1QEMU-NBD.8(8) QEMU-NBD.8(8)
2
6 qemu-nbd - QEMU Disk Network Block Device Server
7
9 qemu-nbd [OPTION]... filename
10 qemu-nbd -L [OPTION]...
12 qemu-nbd -d dev
14
16 Export a QEMU disk image using the NBD protocol.
17 Other uses:
19 · Bind a /dev/nbdX block device to a QEMU server (on Linux).
21 · As a client to query exports of a remote NBD server.
23
25 filename is a disk image filename, or a set of block driver options if
26 --image-opts is specified.
27 dev is an NBD device.
29 --object type,id=id,...props...
31 Define a new instance of the type object class identified by id.
32 See the qemu(1) manual page for full details of the properties
33 supported. The common object types that it makes sense to define
34 are the "secret" object, which is used to supply passwords and/or
35 encryption keys, and the "tls-creds" object, which is used to
36 supply TLS credentials for the qemu-nbd server or client.
37 -p, --port=port
39 The TCP port to listen on as a server, or connect to as a client
40 (default 10809).
41 -o, --offset=offset
43 The offset into the image.
44 -b, --bind=iface
46 The interface to bind to as a server, or connect to as a client
47 (default 0.0.0.0).
48 -k, --socket=path
50 Use a unix socket with path path.
51 --image-opts
53 Treat filename as a set of image options, instead of a plain
54 filename. If this flag is specified, the -f flag should not be
55 used, instead the '"format="' option should be set.
56 -f, --format=fmt
58 Force the use of the block driver for format fmt instead of auto-
59 detecting.
60 -r, --read-only
62 Export the disk as read-only.
63 -P, --partition=num
65 Deprecated: Only expose MBR partition num. Understands physical
66 partitions 1-4 and logical partition 5. New code should instead use
67 --image-opts with the raw driver wrapping a subset of the original
68 image.
69 -B, --bitmap=name
71 If filename has a qcow2 persistent bitmap name, expose that bitmap
72 via the "qemu:dirty-bitmap:name" context accessible through
73 NBD_OPT_SET_META_CONTEXT.
74 -s, --snapshot
76 Use filename as an external snapshot, create a temporary file with
77 backing_file=filename, redirect the write to the temporary one.
78 -l, --load-snapshot=snapshot_param
80 Load an internal snapshot inside filename and export it as an read-
81 only device, snapshot_param format is
82 'snapshot.id=[ID],snapshot.name=[NAME]' or '[ID_OR_NAME]'
83 -n, --nocache
85 --cache=cache
86 The cache mode to be used with the file. See the documentation of
87 the emulator's "-drive cache=..." option for allowed values.
88 --aio=aio
90 Set the asynchronous I/O mode between threads (the default) and
91 native (Linux only).
92 --discard=discard
94 Control whether discard (also known as trim or unmap) requests are
95 ignored or passed to the filesystem. discard is one of ignore (or
96 off), unmap (or on). The default is ignore.
97 --detect-zeroes=detect-zeroes
99 Control the automatic conversion of plain zero writes by the OS to
100 driver-specific optimized zero write commands. detect-zeroes is
101 one of off, on or unmap. unmap converts a zero write to an unmap
102 operation and can only be used if discard is set to unmap. The
103 default is off.
104 -c, --connect=dev
106 Connect filename to NBD device dev (Linux only).
107 -d, --disconnect
109 Disconnect the device dev (Linux only).
110 -e, --shared=num
112 Allow up to num clients to share the device (default 1). Safe for
113 readers, but for now, consistency is not guaranteed between
114 multiple writers.
115 -t, --persistent
117 Don't exit on the last connection.
118 -x, --export-name=name
120 Set the NBD volume export name (default of a zero-length string).
121 -D, --description=description
123 Set the NBD volume export description, as a human-readable string.
124 -L, --list
126 Connect as a client and list all details about the exports exposed
127 by a remote NBD server. This enables list mode, and is
128 incompatible with options that change behavior related to a
129 specific export (such as --export-name, --offset, ...).
130 --tls-creds=ID
132 Enable mandatory TLS encryption for the server by setting the ID of
133 the TLS credentials object previously created with the --object
134 option; or provide the credentials needed for connecting as a
135 client in list mode.
136 --fork
138 Fork off the server process and exit the parent once the server is
139 running.
140 --pid-file=PATH
142 Store the server's process ID in the given file.
143 --tls-authz=ID
145 Specify the ID of a qauthz object previously created with the
146 --object option. This will be used to authorize connecting users
147 against their x509 distinguished name.
148 -v, --verbose
150 Display extra debugging information.
151 -h, --help
153 Display this help and exit.
154 -V, --version
156 Display version information and exit.
157 -T, --trace [[enable=]pattern][,events=file][,file=file]
159 Specify tracing options.
160 [enable=]pattern
162 Immediately enable events matching pattern (either event name
163 or a globbing pattern). This option is only available if QEMU
164 has been compiled with the simple, log or ftrace tracing
165 backend. To specify multiple events or patterns, specify the
166 -trace option multiple times.
167 Use "-trace help" to print a list of names of trace points.
169 events=file
171 Immediately enable events listed in file. The file must
172 contain one event name (as listed in the trace-events-all file)
173 per line; globbing patterns are accepted too. This option is
174 only available if QEMU has been compiled with the simple, log
175 or ftrace tracing backend.
176 file=file
178 Log output traces to file. This option is only available if
179 QEMU has been compiled with the simple tracing backend.
180
182 Start a server listening on port 10809 that exposes only the guest-
183 visible contents of a qcow2 file, with no TLS encryption, and with the
184 default export name (an empty string). The command is one-shot, and
185 will block until the first successful client disconnects:
186 qemu-nbd -f qcow2 file.qcow2
188 Start a long-running server listening with encryption on port 10810,
190 and whitelist clients with a specific X.509 certificate to connect to a
191 1 megabyte subset of a raw file, using the export name 'subset':
192 qemu-nbd \
194 --object tls-creds-x509,id=tls0,endpoint=server,dir=/path/to/qemutls \
195 --object 'authz-simple,id=auth0,identity=CN=laptop.example.com,,\
196 O=Example Org,,L=London,,ST=London,,C=GB' \
197 --tls-creds tls0 --tls-authz auth0 \
198 -t -x subset -p 10810 \
199 --image-opts driver=raw,offset=1M,size=1M,file.driver=file,file.filename=file.raw
200 Serve a read-only copy of just the first MBR partition of a guest image
202 over a Unix socket with as many as 5 simultaneous readers, with a
203 persistent process forked as a daemon:
204 qemu-nbd --fork --persistent --shared=5 --socket=/path/to/sock \
206 --partition=1 --read-only --format=qcow2 file.qcow2
207 Expose the guest-visible contents of a qcow2 file via a block device
209 /dev/nbd0 (and possibly creating /dev/nbd0p1 and friends for partitions
210 found within), then disconnect the device when done. Access to bind
211 qemu-nbd to an /dev/nbd device generally requires root privileges, and
212 may also require the execution of "modprobe nbd" to enable the kernel
213 NBD client module. CAUTION: Do not use this method to mount
214 filesystems from an untrusted guest image - a malicious guest may have
215 prepared the image to attempt to trigger kernel bugs in partition
216 probing or file system mounting.
217 qemu-nbd -c /dev/nbd0 -f qcow2 file.qcow2
219 qemu-nbd -d /dev/nbd0
220 Query a remote server to see details about what export(s) it is serving
222 on port 10809, and authenticating via PSK:
223 qemu-nbd \
225 --object tls-creds-psk,id=tls0,dir=/tmp/keys,username=eblake,endpoint=client \
226 --tls-creds tls0 -L -b remote.example.com
227
229 qemu(1), qemu-img(1)
230
232 Copyright (C) 2006 Anthony Liguori <anthony@codemonkey.ws>. This is
233 free software; see the source for copying conditions. There is NO
234 warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR
235 PURPOSE.
236 2019-11-15 QEMU-NBD.8(8)