tests: vsock: Use VMADDR_CID_LOCAL for loopback testing.

[nbdkit/ericb.git] / docs / nbdkit.pod

=head1 NAME

nbdkit - toolkit for creating NBD servers

=head1 SYNOPSIS

__SYNOPSIS__

=head1 DESCRIPTION

Network Block Device (NBD) is a network protocol for accessing block
devices over the network.  Block devices are hard disks and things
that behave like hard disks such as disk images and virtual machines.

nbdkit is both a toolkit for creating NBD servers from
“unconventional” sources, and the name of an NBD server.  nbdkit ships
with many plugins for performing common tasks like serving local
files.

=head2 Plugins and filters

nbdkit is different from other NBD servers because you can easily
create new Network Block Device sources by writing a few glue
functions, possibly in C, or perhaps in a high level language like
Perl or Python.  The liberal licensing of nbdkit is meant to allow you
to link nbdkit with proprietary libraries or to include nbdkit in
proprietary code.

If you want to write your own nbdkit plugin you should read
L<nbdkit-plugin(3)>.

nbdkit also has a concept of filters which can be layered on top of
plugins.  Several filters are provided with nbdkit and if you want to
write your own you should read L<nbdkit-filter(3)>.

=head1 EXAMPLES

=head2 Basic file serving

=over 4

=item *

Serve file F<disk.img> on port 10809 using L<nbdkit-file-plugin(1)>,
and connect to it using L<guestfish(1)>:

 nbdkit file disk.img
 guestfish --rw --format=raw -a nbd://localhost

=item *

Serve file F<disk.img> on port 10809, requiring clients to use
encrypted (TLS) connections:

 nbdkit --tls=require file disk.img

=back

=head2 Other nbdkit plugins

=over 4

=item *

Create a 1MB disk with one empty partition entirely on the command
line using L<nbdkit-data-plugin(1)>:

 nbdkit data size=1M \
             data="@0x1b8 0xf8 0x21 0xdc 0xeb 0 0 0 0
                   2 0 0x83 0x20 0x20 0 1 0  0 0 0xff 0x7
                   @0x1fe 0x55 0xaa"

=item *

Forward an NBD connection to a remote server over HTTPS or SSH using
L<nbdkit-curl-plugin(1)> or L<nbdkit-ssh-plugin(1)>:

 nbdkit -r curl https://example.com/disk.img

 nbdkit ssh host=example.com /var/tmp/disk.img

=item *

Create a RAM disk using L<nbdkit-memory-plugin(1)>:

 nbdkit memory 64M

=item *

Create a floppy disk image containing files from a local directory
using L<nbdkit-floppy-plugin(1)>:

 nbdkit floppy dir/

=back

=head2 Combining plugins and filters

=over 4

=item *

Serve only the first partition from compressed disk image
F<disk.img.xz>, combining L<nbdkit-partition-filter(1)>,
L<nbdkit-xz-filter(1)> and L<nbdkit-file-plugin(1)>.

 nbdkit --filter=partition --filter=xz file disk.img.xz partition=1

To understand this command line:

                             plugin name and plugin parameter
                                               │
                                       ┌───────┴──────┐
                                       │              │
 nbdkit --filter=partition --filter=xz file disk.img.xz partition=1
                 │              │                          │
                 └──────────────┴────┬─────────────────────┘
                                     │
                        filters and filter parameter

=item *

Create a scratch, empty nbdkit device and inject errors and delays,
for testing clients, using L<nbdkit-memory-plugin(1)>,
L<nbdkit-error-filter(1)> and L<nbdkit-delay-filter(1)>:

 nbdkit --filter=error --filter=delay memory 100M \
        error-rate=10% rdelay=1 wdelay=1

=back

=head2 Writing plugins in scripting languages

=over 4

=item *

Write a simple, custom plugin entirely on the command line in shell
script using L<nbdkit-sh-plugin(3)>:

 nbdkit sh - <<'EOF'
   case "$1" in
     get_size) echo 1M ;;
     pread) dd if=/dev/zero count=$3 iflag=count_bytes ;;
     *) exit 2 ;;
   esac
 EOF

=back

=head2 Display information

Display information about nbdkit or a specific plugin:

 nbdkit --help
 nbdkit --version
 nbdkit --dump-config
 nbdkit example1 --help
 nbdkit example1 --dump-plugin

=head1 GLOBAL OPTIONS

=over 4

=item B<--help>

Display brief command line usage information and exit.

=item B<-D> PLUGIN.FLAG=N

=item B<-D> FILTER.FLAG=N

=item B<--debug> PLUGIN.FLAG=N

=item B<--debug> FILTER.FLAG=N

Set the plugin or filter Debug Flag called C<FLAG> to the integer
value C<N>.  See L<nbdkit-plugin(3)/Debug Flags>.

=item B<-D> nbdkit.FLAG=N

=item B<--debug> nbdkit.FLAG=N

Set the nbdkit server Debug Flag called C<FLAG> to the integer value
C<N>.  See L</SERVER DEBUG FLAGS> below.

=item B<--dump-config>

Dump out the compile-time configuration values and exit.
See L<nbdkit-probing(1)>.

=item B<--dump-plugin>

Dump out information about the plugin and exit.
See L<nbdkit-probing(1)>.

=item B<--exit-with-parent>

If the parent process exits, we exit.  This can be used to avoid
complicated cleanup or orphaned nbdkit processes.  There are some
important caveats with this, see L<nbdkit-captive(1)/EXIT WITH PARENT>.

An alternative to this is L<nbdkit-captive(1)/CAPTIVE NBDKIT>.

This option implies I<--foreground>.

=item B<-e> EXPORTNAME

=item B<--export> EXPORTNAME

=item B<--export-name> EXPORTNAME

=item B<--exportname> EXPORTNAME

Set the exportname.

If not set, exportname C<""> (empty string) is used.  Exportnames are
not allowed with the oldstyle protocol.

=item B<-f>

=item B<--foreground>

=item B<--no-fork>

I<Don't> fork into the background.

=item B<--filter> FILTER

Add a filter before the plugin.  This option may be given one or more
times to stack filters in front of the plugin.  They are processed in
the order they appear on the command line.  See L</FILTERS> and
L<nbdkit-filter(3)>.

=item B<-g> GROUP

=item B<--group> GROUP

Change group to C<GROUP> after starting up.  A group name or numeric
group ID can be used.

The server needs sufficient permissions to be able to do this.
Normally this would mean starting the server up as root.

See also I<-u>.

=item B<-i> IPADDR

=item B<--ip-addr> IPADDR

=item B<--ipaddr> IPADDR

Listen on the specified interface.  The default is to listen on all
interfaces.  See also I<-p>.

=item B<--log=stderr>

=item B<--log=syslog>

=item B<--log=null>

Send error messages to standard error (I<--log=stderr>), or to the
system log (I<--log=syslog>), or discard them completely
(I<--log=null>, not recommended for normal use).

The default is to send error messages to stderr, unless nbdkit
forks into the background in which case they are sent to syslog.

For more details see L<nbdkit-service(1)/LOGGING>.

=item B<-n>

=item B<--new-style>

=item B<--newstyle>

Use the newstyle NBD protocol.  This is the default in nbdkit
E<ge> 1.3.  In earlier versions the default was oldstyle.
See L<nbdkit-protocol(1)>.

=item B<--no-sr>

Do not advertise structured replies.  A client must request structured
replies to take advantage of block status and potential sparse reads;
however, as structured reads are not a mandatory part of the newstyle
NBD protocol, this option can be used to debug client fallbacks for
dealing with older servers.  See L<nbdkit-protocol(1)>.

=item B<-o>

=item B<--old-style>

=item B<--oldstyle>

Use the oldstyle NBD protocol.  This I<was> the default in nbdkit
E<le> 1.2, but now the default is newstyle.  Note this is incompatible
with newer features such as export names and TLS.
See L<nbdkit-protocol(1)>.

=item B<-P> PIDFILE

=item B<--pid-file> PIDFILE

=item B<--pidfile> PIDFILE

Write C<PIDFILE> (containing the process ID of the server) after
nbdkit becomes ready to accept connections.

If the file already exists, it is overwritten.  nbdkit I<does not>
delete the file when it exits.

=item B<-p> PORT

=item B<--port> PORT

Change the TCP/IP port number on which nbdkit serves requests.
The default is C<10809>.  See also I<-i>.

=item B<-r>

=item B<--read-only>

=item B<--readonly>

The export will be read-only.  If a client writes, then it will get an
error.

Note that some plugins inherently don't support writes.  With those
plugins the I<-r> option is added implicitly.

L<nbdkit-cow-filter(1)> can be placed over read-only plugins to
provide copy-on-write (or "snapshot") functionality.  If you are using
qemu as a client then it also supports snapshots.

=item B<--run> CMD

Run nbdkit as a captive subprocess of C<CMD>.  When C<CMD> exits,
nbdkit is killed.  See L<nbdkit-captive(1)/CAPTIVE NBDKIT>.

This option implies I<--foreground>.

=item B<-s>

=item B<--single>

=item B<--stdin>

Don't fork.  Handle a single NBD connection on stdin/stdout.  After
stdin closes, the server exits.

You can use this option to run nbdkit from inetd or similar
superservers; or just for testing; or if you want to run nbdkit in a
non-conventional way.  Note that if you want to run nbdkit from
systemd, then it may be better to use
L<nbdkit-service(1)/SOCKET ACTIVATION> instead of this option.

This option implies I<--foreground>.

=item B<--selinux-label> SOCKET-LABEL

Apply the SELinux label C<SOCKET-LABEL> to the nbdkit listening
socket.

The common — perhaps only — use of this option is to allow libvirt
guests which are using SELinux and sVirt confinement to access nbdkit
Unix domain sockets:

 nbdkit --selinux-label system_u:object_r:svirt_t:s0 ...

=item B<--swap>

Specifies that the NBD device will be used as swap space loop mounted
on the same machine which is running nbdkit.  To avoid deadlocks this
locks the whole nbdkit process into memory using L<mlockall(2)>.  This
may require additional permissions, such as starting the server as
root or raising the C<RLIMIT_MEMLOCK> (L<ulimit(1)> I<-l>) limit on
the process.

=item B<-t> THREADS

=item B<--threads> THREADS

Set the number of threads to be used per connection, which in turn
controls the number of outstanding requests that can be processed at
once.  Only matters for plugins with thread_model=parallel (where it
defaults to 16).  To force serialized behavior (useful if the client
is not prepared for out-of-order responses), set this to 1.

=item B<--tls=off>

=item B<--tls=on>

=item B<--tls=require>

Disable, enable or require TLS (authentication and encryption
support).  See L<nbdkit-tls(1)>.

=item B<--tls-certificates> /path/to/certificates

Set the path to the TLS certificates directory.  If not specified,
some built-in paths are checked.  See L<nbdkit-tls(1)> for more
details.

=item B<--tls-psk> /path/to/pskfile

Set the path to the pre-shared keys (PSK) file.  If used, this
overrides certificate authentication.  There is no built-in path.  See
L<nbdkit-tls(1)> for more details.

=item B<--tls-verify-peer>

Enables TLS client certificate verification.  The default is I<not> to
check the client's certificate.

=item B<-U> SOCKET

=item B<--unix> SOCKET

=item B<-U ->

=item B<--unix ->

Accept connections on the Unix domain socket C<SOCKET> (which is a
path).

nbdkit creates this socket, but it will probably have incorrect
permissions (too permissive).  If it is a problem that some
unauthorized user could connect to this socket between the time that
nbdkit starts up and the authorized user connects, then put the socket
into a directory that has restrictive permissions.

nbdkit does B<not> delete the socket file when it exits.  The caller
should delete the socket file after use (else if you try to start
nbdkit up again you will get an C<Address already in use> error).

If the socket name is I<-> then nbdkit generates a randomly named
private socket.  This is useful with L<nbdkit-captive(1)/CAPTIVE NBDKIT>.

=item B<-u> USER

=item B<--user> USER

Change user to C<USER> after starting up.  A user name or numeric user
ID can be used.

The server needs sufficient permissions to be able to do this.
Normally this would mean starting the server up as root.

See also I<-g>.

=item B<-v>

=item B<--verbose>

Enable verbose messages.

It's a good idea to use I<-f> as well so the process does not fork
into the background (but not required).

=item B<-V>

=item B<--version>

Print the version number of nbdkit and exit.

=item B<--vsock>

Use the AF_VSOCK protocol (instead of TCP/IP).  You must use this in
conjunction with I<-p>/I<--port>.  See L<nbdkit-service(1)/AF_VSOCK>.

=back

=head1 PLUGIN NAME

You can give the full path to the plugin, like this:

 nbdkit $libdir/nbdkit/plugins/nbdkit-file-plugin.so [...]

but it is usually more convenient to use this equivalent syntax:

 nbdkit file [...]

C<$libdir> is set at compile time.  To print it out, do:

 nbdkit --dump-config

=head1 PLUGIN CONFIGURATION

After specifying the plugin name you can (optionally, it depends
on the plugin) give plugin configuration on the command line in
the form of C<key=value>.  For example:

 nbdkit file file=disk.img

To list all the options supported by a plugin, do:

 nbdkit --help file

To dump information about a plugin, do:

 nbdkit file --dump-plugin

=head2 Magic parameters

Some plugins declare a special "magic config key".  This is a key
which is assumed if no C<key=> part is present.  For example:

 nbdkit file disk.img

is assumed to be C<file=disk.img> because the file plugin declares
C<file> as its magic config key.  There can be ambiguity in the
parsing of magic config keys if the value might look like a
C<key=value>.  If there could be ambiguity then modify the value,
eg. by prefixing it with C<./>

There is also a special exception for plugins which do not declare a
magic config key, but where the first plugin argument does not contain
an C<'='> character: it is assumed to be C<script=value>.  This is
used by scripting language plugins:

 nbdkit perl foo.pl [args...]

has the same meaning as:

 nbdkit perl script=foo.pl [args...]

=head2 Shebang scripts

You can use C<#!> to run nbdkit plugins written in most scripting
languages.  The file should be executable.  For example:

 #!/usr/sbin/nbdkit perl
 sub open {
   # etc
 }

(see L<nbdkit-perl-plugin(3)> for a full example).

=head1 SERVER DEBUG FLAGS

As well as enabling or disabling debugging in the server using
I<--verbose> you can control extra debugging in the server using the
C<-D nbdkit.*> flags listed in this section.  Note these flags are an
internal implementation detail of the server and may be changed or
removed at any time in the future.

=over 4

=item B<-D nbdkit.backend.controlpath=0>

=item B<-D nbdkit.backend.controlpath=1>

=item B<-D nbdkit.backend.datapath=0>

=item B<-D nbdkit.backend.datapath=1>

These flags control the verbosity of nbdkit backend debugging messages
(the ones which show every request processed by the server).  The
default for both settings is C<1> (normal debugging) but you can set
them to C<0> to suppress these messages.

C<-D nbdkit.backend.datapath=0> is the more useful setting which lets you
suppress messages about pread, pwrite, zero, trim, etc. commands.
When transferring large amounts of data these messages are numerous
and not usually very interesting.

C<-D nbdkit.backend.controlpath=0> suppresses the non-datapath
commands (config, open, close, can_write, etc.)

=back

=head1 SIGNALS

nbdkit responds to the following signals:

=over 4

=item C<SIGINT>

=item C<SIGQUIT>

=item C<SIGTERM>

The server exits cleanly.

=item C<SIGPIPE>

This signal is ignored.

=back

=head1 ENVIRONMENT VARIABLES

=over 4

=item C<LISTEN_FDS>

=item C<LISTEN_PID>

If present in the environment when nbdkit starts up, these trigger
L<nbdkit-service(1)/SOCKET ACTIVATION>.

=back

=head1 SEE ALSO

=head2 Other topics

L<nbdkit-captive(1)> — Run nbdkit under another process and have it
reliably cleaned up.

L<nbdkit-loop(1)> — Use nbdkit with the Linux kernel client to create
loop devices and loop mounts.

L<nbdkit-probing(1)> — How to probe for nbdkit configuration and plugins.

L<nbdkit-protocol(1)> — Which parts of the NBD protocol nbdkit supports.

L<nbdkit-security(1)> — Lists past security issues in nbdkit.

L<nbdkit-service(1)> — Running nbdkit as a service, and systemd socket
activation.

L<nbdkit-tls(1)> — Authentication and encryption of NBD connections
(sometimes incorrectly called "SSL").

=head2 Plugins

__PLUGIN_LINKS__.

=head2 Filters

__FILTER_LINKS__.

=head2 For developers

L<nbdkit-plugin(3)>,
L<nbdkit-filter(3)>.

=head2 Writing plugins in other programming languages

__LANG_PLUGIN_LINKS__.

=head2 Release notes for previous releases of nbdkit

L<nbdkit-release-notes-1.4(1)>,
L<nbdkit-release-notes-1.6(1)>,
L<nbdkit-release-notes-1.8(1)>,
L<nbdkit-release-notes-1.10(1)>,
L<nbdkit-release-notes-1.12(1)>,
L<nbdkit-release-notes-1.14(1)>,
L<nbdkit-release-notes-1.16(1)>.

=head2 NBD clients

L<guestfish(1)>,
L<libnbd(3)>,
L<nbd-client(1)>,
L<nbdfuse(1)>,
L<nbdsh(1)>,
L<qemu(1)>.

=head2 nbdkit links

L<http://github.com/libguestfs/nbdkit> — Source code.

=head2 Other NBD servers

L<qemu-nbd(1)>,
L<nbd-server(1)>,
L<https://bitbucket.org/hirofuchi/xnbd>.

=head2 Documentation for the NBD protocol

L<https://github.com/NetworkBlockDevice/nbd/blob/master/doc/proto.md>,
L<https://nbd.sourceforge.io/>.

=head2 Similar protocols

L<https://en.wikipedia.org/wiki/iSCSI>,
L<https://en.wikipedia.org/wiki/ATA_over_Ethernet>,
L<https://en.wikipedia.org/wiki/Fibre_Channel_over_Ethernet>.

=head2 Other manual pages of interest

L<gnutls_priority_init(3)>,
L<qemu-img(1)>,
L<psktool(1)>,
L<systemd.socket(5)>.

=head1 AUTHORS

Eric Blake

Richard W.M. Jones

Yann E. MORIN

Nir Soffer

Pino Toscano

=head1 COPYRIGHT

Copyright (C) 2013-2019 Red Hat Inc.