Zed Series Release Notes

18.0.0.0b1-215

New Features

• Add horizon_allowed_hosts to be able to configure django ALLOWED_HOSTS. The default is still the same as it was but you can create a list of allowed hosts in /etc/openstack_deploy/user_variables.yml. to set the correct value, see https://docs.djangoproject.com/en/dev/ref/settings/#allowed-hosts for more details.

• The blazar dashboard is available in Horizon. Deployers can enable the panel by setting the following Ansible variable:

  horizon_enable_blazar_ui: True
  

• The cloudkitty dashboard is available in Horizon. Deployers can enable the panel by setting the following Ansible variable:

  horizon_enable_cloudkitty_ui: True
  

• The os_horizon role now supports distribution of user custom themes. Deployers can use the new key theme_src_archive of horizon_custom_themes dictionary to provide absolute path to the archived theme. Only .tar.gz, .tgz, .zip, .tar.bz, .tar.bz2, .tbz, .tbz2 archives are supported. Structure inside archive should be as a standard theme, without any leading folders.

• The service setup in keystone for horizon will now be executed through delegation to the horizon_service_setup_host which, by default, is localhost (the deploy host). Deployers can opt to rather change this to the utility container by implementing the following override in user_variables.yml.

  horizon_service_setup_host: "{{ groups['utility_all'][0] }}"
  

• Added variable horizon_bind_address which defines IP address where Apache will listen on horizon_listen_ports

• Added variable horizon_policy_overrides which allows to customize horizon specific policies. As we don’t want to carry and maintain horizon policies with OSA, they’re retrieved from horizon hosts and adjusted in-place, which means that they won’t rollback in case you just remove override. horizon_policy_overrides has also non-standart format, as it’s nested dictionary, where 1st level key represents service which policy needs to be overriden, and it’s value is normal policy override format.

• The ability to define trusted Cross-Site Request Forgery domains hsa been added with the horizon_ssl_csrf_trusted_origins variable. The new variable is a array of strings and when defined will render the django built-in variable CSRF_TRUSTED_ORIGINS.

  https://docs.djangoproject.com/en/4.1/ref/settings/#csrf-trusted-origins

• Horizon now has the ability to run directly from uWSGI. To support this feature the new Boolean variable horizon_use_uwsgi has been added. The new variable, when set to true, will omit the apache2 install process and instead run horizon from a uWSGI process leveraging a systemd service file.

• Implemented horizon WEBSSO auto redirects. Following new variables were added to manage redirects configuration:

  • horizon_websso_default_redirect

  • horizon_websso_default_redirect_region

  • horizon_websso_default_redirect_logout

• Horizon has, since OSA’s inception, been deployed with HTTPS access enabled, and has had no way to turn it off. Some use-cases may want to access via HTTP instead, so this patch enables the following.

  • Listen via HTTPS on a load balancer, but via HTTP on the horizon host and have the load balancer forward the correct headers. It will do this by default in the integrated build due to the presence of the load balancer, so the current behaviour is retained.

  • Enable HTTPS on the horizon host without a load balancer. This is the role’s default behaviour which matches what it always has been.

  • Disable HTTPS entirely by setting haproxy_ssl: no (which will also disable https on haproxy. This setting is inherited by the new horizon_enable_ssl variable by default. This is a new option.

• Add the possibility to disable openrc v2 download in the dashboard. new var horizon_show_keystone_v2_rc can be set to False to remove the entry for the openrc v2 download.

• The masakari dashboard is available in Horizon. Deployers can enable the panel by setting the following Ansible variable:

  horizon_enable_masakari_ui: True
  

• The murano dashboard is available in Horizon. Deployers can enable the panel by setting the following Ansible variable:

  horizon_enable_murano_ui: True
  

• VPNaaS dashboard is again available in Horizon. Deployers can enable the panel by setting the following Ansible variable:

  horizon_enable_neutron_vpnaas: True
  

• The role now supports using the distribution packages for the OpenStack services instead of the pip ones. This feature is disabled by default and can be enabled by simply setting the nova_install_method variable to distro.

• Added variables horizon_session_engine and horizon_session_caches which can be used to configure horizon session engine and a backend for it.

• The tacker dashboard is available in Horizon. Deployers can enable the panel by setting the following Ansible variable:

  horizon_enable_tacker_ui: True
  

• The watcher dashboard is available in Horizon. Deployers can enable the panel by setting the following Ansible variable:

  horizon_enable_watcher_ui: True
  

• The zun dashboard is available in Horizon. Deployers can enable the panel by setting the following Ansible variable:

  horizon_enable_zun_ui: True
  

Upgrade Notes

• horizon_listen_ports variable was transformed to the dictionary with required keys http and https to have effect not only for apache ports.conf file, but also for the virtual host.

• SESSION_ENGINE has been changed to memcached by default. So that horizon do not require it’s own database for storing session information anymore. horizon_galera_* variables has no effect now.

Deprecation Notes

• The variable horizon_requires_pip_packages is no longer required and has therefore been removed.

• Variable horizon_enable_neutron_lbaas has been removed because of global neutron lbaas retirement process. This means that horizon neutron-lbaas-ui plugin won’t be installed.

• The variable ‘horizon_ssl_cipher_suite’ is deprecated in favour of ‘horizon_ssl_cipher_suite_tls12’ which will continue to manage configuration of ciphers for TLS v1.2 and earlier.

Security Issues

• The default TLS version has been set to TLS1.2. This only allows version 1.2 of the protocol to be used when terminating or creating TLS connections. You can change the value with the horizon_ssl_protocol variable.

Bug Fixes

• Fixes bug https://bugs.launchpad.net/openstack-ansible/+bug/1778098 where playbook failed, if horizon_custom_themes is specified, and directory for theme is not provided

• Change of horizon_webroot variable is now respected and will be reflected in Apache configuration to serve static files and define wsgi path accordingly.

Other Notes

• When the option horizon_use_uwsgi is enabled, operators need to be aware that not all horizon capabilities will be present. The minimal uSGI process is just that, minimal, and not full featured. If the deployment requires full featured capabilities, the apache based deployment should remain enabled.

16.0.0.0b3

New Features

• It’s now possible to disable heat stack password field in horizon. horizon_enable_heatstack_user_pass variable has been added and default to True.

• It is now possible to use the horizon_launch_instance_defaults variable that allows customizing the default values for properties found in the Launch Instance modal, using the LAUNCH_INSTANCE_DEFAULTS config option. See https://docs.openstack.org/horizon/latest/configuration/settings.html#launch-instance-defaults

• You can force update the translations direct from Zanata by setting horizon_translations_update to True. This will call the pull_catalog option built into horizon-manage.py. You should only use this when testing translations, otherwise this should remain set to the default of False.

16.0.0.0b2

New Features

• The horizon_images_allow_location variable is added to support the IMAGES_ALLOW_LOCATION setting in the horizon_local_settings.py file to allow to specify and external location during the image creation.

16.0.0.0b1

New Features

• Capping the default value for the variables horizon_wsgi_processes and horizon_wsgi_threads to 16 when the user doesn’t configure these variables. Default value is half the number of vCPUs available on the machine with a capping value of 16.

15.0.0.0rc1

New Features

• It’s now possible to change the behavior of DISALLOW_IFRAME_EMBED by defining the variable horizon_disallow_iframe_embed in the user variables.

15.0.0.0b2

New Features

• CentOS7/RHEL support has been added to the os_horizon role.

15.0.0.0b1

New Features

• The os_horizon role now has support for the horizon designate-ui dashboard. The dashboard may be enabled by setting horizon_enable_designate_ui to True in /etc/openstack_deploy/user_variables.yml.

• The Trove dashboard is available in Horizon. Deployers can enable the panel by setting the following Ansible variable:

  horizon_enable_trove_ui: True
  

Upgrade Notes

• The variables horizon_requirements_git_repo and horizon_requirements_git_install_branch have been removed in favour of using the URL/path to the upper-constraints file using the variable pip_install_upper_constraints instead.

14.0.0.0b3

New Features

• The os_horizon role now has support for the horizon magnum-ui dashboard. The dashboard may be enabled by setting horizon_enable_magnum_ui to True in /etc/openstack_deploy/user_variables.yml.

• The horizon_keystone_admin_roles variable is added to support the OPENSTACK_KEYSTONE_ADMIN_ROLES list in the horizon_local_settings.py file.

• The os_horizon role now supports the ability to configure whether apt/yum tasks install the latest available package, or just ensure that the package is present. The default action is to ensure that the latest package is present. The action taken may be changed to only ensure that the package is present by setting horizon_package_state to present.

• The Sahara dashboard is available in Horizon. Deployers can enable the panel by setting the following Ansible variable:

  horizon_enable_sahara_ui: True
  

Upgrade Notes

• The variable horizon_apt_packages has been renamed to horizon_distro_packages.

• The os_horizon role always checks whether the latest package is installed when executed. If a deployer wishes to change the check to only validate the presence of the package, the option horizon_package_state should be set to present.

14.0.0.0b2

New Features

• The os_horizon role now has support for the horizon ironic-ui dashboard. The dashboard may be enabled by setting horizon_enable_ironic_ui to True in /etc/openstack_deploy/user_variables.yml.

• Deployers can now blacklist certain Nova extensions by providing a list of such extensions in horizon_nova_extensions_blacklist variable, for example:

  horizon_nova_extensions_blacklist:
    - "SimpleTenantUsage"
  

• Horizon now has the ability to set arbitrary configuration options using global option horizon_config_overrides in YAML format. The overrides follow the same pattern found within the other OpenStack service overrides. General documentation on overrides can be found here.

• The os_horizon role now supports configuration of custom themes. Deployers can use the new horizon_custom_themes and horizon_default_theme variables to configure the dashboard with custom themes and default to a specific theme respectively.

• Added horizon_apache_custom_log_format tunable to the os-horizon role for changing CustomLog format. Default is “combined”.

Upgrade Notes

• Installation of horizon and its dependent pip packages will now only occur within a Python virtual environment. The horizon_venv_bin, horizon_venv_enabled, horizon_venv_lib_dir, and horizon_non_venv_lib_dir variables have been removed.

Bug Fixes

• The standard collectstatic and compression process in the os_horizon role now happens after horizon customizations are installed, so that all static resources will be collected and compressed.

14.0.0.0b1

New Features

• The new LBaaS v2 dashboard is available in Horizon. Deployers can enable the panel by setting the following Ansible variable:

  horizon_enable_neutron_lbaas: True
  

• Horizon now has a boolean variable named horizon_enable_ha_router to enable Neutron HA router management.

• Horizon’s IPv6 support is now enabled by default. This allows users to manage subnets with IPv6 addresses within the Horizon interface. Deployers can disable IPv6 support in Horizon by setting the following variable:

  horizon_enable_ipv6: False
  

  Please note: Horizon will still display IPv6 addresses in various panels with IPv6 support disabled. However, it will not allow any direct management of IPv6 configuration.

• The horizon next generation instance management panels have been enabled by default. This changes horizon to use the upstream defaults instead of the legacy panels. Documentation can be found here.

Upgrade Notes

• The default horizon instance launch panels have been changed to the next generation panels. To enable legacy functionality set the following options accordingly:

  horizon_launch_instance_legacy: True
  horizon_launch_instance_ng: False
  

• The database and user creates have been removed from the os_horizon role. These tasks have been relocated to the playbooks.

Security Issues

• Horizon disables password autocompletion in the browser by default, but deployers can now enable autocompletion by setting horizon_enable_password_autocomplete to True.