Re: I nuked my filesystem
Just want to close the loop. I ended up finding a backup of my mbox on a different machine with the disklabel in the insecurity update (thanks for the tip, Nick). I installed it on the disk and had access to everything except root! Out of curiosity, I generated a new disklabel for that same disk with disklabel -A and predictably, the offsets and sizes were all correct in that one too.

Thank you all for your wisdom and reorienting my week around proper backups.

Isaac

> To be clear: having overwritten the starting 5GB of sd1c,
> but not of the underlying sd0c, you still have the CRYPTO volume on
> sd0c which you can attach with bioctl, right?

If my ssd is sd0 and my bio(4) managed volume is sd1, then I dd'd over sd1 (all of sd1a, some of swap).

On Wed, Sep 27, 2023 at 6:16 PM Stuart Henderson wrote:
>
> On 2023-09-27, Isaac Meerleo wrote:
> > Thank you all for your replies. I needed to step away from my
> > computer last night so I apologize for the terse email.
> > sd0 is my physical hard disk with full disk encryption. I wrote a 5gb
> > iso over the beginning of sd1c (my softraid volume). I rebooted. I
> > installed openbsd on a separate drive, booted it, mounted the
> > encrypted volume, and hopelessly ran scan_ffs.
> >
> > After reading Stuart's advice, I will attempt to reinstall the
> > disklabel from scratch. I installed 7.2 on my second disk; the version
> > I used to do the initial install.
> > When I initially set up my disk, I used the auto partition defaults
> > which left me with a 300gb /home directory. Later, I expanded the
> > /home partition across the rest of the disk. When I recreate the
> > disklabel, should I let it auto partition and then grow the file
> > system like before? Or should I just set home to fill the rest of the
> > disk?
>
> Set it to fill the rest of the disk - don't run growfs on it again.
>
> I would be wanting to mount filesystems read-only and try to copy data
> off to another disk, then reinstall on the disk with damaged disklabel
> and copy back, rather than relying on the existing filesystems long-term.
Re: I nuked my filesystem
On 2023-09-27, Isaac Meerleo wrote:
> Thank you all for your replies. I needed to step away from my
> computer last night so I apologize for the terse email.
> sd0 is my physical hard disk with full disk encryption. I wrote a 5gb
> iso over the beginning of sd1c (my softraid volume). I rebooted. I
> installed openbsd on a separate drive, booted it, mounted the
> encrypted volume, and hopelessly ran scan_ffs.
>
> After reading Stuart's advice, I will attempt to reinstall the
> disklabel from scratch. I installed 7.2 on my second disk; the version
> I used to do the initial install.
> When I initially set up my disk, I used the auto partition defaults
> which left me with a 300gb /home directory. Later, I expanded the
> /home partition across the rest of the disk. When I recreate the
> disklabel, should I let it auto partition and then grow the file
> system like before? Or should I just set home to fill the rest of the
> disk?

Set it to fill the rest of the disk - don't run growfs on it again.

I would be wanting to mount filesystems read-only and try to copy data off to another disk, then reinstall on the disk with damaged disklabel and copy back, rather than relying on the existing filesystems long-term.
Re: I nuked my filesystem
On Sep 27 09:17:47, spritskills...@gmail.com wrote:
> Thank you all for your replies. I needed to step away from my
> computer last night so I apologize for the terse email.
> sd0 is my physical hard disk with full disk encryption. I wrote a 5gb
> iso over the beginning of sd1c (my softraid volume).
>
> > > I am using a CRYPTO RAID partition and luckily I'm smart enough not to
> > > nuke that.

To be clear: having overwritten the starting 5GB of sd1c, but not of the underlying sd0c, you still have the CRYPTO volume on sd0c which you can attach with bioctl, right?

Can you please confirm with disklabel -pg sd0 and bioctl?

> I rebooted. I
> installed openbsd on a separate drive, booted it,
> mounted the encrypted volume,

You mean attached it at softraid0 with bioctl(8), not "mounted" anything as in mount(8)ing a filesystem, right?
Re: I nuked my filesystem
Thank you all for your replies. I needed to step away from my computer last night so I apologize for the terse email.

sd0 is my physical hard disk with full disk encryption. I wrote a 5gb iso over the beginning of sd1c (my softraid volume). I rebooted. I installed openbsd on a separate drive, booted it, mounted the encrypted volume, and hopelessly ran scan_ffs.

After reading Stuart's advice, I will attempt to reinstall the disklabel from scratch. I installed 7.2 on my second disk; the version I used to do the initial install.

When I initially set up my disk, I used the auto partition defaults which left me with a 300gb /home directory. Later, I expanded the /home partition across the rest of the disk. When I recreate the disklabel, should I let it auto partition and then grow the file system like before? Or should I just set home to fill the rest of the disk?

On Wed, Sep 27, 2023 at 5:43 AM Stuart Henderson wrote:
>
> On 2023-09-27, sprits killshot wrote:
> > I did the thing.
> > dd'd a 5gb img to my ssd instead of my usb and I want to die.
> >
> > dd if=file.iso of=/dev/sd1c
> >
> > I am using a CRYPTO RAID partition and luckily I'm smart enough not to
> > nuke that.
> >
> > My ssd is 2TB so I believe it uses FFS2 by default. I'm hopelessly
> > running scan_ffs on it in case it was silently updated or the man is
> > wrong or there's a God.
> >
> > Any advice on how to recover what's left?
>
> With a typical softraid FDE setup, not going too far from the defaults,
> this likely means that the partition table, disklabel, root partition
> and swap on the softraid volume were overwritten, but other partitions
> might be ok if you can find them.
>
> If you don't have a copy of the disklabel stored away somewhere,
> current options are probably
>
> - port the scan_ffs ffs2 support from netbsd
>
> - hack things up so you can get something out of our scan_ffs as in
> https://marc.info/?l=openbsd-misc&m=167702020925723
>
> (as shown in Matthew's mail, your initial target with either of these
> should be /var/backups/disklabel.sd1.* so you can restore it and skip
> scanning for other filesystems)
>
> - brute-force likely locations for /var (try on 1G boundaries) with the
> read-only mount approach from that mail
>
> - try to recreate disklabel from scratch (*if* you accepted auto
> partition defaults when installing, you might be able to recreate them
> by using disklabel from the same OpenBSD version as you used to install
> with auto-partitioning again, but the default sizes have changed over
> time, so that will only help if you know the version).
>
Re: I nuked my filesystem
On Tue, Sep 26, 2023 at 11:14:15PM -0400, Nick Holland wrote:
> To recover sd1e, you need to recreate a disklabel that matches what
> was there before...exactly. To the sector.

Re-creating the disklabel is obviously the primary focus in these situations - the data which has been overwritten is gone if it's not backed up elsewhere, but non-overwritten stuff can potentially be recovered.

One piece of advice, which is sadly probably too late for this particular case, but very, very useful to know and remember for the future:

* The kernel keeps its working copy of the disklabel in memory. *

If you know this in advance, what this means is that if you overwrite a raw disk device and realise what you've done, just keep cool. Immediately hit ^C, and invoke disklabel.

Since you were dd'ing to a raw device, you were likely already logged in as root and doing other things related to partitioning, etc. Even if you've overwritten the boot and root partitions, things like ksh and the disklabel binary are likely in the buffer cache.

If you can get in to disklabel and display the label for the trashed disk, then note it down somewhere, even if that means writing it down on paper.

Having this information is the key to any recovery of data that was not overwritten.
Re: I nuked my filesystem
On 2023-09-27, sprits killshot wrote:
> I did the thing.
> dd'd a 5gb img to my ssd instead of my usb and I want to die.
>
> dd if=file.iso of=/dev/sd1c
>
> I am using a CRYPTO RAID partition and luckily I'm smart enough not to
> nuke that.
>
> My ssd is 2TB so I believe it uses FFS2 by default. I'm hopelessly
> running scan_ffs on it in case it was silently updated or the man is
> wrong or there's a God.
>
> Any advice on how to recover what's left?

With a typical softraid FDE setup, not going too far from the defaults, this likely means that the partition table, disklabel, root partition and swap on the softraid volume were overwritten, but other partitions might be ok if you can find them.

If you don't have a copy of the disklabel stored away somewhere, current options are probably

- port the scan_ffs ffs2 support from netbsd

- hack things up so you can get something out of our scan_ffs as in
  https://marc.info/?l=openbsd-misc&m=167702020925723

(as shown in Matthew's mail, your initial target with either of these should be /var/backups/disklabel.sd1.* so you can restore it and skip scanning for other filesystems)

- brute-force likely locations for /var (try on 1G boundaries) with the read-only mount approach from that mail

- try to recreate disklabel from scratch (*if* you accepted auto partition defaults when installing, you might be able to recreate them by using disklabel from the same OpenBSD version as you used to install with auto-partitioning again, but the default sizes have changed over time, so that will only help if you know the version).
Re: I nuked my filesystem
On Sep 26 21:42:02, spritskills...@gmail.com wrote:
> I did the thing.
> dd'd a 5gb img to my ssd instead of my usb and I want to die.
> dd if=file.iso of=/dev/sd1c

At this point, you are supposed to tell what your disk layout is (or was :-). Is sd1 your boot disk? What partitions did it contain? Or is sd0 where your system is installed? In particular, do you still have /etc and /var/backups ?

> I am using a CRYPTO RAID partition
> and luckily I'm smart enough not to nuke that.

Pray tell, what is that unnuked partition? Is that where your untouched base system still lives?

> My ssd is 2TB so I believe it uses FFS2 by default.

newfs makes FFS2 by default regardless of the size.

> I'm hopelessly running scan_ffs on it

So you still have /sbin/scan_ffs, so you still have /sbin. What else do you still have? How exactly are you running scan_ffs?

> in case it was silently updated
> or the man is wrong

Meaning this?

    scan_ffs works only on FFS file systems, not FFS2 file systems.

(I have no idea.)

> or there's a God.

There's no God. There's only backup.

> Any advice on how to recover what's left?

First you have to show what actually is left, i.e. what parts of the system are still available. Was sd1 a big /data disk such as /home, with the base system living elsewhere?
Re: I nuked my filesystem
> But yeah. You need a good backup.
> here's mine: https://holland-consulting.net/scripts/ibs/
> ksh shell script + rsync + another computer and big disk.

I personally use rdiff. Eheh, I'm interested to know if anyone has a sad story about rdiff?

Thanks,
--
Daniele Bonini

Sep 27, 2023 05:17:35 Nick Holland:
> But yeah. You need a good backup.
> here's mine: https://holland-consulting.net/scripts/ibs/
> ksh shell script + rsync + another computer and big disk.
Re: I nuked my filesystem
On 9/26/23 21:42, sprits killshot wrote:
> I did the thing.
> dd'd a 5gb img to my ssd instead of my usb and I want to die.
>
> dd if=file.iso of=/dev/sd1c
>
> I am using a CRYPTO RAID partition and luckily I'm smart enough not to
> nuke that.
>
> My ssd is 2TB so I believe it uses FFS2 by default. I'm hopelessly
> running scan_ffs on it in case it was silently updated or the man is
> wrong or there's a God.

ok...so the first 5G of sd1 is gone. So most likely, all file systems that have any bit of them in that first 5g are not practically recoverable. (here's the sad bit -- if you were trying to steal info like credit card numbers or personal ID numbers, there's probably lots still accessible, but for your uses, just consider all partitions that start in the first 5G gone. BUT ... everything after that has potential.

Put in pictures ...

* If you have one big 2TB partition, stop reading now, you can start crying, and wish you had a good backup system in place.

    ==> sd1a: 2000GB   # Practically speaking, gone. Too much clobbered.

* If you have multiple partitions and some of them start after 5GB, you might be in luck. Let's say you have three partitions:

    (start of disk)
    ==> sd1a: 4GB      # Totally gone.
    ==> sd1d: 500GB    # Practically gone. Too much clobbered.
    ==> sd1e: 1496GB   # untouched.

(note: the letter orders don't matter, it's the starting offsets that matter to you. If you put the 1.5TB sd1e at the front of the disk, and sd1a and sd1d after it, sd1a and sd1d are untouched, but sd1e is not (practically) recoverable.)

To recover sd1e, you need to recreate a disklabel that matches what was there before...exactly. To the sector.

Now..I see you clobbered sd1c, not sd0c. With a bit of luck, perhaps sd0 (or at least, not sd1!) is where your /var partition is, and with a little more luck, you have left your machine on over night enough times to let /etc/daily run and save your butt.

[edit: just realized sd1 is probably your softraid encrypted drive, so you probably lost your /var. But maybe you have a copy somewhere]

Take a look in /var/backups/ for disklabel.sd1*. IF they exist, they are backups of exactly the disklabel that was on that disk when they were made. Hopefully, that is recent enough for you.

Drop a new MBR (or EFI) on sd1 with fdisk, then import that disklabel (disklabel -e sd1, clear it, ":r /var/backups/disklabel.sd1.current", write it, quit), and you should be in business -- your un-nuked partitions will become immediately available (but sd1a and sd1d will not be "formatted" for you at this point).

Note: I haven't done exactly this, but I think it will work, based on doing enough things with OpenBSD disk layout that I think I know what you can get away with. Practicing on a spare system would be advisable.

Now...what if that /var/backups directory doesn't contain a disklabel backup? Well, you MIGHT still be in business. OpenBSD disk layout stuff is very predictable. IF you know how your disk was originally laid out and you repeat that process, you will end up in the same place again.

For example, if you know that you created a 4GB partition, a 500GB partition, and then the rest of the disk as a third partition, AND you know the disk was created using an MBR layout, you can probably:

    fdisk -iy sd0
    disklabel -E sd0
    > create 1G partition
    > create 500G partition
    > create "rest of disk" partition

And...most likely, that 1G partition would be where it was before, the 500G would be where it was, and (ta-da) your "rest of disk" partition would be exactly where it was.

Exception: a number of years ago, OpenBSD changed the default starting offset from 63 sectors to 64 sectors to better handle 4k block drives. You will need exactly the correct offset. Assuming your disks were set up at the same time, your sd0 would be a good guide there.

I just reread your note and realize that you might be saying that sd1 is an encrypted disk. In which case, all the above applies, BUT you probably can't see your /var partition, so you might be out of luck. But if you know how it was created (and your daily output e-mails might be of use there), you might get lucky recreating the disklabel.

You might want to start by imaging the remains of the disk to another drive before going any further so you can try again if you guess wrong.

But yeah. You need a good backup.
here's mine: https://holland-consulting.net/scripts/ibs/
ksh shell script + rsync + another computer and big disk.

Nick.
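
The rule in the message above (what matters is each partition's starting offset relative to the overwritten region) can be checked against a saved disklabel, such as a /var/backups/disklabel.sd1.* copy. This is an added example, not part of the thread: the label text is constructed, and the function names and the 5 GiB size assumed for the image are assumptions.

```sh
#!/bin/sh
# Classify the partitions of a saved disklabel against an overwrite that
# started at sector 0 of the same device (dd if=file.iso of=/dev/sd1c).
# usage: classify_label OVERWRITTEN_BYTES < disklabel-text
classify_label() {
    awk -v wiped_bytes="$1" '
        BEGIN { secsize = 512 }                 # fallback if the header line is missing
        $1 == "bytes/sector:" { secsize = $2 + 0 }
        # partition rows look like:  a:  <size>  <offset>  <fstype> ...
        $1 ~ /^[a-p]:$/ && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ {
            part = substr($1, 1, 1)
            if (part == "c") next               # c is the whole disk, not a filesystem
            limit = wiped_bytes / secsize       # first sector that was not overwritten
            start = $3 + 0
            stop  = start + $2                  # partition covers sectors [start, stop)
            if (stop <= limit)      state = "wiped"      # entirely inside the damage
            else if (start < limit) state = "clobbered"  # its beginning is lost
            else                    state = "intact"     # starts after the damage
            print part, state
        }'
}

# Constructed sample label (sizes and offsets are made up for illustration).
sample_label() {
    cat <<'EOF'
# /dev/rsd1c:
type: SCSI
disk: SR CRYPTO
bytes/sector: 512
total sectors: 3907029168

16 partitions:
#                size           offset  fstype [fsize bsize   cpg]
  a:          2097152               64  4.2BSD   2048 16384 12960 # /
  b:         16777216          2097216    swap
  c:       3907029168                0  unused
  d:          8388608         18874432  4.2BSD   2048 16384 12960 # /var
  k:       3879766080         27263040  4.2BSD   4096 32768 26062 # /home
EOF
}

# 5 GiB written from the start of the device (assumed image size).
sample_label | classify_label 5368709120
```

Partitions reported as intact are the ones worth mounting read-only once a matching disklabel is back in place.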
Re: I nuked my filesystem
restore from backup. scan_ffs doesn't find ffs2 filesystems.
I nuked my filesystem
I did the thing.
dd'd a 5gb img to my ssd instead of my usb and I want to die.

dd if=file.iso of=/dev/sd1c

I am using a CRYPTO RAID partition and luckily I'm smart enough not to nuke that.

My ssd is 2TB so I believe it uses FFS2 by default. I'm hopelessly running scan_ffs on it in case it was silently updated or the man is wrong or there's a God.

Any advice on how to recover what's left? I'll give you my car.

Isaac