Foreword
Every time we execute the rm command on a production server environment, always nervous, because accidentally executed mistakenly deleted, then be prepared to run away, after all, people are not machines, not to mention the machine also has bug, huh, huh.
If you delete a file you really should not be deleted, such as database, log or execute files, you supposed to do? Information on how funeral, please carefully read this blog.
Simulation scenarios
1, delete
Accidentally deleted server directory / root / selenium / MySql.Data.dll file under Spider:
> rm -f /root/selenium/Spider/MySql.Data.dll
> ll /root/selenium/Spider/MySql.Data.dll
ls: cannot access /root/selenium/Spider/MySql.Data.dll: No such file or directory
2, recovery
(1), using the lsof command to see whether the current process open /root/selenium/Spider/MySql.Data.dll file:
> lsof | grep /root/selenium/Spider/MySql.Data.dll
As can be seen from the above, the current status of the file as deleted (deleted).
(2) to see if there is data recovery:
/ proc / 13067 / fd: file descriptor directory of the process operations.
86: file descriptor.
> cat /proc/13067/fd/86
(3), using the I / O redirection file recovery
> cat /proc/23778/fd/86 > /root/selenium/Spider/MySql.Data.dll
> ls -l /root/selenium/Spider/MySql.Data.dll
-rw-r--r-- 1 root root 702464 Feb 10 12:03 /root/selenium/Spider/MySql.Data.dll
Re-run the program:
File recovery instructions no problem.
Inquisitive
Through previous simulation scenarios that demonstrate the entire process of restoring the file, then what the principle is, under what circumstances, the file is recoverable.
In the Linux system, each running program has a host process isolated from each other, in order to / proc / process ID to reflect (on the nature of Linux is a file system), for example: LS the -l / proc / 13067 view the process as a PID 13067 of process information; when the program runs, the operating system will open up a special area of memory available to the current process used to rely on the file, the operating system will release a file descriptor to read and write files, when we execute rm -f when you delete a file, in fact, just removes the file's directory inode for a file system is not visible, but it is open for the process can still be seen, that you can still read and write files using the file descriptor previously issued, is the use of such a principle, so we can restore files using I O redirection mode /.
to sum up
如果不小心误删了文件,不要着急,首先使用 lsof 查看打开该文件的进程,然后再使用 cat /proc/进程号/fd/文件描述符 查看恢复数据,最后使用I/O重定向的方式来恢复文件。