======iSCSI target CentOS 7======
=====Installation=====
  * Do a minimal installation
  * Configure iSCSI network interfaces with MTU of 9000
  * Do a yum update after the installation

<code>
rpm -ivh https://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm
yum install targetcli net-tools wget chrony check-mk-agent xinetd
 
wget https://downloads.linux.hp.com/SDR/add_repo.sh
sh ./add_repo.sh spp -d rhel -r 7
yum install hpssacli
</code>
=====Tuning system configuration=====
<code - /etc/sysconfig/modules/scsi.modules>
#!/bin/sh

if [ ! -c /dev/sg0 ] ; then
  exec /sbin/modprobe sg >/dev/null 2>&1
fi
</code>
  chmod 755 /etc/sysconfig/modules/scsi.modules

  hpssacli
  controller slot=2 modify cacheratio=75/25
<code - /etc/rc.local>
echo noop > /sys/block/sda/queue/scheduler
# /sbin/blockdev --setra 1024 /dev/sda
</code>
  tuned-adm profile network-throughput
=====Configuration iSCSI target=====
  targetcli
<code>
/backstores/block create lun1 /dev/data/lun1
/iscsi create
/iscsi set discovery_auth enable=0
/iscsi/iqn.2003-01.org.linux-iscsi.testnas.x8664:sn.3e16441761a3/tpg1
portals delete 0.0.0.0 3260
portals create 192.168.0.100 3260
portals create 192.168.1.100 3260
luns/ create /backstores/block/lun1
acls/ create iqn.1998-01.com.vmware:supermicro1-22d4a58e
acls/ create iqn.1998-01.com.vmware:supermicro2-6b09d927
set parameter AuthMethod=None
set attribute authentication=0
cd /
</code>
<code>
/> ls
o- / ......................................................................................... [...]
  o- backstores .............................................................................. [...]
  | o- block .................................................................. [Storage Objects: 1]
  | | o- lun1 ...................................... [/dev/data/lun1 (50.0GiB) write-thru activated]
  | o- fileio ................................................................. [Storage Objects: 0]
  | o- pscsi .................................................................. [Storage Objects: 0]
  | o- ramdisk ................................................................ [Storage Objects: 0]
  o- iscsi ............................................................................ [Targets: 1]
  | o- iqn.2003-01.org.linux-iscsi.testnas.x8664:sn.3e16441761a3 ......................... [TPGs: 1]
  |   o- tpg1 ............................................................... [no-gen-acls, no-auth]
  |     o- acls .......................................................................... [ACLs: 2]
  |     | o- iqn.1998-01.com.vmware:supermicro1-22d4a58e .......................... [Mapped LUNs: 1]
  |     | | o- mapped_lun0 .................................................. [lun0 block/lun1 (rw)]
  |     | o- iqn.1998-01.com.vmware:supermicro2-6b09d927 .......................... [Mapped LUNs: 1]
  |     |   o- mapped_lun0 .................................................. [lun0 block/lun1 (rw)]
  |     o- luns .......................................................................... [LUNs: 1]
  |     | o- lun0 .................................................... [block/lun1 (/dev/data/lun1)]
  |     o- portals .................................................................... [Portals: 2]
  |       o- 192.168.0.100:3260 ............................................................... [OK]
  |       o- 192.168.1.100:3260 ............................................................... [OK]
  o- loopback ......................................................................... [Targets: 0]
/>
</code>
  saveconfig
  exit
  systemctl enable target
  systemctl start target

=====Firewalld=====
Remove default crap
<code>
firewall-cmd --permanent --zone=home --remove-service=dhcpv6-client
firewall-cmd --permanent --zone=home --remove-service=ipp-client
firewall-cmd --permanent --zone=home --remove-service=mdns
firewall-cmd --permanent --zone=home --remove-service=samba-client
firewall-cmd --permanent --zone=home --remove-service=ssh
firewall-cmd --permanent --zone=internal --remove-service=dhcpv6-client
firewall-cmd --permanent --zone=internal --remove-service=ipp-client
firewall-cmd --permanent --zone=internal --remove-service=mdns
firewall-cmd --permanent --zone=internal --remove-service=samba-client
firewall-cmd --permanent --zone=internal --remove-service=ssh
firewall-cmd --permanent --zone=work --remove-service=dhcpv6-client
firewall-cmd --permanent --zone=work --remove-service=ipp-client
firewall-cmd --permanent --zone=work --remove-service=ssh
firewall-cmd --permanent --zone=public --remove-service=dhcpv6-client
firewall-cmd --permanent --zone=public --remove-service=ssh
firewall-cmd --permanent --zone=external --remove-service=ssh
firewall-cmd --permanent --zone=external --remove-masquerade
firewall-cmd --permanent --zone=dmz --remove-service=ssh
</code>
Create new zones
<code>
firewall-cmd --permanent --new-zone=management
firewall-cmd --permanent --new-zone=local
firewall-cmd --permanent --new-zone=iscsi1
firewall-cmd --permanent --new-zone=iscsi2
</code>
Put subnets in zones
<code>
firewall-cmd --permanent --zone=public --add-source=0.0.0.0/0
firewall-cmd --permanent --zone=public --add-source=::/0

firewall-cmd --permanent --zone=dmz --add-source=5.200.9.240/28
firewall-cmd --permanent --zone=dmz --add-source=2a00:1630:59::/64
firewall-cmd --permanent --zone=dmz --add-source=46.44.183.176/28
firewall-cmd --permanent --zone=dmz --add-source=2a02:22a0:bbb7:400::/64
firewall-cmd --permanent --zone=dmz --add-source=94.142.242.32/28
firewall-cmd --permanent --zone=dmz --add-source=2a02:898:126::/64

firewall-cmd --permanent --zone=local --add-source=172.16.3.0/24
firewall-cmd --permanent --zone=local --add-source=2a02:22a0:bbb7:403::/64
firewall-cmd --permanent --zone=local --add-source=172.16.5.0/24
firewall-cmd --permanent --zone=local --add-source=2a00:1630:59:5::/64
firewall-cmd --permanent --zone=local --add-source=172.16.7.0/24
firewall-cmd --permanent --zone=local --add-source=2a02:898:126:7::/64

firewall-cmd --permanent --zone=management --add-source=172.16.2.0/24
firewall-cmd --permanent --zone=management --add-source=2a02:22a0:bbb7:402::/64
firewall-cmd --permanent --zone=management --add-source=172.16.4.0/24
firewall-cmd --permanent --zone=management --add-source=2a00:1630:59:4::/64
firewall-cmd --permanent --zone=management --add-source=172.16.6.0/24
firewall-cmd --permanent --zone=management --add-source=2a02:898:126:6::/64

firewall-cmd --permanent --zone=iscsi1 --add-source=192.168.0.0/24
firewall-cmd --permanent --zone=iscsi2 --add-source=192.168.1.0/24
</code>
Add services
<code - /etc/firewalld/services/check-mk-agent.xml>
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>check-mk-agent</short>
  <description>Check_MK Agent</description>
  <port protocol="tcp" port="6556"/>
</service>
</code>
<code - /etc/firewalld/services/iscsi-target.xml>
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>iscsi-target</short>
  <description>iSCSI target</description>
  <port protocol="tcp" port="3260"/>
</service>
</code>
Add services to zones
<code>
firewall-cmd --permanent --zone=management --add-service=ssh
firewall-cmd --permanent --zone=local --add-service=ssh

firewall-cmd --permanent --zone=iscsi1 --add-service=iscsi-target
firewall-cmd --permanent --zone=iscsi2 --add-service=iscsi-target

firewall-cmd --permanent --zone=management --add-rich-rule="rule family="ipv4" \
source address="172.16.4.14" service name="check-mk-agent" accept"
firewall-cmd --permanent --zone=management --add-rich-rule="rule family="ipv6" \
source address="2a00:1630:59:4::14" service name="check-mk-agent" accept"
</code>

Make sure all interfaces are set to public as default!
  firewall-cmd --set-default-zone=public
  firewall-cmd --reload

{{tag>centos}}