1QEMU-NBD(8)                          QEMU                          QEMU-NBD(8)
2
3
4

NAME

6       qemu-nbd - QEMU Disk Network Block Device Server
7

SYNOPSIS

9       qemu-nbd [OPTION]... filename
10
11       qemu-nbd -L [OPTION]...
12
13       qemu-nbd -d dev
14

DESCRIPTION

16       Export a QEMU disk image using the NBD protocol.
17
18       Other uses:
19
20       • Bind a /dev/nbdX block device to a QEMU server (on Linux).
21
22       • As a client to query exports of a remote NBD server.
23

OPTIONS

25       filename  is a disk image filename, or a set of block driver options if
26       --image-opts is specified.
27
28       dev is an NBD device.
29
30       --object type,id=ID,...props...
31              Define a new instance of the type object class identified by ID.
32              See  the  qemu(1) manual page for full details of the properties
33              supported. The common object types that it makes sense to define
34              are  the secret object, which is used to supply passwords and/or
35              encryption keys, and the tls-creds object, which is used to sup‐
36              ply TLS credentials for the qemu-nbd server or client.
37
38       -p, --port=PORT
39              TCP  port  to  listen  on as a server, or connect to as a client
40              (default 10809).
41
42       -o, --offset=OFFSET
43              The offset into the image.
44
45       -b, --bind=IFACE
46              The interface to bind to as a server, or connect to as a  client
47              (default 0.0.0.0).
48
49       -k, --socket=PATH
50              Use a unix socket with path PATH.
51
52       --image-opts
53              Treat  filename  as  a  set of image options, instead of a plain
54              filename. If this flag is specified, the -f flag should  not  be
55              used, instead the format= option should be set.
56
57       -f, --format=FMT
58              Force  the  use  of  the  block driver for format FMT instead of
59              auto-detecting.
60
61       -r, --read-only
62              Export the disk as read-only.
63
64       -A, --allocation-depth
65              Expose  allocation  depth  information  via   the   qemu:alloca‐
66              tion-depth      metadata      context     accessible     through
67              NBD_OPT_SET_META_CONTEXT.
68
69       -B, --bitmap=NAME
70              If filename has a qcow2 persistent bitmap NAME, expose that bit‐
71              map  via  the qemu:dirty-bitmap:NAME metadata context accessible
72              through NBD_OPT_SET_META_CONTEXT.
73
74       -s, --snapshot
75              Use filename as an external snapshot, create  a  temporary  file
76              with  backing_file=filename, redirect the write to the temporary
77              one.
78
79       -l, --load-snapshot=SNAPSHOT_PARAM
80              Load an internal snapshot inside filename and export  it  as  an
81              read-only     device,    SNAPSHOT_PARAM    format    is    snap‐
82              shot.id=[ID],snapshot.name=[NAME] or [ID_OR_NAME]
83
84       --cache=CACHE
85              The cache mode to be used with the file.  See the  documentation
86              of the emulator's -drive cache=... option for allowed values.
87
88       -n, --nocache
89              Equivalent to --cache=none.
90
91       --aio=AIO
92              Set the asynchronous I/O mode between threads (the default), na‐
93              tive (Linux only), and io_uring (Linux 5.1+).
94
95       --discard=DISCARD
96              Control whether discard (also known as trim or  unmap)  requests
97              are  ignored  or passed to the filesystem. DISCARD is one of ig‐
98              nore (or off), unmap (or on).  The default is ignore.
99
100       --detect-zeroes=DETECT_ZEROES
101              Control the automatic conversion of plain zero writes by the  OS
102              to driver-specific optimized zero write commands.  DETECT_ZEROES
103              is one of off, on, or unmap.  unmap converts a zero write to  an
104              unmap operation and can only be used if DISCARD is set to unmap.
105              The default is off.
106
107       -c, --connect=DEV
108              Connect filename to NBD device DEV (Linux only).
109
110       -d, --disconnect
111              Disconnect the device DEV (Linux only).
112
113       -e, --shared=NUM
114              Allow up to NUM clients to share the device  (default  1).  Safe
115              for  readers, but for now, consistency is not guaranteed between
116              multiple writers.
117
118       -t, --persistent
119              Don't exit on the last connection.
120
121       -x, --export-name=NAME
122              Set the  NBD  volume  export  name  (default  of  a  zero-length
123              string).
124
125       -D, --description=DESCRIPTION
126              Set  the  NBD  volume  export  description,  as a human-readable
127              string.
128
129       -L, --list
130              Connect as a client and list all details about the  exports  ex‐
131              posed  by  a  remote NBD server.  This enables list mode, and is
132              incompatible with options that change behavior related to a spe‐
133              cific export (such as --export-name, --offset, ...).
134
135       --tls-creds=ID
136              Enable mandatory TLS encryption for the server by setting the ID
137              of the TLS credentials object previously created with the  --ob‐
138              ject option; or provide the credentials needed for connecting as
139              a client in list mode.
140
141       --fork Fork off the server process and exit the parent once the  server
142              is running.
143
144       --pid-file=PATH
145              Store the server's process ID in the given file.
146
147       --tls-authz=ID
148              Specify  the  ID  of a qauthz object previously created with the
149              --object option. This will be used to authorize connecting users
150              against their x509 distinguished name.
151
152       -v, --verbose
153              Display extra debugging information.
154
155       -h, --help
156              Display this help and exit.
157
158       -V, --version
159              Display version information and exit.
160
161       -T, --trace [[enable=]PATTERN][,events=FILE][,file=FILE]
162              Specify tracing options.
163
164              [enable=]PATTERN
165                 Immediately enable events matching PATTERN (either event name
166                 or a globbing pattern).  This option  is  only  available  if
167                 QEMU has been compiled with the simple, log or ftrace tracing
168                 backend.  To specify multiple events or patterns, specify the
169                 -trace option multiple times.
170
171                 Use -trace help to print a list of names of trace points.
172
173              events=FILE
174                 Immediately enable events listed in FILE.  The file must con‐
175                 tain one event name (as listed in the trace-events-all  file)
176                 per line; globbing patterns are accepted too.  This option is
177                 only available if QEMU has been compiled with the simple, log
178                 or ftrace tracing backend.
179
180              file=FILE
181                 Log  output traces to FILE.  This option is only available if
182                 QEMU has been compiled with the simple tracing backend.
183

EXAMPLES

185       Start a server listening on port 10809 that exposes only the guest-vis‐
186       ible contents of a qcow2 file, with no TLS encryption, and with the de‐
187       fault export name (an empty string). The command is one-shot, and  will
188       block until the first successful client disconnects:
189
190          qemu-nbd -f qcow2 file.qcow2
191
192       Start  a  long-running  server listening with encryption on port 10810,
193       and whitelist clients with a specific X.509 certificate to connect to a
194       1 megabyte subset of a raw file, using the export name 'subset':
195
196          qemu-nbd \
197            --object tls-creds-x509,id=tls0,endpoint=server,dir=/path/to/qemutls \
198            --object 'authz-simple,id=auth0,identity=CN=laptop.example.com,,\
199                      O=Example Org,,L=London,,ST=London,,C=GB' \
200            --tls-creds tls0 --tls-authz auth0 \
201            -t -x subset -p 10810 \
202            --image-opts driver=raw,offset=1M,size=1M,file.driver=file,file.filename=file.raw
203
204       Serve a read-only copy of a guest image over a Unix socket with as many
205       as 5 simultaneous readers, with a persistent process forked as  a  dae‐
206       mon:
207
208          qemu-nbd --fork --persistent --shared=5 --socket=/path/to/sock \
209            --read-only --format=qcow2 file.qcow2
210
211       Expose  the  guest-visible  contents of a qcow2 file via a block device
212       /dev/nbd0 (and possibly creating /dev/nbd0p1 and friends for partitions
213       found  within),  then  disconnect the device when done.  Access to bind
214       qemu-nbd to an /dev/nbd device generally requires root privileges,  and
215       may also require the execution of modprobe nbd to enable the kernel NBD
216       client module.  CAUTION: Do not use this method  to  mount  filesystems
217       from an untrusted guest image - a malicious guest may have prepared the
218       image to attempt to trigger kernel bugs in partition  probing  or  file
219       system mounting.
220
221          qemu-nbd -c /dev/nbd0 -f qcow2 file.qcow2
222          qemu-nbd -d /dev/nbd0
223
224       Query a remote server to see details about what export(s) it is serving
225       on port 10809, and authenticating via PSK:
226
227          qemu-nbd \
228            --object tls-creds-psk,id=tls0,dir=/tmp/keys,username=eblake,endpoint=client \
229            --tls-creds tls0 -L -b remote.example.com
230

SEE ALSO

232       qemu(1), qemu-img(1)
233

AUTHOR

235       Anthony Liguori <anthony@codemonkey.ws>
236
238       2021, The QEMU Project Developers
239
240
241
242
2435.2.0                            May 19, 2021                      QEMU-NBD(8)
Impressum