openstack dashboard #6

Supports: xenial bionic cosmic disco trusty


The OpenStack Dashboard provides a full feature web interface for interacting with instances, images, volumes and networks within an OpenStack deployment.


The OpenStack Dashboard provides a Django based web interface for use by both administrators and users of an OpenStack Cloud.

It allows you to manage Nova, Glance, Cinder and Neutron resources within the cloud.


The OpenStack Dashboard is deployed and related to keystone:

juju deploy openstack-dashboard
juju add-relation openstack-dashboard keystone

The dashboard will use keystone for user authentication and authorization and to interact with the catalog of services within the cloud.

The dashboard is accessible on:


At a minimum, the cloud must provide Glance and Nova services.

SSL configuration

To fully secure your dashboard services, you can provide a SSL key and certificate for installation and configuration. These are provided as base64 encoded configuration options::

juju set openstack-dashboard ssl_key="$(base64 my.key)" \
    ssl_cert="$(base64 my.cert)"

The service will be reconfigured to use the supplied information.


There are two mutually exclusive high availability options: using virtual IP(s) or DNS. In both cases, a relationship to hacluster is required which provides the corosync back end HA functionality.

To use virtual IP(s) the clustered nodes must be on the same subnet such that the VIP is a valid IP on the subnet for one of the node's interfaces and each node has an interface in said subnet. The VIP becomes a highly-available API endpoint.

At a minimum, the config option 'vip' must be set in order to use virtual IP HA. If multiple networks are being used, a VIP should be provided for each network, separated by spaces. Optionally, vip_iface or vip_cidr may be specified.

To use DNS high availability there are several prerequisites. However, DNS HA does not require the clustered nodes to be on the same subnet. Currently the DNS HA feature is only available for MAAS 2.0 or greater environments. MAAS 2.0 requires Juju 2.0 or greater. The clustered nodes must have static or "reserved" IP addresses registered in MAAS. The DNS hostname(s) must be pre-registered in MAAS before use with DNS HA.

At a minimum, the config option 'dns-ha' must be set to true and at least one of 'os-public-hostname', 'os-internal-hostname' or 'os-internal-hostname' must be set in order to use DNS HA. One or more of the above hostnames may be set.

The charm will throw an exception in the following circumstances: If neither 'vip' nor 'dns-ha' is set and the charm is related to hacluster If both 'vip' and 'dns-ha' are set as they are mutually exclusive If 'dns-ha' is set and none of the os-{admin,internal,public}-hostname(s) are set

Whichever method has been used to cluster the charm the 'secret' option should be set to ensure that the Django secret is consistent across all units.

Keystone V3

If the charm is being deployed into a keystone v3 enabled environment then the charm needs to be related to a database to store session information. This is only supported for Mitaka or later.

Use with a Load Balancing Proxy

Instead of deploying with the hacluster charm for load balancing, its possible to also deploy the dashboard with load balancing proxy such as HAProxy:

juju deploy haproxy
juju add-relation haproxy openstack-dashboard
juju add-unit -n 2 openstack-dashboard

This option potentially provides better scale-out than using the charm in conjunction with the hacluster charm.

Custom Theme

This charm supports providing a custom theme as documented in the [themes configuration]. In order to enable this capability the configuration options 'ubuntu-theme' and 'default-theme' must both be turned off and the option 'custom-theme' turned on.

Once the option is enabled a custom theme can be provided via a juju resource. The resource should be a .tgz file with the contents of your custom theme. If the file '' is included it will be sourced.

juju attach-resource openstack-dashboard theme=theme.tgz

Repeating the attach-resource will update the theme and turning off the custom-theme option will return to the default.


(boolean) If True enables openstack upgrades for this charm via juju actions. You will still need to set openstack-origin to the new repository but instead of an upgrade running automatically across all units, it will wait for you to execute the openstack-upgrade action for this charm on each unit. If False it will revert to existing behavior of upgrading all units on config change.
(boolean) Setting this to True will allow password form autocompletion by browser.
(int) The maximum number of objects (e.g. Swift objects or Glance images) to display on a single page before providing a paging element (a "more" link) to paginate results.
(boolean) Enable cinder backup panel.
(boolean) Use a custom theme supplied as a resource. NOTE: This setting is supported >= OpenStack Mitaka and this setting is mutually exclustive to ubuntu-theme and default-theme.
(string) This option provides a means to enable customisation modules to modify existing dashboards and panels. This is available from Liberty onwards.
(string) Database name for Horizon (if enabled).
(string) Username for Horizon database access (if enabled).
(string) Enable Django debug messages.
(boolean) The default value for the option of creating a new volume in the workflow for image and instance snapshot sources when launching an instance. This option has an effect only to Ocata or newer releases.
(string) Default domain when authenticating with Horizon. Disables the domain field in the login page.
(string) Default role for Horizon operations that will be created in Keystone upon introduction of an identity-service relation.
(string) Specify path to theme to use (relative to /usr/share/openstack-dashboard/openstack_dashboard/themes/). . NOTE: This setting is supported >= OpenStack Liberty and this setting is mutually exclusive to ubuntu-theme.
(boolean) If enabled, the reveal button for passwords is removed.
(boolean) Use DNS HA with MAAS 2.0. Note if this is set do not set vip settings below.
(int) Max dropdown items to show in dropdown controls. NOTE: This setting is supported >= OpenStack Liberty.
(boolean) By default Cinder does not enable the Consistency Groups feature. To avoid having the Consistency Groups tabs on Horizon without the feature enabled on Cinder, this also defaults to False. Setting this to True will make the Consistency Groups tabs appear on the dashboard.
(boolean) By default Horizon checks that a project has a router attached to an external network before allowing FIPs to be attached to a VM. Some use cases will not meet this constraint, e.g. if the router is owned by a different project. Setting this to False removes this check from Horizon.
(string) Specifies the endpoint types to use for endpoints in the Keystone service catalog. Valid values are 'publicURL', 'internalURL', and 'adminURL'. Both the primary and secondary endpoint types can be specified by providing multiple comma delimited values.
(boolean) If True, redirects plain http requests to https port 443. For this option to have an effect, SSL must be configured.
(string) Default network interface on which HA cluster will bind to communication with the other members of the HA Cluster.
(int) Default multicast port number that will be used to communicate between HA Cluster nodes.
(int) Client timeout configuration in ms for haproxy, used in HA configurations. If not provided, default value of 90000ms is used.
(int) Connect timeout configuration in ms for haproxy, used in HA configurations. If not provided, default value of 9000ms is used.
(int) Queue timeout configuration in ms for haproxy, used in HA configurations. If not provided, default value of 9000ms is used.
(int) Server timeout configuration in ms for haproxy, used in HA configurations. If not provided, default value of 90000ms is used.
(string) Apply system hardening. Supports a space-delimited list of modules to run. Supported modules currently include os, ssh, apache and mysql.
(int) "max-age" parameter for HSTS(HTTP Strict Transport Security) header. Use with caution since once you set this option, browsers will remember it so they can only use HTTPS (HTTP connection won't be allowed) until max-age expires. . An example value is one year (31536000). However, a shorter max-age such as 24 hours (86400) is recommended during initial rollout in case of any mistakes. For more details on HSTS, refer to: . For this option to have an effect, SSL must be configured and enforce-ssl option must be true.
(string) The image-formats setting can be used to alter the default list of advertised image formats. Many installations cannot use all the formats that Glance recognizes, restricting the list here prevents unwanted formats from being listed in Horizon which can lead to confusion. . This setting takes a space separated list, for example: iso qcow2 raw . Supported formats are: aki, ami, ari, docker, iso, ova, qcow2, raw, vdi, vhd, vmdk. . If not provided, leave the option unconfigured which enables all of the above.
(string) Parameters to pass to the nrpe plugin check_http.
-H localhost -I -u '/' -e 200,301,302
(string) Used by the nrpe-external-master subordinate charm. A string that will be prepended to instance name to set the host name in nagios. So for instance the hostname would be something like: . juju-postgresql-0 . If you're running multiple environments with the same services in them this allows you to differentiate between them.
(string) A comma-separated list of nagios servicegroups. If left empty, the nagios_context will be used as the servicegroup.
(boolean) Enable Neutron distributed virtual router (DVR) feature in the Router panel.
(boolean) Enable neutron firewall service panel.
(boolean) Enable HA (High Availability) mode in Neutron virtual router in the Router panel.
(boolean) Enable neutron load balancer service panel.
(boolean) Enable neutron vpn service panel.
(string) Use pre-generated Less compiled JS and CSS.
(string) Repository from which to install. May be one of the following: distro (default), ppa:somecustom/ppa, a deb url sources entry, or a supported Ubuntu Cloud Archive e.g. . cloud:<series>-<openstack-release> cloud:<series>-<openstack-release>/updates cloud:<series>-<openstack-release>/staging cloud:<series>-<openstack-release>/proposed . See for info on which cloud archives are available and supported. . NOTE: updating this setting to a source that is known to provide a later version of OpenStack will trigger a software upgrade unless action-managed-upgrade is set to True.
(string) The hostname or address of the public endpoints created for openstack-dashboard. . This value will be used for public endpoints. For example, an os-public-hostname set to '' with will create the following public endpoint for the swift-proxy: .
(boolean) Enable "Retrieve password" instance action.
(boolean) If True enables IPv6 support. The charm will expect network interfaces to be configured with an IPv6 address. If set to False (default) IPv4 is expected. . NOTE: these charms do not currently support IPv6 privacy extension. In order for this charm to function correctly, the privacy extension must be disabled and a non-temporary address must be configured/available on your network interface.
(string) Default profile for the dashboard. Eg. cisco.
(string) Secret for Horizon to use when securing internal data; set this when using multiple dashboard units.
(int) A method to supersede the token timeout with a shorter dashboard session timeout in seconds. For example, if your token expires in 60 minutes, a value of 1800 will log users out after 30 minutes.
(string) Base64-encoded certificate authority. This CA is used in conjunction with keystone https endpoints and must, therefore, be the same CA used by any endpoint configured as https/ssl.
(string) Base64-encoded SSL certificate to install and use for Horizon. . juju set openstack-dashboard ssl_cert="$(cat cert| base64)" \ ssl_key="$(cat key| base64)"
(string) Base64-encoded SSL key to use with certificate specified as ssl_cert.
(string) Use Ubuntu theme for the dashboard.
(boolean) Setting this to True will allow supporting services to log to syslog.
(string) Virtual IP to use to front openstack dashboard ha configuration.
(int) Default CIDR netmask to use for HA vip when it cannot be automatically determined.
(string) Default network interface to use for HA vip when it cannot be automatically determined.
(string) Directory where application will be accessible, relative to http://$hostname/.
(float) The CPU core multiplier to use when configuring worker processes for Horizon. By default, the number of workers for each daemon is set to twice the number of CPU cores a service unit has. When deployed in a LXD container, this default value will be capped to 4 workers unless this configuration option is set.