ovn-controller-vtep(8)                OVN Manual               ovn-controller-vtep(8)

NAME
       ovn-controller-vtep - Open Virtual Network local controller for VTEP
       enabled physical switches.

SYNOPSIS
       ovn-controller-vtep [options] [--vtep-db=vtep-database]
       [--ovnsb-db=ovnsb-database]

DESCRIPTION
       ovn-controller-vtep is the local controller daemon in OVN, the Open
       Virtual Network, for VTEP enabled physical switches. It connects up to
       the OVN Southbound database (see ovn-sb(5)) over the OVSDB protocol,
       and down to the VTEP database (see vtep(5)) over the OVSDB protocol.

   PKI Options
       PKI configuration is required in order to use SSL for the connections
       to the VTEP and Southbound databases.

       -p privkey.pem
       --private-key=privkey.pem
              Specifies a PEM file containing the private key used as
              identity for outgoing SSL connections.

       -c cert.pem
       --certificate=cert.pem
              Specifies a PEM file containing a certificate that certifies
              the private key specified on -p or --private-key to be
              trustworthy. The certificate must be signed by the certificate
              authority (CA) that the peer in SSL connections will use to
              verify it.

       -C cacert.pem
       --ca-cert=cacert.pem
              Specifies a PEM file containing the CA certificate for
              verifying certificates presented to this program by SSL peers.
              (This may be the same certificate that SSL peers use to verify
              the certificate specified on -c or --certificate, or it may be
              a different one, depending on the PKI design in use.)

       -C none
       --ca-cert=none
              Disables verification of certificates presented by SSL peers.
              This introduces a security risk, because it means that
              certificates cannot be verified to be those of known trusted
              hosts.

       --bootstrap-ca-cert=cacert.pem
              When cacert.pem exists, this option has the same effect as -C
              or --ca-cert. If it does not exist, then the executable will
              attempt to obtain the CA certificate from the SSL peer on its
              first SSL connection and save it to the named PEM file. If it
              is successful, it will immediately drop the connection and
              reconnect, and from then on all SSL connections must be
              authenticated by a certificate signed by the CA certificate
              thus obtained.

              This option exposes the SSL connection to a man-in-the-middle
              attack obtaining the initial CA certificate, but it may be
              useful for bootstrapping.

              This option is only useful if the SSL peer sends its CA
              certificate as part of the SSL certificate chain. The SSL
              protocol does not require the server to send the CA
              certificate.

              This option is mutually exclusive with -C and --ca-cert.

       --peer-ca-cert=peer-cacert.pem
              Specifies a PEM file that contains one or more additional
              certificates to send to SSL peers. peer-cacert.pem should be
              the CA certificate used to sign the program’s own certificate,
              that is, the certificate specified on -c or --certificate. If
              the program’s certificate is self-signed, then --certificate
              and --peer-ca-cert should specify the same file.

              This option is not useful in normal operation, because the SSL
              peer must already have the CA certificate for the peer to have
              any confidence in the program’s identity. However, this offers
              a way for a new installation to bootstrap the CA certificate on
              its first SSL connection.

CONFIGURATION
       ovn-controller-vtep retrieves its configuration information from both
       the ovnsb and the vtep database. If the database locations are not
       given on the command line, the default is the db.sock in the local
       OVSDB’s ’run’ directory. The database location must take one of the
       following forms:

              · ssl:host:port

                The specified SSL port on the given host, which can either
                be a DNS name (if built with the unbound library) or an IP
                address (IPv4 or IPv6). If host is an IPv6 address, then
                wrap host with square brackets, e.g.: ssl:[::1]:6640. The
                --private-key, --certificate and either of --ca-cert or
                --bootstrap-ca-cert options are mandatory when this form is
                used.

              · tcp:host:port

                Connect to the given TCP port on host, where host can be a
                DNS name (if built with the unbound library) or IP address
                (IPv4 or IPv6). If host is an IPv6 address, then wrap host
                with square brackets, e.g.: tcp:[::1]:6640.

              · unix:file

                On POSIX, connect to the Unix domain server socket named
                file.

                On Windows, connect to a localhost TCP port whose value is
                written in file.

OVN 20.03.0                       ovn-controller-vtep           ovn-controller-vtep(8)