首先,需立即将磁盘挂载为只读。 否则其他daemons 都来读写,神仙都恢复不了了。磁盘规划时一定要做功能分区。否则,误删了想恢复也很困难。比如linux安装时不分区整个装/下面,就很麻烦。 /data挂在/dev/sdb1上
[root@hs12 sh]# mount /dev/sdb1 on /data type ext4 (rw) [root@hs12 hadoop]# mount -r -n -o remount /data mount: /data is busy
这需看看有哪些进程在用:
[root@hs12 hadoop]# fuser -v -m /data
可以看到有很多java和hadoop进程在使用,杀之。
[root@hs12 hadoop]# mount -r -n -o remount /data
成功。 再到/data里touch文件,报错。
[root@hs12 data]# touch a touch: cannot touch `a’: Read-only file system
一下就放轻松了很多。因为改为只读挂载后,可以慢慢恢复,再也不用担心我的文件被覆盖。 使用debugfs 用debugfs查找被删文件的inode,再想法恢复。
[root@hs12 ~]# debugfs /dev/sdb1 debugfs 1.41.12 (17-May-2010) debugfs: debugfs: lsdel Inode Owner Mode Size Blocks Time deleted 0 deleted inodes found.
神奇的debugfs 根本没找到有文件被删除的inodes,难道是我不会用? 失败! 使用grep恢复 grep 在磁盘二进制中查找文本,把前后的字符导出来,也许可以恢复部分。
[root@hs12 hadoop]# grep -a -B 100 -A 100 ‘active.sh’ /dev/sdb1 > results.txt
只有一些乱七八糟的二进制。失败!使用ext3grep 我的是ext4系统,根本不起作用。 只好寻找专业工具 用testdisk 6.14
使用介绍:
http://www.cgsecurity.org/wiki/TestDisk%3a_undelete_file_for_ext2
下载:
wget http://www.cgsecurity.org/testdisk-6.14.linux26-x86_64.tar.bz2 [root@hs12 hadoop]# cd testdisk-6.14 [root@hs12 testdisk-6.14]# ls Android.mk ChangeLog documentation.html fidentify_static INFO l photorec.8 README testdisk.8 testdisk_static VERSION AUTHORS COPYING fidentify.8 ico jni NEWS photorec_static readme.txt testdisk.log THANKS [root@hs12 testdisk-6.14]# ./testdisk_static TestDisk 6.14, Data Recovery Utility, July 2013 Christophe GRENIER <grenier@cgsecurity.org> http://www.cgsecurity.org 1 P MS Data 2048 7811889151 7811887104 [primary] Directory / >drwxr-xr-x 500 500 4096 28-Aug-2013 13:41 . drwxr-xr-x 500 500 4096 28-Aug-2013 13:41 .. drwxrwxrwx 500 500 16384 18-Jul-2013 15:42 lost+found drwxrwxrwx 500 500 12288 12-Sep-2013 00:36 logs drwxrwxrwx 500 500 4096 25-Jul-2013 16:54 test1 drwxrwxr-x 500 500 4096 12-Sep-2013 03:28 statis drwxrwxr-x 500 500 4096 12-Sep-2013 17:40 sh drwxrwxr-x 500 500 12288 3-Sep-2013 15:28 hadoop Next Use Right to change directory, h to hide deleted files q to quit, : to select the current file, a to select all files C to copy the selected files, c to copy the current file 选到相应目录,enter,终于看到了删除的文件名,但是文件大小怎么都是0啊? TestDisk 6.14, Data Recovery Utility, July 2013 Christophe GRENIER <grenier@cgsecurity.org> http://www.cgsecurity.org 1 P MS Data 2048 7811889151 7811887104 [primary] Directory /sh drwxrwxr-x 500 500 4096 12-Sep-2013 17:40 . drwxr-xr-x 500 500 4096 28-Aug-2013 13:41 .. >-rwxrwxr-x 500 500 0 12-Sep-2013 17:40 active.awk -rwxrwxr-x 500 500 0 12-Sep-2013 17:40 active.sh lrwxrwxrwx 500 500 13 2-Aug-2013 17:17 statis -rwxrwxr-x 500 500 0 12-Sep-2013 17:40 dateutil.sh -rwxrwxr-x 500 500 0 12-Sep-2013 17:40 hiveput.sh -rwxrwxr-x 500 500 0 12-Sep-2013 17:40 multidate.sh drwxrwxr-x 500 500 4096 3-Sep-2013 15:24 errlogs -rwxrwxr-x 500 500 0 12-Sep-2013 17:40 hiveactive.sh drwxrwxr-x 500 500 4096 12-Sep-2013 17:40 cps drwxrwxr-x 500 500 4096 30-Aug-2013 15:21 TempStatsStore -rwxrwxr-x 500 500 0 12-Sep-2013 17:40 bkactive.awk -rwxrwxr-x 500 500 0 12-Sep-2013 17:40 test.awk -rwxrwxr-x 500 500 0 12-Sep-2013 17:40 t.awk -rwxrwxr-x 500 500 0 12-Sep-2013 17:40 print -rw-rw-r– 500 500 0 12-Sep-2013 17:40 a -rw-rw-r– 500 500 0 12-Sep-2013 17:40 a.txt -rwxrwxr-x 500 500 0 12-Sep-2013 17:40 user.awk -rw-rw-r– 500 500 0 12-Sep-2013 17:40 luan -rwxrwxr-x 500 500 0 12-Sep-2013 17:40 cps.sh -rwxrwxr-x 500 500 0 12-Sep-2013 17:40 hivenewdev.sh -rw-rw-r– 500 500 0 12-Sep-2013 17:40 hive2mysql.sh -rw-rw-r– 500 500 0 12-Sep-2013 17:40 py lrwxrwxrwx 500 500 12 26-Aug-2013 09:34 userdata lrwxrwxrwx 500 500 10 26-Aug-2013 09:34 bidata -rwxrwxr-x 500 500 0 12-Sep-2013 17:40 bi.awk -rw-r–r– 500 500 0 12-Sep-2013 17:40 luandoutang_09_900037.csv -rw-rw-r– 500 500 0 12-Sep-2013 17:40 luan1 -rwxr-xr-x 500 500 0 12-Sep-2013 17:40 luan.awk -rwxr-xr-x 500 500 0 12-Sep-2013 17:40 luan.sh -rwxrwxr-x 500 500 0 12-Sep-2013 17:40 dvid_price.awk -rwxrwxr-x 500 500 0 12-Sep-2013 17:40 cid_price.awk lrwxrwxrwx 500 500 15 9-Sep-2013 13:33 adsdkdata -rw-rw-r– 500 500 0 12-Sep-2013 17:40 0908.txt -rw-rw-r– 500 500 0 12-Sep-2013 17:40 09081.txt -rw-rw-r– 500 500 0 12-Sep-2013 17:40 09.txt drwxrwxr-x 500 500 4096 9-Sep-2013 16:22 pid TestDisk 6.14, Data Recovery Utility, July 2013 Please select a destination where /sh/active.awk will be copied. Keys: Arrow keys to select another directory C when the destination is correct Q to quit
1 2
原创文章,作者:ItWorker,如若转载,请注明出处:https://blog.ytso.com/57819.html