[ovs.git] / utilities / ovs-vsctl.8.in

.\" -*- nroff -*-
.de IQ
.  br
.  ns
.  IP "\\$1"
..
.de ST
.  PP
.  RS -0.15in
.  I "\\$1"
.  RE
.  PP
..
.TH ovs\-vsctl 8 "November 2009" "Open vSwitch" "Open vSwitch Manual"
.ds PN ovs\-vsctl
.
.SH NAME
ovs\-vsctl \- utility for querying and configuring \fBovs\-vswitchd\fR
.
.SH SYNOPSIS
\fBovs\-vsctl\fR [\fIoptions\fR] [\fB\-\-\fR] \fIcommand \fR[\fIargs\fR\&...]
[\fB\-\-\fR \fIcommand \fR[\fIargs\fR\&...]]
.
.SH DESCRIPTION
The \fBovs\-vsctl\fR program configures \fBovs\-vswitchd\fR(8) by
providing a high\-level interface to editing its configuration
database.  This program is mainly intended for use when
\fBovs\-vswitchd\fR is running.  If it is used when
\fBovs\-vswitchd\fR is not running, then \fB\-\-no\-wait\fR should be
specified and configuration changes will only take effect when
\fBovs\-vswitchd\fR is started.
.PP
By default, each time \fBovs\-vsctl\fR runs, it connects to an
\fBovsdb\-server\fR process that maintains an Open vSwitch
configuration database.  Using this connection, it queries and
possibly applies changes to the database, depending on the supplied
commands.  Then, if it applied any changes, it waits until
\fBovs\-vswitchd\fR has finished reconfiguring itself before it exits.
.PP
\fBovs\-vsctl\fR can perform any number of commands in a single run,
implemented as a single atomic transaction against the database.
Commands are separated on the command line by \fB\-\-\fR arguments.
.
.SS "Linux VLAN Bridging Compatibility"
The \fBovs\-vsctl\fR program supports the model of a bridge
implemented by Open vSwitch, in which a single bridge supports ports
on multiple VLANs.  In this model, each port on a bridge is either a
trunk port that potentially passes packets tagged with 802.1Q headers
that designate VLANs or it is assigned a single implicit VLAN that is
never tagged with an 802.1Q header.
.PP
For compatibility with software designed for the Linux bridge,
\fBovs\-vsctl\fR also supports a model in which traffic associated
with a given 802.1Q VLAN is segregated into a separate bridge.  A
special form of the \fBadd\-br\fR command (see below) creates a ``fake
bridge'' within an Open vSwitch bridge to simulate this behavior.
When such a ``fake bridge'' is active, \fBovs\-vsctl\fR will treat it
much like a bridge separate from its ``parent bridge,'' but the actual
implementation in Open vSwitch uses only a single bridge, with ports on
the fake bridge assigned the implicit VLAN of the fake bridge of which
they are members.
.
.SH OPTIONS
.
The following options affect the behavior \fBovs\-vsctl\fR as a whole.
Some individual commands also accept their own options, which are
given just before the command name.  If the first command on the
command line has options, then those options must be separated from
the global options by \fB\-\-\fR.
.
.IP "\fB\-\-db=\fIserver\fR"
Sets \fIserver\fR as the database server that \fBovs\-vsctl\fR
contacts to query or modify configuration.  The default is
\fBunix:@RUNDIR@/ovsdb\-server\fR.  \fIserver\fR must take one of the
following forms:
.RS
.so ovsdb/remote-active.man
.RE
.
.IP "\fB\-\-no\-wait\fR"
Prevents \fBovs\-vsctl\fR from waiting for \fBovs\-vswitchd\fR to
reconfigure itself according to the the modified database.  This
option should be used if \fBovs\-vswitchd\fR is not running;
otherwise, \fBovs-vsctl\fR will not exit until \fBovs-vswitchd\fR
starts.
.IP
This option has no effect if the commands specified do not change the
database.
.
.IP "\fB\-\-no\-syslog\fR"
By default, \fBovs\-vsctl\fR logs its arguments and the details of any
changes that it makes to the system log.  This option disables this
logging.
.IP
This option is equivalent to \fB\-\-verbose=vvsctl:syslog:warn\fR.
.
.IP "\fB\-\-oneline\fR"
Modifies the output format so that the output for each command is printed
on a single line.  New-line characters that would otherwise separate
lines are printed as \fB\\n\fR, and any instances of \fB\\\fR that
would otherwise appear in the output are doubled.
Prints a blank line for each command that has no output.
.
.IP "\fB\-\-dry\-run\fR"
Prevents \fBovs\-vsctl\fR from actually modifying the database.
.
.IP "\fB-t \fIsecs\fR"
.IQ "\fB--timeout=\fIsecs\fR"
Limits runtime to approximately \fIsecs\fR seconds.  A value of 
zero will cause \fBovs\-vsctl\fR to wait forever.  If the timeout expires, 
\fBovs\-vsctl\fR will exit with a \fBSIGALRM\fR signal.  If this option is
not used, \fBovs\-vsctl\fR uses a timeout of five seconds.
(A timeout would normally happen only if the database cannot be contacted.)
.
.so lib/ssl.man
.so lib/vlog.man
.
.SH COMMANDS
The commands implemented by \fBovs\-vsctl\fR are described in the
sections below.
.SS "Open vSwitch Commands"
These commands work with an Open vSwitch as a whole.
.
.IP "\fBinit\fR"
Initializes the Open vSwitch database, if it is empty.  If the
database has already been initialized, this command has no effect.
.IP
Any successful \fBovs\-vsctl\fR command automatically initializes the
Open vSwitch database if it is empty.  This command is provided to
initialize the database without executing any other command.
.
.SS "Bridge Commands"
These commands examine and manipulate Open vSwitch bridges.
.
.IP "\fBadd\-br \fIbridge\fR"
Creates a new bridge named \fIbridge\fR.  Initially the bridge will
have no ports (other than \fIbridge\fR itself).
.
.IP "\fBadd\-br \fIbridge parent vlan\fR"
Creates a ``fake bridge'' named \fIbridge\fR within the existing Open
vSwitch bridge \fIparent\fR, which must already exist and must not
itself be a fake bridge.  The new fake bridge will be on 802.1Q VLAN
\fIvlan\fR, which must be an integer between 1 and 4095.  Initially
\fIbridge\fR will have no ports (other than \fIbridge\fR itself).
.
.IP "[\fB\-\-if\-exists\fR] \fBdel\-br \fIbridge\fR"
Deletes \fIbridge\fR and all of its ports.  If \fIbridge\fR is a real
bridge, this command also deletes any fake bridges that were created
with \fIbridge\fR as parent, including all of their ports.
.IP
Without \fB\-\-if\-exists\fR, attempting to delete a bridge that does
not exist is an error.  With \fB\-\-if\-exists\fR, attempting to
delete a bridge that does not exist has no effect.
.
.IP "\fBlist\-br\fR"
Lists all existing real and fake bridges on standard output, one per
line.
.
.IP "\fBbr\-exists \fIbridge\fR"
Tests whether \fIbridge\fR exists as a real or fake bridge.  If so,
\fBovs\-vsctl\fR exits successfully with exit code 0.  If not,
\fBovs\-vsctl\fR exits unsuccessfully with exit code 2.
.
.IP "\fBbr\-to\-vlan \fIbridge\fR"
If \fIbridge\fR is a fake bridge, prints the bridge's 802.1Q VLAN as a
decimal integer.  If \fIbridge\fR is a real bridge, prints 0.
.
.IP "\fBbr\-to\-parent \fIbridge\fR"
If \fIbridge\fR is a fake bridge, prints the name of its parent
bridge.  If \fIbridge\fR is a real bridge, print \fIbridge\fR.
.
.IP "\fBbr\-set\-external\-id \fIbridge key\fR [\fIvalue\fR]"
Sets or clears an ``external ID'' value on \fIbridge\fR.  These values
are intended to identify entities external to Open vSwitch with which
\fIbridge\fR is associated, e.g. the bridge's identifier in a
virtualization management platform.  The Open vSwitch database schema
specifies well-known \fIkey\fR values, but \fIkey\fR and \fIvalue\fR
are otherwise arbitrary strings.
.IP
If \fIvalue\fR is specified, then \fIkey\fR is set to \fIvalue\fR for
\fIbridge\fR, overwriting any previous value.  If \fIvalue\fR is
omitted, then \fIkey\fR is removed from \fIbridge\fR's set of external
IDs (if it was present).
.
.IP "\fBbr\-get\-external\-id \fIbridge\fR [\fIkey\fR]"
Queries the external IDs on \fIbridge\fR.  If \fIkey\fR is specified,
the output is the value for that \fIkey\fR or the empty string if
\fIkey\fR is unset.  If \fIkey\fR is omitted, the output is
\fIkey\fB=\fIvalue\fR, one per line, for each key-value pair.
.
.SS "Port Commands"
.
These commands examine and manipulate Open vSwitch ports.  These
commands treat a bonded port as a single entity.
.
.IP "\fBlist\-ports \fIbridge\fR"
Lists all of the ports within \fIbridge\fR on standard output, one per
line.  The local port \fIbridge\fR is not included in the list.
.
.IP "\fBadd\-port \fIbridge port\fR"
Creates on \fIbridge\fR a new port named \fIport\fR from the network
device of the same name.
.
.IP "\fBadd\-bond \fIbridge port iface\fR\&..."
Creates on \fIbridge\fR a new port named \fIport\fR that bonds
together the network devices given as each \fIiface\fR.  At least two
interfaces must be named.
.
.IP "[\fB\-\-if\-exists\fR] \fBdel\-port \fR[\fIbridge\fR] \fIport\fR"
Deletes \fIport\fR.  If \fIbridge\fR is omitted, \fIport\fR is removed
from whatever bridge contains it; if \fIbridge\fR is specified, it
must be the real or fake bridge that contains \fIport\fR.
.IP
Without \fB\-\-if\-exists\fR, attempting to delete a port that does
not exist is an error.  With \fB\-\-if\-exists\fR, attempting to
delete a port that does not exist has no effect.
.
.IP "\fBport\-to\-br \fIport\fR"
Prints the name of the bridge that contains \fIport\fR on standard
output.
.
.IP "\fBport\-set\-external\-id \fIport key\fR [\fIvalue\fR]"
Sets or clears an ``external ID'' value on \fIport\fR.  These value
are intended to identify entities external to Open vSwitch with which
\fIport\fR is associated, e.g. the port's identifier in a
virtualization management platform.  The Open vSwitch database schema
specifies well-known \fIkey\fR values, but \fIkey\fR and \fIvalue\fR
are otherwise arbitrary strings.
.IP
If \fIvalue\fR is specified, then \fIkey\fR is set to \fIvalue\fR for
\fIport\fR, overwriting any previous value.  If \fIvalue\fR is
omitted, then \fIkey\fR is removed from \fIport\fR's set of external
IDs (if it was present).
.
.IP "\fBbr\-get\-external\-id \fIport\fR [\fIkey\fR]"
Queries the external IDs on \fIport\fR.  If \fIkey\fR is specified,
the output is the value for that \fIkey\fR or the empty string if
\fIkey\fR is unset.  If \fIkey\fR is omitted, the output is
\fIkey\fB=\fIvalue\fR, one per line, for each key-value pair.
.
.SS "Interface Commands"
.
These commands examine the interfaces attached to an Open vSwitch
bridge.  These commands treat a bonded port as a collection of two or
more interfaces, rather than as a single port.
.
.IP "\fBlist\-ifaces \fIbridge\fR"
Lists all of the interfaces within \fIbridge\fR on standard output,
one per line.  The local port \fIbridge\fR is not included in the
list.
.
.IP "\fBiface\-to\-br \fIiface\fR"
Prints the name of the bridge that contains \fIiface\fR on standard
output.
.
.IP "\fBiface\-set\-external\-id \fIiface key\fR [\fIvalue\fR]"
Sets or clears an ``external ID'' value on \fIiface\fR.  These value
are intended to identify entities external to Open vSwitch with which
\fIiface\fR is associated, e.g. the interface's identifier in a
virtualization management platform.  The Open vSwitch database schema
specifies well-known \fIkey\fR values, but \fIkey\fR and \fIvalue\fR
are otherwise arbitrary strings.
.IP
If \fIvalue\fR is specified, then \fIkey\fR is set to \fIvalue\fR for
\fIiface\fR, overwriting any previous value.  If \fIvalue\fR is
omitted, then \fIkey\fR is removed from \fIiface\fR's set of external
IDs (if it was present).
.
.IP "\fBbr\-get\-external\-id \fIiface\fR [\fIkey\fR]"
Queries the external IDs on \fIiface\fR.  If \fIkey\fR is specified,
the output is the value for that \fIkey\fR or the empty string if
\fIkey\fR is unset.  If \fIkey\fR is omitted, the output is
\fIkey\fB=\fIvalue\fR, one per line, for each key-value pair.
.
.SS "OpenFlow Controller Connectivity"
.
\fBovs\-vswitchd\fR can perform all configured bridging and switching
locally, or it can be configured to connect a given bridge to an
external OpenFlow controller, such as NOX.  
.
If a \fIbridge\fR argument is given, the settings apply only to the
specified bridge.  Otherwise, they apply to the Open vSwitch instance,
and its configuration applies to any bridge that has not been explicitly
configured through a \fIbridge\fR argument.
.
.IP "\fBget\-controller\fR [\fIbridge\fR]"
Prints the configured controller target.
.
.IP "\fBdel\-controller\fR [\fIbridge\fR]"
Deletes the configured controller target.
.
.IP "\fBset\-controller\fR [\fIbridge\fR] \fItarget\fR"
Sets the configured controller target.  The \fItarget\fR may use any of
the following forms:
.
.RS
.TP
.so lib/vconn-active.man
.RE
.
.ST "Controller Failure Settings"
.
When a controller is configured, it is, ordinarily, responsible for
setting up all flows on the switch.  Thus, if the connection to
the controller fails, no new network connections can be set up.  If
the connection to the controller stays down long enough, no packets
can pass through the switch at all.
.ST
If the value is \fBstandalone\fR, or if neither of these settings
is set, \fBovs\-vswitchd\fR will take over
responsibility for setting up
flows when no message has been received from the controller for three
times the inactivity probe interval (xxx needs to be exposed).  In this mode,
\fBovs\-vswitchd\fR causes the datapath to act like an ordinary
MAC-learning switch.  \fBovs\-vswitchd\fR will continue to retry connecting
to the controller in the background and, when the connection succeeds,
it discontinues its standalone behavior.
.ST
If this option is set to \fBsecure\fR, \fBovs\-vswitchd\fR will not
set up flows on its own when the controller connection fails.
.
.IP "\fBget\-fail\-mode\fR [\fIbridge\fR]"
Prints the configured failure mode.
.
.IP "\fBdel\-fail\-mode\fR [\fIbridge\fR]"
Deletes the configured failure mode.
.
.IP "\fBset\-fail\-mode\fR [\fIbridge\fR] \fBstandalone\fR|\fBsecure\fR"
Sets the configured failure mode.
.
.SS "SSL Configuration"
When \fBovs\-vswitchd\fR is configured to connect over SSL for management or
controller connectivity, the following parameters are required:
.TP
\fBprivate-key\fR
Specifies a PEM file containing the private key used as the virtual
switch's identity for SSL connections to the controller.
.TP
\fBcertificate\fR
Specifies a PEM file containing a certificate, signed by the
certificate authority (CA) used by the controller and manager, that
certifies the virtual switch's private key, identifying a trustworthy
switch.
.TP
\fBca-cert\fR
Specifies a PEM file containing the CA certificate used to verify that
the virtual switch is connected to a trustworthy controller.
.PP
These files are read only once, at \fBovs\-vswitchd\fR startup time.  If
their contents change, \fBovs\-vswitchd\fR must be killed and restarted.
.PP
These SSL settings apply to all SSL connections made by the virtual
switch.
.
.IP "\fBget\-ssl\fR"
Prints the SSL configuration.
.
.IP "\fBdel\-ssl\fR"
Deletes the current SSL configuration.
.
.IP "[\fB\-\-bootstrap\fR] \fBset\-ssl\fR \fIprivate-key\fR \fIcertificate\fR \fIca-cert\fR"
Sets the SSL configuration.  The \fB\-\-bootstrap\fR option is described 
below.
.
.ST "CA Certificate Bootstrap"
Ordinarily, all of the files named in the SSL configuration must exist
when \fBovs\-vswitchd\fR starts.  However, if the \fB\-\-bootstrap\fR 
option is given, then \fBovs\-vswitchd\fR will attempt to obtain the
CA certificate from the controller on its first SSL connection and
save it to the named PEM file.  If it is successful, it will
immediately drop the connection and reconnect, and from then on all
SSL connections must be authenticated by a certificate signed by the
CA certificate thus obtained.
.PP
\fBThis option exposes the SSL connection to a man-in-the-middle
attack obtaining the initial CA certificate\fR, but it may be useful
for bootstrapping.
.PP
This option is only useful if the controller sends its CA certificate
as part of the SSL certificate chain.  The SSL protocol does not
require the controller to send the CA certificate, but
\fBcontroller\fR(8) can be configured to do so with the
\fB--peer-ca-cert\fR option.
.
.SH "EXAMPLES"
Create a new bridge named br0 and add port eth0 to it:
.IP
.B "ovs-vsctl add\-br br0"
.br
.B "ovs-vsctl add\-port br0 eth0"
.PP
Alternatively, perform both operations in a single atomic transaction:
.IP 
.B "ovs-vsctl add\-br br0 \-\- add\-port br0 eth0"
.PP
Delete bridge \fBbr0\fR, reporting an error if it does not exist:
.IP
.B "ovs\-vsctl del\-br br0"
.PP
Delete bridge \fBbr0\fR if it exists (the \fB\-\-\fR is required to
separate \fBdel\-br\fR's options from the global options):
.IP
.B "ovs\-vsctl \-\- \-\-if\-exists del\-br br0"
.
.SH "EXIT STATUS"
.IP "0"
Successful program execution.
.IP "1"
Usage, syntax, or configuration file error.
.IP "2"
The \fIbridge\fR argument to \fBbr\-exists\fR specified the name of a
bridge that does not exist.
.SH "SEE ALSO"
.
.BR ovsdb\-server (1),
.BR ovs\-vswitchd (8).
Commit	Line	Data
3b135da3 BP	1	.\" -- nroff --
	2	.de IQ
	3	. br
	4	. ns
	5	. IP "\\$1"
	6	..
5aa00635 JP	7	.de ST
	8	. PP
	9	. RS -0.15in
	10	. I "\\$1"
	11	. RE
	12	. PP
	13	..
3fbe1d30	14	.TH ovs\-vsctl 8 "November 2009" "Open vSwitch" "Open vSwitch Manual"
3b135da3 BP	15	.ds PN ovs\-vsctl
	16	.
	17	.SH NAME
	18	ovs\-vsctl \- utility for querying and configuring \fBovs\-vswitchd\fR
	19	.
	20	.SH SYNOPSIS
460aad80	21	\fBovs\-vsctl\fR [\fIoptions\fR] [\fB\-\-\fR] \fIcommand \fR[\fIargs\fR\&...]
4d14e30f	22	[\fB\-\-\fR \fIcommand \fR[\fIargs\fR\&...]]
3b135da3 BP	23	.
3b135da3 BP	24	.SH DESCRIPTION
dfbe07ba BP	25	The \fBovs\-vsctl\fR program configures \fBovs\-vswitchd\fR(8) by
	26	providing a high\-level interface to editing its configuration
	27	database. This program is mainly intended for use when
	28	\fBovs\-vswitchd\fR is running. If it is used when
	29	\fBovs\-vswitchd\fR is not running, then \fB\-\-no\-wait\fR should be
	30	specified and configuration changes will only take effect when
	31	\fBovs\-vswitchd\fR is started.
3b135da3	32	.PP
dfbe07ba BP	33	By default, each time \fBovs\-vsctl\fR runs, it connects to an
	34	\fBovsdb\-server\fR process that maintains an Open vSwitch
	35	configuration database. Using this connection, it queries and
	36	possibly applies changes to the database, depending on the supplied
	37	commands. Then, if it applied any changes, it waits until
	38	\fBovs\-vswitchd\fR has finished reconfiguring itself before it exits.
460aad80 BP	39	.PP
	40	\fBovs\-vsctl\fR can perform any number of commands in a single run,
	41	implemented as a single atomic transaction against the database.
	42	Commands are separated on the command line by \fB\-\-\fR arguments.
3b135da3 BP	43	.
	44	.SS "Linux VLAN Bridging Compatibility"
	45	The \fBovs\-vsctl\fR program supports the model of a bridge
	46	implemented by Open vSwitch, in which a single bridge supports ports
	47	on multiple VLANs. In this model, each port on a bridge is either a
	48	trunk port that potentially passes packets tagged with 802.1Q headers
	49	that designate VLANs or it is assigned a single implicit VLAN that is
	50	never tagged with an 802.1Q header.
	51	.PP
	52	For compatibility with software designed for the Linux bridge,
	53	\fBovs\-vsctl\fR also supports a model in which traffic associated
	54	with a given 802.1Q VLAN is segregated into a separate bridge. A
	55	special form of the \fBadd\-br\fR command (see below) creates a ``fake
	56	bridge'' within an Open vSwitch bridge to simulate this behavior.
	57	When such a ``fake bridge'' is active, \fBovs\-vsctl\fR will treat it
	58	much like a bridge separate from its ``parent bridge,'' but the actual
	59	implementation in Open vSwitch uses only a single bridge, with ports on
	60	the fake bridge assigned the implicit VLAN of the fake bridge of which
	61	they are members.
	62	.
	63	.SH OPTIONS
	64	.
460aad80 BP	65	The following options affect the behavior \fBovs\-vsctl\fR as a whole.
	66	Some individual commands also accept their own options, which are
	67	given just before the command name. If the first command on the
	68	command line has options, then those options must be separated from
	69	the global options by \fB\-\-\fR.
3b135da3	70	.
dfbe07ba BP	71	.IP "\fB\-\-db=\fIserver\fR"
	72	Sets \fIserver\fR as the database server that \fBovs\-vsctl\fR
	73	contacts to query or modify configuration. The default is
	74	\fBunix:@RUNDIR@/ovsdb\-server\fR. \fIserver\fR must take one of the
	75	following forms:
	76	.RS
9467fe62	77	.so ovsdb/remote-active.man
dfbe07ba	78	.RE
9467fe62	79	.
dfbe07ba BP	80	.IP "\fB\-\-no\-wait\fR"
	81	Prevents \fBovs\-vsctl\fR from waiting for \fBovs\-vswitchd\fR to
	82	reconfigure itself according to the the modified database. This
	83	option should be used if \fBovs\-vswitchd\fR is not running;
	84	otherwise, \fBovs-vsctl\fR will not exit until \fBovs-vswitchd\fR
	85	starts.
3b135da3	86	.IP
dfbe07ba BP	87	This option has no effect if the commands specified do not change the
dfbe07ba BP	88	database.
3b135da3	89	.
37c84020 BP	90	.IP "\fB\-\-no\-syslog\fR"
	91	By default, \fBovs\-vsctl\fR logs its arguments and the details of any
	92	changes that it makes to the system log. This option disables this
	93	logging.
dfbe07ba BP	94	.IP
	95	This option is equivalent to \fB\-\-verbose=vvsctl:syslog:warn\fR.
	96	.
2792c2ad	97	.IP "\fB\-\-oneline\fR"
4d14e30f	98	Modifies the output format so that the output for each command is printed
2792c2ad	99	on a single line. New-line characters that would otherwise separate
4d14e30f	100	lines are printed as \fB\\n\fR, and any instances of \fB\\\fR that
2792c2ad	101	would otherwise appear in the output are doubled.
4d14e30f	102	Prints a blank line for each command that has no output.
37c84020	103	.
577aebdf BP	104	.IP "\fB\-\-dry\-run\fR"
	105	Prevents \fBovs\-vsctl\fR from actually modifying the database.
	106	.
342045e1 BP	107	.IP "\fB-t \fIsecs\fR"
342045e1 BP	108	.IQ "\fB--timeout=\fIsecs\fR"
a39a859a JP	109	Limits runtime to approximately \fIsecs\fR seconds. A value of
	110	zero will cause \fBovs\-vsctl\fR to wait forever. If the timeout expires,
	111	\fBovs\-vsctl\fR will exit with a \fBSIGALRM\fR signal. If this option is
	112	not used, \fBovs\-vsctl\fR uses a timeout of five seconds.
	113	(A timeout would normally happen only if the database cannot be contacted.)
342045e1	114	.
84ee7bcf	115	.so lib/ssl.man
dfbe07ba BP	116	.so lib/vlog.man
dfbe07ba BP	117	.
3b135da3 BP	118	.SH COMMANDS
	119	The commands implemented by \fBovs\-vsctl\fR are described in the
	120	sections below.
524555d1 BP	121	.SS "Open vSwitch Commands"
	122	These commands work with an Open vSwitch as a whole.
	123	.
	124	.IP "\fBinit\fR"
	125	Initializes the Open vSwitch database, if it is empty. If the
	126	database has already been initialized, this command has no effect.
	127	.IP
	128	Any successful \fBovs\-vsctl\fR command automatically initializes the
	129	Open vSwitch database if it is empty. This command is provided to
	130	initialize the database without executing any other command.
3b135da3 BP	131	.
	132	.SS "Bridge Commands"
	133	These commands examine and manipulate Open vSwitch bridges.
	134	.
	135	.IP "\fBadd\-br \fIbridge\fR"
	136	Creates a new bridge named \fIbridge\fR. Initially the bridge will
	137	have no ports (other than \fIbridge\fR itself).
	138	.
	139	.IP "\fBadd\-br \fIbridge parent vlan\fR"
	140	Creates a ``fake bridge'' named \fIbridge\fR within the existing Open
	141	vSwitch bridge \fIparent\fR, which must already exist and must not
	142	itself be a fake bridge. The new fake bridge will be on 802.1Q VLAN
	143	\fIvlan\fR, which must be an integer between 1 and 4095. Initially
	144	\fIbridge\fR will have no ports (other than \fIbridge\fR itself).
	145	.
460aad80	146	.IP "[\fB\-\-if\-exists\fR] \fBdel\-br \fIbridge\fR"
3b135da3 BP	147	Deletes \fIbridge\fR and all of its ports. If \fIbridge\fR is a real
	148	bridge, this command also deletes any fake bridges that were created
	149	with \fIbridge\fR as parent, including all of their ports.
460aad80 BP	150	.IP
	151	Without \fB\-\-if\-exists\fR, attempting to delete a bridge that does
	152	not exist is an error. With \fB\-\-if\-exists\fR, attempting to
	153	delete a bridge that does not exist has no effect.
3b135da3 BP	154	.
	155	.IP "\fBlist\-br\fR"
	156	Lists all existing real and fake bridges on standard output, one per
	157	line.
	158	.
	159	.IP "\fBbr\-exists \fIbridge\fR"
	160	Tests whether \fIbridge\fR exists as a real or fake bridge. If so,
	161	\fBovs\-vsctl\fR exits successfully with exit code 0. If not,
	162	\fBovs\-vsctl\fR exits unsuccessfully with exit code 2.
	163	.
8e58fa9a BP	164	.IP "\fBbr\-to\-vlan \fIbridge\fR"
	165	If \fIbridge\fR is a fake bridge, prints the bridge's 802.1Q VLAN as a
	166	decimal integer. If \fIbridge\fR is a real bridge, prints 0.
	167	.
	168	.IP "\fBbr\-to\-parent \fIbridge\fR"
	169	If \fIbridge\fR is a fake bridge, prints the name of its parent
	170	bridge. If \fIbridge\fR is a real bridge, print \fIbridge\fR.
	171	.
457e1eb0 BP	172	.IP "\fBbr\-set\-external\-id \fIbridge key\fR [\fIvalue\fR]"
	173	Sets or clears an ``external ID'' value on \fIbridge\fR. These values
	174	are intended to identify entities external to Open vSwitch with which
	175	\fIbridge\fR is associated, e.g. the bridge's identifier in a
	176	virtualization management platform. The Open vSwitch database schema
	177	specifies well-known \fIkey\fR values, but \fIkey\fR and \fIvalue\fR
	178	are otherwise arbitrary strings.
	179	.IP
	180	If \fIvalue\fR is specified, then \fIkey\fR is set to \fIvalue\fR for
	181	\fIbridge\fR, overwriting any previous value. If \fIvalue\fR is
	182	omitted, then \fIkey\fR is removed from \fIbridge\fR's set of external
	183	IDs (if it was present).
	184	.
	185	.IP "\fBbr\-get\-external\-id \fIbridge\fR [\fIkey\fR]"
	186	Queries the external IDs on \fIbridge\fR. If \fIkey\fR is specified,
	187	the output is the value for that \fIkey\fR or the empty string if
	188	\fIkey\fR is unset. If \fIkey\fR is omitted, the output is
	189	\fIkey\fB=\fIvalue\fR, one per line, for each key-value pair.
	190	.
3b135da3 BP	191	.SS "Port Commands"
	192	.
	193	These commands examine and manipulate Open vSwitch ports. These
	194	commands treat a bonded port as a single entity.
	195	.
	196	.IP "\fBlist\-ports \fIbridge\fR"
	197	Lists all of the ports within \fIbridge\fR on standard output, one per
	198	line. The local port \fIbridge\fR is not included in the list.
	199	.
	200	.IP "\fBadd\-port \fIbridge port\fR"
	201	Creates on \fIbridge\fR a new port named \fIport\fR from the network
	202	device of the same name.
	203	.
	204	.IP "\fBadd\-bond \fIbridge port iface\fR\&..."
	205	Creates on \fIbridge\fR a new port named \fIport\fR that bonds
	206	together the network devices given as each \fIiface\fR. At least two
	207	interfaces must be named.
	208	.
460aad80	209	.IP "[\fB\-\-if\-exists\fR] \fBdel\-port \fR[\fIbridge\fR] \fIport\fR"
3d1b9636 BP	210	Deletes \fIport\fR. If \fIbridge\fR is omitted, \fIport\fR is removed
	211	from whatever bridge contains it; if \fIbridge\fR is specified, it
	212	must be the real or fake bridge that contains \fIport\fR.
460aad80 BP	213	.IP
	214	Without \fB\-\-if\-exists\fR, attempting to delete a port that does
	215	not exist is an error. With \fB\-\-if\-exists\fR, attempting to
	216	delete a port that does not exist has no effect.
3b135da3 BP	217	.
	218	.IP "\fBport\-to\-br \fIport\fR"
	219	Prints the name of the bridge that contains \fIport\fR on standard
	220	output.
	221	.
457e1eb0 BP	222	.IP "\fBport\-set\-external\-id \fIport key\fR [\fIvalue\fR]"
	223	Sets or clears an ``external ID'' value on \fIport\fR. These value
	224	are intended to identify entities external to Open vSwitch with which
	225	\fIport\fR is associated, e.g. the port's identifier in a
	226	virtualization management platform. The Open vSwitch database schema
	227	specifies well-known \fIkey\fR values, but \fIkey\fR and \fIvalue\fR
	228	are otherwise arbitrary strings.
	229	.IP
	230	If \fIvalue\fR is specified, then \fIkey\fR is set to \fIvalue\fR for
	231	\fIport\fR, overwriting any previous value. If \fIvalue\fR is
	232	omitted, then \fIkey\fR is removed from \fIport\fR's set of external
	233	IDs (if it was present).
	234	.
	235	.IP "\fBbr\-get\-external\-id \fIport\fR [\fIkey\fR]"
	236	Queries the external IDs on \fIport\fR. If \fIkey\fR is specified,
	237	the output is the value for that \fIkey\fR or the empty string if
	238	\fIkey\fR is unset. If \fIkey\fR is omitted, the output is
	239	\fIkey\fB=\fIvalue\fR, one per line, for each key-value pair.
	240	.
3b135da3 BP	241	.SS "Interface Commands"
	242	.
	243	These commands examine the interfaces attached to an Open vSwitch
	244	bridge. These commands treat a bonded port as a collection of two or
	245	more interfaces, rather than as a single port.
	246	.
	247	.IP "\fBlist\-ifaces \fIbridge\fR"
	248	Lists all of the interfaces within \fIbridge\fR on standard output,
	249	one per line. The local port \fIbridge\fR is not included in the
	250	list.
	251	.
	252	.IP "\fBiface\-to\-br \fIiface\fR"
	253	Prints the name of the bridge that contains \fIiface\fR on standard
	254	output.
457e1eb0 BP	255	.
	256	.IP "\fBiface\-set\-external\-id \fIiface key\fR [\fIvalue\fR]"
	257	Sets or clears an ``external ID'' value on \fIiface\fR. These value
	258	are intended to identify entities external to Open vSwitch with which
	259	\fIiface\fR is associated, e.g. the interface's identifier in a
	260	virtualization management platform. The Open vSwitch database schema
	261	specifies well-known \fIkey\fR values, but \fIkey\fR and \fIvalue\fR
	262	are otherwise arbitrary strings.
	263	.IP
	264	If \fIvalue\fR is specified, then \fIkey\fR is set to \fIvalue\fR for
	265	\fIiface\fR, overwriting any previous value. If \fIvalue\fR is
	266	omitted, then \fIkey\fR is removed from \fIiface\fR's set of external
	267	IDs (if it was present).
	268	.
	269	.IP "\fBbr\-get\-external\-id \fIiface\fR [\fIkey\fR]"
	270	Queries the external IDs on \fIiface\fR. If \fIkey\fR is specified,
	271	the output is the value for that \fIkey\fR or the empty string if
	272	\fIkey\fR is unset. If \fIkey\fR is omitted, the output is
	273	\fIkey\fB=\fIvalue\fR, one per line, for each key-value pair.
	274	.
5aa00635 JP	275	.SS "OpenFlow Controller Connectivity"
	276	.
	277	\fBovs\-vswitchd\fR can perform all configured bridging and switching
	278	locally, or it can be configured to connect a given bridge to an
	279	external OpenFlow controller, such as NOX.
	280	.
	281	If a \fIbridge\fR argument is given, the settings apply only to the
	282	specified bridge. Otherwise, they apply to the Open vSwitch instance,
	283	and its configuration applies to any bridge that has not been explicitly
	284	configured through a \fIbridge\fR argument.
	285	.
	286	.IP "\fBget\-controller\fR [\fIbridge\fR]"
	287	Prints the configured controller target.
	288	.
	289	.IP "\fBdel\-controller\fR [\fIbridge\fR]"
	290	Deletes the configured controller target.
	291	.
	292	.IP "\fBset\-controller\fR [\fIbridge\fR] \fItarget\fR"
	293	Sets the configured controller target. The \fItarget\fR may use any of
	294	the following forms:
	295	.
	296	.RS
	297	.TP
84ee7bcf	298	.so lib/vconn-active.man
5aa00635	299	.RE
84ee7bcf	300	.
5aa00635 JP	301	.ST "Controller Failure Settings"
	302	.
	303	When a controller is configured, it is, ordinarily, responsible for
	304	setting up all flows on the switch. Thus, if the connection to
	305	the controller fails, no new network connections can be set up. If
	306	the connection to the controller stays down long enough, no packets
	307	can pass through the switch at all.
	308	.ST
	309	If the value is \fBstandalone\fR, or if neither of these settings
	310	is set, \fBovs\-vswitchd\fR will take over
	311	responsibility for setting up
	312	flows when no message has been received from the controller for three
	313	times the inactivity probe interval (xxx needs to be exposed). In this mode,
	314	\fBovs\-vswitchd\fR causes the datapath to act like an ordinary
	315	MAC-learning switch. \fBovs\-vswitchd\fR will continue to retry connecting
	316	to the controller in the background and, when the connection succeeds,
	317	it discontinues its standalone behavior.
	318	.ST
	319	If this option is set to \fBsecure\fR, \fBovs\-vswitchd\fR will not
	320	set up flows on its own when the controller connection fails.
	321	.
	322	.IP "\fBget\-fail\-mode\fR [\fIbridge\fR]"
	323	Prints the configured failure mode.
	324	.
	325	.IP "\fBdel\-fail\-mode\fR [\fIbridge\fR]"
	326	Deletes the configured failure mode.
	327	.
	328	.IP "\fBset\-fail\-mode\fR [\fIbridge\fR] \fBstandalone\fR\|\fBsecure\fR"
	329	Sets the configured failure mode.
	330	.
dd8ac6fe JP	331	.SS "SSL Configuration"
	332	When \fBovs\-vswitchd\fR is configured to connect over SSL for management or
	333	controller connectivity, the following parameters are required:
	334	.TP
	335	\fBprivate-key\fR
	336	Specifies a PEM file containing the private key used as the virtual
	337	switch's identity for SSL connections to the controller.
	338	.TP
	339	\fBcertificate\fR
	340	Specifies a PEM file containing a certificate, signed by the
	341	certificate authority (CA) used by the controller and manager, that
	342	certifies the virtual switch's private key, identifying a trustworthy
	343	switch.
	344	.TP
	345	\fBca-cert\fR
	346	Specifies a PEM file containing the CA certificate used to verify that
	347	the virtual switch is connected to a trustworthy controller.
	348	.PP
	349	These files are read only once, at \fBovs\-vswitchd\fR startup time. If
	350	their contents change, \fBovs\-vswitchd\fR must be killed and restarted.
	351	.PP
	352	These SSL settings apply to all SSL connections made by the virtual
	353	switch.
	354	.
	355	.IP "\fBget\-ssl\fR"
	356	Prints the SSL configuration.
	357	.
	358	.IP "\fBdel\-ssl\fR"
	359	Deletes the current SSL configuration.
	360	.
	361	.IP "[\fB\-\-bootstrap\fR] \fBset\-ssl\fR \fIprivate-key\fR \fIcertificate\fR \fIca-cert\fR"
	362	Sets the SSL configuration. The \fB\-\-bootstrap\fR option is described
	363	below.
	364	.
	365	.ST "CA Certificate Bootstrap"
	366	Ordinarily, all of the files named in the SSL configuration must exist
	367	when \fBovs\-vswitchd\fR starts. However, if the \fB\-\-bootstrap\fR
	368	option is given, then \fBovs\-vswitchd\fR will attempt to obtain the
	369	CA certificate from the controller on its first SSL connection and
	370	save it to the named PEM file. If it is successful, it will
	371	immediately drop the connection and reconnect, and from then on all
	372	SSL connections must be authenticated by a certificate signed by the
	373	CA certificate thus obtained.
	374	.PP
	375	\fBThis option exposes the SSL connection to a man-in-the-middle
	376	attack obtaining the initial CA certificate\fR, but it may be useful
	377	for bootstrapping.
	378	.PP
	379	This option is only useful if the controller sends its CA certificate
	380	as part of the SSL certificate chain. The SSL protocol does not
	381	require the controller to send the CA certificate, but
	382	\fBcontroller\fR(8) can be configured to do so with the
	383	\fB--peer-ca-cert\fR option.
	384	.
4d14e30f BP	385	.SH "EXAMPLES"
	386	Create a new bridge named br0 and add port eth0 to it:
	387	.IP
	388	.B "ovs-vsctl add\-br br0"
	389	.br
	390	.B "ovs-vsctl add\-port br0 eth0"
	391	.PP
	392	Alternatively, perform both operations in a single atomic transaction:
	393	.IP
	394	.B "ovs-vsctl add\-br br0 \-\- add\-port br0 eth0"
460aad80 BP	395	.PP
	396	Delete bridge \fBbr0\fR, reporting an error if it does not exist:
	397	.IP
	398	.B "ovs\-vsctl del\-br br0"
	399	.PP
	400	Delete bridge \fBbr0\fR if it exists (the \fB\-\-\fR is required to
	401	separate \fBdel\-br\fR's options from the global options):
	402	.IP
	403	.B "ovs\-vsctl \-\- \-\-if\-exists del\-br br0"
3b135da3 BP	404	.
	405	.SH "EXIT STATUS"
	406	.IP "0"
	407	Successful program execution.
	408	.IP "1"
	409	Usage, syntax, or configuration file error.
	410	.IP "2"
	411	The \fIbridge\fR argument to \fBbr\-exists\fR specified the name of a
	412	bridge that does not exist.
	413	.SH "SEE ALSO"
	414	.
dfbe07ba	415	.BR ovsdb\-server (1),
3b135da3	416	.BR ovs\-vswitchd (8).