JP2005157462A - System switching method and information processing system - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide an information processing system performing switching, wherein the stop period of a service is shortened as much as possible even when system switching fails due to a program failure. <P>SOLUTION: A remote machine 200 is provided with a database 210 in which generation-managed software and its definition are stored and a database 220 in which the operation result of each program is associated with each other, and a first device as a current system and a second device as a stand-by system are provided with system switching functions 11 and 21, respectively, having restoration destination information storage parts 14 and 24 and program restoration functioning parts 12 and 22 having failure-categorized restoration tables 15 and 25. When the system switching to the second device is operated due to the program failure of the first device, a failure program is restored in a third device. When the system switching fails due to the generation of the identical failure of the second device, the processing is switched to the third device being the restoration destination of the program. <P>COPYRIGHT: (C)2005,JPO&NCIPI

Description

  The present invention relates to a system switching method and an information processing system in an information processing system composed of an active system device and a standby system device, and more particularly to a system switching method suitable for use when a software failure occurs in an active system device and The present invention relates to an information processing system.

  In general, an information processing system that performs system switching has two systems that provide the same function or service, the active system is the active system, and the other system is the standby system. It is configured to recognize each other device by communicating with the standby system device. In such an information processing system, when a failure occurs in the active device, the active device transmits failure information to the standby device, and the standby device that receives the failure information becomes the active device as a system. On the other hand, the active system device in which the failure has occurred is controlled to become the standby system device, thereby preventing the service from being stopped.

For example, the techniques described in Patent Document 1, Patent Document 2, and the like are known as conventional techniques related to an information processing system that performs system switching.
JP 11-96033 A JP-A-6-131208

  In an information processing system that performs system switching, the cause of switching between the active system device and the standby system device is a hardware failure and a software program failure. In the conventional technology described above, the same version of the program must be installed in the apparatus so that the active apparatus and the standby apparatus provide the same function or service. An information processing system in which the same version of the program is installed on both devices has a countermeasure such as restarting the program when the cause of the program failure in the active device is on the service request side such as user data. However, if a problem exists in the program itself, the software failure caused by the same cause as the failure that occurred in the active device can be changed even after the standby device is switched as the active device. As a result, there is a problem in that switching fails and service provision must be stopped until the cause is specified.

  An object of the present invention is to solve the above-described problems of the prior art, and in an information processing system, even when the cause of a failure is a program failure and switching fails, the service stop period can be shortened as much as possible. Another object is to provide a system switching method and an information processing system.

  According to the present invention, the object is configured by a first device as an active device and a second device as a standby device, and an information processing system that switches operation to the second device when the first device fails. In the system switching method in the above, when the failure due to a program failure occurs, the first device performs system switching to switch its operation to the second device, and causes the device that recovers the program to recover the failed program, After the system switchover, when the second device generates a failure similar to that of the first device and fails in the system switchover, the second device performs the system switchover that switches the operation to the device that recovers the program. Achieved.

  In addition, in the information processing system, the object is configured by a first device as an active device and a second device as a standby device, and the operation is switched to a second device when the first device fails. The first and second devices correspond to the system switching function unit having means for performing system switching when a failure occurs, holding the recovery destination state for recovering the failed program, and the failure information and the program to be recovered. Access to the recovery management database that associates the program with its recovery processing and operation results, issues a recovery command to the device that recovers the program, and receives the recovery command to define the program and definition This is achieved by providing a program recovery function having a function for setting the operating environment.

  According to the present invention, even when system switching fails due to a program failure, a program or environment that operates reliably is deployed to a specified recovery destination device, and the recovery destination device is placed in a hot standby state. Therefore, the service suspension period can be shortened by switching the system to the recovery destination apparatus.

  Embodiments of a system switching method and an information processing system according to the present invention will be described below in detail with reference to the drawings.

  FIG. 1 is a block diagram showing a configuration of an information processing system according to an embodiment of the present invention. In FIG. 1, 1 is a communication path, 11, 21, and 31 are switching function units, 12, 22, and 32 are program recovery function units, 13, 23, and 33 are operating environment units, and 14, 24, and 34 are recovery destination state holdings. 15, 25, 35 are failure recovery tables, 110 is a first device, 120 is a second device, 130 is a third device, 200 is a remote machine, 210 is a recovery resource management database, and 220 is a recovery process management database. is there.

  An information processing system according to an embodiment of the present invention is configured by connecting a first device 110, a second device 120, a third device 130, and a remote machine 200, all of which are configured by a computer, via a communication path 1. . In the system of the illustrated embodiment, the first device 110 is an active device, the second device 120 is a standby device in a hot standby state, and the third device 130 is a device that recovers a program. Further, since the third device 130 is dedicated to program recovery, it is in a cold standby state (a state in which other processing is being executed). The remote machine 200 is a dedicated device for maintaining programs, and a recovery processing management database 220 and a recovery resource management database 210 are created and held.

  The first device 110 and the second device 120 recover a program, a function for transmitting and receiving information on a device for restoring a program and failure information, a function for detecting a program failure on the operating environment units 13 and 23, and a program. Switching function units 11 and 21 having recovery destination state holding units 14 and 24 that hold the status of whether or not the device can be switched are provided. For example, when a program failure occurs in the operating environment unit 13 of the first device 110 due to the functions of the switching function units 11 and 22, the processing performed in the first device 110 is switched to the operating environment unit 23 of the second device 120. be able to. Further, the first device 110 and the second device 120 have failure recovery tables 15 and 25 in which failure information and programs to be recovered are stored in association with each other, and a failure has occurred using the information in this table. Program recovery function units 12 and 22 for recovering programs are provided. The program recovery function units 12 and 22 notify the third device 130, which is a device for recovering the program, of the recovery command via the data transfer line 42. In the program recovery function units 12 and 22, information on a device for recovering a program is set.

  As will be described later in the processing operation, the third device 130, which is a device for recovering the program, also acts as a substitute for the processing of the first device 110 or the second device 120 in which a program failure has occurred. Similar to the second apparatus, it is configured to include a switching function unit 31 having a recovery destination state holding unit 34, a program recovery function unit 32 having a failure-specific recovery table 35, and an operating environment unit 33.

  In the embodiment of the present invention, the third device 130 that is a device for recovering the above-described program is not necessarily present, and the present invention can be configured without providing the third device 130. In this case, as will be described later in the processing operation, a program failure occurs in the first device 110 as the active device, and the processing performed by the first device 110 is transferred to the second device 120 as the standby device. After the transition, the first device 110 is operated as a device for recovering the program.

  Although not shown in the drawing, the first device 110, the second device 120, the third device 130, and the remote machine 200 configured by a computer are used by the CPU that controls the entire device and the CPU. It only needs to be configured to include a memory for storing programs, data, and the like, an external storage device such as a hard disk, an input device such as a keyboard and a mouse, and a display. 1 is realized by the CPU executing a program stored in the memory.

  FIG. 2 is a diagram showing the structure of data stored in the recovery process management database 220 in the remote machine 200, which will be described next.

  Data in the recovery processing management database 220 includes a category 201 classified by function of the program, a program name 202 classified by version, version information 203 thereof, and definition information 204 necessary for operating the program. And the command 205 necessary for constructing the operating environment are associated with each other. Further, the data in the above-described database is managed for the operation results 206 and set for each program. In the case of the illustrated example, A in the operation record 206 indicates that it is in a recoverable state, B indicates that it is in operation, C indicates that there is a failure record, and although not illustrated, D Indicates that the program should not be recovered. The operation results are updated every time the system switching function in the active system detects a program failure. The associated command has a process of expanding the definition of the program shown in FIG. 3 to be described later and recovering the program, and the operating environment is constructed by this command.

  FIG. 3 is a diagram showing a structure of data stored in the recovery resource management database 210 in the remote machine 200, which will be described next.

  Data stored in the recovery resource management database 210 includes programs 221 to 224 that are generation-managed for each version of the program and configuration definitions 225 to 228 that are necessary for the program to operate. Each of the programs 221 to 224 includes a module configuration, a user application name, and a construction (setup) command necessary for the program to operate. This command differs depending on the program to be recovered, but when it is managed for each software, it may be a setup command provided by the software or a shell program combining the commands. Further, the programs 221 to 224 and the configuration definitions 225 to 228 are grouped so that the programs can be operated only by developing the associated programs and definitions. Although the form of definition varies depending on the program to be recovered, in the example of the embodiment of the present invention, the definition (development destination, configuration) is to be developed in a certain place.

  Next, regarding the switching process when a program failure occurs in the embodiment of the present invention, the first device 110 that is the active system detects the program failure, notifies the second device 120 that is the standby system, and recovers the failure. A process for notifying the third apparatus 130 as a system of a program recovery instruction, a process for specifying a program to be recovered according to the failure information, and the second apparatus 120 as a standby system receiving the failure information, and the active system The following describes four processes: a process when a program failure occurs after service provision is started, and a process for recovering a program in the third device 130 for recovering the program.

  FIG. 4 is a flowchart for explaining a switching process when the system switching function detects a program failure in the first device 110. First, this will be described.

(1) When the first device 110 detects a failure in the program, the first device 110 notifies the second device 120 of information on the third device 130 for restoring the program and the failure information, and causes the second device to execute a switching process ( Steps 401, 402, 408).

(2) Next, the first device 110 performs a process of selecting a program to be recovered based on the failure information detected in step 401, and determines whether or not a program to be recovered has been identified. The program to be recovered is identified based on the operation results in the data described with reference to FIG. 2, and when there is no recoverable or unavoidable one, it is unavoidable to select the one with a failure record ( Steps 403 and 404).

(3) If it is determined in step 404 that there is no recoverable program, the failure processing of the active system here ends.

(4) If it is determined in step 404 that there is a recoverable program, it is determined whether the apparatus that recovers the program is the own machine and whether the program specified in step 403 is in operation. In this determination, the apparatus for recovering the program is the own machine when the third apparatus 130 does not exist in the system shown in FIG. 1 or when the third apparatus 130 cannot be used for some reason ( Step 405).

(5) If it is determined in step 405 that the apparatus for recovering the program is the own machine and the program specified in step 403 is operating, the own apparatus, here, the first apparatus 110 The operating environment of the apparatus is stopped and the target program is stopped (step 406).

(6) If it is determined in step 405 that the apparatus for recovering the program is not its own machine and the program specified in step 403 is not in operation, or after the processing in step 406, the apparatus for recovering the program On the other hand, the recovery instruction including the information of the program to be recovered obtained in step 403 is notified. The notification information includes information on the second device 120 that is the switching destination, the identified program, its definition, and information on the construction command. If the process of step 406 is performed, the partner apparatus that notifies the recovery command in this process is the first apparatus 110 that is its own apparatus, and the apparatus that recovers the program by the determination of step 405 itself. If it is not a machine and the program specified in step 403 is not in operation, it is the third device 130 in the cold standby state (step 407).

  FIG. 5 is a diagram showing an example of the structure of the failure-specific recovery tables 15 and 25 included in the program recovery function. Next, this will be described.

  The failure-specific recovery table shown in FIG. 5 stores failure information and a program to be recovered in association with each other. Faults A to C in the records 501 to 503 shown in FIG. 5 are information that can be acquired from log information as in the case of the prior art, or are notified by a program calling an interface provided by the system switching function. It may be the information that was made. In the embodiment of the present invention, a plurality of programs can be associated with each other according to a failure as in the record 503.

  FIG. 6 is a flowchart for explaining the processing operation for specifying the program to be recovered corresponding to the failure information in the program recovery function unit 12 of the first device, which will be described next. This process is the details of the process of step 403 described with reference to FIG.

(1) The program recovery function unit 12 refers to the failure-specific recovery table 15 based on the failure information sent from the system switching function 11, and specifies a failure occurrence program corresponding to the failure that occurred in the active system (step) 601).

(2) Next, in order to prevent the failed program from being the target of the program to be recovered, a record in which the operation result of the recovery processing management database 220 shown in FIG. To find the corresponding program (step 602)
(3) The operation results associated with the corresponding program are reset through the data transfer line 41 shown in FIG. In the case of the embodiment of the present invention, as shown in FIG. 2, since the operation record of the version 1.1 program Prog_A is B, indicating that it is operating, the program identified in step 602 and the operation record is B. This record is searched, and the operation result of this version of the program is reset from B to C indicating that there is a failure record (step 603).

  FIG. 7 is a flowchart for explaining the processing operation for obtaining the version of the program to be recovered based on the information of the program to be recovered obtained by the processing of FIG. 6, and this will be described next.

  In this process, the program recovery function unit 12 acquires the operation results of the program to be recovered from the recovery processing management database 220, and can confirm that there is a recoverable program or that there is no program to be recovered. (Steps 1001 to 1003).

  For example, since the operation history of the version 1.1 program Prog_A has changed from B to C by the process described with reference to FIG. 6, NO is determined in step 1003. Then, the previous version is specified by the process of step 1002, and the operation results are determined by the processes of steps 1001 and 1002. Further, in the embodiment of the present invention, the recovery processing management database 220 is classified as a category for each function in addition to the version. Therefore, when there is no previous version of the program, an equivalent function is provided. Another program having (same category) can be specified. If it is determined that the program is recoverable, the process of specifying the recoverable program is terminated, and the process of step 407 in the flow of FIG. 4 is executed.

  FIG. 8 is a flowchart for explaining the processing operation of the second device 120 when the failure information transmitted from the first device 110 is received. FIG. 9 is a diagram showing the data structure of the recovery state holding units 14 and 24. These will be described below. The process shown in FIG. 8 is the details of the process in step 408 described with reference to FIG.

(1) The second device 120 uses the information of the third device 130 that is the recovery destination device and the failure information transmitted by the process of step 402 in the failure processing of the active system described with reference to FIG. The information received by the system switching function 21 of 120 is set in the recovery destination state holding unit 24. As shown in FIG. 9, the data set and held in the recovery destination state holding unit 24 is generated in the active system, information on the recovery destination device, a flag indicating whether or not to switch to the recovery destination, and the like. Failure information. Data set in this processing is the recovery destination 801 and the failure information 803 (steps 701 and 702).

(2) The system switching process is performed based on the information set in the process of step 702, and the second apparatus 120, which is the standby system, starts providing services as the active system in place of the first apparatus 110. (Step 703).

(3) When the second device 120 that has started providing the service as the active system detects the occurrence of a failure during its operation, the second device 120 checks the switchability flag 802 and the failure information 803 of the recovery destination information holding unit 24 to recover the recovery destination It is determined whether or not the program has been restored to the third device 130, that is, whether or not switching to the third device 130 is impossible (steps 704 and 705).

(4) If it is determined in step 705 that the switching to the third device 130 is possible, the switching process to the third device 130 is performed. On the other hand, if the switching is impossible, the system service is provided. Stop and identify the failure investigation (steps 707, 706).

  In the above-described processing, the processing in step 706 is stopped. However, the program recovery function 22 of the second device 120 may be used to recover the program.

  FIG. 10 is a flowchart for explaining the processing operation when the third device 130 for restoring a program receives an instruction to load a program from the first device 110, which will be described next.

(1) When the third device 130 receives a program recovery command from the first device in the process of step 407 in the flow described with reference to FIG. 4, the program for the processing of the own device is operating in the third device 130. If the program is operating, the operating environment unit is stopped and the operation of the program is stopped (steps 901 to 903).

(2) If it is determined in step 902 that the program is not in operation, or after the operating environment unit is stopped by the processing in step 903, the recovery resource management table 210 is based on the recovery information received in step 901. The program set and definition information for operating the program are acquired via the data transfer line 43 in FIG. 1 (step 904).

(3) Next, the program and definition obtained in the process of step 904 are expanded to distribute them to the operating environment unit, and further, the construction command obtained in step 901 is executed and recovered. The selected program enters the hot standby state. Since the process can be switched to the third apparatus at this stage, the fact that the switch is possible is notified using the information of the switch destination obtained in step 901. Here, the second device 120 is notified that switching is possible. Receiving this, the second device 120 sets the switchability flag of the recovery destination information holding unit 24 to enable (steps 905 to 907).

  Each processing in the above-described embodiment of the present invention can be configured as a processing program, and this processing program is stored in a recording medium such as HD, DAT, FD, MO, DVD-ROM, and CD-ROM and provided. It can also be provided via a communication line.

  The above-described embodiment of the present invention has been described as applying the present invention to an information processing system having a duplex configuration including an active system device and a standby system device. However, the present invention provides at least a program required for system switching. The present invention can be applied to an information processing system provided.

  According to the embodiment of the present invention described above, even when system switching fails due to a program failure, the program recovery function 12 deploys a program or environment that is surely operated to a specified recovery destination device for recovery. Since the destination device is in a hot standby state, the service suspension period can be shortened by switching the system to the recovery destination device.

  Further, according to the embodiment of the present invention, even when the program recovery function in the active system is a difficult failure, the program that operates reliably to the recovery destination can be expanded by using the standby program recovery function. Since it can be in the hot standby state, it is possible to recover a program that operates in a portion close to hardware such as an operating system.

It is a block diagram which shows the structure of the information processing system by one Embodiment of this invention. It is a figure which shows the structure of the data stored in the recovery process management database in a remote machine. It is a figure which shows the structure of the data stored in the recovery resource management database in a remote machine. It is a flowchart explaining the switching process when the system switching function detects a program failure in the first device. It is a figure which shows the example of the structure of the recovery table classified by failure contained in a program recovery function. It is a flowchart explaining the processing operation which specifies the program which should be recovered | restored corresponding to the failure information in the program recovery function part of a 1st apparatus. 7 is a flowchart for explaining a processing operation for obtaining a version of a program to be recovered based on information on a program to be recovered obtained by the processing of FIG. 6. It is a flowchart explaining the processing operation of the 2nd apparatus at the time of receiving the failure information transmitted from the 1st apparatus. It is a figure which shows the data structure of a recovery state holding | maintenance part. It is a flowchart explaining the processing operation when the 3rd apparatus which recovers a program receives the command which loads a program from a 1st apparatus.

Explanation of symbols

1 Communication path 11, 21, 31 Switching function unit 12, 22, 32 Program recovery function unit 13, 23, 33 Operating environment unit 14, 24, 34 Recovery destination state holding unit 15, 25, 35 Failure-specific recovery table 110 First Device 120 Second device 130 Third device 200 Remote machine 210 Recovery resource management database 220 Recovery processing management database

Claims (9)

In a system switching method in an information processing system configured by a first device as an active device and a second device as a standby device, and switching the operation to the second device when the first device fails,
When a failure due to a program failure occurs, the first device performs system switching for switching the operation of the second device, causes the device for recovering the program to recover the failed program, and after the system switching, A system switching method characterized in that when the second device generates a failure similar to that of the first device and fails in system switching, the second device performs system switching to switch the operation to the device that recovers the program. .   2. The system switching method according to claim 1, wherein the apparatus for recovering the program is an independent third apparatus or the first apparatus after system switching.   When a program failure occurs, the first device identifies a program to be recovered from the failure information, identifies an appropriate version of the program from the generation management program based on the operation results, and notifies a recovery command to the device that recovers the program The system switching method according to claim 1, wherein:   2. The system according to claim 1, wherein the second device refers to the recovery destination information sent from the first device when switching the operation to the device that recovers the program, and performs system switching to the recovery destination device. System switching method.   The apparatus for recovering the program obtains a file necessary for operation from a recovery resource management database in which generations of programs and definitions are managed, and constructs an operating environment by executing a command associated with the recovery processing management database. The system switching method according to claim 1, further comprising: notifying the first device that the construction has been completed. In an information processing system configured by a first device as an active device and a second device as a standby device, and switching the operation to the second device when the first device fails,
The first and second devices hold a recovery destination state for recovering a program in which a failure has occurred, a system switching function unit having means for performing system switching when a failure occurs, fault information and a program to be recovered It has a recovery table for each associated failure, accesses a recovery processing management database that associates the program with its recovery processing and operation results, issues a recovery command to the device that recovers the program, receives the recovery command, and defines the program and definition An information processing system comprising a program recovery function having a function of setting a computer as an operating environment.   The information processing system according to claim 6, wherein the apparatus for recovering the program is an independent third apparatus or the first apparatus after system switching.   The first device and the second device are devices that specify a program to be recovered from failure information when a program failure occurs, specify an appropriate version program from a generation-managed program based on operation results, and recover the program. The information processing system according to claim 6, wherein a recovery command is notified. A system switching processing program comprised of a first device and a second device, and possessed by the first device and the second device that switches its operation to the other device when the one device fails,
From the step of system switching to switch the operation to the other device when a failure occurs due to a program failure, the step of identifying the program to be recovered from the failure information when the program failure occurs, and the generation-managed program from the operation results A step of identifying an appropriate version of the program, a step of notifying a recovery instruction to a device for recovering the program, and a device for recovering the program when a failure occurs in the device after the system switching and the system switching fails And a system switching process program for switching the system by executing each of the processing steps.

Images