ovn-controller-vtep(8) — Linux manual page


ovn-controller-vtep(8)       Open vSwitch Manual      ovn-controller-vtep(8)

NAME         top

       ovn-controller-vtep  - Open Virtual Network local controller for vtep
       enabled physical switches.

SYNOPSIS         top

       ovn-controller-vtep [options] [--vtep-db=vtep-database] [--ovnsb-

DESCRIPTION         top

       ovn-controller-vtep is the local controller daemon in OVN, the Open
       Virtual Network, for VTEP enabled physical switches. It connects up
       to the OVN Southbound database (see ovn-sb(5)) over the OVSDB
       protocol, and down to the VTEP database (see vtep(5)) over the OVSDB

   PKI Options
       PKI configuration is required in order to use SSL for the connections
       to the VTEP and Southbound databases.

              -p privkey.pem
                   Specifies a PEM file containing the private key used as
                   identity for outgoing SSL connections.

              -c cert.pem
                   Specifies a PEM file containing a certificate that
                   certifies the private key specified on -p or
                   --private-key to be trustworthy. The certificate must be
                   signed by the certificate authority (CA) that the peer in
                   SSL connections will use to verify it.

              -C cacert.pem
                   Specifies a PEM file containing the CA certificate for
                   verifying certificates presented to this program by SSL
                   peers. (This may be the same certificate that SSL peers
                   use to verify the certificate specified on -c or
                   --certificate, or it may be a different one, depending on
                   the PKI design in use.)

              -C none
                   Disables verification of certificates presented by SSL
                   peers. This introduces a security risk, because it means
                   that certificates cannot be verified to be those of known
                   trusted hosts.

                     When cacert.pem exists, this option has the same effect
                     as -C or --ca-cert. If it does not exist, then the
                     executable will attempt to obtain the CA certificate
                     from the SSL peer on its first SSL connection and save
                     it to the named PEM file. If it is successful, it will
                     immediately drop the connection and reconnect, and from
                     then on all SSL connections must be authenticated by a
                     certificate signed by the CA certificate thus obtained.

                     This option exposes the SSL connection to a man-in-the-
                     middle attack obtaining the initial CA certificate, but
                     it may be useful for bootstrapping.

                     This option is only useful if the SSL peer sends its CA
                     certificate as part of the SSL certificate chain. The
                     SSL protocol does not require the server to send the CA

                     This option is mutually exclusive with -C and

                     Specifies a PEM file that contains one or more
                     additional certificates to send to SSL peers. peer-
                     cacert.pem should be the CA certificate used to sign
                     the program’s own certificate, that is, the certificate
                     specified on -c or --certificate. If the program’s
                     certificate is self-signed, then --certificate and
                     --peer-ca-cert should specify the same file.

                     This option is not useful in normal operation, because
                     the SSL peer must already have the CA certificate for
                     the peer to have any confidence in the program’s
                     identity. However, this offers a way for a new
                     installation to bootstrap the CA certificate on its
                     first SSL connection.


       ovn-controller-vtep retrieves its configuration information from both
       the ovnsb and the vtep database. If the database locations are not
       given from command line, the default is the db.sock in local OVSDB’s
       ’run’ directory. The datapath location must take one of the following

              ·      ssl:host:port

                     The specified SSL port on the give host, which can
                     either be a DNS name (if built with unbound library) or
                     an IP address (IPv4 or IPv6). If host is an IPv6
                     address, then wrap host with square brackets, e.g.:
                     ssl:[::1]:6640. The --private-key, --certificate and
                     either of --ca-cert or --bootstrap-ca-cert options are
                     mandatory when this form is used.

              ·      tcp:host:port

                     Connect to the given TCP port on host, where host can
                     be a DNS name (if built with unbound library) or IP
                     address (IPv4 or IPv6). If host is an IPv6 address,
                     then wrap host with square brackets, e.g.:

              ·      unix:file

                     On POSIX, connect to the Unix domain server socket
                     named file.

                     On Windows, connect to a localhost TCP port whose value
                     is written in file.

COLOPHON         top

       This page is part of the Open vSwitch (a distributed virtual
       multilayer switch) project.  Information about the project can be
       found at ⟨http://openvswitch.org/⟩.  If you have a bug report for
       this manual page, send it to bugs@openvswitch.org.  This page was
       obtained from the project's upstream Git repository
       ⟨https://github.com/openvswitch/ovs.git⟩ on 2020-09-18.  (At that
       time, the date of the most recent commit that was found in the repos‐
       itory was 2020-09-16.)  If you discover any rendering problems in
       this HTML version of the page, or you believe there is a better or
       more up-to-date source for the page, or you have corrections or
       improvements to the information in this COLOPHON (which is not part
       of the original manual page), send a mail to man-pages@man7.org

Open vSwitch 2.10.90         ovn-controller-vtep      ovn-controller-vtep(8)

Pages that refer to this page: ovn-sb(5)