Sometimes people delete files they shouldn't, a long-running process still has the file open, and recovering the data by catting /proc/<pid>/fd/N just isn't awesome enough. Awesome enough would be if you could "undo" the delete by running some magic option to ln that would let you re-link to the inode number (recovered through lsof).
I can't find any Linux tools to do this, least with cursory Googling.
What do you got, serverfault?
EDIT1: The reason catting the file from /proc/<pid>/fd/N isn't awesome enough is because the process which still has the file open is still writing to it. A delete removes the reference to the inode from the filesystem namespace. What I want is a way of re-creating the reference.
EDIT2: 'debugfs ln' works but the risk is too high since it frobs raw filesystem data. The recovered file is also crazy inconsistent. The link count is zero and I can't add links to it. I'm worse off this way since I can just use /proc/<pid>/fd/N to access the data without corrupting my fs.
This awesomeness was introduced to
lnin v8.0 (GNU/coreutils) with the-L|--logicaloption which causeslnto dereference a/proc/<pid>/fd/<handle>first. So a simpleis enough to relink a deleted file.
It sounds like you already understand a lot, so I won't go into excess detail. There's several methods to find the inode and you can usually cat and redirect STDOUT. You can use
debugfs. Run this command within:ln <$INODE> FILENAMEMake sure you have backups of the filesystem. You'll probably need to run a fsck afterwards. I tested this successfully with an inode still being written to and it does work to create a new hard link to a dereferenced inode.
If the file is unlinked with an unopen file in ext3, the data is lost. I'm not sure how consistently true this is but most of my data recovery experience is with ext2. From the ext3 FAQ:
There's also relevant information in this question:
I overwrote a large file with a blank one on a linux server. Can I recover the existing file?
the debugfs way as you saw doesn't really work and at best your file will be deleted automatically (due to the journal) after reboot and at worst you can trash your filesystem resulting to "reboot cycle of death". The Right Solution (TM) is to perform the undelete in the VFS level (which also has the added benefit of working with practically all current Linux filesystems). The system call way (flink) has been shot down every time it appeared in LKML so the best way is through a module + ioctl.
A project that implements this approach and has reasonably small and clean code is fdlink (https://github.com/pkt/fdlink.git for a version tested with ubuntu maverick's kernel). With it, after you insert the module (sudo insmod flink_dev.ko) you can just do "./flinkapp /proc//fd/X /my/link/path" and it will do exactly what you want.
You can also use a forward-ported version of vfs-undelete.sourceforge.net that also works (and can also automatically relink to the original name), but fdlink's code is simpler and it works just as well, so it is my preference.
Ran into the same problem today. The best I could come up with is to run
in a tmux/screen session until the process ends.
I don't know how to do exactly what you want, but what I would do is:
Not ideal, obviously, but possible. The other option is to play around with debugfs (using the
linkcommand), but that's kind of scary on a production machine!Interesting question. An interviewer asked the same question to me in a job interview. What I told him was that there was not a easy way to do this and in general was not worth the time and effort involved. I did ask him what he thought the solution to this issue was ....
Use Sleuthkit icat.
The quick solution that worked for me, without intimidating tools:
1) find the process+fd by looking directly in /proc:
2) Then a similar technique to @nickray's, with
pvthrown in:You may need to Ctrl-C when done (
ls /proc/{procnum}/fd/{fdnum}will tell you that the file no longer exists)), but if you know the exact size in bytes, you can usepv -Sto make it exit when the count is reached.