Путеводитель по Руководству Linux

  User  |  Syst  |  Libr  |  Device  |  Files  |  Other  |  Admin  |  Head  |



   ovs-vsctl    ( 8 )

утилита для запроса и настройки ovs-vswitchd (utility for querying and configuring ovs-vswitchd)

  Name  |  Synopsis  |  Description  |  Options  |    Commands    |  Examples  |  Configuration cookbook  |  Exit  |  See also  |

Команды (Commands)

The commands implemented by ovs-vsctl are described in the
       sections below.

Open vSwitch Commands These commands work with an Open vSwitch as a whole.

init Initializes the Open vSwitch database, if it is empty. If the database has already been initialized, this command has no effect.

Any successful ovs-vsctl command automatically initializes the Open vSwitch database if it is empty. This command is provided to initialize the database without executing any other command.

show Prints a brief overview of the database contents.

emer-reset Reset the configuration into a clean state. It deconfigures OpenFlow controllers, OVSDB servers, and SSL, and deletes port mirroring, fail_mode, NetFlow, sFlow, and IPFIX configuration. This command also removes all other-config keys from all database records, except that other-config:hwaddr is preserved if it is present in a Bridge record. Other networking configuration is left as- is.

Bridge Commands These commands examine and manipulate Open vSwitch bridges.

[--may-exist] add-br bridge Creates a new bridge named bridge. Initially the bridge will have no ports (other than bridge itself).

Without --may-exist, attempting to create a bridge that exists is an error. With --may-exist, this command does nothing if bridge already exists as a real bridge.

[--may-exist] add-br bridge parent vlan Creates a ``fake bridge'' named bridge within the existing Open vSwitch bridge parent, which must already exist and must not itself be a fake bridge. The new fake bridge will be on 802.1Q VLAN vlan, which must be an integer between 0 and 4095. The parent bridge must not already have a fake bridge for vlan. Initially bridge will have no ports (other than bridge itself).

Without --may-exist, attempting to create a bridge that exists is an error. With --may-exist, this command does nothing if bridge already exists as a VLAN bridge under parent for vlan.

[--if-exists] del-br bridge Deletes bridge and all of its ports. If bridge is a real bridge, this command also deletes any fake bridges that were created with bridge as parent, including all of their ports.

Without --if-exists, attempting to delete a bridge that does not exist is an error. With --if-exists, attempting to delete a bridge that does not exist has no effect.

[--real|--fake] list-br Lists all existing real and fake bridges on standard output, one per line. With --real or --fake, only bridges of that type are returned.

br-exists bridge Tests whether bridge exists as a real or fake bridge. If so, ovs-vsctl exits successfully with exit code 0. If not, ovs-vsctl exits unsuccessfully with exit code 2.

br-to-vlan bridge If bridge is a fake bridge, prints the bridge's 802.1Q VLAN as a decimal integer. If bridge is a real bridge, prints 0.

br-to-parent bridge If bridge is a fake bridge, prints the name of its parent bridge. If bridge is a real bridge, print bridge.

br-set-external-id bridge key [value] Sets or clears an ``external ID'' value on bridge. These values are intended to identify entities external to Open vSwitch with which bridge is associated, e.g. the bridge's identifier in a virtualization management platform. The Open vSwitch database schema specifies well-known key values, but key and value are otherwise arbitrary strings.

If value is specified, then key is set to value for bridge, overwriting any previous value. If value is omitted, then key is removed from bridge's set of external IDs (if it was present).

For real bridges, the effect of this command is similar to that of a set or remove command in the external-ids column of the Bridge table. For fake bridges, it actually modifies keys with names prefixed by fake-bridge- in the Port table.

br-get-external-id bridge [key] Queries the external IDs on bridge. If key is specified, the output is the value for that key or the empty string if key is unset. If key is omitted, the output is key=value, one per line, for each key-value pair.

For real bridges, the effect of this command is similar to that of a get command in the external-ids column of the Bridge table. For fake bridges, it queries keys with names prefixed by fake-bridge- in the Port table.

Port Commands These commands examine and manipulate Open vSwitch ports. These commands treat a bonded port as a single entity.

list-ports bridge Lists all of the ports within bridge on standard output, one per line. The local port bridge is not included in the list.

[--may-exist] add-port bridge port [column[:key]=value]... Creates on bridge a new port named port from the network device of the same name.

Optional arguments set values of column in the Port record created by the command. For example, tag=9 would make the port an access port for VLAN 9. The syntax is the same as that for the set command (see Database Commands below).

Without --may-exist, attempting to create a port that exists is an error. With --may-exist, this command does nothing if port already exists on bridge and is not a bonded port.

[--if-exists] del-port [bridge] port Deletes port. If bridge is omitted, port is removed from whatever bridge contains it; if bridge is specified, it must be the real or fake bridge that contains port.

Without --if-exists, attempting to delete a port that does not exist is an error. With --if-exists, attempting to delete a port that does not exist has no effect.

[--if-exists] --with-iface del-port [bridge] iface Deletes the port named iface or that has an interface named iface. If bridge is omitted, the port is removed from whatever bridge contains it; if bridge is specified, it must be the real or fake bridge that contains the port.

Without --if-exists, attempting to delete the port for an interface that does not exist is an error. With --if-exists, attempting to delete the port for an interface that does not exist has no effect.

port-to-br port Prints the name of the bridge that contains port on standard output.

Bond Commands These commands work with ports that have more than one interface, which Open vSwitch calls ``bonds.''

[--fake-iface] add-bond bridge port iface... [column[:key]=value]... Creates on bridge a new port named port that bonds together the network devices given as each iface. At least two interfaces must be named. If the interfaces are DPDK enabled then the transaction will need to include operations to explicitly set the interface type to 'dpdk'.

Optional arguments set values of column in the Port record created by the command. The syntax is the same as that for the set command (see Database Commands below).

With --fake-iface, a fake interface with the name port is created. This should only be used for compatibility with legacy software that requires it.

Without --may-exist, attempting to create a port that exists is an error. With --may-exist, this command does nothing if port already exists on bridge and bonds together exactly the specified interfaces.

[--may-exist] add-bond-iface bond iface Adds iface as a new bond interface to the existing port bond. If bond previously had only one port, this transforms it into a bond.

Without --may-exist, attempting to add an iface that is already part of bond is an error. With --may-exist, this command does nothing if iface is already part of bond. (It is still an error if iface is an interface of some other port or bond.)

[--if-exists] del-bond-iface [bond] iface Removes iface from its port. If bond is omitted, iface is removed from whatever port contains it; if bond is specified, it must be the port that contains bond.

If removing iface causes its port to have only a single interface, then that port transforms from a bond into an ordinary port. It is an error if iface is the only interface in its port.

Without --if-exists, attempting to delete an interface that does not exist is an error. With --if-exists, attempting to delete an interface that does not exist has no effect.

Interface Commands These commands examine the interfaces attached to an Open vSwitch bridge. These commands treat a bonded port as a collection of two or more interfaces, rather than as a single port.

list-ifaces bridge Lists all of the interfaces within bridge on standard output, one per line. The local port bridge is not included in the list.

iface-to-br iface Prints the name of the bridge that contains iface on standard output.

Conntrack Zone Commands These commands query and modify datapath CT zones and Timeout Policies.

[--may-exist] add-zone-tp datapath zone=zone_id policies Creates a conntrack zone timeout policy with zone_id in datapath. The policies consist of key=value pairs, separated by spaces. For example, icmp_first=30 icmp_reply=60 specifies a 30-second timeout policy for the first ICMP packet and a 60-second policy for ICMP reply packets. See the CT_Timeout_Policy table in ovs-vswitchd.conf.db(5) for the supported keys.

Without --may-exist, attempting to add a zone_id that already exists is an error. With --may-exist, this command does nothing if zone_id already exists.

[--if-exists] del-zone-tp datapath zone=zone_id Delete the timeout policy associated with zone_id from datapath.

Without --if-exists, attempting to delete a zone that does not exist is an error. With --if-exists, attempting to delete a zone that does not exist has no effect.

list-zone-tp datapath Prints the timeout policies of all zones in datapath.

Datapath Capabilities Command The command query datapath capabilities.

list-dp-cap datapath Prints the datapath's capabilities.

OpenFlow Controller Connectivity ovs-vswitchd can perform all configured bridging and switching locally, or it can be configured to communicate with one or more external OpenFlow controllers. The switch is typically configured to connect to a primary controller that takes charge of the bridge's flow table to implement a network policy. In addition, the switch can be configured to listen to connections from service controllers. Service controllers are typically used for occasional support and maintenance, e.g. with ovs-ofctl.

get-controller bridge Prints the configured controller target.

del-controller bridge Deletes the configured controller target.

set-controller bridge target... Sets the configured controller target or targets. Each target may use any of the following forms:

ssl:host[:port] tcp:host[:port] The specified port on the given host, which can be expressed either as a DNS name (if built with unbound library) or an IP address in IPv4 or IPv6 address format. Wrap IPv6 addresses in square brackets, e.g. tcp:[::1]:6653. On Linux, use %device to designate a scope for IPv6 link-level addresses, e.g. tcp:[fe80::1234%eth0]:6653. For ssl, the --private-key, --certificate, and --ca-cert options are mandatory.

If port is not specified, it defaults to 6653.

unix:file On POSIX, a Unix domain server socket named file.

On Windows, connect to a local named pipe that is represented by a file created in the path file to mimic the behavior of a Unix domain socket.

pssl:[port][:host] ptcp:[port][:host] Listens for OpenFlow connections on port. The default port is 6653. By default, connections are allowed from any IPv4 address. Specify host as an IPv4 address or a bracketed IPv6 address (e.g. ptcp:6653:[::1]). On Linux, use %device to designate a scope for IPv6 link-level addresses, e.g. ptcp:6653:[fe80::1234%eth0]. DNS names can be used if built with unbound library. For pssl, the --private-key,--certificate, and --ca-cert options are mandatory.

punix:file Listens for OpenFlow connections on the Unix domain server socket named file.

Controller Failure Settings

When a controller is configured, it is, ordinarily, responsible for setting up all flows on the switch. Thus, if the connection to the controller fails, no new network connections can be set up. If the connection to the controller stays down long enough, no packets can pass through the switch at all.

If the value is standalone, or if neither of these settings is set, ovs-vswitchd will take over responsibility for setting up flows when no message has been received from the controller for three times the inactivity probe interval. In this mode, ovs-vswitchd causes the datapath to act like an ordinary MAC- learning switch. ovs-vswitchd will continue to retry connecting to the controller in the background and, when the connection succeeds, it discontinues its standalone behavior.

If this option is set to secure, ovs-vswitchd will not set up flows on its own when the controller connection fails.

get-fail-mode bridge Prints the configured failure mode.

del-fail-mode bridge Deletes the configured failure mode.

set-fail-mode bridge standalone|secure Sets the configured failure mode.

Manager Connectivity These commands manipulate the manager_options column in the Open_vSwitch table and rows in the Managers table. When ovsdb-server is configured to use the manager_options column for OVSDB connections (as described in the startup scripts provided with Open vSwitch; the corresponding ovsdb-server command option is --remote=db:Open_vSwitch,Open_vSwitch,manager_options), this allows the administrator to use ovs-vsctl to configure database connections.

get-manager Prints the configured manager(s).

del-manager Deletes the configured manager(s).

set-manager target... Sets the configured manager target or targets. Each target may be an OVSDB active or passive connection method, e.g. pssl:6640, as described in ovsdb(7).

SSL Configuration When ovs-vswitchd is configured to connect over SSL for management or controller connectivity, the following parameters are required:

private-key Specifies a PEM file containing the private key used as the virtual switch's identity for SSL connections to the controller.

certificate Specifies a PEM file containing a certificate, signed by the certificate authority (CA) used by the controller and manager, that certifies the virtual switch's private key, identifying a trustworthy switch.

ca-cert Specifies a PEM file containing the CA certificate used to verify that the virtual switch is connected to a trustworthy controller.

These files are read only once, at ovs-vswitchd startup time. If their contents change, ovs-vswitchd must be killed and restarted.

These SSL settings apply to all SSL connections made by the virtual switch.

get-ssl Prints the SSL configuration.

del-ssl Deletes the current SSL configuration.

[--bootstrap] set-ssl private-key certificate ca-cert Sets the SSL configuration. The --bootstrap option is described below.

CA Certificate Bootstrap

Ordinarily, all of the files named in the SSL configuration must exist when ovs-vswitchd starts. However, if the ca-cert file does not exist and the --bootstrap option is given, then ovs-vswitchd will attempt to obtain the CA certificate from the controller on its first SSL connection and save it to the named PEM file. If it is successful, it will immediately drop the connection and reconnect, and from then on all SSL connections must be authenticated by a certificate signed by the CA certificate thus obtained.

This option exposes the SSL connection to a man-in-the-middle attack obtaining the initial CA certificate, but it may be useful for bootstrapping.

This option is only useful if the controller sends its CA certificate as part of the SSL certificate chain. The SSL protocol does not require the controller to send the CA certificate.

Auto-Attach Commands The IETF Auto-Attach SPBM draft standard describes a compact method of using IEEE 802.1AB Link Layer Discovery Protocol (LLDP) together with a IEEE 802.1aq Shortest Path Bridging (SPB) network to automatically attach network devices to individual services in a SPB network. The intent here is to allow network applications and devices using OVS to be able to easily take advantage of features offered by industry standard SPB networks. A fundamental element of the Auto-Attach feature is to map traditional VLANs onto SPB I_SIDs. These commands manage the Auto-Attach I-SID/VLAN mappings.

add-aa-mapping bridge i-sid vlan Creates a new Auto-Attach mapping on bridge for i-sid and vlan.

del-aa-mapping bridge i-sid vlan Deletes an Auto-Attach mapping on bridge for i-sid and vlan.

get-aa-mapping bridge Lists all of the Auto-Attach mappings within bridge on standard output.

Database Commands These commands query and modify the contents of ovsdb tables. They are a slight abstraction of the ovsdb interface and as such they operate at a lower level than other ovs-vsctl commands.

Identifying Tables, Records, and Columns

Each of these commands has a table parameter to identify a table within the database. Many of them also take a record parameter that identifies a particular record within a table. The record parameter may be the UUID for a record, and many tables offer additional ways to identify records. Some commands also take column parameters that identify a particular field within the records in a table.

For a list of tables and their columns, see ovs-vswitchd.conf.db(5) or see the table listing from the --help option.

Record names must be specified in full and with correct capitalization, except that UUIDs may be abbreviated to their first 4 (or more) hex digits, as long as that is unique within the table. Names of tables and columns are not case-sensitive, and - and _ are treated interchangeably. Unique abbreviations of table and column names are acceptable, e.g. net or n is sufficient to identify the NetFlow table.

Database Values

Each column in the database accepts a fixed type of data. The currently defined basic types, and their representations, are:

integer A decimal integer in the range -2**63 to 2**63-1, inclusive.

real A floating-point number.

Boolean True or false, written true or false, respectively.

string An arbitrary Unicode string, except that null bytes are not allowed. Quotes are optional for most strings that begin with an English letter or underscore and consist only of letters, underscores, hyphens, and periods. However, true and false and strings that match the syntax of UUIDs (see below) must be enclosed in double quotes to distinguish them from other basic types. When double quotes are used, the syntax is that of strings in JSON, e.g. backslashes may be used to escape special characters. The empty string must be represented as a pair of double quotes ("").

UUID Either a universally unique identifier in the style of RFC 4122, e.g. f81d4fae-7dec-11d0-a765-00a0c91e6bf6, or an @name defined by a get or create command within the same ovs-vsctl invocation.

Multiple values in a single column may be separated by spaces or a single comma. When multiple values are present, duplicates are not allowed, and order is not important. Conversely, some database columns can have an empty set of values, represented as [], and square brackets may optionally enclose other non-empty sets or single values as well. For a column accepting a set of integers, database commands accept a range. A range is represented by two integers separated by -. A range is inclusive. A range has a maximum size of 4096 elements. If more elements are needed, they can be specified in seperate ranges.

A few database columns are ``maps'' of key-value pairs, where the key and the value are each some fixed database type. These are specified in the form key=value, where key and value follow the syntax for the column's key type and value type, respectively. When multiple pairs are present (separated by spaces or a comma), duplicate keys are not allowed, and again the order is not important. Duplicate values are allowed. An empty map is represented as {}. Curly braces may optionally enclose non-empty maps as well (but use quotes to prevent the shell from expanding other-config={0=x,1=y} into other-config=0=x other-config=1=y, which may not have the desired effect).

Database Command Syntax

[--if-exists] [--columns=column[,column]...] list table [record]... Lists the data in each specified record. If no records are specified, lists all the records in table.

If --columns is specified, only the requested columns are listed, in the specified order. Otherwise, all columns are listed, in alphabetical order by column name.

Without --if-exists, it is an error if any specified record does not exist. With --if-exists, the command ignores any record that does not exist, without producing any output.

[--columns=column[,column]...] find table [column[:key]=value]... Lists the data in each record in table whose column equals value or, if key is specified, whose column contains a key with the specified value. The following operators may be used where = is written in the syntax summary:

= != < > <= >= Selects records in which column[:key] equals, does not equal, is less than, is greater than, is less than or equal to, or is greater than or equal to value, respectively.

Consider column[:key] and value as sets of elements. Identical sets are considered equal. Otherwise, if the sets have different numbers of elements, then the set with more elements is considered to be larger. Otherwise, consider a element from each set pairwise, in increasing order within each set. The first pair that differs determines the result. (For a column that contains key-value pairs, first all the keys are compared, and values are considered only if the two sets contain identical keys.)

{=} {!=} Test for set equality or inequality, respectively.

{<=} Selects records in which column[:key] is a subset of value. For example, flood-vlans{<=}1,2 selects records in which the flood-vlans column is the empty set or contains 1 or 2 or both.

{<} Selects records in which column[:key] is a proper subset of value. For example, flood-vlans{<}1,2 selects records in which the flood-vlans column is the empty set or contains 1 or 2 but not both.

{>=} {>} Same as {<=} and {<}, respectively, except that the relationship is reversed. For example, flood- vlans{>=}1,2 selects records in which the flood- vlans column contains both 1 and 2.

The following operators are available only in Open vSwitch 2.16 and later:

{in} Selects records in which every element in column[:key] is also in value. (This is the same as {<=}.)

{not-in} Selects records in which every element in column[:key] is not in value.

For arithmetic operators (= != < > <= >=), when key is specified but a particular record's column does not contain key, the record is always omitted from the results. Thus, the condition other-config:mtu!=1500 matches records that have a mtu key whose value is not 1500, but not those that lack an mtu key.

For the set operators, when key is specified but a particular record's column does not contain key, the comparison is done against an empty set. Thus, the condition other-config:mtu{!=}1500 matches records that have a mtu key whose value is not 1500 and those that lack an mtu key.

Don't forget to escape < or > from interpretation by the shell.

If --columns is specified, only the requested columns are listed, in the specified order. Otherwise all columns are listed, in alphabetical order by column name.

The UUIDs shown for rows created in the same ovs-vsctl invocation will be wrong.

[--if-exists] [--id=@name] get table record [column[:key]]... Prints the value of each specified column in the given record in table. For map columns, a key may optionally be specified, in which case the value associated with key in the column is printed, instead of the entire map.

Without --if-exists, it is an error if record does not exist or key is specified, if key does not exist in record. With --if-exists, a missing record yields no output and a missing key prints a blank line.

If @name is specified, then the UUID for record may be referred to by that name later in the same ovs-vsctl invocation in contexts where a UUID is expected.

Both --id and the column arguments are optional, but usually at least one or the other should be specified. If both are omitted, then get has no effect except to verify that record exists in table.

--id and --if-exists cannot be used together.

[--if-exists] set table record column[:key]=value... Sets the value of each specified column in the given record in table to value. For map columns, a key may optionally be specified, in which case the value associated with key in that column is changed (or added, if none exists), instead of the entire map.

Without --if-exists, it is an error if record does not exist. With --if-exists, this command does nothing if record does not exist.

[--if-exists] add table record column [key=]value... Adds the specified value or key-value pair to column in record in table. If column is a map, then key is required, otherwise it is prohibited. If key already exists in a map column, then the current value is not replaced (use the set command to replace an existing value).

Without --if-exists, it is an error if record does not exist. With --if-exists, this command does nothing if record does not exist.

[--if-exists] remove table record column value... [--if-exists] remove table record column key... [--if-exists] remove table record column key=value... Removes the specified values or key-value pairs from column in record in table. The first form applies to columns that are not maps: each specified value is removed from the column. The second and third forms apply to map columns: if only a key is specified, then any key-value pair with the given key is removed, regardless of its value; if a value is given then a pair is removed only if both key and value match.

It is not an error if the column does not contain the specified key or value or pair.

Without --if-exists, it is an error if record does not exist. With --if-exists, this command does nothing if record does not exist.

[--if-exists] clear table record column... Sets each column in record in table to the empty set or empty map, as appropriate. This command applies only to columns that are allowed to be empty.

Without --if-exists, it is an error if record does not exist. With --if-exists, this command does nothing if record does not exist.

[--id=@name] create table column[:key]=value... Creates a new record in table and sets the initial values of each column. Columns not explicitly set will receive their default values. Outputs the UUID of the new row.

If @name is specified, then the UUID for the new row may be referred to by that name elsewhere in the same ovs-vsctl invocation in contexts where a UUID is expected. Such references may precede or follow the create command.

Caution (ovs-vsctl as example) Records in the Open vSwitch database are significant only when they can be reached directly or indirectly from the Open_vSwitch table. Except for records in the QoS or Queue tables, records that are not reachable from the Open_vSwitch table are automatically deleted from the database. This deletion happens immediately, without waiting for additional ovs-vsctl commands or other database activity. Thus, a create command must generally be accompanied by additional commands within the same ovs-vsctl invocation to add a chain of references to the newly created record from the top-level Open_vSwitch record. The EXAMPLES section gives some examples that show how to do this.

[--if-exists] destroy table record... Deletes each specified record from table. Unless --if-exists is specified, each records must exist.

--all destroy table Deletes all records from the table.

Caution (ovs-vsctl as example) The destroy command is only useful for records in the QoS or Queue tables. Records in other tables are automatically deleted from the database when they become unreachable from the Open_vSwitch table. This means that deleting the last reference to a record is sufficient for deleting the record itself. For records in these tables, destroy is silently ignored. See the EXAMPLES section below for more information.

wait-until table record [column[:key]=value]... Waits until table contains a record named record whose column equals value or, if key is specified, whose column contains a key with the specified value. This command supports the same operators and semantics described for the find command above.

If no column[:key]=value arguments are given, this command waits only until record exists. If more than one such argument is given, the command waits until all of them are satisfied.

Caution (ovs-vsctl as example) Usually wait-until should be placed at the beginning of a set of ovs-vsctl commands. For example, wait-until bridge br0 -- get bridge br0 datapath_id waits until a bridge named br0 is created, then prints its datapath_id column, whereas get bridge br0 datapath_id -- wait-until bridge br0 will abort if no bridge named br0 exists when ovs-vsctl initially connects to the database.

Consider specifying --timeout=0 along with --wait-until, to prevent ovs-vsctl from terminating after waiting only at most 5 seconds.

comment [arg]... This command has no effect on behavior, but any database log record created by the command will include the command and its arguments.