ovn-controller-vtep(8)            OVN Manual            ovn-controller-vtep(8)

       ovn-controller-vtep  -  Open  Virtual Network local controller for vtep
       enabled physical switches.

       ovn-controller-vtep   [options]   [--vtep-db=vtep-database]   [--ovnsb-

       ovn-controller-vtep  is  the  local  controller daemon in OVN, the Open
       Virtual Network, for VTEP enabled physical switches. It connects up  to
       the  OVN  Southbound  database (see ovn-sb(5)) over the OVSDB protocol,
       and down to the VTEP database (see vtep(5)) over the OVSDB protocol.

   PKI Options
       PKI configuration is required in order to use SSL for  the  connections
       to the VTEP and Southbound databases.

              -p privkey.pem
                   Specifies  a  PEM  file  containing the private key used as
                   identity for outgoing SSL connections.

              -c cert.pem
                   Specifies a PEM file containing a certificate  that  certi‐
                   fies the private key specified on -p or --private-key to be
                   trustworthy. The certificate must be signed by the certifi‐
                   cate  authority  (CA) that the peer in SSL connections will
                   use to verify it.

              -C cacert.pem
                   Specifies a PEM file containing the CA certificate for ver‐
                   ifying certificates presented to this program by SSL peers.
                   (This may be the same certificate that  SSL  peers  use  to
                   verify the certificate specified on -c or --certificate, or
                   it  may  be a different one, depending on the PKI design in

              -C none
                   Disables verification  of  certificates  presented  by  SSL
                   peers.  This  introduces  a security risk, because it means
                   that certificates cannot be verified to be those  of  known
                   trusted hosts.

                     When  cacert.pem  exists, this option has the same effect
                     as -C or --ca-cert. If it does not exist, then  the  exe‐
                     cutable  will  attempt  to obtain the CA certificate from
                     the SSL peer on its first SSL connection and save  it  to
                     the  named PEM file. If it is successful, it will immedi‐
                     ately drop the connection and reconnect, and from then on
                     all SSL connections must be authenticated by  a  certifi‐
                     cate signed by the CA certificate thus obtained.

                     This  option  exposes the SSL connection to a man-in-the-
                     middle attack obtaining the initial CA  certificate,  but
                     it may be useful for bootstrapping.

                     This  option  is only useful if the SSL peer sends its CA
                     certificate as part of the SSL certificate chain. The SSL
                     protocol does not require the server to send the CA  cer‐

                     This option is mutually exclusive with -C and --ca-cert.

                     Specifies a PEM file that contains one or more additional
                     certificates to send to SSL peers. peer-cacert.pem should
                     be the CA certificate used to sign the program’s own cer‐
                     tificate,  that  is,  the  certificate specified on -c or
                     --certificate. If  the  program’s  certificate  is  self-
                     signed,  then  --certificate  and  --peer-ca-cert  should
                     specify the same file.

                     This option is not useful in  normal  operation,  because
                     the SSL peer must already have the CA certificate for the
                     peer  to  have  any confidence in the program’s identity.
                     However, this offers a way  for  a  new  installation  to
                     bootstrap the CA certificate on its first SSL connection.

       ovn-controller-vtep  retrieves  its configuration information from both
       the ovnsb and the vtep database. If  the  database  locations  are  not
       given  from  command  line, the default is the db.sock in local OVSDB’s
       ’run’ directory. The database location must take one of  the  following

              •      ssl:host:port

                     The specified SSL port on the give host, which can either
                     be  a  DNS  name (if built with unbound library) or an IP
                     address (IPv4 or IPv6). If host is an IPv6 address,  then
                     wrap host with square brackets, e.g.: ssl:[::1]:6640. The
                     --private-key,  --certificate  and either of --ca-cert or
                     --bootstrap-ca-cert options are mandatory when this  form
                     is used.

              •      tcp:host:port

                     Connect  to the given TCP port on host, where host can be
                     a DNS name (if built with unbound library) or IP  address
                     (IPv4  or  IPv6).  If  host is an IPv6 address, then wrap
                     host with square brackets, e.g.: tcp:[::1]:6640.

              •      unix:file

                     On POSIX, connect to the Unix domain server socket  named

                     On  Windows,  connect to a localhost TCP port whose value
                     is written in file.

       ovn-controller-vtep assumes it gets configuration information from  the
       following keys in the Global table of the connected hardware_vtep data‐

                     The  boolean  flag indicates if ovn-controller-vtep needs
                     to check ovn-northd version. If this flag is set to  true
                     and  the ovn-northd’’s version (reported in the Southbound
                     database) doesn’t match  with  the  ovn-controller-vtep’’s
                     internal version, then it will stop processing the south‐
                     bound  and  connected hardware_vtep database changes. The
                     default value is considered false if this option  is  not

                     The  inactivity  probe  interval of the connection to the
                     OVN Southbound database, in milliseconds. If the value is
                     zero, it disables the connection keepalive feature.

                     If the value is nonzero, then it  will  be  forced  to  a
                     value of at least 1000 ms.

OVN 24.03.90                  ovn-controller-vtep       ovn-controller-vtep(8)