Disable shell for nova when tunneled migration not used

Change-Id: If4d036794cf8edb14e6b0ed491cf0de78f425b2c

defaults/main.yml

@@ -63,7 +63,7 @@ nova_bin: "{{ _nova_bin }}"
 ## Nova user information
 nova_system_user_name: nova
 nova_system_group_name: nova
-nova_system_shell: /bin/bash
+nova_system_shell: "{{ (nova_libvirtd_listen_tls | bool) | ternary('/bin/false', '/bin/bash') }}"
 nova_system_comment: nova system user
 nova_system_home_folder: "/var/lib/{{ nova_system_user_name }}"
 nova_system_slice_name: nova

releasenotes/notes/disable_nova_shell-214c72d31c4d50ec.yaml

@@ -0,0 +1,8 @@
+---
+upgrade:
+  - |
+    From now on ``nova_system_shell`` depends on the value of
+    nova_libvirtd_listen_tls by default. When libvirt listens on tls we
+    assume that tunnelled migration is not used, so nova user does not
+    need shell access and it will be disabled. When nova_libvirtd_listen_tls
+    is disabled, ``nova_system_shell`` will be set to /bin/bash