[ale] debugfs :: handy utility to debug an ext2 or ext3 file system

Jerry Yu jjj863 at gmail.com
Tue Nov 7 12:15:11 EST 2006 

I am learning a useful utility program named 'debugfs'. It is part of
e2fsprogs package, an essential packages containing axillary programs for
ext2 and ext3 file system under Linux. For a regular file, you can find an
inode by any data block the file or dir entry is using. Then you can turn
around and ask for the name of the inode. This could be handy when some
mysterious files causing df and du disagree whether the filie system is
full, or the file system is corrupted or can't mounted to be accessed as
usual. More advanced file system features are available too.

# to find what inode is claiming a given data block
# debugfs -R "icheck 12345" /dev/hda1
debugfs 1.35 (28-Feb-2004)
Block   Inode number
12345   340

# to find the file name given the inode number
# debugfs -R "ncheck 49153" /dev/hda1
debugfs 1.35 (28-Feb-2004)
Inode   Pathname
49153   /usr/share/locale/ar/LC_MESSAGES/libbonobo-2.0.mo

# Print the location of the inode data structure
# debugfs -R "imap /boot/vmlinuz-2.6.9-42.0.2.EL" /dev/hda1
debugfs 1.35 (28-Feb-2004)
Inode 557516 is part of block group 34
        located at block 1114128, offset 0x0580

# to dump the direntry (filespec, per man page)
debugfs -R "dump -p /boot/vmlinuz-2.6.9-42.0.2.EL /tmp/vmlinuz_dumped"
/dev/hda1
# md5sum /boot/vmlinuz-2.6.9-42.0.2.EL /tmp/vmlinuz_dumped
e5c536b539b5ffcaa03b22bd7fcc164a  /boot/vmlinuz-2.6.9-42.0.2.EL
e5c536b539b5ffcaa03b22bd7fcc164a  /tmp/vmlinuz_dumped

# to get the  contents of a file, assume the fs can't be mounted and
accessed the usually way.
# debugfs -R "cat /etc/redhat-release" /dev/hda1
debugfs 1.35 (28-Feb-2004)
CentOS release 4.4 (Final)

Noteworthy is, for files under /selinux ( a pseudo fs), it can find inode
number associated with a data block. However, it couldn't find  the file
name for the very inode number.
# debugfs -R "ncheck 8" /dev/hda1
debugfs 1.35 (28-Feb-2004)
Inode   Pathname
8       <inode not found>
# find / -inum 8
/selinux/relabel
# ls -id /selinux/relabel
8 /selinux/relabel
# debugfs -R "icheck 4567" /dev/hda1
debugfs 1.35 (28-Feb-2004)
Block   Inode number
4567    8
# / is on /dev/hda1
/dev/hda1              8127400   6738524   1306308  84% /

There's a lot of powerful (and dangerous features) such as

   - feature  you can set or clear various file system features in the
   superblock
   - freeb to mark data blocks as unallocated  vs. setb
   - freei to free the inode specified
   - clri  to clear the contents of the inode
   - chroot  to chroot to the directory
   - find_free_block
   - find_free_inode
   - init_filesys  to create an ext2 file system
   - kill_file deallocate the file and its blocks. It doesn't remove any
   direntry to this inode. not 'rm' or 'unlink'.
   - logdump to dump the ext3 journal
   - modify_inode  modify the contents of the inode structure
   - ls/mkdir/mknod/rm/rmdir

'debugfs' starts interactively by default, unless you have '-R' to request
one-time use only. An session would be like below:
# debugfs
debugfs 1.35 (28-Feb-2004)
debugfs:  open /dev/hda1
debugfs:  icheck 12345
Block   Inode number
12345   340
debugfs:  ncheck 340
Inode   Pathname
340     /usr/X11R6/lib/xscreensaver/mountain
debugfs:  close
debugfs:  quit
-------------- next part --------------
An HTML attachment was scrubbed...

More information about the Ale mailing list