JP2009123082A - Information processor and method and program for restarting system - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To surely restore a backup file when a failure occurs. <P>SOLUTION: An information processor has an external storage means for storing backup files; a local storage means for storing files used by applications; a reboot-related information management means for managing first information to determine at reboot after a failure whether or not a backup file should be restored from the external storage means to the local storage means in the next reboot and, if restoration is needed, to determine a backup file to be restored, and second information to determine a file to be applied in the next reboot; and a restore control means for controlling the restoration of the backup file according to the first information. The reboot-related information management means serves as a functional part of an application and the restore control means serves as an external functional part of the application. <P>COPYRIGHT: (C)2009,JPO&INPIT

Description

  The present invention relates to an information processing apparatus, a system restart method, and a system restart program, and is suitable for application to, for example, restarting a system from a backup file.

  Generally, in a system that requires high reliability, multiple generations of backup files are managed. In such a system, when restoring a backup file, some logic is required to select the backup file from multiple generations. For example, Patent Document 1 describes that a user selects a file to be restored.

In a system that requires extremely high reliability, such as a call server that provides IP phone services, there is a mechanism for autonomously restarting processes when a failure occurs in order to minimize system downtime. ing. Furthermore, when it is determined that the current file cannot be restarted, the recovery from the backup file is carried out autonomously by the system. At this time, restoration is required to restore the file as new as possible and to minimize the system stop time. For this reason, the recovery target program needs to have a logic for selecting an optimal file from a plurality of generation files including the current file. For this reason, the restore function is generally present in the same process as other functions of the process (for example, a network communication function and failure monitoring).
JP 2006-178645 A

  The main reason for restarting from a backup file is due to an application failure. For example, if the program has been modified due to the addition of a new function or bug correction, etc., and the executable file on the running server is updated, it will start with an unproven file, so such applications will fail. It is easy to generate.

  On the other hand, the cause of the failure is that the program becomes complicated and bugs are embedded by renovation.

  The restore function described above generally exists in the same process as other functions. In this case, however, a process failure caused by embedding a bug may affect the restore function that is a means of recovery from the failure. It was.

  Therefore, there is a demand for an information processing apparatus, a system restart method, and a system restart program that can reliably execute a backup file restore that is triggered by an application failure.

  The information processing apparatus according to the first aspect of the present invention includes (1) an external storage unit storing at least one backup file, (2) a local storage unit storing a file used by the application, and (3) the application When the system is restarted after the occurrence of a failure, whether or not to restore the backup file from the external storage means to the local storage means at the next system restart time can be determined. And reboot related information management means for managing second information that can determine which of the current file and the backup file to apply at the time of the next system restart, and (4) the first managed In accordance with the information, a list of backup files from the external storage means to the local storage means (5) the reboot related information management unit is configured as a function unit of the application, and the restore control unit is configured as a function unit external to the application. Features.

  The second aspect of the present invention is a system resumption method capable of restoring one of backup files stored in an external storage means to a local storage means for storing a file used by an application and restarting the system. (1) Whether the reboot related information management means restores the backup file from the external storage means to the local storage means at the time of the next system restart after the system failure after the occurrence of the application failure, In this case, the first information that can determine which backup file is to be managed, and the second information that can determine which of the current file and the backup file are to be applied when the next system restarts are managed. ) According to the first information managed by the restore control means, the external storage device (3) The reboot related information management unit is configured as a function unit of the application, and the restore control unit is configured as a function unit external to the application. It is characterized by.

  According to a third aspect of the present invention, there is provided a system restart program comprising: (1) a failure of the application, including: an external storage unit storing at least one backup file; and a local storage unit storing a file used by the application. First information that can determine which backup file is to be restored whether or not to restore a backup file from the external storage means to the local storage means at the time of the next system restart after the occurrence of the system And reboot related information management means for managing second information capable of determining which file of the current file and the backup file to apply at the time of the next system restart, and (2) according to the managed first information Backup from the external storage means to the local storage means (3) The reboot related information management unit is configured as a function unit of the application, and the restore control unit is configured as a function unit external to the application. It is characterized by being.

  According to the present invention, the restore control unit is constructed separately from other units that tend to be complicated, so that the backup file can be restored reliably.

(A) Main Embodiment Hereinafter, an embodiment of an information processing apparatus and a process restarting method according to the present invention will be described in detail with reference to the drawings. The information processing apparatus according to the embodiment is a server that is required to have extremely high reliability, such as a call server that provides an IP telephone service.

  In this embodiment, the restore function unit is a separate process from the other function units. In addition, the restore function is simplified by providing the main function unit with generation determination logic necessary for restoration. As a result, even if a failure occurs, this is a method for reliably performing restoration as a recovery means.

(A-1) Configuration of Embodiment FIG. 1 is a block diagram illustrating a system configuration related to a restore function of a server according to the embodiment. The server includes a CPU, a ROM, a RAM, and the like, and an OS, an application, and a backup process, which will be described later, are executed by the CPU in terms of hardware.

  For example, the server 1 corresponding to the call server is equipped with an OS 2 such as Linux (registered trademark) for linking hardware having a local disk 5 or the like and software described later. Processes such as the application 3 and the backup process 4 operate on the OS 2. The application 3 executes a process related to a service process (for example, a call processing service) provided by the server 1, and starts when an executable file on the local disk 5 is executed.

  A plurality of generations of backup files are stored on the external disk 7 provided outside the server 1. The resume information file 6 managed on the local disk 5 is a file in which information related to restoration is described. The application 3 determines a generation to be restored next, executes an operation of writing to the resume information file 6, and reads the resume information file 6 again at the next startup, and further determines a generation to be restored next. To do. The backup process 4 is not resident, and is started from the OS 2 or the application 3 as necessary (when a failure occurs).

  The local disk 5 and the external disk 7 are not limited to those configured by a hard disk or an optical disk, but may be configured by other mass storage devices.

  FIG. 2 shows information (setting items) held in the resume information file 6. The resume information file 6 manages information on the next restore file F11, the next startup file F12, and the retry count F13.

  The next restore file F11 represents a file to be restored from the external disk 7 at the next system startup. As will be described later, the current file stored in the local disk 5 may be used at the next system startup. In such a case, the next restore file is “none”. The next activation file F12 represents a link destination that a symbolic link (a kind of pointer) “/ opt / application” should point to at the next system activation (see FIGS. 4 to 7). The retry count F13 represents the retry count using the backup file of the currently activated generation.

  FIG. 3 is an explanatory view showing an example of a backup file stored in the external disk 7 for each generation. In the example shown in FIG. 3, the external disk 7 shows a state where the previous file F21 and the guarantee file F22 are stored. Of course, the number of backup files is not limited to two.

  The previous file F21 is, for example, a file one generation before the currently operating file that was stored at a predetermined time on the previous day. The guarantee file F22 is a file of a generation older than the previous file, and is a file that can be guaranteed to be activated (for example, a file that has been normally activated at the time of a past failure). Here, the backup file includes an application execution file, a configuration file, various data files, and the like. By restoring the backup file on the external disk 7 to the local disk 5 and starting the application 3, the application 3 can be started in the state at the time of backup execution. In addition, when starting from a backup file, an attempt is made to start with a new backup file as much as possible. In the case of the example of FIG. 3, the activation is attempted from the previous file F21.

  4 to 7 are explanatory diagrams showing a directory structure used by the application 2 for the local disk 4.

  4 to 7, directories / data / data1 to / data / data3 indicate working files and backup files.

  For example, in FIGS. 4 to 6, directory / data / data 1 is a directory related to the current file, directory / data / data 2 is a directory related to the security file, and directory / data / data 3 is a directory related to the previous file. . On the other hand, in FIG. 7, the directory / data / data1 is a directory related to the previous file, the directory / data / data2 is a directory related to the security file, and the directory / data / data3 is a directory related to the working file. For example, when failure recovery (see FIG. 6) using the previous file of directory / data / data3 as a backup file is completed normally, the state shifts to the state shown in FIG.

  Symbolic link / apl / REAL is a symbolic link to the directory of the current file, / apl / BK0 is a symbolic link to the directory of the guarantee file, and / apl / BK1 is a symbolic link to the directory of the previous file. It is. The symbolic link opt / application / is a symbolic link to the current file / apl / REAL, a symbolic link to the security file / apl / BK0, or a symbolic link to the previous file / apl / BK1. . 4 and 7 show a case where the symbolic link opt / application / is linked to / appl / REAL, and FIG. 5 shows a case where the symbolic link opt / application / is linked to / apl / BK0. FIG. 6 shows a case where the symbolic link opt / application / is linked to / ap1 / BK1.

(A-2) Operation of Embodiment Next, the operation (process restart method) of the information processing apparatus of the embodiment will be described with reference to the drawings. In the following, a description will be given of an operation in which a failure occurs in the process using the current file and the startup with the backup file is repeated.

  First, the operation when a reboot occurs because a failure has occurred in the process using the current file will be described with reference to the sequence diagram of FIG.

  If a failure occurs in the process executed by the application 3 using the current file, the application 3 requests the OS 2 to shut down, and the OS 2 starts the shutdown process (S1). In this shutdown process, the backup process 4 is activated by the OS 2. Note that the application 3 may activate the backup process 4. Under the processing situation in which the current file is used, the initial value of the resume information file 6 (see FIG. 2) under the management of the OS 2 is “None” for the next restore file and “REAL” for the next startup file (current file). ) And the number of retries is “0” (S2). The activated backup process 4 reads such a resume information file 6 (S3), but the next activated file is REAL, and the directory pointed to by the current symbolic link / opt / application is also REAL, which is the same. Therefore, the symbolic link is not changed (S4).

  Thereafter, the OS 2 is rebooted (S5). The operation after the first reboot after the occurrence of such a failure is shown in the sequence diagram of FIG.

  After the OS 2 is rebooted, the backup process 4 is activated in the started OS 2 activation process (S6). As a result, the backup process 4 reads the resume information file 6 (S7), but since the next restore file at this time is “none”, no processing is executed (S8). After the OS 2 is rebooted, the application 3 starts autonomously (S9), and updates the contents of the resume information file 6 (S10 to S12). Thereafter, a service process (for example, a call processing process) is started (S13).

  The update process of the resume information file 6 is performed by a series of processes such as reading the resume information file 6, calculating setting contents, and writing the resume information file 6.

  FIG. 13 is an explanatory diagram (flow chart) showing the determination logic of the update content. The application 3 updates the restart information file 6 according to the determination logic of the update content.

  In FIG. 13, first, whether the number of retries (F13) of the restart information file 6 has reached the predetermined maximum number of retries executed for a file applied by rebooting (current file or restored backup file). It is determined whether or not (S100). Note that the restored backup file is an active file at the time of restoration.

  If the maximum number of retries has not been reached, the number of retries in the resume information file 6 is incremented by 1 (S101), and it is determined whether the number of retries after the increment is equal to the maximum number of retries (S102). If the number of retries after the increment is smaller than the maximum number of retries, the restart information file 6 is changed to “Result 1” in FIG. 13 (S103). That is, the next restore file is “none”, the next startup file is “no change (as it was before)”, and the number of retries is “number after increment”.

  On the other hand, if the number of retries after increment is equal to the maximum number of retries, the information as shown in FIG. 3 is further referred to to determine whether there is a generation backup file to be started next (S104). . If there is a generation backup file to be activated next, the resume information file 6 is changed to “Result 2” in FIG. 13 (S105). If there is no generation backup file to be activated next, the resume information file 6 is restored. Is set as “Result 3” in FIG. 13 (S106). In “Result 2”, the next restore file is “next generation (next generation of the current one)”, the next startup file is “no change (as it was before)”, and the retry count is “0”. In “Result 3”, the next restore file is “None”, the next startup file is “None”, the number of retries is “0”, and the application 3 is stopped. Retry is performed by applying the file of the lowest generation, and the application 3 is stopped because a normal restart could not be performed even if the maximum number of retries was applied. To do.

  When a positive result of the determination in step S100 described above is obtained, information as shown in FIG. 3 is referred to and it is determined whether there is a generation backup file to be started next (S107). If there is no generation backup file to be activated next, the resume information file 6 is changed to “Result 3” in FIG. 13 (S106).

  On the other hand, if there is a generation backup file to be activated next, it is further determined whether or not the maximum number of retries using the generation backup file to be activated next is 0 (S108). If the maximum number of retries is 0, the resume information file 6 is set as “result 4” in FIG. 13 (S109). If the maximum number of retries is not 0, the resume information file 6 is stored in “result 5” of FIG. (S110). In “Result 4”, the next restore file is “next generation”, the next startup file is “next generation”, and the retry count is “0”. In “Result 5”, the next restore file is “None”, the next startup file is “Next Generation”, and the retry count is “0”.

  Here, it is assumed that the maximum number of retries for the current file is set to 1 and the maximum number of retries for the previous file or the security file is set to 0. Such settings can be set by the user by describing them in the configuration file.

  In updating the restart information file 6 in steps S10 to S12 in FIG. 9, the number of retries is incremented from 0 to 1 in step S101 in FIG. Since the retry count “1” after the increment is equal to the maximum retry count and the previous file exists as the next generation, the restart information file 6 is updated with the contents of “Result 2” in FIG.

  If a failure occurs again during the process activation process in step S13, the OS 2 starts a shutdown process (S14). At this time, the backup process 4 reads the restart information file 6 (S15), but the next activation file is REAL. Since it is the same as it is (active file), the backup process 4 does nothing (S16), and the OS is rebooted (S17).

  After the OS 2 is rebooted (FIG. 10), the OS 2 activation process is started (S18). The backup process 4 activated during the activation process reads the resume information file 6 (S19), and the read resume information file 6 ( According to step S11 in FIG. 9, the previous file is loaded from the external disk 7 to / apl / BKF1 (S20). Since loading takes time, the OS 2 executes the activation process of the application 3 while the backup process 4 is operating (S21). In the application 3, the restart information file 6 is updated according to the determination logic shown in FIG. 13 (S22 to S24). Thereafter, the service process is activated (S25).

  In updating the restart information file 6 at this time, “Result 4” in FIG. 13 is applied, the next restore file is “2” (guaranteed file), the next startup file is “BK1” (previous file), and the retry count is “ 0 ”.

  If a failure occurs again during the activation of the service process, the OS 2 starts a shutdown process (S26). At this time, the backup process 4 reads the resume information file 6 (S27). Since the activation file is “BK1”, the symbolic link of / opt / application is changed to / apl / BK1 (S28). With this change, the symbolic link configuration is changed from FIG. 4 to FIG.

  As a result, the application 3 after the OS reboot executes the file under / opt / application as usual, so that the previous file loaded from the external disk 7 is restored.

  The operation after the OS reboot (S29) at this time (FIG. 11) will be briefly described. The backup process 4 loads the security file from the external disk 7 (S32). Further, the application 3 updates the resume information file 6 so that the next restore file is “none”, the next startup file is “BK2” (guaranteed file), and the retry count is “0” according to the determination logic of FIG. (S34 to S36). When an OS reboot is executed due to a failure, the backup process 4 changes the symbolic link of / opt / application to / apl / BK2 during the shutdown process. With this change, the symbolic link configuration is changed from FIG. 5 to FIG. As a result, the application 3 after the OS reboot is started from the guarantee file loaded from the external disk 7.

  The operation after the OS reboot (S41) at this time (FIG. 12) will be briefly described. After the OS reboot, the backup process 4 does not load from the external disk 7 because there is no restore request (S44). Further, the application 3 updates the restart information file 6 according to the determination logic of FIG. 13 (S46 to S48). At this time, no further escalation can be performed, and it is determined as “Result 3” in FIG. The restore file is updated to “None”, the next startup file is set to “None”, and the retry count is set to “0”. Although not shown in FIG. 12, if a failure occurs after this, the application 3 stops without rebooting the OS.

  FIG. 12 shows a case where the application is successfully activated with this guarantee file. If the activation is successful (S49), the application 3 changes the link destination of / opt / application to / apl / REAL and the link destination of / apl / REAL to / data / data3 by the backup process 4 (S50). With this change, the symbolic link configuration is changed from FIG. 6 to FIG.

  Also, the application 3 resets the resume information file 6 to the initial state where the next restore file is “none”, the next startup file is “REAL” (active file), and the retry count is “0” (S51, S52). ).

(A-3) Effects of the embodiment In the above embodiment, the other function unit, which tends to be complicated, and the restore function unit are set as separate processes. Therefore, even if a failure occurs in the application, the backup function includes The backup file restore failure can be avoided without influencing (in other words, the backup file restore can be executed reliably).

(B) Other Embodiments The items and configuration of the resume information file 6 are not limited to those in the above embodiment, and it is sufficient that the next generation backup file to be restored and the file to be activated next can be determined. For example, information on the previously activated file and the number of retries thereof may be stored, and based on this information, the next generation backup file to be restored and the next activated file may be determined.

  Further, without using the mechanism such as the restart information file 6, the next generation to be restored and the next file to be activated may be determined in the application 3. For example, a plurality of combinations of generations to be restored next and files to be activated next may be managed as state transition diagram information.

It is a block diagram which shows the system configuration regarding the restore function of the server which concerns on embodiment. It is explanatory drawing which shows the information (setting item) which the restart information file of embodiment hold | maintains. It is explanatory drawing which shows the example of the backup file preserve | saved according to the generation in the external disk of embodiment. It is explanatory drawing (1) which shows the directory structure which an application uses about a local disk in embodiment. It is explanatory drawing (2) which shows the directory structure which an application uses about a local disk in embodiment. It is explanatory drawing (3) which shows the directory structure which an application uses about a local disk in embodiment. It is explanatory drawing (4) which shows the directory structure which an application uses about a local disk in embodiment. It is a sequence diagram (1) which shows the backup resumption operation | movement in embodiment. It is a sequence diagram (2) which shows the backup resumption operation | movement in embodiment. It is a sequence diagram (3) which shows the backup resumption operation | movement in embodiment. It is a sequence diagram (4) which shows the backup resumption operation | movement in embodiment. It is a sequence diagram (5) which shows the backup resumption operation | movement in embodiment. It is explanatory drawing which shows the determination logic of the update content of a restart information file in embodiment.

Explanation of symbols

  DESCRIPTION OF SYMBOLS 1 ... Server, 2 ... OS, 3 ... Application, 4 ... Backup process, 5 ... Local disk, 6 ... Resume information file, 7 ... External disk.

Claims (3)

External storage means storing at least one backup file;
A local storage means for storing files used by the application;
When the system is restarted after the failure of the application, whether or not to restore the backup file from the external storage unit to the local storage unit at the next system restart can be determined. Reboot related information management means for managing the first information and the second information capable of determining which file of the current file and the backup file to be applied when the next system is restarted;
A restore control means for controlling restoration of a backup file from the external storage means to the local storage means according to the managed first information;
The information processing apparatus, wherein the reboot related information management unit is configured as a function unit of the application, and the restore control unit is configured as a function unit external to the application. In the system restart method, one of the backup files stored in the external storage means can be restored to the local storage means for storing the file used by the application and the system can be restarted.
When the reboot related information management means determines whether or not to restore the backup file from the external storage means to the local storage means at the time of the next system restart after the system failure after the failure of the application, Managing first information that can determine which backup file, and second information that can determine which of the current file and the backup file to apply when the next system restarts;
The restore control means controls the restoration of the backup file from the external storage means to the local storage means according to the managed first information,
The system resumption method, wherein the reboot related information management unit is configured as a function unit of the application, and the restore control unit is configured as a function unit external to the application. A computer comprising external storage means storing at least one backup file and local storage means storing a file used by an application;
When the system is restarted after the failure of the application, whether or not to restore the backup file from the external storage unit to the local storage unit at the next system restart can be determined. Reboot related information management means for managing the first information and the second information capable of determining which file of the current file and the backup file to be applied when the next system is restarted;
According to the managed first information, while functioning as a restore control means for controlling the restoration of the backup file from the external storage means to the local storage means,
The system resumption program, wherein the reboot related information management unit is configured as a function unit of the application, and the restore control unit is configured as a function unit external to the application.

Images