[ovs-dev,2/2] Add wrapper scripts for *ctl commands

Message ID 1470111621-6396-3-git-send-email-rmoats@us.ibm.com
State Superseded

Commit Message

Ryan Moats Aug. 2, 2016, 4:20 a.m. UTC
This commit creates wrapper scripts for the *ctl commands to use
--dry-run for those that have them, and to allow for log level
setting via ovs-appctl without allowing full access to ovs-appctl.
Tests have been added to make sure that the wrapper scripts
don't actually do anything when asked to perform a write operation.

Signed-off-by: Ryan Moats <rmoats@us.ibm.com>
---
 ovn/utilities/automake.mk |   8 ++-
 ovn/utilities/ovn-nbread  |   2 +
 ovn/utilities/ovn-sbread  |   2 +
 tests/ovn-nbctl.at        | 103 ++++++++++++++++++++++++++++++++
 tests/ovn-sbctl.at        |  46 +++++++++++++++
 tests/ovs-ofctl.at        |  33 +++++++++++
 tests/ovs-vsctl.at        |  90 ++++++++++++++++++++++++++++
 tests/vtep-ctl.at         | 145 ++++++++++++++++++++++++++++++++++++++++++++++
 utilities/automake.mk     |  10 +++-
 utilities/ovs-appsetlog   |  37 ++++++++++++
 utilities/ovs-dpread      |   2 +
 utilities/ovs-ofread      |   2 +
 utilities/ovs-vsread      |   2 +
 vtep/automake.mk          |   5 +-
 vtep/vtep-read            |   2 +
 15 files changed, 484 insertions(+), 5 deletions(-)
 create mode 100755 ovn/utilities/ovn-nbread
 create mode 100755 ovn/utilities/ovn-sbread
 create mode 100755 utilities/ovs-appsetlog
 create mode 100755 utilities/ovs-dpread
 create mode 100755 utilities/ovs-ofread
 create mode 100755 utilities/ovs-vsread
 create mode 100755 vtep/vtep-read

Comments

Russell Bryant Aug. 2, 2016, 11:56 a.m. UTC | #1
On Tue, Aug 2, 2016 at 12:20 AM, Ryan Moats <rmoats@us.ibm.com> wrote:

> This commit creates wrapper scripts for the *ctl commands to use
> --dry-run for those that have them, and to allow for log level
> setting via ovs-appctl without allowing full access to ovs-appctl.
> Tests have been added to make sure that the wrapper scripts
> don't actually do anything when asked to perform a write operation.
>
> Signed-off-by: Ryan Moats <rmoats@us.ibm.com>
>

What's the motivation for all the new "read" scripts?  It seems a bit
confusing to install all of these.  They're also not documented anywhere.
Russell Bryant Aug. 2, 2016, 12:11 p.m. UTC | #2
On Tue, Aug 2, 2016 at 7:56 AM, Russell Bryant <russell@ovn.org> wrote:

>
> On Tue, Aug 2, 2016 at 12:20 AM, Ryan Moats <rmoats@us.ibm.com> wrote:
>
>> This commit creates wrapper scripts for the *ctl commands to use
>> --dry-run for those that have them, and to allow for log level
>> setting via ovs-appctl without allowing full access to ovs-appctl.
>> Tests have been added to make sure that the wrapper scripts
>> don't actually do anything when asked to perform a write operation.
>>
>> Signed-off-by: Ryan Moats <rmoats@us.ibm.com>
>>
>
> What's the motivation for all the new "read" scripts?  It seems a bit
> confusing to install all of these.  They're also not documented anywhere.
>

I see the thread discussing this now.  I'm still not a big fan of
installing this for everyone...
Ryan Moats Aug. 2, 2016, 1:34 p.m. UTC | #3
Russell Bryant <russell@ovn.org> wrote on 08/02/2016 07:11:38 AM:

> From: Russell Bryant <russell@ovn.org>
> To: Ryan Moats/Omaha/IBM@IBMUS
> Cc: ovs dev <dev@openvswitch.org>
> Date: 08/02/2016 07:12 AM
> Subject: Re: [ovs-dev] [PATCH 2/2] Add wrapper scripts for *ctl commands
>
> On Tue, Aug 2, 2016 at 7:56 AM, Russell Bryant <russell@ovn.org> wrote:
>
> On Tue, Aug 2, 2016 at 12:20 AM, Ryan Moats <rmoats@us.ibm.com> wrote:
> This commit creates wrapper scripts for the *ctl commands to use
> --dry-run for those that have them, and to allow for log level
> setting via ovs-appctl without allowing full access to ovs-appctl.
> Tests have been added to make sure that the wrapper scripts
> don't actually do anything when asked to perform a write operation.
>
> Signed-off-by: Ryan Moats <rmoats@us.ibm.com>
>
> What's the motivation for all the new "read" scripts?  It seems a
> bit confusing to install all of these.  They're also not documented
> anywhere.
>
> I see the thread discussing this now.  I'm still not a big fan of
> installing this for everyone...

I admit that I need to respin with better documentation, but I
doubt that alone would make you a fan...
Ryan Moats Aug. 2, 2016, 1:37 p.m. UTC | #4
"dev" <dev-bounces@openvswitch.org> wrote on 08/02/2016 08:34:08 AM:

> From: Ryan Moats/Omaha/IBM@IBMUS
> To: Russell Bryant <russell@ovn.org>
> Cc: ovs dev <dev@openvswitch.org>
> Date: 08/02/2016 08:35 AM
> Subject: Re: [ovs-dev] [PATCH 2/2] Add wrapper scripts for *ctl commands
> Sent by: "dev" <dev-bounces@openvswitch.org>
>
>
>
> Russell Bryant <russell@ovn.org> wrote on 08/02/2016 07:11:38 AM:
>
> > From: Russell Bryant <russell@ovn.org>
> > To: Ryan Moats/Omaha/IBM@IBMUS
> > Cc: ovs dev <dev@openvswitch.org>
> > Date: 08/02/2016 07:12 AM
> > Subject: Re: [ovs-dev] [PATCH 2/2] Add wrapper scripts for *ctl commands
> >
> > On Tue, Aug 2, 2016 at 7:56 AM, Russell Bryant <russell@ovn.org> wrote:
> >
> > On Tue, Aug 2, 2016 at 12:20 AM, Ryan Moats <rmoats@us.ibm.com> wrote:
> > This commit creates wrapper scripts for the *ctl commands to use
> > --dry-run for those that have them, and to allow for log level
> > setting via ovs-appctl without allowing full access to ovs-appctl.
> > Tests have been added to make sure that the wrapper scripts
> > don't actually do anything when asked to perform a write operation.
> >
> > Signed-off-by: Ryan Moats <rmoats@us.ibm.com>
> >
> > What's the motivation for all the new "read" scripts?  It seems a
> > bit confusing to install all of these.  They're also not documented
> > anywhere.
> >
> > I see the thread discussing this now.  I'm still not a big fan of
> > installing this for everyone...
>
> I admit that I need to respin with better documentation, but I
> doubt that alone would make you a fan...

Meh, I hit send too soon. I should add that (as Mestery can tell you)
I'm not a real big fan of this either - it's a necessity...
Russell Bryant Aug. 2, 2016, 3:27 p.m. UTC | #5
On Tue, Aug 2, 2016 at 9:37 AM, Ryan Moats <rmoats@us.ibm.com> wrote:

> "dev" <dev-bounces@openvswitch.org> wrote on 08/02/2016 08:34:08 AM:
>
> > From: Ryan Moats/Omaha/IBM@IBMUS
> > To: Russell Bryant <russell@ovn.org>
> > Cc: ovs dev <dev@openvswitch.org>
> > Date: 08/02/2016 08:35 AM
> > Subject: Re: [ovs-dev] [PATCH 2/2] Add wrapper scripts for *ctl commands
> > Sent by: "dev" <dev-bounces@openvswitch.org>
> >
> >
> >
> > Russell Bryant <russell@ovn.org> wrote on 08/02/2016 07:11:38 AM:
> >
> > > From: Russell Bryant <russell@ovn.org>
> > > To: Ryan Moats/Omaha/IBM@IBMUS
> > > Cc: ovs dev <dev@openvswitch.org>
> > > Date: 08/02/2016 07:12 AM
> > > > Subject: Re: [ovs-dev] [PATCH 2/2] Add wrapper scripts for *ctl commands
> > > >
> > > > On Tue, Aug 2, 2016 at 7:56 AM, Russell Bryant <russell@ovn.org> wrote:
> > >
> > > On Tue, Aug 2, 2016 at 12:20 AM, Ryan Moats <rmoats@us.ibm.com> wrote:
> > > This commit creates wrapper scripts for the *ctl commands to use
> > > --dry-run for those that have them, and to allow for log level
> > > setting via ovs-appctl without allowing full access to ovs-appctl.
> > > Tests have been added to make sure that the wrapper scripts
> > > don't actually do anything when asked to perform a write operation.
> > >
> > > Signed-off-by: Ryan Moats <rmoats@us.ibm.com>
> > >
> > > What's the motivation for all the new "read" scripts?  It seems a
> > > > bit confusing to install all of these.  They're also not documented
> > > > anywhere.
> > >
> > > I see the thread discussing this now.  I'm still not a big fan of
> > > installing this for everyone...
> >
> > I admit that I need to respin with better documentation, but I
> > doubt that alone would make you a fan...
>

Right.

> Meh, I hit send too soon. I should add that (as Mestery can tell you)
> I'm not a real big fan of this either - it's a necessity...
>

The scripts seem small enough.  I'm sure you're having to do deployment
customization to ensure the scripts have the right access so your admins
can use those, but not the full commands.  Perhaps just include the scripts
in that customization as well?
Ryan Moats Aug. 2, 2016, 3:57 p.m. UTC | #6
Russell Bryant <russell@ovn.org> wrote on 08/02/2016 10:27:55 AM:

> From: Russell Bryant <russell@ovn.org>
> To: Ryan Moats/Omaha/IBM@IBMUS
> Cc: ovs dev <dev@openvswitch.org>
> Date: 08/02/2016 10:28 AM
> Subject: Re: [ovs-dev] [PATCH 2/2] Add wrapper scripts for *ctl commands
>
> On Tue, Aug 2, 2016 at 9:37 AM, Ryan Moats <rmoats@us.ibm.com> wrote:
> "dev" <dev-bounces@openvswitch.org> wrote on 08/02/2016 08:34:08 AM:
>
> > From: Ryan Moats/Omaha/IBM@IBMUS
> > To: Russell Bryant <russell@ovn.org>
> > Cc: ovs dev <dev@openvswitch.org>
> > Date: 08/02/2016 08:35 AM
> > Subject: Re: [ovs-dev] [PATCH 2/2] Add wrapper scripts for *ctl commands
> > Sent by: "dev" <dev-bounces@openvswitch.org>
> >
> >
> >
> > Russell Bryant <russell@ovn.org> wrote on 08/02/2016 07:11:38 AM:
> >
> > > From: Russell Bryant <russell@ovn.org>
> > > To: Ryan Moats/Omaha/IBM@IBMUS
> > > Cc: ovs dev <dev@openvswitch.org>
> > > Date: 08/02/2016 07:12 AM
> > > Subject: Re: [ovs-dev] [PATCH 2/2] Add wrapper scripts for *ctl commands
> > >
> > > On Tue, Aug 2, 2016 at 7:56 AM, Russell Bryant <russell@ovn.org> wrote:
> > >
> > > On Tue, Aug 2, 2016 at 12:20 AM, Ryan Moats <rmoats@us.ibm.com> wrote:
> > > This commit creates wrapper scripts for the *ctl commands to use
> > > --dry-run for those that have them, and to allow for log level
> > > setting via ovs-appctl without allowing full access to ovs-appctl.
> > > Tests have been added to make sure that the wrapper scripts
> > > don't actually do anything when asked to perform a write operation.
> > >
> > > Signed-off-by: Ryan Moats <rmoats@us.ibm.com>
> > >
> > > What's the motivation for all the new "read" scripts?  It seems a
> > > bit confusing to install all of these.  They're also not documented
> > > anywhere.
> > >
> > > I see the thread discussing this now.  I'm still not a big fan of
> > > installing this for everyone...
> >
> > I admit that I need to respin with better documentation, but I
> > doubt that alone would make you a fan...
>
> Right.
> Meh, I hit send too soon. I should add that (as Mestery can tell you)
> I'm not a real big fan of this either - it's a necessity...
>
> The scripts seem small enough.  I'm sure you're having to do
> deployment customization to ensure the scripts have the right access
> so your admins can use those, but not the full commands.  Perhaps
> just include the scripts in that customization as well?

Actually, we are trying to avoid that type of customization wherever
possible, which is why the patch was submitted upstream.  If it gets
rejected, well *then* we'll carry it locally.
Ben Pfaff Aug. 2, 2016, 4:03 p.m. UTC | #7
On Tue, Aug 02, 2016 at 07:56:27AM -0400, Russell Bryant wrote:
> On Tue, Aug 2, 2016 at 12:20 AM, Ryan Moats <rmoats@us.ibm.com> wrote:
> 
> > This commit creates wrapper scripts for the *ctl commands to use
> > --dry-run for those that have them, and to allow for log level
> > setting via ovs-appctl without allowing full access to ovs-appctl.
> > Tests have been added to make sure that the wrapper scripts
> > don't actually do anything when asked to perform a write operation.
> >
> > Signed-off-by: Ryan Moats <rmoats@us.ibm.com>
> >
> 
> What's the motivation for all the new "read" scripts?  It seems a bit
> confusing to install all of these.  They're also not documented anywhere.

My assumption had been that we'd put the options into the tree and then
that the one-liner redirection scripts would be an IBM customization.
After all, they need to customize somehow anyway to hide the read/write
versions in some off-$PATH place.
Ryan Moats Aug. 2, 2016, 4:10 p.m. UTC | #8
Ben Pfaff <blp@ovn.org> wrote on 08/02/2016 11:03:52 AM:

> From: Ben Pfaff <blp@ovn.org>
> To: Russell Bryant <russell@ovn.org>
> Cc: Ryan Moats/Omaha/IBM@IBMUS, ovs dev <dev@openvswitch.org>
> Date: 08/02/2016 11:04 AM
> Subject: Re: [ovs-dev] [PATCH 2/2] Add wrapper scripts for *ctl commands
>
> On Tue, Aug 02, 2016 at 07:56:27AM -0400, Russell Bryant wrote:
> > On Tue, Aug 2, 2016 at 12:20 AM, Ryan Moats <rmoats@us.ibm.com> wrote:
> >
> > > This commit creates wrapper scripts for the *ctl commands to use
> > > --dry-run for those that have them, and to allow for log level
> > > setting via ovs-appctl without allowing full access to ovs-appctl.
> > > Tests have been added to make sure that the wrapper scripts
> > > don't actually do anything when asked to perform a write operation.
> > >
> > > Signed-off-by: Ryan Moats <rmoats@us.ibm.com>
> > >
> >
> > What's the motivation for all the new "read" scripts?  It seems a bit
> > confusing to install all of these.  They're also not documented
> > anywhere.
>
> My assumption had been that we'd put the options into the tree and then
> that the one-liner redirection scripts would be an IBM customization.
> After all, they need to customize somehow anyway to hide the read/write
> versions in some off-$PATH place.

Something like that... (mumble mumble sudo mumble mumble)
Russell Bryant Aug. 2, 2016, 5 p.m. UTC | #9
On Tue, Aug 2, 2016 at 12:03 PM, Ben Pfaff <blp@ovn.org> wrote:

> On Tue, Aug 02, 2016 at 07:56:27AM -0400, Russell Bryant wrote:
> > On Tue, Aug 2, 2016 at 12:20 AM, Ryan Moats <rmoats@us.ibm.com> wrote:
> >
> > > This commit creates wrapper scripts for the *ctl commands to use
> > > --dry-run for those that have them, and to allow for log level
> > > setting via ovs-appctl without allowing full access to ovs-appctl.
> > > Tests have been added to make sure that the wrapper scripts
> > > don't actually do anything when asked to perform a write operation.
> > >
> > > Signed-off-by: Ryan Moats <rmoats@us.ibm.com>
> > >
> >
> > What's the motivation for all the new "read" scripts?  It seems a bit
> > confusing to install all of these.  They're also not documented anywhere.
>
> My assumption had been that we'd put the options into the tree and then
> that the one-liner redirection scripts would be an IBM customization.
> After all, they need to customize somehow anyway to hide the read/write
> versions in some off-$PATH place.
>

+1 to this approach.
Ryan Moats Aug. 2, 2016, 5:13 p.m. UTC | #10
Russell Bryant <russell@ovn.org> wrote on 08/02/2016 12:00:08 PM:

> From: Russell Bryant <russell@ovn.org>
> To: Ben Pfaff <blp@ovn.org>
> Cc: Ryan Moats/Omaha/IBM@IBMUS, ovs dev <dev@openvswitch.org>
> Date: 08/02/2016 12:00 PM
> Subject: Re: [ovs-dev] [PATCH 2/2] Add wrapper scripts for *ctl commands
>
> On Tue, Aug 2, 2016 at 12:03 PM, Ben Pfaff <blp@ovn.org> wrote:
> On Tue, Aug 02, 2016 at 07:56:27AM -0400, Russell Bryant wrote:
> > On Tue, Aug 2, 2016 at 12:20 AM, Ryan Moats <rmoats@us.ibm.com> wrote:
> >
> > > This commit creates wrapper scripts for the *ctl commands to use
> > > --dry-run for those that have them, and to allow for log level
> > > setting via ovs-appctl without allowing full access to ovs-appctl.
> > > Tests have been added to make sure that the wrapper scripts
> > > don't actually do anything when asked to perform a write operation.
> > >
> > > Signed-off-by: Ryan Moats <rmoats@us.ibm.com>
> > >
> >
> > What's the motivation for all the new "read" scripts?  It seems a bit
> > confusing to install all of these.  They're also not documented
> > anywhere.
>
> My assumption had been that we'd put the options into the tree and then
> that the one-liner redirection scripts would be an IBM customization.
> After all, they need to customize somehow anyway to hide the read/write
> versions in some off-$PATH place.
>
> +1 to this approach.
>
> --
> Russell Bryant

Obviously, I think this is somewhat short-sighted (or I wouldn't have
proposed the patch)...

How about if we were to spin a new repo openvswitch/operator-tools (like
openvswitch/ovn-scale-test) and put things like this *there*?

Ryan
Kyle Mestery Aug. 2, 2016, 5:16 p.m. UTC | #11
On Tue, Aug 2, 2016 at 12:13 PM, Ryan Moats <rmoats@us.ibm.com> wrote:
>
> Russell Bryant <russell@ovn.org> wrote on 08/02/2016 12:00:08 PM:
>
>> From: Russell Bryant <russell@ovn.org>
>> To: Ben Pfaff <blp@ovn.org>
>> Cc: Ryan Moats/Omaha/IBM@IBMUS, ovs dev <dev@openvswitch.org>
>> Date: 08/02/2016 12:00 PM
>> Subject: Re: [ovs-dev] [PATCH 2/2] Add wrapper scripts for *ctl commands
>>
>> On Tue, Aug 2, 2016 at 12:03 PM, Ben Pfaff <blp@ovn.org> wrote:
>> On Tue, Aug 02, 2016 at 07:56:27AM -0400, Russell Bryant wrote:
>> > On Tue, Aug 2, 2016 at 12:20 AM, Ryan Moats <rmoats@us.ibm.com> wrote:
>> >
>> > > This commit creates wrapper scripts for the *ctl commands to use
>> > > --dry-run for those that have them, and to allow for log level
>> > > setting via ovs-appctl without allowing full access to ovs-appctl.
>> > > Tests have been added to make sure that the wrapper scripts
>> > > don't actually do anything when asked to perform a write operation.
>> > >
>> > > Signed-off-by: Ryan Moats <rmoats@us.ibm.com>
>> > >
>> >
>> > What's the motivation for all the new "read" scripts?  It seems a bit
>> > confusing to install all of these.  They're also not documented
>> > anywhere.
>>
>> My assumption had been that we'd put the options into the tree and then
>> that the one-liner redirection scripts would be an IBM customization.
>> After all, they need to customize somehow anyway to hide the read/write
>> versions in some off-$PATH place.
>>
>> +1 to this approach.
>>
>> --
>> Russell Bryant
>
> Obviously, I think this is somewhat short-sighted (or I wouldn't have
> proposed
> the patch)...
>
> How about if we were to spin a new repo openvswitch/operator-tools (like
> openvswitch/ovn-scale-test)
> and put things like this *there*?
>
I'd be in favor of this approach, because I think having tools like
this for cloud operators would be a good thing to share. And as one of
the main users/committers into ovn-scale-test, I can also attest to
how nice it is to have the shared github to work on so.

So I'm +1 to this new repository idea.

> Ryan
>
Ben Pfaff Aug. 2, 2016, 5:45 p.m. UTC | #12
On Tue, Aug 02, 2016 at 12:13:13PM -0500, Ryan Moats wrote:
> 
> Russell Bryant <russell@ovn.org> wrote on 08/02/2016 12:00:08 PM:
> 
> > From: Russell Bryant <russell@ovn.org>
> > To: Ben Pfaff <blp@ovn.org>
> > Cc: Ryan Moats/Omaha/IBM@IBMUS, ovs dev <dev@openvswitch.org>
> > Date: 08/02/2016 12:00 PM
> > Subject: Re: [ovs-dev] [PATCH 2/2] Add wrapper scripts for *ctl commands
> >
> > On Tue, Aug 2, 2016 at 12:03 PM, Ben Pfaff <blp@ovn.org> wrote:
> > On Tue, Aug 02, 2016 at 07:56:27AM -0400, Russell Bryant wrote:
> > > On Tue, Aug 2, 2016 at 12:20 AM, Ryan Moats <rmoats@us.ibm.com> wrote:
> > >
> > > > This commit creates wrapper scripts for the *ctl commands to use
> > > > --dry-run for those that have them, and to allow for log level
> > > > setting via ovs-appctl without allowing full access to ovs-appctl.
> > > > Tests have been added to make sure that the wrapper scripts
> > > > don't actually do anything when asked to perform a write operation.
> > > >
> > > > Signed-off-by: Ryan Moats <rmoats@us.ibm.com>
> > > >
> > >
> > > What's the motivation for all the new "read" scripts?  It seems a bit
> > > confusing to install all of these.  They're also not documented
> > > anywhere.
> >
> > My assumption had been that we'd put the options into the tree and then
> > that the one-liner redirection scripts would be an IBM customization.
> > After all, they need to customize somehow anyway to hide the read/write
> > versions in some off-$PATH place.
> >
> > +1 to this approach.
> >
> > --
> > Russell Bryant
> 
> Obviously, I think this is somewhat short-sighted (or I wouldn't have
> proposed
> the patch)...

Everyone seems to be jumping to conclusions here really fast.  Let's try
to get it right rather than just doing something.

Can we discuss how you will hide the r/w versions?  And how you give
access to those versions to the software that really needs it?  For
example, libvirt might call into ovs-vsctl to add ports (unless it has
direct OVSDB bindings--I doubt it), and XenServer definitely does, so if
they're not working and in $PATH then they'll break.
Ryan Moats Aug. 2, 2016, 5:59 p.m. UTC | #13
Ben Pfaff <blp@ovn.org> wrote on 08/02/2016 12:45:49 PM:

> From: Ben Pfaff <blp@ovn.org>
> To: Ryan Moats/Omaha/IBM@IBMUS
> Cc: Russell Bryant <russell@ovn.org>, ovs dev <dev@openvswitch.org>
> Date: 08/02/2016 12:46 PM
> Subject: Re: [ovs-dev] [PATCH 2/2] Add wrapper scripts for *ctl commands
>
> On Tue, Aug 02, 2016 at 12:13:13PM -0500, Ryan Moats wrote:
> >
> > Russell Bryant <russell@ovn.org> wrote on 08/02/2016 12:00:08 PM:
> >
> > > From: Russell Bryant <russell@ovn.org>
> > > To: Ben Pfaff <blp@ovn.org>
> > > Cc: Ryan Moats/Omaha/IBM@IBMUS, ovs dev <dev@openvswitch.org>
> > > Date: 08/02/2016 12:00 PM
> > > Subject: Re: [ovs-dev] [PATCH 2/2] Add wrapper scripts for *ctl commands
> > >
> > > On Tue, Aug 2, 2016 at 12:03 PM, Ben Pfaff <blp@ovn.org> wrote:
> > > On Tue, Aug 02, 2016 at 07:56:27AM -0400, Russell Bryant wrote:
> > > > On Tue, Aug 2, 2016 at 12:20 AM, Ryan Moats <rmoats@us.ibm.com> wrote:
> > > >
> > > > > This commit creates wrapper scripts for the *ctl commands to use
> > > > > --dry-run for those that have them, and to allow for log level
> > > > > setting via ovs-appctl without allowing full access to ovs-appctl.
> > > > > Tests have been added to make sure that the wrapper scripts
> > > > > don't actually do anything when asked to perform a write operation.
> > > > >
> > > > > Signed-off-by: Ryan Moats <rmoats@us.ibm.com>
> > > > >
> > > >
> > > > What's the motivation for all the new "read" scripts?  It seems a bit
> > > > confusing to install all of these.  They're also not documented
> > > > anywhere.
> > >
> > > My assumption had been that we'd put the options into the tree and then
> > > that the one-liner redirection scripts would be an IBM customization.
> > > After all, they need to customize somehow anyway to hide the read/write
> > > versions in some off-$PATH place.
> > >
> > > +1 to this approach.
> > >
> > > --
> > > Russell Bryant
> >
> > Obviously, I think this is somewhat short-sighted (or I wouldn't have
> > proposed
> > the patch)...
>
> Everyone seems to be jumping to conclusions here really fast.  Let's try
> to get it right rather than just doing something.
>
> Can we discuss how you will hide the r/w versions?  And how you give
> access to those versions to the software that really needs it?  For
> example, libvirt might call into ovs-vsctl to add ports (unless it has
> direct OVSDB bindings--I doubt it), and XenServer definitely does, so if
> they're not working and in $PATH then they'll break.

That was what I was alluding to in my "mumble mumble sudo mumble mumble"
comment a few posts back...

The current plan is *not* to hide the *ctl commands off PATH, but to
set up things so that the sockets require privileged access and then to
only allow privileged access from a terminal shell to the RO versions via sudo.
Ben Pfaff Aug. 2, 2016, 6:09 p.m. UTC | #14
On Tue, Aug 02, 2016 at 12:59:42PM -0500, Ryan Moats wrote:
> 
> Ben Pfaff <blp@ovn.org> wrote on 08/02/2016 12:45:49 PM:
> 
> > From: Ben Pfaff <blp@ovn.org>
> > To: Ryan Moats/Omaha/IBM@IBMUS
> > Cc: Russell Bryant <russell@ovn.org>, ovs dev <dev@openvswitch.org>
> > Date: 08/02/2016 12:46 PM
> > Subject: Re: [ovs-dev] [PATCH 2/2] Add wrapper scripts for *ctl commands
> >
> > On Tue, Aug 02, 2016 at 12:13:13PM -0500, Ryan Moats wrote:
> > >
> > > Russell Bryant <russell@ovn.org> wrote on 08/02/2016 12:00:08 PM:
> > >
> > > > From: Russell Bryant <russell@ovn.org>
> > > > To: Ben Pfaff <blp@ovn.org>
> > > > Cc: Ryan Moats/Omaha/IBM@IBMUS, ovs dev <dev@openvswitch.org>
> > > > Date: 08/02/2016 12:00 PM
> > > > Subject: Re: [ovs-dev] [PATCH 2/2] Add wrapper scripts for *ctl commands
> > > >
> > > > On Tue, Aug 2, 2016 at 12:03 PM, Ben Pfaff <blp@ovn.org> wrote:
> > > > On Tue, Aug 02, 2016 at 07:56:27AM -0400, Russell Bryant wrote:
> > > > > On Tue, Aug 2, 2016 at 12:20 AM, Ryan Moats <rmoats@us.ibm.com> wrote:
> > > > >
> > > > > > This commit creates wrapper scripts for the *ctl commands to use
> > > > > > --dry-run for those that have them, and to allow for log level
> > > > > > setting via ovs-appctl without allowing full access to ovs-appctl.
> > > > > > Tests have been added to make sure that the wrapper scripts
> > > > > > don't actually do anything when asked to perform a write operation.
> > > > > >
> > > > > > Signed-off-by: Ryan Moats <rmoats@us.ibm.com>
> > > > > >
> > > > >
> > > > > What's the motivation for all the new "read" scripts?  It seems a bit
> > > > > confusing to install all of these.  They're also not documented
> > > > > anywhere.
> > > >
> > > > My assumption had been that we'd put the options into the tree and then
> > > > that the one-liner redirection scripts would be an IBM customization.
> > > > After all, they need to customize somehow anyway to hide the read/write
> > > > versions in some off-$PATH place.
> > > >
> > > > +1 to this approach.
> > > >
> > > > --
> > > > Russell Bryant
> > >
> > > Obviously, I think this is somewhat short-sighted (or I wouldn't have
> > > proposed
> > > the patch)...
> >
> > Everyone seems to be jumping to conclusions here really fast.  Let's try
> > to get it right rather than just doing something.
> >
> > Can we discuss how you will hide the r/w versions?  And how you give
> > access to those versions to the software that really needs it?  For
> > example, libvirt might call into ovs-vsctl to add ports (unless it has
> > direct OVSDB bindings--I doubt it), and XenServer definitely does, so if
> > they're not working and in $PATH then they'll break.
> 
> That was what I was alluding to in my "mumble mumble sudo mumble mumble"
> comment a few posts back...
> 
> The current plan is *not* to hide the *ctl commands off PATH, but to
> set up things so that the sockets require privileged access and then to
> only
> allow privileged access from a terminal shell to the RO versions via sudo.

OK.  That's reasonable.
Russell Bryant Aug. 3, 2016, 12:35 p.m. UTC | #15
On Tue, Aug 2, 2016 at 1:16 PM, Kyle Mestery <mestery@mestery.com> wrote:

> On Tue, Aug 2, 2016 at 12:13 PM, Ryan Moats <rmoats@us.ibm.com> wrote:
> >
> > Russell Bryant <russell@ovn.org> wrote on 08/02/2016 12:00:08 PM:
> >
> >> From: Russell Bryant <russell@ovn.org>
> >> To: Ben Pfaff <blp@ovn.org>
> >> Cc: Ryan Moats/Omaha/IBM@IBMUS, ovs dev <dev@openvswitch.org>
> >> Date: 08/02/2016 12:00 PM
> >> Subject: Re: [ovs-dev] [PATCH 2/2] Add wrapper scripts for *ctl commands
> >>
> >> On Tue, Aug 2, 2016 at 12:03 PM, Ben Pfaff <blp@ovn.org> wrote:
> >> On Tue, Aug 02, 2016 at 07:56:27AM -0400, Russell Bryant wrote:
> >> > On Tue, Aug 2, 2016 at 12:20 AM, Ryan Moats <rmoats@us.ibm.com> wrote:
> >> >
> >> > > This commit creates wrapper scripts for the *ctl commands to use
> >> > > --dry-run for those that have them, and to allow for log level
> >> > > setting via ovs-appctl without allowing full access to ovs-appctl.
> >> > > Tests have been added to make sure that the wrapper scripts
> >> > > don't actually do anything when asked to perform a write operation.
> >> > >
> >> > > Signed-off-by: Ryan Moats <rmoats@us.ibm.com>
> >> > >
> >> >
> >> > What's the motivation for all the new "read" scripts?  It seems a bit
> >> > confusing to install all of these.  They're also not documented
> >> > anywhere.
> >>
> >> My assumption had been that we'd put the options into the tree and then
> >> that the one-liner redirection scripts would be an IBM customization.
> >> After all, they need to customize somehow anyway to hide the read/write
> >> versions in some off-$PATH place.
> >>
> >> +1 to this approach.
> >>
> >> --
> >> Russell Bryant
> >
> > Obviously, I think this is somewhat short-sighted (or I wouldn't have
> > proposed
> > the patch)...
> >
> > How about if we were to spin a new repo openvswitch/operator-tools (like
> > openvswitch/ovn-scale-test)
> > and put things like this *there*?
> >
> I'd be in favor of this approach, because I think having tools like
> this for cloud operators would be a good thing to share. And as one of
> the main users/committers into ovn-scale-test, I can also attest to
> how nice it is to have the shared github to work on so.
>
> So I'm +1 to this new repository idea.
>

There are lots of things in the ovs repo that could be considered operator
tools, but I don't think moving them is really needed.  The issue here is
whether this is more IBM specific or general purpose.

Maybe create the new repo in a personal space somewhere and we see what
builds up there to see if it makes sense to move it to openvswitch/?  I
don't think just these one liner scripts really justify it, yet.
Kyle Mestery Aug. 3, 2016, 3:45 p.m. UTC | #16
On Wed, Aug 3, 2016 at 7:35 AM, Russell Bryant <russell@ovn.org> wrote:
>
> On Tue, Aug 2, 2016 at 1:16 PM, Kyle Mestery <mestery@mestery.com> wrote:
>>
>> On Tue, Aug 2, 2016 at 12:13 PM, Ryan Moats <rmoats@us.ibm.com> wrote:
>> >
>> > Russell Bryant <russell@ovn.org> wrote on 08/02/2016 12:00:08 PM:
>> >
>> >> From: Russell Bryant <russell@ovn.org>
>> >> To: Ben Pfaff <blp@ovn.org>
>> >> Cc: Ryan Moats/Omaha/IBM@IBMUS, ovs dev <dev@openvswitch.org>
>> >> Date: 08/02/2016 12:00 PM
>> >> Subject: Re: [ovs-dev] [PATCH 2/2] Add wrapper scripts for *ctl
>> >> commands
>> >>
>> >> On Tue, Aug 2, 2016 at 12:03 PM, Ben Pfaff <blp@ovn.org> wrote:
>> >> On Tue, Aug 02, 2016 at 07:56:27AM -0400, Russell Bryant wrote:
>> >> > On Tue, Aug 2, 2016 at 12:20 AM, Ryan Moats <rmoats@us.ibm.com>
>> >> > wrote:
>> >> >
>> >> > > This commit creates wrapper scripts for the *ctl commands to use
>> >> > > --dry-run for those that have them, and to allow for log level
>> >> > > setting via ovs-appctl without allowing full access to ovs-appctl.
>> >> > > Tests have been added to make sure that the wrapper scripts
>> >> > > don't actually do anything when asked to perform a write operation.
>> >> > >
>> >> > > Signed-off-by: Ryan Moats <rmoats@us.ibm.com>
>> >> > >
>> >> >
>> >> > What's the motivation for all the new "read" scripts?  It seems a bit
>> >> > confusing to install all of these.  They're also not documented
>> >> > anywhere.
>> >>
>> >> My assumption had been that we'd put the options into the tree and then
>> >> that the one-liner redirection scripts would be an IBM customization.
>> >> After all, they need to customize somehow anyway to hide the read/write
>> >> versions in some off-$PATH place.
>> >>
>> >> +1 to this approach.
>> >>
>> >> --
>> >> Russell Bryant
>> >
>> > Obviously, I think this is somewhat short-sighted (or I wouldn't have
>> > proposed
>> > the patch)...
>> >
>> > How about if we were to spin a new repo openvswitch/operator-tools (like
>> > openvswitch/ovn-scale-test)
>> > and put things like this *there*?
>> >
>> I'd be in favor of this approach, because I think having tools like
>> this for cloud operators would be a good thing to share. And as one of
>> the main users/committers into ovn-scale-test, I can also attest to
>> how nice it is to have the shared github to work on so.
>>
>> So I'm +1 to this new repository idea.
>
>
> There are lots of things in the ovs repo that could be considered operator
> tools, but I don't think moving them is really needed.  The issue here is
> whether this is more IBM specific or general purpose.
>
> Maybe create the new repo in a personal space somewhere and we see what
> builds up there to see if it makes sense to move it to openvswitch/?  I
> don't think just these one liner scripts really justify it, yet.
>

This is fair, and that's what we've done for now.

> --
> Russell Bryant

Patch

diff --git a/ovn/utilities/automake.mk b/ovn/utilities/automake.mk
index d84368c..c78a07f 100644
--- a/ovn/utilities/automake.mk
+++ b/ovn/utilities/automake.mk
@@ -1,5 +1,7 @@ 
 scripts_SCRIPTS += \
-    ovn/utilities/ovn-ctl
+    ovn/utilities/ovn-ctl \
+    ovn/utilities/ovn-nbread \
+    ovn/utilities/ovn-sbread
 
 man_MANS += \
     ovn/utilities/ovn-ctl.8 \
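Review bot: ovn-nbread and ovn-sbread are added to scripts_SCRIPTS here, while the equivalent wrappers under utilities/ go into bin_SCRIPTS, so the OVN wrappers are installed to a different directory from ovs-vsread and friends. If operators are meant to run all of the read wrappers from $PATH, install them the same way, and add a man_MANS entry or at least a short doc so the new commands are documented.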
@@ -18,7 +20,9 @@  EXTRA_DIST += \
     ovn/utilities/ovn-ctl.8.xml \
     ovn/utilities/ovn-docker-overlay-driver \
     ovn/utilities/ovn-docker-underlay-driver \
-    ovn/utilities/ovn-nbctl.8.xml
+    ovn/utilities/ovn-nbctl.8.xml \
+    ovn/utilities/ovn-nbread \
+    ovn/utilities/ovn-sbread
 
 DISTCLEANFILES += \
     ovn/utilities/ovn-ctl.8 \
diff --git a/ovn/utilities/ovn-nbread b/ovn/utilities/ovn-nbread
new file mode 100755
index 0000000..27c9b71
--- /dev/null
+++ b/ovn/utilities/ovn-nbread
@@ -0,0 +1,2 @@ 
+#! /bin/sh
+exec ovn-nbctl --dry-run "$@"
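Review bot: the exec line resolves ovn-nbctl through $PATH, which works against the deployment model discussed in this thread. If the read/write tools are moved off $PATH the wrapper stops working, and if they stay on $PATH the wrapper restricts nothing because the caller can run ovn-nbctl directly. Consider generating the wrapper from a .in template with the absolute install path of ovn-nbctl substituted at build time, as is done for the other *.in scripts. The same applies to the other one-line wrappers in this patch.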
diff --git a/ovn/utilities/ovn-sbread b/ovn/utilities/ovn-sbread
new file mode 100755
index 0000000..d5c3f44
--- /dev/null
+++ b/ovn/utilities/ovn-sbread
@@ -0,0 +1,2 @@ 
+#! /bin/sh
+exec ovn-sbctl --dry-run "$@"
diff --git a/tests/ovn-nbctl.at b/tests/ovn-nbctl.at
index 5357ced..615e0fc 100644
--- a/tests/ovn-nbctl.at
+++ b/tests/ovn-nbctl.at
@@ -485,3 +485,106 @@  IPv6 Routes
 
 OVN_NBCTL_TEST_STOP
 AT_CLEANUP
+
+dnl ---------------------------------------------------------------------
+
+AT_SETUP([ovn-nbread - negative tests])
+OVN_NBCTL_TEST_START
+ovn-nbctl ls-add base
+ovn-nbctl ls-list > expout
+ovn-nbread init
+AT_CHECK([ovn-nbread ls-list], [0], [expout])
+ovn-nbread ls-add canary
+AT_CHECK([ovn-nbread ls-list], [0], [expout])
+ovn-nbread ls-del base
+AT_CHECK([ovn-nbread ls-list], [0], [expout])
+
+ovn-nbread acl-add base to-lport 100 1 allow
+AT_CHECK([ovn-nbread acl-list base], [0], [])
+ovn-nbread acl-del base
+AT_CHECK([ovn-nbread acl-list base], [0], [])
+
+ovn-nbctl lsp-add base base-port
+ovn-nbctl lsp-list base > expout
+ovn-nbread lsp-add base canary
+AT_CHECK([ovn-nbread lsp-list base], [0], [expout])
+ovn-nbread lsp-del base-port
+AT_CHECK([ovn-nbread lsp-list base], [0], [expout])
+
+ovn-nbread lsp-get-addresses base-port > expout
+ovn-nbread lsp-set-addresses base-port "01:23:45:67:89:ab"
+AT_CHECK([ovn-nbread lsp-get-addresses base-port], [0], [expout])
+
+ovn-nbread lsp-get-port-security base-port > expout
+ovn-nbread lsp-set-port-security base-port "01:23:45:67:89:ab"
+AT_CHECK([ovn-nbread lsp-get-port-security base-port], [0], [expout])
+
+ovn-nbctl lsp-set-enabled base-port disabled
+ovn-nbread lsp-set-enabled base-port enabled
+AT_CHECK([ovn-nbctl lsp-get-enabled base-port], [0], [disabled
+])
+ovn-nbctl lsp-set-type base-port patch
+ovn-nbread lsp-set-type base-port gateway
+AT_CHECK([ovn-nbread lsp-get-type base-port], [0], [patch
+])
+ovn-nbread lsp-get-options base-port > expout
+ovn-nbread lsp-set-options base-port key=value
+AT_CHECK([ovn-nbread lsp-get-options base-port], [0], [expout])
+
+ovn-nbread lsp-get-dhcpv4-options base-port > expout
+ovn-nbread lsp-set-dhcpv4-options base-port 00000000-0000-0000-0000-000000001234
+AT_CHECK([ovn-nbread lsp-get-dhcpv4-options base-port], [0], [expout])
+
+ovn-nbctl lr-add baserouter
+ovn-nbctl lr-list > expout
+ovn-nbread lr-add canary
+AT_CHECK([ovn-nbctl lr-list], [0], [expout])
+ovn-nbread lr-del baserouter
+AT_CHECK([ovn-nbctl lr-list], [0], [expout])
+
+ovn-nbctl lrp-add baserouter brp 01:23:45:67:89:EF 1.1.1.2
+ovn-nbctl lrp-list baserouter > expout
+ovn-nbread lrp-add baserouter canary 12:34:56:78:90:AB 1.1.1.1
+AT_CHECK([ovn-nbread lrp-list baserouter], [0], [expout])
+ovn-nbread lrp-del brp
+AT_CHECK([ovn-nbread lrp-list baserouter], [0], [expout])
+
+ovn-nbctl lrp-set-enabled brp disabled
+ovn-nbread lrp-set-enabled brp enabled
+AT_CHECK([ovn-nbread lrp-get-enabled brp], [0], [disabled
+])
+
+ovn-nbctl lr-route-add baserouter 1.1.1.0/24 1.1.2.1
+ovn-nbread lr-route-list baserouter > expout
+ovn-nbread lr-route-add baserouter 2.2.2.0/24 1.1.2.2
+AT_CHECK([ovn-nbread lr-route-list baserouter], [0], [expout])
+ovn-nbread lr-route-del baserouter 1.1.1.0/24
+AT_CHECK([ovn-nbread lr-route-list baserouter], [0], [expout])
+
+ovn-nbctl  dhcp-options-create 3.3.3.0/24
+ovn-nbread dhcp-options-list > expout
+ovn-nbread dhcp-options-create 4.4.4.0/24
+AT_CHECK([ovn-nbread dhcp-options-list], [0], [expout])
+ovn-nbread dhcp-options-del `ovn-nbread dhcp-options-list`
+AT_CHECK([ovn-nbread dhcp-options-list], [0], [expout])
+ovn-nbread dhcp-options-set-options `ovn-nbread dhcp-options-list` key=value
+AT_CHECK([ovn-nbread dhcp-options-get-options `ovn-nbread dhcp-options-list`], [0], [])
+
+ovn-nbread list Logical_Switch > expout
+ovn-nbread add Logical_Switch base external_ids ovn-bridge-mappings="test"
+AT_CHECK([ovn-nbread list Logical_Switch], [0], [expout])
+ovn-nbread set Logical_Switch base external_ids='ovn-bridge-mappings="test"'
+AT_CHECK([ovn-nbread list Logical_Switch], [0], [expout])
+ovn-nbctl add Logical_Switch base external_ids ovn-bridge-mappings="test"
+ovn-nbread list Logical_Switch > expout
+ovn-nbread remove Logical_Switch base external_ids ovn-bridge-mappings="test"
+AT_CHECK([ovn-nbread list Logical_Switch], [0], [expout])
+ovn-nbread clear Logical_Switch base external_ids
+AT_CHECK([ovn-nbread list Logical_Switch], [0], [expout])
+ovn-nbread create Logical_Switch name=canary
+AT_CHECK([ovn-nbread list Logical_Switch], [0], [expout])
+ovn-nbread destroy Logical_Switch base
+AT_CHECK([ovn-nbread list Logical_Switch], [0], [expout])
+
+OVN_NBCTL_TEST_STOP
+AT_CLEANUP
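Review bot: the write attempts (for example ovn-nbread ls-add canary and ovn-nbread lsp-set-type base-port gateway) run as bare shell lines, so their exit status and stderr are never checked. A write that fails for an unrelated reason, such as a rejected argument, leaves the database unchanged and the test still passes. Wrap each attempt in AT_CHECK with the expected status so the test proves the command was accepted and then not committed. The read-backs are also inconsistent: the lr-add/lr-del checks read through ovn-nbctl while the rest read through ovn-nbread. Reading back through ovn-nbctl throughout would keep the verification independent of the wrapper under test.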
diff --git a/tests/ovn-sbctl.at b/tests/ovn-sbctl.at
index 72dc441..89cc6a8 100644
--- a/tests/ovn-sbctl.at
+++ b/tests/ovn-sbctl.at
@@ -141,3 +141,49 @@  options             : {vtep_logical_switch="l0", vtep_physical_switch="p0"}
 
 OVN_SBCTL_TEST_STOP
 AT_CLEANUP
+
+dnl ---------------------------------------------------------------------
+
+AT_SETUP([ovn-sbread - negative tests])
+OVN_SBCTL_TEST_START
+
+ovn-sbctl chassis-add base geneve 10.10.10.10
+ovn-sbread list Chassis > expout
+ovn-sbread init
+AT_CHECK([ovn-sbread list Chassis], [0], [expout])
+ovn-sbread chassis-add canary geneve 20.20.20.20
+AT_CHECK([ovn-sbread list Chassis], [0], [expout])
+ovn-sbread chassis-del base
+AT_CHECK([ovn-sbread list Chassis], [0], [expout])
+
+AT_CHECK([ovn-nbctl ls-add br-test])
+AT_CHECK([ovn-nbctl lsp-add br-test vif0])
+ovn-sbread list Port_Binding > expout
+ovn-sbread lsp-bind vif0 base
+AT_CHECK([ovn-sbread list Port_Binding], [0], [expout])
+
+ovn-sbctl lsp-bind vif0 base
+ovn-sbread list Port_Binding > expout
+ovn-sbread lsp-unbind vif0
+AT_CHECK([ovn-sbread list Port_Binding], [0], [expout])
+
+ovn-sbctl add Chassis base external_ids ovn-bridge-mappings="test"
+
+ovn-sbread list Chassis > expout
+ovn-sbread add Chassis base external_ids ovn-bridge-mappings="test"
+AT_CHECK([ovn-sbread list Chassis], [0], [expout])
+ovn-sbread set Chassis base hostname=test
+AT_CHECK([ovn-sbread list Chassis], [0], [expout])
+ovn-sbctl add Chassis base external_ids ovn-bridge-mappings="test"
+ovn-sbread list Chassis > expout
+ovn-sbread remove Chassis base external_ids ovn-bridge-mappings="test"
+AT_CHECK([ovn-sbread list Chassis], [0], [expout])
+ovn-sbread clear Chassis base external_ids
+AT_CHECK([ovn-sbread list Chassis], [0], [expout])
+ovn-sbread create Chassis name=canary
+AT_CHECK([ovn-sbread list Chassis], [0], [expout])
+ovn-sbread destroy Chassis base
+AT_CHECK([ovn-sbread list Chassis], [0], [expout])
+
+OVN_SBCTL_TEST_STOP
+AT_CLEANUP
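Review bot: ovn-sbctl add Chassis base external_ids ovn-bridge-mappings="test" appears twice, once before the ovn-sbread add check and again before the ovn-sbread remove check. The second one adds a key that is already present, so it looks like a leftover from copying the ovn-nbctl test and can be dropped. As in that test, the ovn-sbread write attempts (chassis-add, lsp-bind, lsp-unbind, set, destroy and so on) are outside AT_CHECK, so a command that errors out is indistinguishable from one that was dry-run.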
diff --git a/tests/ovs-ofctl.at b/tests/ovs-ofctl.at
index 00db247..c7e77b6 100644
--- a/tests/ovs-ofctl.at
+++ b/tests/ovs-ofctl.at
@@ -3042,3 +3042,36 @@  vconn|DBG|unix: sent (Success): OFPST_FLOW reply (OF1.4):
 
 OVS_VSWITCHD_STOP
 AT_CLEANUP
+
+AT_SETUP([ovs-ofread - negative tests])
+AT_KEYWORDS([ovs-ofread])
+AT_DATA([allflows.txt], [[
+priority=4,in_port=23213 actions=output:42
+priority=5,in_port=1029 actions=output:43
+priority=7,in_port=1029 actions=output:43
+priority=3,in_port=1028 actions=output:44
+priority=1,in_port=1026 actions=output:45
+priority=6,in_port=1027 actions=output:64
+priority=2,in_port=1025 actions=output:47
+priority=8,tcp,tp_src=5 actions=drop
+priority=9,tcp,tp_src=6 actions=drop
+]])
+OVS_VSWITCHD_START
+
+AT_CHECK([ovs-ofctl dump-flows br0 | ofctl_strip > expout])
+AT_CHECK([ovs-ofread add-flow br0 'ip actions=mod_tp_dst:1234'])
+AT_CHECK([ovs-ofread dump-flows br0 | ofctl_strip], [0], [expout])
+AT_CHECK([ovs-ofread add-flows br0 allflows.txt])
+AT_CHECK([ovs-ofread dump-flows br0 | ofctl_strip], [0], [expout])
+AT_CHECK([ovs-ofread replace-flows br0 allflows.txt])
+AT_CHECK([ovs-ofread dump-flows br0 | ofctl_strip], [0], [expout])
+AT_CHECK([ovs-ofctl add-flows br0 allflows.txt
+], [0], [ignore])
+AT_CHECK([ovs-ofctl dump-flows br0 | ofctl_strip > expout])
+AT_CHECK([ovs-ofread mod-flows br0 "priority=9,tcp,tp_src=6 actions=output:48"])
+AT_CHECK([ovs-ofread dump-flows br0 | ofctl_strip], [0], [expout])
+AT_CHECK([ovs-ofread del-flows br0])
+AT_CHECK([ovs-ofread dump-flows br0 | ofctl_strip], [0], [expout])
+
+OVS_VSWITCHD_STOP
+AT_CLEANUP
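Review bot: this only exercises the flow-table commands (add-flow, add-flows, replace-flows, mod-flows, del-flows). If ovs-ofread is meant to be safe to hand to someone who must not change switch state, the test should also cover the other state-changing ovs-ofctl commands, for example mod-port, the group commands and packet-out, or the commit message should say that only flow modifications are guaranteed to be suppressed.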
diff --git a/tests/ovs-vsctl.at b/tests/ovs-vsctl.at
index 5171786..c4bec27 100644
--- a/tests/ovs-vsctl.at
+++ b/tests/ovs-vsctl.at
@@ -1361,3 +1361,93 @@  AT_CHECK([ovs-vsctl -t 5 --no-wait --db=ssl:127.0.0.1:$SSL_PORT --private-key=$P
 
 OVS_VSCTL_CLEANUP
 AT_CLEANUP
+
+dnl RUN_OVS_VSREAD(COMMAND, ...)
+dnl
+dnl Executes each ovs-vsread COMMAND.
+m4_define([RUN_OVS_VSREAD],
+  [m4_foreach([command], [$@], [ovs-vsread --no-wait -vreconnect:emer --db=unix:socket command
+])])
+
+AT_SETUP([ovs-vsread - negative tests])
+AT_KEYWORDS([ovs-vsread])
+OVS_VSCTL_SETUP
+RUN_OVS_VSCTL([add-br a])
+RUN_OVS_VSCTL([list-br > expout])
+AT_CHECK([RUN_OVS_VSREAD([list-br])], [0], [expout])
+RUN_OVS_VSREAD([init])
+AT_CHECK([RUN_OVS_VSREAD([list-br])], [0], [expout])
+RUN_OVS_VSREAD([add-br b])
+AT_CHECK([RUN_OVS_VSREAD([list-br])], [0], [expout])
+RUN_OVS_VSREAD([del-br a])
+AT_CHECK([RUN_OVS_VSREAD([list-br])], [0], [expout])
+
+RUN_OVS_VSCTL([br-get-external-id a > expout])
+RUN_OVS_VSREAD([br-set-external-id a key0 value0])
+AT_CHECK([RUN_OVS_VSREAD([br-get-external-id a])], [0], [expout])
+
+RUN_OVS_VSCTL([add-port a a1])
+RUN_OVS_VSCTL([list-ports a > expout])
+RUN_OVS_VSREAD([ add-port a a2])
+AT_CHECK([RUN_OVS_VSREAD([list-ports a])], [0], [expout])
+RUN_OVS_VSREAD([ add-bond a bond0 a1 a2 a3])
+AT_CHECK([RUN_OVS_VSREAD([list-ports a])], [0], [expout])
+RUN_OVS_VSREAD([ del-port a])
+AT_CHECK([RUN_OVS_VSREAD([list-ports a])], [0], [expout])
+
+RUN_OVS_VSCTL([get-controller a > expout])
+RUN_OVS_VSREAD([set-controller a tcp:4.5.6.7])
+AT_CHECK([RUN_OVS_VSREAD([get-controller a])], [0], [expout])
+RUN_OVS_VSCTL([set-controller a tcp:4.5.6.7])
+RUN_OVS_VSCTL([get-controller a > expout])
+RUN_OVS_VSREAD([del-controller a])
+AT_CHECK([RUN_OVS_VSREAD([get-controller a])], [0], [expout])
+
+RUN_OVS_VSCTL([set-fail-mode a closed])
+RUN_OVS_VSCTL([get-fail-mode a > expout])
+RUN_OVS_VSREAD([set-fail-mode a open])
+AT_CHECK([RUN_OVS_VSREAD([get-fail-mode a])], [0], [expout])
+RUN_OVS_VSREAD([del-fail-mode a])
+AT_CHECK([RUN_OVS_VSREAD([get-fail-mode a])], [0], [expout])
+
+RUN_OVS_VSCTL([set-manager tcp:1.2.3.4])
+RUN_OVS_VSCTL([get-manager > expout])
+RUN_OVS_VSREAD([set-manager tcp:5.6.7.8])
+AT_CHECK([RUN_OVS_VSREAD([get-manager])], [0], [expout])
+RUN_OVS_VSREAD([del-manager])
+AT_CHECK([RUN_OVS_VSREAD([get-manager])], [0], [expout])
+
+RUN_OVS_VSCTL([set-ssl a b c])
+RUN_OVS_VSCTL([get-ssl > expout])
+RUN_OVS_VSREAD([set-ssl d e f])
+AT_CHECK([RUN_OVS_VSREAD([get-ssl])], [0], [expout])
+RUN_OVS_VSREAD([del-ssl])
+AT_CHECK([RUN_OVS_VSREAD([get-ssl])], [0], [expout])
+
+RUN_OVS_VSCTL([set-aa-mapping a b 10])
+RUN_OVS_VSCTL([get-aa-mapping a > expout])
+RUN_OVS_VSREAD([set-aa-mapping a c 20])
+AT_CHECK([RUN_OVS_VSREAD([get-aa-mapping a])], [0], [expout])
+RUN_OVS_VSREAD([del-aa-mapping a b 10])
+AT_CHECK([RUN_OVS_VSREAD([get-aa-mapping a])], [0], [expout])
+
+RUN_OVS_VSREAD([emer-reset])
+AT_CHECK([RUN_OVS_VSREAD([get-aa-mapping a])], [0], [expout])
+
+RUN_OVS_VSCTL([set Bridge a external_ids="bridge-id=test"])
+RUN_OVS_VSCTL([list Bridge > expout])
+RUN_OVS_VSREAD([set Bridge a datapath_type=test])
+AT_CHECK([RUN_OVS_VSREAD([list Bridge])], [0], [expout])
+RUN_OVS_VSREAD([add Bridge a datapath_type=test])
+AT_CHECK([RUN_OVS_VSREAD([list Bridge])], [0], [expout])
+RUN_OVS_VSREAD([remove Bridge a external_ids="bridge-id=test"])
+AT_CHECK([RUN_OVS_VSREAD([list Bridge])], [0], [expout])
+RUN_OVS_VSREAD([clear Bridge a external_ids])
+AT_CHECK([RUN_OVS_VSREAD([list Bridge])], [0], [expout])
+RUN_OVS_VSREAD([create Bridge b])
+AT_CHECK([RUN_OVS_VSREAD([list Bridge])], [0], [expout])
+RUN_OVS_VSREAD([destroy Bridge a])
+AT_CHECK([RUN_OVS_VSREAD([list Bridge])], [0], [expout])
+
+OVS_VSCTL_CLEANUP
+AT_CLEANUP
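Review bot: several of the write attempts look malformed, so they would be rejected whether or not --dry-run is in effect. del-port a names the bridge rather than the port a1 that was added, add Bridge a datapath_type=test has no separate value argument, and create Bridge b has no column=value pair. Because RUN_OVS_VSREAD is invoked outside AT_CHECK for every write, these failures are silent and the following list checks pass for the wrong reason. Fix the arguments and wrap the writes in AT_CHECK([RUN_OVS_VSREAD([...])]) so that a parse error fails the test. The leading space in [ add-port a a2] and the two lines after it should also go.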
diff --git a/tests/vtep-ctl.at b/tests/vtep-ctl.at
index f0511ad..163cf82 100644
--- a/tests/vtep-ctl.at
+++ b/tests/vtep-ctl.at
@@ -942,3 +942,148 @@  AT_CHECK([vtep-ctl --timeout=5 -vreconnect:emer --db=unix:socket show | tail -n+
 
 VTEP_CTL_CLEANUP
 AT_CLEANUP
+
+dnl RUN_VTEP_READ(COMMAND, ...)
+dnl
+dnl Executes each vtep-read COMMAND.
+m4_define([RUN_VTEP_READ],
+  [m4_foreach([command], [$@], [vtep-read --timeout=5 -vreconnect:emer --db=unix:socket command
+])])
+AT_SETUP([vtep-read -- negative tests])
+AT_KEYWORDS([vtep-read])
+VTEP_CTL_SETUP
+AT_CHECK([RUN_VTEP_CTL([add-ps a])], [0], [], [], [VTEP_CTL_CLEANUP])
+AT_CHECK([RUN_VTEP_READ([add-ps b])])
+CHECK_PSWITCHES([a])
+AT_CHECK([RUN_VTEP_READ([del-ps a])])
+CHECK_PSWITCHES([a])
+
+AT_CHECK([RUN_VTEP_CTL([add-port a a1])], [0], [], [], [VTEP_CTL_CLEANUP])
+AT_CHECK([RUN_VTEP_READ([add-port a a2])])
+CHECK_PORTS([a], [a1])
+AT_CHECK([RUN_VTEP_READ([del-port a a1])])
+CHECK_PORTS([a], [a1])
+
+AT_CHECK([RUN_VTEP_CTL([add-ls ls1])], [0], [], [], [VTEP_CTL_CLEANUP])
+AT_CHECK([RUN_VTEP_READ([add-ls b])])
+CHECK_LSWITCHES([ls1])
+AT_CHECK([RUN_VTEP_READ([del-ls ls1])])
+CHECK_LSWITCHES([ls1])
+
+AT_CHECK([RUN_VTEP_READ([bind-ls a a1 300 ls1])])
+AT_CHECK([RUN_VTEP_CTL([list-bindings a a1])], [0],
+   [], [], [VTEP_CTL_CLEANUP])
+AT_CHECK([RUN_VTEP_CTL([bind-ls a a1 300 ls1])])
+AT_CHECK([RUN_VTEP_READ([unbind-ls a a1 300])])
+AT_CHECK([RUN_VTEP_CTL([list-bindings a a1])], [0],
+   [0300 ls1
+], [], [VTEP_CTL_CLEANUP])
+
+AT_CHECK([RUN_VTEP_READ([set-replication-mode ls1 source_node])])
+AT_CHECK([RUN_VTEP_CTL(
+  [get-replication-mode ls1])],
+  [0], [[(null)]
+], [], [VTEP_CTL_CLEANUP])
+
+AT_CHECK([RUN_VTEP_CTL([add-lr lr1])])
+AT_CHECK([RUN_VTEP_READ([add-lr lr2])])
+AT_CHECK([RUN_VTEP_CTL([list-lr])], [0], [lr1
+], [], [VTEP_CTL_CLEANUP])
+AT_CHECK([RUN_VTEP_READ([del-lr lr1])])
+AT_CHECK([RUN_VTEP_CTL([list-lr])], [0], [lr1
+], [], [VTEP_CTL_CLEANUP])
+
+AT_CHECK([RUN_VTEP_CTL(
+   [add-ucast-local ls1 00:11:22:33:44:55 10.0.0.10])], [0], [], [],
+   [VTEP_CTL_CLEANUP])
+AT_CHECK([RUN_VTEP_READ([add-ucast-local ls1 00:11:22:33:44:66 vxlan_over_ipv4 10.0.0.11])])
+AT_CHECK([RUN_VTEP_READ([del-ucast-local ls1 00:11:22:33:44:55])])
+AT_CHECK([RUN_VTEP_CTL([list-local-macs ls1])], [0],
+   [ucast-mac-local
+  00:11:22:33:44:55 -> vxlan_over_ipv4/10.0.0.10
+
+mcast-mac-local
+
+], [], [VTEP_CTL_CLEANUP])
+
+AT_CHECK([RUN_VTEP_CTL(
+   [add-mcast-local ls1 01:11:22:33:44:55 10.0.0.12])
+], [0], [], [], [VTEP_CTL_CLEANUP])
+AT_CHECK([RUN_VTEP_READ([add-mcast-local ls1 01:11:22:33:44:55 10.0.0.10])])
+AT_CHECK([RUN_VTEP_READ([del-mcast-local ls1 01:11:22:33:44:55 10.0.0.12])])
+AT_CHECK([RUN_VTEP_CTL([list-local-macs ls1])], [0],
+   [ucast-mac-local
+  00:11:22:33:44:55 -> vxlan_over_ipv4/10.0.0.10
+
+mcast-mac-local
+  01:11:22:33:44:55 -> vxlan_over_ipv4/10.0.0.12
+
+], [], [VTEP_CTL_CLEANUP])
+
+AT_CHECK([RUN_VTEP_READ([clear-local-macs ls1])])
+AT_CHECK([RUN_VTEP_CTL([list-local-macs ls1])], [0],
+   [ucast-mac-local
+  00:11:22:33:44:55 -> vxlan_over_ipv4/10.0.0.10
+
+mcast-mac-local
+  01:11:22:33:44:55 -> vxlan_over_ipv4/10.0.0.12
+
+], [], [VTEP_CTL_CLEANUP])
+
+AT_CHECK([RUN_VTEP_CTL(
+   [add-ucast-remote ls1 02:11:22:33:44:55 10.0.0.10])], [0], [], [],
+   [VTEP_CTL_CLEANUP])
+AT_CHECK([RUN_VTEP_READ(
+   [add-ucast-remote ls1 00:11:22:33:44:66 vxlan_over_ipv4 10.0.0.11])])
+AT_CHECK([RUN_VTEP_READ([del-ucast-remote ls1 02:11:22:33:44:55])])
+AT_CHECK([RUN_VTEP_CTL([list-remote-macs ls1])], [0],
+   [ucast-mac-remote
+  02:11:22:33:44:55 -> vxlan_over_ipv4/10.0.0.10
+
+mcast-mac-remote
+
+], [], [VTEP_CTL_CLEANUP])
+
+AT_CHECK([RUN_VTEP_CTL(
+   [add-mcast-remote ls1 03:11:22:33:44:55 10.0.0.12])
+], [0], [], [], [VTEP_CTL_CLEANUP])
+AT_CHECK([RUN_VTEP_READ([add-mcast-remote ls1 03:11:22:33:44:55 10.0.0.14])])
+AT_CHECK([RUN_VTEP_READ([del-mcast-remote ls1 03:11:22:33:44:55 10.0.0.12])])
+AT_CHECK([RUN_VTEP_CTL([list-remote-macs ls1])], [0],
+   [ucast-mac-remote
+  02:11:22:33:44:55 -> vxlan_over_ipv4/10.0.0.10
+
+mcast-mac-remote
+  03:11:22:33:44:55 -> vxlan_over_ipv4/10.0.0.12
+
+], [], [VTEP_CTL_CLEANUP])
+
+AT_CHECK([RUN_VTEP_READ([clear-remote-macs ls1])])
+AT_CHECK([RUN_VTEP_CTL([list-remote-macs ls1])], [0],
+   [ucast-mac-remote
+  02:11:22:33:44:55 -> vxlan_over_ipv4/10.0.0.10
+
+mcast-mac-remote
+  03:11:22:33:44:55 -> vxlan_over_ipv4/10.0.0.12
+
+], [], [VTEP_CTL_CLEANUP])
+
+AT_CHECK([RUN_VTEP_CTL([set-manager tcp:4.5.6.7])])
+AT_CHECK([RUN_VTEP_CTL([get-manager > expout])])
+AT_CHECK([RUN_VTEP_READ([set-manager tcp:4.5.6.8])])
+AT_CHECK([RUN_VTEP_READ([del-manager])])
+AT_CHECK([RUN_VTEP_CTL([get-manager])], [0], [expout])
+
+AT_CHECK([RUN_VTEP_CTL([set Physical_Switch a management_ips=[[4.3.2.1]] tunnel_ips=[[1.2.3.4]]])])
+AT_CHECK([RUN_VTEP_CTL([list Physical_Switch > expout])])
+AT_CHECK([RUN_VTEP_READ([set Physical_Switch a management_ips=[[4.3.2.2]]])])
+AT_CHECK([RUN_VTEP_READ([add Physical_Switch a management_ips [[4.3.2.3]]])])
+AT_CHECK([RUN_VTEP_READ([remove Physical_Switch a management_ips [[4.3.2.1]]])])
+AT_CHECK([RUN_VTEP_CTL([list Physical_Switch])], [0], [expout])
+AT_CHECK([RUN_VTEP_READ([clear Physical_Switch a management_ips])])
+AT_CHECK([RUN_VTEP_CTL([list Physical_Switch])], [0], [expout])
+AT_CHECK([RUN_VTEP_READ([destroy Physical_Switch a])])
+AT_CHECK([RUN_VTEP_CTL([list Physical_Switch])], [0], [expout])
+
+VTEP_CTL_CLEANUP
+AT_CLEANUP
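Review bot: most AT_CHECK calls on RUN_VTEP_READ omit the run-if-fail argument, for example AT_CHECK([RUN_VTEP_READ([add-ps b])]), while the neighbouring RUN_VTEP_CTL checks pass [VTEP_CTL_CLEANUP]. If a vtep-read check fails, the database server started by VTEP_CTL_SETUP is left running. Pass [0], [], [], [VTEP_CTL_CLEANUP] consistently. Two style points: put a blank line between the m4_define and AT_SETUP, and use the same title form as the other new tests ("vtep-read - negative tests" rather than "--").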
diff --git a/utilities/automake.mk b/utilities/automake.mk
index 9d5b425..6eb7164 100644
--- a/utilities/automake.mk
+++ b/utilities/automake.mk
@@ -5,7 +5,11 @@  bin_PROGRAMS += \
 	utilities/ovs-ofctl \
 	utilities/ovs-vsctl
 bin_SCRIPTS += utilities/ovs-docker \
-	utilities/ovs-pki
+	utilities/ovs-pki \
+        utilities/ovs-appsetlog \
+	utilities/ovs-dpread \
+	utilities/ovs-ofread \
+	utilities/ovs-vsread
 if HAVE_PYTHON
 bin_SCRIPTS += \
 	utilities/ovs-dpctl-top \
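Review bot: these four wrappers are installed into bin, on every user's $PATH, but the patch adds no man page or other documentation for them. That was already raised in the thread. Please add at least a short description of what each wrapper guarantees and what it does not, in particular that it relies on the underlying tool honouring --dry-run.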
@@ -40,14 +44,17 @@  utilities/ovs-lib: $(top_builddir)/config.status
 docs += utilities/ovs-command-bashcomp.INSTALL.md
 EXTRA_DIST += \
 	utilities/ovs-appctl-bashcomp.bash \
+        utilities/ovs-appsetlog \
 	utilities/ovs-check-dead-ifs.in \
 	utilities/ovs-command-bashcomp.INSTALL.md \
 	utilities/ovs-ctl.in \
 	utilities/ovs-dev.py \
 	utilities/ovs-docker \
 	utilities/ovs-dpctl-top.in \
+	utilities/ovs-dpread \
 	utilities/ovs-l3ping.in \
 	utilities/ovs-lib.in \
+	utilities/ovs-ofread \
 	utilities/ovs-parse-backtrace.in \
 	utilities/ovs-pcap.in \
 	utilities/ovs-pipegen.py \
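Review bot: the utilities/ovs-appsetlog line is indented with eight spaces while every other entry in EXTRA_DIST uses a tab. The same applies to the entry added to bin_SCRIPTS. Please use a tab to match the file.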
@@ -58,6 +65,7 @@  EXTRA_DIST += \
 	utilities/ovs-test.in \
 	utilities/ovs-vlan-test.in \
 	utilities/ovs-vsctl-bashcomp.bash \
+	utilities/ovs-vsread \
 	utilities/qemu-wrap.py \
 	utilities/checkpatch.py
 MAN_ROOTS += \
diff --git a/utilities/ovs-appsetlog b/utilities/ovs-appsetlog
new file mode 100755
index 0000000..80c8943
--- /dev/null
+++ b/utilities/ovs-appsetlog
@@ -0,0 +1,37 @@ 
+#! /bin/sh
+
+case $1 in
+    ovsdb-server)
+        ;;
+    ovn-northd)
+        ;;
+    ovn-controller)
+        ;;
+    ovn-controller-vtep)
+        ;;
+    *)
+        echo "Invalid target"
+        exit 1;
+        ;;
+esac
+
+case $2 in
+    off)
+        ;;
+    emer)
+        ;;
+    err)
+        ;;
+    warn)
+        ;;
+    info)
+        ;;
+    dbg)
+        ;;
+    *)
+        echo "Invalid log level"
+        exit 1;
+        ;;
+esac
+
+exec ovs-appctl vlog/set "$1:$2"
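Review bot: the final exec passes the validated daemon name inside the vlog/set argument ("$1:$2") instead of using it to select the daemon. As far as I can tell, ovs-appctl without -t contacts its default target, and the first field of a vlog/set spec is a module or destination, so ovs-appsetlog ovn-northd dbg would not change ovn-northd's log level. If $1 is meant to be the daemon, something like exec ovs-appctl -t "$1" vlog/set "$2" matches the allowlist above. Smaller points: extra arguments beyond $2 are silently ignored, so reject them with a usage message; send the "Invalid target" and "Invalid log level" messages to stderr; and the empty case arms can be collapsed with | patterns. This script also has no test in the patch.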
diff --git a/utilities/ovs-dpread b/utilities/ovs-dpread
new file mode 100755
index 0000000..a560edf
--- /dev/null
+++ b/utilities/ovs-dpread
@@ -0,0 +1,2 @@ 
+#! /bin/sh
+exec ovs-dpctl --dry-run "$@"
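Review bot: ovs-dpread is the only read wrapper with no negative test. The patch adds tests for ovn-nbread, ovn-sbread, ovs-ofread, ovs-vsread and vtep-read, but nothing under tests/ exercises this one. Since the wrapper's whole purpose is to guarantee that datapath writes are suppressed, please add a test that attempts add-dp, del-dp and the flow commands through it and checks that the datapath is unchanged.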
diff --git a/utilities/ovs-ofread b/utilities/ovs-ofread
new file mode 100755
index 0000000..fd8bf82
--- /dev/null
+++ b/utilities/ovs-ofread
@@ -0,0 +1,2 @@ 
+#! /bin/sh
+exec ovs-ofctl --dry-run "$@"
diff --git a/utilities/ovs-vsread b/utilities/ovs-vsread
new file mode 100755
index 0000000..39b156e
--- /dev/null
+++ b/utilities/ovs-vsread
@@ -0,0 +1,2 @@ 
+#! /bin/sh
+exec ovs-vsctl --dry-run "$@"
diff --git a/vtep/automake.mk b/vtep/automake.mk
index 2645f30..05387fd 100644
--- a/vtep/automake.mk
+++ b/vtep/automake.mk
@@ -38,10 +38,11 @@  vtep_vtep_ctl_LDADD = vtep/libvtep.la lib/libopenvswitch.la
 
 # ovs-vtep
 scripts_SCRIPTS += \
-    vtep/ovs-vtep
+    vtep/ovs-vtep \
+    vtep/vtep-read
 
 docs += vtep/README.ovs-vtep.md
-EXTRA_DIST += vtep/ovs-vtep
+EXTRA_DIST += vtep/ovs-vtep vtep/vtep-read
 
 FLAKE8_PYFILES += vtep/ovs-vtep
 
diff --git a/vtep/vtep-read b/vtep/vtep-read
new file mode 100755
index 0000000..4f0f919
--- /dev/null
+++ b/vtep/vtep-read
@@ -0,0 +1,2 @@ 
+#! /bin/sh
+exec vtep-ctl --dry-run "$@"