1. The Field of the Invention
This invention relates to computer clustering systems and in particular to methods for improving the availability and reliability of computer clustering system resources and data in the event of loss of communication between computer clustering system servers.
2. Description of Related Art
A typical computer cluster includes two or more servers and one or more network devices in communication with each other across a computer network. During normal operation of a computer cluster, the servers provide the network devices with computer resources and a place to store and retrieve data. In current computer cluster configurations the computer cluster data is stored on a shared computer disk that is accessed by any of the network servers.
A typical computer cluster is illustrated in FIG. 1, which illustrates two network servers 110 and 120 in communication with network devices 130, 140, and 150 across computer network 101. Both network server 110 and network server 120 communicate with shared disk 104 across communication lines 105 and 106, respectively.
When using a computer cluster, it is often desirable to provide continuous availability of computer cluster resources, particularly where a computer cluster supports a number of user workstations, personal computers, or other network client devices. It is also often desirable to maintain uniform data between different file servers attached to a computer clustering system and maintain continuous availability of this data to client devices. To achieve reliable availability of computer cluster resources and data it is necessary for the computer cluster to be tolerant of software and hardware problems or faults. Having redundant computers and a mass storage device generally does this, such that a backup computer or disk drive is immediately available to take over in the event of a fault.
A technique currently used for implementing reliable availability of computer cluster resources and data using a shared disk configuration as shown in FIG. 1 involves the concept of quorum, which relates to a state in which one network server controls a specified minimum number of network devices such that the network server has the right to control the availability of computer resources and data in the event of a disruption of service from any other network server. The manner in which a particular network server obtains quorum can be conveniently described in terms of each server and other network devices casting xe2x80x9cvotesxe2x80x9d. For instance, in the two server computer cluster configuration of FIG. 1, network server 110 and network server 120 each casts one vote to determine which network server has quorum. If neither network server obtains a majority of the votes, shared disk 104 then casts a vote such that one of the two network servers 110 and 120 obtains a majority, with the result that quorum is obtained by one of the network servers in a mutually understood and acceptable manner. Only one network server has quorum at any time, which ensures that only one network server will assume control of the entire network if communication between the network servers 110 and 120 is lost.
The use of quorum to attempt to make network servers available in the event of a disruption will now be described. There are two general reasons for which server 110 can detect a loss of communication with server 120. The first is an event, such as a crash, at server 120, in which server 120 is no longer capable of providing network resources to clients. The second is a disruption in the communication infrastructure of network 101 between the two servers, with server 120 continuing to be capable of operating within the network. If server 110 can no longer communicate with server 120, its initial operation is to determine if it has quorum. If server 110 determines that it does not have quorum, it then attempts to get quorum by sending a command to shared disk 104 requesting the disk to cast a vote. If shared disk 104 does not vote for server 110, this server shuts itself down to avoid operating independently of server 120. In this case, server 110 assumes that network server 120 is operating with quorum and server 120 continues to control the computer cluster. However, if shared disk 104 votes for network server 110, this server takes quorum and control of the computer cluster and continues operation under the assumption that network server 120 has malfunctioned.
While the use of quorum to enable one of a plurality of network servers to continue providing network resources in the event of a disruption in the network is often satisfactory, the use of a shared disk places the entire network and the data stored on the disk at risk of being lost. For instance, if the shared disk 104, rather than one of the network servers 110 and 120 malfunctions, neither of the servers can operate, and the data may be permanently lost. Moreover, in a shared disk configuration the computer cluster servers are typically placed in close proximity to each other. This creates the possibility that natural disasters or power failures may take down the whole computer cluster.
The present invention relates to a method for improving the availability and reliability of computer cluster resources and data in a computer clustering system. Two servers each having an associated disk communicate across a computer network. Each server is capable of providing computer cluster resources and accessing computer cluster data for all network devices attached to the computer network. In the event of loss of communication, each server has the ability to determine the reason for loss of communication and determine whether or not it should continue operation.
When a network server detects that communication with another network server is lost, the loss in communication can be due to either a failure of the communication link or a failure of the other network server. Because each network server has a mirrored copy of the network data, a loss in communication is followed by execution of a series of acts at each network server that remains operating to ensure that the network servers do not begin operating independently of each other. In the absence of these acts, multiple network servers operating independently of one another could exist in an undesirable xe2x80x9csplit brainxe2x80x9d mode, in which data mirroring between the network servers is not performed, thereby resulting in potential data corruption.
When operation of the computer cluster is initiated, one server is assigned control of the computer cluster resources and data and is given a xe2x80x9cright to survivexe2x80x9d in the event that communication between the network servers is lost as a result in failure of the communication link. For convenience, the one network server that has the xe2x80x9cright to survivexe2x80x9d during normal operation is designated herein as a xe2x80x9cprimaryxe2x80x9d server and any server that is not does not have the right to survive during normal operation is designated as a xe2x80x9csecondaryxe2x80x9d server. It is noted that the terms xe2x80x9cprimaryxe2x80x9d and xe2x80x9csecondaryxe2x80x9d do not connote relative importance of the servers, nor do they refer to which server is primarily responsible for providing network resources to network devices. Under normal operation, primary and secondary servers can be interchangeable from the standpoint of providing network resources. The right to survive is used in a default protocol to ensure that the split brain problem does not arise if communication between network servers is lost.
When a primary network server detects loss of communication, the primary network server can continue operating, since it can assume that the other, secondary network server has failed or that the secondary network server will not continue operation. The series of acts performed by a secondary network server upon detecting loss of communication is somewhat more complex. Rather than simply ceasing operation, the secondary network server infers or determines whether the loss of communication is a result of a failure of the primary network server or a failure in the communication link. If the communication link is operational, the secondary network server concludes that the primary network server has failed and is not operating. In this case, the secondary network server continues operating substantially without the risk of causing the split brain problem. If, however, the secondary network server determines that communication link has failed, it assumes that the primary network server is operational. In response to this assumption, the secondary network server terminates operation to avoid operating in a split brain mode.
A significant benefit according to the invention is that a secondary server, which does not initially have right to survive, can continue operating if it determines that a loss of communication with the primary server is not caused by failure of the communication link. In the absence of any analysis of the communication link, the secondary server would be required to automatically shut down in response to a loss of communication with the primary server to avoid the split brain problem. It is noted that the foregoing methods of the invention for responding to loss of communication between servers enhances the reliability and availability of computer clusters in which each network server has a dedicated, mirrored disk or mass storage device, since the possibility of operating in a split brain mode does not force a secondary server to go off-line when a primary server fails.
Application of conventional xe2x80x9cquorumxe2x80x9d rules to computer clusters in which each network server has a dedicated, mirrored disk, is generally not optimal. For instance, in the case where a network server having quorum fails, there is no shared disk to cast a vote that would reassign quorum to the other network server. As a result, the direct application of conventional quorum rules to this type of computer cluster would result in the non-quorum network server unnecessarily shutting down upon failure of the network server having quorum.
Storing data in separate, mirrored disks greatly reduces the possibility of losing network data, which has been a problem frequently experienced in computer clusters having a single disk that is shared among network servers. Additionally, since servers do not share a single disk according to the invention, the location of the servers is not limited by the cable lengths associated with disk drive devices. Thus, network servers and their associated mirrored disks can be located remotely one from another. This reduces the chance that natural disasters or power failures may disable the entire computer cluster.
Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by the practice of the invention. The features and advantages of the invention may be realized and obtained by means of the instruments and combinations particularly pointed out in the appended claims. These and other features of the present invention will become more fully apparent from the following description and appended claims, or may be learned by the practice of the invention as set forth hereinafter.