1. Field of the Invention
The present invention relates to a system, method, and program for ensuring data consistency across different storage areas and, in particular, coordinating similar status changes across multiple logical sessions at the appropriate consistency time.
2. Description of the Related Art
Disaster recovery systems typically address two types of failures, a sudden catastrophic failure at a single point in time or data loss over a period of time. With the gradual type of disaster, updates to volumes may be lost. To assist in recovery of data updates, a copy of data may be provided at a remote location. Such xe2x80x9cdualxe2x80x9d or xe2x80x9cshadowxe2x80x9d copies are typically made as the application system is writing new data to a primary storage device. International Business Machines Corporation (IBM), the assignee of the subject patent application, provides two systems for maintaining remote copies of data at a secondary site, extended remote copy (XRC) and peer-to-peer remote copy (PPRC).
These system recover data updates between a last, safe backup and a system failure. Such data shadowing systems can also provide an additional remote copy for non-recovery purposes, such as local access at a remote site. The XRC and PPRC systems are described in IBM publication xe2x80x9cRemote Copy: Administrator""s Guide and Reference,xe2x80x9d IBM document SC35-0 169-02 (IBM Copyright 1994, 1996), which publication is incorporated herein by reference in its entirety. In such backup systems, data is maintained in xe2x80x9cvolume pairsxe2x80x9d. A volume pair is comprised of a volume in a primary storage device and a corresponding volume in a secondary storage device that includes an identical copy of the data maintained in the primary volume. Typically, the primary volume will be maintained in a primary direct access storage device (DASD) and the secondary volume of the pair is maintained in a secondary DASD shadowing the data on the primary DASD. A primary storage controller may be provided to control access to the primary DASD and a secondary storage controller may be provided to control access to the secondary DASD.
In the IBM XRC environment, the application system writing data to the primary volumes includes a sysplex timer which provides a time-of-day (TOD) value to time stamp data writes. The application system time stamps data sets when writing such data sets to volumes in the primary DASD. The integrity of data updates depends upon performing updates at the secondary volumes in the same order as they were done at the corresponding primary volume. In systems such as XRC, the time stamp provided by the application program determines the logical sequence of data updates. In many application programs, such as database systems, certain write operations cannot occur unless a previous write operation has already occurred; otherwise the data integrity is jeopardized. A data write whose integrity depends on the occurrence of previous data writes is a xe2x80x9cdependent writexe2x80x9d. For instance, if a customer opens an account, deposits $400, and then withdraws $300, the withdrawal update to the system is dependent on the occurrence of the other writes, including the opening of the account and the $400 deposit. When such dependent transactions are copied from the primary volumes to secondary volumes, the transaction order must be maintained to preserve the integrity of dependent write operations.
Volumes in the primary and secondary DASDs are xe2x80x9cconsistentxe2x80x9d when all writes have been transferred in their logical order, i.e., all earlier writes transferred first before their corresponding dependent writes. In the banking example, this means that the $400 deposit is written to the secondary volume before the $300 withdrawal. A xe2x80x9cconsistency groupxe2x80x9d is a collection of updates to the primary volumes such that dependent writes are secured in a consistent manner. In the banking example, this means that the withdrawal transaction is in the same consistency group as the deposit or in a later group; the withdrawal cannot be in an earlier consistency group. Consistency groups maintain data consistency across volumes and storage devices. If a failure occurs, consistency groups ensure that data is recovered from the secondary volumes will be consistent.
Each consistency group has a xe2x80x9cconsistency timexe2x80x9d which is derived from the application system""s time stamps. More particularly, the consistency time is a time that is always equal to or after every time stamp from a data write of that consistency group. In the XRC environment, the consistency time is the latest time to which the system guarantees that updates to the secondary volumes are consistent. As long as the application program is writing data to the primary volume, the data writes"" time stamps increase, and so does the consistency time. However, if update activity ceases, then the consistency time does not change as there are no data sets with time stamps to provide a time reference for further consistency groups. If all the records in the consistency group are written to secondary volumes, then the reported consistency time reflects the latest time stamp of all records in the consistency group. Methods for maintaining the sequential consistency of data writes and forming consistency groups to maintain sequential consistency in the transfer of data between a primary DASD and secondary DASD are described in U.S. Pat. Nos. 5,615,329 and 5,504,861, which are assigned to IBM and incorporated herein by reference in their entirety.
Consistency groups are formed within a xe2x80x9csession.xe2x80x9d All volume pairs assigned to a session will have their updates maintained in the same consistency group. Thus, the sessions determine the volumes whose updates will form a consistency group. Consistency groups are formed within a journal. From the journal, updates from a consistency group are applied to the secondary volume. If the system fails while updates from the journal are being applied to a secondary volume, during recovery operations, the updates that did not complete writing to the secondary volume can be recovered from the journal and applied to the secondary volume.
In some data storage systems, consistency problems are possible if a database or data set spans multiple sessions. In these systems, consistency groups are not able to maintain consistency across sessions; in such systems, consistency groups are only formed within one session. This concern, namely allowing consistency across sessions or other groupings of storage areas, was addressed by U.S. patent application Ser. No. 09/422,595, entitled xe2x80x9cMethod, System, and Program For Maintaining Data Consistency Across Groups of Storage Areas,xe2x80x9d filed on Oct. 21, 1999 in the names of R. M. Kern et al., and assigned to IBM. The foregoing application is hereby incorporated herein by reference.
Although the approach of the foregoing application might be satisfactory for many applications, the present inventors are actively involved in researching possible improvements for products such as these. In this respect, one area of focus involves preserving consistency during backup operations. In this endeavor, the present inventors have recognized that status changes in one of the sessions can impede the ability of the other sessions to maintain mutual consistency. In particular, if one of the sessions is suspended (for example, with the XSUSPEND command), then this session is not processing any updates and also not incrementing its time of the last consistency group in the journal. Another situation arises when a complete set of consistent secondary devices is desired, for example, to capture a point in time backup of all of the volumes. In this case, the normal means of obtaining this condition in a single session is insufficient in the multiple session environment. Consequently, known multi-session data storage facilities may not be completely adequate for some applications due to certain unsolved consistency issues.
Broadly, the present invention concerns a multi-session data storage facility that coordinates similar status changes across all sessions at appropriate times. The data storage facility includes multiple sessions, each session having primary and secondary storage. In each session, a data mover implements data mirroring by copying updates from the primary storage to the secondary storage. A master data set, accessible by all sessions, includes a common area used by a master data mover to post xe2x80x9cuniversalxe2x80x9d commands applicable to all sessions. The master data set also includes individual session areas. Whenever a data mover receives a host-initiated command, this data mover becomes a xe2x80x9cmaster,xe2x80x9d and the remaining data movers become xe2x80x9cslavesxe2x80x9d with respect to this command. The command is initially received along with a xe2x80x9cstart time,xe2x80x9d which may be immediate or some time in the future. Initially, the master data mover lists the command in the master data set""s common area.
Whenever a slave data mover detects a command in the master data set""s common area, it suspends the formation of consistency groups and responds by posting a xe2x80x9creadyxe2x80x9d message in the slave""s session area. The xe2x80x9creadyxe2x80x9d message comprises the slave data mover""s consistency form time (i.e., the earliest most-recent update time from all controllers in that session).
After posting the command, the master data mover reviews the slave data movers"" responses. If these responses indicate all slave data movers are capable of executing the command in a consistent manner, then the master data mover instructs the slave data movers to execute the command. This is done by entering the command""s start time in the master data set""s common area. Otherwise, the master data mover enters a cancel instruction in the master data set""s common area.
In addition to commands, errors may also be entered into the master data set. When an individual data mover detects an error in its own processing, it records the type of error and the time of day in its session area to advise other data movers that the error-initiating data mover is processing its error. The error-initiating session then begins to process the errors. When other data movers detect the error listing in the error-initiating data mover""s session area, they proceed to process equivalent errors locally, such as by suspending data mirroring operations as appropriate. When the error is corrected, the error-initiating data mover resets the error handling indication in its session area to show that the error has been corrected.
The foregoing features may be implemented in a number of different forms. For example, the invention may be implemented to provide a method of distributing and locally processing commands and errors among multiple remote copy backup sessions of a data storage system. In another embodiment, the invention may be implemented to provide an apparatus, such as a data storage facility, configured to perform operations to distribute and locally process commands and errors among multiple remote copy backup sessions of a data storage system. In still another embodiment, the invention may be implemented to provide a signal-bearing medium tangibly embodying a program of machine-readable instructions executable by a digital data processing apparatus to perform such operations. Another embodiment concerns logic circuitry having multiple interconnected electrically conductive elements configured to perform the foregoing operations.
The invention affords its users with a number of distinct advantages. Chiefly, the invention maintains data consistency by coordinating the local processing of errors and commands among separate storage sessions. The invention also provides a number of other advantages and benefits, which should be apparent from the following description of the invention.