### 文章目录

• ​​前言​​
• ​​一、查看分区类型​​
• ​​二、使用centos7软件恢复工具extundelete作为文件恢复​​
• ​​1.安装extundelete​​
• ​​2.上传extundelete安装包到自定义目录下面​​
• ​​3.解压安装包​​
• ​​4.进到解压后的安装包目录下面执行命令​​
• ​​5.创建data目录和deletefile文件​​
• ​​6.（xfs分区的）​​
• ​​6.（ext4分区的）​​
• ​​7.模拟误删文件​​
• ​​8.（xfs分区的）​​
• ​​8.（ext4分区的）​​
• ​​9.查看恢复文件​​
• ​​10.视频讲解演示流程(以xfs为例)​​
• ​​总结​​

## 一、查看分区类型

df -T

xfs分区

ext4分区

## 1.安装extundelete

yum install e2fsprogs-devel e2fsprogs e2fsprogs-libs

## 3.解压安装包

tar -jxvf extundelete-0.2.4.tar.bz2

## 4.进到解压后的安装包目录下面执行命令

yum -y install gccyum -y install gcc-c++cd extundelete-0.2.4./configuremakemake installwhich extundelete

## 5.创建data目录和deletefile文件

cd /mkdir /datacd /datatouch deletefile

## 6.（xfs分区的）

xfsdump -f /tmp/dump_data /data -> dump_data -> media0

## 6.（ext4分区的）

/usr/local/bin/extundelete --inode 2 /dev/sda2NOTICE: Extended attributes are not restored.WARNING: EXT3_FEATURE_INCOMPAT_RECOVER is set.The partition should be unmounted to undelete any files without further data loss.If the partition is not currently mounted, this message indicates it was improperly unmounted, and you should run fsck before continuing.If you decide to continue, extundelete may overwrite some of the deletedfiles and make recovering those files impossible.  You should unmount thefile system and check it with fsck before using extundelete.Would you like to continue? (y/n) yLoading filesystem metadata ... 285 groups loaded.Group: 0Contents of inode 2:0000 | 6d 41 00 00 00 10 00 00 e2 b2 6a 61 66 b2 6a 61 | mA........jaf.ja0010 | 66 b2 6a 61 00 00 00 00 00 00 13 00 08 00 00 00 | f.ja............0020 | 00 00 08 00 22 00 00 00 0a f3 01 00 04 00 00 00 | ...."...........0030 | 00 00 00 00 00 00 00 00 01 00 00 00 26 24 00 00 | ............&\$..0040 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................0050 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................0060 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................0070 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................0080 | 1c 00 00 00 d0 7f eb 7d d0 7f eb 7d 00 53 f7 34 | .......}...}.S.40090 | a2 be 68 61 00 00 00 00 00 00 00 00 00 00 02 ea | ..ha............00a0 | 07 06 44 00 00 00 00 00 1c 00 00 00 00 00 00 00 | ..D.............00b0 | 73 65 6c 69 6e 75 78 00 00 00 00 00 00 00 00 00 | selinux.........00c0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................00d0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................00e0 | 00 00 00 00 73 79 73 74 65 6d 5f 75 3a 6f 62 6a | ....system_u:obj00f0 | 65 63 74 5f 72 3a 72 6f 6f 74 5f 74 3a 73 30 00 | ect_r:root_t:s0.Inode is AllocatedFile mode: 16749Low 16 bits of Owner Uid: 0Size in bytes: 4096Access time: 1634382562Creation time: 1634382438Modification time: 1634382438Deletion Time: 0Low 16 bits of Group Id: 0Links count: 19Blocks count: 8File flags: 524288File version (for NFS): 0File ACL: 0Directory ACL: 0Fragment address: 0Direct blocks: 127754, 4, 0, 0, 1, 9254, 0, 0, 0, 0, 0, 0Indirect block: 0Double indirect block: 0Triple indirect block: 0File name                                       | Inode number | Deleted status.                                                 2..                                                2lost+found                                        11boot                                              2097153dev                                               1179649proc                                              1835009run                                               1966081sys                                               131073etc                                               1310721root                                              1441793tmp                                               262145var                                               393217data                                              1048577usr                                               1572865bin                                               17sbin                                              16lib                                               13lib64                                             15home                                              524289media                                             1703937mnt                                               655361opt                                               786433srv                                               917505

/usr/local/bin/extundelete --inode 1048577 /dev/sda2NOTICE: Extended attributes are not restored.WARNING: EXT3_FEATURE_INCOMPAT_RECOVER is set.The partition should be unmounted to undelete any files without further data loss.If the partition is not currently mounted, this message indicates it was improperly unmounted, and you should run fsck before continuing.If you decide to continue, extundelete may overwrite some of the deletedfiles and make recovering those files impossible.  You should unmount thefile system and check it with fsck before using extundelete.Would you like to continue? (y/n) yLoading filesystem metadata ... 285 groups loaded.Group: 128Contents of inode 1048577:0000 | ed 41 00 00 00 10 00 00 98 b3 6a 61 88 b3 6a 61 | .A........ja..ja0010 | 88 b3 6a 61 00 00 00 00 00 00 03 00 08 00 00 00 | ..ja............0020 | 00 00 08 00 06 00 00 00 0a f3 01 00 04 00 00 00 | ................0030 | 00 00 00 00 00 00 00 00 01 00 00 00 20 20 40 00 | ............  @.0040 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................0050 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................0060 | 00 00 00 00 00 1c 85 44 00 00 00 00 00 00 00 00 | .......D........0070 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................0080 | 1c 00 00 00 00 08 6b d0 00 08 6b d0 14 06 2c a7 | ......k...k...,.0090 | 66 b2 6a 61 d0 76 ae 7d 00 00 00 00 00 00 02 ea | f.ja.v.}........00a0 | 07 06 3c 00 00 00 00 00 23 00 00 00 00 00 00 00 | ..<.....#.......00b0 | 73 65 6c 69 6e 75 78 00 00 00 00 00 00 00 00 00 | selinux.........00c0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................00d0 | 00 00 00 00 00 00 00 00 00 00 00 00 75 6e 63 6f | ............unco00e0 | 6e 66 69 6e 65 64 5f 75 3a 6f 62 6a 65 63 74 5f | nfined_u:object_00f0 | 72 3a 64 65 66 61 75 6c 74 5f 74 3a 73 30 00 00 | r:default_t:s0..Inode is AllocatedFile mode: 16877Low 16 bits of Owner Uid: 0Size in bytes: 4096Access time: 1634382744Creation time: 1634382728Modification time: 1634382728Deletion Time: 0Low 16 bits of Group Id: 0Links count: 3Blocks count: 8File flags: 524288File version (for NFS): 1149574144File ACL: 0Directory ACL: 0Fragment address: 0Direct blocks: 127754, 4, 0, 0, 1, 4202528, 0, 0, 0, 0, 0, 0Indirect block: 0Double indirect block: 0Triple indirect block: 0File name                                       | Inode number | Deleted status.                                                 1048577..                                                2deletefile                                        1048578        Deleteddelete                                            1048579        DeletedRECOVERED_FILES                                   1048580

## 7.模拟误删文件

rm -rf /data/*

## 8.（xfs分区的）

xfsrestore -f /tmp/dump_data /data

## 8.（ext4分区的）

/usr/local/bin/extundelete /dev/sda2 --restore-directory /data

NOTICE: Extended attributes are not restored.WARNING: EXT3_FEATURE_INCOMPAT_RECOVER is set.The partition should be unmounted to undelete any files without further data loss.If the partition is not currently mounted, this message indicates it was improperly unmounted, and you should run fsck before continuing.If you decide to continue, extundelete may overwrite some of the deletedfiles and make recovering those files impossible.  You should unmount thefile system and check it with fsck before using extundelete.Would you like to continue? (y/n) //此处的信息是因为我在根目录下做实验，无法进行卸载导致的，这儿的大概意思是说 如果你要进行这个操作的话，最好吧分区卸载掉再进行恢复，否则如果不卸载的话，如果有写操作会吧原来的inode覆盖掉，如果你已经卸载了分区，还报这个错的话用fuser -k /PATH，之后再umount /PATH，请用这样的话会导致无法恢复，或者恢复不成功，笔者鉴于是测试服务器，并且是实验操作所以选Y，生产环境建议不要这么做。 yLoading filesystem metadata ... 285 groups loaded.Loading journal descriptors ... 25781 descriptors loaded.Failed to restore file 1048579Could not find correct inode number past inode 2.Try altering the filename to one of the entries listed below.File name                                       | Inode number | Deleted status/usr/local/bin/extundelete: Operation not permitted while restoring directory./usr/local/bin/extundelete: Operation not permitted when trying to examine filesystem

sudo /usr/local/bin/extundelete /dev/sda2 --restore-all

## 9.查看恢复文件

cd /datals