The following main binaries will be built:
- - Virtual switch daemon: vswitchd/vswitchd
+ - Virtual switch daemon: vswitchd/ovs-vswitchd
- Bridge compatibility daemon: vswitchd/ovs-brcompatd
- A Linux kernel module for flow-based switching, in the
datapath directory.
- - vswitchd, a daemon that implements the virtual switch.
+ - ovs-vswitchd, a daemon that implements the virtual switch.
- ovs-dpctl, a tool for configuring the kernel module and
controlling OpenFlow switches.
This distribution includes some additional software as well:
- secchan, a program that implements a simple OpenFlow switch
- (without the special features provided by vswitchd) using
- the same kernel module as vswitchd.
+ (without the special features provided by ovs-vswitchd) using
+ the same kernel module as ovs-vswitchd.
- ovs-controller, a simple OpenFlow switch
static struct genl_family brc_genl_family;
static struct genl_multicast_group brc_mc_group;
-/* Time to wait for vswitchd to respond to a datapath action, in jiffies. */
+/* Time to wait for ovs-vswitchd to respond to a datapath action, in
+ * jiffies. */
#define BRC_TIMEOUT (HZ * 5)
/* Mutex to serialize ovs-brcompatd callbacks. (Some callbacks naturally hold
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
- In addition, as a special exception, Nicira Networks gives permission
- to link the code of its release of vswitchd with the OpenSSL project's
- "OpenSSL" library (or with modified versions of it that use the same
- license as the "OpenSSL" library), and distribute the linked
- executables. You must obey the GNU General Public License in all
- respects for all of the code used other than "OpenSSL". If you modify
- this file, you may extend this exception to your version of the file,
- but you are not obligated to do so. If you do not wish to do so,
- delete this exception statement from your version.
+ In addition, as a special exception, Nicira Networks gives
+ permission to link the code of its release of ovs-vswitchd with
+ the OpenSSL project's "OpenSSL" library (or with modified versions
+ of it that use the same license as the "OpenSSL" library), and
+ distribute the linked executables. You must obey the GNU General
+ Public License in all respects for all of the code used other than
+ "OpenSSL". If you modify this file, you may extend this exception
+ to your version of the file, but you are not obligated to do so.
+ If you do not wish to do so, delete this exception statement from
+ your version.
/* Bitmask of capability description styles. */
enum ofmp_capability_format {
- OFMPCAF_SIMPLE = 0 << 0, /* "vswitchd.conf" style. */
+ OFMPCAF_SIMPLE = 0 << 0, /* "ovs-vswitchd.conf" style. */
};
/* Body of capbility request.
/* Bitmask of capability description styles. */
enum ofmp_config_format {
- OFMPCOF_SIMPLE = 0 << 0, /* "vswitchd.conf" style. */
+ OFMPCOF_SIMPLE = 0 << 0, /* "ovs-vswitchd.conf" style. */
};
#define CONFIG_COOKIE_LEN 20
*/
BRC_GENL_C_DP_ADD, /* K: Datapath created. */
BRC_GENL_C_DP_DEL, /* K: Datapath destroyed. */
- BRC_GENL_C_DP_RESULT, /* U: Result of datapath command from vswitchd. */
+ BRC_GENL_C_DP_RESULT, /* U: Return code from ovs-brcompatd. */
BRC_GENL_C_PORT_ADD, /* K: Port added to datapath. */
BRC_GENL_C_PORT_DEL, /* K: Port removed from datapath. */
BRC_GENL_C_QUERY_MC, /* U: Get multicast group for brcompat. */
struct pvconn **snoops;
size_t n_snoops;
- /* Hooks for vswitchd. */
+ /* Hooks for ovs-vswitchd. */
const struct ofhooks *ofhooks;
void *aux;
unsigned int priority);
void ofproto_flush_flows(struct ofproto *);
-/* Hooks for vswitchd. */
+/* Hooks for ovs-vswitchd. */
struct ofhooks {
void (*port_changed_cb)(enum ofp_port_reason, const struct ofp_phy_port *,
void *aux);
.BR ovs\-dpctl (8),
.BR ovs\-ofctl (8),
.BR ovs\-pki (8),
-.BR vswitchd.conf (5)
+.BR ovs\-vswitchd.conf (5)
.SH DESCRIPTION
The \fBovs\-appctl\fR program connects to one or more running
-Open vSwitch daemons (such as \fBvswitchd\fR(8)), as specified by the
+Open vSwitch daemons (such as \fBovs\-vswitchd\fR(8)), as specified by the
user, and sends them commands to query or modify their behavior.
Its primary purpose is currently to adjust daemons' logging levels.
Each Open vSwitch daemon by default creates a socket named
\fB@RUNDIR@/\fIprogram\fB.\fIpid\fB.ctl\fR, where \fIprogram\fR is
-the program's name (such as \fBvswitchd\fR) and \fIpid\fR is the
+the program's name (such as \fBovs\-vswitchd\fR) and \fIpid\fR is the
daemon's PID.
.PP
.ds PN ovs-cfg-mod
.
.SH NAME
-ovs-cfg-mod \- Safely manage a vswitchd.conf-style configuration file
+ovs-cfg-mod \- Safely manage a ovs\-vswitchd.conf-style configuration file
.
.SH SYNOPSIS
.B ovs-cfg-mod
--config-file=\fIfile\fR [ \fIaction\fR ][ \fIaction\fR \fI...\fR ]
.
.SH DESCRIPTION
-A program for managing a \fBvswitchd.conf\fR(5)-style configuration file.
-\fBovs-cfg-mod\fR uses the same locking mechanisms as \fBvswitchd\fR and its
-related utilities. This allows it to be run safely on "live"
-configurations.
+A program for managing a \fovs\-vswitchd.conf\fR(5)-style configuration
+file. \fBovs-cfg-mod\fR uses the same locking mechanisms as
+\fBovs\-vswitchd\fR and its related utilities. This allows it to be
+run safely on "live" configurations.
The \fB--config-file\fR argument must be the first argument provided:
.TP
single lock instance, so they appear atomic to external viewers of
\fIfile\fR.
-As discussed in \fBvswitchd.conf\fR(5), each line in the configuration
-file consists of a key-value pair. Actions generally take either a
-\fIkey\fR or \fIentry\fR argument. A \fIkey\fR is a dot-separated
-description of a configuration option. A \fIentry\fR is a key-value
-pair, separated by the '=' sign.
+As discussed in \fBovs\-vswitchd.conf\fR(5), each line in the
+configuration file consists of a key-value pair. Actions generally
+take either a \fIkey\fR or \fIentry\fR argument. A \fIkey\fR is a
+dot-separated description of a configuration option. A \fIentry\fR is
+a key-value pair, separated by the '=' sign.
The following actions are supported:
instance.
.
.SH "SEE ALSO"
-.BR vswitchd (8),
-.BR vswitchd.conf (5)
+.BR ovs\-vswitchd (8),
+.BR ovs\-vswitchd.conf (5)
that network device to the datapath.
Do not use \fBovs\-dpctl\fR commands to modify datapaths if
-\fBvswitchd\fR(8) is in use. Instead, modify the \fBvswitchd\fR
-configuration file and send \fBSIGHUP\fR to the \fBvswitchd\fR
-process.
+\fBovs\-vswitchd\fR(8) is in use. Instead, modify the
+\fBovs\-vswitchd\fR configuration file and send \fBSIGHUP\fR to the
+\fBovs\-vswitchd\fR process.
.PP
Most \fBovs\-dpctl\fR commands that work with datapaths take an argument
.SH "SEE ALSO"
-.BR vswitchd (8),
.BR secchan (8),
-.BR ovs\-appctl (8)
+.BR ovs\-appctl (8),
+.BR ovs\-vswitchd (8)
.SH "SEE ALSO"
-.BR vswitchd (8),
.BR ovs\-appctl (8),
-.BR ovs\-controller (8)
+.BR ovs\-controller (8),
+.BR ovs\-vswitchd (8)
/Makefile.in
/ovs-brcompatd
/ovs-brcompatd.8
-/vswitchd
-/vswitchd.8
-/vswitchd.conf.5
+/ovs-vswitchd
+/ovs-vswitchd.8
+/ovs-vswitchd.conf.5
-sbin_PROGRAMS += vswitchd/vswitchd vswitchd/ovs-brcompatd
-man_MANS += vswitchd/vswitchd.conf.5 \
- vswitchd/vswitchd.8 \
+sbin_PROGRAMS += vswitchd/ovs-vswitchd vswitchd/ovs-brcompatd
+man_MANS += \
+ vswitchd/ovs-vswitchd.conf.5 \
+ vswitchd/ovs-vswitchd.8 \
+ vswitchd/ovs-brcompatd.8
+DISTCLEANFILES += \
+ vswitchd/ovs-vswitchd.conf.5 \
+ vswitchd/ovs-vswitchd.8 \
vswitchd/ovs-brcompatd.8
-DISTCLEANFILES += vswitchd/vswitchd.conf.5 \
- vswitchd/vswitchd.8 \
- vswitchd/ovs-brcompatd.8
-vswitchd_vswitchd_SOURCES = \
+vswitchd_ovs_vswitchd_SOURCES = \
vswitchd/bridge.c \
vswitchd/bridge.h \
vswitchd/mgmt.c \
vswitchd/port.h \
vswitchd/proc-net-compat.c \
vswitchd/proc-net-compat.h \
- vswitchd/vswitchd.c \
- vswitchd/vswitchd.h \
+ vswitchd/ovs-vswitchd.c \
+ vswitchd/ovs-vswitchd.h \
vswitchd/xenserver.c \
vswitchd/xenserver.h
-vswitchd_vswitchd_LDADD = \
+vswitchd_ovs_vswitchd_LDADD = \
secchan/libsecchan.a \
lib/libopenvswitch.a \
$(FAULT_LIBS) \
lib/libopenvswitch.a \
$(FAULT_LIBS)
-EXTRA_DIST += vswitchd/vswitchd.conf.5.in \
- vswitchd/vswitchd.8.in \
+EXTRA_DIST += \
+ vswitchd/ovs-vswitchd.conf.5.in \
+ vswitchd/ovs-vswitchd.8.in \
vswitchd/ovs-brcompatd.8.in
\f
/* Public functions. */
-/* xxx Temporary to get around "." delimiter vswitchd.conf problem in
+/* xxx Temporary to get around "." delimiter ovs-vswitchd.conf problem in
* xxx port.c. */
void
bridge_get_ifaces(struct svec *svec)
#include "openflow/openflow.h"
#include "openflow/openflow-mgmt.h"
#include "ofpbuf.h"
+#include "ovs-vswitchd.h"
#include "packets.h"
#include "rconn.h"
#include "svec.h"
#include "vconn.h"
#include "vconn-ssl.h"
-#include "vswitchd.h"
#include "xtoxll.h"
#define THIS_MODULE VLM_mgmt
.ds PN ovs\-brcompatd
.
.SH NAME
-ovs\-brcompatd \- Bridge compatibility front-end for vswitchd
+ovs\-brcompatd \- Bridge compatibility front-end for ovs\-vswitchd
.
.SH SYNOPSIS
.B ovs\-brcompatd
[\fIoptions\fR] \fIconfig\fR
.
.SH DESCRIPTION
-A daemon that provides a legacy bridge front-end for \fBvswitchd\fR. It
+A daemon that provides a legacy bridge front-end for \fBovs\-vswitchd\fR. It
does this by listening for bridge ioctl commands (e.g., those generated by
the \fBbrctl\fR program) to add or remove datapaths and the interfaces
that attach to them. It modifies \fIconfig\fR and forces
-\fBvswitchd\fR to reload its configuration file.
+\fBovs\-vswitchd\fR to reload its configuration file.
.PP
.SH OPTIONS
.IP "\fB--reload-command=\fIcommand\fR"
-Sets the command that \fBovs\-brcompatd\fR runs to force \fBvswitchd\fR to
+Sets the command that \fBovs\-brcompatd\fR runs to force \fBovs\-vswitchd\fR to
reload its configuration file to \fIcommand\fR. The command is run in
a subshell, so it may contain arbitrary shell metacharacters, etc.
The \fB--help\fR option displays the default reload command.
\fBovs\-brcompatd\fR requires the \fBbrcompat_mod.ko\fR kernel module to be
loaded.
.SH "SEE ALSO"
-.BR ovs-appctl (8),
-.BR vswitchd (8),
-.BR vswitchd.conf (5),
+.BR ovs\-appctl (8),
+.BR ovs\-vswitchd (8),
+.BR ovs\-vswitchd.conf (5),
\fBINSTALL\fR in the Open vSwitch distribution.
* no longer exist. If set to zero, ports are never pruned. */
static int prune_timeout = 5000;
-/* Config file shared with vswitchd (usually vswitchd.conf). */
+/* Config file shared with ovs-vswitchd (usually ovs-vswitchd.conf). */
static char *config_file;
-/* Command to run (via system()) to reload the vswitchd configuration file. */
+/* Command to run (via system()) to reload the ovs-vswitchd configuration
+ * file. */
static char *reload_command;
/* Netlink socket to listen for interface changes. */
enum netdev_flags flags;
/* The local port and internal ports are created and destroyed by
- * vswitchd itself, so don't bother checking for them at all. In
- * practice, they might not exist if vswitchd hasn't finished
- * reloading since the configuration file was updated. */
+ * ovs-vswitchd itself, so don't bother checking for them at all.
+ * In practice, they might not exist if ovs-vswitchd hasn't
+ * finished reloading since the configuration file was updated. */
if (!strcmp(iface_name, br_name)
|| cfg_get_bool(0, "iface.%s.internal", iface_name)) {
continue;
* false otherwise.
*
* XXX it is possible that this doesn't entirely accomplish what we want in
- * context, since vswitchd.conf may cause vswitchd to create or destroy network
- * devices based on iface.*.internal settings.
+ * context, since ovs-vswitchd.conf may cause vswitchd to create or destroy
+ * network devices based on iface.*.internal settings.
*
* XXX may want to move this to lib/netdev. */
static bool
char *short_options = long_options_to_short_options(long_options);
int error;
- reload_command = xasprintf("%s/ovs-appctl "
- "-t %s/vswitchd.`cat %s/vswitchd.pid`.ctl "
+ reload_command = xasprintf("%s/ovs-appctl -t "
+ "%s/ovs-vswitchd.`cat %s/ovs-vswitchd.pid`.ctl "
"-e vswitchd/reload 2>&1 "
"| /usr/bin/logger -t brcompatd-reload",
ovs_bindir, ovs_rundir, ovs_rundir);
static void
usage(void)
{
- printf("%s: bridge compatibility front-end for vswitchd\n"
+ printf("%s: bridge compatibility front-end for ovs-vswitchd\n"
"usage: %s [OPTIONS] CONFIG\n"
- "CONFIG is the configuration file used by vswitchd.\n",
+ "CONFIG is the configuration file used by ovs-vswitchd.\n",
program_name, program_name);
printf("\nConfiguration options:\n"
- " --reload-command=COMMAND command to run to reload vswitchd\n"
+ " --reload-command=COMMAND shell command to reload ovs-vswitchd\n"
" --prune-timeout=SECS wait at most SECS before pruning ports\n"
" --lock-timeout=MSECS wait at most MSECS for CONFIG to unlock\n"
);
--- /dev/null
+.TH ovs\-vswitchd 8 "March 2009" "Open vSwitch" "OpenVSwitch Manual"
+.ds PN ovs\-vswitchd
+.
+.SH NAME
+ovs\-vswitchd \- virtual switch daemon
+.
+.SH SYNOPSIS
+.B ovs\-vswitchd
+\fIconfig\fR
+.
+.SH DESCRIPTION
+A daemon that manages and controls any number of virtual switches on
+the local machine.
+.PP
+The mandatory \fIconfig\fR argument specifies a configuration file.
+For a description of \fBovs\-vswitchd\fR configuration syntax, see
+\fBovs\-vswitchd.conf\fR(5).
+.PP
+At startup or upon receipt of a \fBSIGHUP\fR signal, \fBovs\-vswitchd\fR
+reads the configuration file. It sets up Open vSwitch datapaths and then
+operates switching across each bridge described in its configuration
+files. If a logfile was specified on the command line it will also
+be opened or reopened.
+.PP
+\fBovs\-vswitchd\fR virtual switches may be configured with any of the
+following features:
+.
+.IP \(bu
+L2 switching with MAC learning.
+.
+.IP \(bu
+NIC bonding with automatic fail-over and source MAC-based TX load
+balancing ("SLB").
+.
+.IP \(bu
+802.1Q VLAN support.
+.
+.IP \(bu
+Port mirroring, with optional VLAN tagging.
+.
+.IP \(bu
+NetFlow v5 flow logging.
+.
+.IP \(bu
+Connectivity to an external OpenFlow controller, such as NOX.
+.
+.PP
+Only a single instance of \fBovs\-vswitchd\fR is intended to run at a time.
+A single \fBovs\-vswitchd\fR can manage any number of virtual switches, up
+to the maximum number of supported Open vSwitch datapaths.
+.PP
+\fBovs\-vswitchd\fR does all the necessary management of OpenVSwitch datapaths
+itself. Thus, external tools, such \fBovs\-dpctl\fR(8), are not needed for
+managing datapaths in conjunction with \fBovs\-vswitchd\fR, and their use
+to modify datapaths when \fBovs\-vswitchd\fR is running can interfere with
+its operation. (\fBovs\-dpctl\fR may still be useful for diagnostics.)
+.PP
+An Open vSwitch datapath kernel module must be loaded for \fBovs\-vswitchd\fR
+to be useful. Please refer to the \fBINSTALL\fR file included in the
+Open vSwitch distribution for instructions on how to build and load
+the Open vSwitch kernel module.
+.PP
+.SH OPTIONS
+.IP "\fB--fake-proc-net\fR"
+Causes \fBovs\-vswitchd\fR to simulate some files in \fB/proc/net/vlan\fR
+and \fB/proc/net/bonding\fR that some legacy software expects to
+exist. This option should only be used if such legacy software is
+actually in use. It requires the \fBbrcompat_mod.ko\fR kernel module
+to be loaded.
+.
+.so lib/daemon.man
+.so lib/vlog.man
+.so lib/common.man
+.so lib/leak-checker.man
+.
+.SH "BUGS"
+.
+Only Open vSwitch kernel-based datapaths are currently supported. In the
+future, this restriction may be lifted.
+.PP
+Only Linux 2.6.\fIx\fR is currently supported.
+.
+.SH "SEE ALSO"
+.BR ovs\-appctl (8),
+.BR ovs\-vswitchd.conf (5),
+.BR ovs\-brcompatd (8),
+\fBINSTALL\fR in the Open vSwitch distribution.
--- /dev/null
+/* Copyright (c) 2008, 2009 Nicira Networks
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ * In addition, as a special exception, Nicira Networks gives permission
+ * to link the code of its release of vswitchd with the OpenSSL project's
+ * "OpenSSL" library (or with modified versions of it that use the same
+ * license as the "OpenSSL" library), and distribute the linked
+ * executables. You must obey the GNU General Public License in all
+ * respects for all of the code used other than "OpenSSL". If you modify
+ * this file, you may extend this exception to your version of the file,
+ * but you are not obligated to do so. If you do not wish to do so,
+ * delete this exception statement from your version.
+ */
+
+#include <config.h>
+
+#include <assert.h>
+#include <errno.h>
+#include <getopt.h>
+#include <limits.h>
+#include <signal.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "bridge.h"
+#include "cfg.h"
+#include "command-line.h"
+#include "compiler.h"
+#include "daemon.h"
+#include "fault.h"
+#include "leak-checker.h"
+#include "mgmt.h"
+#include "ovs-vswitchd.h"
+#include "poll-loop.h"
+#include "port.h"
+#include "proc-net-compat.h"
+#include "process.h"
+#include "signals.h"
+#include "svec.h"
+#include "timeval.h"
+#include "unixctl.h"
+#include "util.h"
+#include "vconn-ssl.h"
+#include "vconn.h"
+
+#include "vlog.h"
+#define THIS_MODULE VLM_vswitchd
+
+static void parse_options(int argc, char *argv[]);
+static void usage(void) NO_RETURN;
+static void reload(struct unixctl_conn *, const char *args);
+
+static bool need_reconfigure;
+static struct unixctl_conn **conns;
+static size_t n_conns;
+
+int
+main(int argc, char *argv[])
+{
+ struct unixctl_server *unixctl;
+ struct signal *sighup;
+ int retval;
+
+ set_program_name(argv[0]);
+ register_fault_handlers();
+ time_init();
+ vlog_init();
+ parse_options(argc, argv);
+ signal(SIGPIPE, SIG_IGN);
+ sighup = signal_register(SIGHUP);
+ process_init();
+
+ die_if_already_running();
+ daemonize();
+
+ retval = unixctl_server_create(NULL, &unixctl);
+ if (retval) {
+ ovs_fatal(retval, "could not listen for control connections");
+ }
+ unixctl_command_register("vswitchd/reload", reload);
+
+ cfg_read();
+ mgmt_init();
+ bridge_init();
+ port_init();
+ mgmt_reconfigure();
+
+ need_reconfigure = false;
+ for (;;) {
+ if (need_reconfigure || signal_poll(sighup)) {
+ need_reconfigure = false;
+ vlog_reopen_log_file();
+ reconfigure();
+ }
+ mgmt_run();
+ if (bridge_run()) {
+ need_reconfigure = true;
+ }
+ unixctl_server_run(unixctl);
+
+ if (need_reconfigure) {
+ poll_immediate_wake();
+ }
+ signal_wait(sighup);
+ mgmt_wait();
+ bridge_wait();
+ unixctl_server_wait(unixctl);
+ poll_block();
+ }
+
+ return 0;
+}
+
+static void
+reload(struct unixctl_conn *conn, const char *args UNUSED)
+{
+ need_reconfigure = true;
+ conns = xrealloc(conns, sizeof *conns * (n_conns + 1));
+ conns[n_conns++] = conn;
+}
+
+void
+reconfigure(void)
+{
+ size_t i;
+
+ cfg_read();
+ bridge_reconfigure();
+ mgmt_reconfigure();
+ port_reconfigure();
+
+ for (i = 0; i < n_conns; i++) {
+ unixctl_command_reply(conns[i], 202, NULL);
+ }
+ free(conns);
+ conns = NULL;
+ n_conns = 0;
+}
+
+static void
+parse_options(int argc, char *argv[])
+{
+ enum {
+ OPT_PEER_CA_CERT = UCHAR_MAX + 1,
+ OPT_FAKE_PROC_NET,
+ VLOG_OPTION_ENUMS,
+ LEAK_CHECKER_OPTION_ENUMS
+ };
+ static struct option long_options[] = {
+ {"help", no_argument, 0, 'h'},
+ {"version", no_argument, 0, 'V'},
+ {"fake-proc-net", no_argument, 0, OPT_FAKE_PROC_NET},
+ DAEMON_LONG_OPTIONS,
+ VLOG_LONG_OPTIONS,
+ LEAK_CHECKER_LONG_OPTIONS,
+#ifdef HAVE_OPENSSL
+ VCONN_SSL_LONG_OPTIONS
+ {"peer-ca-cert", required_argument, 0, OPT_PEER_CA_CERT},
+#endif
+ {0, 0, 0, 0},
+ };
+ char *short_options = long_options_to_short_options(long_options);
+ const char *config_file;
+ int error;
+
+ for (;;) {
+ int c;
+
+ c = getopt_long(argc, argv, short_options, long_options, NULL);
+ if (c == -1) {
+ break;
+ }
+
+ switch (c) {
+ case 'H':
+ case 'h':
+ usage();
+
+ case 'V':
+ OVS_PRINT_VERSION(OFP_VERSION, OFP_VERSION);
+ exit(EXIT_SUCCESS);
+
+ case OPT_FAKE_PROC_NET:
+ error = proc_net_compat_init();
+ if (error) {
+ ovs_fatal(error, "failed to initialize /proc/net "
+ "compatibility");
+ }
+ break;
+
+ VLOG_OPTION_HANDLERS
+ DAEMON_OPTION_HANDLERS
+ VCONN_SSL_OPTION_HANDLERS
+ LEAK_CHECKER_OPTION_HANDLERS
+
+#ifdef HAVE_OPENSSL
+ case OPT_PEER_CA_CERT:
+ vconn_ssl_set_peer_ca_cert_file(optarg);
+ break;
+#endif
+
+ case '?':
+ exit(EXIT_FAILURE);
+
+ default:
+ abort();
+ }
+ }
+ free(short_options);
+
+ argc -= optind;
+ argv += optind;
+
+ if (argc != 1) {
+ ovs_fatal(0, "config file is only non-option argument; "
+ "use --help for usage");
+ }
+
+ config_file = argv[0];
+ error = cfg_set_file(config_file);
+ if (error) {
+ ovs_fatal(error, "failed to add configuration file \"%s\"",
+ config_file);
+ }
+}
+
+static void
+usage(void)
+{
+ printf("%s: virtual switch daemon\n"
+ "usage: %s [OPTIONS] CONFIG\n"
+ "CONFIG is a configuration file in ovs-vswitchd.conf(5) format.\n",
+ program_name, program_name);
+ daemon_usage();
+ vlog_usage();
+ printf("\nLegacy compatibility options:\n"
+ " --fake-proc-net simulate some files in /proc/net\n"
+ "\nOther options:\n"
+ " -h, --help display this help message\n"
+ " -V, --version display version information\n");
+ leak_checker_usage();
+ exit(EXIT_SUCCESS);
+}
--- /dev/null
+.\" -*- nroff -*-
+.de TQ
+. br
+. ns
+. TP "\\$1"
+..
+.de IQ
+. br
+. ns
+. IP "\\$1"
+..
+.de ST
+. PP
+. RS -0.15in
+. I "\\$1"
+. RE
+. PP
+..
+.TH ovs\-vswitchd.conf 5 "April 2009" "Open vSwitch" "OpenVSwitch Manual"
+.
+.SH NAME
+ovs\-vswitchd.conf \- configuration file for \fBovs\-vswitchd\fR
+.
+.SH DESCRIPTION
+This manual page describes the syntax for the configuration file used
+by \fBovs\-vswitchd\fR(8), the virtual switch daemon.
+.PP
+The configuration file is based on key-value pairs, which are given
+one per line in the form \fIkey\fB=\fIvalue\fR. Each \fIkey\fR
+consists of one or more parts separated by dots,
+e.g. \fIpart1\fB.\fIpart2\fB.\fIpart3\fR. Each \fIpart\fR may consist
+only of the English letters, digits, and the special characters
+\fB_-@$:+\fR. White space within \fIvalue\fR and at the beginning of a
+line is significant, but is otherwise ignored.
+.PP
+If a single key is specified more than once, that key has multiple
+values, one value for each time the key is specified. The ordering of
+key-value pairs, and the ordering of multiple values for a single key,
+within a configuration file is not significant.
+.PP
+Blank lines, lines that consist only of white space, and lines that
+begin with \fB#\fR (optionally preceded by white space) are ignored.
+Keep in mind that programs that modify the configuration file, such as
+\fBovs\-brcompatd\fR and \fBovs-cfg-mod\fR, may alter the order of
+elements and
+strip comments and blank lines.
+.PP
+The following subsections describe how key-value pairs are used to
+configure \fBovs\-vswitchd\fR.
+.SS "Bridge Configuration"
+A bridge (switch) with a given \fIname\fR is configured by specifying
+the names of its network devices as values for key
+\fBbridge.\fIname\fB.port\fR. (The specified \fIname\fR may not begin
+with \fBdp\fR or \fBnl:\fR followed by a digit.)
+.PP
+The names given on \fBbridge.\fIname\fB.port\fR must be the names of
+existing network devices, except for ``internal ports.'' An internal
+port is a simulated network device that receives traffic only only
+through the virtual switch and switches any traffic sent it through
+virtual switch. An internal port may configured with an IP address,
+etc. using the usual system tools (e.g. \fBifconfig\fR, \fBip\fR). To
+designate network device \fInetdev\fR as an internal port, add
+\fBiface.\fInetdev\fB.internal=true\fR to the configuration file.
+\fBovs\-vswitchd\fR will honor this configuration setting by automatically
+creating the named internal port.
+.PP
+A bridge with a given \fIname\fR always has an internal port with the
+same \fIname\fR, called the ``local port.'' This network device may
+be included
+in the bridge, by specifying it as one of the values for key
+\fBbridge.\fIname\fB.port\fR, or it may be omitted. If it is
+included, then its MAC address is by default the lowest-numbered MAC
+address among the other bridge ports, ignoring other internal ports
+and bridge ports that are
+used as port mirroring destinations (see \fBPort Mirroring\fR, below). To
+use a specific MAC address instead, set \fBbridge.\fIname\fB.mac\fR to
+a MAC address in the format
+\fIxx\fB:\fIxx\fB:\fIxx\fB:\fIxx\fB:\fIxx\fB:\fIxx\fR, where each
+\fIx\fR is a hex digit. If no valid MAC address can be determined
+either of these ways, then a MAC address is randomly generated.
+.PP
+The following syntax defines a bridge named \fBmybr\fR, configured
+with network devices \fBeth0\fR, \fBeth1\fR, and \fBeth2\fR:
+.RS
+.nf
+
+bridge.mybr.port=eth0
+bridge.mybr.port=eth1
+bridge.mybr.port=eth2
+
+.fi
+.RE
+.SS "802.1Q VLAN support"
+A bridge port may be configured either as a trunk port or as belonging
+to a single, untagged VLAN. These two options are mutually exclusive,
+and a port must be configured in one way or the other.
+.ST "Trunk Ports"
+By default, bridge ports are trunk ports that carry all VLANs. To
+limit the VLANs that a trunk port carries, define
+\fBvlan.\fIport\fB.trunks\fR to one or more integers between 0 and
+4095 designating VLANs. Only frames that have an 802.1Q header with
+one of the listed VLANs are accepted on a trunk port. If 0 is
+included in the list, then frames without an 802.1Q header are also
+accepted. Other frames are discarded.
+.PP
+The following syntax makes network device \fBeth0\fR a trunk port that
+carries VLANs 1, 2, and 3:
+.PP
+.RS
+.nf
+
+vlan.eth0.trunks=1
+vlan.eth0.trunks=2
+vlan.eth0.trunks=3
+
+.fi
+.RE
+.ST "Untagged VLAN Ports"
+A bridge port may be configured with an implicit, untagged VLAN.
+Define key
+\fBvlan.\fIport\fB.tag\fR to an integer value \fIvid\fR between 0 and
+4095, inclusive, to designate the named \fIport\fR as a member
+of 802.1Q VLAN \fIvid\fR. When \fIport\fR is assigned a VLAN tag this
+way, frames arriving on trunk ports will be forwarded to \fIport\fR
+only if they are tagged with VLAN \fIvid\fR, and frames arriving on
+other VLAN ports will be forwarded to \fIport\fR only if their
+\fIvid\fR values are equal. Frames forwarded to \fIport\fR will not
+have an 802.1Q header.
+.PP
+When \fIvid\fR is 0, frames arriving on trunk ports without an 802.1Q
+VLAN header will also be forwarded to \fIport\fR.
+.PP
+When a frame with a 802.1Q header that indicates a nonzero VLAN is
+received on an implicit VLAN port, it is discarded.
+.PP
+The following syntax makes network device \fBeth0\fR a member of VLAN
+101:
+.PP
+.RS
+.nf
+
+vlan.eth0.tag=101
+
+.fi
+.RE
+.SS "Network Device Bonding"
+Bonding allows multiple ``slave'' network devices to be treated as if
+they were a single virtual ``bonded'' network device. It is useful for
+load balancing and fail-over.
+.PP
+\fBovs\-vswitchd\fR supports ``source load balancing'' (SLB) bonding, which
+assigns flows to slaves based on source MAC address, with periodic
+rebalancing as traffic patterns change. This form of bonding does not
+require 802.3ad or other special support from the upstream switch to
+which the slave devices are connected.
+.PP
+To configure bonding, create a virtual bonding device by specifying
+the slave network device names as values for
+\fBbonding.\fIname\fB.slave\fR, then specify \fIname\fR as a bridge
+port. The chosen \fIname\fR should not be the name of any real
+network device on the host system.
+.PP
+By default, bonding interfaces are enabled or disabled immediately
+when a carrier is detected or dropped on the underlying network
+device. To insert a delay when carrier comes up or goes down before
+enabling or disabling an interface, set the value of
+\fBbonding.\fIname\fB.updelay\fR or
+\fBbonding.\fIname\fB.downdelay\fR, respectively, to a positive
+integer, interpreted in milliseconds.
+.PP
+The following syntax bonds \fBeth0\fR and \fBeth1\fR into a bonding
+device named \fBbond0\fR, which is added to bridge \fBmybr\fR along
+with physical network devices \fBeth2\fR and \fBeth3\fR:
+.PP
+.RS
+.nf
+
+bridge.mybr.port=bond0
+bridge.mybr.port=eth2
+bridge.mybr.port=eth3
+
+bonding.bond0.slave=eth0
+bonding.bond0.slave=eth1
+
+.fi
+.RE
+.SS "Port Mirroring (SPAN and RSPAN)"
+\fBovs\-vswitchd\fR may be configured to send selected frames to special
+``mirrored'' ports, in addition to their normal destinations. Mirroring
+traffic may also be referred to as SPAN or RSPAN, depending on the
+mechanism used for delivery.
+.PP
+Up to 32 instances of port mirroring may be configured on a given
+bridge. Each must be given a name that is unique within the bridge.
+The keys associated with port mirroring instance \fIpmname\fR for
+bridge \fIbrname\fR begin with \fBmirror.\fIbrname\fB.\fIpmname\fR.
+.PP
+The selection of the frames to mirror and the form in which they
+should be output is configured separately for each port mirroring
+instances, through a subsection of
+\fBmirror.\fIbrname\fB.\fIpmname\fR, named \fBselect\fR, and
+\fBoutput\fR, respectively.
+.ST "Selecting Frames to Mirror"
+The values for the following keys, if specified, limit the frames that
+are chosen for mirroring. If none of these keys is specified, then
+all frames received by the bridge are mirrored. If more than one of
+these keys is specified, then a frame must meet all specified criteria
+to be mirrored.
+.TP
+\fBmirror.\fIbrname\fB.\fIpmname\fB.select.src-port=\fIport\fR
+.TQ
+\fBmirror.\fIbrname\fB.\fIpmname\fB.select.dst-port=\fIport\fR
+.TQ
+\fBmirror.\fIbrname\fB.\fIpmname\fB.select.port=\fIport\fR
+Frame received on \fIport\fR, output to \fIport\fR, or either received
+on or output to \fIport\fR, respectively. \fIport\fR must be part of
+the bridge \fIbrname\fR; that is, it must be listed on
+\fBbridge.\fIbrname\fB.port\fR.
+.TP
+\fBmirror.\fIbrname\fB.\fIpmname\fB.select.vlan=\fIvid\fR
+.
+\fIvid\fR must be an integer between 0 and 4095, inclusive. A nonzero
+\fIvid\fR selects frames that belong to VLAN \fIvid\fR, that is,
+frames that arrived on a trunk port tagged with VLAN \fIvid\fR or on a
+port that is configured as part of VLAN \fIvid\fR (see \fB802.1Q VLAN
+tagging\fR, above). A \fIvid\fR of zero selects frames that do not
+belong to a VLAN, that is, frames that arrived on a trunk port without
+a VLAN tag or tagged with VLAN 0.
+.ST "Mirror Output"
+The values of the following keys determine how frames selected for
+mirroring are output. Only one of the keys may be specified.
+.TP
+\fBmirror.\fIbrname\fB.\fIpmname\fB.output.port=\fIport\fR
+.
+Causes the selected frames to be sent out \fIport\fR, which must be
+part of the bridge \fIbrname\fR; that is, it must be listed on
+\fBbridge.\fIbrname\fB.port\fR.
+.IP
+Specifying a \fIport\fR in this way reserves that port exclusively for
+mirroring. No frames other than those selected for mirroring will be
+forwarded to \fIport\fR, and any frames received on \fIport\fR will be
+discarded. This type of mirroring may be referred to as SPAN.
+.TP
+\fBmirror.\fIbrname\fB.\fIpmname\fB.output.vlan=\fIvid\fR
+.
+Causes the selected frames to be sent on the VLAN numbered \fIvid\fR,
+which must be an integer between 0 and 4095, inclusive. The frames
+will be sent out all ports that trunk VLAN \fIvid\fR, as well as any
+ports with implicit VLAN \fIvid\fR. When a mirrored frame is sent out
+a trunk port, the frame's VLAN tag will be set to \fIvid\fR, replacing
+any existing tag; when it is sent out an implicit VLAN port, the frame
+will not be tagged. This type of mirroring may be referred to as
+RSPAN.
+.ST "Example"
+The following \fBovs\-vswitchd\fR configuration copies all frames received
+on \fBeth1\fR or \fBeth2\fR to \fBeth3\fR.
+.PP
+.RS
+.nf
+
+bridge.mybr.port=eth1
+bridge.mybr.port=eth2
+bridge.mybr.port=eth3
+
+mirror.mybr.a.select.src-port=eth1
+mirror.mybr.a.select.src-port=eth2
+mirror.mybr.a.output.port=eth3
+
+.fi
+.RE
+.SS "Port Rate-Limiting"
+Traffic policing and shaping are configured on physical ports. Policing
+defines a hard limit at which traffic that exceeds the specified rate is
+dropped. Shaping uses queues to delay packets so that egress traffic
+leaves at the specified rate.
+
+.ST "Ingress Policing"
+The rate at which traffic is allowed to enter through a particular
+physical port can be configured with ingress policing. The rate is
+specified in kilobits (1000 bits) per second with a maximum burst size
+specified in kilobits (1000 bits). The burst size should be at least
+the size of the port's MTU.
+
+A port may be configured to enforce ingress policing by defining the
+key \fBport.\fIname\fB.ingress.policing-rate\fR with an integer
+indicating the rate. The port \fIname\fR will only allow traffic to be
+received at the rate specified in kilobits per second. If the rate is zero
+or the key is not defined, then ingress policing is disabled.
+
+If ingress policing is enabled, then the burst rate may be set by defining
+the key \fBport.\fIname\fB.ingress.policing-burst\fR with an integer
+indicating the burst rate in kilobits. If the key is not supplied or is
+zero, then the default burst is 10 kilobits.
+
+.PP
+The following syntax limits port \fBeth1\fR to receiving traffic at
+\fB512\fR kilobits per second with a burst of \fB20\fR kilobits:
+.PP
+.RS
+.nf
+
+port.eth1.ingress.policing-rate=512
+port.eth1.ingress.policing-burst=20
+
+.fi
+.SS "NetFlow v5 Flow Logging"
+NetFlow is a protocol that exports a number of details about terminating
+IP flows, such as the principals involved and duration. A bridge may be
+configured to send NetFlow v5 records to NetFlow collectors when flows
+end. To enable, define the key \fBnetflow.\fIbridge\fB.host\fR for each
+collector in the form \fIhost\fB:\fIport\fR. Records from \fIbridge\fR
+will be sent to each \fIhost\fR on UDP \fIport\fR.
+
+The NetFlow messages will use the datapath index for the engine type and id.
+This can be overridden with the \fBnetflow.\fIbridge\fB.engine-type\fR and
+\fBnetflow.\fIbridge\fB.engine-id\fR, respectively. Each takes a value
+between 0 and 255, inclusive.
+
+Many NetFlow collectors do not expect multiple virtual switches to be
+sending messages from the same host, and they do not store the engine
+information which could be used to disambiguate the traffic. To prevent
+flows from multiple switches appearing as if they came on the interface,
+add \fBnetflow.\fIbridge\fB.add-id-to-iface=true\fR to the configuration
+file. This will place the least significant 7 bits of the engine id
+into the most significant bits of the ingress and egress interface fields
+of flow records. By default, this behavior is disabled.
+
+The following syntax sends NetFlow records for \fBmybr\fR to the NetFlow
+collector \fBnflow.example.com\fR on UDP port \fB9995\fR:
+.PP
+.RS
+.nf
+
+netflow.mybr.host=nflow.example.com:9995
+
+.fi
+.RE
+.SS "Remote Management"
+A \fBovs\-vswitchd\fR instance may be remotely managed by a controller that
+supports the OpenFlow Management Protocol, such as NOX. This
+functionality is enabled by setting the key \fBmgmt.controller\fR to one
+of the following values:
+.
+.TP
+\fBssl:\fIhost\fR[\fB:\fIport\fR]
+The specified SSL \fIport\fR (default: 6633) on the given remote
+\fIhost\fR. SSL must be configured when this form is used (see \fBSSL
+Configuration\fR, below).
+.
+.TP
+\fBtcp:\fIhost\fR[\fB:\fIport\fR]
+The specified TCP \fIport\fR (default: 6633) on the given remote
+\fIhost\fR.
+.PP
+The maximum time between attempts to connect to the controller may be
+specified in integral seconds with the \fBmgmt.max-backoff\fR key. The
+default maximum backoff is 15 seconds, and the minimum value is 1
+second.
+
+An inactivity probe may be configured with the \fBmgmt.inactivity-probe\fR
+key. If \fBovs\-vswitchd\fR does not communicate with the controller for the
+specified number of seconds, it will send a probe. If a response is not
+received for an additional amount of that time, \fBovs\-vswitchd\fR assumes
+the connection has been broken and attempts to reconnect. The default
+is 15 seconds, and the minimum value is 5 seconds.
+
+A management id may be specified with the \fBmgmt.id\fR key. It takes
+an id in the form of exactly 12 hexadecimal digits. If one is not
+specified, a random id is generated each time \fBovs\-vswitchd\fR is started.
+.fi
+.RE
+.SS "OpenFlow Controller Connectivity"
+\fBovs\-vswitchd\fR can perform all configured bridging and switching
+locally, or it can be configured to connect a given bridge to an
+external OpenFlow controller, such as NOX. Its behavior depends on
+the \fBbridge.\fIname\fB.controller\fR setting:
+.
+.TP
+\fI\[la]unset\[ra]\fR
+When the key is not set, the behavior depends on whether remote
+management is configured. If management is configured, then the switch
+will connect to the controller specified on \fBmgmt.controller\fR. If
+management is not configured, the switch will perform all configured
+bridging and switching locally.
+.
+.TP
+\fI\[la]empty\[ra]\fR
+Setting an empty string value disables controller connectivity. The
+switch will perform all configured bridging and switching locally.
+.
+.TP
+\fBdiscover\fR
+Use controller discovery to find the local OpenFlow controller.
+Refer to \fBsecchan\fR(8) for information on how to configure a DHCP
+server to support controller discovery. The following additional
+options control the discovery process:
+.
+.RS
+.TP
+\fBbridge.\fIname\fB.controller.accept-regex=\fIregex\fR
+A POSIX extended regular expression against which the discovered
+controller location is validated. Only controllers whose names match
+the regular expression will be accepted.
+.IP
+The default regular expression is \fBssl:.*\fR, meaning that only SSL
+controller connections will be accepted, when SSL is configured (see
+\fBSSL Configuration\fR), and \fB.*\fR otherwise, meaning that any
+controller will be accepted.
+.IP
+The regular expression is implicitly anchored at the beginning of the
+controller location string, as if it begins with \fB^\fR.
+.TP
+\fBbridge.\fIname\fB.controller.update-resolv.conf=\fBtrue\fR|\fBfalse\fR
+By default, or if this is set to \fBtrue\fR, \fBovs\-vswitchd\fR overwrites
+the system's \fB/etc/resolv.conf\fR with domain information and DNS
+servers obtained via DHCP. If this setting is \fBfalse\fR,
+\fBovs\-vswitchd\fR will not modify \fB/etc/resolv.conf\fR.
+.IP
+\fBovs\-vswitchd\fR will only modify \fBresolv.conf\fR if the DHCP response
+that it receives specifies one or more DNS servers.
+.RE
+.
+.TP
+\fBssl:\fIhost\fR[\fB:\fIport\fR]
+The specified SSL \fIport\fR (default: 6633) on the given remote
+\fIhost\fR. SSL must be configured when this form is used (see \fBSSL
+Configuration\fR, below).
+.
+.TP
+\fBtcp:\fIhost\fR[\fB:\fIport\fR]
+The specified TCP \fIport\fR (default: 6633) on the given remote
+\fIhost\fR.
+.
+.TP
+\fBunix:\fIfile\fR
+The Unix domain server socket named \fIfile\fR.
+.PP
+The datapath ID used by the bridge to identify itself to the remote
+controller may be specified as \fBbridge.\fIname\fB.datapath-id\fR,
+in the form of exactly 12 hexadecimal digits. If the datapath ID
+is not specified, then it defaults to the bridge's MAC address (see
+\fBBridge Configuration\fR, above, for information on how the bridge's
+MAC address is chosen).
+.ST "Local Port Network Configuration"
+When an external controller is configured, but controller discovery is
+not in use, the following additional settings are honored:
+.TP
+\fBbridge.\fIname\fB.controller.in-band=\fBtrue\fR|\fBfalse\fR
+By default, or if this is set to \fBtrue\fR, \fBovs\-vswitchd\fR connects
+to the controller in-band. If this is set to \fBfalse\fR,
+\fBovs\-vswitchd\fR connects to the controller out-of-band. Refer to
+\fBsecchan\fR(8) for a description of in-band and out-of-band control.
+.IP "\fBbridge.\fIname\fB.controller.ip=\fIip\fR"
+If specified, the IP address to configure on the bridge's local port.
+.IP "\fBbridge.\fIname\fB.controller.netmask=\fInetmask\fR"
+When an IP is specified, the corresponding netmask. The default is
+255.255.255.0 for a Class C IP address, 255.255.0.0 for Class B, and
+255.0.0.0 for Class A.
+.IP "\fBbridge.\fIname\fB.controller.gateway=\fIip\fR"
+When an IP is specified, the corresponding IP gateway. There is no
+default gateway.
+.ST "Controller Failure Settings"
+The following additional settings take effect when any remote
+controller is configured:
+.IP "\fBbridge.\fIname\fB.controller.inactivity-probe=\fIsecs\fR"
+This optional setting may be set to \fIsecs\fR, a number of seconds.
+The minimum value of \fIsecs\fR is 5 seconds. The default is taken
+from \fBmgmt.inactivity-probe\fR (see above).
+.IP
+When the virtual switch is connected to the controller, it waits for a
+message to be received from the controller for \fIsecs\fR seconds
+before it sends a inactivity probe to the controller. After sending
+the inactivity probe, if no response is received for an additional
+\fIsecs\fR seconds, the secure channel assumes that the connection has
+been broken and attempts to reconnect.
+.IP
+Changing the inactivity probe interval also changes the interval
+before entering standalone mode (see below).
+.IP "\fBbridge.\fIname\fB.controller.fail-mode=\fBstandalone\fR|\fBsecure\fR"
+.IQ "\fBmgmt.fail-mode=standalone\fR|\fBsecure\fR"
+When a controller is configured, it is, ordinarily, responsible for
+setting up all flows on the virtual switch. Thus, if the connection to
+the controller fails, no new network connections can be set up. If
+the connection to the controller stays down long enough, no packets
+can pass through the switch at all.
+.IP
+The first of these that is set takes effect.
+If the value is \fBstandalone\fR, \fBovs\-vswitchd\fR will take over
+responsibility for setting up
+flows when no message has been received from the controller for three
+times the inactivity probe interval (see above). In this mode,
+\fBovs\-vswitchd\fR causes the datapath to act like an ordinary
+MAC-learning switch. \fBovs\-vswitchd\fR will continue to retry connecting
+to the controller in the background and, when the connection succeeds,
+it discontinues its standalone behavior.
+.IP
+If this option is set to \fBsecure\fR, or if neither of these settings
+is set, \fBovs\-vswitchd\fR will not set up flows on its own when the
+controller connection fails.
+.IP "\fBbridge.\fIname\fB.controller.max-backoff=\fIsecs\fR"
+Sets the maximum time between attempts to connect to the controller to
+\fIsecs\fR, which must be at least 1. The actual interval between
+connection attempts starts at 1 second and doubles on each failing
+attempt until it reaches the maximum. The default maximum backoff
+time is taken from \fBmgmt.max-backoff\fR.
+.ST "Controller Rate-Limiting"
+These settings configure how the virtual switch applies a ``token
+bucket'' to limit the rate at which packets in unknown flows are
+forwarded to the OpenFlow controller for flow-setup processing. This
+feature prevents a single bridge from overwhelming a controller.
+.IP "\fBbridge.\fIname\fB.controller.rate-limit=\fIrate\fR"
+.IQ "\fBmgmt.rate-limit=\fIrate\fR"
+Limits the maximum rate at which packets will be forwarded to the
+OpenFlow controller to \fIrate\fR packets per second. A rate specified
+explicitly for \fIname\fR overrides a value configured using the
+\fBmgmt.rate-limit\fR key.
+.IP
+If neither one of these settings is set, then the bridge does not
+limit the rate at which packets are forwarded to the controller.
+.IP "\fBbridge.\fIname\fB.controller.burst-limit=\fIburst\fR"
+.IQ "\fBmgmt.burst-limit=\fIburst\fR"
+Sets the maximum number of unused packet credits that the bridge will
+allow to accumulate during the time in which no packets are being
+forwarded to the OpenFlow controller to \fIburst\fR (measured in
+packets). The default \fIburst\fR is one-quarter of the \fIrate\fR
+specified in the rate-limit setting.
+.IP
+A burst specified explicitly for \fIname\fR overrides a value configured
+using the \fBmgmt.burst-limit\fR key. This option takes effect only
+when a rate-limit is specified.
+.ST "Remote Command Execution Settings"
+These settings configure the commands that remote OpenFlow connections
+are allowed to invoke using (e.g.) \fBovs\-ofctl execute\fR. To be
+permitted, a command name must be whitelisted and must not be
+blacklisted. When the whitelist and blacklist permit a command name,
+\fBovs\-vswitchd\fR looks for a program with the same name as the command
+in the commands directory (see below). Other directories are not
+searched.
+.IP "\fBbridge.\fIname\fB.controller.commands.acl=\fIglob\fR"
+Whitelists commands whose names match shell glob pattern \fIglob\fR,
+allowing those commands to be invoked by the remote controller.
+.IP
+By default, no commands are whitelisted, so this setting is mandatory
+if any remote command execution is to be allowed.
+.IP "\fBbridge.\fIname\fB.controller.commands.acl=\fB!\fR\fIglob\fR"
+Blacklists commands whose names match shell glob pattern \fIglob\fR,
+prohibiting those commands from being invoked by the remote
+controller. Command names that include characters other than upper-
+and lower-case English letters, digits, and the underscore and hyphen
+characters are blacklisted unconditionally.
+.IP "\fBbridge.\fIname\fB.controller.commands.dir=\fIdirectory\fR"
+Sets the directory searched for remote command execution to
+\fIdirectory\fR. The default directory is
+\fB@pkgdatadir@/commands\fR.
+.SS "SSL Configuration"
+When \fBovs\-vswitchd\fR is configured to connect over SSL for management or
+for controller connectivity, the following settings are required:
+.TP
+\fBssl.private-key=\fIprivkey.pem\fR
+Specifies a PEM file containing the private key used as the virtual
+switch's identity for SSL connections to the controller.
+.TP
+\fBssl.certificate=\fIcert.pem\fR
+Specifies a PEM file containing a certificate, signed by the
+certificate authority (CA) used by the controller and manager, that
+certifies the virtual switch's private key, identifying a trustworthy
+switch.
+.TP
+\fBssl.ca-cert=\fIcacert.pem\fR
+Specifies a PEM file containing the CA certificate used to verify that
+the virtual switch is connected to a trustworthy controller.
+.PP
+These files are read only once, at \fBovs\-vswitchd\fR startup time. If
+their contents change, \fBovs\-vswitchd\fR must be killed and restarted.
+.PP
+These SSL settings apply to all SSL connections made by the virtual
+switch.
+.ST "CA Certificate Bootstrap"
+Ordinarily, all of the files named in the SSL configuration must exist
+when \fBovs\-vswitchd\fR starts. However, if \fBssl.bootstrap-ca-cert\fR
+is set to \fBtrue\fR, then \fBovs\-vswitchd\fR will attempt to obtain the
+CA certificate from the controller on its first SSL connection and
+save it to the named PEM file. If it is successful, it will
+immediately drop the connection and reconnect, and from then on all
+SSL connections must be authenticated by a certificate signed by the
+CA certificate thus obtained.
+.PP
+\fBThis option exposes the SSL connection to a man-in-the-middle
+attack obtaining the initial CA certificate\fR, but it may be useful
+for bootstrapping.
+.PP
+This option is only useful if the controller sends its CA certificate
+as part of the SSL certificate chain. The SSL protocol does not
+require the controller to send the CA certificate, but
+\fBcontroller\fR(8) can be configured to do so with the
+\fB--peer-ca-cert\fR option.
+.SS "OpenFlow Management Connections"
+By default, each bridge \fIname\fR listens for OpenFlow management
+connections on a Unix domain socket named
+\fB@RUNDIR@/\fIname\fB.mgmt\fR. This socket can be used to perform
+local OpenFlow monitoring and administration, e.g., \fBovs\-ofctl dump-flows
+unix:@RUNDIR@/\fIname\fB.mgmt\fR to display the flows currently set up
+in bridge \fIname\fR.
+.PP
+If \fBbridge.\fIname\fB.openflow.listeners\fR is set to one or more
+values, \fBovs\-vswitchd\fR instead listens on the specified connection
+methods. Acceptable connection methods include:
+.RS
+.IP "\fBpunix:\fIfile\fR"
+Listens for connections on the Unix domain server socket named \fIfile\fR.
+.IP "\fBpssl:\fR[\fIport\fR]"
+Listens for SSL connections on \fIport\fR (default: 6633). SSL must
+be configured when this form is used (see \fBSSL Configuration\fR,
+above).
+.IP "\fBptcp:\fR[\fIport\fR]"
+Listens for TCP connections on \fIport\fR (default: 6633).
+.RE
+To entirely disable listening for management connections, set
+\fBbridge.\fIname\fB.openflow.listeners\fR to the single value
+\fBnone\fR.
+
+.SS "OpenFlow Controller Connection Snooping"
+By default, each bridge \fIname\fR listens for OpenFlow controller
+connection snooping connections on a Unix domain socket named
+\fB@RUNDIR@/\fIname\fB.snoop\fR. A client that connects to this
+socket, e.g., \fBovs\-ofctl monitor unix:@RUNDIR@/\fIname\fB.snoop\fR, will
+receive a copy of every OpenFlow message sent by the switch to the
+controller, or vice versa, on the primary OpenFlow controller
+connection.
+.PP
+If \fBbridge.\fIname\fB.openflow.snoops\fR is set to one or more
+values, \fBovs\-vswitchd\fR instead listens on the specified connection
+methods. The acceptable connection methods are the same as for
+OpenFlow management connections (see above).
+.PP
+To entirely disable controller connection snooping, set
+\fBbridge.\fIname\fB.openflow.snoops\fR to the single value
+\fBnone\fR.
+.SH "SEE ALSO"
+.BR ovs\-brcompatd (8),
+.BR ovs\-cfg\-mod (8),
+.BR ovs\-vswitchd (8)
--- /dev/null
+/* Copyright (c) 2009 Nicira Networks
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ * In addition, as a special exception, Nicira Networks gives permission
+ * to link the code of its release of vswitchd with the OpenSSL project's
+ * "OpenSSL" library (or with modified versions of it that use the same
+ * license as the "OpenSSL" library), and distribute the linked
+ * executables. You must obey the GNU General Public License in all
+ * respects for all of the code used other than "OpenSSL". If you modify
+ * this file, you may extend this exception to your version of the file,
+ * but you are not obligated to do so. If you do not wish to do so,
+ * delete this exception statement from your version.
+ */
+
+#ifndef VSWITCHD_H
+#define VSWITCHD_H 1
+
+void reconfigure(void);
+
+#endif /* ovs-vswitchd.h */
#include "bridge.h"
#include "cfg.h"
#include "netdev.h"
+#include "ovs-vswitchd.h"
#include "port.h"
#include "svec.h"
-#include "vswitchd.h"
#define THIS_MODULE VLM_port
#include "vlog.h"
ds_init(&ds);
ds_put_format(
&ds,
- "Ethernet Channel Bonding Driver: vswitchd "
+ "Ethernet Channel Bonding Driver: ovs-vswitchd "
VERSION BUILDNR" ("__DATE__" "__TIME__")\n"
"Bonding Mode: source load balancing\n"
"Primary Slave: None\n"
+++ /dev/null
-.TH vswitchd 8 "March 2009" "Open vSwitch" "Open vSwitch Manual"
-.ds PN vswitchd
-.
-.SH NAME
-vswitchd \- virtual switch daemon
-.
-.SH SYNOPSIS
-.B vswitchd
-\fIconfig\fR
-.
-.SH DESCRIPTION
-A daemon that manages and controls any number of virtual switches on
-the local machine.
-.PP
-The mandatory \fIconfig\fR argument specifies a configuration file.
-For a description of \fBvswitchd\fR configuration syntax, see
-\fBvswitchd.conf\fR(5).
-.PP
-At startup or upon receipt of a \fBSIGHUP\fR signal, \fBvswitchd\fR
-reads the configuration file. It sets up Open vSwitch datapaths and then
-operates switching across each bridge described in its configuration
-files. If a logfile was specified on the command line it will also
-be opened or reopened.
-.PP
-\fBvswitchd\fR virtual switches may be configured with any of the
-following features:
-.
-.IP \(bu
-L2 switching with MAC learning.
-.
-.IP \(bu
-NIC bonding with automatic fail-over and source MAC-based TX load
-balancing ("SLB").
-.
-.IP \(bu
-802.1Q VLAN support.
-.
-.IP \(bu
-Port mirroring, with optional VLAN tagging.
-.
-.IP \(bu
-NetFlow v5 flow logging.
-.
-.IP \(bu
-Connectivity to an external OpenFlow controller, such as NOX.
-.
-.PP
-Only a single instance of \fBvswitchd\fR is intended to run at a time.
-A single \fBvswitchd\fR can manage any number of virtual switches, up
-to the maximum number of supported Open vSwitch datapaths.
-.PP
-\fBvswitchd\fR does all the necessary management of Open vSwitch datapaths
-itself. Thus, external tools, such \fBovs\-dpctl\fR(8), are not needed for
-managing datapaths in conjunction with \fBvswitchd\fR, and their use
-to modify datapaths when \fBvswitchd\fR is running can interfere with
-its operation. (\fBovs\-dpctl\fR may still be useful for diagnostics.)
-.PP
-An Open vSwitch datapath kernel module must be loaded for \fBvswitchd\fR
-to be useful. Please refer to the \fBINSTALL\fR file included in the
-Open vSwitch distribution for instructions on how to build and load
-the Open vSwitch kernel module.
-.PP
-.SH OPTIONS
-.IP "\fB--fake-proc-net\fR"
-Causes \fBvswitchd\fR to simulate some files in \fB/proc/net/vlan\fR
-and \fB/proc/net/bonding\fR that some legacy software expects to
-exist. This option should only be used if such legacy software is
-actually in use. It requires the \fBbrcompat_mod.ko\fR kernel module
-to be loaded.
-.
-.so lib/daemon.man
-.so lib/vlog.man
-.so lib/common.man
-.so lib/leak-checker.man
-.
-.SH "BUGS"
-.
-Only Open vSwitch kernel-based datapaths are currently supported. In the
-future, this restriction may be lifted.
-.PP
-Only Linux 2.6.\fIx\fR is currently supported.
-.
-.SH "SEE ALSO"
-.BR ovs-appctl (8),
-.BR vswitchd.conf (5),
-.BR brcompatd (8),
-\fBINSTALL\fR in the Open vSwitch distribution.
+++ /dev/null
-/* Copyright (c) 2008, 2009 Nicira Networks
- *
- * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program. If not, see <http://www.gnu.org/licenses/>.
- *
- * In addition, as a special exception, Nicira Networks gives permission
- * to link the code of its release of vswitchd with the OpenSSL project's
- * "OpenSSL" library (or with modified versions of it that use the same
- * license as the "OpenSSL" library), and distribute the linked
- * executables. You must obey the GNU General Public License in all
- * respects for all of the code used other than "OpenSSL". If you modify
- * this file, you may extend this exception to your version of the file,
- * but you are not obligated to do so. If you do not wish to do so,
- * delete this exception statement from your version.
- */
-
-#include <config.h>
-
-#include <assert.h>
-#include <errno.h>
-#include <getopt.h>
-#include <limits.h>
-#include <signal.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include "bridge.h"
-#include "cfg.h"
-#include "command-line.h"
-#include "compiler.h"
-#include "daemon.h"
-#include "fault.h"
-#include "leak-checker.h"
-#include "mgmt.h"
-#include "poll-loop.h"
-#include "port.h"
-#include "proc-net-compat.h"
-#include "process.h"
-#include "signals.h"
-#include "svec.h"
-#include "timeval.h"
-#include "unixctl.h"
-#include "util.h"
-#include "vconn-ssl.h"
-#include "vconn.h"
-#include "vswitchd.h"
-
-#include "vlog.h"
-#define THIS_MODULE VLM_vswitchd
-
-static void parse_options(int argc, char *argv[]);
-static void usage(void) NO_RETURN;
-static void reload(struct unixctl_conn *, const char *args);
-
-static bool need_reconfigure;
-static struct unixctl_conn **conns;
-static size_t n_conns;
-
-int
-main(int argc, char *argv[])
-{
- struct unixctl_server *unixctl;
- struct signal *sighup;
- int retval;
-
- set_program_name(argv[0]);
- register_fault_handlers();
- time_init();
- vlog_init();
- parse_options(argc, argv);
- signal(SIGPIPE, SIG_IGN);
- sighup = signal_register(SIGHUP);
- process_init();
-
- die_if_already_running();
- daemonize();
-
- retval = unixctl_server_create(NULL, &unixctl);
- if (retval) {
- ovs_fatal(retval, "could not listen for control connections");
- }
- unixctl_command_register("vswitchd/reload", reload);
-
- cfg_read();
- mgmt_init();
- bridge_init();
- port_init();
- mgmt_reconfigure();
-
- need_reconfigure = false;
- for (;;) {
- if (need_reconfigure || signal_poll(sighup)) {
- need_reconfigure = false;
- vlog_reopen_log_file();
- reconfigure();
- }
- mgmt_run();
- if (bridge_run()) {
- need_reconfigure = true;
- }
- unixctl_server_run(unixctl);
-
- if (need_reconfigure) {
- poll_immediate_wake();
- }
- signal_wait(sighup);
- mgmt_wait();
- bridge_wait();
- unixctl_server_wait(unixctl);
- poll_block();
- }
-
- return 0;
-}
-
-static void
-reload(struct unixctl_conn *conn, const char *args UNUSED)
-{
- need_reconfigure = true;
- conns = xrealloc(conns, sizeof *conns * (n_conns + 1));
- conns[n_conns++] = conn;
-}
-
-void
-reconfigure(void)
-{
- size_t i;
-
- cfg_read();
- bridge_reconfigure();
- mgmt_reconfigure();
- port_reconfigure();
-
- for (i = 0; i < n_conns; i++) {
- unixctl_command_reply(conns[i], 202, NULL);
- }
- free(conns);
- conns = NULL;
- n_conns = 0;
-}
-
-static void
-parse_options(int argc, char *argv[])
-{
- enum {
- OPT_PEER_CA_CERT = UCHAR_MAX + 1,
- OPT_FAKE_PROC_NET,
- VLOG_OPTION_ENUMS,
- LEAK_CHECKER_OPTION_ENUMS
- };
- static struct option long_options[] = {
- {"help", no_argument, 0, 'h'},
- {"version", no_argument, 0, 'V'},
- {"fake-proc-net", no_argument, 0, OPT_FAKE_PROC_NET},
- DAEMON_LONG_OPTIONS,
- VLOG_LONG_OPTIONS,
- LEAK_CHECKER_LONG_OPTIONS,
-#ifdef HAVE_OPENSSL
- VCONN_SSL_LONG_OPTIONS
- {"peer-ca-cert", required_argument, 0, OPT_PEER_CA_CERT},
-#endif
- {0, 0, 0, 0},
- };
- char *short_options = long_options_to_short_options(long_options);
- const char *config_file;
- int error;
-
- for (;;) {
- int c;
-
- c = getopt_long(argc, argv, short_options, long_options, NULL);
- if (c == -1) {
- break;
- }
-
- switch (c) {
- case 'H':
- case 'h':
- usage();
-
- case 'V':
- OVS_PRINT_VERSION(OFP_VERSION, OFP_VERSION);
- exit(EXIT_SUCCESS);
-
- case OPT_FAKE_PROC_NET:
- error = proc_net_compat_init();
- if (error) {
- ovs_fatal(error, "failed to initialize /proc/net "
- "compatibility");
- }
- break;
-
- VLOG_OPTION_HANDLERS
- DAEMON_OPTION_HANDLERS
- VCONN_SSL_OPTION_HANDLERS
- LEAK_CHECKER_OPTION_HANDLERS
-
-#ifdef HAVE_OPENSSL
- case OPT_PEER_CA_CERT:
- vconn_ssl_set_peer_ca_cert_file(optarg);
- break;
-#endif
-
- case '?':
- exit(EXIT_FAILURE);
-
- default:
- abort();
- }
- }
- free(short_options);
-
- argc -= optind;
- argv += optind;
-
- if (argc != 1) {
- ovs_fatal(0, "config file is only non-option argument; "
- "use --help for usage");
- }
-
- config_file = argv[0];
- error = cfg_set_file(config_file);
- if (error) {
- ovs_fatal(error, "failed to add configuration file \"%s\"",
- config_file);
- }
-}
-
-static void
-usage(void)
-{
- printf("%s: virtual switch daemon\n"
- "usage: %s [OPTIONS] CONFIG\n"
- "CONFIG is a configuration file in vswitchd.conf(5) format.\n",
- program_name, program_name);
- daemon_usage();
- vlog_usage();
- printf("\nLegacy compatibility options:\n"
- " --fake-proc-net simulate some files in /proc/net\n"
- "\nOther options:\n"
- " -h, --help display this help message\n"
- " -V, --version display version information\n");
- leak_checker_usage();
- exit(EXIT_SUCCESS);
-}
+++ /dev/null
-.\" -*- nroff -*-
-.de TQ
-. br
-. ns
-. TP "\\$1"
-..
-.de IQ
-. br
-. ns
-. IP "\\$1"
-..
-.de ST
-. PP
-. RS -0.15in
-. I "\\$1"
-. RE
-. PP
-..
-.TH vswitchd.conf 5 "April 2009" "Open vSwitch" "Open vSwitch Manual"
-.
-.SH NAME
-vswitchd.conf \- configuration file for \fBvswitchd\fR
-.
-.SH DESCRIPTION
-This manual page describes the syntax for the configuration file used
-by \fBvswitchd\fR(8), the virtual switch daemon.
-.PP
-The configuration file is based on key-value pairs, which are given
-one per line in the form \fIkey\fB=\fIvalue\fR. Each \fIkey\fR
-consists of one or more parts separated by dots,
-e.g. \fIpart1\fB.\fIpart2\fB.\fIpart3\fR. Each \fIpart\fR may consist
-only of the English letters, digits, and the special characters
-\fB_-@$:+\fR. White space within \fIvalue\fR and at the beginning of a
-line is significant, but is otherwise ignored.
-.PP
-If a single key is specified more than once, that key has multiple
-values, one value for each time the key is specified. The ordering of
-key-value pairs, and the ordering of multiple values for a single key,
-within a configuration file is not significant.
-.PP
-Blank lines, lines that consist only of white space, and lines that
-begin with \fB#\fR (optionally preceded by white space) are ignored.
-Keep in mind that programs that modify the configuration file, such as
-\fBovs\-brcompatd\fR and \fBovs-cfg-mod\fR, may alter the order of
-elements and
-strip comments and blank lines.
-.PP
-The following subsections describe how key-value pairs are used to
-configure \fBvswitchd\fR.
-.SS "Bridge Configuration"
-A bridge (switch) with a given \fIname\fR is configured by specifying
-the names of its network devices as values for key
-\fBbridge.\fIname\fB.port\fR. (The specified \fIname\fR may not begin
-with \fBdp\fR or \fBnl:\fR followed by a digit.)
-.PP
-The names given on \fBbridge.\fIname\fB.port\fR must be the names of
-existing network devices, except for ``internal ports.'' An internal
-port is a simulated network device that receives traffic only only
-through the virtual switch and switches any traffic sent it through
-virtual switch. An internal port may configured with an IP address,
-etc. using the usual system tools (e.g. \fBifconfig\fR, \fBip\fR). To
-designate network device \fInetdev\fR as an internal port, add
-\fBiface.\fInetdev\fB.internal=true\fR to the configuration file.
-\fBvswitchd\fR will honor this configuration setting by automatically
-creating the named internal port.
-.PP
-A bridge with a given \fIname\fR always has an internal port with the
-same \fIname\fR, called the ``local port.'' This network device may
-be included
-in the bridge, by specifying it as one of the values for key
-\fBbridge.\fIname\fB.port\fR, or it may be omitted. If it is
-included, then its MAC address is by default the lowest-numbered MAC
-address among the other bridge ports, ignoring other internal ports
-and bridge ports that are
-used as port mirroring destinations (see \fBPort Mirroring\fR, below). To
-use a specific MAC address instead, set \fBbridge.\fIname\fB.mac\fR to
-a MAC address in the format
-\fIxx\fB:\fIxx\fB:\fIxx\fB:\fIxx\fB:\fIxx\fB:\fIxx\fR, where each
-\fIx\fR is a hex digit. If no valid MAC address can be determined
-either of these ways, then a MAC address is randomly generated.
-.PP
-The following syntax defines a bridge named \fBmybr\fR, configured
-with network devices \fBeth0\fR, \fBeth1\fR, and \fBeth2\fR:
-.RS
-.nf
-
-bridge.mybr.port=eth0
-bridge.mybr.port=eth1
-bridge.mybr.port=eth2
-
-.fi
-.RE
-.SS "802.1Q VLAN support"
-A bridge port may be configured either as a trunk port or as belonging
-to a single, untagged VLAN. These two options are mutually exclusive,
-and a port must be configured in one way or the other.
-.ST "Trunk Ports"
-By default, bridge ports are trunk ports that carry all VLANs. To
-limit the VLANs that a trunk port carries, define
-\fBvlan.\fIport\fB.trunks\fR to one or more integers between 0 and
-4095 designating VLANs. Only frames that have an 802.1Q header with
-one of the listed VLANs are accepted on a trunk port. If 0 is
-included in the list, then frames without an 802.1Q header are also
-accepted. Other frames are discarded.
-.PP
-The following syntax makes network device \fBeth0\fR a trunk port that
-carries VLANs 1, 2, and 3:
-.PP
-.RS
-.nf
-
-vlan.eth0.trunks=1
-vlan.eth0.trunks=2
-vlan.eth0.trunks=3
-
-.fi
-.RE
-.ST "Untagged VLAN Ports"
-A bridge port may be configured with an implicit, untagged VLAN.
-Define key
-\fBvlan.\fIport\fB.tag\fR to an integer value \fIvid\fR between 0 and
-4095, inclusive, to designate the named \fIport\fR as a member
-of 802.1Q VLAN \fIvid\fR. When \fIport\fR is assigned a VLAN tag this
-way, frames arriving on trunk ports will be forwarded to \fIport\fR
-only if they are tagged with VLAN \fIvid\fR, and frames arriving on
-other VLAN ports will be forwarded to \fIport\fR only if their
-\fIvid\fR values are equal. Frames forwarded to \fIport\fR will not
-have an 802.1Q header.
-.PP
-When \fIvid\fR is 0, frames arriving on trunk ports without an 802.1Q
-VLAN header will also be forwarded to \fIport\fR.
-.PP
-When a frame with a 802.1Q header that indicates a nonzero VLAN is
-received on an implicit VLAN port, it is discarded.
-.PP
-The following syntax makes network device \fBeth0\fR a member of VLAN
-101:
-.PP
-.RS
-.nf
-
-vlan.eth0.tag=101
-
-.fi
-.RE
-.SS "Network Device Bonding"
-Bonding allows multiple ``slave'' network devices to be treated as if
-they were a single virtual ``bonded'' network device. It is useful for
-load balancing and fail-over.
-.PP
-\fBvswitchd\fR supports ``source load balancing'' (SLB) bonding, which
-assigns flows to slaves based on source MAC address, with periodic
-rebalancing as traffic patterns change. This form of bonding does not
-require 802.3ad or other special support from the upstream switch to
-which the slave devices are connected.
-.PP
-To configure bonding, create a virtual bonding device by specifying
-the slave network device names as values for
-\fBbonding.\fIname\fB.slave\fR, then specify \fIname\fR as a bridge
-port. The chosen \fIname\fR should not be the name of any real
-network device on the host system.
-.PP
-By default, bonding interfaces are enabled or disabled immediately
-when a carrier is detected or dropped on the underlying network
-device. To insert a delay when carrier comes up or goes down before
-enabling or disabling an interface, set the value of
-\fBbonding.\fIname\fB.updelay\fR or
-\fBbonding.\fIname\fB.downdelay\fR, respectively, to a positive
-integer, interpreted in milliseconds.
-.PP
-The following syntax bonds \fBeth0\fR and \fBeth1\fR into a bonding
-device named \fBbond0\fR, which is added to bridge \fBmybr\fR along
-with physical network devices \fBeth2\fR and \fBeth3\fR:
-.PP
-.RS
-.nf
-
-bridge.mybr.port=bond0
-bridge.mybr.port=eth2
-bridge.mybr.port=eth3
-
-bonding.bond0.slave=eth0
-bonding.bond0.slave=eth1
-
-.fi
-.RE
-.SS "Port Mirroring (SPAN and RSPAN)"
-\fBvswitchd\fR may be configured to send selected frames to special
-``mirrored'' ports, in addition to their normal destinations. Mirroring
-traffic may also be referred to as SPAN or RSPAN, depending on the
-mechanism used for delivery.
-.PP
-Up to 32 instances of port mirroring may be configured on a given
-bridge. Each must be given a name that is unique within the bridge.
-The keys associated with port mirroring instance \fIpmname\fR for
-bridge \fIbrname\fR begin with \fBmirror.\fIbrname\fB.\fIpmname\fR.
-.PP
-The selection of the frames to mirror and the form in which they
-should be output is configured separately for each port mirroring
-instances, through a subsection of
-\fBmirror.\fIbrname\fB.\fIpmname\fR, named \fBselect\fR, and
-\fBoutput\fR, respectively.
-.ST "Selecting Frames to Mirror"
-The values for the following keys, if specified, limit the frames that
-are chosen for mirroring. If none of these keys is specified, then
-all frames received by the bridge are mirrored. If more than one of
-these keys is specified, then a frame must meet all specified criteria
-to be mirrored.
-.TP
-\fBmirror.\fIbrname\fB.\fIpmname\fB.select.src-port=\fIport\fR
-.TQ
-\fBmirror.\fIbrname\fB.\fIpmname\fB.select.dst-port=\fIport\fR
-.TQ
-\fBmirror.\fIbrname\fB.\fIpmname\fB.select.port=\fIport\fR
-Frame received on \fIport\fR, output to \fIport\fR, or either received
-on or output to \fIport\fR, respectively. \fIport\fR must be part of
-the bridge \fIbrname\fR; that is, it must be listed on
-\fBbridge.\fIbrname\fB.port\fR.
-.TP
-\fBmirror.\fIbrname\fB.\fIpmname\fB.select.vlan=\fIvid\fR
-.
-\fIvid\fR must be an integer between 0 and 4095, inclusive. A nonzero
-\fIvid\fR selects frames that belong to VLAN \fIvid\fR, that is,
-frames that arrived on a trunk port tagged with VLAN \fIvid\fR or on a
-port that is configured as part of VLAN \fIvid\fR (see \fB802.1Q VLAN
-tagging\fR, above). A \fIvid\fR of zero selects frames that do not
-belong to a VLAN, that is, frames that arrived on a trunk port without
-a VLAN tag or tagged with VLAN 0.
-.ST "Mirror Output"
-The values of the following keys determine how frames selected for
-mirroring are output. Only one of the keys may be specified.
-.TP
-\fBmirror.\fIbrname\fB.\fIpmname\fB.output.port=\fIport\fR
-.
-Causes the selected frames to be sent out \fIport\fR, which must be
-part of the bridge \fIbrname\fR; that is, it must be listed on
-\fBbridge.\fIbrname\fB.port\fR.
-.IP
-Specifying a \fIport\fR in this way reserves that port exclusively for
-mirroring. No frames other than those selected for mirroring will be
-forwarded to \fIport\fR, and any frames received on \fIport\fR will be
-discarded. This type of mirroring may be referred to as SPAN.
-.TP
-\fBmirror.\fIbrname\fB.\fIpmname\fB.output.vlan=\fIvid\fR
-.
-Causes the selected frames to be sent on the VLAN numbered \fIvid\fR,
-which must be an integer between 0 and 4095, inclusive. The frames
-will be sent out all ports that trunk VLAN \fIvid\fR, as well as any
-ports with implicit VLAN \fIvid\fR. When a mirrored frame is sent out
-a trunk port, the frame's VLAN tag will be set to \fIvid\fR, replacing
-any existing tag; when it is sent out an implicit VLAN port, the frame
-will not be tagged. This type of mirroring may be referred to as
-RSPAN.
-.ST "Example"
-The following \fBvswitchd\fR configuration copies all frames received
-on \fBeth1\fR or \fBeth2\fR to \fBeth3\fR.
-.PP
-.RS
-.nf
-
-bridge.mybr.port=eth1
-bridge.mybr.port=eth2
-bridge.mybr.port=eth3
-
-mirror.mybr.a.select.src-port=eth1
-mirror.mybr.a.select.src-port=eth2
-mirror.mybr.a.output.port=eth3
-
-.fi
-.RE
-.SS "Port Rate-Limiting"
-Traffic policing and shaping are configured on physical ports. Policing
-defines a hard limit at which traffic that exceeds the specified rate is
-dropped. Shaping uses queues to delay packets so that egress traffic
-leaves at the specified rate.
-
-.ST "Ingress Policing"
-The rate at which traffic is allowed to enter through a particular
-physical port can be configured with ingress policing. The rate is
-specified in kilobits (1000 bits) per second with a maximum burst size
-specified in kilobits (1000 bits). The burst size should be at least
-the size of the port's MTU.
-
-A port may be configured to enforce ingress policing by defining the
-key \fBport.\fIname\fB.ingress.policing-rate\fR with an integer
-indicating the rate. The port \fIname\fR will only allow traffic to be
-received at the rate specified in kilobits per second. If the rate is zero
-or the key is not defined, then ingress policing is disabled.
-
-If ingress policing is enabled, then the burst rate may be set by defining
-the key \fBport.\fIname\fB.ingress.policing-burst\fR with an integer
-indicating the burst rate in kilobits. If the key is not supplied or is
-zero, then the default burst is 10 kilobits.
-
-.PP
-The following syntax limits port \fBeth1\fR to receiving traffic at
-\fB512\fR kilobits per second with a burst of \fB20\fR kilobits:
-.PP
-.RS
-.nf
-
-port.eth1.ingress.policing-rate=512
-port.eth1.ingress.policing-burst=20
-
-.fi
-.SS "NetFlow v5 Flow Logging"
-NetFlow is a protocol that exports a number of details about terminating
-IP flows, such as the principals involved and duration. A bridge may be
-configured to send NetFlow v5 records to NetFlow collectors when flows
-end. To enable, define the key \fBnetflow.\fIbridge\fB.host\fR for each
-collector in the form \fIhost\fB:\fIport\fR. Records from \fIbridge\fR
-will be sent to each \fIhost\fR on UDP \fIport\fR.
-
-The NetFlow messages will use the datapath index for the engine type and id.
-This can be overridden with the \fBnetflow.\fIbridge\fB.engine-type\fR and
-\fBnetflow.\fIbridge\fB.engine-id\fR, respectively. Each takes a value
-between 0 and 255, inclusive.
-
-Many NetFlow collectors do not expect multiple virtual switches to be
-sending messages from the same host, and they do not store the engine
-information which could be used to disambiguate the traffic. To prevent
-flows from multiple switches appearing as if they came on the interface,
-add \fBnetflow.\fIbridge\fB.add-id-to-iface=true\fR to the configuration
-file. This will place the least significant 7 bits of the engine id
-into the most significant bits of the ingress and egress interface fields
-of flow records. By default, this behavior is disabled.
-
-The following syntax sends NetFlow records for \fBmybr\fR to the NetFlow
-collector \fBnflow.example.com\fR on UDP port \fB9995\fR:
-.PP
-.RS
-.nf
-
-netflow.mybr.host=nflow.example.com:9995
-
-.fi
-.RE
-.SS "Remote Management"
-A \fBvswitchd\fR instance may be remotely managed by a controller that
-supports the OpenFlow Management Protocol, such as NOX. This
-functionality is enabled by setting the key \fBmgmt.controller\fR to one
-of the following values:
-.
-.TP
-\fBssl:\fIhost\fR[\fB:\fIport\fR]
-The specified SSL \fIport\fR (default: 6633) on the given remote
-\fIhost\fR. SSL must be configured when this form is used (see \fBSSL
-Configuration\fR, below).
-.
-.TP
-\fBtcp:\fIhost\fR[\fB:\fIport\fR]
-The specified TCP \fIport\fR (default: 6633) on the given remote
-\fIhost\fR.
-.PP
-The maximum time between attempts to connect to the controller may be
-specified in integral seconds with the \fBmgmt.max-backoff\fR key. The
-default maximum backoff is 15 seconds, and the minimum value is 1
-second.
-
-An inactivity probe may be configured with the \fBmgmt.inactivity-probe\fR
-key. If \fBvswitchd\fR does not communicate with the controller for the
-specified number of seconds, it will send a probe. If a response is not
-received for an additional amount of that time, \fBvswitchd\fR assumes
-the connection has been broken and attempts to reconnect. The default
-is 15 seconds, and the minimum value is 5 seconds.
-
-A management id may be specified with the \fBmgmt.id\fR key. It takes
-an id in the form of exactly 12 hexadecimal digits. If one is not
-specified, a random id is generated each time \fBvswitchd\fR is started.
-.fi
-.RE
-.SS "OpenFlow Controller Connectivity"
-\fBvswitchd\fR can perform all configured bridging and switching
-locally, or it can be configured to connect a given bridge to an
-external OpenFlow controller, such as NOX. Its behavior depends on
-the \fBbridge.\fIname\fB.controller\fR setting:
-.
-.TP
-\fI\[la]unset\[ra]\fR
-When the key is not set, the behavior depends on whether remote
-management is configured. If management is configured, then the switch
-will connect to the controller specified on \fBmgmt.controller\fR. If
-management is not configured, the switch will perform all configured
-bridging and switching locally.
-.
-.TP
-\fI\[la]empty\[ra]\fR
-Setting an empty string value disables controller connectivity. The
-switch will perform all configured bridging and switching locally.
-.
-.TP
-\fBdiscover\fR
-Use controller discovery to find the local OpenFlow controller.
-Refer to \fBsecchan\fR(8) for information on how to configure a DHCP
-server to support controller discovery. The following additional
-options control the discovery process:
-.
-.RS
-.TP
-\fBbridge.\fIname\fB.controller.accept-regex=\fIregex\fR
-A POSIX extended regular expression against which the discovered
-controller location is validated. Only controllers whose names match
-the regular expression will be accepted.
-.IP
-The default regular expression is \fBssl:.*\fR, meaning that only SSL
-controller connections will be accepted, when SSL is configured (see
-\fBSSL Configuration\fR), and \fB.*\fR otherwise, meaning that any
-controller will be accepted.
-.IP
-The regular expression is implicitly anchored at the beginning of the
-controller location string, as if it begins with \fB^\fR.
-.TP
-\fBbridge.\fIname\fB.controller.update-resolv.conf=\fBtrue\fR|\fBfalse\fR
-By default, or if this is set to \fBtrue\fR, \fBvswitchd\fR overwrites
-the system's \fB/etc/resolv.conf\fR with domain information and DNS
-servers obtained via DHCP. If this setting is \fBfalse\fR,
-\fBvswitchd\fR will not modify \fB/etc/resolv.conf\fR.
-.IP
-\fBvswitchd\fR will only modify \fBresolv.conf\fR if the DHCP response
-that it receives specifies one or more DNS servers.
-.RE
-.
-.TP
-\fBssl:\fIhost\fR[\fB:\fIport\fR]
-The specified SSL \fIport\fR (default: 6633) on the given remote
-\fIhost\fR. SSL must be configured when this form is used (see \fBSSL
-Configuration\fR, below).
-.
-.TP
-\fBtcp:\fIhost\fR[\fB:\fIport\fR]
-The specified TCP \fIport\fR (default: 6633) on the given remote
-\fIhost\fR.
-.
-.TP
-\fBunix:\fIfile\fR
-The Unix domain server socket named \fIfile\fR.
-.PP
-The datapath ID used by the bridge to identify itself to the remote
-controller may be specified as \fBbridge.\fIname\fB.datapath-id\fR,
-in the form of exactly 12 hexadecimal digits. If the datapath ID
-is not specified, then it defaults to the bridge's MAC address (see
-\fBBridge Configuration\fR, above, for information on how the bridge's
-MAC address is chosen).
-.ST "Local Port Network Configuration"
-When an external controller is configured, but controller discovery is
-not in use, the following additional settings are honored:
-.TP
-\fBbridge.\fIname\fB.controller.in-band=\fBtrue\fR|\fBfalse\fR
-By default, or if this is set to \fBtrue\fR, \fBvswitchd\fR connects
-to the controller in-band. If this is set to \fBfalse\fR,
-\fBvswitchd\fR connects to the controller out-of-band. Refer to
-\fBsecchan\fR(8) for a description of in-band and out-of-band control.
-.IP "\fBbridge.\fIname\fB.controller.ip=\fIip\fR"
-If specified, the IP address to configure on the bridge's local port.
-.IP "\fBbridge.\fIname\fB.controller.netmask=\fInetmask\fR"
-When an IP is specified, the corresponding netmask. The default is
-255.255.255.0 for a Class C IP address, 255.255.0.0 for Class B, and
-255.0.0.0 for Class A.
-.IP "\fBbridge.\fIname\fB.controller.gateway=\fIip\fR"
-When an IP is specified, the corresponding IP gateway. There is no
-default gateway.
-.ST "Controller Failure Settings"
-The following additional settings take effect when any remote
-controller is configured:
-.IP "\fBbridge.\fIname\fB.controller.inactivity-probe=\fIsecs\fR"
-This optional setting may be set to \fIsecs\fR, a number of seconds.
-The minimum value of \fIsecs\fR is 5 seconds. The default is taken
-from \fBmgmt.inactivity-probe\fR (see above).
-.IP
-When the virtual switch is connected to the controller, it waits for a
-message to be received from the controller for \fIsecs\fR seconds
-before it sends a inactivity probe to the controller. After sending
-the inactivity probe, if no response is received for an additional
-\fIsecs\fR seconds, the secure channel assumes that the connection has
-been broken and attempts to reconnect.
-.IP
-Changing the inactivity probe interval also changes the interval
-before entering standalone mode (see below).
-.IP "\fBbridge.\fIname\fB.controller.fail-mode=\fBstandalone\fR|\fBsecure\fR"
-.IQ "\fBmgmt.fail-mode=standalone\fR|\fBsecure\fR"
-When a controller is configured, it is, ordinarily, responsible for
-setting up all flows on the virtual switch. Thus, if the connection to
-the controller fails, no new network connections can be set up. If
-the connection to the controller stays down long enough, no packets
-can pass through the switch at all.
-.IP
-The first of these that is set takes effect.
-If the value is \fBstandalone\fR, \fBvswitchd\fR will take over
-responsibility for setting up
-flows when no message has been received from the controller for three
-times the inactivity probe interval (see above). In this mode,
-\fBvswitchd\fR causes the datapath to act like an ordinary
-MAC-learning switch. \fBvswitchd\fR will continue to retry connecting
-to the controller in the background and, when the connection succeeds,
-it discontinues its standalone behavior.
-.IP
-If this option is set to \fBsecure\fR, or if neither of these settings
-is set, \fBvswitchd\fR will not set up flows on its own when the
-controller connection fails.
-.IP "\fBbridge.\fIname\fB.controller.max-backoff=\fIsecs\fR"
-Sets the maximum time between attempts to connect to the controller to
-\fIsecs\fR, which must be at least 1. The actual interval between
-connection attempts starts at 1 second and doubles on each failing
-attempt until it reaches the maximum. The default maximum backoff
-time is taken from \fBmgmt.max-backoff\fR.
-.ST "Controller Rate-Limiting"
-These settings configure how the virtual switch applies a ``token
-bucket'' to limit the rate at which packets in unknown flows are
-forwarded to the OpenFlow controller for flow-setup processing. This
-feature prevents a single bridge from overwhelming a controller.
-.IP "\fBbridge.\fIname\fB.controller.rate-limit=\fIrate\fR"
-.IQ "\fBmgmt.rate-limit=\fIrate\fR"
-Limits the maximum rate at which packets will be forwarded to the
-OpenFlow controller to \fIrate\fR packets per second. A rate specified
-explicitly for \fIname\fR overrides a value configured using the
-\fBmgmt.rate-limit\fR key.
-.IP
-If neither one of these settings is set, then the bridge does not
-limit the rate at which packets are forwarded to the controller.
-.IP "\fBbridge.\fIname\fB.controller.burst-limit=\fIburst\fR"
-.IQ "\fBmgmt.burst-limit=\fIburst\fR"
-Sets the maximum number of unused packet credits that the bridge will
-allow to accumulate during the time in which no packets are being
-forwarded to the OpenFlow controller to \fIburst\fR (measured in
-packets). The default \fIburst\fR is one-quarter of the \fIrate\fR
-specified in the rate-limit setting.
-.IP
-A burst specified explicitly for \fIname\fR overrides a value configured
-using the \fBmgmt.burst-limit\fR key. This option takes effect only
-when a rate-limit is specified.
-.ST "Remote Command Execution Settings"
-These settings configure the commands that remote OpenFlow connections
-are allowed to invoke using (e.g.) \fBovs\-ofctl execute\fR. To be
-permitted, a command name must be whitelisted and must not be
-blacklisted. When the whitelist and blacklist permit a command name,
-\fBvswitchd\fR looks for a program with the same name as the command
-in the commands directory (see below). Other directories are not
-searched.
-.IP "\fBbridge.\fIname\fB.controller.commands.acl=\fIglob\fR"
-Whitelists commands whose names match shell glob pattern \fIglob\fR,
-allowing those commands to be invoked by the remote controller.
-.IP
-By default, no commands are whitelisted, so this setting is mandatory
-if any remote command execution is to be allowed.
-.IP "\fBbridge.\fIname\fB.controller.commands.acl=\fB!\fR\fIglob\fR"
-Blacklists commands whose names match shell glob pattern \fIglob\fR,
-prohibiting those commands from being invoked by the remote
-controller. Command names that include characters other than upper-
-and lower-case English letters, digits, and the underscore and hyphen
-characters are blacklisted unconditionally.
-.IP "\fBbridge.\fIname\fB.controller.commands.dir=\fIdirectory\fR"
-Sets the directory searched for remote command execution to
-\fIdirectory\fR. The default directory is
-\fB@pkgdatadir@/commands\fR.
-.SS "SSL Configuration"
-When \fBvswitchd\fR is configured to connect over SSL for management or
-for controller connectivity, the following settings are required:
-.TP
-\fBssl.private-key=\fIprivkey.pem\fR
-Specifies a PEM file containing the private key used as the virtual
-switch's identity for SSL connections to the controller.
-.TP
-\fBssl.certificate=\fIcert.pem\fR
-Specifies a PEM file containing a certificate, signed by the
-certificate authority (CA) used by the controller and manager, that
-certifies the virtual switch's private key, identifying a trustworthy
-switch.
-.TP
-\fBssl.ca-cert=\fIcacert.pem\fR
-Specifies a PEM file containing the CA certificate used to verify that
-the virtual switch is connected to a trustworthy controller.
-.PP
-These files are read only once, at \fBvswitchd\fR startup time. If
-their contents change, \fBvswitchd\fR must be killed and restarted.
-.PP
-These SSL settings apply to all SSL connections made by the virtual
-switch.
-.ST "CA Certificate Bootstrap"
-Ordinarily, all of the files named in the SSL configuration must exist
-when \fBvswitchd\fR starts. However, if \fBssl.bootstrap-ca-cert\fR
-is set to \fBtrue\fR, then \fBvswitchd\fR will attempt to obtain the
-CA certificate from the controller on its first SSL connection and
-save it to the named PEM file. If it is successful, it will
-immediately drop the connection and reconnect, and from then on all
-SSL connections must be authenticated by a certificate signed by the
-CA certificate thus obtained.
-.PP
-\fBThis option exposes the SSL connection to a man-in-the-middle
-attack obtaining the initial CA certificate\fR, but it may be useful
-for bootstrapping.
-.PP
-This option is only useful if the controller sends its CA certificate
-as part of the SSL certificate chain. The SSL protocol does not
-require the controller to send the CA certificate, but
-\fBcontroller\fR(8) can be configured to do so with the
-\fB--peer-ca-cert\fR option.
-.SS "OpenFlow Management Connections"
-By default, each bridge \fIname\fR listens for OpenFlow management
-connections on a Unix domain socket named
-\fB@RUNDIR@/\fIname\fB.mgmt\fR. This socket can be used to perform
-local OpenFlow monitoring and administration, e.g., \fBovs\-ofctl dump-flows
-unix:@RUNDIR@/\fIname\fB.mgmt\fR to display the flows currently set up
-in bridge \fIname\fR.
-.PP
-If \fBbridge.\fIname\fB.openflow.listeners\fR is set to one or more
-values, \fBvswitchd\fR instead listens on the specified connection
-methods. Acceptable connection methods include:
-.RS
-.IP "\fBpunix:\fIfile\fR"
-Listens for connections on the Unix domain server socket named \fIfile\fR.
-.IP "\fBpssl:\fR[\fIport\fR]"
-Listens for SSL connections on \fIport\fR (default: 6633). SSL must
-be configured when this form is used (see \fBSSL Configuration\fR,
-above).
-.IP "\fBptcp:\fR[\fIport\fR]"
-Listens for TCP connections on \fIport\fR (default: 6633).
-.RE
-To entirely disable listening for management connections, set
-\fBbridge.\fIname\fB.openflow.listeners\fR to the single value
-\fBnone\fR.
-
-.SS "OpenFlow Controller Connection Snooping"
-By default, each bridge \fIname\fR listens for OpenFlow controller
-connection snooping connections on a Unix domain socket named
-\fB@RUNDIR@/\fIname\fB.snoop\fR. A client that connects to this
-socket, e.g., \fBovs\-ofctl monitor unix:@RUNDIR@/\fIname\fB.snoop\fR, will
-receive a copy of every OpenFlow message sent by the switch to the
-controller, or vice versa, on the primary OpenFlow controller
-connection.
-.PP
-If \fBbridge.\fIname\fB.openflow.snoops\fR is set to one or more
-values, \fBvswitchd\fR instead listens on the specified connection
-methods. The acceptable connection methods are the same as for
-OpenFlow management connections (see above).
-.PP
-To entirely disable controller connection snooping, set
-\fBbridge.\fIname\fB.openflow.snoops\fR to the single value
-\fBnone\fR.
-.SH "SEE ALSO"
-.BR vswitchd (8),
-.BR ovs\-brcompatd (8),
-.BR ovs\-cfg\-mod (8).
+++ /dev/null
-/* Copyright (c) 2009 Nicira Networks
- *
- * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program. If not, see <http://www.gnu.org/licenses/>.
- *
- * In addition, as a special exception, Nicira Networks gives permission
- * to link the code of its release of vswitchd with the OpenSSL project's
- * "OpenSSL" library (or with modified versions of it that use the same
- * license as the "OpenSSL" library), and distribute the linked
- * executables. You must obey the GNU General Public License in all
- * respects for all of the code used other than "OpenSSL". If you modify
- * this file, you may extend this exception to your version of the file,
- * but you are not obligated to do so. If you do not wish to do so,
- * delete this exception statement from your version.
- */
-
-#ifndef VSWITCHD_H
-#define VSWITCHD_H 1
-
-void reconfigure(void);
-
-#endif /* vswitchd.h */
etc_logrotate.d_vswitch
- Ensures that /var/log/vswitchd.log is rotated periodically and
- that vswitch reopens its log file at that point.
+ Ensures that /var/log/ovs-vswitchd.log is rotated periodically
+ and that ovs-vswitchd reopens its log file at that point.
etc_profile.d_vswitch.sh
etc_xapi.d_plugins_vswitch-cfg-update
xapi plugin script to update the cache of configuration items
- in the vswitchd configuration file that are managed in the
+ in the ovs-vswitchd configuration file that are managed in the
xapi database when integrated with Citrix management tools.
etc_xensource_scripts_vif
FORCE_COREFILES="${FORCE_COREFILES:-n}"
COREFILE_PATTERN="${COREFILE_PATTERN:-/var/log/%e-%t}"
-# Config variables specific to vswitchd
-VSWITCHD_CONF="${VSWITCHD_CONF:-/etc/vswitchd.conf}"
-VSWITCHD_PIDFILE="${VSWITCHD_PIDFILE:-/var/run/vswitchd.pid}"
+# Config variables specific to ovs-vswitchd
+VSWITCHD_CONF="${VSWITCHD_CONF:-/etc/ovs-vswitchd.conf}"
+VSWITCHD_PIDFILE="${VSWITCHD_PIDFILE:-/var/run/ovs-vswitchd.pid}"
VSWITCHD_PRIORITY="${VSWITCHD_PRIORITY:--5}"
-VSWITCHD_LOGFILE="${VSWITCHD_LOGFILE:-/var/log/vswitchd.log}"
+VSWITCHD_LOGFILE="${VSWITCHD_LOGFILE:-/var/log/ovs-vswitchd.log}"
VSWITCHD_FILE_LOGLEVEL="${VSWITCHD_FILE_LOGLEVEL:-}"
VSWITCHD_SYSLOG_LOGLEVEL="${VSWITCHD_SYSLOG_LOGLEVEL:-WARN}"
VSWITCHD_MEMLEAK_LOGFILE="${VSWITCHD_MEMLEAK_LOGFILE:-}"
# Config variables specific to ovs-brcompatd
BRCOMPATD_PIDFILE="${BRCOMPATD_PIDFILE:-/var/run/ovs-brcompatd.pid}"
BRCOMPATD_PRIORITY="${BRCOMPATD_PRIORITY:--5}"
-BRCOMPATD_LOGFILE="${BRCOMPATD_LOGFILE:-/var/log/brcompatd.log}"
+BRCOMPATD_LOGFILE="${BRCOMPATD_LOGFILE:-/var/log/ovs-brcompatd.log}"
BRCOMPATD_FILE_LOGLEVEL="${BRCOMPATD_FILE_LOGLEVEL:-}"
BRCOMPATD_SYSLOG_LOGLEVEL="${BRCOMPATD_SYSLOG_LOGLEVEL:-WARN}"
BRCOMPATD_MEMLEAK_LOGFILE="${BRCOMPATD_MEMLEAK_LOGFILE:-}"
# Full paths to executables & modules
-vswitchd="$VSWITCH_BASE/sbin/vswitchd"
+vswitchd="$VSWITCH_BASE/sbin/ovs-vswitchd"
brcompatd="$VSWITCH_BASE/sbin/ovs-brcompatd"
dpctl="$VSWITCH_BASE/bin/ovs-dpctl"
appctl="$VSWITCH_BASE/bin/ovs-appctl"
function reload_vswitchd {
if [ -f "$VSWITCHD_PIDFILE" ]; then
"$appctl" \
- --target=vswitchd.$(cat "$VSWITCHD_PIDFILE").ctl \
+ --target=ovs-vswitchd.$(cat "$VSWITCHD_PIDFILE").ctl \
--execute=vswitchd/reload
fi
}
fi
if [ "$daemonize" != "y" ]; then
# Start in background and force a "success" message
- action "Starting vswitchd ($strace_opt$valgrind_opt)" true
+ action "Starting ovs-vswitchd ($strace_opt$valgrind_opt)" true
(nice -n "$VSWITCHD_PRIORITY" $strace_opt $valgrind_opt "$vswitchd" -P"$VSWITCHD_PIDFILE" -D $fake_proc_net_opt -vANY:CONSOLE:EMER $syslog_opt $logfile_level_opt $logfile_file_opt $leak_opt "$VSWITCHD_CONF") &
else
- action "Starting vswitchd" nice -n "$VSWITCHD_PRIORITY" "$vswitchd" -P"$VSWITCHD_PIDFILE" -D $fake_proc_net_opt -vANY:CONSOLE:EMER $syslog_opt $logfile_level_opt $logfile_file_opt $leak_opt "$VSWITCHD_CONF"
+ action "Starting ovs-vswitchd" nice -n "$VSWITCHD_PRIORITY" "$vswitchd" -P"$VSWITCHD_PIDFILE" -D $fake_proc_net_opt -vANY:CONSOLE:EMER $syslog_opt $logfile_level_opt $logfile_file_opt $leak_opt "$VSWITCHD_CONF"
fi
}
valgrind_opt="valgrind --log-file=$BRCOMPATD_VALGRIND_LOG $BRCOMPATD_VALGRIND_OPT"
daemonize="n"
fi
- reload_cmd='/root/vswitch/bin/ovs-appctl -t /var/run/vswitchd.`cat /var/run/vswitchd.pid`.ctl -e vswitchd/reload 2>&1 | /usr/bin/logger -t brcompatd-reload'
+ reload_cmd='/root/vswitch/bin/ovs-appctl -t /var/run/ovs-vswitchd.`cat /var/run/ovs-vswitchd.pid`.ctl -e vswitchd/reload 2>&1 | /usr/bin/logger -t brcompatd-reload'
if [ "$daemonize" != "y" ]; then
# Start in background and force a "success" message
action "Starting ovs-brcompatd ($strace_opt$valgrind_opt)" true
function stop_vswitchd {
if [ -f "$VSWITCHD_PIDFILE" ]; then
local pid=$(cat "$VSWITCHD_PIDFILE")
- action "Killing vswitchd ($pid)" kill -TERM $pid
+ action "Killing ovs-vswitchd ($pid)" kill -TERM $pid
rm -f "$VSWITCHD_PIDFILE"
fi
}
insert_modules_if_required
start_vswitchd
start_brcompatd
- reload_vswitchd # ensures vswitchd has fully read config file.
+ reload_vswitchd # ensures ovs-vswitchd has fully read config file.
#allow_xen_mgmt_traffic # Seems to work okay without...
}
restart_unload
;;
status)
- status -p vswitchd.pid vswitchd
- status -p brcompatd.pid ovs-brcompatd
+ status -p ovs-vswitchd.pid ovs-vswitchd
+ status -p ovs-brcompatd.pid ovs-brcompatd
;;
version)
- "$VSWITCH_BASE"/sbin/vswitchd -V
+ "$VSWITCH_BASE"/sbin/ovs-vswitchd -V
"$VSWITCH_BASE"/sbin/ovs-brcompatd -V
;;
help)
test -e /etc/sysconfig/vswitch && . /etc/sysconfig/vswitch
VSWITCH_BASE="${VSWITCH_BASE:-/root/vswitch}"
-VSWITCHD_CONF="${VSWITCHD_CONF:-/etc/vswitchd.conf}"
-VSWITCHD_PIDFILE="${VSWITCHD_PIDFILE:-/var/run/vswitchd.pid}"
+VSWITCHD_CONF="${VSWITCHD_CONF:-/etc/ovs-vswitchd.conf}"
+VSWITCHD_PIDFILE="${VSWITCHD_PIDFILE:-/var/run/ovs-vswitchd.pid}"
VSWITCHD_PRIORITY="${VSWITCHD_PRIORITY:--5}"
-VSWITCHD_LOGFILE="${VSWITCHD_LOGFILE:-/var/log/vswitchd.log}"
+VSWITCHD_LOGFILE="${VSWITCHD_LOGFILE:-/var/log/ovs-vswitchd.log}"
VSWITCHD_FILE_LOGLEVEL="${VSWITCHD_FILE_LOGLEVEL:-}"
VSWITCHD_SYSLOG_LOGLEVEL="${VSWITCHD_SYSLOG_LOGLEVEL:-WARN}"
VSWITCHD_MEMLEAK_LOGFILE="${VSWITCHD_MEMLEAK_LOGFILE:-}"
# notice and this notice are preserved. This file is offered as-is,
# without warranty of any kind.
-/var/log/vswitchd.log {
+/var/log/ovs-vswitchd.log {
sharedscripts
postrotate
# Send sighup to vswitch which will cause it to reopen its log files.
alias vswitch='service vswitch'
function watchconf {
- watch cat /etc/vswitchd.conf
+ watch cat /etc/ovs-vswitchd.conf
}
function watchdp {
done
grep="$grep'"
fi
- cmd="tail -F /var/log/messages /var/log/vswitchd.log /var/log/xensource.log $grep | tee /var/log/monitorlogs.out"
+ cmd="tail -F /var/log/messages /var/log/ovs-vswitchd.log /var/log/xensource.log $grep | tee /var/log/monitorlogs.out"
printf "cmd: $cmd\n"
eval "$cmd"
}
# ENABLE_FAKE_PROC_NET: If 'y' then emulate linux bonding and vlan
# files in /proc as if the bonding and vlan demultiplexing done in
-# vswitchd were being implemented using existing Linux mechanisms.
+# ovs-vswitchd were being implemented using existing Linux mechanisms.
# This is useful in some cases when replacing existing solutions.
# ENABLE_FAKE_PROC_NET=y
# See the manpage for "core".
# COREFILE_PATTERN="/var/log/%e-%t"
-# VSWITCHD_CONF: File in which vswitchd stores its configuration.
-# VSWITCHD_CONF=/etc/vswitchd.conf
+# VSWITCHD_CONF: File in which ovs-vswitchd stores its configuration.
+# VSWITCHD_CONF=/etc/ovs-vswitchd.conf
# VSWITCHD_PIDFILE: File in which to store the pid of the running
-# vswitchd.
-# VSWITCHD_PIDFILE=/var/run/vswitchd.pid
+# ovs-vswitchd.
+# VSWITCHD_PIDFILE=/var/run/ovs-vswitchd.pid
-# VSWITCHD_PRIORITY: "nice" priority at which to run vswitchd and related
+# VSWITCHD_PRIORITY: "nice" priority at which to run ovs-vswitchd and related
# processes.
# VSWITCHD_PRIORITY=-5
# VSWITCHD_LOGFILE: File to send the FILE_LOGLEVEL log messages to.
-# VSWITCHD_LOGFILE=/var/log/vswitchd.log
+# VSWITCHD_LOGFILE=/var/log/ovs-vswitchd.log
# VSWITCHD_FILE_LOGLEVEL: Log level at which to log into the
# VSWITCHD_LOG file. If this is null or not set the logfile will
# VSWITCHD_SYSLOG_LOGLEVEL="WARN"
# BRCOMPATD_PIDFILE: File in which to store the pid of the running
-# ovs-brcompatd (the Linux bridge compatibility daemon for vswitchd).
+# ovs-brcompatd (the Linux bridge compatibility daemon for ovs-vswitchd).
# If this is the empty string, ovs-brcompatd will not be started and
# the brcompat_mod kernel module will not be inserted. Note that
# the default is to use brcompat!
# BRCOMPATD_PIDFILE=/var/run/ovs-brcompatd.pid
-# BRCOMPATD_PRIORITY: "nice" priority at which to run vswitchd and related
+# BRCOMPATD_PRIORITY: "nice" priority at which to run ovs-vswitchd and related
# processes.
# BRCOMPATD_PRIORITY=-5
#!/usr/bin/env python
#
# xapi plugin script to update the cache of configuration items in the
-# vswitchd configuration file that are managed in the xapi database
+# ovs-vswitchd configuration file that are managed in the xapi database
# when integrated with Citrix management tools.
# Copyright (C) 2009 Nicira Networks, Inc.
import subprocess
cfg_mod="/root/vswitch/bin/ovs-cfg-mod"
-vswitchd_cfg_filename="/etc/vswitchd.conf"
+vswitchd_cfg_filename="/etc/ovs-vswitchd.conf"
def update(session, args):
pools = session.xenapi.pool.get_all()
"--del-match", "ssl.certificate=*",
"-a", "mgmt.controller=ssl:" + controller,
"-a", "ssl.bootstrap-ca-cert=true",
- "-a", "ssl.ca-cert=/etc/vswitchd.cacert",
+ "-a", "ssl.ca-cert=/etc/ovs-vswitchd.cacert",
"-a", "ssl.private-key=/etc/xensource/xapi-ssl.pem",
"-a", "ssl.certificate=/etc/xensource/xapi-ssl.pem"])
${IP} link set "${vif}" address "${address}" || logger -t scripts-vif "Failed to ip link set ${vif} address ${address}"
${IP} addr flush "${vif}" || logger -t scripts-vif "Failed to ip addr flush ${vif}"
- $cfg_mod -F /etc/vswitchd.conf \
+ $cfg_mod -F /etc/ovs-vswitchd.conf \
--del-match="bridge.*.port=$vif" \
--del-match="vlan.$vif.[!0-9]*" \
--add="bridge.$bridge.port=$vif" \
xenstore-rm "${HOTPLUG}/hotplug"
vif=vif${DOMID}.${DEVID}
logger -t scripts-vif "${vif} has been removed"
- $cfg_mod -vANY:console:emer -F /etc/vswitchd.conf \
+ $cfg_mod -vANY:console:emer -F /etc/ovs-vswitchd.conf \
--del-match="bridge.*.port=${vif}" \
--del-match="vlan.${vif}.[!0-9]*" -c
;;
# XXX: Sometimes this leaves "orphaned" datapaths, e.g. a datapath whose
# only port is the local port. Should delete those.
-# XXX: This can leave crud in vswitchd.conf in this scenario:
+# XXX: This can leave crud in ovs-vswitchd.conf in this scenario:
# - Create bond in XenCenter.
# - Create VLAN on bond in XenCenter.
# - Attempt to delete bond in XenCenter (this will fail because there
# - Delete VLAN in XenCenter.
# - Delete bond in XenCenter.
# At this point there will still be some configuration data for the bond
-# or the VLAN in vswitchd.conf.
+# or the VLAN in ovs-vswitchd.conf.
import XenAPI
import os, sys, getopt, time, signal
def modify_config(commands):
run_command(['/root/vswitch/bin/ovs-cfg-mod', '-vANY:console:emer',
- '-F', '/etc/vswitchd.conf']
+ '-F', '/etc/ovs-vswitchd.conf']
+ commands + ['-c'])
run_command(['/sbin/service', 'vswitch', 'reload'])
# implicitly being asked to take them down.)
del_ports = add_ports + physdevs + get_bond_masters_of_pif(pif)
- # Now modify the vswitchd config file.
+ # Now modify the ovs-vswitchd config file.
argv = []
for port in set(del_ports):
argv += interface_deconfigure_commands(port)
import subprocess
cfg_mod="/root/vswitch/bin/ovs-cfg-mod"
-vswitchd_cfg_filename="/etc/vswitchd.conf"
+vswitchd_cfg_filename="/etc/ovs-vswitchd.conf"
if __name__ == "__main__":
raise Exception("This script is a plugin for xsconsole and cannot run independently")
lambda: self.deleteController()),
ChoiceDef(Lang("Resync server controller config"),
lambda: self.syncController()),
-# ChoiceDef(Lang("Restart vswitchd"),
+# ChoiceDef(Lang("Restart ovs-vswitchd"),
# lambda: self.restartService("vswitch")),
# ChoiceDef(Lang("Restart ovs-brcompatd"),
# lambda: self.restartService("vswitch-brcompatd"))
inPane.AddStatusField(Lang("Controller (in-use)", 20), controller)
inPane.NewLine()
- inPane.AddStatusField(Lang("vswitchd status", 20),
- VSwitchService.Inst("vswitch", "vswitchd").status())
+ inPane.AddStatusField(Lang("ovs-vswitchd status", 20),
+ VSwitchService.Inst("vswitch", "ovs-vswitchd").status())
inPane.AddStatusField(Lang("ovs-brcompatd status", 20),
VSwitchService.Inst("vswitch", "ovs-brcompatd").status())
xe host-param-set \
"other-config:vSwitchVersion=%{version}" uuid="$INSTALLATION_UUID"
-# Ensure vswitchd.conf exists
-touch /etc/vswitchd.conf
+# Ensure ovs-vswitchd.conf exists
+touch /etc/ovs-vswitchd.conf
# Replace original XenServer files
mkdir -p %{_prefix}/xs-original \
|| printf "Could not remove vSwitch install directory.\n"
# Remove all configuration and log files
- rm -f /etc/vswitchd.conf
+ rm -f /etc/ovs-vswitchd.conf
rm -f /etc/sysconfig/vswitch
rm -f /var/log/vswitch*
- rm -f /etc/vswitchd.cacert
+ rm -f /etc/ovs-vswitchd.cacert
if [ ! -f /etc/xensource-inventory ]; then
printf "XenSource inventory not present in /etc/xensource-inventory\n"
/root/vswitch/scripts/XSFeatureVSwitch.pyc
/root/vswitch/scripts/XSFeatureVSwitch.pyo
/root/vswitch/sbin/ovs-brcompatd
-/root/vswitch/sbin/vswitchd
+/root/vswitch/sbin/ovs-vswitchd
/root/vswitch/bin/ovs-appctl
/root/vswitch/bin/ovs-cfg-mod
/root/vswitch/bin/ovs-dpctl
/root/vswitch/bin/ovs-ofctl
-/root/vswitch/share/man/man5/vswitchd.conf.5
-/root/vswitch/share/man/man8/ovs-brcompatd.8
+/root/vswitch/share/man/man5/ovs-vswitchd.conf.5
/root/vswitch/share/man/man8/ovs-appctl.8
+/root/vswitch/share/man/man8/ovs-brcompatd.8
/root/vswitch/share/man/man8/ovs-cfg-mod.8
/root/vswitch/share/man/man8/ovs-dpctl.8
/root/vswitch/share/man/man8/ovs-ofctl.8
-/root/vswitch/share/man/man8/vswitchd.8
+/root/vswitch/share/man/man8/ovs-vswitchd.8
projects / openvswitch / commitdiff