OpenStack-Ansible Horizon

This Ansible role installs and configures OpenStack Horizon served by the Apache webserver. Horizon is configured to use Galera for session caching and memcached for other caching.

Default Variables

## Verbosity Options
debug: False
verbose: True

horizon_git_install_branch: master
horizon_developer_mode: false
horizon_requirements_git_install_branch: master
  - "git+{{ horizon_git_repo }}@{{ horizon_git_install_branch }}#egg=horizon"

## APT Cache options
cache_timeout: 600

# Name of the virtual env to deploy into
horizon_venv_tag: untagged
horizon_venv_bin: "/openstack/venvs/horizon-{{ horizon_venv_tag }}/bin"

# Set this to enable or disable installing in a venv
horizon_venv_enabled: true

# The bin path defaults to the venv path however if installation in a
#  venv is disabled the bin path will be dynamically set based on the
#  system path used when the installing.
horizon_bin: "{{ horizon_venv_bin }}"


## System info
horizon_system_user_name: horizon
horizon_system_group_name: www-data
horizon_system_shell: /bin/false
horizon_system_comment: horizon system user
horizon_system_user_home: "/var/lib/{{ horizon_system_user_name }}"

## Service Type and Data
horizon_service_region: RegionOne
horizon_service_name: horizon

## DB info
horizon_galera_database: dash
horizon_galera_user: dash

## Session configuration
# Specifies the timespan in seconds inactivity, until a user is considered as
# logged out
horizon_session_timeout: 1800

## Horizon Help URL Path

## Installation directories
horizon_venv_lib_dir: "{{ horizon_bin | dirname }}/lib/python2.7/dist-packages"
horizon_non_venv_lib_dir: "/usr/local/lib/python2.7/dist-packages"
horizon_lib_dir: "{{ (horizon_venv_enabled | bool) | ternary(horizon_venv_lib_dir, horizon_non_venv_lib_dir) }}"
horizon_lib_wsgi_file: "{{ horizon_lib_dir }}/openstack_dashboard/wsgi/django.wsgi"

horizon_endpoint_type: internalURL

horizon_server_name: "{{ ansible_hostname | default('horizon') }}"
horizon_apache_servertokens: "Prod"
horizon_apache_serversignature: "Off"
horizon_log_level: info
horizon_apache_custom_log_format: combined
horizon_dropdown_max_items: 30
horizon_time_zone: UTC
horizon_enforce_password_check: False
horizon_disable_password_reveal: False
horizon_enable_password_retrieve: False
horizon_enable_password_autocomplete: False
# If nova_libvirt_inject_password is set to True, then this can also be enabled:
horizon_can_set_password: False
horizon_enable_cinder_backup: False
# Enables IPv6 support in Horizon, such as managing network subnets
horizon_enable_ipv6: False

# WSGI tuning parameters
# horizon_wsgi_processes: 4
# horizon_wsgi_threads: 4

## Horizon SSL
horizon_ssl_cert: /etc/ssl/certs/horizon.pem
horizon_ssl_key: /etc/ssl/private/horizon.key
horizon_ssl_ca_cert: /etc/ssl/certs/horizon-ca.pem
horizon_ssl_protocol: "{{ ssl_protocol }}"
horizon_ssl_cipher_suite: "{{ ssl_cipher_suite }}"
# if using a self-signed certificate, set this to true to regenerate it
horizon_ssl_self_signed_regen: false
horizon_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ horizon_server_name }}/subjectAltName=IP.1={{ external_lb_vip_address }}"

# Set these variables to deploy custom certificates
# horizon_user_ssl_cert: <path to cert on ansible deployment host>
# horizon_user_ssl_key: <path to cert on ansible deployment host>
# horizon_user_ssl_ca_cert: <path to cert on ansible deployment host>

# Set this to True if you do ssl termination on an external device, like the
# load balancer
horizon_external_ssl: false

# Set this to the header that your device sets when doing ssl termination
horizon_secure_proxy_ssl_header: "X-Forwarded-Proto"
horizon_secure_proxy_ssl_header_django: "HTTP_{{ horizon_secure_proxy_ssl_header | replace('-', '_') | upper }}"

# For multiple regions uncomment this configuration, and
# add the extra endpoints below the first list item.
# horizon_available_regions:
#   - { url: "{{ keystone_service_internalurl }}", name: "{{ keystone_service_region }}" }
#   - { url: "", name: "RegionTwo" }

## Horizon's keystone endpoint settings
horizon_keystone_host: "{{ internal_lb_vip_address }}"
horizon_keystone_endpoint: "{{ keystone_service_internalurl }}"

## Horizon Multi-Domain Support
# these variables should only be changed if horizon_keystone_endpoint is a Keystone v3 API endpoint
horizon_keystone_multidomain_support: False
horizon_keystone_default_domain: Default

### Set the cacert pem for Keystone if you'd like Horizon to verify it.
# horizon_cacert_pem: /path/to/cacert.pem

## alternatively, you can set horizon to turn off ssl verification for Keystone
horizon_ssl_no_verify: "{{ (keystone_service_adminuri_insecure | bool or keystone_service_internaluri_insecure | bool) | default(false) }}"

## The role which Horizon should use as a default for users
horizon_default_role_name: _member_

## Launch instance
horizon_launch_instance_legacy: True
horizon_launch_instance_ng: False

## Neutron features to enable
horizon_enable_neutron_lbaas: False
horizon_enable_neutron_fwaas: False
horizon_enable_neutron_vpnaas: False

## Swift
horizon_swift_file_transfer_chunk_size: 524288

## Panel
horizon_default_panel: overview

# For blacklisting certain Nova extensions uncomment this configuration,
# and add necessary list items.
# horizon_nova_extensions_blacklist:
#   - "SimpleTenantUsage"

## Customization module
## See
# horizon_customization_module: /local/path/to/

## Replace default theme files with your own
# horizon_custom_uploads:
#   logo:
#     src: "path_on_deployment_host_of_your_custom_logo.png"
#     dest: "img/logo.png"
#   logo_splash:
#     src: "path_on_deployment_host_of_your_custom_logo-splash.png"
#     dest: "img/logo-splash.png"

    theme_name: "default"
    theme_label: "Default"
    theme_path: "themes/default"
    theme_name: "material"
    theme_label: "Material"
    theme_path: "themes/material"

# Add custom themes. Deployers need to place the theme directories
# and files on the horizon containers in:
#   {{ horizon_lib_dir }}/openstack_dashboard/themes
# See
# for more details on custom themes
# Example:
# horizon_custom_themes:
#   custom_theme:
#     theme_name: "custom"
#     theme_label: "Custom"
#     theme_path: "themes/custom"
horizon_custom_themes: {}

# Which of the available themes will be used by default
# value is the theme_name from the vars above
horizon_default_theme: "default"

horizon_webroot: /

  - "80"
  - "443"

  - apache2
  - apache2-utils
  - cron # required by the Ansible cron module
  - libapache2-mod-wsgi
  - libssl-dev
  - libxslt1.1
  - openssl
  - python-mysqldb # required by the Ansible mysql_db module

# horizon packages that must be installed before anything else
  - virtualenv
  - virtualenv-tools
  - python-keystoneclient # Keystoneclient needed to OSA keystone lib
  - httplib2

  - django-appconf
  - django-openstack-auth
  - greenlet
  - horizon
  - keystonemiddleware
  - MySQL-python
  - PyMySQL
  - neutron-lbaas-dashboard
  - oslo.config
  - ply
  - pycrypto
  - python-memcached
  - python-keystoneclient

# Set arbitrary horizon configuration options
horizon_config_overrides: {}

  - admin

Required Variables

This list is not exhaustive at present. See role internals for further details.

horizon_ssl_protocol: "ALL -SSLv2 -SSLv3"
horizon_container_mysql_password: "SuperSecrete"
horizon_secret_key: "SuperSecreteHorizonKey"

Example Playbook

- name: Installation and setup of horizon
  hosts: horizon_all
  user: root
    - { role: "os_horizon", tags: [ "os-horizon" ] }
    galera_client_drop_config_file: false
    horizon_container_mysql_password: "SuperSecrete"
    horizon_secret_key: "SuperSecreteHorizonKey"
    horizon_external_ssl: true
    horizon_ssl_protocol: "ALL -SSLv2 -SSLv3"
    galera_root_password: "secrete"
    rabbitmq_use_ssl: false
    rabbitmq_port: 5671
    keystone_admin_user_name: admin
    keystone_auth_admin_password: "SuperSecretePassword"
    keystone_admin_tenant_name: admin
    keystone_service_adminuri_insecure: false
    keystone_service_internaluri_insecure: false
    keystone_service_internaluri: "http://{{ internal_lb_vip_address }}:5000"
    keystone_service_internalurl: "{{ keystone_service_internaluri }}/v3"
    keystone_service_adminuri: "http://{{ internal_lb_vip_address }}:35357"
    keystone_service_adminurl: "{{ keystone_service_adminuri }}/v3"
    openrc_os_password: "{{ keystone_auth_admin_password }}"
    openrc_os_domain_name: "Default"
    memcached_encryption_key: "secrete"

