nbdkit man page

nbdkit — A toolkit for creating NBD servers

Synopsis

 nbdkit [-e EXPORTNAME] [--exit-with-parent] [-f]
        [-g GROUP] [-i IPADDR]
        [--newstyle] [--oldstyle] [-P PIDFILE] [-p PORT] [-r]
        [--run CMD] [-s] [--selinux-label LABEL]
        [--tls=off|on|require] [--tls-certificates /path/to/certificates]
        [--tls-verify-peer]
        [-U SOCKET] [-u USER] [-v] [-V]
        PLUGIN [key=value [key=value [...]]]

 nbdkit --dump-config

 nbdkit PLUGIN --dump-plugin

Description

Network Block Device (NBD) is a network protocol for accessing block devices over the network.  Block devices are hard disks and things that behave like hard disks such as disk images and virtual machines.

"nbdkit" is both a toolkit for creating NBD servers from "unconventional" sources and the name of an NBD server.

To create a new Network Block Device source, all you need to do is write a few glue functions, possibly in C, or perhaps in a high level language like Perl or Python.  The liberal licensing of nbdkit is meant to allow you to link nbdkit with proprietary libraries or to include nbdkit in proprietary code.

If you want to write an nbdkit plugin, you should read nbdkit-plugin(3).

Several plugins may be found in "$libdir/nbdkit/plugins".  You can give the full path to the plugin, like this:

 nbdkit $libdir/nbdkit/plugins/nbdkit-file-plugin.so [...]

but it is usually more convenient to use this equivalent syntax:

 nbdkit file [...]

$libdir is set at compile time.  To print it out, do:

 nbdkit --dump-config

Examples

Serve file disk.img on port 10809:

 nbdkit file file=disk.img

Run the nbdkit-example3-plugin(1) and connect to it using guestfish(1):

 nbdkit example3 size=1G
 guestfish --ro -a nbd://localhost

Serve file disk.img on port 10809, requiring clients to use encrypted (TLS) connections:

 nbdkit --newstyle --tls=require file file=disk.img

To display usage information about a specific plugin:

 nbdkit --help example1

Global Options

--help

Display brief command line usage information and exit.

--dump-config

Dump out the compile-time configuration values and exit. See "Probing Configuration and Plugins" below.

--dump-plugin

Dump out information about the plugin and exit. See "Probing Configuration and Plugins" below.

--exit-with-parent

If the parent process exits, we exit.  This can be used to avoid complicated cleanup or orphaned nbdkit processes.  There are some important caveats with this, see "Exit with Parent" below.  An alternative to this is "Captive Nbdkit" described below.

This option implies --foreground.

-e EXPORTNAME
--export EXPORTNAME
--export-name EXPORTNAME
--exportname EXPORTNAME

Set the exportname and use the newstyle protocol (implies -n).

If not set, exportname "" (empty string) is used.  Exportnames are not allowed with the oldstyle protocol.

-f
--foreground
--no-fork

Don't fork into the background.

-g GROUP
--group GROUP

Change group to "GROUP" after starting up.  A group name or numeric group ID can be used.

The server needs sufficient permissions to be able to do this. Normally this would mean starting the server up as root.

See also -u.

-i IPADDR
--ip-addr IPADDR
--ipaddr IPADDR

Listen on the specified interface.  The default is to listen on all interfaces.  See also -p.

-n
--new-style
--newstyle

Use the newstyle NBD protocol instead of the default (oldstyle) protocol.  See "New Style VS Old Style Protocol" below.

-o
--old-style
--oldstyle

Use the oldstyle NBD protocol.  This is currently the default (unless you use -n or -e), so this flag does nothing, but it is possible we might change the default protocol in future.  See "New Style VS Old Style Protocol" below.

-P PIDFILE
--pid-file PIDFILE
--pidfile PIDFILE

Write "PIDFILE" (containing the process ID of the server) after nbdkit becomes ready to accept connections.

If the file already exists, it is overwritten.  nbdkit does not delete the file when it exits.

-p PORT
--port PORT

Change the TCP/IP port number on which nbdkit serves requests. The default is 10809.  See also -i.

-r
--read-only
--readonly

The export will be read-only.  If a client writes, then it will get an error.

Note that some plugins inherently don't support writes.  With those plugins the -r option is added implicitly.

Copy-on-write (or "snapshot") functionality is not supported by this server.  However if you are using qemu as a client (or indirectly via libguestfs) then it supports snapshots.

--run CMD

Run nbdkit as a captive subprocess of "CMD".  When "CMD" exits, nbdkit is killed.  See "Captive Nbdkit" below.

This option implies --foreground.

-s
--single
--stdin

Don't fork.  Handle a single NBD connection on stdin/stdout.  After stdin closes, the server exits.

You can use this option to run nbdkit from inetd or similar superservers; or just for testing; or if you want to run nbdkit in a non-conventional way.  Note that if you want to run nbdkit from systemd, then it may be better to use "Socket Activation" instead of this option.

This option implies --foreground.

--selinux-label SOCKET-LABEL

Apply the SELinux label "SOCKET-LABEL" to the nbdkit listening socket.

The common — perhaps only — use of this option is to allow libvirt guests which are using SELinux and sVirt confinement to access nbdkit Unix domain sockets:

 nbdkit --selinux-label system_u:object_r:svirt_t:s0 ...

--tls=off
--tls=on
--tls=require

Disable, enable or require TLS (authentication and encryption support).  See "TLS" below.

--tls-certificates /path/to/certificates

Set the path to the TLS certificates directory.  If not specified, some built-in paths are checked.  See "TLS" below for more details.

--tls-verify-peer

Enables TLS client certificate verification.  The default is not to check the client's certificate.

-U SOCKET
--unix SOCKET
-U -
--unix -

Accept connections on the Unix domain socket "SOCKET" (which is a path).

nbdkit creates this socket, but it will probably have incorrect permissions (too permissive).  If it is a problem that some unauthorized user could connect to this socket between the time that nbdkit starts up and the authorized user connects, then put the socket into a directory that has restrictive permissions.

nbdkit does not delete the socket file when it exits.  The caller should delete the socket file after use (else if you try to start nbdkit up again you will get an "Address already in use" error).

If the socket name is - then nbdkit generates a randomly named private socket.  This is useful with "Captive Nbdkit".

-u USER
--user USER

Change user to "USER" after starting up.  A user name or numeric user ID can be used.

The server needs sufficient permissions to be able to do this. Normally this would mean starting the server up as root.

See also -g.

-v
--verbose

Enable verbose messages.

It's a good idea to use -f as well so the process does not fork into the background (but not required).

-V
--version

Print the version number of nbdkit and exit.

Plugin Configuration

After specifying the plugin name you can (optionally, it depends on the plugin) give plugin configuration on the command line in the form of "key=value".  For example:

 nbdkit file file=disk.img

To list all the options supported by a plugin, do:

 nbdkit --help file

Socket Activation

nbdkit supports socket activation (sometimes called systemd socket activation).  This is a simple protocol where instead of nbdkit itself opening the listening socket(s), the parent process (typically systemd) passes in pre-opened file descriptors.  Socket activation lets you serve infrequent NBD requests using a superserver without needing nbdkit to be running the whole time.

Socket activation is triggered when both the "LISTEN_FDS" and "LISTEN_PID" environment variables are set.  In this mode using -i, -p, --run, -s or -U flags on the command line is illegal and will cause an error.  Also in this mode nbdkit does not fork into the background (ie. -f is implied).

Using socket activation with systemd

To use nbdkit with socket activation from systemd, create a unit file ending in ".socket" (eg. "/etc/systemd/system/nbdkit.socket") containing:

 [Unit]
 Description=NBDKit Network Block Device server
 
 [Socket]
 ListenStream=10809
 
 [Install]
 WantedBy=sockets.target

There are various formats for the "ListenStream" key.  See systemd.socket(5) for more information.

Also create a service unit (eg. "/etc/systemd/system/nbdkit.service") containing:

 [Service]
 ExecStart=/usr/sbin/nbdkit file file=/path/to/serve

For more information on systemd and socket activation, see <http://0pointer.de/blog/projects/socket-activation.html>
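The handover itself is small enough to show end to end. The launcher below is an added example (not nbdkit or systemd code) that does what systemd does for the unit above: it opens the listening socket, places it at fd 3, and sets LISTEN_FDS and LISTEN_PID in the child before exec. By default it launches a constructed checker that verifies the protocol from the child's side; the nbdkit command line in the comment is an assumed one.

```python
"""
Launch a service the way systemd socket activation does: the parent opens
the listening socket, puts it at fd 3 and sets LISTEN_FDS and LISTEN_PID
before exec, so the child never opens a socket of its own.
"""
import os
import socket
import sys

SD_LISTEN_FDS_START = 3      # first passed fd by convention; the service reads from here


def open_listening_socket(host="127.0.0.1", port=0):
    """Parent-side listening socket; port 0 picks a free port for the demo."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((host, port))
    sock.listen(5)
    return sock


def spawn_activated(argv, sock):
    """Fork and exec argv with sock at fd 3 and the activation variables set.
    LISTEN_PID must be the pid of the process that execs, so the child fills
    it in itself (as systemd does).  Returns the child's pid."""
    pid = os.fork()
    if pid == 0:                                   # child
        try:
            fd = sock.fileno()
            if fd != SD_LISTEN_FDS_START:
                os.dup2(fd, SD_LISTEN_FDS_START)   # dup2 clears close-on-exec on fd 3
                os.close(fd)
            os.set_inheritable(SD_LISTEN_FDS_START, True)   # covers "already fd 3"
            env = dict(os.environ, LISTEN_FDS="1", LISTEN_PID=str(os.getpid()))
            os.execvpe(argv[0], argv, env)
        except BaseException:
            pass
        os._exit(127)                              # exec failed
    return pid


# Constructed stand-in for nbdkit: checks the protocol from the child's side,
# i.e. both variables are set, LISTEN_PID is its own pid and fds 3.. are listening.
CHILD_CHECK = r"""
import os, socket, sys
n = int(os.environ.get("LISTEN_FDS", "0"))
ok = n >= 1 and os.environ.get("LISTEN_PID") == str(os.getpid())
for fd in range(3, 3 + n):
    try:
        s = socket.socket(fileno=fd)
        ok = ok and s.getsockopt(socket.SOL_SOCKET, socket.SO_ACCEPTCONN) == 1
    except OSError:
        ok = False
sys.exit(0 if ok else 1)
"""


def run_activated(argv=None):
    """Run argv (default: the checker above) socket-activated and return its
    exit status; 0 from the checker means the handover was correct."""
    if argv is None:
        argv = [sys.executable, "-c", CHILD_CHECK]
    sock = open_listening_socket()
    try:
        pid = spawn_activated(argv, sock)
        _, status = os.waitpid(pid, 0)
    finally:
        sock.close()
    return os.WEXITSTATUS(status) if os.WIFEXITED(status) else -1


if __name__ == "__main__":
    # Real use (assumed command line): run_activated(["nbdkit", "file", "file=disk.img"]);
    # nbdkit then serves on the inherited socket, with -f implied, until it is killed.
    print("activation handover:", "ok" if run_activated() == 0 else "FAILED")
```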

Captive Nbdkit

You can run nbdkit as a "captive process", using the --run option. This means that nbdkit runs as long as (for example) qemu(1) or guestfish(1) is running.  When those exit, nbdkit is killed.

Some examples should make this clear.

To run nbdkit captive under qemu:

 nbdkit file file=disk.img --run 'qemu -drive file=$nbd,if=virtio'

On the qemu command line, $nbd is substituted automatically with the right NBD path so it can connect to nbdkit.  When qemu exits, nbdkit is killed and cleaned up automatically.

Running nbdkit captive under guestfish:

 nbdkit file file=disk.img --run 'guestfish --format=raw -a $nbd -i'

When guestfish exits, nbdkit is killed.

The following shell variables are available in the --run argument:

$nbd

A URL that refers to the nbdkit port or socket.

Note there is some magic here, since qemu and guestfish URLs have a different format, so nbdkit tries to guess which you are running.  If the magic doesn't work, try using the variables below instead.

$port

If ≠ "", the port number that nbdkit is listening on.

$unixsocket

If ≠ "", the Unix domain socket that nbdkit is listening on.

--run implies --foreground.  It is not possible, and probably not desirable, to have nbdkit fork into the background when using --run.

Even when running captive, nbdkit still listens on the regular TCP/IP port, unless you specify the -p/-U options.  If you want a truly private captive nbdkit, then you should create a private random Unix socket, like this:

 nbdkit -U - plugin [args] --run '...'

Exit with Parent

The --exit-with-parent option is almost the opposite of "Captive Nbdkit" described in the previous section.

Running nbdkit with this option, for example from a script:

 nbdkit --exit-with-parent plugin ... &

means that nbdkit will exit automatically if the parent program exits for any reason.  This can be used to avoid complicated cleanups or orphaned nbdkit processes.

--exit-with-parent is incompatible with forking into the background (because when we fork into the background we lose track of the parent process).  Therefore -f / --foreground is implied.

This is currently implemented using a feature of the Linux kernel, so it requires a Linux build of nbdkit and won't work on other operating systems (patches welcome to make it work).

If the parent application is multithreaded, then (in the Linux implementation) if the parent thread exits, that will cause nbdkit to exit.  Thus in multithreaded applications you usually want to run "nbdkit --exit-with-parent" only from the main thread (unless you actually want nbdkit to exit with the thread, but that may not work reliably if we extend the implementation to other operating systems).

New Style VS Old Style Protocol

The NBD protocol comes in two incompatible forms that we call "oldstyle" and "newstyle".  Unfortunately which protocol you should use depends on the client and cannot be known in advance, nor can it be negotiated from the server side.

nbdkit currently defaults to the oldstyle protocol for compatibility with qemu and libguestfs.  This is also the same behaviour as qemu-nbd ≤ 2.5.  Use the -n or --newstyle flag on the command line to use the newstyle protocol.  Use the -e or --exportname flag to set the exportname for the newstyle protocol.  Use the -o or --oldstyle flag to force the oldstyle protocol.

Some common clients and the protocol they require:

 Client                          Protocol
 ------------------------------------------------------------
 qemu <= 2.5 without exportname  oldstyle
 qemu <= 2.5 with exportname     newstyle
 qemu >= 2.6                     client can talk either protocol
 nbd-client < 3.10               client can talk either protocol
 nbd-client >= 3.10              newstyle
 any TLS (encrypted) client      newstyle

If you use qemu ≤ 2.5 without the exportname field against a newstyle server, it will give the error:

 Server requires an export name

If you use qemu ≤ 2.5 with the exportname field against an oldstyle server, it will give the error:

 Server does not support export names

If you use the oldstyle protocol with nbd-client ≥ 3.10, it will give the error:

 Error: It looks like you're trying to connect to an oldstyle server.

If you want to claim compatibility with what the NBD proto.txt document says should be the case (which isn't based in reality), then you should always use newstyle when using port 10809, and use oldstyle on all other ports.
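The two styles differ in the 8 bytes that follow "NBDMAGIC", so a client, or an operator chasing the errors above, can tell them apart before sending anything. The decoder below is an added example and not nbdkit code; it uses the public NBD protocol's magic values and field layout, two constructed greetings, and a probe() helper that assumes a reachable host and port.

```python
"""
Decode an NBD server's greeting to tell oldstyle from newstyle.  Magic values
and layouts are those of the public NBD protocol; added example, not nbdkit code.
"""
import socket
import struct

NBDMAGIC = b"NBDMAGIC"                  # both styles start with this
OLDSTYLE_MAGIC = 0x00420281861253       # oldstyle "cliserv_magic"
NEWSTYLE_MAGIC = 0x49484156454F5054     # ASCII "IHAVEOPT"
NBD_FLAG_FIXED_NEWSTYLE = 1 << 0        # newstyle handshake flags
NBD_FLAG_NO_ZEROES = 1 << 1
NBD_FLAG_HAS_FLAGS = 1 << 0             # transmission flags sent by oldstyle servers
NBD_FLAG_READ_ONLY = 1 << 1
OLDSTYLE_GREETING_LEN = 8 + 8 + 8 + 4 + 124   # magic, magic, size, flags, zero pad


def classify_greeting(data):
    """Decode the first bytes a server sends; the dict always has a 'style' key."""
    if len(data) < 16 or data[:8] != NBDMAGIC:
        return {"style": "unknown"}
    (magic,) = struct.unpack(">Q", data[8:16])
    if magic == OLDSTYLE_MAGIC:
        # Oldstyle: size and flags follow at once, so there is no place to send
        # an exportname and no option phase in which TLS could be negotiated.
        if len(data) < 28:
            return {"style": "oldstyle", "complete": False}
        size, flags = struct.unpack(">QI", data[16:28])
        return {"style": "oldstyle", "complete": len(data) >= OLDSTYLE_GREETING_LEN,
                "export_size": size, "flags": flags,
                "read_only": bool(flags & NBD_FLAG_READ_ONLY)}
    if magic == NEWSTYLE_MAGIC:
        # Newstyle: 16-bit handshake flags, then the client starts option
        # haggling (exportname, STARTTLS, ...).
        if len(data) < 18:
            return {"style": "newstyle", "complete": False}
        (hflags,) = struct.unpack(">H", data[16:18])
        return {"style": "newstyle", "complete": True, "handshake_flags": hflags,
                "fixed_newstyle": bool(hflags & NBD_FLAG_FIXED_NEWSTYLE),
                "no_zeroes": bool(hflags & NBD_FLAG_NO_ZEROES)}
    return {"style": "unknown"}


def expected_client_errors(result):
    """Which clients in the man page's table will refuse a server of this style."""
    if result["style"] == "oldstyle":
        return ["qemu <= 2.5 with exportname: 'Server does not support export names'",
                "nbd-client >= 3.10: refuses oldstyle servers",
                "any TLS client: TLS needs the newstyle option phase"]
    if result["style"] == "newstyle":
        return ["qemu <= 2.5 without exportname: 'Server requires an export name'"]
    return ["not an NBD greeting"]


def probe(host, port=10809, timeout=5.0):
    """Classify a live server: read only what it volunteers, send nothing, close."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        data = s.recv(18, socket.MSG_WAITALL)   # both magics plus newstyle flags
        if classify_greeting(data)["style"] == "oldstyle":
            data += s.recv(OLDSTYLE_GREETING_LEN - len(data), socket.MSG_WAITALL)
    return classify_greeting(data)


# Constructed greetings (not captured from a real server): a 1 GiB read-only
# oldstyle export, and a fixed-newstyle server.
SAMPLE_OLDSTYLE = (NBDMAGIC + struct.pack(">Q", OLDSTYLE_MAGIC)
                   + struct.pack(">QI", 1 << 30, NBD_FLAG_HAS_FLAGS | NBD_FLAG_READ_ONLY)
                   + b"\0" * 124)
SAMPLE_NEWSTYLE = (NBDMAGIC + struct.pack(">Q", NEWSTYLE_MAGIC)
                   + struct.pack(">H", NBD_FLAG_FIXED_NEWSTYLE | NBD_FLAG_NO_ZEROES))
```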

TLS

TLS (authentication and encryption, sometimes incorrectly called "SSL") is supported if nbdkit was compiled with GnuTLS.  This allows the server to verify that the client is allowed access, and to encrypt the contents of the protocol in transit over the network.

TLS can be disabled or enabled by specifying either --tls=off or --tls=on.  With --tls=off, if a client tries to use TLS to connect, it will be rejected by the server (in other words, as if the server doesn't support TLS).

--tls=on means that the client may choose to connect either with or without TLS.

Because --tls=on is subject to downgrade attacks where a malicious proxy pretends not to support TLS in order to force either the client or server to communicate in plaintext, you can also specify --tls=require, where the server enables TLS and rejects all non-TLS connection attempts.

TLS with X.509 certificates

When nbdkit starts up, it loads TLS certificates from some built-in paths, or from the directory specified by the --tls-certificates option.

Without --tls-certificates, if nbdkit is started as a non-root user (note this does not include use of the -u or -g options), nbdkit looks in each of these paths in turn:

 $HOME/.pki/nbdkit/
 $HOME/.config/pki/nbdkit/

Without --tls-certificates, if nbdkit is started as root, nbdkit looks in:

 $sysconfdir/pki/nbdkit/

(Use "nbdkit --dump-config" and look at the "root_tls_certificates_dir" setting to get the actual directory built into the binary.)

You can override both directories above by using --tls-certificates /path/to/certificates.

In this directory, nbdkit expects to find several files:

ca-cert.pem

The Certificate Authority certificate.

server-cert.pem

The server certificate.

server-key.pem

The server private key.

ca-crl.pem

(Optional) The certificate revocation list.

Setting up the Certificate Authority

This step only needs to be done once per organization.  It may be that your organization already has a CA.

 $ certtool --generate-privkey > ca-key.pem
 $ chmod 0600 ca-key.pem

The ca-key.pem file is the CA private key and is extremely sensitive data.  With possession of this key, anyone can create certificates pretending to be your organization!

To create the CA certificate file:

 $ cat > ca.info <<EOF
 cn = Name of your organization
 ca
 cert_signing_key
 EOF
 $ certtool --generate-self-signed \
            --load-privkey ca-key.pem \
            --template ca.info \
            --outfile ca-cert.pem

Issuing a server certificate for the nbdkit server

Each nbdkit server (or host) needs a secret key and certificate.

 $ certtool --generate-privkey > server-key.pem
 $ chmod 0600 server-key.pem

The server key file is sensitive.  Setting the mode to 0600 helps to prevent other users on the same machine from reading it.

The server DNS name ("cn" below) must be the fully qualified hostname — and the only hostname — that the client connects to.

 $ cat > server.info <<EOF
 organization = Name of your organization
 cn = nbd-server.example.com
 tls_www_server
 encryption_key
 signing_key
 EOF
 $ certtool --generate-certificate \
            --load-ca-certificate ca-cert.pem \
            --load-ca-privkey ca-key.pem \
            --load-privkey server-key.pem \
            --template server.info \
            --outfile server-cert.pem

Issuing and checking client certificates

Note: You don't need to create client certificates unless you want to check and limit which clients can connect to nbdkit.  nbdkit does not check client certificates unless you specify the --tls-verify-peer option on the command line.

For each client you should generate a private key and a client certificate:

 $ certtool --generate-privkey > client-key.pem
 $ chmod 0600 client-key.pem

The client key file is sensitive.

The client DNS name ("cn" below) is the client's name that nbdkit sees and checks.

 $ cat > client.info <<EOF
 country = US
 state = New York
 locality = New York
 organization = Name of your organization
 cn = client.example.com
 tls_www_client
 encryption_key
 signing_key
 EOF
 $ certtool --generate-certificate \
            --load-ca-certificate ca-cert.pem \
            --load-ca-privkey ca-key.pem \
            --load-privkey client-key.pem \
            --template client.info \
            --outfile client-cert.pem

Client certificates do not need to be present anywhere on the nbdkit host.  You don't need to copy them into nbdkit's TLS certificates directory.  The security comes from the fact that the client must present a client certificate signed by the Certificate Authority, and nbdkit can check this because it has the ca-cert.pem file.

To enable checking of client certificates, specify the --tls-verify-peer option on the command line.  Clients which don't present a valid certificate (eg. not signed, incorrect signature) are denied.  Also denied are clients which present a valid certificate signed by another CA.  Also denied are clients with certificates added to the certificate revocation list (ca-crl.pem).

Default TLS behaviour

If nbdkit was compiled without GnuTLS support, then TLS is disabled and TLS connections will be rejected (as if --tls=off was specified on the command line).  Also it is impossible to turn on TLS in this scenario.  You can tell if nbdkit was compiled without GnuTLS support because "nbdkit --dump-config" will contain "tls=no".

If TLS certificates cannot be loaded either from the built-in path or from the directory specified by --tls-certificates, then TLS defaults to disabled.  Turning TLS on will give a warning (--tls=on) or error (--tls=require) about the missing certificates.

If TLS certificates can be loaded from the built-in path or from the --tls-certificates directory, then TLS will by default be enabled (like --tls=on), but it is not required.  Clients can choose whether or not to use TLS and whether or not to present certificates.

TLS client certificates are not checked by default unless you specify --tls-verify-peer.

Each of these defaults is insecure to some extent (including --tls=on which could be subject to a downgrade attack), so if you expect TLS then it is best to specify the --tls option that you require, and if you want to check client certificates, specify the --tls-verify-peer option.
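A check over the certificates directory described above, as an added example that is not part of nbdkit: it looks for the four file names nbdkit expects, the 0600 mode the certtool steps use on key files, whether ca-cert.pem parses, and whether server-cert.pem and server-key.pem load as a pair. It assumes only the Python standard library; make_constructed_dir() builds placeholder files so the checks can be exercised offline.

```python
"""
Audit an nbdkit TLS certificates directory against what the man page expects:
required files, 0600 on private keys, a parsable CA certificate, and a server
certificate/key that belong together.  Added example, not part of nbdkit.
"""
import os
import ssl
import stat
import tempfile

REQUIRED_FILES = ("ca-cert.pem", "server-cert.pem", "server-key.pem")


def audit_tls_dir(path):
    """Return a list of findings; an empty list means nothing obviously wrong."""
    findings = []
    if not os.path.isdir(path):
        return [f"{path}: not a directory"]
    present = {n: os.path.join(path, n) for n in os.listdir(path)}
    for name in REQUIRED_FILES:
        if name not in present:
            findings.append(f"missing: {name}")
    # Private keys must not be readable by group or others (the page uses chmod 0600).
    for name, full in sorted(present.items()):
        if name.endswith("-key.pem"):
            mode = stat.S_IMODE(os.stat(full).st_mode)
            if mode & 0o077:
                findings.append(f"permissions: {name} mode {mode:04o} is readable by "
                                f"other users; chmod 0600")
    # The CA certificate must parse: --tls-verify-peer checks clients against it.
    if "ca-cert.pem" in present:
        try:
            ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER).load_verify_locations(
                present["ca-cert.pem"])
        except (ssl.SSLError, OSError) as e:
            findings.append(f"ca: ca-cert.pem could not be parsed: {e}")
    # The server certificate and key must belong together or TLS cannot start.
    if "server-cert.pem" in present and "server-key.pem" in present:
        try:
            ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER).load_cert_chain(
                present["server-cert.pem"], present["server-key.pem"])
        except (ssl.SSLError, OSError) as e:
            findings.append(f"pair: server-cert.pem/server-key.pem failed to load: {e}")
    if "ca-crl.pem" not in present:
        findings.append("note: no ca-crl.pem, so revoked client certificates "
                        "cannot be rejected")
    return findings


def make_constructed_dir(include_server_cert=True):
    """Build a throwaway directory of constructed placeholder files (not real PEM)
    with a deliberately world-readable key, to exercise the audit offline."""
    d = tempfile.mkdtemp(prefix="nbdkit-tls-demo-")
    names = ["ca-cert.pem", "server-key.pem"]
    if include_server_cert:
        names.append("server-cert.pem")
    for name in names:
        with open(os.path.join(d, name), "w") as f:
            f.write("placeholder, not a real certificate or key\n")
    os.chmod(os.path.join(d, "server-key.pem"), 0o644)
    return d


if __name__ == "__main__":
    # Point this at the real directory, e.g. the one --tls-certificates names.
    for finding in audit_tls_dir(make_constructed_dir()):
        print(finding)
```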

Choice of TLS algorithms

TLS has a bewildering choice of algorithms that can be used.  To enable you to choose a default set of algorithms, there is a configure setting "--with-tls-priority".  This defaults to "NORMAL" which, to quote the GnuTLS documentation:

 "NORMAL" means all "secure" ciphersuites.  The 256-bit ciphers are included as a fallback only.  The ciphers are sorted by security margin.

You could also set the TLS priority so that it can be configured from a file at runtime:

 ./configure --with-tls-priority=@SYSTEM

means use the policy from /etc/crypto-policies/config.

 ./configure --with-tls-priority=@NBDKIT,SYSTEM

means use the policy from /etc/crypto-policies/local.d/nbdkit.config and fall back to /etc/crypto-policies/config if the first file does not exist.

More information can be found in gnutls_priority_init(3).

Probing Configuration and Plugins

You can query information about nbdkit and available plugins from the nbdkit binary.

Query basic configuration

 nbdkit --dump-config

lists information about how nbdkit was configured.  The most important fields in the output are the name of the directory where nbdkit looks for plugins and the version of nbdkit, eg:

 plugindir=/usr/lib64/nbdkit/plugins
 version=1.2.3

Query information about a particular plugin

 nbdkit pluginname --dump-plugin

(where pluginname is the name or full path of a plugin) will dump information about that plugin, eg:

 $ nbdkit file --dump-plugin
 path=/usr/lib64/nbdkit/plugins/nbdkit-file-plugin.so
 name=file
 version=1.2.3
 api_version=1
 struct_size=176
 thread_model=serialize_requests
 [etc]

Plugins which ship with nbdkit usually have the same version as the corresponding nbdkit binary.

Detect if a plugin is installed

To find out if a plugin is installed (and working) in the plugin directory, use --dump-plugin as above:

 $ nbdkit foo --dump-plugin
 nbdkit: /usr/lib64/nbdkit/plugins/nbdkit-foo-plugin.so: /usr/lib64/nbdkit/plugins/nbdkit-foo-plugin.so: cannot open shared object file: No such file or directory

Note it is better to test for the existence of plugins this way rather than just seeing if the .so file exists, because nbdkit will load the plugin and check that all its dependencies can be satisfied, and also that plugin registration works.

List all plugins in the plugin directory

You could simply get the plugin directory (from --dump-config) and list all files in this directory called nbdkit-*-plugin.so.

However a better test is to run --dump-plugin (see above) on each one to check that it is working and all of its dependencies are installed.  A complete shell script which does this is:

 #!/bin/sh -
 plugindir=`nbdkit --dump-config | grep ^plugindir= | sed 's/[^=]*=//'`
 for f in $plugindir/nbdkit-*-plugin.so; do
     if nbdkit "$f" --dump-plugin >/dev/null 2>&1; then
         b=`echo "$f" | sed 's,.*/nbdkit-\(.*\)-plugin.so$,\1,'`
         echo "$b ($f)"
     fi
 done

Signals

"nbdkit" responds to the following signals:

"SIGINT"
"SIGQUIT"
"SIGTERM"

The server exits cleanly.

"SIGPIPE"

This signal is ignored.

Environment Variables

"LISTEN_FDS"
"LISTEN_PID"

If present in the environment when nbdkit starts up, these trigger "Socket Activation".

See Also

Other nbdkit manual pages:

nbdkit-plugin(3), nbdkit-curl-plugin(1), nbdkit-example1-plugin(1), nbdkit-example2-plugin(1), nbdkit-example3-plugin(1), nbdkit-file-plugin(1), nbdkit-gzip-plugin(1), nbdkit-libvirt-plugin(1), nbdkit-ocaml-plugin(3), nbdkit-perl-plugin(3), nbdkit-python-plugin(3), nbdkit-vddk-plugin(1), nbdkit-xz-plugin(1).

Other manual pages of interest:

gnutls_priority_init(3), guestfish(1), qemu(1), systemd.socket(5).

Authors

Richard W.M. Jones

License

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

THIS SOFTWARE IS PROVIDED BY RED HAT AND CONTRIBUTORS ''AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL RED HAT OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Referenced By

guestfs-hacking(1), nbdkit-curl-plugin(1), nbdkit-example1-plugin(1), nbdkit-example2-plugin(1), nbdkit-example3-plugin(1), nbdkit-file-plugin(1), nbdkit-guestfs-plugin(1), nbdkit-gzip-plugin(1), nbdkit-libvirt-plugin(1), nbdkit-ocaml-plugin(3), nbdkit-perl-plugin(3), nbdkit-plugin(3), nbdkit-python-plugin(3), nbdkit-ruby-plugin(3), nbdkit-streaming-plugin(1), nbdkit-xz-plugin(1), virt-p2v(1), virt-v2v(1).

2017-09-28 nbdkit