Provided by: openvswitch-switch_2.0.2-0ubuntu0.14.04.3_amd64 
NAME
ovs-vswitchd - Open vSwitch daemon
SYNOPSIS
ovs-vswitchd [database]
DESCRIPTION
A daemon that manages and controls any number of Open vSwitch switches on the local
machine.
The database argument specifies how ovs-vswitchd connects to ovsdb-server. The default is
unix:/var/run/openvswitch/db.sock. The following forms are accepted:
ssl:ip:port
The specified SSL port on the host at the given ip, which must be expressed as an
IP address (not a DNS name). The --private-key, --certificate, and --ca-cert
options are mandatory when this form is used.
tcp:ip:port
Connect to the given TCP port on ip.
unix:file
Connect to the Unix domain server socket named file.
pssl:port[:ip]
Listen on the given SSL port for a connection. By default, connections are not
bound to a particular local IP address, but specifying ip limits connections to
those from the given ip. The --private-key, --certificate, and --ca-cert options
are mandatory when this form is used.
ptcp:port[:ip]
Listen on the given TCP port for a connection. By default, connections are not
bound to a particular local IP address, but ip may be specified to listen only for
connections to the given ip.
punix:file
Listen on the Unix domain server socket named file for a connection.
ovs-vswitchd retrieves its configuration from database at startup. It sets up Open
vSwitch datapaths and then operates switching across each bridge described in its
configuration files. As the database changes, ovs-vswitchd automatically updates its
configuration to match.
Upon receipt of a SIGHUP signal, ovs-vswitchd reopens its log file, if one was specified
on the command line.
ovs-vswitchd switches may be configured with any of the following features:
• L2 switching with MAC learning.
• NIC bonding with automatic fail-over and source MAC-based TX load balancing
("SLB").
• 802.1Q VLAN support.
• Port mirroring, with optional VLAN tagging.
• NetFlow v5 flow logging.
• sFlow(R) monitoring.
• Connectivity to an external OpenFlow controller, such as NOX.
Only a single instance of ovs-vswitchd is intended to run at a time. A single
ovs-vswitchd can manage any number of switch instances, up to the maximum number of
supported Open vSwitch datapaths.
ovs-vswitchd does all the necessary management of Open vSwitch datapaths itself. Thus,
external tools, such ovs-dpctl(8), are not needed for managing datapaths in conjunction
with ovs-vswitchd, and their use to modify datapaths when ovs-vswitchd is running can
interfere with its operation. (ovs-dpctl may still be useful for diagnostics.)
An Open vSwitch datapath kernel module must be loaded for ovs-vswitchd to be useful.
Please refer to the INSTALL.Linux file included in the Open vSwitch distribution for
instructions on how to build and load the Open vSwitch kernel module.
OPTIONS
--mlockall
Causes ovs-vswitchd to call the mlockall() function, to attempt to lock all of its
process memory into physical RAM, preventing the kernel from paging any of its
memory to disk. This helps to avoid networking interruptions due to system memory
pressure.
Some systems do not support mlockall() at all, and other systems only allow
privileged users, such as the superuser, to use it. ovs-vswitchd emits a log
message if mlockall() is unavailable or unsuccessful.
--pidfile[=pidfile]
Causes a file (by default, ovs-vswitchd.pid) to be created indicating the PID of
the running process. If the pidfile argument is not specified, or if it does not
begin with /, then it is created in /var/run/openvswitch.
If --pidfile is not specified, no pidfile is created.
--overwrite-pidfile
By default, when --pidfile is specified and the specified pidfile already exists
and is locked by a running process, ovs-vswitchd refuses to start. Specify
--overwrite-pidfile to cause it to instead overwrite the pidfile.
When --pidfile is not specified, this option has no effect.
--detach
Causes ovs-vswitchd to detach itself from the foreground session and run as a
background process. ovs-vswitchd detaches only after it has connected to the
database, retrieved the initial configuration, and set up that configuration.
--monitor
Creates an additional process to monitor the ovs-vswitchd daemon. If the daemon
dies due to a signal that indicates a programming error (e.g. SIGSEGV, SIGABRT),
then the monitor process starts a new copy of it. If the daemon die or exits for
another reason, the monitor process exits.
This option is normally used with --detach, but it also functions without it.
--no-chdir
By default, when --detach is specified, ovs-vswitchd changes its current working
directory to the root directory after it detaches. Otherwise, invoking
ovs-vswitchd from a carelessly chosen directory would prevent the administrator
from unmounting the file system that holds that directory.
Specifying --no-chdir suppresses this behavior, preventing ovs-vswitchd from
changing its current working directory. This may be useful for collecting core
files, since it is common behavior to write core dumps into the current working
directory and the root directory is not a good directory to use.
This option has no effect when --detach is not specified.
Public Key Infrastructure Options
-p privkey.pem
--private-key=privkey.pem
Specifies a PEM file containing the private key used as ovs-vswitchd's identity for
outgoing SSL connections.
-c cert.pem
--certificate=cert.pem
Specifies a PEM file containing a certificate that certifies the private key
specified on -p or --private-key to be trustworthy. The certificate must be signed
by the certificate authority (CA) that the peer in SSL connections will use to
verify it.
-C cacert.pem
--ca-cert=cacert.pem
Specifies a PEM file containing the CA certificate that ovs-vswitchd should use to
verify certificates presented to it by SSL peers. (This may be the same
certificate that SSL peers use to verify the certificate specified on -c or
--certificate, or it may be a different one, depending on the PKI design in use.)
-C none
--ca-cert=none
Disables verification of certificates presented by SSL peers. This introduces a
security risk, because it means that certificates cannot be verified to be those of
known trusted hosts.
--bootstrap-ca-cert=cacert.pem
When cacert.pem exists, this option has the same effect as -C or --ca-cert. If it
does not exist, then ovs-vswitchd will attempt to obtain the CA certificate from
the SSL peer on its first SSL connection and save it to the named PEM file. If it
is successful, it will immediately drop the connection and reconnect, and from then
on all SSL connections must be authenticated by a certificate signed by the CA
certificate thus obtained.
This option exposes the SSL connection to a man-in-the-middle attack obtaining the
initial CA certificate, but it may be useful for bootstrapping.
This option is only useful if the SSL peer sends its CA certificate as part of the
SSL certificate chain. The SSL protocol does not require the server to send the CA
certificate, but ovs-controller(8) can be configured to do so with the
--peer-ca-cert option.
This option is mutually exclusive with -C and --ca-cert.
-v[spec]
--verbose=[spec]
Sets logging levels. Without any spec, sets the log level for every module and
facility to dbg. Otherwise, spec is a list of words separated by spaces or commas
or colons, up to one from each category below:
• A valid module name, as displayed by the vlog/list command on ovs-appctl(8),
limits the log level change to the specified module.
• syslog, console, or file, to limit the log level change to only to the
system log, to the console, or to a file, respectively.
• off, emer, err, warn, info, or dbg, to control the log level. Messages of
the given severity or higher will be logged, and messages of lower severity
will be filtered out. off filters out all messages. See ovs-appctl(8) for
a definition of each log level.
Case is not significant within spec.
Regardless of the log levels set for file, logging to a file will not take place
unless --log-file is also specified (see below).
For compatibility with older versions of OVS, any is accepted as a word but has no
effect.
-v
--verbose
Sets the maximum logging verbosity level, equivalent to --verbose=dbg.
--log-file[=file]
Enables logging to a file. If file is specified, then it is used as the exact name
for the log file. The default log file name used if file is omitted is
/var/log/openvswitch/ovs-vswitchd.log.
-h
--help Prints a brief help message to the console.
-V
--version
Prints version information to the console.
RUNTIME MANAGEMENT COMMANDS
ovs-appctl(8) can send commands to a running ovs-vswitchd process. The currently
supported commands are described below. The command descriptions assume an understanding
of how to configure Open vSwitch.
GENERAL COMMANDS
exit Causes ovs-vswitchd to gracefully terminate.
qos/show interface
Queries the kernel for Quality of Service configuration and statistics associated
with the given interface.
bfd/show [interface]
Displays detailed information about Bidirectional Forwarding Detection configured
on interface. If interface is not specified, then displays detailed information
about all interfaces with BFD enabled.
bfd/set-forwarding [interface] status
Force the fault status of the BFD module on interface (or all interfaces if none is
given) to be status. status can be "true", "false", or "normal" which reverts to
the standard behavior.
cfm/show [interface]
Displays detailed information about Connectivity Fault Management configured on
interface. If interface is not specified, then displays detailed information about
all interfaces with CFM enabled.
cfm/set-fault [interface] status
Force the fault status of the CFM module on interface (or all interfaces if none is
given) to be status. status can be "true", "false", or "normal" which reverts to
the standard behavior.
stp/tcn [bridge]
Forces a topology change event on bridge if it's running STP. This may cause it to
send Topology Change Notifications to its peers and flush its MAC table.. If no
bridge is given, forces a topology change event on all bridges.
BRIDGE COMMANDS
These commands manage bridges.
fdb/flush [bridge]
Flushes bridge MAC address learning table, or all learning tables if no bridge is
given.
fdb/show bridge
Lists each MAC address/VLAN pair learned by the specified bridge, along with the
port on which it was learned and the age of the entry, in seconds.
bridge/reconnect [bridge]
Makes bridge drop all of its OpenFlow controller connections and reconnect. If
bridge is not specified, then all bridges drop their controller connections and
reconnect.
This command might be useful for debugging OpenFlow controller issues.
bridge/dump-flows bridge
Lists all flows in bridge, including those normally hidden to commands such as
ovs-ofctl dump-flows. Flows set up by mechanisms such as in-band control and fail-
open are hidden from the controller since it is not allowed to modify or override
them.
BOND COMMANDS
These commands manage bonded ports on an Open vSwitch's bridges. To understand some of
these commands, it is important to understand a detail of the bonding implementation
called ``source load balancing'' (SLB). Instead of directly assigning Ethernet source
addresses to slaves, the bonding implementation computes a function that maps an 48-bit
Ethernet source addresses into an 8-bit value (a ``MAC hash'' value). All of the Ethernet
addresses that map to a single 8-bit value are then assigned to a single slave.
bond/list
Lists all of the bonds, and their slaves, on each bridge.
bond/show [port]
Lists all of the bond-specific information (updelay, downdelay, time until the next
rebalance) about the given bonded port, or all bonded ports if no port is given.
Also lists information about each slave: whether it is enabled or disabled, the
time to completion of an updelay or downdelay if one is in progress, whether it is
the active slave, the hashes assigned to the slave. Any LACP information related
to this bond may be found using the lacp/show command.
bond/migrate port hash slave
Only valid for SLB bonds. Assigns a given MAC hash to a new slave. port specifies
the bond port, hash the MAC hash to be migrated (as a decimal number between 0 and
255), and slave the new slave to be assigned.
The reassignment is not permanent: rebalancing or fail-over will cause the MAC hash
to be shifted to a new slave in the usual manner.
A MAC hash cannot be migrated to a disabled slave.
bond/set-active-slave port slave
Sets slave as the active slave on port. slave must currently be enabled.
The setting is not permanent: a new active slave will be selected if slave becomes
disabled.
bond/enable-slave port slave
bond/disable-slave port slave
Enables (or disables) slave on the given bond port, skipping any updelay (or
downdelay).
This setting is not permanent: it persists only until the carrier status of slave
changes.
bond/hash mac [vlan] [basis]
Returns the hash value which would be used for mac with vlan and basis if
specified.
lacp/show [port]
Lists all of the LACP related information about the given port: active or passive,
aggregation key, system id, and system priority. Also lists information about each
slave: whether it is enabled or disabled, whether it is attached or detached, port
id and priority, actor information, and partner information. If port is not
specified, then displays detailed information about all interfaces with CFM
enabled.
DATAPATH COMMANDS
These commands manage logical datapaths. They are are similar to the equivalent ovs-dpctl
commands.
dpif/dump-dps
Prints the name of each configured datapath on a separate line.
dpif/show
Prints a summary of configured datapaths, including statistics and a list of
connected ports. The port information includes the OpenFlow port number, datapath
port number, and the type. (The local port is identified as OpenFlow port 65534.)
dpif/dump-flows dp
Prints to the console all flow entries in datapath dp's flow table.
This command is primarily useful for debugging Open vSwitch. The flow table
entries that it displays are not OpenFlow flow entries. Instead, they are
different and considerably simpler flows maintained by the datapath module. If you
wish to see the OpenFlow flow entries, use ovs-ofctl dump-flows.
dpif/del-flows dp
Deletes all flow entries from datapath dp's flow table and underlying datapath
implementation (e.g., kernel datapath module).
This command is primarily useful for debugging Open vSwitch. As discussed in
dpif/dump-flows, these entries are not OpenFlow flow entries.
OFPROTO COMMANDS
These commands manage the core OpenFlow switch implementation (called ofproto).
ofproto/list
Lists the names of the running ofproto instances. These are the names that may be
used on ofproto/trace.
ofproto/trace [dpname] odp_flow [-generate | packet]
ofproto/trace bridge br_flow [-generate | packet]
Traces the path of an imaginary packet through switch and reports the path that it
took. The packet's headers (e.g. source and destination) and metadata (e.g. input
port), together called its ``flow,'' are usually all that matter for this purpose.
You can specify the flow in the following ways:
dpname odp_flow
odp_flow is a flow in the form printed by ovs-dpctl(8)'s dump-flows command.
If all of your bridges have the same type, which is the common case, then
you can omit dpname, but if you have bridges of different types (say, both
ovs-netdev and ovs-system), then you need to specify a dpname to
disambiguate.
bridge br_flow
br_flow is a flow in the form similar to that accepted by ovs-ofctl(8)'s
add-flow command. (This is not an OpenFlow flow: besides other differences,
it never contains wildcards.) bridge names of the bridge through which
br_flow should be traced.
Most commonly, one specifies only a flow, using one of the forms above, but
sometimes one might need to specify an actual packet instead of just a flow:
Side effects.
Some actions have side effects. For example, the normal action can update
the MAC learning table, and the learn action can change OpenFlow tables.
ofproto/trace only performs side effects when a packet is specified. If you
want side effects to take place, then you must supply a packet.
(Output actions are obviously side effects too, but ofproto/trace never
executes them, even when one specifies a packet.)
Incomplete information.
Most of the time, Open vSwitch can figure out everything about the path of a
packet using just the flow, but in some special circumstances it needs to
look at parts of the packet that are not included in the flow. When this is
the case, and you do not supply a packet, then ofproto/trace will tell you
it needs a packet.
If you wish to include a packet as part of the ofproto/trace operation, there are
two ways to do it:
-generate
This option, added to one of the ways to specify a flow already described,
causes Open vSwitch to internally generate a packet with the flow described
and then to use that packet. If your goal is to execute side effects, then
-generate is the easiest way to do it, but -generate is not a good way to
fill in incomplete information, because it generates packets based on only
the flow information, which means that the packets really do not have any
more information than the flow.
packet This form supplies an explicit packet as a sequence of hex digits. An
Ethernet frame is at least 14 bytes long, so there must be at least 28 hex
digits. Obviously, it is inconvenient to type in the hex digits by hand, so
the ovs-pcap(1) and ovs-tcpundump(1) utilities provide easier ways.
With this form, packet headers are extracted directly from packet, so the
odp_flow or br_flow should specify only metadata. The metadata can be:
skb_priority
Packet QoS priority.
pkt_mark
Mark of the packet.
tun_id The tunnel ID on which the packet arrived.
in_port
The port on which the packet arrived.
The in_port value is kernel datapath port number for the first format and OpenFlow
port number for the second format. The numbering of these two types of port usually
differs and there is no relationship.
ofproto/self-check [switch]
Runs an internal consistency check on switch, if specified, otherwise on all
ofproto instances, and responds with a brief summary of the results. If the
summary reports any errors, then the Open vSwitch logs should contain more detailed
information. Please pass along errors reported by this command to the Open vSwitch
developers as bugs.
VLOG COMMANDS
These commands manage ovs-vswitchd's logging settings.
vlog/set [spec]
Sets logging levels. Without any spec, sets the log level for every module and
facility to dbg. Otherwise, spec is a list of words separated by spaces or commas
or colons, up to one from each category below:
• A valid module name, as displayed by the vlog/list command on ovs-appctl(8),
limits the log level change to the specified module.
• syslog, console, or file, to limit the log level change to only to the
system log, to the console, or to a file, respectively.
• off, emer, err, warn, info, or dbg, to control the log level. Messages of
the given severity or higher will be logged, and messages of lower severity
will be filtered out. off filters out all messages. See ovs-appctl(8) for
a definition of each log level.
Case is not significant within spec.
Regardless of the log levels set for file, logging to a file will not take place
unless ovs-vswitchd was invoked with the --log-file option.
For compatibility with older versions of OVS, any is accepted as a word but has no
effect.
vlog/set PATTERN:facility:pattern
Sets the log pattern for facility to pattern. Refer to ovs-appctl(8) for a
description of the valid syntax for pattern.
vlog/list
Lists the supported logging modules and their current levels.
vlog/reopen
Causes ovs-vswitchd to close and reopen its log file. (This is useful after
rotating log files, to cause a new log file to be used.)
This has no effect unless ovs-vswitchd was invoked with the --log-file option.
vlog/disable-rate-limit [module]...
vlog/enable-rate-limit [module]...
By default, ovs-vswitchd limits the rate at which certain messages can be logged.
When a message would appear more frequently than the limit, it is suppressed. This
saves disk space, makes logs easier to read, and speeds up execution, but
occasionally troubleshooting requires more detail. Therefore,
vlog/disable-rate-limit allows rate limits to be disabled at the level of an
individual log module. Specify one or more module names, as displayed by the
vlog/list command. Specifying either no module names at all or the keyword any
disables rate limits for every log module.
The vlog/enable-rate-limit command, whose syntax is the same as
vlog/disable-rate-limit, can be used to re-enable a rate limit that was previously
disabled.
MEMORY COMMANDS
These commands report memory usage.
memory/show
Displays some basic statistics about ovs-vswitchd's memory usage. ovs-vswitchd
also logs this information soon after startup and periodically as its memory
consumption grows.
COVERAGE COMMANDS
These commands manage ovs-vswitchd's ``coverage counters,'' which count the number of
times particular events occur during a daemon's runtime. In addition to these commands,
ovs-vswitchd automatically logs coverage counter values, at INFO level, when it detects
that the daemon's main loop takes unusually long to run.
Coverage counters are useful mainly for performance analysis and debugging.
coverage/show
Displays the values of all of the coverage counters.
OPENFLOW IMPLEMENTATION
This section documents aspects of OpenFlow for which the OpenFlow specification requires
documentation.
Packet buffering.
The OpenFlow specification, version 1.2, says:
Switches that implement buffering are expected to expose, through documentation,
both the amount of available buffering, and the length of time before buffers may
be reused.
Open vSwitch maintains a separate set of 256 packet buffers for each OpenFlow connection.
Any given packet buffer is preserved until it is referenced by an OFPT_FLOW_MOD or
OFPT_PACKET_OUT request or for 5 seconds, whichever comes first.
LIMITS
We believe these limits to be accurate as of this writing. These limits assume the use of
the Linux kernel datapath.
• ovs-vswitchd started through ovs-ctl(8) provides a limit of 7500 file descriptors.
The limits on the number of bridges and ports is decided by the availability of
file descriptors. With the Linux kernel datapath, creation of a single bridge
consumes 3 file descriptors and adding a port consumes 1 file descriptor.
Performance will degrade beyond 1,024 ports per bridge due to fixed hash table
sizing. Other platforms may have different limitations.
• 2,048 MAC learning entries per bridge, by default. (This is configurable via
other-config:mac-table-size in the Bridge table. See ovs-vswitchd.conf.db(5) for
details.)
• Kernel flows are limited only by memory available to the kernel. Performance will
degrade beyond 1,048,576 kernel flows per bridge with a 32-bit kernel, beyond
262,144 with a 64-bit kernel. (ovs-vswitchd should never install anywhere near
that many flows.)
• OpenFlow flows are limited only by available memory. Performance is linear in the
number of unique wildcard patterns. That is, an OpenFlow table that contains many
flows that all match on the same fields in the same way has a constant-time lookup,
but a table that contains many flows that match on different fields requires lookup
time linear in the number of flows.
• 255 ports per bridge participating in 802.1D Spanning Tree Protocol.
• 32 mirrors per bridge.
• 15 bytes for the name of a port. (This is a Linux kernel limitation.)
SEE ALSO
ovs-appctl(8), ovsdb-server(1), INSTALL.Linux in the Open vSwitch distribution.