Make Horizon Dashboard settings operator overrideable.

We want to allow operators to override Horizon's default settings. This involves moving local_settings.d out of the read only snap filesystem, and into $SNAP_COMMON. This is a little bit tricky. First, we patch settings.py and local_settings.py as we're building the snap, to include a LOCAL_PATH in $SNAP_COMMON. Then, we add a template with the rest of our default overrides, and write it out to $SNAP_COMMON/horizon/local_settings.d Finally we tweak our tests so that we can give our overrides a spin. As a bonus, this makes test_horizonglogin.py a lot easier to run in our multipass testing scenario! `tox -e basic` now also runs selenium tests, as well. Change-Id: Ic0ce18cfa1b97a93191da749095d8aa2270d5aeb
2019-09-18 10:31:54 +00:00 · 2019-09-18 10:31:54 +00:00 · 73d39dc8ce
parent c5f679a673
commit 73d39dc8ce
11 changed files with 138 additions and 936 deletions
--- a/patches/horizon/0001-Added-SNAP_COMMON-pathing.patch
+++ b/patches/horizon/0001-Added-SNAP_COMMON-pathing.patch
@ -0,0 +1,66 @@
 From 4d90b94a0a4ce3e7e69507c2c25a6981336c66a1 Mon Sep 17 00:00:00 2001
 From: Pete Vander Giessen <pete.vandergiessen@canonical.com>
 Date: Thu, 19 Sep 2019 13:18:50 +0000
 Subject: [PATCH] Added SNAP_COMMON pathing
 ---
 lib/python3.6/site-packages/openstack_dashboard/local/local_settings.py | 4 +++-
 openstack_dashboard/settings.py                     | 6 ++++--
 2 files changed, 7 insertions(+), 3 deletions(-)
 diff --git a/lib/python3.6/site-packages/openstack_dashboard/local/local_settings.py b/lib/python3.6/site-packages/openstack_dashboard/local/local_settings.py
 index 5f1ab10cc..cef4e9485 100644
 --- a/lib/python3.6/site-packages/openstack_dashboard/local/local_settings.py
 +++ b/lib/python3.6/site-packages/openstack_dashboard/local/local_settings.py
@@ -10,6 +10,8 @@ from openstack_dashboard.settings import HORIZON_CONFIG
 DEBUG = True
 +SNAP_COMMON = os.environ['SNAP_COMMON']
 +
 # This setting controls whether or not compression is enabled. Disabling
 # compression makes Horizon considerably slower, but makes it much easier
 # to debug JS and CSS changes
@@ -62,7 +64,7 @@ DEBUG = True
 # including on the login form.
 #HORIZON_CONFIG["disable_password_reveal"] = False
 -LOCAL_PATH = os.path.dirname(os.path.abspath(__file__))
 +LOCAL_PATH = "{}/etc/horizon".format(SNAP_COMMON)
 # Set custom secret key:
 # You can either set it to a specific value or you can let horizon generate a
 diff --git a/openstack_dashboard/settings.py b/openstack_dashboard/settings.py
 index 02cd17ef3..69380f460 100644
 --- a/lib/python3.6/site-packages/openstack_dashboard/settings.py
 +++ b/lib/python3.6/site-packages/openstack_dashboard/settings.py
@@ -55,6 +55,8 @@ if ROOT_PATH not in sys.path:
 DEBUG = False
 +SNAP_COMMON = os.environ['SNAP_COMMON']
 +
 ROOT_URLCONF = 'openstack_dashboard.urls'
 HORIZON_CONFIG = {
@@ -216,7 +218,7 @@ USE_TZ = True
 DEFAULT_EXCEPTION_REPORTER_FILTER = 'horizon.exceptions.HorizonReporterFilter'
 SECRET_KEY = None
 -LOCAL_PATH = None
 +LOCAL_PATH = "{}/etc/horizon".format(SNAP_COMMON)
 ADD_INSTALLED_APPS = []
@@ -265,7 +267,7 @@ else:
     )
 # allow to drop settings snippets into a local_settings_dir
 -LOCAL_SETTINGS_DIR_PATH = os.path.join(ROOT_PATH, "local", "local_settings.d")
 +LOCAL_SETTINGS_DIR_PATH = os.path.join(LOCAL_PATH, "local_settings.d")
 if os.path.exists(LOCAL_SETTINGS_DIR_PATH):
     for (dirpath, dirnames, filenames) in os.walk(LOCAL_SETTINGS_DIR_PATH):
         for filename in sorted(filenames):
 -- 
 2.17.1
--- a/snap-overlay/lib/python3.6/site-packages/openstack_dashboard/local/local_settings.py
+++ b/snap-overlay/lib/python3.6/site-packages/openstack_dashboard/local/local_settings.py
@ -1,917 +0,0 @@
 # -*- coding: utf-8 -*-
 import os
 from django.utils.translation import ugettext_lazy as _
 from horizon.utils import secret_key
 from openstack_dashboard.settings import HORIZON_CONFIG
 DEBUG = False
 # This setting controls whether or not compression is enabled. Disabling
 # compression makes Horizon considerably slower, but makes it much easier
 # to debug JS and CSS changes
 #COMPRESS_ENABLED = not DEBUG
 # This setting controls whether compression happens on the fly, or offline
 # with `python manage.py compress`
 # See https://django-compressor.readthedocs.io/en/latest/usage/#offline-compression
 # for more information
 #COMPRESS_OFFLINE = not DEBUG
 # WEBROOT is the location relative to Webserver root
 # should end with a slash.
 WEBROOT = '/'
 #LOGIN_URL = WEBROOT + 'auth/login/'
 #LOGOUT_URL = WEBROOT + 'auth/logout/'
 #LOGIN_ERROR = WEBROOT + 'auth/error/'
 #
 # LOGIN_REDIRECT_URL can be used as an alternative for
 # HORIZON_CONFIG.user_home, if user_home is not set.
 # Do not set it to '/home/', as this will cause circular redirect loop
 #LOGIN_REDIRECT_URL = WEBROOT
 # If horizon is running in production (DEBUG is False), set this
 # with the list of host/domain names that the application can serve.
 # For more information see:
 # https://docs.djangoproject.com/en/dev/ref/settings/#allowed-hosts
 #ALLOWED_HOSTS = '*'
 # Set SSL proxy settings:
 # Pass this header from the proxy after terminating the SSL,
 # and don't forget to strip it from the client's request.
 # For more information see:
 # https://docs.djangoproject.com/en/dev/ref/settings/#secure-proxy-ssl-header
 #SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
 # If Horizon is being served through SSL, then uncomment the following two
 # settings to better secure the cookies from security exploits
 #CSRF_COOKIE_SECURE = True
 #SESSION_COOKIE_SECURE = True
 # The absolute path to the directory where message files are collected.
 # The message file must have a .json file extension. When the user logins to
 # horizon, the message files collected are processed and displayed to the user.
 #MESSAGES_PATH=None
 # Overrides for OpenStack API versions. Use this setting to force the
 # OpenStack dashboard to use a specific API version for a given service API.
 # Versions specified here should be integers or floats, not strings.
 # NOTE: The version should be formatted as it appears in the URL for the
 # service API. For example, The identity service APIs have inconsistent
 # use of the decimal point, so valid options would be 2.0 or 3.
 # Minimum compute version to get the instance locked status is 2.9.
 #OPENSTACK_API_VERSIONS = {
 #    "identity": 3,
 #    "image": 2,
 #    "volume": 3,
 #    "compute": 2,
 #}
 # Set this to True if running on a multi-domain model. When this is enabled, it
 # will require the user to enter the Domain name in addition to the username
 # for login.
 #OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = False
 # Set this to True if you want available domains displayed as a dropdown menu
 # on the login screen. It is strongly advised NOT to enable this for public
 # clouds, as advertising enabled domains to unauthenticated customers
 # irresponsibly exposes private information. This should only be used for
 # private clouds where the dashboard sits behind a corporate firewall.
 #OPENSTACK_KEYSTONE_DOMAIN_DROPDOWN = False
 # If OPENSTACK_KEYSTONE_DOMAIN_DROPDOWN is enabled, this option can be used to
 # set the available domains to choose from. This is a list of pairs whose first
 # value is the domain name and the second is the display name.
 #OPENSTACK_KEYSTONE_DOMAIN_CHOICES = (
 #  ('Default', 'Default'),
 #)
 # Overrides the default domain used when running on single-domain model
 # with Keystone V3. All entities will be created in the default domain.
 # NOTE: This value must be the name of the default domain, NOT the ID.
 # Also, you will most likely have a value in the keystone policy file like this
 #    "cloud_admin": "rule:admin_required and domain_id:<your domain id>"
 # This value must be the name of the domain whose ID is specified there.
 #OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = 'Default'
 # Set this to True to enable panels that provide the ability for users to
 # manage Identity Providers (IdPs) and establish a set of rules to map
 # federation protocol attributes to Identity API attributes.
 # This extension requires v3.0+ of the Identity API.
 #OPENSTACK_KEYSTONE_FEDERATION_MANAGEMENT = False
 # Set Console type:
 # valid options are "AUTO"(default), "VNC", "SPICE", "RDP", "SERIAL", "MKS"
 # or None. Set to None explicitly if you want to deactivate the console.
 #CONSOLE_TYPE = "AUTO"
 # Toggle showing the openrc file for Keystone V2.
 # If set to false the link will be removed from the user dropdown menu
 # and the API Access page
 #SHOW_KEYSTONE_V2_RC = False
 # Controls whether the keystone openrc file is accesible from the user
 # menu and the api access panel.
 SHOW_OPENRC_FILE = True
 # Controls whether clouds.yaml is accesible from the user
 # menu and the api access panel.
 SHOW_OPENSTACK_CLOUDS_YAML = True
 # If provided, a "Report Bug" link will be displayed in the site header
 # which links to the value of this setting (ideally a URL containing
 # information on how to report issues).
 #HORIZON_CONFIG["bug_url"] = "http://bug-report.example.com"
 # Show backdrop element outside the modal, do not close the modal
 # after clicking on backdrop.
 #HORIZON_CONFIG["modal_backdrop"] = "static"
 # Specify a regular expression to validate user passwords.
 #HORIZON_CONFIG["password_validator"] = {
 #    "regex": '.*',
 #    "help_text": _("Your password does not meet the requirements."),
 #}
 # Turn off browser autocompletion for forms including the login form and
 # the database creation workflow if so desired.
 #HORIZON_CONFIG["password_autocomplete"] = "off"
 # Setting this to True will disable the reveal button for password fields,
 # including on the login form.
 #HORIZON_CONFIG["disable_password_reveal"] = False
 #LOCAL_PATH = os.path.dirname(os.path.abspath(__file__))
 # Set custom secret key:
 # You can either set it to a specific value or you can let horizon generate a
 # default secret key that is unique on this machine, e.i. regardless of the
 # amount of Python WSGI workers (if used behind Apache+mod_wsgi): However,
 # there may be situations where you would want to set this explicitly, e.g.
 # when multiple dashboard instances are distributed on different machines
 # (usually behind a load-balancer). Either you have to make sure that a session
 # gets all requests routed to the same dashboard instance or you set the same
 # SECRET_KEY for all of them.
 #SECRET_KEY = secret_key.generate_or_read_from_file(
 #    os.path.join(LOCAL_PATH, '.secret_key_store'))
 # We recommend you use memcached for development; otherwise after every reload
 # of the django development server, you will have to login again. To use
 # memcached set CACHES to something like below.
 # For more information, see
 # https://docs.djangoproject.com/en/1.11/topics/http/sessions/.
 #CACHES = {
 #    'default': {
 #        'BACKEND': 'django.core.cache.backends.locmem.LocMemCache',
 #    },
 #}
 # If you use ``tox -e runserver`` for developments,then configure
 # SESSION_ENGINE to django.contrib.sessions.backends.signed_cookies
 # as shown below:
 #SESSION_ENGINE = 'django.contrib.sessions.backends.signed_cookies'
 # Send email to the console by default
 EMAIL_BACKEND = 'django.core.mail.backends.console.EmailBackend'
 # Or send them to /dev/null
 #EMAIL_BACKEND = 'django.core.mail.backends.dummy.EmailBackend'
 # Configure these for your outgoing email host
 #EMAIL_HOST = 'smtp.my-company.com'
 #EMAIL_PORT = 25
 #EMAIL_HOST_USER = 'djangomail'
 #EMAIL_HOST_PASSWORD = 'top-secret!'
 # For multiple regions uncomment this configuration, and add (endpoint, title).
 #AVAILABLE_REGIONS = [
 #    ('http://cluster1.example.com:5000/v3', 'cluster1'),
 #    ('http://cluster2.example.com:5000/v3', 'cluster2'),
 #]
 OPENSTACK_HOST = "127.0.0.1"
 OPENSTACK_KEYSTONE_URL = "http://%s:5000/v3" % OPENSTACK_HOST
 OPENSTACK_KEYSTONE_DEFAULT_ROLE = "_member_"
 # For setting the default service region on a per-endpoint basis. Note that the
 # default value for this setting is {}, and below is just an example of how it
 # should be specified.
 # A key of '*' is an optional global default if no other key matches.
 #DEFAULT_SERVICE_REGIONS = {
 #    '*': 'microstack'
 #    OPENSTACK_KEYSTONE_URL: 'RegionTwo'
 #}
 # Enables keystone web single-sign-on if set to True.
 #WEBSSO_ENABLED = False
 # Authentication mechanism to be selected as default.
 # The value must be a key from WEBSSO_CHOICES.
 #WEBSSO_INITIAL_CHOICE = "credentials"
 # The list of authentication mechanisms which include keystone
 # federation protocols and identity provider/federation protocol
 # mapping keys (WEBSSO_IDP_MAPPING). Current supported protocol
 # IDs are 'saml2' and 'oidc'  which represent SAML 2.0, OpenID
 # Connect respectively.
 # Do not remove the mandatory credentials mechanism.
 # Note: The last two tuples are sample mapping keys to a identity provider
 # and federation protocol combination (WEBSSO_IDP_MAPPING).
 #WEBSSO_CHOICES = (
 #    ("credentials", _("Keystone Credentials")),
 #    ("oidc", _("OpenID Connect")),
 #    ("saml2", _("Security Assertion Markup Language")),
 #    ("acme_oidc", "ACME - OpenID Connect"),
 #    ("acme_saml2", "ACME - SAML2"),
 #)
 # A dictionary of specific identity provider and federation protocol
 # combinations. From the selected authentication mechanism, the value
 # will be looked up as keys in the dictionary. If a match is found,
 # it will redirect the user to a identity provider and federation protocol
 # specific WebSSO endpoint in keystone, otherwise it will use the value
 # as the protocol_id when redirecting to the WebSSO by protocol endpoint.
 # NOTE: The value is expected to be a tuple formatted as: (<idp_id>, <protocol_id>).
 #WEBSSO_IDP_MAPPING = {
 #    "acme_oidc": ("acme", "oidc"),
 #    "acme_saml2": ("acme", "saml2"),
 #}
 # Enables redirection on login to the identity provider defined on
 # WEBSSO_DEFAULT_REDIRECT_PROTOCOL and WEBSSO_DEFAULT_REDIRECT_REGION
 #WEBSSO_DEFAULT_REDIRECT = False
 # Specifies the protocol to use for default redirection on login
 #WEBSSO_DEFAULT_REDIRECT_PROTOCOL = None
 # Specifies the region to which the connection will be established on login
 #WEBSSO_DEFAULT_REDIRECT_REGION = OPENSTACK_KEYSTONE_URL
 # Enables redirection on logout to the method specified on the identity provider.
 # Once logout the client will be redirected to the address specified in this
 # variable.
 #WEBSSO_DEFAULT_REDIRECT_LOGOUT = None
 # If set this URL will be used for web single-sign-on authentication
 # instead of OPENSTACK_KEYSTONE_URL. This is needed in the deployment
 # scenarios where network segmentation is used per security requirement.
 # In this case, the controllers are not reachable from public network.
 # Therefore, user's browser will not be able to access OPENSTACK_KEYSTONE_URL
 # if it is set to the internal endpoint.
 #WEBSSO_KEYSTONE_URL = "http://keystone-public.example.com/v3"
 # The Keystone Provider drop down uses Keystone to Keystone federation
 # to switch between Keystone service providers.
 # Set display name for Identity Provider (dropdown display name)
 #KEYSTONE_PROVIDER_IDP_NAME = "Local Keystone"
 # This id is used for only for comparison with the service provider IDs. This ID
 # should not match any service provider IDs.
 #KEYSTONE_PROVIDER_IDP_ID = "localkeystone"
 # Disable SSL certificate checks (useful for self-signed certificates):
 #OPENSTACK_SSL_NO_VERIFY = True
 # The CA certificate to use to verify SSL connections
 #OPENSTACK_SSL_CACERT = '/path/to/cacert.pem'
 # The OPENSTACK_KEYSTONE_BACKEND settings can be used to identify the
 # capabilities of the auth backend for Keystone.
 # If Keystone has been configured to use LDAP as the auth backend then set
 # can_edit_user to False and name to 'ldap'.
 #
 # TODO(tres): Remove these once Keystone has an API to identify auth backend.
 OPENSTACK_KEYSTONE_BACKEND = {
    'name': 'native',
    'can_edit_user': True,
    'can_edit_group': True,
    'can_edit_project': True,
    'can_edit_domain': True,
    'can_edit_role': True,
 }
 # Setting this to True, will add a new "Retrieve Password" action on instance,
 # allowing Admin session password retrieval/decryption.
 #OPENSTACK_ENABLE_PASSWORD_RETRIEVE = False
 # The Launch Instance user experience has been significantly enhanced.
 # You can choose whether to enable the new launch instance experience,
 # the legacy experience, or both. The legacy experience will be removed
 # in a future release, but is available as a temporary backup setting to ensure
 # compatibility with existing deployments. Further development will not be
 # done on the legacy experience. Please report any problems with the new
 # experience via the Launchpad tracking system.
 #
 # Toggle LAUNCH_INSTANCE_LEGACY_ENABLED and LAUNCH_INSTANCE_NG_ENABLED to
 # determine the experience to enable.  Set them both to true to enable
 # both.
 #LAUNCH_INSTANCE_LEGACY_ENABLED = True
 #LAUNCH_INSTANCE_NG_ENABLED = False
 # A dictionary of settings which can be used to provide the default values for
 # properties found in the Launch Instance modal.
 #LAUNCH_INSTANCE_DEFAULTS = {
 #    'config_drive': False,
 #    'enable_scheduler_hints': True,
 #    'disable_image': False,
 #    'disable_instance_snapshot': False,
 #    'disable_volume': False,
 #    'disable_volume_snapshot': False,
 #    'create_volume': True,
 #}
 # The Xen Hypervisor has the ability to set the mount point for volumes
 # attached to instances (other Hypervisors currently do not). Setting
 # can_set_mount_point to True will add the option to set the mount point
 # from the UI.
 OPENSTACK_HYPERVISOR_FEATURES = {
    'can_set_mount_point': False,
    'can_set_password': False,
    'requires_keypair': False,
    'enable_quotas': True
 }
 # This settings controls whether IP addresses of servers are retrieved from
 # neutron in the project instance table. Setting this to ``False`` may mitigate
 # a performance issue in the project instance table in large deployments.
 #OPENSTACK_INSTANCE_RETRIEVE_IP_ADDRESSES = True
 # The OPENSTACK_CINDER_FEATURES settings can be used to enable optional
 # services provided by cinder that is not exposed by its extension API.
 OPENSTACK_CINDER_FEATURES = {
    'enable_backup': False,
 }
 # The OPENSTACK_NEUTRON_NETWORK settings can be used to enable optional
 # services provided by neutron. Options currently available are load
 # balancer service, security groups, quotas, VPN service.
 OPENSTACK_NEUTRON_NETWORK = {
    'enable_router': True,
    'enable_quotas': True,
    'enable_ipv6': True,
    'enable_distributed_router': False,
    'enable_ha_router': False,
    'enable_fip_topology_check': True,
    # Default dns servers you would like to use when a subnet is
    # created.  This is only a default, users can still choose a different
    # list of dns servers when creating a new subnet.
    # The entries below are examples only, and are not appropriate for
    # real deployments
    # 'default_dns_nameservers': ["8.8.8.8", "8.8.4.4", "208.67.222.222"],
    # Set which provider network types are supported. Only the network types
    # in this list will be available to choose from when creating a network.
    # Network types include local, flat, vlan, gre, vxlan and geneve.
    # 'supported_provider_types': ['*'],
    # You can configure available segmentation ID range per network type
    # in your deployment.
    # 'segmentation_id_range': {
    #     'vlan': [1024, 2048],
    #     'vxlan': [4094, 65536],
    # },
    # You can define additional provider network types here.
    # 'extra_provider_types': {
    #     'awesome_type': {
    #         'display_name': 'Awesome New Type',
    #         'require_physical_network': False,
    #         'require_segmentation_id': True,
    #     }
    # },
    # Set which VNIC types are supported for port binding. Only the VNIC
    # types in this list will be available to choose from when creating a
    # port.
    # VNIC types include 'normal', 'direct', 'direct-physical', 'macvtap',
    # 'baremetal' and 'virtio-forwarder'
    # Set to empty list or None to disable VNIC type selection.
    'supported_vnic_types': ['*'],
    # Set list of available physical networks to be selected in the physical
    # network field on the admin create network modal. If it's set to an empty
    # list, the field will be a regular input field.
    # e.g. ['default', 'test']
    'physical_networks': [],
 }
 # The OPENSTACK_HEAT_STACK settings can be used to disable password
 # field required while launching the stack.
 OPENSTACK_HEAT_STACK = {
    'enable_user_pass': True,
 }
 # The OPENSTACK_IMAGE_BACKEND settings can be used to customize features
 # in the OpenStack Dashboard related to the Image service, such as the list
 # of supported image formats.
 #OPENSTACK_IMAGE_BACKEND = {
 #    'image_formats': [
 #        ('', _('Select format')),
 #        ('aki', _('AKI - Amazon Kernel Image')),
 #        ('ami', _('AMI - Amazon Machine Image')),
 #        ('ari', _('ARI - Amazon Ramdisk Image')),
 #        ('docker', _('Docker')),
 #        ('iso', _('ISO - Optical Disk Image')),
 #        ('ova', _('OVA - Open Virtual Appliance')),
 #        ('qcow2', _('QCOW2 - QEMU Emulator')),
 #        ('raw', _('Raw')),
 #        ('vdi', _('VDI - Virtual Disk Image')),
 #        ('vhd', _('VHD - Virtual Hard Disk')),
 #        ('vhdx', _('VHDX - Large Virtual Hard Disk')),
 #        ('vmdk', _('VMDK - Virtual Machine Disk')),
 #    ],
 #}
 # The IMAGE_CUSTOM_PROPERTY_TITLES settings is used to customize the titles for
 # image custom property attributes that appear on image detail pages.
 IMAGE_CUSTOM_PROPERTY_TITLES = {
    "architecture": _("Architecture"),
    "kernel_id": _("Kernel ID"),
    "ramdisk_id": _("Ramdisk ID"),
    "image_state": _("Euca2ools state"),
    "project_id": _("Project ID"),
    "image_type": _("Image Type"),
 }
 # The IMAGE_RESERVED_CUSTOM_PROPERTIES setting is used to specify which image
 # custom properties should not be displayed in the Image Custom Properties
 # table.
 IMAGE_RESERVED_CUSTOM_PROPERTIES = []
 # Set to 'legacy' or 'direct' to allow users to upload images to glance via
 # Horizon server. When enabled, a file form field will appear on the create
 # image form. If set to 'off', there will be no file form field on the create
 # image form. See documentation for deployment considerations.
 #HORIZON_IMAGES_UPLOAD_MODE = 'legacy'
 # Allow a location to be set when creating or updating Glance images.
 # If using Glance V2, this value should be False unless the Glance
 # configuration and policies allow setting locations.
 #IMAGES_ALLOW_LOCATION = False
 # A dictionary of default settings for create image modal.
 #CREATE_IMAGE_DEFAULTS = {
 #    'image_visibility': "public",
 #}
 # OPENSTACK_ENDPOINT_TYPE specifies the endpoint type to use for the endpoints
 # in the Keystone service catalog. Use this setting when Horizon is running
 # external to the OpenStack environment. The default is 'publicURL'.
 #OPENSTACK_ENDPOINT_TYPE = "publicURL"
 # SECONDARY_ENDPOINT_TYPE specifies the fallback endpoint type to use in the
 # case that OPENSTACK_ENDPOINT_TYPE is not present in the endpoints
 # in the Keystone service catalog. Use this setting when Horizon is running
 # external to the OpenStack environment. The default is None. This
 # value should differ from OPENSTACK_ENDPOINT_TYPE if used.
 #SECONDARY_ENDPOINT_TYPE = None
 # The number of objects (Swift containers/objects or images) to display
 # on a single page before providing a paging element (a "more" link)
 # to paginate results.
 API_RESULT_LIMIT = 1000
 API_RESULT_PAGE_SIZE = 20
 # The size of chunk in bytes for downloading objects from Swift
 SWIFT_FILE_TRANSFER_CHUNK_SIZE = 512 * 1024
 # The default number of lines displayed for instance console log.
 INSTANCE_LOG_LENGTH = 35
 # Specify a maximum number of items to display in a dropdown.
 DROPDOWN_MAX_ITEMS = 30
 # The timezone of the server. This should correspond with the timezone
 # of your entire OpenStack installation, and hopefully be in UTC.
 TIME_ZONE = "UTC"
 # When launching an instance, the menu of available flavors is
 # sorted by RAM usage, ascending. If you would like a different sort order,
 # you can provide another flavor attribute as sorting key. Alternatively, you
 # can provide a custom callback method to use for sorting. You can also provide
 # a flag for reverse sort. For more info, see
 # http://docs.python.org/2/library/functions.html#sorted
 #CREATE_INSTANCE_FLAVOR_SORT = {
 #    'key': 'name',
 #     # or
 #    'key': my_awesome_callback_method,
 #    'reverse': False,
 #}
 # Set this to True to display an 'Admin Password' field on the Change Password
 # form to verify that it is indeed the admin logged-in who wants to change
 # the password.
 #ENFORCE_PASSWORD_CHECK = False
 # Modules that provide /auth routes that can be used to handle different types
 # of user authentication. Add auth plugins that require extra route handling to
 # this list.
 #AUTHENTICATION_URLS = [
 #    'openstack_auth.urls',
 #]
 # The Horizon Policy Enforcement engine uses these values to load per service
 # policy rule files. The content of these files should match the files the
 # OpenStack services are using to determine role based access control in the
 # target installation.
 # Path to directory containing policy.json files
 #POLICY_FILES_PATH = os.path.join(ROOT_PATH, "conf")
 # Map of local copy of service policy files.
 # Please insure that your identity policy file matches the one being used on
 # your keystone servers. There is an alternate policy file that may be used
 # in the Keystone v3 multi-domain case, policy.v3cloudsample.json.
 # This file is not included in the Horizon repository by default but can be
 # found at
 # http://git.openstack.org/cgit/openstack/keystone/tree/etc/ \
 # policy.v3cloudsample.json
 # Having matching policy files on the Horizon and Keystone servers is essential
 # for normal operation. This holds true for all services and their policy files.
 #POLICY_FILES = {
 #    'identity': 'keystone_policy.json',
 #    'compute': 'nova_policy.json',
 #    'volume': 'cinder_policy.json',
 #    'image': 'glance_policy.json',
 #    'network': 'neutron_policy.json',
 #}
 # Change this patch to the appropriate list of tuples containing
 # a key, label and static directory containing two files:
 # _variables.scss and _styles.scss
 #AVAILABLE_THEMES = [
 #    ('default', 'Default', 'themes/default'),
 #    ('material', 'Material', 'themes/material'),
 #    ('example', 'Example', 'themes/example'),
 #]
 LOGGING = {
    'version': 1,
    # When set to True this will disable all logging except
    # for loggers specified in this configuration dictionary. Note that
    # if nothing is specified here and disable_existing_loggers is True,
    # django.db.backends will still log unless it is disabled explicitly.
    'disable_existing_loggers': False,
    # If apache2 mod_wsgi is used to deploy OpenStack dashboard
    # timestamp is output by mod_wsgi. If WSGI framework you use does not
    # output timestamp for logging, add %(asctime)s in the following
    # format definitions.
    'formatters': {
        'console': {
            'format': '%(levelname)s %(name)s %(message)s'
        },
        'operation': {
            # The format of "%(message)s" is defined by
            # OPERATION_LOG_OPTIONS['format']
            'format': '%(message)s'
        },
    },
    'handlers': {
        'null': {
            'level': 'DEBUG',
            'class': 'logging.NullHandler',
        },
        'console': {
            # Set the level to "DEBUG" for verbose output logging.
            'level': 'INFO',
            'class': 'logging.StreamHandler',
            'formatter': 'console',
        },
        'operation': {
            'level': 'INFO',
            'class': 'logging.StreamHandler',
            'formatter': 'operation',
        },
    },
    'loggers': {
        'horizon': {
            'handlers': ['console'],
            'level': 'DEBUG',
            'propagate': False,
        },
        'horizon.operation_log': {
            'handlers': ['operation'],
            'level': 'INFO',
            'propagate': False,
        },
        'openstack_dashboard': {
            'handlers': ['console'],
            'level': 'DEBUG',
            'propagate': False,
        },
        'novaclient': {
            'handlers': ['console'],
            'level': 'DEBUG',
            'propagate': False,
        },
        'cinderclient': {
            'handlers': ['console'],
            'level': 'DEBUG',
            'propagate': False,
        },
        'keystoneauth': {
            'handlers': ['console'],
            'level': 'DEBUG',
            'propagate': False,
        },
        'keystoneclient': {
            'handlers': ['console'],
            'level': 'DEBUG',
            'propagate': False,
        },
        'glanceclient': {
            'handlers': ['console'],
            'level': 'DEBUG',
            'propagate': False,
        },
        'neutronclient': {
            'handlers': ['console'],
            'level': 'DEBUG',
            'propagate': False,
        },
        'swiftclient': {
            'handlers': ['console'],
            'level': 'DEBUG',
            'propagate': False,
        },
        'oslo_policy': {
            'handlers': ['console'],
            'level': 'DEBUG',
            'propagate': False,
        },
        'openstack_auth': {
            'handlers': ['console'],
            'level': 'DEBUG',
            'propagate': False,
        },
        'django': {
            'handlers': ['console'],
            'level': 'DEBUG',
            'propagate': False,
        },
        # Logging from django.db.backends is VERY verbose, send to null
        # by default.
        'django.db.backends': {
            'handlers': ['null'],
            'propagate': False,
        },
        'requests': {
            'handlers': ['null'],
            'propagate': False,
        },
        'urllib3': {
            'handlers': ['null'],
            'propagate': False,
        },
        'chardet.charsetprober': {
            'handlers': ['null'],
            'propagate': False,
        },
        'iso8601': {
            'handlers': ['null'],
            'propagate': False,
        },
        'scss': {
            'handlers': ['null'],
            'propagate': False,
        },
    },
 }
 # 'direction' should not be specified for all_tcp/udp/icmp.
 # It is specified in the form.
 SECURITY_GROUP_RULES = {
    'all_tcp': {
        'name': _('All TCP'),
        'ip_protocol': 'tcp',
        'from_port': '1',
        'to_port': '65535',
    },
    'all_udp': {
        'name': _('All UDP'),
        'ip_protocol': 'udp',
        'from_port': '1',
        'to_port': '65535',
    },
    'all_icmp': {
        'name': _('All ICMP'),
        'ip_protocol': 'icmp',
        'from_port': '-1',
        'to_port': '-1',
    },
    'ssh': {
        'name': 'SSH',
        'ip_protocol': 'tcp',
        'from_port': '22',
        'to_port': '22',
    },
    'smtp': {
        'name': 'SMTP',
        'ip_protocol': 'tcp',
        'from_port': '25',
        'to_port': '25',
    },
    'dns': {
        'name': 'DNS',
        'ip_protocol': 'tcp',
        'from_port': '53',
        'to_port': '53',
    },
    'http': {
        'name': 'HTTP',
        'ip_protocol': 'tcp',
        'from_port': '80',
        'to_port': '80',
    },
    'pop3': {
        'name': 'POP3',
        'ip_protocol': 'tcp',
        'from_port': '110',
        'to_port': '110',
    },
    'imap': {
        'name': 'IMAP',
        'ip_protocol': 'tcp',
        'from_port': '143',
        'to_port': '143',
    },
    'ldap': {
        'name': 'LDAP',
        'ip_protocol': 'tcp',
        'from_port': '389',
        'to_port': '389',
    },
    'https': {
        'name': 'HTTPS',
        'ip_protocol': 'tcp',
        'from_port': '443',
        'to_port': '443',
    },
    'smtps': {
        'name': 'SMTPS',
        'ip_protocol': 'tcp',
        'from_port': '465',
        'to_port': '465',
    },
    'imaps': {
        'name': 'IMAPS',
        'ip_protocol': 'tcp',
        'from_port': '993',
        'to_port': '993',
    },
    'pop3s': {
        'name': 'POP3S',
        'ip_protocol': 'tcp',
        'from_port': '995',
        'to_port': '995',
    },
    'ms_sql': {
        'name': 'MS SQL',
        'ip_protocol': 'tcp',
        'from_port': '1433',
        'to_port': '1433',
    },
    'mysql': {
        'name': 'MYSQL',
        'ip_protocol': 'tcp',
        'from_port': '3306',
        'to_port': '3306',
    },
    'rdp': {
        'name': 'RDP',
        'ip_protocol': 'tcp',
        'from_port': '3389',
        'to_port': '3389',
    },
 }
 # Deprecation Notice:
 #
 # The setting FLAVOR_EXTRA_KEYS has been deprecated.
 # Please load extra spec metadata into the Glance Metadata Definition Catalog.
 #
 # The sample quota definitions can be found in:
 # <glance_source>/etc/metadefs/compute-quota.json
 #
 # The metadata definition catalog supports CLI and API:
 #  $glance --os-image-api-version 2 help md-namespace-import
 #  $glance-manage db_load_metadefs <directory_with_definition_files>
 #
 # See Metadata Definitions on:
 # https://docs.openstack.org/glance/latest/user/glancemetadefcatalogapi.html
 # AngularJS requires some settings to be made available to
 # the client side. Some settings are required by in-tree / built-in horizon
 # features. These settings must be added to REST_API_REQUIRED_SETTINGS in the
 # form of ['SETTING_1','SETTING_2'], etc.
 #
 # You may remove settings from this list for security purposes, but do so at
 # the risk of breaking a built-in horizon feature. These settings are required
 # for horizon to function properly. Only remove them if you know what you
 # are doing. These settings may in the future be moved to be defined within
 # the enabled panel configuration.
 # You should not add settings to this list for out of tree extensions.
 # See: https://wiki.openstack.org/wiki/Horizon/RESTAPI
 REST_API_REQUIRED_SETTINGS = ['OPENSTACK_HYPERVISOR_FEATURES',
                              'LAUNCH_INSTANCE_DEFAULTS',
                              'OPENSTACK_IMAGE_FORMATS',
                              'OPENSTACK_KEYSTONE_BACKEND',
                              'OPENSTACK_KEYSTONE_DEFAULT_DOMAIN',
                              'CREATE_IMAGE_DEFAULTS',
                              'ENFORCE_PASSWORD_CHECK']
 # Additional settings can be made available to the client side for
 # extensibility by specifying them in REST_API_ADDITIONAL_SETTINGS
 # !! Please use extreme caution as the settings are transferred via HTTP/S
 # and are not encrypted on the browser. This is an experimental API and
 # may be deprecated in the future without notice.
 #REST_API_ADDITIONAL_SETTINGS = []
 # DISALLOW_IFRAME_EMBED can be used to prevent Horizon from being embedded
 # within an iframe. Legacy browsers are still vulnerable to a Cross-Frame
 # Scripting (XFS) vulnerability, so this option allows extra security hardening
 # where iframes are not used in deployment. Default setting is True.
 # For more information see:
 # http://tinyurl.com/anticlickjack
 #DISALLOW_IFRAME_EMBED = True
 # Help URL can be made available for the client. To provide a help URL, edit the
 # following attribute to the URL of your choice.
 #HORIZON_CONFIG["help_url"] = "http://openstack.mycompany.org"
 # Settings for OperationLogMiddleware
 # OPERATION_LOG_ENABLED is flag to use the function to log an operation on
 # Horizon.
 # mask_targets is arrangement for appointing a target to mask.
 # method_targets is arrangement of HTTP method to output log.
 # format is the log contents.
 #OPERATION_LOG_ENABLED = False
 #OPERATION_LOG_OPTIONS = {
 #    'mask_fields': ['password'],
 #    'target_methods': ['POST'],
 #    'ignored_urls': ['/js/', '/static/', '^/api/'],
 #    'format': ("[%(client_ip)s] [%(domain_name)s]"
 #        " [%(domain_id)s] [%(project_name)s]"
 #        " [%(project_id)s] [%(user_name)s] [%(user_id)s] [%(request_scheme)s]"
 #        " [%(referer_url)s] [%(request_url)s] [%(message)s] [%(method)s]"
 #        " [%(http_status)s] [%(param)s]"),
 #}
 # The default date range in the Overview panel meters - either <today> minus N
 # days (if the value is integer N), or from the beginning of the current month
 # until today (if set to None). This setting should be used to limit the amount
 # of data fetched by default when rendering the Overview panel.
 #OVERVIEW_DAYS_RANGE = 1
 # To allow operators to require users provide a search criteria first
 # before loading any data into the views, set the following dict
 # attributes to True in each one of the panels you want to enable this feature.
 # Follow the convention <dashboard>.<view>
 #FILTER_DATA_FIRST = {
 #    'admin.instances': False,
 #    'admin.images': False,
 #    'admin.networks': False,
 #    'admin.routers': False,
 #    'admin.volumes': False,
 #    'identity.users': False,
 #    'identity.projects': False,
 #    'identity.groups': False,
 #    'identity.roles': False
 #}
 # Dict used to restrict user private subnet cidr range.
 # An empty list means that user input will not be restricted
 # for a corresponding IP version. By default, there is
 # no restriction for IPv4 or IPv6. To restrict
 # user private subnet cidr range set ALLOWED_PRIVATE_SUBNET_CIDR
 # to something like
 #ALLOWED_PRIVATE_SUBNET_CIDR = {
 #    'ipv4': ['10.0.0.0/8', '192.168.0.0/16'],
 #    'ipv6': ['fc00::/7']
 #}
 ALLOWED_PRIVATE_SUBNET_CIDR = {'ipv4': [], 'ipv6': []}
 # Projects and users can have extra attributes as defined by keystone v3.
 # Horizon has the ability to display these extra attributes via this setting.
 # If you'd like to display extra data in the project or user tables, set the
 # corresponding dict key to the attribute name, followed by the display name.
 # For more information, see horizon's customization
 # (https://docs.openstack.org/horizon/latest/configuration/customizing.html#horizon-customization-module-overrides)
 #PROJECT_TABLE_EXTRA_INFO = {
 #   'phone_num': _('Phone Number'),
 #}
 #USER_TABLE_EXTRA_INFO = {
 #   'phone_num': _('Phone Number'),
 #}
 # Password will have an expiration date when using keystone v3 and enabling the
 # feature.
 # This setting allows you to set the number of days that the user will be alerted
 # prior to the password expiration.
 # Once the password expires keystone will deny the access and users must
 # contact an admin to change their password.
 #PASSWORD_EXPIRES_WARNING_THRESHOLD_DAYS = 0
--- a/snap-overlay/snap-openstack.yaml
+++ b/snap-overlay/snap-openstack.yaml
@ -11,6 +11,7 @@ setup:
    - "{snap_common}/etc/nginx/snap/sites-enabled"
    - "{snap_common}/etc/glance/glance.conf.d"
    - "{snap_common}/etc/horizon/horizon.conf.d"
    - "{snap_common}/etc/horizon/local_settings.d"
    - "{snap_common}/var/horizon/static"
    - "{snap_common}/etc/keystone/uwsgi/snap"
    - "{snap_common}/etc/cinder/uwsgi/snap"
@ -33,9 +34,9 @@ setup:
    glance-snap.conf.j2: "{snap_common}/etc/glance/glance.conf.d/glance-snap.conf"
    cinder-nginx.conf.j2: "{snap_common}/etc/nginx/snap/sites-enabled/cinder.conf"
    cinder-snap.conf.j2: "{snap_common}/etc/cinder/cinder.conf.d/cinder-snap.conf"
 # TODO add local_settings.py
    horizon-snap.conf.j2: "{snap_common}/etc/horizon/horizon.conf.d/horizon-snap.conf"
    horizon-nginx.conf.j2: "{snap_common}/etc/nginx/snap/sites-enabled/horizon.conf"
    05_snap_tweaks.j2: "{snap_common}/etc/horizon/local_settings.d/_05_snap_tweaks.py"
    libvirtd.conf.j2: "{snap_common}/libvirt/libvirtd.conf"
    virtlogd.conf.j2: "{snap_common}/libvirt/virtlogd.conf"
    microstack.rc.j2: "{snap_common}/etc/microstack.rc"
--- a/snap-overlay/lib/python3.6/site-packages/openstack_dashboard/local/local_settings.d/_05_snap_tweaks.py
+++ b/snap-overlay/lib/python3.6/site-packages/openstack_dashboard/local/local_settings.d/_05_snap_tweaks.py
@ -6,16 +6,6 @@ DEBUG = True
 # Set our webroot.
 WEBROOT = '/'
 # Caches and such should get written out here.
 LOCAL_PATH = '/var/snap/microstack/common/etc/horizon/'
 # We don't want django to try writing the secret key before we've told
 # it not to attempt to write it out in the read only snap dir in our
 # local_settings.py. So we override the behavior of the default
 # settings.py here.
 SECRET_KEY = secret_key.generate_or_read_from_file(
    os.path.join(LOCAL_PATH, '.secret_key_store'))
 # Django wants to write out compressed files even when we turn
 # compression off (either a bug or something that I'm not
 # understanding). Tell it to write them some place writeable.
--- a/snap/hooks/install
+++ b/snap/hooks/install
@ -18,6 +18,8 @@ for project in neutron nova keystone glance; do
    mkdir -p ${SNAP_COMMON}/etc/${project}/${project}.conf.d
    cp -r ${SNAP}/etc/${project}/${project}.conf.d/* ${SNAP_COMMON}/etc/${project}/${project}.conf.d || true # Skip conf files that have been moved into templates
 done
 # Make a place for our horizon config overrides to live
 mkdir -p ${SNAP_COMMON}/etc/horizon/local_settings.d
 snap-openstack setup  # Sets up templates for the first time.
--- a/snapcraft.yaml
+++ b/snapcraft.yaml
@ -328,6 +328,7 @@ parts:
    python-version: python3
    after:
      - uca-sources
      - patches
    constraints:
      - https://raw.githubusercontent.com/openstack/requirements/stable/stein/upper-constraints.txt
    source: http://tarballs.openstack.org/keystone/keystone-stable-stein.tar.gz
@ -360,6 +361,16 @@ parts:
      - python3-dev
    override-prime: |
      snapcraftctl prime
      # Patch Openstack Dashboard (horizon) settings files.
      for patch in ${SNAPCRAFT_STAGE}/patches/horizon/*.patch; do
        echo "Applying $(basename "$patch") ..."
        patch \
          --batch \
          --forward \
          --strip 1 \
          --input "$patch"
        echo
      done
      # Uncomment the below line for better python-libvirt debugging output.
      # patch --batch --forward --strip 1 --input ../project/patches/nova/nova_log_error.patch
      # Now that everything is built, let's disable user site-packages
@ -368,6 +379,9 @@ parts:
      # This is the last step, let's now compile all our pyc files.
      # Ignore errors due to syntax issues in foobar python 2.
      ./usr/bin/python3.6 -m compileall . || true
    organize:
      lib/python3.6/site-packages/openstack_dashboard/local/local_settings.py.example: lib/python3.6/site-packages/openstack_dashboard/local/local_settings.py
  keystone-config:
    after: [openstack-projects]
    plugin: dump
--- a/tests/basic-test.sh
+++ b/tests/basic-test.sh
@ -24,6 +24,7 @@ UPGRADE_FROM="none"
 FORCE_QEMU=false
 PREFIX=""
 DISTRO="bionic"
 HORIZON_IP="10.20.20.1"
 while getopts u:d:mq option
 do
@ -72,6 +73,9 @@ if [ "$PREFIX" == "multipass" ]; then
    multipass launch --cpus 2 --mem 16G $DISTRO --name $MACHINE
    multipass copy-files microstack_stein_amd64.snap $MACHINE:
    HORIZON_IP=`multipass info $MACHINE | grep IPv4 | cut -d":" -f2 \
        | tr -d '[:space:]'`
 fi
 # Possibly install a release of the snap before running a test.
@ -159,16 +163,34 @@ until $PREFIX ssh -oStrictHostKeyChecking=no -i \
    sleep 5
 done;
 echo "++++++++++++++++++++++++++++++++++++++++++++++++++"
 echo "++   Running Horizon GUI tests                  ++"
 echo "++++++++++++++++++++++++++++++++++++++++++++++++++"
 export HORIZON_IP
 if [[ $PREFIX == *"multipass"* ]]; then
    echo "Opening $HORIZON_IP:80 up to the outside world."
    cat<<EOF > /tmp/_10_hosts.py
 # Allow all hosts to connect to this machine
 ALLOWED_HOSTS = ['*',]
 EOF
    multipass copy-files /tmp/_10_hosts.py $MACHINE:/tmp/_10_hosts.py
    $PREFIX sudo cp /tmp/_10_hosts.py \
         /var/snap/microstack/common/etc/horizon/local_settings.d/
    $PREFIX sudo snap restart microstack
 fi
 tests/test_horizonlogin.py
 echo "Horizon tests complete!."
 unset HORIZON_IP
 # Cleanup
 echo "++++++++++++++++++++++++++++++++++++++++++++++++++"
 echo "++   Completed tests. Cleaning up               ++"
 echo "++++++++++++++++++++++++++++++++++++++++++++++++++"
 unset IP
 if [[ $PREFIX == *"multipass"* ]]; then
    echo "++++++++++++++++++++++++++++++++++++++++++++++++++"
    echo "++   Completed tests. Cleaning up               ++"
    echo "++++++++++++++++++++++++++++++++++++++++++++++++++"
    sudo multipass delete $MACHINE
    sudo multipass purge
 else
-    echo "++++++++++++++++++++++++++++++++++++++++++++++++++"
+    sudo snap remove --purge microstack
    echo "++   Completed tests. Leaving snap installed.   ++"
    echo "++++++++++++++++++++++++++++++++++++++++++++++++++"
 fi
--- a/tests/test_horizonlogin.py
+++ b/tests/test_horizonlogin.py
@ -19,6 +19,9 @@ from selenium import webdriver
 from selenium.webdriver.common.by import By
 HORIZON_IP = os.environ.get("HORIZON_IP", "10.20.20.1")
 class TestHorizonlogin(unittest.TestCase):
  def setUp(self):
    self.display = xvfbwrapper.Xvfb(width=1280, height=720)
@ -30,7 +33,7 @@ class TestHorizonlogin(unittest.TestCase):
    self.display.stop()
  def test_horizonlogin(self):
-    self.driver.get("http://10.20.20.1/")
+    self.driver.get("http://{horizon_ip}/".format(horizon_ip=HORIZON_IP))
    # Login to horizon!
    self.driver.find_element(By.ID, "id_username").click()
    self.driver.find_element(By.ID, "id_username").send_keys("admin")
--- a/tools/basic_setup.sh
+++ b/tools/basic_setup.sh
@ -0,0 +1,12 @@
 #!/bin/bash
 set -ex
 sudo apt update
 # Install the X virtual framebuffer, which is required for selenium
 # tests of the horizon dashboard.
 sudo apt install -y xvfb npm libfontconfig1
 sudo npm install -g phantomjs-prebuilt
 # Verify that PhantomJS, our selenium web driver, works.
 phantomjs -v
--- a/tools/multipass_build.sh
+++ b/tools/multipass_build.sh
@ -4,6 +4,15 @@ set -ex
 export PATH=/snap/bin:$PATH
 sudo apt update
 # Install the X virtual framebuffer, which is required for selenium
 # tests of the horizon dashboard.
 sudo apt install -y xvfb npm libfontconfig1
 sudo npm install -g phantomjs-prebuilt
 # Verify that PhantomJS, our selenium web driver, works.
 phantomjs -v
 sudo snap install --classic snapcraft
 sudo snap install --classic --beta multipass
--- a/tox.ini
+++ b/tox.ini
@ -21,7 +21,6 @@ deps = -r{toxinidir}/test-requirements.txt
 commands =
    {toxinidir}/tools/lxd_build.sh
    {toxinidir}/tests/basic-test.sh
    {toxinidir}/tests/test_horizonlogin.py
 [testenv:multipass]
 # Default testing environment for a human operated machine. Builds the
@ -39,6 +38,7 @@ commands =
 [testenv:basic]
 # Just run basic_test.sh, with multipass support.
 commands =
    {toxinidir}/tools/basic_setup.sh
    {toxinidir}/tests/basic-test.sh -m
 [testenv:init_lint]