Hello,
I accidentally deleted a very important .qcow2 file via the web interface. I am looking for ways to recover it.
I know I should backup, but I didn't. T_T
Physical server:
Guest:
I know the path of the deleted file is 'images/103/vm-103-disk-1.qcow2' and file size is exactly 200GB
What I've done:
Then I use extundelete
It failed, but now I know the inode no is 33234953
Now I attached the physical disk to a Linux Mint computer.
Then I use ext3grep to print the inode information
It says the oldest inode still in journal is older then the time I deleted the file. I think I still have a hope to restore the file.
Then I restore the inode
It output a file only 72GB, but the deleted file was exactly 200GB.
I mounted the 72Gb file in Linux
but it is empty
I also tried "photorec", "UFS Explorer" and "R-studio" (trail version), they all failed.
I don't know what can I do.
My questions:
Thank you in advance.
I accidentally deleted a very important .qcow2 file via the web interface. I am looking for ways to recover it.
I know I should backup, but I didn't. T_T
Physical server:
- Proxmox VE 3.4-11/6502936f
- 2 x WD 1TB SATA HDD, mdraid1
- file system is ext3 (created by Proxmox 2.x installer)
Guest:
- Win 2003R2 KVM with 3 QCOW2 disks on local storage
- I deleted one of the QCOW2 disk, which is a part of Windows's spanned volume, so I lost all data.
I know the path of the deleted file is 'images/103/vm-103-disk-1.qcow2' and file size is exactly 200GB
What I've done:
- I shutdown the guest from web interface, then 'remove' the QCOW2 disk because I want to change it from Virtio to IDE. Perhaps I clicked a wrong button, the disk was deleted instead of become Unused.
- I (almost) immediately reboot the physical server into single user mode.
Then I use extundelete
Code:
# extundelete --restore-file 'images/103/vm-103-disk-1.qcow2' /dev/mapper/pve-data WARNING: Extended attributes are not restored.
Loading filesystem metadata ... 6497 groups loaded.
Loading journal descriptors ... 25936 descriptors loaded.
Writing output to directory RECOVERED_FILES/
Unable to restore inode 33234953 (images/103/vm-103-disk-1.qcow2): No undeleted copies found in the journal.It failed, but now I know the inode no is 33234953
Now I attached the physical disk to a Linux Mint computer.
Then I use ext3grep to print the inode information
Code:
ext3grep --inode 33234953 /dev/mapper/pve-data
Running ext3grep version 0.10.1
No --ls used; implying --print.
WARNING: I don't know what EXT3_FEATURE_COMPAT_EXT_ATTR is.
Number of groups: 6497
Minimum / maximum journal block: 106398210 / 106431525
Loading journal descriptors... sorting... done
The oldest inode block that is still in the journal, appears to be from 1452683699 = Wed Jan 13 19:14:59 2016
Number of descriptors in journal: 25935; min / max sequence numbers: 17027181 / 17038553
Hex dump of inode 33234953:
0000 | a4 81 00 00 00 00 00 00 c4 9f 97 56 55 a1 97 56 | ...........VU..V
0010 | 55 a1 97 56 55 a1 97 56 00 00 00 00 00 00 00 00 | U..VU..V........
0020 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0030 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0040 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0050 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0060 | 00 00 00 00 34 2b ed e7 00 00 00 00 00 00 00 00 | ....4+..........
0070 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0080 | 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0090 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00a0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00b0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00c0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00d0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00e0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00f0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
Inode is Unallocated
Group: 4057
Generation Id: 3891079988
uid / gid: 0 / 0
mode: rrw-r--r--
size: 0
num of links: 0
sectors: 0 (--> 0 indirect blocks).
Inode Times:
Accessed: 1452777412 = Thu Jan 14 21:16:52 2016
File Modified: 1452777813 = Thu Jan 14 21:23:33 2016
Inode Modified: 1452777813 = Thu Jan 14 21:23:33 2016
Deletion time: 1452777813 = Thu Jan 14 21:23:33 2016
Direct Blocks: 0It says the oldest inode still in journal is older then the time I deleted the file. I think I still have a hope to restore the file.
Then I restore the inode
Code:
ext3grep --restore-inode 33234953 /dev/mapper/pve-dataIt output a file only 72GB, but the deleted file was exactly 200GB.
I mounted the 72Gb file in Linux
Code:
modprobe nbd max_part=63
qemu-nbd -c /dev/nbd0 disk1.qcow2
mount /dev/nbd0p1 /mnt/image/
ls -la /mnt/image/but it is empty
I also tried "photorec", "UFS Explorer" and "R-studio" (trail version), they all failed.
I don't know what can I do.
My questions:
- When PVE delete a file from the Web interface, does PVE zero-out the file or just delete the file with the "rm" command?
- Does anyone know other tools I should try?
Thank you in advance.