FreeBSD Manual Pages
ovsdb-client(1) Open vSwitch Manual ovsdb-client(1) NAME ovsdb-client - command-line interface to ovsdb-server(1) SYNOPSIS Server-Level Commands: ovsdb-client [options] list-dbs [server] Database Schema Commands: ovsdb-client [options] get-schema [server] [database] ovsdb-client [options] list-tables [server] [database] ovsdb-client [options] list-columns [server] [database] [table] Database Version Management Commands: ovsdb-client [options] convert [server] schema ovsdb-client [options] needs-conversion [server] schema ovsdb-client [options] get-schema-version [server] [database] Data Management Commands: ovsdb-client [options] transact [server] transaction ovsdb-client [options] query [server] transaction ovsdb-client [options] dump [server] [database] [table [col- umn...]] ovsdb-client [options] backup [server] [database] > snapshot ovsdb-client [options] [--force] restore [server] [database] < snapshot ovsdb-client [options] monitor [server] [database] table [col- umn[,column]...]... ovsdb-client [options] monitor [server] [database] ALL ovsdb-client [options] monitor-cond [server] [database] condi- tions table [column[,column]...]... ovsdb-client [options] monitor-cond-since [server] [database] [last-id] conditions table [column[,column]...]... ovsdb-client [options] wait [server] database state Testing Commands: ovsdb-client [options] lock [server] lock ovsdb-client [options] steal [server] lock ovsdb-client [options] unlock [server] lock Other Commands: ovsdb-client help Cluster Options: [--no-leader-only] Output formatting options: [--format=format] [--data=format] [--no-headings] [--pretty] [--bare] [--timestamp] Daemon options: [--pidfile[=pidfile]] [--overwrite-pidfile] [--detach] [--no-chdir] [--no-self-confinement] Logging options: [-v[module[:destination[:level]]]]... [--verbose[=module[:destination[:level]]]]... [--log-file[=file]] Public key infrastructure options: [--private-key=privkey.pem] [--certificate=cert.pem] [--ca-cert=cacert.pem] [--bootstrap-ca-cert=cacert.pem] SSL connection options: [--ssl-protocols=protocols] [--ssl-ciphers=ciphers] Replay options: [--record[=directory]] [--replay[=directory]] Common options: [-h | --help] [-V | --version] DESCRIPTION The ovsdb-client program is a command-line client for interacting with a running ovsdb-server process. Each command connects to the specified OVSDB server, which may be an OVSDB active or passive connection method, as described in ovsdb(7). The default server is unix:/var/run/openvswitch/db.sock and the default database is Open_vSwitch. ovsdb-client supports the method1,method2,...,methodN syntax described in ovsdb(7) for connecting to a cluster. When this syntax is used, ovsdb-client tries the cluster members in random order until it finds the cluster leader. Specify the --no-leader-only option to instead ac- cept any server that is connected to the cluster. For an introduction to OVSDB and its implementation in Open vSwitch, see ovsdb(7). The following sections describe the commands that ovsdb-client sup- ports. Server-Level Commands Most ovsdb-client commands work with an individual database, but these commands apply to an entire database server. list-dbs [server] Connects to server, retrieves the list of known databases, and prints them one per line. These database names are the ones that other commands may use for database. Database Schema Commands These commands obtain the schema from a database and print it or part of it. get-schema [server] [database] Connects to server, retrieves the schema for database, and prints it in JSON format. list-tables [server] [database] Connects to server, retrieves the schema for database, and prints a table listing the name of each table within the data- base. list-columns [server] [database] table Connects to server, retrieves the schema for database, and prints a table listing the name and type of each column. If ta- ble is specified, only columns in that table are listed; other- wise, the tables include columns in all tables. Database Version Management Commands An OVSDB schema has a schema version number, and an OVSDB database em- beds a particular version of an OVSDB schema. These version numbers take the form x.y.z, e.g. 1.2.3. The OVSDB implementation does not en- force a particular version numbering scheme, but schemas managed within the Open vSwitch project use the following approach. Whenever the database schema is changed in a non-backward compatible way (e.g. deleting a column or a table), x is incremented (and y and z are reset to 0). When the database schema is changed in a backward compatible way (e.g. adding a new column), y is incremented (and z is reset to 0). When the database schema is changed cosmetically (e.g. reindenting its syntax), z is incremented. Some OVSDB databases and schemas, especially very old ones, do not have a version number. Schema version numbers and Open vSwitch version numbers are indepen- dent. These commands work with different versions of OVSDB schemas and data- bases. convert [server] schema Reads an OVSDB schema in JSON format, as specified in the OVSDB specification, from schema, then connects to server and requests the server to convert the database whose name is specified in schema to the schema also specified in schema. The conversion is atomic, consistent, isolated, and durable. Following the schema change, the server notifies clients that use the set_db_change_aware RPC introduced in Open vSwitch 2.9 and cancels their outstanding transactions and monitors. The server disconnects other clients, enabling them to notice the change when they reconnect. This command can do simple ``upgrades'' and ``downgrades'' on a database's schema. The data in the database must be valid when interpreted under schema, with only one exception: data for ta- bles and columns that do not exist in schema are ignored. Columns that exist in schema but not in the database are set to their default values. All of schema's constraints apply in full. Some uses of this command can cause unrecoverable data loss. For example, converting a database from a schema that has a given column or table to one that does not will delete all data in that column or table. Back up critical databases before con- verting them. This command works with clustered and standalone databases. Standalone databases may also be converted (offline) with ovsdb-tool's convert command. needs-conversion [server] schema Reads the schema from schema, then connects to server and re- quests the schema from the database whose name is specified in schema. If the two schemas are the same, prints no on stdout; if they differ, prints yes. get-schema-version [server] [database] Connects to server, retrieves the schema for database, and prints its version number on stdout. If database was created before schema versioning was introduced, then it will not have a version number and this command will print a blank line. get-schema-cksum [server] [database] Connects to server, retrieves the schema for database, and prints its checksum on stdout. If database does not include a checksum, prints a blank line. Data Management Commands These commands read or modify the data in a database. transact [server] transaction Connects to server, sends it the specified transaction, which must be a JSON array appropriate for use as the params to a JSON-RPC transact request, and prints the received reply on std- out. query [server] transaction This commands acts like a read-only version of transact. It connects to server, sends it the specified transaction, which must be a JSON array appropriate for use as the params to a JSON-RPC transact request, and prints the received reply on std- out. To ensure that the transaction does not modify the data- base, this command appends an abort operation to the set of op- erations included in transaction before sending it to the data- base, and then removes the abort result from the reply (if it is present). dump [server] [database] [table [column...]] Connects to server, retrieves all of the data in database, and prints it on stdout as a series of tables. If table is speci- fied, only that table is retrieved. If at least one column is specified, only those columns are retrieved. backup [server] [database] > snapshot Connects to server, retrieves a snapshot of the schema and data in database, and prints it on stdout in the format used for OVSDB standalone and active-backup databases. This is an appro- priate way to back up any remote database. The database snap- shot that it outputs is suitable to be served up directly by ovsdb-server or used as the input to ovsdb-client restore. Another way to back up a standalone or active-backup database is to copy its database file, e.g. with cp. This is safe even if the database is in use. The output does not include ephemeral columns, which by design do not survive across restarts of ovsdb-server. [--force] restore [server] [database] < snapshot Reads snapshot, which must be a OVSDB standalone or active- backup database (possibly but not necessarily created by ovsdb-client backup). Then, connects to server, verifies that database and snapshot have the same schema, then deletes all of the data in database and replaces it by snapshot. The replace- ment happens atomically, in a single transaction. UUIDs for rows in the restored database will differ from those in snapshot, because the OVSDB protocol does not allow clients to specify row UUIDs. Another way to restore a standalone or active-backup database, which does also restore row UUIDs, is to stop the server or servers, replace the database file by the snapshot, then restart the database. Either way, ephemeral columns are not restored, since by design they do not survive across restarts of ovsdb-server. Normally restore exits with a failure if snapshot and the server's database have different schemas. In such a case, it is a good idea to convert the database to the new schema before restoring, e.g. with ovsdb-client convert. Use --force to pro- ceed regardless of schema differences even though the restore might fail with an error or succeed with surprising results. monitor [server] [database] table [column[,column]...]... monitor-cond [server] [database] conditions table [column[,col- umn]...]... monitor-cond-since [server] [database] [last-id] conditions table [col- umn[,column]...]... Connects to server and monitors the contents of rows that match conditions in table in database. By default, the initial con- tents of table are printed, followed by each change as it oc- curs. If conditions empty, all rows will be monitored. If at least one column is specified, only those columns are monitored. The following column names have special meanings: !initial Do not print the initial contents of the specified columns. !insert Do not print newly inserted rows. !delete Do not print deleted rows. !modify Do not print modifications to existing rows. Multiple [column[,column]...] groups may be specified as sepa- rate arguments, e.g. to apply different reporting parameters to each group. Whether multiple groups or only a single group is specified, any given column may only be mentioned once on the command line. conditions is a JSON array of <condition> as defined in RFC 7047 5.1 with the following change: A condition can be either a 3-el- ement JSON array as described in the RFC or a boolean value. If --detach is used with monitor, monitor-cond or moni- tor-cond-since, then ovsdb-client detaches after it has success- fully received and printed the initial contents of table. The monitor command uses RFC 7047 "monitor" method to open a monitor session with the server. The monitor-cond and moni- tor-cond-since commandls uses RFC 7047 extension "monitor_cond" and "monitor_cond_since" methods. See ovsdb-server(1) for de- tails. monitor [server] [database] ALL Connects to server and monitors the contents of all tables in database. Prints initial values and all kinds of changes to all columns in the database. The --detach option causes ovsdb-client to detach after it successfully receives and prints the initial database contents. The monitor command uses RFC 7047 "monitor" method to open a monitor session with the server. wait [server] database state Waits for database on server to enter a desired state, which may be one of: added Waits until a database with the given name has been added to server. connected Waits until a database with the given name has been added to server. Then, if database is clustered, additionally waits until it has joined and connected to its cluster. removed Waits until database has been removed from the database server. This can also be used to wait for a database to complete leaving its cluster, because ovsdb-server re- moves a database at that point. database is mandatory for this command because it is often used to check for databases that have not yet been added to the server, so that the ovsdb-client semantics of acting on a de- fault database do not work. This command acts on a particular database server, not on a cluster, so server must name a single server, not a comma-delim- ited list of servers. Testing commands These commands are mostly of interest for testing the correctness of the OVSDB server. lock [server] lock steal [server] lock unlock [server] lock Connects to server and issues corresponding RFC 7047 lock opera- tions on lock. Prints json reply or subsequent update messages. The --detach option causes ovsdb-client to detach after it suc- cessfully receives and prints the initial reply. When running with the --detach option, lock, steal, unlock and exit commands can be issued by using ovs-appctl. exit command causes the ovsdb-client to close its ovsdb-server connection be- fore exit. The lock, steal and unlock commands can be used to issue additional lock operations over the same ovsdb-server con- nection. All above commands take a single lock argument, which does not have to be the same as the lock that ovsdb-client started with. OPTIONS Output Formatting Options Much of the output from ovsdb-client is in the form of tables. The following options controlling output formatting: -f format --format=format Sets the type of table formatting. The following types of for- mat are available: table (default) 2-D text tables with aligned columns. list A list with one column per line and rows separated by a blank line. html HTML tables. csv Comma-separated values as defined in RFC 4180. json JSON format as defined in RFC 4627. The output is a se- quence of JSON objects, each of which corresponds to one table. Each JSON object has the following members with the noted values: caption The table's caption. This member is omitted if the table has no caption. headings An array with one element per table column. Each array element is a string giving the corresponding column's heading. data An array with one element per table row. Each el- ement is also an array with one element per table column. The elements of this second-level array are the cells that constitute the table. Cells that represent OVSDB data or data types are ex- pressed in the format described in the OVSDB spec- ification; other cells are simply expressed as text strings. -d format --data=format Sets the formatting for cells within output tables unless the table format is set to json, in which case json formatting is always used when formatting cells. The following types of for- mat are available: string (default) The simple format described in the Database Values sec- tion of ovs-vsctl(8). bare The simple format with punctuation stripped off: [] and {} are omitted around sets, maps, and empty columns, items within sets and maps are space-separated, and strings are never quoted. This format may be easier for scripts to parse. json The RFC 4627 JSON format as described above. --no-headings This option suppresses the heading row that otherwise appears in the first row of table output. --pretty By default, JSON in output is printed as compactly as possible. This option causes JSON in output to be printed in a more read- able fashion. Members of objects and elements of arrays are printed one per line, with indentation. This option does not affect JSON in tables, which is always printed compactly. --bare Equivalent to --format=list --data=bare --no-headings. --max-column-width=n For table output only, limits the width of any column in the output to n columns. Longer cell data is truncated to fit, as necessary. Columns are always wide enough to display the column names, if the heading row is printed. --timestamp For the monitor, monitor-cond and monitor-cond-since commands, add a timestamp to each table update. Most output formats add the timestamp on a line of its own just above the table. The JSON output format puts the timestamp in a member of the top- level JSON object named time. -t --timeout=secs Limits ovsdb-client runtime to approximately secs seconds. If the timeout expires, ovsdb-client will exit with a SIGALRM sig- nal. Daemon Options The daemon options apply only to the monitor, monitor-cond and moni- tor-cond-since commands. With any other command, they have no effect. The following options are valid on POSIX based platforms. --pidfile[=pidfile] Causes a file (by default, ovsdb-client.pid) to be created indi- cating the PID of the running process. If the pidfile argument is not specified, or if it does not begin with /, then it is created in /var/run/openvswitch. If --pidfile is not specified, no pidfile is created. --overwrite-pidfile By default, when --pidfile is specified and the specified pid- file already exists and is locked by a running process, ovsdb-client refuses to start. Specify --overwrite-pidfile to cause it to instead overwrite the pidfile. When --pidfile is not specified, this option has no effect. --detach Runs ovsdb-client as a background process. The process forks, and in the child it starts a new session, closes the standard file descriptors (which has the side effect of disabling logging to the console), and changes its current directory to the root (unless --no-chdir is specified). After the child completes its initialization, the parent exits. --monitor Creates an additional process to monitor the ovsdb-client dae- mon. If the daemon dies due to a signal that indicates a pro- gramming error (SIGABRT, SIGALRM, SIGBUS, SIGFPE, SIGILL, SIG- PIPE, SIGSEGV, SIGXCPU, or SIGXFSZ) then the monitor process starts a new copy of it. If the daemon dies or exits for an- other reason, the monitor process exits. This option is normally used with --detach, but it also func- tions without it. --no-chdir By default, when --detach is specified, ovsdb-client changes its current working directory to the root directory after it de- taches. Otherwise, invoking ovsdb-client from a carelessly cho- sen directory would prevent the administrator from unmounting the file system that holds that directory. Specifying --no-chdir suppresses this behavior, preventing ovsdb-client from changing its current working directory. This may be useful for collecting core files, since it is common be- havior to write core dumps into the current working directory and the root directory is not a good directory to use. This option has no effect when --detach is not specified. --no-self-confinement By default daemon will try to self-confine itself to work with files under well-known directories determined during build. It is better to stick with this default behavior and not to use this flag unless some other Access Control is used to confine daemon. Note that in contrast to other access control implemen- tations that are typically enforced from kernel-space (e.g. DAC or MAC), self-confinement is imposed from the user-space daemon itself and hence should not be considered as a full confinement strategy, but instead should be viewed as an additional layer of security. --user Causes ovsdb-client to run as a different user specified in "user:group", thus dropping most of the root privileges. Short forms "user" and ":group" are also allowed, with current user or group are assumed respectively. Only daemons started by the root user accepts this argument. On Linux, daemons will be granted CAP_IPC_LOCK and CAP_NET_BIND_SERVICES before dropping root privileges. Daemons that interact with a datapath, such as ovs-vswitchd, will be granted three additional capabilities, namely CAP_NET_ADMIN, CAP_NET_BROADCAST and CAP_NET_RAW. The capability change will apply even if the new user is root. On Windows, this option is not currently supported. For security reasons, specifying this option will cause the daemon process not to start. Logging Options -v[spec] --verbose=[spec] Sets logging levels. Without any spec, sets the log level for every module and destination to dbg. Otherwise, spec is a list of words separated by spaces or commas or colons, up to one from each category below: • A valid module name, as displayed by the vlog/list com- mand on ovs-appctl(8), limits the log level change to the specified module. • syslog, console, or file, to limit the log level change to only to the system log, to the console, or to a file, respectively. (If --detach is specified, ovsdb-client closes its standard file descriptors, so logging to the console will have no effect.) On Windows platform, syslog is accepted as a word and is only useful along with the --syslog-target option (the word has no effect otherwise). • off, emer, err, warn, info, or dbg, to control the log level. Messages of the given severity or higher will be logged, and messages of lower severity will be filtered out. off filters out all messages. See ovs-appctl(8) for a definition of each log level. Case is not significant within spec. Regardless of the log levels set for file, logging to a file will not take place unless --log-file is also specified (see be- low). For compatibility with older versions of OVS, any is accepted as a word but has no effect. -v --verbose Sets the maximum logging verbosity level, equivalent to --ver- bose=dbg. -vPATTERN:destination:pattern --verbose=PATTERN:destination:pattern Sets the log pattern for destination to pattern. Refer to ovs-appctl(8) for a description of the valid syntax for pattern. -vFACILITY:facility --verbose=FACILITY:facility Sets the RFC5424 facility of the log message. facility can be one of kern, user, mail, daemon, auth, syslog, lpr, news, uucp, clock, ftp, ntp, audit, alert, clock2, local0, local1, local2, local3, local4, local5, local6 or local7. If this option is not specified, daemon is used as the default for the local system syslog and local0 is used while sending a message to the target provided via the --syslog-target option. --log-file[=file] Enables logging to a file. If file is specified, then it is used as the exact name for the log file. The default log file name used if file is omitted is /var/log/open- vswitch/ovsdb-client.log. --syslog-target=host:port Send syslog messages to UDP port on host, in addition to the system syslog. The host must be a numerical IP address, not a hostname. --syslog-method=method Specify method how syslog messages should be sent to syslog dae- mon. Following forms are supported: • libc, use libc syslog() function. Downside of using this options is that libc adds fixed prefix to every message before it is actually sent to the syslog daemon over /dev/log UNIX domain socket. • unix:file, use UNIX domain socket directly. It is possi- ble to specify arbitrary message format with this option. However, rsyslogd 8.9 and older versions use hard coded parser function anyway that limits UNIX domain socket use. If you want to use arbitrary message format with older rsyslogd versions, then use UDP socket to localhost IP address instead. • udp:ip:port, use UDP socket. With this method it is pos- sible to use arbitrary message format also with older rsyslogd. When sending syslog messages over UDP socket extra precaution needs to be taken into account, for ex- ample, syslog daemon needs to be configured to listen on the specified UDP port, accidental iptables rules could be interfering with local syslog traffic and there are some security considerations that apply to UDP sockets, but do not apply to UNIX domain sockets. • null, discards all messages logged to syslog. The default is taken from the OVS_SYSLOG_METHOD environment variable; if it is unset, the default is libc. Public Key Infrastructure Options -p privkey.pem --private-key=privkey.pem Specifies a PEM file containing the private key used as ovsdb-client's identity for outgoing SSL connections. -c cert.pem --certificate=cert.pem Specifies a PEM file containing a certificate that certifies the private key specified on -p or --private-key to be trustworthy. The certificate must be signed by the certificate authority (CA) that the peer in SSL connections will use to verify it. -C cacert.pem --ca-cert=cacert.pem Specifies a PEM file containing the CA certificate that ovsdb-client should use to verify certificates presented to it by SSL peers. (This may be the same certificate that SSL peers use to verify the certificate specified on -c or --certificate, or it may be a different one, depending on the PKI design in use.) -C none --ca-cert=none Disables verification of certificates presented by SSL peers. This introduces a security risk, because it means that certifi- cates cannot be verified to be those of known trusted hosts. --bootstrap-ca-cert=cacert.pem When cacert.pem exists, this option has the same effect as -C or --ca-cert. If it does not exist, then ovsdb-client will attempt to obtain the CA certificate from the SSL peer on its first SSL connection and save it to the named PEM file. If it is success- ful, it will immediately drop the connection and reconnect, and from then on all SSL connections must be authenticated by a cer- tificate signed by the CA certificate thus obtained. This option exposes the SSL connection to a man-in-the-middle attack obtaining the initial CA certificate, but it may be use- ful for bootstrapping. This option is only useful if the SSL peer sends its CA certifi- cate as part of the SSL certificate chain. The SSL protocol does not require the server to send the CA certificate. This option is mutually exclusive with -C and --ca-cert. SSL Connection Options --ssl-protocols=protocols Specifies, in a comma- or space-delimited list, the SSL proto- cols ovsdb-client will enable for SSL connections. Supported protocols include TLSv1, TLSv1.1, and TLSv1.2. Regardless of order, the highest protocol supported by both sides will be cho- sen when making the connection. The default when this option is omitted is TLSv1,TLSv1.1,TLSv1.2. --ssl-ciphers=ciphers Specifies, in OpenSSL cipher string format, the ciphers ovsdb-client will support for SSL connections. The default when this option is omitted is HIGH:!aNULL:!MD5. Other Options --record[=directory] Sets the process in "recording" mode, in which it will record all the connections, data from streams (Unix domain and network sockets) and some other important necessary bits, so they could be replayed later. Recorded data is stored in replay files in specified directory. If directory does not begin with /, it is interpreted as relative to /var/run/openvswitch. If directory is not specified, /var/run/openvswitch will be used. --replay[=directory] Sets the process in "replay" mode, in which it will read infor- mation about connections, data from streams (Unix domain and network sockets) and some other necessary bits directly from re- play files instead of using real sockets. Replay files from the directory will be used. If directory does not begin with /, it is interpreted as relative to /var/run/openvswitch. If direc- tory is not specified, /var/run/openvswitch will be used. -h --help Prints a brief help message to the console. -V --version Prints version information to the console. SEE ALSO ovsdb(7), ovsdb-server(1), ovsdb-client(1). Open vSwitch 2.17.12 ovsdb-client(1)
NAME | SYNOPSIS | DESCRIPTION | OPTIONS | SEE ALSO
Want to link to this manual page? Use this URL:
<https://man.freebsd.org/cgi/man.cgi?query=ovsdb-client&sektion=1&manpath=FreeBSD+Ports+14.3.quarterly>