dpkg -i openvswitch-common_2.5.90-1_amd64.deb
dpkg -i openvswitch-switch_2.5.90-1_amd64.deb
dpkg -i ovn-common_2.5.90-1_amd64.deb
dpkg -i ovn-central_2.5.90-1_amd64.deb
By default the OVN database files live in /etc/openvswitch. The packages above also install Open vSwitch itself (ovs-vswitchd) together with its default database, so there will be three OVSDB database files in total:
- conf.db (the Open_vSwitch database)
- ovnnb_db.db (OVN_Northbound)
- ovnsb_db.db (OVN_Southbound)
Once ovn-central is installed, an ovsdb-server instance runs for each of ovnnb_db and ovnsb_db, and the same service also runs ovn-northd. Use the following command to start or stop it:
service ovn-central start/stop
The service should produce four processes like the following. ovn-northd appears twice because --monitor runs a supervising parent that restarts the daemon if it dies; each ovsdb-server listens on a local unix socket (punix) and, via ptcp, on TCP port 6641 (northbound) or 6642 (southbound) on all interfaces:
ovsdb-server --detach -vconsole:off --log-file=/var/log/openvswitch/ovsdb-server-nb.log --remote=punix:/var/run/openvswitch/ovnnb_db.sock --remote=ptcp:6641:0.0.0.0 --pidfile=/var/run/openvswitch/ovnnb_db.pid --unixctl=ovnnb_db.ctl /etc/openvswitch/ovnnb_db.db
ovsdb-server --detach -vconsole:off --log-file=/var/log/openvswitch/ovsdb-server-sb.log --remote=punix:/var/run/openvswitch/ovnsb_db.sock --remote=ptcp:6642:0.0.0.0 --pidfile=/var/run/openvswitch/ovnsb_db.pid --unixctl=ovnsb_db.ctl /etc/openvswitch/ovnsb_db.db
ovn-northd -vconsole:emer -vsyslog:err -vfile:info --ovnnb-db=unix:/var/run/openvswitch/ovnnb_db.sock --ovnsb-db=unix:/var/run/openvswitch/ovnsb_db.sock --no-chdir --log-file=/var/log/openvswitch/ovn-northd.log --pidfile=/var/run/openvswitch/ovn-northd.pid --detach --monitor
ovn-northd -vconsole:emer -vsyslog:err -vfile:info --ovnnb-db=unix:/var/run/openvswitch/ovnnb_db.sock --ovnsb-db=unix:/var/run/openvswitch/ovnsb_db.sock --no-chdir --log-file=/var/log/openvswitch/ovn-northd.log --pidfile=/var/run/openvswitch/ovn-northd.pid --detach --monitor
Use the following commands to list the database served on each port. Note that the ptcp remotes above accept plaintext, unauthenticated connections from any address: anyone who can reach 6641 or 6642 can read and rewrite the logical network, so restrict those ports to the OVN nodes or move the remotes to pssl with certificates.
1. ovsdb-client list-dbs tcp:127.0.0.1:6641
2. ovsdb-client list-dbs tcp:127.0.0.1:6642
3. ovsdb-client list-dbs
Command #1 above shows the OVN_Northbound database and command #2 shows the OVN_Southbound database. Command #3 takes no server argument, so it connects to the default unix socket (unix:/var/run/openvswitch/db.sock) rather than a TCP port and shows the Open_vSwitch database (conf.db).
To print a database's schema, name the database explicitly and pretty-print the JSON (use tcp:127.0.0.1:6642 OVN_Southbound for the southbound schema):
ovsdb-client get-schema tcp:127.0.0.1:6641 OVN_Northbound | python -m json.tool
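The ptcp remotes in the process list above are the security-relevant detail of this setup: they accept plaintext, unauthenticated connections on every interface, and whoever can write to the northbound database controls the logical network. The script below is an added example, not code from the original post or from the OVN project. It audits the --remote= arguments of the running ovsdb-server processes and flags anything bound to the network without TLS; the ps listing it parses is constructed from the command lines shown above.

```shell
#!/bin/sh
# Added example (not from the original post): audit the --remote= listeners of the
# ovsdb-server processes that ovn-central starts. Reads `ps -eo args=`-style lines
# on stdin, one process per line, and prints a verdict per remote.
audit_ovsdb_remotes() {
    while IFS= read -r line; do
        case "$line" in
            ovsdb-server*) ;;
            *) continue ;;   # skip ovn-northd, ovs-vswitchd, ...
        esac
        db=${line##* }       # last argument: the database file being served
        for word in $line; do
            case "$word" in
                --remote=*) ;;
                *) continue ;;
            esac
            remote=${word#--remote=}
            case "$remote" in
                punix:*)          echo "OK   $db $remote (local unix socket)" ;;
                pssl:*)           echo "OK   $db $remote (TLS; clients need a cert signed by --ca-cert)" ;;
                ptcp:*:127.0.0.1) echo "OK   $db $remote (loopback only)" ;;
                ptcp:*)           echo "WARN $db $remote (plaintext, no authentication, bound to the network)" ;;
                *)                echo "INFO $db $remote" ;;
            esac
        done
    done
}

# Constructed sample input: the two ovsdb-server command lines shown above plus the
# ovn-northd line, as `ps -eo args=` would print them.
SAMPLE_PS='ovsdb-server --detach -vconsole:off --log-file=/var/log/openvswitch/ovsdb-server-nb.log --remote=punix:/var/run/openvswitch/ovnnb_db.sock --remote=ptcp:6641:0.0.0.0 --pidfile=/var/run/openvswitch/ovnnb_db.pid --unixctl=ovnnb_db.ctl /etc/openvswitch/ovnnb_db.db
ovsdb-server --detach -vconsole:off --log-file=/var/log/openvswitch/ovsdb-server-sb.log --remote=punix:/var/run/openvswitch/ovnsb_db.sock --remote=ptcp:6642:0.0.0.0 --pidfile=/var/run/openvswitch/ovnsb_db.pid --unixctl=ovnsb_db.ctl /etc/openvswitch/ovnsb_db.db
ovn-northd -vconsole:emer -vsyslog:err -vfile:info --ovnnb-db=unix:/var/run/openvswitch/ovnnb_db.sock --ovnsb-db=unix:/var/run/openvswitch/ovnsb_db.sock --no-chdir --log-file=/var/log/openvswitch/ovn-northd.log --pidfile=/var/run/openvswitch/ovn-northd.pid --detach --monitor'

# count_warnings LISTING: number of WARN verdicts for a ps listing.
count_warnings() {
    printf '%s\n' "$1" | audit_ovsdb_remotes | grep -c '^WARN' || true
}

# On a real ovn-central node: ps -eo args= | audit_ovsdb_remotes
printf '%s\n' "$SAMPLE_PS" | audit_ovsdb_remotes
```

On a live ovn-central node, pipe `ps -eo args=` into audit_ovsdb_remotes. If it warns, either restrict 6641/6642 to the OVN hosts with a firewall, or change the init script's ovsdb-server arguments to a pssl: remote with --private-key, --certificate and --ca-cert and point ovn-controller and the ovn-*ctl tools at ssl: URLs instead of tcp:.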
Install the ovn-host service on the compute node and configure it
Useful commands:
ovs-ofctl show br-int
ovs-ofctl -O OpenFlow13 dump-flows br-int
Hi Tong,
Thanks for the great post.
I am trying to experiment with stateful ACLs in a non-OpenStack, non-sandbox environment.
I have one physical host (OVS 2.6 installed) with one physical port (eth2) added to br-int. Now I want to apply ACL rules to eth2. I am following the steps below:
# ovn-nbctl ls-add sw0
# ovn-nbctl lsp-add sw0 sw0-port1
# ovn-nbctl lsp-set-addresses sw0-port1 00:00:00:00:00:01
# ovs-vsctl add-port br-int eth2 -- set Interface eth2 external_ids:iface-id=sw0-port1
# ovn-nbctl acl-add sw0 from-lport 1002 "inport == \"sw0-port1\" && ip" allow-related
# ovn-nbctl acl-add sw0 to-lport 1002 "outport == \"sw0-port1\" && ip && icmp" allow-related
# ovn-nbctl acl-add sw0 to-lport 1002 "outport == \"sw0-port1\" && ip && tcp && tcp.dst == 22" allow-related
# ovn-nbctl acl-add sw0 to-lport 1001 "outport == \"sw0-port1\" && ip" drop
I have two queries here:
1) Am I doing this right so far?
2) How do I verify whether the ACL rules are getting evaluated or not? (I was thinking of pumping UDP traffic using iperf destined for eth2, but since eth2 is attached to br-int, it doesn't have an IP.)
Please help.
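For the verification question in the comment above, and as a use of the `ovs-ofctl -O OpenFlow13 dump-flows br-int` command listed under useful commands: ovn-controller turns each ACL into OpenFlow flows in br-int, and those flows carry n_packets counters, so the simplest check is to snapshot the flow table, send the test traffic, snapshot again and see which tables' counters moved. The script below is an added example, not from the original post, the comment, or the OVN project. The two snapshots it diffs are constructed sample output; their table numbers and matches are illustrative, since the OpenFlow table a logical stage maps to depends on the ovn-controller release.

```shell
#!/bin/sh
# Added example (not from the original post or the comment): compare two snapshots of
# `ovs-ofctl -O OpenFlow13 dump-flows br-int` and report which OpenFlow tables saw
# packets in between. Identify ACL-derived flows by their ct_state / reg matches
# rather than by a hard-coded table number.

# table_packets: sum n_packets per table from dump-flows output on stdin -> "table packets"
table_packets() {
    sed -n 's/.*table=\([0-9]*\),.*n_packets=\([0-9]*\),.*/\1 \2/p' |
    awk '{ sum[$1] += $2 } END { for (t in sum) print t, sum[t] }' | sort -n
}

# packet_delta BEFORE AFTER: tables whose packet count increased, with the increase.
packet_delta() {
    {
        printf '%s\n' "$1" | table_packets | sed 's/^/B /'
        printf '%s\n' "$2" | table_packets | sed 's/^/A /'
    } | awk '$1 == "B" { b[$2] = $3 }
             $1 == "A" { a[$2] = $3 }
             END { for (t in a) if (a[t] - b[t] > 0) print t, a[t] - b[t] }' | sort -n
}

# delta_for_table BEFORE AFTER TABLE: the increase for one table (0 if unchanged).
delta_for_table() {
    packet_delta "$1" "$2" | awk -v t="$3" '$1 == t { print $2; found = 1 } END { if (!found) print 0 }'
}

# Constructed snapshots (not real output): an ingress-classification flow in table 0 and
# two ACL-derived flows sharing a later table, one from allow-related (ct commit) and
# the priority-1001 drop (OVN adds 1000 to ACL priorities in the flows it generates).
BEFORE='OFPST_FLOW reply (OF1.3) (xid=0x2):
 cookie=0x0, duration=120.1s, table=0, n_packets=40, n_bytes=3360, priority=100,in_port=1 actions=load:0x1->NXM_NX_REG13[],resubmit(,16)
 cookie=0x0, duration=120.1s, table=22, n_packets=0, n_bytes=0, priority=2002,ct_state=+new+trk,ip,reg6=0x1 actions=ct(commit,zone=NXM_NX_REG13[0..15]),resubmit(,23)
 cookie=0x0, duration=120.1s, table=22, n_packets=0, n_bytes=0, priority=2001,ip,reg6=0x1 actions=drop'
AFTER='OFPST_FLOW reply (OF1.3) (xid=0x2):
 cookie=0x0, duration=130.1s, table=0, n_packets=55, n_bytes=4620, priority=100,in_port=1 actions=load:0x1->NXM_NX_REG13[],resubmit(,16)
 cookie=0x0, duration=130.1s, table=22, n_packets=5, n_bytes=420, priority=2002,ct_state=+new+trk,ip,reg6=0x1 actions=ct(commit,zone=NXM_NX_REG13[0..15]),resubmit(,23)
 cookie=0x0, duration=130.1s, table=22, n_packets=3, n_bytes=252, priority=2001,ip,reg6=0x1 actions=drop'

# Live use on the hypervisor (requires OVS): snapshot, run the traffic generator, snapshot, diff.
live_delta() {
    b=$(ovs-ofctl -O OpenFlow13 dump-flows br-int)
    "$@"
    a=$(ovs-ofctl -O OpenFlow13 dump-flows br-int)
    packet_delta "$b" "$a"
}
# e.g. live_delta iperf -u -c 10.0.0.5 -t 3   (the target address and command are assumptions)

packet_delta "$BEFORE" "$AFTER"
```

Flows generated from allow-related ACLs match on ct_state and commit the connection to conntrack, so a rising counter on the ct(commit,...) flow together with a stable counter on the priority-1001 drop flow is what a correctly evaluated allow looks like; `ovn-sbctl lflow-list sw0` shows the same rules as logical flows in the ls_in_acl and ls_out_acl stages, which is the easiest place to confirm the ACLs were accepted before looking at OpenFlow.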