ovn-controller-vtep(8) — Linux manual page


ovn-controller-vtep(8)         OVN Manual         ovn-controller-vtep(8)

NAME         top

       ovn-controller-vtep - Open Virtual Network local controller for
       vtep enabled physical switches.

SYNOPSIS         top

       ovn-controller-vtep [options] [--vtep-db=vtep-database] [--ovnsb-

DESCRIPTION         top

       ovn-controller-vtep is the local controller daemon in OVN, the
       Open Virtual Network, for VTEP enabled physical switches. It
       connects up to the OVN Southbound database (see ovn-sb(5)) over
       the OVSDB protocol, and down to the VTEP database (see vtep(5))
       over the OVSDB protocol.

   PKI Options
       PKI configuration is required in order to use SSL for the
       connections to the VTEP and Southbound databases.

              -p privkey.pem
                   Specifies a PEM file containing the private key used
                   as identity for outgoing SSL connections.

              -c cert.pem
                   Specifies a PEM file containing a certificate that
                   certifies the private key specified on -p or
                   --private-key to be trustworthy. The certificate must
                   be signed by the certificate authority (CA) that the
                   peer in SSL connections will use to verify it.

              -C cacert.pem
                   Specifies a PEM file containing the CA certificate
                   for verifying certificates presented to this program
                   by SSL peers. (This may be the same certificate that
                   SSL peers use to verify the certificate specified on
                   -c or --certificate, or it may be a different one,
                   depending on the PKI design in use.)

              -C none
                   Disables verification of certificates presented by
                   SSL peers. This introduces a security risk, because
                   it means that certificates cannot be verified to be
                   those of known trusted hosts.

                     When cacert.pem exists, this option has the same
                     effect as -C or --ca-cert. If it does not exist,
                     then the executable will attempt to obtain the CA
                     certificate from the SSL peer on its first SSL
                     connection and save it to the named PEM file. If it
                     is successful, it will immediately drop the
                     connection and reconnect, and from then on all SSL
                     connections must be authenticated by a certificate
                     signed by the CA certificate thus obtained.

                     This option exposes the SSL connection to a man-in-
                     the-middle attack obtaining the initial CA
                     certificate, but it may be useful for

                     This option is only useful if the SSL peer sends
                     its CA certificate as part of the SSL certificate
                     chain. The SSL protocol does not require the server
                     to send the CA certificate.

                     This option is mutually exclusive with -C and

                     Specifies a PEM file that contains one or more
                     additional certificates to send to SSL peers. peer-
                     cacert.pem should be the CA certificate used to
                     sign the program’s own certificate, that is, the
                     certificate specified on -c or --certificate. If
                     the program’s certificate is self-signed, then
                     --certificate and --peer-ca-cert should specify the
                     same file.

                     This option is not useful in normal operation,
                     because the SSL peer must already have the CA
                     certificate for the peer to have any confidence in
                     the program’s identity. However, this offers a way
                     for a new installation to bootstrap the CA
                     certificate on its first SSL connection.


       ovn-controller-vtep retrieves its configuration information from
       both the ovnsb and the vtep database. If the database locations
       are not given from command line, the default is the db.sock in
       local OVSDB’s ’run’ directory. The database location must take
       one of the following forms:

              •      ssl:host:port

                     The specified SSL port on the give host, which can
                     either be a DNS name (if built with unbound
                     library) or an IP address (IPv4 or IPv6). If host
                     is an IPv6 address, then wrap host with square
                     brackets, e.g.: ssl:[::1]:6640. The --private-key,
                     --certificate and either of --ca-cert or
                     --bootstrap-ca-cert options are mandatory when this
                     form is used.

              •      tcp:host:port

                     Connect to the given TCP port on host, where host
                     can be a DNS name (if built with unbound library)
                     or IP address (IPv4 or IPv6). If host is an IPv6
                     address, then wrap host with square brackets, e.g.:

              •      unix:file

                     On POSIX, connect to the Unix domain server socket
                     named file.

                     On Windows, connect to a localhost TCP port whose
                     value is written in file.

       ovn-controller-vtep assumes it gets configuration information
       from the following keys in the Global table of the connected
       hardware_vtep database:

                     The boolean flag indicates if ovn-controller-vtep
                     needs to check ovn-northd version. If this flag is
                     set to true and the ovn-northd’s version (reported
                     in the Southbound database) doesn’t match with the
                     ovn-controller-vtep’s internal version, then it
                     will stop processing the southbound and connected
                     hardware_vtep database changes. The default value
                     is considered false if this option is not defined.

                     The inactivity probe interval of the connection to
                     the OVN Southbound database, in milliseconds. If
                     the value is zero, it disables the connection
                     keepalive feature.

                     If the value is nonzero, then it will be forced to
                     a value of at least 1000 ms.

COLOPHON         top

       This page is part of the Open Virtual Network (Daemons for Open
       vSwitch that translate virtual network configurations into
       OpenFlow) project.  Information about the project can be found at
       ⟨https://www.ovn.org/⟩.  If you have a bug report for this manual
       page, send it to bugs@openvswitch.org.  This page was obtained
       from the project's upstream Git repository
       ⟨https://github.com/ovn-org/ovn⟩ on 2024-06-14.  (At that time,
       the date of the most recent commit that was found in the
       repository was 2024-06-12.)  If you discover any rendering
       problems in this HTML version of the page, or you believe there
       is a better or more up-to-date source for the page, or you have
       corrections or improvements to the information in this COLOPHON
       (which is not part of the original manual page), send a mail to

OVN 24.03.90               ovn-controller-vtep    ovn-controller-vtep(8)

Pages that refer to this page: ovn-sb(5)