从 Azure 虚拟机备份恢复文件Recover files from Azure virtual machine backup

Azure 备份提供从 Azure VM 备份(也称恢复点)还原 Azure 虚拟机 (VM) 和磁盘的功能。Azure Backup provides the capability to restore Azure virtual machines (VMs) and disks from Azure VM backups, also known as recovery points. 本文介绍如何从 Azure VM 备份恢复文件和文件夹。This article explains how to recover files and folders from an Azure VM backup. 还原文件和文件夹仅适用于使用资源管理器模型部署的并在恢复服务保管库中受保护的 Azure VM。Restoring files and folders is available only for Azure VMs deployed using the Resource Manager model and protected to a Recovery Services vault.

备注

此功能适用于使用 Resource Manager 模型部署的、在恢复服务保管库中受保护的 Azure VM。This feature is available for Azure VMs deployed using the Resource Manager model and protected to a Recovery Services vault. 不支持从加密的 VM 备份恢复文件。File recovery from an encrypted VM backup isn't supported.

文件和文件夹恢复工作流

步骤 1:生成并下载脚本以浏览和恢复文件Step 1: Generate and download script to browse and recover files

要从恢复点还原文件或文件夹,请转到虚拟机并执行以下步骤:To restore files or folders from the recovery point, go to the virtual machine and perform the following steps:

  1. 登录到 Azure 门户,在左侧窗格中选择“虚拟机”。Sign in to the Azure portal and in the left pane, select Virtual machines. 从虚拟机列表中,选择虚拟机以打开其仪表板。From the list of virtual machines, select the virtual machine to open that virtual machine's dashboard.

  2. 在虚拟机菜单中,选择“备份”以打开“备份”仪表板。In the virtual machine's menu, select Backup to open the Backup dashboard.

    打开恢复服务保管库备份项

  3. 在“备份”仪表板菜单中,选择“文件恢复”。In the Backup dashboard menu, select File Recovery.

    选择“文件恢复”

    此时将打开“文件恢复”菜单。The File Recovery menu opens.

    文件恢复菜单

  4. 从“选择恢复点”下拉菜单中,选择存储所需文件的恢复点。From the Select recovery point drop-down menu, select the recovery point that holds the files you want. 默认已选择最新的恢复点。By default, the latest recovery point is already selected.

  5. 选择“下载可执行文件”(适用于 Azure VM)或“下载脚本”(适用于 Linux Azure VM,会生成 python 脚本),以下载用于从恢复点复制文件的软件。Select Download Executable (for Azure VMs) or Download Script (for Linux Azure VMs, a python script is generated) to download the software used to copy files from the recovery point.

    下载可执行文件

    Azure 会将该可执行文件或脚本下载到本地计算机。Azure downloads the executable or script to the local computer.

    可执行文件或脚本的下载消息

    若要以管理员身份运行可执行文件或脚本,建议将下载的文件保存到计算机。To run the executable or script as an administrator, it's suggested you save the downloaded file to your computer.

  6. 该可执行文件或脚本受密码保护,需要密码才能运行。The executable or script is password protected and requires a password. 在“文件恢复”菜单中,选择复制按钮以将密码加载到内存中。In the File Recovery menu, select the copy button to load the password into memory.

    生成的密码

步骤 2:执行脚本之前,请确保计算机满足要求Step 2: Ensure the machine meets the requirements before executing the script

成功下载脚本后,请确保使用满足要求的计算机来执行该脚本。After the script is successfully downloaded, make sure you have the right machine to execute this script. 你计划在其中执行脚本的 VM 不应具有以下任何不受支持的配置。The VM where you are planning to execute the script, should not have any of the following unsupported configurations. 如果是这样,则最好从同一区域中选择一个符合要求的备用计算机。If it does, then choose an alternate machine preferably from the same region that meets the requirements.

动态磁盘Dynamic disks

无法在具有以下任意特征的 VM 上运行可执行脚本:You can't run the executable script on the VM with any of the following characteristics:

  • 跨多个磁盘的卷(跨区卷和带区卷)。Volumes that span multiple disks (spanned and striped volumes).
  • 动态磁盘上的容错卷(镜像卷和 RAID-5 卷)。Fault-tolerant volumes (mirrored and RAID-5 volumes) on dynamic disks.

Windows 存储空间Windows Storage Spaces

无法在为 Windows 存储空间配置的 VM 上运行下载的可执行文件。You cannot run the downloaded executable on the VM that is configured for Windows Storage Spaces.

具有大磁盘的虚拟机备份Virtual machine backups having large disks

如果备份的计算机上有大量磁盘(> 16 个)或大磁盘(每个磁盘 > 4 TB),则建议不要在同一台计算机上执行该脚本以进行还原,因为这会对 VM 产生重大影响。If the backed-up machine has large number of disks (>16) or large disks (> 4 TB each) it's not recommended to execute the script on the same machine for restore, since it will have a significant impact on the VM. 取而代之的是,建议仅为文件恢复使用单独的 VM (Azure VM D2v3 VM),并在不需要时将其关闭。Instead it's recommended to have a separate VM only for file recovery (Azure VM D2v3 VMs) and then shut it down when not required.

步骤 3:成功运行脚本的 OS 要求Step 3: OS requirements to successfully run the script

要在其上运行所下载脚本的 VM 必须满足以下要求。The VM on which you want to run the downloaded script must meet the following requirements.

对于 Windows OSFor Windows OS

下表显示了服务器与计算机操作系统之间的兼容性。The following table shows the compatibility between server and computer operating systems. 恢复文件时,不能将文件还原到更旧或更新的操作系统版本。When recovering files, you can't restore files to a previous or future operating system version. 例如,不能将文件从 Windows Server 2016 VM 还原到 Windows Server 2012 或 Windows 8 计算机。For example, you can't restore a file from a Windows Server 2016 VM to Windows Server 2012 or a Windows 8 computer. 可将 VM 中的文件还原到相同的服务器操作系统,或还原到兼容的客户端操作系统。You can restore files from a VM to the same server operating system, or to the compatible client operating system.

服务器 OSServer OS 兼容的客户端 OSCompatible client OS
Windows Server 2019Windows Server 2019 Windows 10Windows 10
Windows Server 2016Windows Server 2016 Windows 10Windows 10
Windows Server 2012 R2Windows Server 2012 R2 Windows 8.1Windows 8.1
Windows Server 2012Windows Server 2012 Windows 8Windows 8
Windows Server 2008 R2Windows Server 2008 R2 Windows 7Windows 7

对于 Linux OSFor Linux OS

在 Linux 中,用于还原文件的计算机的 OS 必须支持受保护虚拟机的文件系统。In Linux, the OS of the computer used to restore files must support the file system of the protected virtual machine. 选择用于运行脚本的计算机时,请确保计算机具有兼容的 OS,并使用下表中认定的版本之一:When selecting a computer to run the script, ensure the computer has a compatible OS, and uses one of the versions identified in the following table:

Linux OSLinux OS 版本Versions
UbuntuUbuntu 12.04 及更高版本12.04 and above
CentOSCentOS 6.5 及更高版本6.5 and above
DebianDebian 7 及更高版本7 and above
SLESSLES 12 及更高版本12 and above
openSUSEopenSUSE 42.2 及更高版本42.2 and above

备注

我们发现,在使用 SLES 12 SP4 OS 的计算机上运行文件恢复脚本时会出现一些问题,我们正在与 SLES 团队一起调查这些问题。We've found some issues in running the file recovery script on machines with SLES 12 SP4 OS and we're investigating with the SLES team. 目前,可在使用 SLES 12 SP2 和 SP3 OS 版本的计算机上正常运行文件恢复脚本。Currently, running the file recovery script is working on machines with SLES 12 SP2 and SP3 OS versions.

该脚本还需要 Python 和 bash 组件才能执行并安全地连接到恢复点。The script also requires Python and bash components to execute and connect securely to the recovery point.

组件Component 版本Version
bashbash 4 及更高版本4 and above
Pythonpython 2.6.6 及更高版本2.6.6 and above
TLSTLS 应支持 1.21.2 should be supported

步骤 4:成功运行脚本的访问要求Step 4: Access requirements to successfully run the script

如果在访问受限的计算机上运行该脚本,请确保能够访问:If you run the script on a computer with restricted access, ensure there's access to:

  • download.microsoft.com
  • 恢复服务 URL(地区名称指恢复服务保管库所在的区域)Recovery Service URLs (GEO-NAME refers to the region where the Recovery Services vault resides)
    • https://pod01-rec2.GEO-NAME.backup.windowsazure.cn
  • 出站端口 53 (DNS)、443、3260Outbound ports 53 (DNS), 443, 3260

备注

上文步骤 1 中下载的脚本文件的名称中将包含地区名称。The script file you downloaded in step 1 above will have the geo-name in the name of the file. 使用该地区名称填写 URL。Use that geo-name to fill in the URL. 下载的脚本名称将以如下开头:'VMname'_'geoname''GUID'。The downloaded script name will begin with: 'VMname'_'geoname''GUID'.

例如,如果脚本文件名为 ContosoVM_wcus_12345678,则地区名称为 bjb2,URL 如下所示:So for example, if the script filename is ContosoVM_wcus_12345678, the geo-name is bjb2 and the URL would be:
https://pod01-rec2.bjb2.backup.azure.cn

在 Linux 上,该脚本需要“open-iscsi”和“lshw”组件才能连接到恢复点。For Linux, the script requires 'open-iscsi' and 'lshw' components to connect to the recovery point. 如果这些组件不存在于运行脚本的计算机上,该脚本会请求权限以安装组件。If the components don't exist on the computer where the script is run, the script asks for permission to install the components. 请同意安装必需组件。Provide consent to install the necessary components.

需要访问 download.microsoft.com,才能下载用于在运行脚本的计算机与恢复点中的数据之间构建安全通道的组件。The access to download.microsoft.com is required to download components used to build a secure channel between the machine where the script is run and the data in the recovery point.

步骤 5:运行脚本并标识卷Step 5: Running the script and identifying volumes

对于 WindowsFor Windows

满足步骤 2、步骤 3 和步骤 4 中列出的所有要求后,从下载位置(通常是“下载”文件夹)复制脚本,右键单击可执行文件或脚本,然后用管理员凭据运行。After you meet all the requirements listed in Step 2, Step 3 and Step 4, copy the script from the downloaded location (usually the Downloads folder), right-click the executable or script and run it with Administrator credentials. 出现提示时,键入密码或粘贴内存中的密码,然后按 Enter。When prompted, type the password or paste the password from memory, and press Enter. 输入有效的密码后,脚本将连接到恢复点。Once the valid password is entered, the script connects to the recovery point.

可执行文件输出

运行可执行文件时,操作系统将装载新卷并分配驱动器号。When you run the executable, the operating system mounts the new volumes and assigns drive letters. 可以使用 Windows 资源管理器或文件资源管理器来浏览这些驱动器。You can use Windows Explorer or File Explorer to browse those drives. 分配给卷的驱动器号不能与原始虚拟机中的驱动器号相同。The drive letters assigned to the volumes may not be the same letters as the original virtual machine. 不过,卷名会保留。However, the volume name is preserved. 例如,如果原始虚拟机上的卷为“数据磁盘(E:\)”,可在本地计算机上将该卷附加为“数据磁盘(‘任意字母’:\)”。For example, if the volume on the original virtual machine was "Data Disk (E:\)", that volume can be attached on the local computer as "Data Disk ('Any letter':\). 浏览脚本输出中所述的所有卷,直至找到文件或文件夹。Browse through all volumes mentioned in the script output until you find your files or folder.

已附加恢复卷

对于包含大磁盘的备份 VM (Windows)For backed-up VMs with large disks (Windows)

如果文件恢复进程在运行文件还原脚本后挂起(例如,如果磁盘从未装载或装载后未显示卷),请执行以下步骤:If the file recovery process hangs after you run the file-restore script (for example, if the disks are never mounted, or they're mounted but the volumes don't appear), perform the following steps:

  1. 确保 OS 为 WS 2012 或更高版本。Ensure that the OS is WS 2012 or higher.

  2. 确保在还原服务器中按以下建议设置注册表项,并确保重新启动服务器。Ensure the registry keys are set as suggested below in the restore server and make sure to reboot the server. GUID 旁边的数字的范围为 0001 - 0005。The number beside the GUID can range from 0001-0005. 下面的示例中采用的是 0004。In the following example, it's 0004. 浏览注册表项路径,直到参数部分。Navigate through the registry key path until the parameters section.

    注册表项更改

- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Disk\TimeOutValue - change this from 60 to 1200
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e97b-e325-11ce-bfc1-08002be10318}\0003\Parameters\SrbTimeoutDelta - change this from 15 to 1200
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e97b-e325-11ce-bfc1-08002be10318}\0003\Parameters\EnableNOPOut - change this from 0 to 1
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e97b-e325-11ce-bfc1-08002be10318}\0003\Parameters\MaxRequestHoldTime - change this from 60 to 1200

对于 LinuxFor Linux

对于 Linux 计算机,将生成一个 Python 脚本。For Linux machines, a python script is generated. 下载该脚本并将其复制到相关/兼容的 Linux 服务器。Download the script and copy it to the relevant/compatible Linux server. 你可能必须修改权限才能使用 chmod +x <python file name> 执行该脚本。You may have to modify the permissions to execute it with chmod +x <python file name>. 然后使用 ./<python file name> 运行 Python 文件。Then run the python file with ./<python file name>.

在 Linux 中,恢复点的卷会装载到运行脚本的文件夹。In Linux, the volumes of the recovery point are mounted to the folder where the script is run. 将相应地显示附加的磁盘、卷和对应装载路径。The attached disks, volumes, and the corresponding mount paths are shown accordingly. 这些装载路径对于具有根级别访问权限的用户可见。These mount paths are visible to users having root level access. 浏览脚本输出中涉及的卷。Browse through the volumes mentioned in the script output.

Linux 文件恢复菜单

对于包含大磁盘的备份 VM (Linux)**For backed-up VMs with large disks (Linux)**

如果文件恢复进程在运行文件还原脚本后挂起(例如,如果磁盘从未装载或装载后未显示卷),请执行以下步骤:If the file recovery process hangs after you run the file-restore script (for example, if the disks are never mounted, or they're mounted but the volumes don't appear), perform the following steps:

  1. 在文件 /etc/iscsi/iscsid.conf 中,将设置从In the file /etc/iscsi/iscsid.conf, change the setting from:
    • node.conn[0].timeo.noop_out_timeout = 5 更改为 node.conn[0].timeo.noop_out_timeout = 30node.conn[0].timeo.noop_out_timeout = 5 to node.conn[0].timeo.noop_out_timeout = 30
  2. 进行上述更改之后,重新运行脚本。After making the above changes, rerun the script. 如果发生暂时性故障,请确保等待 20 到 30 分钟再重新运行,以避免连续突发的请求影响目标准备。If there are transient failures, ensure there is a gap of 20 to 30 minutes between reruns to avoid successive bursts of requests impacting the target preparation. 重新运行之间的间隔时间可确保目标已准备好从脚本进行连接。This interval between re-runs will ensure the target is ready for connection from the script.
  3. 在执行文件恢复后,请务必返回门户并为无法装载卷的恢复点选择“卸载磁盘”。After file recovery, make sure you go back to the portal and select Unmount disks for recovery points where you weren't able to mount volumes. 从本质上来说,此步骤将清理所有现有进程/会话并提高恢复的可能性。Essentially, this step will clean any existing processes/sessions and increase the chance of recovery.

LVM/RAID 阵列(对于 Linux VM)LVM/RAID arrays (For Linux VMs)

在 Linux 中,逻辑卷管理器 (LVM) 和/或软件 RAID 阵列用于管理多个磁盘上的逻辑卷。In Linux, Logical Volume Manager (LVM) and/or software RAID Arrays are used to manage logical volumes over multiple disks. 如果受保护的 Linux VM 使用 LVM 和/或 RAID 阵列,则不能在同一 VM 上运行该脚本。If the protected Linux VM uses LVM and/or RAID Arrays, you can't run the script on the same VM.
而应在具有兼容 OS 且支持受保护 VM 的文件系统的任何其他计算机上运行该脚本。Instead run the script on any other machine with a compatible OS and which supports the file system of the protected VM.
以下脚本输出显示了 LVM 和/或 RAID 阵列磁盘和卷,及其分区类型。The following script output displays the LVM and/or RAID Arrays disks and the volumes with the partition type.

Linux LVM 输出菜单

若要使这些分区联机,请运行以下各部分中的命令。To bring these partitions online, run the commands in the following sections.

对于 LVM 分区For LVM partitions

运行脚本后,LVM 分区会在脚本输出中指定的物理卷/磁盘中装载。Once the script is run, the LVM partitions are mounted in the physical volume(s)/disk(s) specified in the script output. 该过程旨在The process is to

  1. 获取物理卷或磁盘中卷组名称的唯一列表Get the unique list of volume group names from the physical volumes or disks
  2. 然后列出这些卷组中的逻辑卷Then list the logical volumes in those volume groups
  3. 然后将逻辑卷装载到所需的路径。Then mount the logical volumes to a desired path.
列出物理卷中的卷组名称Listing volume group names from physical volumes

若要列出卷组名称,请执行以下操作:To list the volume group names:

pvs -o +vguuid

此命令将列出所有物理卷(包括运行脚本之前存在的物理卷)、其相应的卷组名称以及卷组的唯一用户 ID (UUID)。This command will list all physical volumes (including the ones present before running the script), their corresponding volume group names, and the volume group's unique user IDs (UUIDs). 该命令的示例输出如下所示。A sample output of the command is shown below.

PV         VG        Fmt  Attr PSize   PFree    VG UUID

  /dev/sda4  rootvg    lvm2 a--  138.71g  113.71g EtBn0y-RlXA-pK8g-de2S-mq9K-9syx-B29OL6

  /dev/sdc   APPvg_new lvm2 a--  <75.00g   <7.50g njdUWm-6ytR-8oAm-8eN1-jiss-eQ3p-HRIhq5

  /dev/sde   APPvg_new lvm2 a--  <75.00g   <7.50g njdUWm-6ytR-8oAm-8eN1-jiss-eQ3p-HRIhq5

  /dev/sdf   datavg_db lvm2 a--   <1.50t <396.50g dhWL1i-lcZS-KPLI-o7qP-AN2n-y2f8-A1fWqN

  /dev/sdd   datavg_db lvm2 a--   <1.50t <396.50g dhWL1i-lcZS-KPLI-o7qP-AN2n-y2f8-A1fWqN

第一列 (PV) 显示物理卷,后续列显示相关的卷组名称、格式、属性、大小、可用空间以及卷组的唯一 ID。The first column (PV) shows the physical volume, the subsequent columns show the relevant volume group name, format, attributes, size, free space, and the unique ID of the volume group. 命令输出显示所有物理卷。The command output shows all physical volumes. 请参阅脚本输出,并确定与备份相关的卷。Refer to the script output and identify the volumes related to the backup. 在上面的示例中,脚本输出将显示 /dev/sdf 和 /dev/sdd。In the above example, the script output would have shown /dev/sdf and /dev/sdd. 因此,datavg_db 卷组属于脚本,而 Appvg_new 卷组属于计算机。And so, the datavg_db volume group belongs to script and the Appvg_new volume group belongs to the machine. 最终想法是确保唯一的卷组名称具有一个唯一 ID。The final idea is to make sure a unique volume group name should have one unique ID.

重复卷组Duplicate Volume groups

在某些方案中,卷组名称在运行脚本后可能具有 2 个 UUID。There are scenarios where volume group names can have 2 UUIDs after running the script. 这意味着执行脚本的计算机中的卷组名称与备份 VM 中的卷组名称相同。It means that the volume group names in the machine where the script is executed and in the backed-up VM are the same. 接下来,我们需要重命名备份 VM 卷组。Then we need to rename the backed-up VMs volume groups. 请查看下面的示例。Take a look at the example below.

PV         VG        Fmt  Attr PSize   PFree    VG UUID

  /dev/sda4  rootvg    lvm2 a--  138.71g  113.71g EtBn0y-RlXA-pK8g-de2S-mq9K-9syx-B29OL6

  /dev/sdc   APPvg_new lvm2 a--  <75.00g   <7.50g njdUWm-6ytR-8oAm-8eN1-jiss-eQ3p-HRIhq5

  /dev/sde   APPvg_new lvm2 a--  <75.00g   <7.50g njdUWm-6ytR-8oAm-8eN1-jiss-eQ3p-HRIhq5

  /dev/sdg   APPvg_new lvm2 a--  <75.00g  508.00m lCAisz-wTeJ-eqdj-S4HY-108f-b8Xh-607IuC

  /dev/sdh   APPvg_new lvm2 a--  <75.00g  508.00m lCAisz-wTeJ-eqdj-S4HY-108f-b8Xh-607IuC

  /dev/sdm2  rootvg    lvm2 a--  194.57g  127.57g efohjX-KUGB-ETaH-4JKB-MieG-EGOc-XcfLCt

脚本输出将显示附加了 /dev/sdg、/dev/sdh、/dev/sdm2。The script output would have shown /dev/sdg, /dev/sdh, /dev/sdm2 as attached. 因此,相应的 VG 名称为 Appvg_new 和 rootvg。So, the corresponding VG names are Appvg_new and rootvg. 但是,计算机的 VG 列表中也存在相同的名称。But the same names are also present in the machine's VG list. 我们可以验证一个 VG 名称是否具有两个 UUID。We can verify that one VG name has two UUIDs.

现在,我们需要为基于脚本的卷重命名 VG 名称,例如:/dev/sdg、/dev/sdh、/dev/sdm2。Now we need to rename VG names for script-based volumes, for example: /dev/sdg, /dev/sdh, /dev/sdm2. 若要重命名卷组,请使用以下命令To rename the volume group, use the following command

vgimportclone -n rootvg_new /dev/sdm2
vgimportclone -n APPVg_2 /dev/sdg /dev/sdh

现在,我们拥有所有具有唯一 ID 的 VG 名称。Now we have all VG names with unique IDs.

活动卷组Active volume groups

确保与脚本卷相对应的卷组处于活动状态。Make sure that the Volume groups corresponding to script's volumes are active. 以下命令用于显示活动卷组。The following command is used to display active volume groups. 检查此列表中是否存在脚本的相关卷组。Check whether the script's related volume groups are present in this list.

vgdisplay -a

否则,请使用以下命令激活卷组。Otherwise, activate the volume group by using the following command.

#!/bin/bash
vgchange -a y  <volume-group-name>
列出卷组中的逻辑卷Listing logical volumes within Volume groups

获得与脚本相关的 VG 的唯一活动列表后,便可以使用以下命令列出这些卷组中存在的逻辑卷。Once we get the unique, active list of VGs related to the script, then the logical volumes present in those volume groups can be listed using the following command.

#!/bin/bash
lvdisplay <volume-group-name>

此命令将每个逻辑卷的路径显示为“LV 路径”。This command displays the path of each logical volume as 'LV Path'.

装载逻辑卷Mounting logical volumes

将逻辑卷装载到所选的路径:To mount the logical volumes to the path of your choice:

#!/bin/bash
mount <LV path from the lvdisplay cmd results> </mountpath>

警告

不要使用“mount -a”。Don't use 'mount -a'. 此命令会装载“/etc/fstab”中描述的所有设备。This command mounts all devices described in '/etc/fstab'. 这可能意味着可能会装载重复的设备。This might mean duplicate devices can get mounted. 数据可以重定向到脚本创建的设备,这些设备不会保留数据,因此可能会导致数据丢失。Data can be redirected to devices created by a script, which don't persist the data, and so might result in data loss.

对于 RAID 阵列For RAID arrays

以下命令显示有关所有 RAID 磁盘的详细信息:The following command displays details about all raid disks:

#!/bin/bash
mdadm -detail -scan

相关 RAID 磁盘显示为 /dev/mdm/<RAID array name in the protected VM>The relevant RAID disk is displayed as /dev/mdm/<RAID array name in the protected VM>

如果 RAID 磁盘具有物理卷,请使用 mount 命令:Use the mount command if the RAID disk has physical volumes:

#!/bin/bash
mount [RAID Disk Path] [/mountpath]

如果 RAID 磁盘中配置了另一 LVM,请使用前述 LVM 分区相关过程,但使用卷名称代替 RAID 磁盘名称。If the RAID disk has another LVM configured in it, then use the preceding procedure for LVM partitions but use the volume name in place of the RAID Disk name.

步骤 6:关闭连接Step 6: Closing the connection

识别文件并将其复制到本地存储位置后,请删除(或卸载)其他驱动器。After identifying the files and copying them to a local storage location, remove (or unmount) the additional drives. 若要卸载驱动器,请在 Azure 门户中的“文件恢复”菜单上,选择“卸载磁盘”。 To unmount the drives, on the File Recovery menu in the Azure portal, select Unmount Disks.

卸载磁盘

卸载磁盘后,会显示一条消息。Once the disks have been unmounted, you'll receive a message. 连接可能在几分钟时间后才会刷新,以便能够删除磁盘。It may take a few minutes for the connection to refresh so that you can remove the disks.

在 Linux 中,断开与恢复点的连接后,OS 不会自动删除相应装载路径。In Linux, after the connection to the recovery point is severed, the OS doesn't remove the corresponding mount paths automatically. 装载路径作为“孤立”的卷存在并且可见,但访问/写入文件时会引发错误。The mount paths exist as "orphan" volumes and are visible, but throw an error when you access/write the files. 这些卷可以手动删除。They can be manually removed. 该脚本运行时会标识以前的任何恢复点存在的任何此类卷,并在获得许可后将其清除。The script, when run, identifies any such volumes existing from any previous recovery points and cleans them up upon consent.

备注

还原所需的文件后,请确保关闭连接。Make sure that the connection is closed after the required files are restored. 这一点很重要,尤其是在执行脚本的计算机还进行了备份配置的方案中。This is important, especially in the scenario where the machine in which the script is executed is also configured for backup. 如果连接仍处于打开状态,则后续备份可能会失败,并显示错误“UserErrorUnableToOpenMount”。If the connection is still open, the subsequent backup might fail with the error "UserErrorUnableToOpenMount". 出现这种情况是因为已装载的驱动器/卷被假定为可用,并且在访问时它们可能会因为基础存储(即 iSCSI 目标服务器)可能不可用而失败。This happens because the mounted drives/volumes are assumed to be available and when accessed they might fail because the underlying storage, that is, the iSCSI target server may not available. 清理连接将删除这些驱动器/卷,因此它们在备份期间将不可用。Cleaning up the connection will remove these drives/volumes and so they won't be available during backup.

安全性Security

本部分介绍从 Azure VM 备份进行文件恢复时采取的各种安全措施。This section discusses the various security measures taken for the implementation of file recovery from Azure VM backups.

功能流Feature flow

构建此功能是为了在不需要还原整个 VM 或 VM 磁盘的情况下访问 VM 数据,同时尽量减少步骤数。This feature was built to access the VM data without the need to restore the entire VM or VM disks and with the minimum number of steps. 对 VM 数据的访问权限由脚本(在按如下方式运行时会装载恢复卷)提供,因此它是所有安全实现的基础:Access to VM data is provided by a script (which mounts the recovery volume when run as shown below) and it forms the cornerstone of all security implementations:

安全功能流

安全实现Security implementations

选择恢复点(谁可以生成脚本)Select Recovery point (who can generate script)

此脚本可以访问 VM 数据,必须控制谁可以首先生成它,这很重要。The script provides access to VM data, so it's important to regulate who can generate it in the first place. 你需要登录到 Azure 门户,并且需要获得 Azure RBAC 授权才能生成脚本。You need to sign in into the Azure portal and be Azure RBAC authorized to generate the script.

文件恢复所需的授权级别与 VM 还原和磁盘还原相同。File recovery needs the same level of authorization as required for VM restore and disks restore. 换句话说,只有经过授权的用户才能查看 VM 数据和生成脚本。In other words, only authorized users can view the VM data can generate the script.

生成的脚本使用适用于 Azure 备份服务的 Microsoft 官方证书签名。The generated script is signed with the official Microsoft certificate for the Azure Backup service. 篡改此脚本意味着破坏签名,尝试运行此脚本会被 OS 突出显示为潜在的风险。Any tampering with the script means the signature is broken, and any attempt to run the script is highlighted as a potential risk by the OS.

装载恢复卷(谁可以运行脚本)Mount Recovery volume (who can run script)

只有管理员可以运行此脚本,并且应该以提升模式运行它。Only an Admin can run the script and it should run in elevated mode. 此脚本仅运行预先生成的一组步骤,不接受任何外部源的输入。The script only runs a pre-generated set of steps and doesn't accept input from any external source.

若要运行脚本,需要使用在 Azure 门户或 PowerShell/CLI 中生成脚本时仅向授权用户显示的密码。To run the script, a password is required that's only shown to the authorized user at the time of generation of script in the Azure portal or PowerShell/CLI. 这是为了确保下载该脚本的授权用户同时负责运行该脚本。This is to ensure the authorized user who downloads the script is also responsible for running the script.

浏览文件和文件夹Browse files and folders

为了浏览文件和文件夹,该脚本使用计算机中的 iSCSI 发起程序并连接到配置为 iSCSI 目标的恢复点。To browse files and folders, the script uses the iSCSI initiator in the machine and connects to the recovery point that's configured as an iSCSI target. 此处,你可以想象用户尝试模拟/仿冒任一/所有组件的情景。Here you can imagine scenarios where one is trying to imitate/spoof either/all components.

我们使用 CHAP 相互身份验证机制,让每个组件相互进行身份验证。We use a mutual CHAP authentication mechanism so that each component authenticates the other. 这意味着,身份虚假的发起程序很难连接到 iSCSI 目标,虚假目标也很难连接到运行脚本的计算机。This means it's extremely difficult for a fake initiator to connect to the iSCSI target and for a fake target to be connected to the machine where the script is run.

恢复服务与计算机之间的数据流由通过 TCP 构建安全 TLS 隧道提供保护(在运行脚本的计算机上应支持 TLS 1.2)。The data flow between the recovery service and the machine is protected by building a secure TLS tunnel over TCP (TLS 1.2 should be supported in the machine where script is run).

父级/备份 VM 中存在的任何文件访问控制列表 (ACL) 也会保留在已装载的文件系统中。Any file Access Control List (ACL) present in the parent/backed up VM is preserved in the mounted file system as well.

此脚本提供对恢复点的只读访问权限,并且仅在 12 小时内有效。The script gives read-only access to a recovery point and is valid for only 12 hours. 如果要提前删除访问权限,请登录 Azure 门户/PowerShell/CLI,并对特定恢复点执行“卸载磁盘”操作。If you wish to remove the access earlier, then sign into Azure portal/PowerShell/CLI and perform unmount disks for that particular recovery point. 脚本将立即失效。The script will be invalidated immediately.

后续步骤Next steps