We have suffered an inadvertent "rm -rf" on the toplevel directory of
one of our filesystems, this disk being a backup disk that normally
holds gzipped tarfiles of our users' home directories. It was
immediately unmounted after the error, so no writes have been done to
the disk since the event.
The question is to whether or not it is even possible in theory to
reconstruct the filesystem. The consensus seems to be, "No" even though
both kernel books tout the design for allowing such recoveries.
We have the disk at an experience recovery shop. The technician sent me
the following note this morning after a night of apparent frustration:
> The version of the kernel that you have deletes the inode number from the directory when
> it deletes the file. This makes us lose the connection between the name and the data.
> So we have names and we have inodes which point to data but the connection between the 2
> is lost. This version also deletes the indirect block. These are the blocks that point to > 63kb sections of the file. Once a file gets over 12 blocks long (about 6k) the system the
> system stores the address pointers on the disk. In indirect blocks. Each indirect block
> points to 64kb of data. Anyway these are also zeroed out. I know of no other unix that
> zeros the indirect blocks. Most of the unix recoveries I have done is where the system is > corrupted and wont mount. I have also done unixes that have been deleted and used the
> indirect blocks to recover vast amounts of data. I didn't realize that linux zeroed the
> indirect blocks.
The worrisome part, of course, is the "I know of no other Unix that does
this."
Could someone who is in the know please provide me with a source,
perhaps, for the answer to this question?
Thanks.
B.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/