1ovn-controller-vtep(8)            OVN Manual            ovn-controller-vtep(8)
2
3
4

NAME

6       ovn-controller-vtep  -  Open  Virtual Network local controller for vtep
7       enabled physical switches.
8

SYNOPSIS

10       ovn-controller-vtep   [options]   [--vtep-db=vtep-database]   [--ovnsb-
11       db=ovnsb-database]
12

DESCRIPTION

14       ovn-controller-vtep  is  the  local  controller daemon in OVN, the Open
15       Virtual Network, for VTEP enabled physical switches. It connects up  to
16       the  OVN  Southbound  database (see ovn-sb(5)) over the OVSDB protocol,
17       and down to the VTEP database (see vtep(5)) over the OVSDB protocol.
18
19   PKI Options
20       PKI configuration is required in order to use SSL for  the  connections
21       to the VTEP and Southbound databases.
22
23              -p privkey.pem
24              --private-key=privkey.pem
25                   Specifies  a  PEM  file  containing the private key used as
26                   identity for outgoing SSL connections.
27
28              -c cert.pem
29              --certificate=cert.pem
30                   Specifies a PEM file containing a certificate  that  certi‐
31                   fies the private key specified on -p or --private-key to be
32                   trustworthy. The certificate must be signed by the certifi‐
33                   cate  authority  (CA) that the peer in SSL connections will
34                   use to verify it.
35
36              -C cacert.pem
37              --ca-cert=cacert.pem
38                   Specifies a PEM file containing the CA certificate for ver‐
39                   ifying certificates presented to this program by SSL peers.
40                   (This may be the same certificate that  SSL  peers  use  to
41                   verify the certificate specified on -c or --certificate, or
42                   it may be a different one, depending on the PKI  design  in
43                   use.)
44
45              -C none
46              --ca-cert=none
47                   Disables  verification  of  certificates  presented  by SSL
48                   peers. This introduces a security risk,  because  it  means
49                   that  certificates  cannot be verified to be those of known
50                   trusted hosts.
51
52              --bootstrap-ca-cert=cacert.pem
53                     When cacert.pem exists, this option has the  same  effect
54                     as  -C  or --ca-cert. If it does not exist, then the exe‐
55                     cutable will attempt to obtain the  CA  certificate  from
56                     the  SSL  peer on its first SSL connection and save it to
57                     the named PEM file. If it is successful, it will  immedi‐
58                     ately drop the connection and reconnect, and from then on
59                     all SSL connections must be authenticated by  a  certifi‐
60                     cate signed by the CA certificate thus obtained.
61
62                     This  option  exposes the SSL connection to a man-in-the-
63                     middle attack obtaining the initial CA  certificate,  but
64                     it may be useful for bootstrapping.
65
66                     This  option  is only useful if the SSL peer sends its CA
67                     certificate as part of the SSL certificate chain. The SSL
68                     protocol  does not require the server to send the CA cer‐
69                     tificate.
70
71                     This option is mutually exclusive with -C and --ca-cert.
72
73              --peer-ca-cert=peer-cacert.pem
74                     Specifies a PEM file that contains one or more additional
75                     certificates to send to SSL peers. peer-cacert.pem should
76                     be the CA certificate used to sign the program’s own cer‐
77                     tificate,  that  is,  the  certificate specified on -c or
78                     --certificate. If  the  program’s  certificate  is  self-
79                     signed,  then  --certificate  and  --peer-ca-cert  should
80                     specify the same file.
81
82                     This option is not useful in  normal  operation,  because
83                     the SSL peer must already have the CA certificate for the
84                     peer to have any confidence in  the  program’s  identity.
85                     However,  this  offers  a  way  for a new installation to
86                     bootstrap the CA certificate on its first SSL connection.
87

CONFIGURATION

89       ovn-controller-vtep retrieves its configuration information  from  both
90       the  ovnsb  and  the  vtep  database. If the database locations are not
91       given from command line, the default is the db.sock  in  local  OVSDB’s
92       ’run’  directory.  The database location must take one of the following
93       forms:
94
95ssl:host:port
96
97                     The specified SSL port on the give host, which can either
98                     be  a  DNS  name (if built with unbound library) or an IP
99                     address (IPv4 or IPv6). If host is an IPv6 address,  then
100                     wrap host with square brackets, e.g.: ssl:[::1]:6640. The
101                     --private-key, --certificate and either of  --ca-cert  or
102                     --bootstrap-ca-cert  options are mandatory when this form
103                     is used.
104
105tcp:host:port
106
107                     Connect to the given TCP port on host, where host can  be
108                     a  DNS name (if built with unbound library) or IP address
109                     (IPv4 or IPv6). If host is an  IPv6  address,  then  wrap
110                     host with square brackets, e.g.: tcp:[::1]:6640.
111
112unix:file
113
114                     On  POSIX, connect to the Unix domain server socket named
115                     file.
116
117                     On Windows, connect to a localhost TCP port  whose  value
118                     is written in file.
119
120       ovn-controller-vtep  assumes it gets configuration information from the
121       following keys in the Global table of the connected hardware_vtep data‐
122       base:
123
124              other_config:ovn-match-northd-version
125                     The  boolean  flag indicates if ovn-controller-vtep needs
126                     to check ovn-northd version. If this flag is set to  true
127                     and  the ovn-northd’s version (reported in the Southbound
128                     database) doesn’t match  with  the  ovn-controller-vtep’s
129                     internal version, then it will stop processing the south‐
130                     bound and connected hardware_vtep database  changes.  The
131                     default  value  is considered false if this option is not
132                     defined.
133
134
135
136OVN 22.12.0                   ovn-controller-vtep       ovn-controller-vtep(8)
Impressum