| blob | a2948681080189289d8ef76ccf0b2c1c47d51ad1 |
3 <!-- Process this file with docbook-to-man to generate an nroff manual
4 page: `docbook-to-man manpage.sgml > manpage.1'. You may view
5 the manual page with: `docbook-to-man manpage.sgml | nroff -man |
6 less'. A typical entry in a Makefile or Makefile.am is:
8 manpage.1: manpage.sgml
9 docbook-to-man $< > $@
10 -->
12 <!-- Fill in your name for FIRSTNAME and SURNAME. -->
15 <!-- Please adjust the date whenever revising the manpage. -->
17 <!-- SECTION should be 1-8, maybe w/ subsection other parameters are
18 allowed: see man(7), man(1). -->
27 ]>
29 <refentry>
30 <refentryinfo>
31 <address>
32 &dhemail;
33 </address>
34 <author>
35 &dhfirstname;
36 &dhsurname;
37 </author>
38 <copyright>
41 </copyright>
42 &dhdate;
43 </refentryinfo>
44 <refmeta>
45 &dhucpackage;
47 &dhsection;
48 </refmeta>
49 <refnamediv>
53 exported block device</refpurpose>
54 </refnamediv>
55 <refsynopsisdiv>
56 <cmdsynopsis>
75 </cmdsynopsis>
76 <cmdsynopsis>
90 </cmdsynopsis>
91 <cmdsynopsis>
94 </cmdsynopsis>
95 <cmdsynopsis>
98 </cmdsynopsis>
99 <cmdsynopsis>
102 </cmdsynopsis>
103 <cmdsynopsis>
107 </cmdsynopsis>
108 <cmdsynopsis>
112 </cmdsynopsis>
113 </refsynopsisdiv>
114 <refsect1>
119 diskspace from that server as a blockdevice on the local
120 client.</para>
122 <para>To do this, support from the Linux Kernel is necessary, in
123 the form of the Network Block Device (NBD). When you have that,
124 either in the kernel, or as a module, you can connect to an NBD
125 server and use its exported file through a block special file with
128 <para>Optionally, long options can also be specified with two
129 leading dashes.</para>
130 </refsect1>
131 <refsect1>
136 <variablelist>
137 <varlistentry>
140 <listitem>
143 </listitem>
144 </varlistentry>
145 <varlistentry>
148 <listitem>
150 server, to allow speeding up request handling, at the cost of higher
151 resource usage on the server. Use of this option requires kernel
152 support available first with Linux 4.9.
153 </listitem>
154 </varlistentry>
155 <varlistentry>
157 <listitem>
158 <para>The hostname or IP address of the machine running
160 utilities support IPv6.</para>
161 </listitem>
162 </varlistentry>
163 <varlistentry>
164 <term><option>-timeout
167 <listitem>
169 work, you need a kernel with support for the NBD_SET_TIMEOUT
172 </listitem>
173 </varlistentry>
174 <varlistentry>
176 <listitem>
178 running at the server.</para>
180 port number for the NBD protocol.</para>
181 <para>Previous versions of the nbd tools supported an older
182 version of the negotiation protocol known as "oldstyle".
183 This protocol version is no longer supported as of version
185 </listitem>
186 </varlistentry>
187 <varlistentry>
189 <listitem>
191 nbd-client should connect to, specified as a full path.</para>
192 <para>When the mode is used wherein no hostname or export name is
193 specified, &dhpackage; will look up the necessary configuration in
196 </listitem>
197 </varlistentry>
198 <varlistentry>
201 <listitem>
202 <para>Check whether the specified nbd device is
203 connected.</para>
206 instance that connected it to stdout.
207 <para>If the device is not
208 connected or does not exist (for example because the nbd
209 module was not loaded), &dhpackage; will exit with an exit
213 </listitem>
214 </varlistentry>
215 <varlistentry>
218 <listitem>
219 <para>Disconnect the specified nbd device from the
220 server</para>
221 </listitem>
222 </varlistentry>
223 <varlistentry>
226 <listitem>
227 <para>
228 Ask the server for a list of available exports. If the
229 server is exporting over IPv6 as well as over IPv4, this
230 will list all exports twice; otherwise, it should list them
231 all only once.</para>
233 with nbd-server processes running version 3.1 or above, and
234 must be enabled in server configuration (with the
235 "allowlist" option) before it can be used.
236 </para>
237 </listitem>
238 </varlistentry>
239 <varlistentry>
242 <listitem>
244 using the netlink interface to configure an NBD device. This
245 option allows to use the older ioctl() interface to configure
246 the device.
247 </para>
249 compiled against libnl-genl. If that is not the case,
250 nbd-client will only be able to use the ioctl interface (and
251 the option will not be available).</para>
254 not yet been decided when that will be the case.</para>
255 </listitem>
256 </varlistentry
257 <varlistentry>
260 <listitem>
262 immediately try to reconnect an nbd device if the
263 connection ever drops unexpectedly due to a lost
264 server or something similar.</para>
265 </listitem>
266 </varlistentry>
267 <varlistentry>
270 <listitem>
271 <para>Connect to the server using the Socket Direct Protocol
272 (SDP), rather than IP. See nbd-server(5) for details.
273 </para>
274 </listitem>
275 </varlistentry>
276 <varlistentry>
279 <listitem>
280 <para>Specifies that this NBD device will be used as
281 swapspace. This option attempts to prevent deadlocks by
282 performing mlockall() and adjusting the oom-killer score
283 at an appropriate time. It does not however guarantee
284 that such deadlocks can be avoided.</para>
285 </listitem>
286 </varlistentry>
287 <varlistentry>
290 <listitem>
291 <para>The systemd init system requires that processes which
292 should not be killed at shutdown time be marked appropriately
293 by replacing the first letter of their argv[0] with an '@'
294 sign.</para>
296 <para>Note that this only works if nbd-client is run from an
297 initrd; i.e., systemd will ignore such a mark if run from a
298 systemd unit file or from the command line.</para>
299 </listitem>
300 </varlistentry>
301 <varlistentry>
304 <listitem>
305 <para>Specifies that the NBD client should not detach and
306 daemonize itself. This is mostly useful for debugging.</para>
307 <para>
308 Note that nbd-client will still fork once to trigger an
309 update to the device node's partition table. It is not
310 possible to disable this.
311 </para>
312 </listitem>
313 </varlistentry>
314 <varlistentry>
317 <listitem>
318 <para>Disable the use of the NBD_OPT_GO protocol message, and
319 force the use of NBD_OPT_EXPORT_NAME instead.</para>
320 <para>
321 The NBD protocol has two phases: the negotiation phase, and
322 the transmission phase. To move from negotation to
323 transmission, older clients sent the NBD_OPT_EXPORT_NAME
324 message, for which the server could not produce an error
325 message in case the export name did not exist (or the client
326 had insufficient permissions to access it). Due to those
327 limitations, a replacement message NBD_OPT_GO was created
328 instead, which allows the server to reply with an error in
329 case of any problems.</para>
330 <para>
331 The protocol allows for a server to discard a message which
332 it does not understand; however, unfortunately some
333 implementations (including older versions of nbd-server) did
334 not handle that situation correctly and would get out of
335 sync with the client when it sent a message which the server
336 did not understand.</para>
337 <para>
338 When sending NBD_OPT_GO, nbd-client will try to do the right
339 thing and fall back to NBD_OPT_EXPORT_NAME. However, when
340 the server has the above-described bug, then this does not
341 work. In such a situation, the client will issue a
342 diagnostic suggesting the use of this option.
343 </para>
344 <para>
345 Note that there is a corresponding option for nbdtab, too.
346 </para>
347 </listitem>
348 </varlistentry>
349 <varlistentry>
352 <listitem>
353 <para>
354 Specifies the name of the export that we want to use. If not
355 specified, nbd-client will ask for a "default" export, if
356 one exists on the server.
357 </para>
358 </listitem>
359 </varlistentry>
360 <varlistentry>
363 <listitem>
364 <para>
365 Connect to the server over a unix domain socket at
367 over a TCP socket. The server must be listening on the given
368 socket.
369 </para>
370 </listitem>
371 </varlistentry>
372 <varlistentry>
375 <listitem>
376 <para>
377 Use the specified file as the client certificate for TLS
378 authentication to the server.
379 </para>
380 </listitem>
381 </varlistentry>
382 <varlistentry>
385 <listitem>
386 <para>
387 Use the specified file as the private key for the client
388 cerificate.
389 </para>
390 </listitem>
391 </varlistentry>
392 <varlistentry>
395 <listitem>
396 <para>
397 Use the specified file as the CA certificate for TLS
398 authentication to the server.
399 </para>
400 </listitem>
401 </varlistentry>
402 <varlistentry>
405 <listitem>
406 <para>
407 Use the specified hostname for the TLS context. If not
408 specified, the hostname used to connect to the server will
409 be used.</para>
410 </listitem>
411 </varlistentry>
412 </variablelist>
413 <refsect2>
415 <para>Enabling any of the TLS-related options causes the client to
416 use the NBD_OPT_STARTTLS command to upgrade the connection to
417 TLS. Since negotiating TLS support from userspace for a kernel
418 socket would be very involved (if passing keys to kernel space
419 were even possible, which it isn't), the way this is implemented
420 is that the nbd-client process creates a socketpair, one side of
421 which it hands to the kernel, and the other side of which is
422 handed to an encrypting/decrypting proxy. This has the effect
423 that all communication will be encrypted before being sent over
424 the wire; however, doing so is not safe in combination with
425 swapping over an NBD device:</para>
426 <para>
427 In order to free memory by swapping, the kernel needs to be sure
428 that the write to the nbd device has finalized. For this, it
429 needs to be able to receive an NBD_CMD_WRITE reply which informs
430 it that the write has completed successfully and that the memory
431 may be released. Receiving data over the network, however,
433 first, which is impossible if we're low on memory (a likely
434 situation when trying to swap). This is likely to cause a
435 deadlock when we're low on memory and there are high amounts of
436 network traffic.</para>
437 <para>To remedy this situation, the kernel sets the PF_MEMALLOC
438 option on the nbd socket; when low on memory, it will throw away
439 all packets except for those destined to a socket with that
440 option set, relying on the normal TCP retransmit system to
441 ensure that data is not lost. This avoids the deadlock described
442 above.</para>
443 <para>However, the PF_MEMALLOC option is set on the socket that is
444 connected to the nbd device, not the encrypted socket connected
445 to the encrypting/decrypting proxy. As such, when using TLS, the
446 PF_MEMALLOC option is not set on the socket that actually
447 receives data from the network, which means that the deadlock
448 reappears.</para>
450 used when TLS is in use, &dhpackage; will issue an appropriate
451 warning.</para>
452 </refsect2>
453 </refsect1>
454 <refsect1>
459 <listitem>
461 "server.domain.com", using the client's block special file
464 /dev/nbd0</command></para>
465 </listitem>
466 <listitem>
468 "swapserver.domain.com", using the client's block special
471 -swap</command></para>
472 </listitem>
473 <listitem>
474 <para>To disconnect the above connection again (after making
475 sure the block special file is not in use anymore):</para>
477 </listitem>
478 </itemizedlist>
479 </refsect1>
480 <refsect1>
485 </refsect1>
486 <refsect1>
488 <para>The NBD kernel module and the NBD tools have been written by
489 Pavel Macheck (pavel@ucw.cz).</para>
491 <para>The kernel module is now maintained by Paul Clements
492 (Paul.Clements@steeleye.com), while the userland tools are maintained by
493 Wouter Verhelst (wouter@debian.org)</para>
496 the &debian; system (but may be used by others). Permission is
497 granted to copy, distribute and/or modify this document under the
501 </refsect1>
502 </refentry>