Provided by: openvswitch-controller_2.0.1+git20140120-0ubuntu2_amd64
ovs-controller - simple OpenFlow controller reference implementation
ovs-controller [options] method [method]...
ovs-controller manages any number of remote switches over OpenFlow protocol, causing them to function as L2 MAC-learning switches or hub. ovs-controller controls one or more OpenFlow switches, specified as one or more of the following OpenFlow connection methods: pssl:[port][:ip] Listens for OpenFlow SSL connections on port (default: 6633). The --private-key, --certificate, and --ca-cert options are mandatory when this form is used. By default, connections are not bound to a particular local IP address, but ip may be specified to listen only for connections to the given ip. ptcp:[port][:ip] Listens for OpenFlow TCP connections on port (default: 6633). By default, connections are not bound to a particular local IP address, but ip may be specified to listen only for connections to the given ip. punix:file Listens for OpenFlow connections on the Unix domain server socket named file. ssl:ip[:port] The specified SSL port (default: 6633) on the host at the given ip, which must be expressed as an IP address (not a DNS name). The --private-key, --certificate, and --ca-cert options are mandatory when this form is used. tcp:ip[:port] The specified TCP port (default: 6633) on the host at the given ip, which must be expressed as an IP address (not a DNS name). unix:file The Unix domain server socket named file.
-n --noflow By default, ovs-controller sets up a flow in each OpenFlow switch whenever it receives a packet whose destination is known due through MAC learning. This option disables flow setup, so that every packet in the network passes through the controller. This option is most useful for debugging. It reduces switching performance, so it should not be used in production. --max-idle=secs|permanent Sets secs as the number of seconds that a flow set up by the controller will remain in the switch's flow table without any matching packets being seen. If permanent is specified, which is not recommended, flows will never expire. The default is 60 seconds. This option has no effect when -n (or --noflow) is in use (because the controller does not set up flows in that case). -H --hub By default, the controller acts as an L2 MAC-learning switch. This option changes its behavior to that of a hub that floods packets on all but the incoming port. If -H (or --hub) and -n (or --noflow) are used together, then the cumulative effect is that every packet passes through the controller and every packet is flooded. This option is most useful for debugging. It reduces switching performance, so it should not be used in production. -w[wildcard_mask] --wildcards[=wildcard_mask] By default, ovs-controller sets up exact-match flows. This option allows it to set up wildcarded flows, which may reduce flow setup latency by causing less traffic to be sent up to the controller. The optional wildcard_mask is an OpenFlow wildcard bitmask in hexadecimal that specifies the fields to wildcard. If no wildcard_mask is specified, the default value 0x2820F0 is used which specifies L2-only switching and wildcards L3 and L4 fields. Another interesting value is 0x2000EC, which specifies L3-only switching and wildcards L2 and L4 fields. This option has no effect when -n (or --noflow) is in use (because the controller does not set up flows in that case). -N --normal By default, ovs-controller directs packets to a particular port or floods them. This option causes it to direct non-flooded packets to the OpenFlow OFPP_NORMAL port. This allows the switch itself to make decisions about packet destinations. Support for OFPP_NORMAL is optional in OpenFlow, so this option may not well with some non-Open vSwitch switches. --mute Prevents ovs-controller from replying to any OpenFlow messages sent to it by switches. This option is only for debugging the Open vSwitch implementation of ``fail open'' mode. It must not be used in production. -q id --queue=id By default, ovs-controller uses the default OpenFlow queue for sending packets and setting up flows. Use one of these options, supplying id as an OpenFlow queue ID as a decimal number, to instead use that specific queue. This option is incompatible with -N or --normal and with -H or --hub. If more than one is specified then this option takes precedence. This option may be useful for testing or debugging quality of service setups. -Q port-name:queue-id --port-queue port-name:queue-id Configures packets received on the port named port-name (e.g. eth0) to be output on OpenFlow queue ID queue-id (specified as a decimal number). For the specified port, this option overrides the default specified on -q or --queue. This option may be specified any number of times with different port-name arguments. This option is incompatible with -N or --normal and with -H or --hub. If more than one is specified then this option takes precedence. This option may be useful for testing or debugging quality of service setups. --with-flows file When a switch connects, push the flow entries as described in file. Each line in file is a flow entry in the format described for the add-flows command in the Flow Syntax section of the ovs-ofctl(8) man page. Use this option more than once to add flows from multiple files. Public Key Infrastructure Options -p privkey.pem --private-key=privkey.pem Specifies a PEM file containing the private key used as ovs-controller's identity for outgoing SSL connections. -c cert.pem --certificate=cert.pem Specifies a PEM file containing a certificate that certifies the private key specified on -p or --private-key to be trustworthy. The certificate must be signed by the certificate authority (CA) that the peer in SSL connections will use to verify it. -C cacert.pem --ca-cert=cacert.pem Specifies a PEM file containing the CA certificate that ovs-controller should use to verify certificates presented to it by SSL peers. (This may be the same certificate that SSL peers use to verify the certificate specified on -c or --certificate, or it may be a different one, depending on the PKI design in use.) -C none --ca-cert=none Disables verification of certificates presented by SSL peers. This introduces a security risk, because it means that certificates cannot be verified to be those of known trusted hosts. --peer-ca-cert=peer-cacert.pem Specifies a PEM file that contains one or more additional certificates to send to SSL peers. peer-cacert.pem should be the CA certificate used to sign ovs-controller's own certificate, that is, the certificate specified on -c or --certificate. If ovs-controller's certificate is self-signed, then --certificate and --peer-ca-cert should specify the same file. This option is not useful in normal operation, because the SSL peer must already have the CA certificate for the peer to have any confidence in ovs-controller's identity. However, this offers a way for a new installation to bootstrap the CA certificate on its first SSL connection. --pidfile[=pidfile] Causes a file (by default, ovs-controller.pid) to be created indicating the PID of the running process. If the pidfile argument is not specified, or if it does not begin with /, then it is created in /var/run/openvswitch. If --pidfile is not specified, no pidfile is created. --overwrite-pidfile By default, when --pidfile is specified and the specified pidfile already exists and is locked by a running process, ovs-controller refuses to start. Specify --overwrite-pidfile to cause it to instead overwrite the pidfile. When --pidfile is not specified, this option has no effect. --detach Causes ovs-controller to detach itself from the foreground session and run as a background process. --monitor Creates an additional process to monitor the ovs-controller daemon. If the daemon dies due to a signal that indicates a programming error (e.g. SIGSEGV, SIGABRT), then the monitor process starts a new copy of it. If the daemon die or exits for another reason, the monitor process exits. This option is normally used with --detach, but it also functions without it. --no-chdir By default, when --detach is specified, ovs-controller changes its current working directory to the root directory after it detaches. Otherwise, invoking ovs-controller from a carelessly chosen directory would prevent the administrator from unmounting the file system that holds that directory. Specifying --no-chdir suppresses this behavior, preventing ovs-controller from changing its current working directory. This may be useful for collecting core files, since it is common behavior to write core dumps into the current working directory and the root directory is not a good directory to use. This option has no effect when --detach is not specified. -v[spec] --verbose=[spec] Sets logging levels. Without any spec, sets the log level for every module and facility to dbg. Otherwise, spec is a list of words separated by spaces or commas or colons, up to one from each category below: · A valid module name, as displayed by the vlog/list command on ovs-appctl(8), limits the log level change to the specified module. · syslog, console, or file, to limit the log level change to only to the system log, to the console, or to a file, respectively. · off, emer, err, warn, info, or dbg, to control the log level. Messages of the given severity or higher will be logged, and messages of lower severity will be filtered out. off filters out all messages. See ovs-appctl(8) for a definition of each log level. Case is not significant within spec. Regardless of the log levels set for file, logging to a file will not take place unless --log-file is also specified (see below). For compatibility with older versions of OVS, any is accepted as a word but has no effect. -v --verbose Sets the maximum logging verbosity level, equivalent to --verbose=dbg. --log-file[=file] Enables logging to a file. If file is specified, then it is used as the exact name for the log file. The default log file name used if file is omitted is /var/log/openvswitch/ovs-controller.log. --unixctl=socket Sets the name of the control socket on which ovs-controller listens for runtime management commands (see RUNTIME MANAGEMENT COMMANDS, below). If socket does not begin with /, it is interpreted as relative to /var/run/openvswitch. If --unixctl is not used at all, the default socket is /var/run/openvswitch/ovs-controller.pid.ctl, where pid is ovs-controller's process ID. Specifying none for socket disables the control socket feature. -h --help Prints a brief help message to the console. -V --version Prints version information to the console. lib/ofp-version.man.
To bind locally to port 6633 (the default) and wait for incoming connections from OpenFlow switches: % ovs-controller ptcp:
Configuring a Citrix XenServer to connect to a particular controller only points the remote OVSDB management connection to that controller. It does not also configure OpenFlow connections, because the manager is expected to do that over the management protocol. ovs-controller is not an Open vSwitch manager and does not know how to do that. As a stopgap workaround, ovs-vsctl can wait for an OVSDB connection and set the controller, e.g.: % ovs-vsctl -t0 --db=pssl: --certificate=cert.pem --ca-cert=none --private-key=privkey.pem --peer-ca-cert=cacert.pem set-controller ssl:ip
ovs-appctl(8), ovs-ofctl(8), ovs-dpctl(8)