[ovs.git] / utilities / ovs-vsctl.8.in

.\" -*- nroff -*-
.de IQ
.  br
.  ns
.  IP "\\$1"
..
.de ST
.  PP
.  RS -0.15in
.  I "\\$1"
.  RE
.  PP
..
.TH ovs\-vsctl 8 "November 2009" "Open vSwitch" "Open vSwitch Manual"
.ds PN ovs\-vsctl
.
.SH NAME
ovs\-vsctl \- utility for querying and configuring \fBovs\-vswitchd\fR
.
.SH SYNOPSIS
\fBovs\-vsctl\fR [\fIoptions\fR] [\fB\-\-\fR] \fIcommand \fR[\fIargs\fR\&...]
[\fB\-\-\fR \fIcommand \fR[\fIargs\fR\&...]]
.
.SH DESCRIPTION
The \fBovs\-vsctl\fR program configures \fBovs\-vswitchd\fR(8) by
providing a high\-level interface to editing its configuration
database.  This program is mainly intended for use when
\fBovs\-vswitchd\fR is running.  If it is used when
\fBovs\-vswitchd\fR is not running, then \fB\-\-no\-wait\fR should be
specified and configuration changes will only take effect when
\fBovs\-vswitchd\fR is started.
.PP
By default, each time \fBovs\-vsctl\fR runs, it connects to an
\fBovsdb\-server\fR process that maintains an Open vSwitch
configuration database.  Using this connection, it queries and
possibly applies changes to the database, depending on the supplied
commands.  Then, if it applied any changes, it waits until
\fBovs\-vswitchd\fR has finished reconfiguring itself before it exits.
.PP
\fBovs\-vsctl\fR can perform any number of commands in a single run,
implemented as a single atomic transaction against the database.
Commands are separated on the command line by \fB\-\-\fR arguments.
.
.SS "Linux VLAN Bridging Compatibility"
The \fBovs\-vsctl\fR program supports the model of a bridge
implemented by Open vSwitch, in which a single bridge supports ports
on multiple VLANs.  In this model, each port on a bridge is either a
trunk port that potentially passes packets tagged with 802.1Q headers
that designate VLANs or it is assigned a single implicit VLAN that is
never tagged with an 802.1Q header.
.PP
For compatibility with software designed for the Linux bridge,
\fBovs\-vsctl\fR also supports a model in which traffic associated
with a given 802.1Q VLAN is segregated into a separate bridge.  A
special form of the \fBadd\-br\fR command (see below) creates a ``fake
bridge'' within an Open vSwitch bridge to simulate this behavior.
When such a ``fake bridge'' is active, \fBovs\-vsctl\fR will treat it
much like a bridge separate from its ``parent bridge,'' but the actual
implementation in Open vSwitch uses only a single bridge, with ports on
the fake bridge assigned the implicit VLAN of the fake bridge of which
they are members.
.
.SH OPTIONS
.
The following options affect the behavior \fBovs\-vsctl\fR as a whole.
Some individual commands also accept their own options, which are
given just before the command name.  If the first command on the
command line has options, then those options must be separated from
the global options by \fB\-\-\fR.
.
.IP "\fB\-\-db=\fIserver\fR"
Sets \fIserver\fR as the database server that \fBovs\-vsctl\fR
contacts to query or modify configuration.  The default is
\fBunix:@RUNDIR@/ovsdb\-server\fR.  \fIserver\fR must take one of the
following forms:
.RS
.so ovsdb/remote-active.man
.RE
.
.IP "\fB\-\-no\-wait\fR"
Prevents \fBovs\-vsctl\fR from waiting for \fBovs\-vswitchd\fR to
reconfigure itself according to the the modified database.  This
option should be used if \fBovs\-vswitchd\fR is not running;
otherwise, \fBovs-vsctl\fR will not exit until \fBovs-vswitchd\fR
starts.
.IP
This option has no effect if the commands specified do not change the
database.
.
.IP "\fB\-\-no\-syslog\fR"
By default, \fBovs\-vsctl\fR logs its arguments and the details of any
changes that it makes to the system log.  This option disables this
logging.
.IP
This option is equivalent to \fB\-\-verbose=vvsctl:syslog:warn\fR.
.
.IP "\fB\-\-oneline\fR"
Modifies the output format so that the output for each command is printed
on a single line.  New-line characters that would otherwise separate
lines are printed as \fB\\n\fR, and any instances of \fB\\\fR that
would otherwise appear in the output are doubled.
Prints a blank line for each command that has no output.
.
.IP "\fB\-\-dry\-run\fR"
Prevents \fBovs\-vsctl\fR from actually modifying the database.
.
.IP "\fB-t \fIsecs\fR"
.IQ "\fB--timeout=\fIsecs\fR"
Limits runtime to approximately \fIsecs\fR seconds.  A value of 
zero will cause \fBovs\-vsctl\fR to wait forever.  If the timeout expires, 
\fBovs\-vsctl\fR will exit with a \fBSIGALRM\fR signal.  If this option is
not used, \fBovs\-vsctl\fR uses a timeout of five seconds.
(A timeout would normally happen only if the database cannot be contacted.)
.
.so lib/ssl.man
.so lib/vlog.man
.
.SH COMMANDS
The commands implemented by \fBovs\-vsctl\fR are described in the
sections below.
.SS "Open vSwitch Commands"
These commands work with an Open vSwitch as a whole.
.
.IP "\fBinit\fR"
Initializes the Open vSwitch database, if it is empty.  If the
database has already been initialized, this command has no effect.
.IP
Any successful \fBovs\-vsctl\fR command automatically initializes the
Open vSwitch database if it is empty.  This command is provided to
initialize the database without executing any other command.
.
.SS "Bridge Commands"
These commands examine and manipulate Open vSwitch bridges.
.
.IP "\fBadd\-br \fIbridge\fR"
Creates a new bridge named \fIbridge\fR.  Initially the bridge will
have no ports (other than \fIbridge\fR itself).
.
.IP "\fBadd\-br \fIbridge parent vlan\fR"
Creates a ``fake bridge'' named \fIbridge\fR within the existing Open
vSwitch bridge \fIparent\fR, which must already exist and must not
itself be a fake bridge.  The new fake bridge will be on 802.1Q VLAN
\fIvlan\fR, which must be an integer between 1 and 4095.  Initially
\fIbridge\fR will have no ports (other than \fIbridge\fR itself).
.
.IP "[\fB\-\-if\-exists\fR] \fBdel\-br \fIbridge\fR"
Deletes \fIbridge\fR and all of its ports.  If \fIbridge\fR is a real
bridge, this command also deletes any fake bridges that were created
with \fIbridge\fR as parent, including all of their ports.
.IP
Without \fB\-\-if\-exists\fR, attempting to delete a bridge that does
not exist is an error.  With \fB\-\-if\-exists\fR, attempting to
delete a bridge that does not exist has no effect.
.
.IP "\fBlist\-br\fR"
Lists all existing real and fake bridges on standard output, one per
line.
.
.IP "\fBbr\-exists \fIbridge\fR"
Tests whether \fIbridge\fR exists as a real or fake bridge.  If so,
\fBovs\-vsctl\fR exits successfully with exit code 0.  If not,
\fBovs\-vsctl\fR exits unsuccessfully with exit code 2.
.
.IP "\fBbr\-to\-vlan \fIbridge\fR"
If \fIbridge\fR is a fake bridge, prints the bridge's 802.1Q VLAN as a
decimal integer.  If \fIbridge\fR is a real bridge, prints 0.
.
.IP "\fBbr\-to\-parent \fIbridge\fR"
If \fIbridge\fR is a fake bridge, prints the name of its parent
bridge.  If \fIbridge\fR is a real bridge, print \fIbridge\fR.
.
.IP "\fBbr\-set\-external\-id \fIbridge key\fR [\fIvalue\fR]"
Sets or clears an ``external ID'' value on \fIbridge\fR.  These values
are intended to identify entities external to Open vSwitch with which
\fIbridge\fR is associated, e.g. the bridge's identifier in a
virtualization management platform.  The Open vSwitch database schema
specifies well-known \fIkey\fR values, but \fIkey\fR and \fIvalue\fR
are otherwise arbitrary strings.
.IP
If \fIvalue\fR is specified, then \fIkey\fR is set to \fIvalue\fR for
\fIbridge\fR, overwriting any previous value.  If \fIvalue\fR is
omitted, then \fIkey\fR is removed from \fIbridge\fR's set of external
IDs (if it was present).
.
.IP "\fBbr\-get\-external\-id \fIbridge\fR [\fIkey\fR]"
Queries the external IDs on \fIbridge\fR.  If \fIkey\fR is specified,
the output is the value for that \fIkey\fR or the empty string if
\fIkey\fR is unset.  If \fIkey\fR is omitted, the output is
\fIkey\fB=\fIvalue\fR, one per line, for each key-value pair.
.
.SS "Port Commands"
.
These commands examine and manipulate Open vSwitch ports.  These
commands treat a bonded port as a single entity.
.
.IP "\fBlist\-ports \fIbridge\fR"
Lists all of the ports within \fIbridge\fR on standard output, one per
line.  The local port \fIbridge\fR is not included in the list.
.
.IP "\fBadd\-port \fIbridge port\fR"
Creates on \fIbridge\fR a new port named \fIport\fR from the network
device of the same name.
.
.IP "[\fB\-\-fake\-iface\fR] \fBadd\-bond \fIbridge port iface\fR\&..."
Creates on \fIbridge\fR a new port named \fIport\fR that bonds
together the network devices given as each \fIiface\fR.  At least two
interfaces must be named.
.IP
With \fB\-\-fake\-iface\fR, a fake interface with the name \fIport\fR is
created.  This should only be used for compatibility with legacy
software that requires it.
.
.IP "[\fB\-\-if\-exists\fR] \fBdel\-port \fR[\fIbridge\fR] \fIport\fR"
Deletes \fIport\fR.  If \fIbridge\fR is omitted, \fIport\fR is removed
from whatever bridge contains it; if \fIbridge\fR is specified, it
must be the real or fake bridge that contains \fIport\fR.
.IP
Without \fB\-\-if\-exists\fR, attempting to delete a port that does
not exist is an error.  With \fB\-\-if\-exists\fR, attempting to
delete a port that does not exist has no effect.
.
.IP "\fBport\-to\-br \fIport\fR"
Prints the name of the bridge that contains \fIport\fR on standard
output.
.
.IP "\fBport\-set\-external\-id \fIport key\fR [\fIvalue\fR]"
Sets or clears an ``external ID'' value on \fIport\fR.  These value
are intended to identify entities external to Open vSwitch with which
\fIport\fR is associated, e.g. the port's identifier in a
virtualization management platform.  The Open vSwitch database schema
specifies well-known \fIkey\fR values, but \fIkey\fR and \fIvalue\fR
are otherwise arbitrary strings.
.IP
If \fIvalue\fR is specified, then \fIkey\fR is set to \fIvalue\fR for
\fIport\fR, overwriting any previous value.  If \fIvalue\fR is
omitted, then \fIkey\fR is removed from \fIport\fR's set of external
IDs (if it was present).
.
.IP "\fBbr\-get\-external\-id \fIport\fR [\fIkey\fR]"
Queries the external IDs on \fIport\fR.  If \fIkey\fR is specified,
the output is the value for that \fIkey\fR or the empty string if
\fIkey\fR is unset.  If \fIkey\fR is omitted, the output is
\fIkey\fB=\fIvalue\fR, one per line, for each key-value pair.
.
.SS "Interface Commands"
.
These commands examine the interfaces attached to an Open vSwitch
bridge.  These commands treat a bonded port as a collection of two or
more interfaces, rather than as a single port.
.
.IP "\fBlist\-ifaces \fIbridge\fR"
Lists all of the interfaces within \fIbridge\fR on standard output,
one per line.  The local port \fIbridge\fR is not included in the
list.
.
.IP "\fBiface\-to\-br \fIiface\fR"
Prints the name of the bridge that contains \fIiface\fR on standard
output.
.
.IP "\fBiface\-set\-external\-id \fIiface key\fR [\fIvalue\fR]"
Sets or clears an ``external ID'' value on \fIiface\fR.  These value
are intended to identify entities external to Open vSwitch with which
\fIiface\fR is associated, e.g. the interface's identifier in a
virtualization management platform.  The Open vSwitch database schema
specifies well-known \fIkey\fR values, but \fIkey\fR and \fIvalue\fR
are otherwise arbitrary strings.
.IP
If \fIvalue\fR is specified, then \fIkey\fR is set to \fIvalue\fR for
\fIiface\fR, overwriting any previous value.  If \fIvalue\fR is
omitted, then \fIkey\fR is removed from \fIiface\fR's set of external
IDs (if it was present).
.
.IP "\fBbr\-get\-external\-id \fIiface\fR [\fIkey\fR]"
Queries the external IDs on \fIiface\fR.  If \fIkey\fR is specified,
the output is the value for that \fIkey\fR or the empty string if
\fIkey\fR is unset.  If \fIkey\fR is omitted, the output is
\fIkey\fB=\fIvalue\fR, one per line, for each key-value pair.
.
.SS "OpenFlow Controller Connectivity"
.
\fBovs\-vswitchd\fR can perform all configured bridging and switching
locally, or it can be configured to connect a given bridge to an
external OpenFlow controller, such as NOX.  
.
If a \fIbridge\fR argument is given, the settings apply only to the
specified bridge.  Otherwise, they apply to the Open vSwitch instance,
and its configuration applies to any bridge that has not been explicitly
configured through a \fIbridge\fR argument.
.
.IP "\fBget\-controller\fR [\fIbridge\fR]"
Prints the configured controller target.
.
.IP "\fBdel\-controller\fR [\fIbridge\fR]"
Deletes the configured controller target.
.
.IP "\fBset\-controller\fR [\fIbridge\fR] \fItarget\fR"
Sets the configured controller target.  The \fItarget\fR may use any of
the following forms:
.
.RS
.TP
.so lib/vconn-active.man
.RE
.
.ST "Controller Failure Settings"
.
When a controller is configured, it is, ordinarily, responsible for
setting up all flows on the switch.  Thus, if the connection to
the controller fails, no new network connections can be set up.  If
the connection to the controller stays down long enough, no packets
can pass through the switch at all.
.ST
If the value is \fBstandalone\fR, or if neither of these settings
is set, \fBovs\-vswitchd\fR will take over
responsibility for setting up
flows when no message has been received from the controller for three
times the inactivity probe interval (xxx needs to be exposed).  In this mode,
\fBovs\-vswitchd\fR causes the datapath to act like an ordinary
MAC-learning switch.  \fBovs\-vswitchd\fR will continue to retry connecting
to the controller in the background and, when the connection succeeds,
it discontinues its standalone behavior.
.ST
If this option is set to \fBsecure\fR, \fBovs\-vswitchd\fR will not
set up flows on its own when the controller connection fails.
.
.IP "\fBget\-fail\-mode\fR [\fIbridge\fR]"
Prints the configured failure mode.
.
.IP "\fBdel\-fail\-mode\fR [\fIbridge\fR]"
Deletes the configured failure mode.
.
.IP "\fBset\-fail\-mode\fR [\fIbridge\fR] \fBstandalone\fR|\fBsecure\fR"
Sets the configured failure mode.
.
.SS "SSL Configuration"
When \fBovs\-vswitchd\fR is configured to connect over SSL for management or
controller connectivity, the following parameters are required:
.TP
\fBprivate-key\fR
Specifies a PEM file containing the private key used as the virtual
switch's identity for SSL connections to the controller.
.TP
\fBcertificate\fR
Specifies a PEM file containing a certificate, signed by the
certificate authority (CA) used by the controller and manager, that
certifies the virtual switch's private key, identifying a trustworthy
switch.
.TP
\fBca-cert\fR
Specifies a PEM file containing the CA certificate used to verify that
the virtual switch is connected to a trustworthy controller.
.PP
These files are read only once, at \fBovs\-vswitchd\fR startup time.  If
their contents change, \fBovs\-vswitchd\fR must be killed and restarted.
.PP
These SSL settings apply to all SSL connections made by the virtual
switch.
.
.IP "\fBget\-ssl\fR"
Prints the SSL configuration.
.
.IP "\fBdel\-ssl\fR"
Deletes the current SSL configuration.
.
.IP "[\fB\-\-bootstrap\fR] \fBset\-ssl\fR \fIprivate-key\fR \fIcertificate\fR \fIca-cert\fR"
Sets the SSL configuration.  The \fB\-\-bootstrap\fR option is described 
below.
.
.ST "CA Certificate Bootstrap"
Ordinarily, all of the files named in the SSL configuration must exist
when \fBovs\-vswitchd\fR starts.  However, if the \fB\-\-bootstrap\fR 
option is given, then \fBovs\-vswitchd\fR will attempt to obtain the
CA certificate from the controller on its first SSL connection and
save it to the named PEM file.  If it is successful, it will
immediately drop the connection and reconnect, and from then on all
SSL connections must be authenticated by a certificate signed by the
CA certificate thus obtained.
.PP
\fBThis option exposes the SSL connection to a man-in-the-middle
attack obtaining the initial CA certificate\fR, but it may be useful
for bootstrapping.
.PP
This option is only useful if the controller sends its CA certificate
as part of the SSL certificate chain.  The SSL protocol does not
require the controller to send the CA certificate, but
\fBcontroller\fR(8) can be configured to do so with the
\fB--peer-ca-cert\fR option.
.
.SH "EXAMPLES"
Create a new bridge named br0 and add port eth0 to it:
.IP
.B "ovs-vsctl add\-br br0"
.br
.B "ovs-vsctl add\-port br0 eth0"
.PP
Alternatively, perform both operations in a single atomic transaction:
.IP 
.B "ovs-vsctl add\-br br0 \-\- add\-port br0 eth0"
.PP
Delete bridge \fBbr0\fR, reporting an error if it does not exist:
.IP
.B "ovs\-vsctl del\-br br0"
.PP
Delete bridge \fBbr0\fR if it exists (the \fB\-\-\fR is required to
separate \fBdel\-br\fR's options from the global options):
.IP
.B "ovs\-vsctl \-\- \-\-if\-exists del\-br br0"
.
.SH "EXIT STATUS"
.IP "0"
Successful program execution.
.IP "1"
Usage, syntax, or configuration file error.
.IP "2"
The \fIbridge\fR argument to \fBbr\-exists\fR specified the name of a
bridge that does not exist.
.SH "SEE ALSO"
.
.BR ovsdb\-server (1),
.BR ovs\-vswitchd (8).
Commit	Line	Data
3b135da3 BP	1	.\" -- nroff --
	2	.de IQ
	3	. br
	4	. ns
	5	. IP "\\$1"
	6	..
5aa00635 JP	7	.de ST
	8	. PP
	9	. RS -0.15in
	10	. I "\\$1"
	11	. RE
	12	. PP
	13	..
3fbe1d30	14	.TH ovs\-vsctl 8 "November 2009" "Open vSwitch" "Open vSwitch Manual"
3b135da3 BP	15	.ds PN ovs\-vsctl
	16	.
	17	.SH NAME
	18	ovs\-vsctl \- utility for querying and configuring \fBovs\-vswitchd\fR
	19	.
	20	.SH SYNOPSIS
460aad80	21	\fBovs\-vsctl\fR [\fIoptions\fR] [\fB\-\-\fR] \fIcommand \fR[\fIargs\fR\&...]
4d14e30f	22	[\fB\-\-\fR \fIcommand \fR[\fIargs\fR\&...]]
3b135da3 BP	23	.
3b135da3 BP	24	.SH DESCRIPTION
dfbe07ba BP	25	The \fBovs\-vsctl\fR program configures \fBovs\-vswitchd\fR(8) by
	26	providing a high\-level interface to editing its configuration
	27	database. This program is mainly intended for use when
	28	\fBovs\-vswitchd\fR is running. If it is used when
	29	\fBovs\-vswitchd\fR is not running, then \fB\-\-no\-wait\fR should be
	30	specified and configuration changes will only take effect when
	31	\fBovs\-vswitchd\fR is started.
3b135da3	32	.PP
dfbe07ba BP	33	By default, each time \fBovs\-vsctl\fR runs, it connects to an
	34	\fBovsdb\-server\fR process that maintains an Open vSwitch
	35	configuration database. Using this connection, it queries and
	36	possibly applies changes to the database, depending on the supplied
	37	commands. Then, if it applied any changes, it waits until
	38	\fBovs\-vswitchd\fR has finished reconfiguring itself before it exits.
460aad80 BP	39	.PP
	40	\fBovs\-vsctl\fR can perform any number of commands in a single run,
	41	implemented as a single atomic transaction against the database.
	42	Commands are separated on the command line by \fB\-\-\fR arguments.
3b135da3 BP	43	.
	44	.SS "Linux VLAN Bridging Compatibility"
	45	The \fBovs\-vsctl\fR program supports the model of a bridge
	46	implemented by Open vSwitch, in which a single bridge supports ports
	47	on multiple VLANs. In this model, each port on a bridge is either a
	48	trunk port that potentially passes packets tagged with 802.1Q headers
	49	that designate VLANs or it is assigned a single implicit VLAN that is
	50	never tagged with an 802.1Q header.
	51	.PP
	52	For compatibility with software designed for the Linux bridge,
	53	\fBovs\-vsctl\fR also supports a model in which traffic associated
	54	with a given 802.1Q VLAN is segregated into a separate bridge. A
	55	special form of the \fBadd\-br\fR command (see below) creates a ``fake
	56	bridge'' within an Open vSwitch bridge to simulate this behavior.
	57	When such a ``fake bridge'' is active, \fBovs\-vsctl\fR will treat it
	58	much like a bridge separate from its ``parent bridge,'' but the actual
	59	implementation in Open vSwitch uses only a single bridge, with ports on
	60	the fake bridge assigned the implicit VLAN of the fake bridge of which
	61	they are members.
	62	.
	63	.SH OPTIONS
	64	.
460aad80 BP	65	The following options affect the behavior \fBovs\-vsctl\fR as a whole.
	66	Some individual commands also accept their own options, which are
	67	given just before the command name. If the first command on the
	68	command line has options, then those options must be separated from
	69	the global options by \fB\-\-\fR.
3b135da3	70	.
dfbe07ba BP	71	.IP "\fB\-\-db=\fIserver\fR"
	72	Sets \fIserver\fR as the database server that \fBovs\-vsctl\fR
	73	contacts to query or modify configuration. The default is
	74	\fBunix:@RUNDIR@/ovsdb\-server\fR. \fIserver\fR must take one of the
	75	following forms:
	76	.RS
9467fe62	77	.so ovsdb/remote-active.man
dfbe07ba	78	.RE
9467fe62	79	.
dfbe07ba BP	80	.IP "\fB\-\-no\-wait\fR"
	81	Prevents \fBovs\-vsctl\fR from waiting for \fBovs\-vswitchd\fR to
	82	reconfigure itself according to the the modified database. This
	83	option should be used if \fBovs\-vswitchd\fR is not running;
	84	otherwise, \fBovs-vsctl\fR will not exit until \fBovs-vswitchd\fR
	85	starts.
3b135da3	86	.IP
dfbe07ba BP	87	This option has no effect if the commands specified do not change the
dfbe07ba BP	88	database.
3b135da3	89	.
37c84020 BP	90	.IP "\fB\-\-no\-syslog\fR"
	91	By default, \fBovs\-vsctl\fR logs its arguments and the details of any
	92	changes that it makes to the system log. This option disables this
	93	logging.
dfbe07ba BP	94	.IP
	95	This option is equivalent to \fB\-\-verbose=vvsctl:syslog:warn\fR.
	96	.
2792c2ad	97	.IP "\fB\-\-oneline\fR"
4d14e30f	98	Modifies the output format so that the output for each command is printed
2792c2ad	99	on a single line. New-line characters that would otherwise separate
4d14e30f	100	lines are printed as \fB\\n\fR, and any instances of \fB\\\fR that
2792c2ad	101	would otherwise appear in the output are doubled.
4d14e30f	102	Prints a blank line for each command that has no output.
37c84020	103	.
577aebdf BP	104	.IP "\fB\-\-dry\-run\fR"
	105	Prevents \fBovs\-vsctl\fR from actually modifying the database.
	106	.
342045e1 BP	107	.IP "\fB-t \fIsecs\fR"
342045e1 BP	108	.IQ "\fB--timeout=\fIsecs\fR"
a39a859a JP	109	Limits runtime to approximately \fIsecs\fR seconds. A value of
	110	zero will cause \fBovs\-vsctl\fR to wait forever. If the timeout expires,
	111	\fBovs\-vsctl\fR will exit with a \fBSIGALRM\fR signal. If this option is
	112	not used, \fBovs\-vsctl\fR uses a timeout of five seconds.
	113	(A timeout would normally happen only if the database cannot be contacted.)
342045e1	114	.
84ee7bcf	115	.so lib/ssl.man
dfbe07ba BP	116	.so lib/vlog.man
dfbe07ba BP	117	.
3b135da3 BP	118	.SH COMMANDS
	119	The commands implemented by \fBovs\-vsctl\fR are described in the
	120	sections below.
524555d1 BP	121	.SS "Open vSwitch Commands"
	122	These commands work with an Open vSwitch as a whole.
	123	.
	124	.IP "\fBinit\fR"
	125	Initializes the Open vSwitch database, if it is empty. If the
	126	database has already been initialized, this command has no effect.
	127	.IP
	128	Any successful \fBovs\-vsctl\fR command automatically initializes the
	129	Open vSwitch database if it is empty. This command is provided to
	130	initialize the database without executing any other command.
3b135da3 BP	131	.
	132	.SS "Bridge Commands"
	133	These commands examine and manipulate Open vSwitch bridges.
	134	.
	135	.IP "\fBadd\-br \fIbridge\fR"
	136	Creates a new bridge named \fIbridge\fR. Initially the bridge will
	137	have no ports (other than \fIbridge\fR itself).
	138	.
	139	.IP "\fBadd\-br \fIbridge parent vlan\fR"
	140	Creates a ``fake bridge'' named \fIbridge\fR within the existing Open
	141	vSwitch bridge \fIparent\fR, which must already exist and must not
	142	itself be a fake bridge. The new fake bridge will be on 802.1Q VLAN
	143	\fIvlan\fR, which must be an integer between 1 and 4095. Initially
	144	\fIbridge\fR will have no ports (other than \fIbridge\fR itself).
	145	.
460aad80	146	.IP "[\fB\-\-if\-exists\fR] \fBdel\-br \fIbridge\fR"
3b135da3 BP	147	Deletes \fIbridge\fR and all of its ports. If \fIbridge\fR is a real
	148	bridge, this command also deletes any fake bridges that were created
	149	with \fIbridge\fR as parent, including all of their ports.
460aad80 BP	150	.IP
	151	Without \fB\-\-if\-exists\fR, attempting to delete a bridge that does
	152	not exist is an error. With \fB\-\-if\-exists\fR, attempting to
	153	delete a bridge that does not exist has no effect.
3b135da3 BP	154	.
	155	.IP "\fBlist\-br\fR"
	156	Lists all existing real and fake bridges on standard output, one per
	157	line.
	158	.
	159	.IP "\fBbr\-exists \fIbridge\fR"
	160	Tests whether \fIbridge\fR exists as a real or fake bridge. If so,
	161	\fBovs\-vsctl\fR exits successfully with exit code 0. If not,
	162	\fBovs\-vsctl\fR exits unsuccessfully with exit code 2.
	163	.
8e58fa9a BP	164	.IP "\fBbr\-to\-vlan \fIbridge\fR"
	165	If \fIbridge\fR is a fake bridge, prints the bridge's 802.1Q VLAN as a
	166	decimal integer. If \fIbridge\fR is a real bridge, prints 0.
	167	.
	168	.IP "\fBbr\-to\-parent \fIbridge\fR"
	169	If \fIbridge\fR is a fake bridge, prints the name of its parent
	170	bridge. If \fIbridge\fR is a real bridge, print \fIbridge\fR.
	171	.
457e1eb0 BP	172	.IP "\fBbr\-set\-external\-id \fIbridge key\fR [\fIvalue\fR]"
	173	Sets or clears an ``external ID'' value on \fIbridge\fR. These values
	174	are intended to identify entities external to Open vSwitch with which
	175	\fIbridge\fR is associated, e.g. the bridge's identifier in a
	176	virtualization management platform. The Open vSwitch database schema
	177	specifies well-known \fIkey\fR values, but \fIkey\fR and \fIvalue\fR
	178	are otherwise arbitrary strings.
	179	.IP
	180	If \fIvalue\fR is specified, then \fIkey\fR is set to \fIvalue\fR for
	181	\fIbridge\fR, overwriting any previous value. If \fIvalue\fR is
	182	omitted, then \fIkey\fR is removed from \fIbridge\fR's set of external
	183	IDs (if it was present).
	184	.
	185	.IP "\fBbr\-get\-external\-id \fIbridge\fR [\fIkey\fR]"
	186	Queries the external IDs on \fIbridge\fR. If \fIkey\fR is specified,
	187	the output is the value for that \fIkey\fR or the empty string if
	188	\fIkey\fR is unset. If \fIkey\fR is omitted, the output is
	189	\fIkey\fB=\fIvalue\fR, one per line, for each key-value pair.
	190	.
3b135da3 BP	191	.SS "Port Commands"
	192	.
	193	These commands examine and manipulate Open vSwitch ports. These
	194	commands treat a bonded port as a single entity.
	195	.
	196	.IP "\fBlist\-ports \fIbridge\fR"
	197	Lists all of the ports within \fIbridge\fR on standard output, one per
	198	line. The local port \fIbridge\fR is not included in the list.
	199	.
	200	.IP "\fBadd\-port \fIbridge port\fR"
	201	Creates on \fIbridge\fR a new port named \fIport\fR from the network
	202	device of the same name.
	203	.
b4182c7f	204	.IP "[\fB\-\-fake\-iface\fR] \fBadd\-bond \fIbridge port iface\fR\&..."
3b135da3 BP	205	Creates on \fIbridge\fR a new port named \fIport\fR that bonds
	206	together the network devices given as each \fIiface\fR. At least two
	207	interfaces must be named.
b4182c7f JP	208	.IP
	209	With \fB\-\-fake\-iface\fR, a fake interface with the name \fIport\fR is
	210	created. This should only be used for compatibility with legacy
	211	software that requires it.
3b135da3	212	.
460aad80	213	.IP "[\fB\-\-if\-exists\fR] \fBdel\-port \fR[\fIbridge\fR] \fIport\fR"
3d1b9636 BP	214	Deletes \fIport\fR. If \fIbridge\fR is omitted, \fIport\fR is removed
	215	from whatever bridge contains it; if \fIbridge\fR is specified, it
	216	must be the real or fake bridge that contains \fIport\fR.
460aad80 BP	217	.IP
	218	Without \fB\-\-if\-exists\fR, attempting to delete a port that does
	219	not exist is an error. With \fB\-\-if\-exists\fR, attempting to
	220	delete a port that does not exist has no effect.
3b135da3 BP	221	.
	222	.IP "\fBport\-to\-br \fIport\fR"
	223	Prints the name of the bridge that contains \fIport\fR on standard
	224	output.
	225	.
457e1eb0 BP	226	.IP "\fBport\-set\-external\-id \fIport key\fR [\fIvalue\fR]"
	227	Sets or clears an ``external ID'' value on \fIport\fR. These value
	228	are intended to identify entities external to Open vSwitch with which
	229	\fIport\fR is associated, e.g. the port's identifier in a
	230	virtualization management platform. The Open vSwitch database schema
	231	specifies well-known \fIkey\fR values, but \fIkey\fR and \fIvalue\fR
	232	are otherwise arbitrary strings.
	233	.IP
	234	If \fIvalue\fR is specified, then \fIkey\fR is set to \fIvalue\fR for
	235	\fIport\fR, overwriting any previous value. If \fIvalue\fR is
	236	omitted, then \fIkey\fR is removed from \fIport\fR's set of external
	237	IDs (if it was present).
	238	.
	239	.IP "\fBbr\-get\-external\-id \fIport\fR [\fIkey\fR]"
	240	Queries the external IDs on \fIport\fR. If \fIkey\fR is specified,
	241	the output is the value for that \fIkey\fR or the empty string if
	242	\fIkey\fR is unset. If \fIkey\fR is omitted, the output is
	243	\fIkey\fB=\fIvalue\fR, one per line, for each key-value pair.
	244	.
3b135da3 BP	245	.SS "Interface Commands"
	246	.
	247	These commands examine the interfaces attached to an Open vSwitch
	248	bridge. These commands treat a bonded port as a collection of two or
	249	more interfaces, rather than as a single port.
	250	.
	251	.IP "\fBlist\-ifaces \fIbridge\fR"
	252	Lists all of the interfaces within \fIbridge\fR on standard output,
	253	one per line. The local port \fIbridge\fR is not included in the
	254	list.
	255	.
	256	.IP "\fBiface\-to\-br \fIiface\fR"
	257	Prints the name of the bridge that contains \fIiface\fR on standard
	258	output.
457e1eb0 BP	259	.
	260	.IP "\fBiface\-set\-external\-id \fIiface key\fR [\fIvalue\fR]"
	261	Sets or clears an ``external ID'' value on \fIiface\fR. These value
	262	are intended to identify entities external to Open vSwitch with which
	263	\fIiface\fR is associated, e.g. the interface's identifier in a
	264	virtualization management platform. The Open vSwitch database schema
	265	specifies well-known \fIkey\fR values, but \fIkey\fR and \fIvalue\fR
	266	are otherwise arbitrary strings.
	267	.IP
	268	If \fIvalue\fR is specified, then \fIkey\fR is set to \fIvalue\fR for
	269	\fIiface\fR, overwriting any previous value. If \fIvalue\fR is
	270	omitted, then \fIkey\fR is removed from \fIiface\fR's set of external
	271	IDs (if it was present).
	272	.
	273	.IP "\fBbr\-get\-external\-id \fIiface\fR [\fIkey\fR]"
	274	Queries the external IDs on \fIiface\fR. If \fIkey\fR is specified,
	275	the output is the value for that \fIkey\fR or the empty string if
	276	\fIkey\fR is unset. If \fIkey\fR is omitted, the output is
	277	\fIkey\fB=\fIvalue\fR, one per line, for each key-value pair.
	278	.
5aa00635 JP	279	.SS "OpenFlow Controller Connectivity"
	280	.
	281	\fBovs\-vswitchd\fR can perform all configured bridging and switching
	282	locally, or it can be configured to connect a given bridge to an
	283	external OpenFlow controller, such as NOX.
	284	.
	285	If a \fIbridge\fR argument is given, the settings apply only to the
	286	specified bridge. Otherwise, they apply to the Open vSwitch instance,
	287	and its configuration applies to any bridge that has not been explicitly
	288	configured through a \fIbridge\fR argument.
	289	.
	290	.IP "\fBget\-controller\fR [\fIbridge\fR]"
	291	Prints the configured controller target.
	292	.
	293	.IP "\fBdel\-controller\fR [\fIbridge\fR]"
	294	Deletes the configured controller target.
	295	.
	296	.IP "\fBset\-controller\fR [\fIbridge\fR] \fItarget\fR"
	297	Sets the configured controller target. The \fItarget\fR may use any of
	298	the following forms:
	299	.
	300	.RS
	301	.TP
84ee7bcf	302	.so lib/vconn-active.man
5aa00635	303	.RE
84ee7bcf	304	.
5aa00635 JP	305	.ST "Controller Failure Settings"
	306	.
	307	When a controller is configured, it is, ordinarily, responsible for
	308	setting up all flows on the switch. Thus, if the connection to
	309	the controller fails, no new network connections can be set up. If
	310	the connection to the controller stays down long enough, no packets
	311	can pass through the switch at all.
	312	.ST
	313	If the value is \fBstandalone\fR, or if neither of these settings
	314	is set, \fBovs\-vswitchd\fR will take over
	315	responsibility for setting up
	316	flows when no message has been received from the controller for three
	317	times the inactivity probe interval (xxx needs to be exposed). In this mode,
	318	\fBovs\-vswitchd\fR causes the datapath to act like an ordinary
	319	MAC-learning switch. \fBovs\-vswitchd\fR will continue to retry connecting
	320	to the controller in the background and, when the connection succeeds,
	321	it discontinues its standalone behavior.
	322	.ST
	323	If this option is set to \fBsecure\fR, \fBovs\-vswitchd\fR will not
	324	set up flows on its own when the controller connection fails.
	325	.
	326	.IP "\fBget\-fail\-mode\fR [\fIbridge\fR]"
	327	Prints the configured failure mode.
	328	.
	329	.IP "\fBdel\-fail\-mode\fR [\fIbridge\fR]"
	330	Deletes the configured failure mode.
	331	.
	332	.IP "\fBset\-fail\-mode\fR [\fIbridge\fR] \fBstandalone\fR\|\fBsecure\fR"
	333	Sets the configured failure mode.
	334	.
dd8ac6fe JP	335	.SS "SSL Configuration"
	336	When \fBovs\-vswitchd\fR is configured to connect over SSL for management or
	337	controller connectivity, the following parameters are required:
	338	.TP
	339	\fBprivate-key\fR
	340	Specifies a PEM file containing the private key used as the virtual
	341	switch's identity for SSL connections to the controller.
	342	.TP
	343	\fBcertificate\fR
	344	Specifies a PEM file containing a certificate, signed by the
	345	certificate authority (CA) used by the controller and manager, that
	346	certifies the virtual switch's private key, identifying a trustworthy
	347	switch.
	348	.TP
	349	\fBca-cert\fR
	350	Specifies a PEM file containing the CA certificate used to verify that
	351	the virtual switch is connected to a trustworthy controller.
	352	.PP
	353	These files are read only once, at \fBovs\-vswitchd\fR startup time. If
	354	their contents change, \fBovs\-vswitchd\fR must be killed and restarted.
	355	.PP
	356	These SSL settings apply to all SSL connections made by the virtual
	357	switch.
	358	.
	359	.IP "\fBget\-ssl\fR"
	360	Prints the SSL configuration.
	361	.
	362	.IP "\fBdel\-ssl\fR"
	363	Deletes the current SSL configuration.
	364	.
	365	.IP "[\fB\-\-bootstrap\fR] \fBset\-ssl\fR \fIprivate-key\fR \fIcertificate\fR \fIca-cert\fR"
	366	Sets the SSL configuration. The \fB\-\-bootstrap\fR option is described
	367	below.
	368	.
	369	.ST "CA Certificate Bootstrap"
	370	Ordinarily, all of the files named in the SSL configuration must exist
	371	when \fBovs\-vswitchd\fR starts. However, if the \fB\-\-bootstrap\fR
	372	option is given, then \fBovs\-vswitchd\fR will attempt to obtain the
	373	CA certificate from the controller on its first SSL connection and
	374	save it to the named PEM file. If it is successful, it will
	375	immediately drop the connection and reconnect, and from then on all
	376	SSL connections must be authenticated by a certificate signed by the
	377	CA certificate thus obtained.
	378	.PP
	379	\fBThis option exposes the SSL connection to a man-in-the-middle
	380	attack obtaining the initial CA certificate\fR, but it may be useful
	381	for bootstrapping.
	382	.PP
	383	This option is only useful if the controller sends its CA certificate
	384	as part of the SSL certificate chain. The SSL protocol does not
	385	require the controller to send the CA certificate, but
	386	\fBcontroller\fR(8) can be configured to do so with the
	387	\fB--peer-ca-cert\fR option.
	388	.
4d14e30f BP	389	.SH "EXAMPLES"
	390	Create a new bridge named br0 and add port eth0 to it:
	391	.IP
	392	.B "ovs-vsctl add\-br br0"
	393	.br
	394	.B "ovs-vsctl add\-port br0 eth0"
	395	.PP
	396	Alternatively, perform both operations in a single atomic transaction:
	397	.IP
	398	.B "ovs-vsctl add\-br br0 \-\- add\-port br0 eth0"
460aad80 BP	399	.PP
	400	Delete bridge \fBbr0\fR, reporting an error if it does not exist:
	401	.IP
	402	.B "ovs\-vsctl del\-br br0"
	403	.PP
	404	Delete bridge \fBbr0\fR if it exists (the \fB\-\-\fR is required to
	405	separate \fBdel\-br\fR's options from the global options):
	406	.IP
	407	.B "ovs\-vsctl \-\- \-\-if\-exists del\-br br0"
3b135da3 BP	408	.
	409	.SH "EXIT STATUS"
	410	.IP "0"
	411	Successful program execution.
	412	.IP "1"
	413	Usage, syntax, or configuration file error.
	414	.IP "2"
	415	The \fIbridge\fR argument to \fBbr\-exists\fR specified the name of a
	416	bridge that does not exist.
	417	.SH "SEE ALSO"
	418	.
dfbe07ba	419	.BR ovsdb\-server (1),
3b135da3	420	.BR ovs\-vswitchd (8).