The present invention relates to backup and incremental backup of objects stored on a mass storage device to backup mass storage devices, and, in particular, to a method for preventing potential corruption of backup mass storage devices by locking the mass storage devices.
The present invention relates to backing up a primary data object stored on a mass storage device to backup copies of the primary data object stored on backup mass storage devices so that, if a primary data object is inadvertently deleted or corrupted during subsequent input/output (“I/O”) operations, the primary data object can be restored to the mass storage device by copying a backup object to the mass storage device from a backup mass storage device. The present invention is described and illustrated with reference to an embodiment included in a disk array controller that services I/O requests from a number of remote computers. However, alternative embodiments of the present invention may be employed in controllers of many other types of storage devices as well as in a general electronic data storage application.
FIG. 1 is a block diagram of a standard disk drive. The disk drive 101 receives I/O requests from remote computers via a communications medium 102 such as a computer bus, fibre channel, or other such electronic communications medium. For many types of storage devices, including the disk drive 101 illustrated in FIG. 1, the vast majority of I/O requests are either READ or WRITE requests. A READ request requests that the storage device return to the requesting remote computer some requested amount of electronic data stored within the storage device. A WRITE request requests that the storage device store electronic data furnished by the remote computer within the storage device. Thus, as a result of a READ operation carried out by the storage device, data is returned via communications medium 102 to a remote computer, and as a result of a WRITE operation, data is received from a remote computer by the storage device via communications medium 102 and stored within the storage device.
The disk drive storage device illustrated in FIG. 1 includes controller hardware and logic 103 including electronic memory, one or more processors or processing circuits, and controller firmware, and also includes a number of disk platters 104 coated with a magnetic medium for storing electronic data. The disk drive contains many other components not shown in FIG. 1, including read/write heads, a high-speed electronic motor, a drive shaft, and other electronic, mechanical, and electromechanical components. The memory within the disk drive includes a request/reply buffer 105 which stores I/O requests received from remote computers and an I/O queue 106 that stores internal I/O commands corresponding to the I/O requests stored within the request/reply buffer 105. Communication between remote computers and the disk drive, translation of I/O requests into internal I/O commands, and management of the I/O queue, among other things, are carried out by the disk drive I/O controller as specified by disk drive I/O controller firmware 107. Translation of internal I/O commands into electromechanical disk operations in which data is stored onto, or retrieved from, the disk platters 104 is carried out by the disk drive I/O controller as specified by disk media read/write management firmware 108. Thus, the disk drive I/O controller firmware 107 and the disk media read/write management firmware 108, along with the processors and memory that enable execution of the firmware, compose the disk drive controller.
Individual disk drives, such as the disk drive illustrated in FIG. 1, are normally connected to, and used by, a single remote computer, although it has been common to provide dual-ported disk drives for use by two remote computers and multi-port disk drives that can be accessed by numerous remote computers via a communications medium such as a fibre channel. However, the amount of electronic data that can be stored in a single disk drive is limited. In order to provide much larger-capacity electronic data storage devices that can be efficiently accessed by numerous remote computers, disk manufacturers commonly combine many different individual disk drives, such as the disk drive illustrated in FIG. 1, into a disk array device, increasing both the storage capacity and the capacity for parallel I/O request servicing through concurrent operation of the multiple disk drives contained within the disk array.
FIG. 2 is a simple block diagram of a disk array. The disk array 202 includes a number of disk drive devices 203, 204, and 205. In FIG. 2, for simplicity of illustration, only three individual disk drives are shown within the disk array, but disk arrays may contain many tens or hundreds of individual disk drives. A disk array contains a disk array controller 206 and cache memory 207. Generally, data retrieved from disk drives in response to READ requests may be stored within the cache memory 207 so that subsequent requests for the same data can be more quickly satisfied by reading the data from the quickly accessible cache memory rather than from the much slower electromechanical disk drives. Various elaborate mechanisms are employed to maintain, within the cache memory 207, data that has the greatest chance of being subsequently re-requested within a reasonable amount of time. The disk array controller 206 may also elect to store data received from remote computers via WRITE requests in cache memory 207 in the event that the data may be subsequently requested via READ requests or in order to defer slower writing of the data to physical storage medium.
Electronic data is stored within a disk array at specific addressable locations. Because a disk array may contain many different individual disk drives, the address space represented by a disk array is immense, generally many thousands of gigabytes. The overall address space is normally partitioned among a number of abstract data storage resources called logical units (“LUNs”). A LUN includes a defined amount of electronic data storage space, mapped to the data storage space of one or more disk drives within the disk array, and may be associated with various logical parameters including access privileges, backup frequencies, and mirror coordination with one or more LUNs. LUNs may also be based on random access memory (“RAM”), mass storage devices other than hard disks, or combinations of memory, hard disks, and/or other types of mass storage devices. Remote computers generally access data within a disk array through one of the many abstract LUNs 208-215 provided by the disk array via internal disk drives 203-205 and the disk array controller 206. Thus, a remote computer may specify a particular unit quantity of data, such as a byte, word, or block, using a bus communications media address corresponding to a disk array, a LUN specifier, normally a 64-bit integer, and a 32-bit, 64-bit, or 128-bit data address that specifies a LUN, and a data address within the logical data address partition allocated to the LUN. The disk array controller translates such a data specification into an indication of a particular disk drive within the disk array and a logical data address within the disk drive. A disk drive controller within the disk drive finally translates the logical address to a physical medium address.
Normally, electronic data is read and written as one or more blocks of contiguous 32-bit or 64-bit computer words, the exact details of the granularity of access depending on the hardware and firmware capabilities within the disk array and individual disk drives as well as the operating system of the remote computers generating I/O requests and characteristics of the communication medium interconnecting the disk array with the remote computers.
In many computer applications and systems that need to reliably store and retrieve data from a mass storage device, such as a disk array, a primary data object, such as a file or database, is normally backed up to backup copies of the primary data object on physically discrete mass storage devices or media so that if, during operation of the application or system, the primary data object becomes corrupted, inaccessible, or is overwritten or deleted, the primary data object can be restored by copying a backup copy of the primary data object from the backup mass storage device to the mass storage device. Many different techniques and methodologies for maintaining backup copies have been developed. In one well-known technique, a primary data object is mirrored. FIG. 3 illustrates object-level mirroring. In FIG. 3, a primary data object “O3” 301 is stored on LUN A 302. The mirror object, or backup copy, “O3” 303 is stored on LUN B 304. The arrows in FIG. 3, such as arrow 305, indicate I/O write operations directed to various objects stored on a LUN. I/O write operations directed to object “O3” are represented by arrow 306. When object-level mirroring is enabled, the disk array controller providing LUNs A and B automatically generates a second I/O write operation from each I/O write operation 306 directed to LUN A, and directs the second generated I/O write operation via path 307, switch “S1” 308, and path 309 to the mirror object “O3” 303 stored on LUN B 304. In FIG. 3, enablement of mirroring is logically represented by switch “S1” 308 being on. Thus, when object-level mirroring is enabled, any I/O write operation, or any other type of I/O operation that changes the representation of object “O3” 301 on LUN A, is automatically mirrored by the disk array controller to identically change the mirror object “O3” 303.
Mirroring can be disabled, represented in FIG. 3 by switch “S1” 308 being in an off position. In that case, changes to the primary data object “O3” 301 are no longer automatically reflected in the mirror object “O3” 303. Thus, at the point that mirroring is disabled, the stored representation, or state, of the primary data object “O3” 301 may diverge from the stored representation, or state, of the mirror object “O3” 303. Once the primary and mirror copies of an object have diverged, the two copies can be brought back to identical representations, or states, by a resync operation represented in FIG. 3 by switch “S2” 310 being in an on position. In normal mirroring operation, switch “S2” 310 is in the off position. During the resync operation, any I/O operations that occurred after mirroring was disabled are logically issued by the disk array controller to the mirror copy of the object via path 311, switch “S2” 310, and path 309. During resync, switch “S1” 308 is in the off position. Once the resync operation is complete, logical switch “S2” 310 is disabled and logical switch “S1” 308 can be turned on in order to re-enable mirroring, so that subsequent I/O write operations, or other I/O operations that change the storage state of primary data object “O3” 301, are automatically reflected to the mirror object “O3” 303.
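The mirror, split and resync sequence of FIG. 3, as an added example that is not part of the patent text or any vendor's array firmware: each object is modelled as a fixed-size byte buffer on a LUN, switch S1 is a flag that decides whether a write is duplicated to the mirror LUN, and the writes issued while S1 is off are logged so that S2 (resync) can replay them in issue order. The buffer size, object name "O3", LUN names and the write contents are all constructed for the demonstration.

```python
"""Simulation of object-level mirroring with a split and resync (constructed
example modelled on the S1/S2 switches of FIG. 3; not array firmware)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Lun:
    """A logical unit holding named objects as fixed-size byte buffers."""
    name: str
    objects: Dict[str, bytearray] = field(default_factory=dict)


class MirrorController:
    """Mirrors writes to one object on the primary LUN onto the same-named object
    on the mirror LUN while S1 is on, and replays writes deferred during a split
    when resync (S2) is run."""

    def __init__(self, primary: Lun, mirror: Lun, obj: str, size: int) -> None:
        self.primary, self.mirror, self.obj = primary, mirror, obj
        primary.objects[obj] = bytearray(size)
        mirror.objects[obj] = bytearray(size)
        self.s1 = True                                  # S1 on: mirroring enabled
        self.deferred: List[Tuple[int, bytes]] = []     # writes to replay via S2

    def write(self, offset: int, data: bytes) -> None:
        """An I/O write directed to the primary object; duplicated only while S1 is on."""
        self.primary.objects[self.obj][offset:offset + len(data)] = data
        if self.s1:
            self.mirror.objects[self.obj][offset:offset + len(data)] = data
        else:
            self.deferred.append((offset, data))

    def split(self) -> None:
        """S1 off: the mirror becomes a point-in-time snapshot and may diverge."""
        self.s1 = False

    def resync(self) -> None:
        """S2 on with S1 still off: replay the deferred writes in issue order,
        then S2 off and S1 back on so later writes are mirrored again."""
        for offset, data in self.deferred:
            self.mirror.objects[self.obj][offset:offset + len(data)] = data
        self.deferred.clear()
        self.s1 = True

    def in_sync(self) -> bool:
        return self.primary.objects[self.obj] == self.mirror.objects[self.obj]


def demo() -> dict:
    """Walk through mirror, split, divergence and resync; returns the observed states."""
    lun_a, lun_b = Lun("A"), Lun("B")
    ctl = MirrorController(lun_a, lun_b, "O3", size=8)
    ctl.write(0, b"AAAA")                  # S1 on: reaches both LUNs
    mirrored = ctl.in_sync()
    ctl.split()
    ctl.write(4, b"BBBB")                  # S1 off: primary only, deferred for S2
    ctl.write(0, b"CC")                    # overlapping write; replay order matters
    diverged = not ctl.in_sync()
    snapshot = bytes(lun_b.objects["O3"])  # what the split mirror still holds
    ctl.resync()
    return {
        "mirrored": mirrored,
        "diverged": diverged,
        "snapshot": snapshot,
        "resynced": ctl.in_sync(),
        "primary": bytes(lun_a.objects["O3"]),
        "mirror": bytes(lun_b.objects["O3"]),
    }


if __name__ == "__main__":
    print(demo())
```

The replay log is what makes the split mirror a usable snapshot: between `split()` and `resync()` the mirror buffer is untouched by writes to the primary, which is the property the backup scheme of FIG. 4 relies on.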
FIG. 4 illustrates a common backup and incremental backup scheme that may be used for a primary data object stored within a disk array. In FIG. 4, the primary data object “O3” 402 is stored in LUN A 404. At some discrete point in time, object “O3” 402 is copied to a magnetic tape-based mass storage device to create a magnetic tape-based copy, “O3T” 406, of object “O3”. Copying an object to tape, and restoring an object from tape, are both time-consuming operations. Magnetic tape-based backup copies of an object are, however, reliably archivable and reliably available for restoration. Generally, tape backups are therefore made at comparatively lengthy intervals of time. At the same time that the magnetic tape-based backup copy 406 is made, or shortly thereafter, a disk-based backup copy “O31” 407 can be made by mirroring the primary data object “O3” 402 to a different LUN 408 or, equivalently, if mirror copy “O31” 407 has previously been established and mirroring has been subsequently disabled, by resyncing mirror copy “O31” 407 to the primary data object “O3” 402. Once the mirror copy “O31” 407 has been established, or resynced, mirroring can be disabled so that mirror copy “O31” 407 is a snapshot in time of the state of primary data object “O3” 402. The advantage of using a disk-based backup copy of primary data object “O3” is that, should restoration be required, primary data object “O3” 402 can be restored much more quickly from the disk-based backup copy “O31” 407 than from the magnetic tape-based backup copy “O3T” 406.
The mirror backup operation may be repeated at relatively shorter intervals of time than tape backups to provide incremental backup copies, such as incremental backup copies “O32” 409 and “O33” 410. In addition, of course, ongoing mirroring of object “O3” 402 can be undertaken to provide a hot backup copy of primary data object “O3” if the application or system requires immediate failover to a backup copy. If the primary data object “O3” 402 is corrupted, becomes inaccessible, or is deleted, and if a mirrored failover copy is either not available or has become corrupted, inaccessible, or has been deleted, then the primary data object “O3” can be restored from the most recently saved backup, such as backup copy “O33” 410. If the most recently saved backup copy is corrupted, or inaccessible for some reason, then the next most recently saved backup copy “O32” 409 can be used for restoring the primary data object, and so on, all the way back to the magnetic tape-based backup copy 406.
Although, as shown in FIG. 4, backup copies are often stored on different LUNs from the LUN on which the primary data object is stored, with the primary data object’s LUN and the backup copies’ LUNs all within a single disk array, mirroring operations can be implemented between a LUN provided by a first disk array and a LUN provided by a second disk array. Such systems involve additional complexity, but do not materially differ from single-disk-array mirroring with respect to the problems described in the next paragraph and with respect to the various embodiments of the present invention detailed below.
Unfortunately, disk-based backup copies may be corrupted by subsequent I/O write operations directed to the LUN on which the backup copy is stored. In many commonly-available disk arrays, once mirroring is disabled, or split, subsequent write I/O operations may change the state of the mirror copy. These subsequent I/O write operations may be accidentally generated by the application system that is using the mirror copy as a backup, or may be generated by other applications or systems. In these commonly-available disk arrays, the application or system is not guaranteed to have an uncorrupted and faithful representation of a primary data object at an earlier point of time following a restore operation from the backup copy of the primary data object taken at that point in time. In such systems, an application or system cannot reliably detect backup copies with accidental or inadvertent changes made by the application or system or by other applications and systems. Thus, application and systems designers and other users of disk arrays have recognized the need for a method and system for detecting subsequent changes to a stored object on a hard disk or other mass storage device following a point in time at which the stored object was created or updated to represent a backup copy of a primary data object stored on another mass storage device.
One embodiment of the present invention relates to facilitation of backing up primary data objects to, and restoring primary data objects from, mass storage devices. In many currently available mass storage devices, an application or system relying on a stored object, such as a file or database, as a backup object for use in restoring a primary data object cannot easily determine whether the backup object has been altered since the time that it was created or synchronized with the primary data object. In one embodiment of the present invention, a system or application can apply for and receive a lock on a particular LUN. The system or application can then store a backup object onto the locked LUN. Later, prior to employing the stored backup object in a restore operation, the system or application can determine whether the LUN is still locked by the system or application. If so, the system or application can continue with the restore operation using the backup object stored on the LUN. If, on the other hand, the system or application no longer holds a lock on the LUN, the system or application can use a slower, tape-based backup object for the restore operation. In a second embodiment of the present invention, a system or application can apply for and receive a timed lock on a particular LUN that expires after a period of time, selected by the system or application, that does not exceed a system-defined maximum period of time for holding a timed lock.
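The two embodiments just described, together with the restore fallback chain of FIG. 4 (newest disk-based copy first, tape last), as an added example that is not the patent's own implementation or any vendor's array firmware. It assumes lock semantics the text does not spell out: a locked LUN rejects writes from anyone but the lock holder, a timed lock simply lapses when it expires, and a system-defined maximum timed-lock duration (`MAX_TIMED_LOCK`, here an assumed 3600 seconds) bounds what an application may request. The LUN names "B32"/"B33", the fake clock and the stored byte strings are constructed for the demonstration; the restore routine treats a backup LUN as trustworthy only while the application still holds its lock, and otherwise falls back to the tape copy.

```python
"""Simulation of untimed and timed LUN locks guarding disk-based backup copies,
and of a restore that walks the backup chain back to tape when a lock is no
longer held (constructed example; not the patent's or an array's own code)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

MAX_TIMED_LOCK = 3600.0  # assumed system-defined maximum for a timed lock, in seconds


@dataclass
class Lun:
    name: str
    data: Optional[bytes] = None      # the backup object stored on this LUN
    owner: Optional[str] = None       # holder of the lock, if any
    expires: Optional[float] = None   # None for an untimed lock


class LunLockManager:
    """Assumed semantics: a locked LUN accepts writes only from its lock holder;
    a timed lock lapses on expiry, after which any writer may change the LUN."""

    def __init__(self, clock: Callable[[], float]) -> None:
        self.clock = clock
        self.luns: Dict[str, Lun] = {}

    def add(self, lun: Lun) -> None:
        self.luns[lun.name] = lun

    def _holder(self, lun: Lun) -> Optional[str]:
        if lun.expires is not None and self.clock() >= lun.expires:
            lun.owner, lun.expires = None, None      # timed lock has lapsed
        return lun.owner

    def lock(self, name: str, owner: str, duration: Optional[float] = None) -> bool:
        """Apply for a lock; duration=None is untimed, otherwise bounded by the maximum."""
        if duration is not None and not 0 < duration <= MAX_TIMED_LOCK:
            raise ValueError("timed lock exceeds system-defined maximum")
        lun = self.luns[name]
        if self._holder(lun) not in (None, owner):
            return False                             # held by another application
        lun.owner = owner
        lun.expires = None if duration is None else self.clock() + duration
        return True

    def release(self, name: str, owner: str) -> None:
        lun = self.luns[name]
        if self._holder(lun) == owner:
            lun.owner, lun.expires = None, None

    def holds(self, name: str, owner: str) -> bool:
        """The check an application makes before trusting the backup on this LUN."""
        return self._holder(self.luns[name]) == owner

    def write(self, name: str, writer: str, data: bytes) -> bool:
        lun = self.luns[name]
        holder = self._holder(lun)
        if holder is not None and holder != writer:
            return False                             # write rejected while locked
        lun.data = data
        return True


def restore(mgr: LunLockManager, app: str, chain: List[str], tape: bytes) -> Tuple[str, bytes]:
    """Return the newest backup whose LUN `app` still holds locked, else the tape copy."""
    for name in chain:                               # newest first, e.g. O33 then O32
        if mgr.holds(name, app):
            return name, mgr.luns[name].data
    return "tape", tape


def demo() -> dict:
    now = [0.0]                                      # fake clock for a deterministic run
    mgr = LunLockManager(clock=lambda: now[0])
    for name in ("B32", "B33"):
        mgr.add(Lun(name))
    tape = b"O3T"

    mgr.lock("B32", "app")                           # untimed lock, then store O32
    mgr.write("B32", "app", b"O32")
    mgr.lock("B33", "app", duration=600.0)           # timed lock, then store O33
    mgr.write("B33", "app", b"O33")
    blocked = mgr.write("B33", "other", b"junk")     # rejected: app holds the lock
    first = restore(mgr, "app", ["B33", "B32"], tape)

    now[0] += 601.0                                  # the timed lock on B33 lapses
    leaked = mgr.write("B33", "other", b"junk")      # accepted: B33 no longer trusted
    second = restore(mgr, "app", ["B33", "B32"], tape)

    mgr.release("B32", "app")
    mgr.lock("B32", "other")                         # another application takes B32
    third = restore(mgr, "app", ["B33", "B32"], tape)
    return {"blocked": blocked, "leaked": leaked,
            "first": first, "second": second, "third": third}


if __name__ == "__main__":
    print(demo())
```

The point of the check in `restore` is that the application never inspects the backup's contents to decide whether it is faithful; it only asks whether its own lock is still in place, which under the assumed semantics is sufficient to rule out any write by another party since the copy was stored.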