ovn-controller-vtep(8)            OVN Manual            ovn-controller-vtep(8)

NAME
       ovn-controller-vtep  -  Open  Virtual Network local controller for vtep
       enabled physical switches.

SYNOPSIS
       ovn-controller-vtep   [options]   [--vtep-db=vtep-database]   [--ovnsb-
       db=ovnsb-database]

DESCRIPTION
       ovn-controller-vtep  is  the  local  controller daemon in OVN, the Open
       Virtual Network, for VTEP enabled physical switches. It connects up  to
       the  OVN  Southbound  database (see ovn-sb(5)) over the OVSDB protocol,
       and down to the VTEP database (see vtep(5)) over the OVSDB protocol.

   PKI Options
       PKI configuration is required in order to use SSL/TLS for  the  connec‐
       tions to the VTEP and Southbound databases.

              -p privkey.pem
              --private-key=privkey.pem
                   Specifies  a  PEM  file  containing the private key used as
                   identity for outgoing SSL/TLS connections.

              -c cert.pem
              --certificate=cert.pem
                   Specifies a PEM file containing a certificate  that  certi‐
                   fies the private key specified on -p or --private-key to be
                   trustworthy. The certificate must be signed by the certifi‐
                   cate  authority  (CA)  that the peer in SSL/TLS connections
                   will use to verify it.

              -C cacert.pem
              --ca-cert=cacert.pem
                   Specifies a PEM file containing the CA certificate for ver‐
                   ifying certificates presented to this  program  by  SSL/TLS
                   peers. (This may be the same certificate that SSL/TLS peers
                   use to verify the certificate specified on -c or --certifi‐‐
                   cate,  or  it  may be a different one, depending on the PKI
                   design in use.)

              -C none
              --ca-cert=none
                   Disables verification of certificates presented by  SSL/TLS
                   peers.  This  introduces  a security risk, because it means
                   that certificates cannot be verified to be those  of  known
                   trusted hosts.

              --ssl-server-name=servername
                   Specifies  the server name to use for TLS Server Name Indi‐
                   cation (SNI). By default, the hostname from the  connection
                   string  is  used for SNI. This option allows overriding the
                   SNI hostname, which is useful when connecting through prox‐
                   ies or service meshes where the connection endpoint differs
                   from the intended server name.

              --bootstrap-ca-cert=cacert.pem
                     When cacert.pem exists, this option has the  same  effect
                     as  -C  or --ca-cert. If it does not exist, then the exe‐
                     cutable will attempt to obtain the  CA  certificate  from
                     the SSL/TLS peer on its first SSL/TLS connection and save
                     it  to  the  named PEM file. If it is successful, it will
                     immediately drop the connection and reconnect,  and  from
                     then  on all SSL/TLS connections must be authenticated by
                     a certificate signed by the CA certificate thus obtained.

                     This option exposes the SSL/TLS connection to  a  man-in-
                     the-middle  attack  obtaining the initial CA certificate,
                     but it may be useful for bootstrapping.

                     This option is only useful if the SSL/TLS peer sends  its
                     CA  certificate as part of the SSL/TLS certificate chain.
                     SSL/TLS protocols do not require the server to  send  the
                     CA certificate.

                     This option is mutually exclusive with -C and --ca-cert.

              --peer-ca-cert=peer-cacert.pem
                     Specifies a PEM file that contains one or more additional
                     certificates  to  send  to SSL/TLS peers. peer-cacert.pem
                     should be the CA certificate used to sign  the  program’s
                     own certificate, that is, the certificate specified on -c
                     or  --certificate.  If the program’s certificate is self-
                     signed,  then  --certificate  and  --peer-ca-cert  should
                     specify the same file.

                     This  option  is  not useful in normal operation, because
                     the SSL/TLS peer must already have the CA certificate for
                     the peer to have any confidence in  the  program’s  iden‐
                     tity.  However,  this offers a way for a new installation
                     to bootstrap the CA certificate on its first SSL/TLS con‐
                     nection.

   Other Options
       --unixctl=socket
              Sets the name of the control socket on which program listens for
              runtime management commands (see  RUNTIME  MANAGEMENT  COMMANDS,
              below).  If  socket  does not begin with /, it is interpreted as
              relative to . If --unixctl is  not  used  at  all,  the  default
              socket is /program.pid.ctl, where pid is program’s process ID.

              Specifying none for socket disables the control socket feature.



       -h
       --help
            Prints a brief help message to the console.

       -V
       --version
            Prints version information to the console.

CONFIGURATION
       ovn-controller-vtep  retrieves  its configuration information from both
       the ovnsb and the vtep database. If  the  database  locations  are  not
       given  from  command  line, the default is the db.sock in local OVSDB’s
       ’run’ directory. The database location must take one of  the  following
       forms:

              •      ssl:host:port

                     The  specified  SSL/TLS  port on the give host, which can
                     either be a DNS name (if built with unbound  library)  or
                     an IP address (IPv4 or IPv6). If host is an IPv6 address,
                     then    wrap    host    with   square   brackets,   e.g.:
                     ssl:[::1]:6640. The --private-key, --certificate and  ei‐
                     ther  of  --ca-cert  or  --bootstrap-ca-cert  options are
                     mandatory when this form is used.

              •      tcp:host:port

                     Connect to the given TCP port on host, where host can  be
                     a  DNS name (if built with unbound library) or IP address
                     (IPv4 or IPv6). If host is an  IPv6  address,  then  wrap
                     host with square brackets, e.g.: tcp:[::1]:6640.

              •      unix:file

                     Connect to the Unix domain server socket named file.

       ovn-controller-vtep  assumes it gets configuration information from the
       following keys in the Global table of the connected hardware_vtep data‐
       base:

              other_config:ovn-match-northd-version
                     The boolean flag indicates if  ovn-controller-vtep  needs
                     to  check ovn-northd version. If this flag is set to true
                     and the ovn-northd’’s version (reported in the  Southbound
                     database)  doesn’t  match  with the ovn-controller-vtep’’s
                     internal version, then it will stop processing the south‐
                     bound and connected hardware_vtep database  changes.  The
                     default  value  is considered false if this option is not
                     defined.

              other_config:ovn-remote-probe-interval
                     The inactivity probe interval of the  connection  to  the
                     OVN Southbound database, in milliseconds. If the value is
                     zero, it disables the connection keepalive feature.

                     If  the  value  is  nonzero,  then it will be forced to a
                     value of at least 1000 ms.

OVN 26.03.90                  ovn-controller-vtep       ovn-controller-vtep(8)