JP5348300B2 - Data management program and multi-node storage system - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To shorten a stop period of data access which occurs during the occurrence of a failure of a storage device. <P>SOLUTION: If the operation of a storage device 1 is in a bad condition or if a lapse time (T) measured by response time calculation means 4a exceeds an operation bad condition detection time (T1), operation bad condition detection means 4b outputs operation bad condition information showing that the storage device 1 has the possibility of being in a bad condition to a control node 7. The control node 7 stores the operation bad condition information in operation bad condition information storing means 7b. When an access node 8 accesses the first slice 1a in the storage device 1 to cause an error after that, access relevant information showing that the access fails is transmitted to the control node 7. The control node 7 makes a recovery instruction of the slice 1a shown by the access relevant information to disk nodes 5, 6. <P>COPYRIGHT: (C)2013,JPO&amp;INPIT

Description

  The present invention relates to a data management program, a storage device diagnosis program, and a multi-node storage system for managing data by duplication, and in particular, a data management program for performing data recovery processing according to a diagnosis result of a storage device, and a storage device diagnosis The present invention relates to a program and a multinode storage system.

  One system for managing data on a network is a multi-node storage system. The multi-node storage system is composed of a plurality of disk nodes, at least one access node, and a control node. The disk node, access node, and control node are connected via a network.

  Within the multi-node storage system, virtual disks are defined. A virtual disk is composed of a plurality of unit storage areas called a plurality of segments. Further, the disk node manages the storage area of the connected storage device by dividing it into units called slices. Then, the correspondence relationship between the segments constituting the virtual disk and the slices managed by each disk node is managed by the control node. The metadata indicating the correspondence is notified from the control node to the access node.

  When the access node receives data access designating data in the virtual disk, the access node determines a slice corresponding to the segment in which the data is stored based on the metadata. Then, the access node transmits an access request to the disk node that manages the slice in which the data is actually stored.

  With such a multi-node storage system, a user who uses an access node can use a large number of storage devices connected to the disk node in the same way as a local disk device. Moreover, in a multi-node storage system, data can be duplicated by assigning two slices to one segment. If data is duplicated, it is not necessary to lose data even if one storage device fails.

  Even if the data is duplicated, if the storage device cannot be accessed due to a failure, the duplicated state will be lost for some segments. In that case, a recovery process is performed. In the recovery process, a new slice is assigned to the segment (recovery target segment) whose duplex state has been lost by the control node. Then, the data in the existing slice assigned to the recovery target segment is copied to the slice newly assigned by the disk node. As a result, the data duplex state is recovered.

  Further, the attributes of the primary slice and the secondary slice are given to the two slices assigned to the virtual disk segment for duplication. The access node accesses the primary slice. If a failure occurs in the storage apparatus having the primary slice, the control node changes the attribute of the secondary slice to the primary slice. As a result, the access node can access the data stored in the storage apparatus in which the failure has occurred without waiting for the completion of the recovery process.

International Publication No. WO2004 / 104845 Pamphlet

  By the way, as one of the failures that make it impossible to access data from the access node, there is a functional failure of the storage apparatus. When a failure occurs in the storage device, first, the disk node detects the failure. The disk node that detects the failure notifies the control node of the occurrence of the failure, so that the control node recognizes the occurrence of the failure. Then, recovery processing is executed under the control of the control node.

  However, in order to prevent erroneous detection of a failure, it is necessary to provide a certain grace period after the disk node detects a failure sign (operation failure) of the storage apparatus until it is determined to be a failure. For this reason, during the grace period, the process of changing the access destination of the access node to another storage device is not executed, and data access from the access node is stopped during that period.

  When a failure occurs in a storage device having a primary slice, an access from the access node to the primary slice results in an error immediately after the failure occurs. On the other hand, it is unclear whether a disk node has an unrecoverable failure or is a temporary problem and can be accessed after a certain grace period. Therefore, the disk node does not determine that there is a failure until a predetermined grace period elapses. As a result, the timing for switching the current secondary slice to the primary slice is delayed, and the access stop period by the access node is prolonged.

  The present invention has been made in view of the above points, and provides a data management program, a storage device diagnostic program, and a multi-node storage system that can shorten a data access stop period that occurs when a storage device failure occurs. Objective.

  In order to solve the above problems, a data management program for realizing the following functions by a computer is provided. This data management program causes a computer to execute management processing of data stored in duplicate in a plurality of storage devices whose storage areas are divided into a plurality of slices and managed.

  The computer that executes the data management program functions as malfunction information management means and recovery instruction means. When the malfunction information management means receives malfunction information indicating that one of the plurality of storage devices may be out of order, the malfunction information management means stores the malfunction information in the malfunction information storage means. When the recovery instruction means receives access-related information indicating that an access request has been issued with the slices of a plurality of storage devices as access target slices, the recovery instruction means refers to the operation failure information in the operation failure information storage means to determine the access target slice. A slice that has a data input / output function to the storage device that stores the redundant data with the same contents as the data in the access target slice if the storage device to which it belongs is determined whether there is a failure and if there is a failure The management unit is instructed to recover the data stored in the access target slice.

  In order to solve the above problems, a storage apparatus diagnosis program for realizing the following functions by a computer is provided. The storage device diagnosis program causes a computer connected to the control node that manages the data stored in the storage device via the network to execute the storage device operation diagnosis process while being connected locally. It is.

  The computer that executes the storage apparatus diagnosis program functions as response time measurement means, malfunction detection means, and recovery detection means. The response time measuring means issues an inspection command to the storage device and measures an elapsed time from when the inspection command is issued until there is a response. If there is no response when the elapsed time reaches a preset malfunction detection time, the malfunction detection means transmits malfunction information indicating that the storage device may be out of order to the control node. To do. When a response to the inspection command is returned from the storage apparatus after transmitting the malfunction information, the recovery detection means transmits recovery information indicating the recovery of the storage apparatus to the control node.

  The data access stop period that occurs when a storage device failure occurs can be shortened.

It is a figure which shows the outline | summary of embodiment. 1 is a diagram illustrating a configuration example of a multi-node storage system according to a first embodiment. FIG. It is a figure which shows the hardware structural example of the control node used for a 1st form. It is a figure which shows the data structure of a virtual disk. It is a block diagram which shows the function of each apparatus of a multinode storage system. It is a figure which shows the example of a data structure of a storage apparatus. It is a figure which shows the example of a data structure of a metadata memory | storage part. It is a figure which shows the example of a data structure of a virtual disk metadata storage part. It is a figure which shows the example of a data structure of a storage state memory | storage part. FIG. 11 is a sequence diagram illustrating a procedure for slice switching processing when a storage apparatus fails. It is a figure which shows the example of the storage state memory | storage part after a state change. It is a figure which shows the content of the virtual disk metadata memory | storage part after an update. FIG. 11 is a sequence diagram illustrating a procedure for slice switching processing when the load on the storage apparatus becomes excessive. It is a sequence diagram which shows the contradiction resolution process using a time stamp. It is a figure which shows the example of the reconfigure | reconstructed virtual disk metadata table. FIG. 10 is a sequence diagram illustrating a processing procedure when a disk node disconnection instruction is issued from a management node. It is a block diagram which shows the function of each apparatus of the multinode storage system in 3rd Embodiment. It is a figure which shows the example of a data structure of a metadata memory | storage part. It is a figure which shows the example of a data structure of a virtual disk metadata storage part. It is a figure which shows the example of a data structure of the allocation availability storage part. FIG. 11 is a sequence diagram illustrating a procedure for slice switching processing when a storage apparatus fails. It is a figure which shows the example of the allocation availability memory | storage part after an allocation availability update. It is a figure which shows the content of the virtual disk metadata memory | storage part after an update. FIG. 11 is a sequence diagram illustrating a procedure for slice switching processing when the load on the storage apparatus becomes excessive. It is a sequence diagram which shows slice allocation processing when T1 progress is detected by several disks. It is a flowchart which shows the procedure of a disk diagnostic process. It is a flowchart which shows the procedure of T2 / recovery detection processing.

Hereinafter, embodiments of the present invention will be described with reference to the drawings.
FIG. 1 is a diagram showing an outline of the embodiment. FIG. 1 shows a multi-node storage system. The multi-node storage system has a plurality of disk nodes 4 to 6, a control node 7, and an access node 8 for managing data stored in the storage apparatuses 1 to 2 in a duplex manner.

  The storage devices 1 to 3 are managed by dividing the storage area into a plurality of slices. The storage apparatuses 1 to 3 are locally connected to the disk nodes 4 to 6, respectively. Here, being connected locally means not connecting via a network.

The disk node 4 includes response time measuring means 4a, malfunction detection means 4b, failure detection means 4c, and recovery detection means 4d.
The response time measuring unit 4a issues an inspection command to the locally connected storage apparatus 1. Then, the response time measuring unit 4a measures an elapsed time “T” from when the inspection command is issued until a response to the inspection command is returned from the storage device 1.

  An operation failure detection time “T1” is preset in the operation failure detection means 4b. For example, the malfunction detection time “T1” is stored in the memory managed by the malfunction detection means 4b. In the malfunction detection time “T1”, for example, a time (for example, 1 second) that can respond to the inspection command when the operation of the storage apparatus 1 is normal is set. If there is no response from the storage apparatus 1 even if the elapsed time “T” reaches the operation malfunction detection time “T1”, the malfunctioning detection means 4b may cause the storage apparatus 1 to be out of order with respect to the control node 7. The malfunction information which shows that there exists is transmitted.

  In the failure detection means 4c, a value larger than the malfunction detection time “T1” is set as the failure detection time “T2”. For the failure detection time “T2”, for example, the maximum value (for example, 1 minute) of the time that can respond to the inspection command if there is no failure even if the processing of the storage apparatus 1 is overloaded is set. If there is no response from the storage device 1 even when the elapsed time “T” reaches the failure detection time “T2”, the failure detection unit 4 c transmits failure detection information regarding the storage device 1 to the control node 7.

  The return detection unit 4 d transmits return information indicating the return of the storage apparatus 1 to the control node 7 when a response to the inspection command is returned from the storage apparatus 1 after transmitting the malfunction information.

  The disk node 5 has slice management means 5a for inputting / outputting data to / from the storage apparatus 2. Similarly, the disk node 6 has slice management means 6 a that inputs and outputs data to the storage apparatus 3.

  Although omitted in FIG. 1, functions similar to the functions of the disk node 4 are also included in the disk nodes 5 and 6. Similarly, although omitted in FIG. 1, the disk node 4 includes functions similar to the slice management means 5 a and 6 a included in the disk nodes 5 and 6.

The control node 7 includes operation malfunction information management means 7a, operation malfunction information storage means 7b, and recovery instruction means 7c.
When the malfunction information management unit 7a receives malfunction information from one of the disk nodes 4 to 6, the malfunction information management unit 7a stores the malfunction information in the malfunction information storage unit 7b.

The malfunction information storage unit 7b stores malfunction information. For example, a part of the storage area of the memory is used as the malfunction information storage unit 7b.
When receiving the access related information indicating that an access request has been issued with the slices of the plurality of storage apparatuses 1 to 3 as the access target slice, the recovery instruction unit 7c refers to the operation failure information in the operation failure information storage unit 7b. Thus, it is determined whether there is a possibility that the storage apparatus to which the access target slice belongs is in failure. That is, if malfunction information indicating that there is a possibility of failure in the storage device to which the access target slice belongs is stored in the malfunction information storage unit 7b, it is determined that there is a possibility of failure.

  When there is a possibility of failure, the recovery instruction unit 7c recovers the data stored in the access target slice to the disk node to which the storage device storing the redundant data having the same contents as the data in the access target slice is connected. Instruct processing. The recovery process is a process for copying redundant data in the access target slice to another storage device and recovering the data duplex state.

  In the example of FIG. 1, the access related information is transmitted from the access node 8 when the access node 8 that accesses the plurality of storage apparatuses 1 to 3 fails to access the slice in the storage apparatus 1. . In this case, when receiving the access related information from the access node 8, the recovery instruction unit 7 c notifies the access node 8 of the redundant data storage location.

  According to such a multi-node storage system, when the operation of the storage apparatus 1 becomes unsatisfactory due to overload or the like, the response time from the storage apparatus 1 to the inspection command output by the response time measuring unit 4a is the operation failure detection time “ It takes longer than “T1” but shorter than the failure detection time “T2”. If the storage apparatus 1 has failed, no response to the inspection command is issued even after the failure detection time “T2”.

  Here, it is assumed that the operation time of the storage apparatus 1 becomes unstable or the elapsed time “T” measured by the response time measuring unit 4a exceeds the operation failure detection time “T1” due to a failure. Then, operation malfunction information indicating that the storage apparatus 1 may be out of order is output to the control node 7 by the operation malfunction detection means 4b. In the control node 7, the malfunction information management unit 7a stores the malfunction information in the malfunction information storage unit 7b.

  Thereafter, when the access node 8 accesses the first slice 1a in the storage device 1, the access becomes an error. Therefore, the access node 8 transmits access related information indicating that access to the first slice 1a of the storage apparatus 1 has failed to the control node 7. In the control node 7, the recovery instruction unit 7c refers to the malfunction information storage unit 7b and recognizes that there is a possibility that the storage apparatus 1 is in failure. Accordingly, the recovery instruction unit 7c issues a recovery instruction for the slice 1a indicated by the access related information to the disk nodes 5 and 6.

  Here, in the example of FIG. 1, it is assumed that redundant data of data (data [A]) in the slice 1 a is stored in the first slice 2 a of the storage device 2. Further, it is assumed that the first slice of the storage device 3 is in an empty state (a state in which valid data is not stored). In this case, the recovery instruction unit 7c instructs the slice management unit 5a of the disk node 5 to copy the data of the slice 2a to the slice 3a. Then, the slice management unit 5 a reads the data of the slice 2 a and transfers it to the disk node 6. In the disk node 6, the slice management means 6a receives the data and writes it to the slice 3a.

  The recovery instruction unit 7 c notifies the access node 8 that the redundant data of the slice 1 a is stored in the slice 2 a of the storage device 2. Thereby, the access node 8 can quickly change the access destination to the slice 2a of the storage device 2.

  Thereafter, if the response from the storage apparatus 1 is not output to the disk node 4 even after the failure detection time “T2” has elapsed, the failure detection means 4c detects the elapse of the failure detection time “T2”. Then, failure detection information indicating that the storage apparatus 1 has failed is transmitted from the failure detection means 4 c to the control node 7. In the control node 7, the recovery instruction unit 7 c issues a recovery instruction to the disk node 5 for all slices in the storage apparatus 2.

  Further, when the response from the storage apparatus 1 is output to the disk node 4 before the failure detection time “T2” elapses, the return detection unit 4d detects the return. Then, return information indicating that the storage apparatus 1 has returned is transmitted from the return detection means 4d to the control node 7. In the control node 7, the malfunction information management means 7a deletes the malfunction information indicating that the storage apparatus 1 may be out of order from the malfunction information storage means 7b.

  As described above, in the multi-node storage system shown in FIG. 1, the failure detection times of the storage apparatuses 1 to 3 are set in two stages: the malfunction detection time “T1” and the failure detection time “T2” (T1 <T2). Conventionally, only the failure detection time “T2” exists, and the recovery processing is started when the disk node detects the failure detection time “T2”. For this reason, if the failure detection time “T2” is set too long, the recovery process is delayed, and the period of inaccessibility when a failure occurs is also prolonged. In the present embodiment, as shown in FIG. 1, the disk node 4 detects the malfunction detection time “T1” and notifies the control node 7 of it. Then, the control node 7 instructs a recovery process for only the data of the slice 1a that has failed to be accessed. This prevents the inaccessible period from being prolonged.

  In FIG. 1, the storage apparatuses 1 to 3 are connected to the individual disk nodes 4 to 6, respectively. However, there is a system in which a plurality of storage apparatuses are locally connected to one node. In such a system, the functions of the control node 7 and the disk nodes 4 to 6 shown in FIG. 1 are built in one node to which the storage apparatus is connected.

  By the way, in a multi-node storage system, data access is performed via a virtual disk. At this time, the allocation relationship between the storage area in the virtual disk and the storage area in the storage device can be managed using metadata. Therefore, the details of the present embodiment will be described below using an example in which the allocation relationship is managed using metadata.

[First Embodiment]
FIG. 2 is a diagram illustrating a configuration example of a multi-node storage system according to the first embodiment. In the present embodiment, a plurality of disk nodes 100, 200, 300, a control node 500, access nodes 600, 700, and a management node 30 are connected via the network 10. Storage devices 110, 210, and 310 are connected to the disk nodes 100, 200, and 300, respectively.

  A plurality of hard disk devices (HDDs) 111, 112, 113, and 114 are mounted on the storage device 110. A plurality of HDDs 211, 212, 213, and 214 are mounted on the storage device 210. A plurality of HDDs 311, 312, 313, and 314 are mounted on the storage device 310. Each storage device 110, 210, 310 is a RAID system using a built-in HDD. In this embodiment, a RAID 5 disk management service for each storage device 110, 210, 310 is provided.

  The disk nodes 100, 200, and 300 manage data stored in the connected storage devices 110, 210, and 310, and provide the managed data to the terminal devices 21, 22, and 23 via the network 10. The disk nodes 100, 200, and 300 manage data having redundancy. That is, the same data is managed by at least two disk nodes.

  The control node 500 manages the disk nodes 100, 200, and 300. For example, when the control node 500 receives a notification of connection of a new storage device from the disk nodes 100, 200, and 300, a new virtual disk is defined and stored in the storage device connected through the virtual disk. Make the data accessible.

  A plurality of terminal devices 21, 22, and 23 are connected to the access nodes 600 and 700 through the network 20. In addition, virtual disks are defined in the access nodes 600 and 700. Then, the access nodes 600 and 700 access corresponding data in the disk nodes 100, 200, and 300 in response to virtual disk data access requests from the terminal devices 21, 22, and 23.

  The management node 30 is a computer used by an administrator to manage the operation of the multi-node storage system. For example, the management node 30 collects information such as the advanced operation level of the storage device and displays the collected information on the screen. When an administrator who uses the management node 30 refers to the information displayed on the screen and finds a storage apparatus that requires recovery processing, the administrator inputs an instruction for recovery processing of the storage apparatus to the management node 30. Then, a recovery request designating a storage device is transmitted from the management node 30 to the control node 500.

  FIG. 3 is a diagram illustrating a hardware configuration example of a control node used in the first embodiment. The control node 500 is entirely controlled by a CPU (Central Processing Unit) 501. A random access memory (RAM) 502, a hard disk drive (HDD) 503, a graphic processing device 504, an input interface 505, and a communication interface 506 are connected to the CPU 501 via a bus 507.

  The RAM 502 is used as a main storage device of the control node 500. The RAM 502 temporarily stores at least part of an OS (Operating System) program and application programs to be executed by the CPU 501. The RAM 502 stores various data necessary for processing by the CPU 501. The HDD 503 is used as a secondary storage device of the control node 500. The HDD 503 stores an OS program, application programs, and various data. Note that a semiconductor storage device such as a flash memory can also be used as the secondary storage device.

  A monitor 11 is connected to the graphic processing device 504. The graphic processing device 504 displays an image on the screen of the monitor 11 in accordance with a command from the CPU 501. Examples of the monitor 11 include a display device using a CRT (Cathode Ray Tube) and a liquid crystal display device.

  A keyboard 12 and a mouse 13 are connected to the input interface 505. The input interface 505 transmits a signal sent from the keyboard 12 or the mouse 13 to the CPU 501 via the bus 507. The mouse 13 is an example of a pointing device, and other pointing devices can also be used. Examples of other pointing devices include a touch panel, a tablet, a touch pad, and a trackball.

  The communication interface 506 is connected to the network 10. The communication interface 506 transmits and receives data to and from other computers via the network 10.

  With the hardware configuration as described above, the processing functions of the present embodiment can be realized. Although FIG. 3 shows the hardware configuration of the control node 500, the disk nodes 100, 200, 300, the access nodes 600, 700, and the management node 30 can also be realized with the same hardware configuration. However, the disk nodes 100, 200, and 300 have an interface for externally connecting the storage apparatuses 110, 210, and 310 in addition to the functions shown in FIG.

Next, the data structure of the virtual disk defined in the multi-node storage system will be described.
FIG. 4 shows the data structure of the virtual disk. In the present embodiment, a virtual disk identifier “LVOL-X” is assigned to the virtual disk 60. Node identifiers “SN-A”, “SN-B”, and “SN-C” are assigned to the three disk nodes 100, 200, and 300 connected via the network in order to identify individual nodes. Has been. The storage apparatuses 110, 210, and 310 connected to the respective disk nodes 100, 200, and 300 have the node identifiers of the disk nodes 100, 200, and 300, and the disk IDs in the respective disk nodes 100, 200, and 300. The set is uniquely identified in the network 10.

  A RAID 5 storage system is configured in each of the storage devices 110, 210, and 310 included in each of the disk nodes 100, 200, and 300. The storage function provided by each storage device 110, 210, 310 is divided into a plurality of slices 115a to 115c, 215a to 215c, and 315a to 315c and managed.

  The virtual disk 60 is configured in units of segments 61 to 63. The storage capacity of the segments 61 to 63 is the same as the storage capacity of a slice that is a management unit in the storage apparatuses 110 and 210. For example, if the storage capacity of the slice is 1 gigabyte, the storage capacity of the segment is also 1 gigabyte. The storage capacity of the virtual disk 60 is an integral multiple of the storage capacity per segment. Each of the segments 61 to 63 includes a set (slice pair) of primary slices 61a, 62a, and 63a and secondary slices 61b, 62b, and 63b.

  Two slices belonging to the same segment belong to different disk nodes. In the area for managing individual slices, there are flags in addition to the virtual disk identifier, segment information, and slice information constituting the same segment, and a value representing primary or secondary is stored in the flag.

  In the example of FIG. 4, the identifier of the slice in the virtual disk 60 is indicated by a combination of “P” or “S” alphabets and numbers. “P” indicates a primary slice. “S” indicates a secondary slice. The number following the alphabet represents what number segment it belongs to. For example, the primary slice of the first segment 61 is indicated by “P1”, and the secondary slice is indicated by “S1”.

  FIG. 5 is a block diagram illustrating functions of each device of the multi-node storage system. The access node 600 includes a metadata inquiry unit 610, an access metadata storage unit 620, and a slice access request unit 630.

  The metadata inquiry unit 610 obtains metadata defining the virtual disk 60 from the control node 500. Specifically, the metadata inquiry unit 610 transmits an inquiry request for all metadata to the control node 500 when the access node 600 is activated. Then, all metadata regarding the virtual disk 60 is sent from the control node 500. Also, the metadata inquiry unit 610 transmits a metadata inquiry request regarding the segment to which the slice to be accessed is allocated to the control node 500 when data access to an arbitrary slice by the slice access request unit 630 results in an error. To do. Then, the latest metadata of the corresponding segment is sent from the control node 500. When the metadata inquiry unit 610 acquires metadata from the control node 500, the metadata inquiry unit 610 stores the metadata in the access metadata storage unit 620.

  The access metadata storage unit 620 is a metadata storage function that defines the virtual disk 60. For example, a part of the RAM of the access node 600 is used as the access metadata storage unit 620. In the present embodiment, the access node 600 always accesses the primary slice. Therefore, the access metadata storage unit 620 only needs to store at least metadata regarding the primary slice among the metadata of the virtual disk 60.

  In response to a data access request on the virtual disk from the terminal devices 21, 22, and 23, the slice access request unit 630 sends a data access request (read request or write request) to the storage devices 110, 210, and 310. It is transmitted to the disk nodes 100, 200, 300. Specifically, when the slice access request unit 630 receives an access request specifying a virtual disk address, first, the slice access request unit 630 refers to the access metadata storage unit 620 to determine a segment to which the access target data belongs. Next, the slice access request unit 630 determines a slice assigned as a primary slice to the corresponding segment. Then, the slice access request unit 630 transmits an access request for data in the slice to the disk node that manages the corresponding slice. When the access result is returned from the disk node, the slice access request unit 630 transmits the access result to the terminal devices 21, 22, and 23.

  When an error is returned from the access destination disk node, the slice access request unit 630 notifies the metadata inquiry unit 610 of the segment in which the error has occurred. Thereafter, the slice access request unit 630 retries data access. In the retry, the access metadata storage unit 620 is referred to, and the process is performed again from the process of determining the assigned slice as the primary slice. That is, if the metadata in the access metadata storage unit 620 has been updated after the previous access request, the disk node that is the access destination at the time of retry is determined based on the updated metadata.

  The disk node 100 includes a slice access processing unit 120, a T1 / recovery detection unit 130, a T2 detection unit 140, a metadata storage unit 150, and a slice management unit 160.

  The slice access processing unit 120 performs data access to the storage apparatus 110 in response to an access request from the access node 600. Specifically, when the slice access processing unit 120 receives an access request from the access node 600, the slice access processing unit 120 refers to the metadata storage unit 150 and slices in the storage apparatus 110 allocated to the segment to be accessed. Judging.

  Next, the slice access processing unit 120 accesses the data in the corresponding slice specified by the access request. For example, if it is a data read access request, the slice access processing unit 120 reads the corresponding data from the storage device 110. If the access request is a data write request, the slice access processing unit 120 writes the data included in the access request in the corresponding storage area in the storage apparatus 110. Then, the slice access processing unit 120 transmits the access result to the access node 600. In the case of a data read access request, data read from the storage device 110 is included in the access result. When the storage apparatus 110 cannot return a response to access (similar to the situation in which a response to the inspection command cannot be returned), the slice access processing unit 120 returns an error to the access node 600 (error message Send).

  The T1 / recovery detection unit 130 periodically transmits an inspection command to the storage apparatus 110 and determines the presence or absence of a failure based on the presence or absence of a response. Specifically, the T1 / return detection unit 130 periodically issues a test command such as “test unit ready” to the storage apparatus 110. Further, the T1 / return detection unit 130 holds the value of the malfunction detection time “T1” inside. For example, the value of “T1” is set in the RAM used by the T1 / return detection unit 130. As T1, for example, a time of about several seconds to several tens of seconds is set.

  Then, the T1 / recovery detection unit 130 determines that there is a possibility of failure when no response is returned from the storage apparatus 110 even after the operation malfunction detection time has elapsed since the inspection command was issued. When it is determined that there is a possibility of failure, the T1 / recovery detection unit 130 transmits a T1 progress notification to the control node 500. Further, when a response is returned from the storage apparatus 110 after T1 has passed since the issue of the inspection command, the T1 / return detection unit 130 transmits a return notification to the control node 500.

  After determining that there is a possibility of failure, the T2 detection unit 140 performs failure determination determination. Specifically, the T2 detection unit 140 holds in advance the value of the failure detection time “T2” (T1 <T2). For example, a value of “T2” is set in the RAM used by the T2 detection unit 140. As T2, for example, a time of about 30 seconds to about 1 minute is set.

  The T2 detection unit 140 determines that the failure is confirmed when no response is returned from the storage apparatus 110 until T2 elapses after the T1 / return detection unit 130 issues the inspection command. When it is determined that the failure has been confirmed, the T2 detection unit 140 transmits a T2 progress notification to the control node 500.

  The metadata storage unit 150 is a slice metadata storage function managed by the disk node 100. For example, a part of the storage area in the RAM of the disk node 100 is used as the metadata storage unit 150.

  The slice management unit 160 manages the metadata of each slice in the storage apparatus 110. Specifically, the slice management unit 160 reads the metadata of each slice from the storage device 110 and stores it in the metadata storage unit 150 when the disk node 100 is activated. In addition, when there is a metadata collection request from the control node 500, the slice management unit 160 transmits the metadata stored in the metadata storage unit 150 to the control node 500. Further, upon receiving a metadata change request from the control node 500, the slice management unit 160 changes the content of the metadata specified in the change request. At this time, the slice management unit 160 changes the metadata in the metadata storage unit 150 and the metadata in the storage device 110.

  The control node 500 includes a virtual disk metadata storage unit 510, a metadata search unit 520, a storage state storage unit 530, a storage state management unit 540, and a slice allocation management unit 550.

  The virtual disk metadata storage unit 510 is a storage function that stores metadata indicating the allocation relationship of slices to segments constituting the virtual disk 60. For example, a part of the storage area of the RAM 502 is used as the virtual disk metadata storage unit 510.

  The metadata search unit 520 searches the virtual disk metadata storage unit 510 for the metadata of the slice assigned to the segment inquired from the access node 600, and returns the search result to the access node 600. In addition, when there is a possibility that the storage apparatus having the slice inquired from the access node 600 has a failure, the metadata search unit 520 reassigns the slice to the inquired segment from the access node 600. To request. Then, the metadata search unit 520 acquires the metadata reflecting the reassignment result from the virtual disk metadata storage unit 510 and responds to the access node 600 with the acquired metadata. Note that the metadata search unit 520 determines the status of each storage device by referring to the storage status storage unit 530.

  The storage status storage unit 530 is a storage function that stores the status of the storage apparatuses 110, 210, and 310 connected to the disk nodes 100, 200, and 300. For example, a part of the storage area of the RAM 502 is used as the storage state storage unit 530. The storage devices 110, 210, and 310 set in the storage state storage unit 530 include a normal state and a state after T1 has elapsed. The state after the elapse of T1 indicates that the non-response time to the inspection command has elapsed. If the state of the storage device is the state after the lapse of T1, it can be understood that the storage device may have failed.

  The storage state management unit 540 changes the state of the storage device 110 indicated in the storage state storage unit 530 in response to the notification from the disk node 100. Specifically, when the T1 progress notification is received from the disk node 100, the storage state management unit 540 sets the state of the storage device 110 indicated in the storage state storage unit 530 to the state after the T1 has passed. In addition, when receiving a return notification from the disk node 100, the storage state management unit 540 sets the state of the storage device 110 indicated in the storage state storage unit 530 to a normal state.

  The slice assignment management unit 550 manages the assignment of slices to the segments of the virtual disk 60. For example, when the slice allocation management unit 550 is notified from the metadata search unit 520 of a slice that is an access target in a storage device that may have a failure, for the segment to which the slice is allocated, Assign another slice.

  When the slice allocation management unit 550 receives the T2 progress notification from the disk node 100, the slice allocation management unit 550 starts recovery processing of the segment to which the slice in the storage apparatus 110 is allocated. The slice assignment management unit 550 sets all slices of the storage apparatuses 210 and 310 other than the storage apparatus 110 as primary slices among the slices assigned to the recovery target segment in the recovery process. Next, the slice allocation management unit 550 allocates slices of the storage apparatuses 210 and 310 as secondary slices of the recovery target segment. Then, the slice allocation management unit 550 transmits a metadata update request corresponding to the allocation result to the disk nodes 200 and 300. When the update of metadata is completed in the disk nodes 200 and 300, the slice allocation management unit 550 updates the metadata in the virtual disk metadata storage unit 510.

  When the metadata is updated by the recovery process, the disk node that manages the primary slice of the recovery target segment copies the data in the primary slice to the secondary slice via the network 10. Data copying accompanying the recovery process is executed by a cooperative operation of functions corresponding to the slice management unit 160 in the disk node that manages the primary slice and the disk node that manages the secondary slice.

  In FIG. 5, the function of the access node 600 out of the two access nodes 600 and 700 is shown as a representative, but the access node 700 has the same function. In addition, the function of the disk node 100 of the three disk nodes 100, 200, 300 is shown as a representative, but the other disk nodes 200, 300 also have the same function.

  Next, metadata managed in each node of the multi-node storage system will be described in detail. The metadata in the present embodiment is stored in the storage apparatuses 110, 210, and 310 while the system is stopped. When the multi-node storage system is activated, metadata in the storage apparatuses 110, 210, and 310 is read and held in each node.

Next, the structure of data managed by each node will be described.
FIG. 6 is a diagram illustrating an exemplary data structure of the storage apparatus. In addition to the slices 115a, 115b, 115c,..., A plurality of metadata 117a, 117b, 117c,.

  The metadata 117a, 117b, 117c,... Stored in the storage device 110 is read by the slice management unit 160 when the disk node 100 is activated and stored in the metadata storage unit 150.

  FIG. 7 is a diagram illustrating an example of the data structure of the metadata storage unit. A metadata table 151 is stored in the metadata storage unit 150. The metadata table 151 includes a disk node ID, a disk ID, a slice ID, a status, a virtual disk ID, a segment ID, a virtual disk address, a paired disk node ID, a paired disk ID, a paired slice ID, and a time stamp. A column is provided. Information arranged in the horizontal direction in the metadata table 151 is associated with each other to form one record indicating the metadata.

In the disk node ID column, identification information (disk node ID) of the disk node 100 that manages the storage apparatus 110 is set.
In the disk ID column, identification information (disk ID) of the storage device connected to the disk node 100 is set. In this embodiment, only one storage device 110 is connected to the disk node 100. However, when a plurality of storage devices are connected, different disk IDs are set for the respective storage devices.

In the slice ID column, identification information (slice ID) in the storage apparatus 110 of the slice corresponding to the metadata is set.
In the status column, a status flag indicating the status of the slice is set. If the slice is not assigned to a virtual disk segment, the status flag “F” is set. When the virtual disk segment is assigned to the primary storage, the status flag “P” is set. When the virtual disk segment is allocated to the secondary storage, the status flag “S” is set. If it has been decided to allocate to a segment of a virtual disk, but data has not yet been copied, a status flag “R” indicating reserved is set. When it is determined that the segment is abnormal, a status flag “B” indicating that the segment is abnormal is set.

In the virtual disk ID column, identification information (virtual disk ID) for identifying the virtual disk to which the segment corresponding to the slice belongs is set.
In the segment ID column, identification information (segment ID) of a segment to which a slice is assigned is set.

In the virtual disk address column, an address in the virtual disk indicating the head of the segment to which the slice is assigned is set.
In the paired disk node ID column, identification information (disk node ID) of a disk node that manages a storage device having a pair of slices (another slice belonging to the same segment) is set.

  In the paired disk ID column, identification information (disk ID) for identifying a storage device having a paired slice in the disk node indicated by the paired disk node ID is set.

In the pair slice ID column, identification information (slice ID) for identifying the pair slice within the storage apparatus to which the slice belongs is set.
In the time stamp column, a time (time stamp) at which a slice is assigned to a segment is set. The time stamp value in the figure indicates a new time as the number following “t” increases. “n” in tn represents a natural number.

  FIG. 7 shows the contents of the metadata storage unit 150 of the disk node 100, but the other disk nodes 200 and 300 also have the same metadata storage unit. The metadata stored in the metadata storage unit of each disk node 100, 200, 300 is transmitted to the control node 500 in response to a request from the control node 500. In the control node 500, the metadata collected from the disk nodes 100, 200, and 300 is stored in the virtual disk metadata storage unit 510 by the slice assignment management unit 550.

  FIG. 8 is a diagram illustrating an example of the data structure of the virtual disk metadata storage unit. The virtual disk metadata storage unit 510 stores a virtual disk metadata table 511. The virtual disk metadata table 511 includes a disk node ID, disk ID, slice ID, status, virtual disk ID, segment ID, virtual disk address, paired disk node ID, paired disk ID, paired slice ID, and time. A stamp field is provided. Information arranged in the horizontal direction in the virtual disk metadata table 511 is associated with each other to form one record indicating metadata. Information set in each column of the virtual disk metadata table 511 is the same type of information as the column of the same name in the metadata table 151.

  The metadata stored in the virtual disk metadata table 511 is transmitted to the access nodes 600 and 700 in response to an inquiry request from the access nodes 600 and 700. The access nodes 600 and 700 store the acquired metadata. In the case of the access node 600, metadata is stored in the access metadata storage unit 620. Also in the access node 700, metadata is stored in a storage function corresponding to the access metadata storage unit 620.

  The data structure of the access metadata storage unit 620 is the same as that of the virtual disk metadata storage unit 510. In the present embodiment, the access node 600 always accesses the primary slice. Therefore, the access metadata storage unit 620 only needs to store at least metadata regarding the primary slice. Further, the data in each column of the paired disk node ID, the paired disk ID, the paired slice ID, and the time stamp in each metadata may be omitted.

Next, data stored in the storage state storage unit 530 in the control node 500 will be described.
FIG. 9 is a diagram illustrating an example of a data structure of the storage state storage unit. The storage status storage unit 530 stores a disk management table 531. The disk management table 531 has columns for disk node ID, disk ID, and status.

  In the disk node ID column, identification information (disk node ID) for uniquely identifying a disk node is set. In the disk ID column, identification information (disk ID) of the storage apparatus connected to the disk node is set.

  In the status column, the status of each storage device is set. The state includes “normal” and “T1”. The “normal” state is a state in which the storage apparatus is operating normally. Specifically, when a response is returned from the storage apparatus to the inspection command periodically output from the disk node, the state of the storage apparatus is set to “normal”. The “T1” state is a state where there is a possibility of failure of the storage apparatus. Specifically, in the case where a response is not returned from the storage apparatus before T1 elapses with respect to the inspection command periodically output from the disk node, the state of the storage apparatus is set to “T1”.

  In the multi-node storage system having such a configuration, when the response from the storage apparatus to the inspection command is not returned even after T1, the following slice switching process is executed.

  FIG. 10 is a sequence diagram illustrating a procedure of slice switching processing when a storage apparatus fails. In this example, it is assumed that the storage apparatus 110 connected to the disk node 100 has failed. In the following, the process illustrated in FIG. 10 will be described in order of step number.

  [Step S11] The T1 / recovery detection unit 130 of the disk node 100 periodically performs disk diagnosis (operation check) of the storage apparatus 110. Specifically, the T1 / recovery detection unit 130 periodically issues a “test unit ready” test command to the storage apparatus 110. If the storage apparatus 110 is operating normally, a response is returned from the storage apparatus 110 within T1.

  When the storage device 110 is out of order or when a data regeneration process is performed within the storage device 110, no response is returned from the storage device 110 within T1.

  The data regeneration process is a process executed when a RAID 5 disk failure occurs. That is, as shown in FIG. 2, the storage apparatus 110 is mounted with a plurality of HDDs 111 to 114 and constitutes a RAID 5 system. In RAID5, striping processing is performed in which data is divided and distributedly stored in a plurality of HDDs. At that time, parity data for restoring the data is generated and stored in a separate HDD from the data. When one HDD in the storage device 110 fails, the data stored in the HDD is regenerated using the parity data.

  Such data regeneration processing is automatically executed in the storage apparatus 110. For example, when one of the four HDDs 111 to 114 in the storage apparatus 110 fails, the data stored in the failed HDD by the RAID controller in the storage apparatus 110 is regenerated. Further, the RAID controller performs data rearrangement by striping processing when the number of operating HDDs becomes three. During such data regeneration and rearrangement processing, the load on the RAID controller in the storage apparatus 110 becomes larger than usual. Therefore, if a check command is input from the disk node 100 to the storage device 110 during the data regeneration process, the response may take more time than usual. However, processing such as data regeneration is one of the normal operations of the storage apparatus 110. Therefore, even if the response to the inspection command is delayed during the regeneration process, it is not a failure of the entire storage apparatus 110.

  In the example of FIG. 10, since the storage apparatus 110 has failed, no response is returned even if T1 elapses after the inspection command is issued. In that case, first, the T1 / return detection unit 130 detects that T1 has elapsed.

  When the elapse of T1 is detected, the T1 / recovery detection unit 130 transmits a T1 elapse notification to the control node 500. The T1 progress notification includes the disk node ID of the disk node 100 and the disk ID of the storage device 110. The T1 / recovery detection unit 130 waits for a response from the storage apparatus 110 thereafter.

  When the storage state management unit 540 of the control node 500 receives the T1 progress notification, the state of the storage apparatus 110 is switched. That is, the storage state management unit 540 searches the storage state storage unit 530 for information corresponding to the combination of the disk node ID and the disk ID indicated in the T1 progress notification. Then, the storage status management unit 540 changes the status of the information related to the corresponding storage device to “T1”.

  FIG. 11 is a diagram illustrating an example of the storage state storage unit after the state change. As shown in FIG. 11, the state corresponding to the set of the disk node ID “SN-A” and the disk ID “1” is changed to “T1”. As a result, the control node 500 can recognize that the storage device 110 connected to the disk node 100 has a possibility of failure.

Returning to the description of FIG.
[Step S12] When the state switching is completed, the storage state management unit 540 transmits a switching completion response to the disk node 100.

  [Step S13] On the other hand, the slice access request unit 630 of the access node 600, when access to data in the virtual disk 60 occurs in response to an operation input to the terminal devices 21, 22, 23 by the user, etc. The data storage unit 620 is referenced to determine the disk node that manages the access target data. In the example of FIG. 10, it is assumed that a read access to a slice managed by the disk node 100 has occurred. Then, the slice access request unit 630 transmits a read request for access target data to the disk node 100. The slice access processing unit 120 of the disk node 100 refers to the metadata storage unit 150 to confirm that the access target slice is a slice in the storage device 110 managed by the slice access processing unit 120, and in the corresponding slice in the storage device 110 Read access with specified data.

  In the example of FIG. 10, a read request is issued from the access node 600 after the T1 / return detection unit 130 detects the elapse of T1. In this example, the storage device 110 has failed. For this reason, an access to the storage device 110 results in an error. Even if the storage apparatus 110 is in an overload state, data access also results in an error before detection of a response to the inspection command (before recovery).

  In the case of a read request, an error occurs only when there is a problem (failure or overload) in the storage apparatus having the primary slice. On the other hand, in the case of a write request, an error occurs when there is a problem (failure or overload) in at least one of the storage device having the primary slice and the storage device having the secondary slice. That is, in the disk node 100 that has received the data write access request, first, the slice access processing unit 120 updates the data. Thereafter, the slice management unit 160 refers to the metadata storage unit 150 and determines a slice (secondary slice) that is paired with a slice (primary slice) whose data has been updated. Then, the slice management unit 160 transmits data to be written to the disk node that manages the secondary slice, and requests data update of the secondary slice. The slice access processing unit 120 returns a write request completion response to the access node 600 after confirming that the data update has been completed for both the primary slice and the secondary slice. If the data update fails in at least one of the primary slice and the secondary slice, the slice access processing unit 120 sends an error response to the access node 600.

  In the example of FIG. 10, a read request to the first slice (slice ID “1”) of the storage device 110 (disk ID “1”) is an error due to a failure of the storage device 110 (disk node ID “SN-A”). It has become.

  [Step S14] The slice access processing unit 120 of the disk node 100 returns an error in response to the read request from the access node 600. Then, the slice access request unit 630 of the access node 600 notifies the metadata inquiry unit 610 that an error has occurred. At this time, the slice access request unit 630 also notifies the metadata inquiry unit 610 of the virtual disk ID and the segment ID related to the segment in which the access has become an error.

  [Step S15] The metadata inquiry unit 610 transmits a metadata inquiry request designating a segment to the control node 500. The segment (inquired segment) specified in the inquiry request is a segment whose access has failed due to an error. The metadata inquiry request specifying the introduction target segment means that access to the slice assigned to the introduction target segment has failed.

  The metadata search unit 520 of the control node 500 that has received the metadata inquiry request requests the slice assignment management unit 550 to reassign the slice to the inquiry target segment.

  Specifically, when receiving the inquiry request, the metadata search unit 520 searches the virtual disk metadata storage unit 510 for the metadata of the slices (primary slice and secondary slice) assigned to the inquiry target segment. Next, the metadata search unit 520 refers to the storage state storage unit 530 and confirms the state of the storage device having the slice assigned to the segment to be queried.

  Here, if the state of the storage device having each slice is “normal”, the metadata search unit 520 transmits the metadata of the primary slice among the metadata acquired by the search to the access node 600.

  If the state of the storage device having the slice is “T1”, the recovery process (duplex recovery process) of the inquiry target segment is started. In the recovery processing, first, the metadata search unit 520 reassigns slices to the inquiry target segment. For example, if the status of the storage apparatus having the primary slice of the inquiry target segment is “T1”, the primary slice is reassigned. If the state of the storage device having the secondary slice of the inquiry target segment is “T1”, the secondary slice is reassigned.

  In the example of FIG. 10, the state of the storage device 110 is “T1”, and the primary slice is reassigned. Specifically, a primary slice reassignment request specifying a virtual disk segment is output from the metadata search unit 520 to the slice assignment management unit 550. Then, the slice allocation management unit 550, from the virtual disk metadata storage unit 510, has a free (status “F”) among slices managed by disk nodes other than the disk node that manages the secondary slice of the query target segment. Search for a slice.

  Next, the slice allocation management unit 550 determines that the found empty slice is the secondary slice of the inquiry target segment. In addition, the slice assignment management unit 550 determines to change the state of the slice assigned as the secondary slice to the inquiry target segment to the primary slice.

  In the example of FIG. 10, it is determined that the slice managed by the disk node 200 is assigned as a secondary slice to the inquiry target segment, and the state of the slice managed by the disk node 300 is changed from the primary slice to the secondary slice. The slice allocation management unit 550 updates the metadata in the virtual disk metadata storage unit 510 based on the determined reallocation contents.

  [Step S16] The slice allocation management unit 550 transmits a metadata change request to the disk node 200. Specifically, the slice assignment management unit 550 transmits metadata information for the secondary slice after the reallocation to the disk node 200. Then, the disk node 200 changes the contents of the metadata held in the disk node 200 and the metadata in the storage device 210 based on the acquired information. Thereby, the empty slice in the storage device 210 is changed to the secondary slice of the inquiry target segment.

  [Step S <b> 17] The slice allocation management unit 550 transmits a metadata change request to the disk node 300. Specifically, the slice allocation management unit 550 transmits metadata information for the primary slice after the reallocation to the disk node 300. Then, the disk node 300 changes the contents of the metadata held in the disk node 300 and the metadata in the storage device 310 based on the acquired information. Thereby, the slice allocated to the inquiry target segment in the storage apparatus 310 is changed from the secondary slice to the primary slice.

[Step S18] A metadata change completion response is transmitted from the disk node 200 to the control node 500.
[Step S19] A metadata change completion response is transmitted from the disk node 300 to the control node 500.

  Although not shown in FIG. 10, when the metadata change processing is completed in each of the disk nodes 200 and 300, data copy for recovery of the duplex state for the inquiry target segment is started. Specifically, the metadata data in the disk node 300 changed to the primary slice of the inquiry target segment is transferred from the disk node 300 to the disk node 200. Then, the data sent from the disk node 300 is stored in the slice in the disk node 200 newly assigned as the secondary slice of the inquiry target segment. When the data copy is completed, the recovery process for the introduction target segment is completed.

  In this way, slice reassignment is performed due to the metadata query request. At this time, the slice allocation management unit 550 stores, in the RAM 502, the segment (reassigned segment) that has been reassigned due to the state of the storage device being “T1”. Specifically, a set of the virtual disk ID and segment ID of the reassigned segment is stored in the RAM. When the storage device is restored after the reassignment, the slice assigned to the reassigned segment among the slices of the restored storage device is changed to a free slice.

  FIG. 12 is a diagram showing the contents of the updated virtual disk metadata storage unit. As shown in FIG. 12, the status of the metadata of the slice indicated by the disk node ID “SN-A”, the disk ID “1”, and the slice ID “1” is changed to “F”. As a result, the assignment of the slice in the storage apparatus 110 to the inquiry target segment (segment ID “1”) is released.

  Further, the status of the metadata of the slice indicated by the disk node ID “SN-C”, the disk ID “1”, and the slice ID “1” is changed to “P”. Thereby, the slice in the storage apparatus 310 assigned to the inquiry target segment is changed from the secondary slice to the primary slice.

  Furthermore, the status of the metadata of the slice indicated by the disk node ID “SN-B”, the disk ID “1”, and the slice ID “2” is changed to “S”, and “VLOX-X” is set to the virtual disk ID. The segment ID is set to “1”. As a result, the slice in the storage apparatus 210 is allocated as the secondary slice of the inquiry target segment.

In addition, the time stamp of each metadata whose contents such as the state are changed is updated to “t (n + 1)”. “T (n + 1)” is a metadata update time.
Returning to the description of FIG. 10, when the update of the metadata is completed, the slice assignment management unit 550 notifies the metadata search unit 520 of the completion of the slice reassignment.

  [Step S20] The metadata search unit 520 notifies the access node 600 of the metadata of the primary slice of the query target segment. Then, the metadata inquiry unit 610 of the access node 600 updates the metadata in the access metadata storage unit 560 based on the acquired metadata. Thereafter, the metadata inquiry unit 610 notifies the slice access request unit 630 that the metadata inquiry has been completed.

  [Step S21] Upon completion of the metadata inquiry, the slice access request unit 630 refers to the access metadata storage unit 620 to determine the disk node that manages the slice to be accessed, and makes a read request to the disk node ( Send Read Retry). At the time of retry, the access target primary slice is a slice managed by the disk node 300. Therefore, the read retry is performed on the disk node 300.

  [Step S22] Upon receiving a read request, the disk node 300 reads data from a slice in the storage apparatus 310 and transmits the read data to the access node 600. Then, the slice access request unit 630 transmits the acquired data to the terminal device that issued the access instruction.

  [Step S23] In the example of FIG. 10, since the storage apparatus 110 is out of order, no response is returned from the storage apparatus 110 even if T2 has elapsed since the issuance of the inspection command. Therefore, the T2 detection unit 140 of the disk node 100 detects that T2 has elapsed since the inspection command was issued. Then, the T2 detection unit 140 transmits a T2 progress notification to the control node 500.

  [Step S24] Upon receiving the T2 progress notification, the slice allocation management unit 550 of the control node 500 recognizes that the storage apparatus 110 has become unusable due to a failure, and starts recovery processing for the entire storage apparatus 410.

  In this way, when the storage apparatus 110 fails, it becomes possible to access the data in the segment to which the slice in the storage apparatus 110 has been assigned as the primary slice without waiting for the failure detection time to elapse. As a result, the period during which access from the access node 600 becomes an error can be shortened.

Next, the slice switching process when the response to the inspection command is delayed because the load on the normally operating storage apparatus 110 is temporarily excessive will be described.
FIG. 13 is a sequence diagram illustrating a procedure of slice switching processing when the load on the storage apparatus becomes excessive. In this example, it is assumed that the load on the storage device 110 connected to the disk node 100 is temporarily excessive. In addition, the process of step S31-step S42 of FIG. 13 is the same as the process of step S11-S22 of FIG. 10, respectively. Therefore, the processing after step S43 will be described along with step numbers.

  [Step S43] The T1 / recovery detection unit 130 of the disk node 100 receives a response from the storage apparatus 110 to the inspection command. As a result, the T1 / recovery detection unit 130 detects that the storage apparatus 110 has returned to an accessible state. Then, the T1 / recovery detection unit 130 transmits a recovery notification of the storage apparatus 110 to the control node 500.

  [Step S44] Upon receiving the return notification, the slice allocation management unit 550 of the control node 500 transmits a metadata change request to the disk node 100. Specifically, the slice allocation management unit 550 refers to the virtual disk metadata storage unit 510, and among the slices of the storage apparatus 110, a segment that has been reassigned based on a metadata inquiry (reassigned segment) Extract the slice assigned to. Then, the slice allocation management unit 550 transmits a metadata change request to the disk node 100 to release the allocation of the corresponding slice to the segment (change the status to “F” to a free slice).

  [Step S45] The slice management unit 160 of the disk node 100 updates the metadata of the designated slice in the metadata storage unit 150 based on the metadata update request. The slice management unit 160 transmits a change completion response to the control node 500 after updating the metadata.

  In this way, when the overload state of the storage apparatus 110 is resolved and the storage apparatus 110 is restored, by updating the metadata on the disk node 100 side, inconsistency between the metadata is prevented. That is, due to the reallocation of metadata, a slice of a storage device different from the slice of the storage device 110 is assigned to the reassigned segment for both the primary slice and the secondary slice. For this reason, when the storage apparatus 110 is restored, the slices assigned to the reassigned segments (primary slices in the example of FIG. 13) will be duplicated. Thus, by changing the slice in the storage device 110 to a free state, occurrence of contradictions in allocation relations is prevented.

  By the way, the metadata of the storage device 110 is changed after the storage device 110 is restored, because there is a possibility that the storage device 110 has failed until the restoration can be confirmed, and the metadata cannot be updated normally. It is because there is sex. Therefore, when the slice is reallocated, the control node 500 stores the reallocated segment in the RAM. By storing the reassigned segment, it is possible to determine a slice that should be vacant when the storage apparatus 110 returns.

  Here, there is a case where a failure occurs in the control node 500 before the storage device 110 is restored, and data in the RAM 502 of the control node 500 is lost. For example, when a failure occurs in the control node 500, the function is taken over by an alternative node (file over), or the control node 500 is restarted. In such a case, the control node 500 collects metadata from each of the disk nodes 100, 200, and 300, and reconstructs the virtual disk metadata table 511. At this time, if the corresponding disk recovers while the control node 500 fails over or restarts, three pieces of metadata indicating slices assigned to the reallocated segments are collected, resulting in a contradiction. In order to prevent this, the control node 500 that has reconstructed the virtual disk metadata table 511 refers to the time stamp given to the metadata to determine a slice that should be free.

  FIG. 14 is a sequence diagram showing a conflict resolution process using a time stamp. In the following, the process illustrated in FIG. 14 will be described in order of step number. The following process is executed when the control node 500 is restarted or failed over.

[Step S51] The slice allocation management unit 550 of the control node 500 transmits a metadata request to each of the disk nodes 100, 200, and 300.
[Step S <b> 52] The slice management unit 160 of the disk node 100 that has received the metadata request acquires the metadata from the metadata storage unit 150 or the storage device 110 and transmits it to the control node 500. The other disk nodes 200 and 300 also transmit metadata to the control node 500 in the same manner.

  In the control node 500 that has collected metadata from each of the disk nodes 100, 200, and 300, the slice allocation management unit 550 reconfigures the virtual disk metadata table 511 based on the collected metadata. Then, the slice assignment management unit 550 performs a metadata consistency check. In the consistency check, it is confirmed whether there is a segment to which three or more slices are assigned. Next, when there is a corresponding segment, the slice allocation management unit 550 compares the metadata of the allocated slices. Then, the slice allocation management unit 550 determines that the slices with the same status (primary slice or secondary slice) other than the slice with the latest time stamp are the slices to be deallocated.

  [Step S53] The slice allocation management unit 550 changes the status of the corresponding slice to “F” for the disk node (disk node 100 in the example of FIG. 14) that manages the slice to be deallocated. Send metadata change request for.

  [Step S54] The slice management unit 160 of the disk node 100 updates the metadata contents of the metadata storage unit 150 and the storage device 110 in response to the metadata change request. Then, the slice management unit 160 returns a change completion response to the control node 500.

  FIG. 15 is a diagram illustrating an example of a reconfigured virtual disk metadata table. In this example, it is assumed that the control node 500 is restarted after the virtual disk metadata table 511 is updated after steps S38 and S39 and before the return notification in step S43.

  In the example of FIG. 15, the slice specified by the disk node ID “SN-A”, the disk ID “1”, and the slice ID “1”, the disk node ID “SN-C”, the disk ID “1”, and The slice identified by the slice ID “1” is assigned as the primary slice (state “P”) to the segment with the segment ID “1”. Therefore, the time stamps in the metadata of the two slices assigned redundantly by the slice assignment management unit 550 are compared.

  The time stamp of the slice with the disk node ID “SN-A” is “t1”, and the time stamp of the slice with the disk node ID “SN-C” is “t (n + 1)”. Since “t (n + 1)” has a newer time than “t1”, the slice with the disk node ID “SN-C” is the correct slice. Therefore, for the disk node 100 indicated by the disk node ID “SN-A”, the state of the slice with the slice ID “1” in the storage device 110 with the disk ID “1” is “F” (indicating a free state). A metadata change request for changing to is sent.

  In this manner, even if the control node 500 is restarted or the file is over between the reallocation of metadata due to the T1 progress notification from the disk node 100 and the return notification from the disk node 100, the time stamp Can be used to maintain the consistency of metadata. That is, it becomes possible to update metadata that could not be executed due to failover or restart after failover or restart.

As described above, according to the first embodiment, by separating the failure detection time “T2” from the malfunction detection time “T1”, the following effects are obtained.
1. Even if the failure detection time “T2” is long, the access does not stop for a long time.

  Since the disk device is switched internally, there is a disk device that does not fail but does not respond (minute order) for a while. Even when such a device is used, the access can be restored with the malfunction detection time “T1” (for example, 1 second).

2. It is not necessary to adjust the failure detection time for each disk device.
In the conventional multi-node storage, it is necessary to adjust the failure detection time for each disk device in order to restore access as soon as possible without causing erroneous detection. According to the first embodiment, the failure detection time “T2” is set to a time for which most devices respond (for example, 1 minute), and the malfunction detection time “T1” is set to, for example, 1 second. Since the failure detection time “T2” is set to be long, any type of storage device is not erroneously detected as a failure.

As described above, it is possible to achieve both the reliable failure detection and the recovery of the access environment in a short time when the operation is malfunctioning.
[Second Embodiment]
In the second embodiment, recovery processing is started based on a disk node disconnection instruction from the management node 30 without using T2.

  In the first embodiment, if the disk node 100 does not respond from the storage apparatus 110 until T2 elapses from the issuing of the inspection command, the disk node 100 outputs a T2 progress notification. However, it may be difficult to determine an appropriate value for T2. For example, when the manufacturer and performance of the connected storage apparatuses 110, 210, and 310 are different, the appropriate T2 is also different.

  In addition, as shown in the first embodiment, if there is no response until the time T1 elapses from the issue of the inspection command, the slice is reassigned so that the data is not waited for the storage device to return. Access is possible. Therefore, even if the detection of T2 is not performed, the data access from the access node is not affected.

  On the other hand, if the storage device is out of order, it is necessary to recover the data in the storage device. Therefore, in the second embodiment, when the administrator confirms the failure of the storage device, the storage device can be instructed to be disconnected via the management node 30.

  FIG. 16 is a sequence diagram illustrating a processing procedure in the case of instructing the disk node separation from the management node. Note that the processes in steps S61 to S72 and S74 shown in FIG. 16 are the same processes as steps S11 to S22 and S24 shown in FIG. 10, respectively. Therefore, the process of step S73 different from FIG. 10 will be described.

  [Step S <b> 73] The management node 30 can acquire various types of information indicating the operation status from the disk nodes 100, 200, 300 and the control node 500. The acquired information is displayed on the monitor of the management node 30. Accordingly, the fact that the storage apparatus 110 has not returned a response to the inspection command is also displayed on the screen of the management node 30.

  The administrator of the multi-node storage system recognizes that there is a possibility that the storage device 110 is out of order by the management node 30 looking at the screen. The administrator performs operations such as issuing various control commands (for example, restart) for the storage apparatus 110. As a result, when it is confirmed that the storage apparatus 110 has failed, the administrator performs an operation input that instructs the management node 30 to disconnect the disk node 100. Then, the management node 30 transmits a disk node disconnection request to the control node 500.

  In response to this disk node disconnection request, recovery processing (step S74) is executed under the control of the control node 500, and the disk node 100 is disconnected from the multi-node storage system.

In this way, it is possible to wait for the start of recovery processing for the entire storage apparatus until an instruction from the administrator is given.
[Third Embodiment]
In the third embodiment, a slice is reassigned to a segment to which a designated slice has been assigned based on a slice abnormality notification that designates a slice from a disk node.

  In the first and second embodiments, when there is a metadata inquiry request from the access node, the control node reassigns the slice to the segment that is the object of the metadata inquiry. In this case, the metadata change processing of the disk node is performed as an extension of the metadata inquiry processing. If the disk node whose metadata is changed by the slice reassignment process is operating normally, the time from the transmission of the metadata inquiry request (step S15) to the metadata notification (step S20) shown in FIG. It takes a short time.

  However, when the disk node that changes the metadata is overloaded, there is a case where the response of completion of the metadata change is not returned from the disk node to the control node. Then, metadata notification from the control node to the access node is also delayed.

  In addition, in the control node, there is a case where the metadata search process corresponding to the metadata inquiry request is executed in one process. This is because, in terms of system design, overall processing efficiency may be higher when short processes are repeatedly executed in a single process than in parallel execution in a plurality of processes. For example, when metadata search processing corresponding to a metadata inquiry request is performed in a plurality of processes, extra processing such as distribution processing of the received metadata inquiry request is required, and the processing efficiency may be lowered. Furthermore, if a large number of processes for searching for metadata are started, resources such as memory are consumed in the processes, which causes a reduction in processing efficiency of the entire control node.

  When one process takes charge of processing corresponding to a large number of metadata query requests, if one process takes time, processing corresponding to another metadata query request is awaited. Then, it takes time until the access node acquires the result of the metadata inquiry, and the service efficiency as the multi-node storage system decreases.

  Therefore, in the third embodiment, when each disk node receives an access request to a slice in the storage apparatus that has detected the malfunction detection time “T1”, it notifies the control node of a slice abnormality. To do. The control node does not perform slice reassignment as an extension of processing in response to the metadata inquiry request, but performs slice reassignment in response to a slice abnormality notification from the disk node. This makes it possible to reassign the segment to which the slice to be accessed has been assigned without delaying the response to the metadata inquiry request.

  The system configuration of the third embodiment is the same as the system configuration of the first embodiment shown in FIG. However, the functions of the disk node and the control node are different. Therefore, the functions of the disk node and the control node in the third embodiment will be described.

  FIG. 17 is a block diagram illustrating functions of each device of the multi-node storage system according to the third embodiment. The internal functions of the disk nodes 100, 200, and 300 in FIG. 2 are replaced with functions similar to those of the disk node 400 shown in FIG. 17, and the internal functions of the control node 500 in FIG. By replacing with the same function, the multi-node storage system according to the third embodiment can be constructed.

  The disk node 400 includes a slice access processing unit 420, a T1 / recovery detection unit 430, a T2 detection unit 440, a metadata storage unit 450, a slice management unit 460, and an accessed slice detection unit 470.

  The slice access processing unit 420 has the function of the T1 / recovery detection unit 130 illustrated in FIG. 5. Further, when the slice access processing unit 420 returns an error to the access request from the access node 600, an error occurs. It has a function of notifying the accessed slice detection unit 470 of information related to the slice of the storage device that has become.

  In addition to the functions of the T1 / recovery detection unit 130 shown in FIG. 5, the T1 / recovery detection unit 430 has a function of notifying the accessed slice detection unit 470 when T1 is detected. ing. In addition, the T1 / recovery detection unit 430 has a function of notifying the accessed slice detection unit 470 that the storage apparatus 410 has recovered after detection of T1.

In addition to the function of the T2 detection unit 140 shown in FIG. 5, the T2 detection unit 440 has a function of notifying the accessed slice detection unit 470 that T2 is detected.
The metadata storage unit 450 stores information indicating the duplex status of each slice in addition to the information stored in the metadata storage unit 450 illustrated in FIG. As information indicating the duplex status, the duplex status includes normal and copying. The normal state is a state in which duplication between the paired slices is maintained (identity of stored data is maintained). During copying, data is being copied to establish duplexing with a pair of slices.

  In addition to the functions of the slice management unit 160 shown in FIG. 5, the slice management unit 460 has a function of managing the duplex status of slices and setting the current duplex status of each slice in the metadata storage unit 450. Have.

  The to-be-accessed slice detection unit 470 transmits to the control node 800 a slice abnormality notification related to the slice in which the access request from the access node 600 is an error. Specifically, the accessed slice detection unit 470 recognizes from the notification from the T1 / recovery detection unit 430 that T1 of the storage device 410 has been detected and has subsequently recovered. Further, the accessed slice detection unit 470 recognizes that the T2 of the storage apparatus 410 has been detected by the notification from the T2 detection unit 440. Furthermore, the accessed slice detection unit 470 recognizes that an access to a slice in the storage apparatus 410 has an error based on the notification from the slice access processing unit 420.

  Then, the accessed slice detection unit 470 checks the state of the storage apparatus 410 when access to a slice in the storage apparatus 410 results in an error. That is, the accessed slice detection unit 470 determines whether there is no response to the inspection command of the storage apparatus 410 and is after the detection of T1 and before the detection of T2. When this condition is satisfied, the accessed slice detection unit 470 transmits a slice abnormality notification specifying the access target slice to the control node 800.

  The control node 800 includes a virtual disk metadata storage unit 810, a metadata search unit 820, an allocation availability storage unit 830, a storage state management unit 840, and a slice allocation management unit 850.

The function of the virtual disk metadata storage unit 810 is the same as the function of the virtual disk metadata storage unit 510 shown in FIG.
The function of the metadata search unit 820 is the same as the function of the metadata search unit 520 shown in FIG. However, the function of requesting the slice allocation management unit 550 to reassign slices is not necessary.

  The allocation availability storage unit 830 is a storage function that stores, for each storage device, information (allocation availability information) indicating whether a slice in the storage device can be allocated to a segment. For example, a part of the storage area in the RAM of the control node 800 is used as the allocation availability storage unit 830.

  The storage state management unit 840 changes the state of the storage device 410 indicated in the storage state storage unit 530 in response to the notification from the disk node 400. Specifically, when the T1 progress notification is received from the disk node 400, the storage status management unit 540 sets the status of the storage device 410 indicated in the allocation availability storage unit 830 to an allocation impossible status. In addition, upon receiving a return notification from the disk node 400, the storage state management unit 540 sets the state of the storage device 410 indicated in the storage state storage unit 530 to an assignable state.

  The slice assignment management unit 850 manages the assignment of slices to the segments of the virtual disk 60. For example, when the slice allocation management unit 850 receives a slice abnormality notification from the disk node 400, the slice allocation management unit 850 allocates another slice to the segment to which the slice indicated in the slice abnormality notification is allocated.

  When the slice allocation management unit 850 receives the T2 progress notification from the disk node 400, the slice allocation management unit 850 starts recovery processing of the segment to which the slice in the storage device 410 is allocated. In the recovery process, the slice assignment management unit 850 sets all slices of storage devices (normally operating storage devices) other than the storage device 410 among the slices assigned to the recovery target segment as primary slices. Next, the slice allocation management unit 850 allocates slices of the storage apparatuses 210 and 310 as secondary slices of the recovery target segment. Then, the slice allocation management unit 850 transmits a metadata update request according to the allocation result to the disk node that manages the normal operation storage apparatus. When the metadata update is completed in the disk node that has received the metadata update request, the slice allocation management unit 850 updates the metadata in the virtual disk metadata storage unit 810.

Next, the structure of data managed by each node will be described.
FIG. 18 is a diagram illustrating an example of the data structure of the metadata storage unit. A metadata table 451 is stored in the metadata storage unit 450. The metadata table 451 includes a disk node ID, disk ID, slice ID, state, virtual disk ID, segment ID, virtual disk address, paired disk node ID, paired disk ID, paired slice ID, time stamp, and A column for duplex status is provided. Information arranged in the horizontal direction in the metadata table 451 is associated with each other to form one record indicating the metadata. Information set in each column other than the duplex state of the metadata table 451 is the same type of information as the column of the same name in the metadata table 151 shown in FIG.

  The duplex status of the corresponding slice is set in the duplex status column. “Normal” is set if duplication between the paired slices is maintained, and “copying” is set if data is being copied between the paired slices.

  FIG. 19 is a diagram illustrating an example of the data structure of the virtual disk metadata storage unit. The virtual disk metadata storage unit 810 stores a virtual disk metadata table 811. The virtual disk metadata table 811 includes a disk node ID, a disk ID, a slice ID, a status, a virtual disk ID, a segment ID, a virtual disk address, a paired disk node ID, a paired disk ID, a paired slice ID, and a time stamp. , And a column for duplex status. Information arranged in the horizontal direction in the virtual disk metadata table 811 is associated with each other to form one record indicating the metadata. Information set in each column of the virtual disk metadata table 811 is the same type of information as the column of the same name in the metadata table 451.

  FIG. 20 is a diagram illustrating an example of a data structure of the allocation availability storage unit. The assignability storage unit 830 stores an assignability management table 831. The assignability management table 831 has columns for disk node ID, disk ID, and availability.

  In the disk node ID column, identification information (disk node ID) for uniquely identifying a disk node is set. In the disk ID column, identification information (disk ID) of the storage apparatus connected to the disk node is set.

  A flag indicating whether or not a slice of each storage device can be assigned to a segment is set in the possible / impossible column. When assignment is possible, a value of “permitted” is set in the field of possible / impossible. When assignment is impossible, a value of “impossible” is set in the possible / impossible column.

  In the multi-node storage system having such a configuration, when a response from the storage apparatus to the inspection command is not returned even after T1 elapses, the following slice switching process is executed.

  FIG. 21 is a sequence diagram illustrating a procedure of slice switching processing when a storage apparatus fails. In the example of FIG. 21, the disk node ID of the disk node 400 is “SN-A”, the disk node ID of the disk node 400a is “SN-C”, and the disk node ID of the disk node 400b is “SN-C”. ”. The disk nodes 400a and 400b have the same function as the disk node 400 (see FIG. 17).

  21 are the same as steps S16 to S19 and S21 to S24 shown in FIG. 10, respectively. Therefore, processing different from that in FIG. 10 will be described.

  [Step S81] The T1 / recovery detection unit 430 of the disk node 400 periodically checks the operation of the storage apparatus 410. Details thereof are the same as those described in step S11. The T1 / return detection unit 430 transmits a T1 progress notification to the control node 800 when detecting the progress of T1 by the operation check. The T1 progress notification includes the disk node ID of the disk node 400 and the disk ID of the storage device 410. The T1 / recovery detection unit 430 waits for a response from the storage apparatus 410 thereafter.

  When the storage state management unit 840 of the control node 800 receives the T1 progress notification, the storage state management unit 840 switches the state of the storage apparatus 410. In other words, the storage status management unit 840 searches the allocation availability storage unit 830 for information corresponding to the combination of the disk node ID and the disk ID indicated in the T1 progress notification. Then, the storage status management unit 840 changes the information on whether or not the information about the corresponding storage device is possible to “impossible”.

  FIG. 22 is a diagram illustrating an example of the assignment availability storage unit after the assignment availability update. As shown in FIG. 22, the state corresponding to the set of the disk node ID “SN-A” and the disk ID “1” is changed to “impossible”. Thereby, the control node 800 recognizes that the slice of the storage device 410 connected to the disk node 400 cannot be allocated to the segment thereafter.

Returning to the description of FIG.
[Step S <b> 82] When the switching of the allocation possibility is completed, the storage state management unit 840 transmits a switching completion response to the disk node 400.

  [Step S83] On the other hand, the slice access request unit 630 of the access node 600, when access to data in the virtual disk 60 occurs in response to an operation input to the terminal devices 21, 22, 23 by the user, etc. The data storage unit 620 is referenced to determine the disk node that manages the access target data. In the example of FIG. 21, it is assumed that a read access to a slice managed by the disk node 400 has occurred. Then, the slice access request unit 630 transmits a read request for access target data to the disk node 400. The slice access processing unit 420 of the disk node 400 refers to the metadata storage unit 450 to confirm that the access target slice is a slice in the storage device 410 managed by the slice access processing unit 420, and in the corresponding slice in the storage device 410 Read access with specified data.

  In the example of FIG. 21, a read request is issued from the access node 600 after the T1 / return detection unit 430 detects the passage of T1. In this case, the storage device 410 has failed or is overloaded so that a response to the inspection command cannot be returned immediately. If the storage device 410 has failed, access to the storage device 410 will result in an error. Further, if the storage device 410 is overloaded, data access also frequently causes errors. In the example of FIG. 21, a read request to the first slice (slice ID “1”) of the storage device 410 (disk ID “1”) is an error due to a failure of the storage device 410 (disk node ID “SN-A”). It has become.

  [Step S84] The slice access processing unit 420 of the disk node 400 responds an error to the read request from the access node 600. Then, the slice access request unit 630 of the access node 600 notifies the metadata inquiry unit 610 that an error has occurred. At this time, the slice access request unit 630 also notifies the metadata inquiry unit 610 of the virtual disk ID and the segment ID related to the segment in which the access has become an error.

  [Step S85] On the other hand, when the data access to the storage device 410 in response to the read request fails, the slice access processing unit 420 of the disk node 400 notifies the accessed slice detection unit 470 of the occurrence of an error. At that time, a combination of a disk ID and a slice ID indicating a slice of the storage apparatus that is the access target is passed to the accessed slice detection unit 470.

  The accessed slice detection unit 470 determines the state of the storage apparatus in which the error has occurred. That is, the accessed slice detection unit 470 has received a notification from the T1 / recovery detection unit 430 that the progress of T1 of the storage device 410 has been detected, but has not yet received a return notification, It is determined whether or not both of the second conditions for not receiving notification from the T2 detection unit 440 that the progress of T2 of the storage apparatus 410 has been detected are satisfied. If the condition is satisfied, the accessed slice detection unit 470 has determined that the storage apparatus 410 has a failure, but the storage apparatus 410 has not yet been determined (the recovery process for the entire storage apparatus 410 has started). Judgment) Therefore, when the condition is satisfied, the accessed slice detection unit 470 notifies the slice management unit 460 that the state of the accessed slice should be abnormal (Bad). Then, the slice management unit 460 searches the metadata corresponding to the access target slice in the metadata storage unit 450 and changes the state to “B (Bad)” (indicating that it is abnormal). Further, the slice management unit 460 waits for the storage apparatus 410 to recover and changes the status of the metadata corresponding to the access target slice in the storage apparatus 410 to “B”.

  Furthermore, the accessed slice detection unit 470 transmits a slice abnormality notification to the control node 800 when the first and second conditions are satisfied. The slice abnormality notification includes a combination of a disk ID and a slice ID indicating a slice of the storage apparatus that is the access target.

  In the control node 800 that has received the slice abnormality notification, the slice assignment management unit 850 performs slice reassignment processing to the segment (recovery target segment) to which the slice to be accessed is assigned. Specifically, the slice allocation management unit 850 refers to the virtual disk metadata storage unit 810 and determines whether the slice (abnormal slice) indicated by the slice abnormality notification is the primary slice or the secondary slice of the recovery target segment.

  If the abnormal slice is the primary slice, the slice allocation management unit 850 changes the current primary slice state of the recovery target segment to empty, and changes the secondary slice to the primary slice. Thereafter, the slice allocation management unit 850 allocates a free slice managed by a disk node different from the disk node that manages the new primary slice as a secondary slice of the recovery target segment.

  If the abnormal slice is a secondary slice, the slice allocation management unit 850 changes the current secondary slice state of the recovery target segment to empty. Thereafter, the slice allocation management unit 850 allocates a free slice managed by a disk node different from the disk node that manages the current primary slice as a secondary slice of the recovery target segment.

  Incidentally, in the example of FIG. 21, a slice abnormality notification is output due to a read request from the access node 600. Since the read request is made only to the primary slice, the abnormal slice detected at this time is the primary slice. The secondary slice is detected as an abnormal slice when a write request is issued. For example, when a write request is issued from the access node 600 to the disk node 400 when the operation of the storage device 410 of the disk node 400 is normal (a response is returned in T1 to the inspection command), the slice in the storage device 410 Data is written. At this time, in order to maintain duplication, the slice management unit 460 also writes the same data to the secondary slice paired with the slice to be accessed. When writing data to the secondary slice results in an error, a slice abnormality notification is issued from the disk node that manages the secondary slice to the control node 800. Then, the slice allocation management unit 850 recognizes that the abnormal slice is the secondary slice, and performs the reassignment process of the secondary slice to the recovery target segment.

The slice allocation management unit 850 updates the content of the virtual disk metadata storage unit 810 when the content of the reassignment of the slice of the recovery target segment is confirmed.
FIG. 23 is a diagram showing the contents of the updated virtual disk metadata storage unit. As shown in FIG. 23, the status of the metadata of the slice indicated by the disk node ID “SN-A”, the disk ID “1”, and the slice ID “1” is changed to “B”. The state “B” indicates that the corresponding slice is abnormal. Thereby, the assignment of the slice in the storage device 410 to the inquiry target segment (segment ID “1”) is released.

  Further, the status of the metadata of the slice indicated by the disk node ID “SN-C”, the disk ID “1”, and the slice ID “1” is changed to “P”. As a result, the slice assigned to the recovery target segment is changed from the secondary slice to the primary slice.

  Furthermore, the status of the metadata of the slice indicated by the disk node ID “SN-B”, the disk ID “1”, and the slice ID “2” is changed to “S”, and “VLOX-X” is set to the virtual disk ID. The segment ID is set to “1”. As a result, the secondary slice is assigned to the recovery target segment.

In addition, the time stamp of each metadata whose contents such as the state are changed is updated to “t (n + 1)”. “T (n + 1)” is a metadata update time.
When the metadata update is completed, the metadata search unit 820 can provide the access node 600 with metadata indicating the state after recovery of the recovery target segment if there is a metadata inquiry request to the recovery target segment. Become.

Returning to the description of FIG.
[Step S86] The metadata inquiry unit 610 transmits a metadata inquiry request designating a segment to the control node 800. The segment (inquired segment) specified in the inquiry request is a segment whose access has failed due to an error.

  [Step S87] The metadata search unit 820 of the control node 800 refers to the virtual disk metadata storage unit 810 and notifies the access node 600 of the metadata of the primary slice of the inquiry target segment.

  On the other hand, the slice allocation management unit 850 continues the recovery process for the recovery target segment in a process different from the metadata search for the metadata inquiry. That is, following the slice assignment, the processing of step S88 to step S91 is performed. When the access node 600 makes a read retry to the disk node 400b in step S92, the target data is returned in step S93. Further, when the progress of T2 is notified in step S94, recovery processing is performed in step S95.

  As described above, it is possible to perform the recovery process only for the segment to which the slice to be accessed is allocated before the passage of T2 is detected. In addition, segment recovery processing is performed based on the slice abnormality notification from the disk node 400. Therefore, it is not necessary to inhibit execution of the metadata search process according to the metadata inquiry request, and it is possible to prevent the processing efficiency of the entire system from being lowered.

Next, the slice switching process when the response to the inspection command is delayed because the load on the normally operating storage apparatus 410 is temporarily excessive will be described.
FIG. 24 is a sequence diagram illustrating a procedure of slice switching processing when the load on the storage apparatus becomes excessive. In this example, it is assumed that the load on the storage apparatus 410 connected to the disk node 400 temporarily becomes excessive. Note that the processing in steps S101 to S113 in FIG. 24 is the same as the processing in steps S81 to S93 in FIG. Therefore, the processing after step S114 will be described along with step numbers.

  [Step S114] The T1 / recovery detection unit 430 of the disk node 400 receives a response from the storage apparatus 410 to the inspection command. As a result, the T1 / recovery detection unit 430 detects that the storage apparatus 410 has returned to an accessible state. Then, the T1 / recovery detection unit 430 transmits a return notification of the storage apparatus 410 to the control node 800.

  When the storage status management unit 840 of the control node 800 receives the return notification, the storage state management unit 840 changes the information on whether or not the restored storage device is allocated in the allocation availability storage unit 830 to “permitted”.

[Step S <b> 115] The storage state management unit 840 transmits an acknowledgment to the disk node 400 after changing the allocation permission / inhibition storage unit 830.
In the first embodiment, when the storage apparatus returns, the slice assigned to the segment for which the recovery process has been performed (“query target segment” in the first embodiment) is changed to a free state. ing. On the other hand, in the third embodiment, the state of the slice that has been accessed after the elapse of T1 is changed to “B (Bad)” at the time of access. Therefore, even if the storage device is restored, the metadata change process is unnecessary.

  Incidentally, the failure diagnosis of the storage apparatus by the inspection command is performed in all the disk nodes 400, 400a, 400b. The example of FIG. 21 is a case where the progress of T1 is detected in only one storage device. On the other hand, it is possible that the progress of T1 is detected simultaneously by two storage apparatuses. At this time, if there is a segment that constitutes a slice pair in the slices of each of the two storage devices for which the progress of T1 has been detected, if both slices are in an abnormal state (state “B”), the segment Data will be lost. Therefore, in such a case, a disk abnormality notification is not performed in the disk node where the progress of T1 is detected later.

  FIG. 25 is a sequence diagram showing slice allocation processing when T1 progress is detected in a plurality of disks. In this example, it is assumed that the storage device 410 connected to the disk node 400 has failed, and the load on the storage device connected to the disk node 400b is temporarily excessive. Note that the processes in steps S121 to S131 in FIG. 25 are the same as the processes in steps S81 to S91 in FIG. Therefore, the processing after step S132 will be described along with step numbers.

  [Step S132] The disk node 400b periodically performs disk diagnosis of the storage apparatus. If the storage apparatus is operating normally, a response is returned from the storage apparatus within T1. In the example of FIG. 25, the storage device of the disk node 400b was operating normally until the processing of step S131 was executed, but the storage device was overloaded before the copy processing due to the change of metadata was completed. Suppose that it is in a state. Due to the overload of the storage device, the disk node 400b does not return a normal response even after T1 has elapsed after issuing the inspection command. Therefore, the disk node 400b detects T1 and transmits a T1 progress notification to the control node 800.

  Upon receiving the T1 progress notification, the storage state management unit 840 of the control node 800 receives the T1 progress notification and assigns the state of the storage device connected to the disk node 400b to switch to “impossible”.

[Step S133] When the switching of the state is completed, the storage state management unit 840 transmits a switching completion response to the disk node 400b.
[Step S134] After that, when the metadata inquiry is completed, the slice access request unit 630 of the access node 600 refers to the access metadata storage unit 620 to determine the disk node that manages the slice to be accessed. Send a read request (read retry) to the disk node.

  At this time, in the disk node 400b, it is assumed that the detection of T2 and the return have not been detected yet. In this case, the disk node 400b confirms the state of the access target slice in the read request based on the metadata. The metadata referred to at this time is the same as each metadata whose disk node ID is “SN-C” in the virtual disk metadata table 811 shown in FIG. Then, the corresponding slice (in this example, the disk node ID “SN-C”, the disk ID “1”, and the slice with the slice ID “1” illustrated in FIG. 23) is set as a secondary by the metadata update request in step S129. The slice has been changed to the primary slice. Then, the data in the corresponding slice is being copied to the secondary slice forming a pair in the disk node 400a.

Since the slice to be accessed is being copied, the disk node 400b does not send a slice abnormality notification and waits until data can be read.
[Step S135] Thereafter, the T2 detection unit 440 of the disk node 400 detects that T2 has elapsed since the inspection command was issued. Then, the T2 detection unit 440 transmits a T2 progress notification to the control node 800.

  [Step S136] Upon receiving the T2 progress notification, the slice allocation management unit 850 of the control node 800 recognizes that the storage apparatus 410 has become unusable due to a failure, and starts recovery processing for the entire storage apparatus 410.

  [Step S137] On the other hand, the disk node 400b receives a response from the storage apparatus to the inspection command. Then, the disk node 400 b transmits a storage device recovery notification to the control node 800.

[Step S138] The storage state management unit 840 transmits a confirmation response to the disk node 400b after changing the allocation availability storage unit 830.
As described above, when data in a slice in the storage device is being copied (the duplexed state has not been restored), the disk node detects T1 progress of the storage device and there is access to the slice. Continue the lead process. In other words, the disk node does not change the status of the slice to be accessed to “B (Bad)” or transmits a slice abnormality notification to the control node 800. As a result, it is possible to prevent the primary slice from being treated as abnormal before the copy processing for duplex recovery is completed. As a result, data loss is prevented.

  Next, a detailed procedure of the disk diagnosis process in the disk node will be described. Although the following processing is described as being performed by the disk node 400, the other disk nodes 400a and 400b periodically execute similar processing.

  FIG. 26 is a flowchart showing the procedure of the disk diagnosis process. In the following, the process illustrated in FIG. 26 will be described in order of step number. This process is periodically executed at preset intervals.

  [Step S151] The T1 / return detection unit 430 outputs an inspection command to the storage device 410. At this time, the T1 / return detection unit 430 stores the output time of the inspection command in the internal memory.

  [Step S152] The T1 / return detection unit 430 determines whether or not T1 has elapsed since the inspection command was issued. Specifically, the T1 / return detection unit 430 subtracts the output time of the inspection command from the current time, and determines that T1 has elapsed if the subtraction result is equal to or greater than T1. If T1 has elapsed, the process proceeds to step S155. If T1 has not elapsed, the process proceeds to step S153.

  [Step S153] The T1 / return detection unit 430 performs a diagnosis completion check. Specifically, the T1 / recovery detection unit 430 checks whether a normal response is returned from the storage device 410.

[Step S154] When the normal response is returned, the T1 / return detection unit 430 ends the process. If a normal response has not been returned, the process proceeds to step S152.
[Step S155] The T1 / return detection unit 430 transmits a T1 progress notification to the control node 800 when T1 has elapsed since the transmission of the inspection command.

  [Step S156] The T2 / recovery detection process is executed by the cooperation process of a plurality of elements in the disk node 400. Details of this processing will be described later. When this process ends, the disk diagnosis process ends.

FIG. 27 is a flowchart illustrating a procedure of the T2 / return detection process. In the following, the process illustrated in FIG. 27 will be described in order of step number.
[Step S161] The T2 detection unit 440 determines whether or not T2 has elapsed since the inspection command was issued. Specifically, the T2 detection unit 440 acquires the output time of the inspection command from the T1 / recovery detection unit 430. Then, the T2 detection unit 440 subtracts the output time of the inspection command from the current time, and determines that T2 has elapsed if the subtraction result is equal to or greater than T2. If T2 has elapsed, the process proceeds to step S162. If T2 has not elapsed, the process proceeds to step S163.

[Step S162] The T2 detection unit 440 transmits a T2 progress notification to the control node 800. Thereafter, the T2 / return detection process ends.
[Step S163] The slice access processing unit 420 determines whether an access request to the storage apparatus 410 has been input. If an access request is input, the process proceeds to step S165. If no access request is input, the process proceeds to step S164.

  [Step S164] The T1 / return detection unit 430 performs a diagnosis completion check. Specifically, the T1 / recovery detection unit 430 checks whether a normal response is returned from the storage device 410. Thereafter, the process proceeds to step S170.

  [Step S165] The slice access processing unit 420 determines whether the slice to be accessed is being copied. Specifically, the slice access processing unit 420 refers to the metadata storage unit 450 and confirms the duplex state of the slice to be accessed. If “duplicating” is set as the duplex status, the corresponding slice is being copied. If copying is in progress, the process proceeds to step S166. If not copying, the process proceeds to step S167.

  [Step S166] The slice access processing unit 420 performs access processing to the storage apparatus 410 in response to the access request. This access process does not succeed until the storage device 410 is restored. Therefore, the slice access processing unit 420 waits for the storage device 410 to recover and executes data read or data write according to the access request. Thereafter, the process proceeds to step S170.

  [Step S167] When the slice to be accessed is not being copied, the slice access processing unit 420 notifies the accessed slice detection unit 470 that there has been an access request to the slice in the storage device 410. In the disk diagnosis processing of the storage apparatus 410, the accessed slice detection unit 470 confirms that T1 has elapsed since the inspection command issuance and before T2 has elapsed / returned, and transmits a metadata change request to the slice management unit 460. . In response to the metadata change request, the slice management unit 460 updates the metadata of the slice to be accessed in the metadata storage unit 450 with the state being “B (Bad)”. In addition, when the storage device 410 returns, the slice management unit 460 similarly updates the metadata in the storage device 410.

[Step S168] The accessed slice detection unit 470 notifies the control node 800 of a slice abnormality.
[Step S169] The slice access processing unit 420 transmits an access error to the access node 600. Thereafter, the process proceeds to step S170.

  [Step S170] When a normal response is returned, the T1 / return detection unit 430 advances the process to step S171. If a normal response has not been returned, the process proceeds to step S161.

[Step S171] The T1 / recovery detection unit 430 transmits a return notification to the control node 800. Thereafter, the T2 / return detection process ends.
In this way, T1 is detected in the storage apparatus having the slice assigned to the segment being recovered, and even if there is an access request for that slice, no slice abnormality notification is performed. As a result, it is possible to prevent the data from being lost even when the T1 progress is simultaneously detected in a plurality of storage apparatuses.

  As described above, in the third embodiment, since slice reassignment is performed based on an abnormality notification from a disk node, it is not necessary to delay the metadata search processing according to the metadata inquiry. As a result, the access node can quickly receive a response to the metadata query even if it takes time to change the metadata accompanying the slice reassignment. As a result, even when a plurality of storage apparatuses are in trouble at the same time, data access from the access node is prevented from being delayed as much as possible.

  Also in the third embodiment, similarly to the first and second embodiments, the failure detection time “T2” can be set long while suppressing the access from being stopped for a long time. That is, there is an advantage that it is not necessary to adjust the failure detection time “T2” for each storage device.

  Note that the storage status storage unit 530 in the first embodiment may be used instead of the allocation permission / inhibition storage unit 830 in the third embodiment. In this case, it is determined that the storage apparatus in which the state is “normal” in the storage state storage unit 530 is “assignable” and the storage apparatus in which the state is “T1” is “unassignable”.

In the first embodiment, as in the third embodiment, a slice in the storage apparatus in which the T1 progress has been detected can be disabled in the recovery process.
The above processing functions can be realized by a computer. In that case, a program describing the processing contents of the functions that the control node and the disk node should have is provided. By executing the program on a computer, the above processing functions are realized on the computer. The program describing the processing contents can be recorded on a computer-readable recording medium. Examples of the computer-readable recording medium include a magnetic recording device, an optical disk, a magneto-optical recording medium, and a semiconductor memory. Examples of the magnetic recording device include a hard disk device (HDD), a flexible disk (FD), and a magnetic tape. Optical disks include DVD (Digital Versatile Disc), DVD-RAM, CD-ROM (Compact Disc Read Only Memory), CD-R (Recordable) / RW (ReWritable), and the like. Magneto-optical recording media include MO (Magneto-Optical disc).

  When distributing the program, for example, a portable recording medium such as a DVD or a CD-ROM in which the program is recorded is sold. It is also possible to store the program in a storage device of a server computer and transfer the program from the server computer to another computer via a network.

  The computer that executes the program stores, for example, the program recorded on the portable recording medium or the program transferred from the server computer in its own storage device. Then, the computer reads the program from its own storage device and executes processing according to the program. The computer can also read the program directly from the portable recording medium and execute processing according to the program. Further, each time the program is transferred from the server computer, the computer can sequentially execute processing according to the received program.

The present invention is not limited to the above-described embodiment, and various modifications can be made without departing from the gist of the present invention.
The main technical features of the embodiment described above are as follows.

(Supplementary note 1) A data management program for causing a computer to execute management processing of data stored in a duplicated manner in a plurality of storage devices in which a storage area is divided into a plurality of slices and managed.
The computer,
Operation malfunction information management means for storing the operation malfunction information in the malfunction information storage means when receiving malfunction information indicating that one of the plurality of storage devices may be out of order;
When access related information indicating that an access request is issued with the slices of the plurality of storage devices as access target slices, the access target slice belongs with reference to the operation malfunction information in the operation malfunction information storage unit A data input / output function to the storage device that determines whether or not the storage device may be in failure and stores redundant data having the same contents as the data in the access target slice when there is a possibility of failure. Recovery instruction means for instructing the slice management means having recovery processing of data stored in the access target slice;
Data management program characterized by functioning as

  (Supplementary note 2) The data management program according to supplementary note 1, wherein the malfunction information is transmitted via a network from a disk node to which the storage device that may be in a failure state is connected.

  (Supplementary Note 3) The access-related information is transmitted from the access node when access to the slice in the storage device by the access node that accesses the plurality of storage devices via the network fails. A data management program according to appendix 1, which is characterized.

  (Supplementary note 4) The data management program according to supplementary note 3, wherein the recovery instruction means notifies the access node of the storage location of the redundant data when receiving the access related information from the access node.

  (Additional remark 5) The said slice management means is one function of the disk node connected to the said computer via a network, and the said storage apparatus which stores the said redundant data is connected. Data management program.

(Supplementary note 6)
A virtual disk composed of a plurality of segments is defined, two slices belonging to different storage devices are assigned to each of the segments, and each slice of the plurality of storage devices is provided for each slice. And function as virtual disk metadata storage means for storing metadata indicating the allocation relationship between the segment and the segment,
The access-related information is transmitted from the access node when access to the slice in the storage device by the access node that accesses the plurality of storage devices via the network fails. An allocation-related query request that specifies the segment being allocated as the query target segment,
The recovery instruction means includes
Search the metadata of the two allocated slices assigned to the inquiry target segment specified by the access related information from the virtual disk metadata storage means, and refer to the malfunction information storage means and search Metadata search means for determining whether or not there is a possibility that the storage device to which the allocated slice belongs is based on the metadata obtained by
When it is determined that the metadata search means may be in failure, the allocation of the allocated slice belonging to the storage device that may be in failure may be released from the query target segment, and the other A slice assignment means for newly assigning a slice to the query target segment;
The data management program according to appendix 1, characterized by comprising:

(Appendix 7) When the slice allocation unit completes the allocation of the new slice to the inquiry target segment, it updates the metadata in the virtual disk metadata storage unit according to the allocation result,
When the metadata search unit determines that there is a possibility that the storage device to which the allocated slice belongs has a failure, a new slice is allocated to the inquiry target segment instead of the allocated slice. After the new slice is allocated, the metadata of the slice allocated to the inquiry target segment is acquired from the virtual disk metadata storage unit and transmitted to the access node. Data management program.

  (Supplementary Note 8) The slice allocating unit refers to the operation malfunction information storage unit, and selects a slice to be newly allocated to the inquiry target segment from slices of the storage device not indicated by the operation malfunction information. The data management program according to appendix 6, which is a feature.

  (Supplementary Note 9) When the recovery instruction means receives failure detection information indicating that any one of the plurality of storage devices has failed, the recovery instruction means stores redundant data having the same content as each data in the failed storage device. The data management program according to appendix 1, wherein the data management program instructs the slice management means having a data input / output function to the storage apparatus to instruct recovery processing of all data in the failed storage apparatus.

  (Supplementary Note 10) When the malfunction information management unit receives return information indicating that the normal operation of the storage device that has been considered to be in failure is confirmed, from the malfunction information storage unit, The data management program according to appendix 1, wherein the operation malfunction information of the storage apparatus whose normal operation is confirmed is deleted.

(Supplementary Note 11) A storage device diagnosis program that causes a computer connected to a control node that manages data stored in the storage device to be connected to the storage node via a network, and that performs an operation diagnosis process of the storage device. There,
The computer,
A response time measuring means for issuing an inspection command to the storage device and measuring an elapsed time from when the inspection command is issued until there is a response;
If there is no response even when the elapsed time reaches a preset operation malfunction detection time, operation malfunction information indicating that the storage apparatus may be out of order is sent to the control node. Detection means,
A return detection means for transmitting return information indicating return of the storage device to the control node when a response to the inspection command is returned from the storage device after transmitting the malfunction information;
A storage apparatus diagnosis program that is caused to function as a storage device.

(Supplementary note 12)
Failure detection means for transmitting failure detection information relating to the storage device to the control node when there is no response even when the elapsed time reaches a failure detection time set in advance that is larger than the malfunction detection time ,
The storage apparatus diagnosis program according to appendix 11, wherein the storage apparatus diagnosis program is made to function as:

(Supplementary note 13)
After sending the malfunction information, if there is an access to a slice in the storage device before sending the return information or the failure detection information, a slice error notification that sends a slice error notification specifying the access target slice to the control node means,
The storage device diagnostic program according to appendix 12, wherein the storage device diagnostic program is made to function as:

(Supplementary Note 14) A storage device diagnosis program for causing a computer connected to a control node for managing data stored in the storage device via a network to execute operation diagnosis processing of the storage device while the storage device is connected There,
The computer,
A response time measuring means for issuing an inspection command to the storage device and measuring an elapsed time from when the inspection command is issued until there is a response;
After the elapsed time exceeds a preset operation malfunction detection time, if there is an access to a slice in the storage device before obtaining a response to the check command, a slice abnormality notification specifying the access target slice is sent. Slice abnormality notification means to be transmitted to the control node,
A storage apparatus diagnosis program which is made to function as a storage device.

(Supplementary note 15) A multi-node storage system for managing data by duplication,
A response time measuring means for issuing an inspection command to a storage device managed by dividing a storage area into a plurality of slices, and measuring an elapsed time from the inspection command issuance to a response;
When there is no response even when the elapsed time reaches a preset operation malfunction detection time, an operation malfunction detection means for transmitting malfunction information indicating that the storage apparatus may be out of order to the control node. When,
A return detection means for sending return information indicating return of the storage device to the control node when a response to the inspection command is returned from the storage device after sending the malfunction information;
A plurality of disk nodes comprising:
Upon receiving the malfunction information from one of the disk nodes, malfunction information management means for storing the malfunction information in the malfunction information storage means;
When access related information indicating that an access request is issued with the slices of the plurality of storage devices as access target slices, the access target slice belongs with reference to the operation malfunction information in the operation malfunction information storage unit The disk node to which the storage device that stores the redundant data having the same contents as the data in the slice to be accessed is determined if there is a possibility that the storage device is in failure. Recovery instruction means for instructing recovery processing of data stored in the access target slice,
The control node comprising:
A multi-node storage system comprising:

1-3 Storage devices 1a, 2a, 3a Slice 4-6 Disk node 4a Response time measuring means 4b Operation malfunction detection means 4c Failure detection means 4d Recovery detection means 5a, 6a Slice management means 7 Control node 7a Operation malfunction information management means 7b Operation malfunction information storage means 7c Recovery instruction means 8 Access node

Claims (4)

A data management program for causing a computer to execute a management process of data stored in duplicate in a plurality of storage devices managed by dividing a storage area into a plurality of slices,
In the computer,
One of the plurality of storage devices is issued when there is no response even when a preset malfunction detection time is reached, and there is a possibility that one of the plurality of storage devices is in failure. receives irregularity information indicating, storing the irregularity information memorize means,
Wherein the plurality of the slice-access request as an access target slice in the storage device receives the access-related information indicating that issued, the irregularity information referring to the storage access target slice belongs before crisis憶the means It is determined whether there is a possibility that the device is in failure. If there is a possibility that the device is in failure, a storage device that stores redundant data having the same contents as the data in the access target slice, and a storage to which the access target slice belongs Sending a redundant data copy instruction to a storage device that is different from any of the devices, and having a data input / output function to the storage device storing the redundant data ,
A failure indicating that one of the plurality of storage devices has failed, which is issued when there is no response even when the elapsed time reaches a failure detection time set in advance that is larger than the malfunction detection time. For each piece of redundant data having the same content as each data in the failed storage device, the detection information is received, and the storage device that stores the redundant data and a storage device that is different from both of the failed storage devices are used as copy destinations. Sending a copy instruction of the redundant data to a device having a data input / output function to a storage device storing the redundant data ;
A data management program for executing processing. In addition to the computer,
  When there is a possibility that the storage device to which the access target slice belongs is in failure, the access destination when accessing the data in the access target slice is changed to a storage device that stores redundant data having the same contents as the data To notify the transmission source of the access related information,
  The data management program according to claim 1, wherein processing is executed.   A multi-node storage system that manages data in duplicate,
  A storage area having a plurality of disk nodes connected to one of a plurality of storage devices managed by dividing into a plurality of slices, and a control node;
  Each of the plurality of disk nodes is
  A response time measuring means for issuing an inspection command to the connected storage device and measuring an elapsed time from when the inspection command is issued until a response is received;
  If there is no response when the elapsed time reaches a preset malfunction detection time, malfunction detection is performed to transmit malfunction information indicating that the storage device may be out of order to the control node. Means,
  Failure detection means for transmitting failure detection information indicating that the storage device has failed when there is no response even if the elapsed time reaches a failure detection time set in advance that is larger than the malfunction detection time When,
  In accordance with a data copy instruction, slice management means for copying data in the storage device to another storage device;
  Comprising
  The control node is
  Upon receiving the malfunction information from one of the plurality of disk nodes, malfunction information management means for storing the malfunction information in storage means;
  Upon receiving access-related information indicating that an access request has been issued with the slices of the plurality of storage devices as access target slices, the storage device to which the access target slice belongs is referred to the operation malfunction information in the storage means It is determined whether or not there is a possibility of failure, and when there is a possibility of failure, a storage device that stores redundant data having the same content as the data in the access target slice, and a storage device to which the access target slice belongs A first recovery instruction means for sending a redundant data copy instruction to a disk node to which the storage apparatus storing the redundant data is connected, with the storage apparatus being different from any of the storage apparatuses as a copy destination;
  Upon receiving failure detection information from one of the plurality of disk nodes, a storage device that stores the redundant data for each redundant data having the same content as each data in the failed storage device, and the failed storage device A second recovery instruction means for transmitting a copy instruction of the redundant data to a disk node to which the storage apparatus storing the redundant data is connected, with the storage apparatus different from any of the storage apparatuses as a copy destination;
  Comprising
  A multi-node storage system characterized by that.   The control node is
  When there is a possibility that the storage device to which the access target slice belongs is in failure, the access destination when accessing the data in the access target slice is changed to a storage device that stores redundant data having the same contents as the data To notify the transmission source of the access related information,
  The multi-node storage system according to claim 3, further comprising:

Images