1ovn-controller(8) OVN Manual ovn-controller(8)
2build/.PP
6
8 ovn-controller - Open Virtual Network local controller
9
11 ovn-controller [options] [ovs-database]
12
14 ovn-controller is the local controller daemon for OVN, the Open Virtual
15 Network. It connects up to the OVN Southbound database (see ovn-sb(5))
16 over the OVSDB protocol, and down to the Open vSwitch database (see
17 ovs-vswitchd.conf.db(5)) over the OVSDB protocol and to ovs-vswitchd(8)
18 via OpenFlow. Each hypervisor and software gateway in an OVN deployment
19 runs its own independent copy of ovn-controller; thus, ovn-controller’s
20 downward connections are machine-local and do not run over a physical
21 network.
22
24 ACL log messages are logged through ovn-controller’s logging mechanism.
25 ACL log entries have the module acl_log at log level info. Configuring
26 logging is described below in the Logging Options section.
27
29 Daemon Options
30 --pidfile[=pidfile]
31 Causes a file (by default, program.pid) to be created indicating
32 the PID of the running process. If the pidfile argument is not
33 specified, or if it does not begin with /, then it is created in
34 .
35 If --pidfile is not specified, no pidfile is created.
37 --overwrite-pidfile
39 By default, when --pidfile is specified and the specified pid‐
40 file already exists and is locked by a running process, the dae‐
41 mon refuses to start. Specify --overwrite-pidfile to cause it to
42 instead overwrite the pidfile.
43 When --pidfile is not specified, this option has no effect.
45 --detach
47 Runs this program as a background process. The process forks,
48 and in the child it starts a new session, closes the standard
49 file descriptors (which has the side effect of disabling logging
50 to the console), and changes its current directory to the root
51 (unless --no-chdir is specified). After the child completes its
52 initialization, the parent exits.
53 --monitor
55 Creates an additional process to monitor this program. If it
56 dies due to a signal that indicates a programming error (SIGA‐
57 BRT, SIGALRM, SIGBUS, SIGFPE, SIGILL, SIGPIPE, SIGSEGV, SIGXCPU,
58 or SIGXFSZ) then the monitor process starts a new copy of it. If
59 the daemon dies or exits for another reason, the monitor process
60 exits.
61 This option is normally used with --detach, but it also func‐
63 tions without it.
64 --no-chdir
66 By default, when --detach is specified, the daemon changes its
67 current working directory to the root directory after it
68 detaches. Otherwise, invoking the daemon from a carelessly cho‐
69 sen directory would prevent the administrator from unmounting
70 the file system that holds that directory.
71 Specifying --no-chdir suppresses this behavior, preventing the
73 daemon from changing its current working directory. This may be
74 useful for collecting core files, since it is common behavior to
75 write core dumps into the current working directory and the root
76 directory is not a good directory to use.
77 This option has no effect when --detach is not specified.
79 --no-self-confinement
81 By default this daemon will try to self-confine itself to work
82 with files under well-known directories determined at build
83 time. It is better to stick with this default behavior and not
84 to use this flag unless some other Access Control is used to
85 confine daemon. Note that in contrast to other access control
86 implementations that are typically enforced from kernel-space
87 (e.g. DAC or MAC), self-confinement is imposed from the user-
88 space daemon itself and hence should not be considered as a full
89 confinement strategy, but instead should be viewed as an addi‐
90 tional layer of security.
91 --user=user:group
93 Causes this program to run as a different user specified in
94 user:group, thus dropping most of the root privileges. Short
95 forms user and :group are also allowed, with current user or
96 group assumed, respectively. Only daemons started by the root
97 user accepts this argument.
98 On Linux, daemons will be granted CAP_IPC_LOCK and
100 CAP_NET_BIND_SERVICES before dropping root privileges. Daemons
101 that interact with a datapath, such as ovs-vswitchd, will be
102 granted three additional capabilities, namely CAP_NET_ADMIN,
103 CAP_NET_BROADCAST and CAP_NET_RAW. The capability change will
104 apply even if the new user is root.
105 On Windows, this option is not currently supported. For security
107 reasons, specifying this option will cause the daemon process
108 not to start.
109 Logging Options
111 -v[spec]
112 --verbose=[spec]
113 Sets logging levels. Without any spec, sets the log level for
114 every module and destination to dbg. Otherwise, spec is a list of
115 words separated by spaces or commas or colons, up to one from each
116 category below:
117 · A valid module name, as displayed by the vlog/list command
119 on ovs-appctl(8), limits the log level change to the speci‐
120 fied module.
121 · syslog, console, or file, to limit the log level change to
123 only to the system log, to the console, or to a file,
124 respectively. (If --detach is specified, the daemon closes
125 its standard file descriptors, so logging to the console
126 will have no effect.)
127 On Windows platform, syslog is accepted as a word and is
129 only useful along with the --syslog-target option (the word
130 has no effect otherwise).
131 · off, emer, err, warn, info, or dbg, to control the log
133 level. Messages of the given severity or higher will be
134 logged, and messages of lower severity will be filtered
135 out. off filters out all messages. See ovs-appctl(8) for a
136 definition of each log level.
137 Case is not significant within spec.
139 Regardless of the log levels set for file, logging to a file will
141 not take place unless --log-file is also specified (see below).
142 For compatibility with older versions of OVS, any is accepted as a
144 word but has no effect.
145 -v
147 --verbose
148 Sets the maximum logging verbosity level, equivalent to --ver‐
149 bose=dbg.
150 -vPATTERN:destination:pattern
152 --verbose=PATTERN:destination:pattern
153 Sets the log pattern for destination to pattern. Refer to
154 ovs-appctl(8) for a description of the valid syntax for pattern.
155 -vFACILITY:facility
157 --verbose=FACILITY:facility
158 Sets the RFC5424 facility of the log message. facility can be one
159 of kern, user, mail, daemon, auth, syslog, lpr, news, uucp, clock,
160 ftp, ntp, audit, alert, clock2, local0, local1, local2, local3,
161 local4, local5, local6 or local7. If this option is not specified,
162 daemon is used as the default for the local system syslog and
163 local0 is used while sending a message to the target provided via
164 the --syslog-target option.
165 --log-file[=file]
167 Enables logging to a file. If file is specified, then it is used
168 as the exact name for the log file. The default log file name used
169 if file is omitted is /var/log/ovn/program.log.
170 --syslog-target=host:port
172 Send syslog messages to UDP port on host, in addition to the sys‐
173 tem syslog. The host must be a numerical IP address, not a host‐
174 name.
175 --syslog-method=method
177 Specify method as how syslog messages should be sent to syslog
178 daemon. The following forms are supported:
179 · libc, to use the libc syslog() function. Downside of using
181 this options is that libc adds fixed prefix to every mes‐
182 sage before it is actually sent to the syslog daemon over
183 /dev/log UNIX domain socket.
184 · unix:file, to use a UNIX domain socket directly. It is pos‐
186 sible to specify arbitrary message format with this option.
187 However, rsyslogd 8.9 and older versions use hard coded
188 parser function anyway that limits UNIX domain socket use.
189 If you want to use arbitrary message format with older
190 rsyslogd versions, then use UDP socket to localhost IP
191 address instead.
192 · udp:ip:port, to use a UDP socket. With this method it is
194 possible to use arbitrary message format also with older
195 rsyslogd. When sending syslog messages over UDP socket
196 extra precaution needs to be taken into account, for exam‐
197 ple, syslog daemon needs to be configured to listen on the
198 specified UDP port, accidental iptables rules could be
199 interfering with local syslog traffic and there are some
200 security considerations that apply to UDP sockets, but do
201 not apply to UNIX domain sockets.
202 · null, to discard all messages logged to syslog.
204 The default is taken from the OVS_SYSLOG_METHOD environment vari‐
206 able; if it is unset, the default is libc.
207 PKI Options
209 PKI configuration is required in order to use SSL for the connections
210 to the Northbound and Southbound databases.
211 -p privkey.pem
213 --private-key=privkey.pem
214 Specifies a PEM file containing the private key used as
215 identity for outgoing SSL connections.
216 -c cert.pem
218 --certificate=cert.pem
219 Specifies a PEM file containing a certificate that certi‐
220 fies the private key specified on -p or --private-key to be
221 trustworthy. The certificate must be signed by the certifi‐
222 cate authority (CA) that the peer in SSL connections will
223 use to verify it.
224 -C cacert.pem
226 --ca-cert=cacert.pem
227 Specifies a PEM file containing the CA certificate for ver‐
228 ifying certificates presented to this program by SSL peers.
229 (This may be the same certificate that SSL peers use to
230 verify the certificate specified on -c or --certificate, or
231 it may be a different one, depending on the PKI design in
232 use.)
233 -C none
235 --ca-cert=none
236 Disables verification of certificates presented by SSL
237 peers. This introduces a security risk, because it means
238 that certificates cannot be verified to be those of known
239 trusted hosts.
240 --bootstrap-ca-cert=cacert.pem
242 When cacert.pem exists, this option has the same effect
243 as -C or --ca-cert. If it does not exist, then the exe‐
244 cutable will attempt to obtain the CA certificate from
245 the SSL peer on its first SSL connection and save it to
246 the named PEM file. If it is successful, it will immedi‐
247 ately drop the connection and reconnect, and from then on
248 all SSL connections must be authenticated by a certifi‐
249 cate signed by the CA certificate thus obtained.
250 This option exposes the SSL connection to a man-in-the-
252 middle attack obtaining the initial CA certificate, but
253 it may be useful for bootstrapping.
254 This option is only useful if the SSL peer sends its CA
256 certificate as part of the SSL certificate chain. The SSL
257 protocol does not require the server to send the CA cer‐
258 tificate.
259 This option is mutually exclusive with -C and --ca-cert.
261 --peer-ca-cert=peer-cacert.pem
263 Specifies a PEM file that contains one or more additional
264 certificates to send to SSL peers. peer-cacert.pem should
265 be the CA certificate used to sign the program’s own cer‐
266 tificate, that is, the certificate specified on -c or
267 --certificate. If the program’s certificate is self-
268 signed, then --certificate and --peer-ca-cert should
269 specify the same file.
270 This option is not useful in normal operation, because
272 the SSL peer must already have the CA certificate for the
273 peer to have any confidence in the program’s identity.
274 However, this offers a way for a new installation to
275 bootstrap the CA certificate on its first SSL connection.
276 Other Options
278 -h
279 --help
280 Prints a brief help message to the console.
281 -V
283 --version
284 Prints version information to the console.
285
287 ovn-controller retrieves most of its configuration information from the
288 local Open vSwitch’s ovsdb-server instance. The default location is
289 db.sock in the local Open vSwitch’s "run" directory. It may be overrid‐
290 den by specifying the ovs-database argument as an OVSDB active or pas‐
291 sive connection method, as described in ovsdb(7).
292 ovn-controller assumes it gets configuration information from the fol‐
294 lowing keys in the Open_vSwitch table of the local OVS instance:
295 external_ids:system-id
297 The chassis name to use in the Chassis table. Changing
298 the system-id while ovn-controller is running is not
299 directly supported. Users have two options: either first
300 gracefully stop ovn-controller or manually delete the
301 stale Chassis and Chassis_Private records after changing
302 the system-id.
303 external_ids:hostname
305 The hostname to use in the Chassis table.
306 external_ids:ovn-bridge
308 The integration bridge to which logical ports are
309 attached. The default is br-int. If this bridge does not
310 exist when ovn-controller starts, it will be created
311 automatically with the default configuration suggested in
312 ovn-architecture(7).
313 external_ids:ovn-bridge-datapath-type
315 This configuration is optional. If set, then the datapath
316 type of the integration bridge will be set to the config‐
317 ured value. If this option is not set, then ovn-con‐
318 troller will not modify the existing datapath-type of the
319 integration bridge.
320 external_ids:ovn-remote
322 The OVN database that this system should connect to for
323 its configuration, in one of the same forms documented
324 above for the ovs-database.
325 external_ids:ovn-monitor-all
327 A boolean value that tells if ovn-controller should moni‐
328 tor all records of tables in ovs-database. If set to
329 false, it will conditionally monitor the records that is
330 needed in the current chassis.
331 It is more optimal to set it to true in use cases when
333 the chassis would anyway need to monitor most of the
334 records in ovs-database, which would save the overhead of
335 conditions processing, especially for server side. Typi‐
336 cally, set it to true for environments that all workloads
337 need to be reachable from each other.
338 Default value is false.
340 external_ids:ovn-remote-probe-interval
342 The inactivity probe interval of the connection to the
343 OVN database, in milliseconds. If the value is zero, it
344 disables the connection keepalive feature.
345 If the value is nonzero, then it will be forced to a
347 value of at least 1000 ms.
348 external_ids:ovn-openflow-probe-interval
350 The inactivity probe interval of the OpenFlow connection
351 to the OpenvSwitch integration bridge, in seconds. If the
352 value is zero, it disables the connection keepalive fea‐
353 ture.
354 If the value is nonzero, then it will be forced to a
356 value of at least 5s.
357 external_ids:ovn-encap-type
359 The encapsulation type that a chassis should use to con‐
360 nect to this node. Multiple encapsulation types may be
361 specified with a comma-separated list. Each listed encap‐
362 sulation type will be paired with ovn-encap-ip.
363 Supported tunnel types for connecting hypervisors are
365 geneve and stt. Gateways may use geneve, vxlan, or stt.
366 Due to the limited amount of metadata in vxlan, the capa‐
368 bilities and performance of connected gateways will be
369 reduced versus other tunnel formats.
370 external_ids:ovn-encap-ip
372 The IP address that a chassis should use to connect to
373 this node using encapsulation types specified by exter‐
374 nal_ids:ovn-encap-type.
375 external_ids:ovn-bridge-mappings
377 A list of key-value pairs that map a physical network
378 name to a local ovs bridge that provides connectivity to
379 that network. An example value mapping two physical net‐
380 work names to two ovs bridges would be: phys‐
381 net1:br-eth0,physnet2:br-eth1.
382 external_ids:ovn-encap-csum
384 ovn-encap-csum indicates that encapsulation checksums can
385 be transmitted and received with reasonable performance.
386 It is a hint to senders transmitting data to this chassis
387 that they should use checksums to protect OVN metadata.
388 Set to true to enable or false to disable. Depending on
389 the capabilities of the network interface card, enabling
390 encapsulation checksum may incur performance loss. In
391 such cases, encapsulation checksums can be disabled.
392 external_ids:ovn-cms-options
394 A list of options that will be consumed by the CMS Plugin
395 and which specific to this particular chassis. An example
396 would be: cms_option1,cms_option2:foo.
397 external_ids:ovn-transport-zones
399 The transport zone(s) that this chassis belongs to.
400 Transport zones is a way to group different chassis so
401 that tunnels are only formed between members of the same
402 group(s). Multiple transport zones may be specified with
403 a comma-separated list. For example: tz1,tz2,tz3.
404 If not set, the Chassis will be considered part of a
406 default transport zone.
407 external_ids:ovn-chassis-mac-mappings
409 A list of key-value pairs that map a chassis specific mac
410 to a physical network name. An example value mapping two
411 chassis macs to two physical network names would be:
412 physnet1:aa:bb:cc:dd:ee:ff,physnet2:a1:b2:c3:d4:e5:f6.
413 These are the macs that ovn-controller will replace a
414 router port mac with, if packet is going from a distrib‐
415 uted router port on vlan type logical switch.
416 external_ids:ovn-is-interconn
418 The boolean flag indicates if the chassis is used as an
419 interconnection gateway.
420 external_ids:ovn-match-northd-version
422 The boolean flag indicates if ovn-controller needs to
423 check ovn-northd version. If this flag is set to true and
424 the ovn-northd’s version (reported in the Southbound
425 database) doesn’t match with the ovn-controller’s inter‐
426 nal version, then it will stop processing the southbound
427 and local Open vSwitch database changes. The default
428 value is considered false if this option is not defined.
429 ovn-controller reads the following values from the Open_vSwitch data‐
431 base of the local OVS instance:
432 datapath-type from Bridge table
434 This value is read from local OVS integration bridge row
435 of Bridge table and populated in other_config:datapath-
436 type of the Chassis table in the OVN_Southbound database.
437 iface-types from Open_vSwitch table
439 This value is populated in external_ids:iface-types of
440 the Chassis table in the OVN_Southbound database.
441 private_key, certificate, ca_cert, and bootstrap_ca_cert from
443 SSL table
444 These values provide the SSL configuration used for con‐
445 necting to the OVN southbound database server when an SSL
446 connection type is configured via exter‐
447 nal_ids:ovn-remote. Note that this SSL configuration can
448 also be provided via command-line options, the configura‐
449 tion in the database takes precedence if both are
450 present.
451
453 ovn-controller uses a number of external_ids keys in the Open vSwitch
454 database to keep track of ports and interfaces. For proper operation,
455 users should not change or clear these keys:
456 external_ids:ovn-chassis-id in the Port table
458 The presence of this key identifies a tunnel port within
459 the integration bridge as one created by ovn-controller
460 to reach a remote chassis. Its value is the chassis ID of
461 the remote chassis.
462 external_ids:ct-zone-* in the Bridge table
464 Logical ports and gateway routers are assigned a connec‐
465 tion tracking zone by ovn-controller for stateful ser‐
466 vices. To keep state across restarts of ovn-controller,
467 these keys are stored in the integration bridge’s Bridge
468 table. The name contains a prefix of ct-zone- followed by
469 the name of the logical port or gateway router’s zone
470 key. The value for this key identifies the zone used for
471 this port.
472 external_ids:ovn-localnet-port in the Port table
474 The presence of this key identifies a patch port as one
475 created by ovn-controller to connect the integration
476 bridge and another bridge to implement a localnet logical
477 port. Its value is the name of the logical port with type
478 set to localnet that the port implements. See exter‐
479 nal_ids:ovn-bridge-mappings, above, for more information.
480 Each localnet logical port is implemented as a pair of
482 patch ports, one in the integration bridge, one in a dif‐
483 ferent bridge, with the same external_ids:ovn-local‐
484 net-port value.
485 external_ids:ovn-l2gateway-port in the Port table
487 The presence of this key identifies a patch port as one
488 created by ovn-controller to connect the integration
489 bridge and another bridge to implement a l2gateway logi‐
490 cal port. Its value is the name of the logical port with
491 type set to l2gateway that the port implements. See
492 external_ids:ovn-bridge-mappings, above, for more infor‐
493 mation.
494 Each l2gateway logical port is implemented as a pair of
496 patch ports, one in the integration bridge, one in a dif‐
497 ferent bridge, with the same external_ids:ovn-l2gate‐
498 way-port value.
499 external-ids:ovn-l3gateway-port in the Port table
501 This key identifies a patch port as one created by
502 ovn-controller to implement a l3gateway logical port. Its
503 value is the name of the logical port with type set to
504 l3gateway. This patch port is similar to the OVN logical
505 patch port, except that l3gateway port can only be bound
506 to a paticular chassis.
507 external-ids:ovn-logical-patch-port in the Port table
509 This key identifies a patch port as one created by
510 ovn-controller to implement an OVN logical patch port
511 within the integration bridge. Its value is the name of
512 the OVN logical patch port that it implements.
513 external-ids:ovn-nb-cfg in the Bridge table
515 This key represents the last known OVN_South‐
516 bound.SB_Global.nb_cfg value for which all flows have
517 been successfully installed in OVS.
518
520 ovn-controller reads from much of the OVN_Southbound database to guide
521 its operation. ovn-controller also writes to the following tables:
522 Chassis
524 Upon startup, ovn-controller creates a row in this table
525 to represent its own chassis. Upon graceful termination,
526 e.g. with ovs-appctl -t ovn-controller exit (but not
527 SIGTERM), ovn-controller removes its row.
528 Encap Upon startup, ovn-controller creates a row or rows in
530 this table that represent the tunnel encapsulations by
531 which its chassis can be reached, and points its Chassis
532 row to them. Upon graceful termination, ovn-controller
533 removes these rows.
534 Port_Binding
536 At runtime, ovn-controller sets the chassis columns of
537 ports that are resident on its chassis to point to its
538 Chassis row, and, conversely, clears the chassis column
539 of ports that point to its Chassis row but are no longer
540 resident on its chassis. The chassis column has a weak
541 reference type, so when ovn-controller gracefully exits
542 and removes its Chassis row, the database server automat‐
543 ically clears any remaining references to that row.
544 MAC_Binding
546 At runtime, ovn-controller updates the MAC_Binding table
547 as instructed by put_arp and put_nd logical actions.
548 These changes persist beyond the lifetime of ovn-con‐
549 troller.
550
552 ovs-appctl can send commands to a running ovn-controller process. The
553 currently supported commands are described below.
554 exit Causes ovn-controller to gracefully terminate.
556 ct-zone-list
558 Lists each local logical port and its connection tracking
559 zone.
560 meter-table-list
562 Lists each meter table entry and its local meter id.
563 group-table-list
565 Lists each group table entry and its local group id.
566 inject-pkt microflow
568 Injects microflow into the connected Open vSwitch
569 instance. microflow must contain an ingress logical port
570 (inport argument) that is present on the Open vSwitch
571 instance.
572 The microflow argument describes the packet whose for‐
574 warding is to be simulated, in the syntax of an OVN logi‐
575 cal expression, as described in ovn-sb(5), to express
576 constraints. The parser understands prerequisites; for
577 example, if the expression refers to ip4.src, there is no
578 need to explicitly state ip4 or eth.type == 0x800.
579 connection-status
581 Show OVN SBDB connection status for the chassis.
582 recompute
584 Trigger a full compute iteration in ovn-controller based
585 on the contents of the Southbound database and local OVS
586 database.
587 This command is intended to use only in the event of a
589 bug in the incremental processing engine in ovn-con‐
590 troller to avoid inconsistent states. It should therefore
591 be used with care as full recomputes are cpu intensive.
592 sb-cluster-state-reset
594 Reset southbound database cluster status when databases
595 are destroyed and rebuilt.
596 If all databases in a clustered southbound database are
598 removed from disk, then the stored index of all databases
599 will be reset to zero. This will cause ovn-controller to
600 be unable to read or write to the southbound database,
601 because it will always detect the data as stale. In such
602 a case, run this command so that ovn-controller will
603 reset its local index so that it can interact with the
604 southbound database again.
605 debug/delay-nb-cfg-report seconds
607 This command is used to delay ovn-controller updating the
608 nb_cfg back to OVN_Southbound database. This is useful
609 when ovn-nbctl --wait=hv is used to measure end-to-end
610 latency in a large scale environment. See ovn-nbctl(8)
611 for more details.
612OVN 20.12.0 ovn-controller ovn-controller(8)