mirantis/msr backup

mirantis/msr backup

Create a backup of MSR


docker run -i --rm mirantis/dtr \
    backup [command options] > backup.tar

Example Commands


docker run -i --rm --log-driver none docker/dtr:2.7.5 \
    backup --ucp-ca "$(cat ca.pem)" --existing-replica-id 5eb9459a7832 > backup.tar

Advanced (with chained commands)

The following command has been tested on Linux:

DTR_VERSION=$(docker container inspect $(docker container ps -f \
  name=dtr-registry -q) | grep -m1 -Po '(?<=DTR_VERSION=)\d.\d.\d'); \
REPLICA_ID=$(docker inspect -f '{{.Name}}' $(docker ps -q -f name=dtr-rethink) | cut -f 3 -d '-'); \
read -p 'ucp-url (The MKE URL including domain and port): ' UCP_URL; \
read -p 'ucp-username (The MKE administrator username): ' UCP_ADMIN; \
read -sp 'ucp password: ' UCP_PASSWORD; \
docker run --log-driver none -i --rm \
  docker/dtr:$DTR_VERSION backup \
  --ucp-username $UCP_ADMIN \
  --ucp-url $UCP_URL \
  --ucp-ca "$(curl https://${UCP_URL}/ca)" \
  --existing-replica-id $REPLICA_ID > \
  dtr-metadata-${DTR_VERSION}-backup-$(date +%Y%m%d-%H_%M_%S).tar


This command creates a tar file with the contents of the volumes used by MSR, and prints it. You can then use mirantis/dtr restore to restore the data from an existing backup.


  • This command only creates backups of configurations, and image metadata. It does not back up users and organizations. Users and organizations can be backed up during a MKE backup.

    It also does not back up Docker images stored in your registry. You should implement a separate backup policy for the Docker images stored in your registry, taking into consideration whether your MSR installation is configured to store images on the filesystem or is using a cloud provider.

  • This backup contains sensitive information and should be stored securely.

  • Using the --offline-backup flag temporarily shuts down the RethinkDB container. Take the replica out of your load balancer to avoid downtime.


Option Environment variable Description
--debug $DEBUG Enable debug mode for additional logs.
--existing-replica-i $DTR_REPLICA_ID The ID of an existing MSR replica. To add, remove or modify a MSR replica, you must connect to an existing healthy replica’s database.
--help-extended $$DTR_EXTENDED_HELP Display extended help text for a given command.
--offline-backup $DTR_OFFLINE_BACKUP This flag takes RethinkDB down during backup and takes a more reliable backup. If you back up MSR with this flag, RethinkDB will go down during backup. However, offline backups are guaranteed to be more consistent than online backups.
--ucp-ca $UCP_CA Use a PEM-encoded TLS CA certificate for MKE. Download the MKE TLS CA certificate from https://<mke-url>/ca, and use --ucp-ca "$(cat ca.pem)".
--ucp-insecure-tls $UCP_INSECURE_TLS Disable TLS verification for MKE. The installation uses TLS but always trusts the TLS certificate used by MKE, which can lead to MITM (man-in-the-middle) attacks. For production deployments, use --ucp-ca "$(cat ca.pem)" instead.
--ucp-password $UCP_PASSWORD The MKE administrator password.
--ucp-url $UCP_URL The MKE URL including domain and port.
--ucp-username $UCP_USERNAME The MKE administrator username.