This topic describes how to use extundelete to restore data that was accidentally deleted. CentOS 7 is used in the examples.


You must have registered an Alibaba Cloud account before you follow the instructions provided in the tutorial. If not, create a new Alibaba Cloud account first.

Background information

In practice, data may be accidentally deleted. In this case, you need to restore the data quickly and effectively. Alibaba Cloud offers several ways to restore data, including the following ways:
  • In the ECS console, roll back snapshots or restore custom images to restore data.
  • Implement load balancing and high availability for your business by purchasing multiple instances. For more information, see What is Server Load Balancer?.
  • Use Object Storage Service (OSS) to store a large amount of data such as web pages, images, and videos. For more information, see What is OSS?.

There are multiple open source data recovery tools for Linux, such as debugfs, R-Linux, ext3grep, and extundelete. Although ext3grep and extundelete are both popular and adopt similar recovery techniques, extundelete has a higher performance. Linux systems do not have a Recycle Bin function built-in. You can install extundelete on Linux systems to restore data that has been deleted by accident.

extundelete can find and recover the deleted data by combining the inode information and logs to find the inode block. extundelete can recover deleted data from ext3 or ext4 partitions.

If you accidentally delete data, you must first detach the disk or disk partition on which the deleted data was stored. This is because after a file is deleted, the inode pointers of the file are cleared but the file will remain on the disk. If the disk is attached in read/write mode, data blocks of the deleted file may be reallocated by the operating system. After the data blocks are overwritten by new data, the original data will be lost completely and cannot be restored. To reduce the risk of data overwriting and improve chance of data restoration, you can store files on disks in read-only mode.
Note When you restore deleted data online, do not install extundelete on the disk where the deleted data was located. Otherwise, you may overwrite the data that you want to restore. Back up the disk by taking a snapshot before you perform any operations.
This topic is applicable to the following users:
  • Users who have accidentally deleted files from a disk and have not since performed write operations on the disk.
  • Users whose websites have low traffic and who have few ECS instances.
Required software releases: e2fsprogs-devel, e2fsprogs, gcc-c++, make (a utility for compiling and linking multi-file projects), and extundelete-0.2.4.
Note libext2fs 1.39 or later is required to run extundelete. However, to restore data from ext4 partitions, make sure that you have access to e2fsprogs 1.41 or later. You can run the dumpe2fs command and record the version of e2fsprogs.

The preceding releases were available at the time of writing. The versions that you download may be different in your actual running environment.


Perform the following operations to use extundelete to restore data that was deleted by accident:
  1. Step 1: Deploy extundelete
  2. Step 2: Use extundelete to stimulate the restoration process

Step 1: Deploy extundelete

Run the following commands to deploy extundelete:
yum -y install  bzip2  e2fsprogs-devel  e2fsprogs  gcc-c++  make    # Install related dependencies and libraries.
tar -xvjf extundelete-0.2.4.tar.bz2
cd extundelete-0.2.4                                # Go to the program directory.
./configure                                         # If the output in the following figure is generated, extundelete is installed.
Deploy extundelete
make && make install

At this point, the src directory appears. It contains an extundelete executable file and the corresponding path. The default path is usr/local/bin. The following step for data restoration is performed in the usr/local/bin directory.

Step 2: Use extundelete to stimulate the restoration process

Perform the following steps to use extundelete to stimulate the restoration process:

  1. Check the available disks and partitions of your ECS instance, and then format and partition the /dev/vdb disk. For more information, see Format a data disk for a Linux-based ECS instance.
    fdisk -l
    Check the available disks and partitions
  2. Attach the partitioned disk to the/zhuyun directory, create a file named hello in the /zhuyun directory, and then write test to the file.
    mkdir /zhuyun                                # Create the zhuyun directory.
    mount /dev/vdb1 /zhuyun                      # Attach the disk to the zhuyun directory.
    echo test > hello                            # Create a test file.
  3. Record the MD5 values of the hello file. The md5sum command is used to generate and verify the MD5 values of the file before and after deletion.
    md5sum hello
    Record the MD5 values of the file
  4. Delete the hello file in simulation mode.
    rm -rf hello
    cd ~
    fuser -k /zhuyun                     # Terminate the process tree that uses a specified partition. Skip this step if no resources are occupied.
  5. Detach a data disk.
    umount /dev/vdb1                     # Before you use any file restoration tool, unmount or mount the partitions to be restored in read-only mode to prevent their data from being overwritten.
  6. Use extundelete to restore the file.
    1. extundelete --inode 2 /dev/vdb1       # Query the content in a specified inode. The "2" indicates that the entire partition is queried. To query a directory, you can specify the inode and the directory. The deleted file and the inode are displayed.
      Restore the file
    2. /usr/local/bin/extundelete  --restore-inode 12  /dev/vdb1    # Restore the deleted file.
      At this point, the RECOVERED_FILES directory appears under the directory where the command is executed.Generate the restored file
  7. Run the md5sum command to check the MD5 value of the RECOVERED_FILES file after restoration.
    Check whether the MD5 values of the hello and RECOVERED_FILES files are the same. If they are, the data is restored.