1ovn-trace(8) Open vSwitch Manual ovn-trace(8)
2
6 ovn-trace - Open Virtual Network logical network tracing utility
7
9 ovn-trace [options] datapath microflow
10 ovn-trace [options] --detach
12
14 This utility simulates packet forwarding within an OVN logical network.
15 It can be used to run through ``what-if’’ scenarios: if a packet origi‐
16 nates at a logical port, what will happen to it and where will it ulti‐
17 mately end up? Users already familiar with the Open vSwitch
18 ofproto/trace command described in ovs-vswitch(8) will find ovn-trace
19 to be a similar tool for logical networks.
20 ovn-trace works by reading the Logical_Flow and other tables from the
22 OVN southbound database (see ovn-sb(5)). It simulates a packet’s path
23 through logical networks by repeatedly looking it up in the logical
24 flow table, following the entire tree of possibilities.
25 ovn-trace simulates only the OVN logical network. It does not simulate
27 the physical elements on which the logical network is layered. This
28 means that, for example, it is unimportant how VMs are distributed
29 among hypervisors, or whether their hypervisors are functioning and
30 reachable, so ovn-trace will yield the same results regardless. There
31 is one important exception: ovn-northd, the daemon that generates the
32 logical flows that ovn-trace simulates, treats logical ports differ‐
33 ently based on whether they are up or down. Thus, if you see surprising
34 results, ensure that the ports involved in a simulation are up.
35 The simplest way to use ovn-trace is to provide datapath and microflow
37 arguments on the command line. In this case, it simulates the behavior
38 of a single packet and exits. For an alternate usage model, see Daemon
39 Mode below.
40 The datapath argument specifies the name of a logical datapath. Accept‐
42 able names are the name from the northbound Logical_Switch or Logi‐
43 cal_Router table, the UUID of a record from one of those tables, or the
44 UUID of a record from the southbound Datapath_Binding table.
45 The microflow argument describes the packet whose forwarding is to be
47 simulated, in the syntax of an OVN logical expression, as described in
48 ovn-sb(5), to express constraints. The parser understands prerequi‐
49 sites; for example, if the expression refers to ip4.src, there is no
50 need to explicitly state ip4 or eth.type == 0x800.
51 For reasonable L2 behavior, the microflow should include at least
53 inport and eth.dst, plus eth.src if port security is enabled. For exam‐
54 ple:
55 inport == "lp11" && eth.src == 00:01:02:03:04:05 && eth.dst == ff:ff:ff:ff:ff:ff
57 For reasonable L3 behavior, microflow should also include ip4.src and
60 ip4.dst (or ip6.src and ip6.dst) and ip.ttl. For example:
61 inport == "lp111" && eth.src == f0:00:00:00:01:11 && eth.dst == 00:00:00:00:ff:11
63 && ip4.src == 192.168.11.1 && ip4.dst == 192.168.22.2 && ip.ttl == 64
64 Here’s an ARP microflow example:
67 inport == "lp123"
69 && eth.dst == ff:ff:ff:ff:ff:ff && eth.src == f0:00:00:00:01:11
70 && arp.op == 1 && arp.sha == f0:00:00:00:01:11 && arp.spa == 192.168.1.11
71 && arp.tha == ff:ff:ff:ff:ff:ff && arp.tpa == 192.168.2.22
72 ovn-trace will reject erroneous microflow expressions, which beyond
75 syntax errors fall into two categories. First, they can be ambiguous.
76 For example, tcp.src == 80 is ambiguous because it does not state IPv4
77 or IPv6 as the Ethernet type. ip4 && tcp.src > 1024 is also ambiguous
78 because it does not constrain bits of tcp.src to particular values.
79 Second, they can be contradictory, e.g. ip4 && ip6.
80
82 ovn-trace supports the three different forms of output, each described
83 in a separate section below. Regardless of the selected output format,
84 ovn-trace starts the output with a line that shows the microflow being
85 traced in OpenFlow syntax.
86 Detailed Output
88 The detailed form of output is also the default form. This form groups
89 output into sections headed up by the ingress or egress pipeline being
90 traversed. Each pipeline lists each table that was visited (by number
91 and name), the ovn-northd source file and line number of the code that
92 added the flow, the match expression and priority of the logical flow
93 that was matched, and the actions that were executed.
94 The execution of OVN logical actions naturally forms a ``control
96 stack’’ that resembles that of a program in conventional programming
97 languages such as C or Java. Because the next action that calls into
98 another logical flow table for a lookup is a recursive construct, OVN
99 ``programs’’ in practice tend to form deep control stacks that, dis‐
100 played in the obvious way using additional indentation for each level,
101 quickly use up the horizontal space on all but the widest displays. To
102 make detailed output more readable, without loss of generality,
103 ovn-trace omits indentation for ``tail recursion,’’ that is, when next
104 is the last action in a logical flow, it does not indent details of the
105 next table lookup more deeply. Output still uses indentation when it is
106 needed for clarity.
107 OVN ``programs’’ traces also tend to encounter long strings of logical
109 flows with match expression 1 (which matches every packet) and the sin‐
110 gle action next;. These are uninteresting and merely clutter output, so
111 ovn-trace omits them entirely even from detailed output.
112 The following excerpt from detailed ovn-trace output shows a section
114 for a packet traversing the ingress pipeline of logical datapath ls1
115 with ingress logical port lp111. The packet matches a logical flow in
116 table 0 (aka ls_in_port_sec_l2) with priority 50 and executes next(1);
117 to pass to table 1. Tables 1 through 11 are trivial and omitted. In ta‐
118 ble 12 (aka ls_in_l2_lkup), the packet matches a flow with priority 50
119 based on its Ethernet destination address and the flow’s actions output
120 the packet to the lrp11-attachement logical port.
121 ingress(dp="ls1", inport="lp111")
123 ---------------------------------
124 0. ls_in_port_sec_l2: inport == "lp111", priority 50
125 next(1);
126 12. ls_in_l2_lkup: eth.dst == 00:00:00:00:ff:11, priority 50
127 outport = "lrp11-attachment";
128 output;
129 Summary Output
132 Summary output includes the logical pipelines visited by a packet and
133 the logical actions executed on it. Compared to the detailed output,
134 however, it removes details of tables and logical flows traversed by a
135 packet. It uses a format closer to that of a programming language and
136 does not attempt to avoid indentation. The summary output equivalent to
137 the above detailed output fragment is:
138 ingress(dp="ls1", inport="lp111") {
140 outport = "lrp11-attachment";
141 output;
142 ...
143 };
144 Minimal Output
147 Minimal output includes only actions that modify packet data (not
148 including OVN registers or metadata such as outport) and output actions
149 that actually deliver a packet to a logical port (excluding patch
150 ports). The operands of actions that modify packet data are displayed
151 reduced to constants, e.g. ip4.dst = reg0; might be show as ip4.dst =
152 192.168.0.1; if that was the value actually loaded. This yields output
153 even simpler than the summary format. (Users familiar with Open vSwitch
154 may recognize this as similar in spirit to the datapath actions listed
155 at the bottom of ofproto/trace output.)
156 The minimal output format reflects the externally seen behavior of the
158 logical networks more than it does the implementation. This makes this
159 output format the most suitable for use in regression tests, because it
160 is least likely to change when logical flow tables are rearranged with‐
161 out semantic change.
162
164 Some OVN logical actions use or update state that is not available in
165 the southbound database. ovn-trace handles these actions as described
166 below:
167 ct_next
169 By default ovn-trace treats flows as ``tracked’’ and
170 ``established.’’ See the description of the --ct option
171 for a way to override this behavior.
172 ct_dnat (without an argument)
174 Forks the pipeline. In one fork, advances to the next ta‐
175 ble as if next; were executed. The packet is not changed,
176 on the assumption that no NAT state was available. In the
177 other fork, the pipeline continues without change after
178 the ct_dnat action.
179 ct_snat (without an argument)
181 This action distinguishes between gateway routers and
182 distributed routers. A gateway router is defined as a
183 logical datapath that contains an l3gateway port; any
184 other logical datapath is a distributed router. On a
185 gateway router, ct_snat; is treated as a no-op. On a dis‐
186 tributed router, it is treated the same way as ct_dnat;.
187 ct_dnat(ip)
189 ct_snat(ip)
190 Forks the pipeline. In one fork, sets ip4.dst (or ip4.src)
191 to ip and ct.dnat (or ct.snat) to 1 and advances to the
192 next table as if next; were executed. In the other fork,
193 the pipeline continues without change after the ct_dnat (or
194 ct_snat) action.
195 ct_lb
197 Not yet implemented; currently implemented as a no-op.
198 ct_commit
200 put_arp
201 put_nd
202 These actions are treated as no-ops.
203
205 If ovn-trace is invoked with the --detach option (see Daemon Options,
206 below), it runs in the background as a daemon and accepts commands from
207 ovs-appctl (or another JSON-RPC client) indefinitely. The currently
208 supported commands are described below.
209 trace [options] datapath microflow
211 Traces microflow through datapath and replies with the
212 results of the trace. Accepts the options described under
213 Trace Options below.
214 exit Causes ovn-trace to gracefully terminate.
216
218 Trace Options
219 --detailed
220 --summary
221 --minimal
222 These options control the form and level of detail in ovn-trace
223 output. If more than one of these options is specified, all of the
224 selected forms are output, in the order listed above, each headed
225 by a banner line. If none of these options is given, --detailed is
226 the default. See Output, above, for a description of each kind of
227 output.
228 --all
230 Selects all three forms of output.
231 --ovs[=remote]
233 Makes ovn-trace attempt to obtain and display the OpenFlow flows
234 that correspond to each OVN logical flow. To do so, ovn-trace con‐
235 nects to remote (by default, unix:/var/run/open‐
236 vswitch/br-int.mgmt) over OpenFlow and retrieves the flows. If
237 remote is specified, it must be an active OpenFlow connection
238 method described in ovs-ofctl(8).
239 To make the best use of the output, it is important to understand
241 the relationship between logical flows and OpenFlow flows.
242 ovn-architecture(7), under Architectural Physical Life Cycle of a
243 Packet, describes this relationship. Keep in mind the following
244 points:
245 · ovn-trace currently shows all the OpenFlow flows to which a
247 logical flow corresponds, even though an actual packet
248 ordinarily matches only one of these.
249 · Some logical flows can map to the Open vSwitch ``conjunc‐
251 tive match’’ extension (see ovs-fields(7)). Currently
252 ovn-trace cannot display the flows with conjunction actions
253 that effectively produce the conj_id match.
254 · Some logical flows may not be represented in the OpenFlow
256 tables on a given hypervisor, if they could not be used on
257 that hypervisor.
258 · Some OpenFlow flows do not correspond to logical flows,
260 such as OpenFlow flows that map between physical and logi‐
261 cal ports. These flows will never show up in a trace.
262 · When ovn-trace omits uninteresting logical flows from out‐
264 put, it does not look up the corresponding OpenFlow flows.
265 --ct=flags
267 This option sets the ct_state flags that a ct_next logical action
268 will report. The flags must be a comma- or space-separated list of
269 the following connection tracking flags:
270 · trk: Include to indicate connection tracking has taken
272 place. (This bit is set automatically even if not listed in
273 flags.
274 · new: Include to indicate a new flow.
276 · est: Include to indicate an established flow.
278 · rel: Include to indicate a related flow.
280 · rpl: Include to indicate a reply flow.
282 · inv: Include to indicate a connection entry in a bad state.
284 · dnat: Include to indicate a packet whose destination IP
286 address has been changed.
287 · snat: Include to indicate a packet whose source IP address
289 has been changed.
290 The ct_next action is used to implement the OVN distributed fire‐
292 wall. For testing, useful flag combinations include:
293 · trk,new: A packet in a flow in either direction through a
295 firewall that has not yet been committed (with ct_commit).
296 · trk,est: A packet in an established flow going out through
298 a firewall.
299 · trk,rpl: A packet coming in through a firewall in reply to
301 an established flow.
302 · trk,inv: An invalid packet in either direction.
304 A packet might pass through the connection tracker twice in one
306 trip through OVN: once following egress from a VM as it passes
307 outward through a firewall, and once preceding ingress to a second
308 VM as it passes inward through a firewall. Use multiple --ct
309 options to specify the flags for multiple ct_next actions.
310 When --ct is unspecified, or when there are fewer --ct options
312 than ct_next actions, the flags default to trk,est.
313 --friendly-names
315 --no-friendly-names
316 When cloud management systems such as OpenStack are layered on top
317 of OVN, they often use long, human-unfriendly names for ports and
318 datapaths, for example, ones that include entire UUIDs. They do
319 usually include friendlier names, but the long, hard-to-read names
320 are the ones that appear in matches and actions. By default, or
321 with --friendly-names, ovn-trace substitutes these friendlier
322 names for the long names in its output. Use --no-friendly-names to
323 disable this behavior; this option might be useful, for example,
324 if a program is going to parse ovn-trace output.
325 Daemon Options
327 --pidfile[=pidfile]
328 Causes a file (by default, program.pid) to be created indicating
329 the PID of the running process. If the pidfile argument is not
330 specified, or if it does not begin with /, then it is created in
331 /var/run/openvswitch.
332 If --pidfile is not specified, no pidfile is created.
334 --overwrite-pidfile
336 By default, when --pidfile is specified and the specified pid‐
337 file already exists and is locked by a running process, the dae‐
338 mon refuses to start. Specify --overwrite-pidfile to cause it to
339 instead overwrite the pidfile.
340 When --pidfile is not specified, this option has no effect.
342 --detach
344 Runs this program as a background process. The process forks,
345 and in the child it starts a new session, closes the standard
346 file descriptors (which has the side effect of disabling logging
347 to the console), and changes its current directory to the root
348 (unless --no-chdir is specified). After the child completes its
349 initialization, the parent exits.
350 --monitor
352 Creates an additional process to monitor this program. If it
353 dies due to a signal that indicates a programming error (SIGA‐
354 BRT, SIGALRM, SIGBUS, SIGFPE, SIGILL, SIGPIPE, SIGSEGV, SIGXCPU,
355 or SIGXFSZ) then the monitor process starts a new copy of it. If
356 the daemon dies or exits for another reason, the monitor process
357 exits.
358 This option is normally used with --detach, but it also func‐
360 tions without it.
361 --no-chdir
363 By default, when --detach is specified, the daemon changes its
364 current working directory to the root directory after it
365 detaches. Otherwise, invoking the daemon from a carelessly cho‐
366 sen directory would prevent the administrator from unmounting
367 the file system that holds that directory.
368 Specifying --no-chdir suppresses this behavior, preventing the
370 daemon from changing its current working directory. This may be
371 useful for collecting core files, since it is common behavior to
372 write core dumps into the current working directory and the root
373 directory is not a good directory to use.
374 This option has no effect when --detach is not specified.
376 --no-self-confinement
378 By default this daemon will try to self-confine itself to work
379 with files under well-known directories whitelisted at build
380 time. It is better to stick with this default behavior and not
381 to use this flag unless some other Access Control is used to
382 confine daemon. Note that in contrast to other access control
383 implementations that are typically enforced from kernel-space
384 (e.g. DAC or MAC), self-confinement is imposed from the user-
385 space daemon itself and hence should not be considered as a full
386 confinement strategy, but instead should be viewed as an addi‐
387 tional layer of security.
388 --user=user:group
390 Causes this program to run as a different user specified in
391 user:group, thus dropping most of the root privileges. Short
392 forms user and :group are also allowed, with current user or
393 group assumed, respectively. Only daemons started by the root
394 user accepts this argument.
395 On Linux, daemons will be granted CAP_IPC_LOCK and
397 CAP_NET_BIND_SERVICES before dropping root privileges. Daemons
398 that interact with a datapath, such as ovs-vswitchd, will be
399 granted three additional capabilities, namely CAP_NET_ADMIN,
400 CAP_NET_BROADCAST and CAP_NET_RAW. The capability change will
401 apply even if the new user is root.
402 On Windows, this option is not currently supported. For security
404 reasons, specifying this option will cause the daemon process
405 not to start.
406 Logging Options
408 -v[spec]
409 --verbose=[spec]
410 Sets logging levels. Without any spec, sets the log level for
411 every module and destination to dbg. Otherwise, spec is a list of
412 words separated by spaces or commas or colons, up to one from each
413 category below:
414 · A valid module name, as displayed by the vlog/list command
416 on ovs-appctl(8), limits the log level change to the speci‐
417 fied module.
418 · syslog, console, or file, to limit the log level change to
420 only to the system log, to the console, or to a file,
421 respectively. (If --detach is specified, the daemon closes
422 its standard file descriptors, so logging to the console
423 will have no effect.)
424 On Windows platform, syslog is accepted as a word and is
426 only useful along with the --syslog-target option (the word
427 has no effect otherwise).
428 · off, emer, err, warn, info, or dbg, to control the log
430 level. Messages of the given severity or higher will be
431 logged, and messages of lower severity will be filtered
432 out. off filters out all messages. See ovs-appctl(8) for a
433 definition of each log level.
434 Case is not significant within spec.
436 Regardless of the log levels set for file, logging to a file will
438 not take place unless --log-file is also specified (see below).
439 For compatibility with older versions of OVS, any is accepted as a
441 word but has no effect.
442 -v
444 --verbose
445 Sets the maximum logging verbosity level, equivalent to --ver‐
446 bose=dbg.
447 -vPATTERN:destination:pattern
449 --verbose=PATTERN:destination:pattern
450 Sets the log pattern for destination to pattern. Refer to
451 ovs-appctl(8) for a description of the valid syntax for pattern.
452 -vFACILITY:facility
454 --verbose=FACILITY:facility
455 Sets the RFC5424 facility of the log message. facility can be one
456 of kern, user, mail, daemon, auth, syslog, lpr, news, uucp, clock,
457 ftp, ntp, audit, alert, clock2, local0, local1, local2, local3,
458 local4, local5, local6 or local7. If this option is not specified,
459 daemon is used as the default for the local system syslog and
460 local0 is used while sending a message to the target provided via
461 the --syslog-target option.
462 --log-file[=file]
464 Enables logging to a file. If file is specified, then it is used
465 as the exact name for the log file. The default log file name used
466 if file is omitted is /var/log/openvswitch/program.log.
467 --syslog-target=host:port
469 Send syslog messages to UDP port on host, in addition to the sys‐
470 tem syslog. The host must be a numerical IP address, not a host‐
471 name.
472 --syslog-method=method
474 Specify method as how syslog messages should be sent to syslog
475 daemon. The following forms are supported:
476 · libc, to use the libc syslog() function. This is the
478 default behavior. Downside of using this options is that
479 libc adds fixed prefix to every message before it is actu‐
480 ally sent to the syslog daemon over /dev/log UNIX domain
481 socket.
482 · unix:file, to use a UNIX domain socket directly. It is pos‐
484 sible to specify arbitrary message format with this option.
485 However, rsyslogd 8.9 and older versions use hard coded
486 parser function anyway that limits UNIX domain socket use.
487 If you want to use arbitrary message format with older
488 rsyslogd versions, then use UDP socket to localhost IP
489 address instead.
490 · udp:ip:port, to use a UDP socket. With this method it is
492 possible to use arbitrary message format also with older
493 rsyslogd. When sending syslog messages over UDP socket
494 extra precaution needs to be taken into account, for exam‐
495 ple, syslog daemon needs to be configured to listen on the
496 specified UDP port, accidental iptables rules could be
497 interfering with local syslog traffic and there are some
498 security considerations that apply to UDP sockets, but do
499 not apply to UNIX domain sockets.
500 PKI Options
502 PKI configuration is required to use SSL for the connection to the
503 database (and the switch, if --ovs is specified).
504 -p privkey.pem
506 --private-key=privkey.pem
507 Specifies a PEM file containing the private key used as
508 identity for outgoing SSL connections.
509 -c cert.pem
511 --certificate=cert.pem
512 Specifies a PEM file containing a certificate that certi‐
513 fies the private key specified on -p or --private-key to be
514 trustworthy. The certificate must be signed by the certifi‐
515 cate authority (CA) that the peer in SSL connections will
516 use to verify it.
517 -C cacert.pem
519 --ca-cert=cacert.pem
520 Specifies a PEM file containing the CA certificate for ver‐
521 ifying certificates presented to this program by SSL peers.
522 (This may be the same certificate that SSL peers use to
523 verify the certificate specified on -c or --certificate, or
524 it may be a different one, depending on the PKI design in
525 use.)
526 -C none
528 --ca-cert=none
529 Disables verification of certificates presented by SSL
530 peers. This introduces a security risk, because it means
531 that certificates cannot be verified to be those of known
532 trusted hosts.
533 Other Options
535 --db database
536 The OVSDB database remote to contact. If the OVN_SB_DB environ‐
537 ment variable is set, its value is used as the default. Other‐
538 wise, the default is unix:/var/run/openvswitch/db.sock, but this
539 default is unlikely to be useful outside of single-machine OVN
540 test environments.
541 -h
543 --help
544 Prints a brief help message to the console.
545 -V
547 --version
548 Prints version information to the console.
549Open vSwitch 2.10.1 ovn-trace ovn-trace(8)