About Kaspersky Security Center Linux failover cluster
A Kaspersky Security Center Linux failover cluster provides high availability of Kaspersky Security Center Linux and minimizes downtime of Administration Server in case of a failure. The failover cluster is based on two identical instances of Kaspersky Security Center Linux installed on two computers. One of the instances works as an active node and the other one is a passive node. The active node manages protection of the client devices, while the passive one is prepared to take all of the functions of the active node in case the active node fails. When a failure occurs, the passive node becomes active and the active node becomes passive.
In a Kaspersky Security Center Linux failover cluster, all Kaspersky Security Center Linux services are managed automatically. Do not try to restart the services manually.
Use the syslog feature for troubleshooting.
Hardware and software requirements
To deploy a Kaspersky Security Center Linux failover cluster, you must have the following hardware:
- Two devices with identical hardware and software. These devices will act as the active and passive nodes.
Configuration of devices that will act as the active and passive nodes
Hardware
Value
CPU
16 cores, 2500 MHz
RAM
32 GB
Disk space
500 GB, 300 IOPS or higher
Network interface controller
1 Gbps
- A file server running Linux, with the EXT4 file system. You must provide a dedicated device that will act as a file server.
Configuration of a file server
Hardware
Value
CPU
16 cores, 2500 MHz
RAM
32 GB
Disk space
500 GB, 500 IOPS or higher
Network interface controller
10 Gbps
Make sure you have provided high network bandwidth between the file server, and the active and passive nodes.
- A device with a supported Database Management System (DBMS) or DBMS cluster.
Among highly available DBMSs, Kaspersky Security Center Linux failover cluster supports MariaDB Galera Cluster, Postgres Pro Enterprise. If you use a highly available cluster DBMS, a dedicated device for this purpose is not required.
Failover cluster deployment fails when you have either both arping and iputils-arping packages or only the arping package installed. Before deploying a failover cluster, ensure that you only have the iputils-arping package installed on both nodes.
Deployment schemes
You can choose one of the following schemes to deploy Kaspersky Security Center Linux failover cluster:
- A scheme that uses a secondary network adapter and a DBMS installed on a dedicated device.
- A scheme that uses a secondary network adapter and MariaDB Galera Cluster as a DBMS.
- A scheme that uses a third-party load balancer and a DBMS installed on a dedicated device.
- A scheme that uses a third-party load balancer and MariaDB Galera Cluster as a DBMS.
A scheme that uses a secondary network adapter and a DBMS installed on a dedicated device
A scheme that uses a secondary network adapter and a DBMS installed on a dedicated device
Scheme legend:
Administration Server sends data to the database. Open the necessary ports on the device where the database is located, for example, port 3306 for MySQL Server, or port 5432 for PostgreSQL or Postgres Pro. Please refer to the DBMS documentation for the relevant information.
On the managed devices, open the following ports: TCP 13000, UDP 13000, and TCP 17000.
A device with Database Management System (DBMS). If you use MariaDB Galera Cluster as a DBMS, a dedicated device for this purpose is not required. Install MariaDB Galera Cluster on each of the nodes.
A scheme that uses a secondary network adapter and MariaDB Galera Cluster as a DBMS
A scheme that uses a secondary network adapter and MariaDB Galera Cluster as a DBMS
Scheme legend:
On the managed devices, open the following ports: TCP 13000, UDP 13000, and TCP 17000.
A highly available Database Management System (DBMS), for example MariaDB Galera Cluster. Install a highly available DBMS on each of the nodes.
A scheme that uses a third-party load balancer and a DBMS installed on a dedicated device
A scheme that uses a third-party load balancer and a DBMS installed on a dedicated device
Scheme legend:
On the load balancer device, open all of the Administration Server ports: TCP 13000, UDP 13000, TCP 13299, and TCP 17000.
If you want to use the klakaut utility for automation, you must also open the TCP 13291 port.
On the managed devices, open the following ports: TCP 13000, UDP 13000, and TCP 17000.
Administration Server sends data to the database. Open the necessary ports on the device where the database is located, for example, port 3306 for MySQL Server, or port 5432 for PostgreSQL or Postgres Pro. Please refer to the DBMS documentation for the relevant information.
A device with Database Management System (DBMS). If you use MariaDB Galera Cluster as a DBMS, a dedicated device for this purpose is not required. Install MariaDB Galera Cluster on each of the nodes.
A scheme that uses a third-party load balancer and MariaDB Galera Cluster as a DBMS
A scheme that uses a third-party load balancer and MariaDB Galera Cluster as a DBMS
Scheme legend:
On the load balancer device, open all of the Administration Server ports: TCP 13000, UDP 13000, TCP 13299, and TCP 17000.
If you want to use the klakaut utility for automation, you must also open the TCP 13291 port.
On the managed devices, open the following ports: TCP 13000, UDP 13000, and TCP 17000.
A highly available Database Management System (DBMS), for example MariaDB Galera Cluster. Install a highly available DBMS on each of the nodes.
Switch conditions
The failover cluster switches protection management of the client devices from the active node to the passive one, if any of the following events occurs on the active node:
- The active node is broken due to a software or hardware failure.
- The active node was temporarily stopped for maintenance activities.
- At least one of the Kaspersky Security Center Linux services (or processes) failed or was deliberately terminated by user. The Kaspersky Security Center Linux services are the following ones: kladminserver, klnagent, klactprx, and klwebsrv.
- The network connection between the active node and the storage on the file server was interrupted or terminated.