Linux_inode, block, system log

1. Overview of inode and block

  • File data includes meta information and actual data
  • Files are stored on the hard disk. The smallest storage unit of the hard disk is the "sector". Each sector stores 512 bytes.
  • block
      - Eight consecutive sectors form a block (4K)
      - It is the smallest unit of file access
  • inode (index node)
      - Also called i-node
      - The area used to store file meta-information

File data includes actual data and meta-information (similar to file attributes). File data is stored in "blocks", and the area that stores file meta-information (such as file creator, creation date, file size, file permissions, etc.) is called inode. Therefore, a file must occupy one inode, and at least one block.

The inode does not contain the file name. The file name is stored in the directory. In Linux everything is a file, so a directory is also a kind of file.


Two. Inode content

1. inode contains the meta information of the file

  • The number of bytes of the file
  • User ID of the file owner
  • Group ID of the file
  • File read, write, and execute permissions
  • File timestamp

2. Use the stat command to view the inode information of a file

  • Example: stat aa.txt

3. Three main times of Linux system files

1. ctime (change time)

  • The last time the attributes of the file or directory were changed

2. atime (access time)

  • The last time the file or directory was accessed

3. mtime (modify time)

  • The last time the content of the file or directory was modified

4. The structure of the directory file

  • A directory is also a kind of file
  • The structure of the directory file

Each inode has a number, and the operating system uses the inode number to identify different files

The file name is not used internally in the Linux system, but the inode number is used to identify the file

For users, the file name is just another name for the inode number for easy identification


5. The number of the inode

When the user opens a file by its file name, the system internally does the following:
  • 1. The system finds the inode number corresponding to the file name
  • 2. It gets the inode information through the inode number
  • 3. According to the inode information, it finds the block where the file data is located and reads the data

How to check the inode number:
  • ls -i command: view the inode number corresponding to the file name
      - ls -i aa.txt
  • stat command: view the inode number in the file's inode information
      - stat aa.txt

6. The size of the inode
  • Inodes also consume hard disk space
      - The size of each inode is generally 128 bytes or 256 bytes
  • The total number of inodes is determined when the file system is formatted
  • Use the df -i command to view the total number of inodes and the number of inodes used for each hard disk partition

7. Special role of inode

Due to the separation of the inode number and the file name, some Unix/Linux systems have the following phenomena

  • When a file name contains special characters and the file cannot be deleted normally, you can delete it by its inode number instead; this removes the file as well
  • When moving or renaming a file, only the file name is changed without affecting the inode number
  • After opening a file, the system uses the inode number to identify the file, regardless of the file name
  • After the file data is modified, a new inode number will be generated

8. Two methods to delete files by inode number:

①: find ./ -inum 52305140 -exec rm -rf {} \;
②: find ./ -inum 50464299 -delete
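
An added example (not from the original post) that checks the behaviours listed under "Special role of inode" and the inode-based deletion above, using files constructed in a temporary directory. The helper names inum, same and inode_demo and all file names are hypothetical; it also shows that an in-place append keeps the inode, while replacing the file by rename yields a new one.

```sh
#!/bin/sh
# Added example: every file here is constructed in a throwaway temp directory.

inum() { ls -i "$1" | awk '{print $1}'; }        # inode number, as "ls -i" reports it
same() { [ "$1" = "$2" ] && echo same || echo changed; }

inode_demo() {
    d=$(mktemp -d) || return 1
    echo hello > "$d/aa.txt"
    orig=$(inum "$d/aa.txt")

    mv "$d/aa.txt" "$d/bb.txt"                    # rename: new name, same inode
    r_rename=$(same "$orig" "$(inum "$d/bb.txt")")

    echo more >> "$d/bb.txt"                      # write in place: same inode
    r_append=$(same "$orig" "$(inum "$d/bb.txt")")

    exec 3< "$d/bb.txt"                           # keep the old inode open on fd 3
    echo replaced > "$d/tmp" && mv "$d/tmp" "$d/bb.txt"   # save by replacement
    r_replace=$(same "$orig" "$(inum "$d/bb.txt")")
    read -r via_fd <&3                            # fd 3 still reads the old inode
    exec 3<&-

    # A name that is awkward to type: leading dash and a space (constructed).
    touch "$d/-rf tmp"
    n=$(inum "$d/-rf tmp")
    find "$d" -xdev -inum "$n" -delete            # remove it by inode number
    [ -e "$d/-rf tmp" ] && r_delete=present || r_delete=gone

    rm -rf "$d"
    echo "rename=$r_rename append=$r_append replace=$r_replace fd=$via_fd delete=$r_delete"
}

inode_demo
```

The -xdev option matters because inode numbers are unique only within one file system, so a bare find -inum over a tree that crosses mount points can match an unrelated file.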


Three. Handling inode exhaustion faults

# Use fdisk to create the partition /dev/sdb1, the partition size is 30M
fdisk /dev/sdb
mkfs.ext4 /dev/sdb1
mkdir /test
mount /dev/sdb1 /test
df -i
# Simulate an inode exhaustion failure
for ((i = 1; i <= 7680; i++)); do touch /test/file$i; done
df -i
df -hT
# Delete the files to recover
rm -rf /test/*
df -i
df -hT
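
An added example (not from the original post) of how to detect this condition before writes start failing: it flags file systems whose inode usage in df -i output is at or above a threshold, and lists the directories holding the most entries. The function names and the sample df output are constructed for illustration.

```sh
#!/bin/sh
# Added example; the df output below is constructed, not captured from a real host.

# inode_alert THRESHOLD: read "df -iP"-style text on stdin and print "mount use%"
# for every file system whose inode usage is at or above THRESHOLD percent.
inode_alert() {
    awk -v t="$1" 'NR > 1 && $5 ~ /^[0-9]+%$/ {
        use = $5; sub(/%/, "", use)
        if (use + 0 >= t + 0) print $6, $5
    }'
}

# top_inode_dirs DIR N: the N directories under DIR that hold the most entries,
# which is where to look when the inodes are gone. -xdev keeps find on one
# file system. Names containing newlines would be miscounted.
top_inode_dirs() {
    find "$1" -xdev ! -path "$1" | sed 's|/[^/]*$||' | sort | uniq -c |
        sort -rn | head -n "$2" | sed 's/^ *//'
}

# Constructed sample: /dev/sdb1 mirrors the 7680-file exhaustion simulated above.
sample_df() {
cat <<'EOF'
Filesystem     Inodes IUsed IFree IUse% Mounted on
/dev/sda1      524288 41022 483266   8% /
tmpfs               0     0     0     - /sys/fs/cgroup
/dev/sdb1        7680  7680     0  100% /test
EOF
}

sample_df | inode_alert 90
# On a live system: df -iP | inode_alert 90; top_inode_dirs /test 5
```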

The screenshots in the original post showed these steps in order: 1. add a new hard disk; 2. view the hard disk status; 3. partition and format the disk; 4. create the directory and mount; 5. simulate the inode exhaustion failure; 6. delete the files to recover.

4. Recovering EXT type files (how to recover files deleted by mistake)

1. EXT type file recovery

extundelete is an open source Linux data recovery tool that supports ext3 and ext4 file systems. (Ext4 can only be restored in centos6 version)

#Use fdisk to create partition /dev/sdc1, format ext3 file system
fdisk /dev/sdc
mkfs.ext3 /dev/sdc1
mkdir /test
mount /dev/sdc1 /test
df -hT

#Install dependency packages
yum -y install e2fsprogs-devel e2fsprogs-libs
#Compile and install extundelete
cd /test
wget http://nchc.dl.sourceforge.net/project/extundelete/extundelete/0.2.4/extundelete-0.2.4.tar.bz2
tar jxvf extundelete-0.2.4.tar.bz2
cd extundelete-0.2.4/
./configure --prefix=/usr/local/extundelete && make && make install
ln -s /usr/local/extundelete/bin/* /usr/bin/

#Simulate deletion and perform the recovery operation
cd /test
echo a>a
echo a>b
echo a>c
echo a>d
ls
extundelete /dev/sdc1 --inode 2
#Check which files exist in the file system /dev/sdc1. The i-node starts from 2, and 2 represents the first directory of the file system.

rm -rf a b
extundelete /dev/sdc1 --inode 2
#Leave /test so that it can be unmounted
cd ~
umount /test
extundelete /dev/sdc1 --restore-all
#Restore all contents under the /dev/sdc1 file system

#A RECOVERED_FILES/ directory appears in the current directory; it holds the recovered files
ls RECOVERED_FILES/

Screenshots in the original post (not reproduced here): disk partition; installing the dependency packages; creating a few files.

Five. xfs type file backup and recovery

CentOS 7 uses the xfs file system by default, and xfs file systems can be backed up and restored using the xfsdump and xfsrestore tools.
There are two kinds of backup level for xfsdump: 0 means full backup; 1-9 mean incremental backup. The default backup level of xfsdump is 0.
The command format of xfsdump is: xfsdump -f <backup storage location> <path or device file to be backed up>

Commonly used options of the xfsdump command:
-f: specify the backup file directory
-L: specify the session label
-M: specify the media label
-s: back up a single file; -s cannot be directly followed by the path

xfsdump usage restrictions:
1. Only a mounted file system can be backed up
2. You must use root privileges to operate
3. Only the XFS file system can be backed up
4. The data after the backup can only be analyzed by xfsrestore
5. You cannot back up two file systems with the same UUID (can be viewed with the blkid command)

Steps:

#Use fdisk to create partition /dev/sdb1, format xfs file system
fdisk /dev/sdb
partprobe /dev/sdb # refresh
mkfs.xfs [-f] /dev/sdb1 # format
mkdir /data
mount /dev/sdb1 /data/
cd /data
cp /etc/passwd ./
mkdir test
touch test/a

#Use the xfsdump command to back up the entire partition
rpm -qa | grep xfsdump
yum install -y xfsdump
xfsdump -f /opt/dump_sdb1 /dev/sdb1 [-L dump_sdb1 -M sdb1]

#Simulate data loss and use the xfsrestore command to restore files
cd /data/
rm -rf ./*
ls
xfsrestore -f /opt/dump_sdb1 /data/


Six. Log files
1. Log function
  • Used to record various events that occur during the operation of the system and programs
  • Reading the logs helps to diagnose and solve system failures
2. Classification of log files
  • Kernel and system logs
      - Managed uniformly by the system service rsyslog; the log formats are basically similar
      - Main configuration file: /etc/rsyslog.conf
  • User log
      - Records system user login and logout information
  • Program log
      - Log files managed independently by individual applications; the record format is not uniform
3. Log save location
  • The default location: /var/log directory
4. Introduction to main log files
  • Kernel and public message log: /var/log/messages
  • Scheduled task log: /var/log/cron
  • System boot log: /var/log/dmesg
  • Mail system log: /var/log/maillog
  • User login log:
      - /var/log/lastlog
      - /var/log/secure
      - /var/log/wtmp
      - /var/run/btmp
5. Some common log files:

1. Kernel and public message log:
/var/log/messages: records Linux kernel messages and public log information of various applications, including startup, I/O errors, network errors, program failures, etc. For applications or services that do not use a separate log file, you can generally obtain the related event records from this log file.


2. Scheduled task log:
/var/log/cron: record event information generated by crond scheduled task.

3. System boot log:
/var/log/dmesg: record various event information of the Linux system during the boot process.

4. Mail system log:
/var/log/maillog: record the e-mail activity entering or leaving the system.

5. User login log:
/var/log/secure: Record security event information related to user authentication.
/var/log/lastlog: Record the latest login events of each user (binary format).
/var/log/wtmp: Record each user login, logout and system startup and shutdown events (binary format).
/var/run/btmp: Record failed, wrong login attempts and verification events (binary format).

vim /etc/rsyslog.conf # View the rsyslog.conf configuration file

*.info # indicates that all messages of the info level and above are written to the corresponding log file
mail.none # indicates that the events of a given facility are not written to the log file (here, for example, mail)

6. Kernel and system logs
  • Unified management by the system service rsyslog
  • Package: rsyslog-7.4.7-16.el7.x86_64
  • Main program: /sbin/rsyslogd
  • Configuration file: /etc/rsyslog.conf
7. The level of log messages
Level number  Message   Level        Description
0             EMERG     urgent       Will cause the host system to be unavailable
1             ALERT     alert        Problems that must be resolved immediately
2             CRIT      serious      More serious situation
3             ERR       error        An error occurred during operation
4             WARNING   reminder     Events that may affect the function of the system
5             NOTICE    note         Will not affect the system but it is worth noting
6             INFO      information  General information
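
An added example (not from the original post, and not rsyslog's own code) that models how the selectors explained earlier, *.info and mail.none, combine with the level numbers in this table to decide whether a message reaches a log file. The function names are hypothetical, and only the facility.level, "*" and "none" forms joined by ";" are handled.

```sh
#!/bin/sh
# Added example: a simplified model of rsyslog selector matching.

# Level name -> number, following the table above; debug (7) is the standard
# syslog level below info and is not listed on the page.
sev_num() {
    case $1 in
        emerg) echo 0 ;; alert) echo 1 ;; crit) echo 2 ;; err) echo 3 ;;
        warning) echo 4 ;; notice) echo 5 ;; info) echo 6 ;; debug) echo 7 ;;
        *) return 1 ;;
    esac
}

# selector_logs SELECTORS FACILITY LEVEL -> prints "yes" or "no".
# Selectors are read left to right; a later "none" switches a facility off.
selector_logs() {
    msg=$(sev_num "$3") || return 2
    result=no
    old_ifs=$IFS; IFS=';'; set -f            # split on ";" without expanding "*"
    for sel in $1; do
        fac=${sel%%.*}; pri=${sel#*.}
        [ "$fac" = "*" ] || [ "$fac" = "$2" ] || continue
        case $pri in
            none) result=no ;;                # facility excluded from this file
            "*")  result=yes ;;               # every level of this facility
            *)    min=$(sev_num "$pri") || continue
                  [ "$msg" -le "$min" ] && result=yes ;;   # this level and more severe
        esac
    done
    IFS=$old_ifs; set +f
    echo "$result"
}

SEL='*.info;mail.none'                        # the two selectors explained above
for m in cron.err kern.debug mail.err mail.emerg; do
    echo "$m -> $(selector_logs "$SEL" "${m%%.*}" "${m#*.}")"
done
```

A lower number means a more severe message, so "info and above" covers levels 0 to 6, and mail.none drops even a mail.emerg message from that file.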
8. The format of the log

General format of log records


9. Analysis tools
  1. users, who, w, last, lastb
  2. The last command is used to query the user records that have successfully logged in to the system
  3. The lastb command is used to query user records that failed to log in
10. Log management strategy

1. Make timely backups and archives
2. Extend the log retention period
3. Control log access rights
  • Logs may contain all kinds of sensitive information, such as accounts, passwords, etc.
4. Centralized management of logs
  • Send the server's log files to a unified log file server
  • Facilitate unified collection, sorting and analysis of log information
  • Prevent accidental loss, malicious tampering or deletion of log information


Origin blog.csdn.net/Wsxyi/article/details/113783489