Preparing nodes for a Kaspersky Security Center Linux failover cluster

Prepare two computers to work as the active and passive nodes of the Kaspersky Security Center Linux failover cluster.

To prepare nodes for the Kaspersky Security Center Linux failover cluster:

  1. Make sure that you have two computers that meet the hardware and software requirements. These computers will act as the active and passive nodes of the failover cluster.
  2. To make the nodes function as NFS clients, install the nfs-utils package on each node.

    Run the following command:

    sudo yum install nfs-utils

  3. Create mount points by running the following commands:

    sudo mkdir -p /mnt/KlFocStateShare

    sudo mkdir -p /mnt/KlFocDataShare_klfoc

  4. Check that the shared folders can be successfully mounted. [optional step]

    Run the following commands:

    sudo mount -t nfs -o vers=4,soft,auto,user,rw {server}:{path to the KlFocStateShare folder} /mnt/KlFocStateShare

    sudo mount -t nfs -o vers=4,noauto,user,rw {server}:{path to the KlFocDataShare_klfoc folder} /mnt/KlFocDataShare_klfoc

    Here, {server}:{path to the KlFocStateShare folder} and {server}:{path to the KlFocDataShare_klfoc folder} are the network paths to the shared folders on the file server.

    After the shared folders have been successfully mounted, unmount them by running the following commands:

    sudo umount /mnt/KlFocStateShare

    sudo umount /mnt/KlFocDataShare_klfoc

  5. Match the mount points and the shared folders:

    sudo vi /etc/fstab

    {server}:{path to the KlFocStateShare folder} /mnt/KlFocStateShare nfs vers=4,soft,timeo=50,retrans=2,auto,user,rw 0 0

    {server}:{path to the KlFocDataShare_klfoc folder} /mnt/KlFocDataShare_klfoc nfs vers=4,noauto,user,rw,exec 0 0

    Here, {server}:{path to the KlFocStateShare folder} and {server}:{path to the KlFocDataShare_klfoc folder} are the network paths to the shared folders on the file server.

  6. Restart both nodes.
  7. Mount the shared folders by running the following commands:

    mount /mnt/KlFocStateShare

    mount /mnt/KlFocDataShare_klfoc

  8. Ensure that the permissions to access the shared folders belong to ksc:kladmins.

    Run the following command:

    sudo ls -la /mnt/

  9. On each of the nodes, configure a secondary network adapter.

    A secondary network adapter can be physical or virtual. If you want to use a physical network adapter, connect and configure it with standard operating system tools. If you want to use a virtual network adapter, create it by using third-party software.

    Do one of the following:

    • Use a virtual network adapter.
      1. Use the following command to check that NetworkManager is used to manage the physical adapter:

        nmcli device status

        If the physical adapter is shown as unmanaged in the output, configure NetworkManager to manage the physical adapter. The exact configuration steps depend on your distribution.

      2. Use the following command to identify interfaces:

        ip a

      3. Create a new configuration profile:

        nmcli connection add type macvlan dev <physical interface> mode bridge ifname <virtual interface> ipv4.addresses <address mask> ipv4.method manual autoconnect no

    • Use a physical network adapter or a hypervisor. In this scenario, disable the software NetworkManager.
      1. Delete NetworkManager connections for the target interface:

        nmcli con del <connection name>

        Use the following command to check if the target interface has connections:

        nmcli con show

      2. Edit the NetworkManager.conf file. Locate the keyfile section and assign the target interface to the unmanaged-devices parameter.

        [keyfile]

        unmanaged-devices=interface-name:<interface name>

      3. Restart NetworkManager:

        systemctl reload NetworkManager

        Use the following command to verify that the target interface is unmanaged:

        nmcli dev status

    • Use a third-party load balancer. For example, you can use an nginx server. In this case, do the following:
      1. Provide a dedicated Linux-based computer with nginx installed.
      2. Configure load balancing. Set the active node as the main server, and the passive node as a backup server.
      3. On the nginx server, open all of the Administration Server ports: TCP 13000, UDP 13000, TCP 13299, TCP 17000.

        If you want to use the klakaut utility for automation, you must also open the TCP 13291 port.

The nodes are prepared. To deploy Kaspersky Security Center Linux failover cluster, follow the further instructions of the scenario.

See also:

About Kaspersky Security Center Linux failover cluster

Scenario: Deployment of Kaspersky Security Center Linux failover cluster
Page top