1ovn-ic(8)                         OVN Manual                         ovn-ic(8)
2
3
4
5build/.PP
6

NAME

8       ovn-ic - Open Virtual Network interconnection controller
9

SYNOPSIS

11       ovn-ic [options]
12

DESCRIPTION

14       ovn-ic,  OVN  interconnection controller, is a centralized daemon which
15       communicates with global interconnection databases IC_NB/IC_SB to  con‐
16       figure  and  exchange  data  with  local NB/SB for interconnecting with
17       other OVN deployments.
18

OPTIONS

20       --ovnnb-db=database
21              The OVSDB database containing the OVN  Northbound  Database.  If
22              the  OVN_NB_DB environment variable is set, its value is used as
23              the default. Otherwise, the default is unix:/ovnnb_db.sock.
24
25       --ovnsb-db=database
26              The OVSDB database containing the OVN  Southbound  Database.  If
27              the  OVN_SB_DB environment variable is set, its value is used as
28              the default. Otherwise, the default is unix:/ovnsb_db.sock.
29
30       --ic-nb-db=database
31              The OVSDB database containing the OVN Interconnection Northbound
32              Database.  If  the OVN_IC_NB_DB environment variable is set, its
33              value  is  used  as  the  default.  Otherwise,  the  default  is
34              unix:/ovn_ic_nb_db.sock.
35
36       --ic-sb-db=database
37              The OVSDB database containing the OVN Interconnection Southbound
38              Database. If the OVN_IC_SB_DB environment variable is  set,  its
39              value  is  used  as  the  default.  Otherwise,  the  default  is
40              unix:/ovn_ic_sb_db.sock.
41
42       database in the above options must be an OVSDB active or  passive  con‐
43       nection method, as described in ovsdb(7).
44
45   Daemon Options
46       --pidfile[=pidfile]
47              Causes a file (by default, program.pid) to be created indicating
48              the PID of the running process. If the pidfile argument  is  not
49              specified, or if it does not begin with /, then it is created in
50              .
51
52              If --pidfile is not specified, no pidfile is created.
53
54       --overwrite-pidfile
55              By default, when --pidfile is specified and the  specified  pid‐
56              file already exists and is locked by a running process, the dae‐
57              mon refuses to start. Specify --overwrite-pidfile to cause it to
58              instead overwrite the pidfile.
59
60              When --pidfile is not specified, this option has no effect.
61
62       --detach
63              Runs  this  program  as a background process. The process forks,
64              and in the child it starts a new session,  closes  the  standard
65              file descriptors (which has the side effect of disabling logging
66              to the console), and changes its current directory to  the  root
67              (unless  --no-chdir is specified). After the child completes its
68              initialization, the parent exits.
69
70       --monitor
71              Creates an additional process to monitor  this  program.  If  it
72              dies  due  to a signal that indicates a programming error (SIGA‐
73              BRT, SIGALRM, SIGBUS, SIGFPE, SIGILL, SIGPIPE, SIGSEGV, SIGXCPU,
74              or SIGXFSZ) then the monitor process starts a new copy of it. If
75              the daemon dies or exits for another reason, the monitor process
76              exits.
77
78              This  option  is  normally used with --detach, but it also func‐
79              tions without it.
80
81       --no-chdir
82              By default, when --detach is specified, the daemon  changes  its
83              current  working  directory  to  the  root  directory  after  it
84              detaches. Otherwise, invoking the daemon from a carelessly  cho‐
85              sen  directory  would  prevent the administrator from unmounting
86              the file system that holds that directory.
87
88              Specifying --no-chdir suppresses this behavior,  preventing  the
89              daemon  from changing its current working directory. This may be
90              useful for collecting core files, since it is common behavior to
91              write core dumps into the current working directory and the root
92              directory is not a good directory to use.
93
94              This option has no effect when --detach is not specified.
95
96       --no-self-confinement
97              By default this daemon will try to self-confine itself  to  work
98              with  files  under  well-known  directories  determined at build
99              time. It is better to stick with this default behavior  and  not
100              to  use  this  flag  unless some other Access Control is used to
101              confine daemon. Note that in contrast to  other  access  control
102              implementations  that  are  typically enforced from kernel-space
103              (e.g. DAC or MAC), self-confinement is imposed  from  the  user-
104              space daemon itself and hence should not be considered as a full
105              confinement strategy, but instead should be viewed as  an  addi‐
106              tional layer of security.
107
108       --user=user:group
109              Causes  this  program  to  run  as a different user specified in
110              user:group, thus dropping most of  the  root  privileges.  Short
111              forms  user  and  :group  are also allowed, with current user or
112              group assumed, respectively. Only daemons started  by  the  root
113              user accepts this argument.
114
115              On   Linux,   daemons   will   be   granted   CAP_IPC_LOCK   and
116              CAP_NET_BIND_SERVICES before dropping root  privileges.  Daemons
117              that  interact  with  a  datapath, such as ovs-vswitchd, will be
118              granted three  additional  capabilities,  namely  CAP_NET_ADMIN,
119              CAP_NET_BROADCAST  and  CAP_NET_RAW.  The capability change will
120              apply even if the new user is root.
121
122              On Windows, this option is not currently supported. For security
123              reasons,  specifying  this  option will cause the daemon process
124              not to start.
125
126   Logging Options
127       -v[spec]
128       --verbose=[spec]
129            Sets logging levels. Without any spec,  sets  the  log  level  for
130            every  module and destination to dbg. Otherwise, spec is a list of
131            words separated by spaces or commas or colons, up to one from each
132            category below:
133
134            ·      A  valid module name, as displayed by the vlog/list command
135                   on ovs-appctl(8), limits the log level change to the speci‐
136                   fied module.
137
138            ·      syslog,  console, or file, to limit the log level change to
139                   only to the system log, to  the  console,  or  to  a  file,
140                   respectively.  (If --detach is specified, the daemon closes
141                   its standard file descriptors, so logging  to  the  console
142                   will have no effect.)
143
144                   On  Windows  platform,  syslog is accepted as a word and is
145                   only useful along with the --syslog-target option (the word
146                   has no effect otherwise).
147
148            ·      off,  emer,  err,  warn,  info,  or dbg, to control the log
149                   level. Messages of the given severity  or  higher  will  be
150                   logged,  and  messages  of  lower severity will be filtered
151                   out. off filters out all messages. See ovs-appctl(8) for  a
152                   definition of each log level.
153
154            Case is not significant within spec.
155
156            Regardless  of the log levels set for file, logging to a file will
157            not take place unless --log-file is also specified (see below).
158
159            For compatibility with older versions of OVS, any is accepted as a
160            word but has no effect.
161
162       -v
163       --verbose
164            Sets  the  maximum  logging  verbosity level, equivalent to --ver‐
165            bose=dbg.
166
167       -vPATTERN:destination:pattern
168       --verbose=PATTERN:destination:pattern
169            Sets  the  log  pattern  for  destination  to  pattern.  Refer  to
170            ovs-appctl(8) for a description of the valid syntax for pattern.
171
172       -vFACILITY:facility
173       --verbose=FACILITY:facility
174            Sets  the RFC5424 facility of the log message. facility can be one
175            of kern, user, mail, daemon, auth, syslog, lpr, news, uucp, clock,
176            ftp,  ntp,  audit,  alert, clock2, local0, local1, local2, local3,
177            local4, local5, local6 or local7. If this option is not specified,
178            daemon  is  used  as  the  default for the local system syslog and
179            local0 is used while sending a message to the target provided  via
180            the --syslog-target option.
181
182       --log-file[=file]
183            Enables  logging  to a file. If file is specified, then it is used
184            as the exact name for the log file. The default log file name used
185            if file is omitted is /var/log/ovn/program.log.
186
187       --syslog-target=host:port
188            Send  syslog messages to UDP port on host, in addition to the sys‐
189            tem syslog. The host must be a numerical IP address, not  a  host‐
190            name.
191
192       --syslog-method=method
193            Specify  method  as  how  syslog messages should be sent to syslog
194            daemon. The following forms are supported:
195
196            ·      libc, to use the libc syslog() function. Downside of  using
197                   this  options  is that libc adds fixed prefix to every mes‐
198                   sage before it is actually sent to the syslog  daemon  over
199                   /dev/log UNIX domain socket.
200
201            ·      unix:file, to use a UNIX domain socket directly. It is pos‐
202                   sible to specify arbitrary message format with this option.
203                   However,  rsyslogd  8.9  and  older versions use hard coded
204                   parser function anyway that limits UNIX domain socket  use.
205                   If  you  want  to  use  arbitrary message format with older
206                   rsyslogd versions, then use  UDP  socket  to  localhost  IP
207                   address instead.
208
209            ·      udp:ip:port,  to  use  a UDP socket. With this method it is
210                   possible to use arbitrary message format  also  with  older
211                   rsyslogd.  When  sending  syslog  messages  over UDP socket
212                   extra precaution needs to be taken into account, for  exam‐
213                   ple,  syslog daemon needs to be configured to listen on the
214                   specified UDP port,  accidental  iptables  rules  could  be
215                   interfering  with  local  syslog traffic and there are some
216                   security considerations that apply to UDP sockets,  but  do
217                   not apply to UNIX domain sockets.
218
219            ·      null, to discard all messages logged to syslog.
220
221            The  default is taken from the OVS_SYSLOG_METHOD environment vari‐
222            able; if it is unset, the default is libc.
223
224   PKI Options
225       PKI configuration is required in order to use SSL for  the  connections
226       to the Northbound and Southbound databases.
227
228              -p privkey.pem
229              --private-key=privkey.pem
230                   Specifies  a  PEM  file  containing the private key used as
231                   identity for outgoing SSL connections.
232
233              -c cert.pem
234              --certificate=cert.pem
235                   Specifies a PEM file containing a certificate  that  certi‐
236                   fies the private key specified on -p or --private-key to be
237                   trustworthy. The certificate must be signed by the certifi‐
238                   cate  authority  (CA) that the peer in SSL connections will
239                   use to verify it.
240
241              -C cacert.pem
242              --ca-cert=cacert.pem
243                   Specifies a PEM file containing the CA certificate for ver‐
244                   ifying certificates presented to this program by SSL peers.
245                   (This may be the same certificate that  SSL  peers  use  to
246                   verify the certificate specified on -c or --certificate, or
247                   it may be a different one, depending on the PKI  design  in
248                   use.)
249
250              -C none
251              --ca-cert=none
252                   Disables  verification  of  certificates  presented  by SSL
253                   peers. This introduces a security risk,  because  it  means
254                   that  certificates  cannot be verified to be those of known
255                   trusted hosts.
256
257   Other Options
258       --unixctl=socket
259              Sets the name of the control socket on which program listens for
260              runtime  management  commands  (see RUNTIME MANAGEMENT COMMANDS,
261              below). If socket does not begin with /, it  is  interpreted  as
262              relative  to  .  If  --unixctl  is  not used at all, the default
263              socket is /program.pid.ctl, where pid is program’s process ID.
264
265              On Windows a local named pipe is used to listen for runtime man‐
266              agement  commands.  A  file  is  created in the absolute path as
267              pointed by socket or if --unixctl is not used at all, a file  is
268              created  as  program in the configured OVS_RUNDIR directory. The
269              file exists just to mimic the behavior of a Unix domain socket.
270
271              Specifying none for socket disables the control socket feature.
272
273
274
275       -h
276       --help
277            Prints a brief help message to the console.
278
279       -V
280       --version
281            Prints version information to the console.
282

RUNTIME MANAGEMENT COMMANDS

284       ovs-appctl can send commands to a running ovn-ic process. The currently
285       supported commands are described below.
286
287              exit   Causes ovn-ic to gracefully terminate.
288
289              pause  Pauses  the ovn-ic operation from processing any database
290                     changes. This will also instruct ovn-ic to drop any  lock
291                     on SB DB.
292
293              resume Resumes  the  ovn-ic  operation  to process database con‐
294                     tents. This will also instruct ovn-northd to  aspire  for
295                     the lock on SB DB.
296
297              is-paused
298                     Returns  "true"  if  ovn-ic  is currently paused, "false"
299                     otherwise.
300
301              status Prints this server’s status. Status will be  "active"  if
302                     ovn-ic  has acquired OVSDB lock on SB DB, "standby" if it
303                     has not or "paused" if this instance is paused.
304

ACTIVE-STANDBY FOR HIGH AVAILABILITY

306       You may run ovn-ic more than once in an OVN deployment. When  connected
307       to  a  standalone  or clustered DB setup, OVN will automatically ensure
308       that only one of them is active at a time.  If  multiple  instances  of
309       ovn-ic  are running and the active ovn-ic fails, one of the hot standby
310       instances of ovn-ic will automatically take over.
311
312
313
314OVN 20.12.0                         ovn-ic                           ovn-ic(8)
Impressum