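Monday, March 31, 2014

How to Recover Files Deleted with the Linux rm Command

This post shows how to recover files deleted with the Linux rm command by using the extundelete command.
Because ext3/ext4 are journaling file systems, there is a good chance that this method can recover the files.
However, keep in mind that complete recovery is not always possible, for example when LVM is in use,
so treat this as an emergency measure.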

OS: CentOS 6.5 (64-bit)
extundelete: 0.2.4


■Download the extundelete source archive
[root@centos65 ~]# wget -P /usr/local/src/ http://sourceforge.net/projects/extundelete/files/extundelete/0.2.4/extundelete-0.2.4.tar.bz2/download
(output omitted)
100%[===============================================================>] 108,472     --.-K/s 時間 0.07s
2014-03-30 19:00:29 (1.45 MB/s) - `/usr/local/src/extundelete-0.2.4.tar.bz2' へ保存完了 [108472/108472]
[root@centos65 ~]#
It would be convenient to run yum install extundelete, but CentOS 6.5 does not appear to provide the package.

■Extract and install
[root@centos65 ~]# tar -jxf /usr/local/src/extundelete-0.2.4.tar.bz2 -C /usr/local/src/
[root@centos65 ~]# cd /usr/local/src/extundelete-0.2.4
[root@centos65 extundelete-0.2.4]# ./configure --prefix=/usr/local/
Configuring extundelete 0.2.4
configure: error: Can't find ext2fs library
[root@centos65 extundelete-0.2.4]#
configure fails because the ext2fs library is missing.

■Install the ext2fs library
[root@centos65 extundelete-0.2.4]# yum -y install e2fsprogs-devel
(output omitted)
=========================================================================
 Package                 Arch       Version           Repository    Size
=========================================================================
Installing:
 e2fsprogs-devel         x86_64     1.41.12-18.el6    base         160 k

Transaction Summary
=========================================================================
Install       1 Package(s)
(remaining output omitted)

■Install again
[root@centos65 extundelete-0.2.4]# ./configure --prefix=/usr/local/
Configuring extundelete 0.2.4
Writing generated files to disk
[root@centos65 extundelete-0.2.4]# make
make -s all-recursive
Making all in src
extundelete.cc:571: 警告: unused parameter 'flags'
[root@centos65 extundelete-0.2.4]# make install
Making install in src
  /usr/bin/install -c extundelete '/usr/local/bin'
[root@centos65 extundelete-0.2.4]#
## Check the version
[root@centos65 ~]# extundelete --version
extundelete version 0.2.4
libext2fs version 1.41.12
Processor is little endian.
[root@centos65 ~]#

■Check the help output
[root@centos65 ~]# extundelete --help
Usage: extundelete [options] [--] device-file
Options:
  --version, -[vV]       Print version and exit successfully.
  --help,                Print this help and exit successfully.
  --superblock           Print contents of superblock in addition to the rest.
                         If no action is specified then this option is implied.
  --journal              Show content of journal.
  --after dtime          Only process entries deleted on or after 'dtime'.
  --before dtime         Only process entries deleted before 'dtime'.
Actions:
  --inode ino            Show info on inode 'ino'.
  --block blk            Show info on block 'blk'.
  --restore-inode ino[,ino,...]
                         Restore the file(s) with known inode number 'ino'.
                         The restored files are created in ./RECOVERED_FILES
                         with their inode number as extension (ie, file.12345).
  --restore-file 'path'  Will restore file 'path'. 'path' is relative to root
                         of the partition and does not start with a '/'
                         The restored file is created in the current
                         directory as 'RECOVERED_FILES/path'.
  --restore-files 'path' Will restore files which are listed in the file 'path'.
                         Each filename should be in the same format as an option
                         to --restore-file, and there should be one per line.
  --restore-directory 'path'
                         Will restore directory 'path'. 'path' is relative to the
                         root directory of the file system.  The restored
                         directory is created in the output directory as 'path'.
  --restore-all          Attempts to restore everything.
  -j journal             Reads an external journal from the named file.
  -b blocknumber         Uses the backup superblock at blocknumber when opening
                         the file system.
  -B blocksize           Uses blocksize as the block size when opening the file
                         system.  The number should be the number of bytes.
  --log 0                Make the program silent.
  --log filename         Logs all messages to filename.
--log D1=0,D2=filename   Custom control of log messages with comma-separated
   Examples below:       list of options.  Dn must be one of info, warn, or
   --log info,error      error.  Omission of the '=name' results in messages
   --log warn=0          with the specified level to be logged to the console.
   --log error=filename  If the parameter is '=0', logging for the specified
                         level will be turned off.  If the parameter is
                         '=filename', messages with that level will be written
                         to filename.
   -o directory          Save the recovered files to the named directory.
                         The restored files are created in a directory
                         named 'RECOVERED_FILES/' by default.
[root@centos65 ~]# 

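■Recover with the extundelete command
In this test, all files under /etc are copied to /data/, /data/etc/yum.repos.d/ is deleted, and the directory is then recovered with the extundelete command. The recovery condition is files deleted within the last day.

## Copy all files under /etc to /data/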
[root@centos65 ~]# cp -pr /etc /data/
[root@centos65 ~]# ll /data/
合計 28
drwxr-xr-x 122 root root 12288  3月 30 20:08 2014 etc
drwx------   2 root root 16384  3月 30 02:23 2014 lost+found
[root@centos65 ~]#

## Delete /data/etc/yum.repos.d/
[root@centos65 ~]# ll /data/etc/yum.repos.d/
合計 16
-rw-r--r-- 1 root root 1926  3月 30 20:20 2014 CentOS-Base.repo
-rw-r--r-- 1 root root  638  3月 30 20:20 2014 CentOS-Debuginfo.repo
-rw-r--r-- 1 root root  630  3月 30 20:20 2014 CentOS-Media.repo
-rw-r--r-- 1 root root 3664  3月 30 20:20 2014 CentOS-Vault.repo
[root@centos65 ~]# rm -rf /data/etc/yum.repos.d
[root@centos65 ~]# ll /data/etc/yum.repos.d/
ls: cannot access /data/etc/yum.repos.d/: そのようなファイルやディレクトリはありません
[root@centos65 ~]#

## Check the device file name of the volume to recover from
[root@centos65 ~]# df -hT
Filesystem                      Type   Size  Used Avail Use% Mounted on
/dev/mapper/vg_centos65-lv_root ext4    27G  4.5G   21G  19% /
tmpfs                           tmpfs  940M   72K  940M   1% /dev/shm
/dev/sda1                       ext4   485M   39M  421M   9% /boot
/dev/sdb1                       ext4    16G  211M   15G   2% /data
[root@centos65 ~]#
The device file for /data is confirmed to be /dev/sdb1.

## Recover files deleted within the last day with the extundelete command
[root@centos65 ~]# extundelete --restore-all --after $(date +%s -d '1 days ago') /dev/sdb1
Only show and process deleted entries if they are deleted on or after 1396092940 and before 9223372036854775807.
NOTICE: Extended attributes are not restored.
WARNING: EXT3_FEATURE_INCOMPAT_RECOVER is set.
The partition should be unmounted to undelete any files without further data loss.
If the partition is not currently mounted, this message indicates
it was improperly unmounted, and you should run fsck before continuing.
If you decide to continue, extundelete may overwrite some of the deleted
files and make recovering those files impossible.  You should unmount the
file system and check it with fsck before using extundelete.
Would you like to continue? (y/n)
y
Loading filesystem metadata ... 128 groups loaded.
Loading journal descriptors ... 310 descriptors loaded.
Searching for recoverable inodes in directory / ...
5 recoverable inodes found.
Looking through the directory structure for deleted files ...
0 recoverable inodes still lost.
[root@centos65 ~]#
Note: if the target device is unmounted beforehand, the confirmation prompt in the first half of the output is not shown.
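The warning above comes from scanning a file system that is still mounted. The following is an added example, not part of the original post: a pre-flight check that refuses to proceed while the target device is mounted, or when the output directory (the help output's `-o directory`) would land on the device being recovered. The function names `device_for_path`, `preflight` and `write_sample_mounts` are hypothetical, and the mount table is a constructed sample in /proc/mounts format based on the df -hT output shown on this page.

```shell
# Added example: pre-flight checks before pointing extundelete at a device.
# The mount table is read from a file in /proc/mounts format so the logic
# can be exercised against a constructed sample.

# Print the device backing the mount point that contains PATH
# (the longest matching mount point wins).
device_for_path() {
    path=$1; mounts=${2:-/proc/mounts}
    best_dev=""; best_len=0
    while read -r dev mp _rest; do
        case "$path/" in
            "${mp%/}/"*)
                if [ "${#mp}" -gt "$best_len" ]; then
                    best_dev=$dev; best_len=${#mp}
                fi ;;
        esac
    done < "$mounts"
    printf '%s\n' "$best_dev"
}

# 0 = safe to scan, 1 = target device is still mounted,
# 2 = output directory is on the target device (recovery would overwrite
#     the very blocks being recovered).
preflight() {
    target=$1; outdir=$2; mounts=${3:-/proc/mounts}
    [ "$(device_for_path "$outdir" "$mounts")" = "$target" ] && return 2
    while read -r dev _rest; do
        [ "$dev" = "$target" ] && return 1
    done < "$mounts"
    return 0
}

# Constructed sample mirroring the df -hT output on this page.
write_sample_mounts() {
    cat > "$1" <<'EOF'
/dev/mapper/vg_centos65-lv_root / ext4 rw,relatime 0 0
tmpfs /dev/shm tmpfs rw 0 0
/dev/sda1 /boot ext4 rw,relatime 0 0
/dev/sdb1 /data ext4 rw,relatime 0 0
EOF
}

sample=$(mktemp)
write_sample_mounts "$sample"
preflight /dev/sdb1 /root/restore "$sample"; echo "while mounted: rc=$?"
grep -v '^/dev/sdb1 ' "$sample" > "$sample.umounted"
preflight /dev/sdb1 /root/restore "$sample.umounted"; echo "after umount: rc=$?"
```

On a live system, omit the third argument so that the functions read /proc/mounts, and run extundelete only when `preflight` returns 0.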

## Verify the recovery
A RECOVERED_FILES directory is created automatically, and the files are recovered under it.
[root@centos65 ~]# ll RECOVERED_FILES/etc/yum.repos.d/
合計 16
-rw-r--r-- 1 root root 1926  3月 30 20:35 2014 CentOS-Base.repo
-rw-r--r-- 1 root root  638  3月 30 20:35 2014 CentOS-Debuginfo.repo
-rw-r--r-- 1 root root  630  3月 30 20:35 2014 CentOS-Media.repo
-rw-r--r-- 1 root root 3664  3月 30 20:35 2014 CentOS-Vault.repo
[root@centos65 ~]#

■Recovering a specified directory
## Delete /data/etc/httpd/
[root@centos65 ~]# ll /data/etc/httpd/
合計 12
drwxr-xr-x 2 root root 4096  3月 21 15:18 2014 alias
drwxr-xr-x 2 root root 4096  3月 21 15:17 2014 conf
drwxr-xr-x 2 root root 4096  3月 21 15:28 2014 conf.d
lrwxrwxrwx 1 root root   19  3月 21 15:17 2014 logs -> ../../var/log/httpd
lrwxrwxrwx 1 root root   29  3月 21 15:17 2014 modules -> ../../usr/lib64/httpd/modules
lrwxrwxrwx 1 root root   19  3月 21 15:17 2014 run -> ../../var/run/httpd
[root@centos65 ~]# rm -rf /data/etc/httpd/
[root@centos65 ~]# ll /data/etc/httpd/
ls: cannot access /data/etc/httpd/: そのようなファイルやディレクトリはありません
[root@centos65 ~]#

## This time, unmount the target volume before running the recovery
[root@centos65 ~]# umount /data

## Specify the recovery target (path relative to the mount point) with the extundelete command
[root@centos65 ~]# extundelete --restore-directory etc/httpd/ /dev/sdb1
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 128 groups loaded.
Loading journal descriptors ... 490 descriptors loaded.
Searching for recoverable inodes in directory etc/httpd/ ...
22 recoverable inodes found.
Looking through the directory structure for deleted files ...
1 recoverable inodes still lost.
[root@centos65 ~]# ll RECOVERED_FILES/etc/httpd/
合計 12
drwxr-xr-x 2 root root 4096  3月 30 22:56 2014 alias
drwxr-xr-x 2 root root 4096  3月 30 22:56 2014 conf
drwxr-xr-x 2 root root 4096  3月 30 22:56 2014 conf.d
[root@centos65 ~]#
It appears that symbolic links and timestamps are not recovered.
