xfs_metadump

xfs_metadump [ -a ] [ -g ] [ -i ] [ -o offset ] [ -r ] [ -u ] [ -v ] device outfile

-a
    Dump all metadata, including free space and unallocated block information.

-g
    Use only group-level I/O.

-i
    Invert the default dump behavior, dumping all metadata except the journal.

-o offset
    Specify the starting offset on the device for the dump.

-r
    Dump raw data blocks (not formatted metadata). Use with caution, mostly for debugging.

-u
    Dump all metadata, including unallocated blocks. This can expose previously deleted user data.

-v
    Verbose output, printing more information during the dump process.

The xfs_metadump command extracts the metadata of an XFS filesystem and writes it to an output file. This dumped metadata can then be used for various purposes, primarily debugging, analysis, or partial recovery of a corrupted XFS filesystem. It creates a self-contained, portable representation of the filesystem's structural information, including details about inodes, directories, allocation groups, and journaling. The tool is particularly useful when working with development or support teams to diagnose filesystem issues without requiring access to the original device. By default, it excludes user data, focusing solely on the structural components.

The filesystem should ideally be unmounted or mounted read-only to ensure consistent metadata capture and prevent corruption during the dump process. If mounted read-write, the dump might be inconsistent.

The output file can be very large, especially for large filesystems or when using options like -a or -u. Ensure sufficient disk space.

Using options like -u or -a can expose sensitive information (e.g., deleted file fragments) that might still reside in unallocated blocks.

The dump file is a raw binary image of the metadata, not a human-readable text file. It's typically processed by other tools like xfs_mdrestore or xfs_db.

Metadata dumps are invaluable for forensic analysis or for recreating the filesystem structure on a different system for debugging. They allow developers to examine the exact state of the filesystem's structural information without needing the original device or compromising user data.

The output file from xfs_metadump is typically processed by tools like xfs_db to navigate and inspect the metadata, or by xfs_mdrestore to restore a filesystem's metadata (e.g., after an accidental mkfs.xfs that wiped only the superblock, allowing data recovery if the data blocks are intact).

The xfs_metadump command is part of the xfsprogs suite, which provides user-space utilities for managing XFS filesystems. XFS itself was originally developed by Silicon Graphics, Inc. (SGI) for its IRIX operating system in the early 1990s. It was one of the first journaling filesystems to be widely adopted. SGI later released XFS under an open-source license, and it was merged into the Linux kernel in 2002. xfs_metadump has been a crucial tool within the xfsprogs suite for diagnostic and recovery purposes since its open-sourcing, evolving alongside the XFS filesystem itself.

xfs_mdrestore(8), xfs_db(8), xfs_check(8), xfs_repair(8), xfs_info(8)