Provided by: openvswitch-controller_2.0.2-0ubuntu0.14.04.3_amd64 
NAME
ovs-controller - simple OpenFlow controller reference implementation
SYNOPSIS
ovs-controller [options] method [method]...
DESCRIPTION
ovs-controller manages any number of remote switches over OpenFlow protocol, causing them
to function as L2 MAC-learning switches or hub.
ovs-controller controls one or more OpenFlow switches, specified as one or more of the
following OpenFlow connection methods:
pssl:[port][:ip]
Listens for OpenFlow SSL connections on port (default: 6633). The
--private-key, --certificate, and --ca-cert options are mandatory when this
form is used. By default, connections are not bound to a particular local
IP address, but ip may be specified to listen only for connections to the
given ip.
ptcp:[port][:ip]
Listens for OpenFlow TCP connections on port (default: 6633). By default,
connections are not bound to a particular local IP address, but ip may be
specified to listen only for connections to the given ip.
punix:file
Listens for OpenFlow connections on the Unix domain server socket named
file.
ssl:ip[:port]
The specified SSL port (default: 6633) on the host at the given ip, which
must be expressed as an IP address (not a DNS name). The --private-key,
--certificate, and --ca-cert options are mandatory when this form is used.
tcp:ip[:port]
The specified TCP port (default: 6633) on the host at the given ip, which
must be expressed as an IP address (not a DNS name).
unix:file
The Unix domain server socket named file.
OPTIONS
-n
--noflow
By default, ovs-controller sets up a flow in each OpenFlow switch whenever it
receives a packet whose destination is known due through MAC learning. This option
disables flow setup, so that every packet in the network passes through the
controller.
This option is most useful for debugging. It reduces switching performance, so it
should not be used in production.
--max-idle=secs|permanent
Sets secs as the number of seconds that a flow set up by the controller will remain
in the switch's flow table without any matching packets being seen. If permanent
is specified, which is not recommended, flows will never expire. The default is 60
seconds.
This option has no effect when -n (or --noflow) is in use (because the controller
does not set up flows in that case).
-H
--hub By default, the controller acts as an L2 MAC-learning switch. This option changes
its behavior to that of a hub that floods packets on all but the incoming port.
If -H (or --hub) and -n (or --noflow) are used together, then the cumulative effect
is that every packet passes through the controller and every packet is flooded.
This option is most useful for debugging. It reduces switching performance, so it
should not be used in production.
-w[wildcard_mask]
--wildcards[=wildcard_mask]
By default, ovs-controller sets up exact-match flows. This option allows it to set
up wildcarded flows, which may reduce flow setup latency by causing less traffic to
be sent up to the controller.
The optional wildcard_mask is an OpenFlow wildcard bitmask in hexadecimal that
specifies the fields to wildcard. If no wildcard_mask is specified, the default
value 0x2820F0 is used which specifies L2-only switching and wildcards L3 and L4
fields. Another interesting value is 0x2000EC, which specifies L3-only switching
and wildcards L2 and L4 fields.
This option has no effect when -n (or --noflow) is in use (because the controller
does not set up flows in that case).
-N
--normal
By default, ovs-controller directs packets to a particular port or floods them.
This option causes it to direct non-flooded packets to the OpenFlow OFPP_NORMAL
port. This allows the switch itself to make decisions about packet destinations.
Support for OFPP_NORMAL is optional in OpenFlow, so this option may not well with
some non-Open vSwitch switches.
--mute Prevents ovs-controller from replying to any OpenFlow messages sent to it by
switches.
This option is only for debugging the Open vSwitch implementation of ``fail open''
mode. It must not be used in production.
-q id
--queue=id
By default, ovs-controller uses the default OpenFlow queue for sending packets and
setting up flows. Use one of these options, supplying id as an OpenFlow queue ID
as a decimal number, to instead use that specific queue.
This option is incompatible with -N or --normal and with -H or --hub. If more than
one is specified then this option takes precedence.
This option may be useful for testing or debugging quality of service setups.
-Q port-name:queue-id
--port-queue port-name:queue-id
Configures packets received on the port named port-name (e.g. eth0) to be output on
OpenFlow queue ID queue-id (specified as a decimal number). For the specified
port, this option overrides the default specified on -q or --queue.
This option may be specified any number of times with different port-name
arguments.
This option is incompatible with -N or --normal and with -H or --hub. If more than
one is specified then this option takes precedence.
This option may be useful for testing or debugging quality of service setups.
--with-flows file
When a switch connects, push the flow entries as described in file. Each line in
file is a flow entry in the format described for the add-flows command in the Flow
Syntax section of the ovs-ofctl(8) man page.
Use this option more than once to add flows from multiple files.
Public Key Infrastructure Options
-p privkey.pem
--private-key=privkey.pem
Specifies a PEM file containing the private key used as ovs-controller's identity
for outgoing SSL connections.
-c cert.pem
--certificate=cert.pem
Specifies a PEM file containing a certificate that certifies the private key
specified on -p or --private-key to be trustworthy. The certificate must be signed
by the certificate authority (CA) that the peer in SSL connections will use to
verify it.
-C cacert.pem
--ca-cert=cacert.pem
Specifies a PEM file containing the CA certificate that ovs-controller should use
to verify certificates presented to it by SSL peers. (This may be the same
certificate that SSL peers use to verify the certificate specified on -c or
--certificate, or it may be a different one, depending on the PKI design in use.)
-C none
--ca-cert=none
Disables verification of certificates presented by SSL peers. This introduces a
security risk, because it means that certificates cannot be verified to be those of
known trusted hosts.
--peer-ca-cert=peer-cacert.pem
Specifies a PEM file that contains one or more additional certificates to send to
SSL peers. peer-cacert.pem should be the CA certificate used to sign
ovs-controller's own certificate, that is, the certificate specified on -c or
--certificate. If ovs-controller's certificate is self-signed, then --certificate
and --peer-ca-cert should specify the same file.
This option is not useful in normal operation, because the SSL peer must already
have the CA certificate for the peer to have any confidence in ovs-controller's
identity. However, this offers a way for a new installation to bootstrap the CA
certificate on its first SSL connection.
--pidfile[=pidfile]
Causes a file (by default, ovs-controller.pid) to be created indicating the PID of
the running process. If the pidfile argument is not specified, or if it does not
begin with /, then it is created in /var/run/openvswitch.
If --pidfile is not specified, no pidfile is created.
--overwrite-pidfile
By default, when --pidfile is specified and the specified pidfile already exists
and is locked by a running process, ovs-controller refuses to start. Specify
--overwrite-pidfile to cause it to instead overwrite the pidfile.
When --pidfile is not specified, this option has no effect.
--detach
Causes ovs-controller to detach itself from the foreground session and run as a
background process.
--monitor
Creates an additional process to monitor the ovs-controller daemon. If the daemon
dies due to a signal that indicates a programming error (e.g. SIGSEGV, SIGABRT),
then the monitor process starts a new copy of it. If the daemon die or exits for
another reason, the monitor process exits.
This option is normally used with --detach, but it also functions without it.
--no-chdir
By default, when --detach is specified, ovs-controller changes its current working
directory to the root directory after it detaches. Otherwise, invoking
ovs-controller from a carelessly chosen directory would prevent the administrator
from unmounting the file system that holds that directory.
Specifying --no-chdir suppresses this behavior, preventing ovs-controller from
changing its current working directory. This may be useful for collecting core
files, since it is common behavior to write core dumps into the current working
directory and the root directory is not a good directory to use.
This option has no effect when --detach is not specified.
-v[spec]
--verbose=[spec]
Sets logging levels. Without any spec, sets the log level for every module and
facility to dbg. Otherwise, spec is a list of words separated by spaces or commas
or colons, up to one from each category below:
• A valid module name, as displayed by the vlog/list command on ovs-appctl(8),
limits the log level change to the specified module.
• syslog, console, or file, to limit the log level change to only to the
system log, to the console, or to a file, respectively.
• off, emer, err, warn, info, or dbg, to control the log level. Messages of
the given severity or higher will be logged, and messages of lower severity
will be filtered out. off filters out all messages. See ovs-appctl(8) for
a definition of each log level.
Case is not significant within spec.
Regardless of the log levels set for file, logging to a file will not take place
unless --log-file is also specified (see below).
For compatibility with older versions of OVS, any is accepted as a word but has no
effect.
-v
--verbose
Sets the maximum logging verbosity level, equivalent to --verbose=dbg.
--log-file[=file]
Enables logging to a file. If file is specified, then it is used as the exact name
for the log file. The default log file name used if file is omitted is
/var/log/openvswitch/ovs-controller.log.
--unixctl=socket
Sets the name of the control socket on which ovs-controller listens for runtime
management commands (see RUNTIME MANAGEMENT COMMANDS, below). If socket does not
begin with /, it is interpreted as relative to /var/run/openvswitch. If --unixctl
is not used at all, the default socket is
/var/run/openvswitch/ovs-controller.pid.ctl, where pid is ovs-controller's process
ID. Specifying none for socket disables the control socket feature.
-h
--help Prints a brief help message to the console.
-V
--version
Prints version information to the console.
lib/ofp-version.man.
EXAMPLES
To bind locally to port 6633 (the default) and wait for incoming connections from OpenFlow
switches:
% ovs-controller ptcp:
BUGS
Configuring a Citrix XenServer to connect to a particular controller only points the
remote OVSDB management connection to that controller. It does not also configure
OpenFlow connections, because the manager is expected to do that over the management
protocol. ovs-controller is not an Open vSwitch manager and does not know how to do that.
As a stopgap workaround, ovs-vsctl can wait for an OVSDB connection and set the
controller, e.g.:
% ovs-vsctl -t0 --db=pssl: --certificate=cert.pem --ca-cert=none
--private-key=privkey.pem --peer-ca-cert=cacert.pem set-controller ssl:ip
SEE ALSO
ovs-appctl(8), ovs-ofctl(8), ovs-dpctl(8)