如果由于某些原因误删了linux的数据文件,可以恢复的途径很多,现在介绍一个Linux本身自带的工具:debugfs,这里只是简单的介绍一下,debugfs实现的功能很多,大家有兴趣可以自己去研究研究:
[@more@]
进入debugfs模式:
debugfs /dev/sdb1
查找已经被删除的数据:
debugfs 1.39 (29-May-2006)
debugfs: lsdel
Inode Owner Mode Size Blocks Time deleted
229870 0 100644 1511 1/ 1 Fri Jul 30 08:55:11 2010
229871 0 100644 1625 1/ 1 Fri Jul 30 08:55:17 2010
196613 0 40700 0 1/ 1 Fri Jul 30 08:55:30 2010
212993 0 40700 0 1/ 1 Fri Jul 30 08:55:30 2010
212994 0 100777 2282 1/ 1 Fri Jul 30 08:55:30 2010
212995 0 40700 0 1/ 1 Fri Jul 30 08:55:30 2010
229377 0 40700 0 1/ 1 Fri Jul 30 08:55:30 2010
229378 0 100777 2417 1/ 1 Fri Jul 30 08:55:30 2010
196611 0 100644 4096 1/ 1 Wed Aug 18 23:21:11 2010
查看某个已经被删除的文件:
debugfs: stat <196611>
Inode: 196611 Type: regular Mode: 0644 Flags: 0x0 Generation: 2373075787
User: 0 Group: 0 Size: 4096
File ACL: 0 Directory ACL: 0
Links: 0 Blockcount: 8
Fragment: Address: 0 Number: 0 Size: 0
ctime: 0x4c6bfa67 -- Wed Aug 18 23:21:11 2010
atime: 0x4c6bfa64 -- Wed Aug 18 23:21:08 2010
mtime: 0x4c6bfa64 -- Wed Aug 18 23:21:08 2010
dtime: 0x4c6bfa67 -- Wed Aug 18 23:21:11 2010
BLOCKS:
(0):423936
TOTAL: 1
开始恢复:
这里以196611删除的数据为例:
debugfs: dump <196611> /tmp/196611.bak
可以看到已经恢复了
方法二:
可以通过手动修改已经被删除的inode结构来达到恢复的目的:
debugfs: mi <196611>
mi: Filesystem opened read/only
以上是因为我们将文件系统以read/only的模式进行的挂载
debugfs: close
debugfs: open -w /dev/MIDDER/weblogic
修改为可以修改的。
debugfs: mi <196611>
Mode [0100644]
User ID [0]
Group ID [0]
Size [4096]
Creation time [1282144871]
Modification time [1282144868]
Access time [1282144868]
Deletion time [1282144871] 0
Link count [0] 1
Block count [8]
File flags [0x0]
Generation [0x8d72434b]
File acl [0]
High 32bits of size [0]
Fragment address [0]
Fragment number [0]
Fragment size [0]
Direct Block #0 [423936]
Direct Block #1 [0]
Direct Block #2 [0]
Direct Block #3 [0]
Direct Block #4 [0]
Direct Block #5 [0]
Direct Block #6 [0]
Direct Block #7 [0]
Direct Block #8 [0]
Direct Block #9 [0]
Direct Block #10 [0]
Direct Block #11 [0]
Indirect Block [0]
Double Indirect Block [0]
Triple Indirect Block [0]
修改红色标示的部分
最后退出:quit
最后,使用fsck 对修改的文件系统进行扫描
[root@localhost tmp]# fsck.ext3 /dev/MIDDER/weblogic
e2fsck 1.39 (29-May-2006)
/dev/MIDDER/weblogic is mounted.
WARNING!!! Running e2fsck on a mounted filesystem may cause
SEVERE filesystem damage.
Do you really want to continue (y/n)? yes
/dev/MIDDER/weblogic was not cleanly unmounted, check forced.
Pass 1: Checking inodes, blocks, and sizes
Pass 2: Checking directory structure
Pass 3: Checking directory connectivity
Pass 4: Checking reference counts
Unattached inode 196611
Connect to /lost+found? yes
Inode 196611 ref count is 2, should be 1. Fix? yes
Pass 5: Checking group summary information
Block bitmap differences: +423936
Fix? yes
Free blocks count wrong for group #12 (32252, counted=32251).
Fix? yes
Free blocks count wrong (206716, counted=206715).
Fix? yes
Inode bitmap differences: +196611
Fix? yes
Free inodes count wrong for group #12 (16382, counted=16381).
Fix? yes
Free inodes count wrong (494680, counted=494679).
Fix? yes