JPS629929B2 - - Google Patents

Description

DETAILED DESCRIPTION OF THE INVENTION The present invention provides solutions for failures in data used by business jobs, particularly in online system operators.
It relates to a recovery method that performs recovery processing in parallel with operation and subsequent re-integration into a dynamic system.

Figures 1 to 3 show conventional recovery methods, with Figure 1 explaining the recovery method for the entire volume, Figure 2 explaining the recovery method for device failure, and Figure 3. FIG. 2 is a diagram illustrating a failure with respect to a partial failure.

In FIG. 1, VOO1 represents the volume, A and B represent the data sets, and _J1 to _J3 represent the users, respectively. If a failure occurs in the entire volume, the jobs of all users J ₁ to J ₃ are closed, leaving the number of users at zero. Next, set a new spare medium on the device, give the same volume name to this spare medium, and perform volume initialization. Next, the data set is restored using the backup data and log data. After the data set is restored, start up the user's job.

FIG. 2 explains a recovery method when a device failure occurs. In the figure, DV is the device,
UCB indicates a unit control block, respectively. For example, suppose a failure occurs in the device with machine number 110, then transfer the medium on the device with machine number 110 to another device, for example, the device with machine number 111, and set the volume name to the medium.
Give VOO1 and rewrite the machine number name etc. of the unit control block UCB. This process of rewriting the contents of the unit control block UCB is called swap processing.

Figure 3 explains the recovery method when a volume partial failure occurs.
REC is record, ATRI is alternate track information department,
ATR indicates each alternate track. As shown in FIG. 3, when a fault occurs in a track, the operator allocates a replacement track to the faulty track and starts the rewriting utility. If there is no free replacement track, or if a failure is detected in the replacement track, the volume must be migrated to a new volume, and recovery as a whole volume failure is required.

The conventional method shown in Figure 1 has the disadvantage that the MTBF decreases because recovery cannot be performed unless the business job using the faulty data set is stopped, and furthermore, the medium to be recovered has the same volume information. There are restrictions that you must have,
It has the disadvantage that it requires preparation of a spare medium and initialization of the volume.

The conventional method shown in Figure 2 cannot be applied to large storage devices that cannot be moved in bulk, so if a device failure occurs in a device with such characteristics, it will essentially cause the entire volume to fail. It has the disadvantage of being stored away.

The present invention is based on the above considerations, and includes:
This eliminates the need for a spare volume by making it possible to recover and store some of the extents included in the entire volume of the storage device on any active volume, and furthermore, the extents recovered in this way can be recovered and stored on any active volume. The purpose of the present invention is to provide an extent swap recovery method that enables recovery processing and operation restart processing in an open state by using a dynamic swap method with . Therefore, when a volume failure occurs during access to a data set, the extent swap recovery method of the present invention recovers the extents on the failed volume on other volumes, and then restores the extents on the failed volume. This is an extent swap recovery method that swaps the recovery source extent and the recovery destination volume and space, and when a recovery command is input that includes information about the recovery source extent and the recovery destination volume and space, the total a recovery means for restoring a recovery source extent using dump data and log data, and updating control information indicating a relationship between the extent and a volume; and after restoring the extent, when the extent is requested. , extent swapping means for switching the extent access route by referring to the updated control information so as to access the extent stored in the space of the specified recovery destination volume; That is. Hereinafter, the present invention will be explained with reference to the drawings.

The present invention realizes the re-incorporation of a recovery data set while the failed data set remains in the state in which the user exists, that is, the open state, and provides flexibility regarding the recovery mode when recovering the data set. Its purpose is sex, etc., and its characteristics are listed below.

Large storage devices that will be developed in the future will have a large capacity and will often be in the form of fixed packs, so if a device failure occurs in these devices, recovery using the conventional dynamic device reconfiguration function (possible while open) Swap recovery) cannot be applied, and the entire volume is effectively treated as a failure, making recovery during operation impossible. Therefore, an alternative recovery method is needed, and is not limited to fixed large storage devices.As a standard open state recovery function, the failed extent is recovered in parallel with operation, and then the failed extent is restored. By dynamically swapping with subsequent extents, it is possible to re-incorporate it into the system.

The contents to be swapped in the open state include extent information that manages the first track address to the last track address of data on the recovery destination volume, and unit information that determines the access route to the recovery destination volume. be. It also covers unit information regarding input/output device resources that correspond to job control statements that are managed at the initiation stage of a user's job.

The information to be swapped above is held for each job of each user, so swapping must be performed with the qualifications of each user, so the first restarted access from the user after recovery Taking this as an opportunity, we are conducting a swap.

Since large storage devices in the future are showing a tendency to increase in capacity, it is not only possible to recover data sets using the spare volume or spare spindle as in the past, but also to use free space on the current volume. For this purpose, we first created catalog information managed by AIM (the relationship between data sets and volumes) as a countermeasure against the change in the correspondence relationship with the volume to which the extent belonged (was located). Support management information) can now be changed automatically in conjunction with recovery. Note that AIM is an OS subsystem located between the operating system and user programs. Regarding AIM,
For example, it is outlined in FACOM OS TV/F4.

Furthermore, it can be applied to various types of failures such as total volume failures, fixed pack type device failures, and partial failures, making it a wide-ranging recovery method in terms of target system scale.

4 to 10 show one embodiment of the present invention, FIG. 4 is a diagram showing a data set recovery mode according to the present invention, and FIG. 5 is a diagram showing an extent swap recovery method according to the present invention. 6 is a diagram illustrating access management to extents, FIG. 7 is a diagram illustrating the process from failure occurrence to access prohibition, and Figure 8 is a diagram illustrating the data recovery process for failed extents. Figure 9 shows the extent swap process with an open data set, Figure 1.
FIG. 0 is a diagram showing the logic for allocating volumes to new user jobs after failure extent recovery.

Figure 4A shows the case where when a total volume failure occurs in volume VOO1, extent A of volume VOO1 is restored to the free space of the current volume VOO2, and extent B is restored to the free space of the current volume VOO3. . Figure 4B shows that if a volume-wide failure occurs in volume VOO1, the volume
This shows the case where extents A and B of VOO1 are restored onto the spare volume.

FIG. 5 shows the extent swap of the present invention.
An overview of recovery method processing is shown. In addition,
,,... indicate the order of event occurrence.
For example, the volume of online user jobs is
If extent A or B on VOO1 is used and a general failure occurs in volume VOO1, the user job will be notified of the failure, and at the same time the operator will also be notified of the failure. . When notified of a failure, the operator specifies a free space to recover to using a job control statement and starts the AIM recovery job.
The AIM recovery job is a total dump
The data and log data are used to restore extents A and B to free space in the current volume VOO2 and the current volume VOO3.
Next, when access to the user job is resumed, extent swap processing is performed, and the user job is executed using extent A on volume VOO2 and extent B on volume VOO3.

FIG. 6 is a diagram illustrating the correspondence between extents and volumes and access management to extents. In the figure, UCB is the unit control block, DCB is the data set control block, DEB is the data set extent block, EACB is the extent access control block, EBLT is the extent list, TCB is the task control block, and TiOT is the task. Each shows an input/output table. The unit control block UCB has a one-to-one correspondence with the volumes, and manages the corresponding volume name (for example, identification information of VOO1) and the physical machine number to which the volume is installed.

The data set control block DCB is a control block used for data management when an application program accesses a certain data set, and is chained to the data set extent block DEB. The data set extent block DEB is a control block that manages data set extent information. address) and which device its volume is located on is managed by chaining UCB addresses. The extent access control block EACB is a control table under AIM management, and manages the status of access on an extent-by-extent basis. The extent list EBLT manages all application programs (all tasks) using the same extent, and is the extent access control block.
It is associated with EACB, and access/
The correspondence is managed using the extent number which is the key. The task control block TCB is a block for managing application program tasks, and is used here to have a correspondence relationship with tasks. Although the task input/output list TiOT is called a task, it is actually a table that manages allocation information regarding the resources of the input/output devices used in the job. When the application program opens the data set (declaring the start of use, at this point a chain relationship of unit control block ← data set control block DCB ← data set extent block is established), Correspondence with input/output resources is determined based on this table. Also, data set control block DCB and task input/output table
The relationship with TiOT is based on the DD name. Job control statement JCL is a control statement used when starting a user's (application program) job.
In order to allocate the input/output device resources to be used here, the name of the data set (in the DD statement) is specified. AIM catalog information manages the correspondence between extents and volumes when allocating data sets when starting an application program job, and is stored on a management data set called the AIM directory. Furthermore, when the user specifies input/output resources, the user specifies only the data set, and does not have to worry about the volume.

The flow of processing in FIG. 6 will be explained.
Prior to accessing the data set, the application program requests open processing to establish a chain relationship of data set control block DCB → data set extent block → unit control block, and then accesses the data. The sequence is to request read/write processing.

FIG. 6 shows the flow of processing when accessing data after opening is completed.

An application program makes a read/write data access request.

AIM's access management controls which extents and which data sets are accessible.
This is done on an extent-by-extent basis by referring to the status display on the access control block EACB.
Here, it is decided whether or not to allow access to data management.

If the access is possible, an access request is made to the data management.

' If the access is not possible (for example, a failure has occurred), this will result in an abnormal return to the application program.

In data management, the requested access key information (logical data location information) is converted into physical media information by referring to the data set extent block DEB, and the access/extent information is converted to physical media information by the corresponding unit control block UCB. Decide on the route.

Access data from physical media.

FIG. 7 shows the process from the occurrence of a failure to access prohibition.

When application program APL1 accessed extent A, a total volume failure occurred in volume VOO1.

Data management notifies AIM of the error information.

AIM outputs a failure message on the console to notify the operator of the cause of the failure and the extent of the failure.

In order to prohibit subsequent access to faulty extent A, an access prohibited status is displayed on the extent access control block EACB. This access prohibition has a prohibited range depending on the type of failure; in the case of an entire volume or device failure, access to the entire extent is prohibited; in the case of a partial failure, access to only the failed track is prohibited.

AIM notifies the application program that access has ended abnormally due to the occurrence of a failure.

A failure message displayed on the console alerts the operator to the need for extent recovery processing. After this, the system will be in fallback operation with the service of extent A stopped.

FIG. 8A is a diagram showing a data recovery process for a failed extent.

Data recovery for failed extents is performed by the operator starting the data set recovery utility job provided by AIM, and this job is executed in parallel with user jobs during system operation. The recovery control statement serves as input information for the recovery utility, and specifies the extent to be recovered and the volume name of the recovery destination in which it is to be stored. The user selects a volume with free space of the same size as the failed extent, and uses this control statement to specify the volume to be swapped. The recovery job is explained below.

Space allocation for the target extent is
Perform dynamic recovery utility. This is to avoid space allocation being impossible if normal space allocation at job initiation is used because there is another job using the same data set name.

Prevent access to the entire extent to be recovered. This is done in consideration of the case where the failure type of the target extent is a partial failure.

Recover data into the allocated space using total dump data and log data. FIG. 8B is a diagram illustrating input data. Total dump data is the initial time of the extent before it goes into operation.
This is backup data that takes into account the occurrence of failures. The log data is a data group in which data updated up to failure occurrence point Y after the above-mentioned siphoning is accumulated in correspondence with the record position of the volume.

Change the volume name corresponding to extent 1 in the AIM catalog information from VOO1.
Update to VOO2.

Sets swap required status in extent list EBLT.

When the recovery is complete, the access prohibition display in the extent access control block EACB is canceled.

FIG. 9 shows the process of swapping the failed extent of the open data set and the recovery destination extent. The processing in each step will be explained below.

After the faulty extent is recovered, swap processing for the corresponding extent that was open is performed by the application program (task) that was opening the target extent, triggered by the first resumption of access from the application program. This includes the data set control block UCB and data set extent block DEB required for data set access.
This is because it holds .

The application program resumes access after recovery.

If the status of the extent access control block is normal (accessible) and a swap requirement is displayed on the extent list EBLT corresponding to the task, the swap is executed.

Extent swapping involves swapping data.
Switch (swap) the physical extent information and UCB chain on the extent block DEB to the recovery destination, and also switch the UCB chain of the task input/output table TiOT to the recovery destination only if the task input/output table TiOT has not been swapped yet. Switch. If there are multiple application programs that use the same extent within one job, one task input/output table TiOT is managed within one job, so it can be logically assumed that the task input/output table TiOT has been swapped. The task input/output table TiOT is necessary so that there will be no inconsistency even if the job is opened again after closing the data without terminating the job.

~ Data management then processes the post-recovery media, resulting in a volume
Data in the recovery destination extent in VOO2 will be accessed.

FIG. 10 is a diagram showing the logic for allocating volumes to new user jobs after failure extent recovery. As shown in this figure, the AIM data set assigns a volume name at the time of job initiation based on the catalog information on the AIM directory data set, so the user can control the job according to the volume change. Care has been taken so that there is no need to change the text.

As is clear from the above description, according to the present invention, (1) it is possible to provide a recovery means that replaces the dynamic device reconfiguration function when a device failure occurs in a fixed pack type large storage device;

(2) When allocation of a replacement track at the time of a partial failure fails, only the relevant extent is swapped.
It can be recovered.

(3) There is no need to prepare a spare volume as long as a spare space is prepared on the current volume, and if the spare space is located on the current space of multiple units, it is effectively considered that there are multiple spare volumes. is equivalent to

(4) Since volume initialization is no longer necessary, recovery time is shortened.

Effects such as this can be obtained.

[Brief explanation of the drawing]

Figures 1 to 3 show conventional recovery methods, with Figure 1 explaining the recovery method for the entire volume, Figure 2 explaining the recovery method for device failure, and Figure 3. 4 to 10 show an embodiment of the present invention. FIG. 4 is a diagram showing a data set recovery mode according to the present invention. FIG. is the extent of the present invention.
A diagram showing an overview of the processing of the swap recovery method,
Figure 6 is a diagram explaining the correspondence between extents and volumes and access management to extents, Figure 7 is a diagram showing the process from failure occurrence to access prohibition, and Figure 8 is a diagram illustrating the data recovery process for failed extents. , FIG. 9 is a diagram showing the extent swap process with an open data set, and FIG. 10 is a diagram showing the volume allocation logic for a new user job after failure extent recovery. UCB...Unit control block, DCB...Data set control block, DEB...Data set control block.
Set extent block, EACB...extent access control block, EBLT...
Extent rinse, TCB...Task control block, TiOT...Task input/output table.

Claims (1)

[Scope of Claims] 1. Extent swapping that, when a volume failure occurs during access to a data set, restores the extent on the failed volume on another volume, and then swaps the extent with the extent on the failed volume. - In the recovery method, when a recovery command is input that includes information about the recovery source extent and the recovery destination volume and space, the total dump data and log data are saved in the space of the recovery destination volume specified above. a recovery means for restoring the restoration source extent using the above-mentioned recovery method and updating control information indicating the relationship between the extent and the volume; and after restoring the extent, when the extent is requested, extent swapping means for switching an access route of an extent by referring to the updated control information so as to access an extent stored in a volume space; and an extent swap recovery characterized by comprising: method.