elasticsearch/docs/reference/setup/install/docker.asciidoc

[[docker]]
=== Install {es} with Docker

{es} is available as a Docker image. A list of all published Docker images and
tags is available at https://www.docker.elastic.co[www.docker.elastic.co]. The
source files are in
https://github.com/elastic/elasticsearch/blob/{branch}/distribution/docker[Github].

include::license.asciidoc[]

Starting in {es} 8.0, security is enabled by default. With security enabled,
{stack} {security-features} require TLS encryption for the transport networking
layer, or your cluster will fail to start.

==== Install Docker

Visit https://docs.docker.com/get-docker/[Get Docker] to install Docker for your
environment.

IMPORTANT: If using Docker Desktop, make sure to allocate at least 4GB of
memory. You can adjust memory usage in Docker Desktop by going to **Settings >
Resources**.

==== Pull the Docker image

Use the `docker pull` command to pull the {es} image from the the Elastic Docker
registry.

ifeval::["{release-state}"=="unreleased"]

WARNING: Version {version} of {es} has not yet been released, so no
Docker image is currently available for this version.

endif::[]

[source,sh,subs="attributes"]
----
docker pull {docker-repo}:{version}
----

[[docker-verify-signature]]
==== Optional: Verify the image signature

Verify the signatures included in your {es} Docker images to ensure they're valid.

Elastic images are signed with https://docs.sigstore.dev/cosign/overview/[Cosign] which is part of the https://www.sigstore.dev/[Sigstore] project.
Cosign supports container signing, verification, and storage in an OCI registry.

ifeval::["{release-state}"=="unreleased"]

WARNING: Version {version} of {es} has not yet been released, so no
Docker image signature is currently available for this version.

endif::[]

Install the appropriate https://docs.sigstore.dev/cosign/installation/[Cosign application]
for your operating system.

The container image signature for {es} v{version} can be verified as follows:

["source","sh",subs="attributes"]
--------------------------------------------
wget https://artifacts.elastic.co/cosign.pub <1>
cosign verify --key cosign.pub {docker-repo}:{version} <2>
--------------------------------------------
<1> Download the Elastic public key to verify container signature
<2> Verify the container against the Elastic public key

The command prints the check results and the signature payload in JSON format:

[source,sh,subs="attributes"]
--------------------------------------------
Verification for docker.elastic.co/elasticsearch/elasticsearch:{version} --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - The signatures were verified against the specified public key
--------------------------------------------


[[docker-cli-run-dev-mode]]
==== Run {es} in Docker

Use Docker commands to start a single-node {es} cluster for development or
testing. You can then run additional Docker commands to add nodes to the test
cluster.

TIP: This setup doesn't run multiple {es} nodes or {kib} by default. To create a
multi-node cluster with {kib}, use Docker Compose instead. See
<<docker-compose-file>>.


===== Start a single-node cluster

ifeval::["{release-state}"=="unreleased"]

WARNING: Version {version} of the {es} Docker image has not yet been released.

endif::[]

. Create a new docker network.
+
[source,sh]
----
docker network create elastic
----

. Start an {es} container.
+
--
ifeval::["{release-state}"=="unreleased"]

WARNING: Version {version} of {es} has not yet been released, so no
Docker image is currently available for this version.

endif::[]

[source,sh,subs="attributes"]
----
docker run --name es01 --net elastic -p 9200:9200 -it -m 1GB {docker-image}
----

TIP: Use the `-m` flag to set a memory limit for the container.

The command prints the `elastic` user password and an enrollment token for {kib}.
--

. Copy the generated `elastic` password and enrollment token. These credentials
are only shown when you start {es} for the first time. You can regenerate the
credentials using the following commands.
+
--
[source,sh,subs="attributes"]
----
docker exec -it es01 /usr/share/elasticsearch/bin/elasticsearch-reset-password
docker exec -it es01 /usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana
----

We recommend storing the `elastic` password as an environment variable in your shell. Example:

[source,sh]
----
export ELASTIC_PASSWORD="your_password"
----
--

. Copy the `http_ca.crt` SSL certificate from the container to your local machine.
+
[source,sh]
----
docker cp es01:/usr/share/elasticsearch/config/certs/http_ca.crt .
----

. Make a REST API call to {es} to ensure the {es} container is running.
+
[source,sh]
----
curl --cacert http_ca.crt -u elastic:$ELASTIC_PASSWORD https://localhost:9200
----
// NOTCONSOLE

===== Add more nodes

. Use an existing node to generate a enrollment token for the new node.
+
--
[source,sh]
----
docker exec -it es01 /usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s node
----

The enrollment token is valid for 30 minutes.
--

. Start a new {es} container. Include the enrollment token as an environment variable.
+
--
ifeval::["{release-state}"=="unreleased"]

WARNING: Version {version} of {es} has not yet been released, so no
Docker image is currently available for this version.

endif::[]

[source,sh,subs="attributes"]
----
docker run -e ENROLLMENT_TOKEN="<token>" --name es02 --net elastic -it {docker-image}
----
--

. Call the <<cat-nodes,cat nodes API>> to verify the node was added to the cluster.
+
[source,sh]
----
curl --cacert http_ca.crt -u elastic:$ELASTIC_PASSWORD https://localhost:9200/_cat/nodes
----
// NOTCONSOLE

===== Setting JVM heap size
If you experience issues where the container where your first node is running
exits when your second node starts, explicitly set values for the JVM heap size.
To <<set-jvm-heap-size,manually configure the heap size>>, include the
`ES_JAVA_OPTS` variable and set values for `-Xms` and `-Xmx` when starting each
node. For example, the following command starts node `es02` and sets the
minimum and maximum JVM heap size to 1 GB:

[source,sh,subs="attributes"]
----
docker run -e ES_JAVA_OPTS="-Xms1g -Xmx1g" -e ENROLLMENT_TOKEN="<token>" --name es02 -p 9201:9200 --net elastic -it {docker-image}
----

===== Next steps

You now have a test {es} environment set up. Before you start
serious development or go into production with {es}, review the
<<docker-prod-prerequisites,requirements and recommendations>> to apply when running {es} in Docker in production.

[[elasticsearch-security-certificates]]
include::security-files-reference.asciidoc[]

[[docker-compose-file]]
==== Start a multi-node cluster with Docker Compose

To get a multi-node {es} cluster and {kib} up and running in Docker with
security enabled, you can use Docker Compose.

This configuration provides a simple method of starting a secured cluster that
you can use for development before building a distributed deployment with
multiple hosts.

===== Prerequisites

Install the appropriate https://docs.docker.com/get-docker/[Docker application]
for your operating system.

If you're running on Linux, install https://docs.docker.com/compose/install/[Docker Compose].

[NOTE]
====
Make sure that Docker is allotted at least 4GB of memory. In Docker Desktop,
you configure resource usage on the Advanced tab in Preferences (macOS) or
Settings (Windows).
====

===== Prepare the environment

Create the following configuration files in a new, empty directory. These files
are also available from the
https://github.com/elastic/elasticsearch/tree/master/docs/reference/setup/install/docker[elasticsearch]
repository on GitHub.

--
ifeval::["{release-state}"=="unreleased"]
WARNING: Version {version} of {es} has not been released,
so the following Docker Compose and configuration files won't work.
See the {stack-gs-current}/get-started-docker.html[current version]
for the latest working files.
endif::[]
--


[discrete]
[[docker-env-file]]
===== `.env`

The `.env` file sets environment variables that are used when you run the
`docker-compose.yml` configuration file. Ensure that you specify a strong
password for the `elastic` and `kibana_system` users with the
`ELASTIC_PASSWORD` and `KIBANA_PASSWORD` variables. These variable are
referenced by the `docker-compose.yml` file.

IMPORTANT: Your passwords must be alphanumeric, and cannot contain special
characters such as `!` or `@`. The `bash` script included in the
`docker-compose.yml` file only operates on alphanumeric characters.

["source","txt",subs="attributes"]
----
include::docker/.env[]
----

[discrete]
[[docker-file]]
===== `docker-compose.yml`

This `docker-compose.yml` file creates a three-node secure {es} cluster with authentication and network encryption enabled, and a {kib} instance securely connected to it.

.Exposing ports
****
This configuration exposes port `9200` on all network interfaces. Because
of how Docker handles ports, a port that isn't bound to `localhost` leaves your
{es} cluster publicly accessible, potentially ignoring any firewall settings.
If you don't want to expose port `9200` to external hosts, set the value for
`ES_PORT` in the `.env` file to something like `127.0.0.1:9200`. {es} will
then only be accessible from the host machine itself.
****

[source,yaml,subs="attributes"]
----
include::docker/docker-compose.yml[]
----


===== Start your cluster with security enabled and configured

. Modify the `.env` file and enter strong password values for both the
`ELASTIC_PASSWORD` and `KIBANA_PASSWORD` variables.
+
NOTE: You must use the `ELASTIC_PASSWORD` value for further interactions with
the cluster. The `KIBANA_PASSWORD` value is only used internally when
configuring {kib}.

. Create and start the three-node {es} cluster and {kib} instance:
+
["source","sh"]
----
docker-compose up -d
----

. When the deployment has started, open a browser and navigate to http://localhost:5601[http://localhost:5601] to
access {kib}, where you can load sample data and interact with your cluster.

===== Stop and remove the deployment
To stop the cluster, run `docker-compose down`. The data in the Docker volumes
is preserved and loaded when you restart the cluster with `docker-compose up`.

--
["source","sh"]
----
docker-compose down
----
--

To **delete** the network, containers, and volumes when you stop the cluster,
specify the `-v` option:

["source","sh"]
----
docker-compose down -v
----

===== Next steps

You now have a test {es} environment set up. Before you start
serious development or go into production with {es}, review the
<<docker-prod-prerequisites,requirements and recommendations>> to apply when running {es} in Docker in production.

[[docker-prod-prerequisites]]
==== Using the Docker images in production

The following requirements and recommendations apply when running {es} in Docker in production.

===== Set `vm.max_map_count` to at least `262144`

The `vm.max_map_count` kernel setting must be set to at least `262144` for production use.

How you set `vm.max_map_count` depends on your platform.

====== Linux

To view the current value for the `vm.max_map_count` setting, run:

[source,sh]
--------------------------------------------
grep vm.max_map_count /etc/sysctl.conf
vm.max_map_count=262144
--------------------------------------------

To apply the setting on a live system, run:

[source,sh]
--------------------------------------------
sysctl -w vm.max_map_count=262144
--------------------------------------------

To permanently change the value for the `vm.max_map_count` setting, update the
value in `/etc/sysctl.conf`.

====== macOS with https://docs.docker.com/docker-for-mac[Docker for Mac]

The `vm.max_map_count` setting must be set within the xhyve virtual machine:

. From the command line, run:
+
[source,sh]
--------------------------------------------
screen ~/Library/Containers/com.docker.docker/Data/vms/0/tty
--------------------------------------------

. Press enter and use `sysctl` to configure `vm.max_map_count`:
+
[source,sh]
--------------------------------------------
sysctl -w vm.max_map_count=262144
--------------------------------------------

. To exit the `screen` session, type `Ctrl a d`.

====== Windows and macOS with https://www.docker.com/products/docker-desktop[Docker Desktop]

The `vm.max_map_count` setting must be set via docker-machine:

[source,sh]
--------------------------------------------
docker-machine ssh
sudo sysctl -w vm.max_map_count=262144
--------------------------------------------

====== Windows with https://docs.docker.com/docker-for-windows/wsl[Docker Desktop WSL 2 backend]

The `vm.max_map_count` setting must be set in the "docker-desktop" WSL instance before the
ElasticSearch container will properly start. There are several ways to do this, depending
on your version of Windows and your version of WSL.

If you are on Windows 10 before version 22H2, or if you are on Windows 10 version 22H2 using the
built-in version of WSL, you must either manually set it every time you restart Docker before starting
your ElasticSearch container, or (if you do not wish to do so on every restart) you must globally set
every WSL2 instance to have the `vm.max_map_count` changed. This is because these versions of WSL
do not properly process the /etc/sysctl.conf file.

To manually set it every time you reboot, you must run the following commands in a command prompt
or PowerShell window every time you restart Docker:

[source,sh]
--------------------------------------------
wsl -d docker-desktop -u root
sysctl -w vm.max_map_count=262144
--------------------------------------------

If you are on these versions of WSL and you do not want to have to run those commands every
time you restart Docker, you can globally change every WSL distribution with this setting
by modifying your %USERPROFILE%\.wslconfig as follows:

[source,text]
--------------------------------------------
[wsl2]
kernelCommandLine = "sysctl.vm.max_map_count=262144"
--------------------------------------------

This will cause all WSL2 VMs to have that setting assigned when they start.

If you are on Windows 11, or Windows 10 version 22H2 and have installed the Microsoft Store
version of WSL, you can modify the /etc/sysctl.conf within the "docker-desktop" WSL
distribution, perhaps with commands like this:

[source,sh]
--------------------------------------------
wsl -d docker-desktop -u root
vi /etc/sysctl.conf
--------------------------------------------

and appending a line which reads:
[source,text]
--------------------------------------------
vm.max_map_count = 262144
--------------------------------------------

===== Configuration files must be readable by the `elasticsearch` user

By default, {es} runs inside the container as user `elasticsearch` using
uid:gid `1000:0`.

IMPORTANT: One exception is https://docs.openshift.com/container-platform/3.6/creating_images/guidelines.html#openshift-specific-guidelines[Openshift],
which runs containers using an arbitrarily assigned user ID.
Openshift presents persistent volumes with the gid set to `0`, which works without any adjustments.

If you are bind-mounting a local directory or file, it must be readable by the `elasticsearch` user.
In addition, this user must have write access to the <<path-settings,config, data and log dirs>>
({es} needs write access to the `config` directory so that it can generate a keystore).
A good strategy is to grant group access to gid `0` for the local directory.

For example, to prepare a local directory for storing data through a bind-mount:

[source,sh]
--------------------------------------------
mkdir esdatadir
chmod g+rwx esdatadir
chgrp 0 esdatadir
--------------------------------------------

You can also run an {es} container using both a custom UID and GID. You
must ensure that file permissions will not prevent {es} from executing. You
can use one of two options:

* Bind-mount the `config`, `data` and `logs`
  directories. If you intend to install plugins and prefer not to
  <<_c_customized_image, create a custom Docker image>>, you must also
  bind-mount the `plugins` directory.
* Pass the `--group-add 0` command line option to `docker run`. This
  ensures that the user under which {es} is running is also a member of the
  `root` (GID 0) group inside the container.

===== Increase ulimits for nofile and nproc

Increased ulimits for <<setting-system-settings,nofile>> and <<max-number-threads-check,nproc>>
must be available for the {es} containers.
Verify the https://github.com/moby/moby/tree/ea4d1243953e6b652082305a9c3cda8656edab26/contrib/init[init system]
for the Docker daemon sets them to acceptable values.

To check the Docker daemon defaults for ulimits, run:

[source,sh]
--------------------------------------------
docker run --rm docker.elastic.co/elasticsearch/elasticsearch:{version} /bin/bash -c 'ulimit -Hn && ulimit -Sn && ulimit -Hu && ulimit -Su'
--------------------------------------------

If needed, adjust them in the Daemon or override them per container.
For example, when using `docker run`, set:

[source,sh]
--------------------------------------------
--ulimit nofile=65535:65535
--------------------------------------------

===== Disable swapping

Swapping needs to be disabled for performance and node stability.
For information about ways to do this, see <<setup-configuration-memory>>.

If you opt for the `bootstrap.memory_lock: true` approach,
you also need to define the `memlock: true` ulimit in the
https://docs.docker.com/engine/reference/commandline/dockerd/#default-ulimits[Docker Daemon],
or explicitly set for the container as shown in the  <<docker-compose-file, sample compose file>>.
When using `docker run`, you can specify:

[source,sh]
----
-e "bootstrap.memory_lock=true" --ulimit memlock=-1:-1
----

===== Randomize published ports

The image https://docs.docker.com/engine/reference/builder/#/expose[exposes]
TCP ports 9200 and 9300. For production clusters, randomizing the
published ports with `--publish-all` is recommended,
unless you are pinning one container per host.

[[docker-set-heap-size]]
===== Manually set the heap size

By default, {es} automatically sizes JVM heap based on a nodes's
<<node-roles,roles>> and the total memory available to the node's container. We
recommend this default sizing for most production environments. If needed, you
can override default sizing by manually setting JVM heap size.

To manually set the heap size in production, bind mount a <<set-jvm-options,JVM
options>> file under `/usr/share/elasticsearch/config/jvm.options.d` that
includes your desired <<set-jvm-heap-size,heap size>> settings.

For testing, you can also manually set the heap size using the `ES_JAVA_OPTS`
environment variable. For example, to use 16GB, specify `-e
ES_JAVA_OPTS="-Xms16g -Xmx16g"` with `docker run`. The `ES_JAVA_OPTS` variable
overrides all other JVM options. We do not recommend using `ES_JAVA_OPTS` in
production. The `docker-compose.yml` file above sets the heap size to 512MB.


===== Pin deployments to a specific image version

Pin your deployments to a specific version of the {es} Docker image. For
example +docker.elastic.co/elasticsearch/elasticsearch:{version}+.

===== Always bind data volumes

You should use a volume bound on `/usr/share/elasticsearch/data` for the following reasons:

. The data of your {es} node won't be lost if the container is killed

. {es} is I/O sensitive and the Docker storage driver is not ideal for fast I/O

. It allows the use of advanced
https://docs.docker.com/engine/extend/plugins/#volume-plugins[Docker volume plugins]

===== Avoid using `loop-lvm` mode

If you are using the devicemapper storage driver, do not use the default `loop-lvm` mode.
Configure docker-engine to use
https://docs.docker.com/engine/userguide/storagedriver/device-mapper-driver/#configure-docker-with-devicemapper[direct-lvm].

===== Centralize your logs

Consider centralizing your logs by using a different
https://docs.docker.com/engine/admin/logging/overview/[logging driver]. Also
note that the default json-file logging driver is not ideally suited for
production use.

[[docker-configuration-methods]]
==== Configuring {es} with Docker

When you run in Docker, the <<config-files-location,{es} configuration files>> are loaded from
`/usr/share/elasticsearch/config/`.

To use custom configuration files, you <<docker-config-bind-mount, bind-mount the files>>
over the configuration files in the image.

You can set individual {es} configuration parameters using Docker environment variables.
The <<docker-compose-file, sample compose file>> and the
<<docker-cli-run-dev-mode, single-node example>> use this method. You can
use the setting name directly as the environment variable name. If
you cannot do this, for example because your orchestration platform forbids
periods in environment variable names, then you can use an alternative
style by converting the setting name as follows.

. Change the setting name to uppercase
. Prefix it with `ES_SETTING_`
. Escape any underscores (`_`) by duplicating them
. Convert all periods (`.`) to underscores (`_`)

For example, `-e bootstrap.memory_lock=true` becomes
`-e ES_SETTING_BOOTSTRAP_MEMORY__LOCK=true`.

You can use the contents of a file to set the value of the
`ELASTIC_PASSWORD` or `KEYSTORE_PASSWORD` environment variables, by
suffixing the environment variable name with `_FILE`. This is useful for
passing secrets such as passwords to {es} without specifying them directly.

For example, to set the {es} bootstrap password from a file, you can bind mount the
file and set the `ELASTIC_PASSWORD_FILE` environment variable to the mount location.
If you mount the password file to `/run/secrets/bootstrapPassword.txt`, specify:

[source,sh]
--------------------------------------------
-e ELASTIC_PASSWORD_FILE=/run/secrets/bootstrapPassword.txt
--------------------------------------------

You can override the default command for the image to pass {es} configuration
parameters as command line options. For example:

[source,sh]
--------------------------------------------
docker run <various parameters> bin/elasticsearch -Ecluster.name=mynewclustername
--------------------------------------------

While bind-mounting your configuration files is usually the preferred method in production,
you can also <<_c_customized_image, create a custom Docker image>>
that contains your configuration.

[[docker-config-bind-mount]]
===== Mounting {es} configuration files

Create custom config files and bind-mount them over the corresponding files in the Docker image.
For example, to bind-mount `custom_elasticsearch.yml` with `docker run`, specify:

[source,sh]
--------------------------------------------
-v full_path_to/custom_elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
--------------------------------------------

If you bind-mount a custom `elasticsearch.yml` file, ensure it includes the
`network.host: 0.0.0.0` setting. This setting ensures the node is reachable for
HTTP and transport traffic, provided its ports are exposed. The Docker image's
built-in `elasticsearch.yml` file includes this setting by default.

IMPORTANT: The container **runs {es} as user `elasticsearch` using
uid:gid `1000:0`**. Bind mounted host directories and files must be accessible by this user,
and the data and log directories must be writable by this user.

[[docker-keystore-bind-mount]]
===== Create an encrypted {es} keystore

By default, {es} will auto-generate a keystore file for <<secure-settings,secure
settings>>. This file is obfuscated but not encrypted.

To encrypt your secure settings with a password and have them persist outside
the container, use a `docker run` command to manually create the keystore
instead. The command must:

* Bind-mount the `config` directory. The command will create an
  `elasticsearch.keystore` file in this directory. To avoid errors, do
  not directly bind-mount the `elasticsearch.keystore` file.
* Use the `elasticsearch-keystore` tool with the `create -p` option. You'll be
  prompted to enter a password for the keystore.

For example:

[source,sh,subs="attributes"]
----
docker run -it --rm \
-v full_path_to/config:/usr/share/elasticsearch/config \
docker.elastic.co/elasticsearch/elasticsearch:{version} \
bin/elasticsearch-keystore create -p
----

You can also use a `docker run` command to add or update secure settings in the
keystore. You'll be prompted to enter the setting values. If the keystore is
encrypted, you'll also be prompted to enter the keystore password.

[source,sh,subs="attributes"]
----
docker run -it --rm \
-v full_path_to/config:/usr/share/elasticsearch/config \
docker.elastic.co/elasticsearch/elasticsearch:{version} \
bin/elasticsearch-keystore \
add my.secure.setting \
my.other.secure.setting
----

If you've already created the keystore and don't need to update it, you can
bind-mount the `elasticsearch.keystore` file directly. You can use the
`KEYSTORE_PASSWORD` environment variable to provide the keystore password to the
container at startup. For example, a `docker run` command might have the
following options:

[source,sh]
----
-v full_path_to/config/elasticsearch.keystore:/usr/share/elasticsearch/config/elasticsearch.keystore
-e KEYSTORE_PASSWORD=mypassword
----

[[_c_customized_image]]
===== Using custom Docker images
In some environments, it might make more sense to prepare a custom image that contains
your configuration. A `Dockerfile` to achieve this might be as simple as:

[source,sh,subs="attributes"]
--------------------------------------------
FROM docker.elastic.co/elasticsearch/elasticsearch:{version}
COPY --chown=elasticsearch:elasticsearch elasticsearch.yml /usr/share/elasticsearch/config/
--------------------------------------------

You could then build and run the image with:

[source,sh]
--------------------------------------------
docker build --tag=elasticsearch-custom .
docker run -ti -v /usr/share/elasticsearch/data elasticsearch-custom
--------------------------------------------

Some plugins require additional security permissions.
You must explicitly accept them either by:

* Attaching a `tty` when you run the Docker image and allowing the permissions when prompted.
* Inspecting the security permissions and accepting them (if appropriate) by adding the `--batch` flag to the plugin install command.

See {plugins}/_other_command_line_parameters.html[Plugin management]
for more information.

[discrete]
[[troubleshoot-docker-errors]]
==== Troubleshoot Docker errors for {es}

Here’s how to resolve common errors when running {es} with Docker.

===== elasticsearch.keystore is a directory

[source,txt]
----
Exception in thread "main" org.elasticsearch.bootstrap.BootstrapException: java.io.IOException: Is a directory: SimpleFSIndexInput(path="/usr/share/elasticsearch/config/elasticsearch.keystore") Likely root cause: java.io.IOException: Is a directory
----

A <<docker-keystore-bind-mount,keystore-related>> `docker run` command attempted
to directly bind-mount an `elasticsearch.keystore` file that doesn't exist. If
you use the `-v` or `--volume` flag to mount a file that doesn't exist, Docker
instead creates a directory with the same name.

To resolve this error:

. Delete the `elasticsearch.keystore` directory in the `config` directory.
. Update the `-v` or `--volume` flag to point to the `config` directory path
  rather than the keystore file's path. For an example, see
  <<docker-keystore-bind-mount>>.
. Retry the command.

===== elasticsearch.keystore: Device or resource busy

[source,txt]
----
Exception in thread "main" java.nio.file.FileSystemException: /usr/share/elasticsearch/config/elasticsearch.keystore.tmp -> /usr/share/elasticsearch/config/elasticsearch.keystore: Device or resource busy
----

A `docker run` command attempted to <<docker-keystore-bind-mount,update the
keystore>> while directly bind-mounting the `elasticsearch.keystore` file. To
update the keystore, the container requires access to other files in the
`config` directory, such as `keystore.tmp`.

To resolve this error:

. Update the `-v` or `--volume` flag to point to the `config` directory
  path rather than the keystore file's path. For an example, see
  <<docker-keystore-bind-mount>>.
. Retry the command.