Saturday, October 14, 2017

Recover Deleted files in RHEL 6

https://arkit.co.in/recover-deleted-files-in-rhel-6/


We may not know when we run rm -rf commands to delete the files, unexpectedly or instead of running an commands in one directory we had done in other directory so important files got deleted then how..?? See the below steps to recover deleted files in RHEL 6, which is most useful when you want to recover deleted files.
We are going to extendelete utility to recover ext3 and ext4 data files from partition. Extendelete is a complex algorithm to recover data from ext3 and ext4 data partition by running simple commands from command line.
1. Disable SELinux for it to work, with SELinux enabled I could not get the right size of the files.
You have to restart your server to effect SELinux disable state. SElinux disable is required restart until you restart your server SELinux will be in enforcing mode.
[root@arkit]# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
 SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
#SELINUXTYPE=targeted
2. Install e2fsprogs packages to resolve dependencies
[root@arkit]# yum install  e2fsprogs-devel  e2fsprogs e2fsprogs-libs
Dependencies Resolved
================================================================================
Package             Arch      Version            Repository               Size
================================================================================
Installing:
e2fsprogs-devel     x86_64    1.41.12-11.el6     rhel-x86_64-server-6    158 k
Updating:
e2fsprogs           x86_64    1.41.12-11.el6     rhel-x86_64-server-6    550 k
e2fsprogs-libs      x86_64    1.41.12-11.el6     rhel-x86_64-server-6    119 k
Updating for dependencies:
libcom_err          x86_64    1.41.12-11.el6     rhel-x86_64-server-6     36 k
libcom_err-devel    x86_64    1.41.12-11.el6     rhel-x86_64-server-6     31 k
libss               x86_64    1.41.12-11.el6     rhel-x86_64-server-6     40 k
Transaction Summary
================================================================================
Install       1 Package(s)
Upgrade       5 Package(s)
Total download size: 934 k
Is this ok [y/N]: y
Downloading Packages:
(1/6): e2fsprogs-1.41.12-11.el6.x86_64.rpm                                               | 550 kB     00:14
(2/6): e2fsprogs-devel-1.41.12-11.el6.x86_64.rpm                                         | 158 kB     00:01
(3/6): e2fsprogs-libs-1.41.12-11.el6.x86_64.rpm                                          | 119 kB     00:01
(4/6): libcom_err-1.41.12-11.el6.x86_64.rpm                                              |  36 kB     00:00
(5/6): libcom_err-devel-1.41.12-11.el6.x86_64.rpm                                        |  31 kB     00:01
(6/6): libss-1.41.12-11.el6.x86_64.rpm                                                   |  40 kB     00:00
----------------------------------------------------------------------------------------------------------------
Total                                                                            16 kB/s | 934 kB     00:59
Updating   : libcom_err-1.41.12-11.el6.x86_64                                                            1/11
Updating   : e2fsprogs-libs-1.41.12-11.el6.x86_64                                                        2/11
Updating   : libcom_err-devel-1.41.12-11.el6.x86_64                                                      3/11
Updating   : libss-1.41.12-11.el6.x86_64                                                                 4/11
Updating   : e2fsprogs-1.41.12-11.el6.x86_64                                                             5/11
Installing : e2fsprogs-devel-1.41.12-11.el6.x86_64                                                       6/11
Cleanup    : libcom_err-devel-1.41.12-7.el6.x86_64                                                       7/11
Cleanup    : e2fsprogs-1.41.12-7.el6.x86_64                                                              8/11
Cleanup    : e2fsprogs-libs-1.41.12-7.el6.x86_64                                                         9/11
Cleanup    : libss-1.41.12-7.el6.x86_64                                                                 10/11
Cleanup    : libcom_err-1.41.12-7.el6.x86_64                                                            11/11
duration: 562(ms)
Installed products updated.
Installed:
e2fsprogs-devel.x86_64 0:1.41.12-11.el6
Updated:
e2fsprogs.x86_64 0:1.41.12-11.el6                    e2fsprogs-libs.x86_64 0:1.41.12-11.el6
Dependency Updated:
libcom_err.x86_64 0:1.41.12-11.el6  libcom_err-devel.x86_64 0:1.41.12-11.el6  libss.x86_64 0:1.41.12-11.el6
Complete!

How to recover deleted files in RHEL 6

3. To Download extundelete click on below link
4. Extract the archives from extundelete-0.2.0.tar
[root@arkit ~]# tar xvf extundelete-0.2.0.tar
[root@arkit ~]# cd extundelete-0.2.0
[root@arkit extundelete-0.2.0]# ls
acinclude.m4  autogen.sh  config.h.in  configure.ac  install-sh  Makefile.am  missing  src
 aclocal.m4    compile     configure    depcomp       LICENSE     Makefile.in  README
5. Configure and make
[root@arkit extundelete-0.2.0]# ./configure
Configuring extundelete 0.2.0
Writing generated files to disk
[root@arkit extundelete-0.2.0]# make && make install
make -s all-recursive
Making all in src
Making install in src
/usr/bin/install -c 'extundelete' '/usr/local/bin/extundelete'
6. The partition /dev/sdc1 is mounted on /backup/data-deleted/
[root@arkit backup]# df -h
[root@arkit backup]# cd data-deleted/
7. Create some files on backup/data-deleted.
[root@arkit data-deleted]# cat /var/log/messages > test1.txt
[root@arkit data-deleted]# du -hs *
160K    test1.txt
8. Delete the files in order to recover them later
[root@arkit data-deleted]# cd
[root@arkit ~]# rm -rf /backup/data-deleted
9. Remount partition
Note: If your files got deleted then immediately avoid the changes to the inodes because if inodes got changed then you run into the problems you may not able to recover the deleted files. mount your file system in read-only mode
[root@arkit ~]# mount -o remount,ro /backup

10. Now we will use extundelete to recover the files from the partition

in order to restore all the files which are deleted we have to use below commands
[root@arkit ~]# extundelete /dev/sdc1  --restore-all
WARNING: Extended attributes are not restored.
Loading filesystem metadata ... 63 groups loaded.
Loading journal descriptors ... 91 descriptors loaded.
Searching for recoverable inodes in directory / ...
4 recoverable inodes found.
Looking through the directory structure for deleted files ...
Failed to restore inode 32513 to file RECOVERED_FILES/data-deleted:Inode does not correspond to a regular file.
Restored inode 562514 to file RECOVERED_FILES/data-deleted/test1.txt
0 recoverable inodes still lost.
11. A directory called RECOVERED_FILES is created and inside you will find the files recovered by extundelete
[root@arkit ~]# du -hs RECOVERED_FILES/data-deleted/
520K    RECOVERED_FILES/data-deleted/
12. Finally you can recover deleted files to his original place
in order to recovery the files to the same place run the below command
[root@secondserver ~]# rsync -av  RECOVERED_FILES/data-deleted /backup/
sending incremental file list
data-deleted/
data-deleted/test1.txt
sent 106931 bytes  received 730 bytes  21400008.00 bytes/sec
total size is 1006704  speedup is 1.00
[root@secondserver ~]# cd /backup/data-deleted/
[root@secondserver data-deleted]# ls
[root@arkit ~]# du -hs /backup/data-deleted/*
160K    RECOVERED_FILES/data-deleted/test1.txt
[root@arkit ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.1 (Santiago)