Linux file system and log analysis (inode, inode node exhaustion troubleshooting, file backup and recovery, log file management)

One, Overview of inode and block

1. Files and sectors

  • Files are stored on the hard disk. The smallest storage unit of the hard disk is called a "sector", and each sector stores 512 bytes.

2. Block

  • Generally, eight consecutive sectors form a "block". A block is 4K in size and is the smallest unit of file access.
  • When the operating system reads the hard disk, it reads several sectors at once, that is, one block at a time.

3. File data

  • File data includes actual data and metadata (similar to file attributes).
  • File data is stored in "blocks", and the area that stores file meta-information (such as file creator, creation date, file size, file permissions, etc.) is called inode.

Two, inode (index node)

  • A file must occupy one inode and at least one block.
  • The inode does not contain the file name. The file name is stored in the directory. Everything in a Linux system is a file, so a directory is also a kind of file.
  • Each inode has a number, and the operating system uses the inode number to identify different files. The file name is not used internally in the Linux system, but the inode number is used to identify the file. For the system, the file name is just another name for the easy identification of the inode number. The file name and the inode number have a one-to-one correspondence, and each inode number corresponds to a file name.

1. The content of the inode

■Inode contains the meta information of the file

  • The number of bytes of the file
  • User ID of the file owner
  • Group ID of the file
  • File read, write, and execute permissions
  • File timestamp

■Use the stat command to view the inode information of a file

  • Example: stat aa.txt
■ Three main time attributes of Linux system files

  • ctime (change time)    # the last time the file or directory (its attributes) was changed
  • atime (access time)    # the last time the file or directory was accessed
  • mtime (modify time)    # the last time the file or directory (its content) was modified

■ The structure of a directory file

  • A directory is also a kind of file
  • A directory file records, for each file name, the corresponding inode number

■Each inode has a number, and the operating system uses the inode number to identify different files

■The file name is not used inside the Linux system, but the inode number is used to identify the file

■For users, the file name is just another name for easy identification of the inode number

2. Inode number

■ What the system does internally when a user opens a file by its file name

  • The system finds the inode number corresponding to this file name
  • Get inode information by inode number
  • According to the inode information, find the block where the file data is located, and read the data

■How to check the inode number

  • ls -i command: view the inode number corresponding to a file name
    ls -i aa.txt
  • stat command: view the inode number within the file's inode information
    stat aa.txt

3. The size of the inode

■ Inodes also consume hard disk space

  • Each inode is generally 128 bytes or 256 bytes

■ The total number of inodes is fixed when the file system is formatted

■ Use the df -i command to view the total number of inodes on each partition and how many are already used

4. The special role of inode

Because the inode number is separate from the file name, Linux exhibits the following behaviour:

  • A file whose name contains special characters may not be deletable in the normal way; deleting it by its inode number removes the file instead;
  • Moving or renaming a file only changes the file name and does not affect the inode number;
  • Once a file is open, the system identifies it by its inode number and no longer cares about the file name.
  • After the file data is modified and saved, a new inode number will be generated.

5. Delete a file by its inode number

find ./ -inum 52305140 -exec rm -i {} \;
find ./ -inum 50464299 -delete

Demonstration (screenshot in the original post): the first command prompts before removing the matched file.
The second command is not demonstrated separately; it works the same way.
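The inode-based deletion above, as an added example that is not from the original post: it creates a file with an awkward name in a temporary directory, looks up its inode number with stat (the same value ls -i shows), and removes it with find -inum. GNU stat and find are assumed.

```shell
#!/bin/sh
# Added example (not from the original post): remove a file with an awkward
# name by locating it through its inode number. Everything happens in a
# temporary directory, so it is safe to run anywhere. Assumes GNU stat/find.
set -eu

# count_entries prints how many entries exist below directory $1.
count_entries() {
    find "$1" -mindepth 1 | wc -l | tr -d ' '
}

# delete_by_inode removes the entry with inode number $2 below directory $1.
# -xdev keeps find on one file system: inode numbers are only unique within
# a single file system, so the same number may exist on another mount.
delete_by_inode() {
    find "$1" -xdev -inum "$2" -delete
}

# Constructed sample: a name that begins with "-" and contains a space, the
# kind that "rm" misreads as options unless quoted and preceded by "--".
demo_dir=$(mktemp -d)
printf 'payload\n' > "$demo_dir/-odd name.txt"

# stat -c %i prints just the inode number (the same value "ls -i" shows).
inum=$(stat -c %i "$demo_dir/-odd name.txt")
before=$(count_entries "$demo_dir")

delete_by_inode "$demo_dir" "$inum"
after=$(count_entries "$demo_dir")
echo "inode $inum: entries before=$before after=$after"
rmdir "$demo_dir"
```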

Three, simulating inode exhaustion and handling the fault

Summary of steps

1. Use fdisk to create the partition /dev/sdb1; a 30M partition is enough
fdisk /dev/sdb
mkfs.ext4 /dev/sdb1   # an ext4 file system is used for this simulation
mkdir /test
mount /dev/sdb1 /test
df -i

2. Simulate inode exhaustion
for ((i=1; i<=7680; i++)); do touch /test/file$i; done
or:   touch {1..7680}.txt    # run from inside /test
df -i
df -hT

3. Delete the files to recover
rm -rf /test/*
df -i
df -hT

Demo (screenshots in the original post)

1. Use fdisk to create the partition /dev/sdb1, format and mount it
2. Simulate inode exhaustion
3. Delete the files to recover
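The df -i check from the steps above, turned into a small monitor as an added example (not from the original post): it reads IUse% for a path, warns before the limit is reached, and names the directory holding the most entries, which is where a runaway loop like the one simulated here leaves its files. GNU df and GNU find (-printf) are assumed.

```shell
#!/bin/sh
# Added example (not from the original post): spot an inode-exhaustion
# condition early and find the directory responsible. Assumes GNU df and
# GNU find (the -printf action).
set -eu

# inode_use_pct prints the IUse% of the file system holding $1 as a bare
# number; file systems that report "-" (no fixed inode table) count as 0.
inode_use_pct() {
    df -iP "$1" | awk 'NR == 2 { v = $5; sub("%", "", v)
                                 if (v !~ /^[0-9]+$/) v = 0; print v }'
}

# check_inodes returns 0 while inode use of $1 is below $2 percent, else 1.
# "No space left on device" while df -h still shows free blocks is the
# classic symptom of hitting this limit, so alert well before 100%.
check_inodes() {
    pct=$(inode_use_pct "$1")
    if [ "$pct" -ge "$2" ]; then
        echo "WARNING: $1 inode use ${pct}% >= ${2}%" >&2
        return 1
    fi
    echo "OK: $1 inode use ${pct}%"
}

# busiest_dir prints the directory below $1 (same file system) that holds
# the most entries; with a loop like "touch /test/file$i" that is where
# the thousands of tiny files live.
busiest_dir() {
    find "$1" -xdev -mindepth 1 -printf '%h\n' | sort | uniq -c |
        sort -rn | head -n 1 | sed 's/^ *[0-9]* //'
}

# Constructed sample tree standing in for the exhausted /test partition.
demo=$(mktemp -d)
mkdir "$demo/many" "$demo/few"
i=1
while [ "$i" -le 50 ]; do : > "$demo/many/file$i"; i=$((i + 1)); done
: > "$demo/few/file1"

check_inodes "$demo" 90 || true
echo "most entries under: $(busiest_dir "$demo")"
```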

Four, EXT file system recovery

extundelete is an open-source Linux data recovery tool that supports the ext3 and ext4 file systems (ext4 recovery only works on CentOS 6).

1. Use fdisk to create the partition /dev/sdb1 and format it as ext3
fdisk /dev/sdb
mkfs.ext3 /dev/sdb1
mkdir /test
mount /dev/sdb1 /test
df -hT

2. Install the dependency packages
yum -y install e2fsprogs-devel e2fsprogs-libs

3. Compile and install extundelete
cd /test                                         # change into the test directory
wget http://nchc.dl.sourceforge.net/project/extundelete/extundelete/0.2.4/extundelete-0.2.4.tar.bz2   # download the source from the official site
tar jxvf extundelete-0.2.4.tar.bz2               # unpack the tarball
cd extundelete-0.2.4/                            # change into the unpacked directory
./configure --prefix=/usr/local/extundelete && make && make install   # set the install directory and build
ln -s /usr/local/extundelete/bin/* /usr/bin/     # create symlinks so the system finds the command

4. Simulate a deletion and run the recovery
cd /test
echo a>a
echo a>b
echo a>c
echo a>d
ls
extundelete /dev/sdb1 --inode 2     # list the files on the /dev/sdb1 file system; inode numbers start at 2, and inode 2 is the root directory of the file system

rm -rf a b
extundelete /dev/sdb1 --inode 2
cd ~
umount /test                        # unmount first so nothing overwrites the blocks of the deleted files
extundelete /dev/sdb1 --restore-all     # recover everything on the /dev/sdb1 file system
# a RECOVERED_FILES/ directory appears in the current directory holding the recovered files
ls RECOVERED_FILES/

Demo (screenshots in the original post)
1. Create the partition /dev/sdb1 with fdisk, format it as ext3 and mount it
2. Install the dependency packages
3. Compile and install extundelete
4. Simulate deleting and recovering files

Five, XFS file system backup and recovery

  • CentOS 7 uses the xfs file system by default; xfs file systems can be backed up and restored with the xfsdump and xfsrestore tools.
  • xfsdump has two kinds of backup level: 0 means a full backup; 1-9 mean incremental backups. The default level is 0.

The xfsdump command format is:
xfsdump -f <backup destination> <path or device file to back up>

Restrictions of xfsdump:
1. Only mounted file systems can be backed up
2. Root privileges are required
3. Only XFS file systems can be backed up
4. The backup data can only be read back by xfsrestore
5. Two file systems with the same UUID cannot be backed up (check UUIDs with the blkid command)

Common xfsdump options:
-f    specify the backup destination
-L    specify the session label
-M    specify the media label
-s    back up a single file; -s cannot be followed directly by a path

Proceed as follows:

1. Use fdisk to create the partition /dev/sdb1 and format it as xfs
fdisk /dev/sdb
partprobe /dev/sdb
mkfs.xfs [-f] /dev/sdb1     # -f forces formatting when the partition already holds a file system
mkdir /data
mount /dev/sdb1 /data/
cd /data
cp /etc/passwd ./
mkdir test
touch test/a

2. Back up the whole partition with xfsdump
rpm -qa | grep xfsdump
yum install -y xfsdump
xfsdump -f /opt/dump_sdb1 /dev/sdb1 [-L dump_sdb1 -M sdb1]     # without -L and -M, xfsdump prompts for the labels interactively

3. Simulate data loss and restore the files with xfsrestore
cd /data/
rm -rf ./*
ls

xfsrestore -f /opt/dump_sdb1 /data/

Demo (screenshots in the original post)
1. Use fdisk to create the partition /dev/sdb1, format it as xfs and mount it
2. Use the xfsdump command to back up the whole partition
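Neither extundelete nor xfsrestore tells you whether what came back matches what was lost. As an added example (not from the original post) serving both recovery sections, the script below records a hash manifest before the loss and afterwards counts the files in the restore directory (RECOVERED_FILES/ or /data) that are missing or altered. GNU coreutils sha256sum, sort -z and xargs -0 are assumed.

```shell
#!/bin/sh
# Added example (not from the original post): check a recovery result against
# the data as it was before the loss. A hash manifest taken right after each
# backup lets you count what extundelete's RECOVERED_FILES/ or an xfsrestore
# into /data failed to bring back intact. Assumes GNU coreutils sha256sum.
set -eu

# make_manifest prints "hash  ./relative/path" for every regular file under
# directory $1. Store the output somewhere other than the file system itself.
make_manifest() {
    ( cd "$1" && find . -type f -print0 | sort -z | xargs -0 sha256sum )
}

# verify_recovery checks restore directory $2 against manifest $1 (absolute
# path) and prints the number of files that are missing or whose content
# differs; 0 means the recovery is complete.
verify_recovery() {
    ( cd "$2" && sha256sum -c --quiet "$1" 2>/dev/null ) | grep -c ': FAILED' || true
}

# Constructed sample: original data, then a restore with one damaged file and
# one file that did not come back.
orig=$(mktemp -d); restored=$(mktemp -d); manifest=$(mktemp)
printf 'a\n' > "$orig/a"; printf 'a\n' > "$orig/b"
mkdir "$orig/test"; printf 'x\n' > "$orig/test/c"
make_manifest "$orig" > "$manifest"

cp -R "$orig"/. "$restored"/
printf 'corrupt\n' > "$restored/b"
rm "$restored/test/c"
echo "files missing or altered: $(verify_recovery "$manifest" "$restored")"
```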

Six, system log

1. Log files

1.1 Log function

  • Used to record various events that occur during the operation of the system and programs
  • By reading the log, it is helpful to diagnose and solve system failures

1.2 Classification of logs

■Kernel and system log

  • Managed centrally by the system service rsyslog; the log formats are broadly similar
  • Main configuration file /etc/rsyslog.conf

■User log

  • Record system user login and logout related information
  • Main configuration file /var/log/secure

■ Program log
Log files managed independently by each application; the record format is not uniform

1.3 Default save location of system logs

System log files are placed in the directory /var/log/ by default

1.4 Some common log files

Kernel and public message log:
/var/log/messages: records Linux kernel messages and the public log information of various applications, including startup, I/O errors, network errors, program failures, etc.
For applications or services that do not use a separate log file, the relevant event records can generally be obtained from this file.

# Scheduled task log:
/var/log/cron: records events produced by crond scheduled tasks.

# System boot log:
/var/log/dmesg: records events during the Linux boot process.

# Mail system log:
/var/log/maillog: records e-mail activity entering or leaving the system.

# User login logs:
/var/log/secure: records security events related to user authentication.
/var/log/lastlog: records the most recent login event of each user. Binary format.
/var/log/wtmp: records each user's logins and logouts and system startup and shutdown events. Binary format.
/var/run/btmp: records failed and erroneous login attempts and authentication events. Binary format.

2. Kernel and system logs

■ Unified management by the system service rsyslog

  • Software package: rsyslog-7.4.7-16.el7.x86_64
  • Main program: /sbin/rsyslogd
  • Configuration file: /etc/rsyslog.conf

2.1 View the rsyslog.conf configuration file

vim /etc/rsyslog.conf    # view the rsyslog.conf configuration file
*.info;mail.none;authpriv.none;cron.none         /var/log/messages

*.info       # messages of level info and above, from every facility, are written to the corresponding log file
mail.none    # messages from this facility (here, mail) are not written to the log file

2.2 The level of log messages

Level  Priority             Description
0      EMERG (emergency)    Will cause the host system to be unavailable.
1      ALERT (alert)        Problems that must be resolved immediately.
2      CRIT (critical)      A more serious situation.
3      ERR (error)          An error occurred during operation.
4      WARNING (warning)    Important events that may affect system functions and should be brought to the user's attention.
5      NOTICE (notice)      Events that do not affect normal functions but require attention.
6      INFO (information)   General information.
7      DEBUG (debugging)    Program or system debugging information.

2.3 General format of log records

(Illustrated with a figure in the original post.)

3. User log analysis

■Save relevant information about user login and logout

  • /var/log/lastlog: recent user login events
  • /var/log/wtmp: user login, logout and system startup and shutdown events
  • /var/run/utmp: detailed information of each user currently logged in
  • /var/log/secure: security events related to user authentication

■Analysis Tools

  • users, who, w, last, lastb
  • The last command is used to query the user records that have successfully logged in to the system
  • The lastb command is used to query user records that failed to log in
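The failed-login view that lastb gives for btmp can be built for the text records in /var/log/secure as well. The script below is an added example, not from the original post; SAMPLE_SECURE is constructed from the sshd message format and uses documentation address ranges.

```shell
#!/bin/sh
# Added example (not from the original post): summarise failed logins from
# /var/log/secure-style sshd records, the text counterpart of "lastb".
# SAMPLE_SECURE is constructed; the addresses are documentation ranges.
set -eu

SAMPLE_SECURE='Feb  5 10:01:12 host sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Feb  5 10:01:15 host sshd[2201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Feb  5 10:02:40 host sshd[2210]: Accepted publickey for alice from 198.51.100.4 port 40110 ssh2
Feb  5 10:03:01 host sshd[2215]: Failed password for root from 192.0.2.9 port 33004 ssh2
Feb  5 10:03:05 host sshd[2215]: Failed password for root from 192.0.2.9 port 33005 ssh2
Feb  5 10:03:09 host sshd[2215]: Failed password for root from 192.0.2.9 port 33006 ssh2'

# failed_by_source reads log text on stdin and prints "count address" for
# every source with failed password attempts, busiest first. On a live box:
#   failed_by_source < /var/log/secure
failed_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
             for (i = 1; i <= NF; i++) if ($i == "from") src = $(i + 1)
             n[src]++
         }
         END { for (s in n) print n[s], s }' | sort -rn
}

# sources_over prints only the addresses whose failure count reaches $1,
# the threshold at which a defender would raise an alert.
sources_over() {
    failed_by_source | awk -v t="$1" '$1 >= t { print $2 }'
}

printf '%s\n' "$SAMPLE_SECURE" | failed_by_source
```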

4. Program log analysis

■ Independently managed by the corresponding application

■ Web service: /var/log/httpd/

  • access_log    // records client access events
  • error_log     // records error events

■Proxy service: /var/log/squid/

  • access.log, cache.log

■Analysis Tools

  • Text view, grep filter search, view in Webmin management suite
  • Text filtering, formatting and editing tools such as awk and sed
  • Webalizer, Awstats and other dedicated log analysis tools

5. Log management strategy

■Make backups and archives in time

■Extend the log retention period

■Control log access rights

  • Logs may contain various sensitive information, such as accounts, passwords, etc.

■ Centralized management of logs

  • Send the server's log file to the unified log file server
  • Facilitate the unified collection, sorting and analysis of log information
  • Prevent accidental loss, malicious tampering or deletion of log information


Origin blog.csdn.net/IHBOS/article/details/113664807