- libssl, from OpenSSL (http://www.openssl.org/), is optional but
recommended. libssl is required to establish confidentiality
and authenticity in the connections among OpenFlow switches and
- controllers.
+ controllers. To enable, compile with --enable-ssl=yes
If you are working from a Git tree or snapshot (instead of from a
distribution tarball), or if you modify the OpenFlow build system, you
Building Userspace Programs
---------------------------
-These instructions describe how to build the userspace components of
-the OpenFlow distribution. Refer to "Building and Testing the Linux
+The OpenFlow distribution includes two implementations of the switch:
+one entirely in userspace, for portability and ease of installation,
+and another with a Linux kernel module component that is more
+difficult to install but should also yield better performance. These
+instructions describe how to build the userspace components of the
+OpenFlow distribution. Refer to "Building and Testing the Linux
Kernel-Based Switch", below, for additional instructions on how to
build the optional Linux kernel module.
Testing Userspace Programs
--------------------------
+0. The commands below must run as root, so log in as root, or use a
+ program such as "su" to become root temporarily.
+
1. Start the OpenFlow controller running in the background, by running
the "controller" program with a command like the following:
- % controller ptcp: &
+ # controller ptcp: &
This command causes the controller to bind to port 975 (the
default) awaiting connections from OpenFlow switches. See
switch, specifying network devices to use as switch ports on the -i
option as a comma-separated list, like so:
- % switch tcp:127.0.0.1 -i eth1,eth2
+ # switch tcp:127.0.0.1 -i eth1,eth2
The network devices that you specify should not have configured IP
- addresses. The switch program must run as root.
+ addresses.
3. The controller causes each switch that connects to it to act like a
learning Ethernet switch. Thus, devices plugged into the specified
The instructions above set up OpenFlow for operation over a plaintext
TCP connection. Production use of OpenFlow should use SSL[*] to
ensure confidentiality and authenticity of traffic among switches and
-controllers.
+controllers. The source must be configured with --enable-ssl=yes to
+build with ssl support.
To use SSL with OpenFlow, you must set up a public-key infrastructure
(PKI) including a pair of certificate authorities (CAs), one for
OpenFlow can use it directly. Otherwise, refer to "Establishing a
Public Key Infrastructure" below.
-To configure the controller to listen for SSL connections on the
-default port, invoke it as follows:
+To configure the controller to listen for SSL connections on port 976
+(the default), invoke it as follows:
- % controller -v pssl: --private-key=PRIVKEY --certificate=CERT \
+ # controller -v pssl: --private-key=PRIVKEY --certificate=CERT \
--ca-cert=CACERT
where PRIVKEY is a file containing the controller's private key, CERT
certificate for the switch CA. If, for example, your PKI was created
with the instructions below, then the invocation would look like:
- % controller -v pssl: --private-key=ctl-privkey.pem \
+ # controller -v pssl: --private-key=ctl-privkey.pem \
--certificate=ctl-cert.pem --ca-cert=pki/switchca/cacert.pem
-To configure a switch to connect to a controller running on the
-default port on host 192.168.1.2 over SSL, invoke it as follows:
+To configure a switch to connect to a controller running on port 976
+(the default) on host 192.168.1.2 over SSL, invoke it as follows:
- % switch -v ssl:192.168.1.2 -i INTERFACES --private-key=PRIVKEY \
+ # switch -v ssl:192.168.1.2 -i INTERFACES --private-key=PRIVKEY \
--certificate=CERT --ca-cert=CACERT
-where INTERFACES is the command-separated list of network devices
+where INTERFACES is the command-separated list of network device
interfaces, PRIVKEY is a file containing the switch's private key,
CERT is a file containing the switch CA's certificate for the switch's
public key, and CACERT is a file containing the root certificate for
the controller CA. If, for example, your PKI was created with the
instructions below, then the invocation would look like:
- % secchan -v -i INTERFACES ssl:192.168.1.2 --private-key=sc-privkey.pem \
+ # secchan -v -i INTERFACES ssl:192.168.1.2 --private-key=sc-privkey.pem \
--certificate=sc-cert.pem --ca-cert=pki/controllerca/cacert.pem
[*] To be specific, OpenFlow uses TLS version 1.0 or later (TLSv1), as
% ./configure --with-l24=/lib/modules/`uname -r`/build
+If you have hardware that supports accelerated OpenFlow switching, and
+you have obtained a hardware table module for your hardware and
+extracted it into the OpenFlow reference distribution source tree,
+then you may also enable building support for the hardware switching
+table with --enable-hw-tables. For example, if your hardware
+switching table is in a directory named datapath/hwtable-foomatic, you
+could compile support for it with the running Linux 2.6 kernel like
+so:
+
+ % ./configure --with-l26=/lib/modules/`uname -r`/build \
+ --enable-hw-tables=foomatic
+
+For more information about hardware table modules, please read
+README.hwtables at the root of the OpenFlow distribution tree.
+
In addition to the binaries listed under step 2 in "Building Userspace
Programs" above, "make" will build the following kernel modules:
datapath/linux-2.6/openflow_mod.ko (if --with-l26 was specified)
datapath/linux-2.4/openflow_mod.o (if --with-l24 was specified)
+"make" will also build a kernel module for each hardware switch table
+enabled with --enable-hw-tables.
+
Once you have built the kernel modules, activating them requires only
running "insmod", e.g.:
% insmod datapath/linux-2.4/compat24_mod.o
% insmod datapath/linux-2.4/openflow_mod.o
+After you load the openflow module, you may load one hardware switch
+table module (if any were built) to enable support for that hardware
+switching table.
+
The insmod program must be run as root. You may need to specify a
full path to insmod, which is usually in the /sbin directory. To
verify that the modules have been loaded, run "lsmod" (also in /sbin)
The OpenFlow kernel module must be loaded, as described in the
previous section, before it may be tested.
+0. The commands below must run as root, so log in as root, or use a
+ program such as "su" to become root temporarily.
+
1. Create a datapath instance. The command below creates a datapath with
ID 0 (see dpctl(8) for more detailed usage information).
- % dpctl adddp 0
+ # dpctl adddp 0
- (In principle, openflow_mod supports multiple datapaths within the
- same host, but this is rarely useful in practice.)
+ In principle, openflow_mod supports multiple datapaths within the
+ same host, but this is rarely useful in practice.
+
+ If you built a support module for hardware accelerated OpenFlow
+ switching and you want to use it, you must load it before creating
+ the datapath with "dpctl adddp".
2. Use dpctl to attach the datapath to physical interfaces on the
machine. Say, for example, you want to create a trivial 2-port
switch using interfaces eth1 and eth2, you would issue the following
commands:
- % dpctl addif 0 eth1
- % dpctl addif 0 eth2
+ # dpctl addif 0 eth1
+ # dpctl addif 0 eth2
You can verify that the interfaces were successfully added by asking
dpctl to print the current status of datapath 0:
- % dpctl show 0
+ # dpctl show 0
3. (Optional) You can manually add flows to the datapath to test using
dpctl add-flows and view them using dpctl dump-flows. See dpctl(8)
controller on the host machine to manage the datapath directly using
netlink:
- % controller -v nl:0
+ # controller -v nl:0
Once the controller is running, the datapath should operate like a
learning Ethernet switch. You may monitor the flows in the datapath
the controller. In the example below, the controller will bind to
port 975 (the default) awaiting connections from secure channels.
- % controller -v ptcp:
+ # controller -v ptcp:
(See controller(8) for more details)
default port) and the datapath ID is 0, the secchan invocation
would look like:
- % secchan -v nl:0 tcp:192.168.1.2
+ # secchan -v nl:0 tcp:192.168.1.2
Bug Reporting
-------------
git://git.onelab.eu / sliver-openvswitch.git / blobdiff