From ca352be75b964f058b44ab0079e6c4b524f62ddd Mon Sep 17 00:00:00 2001
From: Dmitriy Rabotyagov
Date: Thu, 23 Dec 2021 16:37:44 +0200
Subject: [PATCH] Disable shell for nova when tunneled migration not used

Change-Id: If4d036794cf8edb14e6b0ed491cf0de78f425b2c
---
 defaults/main.yml | 2 +-
 .../notes/disable_nova_shell-214c72d31c4d50ec.yaml | 8 ++++++++
 2 files changed, 9 insertions(+), 1 deletion(-)
 create mode 100644 releasenotes/notes/disable_nova_shell-214c72d31c4d50ec.yaml

diff --git a/defaults/main.yml b/defaults/main.yml
index b1fa1faa..331c875f 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -63,7 +63,7 @@ nova_bin: "{{ _nova_bin }}"
 ## Nova user information
 nova_system_user_name: nova
 nova_system_group_name: nova
-nova_system_shell: /bin/bash
+nova_system_shell: "{{ (nova_libvirtd_listen_tls | bool) | ternary('/bin/false', '/bin/bash') }}"
 nova_system_comment: nova system user
 nova_system_home_folder: "/var/lib/{{ nova_system_user_name }}"
 nova_system_slice_name: nova
diff --git a/releasenotes/notes/disable_nova_shell-214c72d31c4d50ec.yaml b/releasenotes/notes/disable_nova_shell-214c72d31c4d50ec.yaml
new file mode 100644
index 00000000..ff88e8bc
--- /dev/null
+++ b/releasenotes/notes/disable_nova_shell-214c72d31c4d50ec.yaml
@@ -0,0 +1,8 @@
+---
+upgrade:
+ - |
+ From now on ``nova_system_shell`` depends on the value of
+ nova_libvirtd_listen_tls by default. When libvirt listens on tls we
+ assume that tunnelled migration is not used, so nova user does not
+ need shell access and it will be disabled. When nova_libvirtd_listen_tls
+ is disabled, ``nova_system_shell`` will be set to /bin/bash
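Review bot: The new default for `nova_system_shell` in defaults/main.yml uses `nova_libvirtd_listen_tls` as a stand-in for "nothing logs in as the nova user over SSH", and nothing on the line says so. If any other workflow in a deployment still connects between compute hosts as nova (resize or cold migration copying disks over SSH would be one candidate, which cannot be verified from this hunk), switching to `/bin/false` will break it on upgrade, so that should be confirmed or the condition narrowed. I would add a comment above the line, e.g. `# Login shell is only kept for SSH-tunnelled live migration; override if other workflows SSH in as nova`. Changing the shell also leaves any authorized_keys already deployed for nova in place; whether the role removes them when TLS is enabled is outside this hunk and worth checking.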