JP2023001446A - Control system, method, and program - Google Patents

Abstract

To provide a control system that suppresses simultaneous operations of a host computer of a main site and a host computer of a backup site.SOLUTION: A control system includes operation state confirmation means that compares a last transfer time of data transferred from a first storage unit included in a main site to a second storage unit included in a backup site for replication with a previous confirmation time indicating a time when an operation state was previously confirmed to confirm the operation state of the main site, and control means that controls operation of the backup site based on the operation state of the main site.SELECTED DRAWING: Figure 1

Description

The present disclosure relates to control systems and the like.

A company that uses an information system sometimes installs a standby system from the viewpoint of business continuity in the event of a failure. For example, in addition to the main site, a backup site having a redundant configuration equivalent to that of the main site is provided as a standby system. In the event of a disaster, for example, at the main site, the company can continue operations using the backup site.

System redundancy is a costly measure. Therefore, as shown in FIG. 11, there are cases where a pricing model is prepared to reduce costs on the premise that the backup site is not used during normal times.

A conceivable method for confirming that the backup site is not in use during normal times is to perform life-and-death monitoring of the main site via the network from the backup site. If the operation of the main site is confirmed, the backup site will be controlled so that it cannot operate.

As a technique related to the present disclosure, Patent Literature 1 discloses a cluster system that reduces node operation costs. In Japanese Unexamined Patent Application Publication No. 2002-200010, after the standby node is activated, the synchronization data is acquired, and when the synchronization is completed, the standby node itself shuts down to stop the node. In Japanese Unexamined Patent Application Publication No. 2002-201000, heartbeat communication, for example, is performed in cooperation between nodes in order to confirm the operation status of other nodes.

WO2017/047065

When the main site is alive and alive monitored from the backup site via the network, there is a possibility of fraud that intentionally makes it impossible to check the operation of the main site. For example, if the cable of the network used for life-and-death monitoring is disconnected, the main site is considered to be down even though the main site is in operation. Therefore, simultaneous operation of the main site and the backup site may be possible.

Patent Document 1 does not particularly mention this point.

An object of the present disclosure is to provide a control system or the like that suppresses simultaneous operation of a host computer at a main site and a host computer at a backup site.

The control system according to the present disclosure includes the final transfer time of data transferred from the first storage unit provided at the main site to the second storage unit provided at the backup site for replication, and the time at which the operating state of the main site was last checked. and a control means for controlling the operation of the backup site based on the operation status of the main site. .

The control method according to the present disclosure includes the final transfer time of data transferred from the first storage unit provided at the main site to the second storage unit provided at the backup site for replication, and the time at which the operating status of the main site was last checked. By comparing with the previous confirmation time indicating , the operation status of the main site is confirmed, and the operation of the backup site is controlled based on the operation status of the main site.

The control program according to the present disclosure includes the final transfer time of data transferred from the first storage unit provided at the main site to the second storage unit provided at the backup site for replication, and the time at which the operating state of the main site was last checked. A computer is caused to execute a process of confirming the operating state of the main site by comparing with the previous confirmation time indicating the and a process of controlling the operation of the backup site based on the operating state of the main site.

According to the present disclosure, it is possible to provide a control system or the like that suppresses simultaneous operation of the host computer at the main site and the host computer at the backup site.

1 is a block diagram showing a system configuration according to one embodiment; FIG. 3 is a diagram showing an example of disk definition information 330. FIG. 3 is a diagram showing an example of an operating state management table 340; FIG. 3 is a diagram showing an example of a disk state management table 350; FIG. 4 is a diagram showing an example of a transfer status management table 403; FIG. 4 is a flowchart showing an operation example of the host computer 300; FIG. 13 is a diagram showing an example of an updated disk status management table 350; FIG. FIG. 12 is a diagram showing another example of the transfer status management table 403; FIG. FIG. 13 is a diagram showing an example of an updated disk status management table 350; FIG. FIG. 13 is a diagram showing another example of the operating state management table 340; FIG. It is a figure which shows the operation example of a redundancy system. 5 is a block diagram showing an example of the hardware configuration of computer 500. FIG.

A configuration of an embodiment of the present disclosure will be described with reference to the drawings. FIG. 1 is a block diagram showing the system configuration according to one embodiment. A system according to one embodiment includes two sites, a main site and a backup site. The main site is also called an active system, and the backup site is also called a standby system.

In this embodiment, operation of the backup site is permitted while the main site is not in operation. Operation of the backup site during normal operation of the main site is determined to be unauthorized use, and its operation is deterred.

The main site has a host computer 100 and main storage 200 . The host computer 100 operates under program control.

The main storage 200 comprises one or more main disks 201 . In FIG. 1, the main storage 200 comprises a plurality of main disks 201 (2011, 2012, 2013).

A network 600 connects the main site and the backup site. Note that the network 600 may be a wired network or a wireless network. The main storage 200 transfers data to the backup site via the network 600 in order to replicate data stored in the main disk 201 .

The backup site has a host computer 300 and a replication storage 400 . The host computer 300 operates under program control. The backup site operates by activating the host computer 300 at arbitrary timing. The host computer 300 is activated, for example, by a user.

In one embodiment, the host computer 300 comprises an operating status checker 310 , a storage accesser 320 and a controller 360 .

The operating state confirmation unit 310 confirms the operating state of the main site. After the backup site is put into operation, the operation status confirmation unit 310 may operate periodically. Regular operations include, for example, operations at regular intervals and operations at specified times.

The storage access unit 320 reads from and writes to the replication storage 400 .

The control unit 360 controls operation, continuation of operation, and suspension of operation of the backup site. Specifically, the control unit 360 controls operation of the host computer 300 .

The host computer 300 stores disk definition information 330 , an operating state management table 340 and a disk state management table 350 . The disk definition information 330, operating state management table 340, and disk state management table 350 are stored in, for example, non-volatile memory.

The disk definition information 330 includes disk identifiers of one or more disks to be monitored. FIG. 2 is a diagram showing an example of the disk definition information 330. As shown in FIG.

Note that the method of selecting disks to be monitored is not particularly limited. For example, a method of using a business disk to be used at a backup site in the event of a disaster, a method of using a disk for storing the access status of the disk at the main site, and a method of combining the above two methods can be considered.

The operating state management table 340 stores initial activation time and operating state confirmation time. The operating state management table 340 stores the initial startup time when the system is started, and stores the operating state confirmation time each time the operating state is confirmed. The operating state management table 340 may be initialized when the system is started. FIG. 3 is a diagram showing an example of the operating state management table 340. As shown in FIG.

The disk status management table 350 stores the disk identifier and the last transfer time of the corresponding disk. FIG. 4 is a diagram showing an example of the disk status management table 350. As shown in FIG.

The replicated storage 400 comprises one or more replicated disks 401 and a storage controller 402 . In FIG. 1, the replication storage 400 comprises multiple replication disks 401 (4011, 4012, 4013). The replication storage 400 stores a transfer status management table 403. FIG.

The storage control unit 402 controls the entire replication storage 400 and updates the transfer status management table 403 according to the transfer status of the replication disk 401 .

The transfer status management table 403 stores the replication status of the replication disk 401 and the final transfer time of data transfer from the main disk 201 to the replication disk 401 . FIG. 5 is a diagram showing an example of the transfer status management table 403. As shown in FIG.

The operating state confirmation unit 310 may further include a data transfer state acquisition unit 311 and a transfer time extraction unit 312 .

The data transfer status acquisition unit 311 acquires the transfer status of the copy disk 401 to be monitored from the transfer status management table 403 .

For example, the data transfer status acquisition unit 311 acquires disk information defined in the disk definition information 330 from the transfer status management table 403 via the storage access unit 320 . The data transfer status acquisition unit 311 stores the acquired information in the disk status management table 350, for example.

The transfer time extraction unit 312 extracts the latest transfer time from the copy disk 401 to be monitored.

For example, the transfer time extraction unit 312 extracts the transfer time of the disk with the latest transfer time among all the monitored disks from the disk status management table 350 .

The operating state confirmation unit 310 compares the transfer time extracted by the transfer time extraction unit 312 with the previous confirmation time.

If the transfer time is newer than the previous confirmation time, the operating state confirmation unit 310 determines that the main site is in the operating state, and the control unit 360 stops the host computer 300 . When the transfer time is older than the previous confirmation time, the operating state confirmation unit 310 determines that the main site is in the non-operating state. Furthermore, the operating state confirmation unit 310 updates the operating state confirmation time in the operating state management table 340, and the control unit 360 allows the host computer 300 to continue processing.

Note that the present disclosure will not particularly mention the conditions for stopping the system and the method of stopping the system when simultaneous operation with the main site is detected at the backup site, because various operations are conceivable.

Next, operation of the embodiment will be described in detail.

FIG. 6 is a flow chart showing an operation example of the host computer 300 .

For example, the host computer 300 periodically performs the processing shown in FIG. 6 after the backup site starts operating.

First, the outline of the processing shown in FIG. 6 will be described.

First, the data transfer status acquisition unit 311 refers to the disk definition information 330 and confirms the copy disk 401 to be monitored (step S1).

The data transfer state acquisition unit 311 acquires the replication state and the final transfer time of data transfer as the transfer state corresponding to the monitored disk from the transfer state management table 403 via the storage access unit 320 (step S2). The data transfer status acquisition unit 311 acquires the transfer status of all disks when there are a plurality of monitored disks.

Next, the transfer time extraction unit 312 extracts the latest transfer time from among the monitored disks whose transfer states have been acquired (step S3).

When the operating state confirmation unit 310 operates for the first time, there is no information on the previous operating state confirmation time (step S4: YES), so the transfer time extraction unit 312 sets the startup time to the previous operation state confirmation time (step S5). .

The operating state confirmation unit 310 compares the latest transfer time extracted in step S3 with the previous operation confirmation time (step S6). If the transfer time is older than the previous confirmation time, it is determined that the main site is not in operation (step S7). The operating state confirmation time in the operating state management table 340 is updated with the current time (step S8), and the control unit 360 causes the host computer 300 to continue processing. If the transfer time is newer than the previous confirmation time, it is determined that the main site is in operation (step S9), and the host computer 300 stops.

Next, the operation of FIG. 6 will be described using a specific example.

First, normal operation will be described. During normal times, the host computer 100 at the main site operates and the host computer 300 at the backup site operates while data is being transferred from the main storage 200 to the replication storage 400 .

After the backup site starts operating, in step S1, the data transfer status acquisition unit 311 refers to the disk definition information 330 in FIG. 3 and confirms that the copy disks to be monitored are DISK1 and DISK2.

In step S2, the data transfer state acquisition unit 311 acquires the transfer states of DISK1 and DISK2, which correspond to the monitored disks, from the transfer state management table 403 of FIG. Specifically, the data transfer status acquisition unit 311 acquires, for example, the replication status of the monitored disk and the final transfer time of the data transfer read by the storage access unit 320 .

The data transfer state acquisition unit 311 stores the transfer state read by the storage access unit 320 in the disk state management table 350, for example. FIG. 7 is a diagram showing an example of the updated disk status management table 350. As shown in FIG.

Next, in step S3, the transfer time extraction unit 312 extracts the latest transfer time "2020/05/20 09:05" from among the transfer states of the monitored disks DISK1 and DISK2 acquired by the data transfer state acquisition unit 311. :05”.

In step S4, in the case of the initial operation of the operating state confirmation unit 310, as shown in FIG. Therefore, in step S5, the transfer time extraction unit 312 sets the activation time "2020/05/20 09:00:00" as the previous operating state check time.

In step S6, the operation status confirmation unit 310 checks the latest transfer time "2020/05/20 09:05:05" extracted in step S3 and the previous operation confirmation time "2020/05/20 09:00:00". make a comparison. Since the transfer time is newer than the previous confirmation time, in step S<b>9 the operation state confirmation unit 310 determines that the main site is in operation state, and the control unit 360 stops the host computer 300 .

Next, the operation when a failure occurs at the main site will be described. The occurrence of a failure includes, but is not limited to, the case where the main site is damaged and becomes non-operational. When a failure occurs, the host computer 100 at the main site stops and the host computer 300 at the backup site operates while data is not being transferred from the main storage 200 to the replication storage 400 .

As in the normal operation, in step S1, the data transfer status acquisition unit 311 refers to the disk definition information 330 and confirms DISK1 and DISK2, which are copy disks to be monitored.

FIG. 8 is a diagram showing another example of the transfer status management table 403. As shown in FIG.

In step S2, the data transfer status acquisition unit 311 acquires the transfer statuses of DISK1 and DISK2, which correspond to the monitored disks, from the transfer status management table 403 shown in FIG. 8, for example. Specifically, the data transfer status acquisition unit 311 acquires the replication status of the monitored disk and the final transfer time of the data transfer read by the storage access unit 320 .

The data transfer status acquisition unit 311 stores the transfer status in the disk status management table 350, for example. FIG. 9 is a diagram showing an example of the updated disk status management table 350. As shown in FIG.

Next, in step S3, the transfer time extraction unit 312 extracts the latest transfer time "2020/06/10 13:15:00" from the monitoring target disks DISK1 and DISK2 whose transfer states have been acquired.

FIG. 10 is a diagram showing another example of the operating state management table 340. As shown in FIG. In step S4, if it is not the first operation, "2020/06/10 13:15:10" exists as the information of the last operating state confirmation time in the operating state management table 340. FIG.

In step S6, the operation status confirmation unit 310 checks the latest transfer time "2020/06/10 13:15:00" extracted in step S3 and the previous operation confirmation time "2020/06/10 13:15:10". make a comparison. Since the transfer time is older than the previous confirmation time, in step S7, the operation state confirmation unit 310 determines that the main site is not in operation. Furthermore, in step S8, the operating state confirmation unit 310 updates the operating state confirmation time in the operating state management table 340 with the current time, and the control unit 360 causes the host computer 300 to continue processing.

By the operation described above, it is possible to suppress the operation of the backup site when the main site is in operation.

According to this embodiment, it is possible to suppress unauthorized use of the backup site, which intentionally makes it impossible to check the operation of the main site.

The reason is that the state of data transfer from the main site to the backup site by storage replication is used to determine the operating state of the main site.

By intentionally stopping replication (separating), the backup site can be operated. However, if replication is intentionally stopped and the backup site is illegally used, business data updated at the main site will not be transferred to the backup site. If the main site is hit by a disaster while data is not being transferred, it will be difficult to continue operations at the backup site, and there is a risk that it will take time to restore operations, so unauthorized use can be suppressed.

As a general method of managing licenses for multiple computers, there is a method of managing usage environments through a license management server connected via a network. This method is also called floating license or network license. With this management method, it is possible to restrict the system from being used in excess of the maximum number of licenses that can be used simultaneously. Therefore, by setting the number of licenses to 1, it is possible to disable simultaneous activation at the main site and the backup site. However, in the case of this method, it is necessary to prepare a license management server separately, and there is a problem that the operation management of the server becomes complicated.

According to this embodiment, the state of data transfer by storage replication from the main site to the backup site is used to determine the operating state of the main site. Therefore, it is possible to monitor the usage status of the main site and the backup site without having to separately prepare a license management server.

[Hardware configuration]
In the above-described embodiment, each component including the operating state confirmation unit 310, the storage access unit 320, and the control unit 360 represents a functional unit block. Part or all of each component of each device including the host computers 100 and 300, the main storage 200, and the replicated storage 400 may be realized by any combination of the computer 500 and programs.

FIG. 12 is a block diagram showing an example of the hardware configuration of computer 500. As shown in FIG. Referring to FIG. 12, the computer 500 includes, for example, a CPU (Central Processing Unit) 501, a ROM (Read Only Memory) 502, a RAM (Random Access Memory) 503, a program 504, a storage device 505, a drive device 507, and a communication interface 508. , an input device 509 , an input/output interface 511 and a bus 512 .

The program 504 includes instructions for realizing each function of each device. The program 504 is stored in advance in the ROM 502 , RAM 503 and storage device 505 . The CPU 501 implements each function of each device by executing instructions included in the program 504 . For example, the functions of the host computer 300 are realized by the CPU 501 of the host computer 300 executing instructions included in the program 504 . Also, the RAM 503 may store data processed in each function of each device.

A drive device 507 reads from and writes to a recording medium 506 . Communication interface 508 provides an interface with a communication network. The input device 509 is, for example, a mouse or a keyboard, and receives input of information from the system administrator. The output device 510 is, for example, a display, and outputs (displays) information to the system administrator. The input/output interface 511 provides an interface with peripheral devices. A bus 512 connects each of these hardware components. The program 504 may be supplied to the CPU 501 via a communication network, or may be stored in the recording medium 506 in advance, read by the drive device 507 and supplied to the CPU 501 .

Note that the hardware configuration shown in FIG. 12 is an example, and components other than these may be added, or some components may be omitted.

There are various modifications in the implementation method of each device. For example, each device may be implemented by any combination of a computer and a program that are different for each component. Also, a plurality of components included in each device may be realized by any combination of a single computer and a program. For example, the functions of the operating state confirmation unit 310 and the control unit 360 may be implemented by the same computer as other functions included in the host computer 300, or may be implemented by a plurality of computers. A system having the functions of the operating state confirmation unit 310 and the control unit 360 is also called a control system.

Also, part or all of each component of each device may be realized by a general-purpose or dedicated circuit including a processor or the like, or a combination thereof. These circuits may be composed of a single chip, or may be composed of multiple chips connected via a bus. A part or all of each component of each device may be realized by a combination of the above-described circuits and the like and programs.

Further, when a part or all of each component of each device is realized by a plurality of computers, circuits, etc., the plurality of computers, circuits, etc. may be centrally arranged or distributed.

Although the present disclosure has been described with reference to the embodiments, the present disclosure is not limited to the above embodiments. Various changes that can be understood by those skilled in the art can be made to the configuration and details of the present disclosure within the scope of the present disclosure. Also, the configurations in each embodiment can be combined with each other without departing from the scope of the present disclosure.

100 host computer 200 main storage 201 main disk 300 host computer 310 operating state confirmation unit 311 data transfer state acquisition unit 312 transfer time extraction unit 320 storage access unit 360 control unit 400 replication storage 401 replication disk 402 storage control unit 500 computer 600 network

Claims (9)

Comparing the final transfer time of data transferred from the first storage section provided at the main site to the second storage section provided at the backup site for replication with the previous confirmation time indicating the time at which the operation status of the main site was checked last time By doing so, operating state confirmation means for checking the operating state of the main site;
a control means for controlling the operation of the backup site based on the operation status of the main site;
A control system with 2. The control system according to claim 1, wherein said operating state confirmation means determines that the main site is in operation when the final transfer time is newer than the previous confirmation time. The control means stops the operation of the backup site when the final transfer time is newer than the previous confirmation time, and controls to continue the operation of the backup site when the final transfer time is older than the previous confirmation time.
3. Control system according to claim 1 or 2. 4. The operating state confirmation unit according to any one of claims 1 to 3, further comprising a data transfer state acquisition unit that acquires a transfer state including a data replication state and a final transfer time from the second storage unit. Control system as described. The data transfer state acquisition means acquires the final transfer time of each of the plurality of disks included in the second storage unit,
5. The control system according to claim 4, wherein said operating state confirmation means further comprises transfer time extracting means for extracting the latest final transfer time from said respective final transfer times. 6. The control system according to claim 5, wherein said operating state confirmation means compares the final transfer time extracted by said transfer time extraction means with the previous confirmation time. 7. The control system according to any one of claims 1 to 6, wherein the operating state checking means periodically checks the operating state of the main site. Comparing the final transfer time of data transferred from the first storage section provided at the main site to the second storage section provided at the backup site for replication with the previous confirmation time indicating the time at which the operation status of the main site was checked last time to check the operating status of the main site,
controlling the operation of the backup site based on the operation status of the main site;
control method. Comparing the final transfer time of data transferred from the first storage section provided at the main site to the second storage section provided at the backup site for replication with the previous confirmation time indicating the time at which the operation status of the main site was checked last time By doing so, the process of checking the operating status of the main site and
a process of controlling the operation of the backup site based on the operation status of the main site;
A control program that causes a computer to execute

Images