytes

255 heads, 63 sectors/track, 7832 cylinders

Units = cylinders of 16065 * 512 = 8225280 bytes

Sector size (logical/physical): 512 bytes / 512 bytes

I/O size (minimum/optimal): 512 bytes / 512 bytes

Disk identifier: 0x000d2842

?

Device Boot Start End Blocks Id System

/dev/sda1 * 1 26 204800 83 Linux

Partition 1 does not end on cylinder boundary.

/dev/sda2 26 287 2097152 82 Linux swap / Solaris

Partition 2 does not end on cylinder boundary.

/dev/sda3 287 7833 60611584 83 Linux

[root@node1 ~]# blkid /dev/sda1

/dev/sda1: UUID="14e9f1ea-0326-47ef-8c35-325a6fb7186d" TYPE="ext4"

[root@node1 ~]# blkid /dev/sda3

/dev/sda3: UUID="faab01ae-3d46-49dd-932f-837c8f45e5c0" TYPE="ext4"

[root@node1 ~]# blkid /dev/sda2

/dev/sda2: UUID="48b4bdaa-460e-468e-9102-fc3d4d3ca69b" TYPE="swap"

也可以用下面方法查看

[root@node1 ~]# file -s /dev/sda1

/dev/sda1: Linux rev 1.0 ext4 filesystem data (needs journal recovery) (extents) (huge files)

[root@node1 ~]# file -s /dev/sda3

/dev/sda3: Linux rev 1.0 ext4 filesystem data (needs journal recovery) (extents) (large files) (huge files)

[root@node1 ~]# file -s /dev/sda2

/dev/sda2: Linux/i386 swap file (new style) 1 (4K pages) size 524287 pages

3.创建一个delete目录，并挂载到刚创建的文件系统上，并创建文件，然后删除文件

[root@node1 home]# mkdir delete

[root@node1 home]# mount /dev/sda1 /home/delete/

[root@node1 home]# mount

/dev/sda3 on / type ext4 (rw)

proc on /proc type proc (rw)

sysfs on /sys type sysfs (rw)

devpts on /dev/pts type devpts (rw,gid=5,mode=620)

tmpfs on /dev/shm type tmpfs (rw)

/dev/sda1 on /boot type ext4 (rw)

none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)

.host:/ on /mnt/hgfs type vmhgfs (rw,ttl=1)

vmware-vmblock on /var/run/vmblock-fuse type fuse.vmware-vmblock (rw,nosuid,nodev,default_permissions,allow_other)

/dev/sr0 on /mnt/cdrom type iso9660 (ro)

gvfs-fuse-daemon on /root/.gvfs type fuse.gvfs-fuse-daemon (rw,nosuid,nodev)

/dev/sda1 on /home/delete type ext4 (rw)

[root@node1 delete]# ll

总用量 28333

-rw-r--r--. 1 root root 105195 11月 11 2013 config-2.6.32-431.el6.x86_64

drwxr-xr-x. 3 root root 1024 2月 6 23:46 efi

drwxr-xr-x. 2 root root 1024 2月 7 00:37 grub

-rw-------. 1 root root 17533084 2月 9 21:43 initramfs-2.6.32-431.el6.x86_64.img

-rw-------. 1 root root 4505771 2月 7 00:38 initrd-2.6.32-431.el6.x86_64kdump.img

drwx------. 2 root root 12288 2月 6 23:37 lost+found

-rw-r--r--. 1 root root 193758 11月 11 2013 symvers-2.6.32-431.el6.x86_64.gz

-rw-r--r--. 1 root root 2518236 11月 11 2013 System.map-2.6.32-431.el6.x86_64

-rwxr-xr-x. 1 root root 4128944 11月 11 2013 vmlinuz-2.6.32-431.el6.x86_64

[root@node1 delete]# vi index.txt #添加数据

[root@node1 delete]# rm -rf index.txt

4.卸载分区

注意如果是/ 根目录的删了，把磁盘挂载到其他机器做恢复

[root@node1 bin]# fuser -m -v /home/delete/

[root@node1 bin]# fuser -k /home/delete/ <-- 结束使用某分区的进程树

[root@node1 bin]# umount /home/delete/ <-- 卸载分区

[root@zw_test_26_74 ~]# umount /dev/sdb3

5.使用extundelete查看分区上存在的文件

extundelete --inode 2 /dev/sdb2

# --inode 为查找某i节点中的内容，使用2则说明为搜索，如果需要进入目录搜索，只须要指定目录I节点即可

[root@node1 bin]# ./extundelete --inode 2 /dev/sda1

NOTICE: Extended attributes are not restored.

WARNING: EXT3_FEATURE_INCOMPAT_RECOVER is set.

The partition should be unmounted to undelete any files without further data loss.

If the partition is not currently mounted, this message indicates

it was improperly unmounted, and you should run fsck before continuing.

If you decide to continue, extundelete may overwrite some of the deleted

files and make recovering those files impossible. You should unmount the

file system and check it with fsck before using extundelete.

Would you like to continue? (y/n)

y

Loading filesystem metadata ... 25 groups loaded.

Group: 0

Contents of inode 2:

0000 | 6d 41 00 00 00 04 00 00 ae a4 24 59 97 a3 24 59 | mA........$Y..$Y

0010 | 97 a3 24 59 00 00 00 00 00 00 05 00 04 00 00 00 | ..$Y............

0020 | 00 00 00 00 1b 00 00 00 23 11 00 00 00 00 00 00 | ........#.......

0030 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................

0040 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................

0050 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................

0060 | 00 00 00 00 00 00 00 00 31 11 00 00 00 00 00 00 | ........1.......

0070 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................

?

Inode is Allocated

File mode: 16749

Low 16 bits of Owner Uid: 0

Size in bytes: 1024

Access time: 1495573678

Creation time: 1495573399

Modification time: 1495573399

Deletion Time: 0

Low 16 bits of Group Id: 0

Links count: 5

Blocks count: 4

File flags: 0

File version (for NFS): 0

File ACL: 4401

Directory ACL: 0

Fragment address: 0

Direct blocks: 4387, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0

Indirect block: 0

Double indirect block: 0

Triple indirect block: 0

?

File name | Inode number | Deleted status

. 2

.. 2

lost+found 11

grub 12

efi 19

.index.txt.swp 24 Deleted

.vmlinuz-2.6.32-431.el6.x86_64.hmac 14

System.map-2.6.32-431.el6.x86_64 15

config-2.6.32-431.el6.x86_64 16

symvers-2.6.32-431.el6.x86_64.gz 17

vmlinuz-2.6.32-431.el6.x86_64 18

initramfs-2.6.32-431.el6.x86_64.img 23

initrd-2.6.32-431.el6.x86_64kdump.img 39

index.txt 41 Deleted

上面标记为deleted的index.txt 就是误删的数据

6. 恢复

[root@node1 bin]# ./extundelete --restore-all /dev/sda1

NOTICE: Extended attributes are not restored.

WARNING: EXT3_FEATURE_INCOMPAT_RECOVER is set.

The partition should be unmounted to undelete any files without further data loss.

If the partition is not currently mounted, this message indicates

it was improperly unmounted, and you should run fsck before continuing.

If you decide to continue, extundelete may overwrite some of the deleted

files and make recovering those files impossible. You should unmount the

file system and check it with fsck before using extundelete.

Would you like to continue? (y/n)

y

Loading filesystem metadata ... 25 groups loaded.

Loading journal descriptors ... 89 descriptors loaded.

Searching for recoverable inodes in directory / ...

2 recoverable inodes found.

Looking through the directory structure for deleted files ...

Unable to restore inode 24 (.index.txt.swp): Space has been reallocated.

0 recoverable inodes still lost.

[root@node1 bin]# ll

总用量 1164

-rwxr-xr-x 1 root root 1187055 5月 24 05:09 extundelete

drwxr-xr-x 2 root root 4096 5月 24 05:18 RECOVERED_FILES

[root@node1 bin]# ll RECOVERED_FILES/

总用量 4

-rw-r--r-- 1 root root 47 5月 24 05:18 index.txt

可以看到index.txt 已经恢复到RECOVERED_FILES 目录下了。

总结

当发现某个分区的数据被误删除后，要做的第一件事是立刻卸载被误删除文件所在的分区，或者重新以只读方式挂载此分区。

这么做的原因其实很简单：删除一个文件，就是将文件inode节点中的扇区指针清除，同时，释放这些数据对应的数据块，而真实的文件还存留在磁盘分区中。但是这些被删除的文件不一定会一直存留在磁盘中，当这些释放的数据块被操作系统重新分配时，那些被删除的数据就会被覆盖。因此，在数据误删除后，马上卸载文件所在分区可以降低数据块中数据被覆盖的风险，进而提高成功恢复数据的机率。

最后，祝大家永远不要用到extundelete！

觉得有用的就走波关注吧~