OpenStack-Ansible Horizon¶

Configuring the Dashboard (horizon) (optional)
- Securing horizon communication with SSL certificates
- Configuring a horizon customization module

This Ansible role installs and configures OpenStack Horizon served by the Apache webserver. Horizon is configured to use Galera for session caching and Memcached for other caching.

To clone or view the source code for this repository, visit the role repository for os_horizon.

Default variables¶

## Verbosity Options
debug: False

# Set the package install state for distribution and pip packages
# Options are 'present' and 'latest'
horizon_package_state: "latest"
horizon_pip_package_state: "latest"

## Toggle developer mode
horizon_developer_mode: false

## The git source/branch for Horizon
horizon_git_repo: https://git.openstack.org/openstack/horizon
horizon_git_install_branch: stable/ocata

## The git source/branch for the Magnum UI plugin
magnum_dashboard_git_repo: https://git.openstack.org/openstack/magnum-ui
magnum_dashboard_git_install_branch: stable/ocata

## The git source/branch for the Designate UI plugin
designate_dashboard_git_repo: https://git.openstack.org/openstack/designate-dashboard
designate_dashboard_git_install_branch: stable/ocata

## The git source/branch for the Trove UI plugin
trove_dashboard_git_repo: https://git.openstack.org/openstack/trove-dashboard
trove_dashboard_git_install_branch: stable/ocata

## The packages to build from source (used in developer mode)
horizon_developer_constraints:
  - "git+{{ horizon_git_repo }}@{{ horizon_git_install_branch }}#egg=horizon"
  - "git+{{ magnum_dashboard_git_repo }}@{{ magnum_dashboard_git_install_branch }}#egg=magnum-ui"
  - "git+{{ designate_dashboard_git_repo }}@{{ designate_dashboard_git_install_branch }}#egg=designate_dashboard"
  - "git+{{ trove_dashboard_git_repo }}@{{ trove_dashboard_git_install_branch }}#egg=trove_dashboard"

# Name of the virtual env to deploy into
horizon_venv_tag: untagged
horizon_bin: "/openstack/venvs/horizon-{{ horizon_venv_tag }}/bin"

# venv_download, even when true, will use the fallback method of building the
# venv from scratch if the venv download fails.
horizon_venv_download: "{{ not horizon_developer_mode | bool }}"
horizon_venv_download_url: http://127.0.0.1/venvs/untagged/ubuntu/horizon.tgz

## System info
horizon_system_user_name: horizon
horizon_system_group_name: horizon

horizon_system_shell: /bin/false
horizon_system_comment: horizon system user
horizon_system_user_home: "/var/lib/{{ horizon_system_user_name }}"

## Service Type and Data
horizon_service_region: RegionOne
horizon_service_name: horizon

## DB info
horizon_galera_database: dash
horizon_galera_user: dash

## Session configuration
# Specifies the timespan in seconds inactivity, until a user is considered as
# logged out
horizon_session_timeout: 1800

## Horizon Help URL Path
horizon_help_url: http://docs.openstack.org

## Installation directories
horizon_lib_dir: "{{ horizon_bin | dirname }}/lib/python2.7/dist-packages"
horizon_lib_wsgi_file: "{{ horizon_lib_dir }}/openstack_dashboard/wsgi/django.wsgi"

horizon_endpoint_type: internalURL

horizon_server_name: "{{ ansible_hostname | default('horizon') }}"
horizon_apache_servertokens: "Prod"
horizon_apache_serversignature: "Off"
horizon_log_level: info
horizon_apache_custom_log_format: combined
horizon_dropdown_max_items: 30
horizon_instance_log_length: 35
horizon_overview_days_range: 1
horizon_images_upload_mode: direct
horizon_images_allow_location: False
horizon_time_zone: UTC
horizon_enforce_password_check: False
horizon_disable_password_reveal: False
horizon_enable_password_retrieve: False
horizon_enable_password_autocomplete: False
horizon_enable_heatstack_user_pass: True
# If nova_libvirt_inject_password is set to True, then this can also be enabled:
horizon_can_set_password: False
horizon_enable_cinder_backup: False
# Enables IPv6 support in Horizon, such as managing network subnets
horizon_enable_ipv6: True

# Disable/Enable simplified floating IP address management for deployments with
# multiple floating IP pools or complex network requirements.
horizon_simple_ip_management: True

# To enable ha router support in horizon set to True
horizon_enable_ha_router: False

# DISALLOW_IFRAME_EMBED can be used to prevent Horizon from being embedded
# within an iframe. Legacy browsers are still vulnerable to a Cross-Frame
# Scripting (XFS) vulnerability, so this option allows extra security hardening
# where iframes are not used in deployment. Default setting is True.
# For more information see:
# http://tinyurl.com/anticlickjack
horizon_disallow_iframe_embed: True

# WSGI tuning parameters
# horizon_wsgi_processes: 4
# horizon_wsgi_threads: 4

## Cap the maximun number of threads / workers when a user value is unspecified.
horizon_wsgi_threads_max: 16
horizon_wsgi_threads: "{{ [[ansible_processor_vcpus|default(2) // 2, 1] | max, horizon_wsgi_threads_max] | min }}"

## Horizon SSL
horizon_ssl_cert: /etc/ssl/certs/horizon.pem
horizon_ssl_key: /etc/ssl/private/horizon.key
horizon_ssl_ca_cert: /etc/ssl/certs/horizon-ca.pem
horizon_ssl_protocol: "{{ ssl_protocol | default('ALL -SSLv2 -SSLv3') }}"
horizon_ssl_cipher_suite: "{{ ssl_cipher_suite | default('ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS') }}"
# if using a self-signed certificate, set this to true to regenerate it
horizon_ssl_self_signed_regen: false
horizon_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ horizon_server_name }}/subjectAltName=IP.1={{ external_lb_vip_address }}"

# Set these variables to deploy custom certificates
# horizon_user_ssl_cert: <path to cert on ansible deployment host>
# horizon_user_ssl_key: <path to cert on ansible deployment host>
# horizon_user_ssl_ca_cert: <path to cert on ansible deployment host>

# Set this to True if you do ssl termination on an external device, like the
# load balancer
horizon_external_ssl: false

# Set this to the header that your device sets when doing ssl termination
horizon_secure_proxy_ssl_header: "X-Forwarded-Proto"
horizon_secure_proxy_ssl_header_django: "HTTP_{{ horizon_secure_proxy_ssl_header | replace('-', '_') | upper }}"

# For multiple regions uncomment this configuration, and
# add the extra endpoints below the first list item.
# horizon_available_regions:
#   - { url: "{{ keystone_service_internalurl }}", name: "{{ keystone_service_region }}" }
#   - { url: "http://cluster1.example.com:5000/v2.0", name: "RegionTwo" }

## Horizon's keystone endpoint settings
horizon_keystone_host: "{{ internal_lb_vip_address }}"
horizon_keystone_endpoint: "{{ keystone_service_internalurl }}"

## Horizon Multi-Domain Support
# these variables should only be changed if horizon_keystone_endpoint is a Keystone v3 API endpoint
horizon_keystone_multidomain_support: False
horizon_keystone_default_domain: Default

### Set the cacert pem for Keystone if you'd like Horizon to verify it.
# horizon_cacert_pem: /path/to/cacert.pem

## alternatively, you can set horizon to turn off ssl verification for Keystone
horizon_ssl_no_verify: "{{ (keystone_service_adminuri_insecure | bool or keystone_service_internaluri_insecure | bool) | default(false) }}"

## The role which Horizon should use as a default for users
horizon_default_role_name: _member_

## Launch instance
horizon_launch_instance_legacy: False
horizon_launch_instance_ng: True

## Ironic UI Panel
horizon_enable_ironic_ui: False

## Magnum UI Panel
horizon_enable_magnum_ui: False

## Sahara UI Panel
horizon_enable_sahara_ui: False

## Trove UI Panel
horizon_enable_trove_ui: False

## Designate UI Panel
horizon_enable_designate_ui: False

## Neutron features to enable
horizon_enable_neutron_lbaas: False
horizon_enable_neutron_fwaas: False
horizon_enable_neutron_vpnaas: False

## Swift
horizon_swift_file_transfer_chunk_size: 524288

## Panel
horizon_default_panel: overview

# For blacklisting certain Nova extensions uncomment this configuration,
# and add necessary list items.
# horizon_nova_extensions_blacklist:
#   - "SimpleTenantUsage"

## Customization module
## See http://docs.openstack.org/developer/horizon/topics/customizing.html#horizon-customization-module-overrides
# horizon_customization_module: /local/path/to/customization_module.py

## Replace default theme files with your own
# horizon_custom_uploads:
#   logo:
#     src: "path_on_deployment_host_of_your_custom_logo.png"
#     dest: "img/logo.png"
#   logo_splash:
#     src: "path_on_deployment_host_of_your_custom_logo-splash.png"
#     dest: "img/logo-splash.png"

_horizon_available_themes:
  default:
    theme_name: "default"
    theme_label: "Default"
    theme_path: "themes/default"
  material:
    theme_name: "material"
    theme_label: "Material"
    theme_path: "themes/material"

# Add custom themes. Deployers need to place the theme directories
# and files on the horizon containers in:
#   {{ horizon_lib_dir }}/openstack_dashboard/themes
# See http://docs.openstack.org/developer/horizon/topics/customizing.html#themes
# for more details on custom themes
# Example:
#
# horizon_custom_themes:
#   custom_theme:
#     theme_name: "custom"
#     theme_label: "Custom"
#     theme_path: "themes/custom"
#
horizon_custom_themes: {}

# Which of the available themes will be used by default
# value is the theme_name from the vars above
horizon_default_theme: "default"

horizon_webroot: /

horizon_listen_ports:
  - "80"
  - "443"

# horizon packages that must be installed before anything else
horizon_requires_pip_packages:
  - virtualenv
  - virtualenv-tools
  - python-keystoneclient # Keystoneclient needed to OSA keystone lib
  - httplib2

horizon_pip_packages:
  - django-appconf
  - django-openstack-auth
  - greenlet
  - horizon
  - ironic-ui
  - magnum-ui
  - keystonemiddleware
  - MySQL-python
  - PyMySQL
  - neutron-lbaas-dashboard
  - oslo.config
  - ply
  - pycrypto
  - python-memcached
  - python-keystoneclient
  - sahara_dashboard
  - trove_dashboard
  - designate_dashboard

# This variable is used to install additional pip packages
# that could be needed for additional dashboards
horizon_optional_pip_packages: []

# This variable is used by the repo_build process to determine
# which host group to check for members of before building the
# pip packages required by this role. The value is picked up
# by the py_pkgs lookup.
horizon_role_project_group: horizon_all

# Set arbitrary horizon configuration options
horizon_config_overrides: {}

horizon_keystone_admin_roles:
  - admin

Required variables¶

This list is not exhaustive. See role internals for further details.

horizon_galera_address: 10.100.100.101
horizon_container_mysql_password: "SuperSecrete"
horizon_secret_key: "SuperSecreteHorizonKey"

Example playbook¶

- name: Installation and setup of horizon
  hosts: horizon_all
  user: root
  roles:
    - { role: "os_horizon", tags: [ "os-horizon" ] }
  vars:
    galera_client_drop_config_file: false
    external_lb_vip_address: 10.100.100.101
    internal_lb_vip_address: 10.100.100.101
    horizon_galera_address: 10.100.100.101
    horizon_container_mysql_password: "SuperSecrete"
    horizon_secret_key: "SuperSecreteHorizonKey"
    horizon_external_ssl: true
    galera_root_password: "secrete"
    rabbitmq_servers: 10.100.100.101
    rabbitmq_use_ssl: false
    rabbitmq_port: 5671
    keystone_admin_user_name: admin
    keystone_auth_admin_password: "SuperSecretePassword"
    keystone_admin_tenant_name: admin
    keystone_service_adminuri_insecure: false
    keystone_service_internaluri_insecure: false
    keystone_service_internaluri: "http://{{ internal_lb_vip_address }}:5000"
    keystone_service_internalurl: "{{ keystone_service_internaluri }}/v3"
    keystone_service_adminuri: "http://{{ internal_lb_vip_address }}:35357"
    keystone_service_adminurl: "{{ keystone_service_adminuri }}/v3"
    openrc_os_password: "{{ keystone_auth_admin_password }}"
    openrc_os_domain_name: "Default"
    memcached_servers: 10.100.100.101
    memcached_encryption_key: "secrete"

Tags¶

This role supports two tags: horizon-install and horizon-config.

The horizon-install tag can be used to install and upgrade.

The horizon-config tag can be used to manage configuration.