ovn-controller-vtep - Open Virtual Network local controller for
    vtep enabled physical switches.
ovn-controller-vtep [options]
    [--vtep-db=vtep-database] [--ovnsb-db=ovnsb-database]
ovn-controller-vtep is the local controller daemon in OVN,
    the Open Virtual Network, for VTEP enabled physical switches. It connects up
    to the OVN Southbound database (see ovn-sb(5)) over the OVSDB
    protocol, and down to the VTEP database (see vtep(5)) over the OVSDB
    protocol.
PKI configuration is required in order to use SSL for the
    connections to the VTEP and Southbound databases.
- -p privkey.pem
- --private-key=privkey.pem
- Specifies a PEM file containing the private key used as identity for
      outgoing SSL connections.
- -c cert.pem
- --certificate=cert.pem
- Specifies a PEM file containing a certificate that certifies the private
      key specified on -p or --private-key to be trustworthy. The
      certificate must be signed by the certificate authority (CA) that the peer
      in SSL connections will use to verify it.
- -C cacert.pem
- --ca-cert=cacert.pem
- Specifies a PEM file containing the CA certificate for verifying
      certificates presented to this program by SSL peers. (This may be the same
      certificate that SSL peers use to verify the certificate specified on
      -c or --certificate, or it may be a different one, depending
      on the PKI design in use.)
- -C none
- --ca-cert=none
- Disables verification of certificates presented by SSL peers. This
      introduces a security risk, because it means that certificates cannot be
      verified to be those of known trusted hosts.
 
  - --bootstrap-ca-cert=cacert.pem
- When cacert.pem exists, this option has the same effect as
      -C or --ca-cert. If it does not exist, then the executable
      will attempt to obtain the CA certificate from the SSL peer on its first
      SSL connection and save it to the named PEM file. If it is successful, it
      will immediately drop the connection and reconnect, and from then on all
      SSL connections must be authenticated by a certificate signed by the CA
      certificate thus obtained.
  
  - This option exposes the SSL connection to a man-in-the-middle attack
      obtaining the initial CA certificate, but it may be useful for
      bootstrapping.
- This option is only useful if the SSL peer sends its CA certificate as
      part of the SSL certificate chain. The SSL protocol does not require the
      server to send the CA certificate.
- This option is mutually exclusive with -C and
    --ca-cert.
 
  - --peer-ca-cert=peer-cacert.pem
- Specifies a PEM file that contains one or more additional certificates to
      send to SSL peers. peer-cacert.pem should be the CA certificate
      used to sign the program’s own certificate, that is, the
      certificate specified on -c or --certificate. If the
      program’s certificate is self-signed, then --certificate and
      --peer-ca-cert should specify the same file.
  
  - This option is not useful in normal operation, because the SSL peer must
      already have the CA certificate for the peer to have any confidence in the
      program’s identity. However, this offers a way for a new
      installation to bootstrap the CA certificate on its first SSL
    connection.
 
ovn-controller-vtep retrieves its configuration information
    from both the ovnsb and the vtep database. If the database locations are
    not given on the command line, the default is the db.sock in the local
    OVSDB’s ’run’ directory. The database location must
    take one of the following forms:
- ssl:host:port
  
  - The specified SSL port on the given host, which can either be
      a DNS name (if built with unbound library) or an IP address (IPv4 or
      IPv6). If host is an IPv6 address, then wrap host with
      square brackets, e.g.: ssl:[::1]:6640. The --private-key,
      --certificate and either of --ca-cert or
      --bootstrap-ca-cert options are mandatory when this form is
    used.
- tcp:host:port
  
  - Connect to the given TCP port on host, where host can
      be a DNS name (if built with unbound library) or IP address (IPv4 or
      IPv6). If host is an IPv6 address, then wrap host with
      square brackets, e.g.: tcp:[::1]:6640.
- unix:file
  
  - On POSIX, connect to the Unix domain server socket named file.
- On Windows, connect to a localhost TCP port whose value is written in
      file.
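
The option rules above (what the ssl: form requires, the -C/--bootstrap-ca-cert exclusion, the unverified modes, and the bracketed IPv6 syntax) can be checked before a command line is deployed. The following is an added example, not part of OVN or of the original page; `parse_args`, `lint` and the sample `WEAK` command line are hypothetical names and constructed values.

```python
import re

# Remote forms listed on this page; an IPv6 host must be wrapped in [].
_REMOTE = re.compile(r"^(ssl|tcp):(\[[0-9A-Fa-f:.]+\]|[^:\[\]]+):(\d+)$")
_SHORT = {"-p": "--private-key", "-c": "--certificate", "-C": "--ca-cert"}
_LONG = {"--private-key", "--certificate", "--ca-cert",
         "--bootstrap-ca-cert", "--vtep-db", "--ovnsb-db"}
_DB = ("--ovnsb-db", "--vtep-db")
# Constructed sample: complete SSL options, but peer verification is disabled.
WEAK = ["--ovnsb-db=ssl:[::1]:6640", "-p", "privkey.pem", "-c", "cert.pem", "-C", "none"]


def parse_args(argv):
    """Collect the options documented on this page into {long_name: value}."""
    opts, it = {}, iter(argv)
    for arg in it:
        if arg in _SHORT:
            opts[_SHORT[arg]] = next(it, "")
        else:
            name, _, value = arg.partition("=")
            if name in _LONG:
                opts[name] = value
    return opts


def lint(argv):
    """Return a list of findings for one ovn-controller-vtep command line."""
    opts, findings = parse_args(argv), []
    for db in (d for d in _DB if d in opts):
        loc = opts[db]
        m = _REMOTE.match(loc)
        if not m and not loc.startswith("unix:"):
            findings.append(f"{db}: '{loc}' is not ssl:host:port, tcp:host:port or unix:file")
        elif m and m.group(1) == "tcp":
            findings.append(f"{db}: plain TCP, not covered by the SSL options")
        elif m and m.group(1) == "ssl":
            for need in ("--private-key", "--certificate"):
                if need not in opts:
                    findings.append(f"{db}: ssl: form requires {need}")
            if not {"--ca-cert", "--bootstrap-ca-cert"} & opts.keys():
                findings.append(f"{db}: ssl: form requires --ca-cert or --bootstrap-ca-cert")
    if "--ca-cert" in opts and "--bootstrap-ca-cert" in opts:
        findings.append("--bootstrap-ca-cert is mutually exclusive with -C/--ca-cert")
    if opts.get("--ca-cert") == "none":
        findings.append("--ca-cert=none: peer certificates are not verified")
    if "--bootstrap-ca-cert" in opts:
        findings.append("--bootstrap-ca-cert: if the file is absent, the CA is taken from the peer")
    return findings
```

`lint(WEAK)` reports only the disabled verification; an empty list means the command line satisfies every rule stated in this section.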
 
ovn-controller-vtep assumes it gets configuration
    information from the following keys in the Global table of the
    connected hardware_vtep database:
  - other_config:ovn-match-northd-version
- This boolean flag indicates whether ovn-controller-vtep needs to check
      the ovn-northd version. If this flag is set to true and the
      ovn-northd’s version (reported in the Southbound database)
      doesn’t match the ovn-controller-vtep’s internal
      version, then it will stop processing the southbound and connected
      hardware_vtep database changes. The default value is considered
      false if this option is not defined.