--mlockall
Causes ovs-vswitchd
to call the mlockall()
function, to
attempt to lock all of its process memory into physical
RAM, preventing the kernel from paging any of its memory
to disk. This helps to avoid networking interruptions due
to system memory pressure.
Some systems do not support mlockall()
at all, and other
systems only allow privileged users, such as the
superuser, to use it. ovs-vswitchd
emits a log message if
mlockall()
is unavailable or unsuccessful.
DPDK Options
For details on initializing ovs-vswitchd
to use DPDK ports, refer
to the documentation or ovs-vswitchd.conf.db(5).
Daemon Options
The following options are valid on POSIX based platforms.
--pidfile
[=
pidfile]
Causes a file (by default, ovs-vswitchd.pid
) to be created
indicating the PID of the running process. If the pidfile
argument is not specified, or if it does not begin with /
,
then it is created in /usr/local/var/run/openvswitch
.
If --pidfile
is not specified, no pidfile is created.
--overwrite-pidfile
By default, when --pidfile
is specified and the specified
pidfile already exists and is locked by a running process,
ovs-vswitchd
refuses to start. Specify
--overwrite-pidfile
to cause it to instead overwrite the
pidfile.
When --pidfile
is not specified, this option has no
effect.
--detach
Runs ovs-vswitchd
as a background process. The process
forks, and in the child it starts a new session, closes
the standard file descriptors (which has the side effect
of disabling logging to the console), and changes its
current directory to the root (unless --no-chdir
is
specified). After the child completes its initialization,
the parent exits. ovs-vswitchd
detaches only after it has
connected to the database, retrieved the initial
configuration, and set up that configuration.
--monitor
Creates an additional process to monitor the ovs-vswitchd
daemon. If the daemon dies due to a signal that indicates
a programming error (SIGABRT
, SIGALRM
, SIGBUS
, SIGFPE
,
SIGILL
, SIGPIPE
, SIGSEGV
, SIGXCPU
, or SIGXFSZ
) then the
monitor process starts a new copy of it. If the daemon
dies or exits for another reason, the monitor process
exits.
This option is normally used with --detach
, but it also
functions without it.
--no-chdir
By default, when --detach
is specified, ovs-vswitchd
changes its current working directory to the root
directory after it detaches. Otherwise, invoking
ovs-vswitchd
from a carelessly chosen directory would
prevent the administrator from unmounting the file system
that holds that directory.
Specifying --no-chdir
suppresses this behavior, preventing
ovs-vswitchd
from changing its current working directory.
This may be useful for collecting core files, since it is
common behavior to write core dumps into the current
working directory and the root directory is not a good
directory to use.
This option has no effect when --detach
is not specified.
--no-self-confinement
By default daemon will try to self-confine itself to work
with files under well-known directories determined during
build. It is better to stick with this default behavior
and not to use this flag unless some other Access Control
is used to confine daemon. Note that in contrast to other
access control implementations that are typically enforced
from kernel-space (e.g. DAC or MAC), self-confinement is
imposed from the user-space daemon itself and hence should
not be considered as a full confinement strategy, but
instead should be viewed as an additional layer of
security.
--user
Causes ovs-vswitchd
to run as a different user specified
in "user:group", thus dropping most of the root
privileges. Short forms "user" and ":group" are also
allowed, with current user or group are assumed
respectively. Only daemons started by the root user
accepts this argument.
On Linux, daemons will be granted CAP_IPC_LOCK and
CAP_NET_BIND_SERVICES before dropping root privileges.
Daemons that interact with a datapath, such as
ovs-vswitchd
, will be granted three additional
capabilities, namely CAP_NET_ADMIN, CAP_NET_BROADCAST and
CAP_NET_RAW. The capability change will apply even if the
new user is root.
On Windows, this option is not currently supported. For
security reasons, specifying this option will cause the
daemon process not to start.
Service Options
The following options are valid only on Windows platform.
--service
Causes ovs-vswitchd
to run as a service in the background.
The service should already have been created through
external tools like SC.exe
.
--service-monitor
Causes the ovs-vswitchd
service to be automatically
restarted by the Windows services manager if the service
dies or exits for unexpected reasons.
When --service
is not specified, this option has no
effect.
Public Key Infrastructure Options
-p
privkey.pem
--private-key=
privkey.pem
Specifies a PEM file containing the private key used as
ovs-vswitchd
's identity for outgoing SSL connections.
-c
cert.pem
--certificate=
cert.pem
Specifies a PEM file containing a certificate that
certifies the private key specified on -p
or --private-key
to be trustworthy. The certificate must be signed by the
certificate authority (CA) that the peer in SSL
connections will use to verify it.
-C
cacert.pem
--ca-cert=
cacert.pem
Specifies a PEM file containing the CA certificate that
ovs-vswitchd
should use to verify certificates presented
to it by SSL peers. (This may be the same certificate
that SSL peers use to verify the certificate specified on
-c
or --certificate
, or it may be a different one,
depending on the PKI design in use.)
-C none
--ca-cert=none
Disables verification of certificates presented by SSL
peers. This introduces a security risk, because it means
that certificates cannot be verified to be those of known
trusted hosts.
--bootstrap-ca-cert=
cacert.pem
When cacert.pem exists, this option has the same effect as
-C
or --ca-cert
. If it does not exist, then ovs-vswitchd
will attempt to obtain the CA certificate from the SSL
peer on its first SSL connection and save it to the named
PEM file. If it is successful, it will immediately drop
the connection and reconnect, and from then on all SSL
connections must be authenticated by a certificate signed
by the CA certificate thus obtained.
This option exposes the SSL connection to a man-in-the-
middle attack obtaining the initial CA certificate
, but it
may be useful for bootstrapping.
This option is only useful if the SSL peer sends its CA
certificate as part of the SSL certificate chain. The SSL
protocol does not require the server to send the CA
certificate.
This option is mutually exclusive with -C
and --ca-cert
.
--peer-ca-cert=
peer-cacert.pem
Specifies a PEM file that contains one or more additional
certificates to send to SSL peers. peer-cacert.pem should
be the CA certificate used to sign ovs-vswitchd
's own
certificate, that is, the certificate specified on -c
or
--certificate
. If ovs-vswitchd
's certificate is self-
signed, then --certificate
and --peer-ca-cert
should
specify the same file.
This option is not useful in normal operation, because the
SSL peer must already have the CA certificate for the peer
to have any confidence in ovs-vswitchd
's identity.
However, this offers a way for a new installation to
bootstrap the CA certificate on its first SSL connection.
Logging Options
-v
[spec]
--verbose=
[spec]
Sets logging levels. Without any spec, sets the log level
for every module and destination to dbg
. Otherwise, spec
is a list of words separated by spaces or commas or
colons, up to one from each category below:
• A valid module name, as displayed by the vlog/list
command on ovs-appctl(8), limits the log level
change to the specified module.
• syslog
, console
, or file
, to limit the log level
change to only to the system log, to the console,
or to a file, respectively. (If --detach
is
specified, ovs-vswitchd
closes its standard file
descriptors, so logging to the console will have no
effect.)
On Windows platform, syslog
is accepted as a word
and is only useful along with the --syslog-target
option (the word has no effect otherwise).
• off
, emer
, err
, warn
, info
, or dbg
, to control the
log level. Messages of the given severity or
higher will be logged, and messages of lower
severity will be filtered out. off
filters out all
messages. See ovs-appctl(8) for a definition of
each log level.
Case is not significant within spec.
Regardless of the log levels set for file
, logging to a
file will not take place unless --log-file
is also
specified (see below).
For compatibility with older versions of OVS, any
is
accepted as a word but has no effect.
-v
--verbose
Sets the maximum logging verbosity level, equivalent to
--verbose=dbg
.
-vPATTERN:
destination:
pattern
--verbose=PATTERN:
destination:
pattern
Sets the log pattern for destination to pattern. Refer to
ovs-appctl(8) for a description of the valid syntax for
pattern.
-vFACILITY:
facility
--verbose=FACILITY:
facility
Sets the RFC5424 facility of the log message. facility can
be one of kern
, user
, mail
, daemon
, auth
, syslog
, lpr
,
news
, uucp
, clock
, ftp
, ntp
, audit
, alert
, clock2
, local0
,
local1
, local2
, local3
, local4
, local5
, local6
or local7
.
If this option is not specified, daemon
is used as the
default for the local system syslog and local0
is used
while sending a message to the target provided via the
--syslog-target
option.
--log-file
[=
file]
Enables logging to a file. If file is specified, then it
is used as the exact name for the log file. The default
log file name used if file is omitted is
/usr/local/var/log/openvswitch/ovs-vswitchd.log
.
--syslog-target=
host:
port
Send syslog messages to UDP port on host, in addition to
the system syslog. The host must be a numerical IP
address, not a hostname.
--syslog-method=
method
Specify method how syslog messages should be sent to
syslog daemon. Following forms are supported:
• libc
, use libc syslog()
function. Downside of
using this options is that libc adds fixed prefix
to every message before it is actually sent to the
syslog daemon over /dev/log
UNIX domain socket.
• unix:
file, use UNIX domain socket directly. It is
possible to specify arbitrary message format with
this option. However, rsyslogd 8.9
and older
versions use hard coded parser function anyway that
limits UNIX domain socket use. If you want to use
arbitrary message format with older rsyslogd
versions, then use UDP socket to localhost IP
address instead.
• udp:
ip:port, use UDP socket. With this method it
is possible to use arbitrary message format also
with older rsyslogd
. When sending syslog messages
over UDP socket extra precaution needs to be taken
into account, for example, syslog daemon needs to
be configured to listen on the specified UDP port,
accidental iptables rules could be interfering with
local syslog traffic and there are some security
considerations that apply to UDP sockets, but do
not apply to UNIX domain sockets.
• null
, discards all messages logged to syslog.
The default is taken from the OVS_SYSLOG_METHOD
environment variable; if it is unset, the default is libc
.
Other Options
--unixctl=
socket
Sets the name of the control socket on which ovs-vswitchd
listens for runtime management commands (see RUNTIME
MANAGEMENT COMMANDS
, below). If socket does not begin
with /
, it is interpreted as relative to
/usr/local/var/run/openvswitch
. If --unixctl
is not used
at all, the default socket is
/usr/local/var/run/openvswitch/ovs-vswitchd.
pid.ctl
, where
pid is ovs-vswitchd
's process ID.
On Windows a local named pipe is used to listen for
runtime management commands. A file is created in the
absolute path as pointed by socket or if --unixctl
is not
used at all, a file is created as ovs-vswitchd.ctl
in the
configured OVS_RUNDIR directory. The file exists just to
mimic the behavior of a Unix domain socket.
Specifying none
for socket disables the control socket
feature.
-h
--help
Prints a brief help message to the console.
-V
--version
Prints version information to the console.