ovn-ic-sb(5)                  Open vSwitch Manual                 ovn-ic-sb(5)

NAME

       ovn-ic-sb - OVN_IC_Southbound database schema

       This database holds configuration and state for interconnecting
       different OVN deployments. The content of the database is populated
       and used by the ovn-ic program in each OVN deployment, and is not
       supposed to be used directly by the CMS or end users.

       The OVN Interconnection Southbound database is shared by the ovn-ic
       program in each OVN deployment. It contains interconnection
       information from all related OVN deployments, and is used as the
       intermediate store through which the OVN deployments exchange that
       information. The ovn-ic program in each deployment is responsible for
       syncing the data between this database and its own northbound and
       southbound databases.

   Database Structure
       The OVN Interconnection Southbound database contains classes of data
       with different properties, as described in the sections below.

     Availability Zone Specific Information

       These tables contain objects that are availability zone specific. Each
       object is owned and populated by one availability zone, and read by
       other availability zones.

       The Availability_Zone, Gateway, Encap and Port_Binding tables are the
       availability zone specific tables.

     Global Information

       Data that does not belong to any specific availability zone but is
       common to all availability zones.

       The Datapath_Binding table contains the common datapath binding
       information.

     Common Columns

       Each of the tables in this database contains a special column, named
       external_ids. This column has the same form and purpose each place it
       appears.

              external_ids: map of string-string pairs
                     Key-value pairs for use by ovn-ic.

TABLE SUMMARY

       The following list summarizes the purpose of each of the tables in the
       OVN_IC_Southbound database. Each table is described in more detail on
       a later page.

       Table               Purpose
       IC_SB_Global        IC Southbound configuration
       Availability_Zone   Availability Zone Information
       Gateway             Interconnection Gateway Information
       Encap               Encapsulation Types
       Datapath_Binding    Transit Switch Datapath Bindings
       Port_Binding        Transit Port Bindings
       Route               Route
       Connection          OVSDB client connections.
       SSL                 SSL configuration.

IC_SB_Global TABLE

       Interconnection Southbound configuration. This table must have exactly
       one row.

   Summary:
       Common Columns:
         external_ids                map of string-string pairs
         options                     map of string-string pairs
       Connection Options:
         connections                 set of Connections
         ssl                         optional SSL

   Details:
     Common Columns:

       external_ids: map of string-string pairs
              See External IDs at the beginning of this document.

       options: map of string-string pairs

     Connection Options:

       connections: set of Connections
              Database clients to which the Open vSwitch database server
              should connect or on which it should listen, along with options
              for how these connections should be configured. See the
              Connection table for more information.

       ssl: optional SSL
              Global SSL configuration.

Availability_Zone TABLE

       Each row in this table represents an Availability Zone. Each OVN
       deployment is considered an availability zone from the OVN control
       plane perspective, with its own central components, such as the
       northbound and southbound databases and the ovn-northd daemon.

   Summary:
       name                          string (must be unique within table)

   Details:
       name: string (must be unique within table)
              A name that uniquely identifies the availability zone.

Gateway TABLE

       Each row in this table represents an interconnection gateway chassis
       in an availability zone.

   Summary:
       name                          string (must be unique within table)
       availability_zone             Availability_Zone
       hostname                      string
       Common Columns:
         external_ids                map of string-string pairs
       Encapsulation Configuration:
         encaps                      set of 1 or more Encaps

   Details:
       name: string (must be unique within table)
              The name of the gateway. See the name column of the OVN
              Southbound database’s Chassis table.

       availability_zone: Availability_Zone
              The availability zone that the gateway belongs to.

       hostname: string
              The hostname of the gateway.

     Common Columns:

       The overall purpose of these columns is described under Common Columns
       at the beginning of this document.

       external_ids: map of string-string pairs

     Encapsulation Configuration:

       OVN uses encapsulation to transmit logical dataplane packets between
       gateways.

       encaps: set of 1 or more Encaps
              Points to supported encapsulation configurations to transmit
              logical dataplane packets to this gateway. Each entry is an
              Encap record that describes the configuration. See the encaps
              column of the OVN Southbound database’s Chassis table.

Encap TABLE

       The encaps column in the Gateway table refers to rows in this table to
       identify how OVN may transmit logical dataplane packets to this
       gateway.

   Summary:
       type                          string, one of geneve, stt, or vxlan
       options                       map of string-string pairs
       ip                            string
       gateway_name                  string

   Details:
       type: string, one of geneve, stt, or vxlan
              The encapsulation to use to transmit packets to this gateway.
              See type column of the OVN Southbound database’s Encap table.

       options: map of string-string pairs
              Options for configuring the encapsulation, which may be type
              specific. See options column of the OVN Southbound database’s
              Encap table.

       ip: string
              The IPv4 address of the encapsulation tunnel endpoint.

       gateway_name: string
              The name of the gateway that created this encap.

Datapath_Binding TABLE

       Each row in this table represents a logical datapath for a transit
       logical switch configured in the OVN Interconnection Northbound
       database’s Transit_Switch table.

   Summary:
       transit_switch                string
       tunnel_key                    integer, in range 1 to 16,777,215 (must
                                     be unique within table)
       Common Columns:
         external_ids                map of string-string pairs

   Details:
       transit_switch: string
              The name of the transit logical switch that is configured in the
              OVN Interconnection Northbound database’s Transit_Switch table.

       tunnel_key: integer, in range 1 to 16,777,215 (must be unique within
       table)
              The tunnel key value to which the logical datapath is bound. The
              key can be generated by any ovn-ic but the same key is shared by
              all availability zones so that the logical datapaths can be
              peered across them. A tunnel key for transit switch datapath
              binding must be globally unique.

              For more information about the meanings of a tunnel key, see
              tunnel_key column of the OVN Southbound database’s
              Datapath_Binding table.

     Common Columns:

       The overall purpose of these columns is described under Common Columns
       at the beginning of this document.

       external_ids: map of string-string pairs

Port_Binding TABLE

       Each row in this table binds a logical port on the transit switch to a
       physical gateway and a tunnel key. Each port on the transit switch
       belongs to a specific availability zone.

   Summary:
       Core Features:
         transit_switch              string
         logical_port                string (must be unique within table)
         availability_zone           Availability_Zone
         encap                       optional weak reference to Encap
         gateway                     string
         tunnel_key                  integer, in range 1 to 32,767
         address                     string
       Common Columns:
         external_ids                map of string-string pairs

   Details:
     Core Features:

       transit_switch: string
              The name of the transit switch that the corresponding logical
              port belongs to.

       logical_port: string (must be unique within table)
              A logical port, taken from name in the OVN_Northbound database’s
              Logical_Switch_Port table. The logical port name must be unique
              across all availability zones.

       availability_zone: Availability_Zone
              The availability zone that the port belongs to.

       encap: optional weak reference to Encap
              Points to supported encapsulation configurations to transmit
              logical dataplane packets to this gateway. Each entry is an
              Encap record that describes the configuration.

       gateway: string
              The name of the gateway on which this port is physically
              located.

       tunnel_key: integer, in range 1 to 32,767
              A number that represents the logical port in the key (e.g. STT
              key or Geneve TLV) field carried within tunnel protocol packets.
              The key can be generated by any ovn-ic but the same key is
              shared by all availability zones so that the packets can go
              through the datapath pipelines of different availability zones.

              The tunnel ID must be unique within the scope of a logical
              datapath.

              For more information about tunnel key, see tunnel_key column of
              the OVN Southbound database’s Port_Binding table.

       address: string
              The Ethernet address and IP addresses used by the corresponding
              logical router port peering with the transit switch port. It is
              a string that combines the value of the mac column followed by
              the values in the networks column of the Logical_Router_Port
              table.

     Common Columns:

       external_ids: map of string-string pairs
              See External IDs at the beginning of this document.

Route TABLE

       Each row in this table represents an advertised route.

   Summary:
       Core Features:
         transit_switch              string
         availability_zone           Availability_Zone
         route_table                 string
         ip_prefix                   string
         nexthop                     string
         origin                      string, either connected or static
       Common Columns:
         external_ids                map of string-string pairs

   Details:
     Core Features:

       transit_switch: string
              The name of the transit switch upon which the route is
              advertised.

       availability_zone: Availability_Zone
              The availability zone that has advertised the route.

       route_table: string
              Route table within which this route was created. An empty value
              means the <main> routing table.

              Routes for directly connected networks are learned into the
              <main> routing table. If Logical Routers are interconnected by
              more than one Transit Switch, directly connected routes are
              added via each transit switch port and configured as ECMP
              routes.

              Static routes within route tables are advertised and learned
              only if the interconnecting transit switch’s LRPs have the same
              value in options:route_table as the NB route_table or the ICSB
              route_table value, respectively.

       ip_prefix: string
              IP prefix of this route (e.g. 192.168.100.0/24).

       nexthop: string
              Nexthop IP address for this route.

       origin: string, either connected or static
              Can be one of connected or static. Routes to directly connected
              subnets (the LRP’s CIDRs) are inserted into the OVN IC SB DB
              with the connected value in origin. Static routes are inserted
              into the OVN IC SB DB with the static value. When a route is
              then learned into another AZ’s NB DB by ovn-ic, the route origin
              is synced to options:origin.

     Common Columns:

       external_ids: map of string-string pairs
              See External IDs at the beginning of this document.

Connection TABLE

       Configuration for a database connection to an Open vSwitch database
       (OVSDB) client.

       This table primarily configures the Open vSwitch database server
       (ovsdb-server).

       The Open vSwitch database server can initiate and maintain active
       connections to remote clients. It can also listen for database
       connections.

   Summary:
       Core Features:
         target                      string (must be unique within table)
       Client Failure Detection and Handling:
         max_backoff                 optional integer, at least 1,000
         inactivity_probe            optional integer
       Status:
         is_connected                boolean
         status : last_error         optional string
         status : state              optional string, one of ACTIVE, BACKOFF,
                                     CONNECTING, IDLE, or VOID
         status : sec_since_connect  optional string, containing an integer,
                                     at least 0
         status : sec_since_disconnect
                                     optional string, containing an integer,
                                     at least 0
         status : locks_held         optional string
         status : locks_waiting      optional string
         status : locks_lost         optional string
         status : n_connections      optional string, containing an integer,
                                     at least 2
         status : bound_port         optional string, containing an integer
       Common Columns:
         external_ids                map of string-string pairs
         other_config                map of string-string pairs

   Details:
     Core Features:

       target: string (must be unique within table)
              Connection methods for clients.

              The following connection methods are currently supported:

              ssl:host[:port]
                     The specified SSL port on the given host, which can
                     either be a DNS name (if built with unbound library) or
                     an IP address. A valid SSL configuration must be provided
                     when this form is used; this configuration can be
                     specified via command-line options or the SSL table.

                     If port is not specified, it defaults to 6640.

                     SSL support is an optional feature that is not always
                     built as part of Open vSwitch.

              tcp:host[:port]
                     The specified TCP port on the given host, which can
                     either be a DNS name (if built with unbound library) or
                     an IP address (IPv4 or IPv6). If host is an IPv6 address,
                     wrap it in square brackets, e.g. tcp:[::1]:6640.

                     If port is not specified, it defaults to 6640.

              pssl:[port][:host]
                     Listens for SSL connections on the specified TCP port.
                     Specify 0 for port to have the kernel automatically
                     choose an available port. If host, which can either be a
                     DNS name (if built with unbound library) or an IP
                     address, is specified, then connections are restricted to
                     the resolved or specified local IP address (either IPv4
                     or IPv6 address). If host is an IPv6 address, wrap it in
                     square brackets, e.g. pssl:6640:[::1]. If host is not
                     specified then it listens only on IPv4 (but not IPv6)
                     addresses. A valid SSL configuration must be provided
                     when this form is used; this can be specified either via
                     command-line options or the SSL table.

                     If port is not specified, it defaults to 6640.

                     SSL support is an optional feature that is not always
                     built as part of Open vSwitch.

              ptcp:[port][:host]
                     Listens for connections on the specified TCP port.
                     Specify 0 for port to have the kernel automatically
                     choose an available port. If host, which can either be a
                     DNS name (if built with unbound library) or an IP
                     address, is specified, then connections are restricted to
                     the resolved or specified local IP address (either IPv4
                     or IPv6 address). If host is an IPv6 address, wrap it in
                     square brackets, e.g. ptcp:6640:[::1]. If host is not
                     specified then it listens only on IPv4 addresses.

                     If port is not specified, it defaults to 6640.

              When multiple clients are configured, the target values must be
              unique. Duplicate target values yield unspecified results.

     Client Failure Detection and Handling:

       max_backoff: optional integer, at least 1,000
              Maximum number of milliseconds to wait between connection
              attempts. Default is implementation-specific.

       inactivity_probe: optional integer
              Maximum number of milliseconds of idle time on connection to the
              client before sending an inactivity probe message. If Open
              vSwitch does not communicate with the client for the specified
              number of seconds, it will send a probe. If a response is not
              received for the same additional amount of time, Open vSwitch
              assumes the connection has been broken and attempts to
              reconnect. Default is implementation-specific. A value of 0
              disables inactivity probes.

     Status:

       The is_connected key-value pair is always updated. Other key-value
       pairs in the status columns may be updated, depending on the target
       type.

       When target specifies a connection method that listens for inbound
       connections (e.g. ptcp: or punix:), both n_connections and is_connected
       may also be updated while the remaining key-value pairs are omitted.

       On the other hand, when target specifies an outbound connection, all
       key-value pairs may be updated, except the two above-mentioned
       key-value pairs associated with inbound connection targets, which are
       omitted.

       is_connected: boolean
              true if currently connected to this client, false otherwise.

       status : last_error: optional string
              A human-readable description of the last error on the connection
              to the manager; i.e. strerror(errno). This key will exist only
              if an error has occurred.

       status : state: optional string, one of ACTIVE, BACKOFF, CONNECTING,
       IDLE, or VOID
              The state of the connection to the manager:

              VOID   Connection is disabled.

              BACKOFF
                     Attempting to reconnect at an increasing period.

              CONNECTING
                     Attempting to connect.

              ACTIVE Connected, remote host responsive.

              IDLE   Connection is idle. Waiting for response to keep-alive.

              These values may change in the future. They are provided only
              for human consumption.

       status : sec_since_connect: optional string, containing an integer, at
       least 0
              The amount of time since this client last successfully connected
              to the database (in seconds). Value is empty if client has never
              successfully been connected.

       status : sec_since_disconnect: optional string, containing an integer,
       at least 0
              The amount of time since this client last disconnected from the
              database (in seconds). Value is empty if client has never
              disconnected.

       status : locks_held: optional string
              Space-separated list of the names of OVSDB locks that the
              connection holds. Omitted if the connection does not hold any
              locks.

       status : locks_waiting: optional string
              Space-separated list of the names of OVSDB locks that the
              connection is currently waiting to acquire. Omitted if the
              connection is not waiting for any locks.

       status : locks_lost: optional string
              Space-separated list of the names of OVSDB locks that the
              connection has had stolen by another OVSDB client. Omitted if no
              locks have been stolen from this connection.

       status : n_connections: optional string, containing an integer, at
       least 2
              When target specifies a connection method that listens for
              inbound connections (e.g. ptcp: or pssl:) and more than one
              connection is actually active, the value is the number of active
              connections. Otherwise, this key-value pair is omitted.

       status : bound_port: optional string, containing an integer
              When target is ptcp: or pssl:, this is the TCP port on which the
              OVSDB server is listening. (This is particularly useful when
              target specifies a port of 0, allowing the kernel to choose any
              available port.)

     Common Columns:

       The overall purpose of these columns is described under Common Columns
       at the beginning of this document.

       external_ids: map of string-string pairs

       other_config: map of string-string pairs
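
Added example (not part of the Open vSwitch manual or its code): a Python parser for the four target forms described under Core Features above, with an audit pass that reports plaintext methods, listeners given no host, SSL methods without an SSL configuration, and duplicate targets. The function names, finding codes and sample targets are constructed for illustration.

```python
import re

DEFAULT_PORT = 6640  # default for all four methods, per the target column text
# method -> (listens for inbound connections, uses SSL)
METHODS = {"ssl": (False, True), "tcp": (False, False),
           "pssl": (True, True), "ptcp": (True, False)}
HOST = r"(\[[^\]]+\]|[^:\[\]]+)"                 # [IPv6] or DNS name / IPv4
ACTIVE = re.compile(r"^%s(?::(\d+))?$" % HOST)   # host[:port]
PASSIVE = re.compile(r"^(\d*)(?::%s)?$" % HOST)  # [port][:host]

MESSAGES = {
    "duplicate": "duplicate target; results are unspecified",
    "unparsed": "not one of ssl:, tcp:, pssl:, ptcp: in the documented form",
    "plaintext": "no SSL: traffic is neither encrypted nor authenticated",
    "ssl-without-config": "SSL method but no SSL configuration supplied",
    "unrestricted-listener": "no host given: listener is not restricted "
                             "to one local address",
}


def parse_target(target):
    """Split a Connection.target string into method, host and port."""
    method, _, rest = target.partition(":")
    if method not in METHODS:
        raise ValueError("unsupported connection method in %r" % target)
    listens, uses_ssl = METHODS[method]
    match = (PASSIVE if listens else ACTIVE).match(rest)
    if match is None:
        raise ValueError("malformed target %r" % target)
    # Passive forms capture (port, host); active forms capture (host, port).
    port, host = match.groups() if listens else match.groups()[::-1]
    port = int(port) if port else DEFAULT_PORT
    if port > 65535:
        raise ValueError("port out of range in %r" % target)
    return {"method": method, "listens": listens, "ssl": uses_ssl,
            "host": host.strip("[]") if host else None, "port": port}


def audit_connections(targets, ssl_configured):
    """Return (target, code) findings for a list of target values.

    ssl_configured: True if an SSL row or the equivalent command-line
    options exist (the caller has to establish this).
    """
    findings, seen = [], set()
    for target in targets:
        if target in seen:
            findings.append((target, "duplicate"))
            continue
        seen.add(target)
        try:
            conn = parse_target(target)
        except ValueError:
            findings.append((target, "unparsed"))
            continue
        if not conn["ssl"]:
            findings.append((target, "plaintext"))
        elif not ssl_configured:
            findings.append((target, "ssl-without-config"))
        if conn["listens"] and conn["host"] is None:
            findings.append((target, "unrestricted-listener"))
    return findings


# Constructed sample: target values as they might appear in Connection rows.
SAMPLE_TARGETS = ["ptcp:6642", "pssl:6646:192.0.2.10", "tcp:[::1]:6640",
                  "ssl:icsb.example.net", "ptcp:6642"]

if __name__ == "__main__":
    for target, code in audit_connections(SAMPLE_TARGETS, ssl_configured=False):
        print("%-24s %s" % (target, MESSAGES[code]))
```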

SSL TABLE

       SSL configuration for ovn-sb database access.

   Summary:
       private_key                   string
       certificate                   string
       ca_cert                       string
       bootstrap_ca_cert             boolean
       ssl_protocols                 string
       ssl_ciphers                   string
       Common Columns:
         external_ids                map of string-string pairs

   Details:
       private_key: string
              Name of a PEM file containing the private key used as the
              switch’s identity for SSL connections to the controller.

       certificate: string
              Name of a PEM file containing a certificate, signed by the
              certificate authority (CA) used by the controller and manager,
              that certifies the switch’s private key, identifying a
              trustworthy switch.

       ca_cert: string
              Name of a PEM file containing the CA certificate used to verify
              that the switch is connected to a trustworthy controller.

       bootstrap_ca_cert: boolean
              If set to true, then Open vSwitch will attempt to obtain the CA
              certificate from the controller on its first SSL connection and
              save it to the named PEM file. If it is successful, it will
              immediately drop the connection and reconnect, and from then on
              all SSL connections must be authenticated by a certificate
              signed by the CA certificate thus obtained. This option exposes
              the SSL connection to a man-in-the-middle attack while the
              initial CA certificate is being obtained. It may still be useful
              for bootstrapping.

       ssl_protocols: string
              List of SSL protocols to be enabled for SSL connections. The
              default when this option is omitted is TLSv1,TLSv1.1,TLSv1.2.

       ssl_ciphers: string
              List of ciphers (in OpenSSL cipher string format) to be
              supported for SSL connections. The default when this option is
              omitted is HIGH:!aNULL:!MD5.

     Common Columns:

       The overall purpose of these columns is described under Common Columns
       at the beginning of this document.

       external_ids: map of string-string pairs
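
Added example (not part of the Open vSwitch manual or its code): a Python check of one SSL row that applies the defaults quoted above and reports bootstrap_ca_cert, TLS versions deprecated by RFC 8996, and cipher-string keywords that enable weak suites. It assumes an empty or missing string means the option is omitted; the function names, finding codes, file paths and sample rows are constructed for illustration.

```python
import re

# Defaults quoted in the ssl_protocols and ssl_ciphers descriptions above.
DEFAULT_PROTOCOLS = "TLSv1,TLSv1.1,TLSv1.2"
DEFAULT_CIPHERS = "HIGH:!aNULL:!MD5"
DEPRECATED_PROTOCOLS = {"TLSv1", "TLSv1.1"}  # deprecated by RFC 8996
# OpenSSL cipher-string keywords that select weak or unauthenticated suites.
WEAK_KEYWORDS = {"aNULL", "eNULL", "NULL", "EXPORT", "LOW", "MD5", "RC4",
                 "DES", "3DES"}


def effective_settings(row):
    """Return (protocols, cipher tokens) after applying the defaults.

    Assumption: an empty or missing string means the option is omitted.
    """
    protocols = row.get("ssl_protocols") or DEFAULT_PROTOCOLS
    ciphers = row.get("ssl_ciphers") or DEFAULT_CIPHERS
    return ([p for p in re.split(r"[,\s]+", protocols) if p],
            [c for c in re.split(r"[:,\s]+", ciphers) if c])


def audit_ssl_row(row):
    """Return a list of finding codes for one SSL table row (a dict)."""
    findings = []
    for column in ("private_key", "certificate", "ca_cert"):
        if not row.get(column):
            findings.append("missing:" + column)
    if row.get("bootstrap_ca_cert"):
        # The CA certificate is accepted unauthenticated on first connection.
        findings.append("bootstrap_ca_cert")
    protocols, ciphers = effective_settings(row)
    old = sorted(DEPRECATED_PROTOCOLS.intersection(protocols))
    if old:
        findings.append("deprecated-protocols:" + ",".join(old))
    # Simplification: whole tokens only. A leading "!" or "-" removes a
    # keyword, so those tokens pass; combined "A+B" terms are not analysed.
    weak = [c for c in ciphers
            if c[0] not in "!-" and c.lstrip("+") in WEAK_KEYWORDS]
    if weak:
        findings.append("weak-ciphers:" + ",".join(weak))
    return findings


# Constructed sample rows; the file paths are placeholders.
WEAK_ROW = {
    "private_key": "/etc/ovn/example-privkey.pem",
    "certificate": "/etc/ovn/example-cert.pem",
    "ca_cert": "/etc/ovn/example-cacert.pem",
    "bootstrap_ca_cert": True,
    "ssl_protocols": "",          # omitted, so the default list applies
    "ssl_ciphers": "HIGH:MD5",    # MD5 enabled instead of excluded
}
HARDENED_ROW = dict(WEAK_ROW, bootstrap_ca_cert=False,
                    ssl_protocols="TLSv1.2", ssl_ciphers="HIGH:!aNULL:!MD5")

if __name__ == "__main__":
    for name, row in (("weak", WEAK_ROW), ("hardened", HARDENED_ROW)):
        print(name, audit_ssl_row(row) or "no findings")
```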
Open vSwitch 23.09.2            DB Schema 1.1.1                   ovn-ic-sb(5)