Provided by: openvswitch-common_2.5.9-0ubuntu0.16.04.3_amd64 
NAME
ovsdb-client - command-line interface to ovsdb-server(1)
SYNOPSIS
ovsdb-client [options] list-dbs [server]
ovsdb-client [options] get-schema [server] [database]
ovsdb-client [options] get-schema-version [server] [database]
ovsdb-client [options] list-tables [server] [database]
ovsdb-client [options] list-columns [server] [database] [table]
ovsdb-client [options] transact [server] transaction
ovsdb-client [options] dump [server] [database] [table [column...]]
ovsdb-client [options] monitor [server] [database] table [column[,column]...]...
ovsdb-client [options] monitor [server] [database] ALL
ovsdb-client help
Output formatting options:
[--format=format] [--data=format] [--no-heading] [--pretty] [--bare] [--no-heading]
[--timestamp]
Daemon options:
[--pidfile[=pidfile]] [--overwrite-pidfile] [--detach] [--no-chdir]
Logging options:
[-v[module[:destination[:level]]]]...
[--verbose[=module[:destination[:level]]]]...
[--log-file[=file]]
Public key infrastructure options:
[--private-key=privkey.pem]
[--certificate=cert.pem]
[--ca-cert=cacert.pem]
[--bootstrap-ca-cert=cacert.pem]
Common options:
[-h | --help] [-V | --version]
DESCRIPTION
The ovsdb-client program is a command-line client for interacting with a running
ovsdb-server process. Each command connects to an OVSDB server, which is
unix:/var/run/openvswitch/db.sock by default, or may be specified as server in one of the
following forms:
ssl:ip:port
The specified SSL port on the host at the given ip, which must be expressed
as an IP address (not a DNS name) in IPv4 or IPv6 address format. If ip is
an IPv6 address, then wrap ip with square brackets, e.g.: ssl:[::1]:6640.
The --private-key, --certificate, and --ca-cert options are mandatory when
this form is used.
tcp:ip:port
Connect to the given TCP port on ip, where ip can be IPv4 or IPv6 address.
If ip is an IPv6 address, then wrap ip with square brackets, e.g.:
tcp:[::1]:6640.
unix:file
On POSIX, connect to the Unix domain server socket named file.
On Windows, connect to a localhost TCP port whose value is written in file.
pssl:port[:ip]
Listen on the given SSL port for a connection. By default, connections are
not bound to a particular local IP address and it listens only on IPv4 (but
not IPv6) addresses, but specifying ip limits connections to those from the
given ip, either IPv4 or IPv6 address. If ip is an IPv6 address, then wrap
ip with square brackets, e.g.: pssl:6640:[::1]. The --private-key,
--certificate, and --ca-cert options are mandatory when this form is used.
ptcp:port[:ip]
Listen on the given TCP port for a connection. By default, connections are
not bound to a particular local IP address and it listens only on IPv4 (but
not IPv6) addresses, but ip may be specified to listen only for connections
to the given ip, either IPv4 or IPv6 address. If ip is an IPv6 address,
then wrap ip with square brackets, e.g.: ptcp:6640:[::1].
punix:file
On POSIX, listen on the Unix domain server socket named file for a
connection.
On Windows, listen on a kernel chosen TCP port on the localhost. The kernel
chosen TCP port value is written in file.
The default database is Open_vSwitch.
Commands
The following commands are implemented:
list-dbs [server]
Connects to server, retrieves the list of known databases, and prints them one per
line. These database names are the ones that may be used for database in the
following commands.
get-schema [server] [database]
Connects to server, retrieves the schema for database, and prints it in JSON
format.
get-schema-version [server] [database]
Connects to server, retrieves the schema for database, and prints its version
number on stdout. A schema version number has the form x.y.z. See
ovs-vswitchd.conf.db(5) for details.
Schema version numbers and Open vSwitch version numbers are independent.
If database was created before schema versioning was introduced, then it will not
have a version number and this command will print a blank line.
list-tables [server] [database]
Connects to server, retrieves the schema for database, and prints a table listing
the name of each table within the database.
list-columns [server] [database] table
Connects to server, retrieves the schema for database, and prints a table listing
the name and type of each column. If table is specified, only columns in that
table are listed; otherwise, the tables include columns in all tables.
transact [server] transaction
Connects to server, sends it the specified transaction, which must be a JSON array
containing one or more valid OVSDB operations, and prints the received reply on
stdout.
dump [server] [database] [table [column...]]
Connects to server, retrieves all of the data in database, and prints it on stdout
as a series of tables. If table is specified, only that table is retrieved. If at
least one column is specified, only those columns are retrieved.
monitor [server] [database] table [column[,column]...]...
Connects to server and monitors the contents of table in database. By default, the
initial contents of table are printed, followed by each change as it occurs. If at
least one column is specified, only those columns are monitored. The following
column names have special meanings:
!initial
Do not print the initial contents of the specified columns.
!insert
Do not print newly inserted rows.
!delete
Do not print deleted rows.
!modify
Do not print modifications to existing rows.
Multiple [column[,column]...] groups may be specified as separate arguments, e.g.
to apply different reporting parameters to each group. Whether multiple groups or
only a single group is specified, any given column may only be mentioned once on
the command line.
If --detach is used with monitor, then ovsdb-client detaches after it has
successfully received and printed the initial contents of table.
monitor [server] [database] ALL
Connects to server and monitors the contents of all tables in database. Prints
initial values and all kinds of changes to all columns in the database. The
--detach option causes ovsdb-client to detach after it successfully receives and
prints the initial database contents.
OPTIONS
Output Formatting Options
Much of the output from ovsdb-client is in the form of tables. The following options
controlling output formatting:
-f format
--format=format
Sets the type of table formatting. The following types of format are available:
table (default)
2-D text tables with aligned columns.
list A list with one column per line and rows separated by a blank line.
html HTML tables.
csv Comma-separated values as defined in RFC 4180.
json JSON format as defined in RFC 4627. The output is a sequence of JSON
objects, each of which corresponds to one table. Each JSON object has the
following members with the noted values:
caption
The table's caption. This member is omitted if the table has no
caption.
headings
An array with one element per table column. Each array element is a
string giving the corresponding column's heading.
data An array with one element per table row. Each element is also an
array with one element per table column. The elements of this
second-level array are the cells that constitute the table. Cells
that represent OVSDB data or data types are expressed in the format
described in the OVSDB specification; other cells are simply
expressed as text strings.
-d format
--data=format
Sets the formatting for cells within output tables. The following types of format
are available:
string (default)
The simple format described in the Database Values section of ovs-vsctl(8).
bare The simple format with punctuation stripped off: [] and {} are omitted
around sets, maps, and empty columns, items within sets and maps are space-
separated, and strings are never quoted. This format may be easier for
scripts to parse.
json JSON.
The json output format always outputs cells in JSON format, ignoring this option.
--no-heading
This option suppresses the heading row that otherwise appears in the first row of
table output.
--pretty
By default, JSON in output is printed as compactly as possible. This option causes
JSON in output to be printed in a more readable fashion. Members of objects and
elements of arrays are printed one per line, with indentation.
This option does not affect JSON in tables, which is always printed compactly.
--bare Equivalent to --format=list --data=bare --no-headings.
--timestamp
For the monitor command, adds a timestamp to each table update. Most output
formats add the timestamp on a line of its own just above the table. The JSON
output format puts the timestamp in a member of the top-level JSON object named
time.
Daemon Options
The daemon options apply only to the monitor command. With any other command, they have
no effect. The following options are valid on POSIX based platforms.
--pidfile[=pidfile]
Causes a file (by default, ovsdb-client.pid) to be created indicating the PID of
the running process. If the pidfile argument is not specified, or if it does not
begin with /, then it is created in /var/run/openvswitch.
If --pidfile is not specified, no pidfile is created.
--overwrite-pidfile
By default, when --pidfile is specified and the specified pidfile already exists
and is locked by a running process, ovsdb-client refuses to start. Specify
--overwrite-pidfile to cause it to instead overwrite the pidfile.
When --pidfile is not specified, this option has no effect.
--detach
Runs ovsdb-client as a background process. The process forks, and in the child it
starts a new session, closes the standard file descriptors (which has the side
effect of disabling logging to the console), and changes its current directory to
the root (unless --no-chdir is specified). After the child completes its
initialization, the parent exits.
--monitor
Creates an additional process to monitor the ovsdb-client daemon. If the daemon
dies due to a signal that indicates a programming error (SIGABRT, SIGALRM, SIGBUS,
SIGFPE, SIGILL, SIGPIPE, SIGSEGV, SIGXCPU, or SIGXFSZ) then the monitor process
starts a new copy of it. If the daemon dies or exits for another reason, the
monitor process exits.
This option is normally used with --detach, but it also functions without it.
--no-chdir
By default, when --detach is specified, ovsdb-client changes its current working
directory to the root directory after it detaches. Otherwise, invoking
ovsdb-client from a carelessly chosen directory would prevent the administrator
from unmounting the file system that holds that directory.
Specifying --no-chdir suppresses this behavior, preventing ovsdb-client from
changing its current working directory. This may be useful for collecting core
files, since it is common behavior to write core dumps into the current working
directory and the root directory is not a good directory to use.
This option has no effect when --detach is not specified.
--user Causes ovsdb-client to run as a different user specified in "user:group", thus
dropping most of the root privileges. Short forms "user" and ":group" are also
allowed, with current user or group are assumed respectively. Only daemons started
by the root user accepts this argument.
On Linux, daemons will be granted CAP_IPC_LOCK and CAP_NET_BIND_SERVICES before
dropping root privileges. Daemons interact with datapath, such as ovs-vswitchd,
will be granted two additional capabilities, namely CAP_NET_ADMIN and CAP_NET_RAW.
The capability change will apply even if new user is "root".
On Windows, this option is not currently supported. For security reasons,
specifying this option will cause the daemon process not to start.
Logging Options
-v[spec]
--verbose=[spec]
Sets logging levels. Without any spec, sets the log level for every module and
destination to dbg. Otherwise, spec is a list of words separated by spaces or
commas or colons, up to one from each category below:
• A valid module name, as displayed by the vlog/list command on ovs-appctl(8),
limits the log level change to the specified module.
• syslog, console, or file, to limit the log level change to only to the
system log, to the console, or to a file, respectively. (If --detach is
specified, ovsdb-client closes its standard file descriptors, so logging to
the console will have no effect.)
On Windows platform, syslog is accepted as a word and is only useful along
with the --syslog-target option (the word has no effect otherwise).
• off, emer, err, warn, info, or dbg, to control the log level. Messages of
the given severity or higher will be logged, and messages of lower severity
will be filtered out. off filters out all messages. See ovs-appctl(8) for
a definition of each log level.
Case is not significant within spec.
Regardless of the log levels set for file, logging to a file will not take place
unless --log-file is also specified (see below).
For compatibility with older versions of OVS, any is accepted as a word but has no
effect.
-v
--verbose
Sets the maximum logging verbosity level, equivalent to --verbose=dbg.
-vPATTERN:destination:pattern
--verbose=PATTERN:destination:pattern
Sets the log pattern for destination to pattern. Refer to ovs-appctl(8) for a
description of the valid syntax for pattern.
-vFACILITY:facility
--verbose=FACILITY:facility
Sets the RFC5424 facility of the log message. facility can be one of kern, user,
mail, daemon, auth, syslog, lpr, news, uucp, clock, ftp, ntp, audit, alert, clock2,
local0, local1, local2, local3, local4, local5, local6 or local7. If this option is
not specified, daemon is used as the default for the local system syslog and local0
is used while sending a message to the target provided via the --syslog-target
option.
--log-file[=file]
Enables logging to a file. If file is specified, then it is used as the exact name
for the log file. The default log file name used if file is omitted is
/var/log/openvswitch/ovsdb-client.log.
--syslog-target=host:port
Send syslog messages to UDP port on host, in addition to the system syslog. The
host must be a numerical IP address, not a hostname.
--syslog-method=method
Specify method how syslog messages should be sent to syslog daemon. Following
forms are supported:
• libc, use libc syslog() function. This is the default behavior. Downside
of using this options is that libc adds fixed prefix to every message before
it is actually sent to the syslog daemon over /dev/log UNIX domain socket.
• unix:file, use UNIX domain socket directly. It is possible to specify
arbitrary message format with this option. However, rsyslogd 8.9 and older
versions use hard coded parser function anyway that limits UNIX domain
socket use. If you want to use arbitrary message format with older rsyslogd
versions, then use UDP socket to localhost IP address instead.
• udp:ip:port, use UDP socket. With this method it is possible to use
arbitrary message format also with older rsyslogd. When sending syslog
messages over UDP socket extra precaution needs to be taken into account,
for example, syslog daemon needs to be configured to listen on the specified
UDP port, accidental iptables rules could be interfering with local syslog
traffic and there are some security considerations that apply to UDP
sockets, but do not apply to UNIX domain sockets.
Public Key Infrastructure Options
-p privkey.pem
--private-key=privkey.pem
Specifies a PEM file containing the private key used as ovsdb-client's identity for
outgoing SSL connections.
-c cert.pem
--certificate=cert.pem
Specifies a PEM file containing a certificate that certifies the private key
specified on -p or --private-key to be trustworthy. The certificate must be signed
by the certificate authority (CA) that the peer in SSL connections will use to
verify it.
-C cacert.pem
--ca-cert=cacert.pem
Specifies a PEM file containing the CA certificate that ovsdb-client should use to
verify certificates presented to it by SSL peers. (This may be the same
certificate that SSL peers use to verify the certificate specified on -c or
--certificate, or it may be a different one, depending on the PKI design in use.)
-C none
--ca-cert=none
Disables verification of certificates presented by SSL peers. This introduces a
security risk, because it means that certificates cannot be verified to be those of
known trusted hosts.
--bootstrap-ca-cert=cacert.pem
When cacert.pem exists, this option has the same effect as -C or --ca-cert. If it
does not exist, then ovsdb-client will attempt to obtain the CA certificate from
the SSL peer on its first SSL connection and save it to the named PEM file. If it
is successful, it will immediately drop the connection and reconnect, and from then
on all SSL connections must be authenticated by a certificate signed by the CA
certificate thus obtained.
This option exposes the SSL connection to a man-in-the-middle attack obtaining the
initial CA certificate, but it may be useful for bootstrapping.
This option is only useful if the SSL peer sends its CA certificate as part of the
SSL certificate chain. The SSL protocol does not require the server to send the CA
certificate.
This option is mutually exclusive with -C and --ca-cert.
Other Options
-h
--help Prints a brief help message to the console.
-V
--version
Prints version information to the console.
SEE ALSO
ovsdb-server(1), ovsdb-client(1), and the OVSDB specification.