ext4檔案系統由檔案的inode號定位其inode Table
轉載:https://blog.csdn.net/yiqiaoxihui/article/details/55683328
在ubuntu中(以16.06為例),stat filename 可以檢視檔案的inode數值,但是如何確定該inode項具體在哪個塊組下的inode Table中不是那麼容易,接下來通過一步步計算來獲取該inode具體在哪個塊組下的inode Table的第幾項。
1.首先可以通過dumpe2fs檢視當前ext4檔案系統的結構資訊,命令為
dumpe2fs /dev/sdax 其中sdax為linux系統分割槽 可獲取如下類似資訊:
Filesystem volume name: <none> Last mounted on: / Filesystem UUID: 0fbdfdd4-80ea-4962-84e8-9173c5ef1cb5 Filesystem magic number: 0xEF53 Filesystem revision #: 1 (dynamic) Filesystem features: has_journal ext_attr resize_inode dir_index filetype needs_recovery extent flex_bg sparse_super large_file huge_file uninit_bg dir_nlink extra_isize Filesystem flags: signed_directory_hash Default mount options: user_xattr acl Filesystem state: clean Errors behavior: Continue Filesystem OS type: Linux Inode count: 6037504 Block count: 24146432 Reserved block count: 1207321 Free blocks: 20876199 Free inodes: 5787665 First block: 0 Block size: 4096 Fragment size: 4096 Reserved GDT blocks: 1018 Blocks per group: 32768 Fragments per group: 32768 Inodes per group: 8192 Inode blocks per group: 512 Flex block group size: 16 Filesystem created: Sun Jan 8 01:10:30 2017 Last mount time: Sat Feb 18 11:26:16 2017 Last write time: Sat Feb 18 19:26:08 2017 Mount count: 150 Maximum mount count: -1 Last checked: Sun Jan 8 01:10:30 2017 Check interval: 0 (<none>) Lifetime writes: 31 GB Reserved blocks uid: 0 (user root) Reserved blocks gid: 0 (group root) First inode: 11 Inode size: 256 Required extra isize: 28 Desired extra isize: 28 Journal inode: 8 First orphan inode: 2250909 Default directory hash: half_md4 Directory Hash Seed: 4c440967-7d09-4b9b-b3be-74a8d8bc47ca Journal backup: inode blocks Journal features: journal_incompat_revoke Journal size: 128M Journal length: 32768 Journal sequence: 0x0001f82e Journal start: 1
根據這些資訊,和檔案的inode號,基本就可以定位該檔案的inode資訊具體在哪個塊組中以及該塊組的inode Table的第幾項。
例如
[email protected]:~# stat test File: 'test' Size: 5 Blocks: 8 IO Block: 4096 regular file Device: 805h/2053d Inode: 2228474 Links: 1 Access: (0664/-rw-rw-r--) Uid: ( 1000/ heaven) Gid: ( 1000/ heaven) Access: 2017-02-18 16:22:31.496609901 +0800 Modify: 2017-02-18 16:22:07.728197004 +0800 Change: 2017-02-
可知test檔案的inode 號為2228474.
- (2228474-1)/8192(一個塊組的inode數)=272,即該inode 落在第272塊組內
- (2228474-1)%8192=249,即為該inode在某個inode Table的第249項
- 272×32768(一個塊組共有32768塊)=8912896,得該檔案inode落在第272塊組的起始塊為8912896
8912896只是第272塊組的起始塊,要想進一步定位該塊組的inode Table具體偏移位置,還需瞭解對於ext4檔案系統來說一個標準的塊組的佈局順序。這可以通過dumpe2fs命令檢視。
由於我的ubuntu 下的ext4檔案系統的塊組的block Bitmap、inode Bitmap以及inode Table是每16個塊組為單位放在16個塊組的首塊組中,比如0-15塊組的所有block Bitmap、inode Bitmap以及inode Table均放在第0塊組內,16-31塊組的block Bitmap、inode Bitmap以及inode Table均放在第16塊組內。我們知道block Bitmap和inode Bitmap佔一個block,而inode Table 佔固定大小的blocks(我的為512blocks)。而272剛好是16的倍數,所以塊組的佈局如下:
- 8912896至8912911為16個block Bitmap
- 8912912至8912927為16個inode Bitmap
- 8912928至8912928+511第272個塊組的inode Table
所以從8912928開始偏移oxf900處即為test檔案inode全部資訊存放處。通過dd命令擷取從8912928開始的512塊,命令如下:
dd if=/dev/sda5 ibs=4096 skip=8912928 count=512 of=inode_table
通過vim命令開啟inode_table檔案,發現全是亂碼,轉成16進位制後如圖所示:
從0000f900開始數,偏移第60位元組處為0xc7f5 5300,即為test檔案資料塊指標,由於ext4採用小端儲存,所以實際應該是0x0053f5cf,通過debugfs命令可以驗證,如下:
- debugfs 1.42.13 (17-May-2015)
- debugfs: open -w /dev/sda5
- debugfs: mi <2228474>
- Mode [0100664]
- User ID [1000]
- Group ID [1000]
- Size [5]
- Creation time [1487406129]
- Modification time [1487406127]
- Access time [1487406151]
- Deletion time [0]
- Link count [1]
- Block count high [0]
- Block count [8]
- File flags [0x80000]
- Generation [0x15fa265]
- File acl [0]
- High 32bits of size [0]
- Fragment address [0]
- Direct Block #0 [127754]
- Direct Block #1 [4]
- Direct Block #2 [0]
- Direct Block #3 [0]
- Direct Block #4 [1]
- Direct Block #5 [5502407]
- Direct Block #6 [0]
- Direct Block #7 [0]
- Direct Block #8 [0]
- Direct Block #9 [0]
- Direct Block #10 [0]
- Direct Block #11 [0]
- Indirect Block [0]
- Double Indirect Block [0]
- Triple Indirect Block [0]
至此,已經完成從一個檔案的inode 追蹤到起anode Table 的全過程。