[ovs-dev] [PATCH ovn v4 02/13] ovn-ic-nb: Interconnection northbound DB schema and CLI.

Han Zhou hzhou at ovn.org
Wed Jan 29 19:55:57 UTC 2020


This patch introduces OVN_IC_Northbound DB schema and the CLI
ovn-ic-nbctl that manages the DB.

Signed-off-by: Han Zhou <hzhou at ovn.org>
---
 .gitignore                   |   3 +
 automake.mk                  |  35 ++
 debian/ovn-common.install    |   1 +
 debian/ovn-common.manpages   |   2 +
 lib/.gitignore               |   3 +
 lib/automake.mk              |  16 +-
 lib/ovn-ic-nb-idl.ann        |   9 +
 lib/ovn-util.c               |  13 +
 lib/ovn-util.h               |   1 +
 ovn-ic-nb.ovsschema          |  75 ++++
 ovn-ic-nb.xml                | 371 +++++++++++++++++
 tests/automake.mk            |   2 +
 tests/ovn-ic-nbctl.at        |  65 +++
 tests/testsuite.at           |   1 +
 utilities/.gitignore         |   2 +
 utilities/automake.mk        |   8 +
 utilities/ovn-ic-nbctl.8.xml | 174 ++++++++
 utilities/ovn-ic-nbctl.c     | 950 +++++++++++++++++++++++++++++++++++++++++++
 18 files changed, 1730 insertions(+), 1 deletion(-)
 create mode 100644 lib/ovn-ic-nb-idl.ann
 create mode 100644 ovn-ic-nb.ovsschema
 create mode 100644 ovn-ic-nb.xml
 create mode 100644 tests/ovn-ic-nbctl.at
 create mode 100644 utilities/ovn-ic-nbctl.8.xml
 create mode 100644 utilities/ovn-ic-nbctl.c

diff --git a/.gitignore b/.gitignore
index 6fee075..d4f8c10 100644
--- a/.gitignore
+++ b/.gitignore
@@ -67,6 +67,9 @@
 /ovn-sb.5
 /ovn-sb.gv
 /ovn-sb.pic
+/ovn-ic-nb.5
+/ovn-ic-nb.gv
+/ovn-ic-nb.pic
 /package.m4
 /stamp-h1
 /_build-gcc
diff --git a/automake.mk b/automake.mk
index 591e007..59063c2 100644
--- a/automake.mk
+++ b/automake.mk
@@ -62,6 +62,34 @@ ovn-sb.5: \
 		$(srcdir)/ovn-sb.xml > $@.tmp && \
 	mv $@.tmp $@
 
+# OVN interconnection northbound E-R diagram
+#
+# If "python" or "dot" is not available, then we do not add graphical diagram
+# to the documentation.
+if HAVE_DOT
+ovn-ic-nb.gv: ${OVSDIR}/ovsdb/ovsdb-dot.in $(srcdir)/ovn-ic-nb.ovsschema
+	$(AM_V_GEN)$(OVSDB_DOT) --no-arrows $(srcdir)/ovn-ic-nb.ovsschema > $@
+ovn-ic-nb.pic: ovn-ic-nb.gv ${OVSDIR}/ovsdb/dot2pic
+	$(AM_V_GEN)(dot -T plain < ovn-ic-nb.gv | $(PYTHON) ${OVSDIR}/ovsdb/dot2pic -f 3) > $@.tmp && \
+	mv $@.tmp $@
+OVN_IC_NB_PIC = ovn-ic-nb.pic
+OVN_IC_NB_DOT_DIAGRAM_ARG = --er-diagram=$(OVN_IC_NB_PIC)
+CLEANFILES += ovn-ic-nb.gv ovn-ic-nb.pic
+endif
+
+# OVN interconnection northbound schema documentation
+EXTRA_DIST += ovn-ic-nb.xml
+CLEANFILES += ovn-ic-nb.5
+man_MANS += ovn-ic-nb.5
+
+ovn-ic-nb.5: \
+	${OVSDIR}/ovsdb/ovsdb-doc $(srcdir)/ovn-ic-nb.xml $(srcdir)/ovn-ic-nb.ovsschema $(OVN_IC_NB_PIC)
+	$(AM_V_GEN)$(OVSDB_DOC) \
+		$(OVN_IC_NB_DOT_DIAGRAM_ARG) \
+		--version=$(VERSION) \
+		$(srcdir)/ovn-ic-nb.ovsschema \
+		$(srcdir)/ovn-ic-nb.xml > $@.tmp && \
+	mv $@.tmp $@
 
 # Version checking for ovn-nb.ovsschema.
 ALL_LOCAL += ovn-nb.ovsschema.stamp
@@ -74,7 +102,14 @@ ALL_LOCAL += ovn-sb.ovsschema.stamp
 ovn-sb.ovsschema.stamp: ovn-sb.ovsschema
 	$(srcdir)/build-aux/cksum-schema-check $? $@
 
+# Version checking for ovn-ic-nb.ovsschema.
+ALL_LOCAL += ovn-ic-nb.ovsschema.stamp
+ovn-ic-nb.ovsschema.stamp: ovn-ic-nb.ovsschema
+	$(srcdir)/build-aux/cksum-schema-check $? $@
+CLEANFILES += ovn-ic-nb.ovsschema.stamp
+
 pkgdata_DATA += ovn-nb.ovsschema
 pkgdata_DATA += ovn-sb.ovsschema
+pkgdata_DATA += ovn-ic-nb.ovsschema
 
 CLEANFILES += ovn-sb.ovsschema.stamp
diff --git a/debian/ovn-common.install b/debian/ovn-common.install
index 90484d2..59b8018 100644
--- a/debian/ovn-common.install
+++ b/debian/ovn-common.install
@@ -1,5 +1,6 @@
 usr/bin/ovn-nbctl
 usr/bin/ovn-sbctl
+usr/bin/ovn-ic-nbctl
 usr/bin/ovn-trace
 usr/bin/ovn-detrace
 usr/share/openvswitch/scripts/ovn-ctl
diff --git a/debian/ovn-common.manpages b/debian/ovn-common.manpages
index 249349e..e7d3e4d 100644
--- a/debian/ovn-common.manpages
+++ b/debian/ovn-common.manpages
@@ -1,8 +1,10 @@
 ovn/ovn-architecture.7
 ovn/ovn-nb.5
 ovn/ovn-sb.5
+ovn/ovn-ic-nb.5
 ovn/utilities/ovn-ctl.8
 ovn/utilities/ovn-nbctl.8
 ovn/utilities/ovn-sbctl.8
+ovn/utilities/ovn-ic-nbctl.8
 ovn/utilities/ovn-trace.8
 ovn/utilities/ovn-detrace.1
diff --git a/lib/.gitignore b/lib/.gitignore
index 3eed458..3af2923 100644
--- a/lib/.gitignore
+++ b/lib/.gitignore
@@ -5,4 +5,7 @@
 /ovn-sb-idl.c
 /ovn-sb-idl.h
 /ovn-sb-idl.ovsidl
+/ovn-ic-nb-idl.c
+/ovn-ic-nb-idl.h
+/ovn-ic-nb-idl.ovsidl
 /ovn-dirs.c
diff --git a/lib/automake.mk b/lib/automake.mk
index 0c8245c..5f6561a 100644
--- a/lib/automake.mk
+++ b/lib/automake.mk
@@ -29,7 +29,9 @@ nodist_lib_libovn_la_SOURCES = \
 	lib/ovn-nb-idl.c \
 	lib/ovn-nb-idl.h \
 	lib/ovn-sb-idl.c \
-	lib/ovn-sb-idl.h
+	lib/ovn-sb-idl.h \
+	lib/ovn-ic-nb-idl.c \
+	lib/ovn-ic-nb-idl.h
 
 CLEANFILES += $(nodist_lib_libovn_la_SOURCES)
 
@@ -74,3 +76,15 @@ lib/ovn-nb-idl.ovsidl: $(OVN_NB_IDL_FILES)
 	$(AM_V_GEN)$(OVSDB_IDLC) annotate $(OVN_NB_IDL_FILES) > $@.tmp && \
 	mv $@.tmp $@
 
+# ovn-ic-nb IDL
+OVSIDL_BUILT += \
+	lib/ovn-ic-nb-idl.c \
+	lib/ovn-ic-nb-idl.h \
+	lib/ovn-ic-nb-idl.ovsidl
+EXTRA_DIST += lib/ovn-ic-nb-idl.ann
+OVN_IC_NB_IDL_FILES = \
+	$(srcdir)/ovn-ic-nb.ovsschema \
+	$(srcdir)/lib/ovn-ic-nb-idl.ann
+lib/ovn-ic-nb-idl.ovsidl: $(OVN_IC_NB_IDL_FILES)
+	$(AM_V_GEN)$(OVSDB_IDLC) annotate $(OVN_IC_NB_IDL_FILES) > $@.tmp && \
+	mv $@.tmp $@
diff --git a/lib/ovn-ic-nb-idl.ann b/lib/ovn-ic-nb-idl.ann
new file mode 100644
index 0000000..9dfbafa
--- /dev/null
+++ b/lib/ovn-ic-nb-idl.ann
@@ -0,0 +1,9 @@
+# -*- python -*-
+
+# This code, when invoked by "ovsdb-idlc annotate" (by the build
+# process), annotates ovn-ic-nb.ovsschema with additional data that give
+# the ovsdb-idl engine information about the types involved, so that
+# it can generate more programmer-friendly data structures.
+
+s["idlPrefix"] = "icnbrec_"
+s["idlHeader"] = "\"lib/ovn-ic-nb-idl.h\""
diff --git a/lib/ovn-util.c b/lib/ovn-util.c
index 6e0bba2..5b891ec 100644
--- a/lib/ovn-util.c
+++ b/lib/ovn-util.c
@@ -350,6 +350,19 @@ default_sb_db(void)
     return def;
 }
 
+const char *
+default_ic_nb_db(void)
+{
+    static char *def;
+    if (!def) {
+        def = getenv("OVN_IC_NB_DB");
+        if (!def) {
+            def = xasprintf("unix:%s/ovn_ic_nb_db.sock", ovn_rundir());
+        }
+    }
+    return def;
+}
+
 char *
 get_abs_unix_ctl_path(void)
 {
diff --git a/lib/ovn-util.h b/lib/ovn-util.h
index 422d69e..cda245b 100644
--- a/lib/ovn-util.h
+++ b/lib/ovn-util.h
@@ -73,6 +73,7 @@ char *alloc_nat_zone_key(const struct uuid *key, const char *type);
 
 const char *default_nb_db(void);
 const char *default_sb_db(void);
+const char *default_ic_nb_db(void);
 char *get_abs_unix_ctl_path(void);
 
 struct ovsdb_idl_table_class;
diff --git a/ovn-ic-nb.ovsschema b/ovn-ic-nb.ovsschema
new file mode 100644
index 0000000..894db83
--- /dev/null
+++ b/ovn-ic-nb.ovsschema
@@ -0,0 +1,75 @@
+{
+    "name": "OVN_IC_Northbound",
+    "version": "1.0.0",
+    "cksum": "45589876 3383",
+    "tables": {
+        "IC_NB_Global": {
+            "columns": {
+                "external_ids": {
+                    "type": {"key": "string", "value": "string",
+                             "min": 0, "max": "unlimited"}},
+                "connections": {
+                    "type": {"key": {"type": "uuid",
+                                     "refTable": "Connection"},
+                                     "min": 0,
+                                     "max": "unlimited"}},
+                "ssl": {
+                    "type": {"key": {"type": "uuid",
+                                     "refTable": "SSL"},
+                                     "min": 0, "max": 1}},
+                "options": {
+                    "type": {"key": "string", "value": "string",
+                             "min": 0, "max": "unlimited"}}},
+            "maxRows": 1,
+            "isRoot": true},
+        "Transit_Switch": {
+            "columns": {
+                "name": {"type": "string"},
+                "other_config": {
+                    "type": {"key": "string", "value": "string",
+                             "min": 0, "max": "unlimited"}},
+                "external_ids": {
+                    "type": {"key": "string", "value": "string",
+                             "min": 0, "max": "unlimited"}}},
+            "isRoot": true,
+            "indexes": [["name"]]},
+        "Connection": {
+            "columns": {
+                "target": {"type": "string"},
+                "max_backoff": {"type": {"key": {"type": "integer",
+                                         "minInteger": 1000},
+                                         "min": 0,
+                                         "max": 1}},
+                "inactivity_probe": {"type": {"key": "integer",
+                                              "min": 0,
+                                              "max": 1}},
+                "other_config": {"type": {"key": "string",
+                                          "value": "string",
+                                          "min": 0,
+                                          "max": "unlimited"}},
+                "external_ids": {"type": {"key": "string",
+                                 "value": "string",
+                                 "min": 0,
+                                 "max": "unlimited"}},
+                "is_connected": {"type": "boolean", "ephemeral": true},
+                "status": {"type": {"key": "string",
+                                    "value": "string",
+                                    "min": 0,
+                                    "max": "unlimited"},
+                                    "ephemeral": true}},
+            "indexes": [["target"]]},
+        "SSL": {
+            "columns": {
+                "private_key": {"type": "string"},
+                "certificate": {"type": "string"},
+                "ca_cert": {"type": "string"},
+                "bootstrap_ca_cert": {"type": "boolean"},
+                "ssl_protocols": {"type": "string"},
+                "ssl_ciphers": {"type": "string"},
+                "external_ids": {"type": {"key": "string",
+                                          "value": "string",
+                                          "min": 0,
+                                          "max": "unlimited"}}},
+            "maxRows": 1}
+    }
+}
diff --git a/ovn-ic-nb.xml b/ovn-ic-nb.xml
new file mode 100644
index 0000000..a693611
--- /dev/null
+++ b/ovn-ic-nb.xml
@@ -0,0 +1,371 @@
+<?xml version="1.0" encoding="utf-8"?>
+<database name="ovn-ic-nb" title="OVN Interconnection Northbound Database">
+  <p>
+    This database is the interface for cloud management system (CMS), such as
+    OpenStack, to configure OVN interconnection settings.  The CMS produces
+    almost all of the contents of the database.  The <code>ovn-ic</code>
+    program monitors the database contents, transforms it, and stores it into
+    the <ref db="OVN_IC_Southbound"/> database.
+  </p>
+
+  <p>
+    We generally speak of ``the'' CMS, but one can imagine scenarios in
+    which multiple CMSes manage different parts of OVN interconnection.
+  </p>
+
+  <h2>External IDs</h2>
+
+  <p>
+    Each of the tables in this database contains a special column, named
+    <code>external_ids</code>.  This column has the same form and purpose each
+    place it appears.
+  </p>
+
+  <dl>
+    <dt><code>external_ids</code>: map of string-string pairs</dt>
+    <dd>
+      Key-value pairs for use by the CMS.  The CMS might use certain pairs, for
+      example, to identify entities in its own configuration that correspond to
+      those in this database.
+    </dd>
+  </dl>
+
+  <table name="IC_NB_Global" title="IC Northbound configuration">
+    <p>
+      Northbound configuration for OVN interconnection.  This table must have exactly
+      one row.
+    </p>
+
+    <group title="Common Columns">
+      <column name="external_ids">
+        See <em>External IDs</em> at the beginning of this document.
+      </column>
+    </group>
+
+    <group title="Common options">
+      <column name="options">
+        This column provides general key/value settings. The supported
+        options are described individually below.
+      </column>
+    </group>
+
+    <group title="Connection Options">
+      <column name="connections">
+        Database clients to which the Open vSwitch database server should
+        connect or on which it should listen, along with options for how these
+        connections should be configured.  See the <ref table="Connection"/>
+        table for more information.
+      </column>
+      <column name="ssl">
+        Global SSL configuration.
+      </column>
+    </group>
+  </table>
+
+  <table name="Transit_Switch" title="Transit logical switch">
+    <p>
+      Each row represents one transit logical switch for interconnection between
+      different OVN deployments (availability zones).
+    </p>
+
+    <group title="Naming">
+      <column name="name">
+        A name that uniquely identifies the transit logical switch.
+      </column>
+    </group>
+
+    <group title="Common Columns">
+      <column name="other_config"/>
+      <column name="external_ids">
+        See <em>External IDs</em> at the beginning of this document.
+      </column>
+    </group>
+  </table>
+
+  <table name="SSL">
+    SSL configuration for ovn-nb database access.
+
+    <column name="private_key">
+      Name of a PEM file containing the private key used as the switch's
+      identity for SSL connections to the controller.
+    </column>
+
+    <column name="certificate">
+      Name of a PEM file containing a certificate, signed by the
+      certificate authority (CA) used by the controller and manager,
+      that certifies the switch's private key, identifying a trustworthy
+      switch.
+    </column>
+
+    <column name="ca_cert">
+      Name of a PEM file containing the CA certificate used to verify
+      that the switch is connected to a trustworthy controller.
+    </column>
+
+    <column name="bootstrap_ca_cert">
+      If set to <code>true</code>, then Open vSwitch will attempt to
+      obtain the CA certificate from the controller on its first SSL
+      connection and save it to the named PEM file. If it is successful,
+      it will immediately drop the connection and reconnect, and from then
+      on all SSL connections must be authenticated by a certificate signed
+      by the CA certificate thus obtained.  <em>This option exposes the
+      SSL connection to a man-in-the-middle attack obtaining the initial
+      CA certificate.</em>  It may still be useful for bootstrapping.
+    </column>
+
+    <column name="ssl_protocols">
+      List of SSL protocols to be enabled for SSL connections. The default
+      when this option is omitted is <code>TLSv1,TLSv1.1,TLSv1.2</code>.
+    </column>
+
+    <column name="ssl_ciphers">
+      List of ciphers (in OpenSSL cipher string format) to be supported
+      for SSL connections. The default when this option is omitted is
+      <code>HIGH:!aNULL:!MD5</code>.
+    </column>
+
+    <group title="Common Columns">
+      The overall purpose of these columns is described under <code>Common
+      Columns</code> at the beginning of this document.
+
+      <column name="external_ids"/>
+    </group>
+  </table>
+
+  <table name="Connection" title="OVSDB client connections.">
+    <p>
+      Configuration for a database connection to an Open vSwitch database
+      (OVSDB) client.
+    </p>
+
+    <p>
+      This table primarily configures the Open vSwitch database server
+      (<code>ovsdb-server</code>).
+    </p>
+
+    <p>
+      The Open vSwitch database server can initiate and maintain active
+      connections to remote clients.  It can also listen for database
+      connections.
+    </p>
+
+    <group title="Core Features">
+      <column name="target">
+        <p>Connection methods for clients.</p>
+        <p>
+          The following connection methods are currently supported:
+        </p>
+        <dl>
+          <dt><code>ssl:<var>host</var></code>[<code>:<var>port</var></code>]</dt>
+          <dd>
+            <p>
+              The specified SSL <var>port</var> on the host at the given
+              <var>host</var>, which can either be a DNS name (if built with
+              unbound library) or an IP address. A valid SSL configuration must
+              be provided when this form is used, this configuration can be
+              specified via command-line options or the <ref table="SSL"/> table.
+            </p>
+            <p>
+              If <var>port</var> is not specified, it defaults to 6640.
+            </p>
+            <p>
+              SSL support is an optional feature that is not always
+              built as part of Open vSwitch.
+            </p>
+          </dd>
+
+          <dt><code>tcp:<var>host</var></code>[<code>:<var>port</var></code>]</dt>
+          <dd>
+            <p>
+              The specified TCP <var>port</var> on the host at the given
+              <var>host</var>, which can either be a DNS name (if built with
+              unbound library) or an IP address.  If <var>host</var> is an IPv6
+              address, wrap it in square brackets, e.g. <code>tcp:[::1]:6640</code>.
+            </p>
+            <p>
+              If <var>port</var> is not specified, it defaults to 6640.
+            </p>
+          </dd>
+          <dt><code>pssl:</code>[<var>port</var>][<code>:<var>host</var></code>]</dt>
+          <dd>
+            <p>
+              Listens for SSL connections on the specified TCP <var>port</var>.
+              Specify 0 for <var>port</var> to have the kernel automatically
+              choose an available port.  If <var>host</var>, which can either
+              be a DNS name (if built with unbound library) or an IP address,
+              is specified, then connections are restricted to the resolved or
+              specified local IPaddress (either IPv4 or IPv6 address).  If
+              <var>host</var> is an IPv6 address, wrap in square brackets,
+              e.g. <code>pssl:6640:[::1]</code>.  If <var>host</var> is not
+              specified then it listens only on IPv4 (but not IPv6) addresses.
+              A valid SSL configuration must be provided when this form is used,
+             this can be specified either via command-line options or the
+             <ref table="SSL"/> table.
+            </p>
+            <p>
+              If <var>port</var> is not specified, it defaults to 6640.
+            </p>
+            <p>
+              SSL support is an optional feature that is not always built as
+              part of Open vSwitch.
+            </p>
+          </dd>
+          <dt><code>ptcp:</code>[<var>port</var>][<code>:<var>host</var></code>]</dt>
+          <dd>
+            <p>
+              Listens for connections on the specified TCP <var>port</var>.
+              Specify 0 for <var>port</var> to have the kernel automatically
+              choose an available port.  If <var>host</var>, which can either
+              be a DNS name (if built with unbound library) or an IP address,
+              is specified, then connections are restricted to the resolved or
+              specified local IP address (either IPv4 or IPv6 address).  If
+              <var>host</var> is an IPv6 address, wrap it in square brackets,
+              e.g. <code>ptcp:6640:[::1]</code>.  If <var>host</var> is not
+              specified then it listens only on IPv4 addresses.
+            </p>
+            <p>
+              If <var>port</var> is not specified, it defaults to 6640.
+            </p>
+          </dd>
+        </dl>
+        <p>When multiple clients are configured, the <ref column="target"/>
+        values must be unique.  Duplicate <ref column="target"/> values yield
+        unspecified results.</p>
+      </column>
+    </group>
+
+    <group title="Client Failure Detection and Handling">
+      <column name="max_backoff">
+        Maximum number of milliseconds to wait between connection attempts.
+        Default is implementation-specific.
+      </column>
+
+      <column name="inactivity_probe">
+        Maximum number of milliseconds of idle time on connection to the client
+        before sending an inactivity probe message.  If Open vSwitch does not
+        communicate with the client for the specified number of seconds, it
+        will send a probe.  If a response is not received for the same
+        additional amount of time, Open vSwitch assumes the connection has been
+        broken and attempts to reconnect.  Default is implementation-specific.
+        A value of 0 disables inactivity probes.
+      </column>
+    </group>
+
+    <group title="Status">
+      <p>
+        Key-value pair of <ref column="is_connected"/> is always updated.
+        Other key-value pairs in the status columns may be updated depends
+        on the <ref column="target"/> type.
+      </p>
+
+      <p>
+        When <ref column="target"/> specifies a connection method that
+        listens for inbound connections (e.g. <code>ptcp:</code> or
+        <code>punix:</code>), both <ref column="n_connections"/> and
+        <ref column="is_connected"/> may also be updated while the
+        remaining key-value pairs are omitted.
+      </p>
+
+      <p>
+        On the other hand, when <ref column="target"/> specifies an
+        outbound connection, all key-value pairs may be updated, except
+        the above-mentioned two key-value pairs associated with inbound
+        connection targets. They are omitted.
+      </p>
+
+    <column name="is_connected">
+        <code>true</code> if currently connected to this client,
+        <code>false</code> otherwise.
+      </column>
+
+      <column name="status" key="last_error">
+        A human-readable description of the last error on the connection
+        to the manager; i.e. <code>strerror(errno)</code>.  This key
+        will exist only if an error has occurred.
+      </column>
+
+      <column name="status" key="state"
+              type='{"type": "string", "enum": ["set", ["VOID", "BACKOFF", "CONNECTING", "ACTIVE", "IDLE"]]}'>
+        <p>
+          The state of the connection to the manager:
+        </p>
+        <dl>
+          <dt><code>VOID</code></dt>
+          <dd>Connection is disabled.</dd>
+
+          <dt><code>BACKOFF</code></dt>
+          <dd>Attempting to reconnect at an increasing period.</dd>
+
+          <dt><code>CONNECTING</code></dt>
+          <dd>Attempting to connect.</dd>
+
+          <dt><code>ACTIVE</code></dt>
+          <dd>Connected, remote host responsive.</dd>
+
+          <dt><code>IDLE</code></dt>
+          <dd>Connection is idle.  Waiting for response to keep-alive.</dd>
+        </dl>
+        <p>
+          These values may change in the future.  They are provided only for
+          human consumption.
+        </p>
+      </column>
+
+      <column name="status" key="sec_since_connect"
+              type='{"type": "integer", "minInteger": 0}'>
+        The amount of time since this client last successfully connected
+        to the database (in seconds). Value is empty if client has never
+        successfully been connected.
+      </column>
+
+      <column name="status" key="sec_since_disconnect"
+              type='{"type": "integer", "minInteger": 0}'>
+        The amount of time since this client last disconnected from the
+        database (in seconds). Value is empty if client has never
+        disconnected.
+      </column>
+
+      <column name="status" key="locks_held">
+        Space-separated list of the names of OVSDB locks that the connection
+        holds.  Omitted if the connection does not hold any locks.
+      </column>
+
+      <column name="status" key="locks_waiting">
+        Space-separated list of the names of OVSDB locks that the connection is
+        currently waiting to acquire.  Omitted if the connection is not waiting
+        for any locks.
+      </column>
+
+      <column name="status" key="locks_lost">
+        Space-separated list of the names of OVSDB locks that the connection
+        has had stolen by another OVSDB client.  Omitted if no locks have been
+        stolen from this connection.
+      </column>
+
+      <column name="status" key="n_connections"
+              type='{"type": "integer", "minInteger": 2}'>
+        When <ref column="target"/> specifies a connection method that
+        listens for inbound connections (e.g. <code>ptcp:</code> or
+        <code>pssl:</code>) and more than one connection is actually active,
+        the value is the number of active connections.  Otherwise, this
+        key-value pair is omitted.
+      </column>
+
+      <column name="status" key="bound_port" type='{"type": "integer"}'>
+        When <ref column="target"/> is <code>ptcp:</code> or
+        <code>pssl:</code>, this is the TCP port on which the OVSDB server is
+        listening.  (This is particularly useful when <ref
+        column="target"/> specifies a port of 0, allowing the kernel to
+        choose any available port.)
+      </column>
+    </group>
+
+    <group title="Common Columns">
+      The overall purpose of these columns is described under <code>Common
+      Columns</code> at the beginning of this document.
+
+      <column name="external_ids"/>
+      <column name="other_config"/>
+    </group>
+  </table>
+</database>
diff --git a/tests/automake.mk b/tests/automake.mk
index ed6240c..8c1630c 100644
--- a/tests/automake.mk
+++ b/tests/automake.mk
@@ -24,6 +24,7 @@ TESTSUITE_AT = \
 	tests/ovn-northd.at \
 	tests/ovn-nbctl.at \
 	tests/ovn-sbctl.at \
+	tests/ovn-ic-nbctl.at \
 	tests/ovn-controller.at \
 	tests/ovn-controller-vtep.at \
 	tests/ovn-macros.at \
@@ -99,6 +100,7 @@ valgrind_wrappers = \
 	tests/valgrind/ovn-nbctl \
 	tests/valgrind/ovn-northd \
 	tests/valgrind/ovn-sbctl \
+	tests/valgrind/ovn-ic-nbctl \
 	tests/valgrind/ovs-appctl \
 	tests/valgrind/ovs-ofctl \
 	tests/valgrind/ovs-vsctl \
diff --git a/tests/ovn-ic-nbctl.at b/tests/ovn-ic-nbctl.at
new file mode 100644
index 0000000..2402d64
--- /dev/null
+++ b/tests/ovn-ic-nbctl.at
@@ -0,0 +1,65 @@
+AT_BANNER([ovn-ic-nbctl])
+
+# OVN_IC_NBCTL_TEST_START
+m4_define([OVN_IC_NBCTL_TEST_START],
+  [dnl Create database (ovn-ic-nb).
+   AT_KEYWORDS([ic_nbctl])
+   AT_CHECK([ovsdb-tool create ovn-ic-nb.db $abs_top_srcdir/ovn-ic-nb.ovsschema])
+
+   dnl Start ovsdb-servers.
+   AT_CHECK([ovsdb-server --detach --no-chdir --pidfile=ovn_ic_nb_db.pid --unixctl=$OVS_RUNDIR/ovn_ic_nb_db.ctl --log-file=ovsdb_ic_nb.log --remote=punix:$OVS_RUNDIR/ovn_ic_nb_db.sock ovn-ic-nb.db ], [0], [], [stderr])
+   on_exit "kill `cat ovn_ic_nb_db.pid`"
+   AT_CHECK([[sed < stderr '
+/vlog|INFO|opened log file/d
+/ovsdb_server|INFO|ovsdb-server (Open vSwitch)/d']])
+   AT_CAPTURE_FILE([ovsdb-server.log])
+])
+
+# OVN_IC_NBCTL_TEST_STOP
+m4_define([OVN_IC_NBCTL_TEST_STOP],
+  [AT_CHECK([check_logs "$1"])
+   OVS_APP_EXIT_AND_WAIT_BY_TARGET([$OVS_RUNDIR/ovn_ic_nb_db.ctl], [$OVS_RUNDIR/ovn_ic_nb_db.pid])])
+
+dnl ---------------------------------------------------------------------
+
+AT_SETUP([ovn-ic-nbctl])
+OVN_IC_NBCTL_TEST_START
+
+AT_CHECK([ovn-ic-nbctl ts-add ts0])
+AT_CHECK([ovn-ic-nbctl ts-list | uuidfilt], [0], [dnl
+<0> (ts0)
+])
+
+AT_CHECK([ovn-ic-nbctl ts-add ts1])
+AT_CHECK([ovn-ic-nbctl ts-list | uuidfilt], [0], [dnl
+<0> (ts0)
+<1> (ts1)
+])
+
+AT_CHECK([ovn-ic-nbctl show | sort], [0], [dnl
+Transit_Switch ts0
+Transit_Switch ts1
+])
+
+AT_CHECK([ovn-ic-nbctl ts-del ts1])
+AT_CHECK([ovn-ic-nbctl ts-list | uuidfilt], [0], [dnl
+<0> (ts0)
+])
+
+AT_CHECK([ovn-ic-nbctl ts-add ts0], [1], [],
+  [ovn-ic-nbctl: ts0: a transit switch with this name already exists
+])
+
+AT_CHECK([ovn-ic-nbctl --may-exist ts-add ts0])
+AT_CHECK([ovn-ic-nbctl ts-list | uuidfilt], [0], [dnl
+<0> (ts0)
+])
+
+AT_CHECK([ovn-ic-nbctl ts-del ts2], [1], [],
+  [ovn-ic-nbctl: ts2: switch name not found
+])
+
+AT_CHECK([ovn-ic-nbctl --if-exists ts-del ts2])
+
+OVN_IC_NBCTL_TEST_STOP
+AT_CLEANUP
diff --git a/tests/testsuite.at b/tests/testsuite.at
index da8157d..aa44a2e 100644
--- a/tests/testsuite.at
+++ b/tests/testsuite.at
@@ -26,6 +26,7 @@ m4_include([tests/ovn-performance.at])
 m4_include([tests/ovn-northd.at])
 m4_include([tests/ovn-nbctl.at])
 m4_include([tests/ovn-sbctl.at])
+m4_include([tests/ovn-ic-nbctl.at])
 m4_include([tests/ovn-controller.at])
 m4_include([tests/ovn-controller-vtep.at])
 m4_include([tests/checkpatch.at])
diff --git a/utilities/.gitignore b/utilities/.gitignore
index ab063fa..6c710fb 100644
--- a/utilities/.gitignore
+++ b/utilities/.gitignore
@@ -3,6 +3,8 @@
 /ovn-nbctl.8
 /ovn-sbctl
 /ovn-sbctl.8
+/ovn-ic-nbctl
+/ovn-ic-nbctl.8
 /ovn-appctl
 /ovn-appctl.8
 /ovn-trace
diff --git a/utilities/automake.mk b/utilities/automake.mk
index 4792799..ac2e034 100644
--- a/utilities/automake.mk
+++ b/utilities/automake.mk
@@ -7,6 +7,7 @@ man_MANS += \
     utilities/ovn-ctl.8 \
     utilities/ovn-nbctl.8 \
     utilities/ovn-sbctl.8 \
+    utilities/ovn-ic-nbctl.8 \
     utilities/ovn-trace.8 \
     utilities/ovn-detrace.1 \
     utilities/ovn-appctl.8
@@ -28,6 +29,7 @@ EXTRA_DIST += \
     utilities/ovn-docker-overlay-driver.in \
     utilities/ovn-docker-underlay-driver.in \
     utilities/ovn-nbctl.8.xml \
+    utilities/ovn-ic-nbctl.8.xml \
     utilities/ovn-appctl.8.xml \
     utilities/ovn-trace.8.xml \
     utilities/ovn-detrace.in \
@@ -51,6 +53,7 @@ CLEANFILES += \
     utilities/ovn-docker-underlay-driver \
     utilities/ovn-nbctl.8 \
     utilities/ovn-sbctl.8 \
+    utilities/ovn-ic-nbctl.8 \
     utilities/ovn-trace.8 \
     utilities/ovn-detrace.1 \
     utilities/ovn-detrace \
@@ -73,6 +76,11 @@ bin_PROGRAMS += utilities/ovn-sbctl
 utilities_ovn_sbctl_SOURCES = utilities/ovn-sbctl.c
 utilities_ovn_sbctl_LDADD = lib/libovn.la $(OVSDB_LIBDIR)/libovsdb.la $(OVS_LIBDIR)/libopenvswitch.la
 
+# ovn-ic-nbctl
+bin_PROGRAMS += utilities/ovn-ic-nbctl
+utilities_ovn_ic_nbctl_SOURCES = utilities/ovn-ic-nbctl.c
+utilities_ovn_ic_nbctl_LDADD = lib/libovn.la $(OVSDB_LIBDIR)/libovsdb.la $(OVS_LIBDIR)/libopenvswitch.la
+
 # ovn-trace
 bin_PROGRAMS += utilities/ovn-trace
 utilities_ovn_trace_SOURCES = utilities/ovn-trace.c
diff --git a/utilities/ovn-ic-nbctl.8.xml b/utilities/ovn-ic-nbctl.8.xml
new file mode 100644
index 0000000..4a70994
--- /dev/null
+++ b/utilities/ovn-ic-nbctl.8.xml
@@ -0,0 +1,174 @@
+<?xml version="1.0" encoding="utf-8"?>
+<manpage program="ovn-ic-nbctl" section="8" title="ovn-ic-nbctl">
+    <h1>Name</h1>
+    <p>ovn-ic-nbctl -- Open Virtual Network interconnection northbound db management utility</p>
+
+    <h1>Synopsis</h1>
+    <p><code>ovn-ic-nbctl</code> [<var>options</var>] <var>command</var> [<var>arg</var>...]</p>
+
+    <h1>Description</h1>
+    <p>This utility can be used to manage the OVN interconnection northbound database.</p>
+
+    <h1>General Commands</h1>
+
+    <dl>
+      <dt><code>init</code></dt>
+      <dd>
+        Initializes the database, if it is empty.  If the database has already
+        been initialized, this command has no effect.
+      </dd>
+
+      <dt><code>show</code></dt>
+      <dd>
+        Prints a brief overview of the database contents.
+      </dd>
+    </dl>
+
+    <h1>Transit Switch Commands</h1>
+
+    <dl>
+      <dt>[<code>--may-exist</code>] <code>ts-add</code> <var>switch</var></dt>
+      <dd>
+        <p>
+          Creates a new transit switch named <var>switch</var>.
+        </p>
+
+        <p>
+          Transit switch names must be unique. Adding a duplicated name results
+          in error.  With <code>--may-exist</code>, adding a duplicate name
+          succeeds but does not create a new transit switch.
+        </p>
+      </dd>
+
+      <dt>[<code>--if-exists</code>] <code>ts-del</code> <var>switch</var></dt>
+      <dd>
+        Deletes <var>switch</var>.  It is an error if <var>switch</var> does
+        not exist, unless <code>--if-exists</code> is specified.
+      </dd>
+
+      <dt><code>ts-list</code></dt>
+      <dd>
+        Lists all existing switches on standard output, one per line.
+      </dd>
+    </dl>
+
+    <h1>Database Commands</h1>
+    <p>These commands query and modify the contents of <code>ovsdb</code> tables.
+    They are a slight abstraction of the <code>ovsdb</code> interface and
+    as such they operate at a lower level than other <code>ovn-ic-nbctl</code> commands.</p>
+    <p><var>Identifying Tables, Records, and Columns</var></p>
+    <p>Each of these commands has a <var>table</var> parameter to identify a table
+    within the database.  Many of them also take a <var>record</var> parameter
+    that identifies a particular record within a table.  The <var>record</var>
+    parameter may be the UUID for a record, which may be abbreviated to its
+    first 4 (or more) hex digits, as long as that is unique.  Many tables offer
+    additional ways to identify records.  Some commands also take
+    <var>column</var> parameters that identify a particular field within the
+    records in a table.</p>
+
+    <p>
+      For a list of tables and their columns, see <code>ovn-ic-nb</code>(5) or
+      see the table listing from the <code>--help</code> option.
+    </p>
+
+    <p>
+      Record names must be specified in full and with correct capitalization,
+      except that UUIDs may be abbreviated to their first 4 (or more) hex
+      digits, as long as that is unique within the table.  Names of tables and
+      columns are not case-sensitive, and <code>-</code> and <code>_</code> are
+      treated interchangeably.  Unique abbreviations of table and column names
+      are acceptable, e.g. <code>t</code> or <code>transit</code> is sufficient
+      to identify the <code>Transit_Switch</code> table.
+    </p>
+
+    <xi:include href="lib/db-ctl-base.xml" xmlns:xi="http://www.w3.org/2003/XInclude"/>
+
+    <h1>Remote Connectivity Commands</h1>
+    <dl>
+      <dt><code>get-connection</code></dt>
+      <dd>
+      Prints the configured connection(s).
+      </dd>
+
+      <dt><code>del-connection</code></dt>
+      <dd>
+      Deletes the configured connection(s).
+      </dd>
+
+      <dt>[<code>--inactivity-probe=</code><var>msecs</var>] <code>set-connection</code> <var>target</var>...</dt>
+      <dd>
+        Sets the configured manager target or targets.  Use
+        <code>--inactivity-probe=</code><var>msecs</var> to override the default
+        idle connection inactivity probe time.  Use 0 to disable inactivity probes.
+      </dd>
+    </dl>
+
+    <h1>SSL Configuration Commands</h1>
+    <dl>
+      <dt><code>get-ssl</code></dt>
+      <dd>
+      Prints the SSL configuration.
+      </dd>
+
+      <dt><code>del-ssl</code></dt>
+      <dd>
+      Deletes the current SSL configuration.
+      </dd>
+
+      <dt>[<code>--bootstrap</code>] <code>set-ssl</code>
+         <var>private-key</var> <var>certificate</var> <var>ca-cert</var>
+         [<var>ssl-protocol-list</var> [<var>ssl-cipher-list</var>]]</dt>
+      <dd>
+      Sets the SSL configuration.
+      </dd>
+    </dl>
+
+    <h1>Options</h1>
+
+    <dl>
+    <dt><code>--db</code> <var>database</var></dt>
+    <dd>
+      The OVSDB database remote to contact.  If the <env>OVN_IC_NB_DB</env>
+      environment variable is set, its value is used as the default.
+      Otherwise, the default is <code>unix:@RUNDIR@/ovn_ic_nb_db.sock</code>, but this
+      default is unlikely to be useful outside of single-machine OVN test
+      environments.
+    </dd>
+
+    <dt><code>--leader-only</code></dt>
+    <dt><code>--no-leader-only</code></dt>
+    <dd>
+      By default, or with <code>--leader-only</code>, when the database server
+      is a clustered database, <code>ovn-ic-nbctl</code> will avoid servers other
+      than the cluster leader.  This ensures that any data that
+      <code>ovn-ic-nbctl</code> reads and reports is up-to-date.  With
+      <code>--no-leader-only</code>, <code>ovn-ic-nbctl</code> will use any server
+      in the cluster, which means that for read-only transactions it can report
+      and act on stale data (transactions that modify the database are always
+      serialized even with <code>--no-leader-only</code>).  Refer to
+      <code>Understanding Cluster Consistency</code> in <code>ovsdb</code>(7)
+      for more information.
+    </dd>
+    </dl>
+
+    <h1>Logging options</h1>
+    <xi:include href="lib/vlog.xml" xmlns:xi="http://www.w3.org/2003/XInclude"/>
+
+    <h1>Table Formatting Options</h1>
+    These options control the format of output from the <code>list</code> and
+    <code>find</code> commands.
+    <xi:include href="lib/table.xml" xmlns:xi="http://www.w3.org/2003/XInclude"/>
+
+    <h2>PKI Options</h2>
+    <p>
+      PKI configuration is required to use SSL for the connection to the
+      database.
+    </p>
+    <xi:include href="lib/ssl.xml" xmlns:xi="http://www.w3.org/2003/XInclude"/>
+    <xi:include href="lib/ssl-bootstrap.xml" xmlns:xi="http://www.w3.org/2003/XInclude"/>
+
+    <h2>Other Options</h2>
+
+    <xi:include href="lib/common.xml" xmlns:xi="http://www.w3.org/2003/XInclude"/>
+
+</manpage>
diff --git a/utilities/ovn-ic-nbctl.c b/utilities/ovn-ic-nbctl.c
new file mode 100644
index 0000000..9f209a9
--- /dev/null
+++ b/utilities/ovn-ic-nbctl.c
@@ -0,0 +1,950 @@
+/*
+ * Copyright (c) 2020 eBay Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <config.h>
+
+#include <ctype.h>
+#include <getopt.h>
+#include <inttypes.h>
+#include <stdarg.h>
+#include <stdlib.h>
+
+#include "command-line.h"
+#include "compiler.h"
+#include "db-ctl-base.h"
+#include "dirs.h"
+#include "fatal-signal.h"
+#include "openvswitch/dynamic-string.h"
+#include "openvswitch/json.h"
+#include "openvswitch/shash.h"
+#include "openvswitch/vconn.h"
+#include "openvswitch/vlog.h"
+#include "lib/ovn-ic-nb-idl.h"
+#include "lib/ovn-util.h"
+#include "openvswitch/poll-loop.h"
+#include "process.h"
+#include "sset.h"
+#include "stream-ssl.h"
+#include "stream.h"
+#include "table.h"
+#include "timeval.h"
+#include "util.h"
+#include "svec.h"
+
+VLOG_DEFINE_THIS_MODULE(ic_nbctl);
+
+struct ic_nbctl_context;
+
+/* --db: The database server to contact. */
+static const char *db;
+
+/* --oneline: Write each command's output as a single line? */
+static bool oneline;
+
+/* --dry-run: Do not commit any changes. */
+static bool dry_run;
+
+/* --timeout: Time to wait for a connection to 'db'. */
+static unsigned int timeout;
+
+/* Format for table output. */
+static struct table_style table_style = TABLE_STYLE_DEFAULT;
+
+/* The IDL we're using and the current transaction, if any.
+ * This is for use by ic_nbctl_exit() only, to allow it to clean up.
+ * Other code should use its context arguments. */
+static struct ovsdb_idl *the_idl;
+static struct ovsdb_idl_txn *the_idl_txn;
+OVS_NO_RETURN static void ic_nbctl_exit(int status);
+
+/* --leader-only, --no-leader-only: Only accept the leader in a cluster. */
+static int leader_only = true;
+
+static void ic_nbctl_cmd_init(void);
+OVS_NO_RETURN static void usage(void);
+static void parse_options(int argc, char *argv[], struct shash *local_options);
+static void run_prerequisites(struct ctl_command[], size_t n_commands,
+                              struct ovsdb_idl *);
+static bool do_ic_nbctl(const char *args, struct ctl_command *, size_t n,
+                     struct ovsdb_idl *);
+
+int
+main(int argc, char *argv[])
+{
+    struct ovsdb_idl *idl;
+    struct ctl_command *commands;
+    struct shash local_options;
+    unsigned int seqno;
+    size_t n_commands;
+
+    set_program_name(argv[0]);
+    fatal_ignore_sigpipe();
+    vlog_set_levels(NULL, VLF_CONSOLE, VLL_WARN);
+    vlog_set_levels_from_string_assert("reconnect:warn");
+
+    ic_nbctl_cmd_init();
+
+    /* Parse command line. */
+    char *args = process_escape_args(argv);
+    shash_init(&local_options);
+    parse_options(argc, argv, &local_options);
+    char *error = ctl_parse_commands(argc - optind, argv + optind,
+                                     &local_options, &commands, &n_commands);
+    if (error) {
+        ctl_fatal("%s", error);
+    }
+    VLOG(ctl_might_write_to_db(commands, n_commands) ? VLL_INFO : VLL_DBG,
+         "Called as %s", args);
+
+    ctl_timeout_setup(timeout);
+
+    /* Initialize IDL. */
+    idl = the_idl = ovsdb_idl_create(db, &icnbrec_idl_class, true, false);
+    ovsdb_idl_set_leader_only(idl, leader_only);
+    run_prerequisites(commands, n_commands, idl);
+
+    /* Execute the commands.
+     *
+     * 'seqno' is the database sequence number for which we last tried to
+     * execute our transaction.  There's no point in trying to commit more than
+     * once for any given sequence number, because if the transaction fails
+     * it's because the database changed and we need to obtain an up-to-date
+     * view of the database before we try the transaction again. */
+    seqno = ovsdb_idl_get_seqno(idl);
+    for (;;) {
+        ovsdb_idl_run(idl);
+        if (!ovsdb_idl_is_alive(idl)) {
+            int retval = ovsdb_idl_get_last_error(idl);
+            ctl_fatal("%s: database connection failed (%s)",
+                        db, ovs_retval_to_string(retval));
+        }
+
+        if (seqno != ovsdb_idl_get_seqno(idl)) {
+            seqno = ovsdb_idl_get_seqno(idl);
+            if (do_ic_nbctl(args, commands, n_commands, idl)) {
+                free(args);
+                exit(EXIT_SUCCESS);
+            }
+        }
+
+        if (seqno == ovsdb_idl_get_seqno(idl)) {
+            ovsdb_idl_wait(idl);
+            poll_block();
+        }
+    }
+}
+
+static void
+parse_options(int argc, char *argv[], struct shash *local_options)
+{
+    enum {
+        OPT_DB = UCHAR_MAX + 1,
+        OPT_ONELINE,
+        OPT_NO_SYSLOG,
+        OPT_DRY_RUN,
+        OPT_LOCAL,
+        OPT_COMMANDS,
+        OPT_OPTIONS,
+        OPT_BOOTSTRAP_CA_CERT,
+        VLOG_OPTION_ENUMS,
+        TABLE_OPTION_ENUMS,
+        SSL_OPTION_ENUMS,
+    };
+    static const struct option global_long_options[] = {
+        {"db", required_argument, NULL, OPT_DB},
+        {"no-syslog", no_argument, NULL, OPT_NO_SYSLOG},
+        {"dry-run", no_argument, NULL, OPT_DRY_RUN},
+        {"oneline", no_argument, NULL, OPT_ONELINE},
+        {"timeout", required_argument, NULL, 't'},
+        {"help", no_argument, NULL, 'h'},
+        {"commands", no_argument, NULL, OPT_COMMANDS},
+        {"options", no_argument, NULL, OPT_OPTIONS},
+        {"leader-only", no_argument, &leader_only, true},
+        {"no-leader-only", no_argument, &leader_only, false},
+        {"version", no_argument, NULL, 'V'},
+        VLOG_LONG_OPTIONS,
+        STREAM_SSL_LONG_OPTIONS,
+        {"bootstrap-ca-cert", required_argument, NULL, OPT_BOOTSTRAP_CA_CERT},
+        TABLE_LONG_OPTIONS,
+        {NULL, 0, NULL, 0},
+    };
+    const int n_global_long_options = ARRAY_SIZE(global_long_options) - 1;
+    char *tmp, *short_options;
+
+    struct option *options;
+    size_t allocated_options;
+    size_t n_options;
+    size_t i;
+
+    tmp = ovs_cmdl_long_options_to_short_options(global_long_options);
+    short_options = xasprintf("+%s", tmp);
+    free(tmp);
+
+    /* We want to parse both global and command-specific options here, but
+     * getopt_long() isn't too convenient for the job.  We copy our global
+     * options into a dynamic array, then append all of the command-specific
+     * options. */
+    options = xmemdup(global_long_options, sizeof global_long_options);
+    allocated_options = ARRAY_SIZE(global_long_options);
+    n_options = n_global_long_options;
+    ctl_add_cmd_options(&options, &n_options, &allocated_options, OPT_LOCAL);
+
+    for (;;) {
+        int idx;
+        int c;
+
+        c = getopt_long(argc, argv, short_options, options, &idx);
+        if (c == -1) {
+            break;
+        }
+
+        switch (c) {
+        case OPT_DB:
+            db = optarg;
+            break;
+
+        case OPT_ONELINE:
+            oneline = true;
+            break;
+
+        case OPT_NO_SYSLOG:
+            vlog_set_levels(&this_module, VLF_SYSLOG, VLL_WARN);
+            break;
+
+        case OPT_DRY_RUN:
+            dry_run = true;
+            break;
+
+        case OPT_LOCAL:
+            if (shash_find(local_options, options[idx].name)) {
+                ctl_fatal("'%s' option specified multiple times",
+                            options[idx].name);
+            }
+            shash_add_nocopy(local_options,
+                             xasprintf("--%s", options[idx].name),
+                             nullable_xstrdup(optarg));
+            break;
+
+        case 'h':
+            usage();
+
+        case OPT_COMMANDS:
+            ctl_print_commands();
+            /* fall through */
+
+        case OPT_OPTIONS:
+            ctl_print_options(global_long_options);
+            /* fall through */
+
+        case 'V':
+            ovs_print_version(0, 0);
+            printf("DB Schema %s\n", icnbrec_get_db_version());
+            exit(EXIT_SUCCESS);
+
+        case 't':
+            if (!str_to_uint(optarg, 10, &timeout) || !timeout) {
+                ctl_fatal("value %s on -t or --timeout is invalid", optarg);
+            }
+            break;
+
+        VLOG_OPTION_HANDLERS
+        TABLE_OPTION_HANDLERS(&table_style)
+        STREAM_SSL_OPTION_HANDLERS
+
+        case OPT_BOOTSTRAP_CA_CERT:
+            stream_ssl_set_ca_cert_file(optarg, true);
+            break;
+
+        case '?':
+            exit(EXIT_FAILURE);
+
+        default:
+            ovs_abort(0, "Internal error when parsing option %d.", c);
+
+        case 0:
+            break;
+        }
+    }
+    free(short_options);
+
+    if (!db) {
+        db = default_ic_nb_db();
+    }
+
+    for (i = n_global_long_options; options[i].name; i++) {
+        free(CONST_CAST(char *, options[i].name));
+    }
+    free(options);
+}
+
+static void
+usage(void)
+{
+    printf("\
+%s: OVN interconnection northbound DB management utility\n\
+\n\
+usage: %s [OPTIONS] COMMAND [ARG...]\n\
+\n\
+General commands:\n\
+  init                       initialize the database\n\
+  show                       print overview of database contents\n\
+\n\
+Transit switch commands:\n\
+  ts-add SWITCH              create a transit switch named SWITCH\n\
+  ts-del SWITCH              delete SWITCH\n\
+  ts-list                    print all transit switches\n\
+\n\
+Connection commands:\n\
+  get-connection             print the connections\n\
+  del-connection             delete the connections\n\
+  [--inactivity-probe=MSECS]\n\
+  set-connection TARGET...   set the list of connections to TARGET...\n\
+\n\
+SSL commands:\n\
+  get-ssl                     print the SSL configuration\n\
+  del-ssl                     delete the SSL configuration\n\
+  set-ssl PRIV-KEY CERT CA-CERT [SSL-PROTOS [SSL-CIPHERS]] \
+set the SSL configuration\n\
+\n\
+%s\
+%s\
+\n\
+Options:\n\
+  --db=DATABASE               connect to DATABASE\n\
+                              (default: %s)\n\
+  --no-leader-only            accept any cluster member, not just the leader\n\
+  -t, --timeout=SECS          wait at most SECS seconds\n\
+  --dry-run                   do not commit changes to database\n\
+  --oneline                   print exactly one line of output per command\n",
+           program_name, program_name, ctl_get_db_cmd_usage(),
+           ctl_list_db_tables_usage(), default_ic_nb_db());
+    table_usage();
+    vlog_usage();
+    printf("\
+  --no-syslog             equivalent to --verbose=ic_nbctl:syslog:warn\n");
+    printf("\n\
+Other options:\n\
+  -h, --help                  display this help message\n\
+  -V, --version               display version information\n");
+    stream_usage("database", true, true, true);
+    exit(EXIT_SUCCESS);
+}
+
+
+/* ovs-ic_nbctl specific context.  Inherits the 'struct ctl_context' as base.
+ * Now empty, just keep the framework for future additions. */
+struct ic_nbctl_context {
+    struct ctl_context base;
+
+    /* A cache of the contents of the database.
+     *
+     * A command that needs to use any of this information must first call
+     * ic_nbctl_context_populate_cache().  A command that changes anything that
+     * could invalidate the cache must either call
+     * ic_nbctl_context_invalidate_cache() or manually update the cache to
+     * maintain its correctness. */
+    bool cache_valid;
+};
+
+static struct cmd_show_table cmd_show_tables[] = {
+    {&icnbrec_table_transit_switch,
+     &icnbrec_transit_switch_col_name,
+     {NULL},
+     {NULL, NULL, NULL}},
+
+    {NULL, NULL, {NULL, NULL, NULL}, {NULL, NULL, NULL}},
+};
+
+static void
+ic_nbctl_init(struct ctl_context *ctx OVS_UNUSED)
+{
+}
+
+static void
+ic_nbctl_ts_add(struct ctl_context *ctx)
+{
+    const char *ts_name = ctx->argv[1];
+    bool may_exist = shash_find(&ctx->options, "--may-exist") != NULL;
+
+    const struct icnbrec_transit_switch *ts;
+    ICNBREC_TRANSIT_SWITCH_FOR_EACH (ts, ctx->idl) {
+        if (!strcmp(ts->name, ts_name)) {
+            if (may_exist) {
+                return;
+            }
+            ctl_error(ctx, "%s: a transit switch with this name already "
+                      "exists", ts_name);
+            return;
+        }
+    }
+
+    ts = icnbrec_transit_switch_insert(ctx->txn);
+    icnbrec_transit_switch_set_name(ts, ts_name);
+}
+
+static char *
+ts_by_name_or_uuid(struct ctl_context *ctx, const char *id, bool must_exist,
+                   const struct icnbrec_transit_switch **ts_p)
+{
+    const struct icnbrec_transit_switch *ts = NULL;
+    *ts_p = NULL;
+
+    struct uuid ts_uuid;
+    bool is_uuid = uuid_from_string(&ts_uuid, id);
+    if (is_uuid) {
+        ts = icnbrec_transit_switch_get_for_uuid(ctx->idl, &ts_uuid);
+    }
+
+    if (!ts) {
+        const struct icnbrec_transit_switch *iter;
+
+        ICNBREC_TRANSIT_SWITCH_FOR_EACH (iter, ctx->idl) {
+            if (!strcmp(iter->name, id)) {
+                ts = iter;
+                break;
+            }
+        }
+    }
+
+    if (!ts && must_exist) {
+        return xasprintf("%s: switch %s not found",
+                         id, is_uuid ? "UUID" : "name");
+    }
+
+    *ts_p = ts;
+    return NULL;
+}
+
+static void
+ic_nbctl_ts_del(struct ctl_context *ctx)
+{
+    bool must_exist = !shash_find(&ctx->options, "--if-exists");
+    const char *id = ctx->argv[1];
+    const struct icnbrec_transit_switch *ts = NULL;
+
+    char *error = ts_by_name_or_uuid(ctx, id, must_exist, &ts);
+    if (error) {
+        ctx->error = error;
+        return;
+    }
+    if (!ts) {
+        return;
+    }
+
+    icnbrec_transit_switch_delete(ts);
+}
+
+static void
+ic_nbctl_ts_list(struct ctl_context *ctx)
+{
+    const struct icnbrec_transit_switch *ts;
+    struct smap switches;
+
+    smap_init(&switches);
+    ICNBREC_TRANSIT_SWITCH_FOR_EACH (ts, ctx->idl) {
+        smap_add_format(&switches, ts->name, UUID_FMT " (%s)",
+                        UUID_ARGS(&ts->header_.uuid), ts->name);
+    }
+    const struct smap_node **nodes = smap_sort(&switches);
+    for (size_t i = 0; i < smap_count(&switches); i++) {
+        const struct smap_node *node = nodes[i];
+        ds_put_format(&ctx->output, "%s\n", node->value);
+    }
+    smap_destroy(&switches);
+    free(nodes);
+}
+static void
+verify_connections(struct ctl_context *ctx)
+{
+    const struct icnbrec_ic_nb_global *ic_nb_global =
+        icnbrec_ic_nb_global_first(ctx->idl);
+    const struct icnbrec_connection *conn;
+
+    icnbrec_ic_nb_global_verify_connections(ic_nb_global);
+
+    ICNBREC_CONNECTION_FOR_EACH (conn, ctx->idl) {
+        icnbrec_connection_verify_target(conn);
+    }
+}
+
+static void
+pre_connection(struct ctl_context *ctx)
+{
+    ovsdb_idl_add_column(ctx->idl, &icnbrec_ic_nb_global_col_connections);
+    ovsdb_idl_add_column(ctx->idl, &icnbrec_connection_col_target);
+    ovsdb_idl_add_column(ctx->idl, &icnbrec_connection_col_inactivity_probe);
+}
+
+static void
+cmd_get_connection(struct ctl_context *ctx)
+{
+    const struct icnbrec_connection *conn;
+    struct svec targets;
+    size_t i;
+
+    verify_connections(ctx);
+
+    /* Print the targets in sorted order for reproducibility. */
+    svec_init(&targets);
+
+    ICNBREC_CONNECTION_FOR_EACH (conn, ctx->idl) {
+        svec_add(&targets, conn->target);
+    }
+
+    svec_sort_unique(&targets);
+    for (i = 0; i < targets.n; i++) {
+        ds_put_format(&ctx->output, "%s\n", targets.names[i]);
+    }
+    svec_destroy(&targets);
+}
+
+static void
+delete_connections(struct ctl_context *ctx)
+{
+    const struct icnbrec_ic_nb_global *ic_nb_global =
+        icnbrec_ic_nb_global_first(ctx->idl);
+    const struct icnbrec_connection *conn, *next;
+
+    /* Delete Manager rows pointed to by 'connection_options' column. */
+    ICNBREC_CONNECTION_FOR_EACH_SAFE (conn, next, ctx->idl) {
+        icnbrec_connection_delete(conn);
+    }
+
+    /* Delete 'Manager' row refs in 'manager_options' column. */
+    icnbrec_ic_nb_global_set_connections(ic_nb_global, NULL, 0);
+}
+
+static void
+cmd_del_connection(struct ctl_context *ctx)
+{
+    verify_connections(ctx);
+    delete_connections(ctx);
+}
+
+static void
+insert_connections(struct ctl_context *ctx, char *targets[], size_t n)
+{
+    const struct icnbrec_ic_nb_global *ic_nb_global =
+        icnbrec_ic_nb_global_first(ctx->idl);
+    struct icnbrec_connection **connections;
+    size_t i, conns = 0;
+    const char *inactivity_probe = shash_find_data(&ctx->options,
+                                                   "--inactivity-probe");
+
+    /* Insert each connection in a new row in Connection table. */
+    connections = xmalloc(n * sizeof *connections);
+    for (i = 0; i < n; i++) {
+        if (stream_verify_name(targets[i]) &&
+                   pstream_verify_name(targets[i])) {
+            VLOG_WARN("target type \"%s\" is possibly erroneous", targets[i]);
+        }
+
+        connections[conns] = icnbrec_connection_insert(ctx->txn);
+        icnbrec_connection_set_target(connections[conns], targets[i]);
+        if (inactivity_probe) {
+            int64_t msecs = atoll(inactivity_probe);
+            icnbrec_connection_set_inactivity_probe(connections[conns],
+                                                  &msecs, 1);
+        }
+        conns++;
+    }
+
+    /* Store uuids of new connection rows in 'connection' column. */
+    icnbrec_ic_nb_global_set_connections(ic_nb_global, connections, conns);
+    free(connections);
+}
+
+static void
+cmd_set_connection(struct ctl_context *ctx)
+{
+    const size_t n = ctx->argc - 1;
+
+    verify_connections(ctx);
+    delete_connections(ctx);
+    insert_connections(ctx, &ctx->argv[1], n);
+}
+
+static void
+pre_cmd_get_ssl(struct ctl_context *ctx)
+{
+    ovsdb_idl_add_column(ctx->idl, &icnbrec_ic_nb_global_col_ssl);
+
+    ovsdb_idl_add_column(ctx->idl, &icnbrec_ssl_col_private_key);
+    ovsdb_idl_add_column(ctx->idl, &icnbrec_ssl_col_certificate);
+    ovsdb_idl_add_column(ctx->idl, &icnbrec_ssl_col_ca_cert);
+    ovsdb_idl_add_column(ctx->idl, &icnbrec_ssl_col_bootstrap_ca_cert);
+}
+
+static void
+cmd_get_ssl(struct ctl_context *ctx)
+{
+    const struct icnbrec_ic_nb_global *ic_nb_global =
+        icnbrec_ic_nb_global_first(ctx->idl);
+    const struct icnbrec_ssl *ssl = icnbrec_ssl_first(ctx->idl);
+
+    icnbrec_ic_nb_global_verify_ssl(ic_nb_global);
+    if (ssl) {
+        icnbrec_ssl_verify_private_key(ssl);
+        icnbrec_ssl_verify_certificate(ssl);
+        icnbrec_ssl_verify_ca_cert(ssl);
+        icnbrec_ssl_verify_bootstrap_ca_cert(ssl);
+
+        ds_put_format(&ctx->output, "Private key: %s\n", ssl->private_key);
+        ds_put_format(&ctx->output, "Certificate: %s\n", ssl->certificate);
+        ds_put_format(&ctx->output, "CA Certificate: %s\n", ssl->ca_cert);
+        ds_put_format(&ctx->output, "Bootstrap: %s\n",
+                ssl->bootstrap_ca_cert ? "true" : "false");
+    }
+}
+
+static void
+pre_cmd_del_ssl(struct ctl_context *ctx)
+{
+    ovsdb_idl_add_column(ctx->idl, &icnbrec_ic_nb_global_col_ssl);
+}
+
+static void
+cmd_del_ssl(struct ctl_context *ctx)
+{
+    const struct icnbrec_ic_nb_global *ic_nb_global =
+        icnbrec_ic_nb_global_first(ctx->idl);
+    const struct icnbrec_ssl *ssl = icnbrec_ssl_first(ctx->idl);
+
+    if (ssl) {
+        icnbrec_ic_nb_global_verify_ssl(ic_nb_global);
+        icnbrec_ssl_delete(ssl);
+        icnbrec_ic_nb_global_set_ssl(ic_nb_global, NULL);
+    }
+}
+
+static void
+pre_cmd_set_ssl(struct ctl_context *ctx)
+{
+    ovsdb_idl_add_column(ctx->idl, &icnbrec_ic_nb_global_col_ssl);
+}
+
+static void
+cmd_set_ssl(struct ctl_context *ctx)
+{
+    bool bootstrap = shash_find(&ctx->options, "--bootstrap");
+    const struct icnbrec_ic_nb_global *ic_nb_global =
+        icnbrec_ic_nb_global_first(ctx->idl);
+    const struct icnbrec_ssl *ssl = icnbrec_ssl_first(ctx->idl);
+
+    icnbrec_ic_nb_global_verify_ssl(ic_nb_global);
+    if (ssl) {
+        icnbrec_ssl_delete(ssl);
+    }
+    ssl = icnbrec_ssl_insert(ctx->txn);
+
+    icnbrec_ssl_set_private_key(ssl, ctx->argv[1]);
+    icnbrec_ssl_set_certificate(ssl, ctx->argv[2]);
+    icnbrec_ssl_set_ca_cert(ssl, ctx->argv[3]);
+
+    icnbrec_ssl_set_bootstrap_ca_cert(ssl, bootstrap);
+
+    if (ctx->argc == 5) {
+        icnbrec_ssl_set_ssl_protocols(ssl, ctx->argv[4]);
+    } else if (ctx->argc == 6) {
+        icnbrec_ssl_set_ssl_protocols(ssl, ctx->argv[4]);
+        icnbrec_ssl_set_ssl_ciphers(ssl, ctx->argv[5]);
+    }
+
+    icnbrec_ic_nb_global_set_ssl(ic_nb_global, ssl);
+}
+
+
+static const struct ctl_table_class tables[ICNBREC_N_TABLES] = {
+    [ICNBREC_TABLE_TRANSIT_SWITCH].row_ids[0] =
+    {&icnbrec_transit_switch_col_name, NULL, NULL},
+};
+
+
+static void
+ic_nbctl_context_init_command(struct ic_nbctl_context *ic_nbctl_ctx,
+                           struct ctl_command *command)
+{
+    ctl_context_init_command(&ic_nbctl_ctx->base, command);
+}
+
+static void
+ic_nbctl_context_init(struct ic_nbctl_context *ic_nbctl_ctx,
+                   struct ctl_command *command, struct ovsdb_idl *idl,
+                   struct ovsdb_idl_txn *txn,
+                   struct ovsdb_symbol_table *symtab)
+{
+    ctl_context_init(&ic_nbctl_ctx->base, command, idl, txn, symtab,
+                     NULL);
+    ic_nbctl_ctx->cache_valid = false;
+}
+
+static void
+ic_nbctl_context_done_command(struct ic_nbctl_context *ic_nbctl_ctx,
+                           struct ctl_command *command)
+{
+    ctl_context_done_command(&ic_nbctl_ctx->base, command);
+}
+
+static void
+ic_nbctl_context_done(struct ic_nbctl_context *ic_nbctl_ctx,
+                   struct ctl_command *command)
+{
+    ctl_context_done(&ic_nbctl_ctx->base, command);
+}
+
+static void
+run_prerequisites(struct ctl_command *commands, size_t n_commands,
+                  struct ovsdb_idl *idl)
+{
+    ovsdb_idl_add_table(idl, &icnbrec_table_ic_nb_global);
+
+    for (struct ctl_command *c = commands; c < &commands[n_commands]; c++) {
+        if (c->syntax->prerequisites) {
+            struct ic_nbctl_context ic_nbctl_ctx;
+
+            ds_init(&c->output);
+            c->table = NULL;
+
+            ic_nbctl_context_init(&ic_nbctl_ctx, c, idl, NULL, NULL);
+            (c->syntax->prerequisites)(&ic_nbctl_ctx.base);
+            if (ic_nbctl_ctx.base.error) {
+                ctl_fatal("%s", ic_nbctl_ctx.base.error);
+            }
+            ic_nbctl_context_done(&ic_nbctl_ctx, c);
+
+            ovs_assert(!c->output.string);
+            ovs_assert(!c->table);
+        }
+    }
+}
+
+static bool
+do_ic_nbctl(const char *args, struct ctl_command *commands, size_t n_commands,
+         struct ovsdb_idl *idl)
+{
+    struct ovsdb_idl_txn *txn;
+    enum ovsdb_idl_txn_status status;
+    struct ovsdb_symbol_table *symtab;
+    struct ic_nbctl_context ic_nbctl_ctx;
+    struct ctl_command *c;
+    struct shash_node *node;
+
+    txn = the_idl_txn = ovsdb_idl_txn_create(idl);
+    if (dry_run) {
+        ovsdb_idl_txn_set_dry_run(txn);
+    }
+
+    ovsdb_idl_txn_add_comment(txn, "ovs-ic_nbctl: %s", args);
+
+    const struct icnbrec_ic_nb_global *inb = icnbrec_ic_nb_global_first(idl);
+    if (!inb) {
+        /* XXX add verification that table is empty */
+        icnbrec_ic_nb_global_insert(txn);
+    }
+
+    symtab = ovsdb_symbol_table_create();
+    for (c = commands; c < &commands[n_commands]; c++) {
+        ds_init(&c->output);
+        c->table = NULL;
+    }
+    ic_nbctl_context_init(&ic_nbctl_ctx, NULL, idl, txn, symtab);
+    for (c = commands; c < &commands[n_commands]; c++) {
+        ic_nbctl_context_init_command(&ic_nbctl_ctx, c);
+        if (c->syntax->run) {
+            (c->syntax->run)(&ic_nbctl_ctx.base);
+        }
+        if (ic_nbctl_ctx.base.error) {
+            ctl_fatal("%s", ic_nbctl_ctx.base.error);
+        }
+        ic_nbctl_context_done_command(&ic_nbctl_ctx, c);
+
+        if (ic_nbctl_ctx.base.try_again) {
+            ic_nbctl_context_done(&ic_nbctl_ctx, NULL);
+            goto try_again;
+        }
+    }
+    ic_nbctl_context_done(&ic_nbctl_ctx, NULL);
+
+    SHASH_FOR_EACH (node, &symtab->sh) {
+        struct ovsdb_symbol *symbol = node->data;
+        if (!symbol->created) {
+            ctl_fatal("row id \"%s\" is referenced but never created (e.g. "
+                      "with \"-- --id=%s create ...\")",
+                      node->name, node->name);
+        }
+        if (!symbol->strong_ref) {
+            if (!symbol->weak_ref) {
+                VLOG_WARN("row id \"%s\" was created but no reference to it "
+                          "was inserted, so it will not actually appear in "
+                          "the database", node->name);
+            } else {
+                VLOG_WARN("row id \"%s\" was created but only a weak "
+                          "reference to it was inserted, so it will not "
+                          "actually appear in the database", node->name);
+            }
+        }
+    }
+
+    status = ovsdb_idl_txn_commit_block(txn);
+    if (status == TXN_UNCHANGED || status == TXN_SUCCESS) {
+        for (c = commands; c < &commands[n_commands]; c++) {
+            if (c->syntax->postprocess) {
+                ic_nbctl_context_init(&ic_nbctl_ctx, c, idl, txn, symtab);
+                (c->syntax->postprocess)(&ic_nbctl_ctx.base);
+                if (ic_nbctl_ctx.base.error) {
+                    ctl_fatal("%s", ic_nbctl_ctx.base.error);
+                }
+                ic_nbctl_context_done(&ic_nbctl_ctx, c);
+            }
+        }
+    }
+
+    switch (status) {
+    case TXN_UNCOMMITTED:
+    case TXN_INCOMPLETE:
+        OVS_NOT_REACHED();
+
+    case TXN_ABORTED:
+        /* Should not happen--we never call ovsdb_idl_txn_abort(). */
+        ctl_fatal("transaction aborted");
+
+    case TXN_UNCHANGED:
+    case TXN_SUCCESS:
+        break;
+
+    case TXN_TRY_AGAIN:
+        goto try_again;
+
+    case TXN_ERROR:
+        ctl_fatal("transaction error: %s", ovsdb_idl_txn_get_error(txn));
+
+    case TXN_NOT_LOCKED:
+        /* Should not happen--we never call ovsdb_idl_set_lock(). */
+        ctl_fatal("database not locked");
+
+    default:
+        OVS_NOT_REACHED();
+    }
+
+    ovsdb_symbol_table_destroy(symtab);
+
+    for (c = commands; c < &commands[n_commands]; c++) {
+        struct ds *ds = &c->output;
+
+        if (c->table) {
+            table_print(c->table, &table_style);
+        } else if (oneline) {
+            size_t j;
+
+            ds_chomp(ds, '\n');
+            for (j = 0; j < ds->length; j++) {
+                int ch = ds->string[j];
+                switch (ch) {
+                case '\n':
+                    fputs("\\n", stdout);
+                    break;
+
+                case '\\':
+                    fputs("\\\\", stdout);
+                    break;
+
+                default:
+                    putchar(ch);
+                }
+            }
+            putchar('\n');
+        } else {
+            fputs(ds_cstr(ds), stdout);
+        }
+        ds_destroy(&c->output);
+        table_destroy(c->table);
+        free(c->table);
+
+        shash_destroy_free_data(&c->options);
+    }
+    free(commands);
+    ovsdb_idl_txn_destroy(txn);
+    ovsdb_idl_destroy(idl);
+
+    return true;
+
+try_again:
+    /* Our transaction needs to be rerun, or a prerequisite was not met.  Free
+     * resources and return so that the caller can try again. */
+    ovsdb_idl_txn_abort(txn);
+    ovsdb_idl_txn_destroy(txn);
+    the_idl_txn = NULL;
+
+    ovsdb_symbol_table_destroy(symtab);
+    for (c = commands; c < &commands[n_commands]; c++) {
+        ds_destroy(&c->output);
+        table_destroy(c->table);
+        free(c->table);
+    }
+    return false;
+}
+
+/* Frees the current transaction and the underlying IDL and then calls
+ * exit(status).
+ *
+ * Freeing the transaction and the IDL is not strictly necessary, but it makes
+ * for a clean memory leak report from valgrind in the normal case.  That makes
+ * it easier to notice real memory leaks. */
+static void
+ic_nbctl_exit(int status)
+{
+    if (the_idl_txn) {
+        ovsdb_idl_txn_abort(the_idl_txn);
+        ovsdb_idl_txn_destroy(the_idl_txn);
+    }
+    ovsdb_idl_destroy(the_idl);
+    exit(status);
+}
+
+static const struct ctl_command_syntax ic_nbctl_commands[] = {
+    { "init", 0, 0, "", NULL, ic_nbctl_init, NULL, "", RW },
+
+    /* transit switch commands. */
+    { "ts-add", 1, 1, "SWITCH", NULL, ic_nbctl_ts_add, NULL, "--may-exist", RW },
+    { "ts-del", 1, 1, "SWITCH", NULL, ic_nbctl_ts_del, NULL, "--if-exists", RW },
+    { "ts-list", 0, 0, "", NULL, ic_nbctl_ts_list, NULL, "", RO },
+
+    /* Connection commands. */
+    {"get-connection", 0, 0, "", pre_connection, cmd_get_connection, NULL, "",
+        RO},
+    {"del-connection", 0, 0, "", pre_connection, cmd_del_connection, NULL, "",
+        RW},
+    {"set-connection", 1, INT_MAX, "TARGET...", pre_connection,
+        cmd_set_connection, NULL, "--inactivity-probe=", RW},
+
+    /* SSL commands. */
+    {"get-ssl", 0, 0, "", pre_cmd_get_ssl, cmd_get_ssl, NULL, "", RO},
+    {"del-ssl", 0, 0, "", pre_cmd_del_ssl, cmd_del_ssl, NULL, "", RW},
+    {"set-ssl", 3, 5,
+        "PRIVATE-KEY CERTIFICATE CA-CERT [SSL-PROTOS [SSL-CIPHERS]]",
+        pre_cmd_set_ssl, cmd_set_ssl, NULL, "--bootstrap", RW},
+
+    {NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, RO},
+};
+
+/* Registers ic_nbctl and common db commands. */
+static void
+ic_nbctl_cmd_init(void)
+{
+    ctl_init(&icnbrec_idl_class, icnbrec_table_classes, tables,
+             cmd_show_tables, ic_nbctl_exit);
+    ctl_register_commands(ic_nbctl_commands);
+}
-- 
2.1.0



More information about the dev mailing list