forked from openvswitch/ovs
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathovn-nbctl.8.xml
862 lines (742 loc) · 33 KB
/
ovn-nbctl.8.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
<?xml version="1.0" encoding="utf-8"?>
<manpage program="ovn-nbctl" section="8" title="ovn-nbctl">
<h1>Name</h1>
<p>ovn-nbctl -- Open Virtual Network northbound db management utility</p>
<h1>Synopsis</h1>
<p><code>ovn-nbctl</code> [<var>options</var>] <var>command</var> [<var>arg</var>...]</p>
<h1>Description</h1>
<p>This utility can be used to manage the OVN northbound database.</p>
<h1>General Commands</h1>
<dl>
<dt><code>init</code></dt>
<dd>
Initializes the database, if it is empty. If the database has already
been initialized, this command has no effect.
</dd>
<dt><code>show [<var>switch</var> | <var>router</var>]</code></dt>
<dd>
Prints a brief overview of the database contents. If
<var>switch</var> is provided, only records related to that
logical switch are shown. If
<var>router</var> is provided, only records related to that
logical router are shown.
</dd>
</dl>
<h1>Logical Switch Commands</h1>
<dl>
<dt><code>ls-add</code></dt>
<dd>
<p>
Creates a new, unnamed logical switch, which initially has no ports.
The switch does not have a name, other commands must refer to this
switch by its UUID.
</p>
</dd>
<dt>[<code>--may-exist</code> | <code>--add-duplicate</code>] <code>ls-add</code> <var>switch</var></dt>
<dd>
<p>
Creates a new logical switch named <var>switch</var>, which
initially has no ports.
</p>
<p>
The OVN northbound database schema does not require logical switch
names to be unique, but the whole point to the names is to provide an
easy way for humans to refer to the switches, making duplicate names
unhelpful. Thus, without any options, this command regards it as an
error if <var>switch</var> is a duplicate name. With
<code>--may-exist</code>, adding a duplicate name succeeds but does
not create a new logical switch. With <code>--add-duplicate</code>,
the command really creates a new logical switch with a duplicate
name. It is an error to specify both options. If there are multiple
logical switches with a duplicate name, configure the logical switches
using the UUID instead of the <var>switch</var> name.
</p>
</dd>
<dt>[<code>--if-exists</code>] <code>ls-del</code> <var>switch</var></dt>
<dd>
Deletes <var>switch</var>. It is an error if <var>switch</var> does
not exist, unless <code>--if-exists</code> is specified.
</dd>
<dt><code>ls-list</code></dt>
<dd>
Lists all existing switches on standard output, one per line.
</dd>
</dl>
<h1>Logical Switch ACL Commands</h1>
<dl>
<dt>[<code>--log</code>] [<code>--may-exist</code>] <code>acl-add</code> <var>switch</var> <var>direction</var> <var>priority</var> <var>match</var> <var>action</var></dt>
<dd>
Adds the specified ACL to <var>switch</var>.
<var>direction</var> must be either <code>from-lport</code> or
<code>to-lport</code>. <var>priority</var> must be between
<code>0</code> and <code>32767</code>, inclusive. If
<code>--log</code> is specified, packet logging is enabled for the
ACL. A full description of the fields are in <code>ovn-nb</code>(5).
If <code>--may-exist</code> is specified, adding a duplicated ACL
succeeds but the ACL is not really created. Without <code>--may-exist</code>,
adding a duplicated ACL results in error.
</dd>
<dt><code>acl-del</code> <var>switch</var> [<var>direction</var> [<var>priority</var> <var>match</var>]]</dt>
<dd>
Deletes ACLs from <var>switch</var>. If only
<var>switch</var> is supplied, all the ACLs from the logical
switch are deleted. If <var>direction</var> is also specified,
then all the flows in that direction will be deleted from the
logical switch. If all the fields are given, then a single flow
that matches all the fields will be deleted.
</dd>
<dt><code>acl-list</code> <var>switch</var></dt>
<dd>
Lists the ACLs on <var>switch</var>.
</dd>
</dl>
<h1>Logical Switch Port Commands</h1>
<dl>
<dt>[<code>--may-exist</code>] <code>lsp-add</code> <var>switch</var> <var>port</var></dt>
<dd>
<p>
Creates on <var>lswitch</var> a new logical switch port named
<var>port</var>.
</p>
<p>
It is an error if a logical port named <var>port</var> already
exists, unless <code>--may-exist</code> is specified. Regardless of
<code>--may-exist</code>, it is an error if the existing port is in
some logical switch other than <var>switch</var> or if it has a
parent port.
</p>
</dd>
<dt>[<code>--may-exist</code>] <code>lsp-add</code> <var>switch</var> <var>port</var> <var>parent</var> <var>tag_request</var></dt>
<dd>
<p>
Creates on <var>switch</var> a logical switch port named
<var>port</var> that is a child of <var>parent</var> that is
identified with VLAN ID <var>tag_request</var>,
which must be between <code>0</code> and
<code>4095</code>, inclusive. If
<var>tag_request</var> is <code>0</code>, <code>ovn-northd</code>
generates a tag that is unique in the scope of <var>parent</var>.
This is useful in cases such as virtualized container environments
where Open vSwitch does not have a direct connection to the
container's port and it must be shared with the virtual machine's
port.
</p>
<p>
It is an error if a logical port named <var>port</var> already
exists, unless <code>--may-exist</code> is specified. Regardless of
<code>--may-exist</code>, it is an error if the existing port is not
in <var>switch</var> or if it does not have the specified
<var>parent</var> and <var>tag_request</var>.
</p>
</dd>
<dt>[<code>--if-exists</code>] <code>lsp-del</code> <var>port</var></dt>
<dd>
Deletes <var>port</var>. It is an error if <var>port</var> does
not exist, unless <code>--if-exists</code> is specified.
</dd>
<dt><code>lsp-list</code> <var>switch</var></dt>
<dd>
Lists all the logical switch ports within <var>switch</var> on
standard output, one per line.
</dd>
<dt><code>lsp-get-parent</code> <var>port</var></dt>
<dd>
If set, get the parent port of <var>port</var>. If not set, print
nothing.
</dd>
<dt><code>lsp-get-tag</code> <var>port</var></dt>
<dd>
If set, get the tag for <var>port</var> traffic. If not set, print
nothing.
</dd>
<dt><code>lsp-set-addresses</code> <var>port</var> [<var>address</var>]...</dt>
<dd>
<p>
Sets the addresses associated with <var>port</var> to
<var>address</var>. Each <var>address</var> should be one of the
following:
</p>
<dl>
<dt>an Ethernet address, optionally followed by a space and one or more IP addresses</dt>
<dd>
OVN delivers packets for the Ethernet address to this port.
</dd>
<dt><code>unknown</code></dt>
<dd>
OVN delivers unicast Ethernet packets whose destination MAC address
is not in any logical port's addresses column to ports with address
<code>unknown</code>.
</dd>
<dt><code>dynamic</code></dt>
<dd>
Use this keyword to make <code>ovn-northd</code> generate a
globally unique MAC address and choose an unused IPv4 address with
the logical port's subnet and store them in the port's
<code>dynamic_addresses</code> column.
</dd>
<dt><code>router</code></dt>
<dd>
Accepted only when the <code>type</code> of the logical switch
port is <code>router</code>. This indicates that the Ethernet,
IPv4, and IPv6 addresses for this logical switch port should be
obtained from the connected logical router port, as specified by
<code>router-port</code> in <code>lsp-set-options</code>.
</dd>
</dl>
<p>
Multiple addresses may be set. If no <var>address</var> argument is
given, <var>port</var> will have no addresses associated with it.
</p>
</dd>
<dt><code>lsp-get-addresses</code> <var>port</var></dt>
<dd>
Lists all the addresses associated with <var>port</var> on standard
output, one per line.
</dd>
<dt><code>lsp-set-port-security</code> <var>port</var> [<var>addrs</var>]...</dt>
<dd>
<p>
Sets the port security addresses associated with <var>port</var> to
<var>addrs</var>. Multiple sets of addresses may be set by using
multiple <var>addrs</var> arguments. If no <var>addrs</var> argument
is given, <var>port</var> will not have port security enabled.
</p>
<p>
Port security limits the addresses from which a logical port may send
packets and to which it may receive packets. See the
<code>ovn-nb</code>(5) documentation for the <ref
column="port_security" table="Logical_Switch_Port"/> column in
the <ref table="Logical_Switch_Port"/> table for details.
</p>
</dd>
<dt><code>lsp-get-port-security</code> <var>port</var></dt>
<dd>
Lists all the port security addresses associated with <var>port</var>
on standard output, one per line.
</dd>
<dt><code>lsp-get-up</code> <var>port</var></dt>
<dd>
Prints the state of <var>port</var>, either <code>up</code> or
<code>down</code>.
</dd>
<dt><code>lsp-set-enabled</code> <var>port</var> <var>state</var></dt>
<dd>
Set the administrative state of <var>port</var>, either <code>enabled</code>
or <code>disabled</code>. When a port is disabled, no traffic is allowed into
or out of the port.
</dd>
<dt><code>lsp-get-enabled</code> <var>port</var></dt>
<dd>
Prints the administrative state of <var>port</var>, either <code>enabled</code>
or <code>disabled</code>.
</dd>
<dt><code>lsp-set-type</code> <var>port</var> <var>type</var></dt>
<dd>
Set the type for the logical port. No special types have been implemented yet.
</dd>
<dt><code>lsp-get-type</code> <var>port</var></dt>
<dd>
Get the type for the logical port.
</dd>
<dt><code>lsp-set-options</code> <var>port</var> [<var>key=value</var>]...</dt>
<dd>
Set type-specific key-value options for the logical port.
</dd>
<dt><code>lsp-get-options</code> <var>port</var></dt>
<dd>
Get the type-specific options for the logical port.
</dd>
</dl>
<h1>Logical Router Commands</h1>
<dl>
<dt><code>lr-add</code></dt>
<dd>
<p>
Creates a new, unnamed logical router, which initially has no ports.
The router does not have a name, other commands must refer to this
router by its UUID.
</p>
</dd>
<dt>[<code>--may-exist</code> | <code>--add-duplicate</code>] <code>lr-add</code> <var>router</var></dt>
<dd>
<p>
Creates a new logical router named <var>router</var>, which
initially has no ports.
</p>
<p>
The OVN northbound database schema does not require logical router
names to be unique, but the whole point to the names is to provide an
easy way for humans to refer to the routers, making duplicate names
unhelpful. Thus, without any options, this command regards it as an
error if <var>router</var> is a duplicate name. With
<code>--may-exist</code>, adding a duplicate name succeeds but does
not create a new logical router. With <code>--add-duplicate</code>,
the command really creates a new logical router with a duplicate
name. It is an error to specify both options. If there are multiple
logical routers with a duplicate name, configure the logical routers
using the UUID instead of the <var>router</var> name.
</p>
</dd>
<dt>[<code>--if-exists</code>] <code>lr-del</code> <var>router</var></dt>
<dd>
Deletes <var>router</var>. It is an error if <var>router</var> does
not exist, unless <code>--if-exists</code> is specified.
</dd>
<dt><code>lr-list</code></dt>
<dd>
Lists all existing routers on standard output, one per line.
</dd>
</dl>
<h1>Logical Router Port Commands</h1>
<dl>
<dt>[<code>--may-exist</code>] <code>lrp-add</code> <var>router</var> <var>port</var> <var>mac</var> <var>network</var>... [<code>peer=</code><var>peer</var>]</dt>
<dd>
<p>
Creates on <var>router</var> a new logical router port named
<var>port</var> with Ethernet address <var>mac</var> and one
or more IP address/netmask for each <var>network</var>.
</p>
<p>
The optional argument <code>peer</code> identifies a logical
router port that connects to this one. The following example
adds a router port with an IPv4 and IPv6 address with peer
<code>lr1</code>:
</p>
<p>
<code>lrp-add lr0 lrp0 00:11:22:33:44:55 192.168.0.1/24 2001:db8::1/64 peer=lr1</code>
</p>
<p>
It is an error if a logical router port named <var>port</var>
already exists, unless <code>--may-exist</code> is specified.
Regardless of <code>--may-exist</code>, it is an error if the
existing router port is in some logical router other than
<var>router</var>.
</p>
</dd>
<dt>[<code>--if-exists</code>] <code>lrp-del</code> <var>port</var></dt>
<dd>
Deletes <var>port</var>. It is an error if <var>port</var> does
not exist, unless <code>--if-exists</code> is specified.
</dd>
<dt><code>lrp-list</code> <var>router</var></dt>
<dd>
Lists all the logical router ports within <var>router</var> on
standard output, one per line.
</dd>
<dt><code>lrp-set-enabled</code> <var>port</var> <var>state</var></dt>
<dd>
Set the administrative state of <var>port</var>, either
<code>enabled</code> or <code>disabled</code>. When a port is
disabled, no traffic is allowed into or out of the port.
</dd>
<dt><code>lrp-get-enabled</code> <var>port</var></dt>
<dd>
Prints the administrative state of <var>port</var>, either
<code>enabled</code> or <code>disabled</code>.
</dd>
</dl>
<h1>Logical Router Static Route Commands</h1>
<dl>
<dt>[<code>--may-exist</code>] [<code>--policy</code>=<var>POLICY</var>] <code>lr-route-add</code> <var>router</var> <var>prefix</var> <var>nexthop</var> [<var>port</var>]</dt>
<dd>
<p>
Adds the specified route to <var>router</var>.
<var>prefix</var> describes an IPv4 or IPv6 prefix for this
route, such as <code>192.168.100.0/24</code>.
<var>nexthop</var> specifies the gateway to use for this
route, which should be the IP address of one of
<var>router</var> logical router ports or the IP address of a
logical port. If <var>port</var> is specified, packets that
match this route will be sent out that port. When
<var>port</var> is omitted, OVN infers the output port based
on <var>nexthop</var>.
</p>
<p>
<code>--policy</code> describes the policy used to make routing
decisions. This should be one of "dst-ip" or "src-ip". If not
specified, the default is "dst-ip".
</p>
<p>
It is an error if a route with <var>prefix</var> already exists,
unless <code>--may-exist</code> is specified.
</p>
</dd>
<dt>[<code>--if-exists</code>] <code>lr-route-del</code> <var>router</var> [<var>prefix</var>]</dt>
<dd>
<p>
Deletes routes from <var>router</var>. If only <var>router</var>
is supplied, all the routes from the logical router are
deleted. If <var>prefix</var> is also specified, then all the
routes that match the prefix will be deleted from the logical
router.
</p>
<p>
It is an error if <var>prefix</var> is specified and there
is no matching route entry, unless <code>--if-exists</code> is
specified.
</p>
</dd>
<dt><code>lr-route-list</code> <var>router</var></dt>
<dd>
Lists the routes on <var>router</var>.
</dd>
</dl>
<h1>NAT Commands</h1>
<dl>
<dt>[<code>--may-exist</code>] <code>lr-nat-add</code> <var>router</var> <var>type</var> <var>external_ip</var> <var>logical_ip</var> [<var>logical_port</var> <var>external_mac</var>]</dt>
<dd>
<p>
Adds the specified NAT to <var>router</var>.
The <var>type</var> must be one of <code>snat</code>,
<code>dnat</code>, or <code>dnat_and_snat</code>.
The <var>external_ip</var> is an IPv4 address.
The <var>logical_ip</var> is an IPv4 network (e.g 192.168.1.0/24)
or an IPv4 address.
The <var>logical_port</var> and <var>external_mac</var> are only
accepted when <var>router</var> is a distributed router (rather
than a gateway router) and <var>type</var> is
<code>dnat_and_snat</code>.
The <var>logical_port</var> is the name of an existing logical
switch port where the <var>logical_ip</var> resides.
The <var>external_mac</var> is an Ethernet address.
</p>
<p>
When <var>type</var> is <code>dnat</code>, the externally
visible IP address <var>external_ip</var> is DNATted to the
IP address <var>logical_ip</var> in the logical space.
</p>
<p>
When <var>type</var> is <code>snat</code>, IP packets with their
source IP address that either matches the IP address in
<var>logical_ip</var> or is in the network provided by
<var>logical_ip</var> is SNATed into the IP address in
<var>external_ip</var>.
</p>
<p>
When <var>type</var> is <code>dnat_and_snat</code>,
the externally visible IP address <var>external_ip</var>
is DNATted to the IP address <var>logical_ip</var> in
the logical space. In addition, IP packets with the source
IP address that matches <var>logical_ip</var> is SNATed into
the IP address in <var>external_ip</var>.
</p>
<p>
When the <var>logical_port</var> and <var>external_mac</var>
are specified, the NAT rule will be programmed on the chassis
where the <var>logical_port</var> resides. This includes
ARP replies for the <var>external_ip</var>, which return the
value of <var>external_mac</var>. All packets transmitted
with source IP address equal to <var>external_ip</var> will
be sent using the <var>external_mac</var>.
</p>
<p>
It is an error if a NAT already exists with the same values
of <var>router</var>, <var>type</var>, <var>external_ip</var>,
and <var>logical_ip</var>, unless <code>--may-exist</code> is
specified. When <code>--may-exist</code>,
<var>logical_port</var>, and <var>external_mac</var> are all
specified, the existing values of <var>logical_port</var> and
<var>external_mac</var> are overwritten.
</p>
</dd>
<dt>[<code>--if-exists</code>] <code>lr-nat-del</code> <var>router</var> [<var>type</var> [<var>ip</var>]]</dt>
<dd>
<p>
Deletes NATs from <var>router</var>. If only <var>router</var>
is supplied, all the NATs from the logical router are
deleted. If <var>type</var> is also specified, then all the
NATs that match the <var>type</var> will be deleted from the logical
router. If all the fields are given, then a single NAT rule
that matches all the fields will be deleted. When <var>type</var>
is <code>snat</code>, the <var>ip</var> should be logical_ip.
When <var>type</var> is <code>dnat</code> or
<code>dnat_and_snat</code>, the <var>ip</var> shoud be external_ip.
</p>
<p>
It is an error if <var>ip</var> is specified and there
is no matching NAT entry, unless <code>--if-exists</code> is
specified.
</p>
</dd>
<dt><code>lr-nat-list</code> <var>router</var></dt>
<dd>
Lists the NATs on <var>router</var>.
</dd>
</dl>
<h1>Load Balancer Commands</h1>
<dl>
<dt>[<code>--may-exist</code> | <code>--add-duplicate</code>] <code>lb-add</code> <var>lb</var> <var>vip</var> <var>ips</var> [<var>protocol</var>]</dt>
<dd>
<p>
Creates a new load balancer named <var>lb</var> with the provided
<var>vip</var> and <var>ips</var> or adds the <var>vip</var> to
an existing <var>lb</var>. <var>vip</var> should be a
virtual IPv4 address (or an IPv4 address and a port number with
<code>:</code> as a separator). Examples for <var>vip</var> are
<code>192.168.1.4</code> and <code>192.168.1.5:8080</code>.
<var>ips</var> should be comma separated IPv4 endpoints (or comma
separated IPv4 addresses and port numbers with <code>:</code> as a
separator). Examples for <var>ips</var> are <code>10.0.0.1,10.0.0.2
</code>or <code>20.0.0.10:8800,20.0.0.11:8800</code>.
</p>
<p>
The optional argument <var>protocol</var> must be either
<code>tcp</code> or <code>udp</code>. This argument is useful when
a port number is provided as part of the <var>vip</var>. If the
<var>protocol</var> is unspecified and a port number is provided as
part of the <var>vip</var>, OVN assumes the <var>protocol</var> to
be <code>tcp</code>.
</p>
<p>
It is an error if the <var>vip</var> already exists in the load
balancer named <var>lb</var>, unless <code>--may-exist</code> is
specified. With <code>--add-duplicate</code>, the command really
creates a new load balancer with a duplicate name.
</p>
<p>
The following example adds a load balancer.
</p>
<p>
<code>lb-add lb0 30.0.0.10:80
192.168.10.10:80,192.168.10.20:80,192.168.10.30:80 udp</code>
</p>
</dd>
<dt>[<code>--if-exists</code>] <code>lb-del</code> <var>lb</var> [<var>vip</var>]</dt>
<dd>
Deletes <var>lb</var> or the <var>vip</var> from <var>lb</var>.
If <var>vip</var> is supplied, only the <var>vip</var> will be
deleted from the <var>lb</var>. If only the <var>lb</var> is supplied,
the <var>lb</var> will be deleted. It is an error if <var>vip</var>
does not already exist in <var>lb</var>, unless
<code>--if-exists</code> is specified.
</dd>
<dt><code>lb-list</code> [<var>lb</var>]</dt>
<dd>
Lists the LBs. If <var>lb</var> is also specified, then only the
specified <var>lb</var> will be listed.
</dd>
<dt>[<code>--may-exist</code>] <code>ls-lb-add</code> <var>switch</var> <var>lb</var></dt>
<dd>
Adds the specified <var>lb</var> to <var>switch</var>.
It is an error if a load balancer named <var>lb</var> already exists
in the <var>switch</var>, unless <code>--may-exist</code> is specified.
</dd>
<dt>[<code>--if-exists</code>] <code>ls-lb-del</code> <var>switch</var> [<var>lb</var>]</dt>
<dd>
Removes <var>lb</var> from <var>switch</var>. If only
<var>switch</var> is supplied, all the LBs from the logical switch are
removed. If <var>lb</var> is also specified, then only the
<var>lb</var> will be removed from the logical switch.
It is an error if <var>lb</var> does not exist in the
<var>switch</var>, unless <code>--if-exists</code> is specified.
</dd>
<dt><code>ls-lb-list</code> <var>switch</var></dt>
<dd>
Lists the LBs for the given <var>switch</var>.
</dd>
<dt>[<code>--may-exist</code>] <code>lr-lb-add</code> <var>router</var> <var>lb</var></dt>
<dd>
Adds the specified <var>lb</var> to <var>router</var>.
It is an error if a load balancer named <var>lb</var> already exists
in the <var>router</var>, unless <code>--may-exist</code> is specified.
</dd>
<dt>[<code>--if-exists</code>] <code>lr-lb-del</code> <var>router</var> [<var>lb</var>]</dt>
<dd>
Removes <var>lb</var> from <var>router</var>. If only
<var>router</var> is supplied, all the LBs from the logical router are
removed. If <var>lb</var> is also specified, then only the
<var>lb</var> will be removed from the logical router.
It is an error if <var>lb</var> does not exist in the
<var>router</var>, unless <code>--if-exists</code> is specified.
</dd>
<dt><code>lr-lb-list</code> <var>router</var></dt>
<dd>
Lists the LBs for the given <var>router</var>.
</dd>
</dl>
<h1>DHCP Options commands</h1>
<dl>
<dt><code>dhcp-options-create</code> <var>cidr</var> [<var>key=value</var>]</dt>
<dd>
Creates a new DHCP Options entry in the <code>DHCP_Options</code> table
with the specified <code>cidr</code> and optional <code>external-ids</code>.
</dd>
<dt><code>dhcp-options-list</code></dt>
<dd>
Lists the DHCP Options entries.
</dd>
<dt><code>dhcp-options-del</code> <var>dhcp-option</var></dt>
<dd>
Deletes the DHCP Options entry referred by <var>dhcp-option</var> UUID.
</dd>
<dt><code>dhcp-options-set-options</code> <var>dhcp-option</var> [<var>key=value</var>]...</dt>
<dd>
Set the DHCP Options for the <var>dhcp-option</var> UUID.
</dd>
<dt><code>dhcp-options-get-options</code> <var>dhcp-option</var></dt>
<dd>
Lists the DHCP Options for the <var>dhcp-option</var> UUID.
</dd>
</dl>
<h1>Database Commands</h1>
<p>These commands query and modify the contents of <code>ovsdb</code> tables.
They are a slight abstraction of the <code>ovsdb</code> interface and
as suchthey operate at a lower level than other <code>ovn-nbctl</code> commands.</p>
<p><var>Identifying Tables, Records, and Columns</var></p>
<p>Each of these commands has a <var>table</var> parameter to identify a table
within the database. Many of them also take a <var>record</var> parameter
that identifies a particular record within a table. The <var>record</var>
parameter may be the UUID for a record, and many tables offer
additional ways to identify records. Some commands also take
<var>column</var> parameters that identify a particular field within the
records in a table.</p>
<p>The following tables are currently defined:</p>
<dl>
<dt><code>Logical_Switch</code></dt>
<dd>
An L2 logical switch. Records may be identified by name.
</dd>
<dt><code>Logical_Switch_Port</code></dt>
<dd>
A port within an L2 logical switch. Records may be identified by name.
</dd>
<dt><code>ACL</code></dt>
<dd>
An ACL rule for a logical switch that points to it through its <var>acls</var> column.
</dd>
<dt><code>Logical_Router</code></dt>
<dd>
An L3 logical router. Records may be identified by name.
</dd>
<dt><code>Logical_Router_Port</code></dt>
<dd>
A port within an L3 logical router. Records may be identified by name.
</dd>
<dt><code>Logical_Router_Static_Route</code></dt>
<dd>
A static route belonging to an L3 logical router.
</dd>
<dt><code>Address_Set</code></dt>
<dd>
An address set that can be used in ACLs.
</dd>
<dt><code>Load_Balancer</code></dt>
<dd>
A load balancer for a logical switch that points to it through its <var>load_balancer</var> column.
</dd>
<dt><code>NAT</code></dt>
<dd>
A NAT rule for a Gateway router.
</dd>
<dt><code>DHCP_Options</code></dt>
<dd>
DHCP options.
</dd>
<dt><code>NB_Global</code></dt>
<dd>
North bound global configurations.
</dd>
</dl>
<xi:include href="lib/db-ctl-base.xml" xmlns:xi="http://www.w3.org/2003/XInclude"/>
<h1>Synchronization Commands</h1>
<dl>
<dt>sync</dt>
<dd>
Ordinarily, <code>--wait=sb</code> or <code>--wait=hv</code> only waits
for changes by the current <code>ovn-nbctl</code> invocation to take
effect. This means that, if none of the commands supplied to
<code>ovn-nbctl</code> change the database, then the command does not
wait at all. With the <code>sync</code> command, however,
<code>ovn-nbctl</code> waits even for earlier changes to the database
to propagate down to the southbound database or all of the OVN chassis,
according to the argument to <code>--wait</code>.
</dd>
</dl>
<h1>Remote Connectivity Commands</h1>
<dl>
<dt><code>get-connection</code></dt>
<dd>
Prints the configured connection(s).
</dd>
<dt><code>del-connection</code></dt>
<dd>
Deletes the configured connection(s).
</dd>
<dt><code>set-connection</code> <var>target</var>...</dt>
<dd>
Sets the configured manager target or targets.
</dd>
</dl>
<h1>SSL Configuration Commands</h1>
<dl>
<dt><code>get-ssl</code></dt>
<dd>
Prints the SSL configuration.
</dd>
<dt><code>del-ssl</code></dt>
<dd>
Deletes the current SSL configuration.
</dd>
<dt>[<code>--bootstrap</code>] <code>set-ssl</code> <var>private-key</var> <var>certificate</var> <var>ca-cert</var></dt>
<dd>
Sets the SSL configuration.
</dd>
</dl>
<h1>Options</h1>
<dl>
<dt><code>--no-wait</code> | <code>--wait=none</code></dt>
<dt><code>--wait=sb</code></dt>
<dt><code>--wait=hv</code></dt>
<dd>
<p>
These options control whether and how <code>ovn-nbctl</code> waits
for the OVN system to become up-to-date with changes made in an
<code>ovn-nbctl</code> invocation.
</p>
<p>
By default, or if <code>--no-wait</code> or <code>--wait=none</code>,
<code>ovn-nbctl</code> exits immediately after confirming that
changes have been committed to the northbound database, without
waiting.
</p>
<p>
With <code>--wait=sb</code>, before <code>ovn-nbctl</code> exits, it
waits for <code>ovn-northd</code> to bring the southbound database
up-to-date with the northbound database updates.
</p>
<p>
With <code>--wait=hv</code>, before <code>ovn-nbctl</code> exits, it
additionally waits for all OVN chassis (hypervisors and gateways) to
become up-to-date with the northbound database updates. (This can
become an indefinite wait if any chassis is malfunctioning.)
</p>
<p>
Ordinarily, <code>--wait=sb</code> or <code>--wait=hv</code> only
waits for changes by the current <code>ovn-nbctl</code> invocation to
take effect. This means that, if none of the commands supplied to
<code>ovn-nbctl</code> change the database, then the command does not
wait at all. Use the <code>sync</code> command to override this
behavior.
</p>
</dd>
<dt><code>--db</code> <var>database</var></dt>
<dd>
The OVSDB database remote to contact. If the <env>OVN_NB_DB</env>
environment variable is set, its value is used as the default.
Otherwise, the default is <code>unix:@RUNDIR@/db.sock</code>, but this
default is unlikely to be useful outside of single-machine OVN test
environments.
</dd>
</dl>
<h1>Logging options</h1>
<xi:include href="lib/vlog.xml" xmlns:xi="http://www.w3.org/2003/XInclude"/>
<h2>PKI Options</h2>
<p>
PKI configuration is required to use SSL for the connection to the
database.
</p>
<xi:include href="lib/ssl.xml" xmlns:xi="http://www.w3.org/2003/XInclude"/>
<xi:include href="lib/ssl-bootstrap.xml" xmlns:xi="http://www.w3.org/2003/XInclude"/>
<h2>Other Options</h2>
<xi:include href="lib/common.xml" xmlns:xi="http://www.w3.org/2003/XInclude"/>
</manpage>