Chapter 13. Deploying the Dashboard (Horizon)

The Horizon dashboard provides a web browser accessible interface to an OpenStack environment. It allows users and administrators of the environment to interact with and manage the various functional components without having to install any local client tools other than a web browser.

13.1. Installing Horizon

To install the Horizon dashboard and prepare it for use you must:
  • Install the openstack-dashboard package.
  • Create a Member role in Keystone.
  • Start the httpd service.
  • Configure SELinux to allow the httpd service to make outbound network connections, allowing it to connect to the Keystone server.
  • Configure the firewall to allow incoming connections to the httpd service.
Unless otherwise noted all steps in this procedure must be performed while logged in as the root user or a user with sudo access.

Procedure 13.1. Installing Horizon

  1. Installing the openstack-dashboard Package

    Use yum install to install the openstack-dashboard package.
    $ sudo yum install -y openstack-dashboard

    Important

    Users access the dashboard using HTTP in the default configuration. For security reasons it is recommended that HTTPS is enabled and used to encrypt communications with the dashboard. To support HTTPS you must install the mod_ssl package.
    $ sudo yum install -y mod_ssl
  2. Creating a Member Role in Keystone

    Horizon requires a Keystone role named the Member role. You must create this role in Keystone prior to using the dashboard.
    1. Log in to the system on which your keystonerc_admin file resides and authenticate as the Keystone administrator.
      $ source ~/keystonerc_admin
    2. Use the keystone role-create command to create the Member role.
      $ keystone role-create --name Member
      +----------+----------------------------------+
      | Property |              Value               |
      +----------+----------------------------------+
      | id       | 8261ac4eabcc4da4b01610dbad6c038a |
      | name     |              Member              |
      +----------+----------------------------------+

    Note

    To configure Horizon to use a role other than the Member role change the value of the OPENSTACK_KEYSTONE_DEFAULT_ROLE configuration key.
    The OPENSTACK_KEYSTONE_DEFAULT_ROLE configuration key is stored in the /etc/openstack-dashboard/local_settings file.
    The httpd service must be restarted for the change to take effect.
  3. Configuring httpd

    1. Use the service command to start the httpd service.
      $ sudo service httpd start
    2. Use the chkconfig command to ensure the httpd service starts automatically in future.
      $ sudo chkconfig httpd on
  4. Configuring SELinux

    Use the getenforce command to check the status of SELinux on the system. Possible return values are Enforcing, Permissive, and Disabled.
    $ getenforce
    Enforcing
    If SELinux is configured in Enforcing mode then you must modify the SELinux policy to allow connections from the httpd service to the Keystone server. This is also recommended if SELinux is configured in Permissive mode.
    Use the setsebool command to modify the SELinux policy to allow the httpd service to connect to the Keystone server.
    $ sudo setsebool -P httpd_can_network_connect on
  5. Configuring the Firewall

    To allow users to connect to the dashboard you must configure the system firewall to allow connections. The httpd service, and the dashboard, support both HTTP and HTTPS connections. To protect authentication credentials and other data it is highly recommended that you only enable HTTPS connections.
    • Allowing HTTPS Connections (Recommended)

      Allow incoming connections to Horizon using HTTPS by adding this firewall rule to the /etc/sysconfig/iptables configuration file:
      -A INPUT -p tcp -m multiport --dports 443 -j ACCEPT
    • Allowing HTTP Connections

      Allow incoming connections to Horizon using HTTP by adding this firewall rule to the /etc/sysconfig/iptables configuration file:
      -A INPUT -p tcp -m multiport --dports 80 -j ACCEPT

    Important

    These rules allow communication from all remote hosts to the system running the Horizon services on ports 80 or 443. For information regarding the creation of more restrictive firewall rules refer to the Red Hat Enterprise Linux 6 Security Guide.
    You must restart the iptables service for the changes to take effect.
    $ sudo service iptables restart
You have successfully installed the Horizon dashboard. Use your browser to open the appropriate link for your configuration to access the dashboard for the first time. Replace HOSTNAME with the host name or IP address of the server on which you installed Horizon:
HTTPS:
https://HOSTNAME/dashboard/
HTTP:
http://HOSTNAME/dashboard/
When prompted log in using the credentials of your OpenStack user. Refer to Chapter 7, Deploying Identity Services (Keystone) for information on creating an OpenStack user.

Figure 13.1. The Horizon dashboard login page
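The following check is an added example, not part of the original guide: it audits rules in the /etc/sysconfig/iptables format from the firewall step above and reports whether the dashboard is reachable over cleartext HTTP or from any source address. The function names, the finding labels, and the 192.0.2.0/24 management network are assumptions made for illustration; port ranges such as 80:443 are not expanded.

```shell
#!/bin/sh
# Audit iptables rules (read from stdin or a file argument) for the dashboard ports.
# Prints one finding per line:
#   http-open        an ACCEPT rule admits port 80 (credentials sent in cleartext)
#   https-missing    no ACCEPT rule admits port 443
#   any-source:PORT  the ACCEPT rule for PORT has no -s/--source restriction
audit_dashboard_rules() {
    awk '
    $1 == "-A" && $2 == "INPUT" {
        accept = 0; tcp = 0; src = 0; ports = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "-j" && $(i+1) == "ACCEPT") accept = 1
            if ($i == "-p" && $(i+1) == "tcp") tcp = 1
            if ($i == "-s" || $i == "--source") src = 1
            if ($i == "--dport" || $i == "--dports") ports = $(i+1)
        }
        if (!accept || !tcp || ports == "") next
        n = split(ports, p, ",")
        for (k = 1; k <= n; k++) {
            if (p[k] != "80" && p[k] != "443") continue
            seen[p[k]] = 1
            if (!src) open[p[k]] = 1
        }
    }
    END {
        if (seen["80"]) print "http-open"
        if (!seen["443"]) print "https-missing"
        if (open["80"]) print "any-source:80"
        if (open["443"]) print "any-source:443"
    }' "$@"
}

# The two rules exactly as given in the procedure (both ports, any source).
page_rules() {
    cat <<'EOF'
-A INPUT -p tcp -m multiport --dports 443 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80 -j ACCEPT
EOF
}

# Constructed restrictive variant: HTTPS only, from an assumed management network.
hardened_rules() {
    cat <<'EOF'
-A INPUT -p tcp -s 192.0.2.0/24 -m multiport --dports 443 -j ACCEPT
EOF
}

echo "Rules from the procedure:"; page_rules | audit_dashboard_rules
echo "Restrictive variant:";      hardened_rules | audit_dashboard_rules
```

On a deployed system, run `sudo sh -c '. ./audit.sh; audit_dashboard_rules /etc/sysconfig/iptables'` (script file name assumed) after restarting the iptables service; no output means only source-restricted HTTPS is admitted.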