1ovn-controller(8) Open vSwitch Manual ovn-controller(8)
2
3
4
6 ovn-controller - Open Virtual Network local controller
7
9 ovn-controller [options] [ovs-database]
10
12 ovn-controller is the local controller daemon for OVN, the Open Virtual
13 Network. It connects up to the OVN Southbound database (see ovn-sb(5))
14 over the OVSDB protocol, and down to the Open vSwitch database (see
15 ovs-vswitchd.conf.db(5)) over the OVSDB protocol and to ovs-vswitchd(8)
16 via OpenFlow. Each hypervisor and software gateway in an OVN deployment
17 runs its own independent copy of ovn-controller; thus, ovn-controller’s
18 downward connections are machine-local and do not run over a physical
19 network.
20
22 ACL log messages are logged through ovn-controller’s logging mechanism.
23 ACL log entries have the module acl_log at log level info. Configuring
24 logging is described below in the Logging Options section.
25
27 Daemon Options
28 --pidfile[=pidfile]
29 Causes a file (by default, program.pid) to be created indicating
30 the PID of the running process. If the pidfile argument is not
31 specified, or if it does not begin with /, then it is created in
32 /var/run/openvswitch.
33
34 If --pidfile is not specified, no pidfile is created.
35
36 --overwrite-pidfile
37 By default, when --pidfile is specified and the specified pid‐
38 file already exists and is locked by a running process, the dae‐
39 mon refuses to start. Specify --overwrite-pidfile to cause it to
40 instead overwrite the pidfile.
41
42 When --pidfile is not specified, this option has no effect.
43
44 --detach
45 Runs this program as a background process. The process forks,
46 and in the child it starts a new session, closes the standard
47 file descriptors (which has the side effect of disabling logging
48 to the console), and changes its current directory to the root
49 (unless --no-chdir is specified). After the child completes its
50 initialization, the parent exits.
51
52 --monitor
53 Creates an additional process to monitor this program. If it
54 dies due to a signal that indicates a programming error (SIGA‐
55 BRT, SIGALRM, SIGBUS, SIGFPE, SIGILL, SIGPIPE, SIGSEGV, SIGXCPU,
56 or SIGXFSZ) then the monitor process starts a new copy of it. If
57 the daemon dies or exits for another reason, the monitor process
58 exits.
59
60 This option is normally used with --detach, but it also func‐
61 tions without it.
62
63 --no-chdir
64 By default, when --detach is specified, the daemon changes its
65 current working directory to the root directory after it
66 detaches. Otherwise, invoking the daemon from a carelessly cho‐
67 sen directory would prevent the administrator from unmounting
68 the file system that holds that directory.
69
70 Specifying --no-chdir suppresses this behavior, preventing the
71 daemon from changing its current working directory. This may be
72 useful for collecting core files, since it is common behavior to
73 write core dumps into the current working directory and the root
74 directory is not a good directory to use.
75
76 This option has no effect when --detach is not specified.
77
78 --no-self-confinement
79 By default this daemon will try to self-confine itself to work
80 with files under well-known directories whitelisted at build
81 time. It is better to stick with this default behavior and not
82 to use this flag unless some other Access Control is used to
83 confine daemon. Note that in contrast to other access control
84 implementations that are typically enforced from kernel-space
85 (e.g. DAC or MAC), self-confinement is imposed from the user-
86 space daemon itself and hence should not be considered as a full
87 confinement strategy, but instead should be viewed as an addi‐
88 tional layer of security.
89
90 --user=user:group
91 Causes this program to run as a different user specified in
92 user:group, thus dropping most of the root privileges. Short
93 forms user and :group are also allowed, with current user or
94 group assumed, respectively. Only daemons started by the root
95 user accepts this argument.
96
97 On Linux, daemons will be granted CAP_IPC_LOCK and
98 CAP_NET_BIND_SERVICES before dropping root privileges. Daemons
99 that interact with a datapath, such as ovs-vswitchd, will be
100 granted three additional capabilities, namely CAP_NET_ADMIN,
101 CAP_NET_BROADCAST and CAP_NET_RAW. The capability change will
102 apply even if the new user is root.
103
104 On Windows, this option is not currently supported. For security
105 reasons, specifying this option will cause the daemon process
106 not to start.
107
108 Logging Options
109 -v[spec]
110 --verbose=[spec]
111 Sets logging levels. Without any spec, sets the log level for
112 every module and destination to dbg. Otherwise, spec is a list of
113 words separated by spaces or commas or colons, up to one from each
114 category below:
115
116 · A valid module name, as displayed by the vlog/list command
117 on ovs-appctl(8), limits the log level change to the speci‐
118 fied module.
119
120 · syslog, console, or file, to limit the log level change to
121 only to the system log, to the console, or to a file,
122 respectively. (If --detach is specified, the daemon closes
123 its standard file descriptors, so logging to the console
124 will have no effect.)
125
126 On Windows platform, syslog is accepted as a word and is
127 only useful along with the --syslog-target option (the word
128 has no effect otherwise).
129
130 · off, emer, err, warn, info, or dbg, to control the log
131 level. Messages of the given severity or higher will be
132 logged, and messages of lower severity will be filtered
133 out. off filters out all messages. See ovs-appctl(8) for a
134 definition of each log level.
135
136 Case is not significant within spec.
137
138 Regardless of the log levels set for file, logging to a file will
139 not take place unless --log-file is also specified (see below).
140
141 For compatibility with older versions of OVS, any is accepted as a
142 word but has no effect.
143
144 -v
145 --verbose
146 Sets the maximum logging verbosity level, equivalent to --ver‐
147 bose=dbg.
148
149 -vPATTERN:destination:pattern
150 --verbose=PATTERN:destination:pattern
151 Sets the log pattern for destination to pattern. Refer to
152 ovs-appctl(8) for a description of the valid syntax for pattern.
153
154 -vFACILITY:facility
155 --verbose=FACILITY:facility
156 Sets the RFC5424 facility of the log message. facility can be one
157 of kern, user, mail, daemon, auth, syslog, lpr, news, uucp, clock,
158 ftp, ntp, audit, alert, clock2, local0, local1, local2, local3,
159 local4, local5, local6 or local7. If this option is not specified,
160 daemon is used as the default for the local system syslog and
161 local0 is used while sending a message to the target provided via
162 the --syslog-target option.
163
164 --log-file[=file]
165 Enables logging to a file. If file is specified, then it is used
166 as the exact name for the log file. The default log file name used
167 if file is omitted is /var/log/openvswitch/program.log.
168
169 --syslog-target=host:port
170 Send syslog messages to UDP port on host, in addition to the sys‐
171 tem syslog. The host must be a numerical IP address, not a host‐
172 name.
173
174 --syslog-method=method
175 Specify method as how syslog messages should be sent to syslog
176 daemon. The following forms are supported:
177
178 · libc, to use the libc syslog() function. This is the
179 default behavior. Downside of using this options is that
180 libc adds fixed prefix to every message before it is actu‐
181 ally sent to the syslog daemon over /dev/log UNIX domain
182 socket.
183
184 · unix:file, to use a UNIX domain socket directly. It is pos‐
185 sible to specify arbitrary message format with this option.
186 However, rsyslogd 8.9 and older versions use hard coded
187 parser function anyway that limits UNIX domain socket use.
188 If you want to use arbitrary message format with older
189 rsyslogd versions, then use UDP socket to localhost IP
190 address instead.
191
192 · udp:ip:port, to use a UDP socket. With this method it is
193 possible to use arbitrary message format also with older
194 rsyslogd. When sending syslog messages over UDP socket
195 extra precaution needs to be taken into account, for exam‐
196 ple, syslog daemon needs to be configured to listen on the
197 specified UDP port, accidental iptables rules could be
198 interfering with local syslog traffic and there are some
199 security considerations that apply to UDP sockets, but do
200 not apply to UNIX domain sockets.
201
202 PKI Options
203 PKI configuration is required in order to use SSL for the connections
204 to the Northbound and Southbound databases.
205
206 -p privkey.pem
207 --private-key=privkey.pem
208 Specifies a PEM file containing the private key used as
209 identity for outgoing SSL connections.
210
211 -c cert.pem
212 --certificate=cert.pem
213 Specifies a PEM file containing a certificate that certi‐
214 fies the private key specified on -p or --private-key to be
215 trustworthy. The certificate must be signed by the certifi‐
216 cate authority (CA) that the peer in SSL connections will
217 use to verify it.
218
219 -C cacert.pem
220 --ca-cert=cacert.pem
221 Specifies a PEM file containing the CA certificate for ver‐
222 ifying certificates presented to this program by SSL peers.
223 (This may be the same certificate that SSL peers use to
224 verify the certificate specified on -c or --certificate, or
225 it may be a different one, depending on the PKI design in
226 use.)
227
228 -C none
229 --ca-cert=none
230 Disables verification of certificates presented by SSL
231 peers. This introduces a security risk, because it means
232 that certificates cannot be verified to be those of known
233 trusted hosts.
234
235 --bootstrap-ca-cert=cacert.pem
236 When cacert.pem exists, this option has the same effect
237 as -C or --ca-cert. If it does not exist, then the exe‐
238 cutable will attempt to obtain the CA certificate from
239 the SSL peer on its first SSL connection and save it to
240 the named PEM file. If it is successful, it will immedi‐
241 ately drop the connection and reconnect, and from then on
242 all SSL connections must be authenticated by a certifi‐
243 cate signed by the CA certificate thus obtained.
244
245 This option exposes the SSL connection to a man-in-the-
246 middle attack obtaining the initial CA certificate, but
247 it may be useful for bootstrapping.
248
249 This option is only useful if the SSL peer sends its CA
250 certificate as part of the SSL certificate chain. The SSL
251 protocol does not require the server to send the CA cer‐
252 tificate.
253
254 This option is mutually exclusive with -C and --ca-cert.
255
256 --peer-ca-cert=peer-cacert.pem
257 Specifies a PEM file that contains one or more additional
258 certificates to send to SSL peers. peer-cacert.pem should
259 be the CA certificate used to sign the program’s own cer‐
260 tificate, that is, the certificate specified on -c or
261 --certificate. If the program’s certificate is self-
262 signed, then --certificate and --peer-ca-cert should
263 specify the same file.
264
265 This option is not useful in normal operation, because
266 the SSL peer must already have the CA certificate for the
267 peer to have any confidence in the program’s identity.
268 However, this offers a way for a new installation to
269 bootstrap the CA certificate on its first SSL connection.
270
271 Other Options
272 -h
273 --help
274 Prints a brief help message to the console.
275
276 -V
277 --version
278 Prints version information to the console.
279
281 ovn-controller retrieves most of its configuration information from the
282 local Open vSwitch’s ovsdb-server instance. The default location is
283 db.sock in the local Open vSwitch’s "run" directory. It may be overrid‐
284 den by specifying the ovs-database argument as an OVSDB active or pas‐
285 sive connection method, as described in ovsdb(7).
286
287 ovn-controller assumes it gets configuration information from the fol‐
288 lowing keys in the Open_vSwitch table of the local OVS instance:
289
290 external_ids:system-id
291 The chassis name to use in the Chassis table.
292
293 external_ids:hostname
294 The hostname to use in the Chassis table.
295
296 external_ids:ovn-bridge
297 The integration bridge to which logical ports are
298 attached. The default is br-int. If this bridge does not
299 exist when ovn-controller starts, it will be created
300 automatically with the default configuration suggested in
301 ovn-architecture(7).
302
303 external_ids:ovn-remote
304 The OVN database that this system should connect to for
305 its configuration, in one of the same forms documented
306 above for the ovs-database.
307
308 external_ids:ovn-remote-probe-interval
309 The inactivity probe interval of the connection to the
310 OVN database, in milliseconds. If the value is zero, it
311 disables the connection keepalive feature.
312
313 If the value is nonzero, then it will be forced to a
314 value of at least 1000 ms.
315
316 external_ids:ovn-encap-type
317 The encapsulation type that a chassis should use to con‐
318 nect to this node. Multiple encapsulation types may be
319 specified with a comma-separated list. Each listed encap‐
320 sulation type will be paired with ovn-encap-ip.
321
322 Supported tunnel types for connecting hypervisors are
323 geneve and stt. Gateways may use geneve, vxlan, or stt.
324
325 Due to the limited amount of metadata in vxlan, the capa‐
326 bilities and performance of connected gateways will be
327 reduced versus other tunnel formats.
328
329 external_ids:ovn-encap-ip
330 The IP address that a chassis should use to connect to
331 this node using encapsulation types specified by exter‐
332 nal_ids:ovn-encap-type.
333
334 external_ids:ovn-bridge-mappings
335 A list of key-value pairs that map a physical network
336 name to a local ovs bridge that provides connectivity to
337 that network. An example value mapping two physical net‐
338 work names to two ovs bridges would be: phys‐
339 net1:br-eth0,physnet2:br-eth1.
340
341 external_ids:ovn-encap-csum
342 ovn-encap-csum indicates that encapsulation checksums can
343 be transmitted and received with reasonable performance.
344 It is a hint to senders transmitting data to this chassis
345 that they should use checksums to protect OVN metadata.
346 Set to true to enable or false to disable. Depending on
347 the capabilities of the network interface card, enabling
348 encapsulation checksum may incur performance loss. In
349 such cases, encapsulation checksums can be disabled.
350
351 external_ids:ovn-cms-options
352 A list of options that will be consumed by the CMS Plugin
353 and which specific to this particular chassis. An example
354 would be: cms_option1,cms_option2:foo.
355
356 ovn-controller reads the following values from the Open_vSwitch data‐
357 base of the local OVS instance:
358
359 datapath-type from Bridge table
360 This value is read from local OVS integration bridge row
361 of Bridge table and populated in external_ids:datapath-
362 type of the Chassis table in the OVN_Southbound database.
363
364 iface-types from Open_vSwitch table
365 This value is populated in external_ids:iface-types of
366 the Chassis table in the OVN_Southbound database.
367
368 private_key, certificate, ca_cert, and bootstrap_ca_cert from
369 SSL table
370 These values provide the SSL configuration used for con‐
371 necting to the OVN southbound database server when an SSL
372 connection type is configured via exter‐
373 nal_ids:ovn-remote. Note that this SSL configuration can
374 also be provided via command-line options, the configura‐
375 tion in the database takes precedence if both are
376 present.
377
379 ovn-controller uses a number of external_ids keys in the Open vSwitch
380 database to keep track of ports and interfaces. For proper operation,
381 users should not change or clear these keys:
382
383 external_ids:ovn-chassis-id in the Port table
384 The presence of this key identifies a tunnel port within
385 the integration bridge as one created by ovn-controller
386 to reach a remote chassis. Its value is the chassis ID of
387 the remote chassis.
388
389 external_ids:ct-zone-* in the Bridge table
390 Logical ports and gateway routers are assigned a connec‐
391 tion tracking zone by ovn-controller for stateful ser‐
392 vices. To keep state across restarts of ovn-controller,
393 these keys are stored in the integration bridge’s Bridge
394 table. The name contains a prefix of ct-zone- followed by
395 the name of the logical port or gateway router’s zone
396 key. The value for this key identifies the zone used for
397 this port.
398
399 external_ids:ovn-localnet-port in the Port table
400 The presence of this key identifies a patch port as one
401 created by ovn-controller to connect the integration
402 bridge and another bridge to implement a localnet logical
403 port. Its value is the name of the logical port with type
404 set to localnet that the port implements. See exter‐
405 nal_ids:ovn-bridge-mappings, above, for more information.
406
407 Each localnet logical port is implemented as a pair of
408 patch ports, one in the integration bridge, one in a dif‐
409 ferent bridge, with the same external_ids:ovn-local‐
410 net-port value.
411
412 external_ids:ovn-l2gateway-port in the Port table
413 The presence of this key identifies a patch port as one
414 created by ovn-controller to connect the integration
415 bridge and another bridge to implement a l2gateway logi‐
416 cal port. Its value is the name of the logical port with
417 type set to l2gateway that the port implements. See
418 external_ids:ovn-bridge-mappings, above, for more infor‐
419 mation.
420
421 Each l2gateway logical port is implemented as a pair of
422 patch ports, one in the integration bridge, one in a dif‐
423 ferent bridge, with the same external_ids:ovn-l2gate‐
424 way-port value.
425
426 external-ids:ovn-l3gateway-port in the Port table
427 This key identifies a patch port as one created by
428 ovn-controller to implement a l3gateway logical port. Its
429 value is the name of the logical port with type set to
430 l3gateway. This patch port is similar to the OVN logical
431 patch port, except that l3gateway port can only be bound
432 to a paticular chassis.
433
434 external-ids:ovn-logical-patch-port in the Port table
435 This key identifies a patch port as one created by
436 ovn-controller to implement an OVN logical patch port
437 within the integration bridge. Its value is the name of
438 the OVN logical patch port that it implements.
439
441 ovn-controller reads from much of the OVN_Southbound database to guide
442 its operation. ovn-controller also writes to the following tables:
443
444 Chassis
445 Upon startup, ovn-controller creates a row in this table
446 to represent its own chassis. Upon graceful termination,
447 e.g. with ovs-appctl -t ovn-controller exit (but not
448 SIGTERM), ovn-controller removes its row.
449
450 Encap Upon startup, ovn-controller creates a row or rows in
451 this table that represent the tunnel encapsulations by
452 which its chassis can be reached, and points its Chassis
453 row to them. Upon graceful termination, ovn-controller
454 removes these rows.
455
456 Port_Binding
457 At runtime, ovn-controller sets the chassis columns of
458 ports that are resident on its chassis to point to its
459 Chassis row, and, conversely, clears the chassis column
460 of ports that point to its Chassis row but are no longer
461 resident on its chassis. The chassis column has a weak
462 reference type, so when ovn-controller gracefully exits
463 and removes its Chassis row, the database server automat‐
464 ically clears any remaining references to that row.
465
466 MAC_Binding
467 At runtime, ovn-controller updates the MAC_Binding table
468 as instructed by put_arp and put_nd logical actions.
469 These changes persist beyond the lifetime of ovn-con‐
470 troller.
471
473 ovs-appctl can send commands to a running ovn-controller process. The
474 currently supported commands are described below.
475
476 exit Causes ovn-controller to gracefully terminate.
477
478 ct-zone-list
479 Lists each local logical port and its connection tracking
480 zone.
481
482 meter-table-list
483 Lists each meter table entry and its local meter id.
484
485 group-table-list
486 Lists each group table entry and its local group id.
487
488 inject-pkt microflow
489 Injects microflow into the connected Open vSwitch
490 instance. microflow must contain an ingress logical port
491 (inport argument) that is present on the Open vSwitch
492 instance.
493
494 The microflow argument describes the packet whose for‐
495 warding is to be simulated, in the syntax of an OVN logi‐
496 cal expression, as described in ovn-sb(5), to express
497 constraints. The parser understands prerequisites; for
498 example, if the expression refers to ip4.src, there is no
499 need to explicitly state ip4 or eth.type == 0x800.
500
501 connection-status
502 Show OVN SBDB connection status for the chassis.
503
504
505
506Open vSwitch 2.10.1 ovn-controller ovn-controller(8)