1ovn-trace(8)                      OVN Manual                      ovn-trace(8)
2
3
4

NAME

6       ovn-trace - Open Virtual Network logical network tracing utility
7

SYNOPSIS

9       ovn-trace [options] [datapath] microflow
10
11       ovn-trace [options] --detach
12

DESCRIPTION

14       This utility simulates packet forwarding within an OVN logical network.
15       It can be used to run through ``what-if’’ scenarios: if a packet origi‐
16       nates at a logical port, what will happen to it and where will it ulti‐
17       mately end up?  Users  already  familiar  with  the  Open  vSwitch  of‐
18       proto/trace  command described in ovs-vswitch(8) will find ovn-trace to
19       be a similar tool for logical networks.
20
21       ovn-trace works by reading the Logical_Flow and other tables  from  the
22       OVN  southbound  database (see ovn-sb(5)). It simulates a packet’s path
23       through logical networks by repeatedly looking it  up  in  the  logical
24       flow table, following the entire tree of possibilities.
25
26       ovn-trace  simulates only the OVN logical network. It does not simulate
27       the physical elements on which the logical  network  is  layered.  This
28       means  that,  for  example,  it  is unimportant how VMs are distributed
29       among hypervisors, or whether their  hypervisors  are  functioning  and
30       reachable,  so  ovn-trace will yield the same results regardless. There
31       is one important exception: ovn-northd, the daemon that  generates  the
32       logical  flows  that  ovn-trace simulates, treats logical ports differ‐
33       ently based on whether they are up or down. Thus, if you see surprising
34       results, ensure that the ports involved in a simulation are up.
35
36       The  simplest way to use ovn-trace is to provide the microflow (and op‐
37       tional datapath) arguments on the command line. In this case, it  simu‐
38       lates the behavior of a single packet and exits. For an alternate usage
39       model, see Daemon Mode below.
40
41       The optional datapath argument specifies the name of  a  logical  data‐
42       path.  Acceptable names are the name from the northbound Logical_Switch
43       or Logical_Router table, the UUID of a record from one of those tables,
44       or  the  UUID  of  a record from the southbound Datapath_Binding table.
45       (The datapath is optional because ovn-trace can figure it out from  the
46       inport that the microflow matches.)
47
48       The  microflow  argument describes the packet whose forwarding is to be
49       simulated, in the syntax of an OVN logical expression, as described  in
50       ovn-sb(5),  to  express  constraints.  The parser understands prerequi‐
51       sites; for example, if the expression refers to ip4.src,  there  is  no
52       need to explicitly state ip4 or eth.type == 0x800.
53
54       For  reasonable  L2 behavior, the microflow should include at least in‐
55       port and eth.dst, plus eth.src if port security is enabled.  For  exam‐
56       ple:
57
58           inport == "lp11" && eth.src == 00:01:02:03:04:05 && eth.dst == ff:ff:ff:ff:ff:ff
59
60
61       For  reasonable  L3 behavior, microflow should also include ip4.src and
62       ip4.dst (or ip6.src and ip6.dst) and ip.ttl. For example:
63
64           inport == "lp111" && eth.src == f0:00:00:00:01:11 && eth.dst == 00:00:00:00:ff:11
65           && ip4.src == 192.168.11.1 && ip4.dst == 192.168.22.2 && ip.ttl == 64
66
67
68       Here’s an ARP microflow example:
69
70           inport == "lp123"
71           && eth.dst == ff:ff:ff:ff:ff:ff && eth.src == f0:00:00:00:01:11
72           && arp.op == 1 && arp.sha == f0:00:00:00:01:11 && arp.spa == 192.168.1.11
73           && arp.tha == ff:ff:ff:ff:ff:ff && arp.tpa == 192.168.2.22
74
75
76       ovn-trace will reject erroneous  microflow  expressions,  which  beyond
77       syntax  errors  fall into two categories. First, they can be ambiguous.
78       For example, tcp.src == 80 is ambiguous because it does not state  IPv4
79       or  IPv6  as the Ethernet type. ip4 && tcp.src > 1024 is also ambiguous
80       because it does not constrain bits of  tcp.src  to  particular  values.
81       Second, they can be contradictory, e.g. ip4 && ip6.
82

OUTPUT

84       ovn-trace  supports the three different forms of output, each described
85       in a separate section below. Regardless of the selected output  format,
86       ovn-trace  starts the output with a line that shows the microflow being
87       traced in OpenFlow syntax.
88
89   Detailed Output
90       The detailed form of output is also the default form. This form  groups
91       output  into sections headed up by the ingress or egress pipeline being
92       traversed. Each pipeline lists each table that was visited  (by  number
93       and  name), the ovn-northd source file and line number of the code that
94       added the flow, the match expression and priority of the  logical  flow
95       that was matched, and the actions that were executed.
96
97       The  execution  of  OVN  logical  actions  naturally  forms a ``control
98       stack’’ that resembles that of a program  in  conventional  programming
99       languages  such  as  C or Java. Because the next action that calls into
100       another logical flow table for a lookup is a recursive  construct,  OVN
101       ``programs’’  in  practice  tend to form deep control stacks that, dis‐
102       played in the obvious way using additional indentation for each  level,
103       quickly  use up the horizontal space on all but the widest displays. To
104       make  detailed  output  more  readable,  without  loss  of  generality,
105       ovn-trace  omits indentation for ``tail recursion,’’ that is, when next
106       is the last action in a logical flow, it does not indent details of the
107       next table lookup more deeply. Output still uses indentation when it is
108       needed for clarity.
109
110       OVN ``programs’’ traces also tend to encounter long strings of  logical
111       flows with match expression 1 (which matches every packet) and the sin‐
112       gle action next;. These are uninteresting and merely clutter output, so
113       ovn-trace omits them entirely even from detailed output.
114
115       The  following  excerpt  from detailed ovn-trace output shows a section
116       for a packet traversing the ingress pipeline of  logical  datapath  ls1
117       with  ingress  logical port lp111. The packet matches a logical flow in
118       table 0 (aka ls_in_port_sec_l2) with priority 50 and executes  next(1);
119       to pass to table 1. Tables 1 through 11 are trivial and omitted. In ta‐
120       ble 19 (aka ls_in_l2_lkup), the packet matches a flow with priority  50
121       based on its Ethernet destination address and the flow’s actions output
122       the packet to the lrp11-attachement logical port.
123
124           ingress(dp="ls1", inport="lp111")
125           ---------------------------------
126           0. ls_in_port_sec_l2: inport == "lp111", priority 50
127           next(1);
128           19. ls_in_l2_lkup: eth.dst == 00:00:00:00:ff:11, priority 50
129           outport = "lrp11-attachment";
130           output;
131
132
133   Summary Output
134       Summary output includes the logical pipelines visited by a  packet  and
135       the  logical  actions  executed on it. Compared to the detailed output,
136       however, it removes details of tables and logical flows traversed by  a
137       packet.  It  uses a format closer to that of a programming language and
138       does not attempt to avoid indentation. The summary output equivalent to
139       the above detailed output fragment is:
140
141           ingress(dp="ls1", inport="lp111") {
142           outport = "lrp11-attachment";
143           output;
144           ...
145           };
146
147
148   Minimal Output
149       Minimal  output  includes only actions that modify packet data (not in‐
150       cluding OVN registers or metadata such as outport) and  output  actions
151       that  actually  deliver  a  packet  to  a logical port (excluding patch
152       ports). The operands of actions that modify packet data  are  displayed
153       reduced  to  constants, e.g. ip4.dst = reg0; might be show as ip4.dst =
154       192.168.0.1; if that was the value actually loaded. This yields  output
155       even simpler than the summary format. (Users familiar with Open vSwitch
156       may recognize this as similar in spirit to the datapath actions  listed
157       at the bottom of ofproto/trace output.)
158
159       The  minimal output format reflects the externally seen behavior of the
160       logical networks more than it does the implementation. This makes  this
161       output format the most suitable for use in regression tests, because it
162       is least likely to change when logical flow tables are rearranged with‐
163       out semantic change.
164

STATEFUL ACTIONS

166       Some  OVN  logical actions use or update state that is not available in
167       the southbound database. ovn-trace handles these actions  as  described
168       below:
169
170              ct_next
171                     By  default  ovn-trace  treats  flows  as ``tracked’’ and
172                     ``established.’’ See the description of the  --ct  option
173                     for a way to override this behavior.
174
175              ct_dnat (without an argument)
176                     Forks the pipeline. In one fork, advances to the next ta‐
177                     ble as if next; were executed. The packet is not changed,
178                     on the assumption that no NAT state was available. In the
179                     other fork, the pipeline continues without  change  after
180                     the ct_dnat action.
181
182              ct_snat (without an argument)
183                     This  action  distinguishes  between  gateway routers and
184                     distributed routers. A gateway router  is  defined  as  a
185                     logical  datapath  that  contains  an l3gateway port; any
186                     other logical datapath is  a  distributed  router.  On  a
187                     gateway router, ct_snat; is treated as a no-op. On a dis‐
188                     tributed router, it is treated the same way as ct_dnat;.
189
190              ct_dnat(ip)
191              ct_snat(ip)
192                   Forks the pipeline. In one fork, sets ip4.dst (or  ip4.src)
193                   to  ip  and  ct.dnat  (or ct.snat) to 1 and advances to the
194                   next table as if next; were executed. In  the  other  fork,
195                   the pipeline continues without change after the ct_dnat (or
196                   ct_snat) action.
197
198              ct_lb;
199              ct_lb(ip[:port]...);
200                   Forks the pipeline. In one fork, sets ip4.dst (or  ip6.dst)
201                   to  one  of the load-balancer addresses and the destination
202                   port to its associated port, if any, and sets ct.dnat to 1.
203                   With one or more arguments, gives preference to the address
204                   specified on --lb-dst, if any; without arguments, uses  the
205                   address  and port specified on --lb-dst. In the other fork,
206                   the pipeline continues without change after the  ct_lb  ac‐
207                   tion.
208
209              ct_commit
210              put_arp
211              put_nd
212                   These actions are treated as no-ops.
213

DAEMON MODE

215       If  ovn-trace  is invoked with the --detach option (see Daemon Options,
216       below), it runs in the background as a daemon and accepts commands from
217       ovs-appctl  (or  another  JSON-RPC  client) indefinitely. The currently
218       supported commands are described below.
219
220              trace [options] [datapath] microflow
221                     Traces microflow through datapath and  replies  with  the
222                     results of the trace. Accepts the options described under
223                     Trace Options below.
224
225              exit   Causes ovn-trace to gracefully terminate.
226

OPTIONS

228   Trace Options
229       --detailed
230       --summary
231       --minimal
232            These options control the form and level of  detail  in  ovn-trace
233            output. If more than one of these options is specified, all of the
234            selected forms are output, in the order listed above, each  headed
235            by a banner line. If none of these options is given, --detailed is
236            the default. See Output, above, for a description of each kind  of
237            output.
238
239       --all
240            Selects all three forms of output.
241
242       --ovs[=remote]
243            Makes  ovn-trace  attempt to obtain and display the OpenFlow flows
244            that correspond to each OVN logical flow. To do so, ovn-trace con‐
245            nects  to remote (by default, unix:/br-int.mgmt) over OpenFlow and
246            retrieves the flows. If remote is specified, it must be an  active
247            OpenFlow connection method described in ovsdb(7).
248
249            To  make the best use of the output, it is important to understand
250            the relationship between logical flows and OpenFlow flows. ovn-ar‐
251            chitecture(7),  under  Architectural  Physical  Life  Cycle  of  a
252            Packet, describes this relationship. Keep in  mind  the  following
253            points:
254
255ovn-trace currently shows all the OpenFlow flows to which a
256                   logical flow corresponds, even though an actual packet  or‐
257                   dinarily matches only one of these.
258
259            •      Some  logical  flows can map to the Open vSwitch ``conjunc‐
260                   tive  match’’  extension  (see  ovs-fields(7)).   Currently
261                   ovn-trace cannot display the flows with conjunction actions
262                   that effectively produce the conj_id match.
263
264            •      Some logical flows may not be represented in  the  OpenFlow
265                   tables  on a given hypervisor, if they could not be used on
266                   that hypervisor.
267
268            •      Some OpenFlow flows do not  correspond  to  logical  flows,
269                   such  as OpenFlow flows that map between physical and logi‐
270                   cal ports. These flows will never show up in a trace.
271
272            •      When ovn-trace omits uninteresting logical flows from  out‐
273                   put, it does not look up the corresponding OpenFlow flows.
274
275       --ct=flags
276            This  option sets the ct_state flags that a ct_next logical action
277            will report. The flags must be a comma- or space-separated list of
278            the following connection tracking flags:
279
280trk:  Include  to  indicate  connection  tracking has taken
281                   place. (This bit is set automatically even if not listed in
282                   flags.
283
284new: Include to indicate a new flow.
285
286est: Include to indicate an established flow.
287
288rel: Include to indicate a related flow.
289
290rpl: Include to indicate a reply flow.
291
292inv: Include to indicate a connection entry in a bad state.
293
294dnat: Include to indicate a packet whose destination IP ad‐
295                   dress has been changed.
296
297snat: Include to indicate a packet whose source IP  address
298                   has been changed.
299
300            The  ct_next action is used to implement the OVN distributed fire‐
301            wall. For testing, useful flag combinations include:
302
303trk,new: A packet in a flow in either direction  through  a
304                   firewall that has not yet been committed (with ct_commit).
305
306trk,est:  A packet in an established flow going out through
307                   a firewall.
308
309trk,rpl: A packet coming in through a firewall in reply  to
310                   an established flow.
311
312trk,inv: An invalid packet in either direction.
313
314            A  packet  might  pass through the connection tracker twice in one
315            trip through OVN: once following egress from a  VM  as  it  passes
316            outward through a firewall, and once preceding ingress to a second
317            VM as it passes inward through a firewall. Use multiple  --ct  op‐
318            tions to specify the flags for multiple ct_next actions.
319
320            When  --ct  is  unspecified,  or when there are fewer --ct options
321            than ct_next actions, the flags default to trk,est.
322
323       --lb-dst=ip[:port]
324            Sets the IP from VIP pool to use as  destination  of  the  packet.
325            --lb-dst is not available in daemon mode.
326
327       --select-id=id
328            Specify the id to be selected by the select action. id must be one
329            of the values listed in the select action. Otherwise, a random  id
330            is  selected  from the list, as if --select-id were not specified.
331            --select-id is not available in daemon mode.
332
333       --friendly-names
334       --no-friendly-names
335            When cloud management systems such as OpenStack are layered on top
336            of  OVN, they often use long, human-unfriendly names for ports and
337            datapaths, for example, ones that include entire  UUIDs.  They  do
338            usually include friendlier names, but the long, hard-to-read names
339            are the ones that appear in matches and actions.  By  default,  or
340            with  --friendly-names,  ovn-trace  substitutes  these  friendlier
341            names for the long names in its output. Use --no-friendly-names to
342            disable  this  behavior; this option might be useful, for example,
343            if a program is going to parse ovn-trace output.
344
345   Daemon Options
346       --pidfile[=pidfile]
347              Causes a file (by default, program.pid) to be created indicating
348              the  PID  of the running process. If the pidfile argument is not
349              specified, or if it does not begin with /, then it is created in
350              .
351
352              If --pidfile is not specified, no pidfile is created.
353
354       --overwrite-pidfile
355              By  default,  when --pidfile is specified and the specified pid‐
356              file already exists and is locked by a running process, the dae‐
357              mon refuses to start. Specify --overwrite-pidfile to cause it to
358              instead overwrite the pidfile.
359
360              When --pidfile is not specified, this option has no effect.
361
362       --detach
363              Runs this program as a background process.  The  process  forks,
364              and  in  the  child it starts a new session, closes the standard
365              file descriptors (which has the side effect of disabling logging
366              to  the  console), and changes its current directory to the root
367              (unless --no-chdir is specified). After the child completes  its
368              initialization, the parent exits.
369
370       --monitor
371              Creates  an  additional  process  to monitor this program. If it
372              dies due to a signal that indicates a programming  error  (SIGA‐
373              BRT, SIGALRM, SIGBUS, SIGFPE, SIGILL, SIGPIPE, SIGSEGV, SIGXCPU,
374              or SIGXFSZ) then the monitor process starts a new copy of it. If
375              the daemon dies or exits for another reason, the monitor process
376              exits.
377
378              This option is normally used with --detach, but  it  also  func‐
379              tions without it.
380
381       --no-chdir
382              By  default,  when --detach is specified, the daemon changes its
383              current working directory to the root  directory  after  it  de‐
384              taches.  Otherwise, invoking the daemon from a carelessly chosen
385              directory would prevent the administrator  from  unmounting  the
386              file system that holds that directory.
387
388              Specifying  --no-chdir  suppresses this behavior, preventing the
389              daemon from changing its current working directory. This may  be
390              useful for collecting core files, since it is common behavior to
391              write core dumps into the current working directory and the root
392              directory is not a good directory to use.
393
394              This option has no effect when --detach is not specified.
395
396       --no-self-confinement
397              By  default  this daemon will try to self-confine itself to work
398              with files under  well-known  directories  determined  at  build
399              time.  It  is better to stick with this default behavior and not
400              to use this flag unless some other Access  Control  is  used  to
401              confine  daemon.  Note  that in contrast to other access control
402              implementations that are typically  enforced  from  kernel-space
403              (e.g.  DAC  or  MAC), self-confinement is imposed from the user-
404              space daemon itself and hence should not be considered as a full
405              confinement  strategy,  but instead should be viewed as an addi‐
406              tional layer of security.
407
408       --user=user:group
409              Causes this program to run as  a  different  user  specified  in
410              user:group,  thus  dropping  most  of the root privileges. Short
411              forms user and :group are also allowed,  with  current  user  or
412              group  assumed,  respectively.  Only daemons started by the root
413              user accepts this argument.
414
415              On   Linux,   daemons   will   be   granted   CAP_IPC_LOCK   and
416              CAP_NET_BIND_SERVICES  before  dropping root privileges. Daemons
417              that interact with a datapath, such  as  ovs-vswitchd,  will  be
418              granted  three  additional  capabilities,  namely CAP_NET_ADMIN,
419              CAP_NET_BROADCAST and CAP_NET_RAW. The  capability  change  will
420              apply even if the new user is root.
421
422              On Windows, this option is not currently supported. For security
423              reasons, specifying this option will cause  the  daemon  process
424              not to start.
425
426   Logging Options
427       -v[spec]
428       --verbose=[spec]
429            Sets  logging levels. Without any spec, sets the log level for ev‐
430            ery module and destination to dbg. Otherwise, spec is  a  list  of
431            words separated by spaces or commas or colons, up to one from each
432            category below:
433
434            •      A valid module name, as displayed by the vlog/list  command
435                   on ovs-appctl(8), limits the log level change to the speci‐
436                   fied module.
437
438syslog, console, or file, to limit the log level change  to
439                   only  to  the system log, to the console, or to a file, re‐
440                   spectively. (If --detach is specified,  the  daemon  closes
441                   its  standard  file  descriptors, so logging to the console
442                   will have no effect.)
443
444                   On Windows platform, syslog is accepted as a  word  and  is
445                   only useful along with the --syslog-target option (the word
446                   has no effect otherwise).
447
448off, emer, err, warn, info, or  dbg,  to  control  the  log
449                   level.  Messages  of  the  given severity or higher will be
450                   logged, and messages of lower  severity  will  be  filtered
451                   out.  off filters out all messages. See ovs-appctl(8) for a
452                   definition of each log level.
453
454            Case is not significant within spec.
455
456            Regardless of the log levels set for file, logging to a file  will
457            not take place unless --log-file is also specified (see below).
458
459            For compatibility with older versions of OVS, any is accepted as a
460            word but has no effect.
461
462       -v
463       --verbose
464            Sets the maximum logging verbosity  level,  equivalent  to  --ver‐
465            bose=dbg.
466
467       -vPATTERN:destination:pattern
468       --verbose=PATTERN:destination:pattern
469            Sets  the log pattern for destination to pattern. Refer to ovs-ap‐
470            pctl(8) for a description of the valid syntax for pattern.
471
472       -vFACILITY:facility
473       --verbose=FACILITY:facility
474            Sets the RFC5424 facility of the log message. facility can be  one
475            of kern, user, mail, daemon, auth, syslog, lpr, news, uucp, clock,
476            ftp, ntp, audit, alert, clock2, local0,  local1,  local2,  local3,
477            local4, local5, local6 or local7. If this option is not specified,
478            daemon is used as the default for the local system syslog and  lo‐
479            cal0  is  used  while sending a message to the target provided via
480            the --syslog-target option.
481
482       --log-file[=file]
483            Enables logging to a file. If file is specified, then it  is  used
484            as the exact name for the log file. The default log file name used
485            if file is omitted is /var/log/ovn/program.log.
486
487       --syslog-target=host:port
488            Send syslog messages to UDP port on host, in addition to the  sys‐
489            tem  syslog.  The host must be a numerical IP address, not a host‐
490            name.
491
492       --syslog-method=method
493            Specify method as how syslog messages should  be  sent  to  syslog
494            daemon. The following forms are supported:
495
496libc,  to use the libc syslog() function. Downside of using
497                   this options is that libc adds fixed prefix to  every  mes‐
498                   sage  before  it is actually sent to the syslog daemon over
499                   /dev/log UNIX domain socket.
500
501unix:file, to use a UNIX domain socket directly. It is pos‐
502                   sible to specify arbitrary message format with this option.
503                   However, rsyslogd 8.9 and older  versions  use  hard  coded
504                   parser  function anyway that limits UNIX domain socket use.
505                   If you want to use  arbitrary  message  format  with  older
506                   rsyslogd  versions, then use UDP socket to localhost IP ad‐
507                   dress instead.
508
509udp:ip:port, to use a UDP socket. With this  method  it  is
510                   possible  to  use  arbitrary message format also with older
511                   rsyslogd. When sending syslog messages over UDP socket  ex‐
512                   tra precaution needs to be taken into account, for example,
513                   syslog daemon needs to be configured to listen on the spec‐
514                   ified  UDP  port, accidental iptables rules could be inter‐
515                   fering with local syslog traffic and there are  some  secu‐
516                   rity  considerations  that apply to UDP sockets, but do not
517                   apply to UNIX domain sockets.
518
519null, to discard all messages logged to syslog.
520
521            The default is taken from the OVS_SYSLOG_METHOD environment  vari‐
522            able; if it is unset, the default is libc.
523
524   PKI Options
525       PKI  configuration  is  required  to  use SSL for the connection to the
526       database (and the switch, if --ovs is specified).
527
528              -p privkey.pem
529              --private-key=privkey.pem
530                   Specifies a PEM file containing the  private  key  used  as
531                   identity for outgoing SSL connections.
532
533              -c cert.pem
534              --certificate=cert.pem
535                   Specifies  a  PEM file containing a certificate that certi‐
536                   fies the private key specified on -p or --private-key to be
537                   trustworthy. The certificate must be signed by the certifi‐
538                   cate authority (CA) that the peer in SSL  connections  will
539                   use to verify it.
540
541              -C cacert.pem
542              --ca-cert=cacert.pem
543                   Specifies a PEM file containing the CA certificate for ver‐
544                   ifying certificates presented to this program by SSL peers.
545                   (This  may  be  the  same certificate that SSL peers use to
546                   verify the certificate specified on -c or --certificate, or
547                   it  may  be a different one, depending on the PKI design in
548                   use.)
549
550              -C none
551              --ca-cert=none
552                   Disables verification  of  certificates  presented  by  SSL
553                   peers.  This  introduces  a security risk, because it means
554                   that certificates cannot be verified to be those  of  known
555                   trusted hosts.
556
557   Other Options
558       --db database
559              The  OVSDB database remote to contact. If the OVN_SB_DB environ‐
560              ment variable is set, its value is used as the  default.  Other‐
561              wise, the default is unix:/db.sock, but this default is unlikely
562              to be useful outside of single-machine OVN test environments.
563
564              -h
565              --help
566                   Prints a brief help message to the console.
567
568              -V
569              --version
570                   Prints version information to the console.
571
572
573
574OVN 23.09.2                        ovn-trace                      ovn-trace(8)
Impressum