How to back up a Elasticsearch Docker container (2026)
Elasticsearch needs a consistent dump before it touches restic. Dockstash runs `PUT _snapshot/<repo>/<snap> via the snapshot API (register a repository first)` inside the container, captures the output, and stores it encrypted off-site — it never copies /usr/share/elasticsearch/data live, because the snapshot API captures a consistent, incremental point-in-time view of each index while Lucene segments keep merging underneath.
What Dockstash detects
| Env keys detected | ELASTIC_PASSWORD, ELASTICSEARCH_USERNAME, discovery.type |
|---|---|
| Default port | 9200 |
| Live data paths (never copied live) | /usr/share/elasticsearch/data |
| Example images | elasticsearch:8.13.0, elasticsearch:8, docker.elastic.co/elasticsearch/elasticsearch |
The dump command
PUT _snapshot/<repo>/<snap> via the snapshot API (register a repository first)The restore command
POST _snapshot/<repo>/<snap>/_restore via the snapshot APIthe snapshot API captures a consistent, incremental point-in-time view of each index while Lucene segments keep merging underneath.
Gotchas to avoid
- Never restic the live data directory — Lucene segments are written and merged continuously, so a file copy is inconsistent.
- You must register a snapshot repository (a shared fs path or object store) before the first snapshot; a bind-mounted path shared with the container is the simplest fs repo.
- Restoring an index that already exists requires closing or deleting it first, or the restore is rejected.
Do it in one click with Dockstash
Dockstash runs the exact dump above, restics it off-site, and drill-tests the restore automatically — no script to maintain.
Last updated: July 2026
Frequently asked questions
Why use the snapshot API instead of copying the data folder?
Elasticsearch writes and merges Lucene segments constantly, so a live directory copy is inconsistent and may not open. The snapshot API captures a consistent, incremental point-in-time view of each index.
How do I register a snapshot repository?
Configure a filesystem repository pointing at a path both Elasticsearch and Dockstash can read (or an object store), then register it with a PUT _snapshot call. Dockstash restics that repository directory.
Are Elasticsearch snapshots incremental?
Yes. Within a repository, each snapshot only stores segments not already present, so repeated snapshots are cheap. restic deduplication compounds this.
Does this work for OpenSearch too?
Yes — OpenSearch forked from Elasticsearch and uses the same snapshot API model. Register a repository and snapshot the same way.