ZFS GPT is corrupt/ZFS is lost

putin.is.a.thief

putin.is.a.thief

Accidentelly did gpart recover on ZFS partition encrypted with geli :) The disk is in GPT and has an installed geli bootloader.
After this, the disk became like it's a couple of disks (the encrypted partition is freebsd-zfs which is da1p3):

Code: 
gpart show

=> 40 2000409184 da1 GPT (954G) [CORRUPT]
40 1024 1 freebsd-boot (512K)
1064 984 - free - (492K)
2048 67108864 2 freebsd-swap (32G)
67110912 1933297664 3 freebsd-zfs (922G)
2000408576 648 - free - (324K)

=> 40 2000409184 diskid/DISK-0123456789ABCDE GPT (954G) [CORRUPT]
40 1024 1 freebsd-boot (512K)
1064 984 - free - (492K)
2048 67108864 2 freebsd-swap (32G)
67110912 1933297664 3 freebsd-zfs (922G)
2000408576 648 - free - (324K)

The problem is I don't remember if i did gpart recover on geli-attached (e.g. geli managed) or physical partition device.

I tried then to restore geli metadata from backup made with 'geli backup'. So I did 'geli restore'. Command succeeded. Now I can mount freebsd-zfs with my password, but there is a clear ZFS filesystem on it. No files.

Problem 2 is that I can't now boot, instead of 'Enter GELI passphrase' message I see just blank console. No reactions to keyboard.

I'm now dumping the decrypted (geli-attached) partition with hexdump:

hexdump -C /dev/da1p3 | less

and I'm seeing parts of existing files on it, including LICENSE and ReadMes. My files should be there, I believe.

zfs list says:
Code: 
zfs list

NAME    USED  AVAIL  REFER  MOUNTPOINT
z 736K 891G 88K /mnt/z

This is wrong. My filesystem was almost 500GB. Here, it looks clear.

I think I need to dig into the ZFS internals and find some ZFS raw disk parser/viewier/recoverer. Maybe someone knows a good forensic tool? What should I do ?
 
I don't know about ZFS so can't help directly.

But take a deep breath and do NOT rush in - chances are you'll only make it worse.

If you've got another machine can you try and recreate the steps you did. So set the machine up, make a couple of files, do whatever you did to trash the system, and then work on THAT system to see if you can recover anything. Rather than experimenting on the system you are trying to recover.

Any backups?

Good luck.
 
Boot from USB thumb drive. The FreeBSD install image will do, and use the live system to attempt to repair.
EDIT This reminds me to include the output of gpart list & gpart backup into any backup that does not include such information, like dump/restore. So, in the unlikely case you have this data, you can manually recover the partition table. E.g. some have fulltext sudo(8) log files, where you might find such info.
 
mjollnir said:
Get the /boot/zfs/zpool.cache from your backup might help?
Click to expand...
I didn't backup /boot. Only copied work files. No system files :(
I think I damaged FS by running multiple zpool create/zpool destroy commands. I though they operate 'in-memory' structures,
but it seems they overwrite the FS. I probably just need to recover some file's contents.

mjollnir said:
Boot from USB thumb drive. The FreeBSD install image will do, and use the live system to attempt to repair.
EDIT This reminds me to include the output of gpart list & gpart backup into any backup that does not include such information, like dump/restore. So, in the unlikely case you have this data, you can manually recover the partition table. E.g. some have fulltext sudo(8) log files, where you might find such info.
Click to expand...

No, I don't have no logs :( I backed up only work files (user files) and /etc dir.
 
You must log in or register to reply here.
Back
Top