+\fBovs\-vswitchd\fR can perform all configured bridging and switching
+locally, or it can be configured to communicate with one or more
+external OpenFlow controllers. The switch is typically configured to
+connect to a primary controller that takes charge of the bridge's flow
+table to implement a network policy. In addition, the switch can be
+configured to listen to connections from service controllers. Service
+controllers are typically used for occasional support and maintenance,
+e.g. with \fBovs\-ofctl\fR.
+.
+.IP "\fBget\-controller\fR \fIbridge\fR"
+Prints the configured controller target.
+.
+.IP "\fBdel\-controller\fR \fIbridge\fR"
+Deletes the configured controller target.
+.
+.IP "\fBset\-controller\fR \fIbridge\fR \fItarget\fR\&..."
+Sets the configured controller target or targets. Each \fItarget\fR may
+use any of the following forms:
+.
+.RS
+.so lib/vconn-active.man
+.so lib/vconn-passive.man
+.RE
+.
+.ST "Controller Failure Settings"
+.PP
+When a controller is configured, it is, ordinarily, responsible for
+setting up all flows on the switch. Thus, if the connection to
+the controller fails, no new network connections can be set up. If
+the connection to the controller stays down long enough, no packets
+can pass through the switch at all.
+.PP
+If the value is \fBstandalone\fR, or if neither of these settings
+is set, \fBovs\-vswitchd\fR will take over
+responsibility for setting up
+flows when no message has been received from the controller for three
+times the inactivity probe interval. In this mode,
+\fBovs\-vswitchd\fR causes the datapath to act like an ordinary
+MAC-learning switch. \fBovs\-vswitchd\fR will continue to retry connecting
+to the controller in the background and, when the connection succeeds,
+it discontinues its standalone behavior.
+.PP
+If this option is set to \fBsecure\fR, \fBovs\-vswitchd\fR will not
+set up flows on its own when the controller connection fails.
+.
+.IP "\fBget\-fail\-mode\fR \fIbridge\fR"
+Prints the configured failure mode.
+.
+.IP "\fBdel\-fail\-mode\fR \fIbridge\fR"
+Deletes the configured failure mode.
+.
+.IP "\fBset\-fail\-mode\fR \fIbridge\fR \fBstandalone\fR|\fBsecure\fR"
+Sets the configured failure mode.
+.
+.SS "Manager Connectivity"
+.
+These commands manipulate the \fBmanager_options\fR column in the
+\fBOpen_vSwitch\fR table and rows in the \fBManagers\fR table. When
+\fBovsdb\-server\fR is configured to use the \fBmanager_options\fR column for
+OVSDB connections (as described in \fBINSTALL.Linux\fR and in the startup
+scripts provided with Open vSwitch), this allows the administrator to use
+\fBovs\-vsctl\fR to configure database connections.
+.
+.IP "\fBget\-manager\fR"
+Prints the configured manager(s).
+.
+.IP "\fBdel\-manager\fR"
+Deletes the configured manager(s).
+.
+.IP "\fBset\-manager\fR \fItarget\fR\&..."
+Sets the configured manager target or targets. Each \fItarget\fR may
+use any of the following forms:
+.
+.RS
+.so ovsdb/remote-active.man
+.so ovsdb/remote-passive.man
+.RE
+.
+.SS "SSL Configuration"
+When \fBovs\-vswitchd\fR is configured to connect over SSL for management or
+controller connectivity, the following parameters are required:
+.TP
+\fIprivate-key\fR
+Specifies a PEM file containing the private key used as the virtual
+switch's identity for SSL connections to the controller.
+.TP
+\fIcertificate\fR
+Specifies a PEM file containing a certificate, signed by the
+certificate authority (CA) used by the controller and manager, that
+certifies the virtual switch's private key, identifying a trustworthy
+switch.
+.TP
+\fIca-cert\fR
+Specifies a PEM file containing the CA certificate used to verify that
+the virtual switch is connected to a trustworthy controller.
+.PP
+These files are read only once, at \fBovs\-vswitchd\fR startup time. If
+their contents change, \fBovs\-vswitchd\fR must be killed and restarted.
+.PP
+These SSL settings apply to all SSL connections made by the virtual
+switch.
+.
+.IP "\fBget\-ssl\fR"
+Prints the SSL configuration.
+.
+.IP "\fBdel\-ssl\fR"
+Deletes the current SSL configuration.
+.
+.IP "[\fB\-\-bootstrap\fR] \fBset\-ssl\fR \fIprivate-key\fR \fIcertificate\fR \fIca-cert\fR"
+Sets the SSL configuration. The \fB\-\-bootstrap\fR option is described
+below.
+.
+.ST "CA Certificate Bootstrap"
+.PP
+Ordinarily, all of the files named in the SSL configuration must exist
+when \fBovs\-vswitchd\fR starts. However, if the \fIca-cert\fR file
+does not exist and the \fB\-\-bootstrap\fR
+option is given, then \fBovs\-vswitchd\fR will attempt to obtain the
+CA certificate from the controller on its first SSL connection and
+save it to the named PEM file. If it is successful, it will
+immediately drop the connection and reconnect, and from then on all
+SSL connections must be authenticated by a certificate signed by the
+CA certificate thus obtained.
+.PP
+\fBThis option exposes the SSL connection to a man-in-the-middle
+attack obtaining the initial CA certificate\fR, but it may be useful
+for bootstrapping.
+.PP
+This option is only useful if the controller sends its CA certificate
+as part of the SSL certificate chain. The SSL protocol does not
+require the controller to send the CA certificate.
+.
+.SS "Database Commands"
+.
+These commands query and modify the contents of \fBovsdb\fR tables.
+They are a slight abstraction of the \fBovsdb\fR interface and as such
+they operate at a lower level than other \fBovs\-vsctl\fR commands.
+.PP
+.ST "Identifying Tables, Records, and Columns"
+.PP
+Each of these commands has a \fItable\fR parameter to identify a table
+within the database. Many of them also take a \fIrecord\fR parameter
+that identifies a particular record within a table. The \fIrecord\fR
+parameter may be the UUID for a record, and many tables offer
+additional ways to identify records. Some commands also take
+\fIcolumn\fR parameters that identify a particular field within the
+records in a table.
+.PP
+The following tables are currently defined:
+.IP "\fBOpen_vSwitch\fR"
+Global configuration for an \fBovs\-vswitchd\fR. This table contains
+exactly one record, identified by specifying \fB.\fR as the record
+name.
+.IP "\fBBridge\fR"
+Configuration for a bridge within an Open vSwitch. Records may be
+identified by bridge name.
+.IP "\fBPort\fR"
+A bridge port. Records may be identified by port name.
+.IP "\fBInterface\fR"
+A network device attached to a port. Records may be identified by
+name.
+.IP "\fBFlow_Table\fR"
+Configuration for a particular OpenFlow flow table. Records may be
+identified by name.
+.IP "\fBQoS\fR"
+Quality-of-service configuration for a \fBPort\fR. Records may be
+identified by port name.
+.IP "\fBQueue\fR"
+Configuration for one queue within a \fBQoS\fR configuration. Records
+may only be identified by UUID.
+.IP "\fBMirror\fR"
+A port mirroring configuration attached to a bridge. Records may be
+identified by mirror name.
+.IP "\fBController\fR"
+Configuration for an OpenFlow controller. A controller attached to a
+particular bridge may be identified by the bridge's name.
+.IP "\fBManager\fR"
+Configuration for an OVSDB connection. Records may be identified
+by target (e.g. \fBtcp:1.2.3.4\fR).
+.IP "\fBNetFlow\fR"
+A NetFlow configuration attached to a bridge. Records may be
+identified by bridge name.
+.IP "\fBSSL\fR"
+The global SSL configuration for \fBovs\-vswitchd\fR. The record
+attached to the \fBOpen_vSwitch\fR table may be identified by
+specifying \fB.\fR as the record name.
+.IP "\fBsFlow\fR"
+An sFlow exporter configuration attached to a bridge. Records may be
+identified by bridge name.
+.IP "\fBIPFIX\fR"
+An IPFIX exporter configuration attached to a bridge. Records may be
+identified by bridge name.
+.IP "\fBFlow_Sample_Collector_Set\fR"
+An IPFIX exporter configuration attached to a bridge for sampling
+packets on a per-flow basis using OpenFlow \fBsample\fR actions.
+.PP
+Record names must be specified in full and with correct
+capitalization. Names of tables and columns are not case-sensitive,
+and \fB\-\-\fR and \fB_\fR are treated interchangeably. Unique
+abbreviations are acceptable, e.g. \fBnet\fR or \fBn\fR is sufficient
+to identify the \fBNetFlow\fR table.
+.
+.ST "Database Values"
+.PP
+Each column in the database accepts a fixed type of data. The
+currently defined basic types, and their representations, are:
+.IP "integer"
+A decimal integer in the range \-2**63 to 2**63\-1, inclusive.
+.IP "real"
+A floating-point number.
+.IP "Boolean"
+True or false, written \fBtrue\fR or \fBfalse\fR, respectively.
+.IP "string"
+An arbitrary Unicode string, except that null bytes are not allowed.
+Quotes are optional for most strings that begin with an English letter
+or underscore and consist only of letters, underscores, hyphens, and
+periods. However, \fBtrue\fR and \fBfalse\fR and strings that match
+the syntax of UUIDs (see below) must be enclosed in double quotes to
+distinguish them from other basic types. When double quotes are used,
+the syntax is that of strings in JSON, e.g. backslashes may be used to
+escape special characters. The empty string must be represented as a
+pair of double quotes (\fB""\fR).
+.IP "UUID"
+Either a universally unique identifier in the style of RFC 4122,
+e.g. \fBf81d4fae\-7dec\-11d0\-a765\-00a0c91e6bf6\fR, or an \fB@\fIname\fR
+defined by a \fBget\fR or \fBcreate\fR command within the same \fBovs\-vsctl\fR
+invocation.
+.PP
+Multiple values in a single column may be separated by spaces or a
+single comma. When multiple values are present, duplicates are not
+allowed, and order is not important. Conversely, some database
+columns can have an empty set of values, represented as \fB[]\fR, and
+square brackets may optionally enclose other non-empty sets or single
+values as well.
+.PP
+A few database columns are ``maps'' of key-value pairs, where the key
+and the value are each some fixed database type. These are specified
+in the form \fIkey\fB=\fIvalue\fR, where \fIkey\fR and \fIvalue\fR
+follow the syntax for the column's key type and value type,
+respectively. When multiple pairs are present (separated by spaces or
+a comma), duplicate keys are not allowed, and again the order is not
+important. Duplicate values are allowed. An empty map is represented
+as \fB{}\fR. Curly braces may optionally enclose non-empty maps as
+well (but use quotes to prevent the shell from expanding
+\fBother-config={0=x,1=y}\fR into \fBother-config=0=x
+other-config=1=y\fR, which may not have the desired effect).
+.
+.ST "Database Command Syntax"
+.
+.IP "[\fB\-\-if\-exists\fR] [\fB\-\-columns=\fIcolumn\fR[\fB,\fIcolumn\fR]...] \fBlist \fItable \fR[\fIrecord\fR]..."
+Lists the data in each specified \fIrecord\fR. If no
+records are specified, lists all the records in \fItable\fR.
+.IP
+If \fB\-\-columns\fR is specified, only the requested columns are
+listed, in the specified order. Otherwise, all columns are listed, in
+alphabetical order by column name.
+.IP
+Without \fB\-\-if-exists\fR, it is an error if any specified
+\fIrecord\fR does not exist. With \fB\-\-if-exists\fR, the command
+ignores any \fIrecord\fR that does not exist, without producing any
+output.