Wednesday, 7 March 2012

How to recover deleted files with extundelete on RHEL6.1 Santiago

1. I had to disable SElinux for it to work, with SElinux enabled I could not get the right size of the files. 

cat /etc/syconfig/selinux
[root@rhevm]# cat /etc/sysconfig/selinux
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.

2. Install e2fsprogs 

yum install  e2fsprogs-devel  e2fsprogs e2fsprogs-libs
Dependencies Resolved

Package             Arch      Version            Repository               Size
e2fsprogs-devel     x86_64    1.41.12-11.el6     rhel-x86_64-server-6    158 k
e2fsprogs           x86_64    1.41.12-11.el6     rhel-x86_64-server-6    550 k
e2fsprogs-libs      x86_64    1.41.12-11.el6     rhel-x86_64-server-6    119 k
Updating for dependencies:
libcom_err          x86_64    1.41.12-11.el6     rhel-x86_64-server-6     36 k
libcom_err-devel    x86_64    1.41.12-11.el6     rhel-x86_64-server-6     31 k
libss               x86_64    1.41.12-11.el6     rhel-x86_64-server-6     40 k
Transaction Summary
Install       1 Package(s)
Upgrade       5 Package(s)
Total download size: 934 k
Is this ok [y/N]: y
Downloading Packages:
(1/6): e2fsprogs-1.41.12-11.el6.x86_64.rpm                                               | 550 kB     00:14    
(2/6): e2fsprogs-devel-1.41.12-11.el6.x86_64.rpm                                         | 158 kB     00:01    
(3/6): e2fsprogs-libs-1.41.12-11.el6.x86_64.rpm                                          | 119 kB     00:01    
(4/6): libcom_err-1.41.12-11.el6.x86_64.rpm                                              |  36 kB     00:00    
(5/6): libcom_err-devel-1.41.12-11.el6.x86_64.rpm                                        |  31 kB     00:01    
(6/6): libss-1.41.12-11.el6.x86_64.rpm                                                   |  40 kB     00:00    
Total                                                                            16 kB/s | 934 kB     00:59    
 Updating   : libcom_err-1.41.12-11.el6.x86_64                                                            1/11
 Updating   : e2fsprogs-libs-1.41.12-11.el6.x86_64                                                        2/11
 Updating   : libcom_err-devel-1.41.12-11.el6.x86_64                                                      3/11
 Updating   : libss-1.41.12-11.el6.x86_64                                                                 4/11
 Updating   : e2fsprogs-1.41.12-11.el6.x86_64                                                             5/11
 Installing : e2fsprogs-devel-1.41.12-11.el6.x86_64                                                       6/11
 Cleanup    : libcom_err-devel-1.41.12-7.el6.x86_64                                                       7/11
 Cleanup    : e2fsprogs-1.41.12-7.el6.x86_64                                                              8/11
 Cleanup    : e2fsprogs-libs-1.41.12-7.el6.x86_64                                                         9/11
 Cleanup    : libss-1.41.12-7.el6.x86_64                                                                 10/11
 Cleanup    : libcom_err-1.41.12-7.el6.x86_64                                                            11/11
duration: 562(ms)
Installed products updated.
 e2fsprogs-devel.x86_64 0:1.41.12-11.el6                                                                     
 e2fsprogs.x86_64 0:1.41.12-11.el6                    e2fsprogs-libs.x86_64 0:1.41.12-11.el6                  
Dependency Updated:
 libcom_err.x86_64 0:1.41.12-11.el6  libcom_err-devel.x86_64 0:1.41.12-11.el6  libss.x86_64 0:1.41.12-11.el6

3. Download extundelete from gnutoolbox website 

[root@rhevm] wget
--2012-03-06 13:13:19--
Connecting to||:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 563200 (550K) [application/x-tar]
Saving to: “extundelete-0.2.0.tar”
100%[======================================================================>] 563,200      111K/s   in 5.0s  
2012-03-06 13:13:24 (111 KB/s) - “extundelete-0.2.0.tar” saved [563200/563200]
[root@rhevm ~]# ls
anaconda-ks.cfg  extundelete-0.2.0.tar  install.log  install.log.syslog

4. Extract the archives from extundelete-0.2.0.tar

[root@rhevm ~]# tar xvf extundelete-0.2.0.tar
[root@rhevm ~]# cd extundelete-0.2.0
[root@rhevm extundelete-0.2.0]# ls
acinclude.m4  install-sh  missing  src
aclocal.m4    compile     configure    depcomp       LICENSE  README

5. Configure and make 

[root@rhevm extundelete-0.2.0]# ./configure
Configuring extundelete 0.2.0
Writing generated files to disk
[root@rhevm extundelete-0.2.0]# make && make install
make -s all-recursive
Making all in src
Making install in src
 /usr/bin/install -c 'extundelete' '/usr/local/bin/extundelete'

 6. The partition /dev/sdc1 is mounted on /backup/gnutool-delete

[root@rhevm backup# cd gnutool-delete/

7. Create some files on backup/gnutool-delete.

[root@rhevm gnutool-delete]# man man > test1.txt
[root@rhevm gnutool-delete]# man man > test2.txt
[root@rhevm gnutool-delete]# man man > test3.txt
[root@rhevm gnutool-delete]# du -hs *
16K    test1.txt
16K    test2.txt
16K    test3.txt

8. Delete the files in order to recover them later 

[root@rhevm gnutool-delete]# cd
[root@rhevm ~]# rm -rf /backup/gnutool-delete

9. Is important that we remount the partition read only as soon as possible so that the inodes are not reused.

[root@rhevm ~]# mount -o remount,ro /backup

10. Now we will use extundelete to recover the files from the partition 

[root@rhevm ~]# extundelete /dev/sdc1  --restore-all
WARNING: Extended attributes are not restored.
Loading filesystem metadata ... 63 groups loaded.
Loading journal descriptors ... 91 descriptors loaded.
Searching for recoverable inodes in directory / ...
4 recoverable inodes found.
Looking through the directory structure for deleted files ...
Failed to restore inode 32513 to file RECOVERED_FILES/gnutool-delete:Inode does not correspond to a regular file.
Restored inode 32514 to file RECOVERED_FILES/gnutool-delete/test1.txt
Restored inode 32515 to file RECOVERED_FILES/gnutool-delete/test2.txt
Restored inode 32516 to file RECOVERED_FILES/gnutool-delete/test3.txt
0 recoverable inodes still lost.

11. A directory called RECOVERED_FILES is created and inside you will find the files recovered by extundelete. 
[root@rhevm ~]# du -hs RECOVERED_FILES/gnutool-delete/
52K    RECOVERED_FILES/gnutool-delete/

12. Finally you can recover the files to his original place

[root@gibson ~]# rsync -av  RECOVERED_FILES/gnutool-delete /backup/
sending incremental file list
sent 106931 bytes  received 73 bytes  214008.00 bytes/sec
total size is 106704  speedup is 1.00
[root@gibson ~]# cd /backup/gnutool-delete/
[root@gibson gnutool-delete]# ls

[root@rhevm ~]# du -hs /backup/gnutool-delete/*
16K    RECOVERED_FILES/gnutool-delete/test1.txt
16K    RECOVERED_FILES/gnutool-delete/test2.txt
16K    RECOVERED_FILES/gnutool-delete/test3.txt

[root@rhevm ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.1 (Santiago)

