13

I deleted an important directory with the rm -R command. This is very popular host data. It was located at /var/zpanel/hostdata/ayrintilih. After removing the ayrintilih directory, everything is gone.

I tried to undelete with the ext4magic program, but it needs another HDD volume for recovery.

Error message:

ERROR: can not use "/root/recoveried" for recover directory. It's the same filesystem : "/dev/dm-0"

My ISP just replied to my request:

Unfortunately there is no way to add another Volume to a virtual Instance. 
If it would be a dedicated Server, we could do it, but not in a Cloudserver. 
You could try to minimize the partition and create another one, that would 
count as another Volume. We also recommend to have always a 
Backup for your Important files.
alchemy
  • 597
RedLEON
  • 329
  • So, did you try their suggestion? – terdon Sep 18 '13 at 20:26
  • No. If I decrease the volume, then it can lose data forever – RedLEON Sep 18 '13 at 20:32
  • 26
    The real question is how many more times you will have to read this: "We also recommend to have always a Backup for your Important files," before you take it seriously. – goldilocks Sep 18 '13 at 20:37
  • Is there any way to undelete files easily? – RedLEON Sep 18 '13 at 20:40
  • 2
    Another advice, always think twice before typing the Enter key, especially if the command is rm -R ... – jlliagre Sep 18 '13 at 20:40
  • 9
    "Is there any way to undelete files easily?" No. – msw Sep 18 '13 at 20:41
  • Lots of others have pointed out the importance of backups and my comment is secondary to that, but my delete command looks something like ARCHIVE_FILE=$(mktemp /tmp/XXXXXXXX.zip); rm $ARCHIVE_FILE; zip -rmT9 $ARCHIVE_FILE ${FILES_TO_DELETE} I have a couple of days to restore from the tmp directory before tmpwatch deletes them. After that, I must restore from the normal backup system. – emory Sep 19 '13 at 00:40
  • Aside from backups - which are essential, not optional - you could use a filesystem like btrfs or zfs which supports snapshots. This would allow you to easily recover the most recent snapshotted version (but you'd still lose any changes made after the snapshot). A cron job could create a rolling set of hourly, daily, weekly snapshots. This will, of course, consume more disk space but it can be more convenient to quickly restore a snapshotted version of a file than to restore from a backup. – cas Sep 19 '13 at 01:30
  • @terdon Re: "Did you try their suggestion?" Obviously not the one in the very last sentence. :) – Kaz Sep 19 '13 at 01:53
  • @terdon Bet he won't. 83.71% of all users who lost data this year thanks to no backups were repeat customers of data loss. :) – Kaz Sep 19 '13 at 02:01
  • 1
    @terdon Hey wait a minute, this is in some kind of cloud??? You still have to do backups? Sheesh, what good is this cloud stuff if you have to do your own backups just to be able to restore deleted files? Where is the hourly and nightly snapshot you can just "cd" into? Backups should be for the situation whereby the cloud suddenly disappears, along with the data, not for these little mishaps that do not involve an actual catastrophe. – Kaz Sep 19 '13 at 02:08
  • 2
    The ISP support rep could be lying or simply ill-informed. Or, it might just be the BOFH: "There, you've got plenty of space now" – msw Sep 19 '13 at 02:32

5 Answers

19

Undeletion is becoming more and more of a myth esp. with modern hardware (SSD) where anything that is deleted is also zeroed out (TRIM) right away, so there is zero chance of getting anything back.

Your best bet would be to make an image of whatever you have right now and then see if there is anything left to be found using whatever tools you wish. Something like:

ssh -C remoteserver dd if=/dev/theserverdisk bs=1M > local/disk.img

Best to have the box in a rescue system or otherwise freeze the entire box (read-only) for this operation as any and all writes only cause further damage at this point.

Once the image is done you can create a read-only loop device for it:

losetup --find --show --partscan --read-only disk.img

And then proceed to use whatever rescue tools of your choice on the loop device(s).

frostschutz
  • 48,978
  • thx @frostschutz. But done is done. I couldn't recover any file. – RedLEON Sep 19 '13 at 15:21
  • Helped me in recovering ~1GB of data. Server drive type: SSD. – merqlove Jul 09 '14 at 02:53
  • But, what with the attentions being paid to digital forensics and paramilitary espionage? Would recovery become easier, although requiring knowledge of the hardware redundancies and tricks? – can-ned_food Mar 29 '17 at 10:06
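
The imaging step from the answer above, extended with an integrity manifest so that later rescue attempts can be shown not to have altered the image. This is an added example, not part of the original answer; the function names acquire_image and verify_image are hypothetical, and GNU coreutils sha256sum is assumed.

```shell
#!/bin/sh
# Added example: acquire a disk image and pin it with a SHA-256 manifest.
# acquire_image / verify_image are hypothetical names; sha256sum is assumed.

# acquire_image IMG CMD...: run CMD, store its stdout as IMG, write IMG.sha256.
# Refuses to overwrite an existing image; a failed CMD leaves no manifest,
# so a partial image can never pass verify_image.
acquire_image() (
    img=$1; shift
    [ ! -e "$img" ] || { echo "acquire_image: $img already exists" >&2; exit 1; }
    "$@" > "$img" || { echo "acquire_image: source command failed" >&2; exit 1; }
    chmod a-w "$img"    # guard rail only: root can still write to it
    cd "$(dirname -- "$img")" || exit 1
    sha256sum "./$(basename -- "$img")" > "./$(basename -- "$img").sha256"
)

# verify_image IMG: succeed only if IMG still matches its manifest.
# Run it before and after every session with a rescue tool.
verify_image() (
    cd "$(dirname -- "$1")" || exit 1
    sha256sum -c "./$(basename -- "$1").sha256" >/dev/null 2>&1
)

# Usage with the command from the answer:
#   acquire_image local/disk.img ssh -C remoteserver dd if=/dev/theserverdisk bs=1M
#   verify_image local/disk.img && losetup --find --show --partscan --read-only local/disk.img
```
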
3

If you have access to another Linux/Unix/OSX etc machine, it might be possible to use sshfs to mount a remote folder and back up to that (instructions adapted from here).

  1. Install sshfs on the server

    yum install fuse sshfs
    

    You might have to enable the EPEL repo if not already enabled.

  2. Load the FUSE module (on the server)

    modprobe fuse
    
  3. Choose a directory from your home computer and mount that on the CentOS server

    redleon@local$ mkdir /remote_backup
    

    Now, on the remote server, run this

    mkdir /backup
    sshfs root@1.2.3.4:/remote_backup /backup
    

    You will need to change 1.2.3.4 to the actual IP of your local machine.

Once that is done, you will have a remote filesystem mounted locally and you can try to run ext4magic and tell it to back up to /backup. I cannot guarantee that it will work but it seems worth trying.

terdon
  • 242,166
2

You could try to use a tmpfs ramdisk for the recovery. This of course requires that you have enough free memory for the amount of data you want to recover.

Generally though, I think frostschutz's answer hits the nail on the head - "undeleting" rarely works. Let this be a lesson for you and make backups.

  • And undeleting a whole directory full of objects and subdirectory structure is going to be even more dicey than just handful of loose files. – Kaz Sep 19 '13 at 01:54
0

Many of you have belittled the victim here instead of answering the question. The victim has identified the system as being cloud based. Instead of assuming he deleted without a backup, why not assume there is a backup, and he needs to recover the directory from the backup? That's what you (the belittlers) would do if you had to undelete, isn't it?

If your system is hosted on a system that your ISP provides, they will do backups on a regular basis. You need to ask them the right question for them to understand and respond properly, but you should be able to RECOVER or RESTORE a directory from their backup. Some data might be lost, depending on the time of the last backup.

The answer here depends upon how the system is backed up, and how often. Cron and Tar is often used by small systems, and, because of its simplicity, many large systems use it too. There are other tools available, however.

If this is NOT a one man system, the likelihood is there is an IT department and a backup method in place. The IT department can help you, and you should go to them rather than trying to restore the folder/directory yourself.

If this is a home system and you ARE the IT department, and backups are strictly local, you may do backups with CRON and TAR. Check your CRON setup to see where you put your TAR files. Look in the tar file to get the exact path and name:

 tar -tvf <backup name>.tar

Untar it.

 tar -xvf <backup name>.tar <directory name>

Do a man tar for more info, or, of course, another google for tar and backup info.

Future considerations include other backup options, and a trash can type deletion instead of a real delete. A trash can type deletion involves making an alias for rm that moves items to a directory named "trash", rather than really deleting. You then empty it either with Cron or manually when you feel like it, or start getting low on space.
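
One way to build the trash-can deletion described in the paragraph above (and the delayed-delete idea from emory's comment under the question), as an added example that is not part of the original answer. TRASH_DIR, trash and trash_purge are hypothetical names; mktemp -d and find -mindepth/-maxdepth as provided by GNU and BSD tools are assumed.

```shell
#!/bin/sh
# Added example: "trash can" deletion in place of rm.
# TRASH_DIR, trash and trash_purge are names assumed for this sketch.
TRASH_DIR="${TRASH_DIR:-$HOME/.trash}"

# trash PATH...: move each path into a fresh batch directory under TRASH_DIR,
# keeping its absolute path so it can be moved straight back.
# Prints the batch directory; exit status 1 if any path could not be moved.
trash() (
    [ "$#" -gt 0 ] || { echo "usage: trash PATH..." >&2; exit 2; }
    mkdir -p "$TRASH_DIR" && chmod 700 "$TRASH_DIR" || exit 1
    batch=$(mktemp -d "$TRASH_DIR/$(date +%Y%m%dT%H%M%S).XXXXXX") || exit 1
    rc=0
    for item in "$@"; do
        name=$(basename -- "$item")
        case "$name" in     # same refusals rm makes, plus the root directory
            /|.|..) echo "trash: refusing '$item'" >&2; rc=1; continue ;;
        esac
        if [ ! -e "$item" ] && [ ! -L "$item" ]; then
            echo "trash: no such path '$item'" >&2; rc=1; continue
        fi
        parent=$(cd "$(dirname -- "$item")" && pwd -P) || { rc=1; continue; }
        mkdir -p "$batch$parent" && mv -- "$item" "$batch$parent/$name" || rc=1
    done
    printf '%s\n' "$batch"
    exit "$rc"
)

# trash_purge DAYS: really delete batches older than DAYS days (run from cron).
trash_purge() {
    find "$TRASH_DIR" -mindepth 1 -maxdepth 1 -type d -mtime +"$1" \
        -exec rm -rf -- {} +
}
```

Keep TRASH_DIR on the same filesystem as the data so that mv is a rename rather than a copy followed by a delete; a trash directory complements backups and does not replace them.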

0

"ext" family file systems do support certain undelete ability, which even sometimes works. Utilities like the following ones can be handy:

http://www.mynitor.com/2010/01/19/10-tools-to-recover-deleted-files-in-linux/

http://extundelete.sourceforge.net/

(I tried some of these myself with reasonable results).

oakad
  • 524