flask ssl amazon-lightsail health-check

SSL EOF During Health Check


I recently updated my main Lightsail container to use python3.11, a venv, and Debian bookworm for its base. During previous deployments under bullseye + python3.10 this issue was not present. The image works fine locally, and occasionally AWS allows the image to deploy in spite of the SSL failures, after which the container works fine as well.

[12/Nov/2023:16:26:05] Error on request:
[12/Nov/2023:16:26:05] Traceback (most recent call last):
[12/Nov/2023:16:26:05] File "/opt/venv/lib/python3.11/site-packages/werkzeug/serving.py", line 362, in run_wsgi
[12/Nov/2023:16:26:05] execute(self.server.app)
[12/Nov/2023:16:26:05] File "/opt/venv/lib/python3.11/site-packages/werkzeug/serving.py", line 326, in execute
[12/Nov/2023:16:26:05] write(data)
[12/Nov/2023:16:26:05] File "/opt/venv/lib/python3.11/site-packages/werkzeug/serving.py", line 301, in write
[12/Nov/2023:16:26:05] self.wfile.write(data)
[12/Nov/2023:16:26:05] File "/usr/lib/python3.11/socketserver.py", line 834, in write
[12/Nov/2023:16:26:05] self._sock.sendall(b)
[12/Nov/2023:16:26:05] File "/usr/lib/python3.11/ssl.py", line 1241, in sendall
[12/Nov/2023:16:26:05] v = self.send(byte_view[count:])
[12/Nov/2023:16:26:05] ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[12/Nov/2023:16:26:05] File "/usr/lib/python3.11/ssl.py", line 1210, in send
[12/Nov/2023:16:26:05] return self._sslobj.write(data)
[12/Nov/2023:16:26:05] ^^^^^^^^^^^^^^^^^^^^^^^^
[12/Nov/2023:16:26:05] ssl.SSLEOFError: EOF occurred in violation of protocol (_ssl.c:2393)

Obviously, I've tried messing with my openssl config and various other things that worked fine with python3.10, to no avail. I feel resigned to the fact that it's likely an issue with how the AWS health check is handling SSL. Here is essentially my Dockerfile:

FROM amd64/postgres

# RUN apt-get update python-deps and some other stuff

RUN mkdir -p /etc/apt/keyrings

ENV PYTHONUNBUFFERED=1

WORKDIR /app/

RUN python3 -m venv /opt/venv
# Enable venv
ENV PATH="/opt/venv/bin:$PATH"

COPY ./requirements.txt /app/requirements.txt
RUN  pip install --no-cache-dir --upgrade pip \
  && pip install --no-cache-dir -Ur requirements.txt

RUN chmod +x start_api.sh

and here is start_api.sh:

#!/bin/bash

set -Eeuo pipefail

openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 \
    -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.redacted.com" \
    -keyout server.key  -out server.cert

FLASK_ENV=development
export FLASK_APP=backend
# Serve HTTPS on all interfaces with the self-signed certificate generated above
flask run --host 0.0.0.0 --port 443 --cert=server.cert --key=server.key

I'm aware that running Flask in production environments is a bad idea, but this is largely just a testing environment for me for the time being.


Solution

  • So it turns out I was running low on RAM. I just switched from micro to medium in the container service capacity panel and all the issues went away.
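
An added example, not part of the original question or answer: a small triage script for container logs in the format shown above. It reports, per traceback, whether the TLS error was raised during the handshake (where certificate or OpenSSL settings matter) or while writing the response (where the handshake had already completed and the peer closed the connection first, as in the traceback on this page). The `PHASES` mapping and the second sample traceback are assumptions constructed for illustration.

```python
import re

# Constructed sample in the page's log format ("[timestamp] message"). The first
# traceback is abridged from the page; the second is invented (handshake case).
SAMPLE_LOG = """\
[12/Nov/2023:16:26:05] Error on request:
[12/Nov/2023:16:26:05] Traceback (most recent call last):
[12/Nov/2023:16:26:05] File "/opt/venv/lib/python3.11/site-packages/werkzeug/serving.py", line 301, in write
[12/Nov/2023:16:26:05] self.wfile.write(data)
[12/Nov/2023:16:26:05] File "/usr/lib/python3.11/ssl.py", line 1210, in send
[12/Nov/2023:16:26:05] return self._sslobj.write(data)
[12/Nov/2023:16:26:05] ssl.SSLEOFError: EOF occurred in violation of protocol (_ssl.c:2393)
[12/Nov/2023:16:27:10] Traceback (most recent call last):
[12/Nov/2023:16:27:10] File "/usr/lib/python3.11/ssl.py", line 1346, in do_handshake
[12/Nov/2023:16:27:10] self._sslobj.do_handshake()
[12/Nov/2023:16:27:10] ssl.SSLError: [SSL] constructed handshake failure (_ssl.c:0)
"""

PREFIX = re.compile(r"^\[(?P<ts>[^\]]+)\]\s?(?P<msg>.*)$")
FRAME = re.compile(r'^File "(?P<file>[^"]+)", line \d+, in (?P<func>\S+)$')
EXC = re.compile(r"^(?P<type>[A-Za-z_][\w.]*(?:Error|Exception))(?::\s|$)")
# Assumed mapping from the innermost frame's function name to connection phase.
PHASES = {"do_handshake": "handshake", "write": "response-write",
          "send": "response-write", "sendall": "response-write"}

def triage(log_text):
    """Return (timestamp, exception type, phase) for each traceback."""
    results, frames, in_tb = [], [], False
    for line in log_text.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue
        ts, msg = m["ts"], m["msg"].strip()
        if msg.startswith("Traceback (most recent call last)"):
            frames, in_tb = [], True
        elif in_tb and (f := FRAME.match(msg)):
            frames.append(f["func"])
        elif in_tb and (e := EXC.match(msg)):
            # The innermost frame tells us what the server was doing.
            phase = PHASES.get(frames[-1] if frames else "", "other")
            results.append((ts, e["type"], phase))
            in_tb = False
    return results

if __name__ == "__main__":
    for ts, exc, phase in triage(SAMPLE_LOG):
        print(f"{ts}  {exc:<18} {phase}")
```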