path: root/debian/openvswitch-switch-config.templates
blob: 24bf0352a339bd7cff7f7074b55df778814eb213 (plain)
Template: openvswitch-switch/netdevs
Type: multiselect
_Choices: ${choices}
_Description: OpenFlow switch network devices:
 Choose the network devices that should become part of the OpenFlow
 switch.  At least two devices must be selected for this machine to be
 a useful switch.  Unselecting all network devices will disable the
 OpenFlow switch entirely.
 .
 The network devices that you select should not be configured with IP
 or IPv6 addresses, even if the switch contacts the controller over
 one of the selected network devices.  This is because a running
 OpenFlow switch takes over network devices at a low level: they
 become part of the switch and cannot be used for other purposes.

Template: openvswitch-switch/no-netdevs
Type: error
_Description: No network devices were selected.
 No network devices were selected for inclusion in the OpenFlow switch.
 The switch will be disabled.

Template: openvswitch-switch/configured-netdevs
Type: note
_Description: Some Network Devices Have IP or IPv6 Addresses
 The following network devices selected to be part of the OpenFlow switch
 have IP or IPv6 addresses configured:
 .
 ${configured-netdevs}
 .
 This is usually a mistake, even if the switch contacts the controller over
 one of the selected network devices.  This is because a running
 OpenFlow switch takes over network devices at a low level: they
 become part of the switch and cannot be used for other purposes.
 .
 If this is an unintentional mistake, move back and fix the selection,
 or de-configure the IP or IPv6 from these network devices.

Template: openvswitch-switch/mode
Type: select
_Choices: discovery, in-band, out-of-band
Default: discovery
_Description: Switch-to-controller access method:
 The OpenFlow switch must be able to contact the OpenFlow controller over
 the network.  It can do so in one of three ways:
 .
 discovery: A single network is used for OpenFlow traffic and other
 data traffic; that is, the switch contacts the controller over one of
 the network devices selected as OpenFlow switch network devices in
 the previous question.  The switch automatically determines the
 location of the controller using a DHCP request with an
 OpenFlow-specific vendor option.  This is the most common case.
 .
 in-band: As above, but the location of the controller is manually
 configured.
 .
 out-of-band: OpenFlow traffic uses a network separate from the data traffic
 that it controls.  If this is the case, the control network must already
 be configured on a network device other than one of those selected as
 an OpenFlow switch netdev in the previous question.

Template: openvswitch-switch/discover
Type: note
_Description: Preparing to discover controller.
 The setup program will now attempt to discover the OpenFlow controller.
 Controller discovery may take up to 30 seconds.  Please be patient.
 .
 See secchan(8) for instructions on how to configure a DHCP server for
 controller discovery.

Template: openvswitch-switch/discovery-failure
Type: error
_Description: Controller discovery failed.
 The controller's location could not be determined automatically.
 .
 Ensure that the OpenFlow DHCP server is properly configured.  See
 secchan(8) for instructions on how to configure a DHCP server for
 controller discovery.

Template: openvswitch-switch/discovery-success
Type: boolean
Default: true
_Description: Use discovered settings?
 Controller discovery obtained the following settings:
 .
 Controller location: ${controller-vconn}
 .
 PKI URL: ${pki-uri}
 .
 Please verify that these settings are correct.

Template: openvswitch-switch/switch-ip
Type: string
Default: dhcp
_Description: Switch IP address:
 For in-band communication with the controller, the OpenFlow switch must
 be able to determine its own IP address.  Its IP address may be configured
 statically or dynamically.
 .
 For static configuration, specify the switch's IP address as a string.
 .
 For dynamic configuration with DHCP (the most common case), specify "dhcp".
 Configuration with DHCP will only work reliably if the network topology
 allows the switch to contact the DHCP server before it connects to the
 OpenFlow controller.

Template: openvswitch-switch/switch-ip-error
Type: error
_Description: The switch IP address is invalid.
 The switch IP address must be specified as "dhcp" or a valid IP address in
 dotted-octet form (e.g. "1.2.3.4").

Template: openvswitch-switch/controller-vconn
Type: string
_Description: Controller location:
 Specify how the OpenFlow switch should connect to the OpenFlow controller.
 The value should be in form "ssl:HOST[:PORT]" to connect to the controller
 over SSL (recommended for security) or "tcp:HOST[:PORT]" to connect over
 cleartext TCP.

Template: openvswitch-switch/controller-vconn-error
Type: error
_Description: The controller location is invalid.
 The controller location must be specified as "ssl:HOST[:PORT]" to
 connect to the controller over SSL (recommended for security) or
 "tcp:HOST[:PORT]" to connect over cleartext TCP.

Template: openvswitch-switch/pki-uri
Type: string
_Description: OpenFlow PKI server host name or URL:
 Specify a URL to the OpenFlow public key infrastructure (PKI).  If a
 host name or IP address is specified in place of a URL, then
 http://<host>/openvswitch/pki/ will be used,
 where <host> is the specified host name or IP address.
 .
 The OpenFlow PKI is usually on the same machine as the OpenFlow
 controller.
 .
 The setup process will connect to the OpenFlow PKI server over
 HTTP, using the system's configured default HTTP proxy (if any).

Template: openvswitch-switch/fetch-cacert-failed
Type: error
_Description: The switch CA certificate could not be retrieved.
 Retrieval of ${url} failed, with the following status: "${error}".
 .
 Ensure that the OpenFlow PKI server is correctly configured and
 available at ${pki-uri}.  If the system is configured to use an HTTP
 proxy, also make sure that the HTTP proxy is available and that the
 PKI server can be reached through it.

Template: openvswitch-switch/verify-controller-ca
Type: select
_Choices: yes, no
Default: yes
_Description: Is ${fingerprint} the controller CA's fingerprint?
 If a man-in-the-middle attack is possible in your network
 environment, check that the controller CA's fingerprint is really
 ${fingerprint}.  Answer "yes" if it matches, "no" if
 there is a discrepancy.
 .
 If a man-in-the-middle attack is not a concern, there is no need to
 verify the fingerprint.  Simply answer "yes".

Template: openvswitch-switch/send-cert-req
Type: select
_Choices: yes, no
Default: yes
_Description: Send certificate request to switch CA?
 Before it can connect to the controller over SSL, the OpenFlow
 switch's key must be signed by the switch certificate authority (CA)
 located on the OpenFlow PKI server, which is usually collocated with
 the OpenFlow controller.  A signing request can be sent to the PKI
 server now.
 .
 Answer "yes" to send a signing request to the switch CA now.  This is
 ordinarily the correct choice.  There is no harm in sending a given
 signing request more than once.
 .
 Answer "no" to skip sending a signing request to the switch CA.
 Unless the request has already been sent to the switch CA, manual
 sending of the request and signing will be necessary.

Template: openvswitch-switch/send-cert-req-failed
Type: error
_Description: The certificate request could not be sent.
 Posting to ${url} failed, with the following status: "${error}".
 .
 Ensure that the OpenFlow PKI server is correctly configured and
 available at ${pki-uri}.

Template: openvswitch-switch/fetch-switch-cert
Type: select
_Choices: yes, no
_Description: Fetch signed switch certificate from PKI server?
 Before it can connect to the controller over SSL, the OpenFlow
 switch's key must be signed by the switch certificate authority (CA)
 located on the OpenFlow PKI server, which is usually collocated with
 the OpenFlow controller.
 .
 At this point, a signing request has been sent to the switch CA (or
 sending a request has been manually skipped), but the signed
 certificate has not yet been retrieved.  Manual action may need to be
 taken at the PKI server to approve the signing request.
 .
 Answer "yes" to attempt to retrieve the signed switch certificate
 from the switch CA.  If the switch certificate request has been
 signed at the PKI server, this is the correct choice.
 .
 Answer "no" to postpone switch configuration.  The configuration
 process must be restarted later, when the switch certificate request
 has been signed.

Template: openvswitch-switch/fetch-switch-cert-failed
Type: error
_Description: Signed switch certificate could not be retrieved.
 The signed switch certificate could not be retrieved from the switch
 CA: retrieval of ${url} failed, with the following status: "${error}".
 .
 This probably indicates that the switch's certificate request has not
 yet been signed.  If this is the problem, it may be fixed by signing
 the certificate request at ${pki-uri}, then trying to fetch the
 signed switch certificate again.

Template: openvswitch-switch/complete
Type: note
_Description: OpenFlow Switch Setup Finished
 Setup of this OpenFlow switch is finished.  Complete the setup procedure
 to enable the switch.
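
The input rules stated by the switch-ip, controller-vconn and pki-uri templates above, written as POSIX shell checks. This is an added example, not the package's own config script: the function names are hypothetical, and the HOST character set and the 1-65535 port range are assumptions the templates do not spell out.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not the package's own.

# switch-ip: "dhcp" or a dotted-octet IPv4 address, each octet 0-255.
valid_switch_ip() {
    [ "$1" = dhcp ] && return 0
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# controller-vconn: "ssl:HOST[:PORT]" or "tcp:HOST[:PORT]". Prints the scheme
# so the caller can tell an SSL connection from cleartext TCP.
# Assumption: HOST is a host name or IPv4 address (letters, digits, '.', '-').
vconn_scheme() {
    case $1 in
        ssl:*) scheme=ssl ;;
        tcp:*) scheme=tcp ;;
        *) return 1 ;;
    esac
    rest=${1#*:}; host=${rest%%:*}
    case $host in
        ''|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    if [ "$rest" != "$host" ]; then        # a ":PORT" suffix is present
        port=${rest#*:}
        case $port in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ ${#port} -le 5 ] && [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    fi
    printf '%s\n' "$scheme"
}

# pki-uri: a bare host name or IP address becomes http://<host>/openvswitch/pki/
normalize_pki_uri() {
    case $1 in
        '') return 1 ;;
        *://*) printf '%s\n' "$1" ;;
        *) printf 'http://%s/openvswitch/pki/\n' "$1" ;;
    esac
}
```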