This invention relates to an improvement of a disaster recovery system, and more particularly to a disaster recovery system suitably applicable for a database.
In recent years, information technology (IT) systems are so indispensable for business that continuing business despite failures or disasters becomes more and more important. The opportunity loss accompanied by stopping IT systems will be so huge that it is said to be, for example, millions of dollars in the financial sectors or major enterprises. Against such a background, attentions have been focused on a disaster recovery (hereinafter called “DR”) technology, which provides two (primary/secondary) sites to back up business data into the secondary site in normal times, and to continue the business on the secondary site in the event of a disaster.
It is the most important requirement that a database (hereinafter called “DB”) is recovered without any loss even in the event of a disaster in DR because data of enterprises are usually stored in such a DB. Because backups are executed continuously in normal times, it is also required that the influences on on-line business in the primary site should be minimized. Further, in recent years, preparing for a wide area disaster such as an earthquake, that is, a DR system locating a secondary site at a remote area hundreds to thousands of kilometers away is demanded.
In the DR system, in the event of a disaster, the DB is recovered in the secondary site, and the business is resumed by a database management system (DBMS) in the secondary site. A conventional method of updating a DB of a DBMS and recovering a DB in the event of a failure or a disaster is described.
First, the method of updating a DB in normal operations is described. The DBMS manages logs which record differences of data in addition to a DB wherein data is stored. When a data change is instructed to the DBMS, the differences created by the change are recorded on a log file wherein the log is recorded on the storage system. However, such a change is outputted to a storage system at certain times without being reflected on the DB soon, for improving performance. About the certain times, the process called a checkpoint (hereinafter called “CP”) is well known. The CP is generally issued taking the opportunity where a predetermined period of time has passed, or, a predetermined number of transactions are conducted. Here, the logs representing updated differences have serial numbers (log sequence numbers or LSN), because the logs are added each time an update is executed. At the time of CP, CP information including CP acquired time or the LSN of the log in order to indicate up to which log is applied to the DB, is recorded. A header of a log file or an exclusive file is considered as the destination wherein CP is saved. The following describes a case where an exclusive file is used.
A DB recovery process in the event of a failure is executed with the CP as a starting point. The procedure is described with reference to FIG. 16. First, CP information is read in a step 201, and then a log reading position is decided in a step 202. In other words, reading may be started from the log after the LSN which is recorded in the CP information (ensuring that the log has been reflected to the DB at the time of CP). Next, in a step 203, log files are read to the end and the logs are applied to the DB in a sequence of reading. The log is recorded with an image after the update is applied and a destination where the update is applied (in some cases, operations are recorded instead of images). Applying the image to the corresponding destination allows reproducing the added updates. Such a log application process is called a redo process or a roll forward process.
Here, redo processes are executed while managing the commitment of transactions (hereinafter called “Tr”), that is, the transaction is committed or uncommitted are managed. Tr management can be executed, for example, by using the management table illustrated in FIG. 17. For example, a transaction table 300 may have items including a transaction identification (Tr-id) 301 which is uniquely assigned to each Tr, and an LSN 302 of the starting log of the Tr. When a starting log that belongs to a new Tr is read, its Tr-id and LSN are registered in the transaction management table. Otherwise, as shown in a transaction management table 310 in FIG. 7, the chain of information 313 (an LSN 320, a log type 321, a usage resource 323) of the log which forms the Tr, for each Tr (a Tr-id 311) may be managed. When the Tr is committed, the corresponding Tr is deleted from the table. Through this operation, when all logs are applied, the list of uncommitted Tr is obtained.
When logs are all read and there is no unapplied log, uncommitted transactions are deleted by using this Tr management table, that is, reading back the logs of relating Tr and canceling the transactions. This canceling process is called as an undo process or a rollback process. When the undo process is completed, the DB has consistency where only the updates included in committed Tr are reflected, and it is allowed to resume the business to add new updates.
It is possible, by resuming the business in parallel with the undo process, to reduce the time to restart. In other words, at the time the redo process is completed, a resource, which is used for an uncommitted Tr, is deduced, and the resource is locked while resuming the business.
In recent years, storage systems become more and more sophisticated, and storage systems including a remote copy function allowing transmission between the sites without a server have been developed. A DR system adopting this remote copy function is shown in FIG. 15. A primary site 1 and a secondary site 9 have, respectively, a primary server 100 and a secondary server 110, and a primary storage system 103 and a secondary storage system 113. The servers and storage systems are respectively connected via a server-to-server network 150 and a storage-to-storage network 120. Further, a primary DBMS 101 and a secondary DBMS 111 are installed in the primary server 100 and the secondary server 110, respectively.
In normal operations, business is conducted in the primary DBMS 101 of the primary site (hereinafter called “primary DBMS”). The storage systems 103 and 113 include a primary DB 107 and a secondary DB 117, and the volumes which store a primary log 106 and a secondary log 116, respectively. The primary log 106 and the primary DB 107 are respectively copied to the secondary log 116 and the secondary DB 117 by a remote copy 140.
In this structure, the secondary server 110 is unnecessary in normal operations because backups in normal operations are feasible only with a storage system. Only when business is conducted at the secondary site 9 because of a disaster and the like, the secondary server 110 is necessary. In that case, the process starts the DBMS 111 on the secondary site 9, executes the recovery process (redo/undo) as described in FIG. 16, and resumes receiving business. For copying method of the logs 106, 116, and the DBs 107, 117, the method of transmitting both the logs and the DBs by synchronous remote copy is well known. In the synchronous copy, writing to the primary site 1 is not completed until copying to the secondary site 9 is completed. Therefore, it is ensured that the update in the primary site 1 has been transmitted to the secondary site 9, and it is possible to recover the DB without any loss even in the event of a disaster. However, there is a problem in that the on-line performance in the primary site 1 is degraded due to delays added each time the writing is executed when the secondary site is located hundreds of kilometers away from the primary site in order to prepare for a wide area disaster.
In view of the above, there is a known method in which a log including differences to update is transmitted synchronously and a database, which is recoverable from the log, need not be transmitted in order to realize recovering without loss and sustain the on-line performance simultaneously. In other words, a method of recovering a DB in a secondary site is realized by redoing a log that is copied from a primary site is known (for example, U.S. Pat. No. 5,640,561).
Likewise, a method in which log transfer function is incorporated to a DBMS is also well known (“Oracle Data Guard”, “Overview of Oracle Data Guard Functional Components”, [online], “Searched Apr. 27 2004”, <http://otn.oracle.com/deploy/availability/htdocs/DataGuardOverview.html>).
The system construction is described referring to FIG. 18. It is the same that a primary/a secondary site comprises, respectively, a server 100/110 and a storage system 103/113, and a DBMS 101/110 is installed in the corresponding server 100/110. However, it is unnecessary for the storage system 103/113 to have a remote copy function, the connection between the sites is connected only via a network 110. Copying a log 106 is executed by the DBMS 101/111, that is, the primary DBMS 101, simultaneously, writes in the primary storage system 103 and forwards the log to the secondary DBMS 111. The secondary DBMS 111 simultaneously writes the received log to the secondary storage system 113 and updates the DB by applying the read log to the DB 117.