What to do after a "rm -R /*"

Question

I was working on my website under root and I commit the worst thing that a linux user can do : rm -R /* instead of rm -R ./*. I've stopped the process when I saw that it was taking too long... I manage to reinstall lubuntu with an usb key, is this a good idea or are there other ways to reverse this big mistake ?

Thanks to any answer

Answer 1

Short answer: no.

Long answer: depends on the filesystem and on how rm is implemented. It's possible that rm merely unlinks the file; the inode (marked "deleted") and data may still remain. And even if the inode is hard-deleted, the data may remain. But in either case: there is a risk that your actions since that time have already written data over your old data or over the location of the soft-deleted inode. This can happen even with temporary files, or file descriptors (such as for sockets or processes) or pagefile [well, unless that thing has its own partition].

I wouldn't recommend trying to relink soft-deleted inodes, or infer from your data how to reconstruct hard-deleted inodes. Sure, maybe for irreplaceable memories this would be worth it (take the drive to a data forensics specialist), but there's near-guaranteed corruption somewhere on the disk. I would certainly not attempt to run a production system off a disk recovered like that.

I recommend one of the following:

• restoring from your regularly-scheduled backup
• wiping everything and starting again (you have all your website files stored under source control and stored remotely, right?)
• redeploying your Docker image (this was an immutable deployment, right?)