Linux uses lsof/extundelete tools to restore accidentally deleted files or directories

Preface

Linux does not have a prominent Recycle Bin like Windows, so you cannot simply restore it.

There are two situations in which files can be restored after being deleted in Linux. One is that the deletion information exists in the process after deletion, and the other is that the process cannot be found after deletion and can only be restored with the help of tools. Here are the inspections and introductions

1. The situation where the process of accidentally deleting a file is still there.

This usually happens when there is an active process with continuous standard input or output. When the file is deleted, the process PID still exists. This is why some servers delete some files but the disk is not released. For example, the current example:

Use a shell terminal to append cat to a test file:

[root@21yunwei_backup ~]# echo "hello py" > testdelete.py
[root@21yunwei_backup ~]# cat >> testdelete.py 
hello delete

Viewing this file in another terminal clearly shows the content:

[root@21yunwei_backup ~]# cat testdelete.py 
hello py
hello delete

At this time, delete the file rm -f ./testdelete.py on the current server

Command to check this directory, the file no longer exists, so now we will restore it.

1. Use lsof to check whether the deleted file process still exists. Here we use a command lsof. If it is not installed, please install it by yum or apt-get. In a similar situation, we can first use lsof to check whether the deleted files are still there:

[root@21yunwei_backup ~]# lsof | grep deleted
mysqld 1512 mysql 5u REG 252,3 0 6312397 /tmp/ibzW3Lot (deleted)
cat 20464 root 1w REG 252,3 23 1310722 /root/testdelete.py (deleted)

Fortunately, the process still exists in this case, so start the recovery operation.

2. Recovery.

Restore command:

cp /proc/pid/fd/1 /specified directory/file name

Enter the process directory, usually /proc/pid/fd/, for the current situation:

[root@21yunwei_backup ~]# cd /proc/20464/fd
[root@21yunwei_backup fd]# ll
total 0
lrwx------ 1 root root 64 Nov 15 18:12 0 > /dev/pts/1
l-wx------ 1 root root 64 Nov 15 18:12 1 > /root/testdelete.py (deleted)
lrwx------ 1 root root 64 Nov 15 18:12 2 > /dev/pts/1

Recovery Operation:

cp 1 /tmp/testdelete.py

View the file:

[root@21yunwei_backup fd]# cat /tmp/testdelete.py
hello py
hello delete

Recovery is complete.

Second, the accidentally deleted file process no longer exists and can be restored with the help of tools.

Create the directory to be deleted and echo a file with its contents:

[root@21yunwei_backup 21yunwei]# tree
.
├── deletetest
│ └── mail
│ └── test.py
├── lost+found
└── passwd
 
3 directories, 2 files
[root@21yunwei_backup 21yunwei]# cat /21yunwei/deletetest/mail/test.py 
hello dj
[root@21yunwei_backup 21yunwei]# tail -2 passwd 
haproxy:x:500:502::/home/haproxy:/bin/bash
tcpdump:x:72:72::/:/sbin/nologin

To perform a delete operation:

[root@21yunwei_backup 21yunwei]# rm -rf ./*
[root@21yunwei_backup 21yunwei]# ll
total 0

Now start to recover accidentally deleted files. This situation usually occurs when there is no daemon or background process continuously inputting it, so it is deleted and lsof cannot see it. You need to use tools. The tool we use here is the extundelete third-party tool. The recovery steps are as follows:

1. Stop any operation on the current partition to prevent the inode from being overwritten. If the inode is overwritten, you are basically done with cycling. For example, you can stop the service of the partition, uninstall the device where the directory is located, and disconnect from the network if necessary.

2. Use the dd command to back up the current partition to prevent data loss due to recovery failure of third-party software. Suitable for situations where data is very important. In this test, there is no backup. If backup is required, the following methods can be considered:

dd if=/path/filename of=/dev/vdc1

3. Use the umount command to uninstall the current device partition. Or the fuser command.

umount /dev/vdb1 or umount /21yunwei

If the device is busy, you can use the fuser command to force the uninstallation: fuser -m -v -i -k /21yunwei

4. Download the third-party tool extundelete and install it, search for accidentally deleted files and restore them.

wget http://nchc.dl.sourceforge.net/project/extundelete/extundelete/0.2.4/extundelete-0.2.4.tar.bz2
tar jxvf extundelete-0.2.4.tar.bz2
cd extundelete-0.2.4
./configure 
make
make install

Scan for accidentally deleted files:

[root@21yunwei_backup extundelete-0.2.4]# extundelete --inode 2 /dev/vdb1
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 8 groups loaded.
Group: 0
Contents of inode 2:
 
.
.Omit N lines File name | Inode number | Deleted status
. 2
.. 2
lost+found 11 Deleted
deletetest 12 Deleted
passwd 14 Deleted
 

The scan found the folder we deleted and now we are going to perform the recovery operation.

(1) Restore a single file passwd

[root@21yunwei_backup /]# extundelete /dev/vdb1 --restore-file passwd  
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 8 groups loaded.
Loading journal descriptors ... 46 descriptors loaded.
Successfully restored file passwd
 

The recovered files are placed in the current directory RECOVERED_FILES.

View the recovered files:

[root@21yunwei_backup /]# tail -5 RECOVERED_FILES/passwd 
mysql:x:497:500::/home/mysql:/bin/false
nginx:x:496:501::/home/nginx:/sbin/nologin
zabbix:x:495:497:Zabbix Monitoring System:/var/lib/zabbix:/sbin/nologin
haproxy:x:500:502::/home/haproxy:/bin/bash
tcpdump:x:72:72::/:/sbin/nologin

(2) Restore directory deletetest

[root@21yunwei_backup /]# extundelete /dev/vdb1 --restore-directory deletetest 
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 8 groups loaded.
Loading journal descriptors ... 46 descriptors loaded.
Searching for recoverable inodes in directory deletetest ... 
5 recoverable inodes found.
Looking through the directory structure for deleted files ... 
[root@21yunwei_backup /]# cat RECOVERED_FILES/deletetest/mail/test.py 
hello dj

(3) Restore all

[root@21yunwei_backup /]# extundelete /dev/vdb1 --restore-all
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 8 groups loaded.
Loading journal descriptors ... 46 descriptors loaded.
Searching for recoverable inodes in directory / ... 
5 recoverable inodes found.
Looking through the directory structure for deleted files ... 
0 recoverable inodes still lost. 
[root@21yunwei_backup /]# cd RECOVERED_FILES/
[root@21yunwei_backup RECOVERED_FILES]# tree
.
├── deletetest
│ └── mail
│ └── test.py
└── passwd
 
2 directories, 2 files

(4) Restore the specified inode.

[root@21yunwei_backup /]# extundelete /dev/vdb1 --restore-inode 14
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 8 groups loaded.
Loading journal descriptors ... 46 descriptors loaded.
[root@21yunwei_backup /]# tail -5 /RECOVERED_FILES/file.14 
mysql:x:497:500::/home/mysql:/bin/false
nginx:x:496:501::/home/nginx:/sbin/nologin
zabbix:x:495:497:Zabbix Monitoring System:/var/lib/zabbix:/sbin/nologin
haproxy:x:500:502::/home/haproxy:/bin/bash
tcpdump:x:72:72::/:/sbin/nologin

Note that when restoring the inode, the restored file name will be different from the previous one and needs to be renamed separately. The content is fine.

For more usage of extundelete, please refer to the extundelete –help option parameter description. Currently, all recovery operations are completed.

Summarize

This is the end of this article about how to use the lsof/extundelete tool in Linux to recover accidentally deleted files or directories. For more information about how to recover accidentally deleted files or directories in Linux, please search for previous articles on 123WORDPRESS.COM or continue to browse the related articles below. I hope you will support 123WORDPRESS.COM in the future!