ovn-ic(8) — Linux manual page

NAME | SYNOPSIS | DESCRIPTION | OPTIONS | RUNTIME MANAGEMENT COMMANDS | ACTIVE-STANDBY FOR HIGH AVAILABILITY | COLOPHON

ovn-ic(8)                      OVN Manual                      ovn-ic(8)

NAME         top

       ovn-ic - Open Virtual Network interconnection controller

SYNOPSIS         top

       ovn-ic [options]

DESCRIPTION         top

       ovn-ic, OVN interconnection controller, is a centralized daemon
       which communicates with global interconnection databases
       IC_NB/IC_SB to configure and exchange data with local NB/SB for
       interconnecting with other OVN deployments.

OPTIONS         top

       --ovnnb-db=database
              The OVSDB database containing the OVN Northbound Database.
              If the OVN_NB_DB environment variable is set, its value is
              used as the default. Otherwise, the default is
              unix:/ovnnb_db.sock.

       --ovnsb-db=database
              The OVSDB database containing the OVN Southbound Database.
              If the OVN_SB_DB environment variable is set, its value is
              used as the default. Otherwise, the default is
              unix:/ovnsb_db.sock.

       --ic-nb-db=database
              The OVSDB database containing the OVN Interconnection
              Northbound Database. If the OVN_IC_NB_DB environment
              variable is set, its value is used as the default.
              Otherwise, the default is unix:/ovn_ic_nb_db.sock.

       --ic-sb-db=database
              The OVSDB database containing the OVN Interconnection
              Southbound Database. If the OVN_IC_SB_DB environment
              variable is set, its value is used as the default.
              Otherwise, the default is unix:/ovn_ic_sb_db.sock.

       database in the above options must be an OVSDB active or passive
       connection method, as described in ovsdb(7).

   Daemon Options
       --pidfile[=pidfile]
              Causes a file (by default, program.pid) to be created
              indicating the PID of the running process. If the pidfile
              argument is not specified, or if it does not begin with /,
              then it is created in .

              If --pidfile is not specified, no pidfile is created.

       --overwrite-pidfile
              By default, when --pidfile is specified and the specified
              pidfile already exists and is locked by a running process,
              the daemon refuses to start. Specify --overwrite-pidfile
              to cause it to instead overwrite the pidfile.

              When --pidfile is not specified, this option has no
              effect.

       --detach
              Runs this program as a background process. The process
              forks, and in the child it starts a new session, closes
              the standard file descriptors (which has the side effect
              of disabling logging to the console), and changes its
              current directory to the root (unless --no-chdir is
              specified). After the child completes its initialization,
              the parent exits.

       --monitor
              Creates an additional process to monitor this program. If
              it dies due to a signal that indicates a programming error
              (SIGABRT, SIGALRM, SIGBUS, SIGFPE, SIGILL, SIGPIPE,
              SIGSEGV, SIGXCPU, or SIGXFSZ) then the monitor process
              starts a new copy of it. If the daemon dies or exits for
              another reason, the monitor process exits.

              This option is normally used with --detach, but it also
              functions without it.

       --no-chdir
              By default, when --detach is specified, the daemon changes
              its current working directory to the root directory after
              it detaches. Otherwise, invoking the daemon from a
              carelessly chosen directory would prevent the
              administrator from unmounting the file system that holds
              that directory.

              Specifying --no-chdir suppresses this behavior, preventing
              the daemon from changing its current working directory.
              This may be useful for collecting core files, since it is
              common behavior to write core dumps into the current
              working directory and the root directory is not a good
              directory to use.

              This option has no effect when --detach is not specified.

       --no-self-confinement
              By default this daemon will try to self-confine itself to
              work with files under well-known directories determined at
              build time. It is better to stick with this default
              behavior and not to use this flag unless some other Access
              Control is used to confine daemon. Note that in contrast
              to other access control implementations that are typically
              enforced from kernel-space (e.g. DAC or MAC), self-
              confinement is imposed from the user-space daemon itself
              and hence should not be considered as a full confinement
              strategy, but instead should be viewed as an additional
              layer of security.

       --user=user:group
              Causes this program to run as a different user specified
              in user:group, thus dropping most of the root privileges.
              Short forms user and :group are also allowed, with current
              user or group assumed, respectively. Only daemons started
              by the root user accepts this argument.

              On Linux, daemons will be granted CAP_IPC_LOCK and
              CAP_NET_BIND_SERVICES before dropping root privileges.
              Daemons that interact with a datapath, such as
              ovs-vswitchd, will be granted three additional
              capabilities, namely CAP_NET_ADMIN, CAP_NET_BROADCAST and
              CAP_NET_RAW. The capability change will apply even if the
              new user is root.

              On Windows, this option is not currently supported. For
              security reasons, specifying this option will cause the
              daemon process not to start.

   Logging Options
       -v[spec]
       --verbose=[spec]
            Sets logging levels. Without any spec, sets the log level
            for every module and destination to dbg. Otherwise, spec is
            a list of words separated by spaces or commas or colons, up
            to one from each category below:

            •      A valid module name, as displayed by the vlog/list
                   command on ovs-appctl(8), limits the log level change
                   to the specified module.

            •      syslog, console, or file, to limit the log level
                   change to only to the system log, to the console, or
                   to a file, respectively. (If --detach is specified,
                   the daemon closes its standard file descriptors, so
                   logging to the console will have no effect.)

                   On Windows platform, syslog is accepted as a word and
                   is only useful along with the --syslog-target option
                   (the word has no effect otherwise).

            •      off, emer, err, warn, info, or dbg, to control the
                   log level. Messages of the given severity or higher
                   will be logged, and messages of lower severity will
                   be filtered out. off filters out all messages. See
                   ovs-appctl(8) for a definition of each log level.

            Case is not significant within spec.

            Regardless of the log levels set for file, logging to a file
            will not take place unless --log-file is also specified (see
            below).

            For compatibility with older versions of OVS, any is
            accepted as a word but has no effect.

       -v
       --verbose
            Sets the maximum logging verbosity level, equivalent to
            --verbose=dbg.

       -vPATTERN:destination:pattern
       --verbose=PATTERN:destination:pattern
            Sets the log pattern for destination to pattern. Refer to
            ovs-appctl(8) for a description of the valid syntax for
            pattern.

       -vFACILITY:facility
       --verbose=FACILITY:facility
            Sets the RFC5424 facility of the log message. facility can
            be one of kern, user, mail, daemon, auth, syslog, lpr, news,
            uucp, clock, ftp, ntp, audit, alert, clock2, local0, local1,
            local2, local3, local4, local5, local6 or local7. If this
            option is not specified, daemon is used as the default for
            the local system syslog and local0 is used while sending a
            message to the target provided via the --syslog-target
            option.

       --log-file[=file]
            Enables logging to a file. If file is specified, then it is
            used as the exact name for the log file. The default log
            file name used if file is omitted is
            /usr/local/var/log/ovn/program.log.

       --syslog-target=host:port
            Send syslog messages to UDP port on host, in addition to the
            system syslog. The host must be a numerical IP address, not
            a hostname.

       --syslog-method=method
            Specify method as how syslog messages should be sent to
            syslog daemon. The following forms are supported:

            •      libc, to use the libc syslog() function. Downside of
                   using this options is that libc adds fixed prefix to
                   every message before it is actually sent to the
                   syslog daemon over /dev/log UNIX domain socket.

            •      unix:file, to use a UNIX domain socket directly. It
                   is possible to specify arbitrary message format with
                   this option. However, rsyslogd 8.9 and older versions
                   use hard coded parser function anyway that limits
                   UNIX domain socket use. If you want to use arbitrary
                   message format with older rsyslogd versions, then use
                   UDP socket to localhost IP address instead.

            •      udp:ip:port, to use a UDP socket. With this method it
                   is possible to use arbitrary message format also with
                   older rsyslogd. When sending syslog messages over UDP
                   socket extra precaution needs to be taken into
                   account, for example, syslog daemon needs to be
                   configured to listen on the specified UDP port,
                   accidental iptables rules could be interfering with
                   local syslog traffic and there are some security
                   considerations that apply to UDP sockets, but do not
                   apply to UNIX domain sockets.

            •      null, to discard all messages logged to syslog.

            The default is taken from the OVS_SYSLOG_METHOD environment
            variable; if it is unset, the default is libc.

   PKI Options
       PKI configuration is required in order to use SSL for the
       connections to the Northbound and Southbound databases.

              -p privkey.pem
              --private-key=privkey.pem
                   Specifies a PEM file containing the private key used
                   as identity for outgoing SSL connections.

              -c cert.pem
              --certificate=cert.pem
                   Specifies a PEM file containing a certificate that
                   certifies the private key specified on -p or
                   --private-key to be trustworthy. The certificate must
                   be signed by the certificate authority (CA) that the
                   peer in SSL connections will use to verify it.

              -C cacert.pem
              --ca-cert=cacert.pem
                   Specifies a PEM file containing the CA certificate
                   for verifying certificates presented to this program
                   by SSL peers. (This may be the same certificate that
                   SSL peers use to verify the certificate specified on
                   -c or --certificate, or it may be a different one,
                   depending on the PKI design in use.)

              -C none
              --ca-cert=none
                   Disables verification of certificates presented by
                   SSL peers. This introduces a security risk, because
                   it means that certificates cannot be verified to be
                   those of known trusted hosts.

   Other Options
       --unixctl=socket
              Sets the name of the control socket on which program
              listens for runtime management commands (see RUNTIME
              MANAGEMENT COMMANDS, below). If socket does not begin with
              /, it is interpreted as relative to . If --unixctl is not
              used at all, the default socket is /program.pid.ctl, where
              pid is program’s process ID.

              On Windows a local named pipe is used to listen for
              runtime management commands. A file is created in the
              absolute path as pointed by socket or if --unixctl is not
              used at all, a file is created as program in the
              configured OVS_RUNDIR directory. The file exists just to
              mimic the behavior of a Unix domain socket.

              Specifying none for socket disables the control socket
              feature.

       -h
       --help
            Prints a brief help message to the console.

       -V
       --version
            Prints version information to the console.

RUNTIME MANAGEMENT COMMANDS         top

       ovs-appctl can send commands to a running ovn-ic process. The
       currently supported commands are described below.

              exit   Causes ovn-ic to gracefully terminate.

              pause  Pauses the ovn-ic operation from processing any
                     database changes. This will also instruct ovn-ic to
                     drop any lock on SB DB.

              resume Resumes the ovn-ic operation to process database
                     contents. This will also instruct ovn-northd to
                     aspire for the lock on SB DB.

              is-paused
                     Returns "true" if ovn-ic is currently paused,
                     "false" otherwise.

              status Prints this server’s status. Status will be
                     "active" if ovn-ic has acquired OVSDB lock on SB
                     DB, "standby" if it has not or "paused" if this
                     instance is paused.

ACTIVE-STANDBY FOR HIGH AVAILABILITY         top

       You may run ovn-ic more than once in an OVN deployment. When
       connected to a standalone or clustered DB setup, OVN will
       automatically ensure that only one of them is active at a time.
       If multiple instances of ovn-ic are running and the active ovn-ic
       fails, one of the hot standby instances of ovn-ic will
       automatically take over.

COLOPHON         top

       This page is part of the Open Virtual Network (Daemons for Open
       vSwitch that translate virtual network configurations into
       OpenFlow) project.  Information about the project can be found at
       ⟨https://www.ovn.org/⟩.  If you have a bug report for this manual
       page, send it to [email protected].  This page was obtained
       from the project's upstream Git repository
       ⟨https://github.com/ovn-org/ovn⟩ on 2024-06-14.  (At that time,
       the date of the most recent commit that was found in the
       repository was 2024-06-12.)  If you discover any rendering
       problems in this HTML version of the page, or you believe there
       is a better or more up-to-date source for the page, or you have
       corrections or improvements to the information in this COLOPHON
       (which is not part of the original manual page), send a mail to
       [email protected]

OVN 24.03.90                     ovn-ic                        ovn-ic(8)

Pages that refer to this page: ovn-sb(5)