The commands implemented by ovs-vsctl
are described in the
sections below.
Open vSwitch Commands
These commands work with an Open vSwitch as a whole.
init
Initializes the Open vSwitch database, if it is empty. If
the database has already been initialized, this command
has no effect.
Any successful ovs-vsctl
command automatically initializes
the Open vSwitch database if it is empty. This command is
provided to initialize the database without executing any
other command.
show
Prints a brief overview of the database contents.
emer-reset
Reset the configuration into a clean state. It
deconfigures OpenFlow controllers, OVSDB servers, and SSL,
and deletes port mirroring, fail_mode
, NetFlow, sFlow, and
IPFIX configuration. This command also removes all
other-config
keys from all database records, except that
other-config:hwaddr
is preserved if it is present in a
Bridge record. Other networking configuration is left as-
is.
Bridge Commands
These commands examine and manipulate Open vSwitch bridges.
[--may-exist
] add-br
bridge
Creates a new bridge named bridge. Initially the bridge
will have no ports (other than bridge itself).
Without --may-exist
, attempting to create a bridge that
exists is an error. With --may-exist
, this command does
nothing if bridge already exists as a real bridge.
[--may-exist
] add-br
bridge parent vlan
Creates a ``fake bridge'' named bridge within the existing
Open vSwitch bridge parent, which must already exist and
must not itself be a fake bridge. The new fake bridge
will be on 802.1Q VLAN vlan, which must be an integer
between 0 and 4095. The parent bridge must not already
have a fake bridge for vlan. Initially bridge will have
no ports (other than bridge itself).
Without --may-exist
, attempting to create a bridge that
exists is an error. With --may-exist
, this command does
nothing if bridge already exists as a VLAN bridge under
parent for vlan.
[--if-exists
] del-br
bridge
Deletes bridge and all of its ports. If bridge is a real
bridge, this command also deletes any fake bridges that
were created with bridge as parent, including all of their
ports.
Without --if-exists
, attempting to delete a bridge that
does not exist is an error. With --if-exists
, attempting
to delete a bridge that does not exist has no effect.
[--real
|--fake
] list-br
Lists all existing real and fake bridges on standard
output, one per line. With --real
or --fake
, only bridges
of that type are returned.
br-exists
bridge
Tests whether bridge exists as a real or fake bridge. If
so, ovs-vsctl
exits successfully with exit code 0. If
not, ovs-vsctl
exits unsuccessfully with exit code 2.
br-to-vlan
bridge
If bridge is a fake bridge, prints the bridge's 802.1Q
VLAN as a decimal integer. If bridge is a real bridge,
prints 0.
br-to-parent
bridge
If bridge is a fake bridge, prints the name of its parent
bridge. If bridge is a real bridge, print bridge.
br-set-external-id
bridge key [value]
Sets or clears an ``external ID'' value on bridge. These
values are intended to identify entities external to Open
vSwitch with which bridge is associated, e.g. the bridge's
identifier in a virtualization management platform. The
Open vSwitch database schema specifies well-known key
values, but key and value are otherwise arbitrary strings.
If value is specified, then key is set to value for
bridge, overwriting any previous value. If value is
omitted, then key is removed from bridge's set of external
IDs (if it was present).
For real bridges, the effect of this command is similar to
that of a set
or remove
command in the external-ids
column
of the Bridge
table. For fake bridges, it actually
modifies keys with names prefixed by fake-bridge-
in the
Port
table.
br-get-external-id
bridge [key]
Queries the external IDs on bridge. If key is specified,
the output is the value for that key or the empty string
if key is unset. If key is omitted, the output is
key=
value, one per line, for each key-value pair.
For real bridges, the effect of this command is similar to
that of a get
command in the external-ids
column of the
Bridge
table. For fake bridges, it queries keys with
names prefixed by fake-bridge-
in the Port
table.
Port Commands
These commands examine and manipulate Open vSwitch ports. These
commands treat a bonded port as a single entity.
list-ports
bridge
Lists all of the ports within bridge on standard output,
one per line. The local port bridge is not included in
the list.
[--may-exist
] add-port
bridge port [column[:
key]=value]...
Creates on bridge a new port named port from the network
device of the same name.
Optional arguments set values of column in the Port record
created by the command. For example, tag=9
would make the
port an access port for VLAN 9. The syntax is the same as
that for the set
command (see Database Commands
below).
Without --may-exist
, attempting to create a port that
exists is an error. With --may-exist
, this command does
nothing if port already exists on bridge and is not a
bonded port.
[--if-exists
] del-port
[bridge] port
Deletes port. If bridge is omitted, port is removed from
whatever bridge contains it; if bridge is specified, it
must be the real or fake bridge that contains port.
Without --if-exists
, attempting to delete a port that does
not exist is an error. With --if-exists
, attempting to
delete a port that does not exist has no effect.
[--if-exists
] --with-iface del-port
[bridge] iface
Deletes the port named iface or that has an interface
named iface. If bridge is omitted, the port is removed
from whatever bridge contains it; if bridge is specified,
it must be the real or fake bridge that contains the port.
Without --if-exists
, attempting to delete the port for an
interface that does not exist is an error. With
--if-exists
, attempting to delete the port for an
interface that does not exist has no effect.
port-to-br
port
Prints the name of the bridge that contains port on
standard output.
Bond Commands
These commands work with ports that have more than one interface,
which Open vSwitch calls ``bonds.''
[--fake-iface
] add-bond
bridge port iface...
[column[:
key]=value]...
Creates on bridge a new port named port that bonds
together the network devices given as each iface. At
least two interfaces must be named. If the interfaces are
DPDK enabled then the transaction will need to include
operations to explicitly set the interface type to 'dpdk'.
Optional arguments set values of column in the Port record
created by the command. The syntax is the same as that
for the set
command (see Database Commands
below).
With --fake-iface
, a fake interface with the name port is
created. This should only be used for compatibility with
legacy software that requires it.
Without --may-exist
, attempting to create a port that
exists is an error. With --may-exist
, this command does
nothing if port already exists on bridge and bonds
together exactly the specified interfaces.
[--may-exist
] add-bond-iface
bond iface
Adds iface as a new bond interface to the existing port
bond. If bond previously had only one port, this
transforms it into a bond.
Without --may-exist
, attempting to add an iface that is
already part of bond is an error. With --may-exist
, this
command does nothing if iface is already part of bond.
(It is still an error if iface is an interface of some
other port or bond.)
[--if-exists
] del-bond-iface
[bond] iface
Removes iface from its port. If bond is omitted, iface is
removed from whatever port contains it; if bond is
specified, it must be the port that contains bond.
If removing iface causes its port to have only a single
interface, then that port transforms from a bond into an
ordinary port. It is an error if iface is the only
interface in its port.
Without --if-exists
, attempting to delete an interface
that does not exist is an error. With --if-exists
,
attempting to delete an interface that does not exist has
no effect.
Interface Commands
These commands examine the interfaces attached to an Open vSwitch
bridge. These commands treat a bonded port as a collection of
two or more interfaces, rather than as a single port.
list-ifaces
bridge
Lists all of the interfaces within bridge on standard
output, one per line. The local port bridge is not
included in the list.
iface-to-br
iface
Prints the name of the bridge that contains iface on
standard output.
Conntrack Zone Commands
These commands query and modify datapath CT zones and Timeout
Policies.
[--may-exist
] add-zone-tp
datapath zone=
zone_id policies
Creates a conntrack zone timeout policy with zone_id in
datapath. The policies consist of key=
value pairs,
separated by spaces. For example, icmp_first=30
icmp_reply=60
specifies a 30-second timeout policy for the
first ICMP packet and a 60-second policy for ICMP reply
packets. See the CT_Timeout_Policy
table in
ovs-vswitchd.conf.db(5) for the supported keys.
Without --may-exist
, attempting to add a zone_id that
already exists is an error. With --may-exist
, this
command does nothing if zone_id already exists.
[--if-exists
] del-zone-tp
datapath zone=
zone_id
Delete the timeout policy associated with zone_id from
datapath.
Without --if-exists
, attempting to delete a zone that does
not exist is an error. With --if-exists
, attempting to
delete a zone that does not exist has no effect.
list-zone-tp
datapath
Prints the timeout policies of all zones in datapath.
Datapath Capabilities Command
The command query datapath capabilities.
list-dp-cap
datapath
Prints the datapath's capabilities.
OpenFlow Controller Connectivity
ovs-vswitchd
can perform all configured bridging and switching
locally, or it can be configured to communicate with one or more
external OpenFlow controllers. The switch is typically
configured to connect to a primary controller that takes charge
of the bridge's flow table to implement a network policy. In
addition, the switch can be configured to listen to connections
from service controllers. Service controllers are typically used
for occasional support and maintenance, e.g. with ovs-ofctl
.
get-controller
bridge
Prints the configured controller target.
del-controller
bridge
Deletes the configured controller target.
set-controller
bridge target...
Sets the configured controller target or targets. Each
target may use any of the following forms:
ssl:
host[:
port]
tcp:
host[:
port]
The specified port on the given host, which can be
expressed either as a DNS name (if built with
unbound library) or an IP address in IPv4 or IPv6
address format. Wrap IPv6 addresses in square
brackets, e.g. tcp:[::1]:6653
. On Linux, use
%
device to designate a scope for IPv6 link-level
addresses, e.g. tcp:[fe80::1234%eth0]:6653
. For
ssl
, the --private-key
, --certificate
, and
--ca-cert
options are mandatory.
If port is not specified, it defaults to 6653.
unix:
file
On POSIX, a Unix domain server socket named file.
On Windows, connect to a local named pipe that is
represented by a file created in the path file to
mimic the behavior of a Unix domain socket.
pssl:
[port][:
host]
ptcp:
[port][:
host]
Listens for OpenFlow connections on port. The
default port is 6653. By default, connections are
allowed from any IPv4 address. Specify host as an
IPv4 address or a bracketed IPv6 address (e.g.
ptcp:6653:[::1]
). On Linux, use %
device to
designate a scope for IPv6 link-level addresses,
e.g. ptcp:6653:[fe80::1234%eth0]
. DNS names can be
used if built with unbound library. For pssl
, the
--private-key
,--certificate
, and --ca-cert
options
are mandatory.
punix:
file
Listens for OpenFlow connections on the Unix domain
server socket named file.
Controller Failure Settings
When a controller is configured, it is, ordinarily, responsible
for setting up all flows on the switch. Thus, if the connection
to the controller fails, no new network connections can be set
up. If the connection to the controller stays down long enough,
no packets can pass through the switch at all.
If the value is standalone
, or if neither of these settings is
set, ovs-vswitchd
will take over responsibility for setting up
flows when no message has been received from the controller for
three times the inactivity probe interval. In this mode,
ovs-vswitchd
causes the datapath to act like an ordinary MAC-
learning switch. ovs-vswitchd
will continue to retry connecting
to the controller in the background and, when the connection
succeeds, it discontinues its standalone behavior.
If this option is set to secure
, ovs-vswitchd
will not set up
flows on its own when the controller connection fails.
get-fail-mode
bridge
Prints the configured failure mode.
del-fail-mode
bridge
Deletes the configured failure mode.
set-fail-mode
bridge standalone
|secure
Sets the configured failure mode.
Manager Connectivity
These commands manipulate the manager_options
column in the
Open_vSwitch
table and rows in the Managers
table. When
ovsdb-server
is configured to use the manager_options
column for
OVSDB connections (as described in the startup scripts provided
with Open vSwitch; the corresponding ovsdb-server
command option
is --remote=db:Open_vSwitch,Open_vSwitch,manager_options
), this
allows the administrator to use ovs-vsctl
to configure database
connections.
get-manager
Prints the configured manager(s).
del-manager
Deletes the configured manager(s).
set-manager
target...
Sets the configured manager target or targets. Each
target may be an OVSDB active or passive connection
method, e.g. pssl:6640
, as described in ovsdb
(7).
SSL Configuration
When ovs-vswitchd
is configured to connect over SSL for
management or controller connectivity, the following parameters
are required:
private-key
Specifies a PEM file containing the private key used as
the virtual switch's identity for SSL connections to the
controller.
certificate
Specifies a PEM file containing a certificate, signed by
the certificate authority (CA) used by the controller and
manager, that certifies the virtual switch's private key,
identifying a trustworthy switch.
ca-cert
Specifies a PEM file containing the CA certificate used to
verify that the virtual switch is connected to a
trustworthy controller.
These files are read only once, at ovs-vswitchd
startup time. If
their contents change, ovs-vswitchd
must be killed and restarted.
These SSL settings apply to all SSL connections made by the
virtual switch.
get-ssl
Prints the SSL configuration.
del-ssl
Deletes the current SSL configuration.
[--bootstrap
] set-ssl
private-key certificate ca-cert
Sets the SSL configuration. The --bootstrap
option is
described below.
CA Certificate Bootstrap
Ordinarily, all of the files named in the SSL configuration must
exist when ovs-vswitchd
starts. However, if the ca-cert file
does not exist and the --bootstrap
option is given, then
ovs-vswitchd
will attempt to obtain the CA certificate from the
controller on its first SSL connection and save it to the named
PEM file. If it is successful, it will immediately drop the
connection and reconnect, and from then on all SSL connections
must be authenticated by a certificate signed by the CA
certificate thus obtained.
This option exposes the SSL connection to a man-in-the-middle
attack obtaining the initial CA certificate
, but it may be useful
for bootstrapping.
This option is only useful if the controller sends its CA
certificate as part of the SSL certificate chain. The SSL
protocol does not require the controller to send the CA
certificate.
Auto-Attach Commands
The IETF Auto-Attach SPBM draft standard describes a compact
method of using IEEE 802.1AB Link Layer Discovery Protocol (LLDP)
together with a IEEE 802.1aq Shortest Path Bridging (SPB) network
to automatically attach network devices to individual services in
a SPB network. The intent here is to allow network applications
and devices using OVS to be able to easily take advantage of
features offered by industry standard SPB networks. A fundamental
element of the Auto-Attach feature is to map traditional VLANs
onto SPB I_SIDs. These commands manage the Auto-Attach I-SID/VLAN
mappings.
add-aa-mapping
bridge i-sid vlan
Creates a new Auto-Attach mapping on bridge for i-sid and
vlan.
del-aa-mapping
bridge i-sid vlan
Deletes an Auto-Attach mapping on bridge for i-sid and
vlan.
get-aa-mapping
bridge
Lists all of the Auto-Attach mappings within bridge on
standard output.
Database Commands
These commands query and modify the contents of ovsdb
tables.
They are a slight abstraction of the ovsdb
interface and as such
they operate at a lower level than other ovs-vsctl
commands.
Identifying Tables, Records, and Columns
Each of these commands has a table parameter to identify a table
within the database. Many of them also take a record parameter
that identifies a particular record within a table. The record
parameter may be the UUID for a record, and many tables offer
additional ways to identify records. Some commands also take
column parameters that identify a particular field within the
records in a table.
For a list of tables and their columns, see
ovs-vswitchd.conf.db(5) or see the table listing from the --help
option.
Record names must be specified in full and with correct
capitalization, except that UUIDs may be abbreviated to their
first 4 (or more) hex digits, as long as that is unique within
the table. Names of tables and columns are not case-sensitive,
and -
and _
are treated interchangeably. Unique abbreviations of
table and column names are acceptable, e.g. net
or n
is
sufficient to identify the NetFlow
table.
Database Values
Each column in the database accepts a fixed type of data. The
currently defined basic types, and their representations, are:
integer
A decimal integer in the range -2**63 to 2**63-1,
inclusive.
real A floating-point number.
Boolean
True or false, written true
or false
, respectively.
string An arbitrary Unicode string, except that null bytes are
not allowed. Quotes are optional for most strings that
begin with an English letter or underscore and consist
only of letters, underscores, hyphens, and periods.
However, true
and false
and strings that match the syntax
of UUIDs (see below) must be enclosed in double quotes to
distinguish them from other basic types. When double
quotes are used, the syntax is that of strings in JSON,
e.g. backslashes may be used to escape special characters.
The empty string must be represented as a pair of double
quotes (""
).
UUID Either a universally unique identifier in the style of RFC
4122, e.g. f81d4fae-7dec-11d0-a765-00a0c91e6bf6
, or an
@
name defined by a get
or create
command within the same
ovs-vsctl
invocation.
Multiple values in a single column may be separated by spaces or
a single comma. When multiple values are present, duplicates are
not allowed, and order is not important. Conversely, some
database columns can have an empty set of values, represented as
[]
, and square brackets may optionally enclose other non-empty
sets or single values as well. For a column accepting a set of
integers, database commands accept a range. A range is
represented by two integers separated by -
. A range is inclusive.
A range has a maximum size of 4096 elements. If more elements are
needed, they can be specified in seperate ranges.
A few database columns are ``maps'' of key-value pairs, where the
key and the value are each some fixed database type. These are
specified in the form key=
value, where key and value follow the
syntax for the column's key type and value type, respectively.
When multiple pairs are present (separated by spaces or a comma),
duplicate keys are not allowed, and again the order is not
important. Duplicate values are allowed. An empty map is
represented as {}
. Curly braces may optionally enclose non-empty
maps as well (but use quotes to prevent the shell from expanding
other-config={0=x,1=y}
into other-config=0=x other-config=1=y
,
which may not have the desired effect).
Database Command Syntax
[--if-exists
] [--columns=
column[,
column]...] list
table
[record]...
Lists the data in each specified record. If no records
are specified, lists all the records in table.
If --columns
is specified, only the requested columns are
listed, in the specified order. Otherwise, all columns
are listed, in alphabetical order by column name.
Without --if-exists
, it is an error if any specified
record does not exist. With --if-exists
, the command
ignores any record that does not exist, without producing
any output.
[--columns=
column[,
column]...] find
table [column[:
key]=
value]...
Lists the data in each record in table whose column equals
value or, if key is specified, whose column contains a key
with the specified value. The following operators may be
used where =
is written in the syntax summary:
= != < > <= >=
Selects records in which column[:
key] equals, does
not equal, is less than, is greater than, is less
than or equal to, or is greater than or equal to
value, respectively.
Consider column[:
key] and value as sets of
elements. Identical sets are considered equal.
Otherwise, if the sets have different numbers of
elements, then the set with more elements is
considered to be larger. Otherwise, consider a
element from each set pairwise, in increasing order
within each set. The first pair that differs
determines the result. (For a column that contains
key-value pairs, first all the keys are compared,
and values are considered only if the two sets
contain identical keys.)
{=} {!=}
Test for set equality or inequality, respectively.
{<=}
Selects records in which column[:
key] is a subset
of value. For example, flood-vlans{<=}1,2
selects
records in which the flood-vlans
column is the
empty set or contains 1 or 2 or both.
{<}
Selects records in which column[:
key] is a proper
subset of value. For example, flood-vlans{<}1,2
selects records in which the flood-vlans
column is
the empty set or contains 1 or 2 but not both.
{>=} {>}
Same as {<=}
and {<}
, respectively, except that the
relationship is reversed. For example, flood-
vlans{>=}1,2
selects records in which the flood-
vlans
column contains both 1 and 2.
The following operators are available only in Open vSwitch
2.16 and later:
{in}
Selects records in which every element in
column[:
key] is also in value. (This is the same
as {<=}
.)
{not-in}
Selects records in which every element in
column[:
key] is not in value.
For arithmetic operators (= != < > <= >=
), when key is
specified but a particular record's column does not
contain key, the record is always omitted from the
results. Thus, the condition other-config:mtu!=1500
matches records that have a mtu
key whose value is not
1500, but not those that lack an mtu
key.
For the set operators, when key is specified but a
particular record's column does not contain key, the
comparison is done against an empty set. Thus, the
condition other-config:mtu{!=}1500
matches records that
have a mtu
key whose value is not 1500 and those that lack
an mtu
key.
Don't forget to escape <
or >
from interpretation by the
shell.
If --columns
is specified, only the requested columns are
listed, in the specified order. Otherwise all columns are
listed, in alphabetical order by column name.
The UUIDs shown for rows created in the same ovs-vsctl
invocation will be wrong.
[--if-exists
] [--id=@
name] get
table record [column[:
key]]...
Prints the value of each specified column in the given
record in table. For map columns, a key may optionally be
specified, in which case the value associated with key in
the column is printed, instead of the entire map.
Without --if-exists
, it is an error if record does not
exist or key is specified, if key does not exist in
record. With --if-exists
, a missing record yields no
output and a missing key prints a blank line.
If @
name is specified, then the UUID for record may be
referred to by that name later in the same ovs-vsctl
invocation in contexts where a UUID is expected.
Both --id
and the column arguments are optional, but
usually at least one or the other should be specified. If
both are omitted, then get
has no effect except to verify
that record exists in table.
--id
and --if-exists
cannot be used together.
[--if-exists
] set
table record column[:
key]=
value...
Sets the value of each specified column in the given
record in table to value. For map columns, a key may
optionally be specified, in which case the value
associated with key in that column is changed (or added,
if none exists), instead of the entire map.
Without --if-exists
, it is an error if record does not
exist. With --if-exists
, this command does nothing if
record does not exist.
[--if-exists
] add
table record column [key=
]value...
Adds the specified value or key-value pair to column in
record in table. If column is a map, then key is
required, otherwise it is prohibited. If key already
exists in a map column, then the current value is not
replaced (use the set
command to replace an existing
value).
Without --if-exists
, it is an error if record does not
exist. With --if-exists
, this command does nothing if
record does not exist.
[--if-exists
] remove
table record column value...
[--if-exists
] remove
table record column key...
[--if-exists
] remove
table record column key=
value...
Removes the specified values or key-value pairs from
column in record in table. The first form applies to
columns that are not maps: each specified value is removed
from the column. The second and third forms apply to map
columns: if only a key is specified, then any key-value
pair with the given key is removed, regardless of its
value; if a value is given then a pair is removed only if
both key and value match.
It is not an error if the column does not contain the
specified key or value or pair.
Without --if-exists
, it is an error if record does not
exist. With --if-exists
, this command does nothing if
record does not exist.
[--if-exists
] clear
table record column...
Sets each column in record in table to the empty set or
empty map, as appropriate. This command applies only to
columns that are allowed to be empty.
Without --if-exists
, it is an error if record does not
exist. With --if-exists
, this command does nothing if
record does not exist.
[--id=@
name] create
table column[:
key]=
value...
Creates a new record in table and sets the initial values
of each column. Columns not explicitly set will receive
their default values. Outputs the UUID of the new row.
If @
name is specified, then the UUID for the new row may
be referred to by that name elsewhere in the same
ovs-vsctl
invocation in contexts where a UUID is expected.
Such references may precede or follow the create
command.
Caution (ovs-vsctl as example)
Records in the Open vSwitch database are
significant only when they can be reached directly
or indirectly from the Open_vSwitch
table. Except
for records in the QoS
or Queue
tables, records
that are not reachable from the Open_vSwitch
table
are automatically deleted from the database. This
deletion happens immediately, without waiting for
additional ovs-vsctl
commands or other database
activity. Thus, a create
command must generally be
accompanied by additional commands within the same
ovs-vsctl
invocation to add a chain of references
to the newly created record from the top-level
Open_vSwitch
record. The EXAMPLES
section gives
some examples that show how to do this.
[--if-exists
] destroy
table record...
Deletes each specified record from table. Unless
--if-exists
is specified, each records must exist.
--all destroy
table
Deletes all records from the table.
Caution (ovs-vsctl as example)
The destroy
command is only useful for records in
the QoS
or Queue
tables. Records in other tables
are automatically deleted from the database when
they become unreachable from the Open_vSwitch
table. This means that deleting the last reference
to a record is sufficient for deleting the record
itself. For records in these tables, destroy
is
silently ignored. See the EXAMPLES
section below
for more information.
wait-until
table record [column[:
key]=
value]...
Waits until table contains a record named record whose
column equals value or, if key is specified, whose column
contains a key with the specified value. This command
supports the same operators and semantics described for
the find
command above.
If no column[:
key]=
value arguments are given, this command
waits only until record exists. If more than one such
argument is given, the command waits until all of them are
satisfied.
Caution (ovs-vsctl as example)
Usually wait-until
should be placed at the
beginning of a set of ovs-vsctl
commands. For
example, wait-until bridge br0 -- get bridge br0
datapath_id
waits until a bridge named br0
is
created, then prints its datapath_id
column,
whereas get bridge br0 datapath_id -- wait-until
bridge br0
will abort if no bridge named br0
exists
when ovs-vsctl
initially connects to the database.
Consider specifying --timeout=0
along with --wait-until
,
to prevent ovs-vsctl
from terminating after waiting only
at most 5 seconds.
comment
[arg]...
This command has no effect on behavior, but any database
log record created by the command will include the command
and its arguments.