- Open vSwitch Installation Instructions
+ How to Install Open vSwitch on Linux and FreeBSD
+ ================================================
-This document describes how to build, install, and execute
-Open vSwitch.
+This document describes how to build and install Open vSwitch on a
+generic Linux or FreeBSD host. If you want to install Open vSwitch on
+a Citrix XenServer, see INSTALL.XenServer instead.
-Open vSwitch implements an Ethernet switch with MAC learning that may
-be configured with any of the following features:
+This version of Open vSwitch may be built manually with "configure"
+and "make", as described below. You may also build Debian packages by
+running "dpkg-buildpackage".
- * NIC bonding with automatic fail-over and source MAC-based TX
- load balancing ("SLB").
-
- * 802.1Q VLAN support.
-
- * Port mirroring, with optional VLAN tagging.
-
- * NetFlow v5 flow logging.
-
- * Connectivity to an external OpenFlow controller, such as
- NOX.
-
-The current version of this distribution requires a kernel module to
-be built and loaded. An (optional) entirely userspace switch is on
-the roadmap for future versions.
-
-The distribution also contains a number of related utilities.
+Build Requirements
+------------------
-Build Methods
-=============
+To compile the userspace programs in the Open vSwitch distribution,
+you will need the following software:
-There are two principal ways to build and install this distribution:
+ - A make program, e.g. GNU make. BSD make should also work.
- - Using "configure" and "make" in the ordinary way. See
- Building Conventionally below for detailed instructions.
+ - The GNU C compiler. We generally test with version 4.1, 4.2, or
+ 4.3.
- - As a set of Debian packages. Refer to Building Debian
- Packages, below, for instructions.
+ - pkg-config. We test with version 0.22.
-Base Prerequisites
-------------------
+ - libssl, from OpenSSL, is optional but recommended if you plan to
+ connect the Open vSwitch to an OpenFlow controller. libssl is
+ required to establish confidentiality and authenticity in the
+ connections from an Open vSwitch to an OpenFlow controller. If
+ libssl is installed, then Open vSwitch will automatically build
+ with support for it.
-Regardless of how it is built, Open vSwitch has a common set of
-prerequisites. To compile the userspace programs in the OpenFlow
-reference distribution, you will need the following software:
+To compile the kernel module on Linux, you must also install the
+following. If you cannot build or install the kernel module, you may
+use the userspace-only implementation, at a cost in performance. The
+userspace implementation may also lack some features. Refer to
+INSTALL.userspace for more information.
- - A make program, e.g. GNU make
- (http://www.gnu.org/software/make/). BSD make should also work.
+ - A supported Linux kernel version. Please refer to README for a
+ list of supported versions.
- - The GNU C compiler (http://gcc.gnu.org/). We generally test
- with version 4.2 or 4.3.
+ The Open vSwitch datapath requires bridging support
+ (CONFIG_BRIDGE) to be built as a kernel module. (This is common
+ in kernels provided by Linux distributions.) The bridge module
+ must not be loaded or in use. If the bridge module is running
+ (check with "lsmod | grep bridge"), you must remove it ("rmmod
+ bridge") before starting the datapath.
- - libssl, from OpenSSL (http://www.openssl.org/), is optional but
- recommended if you plan to connect the Open vSwitch to an
- OpenFlow controller. libssl is required to establish
- confidentiality and authenticity in the connections from an
- Open vSwitch to an OpenFlow controller. To enable, configure
- with --enable-ssl=yes.
+ For optional support of ingress policing, you must enable kernel
+ configuration options NET_CLS_BASIC, NET_SCH_INGRESS, and
+ NET_ACT_POLICE, either built-in or as modules. (NET_CLS_POLICE is
+ obsolete and not needed.)
-To compile the kernel module, you must also install the following:
+ If GRE tunneling is being used it is recommended that the kernel
+ be compiled with IPv6 support (CONFIG_IPV6). This allows for
+ special handling (such as path MTU discovery) of IPv6 packets.
- - A supported Linux kernel version. Please refer to README for a
- list of supported versions.
+ To configure HTB or HFSC quality of service with Open vSwitch,
+ you must enable the respective configuration options.
- The OpenFlow datapath requires bridging support (CONFIG_BRIDGE)
- to be built as a kernel module. (This is common in kernels
- provided by Linux distributions.) The bridge module must not be
- loaded or in use. If the bridge module is running (check with
- "lsmod | grep bridge"), you must remove it ("rmmod bridge")
- before starting the datapath.
+ To use Open vSwitch support for TAP devices, you must enable
+ CONFIG_TUN.
- To build a kernel module, you need the same version of GCC that
- was used to build that kernel (usually version 4.0 or later).
+ was used to build that kernel.
- A kernel build directory corresponding to the Linux kernel image
the module is to run on. Under Debian and Ubuntu, for example,
infrastructure.
If you are working from a Git tree or snapshot (instead of from a
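Review bot: the new libssl paragraph ("If libssl is installed, then Open vSwitch will automatically build with support for it") replaces the old explicit "configure with --enable-ssl=yes", which means a build on a host that is missing the OpenSSL headers will silently fall back to a no-SSL binary, and the controller connection the same paragraph says needs "confidentiality and authenticity" will end up plaintext without any error at build time. Either keep a way to require SSL at configure time so that the build fails loudly when libssl is absent, or add one sentence telling the reader how to confirm that the finished build actually has SSL support before relying on it. The same block should say what "optional" means in practice: with libssl missing, the daemon can still connect to a controller, only over an unauthenticated TCP channel.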
-distribution tarball), or if you modify the Open vSwitch build system,
-you will also need the following software:
-
- - Autoconf version 2.60 or later (http://www.gnu.org/software/autoconf).
-
- - Automake version 1.10 or later (http://www.gnu.org/software/automake).
-
- - pkg-config (http://pkg-config.freedesktop.org/wiki/). We test
- with version 0.22.
+distribution tarball), or if you modify the Open vSwitch build system
+or the database schema, you will also need the following software:
-Debian Prerequisites
---------------------
+ - Autoconf version 2.64 or later.
-To build Debian packages from the Open vSwitch distribution, you will
-need to install a number of Debian packages in addition to the base
-prerequisites listed above. These additional prerequisites may be
-found listed as "Build-Depends" in debian/control in the source tree.
-To check that they are installed, first install the dpkg-dev package,
-then run dpkg-checkbuilddeps from the top level of the OpenFlow source
-tree.
+ - Automake version 1.10 or later.
-To build Debian packages without being root, also install the
-"fakeroot" package.
+ - Python 2.x, for x >= 4.
-Building Conventionally
-=======================
+If you modify the ovsdbmonitor tool, then you will also need the
+following:
-This section explains how to build and install the Open vSwitch
-distribution in the ordinary way using "configure" and "make".
+ - pyuic4 from PyQt4 (http://www.riverbankcomputing.co.uk).
-0. Check that you have installed all the prerequisites listed above in
- the Base Prerequisites section.
+To run the unit tests, you also need:
-1. In the top source directory, configure the package by running the
- configure script. You can usually invoke configure without any
- arguments:
+ - Perl. Version 5.10.1 is known to work. Earlier versions should
+ also work.
- % ./configure
+If you modify the vswitchd database schema, then the E-R diagram in
+the ovs-vswitchd.conf.db(5) manpage will be updated properly only if
+you have the following:
- To use a specific C compiler for compiling OpenFlow user programs,
- also specify it on the configure command line, like so:
+ - "dot" from graphviz (http://www.graphviz.org/).
- % ./configure CC=gcc-4.2
+ - Perl. Version 5.10.1 is known to work. Earlier versions should
+ also work.
- To build the Linux kernel module, so that you can run the
- kernel-based switch, pass the location of the kernel build
- directory on --with-l26. For example, to build for a running
- instance of Linux 2.6:
+ - Python 2.x, for x >= 4.
- % ./configure --with-l26=/lib/modules/`uname -r`/build
+If you are going to extensively modify Open vSwitch, please consider
+installing the following to obtain better warnings:
- If you wish to build the kernel module for an architecture other
- than the architecture of the machine used for the build, you may
- specify the kernel architecture string using the KARCH variable
- when invoking the configure script. For example, to build for MIPS
- with Linux 2.6:
-
- % ./configure --with-l26=/path/to/linux-2.6 KARCH=mips
-
- The configure script accepts a number of other options and honors
- additional environment variables. For a full list, invoke
- configure with the --help option.
+ - "sparse" version 0.4.4 or later
+ (http://www.kernel.org/pub/software/devel/sparse/dist/).
-2. Run make in the top source directory:
+ - GNU make.
- % make
-
- The following main binaries will be built:
-
- - Virtual switch daemon: vswitchd/ovs-vswitchd
-
- - Bridge compatibility daemon: vswitchd/ovs-brcompatd
-
- - Datapath administration utility: utilities/ovs-dpctl.
-
- Some less important binaries will be built also:
-
- - Runtime configuration utility: utilities/ovs-appctl.
-
- - Simple OpenFlow controller: utilities/ovs-controller.
-
- - Secure channel executable: secchan/secchan.
-
- - Miscellaneous utilities: utilities/ovs-discover,
- utilities/ovs-kill.
+Installation Requirements
+-------------------------
- - ANSI terminal support for EZIO 16x2 LCD panel:
- extras/ezio/ezio-term (only if the proper libraries are
- installed).
+The machine on which Open vSwitch is to be installed must have the
+following software:
- - Switch monitoring UI for small text displays:
- extras/ezio/ovs-switchui (only if the proper libraries are
- installed).
+ - libc compatible with the libc used for build.
- - Tests: various binaries in tests/.
+ - libssl compatible with the libssl used for build, if OpenSSL was
+ used for the build.
- If you passed --with-l26 to configure, "make" will also build the
- following kernel modules:
+ - On Linux, the same kernel version configured as part of the build.
- - datapath/linux-2.6/brcompat_mod.ko
+ - For optional support of ingress policing on Linux, the "tc" program
+ from iproute2 (part of all major distributions and available at
+ http://www.linux-foundation.org/en/Net:Iproute2).
- - datapath/linux-2.6/openflow_mod.ko
+On Linux you should ensure that /dev/urandom exists. To support TAP
+devices, you must also ensure that /dev/net/tun exists.
-3. Run "make install" to install the executables and manpages into the
- running system, by default under /usr/local.
+To run the ovsdbmonitor tool, the machine must also have the following
+software:
-4. If you built kernel modules, you may load them with "insmod", e.g.:
+ - Python 2.x, for x >= 4.
- % insmod datapath/linux-2.6/openflow_mod.ko
+ - Python Twisted Conch.
- The insmod program must be run as root. You may need to specify a
- full path to insmod, e.g. /sbin/insmod. To verify that the modules
- have been loaded, run "/sbin/lsmod" and check that openflow_mod is
- listed.
+ - Python JSON.
-5. Test the virtuaal switch, as described under Testing the Virtual
-Switch below.
+ - PySide or PyQt4.
-Building Debian Packages
-========================
+ - Python Zope interface module.
-Follow these instructions to build Debian packages for OpenFlow.
+(On Debian "lenny" the above can be installed with "apt-get install
+python-json python-qt4 python-zopeinterface python-twisted-conch".)
-0. Check that you have installed all the prerequisites listed above in
- the Base Prerequisites and Debian Prerequisites sections above.
+Building and Installing Open vSwitch for Linux or FreeBSD
+=========================================================
-1. In the top source directory, run the following command, as root:
+Once you have installed all the prerequisites listed above in the Base
+Prerequisites section, follow the procedure below to build.
- % dpkg-buildpackage
+1. If you pulled the sources directly from an Open vSwitch Git tree,
+ run boot.sh in the top source directory:
- Alternatively, if you installed the "fakeroot" package, you may run
- dpkg-buildpackage as an ordinary user with the following syntax:
+ % ./boot.sh
- % dpkg-buildpackage -rfakeroot
-
- The following packages will be built in the directory above the
- source tree:
+2. In the top source directory, configure the package by running the
+ configure script. You can usually invoke configure without any
+ arguments:
- - openflow-controller: The OpenFlow controller. Depends on
- openflow-pki (see below).
+ % ./configure
- - openflow-switch: Install this package on a machine that acts
- as an OpenFlow kernel switch.
+ By default all files are installed under /usr/local. If you want
+ to install into, e.g., /usr and /var instead of /usr/local and
+ /usr/local/var, add options as shown here:
- - openflow-datapath-source: Source code for OpenFlow's Linux
- kernel module.
+ % ./configure --prefix=/usr --localstatedir=/var
- - openflow-pki: Public-key infrastructure for OpenFlow. Install
- this package on a machine that acts as an OpenFlow PKI server
- (see "Establishing a Public Key Infrastructure" below).
+ To use a specific C compiler for compiling Open vSwitch user
+ programs, also specify it on the configure command line, like so:
- - openflow-common: Files and utilities required by more than one
- of the above packages.
+ % ./configure CC=gcc-4.2
-2. To set up an OpenFlow controller, install the openflow-controller
- package and its dependencies. You may configure it by editing
- /etc/default/openflow-controller, e.g. to enable non-SSL
- connections, which are disabled by default. If you change the
- default settings, you will need to restart the controller by
- running:
+ To build the Linux kernel module, so that you can run the
+ kernel-based switch, pass the location of the kernel build
+ directory on --with-linux. For example, to build for a running
+ instance of Linux:
- % /etc/init.d/openflow-controller restart
+ % ./configure --with-linux=/lib/modules/`uname -r`/build
-3. To set up an OpenFlow switch, install the openflow-switch package
- and its dependencies. If it is to be a kernel-based switch, also
- install openflow-datapath-source, then follow the instructions in
- /usr/share/doc/openflow-datapath-source/README.Debian to build and
- install the kernel module.
+ If you wish to build the kernel module for an architecture other
+ than the architecture of the machine used for the build, you may
+ specify the kernel architecture string using the KARCH variable
+ when invoking the configure script. For example, to build for MIPS
+ with Linux:
- You may configure the switch one of the following ways:
+ % ./configure --with-linux=/path/to/linux KARCH=mips
- - Completely by hand, as described under the Testing section
- below.
+ The configure script accepts a number of other options and honors
+ additional environment variables. For a full list, invoke
+ configure with the --help option.
- For the userspace datapath-based switch, this is the only
- supported form of configuration.
+3. Run make in the top source directory:
- - By editing /etc/default/openflow-switch. You must at least
- configure some network devices, by uncommenting NETDEVS and
- adding the appropriate devices to the list, e.g. NETDEVS="eth0
- eth1".
+ % make
- After you edit this file, you will need to start the switch by
- running:
+ On FreeBSD you may need to use GNU make (gmake) or NetBSD make
+ (bmake) instead of the native make.
- % /etc/init.d/openflow-switch restart
+ For improved warnings if you installed "sparse" (see
+ "Prerequisites"), add C=1 to the "make" command line.
- This form of configuration is not supported for the userspace
- datapath-based switch.
+4. Become root by running "su" or another program.
- - By running the ovs-switch-setup program. This interactive
- program will walk you through all the steps of configuring an
- OpenFlow switch, including configuration of SSL certificates.
- Run it without arguments, as root:
+5. Run "make install" to install the executables and manpages into the
+ running system, by default under /usr/local.
- % ovs-switch-setup
+6. If you built kernel modules, you may load them with "insmod", e.g.:
- This form of configuration is not supported for the userspace
- datapath-based switch.
+ % insmod datapath/linux/openvswitch.ko
-Installation
-============
+ You may need to specify a full path to insmod, e.g. /sbin/insmod.
+ To verify that the modules have been loaded, run "/sbin/lsmod" and
+ check that openvswitch is listed.
-This section explains how to install Open vSwitch in a network with one
-controller and one or more switches, each of which runs on a separate
-machine. Before you begin, you must decide on one of two ways for
-each switch to reach the controller over the network:
+ If the "insmod" operation fails, look at the last few kernel log
+ messages (e.g. with "dmesg | tail"):
- - Use a "control network" that is completely separate from the
- "data network" to be controlled ("out-of-band control"). The
- location of the controller must be configured manually in this
- case.
+ - The message "openvswitch: exports duplicate symbol
+ br_should_route_hook (owned by bridge)" means that the bridge
+ module is loaded. Run "/sbin/rmmod bridge" to remove it.
- - Use the same network for control and for data ("in-band
- control"). When in-band control is used, the location of the
- controller may be configured manually or discovered
- automatically. We will assume manual configuration here;
- please refer to secchan(8) for instructions on setting up
- controller discovery.
+ If "/sbin/rmmod bridge" fails with "ERROR: Module bridge does
+ not exist in /proc/modules", then the bridge is compiled into
+ the kernel, rather than as a module. Open vSwitch does not
+ support this configuration (see "Build Requirements", above).
-Controller Setup
-----------------
+ - The message "openvswitch: exports duplicate symbol
+ dp_ioctl_hook (owned by ofdatapath)" means that the ofdatapath
+ module from the OpenFlow reference implementation is loaded.
+ Run "/sbin/rmmod ofdatapath" to remove it. (You might have to
+ delete any existing datapaths beforehand, using the "dpctl"
+ program included with the OpenFlow reference implementation.
+ "ovs-dpctl" will not work.)
-On the machine that is to be the OpenFlow controller, start the
-"ovs-controller" program listening for connections from switches on
-TCP port 6633 (the default), as shown below.
+ - Otherwise, the most likely problem is that Open vSwitch was
+ built for a kernel different from the one into which you are
+ trying to load it. Run "modinfo" on openvswitch.ko and on
+ a module built for the running kernel, e.g.:
- # ovs-controller -v ptcp:
+ % /sbin/modinfo openvswitch.ko
+ % /sbin/modinfo /lib/modules/`uname -r`/kernel/net/bridge/bridge.ko
-(See ovs-controller(8) for more details)
+ Compare the "vermagic" lines output by the two commands. If
+ they differ, then Open vSwitch was built for the wrong kernel.
-Make sure the machine hosting the controller is reachable by the
-switch.
+ - If you decide to report a bug or ask a question related to
+ module loading, please include the output from the "dmesg" and
+ "modinfo" commands mentioned above.
-Testing the Virtual Switch
---------------------------
+ There is an optional module parameter to openvswitch.ko called
+ vlan_tso that enables TCP segmentation offload over VLANs on NICs
+ that support it. Many drivers do not expose support for TSO on VLANs
+ in a way that Open vSwitch can use but there is no way to detect
+ whether this is the case. If you know that your particular driver can
+ handle it (for example by testing sending large TCP packets over VLANs)
+ then passing in a value of 1 may improve performance. Modules built for
+ Linux kernels 2.6.37 and later, as well as specially patched versions
+ of earlier kernels, do not need this and do not have this parameter. If
+ you do not understand what this means or do not know if your driver
+ will work, do not set this.
-The Open vSwitch kernel module must be loaded, as described under
-"Building Conventionally", before it may be used.
+ Once you verify that the kernel modules load properly, you should
+ install them:
-0. The commands below must run as root, so log in as root, or use a
- program such as "su" to become root temporarily.
+ % make modules_install
-1. Create a datapath instance. The command below creates a datapath
- identified as dp0 (see ovs-dpctl(8) for more detailed usage
- information).
+7. Initialize the configuration database using ovsdb-tool, e.g.:
- # ovs-dpctl add-dp dp0
-
- (dp0 is the first datapath within a host. openvswitch_mod supports
- multiple datapaths within the same host, which would be identified
- as dp1, dp2, etc.)
+ % mkdir -p /usr/local/etc/openvswitch
+ % ovsdb-tool create /usr/local/etc/openvswitch/conf.db vswitchd/vswitch.ovsschema
- Creating datapath dp0 creates a new network device, also named dp0.
- This network device, called the datapath's "local port", will be
- bridged to the physical switch ports by the secchan, for use in
- in-band control.
+Startup
+=======
-2. Use ovs-dpctl to attach the datapath to physical interfaces on the
- machine. Say, for example, you want to create a trivial 2-port
- switch using interfaces eth1 and eth2, you would issue the
- following commands:
+Before starting ovs-vswitchd itself, you need to start its
+configuration database, ovsdb-server. Each machine on which Open
+vSwitch is installed should run its own copy of ovsdb-server.
+Configure it to use the database you created during step 7 of
+installation, above, to listen on a Unix domain socket, to connect to
+any managers specified in the database itself, and to use the SSL
+configuration in the database:
- # ovs-dpctl add-if dp0 eth1
- # ovs-dpctl add-if dp0 eth2
+ % ovsdb-server --remote=punix:/usr/local/var/run/openvswitch/db.sock \
+ --remote=db:Open_vSwitch,manager_options \
+ --private-key=db:SSL,private_key \
+ --certificate=db:SSL,certificate \
+ --bootstrap-ca-cert=db:SSL,ca_cert \
+ --pidfile --detach
- You can verify that the interfaces were successfully added by asking
- ovs-dpctl to print the current status of datapath dp0:
+(If you built Open vSwitch without SSL support, then omit
+--private-key, --certificate, and --bootstrap-ca-cert.)
- # ovs-dpctl show dp0
+Then initialize the database using ovs-vsctl. This is only
+necessary the first time after you create the database with
+ovsdb-tool (but running it at any time is harmless):
-3. Arrange so that the switch can reach the controller over the
- network.
+ % ovs-vsctl --no-wait init
- - If you are using out-of-band control, at this point make sure
- that the switch machine can reach the controller over the
- network.
+Then start the main Open vSwitch daemon, telling it to connect to the
+same Unix domain socket:
- - If you are using in-band control, then at this point you must
- configure the dp0 network device created in step 1. This
- device is not yet bridged to any physical network (because
- secchan does that, and it is not yet running), so the next
- step depends on whether connectivity is required to configure
- the device's IP address:
+ % ovs-vswitchd --pidfile --detach
- * If the switch has a static IP address, you may configure
- its IP address now, e.g.:
+Now you may use ovs-vsctl to set up bridges and other Open vSwitch
+features. For example, to create a bridge named br0 and add ports
+eth0 and vif1.0 to it:
- # ifconfig dp0 192.168.1.1
+ % ovs-vsctl add-br br0
+ % ovs-vsctl add-port br0 eth0
+ % ovs-vsctl add-port br0 vif1.0
- * If the switch does not have a static IP address, e.g. its
- IP address is obtained dynamically via DHCP, then proceed
- to step 4. The DHCP client will not be able to contact
- the DHCP server until the secure channel has started up.
+Please refer to ovs-vsctl(8) for more details.
- - If you are using in-band control with controller discovery, no
- configuration is required at this point. You may proceed to
- step 4.
+Upgrading
+=========
-4. Run secchan to start the secure channel connecting the datapath to
- a remote controller. If the controller is running on host
- 192.168.1.2 port 6633 (the default port), the secchan invocation
- would look like this:
+When you upgrade Open vSwitch from one version to another, you should
+also upgrade the database schema:
- # secchan dp0 tcp:192.168.1.2
+1. Stop the Open vSwitch daemons, e.g.:
- - If you are using in-band control with controller discovery, omit
- the second argument to the secchan command.
+ % kill `cd /usr/local/var/run/openvswitch && cat ovsdb-server.pid ovs-vswitchd.pid`
- - If you are using out-of-band control, add --out-of-band to the
- command line.
+2. Install the new Open vSwitch release.
-5. If you are using in-band control with manual configuration, and the
- switch obtains its IP address dynamically, then you may now obtain
- the switch's IP address, e.g. by invoking a DHCP client. The
- secure channel will only be able to connect to the controller after
- an IP address has been obtained.
+3. Upgrade the database, in one of the following two ways:
-6. The secure channel should connect to the controller within a few
- seconds. It may take a little longer if controller discovery is in
- use, because the switch must then also obtain its own IP address
- and the controller's location via DHCP.
+ - If there is no important data in your database, then you may
+ delete the database file and recreate it with ovsdb-tool,
+ following the instructions under "Building and Installing Open
+ vSwitch for Linux or FreeBSD".
-Configuration
-=============
+ - If you want to preserve the contents of your database, back it
+ up first, then use "ovsdb-tool convert" to upgrade it, e.g.:
-Secure operation over SSL
--------------------------
+ % ovsdb-tool convert /usr/local/etc/openvswitch/conf.db vswitchd/vswitch.ovsschema
-The instructions above set up Open vSwitch for operation over a
-plaintext TCP connection. Production use of Open vSwitch should use
-SSL[*] to ensure confidentiality and authenticity of traffic among
-switches and controllers. The source must be configured with
---enable-ssl=yes to build with SSL support.
-
-To use SSL with Open vSwitch, you must set up a public-key infrastructure
-(PKI) including a pair of certificate authorities (CAs), one for
-controllers and one for switches. If you have an established PKI,
-Open vSwitch can use it directly. Otherwise, refer to "Establishing a
-Public Key Infrastructure" below.
-
-To configure the controller to listen for SSL connections on port 6633
-(the default), invoke it as follows:
-
- # ovs-controller -v pssl: --private-key=PRIVKEY --certificate=CERT \
- --ca-cert=CACERT
-
-where PRIVKEY is a file containing the controller's private key, CERT
-is a file containing the controller CA's certificate for the
-controller's public key, and CACERT is a file containing the root
-certificate for the switch CA. If, for example, your PKI was created
-with the instructions below, then the invocation would look like:
-
- # ovs-controller -v pssl: --private-key=ctl-privkey.pem \
- --certificate=ctl-cert.pem --ca-cert=pki/switchca/cacert.pem
-
-To configure a switch to connect to a controller running on port 6633
-(the default) on host 192.168.1.2 over SSL, invoke secchan as follows:
-
- # secchan -v DATAPATH ssl:192.168.1.2 --private-key=PRIVKEY \
- --certificate=CERT --ca-cert=CACERT
-
-where DATAPATH is the datapath to connect to (e.g. dp0 or
-unix:/var/run/dp0.sock), PRIVKEY is a file containing the switch's
-private key, CERT is a file containing the switch CA's certificate for
-the switch's public key, and CACERT is a file containing the root
-certificate for the controller CA. If, for example, your PKI was
-created with the instructions below, then the invocation would look
-like:
-
- # secchan -v DATAPATH ssl:192.168.1.2 --private-key=sc-privkey.pem \
- --certificate=sc-cert.pem --ca-cert=pki/controllerca/cacert.pem
-
-[*] To be specific, Open vSwitch uses TLS version 1.0 or later (TLSv1), as
- specified by RFC 2246, which is very similar to SSL version 3.0.
- TLSv1 was released in January 1999, so all current software and
- hardware should implement it.
-
-Establishing a Public Key Infrastructure
-----------------------------------------
-
-If you do not have a PKI, the ovs-pki script included with Open vSwitch
-can help. To create an initial PKI structure, invoke it as:
- % ovs-pki init
-which will create and populate a new PKI directory. The default
-location for the PKI directory depends on how the Open vSwitch tree was
-configured (to see the configured default, look for the --dir option
-description in the output of "ovs-pki --help").
-
-The pki directory contains two important subdirectories. The
-controllerca subdirectory contains controller certificate authority
-related files, including the following:
-
- - cacert.pem: Root certificate for the controller certificate
- authority. This file must be provided to secchan with the
- --ca-cert option to enable it to authenticate valid controllers.
-
- - private/cakey.pem: Private signing key for the controller
- certificate authority. This file must be kept secret. There is
- no need for switches or controllers to have a copy of it.
-
-The switchca subdirectory contains switch certificate authority
-related files, analogous to those in the controllerca subdirectory:
-
- - cacert.pem: Root certificate for the switch certificate
- authority. This file must be provided to the controller program
- with the --ca-cert option to enable it to authenticate valid
- switches.
-
- - private/cakey.pem: Private signing key for the switch
- certificate authority. This file must be kept secret. There is
- no need for switches or controllers to have a copy of it.
-
-After you create the initial structure, you can create keys and
-certificates for switches and controllers with ovs-pki. To create a
-controller private key and certificate in files named ctl-privkey.pem
-and ctl-cert.pem, for example, you could run:
- % ovs-pki req+sign ctl controller
-ctl-privkey.pem and ctl-cert.pem would need to be copied to the
-controller for its use at runtime (they could then be deleted from
-their original locations). The --private-key and --certificate
-options of ovs-controller, respectively, would point to these files.
-
-Analogously, to create a switch private key and certificate in files
-named sc-privkey.pem and sc-cert.pem, for example, you could run:
- % ovs-pki req+sign sc switch
-sc-privkey.pem and sc-cert.pem would need to be copied to the switch
-for its use at runtime (they could then be deleted from their original
-locations). The --private-key and --certificate options,
-respectively, of secchan would point to these files.
+4. Start the Open vSwitch daemons as described under "Building and
+ Installing Open vSwitch for Linux or FreeBSD" above.
Bug Reporting
-------------
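Review bot: the build procedure still opens with "Once you have installed all the prerequisites listed above in the Base Prerequisites section", and step 3 refers to "Prerequisites", but this patch renames that heading to "Build Requirements" and removes the old "Base Prerequisites" heading, so both cross-references now point at a section that no longer exists; change them to "Build Requirements". Two related follow-ups in the same region: step 2 shows "./configure --prefix=/usr --localstatedir=/var" as the way to install under /usr and /var, yet step 7, the ovsdb-server command line and the Upgrading section all hard-code /usr/local/etc/openvswitch and /usr/local/var/run/openvswitch, so a reader who followed the --prefix example will create the database and the socket in the wrong place (a sentence saying "adjust these paths to your --prefix/--localstatedir" would do). And the patch deletes the whole "Secure operation over SSL" and "Establishing a Public Key Infrastructure" text (ovs-pki init, req+sign, which CA cert goes where) without a replacement, while the new ovsdb-server invocation reads "--private-key=db:SSL,private_key", "--certificate=db:SSL,certificate" and "--bootstrap-ca-cert=db:SSL,ca_cert" from a table the document never tells the reader how to populate; at minimum point to ovs-pki and to the ovs-vsctl/ovsdb manpages for filling in the SSL table, and note when bootstrapping the CA certificate is acceptable versus supplying a pinned CA. Lastly, the introduction says Debian packages can be built with "dpkg-buildpackage", but the Debian prerequisites (dpkg-checkbuilddeps, fakeroot) and the "Building Debian Packages" section are removed here with no pointer to where that material now lives, and the commands after "Become root" (insmod, make modules_install, mkdir under /usr/local/etc) keep the "%" prompt while the removed text used "#" for root commands.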
-Please report problems to ovs-bugs@openvswitch.org.
+Please report problems to bugs@openvswitch.org.