Preparing nodes for a Kaspersky Security Center Linux failover cluster

Prepare two computers to work as the active and passive nodes of the Kaspersky Security Center Linux failover cluster.

To prepare nodes for the Kaspersky Security Center Linux failover cluster:

  1. Make sure that you have two computers that meet the hardware and software requirements. These computers will act as the active and passive nodes of the failover cluster.
  2. Depending on your Linux distribution, install either the nfs-utils package or the nfs-kernel-server package on each node by running the corresponding command:

    sudo yum install nfs-utils

    sudo apt install nfs-kernel-server

  3. Create mount points by running the following commands:

    sudo mkdir -p /mnt/KlFocStateShare

    sudo mkdir -p /mnt/KlFocDataShare_klfoc

  4. Match the mount points and the shared folders:

    sudo sh -c "echo {server}:{path to the KlFocStateShare folder} /mnt/KlFocStateShare nfs vers=4,nolock,local_lock=none,auto,user,rw 0 0 >> /etc/fstab"

    sudo sh -c "echo {server}:{path to the KlFocDataShare_klfoc folder} /mnt/KlFocDataShare_klfoc nfs vers=4,nolock,local_lock=none,noauto,user,rw,exec 0 0 >> /etc/fstab"

    Here, {server}:{path to the KlFocStateShare folder} and {server}:{path to the KlFocDataShare_klfoc folder} are the network paths to the shared folders on the file server.

  5. Mount the shared folders by running the following commands:

    mount /mnt/KlFocStateShare

    mount /mnt/KlFocDataShare_klfoc

  6. Ensure that the shared folders are owned by ksc:kladmins.

    To check the ownership, run the following command:

    sudo ls -la /mnt/

  7. On each of the nodes, configure a secondary network adapter.

    A secondary network adapter can be physical or virtual. If you want to use a physical network adapter, connect and configure it with standard operating system tools. If you want to use a virtual network adapter, create it by using third-party software.

    Do one of the following:

    • Use a virtual network adapter.
      1. Use the following command to check that NetworkManager is used to manage the physical adapter:

        nmcli device status

        If the physical adapter is shown as unmanaged in the output, configure NetworkManager to manage the physical adapter. The exact configuration steps depend on your distribution.

      2. Use the following command to identify interfaces:

        ip a

      3. Create a new configuration profile:

        nmcli connection add type macvlan dev <physical interface> mode bridge ifname <virtual interface> ipv4.addresses <address mask> ipv4.method manual autoconnect no

    • Use a physical network adapter or a hypervisor. In this scenario, disable NetworkManager for the target interface.
      1. Delete NetworkManager connections for the target interface:

        nmcli con del <connection name>

        Use the following command to check if the target interface has connections:

        nmcli con show

      2. Edit the NetworkManager.conf file. Locate the keyfile section and assign the target interface to the unmanaged-devices parameter.

        [keyfile]

        unmanaged-devices=interface-name:<interface name>

      3. Reload NetworkManager to apply the change:

        systemctl reload NetworkManager

        Use the following command to verify that the target interface is unmanaged:

        nmcli dev status

    • Use a third-party load balancer. For example, you can use an nginx server. In this case, do the following:
      1. Provide a dedicated Linux-based computer with nginx installed.
      2. Configure load balancing. Set the active node as the main server, and the passive node as a backup server.
      3. On the nginx server, open all of the Administration Server ports: TCP 13000, UDP 13000, TCP 13291, TCP 13299, TCP 17000.

The nodes are prepared. To deploy the Kaspersky Security Center Linux failover cluster, follow the remaining instructions of the scenario.
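The following check script is an added example, not part of the Kaspersky documentation. It verifies on a node that the /etc/fstab entries from step 4 carry the listed mount options and that the mount points are owned by ksc:kladmins as required in step 6. It also flags an explicit suid or dev option, because mount(8) treats user as implying nosuid and nodev unless a later option overrides it. The function names are hypothetical.

```shell
#!/bin/sh
# Added example (not Kaspersky code). Function names are hypothetical.

# Print the options field of the entry for mount point $2 in fstab file $1.
fstab_opts() {
    awk -v mp="$2" '$1 !~ /^#/ && $2 == mp { print $4; found = 1; exit }
                    END { exit !found }' "$1"
}

# Succeed if the comma-separated option list $1 contains option $2 exactly.
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; *) return 1 ;; esac
}

# $1: fstab file, $2: mount point, $3: space-separated required options.
check_entry() {
    opts=$(fstab_opts "$1" "$2") || { echo "FAIL: no fstab entry for $2"; return 1; }
    rc=0
    for want in $3; do
        if ! has_opt "$opts" "$want"; then echo "FAIL: $2 lacks '$want'"; rc=1; fi
    done
    # 'user' implies nosuid and nodev; an explicit suid or dev would undo that.
    for bad in suid dev; do
        if has_opt "$opts" "$bad"; then echo "FAIL: $2 sets '$bad'"; rc=1; fi
    done
    return $rc
}

# Succeed if directory $1 is owned by user:group $2 (uses GNU stat).
check_owner() {
    owner=$(stat -c '%U:%G' "$1") || return 1
    if [ "$owner" != "$2" ]; then
        echo "FAIL: $1 is owned by $owner, expected $2"; return 1
    fi
}

# Run all checks for one node; $1 is the fstab path (default /etc/fstab).
check_node() {
    f=${1:-/etc/fstab}; rc_node=0
    common="vers=4 nolock local_lock=none user rw"
    check_entry "$f" /mnt/KlFocStateShare "$common auto" || rc_node=1
    check_entry "$f" /mnt/KlFocDataShare_klfoc "$common noauto exec" || rc_node=1
    for d in /mnt/KlFocStateShare /mnt/KlFocDataShare_klfoc; do
        check_owner "$d" ksc:kladmins || rc_node=1
    done
    return $rc_node
}
```

Source the file on each node after step 6 and call check_node; it prints one FAIL line per problem and returns a non-zero status if any check fails.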

See also:

About Kaspersky Security Center Linux failover cluster

Scenario: Deployment of Kaspersky Security Center Linux failover cluster
