The backup command creates a backup of an MKE manager node. Specifically, the command creates a TAR file with the contents of the volumes used by the given MKE manager node and then prints it. You can then use the restore command to restore the data from an existing backup.

To create backups of a multi-node cluster, you only need to back up a single manager node. The restore operation will reconstitute a new MKE installation from the backup of any previous manager node.


The backup contains private keys and other sensitive information. Use the --passphrase flag to encrypt the backup with PGP-compatible encryption or --no-passphrase to opt out of encrypting the backup. Mirantis does not recommend the latter option.

To use the backup command:

docker container run \
  --rm \
  --interactive \
  --name ucp \
  --log-driver none \
  --volume /var/run/docker.sock:/var/run/docker.sock \
  mirantis/ucp:3.x.y \
  backup <command-options> > backup.tar




--debug, -D

Enables debug mode.

--file <filename>

Specifies the name of the file wherein the backup contents are written. This option requires that you bind-mount the file path to the container that is performing the backup. The file path must be relative to the container file tree. For example:

docker run <other options> --mount
type=bind,src=/home/user/backup:/backup mirantis/ucp --file

This option is ignored in interactive mode.


Produces JSON-formatted output for easier parsing.


Stores an encrypted backup.log file in the mounted directory. Must be issued at the same time as the --file option. The default value is true.

--interactive, -i

Runs in interactive mode and prompts for configuration values.


Bypasses the option to encrypt the TAR file with a passphrase. Mirantis does not recommend this option.

--passphrase <value>

Encrypts the TAR file with a passphrase.


Installing MKE on a manager node with SELinux enabled at the daemon and the operating system levels requires that you include --security-opt label=disable with your backup command. This flag disables SELinux policies on the MKE container. The MKE container mounts and configures the Docker socket as part of the MKE container. Therefore, the MKE backup process fails with the following error if you neglect to include this flag:

FATA[0000] unable to get valid Docker client: unable to ping Docker
daemon: Got permission denied while trying to connect to the Docker
daemon socket at unix:///var/run/docker.sock:
Get http://%2Fvar%2Frun%2Fdocker.sock/_ping:
dial unix /var/run/docker.sock: connect: permission denied -
If SELinux is enabled on the Docker daemon, make sure you run
MKE with "docker run --security-opt label=disable -v /var/run/docker.sock:/var/run/docker.sock ..."

To backup MKE with SELinux enabled at the daemon level:

docker container run \
  --rm \
  --interactive \
  --name ucp \
  --security-opt label=disable \
  --volume /var/run/docker.sock:/var/run/docker.sock \
  mirantis/ucp:3.x.y \
  backup <command-options> > backup.tar