1OVSDB-SERVER(7)                  Open vSwitch                  OVSDB-SERVER(7)
2
3
4

NAME

6       ovsdb-server - Open vSwitch Database Server Protocol
7

DESCRIPTION

9       ovsdb-server  implements  the  Open  vSwitch  Database (OVSDB) protocol
10       specified in RFC 7047.  This document provides clarifications  for  how
11       ovsdb-server  implements the protocol and describes the extensions that
12       it provides beyond RFC 7047.  Numbers in section headings refer to cor‐
13       responding sections in RFC 7047.
14
15   3.1 JSON Usage
16       RFC  4627  says  that names within a JSON object should be unique.  The
17       Open vSwitch JSON parser discards all but the last  value  for  a  name
18       that is specified more than once.
19
20       The  definition  of <error> allows for implementation extensions.  Cur‐
21       rently ovsdb-server uses the following additional error strings  (which
22       might change in later releases):
23
24       syntax error or unknown column
25              The  request  could not be parsed as an OVSDB request.  An addi‐
26              tional syntax member, whose value  is  a  string  that  contains
27              JSON,  may  narrow  down the particular syntax that could not be
28              parsed.
29
30       internal error
31              The request triggered a bug in ovsdb-server.
32
33       ovsdb error
34              A map or set contains a duplicate key.
35
36       permission error
37              The request was denied by the role-based access  control  exten‐
38              sion, introduced in version 2.8.
39
40   3.2 Schema Format
41       RFC 7047 requires the version field in <database-schema>.  Current ver‐
42       sions of ovsdb-server allow it  to  be  omitted  (future  versions  are
43       likely to require it).
44
45       RFC  7047  allows columns that contain weak references to be immutable.
46       This raises the issue of the behavior of the weak  reference  when  the
47       rows  that  it references are deleted.  Since version 2.6, ovsdb-server
48       forces columns that contain weak references to be mutable.
49
50       Since version 2.8, the table name RBAC_Role is used internally  by  the
51       role-based  access  control extension to ovsdb-server and should not be
52       used for purposes other than defining mappings of role names  to  table
53       access  permissions.  This table has one row per role name and the fol‐
54       lowing columns:
55
56       name   The role name.
57
58       permissions
59              A map of table name to a reference to a row in a  separate  per‐
60              mission table.
61
62       The  separate RBAC permission table has one row per access control con‐
63       figuration and the following columns:
64
65       name   The name of the table to which the row applies.
66
67       authorization
68              The set of column names and column:key pairs to be compared with
69              the  client ID in order to determine the authorization status of
70              the requested operation.
71
72       insert_delete
73              A boolean value, true if authorized insertions and deletions are
74              allowed, false if no insertions or deletions are allowed.
75
76       update The set of columns and column:key pairs for which authorized up‐
77              date and mutate operations should be permitted.
78
79   4 Wire Protocol
80       The original OVSDB specifications included the following reasons, omit‐
81       ted  from  RFC 7047, to operate JSON-RPC directly over a stream instead
82       of over HTTP:
83
84       • JSON-RPC is a peer-to-peer protocol, but HTTP is a client-server pro‐
85         tocol,  which is a poor match.  Thus, JSON-RPC over HTTP requires the
86         client to periodically poll the server to receive server requests.
87
88       • HTTP is more complicated than stream connections and doesn’t  provide
89         any corresponding advantage.
90
91       • The JSON-RPC specification for HTTP transport is incomplete.
92
93   4.1.3 Transact
94       Since  version 2.8, role-based access controls can be applied to opera‐
95       tions within a transaction that would modify the contents of the  data‐
96       base  (these  operations include row insert, row delete, column update,
97       and column mutate). Role-based access controls  are  applied  when  the
98       database  schema  contains a table with the name RBAC_Role and the con‐
99       nection on which the transaction request was received has an associated
100       role  name  (from the role column in the remote connection table). When
101       role-based access controls are enabled, transactions that are otherwise
102       well-formed may be rejected depending on the client’s role, ID, and the
103       contents of the RBAC_Role table and associated permissions table.
104
105   4.1.5 Monitor
106       For backward compatibility, ovsdb-server  currently  permits  a  single
107       <monitor-request>  to  be  used instead of an array; it is treated as a
108       single-element array.  Future versions  of  ovsdb-server  might  remove
109       this compatibility feature.
110
111       Because  the  <json-value> parameter is used to match subsequent update
112       notifications (see below) to the request, it must be unique  among  all
113       active  monitors.   ovsdb-server rejects attempt to create two monitors
114       with the same identifier.
115
116       When a given client sends a transact request that changes a table  that
117       the same client is monitoring, ovsdb-server always sends the update (or
118       update2 or update3) for these changes before it sends the reply to  the
119       transact  request.   Thus,  when a client receives a transact reply, it
120       can know immediately what changes (if any) the transaction  made.   (If
121       ovsdb-server  might  use  the other order, then a client that wishes to
122       act on based on the results of its own transactions would not know when
123       this was guaranteed to have taken place.)
124
125   4.1.7 Monitor Cancellation
126       When  a database monitored by a session is removed, and database change
127       awareness is enabled for the session (see Section 4.1.16), the database
128       server  spontaneously cancels all monitors (including conditional moni‐
129       tors described in Section 4.1.12) for the removed database.   For  each
130       canceled monitor, it issues a notification in the following form:
131
132          "method": "monitor_canceled"
133          "params": [<json-value>]
134          "id": null
135
136   4.1.12 Monitor_cond
137       A  new  monitor  method  added  in Open vSwitch version 2.6.  The moni‐
138       tor_cond request enables a client to replicate subsets of tables within
139       an OVSDB database by requesting notifications of changes to rows match‐
140       ing one of the conditions specified in where by receiving the specified
141       contents of these rows when table updates occur.  monitor_cond also al‐
142       lows a more efficient  update  notifications  by  receiving  <table-up‐
143       dates2> notifications (described below).
144
145       The  monitor  method  described  in Section 4.1.5 also applies to moni‐
146       tor_cond, with the following exceptions:
147
148       • RPC request method becomes monitor_cond.
149
150       • Reply result follows <table-updates2>, described in Section 4.1.14.
151
152       • Subsequent changes are sent to the client using the  update2  monitor
153         notification, described in Section 4.1.14
154
155       • Update  notifications  are being sent only for rows matching [<condi‐
156         tion>*].
157
158       The request object has the following members:
159
160          "method": "monitor_cond"
161          "params": [<db-name>, <json-value>, <monitor-cond-requests>]
162          "id": <nonnull-json-value>
163
164       The <json-value> parameter is used to match subsequent update notifica‐
165       tions  (see below) to this request.  The <monitor-cond-requests> object
166       maps the name of the table to an array of <monitor-cond-request>.
167
168       Each <monitor-cond-request> is an object with the following members:
169
170          "columns": [<column>*]            optional
171          "where": [<condition>*]           optional
172          "select": <monitor-select>        optional
173
174       The columns, if present, define the columns within the table to be mon‐
175       itored  that  match  conditions.  If not present, all columns are moni‐
176       tored.
177
178       The where, if present, is a JSON array of <condition> and boolean  val‐
179       ues.  If not present or condition is an empty array, implicit True will
180       be considered and updates on all rows will be sent.
181
182       <monitor-select> is an object with the following members:
183
184          "initial": <boolean>              optional
185          "insert": <boolean>               optional
186          "delete": <boolean>               optional
187          "modify": <boolean>               optional
188
189       The contents of this object specify how the columns or table are to  be
190       monitored as explained in more detail below.
191
192       The response object has the following members:
193
194          "result": <table-updates2>
195          "error": null
196          "id": same "id" as request
197
198       The  <table-updates2>  object is described in detail in Section 4.1.14.
199       It contains the contents of the tables for which initial rows  are  se‐
200       lected.  If no tables initial contents are requested, then result is an
201       empty object.
202
203       Subsequently, when changes to a specified table that match one  of  the
204       conditions in <monitor-cond-request> are committed, the changes are au‐
205       tomatically sent to the client using the update2  monitor  notification
206       (see Section 4.1.14).  This monitoring persists until the JSON-RPC ses‐
207       sion terminates or until the client sends a monitor_cancel JSON-RPC re‐
208       quest.
209
210       Each  <monitor-cond-request>  specifies  one or more conditions and the
211       manner in which the rows that match the conditions are to be monitored.
212       The  circumstances  in  which  an update notification is sent for a row
213       within the table are determined by <monitor-select>:
214
215       • If initial is omitted or true, every row in the original  table  that
216         matches  one of the conditions is sent as part of the response to the
217         monitor_cond request.
218
219       • If insert is omitted or true, update notifications are sent for  rows
220         newly inserted into the table that match conditions or for rows modi‐
221         fied in the table so that their old version does not match the condi‐
222         tion and new version does.
223
224       • If  delete is omitted or true, update notifications are sent for rows
225         deleted from the table that match conditions or for rows modified  in
226         the table so that their old version does match the conditions and new
227         version does not.
228
229       • If modify is omitted or true, update notifications are sent  whenever
230         a  row  in the table that matches conditions in both old and new ver‐
231         sion is modified.
232
233       Both monitor and monitor_cond sessions can exist concurrently. However,
234       monitor  and monitor_cond shares the same <json-value> parameter space;
235       it must be unique among all monitor and monitor_cond sessions.
236
237   4.1.13 Monitor_cond_change
238       The monitor_cond_change request enables a client to change an  existing
239       monitor_cond  replication of the database by specifying a new condition
240       and columns for each replicated table.  Currently changing the  columns
241       set is not supported.
242
243       The request object has the following members:
244
245          "method": "monitor_cond_change"
246          "params": [<json-value>, <json-value>, <monitor-cond-update-requests>]
247          "id": <nonnull-json-value>
248
249       The  <json-value>  parameter  should have a value of an existing condi‐
250       tional monitoring session from this client. The second <json-value>  in
251       params  array  is  the  requested value for this session. This value is
252       valid only after monitor_cond_change is committed. A user can use these
253       values  to distinguish between update messages before conditions update
254       and after. The <monitor-cond-update-requests> object maps the  name  of
255       the  table to an array of <monitor-cond-update-request>.  Monitored ta‐
256       bles not included in <monitor-cond-update-requests> retain  their  cur‐
257       rent conditions.
258
259       Each <monitor-cond-update-request> is an object with the following mem‐
260       bers:
261
262          "columns": [<column>*]         optional
263          "where": [<condition>*]        optional
264
265       The columns specify a new array of columns to  be  monitored,  although
266       this feature is not yet supported.
267
268       The where specify a new array of conditions to be applied to this moni‐
269       toring session.
270
271       The response object has the following members:
272
273          "result": null
274          "error": null
275          "id": same "id" as request
276
277       Subsequent <table-updates2> notifications are described  in  detail  in
278       Section  4.1.14 in the RFC.  If insert contents are requested by origi‐
279       nal monitor_cond request, <table-updates2> will contain rows that match
280       the  new condition and do not match the old condition.  If deleted con‐
281       tents are requested by origin monitor  request,  <table-updates2>  will
282       contain  any  matched  rows by old condition and not matched by the new
283       condition.
284
285       Changes according to the new conditions are automatically sent  to  the
286       client  using  the update2 or update3 monitor notification depending on
287       the monitor method.  An update, if any, as  a  result  of  a  condition
288       change,  will  be  sent  to  the  client  before the reply to the moni‐
289       tor_cond_change request.
290
291   4.1.14 Update2 notification
292       The update2 notification is sent by the server to the client to  report
293       changes in tables that are being monitored following a monitor_cond re‐
294       quest as described above. The notification has the following members:
295
296          "method": "update2"
297          "params": [<json-value>, <table-updates2>]
298          "id": null
299
300       The <json-value> in params is the same  as  the  value  passed  as  the
301       <json-value>  in  params  for  the corresponding monitor request.  <ta‐
302       ble-updates2> is an object that maps from a table name to a  <table-up‐
303       date2>.   A <table-update2> is an object that maps from row’s UUID to a
304       <row-update2> object. A <row-update2> is an object with one of the fol‐
305       lowing members:
306
307       "initial": <row>
308              present for initial updates
309
310       "insert": <row>
311              present for insert updates
312
313       "delete": <row>
314              present for delete updates
315
316       "modify": <row>"
317              present for modify updates
318
319       The format of <row> is described in Section 5.1.
320
321       <row>  is always a null object for a delete update.  In initial and in‐
322       sert updates, <row> omits columns whose values equal the default  value
323       of the column type.
324
325       For a modify update, <row> contains only the columns that are modified.
326       <row> stores the difference between the old and  new  value  for  those
327       columns, as described below.
328
329       For  columns  with single value, the difference is the value of the new
330       column.
331
332       The difference between two sets are all elements that  only  belong  to
333       one of the sets.
334
335       The  difference between two maps are all key-value pairs whose keys ap‐
336       pears in only one of the maps, plus the key-value pairs whose keys  ap‐
337       pear  in both maps but with different values.  For the latter elements,
338       <row> includes the value from the new column.
339
340       Initial views of rows are not presented in update2  notifications,  but
341       in  the response object to the monitor_cond request.  The formatting of
342       the <table-updates2> object, however, is the same in either case.
343
344   4.1.15 Monitor_cond_since
345       A new monitor method added in Open vSwitch  version  2.12.   The  moni‐
346       tor_cond_since  request  enables  a client to request changes that hap‐
347       pened after a specific transaction id. A client can use this feature to
348       request  only latest changes after a server connection reset instead of
349       re-transfer all data from the server again.
350
351       The monitor_cond method described in Section  4.1.12  also  applies  to
352       monitor_cond_since, with the following exceptions:
353
354       • RPC request method becomes monitor_cond_since.
355
356       • Reply result includes extra parameters.
357
358       • Subsequent  changes  are sent to the client using the update3 monitor
359         notification, described in Section 4.1.16
360
361       The request object has the following members:
362
363          "method": "monitor_cond_since"
364          "params": [<db-name>, <json-value>, <monitor-cond-requests>, <last-txn-id>]
365          "id": <nonnull-json-value>
366
367       The <last-txn-id> parameter is the transaction id that  identifies  the
368       latest  data  the  client  already  has, and it requests server to send
369       changes AFTER this transaction (exclusive).
370
371       All other parameters are the same as monitor_cond method.
372
373       The response object has the following members:
374
375          "result": [<found>, <last-txn-id>, <table-updates2>]
376          "error": null
377          "id": same "id" as request
378
379       The <found> is a boolean value that  tells  if  the  <last-txn-id>  re‐
380       quested  by  client  is  found in server’s history or not. If true, the
381       changes after that version up to current is sent. Otherwise,  all  data
382       is sent.
383
384       The  <last-txn-id>  is  the  transaction  id that identifies the latest
385       transaction included in the changes in  <table-updates2>  of  this  re‐
386       sponse,  so  that  client can keep tracking.  If there is no change in‐
387       volved in this response, it is the same as the <last-txn-id> in the re‐
388       quest  if  <found>  is  true, or zero uuid if <found> is false.  If the
389       server does not support transaction uuid, it will be zero uuid as well.
390
391       All other parameters are the same as in response object of monitor_cond
392       method.
393
394       Like in monitor_cond, subsequent changes that match conditions in <mon‐
395       itor-cond-request> are automatically sent to the client, but using  up‐
396       date3 monitor notification (see Section 4.1.16), instead of update2.
397
398   4.1.16 Update3 notification
399       The  update3 notification is sent by the server to the client to report
400       changes  in  tables  that  are  being  monitored  following   a   moni‐
401       tor_cond_since  request  as  described  above. The notification has the
402       following members:
403
404          "method": "update3"
405          "params": [<json-value>, <last-txn-id>, <table-updates2>]
406          "id": null
407
408       The <last-txn-id> is the same as described in the  response  object  of
409       monitor_cond_since.
410
411       All  other  parameters  are the same as in update2 monitor notification
412       (see Section 4.1.14).
413
414   4.1.17 Get Server ID
415       A new RPC method added in Open vSwitch version 2.7.  The  request  con‐
416       tains the following members:
417
418          "method": "get_server_id"
419          "params": null
420          "id": <nonnull-json-value>
421
422       The response object contains the following members:
423
424          "result": "<server_id>"
425          "error": null
426          "id": same "id" as request
427
428       <server_id>  is  JSON string that contains a UUID that uniquely identi‐
429       fies the running OVSDB server process.  A fresh UUID is generated  when
430       the process restarts.
431
432   4.1.18 Database Change Awareness
433       RFC  7047  does  not  provide a way for a client to find out about some
434       kinds of configuration changes, such as about databases  added  or  re‐
435       moved  while a client is connected to the server, or databases changing
436       between read/write and read-only due to a transition between active and
437       backup  roles.   Traditionally,  ovsdb-server  disconnects  all  of its
438       clients when this happens, because this prompts a  well-written  client
439       to reassess what is available from the server when it reconnects.
440
441       OVS  2.9  provides  a  way  for clients to keep track of these kinds of
442       changes, by monitoring the Database table in the _Server  database  in‐
443       troduced in this release (see ovsdb-server(5) for details).  By itself,
444       this does not suppress ovsdb-server disconnection behavior,  because  a
445       client  might  monitor  this database without understanding its special
446       semantics.  Instead, ovsdb-server provides a special request:
447
448          "method": "set_db_change_aware"
449          "params": [<boolean>]
450          "id": <nonnull-json-value>
451
452       If the boolean in the  request  is  true,  it  suppresses  the  connec‐
453       tion-closing  behavior  for  the current connection, and false restores
454       the default behavior.  The reply is always the same:
455
456          "result": {}
457          "error": null
458          "id": same "id" as request
459
460   4.1.19 Schema Conversion
461       Open vSwitch 2.9 adds a new JSON-RPC request to convert an online data‐
462       base  from  one  schema to another.  The request contains the following
463       members:
464
465          "method": "convert"
466          "params": [<db-name>, <database-schema>]
467          "id": <nonnull-json-value>
468
469       Upon receipt, the server converts database <db-name> to  schema  <data‐
470       base-schema>.   The schema’s name must be <db-name>.  The conversion is
471       atomic, consistent, isolated, and durable.  The data  in  the  database
472       must  be  valid when interpreted under <database-schema>, with only one
473       exception: data for tables and columns that do not  exist  in  the  new
474       schema are ignored.  Columns that exist in <database-schema> but not in
475       the database are set to their default values.  All of the new  schema’s
476       constraints apply in full.
477
478       If  the  conversion is successful, the server notifies clients that use
479       the set_db_change_aware RPC introduced in Open vSwitch 2.9 and  cancels
480       their  outstanding  transactions  and monitors.  The server disconnects
481       other clients, enabling them to notice the change when they  reconnect.
482       The server sends the following reply:
483
484          "result": {}
485          "error": null
486          "id": same "id" as request
487
488       If  the  conversion  fails, then the server sends an error reply in the
489       following form:
490
491          "result": null
492          "error": [<error>]
493          "id": same "id" as request
494
495   5.1 Notation
496       For <condition>, RFC 7047 only allows the use of !=, ==, includes,  and
497       excludes  operators  with set types.  Open vSwitch 2.4 and later extend
498       <condition> to allow the use of <, <=, >=, and > operators with a  col‐
499       umn with type “set of 0 or 1 integer” and an integer argument, and with
500       “set of 0 or 1 real” and a real argument.  These conditions evaluate to
501       false  when the column is empty, and otherwise as described in RFC 7047
502       for integer and real types.
503
504       <condition> is specified in Section 5.1 in the RFC with  the  following
505       change:  A  condition can be either a 3-element JSON array as described
506       in the RFC or a boolean value. In case of an empty  array  an  implicit
507       true boolean value will be considered.
508
509   5.2.1 Insert
510       As  an  extension,  Open  vSwitch 2.13 and later allow an optional uuid
511       member to specify the UUID for the new row.  The specified UUID must be
512       unique  within  the table when it is inserted and not the UUID of a row
513       previously deleted within the transaction.  If the UUID violates  these
514       rules, then the operation fails with a duplicate uuid error.
515
516   5.2.6 Wait, 5.2.7 Commit, 5.2.9 Comment
517       RFC  7047  says  that  the wait, commit, and comment operations have no
518       corresponding result object.  This is not true.  Instead, when such  an
519       operation is successful, it yields a result object with no members.
520

AUTHOR

522       The Open vSwitch Development Community
523
525       2021, The Open vSwitch Development Community
526
527
528
529
5302.15                             Feb 21, 2021                  OVSDB-SERVER(7)
Impressum