X-Git-Url: https://git.opendaylight.org/gerrit/gitweb?a=blobdiff_plain;f=docs%2Fuser-guide%2Fopflex-agent-ovs-user-guide.rst;h=d7212fc4e9f0c1d2d188ee513868cc4c92fed14e;hb=d2eb6c5b4b624257a53a3b219f749ae47fbafad9;hp=c054635529a76ab9a212f890167fa7cd80bc6b1e;hpb=9fbcc9d005dfb6faf142ec5e17c4b7f1ca4f63ca;p=docs.git diff --git a/docs/user-guide/opflex-agent-ovs-user-guide.rst b/docs/user-guide/opflex-agent-ovs-user-guide.rst index c05463552..d7212fc4e 100644 --- a/docs/user-guide/opflex-agent-ovs-user-guide.rst +++ b/docs/user-guide/opflex-agent-ovs-user-guide.rst @@ -1,3 +1,5 @@ +.. _opflex-agent-ovs-user-guide: + OpFlex agent-ovs User Guide =========================== @@ -23,7 +25,12 @@ options: { // Logging configuration // "log": { - // "level": "info" + // // Set the log level. + // // Possible values in descending order of verbosity: + // // "debug7"-"debug0", "debug" (synonym for "debug0"), + // // "info", "warning", "error", "fatal" + // // Default: "info" + // "level": "info" // }, // Configuration related to the OpFlex protocol @@ -40,47 +47,91 @@ options: // peers. "peers": [ // EXAMPLE: - {"hostname": "10.0.0.30", "port": 8009} + // {"hostname": "10.0.0.30", "port": 8009} ], "ssl": { // SSL mode. Possible values: - // disabled: communicate without encryption + // disabled: communicate without encryption (default) // encrypted: encrypt but do not verify peers // secure: encrypt and verify peer certificates - "mode": "disabled", + "mode": "encrypted", // The path to a directory containing trusted certificate // authority public certificates, or a file containing a // specific CA certificate. - "ca-store": "/etc/ssl/certs/" + // Default: "/etc/ssl/certs" + "ca-store": "/etc/ssl/certs" }, "inspector": { // Enable the MODB inspector service, which allows // inspecting the state of the managed object database. - // Default: enabled + // Default: true "enabled": true, // Listen on the specified socket for the inspector - // Default /var/run/opflex-agent-ovs-inspect.sock + // Default: "/var/run/opflex-agent-ovs-inspect.sock" "socket-name": "/var/run/opflex-agent-ovs-inspect.sock" + }, + + "notif": { + // Enable the agent notification service, which sends + // notifications to interested listeners over a UNIX + // socket. + // Default: true + "enabled": true, + + // Listen on the specified socket for the inspector + // Default: "/var/run/opflex-agent-ovs-notif.sock" + "socket-name": "/var/run/opflex-agent-ovs-notif.sock", + + // Set the socket owner user after binding if the user + // exists + // Default: do not set the owner + // "socket-owner": "root", + + // Set the socket group after binding if the group name + // exists + // Default: do not set the group + "socket-group": "opflexep", + + // Set the socket permissions after binding to the + // specified octal permissions mask + // Default: do not set the permissions + "socket-permissions": "770" } }, // Endpoint sources provide metadata about local endpoints "endpoint-sources": { // Filesystem path to monitor for endpoint information + // Default: no endpoint sources "filesystem": ["/var/lib/opflex-agent-ovs/endpoints"] }, + // Service sources provide metadata about services that can + // provide functionality for local endpoints + "service-sources": { + // Filesystem path to monitor for service information + // Default: no service sources + "filesystem": ["/var/lib/opflex-agent-ovs/services"] + }, + // Renderers enforce policy obtained via OpFlex. + // Default: no renderers "renderers": { // Stitched-mode renderer for interoperating with a // hardware fabric such as ACI // EXAMPLE: "stitched-mode": { - "ovs-bridge-name": "br0", + // "Integration" bridge used to enforce contracts and forward + // packets + "int-bridge-name": "br-int", + + // "Access" bridge used to enforce access control and enforce + // security groups. + "access-bridge-name": "br-access", // Set encapsulation type. Must set either vxlan or vlan. "encap": { @@ -91,7 +142,7 @@ options: // The name of the interface whose IP should be used // as the source IP in encapsulated traffic. - "uplink-iface": "eth0.4093", + "uplink-iface": "team0.4093", // The vlan tag, if any, used on the uplink interface. // Set to zero or omit if the uplink is untagged. @@ -121,11 +172,12 @@ options: // Configure the virtual distributed router "virtual-router": { // Enable virtual distributed router. Set to true - // to enable or false to disable. Default true. + // to enable or false to disable. + // Default: true. "enabled": true, // Override MAC address for virtual router. - // Default is "00:22:bd:f8:19:ff" + // Default: "00:22:bd:f8:19:ff" "mac": "00:22:bd:f8:19:ff", // Configure IPv6-related settings for the virtual @@ -136,31 +188,45 @@ options: // well as unsolicited advertisements. This // is not required in stitched mode since the // hardware router will send them. - "router-advertisement": true + "router-advertisement": false } }, // Configure virtual distributed DHCP server "virtual-dhcp": { // Enable virtual distributed DHCP server. Set to - // true to enable or false to disable. Default - // true. + // true to enable or false to disable. + // Default: true "enabled": true, // Override MAC address for virtual dhcp server. - // Default is "00:22:bd:f8:19:ff" + // Default: "00:22:bd:f8:19:ff" "mac": "00:22:bd:f8:19:ff" }, "endpoint-advertisements": { - // Enable generation of periodic ARP/NDP - // advertisements for endpoints. Default true. - "enabled": "true" + // Set mode for generation of periodic ARP/NDP + // advertisements for endpoints. Possible values: + // disabled: Do not send advertisements + // gratuitous-unicast: Send gratuitous endpoint + // advertisements as unicast packets to the router + // mac. + // gratuitous-broadcast: Send gratuitous endpoint + // advertisements as broadcast packets. + // router-request: Unicast a spoofed request/solicitation + // for the subnet's gateway router. + // Default: router-request. + "mode": "gratuitous-broadcast" } }, // Location to store cached IDs for managing flow state - "flowid-cache-dir": "/var/lib/opflex-agent-ovs/ids" + // Default: "/var/lib/opflex-agent-ovs/ids" + "flowid-cache-dir": "/var/lib/opflex-agent-ovs/ids", + + // Location to write multicast groups for the mcast-daemon + // Default: "/var/lib/opflex-agent-ovs/mcast/opflex-groups.json" + "mcast-group-file": "/var/lib/opflex-agent-ovs/mcast/opflex-groups.json" } } } @@ -318,18 +384,18 @@ The command is called "gbp\_inspect" and takes the following arguments: :: # gbp_inspect -h - Usage: ./gbp_inspect [options] + Usage: gbp_inspect [options] Allowed options: -h [ --help ] Print this help message --log arg Log to the specified file (default standard out) --level arg (=warning) Use the specified log level (default - info) + warning) --syslog Log to syslog instead of file or standard out - --socket arg (=/usr/local/var/run/opflex-agent-ovs-inspect.sock) + --socket arg (=/usr/var/run/opflex-agent-ovs-inspect.sock) Connect to the specified UNIX domain - socket (default /usr/local/var/run/opfl + socket (default /usr/var/run/opfl ex-agent-ovs-inspect.sock) -q [ --query ] arg Query for a specific object with subjectname,uri or all objects of a @@ -341,8 +407,8 @@ The command is called "gbp\_inspect" and takes the following arguments: file into the MODB view -o [ --output ] arg Output the results to the specified file (default standard out) - -t [ --type ] arg (=tree) Specify the output format: tree, list, - or dump (default tree) + -t [ --type ] arg (=tree) Specify the output format: tree, + asciitree, list, or dump (default tree) -p [ --props ] Include object properties in output Here are some examples of the ways to use this tool. @@ -355,41 +421,47 @@ nonrecursively: :: # gbp_inspect -q DmtreeRoot - --* DmtreeRoot,/ + ───⦁ DmtreeRoot,/ # gbp_inspect -q GbpEpGroup - --* GbpEpGroup,/PolicyUniverse/PolicySpace/common/GbpEpGroup/nat-epg/ - --* GbpEpGroup,/PolicyUniverse/PolicySpace/test/GbpEpGroup/group1/ + ───⦁ GbpEpGroup,/PolicyUniverse/PolicySpace/test/GbpEpGroup/group1/ + ───⦁ GbpEpGroup,/PolicyUniverse/PolicySpace/common/GbpEpGroup/nat-epg/ # gbp_inspect -q GbpEpGroup,/PolicyUniverse/PolicySpace/common/GbpEpGroup/nat-epg/ - --* GbpEpGroup,/PolicyUniverse/PolicySpace/common/GbpEpGroup/nat-epg/ + ───⦁ GbpEpGroup,/PolicyUniverse/PolicySpace/common/GbpEpGroup/nat-epg/ You can also display all the properties for each object: :: # gbp_inspect -p -q GbpeL24Classifier - --* GbpeL24Classifier,/PolicyUniverse/PolicySpace/test/GbpeL24Classifier/classifier4/ - { - connectionTracking : 1 (reflexive) - dFromPort : 80 - dToPort : 80 - etherT : 2048 (ipv4) - name : classifier4 - prot : 6 - } - --* GbpeL24Classifier,/PolicyUniverse/PolicySpace/test/GbpeL24Classifier/classifier3/ - { - etherT : 34525 (ipv6) - name : classifier3 - order : 100 - prot : 58 - } - --* GbpeL24Classifier,/PolicyUniverse/PolicySpace/test/GbpeL24Classifier/classifier2/ - { - etherT : 2048 (ipv4) - name : classifier2 - order : 101 - prot : 1 - } + ───⦁ GbpeL24Classifier,/PolicyUniverse/PolicySpace/test/GbpeL24Classifier/classifier4/ + { + connectionTracking : 1 (reflexive) + dFromPort : 80 + dToPort : 80 + etherT : 2048 (ipv4) + name : classifier4 + prot : 6 + } + ───⦁ GbpeL24Classifier,/PolicyUniverse/PolicySpace/test/GbpeL24Classifier/classifier3/ + { + etherT : 34525 (ipv6) + name : classifier3 + order : 100 + prot : 58 + } + ───⦁ GbpeL24Classifier,/PolicyUniverse/PolicySpace/test/GbpeL24Classifier/classifier1/ + { + etherT : 2054 (arp) + name : classifier1 + order : 102 + } + ───⦁ GbpeL24Classifier,/PolicyUniverse/PolicySpace/test/GbpeL24Classifier/classifier2/ + { + etherT : 2048 (ipv4) + name : classifier2 + order : 101 + prot : 1 + } You can also request to get the all the children of an object you query for: @@ -397,26 +469,25 @@ for: :: # gbp_inspect -r -q GbpEpGroup,/PolicyUniverse/PolicySpace/common/GbpEpGroup/nat-epg/ - --* GbpEpGroup,/PolicyUniverse/PolicySpace/common/GbpEpGroup/nat-epg/ - |-* GbpeInstContext,/PolicyUniverse/PolicySpace/common/GbpEpGroup/nat-epg/GbpeInstContext/ - `-* GbpEpGroupToNetworkRSrc,/PolicyUniverse/PolicySpace/common/GbpEpGroup/nat-epg/GbpEpGroupToNetworkRSrc/ + ──┬⦁ GbpEpGroup,/PolicyUniverse/PolicySpace/common/GbpEpGroup/nat-epg/ + ├──⦁ GbpeInstContext,/PolicyUniverse/PolicySpace/common/GbpEpGroup/nat-epg/GbpeInstContext/ + ╰──⦁ GbpEpGroupToNetworkRSrc,/PolicyUniverse/PolicySpace/common/GbpEpGroup/nat-epg/GbpEpGroupToNetworkRSrc/ You can also follow references found in any object downloads: :: # gbp_inspect -fr -q GbpEpGroup,/PolicyUniverse/PolicySpace/common/GbpEpGroup/nat-epg/ - --* GbpEpGroup,/PolicyUniverse/PolicySpace/common/GbpEpGroup/nat-epg/ - |-* GbpeInstContext,/PolicyUniverse/PolicySpace/common/GbpEpGroup/nat-epg/GbpeInstContext/ - `-* GbpEpGroupToNetworkRSrc,/PolicyUniverse/PolicySpace/common/GbpEpGroup/nat-epg/GbpEpGroupToNetworkRSrc/ - --* GbpFloodDomain,/PolicyUniverse/PolicySpace/common/GbpFloodDomain/fd_ext/ - `-* GbpFloodDomainToNetworkRSrc,/PolicyUniverse/PolicySpace/common/GbpFloodDomain/fd_ext/GbpFloodDomainToNetworkRSrc/ - --* GbpBridgeDomain,/PolicyUniverse/PolicySpace/common/GbpBridgeDomain/bd_ext/ - `-* GbpBridgeDomainToNetworkRSrc,/PolicyUniverse/PolicySpace/common/GbpBridgeDomain/bd_ext/GbpBridgeDomainToNetworkRSrc/ - --* GbpRoutingDomain,/PolicyUniverse/PolicySpace/common/GbpRoutingDomain/rd_ext/ - |-* GbpRoutingDomainToIntSubnetsRSrc,/PolicyUniverse/PolicySpace/common/GbpRoutingDomain/rd_ext/GbpRoutingDomainToIntSubnetsRSrc/122/%2fPolicyUniverse%2fPolicySpace%2fcommon%2fGbpSubnets%2fsubnets_ext%2f/ - `-* GbpForwardingBehavioralGroupToSubnetsRSrc,/PolicyUniverse/PolicySpace/common/GbpRoutingDomain/rd_ext/GbpForwardingBehavioralGroupToSubnetsRSrc/ - --* GbpSubnets,/PolicyUniverse/PolicySpace/common/GbpSubnets/subnets_ext/ - |-* GbpSubnet,/PolicyUniverse/PolicySpace/common/GbpSubnets/subnets_ext/GbpSubnet/subnet_ext4/ - `-* GbpSubnet,/PolicyUniverse/PolicySpace/common/GbpSubnets/subnets_ext/GbpSubnet/subnet_ext6/ - + ──┬⦁ GbpEpGroup,/PolicyUniverse/PolicySpace/common/GbpEpGroup/nat-epg/ + ├──⦁ GbpeInstContext,/PolicyUniverse/PolicySpace/common/GbpEpGroup/nat-epg/GbpeInstContext/ + ╰──⦁ GbpEpGroupToNetworkRSrc,/PolicyUniverse/PolicySpace/common/GbpEpGroup/nat-epg/GbpEpGroupToNetworkRSrc/ + ──┬⦁ GbpBridgeDomain,/PolicyUniverse/PolicySpace/common/GbpBridgeDomain/bd_ext/ + ╰──⦁ GbpBridgeDomainToNetworkRSrc,/PolicyUniverse/PolicySpace/common/GbpBridgeDomain/bd_ext/GbpBridgeDomainToNetworkRSrc/ + ──┬⦁ GbpFloodDomain,/PolicyUniverse/PolicySpace/common/GbpFloodDomain/fd_ext/ + ╰──⦁ GbpFloodDomainToNetworkRSrc,/PolicyUniverse/PolicySpace/common/GbpFloodDomain/fd_ext/GbpFloodDomainToNetworkRSrc/ + ──┬⦁ GbpRoutingDomain,/PolicyUniverse/PolicySpace/common/GbpRoutingDomain/rd_ext/ + ├──⦁ GbpRoutingDomainToIntSubnetsRSrc,/PolicyUniverse/PolicySpace/common/GbpRoutingDomain/rd_ext/GbpRoutingDomainToIntSubnetsRSrc/152/%2fPolicyUniverse%2fPolicySpace%2fcommon%2fGbpSubnets%2fsubnets_ext%2f/ + ╰──⦁ GbpForwardingBehavioralGroupToSubnetsRSrc,/PolicyUniverse/PolicySpace/common/GbpRoutingDomain/rd_ext/GbpForwardingBehavioralGroupToSubnetsRSrc/ + ──┬⦁ GbpSubnets,/PolicyUniverse/PolicySpace/common/GbpSubnets/subnets_ext/ + ├──⦁ GbpSubnet,/PolicyUniverse/PolicySpace/common/GbpSubnets/subnets_ext/GbpSubnet/subnet_ext4/ + ╰──⦁ GbpSubnet,/PolicyUniverse/PolicySpace/common/GbpSubnets/subnets_ext/GbpSubnet/subnet_ext6/