Linux file system and log analysis
- Overview of inodes and blocks
- inode (index node)
- Simulate inode node exhaustion fault handling
- EXT file recovery
- xfs type file backup and recovery
- System log
Overview of inodes and blocks
Files and sectors
Files are stored on the hard disk. The smallest storage unit of the hard disk is called a "sector". Each sector stores 512 bytes.
Block
Generally, eight consecutive sectors form a "block". A block is 4 KB in size and is the smallest unit of file access.
When the operating system reads the hard disk, it reads several sectors at once, that is, one block at a time.
File data
File data includes actual data and metadata (similar to file attributes)
File data is stored in "blocks", and the area that stores file meta-information (such as file creator, creation date, file size, file permissions, etc.) is called inode
inode (index node)
A file must occupy one inode and at least one block
The inode does not contain the file name. The file name is stored in the directory. Everything in a Linux system is a file, so a directory is also a kind of file
Each inode has a number, and the operating system uses the inode number to identify different files. The file name is not used internally in the Linux system, but the inode number is used to identify the file. For the system, the file name is just another name for the easy identification of the inode number. The file name and the inode number have a one-to-one correspondence, and each inode number corresponds to a file name.
inode content
inode contains the meta information of the file
The number of bytes of the file
User ID of the file owner
Group ID of the file
File read, write, and execute permissions
File timestamp
Use the stat command to view the inode information of a file
stat aa.txt
Three main time attributes of Linux system files
ctime (change time): the last time the attributes (inode metadata) of the file or directory were changed
atime (access time): the last time the file or directory was accessed
mtime (modify time): the last time the content of the file or directory was modified
The structure of a directory file
A directory is also a kind of file: it stores the file names, each paired with an inode number
Each inode has a number, and the operating system uses the inode number to identify different files
The file name is not used internally in the Linux system, but the inode number is used to identify the file
For users, the file name is just another name for the inode number for easy identification
inode number
When a user opens a file by its file name, the system goes through the following steps internally:
The system finds the inode number corresponding to this file name
Get inode information by inode number
According to the inode information, find the block where the file data is located, and read the data
How to check the inode number
ls -i command
View the inode number corresponding to the file name
ls -i aa.txt
stat command
View the inode number in the file inode information
stat aa.txt
inode size
Inode also consumes hard disk space
The size of each inode is generally 128 bytes or 256 bytes
The total number of inodes is fixed when the file system is formatted
Use the df -i command to view the total number of inodes and the number of inodes in use on each hard disk partition
Special role of inode
Because the inode number is separate from the file name, the Linux system shows the following particular behaviours:
- A file whose name contains special characters may not be deletable in the normal way; deleting the inode directly removes the file
- Moving or renaming a file only changes the file name and does not affect the inode number
- Once a file is open, the system identifies it by inode number and no longer cares about the file name
- After the file data is modified and saved, a new inode number will be generated
Delete a file by its inode number
find ./ -inum 52305140 -exec rm -i {} \;
find ./ -inum 50464299 -delete
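The name/inode separation described above, exercised in a throw-away directory, as an added example that is not part of the original page. It assumes GNU coreutils (stat -c) and GNU find; the file names aa.txt, bb.txt and cc.txt are constructed, and no root privileges are needed.

```shell
#!/bin/sh
# Added example: rename keeps the inode, a hard link shares it, and one name
# can be removed by inode number the way the page does with find -inum.
# Assumes GNU coreutils (stat -c) and GNU find (-delete).

# Print the inode number of a path.
inode_of() { stat -c %i "$1"; }

# Create a file, rename it, give it a second name (hard link), then delete
# one name by inode number. Runs in a subshell so no variables leak.
# Prints: same_inode=yes|no links=N after_delete=N
inode_demo() (
    dir=$(mktemp -d)
    echo hello > "$dir/aa.txt"
    before=$(inode_of "$dir/aa.txt")
    mv "$dir/aa.txt" "$dir/bb.txt"          # rename: only the directory entry changes
    after=$(inode_of "$dir/bb.txt")
    ln "$dir/bb.txt" "$dir/cc.txt"          # hard link: a second name for the same inode
    links=$(stat -c %h "$dir/bb.txt")       # link count stored in the inode
    # Remove only the cc.txt name; without -name, -inum would match both names.
    find "$dir" -inum "$before" -name cc.txt -delete
    remaining=$(stat -c %h "$dir/bb.txt")
    rm -rf "$dir"
    if [ "$before" = "$after" ]; then same=yes; else same=no; fi
    echo "same_inode=$same links=$links after_delete=$remaining"
)

inode_demo
```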
Simulate inode node exhaustion fault handling
The main steps
Use fdisk to create the partition /dev/sdb1, the partition size is 30M
fdisk /dev/sdb
mkfs.ext4 /dev/sdb1 #an ext4 file system is used for this simulation
mkdir /test
mount /dev/sdb1 /test
df -i
Simulate inode node exhaustion failure
for ((i=1; i<=7680; i++));do touch /test/file$i;done
#or: touch /test/{1..7680}.txt
df -i
df -hT
Clear the fault by deleting the files
rm -rf /test/*
df -i
df -hT
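A check for the condition the simulation above produces, added here as an example that is not part of the original page. The df -i output is constructed to match the 7680-inode /dev/sdb1 of the simulation; it was not captured from a real host.

```shell
#!/bin/sh
# Added example: flag file systems whose inode use is at or above a threshold.
# The sample below is constructed df -i output, not from a real host.

DF_I_SAMPLE='Filesystem     Inodes IUsed   IFree IUse% Mounted on
/dev/sda1     1310720 98211 1212509    8% /
/dev/sdb1        7680  7680       0  100% /test
tmpfs          230000   612  229388    1% /run'

# inode_pressure THRESHOLD: read "df -i" output on stdin and print
# "MOUNTPOINT IUSE% IFREE" for each file system at or above THRESHOLD percent inode use.
# An exhausted file system still shows free space in df -hT, which is why this
# check looks at inodes rather than blocks.
inode_pressure() {
    awk -v t="$1" 'NR > 1 {
        pct = $5; sub(/%$/, "", pct)          # strip the % sign so it compares numerically
        if (pct + 0 >= t + 0) print $6, $5, $4
    }'
}

# Against a live system use: df -Pi | inode_pressure 90   (-P keeps one line per entry)
printf '%s\n' "$DF_I_SAMPLE" | inode_pressure 90
```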
EXT file recovery
extundelete is an open source Linux data recovery tool that supports the ext3 and ext4 file systems (ext4 recovery only works on the CentOS 6 version).
Use fdisk to create partition /dev/sdb1, format ext3 file system
fdisk /dev/sdb
mkfs.ext3 /dev/sdb1
mkdir /test
mount /dev/sdb1 /test
df -hT
Install dependencies
yum -y install e2fsprogs-devel e2fsprogs-libs
Compile and install extundelete
cd /test #switch to the test directory
wget http://nchc.dl.sourceforge.net/project/extundelete/extundelete/0.2.4/extundelete-0.2.4.tar.bz2 #download the source from the official site
tar jxvf extundelete-0.2.4.tar.bz2 #unpack the tar archive
cd extundelete-0.2.4/ #switch to the unpacked directory
./configure --prefix=/usr/local/extundelete && make && make install #set the install directory and build
ln -s /usr/local/extundelete/bin/* /usr/bin/ #create symbolic links so the system finds the command
Simulate deletion and perform recovery operations
cd /test
echo a>a
echo a>b
echo a>c
echo a>d
ls
extundelete /dev/sdb1 --inode 2 #list the files in the /dev/sdb1 file system; inode numbers start at 2, and inode 2 is the root directory of the file system
rm -rf a b
extundelete /dev/sdb1 --inode 2
cd ~
umount /test
extundelete /dev/sdb1 --restore-all #recover everything in the /dev/sdb1 file system
#a RECOVERED_FILES/ directory appears in the current directory and holds the recovered files
ls RECOVERED_FILES/
xfs type file backup and recovery
CentOS 7 uses the XFS file system by default; XFS file systems can be backed up and restored with the xfsdump and xfsrestore tools
xfsdump has two kinds of backup levels: 0 means a full backup; 1-9 mean incremental backups. The default backup level of xfsdump is 0
Command format of xfsdump
xfsdump -f <backup destination> <path or device file to back up>
xfsdump usage restrictions
1. Only the mounted file system can be backed up
2. Must use root authority to operate
3. Only backup XFS file system
4. The data after the backup can only be parsed by xfsrestore
5. Two file systems with the same UUID cannot be backed up (you can use the blkid command to view)
Commonly used options of the xfsdump command
-f specifies the backup file location
-L specifies the session label
-M specifies the media (device) label
-s backs up a single file or subtree; the path given to -s is relative to the mount point, not an absolute path
The specific steps of xfs operation
Use fdisk to create partition /dev/sdb1, format xfs file system
fdisk /dev/sdb
partprobe /dev/sdb
mkfs.xfs [-f] /dev/sdb1 #-f forces formatting when the partition already contains a file system
mkdir /data
mount /dev/sdb1 /data/
cd /data
cp /etc/passwd ./
mkdir test
touch test/a
Use the xfsdump command to back up the entire partition
rpm -qa | grep xfsdump
yum install -y xfsdump
xfsdump -f /opt/dump_sdb1 /dev/sdb1 [-L dump_sdb1 -M sdb1]
Simulate data loss and use the xfsrestore command to restore files
cd /data/
rm -rf ./*
ls
xfsrestore -f /opt/dump_sdb1 /data/
System log
Log file
Log function
Used to record various events that occur during the operation of the system and programs
Reading the logs helps diagnose and resolve system failures
Classification of logs
Kernel and system logs
Managed centrally by the rsyslog system service; the log formats are largely uniform
Main configuration file /etc/rsyslog.conf
User log
Record system user login and logout related information
Main log file /var/log/secure
Program log
Log files managed independently by each application; the record format is not uniform
Default save location of system logs
System log files are placed in the directory /var/log/ by default
Some common log files
Kernel and public message log
/var/log/messages: records Linux kernel messages and the public log information of various applications, including startup, I/O errors, network errors, program failures, etc.
For applications or services that do not use a separate log file, related event records can generally be found in this log file.
Scheduled task log
/var/log/cron: Record event information generated by crond scheduled tasks.
System boot log
/var/log/dmesg: Record various event information of the Linux system during the boot process.
Mail system log
/var/log/maillog: Record the e-mail activity entering or sending out the system.
User login log
/var/log/secure: records security event information related to user authentication
/var/log/lastlog: records the most recent login event of each user; binary format
/var/log/wtmp: records each user login and logout and each system startup and shutdown; binary format
/var/log/btmp: records failed and erroneous login attempts and authentication events; binary format
Kernel and system logs
Unified management by the system service rsyslog
Package: rsyslog-7.4.7-16.el7.x86_64
Main program: /sbin/rsyslogd
Configuration file: /etc/rsyslog.conf
View the rsyslog.conf configuration file
vim /etc/rsyslog.conf #view the rsyslog.conf configuration file
*.info;mail.none;authpriv.none;cron.none /var/log/messages
*.info #all messages of level info and above, from every facility, are written to the log file on the right
mail.none #messages from the mail facility are not written to this log file (likewise authpriv.none and cron.none)
The level of the log message
| Level number | Priority | Description |
|---|---|---|
| 0 | EMERG (emergency) | Will cause the host system to be unavailable |
| 1 | ALERT (alert) | Problems that must be resolved immediately |
| 2 | CRIT (critical) | A serious situation |
| 3 | ERR (error) | An error occurred during operation |
| 4 | WARNING (warning) | Important events that may affect system functions and need to be brought to the user's attention |
| 5 | NOTICE (notice) | Events that do not affect normal functions but require attention |
| 6 | INFO (information) | General information |
| 7 | DEBUG (debugging) | Program or system debugging information, etc. |
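How a selector line such as the `*.info;mail.none;authpriv.none;cron.none` rule above decides which messages reach its log file, as an added example that is not part of the original page. It handles `*`, `none`, `=pri` and a plain priority (meaning that priority and above) and accepts facility lists like `mail,news.none`; the `!` exclusion form is not handled.

```shell
#!/bin/sh
# Added example: evaluate a legacy rsyslog selector against a message's
# facility and priority keyword. Priority numbers follow the level table.

# Numeric value of a priority keyword (0 = emerg ... 7 = debug).
prio_num() {
    case "$1" in
        emerg|panic) echo 0 ;;  alert) echo 1 ;;  crit) echo 2 ;;  err|error) echo 3 ;;
        warning|warn) echo 4 ;;  notice) echo 5 ;;  info) echo 6 ;;  debug) echo 7 ;;
        *) echo 99 ;;     # unknown keyword: never satisfies a level threshold
    esac
}

# rsyslog_matches SELECTOR FACILITY PRIORITY -> prints yes or no.
# Selectors are applied left to right: a matching level selects the facility,
# "none" deselects it again (so *.info;mail.none drops every mail message).
# Runs in a subshell so the IFS and "set -f" changes stay local.
rsyslog_matches() (
    selector=$1 fac=$2 result=no
    pnum=$(prio_num "$3")
    set -f                        # "*" in the selector must not expand to file names
    IFS=';'
    for sel in $selector; do
        facs=${sel%%.*}; pri=${sel#*.}
        case ",$facs," in
            *",*,"*|*",$fac,"*) ;;    # selector names this facility (or all facilities)
            *) continue ;;
        esac
        case "$pri" in
            none) result=no ;;
            '*')  result=yes ;;
            '='*) if [ "$pnum" -eq "$(prio_num "${pri#=}")" ]; then result=yes; fi ;;
            *)    if [ "$pnum" -le "$(prio_num "$pri")" ]; then result=yes; fi ;;
        esac
    done
    echo "$result"
)

rsyslog_matches '*.info;mail.none;authpriv.none;cron.none' kern warning   # yes
rsyslog_matches '*.info;mail.none;authpriv.none;cron.none' mail err       # no
```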
General format of log records
(Figure not included.) Each record consists of four fields: the time label, the host name, the subsystem name, and the message.
User log analysis
Relevant information about user login and logout is saved
/var/log/lastlog: recent user login events
/var/log/wtmp: user login, logout and system startup and shutdown events
/var/run/utmp: detailed information of each user currently logged in
/var/log/secure: security events related to user authentication
analyzing tool
users, who, w, last, lastb
The last command is used to query the user records that have successfully logged in to the system
The lastb command is used to query user records that failed to log in
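Two pieces of the user-log analysis just described, added here as an example that is not part of the original page: splitting a syslog record into the four fields named above, and counting failed sshd password attempts per source address in /var/log/secure. The log lines are constructed, not taken from a real host.

```shell
#!/bin/sh
# Added example: parse syslog record fields and count failed logins per source IP.
# SECURE_SAMPLE is constructed /var/log/secure content (hosts, IPs and PIDs are made up).

SECURE_SAMPLE='Mar  3 10:01:12 web1 sshd[2310]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Mar  3 10:01:15 web1 sshd[2310]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Mar  3 10:01:19 web1 sshd[2315]: Failed password for root from 203.0.113.5 port 51030 ssh2
Mar  3 10:02:01 web1 sshd[2320]: Accepted password for deploy from 198.51.100.7 port 40100 ssh2
Mar  3 10:02:40 web1 sshd[2331]: Failed password for root from 198.51.100.7 port 40111 ssh2
Mar  3 10:03:02 web1 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/ls'

# syslog_fields LINE: print time label, host name, subsystem name and message,
# tab-separated; the "[pid]" suffix and trailing ":" are stripped from the subsystem.
syslog_fields() {
    printf '%s\n' "$1" | awk '{
        ts = $1 " " $2 " " $3; host = $4; prog = $5
        sub(/:$/, "", prog); sub(/\[[0-9]+\]$/, "", prog)
        msg = $0
        for (i = 1; i <= 5; i++) sub(/^[^ ]+ +/, "", msg)   # drop the first five fields
        print ts "\t" host "\t" prog "\t" msg
    }'
}

# failed_logins_by_ip THRESHOLD: read /var/log/secure lines on stdin and print
# "IP COUNT" for each source with at least THRESHOLD failed sshd passwords, highest first.
failed_logins_by_ip() {
    awk -v t="$1" '
        /sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= t) print ip, n[ip] }
    ' | sort -k2,2nr
}

# Report sources with three or more failures in the sample (live use: failed_logins_by_ip 10 < /var/log/secure).
printf '%s\n' "$SECURE_SAMPLE" | failed_logins_by_ip 3
```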
Program log analysis
Independently managed by the corresponding application
Web service: /var/log/httpd/
access_log: records client access events
error_log: records error events
Proxy service: /var/log/squid/
access.log, cache.log
analyzing tool
Viewing as text, filtering with grep, or viewing in the Webmin management suite
Text filtering, formatting and editing tools such as awk and sed
Webalizer, Awstats and other dedicated log analysis tools
Log management strategy
Make timely backups and archives
Extend the log retention period
Control log access
Logs may contain various sensitive information, such as accounts, passwords, etc.
Centralized management of logs
Send each server's log files to a central log server
Facilitate the unified collection, sorting and analysis of log information
Prevent accidental loss, malicious tampering or deletion of log information