Querying OVN


This page has been identified as being affected by the breaking changes introduced between versions 2.9.x and 3.x of the Juju client. Read support note Breaking changes between Juju 2.9.x and 3.x before continuing.

The OVN databases are configured to use the Clustered Database Service Model. In this configuration only the leader processes transactions and the administrative client tools are configured to require a connection to the leader to operate.


For general information on OVN, refer to the main Open Virtual Network (OVN) page.

The leader of the Northbound and Southbound databases does not have to coincide with the charm leader, so before querying databases you must consult the output of juju status to check which unit is the leader of the database you want to query. Example:

juju status ovn-central
Unit            Workload  Agent  Machine  Public address  Ports              Message
ovn-central/0*  active    idle   0/lxd/5   6641/tcp,6642/tcp  Unit is ready (leader: ovnnb_db)
ovn-central/1   active    idle   1/lxd/4   6641/tcp,6642/tcp  Unit is ready (northd: active)
ovn-central/2   active    idle   2/lxd/2   6641/tcp,6642/tcp  Unit is ready (leader: ovnsb_db)

In the above example ‘ovn-central/0’ is the leader for the Northbound DB, ‘ovn-central/1’ has the active ovn-northd daemon and ‘ovn-central/2’ is the leader for the Southbound DB.

OVSDB Cluster status

The cluster status as conveyed through juju status is updated each time a hook is run, in some circumstances it may be necessary to get an immediate view of the current cluster status.

To get an immediate view of the database clusters:

juju exec --application ovn-central 'ovn-appctl -t \
    /var/run/ovn/ovnnb_db.ctl cluster/status OVN_Northbound'
juju exec --application ovn-central 'ovn-appctl -t \
    /var/run/ovn/ovnsb_db.ctl cluster/status OVN_Southbound'

Querying DBs

To query the individual databases:

juju exec --unit ovn-central/0 'ovn-nbctl show'
juju exec --unit ovn-central/2 'ovn-sbctl show'
juju exec --unit ovn-central/2 'ovn-sbctl lflow-list'

As an alternative you may provide the administrative client tools with command-line arguments for path to certificates and IP address of servers so that you can run the client from anywhere:

ovn-nbctl \
   -p /etc/ovn/key_host \
   -C /etc/ovn/ovn-central.crt \
   -c /etc/ovn/cert_host \
   --db ssl:,ssl:,ssl: \

Note that for remote administrative write access to the Southbound DB you must use port number ‘16642’. This is due to OVN RBAC being enabled on the standard ‘6642’ port:

ovn-sbctl \
   -p /etc/ovn/key_host \
   -C /etc/ovn/ovn-central.crt \
   -c /etc/ovn/cert_host \
   --db ssl:,ssl:,ssl: \

Data plane flow tracing

Connect (by SSH) to one of the chassis units to get access to various diagnostic tools:

juju ssh ovn-chassis/0

sudo ovs-vsctl show

sudo ovs-ofctl -O OpenFlow13 dump-flows br-int

sudo ovs-appctl -t ovs-vswitchd \
   ofproto/trace br-provider \

sudo ovn-trace \
   -p /etc/ovn/key_host \
   -C /etc/ovn/ovn-chassis.crt \
   -c /etc/ovn/cert_host \
   --db ssl:,ssl:,ssl: \
   --ovs ext-net 'inport=="provnet-dde76bc9-0620-44f7-b99a-99cfc66e1095" && \
   eth.src==30:e1:71:5c:7a:b5 && \
   eth.dst==fa:16:3e:f7:15:73 && \
   ip4.src== && \
   ip4.dst== && \
   icmp4.type==8 && \
   ip.ttl == 64'


OVN makes use of OpenFlow 1.3 (and newer) and as such the charm configures bridges to use these protocols. To be able to successfully use the ovs-ofctl command you must specify the OpenFlow version as shown in the example above.

You may issue the ovs-vsctl list bridge command to show what protocols are enabled on the bridges.