U.S. patent application number 11/474359 was filed with the patent office on 2006-11-09 for remote copy with worm guarantee.
This patent application is currently assigned to HITACHI, LTD.. Invention is credited to Naoto Matsunami, Yoichi Mizuno, Akira Nishimoto, Yusuke Nonaka.
Application Number | 20060253672 11/474359 |
Document ID | / |
Family ID | 34927176 |
Filed Date | 2006-11-09 |
United States Patent
Application |
20060253672 |
Kind Code |
A1 |
Nonaka; Yusuke ; et
al. |
November 9, 2006 |
Remote copy with worm guarantee
Abstract
In the case in which data in a storage system A is remotely
copied to a storage system B, it is not taken into account whether
the data of the remote copy is WORM data. In the case in which a
setting is made such that data stored in a volume in the storage
system A is copied to a volume in the storage system B, storage
system A judges whether an attribute to the effect that data can be
referred to and can be updated or to the effect that data can be
referred to but cannot be updated is added to the volume in the
storage system A. Then, if the volume is a volume to which the
attribute to the effect that data can be referred to but cannot be
updated is added, such attribute is added to the volume in the
storage system B.
Inventors: |
Nonaka; Yusuke; (Yokohama,
JP) ; Matsunami; Naoto; (Hayamamachi, JP) ;
Nishimoto; Akira; (Sagahihara, JP) ; Mizuno;
Yoichi; (Yokohama, JP) |
Correspondence
Address: |
MATTINGLY, STANGER, MALUR & BRUNDIDGE, P.C.
Suite 370
1800 Diagonal Road
Alexandria
VA
22314
US
|
Assignee: |
HITACHI, LTD.
|
Family ID: |
34927176 |
Appl. No.: |
11/474359 |
Filed: |
June 26, 2006 |
Related U.S. Patent Documents
|
|
|
|
|
|
Application
Number |
Filing Date |
Patent Number |
|
|
10883753 |
Jul 6, 2004 |
|
|
|
11474359 |
Jun 26, 2006 |
|
|
|
Current U.S.
Class: |
711/162 ;
714/E11.103 |
Current CPC
Class: |
G06F 11/2069
20130101 |
Class at
Publication: |
711/162 |
International
Class: |
G06F 12/16 20060101
G06F012/16 |
Foreign Application Data
Date |
Code |
Application Number |
May 27, 2004 |
JP |
2004-157034 |
Claims
1-20. (canceled)
21. A system comprising a first storage system including at least
one first disk drive and a first control apparatus for controlling
to store data in the first disk drive, the first disk drive being
related to a primary volume; and a second storage system including
at least one second disk drive and a second control apparatus for
controlling to store data in the second disk drive, the second disk
drive being related to a secondary volume; wherein, if a remote
copy process between the primary volume and the secondary volume is
processed, an attribute of the primary volume is copied to an
attribute of the secondary volume, and wherein the attribute of the
primary volume is an attribute to the effect that data can be
referred to but cannot be updated.
22. The system according to claim 21, wherein: the attribute of the
primary volume is stored in the first disk drive.
23. The system according to claim 21, wherein: the attribute of the
secondary volume is stored in the second disk drive.
24. The system according to claim 21, wherein: if a pair status
between the primary volume and the secondary volume is occurred,
the attribute of the primary volume is copied to the attribute of
the secondary volume.
25. The system according to claim 21, wherein: if the remote copy
process is processed, the first control apparatus judge whether the
attribute of the primary volume is an attribute to the effect that
data can be referred to and can be updated or the attribute to the
effect that data can be referred to but cannot be updated.
26. The system according to claim 21, wherein: the first control
apparatus receives designation of a volume to which the attribute
to the effect that data can be referred to but cannot be updated is
added, an in the case in which the designated volume is set as the
secondary volume, the first control apparatus outputs a notice to
the effect that the designation cannot be accepted.
27. A system comprising: a first storage system including at least
one first disk drive and a first control apparatus for controlling
to store data in the first disk drive, the first disk drive being
related to a primary volume; and a second storage system including
at least one second disk drive and a second control apparatus for
controlling to store data in the second disk drive, the second disk
drive being related to a secondary volume; wherein, if a remote
copy process between the primary volume and the secondary volume is
processed, an attribute of the primary volume is copied to an
attribute of the secondary volume, and wherein the attribute of the
primary volume is Read Only.
28. The system according to claim 27, wherein: the attribute of the
primary volume is stored in the first disk drive.
29. The system according to claim 27, wherein: the attribute of the
secondary volume is stored in the second disk drive.
30. The system according to claim 27, wherein: if a pair status
between the primary volume and the secondary volume is occurred,
the attribute of the primary volume is copied to the attribute of
the secondary volume.
31. The system according to claim 27, wherein: if the remote copy
process is processed, the first control apparatus judge whether the
attribute of the primary volume is Read/Write Enable or the Read
Only.
32. The system according to claim 27, wherein: the first control
apparatus receives designation of a volume to which the Read Only
is added, an in the case in which the designated volume is set as
the secondary volume, the first control apparatus outputs a notice
to the effect that the designation cannot be accepted.
33. A system comprising: a first storage system including at least
one first disk drive and a first control apparatus for controlling
to store data in the first disk drive, the first disk drive being
related to a primary volume; and a second storage system including
at least one second disk drive and a second control apparatus for
controlling to store data in the second disk drive, the second disk
drive being related to a secondary volume; wherein, if a remote
copy process between the primary volume and the secondary volume is
processed, an attribute of the primary volume is copied to an
attribute of the secondary volume, and wherein the attribute of the
primary volume is Write Once Read Many (WORM).
34. The system according to claim 33, wherein: the attribute of the
primary volume is stored in the first disk drive.
35. The system according to claim 33, wherein: the attribute of the
secondary volume is stored in the second disk drive.
36. The system according to claim 33, wherein: if a pair status
between the primary volume and the secondary volume is occurred,
the attribute of the primary volume is copied to the attribute of
the secondary volume.
37. The system according to claim 33, wherein: if the remote copy
process is processed, the first control apparatus judge whether the
attribute of the primary volume is the WORM or not.
38. The system according to claim 33, wherein: the first control
apparatus receives designation of a volume to which the WORM is
added, an in the case in which the designated volume is set as the
secondary volume, the first control apparatus outputs a notice to
the effect that the designation cannot be accepted.
Description
CROSS-REFERENCES TO RELATED APPLICATIONS
[0001] This application relates to and claims priority from
Japanese Patent Application No. 2004-157034, filed on May 27, 2004,
the entire disclosure of which is incorporated herein by
reference.
BACKGROUND OF THE INVENTION
[0002] 1. Field of the Invention
[0003] The present invention relates to a storage system that
constitutes a computer system, and in particular, to a remote copy
function and a WORM function that the storage system has.
[0004] 2. Description of the Related Art
[0005] The remote copy is a technique for mirroring data among
plural storage systems (here, the storage system includes a storage
that records data and a control apparatus that controls the
storage; this applies in the following description) without the
intervention of a host computer. The remote copy will be explained
with a case in which a storage system A having a logical volume
A(1) and a storage system B having a logical volume B(1) are
connected by a network such as a Fibre Channel or an IP or a
private line as an example.
[0006] By performing the remote copy, contents recorded in the
logical volume A(1) and the logical volume B(1) are kept identical.
A host computer is connected to the storage system A, refers to or
updates data recorded in the logical volume A(1), and sets the
logical volume A(1) and the logical volume B(1) as a pair for the
remote copy. When the host computer issues a command for updating
the data recorded in the logical volume A(1) to the storage system
A, the storage system A updates the data recorded in the logical
volume A(1) and sends the updated data to the storage system B. The
storage system B updates data recorded in the logical volume B(1).
In this way, the data recorded in the logical volume A(1) and the
data recorded in the logical volume B(1) are kept identical.
[0007] The plural storage systems are arranged remote from each
other to perform the remote copy, whereby, when a disaster occurs,
an operation of the computer system is continued and restored
promptly. Moreover, by performing the remote copy, an operation of
data recorded in a certain storage system can be transferred to
another storage system. As a method of transferring an operation of
data recorded in a certain storage system to another storage
system, there are a method of stopping a storage system at time
decided in advance to transfer an operation of data to another
storage system and a method of transferring an operation of data to
another storage system without stopping a storage system. Details
of the remote copy are disclosed in U.S. Pat. No. 5,742,792.
[0008] WORM is the abbreviation of Write Once Read Many, which
means a characteristic of data, that is, data which is recorded
once, cannot be updated and can only be referred to. Data having
the nature of WORM is effective for proving that the data has not
been falsified after the data was recorded and preventing deletion
of data due to an operation mistake. The data having the nature of
WORM will be hereinafter referred to as WORM data. As a method of
realizing the WORM data, there are a method of using a recording
device having the nature of WORM as a physical nature like a Write
Once CD and a method of adding a device or a program for
prohibiting update of data to a storage incorporating a magnetic
disk or the like that can be updated many times physically. The
latter is disclosed in "Hitachi LDEV Guard".
SUMMARY OF THE INVENTION
[0009] In a conventional technique, in the case in which the data
in the storage system A is remotely copied to the storage system B,
it is not taken into account whether data to be copied is WORM
data. Therefore, for example, when the storage system A breaks down
due to a disaster during the remote copy, and an operation of a
system has to be continued using the data copied to the storage
system B remotely, since the data recorded in the storage system B
is not WORM data, falsification of the data is possible, and it
cannot be proved that the data has not been falsified after the
data was recorded. In addition, the same problem occurs when an
operation of data in a storage system is transferred to another
storage system in a planned manner.
[0010] Thus, the present invention discloses a system having a
remote copy function for WORM data that can copy not only data but
also the nature of WORM, that is, can impart the nature of WORM to
copy destination data as in copy source data.
[0011] In the case in which setting is made such that data stored
in a volume in the storage system A is copied to a volume in the
storage system B, a first control apparatus in the storage system A
judges whether an attribute to the effect that data can be referred
to and can be updated or an attribute to the effect that data can
be referred to but cannot be updated is added to the volume in the
storage system A. Then, if the volume is a volume to which the
attribute to the effect that data can be referred to but cannot be
updated is added, the first control apparatus instructs a second
control apparatus in the storage system B to add the attribute to
the effect that data can be referred to but cannot be updated to
the volume in the storage system B.
[0012] When the remote copy is performed among plural storage
systems, not only data but also the nature of WORM can be copied
from one storage system to the other storage systems. In other
words, the nature of WORM can be imparted to copy destination data
as in copy source data.
BRIEF DESCRIPTION OF THE DRAWINGS
[0013] In the accompanying drawings:
[0014] FIG. 1 is a block diagram showing an example of a structure
of a system in accordance with the present invention;
[0015] FIG. 2 is a diagram showing an example of volume management
information;
[0016] FIG. 3 is a diagram showing an example of a volume
management table;
[0017] FIG. 4 is a diagram showing an example of a WORM attribute
of a certain volume;
[0018] FIG. 5 is a diagram showing an example of a WORM attribute
of a certain volume;
[0019] FIG. 6 is a flowchart showing an example of processing in
which a configuration management program of a storage sets a remote
copy pair;
[0020] FIG. 7 is a flowchart showing an example of processing in
which a configuration management program of a storage sets an I/O
control type of a volume as WORM;
[0021] FIG. 8 is a flowchart showing an example of command
processing; and
[0022] FIG. 9 is a diagram showing an example of state transition
in remote copy.
DESCRIPTION OF THE PREFERRED EMBODIMENTS
[0023] An embodiment of the present invention will be hereinafter
explained with reference to the accompanying drawings. Note that
the present invention is not limited to this embodiment.
[0024] FIG. 1 is a block diagram showing an example of a structure
of a system to which the present invention is applied.
[0025] The system to which the present invention is applied
includes: a storage system A 110, a storage system B 111, a
management terminal 101; clients 102; a LAN 103 that connects the
management terminal 101, the storage system A 110, and the storage
system B 111; and a SAN 104 that connects the clients 102, the
storage system A 110, and the storage system B 111.
[0026] The storage system A 110 has a controller 126 and a disk
driver group 127. The storage system A 110 receives I/O requests
for a logical volume in the storage system A 110 from the clients
102 connected to the SAN 104.
[0027] The storage system B 111 has the same structure as the
storage system A 110 and receives I/O requests for a logical volume
in the storage system B 111 from the clients 102. In this
embodiment, the storage system B 111 is assumed to have the same
structure as the storage system A 110. However, the storage system
B 111 does not have to be completely the same as the storage system
A 110.
[0028] The disk driver group 127 has plural hard disks, and the
plural hard disks are connected to an I/F 120. A storage area in
the disk driver group 127 is divided into plural logical volumes. A
logical volume 122 is one of the plural logical volumes. Volume
management information A 124, which indicates a correspondence
relation and the like between the logical volumes and the hard
disks, is recorded in a storage area 121 in the disk driver group
127. In this embodiment, the volume management information A 124 is
assumed to be recorded in the storage area 121 in the disk driver
group 127. However, the volume management information A 124 may be
recorded in flash memory or the like on the controller 126 other
than the storage area 121 in the disk driver group 127.
[0029] In this embodiment, it is assumed that the volume management
information A 124 and the volume management information B 125
record that the logical volume 122 in the storage system A 110 and
the logical volume 123 in the storage system B 111 form a remote
copy pair, and the logical volume 122 is a primary volume and the
logical volume 123 is a secondary volume. Here, the remote copy
pair is a set of a copy source and a copy destination of remote
copy that are constituted by a primary volume and a secondary
volume. The management terminal 101 connected to the LAN 103
designates logical volumes, which constitute the primary volume and
the secondary volume, for the storage system A 110 and the storage
system B 111, whereby the remote copy pair is set.
[0030] The controller 126 includes: a processing unit 114; a memory
115 in which a program to be executed by the processing unit 114 is
stored; a cache 119; an I/F 112 that is connected to the SAN 104;
an I/F 113 that is connected to the LAN 103; and an I/F 120 that is
connected to the disk driver group 127. An input/output processing
program 116, a remote copy program 117, and a configuration
management program 118 are stored in the memory 115.
[0031] The input/output processing program 116 is a program for
executing processing for converting an I/O command for a logical
volume received from the client 102 into an I/O command for the
respective hard disks in the disk driver group 127 using the volume
management information.
[0032] The configuration management program 118 is a program for
executing processing for receiving an instruction for setting of a
remote copy pair from the management terminal 101 and setting the
remote copy pair. Details of the remote copy pair will be described
later.
[0033] The remote copy program 117 is a program for executing
processing for, when a remote copy pair is set, providing a remote
copy function between the set remote copy pair. Here, the remote
copy function means a function for, when a remote copy pair is set,
copying data stored in a primary volume to a secondary volume, and
after the remote copy is set, copying data, which is written in the
primary volume according to an instruction from the client 102, to
the secondary volume. A write request for the primary volume 122
from the client 102 is executed for the secondary volume 123 in the
same manner according to the remote copy function. Therefore, the
secondary volume 123 becomes a copy (mirror) of the primary volume
122 that forms the remote copy pair with the secondary volume
123.
[0034] FIG. 2 is a diagram showing an example of the volume
management information A 124. The volume management information A
124 stores and manages a volume management table A 224 and WORM
attributes 300 and 400 that are prepared for each volume
corresponding to volumes for which WORM is set. Details concerning
the volume management table A 224 and the WORM attributes will be
described later. Note that the volume management information A 124
is not limited to the volume management information of this
embodiment but may include other information. In addition, in this
embodiment, it is assumed that, when WORM is set for a volume, the
WORM attribute 300 or 400 corresponding to the volume, for which
WORM is set, is prepared according to the configuration management
programs of the respective storage systems. However, the WORM
attribute 300 or 400 corresponding to all volumes may be prepared
in advance.
[0035] FIG. 3 is a diagram showing an example of the volume
management table A 224. The volume management table A 224 stores
and manages a volume number 201, a capacity 202, an I/O control
type 203, a WORM unit 204, a remote copy attribute 205, and a
remote copy state 206.
[0036] The volume number 201 indicates the number of a logical
volume.
[0037] The capacity 202 indicates a storage capacity of a logical
volume.
[0038] An attribute of normal or WORM is set in the I/O control
type 203 by the management terminal 101 or the client 102. The
client 102 is capable of referring to and updating all sectors
concerning a logical volume for which normal is set in the I/O
control type 203. On the other hand, concerning a logical volume
for which WORM is set in the I/O control type 203, update of all
sectors or specific sectors or files by the client 102 is
restricted on the basis of the WORM unit 204 and conditions set in
a WORM attribute shown in FIG. 4 or 5.
[0039] A unit for restricting update of a logical volume, for which
WORM is set, is set in the WORM unit 204 by the management terminal
101 or the client 102. In this embodiment, a file, a sector, and a
volume are described as examples of the unit. However, any unit can
be applied as the WORM unit 204 as long as the unit designates a
specific part of a logical volume. In the case in which a volume is
set as the WORM unit 204, update for all sectors of the volume is
prohibited. In the case in which a sector is set as the WORM unit
204, update for a sector, which is set as an update prohibited area
in the WORM attribute 300, is prohibited. In the case in which a
file is set as the WORM unit 204, update for a file, which is set
as an update prohibited file in the WORM attribute 400,
corresponding to the volume is prohibited. However, in the case in
which a file is designated as the WORM unit 204, the storage system
A 110 and the storage system B 111 in FIG. 1 should have a file
server function, or a file server, which communicates with the
storage system A 110 and the storage system B 111, should be
present on the SAN 104.
[0040] The remote copy attribute 205 indicates whether the logical
volume constitutes a remote copy pair. If the logical volume
constitutes a remote copy pair, it is recorded in the remote copy
attribute 205 whether the logical volume is a primary volume or a
secondary volume. Note that, although not shown in the figure, if
the logical volume constitutes a remote copy pair, the remote copy
attribute 205 also includes additional information such as a volume
number of the other logical volume forming the remote copy pair and
an identification (ID) of a storage including the logical volume.
As the identification (ID) of the storage, there is, for example, a
World Wide Name (WWN) or the like of the Fibre Channel standard.
Here, a remote copy pair, in which both a primary volume and a
secondary volume have the attribute of WORM, is called a WORM
remote copy pair. By forming the WORM remote copy pair, the
attribute of WORM of the primary volume can be transferred to the
secondary volume.
[0041] If the logical volume constitutes a remote copy pair, a
state of remote copy is recorded in the remote copy state 206. A
type and transition of a state will be described later in
conjunction with an explanation of FIG. 7.
[0042] FIG. 4 is a diagram showing an example of a WORM attribute
provided in the volume management information A 124 for each
logical volume. The WORM attribute shown in FIG. 4 is attribute
information of a volume, for which an I/O control type is WORM and
a sector is designated as the WORM unit 204, among the volumes in
FIG. 3.
[0043] A WORM sector range 310 included in the WORM attribute 300
includes plural pieces of information indicating an update
prohibited area. The information indicating the update prohibiting
area is constituted by a set of a starting address 311 and an
ending address 312 and ON or OFF of a write flag 313. These pieces
of information are designated by the management terminal 101 or the
client 102. The write flag 313 indicates whether data can be
written or updated once in the update prohibited area. ON indicates
that data can be written or updated once in the update prohibited
area, and OFF indicates that data cannot be written and updated in
the update prohibited area. Moreover, in the case in which the
write flag 313 is ON, the WORM attribute 300 has a write management
bit map 314 corresponding to the update prohibited area and manages
whether data is written or updated once in each sector in the
update prohibited area using the write management bitmap 314. When
data is written or updated once in all sectors in the update
prohibited area designated by the starting address 311 and the
ending address 312, the input/output processing program 116
switches the write flag to OFF.
[0044] Note that, in the case in which the I/O control type is WORM
and a volume is designated as the WORM unit 204 in a volume among
the volumes in FIG. 3, all storage areas of the volume are
registered in the WORM sector range 310 in FIG. 4.
[0045] A log of events concerning remote copy is recorded in an
event log 320 included in the WORM attribute 300. Here, the events
concerning remote copy include, for example, transition of a remote
copy state shown in FIG. 7. In addition, the event log includes,
for example, a sequence number 321, an event occurrence time 322,
and an event content 323.
[0046] FIG. 5 is a diagram showing another example of the WORM
attribute provided in the volume management information A 124 for
each logical volume. The WORM attribute shown in FIG. 5 is
attribute information of a volume, for which an I/O control type is
WORM and a file is designated as the WORM unit 204, among the
volumes in FIG. 3.
[0047] A set of WORM files 410 included in the WORM attribute 400
includes plural pieces of information indicating update prohibited
files. The information indicating update prohibited files is
constituted by a pathname 411 and ON or OFF of the write flag 412.
These pieces of information are designated by the management
terminal 101 or the client 102. The write flag 412 indicates
whether data can be written or updated once in the file. ON
indicates that data can be written or updated once in the file, and
OFF indicates that data cannot be written or updated in the file.
Moreover, in the case in which the write flag 412 is ON, the WORM
attribute 400 has a write management bitmap 413 corresponding to a
storage area, in which the file is stored, and manages whether data
has been written or updated once in each sector in the storage area
in which the file is stored. When data is written or updated once
in all the sectors in the storage area, in which the file is
stored, designated by a pathname, the input/output processing
program 116 switches the write flag to OFF.
[0048] A log of events concerning remote copy is recorded in an
event log 420 as in the event log 320 in FIG. 4.
[0049] Note that, in this embodiment, there are two type as a
method of setting WORM for a volume.
[0050] In the type 1, WORM is set for a storage area in which data
has already been written. After WORM is set, writing and update of
data in the storage area are prohibited.
[0051] In the type 2, after WORM is set for a storage area, writing
or update of data is permitted only once. However, after data is
written or updated once, both writing and update of data in the
storage area are prohibited.
[0052] Whether WORM is set by a method of the type 1 or the type 2
is determined by an instruction of the configuration management
program 118 from the management terminal 101 or the client 102.
[0053] In the case in which WORM is set only by the method of the
type 1, in all cases in which the WORM unit 204 is a sector, a
volume, a file, and the like, a write flag and a write management
bitmap are unnecessary.
[0054] FIG. 6 is a diagram showing an example of processing in
which the management terminal 101 connected to the LAN 103 sets a
remote copy pair for the storage system A 110 and the storage
system B 111 in FIG. 1. Respective steps of remote copy pair
setting 500 will be hereinafter explained.
[0055] In step 501, a user instructs the storage system A 110 and
the storage system B 111 to form a remote copy pair from the
management terminal 101. Designation by the user includes
identification information for a volume in the storage system A 110
to be a primary volume and identification information for a volume
in the storage system B 111 to be a secondary volume.
[0056] In step 502, the configuration management program 118 in the
storage system B 111 judges whether the logical volume designated
as the secondary volume has a WORM attribute with reference to the
I/O control type 203 included in the volume management information
B 124. If the logical volume designated as the secondary volume has
the WORM attribute, in step 504, the configuration management
program 118 informs the user of irregularity of the instruction,
which leads to an abnormal end. This is because, if the secondary
volume has the WORM attribute before remote copy is set, data
copied from the primary volume may not be saved. If the logical
volume designated as the secondary volume does not have the WORM
attribute, the configuration management program 118 of the storage
system B 111 informs the configuration management program 118 of
the storage system A 110 that the logical volume designated as the
secondary volume does not have the WORM attribute.
[0057] In step 503, the configuration management program 118 of the
storage system A 110 judges whether the logical volume designated
as the primary volume has the WORM attribute with reference to the
I/O control type 203 included in the volume management information
A 124. In the case in which the logical volume designated as the
primary volume has the WORM attribute, in step 505, the
configuration management program 118 of the storage system A 110
sets the I/O control type 203 of the secondary volume to WORM. In
this case, the configuration management program 118 of the storage
system A 110 having the primary volume communicates with the
configuration management program 118 of the storage system B 111
having the secondary volume through the LAN 103 or the SAN 104 and
instructs the latter to set the secondary volume to WORM. The
configuration management program of the storage system B 111 sets
the I/O control type 203 of the secondary volume to WORM according
to the instruction from the configuration management program 118 of
the storage system A 110. The configuration management program 118
of the storage system B 111 creates the WORM attribute 300 or 400,
which corresponds to the volume designated as the secondary volume,
on the basis of the WORM unit 204 of the primary volume and sets
the WORM unit 204 in the same manner as the primary volume.
Concerning a volume which is set to the attribute of WORM and for
which the remote copy attribute 205 is secondary, only update
processing for copying data from the primary volume is permitted,
and update from the client 102 is prohibited.
[0058] In step 506, the respective configuration management
programs 118 of the storage system A 110 and the storage system B
111 write IDs of the primary volume and the secondary volume, which
are designated by the user in step 501, in the remote copy
attribute 205. The respective configuration management programs 118
send completion of the remote copy pair setting to the management
terminal, inform the user of the completion, and end the remote
copy pair setting normally (step 507).
[0059] As described above, in the case in which a volume for which
the WORM attribute is set is designated as the primary volume in
the remote copy pair setting 500, the WORM attribute is
automatically set for the secondary volume, whereby setting for a
WORM remote copy pair can be performed automatically without
drawing the user's attention.
[0060] In the above explanation, it is assumed that any one of the
logical volumes in the storage system A 110 is designated as a
primary volume and any one of the logical volumes in the storage
system B 111 is designated as a secondary volume to set a remote
copy pair. However, it is possible to assume that any one of the
logical volumes in the storage system B 111 is set as a primary
volume and any one of the logical volumes in the storage system A
110 is set as a secondary volume to set a remote copy pair in the
same manner.
[0061] FIG. 7 is a diagram showing an example of WORM setting
processing in which the management terminal 101 connected to the
LAN 103 changes an I/O control type of a logical volume in the
storage system A 110 to WORM. Processing for changing an I/O
control type of a logical volume in the storage system B 111 to
WORM can be executed in the same manner. Respective steps of WORM
setting processing 600 will be hereinafter explained.
[0062] In step 601, a user designates a logical volume, for which
an I/O control type is set to WORM, from the management terminal
101 and informs the configuration management program 118 of the
storage system A 110 of the logical volume.
[0063] In step 602, the configuration management program 118 of the
storage system A 110 in FIG. 1 judges whether the logical volume
designated by the user is a secondary volume with reference to the
remote copy attribute 205 of FIG. 3 included in the volume
management table A 124. If a remote copy attribute of the logical
volume is secondary, in step 604, the configuration management
program 118 of the storage system A informs irregularity of the
designation to the user, which leads to abnormal end. This is
because, when only the secondary volume has a WORM attribute, data
copied from a primary volume to the secondary volume cannot be
saved in some cases.
[0064] If the remote copy attribute of the logical volume
designated by the user is primary in step 603, in step 605, the
configuration management program 118 of the storage system A 110
sets the I/O control type 203 of the logical volume designated by
the user to WORM and sets the I/O control type 203 of a secondary
volume, which forms a remote copy pair with the logical volume
designated by the user, to WORM in the same manner as step 505 in
FIG. 6. Consequently, the remote copy pair has been automatically
changed to a WORM remote copy pair.
[0065] If the logical volume designated by the user does not form a
remote copy pair in step 603, in step 6051, the configuration
management program 118 of the storage system A 110 sets the I/O
control type 203 of the logical volume designated by the user to
WORM.
[0066] Note that, in the case in which the I/O control type 203 of
a volume of a storage system is set to WORM, the configuration
management program 118 of the storage system create the WORM
attribute 300 or 400 corresponding to the volume for which the I/O
control type 203 is set to WORM.
[0067] In step 606, the control management program 118 of the
storage system A 110 informs the user of completion of the WORM
setting and normally ends the WORM setting (step 607).
[0068] In the case in which the primary volume of the remote copy
pair is set to WORM in the WORM setting 600, the WORM attribute is
automatically set also in the secondary volume, whereby the remote
copy pair is automatically changed to a WORM remote copy pair
without drawing attention of the user.
[0069] Next, an event log, which is recorded in the WORM attribute
shown in FIG. 4 or 5, will be explained. Concerning processing for
setting WORM for a volume and processing for receiving instruction
for setting a remote copy pair form the client 102 or the
management terminal 101 to execute the instruction, the
configuration management program 118 creates an event log and
records the event log in the WORM attribute. For example, when the
configuration management program 118 of the storage system A 110 is
instructed by the client 102 or the management terminal 101 to copy
data of a primary volume to a secondary volume in the storage
system B 111 and executes the instruction, the configuration
management program 118 of the storage system A 110 creates an event
log to that effect and stores the event log in the volume
management information A 124.
[0070] Moreover, in the case in which a volume, which is an object
of recording of an event log, forms a pair, the configuration
management program 118 of the storage system A 110 instructs the
configuration management program 118 of the storage system B 111 to
store the event log, which is created by the configuration
management program 118 of the storage system A 110, in the volume
management information B. By performing such processing,
consistency of event logs stored in WORM attributes corresponding
to the primary and secondary volumes, which form a remote copy
pair, is kept.
[0071] FIG. 8 is a flowchart showing an example of processing in
the case in which the client 102 has issued a write request for a
logical volume to the storage system A 110. Here, command
processing 800 will be explained with a case in which a WORM unit
is a sector as an example. First, the command processing 800 will
be explained with a case in which WORM is set by the method of the
type 1 as an example.
[0072] In step 801, the input/output processing program 116
extracts one command among commands, which are sent from the client
102 and stored in a command queue on the memory 115, from the
command queue.
[0073] In step 802, the input/output processing program 116 judges
whether the command is a command for updating a sector on a basis
of a field indicating the type of a command. If the command is a
command for updating a sector, the input/output processing program
116 shifts to step 803. If the command is a command not for
updating a sector such as a command for reading, the input/output
processing program 116 shifts to step 806.
[0074] In step 803, the input/output processing program 116 judges
whether a sector, which is an object of the command, is included in
the WORM sector range 310 with reference to the WORM attribute 300
of FIG. 4 for a volume, which is an object of the command. If the
sector is included in the WORM sector range 310, the input/output
processing program 116 shifts to step 804. If the sector is not
included in the WORM sector range 310, the input/output processing
program 116 shifts to step 806.
[0075] In step 804, the input/output processing program 116 judges
whether the volume is a secondary volume of a remote copy pair with
reference to the remote copy attribute 205 of FIG. 2 for the
volume, which is an object of the command. If the volume is a
secondary volume of a remote copy pair, the input/output processing
program 116 shifts to step 805. If the volume is not a secondary
volume of a remote copy pair, the input/output processing program
116 judges that the command is an irregular update command for an
update prohibited sector and shifts to step 807.
[0076] In step 805, the input/output processing program 116 judges
whether the command is a command generated by remote copy from a
primary volume forming the remote copy pair.
[0077] As a method for the judgment, there is a method of using an
identifier of a SAN I/F of an apparatus that has issued the
command. For example, in the case of the Fibre Channel, each I/F
has an identifier called a WWN (World Wide Name). Similar
identifiers are present in the other network systems. The command
includes an area in which the identifier of the SAN I/F of the
apparatus that has issued the command. The configuration management
program 118 of FIG. 1 records a WWN of the I/F 112 of the storage
system A 110 having the primary volume 122 in the volume management
information B 125 when the configuration management program 118
sets a remote copy pair. Instep 805, the input/output processing
program 116 can compare the identifier stored in the command and
the identifier recorded in the volume management information B 125
and judge whether the update command for the secondary volume is a
command generated by remote copy from the primary volume.
[0078] As another method, a method of adding a code indicating that
a command is a regular remote copy command when the remote copy
program 117 of a storage system having a primary volume sends the
command to a remote copy program of a storage system having a
secondary volume is possible. As a technique for proving that data
is sent from a correct sender, a message authentication code and
the like are known.
[0079] If it is judged in step 805 that the command is judged as a
regular remote copy command, the input/output processing program
116 shifts to step 806. If it is judged in step 805 that the
command is not a regular remote copy command, the input/output
processing program 116 shifts to step 807. In step 806, the
input/output processing program 116 executes normal command
processing. If there is no failure in the apparatus, abnormality of
the command, or the like, the input/output processing program 116
executes step 809 to normally end the command processing (810). In
step 807, the command processing ends abnormally (808).
[0080] Next, a difference between a case in which WORM is set by
the method of the type 1 and the case in which WORM is set by the
method of the type 2 will be explained. After it is judged in step
804 that the volume is not a secondary volume of a remote copy
pair, the input/output processing program 116 judges whether a
write flag of a sector, for which data is about to be updated, is
ON with reference to the WORM attribute 300. If the write flag is
ON, the input/output processing program 116 judges whether data has
been written once in the sector, for which data is about to be
updated, with reference to a bitmap of the sector. If data has not
been written in the sector once, the input/output processing
program 116 shifts to step 806. Regardless of the write flag being
ON or OFF, when input/output processing program 116 judges data has
been written once in the sector, for which data is about to be
updated, with reference to a bit map of the sector, the
input/output processing program 116 proceeds to step 807.
[0081] In addition, a program for adding an electronic signature or
a message authentication code, which can be generated by only a
storage system having a primary volume, to copy data to be sent
from the primary volume to a secondary volume, a program for
verifying the electronic signature or the message authentication
code added to the copy data in a storage system having the
secondary volume, and a program for prohibiting update of the
secondary volume according to the copy data if authentication fails
on the basis of the verification of the electronic signature or the
message authentication code are added to the remote copy program
117. Consequently, control can be performed surely such that data
in the secondary volume of the WORM remote copy pair is not updated
according to irregular data other than the copy data of the data
stored in the primary volume from the storage system having the
primary volume.
[0082] FIG. 9 is a diagram showing an example of transition of the
remote copy state 206 of the volume management table A 224 in FIG.
3.
[0083] In the remote copy state 206, no remote copy, copying, pair,
pair suspend, communication error, or pair deletion is set.
[0084] No remote copy indicates a state in which a pertinent volume
is a volume not forming a remote copy pair (state 701).
[0085] Copying indicates a state in which data of a primary volume
is being copied to a secondary volume in order to make data of the
secondary volume identical with that in the primary volume (state
702). In the state 702, in the primary volume and the secondary
volume, not only data but also WORM attributes of both the volumes
are made identical. The WORM attribute 300 or 400 of the primary
volume is sent from the storage system A 110 to the storage system
B 111 by the remote copy program 117 and copied to the WORM
attribute 300 or 400 of the secondary volume.
[0086] Pair indicates a state in which update of data according to
a write request for the primary volume from the client 102 is also
executed for the secondary volume (state 703). In addition, in the
state 703, not only the update of data according to the write
request to the storage system A 110 from the client 102 but also
the update of the WORM attribute for the primary volume is executed
for the secondary volume. Moreover, in this case, the management
terminal 101 or the client 102 instructs the storage system A 110,
which has the primary volume, and the storage system B 111, which
has the secondary volume corresponding to the primary volume, to
switch an operation of the primary and the secondary volumes,
whereby an operation of a volume can be switched.
[0087] Pair suspend indicates a state in which the update of data
according to the write request for the primary volume from the
client 102 is not executed for the secondary volume (state
704).
[0088] Communication error indicates a state in which a
communication failure or a failure in any one of storages forming a
WORM remote copy pair has occurred (state 705).
[0089] Pair deletion indicates a state in which a remote copy pair
is deleted (state 706).
[0090] Next, a transition process from one state to another will be
explained.
[0091] Transition from the state 701 to the state 702 is performed
by the remote copy pair setting 500 shown in FIG. 6 (transition
711). Copy of data from the primary volume to the secondary volume,
which is executed for forming a remote copy pair in the transition
711, is referred to as initial copy.
[0092] When the copy from the primary volume to the secondary
volume is completed in the state 702, the remote copy state 206
transits to the state 703 (transition 712). When a communication
failure or the like occurs while data is copied from the primary
volume to the secondary volume and the copy cannot be continued in
the state 702, the remote copy state 206 transits to the state 705
(transition 717).
[0093] In the state 703, the management terminal 101 or the client
102 instructs the storage system A 110 not to execute update of
data for the secondary volume, whereby the remote copy state 206
transits to the state 704 (transition 714). In addition, in the
state 703, when a communication failure or the like occurs and the
remote copy pair cannot be continued, the remote copy state 206
transits to the state 705 (transition 715).
[0094] In the state 704, the management terminal 101 or the client
102 instructs the storage system A 110 to copy data of the primary
volume to the secondary volume, whereby the remote copy state 206
transits to the state 702 (transition 713). In the transition 713,
in order to reflect the update of the data executed for the primary
volume during the pair suspend (state 704) on the secondary volume,
updated data stored in the primary volume during the pair suspend
is copied to the secondary volume. Processing for making the data
of the primary volume and the data of the secondary volume
identical-through this copy processing is referred to as
resynchronization. The resynchronization includes processing for
making the WORM attribute 300 or 400 of the primary volume and that
of the secondary volume identical. In addition, the management
terminal 101 or the client 102 instructs the storage system A 110
to delete the remote copy pair, whereby the remote copy state 206
transits to the state 706 (transition 719).
[0095] When an error factor is eliminated in the state 705, the
remote copy state 206 transits to the state 702 (transition 716).
In the transition 716, in order to reflect the update of the data
executed for the primary volume during the communication error
(state 705) on the secondary volume, updated data stored in the
primary volume during the communication error is copied to the
secondary volume. Processing for making the data of the primary
volume and the data of the secondary volume identical through this
copy processing is referred to as resynchronization. The
resynchronization includes processing for making the WORM attribute
300 or 400 of the primary volume and that of the secondary volume
identical. In addition, the management terminal 101 or the client
102 instructs the storage system A 110 to delete the remote copy
pair, whereby the remote copy state 206 transits from the state 705
to the state 706 (transition 718).
[0096] When the remote copy state 206 has transited to the state
706, the remote copy attributes 205 and the remote copy states 206
corresponding to both the volumes forming the WORM remote copy pair
change to "none". In addition, the I/O control types 203 of both
the volumes change to WORM. When the remote copy state 206 has
transited to the state 706, if the remote copy state 206 has
transited to the state 703 at least once to that point, the WORM
attribute and the data of the primary volume have been transferred
to the secondary volume, although not completely. The data stored
in the primary volume and the WORM attribute set in the primary
volume at the point when the remote copy state 206 transited to the
state 704 through the transition 714 finally or at the point when
the remote copy state 206 transited to the state 705 through the
transition 715 are transferred to the secondary volume. However,
transfer of the data and the WORM attribute after that point is not
guaranteed. It can be confirmed to which point the data and the
WORM attribute have been transferred with reference to the event
log 320 (FIG. 4) or the event log 420 (FIG. 5) of the volume that
has been the secondary volume. The I/O control types of both the
volumes after the pair deletion, which have been the primary volume
and the secondary volume, are WORM. Thus, the WORM remote copy pair
cannot be formed again according to the restriction described in
the explanation of the remote copy pair setting 500 in FIG. 6.
[0097] In this embodiment, the data to be stored in the volume
designated as the primary volume, for which the I/O control type is
WORM, is initially copied in the state 702, and the I/O control
type of the volume designated as the secondary volume is set to
WORM. In addition, in the mirror in the state 703 and the
resynchronization in the state 702, update of data in the secondary
volume by means other than the remote copy program is prohibited to
prevent illegal falsification. This realizes the WORM remote copy
that can impart the same character as in the primary volume, which
makes it possible to prove that data recorded initially has not
been falsified, to the secondary volume.
[0098] In addition, by replacing the secondary volume with the
primary volume in the state 703, the operation of the system can be
continued using the logical volume, which was the secondary volume
before the replacement, while maintaining a non-falsification
proving capability equivalent to that of the logical volume which
was the primary volume before the replacement.
[0099] Further, in the case in which identity of the primary volume
and the secondary volume cannot be kept due to a failure in the
storage having the primary volume or a failure in a communication
path for performing remote copy, by recording state transition of
the remote copy in the event log 320 or 420 (FIG. 4 or 5) included
in the WORM attribute, it can be proved that the data and the WORM
attribute of the primary volume up to a certain point, for which a
record remains in the log, are recorded in the secondary volume.
Thus, the operation of the system can be continued using the
secondary volume. As described in the explanation of the remote
copy pair setting 500 in FIG. 6, the configuration management
program 118 in FIG. 1 judges whether the logical volume designated
as the primary volume is WORM or not using the I/O control type of
the volume for which remote copy pair formation is instructed,
whereby a WORM remote copy pair can be formed automatically.
[0100] Moreover, as described in the explanation of the WORM
setting 600 in FIG. 7, the configuration management program 118 of
FIG. 1 judges a remote copy attribute of a logical volume, for
which the configuration management program 118 is instructed to
change the I/O control type to WORM, whereby a WORM remote copy
pair can be formed automatically.
[0101] In this embodiment, the logical volume is illustrated as an
object of remote copy. However, the same method as this embodiment
is applicable to remote copy targeting a physical volume, a
directory or a file in a file system, and the like in order to
realize WORM.
* * * * *