1ovn-trace(8) OVN Manual ovn-trace(8)
2
3
4
6 ovn-trace - Open Virtual Network logical network tracing utility
7
9 ovn-trace [options] [datapath] microflow
10
11 ovn-trace [options] --detach
12
14 This utility simulates packet forwarding within an OVN logical network.
15 It can be used to run through ``what-if’’ scenarios: if a packet origi‐
16 nates at a logical port, what will happen to it and where will it ulti‐
17 mately end up? Users already familiar with the Open vSwitch of‐
18 proto/trace command described in ovs-vswitch(8) will find ovn-trace to
19 be a similar tool for logical networks.
20
21 ovn-trace works by reading the Logical_Flow and other tables from the
22 OVN southbound database (see ovn-sb(5)). It simulates a packet’s path
23 through logical networks by repeatedly looking it up in the logical
24 flow table, following the entire tree of possibilities.
25
26 ovn-trace simulates only the OVN logical network. It does not simulate
27 the physical elements on which the logical network is layered. This
28 means that, for example, it is unimportant how VMs are distributed
29 among hypervisors, or whether their hypervisors are functioning and
30 reachable, so ovn-trace will yield the same results regardless. There
31 is one important exception: ovn-northd, the daemon that generates the
32 logical flows that ovn-trace simulates, treats logical ports differ‐
33 ently based on whether they are up or down. Thus, if you see surprising
34 results, ensure that the ports involved in a simulation are up.
35
36 The simplest way to use ovn-trace is to provide the microflow (and op‐
37 tional datapath) arguments on the command line. In this case, it simu‐
38 lates the behavior of a single packet and exits. For an alternate usage
39 model, see Daemon Mode below.
40
41 The optional datapath argument specifies the name of a logical data‐
42 path. Acceptable names are the name from the northbound Logical_Switch
43 or Logical_Router table, the UUID of a record from one of those tables,
44 or the UUID of a record from the southbound Datapath_Binding table.
45 (The datapath is optional because ovn-trace can figure it out from the
46 inport that the microflow matches.)
47
48 The microflow argument describes the packet whose forwarding is to be
49 simulated, in the syntax of an OVN logical expression, as described in
50 ovn-sb(5), to express constraints. The parser understands prerequi‐
51 sites; for example, if the expression refers to ip4.src, there is no
52 need to explicitly state ip4 or eth.type == 0x800.
53
54 For reasonable L2 behavior, the microflow should include at least in‐
55 port and eth.dst, plus eth.src if port security is enabled. For exam‐
56 ple:
57
58 inport == "lp11" && eth.src == 00:01:02:03:04:05 && eth.dst == ff:ff:ff:ff:ff:ff
59
60
61 For reasonable L3 behavior, microflow should also include ip4.src and
62 ip4.dst (or ip6.src and ip6.dst) and ip.ttl. For example:
63
64 inport == "lp111" && eth.src == f0:00:00:00:01:11 && eth.dst == 00:00:00:00:ff:11
65 && ip4.src == 192.168.11.1 && ip4.dst == 192.168.22.2 && ip.ttl == 64
66
67
68 Here’s an ARP microflow example:
69
70 inport == "lp123"
71 && eth.dst == ff:ff:ff:ff:ff:ff && eth.src == f0:00:00:00:01:11
72 && arp.op == 1 && arp.sha == f0:00:00:00:01:11 && arp.spa == 192.168.1.11
73 && arp.tha == ff:ff:ff:ff:ff:ff && arp.tpa == 192.168.2.22
74
75
76 ovn-trace will reject erroneous microflow expressions, which beyond
77 syntax errors fall into two categories. First, they can be ambiguous.
78 For example, tcp.src == 80 is ambiguous because it does not state IPv4
79 or IPv6 as the Ethernet type. ip4 && tcp.src > 1024 is also ambiguous
80 because it does not constrain bits of tcp.src to particular values.
81 Second, they can be contradictory, e.g. ip4 && ip6.
82
84 ovn-trace supports the three different forms of output, each described
85 in a separate section below. Regardless of the selected output format,
86 ovn-trace starts the output with a line that shows the microflow being
87 traced in OpenFlow syntax.
88
89 Detailed Output
90 The detailed form of output is also the default form. This form groups
91 output into sections headed up by the ingress or egress pipeline being
92 traversed. Each pipeline lists each table that was visited (by number
93 and name), the ovn-northd source file and line number of the code that
94 added the flow, the match expression and priority of the logical flow
95 that was matched, and the actions that were executed.
96
97 The execution of OVN logical actions naturally forms a ``control
98 stack’’ that resembles that of a program in conventional programming
99 languages such as C or Java. Because the next action that calls into
100 another logical flow table for a lookup is a recursive construct, OVN
101 ``programs’’ in practice tend to form deep control stacks that, dis‐
102 played in the obvious way using additional indentation for each level,
103 quickly use up the horizontal space on all but the widest displays. To
104 make detailed output more readable, without loss of generality,
105 ovn-trace omits indentation for ``tail recursion,’’ that is, when next
106 is the last action in a logical flow, it does not indent details of the
107 next table lookup more deeply. Output still uses indentation when it is
108 needed for clarity.
109
110 OVN ``programs’’ traces also tend to encounter long strings of logical
111 flows with match expression 1 (which matches every packet) and the sin‐
112 gle action next;. These are uninteresting and merely clutter output, so
113 ovn-trace omits them entirely even from detailed output.
114
115 The following excerpt from detailed ovn-trace output shows a section
116 for a packet traversing the ingress pipeline of logical datapath ls1
117 with ingress logical port lp111. The packet matches a logical flow in
118 table 0 (aka ls_in_port_sec_l2) with priority 50 and executes next(1);
119 to pass to table 1. Tables 1 through 11 are trivial and omitted. In ta‐
120 ble 19 (aka ls_in_l2_lkup), the packet matches a flow with priority 50
121 based on its Ethernet destination address and the flow’s actions output
122 the packet to the lrp11-attachement logical port.
123
124 ingress(dp="ls1", inport="lp111")
125 ---------------------------------
126 0. ls_in_port_sec_l2: inport == "lp111", priority 50
127 next(1);
128 19. ls_in_l2_lkup: eth.dst == 00:00:00:00:ff:11, priority 50
129 outport = "lrp11-attachment";
130 output;
131
132
133 Summary Output
134 Summary output includes the logical pipelines visited by a packet and
135 the logical actions executed on it. Compared to the detailed output,
136 however, it removes details of tables and logical flows traversed by a
137 packet. It uses a format closer to that of a programming language and
138 does not attempt to avoid indentation. The summary output equivalent to
139 the above detailed output fragment is:
140
141 ingress(dp="ls1", inport="lp111") {
142 outport = "lrp11-attachment";
143 output;
144 ...
145 };
146
147
148 Minimal Output
149 Minimal output includes only actions that modify packet data (not in‐
150 cluding OVN registers or metadata such as outport) and output actions
151 that actually deliver a packet to a logical port (excluding patch
152 ports). The operands of actions that modify packet data are displayed
153 reduced to constants, e.g. ip4.dst = reg0; might be show as ip4.dst =
154 192.168.0.1; if that was the value actually loaded. This yields output
155 even simpler than the summary format. (Users familiar with Open vSwitch
156 may recognize this as similar in spirit to the datapath actions listed
157 at the bottom of ofproto/trace output.)
158
159 The minimal output format reflects the externally seen behavior of the
160 logical networks more than it does the implementation. This makes this
161 output format the most suitable for use in regression tests, because it
162 is least likely to change when logical flow tables are rearranged with‐
163 out semantic change.
164
166 Some OVN logical actions use or update state that is not available in
167 the southbound database. ovn-trace handles these actions as described
168 below:
169
170 ct_next
171 By default ovn-trace treats flows as ``tracked’’ and
172 ``established.’’ See the description of the --ct option
173 for a way to override this behavior.
174
175 ct_dnat (without an argument)
176 Forks the pipeline. In one fork, advances to the next ta‐
177 ble as if next; were executed. The packet is not changed,
178 on the assumption that no NAT state was available. In the
179 other fork, the pipeline continues without change after
180 the ct_dnat action.
181
182 ct_snat (without an argument)
183 This action distinguishes between gateway routers and
184 distributed routers. A gateway router is defined as a
185 logical datapath that contains an l3gateway port; any
186 other logical datapath is a distributed router. On a
187 gateway router, ct_snat; is treated as a no-op. On a dis‐
188 tributed router, it is treated the same way as ct_dnat;.
189
190 ct_dnat(ip)
191 ct_snat(ip)
192 Forks the pipeline. In one fork, sets ip4.dst (or ip4.src)
193 to ip and ct.dnat (or ct.snat) to 1 and advances to the
194 next table as if next; were executed. In the other fork,
195 the pipeline continues without change after the ct_dnat (or
196 ct_snat) action.
197
198 ct_lb;
199 ct_lb(ip[:port]...);
200 Forks the pipeline. In one fork, sets ip4.dst (or ip6.dst)
201 to one of the load-balancer addresses and the destination
202 port to its associated port, if any, and sets ct.dnat to 1.
203 With one or more arguments, gives preference to the address
204 specified on --lb-dst, if any; without arguments, uses the
205 address and port specified on --lb-dst. In the other fork,
206 the pipeline continues without change after the ct_lb ac‐
207 tion.
208
209 ct_commit
210 put_arp
211 put_nd
212 These actions are treated as no-ops.
213
215 If ovn-trace is invoked with the --detach option (see Daemon Options,
216 below), it runs in the background as a daemon and accepts commands from
217 ovs-appctl (or another JSON-RPC client) indefinitely. The currently
218 supported commands are described below.
219
220 trace [options] [datapath] microflow
221 Traces microflow through datapath and replies with the
222 results of the trace. Accepts the options described under
223 Trace Options below.
224
225 exit Causes ovn-trace to gracefully terminate.
226
228 Trace Options
229 --detailed
230 --summary
231 --minimal
232 These options control the form and level of detail in ovn-trace
233 output. If more than one of these options is specified, all of the
234 selected forms are output, in the order listed above, each headed
235 by a banner line. If none of these options is given, --detailed is
236 the default. See Output, above, for a description of each kind of
237 output.
238
239 --all
240 Selects all three forms of output.
241
242 --ovs[=remote]
243 Makes ovn-trace attempt to obtain and display the OpenFlow flows
244 that correspond to each OVN logical flow. To do so, ovn-trace con‐
245 nects to remote (by default, unix:/br-int.mgmt) over OpenFlow and
246 retrieves the flows. If remote is specified, it must be an active
247 OpenFlow connection method described in ovsdb(7).
248
249 To make the best use of the output, it is important to understand
250 the relationship between logical flows and OpenFlow flows. ovn-ar‐
251 chitecture(7), under Architectural Physical Life Cycle of a
252 Packet, describes this relationship. Keep in mind the following
253 points:
254
255 • ovn-trace currently shows all the OpenFlow flows to which a
256 logical flow corresponds, even though an actual packet or‐
257 dinarily matches only one of these.
258
259 • Some logical flows can map to the Open vSwitch ``conjunc‐
260 tive match’’ extension (see ovs-fields(7)). Currently
261 ovn-trace cannot display the flows with conjunction actions
262 that effectively produce the conj_id match.
263
264 • Some logical flows may not be represented in the OpenFlow
265 tables on a given hypervisor, if they could not be used on
266 that hypervisor.
267
268 • Some OpenFlow flows do not correspond to logical flows,
269 such as OpenFlow flows that map between physical and logi‐
270 cal ports. These flows will never show up in a trace.
271
272 • When ovn-trace omits uninteresting logical flows from out‐
273 put, it does not look up the corresponding OpenFlow flows.
274
275 --ct=flags
276 This option sets the ct_state flags that a ct_next logical action
277 will report. The flags must be a comma- or space-separated list of
278 the following connection tracking flags:
279
280 • trk: Include to indicate connection tracking has taken
281 place. (This bit is set automatically even if not listed in
282 flags.
283
284 • new: Include to indicate a new flow.
285
286 • est: Include to indicate an established flow.
287
288 • rel: Include to indicate a related flow.
289
290 • rpl: Include to indicate a reply flow.
291
292 • inv: Include to indicate a connection entry in a bad state.
293
294 • dnat: Include to indicate a packet whose destination IP ad‐
295 dress has been changed.
296
297 • snat: Include to indicate a packet whose source IP address
298 has been changed.
299
300 The ct_next action is used to implement the OVN distributed fire‐
301 wall. For testing, useful flag combinations include:
302
303 • trk,new: A packet in a flow in either direction through a
304 firewall that has not yet been committed (with ct_commit).
305
306 • trk,est: A packet in an established flow going out through
307 a firewall.
308
309 • trk,rpl: A packet coming in through a firewall in reply to
310 an established flow.
311
312 • trk,inv: An invalid packet in either direction.
313
314 A packet might pass through the connection tracker twice in one
315 trip through OVN: once following egress from a VM as it passes
316 outward through a firewall, and once preceding ingress to a second
317 VM as it passes inward through a firewall. Use multiple --ct op‐
318 tions to specify the flags for multiple ct_next actions.
319
320 When --ct is unspecified, or when there are fewer --ct options
321 than ct_next actions, the flags default to trk,est.
322
323 --lb-dst=ip[:port]
324 Sets the IP from VIP pool to use as destination of the packet.
325 --lb-dst is not available in daemon mode.
326
327 --select-id=id
328 Specify the id to be selected by the select action. id must be one
329 of the values listed in the select action. Otherwise, a random id
330 is selected from the list, as if --select-id were not specified.
331 --select-id is not available in daemon mode.
332
333 --friendly-names
334 --no-friendly-names
335 When cloud management systems such as OpenStack are layered on top
336 of OVN, they often use long, human-unfriendly names for ports and
337 datapaths, for example, ones that include entire UUIDs. They do
338 usually include friendlier names, but the long, hard-to-read names
339 are the ones that appear in matches and actions. By default, or
340 with --friendly-names, ovn-trace substitutes these friendlier
341 names for the long names in its output. Use --no-friendly-names to
342 disable this behavior; this option might be useful, for example,
343 if a program is going to parse ovn-trace output.
344
345 Daemon Options
346 --pidfile[=pidfile]
347 Causes a file (by default, program.pid) to be created indicating
348 the PID of the running process. If the pidfile argument is not
349 specified, or if it does not begin with /, then it is created in
350 .
351
352 If --pidfile is not specified, no pidfile is created.
353
354 --overwrite-pidfile
355 By default, when --pidfile is specified and the specified pid‐
356 file already exists and is locked by a running process, the dae‐
357 mon refuses to start. Specify --overwrite-pidfile to cause it to
358 instead overwrite the pidfile.
359
360 When --pidfile is not specified, this option has no effect.
361
362 --detach
363 Runs this program as a background process. The process forks,
364 and in the child it starts a new session, closes the standard
365 file descriptors (which has the side effect of disabling logging
366 to the console), and changes its current directory to the root
367 (unless --no-chdir is specified). After the child completes its
368 initialization, the parent exits.
369
370 --monitor
371 Creates an additional process to monitor this program. If it
372 dies due to a signal that indicates a programming error (SIGA‐
373 BRT, SIGALRM, SIGBUS, SIGFPE, SIGILL, SIGPIPE, SIGSEGV, SIGXCPU,
374 or SIGXFSZ) then the monitor process starts a new copy of it. If
375 the daemon dies or exits for another reason, the monitor process
376 exits.
377
378 This option is normally used with --detach, but it also func‐
379 tions without it.
380
381 --no-chdir
382 By default, when --detach is specified, the daemon changes its
383 current working directory to the root directory after it de‐
384 taches. Otherwise, invoking the daemon from a carelessly chosen
385 directory would prevent the administrator from unmounting the
386 file system that holds that directory.
387
388 Specifying --no-chdir suppresses this behavior, preventing the
389 daemon from changing its current working directory. This may be
390 useful for collecting core files, since it is common behavior to
391 write core dumps into the current working directory and the root
392 directory is not a good directory to use.
393
394 This option has no effect when --detach is not specified.
395
396 --no-self-confinement
397 By default this daemon will try to self-confine itself to work
398 with files under well-known directories determined at build
399 time. It is better to stick with this default behavior and not
400 to use this flag unless some other Access Control is used to
401 confine daemon. Note that in contrast to other access control
402 implementations that are typically enforced from kernel-space
403 (e.g. DAC or MAC), self-confinement is imposed from the user-
404 space daemon itself and hence should not be considered as a full
405 confinement strategy, but instead should be viewed as an addi‐
406 tional layer of security.
407
408 --user=user:group
409 Causes this program to run as a different user specified in
410 user:group, thus dropping most of the root privileges. Short
411 forms user and :group are also allowed, with current user or
412 group assumed, respectively. Only daemons started by the root
413 user accepts this argument.
414
415 On Linux, daemons will be granted CAP_IPC_LOCK and
416 CAP_NET_BIND_SERVICES before dropping root privileges. Daemons
417 that interact with a datapath, such as ovs-vswitchd, will be
418 granted three additional capabilities, namely CAP_NET_ADMIN,
419 CAP_NET_BROADCAST and CAP_NET_RAW. The capability change will
420 apply even if the new user is root.
421
422 On Windows, this option is not currently supported. For security
423 reasons, specifying this option will cause the daemon process
424 not to start.
425
426 Logging Options
427 -v[spec]
428 --verbose=[spec]
429 Sets logging levels. Without any spec, sets the log level for ev‐
430 ery module and destination to dbg. Otherwise, spec is a list of
431 words separated by spaces or commas or colons, up to one from each
432 category below:
433
434 • A valid module name, as displayed by the vlog/list command
435 on ovs-appctl(8), limits the log level change to the speci‐
436 fied module.
437
438 • syslog, console, or file, to limit the log level change to
439 only to the system log, to the console, or to a file, re‐
440 spectively. (If --detach is specified, the daemon closes
441 its standard file descriptors, so logging to the console
442 will have no effect.)
443
444 On Windows platform, syslog is accepted as a word and is
445 only useful along with the --syslog-target option (the word
446 has no effect otherwise).
447
448 • off, emer, err, warn, info, or dbg, to control the log
449 level. Messages of the given severity or higher will be
450 logged, and messages of lower severity will be filtered
451 out. off filters out all messages. See ovs-appctl(8) for a
452 definition of each log level.
453
454 Case is not significant within spec.
455
456 Regardless of the log levels set for file, logging to a file will
457 not take place unless --log-file is also specified (see below).
458
459 For compatibility with older versions of OVS, any is accepted as a
460 word but has no effect.
461
462 -v
463 --verbose
464 Sets the maximum logging verbosity level, equivalent to --ver‐
465 bose=dbg.
466
467 -vPATTERN:destination:pattern
468 --verbose=PATTERN:destination:pattern
469 Sets the log pattern for destination to pattern. Refer to ovs-ap‐
470 pctl(8) for a description of the valid syntax for pattern.
471
472 -vFACILITY:facility
473 --verbose=FACILITY:facility
474 Sets the RFC5424 facility of the log message. facility can be one
475 of kern, user, mail, daemon, auth, syslog, lpr, news, uucp, clock,
476 ftp, ntp, audit, alert, clock2, local0, local1, local2, local3,
477 local4, local5, local6 or local7. If this option is not specified,
478 daemon is used as the default for the local system syslog and lo‐
479 cal0 is used while sending a message to the target provided via
480 the --syslog-target option.
481
482 --log-file[=file]
483 Enables logging to a file. If file is specified, then it is used
484 as the exact name for the log file. The default log file name used
485 if file is omitted is /var/log/ovn/program.log.
486
487 --syslog-target=host:port
488 Send syslog messages to UDP port on host, in addition to the sys‐
489 tem syslog. The host must be a numerical IP address, not a host‐
490 name.
491
492 --syslog-method=method
493 Specify method as how syslog messages should be sent to syslog
494 daemon. The following forms are supported:
495
496 • libc, to use the libc syslog() function. Downside of using
497 this options is that libc adds fixed prefix to every mes‐
498 sage before it is actually sent to the syslog daemon over
499 /dev/log UNIX domain socket.
500
501 • unix:file, to use a UNIX domain socket directly. It is pos‐
502 sible to specify arbitrary message format with this option.
503 However, rsyslogd 8.9 and older versions use hard coded
504 parser function anyway that limits UNIX domain socket use.
505 If you want to use arbitrary message format with older
506 rsyslogd versions, then use UDP socket to localhost IP ad‐
507 dress instead.
508
509 • udp:ip:port, to use a UDP socket. With this method it is
510 possible to use arbitrary message format also with older
511 rsyslogd. When sending syslog messages over UDP socket ex‐
512 tra precaution needs to be taken into account, for example,
513 syslog daemon needs to be configured to listen on the spec‐
514 ified UDP port, accidental iptables rules could be inter‐
515 fering with local syslog traffic and there are some secu‐
516 rity considerations that apply to UDP sockets, but do not
517 apply to UNIX domain sockets.
518
519 • null, to discard all messages logged to syslog.
520
521 The default is taken from the OVS_SYSLOG_METHOD environment vari‐
522 able; if it is unset, the default is libc.
523
524 PKI Options
525 PKI configuration is required to use SSL for the connection to the
526 database (and the switch, if --ovs is specified).
527
528 -p privkey.pem
529 --private-key=privkey.pem
530 Specifies a PEM file containing the private key used as
531 identity for outgoing SSL connections.
532
533 -c cert.pem
534 --certificate=cert.pem
535 Specifies a PEM file containing a certificate that certi‐
536 fies the private key specified on -p or --private-key to be
537 trustworthy. The certificate must be signed by the certifi‐
538 cate authority (CA) that the peer in SSL connections will
539 use to verify it.
540
541 -C cacert.pem
542 --ca-cert=cacert.pem
543 Specifies a PEM file containing the CA certificate for ver‐
544 ifying certificates presented to this program by SSL peers.
545 (This may be the same certificate that SSL peers use to
546 verify the certificate specified on -c or --certificate, or
547 it may be a different one, depending on the PKI design in
548 use.)
549
550 -C none
551 --ca-cert=none
552 Disables verification of certificates presented by SSL
553 peers. This introduces a security risk, because it means
554 that certificates cannot be verified to be those of known
555 trusted hosts.
556
557 Other Options
558 --db database
559 The OVSDB database remote to contact. If the OVN_SB_DB environ‐
560 ment variable is set, its value is used as the default. Other‐
561 wise, the default is unix:/db.sock, but this default is unlikely
562 to be useful outside of single-machine OVN test environments.
563
564 -h
565 --help
566 Prints a brief help message to the console.
567
568 -V
569 --version
570 Prints version information to the console.
571
572
573
574OVN 23.09.2 ovn-trace ovn-trace(8)