1ovn-nbctl(8)                      OVN Manual                      ovn-nbctl(8)
2
3
4

NAME

6       ovn-nbctl - Open Virtual Network northbound db management utility
7

SYNOPSIS

9       ovn-nbctl [options] command [arg...]
10

DESCRIPTION

12       The ovn-nbctl program configures the OVN_Northbound database by provid‐
13       ing a high-level interface to its configuration database. See ovn-nb(5)
14       for comprehensive documentation of the database schema.
15
16       ovn-nbctl  connects  to  an  ovsdb-server  process  that  maintains  an
17       OVN_Northbound  configuration  database.  Using  this  connection,   it
18       queries  and possibly applies changes to the database, depending on the
19       supplied commands.
20
21       ovn-nbctl can perform any number of commands in a  single  run,  imple‐
22       mented as a single atomic transaction against the database.
23
24       The  ovn-nbctl command line begins with global options (see OPTIONS be‐
25       low for details). The global options are followed by one or  more  com‐
26       mands.  Each  command  should begin with -- by itself as a command-line
27       argument, to separate it from the following commands.  (The  --  before
28       the first command is optional.) The command itself starts with command-
29       specific options, if any, followed by the command name  and  any  argu‐
30       ments.
31

DAEMON MODE

33       When  it  is invoked in the most ordinary way, ovn-nbctl connects to an
34       OVSDB server that hosts the northbound database,  retrieves  a  partial
35       copy  of  the  database that is complete enough to do its work, sends a
36       transaction request to the  server,  and  receives  and  processes  the
37       server’s  reply.  In  common  interactive use, this is fine, but if the
38       database is large, the step in which ovn-nbctl retrieves a partial copy
39       of  the  database  can  take a long time, which yields poor performance
40       overall.
41
42       To improve performance in such  a  case,  ovn-nbctl  offers  a  "daemon
43       mode,"  in  which  the user first starts ovn-nbctl running in the back‐
44       ground and afterward uses the daemon to execute operations.  Over  sev‐
45       eral  ovn-nbctl  command  invocations, this performs better overall be‐
46       cause it retrieves a copy of the database only once at  the  beginning,
47       not once per program run.
48
49       Use the --detach option to start an ovn-nbctl daemon. With this option,
50       ovn-nbctl prints the name of a control socket  to  stdout.  The  client
51       should  save this name in environment variable OVN_NB_DAEMON. Under the
52       Bourne shell this might be done like this:
53
54             export OVN_NB_DAEMON=$(ovn-nbctl --pidfile --detach)
55
56
57       When OVN_NB_DAEMON is set, ovn-nbctl  automatically  and  transparently
58       uses the daemon to execute its commands.
59
60       When  the daemon is no longer needed, kill it and unset the environment
61       variable, e.g.:
62
63             kill $(cat $OVN_RUNDIR/ovn-nbctl.pid)
64             unset OVN_NB_DAEMON
65
66
67       When using daemon mode, an alternative to the OVN_NB_DAEMON environment
68       variable  is  to  specify a path for the Unix socket. When starting the
69       ovn-nbctl daemon, specify the -u option with a full path to  the  loca‐
70       tion of the socket file. Here is an exmple:
71
72             ovn-nbctl --detach -u /tmp/mysock.ctl
73
74
75       Then  to connect to the running daemon, use the -u option with the full
76       path to the socket created when the daemon was started:
77
78             ovn-nbctl -u /tmp/mysock.ctl show
79
80
81     Daemon Commands
82
83       Daemon mode is internally implemented using the same mechanism used  by
84       ovn-appctl.  One  may  also  use ovn-appctl directly with the following
85       commands:
86
87              run [options] command [arg...] [--  [options]  command  [arg...]
88              ...]
89                     Instructs the daemon process to run one or more ovn-nbctl
90                     commands described above and reply with  the  results  of
91                     running  these  commands.  Accepts the --no-wait, --wait,
92                     --timeout, --dry-run,  --oneline,  and  the  options  de‐
93                     scribed under Table Formatting Options in addition to the
94                     the command-specific options.
95
96              exit   Causes ovn-nbctl to gracefully terminate.
97

OPTIONS

99       The options listed below affect the behavior of ovn-nbctl as  a  whole.
100       Some individual commands also accept their own options, which are given
101       just before the command name. If the first command on the command  line
102       has  options,  then those options must be separated from the global op‐
103       tions by --.
104
105       ovn-nbctl also accepts options from the  OVN_NBCTL_OPTIONS  environment
106       variable,  in  the same format as on the command line. Options from the
107       command line override those in the environment.
108
109              --no-wait | --wait=none
110              --wait=sb
111              --wait=hv
112                   These options control whether and how ovn-nbctl  waits  for
113                   the OVN system to become up-to-date with changes made in an
114                   ovn-nbctl invocation.
115
116                   By default, or if --no-wait or --wait=none, ovn-nbctl exits
117                   immediately after confirming that changes have been commit‐
118                   ted to the northbound database, without waiting.
119
120                   With  --wait=sb,  before  ovn-nbctl  exits,  it  waits  for
121                   ovn-northd to bring the southbound database up-to-date with
122                   the northbound database updates.
123
124                   With --wait=hv, before  ovn-nbctl  exits,  it  additionally
125                   waits for all OVN chassis (hypervisors and gateways) to be‐
126                   come up-to-date with the northbound database updates. (This
127                   can  become  an  indefinite wait if any chassis is malfunc‐
128                   tioning.)
129
130                   Ordinarily, --wait=sb or --wait=hv only waits  for  changes
131                   by  the  current  ovn-nbctl invocation to take effect. This
132                   means that, if none of the commands supplied  to  ovn-nbctl
133                   change the database, then the command does not wait at all.
134                   Use the sync command to override this behavior.
135
136              --db database
137                   The OVSDB database remote to contact. If the OVN_NB_DB  en‐
138                   vironment  variable  is  set,  its value is used as the de‐
139                   fault. Otherwise, the default is  unix:/ovnnb_db.sock,  but
140                   this default is unlikely to be useful outside of single-ma‐
141                   chine OVN test environments.
142
143              --leader-only
144              --no-leader-only
145                   By default, or with --leader-only, when the database server
146                   is a clustered database, ovn-nbctl will avoid servers other
147                   than the cluster leader. This ensures that  any  data  that
148                   ovn-nbctl   reads   and   reports   is   up-to-date.   With
149                   --no-leader-only, ovn-nbctl will  use  any  server  in  the
150                   cluster, which means that for read-only transactions it can
151                   report and act on stale data (transactions that modify  the
152                   database are always serialized even with --no-leader-only).
153                   Refer to Understanding Cluster Consistency in ovsdb(7)  for
154                   more information.
155
156              --shuffle-remotes
157              --no-shuffle-remotes
158                   By  default, or with --shuffle-remotes, when there are mul‐
159                   tiple remotes specified  in  the  OVSDB  connection  string
160                   specified  by  --db  or the OVN_NB_DB environment variable,
161                   the order of the remotes will be shuffled before the client
162                   tries to connect. The remotes will be shuffled only once to
163                   a new order before the first connection attempt.  The  fol‐
164                   lowing retries, if any, will follow the same new order. The
165                   default behavior is to make sure  clients  of  a  clustered
166                   database  can  distribute  evenly  to  all memembers of the
167                   cluster. With --no-shuffle-remotes, ovn-nbctl will use  the
168                   original  order  specified in the connection string to con‐
169                   nect. This allows user  to  specify  the  preferred  order,
170                   which is particularly useful for testing.
171
172              --no-syslog
173                   By default, ovn-nbctl logs its arguments and the details of
174                   any changes that it makes to the system  log.  This  option
175                   disables this logging.
176
177                   This option is equivalent to --verbose=nbctl:syslog:warn.
178
179              --oneline
180                   Modifies the output format so that the output for each com‐
181                   mand is printed on a single line. New-line characters  that
182                   would  otherwise  separate  lines are printed as \fB\\n\fR,
183                   and any instances of \fB\\\fR that would  otherwise  appear
184                   in  the  output  are  doubled. Prints a blank line for each
185                   command that has no output. This option does not affect the
186                   formatting  of  output  from the list or find commands; see
187                   Table Formatting Options below.
188
189              --dry-run
190                   Prevents ovn-nbctl from actually modifying the database.
191
192              -t secs
193              --timeout=secs
194                   By default, or with a secs of 0,  ovn-nbctl  waits  forever
195                   for  a  response from the database. This option limits run‐
196                   time to approximately secs seconds. If the timeout expires,
197                   ovn-nbctl will exit with a SIGALRM signal. (A timeout would
198                   normally happen only if the database cannot  be  contacted,
199                   or if the system is overloaded.)
200
201              --print-wait-time
202                   When  --wait is specified, the option --print-wait-time can
203                   be used to print the time spent on  waiting,  depending  on
204                   the  value  specified  in   --wait  option. If --wait=sb is
205                   specified, it prints "ovn-northd delay before  processing",
206                   which  is  the time between the Northbound DB update by the
207                   command and the moment when  ovn-northd  starts  processing
208                   the  update, and "ovn-northd completion", which is the time
209                   between the  Northbound  DB  update  and  the  moment  when
210                   ovn-northd  completes  the  Southbound DB updating success‐
211                   fully. If --wait=hv is specified, in addition to the  above
212                   information, it also prints "ovn-controller(s) completion",
213                   which is the time between the Northbound DB update and  the
214                   moment  when the slowest hypervisor finishes processing the
215                   update.
216
217   Daemon Options
218       --pidfile[=pidfile]
219              Causes a file (by default, program.pid) to be created indicating
220              the  PID  of the running process. If the pidfile argument is not
221              specified, or if it does not begin with /, then it is created in
222              .
223
224              If --pidfile is not specified, no pidfile is created.
225
226       --overwrite-pidfile
227              By  default,  when --pidfile is specified and the specified pid‐
228              file already exists and is locked by a running process, the dae‐
229              mon refuses to start. Specify --overwrite-pidfile to cause it to
230              instead overwrite the pidfile.
231
232              When --pidfile is not specified, this option has no effect.
233
234       --detach
235              Runs this program as a background process.  The  process  forks,
236              and  in  the  child it starts a new session, closes the standard
237              file descriptors (which has the side effect of disabling logging
238              to  the  console), and changes its current directory to the root
239              (unless --no-chdir is specified). After the child completes  its
240              initialization, the parent exits.
241
242       --monitor
243              Creates  an  additional  process  to monitor this program. If it
244              dies due to a signal that indicates a programming  error  (SIGA‐
245              BRT, SIGALRM, SIGBUS, SIGFPE, SIGILL, SIGPIPE, SIGSEGV, SIGXCPU,
246              or SIGXFSZ) then the monitor process starts a new copy of it. If
247              the daemon dies or exits for another reason, the monitor process
248              exits.
249
250              This option is normally used with --detach, but  it  also  func‐
251              tions without it.
252
253       --no-chdir
254              By  default,  when --detach is specified, the daemon changes its
255              current working directory to the root  directory  after  it  de‐
256              taches.  Otherwise, invoking the daemon from a carelessly chosen
257              directory would prevent the administrator  from  unmounting  the
258              file system that holds that directory.
259
260              Specifying  --no-chdir  suppresses this behavior, preventing the
261              daemon from changing its current working directory. This may  be
262              useful for collecting core files, since it is common behavior to
263              write core dumps into the current working directory and the root
264              directory is not a good directory to use.
265
266              This option has no effect when --detach is not specified.
267
268       --no-self-confinement
269              By  default  this daemon will try to self-confine itself to work
270              with files under  well-known  directories  determined  at  build
271              time.  It  is better to stick with this default behavior and not
272              to use this flag unless some other Access  Control  is  used  to
273              confine  daemon.  Note  that in contrast to other access control
274              implementations that are typically  enforced  from  kernel-space
275              (e.g.  DAC  or  MAC), self-confinement is imposed from the user-
276              space daemon itself and hence should not be considered as a full
277              confinement  strategy,  but instead should be viewed as an addi‐
278              tional layer of security.
279
280       --user=user:group
281              Causes this program to run as  a  different  user  specified  in
282              user:group,  thus  dropping  most  of the root privileges. Short
283              forms user and :group are also allowed,  with  current  user  or
284              group  assumed,  respectively.  Only daemons started by the root
285              user accepts this argument.
286
287              On   Linux,   daemons   will   be   granted   CAP_IPC_LOCK   and
288              CAP_NET_BIND_SERVICES  before  dropping root privileges. Daemons
289              that interact with a datapath, such  as  ovs-vswitchd,  will  be
290              granted  three  additional  capabilities,  namely CAP_NET_ADMIN,
291              CAP_NET_BROADCAST and CAP_NET_RAW. The  capability  change  will
292              apply even if the new user is root.
293
294              On Windows, this option is not currently supported. For security
295              reasons, specifying this option will cause  the  daemon  process
296              not to start.
297
298   Logging options
299       -v[spec]
300       --verbose=[spec]
301            Sets  logging levels. Without any spec, sets the log level for ev‐
302            ery module and destination to dbg. Otherwise, spec is  a  list  of
303            words separated by spaces or commas or colons, up to one from each
304            category below:
305
306            •      A valid module name, as displayed by the vlog/list  command
307                   on ovs-appctl(8), limits the log level change to the speci‐
308                   fied module.
309
310syslog, console, or file, to limit the log level change  to
311                   only  to  the system log, to the console, or to a file, re‐
312                   spectively. (If --detach is specified,  the  daemon  closes
313                   its  standard  file  descriptors, so logging to the console
314                   will have no effect.)
315
316                   On Windows platform, syslog is accepted as a  word  and  is
317                   only useful along with the --syslog-target option (the word
318                   has no effect otherwise).
319
320off, emer, err, warn, info, or  dbg,  to  control  the  log
321                   level.  Messages  of  the  given severity or higher will be
322                   logged, and messages of lower  severity  will  be  filtered
323                   out.  off filters out all messages. See ovs-appctl(8) for a
324                   definition of each log level.
325
326            Case is not significant within spec.
327
328            Regardless of the log levels set for file, logging to a file  will
329            not take place unless --log-file is also specified (see below).
330
331            For compatibility with older versions of OVS, any is accepted as a
332            word but has no effect.
333
334       -v
335       --verbose
336            Sets the maximum logging verbosity  level,  equivalent  to  --ver‐
337            bose=dbg.
338
339       -vPATTERN:destination:pattern
340       --verbose=PATTERN:destination:pattern
341            Sets  the log pattern for destination to pattern. Refer to ovs-ap‐
342            pctl(8) for a description of the valid syntax for pattern.
343
344       -vFACILITY:facility
345       --verbose=FACILITY:facility
346            Sets the RFC5424 facility of the log message. facility can be  one
347            of kern, user, mail, daemon, auth, syslog, lpr, news, uucp, clock,
348            ftp, ntp, audit, alert, clock2, local0,  local1,  local2,  local3,
349            local4, local5, local6 or local7. If this option is not specified,
350            daemon is used as the default for the local system syslog and  lo‐
351            cal0  is  used  while sending a message to the target provided via
352            the --syslog-target option.
353
354       --log-file[=file]
355            Enables logging to a file. If file is specified, then it  is  used
356            as the exact name for the log file. The default log file name used
357            if file is omitted is /var/log/ovn/program.log.
358
359       --syslog-target=host:port
360            Send syslog messages to UDP port on host, in addition to the  sys‐
361            tem  syslog.  The host must be a numerical IP address, not a host‐
362            name.
363
364       --syslog-method=method
365            Specify method as how syslog messages should  be  sent  to  syslog
366            daemon. The following forms are supported:
367
368libc,  to use the libc syslog() function. Downside of using
369                   this options is that libc adds fixed prefix to  every  mes‐
370                   sage  before  it is actually sent to the syslog daemon over
371                   /dev/log UNIX domain socket.
372
373unix:file, to use a UNIX domain socket directly. It is pos‐
374                   sible to specify arbitrary message format with this option.
375                   However, rsyslogd 8.9 and older  versions  use  hard  coded
376                   parser  function anyway that limits UNIX domain socket use.
377                   If you want to use  arbitrary  message  format  with  older
378                   rsyslogd  versions, then use UDP socket to localhost IP ad‐
379                   dress instead.
380
381udp:ip:port, to use a UDP socket. With this  method  it  is
382                   possible  to  use  arbitrary message format also with older
383                   rsyslogd. When sending syslog messages over UDP socket  ex‐
384                   tra precaution needs to be taken into account, for example,
385                   syslog daemon needs to be configured to listen on the spec‐
386                   ified  UDP  port, accidental iptables rules could be inter‐
387                   fering with local syslog traffic and there are  some  secu‐
388                   rity  considerations  that apply to UDP sockets, but do not
389                   apply to UNIX domain sockets.
390
391null, to discard all messages logged to syslog.
392
393            The default is taken from the OVS_SYSLOG_METHOD environment  vari‐
394            able; if it is unset, the default is libc.
395
396   Table Formatting Options
397       These  options control the format of output from the list and find com‐
398       mands.
399
400              -f format
401              --format=format
402                   Sets the type of table formatting. The following  types  of
403                   format are available:
404
405                   table  2-D text tables with aligned columns.
406
407                   list (default)
408                          A  list  with one column per line and rows separated
409                          by a blank line.
410
411                   html   HTML tables.
412
413                   csv    Comma-separated values as defined in RFC 4180.
414
415                   json   JSON format as defined in RFC 4627. The output is  a
416                          sequence  of JSON objects, each of which corresponds
417                          to one table. Each JSON  object  has  the  following
418                          members with the noted values:
419
420                          caption
421                                 The  table’s  caption. This member is omitted
422                                 if the table has no caption.
423
424                          headings
425                                 An array with one element per  table  column.
426                                 Each  array  element  is  a string giving the
427                                 corresponding column’s heading.
428
429                          data   An array with one element per table row. Each
430                                 element is also an array with one element per
431                                 table column. The elements  of  this  second-
432                                 level array are the cells that constitute the
433                                 table. Cells that  represent  OVSDB  data  or
434                                 data  types  are  expressed in the format de‐
435                                 scribed in  the  OVSDB  specification;  other
436                                 cells are simply expressed as text strings.
437
438              -d format
439              --data=format
440                   Sets  the  formatting for cells within output tables unless
441                   the table format is set to json, in which case json format‐
442                   ting  is  always  used when formatting cells. The following
443                   types of format are available:
444
445                   string (default)
446                          The simple format described in the  Database  Values
447                          section of ovs-vsctl(8).
448
449                   bare   The  simple format with punctuation stripped off: []
450                          and {} are omitted around sets, maps, and empty col‐
451                          umns,  items  within  sets  and maps are space-sepa‐
452                          rated, and strings are never quoted. This format may
453                          be easier for scripts to parse.
454
455                   json   The RFC 4627 JSON format as described above.
456
457              --no-headings
458                   This  option  suppresses the heading row that otherwise ap‐
459                   pears in the first row of table output.
460
461              --pretty
462                   By default, JSON in output is printed as compactly as  pos‐
463                   sible. This option causes JSON in output to be printed in a
464                   more readable fashion. Members of objects and  elements  of
465                   arrays are printed one per line, with indentation.
466
467                   This option does not affect JSON in tables, which is always
468                   printed compactly.
469
470              --bare
471                   Equivalent to --format=list --data=bare --no-headings.
472
473   PKI Options
474       PKI configuration is required to use SSL  for  the  connection  to  the
475       database.
476
477              -p privkey.pem
478              --private-key=privkey.pem
479                   Specifies  a  PEM  file  containing the private key used as
480                   identity for outgoing SSL connections.
481
482              -c cert.pem
483              --certificate=cert.pem
484                   Specifies a PEM file containing a certificate  that  certi‐
485                   fies the private key specified on -p or --private-key to be
486                   trustworthy. The certificate must be signed by the certifi‐
487                   cate  authority  (CA) that the peer in SSL connections will
488                   use to verify it.
489
490              -C cacert.pem
491              --ca-cert=cacert.pem
492                   Specifies a PEM file containing the CA certificate for ver‐
493                   ifying certificates presented to this program by SSL peers.
494                   (This may be the same certificate that  SSL  peers  use  to
495                   verify the certificate specified on -c or --certificate, or
496                   it may be a different one, depending on the PKI  design  in
497                   use.)
498
499              -C none
500              --ca-cert=none
501                   Disables  verification  of  certificates  presented  by SSL
502                   peers. This introduces a security risk,  because  it  means
503                   that  certificates  cannot be verified to be those of known
504                   trusted hosts.
505
506              --bootstrap-ca-cert=cacert.pem
507                     When cacert.pem exists, this option has the  same  effect
508                     as  -C  or --ca-cert. If it does not exist, then the exe‐
509                     cutable will attempt to obtain the  CA  certificate  from
510                     the  SSL  peer on its first SSL connection and save it to
511                     the named PEM file. If it is successful, it will  immedi‐
512                     ately drop the connection and reconnect, and from then on
513                     all SSL connections must be authenticated by  a  certifi‐
514                     cate signed by the CA certificate thus obtained.
515
516                     This  option  exposes the SSL connection to a man-in-the-
517                     middle attack obtaining the initial CA  certificate,  but
518                     it may be useful for bootstrapping.
519
520                     This  option  is only useful if the SSL peer sends its CA
521                     certificate as part of the SSL certificate chain. The SSL
522                     protocol  does not require the server to send the CA cer‐
523                     tificate.
524
525                     This option is mutually exclusive with -C and --ca-cert.
526
527   Other Options
528       -h
529       --help
530            Prints a brief help message to the console.
531
532       -V
533       --version
534            Prints version information to the console.
535

COMMANDS

537       The following sections describe the commands that ovn-nbctl supports.
538
539   General Commands
540       init   Initializes the database, if it is empty. If  the  database  has
541              already been initialized, this command has no effect.
542
543       show [switch | router]
544              Prints  a  brief overview of the database contents. If switch is
545              provided, only records related to that logical switch are shown.
546              If  router  is  provided,  only  records related to that logical
547              router are shown.
548
549   Logical Switch Commands
550       ls-add Creates a new, unnamed logical switch, which  initially  has  no
551              ports.  The switch does not have a name, other commands must re‐
552              fer to this switch by its UUID.
553
554       [--may-exist | --add-duplicate] ls-add switch
555              Creates a new logical switch named switch, which  initially  has
556              no ports.
557
558              The  OVN  northbound  database  schema  does not require logical
559              switch names to be unique, but the whole point to the  names  is
560              to provide an easy way for humans to refer to the switches, mak‐
561              ing duplicate names unhelpful. Thus, without any  options,  this
562              command  regards  it  as an error if switch is a duplicate name.
563              With --may-exist, adding a duplicate name succeeds but does  not
564              create  a  new logical switch. With --add-duplicate, the command
565              really creates a new logical switch with a duplicate name. It is
566              an  error to specify both options. If there are multiple logical
567              switches with a duplicate name, configure the  logical  switches
568              using the UUID instead of the switch name.
569
570       [--if-exists] ls-del switch
571              Deletes  switch. It is an error if switch does not exist, unless
572              --if-exists is specified.
573
574       ls-list
575              Lists all existing switches on standard output, one per line.
576
577   ACL Commands
578       These commands operates on ACL objects for a given entity.  The  entity
579       can be either a logical switch or a port group. The entity can be spec‐
580       ified as uuid or name. The --type option can be  used  to  specify  the
581       type of the entity, in case both a logical switch and a port groups ex‐
582       ist with the same name specified for entity. type must be either switch
583       or port-group.
584
585              [--type={switch | port-group}] [--log] [--meter=meter] [--sever‐
586              ity=severity] [--name=name] [--label=label] [--may-exist] [--ap‐
587              ply-after-lb] acl-add entity direction priority match verdict
588                     Adds  the  specified ACL to entity. direction must be ei‐
589                     ther from-lport or to-lport. priority must be  between  0
590                     and  32767,  inclusive.  A full description of the fields
591                     are in ovn-nb(5). If --may-exist is specified,  adding  a
592                     duplicated  ACL  succeeds  but the ACL is not really cre‐
593                     ated. Without --may-exist, adding a  duplicated  ACL  re‐
594                     sults in error.
595
596                     The  --log option enables packet logging for the ACL. The
597                     options --severity and  --name  specify  a  severity  and
598                     name, respectively, for log entries (and also enable log‐
599                     ging). The severity must be one of  alert,  warning,  no‐
600                     tice, info, or debug. If a severity is not specified, the
601                     default is info. The  --meter=meter  option  is  used  to
602                     rate-limit packet logging. The meter argument names a me‐
603                     ter configured by meter-add.
604
605                     The --apply-after-lb option sets  apply-after-lb=true  in
606                     the  options  column of the ACL table. As the option name
607                     suggests, the ACL  will  be  applied  after  the  logical
608                     switch load balancer stage.
609
610              [--type={switch | port-group}] acl-del entity [direction [prior‐
611              ity match]]
612                     Deletes ACLs from entity. If only entity is supplied, all
613                     the  ACLs  from  the  entity are deleted. If direction is
614                     also specified, then all the flows in that direction will
615                     be  deleted from the entity. If all the fields are given,
616                     then a single flow that matches all the  fields  will  be
617                     deleted.
618
619              [--type={switch | port-group}] acl-list entity
620                     Lists the ACLs on entity.
621
622   Logical Switch QoS Rule Commands
623       [--may-exist]  qos-add  switch  direction  priority  match  [dscp=dscp]
624       [rate=rate [burst=burst]]
625              Adds QoS marking and metering rules to switch. direction must be
626              either  from-lport  or  to-lport. priority must be between 0 and
627              32767, inclusive.
628
629              If dscp=dscp is specified, then matching packets will have  DSCP
630              marking  applied.  dscp  must be between 0 and 63, inclusive. If
631              rate=rate is specified then matching packets will have  metering
632              applied   at   rate   kbps.  If  metering  is  configured,  then
633              burst=burst specifies the burst rate  limit  in  kilobits.  dscp
634              and/or rate are required arguments.
635
636              If  --may-exist  is specified, adding a duplicated QoS rule suc‐
637              ceeds but the QoS rule is not really created. Without  --may-ex‐
638              ist, adding a duplicated QoS rule results in error.
639
640       qos-del switch [direction [priority match]]
641              Deletes  QoS  rules from switch. If only switch is supplied, all
642              the QoS rules from the logical switch are deleted. If  direction
643              is  also specified, then all the flows in that direction will be
644              deleted from the logical switch. If all the fields are supplied,
645              then  a  single  flow  that  matches  the  given  fields will be
646              deleted.
647
648              If switch and uuid are supplied, then the QoS rule  with  sepci‐
649              fied uuid is deleted.
650
651       qos-list switch
652              Lists the QoS rules on switch.
653
654   Meter Commands
655       meter-add name action rate unit [burst]
656              Adds the specified meter. name must be a unique name to identify
657              this meter. The action argument  specifies  what  should  happen
658              when this meter is exceeded. The only supported action is drop.
659
660              The  unit specifies the unit for the rate argument; valid values
661              are kbps and pktps for kilobits per second and packets per  sec‐
662              ond, respectively. The burst option configures the maximum burst
663              allowed for the band in kilobits or packets depending on whether
664              the  unit  chosen was kbps or pktps, respectively. If a burst is
665              not supplied, the switch is free to select some reasonable value
666              depending on its configuration.
667
668              ovn-nbctl  only  supports adding a meter with a single band, but
669              the other commands support meters with multiple bands.
670
671              Names that start with "__" (two underscores)  are  reserved  for
672              internal use by OVN, so ovn-nbctl does not allow adding them.
673
674       meter-del [name]
675              Deletes  meters.  By default, all meters are deleted. If name is
676              supplied, only the meter with that name will be deleted.
677
678       meter-list
679              Lists all meters.
680
681   Logical Switch Port Commands
682       [--may-exist] lsp-add switch port
683              Creates on lswitch a new logical switch port named port.
684
685              It is an error if a logical port named port already exists,  un‐
686              less  --may-exist is specified. Regardless of --may-exist, it is
687              an error if the existing port is in some  logical  switch  other
688              than switch or if it has a parent port.
689
690       [--may-exist] lsp-add switch port parent tag_request
691              Creates  on  switch  a  logical switch port named port that is a
692              child of parent that is identified  with  VLAN  ID  tag_request,
693              which  must  be between 0 and 4095, inclusive. If tag_request is
694              0, ovn-northd generates a tag that is unique  in  the  scope  of
695              parent.  This  is  useful in cases such as virtualized container
696              environments where Open vSwitch does not have a  direct  connec‐
697              tion to the container’s port and it must be shared with the vir‐
698              tual machine’s port.
699
700              It is an error if a logical port named port already exists,  un‐
701              less  --may-exist is specified. Regardless of --may-exist, it is
702              an error if the existing port is not in switch or if it does not
703              have the specified parent and tag_request.
704
705       [--if-exists] lsp-del port
706              Deletes  port.  It  is  an  error if port does not exist, unless
707              --if-exists is specified.
708
709       lsp-list switch
710              Lists all the logical switch ports  within  switch  on  standard
711              output, one per line.
712
713       lsp-get-parent port
714              If set, get the parent port of port. If not set, print nothing.
715
716       lsp-get-tag port
717              If set, get the tag for port traffic. If not set, print nothing.
718
719       lsp-set-addresses port [address]...
720              Sets the addresses associated with port to address. Each address
721              should be one of the following:
722
723              an Ethernet address, optionally followed by a space and  one  or
724              more IP addresses
725                     OVN  delivers  packets  for  the Ethernet address to this
726                     port.
727
728              unknown
729                     OVN delivers unicast Ethernet packets  whose  destination
730                     MAC address is not in any logical port’s addresses column
731                     to ports with address unknown.
732
733              dynamic
734                     Use this keyword to make ovn-northd generate  a  globally
735                     unique MAC address and choose an unused IPv4 address with
736                     the logical port’s subnet and store them  in  the  port’s
737                     dynamic_addresses column.
738
739              router Accepted only when the type of the logical switch port is
740                     router. This indicates that the Ethernet, IPv4, and  IPv6
741                     addresses for this logical switch port should be obtained
742                     from the connected logical router port, as  specified  by
743                     router-port in lsp-set-options.
744
745              Multiple  addresses may be set. If no address argument is given,
746              port will have no addresses associated with it.
747
748       lsp-get-addresses port
749              Lists all the addresses associated with port on standard output,
750              one per line.
751
752       lsp-set-port-security port [addrs]...
753              Sets  the port security addresses associated with port to addrs.
754              Multiple sets of addresses may be set by  using  multiple  addrs
755              arguments.  If  no  addrs  argument is given, port will not have
756              port security enabled.
757
758              Port security limits the addresses from which a logical port may
759              send  packets  and  to  which  it  may  receive packets. See the
760              ovn-nb(5) documentation for the port_security column in the Log‐
761              ical_Switch_Port table for details.
762
763       lsp-get-port-security port
764              Lists  all  the  port security addresses associated with port on
765              standard output, one per line.
766
767       lsp-get-up port
768              Prints the state of port, either up or down.
769
770       lsp-set-enabled port state
771              Set the administrative state of port,  either  enabled  or  dis‐
772              abled.  When  a  port is disabled, no traffic is allowed into or
773              out of the port.
774
775       lsp-get-enabled port
776              Prints the administrative state of port, either enabled or  dis‐
777              abled.
778
779       lsp-set-type port type
780              Set  the  type for the logical port. The type must be one of the
781              following:
782
783              (empty string)
784                     A VM (or VIF) interface.
785
786              router A connection to a logical router.
787
788              localnet
789                     A connection to a locally accessible  network  from  each
790                     ovn-controller instance. A logical switch can only have a
791                     single localnet port attached. This is used to model  di‐
792                     rect connectivity to an existing network.
793
794              localport
795                     A  connection  to  a local VIF. Traffic that arrives on a
796                     localport is never forwarded over  a  tunnel  to  another
797                     chassis.  These  ports  are  present on every chassis and
798                     have the same address in all of them.  This  is  used  to
799                     model  connectivity  to  local services that run on every
800                     hypervisor.
801
802              l2gateway
803                     A connection to a physical network.
804
805              vtep   A port to a logical switch on a VTEP gateway.
806
807       lsp-get-type port
808              Get the type for the logical port.
809
810       lsp-set-options port [key=value]...
811              Set type-specific key-value options for the logical port.
812
813       lsp-get-options port
814              Get the type-specific options for the logical port.
815
816       lsp-set-dhcpv4-options port dhcp_options
817              Set the DHCPv4 options for the logical port. The dhcp_options is
818              a  UUID  referring  to a set of DHCP options in the DHCP_Options
819              table.
820
821       lsp-get-dhcpv4-options port
822              Get the configured DHCPv4 options for the logical port.
823
824       lsp-set-dhcpv6-options port dhcp_options
825              Set the DHCPv6 options for the logical port. The dhcp_options is
826              a  UUID  referring  to a set of DHCP options in the DHCP_Options
827              table.
828
829       lsp-get-dhcpv6-options port
830              Get the configured DHCPv6 options for the logical port.
831
832       lsp-get-ls port
833              Get the logical switch which the port belongs to.
834
835   Forwarding Group Commands
836       [--liveness]fwd-group-add group switch vip vmac ports
837              Creates a new forwarding group named group as the name with  the
838              provided  vip  and  vmac. vip should be a virtual IP address and
839              vmac should be a virtual MAC address to  access  the  forwarding
840              group.  ports  are the logical switch port names that are put in
841              the forwarding group. Example for ports is lsp1 lsp2 ... Traffic
842              destined to virtual IP of the forwarding group will be load bal‐
843              anced to all the child ports.
844
845              When --liveness is specified then child ports are expected to be
846              bound to external devices like routers. BFD should be configured
847              between hypervisors and the external devices. The child port se‐
848              lection  will  become  dependent on BFD status with its external
849              device.
850
851       [--if-exists] fwd-group-del group
852               Deletes group. It is an error if group does not  exist,  unless
853              --if-exists is specified.
854
855       fwd-group-list [switch]
856              Lists  all  existing  forwarding  groups, If switch is specified
857              then only the forwarding groups configured for  switch  will  be
858              listed.
859
860   Logical Router Commands
861       lr-add Creates  a  new,  unnamed logical router, which initially has no
862              ports. The router does not have a name, other commands must  re‐
863              fer to this router by its UUID.
864
865       [--may-exist | --add-duplicate] lr-add router
866              Creates  a  new logical router named router, which initially has
867              no ports.
868
869              The OVN northbound database  schema  does  not  require  logical
870              router  names  to be unique, but the whole point to the names is
871              to provide an easy way for humans to refer to the routers,  mak‐
872              ing  duplicate  names unhelpful. Thus, without any options, this
873              command regards it as an error if router is  a  duplicate  name.
874              With  --may-exist, adding a duplicate name succeeds but does not
875              create a new logical router. With --add-duplicate,  the  command
876              really creates a new logical router with a duplicate name. It is
877              an error to specify both options. If there are multiple  logical
878              routers with a duplicate name, configure the logical routers us‐
879              ing the UUID instead of the router name.
880
881       [--if-exists] lr-del router
882              Deletes router. It is an error if router does not exist,  unless
883              --if-exists is specified.
884
885       lr-list
886              Lists all existing routers on standard output, one per line.
887
888   Logical Router Port Commands
889       [--may-exist] lrp-add router port mac network... [peer=peer]
890              Creates on router a new logical router port named port with Eth‐
891              ernet address mac and one or more IP  address/netmask  for  each
892              network.
893
894              The optional argument peer identifies a logical router port that
895              connects to this one. The following example adds a  router  port
896              with an IPv4 and IPv6 address with peer lr1:
897
898              lrp-add lr0 lrp0 00:11:22:33:44:55 192.168.0.1/24 2001:db8::1/64
899              peer=lr1
900
901              It is an error if a logical router port named port  already  ex‐
902              ists,  unless  --may-exist is specified. Regardless of --may-ex‐
903              ist, it is an error if the existing router port is in some logi‐
904              cal router other than router.
905
906       [--if-exists] lrp-del port
907              Deletes  port.  It  is  an  error if port does not exist, unless
908              --if-exists is specified.
909
910       lrp-list router
911              Lists all the logical router ports  within  router  on  standard
912              output, one per line.
913
914       lrp-set-enabled port state
915              Set  the  administrative  state  of port, either enabled or dis‐
916              abled. When a port is disabled, no traffic is  allowed  into  or
917              out of the port.
918
919       lrp-get-enabled port
920              Prints  the administrative state of port, either enabled or dis‐
921              abled.
922
923       lrp-set-gateway-chassis port chassis [priority]
924              Set gateway chassis for port. chassis is the name of  the  chas‐
925              sis. This creates a gateway chassis entry in Gateway_Chassis ta‐
926              ble. It won’t check if chassis really exists  in  OVN_Southbound
927              database.  Priority will be set to 0 if priority is not provided
928              by user. priority must be between 0 and 32767, inclusive.
929
930       lrp-del-gateway-chassis port chassis
931              Deletes gateway chassis from port. It is  an  error  if  gateway
932              chassis with chassis for port does not exist.
933
934       lrp-get-gateway-chassis port
935              Lists all the gateway chassis with priority within port on stan‐
936              dard output, one per line, ordered based on priority.
937
938   Logical Router Static Route Commands
939       [--may-exist]   [--policy=POLICY]   [--ecmp]   [--ecmp-symmetric-reply]
940       [--bfd[=UUID]] lr-route-add router prefix nexthop [port]
941              Adds  the specified route to router. prefix describes an IPv4 or
942              IPv6 prefix for this route, such  as  192.168.100.0/24.  nexthop
943              specifies the gateway to use for this route, which should be the
944              IP address of one of router logical router ports or the  IP  ad‐
945              dress  of  a  logical  port.  If port is specified, packets that
946              match this route will be sent out that port. When port is  omit‐
947              ted, OVN infers the output port based on nexthop. Nexthop can be
948              set to discard for dropping packets which match the given route.
949
950              --policy describes the policy used to  make  routing  decisions.
951              This  should  be  one of "dst-ip" or "src-ip". If not specified,
952              the default is "dst-ip".
953
954              The --ecmp option allows for multiple routes with the same  pre‐
955              fix POLICY but different nexthop and port to be added.
956
957              The  --ecmp-symmetric-reply option makes it so that traffic that
958              arrives over an ECMP route will have its reply traffic sent  out
959              over  that  same  route.  Setting --ecmp-symmetric-reply implies
960              --ecmp so it is not necessary to set both.
961
962              --bfd option is used to link a BFD session to the OVN route.  If
963              the  BFD  session  UUID is provided, it will be used for the OVN
964              route otherwise the next-hop will be used to perform a lookup in
965              the  OVN BFD table. If the lookup fails and port is specified, a
966              new entry in the BFD table will be created using the nexthop  as
967              dst_ip and port as logical_port.
968
969              It is an error if a route with prefix and POLICY already exists,
970              unless --may-exist, --ecmp, or --ecmp-symmetric-reply is  speci‐
971              fied.  If --may-exist is specified but not --ecmp or --ecmp-sym‐
972              metric-reply, the existed route will be  updated  with  the  new
973              nexthop  and port. If --ecmp or --ecmp-symmetric-reply is speci‐
974              fied, a new route will  be  added,  regardless  of  the  existed
975              route.,  which  is  useful  when adding ECMP routes, i.e. routes
976              with same POLICY and prefix but different nexthop and port.
977
978       [--if-exists] [--policy=POLICY] lr-route-del  router  [prefix  [nexthop
979       [port]]]
980              Deletes  routes from router. If only router is supplied, all the
981              routes from the logical router are deleted. If  POLICY,  prefix,
982              nexthop and/or port are also specified, then all the routes that
983              match the conditions will be deleted from the logical router.
984
985              It is an error if there  is  no  matching  route  entry,  unless
986              --if-exists is specified.
987
988       lr-route-list router
989              Lists the routes on router.
990
991   Logical Router Policy Commands
992       [--may-exist]lr-policy-add  router priority match action [nexthop[,nex‐
993       thop,...]] [options key=value]]
994              Add Policy to router which provides  a  way  to  configure  per‐
995              mit/deny  and  reroute policies on the router. Permit/deny poli‐
996              cies are similar to OVN ACLs, but exist on  the  logical-router.
997              Reroute  policies  are needed for service-insertion and service-
998              chaining. nexthop is an optional parameter. It needs to be  pro‐
999              vided  only  when  action  is  reroute. Multiple nexthops can be
1000              specified for ECMP routing. A policy is uniquely  identified  by
1001              priority  and  match. Multiple policies can have the same prior‐
1002              ity. options sets the router policy options as  key-value  pair.
1003              The supported option is : pkt_mark.
1004
1005              If  --may-exist is specified, adding a duplicated routing policy
1006              with the same priority and match string is not  really  created.
1007              Without  --may-exist, adding a duplicated routing policy results
1008              in error.
1009
1010              The following example shows a policy to  lr1,  which  will  drop
1011              packets from192.168.100.0/24.
1012
1013              lr-policy-add lr1 100 ip4.src == 192.168.100.0/24 drop.
1014
1015                 lr-policy-add  lr1  100  ip4.src  ==  192.168.100.0/24  allow
1016              pkt_mark=100 .
1017
1018       [--if-exists] lr-policy-del router [{priority | uuid} [match]]
1019              Deletes polices from router. If only router is supplied, all the
1020              polices  from the logical router are deleted. If priority and/or
1021              match are also specified, then all the polices  that  match  the
1022              conditions will be deleted from the logical router.
1023
1024              If  router and uuid are supplied, then the policy with sepcified
1025              uuid is deleted. It is an error if uuid does not  exist,  unless
1026              --if-exists is specified.
1027
1028       lr-policy-list router
1029              Lists the polices on router.
1030
1031   NAT Commands
1032       [--may-exist]  [--stateless]  [--gateway_port=GATEWAY_PORT]  lr-nat-add
1033       router type external_ip logical_ip [logical_port external_mac]
1034              Adds the specified NAT to router. The type must be one of  snat,
1035              dnat,  or dnat_and_snat. The external_ip is an IPv4 address. The
1036              logical_ip is an IPv4 network (e.g 192.168.1.0/24)  or  an  IPv4
1037              address.  The  logical_port  and  external_mac are only accepted
1038              when router is a  distributed  router  (rather  than  a  gateway
1039              router)  and type is dnat_and_snat. The logical_port is the name
1040              of an existing logical switch port where the logical_ip resides.
1041              The external_mac is an Ethernet address.
1042
1043              When  --stateless  is  specified then it implies that we will be
1044              not use connection tracker, i.e internal ip and external ip  are
1045              1:1  mapped. This implies that --stateless is applicable only to
1046              dnat_and_snat type NAT rules. An external  ip  with  --stateless
1047              NAT cannot be shared with any other NAT rule.
1048
1049              --gateway-port  option allows specifying the distributed gateway
1050              port of router where the NAT rule needs  to  be  applied.  GATE‐
1051              WAY_PORT  should  reference  a Logical_Router_Port row that is a
1052              distributed gateway port of router.  When  router  has  multiple
1053              distributed  gateway  ports,  it  is an error to not specify the
1054              GATEWAY_PORT.
1055
1056              When type is dnat, the externally visible IP address external_ip
1057              is DNATted to the IP address logical_ip in the logical space.
1058
1059              When  type is snat, IP packets with their source IP address that
1060              either matches the IP address in logical_ip or is in the network
1061              provided  by  logical_ip is SNATed into the IP address in exter‐
1062              nal_ip.
1063
1064              When type is dnat_and_snat, the externally  visible  IP  address
1065              external_ip is DNATted to the IP address logical_ip in the logi‐
1066              cal space. In addition, IP packets with the  source  IP  address
1067              that  matches logical_ip is SNATed into the IP address in exter‐
1068              nal_ip.
1069
1070              When the logical_port and external_mac are  specified,  the  NAT
1071              rule  will  be  programmed on the chassis where the logical_port
1072              resides. This includes ARP replies for  the  external_ip,  which
1073              return  the  value of external_mac. All packets transmitted with
1074              source IP address equal to external_ip will be  sent  using  the
1075              external_mac.
1076
1077              It  is  an error if a NAT already exists with the same values of
1078              router, type, external_ip, logical_ip and GATEWAY_PORT (in  case
1079              of  multiple  distributed  gateway ports), unless --may-exist is
1080              specified. When --may-exist, logical_port, and external_mac  are
1081              all  specified,  the  existing values of logical_port and exter‐
1082              nal_mac are overwritten.
1083
1084       [--if-exists] lr-nat-del router [type [ip] [gateway_port]]
1085              Deletes NATs from router. If only router is  supplied,  all  the
1086              NATs from the logical router are deleted. If type is also speci‐
1087              fied, then all the NATs that match the type will be deleted from
1088              the  logical  router. If ip is also specified without specifying
1089              gateway_port, then all the NATs that match the type and ip  will
1090              be deleted from the logical router. If gateway_port is specified
1091              without specifying ip, then all the NATs that match the type and
1092              gateway_port will be deleted from the logical router. If all the
1093              fields are given, then a single NAT rule that  matches  all  the
1094              fields will be deleted. When type is snat, the ip should be log‐
1095              ical_ip. When type is dnat or dnat_and_snat, the ip shoud be ex‐
1096              ternal_ip.
1097
1098              It  is  an  error  if both ip and gateway_port are specified and
1099              there is no matching NAT entry, unless --if-exists is specified.
1100
1101       lr-nat-list router
1102              Lists the NATs on router.
1103
1104   Load Balancer Commands
1105       [--may-exist | --add-duplicate | --reject | --event] lb-add lb vip  ips
1106       [protocol]
1107              Creates  a  new load balancer named lb with the provided vip and
1108              ips or adds the vip to an existing lb. vip should be  a  virtual
1109              IP address (or an IP address and a port number with : as a sepa‐
1110              rator).  Examples  for  vip  are   192.168.1.4,   fd0f::1,   and
1111              192.168.1.5:8080. ips should be comma separated IP endpoints (or
1112              comma separated IP addresses and port numbers with : as a  sepa‐
1113              rator). ips must be the same address family as vip. Examples for
1114              ips are 10.0.0.1,10.0.0.2or [fdef::1]:8800,[fdef::2]:8800.
1115
1116              The optional argument protocol must be either tcp, udp or  sctp.
1117              This  argument  is useful when a port number is provided as part
1118              of the vip. If the protocol is unspecified and a port number  is
1119              provided as part of the vip, OVN assumes the protocol to be tcp.
1120
1121              It  is  an  error if the vip already exists in the load balancer
1122              named lb, unless --may-exist is specified. With --add-duplicate,
1123              the  command really creates a new load balancer with a duplicate
1124              name.
1125
1126              If the load balancer is created with --reject option and it  has
1127              no  active  backends,  a  TCP reset segment (for tcp) or an ICMP
1128              port unreachable packet (for all other kind of traffic) will  be
1129              sent  whenever an incoming packet is received for this load-bal‐
1130              ancer. Please note using --reject option will  disable  empty_lb
1131              SB controller event for this load balancer.
1132
1133              If  the  load balancer is created with --event option and it has
1134              no active backends, whenever the lb receives traffic, the  event
1135              is  reported  in the Controller_Event table in the SB db. Please
1136              note --event option can’t be specified with --reject one.
1137
1138              The following example adds a load balancer.
1139
1140              lb-add                     lb0                      30.0.0.10:80
1141              192.168.10.10:80,192.168.10.20:80,192.168.10.30:80 udp
1142
1143       [--if-exists] lb-del lb [vip]
1144              Deletes  lb or the vip from lb. If vip is supplied, only the vip
1145              will be deleted from the lb. If only the lb is supplied, the  lb
1146              will be deleted. It is an error if vip does not already exist in
1147              lb, unless --if-exists is specified.
1148
1149       lb-list [lb]
1150              Lists the LBs. If lb is also specified, then only the  specified
1151              lb will be listed.
1152
1153       [--may-exist] ls-lb-add switch lb
1154              Adds  the  specified lb to switch. It is an error if a load bal‐
1155              ancer named lb already exists in the switch, unless  --may-exist
1156              is specified.
1157
1158       [--if-exists] ls-lb-del switch [lb]
1159              Removes  lb from switch. If only switch is supplied, all the LBs
1160              from the logical switch are removed. If lb  is  also  specified,
1161              then  only the lb will be removed from the logical switch. It is
1162              an error if lb does not exist in the switch, unless  --if-exists
1163              is specified.
1164
1165       ls-lb-list switch
1166              Lists the LBs for the given switch.
1167
1168       [--may-exist] lr-lb-add router lb
1169              Adds  the  specified lb to router. It is an error if a load bal‐
1170              ancer named lb already exists in the router, unless  --may-exist
1171              is specified.
1172
1173       [--if-exists] lr-lb-del router [lb]
1174              Removes  lb from router. If only router is supplied, all the LBs
1175              from the logical router are removed. If lb  is  also  specified,
1176              then  only the lb will be removed from the logical router. It is
1177              an error if lb does not exist in the router, unless  --if-exists
1178              is specified.
1179
1180       lr-lb-list router
1181              Lists the LBs for the given router.
1182
1183   DHCP Options commands
1184       dhcp-options-create cidr [key=value]
1185              Creates  a new DHCP Options entry in the DHCP_Options table with
1186              the specified cidr and optional external-ids.
1187
1188       dhcp-options-list
1189              Lists the DHCP Options entries.
1190
1191       dhcp-options-del dhcp-option
1192              Deletes the DHCP Options entry referred by dhcp-option UUID.
1193
1194       dhcp-options-set-options dhcp-option [key=value]...
1195              Set the DHCP Options for the dhcp-option UUID.
1196
1197       dhcp-options-get-options dhcp-option
1198              Lists the DHCP Options for the dhcp-option UUID.
1199
1200   Port Group commands
1201       pg-add group [port]...
1202              Creates a new port group in the  Port_Group  table  named  group
1203              with optional ports added to the group.
1204
1205       pg-set-ports group port...
1206              Sets  ports  on  the  port  group named group. It is an error if
1207              group does not exist.
1208
1209       pg-del group
1210              Deletes port group group. It is an error if group does  not  ex‐
1211              ist.
1212
1213   HA Chassis Group commands
1214       ha-chassis-group-add group
1215              Creates  a  new  HA  chassis group in the HA_Chassis_Group table
1216              named group.
1217
1218       ha-chassis-group-del group
1219              Deletes the HA chassis group group. It is an error if group does
1220              not exist.
1221
1222       ha-chassis-group-list
1223              Lists  the  HA  chassis group group along with the HA chassis if
1224              any associated with it.
1225
1226       ha-chassis-group-add-chassis group chassis priority
1227              Adds a new HA chassis chassis to the HA Chassis group group with
1228              the  specified priority. If the chassis already exists, then the
1229              priority is updated. The chassis should be the name of the chas‐
1230              sis in the OVN_Southbound.
1231
1232       ha-chassis-group-remove-chassis group chassis
1233              Removes  the HA chassis chassis from the HA chassis group group.
1234              It is an error if chassis does not exist.
1235
1236   Control Plane Protection Policy commands
1237       These commands manage meters configured in Copp table linking  them  to
1238       logical  datapaths  through  copp  column  in  Logical_Switch  or Logi‐
1239       cal_Router tables. Protocol packets for which  CoPP  is  enforced  when
1240       sending packets to ovn-controller (if configured):
1241
1242              •      ARP
1243
1244              •      ND_NS
1245
1246              •      ND_NA
1247
1248              •      ND_RA
1249
1250              •      ND
1251
1252              •      DNS
1253
1254              •      IGMP
1255
1256              •      packets that require ARP resolution before forwarding
1257
1258              •      packets that require ND_NS before forwarding
1259
1260              •      packets that need to be replied to with ICMP Errors
1261
1262              •      packets that need to be replied to with TCP RST
1263
1264              •      packets that need to be replied to with DHCP_OPTS
1265
1266              •      packets that trigger a reject action
1267
1268              •      packets that trigger a SCTP abort action
1269
1270              •      controller_events
1271
1272              •      BFD
1273
1274              copp-add name proto meter
1275                     Adds  the  control  proto to meter mapping to the control
1276                     plane protection policy name. If no policy exists yet, it
1277                     creates one. If a mapping already existed for proto, this
1278                     will overwrite it.
1279
1280              copp-del name [proto]
1281                     Removes the control proto mapping for  the  name  control
1282                     plane  protection  policy. If proto is not specified, the
1283                     whole control plane protection policy is destroyed.
1284
1285              copp-list name
1286                     Display the current control plane protection  policy  for
1287                     name.
1288
1289              ls-copp-add name switch
1290                     Adds the control plane protection policy name to the log‐
1291                     ical switch switch.
1292
1293              lr-copp-add name router
1294                     Adds the control plane protection policy name to the log‐
1295                     ical router router.
1296
1297   Synchronization Commands
1298       sync   Ordinarily, --wait=sb or --wait=hv only waits for changes by the
1299              current ovn-nbctl invocation to take effect. This means that, if
1300              none  of the commands supplied to ovn-nbctl change the database,
1301              then the command does not wait at all. With  the  sync  command,
1302              however,  ovn-nbctl  waits even for earlier changes to the data‐
1303              base to propagate down to the southbound database or all of  the
1304              OVN chassis, according to the argument to --wait.
1305
1306   Remote Connectivity Commands
1307       These commands manipulate the connections column in the NB_Global table
1308       and rows in the Connection table. When ovsdb-server  is  configured  to
1309       use  the  connections column for OVSDB connections, this allows the ad‐
1310       ministrator to use ovn-nbctl to configure database connections.
1311
1312              get-connection
1313                     Prints the configured connection(s).
1314
1315              del-connection
1316                     Deletes the configured connection(s).
1317
1318              [--inactivity-probe=msecs] set-connection target...
1319                     Sets the configured manager target or targets. Use  --in‐
1320                     activity-probe=msecs to override the default idle connec‐
1321                     tion inactivity probe time. Use 0 to  disable  inactivity
1322                     probes.
1323
1324   SSL Configuration Commands
1325       get-ssl
1326              Prints the SSL configuration.
1327
1328       del-ssl
1329              Deletes the current SSL configuration.
1330
1331       [--bootstrap]  set-ssl  private-key  certificate ca-cert [ssl-protocol-
1332       list [ssl-cipher-list]]
1333              Sets the SSL configuration.
1334
1335   Database Commands
1336       These commands query and modify the contents of ovsdb tables. They  are
1337       a slight abstraction of the ovsdb interface and as such they operate at
1338       a lower level than other ovn-nbctl commands.
1339
1340       Identifying Tables, Records, and Columns
1341
1342       Each of these commands has a table parameter to identify a table within
1343       the database. Many of them also take a record parameter that identifies
1344       a particular record within a table. The record  parameter  may  be  the
1345       UUID  for  a  record, which may be abbreviated to its first 4 (or more)
1346       hex digits, as long as that is unique.  Many  tables  offer  additional
1347       ways  to  identify  records.  Some commands also take column parameters
1348       that identify a particular field within the records in a table.
1349
1350       For a list of tables and their columns, see ovn-nb(5) or see the  table
1351       listing from the --help option.
1352
1353       Record names must be specified in full and with correct capitalization,
1354       except that UUIDs may be abbreviated to their first  4  (or  more)  hex
1355       digits, as long as that is unique within the table. Names of tables and
1356       columns are not case-sensitive, and - and _  are  treated  interchange‐
1357       ably.  Unique  abbreviations  of table and column names are acceptable,
1358       e.g. d or dhcp is sufficient to identify the DHCP_Options table.
1359
1360       Database Values
1361
1362       Each column in the database accepts a fixed type of data. The currently
1363       defined basic types, and their representations, are:
1364
1365              integer
1366                     A  decimal integer in the range -2**63 to 2**63-1, inclu‐
1367                     sive.
1368
1369              real   A floating-point number.
1370
1371              Boolean
1372                     True or false, written true or false, respectively.
1373
1374              string An arbitrary Unicode string, except that null  bytes  are
1375                     not  allowed.  Quotes  are optional for most strings that
1376                     begin with an English letter or  underscore  and  consist
1377                     only  of letters, underscores, hyphens, and periods. How‐
1378                     ever, true and false and strings that match the syntax of
1379                     UUIDs  (see  below)  must be enclosed in double quotes to
1380                     distinguish them from  other  basic  types.  When  double
1381                     quotes  are  used, the syntax is that of strings in JSON,
1382                     e.g. backslashes may be used to  escape  special  charac‐
1383                     ters.  The  empty string must be represented as a pair of
1384                     double quotes ("").
1385
1386              UUID   Either a universally unique identifier in  the  style  of
1387                     RFC  4122,  e.g. f81d4fae-7dec-11d0-a765-00a0c91e6bf6, or
1388                     an @name defined by a get or create  command  within  the
1389                     same ovs-vsctl invocation.
1390
1391       Multiple values in a single column may be separated by spaces or a sin‐
1392       gle comma. When multiple values are present,  duplicates  are  not  al‐
1393       lowed,  and  order  is not important. Conversely, some database columns
1394       can have an empty set of values, represented as [], and square brackets
1395       may optionally enclose other non-empty sets or single values as well.
1396
1397       A  few  database columns are ``maps’’ of key-value pairs, where the key
1398       and the value are each some fixed database type. These are specified in
1399       the  form key=value, where key and value follow the syntax for the col‐
1400       umn’s key type and value type, respectively. When  multiple  pairs  are
1401       present  (separated  by  spaces or a comma), duplicate keys are not al‐
1402       lowed, and again the order is not important. Duplicate values  are  al‐
1403       lowed.  An  empty map is represented as {}. Curly braces may optionally
1404       enclose non-empty maps as well (but use quotes  to  prevent  the  shell
1405       from  expanding other-config={0=x,1=y} into other-config=0=x other-con‐
1406       fig=1=y, which may not have the desired effect).
1407
1408       Database Command Syntax
1409
1410              [--if-exists]    [--columns=column[,column]...]    list    table
1411              [record]...
1412                     Lists  the  data  in each specified record. If no records
1413                     are specified, lists all the records in table.
1414
1415                     If --columns is specified, only the requested columns are
1416                     listed,  in  the  specified order. Otherwise, all columns
1417                     are listed, in alphabetical order by column name.
1418
1419                     Without --if-exists, it is  an  error  if  any  specified
1420                     record  does not exist. With --if-exists, the command ig‐
1421                     nores any record that does not exist,  without  producing
1422                     any output.
1423
1424              [--columns=column[,column]...]       find       table      [col‐
1425              umn[:key]=value]...
1426                     Lists the data in  each  record  in  table  whose  column
1427                     equals  value  or, if key is specified, whose column con‐
1428                     tains a key with the specified value. The following oper‐
1429                     ators  may  be used where = is written in the syntax sum‐
1430                     mary:
1431
1432                     = != < > <= >=
1433                            Selects records in which column[:key] equals, does
1434                            not  equal, is less than, is greater than, is less
1435                            than or equal to, or is greater than or  equal  to
1436                            value, respectively.
1437
1438                            Consider  column[:key]  and  value as sets of ele‐
1439                            ments. Identical sets are considered equal. Other‐
1440                            wise,  if  the sets have different numbers of ele‐
1441                            ments, then the set with more elements is  consid‐
1442                            ered  to  be larger. Otherwise, consider a element
1443                            from each set pairwise, in increasing order within
1444                            each  set.  The first pair that differs determines
1445                            the result. (For a column that contains  key-value
1446                            pairs, first all the keys are compared, and values
1447                            are considered only if the two sets contain  iden‐
1448                            tical keys.)
1449
1450                     {=} {!=}
1451                            Test for set equality or inequality, respectively.
1452
1453                     {<=}   Selects  records in which column[:key] is a subset
1454                            of value. For example, flood-vlans{<=}1,2  selects
1455                            records  in  which  the  flood-vlans column is the
1456                            empty set or contains 1 or 2 or both.
1457
1458                     {<}    Selects records in which column[:key] is a  proper
1459                            subset  of  value.  For example, flood-vlans{<}1,2
1460                            selects records in which the flood-vlans column is
1461                            the empty set or contains 1 or 2 but not both.
1462
1463                     {>=} {>}
1464                            Same  as  {<=}  and {<}, respectively, except that
1465                            the  relationship  is   reversed.   For   example,
1466                            flood-vlans{>=}1,2  selects  records  in which the
1467                            flood-vlans column contains both 1 and 2.
1468
1469                     The  following  operators  are  available  only  in  Open
1470                     vSwitch 2.16 and later:
1471
1472                     {in}   Selects  records  in  which  every element in col‐
1473                            umn[:key] is also in value. (This is the  same  as
1474                            {<=}.)
1475
1476                     {not-in}
1477                            Selects  records  in  which  every element in col‐
1478                            umn[:key] is not in value.
1479
1480                     For arithmetic operators (= != < > <= >=),  when  key  is
1481                     specified  but a particular record’s column does not con‐
1482                     tain key, the record is always omitted from the  results.
1483                     Thus,   the   condition   other-config:mtu!=1500  matches
1484                     records that have a mtu key whose value is not 1500,  but
1485                     not those that lack an mtu key.
1486
1487                     For  the  set operators, when key is specified but a par‐
1488                     ticular record’s column does not contain key, the compar‐
1489                     ison  is  done  against an empty set. Thus, the condition
1490                     other-config:mtu{!=}1500 matches records that have a  mtu
1491                     key  whose  value  is not 1500 and those that lack an mtu
1492                     key.
1493
1494                     Don’t forget to escape < or > from interpretation by  the
1495                     shell.
1496
1497                     If --columns is specified, only the requested columns are
1498                     listed, in the specified order. Otherwise all columns are
1499                     listed, in alphabetical order by column name.
1500
1501                     The  UUIDs  shown  for rows created in the same ovs-vsctl
1502                     invocation will be wrong.
1503
1504              [--if-exists] [--id=@name] get table record [column[:key]]...
1505                     Prints the value of each specified column  in  the  given
1506                     record in table. For map columns, a key may optionally be
1507                     specified, in which case the value associated with key in
1508                     the column is printed, instead of the entire map.
1509
1510                     Without  --if-exists,  it  is an error if record does not
1511                     exist or key is specified,  if  key  does  not  exist  in
1512                     record. With --if-exists, a missing record yields no out‐
1513                     put and a missing key prints a blank line.
1514
1515                     If @name is specified, then the UUID for  record  may  be
1516                     referred  to by that name later in the same ovs-vsctl in‐
1517                     vocation in contexts where a UUID is expected.
1518
1519                     Both --id and the column arguments are optional, but usu‐
1520                     ally  at  least  one or the other should be specified. If
1521                     both are omitted, then get has no effect except to verify
1522                     that record exists in table.
1523
1524                     --id and --if-exists cannot be used together.
1525
1526              [--if-exists] set table record column[:key]=value...
1527                     Sets  the  value  of  each  specified column in the given
1528                     record in table to value. For map columns, a key may  op‐
1529                     tionally be specified, in which case the value associated
1530                     with key in that column is changed (or added, if none ex‐
1531                     ists), instead of the entire map.
1532
1533                     Without  --if-exists,  it  is an error if record does not
1534                     exist. With --if-exists, this  command  does  nothing  if
1535                     record does not exist.
1536
1537              [--if-exists] add table record column [key=]value...
1538                     Adds  the  specified value or key-value pair to column in
1539                     record in table. If column is a  map,  then  key  is  re‐
1540                     quired, otherwise it is prohibited. If key already exists
1541                     in a map column, then the current value is  not  replaced
1542                     (use the set command to replace an existing value).
1543
1544                     Without  --if-exists,  it  is an error if record does not
1545                     exist. With --if-exists, this  command  does  nothing  if
1546                     record does not exist.
1547
1548              [--if-exists] remove table record column value...
1549
1550                     [--if-exists] remove table record column key...
1551
1552                     [--if-exists]  remove  table  record  column key=value...
1553                     Removes the specified values or key-value pairs from col‐
1554                     umn in record in table. The first form applies to columns
1555                     that are not maps: each specified value is  removed  from
1556                     the  column. The second and third forms apply to map col‐
1557                     umns: if only a key is specified, then any key-value pair
1558                     with  the  given key is removed, regardless of its value;
1559                     if a value is given then a pair is removed only  if  both
1560                     key and value match.
1561
1562                     It  is  not  an  error if the column does not contain the
1563                     specified key or value or pair.
1564
1565                     Without --if-exists, it is an error if  record  does  not
1566                     exist.  With  --if-exists,  this  command does nothing if
1567                     record does not exist.
1568
1569              [--if-exists] clear table record column...
1570                     Sets each column in record in table to the empty  set  or
1571                     empty  map,  as appropriate. This command applies only to
1572                     columns that are allowed to be empty.
1573
1574                     Without --if-exists, it is an error if  record  does  not
1575                     exist.  With  --if-exists,  this  command does nothing if
1576                     record does not exist.
1577
1578              [--id=@name] create table column[:key]=value...
1579                     Creates a new record in table and sets the initial values
1580                     of  each  column. Columns not explicitly set will receive
1581                     their default values. Outputs the UUID of the new row.
1582
1583                     If @name is specified, then the UUID for the new row  may
1584                     be  referred  to by that name elsewhere in the same \*(PN
1585                     invocation in contexts where a  UUID  is  expected.  Such
1586                     references may precede or follow the create command.
1587
1588                     Caution (ovs-vsctl as example)
1589                            Records  in the Open vSwitch database are signifi‐
1590                            cant only when they can be reached directly or in‐
1591                            directly  from  the Open_vSwitch table. Except for
1592                            records in the QoS or Queue tables,  records  that
1593                            are  not reachable from the Open_vSwitch table are
1594                            automatically  deleted  from  the  database.  This
1595                            deletion  happens immediately, without waiting for
1596                            additional ovs-vsctl commands  or  other  database
1597                            activity. Thus, a create command must generally be
1598                            accompanied by additional commands within the same
1599                            ovs-vsctl  invocation to add a chain of references
1600                            to the newly created  record  from  the  top-level
1601                            Open_vSwitch  record.  The  EXAMPLES section gives
1602                            some examples that show how to do this.
1603
1604              [--if-exists] destroy table record...
1605                     Deletes each specified record from table. Unless --if-ex‐
1606                     ists is specified, each records must exist.
1607
1608              --all destroy table
1609                     Deletes all records from the table.
1610
1611                     Caution (ovs-vsctl as example)
1612                            The  destroy command is only useful for records in
1613                            the QoS or Queue tables. Records in  other  tables
1614                            are  automatically  deleted from the database when
1615                            they become unreachable from the Open_vSwitch  ta‐
1616                            ble.  This  means that deleting the last reference
1617                            to a record is sufficient for deleting the  record
1618                            itself.  For  records  in these tables, destroy is
1619                            silently ignored. See the EXAMPLES  section  below
1620                            for more information.
1621
1622              wait-until table record [column[:key]=value]...
1623                     Waits  until  table  contains a record named record whose
1624                     column equals value or, if key is specified, whose column
1625                     contains  a  key  with  the specified value. This command
1626                     supports the same operators and semantics  described  for
1627                     the find command above.
1628
1629                     If  no  column[:key]=value arguments are given, this com‐
1630                     mand waits only until record exists.  If  more  than  one
1631                     such  argument  is  given, the command waits until all of
1632                     them are satisfied.
1633
1634                     Caution (ovs-vsctl as example)
1635                            Usually wait-until should be placed at the  begin‐
1636                            ning  of a set of ovs-vsctl commands. For example,
1637                            wait-until bridge br0  --  get  bridge  br0  data‐
1638                            path_id waits until a bridge named br0 is created,
1639                            then prints its datapath_id  column,  whereas  get
1640                            bridge  br0  datapath_id  -- wait-until bridge br0
1641                            will abort if no  bridge  named  br0  exists  when
1642                            ovs-vsctl initially connects to the database.
1643
1644                     Consider  specifying --timeout=0 along with --wait-until,
1645                     to prevent ovs-vsctl from terminating after waiting  only
1646                     at most 5 seconds.
1647
1648              comment [arg]...
1649                     This  command has no effect on behavior, but any database
1650                     log record created by the command will include  the  com‐
1651                     mand and its arguments.
1652

ENVIRONMENT

1654       OVN_NB_DAEMON
1655              If set, this should name the Unix domain socket for an ovn-nbctl
1656              server process. See Daemon Mode, above, for more information.
1657
1658       OVN_NBCTL_OPTIONS
1659              If set, a set of options for ovn-nbctl to  apply  automatically,
1660              in the same form as on the command line.
1661
1662       OVN_NB_DB
1663              If  set, the default database to contact when the --db option is
1664              not used.
1665

EXIT STATUS

1667       0      Successful program execution.
1668
1669       1      Usage, syntax, or network error.
1670

SEE ALSO

1672       ovn-nb(5), ovn-appctl(8).
1673
1674
1675
1676OVN 22.06.1                        ovn-nbctl                      ovn-nbctl(8)
Impressum