Undelete a qcow2 file

sxlderek

Hello,

I accidentally deleted a very important .qcow2 file via the web interface. I am looking for ways to recover it.

I know I should back up, but I didn't. T_T

Physical server:
  • Proxmox VE 3.4-11/6502936f
  • 2 x WD 1TB SATA HDD, mdraid1
  • file system is ext3 (created by Proxmox 2.x installer)

Guest:
  • Win 2003R2 KVM with 3 QCOW2 disks on local storage
  • I deleted one of the QCOW2 disks, which is part of a Windows spanned volume, so I lost all data.

I know the path of the deleted file is 'images/103/vm-103-disk-1.qcow2' and file size is exactly 200GB

What I've done:
  • I shut down the guest from the web interface, then 'removed' the QCOW2 disk because I wanted to change it from Virtio to IDE. Perhaps I clicked a wrong button; the disk was deleted instead of becoming Unused.
  • I (almost) immediately rebooted the physical server into single user mode.

Then I used extundelete

Code:
# extundelete --restore-file 'images/103/vm-103-disk-1.qcow2' /dev/mapper/pve-data
WARNING: Extended attributes are not restored.
Loading filesystem metadata ... 6497 groups loaded.
Loading journal descriptors ... 25936 descriptors loaded.
Writing output to directory RECOVERED_FILES/
Unable to restore inode 33234953 (images/103/vm-103-disk-1.qcow2): No undeleted copies found in the journal.

It failed, but now I know the inode number is 33234953

Now I attached the physical disk to a Linux Mint computer.

Then I used ext3grep to print the inode information

Code:
ext3grep --inode 33234953 /dev/mapper/pve-data
Running ext3grep version 0.10.1
No --ls used; implying --print.

WARNING: I don't know what EXT3_FEATURE_COMPAT_EXT_ATTR is.
Number of groups: 6497
Minimum / maximum journal block: 106398210 / 106431525
Loading journal descriptors... sorting... done
The oldest inode block that is still in the journal, appears to be from 1452683699 = Wed Jan 13 19:14:59 2016
Number of descriptors in journal: 25935; min / max sequence numbers: 17027181 / 17038553

Hex dump of inode 33234953:
0000 | a4 81 00 00 00 00 00 00 c4 9f 97 56 55 a1 97 56 | ...........VU..V
0010 | 55 a1 97 56 55 a1 97 56 00 00 00 00 00 00 00 00 | U..VU..V........
0020 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0030 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0040 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0050 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0060 | 00 00 00 00 34 2b ed e7 00 00 00 00 00 00 00 00 | ....4+..........
0070 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0080 | 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0090 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00a0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00b0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00c0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00d0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00e0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00f0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................

Inode is Unallocated
Group: 4057
Generation Id: 3891079988
uid / gid: 0 / 0
mode: rrw-r--r--
size: 0
num of links: 0
sectors: 0 (--> 0 indirect blocks).

Inode Times:
Accessed:       1452777412 = Thu Jan 14 21:16:52 2016
File Modified:  1452777813 = Thu Jan 14 21:23:33 2016
Inode Modified: 1452777813 = Thu Jan 14 21:23:33 2016
Deletion time:  1452777813 = Thu Jan 14 21:23:33 2016

Direct Blocks: 0

It says the oldest inode still in the journal is older than the time I deleted the file. I think I still have hope of restoring the file.

Then I restored the inode
Code:
ext3grep --restore-inode 33234953 /dev/mapper/pve-data

It output a file of only 72GB, but the deleted file was exactly 200GB.

I mounted the 72GB file in Linux

Code:
modprobe nbd max_part=63
qemu-nbd -c /dev/nbd0 disk1.qcow2
mount /dev/nbd0p1 /mnt/image/
ls -la /mnt/image/

but it is empty

I also tried "photorec", "UFS Explorer" and "R-studio" (trial version); they all failed.
I don't know what I can do.

My questions:
  • When PVE deletes a file from the Web interface, does PVE zero out the file or just delete the file with the "rm" command?
  • Does anyone know other tools I should try?
Any advice is welcome. This file is really important to me.

Thank you in advance.
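
An added example, not part of the original post: a decoder for the inode hex dump shown above, using the classic ext2/ext3 on-disk inode layout. It shows that this copy of inode 33234953 has a deletion time, size 0 and no block pointers, which is why extundelete has to find an older copy of the inode in the journal. The function names are hypothetical.

```python
import stat
import struct
from datetime import datetime, timezone

# First 128 bytes of inode 33234953, copied from the ext3grep dump in the post.
# In that dump only offsets 0x00-0x17 and 0x64-0x67 are non-zero.
RAW = bytearray(128)
RAW[0x00:0x18] = bytes.fromhex("a481000000000000c49f975655a19756"
                               "55a1975655a19756")
RAW[0x64:0x68] = bytes.fromhex("342bede7")

# Little-endian ext2/ext3 inode: fixed fields, i_block[15], i_generation,
# i_file_acl, i_size_high (upper 32 bits of the size for regular files).
INODE_FMT = "<HHIIIIIHHIII15IIII"
FIELDS = ("mode", "uid", "size_lo", "atime", "ctime", "mtime", "dtime",
          "gid", "links", "sectors", "flags", "osd1")

def parse_inode(raw):
    vals = struct.unpack_from(INODE_FMT, raw, 0)
    inode = dict(zip(FIELDS, vals[:12]))
    inode["block_ptrs"] = vals[12:27]  # 12 direct + 3 indirect pointers
    inode["generation"] = vals[27]
    inode["size"] = inode["size_lo"] | (vals[29] << 32)
    inode["mode_str"] = stat.filemode(inode["mode"])
    return inode

def recovery_assessment(inode):
    """Return (usable, reasons): can this inode copy alone locate the data?"""
    reasons = []
    if inode["dtime"]:
        when = datetime.fromtimestamp(inode["dtime"], timezone.utc)
        reasons.append(f"dtime set: deleted {when:%Y-%m-%d %H:%M:%S} UTC")
    if inode["size"] == 0:
        reasons.append("size is 0: file length is gone from this copy")
    if not any(inode["block_ptrs"]):
        reasons.append("all 15 block pointers are zero: no map to data blocks")
    usable = inode["size"] > 0 and any(inode["block_ptrs"])
    return usable, reasons

if __name__ == "__main__":
    ino = parse_inode(RAW)
    print(ino["mode_str"], "generation", ino["generation"])
    usable, reasons = recovery_assessment(ino)
    print("usable for recovery:", usable)
    for r in reasons:
        print(" -", r)
```

The same check applied to an older inode copy from the journal would show whether that copy still carries a non-zero size and block pointers.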
 
I can't imagine it would zero out the file, I'm sure it just removes the qcow file.
 
Dear, good day.

Something similar happened on a Proxmox 3.4 server; the 2 VMs were cleared by a power failure.

You may get some specialized support in this way, which will be given access to the computer.

Thank you.
David.