1nbdkit-vddk-plugin(1) NBDKIT nbdkit-vddk-plugin(1)
2
6 nbdkit-vddk-plugin - nbdkit VMware VDDK plugin
7
9 nbdkit vddk [file=]FILENAME
10 [compression=none|zlib|fastlz|skipz]
11 [config=FILENAME] [cookie=COOKIE] [libdir=LIBRARY]
12 [nfchostport=PORT] [single-link=true]
13 [password=PASSWORD | password=- | password=+FILENAME |
14 password=-FD]
15 [port=PORT] [server=HOSTNAME] [snapshot=MOREF]
16 [thumbprint=THUMBPRINT] [transports=MODE:MODE:...]
17 [unbuffered=true] [user=USERNAME] [vm=moref=ID]
18 nbdkit vddk --dump-plugin
19
21 "nbdkit-vddk-plugin" is an nbdkit(1) plugin that serves disks from
22 local VMware VMDK files, VMware ESXi servers, VMware VCenter servers,
23 and other sources.
24 It requires VMware's proprietary VDDK library that you must download
26 yourself (see "LIBRARY LOCATION" below).
27
29 Open a local VMDK file
30 nbdkit vddk /absolute/path/to/file.vmdk
31 When opening local files the filename must be an absolute path.
33 Because VDDK needs to lock the file, the file must be on a writable
35 filesystem. You can avoid this by opening the file read-only (the -r
36 option):
37 nbdkit -r vddk /absolute/path/to/file.vmdk
39 Open a file on a remote VMware ESXi hypervisor
41 Connect directly to a VMware ESXi hypervisor and export a particular
42 file:
43 nbdkit vddk user=root password=+/tmp/rootpw \
45 server=esxi.example.com thumbprint=xx:xx:xx:... \
46 vm=moref=2 \
47 "[datastore1] Fedora/Fedora.vmdk"
48 "user" and "password" must be specified. Use "password=+FILENAME" to
50 provide the password securely in a file.
51 "server" is the hostname of the ESXi server.
53 "thumbprint" is the thumb print for validating the SSL certificate.
55 How to find the thumb print of a server is described in "THUMBPRINTS"
56 below.
57 "vm" is the Managed Object Reference ("moref") of the virtual machine.
59 See "MANAGED OBJECT REFERENCE" below.
60 The file parameter is the file you want to open, usually in the form
62 "[datastore] vmname/vmname.vmdk". See "FILE PARAMETER" below.
63 Open a file on a remote VMware vCenter server
65 Connect via VMware vCenter and export a particular file:
66 nbdkit vddk user=root password=vmware \
68 server=vcenter.example.com thumbprint=xx:xx:xx:... \
69 vm=moref=vm-16 \
70 "[datastore1] Fedora/Fedora.vmdk"
71 "user" and "password" must be specified. Use "password=+FILENAME" to
73 provide the password securely in a file.
74 "server" is the hostname of the vCenter server.
76 "thumbprint" is the thumb print for validating the SSL certificate.
78 How to find the thumb print of a server is described in "THUMBPRINTS"
79 below.
80 "vm" is the Managed Object Reference ("moref") of the virtual machine.
82 See "MANAGED OBJECT REFERENCE" below.
83 The file parameter is the file you want to open, usually in the form
85 "[datastore] vmname/vmname.vmdk". See "FILE PARAMETER" below.
86
88 For opening a local VMDK file, the "file" parameter is required and
89 must be an absolute path.
90 For opening a remote connection, "file", "server", "thumbprint",
92 "user", "password" and "vm" are required.
93 All other parameters are optional.
95 compression=none
97 compression=zlib
98 compression=fastlz
99 compression=skipz
100 (nbdkit ≥ 1.24, vSphere ≥ 6.5)
101 Select the compression type used over the network between VDDK and
103 the VMware server. The default is "none". See VMware document
104 “Best Practices for NBD Transport”.
105 config=FILENAME
107 The name of the VDDK configuration file.
108 The config file controls rarely adjusted VDDK settings like log
110 level, caching and timeouts. See the VDDK documentation for a full
111 list of settings.
112 VDDK itself looks in a few default locations for the configuration
114 file, usually including /etc/vmware/config and
115 $HOME/.vmware/config. Using "config" overrides these defaults.
116 cookie=COOKIE
118 (vSphere ≥ 6.7)
119 Cookie from existing authenticated session on the host.
121 This changes the authentication type from "VIXDISKLIB_CRED_UID" to
123 "VIXDISKLIB_CRED_SESSIONID" which can improve performance. The
124 cookie can be found by connecting to a VCenter Server over HTTPS
125 and retrieving the "vmware_soap_session" cookie.
126 [file=]FILENAME
128 [file=][datastore] vmname/vmname.vmdk
129 Set the name of the VMDK file to serve.
130 For local files you must supply an absolute path. For remote files
132 see "FILE PARAMETER" section below.
133 If a VM has multiple disks, nbdkit can only serve one at a time.
135 To serve more than one you must run multiple copies of nbdkit.
136 (See "NOTES" below).
137 "file=" is a magic config key and may be omitted in most cases.
139 See "Magic parameters" in nbdkit(1).
140 libdir=PATHNAME
142 This sets the path of the VMware VDDK distribution.
143 VDDK uses this to load its own plugins, if this path is unspecified
145 or wrong then VDDK will work with reduced functionality. See
146 "LIBRARY LOCATION" below.
147 nfchostport=PORT
149 Port used to establish an NFC connection to ESXi. Defaults to 902.
150 password=PASSWORD
152 Set the password to use when connecting to the remote server.
153 Note that passing this on the command line is not secure on shared
155 machines.
156 password=-
158 Ask for the password (interactively) when nbdkit starts up.
159 password=+FILENAME
161 Read the password from the named file. This is a secure method to
162 supply a password, as long as you set the permissions on the file
163 appropriately.
164 password=-FD
166 Read the password from file descriptor number "FD", inherited from
167 the parent process when nbdkit starts up. This is also a secure
168 method to supply a password.
169 port=PORT
171 The port on the VCenter/ESXi host. Defaults to 443.
172 server=HOSTNAME
174 The hostname or IP address of VCenter or ESXi host.
175 single-link=true
177 (nbdkit ≥ 1.12)
178 Open the current link, not the entire chain. This corresponds to
180 the "VIXDISKLIB_FLAG_OPEN_SINGLE_LINK" flag.
181 snapshot=MOREF
183 The Managed Object Reference of the snapshot. See "MANAGED OBJECT
184 REFERENCE" below.
185 thumbprint=THUMBPRINT
187 The SSL (SHA1) thumbprint for validating the SSL certificate.
188 The format is
190 "xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx" (20
191 hex digit pairs).
192 See "THUMBPRINTS" below for how to get this.
194 transports=MODE:MODE:...
196 List of one or more transport modes to use. Possible values
197 include ‘nbd’, ‘nbdssl’, ‘san’, ‘hotadd’, ‘file’ (there may be
198 others). If not given, VDDK will try to choose the best transport
199 mode.
200 unbuffered=true
202 (nbdkit ≥ 1.12)
203 Disable host caching. This corresponds to the
205 "VIXDISKLIB_FLAG_OPEN_UNBUFFERED" flag.
206 user=USERNAME
208 The username to connect to the remote server as.
209 vm=moref=ID
211 The Managed Object Reference ("moref") of the virtual machine. See
212 "MANAGED OBJECT REFERENCE" below.
213 vimapiver=APIVER
215 This parameter is ignored for backwards compatibility.
216
218 The VDDK library should not be placed on a system library path such as
219 /usr/lib. The reason is that the VDDK library ships with recompiled
220 libraries like libcrypto.so and libstdc++.so that conflict with system
221 libraries.
222 You have two choices:
224 · Place VDDK in the default libdir which is compiled into this
226 plugin, for example:
227 $ nbdkit vddk --dump-plugin | grep ^vddk_default_libdir
229 vddk_default_libdir=/usr/lib64/vmware-vix-disklib
230 · But the best advice is to unpack the VDDK tarball anywhere you like
232 and set the "libdir=/path/to/vmware-vix-disklib-distrib". For
233 example:
234 nbdkit vddk \
236 libdir=/opt/vmware-vix-disklib-distrib \
237 /path/to/file.vmdk
238 No need to set "LD_LIBRARY_PATH"
240 In nbdkit ≤ 1.16 you had to set the environment variable
241 "LD_LIBRARY_PATH" when using this plugin. In nbdkit ≥ 1.18 this is not
242 recommended.
243
245 The "file" parameter can either be a local file, in which case it must
246 be the absolute path. Or it can refer to a remote file on the VMware
247 server in the format "[datastore] vmname/vmname.vmdk".
248 Finding the remote filename
250 For remote files you can find the path using virsh(1). For ESXi:
251 $ virsh -c 'esx://esxi.example.com?no_verify=1' dumpxml guestname
253 ...
254 <disk type='file' device='disk'>
255 <source file='[datastore] vmname/vmname.vmdk'/>
256 ...
257 For vCenter the command is the same but the URI starts with "vpx://":
259 $ virsh -c 'vpx://vcenter.example.com/Datacenter/esxi.example.com?no_verify=1' \
261 dumpxml guestname
262 See also: https://libvirt.org/drvesx.html
264 Optional file= prefix
266 The "file=" part is optional, so these commands are equivalent:
267 nbdkit vddk file=/path/to/file.vmdk
269 nbdkit vddk /path/to/file.vmdk
270
272 The thumbprint is a 20 byte string containing the SSL (SHA1)
273 fingerprint of the remote VMware server and it is required when making
274 a remote connection. There are several ways to obtain this.
275 Using a web browser
277 Visit "https://SERVER-NAME/folder" and log in. Click the lock icon
278 next to the URL bar and navigate to the SHA-1 fingerprint of the site’s
279 certificate. This 20 hex digit pair string can be directly copied to
280 the "thumbprint=" parameter.
281 Using openssl remotely
283 The following command will print the thumbprint of a VMware server
284 called "SERVER-NAME":
285 $ openssl s_client -connect SERVER-NAME:443 </dev/null |
287 openssl x509 -in /dev/stdin -fingerprint -sha1 -noout
288 By logging in to the ESXi or vCenter server
290 Log in to the ESXi hypervisor shell and run this command:
291 # openssl x509 -in /etc/vmware/ssl/rui.crt -fingerprint -sha1 -noout
293 For VMware vCenter servers the thumbprint is printed on the text
295 console of the server or is available by logging in to the server and
296 using this command:
297 # openssl x509 -in /etc/vmware-vpx/ssl/rui.crt -fingerprint -sha1 -noout
299 Trick: Get VDDK to tell you the thumbprint
301 Another way to get the thumbprint of a server is to connect to the
302 server using a bogus thumbprint with debugging enabled:
303 nbdkit -U - -fv vddk server=esxi.example.com [...] thumbprint=12 \
305 --run 'qemu-img info "$uri"'
306 The nbdkit process will try to connect (and fail because the thumbprint
308 is wrong). However in the debug output will be a message such as this:
309 nbdkit: debug: VixDiskLibVim: Failed to verify SSL certificate: actual thumbprint=B2:31:BD:DE:9F:DB:9D:E0:78:EF:30:42:8A:41:B0:28:92:93:C8:DD expected=12
311 This gives you the server’s real thumbprint. Of course this method is
313 not secure since it allows a Man-in-the-Middle (MITM) attack.
314
316 Some use cases require you to pass in the Managed Object Reference
317 ("moref") of an object on the VMware server.
318 For VMware ESXi hypervisors, the "vm" moref is a number (eg.
320 "vm=moref=2"). For VMware VCenter it is a string beginning with "vm-")
321 (eg. "vm=moref=vm-16"). Across ESXi and vCenter the numbers are
322 different even for the same virtual machine.
323 If you have libvirt ≥ 3.7, the moref is available in the virsh(1)
325 "dumpxml" output:
326 $ virsh -c 'esx://esxi.example.com?no_verify=1' dumpxml guestname
328 ...
329 <vmware:moref>2</vmware:moref>
330 ...
331 or:
333 $ virsh -c 'vpx://vcenter.example.com/Datacenter/esxi.example.com?no_verify=1' \
335 dumpxml guestname
336 ...
337 <vmware:moref>vm-16</vmware:moref>
338 ...
339 An alternative way to find the moref of a VM is using the
341 "moRefFinder.pl" script written by William Lam
342 (http://www.virtuallyghetto.com/2011/11/vsphere-moref-managed-object-reference.html
343 https://blogs.vmware.com/vsphere/2012/02/uniquely-identifying-virtual-machines-in-vsphere-and-vcloud-part-2-technical.html).
344
346 To query more information about the plugin (and whether it is working),
347 use:
348 nbdkit vddk --dump-plugin
350 If the plugin is not present, not working or the library path is wrong
352 you will get an error.
353 If it works the output will include:
355 "vddk_default_libdir=..."
357 The compiled-in library path. Use "libdir=PATHNAME" to override
358 this at runtime.
359 "vddk_has_nfchostport=1"
361 If this is printed then the "nfchostport=PORT" parameter is
362 supported by this build.
363 "vddk_dll=..."
365 Prints the full path to the VDDK shared library. Since this
366 requires a glibc extension it may not be available in all builds of
367 the plugin.
368
370 Sector size limitation
371 The VDDK plugin can only answer read/write requests on whole 512 byte
372 sector boundaries. This is because the VDDK Read and Write APIs only
373 take sector numbers. If your client needs finer granularity, you can
374 use nbdkit-blocksize-filter(1) with the setting "minblock=512".
375 Threads
377 Handling threads in the VDDK API is complex and does not map well to
378 any of the thread models offered by nbdkit (see "THREADS" in
379 nbdkit-plugin(3)). The plugin uses the nbdkit "SERIALIZE_ALL_REQUESTS"
380 model, but technically even this is not completely safe. This is a
381 subject of future work.
382 Out of memory errors
384 In the verbose log you may see errors like:
385 nbdkit: vddk[3]: error: [NFC ERROR] NfcFssrvrProcessErrorMsg:
387 received NFC error 5 from server: Failed to allocate the
388 requested 2097176 bytes
389 This seems especially common when there are multiple parallel
391 connections open to the VMware server.
392 These can be caused by resource limits set on the VMware server. You
394 can increase the limit for the NFC service by editing
395 /etc/vmware/hostd/config.xml and adjusting the "<maxMemory>" setting:
396 <nfcsvc>
398 <path>libnfcsvc.so</path>
399 <enabled>true</enabled>
400 <maxMemory>50331648</maxMemory>
401 <maxStreamMemory>10485760</maxStreamMemory>
402 </nfcsvc>
403 and restarting the "hostd" service:
405 # /etc/init.d/hostd restart
407 For more information see https://bugzilla.redhat.com/1614276.
409
411 This plugin requires VDDK ≥ 5.5.5, which in turn means that it is only
412 supported on x64-64 platforms.
413 It has been tested with all versions up to 7.0.0 (but should work with
415 future versions).
416 VDDK ≥ 6.0 should be used if possible. This is the first version which
418 added Flush support which is crucial for data integrity when writing.
419
421 Debugging messages can be very helpful if you have problems connecting
422 to VMware servers, or to find the list of available transport modes, or
423 to diagnose SAN problems:
424 nbdkit -f -v vddk file=FILENAME [...]
426 Additional debug flags are available:
428 -D vddk.diskinfo=1
430 Debug disk information returned by "GetInfo".
431 -D vddk.extents=1
433 Debug extents returned by "QueryAllocatedBlocks".
434 -D vddk.datapath=0
436 Suppress debugging of datapath calls ("Read" and "Write").
437
439 $plugindir/nbdkit-vddk-plugin.so
440 The plugin.
441 Use "nbdkit --dump-config" to find the location of $plugindir.
443
445 "nbdkit-vddk-plugin" first appeared in nbdkit 1.2.
446
448 nbdkit(1), nbdkit-plugin(3), nbdkit-blocksize-filter(1),
449 nbdkit-readahead-filter(1), nbdkit-retry-filter(1), virsh(1),
450 https://libvirt.org/drvesx.html,
451 https://www.vmware.com/support/developer/vddk/, VMware document “Best
452 Practices for NBD Transport”.
453
455 Richard W.M. Jones
456
458 Copyright (C) 2013-2020 Red Hat Inc.
459
461 Redistribution and use in source and binary forms, with or without
462 modification, are permitted provided that the following conditions are
463 met:
464 · Redistributions of source code must retain the above copyright
466 notice, this list of conditions and the following disclaimer.
467 · Redistributions in binary form must reproduce the above copyright
469 notice, this list of conditions and the following disclaimer in the
470 documentation and/or other materials provided with the
471 distribution.
472 · Neither the name of Red Hat nor the names of its contributors may
474 be used to endorse or promote products derived from this software
475 without specific prior written permission.
476 THIS SOFTWARE IS PROVIDED BY RED HAT AND CONTRIBUTORS ''AS IS'' AND ANY
478 EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
479 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
480 PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL RED HAT OR CONTRIBUTORS BE
481 LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
482 CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
483 SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
484 BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
485 WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
486 OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
487 ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
488nbdkit-1.24.2 2021-03-02 nbdkit-vddk-plugin(1)