JP5218121B2 - Information system and disaster recovery method - Google Patents

Description

  The present invention relates to an information system and a disaster recovery method having a plurality of storage devices provided so as not to be damaged at the same time.

  Recent enterprises and public organizations play an important role in civic life, and the role of information systems operated by them has become increasingly important. For this reason, from the viewpoint of social responsibility, crisis management, and law, information system recovery that enables business to continue or be easily recovered even if a system failure occurs due to a disaster, etc. Countermeasures, so-called disaster recovery, have become important.

  Disasters in disaster recovery mean all phenomena that damage the devices installed on the site as a whole, and do not represent a specific phenomenon. That is, from small-scale things such as a fire in a single building to large-scale things such as storms and floods and earthquakes. It also includes artifacts such as unauthorized intrusion and terrorism. In this specification, “site” means a place where hardware such as a computer or a storage device is installed. In addition, “damaged” means that the device installed on the site is totally damaged by the disaster.

  For disaster recovery, set up a remote site as far as possible from the main site so that even if a large-scale disaster occurs, it can be assumed that it will not be affected at the same time, and replicate (backup) the data in the main site to the remote site, There is a method that allows business to continue at a remote site even if the main site is damaged. As a technique related to this method, there is a “backup system between host systems” disclosed in Patent Document 1.

  Disk storage replication is known as a method for reflecting main site information to a remote site. Replication is a method of creating a replica of the main site disk at the remote site.

  Hereinafter, the storage installed at the main site is referred to as main storage, and the storage installed at the remote site is referred to as replication storage.

In an information system in which a main site and a remote site are connected by a communication line as in the invention disclosed in Patent Document 1, as shown in FIG. 37, during replication, data on the main site is sent to the remote site, and the remote site Reflect to the replicated storage in the site.
Note that the transmission of information that reflects the data in the replicated storage in synchronization with the update of the storage data at the main site is referred to as “synchronous copy”. In addition, transmission of information that is not synchronized with the update of the main storage but reflects data in the duplicate storage in the same order as the main storage is referred to as “quasi-synchronous copy”. Furthermore, the transmission of information asynchronously and without guaranteeing the update order from the main storage to the replica storage is referred to as “asynchronous copy”.

  When synchronous copy is performed from main storage to replica storage, the strict consistency of information is maintained, and all data in the main storage also exists in the replica storage. There is no data loss. However, this assumes that no communication failure occurs between the main site and the remote site.

  Strict consistency means that any read operation on a data item returns a value corresponding to the newest write result.

  The information system shown in FIG. 37 stores update data in a buffer of the main storage as shown in FIG. 38 because synchronous copying cannot be performed if a communication failure occurs between the main site and the remote site. The main storage copies the contents of the buffer semi-synchronously to the replica storage after the communication failure is recovered. When all the data in the buffer is reflected in the duplicate storage, the information system is restored to a state where synchronous copying can be performed.

  However, since data is not transmitted to the remote site while the communication failure occurs, if the main site is damaged when the communication failure occurs and update data exists only in the main storage as shown in FIG. Data will be lost.

  As a technique related to coping with this problem, there is a “data replication system, relay device, data transmission / reception method, and program for replicating data in storage” disclosed in Patent Document 2. Patent Document 1 discloses a configuration in which a transmission path between storages has redundancy. According to this method, even if a communication failure occurs in one of the transmission paths, update data can be transmitted using another communication path, so the main site is damaged unless communication failure occurs in all transmission paths. However, no data is lost.

  Further, as in the invention disclosed in Patent Document 3, there is also a method of maintaining a redundancy by using a plurality of remote sites. According to this method, even if a communication failure occurs with one remote site, update data can be sent from the main site to the remaining remote sites, so as long as there is no communication failure with all remote sites. Even if the main site is damaged, no data will be lost.

JP 2000-76151 A Japanese Patent Laying-Open No. 2004-86721 (FIG. 8) JP 2004-227528 A

  However, it is not easy to provide redundancy for the transmission paths between sites that are far enough to assume that they will not be affected at the same time even if a large-scale disaster occurs. Expenses and time are required.

  Also, having multiple remote sites is expensive and not practical for many systems. In other words, not only initial investment such as preparation of a place and equipment for establishing a remote site and installation of a cable connecting each remote site and the main site, but also costs for maintaining and managing them. Furthermore, the operation of an information system becomes complicated when multiple remote sites are opened.

  Therefore, it is difficult for the inventions disclosed in Patent Documents 2 and 3 to realize disaster recovery at a low cost.

  As described above, there is no information system and disaster recovery method that can be introduced at low cost without data being lost even if the main site is damaged during a communication failure with a remote site.

  The present invention has been made in view of the above problems, and an information system and a disaster recovery method that can be introduced at a low cost without causing data loss even if a main site is damaged during a communication failure with a remote site. The purpose is to provide.

In order to achieve the above object, according to the present invention, as a first aspect, when the data of the first storage device and the first storage device is updated, the update data is synchronously copied from the first storage device. The synchronous copy is a copy that reflects the updated data in the other storage device in synchronization with the update of the data in the one storage device, If there is a third storage device connected to both the first and second storage devices, and a communication failure occurs between the first storage device and the second storage device, update data is stored. copy sync to the third storage device, the update data stored in the third storage apparatus, quasi-synchronous copy to the second storage device, quasi-synchronous copy, the one storage device In over data updates asynchronously, and a copy to reflect the updated data to another storage device in the same order as the updating of data in one storage device, between the first storage apparatus and second storage apparatus An information system is provided in which the synchronous copy destination of the update data from the first storage device is returned to the second storage device after the communication failure is resolved.

In order to achieve the above object, according to the present invention, as a second aspect, when the data of the first storage device and the first storage device is updated, the update data is synchronously copied from the first storage device. The synchronous copy is a copy that reflects the updated data in the other storage device in synchronization with the update of the data in the one storage device, a third storage apparatus connected to the first storage device, when a communication failure occurs between the first storage device and the second storage device, the update data third storage device copy synchronization to, after the communication failure between the first storage apparatus and second storage apparatus has been eliminated, the update data stored in the third storage apparatus, the first stress The second quasi-synchronous copy to the storage device via the di apparatus, quasi-synchronous copy, the data update and asynchronous one storage device, and the other in the same order as the updating of the data of one storage device A copy that reflects update data in the storage device, and returns the synchronous copy destination of the update data from the first storage device to the second storage device, and communicates between the first storage device and the second storage device. When the first storage device is damaged while a failure occurs, the data is written back from the second storage device after the first storage device is repaired, and then the update data stored in the third storage device The information system is characterized in that the quasi-synchronous copying is performed to the first storage device.

In order to achieve the above object, according to the present invention, as a third aspect, when the data of the first storage device and the first storage device are updated, the update data is synchronously copied from the first storage device. A disaster recovery method in an information system comprising a second storage device, wherein the synchronous copy reflects the updated data in another storage device in synchronization with the update of data in one storage device If the third storage device is connected to both the first and second storage devices and a communication failure occurs between the first storage device and the second storage device, the update data the copy synchronization to the third storage device, the update data stored in the third storage apparatus, quasi-synchronous copy to the second storage device, quasi-synchronous copy In one of the storage device data updates and asynchronous, and a copy to reflect the updated data in the same order as the updating of the data of one storage device to another storage device, the first storage apparatus and second storage It is an object of the present invention to provide a disaster recovery method characterized in that after a communication failure with an apparatus is resolved, a synchronous copy destination of update data from the first storage apparatus is returned to the second storage apparatus.

In order to achieve the above object, according to a fourth aspect of the present invention, the update data is synchronously copied from the first storage device when the first storage device and the data of the first storage device are updated. A disaster recovery method in an information system comprising a second storage device, wherein the synchronous copy reflects the updated data in another storage device in synchronization with the update of data in one storage device If the third storage device is connected to the first storage device and a communication failure occurs between the first storage device and the second storage device, the update data is transferred to the third storage device. synchronization copied to device, after the communication failure between the first storage apparatus and second storage apparatus has been eliminated, and stored in the third storage apparatus updates The chromatography data via the first storage device quasi-synchronous copy to the second storage device, quasi-synchronous copy, the data updates asynchronously of one storage device and the data of one storage device This is a copy in which update data is reflected in another storage device in the same order as the update, and the synchronous copy destination of the update data from the first storage device is returned to the second storage device, and the first storage device and the second storage device If the first storage device is damaged while a communication failure has occurred with the storage device, data is written back from the second storage device after the first storage device is repaired, and then the third storage device The present invention provides a disaster recovery method characterized in that update data stored in a storage device is quasi-synchronously copied to a first storage device.

  According to the present invention, it is possible to provide an information system and a disaster recovery method that can be introduced at low cost without data being lost even if the main site is damaged during a communication failure with a remote site.

It is a figure which shows the structure of the information system which concerns on 1st Embodiment which implemented this invention suitably. It is a figure which shows the detailed structure of the information system which concerns on 1st Embodiment. It is a figure which shows the normal state which performs synchronous copy from the disk of main storage to the disk of replication storage. It is a figure which shows the state which the communication failure generate | occur | produced between the main site and the remote site. It is a figure which shows the state in which the main site was damaged while the communication failure generate | occur | produced between the main site and the remote site. It is a figure which shows the state which the journal storage notified difference completion completion to the replication storage. It is a figure which shows the state from which the communication failure was eliminated without the main site being damaged after the communication failure between the main site and the remote site. It is a figure which shows the state which the journal storage notified the difference reflection completion to the main storage and the replication storage. It is a figure which shows the state which the main storage switched the synchronous copy destination to the replication storage. It is a figure which shows the state where the free space is lost in the journal storage. It is a figure which shows the state in which the update data stored in the buffer are semi-synchronously copied to the journal storage after the journal storage is vacant. It is a figure which shows the state which the communication failure generate | occur | produced between the main site and the journal site, and between the remote site and the journal site. It is a figure which shows the state which the communication failure generate | occur | produced between the main site and the remote site, and between the journal site and the remote site. It is a figure which shows the state which the communication failure generate | occur | produced between the main site and the remote site, and between the main site and the journal site. It is a figure which shows the detailed structure of the information system which concerns on 2nd Embodiment which implemented this invention suitably. It is a figure which shows the state which the communication failure generate | occur | produced between the main site and the remote site. It is a figure which shows the state from which the communication failure between a main site and a remote site was eliminated. It is a figure which shows the state which the journal storage notified difference completion completion to the replication storage. It is a figure which shows the state by which the synchronous copy from main storage to replication storage was restarted. It is a figure which shows the structure of the information system which concerns on 3rd Embodiment which implemented this invention suitably. It is a figure which shows the detailed structure of the information system which concerns on 3rd Embodiment. It is a figure which shows the state which the main storage switched the synchronous copy destination to the journal storage. It is a figure which shows the state which written in the main storage the data in replication storage. FIG. 6 is a diagram showing a state in which update data is copied from the journal storage to the main storage semi-synchronously and also from the main storage to the replica storage. It is a figure which shows the state which the replication storage notified the difference reflection completion to the main storage. It is a figure which shows the state by which the update data to main storage are synchronously copied to replication storage. It is a figure which shows the state which journal storage copies update data to a replication storage via main storage. It is a figure which shows the state which the journal storage notified the difference reflection completion to the main storage. It is a figure which shows the state which the replication storage notified to the main storage that the synchronization was completed. It is a figure which shows the state by which the synchronous copy from main storage to replication storage was restarted. It is a figure which shows the information system of the structure which provided the buffer in the replication storage. It is a figure which shows the state which accumulate | stores update data in a buffer until the semisynchronous copy from journal storage is completed. It is a figure which shows the state which the semi-synchronous copy of the update data from a journal storage to a replication storage was completed. It is a figure which shows the state in which the update data in the buffer of replication storage were reflected. FIG. 4 is a diagram illustrating a state in which journal sites are aggregated in a data center, and a plurality of main sites and their remote sites are connected to the data center. FIG. 4 is a diagram illustrating a state in which journal sites are aggregated in a data center, and a plurality of main sites and their remote sites are connected to the data center. It is a figure which shows the state which synchronously copies the update data of a main site to a remote site. It is a figure which shows the state which the communication failure generate | occur | produced between the main site and the remote site. It is a figure which shows the state which the main site was damaged while the communication failure generate | occur | produced between the main site and the remote site.

[First Embodiment]
A first embodiment in which the present invention is suitably implemented will be described.
FIG. 1 shows the configuration of the information system according to this embodiment. The information system according to the present embodiment is an information system including a main storage 110 and a duplicate storage 130 to which update data is synchronously copied from the main storage 110 when data in the main storage 110 is updated. When the main storage 110 and the replication storage 130 both have a journal storage 140 connected via the networks 151 and 153, and a communication failure occurs in the network 151 between the main storage 110 and the replication storage 130, The update data is synchronously copied to the journal storage 140, and the update data stored in the journal storage 140 is semi-synchronously copied to the replication storage 130, and after the communication failure of the network 151 is resolved, the update data from the main storage 110 is copied. Returning the synchronous copy destination data replication storage 130.

FIG. 2 shows a more detailed configuration of the information system according to the present embodiment.
The information system according to the present embodiment includes three sites: a main site, a remote site, and a journal site. Each site is set apart so that a large-scale disaster will not occur at the same time.

  At the main site, a host computer 100 and a main storage 110 that operate under program control are installed.

  The host computer 100 includes a disk access unit 101. The disk access unit 101 reads information from and writes information to the main storage 110.

  The main storage 110 includes a disk 111, a buffer 112, a bitmap 113, a storage control unit 114, and a communication unit 115. The bitmap 113 represents an area updated on the main storage 110 after consistency cannot be maintained between the main storage 110 and the duplicate storage 130. The storage control unit 114 controls the operation of each unit of the main storage 110. The communication unit 115 communicates with the replication storage 130 provided at the remote site and the journal storage 140 provided at the journal site. Further, it detects that a communication failure has occurred in the network 151 with the remote site and the network 152 with the journal site.

  At the remote site, a host computer 120 and a duplicate storage 130 that operate under program control are installed.

  The host computer 120 includes a disk access unit 121. The disk access unit 121 reads information from and writes information to the replica storage 130.

The duplicate storage 130 includes a disk 131, a storage control unit 134, and a communication unit 135. The storage control unit 134 controls the operation of each unit of the duplicate storage 130. The communication unit 135 communicates with the main storage 110 provided at the main site and the journal storage 140 provided at the journal site. Further, it detects that a communication failure has occurred in the network 152 with the main site and the network 153 with the journal site. The duplicate storage 130 is in a state in which strict consistency is maintained with the main storage 110, a state in which sequential consistency is maintained with the main storage 110, and the main storage 110 One of the states in which consistency is not maintained is taken.
Note that the order consistency means that all processes can read and write operations to the storage from any process in the same order. Order consistency does not refer to the time at which the operation was performed. However, if you close to individual processes, you can observe them in the order written in the program.

  A journal storage 140 is installed at the journal site. The journal storage 140 includes a disk 141, a communication unit 142, and a storage control unit 143. The storage control unit 143 controls the operation of each unit of the journal storage 140. The communication unit 142 communicates with the main storage 110 provided at the main site and the replication storage 130 provided at the remote site. Further, it detects that a communication failure has occurred in the network 152 with the main site and the network 153 with the remote site.

  The sites are connected by networks 151 to 153, respectively.

  Next, the recovery operation of the information system according to the present embodiment will be described. As described above, the operations of the main storage 110, the replica storage 130, and the journal storage 140 are controlled by the storage control units 114, 134, and 143, respectively, and communication between the storages is realized by the communication units 115, 135, and 142. However, for the sake of simplification of description, it is simply expressed that the storage apparatus performs an operation (copying, communication, etc.).

  In this embodiment, it is assumed that the information system is a system that requires strict consistency. However, the present invention is not intended to be limited to a system that requires strict consistency, and can be configured as a system that requires order consistency.

  In the normal state, communication is performed between the main site and the remote site via the network 151, and the synchronous copy is performed from the disk 111 of the main storage 110 to the disk 131 of the duplicate storage 130 as shown in FIG.

  A case where a communication failure occurs between the main site and the remote site as shown in FIG. 4 will be described. The main storage 110 and the duplicate storage 130 detect a communication failure by heartbeat communication or the like. When a communication failure is detected, the main storage 110 changes the synchronous copy destination to the disk 141 of the journal storage 140, and sequentially sends data that could not be sent to the remote site to the journal storage 140.

  Since the duplicate storage 130 can no longer receive a synchronous copy from the main storage 110, the replica storage 130 transitions from a state in which strict consistency is maintained to a state in which order consistency is maintained. In the present embodiment, since the information system is a system that requires strict consistency, the process of referring to the data in the disk 131 from the host computer 120 at the remote site will result in an error.

  The journal storage 140 writes update data to the disk 141 in synchronization with the main storage 110. When the synchronous copy destination from the main storage 110 is switched from the disk 131 of the replication storage 130 to the disk 141 of the journal storage 140, the journal storage 140 establishes communication with the replication storage 130. After connection, the journal storage 140 semi-synchronously copies the update data stored in the disk 141 to the disk 131 of the replication storage 130. Since the update order is maintained, order consistency between the main storage 110 and the duplicate storage 130 is maintained.

In this state, a case where the main site is damaged as shown in FIG. 5 will be described.
In this case, the journal storage 140 continues the quasi-synchronous copy of the update data existing on the disk 141 to the disk 131 of the duplicate storage 130. After all the update data existing in the disk 141 is quasi-synchronously copied to the disk 131, the journal storage 140 notifies the replication storage 130 of the completion of the difference reflection as shown in FIG. In the duplicate storage 130, all data is the latest when the notification of the difference reflection completion is received. At this time, the duplicate storage 130 is in a state in which strict consistency with the main storage 110 is maintained, and processing for referencing data in the disk 131 from the host computer 120 at the remote site is possible.

  Generally, after the storage data becomes the latest, a rollback by a journal or the like is performed, and restoration is performed so that logically consistent data is obtained from an OS (Operating System) or a higher-level application. Also in this embodiment, a known rollback is performed. The journal cannot be repaired unless order consistency is maintained. However, in the above procedure, the order consistency is always maintained, so that journal repair is possible.

  Next, after a communication failure occurs as shown in FIG. 4, a case where the main site is recovered from the communication failure without being damaged as shown in FIG. 7 will be described. The main storage 110 periodically tries to communicate with the duplicate storage 130, and recognizes that the communication failure has been resolved when the communication is successful. The main storage 130 notifies the journal storage 140 that the communication with the replication storage 130 has been recovered by sending a communication recovery notification. The main storage 110 continues to send update data to the journal storage 140 even after communication is restored.

  After the journal storage 140 receives the communication recovery notification, all the update data existing in the disk 141 is reflected in the disk 131 of the replication storage 130 and no update data exists in the disk 141, as shown in FIG. Notifies the main storage 110 and the duplicate storage 130 of the completion of the difference reflection. The journal storage 140 accepts the synchronous copy from the disk 111 and continues the semi-synchronous copy to the disk 131 until it notifies the difference reflection completion.

  Receiving the difference reflection completion notification, the main storage 110 switches the synchronous copy destination to the disk 131 of the replication storage 130 as shown in FIG. Thereafter, communication is performed between the main storage 110 and the replica storage 130 without using the journal storage 140.

  Similarly, the duplicate storage 130 that has received the difference reflection completion notification processes the synchronous copy from the disk 111 of the main storage 110 instead of the semi-synchronous copy from the disk 141 of the journal storage 140. The duplicate storage 130 is in a state in which strict consistency with the main storage 110 is maintained when a synchronous copy from the disk 111 is received. Therefore, thereafter, it is possible to refer to data in the disk 131 from the host computer 120 at the remote site.

Next, the operation when the journal storage 140 runs out of free space will be described. As shown in FIG. 10, when there is no free space in the journal storage 140, synchronous copying from the disk 111 of the main storage 110 to the disk 141 of the journal storage 140 cannot be performed, so the main storage 110 stores the update data in the buffer 112. . When the disk 141 in the journal storage 140 is free, the main storage 110 transmits the update data stored in the buffer 112 to the disk 141 in the journal storage 140 by semi-synchronous copying as shown in FIG.
Since the buffer 112 of the main storage 110 is used, the update data is lost when the main site is damaged in this state, but the data copied to the replication storage 130 or the journal storage 140 is at least in order consistency. The information system can be recovered using the remaining data.

  When the buffer 112 runs out of free space, the main storage 110 switches to a method of managing the update location on the disk 111 with the bitmap 113. The main storage 110 notifies the duplicate storage 130 that there is no more free space in the buffer 112. Then, the update data stored in the buffer 112 is transmitted to the journal storage 140 by a semi-synchronous copy, and when the update data is reflected from the journal storage 140 to the replication storage 130, the replication storage 130 is managed by the bitmap 113. The update location is reflected on the disk 131.

  A well-known technique can be applied to the method of managing the update location with a bitmap. Since the bitmap 113 does not hold the update order, when the update location managed by the bitmap 113 is reflected in the disk 131 of the replication storage 130, the copy becomes an asynchronous copy that is unrelated to the update order, and the consistency is Not kept. For this reason, when the update location managed by the bitmap is reflected in the replication storage 130, the replication storage 130 cannot be used until the reflection of all the update locations is completed.

  Next, the operation when a double network failure occurs will be described. As shown in FIG. 12, when a communication failure occurs in the network 152 between the main site and the journal site and the network 153 between the remote site and the journal site, the network 151 between the main site and the remote site is used. Therefore, synchronous copy is performed from the main storage 110 to the duplicate storage 130 as in the normal case.

  As shown in FIG. 13, when a communication failure occurs in the network 151 between the main site and the remote site and the network 153 between the journal site and the remote site, the main storage 110 synchronously copies the update data to the journal storage 140. To do. The journal storage 140 holds update data in the disk 141, and asynchronously copies the held update data to the replication storage 130 after the network 153 recovers.

  When a communication failure occurs in the network 151 between the main site and the remote site and the network 152 between the main site and the journal site, the main storage 110 cannot transmit update data. The same operation as when the free space is exhausted (the operation of holding the update data in the buffer 112) is performed.

In the present embodiment, a journal site that is connected to a main site and a remote site via a network and has a storage as a third site is provided in an information system that transmits data between the main site and the remote site. Yes. When a communication failure occurs between the main site and the remote site, the storage at the main site switches so that the update data that has been transmitted to the remote site is synchronously copied to the storage at the journal site.
By storing the update data in the journal site, even if the main site is damaged during a communication failure between the main site and the remote site, the data is not lost.
By reflecting the update data existing in the journal site to the remote site, the data recovery is completed, and the business can be continued at the remote site.

  In addition, since there is no need to provide a plurality of remote sites or to make the transmission path between the main site and the remote site redundant, it is possible to reduce initial costs for installation and costs for operation.

  As described above, the information system according to the present embodiment can be introduced at a low cost without losing data even if the main site is damaged during the occurrence of a communication failure with the remote site.

[Second Embodiment]
A second embodiment in which the present invention is suitably implemented will be described. The information system according to this embodiment is substantially the same as that of the first embodiment. FIG. 15 shows a detailed configuration of the information system according to the present embodiment. The information system according to the present embodiment is different from the first embodiment in that the duplicate storage 130 further includes a buffer 132.

A recovery operation of the information system according to the present embodiment will be described.
As shown in FIGS. 16 and 17, in the present embodiment, immediately after the communication between the main site and the remote site is recovered, the main storage 110 notifies the journal storage 140 of the communication recovery, and the update data in the main storage 110 is displayed. Is switched from the journal storage 140 to the replica storage 130.

  The duplicate storage 130 receives data from both the journal storage 140 and the main storage 110, but the update data received from the journal storage 140 is reflected on the disk 131 first, and the data received from the main storage 110 is stored in the buffer 132. For example, when the communication failure is recovered when data “7” is further written to the main storage 110 from the state shown in FIG. 16, the data “4” in the journal storage 140 is shown in FIG. The data “7” in the main storage is sent to the replication storage 130, and the replication storage 130 reflects the data “4” received from the journal storage 140 on the disk 131 and receives it from the main storage 110. The data “7” is stored in the buffer 132.

  The journal storage 140 recognizes that the synchronous copy from the main storage 110 has been completed by notifying communication recovery. In the journal storage 140, all the update data in the disk 141 is reflected in the disk 131 of the replication storage 130, and when no update data exists in the journal storage 140, the difference is reflected in the replication storage 130 as shown in FIG. Notify completion.

  The replica storage 130 reflects the update data existing in the buffer 132 on the disk 131 after receiving the notification of the difference reflection completion. When all the data has been reflected, the synchronous copy from the main storage 110 is directly reflected on the disk 131 of the duplicate storage 130 as shown in FIG.

  In the present embodiment, the update data transmission destination is switched to the remote site in response to the communication recovery between the main site and the remote site. Accordingly, since update data is transmitted from both the journal site and the main site to the remote site in parallel, the time required for reflecting the update data on the remote site can be shortened.

[Third Embodiment]
A third embodiment in which the present invention is preferably implemented will be described.
FIG. 20 shows the configuration of the information system according to this embodiment. The information system according to the present embodiment is an information system including a main storage 210 and a duplicate storage 230 to which update data is synchronously copied from the main storage 210 when the data in the main storage 210 is updated. When the communication failure occurs in the network 251 between the main storage 210 and the replication storage 230, the update data is transferred to the journal storage 240. After the communication failure of the network 251 is resolved, the update data stored in the journal storage 240 is semi-synchronously copied to the replica storage 230 via the main storage 210 and updated from the main storage 210. If the main storage 210 is damaged while a communication failure has occurred in the network 151, the data is written back from the replication storage 230 after the main storage 210 is repaired. The update data stored in the journal storage 240 is quasi-synchronously copied to the main storage 210.

FIG. 21 shows a more detailed configuration of the information system according to the present embodiment.
The information system according to the present embodiment includes three sites: a main site, a remote site, and a journal site.

A host computer 200 and a main storage 210 that operate by program control are installed at the main site.
The host computer 200 includes a disk access unit 201. The disk access unit 201 reads information from and writes information to the main storage 210.
The main storage 210 includes a disk 211, a buffer 212, a bitmap 213, a storage control unit 214, and a communication unit 215. The bitmap 213 represents an area updated on the main storage 210 after the consistency between the main storage 210 and the replication storage 230 cannot be maintained. The storage control unit 214 controls the operation of each unit of the main storage 210. The communication unit 215 communicates with the replication storage 230 provided at the remote site and the journal storage 240 provided at the journal site.

A replication storage 230 is installed at the remote site.
The duplicate storage 230 includes a disk 231, a buffer 232, a storage control unit 234, and a communication unit 235. The storage control unit 234 controls the operation of each unit of the replication storage 230. The communication unit 235 performs communication with the main storage 210 provided at the main site and the journal storage 240 provided at the journal site.

  A journal storage 240 is installed at the journal site. The journal storage 240 includes a disk 241, a communication unit 242, and a storage control unit 243. The storage control unit 243 controls the operation of each unit of the journal storage 240. The communication unit 242 performs communication with the main storage 210 provided at the main site and the replication storage 230 provided at the remote site.

  The main site and the remote site are connected by a network 251, and the main site and the journal site are connected by a network 252. In this embodiment, the journal site and the remote site are not connected.

  A recovery operation of the information system according to the present embodiment will be described.

  At normal times, the update data is synchronously copied from the main storage 210 to the duplicate storage 230. When the main storage 210 detects that a failure has occurred in communication between the main storage 210 and the duplicate storage 230, the main storage 210 switches the synchronous copy destination to the journal storage 240 as shown in FIG.

When the main site is damaged in this state, the main site is restored and all data is copied from the duplicate storage 230 to the main storage 210 as shown in FIG. Since the copy at this time is performed asynchronously and without guaranteeing the update order, it corresponds to “asynchronous copy”. Thereafter, as shown in FIG. 24, the update data from the journal storage 240 is semi-synchronously copied to the main storage 210, and is also semi-synchronously copied from the main storage 210 to the duplicate storage 230. When all the update data in the journal storage 240 is reflected in the main storage 210, the journal storage 240 notifies the main storage 210 that the difference has been reflected. In response to this, the main storage 210 notifies the replication storage 230 of the completion of the difference reflection.
As shown in FIG. 25, the duplicate storage 230 notifies the main storage 210 of the completion of synchronization when all the data has been reflected.
Thereafter, the main storage 210 can be used from the host computer 200, and updates to the main storage 210 are synchronously copied to the duplicate storage 230, as shown in FIG.

Next, a case where the communication failure shown in FIG. 22 is recovered without the main site being damaged will be described.
The main storage 210 periodically tries to communicate with the replication storage 230 and recognizes that the communication failure has been resolved by successful communication. The main storage 210 notifies the journal storage 240 that the communication failure between the main site and the remote site has been resolved by sending a communication recovery notification. The main storage 210 continues the synchronous copy to the journal storage 240 even after the communication is restored.

  As shown in FIG. 27, after receiving the communication recovery notification, the journal storage 240 performs semi-synchronous copying of the update data existing in the disk 244 to the duplicate storage 230 via the main storage 210. When there is no update data in the journal storage 240, the journal storage 240 notifies the main storage 210 of the completion of the difference reflection as shown in FIG. In response to this, the main storage 210 notifies the replication storage 230 of the completion of the difference reflection.

  The journal storage 240 continues to receive the synchronous copy from the main storage 210 until the main storage 210 is notified of the difference reflection completion. The main storage 210 does not send update data to the journal storage 240 after being notified of the completion of the difference reflection.

  When all the data has been reflected, the duplicate storage 230 notifies the main storage 210 of the completion of synchronization as shown in FIG. The main storage 210 notified of the completion of synchronization switches the synchronous copy destination to the duplicate storage 230. Thereafter, the journal storage 240 is not used, and communication is performed between the main storage 210 and the replication storage 230 as shown in FIG. 30, and the update data is synchronized from the disk 211 of the main storage to the disk 231 of the replication storage 230. make a copy.

  As shown in FIG. 31, the replica storage 230 includes a buffer 232 as in the second embodiment, and when the communication between the main storage 210 and the replica storage 230 is restored, the main storage 210 The synchronous copy destination may be changed to the replica storage 230, and update data may be accumulated in the buffer 232 until the semi-synchronous copy from the journal storage 240 is completed as shown in FIG. In this case, as shown in FIG. 33, after the semi-synchronous copy from the journal storage 240 is completed, it may be reflected on the disk 231 as shown in FIG.

  The operation when there is no more free space in the journal storage is the same as in the first embodiment, and the main storage 210 stores the update data in the buffer 212. When the journal storage 240 becomes empty, the main storage 210 transmits the update data stored in the buffer 212 to the journal storage 240 by semi-synchronous copying.

  Furthermore, the operation when the buffer 212 runs out of free space is the same as in the first embodiment, and the main storage 210 switches to a method of managing the update location on the disk 211 with the bitmap 213.

  Since the information system according to the present embodiment has a configuration in which the communication path between the remote site and the journal site is omitted, the cost for constructing the system can be further reduced.

  Each of the above embodiments is an example of a preferred embodiment of the present invention, and the present invention is not limited to these.

For example, in each of the above embodiments, the main site and the remote site are configured as a single configuration, but a configuration in which the journal sites are aggregated and a plurality of sites share the journal site is also possible.
Specifically, as shown in FIG. 35, journal sites are aggregated in a data center, and a plurality of main sites according to the first and second embodiments and their remote sites are connected to the data center. The data center prepares a pool of journal storage and dynamically allocates it to each site. By considering the geographical or network location of each site so as not to overlap, the number of sites where communication failures occur simultaneously can be reduced, and the amount of required journal storage pool can be reduced. That is, it is possible to reduce costs and use resources more effectively than when each site has a journal site individually. As shown in FIG. 36, the same effect can be obtained by consolidating journal sites in a data center and connecting a plurality of main sites according to the third embodiment to the data center.
Also, as shown in FIG. 37, by collecting a plurality of replicated storages in the data center, disaster recovery using the replicated storage and journal storage can be realized as an outsourcing service. In other words, companies can entrust the establishment of remote sites and journal sites and the maintenance and operation of replica storage and journal storage to specialized vendors, and only need to open and operate the main site. It becomes easy to introduce an information system that supports disaster recovery.
As described above, the present invention can be variously modified.

100, 120, 200 Host computer 101, 121, 201 Disk access unit 110, 210 Main storage 111, 131, 141, 211, 231, 241 Disk 112, 132, 212 Buffer 113 Bit map 114, 134, 143, 214, 234 243 Storage control unit 115, 135, 142, 215, 235, 242 Communication unit 130, 230 Replication storage 140, 240 Journal storage 151, 152, 153, 251, 252 Network

Claims (12)

An information system comprising: a first storage device; and a second storage device to which update data is synchronously copied from the first storage device when data of the first storage device is updated. The synchronous copy is a copy that reflects the updated data in another storage device in synchronization with the update of data in one storage device,
A third storage device connected to both the first and second storage devices;
When a communication failure occurs between the first storage device and the second storage device, the update data is synchronously copied to the third storage device,
The update data stored in the third storage device is quasi-synchronously copied to the second storage device, and the quasi -synchronous copy is asynchronous with update of data of one storage device and the one storage device It is a copy that reflects the update data on other storage devices in the same order as the device data update.
After the communication failure between the first storage device and the second storage device is resolved, the synchronous copy destination of the update data from the first storage device is returned to the second storage device. An information system characterized by When the communication failure between the first storage and the second storage is resolved and the update data no longer exists in the third storage device, the synchronous copy destination of the update data from the first storage device is The information system according to claim 1, wherein the information system is changed from a third storage device to the second storage device. When the communication failure between the first storage device and the second storage device is resolved, the synchronous copy destination of the update data from the first storage device is returned to the second storage device. ,
It said second storage device, a buffer of the third of its own apparatus does not reflect the updated data received from the first storage device before the reflected from the storage device quasi synchronization copied the update data is completed 2. The information system according to claim 1, wherein the update data stored in the buffer is reflected after the update data to be semi-synchronously copied from the third storage apparatus is reflected. The first storage device has a buffer for storing update data that cannot be synchronously copied to the second storage device or the third storage device, and the update data can be transmitted to a synchronous copy destination. 3. The information system according to claim 1 or 2 , wherein the data in the buffer is quasi-synchronously copied at a point in time. When the first storage device runs out of free space in the buffer, the first storage device manages subsequent update contents in a memory address map, and the update data stored in the buffer is reflected in the second storage device. After that, the update contents managed by the memory address map are reflected in the second storage device by asynchronous copy, and the asynchronous copy is asynchronous with update of data of one storage device and 5. The information system according to claim 4, wherein the information system is a copy that does not guarantee the data update order of the storage apparatus and reflects the update data in another storage apparatus . An information system comprising: a first storage device; and a second storage device to which update data is synchronously copied from the first storage device when data of the first storage device is updated. The synchronous copy is a copy that reflects the updated data in another storage device in synchronization with the update of data in one storage device,
A third storage apparatus connected to the first storage device,
When a communication failure occurs between the first storage device and the second storage device, the update data is synchronously copied to the third storage device,
After the communication failure between the first storage device and the second storage device is resolved, the update data stored in the third storage device is transferred to the third storage device via the first storage device. A semi-synchronous copy is made to the second storage device, and the semi -synchronous copy is asynchronous with update of data of one storage device and updated to another storage device in the same order as update of data of the one storage device. A copy reflecting data, and the synchronous copy destination of the update data from the first storage device is returned to the second storage device, and between the first storage device and the second storage device If the first storage device is damaged while a communication failure has occurred, the second storage device can restore the first storage device after the first storage device is repaired. Written back over data, then the information system, characterized in that the third said semi-synchronous copy the updated data to the first storage device stored in the storage device. When the update data no longer exists in the third storage device, the synchronous copy destination of the update data from the first storage device is changed from the third storage device to the second storage device. The information system according to claim 6. When the communication failure between the first storage device and the second storage device is resolved, the synchronous copy destination of the update data from the first storage device is returned to the second storage device. ,
The second storage device has received from the first storage device before the reflection of update data that is semi-synchronously copied from the third storage device via the first storage device is completed. The update data is stored in the buffer of the own device without reflecting the update data, and the update data stored in the buffer is reflected from the third storage device via the first storage device in a semi-synchronous manner. The information system according to claim 6, which is reflected after completion. The first storage device has a buffer for storing update data that cannot be synchronously copied to the second storage device or the third storage device, and the update data can be transmitted to a synchronous copy destination. 9. The information system according to claim 6, wherein the data in the buffer is quasi-synchronously copied at a point of time. A plurality of pairs of the first storage device and the second storage device;
The information system according to claim 1, wherein the third storage is shared as a storage pool by a plurality of pairs of the first and second storage apparatuses. Disaster recovery in an information system comprising a first storage device and a second storage device to which update data is synchronously copied from the first storage device when the data of the first storage device is updated In the method, the synchronous copy is a copy reflecting the updated data in another storage device in synchronization with the update of data in one storage device,
A third storage device is connected to both the first and second storage devices;
When a communication failure occurs between the first storage device and the second storage device, the update data is synchronously copied to the third storage device,
The update data stored in the third storage device is quasi-synchronously copied to the second storage device, and the quasi-synchronous copy is asynchronous with update of data of one storage device and the one storage device It is a copy that reflects the update data on other storage devices in the same order as the device data update.
After the communication failure between the first storage device and the second storage device is resolved, the synchronous copy destination of the update data from the first storage device is returned to the second storage device. Disaster recovery method characterized by this. Disaster recovery in an information system comprising a first storage device and a second storage device to which update data is synchronously copied from the first storage device when the data of the first storage device is updated In the method, the synchronous copy is a copy reflecting the updated data in another storage device in synchronization with the update of data in one storage device,
Connecting a third storage device to the first storage device;
When a communication failure occurs between the first storage device and the second storage device, the update data is synchronously copied to the third storage device,
After the communication failure between the first storage device and the second storage device is resolved, the update data stored in the third storage device is transferred to the third storage device via the first storage device. A semi-synchronous copy is made to the second storage device, and the semi -synchronous copy is asynchronous with update of data of one storage device and updated to another storage device in the same order as update of data of the one storage device. A data reflecting copy, and a synchronous copy destination of the update data from the first storage device is returned to the second storage device;
If the first storage device is damaged while a communication failure has occurred between the first storage device and the second storage device, the second storage device is restored after the first storage device is repaired. A disaster recovery method comprising: writing back data from the storage device and then semi-synchronously copying the update data stored in the third storage device to the first storage device.

Images