Provided by: ovn-common_23.03.0-1_amd64 bug

NAME

       ovn-controller-vtep  -  Open  Virtual  Network  local controller for vtep enabled physical
       switches.

SYNOPSIS

       ovn-controller-vtep [options] [--vtep-db=vtep-database] [--ovnsb-db=ovnsb-database]

DESCRIPTION

       ovn-controller-vtep is the local controller daemon in OVN, the Open Virtual  Network,  for
       VTEP  enabled  physical  switches.  It  connects  up  to  the OVN Southbound database (see
       ovn-sb(5)) over the OVSDB protocol, and down to the VTEP database (see vtep(5))  over  the
       OVSDB protocol.

   PKI Options
       PKI  configuration  is  required  in  order to use SSL for the connections to the VTEP and
       Southbound databases.

              -p privkey.pem
              --private-key=privkey.pem
                   Specifies a PEM file containing the private key used as identity for  outgoing
                   SSL connections.

              -c cert.pem
              --certificate=cert.pem
                   Specifies  a  PEM file containing a certificate that certifies the private key
                   specified on -p or --private-key to be trustworthy. The  certificate  must  be
                   signed by the certificate authority (CA) that the peer in SSL connections will
                   use to verify it.

              -C cacert.pem
              --ca-cert=cacert.pem
                   Specifies a PEM file containing the CA certificate for verifying  certificates
                   presented to this program by SSL peers. (This may be the same certificate that
                   SSL peers use to verify the certificate specified on -c or  --certificate,  or
                   it may be a different one, depending on the PKI design in use.)

              -C none
              --ca-cert=none
                   Disables  verification of certificates presented by SSL peers. This introduces
                   a security risk, because it means that certificates cannot be verified  to  be
                   those of known trusted hosts.

              --bootstrap-ca-cert=cacert.pem
                     When  cacert.pem exists, this option has the same effect as -C or --ca-cert.
                     If it does not exist, then the executable will  attempt  to  obtain  the  CA
                     certificate from the SSL peer on its first SSL connection and save it to the
                     named PEM file. If it is successful, it will immediately drop the connection
                     and reconnect, and from then on all SSL connections must be authenticated by
                     a certificate signed by the CA certificate thus obtained.

                     This option  exposes  the  SSL  connection  to  a  man-in-the-middle  attack
                     obtaining   the   initial   CA   certificate,  but  it  may  be  useful  for
                     bootstrapping.

                     This option is only useful if the SSL peer sends its CA certificate as  part
                     of  the  SSL certificate chain. The SSL protocol does not require the server
                     to send the CA certificate.

                     This option is mutually exclusive with -C and --ca-cert.

              --peer-ca-cert=peer-cacert.pem
                     Specifies a PEM file that contains one or more  additional  certificates  to
                     send to SSL peers. peer-cacert.pem should be the CA certificate used to sign
                     the program’s own certificate, that is, the certificate specified on  -c  or
                     --certificate.   If   the   program’s   certificate   is  self-signed,  then
                     --certificate and --peer-ca-cert should specify the same file.

                     This option is not useful in normal operation, because  the  SSL  peer  must
                     already  have  the CA certificate for the peer to have any confidence in the
                     program’s identity. However, this offers a way for  a  new  installation  to
                     bootstrap the CA certificate on its first SSL connection.

CONFIGURATION

       ovn-controller-vtep  retrieves  its  configuration information from both the ovnsb and the
       vtep database. If the database locations are not given from command line, the  default  is
       the  db.sock  in local OVSDB’s ’run’ directory. The database location must take one of the
       following forms:

              •      ssl:host:port

                     The specified SSL port on the give host, which can either be a DNS name  (if
                     built  with  unbound library) or an IP address (IPv4 or IPv6). If host is an
                     IPv6 address, then wrap host with square brackets, e.g.: ssl:[::1]:6640. The
                     --private-key,  --certificate and either of --ca-cert or --bootstrap-ca-cert
                     options are mandatory when this form is used.

              •      tcp:host:port

                     Connect to the given TCP port on host, where host can  be  a  DNS  name  (if
                     built with unbound library) or IP address (IPv4 or IPv6). If host is an IPv6
                     address, then wrap host with square brackets, e.g.: tcp:[::1]:6640.

              •      unix:file

                     On POSIX, connect to the Unix domain server socket named file.

                     On Windows, connect to a localhost TCP port whose value is written in file.

       ovn-controller-vtep assumes it gets configuration information from the following  keys  in
       the Global table of the connected hardware_vtep database:

              other_config:ovn-match-northd-version
                     The  boolean flag indicates if ovn-controller-vtep needs to check ovn-northd
                     version. If this flag is set to true and the ovn-northd’s version  (reported
                     in  the  Southbound  database)  doesn’t match with the ovn-controller-vtep’s
                     internal version, then it will stop processing the southbound and  connected
                     hardware_vtep  database  changes.  The  default value is considered false if
                     this option is not defined.