+++ This bug was initially created as a clone of Bug #1691580 +++ The following is paraphrased from the upstream bug report. https://bugs.launchpad.net/nova/+bug/1816727/ This should be considered a security hardening bug as it could lead to a denial of service situation. It has been determined the same upstream. Description of problem (nova-novncproxy): With haproxy acting as a load balancer, but not terminating SSL. With that health check enabled, it was found the nova-novncproxy process CPU spiking and eventually causing the node to hang. It seems that the haproxy health checks initiate an SSL connection but then immediately send a TCP RST. For most services this does not seem to be an issue, but for nova-novncproxy it repeatedly initializes NovaProxyRequestHandler which creates a full nova.compute.rpcapi.ComputeAPI instance which very quickly starts to consume significant CPU and overtake the host.
This bug does not exist in nova version <= queens.