Preparing nodes for a Kaspersky Security Center Linux failover cluster

Before continuing, ensure that you completed the previous steps in the Scenario: Deployment of Kaspersky failover cluster.

Prepare two devices to work as the active and passive nodes of the Kaspersky Security Center Linux failover cluster.

Common folders configuration

Depending on your Linux distribution, install either nfs-utils package or nfs-kernel-server package on each node by running the corresponding command:
sudo yum install nfs-utils

sudo apt install nfs-kernel-server
Create mount points by running the following commands:
sudo mkdir -p /mnt/KlFocStateShare

sudo mkdir -p /mnt/KlFocDataShare_klfoc
Match the mount points and the shared folders:
sudo sh -c "echo {file server}:/mnt/KlFocStateShare /mnt/KlFocStateShare nfs vers=4,soft,timeo=50,retrans=2,auto,user,rw 0 0 >> /etc/fstab"

sudo sh -c "echo {file server}:/mnt/KlFocDataShare_klfoc /mnt/KlFocDataShare_klfoc nfs vers=4,noauto,user,rw,exec 0 0 >> /etc/fstab"

Here, {file server} is the FQDN of the file server with shared folders.
Mount the shared folders by running the following commands:
mount /mnt/KlFocStateShare

mount /mnt/KlFocDataShare_klfoc
Ensure that the permissions to access the shared folders belong to ksc:kladmins.
Run the following command:

sudo ls -la /mnt/

Network adapters configuration

A secondary network adapter can be physical or virtual. If you chose a deployment schema with a secondary network adapter, perform the corresponding procedure on both nodes:

Use a virtual secondary network adapter based on a physical network adapter (the MACVLAN technology):
1. Install the iputils-arping package. Depending on your Linux distributive, run either of the following commands:
  - sudo yum install iputils
  or
  - apt install iputils-arping
2. Run the following command to ensure that NetworkManager is used to manage the physical network adapter:
  nmcli device status
  
  If the command output shows the physical network adapter as not being managed, configure the NetworkManager to manage the physical network adapter. The exact configuration steps depend on your Linux distributive.
3. Use the following command to identify interfaces:
  ip a
4. Run the following command to create a configuration profile:
  nmcli connection add type macvlan dev <physical interface> mode bridge ifname <virtual interface> ipv4.addresses <address mask> ipv4.method manual autoconnect no
Use a physical secondary network adapter or create a virtual TAP device using a hypervisor. In this scenario, disable the NetworkManager software.
1. Connect the secondary network adapter to a node.
2. Install the iputils-arping package. Depending on your Linux distributive, run either of the following commands:
  - sudo yum install iputils
  or
  - apt install iputils-arping
3. Run the following command to delete the NetworkManager connection for the target interface:
  nmcli con del <connection name>
  
  Use the following command to check connections to the target interface:
  
  nmcli con show
4. Modify the NetworkManager.conf file. Locate the key file section and assign the target interface to the unmanaged-devices parameter:
  [keyfile]
  
  unmanaged-devices=interface-name:<interface name>
5. Restart the NetworkManager:
  systemctl reload NetworkManager
  
  Use the following command to ensure that the target interface is no longer managed:
  
  nmcli dev status

Load balancer configuration

If you chose a deployment schema with a load balancer, perform the following steps:

Prepare a dedicated Linux-based device with nginx or another load balancer installed.
Configure load balancing. Set the active node as the main server, and the passive node as a backup server.
On the nginx server, open all of the Administration Server ports according to the following article: Ports used by Kaspersky Security Center Linux.

To deploy Kaspersky Security Center Linux failover cluster, follow the further instructions of the scenario.

The availability of the failover cluster nodes should be determined by the availability of the main connection ports to the Administration Server. The passive node does not accept any external connections until a switch occurs.