
WIP: Add serverless support #1

Open. Wants to merge 7 commits into base: main

Conversation

darioackermann
Owner

@darioackermann darioackermann commented Sep 18, 2023

Todo

  • General POC
  • Check integration with AWS EFS
  • Build and test mysql, postgres support
  • Check how login tokens can be handled over multiple lambda instances (limit concurrency?)

additionally

  • Docs / Guide to build bootstrap file yourself
  • Provide AWS bootstrap file as releases
  • Provide Terraform Example Scripts

@darioackermann
Owner Author

darioackermann commented Sep 18, 2023

General POC results: works, with an almost unnoticeable cold-start time

@BlackDex

If the step to build it yourself is a preferred step, then might I suggest putting this behind a feature flag?
That way it would cause extra code to run by default, and people who want to run this as a serverless option can just build it using that feature enabled.

@darioackermann
Owner Author

darioackermann commented Sep 18, 2023

> If the step to build it yourself is a preferred step, then might I suggest putting this behind a feature flag? That way it would cause extra code to run by default, and people who want to run this as a serverless option can just build it using that feature enabled.

I think it would be wise to offer this option as a feature-flag, thanks for the suggestion!
Like this, anyone not trusting provided binaries can build it themselves.

Furthermore, I'd suggest that this repo here will provide the guides and tools, terraform examples and built "ready-to-deploy" releases. https://github.com/dani-garcia/vaultwarden could place a small link here.

Open for all kind of suggestions :)

PS: EFS integration works flawlessly, and thanks to JWT, Lambda concurrency is no issue either 🎉

BlackDex and others added 5 commits September 22, 2023 20:31
- Updated GitHub actions
- Fixed an issue with testing MSRV (It didn't)
- Because of some changes in the packages of Debian we need to add an extra package to request it also to install
@darioackermann
Owner Author

Just wanted to give a quick update; basic integration is all fine, including mysql and postgres, however there are concurrency issues as sqlite is clearly not designed for network shares. Processes that write to the DB (time-consuming ones, such as logins and registers) can easily interfere with each other, leaving the database blocked until concurrency normalises.

"Problematic actions"

  • Registration
  • Login

Typical error messages that will appear on the Web Vault / Mobile clients include

  • Wrong username / password (immediately after registration)
  • Error saving device
  • Internal Server Error

As said, as a workaround it is enough to wait some time but this can be a real show-stopper if you need credentials right at this moment.

The current standing is that it should be "just fine" for a small personal server, maybe even small orgs, but it cannot be relied upon for bigger use-cases. For that, rewriting all the database parts to DynamoDB would be needed, for which I have created issue #2.

I'll be checking dynarust and dynomite in the next two weeks as a first step to determine how much work is needed; the goal would still be to provide some "patch" or small additions/modifications such that it can be merged into vaultwarden.

I'll extend the Readme such that interested users are aware of this pitfall at the moment.

@jww-cw

jww-cw commented Dec 8, 2023

Would it be worth considering merging this in now and adding DynamoDB as a feature by itself?

@darioackermann
Owner Author

Thanks for raising the question. I have tested the serverless solution with my personal vault for several weeks two months ago.

Unfortunately, I cannot recommend merging this back to vaultwarden at the moment as the usage of this feature would potentially harm users.

Due to the concurrency of AWS Lambda instances, the network share with the sqlite file will be mounted on different instances. Whenever a write / sync to the sqlite file happens, we risk corrupting it as other instances might be trying to do the same thing at the same time. While AWS claims that locking on EFS is supported, I have been able to successfully race these locks while they were propagating and corrupted several databases this way.
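
A check that covers both the blocked-database symptoms described earlier in this thread and the lock races on EFS described here: this is an added example, not code from this PR or from vaultwarden. It runs several concurrent writers (stand-ins for concurrent Lambda instances) against one SQLite file and then verifies that no rows were lost or duplicated and that `PRAGMA integrity_check` still passes; pass `db_path` pointing at a file on the share under test, or leave it unset for a local temporary file. It assumes only Python's standard `sqlite3` module; the table name and row counts are constructed for the demo.

```python
import sqlite3
import tempfile
import threading
# Added example, not code from this PR or from vaultwarden. Table name and
# row counts are constructed for the demo.
def _writer(db_path, writer_id, rows, timeout_s, errors):
    # One connection per writer, like one Lambda instance each; `timeout` is
    # SQLite's busy timeout, so lock contention waits instead of failing fast.
    conn = sqlite3.connect(db_path, timeout=timeout_s)
    try:
        for seq in range(rows):
            for attempt in range(5):  # retry "database is locked" a few times
                try:
                    conn.execute("INSERT INTO devices(writer, seq) VALUES (?, ?)",
                                 (writer_id, seq))
                    conn.commit()
                    break
                except sqlite3.OperationalError as exc:
                    conn.rollback()
                    if attempt == 4:
                        errors.append((writer_id, seq, str(exc)))
    finally:
        conn.close()

def stress_sqlite(db_path=None, writers=4, rows_per_writer=30, timeout_s=5.0):
    """Working file locks give integrity 'ok' and lost == duplicates == errors == 0;
    anything else means the writers were not serialized (the SQLite-on-EFS case)."""
    db_path = db_path or tempfile.mkdtemp() + "/vw-demo.sqlite3"
    conn = sqlite3.connect(db_path)
    conn.execute("PRAGMA journal_mode=DELETE")  # not WAL: WAL needs shared memory
    conn.execute("CREATE TABLE IF NOT EXISTS devices "
                 "(id INTEGER PRIMARY KEY, writer INTEGER, seq INTEGER)")
    conn.commit()
    conn.close()
    errors = []
    threads = [threading.Thread(target=_writer, args=(db_path, w, rows_per_writer,
                                                        timeout_s, errors))
               for w in range(writers)]
    for t in threads: t.start()
    for t in threads: t.join()
    conn = sqlite3.connect(db_path)
    integrity = conn.execute("PRAGMA integrity_check").fetchone()[0]
    rows = conn.execute("SELECT COUNT(*) FROM devices").fetchone()[0]
    distinct = conn.execute(
        "SELECT COUNT(DISTINCT writer || ':' || seq) FROM devices").fetchone()[0]
    conn.close()
    expected = writers * rows_per_writer
    return {"integrity": integrity, "rows": rows, "expected": expected,
            "lost": expected - distinct, "duplicates": rows - distinct,
            "errors": len(errors)}
```

On a local disk the result reports `integrity == 'ok'` with zero lost rows; on a mount where lock propagation is unreliable, lost rows, duplicates or a failed integrity check are the signal that SQLite should not be shared between instances.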

@jww-cw

jww-cw commented Dec 8, 2023

Have you seen any issues when using MySQL or PG?

@darioackermann
Owner Author

I haven't tested it but that should work fine.
Just out of curiosity: why would you use this on a serverless lambda when you still end up using a server-db?

@jww-cw

jww-cw commented Dec 11, 2023

Serverless apps are great, no need to manage the ec2 instance, and I already have an RDS for internal tooling etc, so this will be perfect.

4 participants