1ovn-nbctl(8)                  Open vSwitch Manual                 ovn-nbctl(8)
2
3
4

NAME

6       ovn-nbctl - Open Virtual Network northbound db management utility
7

SYNOPSIS

9       ovn-nbctl [options] command [arg...]
10

DESCRIPTION

12       This utility can be used to manage the OVN northbound database.
13

GENERAL COMMANDS

15       init   Initializes  the  database,  if it is empty. If the database has
16              already been initialized, this command has no effect.
17
18       show [switch | router]
19              Prints a brief overview of the database contents. If  switch  is
20              provided, only records related to that logical switch are shown.
21              If router is provided, only  records  related  to  that  logical
22              router are shown.
23

LOGICAL SWITCH COMMANDS

25       ls-add Creates  a  new,  unnamed logical switch, which initially has no
26              ports. The switch does not have  a  name,  other  commands  must
27              refer to this switch by its UUID.
28
29       [--may-exist | --add-duplicate] ls-add switch
30              Creates  a  new logical switch named switch, which initially has
31              no ports.
32
33              The OVN northbound database  schema  does  not  require  logical
34              switch  names  to be unique, but the whole point to the names is
35              to provide an easy way for humans to refer to the switches, mak‐
36              ing  duplicate  names unhelpful. Thus, without any options, this
37              command regards it as an error if switch is  a  duplicate  name.
38              With  --may-exist, adding a duplicate name succeeds but does not
39              create a new logical switch. With --add-duplicate,  the  command
40              really creates a new logical switch with a duplicate name. It is
41              an error to specify both options. If there are multiple  logical
42              switches  with  a duplicate name, configure the logical switches
43              using the UUID instead of the switch name.
44
45       [--if-exists] ls-del switch
46              Deletes switch. It is an error if switch does not exist,  unless
47              --if-exists is specified.
48
49       ls-list
50              Lists all existing switches on standard output, one per line.
51

ACL COMMANDS

53       These  commands  operates on ACL objects for a given entity. The entity
54       can be either a logical switch or a port group. The entity can be spec‐
55       ified  as  uuid  or  name. The --type option can be used to specify the
56       type of the entity, in case both a logical switch  and  a  port  groups
57       exist  with  the  same  name  specified for entity. type must be either
58       switch or port-group.
59
60              [--type={switch | port-group}] [--log] [--meter=meter] [--sever‐
61              ity=severity]  [--name=name] [--may-exist] acl-add entity direc‐
62              tion priority match verdict
63                     Adds the specified  ACL  to  entity.  direction  must  be
64                     either from-lport or to-lport. priority must be between 0
65                     and 32767, inclusive. A full description  of  the  fields
66                     are  in  ovn-nb(5). If --may-exist is specified, adding a
67                     duplicated ACL succeeds but the ACL is  not  really  cre‐
68                     ated.   Without  --may-exist,  adding  a  duplicated  ACL
69                     results in error.
70
71                     The --log option enables packet logging for the ACL.  The
72                     options  --severity  and  --name  specify  a severity and
73                     name, respectively, for log entries (and also enable log‐
74                     ging).  The  severity  must  be  one  of  alert, warning,
75                     notice, info, or debug. If a severity is  not  specified,
76                     the  default is info. The --meter=meter option is used to
77                     rate-limit packet logging. The  meter  argument  names  a
78                     meter configured by meter-add.
79
80              [--type={switch | port-group}] acl-del entity [direction [prior‐
81              ity match]]
82                     Deletes ACLs from entity. If only entity is supplied, all
83                     the  ACLs  from  the  entity are deleted. If direction is
84                     also specified, then all the flows in that direction will
85                     be  deleted from the entity. If all the fields are given,
86                     then a single flow that matches all the  fields  will  be
87                     deleted.
88
89              [--type={switch | port-group}] acl-list entity
90                     Lists the ACLs on entity.
91

LOGICAL SWITCH QOS RULE COMMANDS

93       [--may-exist]  qos-add  switch  direction  priority  match  [dscp=dscp]
94       [rate=rate [burst=burst]]
95              Adds QoS marking and metering rules to switch. direction must be
96              either  from-lport  or  to-lport. priority must be between 0 and
97              32767, inclusive.
98
99              If dscp=dscp is specified, then matching packets will have  DSCP
100              marking  applied.  dscp  must be between 0 and 63, inclusive. If
101              rate=rate is specified then matching packets will have  metering
102              applied   at   rate   kbps.  If  metering  is  configured,  then
103              burst=burst specifies the burst rate  limit  in  kilobits.  dscp
104              and/or rate are required arguments.
105
106              If  --may-exist  is specified, adding a duplicated QoS rule suc‐
107              ceeds  but  the  QoS  rule  is  not  really   created.   Without
108              --may-exist, adding a duplicated QoS rule results in error.
109
110       qos-del switch [direction [priority match]]
111              Deletes  QoS  rules from switch. If only switch is supplied, all
112              the QoS rules from the logical switch are deleted. If  direction
113              is  also specified, then all the flows in that direction will be
114              deleted from the logical switch. If all the fields are supplied,
115              then  a  single  flow  that  matches  the  given  fields will be
116              deleted.
117
118       qos-list switch
119              Lists the QoS rules on switch.
120

METER COMMANDS

122       meter-add name action rate unit [burst]
123              Adds the specified meter. name must be a unique name to identify
124              this  meter.  The  action  argument specifies what should happen
125              when this meter is exceeded. The only supported action is drop.
126
127              The unit specifies the unit for the rate argument; valid  values
128              are  kbps and pktps for kilobits per second and packets per sec‐
129              ond, respectively. The burst option configures the maximum burst
130              allowed for the band in kilobits or packets depending on whether
131              the unit chosen was kbps or pktps, respectively. If a  burst  is
132              not supplied, the switch is free to select some reasonable value
133              depending on its configuration.
134
135              ovn-nbctl only supports adding a meter with a single  band,  but
136              the other commands support meters with multiple bands.
137
138              Names  that  start  with "__" (two underscores) are reserved for
139              internal use by OVN, so ovn-nbctl does not allow adding them.
140
141       meter-del [name]
142              Deletes meters. By default, all meters are deleted. If  name  is
143              supplied, only the meter with that name will be deleted.
144
145       meter-list
146              Lists all meters.
147

LOGICAL SWITCH PORT COMMANDS

149       [--may-exist] lsp-add switch port
150              Creates on lswitch a new logical switch port named port.
151
152              It  is  an  error  if  a logical port named port already exists,
153              unless --may-exist is specified. Regardless of  --may-exist,  it
154              is an error if the existing port is in some logical switch other
155              than switch or if it has a parent port.
156
157       [--may-exist] lsp-add switch port parent tag_request
158              Creates on switch a logical switch port named  port  that  is  a
159              child  of  parent  that  is identified with VLAN ID tag_request,
160              which must be between 0 and 4095, inclusive. If  tag_request  is
161              0,  ovn-northd  generates  a  tag that is unique in the scope of
162              parent. This is useful in cases such  as  virtualized  container
163              environments  where  Open vSwitch does not have a direct connec‐
164              tion to the container’s port and it must be shared with the vir‐
165              tual machine’s port.
166
167              It  is  an  error  if  a logical port named port already exists,
168              unless --may-exist is specified. Regardless of  --may-exist,  it
169              is  an error if the existing port is not in switch or if it does
170              not have the specified parent and tag_request.
171
172       [--if-exists] lsp-del port
173              Deletes port. It is an error if  port  does  not  exist,  unless
174              --if-exists is specified.
175
176       lsp-list switch
177              Lists  all  the  logical  switch ports within switch on standard
178              output, one per line.
179
180       lsp-get-parent port
181              If set, get the parent port of port. If not set, print nothing.
182
183       lsp-get-tag port
184              If set, get the tag for port traffic. If not set, print nothing.
185
186       lsp-set-addresses port [address]...
187              Sets the addresses associated with port to address. Each address
188              should be one of the following:
189
190              an  Ethernet  address, optionally followed by a space and one or
191              more IP addresses
192                     OVN delivers packets for the  Ethernet  address  to  this
193                     port.
194
195              unknown
196                     OVN  delivers  unicast Ethernet packets whose destination
197                     MAC address is not in any logical port’s addresses column
198                     to ports with address unknown.
199
200              dynamic
201                     Use  this  keyword to make ovn-northd generate a globally
202                     unique MAC address and choose an unused IPv4 address with
203                     the  logical  port’s  subnet and store them in the port’s
204                     dynamic_addresses column.
205
206              router Accepted only when the type of the logical switch port is
207                     router.  This indicates that the Ethernet, IPv4, and IPv6
208                     addresses for this logical switch port should be obtained
209                     from  the  connected logical router port, as specified by
210                     router-port in lsp-set-options.
211
212              Multiple addresses may be set. If no address argument is  given,
213              port will have no addresses associated with it.
214
215       lsp-get-addresses port
216              Lists all the addresses associated with port on standard output,
217              one per line.
218
219       lsp-set-port-security port [addrs]...
220              Sets the port security addresses associated with port to  addrs.
221              Multiple  sets  of  addresses may be set by using multiple addrs
222              arguments. If no addrs argument is given,  port  will  not  have
223              port security enabled.
224
225              Port security limits the addresses from which a logical port may
226              send packets and to  which  it  may  receive  packets.  See  the
227              ovn-nb(5) documentation for the port_security column in the Log‐
228              ical_Switch_Port table for details.
229
230       lsp-get-port-security port
231              Lists all the port security addresses associated  with  port  on
232              standard output, one per line.
233
234       lsp-get-up port
235              Prints the state of port, either up or down.
236
237       lsp-set-enabled port state
238              Set  the  administrative  state  of port, either enabled or dis‐
239              abled. When a port is disabled, no traffic is  allowed  into  or
240              out of the port.
241
242       lsp-get-enabled port
243              Prints  the administrative state of port, either enabled or dis‐
244              abled.
245
246       lsp-set-type port type
247              Set the type for the logical port. The type must be one  of  the
248              following:
249
250              (empty string)
251                     A VM (or VIF) interface.
252
253              router A connection to a logical router.
254
255              localnet
256                     A  connection  to  a locally accessible network from each
257                     ovn-controller instance. A logical switch can only have a
258                     single  localnet  port  attached.  This  is used to model
259                     direct connectivity to an existing network.
260
261              localport
262                     A connection to a local VIF. Traffic that  arrives  on  a
263                     localport  is  never  forwarded  over a tunnel to another
264                     chassis. These ports are present  on  every  chassis  and
265                     have  the  same  address  in all of them. This is used to
266                     model connectivity to local services that  run  on  every
267                     hypervisor.
268
269              l2gateway
270                     A connection to a physical network.
271
272              vtep   A port to a logical switch on a VTEP gateway.
273
274       lsp-get-type port
275              Get the type for the logical port.
276
277       lsp-set-options port [key=value]...
278              Set type-specific key-value options for the logical port.
279
280       lsp-get-options port
281              Get the type-specific options for the logical port.
282
283       lsp-set-dhcpv4-options port dhcp_options
284              Set the DHCPv4 options for the logical port. The dhcp_options is
285              a UUID referring to a set of DHCP options  in  the  DHCP_Options
286              table.
287
288       lsp-get-dhcpv4-options port
289              Get the configured DHCPv4 options for the logical port.
290
291       lsp-set-dhcpv6-options port dhcp_options
292              Set the DHCPv6 options for the logical port. The dhcp_options is
293              a UUID referring to a set of DHCP options  in  the  DHCP_Options
294              table.
295
296       lsp-get-dhcpv6-options port
297              Get the configured DHCPv6 options for the logical port.
298
299       lsp-get-ls port
300              Get the logical switch which the port belongs to.
301

LOGICAL ROUTER COMMANDS

303       lr-add Creates  a  new,  unnamed logical router, which initially has no
304              ports. The router does not have  a  name,  other  commands  must
305              refer to this router by its UUID.
306
307       [--may-exist | --add-duplicate] lr-add router
308              Creates  a  new logical router named router, which initially has
309              no ports.
310
311              The OVN northbound database  schema  does  not  require  logical
312              router  names  to be unique, but the whole point to the names is
313              to provide an easy way for humans to refer to the routers,  mak‐
314              ing  duplicate  names unhelpful. Thus, without any options, this
315              command regards it as an error if router is  a  duplicate  name.
316              With  --may-exist, adding a duplicate name succeeds but does not
317              create a new logical router. With --add-duplicate,  the  command
318              really creates a new logical router with a duplicate name. It is
319              an error to specify both options. If there are multiple  logical
320              routers  with  a  duplicate  name, configure the logical routers
321              using the UUID instead of the router name.
322
323       [--if-exists] lr-del router
324              Deletes router. It is an error if router does not exist,  unless
325              --if-exists is specified.
326
327       lr-list
328              Lists all existing routers on standard output, one per line.
329

LOGICAL ROUTER PORT COMMANDS

331       [--may-exist] lrp-add router port mac network... [peer=peer]
332              Creates on router a new logical router port named port with Eth‐
333              ernet address mac and one or more IP  address/netmask  for  each
334              network.
335
336              The optional argument peer identifies a logical router port that
337              connects to this one. The following example adds a  router  port
338              with an IPv4 and IPv6 address with peer lr1:
339
340              lrp-add lr0 lrp0 00:11:22:33:44:55 192.168.0.1/24 2001:db8::1/64
341              peer=lr1
342
343              It is an error if a  logical  router  port  named  port  already
344              exists,   unless   --may-exist   is   specified.  Regardless  of
345              --may-exist, it is an error if the existing router  port  is  in
346              some logical router other than router.
347
348       [--if-exists] lrp-del port
349              Deletes  port.  It  is  an  error if port does not exist, unless
350              --if-exists is specified.
351
352       lrp-list router
353              Lists all the logical router ports  within  router  on  standard
354              output, one per line.
355
356       lrp-set-enabled port state
357              Set  the  administrative  state  of port, either enabled or dis‐
358              abled. When a port is disabled, no traffic is  allowed  into  or
359              out of the port.
360
361       lrp-get-enabled port
362              Prints  the administrative state of port, either enabled or dis‐
363              abled.
364
365       lrp-set-gateway-chassis port chassis [priority]
366              Set gateway chassis for port. chassis is the name of  the  chas‐
367              sis. This creates a gateway chassis entry in Gateway_Chassis ta‐
368              ble. It won’t check if chassis really exists  in  OVN_Southbound
369              database.  Priority will be set to 0 if priority is not provided
370              by user. priority must be between 0 and 32767, inclusive.
371
372       lrp-del-gateway-chassis port chassis
373              Deletes gateway chassis from port. It is  an  error  if  gateway
374              chassis with chassis for port does not exist.
375
376       lrp-get-gateway-chassis port
377              Lists all the gateway chassis with priority within port on stan‐
378              dard output, one per line, ordered based on priority.
379

LOGICAL ROUTER STATIC ROUTE COMMANDS

381       [--may-exist]  [--policy=POLICY]  lr-route-add  router  prefix  nexthop
382       [port]
383              Adds  the specified route to router. prefix describes an IPv4 or
384              IPv6 prefix for this route, such  as  192.168.100.0/24.  nexthop
385              specifies the gateway to use for this route, which should be the
386              IP address of one of router  logical  router  ports  or  the  IP
387              address  of  a  logical port. If port is specified, packets that
388              match this route will be sent out that port. When port is  omit‐
389              ted, OVN infers the output port based on nexthop.
390
391              --policy  describes  the  policy used to make routing decisions.
392              This should be one of "dst-ip" or "src-ip".  If  not  specified,
393              the default is "dst-ip".
394
395              It  is  an  error  if a route with prefix already exists, unless
396              --may-exist is specified.
397
398       [--if-exists] lr-route-del router [prefix]
399              Deletes routes from router. If only router is supplied, all  the
400              routes  from  the  logical router are deleted. If prefix is also
401              specified, then all the routes that match  the  prefix  will  be
402              deleted from the logical router.
403
404              It  is  an error if prefix is specified and there is no matching
405              route entry, unless --if-exists is specified.
406
407       lr-route-list router
408              Lists the routes on router.
409

NAT COMMANDS

411       [--may-exist] lr-nat-add  router  type  external_ip  logical_ip  [logi‐
412       cal_port external_mac]
413              Adds  the specified NAT to router. The type must be one of snat,
414              dnat, or dnat_and_snat. The external_ip is an IPv4 address.  The
415              logical_ip  is  an  IPv4 network (e.g 192.168.1.0/24) or an IPv4
416              address. The logical_port and  external_mac  are  only  accepted
417              when  router  is  a  distributed  router  (rather than a gateway
418              router) and type is dnat_and_snat. The logical_port is the  name
419              of an existing logical switch port where the logical_ip resides.
420              The external_mac is an Ethernet address.
421
422              When type is dnat, the externally visible IP address external_ip
423              is DNATted to the IP address logical_ip in the logical space.
424
425              When  type is snat, IP packets with their source IP address that
426              either matches the IP address in logical_ip or is in the network
427              provided  by  logical_ip is SNATed into the IP address in exter‐
428              nal_ip.
429
430              When type is dnat_and_snat, the externally  visible  IP  address
431              external_ip is DNATted to the IP address logical_ip in the logi‐
432              cal space. In addition, IP packets with the  source  IP  address
433              that  matches logical_ip is SNATed into the IP address in exter‐
434              nal_ip.
435
436              When the logical_port and external_mac are  specified,  the  NAT
437              rule  will  be  programmed on the chassis where the logical_port
438              resides. This includes ARP replies for  the  external_ip,  which
439              return  the  value of external_mac. All packets transmitted with
440              source IP address equal to external_ip will be  sent  using  the
441              external_mac.
442
443              It  is  an error if a NAT already exists with the same values of
444              router, type, external_ip, and logical_ip, unless --may-exist is
445              specified.  When --may-exist, logical_port, and external_mac are
446              all specified, the existing values of  logical_port  and  exter‐
447              nal_mac are overwritten.
448
449       [--if-exists] lr-nat-del router [type [ip]]
450              Deletes  NATs  from  router. If only router is supplied, all the
451              NATs from the logical router are deleted. If type is also speci‐
452              fied, then all the NATs that match the type will be deleted from
453              the logical router. If all the fields are given, then  a  single
454              NAT  rule that matches all the fields will be deleted. When type
455              is snat, the ip should be  logical_ip.  When  type  is  dnat  or
456              dnat_and_snat, the ip shoud be external_ip.
457
458              It  is  an error if ip is specified and there is no matching NAT
459              entry, unless --if-exists is specified.
460
461       lr-nat-list router
462              Lists the NATs on router.
463

LOAD BALANCER COMMANDS

465       [--may-exist | --add-duplicate] lb-add lb vip ips [protocol]
466              Creates a new load balancer named lb with the provided  vip  and
467              ips  or  adds the vip to an existing lb. vip should be a virtual
468              IP address (or an IP address and a port number with : as a sepa‐
469              rator).   Examples   for   vip  are  192.168.1.4,  fd0f::1,  and
470              192.168.1.5:8080. ips should be comma separated IP endpoints (or
471              comma  separated IP addresses and port numbers with : as a sepa‐
472              rator). ips must be the same address family as vip. Examples for
473              ips are 10.0.0.1,10.0.0.2or [fdef::1]:8800,[fdef::2]:8800.
474
475              The  optional  argument protocol must be either tcp or udp. This
476              argument is useful when a port number is provided as part of the
477              vip.  If  the  protocol is unspecified and a port number is pro‐
478              vided as part of the vip, OVN assumes the protocol to be tcp.
479
480              It is an error if the vip already exists in  the  load  balancer
481              named lb, unless --may-exist is specified. With --add-duplicate,
482              the command really creates a new load balancer with a  duplicate
483              name.
484
485              The following example adds a load balancer.
486
487              lb-add                      lb0                     30.0.0.10:80
488              192.168.10.10:80,192.168.10.20:80,192.168.10.30:80 udp
489
490       [--if-exists] lb-del lb [vip]
491              Deletes lb or the vip from lb. If vip is supplied, only the  vip
492              will  be deleted from the lb. If only the lb is supplied, the lb
493              will be deleted. It is an error if vip does not already exist in
494              lb, unless --if-exists is specified.
495
496       lb-list [lb]
497              Lists  the LBs. If lb is also specified, then only the specified
498              lb will be listed.
499
500       [--may-exist] ls-lb-add switch lb
501              Adds the specified lb to switch. It is an error if a  load  bal‐
502              ancer  named lb already exists in the switch, unless --may-exist
503              is specified.
504
505       [--if-exists] ls-lb-del switch [lb]
506              Removes lb from switch. If only switch is supplied, all the  LBs
507              from  the  logical  switch are removed. If lb is also specified,
508              then only the lb will be removed from the logical switch. It  is
509              an  error if lb does not exist in the switch, unless --if-exists
510              is specified.
511
512       ls-lb-list switch
513              Lists the LBs for the given switch.
514
515       [--may-exist] lr-lb-add router lb
516              Adds the specified lb to router. It is an error if a  load  bal‐
517              ancer  named lb already exists in the router, unless --may-exist
518              is specified.
519
520       [--if-exists] lr-lb-del router [lb]
521              Removes lb from router. If only router is supplied, all the  LBs
522              from  the  logical  router are removed. If lb is also specified,
523              then only the lb will be removed from the logical router. It  is
524              an  error if lb does not exist in the router, unless --if-exists
525              is specified.
526
527       lr-lb-list router
528              Lists the LBs for the given router.
529

DHCP OPTIONS COMMANDS

531       dhcp-options-create cidr [key=value]
532              Creates a new DHCP Options entry in the DHCP_Options table  with
533              the specified cidr and optional external-ids.
534
535       dhcp-options-list
536              Lists the DHCP Options entries.
537
538       dhcp-options-del dhcp-option
539              Deletes the DHCP Options entry referred by dhcp-option UUID.
540
541       dhcp-options-set-options dhcp-option [key=value]...
542              Set the DHCP Options for the dhcp-option UUID.
543
544       dhcp-options-get-options dhcp-option
545              Lists the DHCP Options for the dhcp-option UUID.
546

PORT GROUP COMMANDS

548       pg-add group [port]...
549              Creates  a  new  port  group in the Port_Group table named group
550              with optional ports added to the group.
551
552       pg-set-ports group port...
553              Sets ports on the port group named group.  It  is  an  error  if
554              group does not exist.
555
556       pg-del group
557              Deletes  port  group  group.  It  is  an error if group does not
558              exist.
559
560 HA CHASSIS GROUP COMMANDS
561       ha-chassis-group-add group
562              Creates a new HA chassis group  in  the  HA_Chassis_Group  table
563              named group.
564
565       ha-chassis-group-del group
566              Deletes the HA chassis group group. It is an error if group does
567              not exist.
568
569       ha-chassis-group-list
570              Lists the HA chassis group group along with the  HA  chassis  if
571              any associated with it.
572
573       ha-chassis-group-add-chassis group chassis priority
574              Adds a new HA chassis chassis to the HA Chassis group group with
575              the specified priority. If the chassis already exists, then  the
576              priority is updated. The chassis should be the name of the chas‐
577              sis in the OVN_Southbound.
578
579       ha-chassis-group-remove-chassis group chassis
580              Removes the HA chassis chassis from the HA chassis group  group.
581              It is an error if chassis does not exist.
582

DATABASE COMMANDS

584       These  commands query and modify the contents of ovsdb tables. They are
585       a slight abstraction of the ovsdb interface and as such they operate at
586       a lower level than other ovn-nbctl commands.
587
588       Identifying Tables, Records, and Columns
589
590       Each of these commands has a table parameter to identify a table within
591       the database. Many of them also take a record parameter that identifies
592       a  particular  record  within  a table. The record parameter may be the
593       UUID for a record, which may be abbreviated to its first  4  (or  more)
594       hex  digits,  as  long  as that is unique. Many tables offer additional
595       ways to identify records. Some commands  also  take  column  parameters
596       that identify a particular field within the records in a table.
597
598       For  a list of tables and their columns, see ovn-nb(5) or see the table
599       listing from the --help option.
600
601       Record names must be specified in full and with correct capitalization,
602       except  that  UUIDs  may  be abbreviated to their first 4 (or more) hex
603       digits, as long as that is unique within the table. Names of tables and
604       columns  are  not  case-sensitive, and - and _ are treated interchange‐
605       ably. Unique abbreviations of table and column  names  are  acceptable,
606       e.g. d or dhcp is sufficient to identify the DHCP_Options table.
607
608       Database Values
609
610       Each column in the database accepts a fixed type of data. The currently
611       defined basic types, and their representations, are:
612
613              integer
614                     A decimal integer in the range -2**63 to 2**63-1,  inclu‐
615                     sive.
616
617              real   A floating-point number.
618
619              Boolean
620                     True or false, written true or false, respectively.
621
622              string An  arbitrary  Unicode string, except that null bytes are
623                     not allowed. Quotes are optional for  most  strings  that
624                     begin  with  an  English letter or underscore and consist
625                     only of letters, underscores, hyphens, and periods.  How‐
626                     ever, true and false and strings that match the syntax of
627                     UUIDs (see below) must be enclosed in  double  quotes  to
628                     distinguish  them  from  other  basic  types. When double
629                     quotes are used, the syntax is that of strings  in  JSON,
630                     e.g.  backslashes  may  be used to escape special charac‐
631                     ters. The empty string must be represented as a  pair  of
632                     double quotes ("").
633
634              UUID   Either  a  universally  unique identifier in the style of
635                     RFC 4122, e.g.  f81d4fae-7dec-11d0-a765-00a0c91e6bf6,  or
636                     an  @name  defined  by a get or create command within the
637                     same ovs-vsctl invocation.
638
639       Multiple values in a single column may be separated by spaces or a sin‐
640       gle  comma.  When  multiple  values  are  present,  duplicates  are not
641       allowed, and order is not important. Conversely, some database  columns
642       can have an empty set of values, represented as [], and square brackets
643       may optionally enclose other non-empty sets or single values as well.
644
645       A few database columns are ``maps’’ of key-value pairs, where  the  key
646       and the value are each some fixed database type. These are specified in
647       the form key=value, where key and value follow the syntax for the  col‐
648       umn’s  key  type  and value type, respectively. When multiple pairs are
649       present (separated by spaces  or  a  comma),  duplicate  keys  are  not
650       allowed,  and  again  the  order is not important. Duplicate values are
651       allowed. An empty map is represented as {}. Curly braces may optionally
652       enclose  non-empty  maps  as  well (but use quotes to prevent the shell
653       from expanding other-config={0=x,1=y} into other-config=0=x  other-con‐
654       fig=1=y, which may not have the desired effect).
655
656       Database Command Syntax
657
658              [--if-exists]    [--columns=column[,column]...]    list    table
659              [record]...
660                     Lists the data in each specified record.  If  no  records
661                     are specified, lists all the records in table.
662
663                     If --columns is specified, only the requested columns are
664                     listed, in the specified order.  Otherwise,  all  columns
665                     are listed, in alphabetical order by column name.
666
667                     Without  --if-exists,  it  is  an  error if any specified
668                     record does not  exist.  With  --if-exists,  the  command
669                     ignores any record that does not exist, without producing
670                     any output.
671
672              [--columns=column[,column]...]      find       table       [col‐
673              umn[:key]=value]...
674                     Lists  the  data  in  each  record  in table whose column
675                     equals value or, if key is specified, whose  column  con‐
676                     tains a key with the specified value. The following oper‐
677                     ators may be used where = is written in the  syntax  sum‐
678                     mary:
679
680                     = != < > <= >=
681                            Selects records in which column[:key] equals, does
682                            not equal, is less than, is greater than, is  less
683                            than  or  equal to, or is greater than or equal to
684                            value, respectively.
685
686                            Consider column[:key] and value as  sets  of  ele‐
687                            ments. Identical sets are considered equal. Other‐
688                            wise, if the sets have different numbers  of  ele‐
689                            ments,  then the set with more elements is consid‐
690                            ered to be larger. Otherwise, consider  a  element
691                            from each set pairwise, in increasing order within
692                            each set. The first pair that  differs  determines
693                            the  result. (For a column that contains key-value
694                            pairs, first all the keys are compared, and values
695                            are  considered only if the two sets contain iden‐
696                            tical keys.)
697
698                     {=} {!=}
699                            Test for set equality or inequality, respectively.
700
701                     {<=}   Selects records in which column[:key] is a  subset
702                            of  value. For example, flood-vlans{<=}1,2 selects
703                            records in which the  flood-vlans  column  is  the
704                            empty set or contains 1 or 2 or both.
705
706                     {<}    Selects  records in which column[:key] is a proper
707                            subset of value.  For  example,  flood-vlans{<}1,2
708                            selects records in which the flood-vlans column is
709                            the empty set or contains 1 or 2 but not both.
710
711                     {>=} {>}
712                            Same as {<=} and {<},  respectively,  except  that
713                            the   relationship   is   reversed.  For  example,
714                            flood-vlans{>=}1,2 selects records  in  which  the
715                            flood-vlans column contains both 1 and 2.
716
717                     For  arithmetic  operators  (= != < > <= >=), when key is
718                     specified but a particular record’s column does not  con‐
719                     tain  key, the record is always omitted from the results.
720                     Thus,  the   condition   other-config:mtu!=1500   matches
721                     records  that have a mtu key whose value is not 1500, but
722                     not those that lack an mtu key.
723
724                     For the set operators, when key is specified but  a  par‐
725                     ticular record’s column does not contain key, the compar‐
726                     ison is done against an empty set.  Thus,  the  condition
727                     other-config:mtu{!=}1500  matches records that have a mtu
728                     key whose value is not 1500 and those that  lack  an  mtu
729                     key.
730
731                     Don’t  forget to escape < or > from interpretation by the
732                     shell.
733
734                     If --columns is specified, only the requested columns are
735                     listed, in the specified order. Otherwise all columns are
736                     listed, in alphabetical order by column name.
737
738                     The UUIDs shown for rows created in  the  same  ovs-vsctl
739                     invocation will be wrong.
740
741              [--if-exists] [--id=@name] get table record [column[:key]]...
742                     Prints  the  value  of each specified column in the given
743                     record in table. For map columns, a key may optionally be
744                     specified, in which case the value associated with key in
745                     the column is printed, instead of the entire map.
746
747                     Without --if-exists, it is an error if  record  does  not
748                     exist  or  key  is  specified,  if  key does not exist in
749                     record. With --if-exists, a missing record yields no out‐
750                     put and a missing key prints a blank line.
751
752                     If  @name  is  specified, then the UUID for record may be
753                     referred to by that name  later  in  the  same  ovs-vsctl
754                     invocation in contexts where a UUID is expected.
755
756                     Both --id and the column arguments are optional, but usu‐
757                     ally at least one or the other should  be  specified.  If
758                     both are omitted, then get has no effect except to verify
759                     that record exists in table.
760
761                     --id and --if-exists cannot be used together.
762
763              [--if-exists] set table record column[:key]=value...
764                     Sets the value of each  specified  column  in  the  given
765                     record  in  table  to  value.  For map columns, a key may
766                     optionally be specified, in which case the value  associ‐
767                     ated  with  key  in  that column is changed (or added, if
768                     none exists), instead of the entire map.
769
770                     Without --if-exists, it is an error if  record  does  not
771                     exist.  With  --if-exists,  this  command does nothing if
772                     record does not exist.
773
774              [--if-exists] add table record column [key=]value...
775                     Adds the specified value or key-value pair to  column  in
776                     record  in  table.  If  column  is  a  map,  then  key is
777                     required, otherwise it  is  prohibited.  If  key  already
778                     exists  in  a  map  column, then the current value is not
779                     replaced (use the set  command  to  replace  an  existing
780                     value).
781
782                     Without  --if-exists,  it  is an error if record does not
783                     exist. With --if-exists, this  command  does  nothing  if
784                     record does not exist.
785
786              [--if-exists] remove table record column value...
787
788                     [--if-exists] remove table record column key...
789
790                     [--if-exists]  remove  table  record  column key=value...
791                     Removes the specified values or key-value pairs from col‐
792                     umn in record in table. The first form applies to columns
793                     that are not maps: each specified value is  removed  from
794                     the  column. The second and third forms apply to map col‐
795                     umns: if only a key is specified, then any key-value pair
796                     with  the  given key is removed, regardless of its value;
797                     if a value is given then a pair is removed only  if  both
798                     key and value match.
799
800                     It  is  not  an  error if the column does not contain the
801                     specified key or value or pair.
802
803                     Without --if-exists, it is an error if  record  does  not
804                     exist.  With  --if-exists,  this  command does nothing if
805                     record does not exist.
806
807              [--if-exists] clear table record column...
808                     Sets each column in record in table to the empty  set  or
809                     empty  map,  as appropriate. This command applies only to
810                     columns that are allowed to be empty.
811
812                     Without --if-exists, it is an error if  record  does  not
813                     exist.  With  --if-exists,  this  command does nothing if
814                     record does not exist.
815
816              [--id=@name] create table column[:key]=value...
817                     Creates a new record in table and sets the initial values
818                     of  each  column. Columns not explicitly set will receive
819                     their default values. Outputs the UUID of the new row.
820
821                     If @name is specified, then the UUID for the new row  may
822                     be  referred  to by that name elsewhere in the same \*(PN
823                     invocation in contexts where a  UUID  is  expected.  Such
824                     references may precede or follow the create command.
825
826                     Caution (ovs-vsctl as example)
827                            Records  in the Open vSwitch database are signifi‐
828                            cant only when they can  be  reached  directly  or
829                            indirectly from the Open_vSwitch table. Except for
830                            records in the QoS or Queue tables,  records  that
831                            are  not reachable from the Open_vSwitch table are
832                            automatically  deleted  from  the  database.  This
833                            deletion  happens immediately, without waiting for
834                            additional ovs-vsctl commands  or  other  database
835                            activity. Thus, a create command must generally be
836                            accompanied by additional commands within the same
837                            ovs-vsctl  invocation to add a chain of references
838                            to the newly created  record  from  the  top-level
839                            Open_vSwitch  record.  The  EXAMPLES section gives
840                            some examples that show how to do this.
841
842              [--if-exists] destroy table record...
843                     Deletes  each  specified  record   from   table.   Unless
844                     --if-exists is specified, each records must exist.
845
846              --all destroy table
847                     Deletes all records from the table.
848
849                     Caution (ovs-vsctl as example)
850                            The  destroy command is only useful for records in
851                            the QoS or Queue tables. Records in  other  tables
852                            are  automatically  deleted from the database when
853                            they become unreachable from the Open_vSwitch  ta‐
854                            ble.  This  means that deleting the last reference
855                            to a record is sufficient for deleting the  record
856                            itself.  For  records  in these tables, destroy is
857                            silently ignored. See the EXAMPLES  section  below
858                            for more information.
859
860              wait-until table record [column[:key]=value]...
861                     Waits  until  table  contains a record named record whose
862                     column equals value or, if key is specified, whose column
863                     contains a key with the specified value. Any of the oper‐
864                     ators !=, <, >, <=, or >= may be  substituted  for  =  to
865                     test  for  inequality, less than, greater than, less than
866                     or equal to, or greater than or equal  to,  respectively.
867                     (Don’t forget to escape < or > from interpretation by the
868                     shell.)
869
870                     If no column[:key]=value arguments are given,  this  com‐
871                     mand  waits  only  until  record exists. If more than one
872                     such argument is given, the command waits  until  all  of
873                     them are satisfied.
874
875                     Caution (ovs-vsctl as example)
876                            Usually  wait-until should be placed at the begin‐
877                            ning of a set of ovs-vsctl commands. For  example,
878                            wait-until  bridge  br0  --  get  bridge br0 data‐
879                            path_id waits until a bridge named br0 is created,
880                            then  prints  its  datapath_id column, whereas get
881                            bridge br0 datapath_id --  wait-until  bridge  br0
882                            will  abort  if  no  bridge  named br0 exists when
883                            ovs-vsctl initially connects to the database.
884
885                     Consider specifying --timeout=0 along with  --wait-until,
886                     to  prevent ovs-vsctl from terminating after waiting only
887                     at most 5 seconds.
888
889              comment [arg]...
890                     This command has no effect on behavior, but any  database
891                     log  record  created by the command will include the com‐
892                     mand and its arguments.
893

SYNCHRONIZATION COMMANDS

895       sync   Ordinarily, --wait=sb or --wait=hv only waits for changes by the
896              current ovn-nbctl invocation to take effect. This means that, if
897              none of the commands supplied to ovn-nbctl change the  database,
898              then  the  command  does not wait at all. With the sync command,
899              however, ovn-nbctl waits even for earlier changes to  the  data‐
900              base  to propagate down to the southbound database or all of the
901              OVN chassis, according to the argument to --wait.
902

REMOTE CONNECTIVITY COMMANDS

904       get-connection
905              Prints the configured connection(s).
906
907       del-connection
908              Deletes the configured connection(s).
909
910       [--inactivity-probe=msecs] set-connection target...
911              Sets the configured manager target or  targets.  Use  --inactiv‐
912              ity-probe=msecs to override the default idle connection inactiv‐
913              ity probe time. Use 0 to disable inactivity probes.
914

SSL CONFIGURATION COMMANDS

916       get-ssl
917              Prints the SSL configuration.
918
919       del-ssl
920              Deletes the current SSL configuration.
921
922       [--bootstrap] set-ssl private-key  certificate  ca-cert  [ssl-protocol-
923       list [ssl-cipher-list]]
924              Sets the SSL configuration.
925

DAEMON MODE

927       When  it  is invoked in the most ordinary way, ovn-nbctl connects to an
928       OVSDB server that hosts the northbound database,  retrieves  a  partial
929       copy  of  the  database that is complete enough to do its work, sends a
930       transaction request to the  server,  and  receives  and  processes  the
931       server’s  reply.  In  common  interactive use, this is fine, but if the
932       database is large, the step in which ovn-nbctl retrieves a partial copy
933       of  the  database  can  take a long time, which yields poor performance
934       overall.
935
936       To improve performance in such  a  case,  ovn-nbctl  offers  a  "daemon
937       mode,"  in  which  the user first starts ovn-nbctl running in the back‐
938       ground and afterward uses the daemon to execute operations.  Over  sev‐
939       eral  ovn-nbctl  command  invocations,  this  performs  better  overall
940       because it retrieves a copy of the database only once at the beginning,
941       not once per program run.
942
943       Use the --detach option to start an ovn-nbctl daemon. With this option,
944       ovn-nbctl prints the name of a control socket  to  stdout.  The  client
945       should  save this name in environment variable OVN_NB_DAEMON. Under the
946       Bourne shell this might be done like this:
947
948             export OVN_NB_DAEMON=$(ovn-nbctl --pidfile --detach)
949
950
951       When OVN_NB_DAEMON is set, ovn-nbctl  automatically  and  transparently
952       uses the daemon to execute its commands.
953
954       When  the daemon is no longer needed, kill it and unset the environment
955       variable, e.g.:
956
957             kill $(cat /var/run/ovn-nbctl.pid)
958             unset OVN_NB_DAEMON
959
960
961       When using daemon mode, an alternative to the OVN_NB_DAEMON environment
962       variable  is  to  specify a path for the Unix socket. When starting the
963       ovn-nbctl daemon, specify the -u option with a full path to  the  loca‐
964       tion of the socket file. Here is an exmple:
965
966             ovn-nbctl --detach -u /tmp/mysock.ctl
967
968
969       Then  to connect to the running daemon, use the -u option with the full
970       path to the socket created when the daemon was started:
971
972             ovn-nbctl -u /tmp/mysock.ctl show
973
974
975       Daemon mode is experimental.
976
977   Daemon Commands
978       Daemon mode is internally implemented using the same mechanism used  by
979       ovs-appctl.  One  may  also  use ovs-appctl directly with the following
980       commands:
981
982              run [options] command [arg...] [--  [options]  command  [arg...]
983              ...]
984                     Instructs the daemon process to run one or more ovn-nbctl
985                     commands described above and reply with  the  results  of
986                     running  these  commands.  Accepts the --no-wait, --wait,
987                     --timeout,  --dry-run,   --oneline,   and   the   options
988                     described  under  Table Formatting Options in addition to
989                     the the command-specific options.
990
991              exit   Causes ovn-nbctl to gracefully terminate.
992

OPTIONS

994       --no-wait | --wait=none
995       --wait=sb
996       --wait=hv
997            These options control whether and how ovn-nbctl waits for the  OVN
998            system  to  become  up-to-date  with  changes made in an ovn-nbctl
999            invocation.
1000
1001            By default, or if --no-wait or --wait=none, ovn-nbctl exits  imme‐
1002            diately  after  confirming that changes have been committed to the
1003            northbound database, without waiting.
1004
1005            With --wait=sb, before ovn-nbctl exits, it waits for ovn-northd to
1006            bring the southbound database up-to-date with the northbound data‐
1007            base updates.
1008
1009            With --wait=hv, before ovn-nbctl exits, it additionally waits  for
1010            all  OVN  chassis  (hypervisors and gateways) to become up-to-date
1011            with the northbound database updates. (This can become an  indefi‐
1012            nite wait if any chassis is malfunctioning.)
1013
1014            Ordinarily,  --wait=sb  or --wait=hv only waits for changes by the
1015            current ovn-nbctl invocation to take effect. This means  that,  if
1016            none  of  the  commands supplied to ovn-nbctl change the database,
1017            then the command does not wait at all. Use  the  sync  command  to
1018            override this behavior.
1019
1020       --db database
1021            The OVSDB database remote to contact. If the OVN_NB_DB environment
1022            variable is set, its value is used as the default. Otherwise,  the
1023            default is unix:/ovnnb_db.sock, but this default is unlikely to be
1024            useful outside of single-machine OVN test environments.
1025
1026       --leader-only
1027       --no-leader-only
1028            By default, or with --leader-only, when the database server  is  a
1029            clustered  database,  ovn-nbctl  will avoid servers other than the
1030            cluster leader. This ensures that any data  that  ovn-nbctl  reads
1031            and  reports  is up-to-date. With --no-leader-only, ovn-nbctl will
1032            use any server in the cluster,  which  means  that  for  read-only
1033            transactions  it  can  report  and act on stale data (transactions
1034            that  modify  the  database  are  always  serialized   even   with
1035            --no-leader-only).  Refer  to Understanding Cluster Consistency in
1036            ovsdb(7) for more information.
1037
1038       --shuffle-remotes
1039       --no-shuffle-remotes
1040            By default, or with --shuffle-remotes,  when  there  are  multiple
1041            remotes specified in the OVSDB connection string specified by --db
1042            or the OVN_NB_DB environment variable, the order  of  the  remotes
1043            will  be  shuffled before the client tries to connect. The remotes
1044            will be shuffled only once to a new order before the first connec‐
1045            tion  attempt. The following retries, if any, will follow the same
1046            new order. The default behavior is to make sure clients of a clus‐
1047            tered database can distribute evenly to all memembers of the clus‐
1048            ter. With --no-shuffle-remotes, ovn-nbctl will  use  the  original
1049            order  specified  in the connection string to connect. This allows
1050            user to specify the preferred order, which is particularly  useful
1051            for testing.
1052
1053   Daemon Options
1054       --pidfile[=pidfile]
1055              Causes a file (by default, program.pid) to be created indicating
1056              the PID of the running process. If the pidfile argument  is  not
1057              specified, or if it does not begin with /, then it is created in
1058              .
1059
1060              If --pidfile is not specified, no pidfile is created.
1061
1062       --overwrite-pidfile
1063              By default, when --pidfile is specified and the  specified  pid‐
1064              file already exists and is locked by a running process, the dae‐
1065              mon refuses to start. Specify --overwrite-pidfile to cause it to
1066              instead overwrite the pidfile.
1067
1068              When --pidfile is not specified, this option has no effect.
1069
1070       --detach
1071              Runs  this  program  as a background process. The process forks,
1072              and in the child it starts a new session,  closes  the  standard
1073              file descriptors (which has the side effect of disabling logging
1074              to the console), and changes its current directory to  the  root
1075              (unless  --no-chdir is specified). After the child completes its
1076              initialization, the parent exits.
1077
1078       --monitor
1079              Creates an additional process to monitor  this  program.  If  it
1080              dies  due  to a signal that indicates a programming error (SIGA‐
1081              BRT, SIGALRM, SIGBUS, SIGFPE, SIGILL, SIGPIPE, SIGSEGV, SIGXCPU,
1082              or SIGXFSZ) then the monitor process starts a new copy of it. If
1083              the daemon dies or exits for another reason, the monitor process
1084              exits.
1085
1086              This  option  is  normally used with --detach, but it also func‐
1087              tions without it.
1088
1089       --no-chdir
1090              By default, when --detach is specified, the daemon  changes  its
1091              current  working  directory  to  the  root  directory  after  it
1092              detaches. Otherwise, invoking the daemon from a carelessly  cho‐
1093              sen  directory  would  prevent the administrator from unmounting
1094              the file system that holds that directory.
1095
1096              Specifying --no-chdir suppresses this behavior,  preventing  the
1097              daemon  from changing its current working directory. This may be
1098              useful for collecting core files, since it is common behavior to
1099              write core dumps into the current working directory and the root
1100              directory is not a good directory to use.
1101
1102              This option has no effect when --detach is not specified.
1103
1104       --no-self-confinement
1105              By default this daemon will try to self-confine itself  to  work
1106              with  files  under  well-known  directories whitelisted at build
1107              time. It is better to stick with this default behavior  and  not
1108              to  use  this  flag  unless some other Access Control is used to
1109              confine daemon. Note that in contrast to  other  access  control
1110              implementations  that  are  typically enforced from kernel-space
1111              (e.g. DAC or MAC), self-confinement is imposed  from  the  user-
1112              space daemon itself and hence should not be considered as a full
1113              confinement strategy, but instead should be viewed as  an  addi‐
1114              tional layer of security.
1115
1116       --user=user:group
1117              Causes  this  program  to  run  as a different user specified in
1118              user:group, thus dropping most of  the  root  privileges.  Short
1119              forms  user  and  :group  are also allowed, with current user or
1120              group assumed, respectively. Only daemons started  by  the  root
1121              user accepts this argument.
1122
1123              On   Linux,   daemons   will   be   granted   CAP_IPC_LOCK   and
1124              CAP_NET_BIND_SERVICES before dropping root  privileges.  Daemons
1125              that  interact  with  a  datapath, such as ovs-vswitchd, will be
1126              granted three  additional  capabilities,  namely  CAP_NET_ADMIN,
1127              CAP_NET_BROADCAST  and  CAP_NET_RAW.  The capability change will
1128              apply even if the new user is root.
1129
1130              On Windows, this option is not currently supported. For security
1131              reasons,  specifying  this  option will cause the daemon process
1132              not to start.
1133

LOGGING OPTIONS

1135       -v[spec]
1136       --verbose=[spec]
1137            Sets logging levels. Without any spec,  sets  the  log  level  for
1138            every  module and destination to dbg. Otherwise, spec is a list of
1139            words separated by spaces or commas or colons, up to one from each
1140            category below:
1141
1142            ·      A  valid module name, as displayed by the vlog/list command
1143                   on ovs-appctl(8), limits the log level change to the speci‐
1144                   fied module.
1145
1146            ·      syslog,  console, or file, to limit the log level change to
1147                   only to the system log, to  the  console,  or  to  a  file,
1148                   respectively.  (If --detach is specified, the daemon closes
1149                   its standard file descriptors, so logging  to  the  console
1150                   will have no effect.)
1151
1152                   On  Windows  platform,  syslog is accepted as a word and is
1153                   only useful along with the --syslog-target option (the word
1154                   has no effect otherwise).
1155
1156            ·      off,  emer,  err,  warn,  info,  or dbg, to control the log
1157                   level. Messages of the given severity  or  higher  will  be
1158                   logged,  and  messages  of  lower severity will be filtered
1159                   out. off filters out all messages. See ovs-appctl(8) for  a
1160                   definition of each log level.
1161
1162            Case is not significant within spec.
1163
1164            Regardless  of the log levels set for file, logging to a file will
1165            not take place unless --log-file is also specified (see below).
1166
1167            For compatibility with older versions of OVS, any is accepted as a
1168            word but has no effect.
1169
1170       -v
1171       --verbose
1172            Sets  the  maximum  logging  verbosity level, equivalent to --ver‐
1173            bose=dbg.
1174
1175       -vPATTERN:destination:pattern
1176       --verbose=PATTERN:destination:pattern
1177            Sets  the  log  pattern  for  destination  to  pattern.  Refer  to
1178            ovs-appctl(8) for a description of the valid syntax for pattern.
1179
1180       -vFACILITY:facility
1181       --verbose=FACILITY:facility
1182            Sets  the RFC5424 facility of the log message. facility can be one
1183            of kern, user, mail, daemon, auth, syslog, lpr, news, uucp, clock,
1184            ftp,  ntp,  audit,  alert, clock2, local0, local1, local2, local3,
1185            local4, local5, local6 or local7. If this option is not specified,
1186            daemon  is  used  as  the  default for the local system syslog and
1187            local0 is used while sending a message to the target provided  via
1188            the --syslog-target option.
1189
1190       --log-file[=file]
1191            Enables  logging  to a file. If file is specified, then it is used
1192            as the exact name for the log file. The default log file name used
1193            if file is omitted is /var/log/ovn/program.log.
1194
1195       --syslog-target=host:port
1196            Send  syslog messages to UDP port on host, in addition to the sys‐
1197            tem syslog. The host must be a numerical IP address, not  a  host‐
1198            name.
1199
1200       --syslog-method=method
1201            Specify  method  as  how  syslog messages should be sent to syslog
1202            daemon. The following forms are supported:
1203
1204            ·      libc, to use the libc syslog() function. Downside of  using
1205                   this  options  is that libc adds fixed prefix to every mes‐
1206                   sage before it is actually sent to the syslog  daemon  over
1207                   /dev/log UNIX domain socket.
1208
1209            ·      unix:file, to use a UNIX domain socket directly. It is pos‐
1210                   sible to specify arbitrary message format with this option.
1211                   However,  rsyslogd  8.9  and  older versions use hard coded
1212                   parser function anyway that limits UNIX domain socket  use.
1213                   If  you  want  to  use  arbitrary message format with older
1214                   rsyslogd versions, then use  UDP  socket  to  localhost  IP
1215                   address instead.
1216
1217            ·      udp:ip:port,  to  use  a UDP socket. With this method it is
1218                   possible to use arbitrary message format  also  with  older
1219                   rsyslogd.  When  sending  syslog  messages  over UDP socket
1220                   extra precaution needs to be taken into account, for  exam‐
1221                   ple,  syslog daemon needs to be configured to listen on the
1222                   specified UDP port,  accidental  iptables  rules  could  be
1223                   interfering  with  local  syslog traffic and there are some
1224                   security considerations that apply to UDP sockets,  but  do
1225                   not apply to UNIX domain sockets.
1226
1227            ·      null, to discard all messages logged to syslog.
1228
1229            The  default is taken from the OVS_SYSLOG_METHOD environment vari‐
1230            able; if it is unset, the default is libc.
1231

TABLE FORMATTING OPTIONS

1233       These options control the format of output from the list and find  com‐
1234       mands.
1235
1236              -f format
1237              --format=format
1238                   Sets  the  type of table formatting. The following types of
1239                   format are available:
1240
1241                   table  2-D text tables with aligned columns.
1242
1243                   list (default)
1244                          A list with one column per line and  rows  separated
1245                          by a blank line.
1246
1247                   html   HTML tables.
1248
1249                   csv    Comma-separated values as defined in RFC 4180.
1250
1251                   json   JSON  format as defined in RFC 4627. The output is a
1252                          sequence of JSON objects, each of which  corresponds
1253                          to  one  table.  Each  JSON object has the following
1254                          members with the noted values:
1255
1256                          caption
1257                                 The table’s caption. This member  is  omitted
1258                                 if the table has no caption.
1259
1260                          headings
1261                                 An  array  with one element per table column.
1262                                 Each array element is  a  string  giving  the
1263                                 corresponding column’s heading.
1264
1265                          data   An array with one element per table row. Each
1266                                 element is also an array with one element per
1267                                 table  column.  The  elements of this second-
1268                                 level array are the cells that constitute the
1269                                 table.  Cells  that  represent  OVSDB data or
1270                                 data  types  are  expressed  in  the   format
1271                                 described  in  the OVSDB specification; other
1272                                 cells are simply expressed as text strings.
1273
1274              -d format
1275              --data=format
1276                   Sets the formatting for cells within output  tables  unless
1277                   the table format is set to json, in which case json format‐
1278                   ting is always used when formatting  cells.  The  following
1279                   types of format are available:
1280
1281                   string (default)
1282                          The  simple  format described in the Database Values
1283                          section of ovs-vsctl(8).
1284
1285                   bare   The simple format with punctuation stripped off:  []
1286                          and {} are omitted around sets, maps, and empty col‐
1287                          umns, items within sets  and  maps  are  space-sepa‐
1288                          rated, and strings are never quoted. This format may
1289                          be easier for scripts to parse.
1290
1291                   json   The RFC 4627 JSON format as described above.
1292
1293              --no-headings
1294                   This option  suppresses  the  heading  row  that  otherwise
1295                   appears in the first row of table output.
1296
1297              --pretty
1298                   By  default, JSON in output is printed as compactly as pos‐
1299                   sible. This option causes JSON in output to be printed in a
1300                   more  readable  fashion. Members of objects and elements of
1301                   arrays are printed one per line, with indentation.
1302
1303                   This option does not affect JSON in tables, which is always
1304                   printed compactly.
1305
1306              --bare
1307                   Equivalent to --format=list --data=bare --no-headings.
1308
1309   PKI Options
1310       PKI  configuration  is  required  to  use SSL for the connection to the
1311       database.
1312
1313              -p privkey.pem
1314              --private-key=privkey.pem
1315                   Specifies a PEM file containing the  private  key  used  as
1316                   identity for outgoing SSL connections.
1317
1318              -c cert.pem
1319              --certificate=cert.pem
1320                   Specifies  a  PEM file containing a certificate that certi‐
1321                   fies the private key specified on -p or --private-key to be
1322                   trustworthy. The certificate must be signed by the certifi‐
1323                   cate authority (CA) that the peer in SSL  connections  will
1324                   use to verify it.
1325
1326              -C cacert.pem
1327              --ca-cert=cacert.pem
1328                   Specifies a PEM file containing the CA certificate for ver‐
1329                   ifying certificates presented to this program by SSL peers.
1330                   (This  may  be  the  same certificate that SSL peers use to
1331                   verify the certificate specified on -c or --certificate, or
1332                   it  may  be a different one, depending on the PKI design in
1333                   use.)
1334
1335              -C none
1336              --ca-cert=none
1337                   Disables verification  of  certificates  presented  by  SSL
1338                   peers.  This  introduces  a security risk, because it means
1339                   that certificates cannot be verified to be those  of  known
1340                   trusted hosts.
1341
1342              --bootstrap-ca-cert=cacert.pem
1343                     When  cacert.pem  exists, this option has the same effect
1344                     as -C or --ca-cert. If it does not exist, then  the  exe‐
1345                     cutable  will  attempt  to obtain the CA certificate from
1346                     the SSL peer on its first SSL connection and save  it  to
1347                     the  named PEM file. If it is successful, it will immedi‐
1348                     ately drop the connection and reconnect, and from then on
1349                     all  SSL  connections must be authenticated by a certifi‐
1350                     cate signed by the CA certificate thus obtained.
1351
1352                     This option exposes the SSL connection to  a  man-in-the-
1353                     middle  attack  obtaining the initial CA certificate, but
1354                     it may be useful for bootstrapping.
1355
1356                     This option is only useful if the SSL peer sends  its  CA
1357                     certificate as part of the SSL certificate chain. The SSL
1358                     protocol does not require the server to send the CA  cer‐
1359                     tificate.
1360
1361                     This option is mutually exclusive with -C and --ca-cert.
1362
1363   Other Options
1364       -h
1365       --help
1366            Prints a brief help message to the console.
1367
1368       -V
1369       --version
1370            Prints version information to the console.
1371
1372
1373
1374Open vSwitch 2.12.0                ovn-nbctl                      ovn-nbctl(8)
Impressum