Shared device access protection

Electrical computers and digital processing systems: memory – Storage accessing and control – Shared memory area

Reexamination Certificate


Details

C711S152000, C711S158000

active

06253294

ABSTRACT:

TECHNICAL FIELD
This invention relates to data storage devices which do not commonly employ command chains with embedded orientation, such as tape data storage devices, and, more particularly, in an environment where a device is shared between multiple communication paths, to the protection of data recorded on such devices from being overwritten.
BACKGROUND OF THE INVENTION
Devices that do not require self-orienting command chains comprise those devices whose media are not continually moving, and which typically come to a stop after completion of a read or a write operation. Self-orienting devices are those whose orientation is constantly changing, as in constantly rotating magnetic disk drives, and which require continuing sets of identifiers, such as the track, sector, etc., identifiers. Examples of devices which are not self-orienting include magnetic tape drives and optical tape drives.
For non-self-orienting devices, the assumption is made that, following each read or write command, the device is logically positioned to access the next record. This assumption is correct if the device is coupled to a single host, or to a single host at a time. Additionally, such devices typically employ removable media. Commonly, the host software verifies that the correct media is loaded by rewinding the media to read the volume identifier at the BOT (Beginning of Tape) and optionally rewinds again to the BOT. Thus, in every instance, a single host is aware of the location of the data storage media in the drive.
Typically, a static device configuration process is employed for every control program for each I/O subsystem. The configuration process defines what devices are associated with specific I/O channels or communication paths. These devices are assigned at I/O configuration generation or hardware configuration definition, and may not all be present at any one time. For example, a device may be temporarily off-line for updating or servicing.
No device may be permanently assigned to any one host or its communication path since to do so would detract from the I/O subsystem availability, for example, by leaving one device idle when not needed by one host, while another host is using its available device and requires the use of another. Thus, the typical I/O configuration couples each host to as many of the data storage devices as possible.
A difficulty arises when the device is shared between multiple hosts coupled to the device controller over multiple communication paths. Should one device controller complete a command for one host, and then a command from a different host causes movement of the media on the device (such as to read the volume identifier), the first host, in most cases, is unaware of the movement of the media and may continue with write operations, for example, at the present position of the tape, which is different from the position where the first host left it. The first host is thus likely to overwrite any data at the actual present logical position of the media. Because the location that was overwritten is unknown to the host, the data that was overwritten is also unknown, and may be irretrievable from any other source.
As the result, protocols have been developed to attempt to assure that only one host can move the media at one time, thus providing a one-host-at-a-time environment. Such protocols include changing the active host assignments by means of dynamic device partitioning. In systems of the IBM System 390 type, the host/device assignment mechanism is called “VARY ONLINE”. The protection against override may be at the hardware level, using the “ASSIGN” and “UNASSIGN” process for IBM System 390, and for SCSI systems, “RESERVE and RELEASE”. In one example (Job Entry Subsystem 2), the sharing of devices is through a simple “VARY”, and the protection is managed through the assign process at the hardware level, requiring operator host console intervention. However, a risk is that a sloppy operator can inadvertently override the protection. In another example (JES 3 or MULTI-IMAGE MANAGER of COMPUTER ASSOCIATES), the protection is at the software level through coordination between the hosts via a common communication mechanism (shared disk or other common link). However a software failure or certain operator failures have been found to result in inadvertent overwrite.
An example of an operator failure may result from use of default passwords to bypass hardware protections. Another system, not part of the coordinating hosts in the first system, may physically share the device, and both systems may use the same default password. Thus, the device may be accessed from hosts of any system using the same password. The first host assumes (since it has not released control) that there is no other host issuing commands causing media motion in the interim. As an example, the first host may fill much of the tape during an archiving process and wait for additional data, the second host may then do a volume verification to check for the location of a particular tape by rewinding to the beginning of tape (BOT), then the first host continues the archiving process, inadvertently overwriting the previously archived information.
Since a primary usage of tape data storage devices is to archive information, the original information is typically not saved in any form. Thus, if the archive information is overwritten, it is often not retrievable from any other source and is lost forever.
However, prevention of sharing of the devices or a significant reduction of the performance of the hosts or systems sharing the devices are alternatives unacceptable to most users.
Additionally, prior or subsequent to an actual job, multiple hosts must be able to move the tape to read the label without hindrance.
SUMMARY OF THE INVENTION
An object of the present invention is to provide a more assured overwrite protection of shared devices without requiring any host software changes (neither control programs nor applications).
Another object of the present invention is to provide the protection without a significant reduction in the performance of the hosts or systems sharing the devices.
Disclosed are a method, a system, and a computer program product (subsystem firmware) for protecting data of a shared access data storage system from being overwritten, where the data storage system comprises a device shared by at least two communication paths.
The method comprises the steps of:
accepting non-write commands from any of the communication paths;
upon receipt of a write command from one of the communication paths, setting a protection indicator for the device for the one communication path for the device receiving the command;
accepting all commands from the one communication path having the protection indicator; and
accepting non-motion commands and rejecting any motion command from any communication path not having the protection indicator. Upon receipt of a command or action that causes media removal from any of the communication paths, the protection indicator is canceled.
In one embodiment of the invention, the step of setting a protection indicator for the addressed device for the one communication path comprises setting a “prime protected attribute” in an attribute table relating the devices to the “prime protected attributes”, the “prime protected attribute” identifying the one communication path for the addressed device. The steps of accepting all commands and of accepting and rejecting commands additionally comprise consulting the attribute table to determine the one communication path for the addressed device.
Where the device comprises a tape drive for reading and writing on a data storage tape media, the non-write commands comprise any command other than one which directs the device to write records on the tape media, and the non-motion commands exclude commands which cause the device to reposition the tape media, the excluded commands including commands to write and to read any information on the tape media.
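The steps above describe a small per-device state machine held in the controller: the first write from a path claims the device for that path, non-owners may still issue non-motion commands but have their motion commands rejected, and media removal clears the claim. The following simulation is an added example written for this page, not the patent's firmware: the command classification, the attribute-table layout (a dictionary from device name to owning path), the path names and the `enforce` switch are assumptions made here. It replays the archiving scenario from the background section twice, once with no protection (the prior-art behaviour) and once with the prime protected attribute enforced, so the overwrite and its prevention can both be observed.

```python
from dataclasses import dataclass, field
from enum import Enum, auto


class Cmd(Enum):
    WRITE = auto()    # write records: media motion, sets the protection indicator
    READ = auto()     # media motion, non-write
    REWIND = auto()   # media motion, non-write (e.g. rewind to BOT to read the volume label)
    SPACE = auto()    # media motion, non-write (skip forward one record)
    SENSE = auto()    # non-motion: status/sense data
    INQUIRY = auto()  # non-motion: device identification
    UNLOAD = auto()   # causes media removal: cancels the protection indicator


# Assumed classification of commands for this example.
MOTION_CMDS = {Cmd.WRITE, Cmd.READ, Cmd.REWIND, Cmd.SPACE}
WRITE_CMDS = {Cmd.WRITE}
REMOVAL_CMDS = {Cmd.UNLOAD}


@dataclass
class TapeDevice:
    name: str
    position: int = 0                       # logical record position on the tape
    records: list = field(default_factory=list)


class SharedDeviceController:
    """Controller shared by several communication paths (hosts).

    `prime_protected` is the attribute table: device name -> path holding the
    prime protected attribute, or None while the device is unprotected.
    `enforce=False` models a controller with no such protection (prior-art case).
    """

    def __init__(self, devices, enforce=True):
        self.devices = {d.name: d for d in devices}
        self.prime_protected = {d.name: None for d in devices}
        self.enforce = enforce
        self.write_seq = 0  # makes each written record identifiable in the simulation

    def dispatch(self, path, device_name, cmd):
        """Apply the policy to one command from `path`; return (accepted, reason)."""
        dev = self.devices[device_name]
        owner = self.prime_protected[device_name]

        if cmd in REMOVAL_CMDS:
            # Media removal from any path cancels the indicator for that device.
            self.prime_protected[device_name] = None
            dev.position = 0
            return True, "media removed, protection cancelled"

        if self.enforce and owner is not None and owner != path and cmd in MOTION_CMDS:
            # A non-owner may not move the media; its non-motion commands fall through.
            return False, f"{cmd.name} from {path} rejected: {device_name} protected for {owner}"

        if cmd in WRITE_CMDS and owner is None:
            # The first write from any path claims the device for that path.
            self.prime_protected[device_name] = path

        self._execute(dev, path, cmd)
        return True, "accepted"

    def _execute(self, dev, path, cmd):
        if cmd == Cmd.WRITE:
            self.write_seq += 1
            # Simplified tape semantics: a write at a position makes every record
            # beyond it unreadable, so the simulation truncates and appends.
            dev.records = dev.records[:dev.position] + [f"{path}:w{self.write_seq}"]
            dev.position += 1
        elif cmd in (Cmd.READ, Cmd.SPACE):
            dev.position = min(dev.position + 1, len(dev.records))
        elif cmd == Cmd.REWIND:
            dev.position = 0
        # SENSE and INQUIRY cause no media motion.


def run_scenario(enforce):
    """Replay the background section's scenario on a constructed command sequence.

    Host A archives two records and pauses; host B rewinds to verify the volume
    label; host A resumes writing. Returns (records left on tape, per-command log).
    """
    ctl = SharedDeviceController([TapeDevice("tape0")], enforce=enforce)
    steps = [
        ("hostA", Cmd.WRITE), ("hostA", Cmd.WRITE),
        ("hostB", Cmd.REWIND),   # motion from a non-owner
        ("hostB", Cmd.SENSE),    # non-motion from a non-owner: always accepted
        ("hostA", Cmd.WRITE),    # host A resumes where it believes the tape still is
        ("hostA", Cmd.UNLOAD),   # media removal cancels the indicator...
        ("hostB", Cmd.REWIND),   # ...after which any path may move the media again
    ]
    log = [(path, cmd.name, ctl.dispatch(path, "tape0", cmd)[0]) for path, cmd in steps]
    return ctl.devices["tape0"].records, log


if __name__ == "__main__":
    for enforce in (False, True):
        records, log = run_scenario(enforce)
        print(f"enforce={enforce}: records on tape = {records}")
        for entry in log:
            print("   ", entry)
```

Without enforcement the tape ends up holding only host A's third record: host B's rewind silently moved the media, and host A's resumed write landed at BOT and destroyed the two archived records. With enforcement host B's rewind is rejected while its sense command still succeeds, the three records survive, and the unload clears the attribute so that host B's later rewind is accepted. Note what the mechanism does and does not provide: it serialises media motion per device at the controller, but it does not authenticate paths, and the claim is dropped the moment any path unloads the media.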
In another aspect of the present invention, certain of


Profile ID: LFUS-PAI-O-2448197
