Setting up an NBD Server for VMware Backups
#To back up and restore VMware compute instances, Plakar Control Plane does not
talk to vCenter or ESXi directly for disk I/O. Instead, a separate NBD server
running nbdkit with the VDDK plugin sits between vCenter/ESXi and Plakar
Control Plane. It reads and writes VM disks using VMware’s Virtual Disk
Development Kit (VDDK) and streams the data over NBD. Plakar Control Plane
connects to it purely as a client; it does not run any VMware-specific component
itself.
The NBD server can run anywhere, as a plain compute instance (for example, on OVHcloud), as long as it has network access to both sides:
flowchart TD
subgraph PCP["Plakar Control Plane"]
Consumer["NBD client
(orchestration over SSH,
disk data over TLS)"]
end
subgraph NBDServer["NBD Server (compute instance)"]
Nbdkit["nbdkit + VDDK plugin"]
end
subgraph VMware["VMware Environment"]
VCenter["vCenter / ESXi"]
end
Consumer -->|"SSH: orchestration"| Nbdkit
Consumer -->|"NBD over TLS: disk bytes"| Nbdkit
Nbdkit -->|"VDDK API"| VCenter
This guide walks through:
- Installing
nbdkitand the VDDK plugin - Installing the VMware VDDK libraries
- Generating TLS certificates for the NBD server
- Setting up SSH access for consumers
- Configuring the Plakar connector to use the NBD server
Prerequisites
#- Root access on that instance is recommended, since the NBD server behaves best when the executing user has root privileges.
- Network access from the NBD server to your vCenter/ESXi environment. Some vCenter deployments including OVHcloud Managed vSphere sit behind a firewall, so the NBD server’s IP address must be added to the allow list before it can reach vCenter.
- Network access from Plakar Control Plane to the NBD server, both for SSH (orchestration) and for the TLS-secured NBD port (disk data).
Step 1: Install nbdkit and the VDDK plugin
#On the NBD server instance, install nbdkit along with the NBD client tools and
the VDDK plugin:
sudo apt update
sudo apt install -y nbdkit libnbd-bin nbd-client qemu-utils nbdkit-plugin-vddkConfirm both nbdkit and the VDDK plugin installed correctly:
nbdkit vddk --dump-pluginThis should print a list of plugin parameters. If instead you get a
cannot open plugin error, the plugin was not installed correctly.
Step 2: Install the VDDK libraries from Broadcom
#nbdkit-vddk needs the actual VMware VDDK libraries, which are distributed
separately from Broadcom.
Download the VMware Virtual Disk Development Kit (VDDK) tarball from the
Broadcom support portal
for example, VMware-vix-disklib-8.x.x-xxxxxxx.x86_64.tar.gz. Transfer it to
the NBD server (for example with scp), then extract and install it:
tar xzf VMware-vix-disklib-*.tar.gz
sudo mkdir -p /usr/lib/vmware-vix-disklib
sudo cp -r vmware-vix-disklib-distrib/* /usr/lib/vmware-vix-disklib/The VDDK libraries must be installed at this exact path,
/usr/lib/vmware-vix-disklib, for the nbdkit-vddk plugin to find them.
Verify the installation:
ls /usr/lib/vmware-vix-disklib/lib64/libvixDiskLib.so*
nbdkit vddk libdir=/usr/lib/vmware-vix-disklib --dump-plugin # should show VDDK versionA successful install shows a line similar to
vddk_dll=/usr/lib/vmware-vix-disklib/lib64/libvixDiskLib.so.9.1.0.0 in the
--dump-plugin output.
Step 3: Generate TLS certificates
#Disk data flows over plain TCP between the consumer (Plakar Control Plane) and
nbdkit, so TLS is required (--tls=require). The recommended approach is to
run your own private CA and issue a single server certificate for the NBD
server.
Set these two variables first, you’ll reuse them throughout this step:
user='ubuntu'
nbd_ip=''
org_name=''Install certtool and create a dedicated group for TLS material access:
sudo apt install -y gnutls-bin
sudo groupadd --system nbdtls 2>/dev/null || trueGenerate the CA and server certificate in a private scratch directory, so key material is never briefly world-readable:
umask 077
tmpdir=$(mktemp -d)
cd "$tmpdir"
# CA - do this once; keep ca-key.pem in your secret provider, never on disk here longer than needed
certtool --generate-privkey > ca-key.pem
cat > ca.info < server-key.pem
# Server certificate, bound to the NBD server's IP address
cat > server.info <<EOF
organization = ${org_name}
cn = ${nbd_ip}
ip_address = ${nbd_ip}
tls_www_server
encryption_key
signing_key
expiration_days = 3650
EOF
certtool --generate-certificate \
--load-ca-certificate ca-cert.pem \
--load-ca-privkey ca-key.pem \
--load-privkey server-key.pem \
--template server.info \
--outfile server-cert.pemInstall the certificates into /etc/nbdkit/certs with group-based access, and
add the executing user to the nbdtls group:
sudo install -d -o root -g nbdtls -m 0750 /etc/nbdkit /etc/nbdkit/certs
sudo install -o root -g nbdtls -m 0640 server-key.pem /etc/nbdkit/certs/server-key.pem
sudo install -o root -g nbdtls -m 0644 server-cert.pem /etc/nbdkit/certs/server-cert.pem
sudo install -o root -g nbdtls -m 0644 ca-cert.pem /etc/nbdkit/certs/ca-cert.pem
sudo usermod -aG nbdtls "$user"Then clean up the scratch directory. ca-key.pem should go to your secret
provider. It does not belong on the NBD server itself:
# (upload ca-key.pem to your secret provider before this step)
cd /
shred -u "$tmpdir"/*.pem "$tmpdir"/*.info 2>/dev/null
rmdir "$tmpdir"
Note
If you are connected to the NBD server over SSH as the executing user (e.g.
ubuntu), reconnect before running the sanity check below. Group membership
changes require a fresh login to take effect.
Sanity check that the certificate’s Subject Alternative Name matches the NBD server’s IP:
certtool --certificate-info --infile /etc/nbdkit/certs/server-cert.pem | grep -A2 "Subject Alternative Name"
# expect: IPAddress:Keep a copy of ca-cert.pem. You’ll need it later when configuring the VMware
Compute resource in Plakar Control Plane.
Step 4: Set up SSH access for consumers
#SSH is used for orchestration only. Disk bytes never travel over SSH, only over the TLS-secured NBD connection set up in Step 3.
Generate a keypair. This can be done on any machine since only the private key
contents are needed later as the nbd_ssh_private_key value:
ssh-keygen -t ed25519 -N "" -f <key-name>Keep the private key secure. You’ll need it later when configuring the VMware Compute resource in Plakar Control Plane.
On the NBD server, add the corresponding public key to the executing user’s authorized keys:
echo "" >> ~/.ssh/authorized_keysNext Steps
#Your NBD server is now ready to be used by Plakar Control Plane.
Continue with the VMware Compute documentation to configure a VMware source or destination app and connect it to this NBD server.