Based on Official Guide: Kolla Ansible 2025.1 Development Quickstart
✅ All-in-One (AIO) Setup | ✅ VirtualBox VM | ✅ Fixed Common Issues
✅ Perfect for Evaluation, Learning Development & Production
🔧 Deploy OpenStack All-in-One with Kolla Ansible — Fast, Reliable & Professional
- About Kolla Ansible
- Prerequisites
- Step-by-Step Installation
- Verify & Use OpenStack
- Manage & Maintain Your Cloud
- Cleanup / Uninstall
- 🔧 Troubleshooting & Common Issues
- 📜 License & Credits
Kolla Ansible is an official OpenStack project that uses Ansible to deploy containerized OpenStack services via Docker. It’s ideal for:
- Rapid deployment of OpenStack for testing or evaluation.
- Consistent, repeatable infrastructure as code.
- Production-ready architecture (scalable from single-node to multi-node).
✅ Why Use Kolla Ansible?
- Fully automated setup
- Built-in high availability (VIP + keepalived)
- Easy upgrades and maintenance
- Supports Ubuntu, Rocky Linux, CentOS
This guide uses the development-style installation method (cloning from Git) as per the official Kolla Ansible quickstart.
Ensure your VM meets these requirements:
| Requirement | Details |
|---|---|
| OS | Ubuntu 24.04 LTS or Rocky Linux 9 |
| RAM | 8 GB or more |
| Disk | 40+ GB free space |
| Network Interfaces | 3 NICs (NAT, Host-Only, Bridged) |
| User Privileges | Root access or sudo rights |
✅ 2+ vCPUs
✅ 8+ GB RAM
✅ 40+ GB Disk
✅ OS: Ubuntu 24.04.X LTS
✅ 3 Network Interfaces (as described)
| Interface | Type | IP Address | Purpose |
|---|---|---|---|
enp0s3 |
NAT | 10.0.2.15 |
Internet access |
enp0s8 |
Host-Only | 192.168.10.10 |
Management network |
enp0s9 |
Bridged | 192.168.102.221 |
External network for instances |
We'll use:
enp0s8→network_interfaceenp0s9→neutron_external_interface- VIP →
192.168.10.250
Run all commands as root or with sudo.
💡 Run all commands as root or use
sudo.
sudo apt update && sudo apt upgrade -y
apt install -y git python3-dev libffi-dev gcc libssl-dev libdbus-glib-1-dev python3-venv
🐧 For Rocky/CentOS, use:
dnf install -y git python3-devel libffi-devel gcc openssl-devel python3-libselinux
python3 -m venv /opt/venv-kolla
source /opt/venv-kolla/bin/activate
pip install --upgrade pip
pip install docker
pip install dbus-python🔁 Keep this environment activated for all steps!
git clone --branch stable/2025.1 https://opendev.org/openstack/kolla-ansiblepip install ./kolla-ansible
mkdir -p /etc/kolla
chown $USER:$USER /etc/kollacp -r kolla-ansible/etc/kolla/* /etc/kolla/
cp kolla-ansible/ansible/inventory/* .kolla-ansible install-depskolla-ansible/tools/generate_passwords.py🔐 All passwords are now securely generated in
/etc/kolla/passwords.yml
Edit the main config file:
nano /etc/kolla/globals.ymlUpdate with your settings:
# Base OS for containers
kolla_base_distro: "ubuntu"
# OpenStack release
kolla_install_type: "source"
# Management interface (host-only)
network_interface: "enp0s8"
# External interface for Neutron (bridged, no IP!)
neutron_external_interface: "enp0s9"
# Virtual IP for internal traffic (must be unused)
kolla_internal_vip_address: "192.168.10.250"
# Enable key services
enable_haproxy: "yes"
enable_keystone: "yes"
enable_glance: "yes"
enable_nova: "yes"
enable_neutron: "yes"
enable_placement: "yes"
enable_horizon: "yes"
enable_cinder: "yes"
enable_cinder_backend_lvm: "yes"
enable_heat: "yes"Save and exit (Ctrl+O, Enter, Ctrl+X).
Installs Docker and other required tools.
kolla-ansible bootstrap-servers -i all-in-onekolla-ansible prechecks -i all-in-one❌ If it fails due to missing Python modules, see Troubleshooting below.
Deploy all services in containers:
kolla-ansible deploy -i all-in-one🕐 This may take 10–20 minutes.
✅ Wait for: PLAY RECAP with 0 failed tasks.
kolla-ansible post-deploy -i ~/all-in-one✅ Output:
/etc/kolla/clouds.yamland/etc/kolla/admin-openrc.sh
pip install python-openstackclient -c https://releases.openstack.org/constraints/upper/2025.1source /etc/kolla/admin-openrc.shTest connection:
openstack token issue✅ You should see a valid authentication token.
Creates sample network, image, and instance.
kolla-ansible/tools/init-runonce
⚠️ Only for testing! Do not run in production.
Open in browser:
http://192.168.10.10
or
http://192.168.102.221
Login with:
- Username:
admin - Password: See
/etc/kolla/passwords.yml→keystone_admin_password
Get password:
grep keystone_admin_password /etc/kolla/passwords.yml| Task | Command |
|---|---|
| Redeploy (e.g., after config change) | kolla-ansible deploy -i ~/all-in-one |
| Restart specific service (Nova) | kolla-ansible deploy -i ~/all-in-one --tags nova |
| Stop all containers | kolla-ansible stop -i ~/all-in-one |
| Pull latest images | kolla-ansible pull -i ~/all-in-one |
| View logs | docker logs <container_name> |
| List running containers | docker ps |
When upgrading to a new version:
# Pull new images
kolla-ansible pull -i ~/all-in-one
# Run upgrade playbook
kolla-ansible upgrade -i ~/all-in-one
⚠️ Always backup first!
To completely remove OpenStack:
kolla-ansible destroy -i ~/all-in-one --yes-i-really-really-mean-it
⚠️ Warning: This deletes all data, including volumes and databases.
Then remove config and virtual env:
rm -rf /etc/kolla
rm -rf /opt/venv-kolla
rm -rf ~/kolla-ansibleHere are real problems you faced and their perfect fixes, plus other likely issues.
Error during prechecks:
failed: [localhost] ... ModuleNotFoundError: No module named 'docker'
✅ Solution:
Install docker in the Ansible runtime environment:
pip install docker
or
/opt/ansible-runtime/bin/pip install dockerError:
import dbus; ModuleNotFoundError: No module named 'dbus'
✅ Solution:
Install dbus-python in the Ansible runtime:
pip install dbus-python
or
/opt/ansible-runtime/bin/pip install dbus-python🔗 Requires system package:
libdbus-glib-1-dev(already installed above).
Error:
Kolla inventory /etc/kolla/ansible/inventory/all-in-one is invalid: Path does not exist
✅ Solution:
Create the correct directory and copy the file:
mkdir -p /etc/kolla/ansible/inventory
cp all-in-one /etc/kolla/ansible/inventory/all-in-oneOr always specify -i:
kolla-ansible post-deploy -i all-in-oneSymptoms:
- Instances can't reach internet
- Floating IPs not accessible
✅ Fix:
Ensure neutron_external_interface has no IP address:
ip addr flush dev enp0s9And disable any network manager control over it.
Error in prechecks about NTP.
✅ Fix:
Enable time sync:
timedatectl set-ntp true
timedatectl statusSymptom: Docker fails to start or containers crash.
✅ Fix:
- Allocate at least 8GB RAM and 40GB disk to VM.
- Monitor usage:
df -h,free -h
Error Message:
fatal: [localhost]: FAILED! => {"changed": false, "cmd": ["vgs", "cinder-volumes"], ...
"stderr": "Volume group \"cinder-volumes\" not found"}
When it happens:
During kolla-ansible prechecks or deploy.
- Default Behavior: OpenStack Cinder uses LVM storage by default.
- Requirement: It looks for a specific Volume Group named
cinder-volumes. - Your Setup: You have only one disk (used for OS). No extra disk exists for Cinder.
- Result: Precheck fails because the storage group is missing.
We will create a large file on your existing disk and treat it as a virtual hard disk for Cinder.
Create a 20GB file named cinder-volumes.img in the root directory.
dd if=/dev/zero of=/cinder-volumes.img bs=1M count=20480Connect the file to a loop device (e.g., /dev/loop0).
losetup /dev/loop0 /cinder-volumes.imgInitialize the loop device for LVM.
pvcreate /dev/loop0Create the required group named cinder-volumes.
vgcreate cinder-volumes /dev/loop0Check if VG exists:
vgsYou should see cinder-volumes in the list.
Re-run Prechecks:
kolla-ansible prechecks -i all-in-oneThe Cinder error should be gone.
The loop device will disconnect after reboot. To fix this automatically:
- Open
/etc/rc.local(create if not exists). - Add these lines before
exit 0:losetup /dev/loop0 /cinder-volumes.img vgchange -ay
- Make sure
/etc/rc.localis executable.
- Total Size: 20 GB.
- Usable Size: ~18 GB (some space used for LVM metadata).
- Usage: You can create multiple volumes (e.g., 10 volumes of 1GB each). Once full, you cannot create new volumes.
- Lab/Testing: Perfectly fine.
- Production: Not recommended. It is slower than a physical disk.
If you add Ceph storage later:
- Update
globals.ymlto enablecinder_backend_ceph. - Disable
cinder_backend_lvm. - Re-run
kolla-ansible deploy. - You do not need to delete the loopback file, but Cinder will stop using it for new volumes.
"The Nova compute service failed to register itself"
(Caused by: Libvirt SASL Authentication Failed)
When running kolla-ansible deploy, the playbook fails at the nova-cell role with this message:
fatal: [localhost]: FAILED! => {"msg": "The Nova compute service failed to register itself on the following hosts: controller"}
Related log errors from nova-compute.log:
nova.exception.HypervisorUnavailable: Connection to the hypervisor is broken on host
libvirt.libvirtError: authentication failed: authentication failed
What this means:
The nova-compute container cannot connect to the nova-libvirt container because the SASL (Simple Authentication and Security Layer) password verification is failing.
| Cause | Explanation |
|---|---|
| 1. Corrupted passwd.db file | The /etc/libvirt/passwd.db file (which stores SASL passwords) got corrupted or has wrong format. This is a binary file, and sometimes it gets broken during container startup or config copy. |
| 2. Password mismatch | The password in nova-compute's auth.conf does not match the password in nova-libvirt's passwd.db. |
| 3. Container startup timing | nova-compute tries to connect before nova-libvirt is fully ready. This is a race condition. |
| 4. Incomplete config propagation | After updating passwords.yml, the new password was not properly copied to the containers. |
Disable SASL authentication temporarily to complete deployment:
-
Edit
/etc/kolla/globals.yml:libvirt_enable_sasl: false nova_libvirt_enable_sasl: false
-
Re-deploy only nova services:
kolla-ansible deploy -i <inventory> --limit controller --tags nova
⚠️ Warning: Only use this for development or testing. Do not use in production.
Fix the SASL authentication properly:
grep libvirt_sasl /etc/kolla/passwords.ymlMake sure you see:
libvirt_sasl_username: nova
libvirt_sasl_password: <your_password>#### Enter the container
docker exec -it nova_libvirt bash
#### Remove corrupted file
rm -f /etc/libvirt/passwd.db
#### Create new clean file
touch /etc/libvirt/passwd.db
chmod 640 /etc/libvirt/passwd.db
chown root:nova /etc/libvirt/passwd.db
#### Add correct password entry (use your actual password)
SASL_PASS="your_password_here"
saslpasswd2 -p -c -f /etc/libvirt/passwd.db -u openstack nova <<< "$SASL_PASS"
#### Verify (use strings, not cat)
strings /etc/libvirt/passwd.db
> Expected output: nova@openstack:your_password_here
#### Exit container
exitdocker exec -it nova_compute bash
cat /var/lib/nova/.config/libvirt/auth.confMake sure the password value matches the one in passwd.db.
docker restart nova_libvirt
sleep 10
docker restart nova_compute# Check nova-compute logs
docker logs -tf nova_compute | grep -E "Connected|ERROR"
# Check OpenStack service status
source /etc/kolla/admin-openrc.sh
openstack compute service list --service nova-compute✅ Success: Status should show up and :-)
Run these commands to confirm everything is working:
# 1. Check container status
docker ps | grep -E "nova_compute|nova_libvirt"
# 2. Check passwd.db content (use strings)
docker exec nova_libvirt strings /etc/libvirt/passwd.db
# 3. Check auth.conf content
docker exec nova_compute cat /var/lib/nova/.config/libvirt/auth.conf
# 4. Test libvirt connection
docker exec nova_compute virsh -c qemu+tcp://controller/system list
# 5. Check OpenStack service
source /etc/kolla/admin-openrc.sh
openstack compute service list --service nova-compute| Tip | Why It Helps |
|---|---|
✅ Always run full kolla-ansible deploy after changing passwords.yml |
Ensures all configs are properly copied to containers |
✅ Use strings command to check passwd.db |
cat shows garbage for binary files; strings shows readable content |
✅ Restart nova_libvirt before nova_compute |
Avoids race conditions during startup |
✅ Keep globals.yml and passwords.yml in sync |
Prevents password mismatch errors |
| ✅ Test SASL disabled first in lab, then enable for production | Easier debugging during development |
| Environment | SASL Setting | Reason |
|---|---|---|
| 🧪 Lab / Learning | false |
Faster setup, easier debugging |
| 🏢 Production | true |
Required for security |
| 🔄 Hybrid (Test → Prod) | Start false, then true |
Test features first, then secure |
If the problem persists, collect this information for further help:
# 1. Nova compute logs (last 50 lines)
docker logs --tail 50 nova_compute
# 2. SASL file content
docker exec nova_libvirt strings /etc/libvirt/passwd.db
# 3. Auth config
docker exec nova_compute cat /var/lib/nova/.config/libvirt/auth.conf
# 4. Libvirt network status
docker exec nova_libvirt netstat -tlnp | grep 16509Share these outputs with your support team or community for faster troubleshooting.
💡 Final Note: If you disabled SASL for testing and your deployment is now working, your OpenStack cloud is functional. You can enable SASL later when you are ready for production hardening.
- Guide Version: 2025.1
- Author: Sumon Paul
- Source: Based on OpenStack Kolla Ansible Docs
- License: MIT (Feel free to reuse and modify)
✅ Congratulations!
You’ve successfully deployed a fully functional single-node OpenStack cloud using Kolla Ansible.
Use this environment to learn Nova, Neutron, Cinder, Horizon, and more!
📬 Need Help?
Have questions or improvements? Open an issue or contact me!
✨ Happy Cloud Building!