Trace Options
   --detailed
   --summary
   --minimal
       These options control the form and level of detail in
       ovn-trace output. If more than one of these options is
       specified, all of the selected forms are output, in the
       order listed above, each headed by a banner line. If none
       of these options is given, --detailed is the default. See
       Output, above, for a description of each kind of output.
   --all
       Selects all three forms of output.
   --ovs[=remote]
       Makes ovn-trace attempt to obtain and display the OpenFlow
       flows that correspond to each OVN logical flow. To do so,
       ovn-trace connects to remote (by default,
       unix:/usr/local/var/run/openvswitch/br-int.mgmt) over
       OpenFlow and retrieves the flows. If remote is specified,
       it must be an active OpenFlow connection method described
       in ovsdb(7).

       To make the best use of the output, it is important to
       understand the relationship between logical flows and
       OpenFlow flows. ovn-architecture(7), under Architectural
       Physical Life Cycle of a Packet, describes this
       relationship. Keep in mind the following points:

       • ovn-trace currently shows all the OpenFlow flows to
         which a logical flow corresponds, even though an actual
         packet ordinarily matches only one of these.

       • Some logical flows can map to the Open vSwitch
         "conjunctive match" extension (see ovs-fields(7)).
         Currently ovn-trace cannot display the flows with
         conjunction actions that effectively produce the
         conj_id match.

       • Some logical flows may not be represented in the
         OpenFlow tables on a given hypervisor, if they could
         not be used on that hypervisor.

       • Some OpenFlow flows do not correspond to logical flows,
         such as OpenFlow flows that map between physical and
         logical ports. These flows will never show up in a
         trace.

       • When ovn-trace omits uninteresting logical flows from
         output, it does not look up the corresponding OpenFlow
         flows.
   --ct=flags
       This option sets the ct_state flags that a ct_next logical
       action will report. The flags must be a comma- or space-
       separated list of the following connection tracking
       flags:

       • trk: Include to indicate connection tracking has taken
         place. (This bit is set automatically even if not
         listed in flags.)

       • new: Include to indicate a new flow.

       • est: Include to indicate an established flow.

       • rel: Include to indicate a related flow.

       • rpl: Include to indicate a reply flow.

       • inv: Include to indicate a connection entry in a bad
         state.

       • dnat: Include to indicate a packet whose destination IP
         address has been changed.

       • snat: Include to indicate a packet whose source IP
         address has been changed.

       The ct_next action is used to implement the OVN
       distributed firewall. For testing, useful flag
       combinations include:

       • trk,new: A packet in a flow in either direction through
         a firewall that has not yet been committed (with
         ct_commit).

       • trk,est: A packet in an established flow going out
         through a firewall.

       • trk,rpl: A packet coming in through a firewall in reply
         to an established flow.

       • trk,inv: An invalid packet in either direction.

       A packet might pass through the connection tracker twice
       in one trip through OVN: once following egress from a VM
       as it passes outward through a firewall, and once
       preceding ingress to a second VM as it passes inward
       through a firewall. Use multiple --ct options to specify
       the flags for multiple ct_next actions.

       When --ct is unspecified, or when there are fewer --ct
       options than ct_next actions, the flags default to
       trk,est.
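       The following Python model, added here as an illustration and
       not part of ovn-trace or OVN, shows how repeated --ct options
       line up with ct_next actions: each value is checked against
       the flag names listed above, trk is added implicitly, the
       n-th --ct feeds the n-th ct_next, and any ct_next without a
       matching option reports the documented default trk,est. The
       positional datapath and microflow arguments in the assembled
       command line are placeholders.

```python
"""Model of how repeated --ct=flags options feed ct_next actions.

Added example, not part of ovn-trace or OVN. It validates each --ct
value against the connection tracking flags listed in the manual,
adds the implicit trk bit, hands the n-th --ct value to the n-th
ct_next action, and falls back to the documented default (trk,est)
when fewer --ct options were given than ct_next actions occur.
"""
import re
import shlex

# The flags the manual accepts in a --ct value.
CT_FLAGS = frozenset({"trk", "new", "est", "rel", "rpl", "inv", "dnat", "snat"})
# Default reported by any ct_next action that has no matching --ct option.
DEFAULT_CT = frozenset({"trk", "est"})


def parse_ct_flags(value):
    """Parse one --ct value: a comma- or space-separated list of flags.

    trk is set automatically even if not listed; unknown words are
    rejected instead of silently dropped, so a typo such as "esta"
    cannot quietly turn into the default.
    """
    words = [w for w in re.split(r"[,\s]+", value.strip()) if w]
    unknown = sorted(set(words) - CT_FLAGS)
    if unknown:
        raise ValueError("unknown ct_state flag(s): " + ", ".join(unknown))
    return frozenset(words) | {"trk"}


def ct_state_for_actions(ct_options, ct_next_count):
    """Return the ct_state flag set each of ct_next_count actions reports.

    The first --ct applies to the first ct_next reached in the trace
    (e.g. egress from the sending VM), the second to the second
    (ingress to the receiving VM), and so on; the rest see trk,est.
    """
    parsed = [parse_ct_flags(v) for v in ct_options]
    return [parsed[i] if i < len(parsed) else DEFAULT_CT
            for i in range(ct_next_count)]


def build_ovn_trace_argv(datapath, microflow, ct_options, detailed=True):
    """Assemble an ovn-trace argument vector with one --ct per ct_next.

    datapath and microflow are caller-supplied placeholders; only the
    option spellings come from the manual.
    """
    argv = ["ovn-trace", "--detailed" if detailed else "--summary"]
    for opt in ct_options:
        parse_ct_flags(opt)  # fail early, before the tool is run
        argv.append("--ct=" + opt)
    return argv + [datapath, microflow]


if __name__ == "__main__":
    # Constructed scenario: a not-yet-committed flow leaves VM A
    # (first ct_next) and enters VM B (second ct_next, which has no
    # --ct of its own and therefore reports the default trk,est).
    opts = ["trk,new"]
    for i, flags in enumerate(ct_state_for_actions(opts, 2), start=1):
        print(f"ct_next #{i} reports ct_state {','.join(sorted(flags))}")
    print(shlex.join(build_ovn_trace_argv("DATAPATH", "MICROFLOW", opts)))
```

       Rejecting unknown flag words is the point of the validator:
       a misspelled --ct value that fell back to trk,est would make
       a trace look as if the firewall accepted the packet as part
       of an established flow.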
   --lb-dst=ip[:port]
       Sets the IP from the VIP pool to use as the destination of
       the packet. --lb-dst is not available in daemon mode.
   --friendly-names
   --no-friendly-names
       When cloud management systems such as OpenStack are
       layered on top of OVN, they often use long, human-
       unfriendly names for ports and datapaths, for example,
       ones that include entire UUIDs. They do usually include
       friendlier names, but the long, hard-to-read names are
       the ones that appear in matches and actions. By default,
       or with --friendly-names, ovn-trace substitutes these
       friendlier names for the long names in its output. Use
       --no-friendly-names to disable this behavior; this option
       might be useful, for example, if a program is going to
       parse ovn-trace output.
Daemon Options
   --pidfile[=pidfile]
       Causes a file (by default, program.pid) to be created
       indicating the PID of the running process. If the pidfile
       argument is not specified, or if it does not begin with
       /, then it is created in /usr/local/var/run/openvswitch.

       If --pidfile is not specified, no pidfile is created.

   --overwrite-pidfile
       By default, when --pidfile is specified and the specified
       pidfile already exists and is locked by a running
       process, the daemon refuses to start. Specify
       --overwrite-pidfile to cause it to instead overwrite the
       pidfile.

       When --pidfile is not specified, this option has no
       effect.

   --detach
       Runs this program as a background process. The process
       forks, and in the child it starts a new session, closes
       the standard file descriptors (which has the side effect
       of disabling logging to the console), and changes its
       current directory to the root (unless --no-chdir is
       specified). After the child completes its initialization,
       the parent exits.

   --monitor
       Creates an additional process to monitor this program. If
       it dies due to a signal that indicates a programming
       error (SIGABRT, SIGALRM, SIGBUS, SIGFPE, SIGILL, SIGPIPE,
       SIGSEGV, SIGXCPU, or SIGXFSZ) then the monitor process
       starts a new copy of it. If the daemon dies or exits for
       another reason, the monitor process exits.

       This option is normally used with --detach, but it also
       functions without it.

   --no-chdir
       By default, when --detach is specified, the daemon
       changes its current working directory to the root
       directory after it detaches. Otherwise, invoking the
       daemon from a carelessly chosen directory would prevent
       the administrator from unmounting the file system that
       holds that directory.

       Specifying --no-chdir suppresses this behavior,
       preventing the daemon from changing its current working
       directory. This may be useful for collecting core files,
       since it is common behavior to write core dumps into the
       current working directory and the root directory is not
       a good directory to use.

       This option has no effect when --detach is not specified.
   --no-self-confinement
       By default this daemon will try to confine itself to
       working with files under well-known directories
       whitelisted at build time. It is better to stick with
       this default behavior and not to use this flag unless
       some other access control is used to confine the daemon.
       Note that in contrast to other access control
       implementations that are typically enforced from kernel
       space (e.g. DAC or MAC), self-confinement is imposed from
       the user-space daemon itself and hence should not be
       considered a full confinement strategy, but instead
       should be viewed as an additional layer of security.

   --user=user:group
       Causes this program to run as a different user specified
       in user:group, thus dropping most of the root privileges.
       Short forms user and :group are also allowed, with the
       current user or group assumed, respectively. Only daemons
       started by the root user accept this argument.

       On Linux, daemons will be granted CAP_IPC_LOCK and
       CAP_NET_BIND_SERVICE before dropping root privileges.
       Daemons that interact with a datapath, such as
       ovs-vswitchd, will be granted three additional
       capabilities, namely CAP_NET_ADMIN, CAP_NET_BROADCAST and
       CAP_NET_RAW. The capability change will apply even if the
       new user is root.

       On Windows, this option is not currently supported. For
       security reasons, specifying this option will cause the
       daemon process not to start.
Logging Options
   -v[spec]
   --verbose=[spec]
       Sets logging levels. Without any spec, sets the log level
       for every module and destination to dbg. Otherwise, spec
       is a list of words separated by spaces or commas or
       colons, up to one from each category below:

       • A valid module name, as displayed by the vlog/list
         command on ovs-appctl(8), limits the log level change
         to the specified module.

       • syslog, console, or file, to limit the log level change
         to only the system log, to the console, or to a file,
         respectively. (If --detach is specified, the daemon
         closes its standard file descriptors, so logging to the
         console will have no effect.)

         On the Windows platform, syslog is accepted as a word
         and is only useful along with the --syslog-target
         option (the word has no effect otherwise).

       • off, emer, err, warn, info, or dbg, to control the log
         level. Messages of the given severity or higher will be
         logged, and messages of lower severity will be filtered
         out. off filters out all messages. See ovs-appctl(8)
         for a definition of each log level.

       Case is not significant within spec.

       Regardless of the log levels set for file, logging to a
       file will not take place unless --log-file is also
       specified (see below).

       For compatibility with older versions of OVS, any is
       accepted as a word but has no effect.
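       The following parser, added here as an illustration and not
       code from Open vSwitch or OVN, applies the spec rules just
       described: words separated by spaces, commas or colons, at
       most one per category, case-insensitive, with any ignored.
       The caller supplies the module names (what the vlog/list
       command would display); the module names used in the
       demonstration are placeholders. A second function applies
       the two caveats above, that file output needs --log-file and
       that --detach closes the console, to show which destinations
       a level change actually reaches.

```python
"""Parser for the -v/--verbose spec syntax described above.

Added example, not code from Open vSwitch or OVN. A spec is a list of
words separated by spaces, commas or colons, at most one from each
category: a module name, a destination (syslog, console, file) and a
level (off, emer, err, warn, info, dbg). Matching is case-insensitive
and the compatibility word "any" is ignored. The caller supplies the
set of module names (what "ovs-appctl vlog/list" would display); the
module names used in the demonstration are placeholders.
"""
import re

DESTINATIONS = ("syslog", "console", "file")
LEVELS = ("off", "emer", "err", "warn", "info", "dbg")


def parse_verbose_spec(spec, known_modules):
    """Return (module, destination, level), with None for an omitted part.

    An empty spec means every module and destination goes to dbg.
    A second word from the same category, or a word that is neither a
    level, a destination nor a known module, is an error.
    """
    words = [w.lower() for w in re.split(r"[\s,:]+", spec.strip()) if w]
    if not words:
        return None, None, "dbg"
    modules = {m.lower() for m in known_modules}
    module = destination = level = None
    for word in words:
        if word == "any":          # accepted for compatibility, no effect
            continue
        if word in LEVELS:
            if level is not None:
                raise ValueError(f"two log levels: {level} and {word}")
            level = word
        elif word in DESTINATIONS:
            if destination is not None:
                raise ValueError(f"two destinations: {destination} and {word}")
            destination = word
        elif word in modules:
            if module is not None:
                raise ValueError(f"two modules: {module} and {word}")
            module = word
        else:
            raise ValueError(f"unknown module, destination or level: {word}")
    return module, destination, level


def effective_destinations(destination, log_file, detach):
    """Destinations that will actually emit messages after the caveats
    in the manual: file needs --log-file, and --detach closes the
    console. An empty result means the level change reaches nothing."""
    targets = [destination] if destination else list(DESTINATIONS)
    return [d for d in targets
            if not (d == "file" and not log_file)
            and not (d == "console" and detach)]


if __name__ == "__main__":
    mods = {"ovn_trace", "vconn"}   # placeholder module names
    print(parse_verbose_spec("vconn:console:dbg", mods))
    print(parse_verbose_spec("ANY,FILE WARN", mods))
    # file level raised, but no --log-file: nothing will be written.
    print(effective_destinations("file", log_file=False, detach=False))
```

       The effective_destinations check is the one operators most
       often need: raising the file level to dbg without --log-file,
       or the console level in a daemon started with --detach,
       silently produces no output.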
   -v
   --verbose
       Sets the maximum logging verbosity level, equivalent to
       --verbose=dbg.

   -vPATTERN:destination:pattern
   --verbose=PATTERN:destination:pattern
       Sets the log pattern for destination to pattern. Refer to
       ovs-appctl(8) for a description of the valid syntax for
       pattern.

   -vFACILITY:facility
   --verbose=FACILITY:facility
       Sets the RFC5424 facility of the log message. facility
       can be one of kern, user, mail, daemon, auth, syslog,
       lpr, news, uucp, clock, ftp, ntp, audit, alert, clock2,
       local0, local1, local2, local3, local4, local5, local6 or
       local7. If this option is not specified, daemon is used
       as the default for the local system syslog and local0 is
       used while sending a message to the target provided via
       the --syslog-target option.

   --log-file[=file]
       Enables logging to a file. If file is specified, then it
       is used as the exact name for the log file. The default
       log file name used if file is omitted is
       /usr/local/var/log/openvswitch/program.log.

   --syslog-target=host:port
       Send syslog messages to UDP port on host, in addition to
       the system syslog. The host must be a numerical IP
       address, not a hostname.

   --syslog-method=method
       Specify method as how syslog messages should be sent to
       the syslog daemon. The following forms are supported:

       • libc, to use the libc syslog() function. The downside
         of this option is that libc adds a fixed prefix to
         every message before it is actually sent to the syslog
         daemon over the /dev/log UNIX domain socket.

       • unix:file, to use a UNIX domain socket directly. It is
         possible to specify an arbitrary message format with
         this option. However, rsyslogd 8.9 and older versions
         use a hard-coded parser function anyway that limits
         UNIX domain socket use. If you want to use an
         arbitrary message format with older rsyslogd versions,
         then use a UDP socket to the localhost IP address
         instead.

       • udp:ip:port, to use a UDP socket. With this method it
         is possible to use an arbitrary message format also
         with older rsyslogd. When sending syslog messages over
         a UDP socket, extra precautions need to be taken: for
         example, the syslog daemon needs to be configured to
         listen on the specified UDP port, accidental iptables
         rules could interfere with local syslog traffic, and
         there are some security considerations that apply to
         UDP sockets but do not apply to UNIX domain sockets.

       • null, to discard all messages logged to syslog.

       The default is taken from the OVS_SYSLOG_METHOD
       environment variable; if it is unset, the default is
       libc.
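       The following Python code, added here as an illustration and
       not Open vSwitch code, ties the three syslog settings above
       together: it validates the --syslog-method forms, enforces the
       numerical host:port that --syslog-target requires, and shows
       how the facility chosen with FACILITY:facility (or the
       documented defaults, daemon locally and local0 for a
       --syslog-target) becomes the <PRI> prefix of an RFC 5424
       message and is decoded again by a receiver. The facility and
       severity codes are the RFC 5424 values; how OVS log levels map
       onto RFC severities is not covered by this manual and is left
       to the caller, and the addresses used are constructed.

```python
"""syslog delivery settings: method, target and facility.

Added example, not Open vSwitch code. It validates the --syslog-method
forms and the numerical host:port required by --syslog-target, and
shows how the facility chosen with -vFACILITY:facility (or the
documented defaults: daemon for the local system syslog, local0 when a
--syslog-target is given) becomes the <PRI> prefix of an RFC 5424
message, and how a receiver decodes it again. Facility and severity
codes are the RFC 5424 values; how OVS log levels map onto severities
is not covered by the manual and is left to the caller.
"""
import ipaddress

# RFC 5424 facility codes for the names the manual accepts.
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "clock": 9, "ftp": 11, "ntp": 12,
    "audit": 13, "alert": 14, "clock2": 15,
}
FACILITIES.update({f"local{i}": 16 + i for i in range(8)})
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}


def parse_host_port(value):
    """Parse host:port where host must be a numerical IP, not a hostname."""
    host, sep, port = value.rpartition(":")
    if not sep:
        raise ValueError(f"expected host:port, got {value!r}")
    ip = ipaddress.ip_address(host.strip("[]"))   # rejects hostnames
    port = int(port)
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    return str(ip), port


def parse_syslog_method(method):
    """Validate a --syslog-method value; return (kind, target)."""
    if method in ("libc", "null"):
        return method, None
    if method.startswith("unix:") and len(method) > len("unix:"):
        return "unix", method[len("unix:"):]
    if method.startswith("udp:"):
        return "udp", parse_host_port(method[len("udp:"):])
    raise ValueError(f"unsupported syslog method: {method!r}")


def default_facility(syslog_target):
    """daemon for the local syslog, local0 when a --syslog-target is set."""
    return "local0" if syslog_target else "daemon"


def pri(facility, severity):
    """PRI = facility * 8 + severity, as defined by RFC 5424."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def format_rfc5424(facility, severity, hostname, app_name, msg):
    """Build a minimal RFC 5424 line (nil timestamp, procid, msgid, SD)."""
    return f"<{pri(facility, severity)}>1 - {hostname} {app_name} - - - {msg}"


def parse_pri(line):
    """Decode the <PRI> prefix of a received line into (facility, severity)."""
    if not line.startswith("<"):
        raise ValueError("no PRI prefix")
    value = int(line[1:line.index(">")])
    fac_code, sev_code = divmod(value, 8)
    facility = next((n for n, c in FACILITIES.items() if c == fac_code), None)
    severity = next(n for n, c in SEVERITIES.items() if c == sev_code)
    return facility, severity


if __name__ == "__main__":
    target = "192.0.2.10:514"          # constructed, TEST-NET-1 address
    print(parse_syslog_method("udp:" + target))
    fac = default_facility(target)
    line = format_rfc5424(fac, "warning", "hv1", "ovn-trace",
                          "constructed test message")
    print(line, "->", parse_pri(line))
    try:
        parse_host_port("localhost:514")    # hostnames are rejected
    except ValueError as exc:
        print("rejected:", exc)
```

       The receiver-side parse_pri is what a collector rule keys on;
       sending with the wrong facility (daemon instead of local0, or
       the reverse) is the usual reason remote syslog filters
       silently drop these messages.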
PKI Options
   PKI configuration is required to use SSL for the connection
   to the database (and the switch, if --ovs is specified).

   -p privkey.pem
   --private-key=privkey.pem
       Specifies a PEM file containing the private key used as
       identity for outgoing SSL connections.

   -c cert.pem
   --certificate=cert.pem
       Specifies a PEM file containing a certificate that
       certifies the private key specified on -p or
       --private-key to be trustworthy. The certificate must be
       signed by the certificate authority (CA) that the peer in
       SSL connections will use to verify it.

   -C cacert.pem
   --ca-cert=cacert.pem
       Specifies a PEM file containing the CA certificate for
       verifying certificates presented to this program by SSL
       peers. (This may be the same certificate that SSL peers
       use to verify the certificate specified on -c or
       --certificate, or it may be a different one, depending
       on the PKI design in use.)

   -C none
   --ca-cert=none
       Disables verification of certificates presented by SSL
       peers. This introduces a security risk, because it means
       that certificates cannot be verified to be those of known
       trusted hosts.
Other Options
   --db database
       The OVSDB database remote to contact. If the OVN_SB_DB
       environment variable is set, its value is used as the
       default. Otherwise, the default is
       unix:/usr/local/var/run/openvswitch/db.sock, but this
       default is unlikely to be useful outside of single-
       machine OVN test environments.

   -h
   --help
       Prints a brief help message to the console.

   -V
   --version
       Prints version information to the console.