Theory + experiment: a deep understanding of the Linux file system and log analysis

1. Deep understanding of the Linux file system

1. Overview of inode and block

File data consists of meta-information and the actual content. Files are stored on the hard disk, whose smallest storage unit is the "sector"; each sector holds 512 bytes.

  • Eight consecutive sectors form a block (4 KB)
  • A block is the smallest unit of file access

inode (index node)

  • Translated into Chinese as "index node"; also called an i-node
  • Used to store a file's meta-information

2. Inode content

The inode contains most of a file's meta-information, but not the file name, for example:

  • File size
  • UserID of the file owner
  • GroupID of the file
  • File read, write, and execute permissions
  • File timestamp

Use the stat command to view the inode information of a file

[root@localhost ~]# stat anaconda-ks.cfg

Linux files have three main time attributes:

  • ctime (change time): the last time the file's or directory's attributes (inode) were changed
  • atime (access time): the last time the file or directory was accessed
  • mtime (modify time): the last time the file's or directory's content was modified

The structure of the directory file

  • A directory is also a kind of file
  • A directory file is a list of entries, each pairing a file name with its inode number

Each inode has a number, and the operating system identifies a file by its inode number, not by its file name. To the user, the file name is just a convenient alias for the inode number.

(1) The number of the inode

When a user accesses a file, it looks as if the file is opened by name, but internally the system goes through the following three steps:

  • The system finds the inode number corresponding to this file name
  • Get inode information by inode number
  • According to the inode information, find the block where the file data is located, and read the data

There are two common ways to view the inode number:

  • ls -i: directly shows the inode number corresponding to the file name
  • stat: shows the inode number as part of the file's inode information

[root@localhost ~]# stat anaconda-ks.cfg
or
[root@localhost ~]# ls -i anaconda-ks.cfg

Therefore, when a user tries to access a file, the system first looks up the inode corresponding to the file name and checks whether the user has permission to access it. If so, it follows the inode to the data blocks; if not, it returns "Permission denied".

The structure of a hard disk after partition is as shown in the figure below:
[figure: structure of a partitioned hard disk]

(2) Summary of file storage

[figure: summary of file storage]

(3) The size of the inode

Inodes also consume disk space, so when formatting, the operating system divides the partition into two areas: a data area, which stores file data, and an inode area, which stores the inode information. Each inode is generally 128 or 256 bytes. Normally you do not need to care about the size of a single inode, only about the total number of inodes, which is fixed at format time. Run "df -i" to view the total number of inodes on each partition and how many are already in use.

[root@localhost ~]# df -i

Because the inode number is separate from the file name, Unix/Linux systems show the following distinctive behaviour:

  • A file whose name contains special characters may be hard to delete by name; in that case it can be deleted via its inode number, which has the same effect
  • Moving or renaming a file only changes the file name and does not affect the inode number
  • Once a file is open, the system identifies it by inode number and ignores the file name

This makes software updates simple: an update can be applied without stopping the software or rebooting, because the system identifies the running file by inode number, not by file name. During the update, the new version is written under the same file name but gets a new inode, so the running file is unaffected. The next time the software is started, the file name already points to the new version, and the old version's inode is reclaimed.

3. Link files

There are two kinds of link files on a Linux system. One works like a Windows shortcut and quickly leads to the target file or directory; it is called a soft link. The other is not a new file at all but a new file name attached to the same inode in the file system; it is called a hard link.

[figure: soft link and hard link]

①Hard link

Generally, there is a one-to-one correspondence between file name and inode number, and each inode number corresponds to a file name. But the Linux system allows multiple file names to point to the same inode number. This means that you can access the same content with different file names.

The basic format of the hard link creation command is: ln source_file link_name

After running this command, the source file and the target file have the same inode number, and both point to the same inode. The "number of links" in the inode information will increase by 1.

When a file has multiple hard links, a change to the file content is visible through all of its names, but deleting one name does not affect access through another name; it only reduces the "number of links" in the inode by 1. Note that hard links to directories are not allowed.

If you use the mkdir command to create a new directory /app/kgc, its link count is 2: the directory's own name entry (kgc) in its parent is one hard link, and the hidden "." entry inside the directory, which refers back to the directory itself, counts as the other.

②Soft link

A soft link is a separate file whose data is the path of the file it points to. For example, file A and file B have different inode numbers, but the content of file A is the path of file B; when file A is read, the system automatically redirects the reader to file B. File A is then called a "soft link" or "symbolic link" to file B. This means file A depends on file B for its existence: if file B is deleted, opening file A reports an error. This is the biggest difference between soft links and hard links: file A points to the file name of file B, not to its inode number, so the "number of links" in file B's inode does not change.
The basic format of the soft link creation command is: ln -s source_file link_name
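The inode, hard link and soft link behaviour described in sections 2 and 3, plus the delete-by-inode trick from the list in section 2, exercised in a throwaway directory. This is an added example, not code from the original post; it assumes GNU coreutils and findutils (stat -c, find -inum -delete) on a Linux file system, and every path it touches is constructed under a mktemp directory.

```shell
#!/bin/sh
# Added example (not from the original post): exercise inode numbers, hard links,
# soft links and delete-by-inode in a scratch directory created with mktemp.
# Assumes GNU coreutils (stat -c) and GNU find (-inum, -delete) on Linux.
set -eu

WORK="$(mktemp -d)"            # constructed scratch directory, removed on exit
trap 'rm -rf "$WORK"' EXIT

inode_of() { stat -c %i "$1"; }   # inode number, the same value ls -i shows
links_of() { stat -c %h "$1"; }   # the "number of links" field of the inode

# Create an original file, a hard link (same inode) and a soft link (own inode).
setup_links() {
    rm -f "$WORK/orig" "$WORK/hard" "$WORK/soft"
    echo "payload" > "$WORK/orig"
    ln    "$WORK/orig" "$WORK/hard"     # a second name for the same inode
    ln -s "$WORK/orig" "$WORK/soft"     # a new inode whose content is the path
}

# Print "same" when two names share one inode, otherwise "different".
same_inode() {
    if [ "$(inode_of "$1")" = "$(inode_of "$2")" ]; then echo same; else echo different; fi
}

# Delete the original name, then report which links still read and the new link count.
delete_original() {
    rm "$WORK/orig"
    if cat "$WORK/hard" >/dev/null 2>&1; then hard=readable; else hard=broken; fi
    if cat "$WORK/soft" >/dev/null 2>&1; then soft=readable; else soft=broken; fi
    echo "hard=$hard soft=$soft links=$(links_of "$WORK/hard")"
}

# Remove a file whose name is awkward to type (it starts with "-") via its inode number.
delete_by_inode() {
    echo "x" > "$WORK/-awkward-name"
    find "$WORK" -maxdepth 1 -inum "$(inode_of "$WORK/-awkward-name")" -delete
    if [ -e "$WORK/-awkward-name" ]; then echo present; else echo gone; fi
}

setup_links
echo "orig vs hard: $(same_inode "$WORK/orig" "$WORK/hard")"   # same
echo "orig vs soft: $(same_inode "$WORK/orig" "$WORK/soft")"   # different
echo "link count:   $(links_of "$WORK/orig")"                   # 2
echo "after rm:     $(delete_original)"                          # hard=readable soft=broken links=1
echo "by inode:     $(delete_by_inode)"                          # gone
```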

4. EXT type file recovery

Deleting a file does not actually clear the inode or the data blocks; it removes the file's name from the parent directory's block. Linux controls file deletion through the link count: only when a file has no remaining links is it actually deleted.

In Linux operations and maintenance, we often run into file data lost through careless or mistaken operations, especially by novices at client enterprises. What is meant here is complete deletion, that is, data that cannot be retrieved from a "recycle bin", such as data removed with "rm -rf". For the EXT file systems under Linux, the available recovery tools are debugfs, ext3grep, extundelete, and so on. Among them, extundelete is an open source Linux data recovery tool that supports the ext3 and ext4 file systems.

After data is deleted by mistake, the first thing to do is to unmount the partition that held it. If the deleted data was on the root partition, boot the system into single-user mode and mount the root partition read-only. The reason is simple: deleting a file only clears the sector pointers in the file's inode, and the actual file content is still on the disk. If the disk stays mounted read-write, the data blocks of the deleted files may be reallocated by the operating system, and once those blocks are overwritten by new data, the data is really lost and the recovery tools can do little. Mounting the disk read-only therefore minimizes the risk of the data blocks being overwritten and raises the chance of a successful recovery.

Experiment

[root@localhost ~]# yum -y install e2fsprogs-devel e2fsprogs-libs
[root@localhost ~]# wget http://nchc.dl.sourceforge.net/project/extundelete/extundelete/0.2.4/extundelete-0.2.4.tar.bz2
[root@localhost ~]# tar -jxvf extundelete-0.2.4.tar.bz2
[root@localhost ~]# cd extundelete-0.2.4
[root@localhost extundelete-0.2.4]# ./configure --prefix=/usr/local/extundelete && make && make install
[root@localhost extundelete-0.2.4]# ln -s /usr/local/extundelete/bin/* /usr/bin/
[root@localhost ~]# fdisk -l
[root@localhost ~]# fdisk /dev/sdb                      ### enter fdisk and create a disk partition
[root@localhost ~]# mkfs.ext3 /dev/sdb1
[root@localhost ~]# mkdir /data/
[root@localhost ~]# mount /dev/sdb1 /data/ 
[root@localhost ~]# cd /data/ 
[root@localhost test]# echo a > a 
[root@localhost test]# echo b > b 
[root@localhost test]# echo c > c 
[root@localhost test]# echo d > d 
[root@localhost test]# ls
[root@localhost test]# rm -rf a b                      ### simulate the fault
[root@localhost ~]# umount /data/                      ### start the recovery
[root@localhost ~]# extundelete /dev/sdb1 --restore-all
[root@localhost ~]# ls
[root@localhost ~]# cd RECOVERED_FILES/
[root@localhost RECOVERED_FILES]# ls                   ### the deleted files a and b are listed here

5. xfs type file backup and recovery

The extundelete tool can only restore files on EXT file systems; it cannot restore files on xfs, which is the default file system in CentOS 7. There is currently no mature file recovery tool for xfs, so it is recommended to back up data in advance to avoid data loss.

Files on xfs can be backed up and restored with the xfsdump and xfsrestore tools. If they are not installed, install them with yum install -y xfsdump. xfsdump backs up an xfs file system in inode order. It has two kinds of backup level: 0 means a full backup, and 1-9 mean incremental backups; the default level is 0. The command format of xfsdump is: xfsdump -f <backup file location> <path or device file to back up>.

Commonly used backup parameters include the following:

  • -f: specify the backup file location;
  • -L: specify the session label;
  • -M: specify the media (device) label;
  • -s: back up a single file or subtree; the path given to -s is relative to the mount point of the file system, not an absolute path.

Experiment

[root@localhost ~]# fdisk /dev/sdb                                 ### enter fdisk and create a disk partition
[root@localhost ~]# partprobe /dev/sdb
[root@localhost ~]# mkfs.xfs /dev/sdb1
[root@localhost ~]# mkdir /date
[root@localhost ~]# mount /dev/sdb1 /date/
[root@localhost ~]# cd /date 
[root@localhost date]# cp /etc/passwd ./ 
[root@localhost date]# mkdir test 
[root@localhost date]# touch test/a 
[root@localhost date]# tree /date
[root@localhost ~]# xfsdump -f /opt/dump_sdb1 /dev/sdb1            ### back up the whole partition with xfsdump
please enter label for this dump session (timeout in 300 sec)
-> dump_sdb1                                                       ### specify the backup session label
please enter label for media in drive 0 (timeout in 300 sec)
-> sdb1                                                            ### specify the media label, i.e. a description of the device being backed up
[root@localhost ~]# xfsdump -I                                     ### view the backup information and contents
[root@localhost ~]# cd /date/                                      ### delete what was created earlier to simulate data loss
[root@localhost date]# ls
passwd test
[root@localhost date]# rm -rf ./* 
[root@localhost date]# ls 
[root@localhost ~]# xfsrestore -f /opt/dump_sdb1 /date/            ### start the restore
[root@localhost ~]# ls /date/

When using xfsdump, keep the following limitations in mind:

  • xfsdump cannot back up an unmounted file system, so only mounted file systems can be backed up;
  • xfsdump must be run with root privileges (it works at the file system level);
  • xfsdump can only back up XFS file systems;
  • The data (files or storage media) produced by xfsdump can only be read back by xfsrestore;
  • xfsdump distinguishes backups by the UUID of the file system, so two file systems with the same UUID cannot both be backed up.

2. Log file analysis

1. Log files

[figure: log files]

2. Kernel and system logs

[figures: kernel and system logs]

3. User log

[figure: user log]

4. Program log

[figure: program log]

5. Log management strategy

[figure: log management strategy]

Source: blog.csdn.net/ZG_66/article/details/107559563