This Ansible role installs and configures OpenStack Horizon served by the Apache webserver. Horizon is configured to use Galera for session caching and memcached for other caching.
## Verbosity Options
debug: False
verbose: True
horizon_git_repo: https://git.openstack.org/openstack/horizon
horizon_git_install_branch: stable/mitaka
horizon_developer_mode: false
horizon_requirements_git_repo: https://git.openstack.org/openstack/requirements
horizon_requirements_git_install_branch: stable/mitaka
horizon_developer_constraints:
- "git+{{ horizon_git_repo }}@{{ horizon_git_install_branch }}#egg=horizon"
## APT Cache options
cache_timeout: 600
# Name of the virtual env to deploy into
horizon_venv_tag: untagged
horizon_venv_bin: "/openstack/venvs/horizon-{{ horizon_venv_tag }}/bin"
# Set this to enable or disable installing in a venv
horizon_venv_enabled: true
# The bin path defaults to the venv path however if installation in a
# venv is disabled the bin path will be dynamically set based on the
# system path used when the installing.
horizon_bin: "{{ horizon_venv_bin }}"
horizon_venv_download_url: http://127.0.0.1/venvs/untagged/ubuntu/horizon.tgz
## System info
horizon_system_user_name: horizon
horizon_system_group_name: www-data
horizon_system_shell: /bin/false
horizon_system_comment: horizon system user
horizon_system_user_home: "/var/lib/{{ horizon_system_user_name }}"
## Service Type and Data
horizon_service_region: RegionOne
horizon_service_name: horizon
## DB info
horizon_galera_database: dash
horizon_galera_user: dash
## Session configuration
# Specifies the timespan in seconds inactivity, until a user is considered as
# logged out
horizon_session_timeout: 1800
## Horizon Help URL Path
horizon_help_url: http://docs.openstack.org
## Installation directories
horizon_venv_lib_dir: "{{ horizon_bin | dirname }}/lib/python2.7/dist-packages"
horizon_non_venv_lib_dir: "/usr/local/lib/python2.7/dist-packages"
horizon_lib_dir: "{{ (horizon_venv_enabled | bool) | ternary(horizon_venv_lib_dir, horizon_non_venv_lib_dir) }}"
horizon_lib_wsgi_file: "{{ horizon_lib_dir }}/openstack_dashboard/wsgi/django.wsgi"
horizon_endpoint_type: internalURL
horizon_server_name: "{{ ansible_hostname | default('horizon') }}"
horizon_apache_servertokens: "Prod"
horizon_apache_serversignature: "Off"
horizon_log_level: info
horizon_apache_custom_log_format: combined
horizon_dropdown_max_items: 30
horizon_time_zone: UTC
horizon_enforce_password_check: False
horizon_disable_password_reveal: False
horizon_enable_password_retrieve: False
horizon_enable_password_autocomplete: False
# If nova_libvirt_inject_password is set to True, then this can also be enabled:
horizon_can_set_password: False
horizon_enable_cinder_backup: False
# Enables IPv6 support in Horizon, such as managing network subnets
horizon_enable_ipv6: False
# WSGI tuning parameters
# horizon_wsgi_processes: 4
# horizon_wsgi_threads: 4
## Horizon SSL
horizon_ssl_cert: /etc/ssl/certs/horizon.pem
horizon_ssl_key: /etc/ssl/private/horizon.key
horizon_ssl_ca_cert: /etc/ssl/certs/horizon-ca.pem
horizon_ssl_protocol: "{{ ssl_protocol }}"
horizon_ssl_cipher_suite: "{{ ssl_cipher_suite }}"
# if using a self-signed certificate, set this to true to regenerate it
horizon_ssl_self_signed_regen: false
horizon_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ horizon_server_name }}/subjectAltName=IP.1={{ external_lb_vip_address }}"
# Set these variables to deploy custom certificates
# horizon_user_ssl_cert: <path to cert on ansible deployment host>
# horizon_user_ssl_key: <path to cert on ansible deployment host>
# horizon_user_ssl_ca_cert: <path to cert on ansible deployment host>
# Set this to True if you do ssl termination on an external device, like the
# load balancer
horizon_external_ssl: false
# Set this to the header that your device sets when doing ssl termination
horizon_secure_proxy_ssl_header: "X-Forwarded-Proto"
horizon_secure_proxy_ssl_header_django: "HTTP_{{ horizon_secure_proxy_ssl_header | replace('-', '_') | upper }}"
# For multiple regions uncomment this configuration, and
# add the extra endpoints below the first list item.
# horizon_available_regions:
# - { url: "{{ keystone_service_internalurl }}", name: "{{ keystone_service_region }}" }
# - { url: "http://cluster1.example.com:5000/v2.0", name: "RegionTwo" }
## Horizon's keystone endpoint settings
horizon_keystone_host: "{{ internal_lb_vip_address }}"
horizon_keystone_endpoint: "{{ keystone_service_internalurl }}"
## Horizon Multi-Domain Support
# these variables should only be changed if horizon_keystone_endpoint is a Keystone v3 API endpoint
horizon_keystone_multidomain_support: False
horizon_keystone_default_domain: Default
### Set the cacert pem for Keystone if you'd like Horizon to verify it.
# horizon_cacert_pem: /path/to/cacert.pem
## alternatively, you can set horizon to turn off ssl verification for Keystone
horizon_ssl_no_verify: "{{ (keystone_service_adminuri_insecure | bool or keystone_service_internaluri_insecure | bool) | default(false) }}"
## The role which Horizon should use as a default for users
horizon_default_role_name: _member_
## Launch instance
horizon_launch_instance_legacy: True
horizon_launch_instance_ng: False
## Neutron features to enable
horizon_enable_neutron_lbaas: False
horizon_enable_neutron_fwaas: False
horizon_enable_neutron_vpnaas: False
## Swift
horizon_swift_file_transfer_chunk_size: 524288
## Panel
horizon_default_panel: overview
# For blacklisting certain Nova extensions uncomment this configuration,
# and add necessary list items.
# horizon_nova_extensions_blacklist:
# - "SimpleTenantUsage"
## Customization module
## See http://docs.openstack.org/developer/horizon/topics/customizing.html#horizon-customization-module-overrides
# horizon_customization_module: /local/path/to/customization_module.py
## Replace default theme files with your own
# horizon_custom_uploads:
# logo:
# src: "path_on_deployment_host_of_your_custom_logo.png"
# dest: "img/logo.png"
# logo_splash:
# src: "path_on_deployment_host_of_your_custom_logo-splash.png"
# dest: "img/logo-splash.png"
_horizon_available_themes:
default:
theme_name: "default"
theme_label: "Default"
theme_path: "themes/default"
material:
theme_name: "material"
theme_label: "Material"
theme_path: "themes/material"
# Add custom themes. Deployers need to place the theme directories
# and files on the horizon containers in:
# {{ horizon_lib_dir }}/openstack_dashboard/themes
# See http://docs.openstack.org/developer/horizon/topics/customizing.html#themes
# for more details on custom themes
# Example:
#
# horizon_custom_themes:
# custom_theme:
# theme_name: "custom"
# theme_label: "Custom"
# theme_path: "themes/custom"
#
horizon_custom_themes: {}
# Which of the available themes will be used by default
# value is the theme_name from the vars above
horizon_default_theme: "default"
horizon_webroot: /
horizon_listen_ports:
- "80"
- "443"
horizon_apt_packages:
- apache2
- apache2-utils
- cron # required by the Ansible cron module
- libapache2-mod-wsgi
- libssl-dev
- libxslt1.1
- openssl
- python-mysqldb # required by the Ansible mysql_db module
# horizon packages that must be installed before anything else
horizon_requires_pip_packages:
- virtualenv
- virtualenv-tools
- python-keystoneclient # Keystoneclient needed to OSA keystone lib
- httplib2
horizon_pip_packages:
- django-appconf
- django-openstack-auth
- greenlet
- horizon
- keystonemiddleware
- MySQL-python
- PyMySQL
- neutron-lbaas-dashboard
- oslo.config
- ply
- pycrypto
- python-memcached
- python-keystoneclient
# Set arbitrary horizon configuration options
horizon_config_overrides: {}
horizon_keystone_admin_roles:
- admin
This list is not exhaustive at present. See role internals for further details.
horizon_ssl_protocol: "ALL -SSLv2 -SSLv3"
horizon_ssl_cipher_suite: "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"
horizon_galera_address: 10.100.100.101
horizon_container_mysql_password: "SuperSecrete"
horizon_secret_key: "SuperSecreteHorizonKey"
- name: Installation and setup of horizon
hosts: horizon_all
user: root
roles:
- { role: "os_horizon", tags: [ "os-horizon" ] }
vars:
galera_client_drop_config_file: false
external_lb_vip_address: 10.100.100.101
internal_lb_vip_address: 10.100.100.101
horizon_galera_address: 10.100.100.101
horizon_container_mysql_password: "SuperSecrete"
horizon_secret_key: "SuperSecreteHorizonKey"
horizon_external_ssl: true
horizon_ssl_protocol: "ALL -SSLv2 -SSLv3"
horizon_ssl_cipher_suite: "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"
galera_root_password: "secrete"
rabbitmq_servers: 10.100.100.101
rabbitmq_use_ssl: false
rabbitmq_port: 5671
keystone_admin_user_name: admin
keystone_auth_admin_password: "SuperSecretePassword"
keystone_admin_tenant_name: admin
keystone_service_adminuri_insecure: false
keystone_service_internaluri_insecure: false
keystone_service_internaluri: "http://{{ internal_lb_vip_address }}:5000"
keystone_service_internalurl: "{{ keystone_service_internaluri }}/v3"
keystone_service_adminuri: "http://{{ internal_lb_vip_address }}:35357"
keystone_service_adminurl: "{{ keystone_service_adminuri }}/v3"
openrc_os_password: "{{ keystone_auth_admin_password }}"
openrc_os_domain_name: "Default"
memcached_servers: 10.100.100.101
memcached_encryption_key: "secrete"