Method and apparatus for migrating resources in a multi-processor computer system

Abstract

Multiple instances of operating systems execute cooperatively in a single multi-processor computer wherein a single physical machine is subdivided by software into multiple partitions, each with the ability to run a distinct copy, or instance, of an operating system. Each individual instance has the resources it needs to execute independently, but instances cooperate to migrate resources from one partition to another. The migration can be initiated and carried out under control of the operating system instances "on the fly" without intervention of the system administrator. Alternatively, a system administrator can reconfigure the system. Resource migration is carried out under a "push" model in which resources are controlled by an owning partition and must be released by that partition before they can be migrated to another partition. In accordance with this model, a first operating system instance which requires a resource must first request the resource from a second instance. In response to this request, the second instance determines whether it can spare the resource, and if so, begins to bring the resource into an idle state. The resource is actually transferred when the second instance stops using the resource.

Claims

What is claimed is:

1. A computer system having a plurality of assignable system resources, including processors, memory and I/O circuitry, the computer system comprising:

an interconnection mechanism for electrically interconnecting the processors, the memory and the I/O circuitry so that each processor has electrical access to all of the memory and at least some of the I/O circuitry;

a software mechanism for assigning the assignable system resources to a plurality of partitions, each partition including at least one processor, a portion of the memory and a portion of the I/O circuitry;

an operating system instance running in each partition; and

a migration mechanism for migrating one or more of the assignable system resources from one partition to another partition.

2. A computer system according to claim 1, wherein the migration mechanism comprises a runtime migration mechanism for moving the one or more of the assignable system resources during system operation without a reboot of the entire system.

3. A computer system according to claim 1, wherein the one or more of the assignable system resources includes a first processor, wherein the migration mechanism comprises a first communication mechanism which communicates with an operating system instance in a partition from which the first processor is being moved to cause the operating system instance to quiesce the first processor.

4. A computer system according to claim 3, wherein an operating system instance in a partition from which the first processor is being moved must acquiesce to the move before the first processor can be removed.

5. A computer system according to claim 1 wherein the software mechanism for assigning system resources comprises a first data storage for maintaining configuration information indicating which of the plurality of processors is assigned to each partition.

6. A computer system according to claim 5, wherein the software mechanism for assigning resources comprises a mechanism for modifying the configuration information to change an assignment of assignable system resources from one partition to another partition.

7. A computer system according to claim 1, wherein the one or more of the assignable system resources includes a second processor, wherein the migration mechanism comprises a second communication mechanism which communicates with an operating system instance in a partition to which the second processor is being moved to cause the operating system instance to begin using the second processor.

8. A computer system according to claim 1, wherein the one or more of the assignable system resources includes a first region of the memory, wherein the migration mechanism comprises a third communication mechanism which communicates with an operating system instance in a partition from which the first region of the memory is being moved to cause the operating system instance to unload the first region of the memory.

9. A computer system according to claim 1, wherein the one or more of the assignable system resources includes a second region of the memory, wherein the migration mechanism comprises a fourth communication mechanism which communicates with a plurality of operating system instances which share the second region of the memory to be moved to cause the plurality of the operating system instances to cooperatively unload the second region of the memory.

10. A computer system according to claim 9, wherein the migration mechanism comprises a console controlled by one program of the plurality of operating system instances which share the second region of the memory to move the second region of the memory from the one partition to the other partition.

11. A computer system according to claim 1, wherein the software mechanism for assigning resources comprises a second data storage which maintains configuration information indicating which portions of the memory are assigned to each partition.

12. A computer system according to claim 1, wherein the one or more of the assignable system resources includes a third region of the memory, wherein the migration mechanism comprises a fifth communication mechanism which communicates with an operating system instance in a partition to which the third region of the memory is being moved to cause the operating system instance to begin filling the third region of the memory.

13. A computer system according to claim 1, wherein the plurality of processors is physically divided into partitions and wherein each respective partition comprises a console program which interacts with the processors in the respective partition.

14. A computer system according to claim 13, wherein the software mechanism for assigning resources comprises a console program which maintains configuration information indicating which of the plurality of processors, which portions of the memory, and which portions of the I/O circuitry are assigned to each partition.

15. A method for changing a configuration of a computer system, the method comprising the steps of:

(a) electrically interconnecting a plurality of assignable system resources, including processors, memory and I/O circuitry, so that each processor has electrical access to all of the memory and at least some of the I/O circuitry;

(b) assigning the assignable system resources to a plurality of partitions, each partition including at least one processor, a portion of the memory, and a portion of the I/O circuitry;

(c) running an operating system instance in each partition; and

(d) changing the configuration by migrating one or more of the assignable system resources from one partition to another partition.

16. A method according to claim 15, wherein step (d) comprises the step of:

(d1) moving one or more of the assignable system resources from one partition to another partition during system operation without a reboot of the entire system.

17. A method according to claim 15 wherein step (d) comprises the step of:

(d2) communicating with an operating system instance in a partition from which a processor is being moved to cause the operating system instance to quiesce the processor.

18. A method according to claim 17, wherein step (d2) comprises the step of:

(d2a) requiring an operating system instance in the partition from which the processor is being moved to acquiesce to the move before the processor can be removed from the partition.

19. A method according to claim 15 wherein step (b) comprise the step of:

(b1) maintaining, in a first data storage, configuration information indicating which of the plurality of processors is assigned to each partition.

20. A method according to claim 19, wherein step (b) comprises the step of:

(b2) modifying the configuration information to change an assignment of one or more of the assignable system resources from one partition to another partition.

21. A method according to claim 15 wherein step (d) comprises the step of:

(d3) communicating with an operating system instance in a partition to which a processor is being moved to cause the operating system instance to begin using the processor.

22. A method according to claim 15, wherein step (d) comprises the step of:

(d4) communicating with an operating system instance in a partition from which a region of the memory is being moved to cause the operating system instance to unload the region of the memory.

23. A method according to claim 15, wherein step (d) comprises the step of:

(d5) communicating with a plurality of operating system instances which share a region of the memory to be moved to cause the plurality of operating system instances to cooperatively unload the region of the memory to be moved.

24. A method according to claim 23, wherein step (d5) comprises the step of:

(d5a) controlling a console program with one of the plurality of operating system instances to move the region of the memory from the one partition to the other partition.

25. A method according to claim 15, wherein step (b) comprises the step of:

(b3) maintaining, in a second data storage, configuration information indicating which portions of the memory are assigned to each partition.

26. A method according to claim 15, wherein step (d) comprises the step of:

(d6) communicating with an operating system instance in a partition to which a region of the memory is being moved to cause the operating system instance to begin filling the region of the memory.

27. A method according to claim 15 wherein the plurality of processors is physically divided into partitions and wherein the method further comprises the step of:

(e) providing each partition with a console program which interacts with the processors in the partition.

28. A method according to claim 27 wherein step (e) comprises the step of:

(e1) providing a console program which maintains configuration information indicating which of the plurality of processors, which memory portions and which I/O circuitry are assigned to each partition.

29. A computer program product for changing a configuration of a computer system having a plurality of assignable system resources, including processors, memory and I/O circuitry, in which the processors, memory, and I/O circuitry are electrically interconnected so that each processor has electrical access to all of the memory and at least some of the I/O circuitry, the computer program product comprising a computer usable medium having computer readable program code thereon, comprising:

(a) program code which assigns the assignable system resources to a plurality of partitions, each partition including at least one processor, a portion of the memory, and a portion of the I/O circuitry;

(b) operating system code for creating an operating system instance running in each partition; and

(c) program code which changes the configuration by migrating one or more of the assignable system resources from one partition to another partition.

30. A computer program product according to claim 29, wherein the program code which changes the configuration comprises program code which moves one or more of the assignable system resources from one partition to another partition during system operation without a reboot of the entire system.

31. A computer program product according to claim 29 wherein the program code which changes the configuration comprises program code which communicates with an operating system instance in a partition from which a processor is being moved to cause the operating system instance to quiesce the processor.

32. A computer product according to claim 31, wherein the program code which communicates with an operating system instance comprises program code which requires the operating system instance in the partition from which the processor is being moved to acquiesce to the move before the processor can be removed.

33. A computer program product according to claim 29 wherein the program code which assigns the system resources comprises program code which maintains, in a first data storage, configuration information indicating which of the plurality of processors is assigned to each partition.

34. A computer program product according to claim 33, wherein the program code which assigns the system resources comprises program code which modifies the configuration information to change the assignment of one or more of the assignable system resources from one partition to another partition.

35. A computer program product according to claim 29 wherein the program code which changes the configuration comprises program code which communicates with an operating system instance in a partition to which a processor is being moved to cause the operating system instance to begin using the processor.

36. A computer program product according to claim 29, wherein the program code which changes the configuration comprises program code which communicates with an operating system instance in a partition from which a region of the memory is being moved to cause the operating system instance to unload the region of the memory being moved.

37. A computer program product according to claim 29, wherein the program code which changes the configuration comprises program code which communicates with a plurality of operating system instances which share a region of the memory to be moved to cause the plurality of operating system instances to cooperatively unload the region of the memory to be moved.

38. A computer program product according to claim 37, wherein the program code which communicates with a plurality of operating system instances comprises program code in one of the plurality of operating system instances which controls a console program to move the region of the memory from the one partition to the other partition.

39. A computer program product according to claim 29, wherein the program code which assigns the system resources comprises program code which maintains, in a second data storage, configuration information indicating which portions of the memory are assigned to each partition.

40. A computer program product according to claim 29, wherein the program code which changes the configuration comprises program code which communicates with an operating system instance in a partition to which a region of the memory is being moved to cause the operating system instance to begin filling the region of the memory.

41. A computer program product according to claim 29 wherein the plurality of processors is physically divided into partitions and wherein the computer program product further comprises console program code which interacts with the processors in the partition.

42. A computer program product according to claim 41, wherein the console program code comprises console program code which maintains configuration information indicating which of the plurality of processors, which portions of the memory and which portions of the I/O circuitry are assigned to each partition.

Description

FIELD OF THE INVENTION

This invention relates to multiprocessor computer architectures in which processors and other computer hardware resources are grouped in partitions, each of which has an operating system instance and, more specifically, to methods and apparatus for migrating computer hardware resources from one partition to another without rebooting the computer system.

BACKGROUND OF THE INVENTION

The efficient operation of many applications in present computing environments depend upon fast, powerful and flexible computing systems. The configuration and design of such systems has become very complicated when such systems are to be used in an "enterprise" commercial environment where there may be many separate departments, many different problem types and continually changing computing needs. Users in such environments generally want to be able to quickly and easily change the capacity of the system, its speed and its configuration. They may also want to expand the system work capacity and change configurations to achieve better utilization of resources without stopping execution of application programs on the system. In addition they may want be able to configure the system in order to maximize resource availability so that each application will have an optimum computing configuration.

Traditionally, computing speed has been addressed by using a "shared nothing" computing architecture where data, business logic, and graphic user interfaces are distinct tiers and have specific computing resources dedicated to each tier. Initially, a single central processing unit was used and the power and speed of such a computing system was increased by increasing the clock rate of the single central processing unit. More recently, computing systems have been developed which use several processors working as a team instead one massive processor working alone. In this manner, a complex application can be distributed among many processors instead of waiting to be executed by a single processor. Such systems typically consist of several central processing units (CPUs) which are controlled by a single operating system. In a variant of a multiple processor system called "symmetric multiprocessing" or SMP, the applications are distributed equally across all processors. The processors also share memory. In another variant called "asymmetric multiprocessing" or AMP, one processor acts as a "master" and all of the other processors act as "slaves." Therefore, all operations, including the operating system, must pass through the master before being passed onto the slave processors. These multiprocessing architectures have the advantage that performance can be increased by adding additional processors, but suffer from the disadvantage that the software running on such systems must be carefully written to take advantage of the multiple processors and it is difficult to scale the software as the number of processors increases. Current commercial workloads do not scale well beyond 8-24 CPUs as a single SMP system, the exact number depending upon platform, operating system and application mix.

For increased performance, another typical answer has been to dedicate computer resources (machines) to an application in order to optimally tune the machine resources to the application. However, this approach has not been adopted by the majority of users because most sites have many applications and separate databases developed by different vendors. Therefore, it is difficult, and expensive, to dedicate resources among all of the applications especially in environments where the application mix is constantly changing. Further, with dedicated resources, it is essentially impossible to quickly and easily migrate resources from one computer system to another, especially if different vendors are involved. Even if such a migration can be performed, it typically involves the intervention of a system administrator and requires at least some of the computer systems to be powered down and rebooted.

Alternatively, a computing system can be partitioned with hardware to make a subset of the resources on a computer available to a specific application. This approach avoids dedicating the resources permanently since the partitions can be changed, but still leaves issues concerning performance improvements by means of load balancing of resources among partitions and resource availability.

The availability and maintainability issues were addressed by a "shared everything" model in which a large centralized robust server that contains most of the resources is networked with and services many small, uncomplicated client network computers. Alternatively, "clusters" are used in which each system or "node" has its own memory and is controlled by its own operating system. The systems interact by sharing disks and passing messages among themselves via some type of communication network. A cluster system has the advantage that additional systems can easily be added to a cluster. However, networks and clusters suffer from a lack of shared memory and from limited interconnect bandwidth which places limitations on performance.

In many enterprise computing environments, it is clear that the two separate computing models must be simultaneously accommodated and each model optimized. Further, it is highly desirable to be able to modify computer configurations "on the fly" without rebooting any of the systems. Several prior art approaches have been used to attempt this accommodation. For example, a design called a "virtual machine" or VM developed and marketed by International Business Machines Corporation, Armonk, N.Y., uses a single physical machine, with one or more physical processors, in combination with software which simulates multiple virtual machines. Each of those virtual machines has, in principle, access to all the physical resources of the underlying real computer. The assignment of resources to each virtual machine is controlled by a program called a "hypervisor". There is only one hypervisor in the system and it is responsible for all the physical resources. Consequently, the hypervisor, not the other operating systems, deals with the allocation of physical hardware. The hypervisor intercepts requests for resources from the other operating systems and deals with the requests in a globally-correct way.

The VM architecture supports the concept of a "logical partition" or LPAR. Each LPAR contains some of the available physical CPUs and resources which are logically assigned to the partition. The same resources can be assigned to more than one partition. LPARs are set up by an administrator statically, but can respond to changes in load dynamically, and without rebooting, in several ways. For example, if two logical partitions, each containing ten CPUs, are shared on a physical system containing ten physical CPUs, and, if the logical ten CPU partitions have complementary peak loads, each partition can take over the entire physical ten CPU system as the workload shifts without a re-boot or operator intervention.

In addition, the CPUs logically assigned to each partition can be turned "on" and "off" dynamically via normal operating system operator commands without re-boot. The only limitation is that the number of CPUs active at system initialization is the maximum number of CPUs that can be turned "on" in any partition.

Finally, in cases where the aggregate workload demand of all partitions is more than can be delivered by the physical system, LPAR "weights" can be used to define the portion of the total CPU resources which is given to each partition. These weights can be changed by system administrators, on-the-fly, with no disruption.

Another prior art system is called a "Parallel Sysplex" and is also marketed and developed by the International Business Machines Corporation. This architecture consists of a set of computers that are clustered via a hardware entity called a "coupling facility" attached to each CPU. The coupling facilities on each node are connected, via a fiber-optic link, and each node operates as a traditional SMP machine, with a maximum of 10 CPUs. Certain CPU instructions directly invoke the coupling facility. For example, a node registers a data structure with the coupling facility, then the coupling facility takes care of keeping the data structures coherent within the local memory of each node.

The Enterprise 10000 Unix server developed and marketed by Sun Microsystems, Mountain View, Calif., uses a partitioning arrangement called "Dynamic System Domains" to logically divide the resources of a single physical server into multiple partitions, or domains, each of which operates as a stand-alone server.

Each of the partitions has CPUs, memory and I/O hardware. Dynamic reconfiguration allows a system administrator to create, resize, or delete domains "on the fly" and without rebooting. Every domain remains logically isolated from any other domain in the system, isolating it completely from any software error or CPU, memory, or I/O error generated by any other domain. There is no sharing of resources between any of the domains.

The Hive Project conducted at Stanford University uses an architecture which is structured as a set of cells. When the system boots, each cell is assigned a range of nodes, each having memory and I/O devices, that the cell owns throughout execution. Each cell manages the processors, memory and I/O devices on those nodes as if it were an independent operating system. The cells cooperate to present the illusion of a single system to user-level processes.

Hive cells are not responsible for deciding how to divide their resources between local and remote requests. Each cell is responsible only for maintaining its internal resources and for optimizing performance within the resources it has been allocated. Global resource allocation is carried out by a user-level process called "wax." The Hive system attempts to prevent data corruption by using certain fault containment boundaries between the cells. In order to implement the tight sharing expected from a multiprocessor system, despite the fault containment boundaries between cells, resource sharing is implemented through the cooperation of the various cell kernels, but the policy is implemented outside the kernels in the wax process. Both memory and processors can be shared.

A system called "Cellular IRIX" developed and marketed by Silicon Graphics Inc. Mountain View, Calif., supports modular computing by extending traditional symmetric multiprocessing systems. The Cellular IRIX architecture distributes global kernel text and data into optimized SMP-sized chunks or "cells". Cells represent a control domain consisting of one or more machine modules, where each module consists of processors, memory, and I/O. Applications running on these cells rely extensively on a full set of local operating system services, including local copies of operating system text and kernel data structures, bit only one instance of the operating system exists on the entire system. Inter-cell coordination allows application images to directly and transparently utilize processing, memory and I/O resources from other cells without incurring the overhead of data copies or extra context switches.

Another existing architecture called NUMA-Q developed and marketed by Sequent Computer Systems, Inc., Beaverton, Oreg. uses "quads", or a group of four processors per portion of memory, as the basic building block for NUMA-Q SMP nodes. Adding I/O to each quad further improves performance. Therefore, the NUMA-Q architecture not only distributes physical memory but puts a predetermined number of processors and PCI slots next to each processor. The memory in each quad is not local memory in the traditional sense. Rather, it is a portion of the physical memory address space and has a specific address range. The address map is divided evenly over memory, with each quad containing a contiguous portion of address space. Only one copy of the operating system is running and, as in any SMP system, it resides in memory and runs processes without distinction and simultaneously on one or more processors.

Accordingly, while many attempts have been made at providing a flexible computer system having mechanisms for reconfiguring the system "on the fly" without rebooting, existing systems each have significant shortcomings. Therefore, it would be desirable to have a new computer system design which provides improved flexibility, and resource migration capabilities. Further, it would be desirable to have a new computer system design which permits dynamic reconfiguration under control of the operating systems running on the system and without system administrator intervention.

SUMMARY OF THE INVENTION

In accordance with the principles of the present invention, multiple instances of operating systems execute cooperatively in a single multiprocessor computer wherein a single physical machine is subdivided by software into multiple partitions, each with the ability to run a distinct copy, or instance, of an operating system. Each individual instance has the resources it needs to execute independently, but instances cooperate to migrate resources from one partition to another. In accordance with the principles of the invention, the migration can be initiated and carried out under control of the operating system instances "on the fly" without intervention of the system administrator. Alternatively, a system administrator can reconfigure the system.

In accordance with one embodiment, resource migration is carried out under a "push" model in which resources are controlled by an owning partition and must be released by that partition before they can be migrated to another partition. In accordance with this model, a first operating system instance which requires a resource first requests the resource from a second instance. In response to this request, the second instance determines whether it can spare the resource, and if so, begins to bring the resource into an idle state. The resource is transferred when the second instance stops using the resource. Also, in accordance with the "push" model, the request for the resource migration may be initiated from an operator running a program on the second instance or from policy management software which initiates the request.

BRIEF DESCRIPTION OF THE DRAWINGS

The above and further advantages of the invention may be better understood by referring to the following description in conjunction with the accompanying drawings and which:

FIG. 1 is a schematic block diagram of a hardware platform illustrating several system building blocks.

FIG. 2 is a schematic diagram of an APMP computer system constructed in accordance with the principles of the present invention illustrating several partitions.

FIG. 3 is a schematic diagram of a configuration tree which represents hardware resource configurations and software configurations and their component parts with child and sibling pointers.

FIG. 4 is a schematic diagram of the configuration tree shown in FIG. 3 and rearranged to illustrate the assignment of hardware to software instances by ownership pointers.

FIG. 5 is a flowchart outlining steps in an illustrative routine for creating an APMP computer system in accordance with the principles of the present invention.

FIG. 6 is a flowchart illustrating the steps in an illustrative routine for creating entries in an APMP system management database which maintains information concerning the APMP system and its configuration.

FIG. 7 forms a flowchart illustrating in detail the steps in an illustrative routine for creating an APMP computer system in accordance with the principles of the present invention.

FIG. 8 forms a flowchart illustrating the steps in an illustrative routine followed by an operating system instance to join an APMP computer system which is already created.

FIG. 9 is a flowchart generally illustrating the steps for migrating a resource from one partition to another.

FIGS. 10A-10E are block schematic illustrations which graphically depict the steps for migrating a resource from one partition to another.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT

A computer platform constructed in accordance with the principles of the present invention is a multi-processor system capable of being partitioned to allow the concurrent execution of multiple instances of operating system software. The system does not require hardware support for the partitioning of its memory, CPUs and I/O subsystems, but some hardware may be used to provide additional hardware assistance for isolating faults, and minimizing the cost of software engineering. The following specification describes the interfaces and data structures required to support the inventive software architecture. The interfaces and data structures described are not meant to imply a specific operating system must be used, or that only a single type of operating system will execute concurrently. Any operating system which implements the software requirements discussed below can participate in the inventive system operation.

System Building Blocks

The inventive software architecture operates on a hardware platform which incorporates multiple CPUs, memory and I/O hardware. Preferably, a modular architecture such as that shown in FIG. 1 is used, although those skilled in the art will understand that other architectures can also be used, which architectures need not be modular. FIG. 1 illustrates a computing system constructed of four basic system building blocks (SBBs) 100-106. In the illustrative embodiment, each building block, such as block 100, is identical and comprises several CPUs 108-114, several memory slots (illustrated collectively as memory 120), an I/O processor 118, and a port 116 which contains a switch (not shown) that can connect the system to another such system. However, in other embodiments, the building blocks need not be identical. Large multiprocessor systems can be constructed by connecting the desired number of system building blocks by means of their ports. Switch technology, rather than bus technology, is employed to connect building block components in order to both achieve the improved bandwidth and to allow for non-uniform memory architectures (NUMA).

In accordance with the principles of the invention, the hardware switches are arranged so that each CPU can address all available memory and I/O ports regardless of the number of building blocks configured as schematically illustrated by line 122. In addition, all CPUs may communicate to any or all other CPUs in all SBBs with conventional mechanisms, such as inter-processor interrupts. Consequently, the CPUs and other hardware resources can be associated solely with software. Such a platform architecture is inherently scalable so that large amounts of processing power, memory and I/O will be available in a single computer.

An APMP computer system 200 constructed in accordance with the principles of the present invention from a software view is illustrated in FIG. 2. In this system, the hardware components have been allocated to allow concurrent execution of multiple operating system instances 208, 210, 212.

In a preferred embodiment, this allocation is performed by a software program called a "console" program, which, as will hereinafter be described in detail, is loaded into memory at power up. Console programs are shown schematically in FIG. 2 as programs 213, 215 and 217. The console program may be a modification of an existing administrative program or a separate program which interacts with an operating system to control the operation of the preferred embodiment. The console program does not virtualize the system resources, that is, it does not create any software layers between the running operating systems 208, 210 and 212 and the physical hardware, such as memory and I/O units (not shown in FIG. 2.) Nor is the state of the running operating systems 208, 210 and 212 swapped to provide access to the same hardware. Instead, the inventive system logically divides the hardware into partitions. It is the responsibility of operating system instance 208, 210, and 212 to use the resources appropriately and provide coordination of resource allocation and sharing. The hardware platform may optionally provide hardware assistance for the division of resources, and may provide fault barriers to minimize the ability of an operating system to corrupt memory, or affect devices controlled by another operating system copy.

The execution environment for a single copy of an operating system, such as copy 208 is called a "partition" 202, and the executing operating system 208 in partition 202 is called "instance" 208. Each operating system instance is capable of booting and running independently of all other operating system instances in the computer system, and can cooperatively take part in sharing resources between operating system instances as described below.

In order to run an operating system instance, a partition must include a hardware restart parameter block (HWRPB), a copy of a console program, some amount of memory, one or more CPUs, and at least one I/O bus which must have a dedicated physical port for the console. The HWRPB is a configuration block which is passed between the console program and the operating system.

Each of console programs 213, 215 and 217, is connected to a console port, shown as ports 214, 216 and 218, respectively. Console ports, such as ports 214, 216 and 218, generally come in the form of a serial line port, or attached graphics, keyboard and mouse options. For the purposes of the inventive computer system, the capability of supporting a dedicated graphics port and associated input devices is not required, although a specific operating system may require it. The base assumption is that a serial port is sufficient for each partition. While a separate terminal, or independent graphics console, could be used to display information generated by each console, preferably the serial lines 220, 222 and 224, can all be connected to a single multiplexer 226 attached to a workstation, PC, or LAT 228 for display of console information.

It is important to note that partitions are not synonymous with system building blocks. For example, partition 202 may comprise the hardware in building blocks 100 and 106 in FIG. 1 whereas partitions 204 and 206 might comprise the hardware in building blocks 102 and 104, respectively. Partitions may also include part of the hardware in a building block.

Partitions can be "initialized" or "uninitialized." An initialized partition has sufficient resources to execute an operating system instance, has a console program image loaded, and a primary CPU available and executing. An initialized partition may be under control of a console program, or may be executing an operating system instance. In an initialized state, a partition has full ownership and control of hardware components assigned to it and only the partition itself may release its components.

In accordance with the principles of the invention, resources can be reassigned from one initialized partition to another. Reassignment of resources can only be performed by the initialized partition to which the resource is currently assigned. When a partition is in an uninitialized state, other partitions may reassign its hardware components and may delete it.

An uninitialized partition is a partition which has no primary CPU executing either under control of a console program or an operating system. For example, a partition may be uninitialized due to a lack of sufficient resources at power up to run a primary CPU, or when a system administrator is reconfiguring the computer system. When in an uninitialized state, a partition may reassign its hardware components and may be deleted by another partition. Unassigned resources may be assigned by any partition.

Partitions may be organized into "communities" which provide the basis for grouping separate execution contexts to allow cooperative resource sharing. Partitions in the same community can share resources. Partitions that are not within the same community cannot share resources. Resources may only be manually moved between partitions that are not in the same community by the system administrator by de-assigning the resource (and stopping usage), and manually reconfiguring the resource. Communities can be used to create independent operating system domains, or to implement user policy for hardware usage. In FIG. 2, partitions 202 and 204 have been organized into community 230. Partition 206 may be in its own community 205. Communities can be constructed using the configuration tree described below and may be enforced by hardware.

The Console Program

When a computer system constructed in accordance with the principles of the present invention is enabled on a platform, multiple HWRPB's must be created, multiple console program copies must be loaded, and system resources must be assigned in such a way that each HWRPB is associated with specific components of the system. To do this, the first console program to run will create a configuration tree structure in memory which represents all of the hardware in the system. The tree will also contain the software partitioning information, and the assignments of hardware to partitions and is discussed in detail below.

More specifically, when the APMP system is powered up, a CPU will be selected as a primary CPU in a conventional manner by hardware which is specific to the platform on which the system is running. The primary CPU then loads a copy of a console program into memory. This console copy is called a "master console" program. The primary CPU initially operates under control of the master console program to perform testing and checking assuming that there is a single system which owns the entire machine. Subsequently, a set of environment variables are loaded which define the system partitions. Finally, the master console creates and initializes the partitions based on the environment variables. In this latter process the master console operates to create the configuration tree, to create additional HWRPB data blocks, to load the additional console program copies, and to start the CPUs on the alternate HWRPBs. Each partition then has an operating system instance running on it, which instance cooperates with a console program copy also running in that partition. In an unconfigured APMP system, the master console program will initially create a single partition containing the primary CPU, a minimum amount of memory, and a physical system administrator's console selected in a platform-specific way. Console program commands will then allow the system administrator to create additional partitions, and configure I/O buses, memory, and CPUs for each partition.

After associations of resources to partitions have been made by the console program, the associations are stored in non-volatile RAM to allow for an automatic configuration of the system during subsequent boots. During subsequent boots, the master console program must validate the current configuration with the stored configuration to handle the removal and addition of new components. Newly-added components are placed into an unassigned state, until they are assigned by the system administrator. If the removal of a hardware component results in a partition with insufficient resources to run an operating system, resources will continue to be assigned to the partition, but it will be incapable of running an operating system instance until additional new resources are allocated to it.

As previously mentioned, the console program communicates with an operating system instance by means of an HWRPB which is passed to the operating system during operating system boot up. The fundamental requirements for a console program are that it should be able to create multiple copies of HWRPBs and itself. Each HWRPB copy created by the console program will be capable of booting an independent operating system instance into a private section of memory and each operating system instance booted in this manner can be identified by a unique value placed into the HWRPB. The value indicates the partition, and is also used as the operating system instance ID.

In addition, the console program is configured to provide a mechanism to remove a CPU from the available CPUs within a partition in response to a request by an operating system running in that partition. Each operating system instance must be able to shutdown, halt, or otherwise crash in a manner that control is passed to the console program. Conversely, each operating system instance must be able to reboot into an operational mode, independently of any other operating system instance.

Each HWRPB which is created by a console program will contain a CPU slot-specific database for each CPU that is in the system, or that can be added to the system without powering the entire system down. Each CPU that is physically present will be marked "present", but only CPUs that will initially execute in a specific partition will be marked "available" in the HWRPB for the partition. The operating system instance running on a partition will be capable of recognizing that a CPU may be available at some future time by a present (PP) bit in a per-CPU state flag fields of the HWRPB, and can build data structures to reflect this. When set, the available (PA) bit in the per-CPU state flag fields indicates that the associated CPU is currently associated with the partition, and can be invited to join SMP operation.

The Configuration Tree

As previously mentioned, the master console program creates a configuration tree which represents the hardware configuration, and the assignment of each component in the system to each partition. Each console program then identifies the configuration tree to its associated operating system instance by placing a pointer to the tree in the HWRPB.

Referring to FIG. 3, the configuration tree 300 represents the hardware components in the system, the platform constraints and minimums, and the software configuration. The master console program builds the tree using information discovered by probing the hardware, and from information stored in non-volatile RAM which contains configuration information generated during previous initializations.

The master console may generate a single copy of the tree which copy is shared by all operating system instances, or it may replicate the tree for each instance. A single copy of the tree has the disadvantage that it can create a single point of failure in systems with independent memories. However, platforms that generate multiple tree copies require the console programs to be capable of keeping changes to the tree synchronized.

The configuration tree comprises multiple nodes including root nodes, child nodes and sibling nodes. Each node is formed of a fixed header and a variable length extension for overlaid data structures. The tree starts with a tree root node 302 representing the entire system box, followed by branches that describe the hardware configuration (hardware root node 304), the software configuration (software root node 306), and the minimum partition requirements (template root node 308.) In FIG. 3, the arrows represent child and sibling relationships. The children of a node represent component parts of the hardware or software configuration. Siblings represent peers of a component that may not be related except by having the same parent. Nodes in the tree 300 contain information on the software communities and operating system instances, hardware configuration, configuration constraints, performance boundaries and hot-swap capabilities. The nodes also provide the relationship of hardware to software ownership, or the sharing of a hardware component.

The nodes are stored contiguously in memory and the address offset from the tree root node 302 of the tree 300 to a specific node forms a "handle" which may be used from any operating system instance to unambiguously identify the same component on any operating system instance. In addition, each component in the inventive computer system has a separate ID. This may illustratively be a 64-bit unsigned value. The ID must specify a unique component when combined with the type and subtype values of the component. That is, for a given type of component, the ID must identify a specific component. The ID may be a simple number, for example the CPU ID, it may be some other unique encoding, or a physical address. The component ID and handle allow any member of the computer system to identify a specific piece of hardware or software. That is, any partition using either method of specification must be able to use the same specification, and obtain the same result.

As described above, the inventive computer system is composed of one or more communities which, in turn, are composed of one or more partitions. By dividing the partitions across the independent communities, the inventive computer system can be placed into a configuration in which sharing of devices and memory can be limited. Communities and partitions will have IDs which are densely packed. The hardware platform will determine the maximum number of partitions based on the hardware that is present in the system, as well as having a platform maximum limit. Partition and community IDs will never exceed this value during runtime. IDs will be reused for deleted partitions and communities. The maximum number of communities is the same as the maximum number of partitions. In addition, each operating system instance is identified by a unique instance identifier, for example a combination of the partition ID plus an incarnation number.

The communities and partitions are represented by a software root node 306, which has community node children (of which community node 310 is shown), and partition node grandchildren (of which two nodes, 312 and 314, are shown.)

The hardware components are represented by a hardware root node 304 which contains children that represent a hierarchical representation of all of the hardware currently present in the computer system. "Ownership" of a hardware component is represented by a handle in the associated hardware node which points to the appropriate software node (310, 312 or 314.) These handles are illustrated in FIG. 4 which will be discussed in more detail below. Components that are owned by a specific partition will have handles that point to the node representing the partition. Hardware which is shared by multiple partitions (for example, memory) will have handles that point to the community to which sharing is confined. Un-owned hardware will have a handle of zero (representing the tree root node 302).

Hardware components place configuration constraints on how ownership may be divided. A "config" handle in the configuration tree node associated with each component determines if the component is free to be associated anywhere in the computer system by pointing to the hardware root node 304. However, some hardware components may be bound to an ancestor node and must be configured as part of this node. Examples of this are CPUs, which may have no constraints on where they execute, but which are a component part of a system building block (SBB), such as SBBs 322 or 324. In this case, even though the CPU is a child of the SBB, its config handle will point to the hardware root node 304. An I/O bus, however, may not be able to be owned by a partition other than the partition that owns its I/O processor. In this case, the configuration tree node representing the I/O bus would have a config handle pointing to the I/O processor. Because the rules governing hardware configuration are platform specific, this information is provided to the operating system instances by the config handle.

Each hardware component also has an "affinity" handle. The affinity handle is identical to the config handle, except that it represents a configuration which will obtain the best performance of the component. For example, a CPU or memory may have a config handle which allows it to be configured anywhere in the computer system (it points to the hardware root node 304), however, for optimal performance, the CPU or memory should be configured to use the System Building Block of which they are a part. The result is that the config pointer points to the hardware root node 304, but the affinity pointer points to an SBB node such as node 322 or node 324. The affinity of any component is platform specific, and determined by the firmware. Firmware may use this information when asked to form "optimal" automatic configurations.

Each node also contains several flags which indicate the type and state of the node. These flags include a node_hotswap flag which indicates that the component represented is a "hot swappable" component and can be powered down independently of its parent and siblings. However, all children of this node must power down if this component powers down. If the children can power down independently of this component, they must also have this bit set in their corresponding nodes. Another flag is a node_unavailable flag which, when set, indicates that the component represented by the node is not currently available for use. When a component is powered down (or is never powered up) it is flagged as unavailable.

Two flags, node_hardware and node_template, indicate the type of node. Further flags, such as node_initialized and node_cpu_primary may also be provided to indicate whether the node represents a partition which has been initialized or a CPU that is currently a primary CPU.

The configuration tree 300 may extend to the level of device controllers, which will allow the operating system to build bus and device configuration tables without probing the buses. However, the tree may also end at any level, if all components below it cannot be configured independently. System software will still be required to probe for bus and device information not provided by the tree.

The console program implements and enforces configuration constraints, if any, on each component of the system. In general, components are either assignable without constraints (for example, CPUs may have no constraints), or are configurable only as a part of another component (a device adapter, for example, may be configurable only as a part of its bus). A partition which is, as explained above, a grouping of CPUs, memory, and I/O devices into a unique software entity also has minimum requirements. For example, the minimum hardware requirements for a partition are at least one CPU, some private memory (platform dependent minimum, including console memory) and an I/O bus, including a physical, non-shared, console port.

The minimal component requirements for a partition are provided by the information contained in the template root node 308. The template root node 308 contains nodes, 316, 318 and 320, representing the hardware components that must be provided to create a partition capable of execution of a console program and an operating system instance. Configuration editors can use this information as the basis to determine what types, and how many resources must be available to form a new partition.

During the construction of a new partition, the template subtree will be "walked", and, for each node in the template subtree, there must be a node with the same type and subtype owned by the new partition so that it will be capable of loading a console program and booting an operating system instance. If there are more than one node of the same type and subtype in the template tree, there must also be multiple nodes in the new partition. The console program will use the template to validate that a new partition has the minimum requirements prior to attempting to load a console program and initialize operation.

The following is a detailed example of a particular implementation of configuration tree nodes. It is intended for descriptive purposes only and is not intended to be limiting. Each HWRPB must point to a configuration tree which provides the current configuration, and the assignments of components to partitions. A configuration pointer (in the CONFIG field) in the HWRPB is used to point to the configuration tree. The CONFIG field points to a 64-byte header containing the size of the memory pool for the tree, and the initial checksum of the memory. Immediately following the header is the root node of the tree. The header and root node of the tree will be page aligned.

The total size in bytes of the memory allocated for the configuration tree is located in the first quadword of the header. The size is guaranteed to be in multiples of the hardware page size. The second quadword of the header is reserved for a checksum. In order to examine the configuration tree, an operating system instance maps the tree into its local address space. Because an operating system instance may map this memory with read access allowed for all applications, some provision must be made to prevent a non-privileged application from gaining access to console data to which it should not have access. Access may be restricted by appropriately allocating memory. For example, the memory may be page aligned and allocated in whole pages. Normally, an operating system instance will map the first page of the configuration tree, obtain the tree size, and then remap the memory allocated for configuration tree usage. The total size may include additional memory used by the console for dynamic changes to the tree.

Preferably, configuration tree nodes are formed with fixed headers, and may optionally contain type-specific information following the fixed portion. The size field contains the full length of the node, nodes are illustratively allocated in multiples of 64-bytes and padded as needed. The following description defines illustrative fields in the fixed header for a node:

        typedef struct_gct_node {
            unsigned char        type;
            unsigned char        subtype;
            uint16               size;
            GCT_HANDLE           owner;
            GCT_HANDLE           current_owner;
            GCT_ID               id;
            union {
              uint64             node_flags;
              struct {
                unsigned          node_hardware      : 1;
                unsigned          node_hotswap       : 1;
                unsigned          node_unavailable   : 1;
                unsigned          node_hw_template   : 1;
                unsigned          node_initialized   : 1;
                unsigned          node_cpu_primary   : 1;
            #define NODE_HARDWARE            0x001
            #define NODE_HOTSWAP             0x002
            #define NODE_UNAVAILABLE         0x004
            #define NODE_HW_TEMPLATE         0x008
            #define NODE_INITIALIZED         0x010
            #define NODE_PRIMARY             0x020
                } flag_bits
              } flag_union;
              GCT_HANDLE        config;
              GCT_HANDLE        affinity;
              GCT_HANDLE        parent;
              GCT_HANDLE        next_sib;
              GCT_HANDLE        prev_sib;
              GCT_HANDLE        child;
              GCT_HANDLE        reserved;
              uint32            magic
              } GCT_NODE;

              typedef struct_gct_root_node {
                  GCT_NODE        hd;
                  uint64          lock;
                  uint64          transient_level;
                  uint64          current_level;
                  uint64          console_req;
                  uint64          min_alloc;
                  uint64          min_align;
                  uint64          base_alloc;
                  uint64          base_align;
                  uint64          max_phys_address;
                  uint64          mem_size;
                  uint64          platform_type;
                  int32           platform_name;
                  GCT_HANDLE      primary_instance;
                  GCT_HANDLE      first_free;
                  GCT_HANDLE      high_limit;
                  GCT_HANDLE      lookaside;
                  GCT_HANDLE      available;
                  uint32          max_partition;
                  int32           partitions;
                  int32           communities;
                  uint32          max_platform_partition;
                  uint32          max_fragments;
                  uint32          max_desc;
                  char            APMP_id[16];
                  char            APMP_id_pad[4];
                  int32           bindings;
              } GCT_ROOT_NODE;

                typedef struct_gct_partition_node {
                    GCT_NODE      hd;
                    uint64        hwrpb;
                    uint64        incarnation;
                    uint64        priority;
                    int32         os_type;
                    uint32        partition_reserved_1;
                    uint64        instance_name_format;
                    char          instance_name[128];
                } GCT_PARTITION_NODE;

                  typedef struct_gct_cpu_node {
                        GCT_NODE    hd;
                  } GCT_CPU_NODE;

    typedef struct_gct_mem_desc_node {
        GCT_NODE          hd;
        GCT_MEM_INFO      mem_info;
        int32             mem_frag;
    }GCT_MEM_DESC_NODE;
        The mem_info structure has the following definition:
    typedef struct_gct_mem_info {
        uint64            base_pa;
        uint64            base_size;
        uint32            desc_count;
        uint32            info_fill;
    }GCT_MEM_INFO:
        The mem_frag field holds an offset from the base of the memory
    descriptor node to an array of GCT_MEM_DESC structures
    which have the definition:.
    typedef struct_gct_mem_desc {
        uint64                       pa;
        unit64                       size;
        GCT_HANDLE                   mem_owner;
        GCT_HANDLE                   mem_current_owner;
        union {
            uint32                   mem_flags;
            struct {
                unsigned             mem_console   : 1;
                unsigned             mem_private   : 1;
                unsigned             mem_shared    : 1;
                unsigned             base          : 1;
        #define CGT_MEM_CONSOLE      0.times.1
        #define CGT_MEM_PRIVATE      0.times.2
        #define CGT_MEM_SHARED       0.times.4
        #define CGT_MEM_CONSOLE      0.times.8
            } flag_bits;
        }   flag_union;
        uint32                       mem_fill;
    } GCT_MEM_DESC;

    TABLE 1
    owner field value current_owner field value Resource State
    none            none                   unowned, and inactive
    none            valid                  unowned, but still active
    valid           none                   owned, not yet active
    valid           equal to owner         owned and active
    valid           is not equal to owner  loaned