Путеводитель по Руководству Linux

  User  |  Syst  |  Libr  |  Device  |  Files  |  Other  |  Admin  |  Head  |



   ovs-vswitchd    ( 8 )

открыть демон vSwitch (Open vSwitch daemon)

Параметры (Options)

--mlockall
              Causes ovs-vswitchd to call the mlockall() function, to
              attempt to lock all of its process memory into physical
              RAM, preventing the kernel from paging any of its memory
              to disk.  This helps to avoid networking interruptions due
              to system memory pressure.

Some systems do not support mlockall() at all, and other systems only allow privileged users, such as the superuser, to use it. ovs-vswitchd emits a log message if mlockall() is unavailable or unsuccessful.

DPDK Options For details on initializing ovs-vswitchd to use DPDK ports, refer to the documentation or ovs-vswitchd.conf.db(5).

Daemon Options The following options are valid on POSIX based platforms.

--pidfile[=pidfile] Causes a file (by default, ovs-vswitchd.pid) to be created indicating the PID of the running process. If the pidfile argument is not specified, or if it does not begin with /, then it is created in /usr/local/var/run/openvswitch.

If --pidfile is not specified, no pidfile is created.

--overwrite-pidfile By default, when --pidfile is specified and the specified pidfile already exists and is locked by a running process, ovs-vswitchd refuses to start. Specify --overwrite-pidfile to cause it to instead overwrite the pidfile.

When --pidfile is not specified, this option has no effect.

--detach Runs ovs-vswitchd as a background process. The process forks, and in the child it starts a new session, closes the standard file descriptors (which has the side effect of disabling logging to the console), and changes its current directory to the root (unless --no-chdir is specified). After the child completes its initialization, the parent exits. ovs-vswitchd detaches only after it has connected to the database, retrieved the initial configuration, and set up that configuration.

--monitor Creates an additional process to monitor the ovs-vswitchd daemon. If the daemon dies due to a signal that indicates a programming error (SIGABRT, SIGALRM, SIGBUS, SIGFPE, SIGILL, SIGPIPE, SIGSEGV, SIGXCPU, or SIGXFSZ) then the monitor process starts a new copy of it. If the daemon dies or exits for another reason, the monitor process exits.

This option is normally used with --detach, but it also functions without it.

--no-chdir By default, when --detach is specified, ovs-vswitchd changes its current working directory to the root directory after it detaches. Otherwise, invoking ovs-vswitchd from a carelessly chosen directory would prevent the administrator from unmounting the file system that holds that directory.

Specifying --no-chdir suppresses this behavior, preventing ovs-vswitchd from changing its current working directory. This may be useful for collecting core files, since it is common behavior to write core dumps into the current working directory and the root directory is not a good directory to use.

This option has no effect when --detach is not specified.

--no-self-confinement By default daemon will try to self-confine itself to work with files under well-known directories determined during build. It is better to stick with this default behavior and not to use this flag unless some other Access Control is used to confine daemon. Note that in contrast to other access control implementations that are typically enforced from kernel-space (e.g. DAC or MAC), self-confinement is imposed from the user-space daemon itself and hence should not be considered as a full confinement strategy, but instead should be viewed as an additional layer of security.

--user Causes ovs-vswitchd to run as a different user specified in "user:group", thus dropping most of the root privileges. Short forms "user" and ":group" are also allowed, with current user or group are assumed respectively. Only daemons started by the root user accepts this argument.

On Linux, daemons will be granted CAP_IPC_LOCK and CAP_NET_BIND_SERVICES before dropping root privileges. Daemons that interact with a datapath, such as ovs-vswitchd, will be granted three additional capabilities, namely CAP_NET_ADMIN, CAP_NET_BROADCAST and CAP_NET_RAW. The capability change will apply even if the new user is root.

On Windows, this option is not currently supported. For security reasons, specifying this option will cause the daemon process not to start.

Service Options The following options are valid only on Windows platform.

--service Causes ovs-vswitchd to run as a service in the background. The service should already have been created through external tools like SC.exe.

--service-monitor Causes the ovs-vswitchd service to be automatically restarted by the Windows services manager if the service dies or exits for unexpected reasons.

When --service is not specified, this option has no effect.

Public Key Infrastructure Options -p privkey.pem --private-key=privkey.pem Specifies a PEM file containing the private key used as ovs-vswitchd's identity for outgoing SSL connections.

-c cert.pem --certificate=cert.pem Specifies a PEM file containing a certificate that certifies the private key specified on -p or --private-key to be trustworthy. The certificate must be signed by the certificate authority (CA) that the peer in SSL connections will use to verify it.

-C cacert.pem --ca-cert=cacert.pem Specifies a PEM file containing the CA certificate that ovs-vswitchd should use to verify certificates presented to it by SSL peers. (This may be the same certificate that SSL peers use to verify the certificate specified on -c or --certificate, or it may be a different one, depending on the PKI design in use.)

-C none --ca-cert=none Disables verification of certificates presented by SSL peers. This introduces a security risk, because it means that certificates cannot be verified to be those of known trusted hosts.

--bootstrap-ca-cert=cacert.pem When cacert.pem exists, this option has the same effect as -C or --ca-cert. If it does not exist, then ovs-vswitchd will attempt to obtain the CA certificate from the SSL peer on its first SSL connection and save it to the named PEM file. If it is successful, it will immediately drop the connection and reconnect, and from then on all SSL connections must be authenticated by a certificate signed by the CA certificate thus obtained.

This option exposes the SSL connection to a man-in-the- middle attack obtaining the initial CA certificate, but it may be useful for bootstrapping.

This option is only useful if the SSL peer sends its CA certificate as part of the SSL certificate chain. The SSL protocol does not require the server to send the CA certificate.

This option is mutually exclusive with -C and --ca-cert.

--peer-ca-cert=peer-cacert.pem Specifies a PEM file that contains one or more additional certificates to send to SSL peers. peer-cacert.pem should be the CA certificate used to sign ovs-vswitchd's own certificate, that is, the certificate specified on -c or --certificate. If ovs-vswitchd's certificate is self- signed, then --certificate and --peer-ca-cert should specify the same file.

This option is not useful in normal operation, because the SSL peer must already have the CA certificate for the peer to have any confidence in ovs-vswitchd's identity. However, this offers a way for a new installation to bootstrap the CA certificate on its first SSL connection.

Logging Options -v[spec] --verbose=[spec] Sets logging levels. Without any spec, sets the log level for every module and destination to dbg. Otherwise, spec is a list of words separated by spaces or commas or colons, up to one from each category below:

• A valid module name, as displayed by the vlog/list command on ovs-appctl(8), limits the log level change to the specified module.

syslog, console, or file, to limit the log level change to only to the system log, to the console, or to a file, respectively. (If --detach is specified, ovs-vswitchd closes its standard file descriptors, so logging to the console will have no effect.)

On Windows platform, syslog is accepted as a word and is only useful along with the --syslog-target option (the word has no effect otherwise).

off, emer, err, warn, info, or dbg, to control the log level. Messages of the given severity or higher will be logged, and messages of lower severity will be filtered out. off filters out all messages. See ovs-appctl(8) for a definition of each log level.

Case is not significant within spec.

Regardless of the log levels set for file, logging to a file will not take place unless --log-file is also specified (see below).

For compatibility with older versions of OVS, any is accepted as a word but has no effect.

-v --verbose Sets the maximum logging verbosity level, equivalent to --verbose=dbg.

-vPATTERN:destination:pattern --verbose=PATTERN:destination:pattern Sets the log pattern for destination to pattern. Refer to ovs-appctl(8) for a description of the valid syntax for pattern.

-vFACILITY:facility --verbose=FACILITY:facility Sets the RFC5424 facility of the log message. facility can be one of kern, user, mail, daemon, auth, syslog, lpr, news, uucp, clock, ftp, ntp, audit, alert, clock2, local0, local1, local2, local3, local4, local5, local6 or local7. If this option is not specified, daemon is used as the default for the local system syslog and local0 is used while sending a message to the target provided via the --syslog-target option.

--log-file[=file] Enables logging to a file. If file is specified, then it is used as the exact name for the log file. The default log file name used if file is omitted is /usr/local/var/log/openvswitch/ovs-vswitchd.log.

--syslog-target=host:port Send syslog messages to UDP port on host, in addition to the system syslog. The host must be a numerical IP address, not a hostname.

--syslog-method=method Specify method how syslog messages should be sent to syslog daemon. Following forms are supported:

libc, use libc syslog() function. Downside of using this options is that libc adds fixed prefix to every message before it is actually sent to the syslog daemon over /dev/log UNIX domain socket.

unix:file, use UNIX domain socket directly. It is possible to specify arbitrary message format with this option. However, rsyslogd 8.9 and older versions use hard coded parser function anyway that limits UNIX domain socket use. If you want to use arbitrary message format with older rsyslogd versions, then use UDP socket to localhost IP address instead.

udp:ip:port, use UDP socket. With this method it is possible to use arbitrary message format also with older rsyslogd. When sending syslog messages over UDP socket extra precaution needs to be taken into account, for example, syslog daemon needs to be configured to listen on the specified UDP port, accidental iptables rules could be interfering with local syslog traffic and there are some security considerations that apply to UDP sockets, but do not apply to UNIX domain sockets.

null, discards all messages logged to syslog.

The default is taken from the OVS_SYSLOG_METHOD environment variable; if it is unset, the default is libc.

Other Options --unixctl=socket Sets the name of the control socket on which ovs-vswitchd listens for runtime management commands (see RUNTIME MANAGEMENT COMMANDS, below). If socket does not begin with /, it is interpreted as relative to /usr/local/var/run/openvswitch. If --unixctl is not used at all, the default socket is /usr/local/var/run/openvswitch/ovs-vswitchd.pid.ctl, where pid is ovs-vswitchd's process ID.

On Windows a local named pipe is used to listen for runtime management commands. A file is created in the absolute path as pointed by socket or if --unixctl is not used at all, a file is created as ovs-vswitchd.ctl in the configured OVS_RUNDIR directory. The file exists just to mimic the behavior of a Unix domain socket.

Specifying none for socket disables the control socket feature.

-h --help Prints a brief help message to the console.

-V --version Prints version information to the console.