1ovn-ic(8) OVN Manual ovn-ic(8)
2
3
4
5build/.PP
6
8 ovn-ic - Open Virtual Network interconnection controller
9
11 ovn-ic [options]
12
14 ovn-ic, OVN interconnection controller, is a centralized daemon which
15 communicates with global interconnection databases IC_NB/IC_SB to con‐
16 figure and exchange data with local NB/SB for interconnecting with
17 other OVN deployments.
18
20 --ovnnb-db=database
21 The OVSDB database containing the OVN Northbound Database. If
22 the OVN_NB_DB environment variable is set, its value is used as
23 the default. Otherwise, the default is unix:/ovnnb_db.sock.
24
25 --ovnsb-db=database
26 The OVSDB database containing the OVN Southbound Database. If
27 the OVN_SB_DB environment variable is set, its value is used as
28 the default. Otherwise, the default is unix:/ovnsb_db.sock.
29
30 --ic-nb-db=database
31 The OVSDB database containing the OVN Interconnection Northbound
32 Database. If the OVN_IC_NB_DB environment variable is set, its
33 value is used as the default. Otherwise, the default is
34 unix:/ovn_ic_nb_db.sock.
35
36 --ic-sb-db=database
37 The OVSDB database containing the OVN Interconnection Southbound
38 Database. If the OVN_IC_SB_DB environment variable is set, its
39 value is used as the default. Otherwise, the default is
40 unix:/ovn_ic_sb_db.sock.
41
42 database in the above options must be an OVSDB active or passive con‐
43 nection method, as described in ovsdb(7).
44
45 Daemon Options
46 --pidfile[=pidfile]
47 Causes a file (by default, program.pid) to be created indicating
48 the PID of the running process. If the pidfile argument is not
49 specified, or if it does not begin with /, then it is created in
50 .
51
52 If --pidfile is not specified, no pidfile is created.
53
54 --overwrite-pidfile
55 By default, when --pidfile is specified and the specified pid‐
56 file already exists and is locked by a running process, the dae‐
57 mon refuses to start. Specify --overwrite-pidfile to cause it to
58 instead overwrite the pidfile.
59
60 When --pidfile is not specified, this option has no effect.
61
62 --detach
63 Runs this program as a background process. The process forks,
64 and in the child it starts a new session, closes the standard
65 file descriptors (which has the side effect of disabling logging
66 to the console), and changes its current directory to the root
67 (unless --no-chdir is specified). After the child completes its
68 initialization, the parent exits.
69
70 --monitor
71 Creates an additional process to monitor this program. If it
72 dies due to a signal that indicates a programming error (SIGA‐
73 BRT, SIGALRM, SIGBUS, SIGFPE, SIGILL, SIGPIPE, SIGSEGV, SIGXCPU,
74 or SIGXFSZ) then the monitor process starts a new copy of it. If
75 the daemon dies or exits for another reason, the monitor process
76 exits.
77
78 This option is normally used with --detach, but it also func‐
79 tions without it.
80
81 --no-chdir
82 By default, when --detach is specified, the daemon changes its
83 current working directory to the root directory after it
84 detaches. Otherwise, invoking the daemon from a carelessly cho‐
85 sen directory would prevent the administrator from unmounting
86 the file system that holds that directory.
87
88 Specifying --no-chdir suppresses this behavior, preventing the
89 daemon from changing its current working directory. This may be
90 useful for collecting core files, since it is common behavior to
91 write core dumps into the current working directory and the root
92 directory is not a good directory to use.
93
94 This option has no effect when --detach is not specified.
95
96 --no-self-confinement
97 By default this daemon will try to self-confine itself to work
98 with files under well-known directories whitelisted at build
99 time. It is better to stick with this default behavior and not
100 to use this flag unless some other Access Control is used to
101 confine daemon. Note that in contrast to other access control
102 implementations that are typically enforced from kernel-space
103 (e.g. DAC or MAC), self-confinement is imposed from the user-
104 space daemon itself and hence should not be considered as a full
105 confinement strategy, but instead should be viewed as an addi‐
106 tional layer of security.
107
108 --user=user:group
109 Causes this program to run as a different user specified in
110 user:group, thus dropping most of the root privileges. Short
111 forms user and :group are also allowed, with current user or
112 group assumed, respectively. Only daemons started by the root
113 user accepts this argument.
114
115 On Linux, daemons will be granted CAP_IPC_LOCK and
116 CAP_NET_BIND_SERVICES before dropping root privileges. Daemons
117 that interact with a datapath, such as ovs-vswitchd, will be
118 granted three additional capabilities, namely CAP_NET_ADMIN,
119 CAP_NET_BROADCAST and CAP_NET_RAW. The capability change will
120 apply even if the new user is root.
121
122 On Windows, this option is not currently supported. For security
123 reasons, specifying this option will cause the daemon process
124 not to start.
125
126 Logging Options
127 -v[spec]
128 --verbose=[spec]
129 Sets logging levels. Without any spec, sets the log level for
130 every module and destination to dbg. Otherwise, spec is a list of
131 words separated by spaces or commas or colons, up to one from each
132 category below:
133
134 · A valid module name, as displayed by the vlog/list command
135 on ovs-appctl(8), limits the log level change to the speci‐
136 fied module.
137
138 · syslog, console, or file, to limit the log level change to
139 only to the system log, to the console, or to a file,
140 respectively. (If --detach is specified, the daemon closes
141 its standard file descriptors, so logging to the console
142 will have no effect.)
143
144 On Windows platform, syslog is accepted as a word and is
145 only useful along with the --syslog-target option (the word
146 has no effect otherwise).
147
148 · off, emer, err, warn, info, or dbg, to control the log
149 level. Messages of the given severity or higher will be
150 logged, and messages of lower severity will be filtered
151 out. off filters out all messages. See ovs-appctl(8) for a
152 definition of each log level.
153
154 Case is not significant within spec.
155
156 Regardless of the log levels set for file, logging to a file will
157 not take place unless --log-file is also specified (see below).
158
159 For compatibility with older versions of OVS, any is accepted as a
160 word but has no effect.
161
162 -v
163 --verbose
164 Sets the maximum logging verbosity level, equivalent to --ver‐
165 bose=dbg.
166
167 -vPATTERN:destination:pattern
168 --verbose=PATTERN:destination:pattern
169 Sets the log pattern for destination to pattern. Refer to
170 ovs-appctl(8) for a description of the valid syntax for pattern.
171
172 -vFACILITY:facility
173 --verbose=FACILITY:facility
174 Sets the RFC5424 facility of the log message. facility can be one
175 of kern, user, mail, daemon, auth, syslog, lpr, news, uucp, clock,
176 ftp, ntp, audit, alert, clock2, local0, local1, local2, local3,
177 local4, local5, local6 or local7. If this option is not specified,
178 daemon is used as the default for the local system syslog and
179 local0 is used while sending a message to the target provided via
180 the --syslog-target option.
181
182 --log-file[=file]
183 Enables logging to a file. If file is specified, then it is used
184 as the exact name for the log file. The default log file name used
185 if file is omitted is /var/log/ovn/program.log.
186
187 --syslog-target=host:port
188 Send syslog messages to UDP port on host, in addition to the sys‐
189 tem syslog. The host must be a numerical IP address, not a host‐
190 name.
191
192 --syslog-method=method
193 Specify method as how syslog messages should be sent to syslog
194 daemon. The following forms are supported:
195
196 · libc, to use the libc syslog() function. Downside of using
197 this options is that libc adds fixed prefix to every mes‐
198 sage before it is actually sent to the syslog daemon over
199 /dev/log UNIX domain socket.
200
201 · unix:file, to use a UNIX domain socket directly. It is pos‐
202 sible to specify arbitrary message format with this option.
203 However, rsyslogd 8.9 and older versions use hard coded
204 parser function anyway that limits UNIX domain socket use.
205 If you want to use arbitrary message format with older
206 rsyslogd versions, then use UDP socket to localhost IP
207 address instead.
208
209 · udp:ip:port, to use a UDP socket. With this method it is
210 possible to use arbitrary message format also with older
211 rsyslogd. When sending syslog messages over UDP socket
212 extra precaution needs to be taken into account, for exam‐
213 ple, syslog daemon needs to be configured to listen on the
214 specified UDP port, accidental iptables rules could be
215 interfering with local syslog traffic and there are some
216 security considerations that apply to UDP sockets, but do
217 not apply to UNIX domain sockets.
218
219 · null, to discard all messages logged to syslog.
220
221 The default is taken from the OVS_SYSLOG_METHOD environment vari‐
222 able; if it is unset, the default is libc.
223
224 PKI Options
225 PKI configuration is required in order to use SSL for the connections
226 to the Northbound and Southbound databases.
227
228 -p privkey.pem
229 --private-key=privkey.pem
230 Specifies a PEM file containing the private key used as
231 identity for outgoing SSL connections.
232
233 -c cert.pem
234 --certificate=cert.pem
235 Specifies a PEM file containing a certificate that certi‐
236 fies the private key specified on -p or --private-key to be
237 trustworthy. The certificate must be signed by the certifi‐
238 cate authority (CA) that the peer in SSL connections will
239 use to verify it.
240
241 -C cacert.pem
242 --ca-cert=cacert.pem
243 Specifies a PEM file containing the CA certificate for ver‐
244 ifying certificates presented to this program by SSL peers.
245 (This may be the same certificate that SSL peers use to
246 verify the certificate specified on -c or --certificate, or
247 it may be a different one, depending on the PKI design in
248 use.)
249
250 -C none
251 --ca-cert=none
252 Disables verification of certificates presented by SSL
253 peers. This introduces a security risk, because it means
254 that certificates cannot be verified to be those of known
255 trusted hosts.
256
257 Other Options
258 --unixctl=socket
259 Sets the name of the control socket on which program listens for
260 runtime management commands (see RUNTIME MANAGEMENT COMMANDS,
261 below). If socket does not begin with /, it is interpreted as
262 relative to . If --unixctl is not used at all, the default
263 socket is /program.pid.ctl, where pid is program’s process ID.
264
265 On Windows a local named pipe is used to listen for runtime man‐
266 agement commands. A file is created in the absolute path as
267 pointed by socket or if --unixctl is not used at all, a file is
268 created as program in the configured OVS_RUNDIR directory. The
269 file exists just to mimic the behavior of a Unix domain socket.
270
271 Specifying none for socket disables the control socket feature.
272
273
274
275 -h
276 --help
277 Prints a brief help message to the console.
278
279 -V
280 --version
281 Prints version information to the console.
282
284 ovs-appctl can send commands to a running ovn-ic process. The currently
285 supported commands are described below.
286
287 exit Causes ovn-ic to gracefully terminate.
288
289 pause Pauses the ovn-ic operation from processing any database
290 changes. This will also instruct ovn-ic to drop any lock
291 on SB DB.
292
293 resume Resumes the ovn-ic operation to process database con‐
294 tents. This will also instruct ovn-northd to aspire for
295 the lock on SB DB.
296
297 is-paused
298 Returns "true" if ovn-ic is currently paused, "false"
299 otherwise.
300
301 status Prints this server’s status. Status will be "active" if
302 ovn-ic has acquired OVSDB lock on SB DB, "standby" if it
303 has not or "paused" if this instance is paused.
304
306 You may run ovn-ic more than once in an OVN deployment. When connected
307 to a standalone or clustered DB setup, OVN will automatically ensure
308 that only one of them is active at a time. If multiple instances of
309 ovn-ic are running and the active ovn-ic fails, one of the hot standby
310 instances of ovn-ic will automatically take over.
311
312
313
314OVN 20.03.0 ovn-ic ovn-ic(8)