>>> On 11/27/2008 at 8:10 AM, "van Sleeuwen, Berry" <[EMAIL PROTECTED]> wrote:
> Hello list,
>
> Last night we had to recover the root disk of one of our SLES9 machines.
> For some unknown reason part of the root disk has disappeared. In the
> end we have restored the disk from our backups but we still have no idea
> why this had happened. It looks like someone has removed selected files
> or directories. Some directories are still available, such as /bin or
> /boot but others have been partially or entirely removed. /etc contains
> some 40 files, var/log is gone, /var/spool still exists.
>
> Would it be possible to recover the data from the disk? Are there any
> tools available that can analyze and/or recover files? For instance the
> /var/log has vanished so if we could recover that perhaps it would give
> us some clue as to what happened.

The fact that you restored a bunch of files from backup makes that far less likely than if you had left the disk alone. However, you can do things like this:

dd if=/dev/dasda1 bs=512 count=20 | hexdump -C
dd if=/dev/dasda1 bs=512 count=20 skip=20 | hexdump -C
dd if=/dev/dasda1 bs=512 count=20 skip=40 | hexdump -C

and you'll get a hexadecimal dump with ASCII translation to the side. You can choose whatever blocksize you want, and whatever count you want. If you leave the count off, you'll dump the whole partition.

> Do you have any thoughts as to why a part of a filesystem can just
> disappear?

My first thought, based on your description, was some kind of human error on the part of a Linux sysadmin, or a z/VM systems programmer. Florian's suggestion that _part_ of the minidisk may have been overlaid could produce the results you're seeing. Since there's no way to know what parts of the file system are located on what cylinders (unless you've mapped them out beforehand), you could have files from any number of directories located in the same cylinder of disk space. If you have some sort of directory management tool, then this becomes less likely a cause, although not impossible.

Human error on the part of the Linux systems administrators would have been more likely to cause entire contents of directories to be deleted, not just parts of some, and all of others. Unless there is only one directory that has partial contents, and all the rest are entirely gone.

When the system was rebooted and the problem discovered, did you see any console messages about file system checks being run, or journals being recovered? If not, that would indicate the file systems had been unmounted during an orderly shutdown. If you did see them, it's possible someone forced the guest off and you were just unlucky enough to lose data.

Mark Post
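
Added example, not part of the original message: instead of paging through the partition 20 blocks at a time, search an image copy for text remnants and report which 512-byte block each one starts in, which is the value to pass to dd skip= for the hexdump view above. This goes beyond the fixed-window dumps in the reply; the function names, the sample image, its log lines and the syslog timestamp pattern are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original message). Run it against an image
# copy of the partition, e.g. one taken with dd if=/dev/dasda1 of=root.img.
BS=512   # same block size as the dd commands in the message

# Constructed pattern (an assumption): a classic syslog timestamp such as
# "Nov 26 23:14:02 ", the kind of text a lost /var/log would have held.
SYSLOG_RE='[A-Z][a-z]{2} [ 0-9][0-9] [0-9]{2}:[0-9]{2}:[0-9]{2} '

# find_blocks IMAGE [REGEX]
# Prints the number of every 512-byte block in which a match starts, one
# per line, sorted and deduplicated. Relies on grep -a -b -o (GNU grep).
find_blocks() {
    LC_ALL=C grep -a -b -o -E "${2:-$SYSLOG_RE}" "$1" |
        while IFS=: read -r offset rest; do
            echo $((offset / BS))
        done | sort -n -u
}

# dump_block IMAGE BLOCK [COUNT]
# The hexdump view from the message, positioned on a block find_blocks found.
dump_block() {
    dd if="$1" bs="$BS" skip="$2" count="${3:-1}" 2>/dev/null | hexdump -C
}

# make_sample IMAGE
# Builds a constructed 64-block image of zeros with made-up log lines in
# blocks 7 and 41, standing in for remnants left in unallocated space.
make_sample() {
    dd if=/dev/zero of="$1" bs="$BS" count=64 2>/dev/null
    printf 'Nov 26 22:58:40 linux01 su: session opened for user root\n' |
        dd of="$1" bs="$BS" seek=7 conv=notrunc 2>/dev/null
    printf '%s\n' 'Nov 26 23:14:02 linux01 sshd[4211]: Accepted password' \
                  'Nov 26 23:14:09 linux01 sshd[4211]: session closed' |
        dd of="$1" bs="$BS" seek=41 conv=notrunc 2>/dev/null
}

# Usage:
#   make_sample /tmp/sample.img
#   for b in $(find_blocks /tmp/sample.img); do dump_block /tmp/sample.img "$b"; done
```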