Article catalogue
- preface
- 1, View partition types
- 2, Use centos7 software recovery tool extundelete to recover files
- 1. Install extundelete
- 2. Upload the extundelete installation package to the user-defined directory
- 3. Unzip the installation package
- 4. Enter the extracted installation package directory and execute the command
- 5. Create data directory and deletefile file
- 6. (of xfs partition)
- 6. (of ext4 partition)
- 7. Simulated deleted documents
- 8. (of xfs partition)
- 8. (ext4 partition)
- 9. View recovery files
- 10. Video Explanation and demonstration process (taking xfs as an example)
- summary
preface
Tip: Here we mainly introduce how to recover file data from centos deleted files by mistake. The video takes xfs as an example, and the blog will explain xfs and ext4 partition types.
Tip: the following is the main content of this article. The following cases can be used for reference
1, View partition types
Each partition corresponding to the centos we created has different types, which can be viewed through the following commands, and the recovery commands for different partition types are also different. This paper takes xfs partition as an example for demonstration, with video explanation.
df -T
xfs partition
ext4 partition
2, Use centos7 software recovery tool extundelete to recover files
1. Install extundelete
Download dependent packages:
yum install e2fsprogs-devel e2fsprogs e2fsprogs-libs
2. Upload the extundelete installation package to the user-defined directory
Baidu online disk link: https://pan.baidu.com/s/1UNS3TJxmnSuDWeI1sgarLQ Extraction code: d9sb
Here, I went to the / usr/local directory to create a software directory and uploaded the installation package through WinSCP
3. Unzip the installation package
Unzip the installation package in / usr/local/software directory
tar -jxvf extundelete-0.2.4.tar.bz2
4. Enter the extracted installation package directory and execute the command
yum -y install gcc yum -y install gcc-c++ cd extundelete-0.2.4 ./configure make make install which extundelete
5. Create data directory and deletefile file
cd / mkdir /data cd /data touch deletefile
6. (of xfs partition)
Backup command
xfsdump -f /tmp/dump_data /data -> dump_data -> media0
This xfsdump: Dump Status: SUCCESS indicates that the backup is successful
6. (of ext4 partition)
View delete directory
/usr/local/bin/extundelete --inode 2 /dev/sda2 NOTICE: Extended attributes are not restored. WARNING: EXT3_FEATURE_INCOMPAT_RECOVER is set. The partition should be unmounted to undelete any files without further data loss. If the partition is not currently mounted, this message indicates it was improperly unmounted, and you should run fsck before continuing. If you decide to continue, extundelete may overwrite some of the deleted files and make recovering those files impossible. You should unmount the file system and check it with fsck before using extundelete. Would you like to continue? (y/n) y Loading filesystem metadata ... 285 groups loaded. Group: 0 Contents of inode 2: 0000 | 6d 41 00 00 00 10 00 00 e2 b2 6a 61 66 b2 6a 61 | mA........jaf.ja 0010 | 66 b2 6a 61 00 00 00 00 00 00 13 00 08 00 00 00 | f.ja............ 0020 | 00 00 08 00 22 00 00 00 0a f3 01 00 04 00 00 00 | ...."........... 0030 | 00 00 00 00 00 00 00 00 01 00 00 00 26 24 00 00 | ............&$.. 0040 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 0050 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 0060 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 0070 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 0080 | 1c 00 00 00 d0 7f eb 7d d0 7f eb 7d 00 53 f7 34 | .......}...}.S.4 0090 | a2 be 68 61 00 00 00 00 00 00 00 00 00 00 02 ea | ..ha............ 00a0 | 07 06 44 00 00 00 00 00 1c 00 00 00 00 00 00 00 | ..D............. 00b0 | 73 65 6c 69 6e 75 78 00 00 00 00 00 00 00 00 00 | selinux......... 00c0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 00d0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 00e0 | 00 00 00 00 73 79 73 74 65 6d 5f 75 3a 6f 62 6a | ....system_u:obj 00f0 | 65 63 74 5f 72 3a 72 6f 6f 74 5f 74 3a 73 30 00 | ect_r:root_t:s0. Inode is Allocated File mode: 16749 Low 16 bits of Owner Uid: 0 Size in bytes: 4096 Access time: 1634382562 Creation time: 1634382438 Modification time: 1634382438 Deletion Time: 0 Low 16 bits of Group Id: 0 Links count: 19 Blocks count: 8 File flags: 524288 File version (for NFS): 0 File ACL: 0 Directory ACL: 0 Fragment address: 0 Direct blocks: 127754, 4, 0, 0, 1, 9254, 0, 0, 0, 0, 0, 0 Indirect block: 0 Double indirect block: 0 Triple indirect block: 0 File name | Inode number | Deleted status . 2 .. 2 lost+found 11 boot 2097153 dev 1179649 proc 1835009 run 1966081 sys 131073 etc 1310721 root 1441793 tmp 262145 var 393217 data 1048577 usr 1572865 bin 17 sbin 16 lib 13 lib64 15 home 524289 media 1703937 mnt 655361 opt 786433 srv 917505
You can find data 1048577
/usr/local/bin/extundelete --inode 1048577 /dev/sda2 NOTICE: Extended attributes are not restored. WARNING: EXT3_FEATURE_INCOMPAT_RECOVER is set. The partition should be unmounted to undelete any files without further data loss. If the partition is not currently mounted, this message indicates it was improperly unmounted, and you should run fsck before continuing. If you decide to continue, extundelete may overwrite some of the deleted files and make recovering those files impossible. You should unmount the file system and check it with fsck before using extundelete. Would you like to continue? (y/n) y Loading filesystem metadata ... 285 groups loaded. Group: 128 Contents of inode 1048577: 0000 | ed 41 00 00 00 10 00 00 98 b3 6a 61 88 b3 6a 61 | .A........ja..ja 0010 | 88 b3 6a 61 00 00 00 00 00 00 03 00 08 00 00 00 | ..ja............ 0020 | 00 00 08 00 06 00 00 00 0a f3 01 00 04 00 00 00 | ................ 0030 | 00 00 00 00 00 00 00 00 01 00 00 00 20 20 40 00 | ............ @. 0040 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 0050 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 0060 | 00 00 00 00 00 1c 85 44 00 00 00 00 00 00 00 00 | .......D........ 0070 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 0080 | 1c 00 00 00 00 08 6b d0 00 08 6b d0 14 06 2c a7 | ......k...k...,. 0090 | 66 b2 6a 61 d0 76 ae 7d 00 00 00 00 00 00 02 ea | f.ja.v.}........ 00a0 | 07 06 3c 00 00 00 00 00 23 00 00 00 00 00 00 00 | ..<.....#....... 00b0 | 73 65 6c 69 6e 75 78 00 00 00 00 00 00 00 00 00 | selinux......... 00c0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 00d0 | 00 00 00 00 00 00 00 00 00 00 00 00 75 6e 63 6f | ............unco 00e0 | 6e 66 69 6e 65 64 5f 75 3a 6f 62 6a 65 63 74 5f | nfined_u:object_ 00f0 | 72 3a 64 65 66 61 75 6c 74 5f 74 3a 73 30 00 00 | r:default_t:s0.. Inode is Allocated File mode: 16877 Low 16 bits of Owner Uid: 0 Size in bytes: 4096 Access time: 1634382744 Creation time: 1634382728 Modification time: 1634382728 Deletion Time: 0 Low 16 bits of Group Id: 0 Links count: 3 Blocks count: 8 File flags: 524288 File version (for NFS): 1149574144 File ACL: 0 Directory ACL: 0 Fragment address: 0 Direct blocks: 127754, 4, 0, 0, 1, 4202528, 0, 0, 0, 0, 0, 0 Indirect block: 0 Double indirect block: 0 Triple indirect block: 0 File name | Inode number | Deleted status . 1048577 .. 2 deletefile 1048578 Deleted delete 1048579 Deleted RECOVERED_FILES 1048580
You can see that the inode values of deletefile and delete are listed
7. Simulated deleted documents
Simulate deleting all contents in the / data directory
rm -rf /data/*
8. (of xfs partition)
Restore file command
xfsrestore -f /tmp/dump_data /data
8. (ext4 partition)
Command to recover the data directory:
/usr/local/bin/extundelete /dev/sda2 --restore-directory /data
If:
NOTICE: Extended attributes are not restored. WARNING: EXT3_FEATURE_INCOMPAT_RECOVER is set. The partition should be unmounted to undelete any files without further data loss. If the partition is not currently mounted, this message indicates it was improperly unmounted, and you should run fsck before continuing. If you decide to continue, extundelete may overwrite some of the deleted files and make recovering those files impossible. You should unmount the file system and check it with fsck before using extundelete. Would you like to continue? (y/n) //The information here is caused by my experiment in the root directory and unable to uninstall. The general meaning here is that if you want to do this operation, you'd better uninstall the partition and then restore it. Otherwise, if you don't uninstall, the original inode will be overwritten if there is a write operation. If you have uninstalled the partition and report this error, use fuser -k /PATH, Then umount /PATH. If you use this word, it will lead to failure or unsuccessful recovery. Since it is a test server and an experimental operation, I choose Y. it is recommended not to do so in the production environment. y Loading filesystem metadata ... 285 groups loaded. Loading journal descriptors ... 25781 descriptors loaded. Failed to restore file 1048579 Could not find correct inode number past inode 2. Try altering the filename to one of the entries listed below. File name | Inode number | Deleted status /usr/local/bin/extundelete: Operation not permitted while restoring directory. /usr/local/bin/extundelete: Operation not permitted when trying to examine filesystem
It is generally used to recover all deleted files
sudo /usr/local/bin/extundelete /dev/sda2 --restore-all
9. View recovery files
cd /data ls
10. Video Explanation and demonstration process (taking xfs as an example)
Station B address: https://www.bilibili.com/video/BV1nq4y1d7KB?spm_id_from=333.999.0.0
summary
Tip: This article mainly explains how to recover centos files deleted by mistake (xfs type partition). The reason is that I deleted the docker image file by mistake in the test environment, resulting in the loss of all running image files and the project can not run. Therefore, I made this blog and video as a record and shared it with you.