Recovering Deleted Files on an Ext3 File System in CentOS


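Hello everyone. Yesterday a colleague, working as the administrator (root) on a Linux system, deleted another user's home directory (rm -rf /home/tong), and none of the files could be found again. I searched Baidu and Google and finally solved the problem. I am now writing up the process, in the hope that it will help everyone in the future.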

1. Install the software (ext3grep depends on the system's three e2fsprogs packages)

[root@redhat1 home]# mkdir /mnt/cdrom # create the CD-ROM mount point

[root@redhat1 home]# mount /dev/cdrom /mnt/cdrom # mount the CD-ROM
mount: block device /dev/sr0 is write-protected, mounting read-only
[root@redhat1 home]# vim /etc/yum.repos.d/base.repo # configure the system's local yum repository

[base]
name=base
baseurl=file:///mnt/cdrom
enabled=1
gpgcheck=1
gpgkey=file:///mnt/cdrom/RPM-GPG-KEY-REDHAT-6

[root@redhat1 home]# yum install e2fs* # install the packages ext3grep depends on

[root@redhat1 home]# rpm -aq |grep e2fs # check that the packages are installed
e2fsprogs-devel-1.41.12-14.el6.i686
e2fsprogs-libs-1.41.12-14.el6.i686
e2fsprogs-1.41.12-14.el6.i686

[root@redhat1 home]# wget http://code.google.com/p/ext3grep/downloads/detail?name=ext3grep-0.10.2.tar.gz # download the ext3grep package

[root@redhat1 home]# tar xvf ext3grep-0.10.2.tar.gz # unpack the package

[root@redhat1 home]# cd ext3grep-0.10.2 # enter the source directory

[root@redhat1 ext3grep-0.10.2]# ./configure --prefix=/usr/local/ext3grep && make && make install # build and install

[root@redhat1 ext3grep-0.10.2]# ll /usr/local/ |grep ext3 # confirm that the software was installed
drwxr-xr-x. 3 root root 4096 Dec 2 17:24 ext3grep
[root@redhat1 ext3grep-0.10.2]#

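2. Create a new block device (here a 100 MB image file) and use it for testing. If you use the /home directory instead, /home must be a separate partition, because it has to be mounted and unmounted in the later steps.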

[root@redhat1 home]# dd if=/dev/zero of=123 bs=1M count=100 # create a new block device named 123 under /home
100+0 records in
100+0 records out
104857600 bytes (105 MB) copied, 0.634943 s, 165 MB/s

[root@redhat1 home]# mkfs.ext3 123 # format the block device

mke2fs 1.41.12 (17-May-2010)
123 is not a block special device.
Proceed anyway? (y,n) y # enter y to confirm
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
Stride=0 blocks, Stripe width=0 blocks
25688 inodes, 102400 blocks
5120 blocks (5.00%) reserved for the super user
First data block=1
Maximum filesystem blocks=67371008
13 block groups
8192 blocks per group, 8192 fragments per group
1976 inodes per group
Superblock backups stored on blocks:
8193, 24577, 40961, 57345, 73729

Writing inode tables: done
Creating journal (4096 blocks): done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 27 mounts or
180 days, whichever comes first. Use tune2fs -c or -i to override.

[root@redhat1 home]# mkdir /mnt/123 # create the mount point for the block device

[root@redhat1 home]# mount 123 /mnt/123 -o loop # mount block device 123 on /mnt/123

[root@redhat1 home]# df -TH # check that it is mounted
Filesystem Type Size Used Avail Use% Mounted on
/dev/mapper/VolGroup-lv_root
ext4 20G 3.8G 16G 20% /
tmpfs tmpfs 262M 0 262M 0% /dev/shm
/dev/sda1 ext4 508M 32M 451M 7% /boot
df: `/mnt/cdrom': No such file or directory
/dev/sr0 iso9660 3.2G 3.2G 0 100% /mnt
/home/123 ext3 102M 5.8M 91M 7% /mnt/123 # the device is mounted

3. Copy files, then delete them.

[root@redhat1 home]# cp -a /etc/passwd /etc/shadow /etc/group /mnt/123/ # copy the files onto the device

[root@redhat1 home]# ll /mnt/123/ # check that the files are there
total 19
-rw-r--r--. 1 root root 712 Dec 2 14:39 group
drwx------. 2 root root 12288 Dec 4 11:14 lost+found
-rw-r--r--. 1 root root 1509 Dec 2 14:39 passwd
----------. 1 root root 976 Dec 2 14:39 shadow
[root@redhat1 home]# sync # flush the files to disk

[root@redhat1 home]# rm -rf /mnt/123/passwd /mnt/123/shadow # delete the files

[root@redhat1 home]# sync # flush again

[root@redhat1 home]# umount /mnt/123 # unmount the device

4. Recover the files

[root@redhat1 home]# cd /usr/local/ext3grep/bin/ # enter the ext3grep installation directory

[root@redhat1 bin]# ./ext3grep --ls --inode 2 /home/123
Running ext3grep version 0.10.2
WARNING: I don't know what EXT3_FEATURE_COMPAT_EXT_ATTR is.
Number of groups: 13
Loading group metadata... done
Minimum / maximum journal block: 49402 / 53515
Loading journal descriptors... sorting... done
The oldest inode block that is still in the journal, appears to be from 1386127317 = Wed Dec 4 11:21:57 2013
Number of descriptors in journal: 22; min / max sequence numbers: 2 / 5
Inode is Allocated
Finding all blocks that might be directories.
D: block containing directory start, d: block containing more directory entries.
Each plus represents a directory start that references the same inode as a directory start that we found previously.

Searching group 0: DD
Searching group 1:
Searching group 2:
Searching group 3:
Searching group 4:
Searching group 5:
Searching group 6: ++
Searching group 7:
Searching group 8:
Searching group 9:
Searching group 10:
Searching group 11:
Searching group 12:
Writing analysis so far to '123.ext3grep.stage1'. Delete that file if you want to do this stage again.
Result of stage one:
2 inodes are referenced by one or more directory blocks, 2 of those inodes are still allocated.
1 inodes are referenced by more than one directory block, 1 of those inodes is still allocated.
0 blocks contain an extended directory.
Result of stage two:
2 of those inodes could be resolved because they are still allocated.
All directory inodes are accounted for!


Writing analysis so far to '123.ext3grep.stage2'. Delete that file if you want to do this stage again.
The first block of the directory is 508.
Inode 2 is directory "".
Directory block 508:
.-- File type in dir_entry (r=regular file, d=directory, l=symlink)
| .-- D: Deleted ; R: Reallocated
Indx Next | Inode | Deletion time Mode File name
==========+==========+----------------data-from-inode------+-----------+=========
0 1 d 2 drwxr-xr-x .
1 2 d 2 drwxr-xr-x ..
2 5 d 11 drwx------ lost+found
3 4 r 12 D 1386127493 Wed Dec 4 11:24:53 2013 rrw-r--r-- passwd # D marks a deleted file
4 5 r 13 D 1386127493 Wed Dec 4 11:24:53 2013 r--------- shadow
5 end r 14 rrw-r--r-- group
[root@redhat1 bin]# ./ext3grep --restore-file passwd /home/123 # --restore-file recovers a file by name
Running ext3grep version 0.10.2
WARNING: I don't know what EXT3_FEATURE_COMPAT_EXT_ATTR is.
Number of groups: 13
Minimum / maximum journal block: 49402 / 53515
Loading journal descriptors... sorting... done
The oldest inode block that is still in the journal, appears to be from 1386127317 = Wed Dec 4 11:21:57 2013
Number of descriptors in journal: 22; min / max sequence numbers: 2 / 5
Writing output to directory RESTORED_FILES/
Loading 123.ext3grep.stage2... done
Restoring passwd # the passwd file was restored successfully
[root@redhat1 bin]# ./ext3grep --restore-inode 13 /home/123 # recover a file by inode number (--restore-inode)
Running ext3grep version 0.10.2
WARNING: I don't know what EXT3_FEATURE_COMPAT_EXT_ATTR is.
Number of groups: 13
Minimum / maximum journal block: 49402 / 53515
Loading journal descriptors... sorting... done
The oldest inode block that is still in the journal, appears to be from 1386127317 = Wed Dec 4 11:21:57 2013

Number of descriptors in journal: 22; min / max sequence numbers: 2 / 5
Restoring inode.13 # restored successfully
[root@redhat1 bin]# ll RESTORED_FILES/ # the recovered files are stored in a RESTORED_FILES directory under the current directory

total 8
----------. 1 root root 976 Dec 2 14:39 inode.13
-rw-r--r--. 1 root root 1509 Dec 2 14:39 passwd
[root@redhat1 bin]#
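
As an added example (not part of the original post or of ext3grep), the shell helper below turns the `--ls --inode` directory listing shown above into a list of deleted inodes, oldest deletion first, and prints the matching `--restore-inode` commands. It assumes the row layout of that listing; `deleted_entries`, `restore_commands` and `sample_listing` are hypothetical names, and the sample rows are copied from the session above.

```shell
#!/bin/sh
# Added example: list the deleted entries from `ext3grep --ls --inode N` output.
# Assumed row layout (taken from the listing on this page):
#   Indx Next type Inode D epoch <5-field date> Mode Name
TAB=$(printf '\t')

# Reads a listing on stdin; prints "inode<TAB>deletion_epoch<TAB>type<TAB>name"
# for every row flagged D, oldest deletion first.
deleted_entries() {
  awk '
    # data rows: numeric index, numeric inode, D flag, numeric deletion time
    $1 ~ /^[0-9]+$/ && $4 ~ /^[0-9]+$/ && $5 == "D" && $6 ~ /^[0-9]+$/ {
      name = $13
      for (i = 14; i <= NF; i++) name = name " " $i   # keep names with spaces
      printf "%s\t%s\t%s\t%s\n", $4, $6, $3, name
    }' | sort -t "$TAB" -k2,2n -k1,1n
}

# Reads a listing on stdin; prints one restore command per deleted inode.
# $1 is the image or device that ext3grep should read.
restore_commands() {
  image=$1
  deleted_entries | while IFS="$TAB" read -r inode epoch type name; do
    printf 'ext3grep --restore-inode %s %s   # %s, deleted at %s\n' \
      "$inode" "$image" "$name" "$epoch"
  done
}

# Constructed sample: the "Directory block 508" rows from the session above.
sample_listing() {
  cat <<'EOF'
Indx Next |  Inode   | Deletion time                        Mode        File name
==========+==========+----------------data-from-inode------+-----------+=========
   0    1 d       2                                         drwxr-xr-x  .
   1    2 d       2                                         drwxr-xr-x  ..
   2    5 d      11                                         drwx------  lost+found
   3    4 r      12  D 1386127493 Wed Dec  4 11:24:53 2013  rrw-r--r--  passwd
   4    5 r      13  D 1386127493 Wed Dec  4 11:24:53 2013  r---------  shadow
   5  end r      14                                         rrw-r--r--  group
EOF
}

sample_listing | restore_commands /home/123
```

Restoring by inode number, as the generated commands do, avoids ambiguity when several deleted entries share a file name.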

Note: for recovering deleted files on an Ext4 file system in Linux, see: http://597011036.blog.51cto.com/6214144/1335953

Key points: 1. ext3grep command reference:

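ext3grep /home/123 --dump-names # list the names of existing and deleted files
ext3grep /home/123 --ls --inode 2 # detailed listing of existing and deleted files (in the listing, D marks a deleted entry; r = regular file, d = directory)
ext3grep /home/123 --restore-file <file name> # recover a file by name
ext3grep /home/123 --restore-all # recover all files
ext3grep /home/123 --restore-inode <inode number> # recover the file with the given inode number
ext3grep /home/123 --ls --inode 15809 # list the directory whose inode is 15809 to see which files it still contains
ext3grep /home/1234 --restore-file <directory>/<file> # restore a file inside a directory (to list the directory: ext3grep /home/1234 --ls --inode <directory inode>)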

2. Error handling:

1) If running the command reports an error:

[root@redhat1 bin]# ./ext3grep --ls --inode 2 /home/123

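Solution: run rm -rf 123.ext3grep.stage1 123.ext3grep.stage2 RESTORED_FILES and the command will work again. The two stage files are the cached analysis that ext3grep writes to the directory it is run from (see the "Writing analysis so far to ..." lines above), so deleting them makes it redo both stages. Copy any files you have already recovered out of RESTORED_FILES first, because this command deletes that directory too.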