ovs-controller(8)             Open vSwitch Manual             ovs-controller(8)

ovs-controller - simple OpenFlow controller reference implementation

ovs-controller [options] method [method]...

ovs-controller manages any number of remote switches over the OpenFlow
protocol, causing them to function as L2 MAC-learning switches or hubs.

ovs-controller controls one or more OpenFlow switches, specified as one
or more of the following OpenFlow connection methods:

    pssl:[port][:ip]
        Listens for OpenFlow SSL connections on port (default: 6633).
        The --private-key, --certificate, and --ca-cert options are
        mandatory when this form is used. By default, connections are
        not bound to a particular local IP address, but ip may be
        specified to listen only for connections to the given ip.

    ptcp:[port][:ip]
        Listens for OpenFlow TCP connections on port (default: 6633).
        By default, connections are not bound to a particular local IP
        address, but ip may be specified to listen only for connections
        to the given ip.

    punix:file
        Listens for OpenFlow connections on the Unix domain server
        socket named file.

    ssl:ip[:port]
        The specified SSL port (default: 6633) on the host at the given
        ip, which must be expressed as an IP address (not a DNS name).
        The --private-key, --certificate, and --ca-cert options are
        mandatory when this form is used.

    tcp:ip[:port]
        The specified TCP port (default: 6633) on the host at the given
        ip, which must be expressed as an IP address (not a DNS name).

    unix:file
        The Unix domain server socket named file.

-n
--noflow
    By default, ovs-controller sets up a flow in each OpenFlow switch
    whenever it receives a packet whose destination is known through
    MAC learning. This option disables flow setup, so that every
    packet in the network passes through the controller.

    This option is most useful for debugging. It reduces switching
    performance, so it should not be used in production.

--max-idle=secs|permanent
    Sets secs as the number of seconds that a flow set up by the
    controller will remain in the switch's flow table without any
    matching packets being seen. If permanent is specified, which is
    not recommended, flows will never expire. The default is 60
    seconds.

    This option has no effect when -n (or --noflow) is in use (because
    the controller does not set up flows in that case).

-H
--hub
    By default, the controller acts as an L2 MAC-learning switch. This
    option changes its behavior to that of a hub that floods packets on
    all but the incoming port.

    If -H (or --hub) and -n (or --noflow) are used together, then the
    cumulative effect is that every packet passes through the
    controller and every packet is flooded.

    This option is most useful for debugging. It reduces switching
    performance, so it should not be used in production.

-w[wildcard_mask]
--wildcards[=wildcard_mask]
    By default, ovs-controller sets up exact-match flows. This option
    allows it to set up wildcarded flows, which may reduce flow setup
    latency by causing less traffic to be sent up to the controller.

    The optional wildcard_mask is an OpenFlow wildcard bitmask in
    hexadecimal that specifies the fields to wildcard. If no
    wildcard_mask is specified, the default value 0x2820F0 is used,
    which specifies L2-only switching and wildcards L3 and L4 fields.
    Another interesting value is 0x2000EC, which specifies L3-only
    switching and wildcards L2 and L4 fields.

    This option has no effect when -n (or --noflow) is in use (because
    the controller does not set up flows in that case).
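
To see which match fields a given wildcard_mask leaves out of the flows, the mask can be decoded bit by bit. The following is an added example, not part of Open vSwitch; decode_wildcards is a hypothetical helper, and the bit layout is taken from the OFPFW_* flags of the OpenFlow 1.0 specification rather than from this page.

```shell
#!/bin/sh
# Added example (not part of Open vSwitch): decode the OpenFlow 1.0
# wildcard bitmask given to -w/--wildcards into the fields it ignores.
# Bit positions are the OFPFW_* flags of the OpenFlow 1.0 specification.
# decode_wildcards is a hypothetical helper name.
decode_wildcards() {
    # Accept hex digits only, with or without a 0x prefix, so that
    # unvalidated input never reaches shell arithmetic.
    hex=${1#0[xX]}
    case $hex in
        ''|*[!0-9a-fA-F]*) echo "invalid wildcard mask: $1" >&2; return 1 ;;
    esac
    mask=$(( 0x$hex ))
    out=""
    # One-bit flags: a set bit means the field is wildcarded.
    for pair in 0:in_port 1:dl_vlan 2:dl_src 3:dl_dst 4:dl_type \
                5:nw_proto 6:tp_src 7:tp_dst 20:dl_vlan_pcp 21:nw_tos; do
        bit=${pair%%:*}
        if [ $(( ($mask >> $bit) & 1 )) -eq 1 ]; then
            out="$out ${pair#*:}"
        fi
    done
    # nw_src and nw_dst are 6-bit counts of low-order IPv4 address bits
    # to ignore; 32 or more wildcards the whole address.
    for pair in 8:nw_src 14:nw_dst; do
        shift_by=${pair%%:*}
        n=$(( ($mask >> $shift_by) & 0x3f ))
        if [ "$n" -gt 32 ]; then n=32; fi
        if [ "$n" -gt 0 ]; then out="$out ${pair#*:}/$n"; fi
    done
    echo "${out# }"
}

# The two masks named in this manual:
decode_wildcards 0x2820F0   # default, L2-only switching
decode_wildcards 0x2000EC   # L3-only switching
```

Fields that do not appear in the output are still matched exactly, so the wider the list, the more traffic a single installed flow covers.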

-N
--normal
    By default, ovs-controller directs packets to a particular port or
    floods them. This option causes it to direct non-flooded packets
    to the OpenFlow OFPP_NORMAL port. This allows the switch itself to
    make decisions about packet destinations. Support for OFPP_NORMAL
    is optional in OpenFlow, so this option may not work well with some
    non-Open vSwitch switches.

--mute
    Prevents ovs-controller from replying to any OpenFlow messages sent
    to it by switches.

    This option is only for debugging the Open vSwitch implementation
    of "fail open" mode. It must not be used in production.

-q id
--queue=id
    By default, ovs-controller uses the default OpenFlow queue for
    sending packets and setting up flows. Use one of these options,
    supplying id as an OpenFlow queue ID as a decimal number, to
    instead use that specific queue.

    This option is incompatible with -N or --normal and with -H or
    --hub. If more than one is specified then this option takes
    precedence.

    This option may be useful for testing or debugging quality of
    service setups.

-Q port-name:queue-id
--port-queue port-name:queue-id
    Configures packets received on the port named port-name (e.g.
    eth0) to be output on OpenFlow queue ID queue-id (specified as a
    decimal number). For the specified port, this option overrides the
    default specified on -q or --queue.

    This option may be specified any number of times with different
    port-name arguments.

    This option is incompatible with -N or --normal and with -H or
    --hub. If more than one is specified then this option takes
    precedence.

    This option may be useful for testing or debugging quality of
    service setups.

--with-flows file
    When a switch connects, push the flow entries as described in file.
    Each line in file is a flow entry in the format described for the
    add-flows command in the Flow Syntax section of the ovs-ofctl(8)
    man page.

    Use this option more than once to add flows from multiple files.

Public Key Infrastructure Options

-p privkey.pem
--private-key=privkey.pem
    Specifies a PEM file containing the private key used as
    ovs-controller's identity for outgoing SSL connections.

-c cert.pem
--certificate=cert.pem
    Specifies a PEM file containing a certificate that certifies the
    private key specified on -p or --private-key to be trustworthy.
    The certificate must be signed by the certificate authority (CA)
    that the peer in SSL connections will use to verify it.

-C cacert.pem
--ca-cert=cacert.pem
    Specifies a PEM file containing the CA certificate that
    ovs-controller should use to verify certificates presented to it by
    SSL peers. (This may be the same certificate that SSL peers use to
    verify the certificate specified on -c or --certificate, or it may
    be a different one, depending on the PKI design in use.)

-C none
--ca-cert=none
    Disables verification of certificates presented by SSL peers. This
    introduces a security risk, because it means that certificates
    cannot be verified to be those of known trusted hosts.

--peer-ca-cert=peer-cacert.pem
    Specifies a PEM file that contains one or more additional
    certificates to send to SSL peers. peer-cacert.pem should be the
    CA certificate used to sign ovs-controller's own certificate, that
    is, the certificate specified on -c or --certificate. If
    ovs-controller's certificate is self-signed, then --certificate and
    --peer-ca-cert should specify the same file.

    This option is not useful in normal operation, because the SSL peer
    must already have the CA certificate for the peer to have any
    confidence in ovs-controller's identity. However, this offers a
    way for a new installation to bootstrap the CA certificate on its
    first SSL connection.
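
A pre-launch check for the options this manual marks as a security risk, debugging-only or not recommended, as an added example that is not part of Open vSwitch. audit_controller_args and the finding labels are hypothetical names, and reporting ptcp:/tcp: methods is an added assumption made because those methods carry OpenFlow without SSL; combined short options such as -nH are not parsed.

```shell
#!/bin/sh
# Added example (not part of Open vSwitch): report ovs-controller
# arguments that this manual describes as a security risk, as
# debugging-only, or as not recommended. Prints one label per finding
# and returns non-zero when anything was found.
audit_controller_args() {
    findings=""
    prev=""
    for arg in "$@"; do
        case $arg in
            ptcp:*|tcp:*)
                # Assumption of this example: plain TCP methods are
                # reported because they use no SSL at all.
                findings="$findings plaintext-openflow" ;;
            --ca-cert=none)
                findings="$findings peer-verification-disabled" ;;
            none)
                # "-C none" arrives as two separate words.
                if [ "$prev" = "-C" ]; then
                    findings="$findings peer-verification-disabled"
                fi ;;
            --mute)
                findings="$findings mute-debug-only" ;;
            -n|--noflow)
                findings="$findings noflow-debug-only" ;;
            -H|--hub)
                findings="$findings hub-debug-only" ;;
            --max-idle=permanent)
                findings="$findings flows-never-expire" ;;
        esac
        prev=$arg
    done
    echo "${findings# }"
    [ -z "$findings" ]
}

# Constructed sample invocation; reports three findings.
audit_controller_args ptcp: --noflow --max-idle=permanent || true
```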

--pidfile[=pidfile]
    Causes a file (by default, ovs-controller.pid) to be created
    indicating the PID of the running process. If the pidfile argument
    is not specified, or if it does not begin with /, then it is
    created in /var/run/openvswitch.

    If --pidfile is not specified, no pidfile is created.

--overwrite-pidfile
    By default, when --pidfile is specified and the specified pidfile
    already exists and is locked by a running process, ovs-controller
    refuses to start. Specify --overwrite-pidfile to cause it to
    instead overwrite the pidfile.

    When --pidfile is not specified, this option has no effect.

--detach
    Causes ovs-controller to detach itself from the foreground session
    and run as a background process.

--monitor
    Creates an additional process to monitor the ovs-controller daemon.
    If the daemon dies due to a signal that indicates a programming
    error (e.g. SIGSEGV, SIGABRT), then the monitor process starts a
    new copy of it. If the daemon dies or exits for another reason,
    the monitor process exits.

    This option is normally used with --detach, but it also functions
    without it.

--no-chdir
    By default, when --detach is specified, ovs-controller changes its
    current working directory to the root directory after it detaches.
    Otherwise, invoking ovs-controller from a carelessly chosen
    directory would prevent the administrator from unmounting the file
    system that holds that directory.

    Specifying --no-chdir suppresses this behavior, preventing
    ovs-controller from changing its current working directory. This
    may be useful for collecting core files, since it is common
    behavior to write core dumps into the current working directory and
    the root directory is not a good directory to use.

    This option has no effect when --detach is not specified.

-v[spec]
--verbose=[spec]
    Sets logging levels. Without any spec, sets the log level for
    every module and facility to dbg. Otherwise, spec is a list of
    words separated by spaces or commas or colons, up to one from each
    category below:

    · A valid module name, as displayed by the vlog/list command on
      ovs-appctl(8), limits the log level change to the specified
      module.

    · syslog, console, or file, to limit the log level change only to
      the system log, to the console, or to a file, respectively.

    · off, emer, err, warn, info, or dbg, to control the log level.
      Messages of the given severity or higher will be logged, and
      messages of lower severity will be filtered out. off filters out
      all messages. See ovs-appctl(8) for a definition of each log
      level.

    Case is not significant within spec.

    Regardless of the log levels set for file, logging to a file will
    not take place unless --log-file is also specified (see below).

    For compatibility with older versions of OVS, any is accepted as a
    word but has no effect.

-v
--verbose
    Sets the maximum logging verbosity level, equivalent to
    --verbose=dbg.

--log-file[=file]
    Enables logging to a file. If file is specified, then it is used
    as the exact name for the log file. The default log file name used
    if file is omitted is /var/log/openvswitch/ovs-controller.log.

--unixctl=socket
    Sets the name of the control socket on which ovs-controller listens
    for runtime management commands (see RUNTIME MANAGEMENT COMMANDS,
    below). If socket does not begin with /, it is interpreted as
    relative to /var/run/openvswitch. If --unixctl is not used at all,
    the default socket is /var/run/openvswitch/ovs-controller.pid.ctl,
    where pid is ovs-controller's process ID. Specifying none for
    socket disables the control socket feature.

-h
--help
    Prints a brief help message to the console.

-V
--version
    Prints version information to the console.

To bind locally to port 6633 (the default) and wait for incoming
connections from OpenFlow switches:

    % ovs-controller ptcp:

Configuring a Citrix XenServer to connect to a particular controller
only points the remote OVSDB management connection to that controller.
It does not also configure OpenFlow connections, because the manager is
expected to do that over the management protocol. ovs-controller is
not an Open vSwitch manager and does not know how to do that.

As a stopgap workaround, ovs-vsctl can wait for an OVSDB connection and
set the controller, e.g.:

    % ovs-vsctl -t0 --db=pssl: --certificate=cert.pem --ca-cert=none \
          --private-key=privkey.pem --peer-ca-cert=cacert.pem \
          set-controller ssl:ip

ovs-appctl(8), ovs-ofctl(8), ovs-dpctl(8)

Open vSwitch                        2.0.0                     ovs-controller(8)