1ovn-controller-vtep(8) OVN Manual ovn-controller-vtep(8)
2
3
4
6 ovn-controller-vtep - Open Virtual Network local controller for vtep
7 enabled physical switches.
8
10 ovn-controller-vtep [options] [--vtep-db=vtep-database] [--ovnsb-
11 db=ovnsb-database]
12
14 ovn-controller-vtep is the local controller daemon in OVN, the Open
15 Virtual Network, for VTEP enabled physical switches. It connects up to
16 the OVN Southbound database (see ovn-sb(5)) over the OVSDB protocol,
17 and down to the VTEP database (see vtep(5)) over the OVSDB protocol.
18
19 PKI Options
20 PKI configuration is required in order to use SSL for the connections
21 to the VTEP and Southbound databases.
22
23 -p privkey.pem
24 --private-key=privkey.pem
25 Specifies a PEM file containing the private key used as
26 identity for outgoing SSL connections.
27
28 -c cert.pem
29 --certificate=cert.pem
30 Specifies a PEM file containing a certificate that certi‐
31 fies the private key specified on -p or --private-key to be
32 trustworthy. The certificate must be signed by the certifi‐
33 cate authority (CA) that the peer in SSL connections will
34 use to verify it.
35
36 -C cacert.pem
37 --ca-cert=cacert.pem
38 Specifies a PEM file containing the CA certificate for ver‐
39 ifying certificates presented to this program by SSL peers.
40 (This may be the same certificate that SSL peers use to
41 verify the certificate specified on -c or --certificate, or
42 it may be a different one, depending on the PKI design in
43 use.)
44
45 -C none
46 --ca-cert=none
47 Disables verification of certificates presented by SSL
48 peers. This introduces a security risk, because it means
49 that certificates cannot be verified to be those of known
50 trusted hosts.
51
52 --bootstrap-ca-cert=cacert.pem
53 When cacert.pem exists, this option has the same effect
54 as -C or --ca-cert. If it does not exist, then the exe‐
55 cutable will attempt to obtain the CA certificate from
56 the SSL peer on its first SSL connection and save it to
57 the named PEM file. If it is successful, it will immedi‐
58 ately drop the connection and reconnect, and from then on
59 all SSL connections must be authenticated by a certifi‐
60 cate signed by the CA certificate thus obtained.
61
62 This option exposes the SSL connection to a man-in-the-
63 middle attack obtaining the initial CA certificate, but
64 it may be useful for bootstrapping.
65
66 This option is only useful if the SSL peer sends its CA
67 certificate as part of the SSL certificate chain. The SSL
68 protocol does not require the server to send the CA cer‐
69 tificate.
70
71 This option is mutually exclusive with -C and --ca-cert.
72
73 --peer-ca-cert=peer-cacert.pem
74 Specifies a PEM file that contains one or more additional
75 certificates to send to SSL peers. peer-cacert.pem should
76 be the CA certificate used to sign the program’s own cer‐
77 tificate, that is, the certificate specified on -c or
78 --certificate. If the program’s certificate is self-
79 signed, then --certificate and --peer-ca-cert should
80 specify the same file.
81
82 This option is not useful in normal operation, because
83 the SSL peer must already have the CA certificate for the
84 peer to have any confidence in the program’s identity.
85 However, this offers a way for a new installation to
86 bootstrap the CA certificate on its first SSL connection.
87
89 ovn-controller-vtep retrieves its configuration information from both
90 the ovnsb and the vtep database. If the database locations are not
91 given from command line, the default is the db.sock in local OVSDB’s
92 ’run’ directory. The database location must take one of the following
93 forms:
94
95 • ssl:host:port
96
97 The specified SSL port on the give host, which can either
98 be a DNS name (if built with unbound library) or an IP
99 address (IPv4 or IPv6). If host is an IPv6 address, then
100 wrap host with square brackets, e.g.: ssl:[::1]:6640. The
101 --private-key, --certificate and either of --ca-cert or
102 --bootstrap-ca-cert options are mandatory when this form
103 is used.
104
105 • tcp:host:port
106
107 Connect to the given TCP port on host, where host can be
108 a DNS name (if built with unbound library) or IP address
109 (IPv4 or IPv6). If host is an IPv6 address, then wrap
110 host with square brackets, e.g.: tcp:[::1]:6640.
111
112 • unix:file
113
114 On POSIX, connect to the Unix domain server socket named
115 file.
116
117 On Windows, connect to a localhost TCP port whose value
118 is written in file.
119
120 ovn-controller-vtep assumes it gets configuration information from the
121 following keys in the Global table of the connected hardware_vtep data‐
122 base:
123
124 other_config:ovn-match-northd-version
125 The boolean flag indicates if ovn-controller-vtep needs
126 to check ovn-northd version. If this flag is set to true
127 and the ovn-northd’s version (reported in the Southbound
128 database) doesn’t match with the ovn-controller-vtep’s
129 internal version, then it will stop processing the south‐
130 bound and connected hardware_vtep database changes. The
131 default value is considered false if this option is not
132 defined.
133
134
135
136OVN 22.12.0 ovn-controller-vtep ovn-controller-vtep(8)