The document discusses ensuring data integrity in the LDS Church's digital preservation archive (DRPS). It describes the DRPS system architecture which uses multiple copies across locations, automatic replication, and various integrity checks like fixity values and cyclic redundancy checks to ensure data integrity from ingest to permanent tape storage. It highlights how tape storage provides better long-term preservation than disk, though it presents some access challenges, and discusses ongoing efforts to verify archive integrity through periodic reading and drive-level error checking of tapes.
Gabe Nault Data Integrity
1. Ensuring Data Integrity in a Digital Preservation Archive
Gabe Nault
LDS Church
naultga@ldschurch.org
Future Perfect Conference
2012
image courtesy of IBM
2. Introducing the LDS Church
• The Church of Jesus Christ of Latter-day Saints
• Global Christian church with 14 million members
• 3 universities, 1 college
• State-of-the-art audiovisual capabilities
• Scriptural mandate to keep and preserve records since 1830
photo by Henok Montoya
3. The Church History Department
• Preserves records of enduring value from
Church leaders, departments, universities,
and affiliations (more than 35 organizations)
• Typically, less than
10% of records are
candidates for
preservation
Church History Library on Temple Square
4. Granite Mountain Records Vault
• Bored into a solid granite
mountain
• Stores large microfilm
collections and valuable
Church artifacts
• Plans recently developed
to renovate the facility for
digital preservation
5. The Media Services Department
• Audiovisual records will
consume majority of our
archive capacity
Mormon Tabernacle Choir and Orchestra
Free Bible videos from biblevideos.lds.org
• 100+ PB in a decade
for a single copy!
Conference Center on Temple Square
6. DRPS System Architecture
[Diagram: Digital Records Preservation System, function and component per layer]
• Fixity Creation: DRPS Ingest Tools
• Preservation Functions
• Fixity Bridge: Storage Extensions
• Information Lifecycle Management: StorageGRID
• Tape Interface: IBM Tivoli Storage Manager
8. DRPS Highlights
• Multiple copies in multiple geographic
locations (eventually)
• Approximately 1 PB spinning media
• Automatic replication to remote site(s)
• End to end data integrity
• Tape-based permanent storage
9. Why Tape for Preservation?
Total cost of storage ownership study
• TCO - Over ten years, ownership and operating costs of tape are three to fifteen times less than associated costs for disk arrays
• Cost advantages of tape are expected to increase over time
• Conclusion—for now, tape is required to sustain a multi-PB digital archive
• But . . . tape presents some challenges
IBM TS3500 Tape Libraries (image courtesy of IBM)
10. Why Tape for Preservation?
Limitations
• Latency
• Limited to sequential access
• Limited number of read/writes
• Leads to greater system and operational complexity
IBM TS3500 Tape Libraries (image courtesy of IBM)
11. Data Integrity
• Data integrity validation is provided by fixity checks
when data is written, transferred, moved, or copied
• Fixity checking should be performed from file
creation to permanent storage to delivery
• Periodic validation of the entire archive should also
be performed to detect data corruption (bit rot, drive
errors, tape degradation, etc.)
• DRPS uses a variety of integrity values for fixity
13. DRPS Data Integrity Validation
[Diagram: DRPS Ingest Tools, Storage Extensions and StorageGRID, linked by "SHA-1 control" hand-offs, with these annotations]
• SHA-1 created for producer files
• SHA-1 checked upon ingest and write to permanent storage
• Web service retrieves StorageGRID SHA-1, then Rosetta plug-in compares with Rosetta SHA-1
• SHA-1 created for ingested files
14. StorageGRID Fixity Checking
• StorageGRID is constructed around the concept
of object storage
• Provides a layered/overlapping set of protection
domains to guard against object data corruption
1. SHA-1 object hash—checked on store and access
2. Content hash—checked on access
3. CRC checksum—checked with every operation
4. Key-based hash value—checked on access
15. DRPS Data Integrity Validation
[Diagram: DRPS Ingest Tools, Storage Extensions, StorageGRID and IBM Tivoli Storage Manager, linked by "SHA-1 control" hand-offs and, into Tivoli Storage Manager, "CRCs, ECCs", with these annotations]
• SHA-1 created for producer files
• SHA-1 checked upon ingest and write to permanent storage
• Web service retrieves StorageGRID SHA-1, then Rosetta plug-in compares with Rosetta SHA-1
• SHA-1 created for ingested files
• SHA-1 and other fixity checked during write to storage nodes
• TSM end-to-end logical block protection
16. TSM End-to-End Logical Block Protection
• Supersedes SHA-1 fixity information with
cyclic redundancy check values (CRCs)
and error-correcting codes (ECCs)
• Enabled with new, state-of-the-art
functionality of IBM LTO-5 and TS1140
tape drives
• Seamlessly extends validation
of data integrity as data is
written to tape
17. TSM End-to-End Logical Block Protection
1. TSM server calculates and
appends “original data CRC”
to logical data block
2. Tape drive computes its
own CRC and compares
to original data CRC
18. TSM End-to-End Logical Block Protection
3. As logical block is loaded into
drive data buffer, on-the-fly
verifier checks original data CRC
4. In parallel, a “C1 code”
(ECC) is computed and
appended
19. TSM End-to-End Logical Block Protection
5. An additional ECC, referred to
as “C2 code,” is added to the
logical block
6. More powerful than the
original data CRC, the
C1 code is checked every
time data is read from the buffer
20. TSM End-to-End Logical Block Protection
7. Data written to tape at full
line speed with read-while-
write process
8. Just written data loaded to
buffer and C1 code checked
Successful read-while-
write operation assures no
data corruption from TSM
server to tape
21. TSM End-to-End Logical Block Protection
9. When tape is read, all codes
(C1, C2, original data CRC)
are checked by drive
10. Original data CRC appended
to logical block
11. TSM server verifies original
data CRC, completing TSM
end-to-end logical block
protection cycle
22. Ongoing Archive Data Integrity
• We must assume that data may become
corrupted after being written correctly
to tape
• Therefore, tapes must be read
periodically to identify and correct data
errors
image courtesy of IBM
23. Ongoing Archive Data Integrity
• Staging IEs to disk to verify integrity
is resource intensive!
• IBM LTO-5 and TS1140 tape drives
provide a more efficient solution
• During “SCSI Verify” operation, a
tape is mounted, drive checks all
codes (C1, C2, original data CRC) as
data is being read (at full line speed)
• Only status is reported as these
internal checks are completed
24. Summary
• Fixity information is the key to data integrity
• SHA-1 values ensure data integrity to StorageGRID
• TSM end-to-end logical block protection ensures data integrity to tape
• In-drive validation enables ongoing integrity checks for the entire archive
[Diagram: DRPS Ingest Tools, Storage Extensions, StorageGRID and IBM Tivoli Storage Manager, linked by "SHA-1 control" hand-offs and, into Tivoli Storage Manager, "CRCs, ECCs"]
26. Trademarks
The Ex Libris logo and Rosetta are trademarks of Ex Libris Group.
The IBM logo and Tivoli Storage Manager are trademarks of International Business Machines Corporation.
The NetApp logo and StorageGRID are trademarks of NetApp, Inc.
27. Rate of Bit Errors
• Preliminary validation of DRPS archive
resulted in a 3.3x10^-14 bit error rate
• USC Shoah Foundation Institute visit
• 8 PB tape archive of videotaped interviews of
Holocaust survivors and other witnesses
• Experienced 1500 bit flips in 8 PB
(2.3x10^-14 bit error rate)
Editor's Notes
Good morning! My presentation will cover the challenges of, and some working solutions to, a key requirement of digital preservation—ongoing data integrity of the archive. The solutions I will discuss were developed cooperatively by three vendors in conjunction with the Church of Jesus Christ of Latter-day Saints. By the way, you will be able to download a white paper that covers my presentation along with the presentation itself when the conference is over.
First let me introduce the Church. Its full name is the Church of Jesus Christ of Latter-day Saints. Headquarters are in Salt Lake City, Utah – a Western State in the United States of America. The building shown here is the Salt Lake Temple, which has come to be a symbol for the Church. For your information, the Church operates 134 temples around the world. Temples are not weekly meeting places; rather, they are sacred places where families are sealed together forever – beyond life here on earth. We are a global Christian Church with more than 14 million members. The Church has more than 700,000 students enrolled in religious training around the world. It also operates three universities and a business college. Education is very important to members of the Church of Jesus Christ of Latter-day Saints. Over the last two decades, the Church has developed state-of-the-art digital audiovisual capabilities to support its vast, worldwide communications needs. I will talk more about this later. The Church has a scriptural mandate to keep records of its proceedings and preserve them for future generations. Accordingly, the Church has been creating and keeping records since 1830, when it was organized. A Church Historian’s Office was formed in the 1840s, and in 1972 it was renamed the Church History Department.
Today, the Church History Department has ultimate responsibility for preserving records of enduring value that originate from its ecclesiastical leaders and within the various Church departments, the Church’s educational institutions, and its affiliations. In order to carry out this responsibility, the Church History Department’s Records Management team helps each Church organization develop a records management plan. The plan identifies all records used by the organization and establishes a record retention and disposition schedule for each collection. Usually, less than 10% of the records have a final disposition of “archive.” Only these records are preserved for future generations.
I mentioned earlier that the Church has developed state-of-the-art digital audiovisual capabilities to support its vast, worldwide communications needs. The Media Services Department uses these capabilities to support the rest of the Church organizations in their audiovisual needs. Because of the average size of MSD audiovisual files, which is several hundred gigabytes so far, MSD audiovisual files will consume the vast majority of archive capacity in the Church History Department’s Digital Records Preservation System. One example of audiovisual records we preserve is weekly broadcasts of Music and the Spoken Word—the world’s longest continuous network broadcast (now in its 83rd year). Each broadcast features an inspirational message and music performed by the Mormon Tabernacle Choir, also known as “America’s Choir,” and the Orchestra at Temple Square. These National Radio Hall of Fame broadcasts are clearly a priceless treasure for the world that are being preserved for future generations. Another example of audiovisual records we preserve is semiannual broadcasts of General Conference, which is held in the remarkable Conference Center, shown here, that seats 21,000. The meetings are broadcast in high definition video via satellite to more than 7,400 Church buildings in 102 countries. The broadcasts are simultaneously translated into 76 languages. Ultimately, digital audio tracks for 96 languages are created and preserved to augment the digital video taping of each meeting. Not surprisingly, the Church is the world’s largest language broadcaster. As a gift to the world, the Church launched a new website last Christmas that provides free Bible videos of the birth, life, death, and resurrection of the Lord Jesus Christ. Viewable with a free mobile app, these videos are faithful to the biblical account, and of course will be preserved for future generations. I encourage you to visit the website at biblevideos.lds.org. With audiovisual files such as these, we expect that our archive capacity within a decade will exceed 100 petabytes for a single copy!
The Church History Department’s Digital Records Preservation System, or DRPS, is based on Ex Libris Rosetta. Rosetta provides configurable preservation workflows and advanced preservation planning functions, but only writes a single copy of an AIP to a storage device for permanent storage. Therefore, an appropriate storage layer must be integrated with Rosetta in order to provide the full capabilities of a digital preservation archive, including AIP replication. After investigating a host of potential storage layer solutions, the Church History Department chose NetApp StorageGRID to provide the ILM capabilities that were desired. In particular, StorageGRID’s data integrity, data resilience, and data replication capabilities were attractive. In order to support ILM migration of AIPs from disk to tape, StorageGRID utilizes IBM Tivoli Storage Manager, or TSM, as an interface to tape libraries. DRPS also employs software extensions developed by my team, which is part of Church Information and Communications Services. The first is a set of ingest tools that help with fixity information creation, which I will discuss later. The second involves a fixity information bridge that will also be described later.
You may wonder why we chose to use tape libraries for the DRPS archive. In 2008, an internal study was performed to compare the costs of acquisition, maintenance, administration, data center floor space, and power to archive hundreds of petabytes of digital records using disk arrays, optical disks, virtual tape libraries, and automated tape cartridges. The model also incorporated assumptions about increasing storage densities of these different storage technologies over time. Calculating all costs over a ten year period, the study concluded that the total cost of ownership of automated tape cartridges would be 33.7% of the next closest storage technology, which was disk arrays. Based on discussions with major storage providers, we believe that the cost of power and the cost per terabyte advantages of tape will only increase over time. Therefore, we concluded that, at least for now, we should use tape libraries to sustain our digital archive that is expected to skyrocket to a multiple petabyte capacity in just a few years. When we made this decision, we were NOT naive to the challenges of tape we would be facing.
One of those challenges has to do with ensuring data integrity of the tape archive. This is a critical requirement for any digital preservation archive, and it differentiates a tape archive from other types of tape farms. Modern IT equipment, including servers, storage, and network switches and routers, incorporates advanced features to minimize data corruption. Nevertheless, undetected errors still occur for a variety of reasons. Whenever data files are written, read, stored, transmitted over a network, or processed, there is a small but real possibility that corruption will occur. Causes range from hardware and software failures to network transmission failures and interruptions. Bit flips within files stored on tape can also cause data corruption. Fixity information enables data integrity validation. Fixity information is a checksum, or integrity value, that is calculated by a secure hash algorithm to ensure data integrity of an AIP file throughout preservation workflows and after the file has been written to the archive. By comparing fixity hash values before and after records are written, transferred over a network, moved or copied, a digital preservation system can determine if data corruption has taken place during its workflows or while the AIP is stored in the archive. To do data integrity validation correctly, end-to-end fixity checking should be performed from file ingest to storing the file on permanent storage to eventual access and delivery. Furthermore, data integrity validation of the entire archive should be performed periodically to detect and correct bit flips (also known as bit rot). DRPS uses a variety of hash values, cyclic redundancy check values, and error-correcting codes for such fixity information.
As mentioned earlier, DRPS employs a variety of hash values, cyclic redundancy check values, and error-correcting codes in order to ensure data integrity of its tape archive. The chain of control of this fixity information is illustrated here. In order to implement fixity information as early as possible in the preservation process, and thus minimize data errors, DRPS provides ingest tools developed by my team that create SHA-1 fixity information for producer files before they are transferred to DRPS for ingest. Control of this SHA-1 fixity information is transferred when a file is ingested into Rosetta. Within Rosetta, SHA-1 fixity checks are performed three times—(1) when the deposit server receives a Submission Information Package (SIP), (2) during the SIP validation process, and (3) when an AIP is moved to permanent storage. Rosetta also provides the capability to perform fixity checks on AIP files written to permanent storage, but the ILM features of StorageGRID do not utilize this capability. Therefore, StorageGRID must take over control of the SHA-1 fixity information once files have been written to it. By collaborating with Ex Libris on this process, ICS and Ex Libris have been successful in making the fixity information hand off from Rosetta to StorageGRID. This is accomplished with a web service we developed that retrieves SHA-1 hash values generated independently by StorageGRID when the files are written to the StorageGRID gateway node. Ex Libris developed a Rosetta plug-in that calls this web service and compares the StorageGRID SHA-1 hash values with those in the Rosetta database, which are known to be correct.
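The hand-offs described above, as an added example (not code from the talk, Rosetta or StorageGRID): each stage re-hashes the bytes it actually holds, and the bridge compares the storage layer's independently computed SHA-1 with the value recorded at ingest. Function names, file names and the injected one-bit fault are constructed for illustration.

```python
import hashlib
import io

CHUNK = 1 << 20  # hash in 1 MiB chunks; audiovisual files are far larger than RAM


class FixityError(Exception):
    """Raised when a recomputed hash differs from the value handed over."""


def sha1_of(stream):
    """Stream a file-like object through SHA-1 and return the hex digest."""
    h = hashlib.sha1()
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        h.update(chunk)
    return h.hexdigest()


def producer_manifest(files):
    """Stage 1: fixity values are created at the producer, before any transfer."""
    return {name: sha1_of(io.BytesIO(data)) for name, data in files.items()}


def ingest(received, manifest):
    """Stage 2: re-hash what arrived; record a value in the preservation
    database only if it matches the producer's manifest."""
    database = {}
    for name, expected in manifest.items():
        if name not in received:
            raise FixityError(f"{name}: listed in manifest but not received")
        actual = sha1_of(io.BytesIO(received[name]))
        if actual != expected:
            raise FixityError(f"{name}: expected {expected}, got {actual}")
        database[name] = actual
    return database


def storage_write(files, fault=None):
    """Stage 3: the storage layer hashes the bytes it ended up holding.
    `fault` = (name, byte offset) flips one bit on the way in (demo only)."""
    stored = {}
    for name, data in files.items():
        buf = bytearray(data)
        if fault and fault[0] == name:
            buf[fault[1]] ^= 0x01
        stored[name] = bytes(buf)
    return stored, {n: sha1_of(io.BytesIO(d)) for n, d in stored.items()}


def bridge_compare(database, storage_hashes):
    """Stage 4: compare the storage layer's own hashes with the database
    values; return the names whose stored copy must not be trusted."""
    return sorted(n for n, h in database.items() if storage_hashes.get(n) != h)


# Constructed sample payloads standing in for producer files.
FILES = {
    "broadcast_0001.mxf": b"\x00\x01" * 4096,
    "minutes_1972.pdf": b"%PDF-1.4 sample " * 512,
}

if __name__ == "__main__":
    db = ingest(FILES, producer_manifest(FILES))
    _, clean = storage_write(FILES)
    _, faulty = storage_write(FILES, fault=("minutes_1972.pdf", 100))
    print("clean write mismatches: ", bridge_compare(db, clean))
    print("faulty write mismatches:", bridge_compare(db, faulty))
```

The comparison only has value because the storage-side hash is computed from the stored bytes rather than copied from the sender; a hash that travels with the data would match even after the write corrupted it.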
Before I go any further with the DRPS data integrity validation chain, I’d like to discuss in some detail how StorageGRID handles fixity checking. First, StorageGRID is constructed around the concept of object storage, which enables it to provide advanced Information Lifecycle Management capabilities. To ensure object data integrity, StorageGRID provides a layered and overlapping set of protection domains that guard against object data corruption and alteration of files that are written to the grid. The first domain is called the SHA-1 object hash—this is the same SHA-1 hash value we just discussed with the previous slide. It is generated when the object (or AIP) is created (i.e., when the gateway node writes it to the first storage node), and it is verified every time the object is stored and accessed. The second domain is called the content hash. Because this hash is not self-contained, it requires external information for verification, and therefore is checked only when the object is accessed. The third domain is a cyclic redundancy check, or CRC, checksum. It is verified during every StorageGRID object operation—store, retrieve, transmit, receive, access, and background verification. And finally, the fourth domain is a key-based hash value. Using the hash key, this domain secures against all forms of tampering. As you see, StorageGRID provides very sophisticated and advanced fixity checking, which is a major reason we selected it for our DRPS storage layer.
Continuing with the DRPS data integrity validation chain . . . StorageGRID uses the four levels of fixity checking we just discussed to ensure integrity of AIPs that are written to the grid—from the gateway node to the storage nodes. Once a file has been correctly written to a storage node, StorageGRID invokes the TSM Client running on the archive node server in order to write the file to tape. As this happens, the SHA-1 fixity information is not handed off to TSM. Rather, TSM end-to-end logical block protection takes over.
TSM end-to-end logical block protection utilizes CRCs and ECCs that supersede the use of SHA-1 fixity information while TSM is in control of the file. This advanced protection is enabled with brand new, state-of-the-art functionality provided by IBM LTO-5 and TS1140 tape drives, which I will soon illustrate. While the DRPS fixity information chain of control is altered when StorageGRID invokes TSM, validation of the file’s data integrity continues seamlessly until it is correctly written to tape using TSM end-to-end logical block protection.
The TSM end-to-end logical block protection process begins when . . . the TSM server calculates and appends a cyclic redundancy check value, or CRC, to each AIP logical block before transferring it to a tape drive for writing. Each appended CRC is called the “original data CRC” for that logical block. When the tape drive receives a logical block, it computes its own CRC for the data and compares it to the original data CRC. If an error is detected, a check condition is generated, forcing a re-drive or a permanent error. This step effectively guarantees protection of the logical block during transfer.
As the logical block is loaded into the drive’s main data buffer, two parallel processes occur. In one process, data is cycled back through an on-the-fly verifier that once again validates the original data CRC. Any introduced error will force a re-drive or a permanent error. In parallel, an error-correcting code, or ECC, is computed and appended to the data. Referred to as the “C1 code,” this ECC protects data integrity of the logical block as it goes through additional formatting steps . . .
. . . including the addition of an additional ECC, referred to as the “C2 code.” As part of these formatting steps, the C1 code is checked every time data is read from the data buffer. Thus, protection of the original data CRC is essentially transformed to protection from the more powerful C1 code.
Finally the data is read from the main data buffer and is written to tape using a read-while-write process. During this process, the just written data is read back from tape and loaded into the main data buffer so the C1 code can be checked once again to verify the written data. A successful read-while-write operation assures that no data corruption has occurred from the time the AIP logical block was transferred from the TSM server until it is written to tape. And using these ECCs and CRCs, the tape drive can validate AIP logical blocks at full line speed as they are being written!
During a read operation, data is read from the tape and all three codes (C1, C2, and the original data CRC) are decoded and checked, and a read error is generated if any process indicates an error. The original data CRC is then appended to the logical block. When the logical block is transferred to the TSM server, the original data CRC is independently verified by that server, thus completing the TSM end-to-end logical block protection cycle. I didn’t mention this previously, but TSM also performs data integrity validation during client sessions when data is sent between a client and the server, or vice versa.
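An added sketch of the block protection cycle just described (not IBM's or TSM's code): zlib's CRC-32 stands in for the original data CRC, whose actual polynomial the talk does not give, and the same CRC check stands in for the drive's C1/C2 ECC checks, which are not modeled. The `Drive` class, the `channel` callback and the fault positions are hypothetical.

```python
import struct
import zlib


class CheckCondition(Exception):
    """Drive-reported integrity failure: the sender re-drives or gives up."""


def flip_bit(data, bit):
    """Return a copy of `data` with one bit inverted (models a bit flip)."""
    buf = bytearray(data)
    buf[bit // 8] ^= 1 << (bit % 8)
    return bytes(buf)


def server_protect(block):
    """Server side: append the 'original data CRC' to the logical block."""
    return block + struct.pack(">I", zlib.crc32(block))


def crc_ok(protected):
    """Recompute the CRC over the payload and compare with the appended one."""
    if len(protected) < 4:
        return False
    (crc,) = struct.unpack(">I", protected[-4:])
    return zlib.crc32(protected[:-4]) == crc


def server_receive(protected):
    """Server side on read: independently verify, then strip, the CRC."""
    if not crc_ok(protected):
        raise ValueError("original data CRC mismatch at server")
    return protected[:-4]


class Drive:
    def __init__(self):
        self.tape = []  # one entry per protected logical block

    def write(self, protected, media_fault_bit=None):
        # On receipt the drive computes its own CRC and compares.
        if not crc_ok(protected):
            raise CheckCondition("CRC mismatch on transfer to drive")
        # Read-while-write: what landed on the medium is read back and checked.
        on_tape = protected
        if media_fault_bit is not None:
            on_tape = flip_bit(protected, media_fault_bit)
        if not crc_ok(on_tape):
            raise CheckCondition("read-while-write verification failed")
        self.tape.append(on_tape)
        return len(self.tape) - 1

    def verify(self):
        """In-drive verify: no data leaves the drive, only the bad block list."""
        return [i for i, blk in enumerate(self.tape) if not crc_ok(blk)]

    def read(self, index):
        if not crc_ok(self.tape[index]):
            raise CheckCondition(f"read error on block {index}")
        return self.tape[index]  # CRC still attached for the server's check


def write_with_redrive(drive, block, channel, attempts=3):
    """`channel(protected, attempt)` models the server-to-drive link."""
    protected = server_protect(block)
    for attempt in range(attempts):
        try:
            return drive.write(channel(protected, attempt))
        except CheckCondition:
            continue  # re-drive the same block
    raise CheckCondition("permanent error: retries exhausted")


if __name__ == "__main__":
    drive = Drive()
    block = b"AIP logical block " * 64  # constructed sample payload
    noisy_once = lambda p, attempt: flip_bit(p, 12) if attempt == 0 else p
    idx = write_with_redrive(drive, block, noisy_once)
    print("round trip intact:", server_receive(drive.read(idx)) == block)
    drive.tape[idx] = flip_bit(drive.tape[idx], 999)  # bit flip after writing
    print("blocks failing in-drive verify:", drive.verify())
```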
Unfortunately, continuously ensuring data integrity of a DRPS AIP does not end once the AIP has been written correctly to tape. We must assume that bits will flip after being written correctly to tape. As we discussed earlier, the USC Shoah Foundation Institute has seen a 10^-14 bit error rate, and we have also when we recently validated our entire tape archive. Therefore, we believe that all written tapes in the archive must be read periodically to find and correct bit flips that have occurred since the tapes were written correctly.
Unfortunately, reading all the tapes in the archive in order to stage AIPs to disk so servers can check the fixity information is clearly a resource intensive task—especially for an archive with a capacity measured in hundreds of petabytes! Fortunately, IBM LTO-5 and TS1140 tape drives provide a much more efficient solution. During a “Verify” operation, IBM LTO-5 and TS1140 drives perform data integrity validation in-drive, which means a drive reads a tape and concurrently checks the three logical block CRCs and ECCs discussed previously at full line speed. Good or bad status is reported as soon as these internal checks are completed. And this is done without requiring any other resources! Clearly, this advanced capability enhances the ability of DRPS to perform periodic data integrity validations of the entire archive more frequently, which will facilitate the correction of bit flips after AIPs are written correctly to tape.
To summarize my presentation, fixity information is the key to archive data integrity. For the Church History Department’s Digital Records Preservation System, SHA-1 fixity values ensure data integrity all the way from the producer to StorageGRID archive nodes. From there, TSM end-to-end logical block protection takes over to ensure data integrity until the data is correctly written to tape. And finally, the new in-drive data integrity validation capability of IBM tape drives enables DRPS to perform periodic data integrity checks of the entire archive to provide continuous data integrity.
Sizing bit errors in your digital archive may be somewhat difficult. I heard from a tape vendor at a recent preservation conference that tape exhibits a 10^-19 bit error rate. This rate is optimistic, however, compared to the results we recently encountered when we performed a data integrity validation of our entire DRPS archive. We realized a 3.3x10^-14 bit error rate—which is five orders of magnitude higher than the vendor claim! 10^-19 is also higher than what I encountered when I visited the University of Southern California’s Shoah Foundation Institute in 2009. But first, some background on this Institute. It was established by Steve Spielberg, the great film producer, after he finished filming Schindler’s List. Shoah is the Hebrew term for Holocaust. More than 51,000 interviews of Holocaust survivors and other witnesses have been videotaped by the Shoah Institute. Currently, 87% of the 204,000+ Betacam SP master tapes have been converted to Motion JPEG 2000 preservation masters. When I visited the Institute in 2009, the tape archive capacity was 8 petabytes. Sam Gustman, the CTO of the Shoah Foundation Institute, told me that his team had encountered 1500 bit flips in those 8 petabytes. This translates to a bit error rate of 2.3x10^-14—also five orders of magnitude higher than the vendor claim! I believe these real life measurements provide credible guidance for tape archives.