从 Azure 虚拟机备份恢复文件Recover files from Azure virtual machine backup

Azure 备份提供从 Azure VM 备份(也称恢复点)还原 Azure 虚拟机 (VM) 和磁盘的功能。Azure Backup provides the capability to restore Azure virtual machines (VMs) and disks from Azure VM backups, also known as recovery points. 本文介绍如何从 Azure VM 备份恢复文件和文件夹。This article explains how to recover files and folders from an Azure VM backup. 还原文件和文件夹仅适用于使用资源管理器模型部署的、在恢复服务保管库中受保护的 Azure VM。Restoring files and folders is available only for Azure VMs deployed using the Resource Manager model and protected to a Recovery services vault.

备注

此功能适用于使用 Resource Manager 模型部署的、在恢复服务保管库中受保护的 Azure VM。This feature is available for Azure VMs deployed using the Resource Manager model and protected to a Recovery Services vault. 不支持从加密的 VM 备份恢复文件。File recovery from an encrypted VM backup is not supported.

装载卷并复制文件Mount the volume and copy files

若要从恢复点还原文件或文件夹,请转到虚拟机并选择所需的恢复点。To restore files or folders from the recovery point, go to the virtual machine and choose the desired recovery point.

  1. 登录到 Azure 门户,在左侧窗格中单击“虚拟机”。Sign in to the Azure portal and in the left pane, click Virtual machines. 从虚拟机列表中,选择虚拟机以打开其仪表板。From the list of virtual machines, select the virtual machine to open that virtual machine's dashboard.

  2. 在虚拟机菜单中,单击“备份”以打开“备份”仪表板。In the virtual machine's menu, click Backup to open the Backup dashboard.

    打开恢复服务保管库备份项

  3. 在“备份”仪表板菜单上,单击“文件恢复”。In the Backup dashboard menu, click File Recovery.

    “文件恢复”按钮

    此时将打开“文件恢复”菜单。The File Recovery menu opens.

    文件恢复菜单

  4. 从“选择恢复点”下拉菜单中,选择存储所需文件的恢复点。From the Select recovery point drop-down menu, select the recovery point that holds the files you want. 默认已选择最新的恢复点。By default, the latest recovery point is already selected.

  5. 若要下载用于从恢复点复制文件的软件,请单击“下载可执行文件”(适用于 Azure VM)或“下载脚本”(适用于 Linux Azure VM,会生成 python 脚本)。To download the software used to copy files from the recovery point, click Download Executable (for Azure VMs) or Download Script (for Linux Azure VMs, a python script is generated).

    生成的密码

    Azure 会将该可执行文件或脚本下载到本地计算机。Azure downloads the executable or script to the local computer.

    可执行文件或脚本的下载消息

    若要以管理员身份运行可执行文件或脚本,建议将下载的文件保存到计算机。To run the executable or script as an administrator, it's suggested you save the downloaded file to your computer.

  6. 该可执行文件或脚本受密码保护,需要密码才能运行。The executable or script is password protected and requires a password. 在“文件恢复”菜单上,单击复制按钮以将密码加载到内存中。In the File Recovery menu, click the copy button to load the password into memory.

    生成的密码

  7. 请确保使用符合要求的计算机来执行脚本。Make sure you have the right machine to execute the script. 如果符合要求的计算机与下载脚本的计算机相同,则可以继续下载部分的操作。If the right machine is the same machine where you downloaded the script, then you can continue to the download section. 从下载位置(通常是“下载”文件夹),右键单击可执行文件或脚本,然后用管理员凭据运行。From the download location (usually the Downloads folder), right-click the executable or script and run it with Administrator credentials. 出现提示时,键入密码或粘贴内存中的密码,然后按 Enter。When prompted, type the password or paste the password from memory, and press Enter. 输入有效的密码后,脚本将连接到恢复点。Once the valid password is entered, the script connects to the recovery point.

    文件恢复菜单

  8. 对于 Linux 计算机,将生成一个 Python 脚本。For Linux machines, a python script is generated. 用户需要下载该脚本并将其复制到相关/兼容的 Linux 服务器。One needs to download the script and copy it to the relevant/compatible Linux server. 你可能必须修改权限才能使用 chmod +x <python file name> 执行该脚本。You may have to modify the permissions to execute it with chmod +x <python file name>. 然后使用 ./<python file name> 运行 Python 文件。Then run the python file with ./<python file name>.

请参阅访问要求部分来确保脚本已成功运行。Refer to the Access requirements section to make sure the script is run successfully.

标识卷Identifying volumes

对于 WindowsFor Windows

运行可执行文件时,操作系统将装载新卷并分配驱动器号。When you run the executable, the operating system mounts the new volumes and assigns drive letters. 可以使用 Windows 资源管理器或文件资源管理器来浏览这些驱动器。You can use Windows Explorer or File Explorer to browse those drives. 分配给卷的驱动器号不能与原始虚拟机中的驱动器号相同。The drive letters assigned to the volumes may not be the same letters as the original virtual machine. 不过,卷名会保留。However, the volume name is preserved. 例如,如果原始虚拟机上的卷为“数据磁盘(E:\)”,可在本地计算机上将该卷附加为“数据磁盘(‘任意字母’:\)”。For example, if the volume on the original virtual machine was "Data Disk (E:\)", that volume can be attached on the local computer as "Data Disk ('Any letter':\). 浏览脚本输出中所述的所有卷,直至找到文件或文件夹。Browse through all volumes mentioned in the script output until you find your files or folder.

文件恢复菜单

对于 LinuxFor Linux

在 Linux 中,恢复点的卷会装载到运行脚本的文件夹。In Linux, the volumes of the recovery point are mounted to the folder where the script is run. 将相应地显示附加的磁盘、卷和对应装载路径。The attached disks, volumes, and the corresponding mount paths are shown accordingly. 这些装载路径对于具有根级别访问权限的用户可见。These mount paths are visible to users having root level access. 浏览脚本输出中涉及的卷。Browse through the volumes mentioned in the script output.

Linux 文件恢复菜单

关闭连接Closing the connection

识别文件并将其复制到本地存储位置后,请删除(或卸载)其他驱动器。After identifying the files and copying them to a local storage location, remove (or unmount) the additional drives. 若要卸载驱动器,请在 Azure 门户中的“文件恢复”菜单上,单击“卸载磁盘”。 To unmount the drives, on the File Recovery menu in the Azure portal, click Unmount Disks.

卸载磁盘

卸载磁盘后,会显示一条消息。Once the disks have been unmounted, you receive a message. 连接可能在几分钟时间后才会刷新,以便能够删除磁盘。It may take a few minutes for the connection to refresh so that you can remove the disks.

在 Linux 中,断开与恢复点的连接后,OS 不会自动删除相应装载路径。In Linux, after the connection to the recovery point is severed, the OS doesn't remove the corresponding mount paths automatically. 装载路径作为“孤立”的卷存在并且可见,但访问/写入文件时会引发错误。The mount paths exist as "orphan" volumes and are visible, but throw an error when you access/write the files. 这些卷可以手动删除。They can be manually removed. 该脚本运行时会标识以前的任何恢复点存在的任何此类卷,并在获得许可后将其清除。The script, when run, identifies any such volumes existing from any previous recovery points and cleans them up upon consent.

选择符合要求的计算机来运行脚本Selecting the right machine to run the script

若已成功下载脚本,下一步就是验证计划在其上执行脚本的计算机是否为符合要求的计算机。If the script is successfully downloaded, then the next step is to verify whether the machine on which you plan to execute the script is the right machine. 以下是该计算机需要满足的要求。Following are the requirements to be fulfilled on the machine.

原始备份计算机与其他计算机Original backed up machine versus another machine

  1. 如果备份的计算机是大磁盘 VM(即磁盘数量大于 16 个,或者每个磁盘的大小大于 4 TB),则必须在另一台计算机上执行脚本,并且该计算机需要满足这些要求If the backed-up machine is a large disk VM - that is, the number of disks is greater than 16 disks or each disk is greater than 4 TB, then the script must be executed on another machine and these requirements have to be met.
  2. 即使备份的计算机不是大磁盘 VM,在这些情况下,也无法在同一备份 VM 上运行脚本。Even if the backed-up machine isn't a large disk VM, in these scenarios the script can't be run on the same backed-up VM.

对计算机的 OS 要求OS requirements on the machine

需要执行脚本的计算机必须满足这些 OS 要求The machine where the script needs to be executed must meet these OS requirements.

对计算机的访问要求Access requirements for the machine

需要执行脚本的计算机必须满足这些访问要求The machine where the script needs to be executed must meet these access requirements.

特殊配置Special configurations

动态磁盘Dynamic disks

如果受保护的 Azure VM 包含带有以下一个或两个特征的卷,则无法在同一 VM 上运行该可执行脚本。If the protected Azure VM has volumes with one or both of the following characteristics, you can't run the executable script on the same VM.

  • 跨多个磁盘的卷(跨区卷和带区卷)Volumes that span multiple disks (spanned and striped volumes)
  • 动态磁盘上的容错卷(镜像卷和 RAID-5 卷)Fault-tolerant volumes (mirrored and RAID-5 volumes) on dynamic disks

而应在具有兼容操作系统的任何其他计算机上运行该可执行脚本。Instead, run the executable script on any other computer with a compatible operating system.

Windows 存储空间Windows Storage Spaces

Windows 存储空间是用于将存储器虚拟化的一种 Windows 技术。Windows Storage Spaces is a Windows technology that enables you to virtualize storage. 使用 Windows 存储空间,可将行业标准磁盘分组为存储池。With Windows Storage Spaces you can group industry-standard disks into storage pools. 然后使用这些存储池中的可用空间创建虚拟磁盘,即存储空间。Then you use the available space in those storage pools to create virtual disks, called storage spaces.

如果受保护的 Azure VM 使用 Windows 存储空间,则不能在同一 VM 上运行该可执行脚本。If the protected Azure VM uses Windows Storage Spaces, you can't run the executable script on the same VM. 而应在具有兼容操作系统的任何其他计算机上运行该可执行脚本。Instead, run the executable script on any other machine with a compatible operating system.

LVM/RAID 阵列LVM/RAID arrays

在 Linux 中,逻辑卷管理器 (LVM) 和/或软件 RAID 阵列用于管理多个磁盘上的逻辑卷。In Linux, Logical volume manager (LVM) and/or software RAID Arrays are used to manage logical volumes over multiple disks. 如果受保护的 Linux VM 使用 LVM 和/或 RAID 阵列,则不能在同一 VM 上运行该脚本。If the protected Linux VM uses LVM and/or RAID Arrays, you can't run the script on the same VM. 而应在具有兼容 OS 且支持受保护 VM 的文件系统的任何其他计算机上运行该脚本。Instead run the script on any other machine with a compatible OS and which supports the file system of the protected VM.

以下脚本输出显示了 LVM 和/或 RAID 阵列磁盘和卷,及其分区类型。The following script output displays the LVM and/or RAID Arrays disks and the volumes with the partition type.

Linux LVM 输出菜单

若要使这些分区联机,请运行以下各部分中的命令。To bring these partitions online, run the commands in the following sections.

对于 LVM 分区For LVM partitions

列出某个物理卷下的卷组名称:To list the volume group names under a physical volume:

#!/bin/bash
pvs <volume name as shown above in the script output>

列出卷组中所有逻辑卷、名称及其路径:To list all logical volumes, names, and their paths in a volume group:

#!/bin/bash
lvdisplay <volume-group-name from the pvs commands results>

lvdisplay 命令还会显示卷组是否处于活动状态。The lvdisplay command also shows whether the volume groups are active are not. 如果卷组被标记为非活动状态,则需要再次激活该卷组才能进行装载。If the volume group is marked as inactive, it needs to be activated again to be mounted. 如果卷组显示为非活动状态,请使用以下命令进行激活。If volume-group is shown as inactive, use the following command to activate it.

#!/bin/bash
vgchange -a y  <volume-group-name from the pvs commands results>

卷组名称处于活动状态后,请再次运行 lvdisplay 命令以查看所有相关属性。After the volume group name is active, run the lvdisplay command once more to see all the relevant attributes.

将逻辑卷装载到所选的路径:To mount the logical volumes to the path of your choice:

#!/bin/bash
mount <LV path from the lvdisplay cmd results> </mountpath>

对于 RAID 阵列For RAID arrays

以下命令显示有关所有 RAID 磁盘的详细信息:The following command displays details about all raid disks:

#!/bin/bash
mdadm -detail -scan

相关 RAID 磁盘显示为 /dev/mdm/<RAID array name in the protected VM>The relevant RAID disk is displayed as /dev/mdm/<RAID array name in the protected VM>

如果 RAID 磁盘具有物理卷,请使用 mount 命令:Use the mount command if the RAID disk has physical volumes:

#!/bin/bash
mount [RAID Disk Path] [/mountpath]

如果 RAID 磁盘中配置了另一 LVM,请使用前述 LVM 分区相关过程,但使用卷名称代替 RAID 磁盘名称。If the RAID disk has another LVM configured in it, then use the preceding procedure for LVM partitions but use the volume name in place of the RAID Disk name.

系统要求System requirements

对于 Windows OSFor Windows OS

下表显示了服务器与计算机操作系统之间的兼容性。The following table shows the compatibility between server and computer operating systems. 恢复文件时,不能将文件还原到更旧或更新的操作系统版本。When recovering files, you can't restore files to a previous or future operating system version. 例如,不能将文件从 Windows Server 2016 VM 还原到 Windows Server 2012 或 Windows 8 计算机。For example, you can't restore a file from a Windows Server 2016 VM to Windows Server 2012 or a Windows 8 computer. 可将 VM 中的文件还原到相同的服务器操作系统,或还原到兼容的客户端操作系统。You can restore files from a VM to the same server operating system, or to the compatible client operating system.

服务器 OSServer OS 兼容的客户端 OSCompatible client OS
Windows Server 2019Windows Server 2019 Windows 10Windows 10
Windows Server 2016Windows Server 2016 Windows 10Windows 10
Windows Server 2012 R2Windows Server 2012 R2 Windows 8.1Windows 8.1
Windows Server 2012Windows Server 2012 Windows 8Windows 8
Windows Server 2008 R2Windows Server 2008 R2 Windows 7Windows 7

对于 Linux OSFor Linux OS

在 Linux 中,用于还原文件的计算机的 OS 必须支持受保护虚拟机的文件系统。In Linux, the OS of the computer used to restore files must support the file system of the protected virtual machine. 选择用于运行脚本的计算机时,请确保计算机具有兼容的 OS,并使用下表中认定的版本之一:When selecting a computer to run the script, ensure the computer has a compatible OS, and uses one of the versions identified in the following table:

Linux OSLinux OS 版本Versions
UbuntuUbuntu 12.04 及更高版本12.04 and above
CentOSCentOS 6.5 及更高版本6.5 and above
RHELRHEL 6.7 及更高版本6.7 and above
DebianDebian 7 及更高版本7 and above
Oracle LinuxOracle Linux 6.4 及更高版本6.4 and above
SLESSLES 12 及更高版本12 and above
openSUSEopenSUSE 42.2 及更高版本42.2 and above

备注

我们在装有 SLES 12 SP4 OS 的计算机上运行文件恢复脚本时发现一些问题,我们正在与 SLES 团队一起进行调查。We have found some issues in running the file recovery script on machines with SLES 12 SP4 OS and we are investigating with the SLES team. 目前,可在使用 SLES 12 SP2 和 SP3 OS 版本的计算机上正常运行文件恢复脚本。Currently, running the file recovery script is working on machines with SLES 12 SP2 and SP3 OS versions.

该脚本还需要 Python 和 bash 组件才能执行并安全地连接到恢复点。The script also requires Python and bash components to execute and connect securely to the recovery point.

组件Component 版本Version
bashbash 4 及更高版本4 and above
Pythonpython 2.6.6 及更高版本2.6.6 and above
TLSTLS 应支持 1.21.2 should be supported

访问要求Access requirements

如果在访问受限的计算机上运行该脚本,请确保能够访问:If you run the script on a computer with restricted access, ensure there is access to:

  • download.microsoft.com
  • 恢复服务 URL(地区名称是指恢复服务保管库的区域)Recovery Service URLs (geo-name refers to the region where the recovery service vault resides)
    • https://pod01-rec2.geo-name.backup.windowsazure.cn
  • 出站端口 53 (DNS)、443、3260Outbound ports 53 (DNS), 443, 3260

备注

  • 下载的脚本文件名将具有要在 URL 中填充的地区名称。The downloaded script file name will have the geo-name to be filled in the URL. 例如:下载的脚本名称以 'VMname'_'geoname''GUID'开头,例如 ContosoVM_wcus_12345678For exampple: The downloaded script name begins with 'VMname'_'geoname''GUID', like ContosoVM_wcus_12345678
  • URL 则为“https://pod01-rec2.bjb2.backup.azure.cnThe URL would be https://pod01-rec2.bjb2.backup.azure.cn"

在 Linux 上,该脚本需要“open-iscsi”和“lshw”组件才能连接到恢复点。For Linux, the script requires 'open-iscsi' and 'lshw' components to connect to the recovery point. 如果这些组件不存在于运行脚本的计算机上,该脚本会请求权限以安装组件。If the components don't exist on the computer where the script is run, the script asks for permission to install the components. 请同意安装必需组件。Provide consent to install the necessary components.

需要访问 download.microsoft.com,才能下载用于在运行脚本的计算机与恢复点中的数据之间构建安全通道的组件。The access to download.microsoft.com is required to download components used to build a secure channel between the machine where the script is run and the data in the recovery point.

从具有大磁盘的虚拟机备份恢复文件File recovery from Virtual machine backups having large disks

本部分介绍如何从包含 16 个以上磁盘(且每个磁盘大小均大于 32 TB)的 Azure 虚拟机的备份执行文件恢复。This section explains how to perform file recovery from backups of Azure Virtual machines with more than 16 disks and each disk size is greater than 32 TB.

由于文件恢复进程会附上备份中的所有磁盘,因此当使用大量磁盘(大于 16 个)或大型磁盘(每个磁盘大小大于 32 TB)时,建议使用以下操作点:Since file recovery process attaches all disks from the backup, when large number of disks (>16) or large disks (> 32 TB each) are used, the following action points are recommended:

  • 保留单独的还原服务器 (Azure VM D2v3 VM) 用于文件恢复。Keep a separate restore server (Azure VM D2v3 VMs) for file recovery. 只能将它用于文件恢复,并在不需要时将其关闭。You can use that only for file recovery and then shut it down when not required. 不建议在原始计算机上进行还原,因为它会对 VM 本身造成重大影响。Restoring on the original machine isn't recommended since it will have significant impact on the VM itself.
  • 然后运行该脚本一次,检查文件恢复操作是否成功。Then run the script once to check if the file recovery operation succeeds.
  • 如果文件恢复进程挂起(磁盘从未装载或装载后未显示卷),请执行以下步骤。If the file recovery process hangs (the disks are never mounted or they're mounted but volumes don't appear), perform the following steps.
    • 如果还原服务器是 Windows VM:If the restore server is a Windows VM:

      • 确保 OS 为 WS 2012 或更高版本。Ensure that the OS is WS 2012 or higher.
      • 确保在还原服务器中按以下建议设置注册表项,并确保重新启动服务器。Ensure the registry keys are set as suggested below in the restore server and make sure to reboot the server. GUID 旁边的数字的范围为 0001 - 0005。The number beside the GUID can range from 0001-0005. 下面的示例中采用的是 0004。In the following example, it's 0004. 浏览注册表项路径,直到参数部分。Navigate through the registry key path until the parameters section.

      iscsi-reg-key-changes.png

- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Disk\TimeOutValue - change this from 60 to 1200
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e97b-e325-11ce-bfc1-08002be10318}\0003\Parameters\SrbTimeoutDelta - change this from 15 to 1200
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e97b-e325-11ce-bfc1-08002be10318}\0003\Parameters\EnableNOPOut - change this from 0 to 1
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e97b-e325-11ce-bfc1-08002be10318}\0003\Parameters\MaxRequestHoldTime - change this from 60 to 1200
  • 如果还原服务器是 Linux VM:If the restore server is a Linux VM:
    • 在文件 /etc/iscsi/iscsid.conf 中,将设置从In the file /etc/iscsi/iscsid.conf, change the setting from:
      • node.conn[0].timeo.noop_out_timeout = 5 更改为 node.conn[0].timeo.noop_out_timeout = 30node.conn[0].timeo.noop_out_timeout = 5 to node.conn[0].timeo.noop_out_timeout = 30
  • 完成上述更改后,请再次运行脚本。After making the change above, run the script again. 进行这些更改后,文件恢复成功的可能性很高。With these changes, it's highly probable that the file recovery will succeed.
  • 用户每次下载脚本时,Azure 备份将开始准备用于下载的恢复点。Each time user downloads a script, Azure Backup initiates the process of preparing the recovery point for download. 对于大磁盘,此过程需要相当长的时间。With large disks, this process will take considerable time. 如果连续出现大量请求,目标准备将造成下载激增。If there are successive bursts of requests, the target preparation will go into a download spiral. 因此,建议从门户/PowerShell/CLI 下载脚本,等待 20 - 30 分钟(探索性步骤),然后运行该脚本。Therefore, it's recommended to download a script from Portal/PowerShell/CLI, wait for 20-30 minutes (a heuristic) and then run it. 此时,目标应准备就绪,可以从脚本进行连接。By this time, the target is expected to be ready for connection from script.
  • 在文件恢复后,请务必返回门户并为无法装载卷的恢复点单击“卸载磁盘”。After file recovery, make sure you go back to the portal and click Unmount disks for recovery points where you weren't able to mount volumes. 从本质上来说,此步骤将清理所有现有进程/会话并提高恢复的可能性。Essentially, this step will clean any existing processes/sessions and increase the chance of recovery.

故障排除Troubleshooting

如果从虚拟机恢复文件时遇到问题,请查看下表了解更多信息。If you have problems while recovering files from the virtual machines, check the following table for additional information.

错误消息/情景Error Message / Scenario 可能的原因Probable Cause 建议的操作Recommended action
可执行文件输出:连接到目标时捕获到异常Exe output: Exception caught while connecting to target 脚本无法访问恢复点The script isn't able to access the recovery point 检查计算机是否满足前述访问要求Check whether the machine fulfills the previous access requirements.
可执行文件输出:已经通过 iSCSI 会话登录目标。Exe output: The target has already been logged in via an iSCSI session. 脚本已在同一台计算机上执行,并且已附加驱动器The script was already executed on the same machine and the drives have been attached 已附加恢复点所在的卷。The volumes of the recovery point have already been attached. 不能使用与原始 VM 相同的驱动器号装载这些卷。They may NOT be mounted with the same drive letters of the original VM. 在文件的文件资源管理器中浏览所有可用卷。Browse through all the available volumes in the file explorer for your file.
可执行文件输出:此脚本无效,因为磁盘已通过门户卸载/已超过 12 小时限制。请从门户下载新脚本。Exe output: This script is invalid because the disks have been dismounted via portal/exceeded the 12-hr limit. Download a new script from the portal. 磁盘已从门户卸除或已超过 12 小时的限制The disks have been dismounted from the portal or the 12-hour limit was exceeded 此特定可执行文件现已失效,无法运行。This particular exe is now invalid and can't be run. 若要访问该恢复时间点的文件,请在门户中访问新的可执行文件。If you want to access the files of that recovery point-in-time, visit the portal for a new exe.
在运行可执行文件的计算机上:单击卸载按钮后,新卷没有卸载。On the machine where the exe is run: The new volumes aren't dismounted after the dismount button is clicked 计算机上的 ISCSI 发起程序无响应/不刷新它与目标之间的连接,并且不保留缓存。The iSCSI initiator on the machine isn't responding/refreshing its connection to the target and maintaining the cache. 单击“卸载”后,请等待几分钟。After clicking Dismount, wait a few minutes. 如果新卷未卸载,请浏览所有卷。If the new volumes aren't dismounted, browse through all volumes. 浏览所有卷会强制发起程序刷新连接并卸载卷,但会出现错误消息,指出磁盘不可用。Browsing all volumes forces the initiator to refresh the connection, and the volume is dismounted with an error message that the disk isn't available.
可执行文件输出:脚本成功运行,但脚本输出中未显示“新卷已附加”Exe output: The script is run successfully but "New volumes attached" is not displayed on the script output 这是暂时性的错误This is a transient error 卷其实已附加。The volumes will have been already attached. 打开资源管理器即可浏览它们。Open Explorer to browse. 如果每次都使用同一台计算机来运行脚本,请考虑重启计算机,这样,以后运行可执行文件时应会显示列表。If you're using the same machine for running scripts every time, consider restarting the machine and the list should be displayed in the subsequent exe runs.
Linux 特定:无法查看所需的卷Linux specific: Not able to view the desired volumes 运行脚本的计算机的 OS 可能无法识别受保护 VM 的基础文件系统The OS of the machine where the script is run may not recognize the underlying filesystem of the protected VM 检查恢复点是崩溃一致还是文件一致。Check whether the recovery point is crash-consistent or file-consistent. 如果文件一致,请在 OS 可识别受保护 VM 的文件系统的另一台计算机上运行该脚本。If file-consistent, run the script on another machine whose OS recognizes the protected VM's filesystem.
Windows 特定:无法查看所需的卷Windows specific: Not able to view the desired volumes 磁盘可能已附加,但未配置卷。The disks may have been attached but the volumes weren't configured 从磁盘管理屏幕中,识别与恢复点相关的其他磁盘。From the disk management screen, identify the additional disks related to the recovery point. 如果这些磁盘有任何一个处于脱机状态,请尝试通过右键单击该磁盘并单击“联机”来使其联机。If any of these disks are in an offline state, try bringing them online by right-clicking on the disk and click Online.

安全性Security

本部分介绍从 Azure VM 备份进行文件恢复时采取的各种安全措施。This section discusses the various security measures taken for the implementation of file recovery from Azure VM backups.

功能流Feature flow

构建此功能是为了在不需要还原整个 VM 或 VM 磁盘的情况下访问 VM 数据,同时尽量减少步骤数。This feature was built to access the VM data without the need to restore the entire VM or VM disks and with the minimum number of steps. 对 VM 数据的访问权限由脚本(在按如下方式运行时会装载恢复卷)提供,因此它是所有安全实现的基础:Access to VM data is provided by a script (which mounts the recovery volume when run as shown below) and it forms the cornerstone of all security implementations:

安全功能流

安全实现Security implementations

选择恢复点(谁可以生成脚本)Select Recovery point (who can generate script)

此脚本可以访问 VM 数据,必须控制谁可以首先生成它,这很重要。The script provides access to VM data, so it's important to regulate who can generate it in the first place. 你需要登录到 Azure 门户,并且需要获得 RBAC 授权才能生成脚本。You need to sign in into the Azure portal and be RBAC authorized to generate the script.

文件恢复所需的授权级别与 VM 还原和磁盘还原相同。File recovery needs the same level of authorization as required for VM restore and disks restore. 换句话说,只有经过授权的用户才能查看 VM 数据和生成脚本。In other words, only authorized users can view the VM data can generate the script.

生成的脚本使用适用于 Azure 备份服务的 Microsoft 官方证书签名。The generated script is signed with the official Microsoft certificate for the Azure Backup service. 篡改此脚本意味着破坏签名,尝试运行此脚本会被 OS 突出显示为潜在的风险。Any tampering with the script means the signature is broken, and any attempt to run the script is highlighted as a potential risk by the OS.

装载恢复卷(谁可以运行脚本)Mount Recovery volume (who can run script)

只有管理员可以运行此脚本,并且应该以提升模式运行它。Only an Admin can run the script and it should run in elevated mode. 此脚本仅运行预先生成的一组步骤,不接受任何外部源的输入。The script only runs a pre-generated set of steps and doesn't accept input from any external source.

若要运行此脚本,需要提供密码,该密码仅在 Azure 门户或 PowerShell/CLI 中生成脚本时显示给经授权的用户。To run the script, a password is required that is only shown to the authorized user at the time of generation of script in the Azure portal or PowerShell/CLI. 这是为了确保下载该脚本的授权用户同时负责运行该脚本。This is to ensure that the authorized user who downloads the script is also responsible for running the script.

浏览文件和文件夹Browse files and folders

为了浏览文件和文件夹,该脚本使用计算机中的 iSCSI 发起程序并连接到配置为 iSCSI 目标的恢复点。To browse files and folders, the script uses the iSCSI initiator in the machine and connects to the recovery point that is configured as an iSCSI target. 此处,你可以想象用户尝试模拟/仿冒任一/所有组件的情景。Here you can imagine scenarios where one is trying to imitate/spoof either/all components.

我们使用 CHAP 相互身份验证机制,让每个组件相互进行身份验证。We use a mutual CHAP authentication mechanism so that each component authenticates the other. 这意味着,身份虚假的发起程序很难连接到 iSCSI 目标,虚假目标也很难连接到运行脚本的计算机。This means it's extremely difficult for a fake initiator to connect to the iSCSI target and for a fake target to be connected to the machine where the script is run.

恢复服务与计算机之间的数据流由通过 TCP 构建安全 TLS 隧道提供保护(在运行脚本的计算机上应支持 TLS 1.2)。The data flow between the recovery service and the machine is protected by building a secure TLS tunnel over TCP (TLS 1.2 should be supported in the machine where script is run).

父级/备份 VM 中存在的任何文件访问控制列表 (ACL) 也会保留在已装载的文件系统中。Any file Access Control List (ACL) present in the parent/backed up VM are preserved in the mounted file system as well.

此脚本提供对恢复点的只读访问权限,并且仅在 12 小时内有效。The script gives read-only access to a recovery point and is valid for only 12 hours. 如果你希望提前删除此访问权限,则可登录到 Azure 门户/PowerShell/CLI 并针对该特定恢复点执行卸载磁盘操作。If you wish to remove the access earlier, then sign into Azure Portal/PowerShell/CLI and perform unmount disks for that particular recovery point. 脚本将立即失效。The script will be invalidated immediately.

后续步骤Next steps