1ovn-ic(8)                         OVN Manual                         ovn-ic(8)
2
3
4

NAME

6       ovn-ic - Open Virtual Network interconnection controller
7

SYNOPSIS

9       ovn-ic [options]
10

DESCRIPTION

12       ovn-ic,  OVN  interconnection controller, is a centralized daemon which
13       communicates with global interconnection databases IC_NB/IC_SB to  con‐
14       figure  and  exchange  data  with  local NB/SB for interconnecting with
15       other OVN deployments.
16

OPTIONS

18       --ovnnb-db=database
19              The OVSDB database containing the OVN  Northbound  Database.  If
20              the  OVN_NB_DB environment variable is set, its value is used as
21              the default. Otherwise, the default is unix:/ovnnb_db.sock.
22
23       --ovnsb-db=database
24              The OVSDB database containing the OVN  Southbound  Database.  If
25              the  OVN_SB_DB environment variable is set, its value is used as
26              the default. Otherwise, the default is unix:/ovnsb_db.sock.
27
28       --ic-nb-db=database
29              The OVSDB database containing the OVN Interconnection Northbound
30              Database.  If  the OVN_IC_NB_DB environment variable is set, its
31              value  is  used  as  the  default.  Otherwise,  the  default  is
32              unix:/ovn_ic_nb_db.sock.
33
34       --ic-sb-db=database
35              The OVSDB database containing the OVN Interconnection Southbound
36              Database. If the OVN_IC_SB_DB environment variable is  set,  its
37              value  is  used  as  the  default.  Otherwise,  the  default  is
38              unix:/ovn_ic_sb_db.sock.
39
40       database in the above options must be an OVSDB active or  passive  con‐
41       nection method, as described in ovsdb(7).
42
43   Daemon Options
44       --pidfile[=pidfile]
45              Causes a file (by default, program.pid) to be created indicating
46              the PID of the running process. If the pidfile argument  is  not
47              specified, or if it does not begin with /, then it is created in
48              .
49
50              If --pidfile is not specified, no pidfile is created.
51
52       --overwrite-pidfile
53              By default, when --pidfile is specified and the  specified  pid‐
54              file already exists and is locked by a running process, the dae‐
55              mon refuses to start. Specify --overwrite-pidfile to cause it to
56              instead overwrite the pidfile.
57
58              When --pidfile is not specified, this option has no effect.
59
60       --detach
61              Runs  this  program  as a background process. The process forks,
62              and in the child it starts a new session,  closes  the  standard
63              file descriptors (which has the side effect of disabling logging
64              to the console), and changes its current directory to  the  root
65              (unless  --no-chdir is specified). After the child completes its
66              initialization, the parent exits.
67
68       --monitor
69              Creates an additional process to monitor  this  program.  If  it
70              dies  due  to a signal that indicates a programming error (SIGA‐
71              BRT, SIGALRM, SIGBUS, SIGFPE, SIGILL, SIGPIPE, SIGSEGV, SIGXCPU,
72              or SIGXFSZ) then the monitor process starts a new copy of it. If
73              the daemon dies or exits for another reason, the monitor process
74              exits.
75
76              This  option  is  normally used with --detach, but it also func‐
77              tions without it.
78
79       --no-chdir
80              By default, when --detach is specified, the daemon  changes  its
81              current  working  directory  to  the root directory after it de‐
82              taches. Otherwise, invoking the daemon from a carelessly  chosen
83              directory  would  prevent  the administrator from unmounting the
84              file system that holds that directory.
85
86              Specifying --no-chdir suppresses this behavior,  preventing  the
87              daemon  from changing its current working directory. This may be
88              useful for collecting core files, since it is common behavior to
89              write core dumps into the current working directory and the root
90              directory is not a good directory to use.
91
92              This option has no effect when --detach is not specified.
93
94       --no-self-confinement
95              By default this daemon will try to self-confine itself  to  work
96              with  files  under  well-known  directories  determined at build
97              time. It is better to stick with this default behavior  and  not
98              to  use  this  flag  unless some other Access Control is used to
99              confine daemon. Note that in contrast to  other  access  control
100              implementations  that  are  typically enforced from kernel-space
101              (e.g. DAC or MAC), self-confinement is imposed  from  the  user-
102              space daemon itself and hence should not be considered as a full
103              confinement strategy, but instead should be viewed as  an  addi‐
104              tional layer of security.
105
106       --user=user:group
107              Causes  this  program  to  run  as a different user specified in
108              user:group, thus dropping most of  the  root  privileges.  Short
109              forms  user  and  :group  are also allowed, with current user or
110              group assumed, respectively. Only daemons started  by  the  root
111              user accepts this argument.
112
113              On   Linux,   daemons   will   be   granted   CAP_IPC_LOCK   and
114              CAP_NET_BIND_SERVICES before dropping root  privileges.  Daemons
115              that  interact  with  a  datapath, such as ovs-vswitchd, will be
116              granted three  additional  capabilities,  namely  CAP_NET_ADMIN,
117              CAP_NET_BROADCAST  and  CAP_NET_RAW.  The capability change will
118              apply even if the new user is root.
119
120              On Windows, this option is not currently supported. For security
121              reasons,  specifying  this  option will cause the daemon process
122              not to start.
123
124   Logging Options
125       -v[spec]
126       --verbose=[spec]
127            Sets logging levels. Without any spec, sets the log level for  ev‐
128            ery  module  and  destination to dbg. Otherwise, spec is a list of
129            words separated by spaces or commas or colons, up to one from each
130            category below:
131
132            •      A  valid module name, as displayed by the vlog/list command
133                   on ovs-appctl(8), limits the log level change to the speci‐
134                   fied module.
135
136syslog,  console, or file, to limit the log level change to
137                   only to the system log, to the console, or to a  file,  re‐
138                   spectively.  (If  --detach  is specified, the daemon closes
139                   its standard file descriptors, so logging  to  the  console
140                   will have no effect.)
141
142                   On  Windows  platform,  syslog is accepted as a word and is
143                   only useful along with the --syslog-target option (the word
144                   has no effect otherwise).
145
146off,  emer,  err,  warn,  info,  or dbg, to control the log
147                   level. Messages of the given severity  or  higher  will  be
148                   logged,  and  messages  of  lower severity will be filtered
149                   out. off filters out all messages. See ovs-appctl(8) for  a
150                   definition of each log level.
151
152            Case is not significant within spec.
153
154            Regardless  of the log levels set for file, logging to a file will
155            not take place unless --log-file is also specified (see below).
156
157            For compatibility with older versions of OVS, any is accepted as a
158            word but has no effect.
159
160       -v
161       --verbose
162            Sets  the  maximum  logging  verbosity level, equivalent to --ver‐
163            bose=dbg.
164
165       -vPATTERN:destination:pattern
166       --verbose=PATTERN:destination:pattern
167            Sets the log pattern for destination to pattern. Refer to  ovs-ap‐
168            pctl(8) for a description of the valid syntax for pattern.
169
170       -vFACILITY:facility
171       --verbose=FACILITY:facility
172            Sets  the RFC5424 facility of the log message. facility can be one
173            of kern, user, mail, daemon, auth, syslog, lpr, news, uucp, clock,
174            ftp,  ntp,  audit,  alert, clock2, local0, local1, local2, local3,
175            local4, local5, local6 or local7. If this option is not specified,
176            daemon  is used as the default for the local system syslog and lo‐
177            cal0 is used while sending a message to the  target  provided  via
178            the --syslog-target option.
179
180       --log-file[=file]
181            Enables  logging  to a file. If file is specified, then it is used
182            as the exact name for the log file. The default log file name used
183            if file is omitted is /var/log/ovn/program.log.
184
185       --syslog-target=host:port
186            Send  syslog messages to UDP port on host, in addition to the sys‐
187            tem syslog. The host must be a numerical IP address, not  a  host‐
188            name.
189
190       --syslog-method=method
191            Specify  method  as  how  syslog messages should be sent to syslog
192            daemon. The following forms are supported:
193
194libc, to use the libc syslog() function. Downside of  using
195                   this  options  is that libc adds fixed prefix to every mes‐
196                   sage before it is actually sent to the syslog  daemon  over
197                   /dev/log UNIX domain socket.
198
199unix:file, to use a UNIX domain socket directly. It is pos‐
200                   sible to specify arbitrary message format with this option.
201                   However,  rsyslogd  8.9  and  older versions use hard coded
202                   parser function anyway that limits UNIX domain socket  use.
203                   If  you  want  to  use  arbitrary message format with older
204                   rsyslogd versions, then use UDP socket to localhost IP  ad‐
205                   dress instead.
206
207udp:ip:port,  to  use  a UDP socket. With this method it is
208                   possible to use arbitrary message format  also  with  older
209                   rsyslogd.  When sending syslog messages over UDP socket ex‐
210                   tra precaution needs to be taken into account, for example,
211                   syslog daemon needs to be configured to listen on the spec‐
212                   ified UDP port, accidental iptables rules could  be  inter‐
213                   fering  with  local syslog traffic and there are some secu‐
214                   rity considerations that apply to UDP sockets, but  do  not
215                   apply to UNIX domain sockets.
216
217null, to discard all messages logged to syslog.
218
219            The  default is taken from the OVS_SYSLOG_METHOD environment vari‐
220            able; if it is unset, the default is libc.
221
222   PKI Options
223       PKI configuration is required in order to use SSL for  the  connections
224       to the Northbound and Southbound databases.
225
226              -p privkey.pem
227              --private-key=privkey.pem
228                   Specifies  a  PEM  file  containing the private key used as
229                   identity for outgoing SSL connections.
230
231              -c cert.pem
232              --certificate=cert.pem
233                   Specifies a PEM file containing a certificate  that  certi‐
234                   fies the private key specified on -p or --private-key to be
235                   trustworthy. The certificate must be signed by the certifi‐
236                   cate  authority  (CA) that the peer in SSL connections will
237                   use to verify it.
238
239              -C cacert.pem
240              --ca-cert=cacert.pem
241                   Specifies a PEM file containing the CA certificate for ver‐
242                   ifying certificates presented to this program by SSL peers.
243                   (This may be the same certificate that  SSL  peers  use  to
244                   verify the certificate specified on -c or --certificate, or
245                   it may be a different one, depending on the PKI  design  in
246                   use.)
247
248              -C none
249              --ca-cert=none
250                   Disables  verification  of  certificates  presented  by SSL
251                   peers. This introduces a security risk,  because  it  means
252                   that  certificates  cannot be verified to be those of known
253                   trusted hosts.
254
255   Other Options
256       --unixctl=socket
257              Sets the name of the control socket on which program listens for
258              runtime  management  commands  (see RUNTIME MANAGEMENT COMMANDS,
259              below). If socket does not begin with /, it  is  interpreted  as
260              relative  to  .  If  --unixctl  is  not used at all, the default
261              socket is /program.pid.ctl, where pid is program’s process ID.
262
263              On Windows a local named pipe is used to listen for runtime man‐
264              agement  commands.  A  file  is  created in the absolute path as
265              pointed by socket or if --unixctl is not used at all, a file  is
266              created  as  program in the configured OVS_RUNDIR directory. The
267              file exists just to mimic the behavior of a Unix domain socket.
268
269              Specifying none for socket disables the control socket feature.
270
271
272
273       -h
274       --help
275            Prints a brief help message to the console.
276
277       -V
278       --version
279            Prints version information to the console.
280

RUNTIME MANAGEMENT COMMANDS

282       ovs-appctl can send commands to a running ovn-ic process. The currently
283       supported commands are described below.
284
285              exit   Causes ovn-ic to gracefully terminate.
286
287              pause  Pauses  the ovn-ic operation from processing any database
288                     changes. This will also instruct ovn-ic to drop any  lock
289                     on SB DB.
290
291              resume Resumes  the  ovn-ic  operation  to process database con‐
292                     tents. This will also instruct ovn-northd to  aspire  for
293                     the lock on SB DB.
294
295              is-paused
296                     Returns  "true"  if  ovn-ic  is currently paused, "false"
297                     otherwise.
298
299              status Prints this server’s status. Status will be  "active"  if
300                     ovn-ic  has acquired OVSDB lock on SB DB, "standby" if it
301                     has not or "paused" if this instance is paused.
302

ACTIVE-STANDBY FOR HIGH AVAILABILITY

304       You may run ovn-ic more than once in an OVN deployment. When  connected
305       to  a  standalone  or clustered DB setup, OVN will automatically ensure
306       that only one of them is active at a time.  If  multiple  instances  of
307       ovn-ic  are running and the active ovn-ic fails, one of the hot standby
308       instances of ovn-ic will automatically take over.
309
310
311
312OVN 23.09.2                         ovn-ic                           ovn-ic(8)
Impressum