1NBD-CLIENT(8) NBD-CLIENT(8)
2
6 nbd-client - connect to a server running nbd-server(1), to use its
7 exported block device
8
10 nbd-client host [ port ] nbd-device [ -connections num ] [ -sdp ] [
11 -swap ] [ -persist ] [ -nofork ] [ -nonetlink ] [ -systemd-mark ] [
12 -readonly ] [ -preinit ] [ -block-size block size ] [ -size bytes ] [
13 -timeout seconds ] [ -name name ] [ -certfile certfile ] [ -keyfile
14 keyfile ] [ -cacertfile cacertfile ] [ -tlshostname hostname ]
15 nbd-client -unix path nbd-device [ -connections num ] [ -sdp ] [ -swap
18 ] [ -persist ] [ -nofork ] [ -nonetlink ] [ -systemd-mark ] [ -readonly
19 ] [ -preinit ] [ -block-size block size ] [ -size bytes ] [ -timeout
20 seconds ] [ -name name ]
21 nbd-client nbd-device
24 nbd-client -d nbd-device
27 nbd-client -c nbd-device
30 nbd-client -l host [ port ]
33 nbd-client [ -netlink ] -l host
36
39 With nbd-client, you can connect to a server running nbd-server, thus
40 using raw diskspace from that server as a blockdevice on the local
41 client.
42 To do this, support from the Linux Kernel is necessary, in the form of
44 the Network Block Device (NBD). When you have that, either in the ker‐
45 nel, or as a module, you can connect to an NBD server and use its ex‐
46 ported file through a block special file with major mode 43.
47 Optionally, long options can also be specified with two leading dashes.
49
51 The following options are supported:
52 -block-size block size
54 -b Use a blocksize of "block size". Default is 1024; allowed values
56 are either 512, 1024, 2048 or 4096
57 -connections num
59 -C Use num connections to the server, to allow speeding up request
61 handling, at the cost of higher resource usage on the server.
62 Use of this option requires kernel support available first with
63 Linux 4.9.
64 host The hostname or IP address of the machine running nbd-server.
66 Since 2.9.15, the NBD utilities support IPv6.
67 -timeout seconds
69 -t Set the connection timeout to "seconds". For this to work, you
71 need a kernel with support for the NBD_SET_TIMEOUT ioctl; this
72 was introduced into Linus' tree on 2007-10-11, and will be part
73 of kernel 2.6.24.
74 port The TCP port on which nbd-server is running at the server.
76 The port number defaults to 10809, the IANA-assigned port number
78 for the NBD protocol.
79 Previous versions of the nbd tools supported an older version of
81 the negotiation protocol known as "oldstyle". This protocol
82 version is no longer supported as of version 3.11 of the nbd
83 support tools.
84 nbd-device
86 The block special file (/dev entry) which this nbd-client should
87 connect to, specified as a full path.
88 When the mode is used wherein no hostname or export name is
90 specified, nbd-client will look up the necessary configuration
91 in the nbdtab file. For more information, see nbdtab(5).
92 -check
94 -c Check whether the specified nbd device is connected.
96 If the device is connected, nbd-client will exit with an exit
98 state of 0 and print the PID of the nbd-client instance that
99 connected it to stdout.
100 If the device is not connected or does not exist (for example
102 because the nbd module was not loaded), nbd-client will exit
103 with an exit state of 1 and not print anything on stdout.
104 If an error occurred, nbd-client will exit with an exit state of
106 2, and not print anything on stdout either.
107 -disconnect
109 -d Disconnect the specified nbd device from the server
111 -list
113 -l Ask the server for a list of available exports. If the server is
115 exporting over IPv6 as well as over IPv4, this will list all ex‐
116 ports twice; otherwise, it should list them all only once.
117 Note that this option only works with nbd-server processes run‐
119 ning version 3.1 or above, and must be enabled in server config‐
120 uration (with the "allowlist" option) before it can be used.
121 -nonetlink
123 -L Starting with version 3.17, nbd-client will default to using the
125 netlink interface to configure an NBD device. This option allows
126 to use the older ioctl() interface to configure the device.
127 This option is only available if nbd-client was compiled against
129 libnl-genl. If that is not the case, nbd-client will only be
130 able to use the ioctl interface (and the option will not be
131 available).
132 Note that a future version of nbd-client will require the use of
134 netlink, but it has not yet been decided when that will be the
135 case.
136 -persist
138 -p When this option is specified, nbd-client will immediately try
140 to reconnect an nbd device if the connection ever drops unex‐
141 pectedly due to a lost server or something similar.
142 -preinit
144 -P When this option is specified, nbd-client will skip the usual
146 negotiation with the server, and hand the socket to the kernel
147 immediately after connecting. Only use this when connecting to
148 specialized NBD servers specifically designed for it. This re‐
149 quires specifying the size of the device via the -B option, and
150 does not support TLS.
151 -readonly
153 -R When this option is specified, nbd-client will tell the kernel
155 to treat the device as read-only, even if the server would allow
156 writes.
157 -size bytes
159 -B bytes
161 Force the device size to the specified number of bytes, rather
162 than using the value from server negotiation. Must be a multiple
163 of the block size. If using preinit (-P) to skip negotiation,
164 this option is required.
165 -sdp
167 -S Connect to the server using the Socket Direct Protocol (SDP),
169 rather than IP. See nbd-server(5) for details.
170 -swap
172 -s Specifies that this NBD device will be used as swapspace. This
174 option attempts to prevent deadlocks by performing mlockall()
175 and adjusting the oom-killer score at an appropriate time. It
176 does not however guarantee that such deadlocks can be avoided.
177 -systemd-mark
179 -m The systemd init system requires that processes which should not
181 be killed at shutdown time be marked appropriately by replacing
182 the first letter of their argv[0] with an '@' sign.
183 This option will cause nbd-client to do so.
185 Note that this only works if nbd-client is run from an initrd;
187 i.e., systemd will ignore such a mark if run from a systemd unit
188 file or from the command line.
189 -nofork
191 -n Specifies that the NBD client should not detach and daemonize
193 itself. This is mostly useful for debugging.
194 Note that nbd-client will still fork once to trigger an update
196 to the device node's partition table. It is not possible to dis‐
197 able this.
198 -no-optgo
200 -g Disable the use of the NBD_OPT_GO protocol message, and force
202 the use of NBD_OPT_EXPORT_NAME instead.
203 The NBD protocol has two phases: the negotiation phase, and the
205 transmission phase. To move from negotation to transmission,
206 older clients sent the NBD_OPT_EXPORT_NAME message, for which
207 the server could not produce an error message in case the export
208 name did not exist (or the client had insufficient permissions
209 to access it). Due to those limitations, a replacement message
210 NBD_OPT_GO was created instead, which allows the server to reply
211 with an error in case of any problems.
212 The protocol allows for a server to discard a message which it
214 does not understand; however, unfortunately some implementations
215 (including older versions of nbd-server) did not handle that
216 situation correctly and would get out of sync with the client
217 when it sent a message which the server did not understand.
218 When sending NBD_OPT_GO, nbd-client will try to do the right
220 thing and fall back to NBD_OPT_EXPORT_NAME. However, when the
221 server has the above-described bug, then this does not work. In
222 such a situation, the client will issue a diagnostic suggesting
223 the use of this option.
224 Note that there is a corresponding option for nbdtab, too.
226 -name
228 -N Specifies the name of the export that we want to use. If not
230 specified, nbd-client will ask for a "default" export, if one
231 exists on the server.
232 -unix
234 -u Connect to the server over a unix domain socket at path, rather
236 than to a server over a TCP socket. The server must be listening
237 on the given socket.
238 -certfile file
240 -F Use the specified file as the client certificate for TLS authen‐
242 tication to the server.
243 -keyfile file
245 -K Use the specified file as the private key for the client cerifi‐
247 cate.
248 -cacertfile file
250 -A Use the specified file as the CA certificate for TLS authentica‐
252 tion to the server.
253 -tlshostname hostname
255 -H Use the specified hostname for the TLS context. If not speci‐
257 fied, the hostname used to connect to the server will be used.
258 TLS SUPPORT
260 Enabling any of the TLS-related options causes the client to use the
261 NBD_OPT_STARTTLS command to upgrade the connection to TLS. Since nego‐
262 tiating TLS support from userspace for a kernel socket would be very
263 involved (if passing keys to kernel space were even possible, which it
264 isn't), the way this is implemented is that the nbd-client process cre‐
265 ates a socketpair, one side of which it hands to the kernel, and the
266 other side of which is handed to an encrypting/decrypting proxy. This
267 has the effect that all communication will be encrypted before being
268 sent over the wire; however, doing so is not safe in combination with
269 swapping over an NBD device:
270 In order to free memory by swapping, the kernel needs to be sure that
272 the write to the nbd device has finalized. For this, it needs to be
273 able to receive an NBD_CMD_WRITE reply which informs it that the write
274 has completed successfully and that the memory may be released. Receiv‐
275 ing data over the network, however, requires that the kernel allocate
276 memory first, which is impossible if we're low on memory (a likely sit‐
277 uation when trying to swap). This is likely to cause a deadlock when
278 we're low on memory and there are high amounts of network traffic.
279 To remedy this situation, the kernel sets the PF_MEMALLOC option on the
281 nbd socket; when low on memory, it will throw away all packets except
282 for those destined to a socket with that option set, relying on the
283 normal TCP retransmit system to ensure that data is not lost. This
284 avoids the deadlock described above.
285 However, the PF_MEMALLOC option is set on the socket that is connected
287 to the nbd device, not the encrypted socket connected to the encrypt‐
288 ing/decrypting proxy. As such, when using TLS, the PF_MEMALLOC option
289 is not set on the socket that actually receives data from the network,
290 which means that the deadlock reappears.
291 For this reason, if the -swap option is used when TLS is in use, nbd-
293 client will issue an appropriate warning.
294
296 Some examples of nbd-client usage:
297 • To connect to a server running on port 2000 at host "server.do‐
299 main.com", using the client's block special file "/dev/nbd0":
300 nbd-client server.domain.com 2000 /dev/nbd0
302 • To connect to a server running on port 2001 at host "swapserver.do‐
304 main.com", using the client's block special file "/dev/nbd1", for
305 swap purposes:
306 nbd-client swapserver.domain.com 2001 /dev/nbd1 -swap
308 • To disconnect the above connection again (after making sure the block
310 special file is not in use anymore):
311 nbd-client -d /dev/nbd1
313
315 nbd-server (1).
316
318 The NBD kernel module and the NBD tools have been written by Pavel
319 Macheck (pavel@ucw.cz).
320 The kernel module is now maintained by Paul Clements
322 (Paul.Clements@steeleye.com), while the userland tools are maintained
323 by Wouter Verhelst (wouter@debian.org)
324 This manual page was written by Wouter Verhelst (<wouter@debian.org>)
326 for the Debian GNU/Linux system (but may be used by others). Permis‐
327 sion is granted to copy, distribute and/or modify this document under
328 the terms of the GNU General Public License, version 2, as published by
329 the Free Software Foundation.
330 $ NBD-CLIENT(8)