A file server is a computer that provides file service relating to the organization of information on writeable persistent storage devices, such memories, tapes or disks of an array. The file server or filer may be embodied as a storage system including a storage operating system that implements a file system to logically organize the information as a hierarchical structure of directories and files on the disks. Each “on-disk” file may be implemented as set of data structures, e.g., disk blocks, configured to store information, such as the actual data for the file. A directory, on the other hand, may be implemented as a specially formatted file in which information about other files and directories are stored.
A storage system may be further configured to operate according to a client/server model of information delivery to thereby allow many clients to access files stored on a server, e.g., the storage system. In this model, the client may comprise an application executing on a computer that “connects” to the storage system over a computer network, such as a point-to-point link, shared local area network, wide area network or virtual private network implemented over a public network, such as the Internet. Each client may request the services of the file system on the storage system by issuing file system protocol messages (in the form of packets) to the system over the network. It should be noted, however, that the storage system may alternatively be configured to operate as an assembly of storage devices that is directly-attached to a (e.g., client or “host”) computer. Here, a user may request the services of the file system to access (i.e., read and/or write) data from/to the storage devices.
A common type of file system is a “write in-place” file system, an example of which is the conventional Berkeley fast file system. In a write in-place file system, the locations of the data structures, such as data blocks, on disk are typically fixed. Changes to the data blocks are made “in-place” in accordance with the write in-place file system. If an update to a file extends the quantity of data for the file, an additional data block is allocated.
Another type of file system is a write-anywhere file system that does not overwrite data on disks. If a data block on disk is retrieved (read) from disk into memory and “dirtied” with new data, the data block is stored (written) to a new location on disk to thereby optimize write performance. A write-anywhere file system may initially assume an optimal layout such that the data is substantially contiguously arranged on disks. The optimal disk layout results in efficient access operations, particularly for sequential read operations, directed to the disks. An example of a write-anywhere file system that is configured to operate on a storage system, such as a filer, is the Write Anywhere File Layout (WAFL™) file system available from Network Appliance, Inc., Sunnyvale, Calif. The WAFL file system is implemented as a microkernel within an overall protocol stack of the filer and associated disk storage.
The disk storage is typically implemented as one or more storage “volumes” that comprise a cluster of physical storage disks, defining an overall logical arrangement of disk space. Each volume is generally associated with its own file system. The disks within a volume/file system are typically organized as one or more groups of Redundant Array of Independent (or Inexpensive) Disks (RAID). RAID implementations enhance the reliability/integrity of data storage through the writing of data “stripes” across a given number of physical disks in the RAID group, and the appropriate storing of redundant information with respect to the striped data. The redundant information enables recovery of data lost when a storage device fails.
In the operation of a disk array, it is fairly common that a disk will fail. A goal of a high performance storage system is to make the mean time to data loss (MTTDL) as long as possible, preferably much longer than the expected service life of the system. Data can be lost when one or more storage devices fail, making it impossible to recover data from the device. Typical schemes to avoid loss of data include mirroring, backup and parity protection. Mirroring is an expensive solution in terms of consumption of storage resources, such as hard disk drives. Backup does not protect recently modified data. Parity schemes are common because they provide a redundant encoding of the data that allows for a single erasure (loss of one disk) with the addition of just one disk drive to the system.
Parity protection is used in computer systems to protect against loss of data on a storage device, such as a disk. A parity value may be computed by summing (usually modulo 2) data of a particular word size (usually one bit) across a number of similar disks holding different data and then storing the results on an additional similar disk. That is, parity may be computed on vectors 1-bit wide, composed of bits in corresponding positions on each of the disks. When computed on vectors 1-bit wide, the parity can be either the computed sum or its complement; these are referred to as even and odd parity respectively. Addition and subtraction on 1-bit vectors are equivalent to an exclusive-OR (XOR) logical operation, and the addition and subtraction operations are replaced by XOR operations. The data is then protected against the loss of any of the disks. If the disk storing the parity is lost, the parity can be regenerated from the data. If one of the data disks is lost, the data can be regenerated by adding the contents of the surviving data disks together and then subtracting the result from the stored parity.
Typically, the disks are divided into parity groups, each of which comprises one or more data disks and a parity disk. A parity set is a set of blocks, including several data and one parity block, where the parity block is the XOR of all the data blocks. A parity group is a set of disks from which one or more parity sets are selected. The disk space is divided into stripes, with each stripe containing one block from each disk. The blocks of a stripe are usually at the same locations on each disk in the parity group. Within a stripe, all but one block are blocks containing data (“data blocks”) and one block is a block containing parity (“parity block”) computed by the XOR of all the data. If the parity blocks are all stored on one disk, thereby providing a single disk that contains all (and only) parity information, a RAID-4 implementation is provided. If the parity blocks are contained within different disks in each stripe, usually in a rotating pattern, then the implementation is RAID-5. The term “RAID” and its various implementations are well-known and disclosed in A Case for Redundant Arrays of Inexpensive Disks (RAID), by D. A. Patterson, G. A. Gibson and R. H. Katz, Proceedings of the International Conference on Management of Data (SIGMOD), June 1988.
As used herein, the term “encoding” means the computation of a redundancy value over a predetermined subset of data blocks, whereas the term “decoding” means the reconstruction of a data or parity block by the same or similar process as the redundancy computation using a subset of data blocks and redundancy values. If one disk fails in the parity group, the contents of that disk can be decoded (reconstructed) on a spare disk or disks by adding all the contents of the remaining data blocks and subtracting the result from the parity block. Since two's complement addition and subtraction over 1-bit fields are both equivalent to XOR operations, this reconstruction consists of the XOR of all the surviving data and parity blocks. Similarly, if the parity disk is lost, it can be recomputed in the same way from the surviving data.
An aspect of parity protection of data is that it provides protection against only a single disk failure within a parity group. These schemes can also protect against multiple disk failures as long as each failure occurs within a different parity group. However, in the case of multiple simultaneous failures within a parity group, no such protection is provided and an unrecoverable loss of data is suffered. Failure of two disks concurrently within a parity group is a fairly common occurrence, particularly because disks “wear out” and because of environmental factors with respect to the operation of the disks. In this context, the failure of two disks concurrently within a parity group is referred to as a “double failure”.
A double failure typically arises as a result of a failure to one disk and a subsequent failure to another disk while attempting to recover from the first failure. The recovery or reconstruction time is dependent upon the level of activity of the storage system. That is, during reconstruction of a failed disk, it is desirable that the storage system remain “online” and continue to serve requests (from clients or users) to access (i.e., read and/or write) data. If the storage system is busy serving requests, the elapsed time for reconstruction increases. The reconstruction processing time also increases as the number of disks in the storage system increases. Moreover, the double disk failure rate is proportional to the square of the number of disks in a parity group. However, having small parity groups is expensive, as each parity group requires an entire disk devoted to redundant data.
Accordingly, it is desirable to provide a technique that withstands double failures. This would allow construction of larger disk systems with larger parity groups, while ensuring that even if reconstruction after a single disk failure takes a long time (e.g., a number of hours), the system can survive a second failure. Such a technique would further allow relaxation of certain design constraints on the storage system. For example, the storage system could use lower cost disks and still maintain a high MTTDL. Lower cost disks typically have a shorter lifetime, and possibly a higher failure rate during their lifetime, than higher cost disks. Therefore, use of such disks is more acceptable if the system can withstand double disk failures within a parity group.
A known scheme for protecting against double disk failures is a distributed parity scheme disclosed in U.S. Pat. No. 5,862,158, titled Efficient Method for Providing Fault Tolerance Against Double Device Failures in Multiple Device Systems, by Baylor et al., issued Jan. 19, 1999, which patent is hereby incorporated by reference as though fully set forth herein. This distributed parity scheme, hereinafter referred to as the “Corbett-Park” scheme, provides a way of determining the assignment of each data block to exactly two parity sets, such that all parity sets are the same size. The scheme also allows recovery from any two disk failures using an optimal amount of parity information, equivalent to two disks worth, for any even number of disks 4 or greater, except 8.
The Corbett-Park technique further allows a tradeoff between the optimal amount of parity and the number of data blocks that belong to each parity set, i.e., the number of data blocks XOR'ed to compute each parity block. For a given number of disks n in the array, a ratio m may be selected, which is the number of data blocks per parity block. Thus, the redundancy is 1/(m+1) and the parity overhead is 1/m, wherein m is restricted such that 2 m+2≦n. Within each recurrence of the parity assignment pattern, each disk has m data blocks and one parity block. Without losing generality, assume that the data blocks are in m rows and the parity blocks are in a single row. A stripe is composed of m+1 rows. Therefore, there is a minimum of nl(m+1)=(2 m+2)/(m+1)=2 disks worth of parity, which is the optimal amount. If n is made larger than 2 m+2, then there is more than the minimum parity in the parity array, but the overhead and redundancy may be maintained by keeping m constant.
It should be noted that for the Corbett-Park scheme, the sizes of the blocks used in the parity computations do not have to match the sizes of any system blocks. Therefore, the blocks used for parity computation can be chosen to be some convenient size. For example, assume it is desired that each recurrence of the parity assignment pattern contain exactly 4 kilobytes (kB) of data from each disk. The sizes of the blocks used for parity computation can thus be defined as 4 k/(m+1), which works well if m=3, 7 or 15 when the block size is a larger power of two, such as 4 k (4096) bytes.
The result of the Corbett-Park parity assignment construction technique is that within each row of a stripe, the data block on disk i belongs to parity sets (i+j) mod n and (i+k) mod n, where j≠k, 0≦j≦n and 0≦k≦n. The parity block for parity set p is stored on disk p, wherein 0≦p<n. The difference between values j and k is a parity delta, wherein a parity delta is the difference in value modulo the number of disks between two parity sets to which a data block belongs. Note that this form of modulo arithmetic is preferably “wrap around” addition, which is similar to discarding carries in an XOR operation.
Specifically, parity offset is defined as, in a row, the differences j and k between a disk number d and the parity sets to which a block belongs, such that set1=(d+j) mod n and set2=(d+k) mod n. Here, j and k are the parity offsets. Parity offsets are between 1 and n−1, inclusive. Parity delta, on the other hand, is defined as the difference, modulo n, between the parity offsets j and k for a row of blocks. The parity deltas for a row are (j−k) mod n and (k−j) mod n. Parity deltas are between 1 and n−1, inclusive, and n/2 is not allowed, as are other factors of n depending on the depth of the parity blocks per stripe in the relocated parity arrangement.
Among all the m rows of data blocks, all the deltas must be unique. Furthermore, in cases of even values of n, delta of n/2 is not allowed. Therefore, for m rows, there are 2×m unique deltas required. Given n−1 possible deltas in the case of odd n, and n−2 possible deltas in the case of even n, there is a restriction on the maximum size of m and, hence, on the minimum redundancy ratio for a given number of disks. The assignment of two unique parity deltas to each row of a stripe as described herein ensures five conditions:
1. Each data block belongs to two unique parity sets.
2. The m data blocks on each disk belong to 2×m different parity sets.
3. No data block on a given disk belongs to the parity set of the parity block on that disk.
4. All parity sets are of the same size. Since each data block belongs to exactly the minimum number 2 parity sets, a corollary is that all parity sets are of minimum size.
5. On each disk, there is at least one parity set that is not represented by either a data or parity block.
These conditions are necessary, but not sufficient to ensure that the array contents is can be reconstructed after two device failures. The 5th condition is key to reconstruction. When two disks are lost, there are always at least two parity sets for which only one block is lost and which allow for reconstruction of the missing block. If n=2 m+2, there are exactly two parity sets that are only missing one member. If n>2 m+2, there are more than two parity sets that are only missing one member and, in fact, some parity sets may be complete and require no reconstruction. Therefore reconstruction can always begin by reconstructing two of the missing blocks, one from each of the failed disks. If the reconstructed blocks are data blocks, then each reconstructed data block allows reconstruction of the missing block from another parity set, since each data block belongs to two parity sets. Each reconstruction “chain” is continued until a parity block is reconstructed.
FIG. 1 is a block diagram of a prior art 4-disk array 100 configured in accordance with the Corbett-Park distributed parity arrangement. Each disk is assigned parity and data blocks that are organized into stripes and assigned to parity sets. For example, each stripe contains two blocks, a data (D) block and a parity (P) block, with the parity and data block assignment patterns repeated for each stripe. Each parity block stores the parity for one parity set and each parity set has exactly one parity block. All parity sets are of equal size and are composed, in addition to the parity block, of several data blocks. Each data block is defined to be a member of two parity sets. No two data blocks in the array are both members of the same two parity sets. No more than one data block or parity block on any given disk belongs to any one parity set.
In the case of any single failure, no parity set misses more than one block and therefore all parity sets, and consequently all missing blocks, can be reconstructed. If any one of the disks fails, the lost data and parity blocks can be reconstructed, since at most one block is missing from all parity sets. Moreover, if any two disks fail, all the missing blocks can be generated from the remaining parity and data on the other two disks.
For example, if disks 0 and 1 fail, parity sets 1 and 2 are each missing two blocks and cannot be reconstructed immediately. However, each parity set 0 and 3 is missing only one block and therefore the missing blocks of these parity sets can be reconstructed. Reconstructing data block D23 (the missing data block from parity set 3) results in the reconstruction of a data block member of parity set 2 which, in turn, allows reconstruction of data block D12 on disk 0. By reconstructing data block D12, the parity block of parity set 1 on disk 1 can be reconstructed. Note that the parity blocks end the reconstruction chains. That is, for a double failure (two disk failures) there are always two reconstruction chains; recovery is effected by reconstructing the data blocks prior to the parity blocks of those chains, and then reconstructing the two parity blocks of the two failed disks.
Assume now that disks 0 and 2 fail. Each parity set 0 and 2 is missing two blocks, while each parity set 1 and 3 is missing only one block. Therefore, the missing blocks of parity sets land 3 can be reconstructed immediately. In particular, the missing data block D12 from parity set 1 can be reconstructed which enables reconstruction of parity block 2 on disk 2. Similarly, missing data block D30 from parity set 3 can be reconstructed, which enables reconstruction of parity block 0 on disk 0. Therefore, there are again two chains that are reconstructed starting with the missing data block and ending with the parity block.
FIG. 2 is a block diagram of a prior art 6-disk array 200 configured in accordance with the Corbett-Park distributed parity arrangement. Each disk is divided into data and parity blocks that are further organized into stripes. Each stripe contains two data blocks and one parity block, and there is an optimal amount of parity information equivalent to two disks worth. Each data block belongs to two parity sets and there is only one (at most) representative member of each parity set on each disk. Notably, each disk is missing one parity set and the missing parity set is different among all the disks. Furthermore, each row of blocks within each stripe has a different parity delta. For example, row 1 has a parity delta of Δ1 and row 2 has a parity delta of Δ2. The same delta is not allowed on two different rows because it renders the system vulnerable to disk failures that distance apart.
Specifically, the Corbett-Park construction technique specifies that every row of data blocks in the parity array has a different parity delta value and that no row's delta value equals n/2. For example, in a 6-disk array, no row has a delta value of 3 (Δ3); similarly in a 10-disk array, no row has a delta value of 5 (Δ5). A parity delta cannot have a value of n/2 there cannot be a “harmonic” of parity set assignments to a data block within an array. It should be noted, however, that each row essentially has a pair of parity delta values. That is, in the case of a 10-disk array, a delta value of Δ3 is equivalent to a delta value of Δ7, and a delta value of Δ4 is equivalent to a delta value of Δ6. Similarly, in a 6-disk array, a delta value of Δ1 is equivalent to a delta value of Δ5 and a delta value of Δ2 is equivalent to a delta value of Δ4.
The Corbett-Park construction technique also requires finding a vector of n elements containing two each of the symbols from 1 to m that represent the data blocks, one symbol for parity (e.g., −1) and another set of symbols for null values (e.g., 0). The object is to find an n element vector that allows a complete marking of all symbols in the vector and all super-positions of the vector on itself. A vector that successfully meets the criteria corresponds to a solution of the parity assignment problem for a given n and m that allows recovery from any double disk failure.
FIG. 3 is a table 300 illustrating construction of parity assignments in a parity array from a successful vector in accordance with the Corbett-Park construction technique. The vector is {−1, 1, 0, 2, 2, 1}, which is one of four unique solutions for n=6, m=2 (discounting congruent solutions). Each column of the table represents a disk and each row represents a parity set. The positions of the symbols in each column indicate the assignment of the data blocks 1 and 2, along with the parity block—1, to a parity set in that disk. Symbol 1 represents the data blocks in row 1 and the symbol 2 represents the data blocks in row 2 of a stripe. The data and parity blocks may be arranged in any order within each disk. The parity assignment vector is rotated by one position in each disk ensuring that it occupies all n possible positions in the n disk array. FIG. 4 is a block diagram illustrating the parity assignment pattern resulting from the construction technique.
As noted, the Corbett-Park technique provides a means for assigning data blocks is to parity sets in a distributed parity configuration having an optimal amount or sub-optimal amount of parity and a chosen redundancy ratio. That is, for a given number of disks, an optimal amount of parity is chosen to be equal to 2/n. However for odd numbers of disks n there are solutions that are sub-optimal (i.e., more than two disks worth of parity) but that operate correctly. For example, if n=7 and each disk is divided into three blocks (two data blocks and one parity block), there is a total of 7/3 of parity which is greater than two disks worth and thus a sub-optimal solution resulting in increased redundancy. Increasing redundancy has two effects: (1) the size of the parity sets is smaller than the maximum allowed for a given number of disks, thus effectively “declustering” the parity. As n increases, there are more parity sets that are not affected at all by the failures. Particularly in the more common case of single failures, this might result in fewer disk read operations during reconstruction. (2) There are more than two parity sets that only lose one block in the event of the failures, increasing the parallelism possible during reconstruction.
A disadvantage of increasing redundancy is that there is more total parity information than the minimum two disks worth. However, in a large system, there will be many parity arrays and hence much more than the minimum two disks worth of parity in the entire system. Larger values of m allow more data blocks per parity block, decreasing the amount of redundant space on disk. Yet, the parity set size is always 2 m+1, including data and parity blocks. Therefore, the larger m, the more computation needed to compute each parity block, both during encoding and decoding (i.e., construction and deconstruction). Since each data block belongs to exactly two parity sets in all cases, the total amount of parity computation is always the same for the same amount of data.