How to back up a Elasticsearch Docker container (2026)

Elasticsearch needs a consistent dump before it touches restic. Dockstash runs `PUT _snapshot/<repo>/<snap> via the snapshot API (register a repository first)` inside the container, captures the output, and stores it encrypted off-site — it never copies /usr/share/elasticsearch/data live, because the snapshot API captures a consistent, incremental point-in-time view of each index while Lucene segments keep merging underneath.

Detection

What Dockstash detects

Env keys detectedELASTIC_PASSWORD, ELASTICSEARCH_USERNAME, discovery.type
Default port9200
Live data paths (never copied live)/usr/share/elasticsearch/data
Example imageselasticsearch:8.13.0, elasticsearch:8, docker.elastic.co/elasticsearch/elasticsearch
Commands

The dump command

PUT _snapshot/<repo>/<snap> via the snapshot API (register a repository first)

The restore command

POST _snapshot/<repo>/<snap>/_restore via the snapshot API

the snapshot API captures a consistent, incremental point-in-time view of each index while Lucene segments keep merging underneath.

The gotchas

Gotchas to avoid

  • Never restic the live data directory — Lucene segments are written and merged continuously, so a file copy is inconsistent.
  • You must register a snapshot repository (a shared fs path or object store) before the first snapshot; a bind-mounted path shared with the container is the simplest fs repo.
  • Restoring an index that already exists requires closing or deleting it first, or the restore is rejected.

Do it in one click with Dockstash

Dockstash runs the exact dump above, restics it off-site, and drill-tests the restore automatically — no script to maintain.

Start free All guides

Last updated: July 2026

Frequently asked questions

Why use the snapshot API instead of copying the data folder?

Elasticsearch writes and merges Lucene segments constantly, so a live directory copy is inconsistent and may not open. The snapshot API captures a consistent, incremental point-in-time view of each index.

How do I register a snapshot repository?

Configure a filesystem repository pointing at a path both Elasticsearch and Dockstash can read (or an object store), then register it with a PUT _snapshot call. Dockstash restics that repository directory.

Are Elasticsearch snapshots incremental?

Yes. Within a repository, each snapshot only stores segments not already present, so repeated snapshots are cheap. restic deduplication compounds this.

Does this work for OpenSearch too?

Yes — OpenSearch forked from Elasticsearch and uses the same snapshot API model. Register a repository and snapshot the same way.