Operation and Maintenance
Linux Operation and Maintenance
How to recover deleted files in Linux?
How to recover deleted files in Linux?
How to recover deleted files in Linux? The following article will introduce to you how to recover deleted files in Linux. It has certain reference value. Friends in need can refer to it. I hope it will be helpful to everyone.
Linux does not have a recycle bin like Windows. Basically, files cannot be retrieved using rm -rf *.
Then the question is:
For files accidentally deleted under Linux, are we really unable to recover them through software?
The answer is of course no. Deleted files can still be recovered through software. Restoration of accidentally deleted files can be divided into two situations:
One is that deletion information exists in the process after deletion
The other is deletion In the future, the process cannot be found and can only be restored with the help of tools.
Next, we will use examples to explain two different recovery methods of accidental deletion:
The situation when the process of accidentally deleting a file is still there:
This usually means that an active process has continuous standard input or output. After the file is deleted, the process PID still exists. This is also the reason why some servers delete some files but the disk is not released.
Open a terminal and perform cat append operation on a test file:
[root@docking ~]# echo "This is DeleteFile test." > deletefile.txt [root@docking ~]# ls deletefile.txt [root@docking ~]# cat >> deletefile.txt Add SomeLine into deletefile for fun.
Open another terminal to view the file and you can clearly see the content:
[root@docking ~]# ls deletefile.txt [root@docking ~]# cat deletefile.txt This is DeleteFile test. Add SomeLine into deletefile for fun.
At this time, delete the file rm -f deletefile.txt
[root@docking ~]# rm -f deletefile.txt [root@docking ~]# ls #命令查看这个目录,文件已经不存在了,那么现在我们将其恢复出来。
lsof checks whether the deleted file process still exists.
If it is not installed, please
yum install lsoforapt-get install lsof
1. In a similar situation, we can first check with lsof whether the deleted file is still there
[root@docking ~]# lsof | grep deletefile cat 21796 root 1w REG 253,1 63 138860 /root/deletefile.txt (deleted)
2. Recoverycp /proc/pid/fd/1 /specified directory/file name
Enter the process directory, usually /proc/pid/fd/, for the current situation:
[root@docking ~]# cd /proc/21796/fd [root@docking fd]# ll 总用量 0 lrwx------ 1 root root 64 1月 18 22:21 0 -> /dev/pts/0 l-wx------ 1 root root 64 1月 18 22:21 1 -> /root/deletefile.txt (deleted) lrwx------ 1 root root 64 1月 18 22:21 2 -> /dev/pts/0
Recovery operation:
[root@docking fd]# cp 1 ~/deletefile.txt.backup [root@docking fd]# cat ~/deletefile.txt.backup This is DeleteFile test. Add SomeLine into deletefile for fun.
3. Recovery is completed.
The accidentally deleted file process no longer exists, use the tool to restore it
Prepare some file directories
#准备一份挂载的盘 mkdir backuptest cd backuptest mkdir deletetest mkdir deletetest/innerfolder echo "Delete a folder test." > deletetest/innerfolder/deletefile.txt echo "tcpdump:x:172:72::/:/sbin/nologin" > tmppasswd
The finally prepared directory structure is as follows:
taroballs@taroballs-PC:/media/taroballs/taroballs/backuptest$ cd .. taroballs@taroballs-PC:/media/taroballs/taroballs$ tree backuptest/ backuptest/ ├── deletetest │ └── innerfolder │ └── deletefile.txt └── tmppasswd 2 directories, 2 files
Now start deleting the directoryrm -rf backuptest/
taroballs@taroballs-PC:/media/taroballs/taroballs$ rm -rf backuptest/ taroballs@taroballs-PC:/media/taroballs/taroballs$ ls -l 总用量 0
In this case, there is usually no daemon or background process continues to input it, so the deletion is really deleted. lsof can't see it either, so you need to use tools to restore it.
Now start recovering accidentally deleted files.
The tool we use is extundelete third-party tool. The recovery steps and precautions are as follows:
Stop doing any operations on the current partition to prevent the inode from being overwritten. If the inode is overwritten, it will basically be restored.
To exaggerate, for example, stop the service of the partition where it is located, uninstall the device where the directory is located, and disconnect the network if necessary.
Use the dd command to back up the current partition to prevent data loss caused by third-party software recovery failure.
Suitable for situations where the data is very important. Here is an example, so there is no backup. For backup, you can consider the following method: dd if=/path/filename of=/dev/vdc1
Use the umount command to unmount the current device partition. Or use the fuser command umount /dev/vdb1
If it prompts that the device is busy, you can use the fuser command to force the uninstall: fuser -m -v -i -k ./
Download the third-party tool extundelete installation, search for accidentally deleted files and restore them
extundelete tool installation
extundelete download address: http://extundelete.sourceforge.net/
wget https://nchc.dl.sourceforge.net/project/extundelete/extundelete/0.2.4/extundelete-0.2.4.tar.bz2
Extract the filetar jxvf extundelete-0.2.4.tar.bz2
If this error is reported
[root@docking ~]# tar jxvf extundelete-0.2.4.tar.bz2 tar (child): bzip2:无法 exec: 没有那个文件或目录 tar (child): Error is not recoverable: exiting now tar: Child returned status 2 tar: Error is not recoverable: exiting now
Use yum -y install bzip2 to solve the problem
[root@docking ~]# tar jxvf extundelete-0.2.4.tar.bz2 extundelete-0.2.4/ extundelete-0.2.4/acinclude.m4 extundelete-0.2.4/missing extundelete-0.2.4/autogen.sh extundelete-0.2.4/aclocal.m4 extundelete-0.2.4/configure extundelete-0.2.4/LICENSE extundelete-0.2.4/README ...................................................
cd extundelete-0.2.4 ./configure
If an error is reported in this step
[root@docking extundelete-0.2.4]# ./configure Configuring extundelete 0.2.4 configure: error: in `/root/extundelete-0.2.4': configure: error: C++ compiler cannot create executables See `config.log' for more details
Use yum -y install gcc-c Solution.
If you still get an error after executing the previous step,
[root@docking extundelete-0.2.4]# ./configure Configuring extundelete 0.2.4 configure: error: Can't find ext2fs library
then use yum -y install e2fsprogs e2fsprogs-devel to solve it. #The solution for Ubuntu is sudo apt-get install e2fslibs-dev e2fslibs-dev
If nothing unexpected happens, configure should be able to complete successfully here.
[root@docking extundelete-0.2.4]# ./configure Configuring extundelete 0.2.4 Writing generated files to disk [root@docking extundelete-0.2.4]#
FinallymakeThen make install
[root@docking extundelete-0.2.4]# make
make -s all-recursive
Making all in src
extundelete.cc: 在函数‘ext2_ino_t find_inode(ext2_filsys, ext2_filsys, ext2_inode*, std::string, int)’中:
extundelete.cc:1272:29: 警告:在 {} 内将‘search_flags’从‘int’转换为较窄的类型‘ext2_ino_t {aka unsigned int}’ [-Wnarrowing]
buf, match_name2, priv, 0};
^
[root@docking extundelete-0.2.4]# make install
Making install in src
/usr/bin/install -c extundelete '/usr/local/bin'extundelete installation is completed.
Scan for accidentally deleted files:
Use df -lh to view the mount:
taroballs@taroballs-PC:~$ df -lh 文件系统 容量 已用 可用 已用% 挂载点 udev 1.9G 0 1.9G 0% /dev tmpfs 387M 1.8M 385M 1% /run /dev/sda2 92G 61G 26G 71% / tmpfs 1.9G 49M 1.9G 3% /dev/shm tmpfs 5.0M 4.0K 5.0M 1% /run/lock tmpfs 1.9G 0 1.9G 0% /sys/fs/cgroup /dev/sda3 104G 56G 44G 57% /home tmpfs 387M 40K 387M 1% /run/user/1000 /dev/sda4 70G 20G 47G 30% /media/taroballs/d8423f8c-d687-4c03-a7c8-06a7fb57f96d /dev/sdb1 6.8G 4.1G 2.8G 60% /media/taroballs/taroballs /dev/sr0 4.0G 4.0G 0 100% /media/taroballs/2018-01-16-12-36-00-00 taroballs@taroballs-PC:~$ cd /media/taroballs/taroballs/ taroballs@taroballs-PC:/media/taroballs/taroballs$
You can see that our directory /media/taroballs/taroballs
is mounted to /dev/sdb1 In this file system.
umount our mounting disk
For example:
taroballs@taroballs-PC:~$ df -lh | grep /dev/sdb1 /dev/sdb1 6.8G 4.1G 2.8G 60% /media/taroballs/taroballs
umount this directory
taroballs@taroballs-PC:~$ umount /media/taroballs/taroballs taroballs@taroballs-PC:~$ df -lh | grep /dev/sdb1 taroballs@taroballs-PC:~$ #记得删除一定要后umount哦,不然二次写入谁也帮不了你呢。
Restore through inode node
taroballs@taroballs-PC:~$ mkdir recovertest taroballs@taroballs-PC:~$ cd recovertest/ taroballs@taroballs-PC:~/recovertest$
Perform recoveryextundelete /dev/sdb1 --inode 2
taroballs@taroballs-PC:/media/taroballs/taroballs$ sudo extundelete /dev/sdb1 --inode 2 NOTICE: Extended attributes are not restored. Loading filesystem metadata ... 8 groups loaded. Group: 0 Contents of inode 2: . .省略N行 File name | Inode number | Deleted status . 2 .. 2 deletetest 12 Deleted tmppasswd 14 Deleted
The folder we deleted was discovered through scanning, now Perform recovery operations.
(1) Recover a single file tmppasswd
taroballs@taroballs-PC:~/recovertest$ extundelete /dev/sdb1 --restore-file passwd NOTICE: Extended attributes are not restored. Loading filesystem metadata ... 8 groups loaded. Loading journal descriptors ... 46 descriptors loaded. Successfully restored file tmppasswd
The recovered file is placed in the current directory RECOVERED_FILES.
View the recovered files:
taroballs@taroballs-PC:~/recovertest$ cat tmppasswd tcpdump:x:172:72::/:/sbin/nologin
(2) Restore directory deletetest
extundelete /dev/sdb1 --restore-directory deletetest NOTICE: Extended attributes are not restored. Loading filesystem metadata ... 8 groups loaded. Loading journal descriptors ... 46 descriptors loaded. Searching for recoverable inodes in directory deletetest ... 5 recoverable inodes found. Looking through the directory structure for deleted files ...
(3) Restore all
taroballs@taroballs-PC:~/recovertest$ extundelete /dev/sdb1 --restore-all NOTICE: Extended attributes are not restored. Loading filesystem metadata ... 8 groups loaded. Loading journal descriptors ... 46 descriptors loaded. Searching for recoverable inodes in directory / ... 5 recoverable inodes found. Looking through the directory structure for deleted files ... 0 recoverable inodes still lost. taroballs@taroballs-PC:~/recovertest$ tree backuptest/ ├── deletetest │ └── innerfolder │ └── deletefile.txt └── tmppasswd 2 directories, 2 files
(4) Restore specified inode
taroballs@taroballs-PC:~/recovertest$ extundelete /dev/sdb1 --restore-inode 14 NOTICE: Extended attributes are not restored. Loading filesystem metadata ... 8 groups loaded. Loading journal descriptors ... 46 descriptors loaded. taroballs@taroballs-PC:~/recovertest$ cat file.14 tcpdump:x:172:72::/:/sbin/nologin #注意恢复inode的时候,恢复 出来的文件名和之前不一样,需要单独进行改名。
Finally attached is the usage of extundelete:
$ extundelete --help
Usage: extundelete [options] [--] device-file
Options:
--version, -[vV] Print version and exit successfully.
--help, Print this help and exit successfully.
--superblock Print contents of superblock in addition to the rest.
If no action is specified then this option is implied.
--journal Show content of journal.
--after dtime Only process entries deleted on or after 'dtime'.
--before dtime Only process entries deleted before 'dtime'.Actions:
--inode ino Show info on inode 'ino'.
--block blk Show info on block 'blk'.
--restore-inode ino[,ino,...]
Restore the file(s) with known inode number 'ino'.
The restored files are created in ./RECOVERED_FILES with their inode number as extension (ie, file.12345).
--restore-file 'path' Will restore file 'path'. 'path' is relative to root
of the partition and does not start with a '/'
The restored file is created in the current
directory as 'RECOVERED_FILES/path'.
--restore-files 'path' Will restore files which are listed in the file 'path'.
Each filename should be in the same format as an option
to --restore-file, and there should be one per line.
--restore-directory 'path'
Will restore directory 'path'. 'path' is relative to the
root directory of the file system. The restored
directory is created in the output directory as 'path'.
--restore-all Attempts to restore everything.
-j journal Reads an external journal from the named file.
-b blocknumber Uses the backup superblock at blocknumber when opening
the file system.
-B blocksize Uses blocksize as the block size when opening the file
system. The number should be the number of bytes.
--log 0 Make the program silent.
--log filename Logs all messages to filename.--log D1=0,D2=filename Custom control of log messages with comma-separated
Examples below: list of options. Dn must be one of info, warn, or --log info,error error. Omission of the '=name' results in messages --log warn=0 with the specified level to be logged to the console.
--log error=filename If the parameter is '=0', logging for the specified
level will be turned off. If the parameter is
'=filename', messages with that level will be written
to filename.
-o directory Save the recovered files to the named directory.
The restored files are created in a directory
named 'RECOVERED_FILES/' by default.推荐:《linux教程》
The above is the detailed content of How to recover deleted files in Linux?. For more information, please follow other related articles on the PHP Chinese website!
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
AI Hentai Generator
Generate AI Hentai for free.
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
1382
52
Difference between centos and ubuntu
Apr 14, 2025 pm 09:09 PM
The key differences between CentOS and Ubuntu are: origin (CentOS originates from Red Hat, for enterprises; Ubuntu originates from Debian, for individuals), package management (CentOS uses yum, focusing on stability; Ubuntu uses apt, for high update frequency), support cycle (CentOS provides 10 years of support, Ubuntu provides 5 years of LTS support), community support (CentOS focuses on stability, Ubuntu provides a wide range of tutorials and documents), uses (CentOS is biased towards servers, Ubuntu is suitable for servers and desktops), other differences include installation simplicity (CentOS is thin)
How to install centos
Apr 14, 2025 pm 09:03 PM
CentOS installation steps: Download the ISO image and burn bootable media; boot and select the installation source; select the language and keyboard layout; configure the network; partition the hard disk; set the system clock; create the root user; select the software package; start the installation; restart and boot from the hard disk after the installation is completed.
Centos options after stopping maintenance
Apr 14, 2025 pm 08:51 PM
CentOS has been discontinued, alternatives include: 1. Rocky Linux (best compatibility); 2. AlmaLinux (compatible with CentOS); 3. Ubuntu Server (configuration required); 4. Red Hat Enterprise Linux (commercial version, paid license); 5. Oracle Linux (compatible with CentOS and RHEL). When migrating, considerations are: compatibility, availability, support, cost, and community support.
How to use docker desktop
Apr 15, 2025 am 11:45 AM
How to use Docker Desktop? Docker Desktop is a tool for running Docker containers on local machines. The steps to use include: 1. Install Docker Desktop; 2. Start Docker Desktop; 3. Create Docker image (using Dockerfile); 4. Build Docker image (using docker build); 5. Run Docker container (using docker run).
Detailed explanation of docker principle
Apr 14, 2025 pm 11:57 PM
Docker uses Linux kernel features to provide an efficient and isolated application running environment. Its working principle is as follows: 1. The mirror is used as a read-only template, which contains everything you need to run the application; 2. The Union File System (UnionFS) stacks multiple file systems, only storing the differences, saving space and speeding up; 3. The daemon manages the mirrors and containers, and the client uses them for interaction; 4. Namespaces and cgroups implement container isolation and resource limitations; 5. Multiple network modes support container interconnection. Only by understanding these core concepts can you better utilize Docker.
What to do after centos stops maintenance
Apr 14, 2025 pm 08:48 PM
After CentOS is stopped, users can take the following measures to deal with it: Select a compatible distribution: such as AlmaLinux, Rocky Linux, and CentOS Stream. Migrate to commercial distributions: such as Red Hat Enterprise Linux, Oracle Linux. Upgrade to CentOS 9 Stream: Rolling distribution, providing the latest technology. Select other Linux distributions: such as Ubuntu, Debian. Evaluate other options such as containers, virtual machines, or cloud platforms.
What to do if the docker image fails
Apr 15, 2025 am 11:21 AM
Troubleshooting steps for failed Docker image build: Check Dockerfile syntax and dependency version. Check if the build context contains the required source code and dependencies. View the build log for error details. Use the --target option to build a hierarchical phase to identify failure points. Make sure to use the latest version of Docker engine. Build the image with --t [image-name]:debug mode to debug the problem. Check disk space and make sure it is sufficient. Disable SELinux to prevent interference with the build process. Ask community platforms for help, provide Dockerfiles and build log descriptions for more specific suggestions.
What computer configuration is required for vscode
Apr 15, 2025 pm 09:48 PM
VS Code system requirements: Operating system: Windows 10 and above, macOS 10.12 and above, Linux distribution processor: minimum 1.6 GHz, recommended 2.0 GHz and above memory: minimum 512 MB, recommended 4 GB and above storage space: minimum 250 MB, recommended 1 GB and above other requirements: stable network connection, Xorg/Wayland (Linux)
