Preparing nodes for a Kaspersky Security Center Linux failover cluster

Before continuing, ensure that you completed the previous steps in the Scenario: Deployment of Kaspersky failover cluster.

Prepare two devices to work as the active and passive nodes of the Kaspersky Security Center Linux failover cluster.

Common folders configuration

To configure common folders:

Depending on your Linux distribution, install either nfs-utils package or nfs-kernel-server package on each node by running the corresponding command:
yum install nfs-utils

apt install nfs-kernel-server
Create mount points by running the following commands:
mkdir -p /mnt/KlFocStateShare

mkdir -p /mnt/KlFocDataShare_klfoc
Match the mount points and the shared folders:
sudo sh -c "echo <file server>:/mnt/KlFocStateShare /mnt/KlFocStateShare nfs vers=4,soft,timeo=50,retrans=2,auto,user,rw 0 0 >> /etc/fstab"

sudo sh -c "echo <file server>:/mnt/KlFocDataShare_klfoc /mnt/KlFocDataShare_klfoc nfs vers=4,noauto,user,rw,exec 0 0 >> /etc/fstab"

Where, {file server} is the FQDN of the file server with shared folders.
Mount the shared folders by running the following commands:
mount /mnt/KlFocStateShare

mount /mnt/KlFocDataShare_klfoc
Ensure that the permissions to access the shared folders belong to ksc:kladmins.
Run the following command:

ls -la /mnt/

Network adapters configuration

A secondary network adapter can be physical or virtual. If you chose a deployment schema with a secondary network adapter, perform the corresponding procedure on both nodes:

Use a virtual secondary network adapter based on a physical network adapter (the MACVLAN technology):
1. Install the iputils-arping package. Depending on your Linux distributive, run either of the following commands:
  - yum install iputils
  or
  - apt install iputils-arping
2. To ensure that NetworkManager is used to manage the physical network adapter, run the following command:
  nmcli device status
  
  If the command output shows the physical network adapter as not being managed, configure the NetworkManager to manage the physical network adapter. The exact configuration steps depend on your Linux distributive.
3. To identify interfaces, use the following command:
  ip a
4. To create a configuration profile, run the following command:
  nmcli connection add type macvlan dev <physical interface> mode bridge ifname <virtual interface> ipv4.addresses <address mask> ipv4.method manual autoconnect no
Use a physical secondary network adapter or create a virtual TAP device using a hypervisor. In this scenario, disable the NetworkManager software.
1. Connect the secondary network adapter to a node.
2. Install the iputils-arping package. Depending on your Linux distributive, run either of the following commands:
  - yum install iputils
  or
  - apt install iputils-arping
3. To delete the NetworkManager connection for the target interface, run the following command:
  nmcli con del <connection name>
  
  To check connections to the target interface, run the following command:
  
  nmcli con show
4. Modify the NetworkManager.conf file. Locate the key file section and assign the target interface to the unmanaged-devices parameter:
  [keyfile]
  
  unmanaged-devices=interface-name:<interface name>
5. Restart the NetworkManager:
  systemctl reload NetworkManager
  
  To ensure that the target interface is no longer managed, run the following command:
  
  nmcli dev status

Load balancer configuration

If you chose a deployment schema with a load balancer, follow the instruction below to configure it.

To configure the load balancer:

Prepare a dedicated Linux-based device with nginx or another load balancer installed.
Configure load balancing. Set the active node as the main server, and the passive node as a backup server.
On the nginx server, open all of the Administration Server ports according to the following article: Ports used by Kaspersky Security Center Linux.

To deploy Kaspersky Security Center Linux failover cluster, follow the further instructions of the scenario.

The availability of the failover cluster nodes should be determined by the availability of the main connection ports to the Administration Server. The passive node does not accept any external connections until a switch occurs.