1ovn-controller(8) OVN Manual ovn-controller(8)
2build/.PP
6
8 ovn-controller - Open Virtual Network local controller
9
11 ovn-controller [options] [ovs-database]
12
14 ovn-controller is the local controller daemon for OVN, the Open Virtual
15 Network. It connects up to the OVN Southbound database (see ovn-sb(5))
16 over the OVSDB protocol, and down to the Open vSwitch database (see
17 ovs-vswitchd.conf.db(5)) over the OVSDB protocol and to ovs-vswitchd(8)
18 via OpenFlow. Each hypervisor and software gateway in an OVN deployment
19 runs its own independent copy of ovn-controller; thus, ovn-controller’s
20 downward connections are machine-local and do not run over a physical
21 network.
22
24 ACL log messages are logged through ovn-controller’s logging mechanism.
25 ACL log entries have the module acl_log at log level info. Configuring
26 logging is described below in the Logging Options section.
27
29 Daemon Options
30 --pidfile[=pidfile]
31 Causes a file (by default, program.pid) to be created indicating
32 the PID of the running process. If the pidfile argument is not
33 specified, or if it does not begin with /, then it is created in
34 .
35 If --pidfile is not specified, no pidfile is created.
37 --overwrite-pidfile
39 By default, when --pidfile is specified and the specified pid‐
40 file already exists and is locked by a running process, the dae‐
41 mon refuses to start. Specify --overwrite-pidfile to cause it to
42 instead overwrite the pidfile.
43 When --pidfile is not specified, this option has no effect.
45 --detach
47 Runs this program as a background process. The process forks,
48 and in the child it starts a new session, closes the standard
49 file descriptors (which has the side effect of disabling logging
50 to the console), and changes its current directory to the root
51 (unless --no-chdir is specified). After the child completes its
52 initialization, the parent exits.
53 --monitor
55 Creates an additional process to monitor this program. If it
56 dies due to a signal that indicates a programming error (SIGA‐
57 BRT, SIGALRM, SIGBUS, SIGFPE, SIGILL, SIGPIPE, SIGSEGV, SIGXCPU,
58 or SIGXFSZ) then the monitor process starts a new copy of it. If
59 the daemon dies or exits for another reason, the monitor process
60 exits.
61 This option is normally used with --detach, but it also func‐
63 tions without it.
64 --no-chdir
66 By default, when --detach is specified, the daemon changes its
67 current working directory to the root directory after it de‐
68 taches. Otherwise, invoking the daemon from a carelessly chosen
69 directory would prevent the administrator from unmounting the
70 file system that holds that directory.
71 Specifying --no-chdir suppresses this behavior, preventing the
73 daemon from changing its current working directory. This may be
74 useful for collecting core files, since it is common behavior to
75 write core dumps into the current working directory and the root
76 directory is not a good directory to use.
77 This option has no effect when --detach is not specified.
79 --no-self-confinement
81 By default this daemon will try to self-confine itself to work
82 with files under well-known directories determined at build
83 time. It is better to stick with this default behavior and not
84 to use this flag unless some other Access Control is used to
85 confine daemon. Note that in contrast to other access control
86 implementations that are typically enforced from kernel-space
87 (e.g. DAC or MAC), self-confinement is imposed from the user-
88 space daemon itself and hence should not be considered as a full
89 confinement strategy, but instead should be viewed as an addi‐
90 tional layer of security.
91 --user=user:group
93 Causes this program to run as a different user specified in
94 user:group, thus dropping most of the root privileges. Short
95 forms user and :group are also allowed, with current user or
96 group assumed, respectively. Only daemons started by the root
97 user accepts this argument.
98 On Linux, daemons will be granted CAP_IPC_LOCK and
100 CAP_NET_BIND_SERVICES before dropping root privileges. Daemons
101 that interact with a datapath, such as ovs-vswitchd, will be
102 granted three additional capabilities, namely CAP_NET_ADMIN,
103 CAP_NET_BROADCAST and CAP_NET_RAW. The capability change will
104 apply even if the new user is root.
105 On Windows, this option is not currently supported. For security
107 reasons, specifying this option will cause the daemon process
108 not to start.
109 Logging Options
111 -v[spec]
112 --verbose=[spec]
113 Sets logging levels. Without any spec, sets the log level for ev‐
114 ery module and destination to dbg. Otherwise, spec is a list of
115 words separated by spaces or commas or colons, up to one from each
116 category below:
117 • A valid module name, as displayed by the vlog/list command
119 on ovs-appctl(8), limits the log level change to the speci‐
120 fied module.
121 • syslog, console, or file, to limit the log level change to
123 only to the system log, to the console, or to a file, re‐
124 spectively. (If --detach is specified, the daemon closes
125 its standard file descriptors, so logging to the console
126 will have no effect.)
127 On Windows platform, syslog is accepted as a word and is
129 only useful along with the --syslog-target option (the word
130 has no effect otherwise).
131 • off, emer, err, warn, info, or dbg, to control the log
133 level. Messages of the given severity or higher will be
134 logged, and messages of lower severity will be filtered
135 out. off filters out all messages. See ovs-appctl(8) for a
136 definition of each log level.
137 Case is not significant within spec.
139 Regardless of the log levels set for file, logging to a file will
141 not take place unless --log-file is also specified (see below).
142 For compatibility with older versions of OVS, any is accepted as a
144 word but has no effect.
145 -v
147 --verbose
148 Sets the maximum logging verbosity level, equivalent to --ver‐
149 bose=dbg.
150 -vPATTERN:destination:pattern
152 --verbose=PATTERN:destination:pattern
153 Sets the log pattern for destination to pattern. Refer to ovs-ap‐
154 pctl(8) for a description of the valid syntax for pattern.
155 -vFACILITY:facility
157 --verbose=FACILITY:facility
158 Sets the RFC5424 facility of the log message. facility can be one
159 of kern, user, mail, daemon, auth, syslog, lpr, news, uucp, clock,
160 ftp, ntp, audit, alert, clock2, local0, local1, local2, local3,
161 local4, local5, local6 or local7. If this option is not specified,
162 daemon is used as the default for the local system syslog and lo‐
163 cal0 is used while sending a message to the target provided via
164 the --syslog-target option.
165 --log-file[=file]
167 Enables logging to a file. If file is specified, then it is used
168 as the exact name for the log file. The default log file name used
169 if file is omitted is /var/log/ovn/program.log.
170 --syslog-target=host:port
172 Send syslog messages to UDP port on host, in addition to the sys‐
173 tem syslog. The host must be a numerical IP address, not a host‐
174 name.
175 --syslog-method=method
177 Specify method as how syslog messages should be sent to syslog
178 daemon. The following forms are supported:
179 • libc, to use the libc syslog() function. Downside of using
181 this options is that libc adds fixed prefix to every mes‐
182 sage before it is actually sent to the syslog daemon over
183 /dev/log UNIX domain socket.
184 • unix:file, to use a UNIX domain socket directly. It is pos‐
186 sible to specify arbitrary message format with this option.
187 However, rsyslogd 8.9 and older versions use hard coded
188 parser function anyway that limits UNIX domain socket use.
189 If you want to use arbitrary message format with older
190 rsyslogd versions, then use UDP socket to localhost IP ad‐
191 dress instead.
192 • udp:ip:port, to use a UDP socket. With this method it is
194 possible to use arbitrary message format also with older
195 rsyslogd. When sending syslog messages over UDP socket ex‐
196 tra precaution needs to be taken into account, for example,
197 syslog daemon needs to be configured to listen on the spec‐
198 ified UDP port, accidental iptables rules could be inter‐
199 fering with local syslog traffic and there are some secu‐
200 rity considerations that apply to UDP sockets, but do not
201 apply to UNIX domain sockets.
202 • null, to discard all messages logged to syslog.
204 The default is taken from the OVS_SYSLOG_METHOD environment vari‐
206 able; if it is unset, the default is libc.
207 PKI Options
209 PKI configuration is required in order to use SSL for the connections
210 to the Northbound and Southbound databases.
211 -p privkey.pem
213 --private-key=privkey.pem
214 Specifies a PEM file containing the private key used as
215 identity for outgoing SSL connections.
216 -c cert.pem
218 --certificate=cert.pem
219 Specifies a PEM file containing a certificate that certi‐
220 fies the private key specified on -p or --private-key to be
221 trustworthy. The certificate must be signed by the certifi‐
222 cate authority (CA) that the peer in SSL connections will
223 use to verify it.
224 -C cacert.pem
226 --ca-cert=cacert.pem
227 Specifies a PEM file containing the CA certificate for ver‐
228 ifying certificates presented to this program by SSL peers.
229 (This may be the same certificate that SSL peers use to
230 verify the certificate specified on -c or --certificate, or
231 it may be a different one, depending on the PKI design in
232 use.)
233 -C none
235 --ca-cert=none
236 Disables verification of certificates presented by SSL
237 peers. This introduces a security risk, because it means
238 that certificates cannot be verified to be those of known
239 trusted hosts.
240 --bootstrap-ca-cert=cacert.pem
242 When cacert.pem exists, this option has the same effect
243 as -C or --ca-cert. If it does not exist, then the exe‐
244 cutable will attempt to obtain the CA certificate from
245 the SSL peer on its first SSL connection and save it to
246 the named PEM file. If it is successful, it will immedi‐
247 ately drop the connection and reconnect, and from then on
248 all SSL connections must be authenticated by a certifi‐
249 cate signed by the CA certificate thus obtained.
250 This option exposes the SSL connection to a man-in-the-
252 middle attack obtaining the initial CA certificate, but
253 it may be useful for bootstrapping.
254 This option is only useful if the SSL peer sends its CA
256 certificate as part of the SSL certificate chain. The SSL
257 protocol does not require the server to send the CA cer‐
258 tificate.
259 This option is mutually exclusive with -C and --ca-cert.
261 --peer-ca-cert=peer-cacert.pem
263 Specifies a PEM file that contains one or more additional
264 certificates to send to SSL peers. peer-cacert.pem should
265 be the CA certificate used to sign the program’s own cer‐
266 tificate, that is, the certificate specified on -c or
267 --certificate. If the program’s certificate is self-
268 signed, then --certificate and --peer-ca-cert should
269 specify the same file.
270 This option is not useful in normal operation, because
272 the SSL peer must already have the CA certificate for the
273 peer to have any confidence in the program’s identity.
274 However, this offers a way for a new installation to
275 bootstrap the CA certificate on its first SSL connection.
276 Other Options
278 -h
279 --help
280 Prints a brief help message to the console.
281 -V
283 --version
284 Prints version information to the console.
285
287 ovn-controller retrieves most of its configuration information from the
288 local Open vSwitch’s ovsdb-server instance. The default location is
289 db.sock in the local Open vSwitch’s "run" directory. It may be overrid‐
290 den by specifying the ovs-database argument as an OVSDB active or pas‐
291 sive connection method, as described in ovsdb(7).
292 ovn-controller assumes it gets configuration information from the fol‐
294 lowing keys in the Open_vSwitch table of the local OVS instance:
295 external_ids:system-id
297 The chassis name to use in the Chassis table. Changing
298 the system-id while ovn-controller is running is not di‐
299 rectly supported. Users have two options: either first
300 gracefully stop ovn-controller or manually delete the
301 stale Chassis and Chassis_Private records after changing
302 the system-id.
303 external_ids:hostname
305 The hostname to use in the Chassis table.
306 external_ids:ovn-bridge
308 The integration bridge to which logical ports are at‐
309 tached. The default is br-int. If this bridge does not
310 exist when ovn-controller starts, it will be created au‐
311 tomatically with the default configuration suggested in
312 ovn-architecture(7).
313 external_ids:ovn-bridge-datapath-type
315 This configuration is optional. If set, then the datapath
316 type of the integration bridge will be set to the config‐
317 ured value. If this option is not set, then ovn-con‐
318 troller will not modify the existing datapath-type of the
319 integration bridge.
320 external_ids:ovn-remote
322 The OVN database that this system should connect to for
323 its configuration, in one of the same forms documented
324 above for the ovs-database.
325 external_ids:ovn-monitor-all
327 A boolean value that tells if ovn-controller should moni‐
328 tor all records of tables in ovs-database. If set to
329 false, it will conditionally monitor the records that is
330 needed in the current chassis.
331 It is more optimal to set it to true in use cases when
333 the chassis would anyway need to monitor most of the
334 records in ovs-database, which would save the overhead of
335 conditions processing, especially for server side. Typi‐
336 cally, set it to true for environments that all workloads
337 need to be reachable from each other.
338 Default value is false.
340 external_ids:ovn-remote-probe-interval
342 The inactivity probe interval of the connection to the
343 OVN database, in milliseconds. If the value is zero, it
344 disables the connection keepalive feature.
345 If the value is nonzero, then it will be forced to a
347 value of at least 1000 ms.
348 external_ids:ovn-openflow-probe-interval
350 The inactivity probe interval of the OpenFlow connection
351 to the OpenvSwitch integration bridge, in seconds. If the
352 value is zero, it disables the connection keepalive fea‐
353 ture.
354 If the value is nonzero, then it will be forced to a
356 value of at least 5s.
357 external_ids:ovn-encap-type
359 The encapsulation type that a chassis should use to con‐
360 nect to this node. Multiple encapsulation types may be
361 specified with a comma-separated list. Each listed encap‐
362 sulation type will be paired with ovn-encap-ip.
363 Supported tunnel types for connecting hypervisors are
365 geneve and stt. Gateways may use geneve, vxlan, or stt.
366 Due to the limited amount of metadata in vxlan, the capa‐
368 bilities and performance of connected gateways will be
369 reduced versus other tunnel formats.
370 external_ids:ovn-encap-ip
372 The IP address that a chassis should use to connect to
373 this node using encapsulation types specified by exter‐
374 nal_ids:ovn-encap-type.
375 external_ids:ovn-bridge-mappings
377 A list of key-value pairs that map a physical network
378 name to a local ovs bridge that provides connectivity to
379 that network. An example value mapping two physical net‐
380 work names to two ovs bridges would be: phys‐
381 net1:br-eth0,physnet2:br-eth1.
382 external_ids:ovn-encap-csum
384 ovn-encap-csum indicates that encapsulation checksums can
385 be transmitted and received with reasonable performance.
386 It is a hint to senders transmitting data to this chassis
387 that they should use checksums to protect OVN metadata.
388 Set to true to enable or false to disable. Depending on
389 the capabilities of the network interface card, enabling
390 encapsulation checksum may incur performance loss. In
391 such cases, encapsulation checksums can be disabled.
392 external_ids:ovn-cms-options
394 A list of options that will be consumed by the CMS Plugin
395 and which specific to this particular chassis. An example
396 would be: cms_option1,cms_option2:foo.
397 external_ids:ovn-transport-zones
399 The transport zone(s) that this chassis belongs to.
400 Transport zones is a way to group different chassis so
401 that tunnels are only formed between members of the same
402 group(s). Multiple transport zones may be specified with
403 a comma-separated list. For example: tz1,tz2,tz3.
404 If not set, the Chassis will be considered part of a de‐
406 fault transport zone.
407 external_ids:ovn-chassis-mac-mappings
409 A list of key-value pairs that map a chassis specific mac
410 to a physical network name. An example value mapping two
411 chassis macs to two physical network names would be:
412 physnet1:aa:bb:cc:dd:ee:ff,physnet2:a1:b2:c3:d4:e5:f6.
413 These are the macs that ovn-controller will replace a
414 router port mac with, if packet is going from a distrib‐
415 uted router port on vlan type logical switch.
416 external_ids:ovn-is-interconn
418 The boolean flag indicates if the chassis is used as an
419 interconnection gateway.
420 external_ids:ovn-match-northd-version
422 The boolean flag indicates if ovn-controller needs to
423 check ovn-northd version. If this flag is set to true and
424 the ovn-northd’s version (reported in the Southbound
425 database) doesn’t match with the ovn-controller’s inter‐
426 nal version, then it will stop processing the southbound
427 and local Open vSwitch database changes. The default
428 value is considered false if this option is not defined.
429 external_ids:ovn-enable-lflow-cache
431 The boolean flag indicates if ovn-controller should en‐
432 able/disable the logical flow in-memory cache it uses
433 when processing Southbound database logical flow changes.
434 By default caching is enabled.
435 external_ids:ovn-limit-lflow-cache
437 When used, this configuration value determines the maxi‐
438 mum number of logical flow cache entries ovn-controller
439 may create when the logical flow cache is enabled. By de‐
440 fault the size of the cache is unlimited.
441 external_ids:ovn-memlimit-lflow-cache-kb
443 When used, this configuration value determines the maxi‐
444 mum size of the logical flow cache (in KB) ovn-controller
445 may create when the logical flow cache is enabled. By de‐
446 fault the size of the cache is unlimited.
447 ovn-controller reads the following values from the Open_vSwitch data‐
449 base of the local OVS instance:
450 datapath-type from Bridge table
452 This value is read from local OVS integration bridge row
453 of Bridge table and populated in other_config:datapath-
454 type of the Chassis table in the OVN_Southbound database.
455 iface-types from Open_vSwitch table
457 This value is populated in external_ids:iface-types of
458 the Chassis table in the OVN_Southbound database.
459 private_key, certificate, ca_cert, and bootstrap_ca_cert from
461 SSL table
462 These values provide the SSL configuration used for con‐
463 necting to the OVN southbound database server when an SSL
464 connection type is configured via external_ids:ovn-re‐
465 mote. Note that this SSL configuration can also be pro‐
466 vided via command-line options, the configuration in the
467 database takes precedence if both are present.
468
470 ovn-controller uses a number of external_ids keys in the Open vSwitch
471 database to keep track of ports and interfaces. For proper operation,
472 users should not change or clear these keys:
473 external_ids:ovn-chassis-id in the Port table
475 The presence of this key identifies a tunnel port within
476 the integration bridge as one created by ovn-controller
477 to reach a remote chassis. Its value is the chassis ID of
478 the remote chassis.
479 external_ids:ct-zone-* in the Bridge table
481 Logical ports and gateway routers are assigned a connec‐
482 tion tracking zone by ovn-controller for stateful ser‐
483 vices. To keep state across restarts of ovn-controller,
484 these keys are stored in the integration bridge’s Bridge
485 table. The name contains a prefix of ct-zone- followed by
486 the name of the logical port or gateway router’s zone
487 key. The value for this key identifies the zone used for
488 this port.
489 external_ids:ovn-localnet-port in the Port table
491 The presence of this key identifies a patch port as one
492 created by ovn-controller to connect the integration
493 bridge and another bridge to implement a localnet logical
494 port. Its value is the name of the logical port with type
495 set to localnet that the port implements. See exter‐
496 nal_ids:ovn-bridge-mappings, above, for more information.
497 Each localnet logical port is implemented as a pair of
499 patch ports, one in the integration bridge, one in a dif‐
500 ferent bridge, with the same external_ids:ovn-local‐
501 net-port value.
502 external_ids:ovn-l2gateway-port in the Port table
504 The presence of this key identifies a patch port as one
505 created by ovn-controller to connect the integration
506 bridge and another bridge to implement a l2gateway logi‐
507 cal port. Its value is the name of the logical port with
508 type set to l2gateway that the port implements. See ex‐
509 ternal_ids:ovn-bridge-mappings, above, for more informa‐
510 tion.
511 Each l2gateway logical port is implemented as a pair of
513 patch ports, one in the integration bridge, one in a dif‐
514 ferent bridge, with the same external_ids:ovn-l2gate‐
515 way-port value.
516 external-ids:ovn-l3gateway-port in the Port table
518 This key identifies a patch port as one created by
519 ovn-controller to implement a l3gateway logical port. Its
520 value is the name of the logical port with type set to
521 l3gateway. This patch port is similar to the OVN logical
522 patch port, except that l3gateway port can only be bound
523 to a paticular chassis.
524 external-ids:ovn-logical-patch-port in the Port table
526 This key identifies a patch port as one created by
527 ovn-controller to implement an OVN logical patch port
528 within the integration bridge. Its value is the name of
529 the OVN logical patch port that it implements.
530 external-ids:ovn-nb-cfg in the Bridge table
532 This key represents the last known OVN_South‐
533 bound.SB_Global.nb_cfg value for which all flows have
534 been successfully installed in OVS.
535
537 ovn-controller reads from much of the OVN_Southbound database to guide
538 its operation. ovn-controller also writes to the following tables:
539 Chassis
541 Upon startup, ovn-controller creates a row in this table
542 to represent its own chassis. Upon graceful termination,
543 e.g. with ovs-appctl -t ovn-controller exit (but not
544 SIGTERM), ovn-controller removes its row.
545 Encap Upon startup, ovn-controller creates a row or rows in
547 this table that represent the tunnel encapsulations by
548 which its chassis can be reached, and points its Chassis
549 row to them. Upon graceful termination, ovn-controller
550 removes these rows.
551 Port_Binding
553 At runtime, ovn-controller sets the chassis columns of
554 ports that are resident on its chassis to point to its
555 Chassis row, and, conversely, clears the chassis column
556 of ports that point to its Chassis row but are no longer
557 resident on its chassis. The chassis column has a weak
558 reference type, so when ovn-controller gracefully exits
559 and removes its Chassis row, the database server automat‐
560 ically clears any remaining references to that row.
561 MAC_Binding
563 At runtime, ovn-controller updates the MAC_Binding table
564 as instructed by put_arp and put_nd logical actions.
565 These changes persist beyond the lifetime of ovn-con‐
566 troller.
567
569 ovs-appctl can send commands to a running ovn-controller process. The
570 currently supported commands are described below.
571 exit Causes ovn-controller to gracefully terminate.
573 ct-zone-list
575 Lists each local logical port and its connection tracking
576 zone.
577 meter-table-list
579 Lists each meter table entry and its local meter id.
580 group-table-list
582 Lists each group table entry and its local group id.
583 inject-pkt microflow
585 Injects microflow into the connected Open vSwitch in‐
586 stance. microflow must contain an ingress logical port
587 (inport argument) that is present on the Open vSwitch in‐
588 stance.
589 The microflow argument describes the packet whose for‐
591 warding is to be simulated, in the syntax of an OVN logi‐
592 cal expression, as described in ovn-sb(5), to express
593 constraints. The parser understands prerequisites; for
594 example, if the expression refers to ip4.src, there is no
595 need to explicitly state ip4 or eth.type == 0x800.
596 connection-status
598 Show OVN SBDB connection status for the chassis.
599 recompute
601 Trigger a full compute iteration in ovn-controller based
602 on the contents of the Southbound database and local OVS
603 database.
604 This command is intended to use only in the event of a
606 bug in the incremental processing engine in ovn-con‐
607 troller to avoid inconsistent states. It should therefore
608 be used with care as full recomputes are cpu intensive.
609 sb-cluster-state-reset
611 Reset southbound database cluster status when databases
612 are destroyed and rebuilt.
613 If all databases in a clustered southbound database are
615 removed from disk, then the stored index of all databases
616 will be reset to zero. This will cause ovn-controller to
617 be unable to read or write to the southbound database,
618 because it will always detect the data as stale. In such
619 a case, run this command so that ovn-controller will re‐
620 set its local index so that it can interact with the
621 southbound database again.
622 debug/delay-nb-cfg-report seconds
624 This command is used to delay ovn-controller updating the
625 nb_cfg back to OVN_Southbound database. This is useful
626 when ovn-nbctl --wait=hv is used to measure end-to-end
627 latency in a large scale environment. See ovn-nbctl(8)
628 for more details.
629 lflow-cache/flush
631 Flushes the ovn-controller logical flow cache.
632 lflow-cache/show-stats
634 Displays logical flow cache statistics: enabled/disabled,
635 per cache type entry counts.
636 inc-engine/show-stats
638 Display ovn-controller engine counters. For each engine
639 node the following counters have been added:
640 • recompute
642 • compute
644 • abort
646 inc-engine/clear-stats
648 Reset ovn-controller engine counters.
649OVN 21.03.1 ovn-controller ovn-controller(8)