Blow away your disk partitions? Maybe not!

I did something kind of dopy today in my pre-coffee hours. Luckily, my officemate helped me find some clarity in dealing with a bit of a dodgy issue: partition tables.

Operating systems like Linux keep track of where different partitions start on your drive by placing “super blocks” at the beginning of each partition that tell the system how big the partition is, and what the physical boundaries of the partition are on the disk. Linux also stores a main partition table as a summary of this information to keep from having to scan the entire disk for partitions every time you boot. It uses the partition table instead to figure out how to mount the various partitions on your drive…. unless the partition table gets blown away – which happens. I know. I’ve seen me do it.

So then what? Well, in my case, I figured “all I want to do is mount the drive, it’s not important what the system thinks the partition is on the disk”. I thought this because I thought that I only had one huge partition on the drive anyway, so call it whatever you want. So I just ran fdisk on the drive, named a partition that was the size of the entire hard drive, and I was able to mount the drive. It looked like everything was there – because all of the mount points were there. But when I went to the home directories to recover the data, it was empty!! I thought it was gone, but had no idea how. I couldn’t figure out how I could’ve lost this data, but the machines I’ve been playing with have been prone to these sorts of failure, so…

My officemate reminded me that if I just created one huge partition and wrote it to the partition table, then the superblock at the beginning of the device probably says “this first partition goes up to here”. That superblock is from the old installation of the OS, for the first partition on the drive, which was the “/” directory, which holds all of my mount points. The superblock says “it goes up to here”, and so that’s all I got. It wasn’t able to address any of the other data that lived in other partitions, because there are other superblocks on the disk that define the length of those partitions, and I didn’t know where they were. So I got to see everything that was in “/”, but nothing that was mounted *under* “/” from other partitions — like the “/home” directory.

I downloaded “gpart”, which is a tool that will scan your hard drive for superblocks, and come up with an educated guess based on the superblock information as to where your partitions live. It’ll then show you all of this information, allow you to edit it, and/or write it back out to a partition table on the device. It found my other partition, wrote out a partition table, and I was immediately able to mount the partition and copy the data back into place.

  • Gye Greene

    Hey — nice recovery!