1NBD-SERVER(5) NBD-SERVER(5)
2
3
4
6 /etc/nbd-server/config - configuration file for nbd-server
7
9 /etc/nbd-server/config
10
11
13 This file allows to configure the nbd-server.
14
15 While /etc/nbd-server/config is the default configuration file, this
16 can be varied with the -C option to nbd-server(1).
17
18 The configuration file consists of section header lines, comment lines,
19 and option lines.
20
21 A section header is a unique name that is enclosed in square brackets
22 ("[" and "]"). A section header denotes the beginning of a section; a
23 section continues until the next section or the end of the file, which‐
24 ever is first. The first section in the configuration file must be
25 called generic, and is used for global options that apply to more than
26 one export. This section must always be present, even if it holds no
27 options. Every other section defines one export; the names of these
28 sections are not important, except that you should take care to make
29 sure that each section name is unique. The section name is used as the
30 name for the export in case the client connects with a name rather than
31 a port to specify an export, and must therefore be unique.
32
33 A comment line is a line that starts with optional whitespace, followed
34 by a pound sign ("#"), and continues until the end of the line. Com‐
35 ments may not be used on option lines or section header lines.
36
37 An option line is a line that starts with an option name, followed by
38 an equals sign ("="), followed by the option value. An option can be of
39 type string, of type integer, or of type boolean. The value of a bool‐
40 ean option can be denoted with either true or false (so not yes, no,
41 on, off, 1, or 0). All booleans default to false unless specified oth‐
42 erwise. No value may be quoted; always enter it directly. For a string
43 option, leading whitespace is stripped (but trailing whitespace is
44 not).
45
47 allowlist
48 Optional; boolean
49
50 Whether to allow the client to fetch a list of exports from this
51 server. If enabled, the client can run nbd-client -l to get a
52 list of exports on this server.
53
54 cacertfile
55 Optional; string
56
57 If this option is set, it should contain a path to a PEM format
58 X.509 CA certificate used for validating client certificates
59 supplied by the client. If this option is not set then client
60 certificates will not be checked.
61
62 certfile
63 Optional; string
64
65 If this option is set, it should contain a path to a PEM format
66 X.509 public certificate used for TLS negotiation with the
67 client. If keyfile is set but certfile is not set, then the
68 server will attempt to read the certificate from the path speci‐
69 fied by keyfile.
70
71 force_tls
72 Optional; boolean.
73
74 Switch the server to FORCEDTLS mode.
75
76 Note: this is not the same as enabling the force_tls option for
77 each and every export individually. The latter will allow cer‐
78 tain options to be issued during negotiation (e.g., the "list
79 exports" option, even if that would return an empty result set),
80 whereas enabling this option will disallow the use of any option
81 to be issued during negotiation, apart from the STARTTLS option
82 itself (to switch the transport to TLS).
83
84 Using FORCEDTLS mode should result in a safer environment, as
85 the server will not allow any communication to take place unless
86 and until TLS has been negotiated. However, it also makes it
87 impossible to set up a nonencrypted export for the benefit of
88 older clients, or for clients that want to swap and not dead‐
89 lock.
90
91 Using this parameter without also specifying a value for the
92 other TLS-related parameters is possible, but silly.
93
94 group Optional; string.
95
96 The name of the group this server must run as. If this parameter
97 is not specified, then nbd-server will not attempt to change its
98 GID (so the GID it runs as will be the primary group of the user
99 who starts nbd-server). If it is specified, then nbd-server will
100 change its GID after opening ports, but before accepting connec‐
101 tions or opening files.
102
103 includedir
104 Optional; string
105
106 The argument should be a directory containing files with the
107 '.conf' extension; these files will be parsed as if they were
108 part of the configuration file. Note that these extra configura‐
109 tion files cannot contain a [generic] section; any configuration
110 that should go in the generic section must be placed in the main
111 configuration file.
112
113 If this argument is not specified, then no directory will be
114 searched. If it is specified but the directory does not exist,
115 then nbd-server will exit with an appropriate error message; if
116 it is specified but the given directory is empty, nbd-server
117 will continue (unless no exports whatsoever have been config‐
118 ured, in which case it will exit with an appropriate error mes‐
119 sage)
120
121 keyfile
122 Optional; string
123
124 If this option is set, it should contain a path to a PEM format
125 X.509 private key used for TLS negotiation with the client. This
126 option must be set to enable TLS.
127
128 listenaddr
129 Optional; string
130
131 If this option is set, it should contain a comma-separated lis
132 of the local IP addresses on which we should listen to nbd-
133 client(8) connections. If it is not set, nbd-server will listen
134 to "::, 0.0.0.0", which causes nbd-server to listen to all local
135 IPv4 and IPv6 addresses. To limit to IPv6, specify the address
136 as "::". To limit to IPv4, specify as "0.0.0.0".
137
138 max_threads
139 Optional; integer; default 4
140
141 Since NBD 3.12, nbd-server will read requests in a main thread,
142 but do the handling of these requests, and the sending of the
143 reply, in a number of separate worker threads, which are shared
144 among all exports. With this parameter, you can configure the
145 number of these worker threads.
146
147 The default should be reasonable for a dual-core single-disk
148 server. You might want to increase it if you have a powerful
149 server that does little else than serving NBD.
150
151 oldstyle
152 Optional; boolean
153
154 In versions of nbd-server between 2.9.17 and 3.9.1, when this
155 option was set to true, nbd-server would export all exports on a
156 separate port with the old (pre-2.9.17) handshake protocol. In
157 that case, the 'port' option for individual exports was manda‐
158 tory.
159
160 Since version 3.10 of nbd-server, however, this option is no
161 longer supported, and any attempt to use it will result in nbd-
162 server exiting with an appropriate error message.
163
164 port Optional; string
165
166 The port on which to listen for new-style nbd-client connec‐
167 tions. If not specified, the IANA-assigned port of 10809 is
168 used.
169
170 splice Optional; boolean
171
172 Allow the server to use the splice() system call to handle read
173 or write calls when possible. Using splice can speed up handling
174 of such calls significantly. Unfortunately, splice cannot be
175 used in combination with TLS or the copyonwrite mode, and will
176 only work for requests smaller than 1MiB.
177
178 To handle these situations, the server will exit with an appro‐
179 priate error message if splice and copyonwrite are both enabled
180 for an export; it will silently ignore the splice option if TLS
181 is enabled, falling back on normal reads and writes; and it will
182 similarly fall back on normal reads when the request size
183 exceeds 1MiB.
184
185 user Optional; string.
186
187 The name of the user this server must run as. If this parameter
188 is not specified, then nbd-server will not attempt to change its
189 UID (so the UID it runs as will be the user who starts nbd-
190 server). If it is specified, then nbd-server will change its UID
191 after opening ports, but before accepting connections or opening
192 files.
193
194 unixsock
195 Optional; string
196
197 Path for a UNIX domain socket.
198
199 If specified, the server will listen on a UNIX domain socket
200 with the specified name. Only newstyle negotiation is supported
201 on UNIX domain sockets. If a UNIX domain socket is, then the
202 server will not listen for TCP connections.
203
204 duallisten
205 Optional; boolean
206
207 If true, and unixsock is specified, the the server will listen
208 on both the configured UNIX domain socket and any configured TCP
209 or SDP socket. Defaults to false.
210
211 tlsprio
212 Optional; string; default NORMAL:-VERS-TLS-ALL:+VERS-
213 TLS1.2:%SERVER_PRECEDENCE
214
215 This option allows to configure the GnuTLS priority string,
216 which is used to select the algorithms which GnuTLS will allow
217 to be negotiated with the client. The NBD STARTTLS specification
218 requires that clients and servers require TLS1.2 or higher by
219 default, so the default string disables all older versions of
220 the TLS protocol.
221
222 Not all versions of GnuTLS support the %SERVER_PRECEDENCE flag,
223 which exists to signal that the server should pay no attention
224 to the algorithm preferences selected by the client. If you're
225 using an older version of GnuTLS (e.g., 2.12), it may be neces‐
226 sary to specify a priority string that does not include the
227 %SERVER_PRECEDENCE flag.
228
229 For an explanation of the possible values of this option, see
230 the "Priority strings" chapter in the GnuTLS documentation.
231
233 authfile
234 Optional; string; default empty
235
236 The name of the authorization file for this export. This file
237 should contain one line per IP-address, or per network (which
238 must be specified in CIDR-style network/masklen). Empty lines
239 are skipped, as is any content behind a hashmark ('#') on any
240 line.
241
242 If the file does not exist, everyone is allowed to connect. If
243 the file exists but is empty, nobody is allowed to connect. Oth‐
244 erwise, nbd-server will only allow clients to connect whose IP-
245 adres is listed in this file.
246
247 Corresponds to the -l option on the command line. However, note
248 that for the command line, the default is /etc/nbd-server/allow.
249
250 copyonwrite
251 Optional; boolean.
252
253 Whether this is a copy-on-write export. If it is, then any
254 writes to this export will not be written to the master file,
255 but to a separate file which will be removed upon disconnect.
256 The result of using this option is that nbd-server will be some‐
257 what slower, and that any writes will be lost upon disconnect.
258
259 Corresponds to the -c option on the command line
260
261 cowdir Optional; string.
262
263 Specifies where to write copy-on-write diff files. If this
264 option is absent, copy-on-write files will be written in the
265 same directory as the base export file. Useful for exporting
266 files in copy-on-write mode from a directory that the user run‐
267 ning nbd-server has no write access to.
268
269 If the copy-on-write mode is not active, this option has no
270 effect.
271
272 exportname
273 Required; string.
274
275 The name of the file (or block device) that will be exported.
276 This must be a fully-qualified path and filename; relative paths
277 are not allowed. If used in conjunction with the temporary, this
278 specifies a template for the temporary file concerned, and thus
279 can be used to control the directory it is created in. If the
280 file does not exist, but filesize is set, then the file will be
281 created.
282
283 Note that nbd-server will only try to find and open the exported
284 file when a client actually connects; as a result, nbd-server
285 must be able to open and read this file after changing to the
286 user and group that have been specified by use of the user and
287 group options; also, nbd-server will only detect errors in this
288 option upon connection of a client.
289
290 When specified on the command line, this should be the second
291 argument.
292
293 Note: this is not the "exportname" as defined in the protocol
294 document, and which is the name that nbd-client needs to pass to
295 select the correct export; the section name is used for that.
296 The name of the file to be exported is called the exportname in
297 the configuration file for historical reasons, and cannot easily
298 be changed.
299
300 filesize
301 Optional; integer; default autodetected.
302
303 Disable autodetection of file or block device size, and forcibly
304 specify a size. Sizes must be specified in bytes. If the multi‐
305 file option is in effect, this option specifies the size of the
306 entire export, not of individual files. If the file is not
307 present, a single file is created of this size.
308
309 When specified on the command line, this should be the third
310 argument.
311
312 flush Optional; boolean.
313
314 When this option is enabled, nbd-server will inform the client
315 that it supports and desires to be sent flush requests when the
316 elevator layer receives them. Receipt of a flush request will
317 cause an fdatasync() (or, if the sync option is set, an fsync())
318 on the backend storage. This increases reliability in the case
319 of an unclean shutdown at the expense of a degradation of per‐
320 formance. This option will have no effect unless supported by
321 the client.
322
323 force_tls
324 Optional; boolean.
325
326 Require the use of TLS for this export to be available.
327
328 When this option has been enabled for an export, clients that do
329 not negotiate TLS will not see the export when they request a
330 list of exports, and will not be able to connect to it.
331
332 Enabling this option when TLS credentials have not been config‐
333 ured in the [generic] section is possible, but silly.
334
335 fua Optional; boolean.
336
337 When this option is enabled, nbd-server will inform the client
338 that it supports and desires to be sent fua (force unit access)
339 commands when the elevator layer receives them. Receipt of a
340 force unit access command will cause the specified command to be
341 synced to backend storage using sync_file_range() if supported,
342 or fdatasync() otherwise. This increases reliability in the case
343 of an unclean shutdown at the expense of a degradation of per‐
344 formance. This option will have no effect unless supported by
345 the client.
346
347 listenaddr
348 Optional; string
349
350 Ignored, kept for compatibility with the obsolete 'oldstyle'
351 global parameter.
352
353 maxconnections
354 Optional; integer
355
356 If specified, then it limits the number of opened connections
357 for this export.
358
359 multifile
360 Optional; boolean.
361
362 If this option is set to true, then nbd-server will search for
363 files of the form exportname.integer, with exportname being the
364 filename that would otherwise have been used (after name trans‐
365 formation for virtualization, if any, has been performed) and
366 integer an integer number, starting with 0 and ending when no
367 more files can be found.
368
369 The size of the individual files will be autodetected, even if
370 the filesize option has been specified.
371
372 Corresponds to the -m option on the command line.
373
374 treefiles
375 Optional; boolean.
376
377 If this option is set to true, then nbd-server will search for
378 files of the form exportname/TREEXXXX/.../FILEXXXX, with export‐
379 name being the filename that would otherwise have been used
380 (after name transformation for virtualization, if any, has been
381 performed) and TREEXXXX and FILEXXXX being autogenerated direc‐
382 tory and path names for individual block files.
383
384 Files and directories are automatically created. Files will be
385 deleted if the corresponding block gets marked as unused. The
386 size of the individual block files is fixed to 4096 bytes.
387 There will be at most 1024 files/subdirectories per folder. An
388 apropriate nesting level of subdirectories will be created to
389 create a filesystem of filesize bytes in total forming a virtual
390 block device.
391
392 This feature is useful to provide a virtual block device on an
393 underlying filesystem that does not handle large files well, for
394 example fuse/ftpfs, davfs or other network filesytems.
395
396 This feature is mutually exclusive with the -m and will take
397 precedence if both are given. There is no corresponding command
398 line option, since command line control is considered depre‐
399 cated. You can however specify a custom config file with the -C
400 option. The filesize option must be specified when using this
401 feature!
402
403 postrun
404 Optional; string
405
406 If specified, then it is assumed to be a command that will be
407 ran when a client has disconnected. This can be useful to clean
408 up whatever prerun has set up, to log something, or similar.
409
410 If the literal string '%s' is present in the command, it will be
411 replaced by the file name that has just been closed.
412
413 In contrast to the prerun option, the exit state of postrun is
414 ignored.
415
416 prerun Optional; string
417
418 If specified, then this command will be ran after a client has
419 connected to the server (and has been accepted), but before the
420 server starts serving. If the command contains the literal
421 string '%s', then this string will be replaced by the filename
422 of the file which nbd-server wants to export.
423
424 This is useful to create export files on the fly, or to verify
425 that a file can be used for export, to write something to a log
426 file, or similar.
427
428 If the command runs with a nonzero exit status, then nbd-server
429 will assume the export will fail, and refuse to serve it.
430
431 readonly
432 Optional; boolean.
433
434 Disallow writes to the device. If this option is specified, nbd-
435 server will issue an error to any client that tries to write to
436 the device.
437
438 Use of this option in conjunction with copyonwrite is possible,
439 but silly.
440
441 Corresponds to the -r option on the command line.
442
443 rotational
444 Optional; boolean.
445
446 When this option is enabled, nbd-server will inform the client
447 that it would prefer it to send requests in elevator (i.e.,
448 optimized) order, perhaps because it has a backing store and no
449 local elevator. By default, the client uses QUEUE_FLAG_NONROT,
450 which effectively restricts the function of the elevator to
451 block merges. By specifying this flag on the server, the client
452 will not use QUEUE_FLAG_NONROT, meaning the client elevator will
453 perform normal elevator ordering of I/O requests. Note that even
454 when the backing store is on rotating media, it is not normally
455 necessary to specify this flag, as the server's elevator algo‐
456 rithm will be used. This flag is only required where the server
457 will not be using an elevator algorithm or where the elevator
458 algorithm is effectively neutered (e.g. with the sync option
459 set). This option will have no effect unless supported by the
460 client.
461
462 sdp Optional; boolean.
463
464 When this option is enabled, nbd-server will use the Socket
465 Direct Protocol (SDP) to serve the export, rather than just IP.
466 This is faster, but requires special hardware (usually something
467 like InfiniBand) and support in the kernel.
468
469 Additionally, support for this option must be enabled at compile
470 time, using the --enable-sdp option to the configure script. If
471 this option is found in a configuration file and nbd-server does
472 not have support for SDP, then nbd-server will exit with an
473 error message.
474
475 sparse_cow
476 Optional; boolean.
477
478 When this option is enabled, nbd-server will use sparse files to
479 implement the copy-on-write option; such files take up less
480 space then they appear to, which allows nbd-server to handle the
481 file as if it was just as large as the block device it's for.
482
483 If this option is disabled, nbd-server will map every newly
484 written block to the end of the copy-on-write file, which means
485 that nbd-server will have to lseek(2) to the right position
486 after every 4096-byte block.
487
488 Using this option may be faster when much is being written dur‐
489 ing a connection.
490
491 sync Optional; boolean.
492
493 When this option is enabled, nbd-server will call an fsync()
494 after every write to the backend storage. Calling fsync()
495 increases reliability in case of an unclean shutdown of nbd-
496 server; but, depending on the file system used on the nbd-server
497 side, may degrade performance. The use of this option isn't
498 always necessary; e.g., on ext3 filesystems, it is recommended
499 that it is not enabled, since it seriously reduces performance
500 on ext3 filesystems while not importantly impacting reliability.
501
502 temporary
503 Optional; boolean.
504
505 Create a temporary export with a name based on exportname (this
506 can be used to set the directory). A unique filename is created,
507 which is unlinked as soon as it is created, and therefore the
508 export will not persist between invocations of nbd-server. Set
509 the size of the file using the filesize option. This option is
510 incompatible with the multifile option.
511
512 When specified on the command line, this should be the third
513 argument.
514
515 timeout
516 Optional; integer; default 0
517
518 How many seconds a connection may be idle for this export. When
519 a connection is idle for a longer time, nbd-server will forcibly
520 disconnect the connection. If you specify 0 (the default), then
521 a connection may be idle forever.
522
523 Corresponds to the -a option on the command line
524
525 transactionlog
526 Optional; string
527
528 If specified, then this pathname is used to generate a transac‐
529 tion log. A transaction log is a binary file consisting of the
530 requests sent to and the replies received by the server, but
531 excluding any data (so, for a write command, it records the off‐
532 set and length of the write but not the data written). It is
533 therefore relatively safe to distribute to a third party. Note
534 that the transaction log does not include the negotiation
535 sequence. Transaction logs are mainly useful for debugging. The
536 program nbd-tester-client distributed with the source to this
537 program can reply a transaction log against a server and perform
538 a data integrity test. Note that the transaction log is written
539 to for every client opened. If it is necessary to maintain sepa‐
540 rate transaction logs for each client, the prerun script should
541 rename the transaction log (which will just have been opened in
542 order to avoid transaction logs overwriting eachother. This
543 action should be race-free.
544
545 trim Optional; boolean
546
547 When this option is activated, the server announces it supports
548 the NBD_CMD_TRIM command for the export. This command allows the
549 server to discard the data from the disk, but does not require
550 it to.
551
552 virtstyle
553 Optional; string; default "ipliteral"
554
555 Defines the style of virtualization. Virtualization allows one
556 to create one export that will serve a different file depending
557 on the IP address that is connecting. When virtualization is
558 active, the exportname parameter needs to contain the string
559 '%s'; this will then be replaced by the IP address of the client
560 connecting, in accordance with the option selected here. The
561 result of this transformation is then used as the filename to be
562 opened.
563
564 When a client connects over a UNIX domain socket, the literal
565 string "unix" is used in lieu of a client IP address.
566
567 There are four types of virtualization that nbd-server supports:
568
569 none No virtualization. Will attempt to open the filename as
570 it was written, even if it contains '%s' in the name.
571
572 ipliteral
573 The %s is replaced by the IP address of the connecting
574 host is used as-is. For IPv4, this is done in dotted-
575 quad notation; for IPv6, in hexadecimal form with leading
576 zeros omitted.
577
578 As an example, if a client connects from 192.168.1.100
579 and exportname is specified as /export/%s, then nbd-
580 server will attempt to serve /export/192.168.1.100. For
581 IPv6, with a client connecting from 2001:6f8:32f::39, the
582 filename would be /export/2001:6f8:32f:0:0:0:0:39
583
584 iphash Same as above, except that nbd-server will replace the
585 dots in the IP address by forward slashes ('/'); in the
586 same example, nbd-server would open /export/192/168/1/100
587 instead.
588
589 Since there are no dots in most IPv6 addresses, the
590 effect of using this option when IPv6 is in use is indis‐
591 tinguishable from the ipliteral option. It was thought
592 that having to create an eight-deep directory structure
593 would not be as useful.
594
595 cidrhash
596 This option requires one to add a space and a number
597 after it. nbd-server will use the number as a network
598 mask in CIDR style, and use that as a hash cutoff point.
599 In the above example, if virtstyle has been specified as
600 cidrhash 16, then nbd-server will try to open
601 /export/192.168.0.0/192.168.1.100; if virtstyle were
602 specified as cidrhash 26, then nbd-server will try to
603 open /export/192.168.1.64/192.168.1.100.
604
605 For IPv6, in the above example, with cidrhash 42, the
606 filename would be
607 /export/2001:32f:6c0:0:0:0:0:0/2001:32f:6f8:0:0:0:0:39.
608
609 tlsonly
610 Optional; boolean.
611
612 When this option is enabled, nbd-server will only serve the
613 export using the TLS extension. If this option is not supplied,
614 TLS is optional, unless tlsonly is set in the generic section.
615 In order for TLS to work at all, the keyfile option must be
616 specified in the generic section.
617
618 waitfile
619 Optional; string.
620
621 When this option is set, nbd-server will allow writes to this
622 export, but not reads, until the server is sent a SIGUSR1 com‐
623 mand. Any writes to the export will be stored in a diff file
624 with the same algorithm as for the copy-on-write option. In par‐
625 ticular, this means that the cowdir option is in effect for this
626 option, too.
627
628 The backend file (as per the exportname parameter) need not
629 exist until the SIGUSR1 signal is sent to the server.
630
631 Once SIGUSR1 is received, nbd-server will open the main export
632 file, and start merging all outstanding writes into it. Once
633 this operation finishes, the diff file will be removed, and the
634 server will allow normal use of the export.
635
636 This allows the out-of-band live migration of an export from one
637 server to another.
638
639 Note that this option cannot be combined with the copy-on-write
640 option itself.
641
643 nbd-server (1), nbd-client (8), nbd-trdump (8)
644
646 The NBD kernel module and the NBD tools were originally written by
647 Pavel Machek (pavel@ucw.cz)
648
649 The Linux kernel module is now maintained by Paul Clements
650 (Paul.Clements@steeleye.com), while the userland tools are maintained
651 by Wouter Verhelst (<wouter@debian.org>)
652
653 On The Hurd there is a regular translator available to perform the
654 client side of the protocol, and the use of nbd-client is not required.
655 Please see the relevant documentation for more information.
656
657 This manual page was written by Wouter Verhelst (<wouter@debian.org>)
658 for the Debian GNU/Linux system (but may be used by others). Permis‐
659 sion is granted to copy, distribute and/or modify this document under
660 the terms of the GNU General Public License, version 2, as published by
661 the Free Software Foundation.
662
664 A simple nbd-server configuration file would look like this:
665
666 [generic]
667 [export]
668 exportname = /export/blkdev
669
670
671 For increased security, one might want to create an authorization file,
672 and set the UID and GID to run as:
673
674 [generic]
675 user = nbd
676 group = nbd
677 [export]
678 exportname = /export/blkdev
679 authfile = /etc/nbd-server/allow
680
681
682 With /etc/nbd-server/allow containing the following:
683
684 127.0.0.1
685 192.168.0.0/8
686 192.168.1.1
687
688
689
690
691 : 2006-10-18 15:01:57 +0200 (wo, 18 okt 2006) $ NBD-SERVER(5)