aboutsummaryrefslogtreecommitdiff
path: root/docs/tools/qemu-nbd.rst
blob: 2b8c90c35498fd848b99d65a1cc137e4cafd6481 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
=====================================
QEMU Disk Network Block Device Server
=====================================

Synopsis
--------

**qemu-nbd** [*OPTION*]... *filename*

**qemu-nbd** -L [*OPTION*]...

**qemu-nbd** -d *dev*

Description
-----------

Export a QEMU disk image using the NBD protocol.

Other uses:

- Bind a /dev/nbdX block device to a QEMU server (on Linux).
- As a client to query exports of a remote NBD server.

Options
-------

.. program:: qemu-nbd

*filename* is a disk image filename, or a set of block
driver options if ``--image-opts`` is specified.

*dev* is an NBD device.

.. option:: --object type,id=ID,...

  Define a new instance of the *type* object class identified by *ID*.
  See the :manpage:`qemu(1)` manual page for full details of the properties
  supported. The common object types that it makes sense to define are the
  ``secret`` object, which is used to supply passwords and/or encryption
  keys, and the ``tls-creds`` object, which is used to supply TLS
  credentials for the ``qemu-nbd`` server or client.

.. option:: -p, --port=PORT

  TCP port to listen on as a server, or connect to as a client
  (default ``10809``).

.. option:: -o, --offset=OFFSET

  The offset into the image.

.. option:: -b, --bind=IFACE

  The interface to bind to as a server, or connect to as a client
  (default ``0.0.0.0``).

.. option:: -k, --socket=PATH

  Use a unix socket with path *PATH*.

.. option:: --image-opts

  Treat *filename* as a set of image options, instead of a plain
  filename. If this flag is specified, the ``-f`` flag should
  not be used, instead the :option:`format=` option should be set.

.. option:: -f, --format=FMT

  Force the use of the block driver for format *FMT* instead of
  auto-detecting.

.. option:: -r, --read-only

  Export the disk as read-only.

.. option:: -A, --allocation-depth

  Expose allocation depth information via the
  ``qemu:allocation-depth`` metadata context accessible through
  NBD_OPT_SET_META_CONTEXT.

.. option:: -B, --bitmap=NAME

  If *filename* has a qcow2 persistent bitmap *NAME*, expose
  that bitmap via the ``qemu:dirty-bitmap:NAME`` metadata context
  accessible through NBD_OPT_SET_META_CONTEXT.

.. option:: -s, --snapshot

  Use *filename* as an external snapshot, create a temporary
  file with ``backing_file=``\ *filename*, redirect the write to
  the temporary one.

.. option:: -l, --load-snapshot=SNAPSHOT_PARAM

  Load an internal snapshot inside *filename* and export it
  as an read-only device, SNAPSHOT_PARAM format is
  ``snapshot.id=[ID],snapshot.name=[NAME]`` or ``[ID_OR_NAME]``

.. option:: --cache=CACHE

  The cache mode to be used with the file. Valid values are:
  ``none``, ``writeback`` (the default), ``writethrough``,
  ``directsync`` and ``unsafe``. See the documentation of
  the emulator's ``-drive cache=...`` option for more info.

.. option:: -n, --nocache

  Equivalent to :option:`--cache=none`.

.. option:: --aio=AIO

  Set the asynchronous I/O mode between ``threads`` (the default),
  ``native`` (Linux only), and ``io_uring`` (Linux 5.1+).

.. option:: --discard=DISCARD

  Control whether ``discard`` (also known as ``trim`` or ``unmap``)
  requests are ignored or passed to the filesystem. *DISCARD* is one of
  ``ignore`` (or ``off``), ``unmap`` (or ``on``).  The default is
  ``ignore``.

.. option:: --detect-zeroes=DETECT_ZEROES

  Control the automatic conversion of plain zero writes by the OS to
  driver-specific optimized zero write commands.  *DETECT_ZEROES* is one of
  ``off``, ``on``, or ``unmap``.  ``unmap``
  converts a zero write to an unmap operation and can only be used if
  *DISCARD* is set to ``unmap``.  The default is ``off``.

.. option:: -c, --connect=DEV

  Connect *filename* to NBD device *DEV* (Linux only).

.. option:: -d, --disconnect

  Disconnect the device *DEV* (Linux only).

.. option:: -e, --shared=NUM

  Allow up to *NUM* clients to share the device (default
  ``1``), 0 for unlimited. Safe for readers, but for now,
  consistency is not guaranteed between multiple writers.

.. option:: -t, --persistent

  Don't exit on the last connection.

.. option:: -x, --export-name=NAME

  Set the NBD volume export name (default of a zero-length string).

.. option:: -D, --description=DESCRIPTION

  Set the NBD volume export description, as a human-readable
  string.

.. option:: -L, --list

  Connect as a client and list all details about the exports exposed by
  a remote NBD server.  This enables list mode, and is incompatible
  with options that change behavior related to a specific export (such as
  :option:`--export-name`, :option:`--offset`, ...).

.. option:: --tls-creds=ID

  Enable mandatory TLS encryption for the server by setting the ID
  of the TLS credentials object previously created with the --object
  option; or provide the credentials needed for connecting as a client
  in list mode.

.. option:: --tls-hostname=hostname

  When validating an x509 certificate received over a TLS connection,
  the hostname that the NBD client used to connect will be checked
  against information in the server provided certificate. Sometimes
  it might be required to override the hostname used to perform this
  check. For example, if the NBD client is using a tunnel from localhost
  to connect to the remote server, the `--tls-hostname` option should
  be used to set the officially expected hostname of the remote NBD
  server. This can also be used if accessing NBD over a UNIX socket
  where there is no inherent hostname available. This is only permitted
  when acting as a NBD client with the `--list` option.

.. option:: --fork

  Fork off the server process and exit the parent once the server is running.

.. option:: --pid-file=PATH

  Store the server's process ID in the given file.

.. option:: --tls-authz=ID

  Specify the ID of a qauthz object previously created with the
  :option:`--object` option. This will be used to authorize connecting users
  against their x509 distinguished name.

.. option:: -v, --verbose

  Display extra debugging information.

.. option:: -h, --help

  Display this help and exit.

.. option:: -V, --version

  Display version information and exit.

.. option:: -T, --trace [[enable=]PATTERN][,events=FILE][,file=FILE]

  .. include:: ../qemu-option-trace.rst.inc

Examples
--------

Start a server listening on port 10809 that exposes only the
guest-visible contents of a qcow2 file, with no TLS encryption, and
with the default export name (an empty string). The command is
one-shot, and will block until the first successful client
disconnects:

::

  qemu-nbd -f qcow2 file.qcow2

Start a long-running server listening with encryption on port 10810,
and whitelist clients with a specific X.509 certificate to connect to
a 1 megabyte subset of a raw file, using the export name 'subset':

::

  qemu-nbd \
    --object tls-creds-x509,id=tls0,endpoint=server,dir=/path/to/qemutls \
    --object 'authz-simple,id=auth0,identity=CN=laptop.example.com,,\
              O=Example Org,,L=London,,ST=London,,C=GB' \
    --tls-creds tls0 --tls-authz auth0 \
    -t -x subset -p 10810 \
    --image-opts driver=raw,offset=1M,size=1M,file.driver=file,file.filename=file.raw

Serve a read-only copy of a guest image over a Unix socket with as
many as 5 simultaneous readers, with a persistent process forked as a
daemon:

::

  qemu-nbd --fork --persistent --shared=5 --socket=/path/to/sock \
    --read-only --format=qcow2 file.qcow2

Expose the guest-visible contents of a qcow2 file via a block device
/dev/nbd0 (and possibly creating /dev/nbd0p1 and friends for
partitions found within), then disconnect the device when done.
Access to bind ``qemu-nbd`` to a /dev/nbd device generally requires root
privileges, and may also require the execution of ``modprobe nbd``
to enable the kernel NBD client module.  *CAUTION*: Do not use
this method to mount filesystems from an untrusted guest image - a
malicious guest may have prepared the image to attempt to trigger
kernel bugs in partition probing or file system mounting.

::

  qemu-nbd -c /dev/nbd0 -f qcow2 file.qcow2
  qemu-nbd -d /dev/nbd0

Query a remote server to see details about what export(s) it is
serving on port 10809, and authenticating via PSK:

::

  qemu-nbd \
    --object tls-creds-psk,id=tls0,dir=/tmp/keys,username=eblake,endpoint=client \
    --tls-creds tls0 -L -b remote.example.com

See also
--------

:manpage:`qemu(1)`, :manpage:`qemu-img(1)`