1 How to Install Open vSwitch on Linux, FreeBSD and NetBSD
2 ========================================================
4 This document describes how to build and install Open vSwitch on a
5 generic Linux, FreeBSD, or NetBSD host. For specifics around installation
6 on a specific platform, please see one of these files:
16 To compile the userspace programs in the Open vSwitch distribution,
17 you will need the following software:
21 - A C compiler, such as:
25 * Clang. Clang 3.4 and later provide useful static semantic
26 analysis and thread-safety checks. For Ubuntu, there are
27 nightly built packages available on clang's website.
29 - libssl, from OpenSSL, is optional but recommended if you plan to
30 connect the Open vSwitch to an OpenFlow controller. libssl is
31 required to establish confidentiality and authenticity in the
32 connections from an Open vSwitch to an OpenFlow controller. If
33 libssl is installed, then Open vSwitch will automatically build
36 - Python 2.x, for x >= 4.
38 To compile the kernel module on Linux, you must also install the
39 following. If you cannot build or install the kernel module, you may
40 use the userspace-only implementation, at a cost in performance. The
41 userspace implementation may also lack some features. Refer to
42 INSTALL.userspace for more information.
44 - A supported Linux kernel version. Please refer to README for a
45 list of supported versions.
47 The Open vSwitch datapath requires bridging support
48 (CONFIG_BRIDGE) to be built as a kernel module. (This is common
49 in kernels provided by Linux distributions.) The bridge module
50 must not be loaded or in use. If the bridge module is running
51 (check with "lsmod | grep bridge"), you must remove it ("rmmod
52 bridge") before starting the datapath.
54 For optional support of ingress policing, you must enable kernel
55 configuration options NET_CLS_BASIC, NET_SCH_INGRESS, and
56 NET_ACT_POLICE, either built-in or as modules. (NET_CLS_POLICE is
57 obsolete and not needed.)
59 To use GRE tunneling on Linux 2.6.37 or newer, kernel support
60 for GRE must be compiled in or available as a module
61 (CONFIG_NET_IPGRE_DEMUX).
63 To configure HTB or HFSC quality of service with Open vSwitch,
64 you must enable the respective configuration options.
66 To use Open vSwitch support for TAP devices, you must enable
69 - To build a kernel module, you need the same version of GCC that
70 was used to build that kernel.
72 - A kernel build directory corresponding to the Linux kernel image
73 the module is to run on. Under Debian and Ubuntu, for example,
74 each linux-image package containing a kernel binary has a
75 corresponding linux-headers package with the required build
78 If you are working from a Git tree or snapshot (instead of from a
79 distribution tarball), or if you modify the Open vSwitch build system
80 or the database schema, you will also need the following software:
82 - Autoconf version 2.64 or later.
84 - Automake version 1.10 or later.
86 - libtool version 2.4 or later. (Older versions might work too.)
88 To run the unit tests, you also need:
90 - Perl. Version 5.10.1 is known to work. Earlier versions should
93 The ovs-vswitchd.conf.db(5) manpage will include an E-R diagram, in
94 formats other than plain text, only if you have the following:
96 - "dot" from graphviz (http://www.graphviz.org/).
98 - Perl. Version 5.10.1 is known to work. Earlier versions should
101 - Python 2.x, for x >= 4.
103 If you are going to extensively modify Open vSwitch, please consider
104 installing the following to obtain better warnings:
106 - "sparse" version 0.4.4 or later
107 (http://www.kernel.org/pub/software/devel/sparse/dist/).
111 - clang, version 3.4 or later
113 Also, you may find the ovs-dev script found in utilities/ovs-dev.py useful.
115 Installation Requirements
116 -------------------------
118 The machine on which Open vSwitch is to be installed must have the
121 - libc compatible with the libc used for build.
123 - libssl compatible with the libssl used for build, if OpenSSL was
126 - On Linux, the same kernel version configured as part of the build.
128 - For optional support of ingress policing on Linux, the "tc" program
129 from iproute2 (part of all major distributions and available at
130 http://www.linux-foundation.org/en/Net:Iproute2).
132 On Linux you should ensure that /dev/urandom exists. To support TAP
133 devices, you must also ensure that /dev/net/tun exists.
135 Building and Installing Open vSwitch for Linux, FreeBSD or NetBSD
136 =================================================================
138 Once you have installed all the prerequisites listed above in the Base
139 Prerequisites section, follow the procedure below to build.
141 1. If you pulled the sources directly from an Open vSwitch Git tree,
142 run boot.sh in the top source directory:
146 2. In the top source directory, configure the package by running the
147 configure script. You can usually invoke configure without any
152 By default all files are installed under /usr/local. If you want
153 to install into, e.g., /usr and /var instead of /usr/local and
154 /usr/local/var, add options as shown here:
156 % ./configure --prefix=/usr --localstatedir=/var
158 To use a specific C compiler for compiling Open vSwitch user
159 programs, also specify it on the configure command line, like so:
161 % ./configure CC=gcc-4.2
163 To use 'clang' compiler:
165 % ./configure CC=clang
167 To build the Linux kernel module, so that you can run the
168 kernel-based switch, pass the location of the kernel build
169 directory on --with-linux. For example, to build for a running
172 % ./configure --with-linux=/lib/modules/`uname -r`/build
174 If you wish to build the kernel module for an architecture other
175 than the architecture of the machine used for the build, you may
176 specify the kernel architecture string using the KARCH variable
177 when invoking the configure script. For example, to build for MIPS
180 % ./configure --with-linux=/path/to/linux KARCH=mips
182 If you plan to do much Open vSwitch development, you might want to
183 add --enable-Werror, which adds the -Werror option to the compiler
184 command line, turning warnings into errors. That makes it
185 impossible to miss warnings generated by the build.
187 The configure script accepts a number of other options and honors
188 additional environment variables. For a full list, invoke
189 configure with the --help option.
191 3. Run GNU make in the top source directory, e.g.:
195 or if GNU make is installed as "gmake":
199 For improved warnings if you installed "sparse" (see
200 "Prerequisites"), add C=1 to the command line.
202 4. Consider running the testsuite. Refer to "Running the Testsuite"
203 below, for instructions.
205 5. Become root by running "su" or another program.
207 6. Run "make install" to install the executables and manpages into the
208 running system, by default under /usr/local.
210 7. If you built kernel modules, you may install and load them, e.g.:
212 % make modules_install
213 % /sbin/modprobe openvswitch
215 To verify that the modules have been loaded, run "/sbin/lsmod" and
216 check that openvswitch is listed.
218 If the "modprobe" operation fails, look at the last few kernel log
219 messages (e.g. with "dmesg | tail"):
221 - The message "openvswitch: exports duplicate symbol
222 br_should_route_hook (owned by bridge)" means that the bridge
223 module is loaded. Run "/sbin/rmmod bridge" to remove it.
225 If "/sbin/rmmod bridge" fails with "ERROR: Module bridge does
226 not exist in /proc/modules", then the bridge is compiled into
227 the kernel, rather than as a module. Open vSwitch does not
228 support this configuration (see "Build Requirements", above).
230 - The message "openvswitch: exports duplicate symbol
231 dp_ioctl_hook (owned by ofdatapath)" means that the ofdatapath
232 module from the OpenFlow reference implementation is loaded.
233 Run "/sbin/rmmod ofdatapath" to remove it. (You might have to
234 delete any existing datapaths beforehand, using the "dpctl"
235 program included with the OpenFlow reference implementation.
236 "ovs-dpctl" will not work.)
238 - Otherwise, the most likely problem is that Open vSwitch was
239 built for a kernel different from the one into which you are
240 trying to load it. Run "modinfo" on openvswitch.ko and on
241 a module built for the running kernel, e.g.:
243 % /sbin/modinfo openvswitch.ko
244 % /sbin/modinfo /lib/modules/`uname -r`/kernel/net/bridge/bridge.ko
246 Compare the "vermagic" lines output by the two commands. If
247 they differ, then Open vSwitch was built for the wrong kernel.
249 - If you decide to report a bug or ask a question related to
250 module loading, please include the output from the "dmesg" and
251 "modinfo" commands mentioned above.
253 There is an optional module parameter to openvswitch.ko called
254 vlan_tso that enables TCP segmentation offload over VLANs on NICs
255 that support it. Many drivers do not expose support for TSO on VLANs
256 in a way that Open vSwitch can use but there is no way to detect
257 whether this is the case. If you know that your particular driver can
258 handle it (for example by testing sending large TCP packets over VLANs)
259 then passing in a value of 1 may improve performance. Modules built for
260 Linux kernels 2.6.37 and later, as well as specially patched versions
261 of earlier kernels, do not need this and do not have this parameter. If
262 you do not understand what this means or do not know if your driver
263 will work, do not set this.
265 8. Initialize the configuration database using ovsdb-tool, e.g.:
267 % mkdir -p /usr/local/etc/openvswitch
268 % ovsdb-tool create /usr/local/etc/openvswitch/conf.db vswitchd/vswitch.ovsschema
273 Before starting ovs-vswitchd itself, you need to start its
274 configuration database, ovsdb-server. Each machine on which Open
275 vSwitch is installed should run its own copy of ovsdb-server.
276 Configure it to use the database you created during step 7 of
277 installation, above, to listen on a Unix domain socket, to connect to
278 any managers specified in the database itself, and to use the SSL
279 configuration in the database:
281 % ovsdb-server --remote=punix:/usr/local/var/run/openvswitch/db.sock \
282 --remote=db:Open_vSwitch,Open_vSwitch,manager_options \
283 --private-key=db:Open_vSwitch,SSL,private_key \
284 --certificate=db:Open_vSwitch,SSL,certificate \
285 --bootstrap-ca-cert=db:Open_vSwitch,SSL,ca_cert \
288 (If you built Open vSwitch without SSL support, then omit
289 --private-key, --certificate, and --bootstrap-ca-cert.)
291 Then initialize the database using ovs-vsctl. This is only
292 necessary the first time after you create the database with
293 ovsdb-tool (but running it at any time is harmless):
295 % ovs-vsctl --no-wait init
297 Then start the main Open vSwitch daemon, telling it to connect to the
298 same Unix domain socket:
300 % ovs-vswitchd --pidfile --detach
302 Now you may use ovs-vsctl to set up bridges and other Open vSwitch
303 features. For example, to create a bridge named br0 and add ports
304 eth0 and vif1.0 to it:
306 % ovs-vsctl add-br br0
307 % ovs-vsctl add-port br0 eth0
308 % ovs-vsctl add-port br0 vif1.0
310 Please refer to ovs-vsctl(8) for more details.
315 When you upgrade Open vSwitch from one version to another, you should
316 also upgrade the database schema:
318 1. Stop the Open vSwitch daemons, e.g.:
320 % kill `cd /usr/local/var/run/openvswitch && cat ovsdb-server.pid ovs-vswitchd.pid`
322 2. Install the new Open vSwitch release.
324 3. Upgrade the database, in one of the following two ways:
326 - If there is no important data in your database, then you may
327 delete the database file and recreate it with ovsdb-tool,
328 following the instructions under "Building and Installing Open
329 vSwitch for Linux, FreeBSD or NetBSD".
331 - If you want to preserve the contents of your database, back it
332 up first, then use "ovsdb-tool convert" to upgrade it, e.g.:
334 % ovsdb-tool convert /usr/local/etc/openvswitch/conf.db vswitchd/vswitch.ovsschema
336 4. Start the Open vSwitch daemons as described under "Building and
337 Installing Open vSwitch for Linux, FreeBSD or NetBSD" above.
341 Upgrading Open vSwitch from one version to the next version with minimum
342 disruption of traffic going through the system that is using that Open vSwitch
343 needs some considerations:
345 1. If the upgrade only involves upgrading the userspace utilities and daemons
346 of Open vSwitch, make sure that the new userspace version is compatible with
347 the previously loaded kernel module.
349 2. An upgrade of userspace daemons means that they have to be restarted.
350 Restarting the daemons means that the Openflow flows in the ovs-vswitchd daemon
351 will be lost. One way to restore the flows is to let the controller
352 re-populate it. Another way is to save the previous flows using a utility
353 like ovs-ofctl and then re-add them after the restart. Restoring the old flows
354 is accurate only if the new Open vSwitch interfaces retain the old 'ofport'
357 3. When the new userspace daemons get restarted, they automatically flush
358 the old flows setup in the kernel. This can be expensive if there are hundreds
359 of new flows that are entering the kernel but userspace daemons are busy
360 setting up new userspace flows from either the controller or an utility like
361 ovs-ofctl. Open vSwitch database provides an option to solve this problem
362 through the other_config:flow-restore-wait column of the Open_vSwitch table.
363 Refer to the ovs-vswitchd.conf.db(5) manpage for details.
365 4. If the upgrade also involves upgrading the kernel module, the old kernel
366 module needs to be unloaded and the new kernel module should be loaded. This
367 means that the kernel network devices belonging to Open vSwitch is recreated
368 and the kernel flows are lost. The downtime of the traffic can be reduced
369 if the userspace daemons are restarted immediately and the userspace flows
370 are restored as soon as possible.
372 The ovs-ctl utility's "restart" function only restarts the userspace daemons,
373 makes sure that the 'ofport' values remain consistent across restarts, restores
374 userspace flows using the ovs-ofctl utility and also uses the
375 other_config:flow-restore-wait column to keep the traffic downtime to the
376 minimum. The ovs-ctl utility's "force-reload-kmod" function does all of the
377 above, but also replaces the old kernel module with the new one. Open vSwitch
378 startup scripts for Debian, XenServer and RHEL use ovs-ctl's functions and it
379 is recommended that these functions be used for other software platforms too.
381 Running the Testsuite
382 =====================
384 Open vSwitch includes a testsuite. Before you submit patches
385 upstream, we advise that you run the tests and ensure that they pass.
386 If you add new features to Open vSwitch, then adding tests for those
387 features will ensure your features don't break as developers modify
388 other areas of Open vSwitch.
390 You must configure and build Open vSwitch (steps 1 through 3 in
391 "Building and Installing Open vSwitch for Linux, FreeBSD or NetBSD" above)
392 before you run the testsuite. You do not need to install Open vSwitch
393 or to build or load the kernel module to run the testsuite. You do
394 not need supervisor privilege to run the testsuite.
396 To run all the unit tests in Open vSwitch, one at a time:
398 This takes under 5 minutes on a modern desktop system.
400 To run all the unit tests in Open vSwitch, up to 8 in parallel:
401 make check TESTSUITEFLAGS=-j8
402 This takes under a minute on a modern 4-core desktop system.
404 To see a list of all the available tests, run:
405 make check TESTSUITEFLAGS=--list
407 To run only a subset of tests, e.g. test 123 and tests 477 through 484:
408 make check TESTSUITEFLAGS='123 477-484'
409 (Tests do not have inter-dependencies, so you may run any subset.)
411 To run tests matching a keyword, e.g. "ovsdb":
412 make check TESTSUITEFLAGS='-k ovsdb'
414 To see a complete list of test options:
415 make check TESTSUITEFLAGS=--help
417 The results of a testing run are reported in tests/testsuite.log.
418 Please report test failures as bugs and include the testsuite.log in
421 If you have "valgrind" installed, then you can also run the testsuite
422 under valgrind by using "make check-valgrind" in place of "make
423 check". All the same options are available via TESTSUITEFLAGS. When
424 you do this, the "valgrind" results for test <N> are reported in files
425 named tests/testsuite.dir/<N>/valgrind.*. You may find that the
426 valgrind results are easier to interpret if you put "-q" in
427 ~/.valgrindrc, since that reduces the amount of output.
429 Sometimes a few tests may fail on some runs but not others. This is
430 usually a bug in the testsuite, not a bug in Open vSwitch itself. If
431 you find that a test fails intermittently, please report it, since the
432 developers may not have noticed.
437 Please report problems to bugs@openvswitch.org.