The following options affect the behavior of ovn-sbctl
as a
whole. Some individual commands also accept their own options,
which are given just before the command name. If the first
command on the command line has options, then those options must
be separated from the global options by --
.
--db=
server
The OVSDB database remote to contact. If the OVN_SB_DB
environment variable is set, its value is used as the
default. Otherwise, the default is
unix:/usr/local/var/run/openvswitch/ovnsb_db.sock
, but
this default is unlikely to be useful outside of single-
machine OVN test environments.
server may be an OVSDB active or passive connection
method, e.g. ssl:192.168.10.5:6640
, as described in
ovsdb
(7).
--leader-only
--no-leader-only
By default, or with --leader-only
, when the database
server is a clustered database, ovn-sbctl
will avoid
servers other than the cluster leader. This ensures that
any data that ovn-sbctl
reads and reports is up-to-date.
With --no-leader-only
, ovn-sbctl
will use any server in
the cluster, which means that for read-only transactions
it can report and act on stale data (transactions that
modify the database are always serialized even with
--no-leader-only
). Refer to Understanding Cluster
Consistency
in ovsdb
(7) for more information.
--no-syslog
By default, ovn-sbctl
logs its arguments and the details
of any changes that it makes to the system log. This
option disables this logging.
This option is equivalent to --verbose=sbctl:syslog:warn
.
--oneline
Modifies the output format so that the output for each
command is printed on a single line. New-line characters
that would otherwise separate lines are printed as \n
, and
any instances of \
that would otherwise appear in the
output are doubled. Prints a blank line for each command
that has no output. This option does not affect the
formatting of output from the list
or find
commands; see
Table Formatting Options
below.
--dry-run
Prevents ovn-sbctl
from actually modifying the database.
-t
secs
--timeout=
secs
By default, or with a secs of 0
, ovn-sbctl
waits forever
for a response from the database. This option limits
runtime to approximately secs seconds. If the timeout
expires, ovn-sbctl
will exit with a SIGALRM
signal. (A
timeout would normally happen only if the database cannot
be contacted, or if the system is overloaded.)
-v
[spec]
--verbose=
[spec]
Sets logging levels. Without any spec, sets the log level
for every module and destination to dbg
. Otherwise, spec
is a list of words separated by spaces or commas or
colons, up to one from each category below:
• A valid module name, as displayed by the vlog/list
command on ovs-appctl(8), limits the log level
change to the specified module.
• syslog
, console
, or file
, to limit the log level
change to only to the system log, to the console,
or to a file, respectively. (If --detach
is
specified, ovn-sbctl
closes its standard file
descriptors, so logging to the console will have no
effect.)
On Windows platform, syslog
is accepted as a word
and is only useful along with the --syslog-target
option (the word has no effect otherwise).
• off
, emer
, err
, warn
, info
, or dbg
, to control the
log level. Messages of the given severity or
higher will be logged, and messages of lower
severity will be filtered out. off
filters out all
messages. See ovs-appctl(8) for a definition of
each log level.
Case is not significant within spec.
Regardless of the log levels set for file
, logging to a
file will not take place unless --log-file
is also
specified (see below).
For compatibility with older versions of OVS, any
is
accepted as a word but has no effect.
-v
--verbose
Sets the maximum logging verbosity level, equivalent to
--verbose=dbg
.
-vPATTERN:
destination:
pattern
--verbose=PATTERN:
destination:
pattern
Sets the log pattern for destination to pattern. Refer to
ovs-appctl(8) for a description of the valid syntax for
pattern.
-vFACILITY:
facility
--verbose=FACILITY:
facility
Sets the RFC5424 facility of the log message. facility can
be one of kern
, user
, mail
, daemon
, auth
, syslog
, lpr
,
news
, uucp
, clock
, ftp
, ntp
, audit
, alert
, clock2
, local0
,
local1
, local2
, local3
, local4
, local5
, local6
or local7
.
If this option is not specified, daemon
is used as the
default for the local system syslog and local0
is used
while sending a message to the target provided via the
--syslog-target
option.
--log-file
[=
file]
Enables logging to a file. If file is specified, then it
is used as the exact name for the log file. The default
log file name used if file is omitted is
/usr/local/var/log/openvswitch/ovn-sbctl.log
.
--syslog-target=
host:
port
Send syslog messages to UDP port on host, in addition to
the system syslog. The host must be a numerical IP
address, not a hostname.
--syslog-method=
method
Specify method how syslog messages should be sent to
syslog daemon. Following forms are supported:
• libc
, use libc syslog()
function. Downside of
using this options is that libc adds fixed prefix
to every message before it is actually sent to the
syslog daemon over /dev/log
UNIX domain socket.
• unix:
file, use UNIX domain socket directly. It is
possible to specify arbitrary message format with
this option. However, rsyslogd 8.9
and older
versions use hard coded parser function anyway that
limits UNIX domain socket use. If you want to use
arbitrary message format with older rsyslogd
versions, then use UDP socket to localhost IP
address instead.
• udp:
ip:port, use UDP socket. With this method it
is possible to use arbitrary message format also
with older rsyslogd
. When sending syslog messages
over UDP socket extra precaution needs to be taken
into account, for example, syslog daemon needs to
be configured to listen on the specified UDP port,
accidental iptables rules could be interfering with
local syslog traffic and there are some security
considerations that apply to UDP sockets, but do
not apply to UNIX domain sockets.
• null
, discards all messages logged to syslog.
The default is taken from the OVS_SYSLOG_METHOD
environment variable; if it is unset, the default is libc
.
-h
--help
Prints a brief help message to the console.
-V
--version
Prints version information to the console.
Table Formatting Options
These options control the format of output from the list
and find
commands.
-f
format
--format=
format
Sets the type of table formatting. The following types of
format are available:
table
2-D text tables with aligned columns.
list
(default)
A list with one column per line and rows separated
by a blank line.
html
HTML tables.
csv
Comma-separated values as defined in RFC 4180.
json
JSON format as defined in RFC 4627. The output is
a sequence of JSON objects, each of which
corresponds to one table. Each JSON object has the
following members with the noted values:
caption
The table's caption. This member is omitted
if the table has no caption.
headings
An array with one element per table column.
Each array element is a string giving the
corresponding column's heading.
data
An array with one element per table row.
Each element is also an array with one
element per table column. The elements of
this second-level array are the cells that
constitute the table. Cells that represent
OVSDB data or data types are expressed in
the format described in the OVSDB
specification; other cells are simply
expressed as text strings.
-d
format
--data=
format
Sets the formatting for cells within output tables unless
the table format is set to json
, in which case json
formatting is always used when formatting cells. The
following types of format are available:
string
(default)
The simple format described in the Database Values
section of ovs-vsctl(8).
bare
The simple format with punctuation stripped off: []
and {}
are omitted around sets, maps, and empty
columns, items within sets and maps are space-
separated, and strings are never quoted. This
format may be easier for scripts to parse.
json
The RFC 4627 JSON format as described above.
--no-headings
This option suppresses the heading row that otherwise
appears in the first row of table output.
--pretty
By default, JSON in output is printed as compactly as
possible. This option causes JSON in output to be printed
in a more readable fashion. Members of objects and
elements of arrays are printed one per line, with
indentation.
This option does not affect JSON in tables, which is
always printed compactly.
--bare
Equivalent to --format=list --data=bare --no-headings
.
--max-column-width=
n
For table output only, limits the width of any column in
the output to n columns. Longer cell data is truncated to
fit, as necessary. Columns are always wide enough to
display the column names, if the heading row is printed.
Public Key Infrastructure Options
--bootstrap-ca-cert=
cacert.pem
When cacert.pem exists, this option has the same effect as
-C
or --ca-cert
. If it does not exist, then ovn-sbctl
will attempt to obtain the CA certificate from the SSL
peer on its first SSL connection and save it to the named
PEM file. If it is successful, it will immediately drop
the connection and reconnect, and from then on all SSL
connections must be authenticated by a certificate signed
by the CA certificate thus obtained.
This option exposes the SSL connection to a man-in-the-
middle attack obtaining the initial CA certificate
, but it
may be useful for bootstrapping.
This option is only useful if the SSL peer sends its CA
certificate as part of the SSL certificate chain. The SSL
protocol does not require the server to send the CA
certificate.
This option is mutually exclusive with -C
and --ca-cert
.
-p
privkey.pem
--private-key=
privkey.pem
Specifies a PEM file containing the private key used as
ovn-sbctl
's identity for outgoing SSL connections.
-c
cert.pem
--certificate=
cert.pem
Specifies a PEM file containing a certificate that
certifies the private key specified on -p
or --private-key
to be trustworthy. The certificate must be signed by the
certificate authority (CA) that the peer in SSL
connections will use to verify it.
-C
cacert.pem
--ca-cert=
cacert.pem
Specifies a PEM file containing the CA certificate that
ovn-sbctl
should use to verify certificates presented to
it by SSL peers. (This may be the same certificate that
SSL peers use to verify the certificate specified on -c
or
--certificate
, or it may be a different one, depending on
the PKI design in use.)
-C none
--ca-cert=none
Disables verification of certificates presented by SSL
peers. This introduces a security risk, because it means
that certificates cannot be verified to be those of known
trusted hosts.