A fault-tolerant (FT) server has two sets of hardware, which have the same configuration, interconnected using Ethernet (registered trademark) or the like. Accordingly, in the FT server, even in a case where one set of the hardware is broken down, the operation can be continued by the other set thereof without allowing a user to be aware of the occurrence of the breakdown. As techniques for realizing the FT server described above, there are techniques not using a hypervisor (JP 2006-178636 A, JP 2008-234141 A, and JP 2009-193504 A) and techniques using a hypervisor (JP 2009-80695 A and JP 2012-3313 A).
As an FT server not using a hypervisor, there is a server in which two sets of systems are synchronized with each other by causing two sets of central processing units (CPUs) to perform the same operation by supplying the same clock signal thereto (JP 2008-234141 A). At the time of a direct memory access (DMA), data from a CPU subsystem to a physical device (for example, an input/output controller) is transmitted from each CPU subsystem to an input/output router, and the input/output router transmits the data to a comparator that has a buffer of a first-in first-out (FIFO) type. In the comparator, it is checked that data pieces received from the two CPU subsystems coincide with each other, and one data piece is transmitted to the input/output controller. In order to realize the FT server described above, for the following reasons (a1) to (a3), the two CPU subsystems and each input/output controller need to be physically separated from each other.
(a1) As the FT server, in order to avoid a single breakdown point, the two CPU subsystems need to be physically separated from each other.
(a2) An input/output router and a comparator need to be arranged between the CPU subsystem and the input/output controller.
(a3) The two CPU subsystems need to share one input/output controller.
In addition, as an FT server not using a hypervisor, there is a server that synchronizes two sets of systems by causing two sets of CPUs (calculation units) to perform the same operation using a clock management unit by supplying mutually-different clock signals thereto (JP 2009-193504 A). At the time of a DMA, data from the CPU subsystem (calculation unit) to a physical device (input/output (IO) device) is transmitted from each CPU subsystem to an IO comparison unit. In the IO comparison unit, it is checked that data pieces received from the two CPU subsystems coincide with each other, one piece of the data is transmitted to an input/output controller. The data transmitted from the IO device is received by an FT control unit and is transmitted to each CPU subsystem (calculation unit) at timing that is set in consideration of a deviation between clock signals. In order to realize the FT server as described above, for the following reasons (b1) to (b3), the two CPU subsystems (calculation units) and the IO device need to be physically separated.
(b1) As the FT server, in order to avoid a single breakdown point, the two CPU subsystems (calculation units) need to be physically separated from each other.
(b2) An FT control unit and an IO comparison unit need to be arranged between the CPU subsystem and the IO device.
(b3) The two CPU subsystems need to share one IO device.
Recently, implementation of system on chip (SoC) in which an input/output controller (a physical device or an input/output device) is built inside the CPU subsystem has progresses. However, in the FT server not using the hypervisor as described above, two CPU subsystems (calculation units) and each input/output controller or an IO device need to be physically separated. Accordingly, as described above, the FT server not using a hypervisor cannot be applied to a configuration in which an input/output device is included inside the CPU subsystem, in other words, a configuration employing a CPU configured as the SoC.
On the other hand, in the FT server using a hypervisor, a virtual machine (VM) built on the hypervisor is set as a fault-tolerant target. In the FT server using the hypervisor, the output of data to the outside needs to be checked, so that the process is succeeded from one set (primary) of hardware to the other set (secondary) of the hardware at the time of the occurrence of a breakdown. Accordingly, the I/O device is emulated as a virtual device, and all the data outputs for the outside are output through the hypervisor. In other words, the I/O device is virtualized by the hypervisor, and the operating system (OS) on the VM is controlled to necessarily access the virtual I/O device of the hypervisor. In this way, the hypervisor can check the data output for the outside.
As described above, the FT server not using a hypervisor cannot be applied to the configuration employing a CPU configured as the SoC.
In contrast to this, the FT server using a hypervisor can be applied to the configuration using the CPU configured as the SoC. However, the output of data to the outside needs to be checked. Accordingly, the I/O device is emulated as a virtual device, and all the data outputs for the outside are output through the hypervisor. As a result, due to the overhead of the virtualization, the input/output access performance of the VM, particularly, the output performance (performance of data output for the outside) from the I/O device is degraded.