ovs-vsctl: Support configuring SSL.

[sliver-openvswitch.git] / utilities / ovs-vsctl.8.in

.\" -*- nroff -*-
.de IQ
.  br
.  ns
.  IP "\\$1"
..
.de ST
.  PP
.  RS -0.15in
.  I "\\$1"
.  RE
.  PP
..
.TH ovs\-vsctl 8 "November 2009" "Open vSwitch" "Open vSwitch Manual"
.ds PN ovs\-vsctl
.
.SH NAME
ovs\-vsctl \- utility for querying and configuring \fBovs\-vswitchd\fR
.
.SH SYNOPSIS
\fBovs\-vsctl\fR [\fIoptions\fR] [\fB\-\-\fR] \fIcommand \fR[\fIargs\fR\&...]
[\fB\-\-\fR \fIcommand \fR[\fIargs\fR\&...]]
.
.SH DESCRIPTION
The \fBovs\-vsctl\fR program configures \fBovs\-vswitchd\fR(8) by
providing a high\-level interface to editing its configuration
database.  This program is mainly intended for use when
\fBovs\-vswitchd\fR is running.  If it is used when
\fBovs\-vswitchd\fR is not running, then \fB\-\-no\-wait\fR should be
specified and configuration changes will only take effect when
\fBovs\-vswitchd\fR is started.
.PP
By default, each time \fBovs\-vsctl\fR runs, it connects to an
\fBovsdb\-server\fR process that maintains an Open vSwitch
configuration database.  Using this connection, it queries and
possibly applies changes to the database, depending on the supplied
commands.  Then, if it applied any changes, it waits until
\fBovs\-vswitchd\fR has finished reconfiguring itself before it exits.
.PP
\fBovs\-vsctl\fR can perform any number of commands in a single run,
implemented as a single atomic transaction against the database.
Commands are separated on the command line by \fB\-\-\fR arguments.
.
.SS "Linux VLAN Bridging Compatibility"
The \fBovs\-vsctl\fR program supports the model of a bridge
implemented by Open vSwitch, in which a single bridge supports ports
on multiple VLANs.  In this model, each port on a bridge is either a
trunk port that potentially passes packets tagged with 802.1Q headers
that designate VLANs or it is assigned a single implicit VLAN that is
never tagged with an 802.1Q header.
.PP
For compatibility with software designed for the Linux bridge,
\fBovs\-vsctl\fR also supports a model in which traffic associated
with a given 802.1Q VLAN is segregated into a separate bridge.  A
special form of the \fBadd\-br\fR command (see below) creates a ``fake
bridge'' within an Open vSwitch bridge to simulate this behavior.
When such a ``fake bridge'' is active, \fBovs\-vsctl\fR will treat it
much like a bridge separate from its ``parent bridge,'' but the actual
implementation in Open vSwitch uses only a single bridge, with ports on
the fake bridge assigned the implicit VLAN of the fake bridge of which
they are members.
.
.SH OPTIONS
.
The following options affect the behavior \fBovs\-vsctl\fR as a whole.
Some individual commands also accept their own options, which are
given just before the command name.  If the first command on the
command line has options, then those options must be separated from
the global options by \fB\-\-\fR.
.
.IP "\fB\-\-db=\fIserver\fR"
Sets \fIserver\fR as the database server that \fBovs\-vsctl\fR
contacts to query or modify configuration.  The default is
\fBunix:@RUNDIR@/ovsdb\-server\fR.  \fIserver\fR must take one of the
following forms:
.RS
.IP "\fBtcp:\fIip\fB:\fIport\fR"
Connect to the given TCP \fIport\fR on \fIip\fR.
.IP "\fBunix:\fIfile\fR"
Connect to the Unix domain server socket named \fIfile\fR.
.RE
.IP "\fB\-\-no\-wait\fR"
Prevents \fBovs\-vsctl\fR from waiting for \fBovs\-vswitchd\fR to
reconfigure itself according to the the modified database.  This
option should be used if \fBovs\-vswitchd\fR is not running;
otherwise, \fBovs-vsctl\fR will not exit until \fBovs-vswitchd\fR
starts.
.IP
This option has no effect if the commands specified do not change the
database.
.
.IP "\fB\-\-no\-syslog\fR"
By default, \fBovs\-vsctl\fR logs its arguments and the details of any
changes that it makes to the system log.  This option disables this
logging.
.IP
This option is equivalent to \fB\-\-verbose=vvsctl:syslog:warn\fR.
.
.IP "\fB\-\-oneline\fR"
Modifies the output format so that the output for each command is printed
on a single line.  New-line characters that would otherwise separate
lines are printed as \fB\\n\fR, and any instances of \fB\\\fR that
would otherwise appear in the output are doubled.
Prints a blank line for each command that has no output.
.
.IP "\fB\-\-dry\-run\fR"
Prevents \fBovs\-vsctl\fR from actually modifying the database.
.
.IP "\fB-t \fIsecs\fR"
.IQ "\fB--timeout=\fIsecs\fR"
Limits runtime to approximately \fIsecs\fR seconds.  A value of 
zero will cause \fBovs\-vsctl\fR to wait forever.  If the timeout expires, 
\fBovs\-vsctl\fR will exit with a \fBSIGALRM\fR signal.  If this option is
not used, \fBovs\-vsctl\fR uses a timeout of five seconds.
(A timeout would normally happen only if the database cannot be contacted.)
.
.so lib/vlog.man
.
.SH COMMANDS
The commands implemented by \fBovs\-vsctl\fR are described in the
sections below.
.SS "Open vSwitch Commands"
These commands work with an Open vSwitch as a whole.
.
.IP "\fBinit\fR"
Initializes the Open vSwitch database, if it is empty.  If the
database has already been initialized, this command has no effect.
.IP
Any successful \fBovs\-vsctl\fR command automatically initializes the
Open vSwitch database if it is empty.  This command is provided to
initialize the database without executing any other command.
.
.SS "Bridge Commands"
These commands examine and manipulate Open vSwitch bridges.
.
.IP "\fBadd\-br \fIbridge\fR"
Creates a new bridge named \fIbridge\fR.  Initially the bridge will
have no ports (other than \fIbridge\fR itself).
.
.IP "\fBadd\-br \fIbridge parent vlan\fR"
Creates a ``fake bridge'' named \fIbridge\fR within the existing Open
vSwitch bridge \fIparent\fR, which must already exist and must not
itself be a fake bridge.  The new fake bridge will be on 802.1Q VLAN
\fIvlan\fR, which must be an integer between 1 and 4095.  Initially
\fIbridge\fR will have no ports (other than \fIbridge\fR itself).
.
.IP "[\fB\-\-if\-exists\fR] \fBdel\-br \fIbridge\fR"
Deletes \fIbridge\fR and all of its ports.  If \fIbridge\fR is a real
bridge, this command also deletes any fake bridges that were created
with \fIbridge\fR as parent, including all of their ports.
.IP
Without \fB\-\-if\-exists\fR, attempting to delete a bridge that does
not exist is an error.  With \fB\-\-if\-exists\fR, attempting to
delete a bridge that does not exist has no effect.
.
.IP "\fBlist\-br\fR"
Lists all existing real and fake bridges on standard output, one per
line.
.
.IP "\fBbr\-exists \fIbridge\fR"
Tests whether \fIbridge\fR exists as a real or fake bridge.  If so,
\fBovs\-vsctl\fR exits successfully with exit code 0.  If not,
\fBovs\-vsctl\fR exits unsuccessfully with exit code 2.
.
.IP "\fBbr\-to\-vlan \fIbridge\fR"
If \fIbridge\fR is a fake bridge, prints the bridge's 802.1Q VLAN as a
decimal integer.  If \fIbridge\fR is a real bridge, prints 0.
.
.IP "\fBbr\-to\-parent \fIbridge\fR"
If \fIbridge\fR is a fake bridge, prints the name of its parent
bridge.  If \fIbridge\fR is a real bridge, print \fIbridge\fR.
.
.IP "\fBbr\-set\-external\-id \fIbridge key\fR [\fIvalue\fR]"
Sets or clears an ``external ID'' value on \fIbridge\fR.  These values
are intended to identify entities external to Open vSwitch with which
\fIbridge\fR is associated, e.g. the bridge's identifier in a
virtualization management platform.  The Open vSwitch database schema
specifies well-known \fIkey\fR values, but \fIkey\fR and \fIvalue\fR
are otherwise arbitrary strings.
.IP
If \fIvalue\fR is specified, then \fIkey\fR is set to \fIvalue\fR for
\fIbridge\fR, overwriting any previous value.  If \fIvalue\fR is
omitted, then \fIkey\fR is removed from \fIbridge\fR's set of external
IDs (if it was present).
.
.IP "\fBbr\-get\-external\-id \fIbridge\fR [\fIkey\fR]"
Queries the external IDs on \fIbridge\fR.  If \fIkey\fR is specified,
the output is the value for that \fIkey\fR or the empty string if
\fIkey\fR is unset.  If \fIkey\fR is omitted, the output is
\fIkey\fB=\fIvalue\fR, one per line, for each key-value pair.
.
.SS "Port Commands"
.
These commands examine and manipulate Open vSwitch ports.  These
commands treat a bonded port as a single entity.
.
.IP "\fBlist\-ports \fIbridge\fR"
Lists all of the ports within \fIbridge\fR on standard output, one per
line.  The local port \fIbridge\fR is not included in the list.
.
.IP "\fBadd\-port \fIbridge port\fR"
Creates on \fIbridge\fR a new port named \fIport\fR from the network
device of the same name.
.
.IP "\fBadd\-bond \fIbridge port iface\fR\&..."
Creates on \fIbridge\fR a new port named \fIport\fR that bonds
together the network devices given as each \fIiface\fR.  At least two
interfaces must be named.
.
.IP "[\fB\-\-if\-exists\fR] \fBdel\-port \fR[\fIbridge\fR] \fIport\fR"
Deletes \fIport\fR.  If \fIbridge\fR is omitted, \fIport\fR is removed
from whatever bridge contains it; if \fIbridge\fR is specified, it
must be the real or fake bridge that contains \fIport\fR.
.IP
Without \fB\-\-if\-exists\fR, attempting to delete a port that does
not exist is an error.  With \fB\-\-if\-exists\fR, attempting to
delete a port that does not exist has no effect.
.
.IP "\fBport\-to\-br \fIport\fR"
Prints the name of the bridge that contains \fIport\fR on standard
output.
.
.IP "\fBport\-set\-external\-id \fIport key\fR [\fIvalue\fR]"
Sets or clears an ``external ID'' value on \fIport\fR.  These value
are intended to identify entities external to Open vSwitch with which
\fIport\fR is associated, e.g. the port's identifier in a
virtualization management platform.  The Open vSwitch database schema
specifies well-known \fIkey\fR values, but \fIkey\fR and \fIvalue\fR
are otherwise arbitrary strings.
.IP
If \fIvalue\fR is specified, then \fIkey\fR is set to \fIvalue\fR for
\fIport\fR, overwriting any previous value.  If \fIvalue\fR is
omitted, then \fIkey\fR is removed from \fIport\fR's set of external
IDs (if it was present).
.
.IP "\fBbr\-get\-external\-id \fIport\fR [\fIkey\fR]"
Queries the external IDs on \fIport\fR.  If \fIkey\fR is specified,
the output is the value for that \fIkey\fR or the empty string if
\fIkey\fR is unset.  If \fIkey\fR is omitted, the output is
\fIkey\fB=\fIvalue\fR, one per line, for each key-value pair.
.
.SS "Interface Commands"
.
These commands examine the interfaces attached to an Open vSwitch
bridge.  These commands treat a bonded port as a collection of two or
more interfaces, rather than as a single port.
.
.IP "\fBlist\-ifaces \fIbridge\fR"
Lists all of the interfaces within \fIbridge\fR on standard output,
one per line.  The local port \fIbridge\fR is not included in the
list.
.
.IP "\fBiface\-to\-br \fIiface\fR"
Prints the name of the bridge that contains \fIiface\fR on standard
output.
.
.IP "\fBiface\-set\-external\-id \fIiface key\fR [\fIvalue\fR]"
Sets or clears an ``external ID'' value on \fIiface\fR.  These value
are intended to identify entities external to Open vSwitch with which
\fIiface\fR is associated, e.g. the interface's identifier in a
virtualization management platform.  The Open vSwitch database schema
specifies well-known \fIkey\fR values, but \fIkey\fR and \fIvalue\fR
are otherwise arbitrary strings.
.IP
If \fIvalue\fR is specified, then \fIkey\fR is set to \fIvalue\fR for
\fIiface\fR, overwriting any previous value.  If \fIvalue\fR is
omitted, then \fIkey\fR is removed from \fIiface\fR's set of external
IDs (if it was present).
.
.IP "\fBbr\-get\-external\-id \fIiface\fR [\fIkey\fR]"
Queries the external IDs on \fIiface\fR.  If \fIkey\fR is specified,
the output is the value for that \fIkey\fR or the empty string if
\fIkey\fR is unset.  If \fIkey\fR is omitted, the output is
\fIkey\fB=\fIvalue\fR, one per line, for each key-value pair.
.
.SS "OpenFlow Controller Connectivity"
.
\fBovs\-vswitchd\fR can perform all configured bridging and switching
locally, or it can be configured to connect a given bridge to an
external OpenFlow controller, such as NOX.  
.
If a \fIbridge\fR argument is given, the settings apply only to the
specified bridge.  Otherwise, they apply to the Open vSwitch instance,
and its configuration applies to any bridge that has not been explicitly
configured through a \fIbridge\fR argument.
.
.IP "\fBget\-controller\fR [\fIbridge\fR]"
Prints the configured controller target.
.
.IP "\fBdel\-controller\fR [\fIbridge\fR]"
Deletes the configured controller target.
.
.IP "\fBset\-controller\fR [\fIbridge\fR] \fItarget\fR"
Sets the configured controller target.  The \fItarget\fR may use any of
the following forms:
.
.RS
.TP
\fBssl:\fIip\fR[\fB:\fIport\fR]
The specified SSL \fIport\fR (default: 6633) on the host at the given
\fIip\fR, which must be expressed as an IP address (not a DNS name).
SSL must be configured when this form is used (see \fBSSL
Configuration\fR, below).
.
.TP
\fBtcp:\fIip\fR[\fB:\fIport\fR]
The specified TCP \fIport\fR (default: 6633) on the host at the given
\fIip\fR, which must be expressed as an IP address (not a DNS name).
.TP
\fBunix:\fIfile\fR
The Unix domain server socket named \fIfile\fR.
.RE
.ST "Controller Failure Settings"
.
When a controller is configured, it is, ordinarily, responsible for
setting up all flows on the switch.  Thus, if the connection to
the controller fails, no new network connections can be set up.  If
the connection to the controller stays down long enough, no packets
can pass through the switch at all.
.ST
If the value is \fBstandalone\fR, or if neither of these settings
is set, \fBovs\-vswitchd\fR will take over
responsibility for setting up
flows when no message has been received from the controller for three
times the inactivity probe interval (xxx needs to be exposed).  In this mode,
\fBovs\-vswitchd\fR causes the datapath to act like an ordinary
MAC-learning switch.  \fBovs\-vswitchd\fR will continue to retry connecting
to the controller in the background and, when the connection succeeds,
it discontinues its standalone behavior.
.ST
If this option is set to \fBsecure\fR, \fBovs\-vswitchd\fR will not
set up flows on its own when the controller connection fails.
.
.IP "\fBget\-fail\-mode\fR [\fIbridge\fR]"
Prints the configured failure mode.
.
.IP "\fBdel\-fail\-mode\fR [\fIbridge\fR]"
Deletes the configured failure mode.
.
.IP "\fBset\-fail\-mode\fR [\fIbridge\fR] \fBstandalone\fR|\fBsecure\fR"
Sets the configured failure mode.
.
.SS "SSL Configuration"
When \fBovs\-vswitchd\fR is configured to connect over SSL for management or
controller connectivity, the following parameters are required:
.TP
\fBprivate-key\fR
Specifies a PEM file containing the private key used as the virtual
switch's identity for SSL connections to the controller.
.TP
\fBcertificate\fR
Specifies a PEM file containing a certificate, signed by the
certificate authority (CA) used by the controller and manager, that
certifies the virtual switch's private key, identifying a trustworthy
switch.
.TP
\fBca-cert\fR
Specifies a PEM file containing the CA certificate used to verify that
the virtual switch is connected to a trustworthy controller.
.PP
These files are read only once, at \fBovs\-vswitchd\fR startup time.  If
their contents change, \fBovs\-vswitchd\fR must be killed and restarted.
.PP
These SSL settings apply to all SSL connections made by the virtual
switch.
.
.IP "\fBget\-ssl\fR"
Prints the SSL configuration.
.
.IP "\fBdel\-ssl\fR"
Deletes the current SSL configuration.
.
.IP "[\fB\-\-bootstrap\fR] \fBset\-ssl\fR \fIprivate-key\fR \fIcertificate\fR \fIca-cert\fR"
Sets the SSL configuration.  The \fB\-\-bootstrap\fR option is described 
below.
.
.ST "CA Certificate Bootstrap"
Ordinarily, all of the files named in the SSL configuration must exist
when \fBovs\-vswitchd\fR starts.  However, if the \fB\-\-bootstrap\fR 
option is given, then \fBovs\-vswitchd\fR will attempt to obtain the
CA certificate from the controller on its first SSL connection and
save it to the named PEM file.  If it is successful, it will
immediately drop the connection and reconnect, and from then on all
SSL connections must be authenticated by a certificate signed by the
CA certificate thus obtained.
.PP
\fBThis option exposes the SSL connection to a man-in-the-middle
attack obtaining the initial CA certificate\fR, but it may be useful
for bootstrapping.
.PP
This option is only useful if the controller sends its CA certificate
as part of the SSL certificate chain.  The SSL protocol does not
require the controller to send the CA certificate, but
\fBcontroller\fR(8) can be configured to do so with the
\fB--peer-ca-cert\fR option.
.
.SH "EXAMPLES"
Create a new bridge named br0 and add port eth0 to it:
.IP
.B "ovs-vsctl add\-br br0"
.br
.B "ovs-vsctl add\-port br0 eth0"
.PP
Alternatively, perform both operations in a single atomic transaction:
.IP 
.B "ovs-vsctl add\-br br0 \-\- add\-port br0 eth0"
.PP
Delete bridge \fBbr0\fR, reporting an error if it does not exist:
.IP
.B "ovs\-vsctl del\-br br0"
.PP
Delete bridge \fBbr0\fR if it exists (the \fB\-\-\fR is required to
separate \fBdel\-br\fR's options from the global options):
.IP
.B "ovs\-vsctl \-\- \-\-if\-exists del\-br br0"
.
.SH "EXIT STATUS"
.IP "0"
Successful program execution.
.IP "1"
Usage, syntax, or configuration file error.
.IP "2"
The \fIbridge\fR argument to \fBbr\-exists\fR specified the name of a
bridge that does not exist.
.SH "SEE ALSO"
.
.BR ovsdb\-server (1),
.BR ovs\-vswitchd (8).