Preparing nodes for a Kaspersky Security Center Linux failover cluster

Prepare two devices to work as the active and passive nodes of the Kaspersky Security Center Linux failover cluster.

Failover cluster deployment fails when you have either both arping and iputils-arping packages or only the arping package installed. Before deploying a failover cluster, ensure that you only have the iputils-arping package installed on both nodes.

To prepare nodes for the Kaspersky Security Center Linux failover cluster:

Make sure that you have two devices that meet the hardware and software requirements. These devices will act as the active and passive nodes of the failover cluster.
Depending on your Linux distribution, install either nfs-utils package or nfs-kernel-server package on each node by running the corresponding command:
sudo yum install nfs-utils

sudo apt install nfs-kernel-server
Create mount points by running the following commands:
sudo mkdir -p /mnt/KlFocStateShare

sudo mkdir -p /mnt/KlFocDataShare_klfoc
Match the mount points and the shared folders:
sudo sh -c "echo {server}:{path to the KlFocStateShare folder} /mnt/KlFocStateShare nfs vers=4,soft,timeo=50,retrans=2,auto,user,rw 0 0 >> /etc/fstab"

sudo sh -c "echo {server}:{path to the KlFocDataShare_klfoc folder} /mnt/KlFocDataShare_klfoc nfs vers=4,noauto,user,rw,exec 0 0 >> /etc/fstab"

Here, {server}:{path to the KlFocStateShare folder} and {server}:{path to the KlFocDataShare_klfoc folder} are the network paths to the shared folders on the file server.
Mount the shared folders by running the following commands:
mount /mnt/KlFocStateShare

mount /mnt/KlFocDataShare_klfoc
Ensure that the permissions to access the shared folders belong to ksc:kladmins.
Run the following command:

sudo ls -la /mnt/
On each of the nodes, configure a secondary network adapter.
A secondary network adapter can be physical or virtual. If you want to use a physical network adapter, connect and configure it with standard operating system tools. If you want to use a virtual network adapter, create it by using third-party software.

Do one of the following:
- Use a virtual network adapter.
  1. Use the following command to check that NetworkManager is used to manage the physical adapter:
    nmcli device status
    
    If the physical adapter is shown as unmanaged in the output, configure NetworkManager to manage the physical adapter. The exact configuration steps depend on your distribution.
  2. Use the following command to identify interfaces:
    ip a
  3. Create a new configuration profile:
    nmcli connection add type macvlan dev <physical interface> mode bridge ifname <virtual interface> ipv4.addresses <address mask> ipv4.method manual autoconnect no
- Use a physical network adapter or a hypervisor. In this scenario, disable the software NetworkManager.
  1. Delete NetworkManager connections for the target interface:
    nmcli con del <connection name>
    
    Use the following command to check if the target interface has connections:
    
    nmcli con show
  2. Edit the NetworkManager.conf file. Locate the keyfile section and assign the target interface to the unmanaged-devices parameter.
    [keyfile]
    
    unmanaged-devices=interface-name:<interface name>
  3. Restart NetworkManager:
    systemctl reload NetworkManager
    
    Use the following command to verify that the target interface is unmanaged:
    
    nmcli dev status
- Use a third-party load balancer. For example, you can use an nginx server. In this case, do the following:
  1. Provide a dedicated Linux-based device with nginx installed.
  2. Configure load balancing. Set the active node as the main server, and the passive node as a backup server.
  3. On the nginx server, open all of the Administration Server ports: TCP 13000, UDP 13000, TCP 13299, TCP 17000.
    If you want to use the klakaut utility for automation, you must also open the TCP 13291 port.

The nodes are prepared. To deploy Kaspersky Security Center Linux failover cluster, follow the further instructions of the scenario.