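Use lsof (list open files) to recover a deleted file without stopping the process!
Note that a process does not keep its configuration file open while it runs: it reads the file once at startup and has no need to read it again afterwards. This method therefore only works for files that the process still holds open, such as logs.
1. Find the processes that have the messages file open
[root@tianyun ~]# lsof    # list every file opened by every process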
[root@localhost ~]# ll /var/log/messages
-rw-------. 1 root root 2271683 Nov 17 13:31 /var/log/messages
[root@tianyun ~]# lsof |grep message
lsof: WARNING: can't stat() fuse.gvfsd-fuse file system /run/user/42/gvfs
Output information may be incomplete.
abrt-watc 751 root 4r REG 253,0 30056298 36565121 /var/log/messages
rsyslogd 1316 root 4w REG 253,0 30056298 36565121 /var/log/messages
in:imjour 1316 1322 root 4w REG 253,0 30056298 36565121 /var/log/messages
rs:main 1316 1323 root 4w REG 253,0 30056298 36565121 /var/log/messages
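Notes:
rsyslogd: the process name
1316: the PID of the process
4w: the file descriptor the process has opened (descriptor 4, opened for writing)
/var/log/messages: the file opened by the rsyslogd process
2. Back up the file, then simulate an accidental deletion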
[root@tianyun ~]# cp -rf /var/log/messages /var/log/messages.bak
[root@tianyun ~]# rm -rf /var/log/messages
3. Check the state of the messages file again with lsof
[root@tianyun ~]# lsof |grep message
lsof: WARNING: can't stat() fuse.gvfsd-fuse file system /run/user/42/gvfs
Output information may be incomplete.
rsyslogd 1316 root 4w REG 253,0 30063165 36565121 /var/log/messages (deleted)
in:imjour 1316 1322 root 4w REG 253,0 30063165 36565121 /var/log/messages (deleted)
rs:main 1316 1323 root 4w REG 253,0 30063165 36565121 /var/log/messages (deleted)
4. List the file descriptors (FD) of the corresponding process
[root@ansible-server log]# ll /proc/1316/fd
lr-x------ 1 root root 64 Mar 9 16:13 0 -> /dev/null
l-wx------ 1 root root 64 Mar 9 16:13 1 -> /dev/null
l-wx------ 1 root root 64 Mar 9 16:13 2 -> /dev/null
l-wx------ 1 root root 64 Mar 9 16:13 3 -> /var/log/messages (deleted)
l-wx------ 1 root root 64 Mar 9 16:13 4 -> /var/log/secure
5. View the file's contents through the file descriptor (descriptor 3 in the listing above)
[root@ansible-server log]# less /proc/1316/fd/3
6. Recover the deleted file through the file descriptor
[root@ansible-server log]# cp /proc/1316/fd/3 /var/log/messages
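Steps 3 to 6 as one script, added here as an example and not part of the original post: it scans /proc/PID/fd for targets marked "(deleted)" and copies the matching descriptor to a new path. The function names, fd 9 and the throwaway log in demo() are assumptions made for the illustration; the log content is constructed.

```shell
#!/usr/bin/env bash
# Added example: recover an unlinked file that a live process still holds open.

# Print "FD<TAB>original-path" for every descriptor of PID whose link target
# carries the kernel's " (deleted)" suffix.
find_deleted_fds() {
    local pid=$1 fd target
    for fd in /proc/"$pid"/fd/*; do
        target=$(readlink "$fd" 2>/dev/null) || continue
        case $target in
            *" (deleted)") printf '%s\t%s\n' "${fd##*/}" "${target%" (deleted)"}" ;;
        esac
    done
}

# Copy the deleted file PATH held by PID to DEST; never overwrite DEST.
recover_deleted() {
    local pid=$1 path=$2 dest=$3 fd
    fd=$(find_deleted_fds "$pid" |
         awk -F'\t' -v p="$path" '$2 == p { print $1; exit }')
    if [ -z "$fd" ]; then
        echo "pid $pid holds no deleted descriptor for $path" >&2; return 1
    fi
    if [ -e "$dest" ]; then
        echo "refusing to overwrite existing $dest" >&2; return 1
    fi
    cp -- "/proc/$pid/fd/$fd" "$dest"
}

# Constructed scenario: a background process holds a throwaway log open while
# the file is removed, then the content is recovered through /proc.
demo() {
    local dir log pid
    dir=$(cd "$(mktemp -d)" && pwd -P)
    log=$dir/app.log
    printf 'constructed line 1\nconstructed line 2\n' > "$log"
    exec 9< "$log"              # open in this shell ...
    sleep 60 > /dev/null &      # ... so the holder inherits fd 9 at fork
    pid=$!
    exec 9<&-
    rm -f "$log"
    recover_deleted "$pid" "$log" "$dir/recovered.log"
    kill "$pid"; wait "$pid" 2>/dev/null || true
    cat "$dir/recovered.log"
}

demo
```

The copy is a new file with a new inode: the running process keeps writing to the deleted one until it reopens its log, so the recovered file is a snapshot taken at copy time.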