FENCING OF RESOURCES ALLOCATED TO NON-COOPERATIVE CLIENT COMPUTERS
Techniques are provided for processing an Input/Output (I/O) request in which an identification message is received from a client computer. It is determined whether the client computer is a rogue client based on whether a current operations record exists for the client computer.
Latest IBM Patents:
- DYNAMIC TIME-BASED DATA ACCESS POLICY DEFINITION AND ENFORCEMENT
- HOMOMORPHIC ENCRYPTED ONE-HOT MAPS USING INTERMEDIATE CHINESE REMAINDER THEOREM (CRT) MAPS
- MINIMIZING COGNITIVE OVERLOAD USING DYNAMIC INTERACTION ENVIRONMENT ADJUSTMENT
- Datacenter temperature control and management
- Translation support for a virtual cache
This application is a divisional application of and claims the benefit of “FENCING OF RESOURCES ALLOCATED TO NON-COOPERATIVE CLIENT COMPUTERS”, having application Ser. No. 10/851,452, filed May 20, 2004, the entire contents of which is incorporated herein by reference.
BACKGROUND1. Field
Implementations of the invention relate to fencing of resources allocated to non-cooperative client computers.
2. Description of the Related Art
In a distributed Input/Output (I/O) environment, such as a Storage Area Network (SAN), a lock granting server computer may provide distributed locking techniques to enable a client computer to gain exclusive/shared access to data blocks in a storage area. A rogue client may be described as a client computer that has lost connectivity with the lock granting server computer while the client computer holds an exclusive lock to one or more data blocks. The loss of connectivity may occur due to a problem at the client computer (e.g., a problem with a device driver) or due to a problem with the environment (e.g., a problem with the SAN).
For example, a lock granting server computer may give a first client computer an exclusive lock to data blocks to fulfill an I/O request (e.g., a copy operation). If the first client computer does not fulfill the I/O request within a specified period of time, the first client computer is deemed to be a rogue client. The lock granting server computer may then revoke the exclusive lock for the first computer and may allow a second client computer to write to the data blocks. In this case, if the rogue client cannot be contacted by the lock granting server computer, the rogue client may continue to write to the data blocks protected by the exclusive lock, and, thus, may overwrite data that the second client computer has written to the same data blocks.
Conventional systems may provide host-based hardware solutions or storage-based solutions to the rogue client problem. With the host-based hardware solutions, a special processor is installed on the client computer and has access to a network. The lock granting server computer is able to send a message to the processor instructing the processor to power cycle (i.e., shut down) a rogue client. An example of this is an IBM® Remote Supervisor Adapter (RSA) card (available for purchase from International Business Machines, Corporation). With RSA cards, the lock granting server computer and the client computer each have RSA cards that communicate with each other. The lock granting server computer notifies its RSA card to send a signal to the client computer RSA card to shut down the client computer. With host-based hardware solutions, if the rogue client problem occurred due to problems with a device driver at the rogue client, shutting down and restarting the client computer may solve the problem. On the other hand, if the rogue client problem occurred because the client computer was unable to communicate with the server computer due to a SAN failure, then, the hardware-based solutions do not solve the rogue client problem.
With storage-based solutions, high end storage systems support features that allow the lock granting server computer to send the storage system a message instructing the storage system to ignore I/O requests from a specific rogue client. An example of this is dynamic Logical Unit Number (LUN) masking in a SAN. A LUN is a unique number that may identify a specific disk. With dynamic LUN masking, the storage subsystem may be notified to ignore I/O requests from a particular client for a particular LUN. Storage-based solutions address situations in which the rogue client problem occurred due to a SAN failure, but do not address situations in which the rogue client problem occurred due to a failure of a device driver at the client computer.
Thus, notwithstanding existing techniques, there is a continued need in the art to provide better techniques for client computer failure recovery.
SUMMARY OF THE INVENTIONProvided are an article of manufacture, system, and method for processing an Input/Output (I/O) request. At least one data block is allocated for use in completing the I/O request. A current operations record is stored for the I/O request. It is determined whether the I/O request has been completed within a specified period of time. In response to determining that the I/O request has not been completed within the specified period of time, the allocated at least one data block is fenced.
Provided are an article of manufacture, system, and method for processing an Input/Output (I/O) request in which an identification message is received from a client computer. It is determined whether the client computer is a rogue client based on whether a current operations record exists for the client computer.
BRIEF DESCRIPTION OF THE DRAWINGSReferring now to the drawings in which like reference numbers represent corresponding parts throughout:
In the following description, reference is made to the accompanying drawings which form a part hereof and which illustrate several implementations of the invention. It is understood that other implementations may be utilized and structural and operational changes may be made without departing from the scope of the invention.
The client computer 100 includes system memory 102, which may be implemented in volatile and/or non-volatile devices, and one or more Central Processing Units (CPUs) 106. One or more client applications 104 may reside in system memory 102 for execution by a Central Processing Unit (CPU) 106.
The server computer 120 includes system memory 122, which may be implemented in volatile and/or non-volatile devices and one or more Central Processing Units (CPUs) 130. One or more server applications 124, a client identification process 125, and a data block allocation process 126 may reside in system memory 122 for execution by a Central Processing Unit 130. Also, one or more current operations records 142 may reside in a persistent data store 140. In certain implementations, the data store 140 may be part of the storage area 180, and in alternative implementations, the data store 140 may be separate from the storage area 180. The data block allocation process 126 uses the current operations records 142 to later determine whether a client computer 100 has become a rogue client. In certain implementations, the current operations records are maintained for client computers that have been allocated data blocks to complete I/O requests and are kept for rogue clients that have not completed their I/O requests.
The client computer is also connected directly or indirectly (e.g., via a network (not shown)) to a storage area 180. The storage area may include a Storage Area Network (SAN), Direct Access Storage Devices (DASDs), Just a Bunch of Disks (JBOD), Redundant Array of Independent Disks (RAID). The storage area 180 includes data blocks. The data blocks may form multiple volumes, such as Volume A 182 and Volume B 184 (i.e., each volume may include one or more data blocks).
The server computer 120 may either not be physically connected to the storage area 180 or the server computer 120 may be physically connected to the storage area but may be unable to access the storage area 180 (e.g., due to zoning, business policies, etc.).
In block 202, the data block allocation process 126 stores a current operations record. The current operations record is persistently stored and contains, for example, a persistent name for the client computer 100, addresses of the allocated data blocks, and a timestamp. The data block allocation process 126 then notifies the client computer 100 that the client computer 100 can use the allocated data blocks to complete the I/O request.
Thus, prior to granting a client computer 100 permission to write to a previously unallocated area of storage, the data block allocation process 126 persistently stores a current operations record stating the data blocks it is granting permission to write, the client it is giving permission to write, and a timestamp. The data block allocation process 126 then grants permission to the client computer 100. If at a later time that permission is to be revoked, in certain implementations, a notice is sent to the client computer 100, and, if the client computer 100 does not respond to the notice within a specified period of time, the permission is revoked and the affected data blocks are fenced off by leaving them marked as allocated.
By leaving the blocks marked as allocated, the blocks cannot be reallocated for some other purpose. If they were reallocated, it is possible that the data blocks may be overwritten at a later time by the rogue client, causing data corruption.
The next time the client computer identifies with the data block allocation process 126, the data block allocation process 126 checks to see whether the client computer is considered a rogue client. If so, the data block allocation process 126 sends the client a message to cancel any pending write operations. If a response is successfully received, then the client computer 100 is no longer considered rogue. The data block allocation process 126 removes the current operations records pertaining to the client computer 100 and deallocates the affected data blocks.
In certain implementations, the data block allocation process 126 sends a notice to the client computer 100 that access to the previously allocated data blocks is being revoked. If the client computer 100 does not respond within a specified period of time to the notice, the data block allocation process 126 declares the client computer 100 to be a rogue client, leaving behind the current operations record that was created for the allocated data blocks.
In certain implementations, the client computer periodically sends a request to the data block allocation process 126 to continue to have access to the allocated data blocks (which request is also referred to as a request to “renew a lease” for the allocated data blocks). If the data block allocation process 126 wants to revoke access to the data blocks, the data block allocation process 126 does not return a message to the client computer 100 that the lease is being renewed. In this manner, the client computer 100 automatically determines that the lease has not been renewed.
If the client computer 100 is a rogue client, processing continues to block 404, otherwise, processing continues to block 412. In block 404, the client identification process 125 sends a cancel I/O request message to the rogue client. In block 406, the client identification process 125 determines whether a response has been received from the client computer 100 for the cancel I/O request message. If a response has been received, processing continues to block 408, otherwise, processing continues to block 414. In block 408, the client identification process 125 deallocates the data blocks previously allocated to the client computer 100. That is, if the client computer 100 acknowledges the cancel I/O request message, the client identification process 125 recognizes that the data blocks will not be overwritten by the rogue client and is able to allocate them for another operation. In block 410, the client identification process 125 removes the current operations record for the client computer 100. From block 410, processing continues to block 412.
In block 412, the client identification process 125 accepts an identification message from the client computer 100, which enables the client computer 100 to communicate further with the server computer 120.
In block 414, because a response was not received from the rogue client for the cancel I/O request message, the identification message is rejected. Thus, the rogue client cannot communicate with the server computer further until the current operations record for that rogue client has been removed. In certain implementations, the current operations records are periodically removed (e.g., every 24 hours) so that if a rogue client has, for example, a persistent hardware failure or no longer exists, the allocated data blocks may later be reallocated. This typically occurs after some period of time has elapsed since creation of the current operations record (e.g., the current operations record may be removed 24 hours after being created).
Thus, when the client identification process 125 receives an identify request from a client computer, it checks to see if it has a current operations record for that client computer 100. If none exist, the client computer identify request is accepted. If there are one or more current operations records for the client computer, then the client identification process 125 sends a cancel I/O request message to the client computer. If the client computer responds successfully, that means the client computer is no longer performing I/O with those data blocks and it is safe for the data blocks to be reused. In this case, the data blocks are deallocated, the current operations records for the rogue client are removed, and the identify request is accepted.
Implementations of the invention are applicable to various scenarios. Some example scenarios will be described herein merely for illustration, and it is not intended that the implementations be limited to the example scenarios.
In one example scenario, a remote copy of data is performed using a client computer 100 as a proxy. In this case, the server computer 120 desires to copy data from one range of data blocks to another range of data blocks. In cases in which the server computer 120 does not have access to the required Logical Unit Numbers of the data blocks (e.g., due to LUN masking), the server computer 120 instructs a client computer 100 to perform the copy operation.
The data block allocation process 126 at the server computer 120 allocates a target range for the data blocks and stores the name of the client and the target data blocks persistently. The data block allocation process 126 then sends a message to the client computer 100 to copy data from source data blocks to the allocated target data blocks. If the client computer 100 response does not time out, then the I/O request has been successfully completed and the allocated data blocks are not deallocated. If the client computer 100 response times out, then the client computer 100 is considered a rogue client. While the client computer 100 is considered a rogue client, the target data blocks are not used. Once the client computer 100 identifies itself, a cancel message is sent to the client computer 100. If the client computer 100 responds successfully, then the target data blocks are deallocated (i.e., because the copy operation previously failed) and the persistent current operations record is removed.
Certain log-based file systems perform write operations as a new allocation followed by a copy of the data. Therefore, implementations of the invention are applicable to such log-based files systems that allow for distributed I/O.
In a second example scenario, a remote write of data is performed using a client computer 100 as a proxy. In this case, the server computer 120 directs a client computer 100 to write a particular set of data to one or more data blocks. The data block allocation process 126 at the server computer 120 allocates a target range for the data blocks and stores the name of the client computer 100 and the target data blocks persistently. The data block allocation process 126 then sends a message to the client computer 100 to write data to the target data blocks, and the message contains the data to be written. If the client computer 100 response does not time out, then the I/O request has been successfully completed and the allocated data blocks are not deallocated. If the client computer 100 response times out, then the client computer 100 is considered a rogue client. While the client computer 100 is considered a rogue client, the target data blocks are not used. Once the client computer 100 identifies itself, a cancel message is sent to the client computer 100. If the client computer 100 responds successfully, then the target data blocks are deallocated (i.e., because the write operation previously failed) and the persistent current operations record is removed.
In a third example scenario, implementations of the invention may be extended for the case in which the data to be written to a data block is the same (i.e., repeated writes of the data block are idempotent). In this case, implementations deallocate the data blocks after a write times out because a future write to the same block writes the same set of contents.
In the third example scenario, a Logical Unit Number is written to a disk label. The server computer 120 labels a disk by writing a small record at a fixed offset on the disk. The record contains information that uniquely identifies the disk as belonging to the server computer 120. Other client computers and server computers in the distributed I/O environment scan disks they have access to. If the client computer or server computer recognizes the label on the disk as valid, then that computer assumes it can use the disk.
Implementations of the invention enable safely labeling a LUN on a disk label using a client computer 100 as a proxy. If an administrator directs the server computer 120 to write a label to a particular disk, the server computer 120 checks the current operations records to determine whether a label has already been generated for the disk. If a label has not already been generated, the server computer 120 generates a unique label for the disk and stores the label along with the current operations record (e.g., the server computer is storing the disk identifier, unique label, and client name persistently). The server computer 120 then sends a message to the client computer 100 to write the label. If the client computer 100 response times out, the server computer 120 assumes that the write request has failed. However, since the write is idempotent (i.e., the same label will be written by a subsequent write label operation), the server computer 120 allows the same disk to be labeled by another client computer, even while the first client computer is still considered to be a rogue client.
Thus implementations provide distributed failure recovery in a distributed Input/Output (I/O) environment. Certain implementations address a subset of the “rogue” client problem. Implementations of the invention differ from the host-based hardware solutions because the implementations do not require special hardware to be installed on any of the clients. Implementations of the invention differ from the storage-based solutions because the implementations do not depend on having special storage systems.
Certain implementations of the invention address a subset of the rogue client problem for the cases in which the data blocks that are to be allocated were previously unallocated, and, therefore, their previous contents do not matter.
IBM is a registered trademark or common law mark of International Business Machines, Corporation in the United States and/or other countries.
Additional Implementation DetailsThe described embodiments may be implemented as a method, apparatus or article of manufacture using programming and/or engineering techniques to produce software, firmware, hardware, or any combination thereof. The terms “article of manufacture” and “circuitry” as used herein refers to a state machine, code or logic implemented in hardware logic (e.g., an integrated circuit chip, Programmable Gate Array (PGA), Application Specific Integrated Circuit (ASIC), etc.) or a computer readable medium, such as magnetic storage medium (e.g., hard disk drives, floppy disks, tape, etc.), optical storage (CD-ROMs, optical disks, etc.), volatile and non-volatile memory devices (e.g., EEPROMs, ROMs, PROMs, RAMs, DRAMs, SRAMs, firmware, programmable logic, etc.). Code in the computer readable medium is accessed and executed by a processor. When the code or logic is executed by a processor, the circuitry may include the medium including the code or logic as well as the processor that executes the code loaded from the medium. The code in which embodiments are implemented may further be accessible through a transmission media or from a file server over a network. In such cases, the article of manufacture in which the code is implemented may comprise a transmission media, such as a network transmission line, wireless transmission media, signals propagating through space, radio waves, infrared signals, etc. Thus, the “article of manufacture” may comprise the medium in which the code is embodied. Additionally, the “article of manufacture” may comprise a combination of hardware and software components in which the code is embodied, processed, and executed. Of course, those skilled in the art will recognize that many modifications may be made to this configuration, and that the article of manufacture may comprise any information bearing medium known in the art.
The logic of
The illustrated logic of
Also, various processing has been described as possibly occurring within “a specified period of time”, but the specified periods of time for various processing may be different. For example, the specified period of time for a client computer 100 to complete an I/O request may be a different amount of time than the specified period of time for the client computer 100 to respond to a notice from the server computer 120.
The computer architecture 500 may comprise any computing device known in the art, such as a mainframe, server, personal computer, workstation, laptop, handheld computer, telephony device, network appliance, virtualization device, storage controller, etc. Any processor 502 and operating system 505 known in the art may be used.
The foregoing description of implementations of the invention has been presented for the purposes of illustration and description. It is not intended to be exhaustive or to limit the implementations of the invention to the precise form disclosed. Many modifications and variations are possible in light of the above teaching. It is intended that the scope of the implementations of the invention be limited not by this detailed description, but rather by the claims appended hereto. The above specification, examples and data provide a complete description of the manufacture and use of the composition of the implementations of the invention. Since many implementations of the invention can be made without departing from the spirit and scope of the implementations of the invention, the implementations of the invention reside in the claims hereinafter appended or any subsequently-filed claims, and their equivalents.
Claims
1. A method for processing an Input/Output (I/O) request, comprising:
- receiving an identification message from a client computer; and
- determining whether the client computer is a rogue client based on whether a current operations record exists for the client computer.
2. The method of claim 1, further comprising:
- in response to determining that the client computer is a rogue client, sending a cancel I/O request message to the client computer; and determining whether a response was received for the cancel I/O request message.
3. The method of claim 2, further comprising:
- in response to determining that the response was received for the cancel I/O request message, deallocating the allocated at least one data block; and removing the current operations record for the cancelled I/O request; and
- in response to determining that the response was not received for the cancel I/O request message, rejecting the identification message.
4. An article of manufacture for processing an Input/Output (I/O) request, wherein the article of manufacture comprises a computer readable medium storing instructions, and wherein the article of manufacture is operable to:
- receive an identification message from a client computer; and
- determine whether the client computer is a rogue client based on whether a current operations record exists for the client computer.
5. The article of manufacture of claim 4, wherein the article of manufacture is further operable to:
- in response to determining that the client computer is a rogue client, send a cancel I/O request message to the client computer; and determine whether a response was received for the cancel I/O request message.
6. The article of manufacture of claim 5, wherein the article of manufacture is further operable to:
- in response to determining that the response was received for the cancel I/O request message, deallocate the allocated at least one data block; and remove the current operations record for the cancelled I/O request; and
- in response to determining that the response was not received for the cancel I/O request message, rejecting the identification message.
7. A system for processing an Input/Output (I/O) request, comprising:
- circuitry operable to: receive an identification message from a client computer; and determine whether the client computer is a rogue client based on whether a current operations record exists for the client computer.
8. The system of claim 7, wherein the circuitry is further operable to:
- in response to determining that the client computer is a rogue client, send a cancel I/O request message to the client computer; and determine whether a response was received for the cancel I/O request message.
9. The system of claim 8, wherein the circuitry is further operable to:
- in response to determining that the response was received for the cancel I/O request message, deallocate the allocated at least one data block; and remove the current operations record for the cancelled I/O request; and
- in response to determining that the response was not received for the cancel I/O request message, rejecting the identification message.
Type: Application
Filed: Dec 18, 2007
Publication Date: Apr 24, 2008
Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION (Armonk, NY)
Inventors: Jason Young (Portland, OR), Venkateswararao Jujjuri (Beaverton, OR), Malahal Naineni (Beaverton, OR), James Seeger (Portland, OR), Paul Dorwin (Beaverton, OR), Thomas Clark (Gresham, OR), Ninad Palsule (Beaverton, OR)
Application Number: 11/959,205
International Classification: G06F 15/173 (20060101);