The restore command restores an MKE cluster from a backup. Specifically, the command installs a new MKE cluster that is populated with the state of a previous MKE manager node using a TAR file originally generated using the backup command. All of the MKE settings, users, teams, and permissions are restored from the backup file.

The restore operation does not alter or recover the following cluster resources:

  • Containers

  • Networks

  • Volumes

  • Services

You can use the restore command on any manager node in an existing cluster. If the current node does not belong in a cluster, one is initialized using the value of the --host-address flag. When restoring on an existing Swarm-mode cluster, there must be no previous MKE components running on any node of the cluster. This cleanup operation is performed using the uninstall-ucp command.

If the restoration is performed on a different cluster than the one from which the backup file was created, the cluster root CA of the old MKE installation is not restored. This restoration invalidates any previously issued admin client bundles and, thus, all administrators are required to download new client bundles after the operation is complete. Any existing non-admin user client bundles remain fully operational.

By default, the backup TAR file is read from stdin. You can also bind-mount the backup file under /config/backup.tar and run the restore command with the --interactive flag.


  • You must run uninstall-ucp before attempting the restore operation on an existing MKE cluster.

  • If your Swarm-mode cluster has lost quorum and the original set of managers are not recoverable, you can attempt to recover a single-manager cluster using the docker swarm init --force-new-cluster command.

  • You can restore MKE from a backup that was taken on a different manager node or a different cluster altogether.

To use the restore command:

docker run --rm -it \
  -v /var/run/docker.sock:/var/run/docker.sock \
  --name ucp \
  mirantis/ucp:3.x.y \
  restore <command-options>




--debug, -D

Enables debug mode.


Produces JSON-formatted output for easier parsing.

--interactive, i

Runs in interactive mode and prompts for configuration values.

--data-path-addr <value>

Sets the address or interface to use for data path traffic.


Forces the install or upgrade, which will go through even if the system does not meet the minimum requirements.

--host-address <value>

Sets the network address to advertise to other nodes.

Format: IP address or network interface name

--passphrase <value>

Decrypts the backup TAR file with the provided passphrase.

--san <value>

Adds subject alternative names to certificates, for example, --san

--swarm-grpc-port <value>

Sets the port for communication between nodes.

Default: 2377.

--unlock-key <value>

Sets the unlock key for a Swarm-mode cluster.


Indicates that the backup cluster is configured in Swarm-only mode.

--timeout value

Sets the timeout duration.

Valid time units: ns, us, ms, s, m, and h.

Default: "30m".