Master Open vSwitch: Architecture, Installation, and Advanced Configuration
This guide explains Open vSwitch's origins, core features, software architecture, key components such as ovsdb-server, ovs-vswitchd, and the kernel module, provides step‑by‑step installation on CentOS 7, and details configuration of bridges, ports, SSL, controllers, and flow handling for SDN environments.
Open vSwitch
Nicira Networks, founded by the originators of OpenFlow, released Open vSwitch (OvS) in 2009 as an OpenFlow‑capable software switch for virtualized hosts, implemented against the OpenFlow Switch Specification.
OvS is open source (Apache 2.0 for the user‑space code; the Linux kernel datapath is GPLv2 and has been in the mainline kernel since 3.3). VMware acquired Nicira in 2012 and built its NVP/NSX network virtualization platform on OvS. OvS joined the Linux Foundation in 2016 and is the default ML2 mechanism driver for OpenStack Neutron.
Key Features of Open vSwitch
OpenFlow protocol (versions 1.0 and later)
Standard 802.3 Ethernet switching with access and trunk ports
802.1Q VLAN and VLAN trunking
802.1AX LACP (link aggregation)
802.1ag CFM and BFD link monitoring
802.1D STP
IPv4 and IPv6
VxLAN, GRE, IPsec, GRE‑and‑VXLAN over IPsec tunnels
Fine‑grained QoS and HFSC traffic‑control queues
Per‑VM NIC traffic‑control policies
NetFlow, sFlow and IPFIX export; SPAN, RSPAN and GRE‑tunneled port mirroring for traffic visibility
Src‑MAC load‑balancing, active‑backup, L4 hash port bonding
Kernel‑space and user‑space datapath engines
Installing Open vSwitch on CentOS 7
Step 1 . SELinux. The original procedure disables SELinux so that the ovsdb‑server Manager listener is not blocked:
$ setenforce 0
$ cat /etc/selinux/config | grep -v ^#
SELINUX=disabled
SELINUXTYPE=targeted
Note that setenforce 0 only switches to permissive mode until the next boot; the edit to /etc/selinux/config is what persists. Disabling SELinux on a host that switches traffic for other tenants is a real loss of containment. Prefer to keep it enforcing: an SELinux policy package for Open vSwitch (openvswitch-selinux-policy) is available from the same repositories as the switch itself, and if a listener is still denied, read the AVC denial from the audit log and allow that one operation rather than turning enforcement off.
Step 2 . Install packages. The openvswitch packages come from the CentOS OpenStack (RDO) repositories, not the base repository.
$ yum install openvswitch openvswitch-test
Step 3 . Enable and start the service.
$ systemctl enable openvswitch
$ systemctl start openvswitch
$ systemctl status openvswitch
Open vSwitch Software Architecture
ovsdb-server
ovsdb-server runs in user space as a lightweight database service exposing a UNIX socket (db.sock). The backend database is a JSON‑formatted conf.db file that stores vSwitch configuration.
Typical start command:
ovsdb-server /etc/openvswitch/conf.db \
-vconsole:emer -vsyslog:err -vfile:info \
--remote=punix:/var/run/openvswitch/db.sock \
--log-file=/var/log/openvswitch/ovsdb-server.log \
--pidfile=/var/run/openvswitch/ovsdb-server.pid \
--detach --monitor
The database file is created from the schema with ovsdb-tool create (conf.db plus the vswitch.ovsschema that ships with the package) and can be inspected with ovsdb-client dump.
ovs-vswitchd
ovs-vswitchd is the user‑space daemon that implements the vSwitch. It obtains configuration from ovsdb‑server, receives Flow Table entries via OpenFlow from an SDN controller, and synchronizes with the kernel datapath through a NETLINK socket.
ovs-vswitchd unix:/var/run/openvswitch/db.sock \
-vconsole:emer -vsyslog:err -vfile:info \
--mlockall --no-chdir \
--log-file=/var/log/openvswitch/ovs-vswitchd.log \
--pidfile=/var/run/openvswitch/ovs-vswitchd.pid \
--detach --monitor
Key tuning options, set as other_config keys on the Open_vSwitch table, include stats-update-interval, flow-limit (the cap on kernel datapath flow entries), n-handler-threads (threads that service upcalls from the kernel) and n-revalidator-threads (threads that revalidate and expire cached flows).
openvswitch.ko
The kernel module openvswitch.ko provides the kernel datapath. It can host multiple independent datapaths, each with its own flow table.
$ lsmod | grep openvswitch
openvswitch 70743 0
vxlan 37584 1 openvswitch
gre 13808 1 openvswitch
libcrc32c 12644 2 xfs,openvswitch
$ modinfo openvswitch
filename: /lib/modules/3.10.0-327.el7.x86_64/kernel/net/openvswitch/openvswitch.ko
license: GPL
description: Open vSwitch switching datapath
...
Four datapath implementations exist: Linux upstream (the module in the distribution kernel), Linux OVS tree (built out of tree from the OvS sources to get newer features on older kernels), DPDK userspace (bypasses the kernel entirely) and Hyper‑V. The modinfo path above, under kernel/net/openvswitch/ in /lib/modules, shows that this CentOS host is running the in‑tree upstream module, which is what a packaged install normally uses; the OVS‑tree and DPDK datapaths are the common alternatives when the upstream module is too old or too slow.
CLI Toolset
ovs-vsctl : Configure ovs‑vswitchd through the database (most common).
ovsdb-client : Talk to ovsdb‑server directly (dump, monitor, transact).
ovsdb-tool : Create and initialize conf.db from a schema.
ovs-ofctl : Inspect and manage OpenFlow flow tables directly, e.g., when no external controller is present.
ovs-dpctl : Inspect kernel datapath flow entries.
ovs-appctl : Send runtime commands to a running daemon, e.g., ofproto/trace to trace how a given packet would be handled.
Core Operational Objects
Manager
The Manager object configures the TCP/SSL/UNIX listeners (or outbound connections) of ovsdb‑server, which is how external components such as an SDN controller or an orchestration layer perform DB operations; ovs‑vswitchd itself talks to the local db.sock. OVSDB carries no authentication of its own, so a ptcp listener without a bind address accepts writes from anyone who can reach the port, and write access to the database is equivalent to root on the switch: an attacker can add ports, change VLAN tags, or point a bridge at a controller of their choosing. Use pssl with client certificates, or at least bind a cleartext listener to loopback.
$ ovs-vsctl set-manager ptcp:8881 # passive listener on all interfaces, cleartext
# ovs-vsctl set-manager tcp:1.2.3.4:6640 # active connection: ovsdb-server connects out to the manager
SSL
The SSL object stores the private key, certificate and CA certificate that ovsdb‑server (and ovs‑vswitchd, for ssl: controllers) present to peers and use to verify them. The commands below generate a self‑signed CA and a certificate for the switch with OpenSSL, then configure the SSL connection in ovsdb‑server. Open vSwitch also ships ovs-pki, which automates the same steps.
$ mkdir ~/OVS_CA
$ cd ~/OVS_CA
# 2048-bit keys; the original used 1024 bits, which is below current minimums
$ openssl genrsa -out caprivate.key 2048
$ openssl req -key caprivate.key -new -subj "/C=CN/ST=CN/L=CN/O=CN/[email protected]" -out cacertificate.req
# -days: without it the CA certificate expires after 30 days
$ openssl x509 -req -days 3650 -sha256 -in cacertificate.req -signkey caprivate.key -out cacertificate.pem
$ mkdir ~/ClientCerts
$ cd ~/ClientCerts
$ openssl genrsa -out cliu8private.key 2048
$ openssl req -key cliu8private.key -new -subj "/C=CN/ST=CN/L=CN/O=CN/[email protected]" -out cliu8certificate.req
# sign in place: the CA private key stays in ~/OVS_CA and is not copied next to the switch certificate
$ openssl x509 -req -days 365 -sha256 -in cliu8certificate.req -CA ~/OVS_CA/cacertificate.pem -CAkey ~/OVS_CA/caprivate.key -CAcreateserial -out cliu8certificate.pem
$ ovs-vsctl del-manager
$ ovs-vsctl set-manager pssl:8881
# arguments: private key, certificate, CA certificate; this is the switch's own identity despite the directory name
$ ovs-vsctl set-ssl /root/ClientCerts/cliu8private.key /root/ClientCerts/cliu8certificate.pem /root/OVS_CA/cacertificate.pem
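A mismatched key, a certificate that does not chain to the CA, or a certificate that has quietly expired only shows up later as a failed pssl/ssl handshake in ovsdb-server.log. The script below is an added example, not code from this guide or from the Open vSwitch project: it checks a key/certificate/CA triple before it is handed to ovs-vsctl set-ssl. The function name verify_ovs_ssl_material, the 30‑day expiry window and the throwaway PKI built by make_demo_material are all assumptions made for the demonstration; only the openssl invocations are standard.

```shell
#!/bin/sh
# Added example (not from the page or the Open vSwitch project): sanity-check
# the key/cert/CA triple before `ovs-vsctl set-ssl KEY CERT CACERT`.
set -u

# verify_ovs_ssl_material KEY CERT CACERT
# Returns 0 if KEY matches CERT, CERT chains to CACERT, and CERT is valid for at
# least 30 more days; prints the first problem found and returns 1 otherwise.
verify_ovs_ssl_material() {
    key=$1; cert=$2; ca=$3
    for f in "$key" "$cert" "$ca"; do
        [ -r "$f" ] || { echo "unreadable: $f"; return 1; }
    done
    # The public key derived from the private key must equal the one in the cert.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || { echo "bad key: $key"; return 1; }
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || { echo "bad cert: $cert"; return 1; }
    [ "$key_pub" = "$cert_pub" ] || { echo "key/cert mismatch: $key $cert"; return 1; }
    # The certificate must chain to the CA that peers will be told to trust.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || { echo "cert does not chain to $ca"; return 1; }
    # -checkend SECONDS fails if the cert expires within that window (30 days here).
    openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null 2>&1 || { echo "cert expires within 30 days: $cert"; return 1; }
    echo "ok: $cert"
    return 0
}

# make_demo_material DIR: constructed throwaway PKI for the demonstration only:
# a CA, a switch certificate signed by it, and an unrelated CA for the negative case.
make_demo_material() {
    d=$1
    openssl genrsa -out "$d/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$d/ca.key" -days 3650 -sha256 -subj "/CN=demo OVS CA" -out "$d/ca.pem" 2>/dev/null
    openssl genrsa -out "$d/switch.key" 2048 2>/dev/null
    openssl req -new -key "$d/switch.key" -subj "/CN=demo ovsdb-server" -out "$d/switch.csr" 2>/dev/null
    openssl x509 -req -days 365 -sha256 -in "$d/switch.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/switch.pem" 2>/dev/null
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$d/other.key" -days 3650 -sha256 -subj "/CN=unrelated CA" -out "$d/other-ca.pem" 2>/dev/null
}

demo() {
    d=$(mktemp -d)
    make_demo_material "$d"
    verify_ovs_ssl_material "$d/switch.key" "$d/switch.pem" "$d/ca.pem"
    # Same certificate checked against a CA that did not sign it: must be rejected.
    verify_ovs_ssl_material "$d/switch.key" "$d/switch.pem" "$d/other-ca.pem" || echo "(rejected as expected)"
    rm -rf "$d"
}

demo
```

Run it on the real files from the procedure above (the switch key and certificate plus the CA certificate) before calling set-ssl; a non‑zero exit is the signal that ovsdb-server would have refused or failed the handshake.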
Bridge
Bridge objects represent virtual switches. With the default NORMAL action they behave like a learning switch: member ports run in promiscuous mode, source MAC addresses are learned, and frames are forwarded by L2 rules and VLAN membership. Common commands:
ovs-vsctl show
ovs-vsctl add-br <bridge>
ovs-vsctl del-br <bridge>
ovs-vsctl add-port <bridge> <port>
ovs-vsctl del-port <bridge> <port>
ovs-vsctl list bridge <bridge>
Port / Interface
Ports attach to Bridges; Interfaces represent the actual network devices behind a Port (a bond port has several). Interface types include normal (a host NIC), internal (a virtual NIC that appears on the host), patch (a link between two bridges) and tunnel (vxlan, gre, geneve). VLAN membership is set on the Port with tag (access) or trunks (trunk); a port with neither set carries every VLAN, so set trunks explicitly on uplinks to keep tenants from reaching VLANs they were not assigned. Flow rules can also push or strip VLAN tags.
# Add an access port on VLAN 3
ovs-vsctl add-port <bridge> <vlan_access_interface> tag=3 -- set interface <vlan_access_interface> type=internal
# Restrict a trunk port to VLANs 3-6 (the Port column is "trunks", not "trunk")
ovs-vsctl add-port <bridge> <vlan_trunk_interface> trunks=3,4,5,6
# Add a flow that tags untagged frames (dl_vlan=0xffff) arriving on port 1 with VLAN 100 and sends them out port 3
ovs-ofctl add-flow <bridge> in_port=1,dl_vlan=0xffff,actions=mod_vlan_vid:100,output:3
Controller
SDN controllers manage Bridges via OpenFlow. Primary controllers (active targets such as tcp: or ssl:) own the flow table; service controllers (passive targets that tools connect in to) provide auxiliary functions and do not take part in fail‑over. Controllers are set, queried and removed with ovs-vsctl set-controller, get-controller and del-controller. Fail‑mode governs what the bridge does when no primary controller is reachable: standalone (the default) falls back to NORMAL learning‑switch forwarding if the connection stays down, so any policy the controller enforced is silently bypassed; secure keeps only the flows already installed and drops anything they do not cover, which is the fail‑closed choice for a policy‑enforcing deployment. Prefer ssl: over tcp: for the controller channel, since a cleartext OpenFlow connection lets anyone on the path rewrite the flow table; 6653 is the IANA OpenFlow port and 6633 the legacy one used below.
$ ovs-vsctl set-controller <bridge> tcp:<controller_ip>:6633
$ ovs-vsctl set-fail-mode <bridge> secure
$ ovs-vsctl get-fail-mode <bridge>
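Whether the Manager and Controller targets configured above leave the control plane open to the network can be read off the target strings alone: punix:/unix: stay on the host, pssl:/ssl: are authenticated and encrypted, tcp: is cleartext to an unauthenticated peer, and ptcp:PORT without a bind address listens on every interface. The script below is an added example, not code from this guide or from the Open vSwitch project: it classifies targets as printed one per line by ovs-vsctl get-manager and ovs-vsctl get-controller <bridge>. The function names, the ok/warn/EXPOSED scale and the SAMPLE_TARGETS list are assumptions made for the demonstration; the sample is constructed, not captured from a host.

```shell
#!/bin/sh
# Added example (not from the page or the Open vSwitch project): rate the
# exposure of OVSDB Manager and OpenFlow Controller targets from their syntax.
# Exit codes from ovs_target_risk: 0 ok, 1 warning, 2 exposed.

# ovs_target_risk TARGET
# TARGET is one of ptcp:PORT[:IP], pssl:PORT[:IP], tcp:IP:PORT, ssl:IP:PORT,
# punix:PATH or unix:PATH (the forms accepted by set-manager / set-controller).
ovs_target_risk() {
    target=$1
    proto=${target%%:*}
    rest=${target#*:}
    case "$proto" in
        punix|unix)
            echo "ok      local socket          $target"; return 0 ;;
        pssl|ssl)
            echo "ok      TLS                   $target"; return 0 ;;
        ptcp)
            # Passive cleartext listener: ptcp:PORT binds every interface,
            # ptcp:PORT:IP binds only IP. No authentication either way.
            case "$rest" in
                *:*)
                    ip=${rest#*:}
                    if [ "$ip" = "127.0.0.1" ] || [ "$ip" = "::1" ]; then
                        echo "warn    cleartext, loopback   $target"; return 1
                    fi
                    echo "EXPOSED cleartext listener    $target (bound to $ip)"; return 2 ;;
                *)
                    echo "EXPOSED cleartext listener    $target (all interfaces)"; return 2 ;;
            esac ;;
        tcp)
            # Active cleartext connection: the switch trusts whoever answers at IP:PORT.
            echo "EXPOSED cleartext connection  $target (unauthenticated peer)"; return 2 ;;
        *)
            echo "unknown                       $target"; return 1 ;;
    esac
}

# audit_targets < TARGETS: one target per line, as printed by
# `ovs-vsctl get-manager` and `ovs-vsctl get-controller <bridge>`.
# Prints one line per target; returns the number of exposed targets.
audit_targets() {
    exposed=0
    while IFS= read -r t; do
        [ -n "$t" ] || continue
        ovs_target_risk "$t"
        rc=$?
        [ "$rc" -eq 2 ] && exposed=$((exposed + 1))
    done
    return $exposed
}

# Constructed sample (assumption, not real output): the ptcp manager and tcp
# controller from this guide, plus a TLS listener, a loopback listener and the
# local socket ovs-vswitchd uses.
SAMPLE_TARGETS='ptcp:8881
tcp:192.0.2.10:6633
pssl:6640
ptcp:6640:127.0.0.1
punix:/var/run/openvswitch/db.sock'

printf '%s\n' "$SAMPLE_TARGETS" | audit_targets
echo "exposed targets: $?"
```

On a live host replace the sample with the real output, e.g. { ovs-vsctl get-manager; ovs-vsctl get-controller br0; } | audit_targets, and treat any non‑zero return as a finding: the fix is pssl:/ssl: with the certificate material from the SSL section, or a loopback bind for a listener that only local tooling needs.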
Open vSwitch Operation Summary
OvS uses a two‑path model: the fast path (kernel datapath) forwards packets inside the kernel using a cache of flow entries; the slow path (ovs‑vswitchd in user space) handles cache misses, which the kernel hands up through a netlink upcall, by classifying the packet against the full OpenFlow tables, possibly consulting the SDN controller with a packet‑in, installing a new cache entry in the kernel and reinjecting the packet. Every cache miss costs a user‑space round trip, so a flood of packets with distinct headers is a denial‑of‑service vector against the switch itself; other_config:flow-limit caps the number of kernel entries and the revalidator threads evict idle ones.
Kernel datapath monitors ports.
If no matching flow, packet is up‑called to user datapath.
User datapath holds the full flow table and may forward packets to the controller.
Controller returns new flow entries.
User datapath syncs entries to kernel datapath.
Packet is reinjected into kernel datapath for fast processing.
Packet is finally forwarded out the appropriate port or dropped.
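The kernel flow cache is what the steps above fill, and ovs-dpctl dump-flows shows its contents one flow per line with packet and byte counters. A port that forces many cache misses (a port scan or a flood of distinct 5‑tuples) shows up as many one‑packet flows from the same in_port, and the total count tells how close the cache is to flow-limit. The script below is an added example, not code from this guide or from the Open vSwitch project: it summarizes dump-flows output per input port. The function names, the "more than half single‑packet" heuristic, the 80 % pressure threshold and the SAMPLE_DP_FLOWS text are assumptions for the demonstration; the sample is constructed in dump-flows format, not captured from a host.

```shell
#!/bin/sh
# Added example (not from the page or the Open vSwitch project): summarize the
# kernel flow cache per in_port from `ovs-dpctl dump-flows` output.

# dp_flow_summary < DUMP
# Prints one "port flows packets single_packet_flows" line per in_port.
# Handles the numeric in_port(N) printed by ovs-dpctl and named ports alike.
dp_flow_summary() {
    awk '
    {
        port = ""; pk = 0
        if (match($0, /in_port\([^)]+\)/)) port = substr($0, RSTART + 8, RLENGTH - 9)
        if (match($0, /packets:[0-9]+/))  pk = substr($0, RSTART + 8, RLENGTH - 8) + 0
        if (port == "") next
        flows[port]++
        pkts[port] += pk
        if (pk <= 1) singles[port]++
    }
    END {
        for (p in flows) printf "%s %d %d %d\n", p, flows[p], pkts[p], singles[p] + 0
    }' | sort -n
}

# dp_flood_suspects [MIN_FLOWS] < DUMP
# Ports with at least MIN_FLOWS cached flows where more than half carried one packet.
dp_flood_suspects() {
    min=${1:-1000}
    dp_flow_summary | awk -v min="$min" '$2 >= min && $4 * 2 > $2 { print $1 }'
}

# dp_flow_pressure COUNT [LIMIT]
# Returns 0 if COUNT is below 80% of LIMIT, 1 otherwise. LIMIT is the value of
# other_config:flow-limit, whose default is 200000.
dp_flow_pressure() {
    count=$1; limit=${2:-200000}
    [ $((count * 100)) -lt $((limit * 80)) ]
}

# Constructed sample in ovs-dpctl dump-flows format (not captured from a real host):
# three flows from port 2 towards 10.0.0.2:80, two of them one-packet, and the
# reply flow arriving on port 3.
SAMPLE_DP_FLOWS='recirc_id(0),in_port(2),eth(src=02:00:00:00:00:01,dst=02:00:00:00:00:02),eth_type(0x0800),ipv4(src=10.0.0.1,dst=10.0.0.2,proto=6,tos=0/0,ttl=64,frag=no),tcp(src=40001,dst=80), packets:10, bytes:1500, used:0.120s, actions:3
recirc_id(0),in_port(2),eth(src=02:00:00:00:00:01,dst=02:00:00:00:00:02),eth_type(0x0800),ipv4(src=10.0.0.1,dst=10.0.0.2,proto=6,tos=0/0,ttl=64,frag=no),tcp(src=40002,dst=80), packets:1, bytes:60, used:0.010s, actions:3
recirc_id(0),in_port(2),eth(src=02:00:00:00:00:01,dst=02:00:00:00:00:02),eth_type(0x0800),ipv4(src=10.0.0.1,dst=10.0.0.2,proto=6,tos=0/0,ttl=64,frag=no),tcp(src=40003,dst=80), packets:1, bytes:60, used:0.011s, actions:3
recirc_id(0),in_port(3),eth(src=02:00:00:00:00:02,dst=02:00:00:00:00:01),eth_type(0x0800),ipv4(src=10.0.0.2,dst=10.0.0.1,proto=6,tos=0/0,ttl=64,frag=no),tcp(src=80,dst=40001), packets:8, bytes:9000, used:0.100s, actions:2'

printf '%s\n' "$SAMPLE_DP_FLOWS" | dp_flow_summary
echo "suspects (threshold 3): $(printf '%s\n' "$SAMPLE_DP_FLOWS" | dp_flood_suspects 3)"
n=$(printf '%s\n' "$SAMPLE_DP_FLOWS" | wc -l | tr -d ' ')
dp_flow_pressure "$n" 200000 && echo "cache pressure ok ($n flows)"
```

On a live host feed it with ovs-dpctl dump-flows | dp_flood_suspects, and compare the flow count against the configured flow-limit with dp_flow_pressure; a port that keeps appearing as a suspect is the place to rate‑limit or isolate before the cache and the handler threads saturate.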