ovn-controller-vtep(8)            OVN Manual            ovn-controller-vtep(8)

NAME

       ovn-controller-vtep - Open Virtual Network local controller for vtep
       enabled physical switches.

SYNOPSIS

       ovn-controller-vtep [options] [--vtep-db=vtep-database]
       [--ovnsb-db=ovnsb-database]

DESCRIPTION

       ovn-controller-vtep is the local controller daemon in OVN, the Open
       Virtual Network, for VTEP enabled physical switches. It connects up to
       the OVN Southbound database (see ovn-sb(5)) over the OVSDB protocol,
       and down to the VTEP database (see vtep(5)) over the OVSDB protocol.

   PKI Options
       PKI configuration is required in order to use SSL for the connections
       to the VTEP and Southbound databases.

              -p privkey.pem
              --private-key=privkey.pem
                     Specifies a PEM file containing the private key used as
                     identity for outgoing SSL connections.

              -c cert.pem
              --certificate=cert.pem
                     Specifies a PEM file containing a certificate that
                     certifies the private key specified on -p or
                     --private-key to be trustworthy. The certificate must be
                     signed by the certificate authority (CA) that the peer
                     in SSL connections will use to verify it.

              -C cacert.pem
              --ca-cert=cacert.pem
                     Specifies a PEM file containing the CA certificate for
                     verifying certificates presented to this program by SSL
                     peers. (This may be the same certificate that SSL peers
                     use to verify the certificate specified on -c or
                     --certificate, or it may be a different one, depending
                     on the PKI design in use.)

              -C none
              --ca-cert=none
                     Disables verification of certificates presented by SSL
                     peers. This introduces a security risk, because it means
                     that certificates cannot be verified to be those of
                     known trusted hosts.

              --bootstrap-ca-cert=cacert.pem
                     When cacert.pem exists, this option has the same effect
                     as -C or --ca-cert. If it does not exist, then the
                     executable will attempt to obtain the CA certificate
                     from the SSL peer on its first SSL connection and save
                     it to the named PEM file. If it is successful, it will
                     immediately drop the connection and reconnect, and from
                     then on all SSL connections must be authenticated by a
                     certificate signed by the CA certificate thus obtained.

                     This option exposes the SSL connection to a
                     man-in-the-middle attack while it obtains the initial CA
                     certificate, but it may be useful for bootstrapping.

                     This option is only useful if the SSL peer sends its CA
                     certificate as part of the SSL certificate chain. The
                     SSL protocol does not require the server to send the CA
                     certificate.

                     This option is mutually exclusive with -C and --ca-cert.

              --peer-ca-cert=peer-cacert.pem
                     Specifies a PEM file that contains one or more additional
                     certificates to send to SSL peers. peer-cacert.pem should
                     be the CA certificate used to sign the program’s own
                     certificate, that is, the certificate specified on -c or
                     --certificate. If the program’s certificate is
                     self-signed, then --certificate and --peer-ca-cert should
                     specify the same file.

                     This option is not useful in normal operation, because
                     the SSL peer must already have the CA certificate for the
                     peer to have any confidence in the program’s identity.
                     However, this offers a way for a new installation to
                     bootstrap the CA certificate on its first SSL connection.

CONFIGURATION

       ovn-controller-vtep retrieves its configuration information from both
       the ovnsb and the vtep database. If the database locations are not
       given on the command line, the default is the db.sock in the local
       OVSDB’s ’run’ directory. The database location must take one of the
       following forms:

              ·      ssl:host:port

                     The specified SSL port on the given host, which can
                     either be a DNS name (if built with unbound library) or
                     an IP address (IPv4 or IPv6). If host is an IPv6 address,
                     then wrap host with square brackets, e.g.:
                     ssl:[::1]:6640. The --private-key, --certificate and
                     either of --ca-cert or --bootstrap-ca-cert options are
                     mandatory when this form is used.

              ·      tcp:host:port

                     Connect to the given TCP port on host, where host can be
                     a DNS name (if built with unbound library) or IP address
                     (IPv4 or IPv6). If host is an IPv6 address, then wrap
                     host with square brackets, e.g.: tcp:[::1]:6640.

              ·      unix:file

                     On POSIX, connect to the Unix domain server socket named
                     file.

                     On Windows, connect to a localhost TCP port whose value
                     is written in file.
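
       The following is an added example, not part of the OVN manual or code
       base: a Python pre-flight audit that applies the rules stated under
       PKI Options and CONFIGURATION to an ovn-controller-vtep argument list.
       The function names, the SAMPLE list and the finding texts are
       illustrative assumptions.

```python
import os
import re

# Short spellings from the PKI Options section mapped to their long forms.
ALIASES = {"-p": "--private-key", "-c": "--certificate", "-C": "--ca-cert"}
# host: bracketed IPv6 address, or a DNS name / IPv4 address (no colons).
REMOTE = re.compile(r"^(ssl|tcp):(\[[0-9A-Fa-f:.]+\]|[^\[\]:]+):(\d+)$")

def parse(argv):
    """Collect '--opt=value' and '-x value' pairs into a dict."""
    opts, it = {}, iter(argv)
    for arg in it:
        if arg in ALIASES:
            opts[ALIASES[arg]] = next(it, "")
        elif arg.startswith("--") and "=" in arg:
            opts.update([arg.split("=", 1)])  # one (key, value) pair
    return opts

def audit(argv):
    """Return a list of findings for one ovn-controller-vtep argument list."""
    opts, findings, uses_ssl = parse(argv), [], False
    for db in ("--vtep-db", "--ovnsb-db"):
        remote = opts.get(db)
        if remote is None or remote.startswith("unix:"):
            continue  # default db.sock or an explicit Unix socket
        m = REMOTE.match(remote)
        if not m:
            findings.append(f"{db}: {remote!r} is malformed (IPv6 hosts need [brackets])")
        elif m.group(1) == "tcp":
            findings.append(f"{db}: tcp: form, the connection does not use SSL")
        else:
            uses_ssl = True
    ca, boot = opts.get("--ca-cert"), opts.get("--bootstrap-ca-cert")
    if ca is not None and boot is not None:
        findings.append("--bootstrap-ca-cert is mutually exclusive with -C/--ca-cert")
    if ca == "none":
        findings.append("--ca-cert=none: peer certificates are not verified")
    if boot is not None and not os.path.exists(boot):
        findings.append(f"--bootstrap-ca-cert: {boot} absent, the CA certificate "
                        "will be taken from the peer on the first connection")
    if uses_ssl:
        missing = [o for o in ("--private-key", "--certificate") if o not in opts]
        findings += [f"ssl: form requires {o}" for o in missing]
        if ca is None and boot is None:
            findings.append("ssl: form requires --ca-cert or --bootstrap-ca-cert")
    return findings

# Constructed sample argument list (not from a real deployment).
SAMPLE = ["--ovnsb-db=ssl:::1:6642", "--ca-cert=none", "-p", "privkey.pem"]
```

       An empty list from audit() means the argument list satisfies every
       rule checked; it does not validate the certificate files themselves.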
OVN 20.12.0                   ovn-controller-vtep       ovn-controller-vtep(8)