<?xml version="1.0" encoding="utf-8"?>
<manpage program="ovn-nbctl" section="8" title="ovn-nbctl">
<p>ovn-nbctl -- Open Virtual Network northbound db management utility</p>
<p><code>ovn-nbctl</code> [<var>options</var>] <var>command</var> [<var>arg</var>...]</p>
<p>This utility can be used to manage the OVN northbound database.</p>
<h1>General Commands</h1>
<dl>
  <dt><code>show [<var>lswitch</var>]</code></dt>
  <dd>
    Prints a brief overview of the database contents.  If
    <var>lswitch</var> is provided, only records related to that
    logical switch are shown.
  </dd>
</dl>
<h1>Logical Switch Commands</h1>
<dl>
  <dt><code>lswitch-add</code> [<var>lswitch</var>]</dt>
  <dd>
    Creates a new logical switch named <var>lswitch</var>.  If
    <var>lswitch</var> is not provided, the switch will not have a
    name so other commands must refer to this switch by its UUID.
    Initially the switch will have no ports.
  </dd>
  <dt><code>lswitch-del</code> <var>lswitch</var></dt>
  <dd>
    Deletes <var>lswitch</var>.
  </dd>
  <dt><code>lswitch-list</code></dt>
  <dd>
    Lists all existing switches on standard output, one per line.
  </dd>
</dl>
<dl>
  <dt>[<code>--log</code>] <code>acl-add</code> <var>lswitch</var> <var>direction</var> <var>priority</var> <var>match</var> <var>action</var></dt>
  <dd>
    Adds the specified ACL to <var>lswitch</var>.
    <var>direction</var> must be either <code>from-lport</code> or
    <code>to-lport</code>.  <var>priority</var> must be between
    <code>1</code> and <code>65534</code>, inclusive.  If
    <code>--log</code> is specified, packet logging is enabled for the
    ACL.  A full description of the fields is in <code>ovn-nb</code>(5).
  </dd>
  <dt><code>acl-del</code> <var>lswitch</var> [<var>direction</var> [<var>priority</var> <var>match</var>]]</dt>
  <dd>
    Deletes ACLs from <var>lswitch</var>.  If only
    <var>lswitch</var> is supplied, all the ACLs from the logical
    switch are deleted.  If <var>direction</var> is also specified,
    then all the flows in that direction will be deleted from the
    logical switch.  If all the fields are given, then a single flow
    that matches all the fields will be deleted.
  </dd>
  <dt><code>acl-list</code> <var>lswitch</var></dt>
  <dd>
    Lists the ACLs on <var>lswitch</var>.
  </dd>
</dl>
<h1>Logical Port Commands</h1>
<dl>
  <dt><code>lport-add</code> <var>lswitch</var> <var>lport</var></dt>
  <dd>
    Creates on <var>lswitch</var> a new logical port named
  </dd>
  <dt><code>lport-add</code> <var>lswitch</var> <var>lport</var> <var>parent</var> <var>tag</var></dt>
  <dd>
    Creates on <var>lswitch</var> a logical port named <var>lport</var>
    that is a child of <var>parent</var> that is identified with VLAN ID
    <var>tag</var>.  This is useful in cases such as virtualized
    container environments where Open vSwitch does not have a direct
    connection to the container's port and it must be shared with
    the virtual machine's port.
  </dd>
  <dt><code>lport-del</code> <var>lport</var></dt>
  <dd>
    Deletes <var>lport</var>.
  </dd>
  <dt><code>lport-list</code> <var>lswitch</var></dt>
  <dd>
    Lists all the logical ports within <var>lswitch</var> on
    standard output, one per line.
  </dd>
  <dt><code>lport-get-parent</code> <var>lport</var></dt>
  <dd>
    If set, get the parent port of <var>lport</var>.  If not set, print
  </dd>
  <dt><code>lport-get-tag</code> <var>lport</var></dt>
  <dd>
    If set, get the tag for <var>lport</var> traffic.  If not set, print
  </dd>
  <dt><code>lport-set-addresses</code> <var>lport</var> [<var>address</var>]...</dt>
  <dd>
    Sets the addresses associated with <var>lport</var> to
    <var>address</var>.  Each <var>address</var> should be either an
    Ethernet address or an Ethernet address followed by an IP address
    (separated by a space and quoted to form a single command-line
    argument).  The special form <code>unknown</code> is also valid.
    Multiple Ethernet addresses or Ethernet+IP pairs may be set.  If no
    <var>address</var> argument is given, <var>lport</var> will have no
    addresses associated with it.
  </dd>
  <dt><code>lport-get-addresses</code> <var>lport</var></dt>
  <dd>
    Lists all the addresses associated with <var>lport</var> on standard
    output, one per line.
  </dd>
  <dt><code>lport-set-port-security</code> <var>lport</var> [<var>addrs</var>]...</dt>
  <dd>
    <p>
      Sets the port security addresses associated with <var>lport</var> to
      <var>addrs</var>.  Multiple sets of addresses may be set by using
      multiple <var>addrs</var> arguments.  If no <var>addrs</var> argument
      is given, <var>lport</var> will not have port security enabled.
    </p>
    <p>
      Port security limits the addresses from which a logical port may send
      packets and to which it may receive packets.  See the
      <code>ovn-nb</code>(5) documentation for the <ref
      column="port_security" table="Logical_Port"/> column in the <ref
      table="Logical_Port"/> table for details.
    </p>
  </dd>
  <dt><code>lport-get-port-security</code> <var>lport</var></dt>
  <dd>
    Lists all the port security addresses associated with <var>lport</var>
    on standard output, one per line.
  </dd>
  <dt><code>lport-get-up</code> <var>lport</var></dt>
  <dd>
    Prints the state of <var>lport</var>, either <code>up</code> or
  </dd>
  <dt><code>lport-set-enabled</code> <var>lport</var> <var>state</var></dt>
  <dd>
    Set the administrative state of <var>lport</var>, either <code>enabled</code>
    or <code>disabled</code>.  When a port is disabled, no traffic is allowed into
  </dd>
  <dt><code>lport-get-enabled</code> <var>lport</var></dt>
  <dd>
    Prints the administrative state of <var>lport</var>, either <code>enabled</code>
    or <code>disabled</code>.
  </dd>
  <dt><code>lport-set-type</code> <var>lport</var> <var>type</var></dt>
  <dd>
    Set the type for the logical port.  No special types have been implemented yet.
  </dd>
  <dt><code>lport-get-type</code> <var>lport</var></dt>
  <dd>
    Get the type for the logical port.
  </dd>
  <dt><code>lport-set-options</code> <var>lport</var> [<var>key=value</var>]...</dt>
  <dd>
    Set type-specific key-value options for the logical port.
  </dd>
  <dt><code>lport-get-options</code> <var>lport</var></dt>
  <dd>
    Get the type-specific options for the logical port.
  </dd>
</dl>
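<p>The following shell script is an added example, not part of the original manpage or the OVN sources. It combines <code>lport-set-addresses</code>, <code>lport-set-port-security</code> and <code>acl-add</code> to pin a port to one address pair, allow SSH to it, and log and drop everything else, checking the documented <var>direction</var> and <var>priority</var> limits before each <code>acl-add</code>. The helper names, the <code>OVN_APPLY</code> variable, the sample switch, port and addresses, and the match expressions (written per <code>ovn-nb</code>(5)) are assumptions.</p>

```shell
#!/bin/sh
# Added example. Dry run by default; set OVN_APPLY=1 to really call ovn-nbctl.

# Print the ovn-nbctl command line, or execute it when OVN_APPLY=1.
nbctl() {
    if [ "${OVN_APPLY:-0}" = 1 ]; then
        ovn-nbctl "$@"
    else
        printf 'ovn-nbctl'
        for a in "$@"; do printf " '%s'" "$a"; done   # show argument boundaries
        printf '\n'
    fi
}

# Check the acl-add constraints stated above: direction is from-lport or
# to-lport, priority is a decimal integer between 1 and 65534 inclusive.
acl_args_ok() {
    case "$1" in from-lport|to-lport) ;; *) return 1 ;; esac
    case "$2" in ''|*[!0-9]*) return 1 ;; esac
    [ "$2" -ge 1 ] && [ "$2" -le 65534 ]
}

# acl_add_checked [--log] LSWITCH DIRECTION PRIORITY MATCH ACTION
acl_add_checked() {
    log=
    if [ "$1" = --log ]; then log=--log; shift; fi
    acl_args_ok "$2" "$3" || { echo "rejected ACL: $2 $3" >&2; return 2; }
    nbctl $log acl-add "$@"
}

# lock_down_port LSWITCH LPORT MAC IP (hypothetical helper)
# Match expressions and the allow/drop actions follow ovn-nb(5), and the
# "MAC IP" port-security form is assumed to be accepted by this OVN version.
lock_down_port() {
    nbctl lport-add "$1" "$2" &&
    nbctl lport-set-addresses "$2" "$3 $4" &&
    nbctl lport-set-port-security "$2" "$3 $4" &&
    acl_add_checked "$1" to-lport 1000 "outport == \"$2\" && tcp.dst == 22" allow &&
    acl_add_checked --log "$1" to-lport 1 "outport == \"$2\"" drop
}

# Constructed sample values (documentation MAC and IP ranges).
lock_down_port sw0 vm1 00:00:5e:00:53:01 192.0.2.10
```

<p>Review the printed commands first, then rerun with <code>OVN_APPLY=1</code>; <code>acl-list</code> and <code>lport-get-port-security</code> confirm what was stored.</p>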
<dl>
  <dt><code>--db</code> <var>database</var></dt>
  <dd>
    The OVSDB database remote to contact.  If the <env>OVN_NB_DB</env>
    environment variable is set, its value is used as the default.
    Otherwise, the default is <code>unix:@RUNDIR@/db.sock</code>, but this
    default is unlikely to be useful outside of single-machine OVN test
  </dd>
  <dt><code>-h</code> | <code>--help</code></dt>
  <dt><code>-o</code> | <code>--options</code></dt>
  <dt><code>-V</code> | <code>--version</code></dt>
</dl>
<h1>Logging options</h1>
<dl>
  <dt><code>-v</code><var>spec</var>, <code>--verbose=</code><var>spec</var></dt>
  <dt><code>-v</code>, <code>--verbose</code></dt>
  <dt><code>--log-file</code>[<code>=</code><var>file</var>]</dt>
  <dt><code>--syslog-target=</code><var>host</var><code>:</code><var>port</var></dt>
</dl>
<h1>PKI configuration (required to use SSL)</h1>
<dl>
  <dt><code>-p</code>, <code>--private-key=</code><var>file</var> file with private key</dt>
  <dt><code>-c</code>, <code>--certificate=</code><var>file</var> file with certificate for private key</dt>
  <dt><code>-C</code>, <code>--ca-cert=</code><var>file</var> file with peer CA certificate</dt>
</dl>