+.. _opflex-agent-ovs-user-guide:
+
OpFlex agent-ovs User Guide
===========================
{
// Logging configuration
// "log": {
- // "level": "info"
+ // // Set the log level.
+ // // Possible values in descending order of verbosity:
+ // // "debug7"-"debug0", "debug" (synonym for "debug0"),
+ // // "info", "warning", "error", "fatal"
+ // // Default: "info"
+ // "level": "info"
// },
// Configuration related to the OpFlex protocol
// peers.
"peers": [
// EXAMPLE:
- {"hostname": "10.0.0.30", "port": 8009}
+ // {"hostname": "10.0.0.30", "port": 8009}
],
"ssl": {
// SSL mode. Possible values:
- // disabled: communicate without encryption
+ // disabled: communicate without encryption (default)
// encrypted: encrypt but do not verify peers
// secure: encrypt and verify peer certificates
- "mode": "disabled",
+ "mode": "encrypted",
// The path to a directory containing trusted certificate
// authority public certificates, or a file containing a
// specific CA certificate.
- "ca-store": "/etc/ssl/certs/"
+ // Default: "/etc/ssl/certs"
+ "ca-store": "/etc/ssl/certs"
},
"inspector": {
// Enable the MODB inspector service, which allows
// inspecting the state of the managed object database.
- // Default: enabled
+ // Default: true
"enabled": true,
// Listen on the specified socket for the inspector
- // Default /var/run/opflex-agent-ovs-inspect.sock
+ // Default: "/var/run/opflex-agent-ovs-inspect.sock"
"socket-name": "/var/run/opflex-agent-ovs-inspect.sock"
+ },
+
+ "notif": {
+ // Enable the agent notification service, which sends
+ // notifications to interested listeners over a UNIX
+ // socket.
+ // Default: true
+ "enabled": true,
+
+ // Listen on the specified socket for the inspector
+ // Default: "/var/run/opflex-agent-ovs-notif.sock"
+ "socket-name": "/var/run/opflex-agent-ovs-notif.sock",
+
+ // Set the socket owner user after binding if the user
+ // exists
+ // Default: do not set the owner
+ // "socket-owner": "root",
+
+ // Set the socket group after binding if the group name
+ // exists
+ // Default: do not set the group
+ "socket-group": "opflexep",
+
+ // Set the socket permissions after binding to the
+ // specified octal permissions mask
+ // Default: do not set the permissions
+ "socket-permissions": "770"
}
},
// Endpoint sources provide metadata about local endpoints
"endpoint-sources": {
// Filesystem path to monitor for endpoint information
+ // Default: no endpoint sources
"filesystem": ["/var/lib/opflex-agent-ovs/endpoints"]
},
+ // Service sources provide metadata about services that can
+ // provide functionality for local endpoints
+ "service-sources": {
+ // Filesystem path to monitor for service information
+ // Default: no service sources
+ "filesystem": ["/var/lib/opflex-agent-ovs/services"]
+ },
+
// Renderers enforce policy obtained via OpFlex.
+ // Default: no renderers
"renderers": {
// Stitched-mode renderer for interoperating with a
// hardware fabric such as ACI
// EXAMPLE:
"stitched-mode": {
- "ovs-bridge-name": "br0",
+ // "Integration" bridge used to enforce contracts and forward
+ // packets
+ "int-bridge-name": "br-int",
+
+ // "Access" bridge used to enforce access control and enforce
+ // security groups.
+ "access-bridge-name": "br-access",
// Set encapsulation type. Must set either vxlan or vlan.
"encap": {
// The name of the interface whose IP should be used
// as the source IP in encapsulated traffic.
- "uplink-iface": "eth0.4093",
+ "uplink-iface": "team0.4093",
// The vlan tag, if any, used on the uplink interface.
// Set to zero or omit if the uplink is untagged.
// Configure the virtual distributed router
"virtual-router": {
// Enable virtual distributed router. Set to true
- // to enable or false to disable. Default true.
+ // to enable or false to disable.
+ // Default: true.
"enabled": true,
// Override MAC address for virtual router.
- // Default is "00:22:bd:f8:19:ff"
+ // Default: "00:22:bd:f8:19:ff"
"mac": "00:22:bd:f8:19:ff",
// Configure IPv6-related settings for the virtual
// well as unsolicited advertisements. This
// is not required in stitched mode since the
// hardware router will send them.
- "router-advertisement": true
+ "router-advertisement": false
}
},
// Configure virtual distributed DHCP server
"virtual-dhcp": {
// Enable virtual distributed DHCP server. Set to
- // true to enable or false to disable. Default
- // true.
+ // true to enable or false to disable.
+ // Default: true
"enabled": true,
// Override MAC address for virtual dhcp server.
- // Default is "00:22:bd:f8:19:ff"
+ // Default: "00:22:bd:f8:19:ff"
"mac": "00:22:bd:f8:19:ff"
},
"endpoint-advertisements": {
- // Enable generation of periodic ARP/NDP
- // advertisements for endpoints. Default true.
- "enabled": "true"
+ // Set mode for generation of periodic ARP/NDP
+ // advertisements for endpoints. Possible values:
+ // disabled: Do not send advertisements
+ // gratuitous-unicast: Send gratuitous endpoint
+ // advertisements as unicast packets to the router
+ // mac.
+ // gratuitous-broadcast: Send gratuitous endpoint
+ // advertisements as broadcast packets.
+ // router-request: Unicast a spoofed request/solicitation
+ // for the subnet's gateway router.
+ // Default: router-request.
+ "mode": "gratuitous-broadcast"
}
},
// Location to store cached IDs for managing flow state
- "flowid-cache-dir": "/var/lib/opflex-agent-ovs/ids"
+ // Default: "/var/lib/opflex-agent-ovs/ids"
+ "flowid-cache-dir": "/var/lib/opflex-agent-ovs/ids",
+
+ // Location to write multicast groups for the mcast-daemon
+ // Default: "/var/lib/opflex-agent-ovs/mcast/opflex-groups.json"
+ "mcast-group-file": "/var/lib/opflex-agent-ovs/mcast/opflex-groups.json"
}
}
}
::
# gbp_inspect -h
- Usage: ./gbp_inspect [options]
+ Usage: gbp_inspect [options]
Allowed options:
-h [ --help ] Print this help message
--log arg Log to the specified file (default
standard out)
--level arg (=warning) Use the specified log level (default
- info)
+ warning)
--syslog Log to syslog instead of file or
standard out
- --socket arg (=/usr/local/var/run/opflex-agent-ovs-inspect.sock)
+ --socket arg (=/usr/var/run/opflex-agent-ovs-inspect.sock)
Connect to the specified UNIX domain
- socket (default /usr/local/var/run/opfl
+ socket (default /usr/var/run/opfl
ex-agent-ovs-inspect.sock)
-q [ --query ] arg Query for a specific object with
subjectname,uri or all objects of a
file into the MODB view
-o [ --output ] arg Output the results to the specified
file (default standard out)
- -t [ --type ] arg (=tree) Specify the output format: tree, list,
- or dump (default tree)
+ -t [ --type ] arg (=tree) Specify the output format: tree,
+ asciitree, list, or dump (default tree)
-p [ --props ] Include object properties in output
Here are some examples of the ways to use this tool.
::
# gbp_inspect -q DmtreeRoot
- --* DmtreeRoot,/
+ ───⦁ DmtreeRoot,/
# gbp_inspect -q GbpEpGroup
- --* GbpEpGroup,/PolicyUniverse/PolicySpace/common/GbpEpGroup/nat-epg/
- --* GbpEpGroup,/PolicyUniverse/PolicySpace/test/GbpEpGroup/group1/
+ ───⦁ GbpEpGroup,/PolicyUniverse/PolicySpace/test/GbpEpGroup/group1/
+ ───⦁ GbpEpGroup,/PolicyUniverse/PolicySpace/common/GbpEpGroup/nat-epg/
# gbp_inspect -q GbpEpGroup,/PolicyUniverse/PolicySpace/common/GbpEpGroup/nat-epg/
- --* GbpEpGroup,/PolicyUniverse/PolicySpace/common/GbpEpGroup/nat-epg/
+ ───⦁ GbpEpGroup,/PolicyUniverse/PolicySpace/common/GbpEpGroup/nat-epg/
You can also display all the properties for each object:
::
# gbp_inspect -p -q GbpeL24Classifier
- --* GbpeL24Classifier,/PolicyUniverse/PolicySpace/test/GbpeL24Classifier/classifier4/
- {
- connectionTracking : 1 (reflexive)
- dFromPort : 80
- dToPort : 80
- etherT : 2048 (ipv4)
- name : classifier4
- prot : 6
- }
- --* GbpeL24Classifier,/PolicyUniverse/PolicySpace/test/GbpeL24Classifier/classifier3/
- {
- etherT : 34525 (ipv6)
- name : classifier3
- order : 100
- prot : 58
- }
- --* GbpeL24Classifier,/PolicyUniverse/PolicySpace/test/GbpeL24Classifier/classifier2/
- {
- etherT : 2048 (ipv4)
- name : classifier2
- order : 101
- prot : 1
- }
+ ───⦁ GbpeL24Classifier,/PolicyUniverse/PolicySpace/test/GbpeL24Classifier/classifier4/
+ {
+ connectionTracking : 1 (reflexive)
+ dFromPort : 80
+ dToPort : 80
+ etherT : 2048 (ipv4)
+ name : classifier4
+ prot : 6
+ }
+ ───⦁ GbpeL24Classifier,/PolicyUniverse/PolicySpace/test/GbpeL24Classifier/classifier3/
+ {
+ etherT : 34525 (ipv6)
+ name : classifier3
+ order : 100
+ prot : 58
+ }
+ ───⦁ GbpeL24Classifier,/PolicyUniverse/PolicySpace/test/GbpeL24Classifier/classifier1/
+ {
+ etherT : 2054 (arp)
+ name : classifier1
+ order : 102
+ }
+ ───⦁ GbpeL24Classifier,/PolicyUniverse/PolicySpace/test/GbpeL24Classifier/classifier2/
+ {
+ etherT : 2048 (ipv4)
+ name : classifier2
+ order : 101
+ prot : 1
+ }
You can also request to get the all the children of an object you query
for:
::
# gbp_inspect -r -q GbpEpGroup,/PolicyUniverse/PolicySpace/common/GbpEpGroup/nat-epg/
- --* GbpEpGroup,/PolicyUniverse/PolicySpace/common/GbpEpGroup/nat-epg/
- |-* GbpeInstContext,/PolicyUniverse/PolicySpace/common/GbpEpGroup/nat-epg/GbpeInstContext/
- `-* GbpEpGroupToNetworkRSrc,/PolicyUniverse/PolicySpace/common/GbpEpGroup/nat-epg/GbpEpGroupToNetworkRSrc/
+ ──┬⦁ GbpEpGroup,/PolicyUniverse/PolicySpace/common/GbpEpGroup/nat-epg/
+ ├──⦁ GbpeInstContext,/PolicyUniverse/PolicySpace/common/GbpEpGroup/nat-epg/GbpeInstContext/
+ ╰──⦁ GbpEpGroupToNetworkRSrc,/PolicyUniverse/PolicySpace/common/GbpEpGroup/nat-epg/GbpEpGroupToNetworkRSrc/
You can also follow references found in any object downloads:
::
# gbp_inspect -fr -q GbpEpGroup,/PolicyUniverse/PolicySpace/common/GbpEpGroup/nat-epg/
- --* GbpEpGroup,/PolicyUniverse/PolicySpace/common/GbpEpGroup/nat-epg/
- |-* GbpeInstContext,/PolicyUniverse/PolicySpace/common/GbpEpGroup/nat-epg/GbpeInstContext/
- `-* GbpEpGroupToNetworkRSrc,/PolicyUniverse/PolicySpace/common/GbpEpGroup/nat-epg/GbpEpGroupToNetworkRSrc/
- --* GbpFloodDomain,/PolicyUniverse/PolicySpace/common/GbpFloodDomain/fd_ext/
- `-* GbpFloodDomainToNetworkRSrc,/PolicyUniverse/PolicySpace/common/GbpFloodDomain/fd_ext/GbpFloodDomainToNetworkRSrc/
- --* GbpBridgeDomain,/PolicyUniverse/PolicySpace/common/GbpBridgeDomain/bd_ext/
- `-* GbpBridgeDomainToNetworkRSrc,/PolicyUniverse/PolicySpace/common/GbpBridgeDomain/bd_ext/GbpBridgeDomainToNetworkRSrc/
- --* GbpRoutingDomain,/PolicyUniverse/PolicySpace/common/GbpRoutingDomain/rd_ext/
- |-* GbpRoutingDomainToIntSubnetsRSrc,/PolicyUniverse/PolicySpace/common/GbpRoutingDomain/rd_ext/GbpRoutingDomainToIntSubnetsRSrc/122/%2fPolicyUniverse%2fPolicySpace%2fcommon%2fGbpSubnets%2fsubnets_ext%2f/
- `-* GbpForwardingBehavioralGroupToSubnetsRSrc,/PolicyUniverse/PolicySpace/common/GbpRoutingDomain/rd_ext/GbpForwardingBehavioralGroupToSubnetsRSrc/
- --* GbpSubnets,/PolicyUniverse/PolicySpace/common/GbpSubnets/subnets_ext/
- |-* GbpSubnet,/PolicyUniverse/PolicySpace/common/GbpSubnets/subnets_ext/GbpSubnet/subnet_ext4/
- `-* GbpSubnet,/PolicyUniverse/PolicySpace/common/GbpSubnets/subnets_ext/GbpSubnet/subnet_ext6/
-
+ ──┬⦁ GbpEpGroup,/PolicyUniverse/PolicySpace/common/GbpEpGroup/nat-epg/
+ ├──⦁ GbpeInstContext,/PolicyUniverse/PolicySpace/common/GbpEpGroup/nat-epg/GbpeInstContext/
+ ╰──⦁ GbpEpGroupToNetworkRSrc,/PolicyUniverse/PolicySpace/common/GbpEpGroup/nat-epg/GbpEpGroupToNetworkRSrc/
+ ──┬⦁ GbpBridgeDomain,/PolicyUniverse/PolicySpace/common/GbpBridgeDomain/bd_ext/
+ ╰──⦁ GbpBridgeDomainToNetworkRSrc,/PolicyUniverse/PolicySpace/common/GbpBridgeDomain/bd_ext/GbpBridgeDomainToNetworkRSrc/
+ ──┬⦁ GbpFloodDomain,/PolicyUniverse/PolicySpace/common/GbpFloodDomain/fd_ext/
+ ╰──⦁ GbpFloodDomainToNetworkRSrc,/PolicyUniverse/PolicySpace/common/GbpFloodDomain/fd_ext/GbpFloodDomainToNetworkRSrc/
+ ──┬⦁ GbpRoutingDomain,/PolicyUniverse/PolicySpace/common/GbpRoutingDomain/rd_ext/
+ ├──⦁ GbpRoutingDomainToIntSubnetsRSrc,/PolicyUniverse/PolicySpace/common/GbpRoutingDomain/rd_ext/GbpRoutingDomainToIntSubnetsRSrc/152/%2fPolicyUniverse%2fPolicySpace%2fcommon%2fGbpSubnets%2fsubnets_ext%2f/
+ ╰──⦁ GbpForwardingBehavioralGroupToSubnetsRSrc,/PolicyUniverse/PolicySpace/common/GbpRoutingDomain/rd_ext/GbpForwardingBehavioralGroupToSubnetsRSrc/
+ ──┬⦁ GbpSubnets,/PolicyUniverse/PolicySpace/common/GbpSubnets/subnets_ext/
+ ├──⦁ GbpSubnet,/PolicyUniverse/PolicySpace/common/GbpSubnets/subnets_ext/GbpSubnet/subnet_ext4/
+ ╰──⦁ GbpSubnet,/PolicyUniverse/PolicySpace/common/GbpSubnets/subnets_ext/GbpSubnet/subnet_ext6/
Code Review / docs.git / blobdiff