QEMU-NBD(8)                          QEMU                          QEMU-NBD(8)

NAME
       qemu-nbd - QEMU Disk Network Block Device Server

SYNOPSIS
       qemu-nbd [OPTION]... filename

       qemu-nbd -L [OPTION]...

       qemu-nbd -d dev

DESCRIPTION
       Export a QEMU disk image using the NBD protocol.

       Other uses:

       · Bind a /dev/nbdX block device to a QEMU server (on Linux).

       · As a client to query exports of a remote NBD server.

OPTIONS
       filename is a disk image filename, or a set of block driver options if
       --image-opts is specified.

       dev is an NBD device.

       --object type,id=ID,...props...
              Define a new instance of the type object class identified by ID.
              See the qemu(1) manual page for full details of the properties
              supported. The common object types that it makes sense to define
              are the secret object, which is used to supply passwords and/or
              encryption keys, and the tls-creds object, which is used to
              supply TLS credentials for the qemu-nbd server or client.

       -p, --port=PORT
              TCP port to listen on as a server, or connect to as a client
              (default 10809).

       -o, --offset=OFFSET
              The offset into the image.

       -b, --bind=IFACE
              The interface to bind to as a server, or connect to as a client
              (default 0.0.0.0).

       -k, --socket=PATH
              Use a unix socket with path PATH.

       --image-opts
              Treat filename as a set of image options, instead of a plain
              filename. If this flag is specified, the -f flag should not be
              used, instead the format= option should be set.

       -f, --format=FMT
              Force the use of the block driver for format FMT instead of
              auto-detecting.

       -r, --read-only
              Export the disk as read-only.

       -B, --bitmap=NAME
              If filename has a qcow2 persistent bitmap NAME, expose that
              bitmap via the qemu:dirty-bitmap:NAME context accessible through
              NBD_OPT_SET_META_CONTEXT.

       -s, --snapshot
              Use filename as an external snapshot, create a temporary file
              with backing_file=filename, redirect the write to the temporary
              one.

       -l, --load-snapshot=SNAPSHOT_PARAM
              Load an internal snapshot inside filename and export it as a
              read-only device. SNAPSHOT_PARAM format is
              snapshot.id=[ID],snapshot.name=[NAME] or [ID_OR_NAME].

       --cache=CACHE
              The cache mode to be used with the file. See the documentation
              of the emulator's -drive cache=... option for allowed values.

       -n, --nocache
              Equivalent to --cache=none.

       --aio=AIO
              Set the asynchronous I/O mode between threads (the default),
              native (Linux only), and io_uring (Linux 5.1+).

       --discard=DISCARD
              Control whether discard (also known as trim or unmap) requests
              are ignored or passed to the filesystem. DISCARD is one of
              ignore (or off), unmap (or on). The default is ignore.

       --detect-zeroes=DETECT_ZEROES
              Control the automatic conversion of plain zero writes by the OS
              to driver-specific optimized zero write commands. DETECT_ZEROES
              is one of off, on, or unmap. unmap converts a zero write to an
              unmap operation and can only be used if DISCARD is set to unmap.
              The default is off.

       -c, --connect=DEV
              Connect filename to NBD device DEV (Linux only).

       -d, --disconnect
              Disconnect the device DEV (Linux only).

       -e, --shared=NUM
              Allow up to NUM clients to share the device (default 1). Safe
              for readers, but for now, consistency is not guaranteed between
              multiple writers.

       -t, --persistent
              Don't exit on the last connection.

       -x, --export-name=NAME
              Set the NBD volume export name (default of a zero-length
              string).

       -D, --description=DESCRIPTION
              Set the NBD volume export description, as a human-readable
              string.

       -L, --list
              Connect as a client and list all details about the exports
              exposed by a remote NBD server. This enables list mode, and is
              incompatible with options that change behavior related to a
              specific export (such as --export-name, --offset, ...).

       --tls-creds=ID
              Enable mandatory TLS encryption for the server by setting the ID
              of the TLS credentials object previously created with the
              --object option; or provide the credentials needed for
              connecting as a client in list mode.

       --fork
              Fork off the server process and exit the parent once the server
              is running.

       --pid-file=PATH
              Store the server's process ID in the given file.

       --tls-authz=ID
              Specify the ID of a qauthz object previously created with the
              --object option. This will be used to authorize connecting users
              against their x509 distinguished name.

       -v, --verbose
              Display extra debugging information.

       -h, --help
              Display this help and exit.

       -V, --version
              Display version information and exit.

       -T, --trace [[enable=]PATTERN][,events=FILE][,file=FILE]
              Specify tracing options.

              [enable=]PATTERN
                     Immediately enable events matching PATTERN (either event
                     name or a globbing pattern). This option is only
                     available if QEMU has been compiled with the simple, log
                     or ftrace tracing backend. To specify multiple events or
                     patterns, specify the --trace option multiple times.

                     Use --trace help to print a list of names of trace
                     points.

              events=FILE
                     Immediately enable events listed in FILE. The file must
                     contain one event name (as listed in the trace-events-all
                     file) per line; globbing patterns are accepted too. This
                     option is only available if QEMU has been compiled with
                     the simple, log or ftrace tracing backend.

              file=FILE
                     Log output traces to FILE. This option is only available
                     if QEMU has been compiled with the simple tracing
                     backend.

EXAMPLES
       Start a server listening on port 10809 that exposes only the
       guest-visible contents of a qcow2 file, with no TLS encryption, and
       with the default export name (an empty string). The command is
       one-shot, and will block until the first successful client disconnects:

           qemu-nbd -f qcow2 file.qcow2

       Start a long-running server listening with encryption on port 10810,
       and whitelist clients with a specific X.509 certificate to connect to a
       1 megabyte subset of a raw file, using the export name 'subset':

           qemu-nbd \
             --object tls-creds-x509,id=tls0,endpoint=server,dir=/path/to/qemutls \
             --object 'authz-simple,id=auth0,identity=CN=laptop.example.com,,O=Example Org,,L=London,,ST=London,,C=GB' \
             --tls-creds tls0 --tls-authz auth0 \
             -t -x subset -p 10810 \
             --image-opts driver=raw,offset=1M,size=1M,file.driver=file,file.filename=file.raw

       Serve a read-only copy of a guest image over a Unix socket with as many
       as 5 simultaneous readers, with a persistent process forked as a
       daemon:

           qemu-nbd --fork --persistent --shared=5 --socket=/path/to/sock \
             --read-only --format=qcow2 file.qcow2

       Expose the guest-visible contents of a qcow2 file via a block device
       /dev/nbd0 (and possibly creating /dev/nbd0p1 and friends for partitions
       found within), then disconnect the device when done. Access to bind
       qemu-nbd to an /dev/nbd device generally requires root privileges, and
       may also require the execution of modprobe nbd to enable the kernel NBD
       client module. CAUTION: Do not use this method to mount filesystems
       from an untrusted guest image - a malicious guest may have prepared the
       image to attempt to trigger kernel bugs in partition probing or file
       system mounting.

           qemu-nbd -c /dev/nbd0 -f qcow2 file.qcow2
           qemu-nbd -d /dev/nbd0

       Query a remote server to see details about what export(s) it is serving
       on port 10809, and authenticating via PSK:

           qemu-nbd \
             --object tls-creds-psk,id=tls0,dir=/tmp/keys,username=eblake,endpoint=client \
             --tls-creds tls0 -L -b remote.example.com

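       The server defaults documented above (no TLS unless --tls-creds is
       given, bind address 0.0.0.0, no consistency guarantee between multiple
       writers) can be checked before a server is launched. The script below
       is an added example, not part of the QEMU manual page or of QEMU;
       nbd_audit and its finding names are hypothetical.

```sh
#!/bin/sh
# nbd_audit: hypothetical helper (not part of QEMU). Reads a qemu-nbd
# argument list and prints space-separated findings based on the defaults
# documented above. Handles "-o VAL", "--opt VAL" and "--opt=VAL"; bundled
# short options such as "-rt" are not parsed.
nbd_audit() {
    local tcp=1 bind=0.0.0.0 tls= authz= x509=0 ro=0 shared=1 out=
    while [ $# -gt 0 ]; do
        case "$1" in
            -L|--list|-d|--disconnect) echo client-mode; return 0 ;;
            -k|--socket|-c|--connect)  tcp=0; shift ;;
            --socket=*|--connect=*)    tcp=0 ;;
            -b|--bind)       bind=${2-}; shift ;;
            --bind=*)        bind=${1#*=} ;;
            -e|--shared)     shared=${2-}; shift ;;
            --shared=*)      shared=${1#*=} ;;
            --tls-creds)     tls=${2-}; shift ;;
            --tls-creds=*)   tls=${1#*=} ;;
            --tls-authz)     authz=${2-}; shift ;;
            --tls-authz=*)   authz=${1#*=} ;;
            -r|--read-only)  ro=1 ;;
            --object)        case "${2-}" in tls-creds-x509,*) x509=1 ;; esac; shift ;;
        esac
        [ $# -eq 0 ] || shift
    done
    case "$shared" in ''|*[!0-9]*) shared=1 ;; esac   # ignore non-numeric NUM
    # Cleartext TCP listener: no --tls-creds; also note the wildcard bind.
    if [ "$tcp" -eq 1 ] && [ -z "$tls" ]; then
        out="$out no-tls"
        case "$bind" in 0.0.0.0|::|'') out="$out bind-all" ;; esac
    fi
    # X.509 credentials without --tls-authz: the client DN is not checked.
    if [ -n "$tls" ] && [ "$x509" -eq 1 ] && [ -z "$authz" ]; then
        out="$out no-authz"
    fi
    # --shared > 1 on a writable export: multiple writers may conflict.
    if [ "$shared" -gt 1 ] && [ "$ro" -eq 0 ]; then
        out="$out multi-writer"
    fi
    echo "${out# }"
}

# Sample runs on two command lines from the EXAMPLES section.
nbd_audit -f qcow2 file.qcow2
nbd_audit --fork --persistent --shared=5 --socket=/path/to/sock --read-only --format=qcow2 file.qcow2
```

       An empty line of output means none of the three conditions was found;
       client invocations (-L, -d) are reported as client-mode and skipped.
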
SEE ALSO
       qemu(1), qemu-img(1)

AUTHOR
       Anthony Liguori <anthony@codemonkey.ws>

COPYRIGHT
       2021, The QEMU Project Developers

5.1.0                            Jan 11, 2021                      QEMU-NBD(8)