WO2006019744A2 - Deterministically active-active failover of redundant servers in a network storage appliance - Google Patents

Deterministically active-active failover of redundant servers in a network storage appliance Download PDF

Info

Publication number
WO2006019744A2
WO2006019744A2 PCT/US2005/024710 US2005024710W WO2006019744A2 WO 2006019744 A2 WO2006019744 A2 WO 2006019744A2 US 2005024710 W US2005024710 W US 2005024710W WO 2006019744 A2 WO2006019744 A2 WO 2006019744A2
Authority
WO
WIPO (PCT)
Prior art keywords
server
network
application server
blade
servers
Prior art date
Application number
PCT/US2005/024710
Other languages
French (fr)
Other versions
WO2006019744A3 (en
Inventor
Ian Davies
Original Assignee
Dot Hill Systems Corporation
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Dot Hill Systems Corporation filed Critical Dot Hill Systems Corporation
Publication of WO2006019744A2 publication Critical patent/WO2006019744A2/en
Publication of WO2006019744A3 publication Critical patent/WO2006019744A3/en

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/07Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/16Error detection or correction of the data by redundancy in hardware
    • G06F11/20Error detection or correction of the data by redundancy in hardware using active fault-masking, e.g. by switching out faulty elements or by switching in spare elements
    • G06F11/202Error detection or correction of the data by redundancy in hardware using active fault-masking, e.g. by switching out faulty elements or by switching in spare elements where processing functionality is redundant
    • G06F11/2046Error detection or correction of the data by redundancy in hardware using active fault-masking, e.g. by switching out faulty elements or by switching in spare elements where processing functionality is redundant where the redundant components share persistent storage
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/07Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/16Error detection or correction of the data by redundancy in hardware
    • G06F11/20Error detection or correction of the data by redundancy in hardware using active fault-masking, e.g. by switching out faulty elements or by switching in spare elements
    • G06F11/202Error detection or correction of the data by redundancy in hardware using active fault-masking, e.g. by switching out faulty elements or by switching in spare elements where processing functionality is redundant
    • G06F11/2023Failover techniques
    • G06F11/2028Failover techniques eliminating a faulty processor or activating a spare
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/07Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/16Error detection or correction of the data by redundancy in hardware
    • G06F11/20Error detection or correction of the data by redundancy in hardware using active fault-masking, e.g. by switching out faulty elements or by switching in spare elements
    • G06F11/202Error detection or correction of the data by redundancy in hardware using active fault-masking, e.g. by switching out faulty elements or by switching in spare elements where processing functionality is redundant
    • G06F11/2035Error detection or correction of the data by redundancy in hardware using active fault-masking, e.g. by switching out faulty elements or by switching in spare elements where processing functionality is redundant without idle spare hardware
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/07Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/16Error detection or correction of the data by redundancy in hardware
    • G06F11/20Error detection or correction of the data by redundancy in hardware using active fault-masking, e.g. by switching out faulty elements or by switching in spare elements
    • G06F11/2053Error detection or correction of the data by redundancy in hardware using active fault-masking, e.g. by switching out faulty elements or by switching in spare elements where persistent mass storage functionality or persistent mass storage control functionality is redundant
    • G06F11/2089Redundant storage control functionality
    • G06F11/2092Techniques of failing over between control units
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/30Monitoring
    • G06F11/3003Monitoring arrangements specially adapted to the computing system or computing system component being monitored
    • G06F11/3006Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system is distributed, e.g. networked systems, clusters, multiprocessor systems
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/30Monitoring
    • G06F11/3055Monitoring arrangements for monitoring the status of the computing system or of the computing system component, e.g. monitoring if the computing system is on, off, available, not available
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00Arrangements for monitoring or testing data switching networks
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/07Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/16Error detection or correction of the data by redundancy in hardware
    • G06F11/20Error detection or correction of the data by redundancy in hardware using active fault-masking, e.g. by switching out faulty elements or by switching in spare elements
    • G06F11/2002Error detection or correction of the data by redundancy in hardware using active fault-masking, e.g. by switching out faulty elements or by switching in spare elements where interconnections or communication control functionality are redundant
    • G06F11/2005Error detection or correction of the data by redundancy in hardware using active fault-masking, e.g. by switching out faulty elements or by switching in spare elements where interconnections or communication control functionality are redundant using redundant communication controllers
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/07Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/16Error detection or correction of the data by redundancy in hardware
    • G06F11/20Error detection or correction of the data by redundancy in hardware using active fault-masking, e.g. by switching out faulty elements or by switching in spare elements
    • G06F11/2002Error detection or correction of the data by redundancy in hardware using active fault-masking, e.g. by switching out faulty elements or by switching in spare elements where interconnections or communication control functionality are redundant
    • G06F11/2007Error detection or correction of the data by redundancy in hardware using active fault-masking, e.g. by switching out faulty elements or by switching in spare elements where interconnections or communication control functionality are redundant using redundant communication media
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/07Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/16Error detection or correction of the data by redundancy in hardware
    • G06F11/20Error detection or correction of the data by redundancy in hardware using active fault-masking, e.g. by switching out faulty elements or by switching in spare elements
    • G06F11/202Error detection or correction of the data by redundancy in hardware using active fault-masking, e.g. by switching out faulty elements or by switching in spare elements where processing functionality is redundant
    • G06F11/2038Error detection or correction of the data by redundancy in hardware using active fault-masking, e.g. by switching out faulty elements or by switching in spare elements where processing functionality is redundant with a single idle spare processing component
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/07Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/16Error detection or correction of the data by redundancy in hardware
    • G06F11/20Error detection or correction of the data by redundancy in hardware using active fault-masking, e.g. by switching out faulty elements or by switching in spare elements
    • G06F11/2053Error detection or correction of the data by redundancy in hardware using active fault-masking, e.g. by switching out faulty elements or by switching in spare elements where persistent mass storage functionality or persistent mass storage control functionality is redundant
    • G06F11/2094Redundant storage or storage space
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/07Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/16Error detection or correction of the data by redundancy in hardware
    • G06F11/20Error detection or correction of the data by redundancy in hardware using active fault-masking, e.g. by switching out faulty elements or by switching in spare elements
    • G06F11/2097Error detection or correction of the data by redundancy in hardware using active fault-masking, e.g. by switching out faulty elements or by switching in spare elements maintaining the standby controller/processing unit updated
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00Arrangements for monitoring or testing data switching networks
    • H04L43/10Active monitoring, e.g. heartbeat, ping or trace-route

Definitions

  • This invention relates in general to the field of network storage in a computer network and particularly to the integration of server computers into a network storage appliance.
  • a second potential disadvantage is the difficulty of managing the storage devices for the potentially many computers in the network.
  • a third potential disadvantage is that the DAS model does not facilitate applications in which the various users of the network need to access a common large set of data, such as a database.
  • NAS Network attached storage
  • SAN storage area network
  • a storage controller that controls storage devices exists as a distinct entity on a network, such as an Ethernet or FibreChannel network, that is accessed by each of the servers in the enterprise. That is, the servers share the storage controlled by the storage controller over the network.
  • the storage controller presents the storage at a filesystem level
  • the storage controller presents the storage at a block level, such as in the SCSI block level protocol.
  • the NAS/SAN model provides similar solutions to the fileserver DAS model problems that the fileserver DAS model provided to the workstation DAS problems.
  • the storage controllers have their own enclosures, or chassis, or boxes, discrete from the server boxes.
  • Each chassis provides its own power Docket CHAP.0115 5 and cooling, and since the chassis are discrete, they require networking cables to connect them, such as Ethernet or FibreChannel cables.
  • storage application servers In a common NAS/SAN model, one or more storage application servers resides in the network between the storage controller and the other servers, and executes storage software applications that provided value- added storage functions that benefit all of the servers accessing the common storage controller. These storage applications are also commonly referred to as "middleware.” Examples of middleware include data backup, remote mirroring, data snapshot, storage virtualization, data replication, hierarchical storage management (HSM) , data content caching, data storage provisioning, and file service applications.
  • middleware include data backup, remote mirroring, data snapshot, storage virtualization, data replication, hierarchical storage management (HSM) , data content caching, data storage provisioning, and file service applications.
  • HSM hierarchical storage management
  • the storage application servers provide a valuable function; however, they introduce yet another set of discrete separately powered and cooled boxes that must be managed, require additional space and cost, and introduce additional cabling in the network.
  • the present invention provides a network storage appliance for deterministically performing active-active failover of redundant servers enclosed therein.
  • the network storage appliance includes redundant servers, each having at least one unique ID for communicating on a network.
  • the network storage appliance also includes at least one storage controller, coupled to the redundant servers, for transferring data between storage devices and the servers.
  • the network storage appliance also includes a backplane.
  • the storage controller and servers comprise a plurality of blades for plugging into the backplane.
  • the network storage appliance also includes first and second status paths, comprised in the backplane, each for providing a heartbeat from one of the servers to the other server.
  • Each of the servers is configured to deterministically disable the other server from communicating on the network in response to detecting that the heartbeat of the other server has stopped, and to assume the unique ID of the other server for communicating on the network thereafter.
  • the present invention provides a network storage appliance for deterministically performing active-active failover of redundant servers enclosed therein.
  • the network storage appliance includes a chassis and redundant servers, enclosed in the chassis, each having at least one unique ID for communicating on a network.
  • the network storage appliance also includes at least one storage controller, enclosed in the chassis, coupled to the redundant servers, for transferring data Docket CHAP.0115 7 between storage devices and the servers.
  • the network storage appliance also includes first and second status paths, enclosed in the chassis, each for providing a heartbeat from one of the servers to the other server.
  • Each of the servers is configured to deterministically disable the other server from communicating on the network in response to detecting that the heartbeat of the other server has stopped, and to assume the unique ID of the other server for communicating on the network thereafter.
  • the present invention provides an apparatus for deterministically performing active-active failover of redundant servers integrated with at least one storage controller into a network storage appliance chassis, each of the servers being configured to communicate with computers on a network.
  • the apparatus includes a backplane, enclosed in the chassis, configured to receive a plurality of hot-pluggable blades comprising the servers and storage controller.
  • the apparatus also includes two heartbeat paths comprised in the backplane, each for conveying a respective heartbeat signal from one of the servers to the other server.
  • the apparatus also includes two kill paths on the backplane, each for conveying a signal for inactivating the other server from communicating on the network in response to detecting the heartbeat of the other server has stopped.
  • the inactivating server is configured to take over the identity of the inactivated server on the network after inactivating the other server.
  • the present invention provides a method for deterministically performing active-active Docket CHAP.0115 8 failover of first and second redundant servers integrated into a network storage appliance chassis .
  • the method includes the second server receiving a second heartbeat signal from the first server via a second signal path etched into a backplane of the chassis.
  • the method also includes the first server detecting that the first heartbeat signal has stopped.
  • the method also includes the first server generating a kill signal to the second server to disable the second server from communicating on a network, in response to detecting the first heartbeat signal has stopped.
  • the method also includes the first server taking over the identity of the second server on the network, after generating the kill signal.
  • the present invention provides a network storage appliance for deterministically performing active-active failover of redundant servers ⁇ enclosed therein.
  • the network storage appliance includes redundant servers, each having at least one unique ID for communicating on a network.
  • the network storage appliance also includes at least one storage controller, coupled to the redundant servers, for transferring data between storage devices and the servers .
  • the network storage appliance also includes a backplane.
  • the storage controller and servers comprise a plurality of blades for plugging into the backplane.
  • the network storage appliance also includes first and second status paths, comprised in the backplane, each for providing an indication of whether a respective one of the servers is present in the backplane.
  • Each of the servers is configured to deterministically disable the other server from Docket CHAP.0115 9 communicating on the network in response to detecting via the indication that the other server has been removed from the backplane, and to assume the unique ID of the other server for communicating on the network thereafter.
  • An advantage of the present invention is that by- disposing the heartbeat paths within the chassis backplane, rather than external to the chassis such as in an Ethernet cable, the probability that both heartbeat paths will fail simultaneously when the servers are still operable is extremely low. That is, the possibility of a "split brains" condition is made extremely low by including the heartbeat paths in the chassis backplane, particularly relative to an external cable which is susceptible to user removal at inappropriate times or to damage by a user. This is possible due to the integration of the redundant servers into the network storage appliance chassis . Particularly where the network storage appliance has been tested to work, the likelihood of a subsequent failure of the heartbeat path within the backplane is extremely low.
  • FIGURE 1 is a diagram of a prior art computer network.
  • FIGURE 2 is a diagram of a computer network according to the present invention.
  • FIGURE 3 is a block diagram illustrating the computer network of Figure 2 including the storage appliance of Figure 2.
  • FIGURE 4 is a block diagram of one embodiment of the storage appliance of Figure 3. Docket CHAP.0115 10
  • FIGURE 5 is a block diagram of one embodiment of the storage appliance of Figure 4 illustrating the interconnection of the various local bus interconnections of the blade modules of Figure 4.
  • FIGURE 6 is a block diagram illustrating the logical flow of data through the storage appliance of
  • FIGURE 7 is a block diagram of one embodiment of the storage appliance of Figure 5 illustrating the application server blades and data manager blades in more detail.
  • FIGURE 8 is a block diagram illustrating one embodiment of the application server blade of Figure 7.
  • FIGURE 9 is a diagram illustrating the physical layout of a circuit board of one embodiment of the application server blade of Figure 8.
  • FIGURE 10 is an illustration of one embodiment of the faceplate of the application server blade of Figure 9.
  • FIGURE 11 is a block diagram illustrating the software architecture of the application server blade of
  • FIGURE 12 is a block diagram illustrating the storage appliance of Figure 5 in a fully fault-tolerant configuration in the computer network of Figure 2.
  • FIGURE 13 is a block diagram illustrating the computer network of Figure 12 in which a data gate blade has failed.
  • FIGURE 14 is a block diagram illustrating the computer network of Figure 12 in which a data manager blade has failed. Docket CHAP.0115 11
  • FIGURE 15 is a block diagram illustrating the computer network of Figure 12 in which an application server blade has failed.
  • FIGURE 16 is a diagram of a prior art computer network.
  • FIGURE 17 is a block diagram illustrating the storage appliance of Figure 2.
  • FIGURE 18 is a flowchart illustrating fault- tolerant active-active failover of the application server blades of the storage appliance of Figure 17.
  • FIGURE 19 is a flowchart illustrating fault- tolerant active-active failover of the application server blades of the storage appliance of Figure 17.
  • FIGURE 20 is a flowchart illustrating fault- tolerant active-active failover of the application server blades of the storage appliance of Figure 17 according to an alternate embodiment.
  • FIGURE 21 is a block diagram illustrating the interconnection of the various storage appliance blades via the BCI buses of Figure 7.
  • FIGURE 22 is a block diagram illustrating the interconnection of the various storage appliance blades via the BCI buses of Figure 7 and discrete reset signals according to an alternate embodiment.
  • FIGURE 23 is a block diagram illustrating an embodiment of the storage appliance of Figure 2 comprising a single application server blade.
  • FIGURE 24 is a block diagram illustrating an embodiment of the storage appliance of Figure 2 comprising a single application server blade. Docket CHAP.0115 12
  • FIGURE 25 is a block diagram illustrating the computer network of Figure 2 and portions of the storage appliance of Figure 12 and in detail one embodiment of the port combiner of Figure 8.
  • FIGURE 26 is a block diagram illustrating the storage appliance of Figure 2.
  • FIGURE 27 is a block diagram illustrating the storage appliance of Figure 2 according to an alternate embodiment.
  • FIGURE 28 is a flowchart illustrating fault- tolerant active-active failover of the application server blades of the storage appliance of Figures 26 and 27.
  • the computer network 100 includes a plurality of client computers 102 coupled to a plurality of traditional server computers 104 via a network 114.
  • the network 114 components may include switches, hubs, routers, and the like.
  • the computer network 100 also includes a plurality of storage application servers 106 coupled to the traditional servers 104 via the network 114.
  • the computer network 100 also includes one or more storage controllers 108 coupled to the storage application servers 106 via the network 114.
  • the computer network 100 also includes storage devices 112 coupled to the storage controllers 108.
  • the clients 102 may include, but are not limited to workstations, personal computers, notebook computers, or personal digital assistants (PDAs), and the like. Typically, the clients 102 are used by end users to perform Docket CHAP.0115 13 computing tasks, including but not limited to, word processing, database access, data entry, email access, internet access, spreadsheet access, graphic development, scientific calculations, or any other computing tasks commonly performed by users of computing systems.
  • the clients 102 may also include a computer used by a system administrator to administer the various manageable elements of the network 100.
  • the clients 102 may or may not include direct attached storage (DAS), such as a hard disk drive.
  • DAS direct attached storage
  • Portions of the network 114 may include, but are not limited to, links, switches, routers, hubs, directors, etc. performing the following protocols: FibreChannel (FC), Ethernet, Infiniband, TCP/IP, Small Computer Systems Interface (SCSI), HIPPI, Token Ring, Arcnet, FDDI, LocalTalk, ESCON, FICON, ATM, Serial Attached SCSI (SAS), Serial Advanced Technology Attachment (SATA), and the like, and relevant combinations thereof.
  • FC FibreChannel
  • Ethernet Infiniband
  • TCP/IP Small Computer Systems Interface
  • SCSI Small Computer Systems Interface
  • HIPPI Token Ring
  • Arcnet FDDI
  • LocalTalk LocalTalk
  • ESCON Serial Attached SCSI
  • FICON Serial Advanced Technology Attachment
  • the traditional servers 104 may include, but are not limited to file servers, print servers, enterprise servers, mail servers, web servers, database servers, departmental servers, and the like. Typically, the traditional servers 104 are accessed by the clients 102 via the network 114 to access shared files, shared databases, shared printers, email, the internet, or other computing services provided by the traditional servers 104.
  • the traditional servers 104 may or may not include direct attached storage (DAS), such as a hard disk drive. However, at least a portion of the storage utilized by the traditional servers 104 comprises detached storage provided Docket CHAP.0115 14 on the storage devices 112 controlled by the storage controllers 108.
  • DAS direct attached storage
  • the storage devices 112 may include, but are not limited to, disk drives, tape drives, or optical drives.
  • the storage devices 112 may be grouped by the storage application servers 106 and/or storage controllers 108 into logical storage devices using any of well-known methods for grouping physical storage devices, including but not limited to mirroring, striping, or other redundant array of inexpensive disks (RAID) methods.
  • the logical storage devices may also comprise a portion of a single physical storage device or a portion of a grouping of storage devices.
  • the storage controllers 108 may include, but are not limited to, a redundant array of inexpensive disks (RAID) controller.
  • the storage controllers 108 control the storage devices 112 and interface with the storage application servers 106 via the network 114 to provide storage for the traditional servers 104.
  • the storage application servers 106 comprise computers capable of executing storage application software, such as data backup, remote mirroring, data snapshot, storage virtualization, data replication, hierarchical storage management (HSM) , data content caching, data storage provisioning, and file service applications.
  • storage application software such as data backup, remote mirroring, data snapshot, storage virtualization, data replication, hierarchical storage management (HSM) , data content caching, data storage provisioning, and file service applications.
  • the storage application servers 106 are physically discrete from the storage controllers 108. That is, they reside in physically discrete Docket CHAP.0115 15 enclosures, or chassis. Consequently, network cables must be run externally between the two or more chassis to connect the storage controllers 108 and the storage application servers 106. This exposes the external cables for potential damage, for example by network administrators, thereby jeopardizing the reliability of the computer network 100. Also, the cabling may be complex, and therefore prone to be connected incorrectly by users. Additionally, there is cost and space associated with each chassis of the storage controllers 108 and the storage application servers 106, and each chassis must typically include its own separate cooling and power system. Furthermore, the discrete storage controllers 108 and storage application servers 106 constitute discrete entities to be configured and managed by network administrators. However, many of these disadvantages are overcome by the presently disclosed network storage appliance of the present invention, as will now be described.
  • FIG. 2 a diagram of a computer network 200 according to the present invention is shown.
  • the computer network 200 of Figure 2 includes a network storage appliance 202, which integrates storage application servers and storage controllers in a single chassis.
  • the storage appliance 202 is coupled to the traditional servers 104 via the network 114, as shown, to provide detached storage, such as storage area network (SAN) storage or network Docket CHAP.0115 16 attached storage (NAS) , for the traditional servers 104 by controlling the storage devices 112 coupled to the storage appliance 202.
  • SAN storage area network
  • NAS network Docket CHAP.0115 16 attached storage
  • the storage appliance 202 provides the traditional servers 104 with two interfaces to the detached storage: one directly to the storage controllers within the storage appliance 202, and another to the servers integrated into the storage appliance 202 chassis, which in turn directly access the storage controllers via internal high speed I/O links within the storage appliance 202 chassis.
  • the servers and storage controllers in the storage appliance 202 comprise redundant hot-replaceable field replaceable units (FRUs), thereby providing fault-tolerance and high data availability. That is, one of the redundant FRUs may ⁇ be replaced during operation of the storage appliance 202 without loss of availability of the data stored on the storage devices 112.
  • FRUs redundant hot-replaceable field replaceable units
  • single storage controller and single server embodiments are also contemplated.
  • the integration of the storage application servers into a single chassis with the storage controllers provides the potential for improved manageability, lower cost, less space, better diagnosability, and better cabling for improved reliability.
  • FIG. 3 a block diagram illustrating the computer network 200 of Figure 2 including the storage appliance 202 of Figure 2 is shown.
  • the computer network 200 includes the clients 102 and/or traditional servers 104 of Figure 2, referred to collectively as host computers 302, networked to the storage appliance 202.
  • the computer network 200 also Docket CHAP,0115 17 includes external devices 322 networked to the storage appliance 202, i.e., devices external to the storage appliance 202.
  • the external devices 322 may include, but are not limited to, host computers, tape drives or other backup type devices, storage controllers or storage appliances, switches, routers, or hubs.
  • the computer network 200 also includes the storage devices 112 of Figure 2 coupled to the storage appliance 202.
  • the storage appliance 202 includes application servers 306 coupled to storage controllers 308.
  • the host computers 302 are coupled to the application servers 306, and the storage devices 112 are coupled to the storage controllers 308.
  • the application servers 306 are coupled to the storage controllers 308 via high speed I/O links 304, such as FibreChannel, Infiniband, or Ethernet links, as described below in detail.
  • the high speed I/O links 304 are also provided by the storage appliance 202 external to its chassis 414 (of Figure 4) via port combiners 842 (shown in Figure 8) and expansion I/O connectors 754 (shown in Figure 7) to which the external devices 1232 are coupled.
  • the externalizing of the I/O links 304 advantageously enables the storage controllers 308 to be directly accessed by other external network devices 322, such as the host computers, switches, routers, or hubs. Additionally, the externalizing of the I/O links 304 advantageously enables the application servers 306 to directly access other external storage devices 322, such as tape drives, storage controllers, or other storage appliances, as discussed below. Docket CHAP.0115 18
  • the application servers 306 execute storage software applications, such as those described above that are executed by the storage application servers 106 of Figure 1. However, other embodiments are contemplated in which the application servers 306 execute software applications such as those described above that are executed by the traditional servers 104 of Figure 1.
  • the hosts 302 may comprise clients 102 such as those of Figure 2 networked to the storage appliance 202.
  • the storage controllers 308 control the storage devices 112 and interface with the application servers 306 to provide storage for the host computers 302 and to perform data transfers between the storage devices 112 and the application servers 306 and/or host computers 302.
  • the storage controllers 308 may include, but ' are not limited to, redundant array of inexpensive disks (RAID) controllers .
  • RAID redundant array of inexpensive disks
  • the storage appliance 202 includes a plurality of hot-replaceable field replaceable units (FRUs) , referred to as modules or blades, as shown, enclosed in a chassis 414.
  • the blades plug into a backplane 412, or mid-plane 412, enclosed in the chassis 414 which couples the blades together and provides a communication path between them.
  • each of the blades plugs into the same side of the chassis 414.
  • the backplane 412 comprises an active backplane.
  • the backplane 412 comprises a passive backplane.
  • the blades include two power Docket CHAP.0115 19 manager blades 416 (referred to individually as power manager blade A 416A and power manager blade B 416B) , two power port blades 404 (referred to individually as power port blade A 404A and power port blade B 404B) , two application server blades 402 (referred to individually as application server blade A 402A and application server blade B 402B) , two data manager blades 406 (referred to individually as data manager blade A 406A and data manager blade B 406B) , and two data gate blades 408 (referred to individually as data gate blade A 408A and data gate blade B 408B) , as shown.
  • the power manager blades 416 each comprise a power supply for supplying power to the other blades in the storage appliance 202.
  • each power manager blade 416 comprises a 240 watt AC-DC power supply.
  • the power manager blades 416 are redundant. That is, if one of the power manager blades 416 fails, the other power manager blade 416 continues to provide power to the other blades in order to prevent failure of the storage appliance 202, thereby enabling the storage appliance 202 to continue to provide the host computers 302 access to the storage devices 112.
  • the power port blades 404 each comprise a cooling system for cooling the blades in the chassis 414.
  • each of the power port blades 404 comprises direct current fans for cooling, an integrated EMI filter, and a power switch.
  • the power port blades 404 are redundant. That is, if one of the power port blades 404 fails, the other power port blade 404 continues to cool the storage appliance 202 in order to Docket CHAP.0115 20 prevent failure of the storage appliance 202, thereby enabling the storage appliance 202 to continue to provide the host computers 302 access to the storage devices 112.
  • Data manager blade A 406A, data gate blade A 408A, and a portion of application server blade A 402A logically comprise storage controller A 308A of Figure 3; and the remainder of application server blade A 402A comprises application server A 306A of Figure 3.
  • Data manager blade B 406B, data gate blade B 408B, and a portion of application server blade B 402B comprise the other storage controller 308 of Figure 3, and the remainder of application server blade B 402B comprises the other application server 306 of Figure 3.
  • the application servers 306 comprise computers configured to execute software applications, such as storage software applications.
  • the application servers 306 function as a redundant pair such that if one of the application servers 306 fails, the remaining application server 306 takes over the functionality of the failed application server 306 such that the storage appliance 202 continues to provide the host computers 302 access to the storage devices 112.
  • the application software executing on the application servers 306 performs a function independent of the host computers 302, such as a backup operation of the storage devices 112, if one of the application servers 306 fails, the remaining application server 306 continues to perform its function independent of the host computers 302.
  • the application servers 306, and in particular the Docket CHAP.0115 21 application server blades 402, are described in more detail below.
  • Each of the data gate blades 408 comprises one or more I/O interface controllers (such as FC interface controllers 1206 and 1208 of Figure 12) for interfacing with the storage devices 112.
  • each of the data gate blades 408 comprises redundant interface controllers for providing fault-tolerant access to the storage devices 112.
  • the interface controllers comprise dual FibreChannel (FC) interface controllers for interfacing to the storage devices 112 via a dual FC arbitrated loop configuration, as shown in Figure 12.
  • FC FibreChannel
  • the data gate blades 408 interface with the storage devices 112 via other interfaces including, but not limited to, Advanced Technology Attachment (ATA), SAS, SATA, Ethernet, Infiniband, SCSI, HIPPI, ESCON, FICON, or relevant combinations thereof.
  • ATA Advanced Technology Attachment
  • SAS Serial Advanced Technology Attachment
  • SATA Serial Advanced Technology Attachment
  • Ethernet Infiniband
  • SCSI High Speed Serial Bus
  • HIPPI Internet IPPI
  • ESCON FICON
  • FICON relevant combinations thereof.
  • the storage devices 112 and storage appliance 202 may communicate using stacked protocols, such as SCSI over FibreChannel or Internet SCSI (iSCSI) .
  • iSCSI Internet SCSI
  • at least a portion of the protocol employed between the storage appliance 202 and the storage devices 112 includes a low-level block interface, such as the SCSI protocol.
  • At least a portion of the protocol employed between the host computers 302 and the storage appliance 202 includes a low-level block interface, such as the SCSI protocol.
  • the interface controllers perform the protocol necessary to transfer commands and data between the storage devices 112 and the storage appliance 202.
  • the interface controllers also Docket CHAP.0115 22 include a local bus interface for interfacing to local buses (shown as local buses 516 of Figure 5) that facilitate command and data transfers between the data gate blades 408 and the other storage appliance 202 blades.
  • each of the interface controllers is coupled to a different local bus (as shown in Figure 5)
  • each data gate blade 408 also includes a local bus bridge (shown as bus bridge 1212 of Figure 12) for bridging the two local buses.
  • the- data gate blades 408 function as a redundant pair such that if one of the data gate blades 408 fails, the storage appliance 202 continues to provide the host computers 302 and application servers 306 access to the storage devices 112 via the remaining data gate blade 408.
  • Each of the data manager blades 406 comprises a processor (such as CPU 702 of Figure 7) for executing programs to control the transfer of data between the storage devices 112 and the application servers 306 and/or host computers 302.
  • Each of the data manager blades 406 also comprises a memory (such as memory 706 in Figure 7) for buffering data transferred between the storage devices 112 and the application servers 306 and/or host computers 302.
  • the processor receives commands from the application servers 306 and/or host computers 302 and responsively issues commands to the data gate blade 408 interface controllers to accomplish data transfers with the storage devices 112.
  • the data manager blades 406 also include a direct memory access controller (DMAC)
  • the processor also issues commands to the DMAC and interface controllers on the application server blades 402 (such as I/O interface controllers 746/748 of Figure 7) to accomplish data transfers between the data manager blade 406 buffer memory and the application servers 306 and/or host computers 302 via the local buses and high speed I/O links 304.
  • the processor may also perform storage controller functions such as RAID control, logical block translation, buffer management, and data caching.
  • Each of the data manager blades 406 also comprises a memory controller (such as local bus bridge/memory controller 704 in Figure 7) for controlling the buffer memory.
  • the memory controller also includes a local bus interface for interfacing to the local buses that facilitate command and data transfers between the data manager blades 406 and the other storage appliance 202 blades.
  • each of the data manager blades 406 is coupled to a different redundant local bus pair, and each data manager blade 406 also includes a local bus bridge (such as local bus bridge/memory controller 704 in Figure 7) for bridging between the two local buses of the pair.
  • the data manager blades 406 function as a redundant pair such that if one of the data manager blades 406 fails, the remaining data manager blade 406 takes over the functionality of the failed data manager blade 406 such that the storage appliance 202 continues to provide the host computers 302 and/or application servers 306 access to the storage devices 112.
  • each data Docket CHAP.0115 24 manager blade 406 monitors the status of the other storage appliance 202 blades, including the other data manager blade 406, in order to perform failover functions necessary to accomplish fault-tolerant operation, as described herein.
  • each of the data manager blades 406 also includes a management subsystem for facilitating management of the storage appliance 202 by a system administrator.
  • the management subsystem comprises an Advanced Micro Devices® ElanTM microcontroller for facilitating communication with a user, such as a system administrator.
  • the management subsystem receives input from the user via a serial interface such as an RS-232 interface.
  • the management subsystem receives user input from the user via an Ethernet interface and provides a web- based configuration and management utility.
  • the management subsystem In addition to its configuration and management functions, the management subsystem also performs monitoring functions, such as monitoring the temperature, presence, and status of the storage devices 112 or other components of the storage appliance 202, and monitoring the status of other critical components, such as fans or power supplies, such as those of the power manager blades 416 and power port blades 404.
  • the chassis 414 comprises a single enclosure for enclosing the blade modules and backplane 412 of the storage appliance 202.
  • the chassis 414 comprises a chassis for being mounted in well known 19" wide racks.
  • the chassis 414 comprises a one unit (IU) high chassis. Docket CHAP.0115 25
  • the power manager blades 416, power port blades 404, data manager blades 406, and data gate blades 408 are similar in some aspects to corresponding modules in the RIO Raid Controller product sold by Chaparral Network Storage of Longmont, Colorado.
  • the embodiment of Figure 4 illustrates redundant modules, other lower cost embodiments are contemplated in which some or all of the blade modules are not redundant.
  • FIG. 5 a block diagram of one embodiment of the storage appliance 202 of Figure 4 illustrating the interconnection of the various local bus interconnections of the blade modules of Figure 4 is shown.
  • the storage appliance 202 in the embodiment of Figure 5 includes four local buses, denoted local bus A 516A, local bus B 516B, local bus C 516C, and local bus D 516D, which are referred to collectively as local buses 516 or individually as local bus 516.
  • the local buses 516 comprise a high speed PCI-X local bus.
  • the local buses 516 include, but are not limited to a PCI, CompactPCI, PCI- Express, PCI-X2, EISA, VESA, VME, RapidIO, AGP, ISA, 3GIO, Hyper ⁇ ransport, Futurebus, MultiBus, or any similar local bus capable of transferring data at a high rate.
  • data manager blade A 406A is coupled to local bus A 516A and local bus C 516C; data manager blade B 406B is coupled to local bus B 516B and local bus D 516D / data gate blade A 408A is coupled to local bus A 516A and local bus B 516B; data gate blade B 408B is coupled to local bus C 516C and local bus D 516D; application server blade A 402A is Docket CHAP.0115 26 coupled to local bus A 516A and local bus B 516B; application server blade B 402B is coupled to local bus C 516C and local bus D 516D.
  • the coupling of the blades to the local buses 516 enables each of the application server blades 402 to communicate with each of the data manager blades 406, and enables each of the data manager blades 406 to communicate with each of the data gate blades 408 and each of the application server blades 402. Furthermore, the hot-pluggable coupling of the FRU blades to the backplane 412 comprising the local buses 516 enables fault-tolerant operation of the redundant storage controllers 308 and application servers 306, as described in more detail below.
  • the application server blades 402 receive data transfer requests from the host computers 302 of Figure 3, such as SCSI read and write commands, over an interface protocol link, including but not limited to FibreChannel, Ethernet, or Infiniband.
  • the application server blades 402 process the requests and issue commands to the data manager blades 406 to perform data transfers to or from the storage devices 112 based on the type of request received from the host computers 302.
  • the data manager blades 406 process the commands received from the application server blades 402 and issue commands to the data gate blades 408, such as SCSI over FC protocol commands, which the data gate blades 408 transmit to the storage devices 112.
  • the storage devices 112 process the commands and perform the appropriate data transfers to or Docket CHAP.0115 27 from the data gate blades 408.
  • the data is transmitted from the host computers 302 to the application server blades 402 and then to the data manager blades 406 and then to the data gate blades 408 and then to the storage devices 112.
  • the data is transferred from the storage devices 112 to the data gate blades 408 then to the data manager blades 406 then to the application server blades 402 then to the host computers 302.
  • each of the application server blades 402 has a path to each of the data manager blades 406, and each of the data manager blades 406 has a path to each of the data gate blades 408.
  • the paths comprise the local buses 516 of Figure 5.
  • each of the host computers 302 has a path to each of the application server blades 402, and each of the data gate blades 408 has a path to each of the storage devices 112, as shown. Because each of the stages in the command and data transfers is a redundant pair, and a redundant communication path exists between each of the redundant pairs of each stage of the transfer, a failure of any one of the blades of a redundant pair does not cause a failure of the storage appliance 202.
  • the redundant application server blades 402 are capable of providing an effective data transfer bandwidth of approximately 800 megabytes per second (MBps) between the host computers 302 and the redundant storage controllers 308. Docket CHAP.0115 28
  • FIG. 7 a block diagram of one embodiment of the storage appliance 202 of Figure 5 illustrating the application server blades 402 and data manager blades 406 in more detail is shown.
  • the data gate blades 408 of Figure 5 are not shown in Figure 7.
  • the local buses 516 of Figure 5 comprise PCIX buses 516.
  • Figure 7 illustrates application server blade 402A and 402B coupled to data manager blade 406A and 406B via PCIX buses 516A, 516B, 516C, and 516D according to the interconnection shown in Figure 5.
  • the elements of the application server blades 402A and 402B are identical; however, their interconnections to the particular PCIX buses 516 are different as shown; therefore, the description of application server blade A 402A is identical for application server blade B 402B except as noted below with respect to the PCIX bus 516 interconnections.
  • the elements of the data manager blades 406A and 406B are identical; therefore, the description of data manager blade A 406A is identical for data manager blade B 406B except as noted below with respect to the PCIX bus 516 interconnections.
  • application server blade A 402A comprises two logically-distinct portions, an application server 306 portion and a storage controller 308 portion, physically coupled by the I/O links 304 of Figure 3 and integrated onto a single FRU.
  • the application server 306 portion includes a CPU subsystem 714, Ethernet controller 732, and first and second FC controllers 742/744, which comprise a server computer employed to Docket CHAP.0115 29 execute server software applications, similar to those executed by the storage application servers 106 and/or traditional servers 104 of Figure 1.
  • the storage controller 308 portion of application server blade A 402A includes third and fourth FC controllers 746/748, which are programmed by a data manager blade 406 CPU 702 and are logically part of the storage controller 308 of Figure 3.
  • the storage controller 308 portions of the application server blades 402 may be logically viewed as the circuitry of a data gate blade 408 integrated onto the application server blade 402 to facilitate data transfers between the data manager blades 406 and the application server 306 portion of the application server blade 402.
  • the storage controller 308 portions of the application server blades 402 also facilitate data transfers between the data manager blades 406 and external devices 322 of Figure 3 coupled to expansion I/O connectors 754 of the application server blade 402.
  • Application server blade A 402A includes a CPU subsystem 714, described in detail below, which is coupled to a PCI bus 722.
  • the PCI bus 722 is coupled to a dual port Ethernet interface controller 732, whose ports are coupled to connectors 756 on the application server blade 402 faceplate (shown in Figure 10) to provide local area network (LAN) or wide area network (WAN) access to application server blade A 402A by the host computers 302 of Figure 3.
  • LAN local area network
  • WAN wide area network
  • one port of the Ethernet interface controller 732 of application server blade A 402A is coupled to one port of the Ethernet interface controller Docket CHAP.0115 30
  • the Ethernet controller 732 ports may be used as a management interface to perform device management of the storage appliance 202.
  • the application servers 306 may function as remote mirroring servers, and the Ethernet controller 732 ports may be used to transfer data to a remote mirror site.
  • the CPU subsystem 714 is also coupled to a PCIX bus 724.
  • a first dual FibreChannel (FC) interface controller 742 is coupled to the PCIX bus 724.
  • the first FC interface controller 742 ports (also referred to as front-end ports) are coupled to the I/O connectors 752 on the application server blade 402 faceplate (shown in Figure 10) to provide the host computers 302 NAS/SAN access to the application servers 306.
  • the first FC controller 742 functions as a target device and may be connected to the host computers 302 in a point-to-point, arbitrated loop, or switched fabric configuration.
  • a line connecting two FC ports, or a FC port and a FC connector indicates a bi-directional FC link, i.e., an FC link with a transmit path and a receive path between the two FC ports, or between the FC port and the FC connector.
  • a second dual FC interface controller 744 is also coupled to the PCIX bus 724.
  • the second FC controller 744 functions as an initiator device.
  • the second FC interface Docket CHAP.0115 31 controller 744 ports are coupled to the expansion I/O connectors 754 on the application server blade 402 faceplate (shown in Figure 10) to provide a means for the CPU subsystem 714 of the application server blade 402 to directly access devices 322 of Figure 3 external to the storage appliance 202 chassis 414, such as other storage controllers or storage appliances, tape drives, host computers, switches, routers, and hubs.
  • the expansion I/O connectors 754 provide the external devices 322 direct NAS/SAN access to the storage controllers 308, rather than through the application servers 306, as described in detail below.
  • the expansion I/O connectors 754 provide externalization of the internal I/O links 304 between the servers 306 and storage controllers 308 of Figure 3, as described in more detail below.
  • An industry standard architecture (ISA) bus 716 is also coupled to the CPU subsystem 714.
  • a complex programmable logic device (CPLD) 712 is coupled to the ISA bus 716.
  • the CPLD 712 is also coupled to dual blade control interface (BCI) buses 718.
  • BCI blade control interface
  • the BCI buses 718 are a proprietary 8-bit plus parity asynchronous multiplexed address/data bus supporting up to a 256 byte addressable region that interfaces the data manager blades 406 to the data gate blades 408 and application server blades 402.
  • the BCI buses 718 enable each of the data Docket CHAP.0115 32 manager blades 406 to independently configure and monitor the application server blades 402 and data gate blades 408 via the CPLD 712.
  • the BCI buses 718 are included in the backplane 412 of Figure 4.
  • the CPLD 712 is described in more detail with respect to Figures 8, 21, and 22 below.
  • Application server blade A 402A also includes a third dual FibreChannel interface controller 746, coupled to PCIX bus 516A of Figure 5, whose FC ports are coupled to respective ones of the second dual FC interface controller 744.
  • Application server blade A 402A also includes a fourth dual FibreChannel interface controller 748, coupled to PCIX bus 516B of Figure 5, whose FC ports are coupled to respective ones of the second dual FC interface controller 744 and to respective ones of the third dual FC interface controller 746.
  • its third FC interface controller 746 PCIX interface couples to PCIX bus 516C of Figure 5
  • its fourth FC interface controller 748 PCIX interface couples to PCIX bus 516D of Figure 5.
  • Data manager blade A 406A includes a CPU 702 and a memory 706, each coupled to a local bus bridge/memory controller 704.
  • the processor comprises a Pentium III microprocessor.
  • the memory 706 comprises DRAM used to buffer data transferred between the storage devices 112 and the application server blade 402.
  • the CPU 702 manages use of buffer memory 706.
  • the CPU 702 performs caching of the data read from the storage devices 112 into the buffer memory 706.
  • data manager blade A 406A also Docket CHAP.0115 33 includes a memory coupled to the CPU 702 for storing program instructions and data used by the CPU 702.
  • the local bus bridge/memory controller 704 comprises a proprietary integrated circuit that controls the buffer memory 706.
  • the local bus bridge/memory controller 704 also includes two PCIX bus interfaces for interfacing to PCIX bus 516A and 516C of Figure 5.
  • the local bus bridge/memory controller 704 also includes circuitry for bridging the two PCIX buses 516A and 516C.
  • the local bus bridge/memory controller 704 interfaces to and bridges PCIX buses 516B and 516D of Figure 5.
  • the local bus bridge/memory controller 704 facilitates data transfers between each of the data manager blades 406 and each of the application server blades 402 via the PCIX buses 516.
  • the third and fourth FC interface controllers 746/748 are included on the application server blade 402.
  • the high-speed I/O links 304 between the second FC controller 744 and the third/fourth FC controller 746/748 are etched into the application server blade 402 printed circuit board rather than being discrete cables and connectors that are potentially more prone to being damaged or to other failure.
  • a local bus interface e.g., PCIX
  • PCIX a local bus interface
  • the application server blade 402 includes the CPU subsystem 714 of Figure 7, comprising a CPU 802 coupled to a north bridge 804 by a Gunning Transceiver Logic (GTL) bus 812 and a memory 806 coupled to the north bridge by a double-data rate (DDR) bus 814.
  • the memory 806 functions as a system memory for the application server blade 402. That is, programs and data are loaded into the memory 806, such as from the DOC memory 838 described below, and executed by the CPU 802. Additionally, the memory 806 serves as a buffer for data transferred between the storage devices 112 and the host computers 302.
  • data is transferred from the host computers 302 through the first FC controller 742 and north bridge 804 into the memory 806, and vice versa.
  • data is transferred from the memory 806 through the north bridge 804, second FC controller 744, third or forth FC controller 746 or 748, and backplane 412 to the data manager blades 406.
  • the north bridge 804 also functions as a bridge between the GTL bus 812/DDR bus 814 and the PCIX bus 724 and the PCI bus 722 of Figure 7.
  • the CPU subsystem 714 also includes a south bridge 808 coupled to the PCI bus 722.
  • the connectors 756 of Figure 7 comprise RJ45 jacks, denoted 756A and 756B in Figure 8, for coupling to respective ports of the Ethernet controller 732 of Figure 7 for coupling to Ethernet links to the host computers 302.
  • the south bridge 808 also provides an I 2 C bus by which temperature sensors 816 are coupled to the south bridge 808.
  • the temperature sensors 816 provide temperature information for critical components in the chassis 414, such as of CPUs and storage devices 112, to detect potential failure sources.
  • the south bridge 808 also functions as a bridge to the ISA bus 716 of Figure 7.
  • a FLASH memory 836, disk on chip (DOC) memory 838, dual UART 818, and the CPLD 712 of Figure 7 are coupled to the ISA bus 716.
  • the FLASH memory 836 comprises a 16MB memory used to store firmware to bootstrap the application server blade 402 CPU 802.
  • the FLASH memory 836 stores a Basic Input/Output System (BIOS) .
  • the DOC memory 838 comprises a 128MB NAND FLASH memory used to store, among other things, an operating system, application software, and data, such as web pages.
  • the application server blade 402 is able to boot and function as a stand-alone server.
  • the application server blade 402 provides the DOC memory 838 thereby alleviating the need for a mechanical mass storage device, such as a hard disk drive, for storing the operating system and application software.
  • the DOC memory 838 may be used by the storage Docket CHAP.0115 36 application software executing on the application server blade 402 as a high speed storage device in a storage hierarchy to cache frequently accessed data from the storage devices 112.
  • the application server blade 402 includes a mechanical disk drive, such as a microdrive, for storing an operating system, application software, and data instead of or in addition to the DOC memory 838.
  • the two UART 818 ports are coupled to respective 3-pin serial connectors denoted 832A and 832B for coupling to serial RS-232 links.
  • the two serial ports function similarly to COMl and COM2 ports of a personal computer.
  • the RS-232 ports may be used for debugging and manufacturing support.
  • the CPLD 712 is coupled to a light emitting diode (LED) 834.
  • the CPLD 712 is coupled via the BCI buses 718 of Figure 7 to a connector 828 for plugging into the backplane 412 of Figure 4.
  • the CPLD 712 includes a 2Kx8 SRAM port for accessing a shared mailbox memory region.
  • the CPLD 712 also provides the ability to program chip select decodes for other application server blade 402 devices such as the FLASH memory 836 and DOC memory 838.
  • the CPLD 712 provides dual independent BCI bus interfaces by which the data manager blades 406 can control and obtain status of the application server blades 402. For example, the CPLD 712 provides the ability for the data manager blade 406 to reset the application server blades 402 and data gate blades 408, such as in the event of detection of a failure.
  • the CPLD 712 also provides the ability to determine the status of activity on the various FibreChannel links and to Docket CHAP.0115 37 control the status indicator LED 834.
  • the CPLD 712 also enables monitoring of the I/O connectors 752/754 and control of port combiners 842, as described below.
  • the CPLD 712 also enables control of hot-plugging of the various modules, or blades, in the storage appliance 202.
  • the CPLD 712 also provides general purpose registers for use as application server blade 402 and data manager blade 406 mailboxes and doorbells.
  • the first and second FC controllers 742/744 of Figure 7 are coupled" to the PCIX bus 724.
  • the I/O connectors 752 and 754 of Figure 7 comprise FC small form-factor pluggable sockets (SFPs) .
  • SFPs FC small form-factor pluggable sockets
  • the two ports of the first FC controller 742 are coupled to respective SFPs 752A and 752B for coupling to FC links to the host computers 302.
  • the two ports of the second FC controller 744 are coupled to respective port combiners denoted 842A and 842B.
  • the port combiners 842 are also coupled to respective SFPs 754A and 754B for coupling to FC links to the external devices 322 of Figure 3.
  • each of the port combiners 842 comprises a FibreChannel arbitrated loop hub that allows devices to be inserted into or removed from an active FC arbitrated loop.
  • the arbitrated loop hub includes four FC Docket CHAP.0115 38 port bypass circuits (PBCs), or loop resiliency circuits (LRCs), serially coupled in a loop configuration, as described in detail with respect to Figure 25.
  • PBCs port bypass circuits
  • LRCs loop resiliency circuits
  • a PBC or LRC is a circuit that may be used to keep a FC arbitrated loop operating when a FC L_Port location is physically removed or not populated, L_Ports are powered-off, or a failing L_Port is present.
  • a PBC or LRC provides the means to route the serial FC channel signal past an L_Port.
  • a FC L_Port is an FC port that supports the FC arbitrated loop topology.
  • each of the four FC devices may communicate with one another via port combiner 842A.
  • the FC device connected to any one or two of the ports is removed, or becomes non-operational, then the port combiner 842A will bypass the non-operational ports keeping the loop intact and enabling the remaining two or three FC devices to continue communicating through the port combiner 842A.
  • port combiner 842A enables the second FC controller 744 to communicate with each of the third and fourth FC controllers 746/748, and consequently to each of the data manager blades 406; additionally, port combiner 842A enables external devices 322 of Figure 3 coupled to SFP 754A to also communicate with each of the third and fourth FC controllers 746/748, and consequently to each of the data manager blades 406.
  • the port combiners 842 are FC LRC hubs
  • the port combiners 842 are FC loop Docket CHAP.0115 39 switches. Because the FC loop switches are cross-point switches, they provide higher performance since more than one port pair can communicate simultaneously through the switch.
  • the port combiners 842 may comprise Ethernet or Infiniband switches, rather than FC devices.
  • the application servers 306 substantially comprise personal computers without mechanical hard drives, keyboard, and mouse connectors. That is, the application servers 306 portion of the application server blade 402 includes off-the-shelf components mapped within the address spaces of the system just as in a PC.
  • the CPU subsystem 714 is logically identical to a PC, including the mappings of the FLASH memory 836 and system RAM 806 into the CPU 802 address space.
  • the system peripherals, such as the UARTs 818, interrupt controllers, real-time clock, etc., are logically identical to and mapping the same as in a PC.
  • the PCI 722, PCIX 724, ISA 716 local buses and north bridge 804 and south bridge 808 are similar to those commonly used in high-end PC servers.
  • the Ethernet controller 732 and first and second FC interface controllers 742/744 function as integrated Ethernet network interface cards (NICs) and FC host bus adapters (HBAs), respectively. All of this advantageously potentially results in the ability to execute standard off-the-shelf software applications on the application server 306, and the ability to run a standard operating system on the application servers 306 with little modification.
  • the hard drive functionality may be provided by the DOC memory 838, and the user interface may be Docket CHAP.0115 40 provided via the Ethernet controller 732 interfaces and web-based utilities, or via the UART 818 interfaces.
  • the storage controller 308 portion of the application server blade 402 includes the third and fourth interface controllers 746/748, and the SFPs 754; the remainder comprises the application server 306 portion of the application server blade 402.
  • FIG 9 a diagram illustrating the physical layout of a circuit board of one embodiment of the application server blade 402 of Figure 8 is shown. The layout diagram is drawn to scale. As shown, the board is 5.040 inches wide and 11.867 inches deep. The elements of Figure 8 are included in the layout and numbered similarly.
  • the first and second FC controllers 742/744 each comprise an ISP2312 dual channel FibreChannel to PCI-X controller produced by the QLogic Corporation of Aliso Viejo, California.
  • a 512Kxl8 synchronous SRAM is coupled to each of the first and second FC controllers 742/744.
  • the third and fourth FC controllers 746/748 each comprise a JNIC-1560 Milano dual channel FibreChannel to PCI-X controller.
  • the south bridge 808 comprises an Intel PIIX4E, which includes internal peripheral interrupt controller (PIC) , programmable interval timer (PIT) , and real-time clock (RTC) .
  • the north bridge 804 comprises a Micron PAD21 Copperhead.
  • the memory 806 comprises up to IGB of DDR SDRAM ECC-protected memory DIMM.
  • Figure 9 illustrates an outline for a memory 806 DIMM to be plugged into a 184 pin right angle socket.
  • the CPU 802 comprises a 933 MHz Intel Tualatin low voltage mobile Pentium 3 with a 32KB on-chip Ll cache and a 512K on-chip L2 cache.
  • FLASH memory 836 comprises a 16MBx8 FLASH memory chip-
  • the DOC memory 838 comprises two 32MB each NAND FLASH memory chips that emulate an embedded IDE hard drive.
  • the port combiners 842 each comprise a Vitesse VSC7147-01.
  • the Ethernet controller 732 comprises an Intel 82546EB 10/100/1000 Mbit Ethernet controller.
  • the faceplate 1000 includes two openings for receiving the two RJ45 Ethernet connectors 756 of Figure 7.
  • the faceplate 1000 also includes two openings for receiving the two pairs of SFPs 752 and 754 of Figure 7.
  • the face plate 1000 is one unit (l ⁇ ) high for mounting in a standard 19 inch wide chassis 414.
  • the faceplate 1000 includes removal latches 1002, or removal mechanisms 1002, such as those well-known in the art of blade modules, that work together with mechanisms on the chassis 414 to enable a person to remove the application server blade 402 from the chassis 414 backplane 412 and to insert the application server blade 402 into the chassis 414 backplane 412 while the storage appliance 202 is operational without interrupting data availability on the storage devices 112.
  • the mechanisms 1002 cause the application server blade 402 connector to mate with the backplane 412 connector and Docket CHAP.0115 42 immediately begin to receive power from the backplane 412; conversely, during removal, the mechanisms 1002 cause the application server blade 402 connector to disconnect from the backplane 412 connector to which it mates, thereby removing power from the application server blade 402.
  • Each of the blades in the storage appliance 202 includes removal latches similar to the removal latches 1002 of the application server blade 402 faceplate 1000 shown in Figure 10.
  • the removal mechanism 1002 enables a person to remove and insert a blade module without having to open the chassis 414.
  • the software architecture includes a loader 1104.
  • the loader 1104 executes first when power is supplied to the CPU 802.
  • the loader 1104 performs initial boot functions for the hardware and loads and executes the operating system.
  • the loader 1104 is also capable of loading and flashing new firmware images into the FLASH memory 836.
  • the loader 1104 is substantially similar to a personal computer BIOS.
  • the loader 1104 comprises the RedBoot boot loader product by Red Hat, Inc. of Raleigh, North Carolina.
  • the architecture also includes power-on self-test (POST) , diagnostics, and manufacturing support software 1106.
  • POST power-on self-test
  • the diagnostics software executed by the CPU 802 does not diagnose the third and fourth FC controllers 746/748, which are instead diagnosed by firmware executing on the data manager blades 406.
  • the architecture also includes PCI configuration Docket CHAP.0115 43 software 1108, which configures the PCI bus 722, the PCIX bus 724, and each of the devices connected to them.
  • the PCI configuration software 1108 is executed by the loader 1104.
  • the architecture also includes an embedded operating system and associated services 1118.
  • the operating system 1118 comprises an embedded version of the Linux operating system distributed by Red Hat, Inc.
  • Other operating systems 1118 are contemplated including, but not limited to, Hard Hat Linux from Monta Vista Software, VA Linux, an embedded version of Windows NT from Microsoft Corporation, VxWorks from Wind River of Alameda, California, Microsoft Windows CE, and Apple Mac OS X 10.2.
  • the operating system services 1118 include serial port support, interrupt handling, a console interface, multi ⁇ tasking capability, network protocol stacks, storage protocol stacks, and the like.
  • the architecture also includes device driver software for execution with the operating system 1118.
  • the architecture includes an Ethernet device driver 1112 for controlling the Ethernet controller 732, and FC device drivers 1116 for controlling the first and second FC controllers 742/744.
  • an FC device driver 1116 must include the ability for the first controller 742 to function as a FC target to receive commands from the host computers 302 and an FC device driver 1116 must include the ability for the second controller 744 to function as a FC initiator to Docket CHAP.0115 44 initiate commands to the storage controller 308 and to any target external devices 322 of Figure 3 connected to the expansion I/O connectors 754.
  • the architecture also includes a hardware abstraction layer (HAL) 1114 that abstracts the underlying application server blade 402 hardware to reduce the amount of development required to port a standard operating system to the hardware platform.
  • HAL hardware abstraction layer
  • the software architecture also includes an operating system-specific Configuration Application Programming Interface (CAPI) client 1122 that provides a standard management interface to the storage controllers 308 for use by application server blade 402 management applications.
  • the CAPI client 1122 includes a CAPI Link Manager Exchange (LMX) that executes on the application server blade 402 and communicates with the data manager blades 406.
  • the LMX communicates with the data manager blades 406 via the high-speed I/O links 304 provided between the second FC controller 744 and the third and fourth FC controllers 746/748.
  • the CAPI client 1122 also includes a CAPI client application layer that provides an abstraction of CAPI services for use by device management applications executing on the application server blade 402.
  • the software architecture also includes storage management software 1126 that is used to manage the storage devices 112 coupled to the storage appliance 202.
  • the software architecture also includes RAID management software 1124 that is used to manage RAID arrays comprised of the storage devices 112 controlled by the data manager blades 406. Docket CHAP.0115 45
  • the software architecture includes one or more storage applications 1128.
  • storage applications 1128 executing on the application servers 306 include, but are not limited to, the following applications: data backup, remote mirroring, data snapshot, storage virtualization, data replication, hierarchical storage management (HSM) , data content caching, data storage provisioning, and file services - such as network attached storage (NAS) .
  • An example of storage application software is the IPStor product provided by FalconStor Software, Inc. of Melville, New York.
  • the storage application software may also be referred to as "middleware" or "value-added storage functions.”
  • Other examples of storage application software include products produced by Network Appliance, Inc.
  • the software included in the application server blade 402 software architecture may comprise existing software with little or no modification required.
  • the embodiment of the application server blade 402 of Figure 8 substantially conforms to the x86 personal computer (PC) architecture, existing operating systems that run on an x86 PC architecture require a modest amount of modification to run on the application server blade 402.
  • existing boot loaders, PCI configuration software, and operating system HALs also require a relatively small amount of modification to run on the application server blade 402. Docket CHAP.0115 46
  • the DOC memories 838 provide a standard hard disk drive interface
  • the boot loaders and operating systems require little modification, if any, to run on the application server blade 402 rather than on a hardware platform with an actual hard disk drive.
  • the use of popular FC controllers 742/744/746/748 and Ethernet controllers 732 increases the likelihood that device drivers already exist for these devices for the operating system executing on the application server blade 402.
  • the use of standard operating systems increases the likelihood that many- storage applications will execute on the application server blade 402 with a relatively small amount of modification required.
  • the storage controllers 308 logically retain their host- independent (or stand-alone) storage controller nature because of the application server blade 402 architecture. That is, the application server blade 402 includes the host bus adapter-type second interface controller 744 which provides the internal host-independent I/O link 304 to the third/fourth interface controllers 746/748, which in turn provide an interface to the local buses for communication with the other blades in the chassis 414 via the backplane 412.
  • the third/fourth interface controllers 746/748 are programmable by the data manager blades 406 via Docket CHAP.0115 47 the local buses 516, the third/fourth interface controllers 746/748 function as target interface controllers belonging to the storage controllers 308. This fact has software reuse and interoperability advantages, in addition to other advantages mentioned. That is, the storage controllers 308 appear to the application servers 306 and external devices 322 coupled to the expansion I/O connectors 754 as stand ⁇ alone storage controllers.
  • the second, third, and fourth FC controllers 744/746/748 of Figure 7 are not included in the application server blade 402 and are instead replaced by a pair of PCIX bus bridges that couple the CPU subsystem 714 directly to the PCIX buses 516 of the backplane 412.
  • One advantage of this embodiment is potentially lower component cost, which may lower the cost of the application server blade 402. Additionally, the embodiment may also provide higher performance, particularly in reduced latency and higher bandwidth without the intermediate I/O links. However, this embodiment may also require substantial software development, which may be costly both in time and money, to develop device drivers running on the application server Docket CHAP.0115 48 blade 402 and to modify the data manager blade 406 firmware and software.
  • the storage controllers in this alternate embodiment are host-dependent host bus adapters, rather than host-independent, stand-alone storage controllers. Consequently, device drivers must be developed for each operating system executing on the application server blade 402 to drive the storage controllers.
  • FIG 12 a block diagram illustrating the storage appliance 202 of Figure 5 in a fully fault-tolerant configuration in the computer network 200 of Figure 2 is shown. That is, Figure 12 illustrates a storage appliance 202 in which all blades are functioning properly. In contrast, Figures 13 through 15 illustrate the storage appliance 202 in which one of the blades has failed and yet due to the redundancy of the various blades, the storage appliance 202 continues to provide end-to-end connectivity, thereby maintaining the availability of the data stored on the storage devices 112.
  • the storage appliance 202 comprises the chassis 414 of Figure 4 for enclosing each of the blades included in Figure 12.
  • the embodiment of Figure 12 includes a storage appliance 202 with two representative host computers 302A and 302B of Figure 3 redundantly coupled to the storage appliance 202 via I/O connectors 752.
  • Each of the host computers 302 includes two I/O ports, such as FibreChannel, Ethernet, Infiniband, or other high-speed I/O ports.
  • Each host computer 302 has one of its I/O ports coupled to one of the I/O connectors 752 of application server blade A 402A and the other of its I/O ports coupled to one of the I/O Docket CHAP.0115 49 connectors 752 of application server blade B 402B.
  • the embodiment of Figure 12 also includes two representative external devices 322 of Figure 3 redundantly coupled to the storage appliance 202 via expansion I/O connectors 754. Although the external devices 322 are shown directly connected to the application server blade 402 I/O connectors 754, the external devices 322 may be networked to a switch, router, or hub that is coupled to the application server blade 402 I/O connectors 754.
  • Each external device 322 includes two I/O ports, such as FibreChannel, Ethernet, Infiniband, or other high-speed I/O ports. Each external device 322 has one of its I/O ports coupled to one of the expansion I/O connectors 754 of application server blade A 402A and the other of its I/O ports coupled to one of the expansion I/O connectors 754 of application server blade B 402B.
  • the external devices 322 may include, but are not limited to, other host computers, a tape drive or other backup type device, a storage controller or storage appliance, a switch, a router, or a hub.
  • the external devices 322 may communicate directly with the storage controllers 308 via the expansion I/O connectors 754 and port combiners 842 of Figure 8, without the need for intervention by the application servers 306. Additionally, the application servers 306 may communicate directly with the external devices 322 via the port Docket CHAP.0115 50 combiners 842 and expansion I/O connectors 754, without the need for intervention by the storage controllers 308.
  • the I/O link 304 between the second interface controller 744 ports of the application server 306 and the third interface controller 746 ports of storage controller A 308A and the I/O link 304 between the second interface controller 744 ports of the application server 306 and the fourth interface controller 748 ports of storage controller B 308B are externalized by the inclusion of the port combiners 842. That is, the port combiners 842 effectively create a blade area network (BAN) on the application server blade 402 that allows inclusion of the external devices 322 in the BAN to directly access the storage controllers 308. Additionally, the BAN enables the application servers 306 to directly access the external devices 322.
  • BAN blade area network
  • the storage application software 1128 executing on the application server blades 402 includes storage virtualization/provisioning software and the external devices 322 include storage controllers and/or other storage appliances that are accessed by the second interface controllers 744 of the application servers 306 via port combiners 842 and expansion I/O port connectors 754.
  • the virtualization/provisioning servers 306 may combine the storage devices controlled by the external storage controllers/appliances 322 and the storage devices 112 controlled by the internal storage controllers 308 when virtualizing/provisioning storage to the host computers 302. Docket CHAP.0115 51
  • the storage application software 1128 executing on the application server blades 402 includes storage replication software and the external devices 322 include a remote host computer system on which the data is replicated that is accessed by the second interface controllers 744 of the application servers 306 via port combiners 842 and expansion I/O port connectors 754. If the remote site is farther away than the maximum distance supported by the I/O link type, then the external devices 322 may include a repeater or router to enable communication with the remote site.
  • the storage application software 1128 executing on the application server blades 402 includes data backup software and the external devices 322 include a tape drive or tape farm, for backing up the data on the storage devices 112, which is accessed by the second interface controllers 744 of the application servers 306 via port combiners 842 and expansion I/O port connectors 754.
  • the backup server 306 may also back up to the tape drives data of other storage devices on the network 200, such as direct attached storage of the host computers 302.
  • the external devices 322 include host computers - or switches or routers or hubs to which host computers are networked - which directly access the storage controllers 308 via the third/fourth interface controllers 746/748 via expansion I/O connectors 754 and port combiners 842.
  • the storage controllers 308 may be configured to present, or zone, two different sets of logical storage devices, or logical Docket CHAP.0115 52 units, to the servers 306 and to the external host computers 322.
  • the embodiment of Figure 12 includes two groups of physical storage devices 112A and 112B each redundantly coupled to the storage appliance 202.
  • each physical storage device of the two groups of storage devices 112A and 112B includes two FC ports, for communicating with the storage appliance 202 via redundant FC arbitrated loops.
  • the two groups of physical storage devices 112A and 112B may be viewed as two groups of logical storage devices 112A and 112B presented for access to the application servers 306 and to the external devices 322.
  • the logical storage devices 112A and 112B may be comprised of a grouping of physical storage devices A 112A and/or physical storage devices B 112B using any of well-known methods for grouping physical storage devices, including but not limited to mirroring, striping, or other redundant array of inexpensive disks (RAID) methods.
  • the logical storage devices 112A and 112B may also comprise a portion of a single physical storage device or a portion of a grouping of physical storage devices.
  • the logical storage devices A 112A are presented to the application servers 306 and to the external devices 322 by storage controller A 308A, and the logical storage devices B 112B are presented to the application servers 306 and external devices 322 by storage controller B 308B.
  • the logical storage devices 112A or 112B previously presented by the failing storage controller 308 will also be presented by the remaining, i.e., non- failing, storage controller 308.
  • the logical storage devices 112 are presented as SCSI logical units.
  • the storage appliance 202 physically includes two application server blades 402A and 402B of Figure 7, two data manager blades 406A and 406B of Figure 7, and two data gate blades 408A and 408B of Figure 5.
  • Figure 12 is shaded to illustrate the elements of application server A 306A, application server B 306B, storage controller A 308A, and storage controller B 308B of Figure 4 based on the key at the bottom of Figure 12.
  • Storage controller A 308A comprises data manager blade A 406A, the first interface controllers 1206 of the data gate blades 408, and the third interface controllers 746 of the application server blades 402; storage controller B 308B comprises data manager blade B 406B, the second interface controllers 1208 of the data gate blades 408, and the fourth interface controllers 748 of the application server blades 402; application server A 306A comprises CPU subsystem 714 and the first and second interface controllers 742/744 of application server blade A 402A; application server B 306B comprises CPU subsystem 714 and the first and second interface controllers 742/744 of application server blade B 402B.
  • each of the application server blades 402 accesses the physical storage devices 112 via each of the storage controllers 308 in order to obtain maximum throughput. Docket CHAP.0115 54
  • each of the application server blades 402 includes first, second, third, and fourth dual channel FC controllers 742/744/746/748. Portl of the first FC controller 742 of each application server blade 402 is coupled to a respective one of the I/O ports of host computer A 302A, and port2 of the first FC controller 742 of each application server blade 402 is coupled to a respective one of the I/O ports of host computer B 302B. Each of the application server blades 402 also includes a CPU subsystem 714 coupled to the first and second FC controllers 742/744.
  • Portl of each of the second, third, and fourth FC controllers 744/746/748 of each application server blade 402 are coupled to each other via port combiner 842A of Figure 8, and port2 of each controller 744/746/748 of each application server blade 402 are coupled to each other via port combiners 842B of Figure 8.
  • the third FC controller 746 of application server blade A 402A is coupled to PCIX bus 516A
  • the fourth FC controller 748 of application server blade A 402A is coupled to PCIX bus 516B
  • the third FC controller 746 of application server blade B 402B is coupled to PCIX bus 516C
  • the fourth FC controller 748 of application server blade B 402B is coupled to PCIX bus 516D.
  • data manager blade A 406A includes a bus bridge/memory controller 704 that bridges PCIX bus 516A and PCIX bus 516C and controls memory 706, and data manager blade B 406B includes a bus bridge/memory controller 704 that bridges PCIX bus 516B and PCIX bus 516D Docket CHAP.0115 55 and controls memory 706.
  • the third FC controllers 746 of both application server blades 402A and 402B are coupled to transfer data to and from the memory 706 of data manager blade A 406A via PCIX buses 516A and 516C, respectively, and the fourth FC controllers 748 of both application server blades 402A and 402B are coupled to transfer data to and from the memory 706 of data manager blade B 406B via PCIX buses 516B and 516D, respectively.
  • the data manager blade A 406A CPU 702 of Figure 7 is coupled to program the third FC controllers 746 of both the application server blades 402A and 402B via PCIX bus 516A and 516C, respectively, and the data manager blade B 406B CPU 702 of Figure 7 is coupled to program the fourth FC controllers 748 of both the application server blades 402A and 402B via PCIX bus 516B and 516D, respectively.
  • Each of data gate blades 408A and 408B include first and second dual FC controllers 1206 and 1208, respectively.
  • the FC controllers 1206/1208 each comprise a JNIC-1560 Milano dual channel FibreChannel to PCI-X controller developed by the JNI CorporationTM that performs the FibreChannel protocol for transferring FibreChannel packets between the storage devices 112 and the storage appliance 202.
  • the PCIX interface of the data gate blade A 408A first FC controller 1206 is coupled to PCIX bus 516A
  • the PCIX interface of the data gate blade A 408A second FC controller 1208 is coupled to PCIX bus 516B
  • the PCIX interface of the data gate blade B 408B first FC controller 1206 is coupled to PCIX bus 516C
  • the PCIX interface of the data gate blade B 408B Docket CHAP.0115 56 second FC controller 1208 is coupled to PCIX bus 516D.
  • the first and second FC controllers 1206/1208 function as FC initiator devices for initiating commands to the storage devices 112.
  • one or more of the first and second FC controllers 1206/1208 ports may function as FC target devices for receiving commands from other FC initiators, such as the external devices 322.
  • a bus bridge 1212 of data gate blade A 408A couples PCIX buses 516A and 516B and a bus bridge 1212 of data gate blade B 408B couples PCIX buses 516C and 516D.
  • the first FC controllers 1206 of both data gate blades 408A and 408B are coupled to transfer data to and from the memory 706 of data manager blade A 406A via PCIX buses 516A and 516C, respectively, and the second FC controllers 1208 of both data gate blades 408A and 408B are coupled to transfer data to and from the memory 706 of data manager blade B 406B via PCIX buses 516B and 516D, respectively.
  • the data manager blade A 406A CPU 702 of Figure 7 is coupled to program the first FC controllers 1206 of both the data gate blades 408A and 408B via PCIX bus 516A and 516C, respectively, and the data manager blade B 406B CPU 702 of Figure 7 is coupled to program the second FC controllers 1208 of both the data gate blades 408A and 408B via PCIX bus 516B and 516D, respectively.
  • portl of each of the first and second interface controllers 1206/1208 of data gate blade A 408A and of storage devices B 112B is coupled to a port combiner 1202 of data gate blade A 408A, Docket CHAP.0115 57 similar to the port combiner 842 of Figure 8, for including each of the FC devices in a FC arbitrated loop configuration.
  • port2 of each of the first and second interface controllers 1206/1208 of data gate blade A 408A and of storage devices A 112A is coupled to a port combiner 1204 of data gate blade A 408A; portl of each of the first and second interface controllers 1206/1208 of data gate blade B 408B and of storage devices A 112A is coupled to a port combiner 1202 of data gate blade B 408B; port2 of each of the first and second interface controllers 1206/1208 of data gate blade B 408B and of storage devices B 112B is coupled to a port combiner 1204 of data gate blade B 408B.
  • the storage devices 112 are coupled to the data gate blades 408 via point-to- point links through a FC loop switch.
  • the port combiners 1202/1204 are coupled to external connectors 1214 to connect the storage devices 112 to the data gate blades 408.
  • the connectors 1214 comprise FC SFPs, similar to SFPs 752A and 752B of Figure 7, for coupling to FC links to the storage devices 112.
  • the redundant storage controllers 308 and application servers 306 of the embodiment of Figure 12 of the storage appliance 202 provide active-active failover fault-tolerance, as described below with respect to Figures 13 through 15 and 17 through 22, such that if any one of the storage appliance 202 blades fails, the redundant blade takes over for the failed blade to provide no loss of availability to data stored on the storage devices 112.
  • the primary data manager blade 406 Docket CHAP.0115 58 deterministically kills the failed application server blade 402, and programs the I/O ports of the third and fourth interface controllers 746/748 of the live application server blade 402 to take over the identity of the failed application server blade 402, such that the application server 306 second interface controller 744 (coupled to the third or fourth interface controllers 746/748 via the port combiners 842) and the external devices 322 (coupled to the third or fourth interface controllers 746/748 via the port combiners 842 and expansion I/O connectors 754) continue to have access to the data on the storage devices 112; additionally, the live application server blade 402 programs the I/O ports of the first interface controller 742 to take over the identity of the failed application server blade 402, such that the host computers 302 continue to have access to the data on the storage devices 112, as described in detail below.
  • Figures 13 through 15 will now be described. Figures 13 through 15 illustrate three different failure scenarios in which one blade of the storage appliance 202 has failed and how the storage appliance 202 continues to provide access to the data stored on the storage devices 112.
  • FIG. 13 a block diagram illustrating the computer network 200 of Figure 12 in which data gate blade 408A has failed is shown.
  • Figure 13 is similar to Figure 12, except that data gate blade 408A is not shown in order to indicate that data gate blade 408A has failed.
  • storage appliance 202 continues to make the data stored in the storage devices Docket CHAP.0115 59
  • data gate blade B 408B continues to provide a data path to the storage devices 112 for each of the data manager blades 406A and 406B.
  • Data manager blade A 406A accesses data gate blade B 408B via PCIX bus 516C and data manager blade B 406B accesses data gate blade B 408B via PCIX bus 516D through the chassis 414 backplane 412.
  • data manager blade A 406A determines that data gate blade A 408A has failed because data manager blade A 406A issues a command to data gate blade A 408A and data gate blade A 408A has not completed the command within a predetermined time period.
  • data manager blade A 406A determines that data gate blade A 408A has failed because data manager blade A 406A determines that a heartbeat of data gate blade A 408A has stopped.
  • the data manager blade A 406A CPU 702 programs the data gate blade B 408B first interface controller 1206 via data manager blade A 406A bus bridge 704 and PCIX bus 516C to access storage devices A 112A via data gate blade B 408B first interface controller 1206 portl, and data is transferred between storage devices A 112A and data manager blade A 406A memory 706 via data gate blade B 408B port combiner 1202, data gate blade B 408B first interface controller 1206 portl, PCIX bus 516C, and data manager blade A 406A bus bridge 704.
  • data manager blade A 406A CPU 702 programs the data gate blade B 408B first interface controller 1206 via data manager blade A 406A bus bridge 704 and PCIX bus 516c to access storage devices B 112B via data gate blade B Docket CHAP.0115 60
  • the storage appliance 202 continues to provide availability to the storage devices 112 data until the failed data gate blade A 408A can be replaced by hot-unplugging the failed data gate blade A 408A from the chassis 414 backplane 412 and hot- plugging a new data gate blade A 408A into the chassis 414 backplane 412.
  • FIG 14 a block diagram illustrating the computer network 200 of Figure 12 in which data manager blade A 406A has failed is shown.
  • Figure 14 is similar to Figure 12, except that data manager blade A 406A is not shown in order to indicate that data manager blade A 406A has failed.
  • storage appliance 202 continues to make the data stored in the storage devices 112 available in spite of the failure of a data manager blade 406.
  • data manager blade B 406B provides a data path to the storage devices 112 for the application server blade A 402A CPU subsystem 714 and the external devices 322 via the application server blade A 402A fourth interface controller 748 and PCIX bus 516B; additionally, data manager blade B 406B continues to provide a data path to the storage devices 112 for the application server blade B 402B CPU subsystem 714 and external devices 322 via the application server blade B Docket CHAP.0115 61
  • data manager blade A 406A owns the third interface controller 746 of each of the application server blades 402 and programs each of the ports of the third interface controllers 746 with an ID for identifying itself on its respective arbitrated loop, which includes itself, the corresponding port of the respective application server blade 402 second and fourth interface controllers 744/748, and any external devices 322 connected to the respective application server blade 402 corresponding expansion I/O connector 754.
  • the ID comprises a unique world-wide name.
  • data manager blade B 406B owns the fourth interface controller 748 of each of the application server blades 402 and programs each of the ports of the fourth interface controllers 748 with an ID for identifying itself on its respective arbitrated loop. Consequently, when a FC packet is transmitted on one of the arbitrated loops by one of the second interface controllers 744 or by an external device 322, the port of the third interface controller 746 or fourth interface controller 748 having the ID specified in the packet obtains the packet and provides the packet on the appropriate PCIX bus 516 to either data manager blade A 406A or data manager blade B 406B depending upon which of the data manager blades 406 owns the interface controller. [00114] When data manager blade B 406B determines that data manager blade A 406A has failed, data manager blade B Docket CHAP.0115 62
  • data manager blade B 406B disables the third interface controller 746 of each of the application server blades 402.
  • data manager blade B 406B disables, or inactivates, the application server blade 402 third interface controllers 746 via the BCI bus 718 and CPLD 712 of Figure 7, such that the third interface controller 746 ports no longer respond to or transmit packets on their respective networks.
  • data manager blade B 406B programs the fourth interface controllers 748 to add the FC IDs previously held by respective ports of the now disabled respective third interface controllers 746 to each of the respective ports of the respective fourth interface controllers 748 of the application server blades 402. This causes the fourth interface controllers 748 to impersonate, or take over the identity of, the respective now disabled third interface controller 746 ports.
  • the fourth interface controller 748 ports respond as targets of FC packets specifying the new IDs programmed into them, which IDs were previously programmed into the now disabled third interface controller 746 ports.
  • the fourth interface controllers 748 continue to respond as targets of FC packets with their original IDs programmed at initialization of normal operation. Consequently, commands and data previously destined for data manager blade A 406A via the third interface controllers 746 are obtained by the relevant fourth interface controller 748 and provided to data manager blade B 406B. Additionally, commands and data previously destined for data manager blade B 406B via the fourth interface controllers 748 continue to be obtained by the relevant fourth interface controller 748 and provided Docket CHAP.0115 63 to data manager blade B 406B.
  • This operation is referred to as a multi-ID operation since the ports of the non- failed data gate blade 408 fourth interface controllers 748 are programmed with multiple FC IDs and therefore respond to two FC IDs per port rather than one.
  • data manager blade A 406A and data manager blade B 406B present different sets of logical storage devices to the application servers 306 and external devices 322 associated with the FC IDs held by the third and fourth interface controllers 746/748.
  • data manager blade B 406B continues to present the sets of logical storage devices to the application servers 306 and external devices 322 associated with the FC IDs according to the pre-failure ID assignments using the multi-ID operation.
  • Data manager blade B 406B CPU 702 programs the application server blade A 402A fourth interface controller 748 via data manager blade B 406B bus bridge 704 and PCIX bus 516B and programs the application server blade B 402B fourth interface controller 748 via data manager blade B 406B bus bridge 704 and PCIX bus 516D; data is transferred between application server blade A 402A CPU subsystem 714 memory 806 of Figure 8 and data manager blade B 406B memory 706 via application server blade A 402A second interface controller 744, port combiner 842A or 842B, application server blade A 402A fourth interface controller 748, PCIX bus 516B, and data manager blade B 406B bus bridge 704; data is transferred between application server blade B 402B CPU subsystem 714 memory 806 of Figure 8 and data manager Docket CHAP.0115 64 blade B 406B memory 706 via application server blade B 402B second interface controller 744, port combiner 842 ⁇ or 842B, application server blade B 402B fourth interface controller 748
  • data manager blade A 406A fails, data manager blade B 406B continues to provide a data path to the storage devices 112 via both data gate blade A 408A and data gate blade B 408B via PCIX bus 516B and 516D, respectively, for each of the application server blade 402 CPU subsystems 714 and for the external devices 322.
  • the data manager blade B 406B CPU 702 programs the data gate blade A 408A second interface controller 1208 via data manager blade B 406B bus bridge 704 and PCIX bus 516B to access the storage devices 112 via data gate blade A 408A second interface controller 1208; and data is transferred between the storage devices 112 and data manager blade B 406B memory 706 via data gate blade A 408A port combiner 1202 of 1204, data gate blade A 408A second interface controller 1208, PCIX bus 516B, and data manager Docket CHAP.0115 65 blade B 406B bus bridge 704.
  • the data manager blade B 406B CPU 702 programs the data gate blade B 408B second interface controller 1208 via data manager blade B 406B bus bridge 704 and PCIX bus 516D to access the storage devices 112 via data gate blade B 408B second interface controller 1208; and data is transferred between the storage devices 112 and data manager blade B 406B memory 706 via data gate blade B 408B port combiner 1202 or 1204, data gate blade B 408B second interface controller 1208, PCIX bus 516D, and data manager blade B 406B bus bridge 704.
  • the storage appliance 202 continues to provide availability to the storage devices 112 data until the failed data manager blade A 406A can be replaced by removing the failed data manager blade A 406A from the chassis 414 backplane 412 and hot-plugging a new data manager blade A 406A into the chassis 414 backplane 412.
  • the backplane 412 includes dedicated out-of-band signals used by the data manager blades 406 to determine whether the other data manager blade 406 has failed or been removed from the chassis 414.
  • One set of backplane 412 signals includes a heartbeat signal generated by each of the data manager blades 406. Each of the data manager blades 406 periodically toggles a respective backplane 412 heartbeat signal to indicate it is functioning properly.
  • Each of the data manager blades 406 periodically examines the heartbeat signal of the other data manager blade 406 to determine whether the other data manager blade 406 is functioning properly.
  • the backplane 412 includes a signal for each blade of the storage appliance 202 to indicate whether the blade is Docket CHAP.0115 66 present in the chassis 414.
  • Each data manager blade 406 examines the presence signal for the other data manager blade 406 to determine whether the other data manager blade 406 has been removed from the chassis 414.
  • the non-failed data manager blade 406 when one of the data manager blades 406 detects that the other data manager blade 406 has failed, e.g., via the heartbeat signal, the non-failed data manager blade 406 asserts and holds a reset signal to the failing data manager blade 406 via the backplane 412 in order to disable the failing data manager blade 406 to reduce the possibility of the failing data manager blade 406 disrupting operation of the storage appliance 202 until the failing data manager blade 406 can be replaced, such as by hot-swapping.
  • FIG 15 a block diagram illustrating the computer network 200 of Figure 12 in which application server blade A 402A has failed is shown.
  • Figure 15 is similar to Figure 12, except that application server blade A 402A is not shown in order to indicate that application server blade A 402A has failed.
  • storage appliance 202 continues to make the data stored in the storage devices 112 available in spite of the failure of an application server blade 402.
  • application server blade B 402B provides a data path to the storage devices 112 for the host computers 302 and external devices 322.
  • application server blade A 402A fails, application server blade B 402B continues to provide a data path to the storage devices 112 via both data manager blade A 406A and data manager blade B 406B via PCIX bus 516C and Docket CHAP.0115 67
  • the data manager blade A 406A CPU 702 programs the application server blade B 402B third interface controller 746 via bus bridge 704 and PCIX bus 516C; data is transferred between the data manager blade A 406A memory 706 and the application server blade B 402B CPU subsystem 714 memory 806 of Figure 8 via data manager blade A 406A bus bridge 704, PCIX bus 516C, application server blade B 402B third interface controller 746, port combiner 842A or 842B, and application server blade B 402B second interface controller 744; data is transferred between the data manager blade A 406A memory 706 and the external devices 322 via data manager blade A 406A bus bridge 704, PCIX bus 516C, application server blade B 402B third interface controller 746, and port combiner 842A or 842B; data is transferred between the application server blade B 402B memory 806 and host computer A 302A via portl of the application
  • Host computer A 302A for example among the host computers 302, re-routes requests to application server blade B 402B I/O connector 752 coupled to portl of the first interface controller 742 in one of two ways.
  • host computer A 302A includes a device driver that resides in the operating system between the filesystem software and the disk device Docket CHAP.0115 68 drivers, which monitors the status of I/O paths to the storage appliance 202.
  • the device driver detects a failure in an I/O path, such as between host computer A 302A and application server A 306A, the device driver begins issuing I/O requests to application server B 306B instead.
  • An example of the device driver is software substantially similar to the DynaPath agent product developed by FalconStor Software, Inc.
  • application server blade B 402B detects the failure of application server blade A 402A, and reprograms the ports of its first interface controller 742 to take over the identity of the first interface controller 742 of now failed application server blade -A 402A via a multi-ID operation. Additionally, the data manager blades 406 reprogram the ports of the application server blade B 402B third and fourth interface controllers 746/748 to take over the identities of the third and fourth interface controllers 746/748 of now failed application server blade A 402A via a multi-ID operation.
  • This embodiment provides failover operation in a configuration in which the host computers 302 and external devices 322 are networked to the storage appliance 202 via a switch or router via network 114.
  • the data manager blades 406 detect the failure of application server blade A 402A and responsively inactivate application server blade A 402A to prevent it from interfering with application server blade B 402B taking over the identity of application server blade A 402A.
  • the storage appliance 202 continues to provide availability to the storage devices 112 data Docket CHAP.0115 69 until the failed application server blade A 402A can be replaced by removing the failed application server blade A 402A from the chassis 414 backplane 412 and hot-replacing a new application server blade A 402A into the chassis 414 backplane 412.
  • FIG. 16 a diagram of a prior art computer network 1600 is shown.
  • the computer network 1600 of Figure 16 is similar to the computer network 100 of Figure 1 and like-numbered items are alike.
  • the computer network 1600 of Figure 16 also includes a heartbeat link 1602 coupling the two storage application servers 106, which are redundant active-active failover servers. That is, the storage application servers 106 monitor one another's heartbeat via the heartbeat link 1602 to detect a failure in the other storage application server 106. If one of the storage application servers 106 fails as determined from the heartbeat link 1602, then the remaining storage application server 106 takes over the identify of the other storage application server 106 on the network 114 and services requests in place of the failed storage application server 106.
  • a heartbeat link 1602 coupling the two storage application servers 106, which are redundant active-active failover servers. That is, the storage application servers 106 monitor one another's heartbeat via the heartbeat link 1602 to detect a failure in the other storage application server 106. If one of the storage application servers 106 fails as
  • the heartbeat link 1602 is an Ethernet link or FibreChannel link. That is, each of the storage application servers 106 includes an Ethernet or FC controller for communicating its heartbeat Docket CHAP.0115 70 on the heartbeat link 1602 to the other storage application server 106. Each of the storage application servers 106 periodically transmits the heartbeat to the other storage application server 106 to indicate that the storage application server 106 is still operational. Similarly, each storage application server 106 periodically monitors the heartbeat from the other storage application server 106 to determine whether the heartbeat stopped, and if so, infers a failure of the other storage application server 106.
  • the remaining storage application server 106 takes over the identity of the failed storage application server 106 on the network 114, such as by taking on the MAC address, world wide name, or IP address of the failed storage application server 106.
  • a situation may occur in which both storage application servers 106 are fully operational and yet a failure occurs on the heartbeat link 1602.
  • the heartbeat link 1602 cable may be damaged or disconnected.
  • each server 106 infers that the other server 106 has failed because it no longer receives a heartbeat from the other server 106. This condition may be referred to as a "split brain" condition.
  • a true failure occurs on one of the storage application servers 106 such that the failed server 106 no longer transmits a heartbeat to the other server 106.
  • the non-failed server 106 sends a command to the failed server 106 on the heartbeat link 1602 commanding the failed server 106 to inactivate itself, i.e., to abandon its identity on the network 114, namely by not transmitting or responding to packets on the network 114 specifying its ID.
  • the non-failed server 106 attempts to take over the identity of the failed server 106 on the network 114.
  • the failed server 106 may not be operational enough to receive and perform the command to abandon its identity on the network 114; yet, the failed server 106 may still be operational enough to maintain its identity on the network, namely to transmit and/or respond to packets on the network 114 specifying its ID. Consequently, when the non-failed server 106 attempts to take over the identity of the failed server 106, this may cause lack of availability of the data on the storage devices 112 to the traditional server 104 and clients 102.
  • an apparatus, system and method for the non-failed server 106 to deterministically inactivate on the network 114 a failed application server 306 integrated into the storage appliance 202 of Figure 2 is described herein. Docket CHAP.0115 72
  • FIG. 17 a block diagram illustrating the storage appliance 202 of Figure 2 is shown.
  • the storage appliance 202 of Figure 17 includes application server blade A 402A, application server blade B 402B, data manager blade A 406A, data manager blade B 406B, and backplane 412 of Figure 4.
  • the storage appliance 202 also includes a heartbeat link 1702 coupling application server blade A 402A and application server blade B 402B.
  • the heartbeat link 1702 of Figure 17 serves a similar function as the heartbeat link 1602 of Figure 16.
  • the heartbeat link 1702 may comprise a link external to the storage appliance 202 chassis 414 of Figure 4, such as an Ethernet link coupling an Ethernet port of the Ethernet interface controller 732 of Figure 7 of each of the application server blades 402, or such as a FC link coupling a FC port of the first FC interface controller 742 of Figure 7 of each of the application server blades 402, or any other suitable communications link for transmitting and receiving a heartbeat.
  • the heartbeat link 1702 may comprise a link internal to the storage appliance 202 chassis 414, and in particular, may be comprised in the backplane 412. In this embodiment, a device driver sends the heartbeat over the internal link.
  • the heartbeat link 1702 advantageously may be internal to the chassis 414, which is potentially more reliable than an external heartbeat link 1702.
  • Application server blade A 402A transmits on heartbeat link 1702 to application server blade B 402B an A-to-B link heartbeat 1744, and application server blade B Docket CHAP.0115 73
  • each of the data manager blades 406 receives a blade present status indicator 1752 for each of the blade slots of the chassis 414.
  • Each of the blade present status indicators 1752 indicates whether or not a blade - such as the application server blades 402, data manager blades 406, and data gate blades 408 - are present in the respective slot of the chassis 414.
  • the corresponding blade present status indicator 1752 indicates the slot is empty, and whenever a blade is inserted into a slot of the chassis 414, the corresponding blade present status indicator 1752 indicates that a blade is present in the slot.
  • Application server blade A 402A generates a health-A status indicator 1722, which is provided to each of the data manager blades 406, to indicate the health of application server blade A 402A.
  • the health comprises a three-bit number indicating the relative health (7 being totally healthy, 0 being least healthy) of the application server blade A 402A based on internal diagnostics periodically executed by the application server blade A 402A to diagnose its health. That is, some subsystems of application server blade A 402A may be operational, but others may not, resulting in the report of a health lower than totally healthy.
  • Application server blade B 402B generates a similar status indicator, denoted Docket CHAP.0115 74 health-B status indicator 1732, which is provided to each of the data manager blades 406, to indicate the health of application server blade B 402B.
  • Application server blade A 402A also generates a direct heartbeat-A status indicator 1726, corresponding to the A-to-B link heartbeat 1744, but which is provided directly to each of the data manager blades 406 rather than to application server blade B 402B. That is, when application server blade A 402A is operational, it generates a heartbeat both to application server blade B 402B via A-to-B link heartbeat 1744 and to each of the data manager blades 406 via direct heartbeat-A 1726.
  • Application server blade B 402B generates a similar direct heartbeat-B status indicator 1736, which is provided directly to each of the data manager blades 406.
  • Application server blade A 402A generates an indirect heartbeat B-to-A status indicator 1724, which is provided to each of the data manager blades 406.
  • the indirect heartbeat B-to-A status indicator 1724 indicates the receipt of B-to-A link heartbeat 1742. That is, when application server blade A 402A receives a B-to-A link heartbeat 1742, application server blade A 402A generates a heartbeat on indirect heartbeat B-to-A status indicator 1724, thereby enabling the data manager blades 406 to determine whether the B-to-A link heartbeat 1742 is being received by application server blade A 402A.
  • Application server blade B 402B generates an indirect heartbeat A-to-B status indicator 1734, similar to indirect heartbeat B-to-A status indicator 1724, which is provided to each of the data manager blades 406 to indicate the receipt of A-to-B Docket CHAP.0115 75 link heartbeat 1744.
  • the indirect heartbeat B-to-A status indicator 1724 and indirect heartbeat A-to-B status indicator 1734 in conjunction with the direct heartbeat-A status indicator 1726 and direct heartbeat-B status indicator 1736, enable the data manager blades 406 to deterministically detect when a split brain condition has occurred, i.e., when a failure of the heartbeat link 1702 has occurred although the application server blades 402 are operational.
  • Data manager blade B 406B generates a kill A-by-B control 1712 provided to application server blade A 402A to kill, or inactivate, application server blade A 402A.
  • killing or inactivating application server blade A 402A denotes inactivating the I/O ports of the application server blade A 402A coupling the application server blade A 402A to the network 114, particularly the ports of the interface controllers 732/742/744/746/748 of Figure 7.
  • the kill A-by-B control 1712 is also provided to application server blade B 402B as a status indicator to indicate to application server blade B 402B whether data manager blade B 406B has killed application server blade A 402A.
  • Data manager blade B 406B also generates a kill B- by-B control 1714 provided to application server blade B 402B to kill application server blade B 402B, which is also provided to application server blade A 402A as a status indicator.
  • data manager blade A 406A generates a kill B-by-A control 1716 provided to application server blade B 402B to kill application server blade B 402B, which is also provided to application server blade A 402A as a status indicator
  • data manager blade A 406A generates a Docket CHAP.0115 76 kill A-by-A control 1718 provided to application server blade A 402A to kill application server blade A 402A, which is also provided to application server blade B 402B as a status indicator.
  • the kill controls 1712-1718 deterministically inactivate the respective application server blade 402. That is, the kill controls 1712-1718 inactivate the application server blade 402 without requiring any operational intelligence or state of the application server blade 402, in contrast to the system of Figure 16, in which the failed storage application server 106 must still have enough operational intelligence or state to receive the command from the non-failed storage application server 106 to inactivate itself.
  • a data manager blade 406 kills an application server blade 402 by causing power to be removed from the application server blade 402 specified for killing.
  • the kill controls 1712-1718 are provided on the backplane 412 to power modules, such as power manager blades 416 of Figure 4, and instruct the power modules to remove power from the application server blade 402 specified for killing.
  • the status indicators and controls shown in Figure 17 are logically illustrated.
  • logical status indicators and controls of Figure 17 correspond to discrete signals on the backplane 412.
  • other means may be employed to generate the logical status indicators and controls.
  • the blade control interface (BCI) buses 718 and CPLDs 712 shown in Figures 7, 21, and 22 may be Docket CHAP.0115 77 employed to generate and receive the logical status indicators and controls shown in Figure 17. Operation of the status indicators and controls of Figure 17 will now be described with respect to Figures 18 through 20.
  • FIG. 18 a flowchart illustrating fault-tolerant active-active failover of the application server blades 402 of the storage appliance 202 of Figure 17 is shown.
  • Figure 18 primarily describes the operation of the data manager blades 406, whereas Figures 19 and 20 primarily describe the operation of the application server blades 402.
  • Flow begins at block 1802.
  • one or more of the data manager blades 406 is reset. The reset may occur because the storage appliance 202 is powered up, or because a data manager blade 406 is hot-plugged into a chassis 414 slot, or because one data manager blade 406 reset the other data manager blade 406.
  • Flow proceeds to block 1804.
  • the data manager blades 406 establish between themselves a primary data manager blade 406.
  • the primary data manager blade 406 is responsible for monitoring the health and heartbeat-related status indicators of Figure 17 from the application server blades 402 and deterministically killing one of the application server blades 402 in the event of a heartbeat link 1702 failure or application server blade 402 failure in order to deterministically accomplish active-active failover of the application server blades 402. Flow proceeds to decision block 1806.
  • the data manager blades 406 determine whether the primary data manager blade 406 Docket CHAP.0115 78 has failed. If so, flow proceeds to block 1808; otherwise, flow proceeds to block 1812.
  • the secondary data manager blade 406 becomes the primary data manager blade 406 in place of the failed data manager blade 406. Flow proceeds to block 1812.
  • the primary data manager blade 406 (and secondary data manager blade 406 if present) receives and monitors the status indicators from each application server blade 402.
  • the primary data manager blade 406 receives the health-A 1722, health-B 1732, indirect heartbeat B-to-A 1724, indirect heartbeat A-to-B 1734, direct heartbeat A 1726, and direct heartbeat B 1736 status indicators of Figure 17.
  • Flow proceeds to decision block 1814.
  • the primary data manager blade 406 determines whether direct heartbeat A 1726 has stopped. If so, flow proceeds to block 1816; otherwise, flow proceeds to decision block 1818.
  • the primary data manager blade 406 kills application server blade A 402A. That is, if data manager blade A 406A is the primary data manager blade 406, then data manager blade A 406A kills application server blade A 402A via the kill A-by-A control 1718, and if data manager blade B 406B is the primary data manager blade 406, then data manager blade B 406B kills application server blade A 402A via the kill A-by-B control 1712. As described herein, various embodiments are described for the primary data manager blade 406 to kill the application server blade 402, such as by resetting the application Docket CHAP.0115 79 server blade 402 or by removing power from it.
  • the primary data manager blade 406 causes the application server blade 402 to be inactive on its network 114 I/O ports, thereby enabling the remaining application server blade 402 to reliably assume the identity of the killed application server blade 402 on the network 114. Flow proceeds to decision block 1834.
  • the primary data manager blade 406 determines whether direct heartbeat B 1736 has stopped. If so, flow proceeds to block 1822; otherwise, flow proceeds to decision block 1824.
  • the primary data manager blade 406 kills application server blade B 402B. That is, if data manager blade A 406A is the primary data manager blade 406, then data manager blade A 406A kills application server blade B 402B via the kill B-by-A control 1716, and if data manager blade B 406B is the primary data manager blade 406, then data manager blade B 406B kills application server blade B 402B via the kill B-by-B control 1714. Flow proceeds to decision block 1834.
  • the primary data manager blade 406 determines whether both indirect heartbeat B-to-A 1724 and indirect heartbeat A-to-B 1734 have stopped (i.e., the heartbeat link 1702 has failed or both servers have failed) . If so, flow proceeds to decision block 1826; otherwise, flow returns to block 1812.
  • the primary data manager blade 406 examines the health-A status 1722 and health-B status 1732 to determine whether the health of application server blade A 402A is worse than the health of application Docket CHAP.0115 80 server blade B 402B. If so, flow proceeds to block 1828; otherwise, flow proceeds to block 1832.
  • the primary data manager blade 406 kills application server blade A 402A. Flow proceeds to decision block 1834.
  • the primary data manager blade 406 kills application server blade B 402B. It is noted that block 1832 is reached in the case that both of the application server blades 402 are operational and totally healthy but the heartbeat link 1702 is failed. In this case, as with all the failure cases, the system management subsystem of the data manager blades 406 notifies the system administrator that a failure has occurred and should be remedied. Additionally, in one embodiment, status indicators on the faceplates of the application server blades 402 may be lit to indicate a failure of the heartbeat link 1702. Flow proceeds to decision block 1834. [00150] At decision block 1834, the primary data manager blade 406 determines whether the killed application server blade 402 has been replaced.
  • the primary data manager blade 406 determines whether the killed application server blade 402 has been replaced by detecting a transition on the blade present status indicator 1752 of the slot corresponding to the killed application server blade 402 from present to not present and then to present again. If decision block 1834 was arrived at because of a failure of the heartbeat link 1702, then the administrator may repair the heartbeat link 1702, and then simply remove and then re-insert the killed ⁇ application server blade 402. If the killed application Docket CHAP.0115 81 server blade 402 has been replaced, flow proceeds to block 1836; otherwise, flow returns to decision block 1834. [00151] At block 1836, the primary data manager blade 406 unkills the replaced application server blade 402. In one embodiment, unkilling the replaced application server blade 402 comprises releasing the relevant kill control 1712/1714/1716/1718 in order to bring the killed application server blade 402 out of a reset state. Flow returns to block 1812.
  • the primary data manager blade 406 determines a failure of an application server blade 402 at decision blocks 1814 and 1818 by means other than the direct heartbeats 1726/1736.
  • the primary data manager blade 406 may receive an indication (such as from temperature sensors 816 of Figure 8) that the temperature of one or more of the components of the application server blade 402 has exceeded a predetermined limit.
  • the direct heartbeat status indicator 1726/1736 of an application server blade 402 may stop for any of various reasons including, but not limited to, a failure of the CPU subsystem 714 or a failure of one of the I/O interface controllers 732/742/744/746/748.
  • FIG. 19 a flowchart illustrating fault-tolerant active-active failover of the application server blades 402 of the storage appliance 202 of Figure 17 is shown. Flow begins at block 1902. [00154] At block 1902, application server blade A 402A provides it's A-to ⁇ B link heartbeat 1744 to application server blade B 402B, and application server blade B 402B Docket CHAP.0115 82 provides it' s B-to-A link heartbeat 1724 to application server blade A 402A of Figure 17.
  • application server blade A 402A provides health-A 1722, indirect heartbeat B-to-A 1724, and direct heartbeat-A 1726 to the data manager blades 406, and application server blade B 402B provides health-B 1732, indirect heartbeat A- to-B 1734, and direct heartbeat-B 1736 to the data manager blades 406.
  • the frequency with which the application server blades 402 provide their health 1722/1732 may be different from the frequency with which the direct heartbeat 1726/1736 and/or link heartbeats 1742/1744 are provided.
  • Flow proceeds to block 1904. [00155]
  • application server blade A 402A monitors the B-to-A link heartbeat 1742 and application server blade B 402B monitors the A-to-B link heartbeat 1744.
  • decision block 1906 proceeds to decision block 1906.
  • each application server blade 402 determines whether the other application server blade 402 link heartbeat 1742/1744 has stopped. If so, flow proceeds to decision block 1908; otherwise, flow returns to block 1902.
  • each application server blade 402 examines the relevant kill signals 1712-1718 to determine whether the primary data manager blade 406 has killed the other application server blade 402. If so, flow proceeds to block 1912; otherwise, flow returns to decision block 1908.
  • the live application server blade 402 takes over the identity of the killed application server blade 402 on the network 114.
  • the live application server blade 402 takes over the identity of the killed application server blade 402 on the network 114 by assuming the MAC address, IP address, and/or world wide name of the corresponding killed application server blade 402 I/O ports.
  • the I/O ports may include, but are not limited to, FibreChannel ports, Ethernet ports, and Infiniband ports. Flow ends at block 1912.
  • a portion of the I/O ports of each of the application server blades 402 are maintained in a passive state, while other of the I/O ports are active.
  • the primary data manager blade 406 kills one of the application server blades 402
  • one or more of the passive I/O ports of the live application server blade 402 take over the identity of the I/O ports of the killed application server blade 402 at block 1912.
  • the storage appliance 202 advantageously deterministically performs active-active failover from the failed application server blade 402 to the live application server blade 402 by ensuring that the failed application server blade 402 is killed, i.e., inactive on the network 114, before the live application server blade 402 takes over the failed application server blade 402 identity, thereby avoiding data unavailability due to conflict of identity on the network.
  • FIG 20 a flowchart illustrating fault-tolerant active-active failover of the application server blades 402 of the storage appliance 202 of Figure 17 according to an alternate embodiment is shown.
  • Figure 20 is identical to Figure 19, and like-numbered blocks are alike, except that block 2008 replaces decision block 1908. That is, if at decision block 1906 it is determined that the other application server blade 402 heartbeat stopped, then flow proceeds to block 2008 rather than decision block 1908; and flow unconditionally proceeds from block 2008 to block 1912.
  • the live application server blade 402 pauses long enough for the primary data manager blade 406 to kill the other application server blade 402.
  • the live application server blade 402 pauses a predetermined amount of time.
  • the predetermined amount of time is programmed into the application server blades 402 based on the maximum of the amount of time required by the primary data manager blade 406 to detect a failure of the link heartbeats 1742/1744 via the indirect heartbeats 1724/1734 and to subsequently kill an application server blade 402, or to detect an application server blade 402 failure via the direct heartbeats 1726/1736 and to subsequently kill the failed application server blade 402.
  • the storage appliance 202 advantageously deterministically performs active-active failover from the failed application server blade 402 to the live application server blade 402 by ensuring that the failed application server blade 402 is killed, i.e., inactive on the network 114, before the live application server blade 402 takes over the failed application server blade 402 identity, thereby avoiding Docket CHAP.0115 85 data unavailability due to conflict of identity on the network.
  • Figure 21 a block diagram illustrating the interconnection of the various storage appliance 202 blades via the BCI buses 718 of Figure 7 is shown.
  • Figure 21 includes data manager blade A 406A, data manager blade B 406B, application server blade A 402A, application server blade B 402B, data gate blade A 408A, data gate blade B 408B, and backplane 412 of Figure 4.
  • Each application server blade 402 includes CPLD 712 of Figure 7 coupled to CPU 802 of Figure 8 and I/O interface controllers 732/742/744/746/748 via ISA bus 716 of Figure 7.
  • the CPLD 712 generates a reset signal 2102, which is coupled to the reset input of CPU 802 and I/O interface controllers 732/742/744/746/748, in response to predetermined control input received from a data manager blade 406 on one of the BCI buses 718 coupled to the CPLD 712.
  • Each of the data manager blades 406 includes CPU 706 of Figure 7 coupled to a CPLD 2104 via an ISA bus 2106.
  • Each data gate blade 408 includes I/O interface controllers 1206/1208 of Figure 12 coupled to a CPLD 2108 via an ISA bus 2112.
  • the CPLD 2108 generates a reset signal 2114, which is coupled to the reset input of the I/O interface controllers 1206/1208, in response to predetermined control input received from a data manager blade 406 on one of the BCI buses 718 coupled to the CPLD 2108.
  • the backplane 412 includes four BCI buses denoted BCI-A 718A, BCI-B 718B, BCI-C 718C, and BCI-D 718D.
  • BCI-A 718A couples the CPLDs 712, 2104, and 2108 of data manager blade A 406A, application server blade A 402A, and data gate blade A Docket CHAP.0115 86
  • BCI-B 718B- couples the CPLDs 712, 2104, and 2108 of data manager blade A 406A, application server blade B 402B, and data gate blade B 408B, respectively.
  • BCI-C 718C couples the CPLDs 712, 2104, and 2108 of data manager blade B 406B, application server blade A 402A, and data gate blade A 408A, respectively.
  • BCI-D 718D couples the CPLDs 712, 2104, and 2108 of data manager blade B 406B, application server blade B 402B, and data gate blade B 408B, respectively.
  • the application server blade 402 CPUs 802 generate the health and heartbeat statuses 1722/1724/1726/1732/1734/1736 via CPLDs 712 on the BCI buses 718, which are received by the data manager blade 406 CPLDs 2104 and conveyed to the CPUs 706 via ISA buses 2106, thereby enabling the primary data manager blade 406 to deterministically distinguish a split brain condition from a true application server blade 402 failure.
  • the data manager blade 406 CPUs 706 generate the kill controls 1712/1714/1716/1718 via CPLDs 2104 on the BCI buses 718, which cause the application server blade 402 CPLDs 712 to generate the reset signals 2102 to reset the application server blades 402, thereby enabling a data manager blade 406 to deterministically inactivate an application server blade 402 so that the other application server blade 402 can take over its network identity, as described above.
  • the apparatus of Figure 21 does not require the application server blade 402 CPU 802 or I/O interface controllers 732/742/744/746/748 to be in a particular state or have a particular level of Docket CHAP.0115 87 operational intelligence in order for the primary data manager blade 406 to inactivate them.
  • FIG 22 a block diagram illustrating the interconnection of the various storage appliance 202 blades via the BCI buses 718 of Figure 7 and discrete reset signals according to an alternate embodiment is shown.
  • Figure 22 is identical to Figure 21, and like- numbered elements are alike, except that reset signals 2102 of Figure 21 are not present in Figure 22. Instead, a reset-A signal 2202 is provided from the backplane 412 directly to the reset inputs of the application server blade A 402A CPU 802 and I/O interface controllers 732/742/744/746/748, and a reset-B signal 2204 is provided from the backplane 412 directly to the reset inputs of the application server blade B 402B CPU 802 and I/O interface controllers 732/742/744/746/748.
  • Application server blade A 402A CPU 802 also receives the reset-B signal 2204 as a status indicator, and application server blade B 402B CPU 802 also receives the reset-A signal 2202 as a status indicator.
  • Data manager blade A 406A generates a reset A- by-A signal 2218 to reset application server blade A 402A and generates a reset B-by-A signal 2216 to reset application server blade B 402B.
  • Data manager blade B 406B generates a reset B-by-B signal 2214 to reset application server blade B 402B and generates a reset A-by-B signal 2212 to reset application server blade A 402A.
  • the reset-A signal 2202 is the logical OR of the reset A-by-A signal 2218 and the reset A-by-B signal 2212.
  • the reset-B signal 2204 is the logical OR of the reset B-by-B signal 2214 and the reset B-by-A signal 2216. Docket CHAP.0115 88
  • the application server blade 402 CPUs 802 generate the health and heartbeat statuses 1722/1724/1726/1732/1734/1736 via CPLDs 712 on the BCI buses 718 which are received by the data manager blade 406 CPLDs 2104 and conveyed to the CPUs 706 via ISA buses 2106, thereby enabling the primary data manager blade 406 to deterministically distinguish a split brain condition from a true application server blade 402 failure.
  • the data manager blade 406 CPUs 706 generate the reset signals 2212/2214/2216/2218 via CPLDs 2104, which reset the application server blades 402, thereby enabling a data manager blade 406 to deterministically inactivate an application server blade 402 so that the other application server blade 402 can take over its network identity, as described above.
  • the apparatus of Figure 22 does not require the application server blade 402 CPU 802 or I/O interface controllers 732/742/744/746/748 to be in a particular state or having a particular level of operational intelligence in order for the primary data manager blade 406 to inactivate them.
  • FIG. 23 a block diagram illustrating an embodiment of the storage appliance 202 of Figure 2 comprising a single application server blade 402 is shown.
  • the storage appliance 202 embodiment of Figure 23 may be lower cost than the redundant application server blade 402 storage appliance 202 embodiment of Figure 12.
  • Figure 23 is similar to Figure 12 and like-numbered elements are alike.
  • the storage appliance 202 of Figure 23 does not include application server blade B 402B.
  • the storage Docket CHAP.0115 89 appliance 202 of Figure 23 includes a third data gate blade 408 similar to data gate blade B 408B, denoted data gate blade C 408C, in the chassis 414 slot occupied by application server blade B 402B in the storage appliance 202 of Figure 12.
  • the data gate blade C 408C first interface controller 1206 is logically a portion of storage controller A 308A
  • the second interface controller 1208 is logically a portion of storage controller B 308B, as shown by the shaded portions of data gate blade C 408C.
  • data gate blade C 408C comprises four I/O port connectors 1214 rather than two.
  • Data manager blade A 406A communicates with the data gate blade C 408C first interface controller 1206 via PCIX bus 516C
  • data manager blade B 406B communicates with the data gate blade C 408C second interface controller 1208 via PCIX bus 516D.
  • Port2 of external device A 322A is coupled to the data gate blade C 408C I/O connector 1214 coupled to port combiner 1202, and port2 of external device B 322B is coupled to the data gate blade C 408C I/O connector 1214 coupled to port combiner 1204, thereby enabling the external devices 322 to have redundant direct connections to the storage controllers 308, and in particular, redundant paths to each of the data manager blades 406 via the redundant interface controllers 746/748/1206/1208.
  • the data manager blades 406 program the data gate blade C 408C interface controllers 1206/1208 as target devices to receive commands from the external devices 322.
  • the data manager blades 406 program the data Docket CHAP.0115 90 gate blade C 408C interface controller 1206/1208 ports to take over the identities of the application server blade A 402A third/fourth interface controller 746/748 ports. Conversely, if data gate blade C 408C fails, the data manager blades 406 program the application server blade A 402A third/fourth interface controller 746/748 ports to take over the identities of the data gate blade C 408C interface controller 1206/1208 ports.
  • the embodiment of Figure 23 may be particularly advantageous for out-of-band server applications, such as a data backup or data snapshot application, in which server fault-tolerance is not as crucial as in other applications, but where high data availability to the storage devices 112 by the external devices 322 is crucial.
  • FIG. 24 a block diagram illustrating an embodiment of the storage appliance 202 of Figure 2 comprising a single application server blade 402 is shown.
  • the storage appliance 202 embodiment of Figure 24 may be lower cost than the redundant application server blade 402 storage appliance 202 embodiment of Figure 12 or then the single server embodiment of Figure 23.
  • Figure 24 is similar to Figure 12 and like-numbered elements are alike.
  • the storage appliance 202 of Figure 24 does not include application server blade B 402B. Instead, the storage devices A 112A and storage devices B 112B are all coupled on the same dual loops, thereby leaving the other data gate blade 408 I/O connectors 1214 available for connecting to the external devices 322. That is, port2 of external device A 322A is coupled to one I/O connector 1214 of data gate blade B Docket CHAP.0115 91
  • the data manager blades 406 program the data gate blade 408 interface controllers 1206/1208 as target devices to receive commands from the external devices 322.
  • the data manager blades 406 program portl of the data gate blade A 408A interface controllers 1206/1208 to take over the identities of portl of the application server blade A 402A third/fourth interface controllers 746/748, and the data manager blades 406 program port2 of the data gate blade B 408B interface controllers 1206/1208 to take over the identities of port2 of the application server blade A 402A third/fourth interface controllers 746/748.
  • data gate blade A 408A fails, the data manager blades 406 program port2 of the application server blade A 402A third/fourth interface controllers 746/748 to take over the identities of portl of the data gate blade A 408A interface controller 1206/1208 ports.
  • data gate blade B 408B fails, the data manager blades 406 program portl of the application server blade A 402A third/fourth interface controllers 746/748 to take over the identities of port2 of the data gate blade B 408B interface controller 1206/1208 ports.
  • the embodiment of Figure 24 may be Docket CHAP.0115 92 particularly advantageous for out-of-band server applications, such as a data backup or data snapshot application, in which server fault-tolerance is not as crucial as in other applications, but where high data availability to the storage devices 112 by the external devices 322 is crucial.
  • I/O interfaces typically impose a limit on the number of storage devices that may be connected on an interface.
  • the number of FC devices that may be connected on a single FC arbitrated loop is 127.
  • a potential disadvantage of placing all the storage devices 112 on the two arbitrated loops rather than four arbitrated loops as in Figure 23 is that potentially half the number of storage devices may be coupled to the storage appliance 202.
  • Another potential disadvantage is that the storage devices 112 must share the bandwidth of two arbitrated loops rather than the bandwidth of four arbitrated loops.
  • the embodiment of Figure 24 has the potential advantage of being lower cost than the embodiments of Figure 12 and/or Figure 23.
  • FIG 25 a block diagram illustrating the computer network 200 of Figure 2 and portions of the storage appliance 202 of Figure 12 and in detail one embodiment of the port combiner 842 of Figure 8 is shown.
  • the storage appliance 202 includes the chassis 414 of Figure 4 enclosing various elements of the storage appliance 202.
  • the storage appliance 202 also illustrates one of the application server blade 402 expansion I/O connectors 754 of Figure 7.
  • Figure 25 also includes an external device 322 of Figure 3 external to the chassis 414 Docket CHAP.0115 93 with one of its ports coupled to the expansion I/O connector 754.
  • the expansion I/O connector 754 is coupled to the port combiner 842 by an I/O link 2506.
  • the I/O link 2506 includes a transmit signal directed from the expansion I/O connector 754 to the port combiner 842, and a receive signal directed from the port combiner 842 to the expansion I/O connector 754.
  • the storage appliance 202 also includes the application server blade 402 CPU subsystem 714 coupled to an application server blade 402 second interface controller 744 via PCIX bus 724, the data manager blade A 406A CPU 702 coupled to the application server blade 402 third interface controller 746 via PCIX bus 516, and the data manager blade B 406B CPU 702 coupled to the application server blade 402 fourth interface controller 748 via PCIX bus 516, all of Figure 7.
  • the storage appliance 202 also includes the application server blade 402 CPLD 712 of Figure 7. One port of each of the I/O interface controllers 744/746/748 is coupled to the port combiner 842 by a respective I/O link 2506.
  • the port combiner 842 comprises a FibreChannel arbitrated loop hub.
  • the arbitrated loop hub includes four FC port bypass circuits (PBCs), or loop resiliency circuits (LRCs), denoted 2502A, 2502B, 2502C, 2502D.
  • PBCs FC port bypass circuits
  • LRCs loop resiliency circuits
  • Each LRC 2502 includes a 2-input multiplexer. The four multiplexers are coupled in a serial loop.
  • multiplexer 2502A is coupled to one input of multiplexer 2502B
  • the output of multiplexer 2502B is coupled to one input of multiplexer 2502C
  • the output of multiplexer 2502C is coupled to one Docket CHAP.0115 94 input of multiplexer 2502D
  • the output of multiplexer 2502D is coupled to one input of multiplexer 2502A.
  • the second input of multiplexer 2502A is coupled to receive the transmit signal of the I/O link 2506 coupled to the second interface controller 744 port; the second input of multiplexer 2502B is coupled to receive the transmit signal of the I/O link 2506 coupled to the third interface controller 746 port; the second input of multiplexer 2502C is coupled to receive the transmit signal of the I/O link 2506 coupled to the fourth interface controller 748 port; and the second input of multiplexer 2502D is coupled to receive the transmit signal of the I/O link 2506 coupled to the expansion I/O connector 754.
  • the output of multiplexer 2502D is provided as the receive signal of the I/O link 2506 to the second I/O interface controller port 744; the output of multiplexer 2502A is provided as the receive signal of the I/O link 2506 to the third I/O interface controller port 746; the output of multiplexer 2502B is provided as the receive signal of the I/O link 2506 to the fourth I/O interface controller port 748; the output of multiplexer 2502C is provided as the receive signal of the I/O link 2506 to the expansion I/O connector 754. [00177] Each multiplexer 2502 also receives a bypass control input 2512 that selects which of the two inputs will be provided on the output of the multiplexer 2502.
  • the application server blade 402 CPU subsystem 714 provides the bypass control 2512 to multiplexer 2502A; the data manager blade A 406A CPU 702 provides the bypass control 2512 to multiplexer 2502B; the data manager blade B 406B CPU 702 provides the bypass control 2512 to multiplexer Docket CHAP.0115 95
  • a value is generated on the respective bypass signal 2512 to cause the respective multiplexer 2502 to select the output of the previous multiplexer 2502, i.e., to bypass its respective interface controller 744/746/748 I/O port, if the I/O port is not operational; otherwise, a value is generated on the bypass signal 2512 to cause the multiplexer 2502 to select the input receiving the respective I/O link 2506 transmit signal, i.e., to enable the respective I/O port on the arbitrated loop.
  • the application server blade 402 CPU 714, data manager blade A 406A CPU 702, and data manager blade B 406B CPU 702 each diagnose their respective I/O interface controller 744/746/748 to determine whether the respective I/O port is operational and responsively control the bypass signal 2512 accordingly. Furthermore, if at any time during operation of the storage appliance 202 the CPU 714/702/702 determines the I/O port is not operational, the CPU 714/702/702 generates a value on the bypass signal 2512 to bypass the I/O port.
  • the CPLD 712 receives a presence detected signal 2508 from the expansion I/O connector 754 to determine whether an I/O link, such as a FC cable, is plugged into the expansion I/O connector 754.
  • the port combiner 842 also includes a signal detector 2504 coupled to receive the transmit signal of the I/O link 2506 coupled to the expansion I/O connector 754.
  • the signal detector 2504 samples the transmit signal and Docket CHAP.0115 96 generates a true value if a valid signal is detected thereon.
  • the CPLD 712 generates a value on its bypass signal 2512 to cause multiplexer 2502D to select the output of multiplexer 2502C, (i.e., to bypass the expansion I/O connector 754, and consequently to bypass the I/O port in the external device 322 that may be connected to the expansion I/O connector 754) , if either the presence detected signal 2508 or signal detected signal 2514 are false; otherwise, the CPLD 712 generates a value on its bypass signal 2512 to cause multiplexer 2502D to select the input receiving the transmit signal of the I/O link 2506 coupled to the expansion I/O connector 754 (i.e., to enable the external device 322 I/O port on the FC arbitrated loop) .
  • the CPLD 712 generates the bypass signal 2512 in response to the application server blade 402 CPU 702 writing a control value to the CPLD 712.
  • Figure 25 describes an embodiment in which the port combiner 842 of Figure 8 is a FibreChannel hub, other embodiments are contemplated.
  • the port combiner 842 may include, but is not limited to, a FC switch or hub, an Infiniband switch or hub, or an Ethernet switch or hub.
  • the I/O links 304 advantageously enable redundant application servers 306 to be coupled to architecturally host-independent, or stand-alone, redundant storage controllers 308.
  • the port combiner 842 advantageously enables the I/O links 304 between the application servers 306 and storage controllers 308 to be externalized beyond the chassis 414 to external devices 322. This advantageously enables the integrated Docket CHAP.0115 97 application servers 306 to access the external devices 322 and enables the external devices 322 to directly access the storage controllers 308.
  • the I/O links 304 between the second I/O interface controller 744 and the third and fourth I/O interface controllers 746/748 is FibreChannel
  • other interfaces may be employed.
  • a high-speed Ethernet or Infiniband interface may be employed.
  • the second interface controller 744 is an interface controller that already has a device driver for the operating system or systems to be run on the application server blade 402, then an advantage is gained in terms of reduced software development.
  • Device drivers for the QLogic ISP2312 have already been developed for many popular operating systems, for example. This advantageously reduces software development time for employment of the application server blade 402 embodiment described.
  • a link type between the second interface controller 744 and the third and fourth interface controllers 746/748 which supports protocols that are frequently used by storage application software to communicate with external storage controllers, such as FibreChannel, Ethernet, or Infiniband since they support the SCSI protocol and the internet protocol (IP) , for example.
  • a link type should be selected which provides the bandwidth needed to transfer data according to the rate requirements of the application for which the storage appliance 202 is sought to be used. Docket CHAP.0115 98
  • the local buses 516 between the various blades of storage appliance 202 is PCIX
  • other local buses may be employed, such as PCI, CompactPCI, PCI-Express, PCI- X2 bus, EISA bus, VESA bus, Futurebus, VME bus, MultiBus, RapidIO bus, AGP bus, ISA bus, 3GIO bus, HyperTransport bus, or any similar local bus capable of transferring data at a high rate.
  • the sustainable data rate requirements may be very high, requiring a very high data bandwidth link between the controllers 744 and 746/748 and very high data bandwidth local buses.
  • Embodiments are contemplated in which some of the functions of the traditional servers 104 may also be integrated into the network storage appliance 202 and executed by the application server blade 402 described herein, particularly for applications in which the hardware Docket CHAP.0115 99 capabilities of the application server blade 402 are sufficient to support the traditional server 104 application. That is, although embodiments have been described in which storage application servers are integrated into the network storage appliance chassis 414, it is understood that the software applications traditionally executed on the traditional application servers 104 may also be migrated to the application server blades 402 in the network storage appliance 202 chassis 414 and executed thereon.
  • Figure 26 a block diagram illustrating the storage appliance 202 of Figure 2 is shown.
  • Figures 26 and 27 are similar to Figure 17 in many respects; however, whereas Figure 17 illustrates an apparatus for enabling a data manager blade 406 to deterministically kill an application server blade 402, Figures 26 and 27 illustrate an apparatus for enabling an application server blade 402 to deterministically kill the other application server blade 402.
  • the storage appliance 202 of Figure 26 includes application server blade A 402A, application server blade B 402B, data manager blade A 406A, data manager blade B 406B, and backplane 412 of Figure 4.
  • the storage appliance 202 also includes a heartbeat link 1702 coupling application server blade A 402A and application server blade B 402B.
  • the heartbeat link 1702 of Figure 26 serves a similar function as the heartbeat link 1702 of Figure 17.
  • the heartbeat link 1702 may comprise a link external to the storage appliance 202 chassis 414 of Figure 4, such as an Ethernet link coupling an Ethernet port of the Ethernet interface Docket CHAP.0115 100 controller 732 of Figure 7 of each of the application server blades 402, or such as a FC link coupling a FC port of the first FC interface controller 742 of Figure 7 of each of the application server blades 402, or any other suitable communications link for transmitting and receiving a heartbeat.
  • Application server blade A 402A transmits on heartbeat link 1702 to application server blade B 402B an A-to-B link heartbeat 1744
  • application server blade B 402B transmits on heartbeat link 1702 to application server blade A 402A a B-to-A link heartbeat 1742. That is, when application server blade A 402A is operational, it generates a heartbeat to application server blade B 402B via A-to-B link heartbeat 1744. Similarly, when application server blade B 402B is operational, it generates a heartbeat to application server blade A 402A via B-to-A link heartbeat 1742.
  • the application server blades 402 and data manager blades 406 are interconnected via the PCIX buses 516 as shown in Figure 7.
  • Each of the application server blades 402 receives a blade present status indicator 2652 for each of the blade slots of the chassis 414.
  • Each of the blade present status indicators 2652 indicates whether or not a blade - such as the application server blades 402, data manager blades 406, and data gate blades 408 - are present in the respective slot of the chassis 414. That is, whenever a blade is removed from a slot of the chassis 414, the corresponding blade present status indicator 2652 indicates the slot is empty, and whenever a blade is inserted into a slot of the chassis 414, the corresponding Docket CHAP.0115 101 blade present status indicator 2652 indicates that a blade is present in the slot.
  • Application server blade B 402B generates a kill A-by-B control 2612 provided to application server blade A 402A to kill, or inactivate, or disable application server blade A 402A.
  • killing or inactivating application server blade A 402A denotes inactivating or disabling the I/O ports of the server portion 308 of the application server blade A 402A coupling the application server blade A 402A to the network 114, particularly the ports of the interface controllers 732/742/744 of Figure 7.
  • application server blade A 402A generates a kill B-by-A control 2614 provided to application server blade B 402B to kill application server blade B 402B.
  • each application server blade 402 also provides a status indicator to each of the data manager blades 406 indicating whether it killed the other application server blade 402.
  • Each of the application server blades 402 includes the CPU 714 of Figure 7.
  • Each of the application server blades 402 also includes a shield circuit 2602.
  • the shield 2602 of application server blade A 402A receives an enable control 2604 from the CPO 714 and kill A-by-B control 2612.
  • Shield 2602 generates a reset signal 2606 that is coupled to the reset input of I/O controllers 732/742/744 to disable, or inactivate, them and in particular to disable their I/O ports from communicating on the network 114.
  • the shield 2602 comprises logic that generates a value on the reset control 2606 to disable the I/O controllers 732/742/744 when Docket CHAP.0115 102 application server blade B 402B indicates via kill A-by-B control 2612 that application server blade A 402A should be killed.
  • shield 2602 only disables the I/O controllers 732/742/744 if CPU 714 has not enabled shield 2602 via enable control 2604; otherwise, shield 2602 does not reset the I/O controllers 732/742/744.
  • Shield 2602 of application server blade B 402B operates similarly to shield 2602 of application server blade A 402, but in response to kill B-by-A control 2614 rather than kill A-by- B control 2612.
  • the reset controls 2606 also reset the CPU 714.
  • each shield 2602 is disabled at reset.
  • the kill signals 2612/2614 comprise a plurality of digital signals, thereby- enabling a plurality of different states to be transmitted thereon.
  • application server blade 402 kills the other application server blade 402 by generating a predetermined sequence of states on the kill signal 2612/2614.
  • the application server blade 402 shield 2602 includes a state machine that recognizes the predetermined sequence of states and disables the I/O controllers 732/742/744 via the reset control 2606 in response to detecting the predetermined sequence, if the shield 2602 is disabled.
  • An advantage of this embodiment is that it reduces the likelihood that an application server blade 402 that is not functioning properly will accidentally or unintentionally kill the other application server blade 402, which might occur if the CPUs 714 could invoke the kill signals 2612/2614 by simply setting a bit in a control register. For example, a bug in an Docket CHAP.0115 103 application software program executing on one application server blade 402 or a hardware error in the application server blade 402 might cause a write to the address of the control register that sets a bit to invoke the kill signal 2612/2614. However, in the embodiment, the likelihood of a bug in an application software program or a hardware error in the application server blade 402 causing the predetermined sequence of states to be generated on the kill signals 2612/2614 is highly unlikely.
  • the kill controls 2612/2614 deterministically inactivate the respective application server blade 402. That is, the kill controls '2612/2614 inactivate the application server blade 402 without requiring any operational intelligence or state of the application server blade 402, in contrast to the system of Figure 16, in which the failed storage application server 106 must still have enough operational intelligence to receive the command from the non-failed storage application server 106 to inactivate itself.
  • an application server blade 402 kills the other application server blade 402 by causing power to be removed from the other application server blade 402.
  • the kill controls 2612/2614 are provided on the backplane 412 to power modules, such as power manager blades 416 of Figure 4, and instruct the power modules to remove power from the application server blade 402 specified for killing.
  • FIG. 27 a block diagram illustrating the storage appliance 202 of Figure 2 according to an alternate embodiment is shown.
  • the storage Docket CHAP.0115 104 appliance 202 of Figure 27 is similar to the storage appliance 202 of Figure 26; however, the embodiment of Figure 27 does not have the external heartbeat link 1702 of Figure 26. Rather, the storage appliance 202 of Figure 27 comprises heartbeat paths 2742 and 2744, or status paths 2742 and 2744, that are internal to the storage appliance 202 chassis 414.
  • Application server blade B 402B transmits a heartbeat to application server blade A 402A via a heartbeat path 2742, denoted heartbeat B-to-A 2742 in Figure 27.
  • application server blade A 402A transmits a heartbeat to application server blade B 402B via a heartbeat path 2744, denoted heartbeat A-to-B 2744 in Figure 27.
  • the heartbeat paths 2742/2744 are comprised in the backplane 412.
  • a device driver sends the heartbeat over the internal paths 2742/2744.
  • the internal heartbeat paths 2742/2744 are extremely reliable and much more reliable than the external heartbeat link 1702 of Figure 26, in part because while the storage appliance 202 is operational they are not able to be removed by a user, such as an Ethernet, Infiniband, or FibreChannel cable is.
  • the application server blades 402 transmit a digital heartbeat signal toggling between two states via heartbeat paths 2742/2744.
  • the digital heartbeat signal is a low frequency signal.
  • the application Docket CHAP.0115 105 server blade 402 CPU 714 causes the heartbeat signal to be generated after determining that the application server blade 402 is functioning properly.
  • the status indicators and controls shown in Figures 26 and 27 are logically illustrated.
  • logical status indicators and controls of Figures 26 and 27 correspond to discrete signals on the backplane 412.
  • the signals are etched into the backplane 412.
  • other means may be employed to generate .the logical status indicators and controls.
  • the blade control interface (BCI) buses 718 and CPLDs 712 shown in Figures 7, 21, and 22 may be employed to generate and receive the logical status indicators and controls shown in Figures 26 and 27.
  • simple combinatorial logic may be employed to generate and receive the logical status indicators and controls shown in Figures 26 and 27.
  • the apparatus of Figures 26 and 27 do not require the application server blade 402 CPU 714 or I/O interface controllers 732/742/744 to be in a particular state or having a particular level of operational intelligence in order for the other application server blade 402 to inactivate them.
  • FIG. 28 a flowchart illustrating fault-tolerant active-active failover of the application server blades 402 of the storage appliance 202 of Figures 26 and 27 is shown. Flow begins at block 2802. Docket CHAP.0115 106
  • each application server blade 402 monitors the heartbeat of the other application server blade .402.
  • application server blade A 402A monitors the heartbeat of application server blade B 402B via B-to-A link heartbeat 1742
  • application server blade B 402B monitors the heartbeat of application server blade A 402A via A-to-B link heartbeat 1744.
  • application server blade A 402A monitors the heartbeat of application server blade B 402B via heartbeat B-to-A path 2742
  • application server blade B 402B monitors the heartbeat of application server blade A 402A via heartbeat A-to-B path 2744.
  • Flow proceeds to decision block 2804.
  • application server blade A 402A determines whether the heartbeat of application server blade B 402B has stopped. In one embodiment, application server blade A 402A also determines whether application server blade B 402B has been removed from the backplane 412 via blade present signals 2652. If the heartbeat of application server blade B 402B has stopped or application server blade B 402B has been removed from the backplane 412, flow proceeds to block 2806; otherwise, flow proceeds to decision block 2822.
  • application server blade A 402A raises its shield 2602. That is, CPU 714 enables its shield 2602 via enable control 2604, thereby preventing the reset of its I/O controllers 732/742/744 by the other application server blade 402. Flow proceeds to block 2808. [00197] At block 2808, application server blade A 402A kills application server blade B 402B via kill B-by-A control 2614. In particular, application server blade A Docket CHAP.0115 107
  • 402A causes the I/O ports of the interface controllers 732/742/744 of application server blade B 402B to be disabled or inactive on the network 114, thereby enabling application server blade A 402A to reliably assume the identity of application server blade B 402B on the network 114.
  • Flow proceeds to block 2812.
  • application server blade A 402A takes over the identity of application server blade B 402B on the network 114.
  • application server blade A 402A takes over the identity of application server blade B 402B on the network 114 by assuming the MAC address, IP address, and/or world wide name of the corresponding application server blade B 402B I/O ports.
  • the I/O ports may include, but are not limited to, FibreChannel ports, Ethernet ports, and Infiniband ports. Flow proceeds to decision block 2816.
  • application server blade A 402A determines whether application server blade B 402B has been replaced. In one embodiment, application server blade A 402A determines whether application server blade B 402B has been replaced by detecting a transition on the blade present status indicator 2652 of the slot corresponding to application server blade B 402B from present to not present and then to present again. If decision block 2816 was arrived at because of a failure of Docket CHAP.0115 108 the heartbeat link 1702 of Figure 26, then the administrator may repair the heartbeat link 1702, and then simply remove and then re-insert the killed application server blade B 402B. When application server blade B 402B has been replaced, flow proceeds to block 2818; otherwise, flow returns to decision block 2816.
  • application server blade A 402A unkills the replaced application server blade B 402B.
  • unkilling the replaced application server blade B 402B comprises releasing kill B-by-A control 2614 in order to bring the killed application server blade B 402B out of a reset state.
  • Flow returns to block 2802.
  • application server blade B 402B determines whether the heartbeat of application server blade A 402A has stopped. In one embodiment, application server blade B 402B also determines whether application server blade A 402A has been removed from the backplane 412 via blade present signals 2652. If the heartbeat of application server blade A 402A has stopped or application server blade A 402A has been removed from the backplane 412, flow proceeds to block 2824; otherwise, flow returns to block 2802.
  • application server blade B 402B kills application server blade A 402A via kill A-by-B control 2612. Flow proceeds to block 2826.
  • application server blade B 402B takes over the identity of application server blade A 402A on the network 114. Flow proceeds to decision block 2828. [00205] At decision block 2828, application server blade B 402B determines whether application server blade A 402A Docket CHAP.0115 109 has been replaced. If so, flow proceeds to block 2832; otherwise, flow returns to decision block 2828. [00206] At block 2832, application server blade B 402B unkills the replaced application server blade A 402A. Flow returns to block 2802.
  • the application server blade 402 shields 2606 provide a means for avoiding a situation in which the application server blades 402 kill one another.
  • application server blade A 402A will kill application server blade B 402B, but not vice versa, because application server blade B 402B does not raise its shield before attempting to kill application server blade A 402A.
  • Figure 28 assumes a convention in which application server blade A 402A is the primary and application server blade B 402B is the secondary with respect to a condition in which each application server blade 402 detects a stopped heartbeat of the other application server blade 402, in which each application server blade 402 would attempt to kill the other application server blade 402.
  • a different convention in which application server blade B 402B is the primary could be adopted.
  • the primary application server blade 402 is determined dynamically through negotiation between the application server blades 402.
  • the primary application server blade 402 is established based on which slot of the chassis 414 each application server blade 402 is plugged into. Docket CHAP.0115 110
  • an application server blade 402 comprises an application server portion 306 and a storage controller portion 308. Each of these portions may fail separately or together. In one case, only the application server 306 of an application server blade 402 fails. For example, a bug in the software executing on the application server 306 may cause this type of failure. In this case, the heartbeat of the failing application server 306 will stop, which will be detected by the ⁇ surviving application server blade 402. In response, the surviving application server blade 402 will kill the failed application server blade 402, thereby disabling the failed application server blade 402 CPU 714 and I/O controllers 732/742/744.
  • the third and fourth I/O controllers 746/748 of the application server blade 402 will continue to function. This enables the data manager blades 406 to continue to communicate on the network 114 via the expansion ports 754, thereby allowing the external devices 322 to access the storage devices 112 via each of the storage controllers 308.
  • the entire application server blade 402 fails, i.e., both the application server 306 and storage controller 308 portions.
  • a loss of power to the application server 306 may cause this type of failure.
  • the heartbeat of the failing application server 306 will stop, and the surviving application server blade 402 will kill the failed application server blade 402, as in the first case.
  • the third and fourth I/O controllers 746/748 of the application server blade 402 Docket CHAP.0115 111 will not continue to function.
  • the data manager blades 406 may continue to communicate on the network 114 via the expansion ports 754 of the surviving application server blade 402, thereby allowing the external devices 322 to access the storage devices 112 via each of the data manager blades 406.
  • the application server blade 402 In a third case, only the storage controller 308 portion of an application server blade 402 fails. In this case, the application server blade 402 will continue to generate a heartbeat to the other application server blade 402. However, in one embodiment, the application server blade 402 CPU 714 with the failed storage controller 308 portion times out after seeing no response from the third/fourth I/O controllers 746/748 or receives an indication that the FibreChannel link is down, and in response stops sending its heartbeat to the other application server blade 402, thereby forcing the other application server blade 402 to kill it.
  • the invention can be implemented in computer readable code (e.g., computer readable program code, data, etc.) embodied in a computer usable (e.g., readable) medium.
  • the computer code causes the enablement of the functions or fabrication or both of the invention disclosed herein. For example, this can be accomplished through the use of general programming languages (e.g., C, C++, JAVA, and the like) ; GDSII databases; hardware description languages (HDL) including Verilog HDL, VHDL, Altera HDL (AHDL) , and so on; or oth.er programming and/or circuit (i.e., schematic) capture tools available in the art.
  • general programming languages e.g., C, C++, JAVA, and the like
  • HDL hardware description languages
  • HDL including Verilog HDL, VHDL, Altera HDL (AHDL)
  • AHDL Altera HDL
  • circuit i.e., schematic
  • the computer code can be disposed in any known computer usable (e.g., readable) medium including semiconductor memory, magnetic disk, optical disk (e.g., CD-ROM, DVD-ROM, and the like) , and as a computer data signal embodied in a computer usable (e.g., readable) transmission medium (e.g., carrier wave or any other medium including digital, optical or analog-based medium) .
  • a computer usable (e.g., readable) transmission medium e.g., carrier wave or any other medium including digital, optical or analog-based medium
  • the computer code can be transmitted over communication networks, including Internets and intranets.
  • the invention can be embodied in computer code and transformed to hardware as part of the production of integrated circuits. Also, the invention may be embodied as a combination of hardware and computer code. Docket CHAP.0115 113

Abstract

Deterministic active-active failover of redundant server blades hot-pluggable into a backplane of a network storage appliance chassis is disclosed. Each server monitors the other's heartbeat on a respective path in the backplane. Other paths between the two servers on the backplane enable one server to reliably kill the other server and take over its identity on the network in response to detecting a stopped heartbeat of the other server. The apparatus is superior to a conventional heartbeat link between servers in separate chassis, such as an Ethernet cable, because it is not prone to user removal or damage since the backplane cannot be removed by a user while the appliance is operational and enables each server to know a true heartbeat failure has occurred, as opposed to failure of a conventional external heartbeat link causing each server to each think the other has failed.

Description

DETEBMINI STICALLY
PEKFOBMING ACTIVE- ACTIVE FAILOVER OF REDUNDANT SERVERS IN A NETWORK STOBAGE APPLIANCE toy
Ian Robert Davies
CROSS REFERENCE EO RELATED APPIiICAIION(S)
[0001] This application is a continuation-in-part of the following U.S. Applications which, are hereby incorporated by reference in their entirety for all purposes:
Figure imgf000003_0001
r » A-
£'U- r yuIs8sϋS£-ύ.Vώ-* Docket CHAP.0115
Figure imgf000004_0001
Each of the above applications claims priority to the following U.S. Provisional Applications:
Figure imgf000004_0002
This application claims the benefit of the following U.S. Provisional Application which is incorporated herein by reference for all intents and purposes:
Figure imgf000004_0003
FIELD OF THE INVENTION
[0002] This invention relates in general to the field of network storage in a computer network and particularly to the integration of server computers into a network storage appliance.
BACKGROUND OF THE INVENTION
[0003] Historically, computer systems have each included their own storage within the computer system enclosure, or chassis, or ^box." A typical computer system included a hard disk, such as an IDE or SCSI disk, directly attached Docket CHAP.0115 3 to a disk controller, which was in turn connected to the motherboard by a local bus. This model is commonly referred to as direct attached storage (DAS) . [0004] However, this model has certain disadvantages in an enterprise, such as a business or university, in which many computers are networked together, each having its own DAS. One potential disadvantage is the inefficient use of the storage devices. Each computer may only use a relatively small percentage of the space on its disk drive with the remainder of the space being wasted. A second potential disadvantage is the difficulty of managing the storage devices for the potentially many computers in the network. A third potential disadvantage is that the DAS model does not facilitate applications in which the various users of the network need to access a common large set of data, such as a database. These disadvantages, among others, have caused a trend toward more centralized, shared storage in computer networks.
[0005] Initially the solution was to employ centralized servers, such as file servers, which included large amounts of storage shared by the various workstations in the network. That is, each server had its own DAS that was shared by the other computers in the network. The centralized server DAS could be managed more easily by network administrators since it presented a single set of storage to manage, rather than many smaller storage sets on each of the individual workstations. Additionally, the network administrators could monitor the amount of storage space needed and incrementally add storage devices on the server DAS on an as-needed basis, thereby more efficiently Docket CHAP.0115 4 using storage device space. Furthermore, because the data was centralized, all the users of the network who needed to access a database, for example, could do so without overloading one user's computer.
[0006] However, a concurrent trend was toward a proliferation of servers. Today, many enterprises include multiple servers, such as a file server, a print server, an email server, a web server, a database server, etc., and potentially multiple of each of these types of servers . Consequently, the same types of problems that existed with the workstation DAS model existed again with the server DAS model.
[0007] Network attached storage (NAS) and storage area network (SAN) models were developed to address this problem. In a NAS/SAN model, a storage controller that controls storage devices (typically representing a large amount of storage) exists as a distinct entity on a network, such as an Ethernet or FibreChannel network, that is accessed by each of the servers in the enterprise. That is, the servers share the storage controlled by the storage controller over the network. In the NAS model, the storage controller presents the storage at a filesystem level, whereas in the SAN model, the storage controller presents the storage at a block level, such as in the SCSI block level protocol. The NAS/SAN model provides similar solutions to the fileserver DAS model problems that the fileserver DAS model provided to the workstation DAS problems. In the NAS/SAN model, the storage controllers have their own enclosures, or chassis, or boxes, discrete from the server boxes. Each chassis provides its own power Docket CHAP.0115 5 and cooling, and since the chassis are discrete, they require networking cables to connect them, such as Ethernet or FibreChannel cables.
[0008] Another recent trend is toward storage application servers. In a common NAS/SAN model, one or more storage application servers resides in the network between the storage controller and the other servers, and executes storage software applications that provided value- added storage functions that benefit all of the servers accessing the common storage controller. These storage applications are also commonly referred to as "middleware." Examples of middleware include data backup, remote mirroring, data snapshot, storage virtualization, data replication, hierarchical storage management (HSM) , data content caching, data storage provisioning, and file service applications. The storage application servers provide a valuable function; however, they introduce yet another set of discrete separately powered and cooled boxes that must be managed, require additional space and cost, and introduce additional cabling in the network. [0009] Therefore, what is needed is a way to improve the reliability and manageability and reduce the cost and physical space of a NAS/SAN system. It is also desirable to obtain these improvements in a manner that capitalizes on the use of existing software to minimize the amount of software development necessary, thereby achieving improved time to market and a reduction in development cost and resources . Docket CHAP.0115 6
BRIEF SUMMARY OF INVENTION
[0010] In one aspect, the present invention provides a network storage appliance for deterministically performing active-active failover of redundant servers enclosed therein. The network storage appliance includes redundant servers, each having at least one unique ID for communicating on a network. The network storage appliance also includes at least one storage controller, coupled to the redundant servers, for transferring data between storage devices and the servers. The network storage appliance also includes a backplane. The storage controller and servers comprise a plurality of blades for plugging into the backplane. The network storage appliance also includes first and second status paths, comprised in the backplane, each for providing a heartbeat from one of the servers to the other server. Each of the servers is configured to deterministically disable the other server from communicating on the network in response to detecting that the heartbeat of the other server has stopped, and to assume the unique ID of the other server for communicating on the network thereafter.
[0011] In another aspect, the present invention provides a network storage appliance for deterministically performing active-active failover of redundant servers enclosed therein. The network storage appliance includes a chassis and redundant servers, enclosed in the chassis, each having at least one unique ID for communicating on a network. The network storage appliance also includes at least one storage controller, enclosed in the chassis, coupled to the redundant servers, for transferring data Docket CHAP.0115 7 between storage devices and the servers. The network storage appliance also includes first and second status paths, enclosed in the chassis, each for providing a heartbeat from one of the servers to the other server. Each of the servers is configured to deterministically disable the other server from communicating on the network in response to detecting that the heartbeat of the other server has stopped, and to assume the unique ID of the other server for communicating on the network thereafter. [0012] In another aspect, the present invention provides an apparatus for deterministically performing active-active failover of redundant servers integrated with at least one storage controller into a network storage appliance chassis, each of the servers being configured to communicate with computers on a network. The apparatus includes a backplane, enclosed in the chassis, configured to receive a plurality of hot-pluggable blades comprising the servers and storage controller. The apparatus also includes two heartbeat paths comprised in the backplane, each for conveying a respective heartbeat signal from one of the servers to the other server. The apparatus also includes two kill paths on the backplane, each for conveying a signal for inactivating the other server from communicating on the network in response to detecting the heartbeat of the other server has stopped. The inactivating server is configured to take over the identity of the inactivated server on the network after inactivating the other server.
[0013] In another aspect, the present invention provides a method for deterministically performing active-active Docket CHAP.0115 8 failover of first and second redundant servers integrated into a network storage appliance chassis . The method includes the second server receiving a second heartbeat signal from the first server via a second signal path etched into a backplane of the chassis. The method also includes the first server detecting that the first heartbeat signal has stopped. The method also includes the first server generating a kill signal to the second server to disable the second server from communicating on a network, in response to detecting the first heartbeat signal has stopped. The method also includes the first server taking over the identity of the second server on the network, after generating the kill signal.
[0014] In another aspect, the present invention provides a network storage appliance for deterministically performing active-active failover of redundant servers ■enclosed therein. The network storage appliance includes redundant servers, each having at least one unique ID for communicating on a network. The network storage appliance also includes at least one storage controller, coupled to the redundant servers, for transferring data between storage devices and the servers . The network storage appliance also includes a backplane. The storage controller and servers comprise a plurality of blades for plugging into the backplane. The network storage appliance also includes first and second status paths, comprised in the backplane, each for providing an indication of whether a respective one of the servers is present in the backplane. Each of the servers is configured to deterministically disable the other server from Docket CHAP.0115 9 communicating on the network in response to detecting via the indication that the other server has been removed from the backplane, and to assume the unique ID of the other server for communicating on the network thereafter. [0015] An advantage of the present invention is that by- disposing the heartbeat paths within the chassis backplane, rather than external to the chassis such as in an Ethernet cable, the probability that both heartbeat paths will fail simultaneously when the servers are still operable is extremely low. That is, the possibility of a "split brains" condition is made extremely low by including the heartbeat paths in the chassis backplane, particularly relative to an external cable which is susceptible to user removal at inappropriate times or to damage by a user. This is possible due to the integration of the redundant servers into the network storage appliance chassis . Particularly where the network storage appliance has been tested to work, the likelihood of a subsequent failure of the heartbeat path within the backplane is extremely low.
BRIEF DESCRIPTION OF THE DRAWINGS
[0016] FIGURE 1 is a diagram of a prior art computer network.
[0017] FIGURE 2 is a diagram of a computer network according to the present invention.
[0018] FIGURE 3 is a block diagram illustrating the computer network of Figure 2 including the storage appliance of Figure 2.
[0019] FIGURE 4 is a block diagram of one embodiment of the storage appliance of Figure 3. Docket CHAP.0115 10
[0020] FIGURE 5 is a block diagram of one embodiment of the storage appliance of Figure 4 illustrating the interconnection of the various local bus interconnections of the blade modules of Figure 4.
[0021] FIGURE 6 is a block diagram illustrating the logical flow of data through the storage appliance of
Figure 4.
[0022] FIGURE 7 is a block diagram of one embodiment of the storage appliance of Figure 5 illustrating the application server blades and data manager blades in more detail.
[0023] FIGURE 8 is a block diagram illustrating one embodiment of the application server blade of Figure 7.
[0024] FIGURE 9 is a diagram illustrating the physical layout of a circuit board of one embodiment of the application server blade of Figure 8.
[0025] FIGURE 10 is an illustration of one embodiment of the faceplate of the application server blade of Figure 9.
[0026] FIGURE 11 is a block diagram illustrating the software architecture of the application server blade of
Figure 8.
[0027] FIGURE 12 is a block diagram illustrating the storage appliance of Figure 5 in a fully fault-tolerant configuration in the computer network of Figure 2.
[0028] FIGURE 13 is a block diagram illustrating the computer network of Figure 12 in which a data gate blade has failed.
[0029] FIGURE 14 is a block diagram illustrating the computer network of Figure 12 in which a data manager blade has failed. Docket CHAP.0115 11
[0030] FIGURE 15 is a block diagram illustrating the computer network of Figure 12 in which an application server blade has failed.
[0031] FIGURE 16 is a diagram of a prior art computer network.
[0032] FIGURE 17 is a block diagram illustrating the storage appliance of Figure 2.
[0033] FIGURE 18 is a flowchart illustrating fault- tolerant active-active failover of the application server blades of the storage appliance of Figure 17. [0034] FIGURE 19 is a flowchart illustrating fault- tolerant active-active failover of the application server blades of the storage appliance of Figure 17. [0035] FIGURE 20 is a flowchart illustrating fault- tolerant active-active failover of the application server blades of the storage appliance of Figure 17 according to an alternate embodiment.
[0036] FIGURE 21 is a block diagram illustrating the interconnection of the various storage appliance blades via the BCI buses of Figure 7.
[0037] FIGURE 22 is a block diagram illustrating the interconnection of the various storage appliance blades via the BCI buses of Figure 7 and discrete reset signals according to an alternate embodiment.
[0038] FIGURE 23 is a block diagram illustrating an embodiment of the storage appliance of Figure 2 comprising a single application server blade.
[0039] FIGURE 24 is a block diagram illustrating an embodiment of the storage appliance of Figure 2 comprising a single application server blade. Docket CHAP.0115 12
[0040] FIGURE 25 is a block diagram illustrating the computer network of Figure 2 and portions of the storage appliance of Figure 12 and in detail one embodiment of the port combiner of Figure 8.
[0041] FIGURE 26 is a block diagram illustrating the storage appliance of Figure 2.
[0042] FIGURE 27 is a block diagram illustrating the storage appliance of Figure 2 according to an alternate embodiment.
[0043] FIGURE 28 is a flowchart illustrating fault- tolerant active-active failover of the application server blades of the storage appliance of Figures 26 and 27.
DETAILED DESCRIPTION
[0044] Referring now to Figure 1, a diagram of a prior art computer network 100 is shown. The computer network 100 includes a plurality of client computers 102 coupled to a plurality of traditional server computers 104 via a network 114. The network 114 components may include switches, hubs, routers, and the like. The computer network 100 also includes a plurality of storage application servers 106 coupled to the traditional servers 104 via the network 114. The computer network 100 also includes one or more storage controllers 108 coupled to the storage application servers 106 via the network 114. The computer network 100 also includes storage devices 112 coupled to the storage controllers 108.
[0045] The clients 102 may include, but are not limited to workstations, personal computers, notebook computers, or personal digital assistants (PDAs), and the like. Typically, the clients 102 are used by end users to perform Docket CHAP.0115 13 computing tasks, including but not limited to, word processing, database access, data entry, email access, internet access, spreadsheet access, graphic development, scientific calculations, or any other computing tasks commonly performed by users of computing systems. The clients 102 may also include a computer used by a system administrator to administer the various manageable elements of the network 100. The clients 102 may or may not include direct attached storage (DAS), such as a hard disk drive. [0046] Portions of the network 114 may include, but are not limited to, links, switches, routers, hubs, directors, etc. performing the following protocols: FibreChannel (FC), Ethernet, Infiniband, TCP/IP, Small Computer Systems Interface (SCSI), HIPPI, Token Ring, Arcnet, FDDI, LocalTalk, ESCON, FICON, ATM, Serial Attached SCSI (SAS), Serial Advanced Technology Attachment (SATA), and the like, and relevant combinations thereof.
[0047] The traditional servers 104 may include, but are not limited to file servers, print servers, enterprise servers, mail servers, web servers, database servers, departmental servers, and the like. Typically, the traditional servers 104 are accessed by the clients 102 via the network 114 to access shared files, shared databases, shared printers, email, the internet, or other computing services provided by the traditional servers 104. The traditional servers 104 may or may not include direct attached storage (DAS), such as a hard disk drive. However, at least a portion of the storage utilized by the traditional servers 104 comprises detached storage provided Docket CHAP.0115 14 on the storage devices 112 controlled by the storage controllers 108.
[0048] The storage devices 112 may include, but are not limited to, disk drives, tape drives, or optical drives. The storage devices 112 may be grouped by the storage application servers 106 and/or storage controllers 108 into logical storage devices using any of well-known methods for grouping physical storage devices, including but not limited to mirroring, striping, or other redundant array of inexpensive disks (RAID) methods. The logical storage devices may also comprise a portion of a single physical storage device or a portion of a grouping of storage devices.
[0049] The storage controllers 108 may include, but are not limited to, a redundant array of inexpensive disks (RAID) controller. The storage controllers 108 control the storage devices 112 and interface with the storage application servers 106 via the network 114 to provide storage for the traditional servers 104.
[0050] The storage application servers 106 comprise computers capable of executing storage application software, such as data backup, remote mirroring, data snapshot, storage virtualization, data replication, hierarchical storage management (HSM) , data content caching, data storage provisioning, and file service applications.
[0051] As may be observed from Figure 1, in the prior art computer network 100 the storage application servers 106 are physically discrete from the storage controllers 108. That is, they reside in physically discrete Docket CHAP.0115 15 enclosures, or chassis. Consequently, network cables must be run externally between the two or more chassis to connect the storage controllers 108 and the storage application servers 106. This exposes the external cables for potential damage, for example by network administrators, thereby jeopardizing the reliability of the computer network 100. Also, the cabling may be complex, and therefore prone to be connected incorrectly by users. Additionally, there is cost and space associated with each chassis of the storage controllers 108 and the storage application servers 106, and each chassis must typically include its own separate cooling and power system. Furthermore, the discrete storage controllers 108 and storage application servers 106 constitute discrete entities to be configured and managed by network administrators. However, many of these disadvantages are overcome by the presently disclosed network storage appliance of the present invention, as will now be described.
[0052] Referring now to Figure 2, a diagram of a computer network 200 according to the present invention is shown. In one embodiment, the clients 102, traditional servers 104, storage devices 112, and network 114 are similar to like-numbered elements of Figure 1. The computer network 200 of Figure 2 includes a network storage appliance 202, which integrates storage application servers and storage controllers in a single chassis. The storage appliance 202 is coupled to the traditional servers 104 via the network 114, as shown, to provide detached storage, such as storage area network (SAN) storage or network Docket CHAP.0115 16 attached storage (NAS) , for the traditional servers 104 by controlling the storage devices 112 coupled to the storage appliance 202. Advantageously, the storage appliance 202 provides the traditional servers 104 with two interfaces to the detached storage: one directly to the storage controllers within the storage appliance 202, and another to the servers integrated into the storage appliance 202 chassis, which in turn directly access the storage controllers via internal high speed I/O links within the storage appliance 202 chassis. In one embodiment, the servers and storage controllers in the storage appliance 202 comprise redundant hot-replaceable field replaceable units (FRUs), thereby providing fault-tolerance and high data availability. That is, one of the redundant FRUs may¬ be replaced during operation of the storage appliance 202 without loss of availability of the data stored on the storage devices 112. However, single storage controller and single server embodiments are also contemplated. Advantageously, the integration of the storage application servers into a single chassis with the storage controllers provides the potential for improved manageability, lower cost, less space, better diagnosability, and better cabling for improved reliability.
[0053] Referring now to Figure 3, a block diagram illustrating the computer network 200 of Figure 2 including the storage appliance 202 of Figure 2 is shown. The computer network 200 includes the clients 102 and/or traditional servers 104 of Figure 2, referred to collectively as host computers 302, networked to the storage appliance 202. The computer network 200 also Docket CHAP,0115 17 includes external devices 322 networked to the storage appliance 202, i.e., devices external to the storage appliance 202. The external devices 322 may include, but are not limited to, host computers, tape drives or other backup type devices, storage controllers or storage appliances, switches, routers, or hubs. The computer network 200 also includes the storage devices 112 of Figure 2 coupled to the storage appliance 202. The storage appliance 202 includes application servers 306 coupled to storage controllers 308. The host computers 302 are coupled to the application servers 306, and the storage devices 112 are coupled to the storage controllers 308. In one embodiment, the application servers 306 are coupled to the storage controllers 308 via high speed I/O links 304, such as FibreChannel, Infiniband, or Ethernet links, as described below in detail. The high speed I/O links 304 are also provided by the storage appliance 202 external to its chassis 414 (of Figure 4) via port combiners 842 (shown in Figure 8) and expansion I/O connectors 754 (shown in Figure 7) to which the external devices 1232 are coupled. The externalizing of the I/O links 304 advantageously enables the storage controllers 308 to be directly accessed by other external network devices 322, such as the host computers, switches, routers, or hubs. Additionally, the externalizing of the I/O links 304 advantageously enables the application servers 306 to directly access other external storage devices 322, such as tape drives, storage controllers, or other storage appliances, as discussed below. Docket CHAP.0115 18
[0054] The application servers 306 execute storage software applications, such as those described above that are executed by the storage application servers 106 of Figure 1. However, other embodiments are contemplated in which the application servers 306 execute software applications such as those described above that are executed by the traditional servers 104 of Figure 1. In these embodiments, the hosts 302 may comprise clients 102 such as those of Figure 2 networked to the storage appliance 202. The storage controllers 308 control the storage devices 112 and interface with the application servers 306 to provide storage for the host computers 302 and to perform data transfers between the storage devices 112 and the application servers 306 and/or host computers 302. The storage controllers 308 may include, but' are not limited to, redundant array of inexpensive disks (RAID) controllers .
[0055] Referring now to Figure 4, a block diagram of one embodiment of the storage appliance 202 of Figure 3 is shown. The storage appliance 202 includes a plurality of hot-replaceable field replaceable units (FRUs) , referred to as modules or blades, as shown, enclosed in a chassis 414. The blades plug into a backplane 412, or mid-plane 412, enclosed in the chassis 414 which couples the blades together and provides a communication path between them. In one embodiment, each of the blades plugs into the same side of the chassis 414. In one embodiment, the backplane 412 comprises an active backplane. In one embodiment, the backplane 412 comprises a passive backplane. In the embodiment of Figure 4, the blades include two power Docket CHAP.0115 19 manager blades 416 (referred to individually as power manager blade A 416A and power manager blade B 416B) , two power port blades 404 (referred to individually as power port blade A 404A and power port blade B 404B) , two application server blades 402 (referred to individually as application server blade A 402A and application server blade B 402B) , two data manager blades 406 (referred to individually as data manager blade A 406A and data manager blade B 406B) , and two data gate blades 408 (referred to individually as data gate blade A 408A and data gate blade B 408B) , as shown.
[0056] The power manager blades 416 each comprise a power supply for supplying power to the other blades in the storage appliance 202. In one embodiment, each power manager blade 416 comprises a 240 watt AC-DC power supply. In one embodiment, the power manager blades 416 are redundant. That is, if one of the power manager blades 416 fails, the other power manager blade 416 continues to provide power to the other blades in order to prevent failure of the storage appliance 202, thereby enabling the storage appliance 202 to continue to provide the host computers 302 access to the storage devices 112. [0057] The power port blades 404 each comprise a cooling system for cooling the blades in the chassis 414. In one embodiment, each of the power port blades 404 comprises direct current fans for cooling, an integrated EMI filter, and a power switch. In one embodiment, the power port blades 404 are redundant. That is, if one of the power port blades 404 fails, the other power port blade 404 continues to cool the storage appliance 202 in order to Docket CHAP.0115 20 prevent failure of the storage appliance 202, thereby enabling the storage appliance 202 to continue to provide the host computers 302 access to the storage devices 112.
[0058] Data manager blade A 406A, data gate blade A 408A, and a portion of application server blade A 402A logically comprise storage controller A 308A of Figure 3; and the remainder of application server blade A 402A comprises application server A 306A of Figure 3. Data manager blade B 406B, data gate blade B 408B, and a portion of application server blade B 402B comprise the other storage controller 308 of Figure 3, and the remainder of application server blade B 402B comprises the other application server 306 of Figure 3.
[0059] The application servers 306 comprise computers configured to execute software applications, such as storage software applications. In one embodiment, the application servers 306 function as a redundant pair such that if one of the application servers 306 fails, the remaining application server 306 takes over the functionality of the failed application server 306 such that the storage appliance 202 continues to provide the host computers 302 access to the storage devices 112. Similarly, if the application software executing on the application servers 306 performs a function independent of the host computers 302, such as a backup operation of the storage devices 112, if one of the application servers 306 fails, the remaining application server 306 continues to perform its function independent of the host computers 302. The application servers 306, and in particular the Docket CHAP.0115 21 application server blades 402, are described in more detail below.
[0060] Each of the data gate blades 408 comprises one or more I/O interface controllers (such as FC interface controllers 1206 and 1208 of Figure 12) for interfacing with the storage devices 112. In one embodiment, each of the data gate blades 408 comprises redundant interface controllers for providing fault-tolerant access to the storage devices 112. In one embodiment, the interface controllers comprise dual FibreChannel (FC) interface controllers for interfacing to the storage devices 112 via a dual FC arbitrated loop configuration, as shown in Figure 12. However, other embodiments are contemplated in which the data gate blades 408 interface with the storage devices 112 via other interfaces including, but not limited to, Advanced Technology Attachment (ATA), SAS, SATA, Ethernet, Infiniband, SCSI, HIPPI, ESCON, FICON, or relevant combinations thereof. The storage devices 112 and storage appliance 202 may communicate using stacked protocols, such as SCSI over FibreChannel or Internet SCSI (iSCSI) . In one embodiment, at least a portion of the protocol employed between the storage appliance 202 and the storage devices 112 includes a low-level block interface, such as the SCSI protocol. Additionally, in one embodiment, at least a portion of the protocol employed between the host computers 302 and the storage appliance 202 includes a low-level block interface, such as the SCSI protocol. The interface controllers perform the protocol necessary to transfer commands and data between the storage devices 112 and the storage appliance 202. The interface controllers also Docket CHAP.0115 22 include a local bus interface for interfacing to local buses (shown as local buses 516 of Figure 5) that facilitate command and data transfers between the data gate blades 408 and the other storage appliance 202 blades. In the redundant interface controller embodiment of Figure 4, each of the interface controllers is coupled to a different local bus (as shown in Figure 5) , and each data gate blade 408 also includes a local bus bridge (shown as bus bridge 1212 of Figure 12) for bridging the two local buses. In one embodiment, the- data gate blades 408 function as a redundant pair such that if one of the data gate blades 408 fails, the storage appliance 202 continues to provide the host computers 302 and application servers 306 access to the storage devices 112 via the remaining data gate blade 408.
[0061] Each of the data manager blades 406 comprises a processor (such as CPU 702 of Figure 7) for executing programs to control the transfer of data between the storage devices 112 and the application servers 306 and/or host computers 302. Each of the data manager blades 406 also comprises a memory (such as memory 706 in Figure 7) for buffering data transferred between the storage devices 112 and the application servers 306 and/or host computers 302. The processor receives commands from the application servers 306 and/or host computers 302 and responsively issues commands to the data gate blade 408 interface controllers to accomplish data transfers with the storage devices 112. In one embodiment, the data manager blades 406 also include a direct memory access controller (DMAC)
(such as may be included in the local bus bridge/memory Docket CHAP.0115 23 controller 704 shown in Figure 7) for performing data transfers to and from the buffer memory on the local buses. The processor also issues commands to the DMAC and interface controllers on the application server blades 402 (such as I/O interface controllers 746/748 of Figure 7) to accomplish data transfers between the data manager blade 406 buffer memory and the application servers 306 and/or host computers 302 via the local buses and high speed I/O links 304. The processor may also perform storage controller functions such as RAID control, logical block translation, buffer management, and data caching. Each of the data manager blades 406 also comprises a memory controller (such as local bus bridge/memory controller 704 in Figure 7) for controlling the buffer memory. The memory controller also includes a local bus interface for interfacing to the local buses that facilitate command and data transfers between the data manager blades 406 and the other storage appliance 202 blades. In one embodiment, each of the data manager blades 406 is coupled to a different redundant local bus pair, and each data manager blade 406 also includes a local bus bridge (such as local bus bridge/memory controller 704 in Figure 7) for bridging between the two local buses of the pair. In one embodiment, the data manager blades 406 function as a redundant pair such that if one of the data manager blades 406 fails, the remaining data manager blade 406 takes over the functionality of the failed data manager blade 406 such that the storage appliance 202 continues to provide the host computers 302 and/or application servers 306 access to the storage devices 112. In one embodiment, each data Docket CHAP.0115 24 manager blade 406 monitors the status of the other storage appliance 202 blades, including the other data manager blade 406, in order to perform failover functions necessary to accomplish fault-tolerant operation, as described herein.
[0062] In one embodiment, each of the data manager blades 406 also includes a management subsystem for facilitating management of the storage appliance 202 by a system administrator. In one embodiment, the management subsystem comprises an Advanced Micro Devices® Elan™ microcontroller for facilitating communication with a user, such as a system administrator. In one embodiment, the management subsystem receives input from the user via a serial interface such as an RS-232 interface. In one embodiment, the management subsystem receives user input from the user via an Ethernet interface and provides a web- based configuration and management utility. In addition to its configuration and management functions, the management subsystem also performs monitoring functions, such as monitoring the temperature, presence, and status of the storage devices 112 or other components of the storage appliance 202, and monitoring the status of other critical components, such as fans or power supplies, such as those of the power manager blades 416 and power port blades 404. [0063] The chassis 414 comprises a single enclosure for enclosing the blade modules and backplane 412 of the storage appliance 202. In one embodiment, the chassis 414 comprises a chassis for being mounted in well known 19" wide racks. In one embodiment, the chassis 414 comprises a one unit (IU) high chassis. Docket CHAP.0115 25
[0064] In one embodiment, the power manager blades 416, power port blades 404, data manager blades 406, and data gate blades 408 are similar in some aspects to corresponding modules in the RIO Raid Controller product sold by Chaparral Network Storage of Longmont, Colorado. [0065] Although the embodiment of Figure 4 illustrates redundant modules, other lower cost embodiments are contemplated in which some or all of the blade modules are not redundant.
[0066] Referring now to Figure 5, a block diagram of one embodiment of the storage appliance 202 of Figure 4 illustrating the interconnection of the various local bus interconnections of the blade modules of Figure 4 is shown. The storage appliance 202 in the embodiment of Figure 5 includes four local buses, denoted local bus A 516A, local bus B 516B, local bus C 516C, and local bus D 516D, which are referred to collectively as local buses 516 or individually as local bus 516. In one embodiment, the local buses 516 comprise a high speed PCI-X local bus. Other embodiments are contemplated in which the local buses 516 include, but are not limited to a PCI, CompactPCI, PCI- Express, PCI-X2, EISA, VESA, VME, RapidIO, AGP, ISA, 3GIO, Hyperϊransport, Futurebus, MultiBus, or any similar local bus capable of transferring data at a high rate. As shown, data manager blade A 406A is coupled to local bus A 516A and local bus C 516C; data manager blade B 406B is coupled to local bus B 516B and local bus D 516D/ data gate blade A 408A is coupled to local bus A 516A and local bus B 516B; data gate blade B 408B is coupled to local bus C 516C and local bus D 516D; application server blade A 402A is Docket CHAP.0115 26 coupled to local bus A 516A and local bus B 516B; application server blade B 402B is coupled to local bus C 516C and local bus D 516D. As may be observed, the coupling of the blades to the local buses 516 enables each of the application server blades 402 to communicate with each of the data manager blades 406, and enables each of the data manager blades 406 to communicate with each of the data gate blades 408 and each of the application server blades 402. Furthermore, the hot-pluggable coupling of the FRU blades to the backplane 412 comprising the local buses 516 enables fault-tolerant operation of the redundant storage controllers 308 and application servers 306, as described in more detail below.
[0067] Referring now to Figure 6, a block diagram illustrating the logical flow of data through the storage appliance 202 of Figure 4 is shown. The application server blades 402 receive data transfer requests from the host computers 302 of Figure 3, such as SCSI read and write commands, over an interface protocol link, including but not limited to FibreChannel, Ethernet, or Infiniband. The application server blades 402 process the requests and issue commands to the data manager blades 406 to perform data transfers to or from the storage devices 112 based on the type of request received from the host computers 302. The data manager blades 406 process the commands received from the application server blades 402 and issue commands to the data gate blades 408, such as SCSI over FC protocol commands, which the data gate blades 408 transmit to the storage devices 112. The storage devices 112 process the commands and perform the appropriate data transfers to or Docket CHAP.0115 27 from the data gate blades 408. In the case of a write to the storage devices 112, the data is transmitted from the host computers 302 to the application server blades 402 and then to the data manager blades 406 and then to the data gate blades 408 and then to the storage devices 112. In the case of a read from the storage devices 112, the data is transferred from the storage devices 112 to the data gate blades 408 then to the data manager blades 406 then to the application server blades 402 then to the host computers 302.
[0068] As shown in Figure 6, each of the application server blades 402 has a path to each of the data manager blades 406, and each of the data manager blades 406 has a path to each of the data gate blades 408. In one embodiment, the paths comprise the local buses 516 of Figure 5. Additionally, in one embodiment, each of the host computers 302 has a path to each of the application server blades 402, and each of the data gate blades 408 has a path to each of the storage devices 112, as shown. Because each of the stages in the command and data transfers is a redundant pair, and a redundant communication path exists between each of the redundant pairs of each stage of the transfer, a failure of any one of the blades of a redundant pair does not cause a failure of the storage appliance 202.
[0069] In one embodiment, the redundant application server blades 402 are capable of providing an effective data transfer bandwidth of approximately 800 megabytes per second (MBps) between the host computers 302 and the redundant storage controllers 308. Docket CHAP.0115 28
[0070] Referring now to Figure 7, a block diagram of one embodiment of the storage appliance 202 of Figure 5 illustrating the application server blades 402 and data manager blades 406 in more detail is shown. The data gate blades 408 of Figure 5 are not shown in Figure 7. In the embodiment of Figure 7, the local buses 516 of Figure 5 comprise PCIX buses 516. Figure 7 illustrates application server blade 402A and 402B coupled to data manager blade 406A and 406B via PCIX buses 516A, 516B, 516C, and 516D according to the interconnection shown in Figure 5. The elements of the application server blades 402A and 402B are identical; however, their interconnections to the particular PCIX buses 516 are different as shown; therefore, the description of application server blade A 402A is identical for application server blade B 402B except as noted below with respect to the PCIX bus 516 interconnections. Similarly, with the exception of the PCIX bus 516 interconnections, the elements of the data manager blades 406A and 406B are identical; therefore, the description of data manager blade A 406A is identical for data manager blade B 406B except as noted below with respect to the PCIX bus 516 interconnections. [0071] In the embodiment of Figure 7, application server blade A 402A comprises two logically-distinct portions, an application server 306 portion and a storage controller 308 portion, physically coupled by the I/O links 304 of Figure 3 and integrated onto a single FRU. The application server 306 portion includes a CPU subsystem 714, Ethernet controller 732, and first and second FC controllers 742/744, which comprise a server computer employed to Docket CHAP.0115 29 execute server software applications, similar to those executed by the storage application servers 106 and/or traditional servers 104 of Figure 1. The storage controller 308 portion of application server blade A 402A, shown in the shaded area, includes third and fourth FC controllers 746/748, which are programmed by a data manager blade 406 CPU 702 and are logically part of the storage controller 308 of Figure 3. The storage controller 308 portions of the application server blades 402 may be logically viewed as the circuitry of a data gate blade 408 integrated onto the application server blade 402 to facilitate data transfers between the data manager blades 406 and the application server 306 portion of the application server blade 402. The storage controller 308 portions of the application server blades 402 also facilitate data transfers between the data manager blades 406 and external devices 322 of Figure 3 coupled to expansion I/O connectors 754 of the application server blade 402.
[0072] Application server blade A 402A includes a CPU subsystem 714, described in detail below, which is coupled to a PCI bus 722. The PCI bus 722 is coupled to a dual port Ethernet interface controller 732, whose ports are coupled to connectors 756 on the application server blade 402 faceplate (shown in Figure 10) to provide local area network (LAN) or wide area network (WAN) access to application server blade A 402A by the host computers 302 of Figure 3. In one embodiment, one port of the Ethernet interface controller 732 of application server blade A 402A is coupled to one port of the Ethernet interface controller Docket CHAP.0115 30
732 of application server blade B 402B to provide a heartbeat link (such as heartbeat link 1712 of Figure 17) between the servers for providing redundant fault-tolerant operation of the two application server blades 402, as described below. In one embodiment, the Ethernet controller 732 ports may be used as a management interface to perform device management of the storage appliance 202. In one embodiment, the application servers 306 may function as remote mirroring servers, and the Ethernet controller 732 ports may be used to transfer data to a remote mirror site. The CPU subsystem 714 is also coupled to a PCIX bus 724.
[0073] A first dual FibreChannel (FC) interface controller 742 is coupled to the PCIX bus 724. The first FC interface controller 742 ports (also referred to as front-end ports) are coupled to the I/O connectors 752 on the application server blade 402 faceplate (shown in Figure 10) to provide the host computers 302 NAS/SAN access to the application servers 306. The first FC controller 742 functions as a target device and may be connected to the host computers 302 in a point-to-point, arbitrated loop, or switched fabric configuration. In Figure 7 and the remaining Figures, a line connecting two FC ports, or a FC port and a FC connector, indicates a bi-directional FC link, i.e., an FC link with a transmit path and a receive path between the two FC ports, or between the FC port and the FC connector.
[0074] A second dual FC interface controller 744 is also coupled to the PCIX bus 724. The second FC controller 744 functions as an initiator device. The second FC interface Docket CHAP.0115 31 controller 744 ports are coupled to the expansion I/O connectors 754 on the application server blade 402 faceplate (shown in Figure 10) to provide a means for the CPU subsystem 714 of the application server blade 402 to directly access devices 322 of Figure 3 external to the storage appliance 202 chassis 414, such as other storage controllers or storage appliances, tape drives, host computers, switches, routers, and hubs. In addition, the expansion I/O connectors 754 provide the external devices 322 direct NAS/SAN access to the storage controllers 308, rather than through the application servers 306, as described in detail below. Advantageously, the expansion I/O connectors 754 provide externalization of the internal I/O links 304 between the servers 306 and storage controllers 308 of Figure 3, as described in more detail below.
[0075] An industry standard architecture (ISA) bus 716 is also coupled to the CPU subsystem 714. A complex programmable logic device (CPLD) 712 is coupled to the ISA bus 716. The CPLD 712 is also coupled to dual blade control interface (BCI) buses 718. Although not shown in Figure 7, one of the BCI buses 718 is coupled to data manager blade A 406A and data gate blade A 408A, and the other BCI bus 718 is coupled to data manager blade B 406B and data gate blade B 408B, as shown in Figure 21. The BCI buses 718 are a proprietary 8-bit plus parity asynchronous multiplexed address/data bus supporting up to a 256 byte addressable region that interfaces the data manager blades 406 to the data gate blades 408 and application server blades 402. The BCI buses 718 enable each of the data Docket CHAP.0115 32 manager blades 406 to independently configure and monitor the application server blades 402 and data gate blades 408 via the CPLD 712. The BCI buses 718 are included in the backplane 412 of Figure 4. The CPLD 712 is described in more detail with respect to Figures 8, 21, and 22 below. [0076] Application server blade A 402A also includes a third dual FibreChannel interface controller 746, coupled to PCIX bus 516A of Figure 5, whose FC ports are coupled to respective ones of the second dual FC interface controller 744. Application server blade A 402A also includes a fourth dual FibreChannel interface controller 748, coupled to PCIX bus 516B of Figure 5, whose FC ports are coupled to respective ones of the second dual FC interface controller 744 and to respective ones of the third dual FC interface controller 746. In the case of application server blade B 402B, its third FC interface controller 746 PCIX interface couples to PCIX bus 516C of Figure 5 and its fourth FC interface controller 748 PCIX interface couples to PCIX bus 516D of Figure 5. The third and fourth FC interface controllers 746/748 function as target devices. [0077] Data manager blade A 406A includes a CPU 702 and a memory 706, each coupled to a local bus bridge/memory controller 704. In one embodiment, the processor comprises a Pentium III microprocessor. In one embodiment, the memory 706 comprises DRAM used to buffer data transferred between the storage devices 112 and the application server blade 402. The CPU 702 manages use of buffer memory 706. In one embodiment, the CPU 702 performs caching of the data read from the storage devices 112 into the buffer memory 706. In one embodiment, data manager blade A 406A also Docket CHAP.0115 33 includes a memory coupled to the CPU 702 for storing program instructions and data used by the CPU 702. In one embodiment, the local bus bridge/memory controller 704 comprises a proprietary integrated circuit that controls the buffer memory 706. The local bus bridge/memory controller 704 also includes two PCIX bus interfaces for interfacing to PCIX bus 516A and 516C of Figure 5. The local bus bridge/memory controller 704 also includes circuitry for bridging the two PCIX buses 516A and 516C. In the case of data manager blade B 406B, the local bus bridge/memory controller 704 interfaces to and bridges PCIX buses 516B and 516D of Figure 5. The local bus bridge/memory controller 704 facilitates data transfers between each of the data manager blades 406 and each of the application server blades 402 via the PCIX buses 516. [0078] Several advantages are obtained by including the third and fourth FC interface controllers 746/748 on the application server blade 402. First, the high-speed I/O links 304 between the second FC controller 744 and the third/fourth FC controller 746/748 are etched into the application server blade 402 printed circuit board rather than being discrete cables and connectors that are potentially more prone to being damaged or to other failure. Second, a local bus interface (e.g., PCIX) is provided on the application server blade 402 backplane 412 connector, which enables the application server blades 402 to interconnect and communicate via the local buses 516 of the backplane 412 with the data manager blades 406 and data gate blades 408, which also include a local bus interface on their backplane 412 connector. Third, substantial Docket CHAP.0115 34 software development savings may be obtained from the storage appliance 202 architecture. In particular, the software executing on the data manager blades 406 and the application server blades 402 requires little modification to existing software. This advantage is discussed below in more detail with respect to Figure 11.
[0079] Referring now to Figure 8, a block diagram illustrating one embodiment of the application server blade A 402A of Figure 7 is shown. The application server blade 402 includes the CPU subsystem 714 of Figure 7, comprising a CPU 802 coupled to a north bridge 804 by a Gunning Transceiver Logic (GTL) bus 812 and a memory 806 coupled to the north bridge by a double-data rate (DDR) bus 814. The memory 806 functions as a system memory for the application server blade 402. That is, programs and data are loaded into the memory 806, such as from the DOC memory 838 described below, and executed by the CPU 802. Additionally, the memory 806 serves as a buffer for data transferred between the storage devices 112 and the host computers 302. In particular, data is transferred from the host computers 302 through the first FC controller 742 and north bridge 804 into the memory 806, and vice versa. Similarly, data is transferred from the memory 806 through the north bridge 804, second FC controller 744, third or forth FC controller 746 or 748, and backplane 412 to the data manager blades 406. The north bridge 804 also functions as a bridge between the GTL bus 812/DDR bus 814 and the PCIX bus 724 and the PCI bus 722 of Figure 7. The CPU subsystem 714 also includes a south bridge 808 coupled to the PCI bus 722. The Ethernet controller 732 of Figure Docket CHAP.0115 35
7 is coupled to the PCI bus 722. In one embodiment, the connectors 756 of Figure 7 comprise RJ45 jacks, denoted 756A and 756B in Figure 8, for coupling to respective ports of the Ethernet controller 732 of Figure 7 for coupling to Ethernet links to the host computers 302. The south bridge 808 also provides an I2C bus by which temperature sensors 816 are coupled to the south bridge 808. The temperature sensors 816 provide temperature information for critical components in the chassis 414, such as of CPUs and storage devices 112, to detect potential failure sources. The south bridge 808 also functions as a bridge to the ISA bus 716 of Figure 7.
[0080] A FLASH memory 836, disk on chip (DOC) memory 838, dual UART 818, and the CPLD 712 of Figure 7 are coupled to the ISA bus 716. In one embodiment, the FLASH memory 836 comprises a 16MB memory used to store firmware to bootstrap the application server blade 402 CPU 802. In one embodiment, in which the application server blade 402 conforms substantially to a personal computer (PC) , the FLASH memory 836 stores a Basic Input/Output System (BIOS) . In one embodiment, the DOC memory 838 comprises a 128MB NAND FLASH memory used to store, among other things, an operating system, application software, and data, such as web pages. Consequently, the application server blade 402 is able to boot and function as a stand-alone server. Advantageously, the application server blade 402 provides the DOC memory 838 thereby alleviating the need for a mechanical mass storage device, such as a hard disk drive, for storing the operating system and application software. Additionally, the DOC memory 838 may be used by the storage Docket CHAP.0115 36 application software executing on the application server blade 402 as a high speed storage device in a storage hierarchy to cache frequently accessed data from the storage devices 112. In one embodiment, the application server blade 402 includes a mechanical disk drive, such as a microdrive, for storing an operating system, application software, and data instead of or in addition to the DOC memory 838. The two UART 818 ports are coupled to respective 3-pin serial connectors denoted 832A and 832B for coupling to serial RS-232 links. In one embodiment, the two serial ports function similarly to COMl and COM2 ports of a personal computer. Additionally, the RS-232 ports may be used for debugging and manufacturing support. The CPLD 712 is coupled to a light emitting diode (LED) 834. The CPLD 712 is coupled via the BCI buses 718 of Figure 7 to a connector 828 for plugging into the backplane 412 of Figure 4.
[0081] The CPLD 712 includes a 2Kx8 SRAM port for accessing a shared mailbox memory region. The CPLD 712 also provides the ability to program chip select decodes for other application server blade 402 devices such as the FLASH memory 836 and DOC memory 838. The CPLD 712 provides dual independent BCI bus interfaces by which the data manager blades 406 can control and obtain status of the application server blades 402. For example, the CPLD 712 provides the ability for the data manager blade 406 to reset the application server blades 402 and data gate blades 408, such as in the event of detection of a failure. The CPLD 712 also provides the ability to determine the status of activity on the various FibreChannel links and to Docket CHAP.0115 37 control the status indicator LED 834. The CPLD 712 also enables monitoring of the I/O connectors 752/754 and control of port combiners 842, as described below. The CPLD 712 also enables control of hot-plugging of the various modules, or blades, in the storage appliance 202. The CPLD 712 also provides general purpose registers for use as application server blade 402 and data manager blade 406 mailboxes and doorbells.
[0082] The first and second FC controllers 742/744 of Figure 7 are coupled" to the PCIX bus 724. In the embodiment of Figure 8, the I/O connectors 752 and 754 of Figure 7 comprise FC small form-factor pluggable sockets (SFPs) . The two ports of the first FC controller 742 are coupled to respective SFPs 752A and 752B for coupling to FC links to the host computers 302. The two ports of the second FC controller 744 are coupled to respective port combiners denoted 842A and 842B. The port combiners 842 are also coupled to respective SFPs 754A and 754B for coupling to FC links to the external devices 322 of Figure 3. One port of each of the third and fourth FC controllers 746 and 748 of Figure 7 are coupled to port combiner 842A, and one port of each of the third and fourth FC controllers 746 and 748 are coupled to port combiner 842B. The PCIX interface of each of the third and fourth FC controllers 746 and 748 are coupled to the backplane connector 828 via PCIX bus 516A and 516B, respectively, of Figure 5. [0083] In one embodiment, each of the port combiners 842 comprises a FibreChannel arbitrated loop hub that allows devices to be inserted into or removed from an active FC arbitrated loop. The arbitrated loop hub includes four FC Docket CHAP.0115 38 port bypass circuits (PBCs), or loop resiliency circuits (LRCs), serially coupled in a loop configuration, as described in detail with respect to Figure 25. A PBC or LRC is a circuit that may be used to keep a FC arbitrated loop operating when a FC L_Port location is physically removed or not populated, L_Ports are powered-off, or a failing L_Port is present. A PBC or LRC provides the means to route the serial FC channel signal past an L_Port. A FC L_Port is an FC port that supports the FC arbitrated loop topology. Hence, for example, if portl of each of the second, third, and fourth FC controllers 744/746/748 are all connected and operational, and SFP 754A has an operational device coupled to it, then each of the four FC devices may communicate with one another via port combiner 842A. However, if the FC device connected to any one or two of the ports is removed, or becomes non-operational, then the port combiner 842A will bypass the non-operational ports keeping the loop intact and enabling the remaining two or three FC devices to continue communicating through the port combiner 842A. Hence, port combiner 842A enables the second FC controller 744 to communicate with each of the third and fourth FC controllers 746/748, and consequently to each of the data manager blades 406; additionally, port combiner 842A enables external devices 322 of Figure 3 coupled to SFP 754A to also communicate with each of the third and fourth FC controllers 746/748, and consequently to each of the data manager blades 406. Although an embodiment is described herein in which the port combiners 842 are FC LRC hubs, other embodiments are contemplated in which the port combiners 842 are FC loop Docket CHAP.0115 39 switches. Because the FC loop switches are cross-point switches, they provide higher performance since more than one port pair can communicate simultaneously through the switch. Furthermore, the port combiners 842 may comprise Ethernet or Infiniband switches, rather than FC devices. [0084] In one embodiment, the application servers 306 substantially comprise personal computers without mechanical hard drives, keyboard, and mouse connectors. That is, the application servers 306 portion of the application server blade 402 includes off-the-shelf components mapped within the address spaces of the system just as in a PC. The CPU subsystem 714 is logically identical to a PC, including the mappings of the FLASH memory 836 and system RAM 806 into the CPU 802 address space. The system peripherals, such as the UARTs 818, interrupt controllers, real-time clock, etc., are logically identical to and mapping the same as in a PC. The PCI 722, PCIX 724, ISA 716 local buses and north bridge 804 and south bridge 808 are similar to those commonly used in high-end PC servers. The Ethernet controller 732 and first and second FC interface controllers 742/744 function as integrated Ethernet network interface cards (NICs) and FC host bus adapters (HBAs), respectively. All of this advantageously potentially results in the ability to execute standard off-the-shelf software applications on the application server 306, and the ability to run a standard operating system on the application servers 306 with little modification. The hard drive functionality may be provided by the DOC memory 838, and the user interface may be Docket CHAP.0115 40 provided via the Ethernet controller 732 interfaces and web-based utilities, or via the UART 818 interfaces. [0085] As indicated in Figure 8, the storage controller 308 portion of the application server blade 402 includes the third and fourth interface controllers 746/748, and the SFPs 754; the remainder comprises the application server 306 portion of the application server blade 402. [0086] Referring now to Figure 9, a diagram illustrating the physical layout of a circuit board of one embodiment of the application server blade 402 of Figure 8 is shown. The layout diagram is drawn to scale. As shown, the board is 5.040 inches wide and 11.867 inches deep. The elements of Figure 8 are included in the layout and numbered similarly. The first and second FC controllers 742/744 each comprise an ISP2312 dual channel FibreChannel to PCI-X controller produced by the QLogic Corporation of Aliso Viejo, California. Additionally, a 512Kxl8 synchronous SRAM is coupled to each of the first and second FC controllers 742/744. The third and fourth FC controllers 746/748 each comprise a JNIC-1560 Milano dual channel FibreChannel to PCI-X controller. The south bridge 808 comprises an Intel PIIX4E, which includes internal peripheral interrupt controller (PIC) , programmable interval timer (PIT) , and real-time clock (RTC) . The north bridge 804 comprises a Micron PAD21 Copperhead. The memory 806 comprises up to IGB of DDR SDRAM ECC-protected memory DIMM. Figure 9 illustrates an outline for a memory 806 DIMM to be plugged into a 184 pin right angle socket. The CPU 802 comprises a 933 MHz Intel Tualatin low voltage mobile Pentium 3 with a 32KB on-chip Ll cache and a 512K on-chip L2 cache. The Docket CHAP.0115 41
FLASH memory 836 comprises a 16MBx8 FLASH memory chip- The DOC memory 838 comprises two 32MB each NAND FLASH memory chips that emulate an embedded IDE hard drive. The port combiners 842 each comprise a Vitesse VSC7147-01. The Ethernet controller 732 comprises an Intel 82546EB 10/100/1000 Mbit Ethernet controller.
[0087] Although an embodiment is described using particular components, such as particular microprocessors, interface controllers, bridge circuits, memories, etc., other similar suitable components may be employed in the storage appliance 202.
[0088] Referring now to Figure 10, an illustration of one embodiment of the faceplate 1000 of the application server blade 402 of Figure 9 is shown. The faceplate 1000 includes two openings for receiving the two RJ45 Ethernet connectors 756 of Figure 7. The faceplate 1000 also includes two openings for receiving the two pairs of SFPs 752 and 754 of Figure 7. The face plate 1000 is one unit (lϋ) high for mounting in a standard 19 inch wide chassis 414. The faceplate 1000 includes removal latches 1002, or removal mechanisms 1002, such as those well-known in the art of blade modules, that work together with mechanisms on the chassis 414 to enable a person to remove the application server blade 402 from the chassis 414 backplane 412 and to insert the application server blade 402 into the chassis 414 backplane 412 while the storage appliance 202 is operational without interrupting data availability on the storage devices 112. In particular, during insertion, the mechanisms 1002 cause the application server blade 402 connector to mate with the backplane 412 connector and Docket CHAP.0115 42 immediately begin to receive power from the backplane 412; conversely, during removal, the mechanisms 1002 cause the application server blade 402 connector to disconnect from the backplane 412 connector to which it mates, thereby removing power from the application server blade 402. Each of the blades in the storage appliance 202 includes removal latches similar to the removal latches 1002 of the application server blade 402 faceplate 1000 shown in Figure 10. Advantageously, the removal mechanism 1002 enables a person to remove and insert a blade module without having to open the chassis 414.
[0089] Referring now to Figure 11, a block diagram illustrating the software architecture of the application server blade 402 of Figure 8 is shown. The software architecture includes a loader 1104. The loader 1104 executes first when power is supplied to the CPU 802. The loader 1104 performs initial boot functions for the hardware and loads and executes the operating system. The loader 1104 is also capable of loading and flashing new firmware images into the FLASH memory 836. In one embodiment, the loader 1104 is substantially similar to a personal computer BIOS. In one embodiment, the loader 1104 comprises the RedBoot boot loader product by Red Hat, Inc. of Raleigh, North Carolina. The architecture also includes power-on self-test (POST) , diagnostics, and manufacturing support software 1106. In one embodiment, the diagnostics software executed by the CPU 802 does not diagnose the third and fourth FC controllers 746/748, which are instead diagnosed by firmware executing on the data manager blades 406. The architecture also includes PCI configuration Docket CHAP.0115 43 software 1108, which configures the PCI bus 722, the PCIX bus 724, and each of the devices connected to them. In one embodiment, the PCI configuration software 1108 is executed by the loader 1104.
[0090] The architecture also includes an embedded operating system and associated services 1118. In one embodiment, the operating system 1118 comprises an embedded version of the Linux operating system distributed by Red Hat, Inc. Other operating systems 1118 are contemplated including, but not limited to, Hard Hat Linux from Monta Vista Software, VA Linux, an embedded version of Windows NT from Microsoft Corporation, VxWorks from Wind River of Alameda, California, Microsoft Windows CE, and Apple Mac OS X 10.2. Although the operating systems listed above execute on Intel x86 processor architecture platforms, other processor architecture platforms are contemplated. The operating system services 1118 include serial port support, interrupt handling, a console interface, multi¬ tasking capability, network protocol stacks, storage protocol stacks, and the like. The architecture also includes device driver software for execution with the operating system 1118. In particular, the architecture includes an Ethernet device driver 1112 for controlling the Ethernet controller 732, and FC device drivers 1116 for controlling the first and second FC controllers 742/744. In particular, an FC device driver 1116 must include the ability for the first controller 742 to function as a FC target to receive commands from the host computers 302 and an FC device driver 1116 must include the ability for the second controller 744 to function as a FC initiator to Docket CHAP.0115 44 initiate commands to the storage controller 308 and to any target external devices 322 of Figure 3 connected to the expansion I/O connectors 754. The architecture also includes a hardware abstraction layer (HAL) 1114 that abstracts the underlying application server blade 402 hardware to reduce the amount of development required to port a standard operating system to the hardware platform. [0091] The software architecture also includes an operating system-specific Configuration Application Programming Interface (CAPI) client 1122 that provides a standard management interface to the storage controllers 308 for use by application server blade 402 management applications. The CAPI client 1122 includes a CAPI Link Manager Exchange (LMX) that executes on the application server blade 402 and communicates with the data manager blades 406. In one embodiment, the LMX communicates with the data manager blades 406 via the high-speed I/O links 304 provided between the second FC controller 744 and the third and fourth FC controllers 746/748. The CAPI client 1122 also includes a CAPI client application layer that provides an abstraction of CAPI services for use by device management applications executing on the application server blade 402. The software architecture also includes storage management software 1126 that is used to manage the storage devices 112 coupled to the storage appliance 202. In one embodiment, the software architecture also includes RAID management software 1124 that is used to manage RAID arrays comprised of the storage devices 112 controlled by the data manager blades 406. Docket CHAP.0115 45
[0092] Finally, the software architecture includes one or more storage applications 1128. Examples of storage applications 1128 executing on the application servers 306 include, but are not limited to, the following applications: data backup, remote mirroring, data snapshot, storage virtualization, data replication, hierarchical storage management (HSM) , data content caching, data storage provisioning, and file services - such as network attached storage (NAS) . An example of storage application software is the IPStor product provided by FalconStor Software, Inc. of Melville, New York. The storage application software may also be referred to as "middleware" or "value-added storage functions." Other examples of storage application software include products produced by Network Appliance, Inc. of Sunnyvale, California, Veritas Software Corporation of Mountain View, California, and Computer Associates, Inc. of Islandia, New York similar to the FalconStor IPStor product. [0093] Advantageously, much of the software included in the application server blade 402 software architecture may comprise existing software with little or no modification required. In particular, because the embodiment of the application server blade 402 of Figure 8 substantially conforms to the x86 personal computer (PC) architecture, existing operating systems that run on an x86 PC architecture require a modest amount of modification to run on the application server blade 402. Similarly, existing boot loaders, PCI configuration software, and operating system HALs also require a relatively small amount of modification to run on the application server blade 402. Docket CHAP.0115 46
Furthermore, because the DOC memories 838 provide a standard hard disk drive interface, the boot loaders and operating systems require little modification, if any, to run on the application server blade 402 rather than on a hardware platform with an actual hard disk drive. Additionally, the use of popular FC controllers 742/744/746/748 and Ethernet controllers 732 increases the likelihood that device drivers already exist for these devices for the operating system executing on the application server blade 402. Finally, the use of standard operating systems increases the likelihood that many- storage applications will execute on the application server blade 402 with a relatively small amount of modification required.
[0094] Advantageously, although in the embodiment of the storage appliance 202 of Figure 7 the data manager blades 406 and data gate blades 408 are coupled to the application server blades 402 via local buses as is typical with host bus adapter-type (or host-dependent) storage controllers, the storage controllers 308 logically retain their host- independent (or stand-alone) storage controller nature because of the application server blade 402 architecture. That is, the application server blade 402 includes the host bus adapter-type second interface controller 744 which provides the internal host-independent I/O link 304 to the third/fourth interface controllers 746/748, which in turn provide an interface to the local buses for communication with the other blades in the chassis 414 via the backplane 412. Because the third/fourth interface controllers 746/748 are programmable by the data manager blades 406 via Docket CHAP.0115 47 the local buses 516, the third/fourth interface controllers 746/748 function as target interface controllers belonging to the storage controllers 308. This fact has software reuse and interoperability advantages, in addition to other advantages mentioned. That is, the storage controllers 308 appear to the application servers 306 and external devices 322 coupled to the expansion I/O connectors 754 as stand¬ alone storage controllers. This enables the application servers 306 and external devices 322 to communicate with the storage controllers 308 as a FC device using non- storage controller-specific device drivers, rather than as a host bus adapter storage controller, which would require development of a proprietary device driver for each operating system running on the application server 306 or external host computers 322.
[0095] Notwithstanding the above advantages, another embodiment is contemplated in which the second, third, and fourth FC controllers 744/746/748 of Figure 7 are not included in the application server blade 402 and are instead replaced by a pair of PCIX bus bridges that couple the CPU subsystem 714 directly to the PCIX buses 516 of the backplane 412. One advantage of this embodiment is potentially lower component cost, which may lower the cost of the application server blade 402. Additionally, the embodiment may also provide higher performance, particularly in reduced latency and higher bandwidth without the intermediate I/O links. However, this embodiment may also require substantial software development, which may be costly both in time and money, to develop device drivers running on the application server Docket CHAP.0115 48 blade 402 and to modify the data manager blade 406 firmware and software. In particular, the storage controllers in this alternate embodiment are host-dependent host bus adapters, rather than host-independent, stand-alone storage controllers. Consequently, device drivers must be developed for each operating system executing on the application server blade 402 to drive the storage controllers.
[0096] Referring now to Figure 12, a block diagram illustrating the storage appliance 202 of Figure 5 in a fully fault-tolerant configuration in the computer network 200 of Figure 2 is shown. That is, Figure 12 illustrates a storage appliance 202 in which all blades are functioning properly. In contrast, Figures 13 through 15 illustrate the storage appliance 202 in which one of the blades has failed and yet due to the redundancy of the various blades, the storage appliance 202 continues to provide end-to-end connectivity, thereby maintaining the availability of the data stored on the storage devices 112. The storage appliance 202 comprises the chassis 414 of Figure 4 for enclosing each of the blades included in Figure 12. The embodiment of Figure 12 includes a storage appliance 202 with two representative host computers 302A and 302B of Figure 3 redundantly coupled to the storage appliance 202 via I/O connectors 752. Each of the host computers 302 includes two I/O ports, such as FibreChannel, Ethernet, Infiniband, or other high-speed I/O ports. Each host computer 302 has one of its I/O ports coupled to one of the I/O connectors 752 of application server blade A 402A and the other of its I/O ports coupled to one of the I/O Docket CHAP.0115 49 connectors 752 of application server blade B 402B. Although the host computers 302 are shown directly connected to the application server blade 402 I/O connectors 752, the host computers 302 may be networked to a switch, router, or hub of network 114 that is coupled to the application server blade 402 I/O connectors 752/754. [0097] The embodiment of Figure 12 also includes two representative external devices 322 of Figure 3 redundantly coupled to the storage appliance 202 via expansion I/O connectors 754. Although the external devices 322 are shown directly connected to the application server blade 402 I/O connectors 754, the external devices 322 may be networked to a switch, router, or hub that is coupled to the application server blade 402 I/O connectors 754. Each external device 322 includes two I/O ports, such as FibreChannel, Ethernet, Infiniband, or other high-speed I/O ports. Each external device 322 has one of its I/O ports coupled to one of the expansion I/O connectors 754 of application server blade A 402A and the other of its I/O ports coupled to one of the expansion I/O connectors 754 of application server blade B 402B. The external devices 322 may include, but are not limited to, other host computers, a tape drive or other backup type device, a storage controller or storage appliance, a switch, a router, or a hub. The external devices 322 may communicate directly with the storage controllers 308 via the expansion I/O connectors 754 and port combiners 842 of Figure 8, without the need for intervention by the application servers 306. Additionally, the application servers 306 may communicate directly with the external devices 322 via the port Docket CHAP.0115 50 combiners 842 and expansion I/O connectors 754, without the need for intervention by the storage controllers 308. These direct communications are possible, advantageously, because the I/O link 304 between the second interface controller 744 ports of the application server 306 and the third interface controller 746 ports of storage controller A 308A and the I/O link 304 between the second interface controller 744 ports of the application server 306 and the fourth interface controller 748 ports of storage controller B 308B are externalized by the inclusion of the port combiners 842. That is, the port combiners 842 effectively create a blade area network (BAN) on the application server blade 402 that allows inclusion of the external devices 322 in the BAN to directly access the storage controllers 308. Additionally, the BAN enables the application servers 306 to directly access the external devices 322. [0098] In one embodiment, the storage application software 1128 executing on the application server blades 402 includes storage virtualization/provisioning software and the external devices 322 include storage controllers and/or other storage appliances that are accessed by the second interface controllers 744 of the application servers 306 via port combiners 842 and expansion I/O port connectors 754. Advantageously, the virtualization/provisioning servers 306 may combine the storage devices controlled by the external storage controllers/appliances 322 and the storage devices 112 controlled by the internal storage controllers 308 when virtualizing/provisioning storage to the host computers 302. Docket CHAP.0115 51
[0099] In another embodiment, the storage application software 1128 executing on the application server blades 402 includes storage replication software and the external devices 322 include a remote host computer system on which the data is replicated that is accessed by the second interface controllers 744 of the application servers 306 via port combiners 842 and expansion I/O port connectors 754. If the remote site is farther away than the maximum distance supported by the I/O link type, then the external devices 322 may include a repeater or router to enable communication with the remote site.
[00100] In another embodiment, the storage application software 1128 executing on the application server blades 402 includes data backup software and the external devices 322 include a tape drive or tape farm, for backing up the data on the storage devices 112, which is accessed by the second interface controllers 744 of the application servers 306 via port combiners 842 and expansion I/O port connectors 754. The backup server 306 may also back up to the tape drives data of other storage devices on the network 200, such as direct attached storage of the host computers 302.
[00101] In another embodiment, the external devices 322 include host computers - or switches or routers or hubs to which host computers are networked - which directly access the storage controllers 308 via the third/fourth interface controllers 746/748 via expansion I/O connectors 754 and port combiners 842. In one embodiment, the storage controllers 308 may be configured to present, or zone, two different sets of logical storage devices, or logical Docket CHAP.0115 52 units, to the servers 306 and to the external host computers 322.
[00102] The embodiment of Figure 12 includes two groups of physical storage devices 112A and 112B each redundantly coupled to the storage appliance 202. In one embodiment, each physical storage device of the two groups of storage devices 112A and 112B includes two FC ports, for communicating with the storage appliance 202 via redundant FC arbitrated loops. For illustration purposes, the two groups of physical storage devices 112A and 112B may be viewed as two groups of logical storage devices 112A and 112B presented for access to the application servers 306 and to the external devices 322. The logical storage devices 112A and 112B may be comprised of a grouping of physical storage devices A 112A and/or physical storage devices B 112B using any of well-known methods for grouping physical storage devices, including but not limited to mirroring, striping, or other redundant array of inexpensive disks (RAID) methods. The logical storage devices 112A and 112B may also comprise a portion of a single physical storage device or a portion of a grouping of physical storage devices. In one embodiment,, under normal operation, i.e., prior to a failure of one of the blades of the storage appliance 202, the logical storage devices A 112A are presented to the application servers 306 and to the external devices 322 by storage controller A 308A, and the logical storage devices B 112B are presented to the application servers 306 and external devices 322 by storage controller B 308B. However, as described below, if the data manager blade 406 of one of the storage Docket CHAP.0115 53 controllers 308 fails, the logical storage devices 112A or 112B previously presented by the failing storage controller 308 will also be presented by the remaining, i.e., non- failing, storage controller 308. In one embodiment, the logical storage devices 112 are presented as SCSI logical units.
[00103] The storage appliance 202 physically includes two application server blades 402A and 402B of Figure 7, two data manager blades 406A and 406B of Figure 7, and two data gate blades 408A and 408B of Figure 5. Figure 12 is shaded to illustrate the elements of application server A 306A, application server B 306B, storage controller A 308A, and storage controller B 308B of Figure 4 based on the key at the bottom of Figure 12. Storage controller A 308A comprises data manager blade A 406A, the first interface controllers 1206 of the data gate blades 408, and the third interface controllers 746 of the application server blades 402; storage controller B 308B comprises data manager blade B 406B, the second interface controllers 1208 of the data gate blades 408, and the fourth interface controllers 748 of the application server blades 402; application server A 306A comprises CPU subsystem 714 and the first and second interface controllers 742/744 of application server blade A 402A; application server B 306B comprises CPU subsystem 714 and the first and second interface controllers 742/744 of application server blade B 402B. In one embodiment, during normal operation, each of the application server blades 402 accesses the physical storage devices 112 via each of the storage controllers 308 in order to obtain maximum throughput. Docket CHAP.0115 54
[00104] As in Figure 7, each of the application server blades 402 includes first, second, third, and fourth dual channel FC controllers 742/744/746/748. Portl of the first FC controller 742 of each application server blade 402 is coupled to a respective one of the I/O ports of host computer A 302A, and port2 of the first FC controller 742 of each application server blade 402 is coupled to a respective one of the I/O ports of host computer B 302B. Each of the application server blades 402 also includes a CPU subsystem 714 coupled to the first and second FC controllers 742/744. Portl of each of the second, third, and fourth FC controllers 744/746/748 of each application server blade 402 are coupled to each other via port combiner 842A of Figure 8, and port2 of each controller 744/746/748 of each application server blade 402 are coupled to each other via port combiners 842B of Figure 8. As in Figure 7, the third FC controller 746 of application server blade A 402A is coupled to PCIX bus 516A, the fourth FC controller 748 of application server blade A 402A is coupled to PCIX bus 516B, the third FC controller 746 of application server blade B 402B is coupled to PCIX bus 516C, and the fourth FC controller 748 of application server blade B 402B is coupled to PCIX bus 516D. The Ethernet interface controllers 732, CPLDs 712, and BCI buses 718 of Figure 7 are not shown in Figure 12. [00105] As in Figure 7, data manager blade A 406A includes a bus bridge/memory controller 704 that bridges PCIX bus 516A and PCIX bus 516C and controls memory 706, and data manager blade B 406B includes a bus bridge/memory controller 704 that bridges PCIX bus 516B and PCIX bus 516D Docket CHAP.0115 55 and controls memory 706. Hence, the third FC controllers 746 of both application server blades 402A and 402B are coupled to transfer data to and from the memory 706 of data manager blade A 406A via PCIX buses 516A and 516C, respectively, and the fourth FC controllers 748 of both application server blades 402A and 402B are coupled to transfer data to and from the memory 706 of data manager blade B 406B via PCIX buses 516B and 516D, respectively. Additionally, the data manager blade A 406A CPU 702 of Figure 7 is coupled to program the third FC controllers 746 of both the application server blades 402A and 402B via PCIX bus 516A and 516C, respectively, and the data manager blade B 406B CPU 702 of Figure 7 is coupled to program the fourth FC controllers 748 of both the application server blades 402A and 402B via PCIX bus 516B and 516D, respectively.
[00106] Each of data gate blades 408A and 408B include first and second dual FC controllers 1206 and 1208, respectively. In one embodiment, the FC controllers 1206/1208 each comprise a JNIC-1560 Milano dual channel FibreChannel to PCI-X controller developed by the JNI Corporation™ that performs the FibreChannel protocol for transferring FibreChannel packets between the storage devices 112 and the storage appliance 202. The PCIX interface of the data gate blade A 408A first FC controller 1206 is coupled to PCIX bus 516A, the PCIX interface of the data gate blade A 408A second FC controller 1208 is coupled to PCIX bus 516B, the PCIX interface of the data gate blade B 408B first FC controller 1206 is coupled to PCIX bus 516C, and the PCIX interface of the data gate blade B 408B Docket CHAP.0115 56 second FC controller 1208 is coupled to PCIX bus 516D. The first and second FC controllers 1206/1208 function as FC initiator devices for initiating commands to the storage devices 112. In one embodiment, such as the embodiment of Figure 24, one or more of the first and second FC controllers 1206/1208 ports may function as FC target devices for receiving commands from other FC initiators, such as the external devices 322. In the embodiment of Figure 12, a bus bridge 1212 of data gate blade A 408A couples PCIX buses 516A and 516B and a bus bridge 1212 of data gate blade B 408B couples PCIX buses 516C and 516D. Hence, the first FC controllers 1206 of both data gate blades 408A and 408B are coupled to transfer data to and from the memory 706 of data manager blade A 406A via PCIX buses 516A and 516C, respectively, and the second FC controllers 1208 of both data gate blades 408A and 408B are coupled to transfer data to and from the memory 706 of data manager blade B 406B via PCIX buses 516B and 516D, respectively. Additionally, the data manager blade A 406A CPU 702 of Figure 7 is coupled to program the first FC controllers 1206 of both the data gate blades 408A and 408B via PCIX bus 516A and 516C, respectively, and the data manager blade B 406B CPU 702 of Figure 7 is coupled to program the second FC controllers 1208 of both the data gate blades 408A and 408B via PCIX bus 516B and 516D, respectively.
[00107] In the embodiment of Figure 12, portl of each of the first and second interface controllers 1206/1208 of data gate blade A 408A and of storage devices B 112B is coupled to a port combiner 1202 of data gate blade A 408A, Docket CHAP.0115 57 similar to the port combiner 842 of Figure 8, for including each of the FC devices in a FC arbitrated loop configuration. Similarly, port2 of each of the first and second interface controllers 1206/1208 of data gate blade A 408A and of storage devices A 112A is coupled to a port combiner 1204 of data gate blade A 408A; portl of each of the first and second interface controllers 1206/1208 of data gate blade B 408B and of storage devices A 112A is coupled to a port combiner 1202 of data gate blade B 408B; port2 of each of the first and second interface controllers 1206/1208 of data gate blade B 408B and of storage devices B 112B is coupled to a port combiner 1204 of data gate blade B 408B. In another embodiment, the storage devices 112 are coupled to the data gate blades 408 via point-to- point links through a FC loop switch. The port combiners 1202/1204 are coupled to external connectors 1214 to connect the storage devices 112 to the data gate blades 408. In one embodiment, the connectors 1214 comprise FC SFPs, similar to SFPs 752A and 752B of Figure 7, for coupling to FC links to the storage devices 112. [00108] Advantageously, the redundant storage controllers 308 and application servers 306 of the embodiment of Figure 12 of the storage appliance 202 provide active-active failover fault-tolerance, as described below with respect to Figures 13 through 15 and 17 through 22, such that if any one of the storage appliance 202 blades fails, the redundant blade takes over for the failed blade to provide no loss of availability to data stored on the storage devices 112. In particular, if one of the application • server blades 402 fails, the primary data manager blade 406 Docket CHAP.0115 58 deterministically kills the failed application server blade 402, and programs the I/O ports of the third and fourth interface controllers 746/748 of the live application server blade 402 to take over the identity of the failed application server blade 402, such that the application server 306 second interface controller 744 (coupled to the third or fourth interface controllers 746/748 via the port combiners 842) and the external devices 322 (coupled to the third or fourth interface controllers 746/748 via the port combiners 842 and expansion I/O connectors 754) continue to have access to the data on the storage devices 112; additionally, the live application server blade 402 programs the I/O ports of the first interface controller 742 to take over the identity of the failed application server blade 402, such that the host computers 302 continue to have access to the data on the storage devices 112, as described in detail below.
[00109] Figures 13 through 15 will now be described. Figures 13 through 15 illustrate three different failure scenarios in which one blade of the storage appliance 202 has failed and how the storage appliance 202 continues to provide access to the data stored on the storage devices 112.
[00110] Referring now to Figure 13, a block diagram illustrating the computer network 200 of Figure 12 in which data gate blade 408A has failed is shown. Figure 13 is similar to Figure 12, except that data gate blade 408A is not shown in order to indicate that data gate blade 408A has failed. However, as may be seen, storage appliance 202 continues to make the data stored in the storage devices Docket CHAP.0115 59
112 available in spite of the failure of a data gate blade 408. In particular, data gate blade B 408B continues to provide a data path to the storage devices 112 for each of the data manager blades 406A and 406B. Data manager blade A 406A accesses data gate blade B 408B via PCIX bus 516C and data manager blade B 406B accesses data gate blade B 408B via PCIX bus 516D through the chassis 414 backplane 412. In one embodiment, data manager blade A 406A determines that data gate blade A 408A has failed because data manager blade A 406A issues a command to data gate blade A 408A and data gate blade A 408A has not completed the command within a predetermined time period. In another embodiment, data manager blade A 406A determines that data gate blade A 408A has failed because data manager blade A 406A determines that a heartbeat of data gate blade A 408A has stopped.
[00111] If data gate blade A 408A fails, the data manager blade A 406A CPU 702 programs the data gate blade B 408B first interface controller 1206 via data manager blade A 406A bus bridge 704 and PCIX bus 516C to access storage devices A 112A via data gate blade B 408B first interface controller 1206 portl, and data is transferred between storage devices A 112A and data manager blade A 406A memory 706 via data gate blade B 408B port combiner 1202, data gate blade B 408B first interface controller 1206 portl, PCIX bus 516C, and data manager blade A 406A bus bridge 704. Similarly, data manager blade A 406A CPU 702 programs the data gate blade B 408B first interface controller 1206 via data manager blade A 406A bus bridge 704 and PCIX bus 516c to access storage devices B 112B via data gate blade B Docket CHAP.0115 60
408B first interface controller 1206 port2, and data is transferred between storage devices B 112B and data manager blade A 406A memory 706 via data gate blade B 408B port combiner 1204, data gate blade B 408B first interface controller 1206 port2, PCIX bus 516C, and data manager blade A 406A bus bridge 704. Advantageously, the storage appliance 202 continues to provide availability to the storage devices 112 data until the failed data gate blade A 408A can be replaced by hot-unplugging the failed data gate blade A 408A from the chassis 414 backplane 412 and hot- plugging a new data gate blade A 408A into the chassis 414 backplane 412.
[00112] Referring now to Figure 14, a block diagram illustrating the computer network 200 of Figure 12 in which data manager blade A 406A has failed is shown. Figure 14 is similar to Figure 12, except that data manager blade A 406A is not shown in order to indicate that data manager blade A 406A has failed. However, as may be seen, storage appliance 202 continues to make the data stored in the storage devices 112 available in spite of the failure of a data manager blade 406. In particular, data manager blade B 406B provides a data path to the storage devices 112 for the application server blade A 402A CPU subsystem 714 and the external devices 322 via the application server blade A 402A fourth interface controller 748 and PCIX bus 516B; additionally, data manager blade B 406B continues to provide a data path to the storage devices 112 for the application server blade B 402B CPU subsystem 714 and external devices 322 via the application server blade B Docket CHAP.0115 61
402B fourth interface controller 748 and PCIX bus 516D, as described after a brief explanation of normal operation. [00113] In one embodiment, during normal operation (i.e., in a configuration such as shown in Figure 12 prior to failure of data manager blade A 406A) , data manager blade A 406A owns the third interface controller 746 of each of the application server blades 402 and programs each of the ports of the third interface controllers 746 with an ID for identifying itself on its respective arbitrated loop, which includes itself, the corresponding port of the respective application server blade 402 second and fourth interface controllers 744/748, and any external devices 322 connected to the respective application server blade 402 corresponding expansion I/O connector 754. In one embodiment, the ID comprises a unique world-wide name. Similarly, data manager blade B 406B owns the fourth interface controller 748 of each of the application server blades 402 and programs each of the ports of the fourth interface controllers 748 with an ID for identifying itself on its respective arbitrated loop. Consequently, when a FC packet is transmitted on one of the arbitrated loops by one of the second interface controllers 744 or by an external device 322, the port of the third interface controller 746 or fourth interface controller 748 having the ID specified in the packet obtains the packet and provides the packet on the appropriate PCIX bus 516 to either data manager blade A 406A or data manager blade B 406B depending upon which of the data manager blades 406 owns the interface controller. [00114] When data manager blade B 406B determines that data manager blade A 406A has failed, data manager blade B Docket CHAP.0115 62
406B disables the third interface controller 746 of each of the application server blades 402. In one embodiment, data manager blade B 406B disables, or inactivates, the application server blade 402 third interface controllers 746 via the BCI bus 718 and CPLD 712 of Figure 7, such that the third interface controller 746 ports no longer respond to or transmit packets on their respective networks. Next, in one embodiment, data manager blade B 406B programs the fourth interface controllers 748 to add the FC IDs previously held by respective ports of the now disabled respective third interface controllers 746 to each of the respective ports of the respective fourth interface controllers 748 of the application server blades 402. This causes the fourth interface controllers 748 to impersonate, or take over the identity of, the respective now disabled third interface controller 746 ports. That is, the fourth interface controller 748 ports respond as targets of FC packets specifying the new IDs programmed into them, which IDs were previously programmed into the now disabled third interface controller 746 ports. In addition, the fourth interface controllers 748 continue to respond as targets of FC packets with their original IDs programmed at initialization of normal operation. Consequently, commands and data previously destined for data manager blade A 406A via the third interface controllers 746 are obtained by the relevant fourth interface controller 748 and provided to data manager blade B 406B. Additionally, commands and data previously destined for data manager blade B 406B via the fourth interface controllers 748 continue to be obtained by the relevant fourth interface controller 748 and provided Docket CHAP.0115 63 to data manager blade B 406B. This operation is referred to as a multi-ID operation since the ports of the non- failed data gate blade 408 fourth interface controllers 748 are programmed with multiple FC IDs and therefore respond to two FC IDs per port rather than one. Additionally, as described above, in one embodiment, during normal operation, data manager blade A 406A and data manager blade B 406B present different sets of logical storage devices to the application servers 306 and external devices 322 associated with the FC IDs held by the third and fourth interface controllers 746/748. Advantageously, when'' data manager blade A 406A fails, data manager blade B 406B continues to present the sets of logical storage devices to the application servers 306 and external devices 322 associated with the FC IDs according to the pre-failure ID assignments using the multi-ID operation.
[00115] Data manager blade B 406B CPU 702 programs the application server blade A 402A fourth interface controller 748 via data manager blade B 406B bus bridge 704 and PCIX bus 516B and programs the application server blade B 402B fourth interface controller 748 via data manager blade B 406B bus bridge 704 and PCIX bus 516D; data is transferred between application server blade A 402A CPU subsystem 714 memory 806 of Figure 8 and data manager blade B 406B memory 706 via application server blade A 402A second interface controller 744, port combiner 842A or 842B, application server blade A 402A fourth interface controller 748, PCIX bus 516B, and data manager blade B 406B bus bridge 704; data is transferred between application server blade B 402B CPU subsystem 714 memory 806 of Figure 8 and data manager Docket CHAP.0115 64 blade B 406B memory 706 via application server blade B 402B second interface controller 744, port combiner 842Α or 842B, application server blade B 402B fourth interface controller 748, PCIX bus 516D, and data manager blade B 406B bus bridge 704; data may be transferred between the application server blade A 402A expansion I/O connectors 754 and data manager blade B 406B memory 706 via port combiner 842A or 842B, application server blade A 402A fourth interface controller 748, PCIX bus 516B, and data manager blade B 406B bus bridge 704; data may be transferred between the application server blade B 402B expansion I/O connectors 754 and data manager blade B 406B memory 706 via port combiner 842A or 842B, application server blade B 402B fourth interface controller 748, PCIX bus 516D, and data manager blade B 406B bus bridge 704. [00116] Furthermore, if data manager blade A 406A fails, data manager blade B 406B continues to provide a data path to the storage devices 112 via both data gate blade A 408A and data gate blade B 408B via PCIX bus 516B and 516D, respectively, for each of the application server blade 402 CPU subsystems 714 and for the external devices 322. In particular, the data manager blade B 406B CPU 702 programs the data gate blade A 408A second interface controller 1208 via data manager blade B 406B bus bridge 704 and PCIX bus 516B to access the storage devices 112 via data gate blade A 408A second interface controller 1208; and data is transferred between the storage devices 112 and data manager blade B 406B memory 706 via data gate blade A 408A port combiner 1202 of 1204, data gate blade A 408A second interface controller 1208, PCIX bus 516B, and data manager Docket CHAP.0115 65 blade B 406B bus bridge 704. Similarly, the data manager blade B 406B CPU 702 programs the data gate blade B 408B second interface controller 1208 via data manager blade B 406B bus bridge 704 and PCIX bus 516D to access the storage devices 112 via data gate blade B 408B second interface controller 1208; and data is transferred between the storage devices 112 and data manager blade B 406B memory 706 via data gate blade B 408B port combiner 1202 or 1204, data gate blade B 408B second interface controller 1208, PCIX bus 516D, and data manager blade B 406B bus bridge 704. Advantageously, the storage appliance 202 continues to provide availability to the storage devices 112 data until the failed data manager blade A 406A can be replaced by removing the failed data manager blade A 406A from the chassis 414 backplane 412 and hot-plugging a new data manager blade A 406A into the chassis 414 backplane 412. [00117] In one embodiment, the backplane 412 includes dedicated out-of-band signals used by the data manager blades 406 to determine whether the other data manager blade 406 has failed or been removed from the chassis 414. One set of backplane 412 signals includes a heartbeat signal generated by each of the data manager blades 406. Each of the data manager blades 406 periodically toggles a respective backplane 412 heartbeat signal to indicate it is functioning properly. Each of the data manager blades 406 periodically examines the heartbeat signal of the other data manager blade 406 to determine whether the other data manager blade 406 is functioning properly. In addition, the backplane 412 includes a signal for each blade of the storage appliance 202 to indicate whether the blade is Docket CHAP.0115 66 present in the chassis 414. Each data manager blade 406 examines the presence signal for the other data manager blade 406 to determine whether the other data manager blade 406 has been removed from the chassis 414. In one embodiment, when one of the data manager blades 406 detects that the other data manager blade 406 has failed, e.g., via the heartbeat signal, the non-failed data manager blade 406 asserts and holds a reset signal to the failing data manager blade 406 via the backplane 412 in order to disable the failing data manager blade 406 to reduce the possibility of the failing data manager blade 406 disrupting operation of the storage appliance 202 until the failing data manager blade 406 can be replaced, such as by hot-swapping.
[00118] Referring now to Figure 15, a block diagram illustrating the computer network 200 of Figure 12 in which application server blade A 402A has failed is shown. Figure 15 is similar to Figure 12, except that application server blade A 402A is not shown in order to indicate that application server blade A 402A has failed. However, as may be seen, storage appliance 202 continues to make the data stored in the storage devices 112 available in spite of the failure of an application server blade 402. In particular, application server blade B 402B provides a data path to the storage devices 112 for the host computers 302 and external devices 322.
[00119] If application server blade A 402A fails, application server blade B 402B continues to provide a data path to the storage devices 112 via both data manager blade A 406A and data manager blade B 406B via PCIX bus 516C and Docket CHAP.0115 67
516D, respectively, for the application server blade B 402B CPU subsystem 714 and the external devices 322. In particular, the data manager blade A 406A CPU 702 programs the application server blade B 402B third interface controller 746 via bus bridge 704 and PCIX bus 516C; data is transferred between the data manager blade A 406A memory 706 and the application server blade B 402B CPU subsystem 714 memory 806 of Figure 8 via data manager blade A 406A bus bridge 704, PCIX bus 516C, application server blade B 402B third interface controller 746, port combiner 842A or 842B, and application server blade B 402B second interface controller 744; data is transferred between the data manager blade A 406A memory 706 and the external devices 322 via data manager blade A 406A bus bridge 704, PCIX bus 516C, application server blade B 402B third interface controller 746, and port combiner 842A or 842B; data is transferred between the application server blade B 402B memory 806 and host computer A 302A via portl of the application server blade B 402B first interface controller 742; and data is transferred between the application server blade B 402B memory 806 and host computer B 302B via port2 of the application server blade B 402B first interface controller 742.
[00120] Host computer A 302A, for example among the host computers 302, re-routes requests to application server blade B 402B I/O connector 752 coupled to portl of the first interface controller 742 in one of two ways. [00121] In one embodiment, host computer A 302A includes a device driver that resides in the operating system between the filesystem software and the disk device Docket CHAP.0115 68 drivers, which monitors the status of I/O paths to the storage appliance 202. When the device driver detects a failure in an I/O path, such as between host computer A 302A and application server A 306A, the device driver begins issuing I/O requests to application server B 306B instead. An example of the device driver is software substantially similar to the DynaPath agent product developed by FalconStor Software, Inc.
[00122] In a second embodiment, application server blade B 402B detects the failure of application server blade A 402A, and reprograms the ports of its first interface controller 742 to take over the identity of the first interface controller 742 of now failed application server blade -A 402A via a multi-ID operation. Additionally, the data manager blades 406 reprogram the ports of the application server blade B 402B third and fourth interface controllers 746/748 to take over the identities of the third and fourth interface controllers 746/748 of now failed application server blade A 402A via a multi-ID operation. This embodiment provides failover operation in a configuration in which the host computers 302 and external devices 322 are networked to the storage appliance 202 via a switch or router via network 114. In one embodiment, the data manager blades 406 detect the failure of application server blade A 402A and responsively inactivate application server blade A 402A to prevent it from interfering with application server blade B 402B taking over the identity of application server blade A 402A. Advantageously, the storage appliance 202 continues to provide availability to the storage devices 112 data Docket CHAP.0115 69 until the failed application server blade A 402A can be replaced by removing the failed application server blade A 402A from the chassis 414 backplane 412 and hot-replacing a new application server blade A 402A into the chassis 414 backplane 412. The descriptions associated with Figures 17 through 22 provide details of how the data manager blades 406 determine that an application server blade 402 has failed, how the data manager blades 406 inactivate the failed application server blade 406, and how the identity of the failed application server blade 406 is taken over by the remaining application server blade 406.
[00123] Referring now to Figure 16, a diagram of a prior art computer network 1600 is shown. The computer network 1600 of Figure 16 is similar to the computer network 100 of Figure 1 and like-numbered items are alike. However, the computer network 1600 of Figure 16 also includes a heartbeat link 1602 coupling the two storage application servers 106, which are redundant active-active failover servers. That is, the storage application servers 106 monitor one another's heartbeat via the heartbeat link 1602 to detect a failure in the other storage application server 106. If one of the storage application servers 106 fails as determined from the heartbeat link 1602, then the remaining storage application server 106 takes over the identify of the other storage application server 106 on the network 114 and services requests in place of the failed storage application server 106. Typically, the heartbeat link 1602 is an Ethernet link or FibreChannel link. That is, each of the storage application servers 106 includes an Ethernet or FC controller for communicating its heartbeat Docket CHAP.0115 70 on the heartbeat link 1602 to the other storage application server 106. Each of the storage application servers 106 periodically transmits the heartbeat to the other storage application server 106 to indicate that the storage application server 106 is still operational. Similarly, each storage application server 106 periodically monitors the heartbeat from the other storage application server 106 to determine whether the heartbeat stopped, and if so, infers a failure of the other storage application server 106. In response to inferring a failure, the remaining storage application server 106 takes over the identity of the failed storage application server 106 on the network 114, such as by taking on the MAC address, world wide name, or IP address of the failed storage application server 106. [00124] As indicated in Figure 16, a situation may occur in which both storage application servers 106 are fully operational and yet a failure occurs on the heartbeat link 1602. For example, the heartbeat link 1602 cable may be damaged or disconnected. In this situation, each server 106 infers that the other server 106 has failed because it no longer receives a heartbeat from the other server 106. This condition may be referred to as a "split brain" condition. An undesirable consequence of this condition is that each server 106 attempts to take over the identity of the other server 106 on the network 114, potentially causing lack of availability of the data on the storage devices 112 to the traditional server 104 and clients 102. [00125] A means of minimizing the probability of encountering the split brain problem is to employ dual heartbeat links. However, even this solution is not a Docket CHAP.0115 71 deterministic solution since the possibility still exists that both heartbeat links will fail. Advantageously, an apparatus, system and method for deterministically solving the split brain problem are described herein. [00126] A further disadvantage of the network 1600 of Figure 16 will now be described. A true failure occurs on one of the storage application servers 106 such that the failed server 106 no longer transmits a heartbeat to the other server 106. In response, the non-failed server 106 sends a command to the failed server 106 on the heartbeat link 1602 commanding the failed server 106 to inactivate itself, i.e., to abandon its identity on the network 114, namely by not transmitting or responding to packets on the network 114 specifying its ID. The non-failed server 106 then attempts to take over the identity of the failed server 106 on the network 114. However, the failed server 106 may not be operational enough to receive and perform the command to abandon its identity on the network 114; yet, the failed server 106 may still be operational enough to maintain its identity on the network, namely to transmit and/or respond to packets on the network 114 specifying its ID. Consequently, when the non-failed server 106 attempts to take over the identity of the failed server 106, this may cause lack of availability of the data on the storage devices 112 to the traditional server 104 and clients 102. Advantageously, an apparatus, system and method for the non-failed server 106 to deterministically inactivate on the network 114 a failed application server 306 integrated into the storage appliance 202 of Figure 2 is described herein. Docket CHAP.0115 72
[00127] Referring now to Figure 17, a block diagram illustrating the storage appliance 202 of Figure 2 is shown. The storage appliance 202 of Figure 17 includes application server blade A 402A, application server blade B 402B, data manager blade A 406A, data manager blade B 406B, and backplane 412 of Figure 4. The storage appliance 202 also includes a heartbeat link 1702 coupling application server blade A 402A and application server blade B 402B. The heartbeat link 1702 of Figure 17 serves a similar function as the heartbeat link 1602 of Figure 16. In one embodiment, the heartbeat link 1702 may comprise a link external to the storage appliance 202 chassis 414 of Figure 4, such as an Ethernet link coupling an Ethernet port of the Ethernet interface controller 732 of Figure 7 of each of the application server blades 402, or such as a FC link coupling a FC port of the first FC interface controller 742 of Figure 7 of each of the application server blades 402, or any other suitable communications link for transmitting and receiving a heartbeat. In another embodiment, the heartbeat link 1702 may comprise a link internal to the storage appliance 202 chassis 414, and in particular, may be comprised in the backplane 412. In this embodiment, a device driver sends the heartbeat over the internal link. By integrating the application server blades 402 into the storage appliance 202 chassis 414, the heartbeat link 1702 advantageously may be internal to the chassis 414, which is potentially more reliable than an external heartbeat link 1702. Application server blade A 402A transmits on heartbeat link 1702 to application server blade B 402B an A-to-B link heartbeat 1744, and application server blade B Docket CHAP.0115 73
402B transmits on heartbeat link 1702 to application server blade A 402A a B-to-A link heartbeat 1742. In one of the internal heartbeat link 1702 embodiments, the heartbeat link 1702 comprises discrete signals on the backplane 412. [00128] Each of the data manager blades 406 receives a blade present status indicator 1752 for each of the blade slots of the chassis 414. Each of the blade present status indicators 1752 indicates whether or not a blade - such as the application server blades 402, data manager blades 406, and data gate blades 408 - are present in the respective slot of the chassis 414. That is, whenever a blade is removed from a slot of the chassis 414, the corresponding blade present status indicator 1752 indicates the slot is empty, and whenever a blade is inserted into a slot of the chassis 414, the corresponding blade present status indicator 1752 indicates that a blade is present in the slot.
[00129] Application server blade A 402A generates a health-A status indicator 1722, which is provided to each of the data manager blades 406, to indicate the health of application server blade A 402A. In one embodiment, the health comprises a three-bit number indicating the relative health (7 being totally healthy, 0 being least healthy) of the application server blade A 402A based on internal diagnostics periodically executed by the application server blade A 402A to diagnose its health. That is, some subsystems of application server blade A 402A may be operational, but others may not, resulting in the report of a health lower than totally healthy. Application server blade B 402B generates a similar status indicator, denoted Docket CHAP.0115 74 health-B status indicator 1732, which is provided to each of the data manager blades 406, to indicate the health of application server blade B 402B.
[00130] Application server blade A 402A also generates a direct heartbeat-A status indicator 1726, corresponding to the A-to-B link heartbeat 1744, but which is provided directly to each of the data manager blades 406 rather than to application server blade B 402B. That is, when application server blade A 402A is operational, it generates a heartbeat both to application server blade B 402B via A-to-B link heartbeat 1744 and to each of the data manager blades 406 via direct heartbeat-A 1726. Application server blade B 402B generates a similar direct heartbeat-B status indicator 1736, which is provided directly to each of the data manager blades 406. [00131] Application server blade A 402A generates an indirect heartbeat B-to-A status indicator 1724, which is provided to each of the data manager blades 406. The indirect heartbeat B-to-A status indicator 1724 indicates the receipt of B-to-A link heartbeat 1742. That is, when application server blade A 402A receives a B-to-A link heartbeat 1742, application server blade A 402A generates a heartbeat on indirect heartbeat B-to-A status indicator 1724, thereby enabling the data manager blades 406 to determine whether the B-to-A link heartbeat 1742 is being received by application server blade A 402A. Application server blade B 402B generates an indirect heartbeat A-to-B status indicator 1734, similar to indirect heartbeat B-to-A status indicator 1724, which is provided to each of the data manager blades 406 to indicate the receipt of A-to-B Docket CHAP.0115 75 link heartbeat 1744. The indirect heartbeat B-to-A status indicator 1724 and indirect heartbeat A-to-B status indicator 1734, in conjunction with the direct heartbeat-A status indicator 1726 and direct heartbeat-B status indicator 1736, enable the data manager blades 406 to deterministically detect when a split brain condition has occurred, i.e., when a failure of the heartbeat link 1702 has occurred although the application server blades 402 are operational.
[00132] Data manager blade B 406B generates a kill A-by-B control 1712 provided to application server blade A 402A to kill, or inactivate, application server blade A 402A. In one embodiment, killing or inactivating application server blade A 402A denotes inactivating the I/O ports of the application server blade A 402A coupling the application server blade A 402A to the network 114, particularly the ports of the interface controllers 732/742/744/746/748 of Figure 7. The kill A-by-B control 1712 is also provided to application server blade B 402B as a status indicator to indicate to application server blade B 402B whether data manager blade B 406B has killed application server blade A 402A. Data manager blade B 406B also generates a kill B- by-B control 1714 provided to application server blade B 402B to kill application server blade B 402B, which is also provided to application server blade A 402A as a status indicator. Similarly, data manager blade A 406A generates a kill B-by-A control 1716 provided to application server blade B 402B to kill application server blade B 402B, which is also provided to application server blade A 402A as a status indicator, and data manager blade A 406A generates a Docket CHAP.0115 76 kill A-by-A control 1718 provided to application server blade A 402A to kill application server blade A 402A, which is also provided to application server blade B 402B as a status indicator.
[00133] Advantageously, the kill controls 1712-1718 deterministically inactivate the respective application server blade 402. That is, the kill controls 1712-1718 inactivate the application server blade 402 without requiring any operational intelligence or state of the application server blade 402, in contrast to the system of Figure 16, in which the failed storage application server 106 must still have enough operational intelligence or state to receive the command from the non-failed storage application server 106 to inactivate itself. [00134] In one embodiment, a data manager blade 406 kills an application server blade 402 by causing power to be removed from the application server blade 402 specified for killing. In this embodiment, the kill controls 1712-1718 are provided on the backplane 412 to power modules, such as power manager blades 416 of Figure 4, and instruct the power modules to remove power from the application server blade 402 specified for killing.
[00135] The status indicators and controls shown in Figure 17 are logically illustrated. In one embodiment, logical status indicators and controls of Figure 17 correspond to discrete signals on the backplane 412. However, other means may be employed to generate the logical status indicators and controls. For example, in one embodiment, the blade control interface (BCI) buses 718 and CPLDs 712 shown in Figures 7, 21, and 22 may be Docket CHAP.0115 77 employed to generate and receive the logical status indicators and controls shown in Figure 17. Operation of the status indicators and controls of Figure 17 will now be described with respect to Figures 18 through 20. [00136] Referring now to Figure 18, a flowchart illustrating fault-tolerant active-active failover of the application server blades 402 of the storage appliance 202 of Figure 17 is shown. Figure 18 primarily describes the operation of the data manager blades 406, whereas Figures 19 and 20 primarily describe the operation of the application server blades 402. Flow begins at block 1802. [00137] At block 1802, one or more of the data manager blades 406 is reset. The reset may occur because the storage appliance 202 is powered up, or because a data manager blade 406 is hot-plugged into a chassis 414 slot, or because one data manager blade 406 reset the other data manager blade 406. Flow proceeds to block 1804. [00138] At block 1804, the data manager blades 406 establish between themselves a primary data manager blade 406. In particular, the primary data manager blade 406 is responsible for monitoring the health and heartbeat-related status indicators of Figure 17 from the application server blades 402 and deterministically killing one of the application server blades 402 in the event of a heartbeat link 1702 failure or application server blade 402 failure in order to deterministically accomplish active-active failover of the application server blades 402. Flow proceeds to decision block 1806.
[00139] At decision block 1806, the data manager blades 406 determine whether the primary data manager blade 406 Docket CHAP.0115 78 has failed. If so, flow proceeds to block 1808; otherwise, flow proceeds to block 1812.
[00140] At block 1808, the secondary data manager blade 406 becomes the primary data manager blade 406 in place of the failed data manager blade 406. Flow proceeds to block 1812.
[00141] At block 1812, the primary data manager blade 406 (and secondary data manager blade 406 if present) receives and monitors the status indicators from each application server blade 402. In particular, the primary data manager blade 406 receives the health-A 1722, health-B 1732, indirect heartbeat B-to-A 1724, indirect heartbeat A-to-B 1734, direct heartbeat A 1726, and direct heartbeat B 1736 status indicators of Figure 17. Flow proceeds to decision block 1814.
[00142] At decision block 1814, the primary data manager blade 406 determines whether direct heartbeat A 1726 has stopped. If so, flow proceeds to block 1816; otherwise, flow proceeds to decision block 1818.
[00143] At block 1816, the primary data manager blade 406 kills application server blade A 402A. That is, if data manager blade A 406A is the primary data manager blade 406, then data manager blade A 406A kills application server blade A 402A via the kill A-by-A control 1718, and if data manager blade B 406B is the primary data manager blade 406, then data manager blade B 406B kills application server blade A 402A via the kill A-by-B control 1712. As described herein, various embodiments are described for the primary data manager blade 406 to kill the application server blade 402, such as by resetting the application Docket CHAP.0115 79 server blade 402 or by removing power from it. In particular, the primary data manager blade 406 causes the application server blade 402 to be inactive on its network 114 I/O ports, thereby enabling the remaining application server blade 402 to reliably assume the identity of the killed application server blade 402 on the network 114. Flow proceeds to decision block 1834.
[00144] At decision block 1818, the primary data manager blade 406 determines whether direct heartbeat B 1736 has stopped. If so, flow proceeds to block 1822; otherwise, flow proceeds to decision block 1824.
[00145] At block 1822, the primary data manager blade 406 kills application server blade B 402B. That is, if data manager blade A 406A is the primary data manager blade 406, then data manager blade A 406A kills application server blade B 402B via the kill B-by-A control 1716, and if data manager blade B 406B is the primary data manager blade 406, then data manager blade B 406B kills application server blade B 402B via the kill B-by-B control 1714. Flow proceeds to decision block 1834.
[00146] At decision block 1824, the primary data manager blade 406 determines whether both indirect heartbeat B-to-A 1724 and indirect heartbeat A-to-B 1734 have stopped (i.e., the heartbeat link 1702 has failed or both servers have failed) . If so, flow proceeds to decision block 1826; otherwise, flow returns to block 1812.
[00147] At decision block 1826, the primary data manager blade 406 examines the health-A status 1722 and health-B status 1732 to determine whether the health of application server blade A 402A is worse than the health of application Docket CHAP.0115 80 server blade B 402B. If so, flow proceeds to block 1828; otherwise, flow proceeds to block 1832.
[00148] At block 1828, the primary data manager blade 406 kills application server blade A 402A. Flow proceeds to decision block 1834.
[00149] At block 1832, the primary data manager blade 406 kills application server blade B 402B. It is noted that block 1832 is reached in the case that both of the application server blades 402 are operational and totally healthy but the heartbeat link 1702 is failed. In this case, as with all the failure cases, the system management subsystem of the data manager blades 406 notifies the system administrator that a failure has occurred and should be remedied. Additionally, in one embodiment, status indicators on the faceplates of the application server blades 402 may be lit to indicate a failure of the heartbeat link 1702. Flow proceeds to decision block 1834. [00150] At decision block 1834, the primary data manager blade 406 determines whether the killed application server blade 402 has been replaced. In one embodiment, the primary data manager blade 406 determines whether the killed application server blade 402 has been replaced by detecting a transition on the blade present status indicator 1752 of the slot corresponding to the killed application server blade 402 from present to not present and then to present again. If decision block 1834 was arrived at because of a failure of the heartbeat link 1702, then the administrator may repair the heartbeat link 1702, and then simply remove and then re-insert the killed application server blade 402. If the killed application Docket CHAP.0115 81 server blade 402 has been replaced, flow proceeds to block 1836; otherwise, flow returns to decision block 1834. [00151] At block 1836, the primary data manager blade 406 unkills the replaced application server blade 402. In one embodiment, unkilling the replaced application server blade 402 comprises releasing the relevant kill control 1712/1714/1716/1718 in order to bring the killed application server blade 402 out of a reset state. Flow returns to block 1812.
[00152] Other embodiments are contemplated in which the primary data manager blade 406 determines a failure of an application server blade 402 at decision blocks 1814 and 1818 by means other than the direct heartbeats 1726/1736. For example, the primary data manager blade 406 may receive an indication (such as from temperature sensors 816 of Figure 8) that the temperature of one or more of the components of the application server blade 402 has exceeded a predetermined limit. Furthermore, the direct heartbeat status indicator 1726/1736 of an application server blade 402 may stop for any of various reasons including, but not limited to, a failure of the CPU subsystem 714 or a failure of one of the I/O interface controllers 732/742/744/746/748.
[00153] Referring now to Figure 19, a flowchart illustrating fault-tolerant active-active failover of the application server blades 402 of the storage appliance 202 of Figure 17 is shown. Flow begins at block 1902. [00154] At block 1902, application server blade A 402A provides it's A-to~B link heartbeat 1744 to application server blade B 402B, and application server blade B 402B Docket CHAP.0115 82 provides it' s B-to-A link heartbeat 1724 to application server blade A 402A of Figure 17. Additionally, application server blade A 402A provides health-A 1722, indirect heartbeat B-to-A 1724, and direct heartbeat-A 1726 to the data manager blades 406, and application server blade B 402B provides health-B 1732, indirect heartbeat A- to-B 1734, and direct heartbeat-B 1736 to the data manager blades 406. In one embodiment, the frequency with which the application server blades 402 provide their health 1722/1732 may be different from the frequency with which the direct heartbeat 1726/1736 and/or link heartbeats 1742/1744 are provided. Flow proceeds to block 1904. [00155] At block 1904, application server blade A 402A monitors the B-to-A link heartbeat 1742 and application server blade B 402B monitors the A-to-B link heartbeat 1744. Flow proceeds to decision block 1906.
[00156] At decision block 1906, each application server blade 402 determines whether the other application server blade 402 link heartbeat 1742/1744 has stopped. If so, flow proceeds to decision block 1908; otherwise, flow returns to block 1902.
[00157] At decision block 1908, each application server blade 402 examines the relevant kill signals 1712-1718 to determine whether the primary data manager blade 406 has killed the other application server blade 402. If so, flow proceeds to block 1912; otherwise, flow returns to decision block 1908.
[00158] At block 1912, the live application server blade 402 takes over the identity of the killed application server blade 402 on the network 114. In various Docket CHAP.0115 83 embodiments, the live application server blade 402 takes over the identity of the killed application server blade 402 on the network 114 by assuming the MAC address, IP address, and/or world wide name of the corresponding killed application server blade 402 I/O ports. The I/O ports may include, but are not limited to, FibreChannel ports, Ethernet ports, and Infiniband ports. Flow ends at block 1912.
[00159] In an alternate embodiment, a portion of the I/O ports of each of the application server blades 402 are maintained in a passive state, while other of the I/O ports are active. When the primary data manager blade 406 kills one of the application server blades 402, one or more of the passive I/O ports of the live application server blade 402 take over the identity of the I/O ports of the killed application server blade 402 at block 1912.
[00160] As may be seen from Figure 19, the storage appliance 202 advantageously deterministically performs active-active failover from the failed application server blade 402 to the live application server blade 402 by ensuring that the failed application server blade 402 is killed, i.e., inactive on the network 114, before the live application server blade 402 takes over the failed application server blade 402 identity, thereby avoiding data unavailability due to conflict of identity on the network.
[00161] Referring now to Figure 20, a flowchart illustrating fault-tolerant active-active failover of the application server blades 402 of the storage appliance 202 of Figure 17 according to an alternate embodiment is shown. Docket CHAP.0115 84
Figure 20 is identical to Figure 19, and like-numbered blocks are alike, except that block 2008 replaces decision block 1908. That is, if at decision block 1906 it is determined that the other application server blade 402 heartbeat stopped, then flow proceeds to block 2008 rather than decision block 1908; and flow unconditionally proceeds from block 2008 to block 1912.
[00162] At block 2008, the live application server blade 402 pauses long enough for the primary data manager blade 406 to kill the other application server blade 402. In one embodiment, the live application server blade 402 pauses a predetermined amount of time. In one embodiment, the predetermined amount of time is programmed into the application server blades 402 based on the maximum of the amount of time required by the primary data manager blade 406 to detect a failure of the link heartbeats 1742/1744 via the indirect heartbeats 1724/1734 and to subsequently kill an application server blade 402, or to detect an application server blade 402 failure via the direct heartbeats 1726/1736 and to subsequently kill the failed application server blade 402.
[00163] As may be seen from Figure 20, the storage appliance 202 advantageously deterministically performs active-active failover from the failed application server blade 402 to the live application server blade 402 by ensuring that the failed application server blade 402 is killed, i.e., inactive on the network 114, before the live application server blade 402 takes over the failed application server blade 402 identity, thereby avoiding Docket CHAP.0115 85 data unavailability due to conflict of identity on the network.
[00164] Referring now to Figure 21, a block diagram illustrating the interconnection of the various storage appliance 202 blades via the BCI buses 718 of Figure 7 is shown. Figure 21 includes data manager blade A 406A, data manager blade B 406B, application server blade A 402A, application server blade B 402B, data gate blade A 408A, data gate blade B 408B, and backplane 412 of Figure 4. Each application server blade 402 includes CPLD 712 of Figure 7 coupled to CPU 802 of Figure 8 and I/O interface controllers 732/742/744/746/748 via ISA bus 716 of Figure 7. The CPLD 712 generates a reset signal 2102, which is coupled to the reset input of CPU 802 and I/O interface controllers 732/742/744/746/748, in response to predetermined control input received from a data manager blade 406 on one of the BCI buses 718 coupled to the CPLD 712. Each of the data manager blades 406 includes CPU 706 of Figure 7 coupled to a CPLD 2104 via an ISA bus 2106. Each data gate blade 408 includes I/O interface controllers 1206/1208 of Figure 12 coupled to a CPLD 2108 via an ISA bus 2112. The CPLD 2108 generates a reset signal 2114, which is coupled to the reset input of the I/O interface controllers 1206/1208, in response to predetermined control input received from a data manager blade 406 on one of the BCI buses 718 coupled to the CPLD 2108. The backplane 412 includes four BCI buses denoted BCI-A 718A, BCI-B 718B, BCI-C 718C, and BCI-D 718D. BCI-A 718A couples the CPLDs 712, 2104, and 2108 of data manager blade A 406A, application server blade A 402A, and data gate blade A Docket CHAP.0115 86
408A, respectively. BCI-B 718B- couples the CPLDs 712, 2104, and 2108 of data manager blade A 406A, application server blade B 402B, and data gate blade B 408B, respectively. BCI-C 718C couples the CPLDs 712, 2104, and 2108 of data manager blade B 406B, application server blade A 402A, and data gate blade A 408A, respectively. BCI-D 718D couples the CPLDs 712, 2104, and 2108 of data manager blade B 406B, application server blade B 402B, and data gate blade B 408B, respectively.
[00165] In the embodiment of Figure 21, the application server blade 402 CPUs 802 generate the health and heartbeat statuses 1722/1724/1726/1732/1734/1736 via CPLDs 712 on the BCI buses 718, which are received by the data manager blade 406 CPLDs 2104 and conveyed to the CPUs 706 via ISA buses 2106, thereby enabling the primary data manager blade 406 to deterministically distinguish a split brain condition from a true application server blade 402 failure. Similarly, the data manager blade 406 CPUs 706 generate the kill controls 1712/1714/1716/1718 via CPLDs 2104 on the BCI buses 718, which cause the application server blade 402 CPLDs 712 to generate the reset signals 2102 to reset the application server blades 402, thereby enabling a data manager blade 406 to deterministically inactivate an application server blade 402 so that the other application server blade 402 can take over its network identity, as described above. Advantageously, the apparatus of Figure 21 does not require the application server blade 402 CPU 802 or I/O interface controllers 732/742/744/746/748 to be in a particular state or have a particular level of Docket CHAP.0115 87 operational intelligence in order for the primary data manager blade 406 to inactivate them.
[00166] Referring now to Figure 22, a block diagram illustrating the interconnection of the various storage appliance 202 blades via the BCI buses 718 of Figure 7 and discrete reset signals according to an alternate embodiment is shown. Figure 22 is identical to Figure 21, and like- numbered elements are alike, except that reset signals 2102 of Figure 21 are not present in Figure 22. Instead, a reset-A signal 2202 is provided from the backplane 412 directly to the reset inputs of the application server blade A 402A CPU 802 and I/O interface controllers 732/742/744/746/748, and a reset-B signal 2204 is provided from the backplane 412 directly to the reset inputs of the application server blade B 402B CPU 802 and I/O interface controllers 732/742/744/746/748. Application server blade A 402A CPU 802 also receives the reset-B signal 2204 as a status indicator, and application server blade B 402B CPU 802 also receives the reset-A signal 2202 as a status indicator. Data manager blade A 406A generates a reset A- by-A signal 2218 to reset application server blade A 402A and generates a reset B-by-A signal 2216 to reset application server blade B 402B. Data manager blade B 406B generates a reset B-by-B signal 2214 to reset application server blade B 402B and generates a reset A-by-B signal 2212 to reset application server blade A 402A. The reset-A signal 2202 is the logical OR of the reset A-by-A signal 2218 and the reset A-by-B signal 2212. The reset-B signal 2204 is the logical OR of the reset B-by-B signal 2214 and the reset B-by-A signal 2216. Docket CHAP.0115 88
[00167] In the embodiment of Figure 22, the application server blade 402 CPUs 802 generate the health and heartbeat statuses 1722/1724/1726/1732/1734/1736 via CPLDs 712 on the BCI buses 718 which are received by the data manager blade 406 CPLDs 2104 and conveyed to the CPUs 706 via ISA buses 2106, thereby enabling the primary data manager blade 406 to deterministically distinguish a split brain condition from a true application server blade 402 failure. Similarly, the data manager blade 406 CPUs 706 generate the reset signals 2212/2214/2216/2218 via CPLDs 2104, which reset the application server blades 402, thereby enabling a data manager blade 406 to deterministically inactivate an application server blade 402 so that the other application server blade 402 can take over its network identity, as described above. Advantageously, the apparatus of Figure 22 does not require the application server blade 402 CPU 802 or I/O interface controllers 732/742/744/746/748 to be in a particular state or having a particular level of operational intelligence in order for the primary data manager blade 406 to inactivate them.
[00168] Referring now to Figure 23, a block diagram illustrating an embodiment of the storage appliance 202 of Figure 2 comprising a single application server blade 402 is shown. Advantageously, the storage appliance 202 embodiment of Figure 23 may be lower cost than the redundant application server blade 402 storage appliance 202 embodiment of Figure 12. Figure 23 is similar to Figure 12 and like-numbered elements are alike. However, the storage appliance 202 of Figure 23 does not include application server blade B 402B. Instead, the storage Docket CHAP.0115 89 appliance 202 of Figure 23 includes a third data gate blade 408 similar to data gate blade B 408B, denoted data gate blade C 408C, in the chassis 414 slot occupied by application server blade B 402B in the storage appliance 202 of Figure 12. The data gate blade C 408C first interface controller 1206 is logically a portion of storage controller A 308A, and the second interface controller 1208 is logically a portion of storage controller B 308B, as shown by the shaded portions of data gate blade C 408C. In one embodiment not shown, data gate blade C 408C comprises four I/O port connectors 1214 rather than two. [00169] Data manager blade A 406A communicates with the data gate blade C 408C first interface controller 1206 via PCIX bus 516C, and data manager blade B 406B communicates with the data gate blade C 408C second interface controller 1208 via PCIX bus 516D. Port2 of external device A 322A is coupled to the data gate blade C 408C I/O connector 1214 coupled to port combiner 1202, and port2 of external device B 322B is coupled to the data gate blade C 408C I/O connector 1214 coupled to port combiner 1204, thereby enabling the external devices 322 to have redundant direct connections to the storage controllers 308, and in particular, redundant paths to each of the data manager blades 406 via the redundant interface controllers 746/748/1206/1208. The data manager blades 406 program the data gate blade C 408C interface controllers 1206/1208 as target devices to receive commands from the external devices 322.
[00170] In one embodiment, if application server blade A 402A fails, the data manager blades 406 program the data Docket CHAP.0115 90 gate blade C 408C interface controller 1206/1208 ports to take over the identities of the application server blade A 402A third/fourth interface controller 746/748 ports. Conversely, if data gate blade C 408C fails, the data manager blades 406 program the application server blade A 402A third/fourth interface controller 746/748 ports to take over the identities of the data gate blade C 408C interface controller 1206/1208 ports. The embodiment of Figure 23 may be particularly advantageous for out-of-band server applications, such as a data backup or data snapshot application, in which server fault-tolerance is not as crucial as in other applications, but where high data availability to the storage devices 112 by the external devices 322 is crucial.
[00171] Referring now to Figure 24, a block diagram illustrating an embodiment of the storage appliance 202 of Figure 2 comprising a single application server blade 402 is shown. Advantageously, the storage appliance 202 embodiment of Figure 24 may be lower cost than the redundant application server blade 402 storage appliance 202 embodiment of Figure 12 or then the single server embodiment of Figure 23. Figure 24 is similar to Figure 12 and like-numbered elements are alike. However, the storage appliance 202 of Figure 24 does not include application server blade B 402B. Instead, the storage devices A 112A and storage devices B 112B are all coupled on the same dual loops, thereby leaving the other data gate blade 408 I/O connectors 1214 available for connecting to the external devices 322. That is, port2 of external device A 322A is coupled to one I/O connector 1214 of data gate blade B Docket CHAP.0115 91
408B, and port2 of external device B 322B is coupled to one I/O connector 1214 of data gate blade A 408A, thereby enabling the external devices 322 to have redundant direct connections to the storage controllers 308, and in particular, redundant paths to each of the data manager blades 406 via the redundant interface controllers 746/748/1206/1208. The data manager blades 406 program the data gate blade 408 interface controllers 1206/1208 as target devices to receive commands from the external devices 322.
[00172] In one embodiment, if application server blade A 402A fails, the data manager blades 406 program portl of the data gate blade A 408A interface controllers 1206/1208 to take over the identities of portl of the application server blade A 402A third/fourth interface controllers 746/748, and the data manager blades 406 program port2 of the data gate blade B 408B interface controllers 1206/1208 to take over the identities of port2 of the application server blade A 402A third/fourth interface controllers 746/748. Additionally, if data gate blade A 408A fails, the data manager blades 406 program port2 of the application server blade A 402A third/fourth interface controllers 746/748 to take over the identities of portl of the data gate blade A 408A interface controller 1206/1208 ports. Furthermore, if data gate blade B 408B fails, the data manager blades 406 program portl of the application server blade A 402A third/fourth interface controllers 746/748 to take over the identities of port2 of the data gate blade B 408B interface controller 1206/1208 ports. As with Figure 23, the embodiment of Figure 24 may be Docket CHAP.0115 92 particularly advantageous for out-of-band server applications, such as a data backup or data snapshot application, in which server fault-tolerance is not as crucial as in other applications, but where high data availability to the storage devices 112 by the external devices 322 is crucial.
[00173] I/O interfaces typically impose a limit on the number of storage devices that may be connected on an interface. For example, the number of FC devices that may be connected on a single FC arbitrated loop is 127. Hence, in the embodiment of Figure 24, a potential disadvantage of placing all the storage devices 112 on the two arbitrated loops rather than four arbitrated loops as in Figure 23 is that potentially half the number of storage devices may be coupled to the storage appliance 202. Another potential disadvantage is that the storage devices 112 must share the bandwidth of two arbitrated loops rather than the bandwidth of four arbitrated loops. However, the embodiment of Figure 24 has the potential advantage of being lower cost than the embodiments of Figure 12 and/or Figure 23. [00174] Referring now to Figure 25, a block diagram illustrating the computer network 200 of Figure 2 and portions of the storage appliance 202 of Figure 12 and in detail one embodiment of the port combiner 842 of Figure 8 is shown. The storage appliance 202 includes the chassis 414 of Figure 4 enclosing various elements of the storage appliance 202. The storage appliance 202 also illustrates one of the application server blade 402 expansion I/O connectors 754 of Figure 7. Figure 25 also includes an external device 322 of Figure 3 external to the chassis 414 Docket CHAP.0115 93 with one of its ports coupled to the expansion I/O connector 754. The expansion I/O connector 754 is coupled to the port combiner 842 by an I/O link 2506. The I/O link 2506 includes a transmit signal directed from the expansion I/O connector 754 to the port combiner 842, and a receive signal directed from the port combiner 842 to the expansion I/O connector 754.
[00175] The storage appliance 202 also includes the application server blade 402 CPU subsystem 714 coupled to an application server blade 402 second interface controller 744 via PCIX bus 724, the data manager blade A 406A CPU 702 coupled to the application server blade 402 third interface controller 746 via PCIX bus 516, and the data manager blade B 406B CPU 702 coupled to the application server blade 402 fourth interface controller 748 via PCIX bus 516, all of Figure 7. The storage appliance 202 also includes the application server blade 402 CPLD 712 of Figure 7. One port of each of the I/O interface controllers 744/746/748 is coupled to the port combiner 842 by a respective I/O link 2506.
[00176] In the embodiment of Figure 25, the port combiner 842 comprises a FibreChannel arbitrated loop hub. The arbitrated loop hub includes four FC port bypass circuits (PBCs), or loop resiliency circuits (LRCs), denoted 2502A, 2502B, 2502C, 2502D. Each LRC 2502 includes a 2-input multiplexer. The four multiplexers are coupled in a serial loop. That is, the output of multiplexer 2502A is coupled to one input of multiplexer 2502B, the output of multiplexer 2502B is coupled to one input of multiplexer 2502C, the output of multiplexer 2502C is coupled to one Docket CHAP.0115 94 input of multiplexer 2502D, and the output of multiplexer 2502D is coupled to one input of multiplexer 2502A. The second input of multiplexer 2502A is coupled to receive the transmit signal of the I/O link 2506 coupled to the second interface controller 744 port; the second input of multiplexer 2502B is coupled to receive the transmit signal of the I/O link 2506 coupled to the third interface controller 746 port; the second input of multiplexer 2502C is coupled to receive the transmit signal of the I/O link 2506 coupled to the fourth interface controller 748 port; and the second input of multiplexer 2502D is coupled to receive the transmit signal of the I/O link 2506 coupled to the expansion I/O connector 754. The output of multiplexer 2502D is provided as the receive signal of the I/O link 2506 to the second I/O interface controller port 744; the output of multiplexer 2502A is provided as the receive signal of the I/O link 2506 to the third I/O interface controller port 746; the output of multiplexer 2502B is provided as the receive signal of the I/O link 2506 to the fourth I/O interface controller port 748; the output of multiplexer 2502C is provided as the receive signal of the I/O link 2506 to the expansion I/O connector 754. [00177] Each multiplexer 2502 also receives a bypass control input 2512 that selects which of the two inputs will be provided on the output of the multiplexer 2502. The application server blade 402 CPU subsystem 714 provides the bypass control 2512 to multiplexer 2502A; the data manager blade A 406A CPU 702 provides the bypass control 2512 to multiplexer 2502B; the data manager blade B 406B CPU 702 provides the bypass control 2512 to multiplexer Docket CHAP.0115 95
2502C; and the application server blade 402 CPLD 712 provides the bypass control 2512 to multiplexer 2502D. A value is generated on the respective bypass signal 2512 to cause the respective multiplexer 2502 to select the output of the previous multiplexer 2502, i.e., to bypass its respective interface controller 744/746/748 I/O port, if the I/O port is not operational; otherwise, a value is generated on the bypass signal 2512 to cause the multiplexer 2502 to select the input receiving the respective I/O link 2506 transmit signal, i.e., to enable the respective I/O port on the arbitrated loop. In particular, at initialization time, the application server blade 402 CPU 714, data manager blade A 406A CPU 702, and data manager blade B 406B CPU 702 each diagnose their respective I/O interface controller 744/746/748 to determine whether the respective I/O port is operational and responsively control the bypass signal 2512 accordingly. Furthermore, if at any time during operation of the storage appliance 202 the CPU 714/702/702 determines the I/O port is not operational, the CPU 714/702/702 generates a value on the bypass signal 2512 to bypass the I/O port.
[00178] With respect to multiplexer 2502D, the CPLD 712 receives a presence detected signal 2508 from the expansion I/O connector 754 to determine whether an I/O link, such as a FC cable, is plugged into the expansion I/O connector 754. The port combiner 842 also includes a signal detector 2504 coupled to receive the transmit signal of the I/O link 2506 coupled to the expansion I/O connector 754. The signal detector 2504 samples the transmit signal and Docket CHAP.0115 96 generates a true value if a valid signal is detected thereon. The CPLD 712 generates a value on its bypass signal 2512 to cause multiplexer 2502D to select the output of multiplexer 2502C, (i.e., to bypass the expansion I/O connector 754, and consequently to bypass the I/O port in the external device 322 that may be connected to the expansion I/O connector 754) , if either the presence detected signal 2508 or signal detected signal 2514 are false; otherwise, the CPLD 712 generates a value on its bypass signal 2512 to cause multiplexer 2502D to select the input receiving the transmit signal of the I/O link 2506 coupled to the expansion I/O connector 754 (i.e., to enable the external device 322 I/O port on the FC arbitrated loop) . In one embodiment, the CPLD 712 generates the bypass signal 2512 in response to the application server blade 402 CPU 702 writing a control value to the CPLD 712. [00179] Although Figure 25 describes an embodiment in which the port combiner 842 of Figure 8 is a FibreChannel hub, other embodiments are contemplated. The port combiner 842 may include, but is not limited to, a FC switch or hub, an Infiniband switch or hub, or an Ethernet switch or hub. [00180] The I/O links 304 advantageously enable redundant application servers 306 to be coupled to architecturally host-independent, or stand-alone, redundant storage controllers 308.' As may be observed from Figure 25 and various of the other Figures, the port combiner 842 advantageously enables the I/O links 304 between the application servers 306 and storage controllers 308 to be externalized beyond the chassis 414 to external devices 322. This advantageously enables the integrated Docket CHAP.0115 97 application servers 306 to access the external devices 322 and enables the external devices 322 to directly access the storage controllers 308.
[00181] Although embodiments have been described in which the I/O links 304 between the second I/O interface controller 744 and the third and fourth I/O interface controllers 746/748 is FibreChannel, other interfaces may be employed. For example, a high-speed Ethernet or Infiniband interface may be employed. If the second interface controller 744 is an interface controller that already has a device driver for the operating system or systems to be run on the application server blade 402, then an advantage is gained in terms of reduced software development. Device drivers for the QLogic ISP2312 have already been developed for many popular operating systems, for example. This advantageously reduces software development time for employment of the application server blade 402 embodiment described. Also, it is advantageous to select a link type between the second interface controller 744 and the third and fourth interface controllers 746/748 which supports protocols that are frequently used by storage application software to communicate with external storage controllers, such as FibreChannel, Ethernet, or Infiniband since they support the SCSI protocol and the internet protocol (IP) , for example. A link type should be selected which provides the bandwidth needed to transfer data according to the rate requirements of the application for which the storage appliance 202 is sought to be used. Docket CHAP.0115 98
[00182] Similarly, although embodiments have been described in which the local buses 516 between the various blades of storage appliance 202 is PCIX, other local buses may be employed, such as PCI, CompactPCI, PCI-Express, PCI- X2 bus, EISA bus, VESA bus, Futurebus, VME bus, MultiBus, RapidIO bus, AGP bus, ISA bus, 3GIO bus, HyperTransport bus, or any similar local bus capable of transferring data at a high rate. For example, if the storage appliance 202 is to be used as a streaming video or audio storage appliance, then the sustainable data rate requirements may be very high, requiring a very high data bandwidth link between the controllers 744 and 746/748 and very high data bandwidth local buses. In other applications lower bandwidth I/O links and local buses may suffice. Also, it is advantageous to select third and fourth interface controllers 746/748 for which storage controller 308 firmware has already been developed, such as the JNIC-1560, in order to reduce software development time. [00183] Although embodiments have been described in which the application server blades 402 execute middleware, or storage application software, typically associated with intermediate storage application server boxes, which have now been described as integrated into the storage appliance 202 as application servers 306, it should be understood that the servers 306 are not limited to executing middleware. Embodiments are contemplated in which some of the functions of the traditional servers 104 may also be integrated into the network storage appliance 202 and executed by the application server blade 402 described herein, particularly for applications in which the hardware Docket CHAP.0115 99 capabilities of the application server blade 402 are sufficient to support the traditional server 104 application. That is, although embodiments have been described in which storage application servers are integrated into the network storage appliance chassis 414, it is understood that the software applications traditionally executed on the traditional application servers 104 may also be migrated to the application server blades 402 in the network storage appliance 202 chassis 414 and executed thereon.
[00184] Referring now to Figure 26, a block diagram illustrating the storage appliance 202 of Figure 2 is shown. Figures 26 and 27 are similar to Figure 17 in many respects; however, whereas Figure 17 illustrates an apparatus for enabling a data manager blade 406 to deterministically kill an application server blade 402, Figures 26 and 27 illustrate an apparatus for enabling an application server blade 402 to deterministically kill the other application server blade 402. The storage appliance 202 of Figure 26 includes application server blade A 402A, application server blade B 402B, data manager blade A 406A, data manager blade B 406B, and backplane 412 of Figure 4. The storage appliance 202 also includes a heartbeat link 1702 coupling application server blade A 402A and application server blade B 402B. The heartbeat link 1702 of Figure 26 serves a similar function as the heartbeat link 1702 of Figure 17. In one embodiment, the heartbeat link 1702 may comprise a link external to the storage appliance 202 chassis 414 of Figure 4, such as an Ethernet link coupling an Ethernet port of the Ethernet interface Docket CHAP.0115 100 controller 732 of Figure 7 of each of the application server blades 402, or such as a FC link coupling a FC port of the first FC interface controller 742 of Figure 7 of each of the application server blades 402, or any other suitable communications link for transmitting and receiving a heartbeat. Application server blade A 402A transmits on heartbeat link 1702 to application server blade B 402B an A-to-B link heartbeat 1744, and application server blade B 402B transmits on heartbeat link 1702 to application server blade A 402A a B-to-A link heartbeat 1742. That is, when application server blade A 402A is operational, it generates a heartbeat to application server blade B 402B via A-to-B link heartbeat 1744. Similarly, when application server blade B 402B is operational, it generates a heartbeat to application server blade A 402A via B-to-A link heartbeat 1742. The application server blades 402 and data manager blades 406 are interconnected via the PCIX buses 516 as shown in Figure 7. [00185] Each of the application server blades 402 receives a blade present status indicator 2652 for each of the blade slots of the chassis 414. Each of the blade present status indicators 2652 indicates whether or not a blade - such as the application server blades 402, data manager blades 406, and data gate blades 408 - are present in the respective slot of the chassis 414. That is, whenever a blade is removed from a slot of the chassis 414, the corresponding blade present status indicator 2652 indicates the slot is empty, and whenever a blade is inserted into a slot of the chassis 414, the corresponding Docket CHAP.0115 101 blade present status indicator 2652 indicates that a blade is present in the slot.
[00186] Application server blade B 402B generates a kill A-by-B control 2612 provided to application server blade A 402A to kill, or inactivate, or disable application server blade A 402A. In one embodiment, killing or inactivating application server blade A 402A denotes inactivating or disabling the I/O ports of the server portion 308 of the application server blade A 402A coupling the application server blade A 402A to the network 114, particularly the ports of the interface controllers 732/742/744 of Figure 7. Similarly, application server blade A 402A generates a kill B-by-A control 2614 provided to application server blade B 402B to kill application server blade B 402B. In one embodiment, each application server blade 402 also provides a status indicator to each of the data manager blades 406 indicating whether it killed the other application server blade 402.
[00187] Each of the application server blades 402 includes the CPU 714 of Figure 7. Each of the application server blades 402 also includes a shield circuit 2602. The shield 2602 of application server blade A 402A receives an enable control 2604 from the CPO 714 and kill A-by-B control 2612. Shield 2602 generates a reset signal 2606 that is coupled to the reset input of I/O controllers 732/742/744 to disable, or inactivate, them and in particular to disable their I/O ports from communicating on the network 114. In one embodiment, the shield 2602 comprises logic that generates a value on the reset control 2606 to disable the I/O controllers 732/742/744 when Docket CHAP.0115 102 application server blade B 402B indicates via kill A-by-B control 2612 that application server blade A 402A should be killed. However, shield 2602 only disables the I/O controllers 732/742/744 if CPU 714 has not enabled shield 2602 via enable control 2604; otherwise, shield 2602 does not reset the I/O controllers 732/742/744. Shield 2602 of application server blade B 402B operates similarly to shield 2602 of application server blade A 402, but in response to kill B-by-A control 2614 rather than kill A-by- B control 2612.
[00188] In one embodiment, the reset controls 2606 also reset the CPU 714. In one embodiment, each shield 2602 is disabled at reset. In one embodiment, the kill signals 2612/2614 comprise a plurality of digital signals, thereby- enabling a plurality of different states to be transmitted thereon. In this embodiment, application server blade 402 kills the other application server blade 402 by generating a predetermined sequence of states on the kill signal 2612/2614. Additionally, the application server blade 402 shield 2602 includes a state machine that recognizes the predetermined sequence of states and disables the I/O controllers 732/742/744 via the reset control 2606 in response to detecting the predetermined sequence, if the shield 2602 is disabled. An advantage of this embodiment is that it reduces the likelihood that an application server blade 402 that is not functioning properly will accidentally or unintentionally kill the other application server blade 402, which might occur if the CPUs 714 could invoke the kill signals 2612/2614 by simply setting a bit in a control register. For example, a bug in an Docket CHAP.0115 103 application software program executing on one application server blade 402 or a hardware error in the application server blade 402 might cause a write to the address of the control register that sets a bit to invoke the kill signal 2612/2614. However, in the embodiment, the likelihood of a bug in an application software program or a hardware error in the application server blade 402 causing the predetermined sequence of states to be generated on the kill signals 2612/2614 is highly unlikely.
[00189] Advantageously, the kill controls 2612/2614 deterministically inactivate the respective application server blade 402. That is, the kill controls '2612/2614 inactivate the application server blade 402 without requiring any operational intelligence or state of the application server blade 402, in contrast to the system of Figure 16, in which the failed storage application server 106 must still have enough operational intelligence to receive the command from the non-failed storage application server 106 to inactivate itself.
[00190] In one embodiment, an application server blade 402 kills the other application server blade 402 by causing power to be removed from the other application server blade 402. In this embodiment, the kill controls 2612/2614 are provided on the backplane 412 to power modules, such as power manager blades 416 of Figure 4, and instruct the power modules to remove power from the application server blade 402 specified for killing.
[00191] Referring now to Figure 27, a block diagram illustrating the storage appliance 202 of Figure 2 according to an alternate embodiment is shown. The storage Docket CHAP.0115 104 appliance 202 of Figure 27 is similar to the storage appliance 202 of Figure 26; however, the embodiment of Figure 27 does not have the external heartbeat link 1702 of Figure 26. Rather, the storage appliance 202 of Figure 27 comprises heartbeat paths 2742 and 2744, or status paths 2742 and 2744, that are internal to the storage appliance 202 chassis 414. Application server blade B 402B transmits a heartbeat to application server blade A 402A via a heartbeat path 2742, denoted heartbeat B-to-A 2742 in Figure 27. Similarly, application server blade A 402A transmits a heartbeat to application server blade B 402B via a heartbeat path 2744, denoted heartbeat A-to-B 2744 in Figure 27. In one embodiment, the heartbeat paths 2742/2744 are comprised in the backplane 412. In one embodiment, a device driver sends the heartbeat over the internal paths 2742/2744. By integrating the application server blades 402 into the storage appliance 202 chassis 414, the heartbeat paths 2742/2744 advantageously may be internal to the chassis 414, which is potentially much more reliable than an external heartbeat link 1702 of Figure 26. In particular, the internal heartbeat paths 2742/2744 are extremely reliable and much more reliable than the external heartbeat link 1702 of Figure 26, in part because while the storage appliance 202 is operational they are not able to be removed by a user, such as an Ethernet, Infiniband, or FibreChannel cable is. In one embodiment, the application server blades 402 transmit a digital heartbeat signal toggling between two states via heartbeat paths 2742/2744. In one embodiment, the digital heartbeat signal is a low frequency signal. In one embodiment, the application Docket CHAP.0115 105 server blade 402 CPU 714 causes the heartbeat signal to be generated after determining that the application server blade 402 is functioning properly.
[00192] The status indicators and controls shown in Figures 26 and 27 are logically illustrated. In one embodiment, logical status indicators and controls of Figures 26 and 27 correspond to discrete signals on the backplane 412. In one embodiment, the signals are etched into the backplane 412. However, other means may be employed to generate .the logical status indicators and controls. For example, in one embodiment, the blade control interface (BCI) buses 718 and CPLDs 712 shown in Figures 7, 21, and 22 may be employed to generate and receive the logical status indicators and controls shown in Figures 26 and 27. In other embodiments, simple combinatorial logic may be employed to generate and receive the logical status indicators and controls shown in Figures 26 and 27. Operation of the status indicators and controls of Figure 26 and 27 will now be described with respect to Figure 28. Advantageously, the apparatus of Figures 26 and 27 do not require the application server blade 402 CPU 714 or I/O interface controllers 732/742/744 to be in a particular state or having a particular level of operational intelligence in order for the other application server blade 402 to inactivate them.
[00193] Referring now to Figure 28, a flowchart illustrating fault-tolerant active-active failover of the application server blades 402 of the storage appliance 202 of Figures 26 and 27 is shown. Flow begins at block 2802. Docket CHAP.0115 106
[00194] At block 2802, each application server blade 402 monitors the heartbeat of the other application server blade .402. In Figure 26, application server blade A 402A monitors the heartbeat of application server blade B 402B via B-to-A link heartbeat 1742, and application server blade B 402B monitors the heartbeat of application server blade A 402A via A-to-B link heartbeat 1744. In Figure 27, application server blade A 402A monitors the heartbeat of application server blade B 402B via heartbeat B-to-A path 2742, and application server blade B 402B monitors the heartbeat of application server blade A 402A via heartbeat A-to-B path 2744. Flow proceeds to decision block 2804. [00195] At decision block 2804, application server blade A 402A determines whether the heartbeat of application server blade B 402B has stopped. In one embodiment, application server blade A 402A also determines whether application server blade B 402B has been removed from the backplane 412 via blade present signals 2652. If the heartbeat of application server blade B 402B has stopped or application server blade B 402B has been removed from the backplane 412, flow proceeds to block 2806; otherwise, flow proceeds to decision block 2822.
[00196] At block 2806, application server blade A 402A raises its shield 2602. That is, CPU 714 enables its shield 2602 via enable control 2604, thereby preventing the reset of its I/O controllers 732/742/744 by the other application server blade 402. Flow proceeds to block 2808. [00197] At block 2808, application server blade A 402A kills application server blade B 402B via kill B-by-A control 2614. In particular, application server blade A Docket CHAP.0115 107
402A causes the I/O ports of the interface controllers 732/742/744 of application server blade B 402B to be disabled or inactive on the network 114, thereby enabling application server blade A 402A to reliably assume the identity of application server blade B 402B on the network 114. Flow proceeds to block 2812.
[00198] At block 2812, lowers its shield 2602. That is, application server blade A 402A CPU 714 disables its shield 2602 via enable control 2604, thereby allowing the reset of I/O controllers 732/742/744 by application server blade B 402B. Flow proceeds to block 2814.
[00199] At block 2814, application server blade A 402A takes over the identity of application server blade B 402B on the network 114. In various embodiments, application server blade A 402A takes over the identity of application server blade B 402B on the network 114 by assuming the MAC address, IP address, and/or world wide name of the corresponding application server blade B 402B I/O ports. The I/O ports may include, but are not limited to, FibreChannel ports, Ethernet ports, and Infiniband ports. Flow proceeds to decision block 2816.
[00200] At decision block 2816, application server blade A 402A determines whether application server blade B 402B has been replaced. In one embodiment, application server blade A 402A determines whether application server blade B 402B has been replaced by detecting a transition on the blade present status indicator 2652 of the slot corresponding to application server blade B 402B from present to not present and then to present again. If decision block 2816 was arrived at because of a failure of Docket CHAP.0115 108 the heartbeat link 1702 of Figure 26, then the administrator may repair the heartbeat link 1702, and then simply remove and then re-insert the killed application server blade B 402B. When application server blade B 402B has been replaced, flow proceeds to block 2818; otherwise, flow returns to decision block 2816.
[00201] At block 2818, application server blade A 402A unkills the replaced application server blade B 402B. In one embodiment, unkilling the replaced application server blade B 402B comprises releasing kill B-by-A control 2614 in order to bring the killed application server blade B 402B out of a reset state. Flow returns to block 2802. [00202] At decision block 2822, application server blade B 402B determines whether the heartbeat of application server blade A 402A has stopped. In one embodiment, application server blade B 402B also determines whether application server blade A 402A has been removed from the backplane 412 via blade present signals 2652. If the heartbeat of application server blade A 402A has stopped or application server blade A 402A has been removed from the backplane 412, flow proceeds to block 2824; otherwise, flow returns to block 2802.
[00203] At block 2824, application server blade B 402B kills application server blade A 402A via kill A-by-B control 2612. Flow proceeds to block 2826.
[00204] At block 2826, application server blade B 402B takes over the identity of application server blade A 402A on the network 114. Flow proceeds to decision block 2828. [00205] At decision block 2828, application server blade B 402B determines whether application server blade A 402A Docket CHAP.0115 109 has been replaced. If so, flow proceeds to block 2832; otherwise, flow returns to decision block 2828. [00206] At block 2832, application server blade B 402B unkills the replaced application server blade A 402A. Flow returns to block 2802.
[00207] As may be observed from Figure 28, advantageously the application server blade 402 shields 2606 provide a means for avoiding a situation in which the application server blades 402 kill one another. In particular, according to Figure 28, if both of the application server blades 402 attempt to kill one another at the same time, application server blade A 402A will kill application server blade B 402B, but not vice versa, because application server blade B 402B does not raise its shield before attempting to kill application server blade A 402A. Figure 28 assumes a convention in which application server blade A 402A is the primary and application server blade B 402B is the secondary with respect to a condition in which each application server blade 402 detects a stopped heartbeat of the other application server blade 402, in which each application server blade 402 would attempt to kill the other application server blade 402. However, a different convention in which application server blade B 402B is the primary could be adopted. In another embodiment, the primary application server blade 402 is determined dynamically through negotiation between the application server blades 402. In another embodiment, the primary application server blade 402 is established based on which slot of the chassis 414 each application server blade 402 is plugged into. Docket CHAP.0115 110
[00208] As discussed above with respect to the other Figures, an application server blade 402 comprises an application server portion 306 and a storage controller portion 308. Each of these portions may fail separately or together. In one case, only the application server 306 of an application server blade 402 fails. For example, a bug in the software executing on the application server 306 may cause this type of failure. In this case, the heartbeat of the failing application server 306 will stop, which will be detected by the surviving application server blade 402. In response, the surviving application server blade 402 will kill the failed application server blade 402, thereby disabling the failed application server blade 402 CPU 714 and I/O controllers 732/742/744. However, the third and fourth I/O controllers 746/748 of the application server blade 402 will continue to function. This enables the data manager blades 406 to continue to communicate on the network 114 via the expansion ports 754, thereby allowing the external devices 322 to access the storage devices 112 via each of the storage controllers 308.
[00209] In a second case, the entire application server blade 402 fails, i.e., both the application server 306 and storage controller 308 portions. For example, a loss of power to the application server 306 may cause this type of failure. In this case, the heartbeat of the failing application server 306 will stop, and the surviving application server blade 402 will kill the failed application server blade 402, as in the first case. However, in the second case, the third and fourth I/O controllers 746/748 of the application server blade 402 Docket CHAP.0115 111 will not continue to function. However, the data manager blades 406 may continue to communicate on the network 114 via the expansion ports 754 of the surviving application server blade 402, thereby allowing the external devices 322 to access the storage devices 112 via each of the data manager blades 406.
[00210] In a third case, only the storage controller 308 portion of an application server blade 402 fails. In this case, the application server blade 402 will continue to generate a heartbeat to the other application server blade 402. However, in one embodiment, the application server blade 402 CPU 714 with the failed storage controller 308 portion times out after seeing no response from the third/fourth I/O controllers 746/748 or receives an indication that the FibreChannel link is down, and in response stops sending its heartbeat to the other application server blade 402, thereby forcing the other application server blade 402 to kill it.
[00211] Although the present invention and its objects, features and advantages have been described in detail, other embodiments are encompassed by the invention. For example, although embodiments have been described employing dual channel I/O interface controllers, other embodiments are contemplated using single channel interface controllers. Additionally, although embodiments have been described in which the redundant blades of the storage appliance are duplicate redundant blades, other embodiments are contemplated in which the redundant blades are triplicate redundant or greater. Furthermore, although Docket CHAP.0115 112 active-active failover embodiments have been described, active-passive embodiments are also contemplated. [00212] Also, although the present invention and its objects, features and advantages have been described in detail, other embodiments are encompassed by the invention. In addition to implementations of the invention using hardware, the invention can be implemented in computer readable code (e.g., computer readable program code, data, etc.) embodied in a computer usable (e.g., readable) medium. The computer code causes the enablement of the functions or fabrication or both of the invention disclosed herein. For example, this can be accomplished through the use of general programming languages (e.g., C, C++, JAVA, and the like) ; GDSII databases; hardware description languages (HDL) including Verilog HDL, VHDL, Altera HDL (AHDL) , and so on; or oth.er programming and/or circuit (i.e., schematic) capture tools available in the art. The computer code can be disposed in any known computer usable (e.g., readable) medium including semiconductor memory, magnetic disk, optical disk (e.g., CD-ROM, DVD-ROM, and the like) , and as a computer data signal embodied in a computer usable (e.g., readable) transmission medium (e.g., carrier wave or any other medium including digital, optical or analog-based medium) . As such, the computer code can be transmitted over communication networks, including Internets and intranets. It is understood that the invention can be embodied in computer code and transformed to hardware as part of the production of integrated circuits. Also, the invention may be embodied as a combination of hardware and computer code. Docket CHAP.0115 113
[00213] Finally, those skilled in the art should appreciate that they can readily use the disclosed conception and specific embodiments as a basis for designing or modifying other structures for carrying out the same purposes of the present invention without departing from the spirit and scope of the invention as defined by the appended claims. I claim:

Claims

Docket CHAP.0115 114
1. A network storage appliance for deterministically performing active-active failover of redundant servers enclosed therein, comprising:
redundant servers, each having at least one unique ID for communicating on a network;
at least one storage controller, coupled to said redundant servers, for transferring data between storage devices and said servers;
a backplane, wherein said storage controller and servers comprise a plurality of blades for plugging into said backplane; and
first and second status paths, comprised in said backplane, each for providing a heartbeat from one of the servers to the other server;
wherein each of said servers is configured to deterministically disable the other server from communicating on said network in response to detecting that said heartbeat of the other server has stopped, and to assume said at least one unique ID of the other server for communicating on said network thereafter. Docket CHAP.0115 115
2. The network storage appliance of claim 1, wherein each of said first and second status paths are etched in said backplane .
3. The network storage appliance of claim 1, wherein each of said first and second status paths are non-user- removable .
4. The network storage appliance of claim 1, wherein each of said first and second status paths comprise paths with extremely low failure rates.
5. The network storage appliance of claim 1, wherein each of said first and second status paths comprises:
control logic, for generating said heartbeat from one of the servers to the other server.
6. The network storage appliance of claim 5, wherein each of said servers comprises said control logic.
7. The network storage appliance of claim 6, wherein said control logic comprises a programmable logic device.
Docket CHAP.0115 116
8. The network storage appliance of claim 1, wherein each of said servers comprises at least one FibreChannel port having said at least one unique ID for communicating on said network.
9. The network storage appliance of claim 1, wherein each of said servers comprises at least one Ethernet port having said at least one unique ID for communicating on said network.
10. The network storage appliance of claim 1, wherein each of said servers comprises at least one Infiniband port having said at least one unique ID for communicating on said network.
11. The network storage appliance of claim 1, wherein said server deterministically disabling the other server from communicating on said network comprises said server disabling the other server independent of whether the other server is operational.
Docket CHAP.0115 117
12. The network storage appliance of claim 1, wherein said server deterministically disabling the other server from communicating on said network comprises said server disabling the other server without intelligence of the other server.
13. The network storage appliance of claim 1, wherein said server deterministically disabling the other server from communicating on said network comprises said server disabling the other server regardless of whether a central processing unit comprised in the other server is operational.
14. The network storage appliance of claim 1, wherein said server deterministically disabling the other server from communicating on said network comprises said server disabling the other server without requiring the other server to be in a predetermined state.
15. The network storage appliance of claim 1, wherein said server deterministically disabling the other server from communicating on said network comprises said server causing the other server not to participate on said network using said at least one unique ID. Docket CHAP.0115 118
16. The network storage appliance of claim 1, wherein said server deterministically disabling the other server from communicating on said network comprises said server causing the other server not to respond to said at least one unique ID on said network.
17. The network storage appliance of claim 1, wherein said server deterministically disabling the other server from communicating on said network comprises said server causing the other server not to transmit packets with said at least one unique ID on said network.
18. The network storage appliance of claim 1, wherein each of said servers comprises an interface controller comprising an I/O port having said at least one unique ID, wherein said server deterministically disabling the other server from communicating on said network comprises said server resetting said interface controller of the other server.
19. The network storage appliance of claim 1, wherein each of said at least one unique ID comprises a unique world wide name. Docket CHAP.0115 119
20. The network storage appliance of claim 1, wherein each of said at least one unique ID comprises a unique internet protocol (IP) address.
21. The network storage appliance of claim 1, wherein each of said at least one unique ID comprises a unique MAC address .
22. The network storage appliance of claim 1, wherein said heartbeat comprises a signal generated on said first and second status paths by each of the redundant servers .
23. The network storage appliance of claim 22, wherein said heartbeat signal toggles between two predetermined states.
24. The network storage appliance of claim 22, wherein said heartbeat signal toggles between two predetermined states at a low frequency.
Docket CHAP.0115 120
25. The network storage appliance of claim 1, further comprising:
a chassis, for enclosing said redundant servers, said at least one storage controller, and said backplane.
26. The network storage appliance of claim 25, wherein said chassis comprises a chassis for mounting in a 19 inch wide rack.
27. The network storage appliance of claim 1, further comprising:
first and second control paths, comprised in said backplane, each for allowing one of the servers to disable the other server from communicating on said network in response to detecting that said heartbeat of the other server has stopped.
Docket CHAP.0115 121
28. The network storage appliance of claim 27, wherein each of said servers comprises at least one I/O port having said at least one unique ID, wherein said first and second control paths each allow one of the servers to reset said at least one I/O port on the other server to disable the other server from communicating on said network.
29. The network storage appliance of claim 1, wherein said server is configured to transfer data between said at least one storage controller and one or more computers on the network in response to I/O requests to said at least one unique ID of the other server after deterministically disabling the other server from communicating on said network and assuming said at least one unique ID of the other server.
30. The network storage appliance of claim 1, wherein said blades are hot-pluggable into said backplane.
31. The network storage appliance of claim 1, wherein said at least one storage controller comprises redundant storage controllers . Docket CHAP.0115 122
32. The network storage appliance of claim 31, wherein said redundant storage controllers are configured to transfer data between said storage devices and each of said servers.
33.' The network storage appliance of claim 31, wherein two of said plurality of blades each comprise:
one of said redundant servers; and
a portion of one of said redundant storage controllers .
34. The network storage appliance of claim 33, wherein each of said portions of one of said redundant storage controllers comprises:
an I/O port, for communicating on said network with computers to transfer data between said storage devices and said computers.
35. The network storage appliance of claim 1, wherein said backplane comprises a plurality of local buses for transferring data between said plurality of blades .
36. The network storage appliance of claim 35, wherein said plurality of local buses comprise PCIX buses. Docket CHAP.0115 123
37. The network storage appliance of claim 1, wherein said at least one storage controller comprises at least one redundant array of inexpensive disks (RAID) controller.
38. The network storage appliance of claim 1, wherein said server deterministically disabling the other server comprises said server causing power to be removed from the other server.
Docket CHAP.0115 124
39. A network storage appliance for deterministically performing active-active failover of redundant servers enclosed therein, comprising:
a chassis;
redundant servers, enclosed in said chassis, each having at least one unique ID for communicating on a network;
at least one storage controller, enclosed in said chassis, coupled to said redundant servers, for transferring data between storage devices and said servers; and
first and second status paths, enclosed in said chassis, each for providing a heartbeat from one of the servers to the other server;
wherein each of said servers is configured to deterministically disable the other server from communicating on said network in response to detecting that said heartbeat of the other server has stopped, and to assume said at least one unique ID of the other server for communicating on said network thereafter. Docket CHAP.0115 125
40. The network storage appliance of claim 39, further comprising:
a backplane, enclosed in said chassis, wherein said storage controller and servers comprise a plurality of blades for plugging into said backplane.
41. The network storage appliance of claim 40, wherein said plurality of blades are hot-pluggable into said backplane .
42. The network storage appliance of claim 39, wherein each of said redundant servers comprises substantially an x86 architecture personal computer server.
Docket CHAP.0115 126
43. An apparatus for deterministically performing active- active failover of redundant servers integrated with at least one storage controller into a network storage appliance chassis, each of the servers being configured to communicate with computers on a network, the apparatus comprising:
a backplane, enclosed in the chassis, configured to receive a plurality of hot-pluggable blades comprising the servers and storage controller;
two heartbeat paths, comprised in said backplane, each for conveying a respective heartbeat signal from one of the servers to the other server; and
two kill paths, on said backplane, each for conveying a signal for inactivating the other server from communicating on the network in response to detecting said heartbeat of the other server has stopped;
wherein the inactivating server is configured to take over the identity of the inactivated server on the network after inactivating the other server. Docket CHAP.0115 127
44. The apparatus of claim 43, wherein said two heartbeat paths and said two kill paths are non-user-removable while the appliance is operational.
45. The apparatus of claim 43, further comprising:
a presence input, received by each of the servers for indicating whether the other server is present in said chassis, wherein the inactivating server ceases inactivating the other server after determining via said presence input that the other server has been replaced in said chassis.
Docket CHAP.0115 128
46. A method for deterministically performing failover of first and second redundant servers integrated into a network storage appliance chassis, the method comprising:
the first server receiving a first heartbeat signal from the second server via a first signal path in a backplane of the chassis;
the second server receiving a second heartbeat signal from the first server via a second signal path in a backplane of the chassis;
the first server detecting that the first heartbeat signal has stopped;
the first server generating a kill signal to the second server to disable the second server from communicating on a network, in response to said detecting the first heartbeat signal has stopped; and
the first server taking over the identity of the second server on the network, after said generating the kill signal. Docket CHAP.0115 129
47. The method of claim 46, wherein said generating the kill signal to the second server comprises the first server generating the kill signal to the second server via a third signal path in the backplane.
48. The method of claim 46, further comprising:
the first server enabling a shield circuit, prior to said generating the kill signal, to prevent the second server from disabling the first server from communicating on the network.
49. The method of claim 48, further comprising:
the first server disabling the shield circuit, after said generating the kill signal, to enable the second server to disable the first server from communicating on the network.
Docket CHAP.0115 130
50. The method of claim 46, further comprising:
the first server determining that the second server has been replaced in the backplane, after said taking over the identity of the second server on the network; and
the first server ceasing said generating the kill signal, after said determining that the second server has been replaced in the backplane.
Docket CHAP.0115 131
51. A network storage appliance for deterministically performing active-active failover of redundant servers enclosed therein, comprising:
redundant servers, each having at least one unigue ID for communicating on a network;
at least one storage controller, coupled to said redundant servers, for transferring data between storage devices and said servers;
a backplane, wherein said storage controller and servers comprise a plurality of blades for plugging into said backplane; and
first and second status paths, comprised in said backplane, each for providing an indication of whether a respective one of the servers is present in said backplane;
wherein each of said servers is configured to deterministically disable the other server from communicating on said network in response to detecting via said indication that the other server has been removed from said backplane, and to assume said at least one unique ID of the Docket CHAP.0115 132 other server for communicating on said network thereafter.
PCT/US2005/024710 2004-07-16 2005-07-11 Deterministically active-active failover of redundant servers in a network storage appliance WO2006019744A2 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US10/893,718 US7627780B2 (en) 2003-04-23 2004-07-16 Apparatus and method for deterministically performing active-active failover of redundant servers in a network storage appliance
US10/893,718 2004-07-16

Publications (2)

Publication Number Publication Date
WO2006019744A2 true WO2006019744A2 (en) 2006-02-23
WO2006019744A3 WO2006019744A3 (en) 2006-09-14

Family

ID=35907862

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2005/024710 WO2006019744A2 (en) 2004-07-16 2005-07-11 Deterministically active-active failover of redundant servers in a network storage appliance

Country Status (2)

Country Link
US (1) US7627780B2 (en)
WO (1) WO2006019744A2 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2008115625A2 (en) * 2007-03-16 2008-09-25 Dot Hill Systems Corporation Method and apparatus for operating storage controller system in elevated temperature environment
GB2499822A (en) * 2012-02-29 2013-09-04 Metaswitch Networks Ltd Failover processing using different physical paths

Families Citing this family (33)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7565566B2 (en) * 2003-04-23 2009-07-21 Dot Hill Systems Corporation Network storage appliance with an integrated switch
US7320083B2 (en) * 2003-04-23 2008-01-15 Dot Hill Systems Corporation Apparatus and method for storage controller to deterministically kill one of redundant servers integrated within the storage controller chassis
US7644135B2 (en) * 2004-10-25 2010-01-05 Texas Instruments Incorporated Method of improving communications data throughput on embedded systems and reducing the load on the operating system and central processing unit
US20060142874A1 (en) * 2004-12-23 2006-06-29 Pettigrew David D Jr System for reducing electrical wiring in complex apparatus, such as vehicles and aircraft
US7486526B1 (en) * 2005-03-29 2009-02-03 Emc Corporation Techniques for redundant computing from within a 1U form factor with improved serviceability and high availability characteristics
US7809993B2 (en) * 2006-01-17 2010-10-05 International Business Machines Corporation Apparatus, system, and method for receiving digital instructions at devices sharing an identity
US7930529B2 (en) * 2006-12-27 2011-04-19 International Business Machines Corporation Failover of computing devices assigned to storage-area network (SAN) storage volumes
US20080307005A1 (en) * 2007-06-09 2008-12-11 Pettigrew Jr David D System for reducing electrical wiring in complex apparatus, such as vehicles and aircraft
US8260891B2 (en) * 2007-10-30 2012-09-04 Dell Products L.P. System and method for the provision of secure network boot services
US8306652B2 (en) * 2008-03-14 2012-11-06 International Business Machines Corporation Dual-band communication of management traffic in a blade server system
US8615606B2 (en) * 2008-12-10 2013-12-24 At&T Intellectual Property I, L.P. Methods and apparatus to manipulate services in a distributed business intelligence computing environment
US8037364B2 (en) * 2009-01-09 2011-10-11 International Business Machines Corporation Forced management module failover by BMC impeachment consensus
US8176150B2 (en) * 2009-08-12 2012-05-08 Dell Products L.P. Automated services procurement through multi-stage process
US9182874B2 (en) * 2011-01-31 2015-11-10 Dell Products, Lp System and method for out-of-band communication between a remote user and a local user of a server
US8681606B2 (en) 2011-08-30 2014-03-25 International Business Machines Corporation Implementing redundancy on infiniband (IB) networks
US9137141B2 (en) 2012-06-12 2015-09-15 International Business Machines Corporation Synchronization of load-balancing switches
US8938521B2 (en) 2012-08-29 2015-01-20 Lenovo Enterprise Solutions (Singapore) Pte. Ltd. Bi-directional synchronization enabling active-active redundancy for load-balancing switches
US8954780B1 (en) * 2012-10-11 2015-02-10 Symantec Corporation Systems and methods for transferring input/output operations within computer clusters
US9311173B2 (en) 2013-03-12 2016-04-12 Honeywell International Inc. Systems and methods for increasing robustness of a system with a remote server
EP3033676A1 (en) 2013-08-14 2016-06-22 Intel Corporation Manageability redundancy for micro server and clustered system-on-a-chip deployments
US10402217B2 (en) * 2014-05-15 2019-09-03 Vmware, Inc. Automatic reconfiguration of a pre-configured hyper-converged computing device
KR102387973B1 (en) * 2015-12-01 2022-04-19 삼성전자주식회사 Duplicated storage device, server system having the same, and operation method thereof
JP6409812B2 (en) * 2016-04-01 2018-10-24 横河電機株式会社 Redundancy apparatus, redundancy system, and redundancy method
US10467100B2 (en) * 2016-08-15 2019-11-05 Western Digital Technologies, Inc. High availability state machine and recovery
CN108352995B (en) * 2016-11-25 2020-09-08 华为技术有限公司 SMB service fault processing method and storage device
JP2018116477A (en) * 2017-01-18 2018-07-26 富士通株式会社 Information processing apparatus and information processing system
US11300604B2 (en) 2018-04-06 2022-04-12 Bently Nevada, Llc Monitoring system with serial data lane transmission network
US11009864B2 (en) 2018-04-06 2021-05-18 Bently Nevada, Llc Gated asynchronous multipoint network interface monitoring system
CN110830817A (en) * 2018-08-08 2020-02-21 视联动力信息技术股份有限公司 Video transcoding capacity adjusting method and video transcoding server
CN110069381A (en) * 2019-03-20 2019-07-30 山东超越数控电子股份有限公司 A method of Domestic Platform heartbeat detection is realized by CPLD
US10762773B1 (en) 2019-08-19 2020-09-01 Ademco Inc. Systems and methods for building and using a false alarm predicting model to determine whether to alert a user and/or relevant authorities about an alarm signal from a security system
US11327858B2 (en) 2020-08-11 2022-05-10 Seagate Technology Llc Preserving data integrity during controller failure
CN113691306B (en) * 2021-07-08 2022-09-23 曙光网络科技有限公司 Method, system and storage medium for protecting optical fiber circuit

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2002101573A2 (en) * 2001-06-13 2002-12-19 Intel Corporation Modular server architecture
US20030018927A1 (en) * 2001-07-23 2003-01-23 Gadir Omar M.A. High-availability cluster virtual server system
US6609213B1 (en) * 2000-08-10 2003-08-19 Dell Products, L.P. Cluster-based system and method of recovery from server failures
US20040111559A1 (en) * 2002-12-10 2004-06-10 Thomas Heil Apparatus and method for sharing boot volume among server blades

Family Cites Families (105)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4159516A (en) * 1976-03-23 1979-06-26 Texas Instruments Incorporated Input/output controller having selectable timing and maskable interrupt generation
US4245344A (en) 1979-04-02 1981-01-13 Rockwell International Corporation Processing system with dual buses
US4245355A (en) * 1979-08-08 1981-01-13 Eaton Corporation Microwave frequency converter
BE887134A (en) * 1979-12-14 1981-05-14 Gte Automatic Electric Lab Inc INTERRUPTION EXPANSION CIRCUIT
US5175849A (en) 1988-07-28 1992-12-29 Amdahl Corporation Capturing data of a database system
US5140592A (en) * 1990-03-02 1992-08-18 Sf2 Corporation Disk array system
US5124987A (en) * 1990-04-16 1992-06-23 Storage Technology Corporation Logical track write scheduling system for a parallel disk drive array data storage subsystem
GB2273180A (en) * 1992-12-02 1994-06-08 Ibm Database backup and recovery.
US5590381A (en) 1994-06-30 1996-12-31 Lucent Technologies Inc. Method and apparatus for buffered video playback of video content distributed on a plurality of disks
US5546272A (en) * 1995-01-18 1996-08-13 Dell Usa, L.P. Serial fan cooling subsystem for computer systems
US5790775A (en) * 1995-10-23 1998-08-04 Digital Equipment Corporation Host transparent storage controller failover/failback of SCSI targets and associated units
JP3628777B2 (en) * 1995-10-30 2005-03-16 株式会社日立製作所 External storage device
US5884098A (en) * 1996-04-18 1999-03-16 Emc Corporation RAID controller system utilizing front end and back end caching systems including communication path connecting two caching systems and synchronizing allocation of blocks in caching systems
US5852724A (en) * 1996-06-18 1998-12-22 Veritas Software Corp. System and method for "N" primary servers to fail over to "1" secondary server
US5835694A (en) * 1996-12-06 1998-11-10 International Business Machines Corporation Raid-configured disk drive array wherein array control occurs at the disk drive level
US6144887A (en) * 1996-12-09 2000-11-07 Denso Corporation Electronic control unit with reset blocking during loading
US6073209A (en) 1997-03-31 2000-06-06 Ark Research Corporation Data storage controller providing multiple hosts with access to multiple storage subsystems
US6134673A (en) * 1997-05-13 2000-10-17 Micron Electronics, Inc. Method for clustering software applications
US5986880A (en) * 1997-06-16 1999-11-16 Compaq Computer Corporation Electronic apparatus having I/O board with cable-free redundant adapter cards thereon
US6085333A (en) * 1997-12-19 2000-07-04 Lsi Logic Corporation Method and apparatus for synchronization of code in redundant controllers in a swappable environment
US5996024A (en) * 1998-01-14 1999-11-30 Emc Corporation Method and apparatus for a SCSI applications server which extracts SCSI commands and data from message and encapsulates SCSI responses to provide transparent operation
US5964886A (en) * 1998-05-12 1999-10-12 Sun Microsystems, Inc. Highly available cluster virtual disk system
US6728781B1 (en) * 1998-05-12 2004-04-27 Cornell Research Foundation, Inc. Heartbeat failure detector method and apparatus
US6272591B2 (en) * 1998-10-19 2001-08-07 Intel Corporation Raid striping using multiple virtual channels
US6330687B1 (en) 1998-11-13 2001-12-11 Digi-Data Corporation System and method to maintain performance among N single raid systems during non-fault conditions while sharing multiple storage devices during conditions of a faulty host computer or faulty storage array controller
US6260079B1 (en) * 1998-11-15 2001-07-10 Hewlett-Packard Company Method and system for enhancing fibre channel loop resiliency for a mass storage enclosure by increasing component redundancy and using shunt elements and intelligent bypass management
JP2000172624A (en) * 1998-12-07 2000-06-23 Hitachi Ltd Input/output processing system
JP4132322B2 (en) 1998-12-16 2008-08-13 株式会社日立製作所 Storage control device and control method thereof
EP1026575A3 (en) * 1999-02-08 2006-09-06 Hitachi, Ltd. Disk array system and method of changing its configuration
US6289376B1 (en) * 1999-03-31 2001-09-11 Diva Systems Corp. Tightly-coupled disk-to-CPU storage server
US6389432B1 (en) * 1999-04-05 2002-05-14 Auspex Systems, Inc. Intelligent virtual volume access
AU4036700A (en) * 1999-04-06 2000-10-23 Lipstream Networks, Inc. Facilitating real-time, multi-point communications over the internet
US6401170B1 (en) * 1999-08-18 2002-06-04 Digi-Data Corporation RAID systems during non-fault and faulty conditions on a fiber channel arbitrated loop, SCSI bus or switch fabric configuration
US7103647B2 (en) * 1999-08-23 2006-09-05 Terraspring, Inc. Symbolic definition of a computer system
US6346489B1 (en) * 1999-09-02 2002-02-12 Applied Materials, Inc. Precleaning process for metal plug that minimizes damage to low-κ dielectric
US6526477B1 (en) * 1999-09-03 2003-02-25 Adaptec, Inc. Host-memory based raid system, device, and method
JP4462697B2 (en) * 2000-01-31 2010-05-12 株式会社日立製作所 Storage controller
US20030099254A1 (en) * 2000-03-03 2003-05-29 Richter Roger K. Systems and methods for interfacing asynchronous and non-asynchronous data media
US6654831B1 (en) * 2000-03-07 2003-11-25 International Business Machine Corporation Using multiple controllers together to create data spans
US6898727B1 (en) * 2000-03-22 2005-05-24 Emc Corporation Method and apparatus for providing host resources for an electronic commerce site
US7162542B2 (en) * 2000-04-13 2007-01-09 Intel Corporation Cascading network apparatus for scalability
WO2001084313A2 (en) * 2000-05-02 2001-11-08 Sun Microsystems, Inc. Method and system for achieving high availability in a networked computer system
US6658504B1 (en) 2000-05-16 2003-12-02 Eurologic Systems Storage apparatus
US6971016B1 (en) * 2000-05-31 2005-11-29 International Business Machines Corporation Authenticated access to storage area network
CA2398698A1 (en) * 2000-06-23 2002-01-03 Comsonics, Inc. Diving mask with embedded computer system
DE10030329C1 (en) * 2000-06-27 2002-01-24 Siemens Ag Redundant control system as well as control computer and peripheral unit for such a control system
IES20010400A2 (en) * 2000-07-06 2002-02-06 Richmount Computers Ltd Data gathering device for a rack enclosure
EP1316017A2 (en) 2000-08-07 2003-06-04 Inrange Technologies Corporation Method and apparatus for imparting fault tolerance in a director switch
KR100340686B1 (en) 2000-09-19 2002-06-15 오길록 The Apparatus for Redundant Interconnection between Multiple Hosts and RAID
JP4734484B2 (en) * 2000-10-19 2011-07-27 新世代株式会社 Information processing apparatus and memory cartridge system
US6785678B2 (en) * 2000-12-21 2004-08-31 Emc Corporation Method of improving the availability of a computer clustering system through the use of a network medium link state function
WO2002069076A2 (en) * 2000-12-29 2002-09-06 Ming Qiu Server array hardware architecture and system
US6934875B2 (en) * 2000-12-29 2005-08-23 International Business Machines Corporation Connection cache for highly available TCP systems with fail over connections
US6990547B2 (en) * 2001-01-29 2006-01-24 Adaptec, Inc. Replacing file system processors by hot swapping
US6715098B2 (en) * 2001-02-23 2004-03-30 Falconstor, Inc. System and method for fibrechannel fail-over through port spoofing
IES20010610A2 (en) * 2001-03-08 2002-09-18 Richmount Computers Ltd Reset facility for redundant processor using a fibre channel loop
IES20010783A2 (en) * 2001-04-26 2002-09-18 Richmount Computers Ltd Data storage apparatus
US6691184B2 (en) * 2001-04-30 2004-02-10 Lsi Logic Corporation System and method employing a dynamic logical identifier
US6792515B2 (en) * 2001-06-21 2004-09-14 International Business Machines Corporation System for addressing processors connected to a peripheral bus
US6757177B2 (en) * 2001-07-05 2004-06-29 Tropic Networks Inc. Stacked backplane assembly
US6874100B2 (en) * 2001-07-12 2005-03-29 Digi-Data Corporation Raid system with multiple controllers and proof against any single point of failure
US6785744B2 (en) * 2001-08-08 2004-08-31 International Business Machines Corporation Mapping SCSI medium changer commands to mainframe-compatible perform library function commands
US20030033463A1 (en) * 2001-08-10 2003-02-13 Garnett Paul J. Computer system storage
US7437493B2 (en) 2001-09-28 2008-10-14 Dot Hill Systems Corp. Modular architecture for a network storage controller
US6839788B2 (en) * 2001-09-28 2005-01-04 Dot Hill Systems Corp. Bus zoning in a channel independent storage controller architecture
US7062591B2 (en) 2001-09-28 2006-06-13 Dot Hill Systems Corp. Controller data sharing using a modular DMA architecture
US6895467B2 (en) * 2001-10-22 2005-05-17 Hewlett-Packard Development Company, L.P. System and method for atomizing storage
GB2381713A (en) * 2001-11-01 2003-05-07 3Com Corp Failover mechanism involving blocking of access of a malfunctioning server and continuing monitoring to enable unblocking of access if server recovers
US6732243B2 (en) * 2001-11-08 2004-05-04 Chaparral Network Storage, Inc. Data mirroring using shared buses
US6874103B2 (en) * 2001-11-13 2005-03-29 Hewlett-Packard Development Company, L.P. Adapter-based recovery server option
US7127633B1 (en) * 2001-11-15 2006-10-24 Xiotech Corporation System and method to failover storage area network targets from one interface to another
US6883065B1 (en) * 2001-11-15 2005-04-19 Xiotech Corporation System and method for a redundant communication channel via storage area network back-end
US6904482B2 (en) * 2001-11-20 2005-06-07 Intel Corporation Common boot environment for a modular server system
US6983397B2 (en) * 2001-11-29 2006-01-03 International Business Machines Corporation Method, system, and program for error handling in a dual adaptor system where one adaptor is a master
US6782450B2 (en) * 2001-12-06 2004-08-24 Raidcore, Inc. File mode RAID subsystem
US7138733B2 (en) * 2001-12-13 2006-11-21 Hewlett-Packard Development Company, L.P. Redundant data and power infrastructure for modular server components in a rack
US7111084B2 (en) * 2001-12-28 2006-09-19 Hewlett-Packard Development Company, L.P. Data storage network with host transparent failover controlled by host bus adapter
US7076555B1 (en) * 2002-01-23 2006-07-11 Novell, Inc. System and method for transparent takeover of TCP connections between servers
US6983396B2 (en) * 2002-02-15 2006-01-03 International Business Machines Corporation Apparatus for reducing the overhead of cache coherency processing on each primary controller and increasing the overall throughput of the system
US7152185B2 (en) 2002-02-22 2006-12-19 Bea Systems, Inc. Method for event triggered monitoring of managed server health
US20030177224A1 (en) * 2002-03-15 2003-09-18 Nguyen Minh Q. Clustered/fail-over remote hardware management system
US7073022B2 (en) * 2002-05-23 2006-07-04 International Business Machines Corporation Serial interface for a data storage array
US7986618B2 (en) 2002-06-12 2011-07-26 Cisco Technology, Inc. Distinguishing between link and node failure to facilitate fast reroute
JP3932994B2 (en) * 2002-06-25 2007-06-20 株式会社日立製作所 Server handover system and method
PL203170B1 (en) * 2002-07-01 2009-09-30 Advanced Digital Broadcast Ltd System designed to detect actuation of microprocessor operation monitoring internal system and method of zeroing microprocessor system equipped with a system detecting actuation of internal monitoring system
US7548971B2 (en) 2002-08-12 2009-06-16 Hewlett-Packard Development Company, L.P. System and method for managing the operating frequency of blades in a bladed-system
US6970054B2 (en) * 2002-10-02 2005-11-29 Hewlett-Packard Development Company, L.P. Apparatus for terminating transmission lines to reduce electromagnetic interference in an electronic system
US7739485B2 (en) 2002-10-11 2010-06-15 Hewlett-Packard Development Company, L.P. Cached field replaceable unit EEPROM data
US7752294B2 (en) * 2002-10-28 2010-07-06 Netapp, Inc. Method and system for dynamic expansion and contraction of nodes in a storage area network
US20040117522A1 (en) * 2002-12-11 2004-06-17 Dell Products L.P. System and method for addressing protocol translation in a storage environment
JP2004220216A (en) * 2003-01-14 2004-08-05 Hitachi Ltd San/nas integrated storage device
JP2004234558A (en) * 2003-01-31 2004-08-19 Hitachi Ltd Storage device controller and program
US20040168008A1 (en) 2003-02-18 2004-08-26 Hewlett-Packard Development Company, L.P. High speed multiple ported bus interface port state identification system
US7236987B1 (en) * 2003-02-28 2007-06-26 Sun Microsystems Inc. Systems and methods for providing a storage virtualization environment
US7290168B1 (en) * 2003-02-28 2007-10-30 Sun Microsystems, Inc. Systems and methods for providing a multi-path network switch system
US7134046B2 (en) 2003-03-19 2006-11-07 Lucent Technologies Inc. Method and apparatus for high availability distributed processing across independent networked computer fault groups
US7565566B2 (en) * 2003-04-23 2009-07-21 Dot Hill Systems Corporation Network storage appliance with an integrated switch
US7320083B2 (en) * 2003-04-23 2008-01-15 Dot Hill Systems Corporation Apparatus and method for storage controller to deterministically kill one of redundant servers integrated within the storage controller chassis
US7251745B2 (en) 2003-06-11 2007-07-31 Availigent, Inc. Transparent TCP connection failover
US7475134B2 (en) * 2003-10-14 2009-01-06 International Business Machines Corporation Remote activity monitoring
US7225356B2 (en) * 2003-11-06 2007-05-29 Siemens Medical Solutions Health Services Corporation System for managing operational failure occurrences in processing devices
US7246256B2 (en) * 2004-01-20 2007-07-17 International Business Machines Corporation Managing failover of J2EE compliant middleware in a high availability system
US7249277B2 (en) * 2004-03-11 2007-07-24 Hitachi, Ltd. Disk array including plural exchangeable magnetic disk unit
US7137042B2 (en) * 2004-03-17 2006-11-14 Hitachi, Ltd. Heartbeat apparatus via remote mirroring link on multi-site and method of using same
JP2005301442A (en) * 2004-04-07 2005-10-27 Hitachi Ltd Storage device

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6609213B1 (en) * 2000-08-10 2003-08-19 Dell Products, L.P. Cluster-based system and method of recovery from server failures
WO2002101573A2 (en) * 2001-06-13 2002-12-19 Intel Corporation Modular server architecture
US20030018927A1 (en) * 2001-07-23 2003-01-23 Gadir Omar M.A. High-availability cluster virtual server system
US20040111559A1 (en) * 2002-12-10 2004-06-10 Thomas Heil Apparatus and method for sharing boot volume among server blades

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
J. REGULA: "Using PCI Express and Non-transparent Bridging in Blade Servers" BLADE LETTER, [Online] March 2004 (2004-03), page 12, XP002374828 Retrieved from the Internet: URL:http://www.bladesystems.org/elearning_ center/publications/BladeLetter_Q104.pdf> [retrieved on 2006-03-29] *
T. OKANO: "Future Trends of BladeServer: Virtualization and Optimization" NEC JOURNAL OF ADVANCED TECHNOLOGY, [Online] vol. 1, no. 2, 20 June 2004 (2004-06-20), pages 119-124, XP002374827 Retrieved from the Internet: URL:http://www.nec.co.jp/techrep/en/r_and_ d/a04/a04-no2/a119.pdf> [retrieved on 2006-03-27] *

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2008115625A2 (en) * 2007-03-16 2008-09-25 Dot Hill Systems Corporation Method and apparatus for operating storage controller system in elevated temperature environment
WO2008115625A3 (en) * 2007-03-16 2009-06-18 Dot Hill Systems Corp Method and apparatus for operating storage controller system in elevated temperature environment
US7861113B2 (en) 2007-03-16 2010-12-28 Dot Hill Systems Corporation Method and apparatus for operating storage controller system in elevated temperature environment
GB2499822A (en) * 2012-02-29 2013-09-04 Metaswitch Networks Ltd Failover processing using different physical paths
US9047250B2 (en) 2012-02-29 2015-06-02 Metaswitch Networks Ltd Failover processing
GB2499822B (en) * 2012-02-29 2020-01-08 Metaswitch Networks Ltd Failover processing

Also Published As

Publication number Publication date
WO2006019744A3 (en) 2006-09-14
US7627780B2 (en) 2009-12-01
US20050207105A1 (en) 2005-09-22

Similar Documents

Publication Publication Date Title
US7401254B2 (en) Apparatus and method for a server deterministically killing a redundant server integrated within the same network storage appliance chassis
US7380163B2 (en) Apparatus and method for deterministically performing active-active failover of redundant servers in response to a heartbeat link failure
US7627780B2 (en) Apparatus and method for deterministically performing active-active failover of redundant servers in a network storage appliance
US7565566B2 (en) Network storage appliance with an integrated switch
US7941693B2 (en) Disk array apparatus and method for controlling the same
EP0769744B1 (en) System and method for sharing multiple storage arrays by multiple host computer systems
US7028218B2 (en) Redundant multi-processor and logical processor configuration for a file server
US8074105B2 (en) High data availability SAS-based RAID system
US20030074599A1 (en) System and method for providing automatic data restoration after a storage device failure
US7574630B1 (en) Method and system for reliable access of expander state information in highly available storage devices
US20050149637A1 (en) Methods of restoring operation of serial ATA storage devices

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A2

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KM KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NG NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SM SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A2

Designated state(s): GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LT LU LV MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

NENP Non-entry into the national phase

Ref country code: DE

121 Ep: the epo has been informed by wipo that ep was designated in this application
122 Ep: pct application non-entry in european phase