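extundelete is a tool built specifically for recovering from accidental deletion; a careless rm -rf * can wipe out data you need. That is why this recovery tool exists, but it is not a cure-all: once data has been deleted you must stop all write operations, so that the inode space is not reallocated. If that happens the data can never be recovered, and all you can do is mourn...
1. Install extundelete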
yum install gcc gcc-c++ -y
yum install 'e2fs*'    # install the packages extundelete depends on
wget http://nchc.dl.sourceforge.net/project/extundelete/extundelete/0.2.4/extundelete-0.2.4.tar.bz2
tar jxvf extundelete-0.2.4.tar.bz2
cd extundelete-0.2.4
./configure && make && make install
Set a temporary environment variable (to make it permanent, write it to profile):
#export PATH=$PATH:/usr/local/extundelete/bin
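My server runs CentOS 6.8 and the filesystem is ext4. As soon as a file is deleted, immediately stop every process or service that writes files; ideally remount the filesystem read-only, so the data is not damaged beyond recovery. Let's start the recovery!
Simulated data deletion and recovery.
1. View the mount details: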
[root@localhost ~]# mount
/dev/vda1 on / type ext4 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
tmpfs on /dev/shm type tmpfs (rw)
/dev/vdb1 on /data type ext4 (rw,barrier=0)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
# The data disk behind /data is /dev/vdb1; I will delete and recover data under /data.
2. Create the test data (copy the directories under local into /data, and copy the /etc/passwd file into /data)
[root@localhost ~]#cp /usr/local/ /data/ -rp
[root@localhost data]# ls -lh /data
total 68K
drwxr-xr-x 7 root root 4.0K Aug 23 10:43 aegis
drwxr-xr-x 2 root root 4.0K Aug 23 10:58 bin
drwxr-xr-x 2 root root 4.0K Sep 23 2011 etc
drwxr-xr-x 2 root root 4.0K Sep 23 2011 games
drwxr-xr-x 2 root root 4.0K Sep 23 2011 include
drwxr-xr-x 2 root root 4.0K Sep 23 2011 lib
drwxr-xr-x 2 root root 4.0K Sep 23 2011 lib64
drwxr-xr-x 2 root root 4.0K Sep 23 2011 libexec
drwxr-xr-x 2 root root 4.0K Aug 23 15:29 local
drwx------ 2 root root 16K Jun 28 14:38 lost+found
drwxr-xr-x 2 root root 4.0K Sep 23 2011 sbin
drwxr-xr-x 5 root root 4.0K Jun 5 05:32 share
drwxr-xr-x 2 root root 4.0K Jun 28 14:38 src
drwxr-xr-x 2 root root 4.0K Aug 23 15:21 testdb
-rw-r--r-- 1 root root 1188 Aug 23 09:46 passwd
3. Simulate the accidental deletion:
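[root@localhost ~]# cd /data/
[root@localhost data]# rm -rf *
What follows is the entire data recovery process.
4. Quickly switch /data from read-write mode to read-only mode. (Deleting a file only zeroes the sector pointers in the file's inode; the file's contents are still stored on disk. If the disk is mounted read-write, the data blocks of the deleted files may be reallocated by the operating system, and once those blocks are overwritten with new data the data is truly lost and even a recovery tool can do nothing. Mounting the disk read-only therefore keeps the risk of the data blocks being overwritten as low as possible and raises the chance of a successful recovery.)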
[root@localhost ~]#mount -r -n -o remount /data
[root@localhost ~]#mount -a
# Once remounted read-only, any further write attempt reports:
[root@localhost ~]#mkdir /data/testdb
mkdir: cannot create directory `testdb': Read-only file system
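A preflight check for the step above, added here as an example and not part of the original post: it reads a mount table in /proc/mounts format and refuses to proceed unless the target is ext3/ext4, mounted read-only, and the output directory is on a different filesystem (extundelete writes RECOVERED_FILES into the current directory). The function names and the sample mount table are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). The sample mount table is
# constructed, in /proc/mounts format, modelled on the mount output shown earlier.
SAMPLE_MOUNTS='/dev/vda1 / ext4 rw 0 0
proc /proc proc rw 0 0
/dev/vdb1 /data ext4 rw,barrier=0 0 0'

# mount_info MOUNTPOINT  (mount table on stdin) -> "device fstype ro|rw"
# The last matching line wins, because later mounts shadow earlier ones.
mount_info() {
    awk -v mp="$1" '$2 == mp {
            dev = $1; fs = $3; mode = "rw"; found = 1
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) if (opt[i] == "ro") mode = "ro"
        }
        END { if (!found) exit 1; print dev, fs, mode }'
}

# owning_mount PATH  (mount table on stdin) -> longest mount point containing PATH
owning_mount() {
    awk -v p="$1" '{ m = $2
            if ((m == "/" || p == m || index(p, m "/") == 1) && length(m) > length(best))
                best = m }
        END { if (best == "") exit 1; print best }'
}

# preflight MOUNTS_TEXT TARGET_MOUNT OUTPUT_DIR
# Returns 0 when recovery may start, 1 not mounted, 2 still read-write,
# 3 output directory is on the target filesystem, 4 not ext3/ext4.
preflight() {
    info=$(printf '%s\n' "$1" | mount_info "$2") || { echo "$2: not mounted"; return 1; }
    case "$info" in
        *" ext3 "*|*" ext4 "*) ;;
        *) echo "$2: not ext3/ext4 ($info)"; return 4 ;;
    esac
    case "$info" in
        *" rw") echo "$2: still read-write, remount read-only first"; return 2 ;;
    esac
    out_mp=$(printf '%s\n' "$1" | owning_mount "$3") || return 1
    if [ "$out_mp" = "$2" ]; then
        echo "$3: is on $2, recovered files would overwrite deleted blocks"; return 3
    fi
    echo "OK: ${info%% *} is read-only, output goes to $out_mp"
}

# Live use: preflight "$(cat /proc/mounts)" /data "$PWD"
preflight "$SAMPLE_MOUNTS" /data /root || true
```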
# Check the inode of the file or directory
[root@localhost ~]# ls -id /data
2 /data
[root@localhost ~]#
# View the detailed file information for block device /dev/vdb1
[root@localhost ~]# extundelete /dev/vdb1 --inode 2
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 800 groups loaded.
Group: 0
Contents of inode 2:
0000 | ed 41 00 00 00 10 00 00 fa 2e 9d 59 92 32 9d 59 | .A.........Y.2.Y
File name | Inode number | Deleted status
.            2
..           2
lost+found   11        Deleted
testdb       2097153   Deleted
local        2883585   Deleted
aegis        2883586   Deleted
bin          2888356   Deleted
etc          2888353   Deleted
games        2888355   Deleted
include      2888352   Deleted
lib          2888360   Deleted
lib64        2888359   Deleted
libexec      2888351   Deleted
sbin         2888354   Deleted
share        2888328   Deleted
src          2888358   Deleted
passwd       2888357   Deleted
[root@localhost ~]#
Recover a single file:
[root@localhost ~]# extundelete /dev/vdb1 --restore-file passwd
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 800 groups loaded.
Loading journal descriptors ... 1292 descriptors loaded.
Successfully restored file passwd
[root@localhost ~]# ll
total 4
drwxr-xr-x 2 root root 4096 Aug 23 16:12 RECOVERED_FILES
[root@localhost ~]# cd RECOVERED_FILES/
[root@localhost RECOVERED_FILES]# ll
total 4
-rw-r--r-- 1 root root 1188 Aug 23 16:12 passwd
[root@localhost RECOVERED_FILES]#
# /dev/vdb1 is mounted at /data
Recover a single directory:
[root@localhost ~]# extundelete /dev/vdb1 --restore-directory testdb
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 800 groups loaded.
Loading journal descriptors ... 1292 descriptors loaded.
Searching for recoverable inodes in directory testdb ...
4745 recoverable inodes found.
Looking through the directory structure for deleted files ...
4744 recoverable inodes still lost.
[root@localhost ~]# cd RECOVERED_FILES/
[root@localhost RECOVERED_FILES]# ll
total 4
drwxr-xr-x 2 root root 4096 Aug 23 15:58 testdb
[root@localhost RECOVERED_FILES]# cd testdb/
[root@localhost testdb]# ll
total 4
-rw-r--r-- 1 root root 1188 Aug 23 15:58 passwd
[root@localhost testdb]#
Recover all accidentally deleted data with extundelete:
[root@localhost ~]# extundelete /dev/vdb1 --restore-all
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 800 groups loaded.
Loading journal descriptors ... 1292 descriptors loaded.
Searching for recoverable inodes in directory / ...
4745 recoverable inodes found.
Looking through the directory structure for deleted files ...
1 recoverable inodes still lost.
[root@localhost ~]# cd RECOVERED_FILES/
[root@localhost ~]#ll
drwxr-xr-x 5 root root 4096 Aug 23 16:10 local
drwxr-xr-x 2 root root 4096 Aug 23 16:10 testdb
drwxr-xr-x 7 root root 4096 Aug 23 16:10 aegis
drwxr-xr-x 2 root root 4096 Aug 23 16:10 bin
drwxr-xr-x 3 root root 4096 Aug 23 16:10 share
# A few directories were not recovered, possibly because the inode values had already changed by the time read-only mode was set.
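To see exactly which entries a --restore-all run left behind, the deleted-entry listing from --inode 2 can be compared against the contents of RECOVERED_FILES. The script below is an added example, not part of the original post; the function names are hypothetical, the listing is an abridged copy of the output shown above, and the demo directory is constructed to mirror the five directories that came back.

```shell
#!/bin/sh
# Added example (not from the original post): list what --restore-all missed.
# Abridged sample of the `extundelete /dev/vdb1 --inode 2` listing shown above.
SAMPLE_LISTING='Contents of inode 2:
File name | Inode number | Deleted status
. 2
.. 2
testdb 2097153 Deleted
local 2883585 Deleted
aegis 2883586 Deleted
bin 2888356 Deleted
etc 2888353 Deleted
share 2888328 Deleted
passwd 2888357 Deleted'

# deleted_entries: reads the --inode listing on stdin and prints
# "inode<TAB>name" for every entry flagged Deleted. The name is rebuilt from
# all fields before the inode number, so names with single spaces survive.
deleted_entries() {
    awk 'index($0, "File name") == 1 { in_list = 1; next }
         in_list && NF >= 3 && $NF == "Deleted" {
             name = $1
             for (i = 2; i <= NF - 2; i++) name = name " " $i
             print $(NF - 1) "\t" name
         }'
}

# missing_after_restore LISTING_TEXT RECOVERED_DIR
# Prints every deleted entry that does not exist under RECOVERED_DIR.
missing_after_restore() {
    tab=$(printf '\t')
    printf '%s\n' "$1" | deleted_entries | while IFS="$tab" read -r ino name; do
        [ -e "$2/$name" ] || printf '%s\t%s\n' "$ino" "$name"
    done
}

# Demo on a constructed directory standing in for RECOVERED_FILES, holding the
# five directories the --restore-all run above brought back.
demo_dir=$(mktemp -d)
(cd "$demo_dir" && mkdir local testdb aegis bin share)
missing_after_restore "$SAMPLE_LISTING" "$demo_dir"
rm -rf "$demo_dir"
```

On a real system, save the listing while the filesystem is still read-only and pass it in with the path to RECOVERED_FILES; each inode number printed identifies an entry that still needs a separate recovery attempt.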
5. Switch the /data directory back from read-only mode to read-write mode.
[root@localhost ~]#mount -rw -n -o remount /data
[root@localhost ~]#mount -a
6. Copy the recovered data from the RECOVERED_FILES directory into /data. With that the recovery is complete, oh yeah.
[root@localhost ~]#cp -rp /root/RECOVERED_FILES/testdb /data/
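I wrote this post while testing; everything in the document was written after the data had actually been recovered. I hope it is useful.
For recovery examples, see the reference document: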