误删除系列二：恢复已经删除文件

背景：基于对恢复的好奇心，所以写一系列相关的博客，在linux没有回收站这一说法，通过rm -rf file的操作，如何恢复

以下的讨论分为两种情况：

• 删除后进程还能找到情况
• 删除后进程找不到，需要借助外部工具来实现

进程还在的情况：

一般是有活动的进程存在持续标准输入或输出，到时文件被删除后，进程PID依然在，这也是某些服务器删除一些文件但是磁盘不释放的原因。

1.打开一个终端：
[root@node1-centos7u6 ~]# echo "delete test" > testfile
[root@node1-centos7u6 ~]# ls
testfile
[root@node1-centos7u6 ~]# cat >> testfile 
add testing words 

2.打开另一个终端：
[root@node1-centos7u6 ~]# cat testfile 
delete test
add testing words

3.进行删除操作：
[root@node1-centos7u6 ~]# rm -rf testfile

4.使用lsof查看删除文件进程是否还存在(yum install lsof)
[root@node1-centos7u6 ~]# lsof |grep testfile
cat       108850             root    1w      REG              253,0        30   34125635 /root/testfile (deleted)  <----

5.恢复操作
[root@node1-centos7u6 ~]# cd /proc/108850/fd
[root@node1-centos7u6 fd]# ll
total 0
lrwx------. 1 root root 64 Mar 30 13:04 0 -> /dev/pts/1
l-wx------. 1 root root 64 Mar 30 13:04 1 -> /root/testfile (deleted)
lrwx------. 1 root root 64 Mar 30 13:04 2 -> /dev/pts/1
[root@node1-centos7u6 fd]# cp 1 ~/testfile-restore
[root@node1-centos7u6 fd]# cat ~/testfile-restore
delete test
add testing words

进程不在的情况：需要借助工具实现

1.准备一个挂载盘和一些文件目录

[root@node1-centos7u6 ~]# lsblk 
NAME            MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
sda               8:0    0   20G  0 disk 
├─sda1            8:1    0    1G  0 part /boot
└─sda2            8:2    0   19G  0 part 
  ├─centos-root 253:0    0   17G  0 lvm  /
  └─centos-swap 253:1    0    2G  0 lvm  [SWAP]
sdb               8:16   0    1G  0 disk 
└─sdb1            8:17   0 1023M  0 part   <----
sr0              11:0    1  4.3G  0 rom  
[root@node1-centos7u6 ~]# mkfs.ext4 /dev/sdb1
[root@node1-centos7u6 ~]# mount /dev/sdb1 /mnt/


[root@node1-centos7u6 ~]# cd /mnt/
mkdir backup
cd backup
mkdir delete
mkdir delete/inner
echo "Delete test." > delete/inner/deletefile 
echo "reid:x:112:172::/:/sbin/nologin" > reidpasswd

目录结构：
[root@node1-centos7u6 mnt]# tree backup/
backup/
├── delete
│   └── inner
│       └── deletefile
└── reidpasswd

2.删除目录

[root@node1-centos7u6 mnt]# rm -rf backup/
[root@node1-centos7u6 mnt]# ll
total 16
drwx------. 2 root root 16384 Mar 30 13:29 lost+found

3.引用第三方恢复工具extundelete

• 停止对当前分区做任何操作，防止inode被覆盖。inode被覆盖基本就告别恢复了。
• 夸张一点讲，比如停止所在分区的服务，卸载目录所在的设备，有必要的情况下都可以断网。
• 通过dd命令对 当前分区进行备份，防止第三方软件恢复失败导致数据丢失。
• 适合数据非常重要的情况，这里是例子，所以就没有备份，如备份可以考虑如下方式：dd if=/path/filename of=/dev/vdc1
• 通过umount命令，对当前设备分区卸载。或者fuser 命令umount /dev/vdb1
• 如果提示设备busy，可以用fuser命令强制卸载：fuser -m -v -i -k ./
• 下载第三方工具extundelete安装，搜索误删除的文件进行还原

a.安装extundelete工具：

[root@node1-centos7u6 ~]# wget https://nchc.dl.sourceforge.net/project/extundelete/extundelete/0.2.4/extundelete-0.2.4.tar.bz2

解压：
[root@node1-centos7u6 ~]# tar xf extundelete-0.2.4.tar.bz2

编译：
[root@node1-centos7u6 ~]# cd extundelete-0.2.4
[root@node1-centos7u6 extundelete-0.2.4]# ./configure 
centos configure: error: Can't find ext2fs library
解决办法：yum -y install  e2fsprogs.x86_64 e2fsprogs-devel.x86_64 e2fsprogs-libs.x86_64
顺利完成：
Configuring extundelete 0.2.4
Writing generated files to disk

安装：
[root@node1-centos7u6 extundelete-0.2.4]# make
make -s all-recursive
Making all in src
extundelete.cc: In function ‘ext2_ino_t find_inode(ext2_filsys, ext2_filsys, ext2_inode*, std::string, int)’:
extundelete.cc:1272:29: warning: narrowing conversion of ‘search_flags’ from ‘int’ to ‘ext2_ino_t {aka unsigned int}’ inside { } [-Wnarrowing]
    buf, match_name2, priv, 0};      警告可以忽略
                             ^
[root@node1-centos7u6 extundelete-0.2.4]# make install

b.扫描删除文件

[root@node1-centos7u6 ~]# df -lh
Filesystem               Size  Used Avail Use% Mounted on
/dev/mapper/centos-root   17G  2.0G   16G  12% /
devtmpfs                 979M     0  979M   0% /dev
tmpfs                    991M   53M  938M   6% /dev/shm
tmpfs                    991M  9.6M  981M   1% /run
tmpfs                    991M     0  991M   0% /sys/fs/cgroup
/dev/sda1               1014M  163M  852M  17% /boot
tmpfs                    199M     0  199M   0% /run/user/0
/dev/sdb1                991M  2.6M  922M   1% /test  <----

c.卸载挂载盘

[root@node1-centos7u6 ~]# umount /test/

***Note****一定要umount,防止二次写入，否则无法恢复

d.恢复单一文件

[root@node1-centos7u6 ~]# mkdir test-recover
[root@node1-centos7u6 ~]# cd test-recover
[root@node1-centos7u6 test-recover]# extundelete /dev/sdb1  --restore-file reidpasswd
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 8 groups loaded.
Loading journal descriptors ... 185 descriptors loaded.
Successfully restored file reidpasswd
[root@node1-centos7u6 test-recover]# cat RECOVERED_FILES/reidpasswd 
reid:x:112:172::/:/sbin/nologin

e.恢复目录

[root@node1-centos7u6 test-recover]# extundelete /dev/sdb1  --restore-directory backup
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 8 groups loaded.
Loading journal descriptors ... 185 descriptors loaded.
Searching for recoverable inodes in directory backup ... 
5 recoverable inodes found.
Looking through the directory structure for deleted files ... 
1 recoverable inodes still lost.
[root@node1-centos7u6 test-recover]# ll RECOVERED_FILES/
total 4
drwxr-xr-x. 3 root root 38 Mar 30 14:21 backup
-rw-r--r--. 1 root root 32 Mar 30 14:19 reidpasswd
[root@node1-centos7u6 test-recover]# ll RECOVERED_FILES/backup/
total 4
drwxr-xr-x. 3 root root 19 Mar 30 14:21 delete
-rw-r--r--. 1 root root 32 Mar 30 14:21 reidpasswd