1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
|
<?xml version="1.0" encoding="utf-8"?>
<manpage program="ovn-nbctl" section="8" title="ovn-nbctl">
<h1>Name</h1>
<p>ovn-nbctl -- Open Virtual Network northbound db management utility</p>
<h1>Synopsys</h1>
<p><code>ovn-nbctl</code> [<var>options</var>] <var>command</var> [<var>arg</var>...]</p>
<h1>Description</h1>
<p>This utility can be used to manage the OVN northbound database.</p>
<h1>General Commands</h1>
<dl>
<dt><code>init</code></dt>
<dd>
Initializes the database, if it is empty. If the database has already
been initialized, this command has no effect.
</dd>
<dt><code>show [<var>switch</var> | <var>router</var>]</code></dt>
<dd>
Prints a brief overview of the database contents. If
<var>switch</var> is provided, only records related to that
logical switch are shown. If
<var>router</var> is provided, only records related to that
logical router are shown.
</dd>
</dl>
<h1>Logical Switch Commands</h1>
<dl>
<dt><code>ls-add</code></dt>
<dd>
<p>
Creates a new, unnamed logical switch, which initially has no ports.
The switch does not have a name, other commands must refer to this
switch by its UUID.
</p>
</dd>
<dt>[<code>--may-exist</code> | <code>--add-duplicate</code>] <code>ls-add</code> <var>switch</var></dt>
<dd>
<p>
Creates a new logical switch named <var>switch</var>, which
initially has no ports.
</p>
<p>
The OVN northbound database schema does not require logical switch
names to be unique, but the whole point to the names is to provide an
easy way for humans to refer to the switches, making duplicate names
unhelpful. Thus, without any options, this command regards it as an
error if <var>switch</var> is a duplicate name. With
<code>--may-exist</code>, adding a duplicate name succeeds but does
not create a new logical switch. With <code>--add-duplicate</code>,
the command really creates a new logical switch with a duplicate
name. It is an error to specify both options. If there are multiple
logical switches with a duplicate name, configure the logical switches
using the UUID instead of the <var>switch</var> name.
</p>
</dd>
<dt>[<code>--if-exists</code>] <code>ls-del</code> <var>switch</var></dt>
<dd>
Deletes <var>switch</var>. It is an error if <var>switch</var> does
not exist, unless <code>--if-exists</code> is specified.
</dd>
<dt><code>ls-list</code></dt>
<dd>
Lists all existing switches on standard output, one per line.
</dd>
</dl>
<h1>Logical Switch ACL Commands</h1>
<dl>
<dt>[<code>--log</code>] <code>acl-add</code> <var>switch</var> <var>direction</var> <var>priority</var> <var>match</var> <var>action</var></dt>
<dd>
Adds the specified ACL to <var>switch</var>.
<var>direction</var> must be either <code>from-lport</code> or
<code>to-lport</code>. <var>priority</var> must be between
<code>1</code> and <code>65534</code>, inclusive. If
<code>--log</code> is specified, packet logging is enabled for the
ACL. A full description of the fields are in <code>ovn-nb</code>(5).
</dd>
<dt><code>acl-del</code> <var>switch</var> [<var>direction</var> [<var>priority</var> <var>match</var>]]</dt>
<dd>
Deletes ACLs from <var>switch</var>. If only
<var>switch</var> is supplied, all the ACLs from the logical
switch are deleted. If <var>direction</var> is also specified,
then all the flows in that direction will be deleted from the
logical switch. If all the fields are given, then a single flow
that matches all the fields will be deleted.
</dd>
<dt><code>acl-list</code> <var>switch</var></dt>
<dd>
Lists the ACLs on <var>switch</var>.
</dd>
</dl>
<h1>Logical Switch Port Commands</h1>
<dl>
<dt>[<code>--may-exist</code>] <code>lsp-add</code> <var>switch</var> <var>port</var></dt>
<dd>
<p>
Creates on <var>lswitch</var> a new logical switch port named
<var>port</var>.
</p>
<p>
It is an error if a logical port named <var>port</var> already
exists, unless <code>--may-exist</code> is specified. Regardless of
<code>--may-exist</code>, it is an error if the existing port is in
some logical switch other than <var>switch</var> or if it has a
parent port.
</p>
</dd>
<dt>[<code>--may-exist</code>] <code>lsp-add</code> <var>switch</var> <var>port</var> <var>parent</var> <var>tag</var></dt>
<dd>
<p>
Creates on <var>switch</var> a logical switch port named
<var>port</var> that is a child of <var>parent</var> that is
identifed with VLAN ID <var>tag</var>. This is useful in
cases such as virtualized container environments where Open
vSwitch does not have a direct connection to the container's
port and it must be shared with the virtual machine's port.
</p>
<p>
It is an error if a logical port named <var>port</var> already
exists, unless <code>--may-exist</code> is specified. Regardless of
<code>--may-exist</code>, it is an error if the existing port is not
in <var>switch</var> or if it does not have the specified
<var>parent</var> and <var>tag</var>.
</p>
</dd>
<dt>[<code>--if-exists</code>] <code>lsp-del</code> <var>port</var></dt>
<dd>
Deletes <var>port</var>. It is an error if <var>port</var> does
not exist, unless <code>--if-exists</code> is specified.
</dd>
<dt><code>lsp-list</code> <var>switch</var></dt>
<dd>
Lists all the logical switch ports within <var>switch</var> on
standard output, one per line.
</dd>
<dt><code>lsp-get-parent</code> <var>port</var></dt>
<dd>
If set, get the parent port of <var>port</var>. If not set, print
nothing.
</dd>
<dt><code>lsp-get-tag</code> <var>port</var></dt>
<dd>
If set, get the tag for <var>port</var> traffic. If not set, print
nothing.
</dd>
<dt><code>lsp-set-addresses</code> <var>port</var> [<var>address</var>]...</dt>
<dd>
Sets the addresses associated with <var>port</var> to
<var>address</var>. Each <var>address</var> should be either an
Ethernet address or an Ethernet address followed by an IP address
(separated by a space and quoted to form a single command-line
argument). The special form <code>unknown</code> is also valid.
Multiple Ethernet addresses or Ethernet+IP pairs may be set. If no
<var>address</var> argument is given, <var>port</var> will have no
addresses associated with it.
</dd>
<dt><code>lsp-get-addresses</code> <var>port</var></dt>
<dd>
Lists all the addresses associated with <var>port</var> on standard
output, one per line.
</dd>
<dt><code>lsp-set-port-security</code> <var>port</var> [<var>addrs</var>]...</dt>
<dd>
<p>
Sets the port security addresses associated with <var>port</var> to
<var>addrs</var>. Multiple sets of addresses may be set by using
multiple <var>addrs</var> arguments. If no <var>addrs</var> argument
is given, <var>port</var> will not have port security enabled.
</p>
<p>
Port security limits the addresses from which a logical port may send
packets and to which it may receive packets. See the
<code>ovn-nb</code>(5) documentation for the <ref
column="port_security" table="Logical_Switch_Port"/> column in
the <ref table="Logical_Switch_Port"/> table for details.
</p>
</dd>
<dt><code>lsp-get-port-security</code> <var>port</var></dt>
<dd>
Lists all the port security addresses associated with <var>port</var>
on standard output, one per line.
</dd>
<dt><code>lsp-get-up</code> <var>port</var></dt>
<dd>
Prints the state of <var>port</var>, either <code>up</code> or
<code>down</code>.
</dd>
<dt><code>lsp-set-enabled</code> <var>port</var> <var>state</var></dt>
<dd>
Set the administrative state of <var>port</var>, either <code>enabled</code>
or <code>disabled</code>. When a port is disabled, no traffic is allowed into
or out of the port.
</dd>
<dt><code>lsp-get-enabled</code> <var>port</var></dt>
<dd>
Prints the administrative state of <var>port</var>, either <code>enabled</code>
or <code>disabled</code>.
</dd>
<dt><code>lsp-set-type</code> <var>port</var> <var>type</var></dt>
<dd>
Set the type for the logical port. No special types have been implemented yet.
</dd>
<dt><code>lsp-get-type</code> <var>port</var></dt>
<dd>
Get the type for the logical port.
</dd>
<dt><code>lsp-set-options</code> <var>port</var> [<var>key=value</var>]...</dt>
<dd>
Set type-specific key-value options for the logical port.
</dd>
<dt><code>lsp-get-options</code> <var>port</var></dt>
<dd>
Get the type-specific options for the logical port.
</dd>
</dl>
<h1>Logical Router Commands</h1>
<dl>
<dt><code>lr-add</code></dt>
<dd>
<p>
Creates a new, unnamed logical router, which initially has no ports.
The router does not have a name, other commands must refer to this
router by its UUID.
</p>
</dd>
<dt>[<code>--may-exist</code> | <code>--add-duplicate</code>] <code>lr-add</code> <var>router</var></dt>
<dd>
<p>
Creates a new logical router named <var>router</var>, which
initially has no ports.
</p>
<p>
The OVN northbound database schema does not require logical router
names to be unique, but the whole point to the names is to provide an
easy way for humans to refer to the routers, making duplicate names
unhelpful. Thus, without any options, this command regards it as an
error if <var>router</var> is a duplicate name. With
<code>--may-exist</code>, adding a duplicate name succeeds but does
not create a new logical router. With <code>--add-duplicate</code>,
the command really creates a new logical router with a duplicate
name. It is an error to specify both options. If there are multiple
logical routers with a duplicate name, configure the logical routers
using the UUID instead of the <var>router</var> name.
</p>
</dd>
<dt>[<code>--if-exists</code>] <code>lr-del</code> <var>router</var></dt>
<dd>
Deletes <var>router</var>. It is an error if <var>router</var> does
not exist, unless <code>--if-exists</code> is specified.
</dd>
<dt><code>lr-list</code></dt>
<dd>
Lists all existing routers on standard output, one per line.
</dd>
</dl>
<h1>Logical Router Port Commands</h1>
<dl>
<dt>[<code>--may-exist</code>] <code>lrp-add</code> <var>router</var> <var>port</var> <var>mac</var> <var>network</var>... [<code>peer=</code><var>peer</var>]</dt>
<dd>
<p>
Creates on <var>router</var> a new logical router port named
<var>port</var> with Ethernet address <var>mac</var> and one
or more IP address/netmask for each <var>network</var>.
</p>
<p>
The optional argument <code>peer</code> identifies a logical
router port that connects to this one. The following example
adds a router port with an IPv4 and IPv6 address with peer
<code>lr1</code>:
</p>
<p>
<code>lrp-add lr0 lrp0 00:11:22:33:44:55 192.168.0.1/24 2001:db8::1/64 peer=lr1</code>
</p>
<p>
It is an error if a logical router port named <var>port</var>
already exists, unless <code>--may-exist</code> is specified.
Regardless of <code>--may-exist</code>, it is an error if the
existing router port is in some logical router other than
<var>router</var>.
</p>
</dd>
<dt>[<code>--if-exists</code>] <code>lrp-del</code> <var>port</var></dt>
<dd>
Deletes <var>port</var>. It is an error if <var>port</var> does
not exist, unless <code>--if-exists</code> is specified.
</dd>
<dt><code>lrp-list</code> <var>router</var></dt>
<dd>
Lists all the logical router ports within <var>router</var> on
standard output, one per line.
</dd>
<dt><code>lrp-set-enabled</code> <var>port</var> <var>state</var></dt>
<dd>
Set the administrative state of <var>port</var>, either
<code>enabled</code> or <code>disabled</code>. When a port is
disabled, no traffic is allowed into or out of the port.
</dd>
<dt><code>lrp-get-enabled</code> <var>port</var></dt>
<dd>
Prints the administrative state of <var>port</var>, either
<code>enabled</code> or <code>disabled</code>.
</dd>
</dl>
<h1>Logical Router Static Route Commands</h1>
<dl>
<dt>[<code>--may-exist</code>] <code>lr-route-add</code> <var>router</var> <var>prefix</var> <var>nexthop</var> [<var>port</var>]</dt>
<dd>
<p>
Adds the specified route to <var>router</var>.
<var>prefix</var> describes an IPv4 or IPv6 prefix for this
route, such as <code>192.168.100.0/24</code>.
<var>nexthop</var> specifies the gateway to use for this
route, which should be the IP address of one of
<var>router</var> logical router ports or the IP address of a
logical port. If <var>port</var> is specified, packets that
match this route will be sent out that port. When
<var>port</var> is omitted, OVN infers the output port based
on <var>nexthop</var>.
</p>
<p>
It is an error if a route with <var>prefix</var> already exists,
unless <code>--may-exist</code> is specified.
</p>
</dd>
<dt>[<code>--if-exists</code>] <code>lr-route-del</code> <var>router</var> [<var>prefix</var>]</dt>
<dd>
<p>
Deletes routes from <var>router</var>. If only <var>router</var>
is supplied, all the routes from the logical router are
deleted. If <var>prefix</var> is also specified, then all the
routes that match the prefix will be deleted from the logical
router.
</p>
<p>
It is an error if <code>prefix</code> is specified and there
is no matching route entry, unless <code>--if-exists</code> is
specified.
</p>
</dd>
<dt><code>lr-route-list</code> <var>router</var></dt>
<dd>
Lists the routes on <var>router</var>.
</dd>
</dl>
<h1>DHCP Options commands</h1>
<dl>
<dt><code>dhcp-options-create</code> <var>cidr</var> [<var>key=value</var>]</dt>
<dd>
Creates a new DHCP Options entry in the <code>DHCP_Options</code> table
with the specified <code>cidr</code> and optional <code>external-ids</code>.
</dd>
<dt><code>dhcp-options-list</code></dt>
<dd>
Lists the DHCP Options entries.
</dd>
<dt><code>dhcp-options-del</code> <var>dhcp-option</var></dt>
<dd>
Deletes the DHCP Options entry referred by <var>dhcp-option</var> UUID.
</dd>
<dt><code>dhcp-options-set-options</code> <var>dhcp-option</var> [<var>key=value</var>]...</dt>
<dd>
Set the DHCP Options for the <var>dhcp-option</var> UUID.
</dd>
<dt><code>dhcp-options-get-options</code> <var>dhcp-option</var></dt>
<dd>
Lists the DHCP Options for the <var>dhcp-option</var> UUID.
</dd>
</dl>
<h1>Database Commands</h1>
<p>These commands query and modify the contents of <code>ovsdb</code> tables.
They are a slight abstraction of the <code>ovsdb</code> interface and
as suchthey operate at a lower level than other <code>ovn-nbctl</code> commands.</p>
<p><var>Identifying Tables, Records, and Columns</var></p>
<p>Each of these commands has a <var>table</var> parameter to identify a table
within the database. Many of them also take a <var>record</var> parameter
that identifies a particular record within a table. The <var>record</var>
parameter may be the UUID for a record, and many tables offer
additional ways to identify records. Some commands also take
<var>column</var> parameters that identify a particular field within the
records in a table.</p>
<p>The following tables are currently defined:</p>
<dl>
<dt><code>Logical_Switch</code></dt>
<dd>
An L2 logical switch. Records may be identified by name.
</dd>
<dt><code>Logical_Switch_Port</code></dt>
<dd>
A port within an L2 logical switch. Records may be identified by name.
</dd>
<dt><code>ACL</code></dt>
<dd>
An ACL rule for a logical switch that points to it through its <var>acls</var> column.
</dd>
<dt><code>Logical_Router</code></dt>
<dd>
An L3 logical router. Records may be identified by name.
</dd>
<dt><code>Logical_Router_Port</code></dt>
<dd>
A port within an L3 logical router. Records may be identified by name.
</dd>
<dt><code>Logical_Router_Static_Route</code></dt>
<dd>
A static route belonging to an L3 logical router.
</dd>
</dl>
<xi:include href="lib/db-ctl-base.xml" xmlns:xi="http://www.w3.org/2003/XInclude"/>
<h1>Options</h1>
<dl>
<dt><code>--no-wait</code> | <code>--wait=none</code></dt>
<dt><code>--wait=sb</code></dt>
<dt><code>--wait=hv</code></dt>
<dd>
<p>
These options control whether and how <code>ovn-nbctl</code> waits
for the OVN system to become up-to-date with changes made in an
<code>ovn-nbctl</code> invocation.
</p>
<p>
By default, or if <code>--no-wait</code> or <code>--wait=none</code>,
<code>ovn-nbctl</code> exits immediately after confirming that
changes have been committed to the northbound database, without
waiting.
</p>
<p>
With <code>--wait=sb</code>, before <code>ovn-nbctl</code> exits, it
waits for <code>ovn-northd</code> to bring the southbound database
up-to-date with the northbound database updates.
</p>
<p>
With <code>--wait=hv</code>, before <code>ovn-nbctl</code> exits, it
additionally waits for all OVN chassis (hypervisors and gateways) to
become up-to-date with the northbound database updates. (This can
become an indefinite wait if any chassis is malfunctioning.)
</p>
</dd>
<dt><code>--db</code> <var>database</var></dt>
<dd>
The OVSDB database remote to contact. If the <env>OVN_NB_DB</env>
environment variable is set, its value is used as the default.
Otherwise, the default is <code>unix:@RUNDIR@/db.sock</code>, but this
default is unlikely to be useful outside of single-machine OVN test
environments.
</dd>
<dt><code>-h</code> | <code>--help</code></dt>
<dt><code>-o</code> | <code>--options</code></dt>
<dt><code>-V</code> | <code>--version</code></dt>
</dl>
<h1>Logging options</h1>
<dl>
<dt><code>-v</code><var>spec</var>, <code>--verbose=</code><var>spec</var></dt>
<dt><code>-v</code>, <code>--verbose</code></dt>
<dt><code>--log-file</code>[<code>=</code><var>file</var>]</dt>
<dt><code>--syslog-target=</code><var>host</var><code>:</code><var>port</var></dt>
</dl>
<h1>PKI configuration (required to use SSL)</h1>
<dl>
<dt><code>-p</code>, <code>--private-key=</code><var>file</var> file with private key</dt>
<dt><code>-c</code>, <code>--certificate=</code><var>file</var> file with certificate for private key</dt>
<dt><code>-C</code>, <code>--ca-cert=</code><var>file</var> file with peer CA certificate</dt>
</dl>
</manpage>
|
