How to interpret the contents of /lost+found after serious filesystem corruption?
Linux - KernelThis forum is for all discussion relating to the Linux kernel.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
How to interpret the contents of /lost+found after serious filesystem corruption?
I am trying to work out whether some serious filesystem corruption is recoverable or not - however, I am struggling to find a definitive description of what i am seeing in /lost+found anywhere on the web.
Can someone describe the different fields (columns) for me in the following output please?:
Code:
/<directory>/lost+found:
total 2068
c---r----t 1 563216355 3786404617 254, 0 Mar 12 1972 #101010477
b-----x-wx 1 3760447531 3930169908 7, 161 Dec 21 1953 #101262077
pr-S---r-t 1 738401804 404783880 0 Aug 5 1979 #10134481
-r-S-wxr-T 1 1197902768 984580 45056 Aug 24 1997 #101786960
This is only part of the output, but I would like to know what columns 3, 4 and 5/6 correspond to if anyone knows? The timestamps are messed up too, but I assume that is because the metadata is too corrupt to read correctly?
The first two items are device files; they don't normally contain any real data. 254,0 is the real time clock and 7,161 is a loop device for mounting files as disks. The third line is a named pipe and contains nothing. It's the lines beginning with a hyphen (for regular file) or d (for directory) that contain bits of actual files. For those files, column 5 should give you the size.
I found this post by someone who sorted out a similar situation.
You say that '254,0' is a real time clock and '7,161' is a loop device - what about the other files above?
All of these files *should* be compressed backup archives, but I have no idea how to link them to files that existed previously (I have a backup listing from before).
What do the numbers in columns 3 and 4 corresponds to? EOF before and after, or something like that...? Where can I find a list of ALL devices and the corresponding 'code' (i.e. 254,0 for a real time clock)?
I need to know what each column represents before I decide whether it is futile to try and restore these files...
And I forgot to add that that post you added doesn't help at all unfortunately!
Last edited by mistephenso; 04-26-2016 at 06:13 AM.
Reason: Added reply to link added by previous poster
... but I assume that is because the metadata is too corrupt to read correctly?
Sounds reasonable. I would assume the entire filesystem is junk. You cannot trust that the data is either there or complete even if you do manage to "recover" it. fsck is designed to repair the filesystem to a consistent state, not the data. Sometimes you're lucky, sometimes not.
My standard response when I get an incident that leaves my data in an indeterminate state is to reformat and restore. No ifs, not buts.
Sounds reasonable. I would assume the entire filesystem is junk. You cannot trust that the data is either there or complete even if you do manage to "recover" it. fsck is designed to repair the filesystem to a consistent state, not the data. Sometimes you're lucky, sometimes not.
My standard response when I get an incident that leaves my data in an indeterminate state is to reformat and restore. No ifs, not buts.
OK, thanks syg00 - I guessed I would have to rebuild anyway, but I just wanted to find out what all of the different 'columns' in the /lost+found output actually meant...
I have searched, but I cannot find any direct reference to it. This is the main thing I would like to know!?
The columns are the same as any other "ls" command. The results are meaningless because the command is trying to make sense of random bytes - garbage in, garbage out.
T'was ever thus.
The columns are the same as any other "ls" command. The results are meaningless because the command is trying to make sense of random bytes - garbage in, garbage out.
T'was ever thus.
OK, I agree that this is probably GIGO; if that is the case though, why bother trying to save anything if you are not able to do anything with it afterwards...!?
And the columns are not the same as any other 'ls' command. Spot the difference :
You have to rebuild. The only thing that "lost+found" does is to attach non-deleted but orphaned inodes to some directory-entry somewhere. Pragmatically, there's nothing useful to be done with them.
You have to rebuild. The only thing that "lost+found" does is to attach non-deleted but orphaned inodes to some directory-entry somewhere. Pragmatically, there's nothing useful to be done with them.
OK, thank you sundialsvcs - we will rebuild! I find it strange that fsck bothers to keep the files if we cannot do anything with them though...!?
And I am still interested in the column descriptions as well. What does it all actually mean?
And the columns are not the same as any other 'ls' command. Spot the difference
Yes, they are the same as what ls prints when fed garbage. Columns 3 and 4 are the numeric UID and GID and are printed as numbers because looking up those numeric IDs in /etc/passwd and /etc/group did not find a match. For inodes with a type field that translates as character-special or block-special ("c" or "b" in the first column of the permissions), the major and minor device numbers ("51, 0", "89, 246", etc.) are printed in place of the file size normally shown in column 5. You can see similar (but non-garbage) output by running "ls -l /dev". Those inodes now linked in lost+found contain garbage, and ls is just making the most sense possible of it.
OK, thank you sundialsvcs - we will rebuild! I find it strange that fsck bothers to keep the files if we cannot do anything with them though...!?
Fsck cannot make that determination. That is up to the system administrator.
Quote:
And I am still interested in the column descriptions as well. What does it all actually mean?
As you have been told - it means the same thing it means with any ls report.
You can read the man page on ls for that.
Another command that sometimes helps is the "stat" command. Stat will give more detailed names for each field.
The purpose of the files in lost+found are to allow the administrator to decide what do to with the data blocks and inodes associated with the name. You can delete them, rename them, identify any contents and give them back to the original owner, and let the user decide what to do with them.
In the past, I have recovered source files that got lost that way.
I think sundialsvcs is being unnecessarily pessimistic. That link that I posted showed how an Ubuntu user actually recovered quite a lot of useful data from those files.
OK, thanks gents (and ladies?)! Looking at the 'ls' man pages does actually give me the information I needed before, so apologies for my earlier sarcasm...
There are so many files in /lost+found that it is just going to be easier to bite the bullet and rebuild anyway. The important files we have backed up, so we can restore those. I just wondered if it would be relatively simple to bring the other files back from the dead, rather than having to rebuild them from scratch?!
You have to compare the effort to rebuild vs. the effort to identify the files from their content among all the anonymous files in lost+found. Using "grep -r" to locate a file containing a fairly uncommon word would be straightforward. Trying to identify all the files from a missing /usr/lib directory would not. If an entire directory got disconnected and reattached in lost+found complete with its content, that's easy to recover. It's all the individual files that are the problem. And even if you recover a file, you need to have a way to check that its content did not get corrupted along with the filesystem metadata.
OK, thank you sundialsvcs - we will rebuild! I find it strange that fsck bothers to keep the files if we cannot do anything with them though...!?
And I am still interested in the column descriptions as well. What does it all actually mean?
Many file-repair utilities do this, including Windows' old chkdsk.exe. The objective is to be sure that there are no "in-use" physical files ("inodes ...") that do not have a directory-entry associated with them somewhere. A dummy directory-entry is built in "lost+found," basically so that the file can be "removed." (If you're curious what the orphaned inode contains, you can look at that now, too.)
But, the bottom line: "if a filesystem is hosed ... it's ... ... ... hosed."
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.