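Author: 北南南北
Source: LinuxSir.Org
Abstract: This article is a hands-on walk-through of recovering data that was deleted by mistake on a reiserfs filesystem. It imagines several accidents in which files are lost on reiserfs and tries to recover the data in each case. I am keeping it as an archive for later use, since reiserfs is my personal favourite filesystem.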
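I. About Linux filesystems
See: "Overview of Linux Filesystems"
II. Does the reiserfs filesystem support an undelete operation to recover data?
Data is generally destroyed in one of two ways: it is deleted with the rm command, or it is wiped out by formatting. On reiserfs, recovering from these two kinds of mistake differs somewhat.
1. Recovery after data is lost through a mistaken rm
In practice, data deleted with rm can be recovered with the reiserfs check-and-repair tool. If the storage device has no problems and the filesystem has no bad blocks, recovery is 100%.
2. Recovery after data is lost by formatting the disk
I tested recovering lost reiserfs data after formatting the storage device, using a removable hard disk. The disk had a single partition with a reiserfs filesystem. I stored a little over 100 MB of data on it and then formatted the partition with mkreiserfs or mkfs.reiserfs. Suppose we now realise that recreating the filesystem on the partition was a mistake. Repairing it with the reiserfs repair tool at this point recovers most of the data, but not always 100%; sometimes it is 100% successful, depending on your luck.
If the reiserfs partition was formatted as some other filesystem, the chance of success once the mistake is noticed is extremely low; in most cases it fails.
If the disk's partition table has been rebuilt as well, the chance of recovering the reiserfs filesystem is also extremely low, or put another way, the success rate of recovery with the reiserfs tools is zero. Sometimes a little can still be recovered, or what comes back is data from long, long ago. Heh, that is a bit odd.
If you lost data through repartitioning, you probably first need to restore the partition table to its previous state. There may be tools for this on Windows; there should be such tools on Linux too, but they are all commercial. The good data recovery tools on Windows are probably commercial as well.
3. Scope of undelete recovery on reiserfs
As said above, data lost through a mistaken rm can be recovered mostly or 100%; that is the first case. In addition, if the original partition was reiserfs and the data was lost because you mistakenly formatted it with mkreiserfs or mkfs.reiserfs, that also falls within this scope and most of the data can be recovered, though this case should be fairly rare.
III. The reiserfs data recovery procedure
1. Prepare a rescue disc and a large storage device
1) A livecd or system rescue disc that supports reiserfs
If the loss is on removable storage with a reiserfs filesystem, you can repair it directly from the Linux system you are running, provided it supports reiserfs. Heh, isn't that stating the obvious? If my Linux did not support reiserfs, what use would reiserfs on my removable disk be?
A livecd is best; any livecd that supports reiserfs will do. I also found that the first disc of the slackware installation set can be used. Installation and rescue discs of other distributions are not ruled out either, as long as they work.
2) Storage device
For example, if the partition that lost data is 9 GB, you need a disk (or partition) with at least 10 GB of unused space; otherwise, where would the image of the damaged partition fit? So it is best to have a large disk or partition ready.
If the loss is only on a removable disk of a few hundred MB, almost any spot has room for it, which makes things much easier.
2. The recovery process
1) Boot into a system from the livecd or the rescue disc
A livecd is the easy route, since it is a system that runs from the CD. You can pick a distribution and download it.
See: http://www.frozentech.com/content/livecd.php
You can choose slax or Knoppix.
You can also use the first slackware disc: press Enter all the way through until a bash# prompt appears, and you are set. Of course you can also attach the disk to a machine that has Linux and recover there; there are plenty of ways. All we are doing is borrowing a Linux system with reiserfs support to recover the data.
2) Image the partition with dd
Why image the partition that lost data; can it not be repaired directly? Repairing it directly is possible, but if an error occurs, the chance of recovering the data becomes very low, unless we can guarantee that the partition has no bad blocks and no physical or logical bad sectors. We would also have to be 100% sure of not making another mistake. So imaging the partition is extremely important: recover from the image, to keep the original data safe and reliable.
One more point: do not mount the partition that lost data, and do not write to it again, or the chance of successful recovery drops. Use df -h to see whether the partition was mounted automatically; if it was, unmount it with umount.
We need to work out which partition lost data; fdisk -l shows the partition table. Say I am quite certain that /dev/sda1 lost data; we then make an image of /dev/sda1.
Next, prepare a partition with free space and a Linux filesystem, ext3 or reiserfs for example; it is only used to hold the partition image that dd produces. Mount it with mount; this was already mentioned in the preparation step. For example, to store the image of /dev/sda1 on the reiserfs partition /dev/hda8, mount /dev/hda8:
bash# mkdir hda8 Note: create a directory.
bash# mount -t reiserfs /dev/hda8 hda8 Note: mount /dev/hda8 on the hda8 directory.
bash# df -h Note: check that /dev/hda8 is mounted.
bash# cd hda8 Note: enter the hda8 directory.
bash# dd if=/dev/sda1 conv=noerror > sda1.img Note: image the whole /dev/sda1 partition.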
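3) Recover data from the image with reiserfsck or fsck.reiserfs
bash# losetup -f Note: ask which loop device is free.
/dev/loop0 Note: the free one turns out to be /dev/loop0.
bash# losetup /dev/loop0 sda1.img
Note: attach the image sda1.img to the /dev/loop0 device.
bash# reiserfsck --rebuild-tree -S -l undelete.log /dev/loop0
Note: repair with reiserfsck; -S means the whole partition, -l is followed by the log file, and the last argument is the /dev/loop0 device. Because sda1.img was attached to /dev/loop0 above, /dev/loop0 presents everything that is in sda1.img. The effect is the same as repairing directly with the command below, but repairing through the attached image is done mainly for safety.
bash# reiserfsck --rebuild-tree -S -l undelete.log /dev/sda1
Note: operating directly like this also works, but if /dev/sda1 has bad blocks you are in trouble; it may harm the data on /dev/sda1. Understood?
A prompt like the following then appears: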
reiserfsck 3.6.19 (2003 www.namesys.com)
*************************************************************
** Do not run the program with --rebuild-tree unless **
** something is broken and MAKE A BACKUP before using it. **
** If you have bad sectors on a drive it is usually a bad **
** idea to continue using it. Then you probably should get **
** a working hard drive, copy the file system from the bad **
** drive to the good one -- dd_rescue is a good tool for **
** that -- and only then run this program. **
** If you are using the latest reiserfsprogs and it fails **
** please email bug reports to [email protected], **
** providing as much information as possible -- your **
** hardware, kernel, patches, settings, all reiserfsck **
** messages (including version), the reiserfsck logfile, **
** check the syslog file for any related information. **
** If you would like advice on using this program, support **
** is available for $25 at www.namesys.com/support.html. **
*************************************************************
Will rebuild the filesystem (/dev/loop0) tree
Will put log info to 'undelete.log'
Do you want to run this program?[N/Yes] (note need to type Yes if you do): Yes
Note: type Yes and the repair starts.
The details are as follows:
Replaying journal..
Reiserfs journal '/dev/loop0' in blocks [18..8211]: 0 transactions replayed
###########
reiserfsck --rebuild-tree started at Thu Dec 1 21:01:53 2005
###########
Pass 0:
The whole partition (251984 blocks) is to be scanned
Skipping 8218 blocks (super block, journal, bitmaps) 243766 blocks will be read
0%....20%....40%....60%....80%....100% left 0, 6588 /sec
"r5" hash is selected
Flushing..finished
Read blocks (but not data blocks) 243766
Leaves among those 56
Objectids found 77
Pass 1 (will try to insert 56 leaves):
Looking for allocable blocks .. finished
0%....20%....40%....60%....80%....100% left 0, 56 /sec
Flushing..finished
56 leaves read
45 inserted
11 not inserted
non-unique pointers in indirect items (zeroed) 633
Pass 2:
0%....20%....40%....60%....80%....100% left 0, 0 /sec
Flushing..finished
Leaves inserted item by item 11
Pass 3 (semantic):
Flushing..finished
Files found: 42
Directories found: 12
Pass 3a (looking for lost dir/files):
Looking for lost directories:
Looking for lost files:0 /sec
Flushing..finished 48, 0 /sec
Objects without names 16
Dirs linked to /lost+found: 1
Files linked to /lost+found 15
Pass 4 - finished done 44, 0 /sec
Flushing..finished
Syncing..finished
###########
reiserfsck finished at Thu Dec 1 21:02:31 2005
###########
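4) Mount the loop device and check what was recovered
bash# mkdir recoversda1 Note: create a directory.
bash# mount /dev/loop0 recoversda1 Note: mount /dev/loop0 on recoversda1.
bash# more undelete.log Note: read the recovery log.
bash# cd recoversda1 Note: enter the recoversda1 directory to check the recovered data.
In general, if you deleted things with rm, most will be recovered 100%. Some content may be recovered into the lost+found directory; compare against the recovery log to check.
When you consider your data sufficiently recovered, you can mount the partition that lost data and copy the recovered data over to it.
bash# cd .. Note: leave recoversda1 and return to the parent directory.
bash# mkdir sda1 Note: create the sda1 directory.
bash# mount /dev/sda1 sda1 Note: mount /dev/sda1 on the sda1 directory.
What remains is to copy the recovered data from the recoversda1 directory to the partition that lost data. That part is simple; you should know how to use cp. If you really don't, I can't help you; it seems your level and mine really are about the same. Haha...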
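5) Cleaning up after the recovery
Unmount everything that was mounted, cleanly:
bash# umount /dev/sda1 Note: unmount the partition the data was copied back to.
bash# umount /dev/loop0 Note: unmount the recovered image (mounted on recoversda1).
bash# losetup -d /dev/loop0 Note: detach sda1.img from /dev/loop0.
bash# umount /dev/hda8 Note: last, because it holds sda1.img and the mount points above.
... ...
If you get a device busy message, you are probably still inside a mounted directory; leave it and try again.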
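The imaging step 2) above, wrapped in the checks the article asks for: the damaged partition must not be mounted, the destination needs more free space than the partition, and the image should come out complete. This is an added example, not the author's code; the function names and the MOUNTS variable are assumptions, and mount detection compares device names literally.

```shell
#!/bin/sh
# Added example, not from the original article. Function names are assumptions.
# MOUNTS may point at a constructed file for a dry run; default is the live table.
MOUNTS=${MOUNTS:-/proc/mounts}

# is_mounted DEV: true if DEV is the source of a mount listed in $MOUNTS.
# An unreadable mount table counts as "mounted" so that we refuse to proceed.
is_mounted() {
    [ -r "$MOUNTS" ] || return 0
    awk -v d="$1" '$1 == d { hit = 1 } END { exit !hit }' "$MOUNTS"
}

# size_bytes SRC: size of a block device, or of a regular file standing in for one.
size_bytes() {
    if [ -b "$1" ]; then blockdev --getsize64 "$1"; else wc -c < "$1" | tr -d ' '; fi
}

# free_bytes DIR: free space on the filesystem that holds DIR.
free_bytes() {
    df -Pk "$1" | awk 'NR == 2 { printf "%.0f\n", $4 * 1024 }'
}

# image_partition SRC IMG: refuse unsafe conditions, then image SRC into IMG.
# Returns 0 ok, 2 SRC mounted, 3 not enough room, 4 read/size failure, 5 short image.
image_partition() {
    src=$1; img=$2
    if is_mounted "$src"; then
        echo "$src is mounted: umount it before imaging" >&2; return 2
    fi
    need=$(size_bytes "$src") || return 4
    free=$(free_bytes "$(dirname "$img")")
    if [ "${free:-0}" -le "$need" ]; then
        echo "not enough free space for a $need byte image" >&2; return 3
    fi
    dd if="$src" of="$img" conv=noerror || return 4
    # Without conv=sync, dd drops unreadable blocks, so a short image means
    # bad blocks were skipped and every later offset in the image is shifted.
    if [ "$(size_bytes "$img")" -ne "$need" ]; then
        echo "image is shorter than $src: read errors occurred" >&2; return 5
    fi
    return 0
}
```

Call it as `image_partition /dev/sda1 sda1.img` from the directory where the storage partition is mounted, then continue with losetup and reiserfsck on the image.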
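IV. About this article
This hands-on document follows methods provided by foreigners. If you think 北南 is plagiarising, you are welcome to plagiarise too.
V. References
http://www.martian.org/marty/archives/000888.html
http://marc.theaimsgroup.com/?l=reiserfs&m=104861318421306&w=2
http://www.antrix.net/journal/techtalk/reiserfs_data_recovery_howto.html
VI. Related documents
Reference 4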
Hi all,
I just want to thank for the tips on recovering deleted files. I've just wrongly deleted some files and been able to recover them by following your steps / steps from pages mentioned herein. Instead of finding deleted files in lost+found directory, I've ended up finding them in the original directories (from where they were deleted). I've compiled the sequence of steps for my specific case (slight changes will suit particular issues regarding unwanted file deletion), which follows:
Recover deleted files (from /home = /dev/hda7)
0. Unmount partition from where to recover deleted files
umount /home
1. Create partition copy
dd if=/dev/hda7 conv=noerror > /hda7.img
2. Set up device containing copy of partition (created in 1.)
losetup /dev/loop/0 /hda7.img
3. Rebuild FS tree, performing a thorough partition scan and logging to /recovery.log file
reiserfsck --rebuild-tree -S -l /recovery.log /dev/loop/0
(4. Check written log file)
(less /recovery.log)
5. Create directory for mounting recovered partition
mkdir /recovery
6. Mount recovered partition in directory created in 5.
mount /dev/loop/0 /recovery
7. Access recovered partition's lost+found directory and look for files
cd /recovery/lost+found
8. If not there (7.), then look for in original directory
cd /recovery/
9. Remount /home partition
mount /home
10. Copy recovered files from 7./8. to /home/
cp /recovery// /home//
11. Unmount recovered partition
umount /recovery
12. Detach recovered partition device
losetup -d /dev/loop/0
@nT$
Reference 3
Reiserfs filesystem recovery
Cleaning up after disk crashing season hasn't been fun, but I am pleased with what I've managed to recover from the worst crash.
I wanted to get the latest data from the dead webserver. It was in MySQL, and stored in /var/lib/mysql. Unfortunately, the /var/lib directory no longer existed.
I didn't want to try to recover it in place -- with so many bad blocks, things can only get worse -- so I copied the entire partition to a file on my laptop (the one with the shiny new disk): ssh deadserver dd if=/dev/hda1 conv=noerror > hda1.img (You need the conv=noerror or else dd will stop when it hits the first bad block.)
So, then I had most of a corrupt filesystem image. To make it useful I used the loop driver: losetup /dev/loop/0 hda1.img
Now I could try reiserfsck to see what I could recover. I started with reiserfsck --rebuild-sb /dev/loop/0 to rebuild the superblock: even if it hadn't been affected by the physical disk corruption, it would certainly be confused by its new home in a looped image that probably wasn't the same size as the original partition. Next step was reiserfsck --rebuild-tree /dev/loop/0 to try to find the contents of the missing directories. I finished it off with reiserfsck --check /dev/loop/0 to make sure it was happy.
Now I can just mount /dev/loop/0 /mnt and have a look in /mnt/lost+found. The data is there!
Reference 2
List: reiserfs
Subject: Re: "Unformat" a ReiserFS partition : a testimony :-)
From: Vitaly Fertman
Date: 2003-03-25 17:25:38
Hi,
On Tuesday 25 March 2003 03:16, Yury Umanets wrote:
> Nicolas Vanderavero wrote:
> > Hello,
>
> Hello Nicolas,
>
> > while reinstalling a Debian on a new hard drive, I made the mistake to
> > format in reiserfs my good old /home which was on /dev/sda7 instead of
> > formatting the new /dev/hda7. Gasp ! Eight gigabytes lost ...
> >
> > Or ... maybe it was not totally lost :-) I immediately made a dump of
> > the partition with 'dd' and started grepping some known text on it. It
> > seemed that no data was really lost. I didn't know what to do. So I
> > read the man pages and found the reiserfsck command quite interesting :-)
>
> You have lost the super block and probably old root node. I said
> "probably" because it might be not used in the time you did format.

superblock, bitmaps, journal content and almost always one block which usually
is not old root node, but the very first leaf on the fs with a part/the whole
root directory.

> > Ok, I am a total newbie to filesystems and to ReiserFS. So maybe it
> > will sound trivial to you, but just in case it happens to anyone else,
> > I just wanted to say that running a reiserfsck --rebuild-tree -S on my
> > partition was enough to unformat it. I ended up with some file in
> > lost+found, but a 'file *' is enough to discover what they are.

Right.

> The first thing you should do in cases like this is to make backup. I
> hope you'll find eight gigabytes for that. Now you may feel free to do
> anything with your old partition. Then you should to do --rebuild-sb and
> try to fsck the partition with --check key. Then follow to fsck suggestions.
> These should be enough for getting your partition back.

:)) no, Yura, reiserfs is in a good state after mkreiserfs and --rebuild-sb /
--check will say 'all is fine, enjoy'. Plus, -S is used in cases when fs is
ok, but some data are lost, so you may want to backup not the whole partition,
but only cp important data somewhere from the mounted fs (to avoid their
corruption while rebuilding with -S option what may occur).
>
> > So, maybe it would be useful to add an entry in the "Example of
> > using" section of the man page of reiserfsck, saying something like :
> > "If you reformatted by mistake a reiserFS partition, you can try to
> > unformat it by running reiserfsck --rebuild-tree -S on it".
--scan-whole-partition does what is written in man page - scan the whole
partition, not only used space - and brings back all what was found. That
means that have just created reiserfs partition with all copied data on
it will be recovered, all not overwritten data from the previous reiserfs
will be recovered. There were also some data which were deleted once and
the space they occupied has not been reused - get recovered also. All data
with the same key go to the same file/dir and old versions of files will
be merged with new versions, or deleted file will be merged with the new
one - this may lead to data corruption. And while building the tree for
all these found data you can run out of disk space.
So it is not an undelete feature and not unformat feature, although can be
used pretty efficiently for these 2 purpose _just_after_ a wrong remove /
format. Or just after fsck --rebuild-tree, if fsck has not recovered some
important data due to bitmap corruption.
As a result, -S is more like a hack - it is not undelete, unformat, undo,
but you can try to recover smth from unused space, valid data can become
corrupted while being merged with old data, so it should be used with high
caution and it is not for wide-usage anyway.

> P.S. Please read http://www.namesys.com/support.html. Can you ask for
> support?

It seems that Nicolas does not need our support as he wrote about his
result how he had successfully unformatted the fs.
--
Thanks,
Vitaly Fertman
Reference 1
UPDATE (15 June, 2004): I just found this thread which warns of possible corruption of existing files on the partition. Essentially, the recovery process may take older (deleted) versions of a current file and try and merge it with the new file resulting in data corruption. As a safety measure, make a backup of important undamaged files on another partition before you carry out the steps below.
UPDATE (31 March, 2005): Make sure you read through all the comments to this howto before starting the recovery process. Lots of tips and warnings are present in those comments!
UPDATE (11 August, 2005): For even more hopeless data loss cases, try Foremost.
NOTE: These steps are only for really bad hard disk muck-ups and accidentally deleted files. For normal filesystem inconsistencies, don't use these steps!
1. Once you realize that you've lost data, don't do anything else on that partition - you may cause that data to be overwritten by new data.
2. Unmount that partition. e.g., umount /home
3. Find out what actual device this partition refers to. You can usually get this information from the file /etc/fstab. We'll assume here that the device is /dev/hda3.
4. Run the command: reiserfsck --rebuild-tree -S -l /root/recovery.log /dev/hda3
You need to be root to do this. Read the reiserfsck man page for what these options do and for more options. Some interesting options are '--rebuild-sb, --check'
After the command finishes, which might be a long time for a big partition, you can take a look at the logfile /root/recovery.log if you wish.
5. Mount your partition: mount /home
6. Look for the lost+found directory in the root of the partition. Here, that would be: /home/lost+found
7. This directory contains all the files that could be recovered. Unfortunately, the filenames are not preserved for a lot of files. You'll find some sub-directories - filenames within those are preserved!
8. Look through the files and copy back what you need.
Here's a useful link for more advanced tricks.
Hope that helps! Please leave a comment here if you found this page useful and/or if there should be something more on this page that I missed.
PS: For normal filesystem inconsistencies, use the --fix-fixable option with reiserfsck. See the man page for more on that.