+++ This bug was initially created as a clone of Bug #1691580 +++ The following is paraphrased from the upstream bug report. https://bugs.launchpad.net/nova/+bug/1816727/ This should be considered a security hardening bug as it could lead to a denial of service situation. It has been determined the same upstream. Description of problem (nova-novncproxy): With haproxy acting as a load balancer, but not terminating SSL. With that health check enabled, it was found the nova-novncproxy process CPU spiking and eventually causing the node to hang. It seems that the haproxy health checks initiate an SSL connection but then immediately send a TCP RST. For most services this does not seem to be an issue, but for nova-novncproxy it repeatedly initializes NovaProxyRequestHandler which creates a full nova.compute.rpcapi.ComputeAPI instance which very quickly starts to consume significant CPU and overtake the host.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:1670