--- canonical: https://safekit.evidian.com/wp-content/uploads/downloads_safekit/version-82/safekituserguidehtml/documentation/safekituserguideen.htm --- # 2. Installation ![*](safekituserguideen_fichiers/image001.png)       Section 2.1 “SafeKit install” ![*](safekituserguideen_fichiers/image001.png)       Section 2.2 “Mirror installation recommendation” ![*](safekituserguideen_fichiers/image001.png)       Section 2.3 “Farm installation recommendation” ![*](safekituserguideen_fichiers/image001.png)       Section 2.4 “SafeKit upgrade” ![*](safekituserguideen_fichiers/image001.png)       Section 2.5 “SafeKit full uninstall” ![*](safekituserguideen_fichiers/image001.png)       Section 2.6 “SafeKit documentation” ## 2.1             SafeKit install ### 2.1.1         Download the package 1.    Connect to SafeKit product download area 2.    Go to /Platforms//Current versions 3.    Download the package | | | | --- | --- | | Windows | Two packages are available: ·         safekit\_windows\_x86\_64\_8\_2\_x\_y.msi A Windows Installer package. This package requires the Visual Studio 2022 C Runtime to be pre-installed on the system. ·         safekit\_windows\_x86\_64\_8\_2\_x\_y.exe A standalone executable bundle. It includes both the SafeKit package and the required Visual Studio 2022 C Runtime, making it suitable for systems without prior runtime installation. Choose one or the other package depending on whether the VS2022 C runtime is installed or not. | | Linux | Two files are provided: ·         safekitlinux\_x86\_64\_8\_2\_x\_y.bin A self-extractable file containing the Linux packages and associated installation script. ·         safekitlinux\_x86\_64\_8\_2\_x\_y.sha256 A file containing the SHA-256 checksum used to verify the integrity of the .bin file. | | | | --- | --- | | Commentaire, ajouter contour | You can verify the integrity of the file with the command: sha256sum -c safekitlinux\_x86\_64\_8\_2\_x\_y.sha256 | ·         Key Id (e.g. 779244d710b22ada)  The long-format identifier of the GPG public key used to sign SafeKit RPM packages starting from version 8.2.5 for Red Hat. This signature ensures that users install a verified, untampered package from Eviden. | | | | --- | --- | | Commentaire, ajouter contour | You can verify that the RPM is properly signed with SafeKit key using the command below. It displays the Key ID of the signing key. rpm -qi SafeKit-8.2.5-x.el9.x86\_64.rpm … Signature: RSA/SHA256, …, Key ID 779244d710b22ada … | | ### 2.1.2         Installation directories and disk space provisioning SafeKit is installed in: | | | | | --- | --- | --- | | SAFE | ·         in Windows SAFE=C:\safekit if %SYSTEMDRIVE%=C: ·         in Linux SAFE=/opt/safekit | Minimum free disk space: 97MB | | SAFEVAR | ·         in Windows SAFEVAR= C:\safekit\var if %SYSTEMDRIVE%=C: ·         in Linux SAFEVAR=/var/safekit | Minimum free disk space: 20MB + at least 20MB (up to 3 GB) per module for dumps |   ### 2.1.3         SafeKit install procedure #### 2.1.3.1      Install on Windows as administrator The SafeKit installation logs can be found in SAFEVAR directory. ##### 2.1.3.1.1                SafeKit package install 1.    Log-in as administrator on Windows server 2.    Locate the downloaded file safekit\_windows\_x86\_64\_8\_2\_x\_y.msi (or safekit\_windows\_x86\_64\_8\_2\_x\_y.exe) 3.    Install in interactive mode by double-clicking it and go through the installer wizard Before SafeKit 8.2.3, after installation, you need to run the firewall configuration scripts (see section 10.3) and initialize the SafeKit web service (see section 11.2.1.2). Since SafeKit 8.2.3, at the end of the SafeKit Setup, you will be asked to check or uncheck " Set console credentials and firewall rules now ". ![](safekituserguideen_fichiers/image025.png) If the box is checked, when clicking the “Finish” button: o    it configures Microsoft Windows Firewall for SafeKit. For details or other firewalls, see section 10.3. o    it opens a window to enter the password for the admin user of the SafeKit web console. ![](safekituserguideen_fichiers/image026.jpg) This step is mandatory to initialize the default configuration of the web service that requires authentication. It is initialized with the admin user and the given password pwd, for instance. It then allows access to all the web console's features, by logging in with admin/pwd, and run distributed commands. For details, see section 11.2.1. | | | | --- | --- | | Commentaire important contour | The password must be identical on all nodes that belong to the same SafeKit cluster. Otherwise, web console and distributed commands will fail with authentication errors. | **or** 3.    Install in non-interactive mode, by executing: msiexec /qn /i safekitwindows\_8\_2\_x\_y.msi Then, the firewall setup and web service initialization must be done. ##### 2.1.3.1.2                Firewall setup This step is mandatory to enable communication between the nodes of the SafeKit cluster and with the web console. No action required when firewall automatic configuration has been performed during the package install. Otherwise see section 10.3. ##### 2.1.3.1.3                Web service initialization This step is mandatory to initialize the default configuration of the web service, which is accessed by the web console and the global safekit command. The web service requires authentication to access the service. No action required when the web service initialization has been performed during the package installation. Otherwise, see section 11.2.1.2. ##### 2.1.3.1.4                Antivirus setup This step is necessary if the server's antivirus interferes with the operation of SafeKit. Since this issue (described in section 7.22) may occur sporadically but not systematically with Windows Defender, it is recommended to configure it to prevent any malfunction. Refer to section 10.6 for the list of legitimate SafeKit directories and processes that should not be affected by the antivirus. #### 2.1.3.2      Install on Linux as root Since SafeKit 8.2.6, the SafeKit installation logs are generated in /tmp/safekit directory. ##### 2.1.3.2.1                SafeKit package install 1.    Open a Shell console as root on Linux server 2.    Go to the directory that contains the downloaded file safekitlinux\_x86\_64\_8\_2\_x\_y.bin auto extractible zip file 3.    Run chmod +x safekitlinux\_x86\_64\_8\_2\_x\_y.bin 4.    Run./safekitlinux\_8\_2\_x86\_64\_x\_y.bin it extracts the package and the safekitinstall script 5.    Install in interactive mode by executing ./safekitinstall During the installation: ·         Since SafeKit 8.2.5 on Red Hat, reply to “Do you accept to import this public key (yes|no)?” SafeKit RPM packages are now GPG-signed. By replying yes, the script will automatically import the SafeKit GPG public key and will continue the installation process. If you reply no, it will be interrupted. | | | | --- | --- | | Commentaire, ajouter contour | The script displays the identifier of the key (Key Id) used to sign the RPM package. You can check this value against the official one published in the SafeKit product download area. |   | | | | --- | --- | | Commentaire, ajouter contour | The public GPG key used to sign the RPM package is extracted at the same time as the package into the file named RPM-GPG-KEY-SafeKit. You can retrieve its Key Id with the command: gpg --show-keys --no-options RPM-GPG-KEY-SafeKit (The Key Id corresponds to the last 16 characters of the pub line) | ·         reply to “Do you accept that SafeKit automatically configure the local firewall to open these ports (yes|no)?” If you answer yes, it configures firewalld or iptable Linux firewall for SafeKit. For details or other firewalls, see section 10.3. ·         reply to “Please enter a password or "no" if you want to set it later” This step is mandatory to initialize the default configuration of the web service. The web service requires authentication to access the service. It initializes it with the admin user and the given password pwd, for instance. It then allows access to all the web console's features, by logging in with admin/pwd, and run distributed commands. For details, see section 11.2.1. | | | | --- | --- | | Commentaire important contour | The password must be identical on all nodes that belong to the same SafeKit cluster. Otherwise, web console and distributed commands will fail with authentication errors. | **or** 5.    Install in non-interactive mode, by executing: ./safekitinstall -q Use the option -passwd pwd for initializing the web service authentication (where pwd is the password set for the admin user). Then, the firewall setup must be manually done. | | | | --- | --- | | Commentaire important contour | Starting with SafeKit version 8.2.5, on Red Hat, RPM packages are GPG-signed. Thus, the SafeKit GPG public key is automatically imported to allow the installation to continue. | ##### 2.1.3.2.2                Firewall setup This step is mandatory to enable communication between the nodes of the SafeKit cluster and with the web console. No action is required when firewall automatic configuration has been performed during the package installation. Otherwise see section 10.3. ##### 2.1.3.2.3                Web service initialization This step is mandatory to initialize the default configuration of the web service, which is accessed by the web console and the global safekit command. The web service requires authentication to access the service. No action required when the web service initialization has been performed during the package installation. Otherwise, see section 11.2.1.2. ##### 2.1.3.2.4                Antivirus setup This step is necessary if the server's antivirus interferes with the operation of SafeKit (see section 7.22). Refer to section 10.6 for the list of legitimate SafeKit directories and processes that should not be affected by the antivirus. ### 2.1.4         Use the SafeKit web console or command line interface Once installed, the SafeKit cluster must be defined. Then modules can be installed, configured, and administered. All these actions can be done with the SafeKit console or the command line interface. #### 2.1.4.1      The SafeKit web console 1.    Start a web browser (Microsoft Edge, Firefox, or Chrome) 2.    Connect it to the URL http://host:9010 (where host is the name or IP address of one of the SafeKit nodes) 3.    In the login page, enter admin as user’s name and the password you gave on initialization (e.g., pwd) 4.    Once the console is loaded, the admin user can access to ![](safekituserguideen_fichiers/image032.png)Monitoring and ![](safekituserguideen_fichiers/image033.png)Configuration in the navigation sidebar, as he has the default Admin role For details see section 3. #### 2.1.4.2      The SafeKit command line interface It is based on the single safekit command located at the root of the SafeKit installation directory. Almost all safekit commands can be applied locally or on a list of nodes in the SafeKit cluster. This is called global or distributed command. For details on the safekit command, see section 9.   To use the safekit command: | | | | --- | --- | | In Windows | 1.    Open a PowerShell console as administrator 2.    Go to the root of the SafeKit installation directory SAFE (by default SAFE=C:\safekit if %SYSTEMDRIVE%=C:) cd c:\safekit 3.    Run .\safekit.exe for the local command 4.    Run .\safekit.exe -H "" for the command distributed across multiple nodes | | In Linux | 1.    Open a Shell console as root 2.    Go to the root of the SafeKit installation directory SAFE (by default SAFE=/opt/safekit) cd /opt/safekit 3.    Run ./safekit for the local command 4.    Run ./safekit -H "" for the command distributed across multiple nodes |   For instance, to display the levels (SafeKit, OS…): ·         for the local host safekit level ·         for all hosts configured in the SafeKit cluster safekit -H "\*" level ### 2.1.5         SafeKit license keys License keys are determined and verified based on the Operating System (Windows or Linux) and the hostnames of machines (not the FQDN), as returned by the `hostname` command in a Windows command prompt or a Linux shell. They are delivered in a text file. Once the license key file is installed, there is no need for a connection to a license server. ·         If you do not install any license key file, the product will stop functioning every 3 days. However, it can be restarted for another 3 days. ·         You can download a one-month trial key file here. ·         When a license key expires or is incorrect (e.g., wrong OS or hostname), the system falls into the 3-day behavior. ·         After placing a purchase order, you obtain a permanent key file. The permanent key file can be installed without reinstalling or stopping the product. ·         The key file can contain keys for multiple hostnames. SafeKit will detect the appropriate license for the correct OS/hostname on each server. ·         Save the key file into the `SAFE/conf/license.txt` file (or any other file in `SAFE/conf`) on each server. ·         If files in `SAFE/conf` contain more than one key file, the most favorable key will be chosen. ·         Check the key conformance on each server with the command `SAFE/safekit level` or with the SafeKit web console. ### 2.1.6         System specific procedures and characteristics #### 2.1.6.1      Windows ·         Apply a special procedure to properly stop SafeKit modules at machine shutdown and to start safeadmin service at boot: see section 10.4. ·         For network interfaces with teaming and with SafeKit load balancing, it is necessary to uncheck "Vip" on physical network interfaces of teaming and keep it checked only on teaming virtual interface. #### 2.1.6.2      Linux ·         In Linux, the SafeKit package depends on other system packages. Most of them are installed automatically, except those specific to the implementation of load balancing in a farm and file replication in a mirror. ·         For an updated list of required packages, see the *SafeKit Release Notes**.* ·         The user safekit and a group safekit are created: all users belonging to the safekit group, and the user root can execute SafeKit commands ·         In a farm module with load balancing on a virtual IP address, the vip kernel module is compiled when the module is configured. To compile successfully, Linux packages must be installed. See the *SafeKit Release Notes*for an up-to-date list of the packages. ·         For a farm with SafeKit load balancing on a bonding interface, no ARP should be set in the bonding configuration. Otherwise, the association is broken in client ARP caches with physical MAC address of the bonding interface. ·         When Secure Boot is enabled and you are using a farm module, follow the procedure described in section 10.5 to sign and enroll the SafeKit kernel modules that implement load-balancing. ## 2.2             Mirror installation recommendation | | | | --- | --- | | ip 1.1     ip 1.2 | virtual ip =      ip 1.10                           mirror(app1)=  app1                                                              dir1                dir1 | ### 2.2.1         Hardware and system prerequisites ·         2 servers with the same operating System ·         Supported OS ·         Disk drive with write-back cache recommended for the performance of the IOs ### 2.2.2         Network prerequisites ·         1 physical IP address per server (ip 1.1 and ip 1.2) ·         If you need to set a virtual IP address (ip 1.10), both servers must be in the same IP network with the standard SafeKit configuration (LAN or extended LAN between two remote computer rooms). For setting a virtual IP address with servers in different IP networks, see section 13.6.3. ### 2.2.3         Application prerequisites ·         The application is installed and starts on both servers ·         Application can be started and stopped using command lines ·         On Linux, command lines like service "service" start|stop or su -user "appli-cmd" ·         On Windows, command lines like net start|stop "service" ·         If necessary, application with a procedure to recover after crash ·         Remove automatic application start at boot and configure the boot start of the module instead ### 2.2.4         File replication prerequisites ·         File directories that will be replicated are created on both servers ·         They are located at the same place on both servers in the file tree ·         It is better to synchronize clocks of both server for file replication (NTP protocol) ·         On Linux, align uids/gids on both servers for owners of replicated directories/files ·         See also system specific procedures and characteristics in section 2.1.6 ## 2.3             Farm installation recommendation | | | | --- | --- | | ip 1.1    ip 1.2   ip 1.3 | virtual IP =             ip 1.20     ip 1.20      ip 1.20                                                                farm (app2) =          app2        app2         app2 | ### 2.3.1         Hardware and system prerequisites ·         At least 2 servers with the same operating System ·         Supported OS ·         Linux: kernel compilation tools installed for vip kernel module ### 2.3.2         Network prerequisites ·         1 physical IP address per server (ip 1.1, ip 1.2, ip 1.3) ·         If you need to set a virtual IP address (ip 1.20), servers must be in the same IP network with the standard SafeKit configuration (same LAN or extended LAN between remote computer rooms). For setting a virtual IP address with servers in different IP networks, see section 13.6.3. ·         See also system specific procedures and characteristics in section 2.1.6 ### 2.3.3         Application prerequisites The same prerequisites as for a mirror module described in section 2.2.3 ## 2.4             SafeKit upgrade If you encounter a problem with SafeKit, see the *Software Release Bulletin*containing the list of fixes on the product. If you want to take advantage of some new features, see the *SafeKit Release Notes*. This document also tells you if you are in the case of a major upgrade (ex. 7.5 to 8.2) which requires a different procedure from the one presented here. The upgrade procedure consists in uninstalling the old package and then installing the new package. All nodes in the same cluster must be upgraded. ### 2.4.1         Prepare the upgrade 1.    Note the state "on" or "off" of SafeKit services and modules started automatically at boot safekit boot webstatus; safekit boot status -m *AM* (where *AM* is the name of the module) and in Windows: safekit boot snmpstatus; | | | | --- | --- | | Commentaire important contour | The start at boot of the module can be defined in its configuration file. If so, the use of the safekit boot command becomes unnecessary. | 2.    for a mirror module note the server in the ALONE or PRIM status to know which server holds the up-to-date replicated files 3.    optionally, take snapshots of modules Uninstalling/reinstalling will reset logs and dumps of each module. If you want to keep this information (logs and last 3 dumps and configurations), run the command safekit snapshot -m *AM* /path/snapshot\_xx.zip (replace *AM* by the module name) ### 2.4.2         Uninstall procedure On Windows as administrator and on Linux as root: 1.    stop all modules using the command safekit shutdown For a mirror in the PRIM-SECOND status, stop first the SECOND server to avoid an unnecessary failover 2.    close all editors, file explorers, shells, or terminal under SAFE and SAFEVAR (to avoid package uninstallation error) 3.    uninstall SafeKit package | | | | --- | --- | | Windows | Use the Control Panel-Add/Remove Programs applet | | Linux | Use the command safekit uninstall |   4.    undo all configurations that you have done manually for the firewall setup (see section 10.3) Uninstalling SafeKit includes creating a backup of the installed modules in SAFE/Application\_Modules/backup, then unconfiguring them. ### 2.4.3         Reinstall and postinstall procedure 1.    Install the new package as described in section 2.1 2.    Check with the command safekit level the installed SafeKit version and the validity of the license (which has not been uninstalled) If you have a problem with the new package and the old key, take a temporary license: see section 2.1.5 3.    If you use the web console, clear the browser cache and refresh pages in the web browser 4.    Since SafeKit 8.2.1, previously configured modules are automatically reconfigured on upgrade. However, you may still need to reconfigure module to apply any configuration changes coming with the new version (see the *SafeKit Release Notes*). Reconfigure the module either with: o    the web console by navigating to ![](safekituserguideen_fichiers/image033.png)“Configuration/Modules configuration/ ![](safekituserguideen_fichiers/image040.png)Configure the module/” o    the web console by directly entering the URL http://host:9010/console/en/configuration/modules/*AM*/config/ o    the command safekit config -m *AM* where *AM* is the module name 5.    If necessary, reconfigure the automatic start of modules at boot The start at boot of the module can be defined in its configuration file. If so, skip this step. Otherwise, run the command safekit boot -m *AM* on (replace *AM* by the module name) 6.    Restart the modules | | | | --- | --- | | Mirror module | The module must be started as primary on the node with the updated replicated files (former PRIM or ALONE) either with: ·         the web console by navigating to Monitoring/of the node/Force start/As primary ·         the command safekit prim -m *AM* (replace *AM* by the module name)   Check that the application is working properly once the module is in ALONE state, before starting the other node. On the other node (former SECOND), the module must be started in secondary mode either with: ·         the web console by navigating to Monitoring/of the node/Force start/As secondary ·         the command safekit second -m *AM* (replace *AM* by the module name) Once this initial start has been performed by selecting the primary and secondary nodes, subsequent starts can be performed with: ·         the web console by navigating to Monitoring/of the node/Start/ ·         the command safekit start -m *AM* (replace *AM* by the module name) | | Farm module | Start the module either with: ·         the web console by navigating to Monitoring/of the module/Start/ ·         the command safekit start -m *AM* (replace *AM* by the module name) |   Furthermore, in cases where you have modified the setup of the SafeKit web service, SNMP monitoring or SafeKit notification agent: 1.    the SafeKit web service safewebserver ·         If its automatic start at boot had been disabled, disable it again with the command safekit boot weboff ·         If you had modified configuration files and these have evolved in the new version, your modifications are saved into SAFE/web/conf before being overwritten by the new version. Carrying over your old configuration to the new version may require some adaptations. For details on the default setup and all predefined setups, see section 11. ·         For HTTPS and login/password configurations, certificates, and user.conf / group.conf generated for the previous release should be compatible. 2.    The SafeKit SNMP monitoring ·         In Windows, if its automatic start at boot had been enabled, enable it again with the command safekit boot snmpon ·         If you had modified configuration files and these have evolved in the new version, your modifications are saved into SAFE/snmp/conf before being overwritten by the new version. Carrying over your old configuration to the new version may require some adaptations. For details, see section 10.11. 3.    The SafeKit email notification agent Since SafeKit 8.2.4, SafeKit offers a notification agent to send emails for major modules events. For details, see section 10.10. If you have enabled it, it will remain enabled after the upgrade. However, you may need to reconfigure the SafeKit notification agent, as described in section 10.10.1, if its configuration file has evolved between the two versions. ## 2.5             SafeKit full uninstall For completely removing the SafeKit package, follow the procedure described below. ### 2.5.1         Uninstall on Windows as administrator 1.    Log-in as administrator on Windows server 2.    stop all modules using the command safekit shutdown 3.    close all editors, file explorers, shells, or cmd under SAFE and SAFEVAR (to avoid package uninstallation error) (SAFE=C:\safekit if %SYSTEMDRIVE%=C: ; SAFEVAR=C:\safekit\var if %SYSTEMDRIVE%=C:) 4.    uninstall SafeKit using the Control Panel-Add/Remove Programs applet 5.    reboot the server 6.    delete the folder SAFE that is the installation directory of the previous install of SafeKit 7.    undo all configurations that you have done for SafeKit boot/shutdown (see section 10.4) 8.    undo all configurations that you have done for firewalls rules setting (see section 10.3) 9.    uninstall the SafeKit Web application if installed (see section 3.1.4.2) 10. since SafeKit 8.2.5, the following SafeKit drivers are uninstalled but are no longer automatically removed from the Windows Driver Store: ·         viplwf (Virtual IP load balancer) ·         ndis6pckt (ARP rerouter) ·         rfsfilter (File replication filter) If you want to remove them from the Driver store, follow the procedure below: a.    make sure all related driver services are stopped by executing the following commands: net stop rfsfilter net stop viplwf net stop ndis6pckt b.    list all third-party driver packages installed in the Windows driver store, using the command: pnputil /enum-drivers Example output: … Published Name:     **oem4.inf** Original Name:      **ndis6pckt.inf** Provider Name:      Evidian Class Name:         Network Protocol … Published Name:     **oem18.inf** Original Name:      **saferfs.inf** Provider Name:      Evidian Class Name:         FS Replication filters … Published Name:     **oem5.inf** Original Name:      **viplwf.inf** Provider Name:      Evidian Class Name:         Network Service … c.    identify the ‘Published name’ (oemxx.inf) corresponding to the SafeKit drivers Look for entries where the ‘Original Name’ matches the following: viplwf.inf, ndis6pckt.inf, and saferfs.inf. d.    delete each SafeKit driver using the following command: pnputil /delete-driver oemxx.inf /uninstall Replace oemxx.inf with the actual name identified in step c. ### 2.5.2         Uninstall on Linux as root 1.    open a Shell console as root on Linux server 2.    stop all modules using the command safekit shutdown 3.    close all editors, file explorers, shells, or terminal under SAFE and SAFEVAR (SAFE=/opt/safekit ; SAFEVAR=/var/safekit) 4.    uninstall SafeKit using the safekit uninstall -all command and answer yes when prompted to delete all SafeKit folders 5.    reboot the server 6.    undo all configurations that you have done for firewalls rules setting (see section 10.3) 7.    delete the user/group created by the previous install (default is safekit/safekit) with the commands:  userdel safekit groupdel safekit 8.    uninstall the SafeKit Web application if installed (see section 3.1.4.2) ## 2.6             SafeKit documentation | | | | --- | --- | | *SafeKit Solution* | The SafeKit solution is fully described. | | *SafeKit Training* | Refer to this online training for a quick start in using SafeKit. | | *SafeKit Release Notes* | It presents: ·         latest install instructions ·         major changes ·         restrictions and known problems ·         migration instructions | | *Software Release Bulletin* | Bulletin listing SafeKit 8.2 packages, with descriptions of changes and fixed issues. | | *SafeKit Knowledge Base* | List of known SafeKit issues and restrictions. Other KBs are available on the Support portal, but are only accessible to registered users. | | *SafeKit User's Guide* | This is the guide. Please refer to the guide corresponding to your SafeKit version number. It is delivered with the SafeKit package and can be accessed via the web console under /User’s guide. The link opposite takes you to the latest version of this guide. |