1 <?xml version="1.0" encoding="utf-8"?>
2 <manpage program="ovn-nbctl" section="8" title="ovn-nbctl">
4 <p>ovn-nbctl -- Open Virtual Network northbound db management utility</p>
7 <p><code>ovn-nbctl</code> [<var>options</var>] <var>command</var> [<var>arg</var>...]</p>
10 <p>This utility can be used to manage the OVN northbound database.</p>
12 <h1>General Commands</h1>
15 <dt><code>show [<var>switch</var> | <var>router</var>]</code></dt>
17 Prints a brief overview of the database contents. If
18 <var>switch</var> is provided, only records related to that
19 logical switch are shown. If
20 <var>router</var> is provided, only records related to that
21 logical router are shown.
25 <h1>Logical Switch Commands</h1>
28 <dt><code>ls-add</code></dt>
31 Creates a new, unnamed logical switch, which initially has no ports.
32 The switch does not have a name, other commands must refer to this
37 <dt>[<code>--may-exist</code> | <code>--add-duplicate</code>] <code>ls-add</code> <var>switch</var></dt>
40 Creates a new logical switch named <var>switch</var>, which
41 initially has no ports.
45 The OVN northbound database schema does not require logical switch
46 names to be unique, but the whole point to the names is to provide an
47 easy way for humans to refer to the switches, making duplicate names
48 unhelpful. Thus, without any options, this command regards it as an
49 error if <var>switch</var> is a duplicate name. With
50 <code>--may-exist</code>, adding a duplicate name succeeds but does
51 not create a new logical switch. With <code>--add-duplicate</code>,
52 the command really creates a new logical switch with a duplicate
53 name. It is an error to specify both options. If there are multiple
54 logical switches with a duplicate name, configure the logical switches
55 using the UUID instead of the <var>switch</var> name.
59 <dt>[<code>--if-exists</code>] <code>ls-del</code> <var>switch</var></dt>
61 Deletes <var>switch</var>. It is an error if <var>switch</var> does
62 not exist, unless <code>--if-exists</code> is specified.
65 <dt><code>ls-list</code></dt>
67 Lists all existing switches on standard output, one per line.
71 <h1>Logical Switch ACL Commands</h1>
73 <dt>[<code>--log</code>] <code>acl-add</code> <var>switch</var> <var>direction</var> <var>priority</var> <var>match</var> <var>action</var></dt>
75 Adds the specified ACL to <var>switch</var>.
76 <var>direction</var> must be either <code>from-lport</code> or
77 <code>to-lport</code>. <var>priority</var> must be between
78 <code>1</code> and <code>65534</code>, inclusive. If
79 <code>--log</code> is specified, packet logging is enabled for the
80 ACL. A full description of the fields are in <code>ovn-nb</code>(5).
83 <dt><code>acl-del</code> <var>switch</var> [<var>direction</var> [<var>priority</var> <var>match</var>]]</dt>
85 Deletes ACLs from <var>switch</var>. If only
86 <var>switch</var> is supplied, all the ACLs from the logical
87 switch are deleted. If <var>direction</var> is also specified,
88 then all the flows in that direction will be deleted from the
89 logical switch. If all the fields are given, then a single flow
90 that matches all the fields will be deleted.
93 <dt><code>acl-list</code> <var>switch</var></dt>
95 Lists the ACLs on <var>switch</var>.
99 <h1>Logical Switch Port Commands</h1>
101 <dt>[<code>--may-exist</code>] <code>lsp-add</code> <var>switch</var> <var>port</var></dt>
104 Creates on <var>lswitch</var> a new logical switch port named
109 It is an error if a logical port named <var>port</var> already
110 exists, unless <code>--may-exist</code> is specified. Regardless of
111 <code>--may-exist</code>, it is an error if the existing port is in
112 some logical switch other than <var>switch</var> or if it has a
117 <dt>[<code>--may-exist</code>] <code>lsp-add</code> <var>switch</var> <var>port</var> <var>parent</var> <var>tag</var></dt>
120 Creates on <var>switch</var> a logical switch port named
121 <var>port</var> that is a child of <var>parent</var> that is
122 identifed with VLAN ID <var>tag</var>. This is useful in
123 cases such as virtualized container environments where Open
124 vSwitch does not have a direct connection to the container's
125 port and it must be shared with the virtual machine's port.
129 It is an error if a logical port named <var>port</var> already
130 exists, unless <code>--may-exist</code> is specified. Regardless of
131 <code>--may-exist</code>, it is an error if the existing port is not
132 in <var>switch</var> or if it does not have the specified
133 <var>parent</var> and <var>tag</var>.
137 <dt>[<code>--if-exists</code>] <code>lsp-del</code> <var>port</var></dt>
139 Deletes <var>port</var>. It is an error if <var>port</var> does
140 not exist, unless <code>--if-exists</code> is specified.
143 <dt><code>lsp-list</code> <var>switch</var></dt>
145 Lists all the logical switch ports within <var>switch</var> on
146 standard output, one per line.
149 <dt><code>lsp-get-parent</code> <var>port</var></dt>
151 If set, get the parent port of <var>port</var>. If not set, print
155 <dt><code>lsp-get-tag</code> <var>port</var></dt>
157 If set, get the tag for <var>port</var> traffic. If not set, print
161 <dt><code>lsp-set-addresses</code> <var>port</var> [<var>address</var>]...</dt>
163 Sets the addresses associated with <var>port</var> to
164 <var>address</var>. Each <var>address</var> should be either an
165 Ethernet address or an Ethernet address followed by an IP address
166 (separated by a space and quoted to form a single command-line
167 argument). The special form <code>unknown</code> is also valid.
168 Multiple Ethernet addresses or Ethernet+IP pairs may be set. If no
169 <var>address</var> argument is given, <var>port</var> will have no
170 addresses associated with it.
173 <dt><code>lsp-get-addresses</code> <var>port</var></dt>
175 Lists all the addresses associated with <var>port</var> on standard
176 output, one per line.
179 <dt><code>lsp-set-port-security</code> <var>port</var> [<var>addrs</var>]...</dt>
182 Sets the port security addresses associated with <var>port</var> to
183 <var>addrs</var>. Multiple sets of addresses may be set by using
184 multiple <var>addrs</var> arguments. If no <var>addrs</var> argument
185 is given, <var>port</var> will not have port security enabled.
189 Port security limits the addresses from which a logical port may send
190 packets and to which it may receive packets. See the
191 <code>ovn-nb</code>(5) documentation for the <ref
192 column="port_security" table="Logical_Switch_Port"/> column in
193 the <ref table="Logical_Switch_Port"/> table for details.
197 <dt><code>lsp-get-port-security</code> <var>port</var></dt>
199 Lists all the port security addresses associated with <var>port</var>
200 on standard output, one per line.
203 <dt><code>lsp-get-up</code> <var>port</var></dt>
205 Prints the state of <var>port</var>, either <code>up</code> or
209 <dt><code>lsp-set-enabled</code> <var>port</var> <var>state</var></dt>
211 Set the administrative state of <var>port</var>, either <code>enabled</code>
212 or <code>disabled</code>. When a port is disabled, no traffic is allowed into
216 <dt><code>lsp-get-enabled</code> <var>port</var></dt>
218 Prints the administrative state of <var>port</var>, either <code>enabled</code>
219 or <code>disabled</code>.
222 <dt><code>lsp-set-type</code> <var>port</var> <var>type</var></dt>
224 Set the type for the logical port. No special types have been implemented yet.
227 <dt><code>lsp-get-type</code> <var>port</var></dt>
229 Get the type for the logical port.
232 <dt><code>lsp-set-options</code> <var>port</var> [<var>key=value</var>]...</dt>
234 Set type-specific key-value options for the logical port.
237 <dt><code>lsp-get-options</code> <var>port</var></dt>
239 Get the type-specific options for the logical port.
244 <h1>Logical Router Commands</h1>
247 <dt><code>lr-add</code></dt>
250 Creates a new, unnamed logical router, which initially has no ports.
251 The router does not have a name, other commands must refer to this
256 <dt>[<code>--may-exist</code> | <code>--add-duplicate</code>] <code>lr-add</code> <var>router</var></dt>
259 Creates a new logical router named <var>router</var>, which
260 initially has no ports.
264 The OVN northbound database schema does not require logical router
265 names to be unique, but the whole point to the names is to provide an
266 easy way for humans to refer to the routers, making duplicate names
267 unhelpful. Thus, without any options, this command regards it as an
268 error if <var>router</var> is a duplicate name. With
269 <code>--may-exist</code>, adding a duplicate name succeeds but does
270 not create a new logical router. With <code>--add-duplicate</code>,
271 the command really creates a new logical router with a duplicate
272 name. It is an error to specify both options. If there are multiple
273 logical routers with a duplicate name, configure the logical routers
274 using the UUID instead of the <var>router</var> name.
278 <dt>[<code>--if-exists</code>] <code>lr-del</code> <var>router</var></dt>
280 Deletes <var>router</var>. It is an error if <var>router</var> does
281 not exist, unless <code>--if-exists</code> is specified.
284 <dt><code>lr-list</code></dt>
286 Lists all existing routers on standard output, one per line.
290 <h1>Logical Router Port Commands</h1>
293 <dt>[<code>--may-exist</code>] <code>lrp-add</code> <var>router</var> <var>port</var> <var>mac</var> <var>network</var>... [<code>peer=</code><var>peer</var>]</dt>
296 Creates on <var>router</var> a new logical router port named
297 <var>port</var> with Ethernet address <var>mac</var> and one
298 or more IP address/netmask for each <var>network</var>.
302 The optional argument <code>peer</code> identifies a logical
303 router port that connects to this one. The following example
304 adds a router port with an IPv4 and IPv6 address with peer
309 <code>lrp-add lr0 lrp0 00:11:22:33:44:55 192.168.0.1/24 2001:db8::1/64 peer=lr1</code>
313 It is an error if a logical router port named <var>port</var>
314 already exists, unless <code>--may-exist</code> is specified.
315 Regardless of <code>--may-exist</code>, it is an error if the
316 existing router port is in some logical router other than
321 <dt>[<code>--if-exists</code>] <code>lrp-del</code> <var>port</var></dt>
323 Deletes <var>port</var>. It is an error if <var>port</var> does
324 not exist, unless <code>--if-exists</code> is specified.
327 <dt><code>lrp-list</code> <var>router</var></dt>
329 Lists all the logical router ports within <var>router</var> on
330 standard output, one per line.
333 <dt><code>lrp-set-enabled</code> <var>port</var> <var>state</var></dt>
335 Set the administrative state of <var>port</var>, either
336 <code>enabled</code> or <code>disabled</code>. When a port is
337 disabled, no traffic is allowed into or out of the port.
340 <dt><code>lrp-get-enabled</code> <var>port</var></dt>
342 Prints the administrative state of <var>port</var>, either
343 <code>enabled</code> or <code>disabled</code>.
347 <h1>Logical Router Static Route Commands</h1>
350 <dt>[<code>--may-exist</code>] <code>lr-route-add</code> <var>router</var> <var>prefix</var> <var>nexthop</var> [<var>port</var>]</dt>
353 Adds the specified route to <var>router</var>.
354 <var>prefix</var> describes an IPv4 or IPv6 prefix for this
355 route, such as <code>192.168.100.0/24</code>.
356 <var>nexthop</var> specifies the gateway to use for this
357 route, which should be the IP address of one of
358 <var>router</var> logical router ports or the IP address of a
359 logical port. If <var>port</var> is specified, packets that
360 match this route will be sent out that port. When
361 <var>port</var> is omitted, OVN infers the output port based
362 on <var>nexthop</var>.
366 It is an error if a route with <var>prefix</var> already exists,
367 unless <code>--may-exist</code> is specified.
371 <dt>[<code>--if-exists</code>] <code>lr-route-del</code> <var>router</var> [<var>prefix</var>]</dt>
374 Deletes routes from <var>router</var>. If only <var>router</var>
375 is supplied, all the routes from the logical router are
376 deleted. If <var>prefix</var> is also specified, then all the
377 routes that match the prefix will be deleted from the logical
382 It is an error if <code>prefix</code> is specified and there
383 is no matching route entry, unless <code>--if-exists</code> is
388 <dt><code>lr-route-list</code> <var>router</var></dt>
390 Lists the routes on <var>router</var>.
394 <h1>DHCP Options commands</h1>
397 <dt><code>dhcp-options-create</code> <var>cidr</var> [<var>key=value</var>]</dt>
399 Creates a new DHCP Options entry in the <code>DHCP_Options</code> table
400 with the specified <code>cidr</code> and optional <code>external-ids</code>.
403 <dt><code>dhcp-options-list</code></dt>
405 Lists the DHCP Options entries.
408 <dt><code>dhcp-options-del</code> <var>dhcp-option</var></dt>
410 Deletes the DHCP Options entry referred by <var>dhcp-option</var> UUID.
413 <dt><code>dhcp-options-set-options</code> <var>dhcp-option</var> [<var>key=value</var>]...</dt>
415 Set the DHCP Options for the <var>dhcp-option</var> UUID.
418 <dt><code>dhcp-options-get-options</code> <var>dhcp-option</var></dt>
420 Lists the DHCP Options for the <var>dhcp-option</var> UUID.
424 <h1>Database Commands</h1>
425 <p>These commands query and modify the contents of <code>ovsdb</code> tables.
426 They are a slight abstraction of the <code>ovsdb</code> interface and
427 as suchthey operate at a lower level than other <code>ovn-nbctl</code> commands.</p>
428 <p><var>Identifying Tables, Records, and Columns</var></p>
429 <p>Each of these commands has a <var>table</var> parameter to identify a table
430 within the database. Many of them also take a <var>record</var> parameter
431 that identifies a particular record within a table. The <var>record</var>
432 parameter may be the UUID for a record, and many tables offer
433 additional ways to identify records. Some commands also take
434 <var>column</var> parameters that identify a particular field within the
435 records in a table.</p>
436 <p>The following tables are currently defined:</p>
438 <dt><code>Logical_Switch</code></dt>
440 An L2 logical switch. Records may be identified by name.
443 <dt><code>Logical_Switch_Port</code></dt>
445 A port within an L2 logical switch. Records may be identified by name.
448 <dt><code>ACL</code></dt>
450 An ACL rule for a logical switch that points to it through its <var>acls</var> column.
453 <dt><code>Logical_Router</code></dt>
455 An L3 logical router. Records may be identified by name.
458 <dt><code>Logical_Router_Port</code></dt>
460 A port within an L3 logical router. Records may be identified by name.
463 <dt><code>Logical_Router_Static_Route</code></dt>
465 A static route belonging to an L3 logical router.
470 <xi:include href="lib/db-ctl-base.xml" xmlns:xi="http://www.w3.org/2003/XInclude"/>
475 <dt><code>--db</code> <var>database</var></dt>
477 The OVSDB database remote to contact. If the <env>OVN_NB_DB</env>
478 environment variable is set, its value is used as the default.
479 Otherwise, the default is <code>unix:@RUNDIR@/db.sock</code>, but this
480 default is unlikely to be useful outside of single-machine OVN test
484 <dt><code>-h</code> | <code>--help</code></dt>
485 <dt><code>-o</code> | <code>--options</code></dt>
486 <dt><code>-V</code> | <code>--version</code></dt>
489 <h1>Logging options</h1>
491 <dt><code>-v</code><var>spec</var>, <code>--verbose=</code><var>spec</var></dt>
492 <dt><code>-v</code>, <code>--verbose</code></dt>
493 <dt><code>--log-file</code>[<code>=</code><var>file</var>]</dt>
494 <dt><code>--syslog-target=</code><var>host</var><code>:</code><var>port</var></dt>
497 <h1>PKI configuration (required to use SSL)</h1>
499 <dt><code>-p</code>, <code>--private-key=</code><var>file</var> file with private key</dt>
500 <dt><code>-c</code>, <code>--certificate=</code><var>file</var> file with certificate for private key</dt>
501 <dt><code>-C</code>, <code>--ca-cert=</code><var>file</var> file with peer CA certificate</dt>