-
Linux 深入理解Linux文件系统与日志分析
在Linux系统中,文件名和文件数据是分开存储的
文件数据包含 元信息(即不包含文件名的文件属性) 和 实际数据
文件元信息存储在 inode(索引节点)里,
文件实际数据存储在 block(块)里;
文件名存储在目录块里
查看文件的元信息
stat 文件名
- [root@localhost ~]# stat anaconda-ks.cfg
- 文件:"anaconda-ks.cfg"
- 大小:2074 块:8 IO 块:4096 普通文件
- 设备:fd00h/64768d Inode:67144898 硬链接:1
- 权限:(0600/-rw-------) Uid:( 0/ root) Gid:( 0/ root)
- 环境:system_u:object_r:admin_home_t:s0
- 最近访问:2024-04-12 01:44:39.005730620 +0800
- 最近更改:2024-04-12 01:44:14.354964618 +0800
- 最近改动:2024-04-12 01:44:14.354964618 +0800
- 创建时间:-
- [root@localhost ~]#
改变ctime (修改最近文件属性时间)
- [root@localhost ~]# echo 123456 >> anaconda-ks.cfg //输入123456 到anaconda-ks.cfg 末尾
- [root@localhost ~]# cat anaconda-ks.cfg
- [root@localhost ~]# cat anaconda-ks.cfg
- #version=DEVEL
- # System authorization information
- auth --enableshadow --passalgo=sha512
- # Use CDROM installation media
- cdrom
- # Use graphical install
- graphical
- # Run the Setup Agent on first boot
- firstboot --enable
- ignoredisk --only-use=sda
- # Keyboard layouts
- keyboard --vckeymap=cn --xlayouts='cn'
- # System language
- lang zh_CN.UTF-8
- # Network information
- network --bootproto=dhcp --device=ens33 --onboot=off --ipv6=auto --no-activate
- network --hostname=localhost.localdomain
- # Root password
- rootpw --iscrypted $6$lCNsNLYBoSLgy1xJ$fLC2eqvnd./OQYO3ueDaWdIXNaTHjWCWiVdbYXDKicx7X4O5uG3TCernPM4cmO4F2T6swRQiL.QHeb2ZjSSix0
- # System services
- services --enabled="chronyd"
- # System timezone
- timezone Asia/Shanghai --isUtc
- user --name=test --password=$6$pqpVPolNrgdFy0.l$eDkOH6pHUFPKo6nLELC7oqLKyMW6VzMY5gRgTK0C.vW6S9sBu5xCvS168FgT.THqeNBoTpZYbJDWJcn.AvBUY. --iscrypted --gecos="test"
- # X Window System configuration information
- xconfig --startxonboot
- # System bootloader configuration
- bootloader --append=" crashkernel=auto" --location=mbr --boot-drive=sda
- # Partition clearing information
- clearpart --none --initlabel
- # Disk partitioning information
- part pv.157 --fstype="lvmpv" --ondisk=sda --size=39935
- part /boot --fstype="xfs" --ondisk=sda --size=1024
- volgroup centos --pesize=4096 pv.157
- logvol / --fstype="xfs" --grow --maxsize=51200 --size=1024 --name=root --vgname=centos
- logvol swap --fstype="swap" --size=3968 --name=swap --vgname=centos
- %packages
- @^gnome-desktop-environment
- @base
- @core
- @desktop-debugging
- @development
- @dial-up
- @directory-client
- @fonts
- @gnome-desktop
- @guest-agents
- @guest-desktop-agents
- @input-methods
- @internet-browser
- @java-platform
- @multimedia
- @network-file-system-client
- @networkmanager-submodules
- @print-client
- @x11
- chrony
- kexec-tools
- %end
- %addon com_redhat_kdump --enable --reserve-mb='auto'
- %end
- %anaconda
- pwpolicy root --minlen=6 --minquality=1 --notstrict --nochanges --notempty
- pwpolicy user --minlen=6 --minquality=1 --notstrict --nochanges --emptyok
- pwpolicy luks --minlen=6 --minquality=1 --notstrict --nochanges --notempty
- %end
- 123456
- [root@localhost ~]#
查看文件的inode号
stat 文件名 ls -i 文件名
- [root@localhost ~]# ls -l //已长格式的形式查看文件
- 总用量 8
- -rw-------. 1 root root 2074 4月 12 01:44 anaconda-ks.cfg
- -rw-r--r--. 1 root root 2122 4月 12 01:45 initial-setup-ks.cfg
- drwxr-xr-x. 2 root root 6 4月 12 01:45 公共
- drwxr-xr-x. 2 root root 6 4月 12 01:45 模板
- drwxr-xr-x. 2 root root 6 4月 12 01:45 视频
- drwxr-xr-x. 2 root root 6 4月 12 01:45 图片
- drwxr-xr-x. 2 root root 6 4月 12 01:45 文档
- drwxr-xr-x. 2 root root 6 4月 12 01:45 下载
- drwxr-xr-x. 2 root root 6 4月 12 01:45 音乐
- drwxr-xr-x. 2 root root 6 4月 12 01:45 桌面
- [root@localhost ~]#
- [root@localhost ~]# ls -l -i //以长格式的形式查看文件和inode号
- 总用量 8
- 67144898 -rw-------. 1 root root 2074 4月 12 01:44 anaconda-ks.cfg
- 67144914 -rw-r--r--. 1 root root 2122 4月 12 01:45 initial-setup-ks.cfg
- 67163511 drwxr-xr-x. 2 root root 6 4月 12 01:45 公共
- 34475388 drwxr-xr-x. 2 root root 6 4月 12 01:45 模板
- 67163512 drwxr-xr-x. 2 root root 6 4月 12 01:45 视频
- 34475389 drwxr-xr-x. 2 root root 6 4月 12 01:45 图片
- 102606812 drwxr-xr-x. 2 root root 6 4月 12 01:45 文档
- 86015 drwxr-xr-x. 2 root root 6 4月 12 01:45 下载
- 86016 drwxr-xr-x. 2 root root 6 4月 12 01:45 音乐
- 102606811 drwxr-xr-x. 2 root root 6 4月 12 01:45 桌面
- [root@localhost ~]# stat anaconda-ks.cfg
- 文件:"anaconda-ks.cfg"
- 大小:2074 块:8 IO 块:4096 普通文件
- 设备:fd00h/64768d Inode:67144898 硬链接:1
- 权限:(0600/-rw-------) Uid:( 0/ root) Gid:( 0/ root)
- 环境:system_u:object_r:admin_home_t:s0
- 最近访问:2024-04-12 01:44:39.005730620 +0800
- 最近更改:2024-04-12 01:44:14.354964618 +0800
- 最近改动:2024-04-12 01:44:14.354964618 +0800
- 创建时间:-
- [root@localhost ~]#
查看每个分区的inode数量
df -i
- [root@localhost ~]# ls -i
- 85936 abc 67163512 视频
- 67163545 abc.txt 34475389 图片
- 67144898 anaconda-ks.cfg 102606812 文档
- 67144914 initial-setup-ks.cfg 86015 下载
- 67163511 公共 86016 音乐
- 34475388 模板 102606811 桌面
- [root@localhost ~]#
Linux系统不使用 文件名 识别文件,而使用 inode号 来识别文件,文件名只是 inode号 便于识别的别称,文件名和inode号是一一对应的。
用户通过文件名访问文件的过程:
- 先根据文件名找到对应的inode号;
- 再通过inode号获取inode信息;
- 再根据inode信息判断用户是否具有访问权限;
- 如果有则指向实际教据的块并读取数据,否则拒绝访问。
直接查看和vim编辑器查看
- 直接査看、修改文件内容或者改变文件名都不会影响 inode号,
- 使用 vi 编辑器修改文件保存退出后会影响 inode号
针对无法正常删除文件名含有特殊符号的文件时,可根据 inode号 来删除文件
find 目录 -inum
-delete 实验
- [root@localhost ~]# fdisk -l
- 磁盘 /dev/sdc:21.5 GB, 21474836480 字节,41943040 个扇区
- Units = 扇区 of 1 * 512 = 512 bytes
- 扇区大小(逻辑/物理):512 字节 / 512 字节
- I/O 大小(最小/最佳):512 字节 / 512 字节
- 磁盘 /dev/sdb:21.5 GB, 21474836480 字节,41943040 个扇区
- Units = 扇区 of 1 * 512 = 512 bytes
- 扇区大小(逻辑/物理):512 字节 / 512 字节
- I/O 大小(最小/最佳):512 字节 / 512 字节
- 磁盘 /dev/sda:42.9 GB, 42949672960 字节,83886080 个扇区
- Units = 扇区 of 1 * 512 = 512 bytes
- 扇区大小(逻辑/物理):512 字节 / 512 字节
- I/O 大小(最小/最佳):512 字节 / 512 字节
- 磁盘标签类型:dos
- 磁盘标识符:0x0009ec77
- 设备 Boot Start End Blocks Id System
- /dev/sda1 * 2048 2099199 1048576 83 Linux
- /dev/sda2 2099200 83886079 40893440 8e Linux LVM
- 磁盘 /dev/mapper/centos-root:37.7 GB, 37706792960 字节,73646080 个扇区
- Units = 扇区 of 1 * 512 = 512 bytes
- 扇区大小(逻辑/物理):512 字节 / 512 字节
- I/O 大小(最小/最佳):512 字节 / 512 字节
- 磁盘 /dev/mapper/centos-swap:4160 MB, 4160749568 字节,8126464 个扇区
- Units = 扇区 of 1 * 512 = 512 bytes
- 扇区大小(逻辑/物理):512 字节 / 512 字节
- I/O 大小(最小/最佳):512 字节 / 512 字节
- [root@localhost ~]#
- [root@localhost ~]#
- [root@localhost ~]# fdisk -l
- 磁盘 /dev/sdc:21.5 GB, 21474836480 字节,41943040 个扇区
- Units = 扇区 of 1 * 512 = 512 bytes
- 扇区大小(逻辑/物理):512 字节 / 512 字节
- I/O 大小(最小/最佳):512 字节 / 512 字节
- 磁盘 /dev/sdb:21.5 GB, 21474836480 字节,41943040 个扇区
- Units = 扇区 of 1 * 512 = 512 bytes
- 扇区大小(逻辑/物理):512 字节 / 512 字节
- I/O 大小(最小/最佳):512 字节 / 512 字节
- 磁盘标签类型:dos
- 磁盘标识符:0x635e871e
- 设备 Boot Start End Blocks Id System
- /dev/sdb1 2048 41943039 20970496 83 Linux
- 磁盘 /dev/sda:42.9 GB, 42949672960 字节,83886080 个扇区
- Units = 扇区 of 1 * 512 = 512 bytes
- 扇区大小(逻辑/物理):512 字节 / 512 字节
- I/O 大小(最小/最佳):512 字节 / 512 字节
- 磁盘标签类型:dos
- 磁盘标识符:0x0009ec77
- 设备 Boot Start End Blocks Id System
- /dev/sda1 * 2048 2099199 1048576 83 Linux
- /dev/sda2 2099200 83886079 40893440 8e Linux LVM
- 磁盘 /dev/mapper/centos-root:37.7 GB, 37706792960 字节,73646080 个扇区
- Units = 扇区 of 1 * 512 = 512 bytes
- 扇区大小(逻辑/物理):512 字节 / 512 字节
- I/O 大小(最小/最佳):512 字节 / 512 字节
- 磁盘 /dev/mapper/centos-swap:4160 MB, 4160749568 字节,8126464 个扇区
- Units = 扇区 of 1 * 512 = 512 bytes
- 扇区大小(逻辑/物理):512 字节 / 512 字节
- I/O 大小(最小/最佳):512 字节 / 512 字节
- [root@localhost ~]#
- [root@localhost ~]# mkfs -t ext3 /dev/sdb1 //格式化/dev/sdb1
- mke2fs 1.42.9 (28-Dec-2013)
- 文件系统标签=
- OS type: Linux
- 块大小=4096 (log=2)
- 分块大小=4096 (log=2)
- Stride=0 blocks, Stripe width=0 blocks
- 1310720 inodes, 5242624 blocks
- 262131 blocks (5.00%) reserved for the super user
- 第一个数据块=0
- Maximum filesystem blocks=4294967296
- 160 block groups
- 32768 blocks per group, 32768 fragments per group
- 8192 inodes per group
- Superblock backups stored on blocks:
- 32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
- 4096000
- Allocating group tables: 完成
- 正在写入inode表: 完成
- Creating journal (32768 blocks): 完成
- Writing superblocks and filesystem accounting information: 完成
- [root@localhost ~]
- [root@localhost ~]#
- [root@localhost ~]#
- [root@localhost ~]# mkdir /xy101 //创建
- [root@localhost ~]# mount /dev/sdb1 /xy101/ //挂载
- [root@localhost ~]# df -hT //查看
- 文件系统 类型 容量 已用 可用 已用% 挂载点
- devtmpfs devtmpfs 1.9G 0 1.9G 0% /dev
- tmpfs tmpfs 1.9G 0 1.9G 0% /dev/shm
- tmpfs tmpfs 1.9G 13M 1.9G 1% /run
- tmpfs tmpfs 1.9G 0 1.9G 0% /sys/fs/cgroup
- /dev/mapper/centos-root xfs 36G 4.4G 31G 13% /
- /dev/sda1 xfs 1014M 187M 828M 19% /boot
- tmpfs tmpfs 378M 12K 378M 1% /run/user/42
- tmpfs tmpfs 378M 0 378M 0% /run/user/0
- /dev/sdb1 ext3 20G 45M 19G 1% /xy101
- [root@localhost ~]#
- [root@localhost opt]# rz -E //传输文件
- [root@localhost opt]# ls
- CentOS_7_64_位【2】.xsh rh
- extundelete-0.2.4.tar.bz2
- [root@localhost opt]#
- [root@localhost opt]# mount /dev/sr0 /mnt //挂载到光盘
- mount: /dev/sr0 写保护,将以只读方式挂载
- [root@localhost opt]# cd /etc/yum.repos.d/
- [root@localhost yum.repos.d]# ls
- local.repo repo.bak
- [root@localhost yum.repos.d]
- [root@localhost yum.repos.d]# cat local.repo
- [local]
- name=local
- baseurl=ffile:///mnt
- enabled=1
- gpgcheck=0
- #gpgkey=file:///mnt/RPM-GPG-KEY-Centos-7
- [root@localhost yum.repos.d]#
- [root@localhost ~]# yum install -y e2fsprogs-libs e2fsprogs-devel //安装依赖包
- 已加载插件:fastestmirror, langpacks
- Loading mirror speeds from cached hostfile
- 软件包 e2fsprogs-libs-1.42.9-19.el7.x86_64 已安装并且是最新版本
- 正在解决依赖关系
- --> 正在检查事务
- ---> 软件包 e2fsprogs-devel.x86_64.0.1.42.9-19.el7 将被 安装
- --> 正在处理依赖关系 libcom_err-devel(x86-64) = 1.42.9-19.el7,它被软件包 e2fsprogs-devel-1.42.9-19.el7.x86_64 需要
- --> 正在处理依赖关系 pkgconfig(com_err),它被软件包 e2fsprogs-devel-1.42.9-19.el7.x86_64 需要
- --> 正在检查事务
- ---> 软件包 libcom_err-devel.x86_64.0.1.42.9-19.el7 将被 安装
- --> 解决依赖关系完成
- 依赖关系解决
- ========================================================================================================================================================
- Package 架构 版本 源 大小
- ========================================================================================================================================================
- 正在安装:
- e2fsprogs-devel x86_64 1.42.9-19.el7 local 73 k
- 为依赖而安装:
- libcom_err-devel x86_64 1.42.9-19.el7 local 32 k
- 事务概要
- ========================================================================================================================================================
- 安装 1 软件包 (+1 依赖软件包)
- 总下载量:105 k
- 安装大小:179 k
- Downloading packages:
- --------------------------------------------------------------------------------------------------------------------------------------------------------
- 总计 3.0 MB/s | 105 kB 00:00:00
- Running transaction check
- Running transaction test
- Transaction test succeeded
- Running transaction
- 正在安装 : libcom_err-devel-1.42.9-19.el7.x86_64 1/2
- 正在安装 : e2fsprogs-devel-1.42.9-19.el7.x86_64 2/2
- 验证中 : libcom_err-devel-1.42.9-19.el7.x86_64 1/2
- 验证中 : e2fsprogs-devel-1.42.9-19.el7.x86_64 2/2
- 已安装:
- e2fsprogs-devel.x86_64 0:1.42.9-19.el7
- 作为依赖被安装:
- libcom_err-devel.x86_64 0:1.42.9-19.el7
- 完毕!
- [root@localhost yum.repos.d]#
- [root@localhost yum.repos.d]# ls
- local.repo repo.bak
- [root@localhost yum.repos.d]# cd /opt
- [root@localhost opt]# ls
- rh extundelete-0.2.4.tar.bz2
- [root@localhost opt]# tar xf extundelete-0.2.4.tar.bz2
- [root@localhost opt]# ls
- extundelete-0.2.4 extundelete-0.2.4.tar.bz2 rh
- [root@localhost opt]#
- [root@localhost opt]#
- [root@localhost opt]# cd extundelete-0.2.4/
- [root@localhost extundelete-0.2.4]# ls
- acinclude.m4 autogen.sh configure depcomp LICENSE Makefile.in README
- aclocal.m4 config.h.in configure.ac install-sh Makefile.am missing src
- [root@localhost extundelete-0.2.4]#
- [root@localhost extundelete-0.2.4]# ./configure --prefix=/usr/local/extundelete//进行配置指定安装目录
- Configuring extundelete 0.2.4
- Writing generated files to disk
- [root@localhost extundelete-0.2.4]#
- [root@localhost extundelete-0.2.4]# make && make install
- make -s all-recursive
- Making all in src
- extundelete.cc: 在函数‘ext2_ino_t find_inode(ext2_filsys, ext2_filsys, ext2_inode*, std::string, int)’中:
- extundelete.cc:1272:29: 警告:在 {} 内将‘search_flags’从‘int’转换为较窄的类型‘ext2_ino_t {aka unsigned int}’ [-Wnarrowing]
- buf, match_name2, priv, 0};
- ^
- Making install in src
- /usr/bin/install -c extundelete '/usr/local/extundelete/bin'
- [root@localhost extundelete-0.2.4]#
- [root@localhost extundelete-0.2.4]# cd /usr/local/
- [root@localhost local]# cd /usr/local
- [root@localhost local]# ls
- bin extundelete include lib64 sbin src
- etc games lib libexec share
- [root@localhost local]#
- [root@localhost local]# cd extundelete/
- [root@localhost extundelete]# ls
- bin
- [root@localhost extundelete]#
- [root@localhost extundelete]# ls bin/
- extundelete
- [root@localhost extundelete]# ls
- bin
- [root@localhost extundelete]#
- [root@localhost extundelete]# cd bin/
- [root@localhost bin]# ls
- extundelete
- [root@localhost bin]#
- [root@localhost bin]# echo $PATH
- /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin
- [root@localhost bin]# ln -s /usr/local/extundelete/bin/extundelete /usr/local/bin/
- //创建软链接放入PATH环境变量目录中
- [root@localhost bin]#
- [root@localhost bin]# cd
- [root@localhost ~]# ex
- ex exec exempi exit expand export exportfs expr extundelete
软件已经安装完毕
- [root@localhost ~]# df -hT
- 文件系统 类型 容量 已用 可用 已用% 挂载点
- devtmpfs devtmpfs 1.9G 0 1.9G 0% /dev
- tmpfs tmpfs 1.9G 0 1.9G 0% /dev/shm
- tmpfs tmpfs 1.9G 13M 1.9G 1% /run
- tmpfs tmpfs 1.9G 0 1.9G 0% /sys/fs/cgroup
- /dev/mapper/centos-root xfs 36G 4.4G 31G 13% /
- /dev/sda1 xfs 1014M 187M 828M 19% /boot
- tmpfs tmpfs 378M 12K 378M 1% /run/user/42
- tmpfs tmpfs 378M 0 378M 0% /run/user/0
- /dev/sdb1 ext3 20G 45M 19G 1% /xy101
- /dev/sr0 iso9660 4.5G 4.5G 0 100% /mnt
- [root@localhost ~]#
- [root@localhost ~]# cd /xy101/
- [root@localhost xy101]# ls
- lost+found
- [root@localhost xy101]# rm -rf *
- [root@localhost xy101]#
- [root@localhost xy101]# echo 'dh like jinmao' > dh.txt
- [root@localhost xy101]# echo 'kk like dalanqiu' > kk.txt
- [root@localhost xy101]# echo 'w like bb' > w.txt
- [root@localhost xy101]# echo 'y like me' > y.txt
- [root@localhost xy101]#
- [root@localhost xy101]# ls
- dh.txt kk.txt w.txt y.txt
- [root@localhost xy101]# extundelete /dev/sdb1 --inode 2 //指定磁盘文件
- NOTICE: Extended attributes are not restored.
- WARNING: EXT3_FEATURE_INCOMPAT_RECOVER is set.
- The partition should be unmounted to undelete any files without further data loss.
- If the partition is not currently mounted, this message indicates
- it was improperly unmounted, and you should run fsck before continuing.
- If you decide to continue, extundelete may overwrite some of the deleted
- files and make recovering those files impossible. You should unmount the
- file system and check it with fsck before using extundelete.
- Would you like to continue? (y/n)
- y
- Loading filesystem metadata ... 160 groups loaded.
- Group: 0
- Contents of inode 2:
- 0000 | ed 41 00 00 00 10 00 00 a5 de 27 66 76 de 27 66 | .A........'fv.'f
- 0010 | 76 de 27 66 00 00 00 00 00 00 02 00 08 00 00 00 | v.'f............
- 0020 | 00 00 00 00 05 00 00 00 03 06 00 00 00 00 00 00 | ................
- 0030 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
- 0040 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
- 0050 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
- 0060 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
- 0070 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
- 0080 | 1c 00 00 00 38 e9 48 0f 38 e9 48 0f 4c fa e0 31 | ....8.H.8.H.L..1
- 0090 | 6a c2 27 66 00 00 00 00 00 00 00 00 00 00 00 00 | j.'f............
- 00a0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
- 00b0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
- 00c0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
- 00d0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
- 00e0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
- 00f0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
- Inode is Allocated
- File mode: 16877
- Low 16 bits of Owner Uid: 0
- Size in bytes: 4096
- Access time: 1713888933
- Creation time: 1713888886
- Modification time: 1713888886
- Deletion Time: 0
- Low 16 bits of Group Id: 0
- Links count: 2
- Blocks count: 8
- File flags: 0
- File version (for NFS): 0
- File ACL: 0
- Directory ACL: 0
- Fragment address: 0
- Direct blocks: 1539, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
- Indirect block: 0
- Double indirect block: 0
- Triple indirect block: 0
- File name | Inode number | Deleted status
- . 2
- .. 2
- dh.txt 11
- kk.txt 12
- w.txt 13
- y.txt 14
- [root@localhost xy101]#
- [root@localhost xy101]# rm -f dh.txt w.txt y.txt //模拟误删dh.txt w.txt y.txt,这三个文件
- [root@localhost xy101]# ls
- kk.txt
- [root@localhost xy101]#
- [root@localhost xy101]# extundelete /dev/sdb1 --inode 2
- NOTICE: Extended attributes are not restored.
- WARNING: EXT3_FEATURE_INCOMPAT_RECOVER is set.
- The partition should be unmounted to undelete any files without further data loss.
- If the partition is not currently mounted, this message indicates
- it was improperly unmounted, and you should run fsck before continuing.
- If you decide to continue, extundelete may overwrite some of the deleted
- files and make recovering those files impossible. You should unmount the
- file system and check it with fsck before using extundelete.
- Would you like to continue? (y/n)
- y
- Loading filesystem metadata ... 160 groups loaded.
- Group: 0
- Contents of inode 2:
- 0000 | ed 41 00 00 00 10 00 00 81 96 28 66 34 96 28 66 | .A........(f4.(f
- 0010 | 34 96 28 66 00 00 00 00 00 00 02 00 08 00 00 00 | 4.(f............
- 0020 | 00 00 00 00 08 00 00 00 03 06 00 00 00 00 00 00 | ................
- 0030 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
- 0040 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
- 0050 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
- 0060 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
- 0070 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
- 0080 | 1c 00 00 00 60 67 81 c3 60 67 81 c3 ec 1c 66 cd | ....`g..`g....f.
- 0090 | 6a c2 27 66 00 00 00 00 00 00 00 00 00 00 00 00 | j.'f............
- 00a0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
- 00b0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
- 00c0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
- 00d0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
- 00e0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
- 00f0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
- Inode is Allocated
- File mode: 16877
- Low 16 bits of Owner Uid: 0
- Size in bytes: 4096
- Access time: 1713936001
- Creation time: 1713935924
- Modification time: 1713935924
- Deletion Time: 0
- Low 16 bits of Group Id: 0
- Links count: 2
- Blocks count: 8
- File flags: 0
- File version (for NFS): 0
- File ACL: 0
- Directory ACL: 0
- Fragment address: 0
- Direct blocks: 1539, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
- Indirect block: 0
- Double indirect block: 0
- Triple indirect block: 0
- File name | Inode number | Deleted status
- . 2
- .. 2
- dh.txt 11 Deleted
- kk.txt 12
- w.txt 13 Deleted
- y.txt 14 Deleted
- [root@localhost xy101]#
- root@localhost ~]# umount /dev/sdb1 //如果磁盘被误删,第一件事就是解挂,不要让磁盘进行数据写入
- [root@localhost ~]# extundelete /dev/sdb1 --restore-all
- NOTICE: Extended attributes are not restored.
- Loading filesystem metadata ... 160 groups loaded.
- Loading journal descriptors ... 56 descriptors loaded.
- Searching for recoverable inodes in directory / ...
- 3 recoverable inodes found.
- Looking through the directory structure for deleted files ...
- 0 recoverable inodes still lost.
- [root@localhost ~]#
- [root@localhost ~]# ls
- abc abc.txt anaconda-ks.cfg initial-setup-ks.cfg RECOVERED_FILES 公共 模板 视频 图片 文档 下载 音乐 桌面
- [root@localhost ~]#
- [root@localhost ~]# cd RECOVERED_FILES
- [root@localhost RECOVERED_FILES]# ls //可以看见被删除文件
- dh.txt w.txt y.txt
- [root@localhost RECOVERED_FILES]#
- [root@localhost RECOVERED_FILES]# cat *
- dh like jinmao
- w like bb
- y like me
- [root@localhost RECOVERED_FILES]#
Linux日志
内核及系统日志
#内核及公共消息日志 /var/log/messages 记录Linux内核消息及各种应用程序的公共日志信息,包括启动、IO错误、网络错误、程序故障等。对于未使用独立日志文件的应用程序或服务,一般都可以从该日志文件中获得相关的事件记录信息。 #计划任务日志 /var/log/cron 记录crond计划任务产生的事件信息 #系统引导日志 /var/log/dmesg 记录Linux系统在引导过程中的各种事件信息 #邮件系统日志 /var/log/maillog 记录进入或发出系统的电子邮件活动 用户登录日志
/var/log/secure 记录用户认证相关的安全事件信息 /var/log/lastlog 记录每个用户最近的登录事件。二进制格式 /var/log/wtmp 记录每个用户登录、注销及系统启动和停机事件。二进制格式 /var/run/btmp 记录失败的、错误的登录尝试及验证事件。二进制格式 vim /etc/rsyslog.conf #查看rsyslog.conf配置文件,规则配置格式:【设备.级别 动作】
*.info;mail.none;authpriv.none;cron.none /var/log/messages*.info #表示info等级及以上的所有等级的信息都写到对应的日志文件里
mail.none #表示某事件的信息不写到日志文件里(这里比如是邮件)设备字段说明:
auth 用户认证时产生的日志
authpriv ssh、ftp等登录信息的验证信息
daemon 一些守护进程产生的日志
ftp FTP产生的日志
lpr 打印相关活动
mark rsyslog服务内部的信息,时间标识
news 网络新闻传输协议(nntp)产生的消息。
syslog 系统日志
uucp Unix-to-Unix Copy 两个unix之间的相关通信
console 针对系统控制台的消息。
cron 系统执行定时任务产生的日志。
kern 系统内核日志
local0~local7 自定义程序使用
mail 邮件日志
user 用户进程程序日志
由应用程序配置文件自行定义的
数字等级越小,日志级别越高,日志事件越重要
0 EMERG(紧急) 会导致主机系统不可用的情况。如系统崩溃 1 ALERT(警告) 必须马上采取措施解决的问题。如数据库被破坏 2 CRIT(严重) 比较严重的情况。如硬盘错误,可能会阻碍程序的部分功能 3 ERR(错误) 运行出现错误。不是非常紧急,尽快修复的 4 WARNING(提醒) 可能影响系统功能,需要提醒用户的重要事件。不是错误,如磁盘用了85%等 5 NOTICE(注意) 不会影响正常功能,但是需要注意的事件。无需处理 6 INFO(信息) 一般信息。正常的系统信息 7 DEBUG(调试)
程序或系统调试信息等。包含详细开发的信息,调试程序时使用 none 没有优先级,不记录任何日志消息。 日志级别:debug, info, notice, warn, error, crit, alert, emerg none
7 6 5 4 3 2 1 0举例:
mail.info /var/log/maillog :比指定级别更高的日志级别,包括指定级别自身,保存到/var/log/maillog中
mail.=info /var/log/maillog :明确指定日志级别为info,保存至/var/log/maillog
mail.!info /var/log/maillog :除了指定的日志级别(info)所有日志级别信息,保存至/var/log/maillog
*.info /var/log/maillog :所有facility的info级别,保存至/var/log/maillog
mail.* /var/log/maillog :mail的所有日志级别信息,都保存至/var/log/maillog
mail.notice;news.info /var/log/maillog :mail的notice以上记得日志级别和news的info以上的级别保存至/var/log/maillog
mail,news.crit -/var/log/maillog :mail和news的crit以上的日志级别保存/var/log/maillog中;“-”代表异步模式Linux系统日志管理服务 rsyslog
配置文件 /etc/rsyslog.conf
集中式收集管理日志方案
rsyslog shell/python脚本 ELK(elasticsearch+logstash+kibana) Loki+promtail+grafana
Linux系统日志管理
Linux系统日志管理 journalctl #查看所有日志(默认情况下,只保存本次启动的日志)
-r #-r表示倒序,从尾部看
-u 服务名 #查看某个服务的日志
-k #查看内核日志(不显示应用日志)
-b -0/-1 #查看系统本次启动的日志
-f #显示尾部指定行数的日志
_PID=<进程PID> #查看指定进程的日志
_UID=<账户UID> #查看指定用户的日志 -
相关阅读:
服务器数据恢复—异常断电导致ESXi虚拟机无法启动的数据恢复案例
git--恢复/撤销 相关命令--使用/实例
人工智能基础_机器学习030_ElasticNet弹性网络_弹性回归的使用---人工智能工作笔记0070
14:00面试,14:06就出来了,问的问题过于变态了。。。
Axure设计之引入ECharts图表
JAVA实现数组模拟队列
Java技能树-网络-UDP-DatagramSocket
阿里巴巴找黄金宝箱(V)--滑动窗口
143. 最大异或对(01字典树)
JSP自定义标签之自定义分页01
- 原文地址:https://blog.csdn.net/2301_82109773/article/details/138110511
