This is likely going to be included in 15 via a regular import.
+++ This bug was initially created as a clone of Bug #1691580 +++
The following is paraphrased from the upstream bug report.
https://bugs.launchpad.net/nova/+bug/1816727/
This should be considered a security hardening bug as it could lead to a denial of service situation. It has been determined the same upstream.
Description of problem (nova-novncproxy):
With haproxy acting as a load balancer, but not terminating SSL.
With that health check enabled, it was found the nova-novncproxy process CPU spiking and eventually causing the node to hang.
It seems that the haproxy health checks initiate an SSL connection but then immediately send a TCP RST.
For most services this does not seem to be an issue, but for nova-novncproxy it repeatedly initializes NovaProxyRequestHandler which creates a full nova.compute.rpcapi.ComputeAPI instance which very quickly starts to consume significant CPU and overtake the host.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2020:0711