agent-ovs is a policy agent that works with OVS to enforce a group-based policy networking model with locally attached virtual machines or containers. The policy agent is designed to work well with orchestration tools like OpenStack.
The agent configuration is handled using its config file, which by default is found at "/etc/opflex-agent-ovs/opflex-agent-ovs.conf".
Here is an example configuration file that documents the available options:
{
    // Logging configuration
    // "log": {
    //     "level": "info"
    // },

    // Configuration related to the OpFlex protocol
    "opflex": {
        // The policy domain for this agent.
        "domain": "openstack",

        // The unique name in the policy domain for this agent.
        "name": "example-agent",

        // a list of peers to connect to, by hostname and port. One
        // peer, or an anycast pseudo-peer, is sufficient to bootstrap
        // the connection without needing an exhaustive list of all
        // peers.
        "peers": [
            // EXAMPLE:
            {"hostname": "10.0.0.30", "port": 8009}
        ],

        "ssl": {
            // SSL mode. Possible values:
            // disabled: communicate without encryption
            // encrypted: encrypt but do not verify peers
            // secure: encrypt and verify peer certificates
            "mode": "disabled",

            // The path to a directory containing trusted certificate
            // authority public certificates, or a file containing a
            // specific CA certificate.
            "ca-store": "/etc/ssl/certs/"
        },

        "inspector": {
            // Enable the MODB inspector service, which allows
            // inspecting the state of the managed object database.
            // Default: enabled
            "enabled": true,

            // Listen on the specified socket for the inspector
            // Default /var/run/opflex-agent-ovs-inspect.sock
            "socket-name": "/var/run/opflex-agent-ovs-inspect.sock"
        }
    },

    // Endpoint sources provide metadata about local endpoints
    "endpoint-sources": {
        // Filesystem path to monitor for endpoint information
        "filesystem": ["/var/lib/opflex-agent-ovs/endpoints"]
    },

    // Renderers enforce policy obtained via OpFlex.
    "renderers": {
        // Stitched-mode renderer for interoperating with a
        // hardware fabric such as ACI
        // EXAMPLE:
        "stitched-mode": {
            "ovs-bridge-name": "br0",

            // Set encapsulation type. Must set either vxlan or vlan.
            "encap": {
                // Encapsulate traffic with VXLAN.
                "vxlan" : {
                    // The name of the tunnel interface in OVS
                    "encap-iface": "br0_vxlan0",

                    // The name of the interface whose IP should be used
                    // as the source IP in encapsulated traffic.
                    "uplink-iface": "eth0.4093",

                    // The vlan tag, if any, used on the uplink interface.
                    // Set to zero or omit if the uplink is untagged.
                    "uplink-vlan": 4093,

                    // The IP address used for the destination IP in
                    // the encapsulated traffic. This should be an
                    // anycast IP address understood by the upstream
                    // stitched-mode fabric.
                    "remote-ip": "10.0.0.32",

                    // UDP port number of the encapsulated traffic.
                    "remote-port": 8472
                }

                // Encapsulate traffic with a locally-significant VLAN
                // tag
                // EXAMPLE:
                // "vlan" : {
                //     // The name of the uplink interface in OVS
                //     "encap-iface": "team0"
                // }
            },

            // Configure forwarding policy
            "forwarding": {
                // Configure the virtual distributed router
                "virtual-router": {
                    // Enable virtual distributed router. Set to true
                    // to enable or false to disable. Default true.
                    "enabled": true,

                    // Override MAC address for virtual router.
                    // Default is "00:22:bd:f8:19:ff"
                    "mac": "00:22:bd:f8:19:ff",

                    // Configure IPv6-related settings for the virtual
                    // router
                    "ipv6" : {
                        // Send router advertisement messages in
                        // response to router solicitation requests as
                        // well as unsolicited advertisements. This
                        // is not required in stitched mode since the
                        // hardware router will send them.
                        "router-advertisement": true
                    }
                },

                // Configure virtual distributed DHCP server
                "virtual-dhcp": {
                    // Enable virtual distributed DHCP server. Set to
                    // true to enable or false to disable. Default
                    // true.
                    "enabled": true,

                    // Override MAC address for virtual dhcp server.
                    // Default is "00:22:bd:f8:19:ff"
                    "mac": "00:22:bd:f8:19:ff"
                },

                "endpoint-advertisements": {
                    // Enable generation of periodic ARP/NDP
                    // advertisements for endpoints. Default true.
                    "enabled": "true"
                }
            },

            // Location to store cached IDs for managing flow state
            "flowid-cache-dir": "/var/lib/opflex-agent-ovs/ids"
        }
    }
}
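As an added check that is not part of agent-ovs or its documentation, the following Python reads a config file in the commented-JSON form shown above and reports the settings a reviewer would want to look at first, above all an ssl.mode that leaves the OpFlex exchange unencrypted or unverified. The sample config, the function names and the wording of the findings are constructed for this example.

```python
import json
import re

# Constructed sample in the shape of opflex-agent-ovs.conf above. The agent's
# config format allows // line comments, which plain json.loads() rejects.
SAMPLE_CONF = r'''
{
    // Configuration related to the OpFlex protocol
    "opflex": {
        "domain": "openstack",
        "name": "example-agent",
        "peers": [ {"hostname": "10.0.0.30", "port": 8009} ],
        "ssl": { "mode": "disabled", "ca-store": "/etc/ssl/certs/" },
        "inspector": { "enabled": true,
                       "socket-name": "/var/run/opflex-agent-ovs-inspect.sock" }
    }
}
'''

# Matches either a JSON string or a // comment. A string is tried first at the
# same position, so a "//" inside a value (e.g. a URL) is not taken as a comment.
_STRING_OR_COMMENT = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*')

def strip_comments(text):
    """Drop // comments from the agent's commented-JSON config."""
    return _STRING_OR_COMMENT.sub(
        lambda m: m.group(0) if m.group(0).startswith('"') else "", text)

def audit_opflex_config(text):
    """Return review findings for the "opflex" section, most important first."""
    opflex = json.loads(strip_comments(text)).get("opflex") or {}
    findings = []
    mode = (opflex.get("ssl") or {}).get("mode")
    # Per the config comments: disabled = no encryption, encrypted = no peer
    # verification; only "secure" gives both.
    if mode != "secure":
        findings.append('ssl.mode=%s: only "secure" encrypts and verifies peers' % mode)
    if not opflex.get("peers"):
        findings.append("no OpFlex peers configured")
    inspector = opflex.get("inspector") or {}
    if inspector.get("enabled", True):   # enabled by default per the config comments
        sock = inspector.get("socket-name", "/var/run/opflex-agent-ovs-inspect.sock")
        findings.append("inspector listening on %s: keep the socket readable by "
                        "administrators only" % sock)
    return findings
```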
The agent learns about endpoints using endpoint metadata files located by default in “/var/lib/opflex-agent-ovs/endpoints”.
These are JSON-format files such as the (unusually complex) example below:
{
    "uuid": "83f18f0b-80f7-46e2-b06c-4d9487b0c754",
    "policy-space-name": "test",
    "endpoint-group-name": "group1",
    "interface-name": "veth0",
    "ip": [
        "10.0.0.1", "fd8f:69d8:c12c:ca62::1"
    ],
    "dhcp4": {
        "ip": "10.200.44.2",
        "prefix-len": 24,
        "routers": ["10.200.44.1"],
        "dns-servers": ["8.8.8.8", "8.8.4.4"],
        "domain": "example.com",
        "static-routes": [
            {
                "dest": "169.254.169.0",
                "dest-prefix": 24,
                "next-hop": "10.0.0.1"
            }
        ]
    },
    "dhcp6": {
        "dns-servers": ["2001:4860:4860::8888", "2001:4860:4860::8844"],
        "search-list": ["test1.example.com", "example.com"]
    },
    "ip-address-mapping": [
        {
            "uuid": "91c5b217-d244-432c-922d-533c6c036ab4",
            "floating-ip": "5.5.5.1",
            "mapped-ip": "10.0.0.1",
            "policy-space-name": "common",
            "endpoint-group-name": "nat-epg"
        },
        {
            "uuid": "22bfdc01-a390-4b6f-9b10-624d4ccb957b",
            "floating-ip": "fdf1:9f86:d1af:6cc9::1",
            "mapped-ip": "fd8f:69d8:c12c:ca62::1",
            "policy-space-name": "common",
            "endpoint-group-name": "nat-epg"
        }
    ],
    "mac": "00:00:00:00:00:01",
    "promiscuous-mode": false
}
The possible parameters for these files are:
DHCPv4 configuration blocks can contain the following parameters:
DHCPv6 configuration blocks can contain the following parameters:
IP address mapping configuration blocks can contain the following parameters:
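Endpoint files are written by the orchestration layer and consumed by the agent as policy input, so it is worth validating them before they land in the monitored directory. The following Python is an added example, not agent-ovs code: it checks the identifying fields of an endpoint file in the format above and cross-checks each ip-address-mapping against the endpoint's own addresses. The sample endpoint is constructed from the page's example with the dhcp blocks omitted, and the rule that floating and mapped addresses share an address family follows the page's examples and is an assumption of this check.

```python
import ipaddress
import re
import uuid

# Constructed endpoint in the format shown above (dhcp blocks omitted).
SAMPLE_EP = {
    "uuid": "83f18f0b-80f7-46e2-b06c-4d9487b0c754",
    "policy-space-name": "test", "endpoint-group-name": "group1",
    "interface-name": "veth0", "mac": "00:00:00:00:00:01",
    "ip": ["10.0.0.1", "fd8f:69d8:c12c:ca62::1"],
    "ip-address-mapping": [
        {"uuid": "91c5b217-d244-432c-922d-533c6c036ab4", "floating-ip": "5.5.5.1",
         "mapped-ip": "10.0.0.1", "policy-space-name": "common",
         "endpoint-group-name": "nat-epg"}],
}

_MAC = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$", re.IGNORECASE)

def validate_endpoint(ep):
    """Return the problems found in one endpoint dict; empty when it is sound."""
    errors = []
    try:
        uuid.UUID(str(ep.get("uuid", "")))
    except ValueError:
        errors.append("uuid missing or malformed")
    for key in ("policy-space-name", "endpoint-group-name", "interface-name"):
        if not ep.get(key):
            errors.append("missing %s" % key)
    if not _MAC.match(str(ep.get("mac", ""))):
        errors.append("mac missing or malformed")
    ips = set()
    for ip in ep.get("ip", []):
        try:
            ips.add(ipaddress.ip_address(ip))
        except ValueError:
            errors.append("bad ip %r" % ip)
    # A NAT mapping must translate one of this endpoint's own addresses, and
    # (assumption) the floating and mapped addresses must be of the same family.
    for m in ep.get("ip-address-mapping", []):
        try:
            fip = ipaddress.ip_address(m["floating-ip"])
            mip = ipaddress.ip_address(m["mapped-ip"])
        except (KeyError, ValueError):
            errors.append("bad ip-address-mapping %r" % m)
            continue
        if mip not in ips:
            errors.append("mapped-ip %s is not an address of this endpoint" % mip)
        elif fip.version != mip.version:
            errors.append("floating-ip %s and mapped-ip %s differ in family" % (fip, mip))
    return errors
```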
The OpFlex inspector is a command-line tool that lets you inspect the state of the agent's managed object database (MODB) for debugging and diagnosis.
The command is called “gbp_inspect” and takes the following arguments:
# gbp_inspect -h
Usage: ./gbp_inspect [options]
Allowed options:
  -h [ --help ]                   Print this help message
  --log arg                       Log to the specified file (default
                                  standard out)
  --level arg (=warning)          Use the specified log level (default
                                  info)
  --syslog                        Log to syslog instead of file or
                                  standard out
  --socket arg (=/usr/local/var/run/opflex-agent-ovs-inspect.sock)
                                  Connect to the specified UNIX domain
                                  socket (default /usr/local/var/run/opfl
                                  ex-agent-ovs-inspect.sock)
  -q [ --query ] arg              Query for a specific object with
                                  subjectname,uri or all objects of a
                                  specific type with subjectname
  -r [ --recursive ]              Retrieve the whole subtree for each
                                  returned object
  -f [ --follow-refs ]            Follow references in returned objects
  --load arg                      Load managed objects from the specified
                                  file into the MODB view
  -o [ --output ] arg             Output the results to the specified
                                  file (default standard out)
  -t [ --type ] arg (=tree)       Specify the output format: tree, list,
                                  or dump (default tree)
  -p [ --props ]                  Include object properties in output
Here are some examples of the ways to use this tool.
You can get information about the running system using one or more queries, which consist of an object model class name and optionally the URI of a specific object. The simplest query is to get a single object, nonrecursively:
# gbp_inspect -q DmtreeRoot
--* DmtreeRoot,/
# gbp_inspect -q GbpEpGroup
--* GbpEpGroup,/PolicyUniverse/PolicySpace/common/GbpEpGroup/nat-epg/
--* GbpEpGroup,/PolicyUniverse/PolicySpace/test/GbpEpGroup/group1/
# gbp_inspect -q GbpEpGroup,/PolicyUniverse/PolicySpace/common/GbpEpGroup/nat-epg/
--* GbpEpGroup,/PolicyUniverse/PolicySpace/common/GbpEpGroup/nat-epg/
You can also display all the properties for each object:
# gbp_inspect -p -q GbpeL24Classifier
--* GbpeL24Classifier,/PolicyUniverse/PolicySpace/test/GbpeL24Classifier/classifier4/
  {
    connectionTracking : 1 (reflexive)
    dFromPort : 80
    dToPort : 80
    etherT : 2048 (ipv4)
    name : classifier4
    prot : 6
  }
--* GbpeL24Classifier,/PolicyUniverse/PolicySpace/test/GbpeL24Classifier/classifier3/
  {
    etherT : 34525 (ipv6)
    name : classifier3
    order : 100
    prot : 58
  }
--* GbpeL24Classifier,/PolicyUniverse/PolicySpace/test/GbpeL24Classifier/classifier2/
  {
    etherT : 2048 (ipv4)
    name : classifier2
    order : 101
    prot : 1
  }
You can also request all the children of the object you query for:
# gbp_inspect -r -q GbpEpGroup,/PolicyUniverse/PolicySpace/common/GbpEpGroup/nat-epg/
--* GbpEpGroup,/PolicyUniverse/PolicySpace/common/GbpEpGroup/nat-epg/
  |-* GbpeInstContext,/PolicyUniverse/PolicySpace/common/GbpEpGroup/nat-epg/GbpeInstContext/
  `-* GbpEpGroupToNetworkRSrc,/PolicyUniverse/PolicySpace/common/GbpEpGroup/nat-epg/GbpEpGroupToNetworkRSrc/
You can also follow the references found in any of the returned objects:
# gbp_inspect -fr -q GbpEpGroup,/PolicyUniverse/PolicySpace/common/GbpEpGroup/nat-epg/
--* GbpEpGroup,/PolicyUniverse/PolicySpace/common/GbpEpGroup/nat-epg/
  |-* GbpeInstContext,/PolicyUniverse/PolicySpace/common/GbpEpGroup/nat-epg/GbpeInstContext/
  `-* GbpEpGroupToNetworkRSrc,/PolicyUniverse/PolicySpace/common/GbpEpGroup/nat-epg/GbpEpGroupToNetworkRSrc/
--* GbpFloodDomain,/PolicyUniverse/PolicySpace/common/GbpFloodDomain/fd_ext/
  `-* GbpFloodDomainToNetworkRSrc,/PolicyUniverse/PolicySpace/common/GbpFloodDomain/fd_ext/GbpFloodDomainToNetworkRSrc/
--* GbpBridgeDomain,/PolicyUniverse/PolicySpace/common/GbpBridgeDomain/bd_ext/
  `-* GbpBridgeDomainToNetworkRSrc,/PolicyUniverse/PolicySpace/common/GbpBridgeDomain/bd_ext/GbpBridgeDomainToNetworkRSrc/
--* GbpRoutingDomain,/PolicyUniverse/PolicySpace/common/GbpRoutingDomain/rd_ext/
  |-* GbpRoutingDomainToIntSubnetsRSrc,/PolicyUniverse/PolicySpace/common/GbpRoutingDomain/rd_ext/GbpRoutingDomainToIntSubnetsRSrc/122/%2fPolicyUniverse%2fPolicySpace%2fcommon%2fGbpSubnets%2fsubnets_ext%2f/
  `-* GbpForwardingBehavioralGroupToSubnetsRSrc,/PolicyUniverse/PolicySpace/common/GbpRoutingDomain/rd_ext/GbpForwardingBehavioralGroupToSubnetsRSrc/
--* GbpSubnets,/PolicyUniverse/PolicySpace/common/GbpSubnets/subnets_ext/
  |-* GbpSubnet,/PolicyUniverse/PolicySpace/common/GbpSubnets/subnets_ext/GbpSubnet/subnet_ext4/
  `-* GbpSubnet,/PolicyUniverse/PolicySpace/common/GbpSubnets/subnets_ext/GbpSubnet/subnet_ext6/
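The tree output is easy to script against, which is useful when you want to check what policy the agent is actually holding rather than what the orchestrator thinks it sent. The following Python is an added example and not part of gbp_inspect: it parses tree-format output with properties into objects and answers one audit question over them, namely which L24 classifiers cover a given protocol and destination port. The sample output is constructed from this page's examples; the rule that a classifier without a port range matches every port is an assumption of the example.

```python
import re

# Constructed sample of "gbp_inspect -p -r" tree output in the format shown above.
SAMPLE_OUTPUT = """\
--* GbpEpGroup,/PolicyUniverse/PolicySpace/common/GbpEpGroup/nat-epg/
  `-* GbpEpGroupToNetworkRSrc,/PolicyUniverse/PolicySpace/common/GbpEpGroup/nat-epg/GbpEpGroupToNetworkRSrc/
--* GbpeL24Classifier,/PolicyUniverse/PolicySpace/test/GbpeL24Classifier/classifier4/
  {
    connectionTracking : 1 (reflexive)
    dFromPort : 80
    dToPort : 80
    etherT : 2048 (ipv4)
    name : classifier4
    prot : 6
  }
"""

# "--*" starts a top-level object; "|-*" and "`-*" are entries of its subtree.
_NODE = re.compile(r"^\s*(--|\|-|`-)\* ([^,]+),(\S+)$")
_PROP = re.compile(r"^\s*(\w+) : (\S+)(?: \((\w+)\))?$")   # value and optional label

def parse_inspect(text):
    """Parse tree-format output into dicts with class, uri, parent and props."""
    objects, root = [], None
    for line in text.splitlines():
        node = _NODE.match(line)
        if node:
            is_root = node.group(1) == "--"
            root = node.group(3) if is_root else root
            objects.append({"class": node.group(2), "uri": node.group(3),
                            "parent": None if is_root else root, "props": {}})
            continue
        prop = _PROP.match(line)
        if prop and objects:   # raw value plus the symbolic label, if printed
            objects[-1]["props"][prop.group(1)] = (prop.group(2), prop.group(3))
    return objects

def classifiers_matching(objects, proto, dport):
    """URIs of GbpeL24Classifier objects whose prot and dFromPort..dToPort cover
    (proto, dport). Assumption: no port range means every port matches."""
    hits = []
    for o in objects:
        props = o["props"]
        if o["class"] != "GbpeL24Classifier" or props.get("prot", ("",))[0] != str(proto):
            continue
        lo = int(props.get("dFromPort", ("0",))[0])
        hi = int(props.get("dToPort", ("65535",))[0])
        if lo <= dport <= hi:
            hits.append(o["uri"])
    return hits
```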