A file server is a computer that provides file service relating to the organization of information on writeable persistent storage devices, such as memories, tapes or disks of an array. The file server or filer may be embodied as a storage system including an operating system that implements a file system to logically organize the information as a hierarchical structure of directories and files on, e.g., the disks. Each “on-disk” file may be implemented as a set of data structures, e.g., disk blocks, configured to store information, such as the actual data for the file. A directory, on the other hand, may be implemented as a specially formatted file in which information about other files and directories is stored.
A storage system may be further configured to operate according to a client/server model of information delivery to thereby allow many clients to access files stored on a server, e.g., the storage system. In this model, the client may comprise an application executing on a computer that “connects” to the storage system over a computer network, such as a point-to-point link, shared local area network, wide area network or virtual private network implemented over a public network, such as the Internet. Each client may request the services of the file system on the storage system by issuing file system protocol messages (in the form of packets) to the system over the network. It should be noted, however, that the storage system may alternatively be configured to operate as an assembly of storage devices that is directly-attached to a (e.g., client or “host”) computer. Here, a user may request the services of the file system to access (i.e., read and/or write) data from/to the storage devices.
A common type of file system is a “write in-place” file system, an example of which is the conventional Berkeley fast file system. In a write in-place file system, the locations of the data structures, such as data blocks, on disk are typically fixed. Changes to the data blocks are made “in-place” in accordance with the write in-place file system. If an update to a file extends the quantity of data for the file, an additional data block is allocated.
Another type of file system is a write-anywhere file system that does not overwrite data on disks. If a data block on disk is retrieved (read) from disk into memory and “dirtied” with new data, the data block is stored (written) to a new location on disk to thereby optimize write performance. A write-anywhere file system may initially assume an optimal layout such that the data is substantially contiguously arranged on disks. The optimal disk layout results in efficient access operations, particularly for sequential read operations, directed to the disks. An example of a write-anywhere file system that is configured to operate on a storage system, such as a filer, is the Write Anywhere File Layout (WAFL™) file system available from Network Appliance, Inc., Sunnyvale, Calif. The WAFL file system is implemented as a microkernel within an overall protocol stack of the filer and associated disk storage.
The disk storage is typically implemented as one or more storage “volumes” that comprise a cluster of physical storage devices (disks), defining an overall logical arrangement of disk space. Each volume is generally associated with its own file system. The disks within a volume/file system are typically organized as one or more groups of Redundant Array of Independent (or Inexpensive) Disks (RAID). RAID implementations enhance the reliability/integrity of data storage through the redundant writing of data “stripes” across a given number of physical disks in the RAID group, and the appropriate storing of redundant information with respect to the striped data. The redundant information enables recovery of data lost when a storage device fails.
In the operation of a disk array, it is fairly common that a disk will fail. A goal of a high performance storage system is to make the mean time to data loss (MTTDL) as long as possible, preferably much longer than the expected service life of the system. Data can be lost when one or more storage devices fail, making it impossible to recover data from the device. Typical schemes to avoid loss of data include mirroring, backup and parity protection. Mirroring is an expensive solution in terms of consumption of storage resources, such as hard disk drives. Backup does not protect recently modified data. Parity schemes are common because they provide a redundant encoding of the data that allows for a single erasure (loss of one disk) with the addition of just one disk drive to the system.
Parity protection is used in computer systems to protect against loss of data on a storage device, such as a disk. A parity value may be computed by summing (usually modulo 2) data of a particular word size (usually one bit) across a number of similar disks holding different data and then storing the results on an additional similar disk. That is, parity may be computed on vectors 1-bit wide, composed of bits in corresponding positions on each of the disks. When computed on vectors 1-bit wide, the parity can be either the computed sum or its complement; these are referred to as even and odd parity respectively. Addition and subtraction on 1-bit vectors are equivalent to an exclusive-OR (XOR) logical operation, and the addition and subtraction operations are replaced by XOR operations. The data is then protected against the loss of any of the disks. If the disk storing the parity is lost, the parity can be regenerated from the data. If one of the data disks is lost, the data can be regenerated by adding the contents of the surviving data disks together and then subtracting the result from the stored parity.
Typically, the disks are divided into parity groups, each of which comprises one or more data disks and a parity disk. The disk space is divided into stripes, with each stripe containing one block from each disk. The blocks of a stripe are usually at the same locations on each disk in the parity group. Within a stripe, all but one block are blocks containing data (“data blocks”) and one block is a block containing parity (“parity block”) computed by the XOR of all the data. If the parity blocks are all stored on one disk, thereby providing a single disk that contains all (and only) parity information, a RAID-4 implementation is provided. If the parity blocks are contained within different disks in each stripe, usually in a rotating pattern, then the implementation is RAID-5. The term “RAID” and its various implementations are well-known and disclosed in A Case for Redundant Arrays of Inexpensive Disks (RAID), by D. A. Patterson, G. A. Gibson and R. H. Katz, Proceedings of the International Conference on Management of Data (SIGMOD), June 1988.
As used herein, the term “encoding” means the computation of a redundancy value over a predetermined subset of data blocks, whereas the term “decoding” means the reconstruction of a data or parity block by the same process as the redundancy computation using a subset of data blocks and redundancy values. If one disk fails in the parity group, the contents of that disk can be decoded (reconstructed) on a spare disk or disks by adding all the contents of the remaining data blocks and subtracting the result from the parity block. Since two's complement addition and subtraction over 1-bit fields are both equivalent to XOR operations, this reconstruction consists of the XOR of all the surviving data and parity blocks. Similarly, if the parity disk is lost, it can be recomputed in the same way from the surviving data.
Parity schemes generally provide protection against a single disk failure within a parity group. These schemes can also protect against multiple disk failures as long as each failure occurs within a different parity group. However, if two disks fail concurrently within a parity group, then an unrecoverable loss of data is suffered. Failure of two disks concurrently within a parity group is a fairly common occurrence, particularly because disks “wear out” and because of environmental factors with respect to the operation of the disks. In this context, the failure of two disks concurrently within a parity group is referred to as a “double failure”.
A double failure typically arises as a result of a failure of one disk and a subsequent failure of another disk while attempting to recover from the first failure. The recovery or reconstruction time is dependent upon the level of activity of the storage system. That is, during reconstruction of a failed disk, it is desirable that the storage system remain “online” and continue to serve requests (from clients or users) to access (i.e., read and/or write) data. If the storage system is busy serving requests, the elapsed time for reconstruction increases. The reconstruction processing time also increases as the number of disks in the storage system increases, as all of the surviving disks must be read to reconstruct the lost data. Moreover, the double disk failure rate is proportional to the square of the number of disks in a parity group. However, having small parity groups is expensive, as each parity group requires an entire disk devoted to redundant data.
Accordingly, it is desirable to provide a technique that withstands double failures. This would allow construction of larger disk systems with larger parity groups, while ensuring that even if reconstruction after a single disk failure takes a long time (e.g., a number of hours), the system can survive a second failure. Such a technique would further allow relaxation of certain design constraints on the storage system. For example, the storage system could use lower cost disks and still maintain a high MTTDL. Lower cost disks typically have a shorter lifetime, and possibly a higher failure rate during their lifetime, than higher cost disks. Therefore, use of such disks is more acceptable if the system can withstand double disk failures within a parity group.
Known techniques for protecting against double disk failures include XOR-based schemes and Reed-Solomon style encoding schemes. Broadly stated, Reed-Solomon (R-S) style encoding schemes require operations to occur on a stream consisting of one word (usually a byte) of input from each data disk at a time. While this is true of all parity schemes, in the R-S algorithm and other similar approaches, the required operations are matrix multiplies. This increases the number of operations needed to compute the redundant data and the operations needed to reconstruct lost data.
In particular for R-S encoding operations, the redundant data must be computed by performing matrix operations on the incoming byte streams. These operations are computationally intensive, requiring a large number of XOR operations. The use of an XOR operation to perform direct parity computations is relatively easy since the exclusive-OR operation is associative and commutative. The results can be accumulated in a buffer having a size of one block that becomes the parity block. Although it is possible to allow a staged summation for the R-S encoding operations that accumulate results in an output buffer, the lower bound of computation required for a given parity group size using R-S style encoding is larger than that required by other schemes.
A simple double failure correcting parity scheme is two-dimensional parity wherein each disk belongs to two different parity sets of a parity array. The parity array is a self-contained set of disks that can recover from any two disk failures in the array. A parity set is a set of blocks, including several data and one parity block, such that each data block and the parity block are taken from different disks in the parity array. The parity block contains the XOR sum of all of the data blocks in the parity set. The data disks used in accordance with the two-dimensional parity scheme are numbered according to a two-dimensional array; however, it is not necessary that the disks be physically arranged in a two-dimensional array. Parity sets extend in both the horizontal and vertical directions, and each disk belongs to both a horizontal and a vertical parity set. The parity disks are logically arrayed at one horizontal and one vertical edge of the array.
Specifically, the two-dimensional parity scheme has a number of parity disks equal to r+c, where n=r×c is the number of data disks. The minimum value of r+c is 2√n. For a small number of data disks in an array, this is a relatively large amount of parity. The problems with two-dimensional parity are thus two-fold. In order to reduce redundancy and overhead, the number of disks in the parity array must increase. However, the number of disks increases at the expense of increasing total parity size. This can result in unreasonably large “large-write” operation sizes. As used herein, a “large-write” operation involves rewriting of the blocks of one or more overlapping parity sets, whereas a “small-write” operation involves modification of at least one data block and its associated parity.
Another known double failure correcting parity scheme is an EVENODD XOR-based technique that allows a serial reconstruction of lost (failed) disks. EVENODD parity requires exactly two disks worth of redundant data, which is optimal. According to this parity technique, all data disk blocks belong to two parity sets, one a typical RAID-4 style XOR computed across all the data disks and the other computed along a set of diagonally adjacent data disk blocks. Each diagonal parity set contains blocks from all but one of the data disks. For n data disks, there are n−1 rows of blocks in a stripe. Each block is on one diagonal and there are n diagonals, each n−1 blocks in length. Notably, the EVENODD scheme only works if n is a prime number. The EVENODD technique is disclosed in an article of IEEE Transactions on Computers, Vol. 44, No. 2, titled EVENODD: An Efficient Scheme for Tolerating Double Disk Failures in RAID Architectures, by Blaum et al., February, 1995. A variant of EVENODD is disclosed in U.S. Pat. No. 5,579,475, titled Method and Means for Encoding and Rebuilding the Data Contents of up to Two Unavailable DASDs in a DASD Array using Simple Non-Recursive Diagonal and Row Parity, by Blaum et al., issued on Nov. 26, 1996. The above-mentioned article and patent are hereby incorporated by reference as though fully set forth herein.
Specifically, the EVENODD technique utilizes two parity disks, a row parity disk containing all (and only) row parities for the data disks and a diagonal parity disk containing all (and only) diagonal parities for those disks. In other words, the row and diagonal parity blocks are not distributed among different disks in each stripe. In an array of n×(n−1) data blocks, there are exactly n diagonals each of length n−1, if the diagonals “wrap around” at the edges of the array. The key to reconstruction of the EVENODD parity arrangement is that each diagonal parity set contains no information from one of the data disks. However, there is one more diagonal than there are blocks to store the parity blocks for the diagonals within a set of uniform depth stripes. That is, the EVENODD parity arrangement results in a diagonal parity set that does not have an independent parity block. To accommodate this extra “missing” parity block, the EVENODD arrangement XOR's the parity result of one diagonal into the parity blocks for each of the other diagonals.
FIG. 1 is a schematic block diagram of a prior art disk array 100 that is configured in accordance with the conventional EVENODD parity arrangement. Each data block Dab belongs to parity sets a and b, where the parity block for each parity set is denoted Pa. Note that for one distinguished diagonal (X), there is no corresponding parity set. This is where the EVENODD property arises. In order to allow reconstruction from two failures, each data disk must not contribute to at least one parity set. By avoiding a square array of n×n data blocks, the diagonal parity sets have n−1 data block members. Yet, as noted, such an arrangement does not have a location for storing the parity block for all the diagonals. Therefore, the parity of the extra (missing) diagonal parity block (X) is recorded by XOR'ing that diagonal parity into the parity of each of the other diagonal parity blocks. Specifically, the parity of the missing diagonal parity set is XOR'd into each of the parity blocks P4 through P7 such that those blocks are denoted P4X-P7X.
For reconstruction, the parity of the diagonal that does not have a parity block is initially recomputed by XOR'ing all of the parity blocks. For example, the sum of all the row parities is the sum of all the data blocks. The sum of all the diagonal parities is the sum of all the data blocks minus the sum of the missing diagonal parity block. Therefore, the XOR of all parity blocks is equivalent to the sum of all the blocks (the row parity sum) minus the sum of all the blocks except the missing diagonal, which is just a parity of the missing diagonal. Actually, n−1 copies of the missing diagonal parity are added into the result, one for each diagonal parity block. Since n is an odd prime number, n−1 is even, resulting in the XOR of a block with itself an even number of times (which is a zero block). Accordingly, the sum of the diagonal parity blocks with the additional missing parity added to each is equal to the sum of the diagonal parity blocks without the additional diagonal parity.
Next, the missing diagonal parity is subtracted from each of the diagonal parity blocks. After two data disks fail, there are at least two diagonal parity sets that are missing only one block. The missing blocks from each of those parity sets can be reconstructed, even if one of the sets is the diagonal for which there is not a parity block. In any case, there is at least one block that can be reconstructed. Once that block is reconstructed, all but one member of one of the row parity sets is available. This allows reconstruction of the missing member of that row. Reconstruction occurs on another diagonal, which provides enough information to reconstruct the last missing block on that diagonal.
Since n is prime, a cycle is not formed in the reconstruction until all the missing data blocks have been reconstructed. If n were not prime, this would not be true in all cases. If both parity disks are lost, a simple reconstruction of parity from data can be performed. If a data disk and the diagonal parity disk are lost, a simple RAID-4 style reconstruction of the data disk is performed using row parity followed by reconstruction of the diagonal parity disk. If a data disk and the row parity disk are lost, then a diagonal parity may be computed. Since all diagonals have the same parity, the missing block on each diagonal can subsequently be computed.
The EVENODD technique thus allows reconstruction of a lost block within a horizontal parity set in view of a double failure. Since each block is further organized into a diagonal parity set, when two disks are lost (a double failure), there are two parity sets that have lost only one member. Each disk has a parity set that is not represented on that disk. Accordingly, for a double failure, there are two parity sets that can be reconstructed.
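The EVENODD encoding and the serial reconstruction after the loss of two data disks, as described above, can be followed in the added example below (not code from the patent or from the EVENODD authors). It assumes blocks modeled as Python integers, a diagonal index of (row + disk) mod n with diagonal n−1 as the one lacking its own parity block, and hypothetical function names `encode`, `decode` and `sample`; the cases where a parity disk is among the failures are not covered.

```python
from functools import reduce
from operator import xor

def encode(data, n):
    """EVENODD encode. data is (n-1) rows x n columns of blocks, one column
    per data disk, n an odd prime. Blocks are modeled as ints (assumption);
    XOR on ints stands in for XOR over whole disk blocks."""
    rows = n - 1
    row_par = [reduce(xor, data[i]) for i in range(rows)]
    diag = [0] * n                       # plain parity of each of the n diagonals
    for i in range(rows):
        for j in range(n):
            diag[(i + j) % n] ^= data[i][j]
    s = diag[n - 1]                      # diagonal with no parity block of its own
    return row_par, [d ^ s for d in diag[:n - 1]]  # S folded into each stored block

def decode(data, row_par, diag_par, n, lost):
    """Rebuild the data-disk columns in `lost` (at most two); values in those
    columns of `data` are ignored. Both parity disks must be intact."""
    rows = n - 1
    grid = [[None if j in lost else data[i][j] for j in range(n)]
            for i in range(rows)]
    # XOR of all parity blocks is S: the n-1 (even) folded copies cancel.
    s = reduce(xor, row_par) ^ reduce(xor, diag_par)
    # Subtract S from the stored diagonal parities; diagonal n-1 has parity S.
    diag = [d ^ s for d in diag_par] + [s]
    sets = [([(i, j) for j in range(n)], row_par[i]) for i in range(rows)]
    sets += [([(i, (d - i) % n) for i in range(rows)], diag[d]) for d in range(n)]
    missing = {(i, j) for i in range(rows) for j in lost}
    while missing:
        progress = False
        for cells, parity in sets:
            unknown = [c for c in cells if c in missing]
            if len(unknown) != 1:
                continue
            i, j = unknown[0]            # the set's only lost block: XOR the rest
            grid[i][j] = reduce(xor, (grid[a][b] for a, b in cells
                                      if (a, b) != (i, j)), parity)
            missing.discard((i, j))
            progress = True
        if not progress:
            raise ValueError("stalled: every parity set has 0 or 2+ lost blocks")
    return grid

def sample(n):
    """Constructed sample stripe: (n-1) x n blocks of arbitrary byte values."""
    return [[(37 * i + 11 * j + 5) % 256 for j in range(n)] for i in range(n - 1)]

if __name__ == "__main__":
    n = 5
    data = sample(n)
    rp, dp = encode(data, n)
    assert decode(data, rp, dp, n, lost={1, 3}) == data
    print("columns 1 and 3 rebuilt")
```

With the non-prime n = 9 and data disks 0 and 3 lost, `decode` rebuilds only rows 2 and 5 before the chain of diagonals closes on itself, and it raises `ValueError`, which is the cycle the prime-n requirement avoids.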
Although the EVENODD technique is optimal in terms of the amount of parity information, the amount of computation required for both encoding and decoding is only asymptotically optimal. This is because of the extra computation required to add the missing diagonal parity into each of the diagonal parity blocks. That is, all diagonal parity blocks must be updated for any small write operation to a data block along the diagonal. Extra computation is also needed for a large write operation. Moreover, extra computation is required to reconstruct a lost disk after a failure, as the parity of the missing diagonal must be computed in all reconstruction scenarios. In most cases, this is done by adding all of the blocks in a stripe for the two surviving parity disks.
Therefore, the present invention is directed to a technique that protects against a double failure by allowing recovery of data from any one or combination of two lost disks within a disk array.