Recover Accidentally Deleted Files on RHEL with extundelete – Full Step‑by‑Step Guide

Why extundelete can recover deleted files

extundelete is an open‑source utility that restores files removed with rm on ext3/ext4 file systems. Linux deletion only clears the directory entry and marks the inode as free; the data blocks remain on disk until they are overwritten. extundelete scans the inode and superblock metadata to rebuild the missing directory entries and recover the data.

Linux deletion mechanics

When rm /path/file is executed the kernel performs two lightweight actions:

Mark the inode as free, allowing it to be reused.

Remove the directory entry, so the file no longer appears in listings.

The actual data blocks are still present on the storage device and can be re‑linked before they are overwritten.

Applicable scenarios and limitations

Recover a single file (e.g., /etc/httpd/conf/httpd.conf).

Recover an entire directory (e.g., /opt/app).

Recover all recoverable files on a partition.

Supported file systems: ext3 and ext4 only. xfs, btrfs and other file systems are not supported.

If the data blocks have been overwritten, the recovered file will be empty or corrupted.

Files that were part of a format operation or hard‑linked cannot be recovered.

Installation

RHEL 6 / CentOS 6 (ext4 by default)

# Ensure a working YUM repository (local ISO if needed)
mount /dev/cdrom /mnt/cdrom
echo "baseurl=file:///mnt/cdrom" > /etc/yum.repos.d/local.repo
yum clean all && yum makecache
# Install extundelete
yum install -y extundelete
# Verify installation
extundelete -v

RHEL 7/8/9, CentOS 7+, Rocky Linux (requires compilation)

# Install build dependencies
yum install -y gcc gcc-c++ make e2fsprogs-devel wget
# Download source
wget https://downloads.sourceforge.net/project/extundelete/extundelete/0.2.4/extundelete-0.2.4.tar.bz2
# Extract, configure, compile, install
tar -jxvf extundelete-0.2.4.tar.bz2
cd extundelete-0.2.4
./configure --prefix=/usr/local/extundelete
make && make install
# Add to PATH
echo "export PATH=\$PATH:/usr/local/extundelete/bin" >> /etc/profile
source /etc/profile
# Verify
extundelete -v

Recovery workflow

Pre‑recovery: stop all writes

Unmount the affected partition if possible: umount /opt If the partition cannot be unmounted (e.g., root), remount it read‑only: mount -o remount,ro / Mount an external storage device (e.g., /mnt/usb) and recover files there to avoid further writes on the damaged partition.

Identify the affected partition

Confirm the device path and that the file system type is ext3/ext4: df -Th Example output shows /dev/sda5 mounted on /opt with type ext4.

Recover files

Single file : extundelete /dev/sda5 --restore-file config.ini Recovered files appear in a RECOVERED_FILES directory.

Entire directory : extundelete /dev/sda5 --restore-directory app All recoverable files :

extundelete /dev/sda5 --restore-all

Post‑recovery verification and restoration

Check file integrity, e.g., cat RECOVERED_FILES/config.ini Copy files back to their original locations: cp RECOVERED_FILES/config.ini /opt/ If the partition was unmounted, remount it: mount /dev/sda5 /opt Restart any services that depend on the restored files, e.g.,

systemctl restart httpd

Common pitfalls and solutions

Pitfall 1 – "Device or resource busy" when unmounting

Identify processes using the mount point with fuser -m /opt, terminate them (e.g., kill -9 1234 5678), then retry umount /opt. If the partition still cannot be unmounted, reboot into single‑user mode.

Pitfall 2 – Recovered files are empty or garbled

This occurs when the data blocks have been overwritten after deletion. The only remedy is to restore from a backup; prevent it by mounting the partition read‑only immediately after the accidental delete.

Pitfall 3 – "Can't find ext2fs library" during compilation

Install the missing development package and recompile:

yum install -y e2fsprogs-devel
cd extundelete-0.2.4
./configure && make && make install

Pitfall 4 – "Couldn't find valid superblock"

Verify the device path and file‑system type. If the superblock is corrupted, locate a backup superblock and repair:

dumpe2fs /dev/sda5 | grep -i superblock
# Example: backup at 32768
e2fsck -b 32768 /dev/sda5

Pitfall 5 – "Directory is empty" when restoring a directory

Check the inode status with extundelete /dev/sda5 --inode 2. If the inode is still marked deleted, try restoring individual files inside the directory.

Pitfall 6 – Cannot unmount the root partition on RHEL 7+

Boot from the RHEL installation ISO, choose “Rescue a Red Hat Enterprise Linux system”, let the installer mount the root at /mnt/sysimage, chroot into it ( chroot /mnt/sysimage), and run the appropriate extundelete command on the root device.

Prevention tips (reduce accidental deletions)

Immediately mount the affected partition read‑only : mount -o remount,ro /opt or umount /opt. Do not perform any write operations on the partition after a mistake.

Save recovered files to a different filesystem : use an external USB drive ( /mnt/usb) or another idle partition.

Confirm the filesystem before attempting recovery : df -Th. If the partition is xfs, use xfs‑specific tools instead of extundelete.

Add a safety alias to rm :

echo "alias rm='rm -i'" >> /etc/profile
source /etc/profile

Replace rm with a “trash” move :

mkdir -p /tmp/trash
echo "alias rm='mv -t /tmp/trash'" >> /etc/profile
source /etc/profile

Lock critical directories with the immutable attribute :

chattr +i /etc
chattr +i /opt/app/data
# Remove with chattr -i before legitimate changes

Maintain local and off‑site backups (e.g., scheduled rsync to a remote server and daily snapshots).