openstack dashboard #518

Supports: bionic focal groovy hirsute impish


The OpenStack Dashboard provides a full feature web interface for interacting with instances, images, volumes and networks within an OpenStack deployment.


The OpenStack Dashboard provides a Django based web interface for use by both administrators and users of an OpenStack Cloud.

It allows you to manage Nova, Glance, Cinder and Neutron resources within the cloud.


The OpenStack Dashboard is deployed and related to keystone:

juju deploy openstack-dashboard
juju add-relation openstack-dashboard:identity-service \

The dashboard will use keystone for user authentication and authorization and to interact with the catalog of services within the cloud.

The dashboard is accessible on:


At a minimum, the cloud must provide Glance and Nova services.

SSL configuration

To fully secure your dashboard services, you can provide a SSL key and certificate for installation and configuration. These are provided as base64 encoded configuration options:

juju config openstack-dashboard ssl_key="$(base64 my.key)" \
    ssl_cert="$(base64 my.cert)"

The service will be reconfigured to use the supplied information.

High availability

When more than one unit is deployed with the hacluster application the charm will bring up an HA active/active cluster.

There are two mutually exclusive high availability options: using virtual IP(s) or DNS. In both cases the hacluster subordinate charm is used to provide the Corosync and Pacemaker backend HA functionality.

See OpenStack high availability in the OpenStack Charms Deployment Guide for details.

Note: Regardless of which HA method has been chosen, the secret option should be set to ensure that the Django secret is consistent across all units.

Keystone V3

If the charm is being deployed into a keystone v3 enabled environment then the charm needs to be related to a database to store session information. This is only supported for Mitaka or later.

Use with a Load Balancing Proxy

Instead of deploying with the hacluster charm for load balancing, its possible to also deploy the dashboard with load balancing proxy such as HAProxy:

juju deploy haproxy
juju add-relation haproxy openstack-dashboard
juju add-unit -n 2 openstack-dashboard

This option potentially provides better scale-out than using the charm in conjunction with the hacluster charm.

Custom Theme

This charm supports providing a custom theme as documented in the themes configuration. In order to enable this capability the configuration options 'ubuntu-theme' and 'default-theme' must both be turned off and the option 'custom-theme' turned on.

Once the option is enabled a custom theme can be provided via a juju resource. The resource should be a .tgz file with the contents of your custom theme. If the file '' is included it will be sourced.

juju attach-resource openstack-dashboard theme=theme.tgz

Repeating the attach-resource will update the theme and turning off the custom-theme option will return to the default.

Policy Overrides

Policy overrides is an advanced feature that allows an operator to override the default policy of an OpenStack service. The policies that the service supports, the defaults it implements in its code, and the defaults that a charm may include should all be clearly understood before proceeding.

Caution: It is possible to break the system (for tenants and other services) if policies are incorrectly applied to the service.

Policy statements are placed in a YAML file. This file (or files) is then placed into an appropriately-name directory (or directories) and (ZIP) compressed into a single file. This compressed file is then used as an application resource. Finally, the override is enabled via a Boolean charm option.

The directory names correspond to the OpenStack services that Horizon has policy override support for:

directory name service charm
compute Nova nova-cloud-controller
identity Keystone keystone
image Glance glance
network Neutron neutron-api
volume Cinder cinder

Important: The exact same overrides must also be implemented at the service level using the appropriate charm. See the Policy Overrides section of each charm's README.

For example, to provide overrides for Nova and Keystone, the compressed file should have a structure similar to the following (the YAML filenames are arbitrary):

\ compute - compute-override1.yaml
|         \ compute-override2.yaml
\ identity - identity-override1.yaml
           | identity-override2.yaml
           \ identity-override3.yaml

Here are the essential commands:

zip -r compute identity
juju attach-resource openstack-dashboard
juju config openstack-dashboard use-policyd-override=true

See appendix Policy Overrides in the OpenStack Charms Deployment Guide for a thorough treatment of this feature.


Please report bugs on Launchpad.

For general charm questions refer to the OpenStack Charm Guide.


(boolean) If True enables openstack upgrades for this charm via juju actions. You will still need to set openstack-origin to the new repository but instead of an upgrade running automatically across all units, it will wait for you to execute the openstack-upgrade action for this charm on each unit. If False it will revert to existing behavior of upgrading all units on config change.
(boolean) Setting this to True will allow password form autocompletion by browser.
(int) The maximum number of objects (e.g. Swift objects or Glance images) to display on a single page before providing a paging element (a "more" link) to paginate results.
(boolean) Enable cinder backup panel.
(boolean) Use a custom theme supplied as a resource. NOTE: This setting is supported >= OpenStack Mitaka and this setting is mutually exclustive to ubuntu-theme and default-theme.
(string) This option provides a means to enable customisation modules to modify existing dashboards and panels. This is available from Liberty onwards.
(string) Database name for Horizon (if enabled).
(string) Username for Horizon database access (if enabled).
(string) Enable Django debug messages.
(boolean) The default value for the option of creating a new volume in the workflow for image and instance snapshot sources when launching an instance. This option has an effect only to Ocata or newer releases.
(string) Default domain when authenticating with Horizon. Disables the domain field in the login page.
(string) Default role for Horizon operations that will be created in Keystone upon introduction of an identity-service relation.
(string) Specify path to theme to use (relative to /usr/share/openstack-dashboard/openstack_dashboard/themes/). . NOTE: This setting is supported >= OpenStack Liberty and this setting is mutually exclusive to ubuntu-theme.
(boolean) This setting disables Snapshots as a valid boot source for launching instances. Snapshots sources won’t show up in the Launch Instance modal dialogue box. This option works from the Newton release, and has no effect on earlier OpenStack releases.
(boolean) If enabled, the reveal button for passwords is removed.
(boolean) Use DNS HA with MAAS 2.0. Note if this is set do not set vip settings below.
(int) Max dropdown items to show in dropdown controls. NOTE: This setting is supported >= OpenStack Liberty.
(boolean) By default Cinder does not enable the Consistency Groups feature. To avoid having the Consistency Groups tabs on Horizon without the feature enabled on Cinder, this also defaults to False. Setting this to True will make the Consistency Groups tabs appear on the dashboard. . This option is supported for releases up to OpenStack Stein only. As of OpenStack Train, consistency groups have been dropped and replaced by the generic group feature. Setting this option for OpenStack Train or above will not do anything.
(boolean) By default Horizon checks that a project has a router attached to an external network before allowing FIPs to be attached to a VM. Some use cases will not meet this constraint, e.g. if the router is owned by a different project. Setting this to False removes this check from Horizon.
(string) Specifies the endpoint types to use for endpoints in the Keystone service catalog. Valid values are 'publicURL', 'internalURL', and 'adminURL'. Both the primary and secondary endpoint types can be specified by providing multiple comma delimited values.
(boolean) If True, displays an ‘Admin Password’ field on the Change Password form to verify that it is indeed the admin logged-in who wants to change the password.
(boolean) If True, redirects plain http requests to https port 443. For this option to have an effect, SSL must be configured.
(string) Default network interface on which HA cluster will bind to communication with the other members of the HA Cluster.
(int) Default multicast port number that will be used to communicate between HA Cluster nodes.
(int) Client timeout configuration in ms for haproxy, used in HA configurations. If not provided, default value of 90000ms is used.
(int) Connect timeout configuration in ms for haproxy, used in HA configurations. If not provided, default value of 9000ms is used.
(boolean) If True, exposes stats interface externally.
(int) Queue timeout configuration in ms for haproxy, used in HA configurations. If not provided, default value of 9000ms is used.
(int) Server timeout configuration in ms for haproxy, used in HA configurations. If not provided, default value of 90000ms is used.
(string) Apply system hardening. Supports a space-delimited list of modules to run. Supported modules currently include os, ssh, apache and mysql.
(boolean) Hide the "Create New Volume" option and rely on the default-create-volume value during instance creation.
(int) "max-age" parameter for HSTS(HTTP Strict Transport Security) header. Use with caution since once you set this option, browsers will remember it so they can only use HTTPS (HTTP connection won't be allowed) until max-age expires. . An example value is one year (31536000). However, a shorter max-age such as 24 hours (86400) is recommended during initial rollout in case of any mistakes. For more details on HSTS, refer to: . For this option to have an effect, SSL must be configured and enforce-ssl option must be true.
(string) The image-formats setting can be used to alter the default list of advertised image formats. Many installations cannot use all the formats that Glance recognizes, restricting the list here prevents unwanted formats from being listed in Horizon which can lead to confusion. . This setting takes a space separated list, for example: iso qcow2 raw . Supported formats are: aki, ami, ari, docker, iso, ova, qcow2, raw, vdi, vhd, vmdk. . If not provided, leave the option unconfigured which enables all of the above.
(string) Parameters to pass to the nrpe plugin check_http.
-H localhost -I -u '/' -e 200,301,302
(string) Used by the nrpe-external-master subordinate charm. A string that will be prepended to instance name to set the host name in nagios. So for instance the hostname would be something like: . juju-postgresql-0 . If you're running multiple environments with the same services in them this allows you to differentiate between them.
(string) A comma-separated list of nagios servicegroups. If left empty, the nagios_context will be used as the servicegroup.
(boolean) Enable Neutron distributed virtual router (DVR) feature in the Router panel.
(boolean) Enable neutron firewall service panel.
(boolean) Enable HA (High Availability) mode in Neutron virtual router in the Router panel.
(boolean) Enable neutron load balancer service panel. . NOTE: This configuration option only applies to OpenStack Stein and earlier. Since OpenStack Train the Neutron load balancer components have been replaced by Octavia.
(boolean) Enable neutron vpn service panel.
(string) Use pre-generated Less compiled JS and CSS.
(string) Repository from which to install. May be one of the following: distro (default), ppa:somecustom/ppa, a deb url sources entry, or a supported Ubuntu Cloud Archive e.g. . cloud:<series>-<openstack-release> cloud:<series>-<openstack-release>/updates cloud:<series>-<openstack-release>/staging cloud:<series>-<openstack-release>/proposed . See for info on which cloud archives are available and supported. . NOTE: updating this setting to a source that is known to provide a later version of OpenStack will trigger a software upgrade unless action-managed-upgrade is set to True.
(string) The hostname or address of the public endpoints created for openstack-dashboard. . This value will be used for public endpoints. For example, an os-public-hostname set to '' with will create the following public endpoint for the swift-proxy: .
(boolean) Enable "Retrieve password" instance action.
(boolean) If True enables IPv6 support. The charm will expect network interfaces to be configured with an IPv6 address. If set to False (default) IPv4 is expected. . NOTE: these charms do not currently support IPv6 privacy extension. In order for this charm to function correctly, the privacy extension must be disabled and a non-temporary address must be configured/available on your network interface.
(string) Default profile for the dashboard. Eg. cisco.
(string) Secret for Horizon to use when securing internal data; set this when using multiple dashboard units.
(int) A method to supersede the token timeout with a shorter dashboard session timeout in seconds. For example, if your token expires in 60 minutes, a value of 1800 will log users out after 30 minutes.
(string) Base64-encoded certificate authority. This CA is used in conjunction with keystone https endpoints and must, therefore, be the same CA used by any endpoint configured as https/ssl.
(string) Base64-encoded SSL certificate to install and use for Horizon. . juju config openstack-dashboard ssl_cert="$(cat cert| base64)" \ ssl_key="$(cat key| base64)"
(string) Base64-encoded SSL key to use with certificate specified as ssl_cert.
(string) Use Ubuntu theme for the dashboard.
(boolean) Openstack mostly defaults to using public endpoints for internal communication between services. If set to True this option will configure services to use internal endpoints where possible.
(boolean) If True then use the resource named 'policyd-override' to install override YAML files in the horizon's policy directories. The resource file should be a ZIP file containing YAML policy files. These are to be placed into directories that indicate the service that the policy file belongs to. Please see the README of the charm for further details. . If False then remove/disable any overrides in force.
(boolean) Setting this to True will allow supporting services to log to syslog.
(string) Virtual IP to use to front openstack dashboard ha configuration.
(int) Default CIDR netmask to use for HA vip when it cannot be automatically determined.
(string) Default network interface to use for HA vip when it cannot be automatically determined.
(string) Directory where application will be accessible, relative to http://$hostname/.
(float) The CPU core multiplier to use when configuring worker processes for this service. By default, the number of workers for each daemon is set to twice the number of CPU cores a service unit has. This default value will be capped to 4 workers unless this configuration option is set.