1ovn-controller(8)             Open vSwitch Manual            ovn-controller(8)
2
3
4

NAME

6       ovn-controller - Open Virtual Network local controller
7

SYNOPSIS

9       ovn-controller [options] [ovs-database]
10

DESCRIPTION

12       ovn-controller is the local controller daemon for OVN, the Open Virtual
13       Network. It connects up to the OVN Southbound database (see  ovn-sb(5))
14       over  the  OVSDB  protocol,  and down to the Open vSwitch database (see
15       ovs-vswitchd.conf.db(5)) over the OVSDB protocol and to ovs-vswitchd(8)
16       via OpenFlow. Each hypervisor and software gateway in an OVN deployment
17       runs its own independent copy of ovn-controller; thus, ovn-controller’s
18       downward  connections  are machine-local and do not run over a physical
19       network.
20

ACL LOGGING

22       ACL log messages are logged through ovn-controller’s logging mechanism.
23       ACL  log entries have the module acl_log at log level info. Configuring
24       logging is described below in the Logging Options section.
25

OPTIONS

27   Daemon Options
28       --pidfile[=pidfile]
29              Causes a file (by default, program.pid) to be created indicating
30              the  PID  of the running process. If the pidfile argument is not
31              specified, or if it does not begin with /, then it is created in
32              /var/run/openvswitch.
33
34              If --pidfile is not specified, no pidfile is created.
35
36       --overwrite-pidfile
37              By  default,  when --pidfile is specified and the specified pid‐
38              file already exists and is locked by a running process, the dae‐
39              mon refuses to start. Specify --overwrite-pidfile to cause it to
40              instead overwrite the pidfile.
41
42              When --pidfile is not specified, this option has no effect.
43
44       --detach
45              Runs this program as a background process.  The  process  forks,
46              and  in  the  child it starts a new session, closes the standard
47              file descriptors (which has the side effect of disabling logging
48              to  the  console), and changes its current directory to the root
49              (unless --no-chdir is specified). After the child completes  its
50              initialization, the parent exits.
51
52       --monitor
53              Creates  an  additional  process  to monitor this program. If it
54              dies due to a signal that indicates a programming  error  (SIGA‐
55              BRT, SIGALRM, SIGBUS, SIGFPE, SIGILL, SIGPIPE, SIGSEGV, SIGXCPU,
56              or SIGXFSZ) then the monitor process starts a new copy of it. If
57              the daemon dies or exits for another reason, the monitor process
58              exits.
59
60              This option is normally used with --detach, but  it  also  func‐
61              tions without it.
62
63       --no-chdir
64              By  default,  when --detach is specified, the daemon changes its
65              current  working  directory  to  the  root  directory  after  it
66              detaches.  Otherwise, invoking the daemon from a carelessly cho‐
67              sen directory would prevent the  administrator  from  unmounting
68              the file system that holds that directory.
69
70              Specifying  --no-chdir  suppresses this behavior, preventing the
71              daemon from changing its current working directory. This may  be
72              useful for collecting core files, since it is common behavior to
73              write core dumps into the current working directory and the root
74              directory is not a good directory to use.
75
76              This option has no effect when --detach is not specified.
77
78       --no-self-confinement
79              By  default  this daemon will try to self-confine itself to work
80              with files under well-known  directories  whitelisted  at  build
81              time.  It  is better to stick with this default behavior and not
82              to use this flag unless some other Access  Control  is  used  to
83              confine  daemon.  Note  that in contrast to other access control
84              implementations that are typically  enforced  from  kernel-space
85              (e.g.  DAC  or  MAC), self-confinement is imposed from the user-
86              space daemon itself and hence should not be considered as a full
87              confinement  strategy,  but instead should be viewed as an addi‐
88              tional layer of security.
89
90       --user=user:group
91              Causes this program to run as  a  different  user  specified  in
92              user:group,  thus  dropping  most  of the root privileges. Short
93              forms user and :group are also allowed,  with  current  user  or
94              group  assumed,  respectively.  Only daemons started by the root
95              user accepts this argument.
96
97              On   Linux,   daemons   will   be   granted   CAP_IPC_LOCK   and
98              CAP_NET_BIND_SERVICES  before  dropping root privileges. Daemons
99              that interact with a datapath, such  as  ovs-vswitchd,  will  be
100              granted  three  additional  capabilities,  namely CAP_NET_ADMIN,
101              CAP_NET_BROADCAST and CAP_NET_RAW. The  capability  change  will
102              apply even if the new user is root.
103
104              On Windows, this option is not currently supported. For security
105              reasons, specifying this option will cause  the  daemon  process
106              not to start.
107
108   Logging Options
109       -v[spec]
110       --verbose=[spec]
111            Sets  logging  levels.  Without  any  spec, sets the log level for
112            every module and destination to dbg. Otherwise, spec is a list  of
113            words separated by spaces or commas or colons, up to one from each
114            category below:
115
116            ·      A valid module name, as displayed by the vlog/list  command
117                   on ovs-appctl(8), limits the log level change to the speci‐
118                   fied module.
119
120            ·      syslog, console, or file, to limit the log level change  to
121                   only  to  the  system  log,  to  the console, or to a file,
122                   respectively. (If --detach is specified, the daemon  closes
123                   its  standard  file  descriptors, so logging to the console
124                   will have no effect.)
125
126                   On Windows platform, syslog is accepted as a  word  and  is
127                   only useful along with the --syslog-target option (the word
128                   has no effect otherwise).
129
130            ·      off, emer, err, warn, info, or  dbg,  to  control  the  log
131                   level.  Messages  of  the  given severity or higher will be
132                   logged, and messages of lower  severity  will  be  filtered
133                   out.  off filters out all messages. See ovs-appctl(8) for a
134                   definition of each log level.
135
136            Case is not significant within spec.
137
138            Regardless of the log levels set for file, logging to a file  will
139            not take place unless --log-file is also specified (see below).
140
141            For compatibility with older versions of OVS, any is accepted as a
142            word but has no effect.
143
144       -v
145       --verbose
146            Sets the maximum logging verbosity  level,  equivalent  to  --ver‐
147            bose=dbg.
148
149       -vPATTERN:destination:pattern
150       --verbose=PATTERN:destination:pattern
151            Sets  the  log  pattern  for  destination  to  pattern.  Refer  to
152            ovs-appctl(8) for a description of the valid syntax for pattern.
153
154       -vFACILITY:facility
155       --verbose=FACILITY:facility
156            Sets the RFC5424 facility of the log message. facility can be  one
157            of kern, user, mail, daemon, auth, syslog, lpr, news, uucp, clock,
158            ftp, ntp, audit, alert, clock2, local0,  local1,  local2,  local3,
159            local4, local5, local6 or local7. If this option is not specified,
160            daemon is used as the default for  the  local  system  syslog  and
161            local0  is used while sending a message to the target provided via
162            the --syslog-target option.
163
164       --log-file[=file]
165            Enables logging to a file. If file is specified, then it  is  used
166            as the exact name for the log file. The default log file name used
167            if file is omitted is /var/log/openvswitch/program.log.
168
169       --syslog-target=host:port
170            Send syslog messages to UDP port on host, in addition to the  sys‐
171            tem  syslog.  The host must be a numerical IP address, not a host‐
172            name.
173
174       --syslog-method=method
175            Specify method as how syslog messages should  be  sent  to  syslog
176            daemon. The following forms are supported:
177
178            ·      libc,  to  use  the  libc  syslog()  function.  This is the
179                   default behavior. Downside of using this  options  is  that
180                   libc  adds fixed prefix to every message before it is actu‐
181                   ally sent to the syslog daemon over  /dev/log  UNIX  domain
182                   socket.
183
184            ·      unix:file, to use a UNIX domain socket directly. It is pos‐
185                   sible to specify arbitrary message format with this option.
186                   However,  rsyslogd  8.9  and  older versions use hard coded
187                   parser function anyway that limits UNIX domain socket  use.
188                   If  you  want  to  use  arbitrary message format with older
189                   rsyslogd versions, then use  UDP  socket  to  localhost  IP
190                   address instead.
191
192            ·      udp:ip:port,  to  use  a UDP socket. With this method it is
193                   possible to use arbitrary message format  also  with  older
194                   rsyslogd.  When  sending  syslog  messages  over UDP socket
195                   extra precaution needs to be taken into account, for  exam‐
196                   ple,  syslog daemon needs to be configured to listen on the
197                   specified UDP port,  accidental  iptables  rules  could  be
198                   interfering  with  local  syslog traffic and there are some
199                   security considerations that apply to UDP sockets,  but  do
200                   not apply to UNIX domain sockets.
201
202   PKI Options
203       PKI  configuration  is required in order to use SSL for the connections
204       to the Northbound and Southbound databases.
205
206              -p privkey.pem
207              --private-key=privkey.pem
208                   Specifies a PEM file containing the  private  key  used  as
209                   identity for outgoing SSL connections.
210
211              -c cert.pem
212              --certificate=cert.pem
213                   Specifies  a  PEM file containing a certificate that certi‐
214                   fies the private key specified on -p or --private-key to be
215                   trustworthy. The certificate must be signed by the certifi‐
216                   cate authority (CA) that the peer in SSL  connections  will
217                   use to verify it.
218
219              -C cacert.pem
220              --ca-cert=cacert.pem
221                   Specifies a PEM file containing the CA certificate for ver‐
222                   ifying certificates presented to this program by SSL peers.
223                   (This  may  be  the  same certificate that SSL peers use to
224                   verify the certificate specified on -c or --certificate, or
225                   it  may  be a different one, depending on the PKI design in
226                   use.)
227
228              -C none
229              --ca-cert=none
230                   Disables verification  of  certificates  presented  by  SSL
231                   peers.  This  introduces  a security risk, because it means
232                   that certificates cannot be verified to be those  of  known
233                   trusted hosts.
234
235              --bootstrap-ca-cert=cacert.pem
236                     When  cacert.pem  exists, this option has the same effect
237                     as -C or --ca-cert. If it does not exist, then  the  exe‐
238                     cutable  will  attempt  to obtain the CA certificate from
239                     the SSL peer on its first SSL connection and save  it  to
240                     the  named PEM file. If it is successful, it will immedi‐
241                     ately drop the connection and reconnect, and from then on
242                     all  SSL  connections must be authenticated by a certifi‐
243                     cate signed by the CA certificate thus obtained.
244
245                     This option exposes the SSL connection to  a  man-in-the-
246                     middle  attack  obtaining the initial CA certificate, but
247                     it may be useful for bootstrapping.
248
249                     This option is only useful if the SSL peer sends  its  CA
250                     certificate as part of the SSL certificate chain. The SSL
251                     protocol does not require the server to send the CA  cer‐
252                     tificate.
253
254                     This option is mutually exclusive with -C and --ca-cert.
255
256              --peer-ca-cert=peer-cacert.pem
257                     Specifies a PEM file that contains one or more additional
258                     certificates to send to SSL peers. peer-cacert.pem should
259                     be the CA certificate used to sign the program’s own cer‐
260                     tificate, that is, the certificate  specified  on  -c  or
261                     --certificate.  If  the  program’s  certificate  is self-
262                     signed,  then  --certificate  and  --peer-ca-cert  should
263                     specify the same file.
264
265                     This  option  is  not useful in normal operation, because
266                     the SSL peer must already have the CA certificate for the
267                     peer  to  have  any confidence in the program’s identity.
268                     However, this offers a way  for  a  new  installation  to
269                     bootstrap the CA certificate on its first SSL connection.
270
271   Other Options
272       -h
273       --help
274            Prints a brief help message to the console.
275
276       -V
277       --version
278            Prints version information to the console.
279

CONFIGURATION

281       ovn-controller retrieves most of its configuration information from the
282       local Open vSwitch’s ovsdb-server instance.  The  default  location  is
283       db.sock in the local Open vSwitch’s "run" directory. It may be overrid‐
284       den by specifying the ovs-database argument as an OVSDB active or  pas‐
285       sive connection method, as described in ovsdb(7).
286
287       ovn-controller  assumes it gets configuration information from the fol‐
288       lowing keys in the Open_vSwitch table of the local OVS instance:
289
290              external_ids:system-id
291                     The chassis name to use in the Chassis table.
292
293              external_ids:hostname
294                     The hostname to use in the Chassis table.
295
296              external_ids:ovn-bridge
297                     The  integration  bridge  to  which  logical  ports   are
298                     attached.  The default is br-int. If this bridge does not
299                     exist when ovn-controller  starts,  it  will  be  created
300                     automatically with the default configuration suggested in
301                     ovn-architecture(7).
302
303              external_ids:ovn-remote
304                     The OVN database that this system should connect  to  for
305                     its  configuration,  in  one of the same forms documented
306                     above for the ovs-database.
307
308              external_ids:ovn-remote-probe-interval
309                     The inactivity probe interval of the  connection  to  the
310                     OVN  database,  in milliseconds. If the value is zero, it
311                     disables the connection keepalive feature.
312
313                     If the value is nonzero, then it  will  be  forced  to  a
314                     value of at least 1000 ms.
315
316              external_ids:ovn-encap-type
317                     The  encapsulation type that a chassis should use to con‐
318                     nect to this node. Multiple encapsulation  types  may  be
319                     specified with a comma-separated list. Each listed encap‐
320                     sulation type will be paired with ovn-encap-ip.
321
322                     Supported tunnel types  for  connecting  hypervisors  are
323                     geneve and stt. Gateways may use geneve, vxlan, or stt.
324
325                     Due to the limited amount of metadata in vxlan, the capa‐
326                     bilities and performance of connected  gateways  will  be
327                     reduced versus other tunnel formats.
328
329              external_ids:ovn-encap-ip
330                     The  IP  address  that a chassis should use to connect to
331                     this node using encapsulation types specified  by  exter‐
332                     nal_ids:ovn-encap-type.
333
334              external_ids:ovn-bridge-mappings
335                     A  list  of  key-value  pairs that map a physical network
336                     name to a local ovs bridge that provides connectivity  to
337                     that  network. An example value mapping two physical net‐
338                     work  names  to  two  ovs   bridges   would   be:   phys‐
339                     net1:br-eth0,physnet2:br-eth1.
340
341              external_ids:ovn-encap-csum
342                     ovn-encap-csum indicates that encapsulation checksums can
343                     be transmitted and received with reasonable  performance.
344                     It is a hint to senders transmitting data to this chassis
345                     that they should use checksums to protect  OVN  metadata.
346                     Set  to  true to enable or false to disable. Depending on
347                     the capabilities of the network interface card,  enabling
348                     encapsulation  checksum  may  incur  performance loss. In
349                     such cases, encapsulation checksums can be disabled.
350
351              external_ids:ovn-cms-options
352                     A list of options that will be consumed by the CMS Plugin
353                     and which specific to this particular chassis. An example
354                     would be: cms_option1,cms_option2:foo.
355
356       ovn-controller reads the following values from the  Open_vSwitch  data‐
357       base of the local OVS instance:
358
359              datapath-type from Bridge table
360                     This  value is read from local OVS integration bridge row
361                     of Bridge table and populated  in  external_ids:datapath-
362                     type of the Chassis table in the OVN_Southbound database.
363
364              iface-types from Open_vSwitch table
365                     This  value  is  populated in external_ids:iface-types of
366                     the Chassis table in the OVN_Southbound database.
367
368              private_key, certificate, ca_cert,  and  bootstrap_ca_cert  from
369              SSL table
370                     These  values provide the SSL configuration used for con‐
371                     necting to the OVN southbound database server when an SSL
372                     connection     type     is    configured    via    exter‐
373                     nal_ids:ovn-remote. Note that this SSL configuration  can
374                     also be provided via command-line options, the configura‐
375                     tion  in  the  database  takes  precedence  if  both  are
376                     present.
377

OPEN VSWITCH DATABASE USAGE

379       ovn-controller  uses  a number of external_ids keys in the Open vSwitch
380       database to keep track of ports and interfaces. For  proper  operation,
381       users should not change or clear these keys:
382
383              external_ids:ovn-chassis-id in the Port table
384                     The  presence of this key identifies a tunnel port within
385                     the integration bridge as one created  by  ovn-controller
386                     to reach a remote chassis. Its value is the chassis ID of
387                     the remote chassis.
388
389              external_ids:ct-zone-* in the Bridge table
390                     Logical ports and gateway routers are assigned a  connec‐
391                     tion  tracking  zone  by ovn-controller for stateful ser‐
392                     vices. To keep state across restarts  of  ovn-controller,
393                     these  keys are stored in the integration bridge’s Bridge
394                     table. The name contains a prefix of ct-zone- followed by
395                     the  name  of  the  logical port or gateway router’s zone
396                     key. The value for this key identifies the zone used  for
397                     this port.
398
399              external_ids:ovn-localnet-port in the Port table
400                     The  presence  of this key identifies a patch port as one
401                     created by  ovn-controller  to  connect  the  integration
402                     bridge and another bridge to implement a localnet logical
403                     port. Its value is the name of the logical port with type
404                     set  to  localnet  that  the  port implements. See exter‐
405                     nal_ids:ovn-bridge-mappings, above, for more information.
406
407                     Each localnet logical port is implemented as  a  pair  of
408                     patch ports, one in the integration bridge, one in a dif‐
409                     ferent  bridge,  with  the  same  external_ids:ovn-local‐
410                     net-port value.
411
412              external_ids:ovn-l2gateway-port in the Port table
413                     The  presence  of this key identifies a patch port as one
414                     created by  ovn-controller  to  connect  the  integration
415                     bridge  and another bridge to implement a l2gateway logi‐
416                     cal port. Its value is the name of the logical port  with
417                     type  set  to  l2gateway  that  the  port implements. See
418                     external_ids:ovn-bridge-mappings, above, for more  infor‐
419                     mation.
420
421                     Each  l2gateway  logical port is implemented as a pair of
422                     patch ports, one in the integration bridge, one in a dif‐
423                     ferent  bridge,  with  the  same external_ids:ovn-l2gate‐
424                     way-port value.
425
426              external-ids:ovn-l3gateway-port in the Port table
427                     This key identifies  a  patch  port  as  one  created  by
428                     ovn-controller to implement a l3gateway logical port. Its
429                     value is the name of the logical port with  type  set  to
430                     l3gateway.  This patch port is similar to the OVN logical
431                     patch port, except that l3gateway port can only be  bound
432                     to a paticular chassis.
433
434              external-ids:ovn-logical-patch-port in the Port table
435                     This  key  identifies  a  patch  port  as  one created by
436                     ovn-controller to implement an  OVN  logical  patch  port
437                     within  the  integration bridge. Its value is the name of
438                     the OVN logical patch port that it implements.
439

OVN SOUTHBOUND DATABASE USAGE

441       ovn-controller reads from much of the OVN_Southbound database to  guide
442       its operation. ovn-controller also writes to the following tables:
443
444              Chassis
445                     Upon  startup, ovn-controller creates a row in this table
446                     to represent its own chassis. Upon graceful  termination,
447                     e.g.  with  ovs-appctl  -t  ovn-controller  exit (but not
448                     SIGTERM), ovn-controller removes its row.
449
450              Encap  Upon startup, ovn-controller creates a  row  or  rows  in
451                     this  table  that  represent the tunnel encapsulations by
452                     which its chassis can be reached, and points its  Chassis
453                     row  to  them.  Upon graceful termination, ovn-controller
454                     removes these rows.
455
456              Port_Binding
457                     At runtime, ovn-controller sets the  chassis  columns  of
458                     ports  that  are  resident on its chassis to point to its
459                     Chassis row, and, conversely, clears the  chassis  column
460                     of  ports that point to its Chassis row but are no longer
461                     resident on its chassis. The chassis column  has  a  weak
462                     reference  type,  so when ovn-controller gracefully exits
463                     and removes its Chassis row, the database server automat‐
464                     ically clears any remaining references to that row.
465
466              MAC_Binding
467                     At  runtime, ovn-controller updates the MAC_Binding table
468                     as instructed by  put_arp  and  put_nd  logical  actions.
469                     These  changes  persist  beyond  the lifetime of ovn-con‐
470                     troller.
471

RUNTIME MANAGEMENT COMMANDS

473       ovs-appctl can send commands to a running ovn-controller  process.  The
474       currently supported commands are described below.
475
476              exit   Causes ovn-controller to gracefully terminate.
477
478              ct-zone-list
479                     Lists each local logical port and its connection tracking
480                     zone.
481
482              meter-table-list
483                     Lists each meter table entry and its local meter id.
484
485              group-table-list
486                     Lists each group table entry and its local group id.
487
488              inject-pkt microflow
489                     Injects  microflow  into  the  connected   Open   vSwitch
490                     instance.  microflow must contain an ingress logical port
491                     (inport argument) that is present  on  the  Open  vSwitch
492                     instance.
493
494                     The  microflow  argument  describes the packet whose for‐
495                     warding is to be simulated, in the syntax of an OVN logi‐
496                     cal  expression,  as  described  in ovn-sb(5), to express
497                     constraints. The parser  understands  prerequisites;  for
498                     example, if the expression refers to ip4.src, there is no
499                     need to explicitly state ip4 or eth.type == 0x800.
500
501              connection-status
502                     Show OVN SBDB connection status for the chassis.
503
504
505
506Open vSwitch 2.10.1             ovn-controller               ovn-controller(8)
Impressum