[Novalug] fun with proc and recovering deleted files

Mark Smith mark@winksmith.com
Sun Mar 29 18:46:46 EDT 2015


I felt like sharing this thing I just did so here I am.  I accidentally
deleted a file that I was writing performance data to via sar,
but I didn't want to restart the job, but I really wanted the data.
There's probably a command to do it, but I don't know it so here I go...

Basically, I did a ps to find the sadc process.  Then I chdir'd to it's
process directory and looked at the file descriptor (fd) directory.
'ls -l' clearly showed the file deleted.  The proc driver uses symlinks
with descriptive text for this purpose.

I banged this script up in a few minutes. It may lose the last second
of data, but I can live with that.

	SOURCE=/proc/32296/fd/3
	TARGET=/sar/vprobe-3000Mbps.sa
	LAST=$TARGET.last
	TMP=/tmp/3000Mbps.sa

	while [ -r /proc/32296/fd/3 ]
	do
		#
		# noise
		#
		date

		#
		# snatch from the jaws of death
		#
		cat $SOURCE > $TMP || exit 1

		#
		# not sure how the end mode is gonna work, so be a bit insane about it.
		#
		if [ -s $TMP ]
		then
			mv $TARGET $LAST
			mv $TMP $TARGET
		fi

		#
		# pause and reflect
		#
		sleep 1
	done

I recovered perfectly fine data from a file that was deleted, but left
open by the sar process.  You may correctly point out that this changes
the performance data on the system, but I have multiple disks and I'm
only interested in the disk not being used by this script.

Of course this only works if the file is owned by you or you are root.

Anyway, just a bit of Monday fun.

-- 
Hei konā mai
Mark Smith
mark@winksmith.com



More information about the Novalug mailing list