1ovn-nbctl(8) OVN Manual ovn-nbctl(8)
2build/.PP
6
8 ovn-nbctl - Open Virtual Network northbound db management utility
9
11 ovn-nbctl [options] command [arg...]
12
14 This utility can be used to manage the OVN northbound database.
15
17 init Initializes the database, if it is empty. If the database has
18 already been initialized, this command has no effect.
19 show [switch | router]
21 Prints a brief overview of the database contents. If switch is
22 provided, only records related to that logical switch are shown.
23 If router is provided, only records related to that logical
24 router are shown.
25
27 ls-add Creates a new, unnamed logical switch, which initially has no
28 ports. The switch does not have a name, other commands must
29 refer to this switch by its UUID.
30 [--may-exist | --add-duplicate] ls-add switch
32 Creates a new logical switch named switch, which initially has
33 no ports.
34 The OVN northbound database schema does not require logical
36 switch names to be unique, but the whole point to the names is
37 to provide an easy way for humans to refer to the switches, mak‐
38 ing duplicate names unhelpful. Thus, without any options, this
39 command regards it as an error if switch is a duplicate name.
40 With --may-exist, adding a duplicate name succeeds but does not
41 create a new logical switch. With --add-duplicate, the command
42 really creates a new logical switch with a duplicate name. It is
43 an error to specify both options. If there are multiple logical
44 switches with a duplicate name, configure the logical switches
45 using the UUID instead of the switch name.
46 [--if-exists] ls-del switch
48 Deletes switch. It is an error if switch does not exist, unless
49 --if-exists is specified.
50 ls-list
52 Lists all existing switches on standard output, one per line.
53
55 These commands operates on ACL objects for a given entity. The entity
56 can be either a logical switch or a port group. The entity can be spec‐
57 ified as uuid or name. The --type option can be used to specify the
58 type of the entity, in case both a logical switch and a port groups
59 exist with the same name specified for entity. type must be either
60 switch or port-group.
61 [--type={switch | port-group}] [--log] [--meter=meter] [--sever‐
63 ity=severity] [--name=name] [--may-exist] acl-add entity direc‐
64 tion priority match verdict
65 Adds the specified ACL to entity. direction must be
66 either from-lport or to-lport. priority must be between 0
67 and 32767, inclusive. A full description of the fields
68 are in ovn-nb(5). If --may-exist is specified, adding a
69 duplicated ACL succeeds but the ACL is not really cre‐
70 ated. Without --may-exist, adding a duplicated ACL
71 results in error.
72 The --log option enables packet logging for the ACL. The
74 options --severity and --name specify a severity and
75 name, respectively, for log entries (and also enable log‐
76 ging). The severity must be one of alert, warning,
77 notice, info, or debug. If a severity is not specified,
78 the default is info. The --meter=meter option is used to
79 rate-limit packet logging. The meter argument names a
80 meter configured by meter-add.
81 [--type={switch | port-group}] acl-del entity [direction [prior‐
83 ity match]]
84 Deletes ACLs from entity. If only entity is supplied, all
85 the ACLs from the entity are deleted. If direction is
86 also specified, then all the flows in that direction will
87 be deleted from the entity. If all the fields are given,
88 then a single flow that matches all the fields will be
89 deleted.
90 [--type={switch | port-group}] acl-list entity
92 Lists the ACLs on entity.
93
95 [--may-exist] qos-add switch direction priority match [dscp=dscp]
96 [rate=rate [burst=burst]]
97 Adds QoS marking and metering rules to switch. direction must be
98 either from-lport or to-lport. priority must be between 0 and
99 32767, inclusive.
100 If dscp=dscp is specified, then matching packets will have DSCP
102 marking applied. dscp must be between 0 and 63, inclusive. If
103 rate=rate is specified then matching packets will have metering
104 applied at rate kbps. If metering is configured, then
105 burst=burst specifies the burst rate limit in kilobits. dscp
106 and/or rate are required arguments.
107 If --may-exist is specified, adding a duplicated QoS rule suc‐
109 ceeds but the QoS rule is not really created. Without
110 --may-exist, adding a duplicated QoS rule results in error.
111 qos-del switch [direction [priority match]]
113 Deletes QoS rules from switch. If only switch is supplied, all
114 the QoS rules from the logical switch are deleted. If direction
115 is also specified, then all the flows in that direction will be
116 deleted from the logical switch. If all the fields are supplied,
117 then a single flow that matches the given fields will be
118 deleted.
119 qos-list switch
121 Lists the QoS rules on switch.
122
124 meter-add name action rate unit [burst]
125 Adds the specified meter. name must be a unique name to identify
126 this meter. The action argument specifies what should happen
127 when this meter is exceeded. The only supported action is drop.
128 The unit specifies the unit for the rate argument; valid values
130 are kbps and pktps for kilobits per second and packets per sec‐
131 ond, respectively. The burst option configures the maximum burst
132 allowed for the band in kilobits or packets depending on whether
133 the unit chosen was kbps or pktps, respectively. If a burst is
134 not supplied, the switch is free to select some reasonable value
135 depending on its configuration.
136 ovn-nbctl only supports adding a meter with a single band, but
138 the other commands support meters with multiple bands.
139 Names that start with "__" (two underscores) are reserved for
141 internal use by OVN, so ovn-nbctl does not allow adding them.
142 meter-del [name]
144 Deletes meters. By default, all meters are deleted. If name is
145 supplied, only the meter with that name will be deleted.
146 meter-list
148 Lists all meters.
149
151 [--may-exist] lsp-add switch port
152 Creates on lswitch a new logical switch port named port.
153 It is an error if a logical port named port already exists,
155 unless --may-exist is specified. Regardless of --may-exist, it
156 is an error if the existing port is in some logical switch other
157 than switch or if it has a parent port.
158 [--may-exist] lsp-add switch port parent tag_request
160 Creates on switch a logical switch port named port that is a
161 child of parent that is identified with VLAN ID tag_request,
162 which must be between 0 and 4095, inclusive. If tag_request is
163 0, ovn-northd generates a tag that is unique in the scope of
164 parent. This is useful in cases such as virtualized container
165 environments where Open vSwitch does not have a direct connec‐
166 tion to the container’s port and it must be shared with the vir‐
167 tual machine’s port.
168 It is an error if a logical port named port already exists,
170 unless --may-exist is specified. Regardless of --may-exist, it
171 is an error if the existing port is not in switch or if it does
172 not have the specified parent and tag_request.
173 [--if-exists] lsp-del port
175 Deletes port. It is an error if port does not exist, unless
176 --if-exists is specified.
177 lsp-list switch
179 Lists all the logical switch ports within switch on standard
180 output, one per line.
181 lsp-get-parent port
183 If set, get the parent port of port. If not set, print nothing.
184 lsp-get-tag port
186 If set, get the tag for port traffic. If not set, print nothing.
187 lsp-set-addresses port [address]...
189 Sets the addresses associated with port to address. Each address
190 should be one of the following:
191 an Ethernet address, optionally followed by a space and one or
193 more IP addresses
194 OVN delivers packets for the Ethernet address to this
195 port.
196 unknown
198 OVN delivers unicast Ethernet packets whose destination
199 MAC address is not in any logical port’s addresses column
200 to ports with address unknown.
201 dynamic
203 Use this keyword to make ovn-northd generate a globally
204 unique MAC address and choose an unused IPv4 address with
205 the logical port’s subnet and store them in the port’s
206 dynamic_addresses column.
207 router Accepted only when the type of the logical switch port is
209 router. This indicates that the Ethernet, IPv4, and IPv6
210 addresses for this logical switch port should be obtained
211 from the connected logical router port, as specified by
212 router-port in lsp-set-options.
213 Multiple addresses may be set. If no address argument is given,
215 port will have no addresses associated with it.
216 lsp-get-addresses port
218 Lists all the addresses associated with port on standard output,
219 one per line.
220 lsp-set-port-security port [addrs]...
222 Sets the port security addresses associated with port to addrs.
223 Multiple sets of addresses may be set by using multiple addrs
224 arguments. If no addrs argument is given, port will not have
225 port security enabled.
226 Port security limits the addresses from which a logical port may
228 send packets and to which it may receive packets. See the
229 ovn-nb(5) documentation for the port_security column in the Log‐
230 ical_Switch_Port table for details.
231 lsp-get-port-security port
233 Lists all the port security addresses associated with port on
234 standard output, one per line.
235 lsp-get-up port
237 Prints the state of port, either up or down.
238 lsp-set-enabled port state
240 Set the administrative state of port, either enabled or dis‐
241 abled. When a port is disabled, no traffic is allowed into or
242 out of the port.
243 lsp-get-enabled port
245 Prints the administrative state of port, either enabled or dis‐
246 abled.
247 lsp-set-type port type
249 Set the type for the logical port. The type must be one of the
250 following:
251 (empty string)
253 A VM (or VIF) interface.
254 router A connection to a logical router.
256 localnet
258 A connection to a locally accessible network from each
259 ovn-controller instance. A logical switch can only have a
260 single localnet port attached. This is used to model
261 direct connectivity to an existing network.
262 localport
264 A connection to a local VIF. Traffic that arrives on a
265 localport is never forwarded over a tunnel to another
266 chassis. These ports are present on every chassis and
267 have the same address in all of them. This is used to
268 model connectivity to local services that run on every
269 hypervisor.
270 l2gateway
272 A connection to a physical network.
273 vtep A port to a logical switch on a VTEP gateway.
275 lsp-get-type port
277 Get the type for the logical port.
278 lsp-set-options port [key=value]...
280 Set type-specific key-value options for the logical port.
281 lsp-get-options port
283 Get the type-specific options for the logical port.
284 lsp-set-dhcpv4-options port dhcp_options
286 Set the DHCPv4 options for the logical port. The dhcp_options is
287 a UUID referring to a set of DHCP options in the DHCP_Options
288 table.
289 lsp-get-dhcpv4-options port
291 Get the configured DHCPv4 options for the logical port.
292 lsp-set-dhcpv6-options port dhcp_options
294 Set the DHCPv6 options for the logical port. The dhcp_options is
295 a UUID referring to a set of DHCP options in the DHCP_Options
296 table.
297 lsp-get-dhcpv6-options port
299 Get the configured DHCPv6 options for the logical port.
300 lsp-get-ls port
302 Get the logical switch which the port belongs to.
303
305 [--liveness]fwd-group-add group switch vip vmac ports
306 Creates a new forwarding group named group as the name with the
307 provided vip and vmac. vip should be a virtual IP address and
308 vmac should be a virtual MAC address to access the forwarding
309 group. ports are the logical switch port names that are put in
310 the forwarding group. Example for ports is lsp1 lsp2 ... Traffic
311 destined to virtual IP of the forwarding group will be load bal‐
312 anced to all the child ports.
313 When --liveness is specified then child ports are expected to be
315 bound to external devices like routers. BFD should be configured
316 between hypervisors and the external devices. The child port
317 selection will become dependent on BFD status with its external
318 device.
319 [--if-exists] fwd-group-del group
321 Deletes group. It is an error if group does not exist, unless
322 --if-exists is specified.
323 fwd-group-list [switch]
325 Lists all existing forwarding groups, If switch is specified
326 then only the forwarding groups configured for switch will be
327 listed.
328
330 lr-add Creates a new, unnamed logical router, which initially has no
331 ports. The router does not have a name, other commands must
332 refer to this router by its UUID.
333 [--may-exist | --add-duplicate] lr-add router
335 Creates a new logical router named router, which initially has
336 no ports.
337 The OVN northbound database schema does not require logical
339 router names to be unique, but the whole point to the names is
340 to provide an easy way for humans to refer to the routers, mak‐
341 ing duplicate names unhelpful. Thus, without any options, this
342 command regards it as an error if router is a duplicate name.
343 With --may-exist, adding a duplicate name succeeds but does not
344 create a new logical router. With --add-duplicate, the command
345 really creates a new logical router with a duplicate name. It is
346 an error to specify both options. If there are multiple logical
347 routers with a duplicate name, configure the logical routers
348 using the UUID instead of the router name.
349 [--if-exists] lr-del router
351 Deletes router. It is an error if router does not exist, unless
352 --if-exists is specified.
353 lr-list
355 Lists all existing routers on standard output, one per line.
356
358 [--may-exist] lrp-add router port mac network... [peer=peer]
359 Creates on router a new logical router port named port with Eth‐
360 ernet address mac and one or more IP address/netmask for each
361 network.
362 The optional argument peer identifies a logical router port that
364 connects to this one. The following example adds a router port
365 with an IPv4 and IPv6 address with peer lr1:
366 lrp-add lr0 lrp0 00:11:22:33:44:55 192.168.0.1/24 2001:db8::1/64
368 peer=lr1
369 It is an error if a logical router port named port already
371 exists, unless --may-exist is specified. Regardless of
372 --may-exist, it is an error if the existing router port is in
373 some logical router other than router.
374 [--if-exists] lrp-del port
376 Deletes port. It is an error if port does not exist, unless
377 --if-exists is specified.
378 lrp-list router
380 Lists all the logical router ports within router on standard
381 output, one per line.
382 lrp-set-enabled port state
384 Set the administrative state of port, either enabled or dis‐
385 abled. When a port is disabled, no traffic is allowed into or
386 out of the port.
387 lrp-get-enabled port
389 Prints the administrative state of port, either enabled or dis‐
390 abled.
391 lrp-set-gateway-chassis port chassis [priority]
393 Set gateway chassis for port. chassis is the name of the chas‐
394 sis. This creates a gateway chassis entry in Gateway_Chassis ta‐
395 ble. It won’t check if chassis really exists in OVN_Southbound
396 database. Priority will be set to 0 if priority is not provided
397 by user. priority must be between 0 and 32767, inclusive.
398 lrp-del-gateway-chassis port chassis
400 Deletes gateway chassis from port. It is an error if gateway
401 chassis with chassis for port does not exist.
402 lrp-get-gateway-chassis port
404 Lists all the gateway chassis with priority within port on stan‐
405 dard output, one per line, ordered based on priority.
406
408 [--may-exist] [--policy=POLICY] [--ecmp] lr-route-add router prefix
409 nexthop [port]
410 Adds the specified route to router. prefix describes an IPv4 or
411 IPv6 prefix for this route, such as 192.168.100.0/24. nexthop
412 specifies the gateway to use for this route, which should be the
413 IP address of one of router logical router ports or the IP
414 address of a logical port. If port is specified, packets that
415 match this route will be sent out that port. When port is omit‐
416 ted, OVN infers the output port based on nexthop.
417 --policy describes the policy used to make routing decisions.
419 This should be one of "dst-ip" or "src-ip". If not specified,
420 the default is "dst-ip".
421 It is an error if a route with prefix and POLICY already exists,
423 unless --may-exist or --ecmp is specified. If --may-exist is
424 specified but not --ecmp, the existed route will be updated with
425 the new nexthop and port. If --ecmp is specified, a new route
426 will be added, regardless of the existed route, which is useful
427 when adding ECMP routes, i.e. routes with same POLICY and prefix
428 but different nexthop and port.
429 [--if-exists] [--policy=POLICY] lr-route-del router [prefix [nexthop
431 [port]]]
432 Deletes routes from router. If only router is supplied, all the
433 routes from the logical router are deleted. If POLICY, prefix,
434 nexthop and/or port are also specified, then all the routes that
435 match the conditions will be deleted from the logical router.
436 It is an error if there is no matching route entry, unless
438 --if-exists is specified.
439 lr-route-list router
441 Lists the routes on router.
442
444 [--may-exist] [--stateless]lr-nat-add router type external_ip logi‐
445 cal_ip [logical_port external_mac]
446 Adds the specified NAT to router. The type must be one of snat,
447 dnat, or dnat_and_snat. The external_ip is an IPv4 address. The
448 logical_ip is an IPv4 network (e.g 192.168.1.0/24) or an IPv4
449 address. The logical_port and external_mac are only accepted
450 when router is a distributed router (rather than a gateway
451 router) and type is dnat_and_snat. The logical_port is the name
452 of an existing logical switch port where the logical_ip resides.
453 The external_mac is an Ethernet address. The --stateless
454 When --stateless is specified then it implies that we will be
456 not use connection tracker, i.e internal ip and external ip are
457 1:1 mapped. This implies that --stateless is applicable only to
458 dnat_and_snat type NAT rules. An external ip with --stateless
459 NAT cannot be shared with any other NAT rule.
460 When type is dnat, the externally visible IP address external_ip
462 is DNATted to the IP address logical_ip in the logical space.
463 When type is snat, IP packets with their source IP address that
465 either matches the IP address in logical_ip or is in the network
466 provided by logical_ip is SNATed into the IP address in exter‐
467 nal_ip.
468 When type is dnat_and_snat, the externally visible IP address
470 external_ip is DNATted to the IP address logical_ip in the logi‐
471 cal space. In addition, IP packets with the source IP address
472 that matches logical_ip is SNATed into the IP address in exter‐
473 nal_ip.
474 When the logical_port and external_mac are specified, the NAT
476 rule will be programmed on the chassis where the logical_port
477 resides. This includes ARP replies for the external_ip, which
478 return the value of external_mac. All packets transmitted with
479 source IP address equal to external_ip will be sent using the
480 external_mac.
481 It is an error if a NAT already exists with the same values of
483 router, type, external_ip, and logical_ip, unless --may-exist is
484 specified. When --may-exist, logical_port, and external_mac are
485 all specified, the existing values of logical_port and exter‐
486 nal_mac are overwritten.
487 [--if-exists] lr-nat-del router [type [ip]]
489 Deletes NATs from router. If only router is supplied, all the
490 NATs from the logical router are deleted. If type is also speci‐
491 fied, then all the NATs that match the type will be deleted from
492 the logical router. If all the fields are given, then a single
493 NAT rule that matches all the fields will be deleted. When type
494 is snat, the ip should be logical_ip. When type is dnat or
495 dnat_and_snat, the ip shoud be external_ip.
496 It is an error if ip is specified and there is no matching NAT
498 entry, unless --if-exists is specified.
499 lr-nat-list router
501 Lists the NATs on router.
502
504 [--may-exist | --add-duplicate] lb-add lb vip ips [protocol]
505 Creates a new load balancer named lb with the provided vip and
506 ips or adds the vip to an existing lb. vip should be a virtual
507 IP address (or an IP address and a port number with : as a sepa‐
508 rator). Examples for vip are 192.168.1.4, fd0f::1, and
509 192.168.1.5:8080. ips should be comma separated IP endpoints (or
510 comma separated IP addresses and port numbers with : as a sepa‐
511 rator). ips must be the same address family as vip. Examples for
512 ips are 10.0.0.1,10.0.0.2or [fdef::1]:8800,[fdef::2]:8800.
513 The optional argument protocol must be either tcp or udp. This
515 argument is useful when a port number is provided as part of the
516 vip. If the protocol is unspecified and a port number is pro‐
517 vided as part of the vip, OVN assumes the protocol to be tcp.
518 It is an error if the vip already exists in the load balancer
520 named lb, unless --may-exist is specified. With --add-duplicate,
521 the command really creates a new load balancer with a duplicate
522 name.
523 The following example adds a load balancer.
525 lb-add lb0 30.0.0.10:80
527 192.168.10.10:80,192.168.10.20:80,192.168.10.30:80 udp
528 [--if-exists] lb-del lb [vip]
530 Deletes lb or the vip from lb. If vip is supplied, only the vip
531 will be deleted from the lb. If only the lb is supplied, the lb
532 will be deleted. It is an error if vip does not already exist in
533 lb, unless --if-exists is specified.
534 lb-list [lb]
536 Lists the LBs. If lb is also specified, then only the specified
537 lb will be listed.
538 [--may-exist] ls-lb-add switch lb
540 Adds the specified lb to switch. It is an error if a load bal‐
541 ancer named lb already exists in the switch, unless --may-exist
542 is specified.
543 [--if-exists] ls-lb-del switch [lb]
545 Removes lb from switch. If only switch is supplied, all the LBs
546 from the logical switch are removed. If lb is also specified,
547 then only the lb will be removed from the logical switch. It is
548 an error if lb does not exist in the switch, unless --if-exists
549 is specified.
550 ls-lb-list switch
552 Lists the LBs for the given switch.
553 [--may-exist] lr-lb-add router lb
555 Adds the specified lb to router. It is an error if a load bal‐
556 ancer named lb already exists in the router, unless --may-exist
557 is specified.
558 [--if-exists] lr-lb-del router [lb]
560 Removes lb from router. If only router is supplied, all the LBs
561 from the logical router are removed. If lb is also specified,
562 then only the lb will be removed from the logical router. It is
563 an error if lb does not exist in the router, unless --if-exists
564 is specified.
565 lr-lb-list router
567 Lists the LBs for the given router.
568
570 dhcp-options-create cidr [key=value]
571 Creates a new DHCP Options entry in the DHCP_Options table with
572 the specified cidr and optional external-ids.
573 dhcp-options-list
575 Lists the DHCP Options entries.
576 dhcp-options-del dhcp-option
578 Deletes the DHCP Options entry referred by dhcp-option UUID.
579 dhcp-options-set-options dhcp-option [key=value]...
581 Set the DHCP Options for the dhcp-option UUID.
582 dhcp-options-get-options dhcp-option
584 Lists the DHCP Options for the dhcp-option UUID.
585
587 pg-add group [port]...
588 Creates a new port group in the Port_Group table named group
589 with optional ports added to the group.
590 pg-set-ports group port...
592 Sets ports on the port group named group. It is an error if
593 group does not exist.
594 pg-del group
596 Deletes port group group. It is an error if group does not
597 exist.
598
600 ha-chassis-group-add group
601 Creates a new HA chassis group in the HA_Chassis_Group table
602 named group.
603 ha-chassis-group-del group
605 Deletes the HA chassis group group. It is an error if group does
606 not exist.
607 ha-chassis-group-list
609 Lists the HA chassis group group along with the HA chassis if
610 any associated with it.
611 ha-chassis-group-add-chassis group chassis priority
613 Adds a new HA chassis chassis to the HA Chassis group group with
614 the specified priority. If the chassis already exists, then the
615 priority is updated. The chassis should be the name of the chas‐
616 sis in the OVN_Southbound.
617 ha-chassis-group-remove-chassis group chassis
619 Removes the HA chassis chassis from the HA chassis group group.
620 It is an error if chassis does not exist.
621
623 These commands query and modify the contents of ovsdb tables. They are
624 a slight abstraction of the ovsdb interface and as such they operate at
625 a lower level than other ovn-nbctl commands.
626 Identifying Tables, Records, and Columns
628 Each of these commands has a table parameter to identify a table within
630 the database. Many of them also take a record parameter that identifies
631 a particular record within a table. The record parameter may be the
632 UUID for a record, which may be abbreviated to its first 4 (or more)
633 hex digits, as long as that is unique. Many tables offer additional
634 ways to identify records. Some commands also take column parameters
635 that identify a particular field within the records in a table.
636 For a list of tables and their columns, see ovn-nb(5) or see the table
638 listing from the --help option.
639 Record names must be specified in full and with correct capitalization,
641 except that UUIDs may be abbreviated to their first 4 (or more) hex
642 digits, as long as that is unique within the table. Names of tables and
643 columns are not case-sensitive, and - and _ are treated interchange‐
644 ably. Unique abbreviations of table and column names are acceptable,
645 e.g. d or dhcp is sufficient to identify the DHCP_Options table.
646 Database Values
648 Each column in the database accepts a fixed type of data. The currently
650 defined basic types, and their representations, are:
651 integer
653 A decimal integer in the range -2**63 to 2**63-1, inclu‐
654 sive.
655 real A floating-point number.
657 Boolean
659 True or false, written true or false, respectively.
660 string An arbitrary Unicode string, except that null bytes are
662 not allowed. Quotes are optional for most strings that
663 begin with an English letter or underscore and consist
664 only of letters, underscores, hyphens, and periods. How‐
665 ever, true and false and strings that match the syntax of
666 UUIDs (see below) must be enclosed in double quotes to
667 distinguish them from other basic types. When double
668 quotes are used, the syntax is that of strings in JSON,
669 e.g. backslashes may be used to escape special charac‐
670 ters. The empty string must be represented as a pair of
671 double quotes ("").
672 UUID Either a universally unique identifier in the style of
674 RFC 4122, e.g. f81d4fae-7dec-11d0-a765-00a0c91e6bf6, or
675 an @name defined by a get or create command within the
676 same ovs-vsctl invocation.
677 Multiple values in a single column may be separated by spaces or a sin‐
679 gle comma. When multiple values are present, duplicates are not
680 allowed, and order is not important. Conversely, some database columns
681 can have an empty set of values, represented as [], and square brackets
682 may optionally enclose other non-empty sets or single values as well.
683 A few database columns are ``maps’’ of key-value pairs, where the key
685 and the value are each some fixed database type. These are specified in
686 the form key=value, where key and value follow the syntax for the col‐
687 umn’s key type and value type, respectively. When multiple pairs are
688 present (separated by spaces or a comma), duplicate keys are not
689 allowed, and again the order is not important. Duplicate values are
690 allowed. An empty map is represented as {}. Curly braces may optionally
691 enclose non-empty maps as well (but use quotes to prevent the shell
692 from expanding other-config={0=x,1=y} into other-config=0=x other-con‐
693 fig=1=y, which may not have the desired effect).
694 Database Command Syntax
696 [--if-exists] [--columns=column[,column]...] list table
698 [record]...
699 Lists the data in each specified record. If no records
700 are specified, lists all the records in table.
701 If --columns is specified, only the requested columns are
703 listed, in the specified order. Otherwise, all columns
704 are listed, in alphabetical order by column name.
705 Without --if-exists, it is an error if any specified
707 record does not exist. With --if-exists, the command
708 ignores any record that does not exist, without producing
709 any output.
710 [--columns=column[,column]...] find table [col‐
712 umn[:key]=value]...
713 Lists the data in each record in table whose column
714 equals value or, if key is specified, whose column con‐
715 tains a key with the specified value. The following oper‐
716 ators may be used where = is written in the syntax sum‐
717 mary:
718 = != < > <= >=
720 Selects records in which column[:key] equals, does
721 not equal, is less than, is greater than, is less
722 than or equal to, or is greater than or equal to
723 value, respectively.
724 Consider column[:key] and value as sets of ele‐
726 ments. Identical sets are considered equal. Other‐
727 wise, if the sets have different numbers of ele‐
728 ments, then the set with more elements is consid‐
729 ered to be larger. Otherwise, consider a element
730 from each set pairwise, in increasing order within
731 each set. The first pair that differs determines
732 the result. (For a column that contains key-value
733 pairs, first all the keys are compared, and values
734 are considered only if the two sets contain iden‐
735 tical keys.)
736 {=} {!=}
738 Test for set equality or inequality, respectively.
739 {<=} Selects records in which column[:key] is a subset
741 of value. For example, flood-vlans{<=}1,2 selects
742 records in which the flood-vlans column is the
743 empty set or contains 1 or 2 or both.
744 {<} Selects records in which column[:key] is a proper
746 subset of value. For example, flood-vlans{<}1,2
747 selects records in which the flood-vlans column is
748 the empty set or contains 1 or 2 but not both.
749 {>=} {>}
751 Same as {<=} and {<}, respectively, except that
752 the relationship is reversed. For example,
753 flood-vlans{>=}1,2 selects records in which the
754 flood-vlans column contains both 1 and 2.
755 For arithmetic operators (= != < > <= >=), when key is
757 specified but a particular record’s column does not con‐
758 tain key, the record is always omitted from the results.
759 Thus, the condition other-config:mtu!=1500 matches
760 records that have a mtu key whose value is not 1500, but
761 not those that lack an mtu key.
762 For the set operators, when key is specified but a par‐
764 ticular record’s column does not contain key, the compar‐
765 ison is done against an empty set. Thus, the condition
766 other-config:mtu{!=}1500 matches records that have a mtu
767 key whose value is not 1500 and those that lack an mtu
768 key.
769 Don’t forget to escape < or > from interpretation by the
771 shell.
772 If --columns is specified, only the requested columns are
774 listed, in the specified order. Otherwise all columns are
775 listed, in alphabetical order by column name.
776 The UUIDs shown for rows created in the same ovs-vsctl
778 invocation will be wrong.
779 [--if-exists] [--id=@name] get table record [column[:key]]...
781 Prints the value of each specified column in the given
782 record in table. For map columns, a key may optionally be
783 specified, in which case the value associated with key in
784 the column is printed, instead of the entire map.
785 Without --if-exists, it is an error if record does not
787 exist or key is specified, if key does not exist in
788 record. With --if-exists, a missing record yields no out‐
789 put and a missing key prints a blank line.
790 If @name is specified, then the UUID for record may be
792 referred to by that name later in the same ovs-vsctl
793 invocation in contexts where a UUID is expected.
794 Both --id and the column arguments are optional, but usu‐
796 ally at least one or the other should be specified. If
797 both are omitted, then get has no effect except to verify
798 that record exists in table.
799 --id and --if-exists cannot be used together.
801 [--if-exists] set table record column[:key]=value...
803 Sets the value of each specified column in the given
804 record in table to value. For map columns, a key may
805 optionally be specified, in which case the value associ‐
806 ated with key in that column is changed (or added, if
807 none exists), instead of the entire map.
808 Without --if-exists, it is an error if record does not
810 exist. With --if-exists, this command does nothing if
811 record does not exist.
812 [--if-exists] add table record column [key=]value...
814 Adds the specified value or key-value pair to column in
815 record in table. If column is a map, then key is
816 required, otherwise it is prohibited. If key already
817 exists in a map column, then the current value is not
818 replaced (use the set command to replace an existing
819 value).
820 Without --if-exists, it is an error if record does not
822 exist. With --if-exists, this command does nothing if
823 record does not exist.
824 [--if-exists] remove table record column value...
826 [--if-exists] remove table record column key...
828 [--if-exists] remove table record column key=value...
830 Removes the specified values or key-value pairs from col‐
831 umn in record in table. The first form applies to columns
832 that are not maps: each specified value is removed from
833 the column. The second and third forms apply to map col‐
834 umns: if only a key is specified, then any key-value pair
835 with the given key is removed, regardless of its value;
836 if a value is given then a pair is removed only if both
837 key and value match.
838 It is not an error if the column does not contain the
840 specified key or value or pair.
841 Without --if-exists, it is an error if record does not
843 exist. With --if-exists, this command does nothing if
844 record does not exist.
845 [--if-exists] clear table record column...
847 Sets each column in record in table to the empty set or
848 empty map, as appropriate. This command applies only to
849 columns that are allowed to be empty.
850 Without --if-exists, it is an error if record does not
852 exist. With --if-exists, this command does nothing if
853 record does not exist.
854 [--id=@name] create table column[:key]=value...
856 Creates a new record in table and sets the initial values
857 of each column. Columns not explicitly set will receive
858 their default values. Outputs the UUID of the new row.
859 If @name is specified, then the UUID for the new row may
861 be referred to by that name elsewhere in the same \*(PN
862 invocation in contexts where a UUID is expected. Such
863 references may precede or follow the create command.
864 Caution (ovs-vsctl as example)
866 Records in the Open vSwitch database are signifi‐
867 cant only when they can be reached directly or
868 indirectly from the Open_vSwitch table. Except for
869 records in the QoS or Queue tables, records that
870 are not reachable from the Open_vSwitch table are
871 automatically deleted from the database. This
872 deletion happens immediately, without waiting for
873 additional ovs-vsctl commands or other database
874 activity. Thus, a create command must generally be
875 accompanied by additional commands within the same
876 ovs-vsctl invocation to add a chain of references
877 to the newly created record from the top-level
878 Open_vSwitch record. The EXAMPLES section gives
879 some examples that show how to do this.
880 [--if-exists] destroy table record...
882 Deletes each specified record from table. Unless
883 --if-exists is specified, each records must exist.
884 --all destroy table
886 Deletes all records from the table.
887 Caution (ovs-vsctl as example)
889 The destroy command is only useful for records in
890 the QoS or Queue tables. Records in other tables
891 are automatically deleted from the database when
892 they become unreachable from the Open_vSwitch ta‐
893 ble. This means that deleting the last reference
894 to a record is sufficient for deleting the record
895 itself. For records in these tables, destroy is
896 silently ignored. See the EXAMPLES section below
897 for more information.
898 wait-until table record [column[:key]=value]...
900 Waits until table contains a record named record whose
901 column equals value or, if key is specified, whose column
902 contains a key with the specified value. Any of the oper‐
903 ators !=, <, >, <=, or >= may be substituted for = to
904 test for inequality, less than, greater than, less than
905 or equal to, or greater than or equal to, respectively.
906 (Don’t forget to escape < or > from interpretation by the
907 shell.)
908 If no column[:key]=value arguments are given, this com‐
910 mand waits only until record exists. If more than one
911 such argument is given, the command waits until all of
912 them are satisfied.
913 Caution (ovs-vsctl as example)
915 Usually wait-until should be placed at the begin‐
916 ning of a set of ovs-vsctl commands. For example,
917 wait-until bridge br0 -- get bridge br0 data‐
918 path_id waits until a bridge named br0 is created,
919 then prints its datapath_id column, whereas get
920 bridge br0 datapath_id -- wait-until bridge br0
921 will abort if no bridge named br0 exists when
922 ovs-vsctl initially connects to the database.
923 Consider specifying --timeout=0 along with --wait-until,
925 to prevent ovs-vsctl from terminating after waiting only
926 at most 5 seconds.
927 comment [arg]...
929 This command has no effect on behavior, but any database
930 log record created by the command will include the com‐
931 mand and its arguments.
932
934 sync Ordinarily, --wait=sb or --wait=hv only waits for changes by the
935 current ovn-nbctl invocation to take effect. This means that, if
936 none of the commands supplied to ovn-nbctl change the database,
937 then the command does not wait at all. With the sync command,
938 however, ovn-nbctl waits even for earlier changes to the data‐
939 base to propagate down to the southbound database or all of the
940 OVN chassis, according to the argument to --wait.
941
943 get-connection
944 Prints the configured connection(s).
945 del-connection
947 Deletes the configured connection(s).
948 [--inactivity-probe=msecs] set-connection target...
950 Sets the configured manager target or targets. Use --inactiv‐
951 ity-probe=msecs to override the default idle connection inactiv‐
952 ity probe time. Use 0 to disable inactivity probes.
953
955 get-ssl
956 Prints the SSL configuration.
957 del-ssl
959 Deletes the current SSL configuration.
960 [--bootstrap] set-ssl private-key certificate ca-cert [ssl-protocol-
962 list [ssl-cipher-list]]
963 Sets the SSL configuration.
964
966 When it is invoked in the most ordinary way, ovn-nbctl connects to an
967 OVSDB server that hosts the northbound database, retrieves a partial
968 copy of the database that is complete enough to do its work, sends a
969 transaction request to the server, and receives and processes the
970 server’s reply. In common interactive use, this is fine, but if the
971 database is large, the step in which ovn-nbctl retrieves a partial copy
972 of the database can take a long time, which yields poor performance
973 overall.
974 To improve performance in such a case, ovn-nbctl offers a "daemon
976 mode," in which the user first starts ovn-nbctl running in the back‐
977 ground and afterward uses the daemon to execute operations. Over sev‐
978 eral ovn-nbctl command invocations, this performs better overall
979 because it retrieves a copy of the database only once at the beginning,
980 not once per program run.
981 Use the --detach option to start an ovn-nbctl daemon. With this option,
983 ovn-nbctl prints the name of a control socket to stdout. The client
984 should save this name in environment variable OVN_NB_DAEMON. Under the
985 Bourne shell this might be done like this:
986 export OVN_NB_DAEMON=$(ovn-nbctl --pidfile --detach)
988 When OVN_NB_DAEMON is set, ovn-nbctl automatically and transparently
991 uses the daemon to execute its commands.
992 When the daemon is no longer needed, kill it and unset the environment
994 variable, e.g.:
995 kill $(cat $OVN_RUNDIR/ovn-nbctl.pid)
997 unset OVN_NB_DAEMON
998 When using daemon mode, an alternative to the OVN_NB_DAEMON environment
1001 variable is to specify a path for the Unix socket. When starting the
1002 ovn-nbctl daemon, specify the -u option with a full path to the loca‐
1003 tion of the socket file. Here is an exmple:
1004 ovn-nbctl --detach -u /tmp/mysock.ctl
1006 Then to connect to the running daemon, use the -u option with the full
1009 path to the socket created when the daemon was started:
1010 ovn-nbctl -u /tmp/mysock.ctl show
1012 Daemon mode is experimental.
1015 Daemon Commands
1017 Daemon mode is internally implemented using the same mechanism used by
1018 ovs-appctl. One may also use ovs-appctl directly with the following
1019 commands:
1020 run [options] command [arg...] [-- [options] command [arg...]
1022 ...]
1023 Instructs the daemon process to run one or more ovn-nbctl
1024 commands described above and reply with the results of
1025 running these commands. Accepts the --no-wait, --wait,
1026 --timeout, --dry-run, --oneline, and the options
1027 described under Table Formatting Options in addition to
1028 the the command-specific options.
1029 exit Causes ovn-nbctl to gracefully terminate.
1031
1033 --no-wait | --wait=none
1034 --wait=sb
1035 --wait=hv
1036 These options control whether and how ovn-nbctl waits for the OVN
1037 system to become up-to-date with changes made in an ovn-nbctl
1038 invocation.
1039 By default, or if --no-wait or --wait=none, ovn-nbctl exits imme‐
1041 diately after confirming that changes have been committed to the
1042 northbound database, without waiting.
1043 With --wait=sb, before ovn-nbctl exits, it waits for ovn-northd to
1045 bring the southbound database up-to-date with the northbound data‐
1046 base updates.
1047 With --wait=hv, before ovn-nbctl exits, it additionally waits for
1049 all OVN chassis (hypervisors and gateways) to become up-to-date
1050 with the northbound database updates. (This can become an indefi‐
1051 nite wait if any chassis is malfunctioning.)
1052 Ordinarily, --wait=sb or --wait=hv only waits for changes by the
1054 current ovn-nbctl invocation to take effect. This means that, if
1055 none of the commands supplied to ovn-nbctl change the database,
1056 then the command does not wait at all. Use the sync command to
1057 override this behavior.
1058 User can set one or more OVN_NBCTL_OPTIONS options in environment
1060 variable. Under the Bourne shell this might be done like this:
1061 OVN_NBCTL_OPTIONS="--db=unix:nb1.ovsdb --no-leader-only"
1063 When OVN_NBCTL_OPTIONS is set, ovn-nbctl automatically and trans‐
1066 parently uses the environment variable to execute its commands.
1067 However user can still over-ride environment options by passing
1068 different in cli.
1069 When the environment variable is no longer needed, unset it, e.g.:
1071 unset OVN_NBCTL_OPTIONS
1073 --db database
1076 The OVSDB database remote to contact. If the OVN_NB_DB environment
1077 variable is set, its value is used as the default. Otherwise, the
1078 default is unix:/ovnnb_db.sock, but this default is unlikely to be
1079 useful outside of single-machine OVN test environments.
1080 --leader-only
1082 --no-leader-only
1083 By default, or with --leader-only, when the database server is a
1084 clustered database, ovn-nbctl will avoid servers other than the
1085 cluster leader. This ensures that any data that ovn-nbctl reads
1086 and reports is up-to-date. With --no-leader-only, ovn-nbctl will
1087 use any server in the cluster, which means that for read-only
1088 transactions it can report and act on stale data (transactions
1089 that modify the database are always serialized even with
1090 --no-leader-only). Refer to Understanding Cluster Consistency in
1091 ovsdb(7) for more information.
1092 --shuffle-remotes
1094 --no-shuffle-remotes
1095 By default, or with --shuffle-remotes, when there are multiple
1096 remotes specified in the OVSDB connection string specified by --db
1097 or the OVN_NB_DB environment variable, the order of the remotes
1098 will be shuffled before the client tries to connect. The remotes
1099 will be shuffled only once to a new order before the first connec‐
1100 tion attempt. The following retries, if any, will follow the same
1101 new order. The default behavior is to make sure clients of a clus‐
1102 tered database can distribute evenly to all memembers of the clus‐
1103 ter. With --no-shuffle-remotes, ovn-nbctl will use the original
1104 order specified in the connection string to connect. This allows
1105 user to specify the preferred order, which is particularly useful
1106 for testing.
1107 Daemon Options
1109 --pidfile[=pidfile]
1110 Causes a file (by default, program.pid) to be created indicating
1111 the PID of the running process. If the pidfile argument is not
1112 specified, or if it does not begin with /, then it is created in
1113 .
1114 If --pidfile is not specified, no pidfile is created.
1116 --overwrite-pidfile
1118 By default, when --pidfile is specified and the specified pid‐
1119 file already exists and is locked by a running process, the dae‐
1120 mon refuses to start. Specify --overwrite-pidfile to cause it to
1121 instead overwrite the pidfile.
1122 When --pidfile is not specified, this option has no effect.
1124 --detach
1126 Runs this program as a background process. The process forks,
1127 and in the child it starts a new session, closes the standard
1128 file descriptors (which has the side effect of disabling logging
1129 to the console), and changes its current directory to the root
1130 (unless --no-chdir is specified). After the child completes its
1131 initialization, the parent exits.
1132 --monitor
1134 Creates an additional process to monitor this program. If it
1135 dies due to a signal that indicates a programming error (SIGA‐
1136 BRT, SIGALRM, SIGBUS, SIGFPE, SIGILL, SIGPIPE, SIGSEGV, SIGXCPU,
1137 or SIGXFSZ) then the monitor process starts a new copy of it. If
1138 the daemon dies or exits for another reason, the monitor process
1139 exits.
1140 This option is normally used with --detach, but it also func‐
1142 tions without it.
1143 --no-chdir
1145 By default, when --detach is specified, the daemon changes its
1146 current working directory to the root directory after it
1147 detaches. Otherwise, invoking the daemon from a carelessly cho‐
1148 sen directory would prevent the administrator from unmounting
1149 the file system that holds that directory.
1150 Specifying --no-chdir suppresses this behavior, preventing the
1152 daemon from changing its current working directory. This may be
1153 useful for collecting core files, since it is common behavior to
1154 write core dumps into the current working directory and the root
1155 directory is not a good directory to use.
1156 This option has no effect when --detach is not specified.
1158 --no-self-confinement
1160 By default this daemon will try to self-confine itself to work
1161 with files under well-known directories whitelisted at build
1162 time. It is better to stick with this default behavior and not
1163 to use this flag unless some other Access Control is used to
1164 confine daemon. Note that in contrast to other access control
1165 implementations that are typically enforced from kernel-space
1166 (e.g. DAC or MAC), self-confinement is imposed from the user-
1167 space daemon itself and hence should not be considered as a full
1168 confinement strategy, but instead should be viewed as an addi‐
1169 tional layer of security.
1170 --user=user:group
1172 Causes this program to run as a different user specified in
1173 user:group, thus dropping most of the root privileges. Short
1174 forms user and :group are also allowed, with current user or
1175 group assumed, respectively. Only daemons started by the root
1176 user accepts this argument.
1177 On Linux, daemons will be granted CAP_IPC_LOCK and
1179 CAP_NET_BIND_SERVICES before dropping root privileges. Daemons
1180 that interact with a datapath, such as ovs-vswitchd, will be
1181 granted three additional capabilities, namely CAP_NET_ADMIN,
1182 CAP_NET_BROADCAST and CAP_NET_RAW. The capability change will
1183 apply even if the new user is root.
1184 On Windows, this option is not currently supported. For security
1186 reasons, specifying this option will cause the daemon process
1187 not to start.
1188
1190 -v[spec]
1191 --verbose=[spec]
1192 Sets logging levels. Without any spec, sets the log level for
1193 every module and destination to dbg. Otherwise, spec is a list of
1194 words separated by spaces or commas or colons, up to one from each
1195 category below:
1196 · A valid module name, as displayed by the vlog/list command
1198 on ovs-appctl(8), limits the log level change to the speci‐
1199 fied module.
1200 · syslog, console, or file, to limit the log level change to
1202 only to the system log, to the console, or to a file,
1203 respectively. (If --detach is specified, the daemon closes
1204 its standard file descriptors, so logging to the console
1205 will have no effect.)
1206 On Windows platform, syslog is accepted as a word and is
1208 only useful along with the --syslog-target option (the word
1209 has no effect otherwise).
1210 · off, emer, err, warn, info, or dbg, to control the log
1212 level. Messages of the given severity or higher will be
1213 logged, and messages of lower severity will be filtered
1214 out. off filters out all messages. See ovs-appctl(8) for a
1215 definition of each log level.
1216 Case is not significant within spec.
1218 Regardless of the log levels set for file, logging to a file will
1220 not take place unless --log-file is also specified (see below).
1221 For compatibility with older versions of OVS, any is accepted as a
1223 word but has no effect.
1224 -v
1226 --verbose
1227 Sets the maximum logging verbosity level, equivalent to --ver‐
1228 bose=dbg.
1229 -vPATTERN:destination:pattern
1231 --verbose=PATTERN:destination:pattern
1232 Sets the log pattern for destination to pattern. Refer to
1233 ovs-appctl(8) for a description of the valid syntax for pattern.
1234 -vFACILITY:facility
1236 --verbose=FACILITY:facility
1237 Sets the RFC5424 facility of the log message. facility can be one
1238 of kern, user, mail, daemon, auth, syslog, lpr, news, uucp, clock,
1239 ftp, ntp, audit, alert, clock2, local0, local1, local2, local3,
1240 local4, local5, local6 or local7. If this option is not specified,
1241 daemon is used as the default for the local system syslog and
1242 local0 is used while sending a message to the target provided via
1243 the --syslog-target option.
1244 --log-file[=file]
1246 Enables logging to a file. If file is specified, then it is used
1247 as the exact name for the log file. The default log file name used
1248 if file is omitted is /var/log/ovn/program.log.
1249 --syslog-target=host:port
1251 Send syslog messages to UDP port on host, in addition to the sys‐
1252 tem syslog. The host must be a numerical IP address, not a host‐
1253 name.
1254 --syslog-method=method
1256 Specify method as how syslog messages should be sent to syslog
1257 daemon. The following forms are supported:
1258 · libc, to use the libc syslog() function. Downside of using
1260 this options is that libc adds fixed prefix to every mes‐
1261 sage before it is actually sent to the syslog daemon over
1262 /dev/log UNIX domain socket.
1263 · unix:file, to use a UNIX domain socket directly. It is pos‐
1265 sible to specify arbitrary message format with this option.
1266 However, rsyslogd 8.9 and older versions use hard coded
1267 parser function anyway that limits UNIX domain socket use.
1268 If you want to use arbitrary message format with older
1269 rsyslogd versions, then use UDP socket to localhost IP
1270 address instead.
1271 · udp:ip:port, to use a UDP socket. With this method it is
1273 possible to use arbitrary message format also with older
1274 rsyslogd. When sending syslog messages over UDP socket
1275 extra precaution needs to be taken into account, for exam‐
1276 ple, syslog daemon needs to be configured to listen on the
1277 specified UDP port, accidental iptables rules could be
1278 interfering with local syslog traffic and there are some
1279 security considerations that apply to UDP sockets, but do
1280 not apply to UNIX domain sockets.
1281 · null, to discard all messages logged to syslog.
1283 The default is taken from the OVS_SYSLOG_METHOD environment vari‐
1285 able; if it is unset, the default is libc.
1286
1288 These options control the format of output from the list and find com‐
1289 mands.
1290 -f format
1292 --format=format
1293 Sets the type of table formatting. The following types of
1294 format are available:
1295 table 2-D text tables with aligned columns.
1297 list (default)
1299 A list with one column per line and rows separated
1300 by a blank line.
1301 html HTML tables.
1303 csv Comma-separated values as defined in RFC 4180.
1305 json JSON format as defined in RFC 4627. The output is a
1307 sequence of JSON objects, each of which corresponds
1308 to one table. Each JSON object has the following
1309 members with the noted values:
1310 caption
1312 The table’s caption. This member is omitted
1313 if the table has no caption.
1314 headings
1316 An array with one element per table column.
1317 Each array element is a string giving the
1318 corresponding column’s heading.
1319 data An array with one element per table row. Each
1321 element is also an array with one element per
1322 table column. The elements of this second-
1323 level array are the cells that constitute the
1324 table. Cells that represent OVSDB data or
1325 data types are expressed in the format
1326 described in the OVSDB specification; other
1327 cells are simply expressed as text strings.
1328 -d format
1330 --data=format
1331 Sets the formatting for cells within output tables unless
1332 the table format is set to json, in which case json format‐
1333 ting is always used when formatting cells. The following
1334 types of format are available:
1335 string (default)
1337 The simple format described in the Database Values
1338 section of ovs-vsctl(8).
1339 bare The simple format with punctuation stripped off: []
1341 and {} are omitted around sets, maps, and empty col‐
1342 umns, items within sets and maps are space-sepa‐
1343 rated, and strings are never quoted. This format may
1344 be easier for scripts to parse.
1345 json The RFC 4627 JSON format as described above.
1347 --no-headings
1349 This option suppresses the heading row that otherwise
1350 appears in the first row of table output.
1351 --pretty
1353 By default, JSON in output is printed as compactly as pos‐
1354 sible. This option causes JSON in output to be printed in a
1355 more readable fashion. Members of objects and elements of
1356 arrays are printed one per line, with indentation.
1357 This option does not affect JSON in tables, which is always
1359 printed compactly.
1360 --bare
1362 Equivalent to --format=list --data=bare --no-headings.
1363 PKI Options
1365 PKI configuration is required to use SSL for the connection to the
1366 database.
1367 -p privkey.pem
1369 --private-key=privkey.pem
1370 Specifies a PEM file containing the private key used as
1371 identity for outgoing SSL connections.
1372 -c cert.pem
1374 --certificate=cert.pem
1375 Specifies a PEM file containing a certificate that certi‐
1376 fies the private key specified on -p or --private-key to be
1377 trustworthy. The certificate must be signed by the certifi‐
1378 cate authority (CA) that the peer in SSL connections will
1379 use to verify it.
1380 -C cacert.pem
1382 --ca-cert=cacert.pem
1383 Specifies a PEM file containing the CA certificate for ver‐
1384 ifying certificates presented to this program by SSL peers.
1385 (This may be the same certificate that SSL peers use to
1386 verify the certificate specified on -c or --certificate, or
1387 it may be a different one, depending on the PKI design in
1388 use.)
1389 -C none
1391 --ca-cert=none
1392 Disables verification of certificates presented by SSL
1393 peers. This introduces a security risk, because it means
1394 that certificates cannot be verified to be those of known
1395 trusted hosts.
1396 --bootstrap-ca-cert=cacert.pem
1398 When cacert.pem exists, this option has the same effect
1399 as -C or --ca-cert. If it does not exist, then the exe‐
1400 cutable will attempt to obtain the CA certificate from
1401 the SSL peer on its first SSL connection and save it to
1402 the named PEM file. If it is successful, it will immedi‐
1403 ately drop the connection and reconnect, and from then on
1404 all SSL connections must be authenticated by a certifi‐
1405 cate signed by the CA certificate thus obtained.
1406 This option exposes the SSL connection to a man-in-the-
1408 middle attack obtaining the initial CA certificate, but
1409 it may be useful for bootstrapping.
1410 This option is only useful if the SSL peer sends its CA
1412 certificate as part of the SSL certificate chain. The SSL
1413 protocol does not require the server to send the CA cer‐
1414 tificate.
1415 This option is mutually exclusive with -C and --ca-cert.
1417 Other Options
1419 -h
1420 --help
1421 Prints a brief help message to the console.
1422 -V
1424 --version
1425 Prints version information to the console.
1426OVN 20.03.0 ovn-nbctl ovn-nbctl(8)