1 <?xml version="1.0" encoding="utf-8"?>
2 <manpage program="ovn-nbctl" section="8" title="ovn-nbctl">
4 <p>ovn-nbctl -- Open Virtual Network northbound db management utility</p>
7 <p><code>ovn-nbctl</code> [<var>options</var>] <var>command</var> [<var>arg</var>...]</p>
10 <p>This utility can be used to manage the OVN northbound database.</p>
12 <h1>General Commands</h1>
15 <dt><code>show [<var>lswitch</var>]</code></dt>
17 Prints a brief overview of the database contents. If
18 <var>lswitch</var> is provided, only records related to that
19 logical switch are shown.
23 <h1>Logical Switch Commands</h1>
26 <dt><code>lswitch-add</code> [<var>lswitch</var>]</dt> <dd> Creates a new logical switch named <var>lswitch</var>. If
27 <var>lswitch</var> is not provided, the switch will not have a
28 name so other commands must refer to this switch by its UUID.
29 Initially the switch will have no ports.
32 <dt><code>lswitch-del</code> <var>lswitch</var></dt>
34 Deletes <var>lswitch</var>.
37 <dt><code>lswitch-list</code></dt>
39 Lists all existing switches on standard output, one per line.
42 <dt><code>lswitch-set-external-id</code> <var>lswitch</var> <var>key</var> [<var>value</var>]</dt>
44 <p>Sets or clears an ``external ID'' value on <var>lswitch</var>.
45 These values are intended to identify entities external to OVN
46 with which <var>lswitch</var> is associated. The OVN Northbound
47 database schema may specify well-known <var>key</var> values,
48 but <var>key</var> and <var>value</var> are otherwise arbitrary
51 <p>If <var>value</var> is specified, then <var>key</var> is set to
52 <var>value</var> for <var>lswitch</var>, overwriting any
53 previous value. If <var>value</var> is omitted, then
54 <var>key</var> is removed from <var>lswitch</var>'s set of
55 external IDs (if it was present.</p>
58 <dt><code>lswitch-get-external-id</code> <var>lswitch</var> [<var>key</var>]</dt>
60 Queries the external IDs on <var>lswitch</var>. If
61 <var>key</var> is specified, the output is the value for that
62 <var>key</var> or the empty string if <var>key</var> is unset.
63 If <var>key</var> is omitted, the output is
64 <var>key</var><code>=</code><var>value</var>, one per line, for
71 <dt>[<code>--log</code>] <code>acl-add</code> <var>lswitch</var> <var>direction</var> <var>priority</var> <var>match</var> <var>action</var></dt>
73 Adds the specified ACL to <var>lswitch</var>.
74 <var>direction</var> must be either <code>from-lport</code> or
75 <code>to-lport</code>. <var>priority</var> must be between
76 <code>1</code> and <code>65534</code>, inclusive. If
77 <code>--log</code> is specified, packet logging is enabled for the
78 ACL. A full description of the fields are in <code>ovn-nb</code>(5).
81 <dt><code>acl-del</code> <var>lswitch</var> [<var>direction</var> [<var>priority</var> <var>match</var>]]</dt>
83 Deletes ACLs from <var>lswitch</var>. If only
84 <var>lswitch</var> is supplied, all the ACLs from the logical
85 switch are deleted. If <var>direction</var> is also specified,
86 then all the flows in that direction will be deleted from the
87 logical switch. If all the fields are given, then a single flow
88 that matches all the fields will be deleted.
91 <dt><code>acl-list</code> <var>lswitch</var></dt>
93 Lists the ACLs on <var>lswitch</var>.
97 <h1>Logical Port Commands</h1>
99 <dt><code>lport-add</code> <var>lswitch</var> <var>lport</var></dt>
101 Creates on <var>lswitch</var> a new logical port named
105 <dt><code>lport-add</code> <var>lswitch</var> <var>lport</var> <var>parent</var> <var>tag</var></dt>
107 Creates on <var>lswitch</var> a logical port named <var>lport</var>
108 that is a child of <var>parent</var> that is identifed with VLAN ID
109 <var>tag</var>. This is useful in cases such as virtualized
110 container environments where Open vSwitch does not have a direct
111 connection to the container's port and it must be shared with
112 the virtual machine's port.
115 <dt><code>lport-del</code> <var>lport</var></dt>
117 Deletes <var>lport</var>.
120 <dt><code>lport-list</code> <var>lswitch</var></dt>
122 Lists all the logical ports within <var>lswitch</var> on
123 standard output, one per line.
126 <dt><code>lport-get-parent</code> <var>lport</var></dt>
128 If set, get the parent port of <var>lport</var>. If not set, print
132 <dt><code>lport-get-tag</code> <var>lport</var></dt>
134 If set, get the tag for <var>lport</var> traffic. If not set, print
138 <dt><code>lport-set-external-id</code> <var>lport</var> <var>key</var> [<var>value</var>]</dt>
140 <p>Sets or clears an ``external ID'' value on <var>lport</var>.
141 These values are intended to identify entities external to OVN
142 with which <var>lport</var> is associated. The OVN Northbound
143 database schema may specify well-known <var>key</var> values,
144 but <var>key</var> and <var>value</var> are otherwise arbitrary
147 <p>If <var>value</var> is specified, then <var>key</var> is set to
148 <var>value</var> for <var>lport</var>, overwriting any
149 previous value. If <var>value</var> is omitted, then
150 <var>key</var> is removed from <var>lport</var>'s set of
151 external IDs (if it was present.</p>
154 <dt><code>lport-get-external-id</code> <var>lport</var> [<var>key</var>]</dt>
156 Queries the external IDs on <var>lport</var>. If
157 <var>key</var> is specified, the output is the value for that
158 <var>key</var> or the empty string if <var>key</var> is unset.
159 If <var>key</var> is omitted, the output is
160 <var>key</var><code>=</code><var>value</var>, one per line, for
164 <dt><code>lport-set-macs</code> <var>lport</var> [<var>mac</var>]...</dt>
166 Sets the MACs associated with <var>lport</var> to
167 <var>mac</var>. Multiple MACs may be sets by using multiple
168 <var>mac</var> arguments. If no <var>mac</var> argument is
169 given, <var>lport</var> will have no MACs associated with it.
172 <dt><code>lport-get-macs</code> <var>lport</var></dt>
174 Lists all the MACs associated with <var>lport</var> on standard
175 output, one per line.
178 <dt><code>lport-set-port-security</code> <var>lport</var> [<var>addrs</var>]...</dt>
181 Sets the port security addresses associated with <var>lport</var> to
182 <var>addrs</var>. Multiple sets of addresses may be set by using
183 multiple <var>addrs</var> arguments. If no <var>addrs</var> argument
184 is given, <var>lport</var> will not have port security enabled.
188 Port security limits the addresses from which a logical port may send
189 packets and to which it may receive packets. See the
190 <code>ovn-nb</code>(5) documentation for the <ref
191 column="port_security" table="Logical_Port"/> column in the <ref
192 table="Logical_Port"/> table for details.
196 <dt><code>lport-get-port-security</code> <var>lport</var></dt>
198 Lists all the port security addresses associated with <var>lport</var>
199 on standard output, one per line.
202 <dt><code>lport-get-up</code> <var>lport</var></dt>
204 Prints the state of <var>lport</var>, either <code>up</code> or
208 <dt><code>lport-set-enabled</code> <var>lport</var> <var>state</var></dt>
210 Set the administrative state of <var>lport</var>, either <code>enabled</code>
211 or <code>disabled</code>. When a port is disabled, no traffic is allowed into
215 <dt><code>lport-get-enabled</code> <var>lport</var></dt>
217 Prints the administrative state of <var>lport</var>, either <code>enabled</code>
218 or <code>disabled</code>.
221 <dt><code>lport-set-type</code> <var>lport</var> <var>type</var></dt>
223 Set the type for the logical port. No special types have been implemented yet.
226 <dt><code>lport-get-type</code> <var>lport</var></dt>
228 Get the type for the logical port.
231 <dt><code>lport-set-options</code> <var>lport</var> [<var>key=value</var>]...</dt>
233 Set type-specific key-value options for the logical port.
236 <dt><code>lport-get-options</code> <var>lport</var></dt>
238 Get the type-specific options for the logical port.
246 <dt><code>--db</code> <var>database</var></dt>
248 The OVSDB database remote to contact. If the <env>OVN_NB_DB</env>
249 environment variable is set, its value is used as the default.
250 Otherwise, the default is <code>unix:@RUNDIR@/db.sock</code>, but this
251 default is unlikely to be useful outside of single-machine OVN test
255 <dt><code>-h</code> | <code>--help</code></dt>
256 <dt><code>-o</code> | <code>--options</code></dt>
257 <dt><code>-V</code> | <code>--version</code></dt>
260 <h1>Logging options</h1>
262 <dt><code>-v</code><var>spec</var>, <code>--verbose=</code><var>spec</var></dt>
263 <dt><code>-v</code>, <code>--verbose</code></dt>
264 <dt><code>--log-file</code>[<code>=</code><var>file</var>]</dt>
265 <dt><code>--syslog-target=</code><var>host</var><code>:</code><var>port</var></dt>
268 <h1>PKI configuration (required to use SSL)</h1>
270 <dt><code>-p</code>, <code>--private-key=</code><var>file</var> file with private key</dt>
271 <dt><code>-c</code>, <code>--certificate=</code><var>file</var> file with certificate for private key</dt>
272 <dt><code>-C</code>, <code>--ca-cert=</code><var>file</var> file with peer CA certificate</dt>