1ovn-nbctl(8) OVN Manual ovn-nbctl(8)
2
3
4
6 ovn-nbctl - Open Virtual Network northbound db management utility
7
9 ovn-nbctl [options] command [arg...]
10
12 The ovn-nbctl program configures the OVN_Northbound database by provid‐
13 ing a high-level interface to its configuration database. See ovn-nb(5)
14 for comprehensive documentation of the database schema.
15
16 ovn-nbctl connects to an ovsdb-server process that maintains an
17 OVN_Northbound configuration database. Using this connection, it
18 queries and possibly applies changes to the database, depending on the
19 supplied commands.
20
21 ovn-nbctl can perform any number of commands in a single run, imple‐
22 mented as a single atomic transaction against the database.
23
24 The ovn-nbctl command line begins with global options (see OPTIONS be‐
25 low for details). The global options are followed by one or more com‐
26 mands. Each command should begin with -- by itself as a command-line
27 argument, to separate it from the following commands. (The -- before
28 the first command is optional.) The command itself starts with command-
29 specific options, if any, followed by the command name and any argu‐
30 ments.
31
33 When it is invoked in the most ordinary way, ovn-nbctl connects to an
34 OVSDB server that hosts the northbound database, retrieves a partial
35 copy of the database that is complete enough to do its work, sends a
36 transaction request to the server, and receives and processes the
37 server’s reply. In common interactive use, this is fine, but if the
38 database is large, the step in which ovn-nbctl retrieves a partial copy
39 of the database can take a long time, which yields poor performance
40 overall.
41
42 To improve performance in such a case, ovn-nbctl offers a "daemon
43 mode," in which the user first starts ovn-nbctl running in the back‐
44 ground and afterward uses the daemon to execute operations. Over sev‐
45 eral ovn-nbctl command invocations, this performs better overall be‐
46 cause it retrieves a copy of the database only once at the beginning,
47 not once per program run.
48
49 Use the --detach option to start an ovn-nbctl daemon. With this option,
50 ovn-nbctl prints the name of a control socket to stdout. The client
51 should save this name in environment variable OVN_NB_DAEMON. Under the
52 Bourne shell this might be done like this:
53
54 export OVN_NB_DAEMON=$(ovn-nbctl --pidfile --detach)
55
56
57 When OVN_NB_DAEMON is set, ovn-nbctl automatically and transparently
58 uses the daemon to execute its commands.
59
60 When the daemon is no longer needed, kill it and unset the environment
61 variable, e.g.:
62
63 kill $(cat $OVN_RUNDIR/ovn-nbctl.pid)
64 unset OVN_NB_DAEMON
65
66
67 When using daemon mode, an alternative to the OVN_NB_DAEMON environment
68 variable is to specify a path for the Unix socket. When starting the
69 ovn-nbctl daemon, specify the -u option with a full path to the loca‐
70 tion of the socket file. Here is an exmple:
71
72 ovn-nbctl --detach -u /tmp/mysock.ctl
73
74
75 Then to connect to the running daemon, use the -u option with the full
76 path to the socket created when the daemon was started:
77
78 ovn-nbctl -u /tmp/mysock.ctl show
79
80
81 Daemon Commands
82
83 Daemon mode is internally implemented using the same mechanism used by
84 ovn-appctl. One may also use ovn-appctl directly with the following
85 commands:
86
87 run [options] command [arg...] [-- [options] command [arg...]
88 ...]
89 Instructs the daemon process to run one or more ovn-nbctl
90 commands described above and reply with the results of
91 running these commands. Accepts the --no-wait, --wait,
92 --timeout, --dry-run, --oneline, and the options de‐
93 scribed under Table Formatting Options in addition to the
94 the command-specific options.
95
96 exit Causes ovn-nbctl to gracefully terminate.
97
99 The options listed below affect the behavior of ovn-nbctl as a whole.
100 Some individual commands also accept their own options, which are given
101 just before the command name. If the first command on the command line
102 has options, then those options must be separated from the global op‐
103 tions by --.
104
105 ovn-nbctl also accepts options from the OVN_NBCTL_OPTIONS environment
106 variable, in the same format as on the command line. Options from the
107 command line override those in the environment.
108
109 --no-wait | --wait=none
110 --wait=sb
111 --wait=hv
112 These options control whether and how ovn-nbctl waits for
113 the OVN system to become up-to-date with changes made in an
114 ovn-nbctl invocation.
115
116 By default, or if --no-wait or --wait=none, ovn-nbctl exits
117 immediately after confirming that changes have been commit‐
118 ted to the northbound database, without waiting.
119
120 With --wait=sb, before ovn-nbctl exits, it waits for
121 ovn-northd to bring the southbound database up-to-date with
122 the northbound database updates.
123
124 With --wait=hv, before ovn-nbctl exits, it additionally
125 waits for all OVN chassis (hypervisors and gateways) to be‐
126 come up-to-date with the northbound database updates. (This
127 can become an indefinite wait if any chassis is malfunc‐
128 tioning.)
129
130 Ordinarily, --wait=sb or --wait=hv only waits for changes
131 by the current ovn-nbctl invocation to take effect. This
132 means that, if none of the commands supplied to ovn-nbctl
133 change the database, then the command does not wait at all.
134 Use the sync command to override this behavior.
135
136 --db database
137 The OVSDB database remote to contact. If the OVN_NB_DB en‐
138 vironment variable is set, its value is used as the de‐
139 fault. Otherwise, the default is unix:/ovnnb_db.sock, but
140 this default is unlikely to be useful outside of single-ma‐
141 chine OVN test environments.
142
143 --leader-only
144 --no-leader-only
145 By default, or with --leader-only, when the database server
146 is a clustered database, ovn-nbctl will avoid servers other
147 than the cluster leader. This ensures that any data that
148 ovn-nbctl reads and reports is up-to-date. With
149 --no-leader-only, ovn-nbctl will use any server in the
150 cluster, which means that for read-only transactions it can
151 report and act on stale data (transactions that modify the
152 database are always serialized even with --no-leader-only).
153 Refer to Understanding Cluster Consistency in ovsdb(7) for
154 more information.
155
156 --shuffle-remotes
157 --no-shuffle-remotes
158 By default, or with --shuffle-remotes, when there are mul‐
159 tiple remotes specified in the OVSDB connection string
160 specified by --db or the OVN_NB_DB environment variable,
161 the order of the remotes will be shuffled before the client
162 tries to connect. The remotes will be shuffled only once to
163 a new order before the first connection attempt. The fol‐
164 lowing retries, if any, will follow the same new order. The
165 default behavior is to make sure clients of a clustered
166 database can distribute evenly to all memembers of the
167 cluster. With --no-shuffle-remotes, ovn-nbctl will use the
168 original order specified in the connection string to con‐
169 nect. This allows user to specify the preferred order,
170 which is particularly useful for testing.
171
172 --no-syslog
173 By default, ovn-nbctl logs its arguments and the details of
174 any changes that it makes to the system log. This option
175 disables this logging.
176
177 This option is equivalent to --verbose=nbctl:syslog:warn.
178
179 --oneline
180 Modifies the output format so that the output for each com‐
181 mand is printed on a single line. New-line characters that
182 would otherwise separate lines are printed as \fB\\n\fR,
183 and any instances of \fB\\\fR that would otherwise appear
184 in the output are doubled. Prints a blank line for each
185 command that has no output. This option does not affect the
186 formatting of output from the list or find commands; see
187 Table Formatting Options below.
188
189 --dry-run
190 Prevents ovn-nbctl from actually modifying the database.
191
192 -t secs
193 --timeout=secs
194 By default, or with a secs of 0, ovn-nbctl waits forever
195 for a response from the database. This option limits run‐
196 time to approximately secs seconds. If the timeout expires,
197 ovn-nbctl will exit with a SIGALRM signal. (A timeout would
198 normally happen only if the database cannot be contacted,
199 or if the system is overloaded.)
200
201 --print-wait-time
202 When --wait is specified, the option --print-wait-time can
203 be used to print the time spent on waiting, depending on
204 the value specified in --wait option. If --wait=sb is
205 specified, it prints "ovn-northd delay before processing",
206 which is the time between the Northbound DB update by the
207 command and the moment when ovn-northd starts processing
208 the update, and "ovn-northd completion", which is the time
209 between the Northbound DB update and the moment when
210 ovn-northd completes the Southbound DB updating success‐
211 fully. If --wait=hv is specified, in addition to the above
212 information, it also prints "ovn-controller(s) completion",
213 which is the time between the Northbound DB update and the
214 moment when the slowest hypervisor finishes processing the
215 update.
216
217 Daemon Options
218 --pidfile[=pidfile]
219 Causes a file (by default, program.pid) to be created indicating
220 the PID of the running process. If the pidfile argument is not
221 specified, or if it does not begin with /, then it is created in
222 .
223
224 If --pidfile is not specified, no pidfile is created.
225
226 --overwrite-pidfile
227 By default, when --pidfile is specified and the specified pid‐
228 file already exists and is locked by a running process, the dae‐
229 mon refuses to start. Specify --overwrite-pidfile to cause it to
230 instead overwrite the pidfile.
231
232 When --pidfile is not specified, this option has no effect.
233
234 --detach
235 Runs this program as a background process. The process forks,
236 and in the child it starts a new session, closes the standard
237 file descriptors (which has the side effect of disabling logging
238 to the console), and changes its current directory to the root
239 (unless --no-chdir is specified). After the child completes its
240 initialization, the parent exits.
241
242 --monitor
243 Creates an additional process to monitor this program. If it
244 dies due to a signal that indicates a programming error (SIGA‐
245 BRT, SIGALRM, SIGBUS, SIGFPE, SIGILL, SIGPIPE, SIGSEGV, SIGXCPU,
246 or SIGXFSZ) then the monitor process starts a new copy of it. If
247 the daemon dies or exits for another reason, the monitor process
248 exits.
249
250 This option is normally used with --detach, but it also func‐
251 tions without it.
252
253 --no-chdir
254 By default, when --detach is specified, the daemon changes its
255 current working directory to the root directory after it de‐
256 taches. Otherwise, invoking the daemon from a carelessly chosen
257 directory would prevent the administrator from unmounting the
258 file system that holds that directory.
259
260 Specifying --no-chdir suppresses this behavior, preventing the
261 daemon from changing its current working directory. This may be
262 useful for collecting core files, since it is common behavior to
263 write core dumps into the current working directory and the root
264 directory is not a good directory to use.
265
266 This option has no effect when --detach is not specified.
267
268 --no-self-confinement
269 By default this daemon will try to self-confine itself to work
270 with files under well-known directories determined at build
271 time. It is better to stick with this default behavior and not
272 to use this flag unless some other Access Control is used to
273 confine daemon. Note that in contrast to other access control
274 implementations that are typically enforced from kernel-space
275 (e.g. DAC or MAC), self-confinement is imposed from the user-
276 space daemon itself and hence should not be considered as a full
277 confinement strategy, but instead should be viewed as an addi‐
278 tional layer of security.
279
280 --user=user:group
281 Causes this program to run as a different user specified in
282 user:group, thus dropping most of the root privileges. Short
283 forms user and :group are also allowed, with current user or
284 group assumed, respectively. Only daemons started by the root
285 user accepts this argument.
286
287 On Linux, daemons will be granted CAP_IPC_LOCK and
288 CAP_NET_BIND_SERVICES before dropping root privileges. Daemons
289 that interact with a datapath, such as ovs-vswitchd, will be
290 granted three additional capabilities, namely CAP_NET_ADMIN,
291 CAP_NET_BROADCAST and CAP_NET_RAW. The capability change will
292 apply even if the new user is root.
293
294 On Windows, this option is not currently supported. For security
295 reasons, specifying this option will cause the daemon process
296 not to start.
297
298 Logging options
299 -v[spec]
300 --verbose=[spec]
301 Sets logging levels. Without any spec, sets the log level for ev‐
302 ery module and destination to dbg. Otherwise, spec is a list of
303 words separated by spaces or commas or colons, up to one from each
304 category below:
305
306 • A valid module name, as displayed by the vlog/list command
307 on ovs-appctl(8), limits the log level change to the speci‐
308 fied module.
309
310 • syslog, console, or file, to limit the log level change to
311 only to the system log, to the console, or to a file, re‐
312 spectively. (If --detach is specified, the daemon closes
313 its standard file descriptors, so logging to the console
314 will have no effect.)
315
316 On Windows platform, syslog is accepted as a word and is
317 only useful along with the --syslog-target option (the word
318 has no effect otherwise).
319
320 • off, emer, err, warn, info, or dbg, to control the log
321 level. Messages of the given severity or higher will be
322 logged, and messages of lower severity will be filtered
323 out. off filters out all messages. See ovs-appctl(8) for a
324 definition of each log level.
325
326 Case is not significant within spec.
327
328 Regardless of the log levels set for file, logging to a file will
329 not take place unless --log-file is also specified (see below).
330
331 For compatibility with older versions of OVS, any is accepted as a
332 word but has no effect.
333
334 -v
335 --verbose
336 Sets the maximum logging verbosity level, equivalent to --ver‐
337 bose=dbg.
338
339 -vPATTERN:destination:pattern
340 --verbose=PATTERN:destination:pattern
341 Sets the log pattern for destination to pattern. Refer to ovs-ap‐
342 pctl(8) for a description of the valid syntax for pattern.
343
344 -vFACILITY:facility
345 --verbose=FACILITY:facility
346 Sets the RFC5424 facility of the log message. facility can be one
347 of kern, user, mail, daemon, auth, syslog, lpr, news, uucp, clock,
348 ftp, ntp, audit, alert, clock2, local0, local1, local2, local3,
349 local4, local5, local6 or local7. If this option is not specified,
350 daemon is used as the default for the local system syslog and lo‐
351 cal0 is used while sending a message to the target provided via
352 the --syslog-target option.
353
354 --log-file[=file]
355 Enables logging to a file. If file is specified, then it is used
356 as the exact name for the log file. The default log file name used
357 if file is omitted is /var/log/ovn/program.log.
358
359 --syslog-target=host:port
360 Send syslog messages to UDP port on host, in addition to the sys‐
361 tem syslog. The host must be a numerical IP address, not a host‐
362 name.
363
364 --syslog-method=method
365 Specify method as how syslog messages should be sent to syslog
366 daemon. The following forms are supported:
367
368 • libc, to use the libc syslog() function. Downside of using
369 this options is that libc adds fixed prefix to every mes‐
370 sage before it is actually sent to the syslog daemon over
371 /dev/log UNIX domain socket.
372
373 • unix:file, to use a UNIX domain socket directly. It is pos‐
374 sible to specify arbitrary message format with this option.
375 However, rsyslogd 8.9 and older versions use hard coded
376 parser function anyway that limits UNIX domain socket use.
377 If you want to use arbitrary message format with older
378 rsyslogd versions, then use UDP socket to localhost IP ad‐
379 dress instead.
380
381 • udp:ip:port, to use a UDP socket. With this method it is
382 possible to use arbitrary message format also with older
383 rsyslogd. When sending syslog messages over UDP socket ex‐
384 tra precaution needs to be taken into account, for example,
385 syslog daemon needs to be configured to listen on the spec‐
386 ified UDP port, accidental iptables rules could be inter‐
387 fering with local syslog traffic and there are some secu‐
388 rity considerations that apply to UDP sockets, but do not
389 apply to UNIX domain sockets.
390
391 • null, to discard all messages logged to syslog.
392
393 The default is taken from the OVS_SYSLOG_METHOD environment vari‐
394 able; if it is unset, the default is libc.
395
396 Table Formatting Options
397 These options control the format of output from the list and find com‐
398 mands.
399
400 -f format
401 --format=format
402 Sets the type of table formatting. The following types of
403 format are available:
404
405 table 2-D text tables with aligned columns.
406
407 list (default)
408 A list with one column per line and rows separated
409 by a blank line.
410
411 html HTML tables.
412
413 csv Comma-separated values as defined in RFC 4180.
414
415 json JSON format as defined in RFC 4627. The output is a
416 sequence of JSON objects, each of which corresponds
417 to one table. Each JSON object has the following
418 members with the noted values:
419
420 caption
421 The table’s caption. This member is omitted
422 if the table has no caption.
423
424 headings
425 An array with one element per table column.
426 Each array element is a string giving the
427 corresponding column’s heading.
428
429 data An array with one element per table row. Each
430 element is also an array with one element per
431 table column. The elements of this second-
432 level array are the cells that constitute the
433 table. Cells that represent OVSDB data or
434 data types are expressed in the format de‐
435 scribed in the OVSDB specification; other
436 cells are simply expressed as text strings.
437
438 -d format
439 --data=format
440 Sets the formatting for cells within output tables unless
441 the table format is set to json, in which case json format‐
442 ting is always used when formatting cells. The following
443 types of format are available:
444
445 string (default)
446 The simple format described in the Database Values
447 section of ovs-vsctl(8).
448
449 bare The simple format with punctuation stripped off: []
450 and {} are omitted around sets, maps, and empty col‐
451 umns, items within sets and maps are space-sepa‐
452 rated, and strings are never quoted. This format may
453 be easier for scripts to parse.
454
455 json The RFC 4627 JSON format as described above.
456
457 --no-headings
458 This option suppresses the heading row that otherwise ap‐
459 pears in the first row of table output.
460
461 --pretty
462 By default, JSON in output is printed as compactly as pos‐
463 sible. This option causes JSON in output to be printed in a
464 more readable fashion. Members of objects and elements of
465 arrays are printed one per line, with indentation.
466
467 This option does not affect JSON in tables, which is always
468 printed compactly.
469
470 --bare
471 Equivalent to --format=list --data=bare --no-headings.
472
473 PKI Options
474 PKI configuration is required to use SSL for the connection to the
475 database.
476
477 -p privkey.pem
478 --private-key=privkey.pem
479 Specifies a PEM file containing the private key used as
480 identity for outgoing SSL connections.
481
482 -c cert.pem
483 --certificate=cert.pem
484 Specifies a PEM file containing a certificate that certi‐
485 fies the private key specified on -p or --private-key to be
486 trustworthy. The certificate must be signed by the certifi‐
487 cate authority (CA) that the peer in SSL connections will
488 use to verify it.
489
490 -C cacert.pem
491 --ca-cert=cacert.pem
492 Specifies a PEM file containing the CA certificate for ver‐
493 ifying certificates presented to this program by SSL peers.
494 (This may be the same certificate that SSL peers use to
495 verify the certificate specified on -c or --certificate, or
496 it may be a different one, depending on the PKI design in
497 use.)
498
499 -C none
500 --ca-cert=none
501 Disables verification of certificates presented by SSL
502 peers. This introduces a security risk, because it means
503 that certificates cannot be verified to be those of known
504 trusted hosts.
505
506 --bootstrap-ca-cert=cacert.pem
507 When cacert.pem exists, this option has the same effect
508 as -C or --ca-cert. If it does not exist, then the exe‐
509 cutable will attempt to obtain the CA certificate from
510 the SSL peer on its first SSL connection and save it to
511 the named PEM file. If it is successful, it will immedi‐
512 ately drop the connection and reconnect, and from then on
513 all SSL connections must be authenticated by a certifi‐
514 cate signed by the CA certificate thus obtained.
515
516 This option exposes the SSL connection to a man-in-the-
517 middle attack obtaining the initial CA certificate, but
518 it may be useful for bootstrapping.
519
520 This option is only useful if the SSL peer sends its CA
521 certificate as part of the SSL certificate chain. The SSL
522 protocol does not require the server to send the CA cer‐
523 tificate.
524
525 This option is mutually exclusive with -C and --ca-cert.
526
527 Other Options
528 -h
529 --help
530 Prints a brief help message to the console.
531
532 -V
533 --version
534 Prints version information to the console.
535
537 The following sections describe the commands that ovn-nbctl supports.
538
539 General Commands
540 init Initializes the database, if it is empty. If the database has
541 already been initialized, this command has no effect.
542
543 show [switch | router]
544 Prints a brief overview of the database contents. If switch is
545 provided, only records related to that logical switch are shown.
546 If router is provided, only records related to that logical
547 router are shown.
548
549 Logical Switch Commands
550 ls-add Creates a new, unnamed logical switch, which initially has no
551 ports. The switch does not have a name, other commands must re‐
552 fer to this switch by its UUID.
553
554 [--may-exist | --add-duplicate] ls-add switch
555 Creates a new logical switch named switch, which initially has
556 no ports.
557
558 The OVN northbound database schema does not require logical
559 switch names to be unique, but the whole point to the names is
560 to provide an easy way for humans to refer to the switches, mak‐
561 ing duplicate names unhelpful. Thus, without any options, this
562 command regards it as an error if switch is a duplicate name.
563 With --may-exist, adding a duplicate name succeeds but does not
564 create a new logical switch. With --add-duplicate, the command
565 really creates a new logical switch with a duplicate name. It is
566 an error to specify both options. If there are multiple logical
567 switches with a duplicate name, configure the logical switches
568 using the UUID instead of the switch name.
569
570 [--if-exists] ls-del switch
571 Deletes switch. It is an error if switch does not exist, unless
572 --if-exists is specified.
573
574 ls-list
575 Lists all existing switches on standard output, one per line.
576
577 ACL Commands
578 These commands operates on ACL objects for a given entity. The entity
579 can be either a logical switch or a port group. The entity can be spec‐
580 ified as uuid or name. The --type option can be used to specify the
581 type of the entity, in case both a logical switch and a port groups ex‐
582 ist with the same name specified for entity. type must be either switch
583 or port-group.
584
585 [--type={switch | port-group}] [--log] [--meter=meter] [--sever‐
586 ity=severity] [--name=name] [--label=label] [--may-exist] [--ap‐
587 ply-after-lb] acl-add entity direction priority match verdict
588 Adds the specified ACL to entity. direction must be ei‐
589 ther from-lport or to-lport. priority must be between 0
590 and 32767, inclusive. A full description of the fields
591 are in ovn-nb(5). If --may-exist is specified, adding a
592 duplicated ACL succeeds but the ACL is not really cre‐
593 ated. Without --may-exist, adding a duplicated ACL re‐
594 sults in error.
595
596 The --log option enables packet logging for the ACL. The
597 options --severity and --name specify a severity and
598 name, respectively, for log entries (and also enable log‐
599 ging). The severity must be one of alert, warning, no‐
600 tice, info, or debug. If a severity is not specified, the
601 default is info. The --meter=meter option is used to
602 rate-limit packet logging. The meter argument names a me‐
603 ter configured by meter-add.
604
605 The --apply-after-lb option sets apply-after-lb=true in
606 the options column of the ACL table. As the option name
607 suggests, the ACL will be applied after the logical
608 switch load balancer stage.
609
610 [--type={switch | port-group}] acl-del entity [direction [prior‐
611 ity match]]
612 Deletes ACLs from entity. If only entity is supplied, all
613 the ACLs from the entity are deleted. If direction is
614 also specified, then all the flows in that direction will
615 be deleted from the entity. If all the fields are given,
616 then a single flow that matches all the fields will be
617 deleted.
618
619 [--type={switch | port-group}] acl-list entity
620 Lists the ACLs on entity.
621
622 Logical Switch QoS Rule Commands
623 [--may-exist] qos-add switch direction priority match [dscp=dscp]
624 [rate=rate [burst=burst]]
625 Adds QoS marking and metering rules to switch. direction must be
626 either from-lport or to-lport. priority must be between 0 and
627 32767, inclusive.
628
629 If dscp=dscp is specified, then matching packets will have DSCP
630 marking applied. dscp must be between 0 and 63, inclusive. If
631 rate=rate is specified then matching packets will have metering
632 applied at rate kbps. If metering is configured, then
633 burst=burst specifies the burst rate limit in kilobits. dscp
634 and/or rate are required arguments.
635
636 If --may-exist is specified, adding a duplicated QoS rule suc‐
637 ceeds but the QoS rule is not really created. Without --may-ex‐
638 ist, adding a duplicated QoS rule results in error.
639
640 qos-del switch [direction [priority match]]
641 Deletes QoS rules from switch. If only switch is supplied, all
642 the QoS rules from the logical switch are deleted. If direction
643 is also specified, then all the flows in that direction will be
644 deleted from the logical switch. If all the fields are supplied,
645 then a single flow that matches the given fields will be
646 deleted.
647
648 If switch and uuid are supplied, then the QoS rule with sepci‐
649 fied uuid is deleted.
650
651 qos-list switch
652 Lists the QoS rules on switch.
653
654 Meter Commands
655 meter-add name action rate unit [burst]
656 Adds the specified meter. name must be a unique name to identify
657 this meter. The action argument specifies what should happen
658 when this meter is exceeded. The only supported action is drop.
659
660 The unit specifies the unit for the rate argument; valid values
661 are kbps and pktps for kilobits per second and packets per sec‐
662 ond, respectively. The burst option configures the maximum burst
663 allowed for the band in kilobits or packets depending on whether
664 the unit chosen was kbps or pktps, respectively. If a burst is
665 not supplied, the switch is free to select some reasonable value
666 depending on its configuration.
667
668 ovn-nbctl only supports adding a meter with a single band, but
669 the other commands support meters with multiple bands.
670
671 Names that start with "__" (two underscores) are reserved for
672 internal use by OVN, so ovn-nbctl does not allow adding them.
673
674 meter-del [name]
675 Deletes meters. By default, all meters are deleted. If name is
676 supplied, only the meter with that name will be deleted.
677
678 meter-list
679 Lists all meters.
680
681 Logical Switch Port Commands
682 [--may-exist] lsp-add switch port
683 Creates on lswitch a new logical switch port named port.
684
685 It is an error if a logical port named port already exists, un‐
686 less --may-exist is specified. Regardless of --may-exist, it is
687 an error if the existing port is in some logical switch other
688 than switch or if it has a parent port.
689
690 [--may-exist] lsp-add switch port parent tag_request
691 Creates on switch a logical switch port named port that is a
692 child of parent that is identified with VLAN ID tag_request,
693 which must be between 0 and 4095, inclusive. If tag_request is
694 0, ovn-northd generates a tag that is unique in the scope of
695 parent. This is useful in cases such as virtualized container
696 environments where Open vSwitch does not have a direct connec‐
697 tion to the container’s port and it must be shared with the vir‐
698 tual machine’s port.
699
700 It is an error if a logical port named port already exists, un‐
701 less --may-exist is specified. Regardless of --may-exist, it is
702 an error if the existing port is not in switch or if it does not
703 have the specified parent and tag_request.
704
705 [--if-exists] lsp-del port
706 Deletes port. It is an error if port does not exist, unless
707 --if-exists is specified.
708
709 lsp-list switch
710 Lists all the logical switch ports within switch on standard
711 output, one per line.
712
713 lsp-get-parent port
714 If set, get the parent port of port. If not set, print nothing.
715
716 lsp-get-tag port
717 If set, get the tag for port traffic. If not set, print nothing.
718
719 lsp-set-addresses port [address]...
720 Sets the addresses associated with port to address. Each address
721 should be one of the following:
722
723 an Ethernet address, optionally followed by a space and one or
724 more IP addresses
725 OVN delivers packets for the Ethernet address to this
726 port.
727
728 unknown
729 OVN delivers unicast Ethernet packets whose destination
730 MAC address is not in any logical port’s addresses column
731 to ports with address unknown.
732
733 dynamic
734 Use this keyword to make ovn-northd generate a globally
735 unique MAC address and choose an unused IPv4 address with
736 the logical port’s subnet and store them in the port’s
737 dynamic_addresses column.
738
739 router Accepted only when the type of the logical switch port is
740 router. This indicates that the Ethernet, IPv4, and IPv6
741 addresses for this logical switch port should be obtained
742 from the connected logical router port, as specified by
743 router-port in lsp-set-options.
744
745 Multiple addresses may be set. If no address argument is given,
746 port will have no addresses associated with it.
747
748 lsp-get-addresses port
749 Lists all the addresses associated with port on standard output,
750 one per line.
751
752 lsp-set-port-security port [addrs]...
753 Sets the port security addresses associated with port to addrs.
754 Multiple sets of addresses may be set by using multiple addrs
755 arguments. If no addrs argument is given, port will not have
756 port security enabled.
757
758 Port security limits the addresses from which a logical port may
759 send packets and to which it may receive packets. See the
760 ovn-nb(5) documentation for the port_security column in the Log‐
761 ical_Switch_Port table for details.
762
763 lsp-get-port-security port
764 Lists all the port security addresses associated with port on
765 standard output, one per line.
766
767 lsp-get-up port
768 Prints the state of port, either up or down.
769
770 lsp-set-enabled port state
771 Set the administrative state of port, either enabled or dis‐
772 abled. When a port is disabled, no traffic is allowed into or
773 out of the port.
774
775 lsp-get-enabled port
776 Prints the administrative state of port, either enabled or dis‐
777 abled.
778
779 lsp-set-type port type
780 Set the type for the logical port. The type must be one of the
781 following:
782
783 (empty string)
784 A VM (or VIF) interface.
785
786 router A connection to a logical router.
787
788 localnet
789 A connection to a locally accessible network from each
790 ovn-controller instance. A logical switch can only have a
791 single localnet port attached. This is used to model di‐
792 rect connectivity to an existing network.
793
794 localport
795 A connection to a local VIF. Traffic that arrives on a
796 localport is never forwarded over a tunnel to another
797 chassis. These ports are present on every chassis and
798 have the same address in all of them. This is used to
799 model connectivity to local services that run on every
800 hypervisor.
801
802 l2gateway
803 A connection to a physical network.
804
805 vtep A port to a logical switch on a VTEP gateway.
806
807 lsp-get-type port
808 Get the type for the logical port.
809
810 lsp-set-options port [key=value]...
811 Set type-specific key-value options for the logical port.
812
813 lsp-get-options port
814 Get the type-specific options for the logical port.
815
816 lsp-set-dhcpv4-options port dhcp_options
817 Set the DHCPv4 options for the logical port. The dhcp_options is
818 a UUID referring to a set of DHCP options in the DHCP_Options
819 table.
820
821 lsp-get-dhcpv4-options port
822 Get the configured DHCPv4 options for the logical port.
823
824 lsp-set-dhcpv6-options port dhcp_options
825 Set the DHCPv6 options for the logical port. The dhcp_options is
826 a UUID referring to a set of DHCP options in the DHCP_Options
827 table.
828
829 lsp-get-dhcpv6-options port
830 Get the configured DHCPv6 options for the logical port.
831
832 lsp-get-ls port
833 Get the logical switch which the port belongs to.
834
835 Forwarding Group Commands
836 [--liveness]fwd-group-add group switch vip vmac ports
837 Creates a new forwarding group named group as the name with the
838 provided vip and vmac. vip should be a virtual IP address and
839 vmac should be a virtual MAC address to access the forwarding
840 group. ports are the logical switch port names that are put in
841 the forwarding group. Example for ports is lsp1 lsp2 ... Traffic
842 destined to virtual IP of the forwarding group will be load bal‐
843 anced to all the child ports.
844
845 When --liveness is specified then child ports are expected to be
846 bound to external devices like routers. BFD should be configured
847 between hypervisors and the external devices. The child port se‐
848 lection will become dependent on BFD status with its external
849 device.
850
851 [--if-exists] fwd-group-del group
852 Deletes group. It is an error if group does not exist, unless
853 --if-exists is specified.
854
855 fwd-group-list [switch]
856 Lists all existing forwarding groups, If switch is specified
857 then only the forwarding groups configured for switch will be
858 listed.
859
860 Logical Router Commands
861 lr-add Creates a new, unnamed logical router, which initially has no
862 ports. The router does not have a name, other commands must re‐
863 fer to this router by its UUID.
864
865 [--may-exist | --add-duplicate] lr-add router
866 Creates a new logical router named router, which initially has
867 no ports.
868
869 The OVN northbound database schema does not require logical
870 router names to be unique, but the whole point to the names is
871 to provide an easy way for humans to refer to the routers, mak‐
872 ing duplicate names unhelpful. Thus, without any options, this
873 command regards it as an error if router is a duplicate name.
874 With --may-exist, adding a duplicate name succeeds but does not
875 create a new logical router. With --add-duplicate, the command
876 really creates a new logical router with a duplicate name. It is
877 an error to specify both options. If there are multiple logical
878 routers with a duplicate name, configure the logical routers us‐
879 ing the UUID instead of the router name.
880
881 [--if-exists] lr-del router
882 Deletes router. It is an error if router does not exist, unless
883 --if-exists is specified.
884
885 lr-list
886 Lists all existing routers on standard output, one per line.
887
888 Logical Router Port Commands
889 [--may-exist] lrp-add router port mac network... [peer=peer]
890 Creates on router a new logical router port named port with Eth‐
891 ernet address mac and one or more IP address/netmask for each
892 network.
893
894 The optional argument peer identifies a logical router port that
895 connects to this one. The following example adds a router port
896 with an IPv4 and IPv6 address with peer lr1:
897
898 lrp-add lr0 lrp0 00:11:22:33:44:55 192.168.0.1/24 2001:db8::1/64
899 peer=lr1
900
901 It is an error if a logical router port named port already ex‐
902 ists, unless --may-exist is specified. Regardless of --may-ex‐
903 ist, it is an error if the existing router port is in some logi‐
904 cal router other than router.
905
906 [--if-exists] lrp-del port
907 Deletes port. It is an error if port does not exist, unless
908 --if-exists is specified.
909
910 lrp-list router
911 Lists all the logical router ports within router on standard
912 output, one per line.
913
914 lrp-set-enabled port state
915 Set the administrative state of port, either enabled or dis‐
916 abled. When a port is disabled, no traffic is allowed into or
917 out of the port.
918
919 lrp-get-enabled port
920 Prints the administrative state of port, either enabled or dis‐
921 abled.
922
923 lrp-set-gateway-chassis port chassis [priority]
924 Set gateway chassis for port. chassis is the name of the chas‐
925 sis. This creates a gateway chassis entry in Gateway_Chassis ta‐
926 ble. It won’t check if chassis really exists in OVN_Southbound
927 database. Priority will be set to 0 if priority is not provided
928 by user. priority must be between 0 and 32767, inclusive.
929
930 lrp-del-gateway-chassis port chassis
931 Deletes gateway chassis from port. It is an error if gateway
932 chassis with chassis for port does not exist.
933
934 lrp-get-gateway-chassis port
935 Lists all the gateway chassis with priority within port on stan‐
936 dard output, one per line, ordered based on priority.
937
938 Logical Router Static Route Commands
939 [--may-exist] [--policy=POLICY] [--ecmp] [--ecmp-symmetric-reply]
940 [--bfd[=UUID]] lr-route-add router prefix nexthop [port]
941 Adds the specified route to router. prefix describes an IPv4 or
942 IPv6 prefix for this route, such as 192.168.100.0/24. nexthop
943 specifies the gateway to use for this route, which should be the
944 IP address of one of router logical router ports or the IP ad‐
945 dress of a logical port. If port is specified, packets that
946 match this route will be sent out that port. When port is omit‐
947 ted, OVN infers the output port based on nexthop. Nexthop can be
948 set to discard for dropping packets which match the given route.
949
950 --policy describes the policy used to make routing decisions.
951 This should be one of "dst-ip" or "src-ip". If not specified,
952 the default is "dst-ip".
953
954 The --ecmp option allows for multiple routes with the same pre‐
955 fix POLICY but different nexthop and port to be added.
956
957 The --ecmp-symmetric-reply option makes it so that traffic that
958 arrives over an ECMP route will have its reply traffic sent out
959 over that same route. Setting --ecmp-symmetric-reply implies
960 --ecmp so it is not necessary to set both.
961
962 --bfd option is used to link a BFD session to the OVN route. If
963 the BFD session UUID is provided, it will be used for the OVN
964 route otherwise the next-hop will be used to perform a lookup in
965 the OVN BFD table. If the lookup fails and port is specified, a
966 new entry in the BFD table will be created using the nexthop as
967 dst_ip and port as logical_port.
968
969 It is an error if a route with prefix and POLICY already exists,
970 unless --may-exist, --ecmp, or --ecmp-symmetric-reply is speci‐
971 fied. If --may-exist is specified but not --ecmp or --ecmp-sym‐
972 metric-reply, the existed route will be updated with the new
973 nexthop and port. If --ecmp or --ecmp-symmetric-reply is speci‐
974 fied, a new route will be added, regardless of the existed
975 route., which is useful when adding ECMP routes, i.e. routes
976 with same POLICY and prefix but different nexthop and port.
977
978 [--if-exists] [--policy=POLICY] lr-route-del router [prefix [nexthop
979 [port]]]
980 Deletes routes from router. If only router is supplied, all the
981 routes from the logical router are deleted. If POLICY, prefix,
982 nexthop and/or port are also specified, then all the routes that
983 match the conditions will be deleted from the logical router.
984
985 It is an error if there is no matching route entry, unless
986 --if-exists is specified.
987
988 lr-route-list router
989 Lists the routes on router.
990
991 Logical Router Policy Commands
992 [--may-exist]lr-policy-add router priority match action [nexthop[,nex‐
993 thop,...]] [options key=value]]
994 Add Policy to router which provides a way to configure per‐
995 mit/deny and reroute policies on the router. Permit/deny poli‐
996 cies are similar to OVN ACLs, but exist on the logical-router.
997 Reroute policies are needed for service-insertion and service-
998 chaining. nexthop is an optional parameter. It needs to be pro‐
999 vided only when action is reroute. Multiple nexthops can be
1000 specified for ECMP routing. A policy is uniquely identified by
1001 priority and match. Multiple policies can have the same prior‐
1002 ity. options sets the router policy options as key-value pair.
1003 The supported option is : pkt_mark.
1004
1005 If --may-exist is specified, adding a duplicated routing policy
1006 with the same priority and match string is not really created.
1007 Without --may-exist, adding a duplicated routing policy results
1008 in error.
1009
1010 The following example shows a policy to lr1, which will drop
1011 packets from192.168.100.0/24.
1012
1013 lr-policy-add lr1 100 ip4.src == 192.168.100.0/24 drop.
1014
1015 lr-policy-add lr1 100 ip4.src == 192.168.100.0/24 allow
1016 pkt_mark=100 .
1017
1018 [--if-exists] lr-policy-del router [{priority | uuid} [match]]
1019 Deletes polices from router. If only router is supplied, all the
1020 polices from the logical router are deleted. If priority and/or
1021 match are also specified, then all the polices that match the
1022 conditions will be deleted from the logical router.
1023
1024 If router and uuid are supplied, then the policy with sepcified
1025 uuid is deleted. It is an error if uuid does not exist, unless
1026 --if-exists is specified.
1027
1028 lr-policy-list router
1029 Lists the polices on router.
1030
1031 NAT Commands
1032 [--may-exist] [--stateless] [--gateway_port=GATEWAY_PORT] lr-nat-add
1033 router type external_ip logical_ip [logical_port external_mac]
1034 Adds the specified NAT to router. The type must be one of snat,
1035 dnat, or dnat_and_snat. The external_ip is an IPv4 address. The
1036 logical_ip is an IPv4 network (e.g 192.168.1.0/24) or an IPv4
1037 address. The logical_port and external_mac are only accepted
1038 when router is a distributed router (rather than a gateway
1039 router) and type is dnat_and_snat. The logical_port is the name
1040 of an existing logical switch port where the logical_ip resides.
1041 The external_mac is an Ethernet address.
1042
1043 When --stateless is specified then it implies that we will be
1044 not use connection tracker, i.e internal ip and external ip are
1045 1:1 mapped. This implies that --stateless is applicable only to
1046 dnat_and_snat type NAT rules. An external ip with --stateless
1047 NAT cannot be shared with any other NAT rule.
1048
1049 --gateway-port option allows specifying the distributed gateway
1050 port of router where the NAT rule needs to be applied. GATE‐
1051 WAY_PORT should reference a Logical_Router_Port row that is a
1052 distributed gateway port of router. When router has multiple
1053 distributed gateway ports, it is an error to not specify the
1054 GATEWAY_PORT.
1055
1056 When type is dnat, the externally visible IP address external_ip
1057 is DNATted to the IP address logical_ip in the logical space.
1058
1059 When type is snat, IP packets with their source IP address that
1060 either matches the IP address in logical_ip or is in the network
1061 provided by logical_ip is SNATed into the IP address in exter‐
1062 nal_ip.
1063
1064 When type is dnat_and_snat, the externally visible IP address
1065 external_ip is DNATted to the IP address logical_ip in the logi‐
1066 cal space. In addition, IP packets with the source IP address
1067 that matches logical_ip is SNATed into the IP address in exter‐
1068 nal_ip.
1069
1070 When the logical_port and external_mac are specified, the NAT
1071 rule will be programmed on the chassis where the logical_port
1072 resides. This includes ARP replies for the external_ip, which
1073 return the value of external_mac. All packets transmitted with
1074 source IP address equal to external_ip will be sent using the
1075 external_mac.
1076
1077 It is an error if a NAT already exists with the same values of
1078 router, type, external_ip, logical_ip and GATEWAY_PORT (in case
1079 of multiple distributed gateway ports), unless --may-exist is
1080 specified. When --may-exist, logical_port, and external_mac are
1081 all specified, the existing values of logical_port and exter‐
1082 nal_mac are overwritten.
1083
1084 [--if-exists] lr-nat-del router [type [ip] [gateway_port]]
1085 Deletes NATs from router. If only router is supplied, all the
1086 NATs from the logical router are deleted. If type is also speci‐
1087 fied, then all the NATs that match the type will be deleted from
1088 the logical router. If ip is also specified without specifying
1089 gateway_port, then all the NATs that match the type and ip will
1090 be deleted from the logical router. If gateway_port is specified
1091 without specifying ip, then all the NATs that match the type and
1092 gateway_port will be deleted from the logical router. If all the
1093 fields are given, then a single NAT rule that matches all the
1094 fields will be deleted. When type is snat, the ip should be log‐
1095 ical_ip. When type is dnat or dnat_and_snat, the ip shoud be ex‐
1096 ternal_ip.
1097
1098 It is an error if both ip and gateway_port are specified and
1099 there is no matching NAT entry, unless --if-exists is specified.
1100
1101 lr-nat-list router
1102 Lists the NATs on router.
1103
1104 Load Balancer Commands
1105 [--may-exist | --add-duplicate | --reject | --event] lb-add lb vip ips
1106 [protocol]
1107 Creates a new load balancer named lb with the provided vip and
1108 ips or adds the vip to an existing lb. vip should be a virtual
1109 IP address (or an IP address and a port number with : as a sepa‐
1110 rator). Examples for vip are 192.168.1.4, fd0f::1, and
1111 192.168.1.5:8080. ips should be comma separated IP endpoints (or
1112 comma separated IP addresses and port numbers with : as a sepa‐
1113 rator). ips must be the same address family as vip. Examples for
1114 ips are 10.0.0.1,10.0.0.2or [fdef::1]:8800,[fdef::2]:8800.
1115
1116 The optional argument protocol must be either tcp, udp or sctp.
1117 This argument is useful when a port number is provided as part
1118 of the vip. If the protocol is unspecified and a port number is
1119 provided as part of the vip, OVN assumes the protocol to be tcp.
1120
1121 It is an error if the vip already exists in the load balancer
1122 named lb, unless --may-exist is specified. With --add-duplicate,
1123 the command really creates a new load balancer with a duplicate
1124 name.
1125
1126 If the load balancer is created with --reject option and it has
1127 no active backends, a TCP reset segment (for tcp) or an ICMP
1128 port unreachable packet (for all other kind of traffic) will be
1129 sent whenever an incoming packet is received for this load-bal‐
1130 ancer. Please note using --reject option will disable empty_lb
1131 SB controller event for this load balancer.
1132
1133 If the load balancer is created with --event option and it has
1134 no active backends, whenever the lb receives traffic, the event
1135 is reported in the Controller_Event table in the SB db. Please
1136 note --event option can’t be specified with --reject one.
1137
1138 The following example adds a load balancer.
1139
1140 lb-add lb0 30.0.0.10:80
1141 192.168.10.10:80,192.168.10.20:80,192.168.10.30:80 udp
1142
1143 [--if-exists] lb-del lb [vip]
1144 Deletes lb or the vip from lb. If vip is supplied, only the vip
1145 will be deleted from the lb. If only the lb is supplied, the lb
1146 will be deleted. It is an error if vip does not already exist in
1147 lb, unless --if-exists is specified.
1148
1149 lb-list [lb]
1150 Lists the LBs. If lb is also specified, then only the specified
1151 lb will be listed.
1152
1153 [--may-exist] ls-lb-add switch lb
1154 Adds the specified lb to switch. It is an error if a load bal‐
1155 ancer named lb already exists in the switch, unless --may-exist
1156 is specified.
1157
1158 [--if-exists] ls-lb-del switch [lb]
1159 Removes lb from switch. If only switch is supplied, all the LBs
1160 from the logical switch are removed. If lb is also specified,
1161 then only the lb will be removed from the logical switch. It is
1162 an error if lb does not exist in the switch, unless --if-exists
1163 is specified.
1164
1165 ls-lb-list switch
1166 Lists the LBs for the given switch.
1167
1168 [--may-exist] lr-lb-add router lb
1169 Adds the specified lb to router. It is an error if a load bal‐
1170 ancer named lb already exists in the router, unless --may-exist
1171 is specified.
1172
1173 [--if-exists] lr-lb-del router [lb]
1174 Removes lb from router. If only router is supplied, all the LBs
1175 from the logical router are removed. If lb is also specified,
1176 then only the lb will be removed from the logical router. It is
1177 an error if lb does not exist in the router, unless --if-exists
1178 is specified.
1179
1180 lr-lb-list router
1181 Lists the LBs for the given router.
1182
1183 DHCP Options commands
1184 dhcp-options-create cidr [key=value]
1185 Creates a new DHCP Options entry in the DHCP_Options table with
1186 the specified cidr and optional external-ids.
1187
1188 dhcp-options-list
1189 Lists the DHCP Options entries.
1190
1191 dhcp-options-del dhcp-option
1192 Deletes the DHCP Options entry referred by dhcp-option UUID.
1193
1194 dhcp-options-set-options dhcp-option [key=value]...
1195 Set the DHCP Options for the dhcp-option UUID.
1196
1197 dhcp-options-get-options dhcp-option
1198 Lists the DHCP Options for the dhcp-option UUID.
1199
1200 Port Group commands
1201 pg-add group [port]...
1202 Creates a new port group in the Port_Group table named group
1203 with optional ports added to the group.
1204
1205 pg-set-ports group port...
1206 Sets ports on the port group named group. It is an error if
1207 group does not exist.
1208
1209 pg-del group
1210 Deletes port group group. It is an error if group does not ex‐
1211 ist.
1212
1213 HA Chassis Group commands
1214 ha-chassis-group-add group
1215 Creates a new HA chassis group in the HA_Chassis_Group table
1216 named group.
1217
1218 ha-chassis-group-del group
1219 Deletes the HA chassis group group. It is an error if group does
1220 not exist.
1221
1222 ha-chassis-group-list
1223 Lists the HA chassis group group along with the HA chassis if
1224 any associated with it.
1225
1226 ha-chassis-group-add-chassis group chassis priority
1227 Adds a new HA chassis chassis to the HA Chassis group group with
1228 the specified priority. If the chassis already exists, then the
1229 priority is updated. The chassis should be the name of the chas‐
1230 sis in the OVN_Southbound.
1231
1232 ha-chassis-group-remove-chassis group chassis
1233 Removes the HA chassis chassis from the HA chassis group group.
1234 It is an error if chassis does not exist.
1235
1236 Control Plane Protection Policy commands
1237 These commands manage meters configured in Copp table linking them to
1238 logical datapaths through copp column in Logical_Switch or Logi‐
1239 cal_Router tables. Protocol packets for which CoPP is enforced when
1240 sending packets to ovn-controller (if configured):
1241
1242 • ARP
1243
1244 • ND_NS
1245
1246 • ND_NA
1247
1248 • ND_RA
1249
1250 • ND
1251
1252 • DNS
1253
1254 • IGMP
1255
1256 • packets that require ARP resolution before forwarding
1257
1258 • packets that require ND_NS before forwarding
1259
1260 • packets that need to be replied to with ICMP Errors
1261
1262 • packets that need to be replied to with TCP RST
1263
1264 • packets that need to be replied to with DHCP_OPTS
1265
1266 • packets that trigger a reject action
1267
1268 • packets that trigger a SCTP abort action
1269
1270 • controller_events
1271
1272 • BFD
1273
1274 copp-add name proto meter
1275 Adds the control proto to meter mapping to the control
1276 plane protection policy name. If no policy exists yet, it
1277 creates one. If a mapping already existed for proto, this
1278 will overwrite it.
1279
1280 copp-del name [proto]
1281 Removes the control proto mapping for the name control
1282 plane protection policy. If proto is not specified, the
1283 whole control plane protection policy is destroyed.
1284
1285 copp-list name
1286 Display the current control plane protection policy for
1287 name.
1288
1289 ls-copp-add name switch
1290 Adds the control plane protection policy name to the log‐
1291 ical switch switch.
1292
1293 lr-copp-add name router
1294 Adds the control plane protection policy name to the log‐
1295 ical router router.
1296
1297 Synchronization Commands
1298 sync Ordinarily, --wait=sb or --wait=hv only waits for changes by the
1299 current ovn-nbctl invocation to take effect. This means that, if
1300 none of the commands supplied to ovn-nbctl change the database,
1301 then the command does not wait at all. With the sync command,
1302 however, ovn-nbctl waits even for earlier changes to the data‐
1303 base to propagate down to the southbound database or all of the
1304 OVN chassis, according to the argument to --wait.
1305
1306 Remote Connectivity Commands
1307 These commands manipulate the connections column in the NB_Global table
1308 and rows in the Connection table. When ovsdb-server is configured to
1309 use the connections column for OVSDB connections, this allows the ad‐
1310 ministrator to use ovn-nbctl to configure database connections.
1311
1312 get-connection
1313 Prints the configured connection(s).
1314
1315 del-connection
1316 Deletes the configured connection(s).
1317
1318 [--inactivity-probe=msecs] set-connection target...
1319 Sets the configured manager target or targets. Use --in‐
1320 activity-probe=msecs to override the default idle connec‐
1321 tion inactivity probe time. Use 0 to disable inactivity
1322 probes.
1323
1324 SSL Configuration Commands
1325 get-ssl
1326 Prints the SSL configuration.
1327
1328 del-ssl
1329 Deletes the current SSL configuration.
1330
1331 [--bootstrap] set-ssl private-key certificate ca-cert [ssl-protocol-
1332 list [ssl-cipher-list]]
1333 Sets the SSL configuration.
1334
1335 Database Commands
1336 These commands query and modify the contents of ovsdb tables. They are
1337 a slight abstraction of the ovsdb interface and as such they operate at
1338 a lower level than other ovn-nbctl commands.
1339
1340 Identifying Tables, Records, and Columns
1341
1342 Each of these commands has a table parameter to identify a table within
1343 the database. Many of them also take a record parameter that identifies
1344 a particular record within a table. The record parameter may be the
1345 UUID for a record, which may be abbreviated to its first 4 (or more)
1346 hex digits, as long as that is unique. Many tables offer additional
1347 ways to identify records. Some commands also take column parameters
1348 that identify a particular field within the records in a table.
1349
1350 For a list of tables and their columns, see ovn-nb(5) or see the table
1351 listing from the --help option.
1352
1353 Record names must be specified in full and with correct capitalization,
1354 except that UUIDs may be abbreviated to their first 4 (or more) hex
1355 digits, as long as that is unique within the table. Names of tables and
1356 columns are not case-sensitive, and - and _ are treated interchange‐
1357 ably. Unique abbreviations of table and column names are acceptable,
1358 e.g. d or dhcp is sufficient to identify the DHCP_Options table.
1359
1360 Database Values
1361
1362 Each column in the database accepts a fixed type of data. The currently
1363 defined basic types, and their representations, are:
1364
1365 integer
1366 A decimal integer in the range -2**63 to 2**63-1, inclu‐
1367 sive.
1368
1369 real A floating-point number.
1370
1371 Boolean
1372 True or false, written true or false, respectively.
1373
1374 string An arbitrary Unicode string, except that null bytes are
1375 not allowed. Quotes are optional for most strings that
1376 begin with an English letter or underscore and consist
1377 only of letters, underscores, hyphens, and periods. How‐
1378 ever, true and false and strings that match the syntax of
1379 UUIDs (see below) must be enclosed in double quotes to
1380 distinguish them from other basic types. When double
1381 quotes are used, the syntax is that of strings in JSON,
1382 e.g. backslashes may be used to escape special charac‐
1383 ters. The empty string must be represented as a pair of
1384 double quotes ("").
1385
1386 UUID Either a universally unique identifier in the style of
1387 RFC 4122, e.g. f81d4fae-7dec-11d0-a765-00a0c91e6bf6, or
1388 an @name defined by a get or create command within the
1389 same ovs-vsctl invocation.
1390
1391 Multiple values in a single column may be separated by spaces or a sin‐
1392 gle comma. When multiple values are present, duplicates are not al‐
1393 lowed, and order is not important. Conversely, some database columns
1394 can have an empty set of values, represented as [], and square brackets
1395 may optionally enclose other non-empty sets or single values as well.
1396
1397 A few database columns are ``maps’’ of key-value pairs, where the key
1398 and the value are each some fixed database type. These are specified in
1399 the form key=value, where key and value follow the syntax for the col‐
1400 umn’s key type and value type, respectively. When multiple pairs are
1401 present (separated by spaces or a comma), duplicate keys are not al‐
1402 lowed, and again the order is not important. Duplicate values are al‐
1403 lowed. An empty map is represented as {}. Curly braces may optionally
1404 enclose non-empty maps as well (but use quotes to prevent the shell
1405 from expanding other-config={0=x,1=y} into other-config=0=x other-con‐
1406 fig=1=y, which may not have the desired effect).
1407
1408 Database Command Syntax
1409
1410 [--if-exists] [--columns=column[,column]...] list table
1411 [record]...
1412 Lists the data in each specified record. If no records
1413 are specified, lists all the records in table.
1414
1415 If --columns is specified, only the requested columns are
1416 listed, in the specified order. Otherwise, all columns
1417 are listed, in alphabetical order by column name.
1418
1419 Without --if-exists, it is an error if any specified
1420 record does not exist. With --if-exists, the command ig‐
1421 nores any record that does not exist, without producing
1422 any output.
1423
1424 [--columns=column[,column]...] find table [col‐
1425 umn[:key]=value]...
1426 Lists the data in each record in table whose column
1427 equals value or, if key is specified, whose column con‐
1428 tains a key with the specified value. The following oper‐
1429 ators may be used where = is written in the syntax sum‐
1430 mary:
1431
1432 = != < > <= >=
1433 Selects records in which column[:key] equals, does
1434 not equal, is less than, is greater than, is less
1435 than or equal to, or is greater than or equal to
1436 value, respectively.
1437
1438 Consider column[:key] and value as sets of ele‐
1439 ments. Identical sets are considered equal. Other‐
1440 wise, if the sets have different numbers of ele‐
1441 ments, then the set with more elements is consid‐
1442 ered to be larger. Otherwise, consider a element
1443 from each set pairwise, in increasing order within
1444 each set. The first pair that differs determines
1445 the result. (For a column that contains key-value
1446 pairs, first all the keys are compared, and values
1447 are considered only if the two sets contain iden‐
1448 tical keys.)
1449
1450 {=} {!=}
1451 Test for set equality or inequality, respectively.
1452
1453 {<=} Selects records in which column[:key] is a subset
1454 of value. For example, flood-vlans{<=}1,2 selects
1455 records in which the flood-vlans column is the
1456 empty set or contains 1 or 2 or both.
1457
1458 {<} Selects records in which column[:key] is a proper
1459 subset of value. For example, flood-vlans{<}1,2
1460 selects records in which the flood-vlans column is
1461 the empty set or contains 1 or 2 but not both.
1462
1463 {>=} {>}
1464 Same as {<=} and {<}, respectively, except that
1465 the relationship is reversed. For example,
1466 flood-vlans{>=}1,2 selects records in which the
1467 flood-vlans column contains both 1 and 2.
1468
1469 The following operators are available only in Open
1470 vSwitch 2.16 and later:
1471
1472 {in} Selects records in which every element in col‐
1473 umn[:key] is also in value. (This is the same as
1474 {<=}.)
1475
1476 {not-in}
1477 Selects records in which every element in col‐
1478 umn[:key] is not in value.
1479
1480 For arithmetic operators (= != < > <= >=), when key is
1481 specified but a particular record’s column does not con‐
1482 tain key, the record is always omitted from the results.
1483 Thus, the condition other-config:mtu!=1500 matches
1484 records that have a mtu key whose value is not 1500, but
1485 not those that lack an mtu key.
1486
1487 For the set operators, when key is specified but a par‐
1488 ticular record’s column does not contain key, the compar‐
1489 ison is done against an empty set. Thus, the condition
1490 other-config:mtu{!=}1500 matches records that have a mtu
1491 key whose value is not 1500 and those that lack an mtu
1492 key.
1493
1494 Don’t forget to escape < or > from interpretation by the
1495 shell.
1496
1497 If --columns is specified, only the requested columns are
1498 listed, in the specified order. Otherwise all columns are
1499 listed, in alphabetical order by column name.
1500
1501 The UUIDs shown for rows created in the same ovs-vsctl
1502 invocation will be wrong.
1503
1504 [--if-exists] [--id=@name] get table record [column[:key]]...
1505 Prints the value of each specified column in the given
1506 record in table. For map columns, a key may optionally be
1507 specified, in which case the value associated with key in
1508 the column is printed, instead of the entire map.
1509
1510 Without --if-exists, it is an error if record does not
1511 exist or key is specified, if key does not exist in
1512 record. With --if-exists, a missing record yields no out‐
1513 put and a missing key prints a blank line.
1514
1515 If @name is specified, then the UUID for record may be
1516 referred to by that name later in the same ovs-vsctl in‐
1517 vocation in contexts where a UUID is expected.
1518
1519 Both --id and the column arguments are optional, but usu‐
1520 ally at least one or the other should be specified. If
1521 both are omitted, then get has no effect except to verify
1522 that record exists in table.
1523
1524 --id and --if-exists cannot be used together.
1525
1526 [--if-exists] set table record column[:key]=value...
1527 Sets the value of each specified column in the given
1528 record in table to value. For map columns, a key may op‐
1529 tionally be specified, in which case the value associated
1530 with key in that column is changed (or added, if none ex‐
1531 ists), instead of the entire map.
1532
1533 Without --if-exists, it is an error if record does not
1534 exist. With --if-exists, this command does nothing if
1535 record does not exist.
1536
1537 [--if-exists] add table record column [key=]value...
1538 Adds the specified value or key-value pair to column in
1539 record in table. If column is a map, then key is re‐
1540 quired, otherwise it is prohibited. If key already exists
1541 in a map column, then the current value is not replaced
1542 (use the set command to replace an existing value).
1543
1544 Without --if-exists, it is an error if record does not
1545 exist. With --if-exists, this command does nothing if
1546 record does not exist.
1547
1548 [--if-exists] remove table record column value...
1549
1550 [--if-exists] remove table record column key...
1551
1552 [--if-exists] remove table record column key=value...
1553 Removes the specified values or key-value pairs from col‐
1554 umn in record in table. The first form applies to columns
1555 that are not maps: each specified value is removed from
1556 the column. The second and third forms apply to map col‐
1557 umns: if only a key is specified, then any key-value pair
1558 with the given key is removed, regardless of its value;
1559 if a value is given then a pair is removed only if both
1560 key and value match.
1561
1562 It is not an error if the column does not contain the
1563 specified key or value or pair.
1564
1565 Without --if-exists, it is an error if record does not
1566 exist. With --if-exists, this command does nothing if
1567 record does not exist.
1568
1569 [--if-exists] clear table record column...
1570 Sets each column in record in table to the empty set or
1571 empty map, as appropriate. This command applies only to
1572 columns that are allowed to be empty.
1573
1574 Without --if-exists, it is an error if record does not
1575 exist. With --if-exists, this command does nothing if
1576 record does not exist.
1577
1578 [--id=@name] create table column[:key]=value...
1579 Creates a new record in table and sets the initial values
1580 of each column. Columns not explicitly set will receive
1581 their default values. Outputs the UUID of the new row.
1582
1583 If @name is specified, then the UUID for the new row may
1584 be referred to by that name elsewhere in the same \*(PN
1585 invocation in contexts where a UUID is expected. Such
1586 references may precede or follow the create command.
1587
1588 Caution (ovs-vsctl as example)
1589 Records in the Open vSwitch database are signifi‐
1590 cant only when they can be reached directly or in‐
1591 directly from the Open_vSwitch table. Except for
1592 records in the QoS or Queue tables, records that
1593 are not reachable from the Open_vSwitch table are
1594 automatically deleted from the database. This
1595 deletion happens immediately, without waiting for
1596 additional ovs-vsctl commands or other database
1597 activity. Thus, a create command must generally be
1598 accompanied by additional commands within the same
1599 ovs-vsctl invocation to add a chain of references
1600 to the newly created record from the top-level
1601 Open_vSwitch record. The EXAMPLES section gives
1602 some examples that show how to do this.
1603
1604 [--if-exists] destroy table record...
1605 Deletes each specified record from table. Unless --if-ex‐
1606 ists is specified, each records must exist.
1607
1608 --all destroy table
1609 Deletes all records from the table.
1610
1611 Caution (ovs-vsctl as example)
1612 The destroy command is only useful for records in
1613 the QoS or Queue tables. Records in other tables
1614 are automatically deleted from the database when
1615 they become unreachable from the Open_vSwitch ta‐
1616 ble. This means that deleting the last reference
1617 to a record is sufficient for deleting the record
1618 itself. For records in these tables, destroy is
1619 silently ignored. See the EXAMPLES section below
1620 for more information.
1621
1622 wait-until table record [column[:key]=value]...
1623 Waits until table contains a record named record whose
1624 column equals value or, if key is specified, whose column
1625 contains a key with the specified value. This command
1626 supports the same operators and semantics described for
1627 the find command above.
1628
1629 If no column[:key]=value arguments are given, this com‐
1630 mand waits only until record exists. If more than one
1631 such argument is given, the command waits until all of
1632 them are satisfied.
1633
1634 Caution (ovs-vsctl as example)
1635 Usually wait-until should be placed at the begin‐
1636 ning of a set of ovs-vsctl commands. For example,
1637 wait-until bridge br0 -- get bridge br0 data‐
1638 path_id waits until a bridge named br0 is created,
1639 then prints its datapath_id column, whereas get
1640 bridge br0 datapath_id -- wait-until bridge br0
1641 will abort if no bridge named br0 exists when
1642 ovs-vsctl initially connects to the database.
1643
1644 Consider specifying --timeout=0 along with --wait-until,
1645 to prevent ovs-vsctl from terminating after waiting only
1646 at most 5 seconds.
1647
1648 comment [arg]...
1649 This command has no effect on behavior, but any database
1650 log record created by the command will include the com‐
1651 mand and its arguments.
1652
1654 OVN_NB_DAEMON
1655 If set, this should name the Unix domain socket for an ovn-nbctl
1656 server process. See Daemon Mode, above, for more information.
1657
1658 OVN_NBCTL_OPTIONS
1659 If set, a set of options for ovn-nbctl to apply automatically,
1660 in the same form as on the command line.
1661
1662 OVN_NB_DB
1663 If set, the default database to contact when the --db option is
1664 not used.
1665
1667 0 Successful program execution.
1668
1669 1 Usage, syntax, or network error.
1670
1672 ovn-nb(5), ovn-appctl(8).
1673
1674
1675
1676OVN 22.06.1 ovn-nbctl ovn-nbctl(8)