14 .TH ovs\-vsctl 8 "November 2009" "Open vSwitch" "Open vSwitch Manual"
18 ovs\-vsctl \- utility for querying and configuring \fBovs\-vswitchd\fR
21 \fBovs\-vsctl\fR [\fIoptions\fR] [\fB\-\-\fR] \fIcommand \fR[\fIargs\fR\&...]
22 [\fB\-\-\fR \fIcommand \fR[\fIargs\fR\&...]]
25 The \fBovs\-vsctl\fR program configures \fBovs\-vswitchd\fR(8) by
26 providing a high\-level interface to editing its configuration
27 database. This program is mainly intended for use when
28 \fBovs\-vswitchd\fR is running. If it is used when
29 \fBovs\-vswitchd\fR is not running, then \fB\-\-no\-wait\fR should be
30 specified and configuration changes will only take effect when
31 \fBovs\-vswitchd\fR is started.
33 By default, each time \fBovs\-vsctl\fR runs, it connects to an
34 \fBovsdb\-server\fR process that maintains an Open vSwitch
35 configuration database. Using this connection, it queries and
36 possibly applies changes to the database, depending on the supplied
37 commands. Then, if it applied any changes, it waits until
38 \fBovs\-vswitchd\fR has finished reconfiguring itself before it exits.
40 \fBovs\-vsctl\fR can perform any number of commands in a single run,
41 implemented as a single atomic transaction against the database.
42 Commands are separated on the command line by \fB\-\-\fR arguments.
44 .SS "Linux VLAN Bridging Compatibility"
45 The \fBovs\-vsctl\fR program supports the model of a bridge
46 implemented by Open vSwitch, in which a single bridge supports ports
47 on multiple VLANs. In this model, each port on a bridge is either a
48 trunk port that potentially passes packets tagged with 802.1Q headers
49 that designate VLANs or it is assigned a single implicit VLAN that is
50 never tagged with an 802.1Q header.
52 For compatibility with software designed for the Linux bridge,
53 \fBovs\-vsctl\fR also supports a model in which traffic associated
54 with a given 802.1Q VLAN is segregated into a separate bridge. A
55 special form of the \fBadd\-br\fR command (see below) creates a ``fake
56 bridge'' within an Open vSwitch bridge to simulate this behavior.
57 When such a ``fake bridge'' is active, \fBovs\-vsctl\fR will treat it
58 much like a bridge separate from its ``parent bridge,'' but the actual
59 implementation in Open vSwitch uses only a single bridge, with ports on
60 the fake bridge assigned the implicit VLAN of the fake bridge of which
65 The following options affect the behavior \fBovs\-vsctl\fR as a whole.
66 Some individual commands also accept their own options, which are
67 given just before the command name. If the first command on the
68 command line has options, then those options must be separated from
69 the global options by \fB\-\-\fR.
71 .IP "\fB\-\-db=\fIserver\fR"
72 Sets \fIserver\fR as the database server that \fBovs\-vsctl\fR
73 contacts to query or modify configuration. The default is
74 \fBunix:@RUNDIR@/ovsdb\-server\fR. \fIserver\fR must take one of the
77 .so ovsdb/remote-active.man
80 .IP "\fB\-\-no\-wait\fR"
81 Prevents \fBovs\-vsctl\fR from waiting for \fBovs\-vswitchd\fR to
82 reconfigure itself according to the the modified database. This
83 option should be used if \fBovs\-vswitchd\fR is not running;
84 otherwise, \fBovs-vsctl\fR will not exit until \fBovs-vswitchd\fR
87 This option has no effect if the commands specified do not change the
90 .IP "\fB\-\-no\-syslog\fR"
91 By default, \fBovs\-vsctl\fR logs its arguments and the details of any
92 changes that it makes to the system log. This option disables this
95 This option is equivalent to \fB\-\-verbose=vvsctl:syslog:warn\fR.
97 .IP "\fB\-\-oneline\fR"
98 Modifies the output format so that the output for each command is printed
99 on a single line. New-line characters that would otherwise separate
100 lines are printed as \fB\\n\fR, and any instances of \fB\\\fR that
101 would otherwise appear in the output are doubled.
102 Prints a blank line for each command that has no output.
104 .IP "\fB\-\-dry\-run\fR"
105 Prevents \fBovs\-vsctl\fR from actually modifying the database.
107 .IP "\fB-t \fIsecs\fR"
108 .IQ "\fB--timeout=\fIsecs\fR"
109 Limits runtime to approximately \fIsecs\fR seconds. A value of
110 zero will cause \fBovs\-vsctl\fR to wait forever. If the timeout expires,
111 \fBovs\-vsctl\fR will exit with a \fBSIGALRM\fR signal. If this option is
112 not used, \fBovs\-vsctl\fR uses a timeout of five seconds.
113 (A timeout would normally happen only if the database cannot be contacted.)
119 The commands implemented by \fBovs\-vsctl\fR are described in the
121 .SS "Open vSwitch Commands"
122 These commands work with an Open vSwitch as a whole.
125 Initializes the Open vSwitch database, if it is empty. If the
126 database has already been initialized, this command has no effect.
128 Any successful \fBovs\-vsctl\fR command automatically initializes the
129 Open vSwitch database if it is empty. This command is provided to
130 initialize the database without executing any other command.
132 .SS "Bridge Commands"
133 These commands examine and manipulate Open vSwitch bridges.
135 .IP "\fBadd\-br \fIbridge\fR"
136 Creates a new bridge named \fIbridge\fR. Initially the bridge will
137 have no ports (other than \fIbridge\fR itself).
139 .IP "\fBadd\-br \fIbridge parent vlan\fR"
140 Creates a ``fake bridge'' named \fIbridge\fR within the existing Open
141 vSwitch bridge \fIparent\fR, which must already exist and must not
142 itself be a fake bridge. The new fake bridge will be on 802.1Q VLAN
143 \fIvlan\fR, which must be an integer between 1 and 4095. Initially
144 \fIbridge\fR will have no ports (other than \fIbridge\fR itself).
146 .IP "[\fB\-\-if\-exists\fR] \fBdel\-br \fIbridge\fR"
147 Deletes \fIbridge\fR and all of its ports. If \fIbridge\fR is a real
148 bridge, this command also deletes any fake bridges that were created
149 with \fIbridge\fR as parent, including all of their ports.
151 Without \fB\-\-if\-exists\fR, attempting to delete a bridge that does
152 not exist is an error. With \fB\-\-if\-exists\fR, attempting to
153 delete a bridge that does not exist has no effect.
156 Lists all existing real and fake bridges on standard output, one per
159 .IP "\fBbr\-exists \fIbridge\fR"
160 Tests whether \fIbridge\fR exists as a real or fake bridge. If so,
161 \fBovs\-vsctl\fR exits successfully with exit code 0. If not,
162 \fBovs\-vsctl\fR exits unsuccessfully with exit code 2.
164 .IP "\fBbr\-to\-vlan \fIbridge\fR"
165 If \fIbridge\fR is a fake bridge, prints the bridge's 802.1Q VLAN as a
166 decimal integer. If \fIbridge\fR is a real bridge, prints 0.
168 .IP "\fBbr\-to\-parent \fIbridge\fR"
169 If \fIbridge\fR is a fake bridge, prints the name of its parent
170 bridge. If \fIbridge\fR is a real bridge, print \fIbridge\fR.
172 .IP "\fBbr\-set\-external\-id \fIbridge key\fR [\fIvalue\fR]"
173 Sets or clears an ``external ID'' value on \fIbridge\fR. These values
174 are intended to identify entities external to Open vSwitch with which
175 \fIbridge\fR is associated, e.g. the bridge's identifier in a
176 virtualization management platform. The Open vSwitch database schema
177 specifies well-known \fIkey\fR values, but \fIkey\fR and \fIvalue\fR
178 are otherwise arbitrary strings.
180 If \fIvalue\fR is specified, then \fIkey\fR is set to \fIvalue\fR for
181 \fIbridge\fR, overwriting any previous value. If \fIvalue\fR is
182 omitted, then \fIkey\fR is removed from \fIbridge\fR's set of external
183 IDs (if it was present).
185 For real bridges, the effect of this command is similar to that of a
186 \fBset\fR or \fBremove\fR command in the \fBexternal\-ids\fR column of
187 the \fBBridge\fR table. For fake bridges, it actually modifies keys
188 with names prefixed by \fBfake\-bridge\-\fR in the \fBPort\fR table.
190 .IP "\fBbr\-get\-external\-id \fIbridge\fR [\fIkey\fR]"
191 Queries the external IDs on \fIbridge\fR. If \fIkey\fR is specified,
192 the output is the value for that \fIkey\fR or the empty string if
193 \fIkey\fR is unset. If \fIkey\fR is omitted, the output is
194 \fIkey\fB=\fIvalue\fR, one per line, for each key-value pair.
196 For real bridges, the effect of this command is similar to that of a
197 \fBget\fR command in the \fBexternal\-ids\fR column of the
198 \fBBridge\fR table. For fake bridges, it queries keys with names
199 prefixed by \fBfake\-bridge\-\fR in the \fBPort\fR table.
203 These commands examine and manipulate Open vSwitch ports. These
204 commands treat a bonded port as a single entity.
206 .IP "\fBlist\-ports \fIbridge\fR"
207 Lists all of the ports within \fIbridge\fR on standard output, one per
208 line. The local port \fIbridge\fR is not included in the list.
210 .IP "\fBadd\-port \fIbridge port\fR"
211 Creates on \fIbridge\fR a new port named \fIport\fR from the network
212 device of the same name.
214 .IP "[\fB\-\-fake\-iface\fR] \fBadd\-bond \fIbridge port iface\fR\&..."
215 Creates on \fIbridge\fR a new port named \fIport\fR that bonds
216 together the network devices given as each \fIiface\fR. At least two
217 interfaces must be named.
219 With \fB\-\-fake\-iface\fR, a fake interface with the name \fIport\fR is
220 created. This should only be used for compatibility with legacy
221 software that requires it.
223 .IP "[\fB\-\-if\-exists\fR] \fBdel\-port \fR[\fIbridge\fR] \fIport\fR"
224 Deletes \fIport\fR. If \fIbridge\fR is omitted, \fIport\fR is removed
225 from whatever bridge contains it; if \fIbridge\fR is specified, it
226 must be the real or fake bridge that contains \fIport\fR.
228 Without \fB\-\-if\-exists\fR, attempting to delete a port that does
229 not exist is an error. With \fB\-\-if\-exists\fR, attempting to
230 delete a port that does not exist has no effect.
232 .IP "\fBport\-to\-br \fIport\fR"
233 Prints the name of the bridge that contains \fIport\fR on standard
236 .SS "Interface Commands"
238 These commands examine the interfaces attached to an Open vSwitch
239 bridge. These commands treat a bonded port as a collection of two or
240 more interfaces, rather than as a single port.
242 .IP "\fBlist\-ifaces \fIbridge\fR"
243 Lists all of the interfaces within \fIbridge\fR on standard output,
244 one per line. The local port \fIbridge\fR is not included in the
247 .IP "\fBiface\-to\-br \fIiface\fR"
248 Prints the name of the bridge that contains \fIiface\fR on standard
251 .SS "OpenFlow Controller Connectivity"
253 \fBovs\-vswitchd\fR can perform all configured bridging and switching
254 locally, or it can be configured to connect a given bridge to an
255 external OpenFlow controller, such as NOX.
257 If a \fIbridge\fR argument is given, the settings apply only to the
258 specified bridge. Otherwise, they apply to the Open vSwitch instance,
259 and its configuration applies to any bridge that has not been explicitly
260 configured through a \fIbridge\fR argument.
262 .IP "\fBget\-controller\fR [\fIbridge\fR]"
263 Prints the configured controller target.
265 .IP "\fBdel\-controller\fR [\fIbridge\fR]"
266 Deletes the configured controller target.
268 .IP "\fBset\-controller\fR [\fIbridge\fR] \fItarget\fR"
269 Sets the configured controller target. The \fItarget\fR may use any of
273 .so lib/vconn-active.man
276 .ST "Controller Failure Settings"
278 When a controller is configured, it is, ordinarily, responsible for
279 setting up all flows on the switch. Thus, if the connection to
280 the controller fails, no new network connections can be set up. If
281 the connection to the controller stays down long enough, no packets
282 can pass through the switch at all.
284 If the value is \fBstandalone\fR, or if neither of these settings
285 is set, \fBovs\-vswitchd\fR will take over
286 responsibility for setting up
287 flows when no message has been received from the controller for three
288 times the inactivity probe interval (xxx needs to be exposed). In this mode,
289 \fBovs\-vswitchd\fR causes the datapath to act like an ordinary
290 MAC-learning switch. \fBovs\-vswitchd\fR will continue to retry connecting
291 to the controller in the background and, when the connection succeeds,
292 it discontinues its standalone behavior.
294 If this option is set to \fBsecure\fR, \fBovs\-vswitchd\fR will not
295 set up flows on its own when the controller connection fails.
297 .IP "\fBget\-fail\-mode\fR [\fIbridge\fR]"
298 Prints the configured failure mode.
300 .IP "\fBdel\-fail\-mode\fR [\fIbridge\fR]"
301 Deletes the configured failure mode.
303 .IP "\fBset\-fail\-mode\fR [\fIbridge\fR] \fBstandalone\fR|\fBsecure\fR"
304 Sets the configured failure mode.
306 .SS "SSL Configuration"
307 When \fBovs\-vswitchd\fR is configured to connect over SSL for management or
308 controller connectivity, the following parameters are required:
311 Specifies a PEM file containing the private key used as the virtual
312 switch's identity for SSL connections to the controller.
315 Specifies a PEM file containing a certificate, signed by the
316 certificate authority (CA) used by the controller and manager, that
317 certifies the virtual switch's private key, identifying a trustworthy
321 Specifies a PEM file containing the CA certificate used to verify that
322 the virtual switch is connected to a trustworthy controller.
324 These files are read only once, at \fBovs\-vswitchd\fR startup time. If
325 their contents change, \fBovs\-vswitchd\fR must be killed and restarted.
327 These SSL settings apply to all SSL connections made by the virtual
331 Prints the SSL configuration.
334 Deletes the current SSL configuration.
336 .IP "[\fB\-\-bootstrap\fR] \fBset\-ssl\fR \fIprivate-key\fR \fIcertificate\fR \fIca-cert\fR"
337 Sets the SSL configuration. The \fB\-\-bootstrap\fR option is described
340 .ST "CA Certificate Bootstrap"
341 Ordinarily, all of the files named in the SSL configuration must exist
342 when \fBovs\-vswitchd\fR starts. However, if the \fB\-\-bootstrap\fR
343 option is given, then \fBovs\-vswitchd\fR will attempt to obtain the
344 CA certificate from the controller on its first SSL connection and
345 save it to the named PEM file. If it is successful, it will
346 immediately drop the connection and reconnect, and from then on all
347 SSL connections must be authenticated by a certificate signed by the
348 CA certificate thus obtained.
350 \fBThis option exposes the SSL connection to a man-in-the-middle
351 attack obtaining the initial CA certificate\fR, but it may be useful
354 This option is only useful if the controller sends its CA certificate
355 as part of the SSL certificate chain. The SSL protocol does not
356 require the controller to send the CA certificate, but
357 \fBcontroller\fR(8) can be configured to do so with the
358 \fB--peer-ca-cert\fR option.
360 .SS "Database Commands"
362 These commands query and modify the contents of \fBovsdb\fR tables.
363 They are a slight abstraction of the \fBovsdb\fR interface and as such
364 they operate at a lower level than other \fBovs\-vsctl\fR commands.
366 .ST "Identifying Tables, Records, and Columns"
368 Each of these commands has a \fItable\fR parameter to identify a table
369 within the database. Many of them also take a \fIrecord\fR parameter
370 that identifies a particular record within a table. The \fIrecord\fR
371 parameter may be the UUID for a record, and many tables offer
372 additional ways to identify records. Some commands also take
373 \fIcolumn\fR parameters that identify a particular field within the
376 The following tables are currently defined:
377 .IP "\fBOpen_vSwitch\fR"
378 Global configuration for an \fBovs\-vswitchd\fR. This table contains
379 exactly one record, identified by specifying \fB.\fR as the record
382 Configuration for a bridge within an Open vSwitch. Records may be
383 identified by bridge name.
385 A bridge port. Records may be identified by port name.
386 .IP "\fBInterface\fR"
387 A network device attached to a port. Records may be identified by
389 .IP "\fBController\fR"
390 Configuration for an OpenFlow controller. A controller attached to a
391 particular bridge may be identified by the bridge's name. The default
392 controller controller for an Open vSwitch may be identified by
393 specifying \fB.\fR as the record name.
395 A port mirroring configuration attached to a bridge. Records may be
396 identified by mirror name.
398 A NetFlow configuration attached to a bridge. Records may be
399 identified by bridge name.
401 Names of tables, records, and columns are not case-sensitive, and
402 \fB--\fR and \fB_\fR are treated interchangeably. Unique
403 abbreviations are acceptable, e.g. \fBnet\fR or \fRn\fR is sufficient
404 to identify the \fBNetFlow\fR table.
406 .ST "Database Values"
407 Each column in the database accepts a fixed type of data. The
408 currently defined basic types, and their representations, are:
410 A decimal integer in the range \-2**63 to 2**63\-1, inclusive.
412 A floating-point number.
414 True or false, written \fBtrue\fR or \fBfalse\fR, respectively.
416 An arbitrary Unicode string, except that null bytes are not allowed.
417 Quotes are optional for most strings that begin with an English letter
418 or underscore and consist only of letters, underscores, hyphens, and
419 periods. However, \fBtrue\fR and \fBfalse\fR and strings that match
420 the syntax of UUIDs (see below) must be enclosed in double quotes to
421 distinguish them from other basic types. When double quotes are used,
422 the syntax is that of strings in JSON, e.g. backslashes may be used to
423 escape special characters. The empty string must be represented as a
424 pair of double quotes (\fB""\fR).
426 A universally unique identifier in the style of RFC 4122,
427 e.g. \fBf81d4fae-7dec-11d0-a765-00a0c91e6bf6\fR.
429 Multiple values in a single column may be separated by spaces or a
430 single comma. When multiple values are present, duplicates are not
431 allowed, and order is not important. Conversely, some database
432 columns can have an empty set of values, represented as \fB[]\fR, and
433 square brackets may optionally enclose other non-empty sets or single
436 A few database columns are ``maps'' of key-value pairs, where the key
437 and the value are each some fixed database type. These are specified
438 in the form \fIkey\fB=\fIvalue\fR, where \fIkey\fR and \fIvalue\fR
439 follow the syntax for the column's key type and value type,
440 respectively. When multiple pairs are present (separated by spaces or
441 a comma), duplicate keys are not allowed, and again the order is not
442 important. Duplicate values are allowed. An empty map is represented
443 as \fB{}\fR, and curly braces may be optionally enclose non-empty maps
446 .ST "Database Command Syntax"
448 By default, database commands refuse to make some kinds of
449 modifications that could violate database structuring constraints. If
450 you are sure that you know what you are doing, use \fB\-\-force\fR to
451 override this safety measure. Constraints that are enforced by the
452 database server itself, instead of by \fBovs\-vsctl\fR, cannot be
455 .IP "\fBlist \fItable \fR[\fIrecord\fR]..."
456 List the values of all columns of each specified \fIrecord\fR. If no
457 records are specified, lists all the records in \fItable\fR.
459 The UUIDs shown for rows created in the same \fBovs\-vsctl\fR
460 invocation will be wrong.
462 .IP "[\fB\-\-if\-exists\fR] \fBget \fItable record column\fR[\fB:\fIkey\fR]..."
463 Prints the value of each specified \fIcolumn\fR in the given
464 \fIrecord\fR in \fItable\fR. For map columns, a \fIkey\fR may
465 optionally be specified, in which case the value associated with
466 \fIkey\fR in the column is printed, instead of the entire map.
468 For a map column, without \fB\-\-if\-exists\fR it is an error if
469 \fIkey\fR does not exist; with it, a blank line is printed. If
470 \fIcolumn\fR is not a map column or if \fIkey\fR is not specified,
471 \fB\-\-if\-exists\fR has no effect.
473 .IP "[\fB\-\-force\fR] \fBset \fItable record column\fR[\fB:\fIkey\fR]\fB=\fIvalue\fR..."
474 Sets the value of each specified \fIcolumn\fR in the given
475 \fIrecord\fR in \fItable\fR to \fIvalue\fR. For map columns, a
476 \fIkey\fR may optionally be specified, in which case the value
477 associated with \fIkey\fR in that column is changed (or added, if none
478 exists), instead of the entire map.
480 .IP "[\fB\-\-force\fR] \fBadd \fItable record column \fR[\fIkey\fB=\fR]\fIvalue\fR..."
481 Adds the specified value or key-value pair to \fIcolumn\fR in
482 \fIrecord\fR in \fItable\fR. If \fIcolumn\fR is a map, then \fIkey\fR
483 is required, otherwise it is prohibited. If \fIkey\fR already exists
484 in a map column, then the current \fIvalue\fR is not replaced (use the
485 \fBset\fR command to replace an existing value).
487 .IP "[\fB\-\-force\fR] \fBremove \fItable record column \fR\fIvalue\fR..."
488 .IQ "[\fB\-\-force\fR] \fBremove \fItable record column \fR\fIkey\fR..."
489 .IQ "[\fB\-\-force\fR] \fBremove \fItable record column \fR\fIkey\fB=\fR\fIvalue\fR..."
490 Removes the specified values or key-value pairs from \fIcolumn\fR in
491 \fIrecord\fR in \fItable\fR. The first form applies to columns that
492 are not maps: each specified \fIvalue\fR is removed from the column.
493 The second and third forms apply to map columns: if only a \fIkey\fR
494 is specified, then any key-value pair with the given \fIkey\fR is
495 removed, regardless of its value; if a \fIvalue\fR is given then a
496 pair is removed only if both key and value match.
498 It is not an error if the column does not contain the specified key or
501 .IP "\fB[\fB\-\-force\fR] \fBclear\fR \fItable record column\fR..."
502 Sets each \fIcolumn\fR in \fIrecord\fR in \fItable\fR to the empty set
503 or empty map, as appropriate. This command applies only to columns
504 that are allowed to be empty.
506 .IP "\fB\-\-force create \fItable column\fR[\fB:\fIkey\fR]\fB=\fIvalue\fR..."
507 Creates a new record in \fItable\fR and sets the initial values of
508 each \fIcolumn\fR. Columns not explicitly set will receive their
509 default values. Outputs the UUID of the new row.
511 This command requires the \fB\-\-force\fR option.
513 .IP "\fB\-\-force \fR[\fB\-\-if\-exists\fR] \fBdestroy \fItable record\fR..."
514 Deletes each specified \fIrecord\fR from \fItable\fR. Unless
515 \fB\-\-if\-exists\fR is specified, each \fIrecord\fRs must exist.
517 This command requires the \fB\-\-force\fR option.
519 Create a new bridge named br0 and add port eth0 to it:
521 .B "ovs-vsctl add\-br br0"
523 .B "ovs-vsctl add\-port br0 eth0"
525 Alternatively, perform both operations in a single atomic transaction:
527 .B "ovs-vsctl add\-br br0 \-\- add\-port br0 eth0"
529 Delete bridge \fBbr0\fR, reporting an error if it does not exist:
531 .B "ovs\-vsctl del\-br br0"
533 Delete bridge \fBbr0\fR if it exists (the \fB\-\-\fR is required to
534 separate \fBdel\-br\fR's options from the global options):
536 .B "ovs\-vsctl \-\- \-\-if\-exists del\-br br0"
540 Successful program execution.
542 Usage, syntax, or configuration file error.
544 The \fIbridge\fR argument to \fBbr\-exists\fR specified the name of a
545 bridge that does not exist.
548 .BR ovsdb\-server (1),
549 .BR ovs\-vswitchd (8).