Trying to recover deleted files on a Linux server


While browsing Hatena Bookmark, I came across the following entry.
[blogcard url=https://tech.aucfan.com/rm-rf-retrieval/]

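The author of that post apparently managed to recover, on his own, a set of files he had accidentally deleted during new-graduate training. As an infrastructure engineer I figured this is worth knowing even if I never have to use it (and I would rather not...), so I tried reproducing exactly the same procedure.

First, some preparation.

Environment: CentOS 6
File system: ext4

It seems to support only ext3 and ext4. xfs appears to be unsupported, or rather, perhaps recovery is impossible there?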

$ yum -y install e2fsprogs-devel

Without this package, the build complains.

Download extundelete and save it to your home directory.

Build steps:

$ tar xfvj extundelete-0.2.4.tar.bz2
$ cd extundelete-0.2.4
$ mkdir ~/mytmp
$ ./configure --prefix=/home/kazuma/mytmp
Configuring extundelete 0.2.4
Writing generated files to disk
$ make && make install
make -s all-recursive
Making all in src
extundelete.cc:571: 警告: unused parameter ‘flags’
Making install in src
/usr/bin/install -c extundelete '/home/kazuma/mytmp/bin'
$ ls -l ~/mytmp/bin/extundelete
-rwxr-xr-x 1 kazuma kazuma 1187055 4月 10 23:53 2016 /home/kazuma/mytmp/bin/extundelete

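That completes the build.

Next, delete some files and then restore them.

$ cd ~/mytmp/
$ mkdir testdir
$ cd testdir
$ touch test{0..99}.txt
$ for f in ./*.txt; do echo "hoge" > "$f"; done
$ cd ..
$ rm -rf testdir

The files are now deleted.
Next, check the shell history to find out when the delete command was run.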

# zsh
$ history -i
67 2016-04-11 00:17 rm -rf testdir

# bash
$ HISTTIMEFORMAT="%F %T" history
The setting is lost when you log out.

Now restore the files.

$ date
2016年 4月 11日 月曜日 00:22:21 JST

$ sudo bin/extundelete --restore-all --after $(date +%s -d '2016-04-11 00:16') /dev/vg01/lv_home
Only show and process deleted entries if they are deleted on or after 1460301360 and before 9223372036854775807.
NOTICE: Extended attributes are not restored.
WARNING: EXT3_FEATURE_INCOMPAT_RECOVER is set.
The partition should be unmounted to undelete any files without further data loss.
If the partition is not currently mounted, this message indicates
it was improperly unmounted, and you should run fsck before continuing.
If you decide to continue, extundelete may overwrite some of the deleted
files and make recovering those files impossible. You should unmount the
file system and check it with fsck before using extundelete.
Would you like to continue? (y/n)
y
Loading filesystem metadata ... 40 groups loaded.
Loading journal descriptors ... 30565 descriptors loaded.
Searching for recoverable inodes in directory / ...
153 recoverable inodes found.
Looking through the directory structure for deleted files ...
Unable to restore inode 145199 (kazuma/Maildir/.Trash/Mob Psycho 100 v06.rar): No undeleted copies found in the journal.
Unable to restore inode 825 (kazuma/.vim/.netrwhist~): No undeleted copies found in the journal.
Unable to restore inode 145300 (kazuma/bash-config/.git/refs/heads/master.lock): No undeleted copies found in the journal.
Unable to restore inode 145277 (kazuma/bash-config/.git/refs/heads/add-install-shell.lock): No undeleted copies found in the journal.
Unable to restore inode 145298 (kazuma/bash-config/.git/refs/heads/add-install-shell): No undeleted copies found in the journal.
Unable to restore inode 145299 (kazuma/bash-config/.git/refs/remotes/origin/master.lock): No undeleted copies found in the journal.
Unable to restore inode 145284 (kazuma/bash-config/.git/objects/pack/pack-f7f0571b9953eac493d1e32a45d01f5ee791245d.keep): No undeleted copies found in the journal.
Unable to restore inode 1083 (kazuma/bash-config/.git/logs/refs/heads/add-install-shell): No undeleted copies found in the journal.
Unable to restore inode 145362 (kazuma/bash-config/.bashrc.swp): No undeleted copies found in the journal.
Unable to restore inode 145363 (kazuma/bash-config/.bashrc.swx): No undeleted copies found in the journal.
Unable to restore inode 145202 (kazuma/drop_wpadmin_atack/log/.drop.sh.swp): No undeleted copies found in the journal.
Unable to restore inode 145205 (kazuma/drop_wpadmin_atack/log/.drop.sh.swx): No undeleted copies found in the journal.
Unable to restore inode 145204 (kazuma/drop_wpadmin_atack/drop.sh~): No undeleted copies found in the journal.
Unable to restore inode 145339 (kazuma/serverlist/lib/serverlist/.swp): No undeleted copies found in the journal.
Unable to restore inode 145358 (kazuma/serverlist/lib/serverlist/.swpx): No undeleted copies found in the journal.
Unable to restore inode 145308 (kazuma/serverlist/lib/.serverlist.rb.swp): No undeleted copies found in the journal.
Unable to restore inode 145297 (kazuma/serverlist/.git/refs/heads/test.lock): No undeleted copies found in the journal.
Unable to restore inode 145340 (kazuma/serverlist/.git/refs/remotes/origin/test.lock): No undeleted copies found in the journal.
Unable to restore inode 145341 (kazuma/serverlist/.git/config.lock): No undeleted copies found in the journal.
Unable to restore inode 145311 (kazuma/serverlist/serverlist.gemspec~): No undeleted copies found in the journal.
Unable to restore inode 144842 (postgres/data/pg_xlog/archive_status/GMT): No undeleted copies found in the journal.
Unable to restore inode 144844 (postgres/data/pg_xlog/archive_status/UCT): No undeleted copies found in the journal.
Unable to restore inode 144843 (postgres/data/pg_xlog/archive_status/UTC): No undeleted copies found in the journal.
Unable to restore inode 144845 (postgres/data/pg_subtrans/Riyadh87): No undeleted copies found in the journal.
Unable to restore inode 144837 (postgres/data/pg_multixact/offsets/Rio_Branco): No undeleted copies found in the journal.
Unable to restore inode 144840 (postgres/data/pg_multixact/offsets/Curacao): No undeleted copies found in the journal.
Unable to restore inode 144841 (postgres/data/pg_multixact/offsets/Port_of_Spain): No undeleted copies found in the journal.
Unable to restore inode 145408 (lost+found/conftest.TPo): No undeleted copies found in the journal.
Unable to restore inode 145279 (lost+found/HEAD): No undeleted copies found in the journal.
Unable to restore inode 1078 (lost+found/logs): No undeleted copies found in the journal.
Unable to restore inode 145291 (lost+found/COMMIT_EDITMSG): No undeleted copies found in the journal.
Unable to restore inode 145203 (lost+found/drop.sh): No undeleted copies found in the journal.
20 recoverable inodes still lost.
Unable to restore inode 827 (file.827): No undeleted copies found in the journal.
Unable to restore inode 145192 (file.145192): No undeleted copies found in the journal.
Unable to restore inode 145197 (file.145197): No undeleted copies found in the journal.
Unable to restore inode 145200 (file.145200): No undeleted copies found in the journal.
Unable to restore inode 145209 (file.145209): No undeleted copies found in the journal.
Unable to restore inode 145210 (file.145210): No undeleted copies found in the journal.
Unable to restore inode 145257 (file.145257): No undeleted copies found in the journal.
Unable to restore inode 145289 (file.145289): No undeleted copies found in the journal.
Unable to restore inode 145293 (file.145293): No undeleted copies found in the journal.
Unable to restore inode 145295 (file.145295): No undeleted copies found in the journal.
Unable to restore inode 145296 (file.145296): No undeleted copies found in the journal.
Unable to restore inode 145342 (file.145342): No undeleted copies found in the journal.
Unable to restore inode 145343 (file.145343): No undeleted copies found in the journal.
Unable to restore inode 145355 (file.145355): No undeleted copies found in the journal.
Unable to restore inode 145359 (file.145359): No undeleted copies found in the journal.
Unable to restore inode 145360 (file.145360): No undeleted copies found in the journal.
Unable to restore inode 145364 (file.145364): No undeleted copies found in the journal.
Unable to restore inode 145365 (file.145365): No undeleted copies found in the journal.
Unable to restore inode 145366 (file.145366): No undeleted copies found in the journal.

Some inodes appear to have been lost, but I was able to confirm that the recovery worked.
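
The WARNING in the output above says the partition should be unmounted before undeleting, and this run also wrote RECOVERED_FILES onto the same /home volume it was reading from. The pre-flight check below is an added example, not part of the original post or of extundelete; the function names and the optional mounts-file argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): checks to run before extundelete.
# The mount table defaults to /proc/mounts; a file in the same format can be
# passed as the last argument (assumption made here so the logic is testable).

resolve() {  # follow symlinks (LVM names point at dm-N); fall back to the name
    r=$(readlink -f -- "$1" 2>/dev/null) || r=
    echo "${r:-$1}"
}

# Print "rw", "ro" or "unmounted" for block device $1.
mount_state() {
    want=$(resolve "$1"); state=unmounted
    while read -r src mnt fstype opts rest; do
        [ "$(resolve "$src")" = "$want" ] || continue
        case ",$opts," in
            *,rw,*) state=rw; break ;;   # writes can reuse the deleted blocks
            *,ro,*) state=ro ;;
        esac
    done < "${2:-/proc/mounts}"
    echo "$state"
}

# Print the device whose mount point is the longest prefix of absolute path $1.
device_of_path() {
    best=; bestlen=-1
    while read -r src mnt fstype opts rest; do
        m=${mnt%/}
        case "$1/" in
            "$m"/*) if [ "${#m}" -ge "$bestlen" ]; then best=$src; bestlen=${#m}; fi ;;
        esac
    done < "${2:-/proc/mounts}"
    echo "$best"
}

# Return 0 only if recovering from device $1 into directory $2 is safe.
preflight() {
    if [ "$(mount_state "$1" "$3")" = rw ]; then
        echo "refuse: $1 is mounted read-write" >&2; return 1
    fi
    if [ "$(resolve "$(device_of_path "$2" "$3")")" = "$(resolve "$1")" ]; then
        echo "refuse: $2 is on $1, so recovered files would be written to it" >&2
        return 1
    fi
    return 0
}
```

Once `preflight /dev/vg01/lv_home "$PWD"` succeeds, run extundelete from that working directory so that RECOVERED_FILES lands on a different filesystem.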

Check the recovered files.

$ cd ~/mytmp/RECOVERED_FILES/kazuma/mytmp/RECOVERED_FILES
$ ls
test.txt test19.txt test3.txt test40.txt test51.txt test62.txt test73.txt test84.txt test95.txt
test0.txt test2.txt test30.txt test41.txt test52.txt test63.txt test74.txt test85.txt test96.txt
test1.txt test20.txt test31.txt test42.txt test53.txt test64.txt test75.txt test86.txt test97.txt
test10.txt test21.txt test32.txt test43.txt test54.txt test65.txt test76.txt test87.txt test98.txt
test11.txt test22.txt test33.txt test44.txt test55.txt test66.txt test77.txt test88.txt test99.txt
test12.txt test23.txt test34.txt test45.txt test56.txt test67.txt test78.txt test89.txt
test13.txt test24.txt test35.txt test46.txt test57.txt test68.txt test79.txt test9.txt
test14.txt test25.txt test36.txt test47.txt test58.txt test69.txt test8.txt test90.txt
test15.txt test26.txt test37.txt test48.txt test59.txt test7.txt test80.txt test91.txt
test16.txt test27.txt test38.txt test49.txt test6.txt test70.txt test81.txt test92.txt
test17.txt test28.txt test39.txt test5.txt test60.txt test71.txt test82.txt test93.txt
test18.txt test29.txt test4.txt test50.txt test61.txt test72.txt test83.txt test94.txt

$ cat test.txt
hoge

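This confirms that the files were recovered.

This experiment showed that, as long as nothing has been written in the meantime, a deleted file has merely lost its file pointer, so it can be recovered if the inode is known.
It is a command I would rather never have to use, but I am keeping this as a memo in the back of my mind.

That's all.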