1. Field of the Invention
The present invention relates to a file management system and method. More particularly, the present invention is preferably adapted to a computer that has a snapshot facility installed therein and that reads or writes file data from or in a storage area, which a storage device provides, in response to a request sent from a host computer.
2. Description of the Related Art
The features of a network attached storage (NAS) server or a disk array apparatus include a so-called snapshot feature that holds a static image of a working volume (a logical volume from or into which a user reads or writes data) as of the time point when a snapshot creation instruction is received. The snapshot feature is used to restore the contents of the working volume, as they were at the time point when a snapshot was created, in a case where data disappears because of a human error or the state of a file system attained at a desired time point has to be restored.
In the past, a method of changing the position of a data storage block of a working volume, in which a file system is stored, from snapshot to snapshot (refer to patent document 1) or a method of copying and holding inodes in a file system to and in each snapshot (refer to patent document 2) has been proposed as a technique for realizing snapshots.
The foregoing techniques do not copy data at a time point at which a snapshot is created. At the time point at which a snapshot is created, file data is shared by a working file system and the snapshot. When the file is overwritten with data, data obtained prior to the overwriting is copied into a volume called a difference volume.
When a snapshot is referenced, data stored in the working volume is used for the portion of file data that has not been overwritten, and data stored in the difference volume is used for the portion of the file data that has been overwritten. Thus, an image of the data in the working volume as of the time point at which the snapshot was created is restored. This method is called a copy-on-write (COW) method or an allocation-on-write (AOW) method.
Incidentally, patent document 1 refers to JP-A-2004-342050, patent document 2 refers to JP-T-8-511367, and patent document 3 refers to JP-A-2005-301548.
In recent years, a risk that a corporate entity or the like keeps holding unnecessary data has become controversial from the viewpoint of protecting personal information or preventing fraudulent access. The necessity of a feature for reliably deleting unnecessary data is increasing.
Normally, an unnecessary file is deleted by instructing a file system to delete the file via a file deletion interface supported by an operating system (OS).
In this case, when some file systems are instructed to delete a file, they do not delete the file data itself but delete only the metadata that is the management information on the file. Once the metadata is deleted, a user can no longer refer to the data of the file that is the object of deletion, so the file appears to have been deleted.
However, according to the above method, data remains undeleted in a working volume in which the file system is stored. When information preserved in the working volume is directly accessed without intervention of the file system, the data of the file that is supposed to be deleted can be read out.
As a general measure against the foregoing problem, a technique of overwriting the data of a file with invalid data and then issuing a deletion instruction for the file to the file system has been proposed. In this case, as a standard rule concerning the contents of the data to be used for overwriting and the number of times of overwriting, a rule recommended by the U.S. National Security Agency (NSA) or a provision (DoD5200.22-M) stipulated by the Pentagon can be adopted. Moreover, a method of controlling the overwriting timing so as to prevent fraudulent reading has been disclosed in patent document 3.
However, when the foregoing method is adapted to a file system having a snapshot facility, there is a problem. Even when a certain file is deleted from the file system, the same file data may remain in a previous snapshot. Therefore, a technique of deleting all data items of a file, which is designated by a user, including file data items contained in snapshots is needed.
In a file system in which a previous snapshot cannot be modified, file data in a snapshot cannot be deleted, that is, the underlying problem cannot be solved. However, in a file system having a rewritable snapshot facility, file data in a snapshot can be deleted.
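The interaction described above between copy-on-write snapshots and overwrite-then-delete can be reproduced with a small model. The following is an added illustration, not code from the patent documents; the class `CowVolume`, the 16-byte block size and the sample data are assumptions made for the example.

```python
BLOCK = 16  # constructed block size, for illustration only

class CowVolume:
    """Toy working volume with COW snapshots and a difference volume."""
    def __init__(self, nblocks):
        self.working = [bytes(BLOCK)] * nblocks
        self.diff = []       # difference volume: pre-overwrite block copies
        self.snapshots = []  # per snapshot: {block_no: index into self.diff}

    def create_snapshot(self):
        # Nothing is copied at creation time; all blocks stay shared.
        self.snapshots.append({})
        return len(self.snapshots) - 1

    def write(self, block_no, data):
        data = data.ljust(BLOCK, b"\0")[:BLOCK]
        # Copy-on-write: preserve the old block for snapshots still sharing it.
        sharing = [s for s in self.snapshots if block_no not in s]
        if sharing:
            self.diff.append(self.working[block_no])
            for s in sharing:
                s[block_no] = len(self.diff) - 1
        self.working[block_no] = data

    def read_snapshot(self, snap_id, block_no):
        s = self.snapshots[snap_id]
        # Overwritten blocks come from the difference volume, others are shared.
        return self.diff[s[block_no]] if block_no in s else self.working[block_no]

def overwrite_and_delete(vol, blocks, patterns=(0x00, 0xFF, 0xAA)):
    """Multi-pass overwrite through the file system; patterns are constructed."""
    for fill in patterns:
        for b in blocks:
            vol.write(b, bytes([fill]) * BLOCK)

def residue(vol, needle):
    """List every location where the 'deleted' bytes still exist."""
    hits = [("working", i) for i, b in enumerate(vol.working) if needle in b]
    hits += [("difference", i) for i, b in enumerate(vol.diff) if needle in b]
    return hits

def demo():
    secret = b"ACCT-0000-SECRET"  # constructed sample data, exactly one block
    vol = CowVolume(4)
    vol.write(2, secret)
    snap = vol.create_snapshot()
    overwrite_and_delete(vol, [2])
    return {"working": vol.working[2],
            "snapshot": vol.read_snapshot(snap, 2),
            "residue": residue(vol, secret)}

if __name__ == "__main__":
    print(demo())
```

The first overwrite pass itself triggers the copy into the difference volume, so the overwriting procedure is what moves the original data out of reach of later passes.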