Hi, I just installed the password manager Vaultwarden using the OCI image and created a storage volume to keep all the critical image data, including the sqlite database.
Does the image need to be stopped to safely export the volume without data corruption?
I guess that leads to a more general question: do instances need to be stopped before backing up volumes?
If yes, would the best way to handle this be by creating a bash script running on the host via cron?
In an ideal world, yes, you’d want to stop an instance before performing a snapshot or backup, and the same goes for any instance using a custom volume.
In practice, that’s rarely a workable strategy and instead most folks will perform both snapshots and backups while the instance is running.
With containers and volumes used by containers at least, you do have the benefit of effectively snapshotting/backing up files rather than an opaque raw block device, so things should generally be consistent; they may just be slightly behind if the application hasn’t written its most recent data to disk yet.
For VMs and block volumes, that tends to be a bit worse as there you would want the application to not only have flushed anything it has in memory to disk but also have the filesystem flush everything to the underlying block device.
Usually, I’d see backing up of an instance or its volume as a last resort. When nothing else is available, it will provide something useful in the case of a disaster. However, whenever possible, I’d try to get application native backups instead. So in this case, see if Vaultwarden has a native API to perform and restore backups; if it does, then you’re going to be far better off automating that since it will provide a guaranteed consistent backup.
That obviously is dependent on having sqlite installed.
My guess is that it is probably low risk to back up/export while the instance is running, and I could export the passwords to the encrypted json file every so often.
Yeah, sqlite3 databases are generally pretty resilient so I wouldn’t be too worried about taking a backup while things are running.
Vaultwarden because of its design also isn’t likely to be performing constant database changes. The client basically just gets a copy of the vault, makes modifications and sends it back, but even that only really happens (or matters) when adding/modifying an entry.
Alternatively, you could use Postgres as backend and rely on something like pgbackrest for backups. It’s a bit far-fetched given the typical use of Vaultwarden indeed. If you do have multiple services that could be backed by Postgres it might be worth the effort though.
In any case, don’t forget to back up your attachments next to the database, btw.
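
As an added example (not written by any poster in this thread, and not Vaultwarden's own tooling): one way to take a consistent copy of a live SQLite database without the `sqlite3` command-line tool is the backup API in Python's built-in `sqlite3` module, followed by an integrity check and a copy of the attachments directory. All file names and the sample data below are constructed for the demo.

```python
import os
import shutil
import sqlite3
import tempfile


def backup_sqlite(live_db, dest_db):
    """Snapshot a live SQLite file with the online backup API, then verify it."""
    # Create the destination owner-only before any secrets are written to it.
    os.close(os.open(dest_db, os.O_CREAT | os.O_EXCL | os.O_WRONLY, 0o600))
    # Read-only source handle: the backup job cannot modify the live database.
    src = sqlite3.connect(f"file:{live_db}?mode=ro", uri=True)
    dst = sqlite3.connect(dest_db)
    try:
        # Unlike cp/rsync of the .db file, backup() reads through SQLite, so
        # committed data still sitting in the -wal file is included.
        src.backup(dst)
        status = dst.execute("PRAGMA integrity_check").fetchone()[0]
    finally:
        dst.close()
        src.close()
    if status != "ok":
        os.remove(dest_db)
        raise RuntimeError(f"backup failed integrity check: {status}")
    return dest_db


def backup_app_data(live_db, attachments_dir, dest_dir):
    """Back up the database and the attachments directory side by side."""
    os.makedirs(dest_dir, mode=0o700)
    db_copy = backup_sqlite(live_db, os.path.join(dest_dir, "db-backup.sqlite3"))
    shutil.copytree(attachments_dir, os.path.join(dest_dir, "attachments"))
    return db_copy


def demo():
    """Constructed sample data: a WAL-mode database with an open writer."""
    work = tempfile.mkdtemp()
    live, att = os.path.join(work, "live.sqlite3"), os.path.join(work, "attachments")
    os.mkdir(att)
    with open(os.path.join(att, "a.bin"), "wb") as fh:
        fh.write(b"constructed attachment")
    writer = sqlite3.connect(live)  # stands in for the running application
    writer.execute("PRAGMA journal_mode=WAL")
    writer.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, data TEXT)")
    writer.executemany("INSERT INTO items (data) VALUES (?)", [("x",)] * 100)
    writer.commit()  # committed, but still in the -wal file while writer is open
    check = sqlite3.connect(backup_app_data(live, att, os.path.join(work, "backup")))
    rows = check.execute("SELECT COUNT(*) FROM items").fetchone()[0]
    check.close(); writer.close()
    return rows, os.path.exists(os.path.join(work, "backup", "attachments", "a.bin"))
```

A cron job on the host could call `backup_app_data` with the real database and attachment paths from the volume and a fresh, timestamped destination directory.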