forked from ianka/xfs_undelete
-
Notifications
You must be signed in to change notification settings - Fork 0
/
xfs_undelete.man
124 lines (103 loc) · 8.52 KB
/
xfs_undelete.man
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
'\" t
.TH xfs_undelete 8 "November 2020" "" "System Manager's Manual"
.SH NAME
xfs_undelete \- an undelete tool for the XFS filesystem
.SH SYNOPSIS
.B xfs_undelete
[
.B \-t
.I timespec
] [
.B \-r
.I filetypes
] [
.B \-i
.I filetypes
] [
.B \-z
.I filetypes
] [
.B \-o
.I output_directory
] [
.B \-s
.I start_inode
] [
.B \-m
.I magicfiles
] [
.B \--no-remount-readonly
]
.I device
.br
.B xfs_undelete -l
[
.B \-m
.I magicfiles
]
.SH DESCRIPTION
\fBxfs_undelete\fR tries to recover all files on an XFS filesystem marked as deleted. The filesystem is specified using the \fIdevice\fR argument which should be the device name of the disk partition or volume containing the filesystem.
You may also specify a date or age since deletion, and file types to ignore or to recover exclusively.
The recovered file cannot be undeleted in place and thus, it is stored on another filesystem in a subdirectory, by default \fIxfs_undeleted\fR relative to the current directory. The filename cannot be recovered and thus, it is put as the time of deletion, the inode number, and a guessed file extension. You have to check the recovered files you are interested in by hand and rename them properly. Also, the file length cannot be recovered and thus, the recovered files are padded with \fB\\0\fR characters up to the next xfs block size boundary. Most programs simply ignore those \fB\\0\fR characters but you may want to remove them by hand or automatically with the help of the \fB-z\fR option.
This tool does some sanity checks on the files to be recovered. That is to avoid "recovering" bogus petabyte sized sparse files. In addition, it does not recover anything unidentifiable (given you have the file utility installed) by default. Specify \fB-i\fR \fI""\fR on the command line if you want to recover those non-bogus but still unidentifiable files.
.SH OPTIONS
.TP
\fB\-t\fR \fItimespec\fR
Only recover files up to a maximum age. The \fItimespec\fR value may be a date as \fI2020-03-19\fR for undeleting any file deleted since March 19th, 2020, or \fI-2hour\fR for undeleting any file deleted since 2 hours before now. It accepts all values Tcl's [clock scan] function accepts. See \fBclock\fR(n). By default, deleted files of all ages are being recovered.
.TP
\fB\-T\fR \fItimespec\fR
Only recover files modified later than a certain time. This option is useful if you know the date of your latest backup. The \fItimespec\fR value may be a date as \fI2020-03-19\fR for undeleting any file modified after March 19th, 2020, or \fIyesterday\fR for undeleting any file modified since yesterday. It accepts all values Tcl's [clock scan] function accepts. See \fBclock\fR(n). By default, deleted files of all ages are being recovered.
.TP
\fB\-r\fR \fIfiletypes\fR
Only recover files with a filetype matching a pattern from this \fBcomma\fR-separated list of patterns. See section \fBFILETYPES\fR below. By default this pattern is * ; all files are being recovered, but also see the \fB-i\fR option.
.TP
\fB\-i\fR \fIfiletypes\fR
Ignore files with a filetype matching a pattern from this \fBcomma\fR-separated list of patterns. See section \fBFILETYPES\fR below. By default this list is set to \fIbin\fR ; all files of unknown type are being ignored, but also see the \fB-r\fR option.
.TP
\fB\-z\fR \fIfiletypes\fR
Remove trailing zeroes from files with a filetype matching a pattern from this \fBcomma\fR-separated list of patterns. See section \fBFILETYPES\fR below. By default this list is set to \fItext/*\fR ; all files of text/* mimetype have their trailing zeroes removed.
.TP
\fB\-o\fR \fIoutput_directory\fR
Specify the directory the recovered files are copied to. By default this is \fIxfs_undeleted\fR relative to the current directory.
.TP
\fB\-s\fR \fIstart_inode\fR
Specify the inode number the recovery should be started at. This must be an existing inode number in the source filesystem, as the inode trees are traversed until this particular number is found. This option may be used to pickup a previously interrupted recovery. By default, the recovery is started with the first inode existing.
.TP
\fB\-m\fR \fImagicfiles\fR
Specify an alternate list of files and directories containing magic. This can be a single item, or a \fBcolon\fR-separated list. If a compiled magic file is found alongside a file or directory, it will be used instead. This option is passed to the \fBfile\fR utility in verbatim if specified.
.TP
\fB\--no-remount-readonly\fR
This is a convenience option meant for the case you need to recover files from your root filesystem, which you cannot umount or remount read-only at the time you want to run \fIxfs_undelete\fR. The sane solution would be moving the harddisk with that particular file system to another computer where it isn't needed for operation.
If you refuse to be that sane, you have to make sure the filesystem was umounted or remounted read-only at least in the meantime by another means, for example by doing a reboot. Otherwise you won't be able to recover recently deleted files.
\fBUSE THIS OPTION AT YOUR OWN RISK.\fR
As the source filesystem isn't remounted read-only when you specify this option, you may accidentally overwrite your source filesystem with the recovered files. \fIXfs_undelete\fR checks if you accidentally specified your output directory within the mount hierarchy of your source filesystem and refuses to do such nonsense. However, automatic checks may fail, so better check your specification of the output directory by hand. Twice. It \fBmust\fR reside on a different filesystem.
.TP
\fB\-l\fR
Shows a list of filetypes suitable for use with the \fB-r\fR, \fB-i\fR, and \fB-z\fR options, along with common name as put by the \fBfile\fR utility.
.SH FILETYPES
The \fIfiletypes\fR as used with the \fB-r\fR, \fB-i\fR, and \fB-z\fR options are a \fBcomma\fR-separated list of patterns. Patterns of the form */* are matched against known mimetypes, all others are matched against known file extensions. The file extensions are guessed from the file contents with the help of the \fBfile\fR utility, so they don't neccessarily are the same the file had before deletion.
Start \fIxfs_undeleted\fR with the \fB-l\fR option to get a list of valid file types.
\fBNote:\fR you want to quote the list of filetypes to avoid the shell doing wildcard expansion.
.SH EXAMPLES
.BD -literal -offset indent
# cd ~ ; xfs_undelete /dev/mapper/cr_data
This stores the recovered files from /dev/mapper/cr_data in the directory ~/xfs_undeleted.
# xfs_undelete -o /mnt/external_harddisk /dev/sda3
This stores the recovered files from /dev/sda3 in the directory /mnt/external_harddisk.
# xfs_undelete -t 2020-03-19 /dev/sda3
This ignores files deleted before March 19th, 2020.
# xfs_undelete -t -1hour /dev/sda3
This ignores files deleted more than one hour ago. The -t option accepts all dates understood by Tcl’s [clock scan] command.
# xfs_undelete -i "" -t -2hour /dev/sda3
This recovers all files deleted not more than two hours ago, including "bin" files.
# xfs_undelete -r 'image/*,gimp-*' /dev/sda3
This only recovers files matching any image/ mimetype plus those getting assigned an extension starting with gimp-.
.ED
.SH TROUBLESHOOTING
When operating on devices, this program must be run as root, as it remounts the source filesystem read-only to put it into a consistent state. This remount may fail if the filesystem is busy e.g. because it's your \fI/home\fR or \fI/\fR filesystem and there are programs having files opened in read-write mode on it. Stop those programs e.g. by running \fIfuser -m /home\fR or ultimately, put your computer into single-user mode to have them stopped by init. If you need to recover files from your / filesystem, you may want to reboot, then use the \fB\--no-remount-readonly\fR option, but the sane option is to boot from a different root filesystem instead, for example by connecting the harddisk with the valueable deleted files to another computer.
You also need some space on another filesystem to put the recovered files onto as they cannot be recovered in place. If your computer only has one huge xfs filesystem, you need to connect external storage.
If the recovered files have no file extensions, or if the \fB\-r\fR, \fB\-i\fR, and \fB\-z\fR options aren't functional, check with the \fB-l\fR option if the \fBfile\fR utility functions as intended. If the returned list is very short, the \fBfile\fR utility is most likely not installed or the magic files for the \fBfile\fR utility, often shipped extra in a package named \fIfile-magic\fR are missing, or they don't feature mimetypes.
.SH SEE ALSO
\fBxfs\fR(5), \fBfuser\fR(1), \fBclock\fR(n), \fBfile\fR(1)
.SH AUTHORS
Jan Kandziora <jjj@gmx.de>