Of Stack

Linux Utilizes lsof and extundelete Tools to Recover File or Directory Deleted by Mistake

  • 2021-08-21 22:04:21
  • OfStack

Preface

Linux does not have a conspicuous recycle bin like windows, so it is not a simple restore.

linux deletion file restore can be divided into two situations, one is that there is deletion information in the process after deletion, and the other is that the process cannot be found after deletion, so it can only be restored by means of tools. Check and introduce here respectively

1. The process of deleting files by mistake is still in progress.

This kind of 1 is that the active process has continuous standard input or output, and the process PID still exists after the file is deleted. This is why some servers delete some files but the disk is not released. For example, the current example:

Append cat to a test file through an shell terminal: 


[root@21yunwei_backup ~]# echo "hello py" > testdelete.py
[root@21yunwei_backup ~]# cat >> testdelete.py 
hello delete

Another terminal can see the contents clearly by viewing this file: 


[root@21yunwei_backup ~]# cat testdelete.py 
hello py
hello delete

At this point, delete the files rm-f./testdelete. py on the current server

Command to check this directory, the file no longer exists, so now we will restore it.

1. lsof checks whether the deleted file process still exists. A command lsof is used here. If you don't install it, please use your own yum or apt-get. In this case, we can first check whether the deleted file is still there by lsof: 


[root@21yunwei_backup ~]# lsof | grep deleted
mysqld  1512 mysql 5u  REG    252,3   0 6312397 /tmp/ibzW3Lot (deleted)
cat  20464 root 1w  REG    252,3   23 1310722 /root/testdelete.py (deleted)

Fortunately, this process still exists, so start the recovery operation.

2. Recovery.

Restore command: 


cp /proc/pid/fd/1 / Specify a directory / Filename

Enter the process directory, 1 is generally enumer/proc/pid/fd/, for the current situation: 


[root@21yunwei_backup ~]# cd /proc/20464/fd
[root@21yunwei_backup fd]# ll
total 0
lrwx------ 1 root root 64 Nov 15 18:12 0 > /dev/pts/1
l-wx------ 1 root root 64 Nov 15 18:12 1 > /root/testdelete.py (deleted)
lrwx------ 1 root root 64 Nov 15 18:12 2 > /dev/pts/1

Restore operation: 


cp 1 /tmp/testdelete.py

View files: 


[root@21yunwei_backup fd]# cat /tmp/testdelete.py
hello py
hello delete

Recovery complete.

2. The file process deleted by mistake no longer exists, so restore it with the help of tools.

Create a directory to be deleted and echo1 files with contents: 


[root@21yunwei_backup 21yunwei]# tree
.
 --  deletetest
 The   Off-  mail
 The    Off-  test.py
 --  lost+found
 Off-  passwd
 
3 directories, 2 files
[root@21yunwei_backup 21yunwei]# cat /21yunwei/deletetest/mail/test.py 
hello Dj
[root@21yunwei_backup 21yunwei]# tail -2 passwd 
haproxy:x:500:502::/home/haproxy:/bin/bash
tcpdump:x:72:72::/:/sbin/nologin

Perform a delete operation: 


[root@21yunwei_backup 21yunwei]# rm -rf ./*
[root@21yunwei_backup 21yunwei]# ll
total 0

Now start the recovery of mistakenly deleted files. In this case, there is no daemon or the background process keeps inputting it, so the deletion is deleted, and lsof can't see it. With the help of tools. The tool we use here is the extundelete third-party tool. The recovery steps are as follows:

1. Stop any operation on the current partition to prevent inode from being overwritten. When inode is covered, it basically says goodbye to bicycles. For example, stop the service of the partition, uninstall the device where the directory is located, and disconnect the network if necessary.

2. Backup the current partition through dd command to prevent data loss caused by the failure of the third party software recovery. Suitable for the situation where data is very important, there is no backup in this test. For example, backup can be considered in the following ways:

dd if=/path/filename of=/dev/vdc1

3. Uninstall the current device partition through umount command. Or the fuser command.

umount/dev/vdb1 or umount/21yunwei

If the device is prompted for busy, it can be forcibly uninstalled with the fuser command: fuser-m-v-i-k/21yunwei

4. Download the third-party tool extundelete for installation, and search for files deleted by mistake for restoration. 


wget http://nchc.dl.sourceforge.net/project/extundelete/extundelete/0.2.4/extundelete-0.2.4.tar.bz2
tar jxvf extundelete-0.2.4.tar.bz2
cd extundelete-0.2.4
./configure 
make
make install

Scan files deleted by mistake: 


[root@21yunwei_backup ~]# cat testdelete.py 
hello py
hello delete
0

The folder we deleted was found through scanning, and now we will perform the recovery operation.

(1) Restore Single 1 File passwd 


[root@21yunwei_backup ~]# cat testdelete.py 
hello py
hello delete
1

The recovery file is placed in the current directory RECOVERED_FILES.

View the recovered files: 


[root@21yunwei_backup ~]# cat testdelete.py 
hello py
hello delete
2

(2) Restore directory deletetest 


[root@21yunwei_backup /]# extundelete /dev/vdb1 --restore-directory deletetest 
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 8 groups loaded.
Loading journal descriptors ... 46 descriptors loaded.
Searching for recoverable inodes in directory deletetest ... 
5 recoverable inodes found.
Looking through the directory structure for deleted files ... 
[root@21yunwei_backup /]# cat RECOVERED_FILES/deletetest/mail/test.py 
hello Dj

(3) Restore all 


[root@21yunwei_backup ~]# cat testdelete.py 
hello py
hello delete
4

(4), restore the specified inode. 


[root@21yunwei_backup ~]# cat testdelete.py 
hello py
hello delete
5

Note that when recovering inode, the file name recovered is not the same as before, and it needs to be renamed separately. The content is no problem.

For more extundelete usage, please refer to the extundelete help option parameter description. All operations of current recovery are completed.

Summarize

Related articles: