]> git.proxmox.com Git - mirror_ovs.git/blob - ovn/utilities/ovn-nbctl.8.xml
projects / mirror_ovs.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
ovn-architecture: Add notes on L3 gateway HA.
[mirror_ovs.git] / ovn / utilities / ovn-nbctl.8.xml
1 <?xml version="1.0" encoding="utf-8"?>
2 <manpage program="ovn-nbctl" section="8" title="ovn-nbctl">
3 <h1>Name</h1>
4 <p>ovn-nbctl -- Open Virtual Network northbound db management utility</p>
5
6 <h1>Synopsis</h1>
7 <p><code>ovn-nbctl</code> [<var>options</var>] <var>command</var> [<var>arg</var>...]</p>
8
9 <h1>Description</h1>
10 <p>This utility can be used to manage the OVN northbound database.</p>
11
12 <h1>General Commands</h1>
13
14 <dl>
15 <dt><code>init</code></dt>
16 <dd>
17 Initializes the database, if it is empty. If the database has already
18 been initialized, this command has no effect.
19 </dd>
20
21 <dt><code>show [<var>switch</var> | <var>router</var>]</code></dt>
22 <dd>
23 Prints a brief overview of the database contents. If
24 <var>switch</var> is provided, only records related to that
25 logical switch are shown. If
26 <var>router</var> is provided, only records related to that
27 logical router are shown.
28 </dd>
29 </dl>
30
31 <h1>Logical Switch Commands</h1>
32
33 <dl>
34 <dt><code>ls-add</code></dt>
35 <dd>
36 <p>
37 Creates a new, unnamed logical switch, which initially has no ports.
38 The switch does not have a name, other commands must refer to this
39 switch by its UUID.
40 </p>
41 </dd>
42
43 <dt>[<code>--may-exist</code> | <code>--add-duplicate</code>] <code>ls-add</code> <var>switch</var></dt>
44 <dd>
45 <p>
46 Creates a new logical switch named <var>switch</var>, which
47 initially has no ports.
48 </p>
49
50 <p>
51 The OVN northbound database schema does not require logical switch
52 names to be unique, but the whole point to the names is to provide an
53 easy way for humans to refer to the switches, making duplicate names
54 unhelpful. Thus, without any options, this command regards it as an
55 error if <var>switch</var> is a duplicate name. With
56 <code>--may-exist</code>, adding a duplicate name succeeds but does
57 not create a new logical switch. With <code>--add-duplicate</code>,
58 the command really creates a new logical switch with a duplicate
59 name. It is an error to specify both options. If there are multiple
60 logical switches with a duplicate name, configure the logical switches
61 using the UUID instead of the <var>switch</var> name.
62 </p>
63 </dd>
64
65 <dt>[<code>--if-exists</code>] <code>ls-del</code> <var>switch</var></dt>
66 <dd>
67 Deletes <var>switch</var>. It is an error if <var>switch</var> does
68 not exist, unless <code>--if-exists</code> is specified.
69 </dd>
70
71 <dt><code>ls-list</code></dt>
72 <dd>
73 Lists all existing switches on standard output, one per line.
74 </dd>
75 </dl>
76
77 <h1>Logical Switch ACL Commands</h1>
78 <dl>
79 <dt>[<code>--log</code>] [<code>--may-exist</code>] <code>acl-add</code> <var>switch</var> <var>direction</var> <var>priority</var> <var>match</var> <var>action</var></dt>
80 <dd>
81 Adds the specified ACL to <var>switch</var>.
82 <var>direction</var> must be either <code>from-lport</code> or
83 <code>to-lport</code>. <var>priority</var> must be between
84 <code>0</code> and <code>32767</code>, inclusive. If
85 <code>--log</code> is specified, packet logging is enabled for the
86 ACL. A full description of the fields are in <code>ovn-nb</code>(5).
87 If <code>--may-exist</code> is specified, adding a duplicated ACL
88 succeeds but the ACL is not really created. Without <code>--may-exist</code>,
89 adding a duplicated ACL results in error.
90 </dd>
91
92 <dt><code>acl-del</code> <var>switch</var> [<var>direction</var> [<var>priority</var> <var>match</var>]]</dt>
93 <dd>
94 Deletes ACLs from <var>switch</var>. If only
95 <var>switch</var> is supplied, all the ACLs from the logical
96 switch are deleted. If <var>direction</var> is also specified,
97 then all the flows in that direction will be deleted from the
98 logical switch. If all the fields are given, then a single flow
99 that matches all the fields will be deleted.
100 </dd>
101
102 <dt><code>acl-list</code> <var>switch</var></dt>
103 <dd>
104 Lists the ACLs on <var>switch</var>.
105 </dd>
106 </dl>
107
108 <h1>Logical Switch Port Commands</h1>
109 <dl>
110 <dt>[<code>--may-exist</code>] <code>lsp-add</code> <var>switch</var> <var>port</var></dt>
111 <dd>
112 <p>
113 Creates on <var>lswitch</var> a new logical switch port named
114 <var>port</var>.
115 </p>
116
117 <p>
118 It is an error if a logical port named <var>port</var> already
119 exists, unless <code>--may-exist</code> is specified. Regardless of
120 <code>--may-exist</code>, it is an error if the existing port is in
121 some logical switch other than <var>switch</var> or if it has a
122 parent port.
123 </p>
124 </dd>
125
126 <dt>[<code>--may-exist</code>] <code>lsp-add</code> <var>switch</var> <var>port</var> <var>parent</var> <var>tag_request</var></dt>
127 <dd>
128 <p>
129 Creates on <var>switch</var> a logical switch port named
130 <var>port</var> that is a child of <var>parent</var> that is
131 identified with VLAN ID <var>tag_request</var>,
132 which must be between <code>0</code> and
133 <code>4095</code>, inclusive. If
134 <var>tag_request</var> is <code>0</code>, <code>ovn-northd</code>
135 generates a tag that is unique in the scope of <var>parent</var>.
136 This is useful in cases such as virtualized container environments
137 where Open vSwitch does not have a direct connection to the
138 container's port and it must be shared with the virtual machine's
139 port.
140 </p>
141
142 <p>
143 It is an error if a logical port named <var>port</var> already
144 exists, unless <code>--may-exist</code> is specified. Regardless of
145 <code>--may-exist</code>, it is an error if the existing port is not
146 in <var>switch</var> or if it does not have the specified
147 <var>parent</var> and <var>tag_request</var>.
148 </p>
149 </dd>
150
151 <dt>[<code>--if-exists</code>] <code>lsp-del</code> <var>port</var></dt>
152 <dd>
153 Deletes <var>port</var>. It is an error if <var>port</var> does
154 not exist, unless <code>--if-exists</code> is specified.
155 </dd>
156
157 <dt><code>lsp-list</code> <var>switch</var></dt>
158 <dd>
159 Lists all the logical switch ports within <var>switch</var> on
160 standard output, one per line.
161 </dd>
162
163 <dt><code>lsp-get-parent</code> <var>port</var></dt>
164 <dd>
165 If set, get the parent port of <var>port</var>. If not set, print
166 nothing.
167 </dd>
168
169 <dt><code>lsp-get-tag</code> <var>port</var></dt>
170 <dd>
171 If set, get the tag for <var>port</var> traffic. If not set, print
172 nothing.
173 </dd>
174
175 <dt><code>lsp-set-addresses</code> <var>port</var> [<var>address</var>]...</dt>
176 <dd>
177 <p>
178 Sets the addresses associated with <var>port</var> to
179 <var>address</var>. Each <var>address</var> should be one of the
180 following:
181 </p>
182
183 <dl>
184 <dt>an Ethernet address, optionally followed by a space and one or more IP addresses</dt>
185 <dd>
186 OVN delivers packets for the Ethernet address to this port.
187 </dd>
188
189 <dt><code>unknown</code></dt>
190 <dd>
191 OVN delivers unicast Ethernet packets whose destination MAC address
192 is not in any logical port's addresses column to ports with address
193 <code>unknown</code>.
194 </dd>
195
196 <dt><code>dynamic</code></dt>
197 <dd>
198 Use this keyword to make <code>ovn-northd</code> generate a
199 globally unique MAC address and choose an unused IPv4 address with
200 the logical port's subnet and store them in the port's
201 <code>dynamic_addresses</code> column.
202 </dd>
203
204 <dt><code>router</code></dt>
205 <dd>
206 Accepted only when the <code>type</code> of the logical switch
207 port is <code>router</code>. This indicates that the Ethernet,
208 IPv4, and IPv6 addresses for this logical switch port should be
209 obtained from the connected logical router port, as specified by
210 <code>router-port</code> in <code>lsp-set-options</code>.
211 </dd>
212 </dl>
213
214 <p>
215 Multiple addresses may be set. If no <var>address</var> argument is
216 given, <var>port</var> will have no addresses associated with it.
217 </p>
218 </dd>
219
220 <dt><code>lsp-get-addresses</code> <var>port</var></dt>
221 <dd>
222 Lists all the addresses associated with <var>port</var> on standard
223 output, one per line.
224 </dd>
225
226 <dt><code>lsp-set-port-security</code> <var>port</var> [<var>addrs</var>]...</dt>
227 <dd>
228 <p>
229 Sets the port security addresses associated with <var>port</var> to
230 <var>addrs</var>. Multiple sets of addresses may be set by using
231 multiple <var>addrs</var> arguments. If no <var>addrs</var> argument
232 is given, <var>port</var> will not have port security enabled.
233 </p>
234
235 <p>
236 Port security limits the addresses from which a logical port may send
237 packets and to which it may receive packets. See the
238 <code>ovn-nb</code>(5) documentation for the <ref
239 column="port_security" table="Logical_Switch_Port"/> column in
240 the <ref table="Logical_Switch_Port"/> table for details.
241 </p>
242 </dd>
243
244 <dt><code>lsp-get-port-security</code> <var>port</var></dt>
245 <dd>
246 Lists all the port security addresses associated with <var>port</var>
247 on standard output, one per line.
248 </dd>
249
250 <dt><code>lsp-get-up</code> <var>port</var></dt>
251 <dd>
252 Prints the state of <var>port</var>, either <code>up</code> or
253 <code>down</code>.
254 </dd>
255
256 <dt><code>lsp-set-enabled</code> <var>port</var> <var>state</var></dt>
257 <dd>
258 Set the administrative state of <var>port</var>, either <code>enabled</code>
259 or <code>disabled</code>. When a port is disabled, no traffic is allowed into
260 or out of the port.
261 </dd>
262
263 <dt><code>lsp-get-enabled</code> <var>port</var></dt>
264 <dd>
265 Prints the administrative state of <var>port</var>, either <code>enabled</code>
266 or <code>disabled</code>.
267 </dd>
268
269 <dt><code>lsp-set-type</code> <var>port</var> <var>type</var></dt>
270 <dd>
271 Set the type for the logical port. No special types have been implemented yet.
272 </dd>
273
274 <dt><code>lsp-get-type</code> <var>port</var></dt>
275 <dd>
276 Get the type for the logical port.
277 </dd>
278
279 <dt><code>lsp-set-options</code> <var>port</var> [<var>key=value</var>]...</dt>
280 <dd>
281 Set type-specific key-value options for the logical port.
282 </dd>
283
284 <dt><code>lsp-get-options</code> <var>port</var></dt>
285 <dd>
286 Get the type-specific options for the logical port.
287 </dd>
288
289 </dl>
290
291 <h1>Logical Router Commands</h1>
292
293 <dl>
294 <dt><code>lr-add</code></dt>
295 <dd>
296 <p>
297 Creates a new, unnamed logical router, which initially has no ports.
298 The router does not have a name, other commands must refer to this
299 router by its UUID.
300 </p>
301 </dd>
302
303 <dt>[<code>--may-exist</code> | <code>--add-duplicate</code>] <code>lr-add</code> <var>router</var></dt>
304 <dd>
305 <p>
306 Creates a new logical router named <var>router</var>, which
307 initially has no ports.
308 </p>
309
310 <p>
311 The OVN northbound database schema does not require logical router
312 names to be unique, but the whole point to the names is to provide an
313 easy way for humans to refer to the routers, making duplicate names
314 unhelpful. Thus, without any options, this command regards it as an
315 error if <var>router</var> is a duplicate name. With
316 <code>--may-exist</code>, adding a duplicate name succeeds but does
317 not create a new logical router. With <code>--add-duplicate</code>,
318 the command really creates a new logical router with a duplicate
319 name. It is an error to specify both options. If there are multiple
320 logical routers with a duplicate name, configure the logical routers
321 using the UUID instead of the <var>router</var> name.
322 </p>
323 </dd>
324
325 <dt>[<code>--if-exists</code>] <code>lr-del</code> <var>router</var></dt>
326 <dd>
327 Deletes <var>router</var>. It is an error if <var>router</var> does
328 not exist, unless <code>--if-exists</code> is specified.
329 </dd>
330
331 <dt><code>lr-list</code></dt>
332 <dd>
333 Lists all existing routers on standard output, one per line.
334 </dd>
335 </dl>
336
337 <h1>Logical Router Port Commands</h1>
338
339 <dl>
340 <dt>[<code>--may-exist</code>] <code>lrp-add</code> <var>router</var> <var>port</var> <var>mac</var> <var>network</var>... [<code>peer=</code><var>peer</var>]</dt>
341 <dd>
342 <p>
343 Creates on <var>router</var> a new logical router port named
344 <var>port</var> with Ethernet address <var>mac</var> and one
345 or more IP address/netmask for each <var>network</var>.
346 </p>
347
348 <p>
349 The optional argument <code>peer</code> identifies a logical
350 router port that connects to this one. The following example
351 adds a router port with an IPv4 and IPv6 address with peer
352 <code>lr1</code>:
353 </p>
354
355 <p>
356 <code>lrp-add lr0 lrp0 00:11:22:33:44:55 192.168.0.1/24 2001:db8::1/64 peer=lr1</code>
357 </p>
358
359 <p>
360 It is an error if a logical router port named <var>port</var>
361 already exists, unless <code>--may-exist</code> is specified.
362 Regardless of <code>--may-exist</code>, it is an error if the
363 existing router port is in some logical router other than
364 <var>router</var>.
365 </p>
366 </dd>
367
368 <dt>[<code>--if-exists</code>] <code>lrp-del</code> <var>port</var></dt>
369 <dd>
370 Deletes <var>port</var>. It is an error if <var>port</var> does
371 not exist, unless <code>--if-exists</code> is specified.
372 </dd>
373
374 <dt><code>lrp-list</code> <var>router</var></dt>
375 <dd>
376 Lists all the logical router ports within <var>router</var> on
377 standard output, one per line.
378 </dd>
379
380 <dt><code>lrp-set-enabled</code> <var>port</var> <var>state</var></dt>
381 <dd>
382 Set the administrative state of <var>port</var>, either
383 <code>enabled</code> or <code>disabled</code>. When a port is
384 disabled, no traffic is allowed into or out of the port.
385 </dd>
386
387 <dt><code>lrp-get-enabled</code> <var>port</var></dt>
388 <dd>
389 Prints the administrative state of <var>port</var>, either
390 <code>enabled</code> or <code>disabled</code>.
391 </dd>
392 </dl>
393
394 <h1>Logical Router Static Route Commands</h1>
395
396 <dl>
397 <dt>[<code>--may-exist</code>] [<code>--policy</code>=<var>POLICY</var>] <code>lr-route-add</code> <var>router</var> <var>prefix</var> <var>nexthop</var> [<var>port</var>]</dt>
398 <dd>
399 <p>
400 Adds the specified route to <var>router</var>.
401 <var>prefix</var> describes an IPv4 or IPv6 prefix for this
402 route, such as <code>192.168.100.0/24</code>.
403 <var>nexthop</var> specifies the gateway to use for this
404 route, which should be the IP address of one of
405 <var>router</var> logical router ports or the IP address of a
406 logical port. If <var>port</var> is specified, packets that
407 match this route will be sent out that port. When
408 <var>port</var> is omitted, OVN infers the output port based
409 on <var>nexthop</var>.
410 </p>
411
412 <p>
413 <code>--policy</code> describes the policy used to make routing
414 decisions. This should be one of "dst-ip" or "src-ip". If not
415 specified, the default is "dst-ip".
416 </p>
417
418 <p>
419 It is an error if a route with <var>prefix</var> already exists,
420 unless <code>--may-exist</code> is specified.
421 </p>
422 </dd>
423
424 <dt>[<code>--if-exists</code>] <code>lr-route-del</code> <var>router</var> [<var>prefix</var>]</dt>
425 <dd>
426 <p>
427 Deletes routes from <var>router</var>. If only <var>router</var>
428 is supplied, all the routes from the logical router are
429 deleted. If <var>prefix</var> is also specified, then all the
430 routes that match the prefix will be deleted from the logical
431 router.
432 </p>
433
434 <p>
435 It is an error if <var>prefix</var> is specified and there
436 is no matching route entry, unless <code>--if-exists</code> is
437 specified.
438 </p>
439 </dd>
440
441 <dt><code>lr-route-list</code> <var>router</var></dt>
442 <dd>
443 Lists the routes on <var>router</var>.
444 </dd>
445 </dl>
446
447 <h1>NAT Commands</h1>
448
449 <dl>
450 <dt>[<code>--may-exist</code>] <code>lr-nat-add</code> <var>router</var> <var>type</var> <var>external_ip</var> <var>logical_ip</var> [<var>logical_port</var> <var>external_mac</var>]</dt>
451 <dd>
452 <p>
453 Adds the specified NAT to <var>router</var>.
454 The <var>type</var> must be one of <code>snat</code>,
455 <code>dnat</code>, or <code>dnat_and_snat</code>.
456 The <var>external_ip</var> is an IPv4 address.
457 The <var>logical_ip</var> is an IPv4 network (e.g 192.168.1.0/24)
458 or an IPv4 address.
459 The <var>logical_port</var> and <var>external_mac</var> are only
460 accepted when <var>router</var> is a distributed router (rather
461 than a gateway router) and <var>type</var> is
462 <code>dnat_and_snat</code>.
463 The <var>logical_port</var> is the name of an existing logical
464 switch port where the <var>logical_ip</var> resides.
465 The <var>external_mac</var> is an Ethernet address.
466 </p>
467 <p>
468 When <var>type</var> is <code>dnat</code>, the externally
469 visible IP address <var>external_ip</var> is DNATted to the
470 IP address <var>logical_ip</var> in the logical space.
471 </p>
472 <p>
473 When <var>type</var> is <code>snat</code>, IP packets with their
474 source IP address that either matches the IP address in
475 <var>logical_ip</var> or is in the network provided by
476 <var>logical_ip</var> is SNATed into the IP address in
477 <var>external_ip</var>.
478 </p>
479 <p>
480 When <var>type</var> is <code>dnat_and_snat</code>,
481 the externally visible IP address <var>external_ip</var>
482 is DNATted to the IP address <var>logical_ip</var> in
483 the logical space. In addition, IP packets with the source
484 IP address that matches <var>logical_ip</var> is SNATed into
485 the IP address in <var>external_ip</var>.
486 </p>
487 <p>
488 When the <var>logical_port</var> and <var>external_mac</var>
489 are specified, the NAT rule will be programmed on the chassis
490 where the <var>logical_port</var> resides. This includes
491 ARP replies for the <var>external_ip</var>, which return the
492 value of <var>external_mac</var>. All packets transmitted
493 with source IP address equal to <var>external_ip</var> will
494 be sent using the <var>external_mac</var>.
495 </p>
496 <p>
497 It is an error if a NAT already exists with the same values
498 of <var>router</var>, <var>type</var>, <var>external_ip</var>,
499 and <var>logical_ip</var>, unless <code>--may-exist</code> is
500 specified. When <code>--may-exist</code>,
501 <var>logical_port</var>, and <var>external_mac</var> are all
502 specified, the existing values of <var>logical_port</var> and
503 <var>external_mac</var> are overwritten.
504 </p>
505 </dd>
506
507 <dt>[<code>--if-exists</code>] <code>lr-nat-del</code> <var>router</var> [<var>type</var> [<var>ip</var>]]</dt>
508 <dd>
509 <p>
510 Deletes NATs from <var>router</var>. If only <var>router</var>
511 is supplied, all the NATs from the logical router are
512 deleted. If <var>type</var> is also specified, then all the
513 NATs that match the <var>type</var> will be deleted from the logical
514 router. If all the fields are given, then a single NAT rule
515 that matches all the fields will be deleted. When <var>type</var>
516 is <code>snat</code>, the <var>ip</var> should be logical_ip.
517 When <var>type</var> is <code>dnat</code> or
518 <code>dnat_and_snat</code>, the <var>ip</var> shoud be external_ip.
519 </p>
520
521 <p>
522 It is an error if <var>ip</var> is specified and there
523 is no matching NAT entry, unless <code>--if-exists</code> is
524 specified.
525 </p>
526 </dd>
527
528 <dt><code>lr-nat-list</code> <var>router</var></dt>
529 <dd>
530 Lists the NATs on <var>router</var>.
531 </dd>
532 </dl>
533
534 <h1>Load Balancer Commands</h1>
535 <dl>
536 <dt>[<code>--may-exist</code> | <code>--add-duplicate</code>] <code>lb-add</code> <var>lb</var> <var>vip</var> <var>ips</var> [<var>protocol</var>]</dt>
537 <dd>
538 <p>
539 Creates a new load balancer named <var>lb</var> with the provided
540 <var>vip</var> and <var>ips</var> or adds the <var>vip</var> to
541 an existing <var>lb</var>. <var>vip</var> should be a
542 virtual IPv4 address (or an IPv4 address and a port number with
543 <code>:</code> as a separator). Examples for <var>vip</var> are
544 <code>192.168.1.4</code> and <code>192.168.1.5:8080</code>.
545 <var>ips</var> should be comma separated IPv4 endpoints (or comma
546 separated IPv4 addresses and port numbers with <code>:</code> as a
547 separator). Examples for <var>ips</var> are <code>10.0.0.1,10.0.0.2
548 </code>or <code>20.0.0.10:8800,20.0.0.11:8800</code>.
549 </p>
550
551 <p>
552 The optional argument <var>protocol</var> must be either
553 <code>tcp</code> or <code>udp</code>. This argument is useful when
554 a port number is provided as part of the <var>vip</var>. If the
555 <var>protocol</var> is unspecified and a port number is provided as
556 part of the <var>vip</var>, OVN assumes the <var>protocol</var> to
557 be <code>tcp</code>.
558 </p>
559
560 <p>
561 It is an error if the <var>vip</var> already exists in the load
562 balancer named <var>lb</var>, unless <code>--may-exist</code> is
563 specified. With <code>--add-duplicate</code>, the command really
564 creates a new load balancer with a duplicate name.
565 </p>
566
567 <p>
568 The following example adds a load balancer.
569 </p>
570
571 <p>
572 <code>lb-add lb0 30.0.0.10:80
573 192.168.10.10:80,192.168.10.20:80,192.168.10.30:80 udp</code>
574 </p>
575 </dd>
576
577 <dt>[<code>--if-exists</code>] <code>lb-del</code> <var>lb</var> [<var>vip</var>]</dt>
578 <dd>
579 Deletes <var>lb</var> or the <var>vip</var> from <var>lb</var>.
580 If <var>vip</var> is supplied, only the <var>vip</var> will be
581 deleted from the <var>lb</var>. If only the <var>lb</var> is supplied,
582 the <var>lb</var> will be deleted. It is an error if <var>vip</var>
583 does not already exist in <var>lb</var>, unless
584 <code>--if-exists</code> is specified.
585 </dd>
586
587 <dt><code>lb-list</code> [<var>lb</var>]</dt>
588 <dd>
589 Lists the LBs. If <var>lb</var> is also specified, then only the
590 specified <var>lb</var> will be listed.
591 </dd>
592
593 <dt>[<code>--may-exist</code>] <code>ls-lb-add</code> <var>switch</var> <var>lb</var></dt>
594 <dd>
595 Adds the specified <var>lb</var> to <var>switch</var>.
596 It is an error if a load balancer named <var>lb</var> already exists
597 in the <var>switch</var>, unless <code>--may-exist</code> is specified.
598 </dd>
599
600 <dt>[<code>--if-exists</code>] <code>ls-lb-del</code> <var>switch</var> [<var>lb</var>]</dt>
601 <dd>
602 Removes <var>lb</var> from <var>switch</var>. If only
603 <var>switch</var> is supplied, all the LBs from the logical switch are
604 removed. If <var>lb</var> is also specified, then only the
605 <var>lb</var> will be removed from the logical switch.
606 It is an error if <var>lb</var> does not exist in the
607 <var>switch</var>, unless <code>--if-exists</code> is specified.
608 </dd>
609
610 <dt><code>ls-lb-list</code> <var>switch</var></dt>
611 <dd>
612 Lists the LBs for the given <var>switch</var>.
613 </dd>
614
615 <dt>[<code>--may-exist</code>] <code>lr-lb-add</code> <var>router</var> <var>lb</var></dt>
616 <dd>
617 Adds the specified <var>lb</var> to <var>router</var>.
618 It is an error if a load balancer named <var>lb</var> already exists
619 in the <var>router</var>, unless <code>--may-exist</code> is specified.
620 </dd>
621
622 <dt>[<code>--if-exists</code>] <code>lr-lb-del</code> <var>router</var> [<var>lb</var>]</dt>
623 <dd>
624 Removes <var>lb</var> from <var>router</var>. If only
625 <var>router</var> is supplied, all the LBs from the logical router are
626 removed. If <var>lb</var> is also specified, then only the
627 <var>lb</var> will be removed from the logical router.
628 It is an error if <var>lb</var> does not exist in the
629 <var>router</var>, unless <code>--if-exists</code> is specified.
630 </dd>
631
632 <dt><code>lr-lb-list</code> <var>router</var></dt>
633 <dd>
634 Lists the LBs for the given <var>router</var>.
635 </dd>
636 </dl>
637
638
639 <h1>DHCP Options commands</h1>
640
641 <dl>
642 <dt><code>dhcp-options-create</code> <var>cidr</var> [<var>key=value</var>]</dt>
643 <dd>
644 Creates a new DHCP Options entry in the <code>DHCP_Options</code> table
645 with the specified <code>cidr</code> and optional <code>external-ids</code>.
646 </dd>
647
648 <dt><code>dhcp-options-list</code></dt>
649 <dd>
650 Lists the DHCP Options entries.
651 </dd>
652
653 <dt><code>dhcp-options-del</code> <var>dhcp-option</var></dt>
654 <dd>
655 Deletes the DHCP Options entry referred by <var>dhcp-option</var> UUID.
656 </dd>
657
658 <dt><code>dhcp-options-set-options</code> <var>dhcp-option</var> [<var>key=value</var>]...</dt>
659 <dd>
660 Set the DHCP Options for the <var>dhcp-option</var> UUID.
661 </dd>
662
663 <dt><code>dhcp-options-get-options</code> <var>dhcp-option</var></dt>
664 <dd>
665 Lists the DHCP Options for the <var>dhcp-option</var> UUID.
666 </dd>
667 </dl>
668
669 <h1>Database Commands</h1>
670 <p>These commands query and modify the contents of <code>ovsdb</code> tables.
671 They are a slight abstraction of the <code>ovsdb</code> interface and
672 as such they operate at a lower level than other <code>ovn-nbctl</code> commands.</p>
673 <p><var>Identifying Tables, Records, and Columns</var></p>
674 <p>Each of these commands has a <var>table</var> parameter to identify a table
675 within the database. Many of them also take a <var>record</var> parameter
676 that identifies a particular record within a table. The <var>record</var>
677 parameter may be the UUID for a record, which may be abbreviated to its
678 first 4 (or more) hex digits, as long as that is unique. Many tables offer
679 additional ways to identify records. Some commands also take
680 <var>column</var> parameters that identify a particular field within the
681 records in a table.</p>
682 <p>The following tables are currently defined:</p>
683 <dl>
684 <dt><code>Logical_Switch</code></dt>
685 <dd>
686 An L2 logical switch. Records may be identified by name.
687 </dd>
688
689 <dt><code>Logical_Switch_Port</code></dt>
690 <dd>
691 A port within an L2 logical switch. Records may be identified by name.
692 </dd>
693
694 <dt><code>ACL</code></dt>
695 <dd>
696 An ACL rule for a logical switch that points to it through its <var>acls</var> column.
697 </dd>
698
699 <dt><code>Logical_Router</code></dt>
700 <dd>
701 An L3 logical router. Records may be identified by name.
702 </dd>
703
704 <dt><code>Logical_Router_Port</code></dt>
705 <dd>
706 A port within an L3 logical router. Records may be identified by name.
707 </dd>
708
709 <dt><code>Logical_Router_Static_Route</code></dt>
710 <dd>
711 A static route belonging to an L3 logical router.
712 </dd>
713
714 <dt><code>Address_Set</code></dt>
715 <dd>
716 An address set that can be used in ACLs.
717 </dd>
718
719 <dt><code>Load_Balancer</code></dt>
720 <dd>
721 A load balancer for a logical switch that points to it through its <var>load_balancer</var> column.
722 </dd>
723
724 <dt><code>NAT</code></dt>
725 <dd>
726 A NAT rule for a Gateway router.
727 </dd>
728
729 <dt><code>DHCP_Options</code></dt>
730 <dd>
731 DHCP options.
732 </dd>
733
734 <dt><code>NB_Global</code></dt>
735 <dd>
736 North bound global configurations.
737 </dd>
738
739 </dl>
740
741 <p>
742 Record names must be specified in full and with correct capitalization,
743 except that UUIDs may be abbreviated to their first 4 (or more) hex
744 digits, as long as that is unique within the table. Names of tables and
745 columns are not case-sensitive, and <code>-</code> and <code>_</code> are
746 treated interchangeably. Unique abbreviations of table and column names
747 are acceptable, e.g. <code>d</code> or <code>dhcp</code> is sufficient
748 to identify the <code>DHCP_Options</code> table.
749 </p>
750
751 <xi:include href="lib/db-ctl-base.xml" xmlns:xi="http://www.w3.org/2003/XInclude"/>
752
753 <h1>Synchronization Commands</h1>
754
755 <dl>
756 <dt>sync</dt>
757 <dd>
758 Ordinarily, <code>--wait=sb</code> or <code>--wait=hv</code> only waits
759 for changes by the current <code>ovn-nbctl</code> invocation to take
760 effect. This means that, if none of the commands supplied to
761 <code>ovn-nbctl</code> change the database, then the command does not
762 wait at all. With the <code>sync</code> command, however,
763 <code>ovn-nbctl</code> waits even for earlier changes to the database
764 to propagate down to the southbound database or all of the OVN chassis,
765 according to the argument to <code>--wait</code>.
766 </dd>
767 </dl>
768
769 <h1>Remote Connectivity Commands</h1>
770 <dl>
771 <dt><code>get-connection</code></dt>
772 <dd>
773 Prints the configured connection(s).
774 </dd>
775
776 <dt><code>del-connection</code></dt>
777 <dd>
778 Deletes the configured connection(s).
779 </dd>
780
781 <dt><code>set-connection</code> <var>target</var>...</dt>
782 <dd>
783 Sets the configured manager target or targets.
784 </dd>
785 </dl>
786
787 <h1>SSL Configuration Commands</h1>
788 <dl>
789 <dt><code>get-ssl</code></dt>
790 <dd>
791 Prints the SSL configuration.
792 </dd>
793
794 <dt><code>del-ssl</code></dt>
795 <dd>
796 Deletes the current SSL configuration.
797 </dd>
798
799 <dt>[<code>--bootstrap</code>] <code>set-ssl</code>
800 <var>private-key</var> <var>certificate</var> <var>ca-cert</var>
801 [<var>ssl-protocol-list</var> [<var>ssl-cipher-list</var>]]</dt>
802 <dd>
803 Sets the SSL configuration.
804 </dd>
805 </dl>
806
807 <h1>Options</h1>
808
809 <dl>
810 <dt><code>--no-wait</code> | <code>--wait=none</code></dt>
811 <dt><code>--wait=sb</code></dt>
812 <dt><code>--wait=hv</code></dt>
813
814 <dd>
815 <p>
816 These options control whether and how <code>ovn-nbctl</code> waits
817 for the OVN system to become up-to-date with changes made in an
818 <code>ovn-nbctl</code> invocation.
819 </p>
820
821 <p>
822 By default, or if <code>--no-wait</code> or <code>--wait=none</code>,
823 <code>ovn-nbctl</code> exits immediately after confirming that
824 changes have been committed to the northbound database, without
825 waiting.
826 </p>
827
828 <p>
829 With <code>--wait=sb</code>, before <code>ovn-nbctl</code> exits, it
830 waits for <code>ovn-northd</code> to bring the southbound database
831 up-to-date with the northbound database updates.
832 </p>
833
834 <p>
835 With <code>--wait=hv</code>, before <code>ovn-nbctl</code> exits, it
836 additionally waits for all OVN chassis (hypervisors and gateways) to
837 become up-to-date with the northbound database updates. (This can
838 become an indefinite wait if any chassis is malfunctioning.)
839 </p>
840
841 <p>
842 Ordinarily, <code>--wait=sb</code> or <code>--wait=hv</code> only
843 waits for changes by the current <code>ovn-nbctl</code> invocation to
844 take effect. This means that, if none of the commands supplied to
845 <code>ovn-nbctl</code> change the database, then the command does not
846 wait at all. Use the <code>sync</code> command to override this
847 behavior.
848 </p>
849 </dd>
850
851 <dt><code>--db</code> <var>database</var></dt>
852 <dd>
853 The OVSDB database remote to contact. If the <env>OVN_NB_DB</env>
854 environment variable is set, its value is used as the default.
855 Otherwise, the default is <code>unix:@RUNDIR@/ovnnb_db.sock</code>, but this
856 default is unlikely to be useful outside of single-machine OVN test
857 environments.
858 </dd>
859 </dl>
860
861 <h1>Logging options</h1>
862 <xi:include href="lib/vlog.xml" xmlns:xi="http://www.w3.org/2003/XInclude"/>
863
864 <h1>Table Formatting Options</h1>
865 These options control the format of output from the <code>list</code> and
866 <code>find</code> commands.
867 <xi:include href="lib/table.xml" xmlns:xi="http://www.w3.org/2003/XInclude"/>
868
869 <h2>PKI Options</h2>
870 <p>
871 PKI configuration is required to use SSL for the connection to the
872 database.
873 </p>
874 <xi:include href="lib/ssl.xml" xmlns:xi="http://www.w3.org/2003/XInclude"/>
875 <xi:include href="lib/ssl-bootstrap.xml" xmlns:xi="http://www.w3.org/2003/XInclude"/>
876
877 <h2>Other Options</h2>
878
879 <xi:include href="lib/common.xml" xmlns:xi="http://www.w3.org/2003/XInclude"/>
880
881 </manpage>
openvswitch mirror