2 Licensed under the Apache License, Version 2.0 (the "License"); you may
3 not use this file except in compliance with the License. You may obtain
4 a copy of the License at
6 http://www.apache.org/licenses/LICENSE-2.0
8 Unless required by applicable law or agreed to in writing, software
9 distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
10 WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
11 License for the specific language governing permissions and limitations
14 Convention for heading levels in Open vSwitch documentation:
16 ======= Heading 0 (reserved for the title in a document)
22 Avoid deeper levels because they do not render well.
24 =========================================
25 Open vSwitch on Linux, FreeBSD and NetBSD
26 =========================================
28 This document describes how to build and install Open vSwitch on a generic
29 Linux, FreeBSD, or NetBSD host. For specifics around installation on a specific
30 platform, refer to one of the other installation guides listed in :doc:`index`.
32 Obtaining Open vSwitch Sources
33 ------------------------------
35 The canonical location for Open vSwitch source code is its Git
36 repository, which you can clone into a directory named "ovs" with::
38 $ git clone https://github.com/openvswitch/ovs.git
40 Cloning the repository leaves the "master" branch initially checked
41 out. This is the right branch for general development. If, on the
42 other hand, if you want to build a particular released version, you
43 can check it out by running a command such as the following from the
48 The repository also has a branch for each release series. For
49 example, to obtain the latest fixes in the Open vSwitch 2.7.x release
50 series, which might include bug fixes that have not yet been in any
51 released version, you can check it out from the "ovs" directory with::
53 $ git checkout origin/branch-2.7
55 If you do not want to use Git, you can also obtain tarballs for Open
56 vSwitch release versions via http://openvswitch.org/download/, or
57 download a ZIP file for any snapshot from the web interface at
58 https://github.com/openvswitch/ovs.
60 .. _general-build-reqs:
65 To compile the userspace programs in the Open vSwitch distribution, you will
66 need the following software:
70 - A C compiler, such as:
76 - MSVC 2013. Refer to :doc:`windows` for additional Windows build
79 While OVS may be compatible with other compilers, optimal support for atomic
80 operations may be missing, making OVS very slow (see ``lib/ovs-atomic.h``).
82 - libssl, from OpenSSL, is optional but recommended if you plan to connect the
83 Open vSwitch to an OpenFlow controller. libssl is required to establish
84 confidentiality and authenticity in the connections from an Open vSwitch to
85 an OpenFlow controller. If libssl is installed, then Open vSwitch will
86 automatically build with support for it.
88 - libcap-ng, written by Steve Grubb, is optional but recommended. It is
89 required to run OVS daemons as a non-root user with dropped root privileges.
90 If libcap-ng is installed, then Open vSwitch will automatically build with
93 - Python 3.4 or later.
95 - Unbound library, from http://www.unbound.net, is optional but recommended if
96 you want to enable ovs-vswitchd and other utilities to use DNS names when
97 specifying OpenFlow and OVSDB remotes. If unbound library is already
98 installed, then Open vSwitch will automatically build with support for it.
99 The environment variable OVS_RESOLV_CONF can be used to specify DNS server
100 configuration file (the default file on Linux is /etc/resolv.conf).
102 On Linux, you may choose to compile the kernel module that comes with the Open
103 vSwitch distribution or to use the kernel module built into the Linux kernel
104 (version 3.3 or later). See the :doc:`/faq/index` question "What features are
105 not available in the Open vSwitch kernel datapath that ships as part of the
106 upstream Linux kernel?" for more information on this trade-off. You may also
107 use the userspace-only implementation, at some cost in features and
108 performance. Refer to :doc:`userspace` for details.
110 To compile the kernel module on Linux, you must also install the
113 - A supported Linux kernel version.
115 For optional support of ingress policing, you must enable kernel
116 configuration options ``NET_CLS_BASIC``, ``NET_SCH_INGRESS``, and
117 ``NET_ACT_POLICE``, either built-in or as modules. ``NET_CLS_POLICE`` is
118 obsolete and not needed.)
120 On kernels before 3.11, the ``ip_gre`` module, for GRE tunnels over IP
121 (``NET_IPGRE``), must not be loaded or compiled in.
123 To configure HTB or HFSC quality of service with Open vSwitch, you must
124 enable the respective configuration options.
126 To use Open vSwitch support for TAP devices, you must enable ``CONFIG_TUN``.
128 - To build a kernel module, you need the same version of GCC that was used to
131 - A kernel build directory corresponding to the Linux kernel image the module
132 is to run on. Under Debian and Ubuntu, for example, each linux-image package
133 containing a kernel binary has a corresponding linux-headers package with
134 the required build infrastructure.
136 If you are working from a Git tree or snapshot (instead of from a distribution
137 tarball), or if you modify the Open vSwitch build system or the database
138 schema, you will also need the following software:
140 - Autoconf version 2.63 or later.
142 - Automake version 1.10 or later.
144 - libtool version 2.4 or later. (Older versions might work too.)
146 The datapath tests for userspace and Linux datapaths also rely upon:
148 - pyftpdlib. Version 1.2.0 is known to work. Earlier versions should
151 - GNU wget. Version 1.16 is known to work. Earlier versions should also
154 - netcat. Several common implementations are known to work.
156 - curl. Version 7.47.0 is known to work. Earlier versions should also work.
158 - tftpy. Version 0.6.2 is known to work. Earlier versions should also work.
160 - netstat. Available from various distro specific packages
162 The ovs-vswitchd.conf.db(5) manpage will include an E-R diagram, in formats
163 other than plain text, only if you have the following:
165 - dot from graphviz (http://www.graphviz.org/).
167 If you are going to extensively modify Open vSwitch, consider installing the
168 following to obtain better warnings:
170 - "sparse" version 0.5.1 or later
171 (https://git.kernel.org/pub/scm/devel/sparse/sparse.git/).
175 - clang, version 3.4 or later
177 - flake8 along with the hacking flake8 plugin (for Python code). The automatic
178 flake8 check that runs against Python code has some warnings enabled that
179 come from the "hacking" flake8 plugin. If it's not installed, the warnings
180 just won't occur until it's run on a system with "hacking" installed.
182 You may find the ovs-dev script found in ``utilities/ovs-dev.py`` useful.
184 .. _general-install-reqs:
186 Installation Requirements
187 -------------------------
189 The machine you build Open vSwitch on may not be the one you run it on. To
190 simply install and run Open vSwitch you require the following software:
192 - Shared libraries compatible with those used for the build.
194 - On Linux, if you want to use the kernel-based datapath (which is the most
195 common use case), then a kernel with a compatible kernel module. This
196 can be a kernel module built with Open vSwitch (e.g. in the previous
197 step), or the kernel module that accompanies Linux 3.3 and later. Open
198 vSwitch features and performance can vary based on the module and the
199 kernel. Refer to :doc:`/faq/releases` for more information.
201 - For optional support of ingress policing on Linux, the "tc" program
202 from iproute2 (part of all major distributions and available at
203 https://wiki.linuxfoundation.org/networking/iproute2).
205 - Python 3.4 or later.
207 On Linux you should ensure that ``/dev/urandom`` exists. To support TAP
208 devices, you must also ensure that ``/dev/net/tun`` exists.
210 .. _general-bootstrapping:
215 This step is not needed if you have downloaded a released tarball. If
216 you pulled the sources directly from an Open vSwitch Git tree or got a
217 Git tree snapshot, then run boot.sh in the top source directory to build
218 the "configure" script::
222 .. _general-configuring:
227 Configure the package by running the configure script. You can usually
228 invoke configure without any arguments. For example::
232 By default all files are installed under ``/usr/local``. Open vSwitch also
233 expects to find its database in ``/usr/local/etc/openvswitch`` by default. If
234 you want to install all files into, e.g., ``/usr`` and ``/var`` instead of
235 ``/usr/local`` and ``/usr/local/var`` and expect to use ``/etc/openvswitch`` as
236 the default database directory, add options as shown here::
238 $ ./configure --prefix=/usr --localstatedir=/var --sysconfdir=/etc
242 Open vSwitch installed with packages like .rpm (e.g. via ``yum install`` or
243 ``rpm -ivh``) and .deb (e.g. via ``apt-get install`` or ``dpkg -i``) use the
244 above configure options.
246 By default, static libraries are built and linked against. If you want to use
247 shared libraries instead::
249 $ ./configure --enable-shared
251 To use a specific C compiler for compiling Open vSwitch user programs, also
252 specify it on the configure command line, like so::
254 $ ./configure CC=gcc-4.2
256 To use 'clang' compiler::
258 $ ./configure CC=clang
260 To supply special flags to the C compiler, specify them as ``CFLAGS`` on the
261 configure command line. If you want the default CFLAGS, which include ``-g`` to
262 build debug symbols and ``-O2`` to enable optimizations, you must include them
263 yourself. For example, to build with the default CFLAGS plus ``-mssse3``, you
264 might run configure as follows::
266 $ ./configure CFLAGS="-g -O2 -mssse3"
268 For efficient hash computation special flags can be passed to leverage built-in
269 intrinsics. For example on X86_64 with SSE4.2 instruction set support, CRC32
270 intrinsics can be used by passing ``-msse4.2``::
272 $ ./configure CFLAGS="-g -O2 -msse4.2"`
274 Also builtin popcnt instruction can be used to speedup the counting of the
275 bits set in an integer. For example on X86_64 with POPCNT support, it can be
276 enabled by passing ``-mpopcnt``::
278 $ ./configure CFLAGS="-g -O2 -mpopcnt"`
280 If you are on a different processor and don't know what flags to choose, it is
281 recommended to use ``-march=native`` settings::
283 $ ./configure CFLAGS="-g -O2 -march=native"
285 With this, GCC will detect the processor and automatically set appropriate
286 flags for it. This should not be used if you are compiling OVS outside the
290 CFLAGS are not applied when building the Linux kernel module. Custom CFLAGS
291 for the kernel module are supplied using the ``EXTRA_CFLAGS`` variable when
292 running make. For example::
294 $ make EXTRA_CFLAGS="-Wno-error=date-time"
296 If you are a developer and want to enable Address Sanitizer for debugging
297 purposes, at about a 2x runtime cost, you can add
298 ``-fsanitize=address -fno-omit-frame-pointer -fno-common`` to CFLAGS. For
301 $ ./configure CFLAGS="-g -O2 -fsanitize=address -fno-omit-frame-pointer -fno-common"
303 To build the Linux kernel module, so that you can run the kernel-based switch,
304 pass the location of the kernel build directory on ``--with-linux``. For
305 example, to build for a running instance of Linux::
307 $ ./configure --with-linux=/lib/modules/$(uname -r)/build
310 If ``--with-linux`` requests building for an unsupported version of Linux,
311 then ``configure`` will fail with an error message. Refer to the
312 :doc:`/faq/index` for advice in that case.
314 If you wish to build the kernel module for an architecture other than the
315 architecture of the machine used for the build, you may specify the kernel
316 architecture string using the KARCH variable when invoking the configure
317 script. For example, to build for MIPS with Linux::
319 $ ./configure --with-linux=/path/to/linux KARCH=mips
321 If you plan to do much Open vSwitch development, you might want to add
322 ``--enable-Werror``, which adds the ``-Werror`` option to the compiler command
323 line, turning warnings into errors. That makes it impossible to miss warnings
324 generated by the build. For example::
326 $ ./configure --enable-Werror
328 If you're building with GCC, then, for improved warnings, install ``sparse``
329 (see "Prerequisites") and enable it for the build by adding
330 ``--enable-sparse``. Use this with ``--enable-Werror`` to avoid missing both
331 compiler and ``sparse`` warnings, e.g.::
333 $ ./configure --enable-Werror --enable-sparse
335 To build with gcov code coverage support, add ``--enable-coverage``::
337 $ ./configure --enable-coverage
339 The configure script accepts a number of other options and honors additional
340 environment variables. For a full list, invoke configure with the ``--help``
345 You can also run configure from a separate build directory. This is helpful if
346 you want to build Open vSwitch in more than one way from a single source
347 directory, e.g. to try out both GCC and Clang builds, or to build kernel
348 modules for more than one Linux version. For example::
350 $ mkdir _gcc && (cd _gcc && ./configure CC=gcc)
351 $ mkdir _clang && (cd _clang && ./configure CC=clang)
353 Under certain loads the ovsdb-server and other components perform better when
354 using the jemalloc memory allocator, instead of the glibc memory allocator. If
355 you wish to link with jemalloc add it to LIBS::
357 $ ./configure LIBS=-ljemalloc
359 .. _general-building:
364 1. Run GNU make in the build directory, e.g.::
368 or if GNU make is installed as "gmake"::
372 If you used a separate build directory, run make or gmake from that
379 Some versions of Clang and ccache are not completely compatible. If you
380 see unusual warnings when you use both together, consider disabling
383 2. Consider running the testsuite. Refer to :doc:`/topics/testing` for
386 3. Run ``make install`` to install the executables and manpages into the
387 running system, by default under ``/usr/local``::
391 5. If you built kernel modules, you may install them, e.g.::
393 $ make modules_install
395 It is possible that you already had a Open vSwitch kernel module installed
396 on your machine that came from upstream Linux (in a different directory). To
397 make sure that you load the Open vSwitch kernel module you built from this
398 repository, you should create a ``depmod.d`` file that prefers your newly
399 installed kernel modules over the kernel modules from upstream Linux. The
400 following snippet of code achieves the same::
402 $ config_file="/etc/depmod.d/openvswitch.conf"
403 $ for module in datapath/linux/*.ko; do
404 modname="$(basename ${module})"
405 echo "override ${modname%.ko} * extra" >> "$config_file"
406 echo "override ${modname%.ko} * weak-updates" >> "$config_file"
410 Finally, load the kernel modules that you need. e.g.::
412 $ /sbin/modprobe openvswitch
414 To verify that the modules have been loaded, run ``/sbin/lsmod`` and check
415 that openvswitch is listed::
417 $ /sbin/lsmod | grep openvswitch
420 If the ``modprobe`` operation fails, look at the last few kernel log
421 messages (e.g. with ``dmesg | tail``). Generally, issues like this occur
422 when Open vSwitch is built for a kernel different from the one into which
423 you are trying to load it. Run ``modinfo`` on ``openvswitch.ko`` and on a
424 module built for the running kernel, e.g.::
426 $ /sbin/modinfo openvswitch.ko
427 $ /sbin/modinfo /lib/modules/$(uname -r)/kernel/net/bridge/bridge.ko
429 Compare the "vermagic" lines output by the two commands. If they differ,
430 then Open vSwitch was built for the wrong kernel.
432 If you decide to report a bug or ask a question related to module loading,
433 include the output from the ``dmesg`` and ``modinfo`` commands mentioned
436 .. _general-starting:
441 On Unix-alike systems, such as BSDs and Linux, starting the Open vSwitch
442 suite of daemons is a simple process. Open vSwitch includes a shell script,
443 and helpers, called ovs-ctl which automates much of the tasks for starting
444 and stopping ovsdb-server, and ovs-vswitchd. After installation, the daemons
445 can be started by using the ovs-ctl utility. This will take care to setup
446 initial conditions, and start the daemons in the correct order. The ovs-ctl
447 utility is located in '$(pkgdatadir)/scripts', and defaults to
448 '/usr/local/share/openvswitch/scripts'. An example after install might be::
450 $ export PATH=$PATH:/usr/local/share/openvswitch/scripts
453 Additionally, the ovs-ctl script allows starting / stopping the daemons
454 individually using specific options. To start just the ovsdb-server::
456 $ export PATH=$PATH:/usr/local/share/openvswitch/scripts
457 $ ovs-ctl --no-ovs-vswitchd start
459 Likewise, to start just the ovs-vswitchd::
461 $ export PATH=$PATH:/usr/local/share/openvswitch/scripts
462 $ ovs-ctl --no-ovsdb-server start
464 Refer to ovs-ctl(8) for more information on ovs-ctl.
466 In addition to using the automated script to start Open vSwitch, you may
467 wish to manually start the various daemons. Before starting ovs-vswitchd
468 itself, you need to start its configuration database, ovsdb-server. Each
469 machine on which Open vSwitch is installed should run its own copy of
470 ovsdb-server. Before ovsdb-server itself can be started, configure a
471 database that it can use::
473 $ mkdir -p /usr/local/etc/openvswitch
474 $ ovsdb-tool create /usr/local/etc/openvswitch/conf.db \
475 vswitchd/vswitch.ovsschema
477 Configure ovsdb-server to use database created above, to listen on a Unix
478 domain socket, to connect to any managers specified in the database itself, and
479 to use the SSL configuration in the database::
481 $ mkdir -p /usr/local/var/run/openvswitch
482 $ ovsdb-server --remote=punix:/usr/local/var/run/openvswitch/db.sock \
483 --remote=db:Open_vSwitch,Open_vSwitch,manager_options \
484 --private-key=db:Open_vSwitch,SSL,private_key \
485 --certificate=db:Open_vSwitch,SSL,certificate \
486 --bootstrap-ca-cert=db:Open_vSwitch,SSL,ca_cert \
487 --pidfile --detach --log-file
490 If you built Open vSwitch without SSL support, then omit ``--private-key``,
491 ``--certificate``, and ``--bootstrap-ca-cert``.)
493 Initialize the database using ovs-vsctl. This is only necessary the first time
494 after you create the database with ovsdb-tool, though running it at any time is
497 $ ovs-vsctl --no-wait init
499 Start the main Open vSwitch daemon, telling it to connect to the same Unix
502 $ ovs-vswitchd --pidfile --detach --log-file
504 Starting OVS in container
505 -------------------------
507 For ovs vswitchd, we need to load ovs kernel modules on host.
509 Hence, OVS containers kernel version needs to be same as that of host kernel.
511 Export following variables in .env and place it under
514 $ OVS_BRANCH=<BRANCH>
515 $ OVS_VERSION=<VERSION>
516 $ DISTRO=<LINUX_DISTRO>
517 $ KERNEL_VERSION=<LINUX_KERNEL_VERSION>
518 $ GITHUB_SRC=<GITHUB_URL>
519 $ DOCKER_REPO=<REPO_TO_PUSH_IMAGE>
521 To build ovs modules::
523 $ cd utilities/docker
526 Compiled Modules will be tagged with docker image
528 To Push ovs modules::
532 OVS docker image will be pushed to specified docker repo.
534 Start ovsdb-server using below command::
536 $ docker run -itd --net=host --name=ovsdb-server \
537 <docker_repo>:<tag> ovsdb-server
539 Start ovs-vswitchd with priviledged mode as it needs to load kernel module in
540 host using below command::
542 $ docker run -itd --net=host --name=ovs-vswitchd \
543 --volumes-from=ovsdb-server -v /lib:/lib --privileged \
544 <docker_repo>:<tag> ovs-vswitchd
547 The debian docker file uses ubuntu 16.04 as a base image for reference.
549 User can use any other base image for debian, e.g. u14.04, etc.
551 RHEL based docker build support needs to be added.
556 At this point you can use ovs-vsctl to set up bridges and other Open vSwitch
557 features. For example, to create a bridge named ``br0`` and add ports ``eth0``
558 and ``vif1.0`` to it::
560 $ ovs-vsctl add-br br0
561 $ ovs-vsctl add-port br0 eth0
562 $ ovs-vsctl add-port br0 vif1.0
564 Refer to ovs-vsctl(8) for more details. You may also wish to refer to
565 :doc:`/topics/testing` for information on more generic testing of OVS.
567 When using ovs in container, exec to container to run above commands::
569 $ docker exec -it <ovsdb-server/ovs-vswitchd> /bin/bash
574 When you upgrade Open vSwitch from one version to another you should also
575 upgrade the database schema:
578 The following manual steps may also be accomplished by using ovs-ctl to
579 stop and start the daemons after upgrade. The ovs-ctl script will
580 automatically upgrade the schema.
582 1. Stop the Open vSwitch daemons, e.g.::
584 $ kill `cd /usr/local/var/run/openvswitch && cat ovsdb-server.pid ovs-vswitchd.pid`
586 2. Install the new Open vSwitch release by using the same configure options as
587 was used for installing the previous version. If you do not use the same
588 configure options, you can end up with two different versions of Open
589 vSwitch executables installed in different locations.
591 3. Upgrade the database, in one of the following two ways:
593 - If there is no important data in your database, then you may delete the
594 database file and recreate it with ovsdb-tool, following the instructions
595 under "Building and Installing Open vSwitch for Linux, FreeBSD or NetBSD".
597 - If you want to preserve the contents of your database, back it up first,
598 then use ``ovsdb-tool convert`` to upgrade it, e.g.::
600 $ ovsdb-tool convert /usr/local/etc/openvswitch/conf.db \
601 vswitchd/vswitch.ovsschema
603 4. Start the Open vSwitch daemons as described under `Starting`_ above.
608 Upgrading Open vSwitch from one version to the next version with minimum
609 disruption of traffic going through the system that is using that Open vSwitch
610 needs some considerations:
612 1. If the upgrade only involves upgrading the userspace utilities and daemons
613 of Open vSwitch, make sure that the new userspace version is compatible with
614 the previously loaded kernel module.
616 2. An upgrade of userspace daemons means that they have to be restarted.
617 Restarting the daemons means that the OpenFlow flows in the ovs-vswitchd
618 daemon will be lost. One way to restore the flows is to let the controller
619 re-populate it. Another way is to save the previous flows using a utility
620 like ovs-ofctl and then re-add them after the restart. Restoring the old
621 flows is accurate only if the new Open vSwitch interfaces retain the old
624 3. When the new userspace daemons get restarted, they automatically flush the
625 old flows setup in the kernel. This can be expensive if there are hundreds
626 of new flows that are entering the kernel but userspace daemons are busy
627 setting up new userspace flows from either the controller or an utility like
628 ovs-ofctl. Open vSwitch database provides an option to solve this problem
629 through the ``other_config:flow-restore-wait`` column of the
630 ``Open_vSwitch`` table. Refer to the ovs-vswitchd.conf.db(5) manpage for
633 4. If the upgrade also involves upgrading the kernel module, the old kernel
634 module needs to be unloaded and the new kernel module should be loaded. This
635 means that the kernel network devices belonging to Open vSwitch is recreated
636 and the kernel flows are lost. The downtime of the traffic can be reduced if
637 the userspace daemons are restarted immediately and the userspace flows are
638 restored as soon as possible.
640 5. When upgrading ovs running in container on host that is managed by ovn,
641 simply stop the docker container, remove and re-run with new docker image
642 that has newer ovs version.
644 6. When running ovs in container, if ovs is used in bridged mode where
645 management interface is managed by ovs, docker restart will result in loss
646 of network connectivity. Hence, make sure to delete the bridge mapping of
647 physical interface from ovs, upgrade ovs via docker and then add back the
648 interface to ovs bridge. This mapping need not be deleted in case of multi
649 nics if management interface is not managed by ovs.
652 The ovs-ctl utility's ``restart`` function only restarts the userspace daemons,
653 makes sure that the 'ofport' values remain consistent across restarts, restores
654 userspace flows using the ovs-ofctl utility and also uses the
655 ``other_config:flow-restore-wait`` column to keep the traffic downtime to the
656 minimum. The ovs-ctl utility's ``force-reload-kmod`` function does all of the
657 above, but also replaces the old kernel module with the new one. Open vSwitch
658 startup scripts for Debian, XenServer and RHEL use ovs-ctl's functions and it
659 is recommended that these functions be used for other software platforms too.
664 Report problems to bugs@openvswitch.org.