救火专用---别再说rm -rf 不可以恢复

工作中难免因为意外或其他情况，导致rm -rf误删文件，这个时候，救火专用 extundelete 就派上了用场；

下载地址：http://extundelete.sourceforge.net/

注意：

1：此工具安装依赖e2fspogs 和 e2fslibs 两个包，在RH/Centos系列上包的名字为 e2fsprogs和   

   e2fsprogs-lib

2：此工具适用于ext3/ext4 文件系统

3：该工具基于硬盘的恢复倒是强大，但是基于目录和文件的恢复尚未测试成功过

原理：

虽然该工具用起来相当简单，但是理解其原理比使用它更重要。

1> inode概念：

首先就是inode的概念：在系统层面，文件储存在硬盘上，以扇区为最小存储单元，以块为文件存取单元，文件存储在块中，在格式化的时候自然就分为数据区和inode区，数据区存放数据，inode存放除了文件名以为的所有文件信息即元数据，包括文件大小，时间，权限等，通过 stat filename 可以查看文件的inode信息。

2> rm过程：

inode存放文件元数据，也会占用磁盘空间，df -i 可以查看inode总数和已经使用的数量，有时候会出现磁盘空间尚且足够，但是就是创建不了文件，就有可能是inode空间用完了。

据我理解 rm实际上就跟数据库中truncate一样，只是删除了该文件的元数据，真正的数据依然存储在block上，等待着被覆盖，所以做rm恢复时和做truncate恢复时一样，尽快恢复，否则一旦数据被覆盖就真的恢复不了了。

理解了inode的概念和rm后，再来理解extundele的恢复原理就相对简单了：

首先extundele会利用文件系统的inode信息获取当前文件系统下的所有文件的inode信息，包括存在的以及被删除的，再通过日志信息来获得相应inode所在的block位置，再利用dd命令将这些信息备份出来，也就恢复了文件。

安装：

[root@orclA extundelete-0.2.4]# yum install e2fsprogs* -y

[root@orclA top]# ls

extundelete-0.2.4.tar.bz2

[root@orclA top]# bunzip2  extundelete-0.2.4.tar.bz2

[root@orclA top]# ls

extundelete-0.2.4.tar

[root@orclA top]# tar -xvf extundelete-0.2.4.tar

extundelete-0.2.4/

extundelete-0.2.4/acinclude.m4

extundelete-0.2.4/missing

extundelete-0.2.4/autogen.sh

extundelete-0.2.4/aclocal.m4

extundelete-0.2.4/configure

extundelete-0.2.4/LICENSE

extundelete-0.2.4/README

extundelete-0.2.4/install-sh

extundelete-0.2.4/config.h.in

extundelete-0.2.4/src/

extundelete-0.2.4/src/extundelete.cc

extundelete-0.2.4/src/block.h

extundelete-0.2.4/src/kernel-jbd.h

extundelete-0.2.4/src/insertionops.cc

extundelete-0.2.4/src/block.c

extundelete-0.2.4/src/cli.cc

extundelete-0.2.4/src/extundelete-priv.h

extundelete-0.2.4/src/extundelete.h

extundelete-0.2.4/src/jfs_compat.h

extundelete-0.2.4/src/Makefile.in

extundelete-0.2.4/src/Makefile.am

extundelete-0.2.4/configure.ac

extundelete-0.2.4/depcomp

extundelete-0.2.4/Makefile.in

extundelete-0.2.4/Makefile.am

[root@orclA extundelete-0.2.4]# ./configure

Configuring extundelete 0.2.4

Writing generated files to disk

 [root@orclA extundelete-0.2.4]# make && make install

测试准备：

[root@orclA /]# mount /dev/sdc1  /top

[root@orclA /]# cd /top

[root@orclA top]#

[root@orclA top]# ls

lost+found

[root@orclA top]# mkdir rm

[root@orclA top]# ls

lost+found  rm

[root@orclA top]# man rm >> rm01.txt

[root@orclA top]# man rm >> rm02.txt

[root@orclA top]# ls

lost+found  rm  rm01.txt  rm02.txt

[root@orclA top]# cd rm

[root@orclA rm]# man rm >> rm03.txt

[root@orclA rm]# man rm >> rm01.txt

[root@orclA top]# pwd

/top

[root@orclA top]# ls

lost+found  rm  rm01.txt  rm02.txt

[root@orclA top]# rm -rf ./*

[root@orclA top]# ls

恢复测试：

首先需要umount该文件所在磁盘，或者以read only方式重新挂载

umount  /top

or

mount -o remount,ro /top

使用extundelete工具恢复，会在当前目录下生成一个RECOVERED_FILES目录，相应文件恢复到该目录下

1> 恢复单个文件

[root@orclA tmp]# extundelete  /dev/sdc1  --restore-file  '/top/rm01.txt'

NOTICE: Extended attributes are not restored.

Loading filesystem metadata ... 40 groups loaded.

Loading journal descriptors ... 47 descriptors loaded.

Failed to restore file /top/rm01.txt

Could not find correct inode number past inode 2.

Try altering the filename to one of the entries listed below.

File name                                       | Inode number | Deleted status

.                                                 2

..                                                2

lost+found                                        11             Deleted

rm                                                131073         Deleted

rm01.txt                                          12             Deleted

rm02.txt                                          13             Deleted

extundelete: Operation not permitted while restoring file.

extundelete: Operation not permitted when trying to examine filesystem

[root@orclA tmp]# ls RECOVERED_FILES/

 恢复失败

2>恢复目录

[root@orclA tmp]# extundelete  /dev/sdc1  --restore-directory  '/top/rm'

NOTICE: Extended attributes are not restored.

Loading filesystem metadata ... 40 groups loaded.

Loading journal descriptors ... 47 descriptors loaded.

Failed to restore file /top/rm

Could not find correct inode number past inode 2.

Try altering the filename to one of the entries listed below.

File name                                       | Inode number | Deleted status

.                                                 2

..                                                2

lost+found                                        11             Deleted

rm                                                131073         Deleted

rm01.txt                                          12             Deleted

rm02.txt                                          13             Deleted

extundelete: Operation not permitted while restoring directory.

extundelete: Operation not permitted when trying to examine filesystem

[root@orclA tmp]# ls RECOVERED_FILES/

恢复失败

3>恢复整个磁盘

[root@orclA tmp]# extundelete  /dev/sdc1  --restore-all

NOTICE: Extended attributes are not restored.

Loading filesystem metadata ... 40 groups loaded.

Loading journal descriptors ... 47 descriptors loaded.

Searching for recoverable inodes in directory / ...

6 recoverable inodes found.

Looking through the directory structure for deleted files ...

0 recoverable inodes still lost.

[root@orclA tmp]# ls RECOVERED_FILES/

rm  rm01.txt  rm02.txt

恢复成功