How to recover accidentally deleted files or directories on Linux
Linux does not have such a conspicuous recycle bin as Windows, so it cannot be simply restored. The restoration of deleted files in Linux can be divided into two situations. One is that there is deletion information in the process after deletion, and the other is that the process cannot be found after deletion. It can only be restored with the help of tools. Here we will check and introduce them separately.
1. The process of accidentally deleting files is still there.
This usually means that an active process has continuous standard input or output. After the file is deleted, the process PID still exists. This is why some servers delete some files but the disk is not released. For example, the current example is: performing cat append operation on a test file through a shell terminal:
[root@21yunwei_backup ~]# echo "hello py" > testdelete.py[root@21yunwei_backup ~]# cat >> testdelete.pyhello delete
View this file in another terminal and you can clearly see the content:
[root@21yunwei_backup ~]# cat testdelete.pyhello pyhello delete
At this point, delete the file on the current server
rm -f ./testdelete.py
Command to view this directory, the file no longer exists, so now we will restore it.
1. Use lsof to check whether the deleted file process still exists.
A command lsof is used here. If it is not installed, please use yum or apt-get. In a similar situation, we can first use lsof to check whether the deleted file is still there:
[root@21yunwei_backup ~]# lsof | grep deletedmysqld 1512 mysql 5u REG 252,3 0 6312397 /tmp/ibzW3Lot (deleted)cat 20464 root 1w REG 252,3 23 1310722 /root/testdelete.py (deleted)
Fortunately, the process still exists in this situation, so start the recovery operation.
2. Recovery.
Recovery command:
cp /proc/pid/fd/1 /指定目录/文件名Enter the process directory, usually /proc/pid/fd/, for the current situation:
[root@21yunwei_backup ~]# cd /proc/20464/fd[root@21yunwei_backup fd]# lltotal 0lrwx------ 1 root root 64 Nov 15 18:12 0 > /dev/pts/1l-wx------ 1 root root 64 Nov 15 18:12 1 > /root/testdelete.py (deleted)lrwx------ 1 root root 64 Nov 15 18:12 2 > /dev/pts/1
Recovery operation:
cp 1 /tmp/testdelete.pyView Files:
[root@21yunwei_backup fd]# cat /tmp/testdelete.pyhello pyhello delete
Recovery complete.
2. The file process accidentally deleted no longer exists and can be restored with the help of tools.
Create the directory to be deleted and echo a file with the contents:
[root@21yunwei_backup 21yunwei]# tree.├── deletetest│ └── test.py├── lost+found└── passwd3 directories, 2 files[root@21yunwei_backup 21yunwei]# cat /21yunwei/deletetest/mail/test.pyhello Dj[root@21yunwei_backup 21yunwei]# tail -2 passwdhaproxy:x:500:502::/home/haproxy:/bin/bashtcpdump:x:72:72::/:/sbin/nologin
To perform a delete operation:
[root@21yunwei_backup 21yunwei]# rm -rf ./*[root@21yunwei_backup 21yunwei]# lltotal 0
Now let’s start recovering accidentally deleted files. In this case, there is generally no daemon or background process that continuously inputs it, so it is deleted when deleted, and lsof cannot see it. Just use tools. The tool we use here is extundelete third-party tool. The recovery steps are as follows:
1. Stop doing any operations on the current partition to prevent the inode from being overwritten. If the inode is overwritten, it will basically be restored. For example, stop the service of the partition where it is located, uninstall the device where the directory is located, and disconnect the network if necessary. 2. Use the dd command to back up the current partition to prevent data loss caused by third-party software recovery failure. It is suitable for situations where the data is very important. In this test, there is no backup. If the backup is done, the following methods can be considered:
dd if=/path/filename of=/dev/vdc11. Use the umount command to unmount the current device partition. Or the fuser command.
umount /dev/vdb1 或者 umount /21yunweiIf it prompts that the device is busy, you can use the fuser command to force uninstall:
fuser -m -v -i -k /21yunwei1. Download and install the third-party tool extundelete, search for accidentally deleted files and restore them.
wget http://nchc.dl.sourceforge.net/project/extundelete/extundelete/0.2.4/extundelete-0.2.4.tar.bz2tar jxvf extundelete-0.2.4.tar.bz2cd extundelete-0.2.4./configuremakemake install
Scan for accidentally deleted files:
[root@21yunwei_backup extundelete-0.2.4]# extundelete --inode 2 /dev/vdb1NOTICE: Extended attributes are not restored.Loading filesystem metadata ... 8 groups loaded.Group: 0Contents of inode 2:..省略N行File name | Inode number | Deleted status. 2.. 2lost+found 11 Deleteddeletetest 12 Deletedpasswd 14 Deleted
The folder we deleted was discovered through scanning and now the recovery operation is performed.
1. Restore a single file passwd
[root@21yunwei_backup /]# extundelete /dev/vdb1 --restore-file passwdNOTICE: Extended attributes are not restored.Loading filesystem metadata ... 8 groups loaded.Loading journal descriptors ... 46 descriptors loaded.Successfully restored file passwd
The recovered files are placed in the current directory RECOVERED_FILES. View recovered files:
[root@21yunwei_backup /]# tail -5 RECOVERED_FILES/passwdmysql:x:497:500::/home/mysql:/bin/falsenginx:x:496:501::/home/nginx:/sbin/nologinzabbix:x:495:497:Zabbix Monitoring System:/var/lib/zabbix:/sbin/nologinhaproxy:x:500:502::/home/haproxy:/bin/bashtcpdump:x:72:72::/:/sbin/nologin
2.Restore directory deletetest
[root@21yunwei_backup /]# extundelete /dev/vdb1 --restore-directory deletetestNOTICE: Extended attributes are not restored.Loading filesystem metadata ... 8 groups loaded.Loading journal descriptors ... 46 descriptors loaded.Searching for recoverable inodes in directory deletetest ...5 recoverable inodes found.Looking through the directory structure for deleted files ...[root@21yunwei_backup /]# cat RECOVERED_FILES/deletetest/mail/test.pyhello Dj
3.Restore all
[root@21yunwei_backup /]# extundelete /dev/vdb1 --restore-allNOTICE: Extended attributes are not restored.Loading filesystem metadata ... 8 groups loaded.Loading journal descriptors ... 46 descriptors loaded.Searching for recoverable inodes in directory / ...5 recoverable inodes found.Looking through the directory structure for deleted files ...0 recoverable inodes still lost.[root@21yunwei_backup /]# cd RECOVERED_FILES/[root@21yunwei_backup RECOVERED_FILES]# tree.├── deletetest│ └── test.py└── passwd2 directories, 2 files
4.Restore the specified inode
[root@21yunwei_backup /]# extundelete /dev/vdb1 --restore-inode 14NOTICE: Extended attributes are not restored.Loading filesystem metadata ... 8 groups loaded.Loading journal descriptors ... 46 descriptors loaded.[root@21yunwei_backup /]# tail -5 /RECOVERED_FILES/file.14mysql:x:497:500::/home/mysql:/bin/falsenginx:x:496:501::/home/nginx:/sbin/nologinzabbix:x:495:497:Zabbix Monitoring System:/var/lib/zabbix:/sbin/nologinhaproxy:x:500:502::/home/haproxy:/bin/bashtcpdump:x:72:72::/:/sbin/nologin
Note that when restoring an inode, the restored file name is different from before and needs to be renamed separately. The content is fine.
For more extundelete usage, please refer to the extundelete –help option parameter description. All operations are currently restored.
Original link:
http://www.21yunwei.com/archives/6030
Original author: 21 Operation and Maintenance
Recommended reading
5T technical resources are on sale! Including but not limited to: C/C++, Linux, Python, Java, PHP, artificial intelligence, microcontroller, Raspberry Pi, etc. Reply " 1024 " in the official account to get it for free! !
京公网安备 11010802033920号