OpenStack-Ansible Horizon

OpenStack-Ansible Horizon

This Ansible role installs and configures OpenStack Horizon served by the Apache webserver. Horizon is configured to use Galera for session caching and Memcached for other caching.

To clone or view the source code for this repository, visit the role repository for os_horizon.

Default variables

## Verbosity Options
debug: False

# Set the package install state for distribution and pip packages
# Options are 'present' and 'latest'
horizon_package_state: "latest"
horizon_pip_package_state: "latest"

## Toggle developer mode
horizon_developer_mode: false

## The git source/branch for Horizon
horizon_git_repo: https://git.openstack.org/openstack/horizon
horizon_git_install_branch: "stable/queens"

## The git source/branch for the Magnum UI plugin
magnum_dashboard_git_repo: https://git.openstack.org/openstack/magnum-ui
magnum_dashboard_git_install_branch: "master" # "stable/queens" isn't branched yet.

## The git source/branch for the Octavia UI plugin
octavia_dashboard_git_repo: https://git.openstack.org/openstack/octavia-dashboard
octavia_dashboard_git_install_branch: master

## The git source/branch for the Designate UI plugin
designate_dashboard_git_repo: https://git.openstack.org/openstack/designate-dashboard
designate_dashboard_git_install_branch: "stable/queens"

## The git source/branch for the Trove UI plugin
trove_dashboard_git_repo: https://git.openstack.org/openstack/trove-dashboard
trove_dashboard_git_install_branch: "stable/queens"

## The git source/branch for the Heat UI plugin
heat_dashboard_git_repo: https://git.openstack.org/openstack/heat-dashboard
heat_dashboard_git_install_branch: "stable/queens"

## The packages to build from source (used in developer mode)
horizon_developer_constraints:
  - "git+{{ horizon_git_repo }}@{{ horizon_git_install_branch }}#egg=horizon"
  - "git+{{ magnum_dashboard_git_repo }}@{{ magnum_dashboard_git_install_branch }}#egg=magnum-ui"
  - "git+{{ designate_dashboard_git_repo }}@{{ designate_dashboard_git_install_branch }}#egg=designate_dashboard"
  - "git+{{ trove_dashboard_git_repo }}@{{ trove_dashboard_git_install_branch }}#egg=trove_dashboard"
  - "git+{{ heat_dashboard_git_repo }}@{{ heat_dashboard_git_install_branch }}#egg=heat_dashboard"

# Name of the virtual env to deploy into
horizon_venv_tag: untagged
horizon_bin: "/openstack/venvs/horizon-{{ horizon_venv_tag }}/bin"

# venv_download, even when true, will use the fallback method of building the
# venv from scratch if the venv download fails.
horizon_venv_download: "{{ not horizon_developer_mode | bool }}"
horizon_venv_download_url: http://127.0.0.1/venvs/untagged/ubuntu/horizon.tgz

## System info
horizon_system_user_name: horizon
horizon_system_group_name: horizon

horizon_system_shell: /bin/false
horizon_system_comment: horizon system user
horizon_system_user_home: "/var/lib/{{ horizon_system_user_name }}"

## Service Type and Data
horizon_service_region: RegionOne
horizon_service_name: horizon

## Database info
horizon_galera_database: dash
horizon_galera_user: dash
horizon_galera_use_ssl: "{{ galera_use_ssl | default(False) }}"
horizon_galera_ssl_ca_cert: "{{ galera_ssl_ca_cert | default('/etc/ssl/certs/galera-ca.pem') }}"

## Session configuration
# Specifies the timespan in seconds inactivity, until a user is considered as
# logged out
horizon_session_timeout: 1800

## Horizon Help URL Path
horizon_help_url: http://docs.openstack.org

## Installation directories
horizon_lib_dir: "{{ horizon_bin | dirname }}/lib/python2.7/dist-packages"
horizon_lib_wsgi_file: "{{ horizon_lib_dir }}/openstack_dashboard/wsgi/django.wsgi"

horizon_endpoint_type: internalURL

horizon_server_name: "{{ ansible_hostname | default('horizon') }}"
horizon_apache_servertokens: "Prod"
horizon_apache_serversignature: "Off"
horizon_log_level: info
horizon_apache_custom_log_format: combined
horizon_dropdown_max_items: 30
horizon_instance_log_length: 35
horizon_overview_days_range: 1
horizon_images_upload_mode: direct
horizon_images_allow_location: False
horizon_time_zone: UTC
horizon_enforce_password_check: False
horizon_disable_password_reveal: False
horizon_enable_password_retrieve: False
horizon_enable_password_autocomplete: False
horizon_enable_heatstack_user_pass: True
# If nova_libvirt_inject_password is set to True, then this can also be enabled:
horizon_can_set_password: False
horizon_enable_cinder_backup: False
# Enables IPv6 support in Horizon, such as managing network subnets
horizon_enable_ipv6: True
# Enables router support in Horizon, disable if you don't have Neutron L3 agent
horizon_enable_router: True

# Disable/Enable simplified floating IP address management for deployments with
# multiple floating IP pools or complex network requirements.
horizon_simple_ip_management: True

# To enable ha router support in horizon set to True
horizon_enable_ha_router: False

# DISALLOW_IFRAME_EMBED can be used to prevent Horizon from being embedded
# within an iframe. Legacy browsers are still vulnerable to a Cross-Frame
# Scripting (XFS) vulnerability, so this option allows extra security hardening
# where iframes are not used in deployment. Default setting is True.
# For more information see:
# http://tinyurl.com/anticlickjack
horizon_disallow_iframe_embed: True

# WSGI tuning parameters
# horizon_wsgi_processes: 4
# horizon_wsgi_threads: 4

## Cap the maximun number of threads / workers when a user value is unspecified.
horizon_wsgi_threads_max: 16
horizon_wsgi_threads: "{{ [[ansible_processor_vcpus|default(2) // 2, 1] | max, horizon_wsgi_threads_max] | min }}"

## Horizon SSL
horizon_ssl_cert: /etc/ssl/certs/horizon.pem
horizon_ssl_key: /etc/ssl/private/horizon.key
horizon_ssl_ca_cert: /etc/ssl/certs/horizon-ca.pem
horizon_ssl_protocol: "{{ ssl_protocol | default('ALL -SSLv2 -SSLv3') }}"
horizon_ssl_cipher_suite: "{{ ssl_cipher_suite | default('ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS') }}"
# if using a self-signed certificate, set this to true to regenerate it
horizon_ssl_self_signed_regen: false
horizon_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ horizon_server_name }}/subjectAltName=IP.1={{ external_lb_vip_address }}"

# Set these variables to deploy custom certificates
# horizon_user_ssl_cert: <path to cert on ansible deployment host>
# horizon_user_ssl_key: <path to cert on ansible deployment host>
# horizon_user_ssl_ca_cert: <path to cert on ansible deployment host>

# Toggle whether horizon should be served via SSL
horizon_enable_ssl: "{{ (haproxy_ssl | default(True)) | bool }}"

# Toggle whether horizon is served via an external device, like a load
# balancer. This enables the use of the horizon_secure_proxy_ssl_header
# in the web server configuration.
# Note (odyssey4me):
# This variable is actually badly named, as it applies
# settings which have nothing to do with SSL.
horizon_external_ssl: "{{ (openstack_external_ssl | default(False)) | bool }}"

# Set this to the header that your device sets when doing ssl termination
# Note (odyssey4me):
# This variable is actually badly named, as it applies
# settings which have nothing to do with SSL.
horizon_secure_proxy_ssl_header: "X-Forwarded-Proto"
horizon_secure_proxy_ssl_header_django: "HTTP_{{ horizon_secure_proxy_ssl_header | replace('-', '_') | upper }}"

# For multiple regions uncomment this configuration, and
# add the extra endpoints below the first list item.
# horizon_available_regions:
#   - { url: "{{ keystone_service_internalurl }}", name: "{{ keystone_service_region }}" }
#   - { url: "http://cluster1.example.com:5000/v2.0", name: "RegionTwo" }

## Horizon's keystone endpoint settings
horizon_keystone_host: "{{ internal_lb_vip_address }}"
horizon_keystone_endpoint: "{{ keystone_service_internalurl }}"

## Horizon Multi-Domain Support
# these variables should only be changed if horizon_keystone_endpoint is a Keystone v3 API endpoint
horizon_keystone_multidomain_support: False
horizon_keystone_default_domain: Default

# Enable/disable v2 openrc file download in horizon.
horizon_show_keystone_v2_rc: True

### Set the cacert pem for Keystone if you'd like Horizon to verify it.
# horizon_cacert_pem: /path/to/cacert.pem

## alternatively, you can set horizon to turn off ssl verification for Keystone
horizon_ssl_no_verify: "{{ (keystone_service_adminuri_insecure | bool or keystone_service_internaluri_insecure | bool) | default(false) }}"

## The role which Horizon should use as a default for users
horizon_default_role_name: _member_

## Launch instance
horizon_launch_instance_legacy: False
horizon_launch_instance_ng: True
horizon_launch_instance_defaults:
  config_drive: False
  enable_scheduler_hints: True
  disable_image: False
  disable_instance_snapshot: False
  disable_volume: False
  disable_volume_snapshot: False
  create_volume: True

## Ironic UI Panel
horizon_enable_ironic_ui: False

## Magnum UI Panel
horizon_enable_magnum_ui: False

## Magnum UI Panel
horizon_enable_octavia_ui: False

## Sahara UI Panel
horizon_enable_sahara_ui: False

## Trove UI Panel
horizon_enable_trove_ui: False

## Designate UI Panel
horizon_enable_designate_ui: False

## Heat UI Panel
horizon_enable_heat_ui: False

## Neutron features to enable
horizon_enable_neutron_lbaas: False
horizon_enable_neutron_fwaas: False

## Swift
horizon_swift_file_transfer_chunk_size: 524288

## Panel
horizon_default_panel: overview

# For blacklisting certain Nova extensions uncomment this configuration,
# and add necessary list items.
# horizon_nova_extensions_blacklist:
#   - "SimpleTenantUsage"

## Customization module
## See https://docs.openstack.org/horizon/latest/configuration/customizing.html#horizon-customization-module-overrides
# horizon_customization_module: /local/path/to/customization_module.py

## Replace default theme files with your own
# horizon_custom_uploads:
#   logo:
#     src: "path_on_deployment_host_of_your_custom_logo.svg"
#     dest: "img/logo.svg"
#   logo_splash:
#     src: "path_on_deployment_host_of_your_custom_logo-splash.svg"
#     dest: "img/logo-splash.svg"

_horizon_available_themes:
  default:
    theme_name: "default"
    theme_label: "Default"
    theme_path: "themes/default"
  material:
    theme_name: "material"
    theme_label: "Material"
    theme_path: "themes/material"

# Add custom themes. Deployers need to place the archive, with the theme inside,
# into the directory, which is specified by theme_src_archive key.
# It should be an absolute path to the archive on the deployment host.
# Leading folders are not expected in the archive.
# Following archive formats are supported:
# .tar.gz, .tgz, .zip, .tar.bz, .tar.bz2, .tbz, .tbz2
# See https://docs.openstack.org/horizon/latest/configuration/themes.html
# for more details on custom themes
# Example:
#
# horizon_custom_themes:
#   custom_theme:
#     theme_name: "custom"
#     theme_label: "Custom"
#     theme_path: "themes/custom"
#     theme_src_archive: "/etc/openstack_deploy/horizon/themes/custom.tar.gz"
#
horizon_custom_themes: {}

# Which of the available themes will be used by default
# value is the theme_name from the vars above
horizon_default_theme: "default"

horizon_webroot: /

horizon_listen_ports:
  - "80"
  - "443"

# horizon packages that must be installed before anything else
horizon_requires_pip_packages:
  - virtualenv
  - python-keystoneclient # Keystoneclient needed to OSA keystone lib
  - httplib2

horizon_pip_packages:
  - cryptography
  - django-appconf
  - django-openstack-auth
  - greenlet
  - heat_dashboard
  - horizon
  - ironic-ui
  - magnum-ui
  - keystonemiddleware
  - PyMySQL
  - neutron-lbaas-dashboard
  - neutron-fwaas-dashboard
  - oslo.config
  - ply
  - python-memcached
  - python-keystoneclient
  - sahara_dashboard
  - trove_dashboard
  - designate_dashboard
  - octavia_dashboard

# This variable is used to install additional pip packages
# that could be needed for additional dashboards
horizon_optional_pip_packages: []

# This variable is used to update the horizon translations from
# Zanata, this can be set to "True" when testing translations,
# but should otherwise be left as False.
horizon_translations_update: False

# This variable is used by the repo_build process to determine
# which host group to check for members of before building the
# pip packages required by this role. The value is picked up
# by the py_pkgs lookup.
horizon_role_project_group: horizon_all

# Set arbitrary horizon configuration options
horizon_config_overrides: {}

horizon_keystone_admin_roles:
  - admin

# Set the "credentials" authentication choice to show as default.
# The list of authentication mechanisms which include keystone
# federation protocols and identity provider/federation protocol
horizon_websso_initial_choice: "credentials"

horizon_panels: "{{ _horizon_panels }}"

Dependencies

This role needs pip >= 7.1 installed on the target host.

To use this role, define the following variables:

horizon_galera_address: 10.100.100.101
horizon_container_mysql_password: "SuperSecrete"
horizon_secret_key: "SuperSecreteHorizonKey"

This list is not exhaustive. See role internals for further details.

Example playbook

- name: Installation and setup of horizon
  hosts: horizon_all
  user: root
  roles:
    - { role: "os_horizon", tags: [ "os-horizon" ] }
  vars:
    galera_client_drop_config_file: false
    external_lb_vip_address: 10.100.100.101
    internal_lb_vip_address: 10.100.100.101
    horizon_galera_address: 10.100.100.101
    horizon_container_mysql_password: "SuperSecrete"
    horizon_secret_key: "SuperSecreteHorizonKey"
    horizon_external_ssl: true
    galera_root_password: "secrete"
    rabbitmq_servers: 10.100.100.101
    rabbitmq_use_ssl: false
    rabbitmq_port: 5671
    keystone_admin_user_name: admin
    keystone_auth_admin_password: "SuperSecretePassword"
    keystone_admin_tenant_name: admin
    keystone_service_adminuri_insecure: false
    keystone_service_internaluri_insecure: false
    keystone_service_internaluri: "http://{{ internal_lb_vip_address }}:5000"
    keystone_service_internalurl: "{{ keystone_service_internaluri }}/v3"
    keystone_service_adminuri: "http://{{ internal_lb_vip_address }}:35357"
    keystone_service_adminurl: "{{ keystone_service_adminuri }}/v3"
    openrc_os_password: "{{ keystone_auth_admin_password }}"
    openrc_os_domain_name: "Default"
    memcached_servers: 10.100.100.101
    memcached_encryption_key: "secrete"

Tags

This role supports two tags: horizon-install and horizon-config.

The horizon-install tag can be used to install and upgrade.

The horizon-config tag can be used to manage configuration.

Creative Commons Attribution 3.0 License

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.