A Kaspersky Security Center Linux failover cluster provides high availability of Kaspersky Security Center Linux and minimizes downtime of Administration Server in case of a failure. The failover cluster is based on two identical instances of Kaspersky Security Center Linux installed on two computers. One of the instances works as an active node and the other one is a passive node. The active node manages protection of the client devices, while the passive one is prepared to take all of the functions of the active node in case the active node fails. When a failure occurs, the passive node becomes active and the active node becomes passive.
Kaspersky applications deployment proceeds in stages:
It is recommended to follow the sequence of stages described in this scenario.
Ensure that you have the hardware that meets the requirements for the failover cluster.
Choose the deployment schema. This affects the next stages of deployment.
Perform the following steps on the active node, passive node and file server:
Create the kladmins group. Run the following commands:
sudo groupadd kladmins
sudo groupmod -g <new_GID> kladmins
Ensure that the group has the same GID on all three devices. Run the following command:
getent group kladmins
If the GIDs do not match, you can use the following command to specify the GID:
sudo groupmod -g <new_GID> kladmins
Create the ksc user account. Assign the user account to the kladmins group. Run the following commands:
sudo adduser ksc
sudo usermod -u <new_UID> ksc
sudo gpasswd -a ksc kladmins
sudo usermod -g kladmins ksc
Ensure that the user account has the same UID on all three devices. Run the following command:
getent passwd ksc
If the UIDs do not match, you can use the following command to specify the UID:
sudo usermod -u <new_UID> ksc
Create the rightless user account. Assign the user account to the kladmins group. Run the following commands:
sudo adduser rightless
sudo usermod -u <new_UID> rightless
sudo gpasswd -a rightless kladmins
sudo usermod -g kladmins rightless
Ensure that the user account has the same UID on all three devices. Run the following command:
getent passwd rightless
If the UIDs do not match, you can use the following command to specify the UID:
sudo usermod -u <new_UID> rightless
ksc soft nofile <max_number_of_opened_files>
ksc hard nofile <max_number_of_opened_files>
By default, the file descriptor limits are specified during the installation. The soft file limit is 32 768 files, the hard file limit is 131 072 files.
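The GID and UID checks above can be run in one pass once the getent output from all three devices is collected. The following script is an added example, not part of the Kaspersky documentation; the host names, the host|db|entry input format and the sample IDs are constructed for illustration.

```shell
#!/bin/sh
# Added example. Input on stdin, one line per lookup: "<host>|<db>|<getent line>"
# where <db> is "group" or "passwd". Collecting the lines is up to the operator.
check_ids() {
    awk -F'|' '
    {
        split($3, f, ":"); key = $2 ":" f[1]   # f[3] is the GID (group) or UID (passwd)
        if (!(key in id)) { id[key] = f[3]; src[key] = $1 }
        else if (id[key] != f[3]) {
            printf "MISMATCH %s %s=%s %s=%s\n", key, src[key], id[key], $1, f[3]
            bad = 1
        }
        if (key == "group:kladmins") gid[$1] = f[3]
        if ($2 == "passwd") pgid[$1 SUBSEP f[1]] = f[4]   # primary GID of the account
    }
    END {
        # usermod -g kladmins makes kladmins the primary group; confirm it per host.
        for (k in pgid) {
            split(k, p, SUBSEP)
            if (pgid[k] != gid[p[1]]) {
                printf "PRIMARY-GROUP %s on %s is %s, kladmins is %s\n", p[2], p[1], pgid[k], gid[p[1]]
                bad = 1
            }
        }
        exit bad + 0
    }'
}

# Constructed sample data. $1 = UID of ksc on the file server, $2 = primary GID
# of rightless on node-b; "sample 1501 1500" is the consistent case.
sample() {
    cat <<EOF
node-a|group|kladmins:x:1500:
node-b|group|kladmins:x:1500:
fileserver|group|kladmins:x:1500:
node-a|passwd|ksc:x:1501:1500::/home/ksc:/bin/bash
node-b|passwd|ksc:x:1501:1500::/home/ksc:/bin/bash
fileserver|passwd|ksc:x:$1:1500::/home/ksc:/bin/bash
node-a|passwd|rightless:x:1502:1500::/home/rightless:/bin/bash
node-b|passwd|rightless:x:1502:$2::/home/rightless:/bin/bash
fileserver|passwd|rightless:x:1502:1500::/home/rightless:/bin/bash
EOF
}

sample 1001 100 | check_ids || echo "fix with groupmod -g / usermod -u, then re-check"
```

The function exits with status 0 only when every ID matches across the devices and kladmins is the primary group of both accounts on each device.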
Prepare the file server to work as a component of Kaspersky Security Center Linux failover cluster. Make sure that the file server meets the hardware and software requirements, create two shared folders for Kaspersky Security Center Linux data, and configure permissions to access the shared folders.
How-to instructions: Preparing a file server for Kaspersky Security Center Linux failover cluster
Install the DBMS for Kaspersky Security Center Linux. You can choose one of the supported DBMSs. For information about how to install the selected DBMS, refer to its documentation.
If the distribution of your Linux-based operating system does not contain a supported DBMS, you can install the DBMS from a third-party package repository.
After installing the DBMS, follow the corresponding instruction:
On the device with the DBMS installed, configure the connection to the devices that will work as the active and passive nodes.
Prepare two devices with identical hardware and software to work as the active and passive nodes.
How-to instructions: Preparing nodes for Kaspersky Security Center Linux failover cluster
Install Kaspersky Security Center Linux in the failover cluster mode on both nodes.
You must first install Kaspersky Security Center Linux on the device that you want to be the active node, and then install it on the passive one.
How-to instructions: Installing Kaspersky Security Center Linux on the Kaspersky Security Center Linux failover cluster nodes.
Install Kaspersky Security Center Web Console on a separate device that is not a cluster node.
Specify the failover cluster as the Administration Server address in the answer file.
The Administration Server certificate is located at the following path: /mnt/KlFocDataShare_klfoc/1093/cert/klserver.cer
Copy the certificate file to the device on which Kaspersky Security Center Web Console is being installed. Specify the local path to the certificate in the answer file.
Check that you configured the failover cluster correctly and it works properly. For example, you can run the following command to initiate switching to the passive node:
/opt/kaspersky/ksc64/sbin/klfoc -failover --stp klfoc
Use the following command to verify that the failover cluster management service is Active: active (running) on both nodes:
systemctl status klfocsvc_klfoc
Use the following commands to verify that the other failover cluster services are Active: active (running) on the active node. On the passive node, these failover cluster services must be Active: inactive (dead) or Active: failed (Result: signal).
systemctl status klnagent_klfoc
systemctl status kladminserver_klfoc
systemctl status klactprx_klfoc
systemctl status klwebsrv_klfoc
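The service checks above, combined into one pass over both nodes (an added example, not part of the Kaspersky documentation). The node names and sample states are constructed, and the script relies on systemctl is-active, which prints active, inactive or failed but not the Result value, so a failed unit on the passive node should still be inspected with systemctl status.

```shell
#!/bin/sh
# Added example. Input on stdin: "<node> <unit> <state>", where <state> is the
# word printed by "systemctl is-active <unit>" on that node.
UNITS="klfocsvc_klfoc klnagent_klfoc kladminserver_klfoc klactprx_klfoc klwebsrv_klfoc"

# Run on each node to produce its input lines (needs systemd; not called below).
collect() {
    for u in $UNITS; do
        echo "$(hostname) $u $(systemctl is-active "$u")"
    done
}

check_cluster() {
    awk '
    { nodes[$1] }
    $2 == "klfocsvc_klfoc" { mgmt[$1] = $3; next }   # must be active on both nodes
    { total[$1]++ }
    $3 == "active" { up[$1]++ }
    $3 == "inactive" || $3 == "failed" { down[$1]++ }
    END {
        for (n in nodes) {
            role = "INCONSISTENT"
            if (mgmt[n] == "active" && total[n] == 4) {
                if (up[n] == 4) { role = "active"; a++ }
                else if (down[n] == 4) { role = "passive"; p++ }
            }
            print n, role
        }
        exit !(a == 1 && p == 1)   # exactly one active and one passive node
    }'
}

# Constructed sample. $1 = state of kladminserver_klfoc on node-b.
sample() {
    cat <<EOF
node-a klfocsvc_klfoc active
node-a klnagent_klfoc active
node-a kladminserver_klfoc active
node-a klactprx_klfoc active
node-a klwebsrv_klfoc active
node-b klfocsvc_klfoc active
node-b klnagent_klfoc inactive
node-b kladminserver_klfoc $1
node-b klactprx_klfoc failed
node-b klwebsrv_klfoc inactive
EOF
}

sample failed | check_cluster
```

A node reported as INCONSISTENT has a mix of running and stopped services or a stopped management service, which is the state to investigate before relying on the cluster.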
Kaspersky Security Center Linux failover cluster is deployed.