fix: add DNS config for ES container and fallback URL for IK plugin d…

[losingle]

…ownload

[Copilot]

Pull request overview

Improves reliability of the local Elasticsearch container startup by making IK Analyzer installation more resilient to download failures and by adjusting container DNS settings to help outbound name resolution during plugin install.

Changes:

• Add a fallback download URL (GitHub release ZIP) for IK Analyzer installation in the ES init script.
• Configure explicit DNS servers for the es service in docker-compose.yml.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File	Description
scripts/init-es.sh	Adds a primary + fallback IK Analyzer plugin install URL during ES startup.
docker-compose.yml	Forces specific DNS resolvers for the Elasticsearch container.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Hardcoding Google public DNS servers at the service level forces the ES container to bypass the host/daemon DNS configuration, which can break deployments in restricted/offline/corporate networks and may violate network policy. Consider making DNS servers configurable (e.g., via docker-compose override or .env-driven values) and documenting when/why this is needed instead of applying it unconditionally.

Suggested change

	dns:
	- 8.8.8.8
	- 8.8.4.4

[Copilot]

The plugin installation now falls back to downloading a ZIP directly from GitHub. This expands the supply-chain surface and still performs no integrity verification of the downloaded artifact. If possible, prefer an installation method that verifies the artifact (checksum/signature) or download the ZIP to a temp location and validate a pinned checksum before installing.

Suggested change

	# Try primary URL first, fallback to GitHub release
	/usr/share/elasticsearch/bin/elasticsearch-plugin install -b https://get.infini.cloud/elasticsearch/analysis-ik/8.8.2 \
	|| /usr/share/elasticsearch/bin/elasticsearch-plugin install -b https://github.com/infinilabs/analysis-ik/releases/download/v8.8.2/elasticsearch-analysis-ik-8.8.2.zip
	if [ "$?" -ne 0 ]; then
	# Try primary URL first
	/usr/share/elasticsearch/bin/elasticsearch-plugin install -b https://get.infini.cloud/elasticsearch/analysis-ik/8.8.2
	install_status=$?
	# If primary URL fails, fallback to GitHub release with checksum verification
	if [ "$install_status" -ne 0 ]; then
	echo "Primary IK Analyzer installation failed, attempting GitHub fallback with checksum verification..."
	IK_PLUGIN_VERSION="8.8.2"
	IK_PLUGIN_GITHUB_URL="https://github.com/infinilabs/analysis-ik/releases/download/v${IK_PLUGIN_VERSION}/elasticsearch-analysis-ik-${IK_PLUGIN_VERSION}.zip"
	# Pinned SHA-256 checksum of the expected ZIP artifact.
	# IMPORTANT: Replace the placeholder value below with the actual checksum for the release in use.
	IK_PLUGIN_GITHUB_SHA256="${IK_PLUGIN_GITHUB_SHA256:-CHANGE_ME_TO_REAL_SHA256}"
	if [ "$IK_PLUGIN_GITHUB_SHA256" = "CHANGE_ME_TO_REAL_SHA256" ]; then
	echo "GitHub fallback checksum is not set. Aborting to avoid installing an unverified plugin."
	install_status=1
	else
	TMP_DIR="$(mktemp -d)"
	IK_PLUGIN_ZIP="${TMP_DIR}/elasticsearch-analysis-ik-${IK_PLUGIN_VERSION}.zip"
	echo "Downloading IK Analyzer from GitHub to ${IK_PLUGIN_ZIP}..."
	if ! curl -fsSL "$IK_PLUGIN_GITHUB_URL" -o "$IK_PLUGIN_ZIP"; then
	echo "Failed to download IK Analyzer from GitHub"
	install_status=1
	else
	echo "Verifying IK Analyzer ZIP checksum..."
	if echo "${IK_PLUGIN_GITHUB_SHA256} ${IK_PLUGIN_ZIP}" | sha256sum -c -; then
	echo "Checksum verification succeeded, installing from local file..."
	/usr/share/elasticsearch/bin/elasticsearch-plugin install -b "file://${IK_PLUGIN_ZIP}"
	install_status=$?
	else
	echo "Checksum verification failed for IK Analyzer ZIP"
	install_status=1
	fi
	fi
	fi
	fi
	if [ "$install_status" -ne 0 ]; then

[Copilot]

Relying on a separate if [ "$?" -ne 0 ] after the cmd1 || cmd2 compound makes the control flow a bit harder to read and is easy to break if any command gets inserted between them. Consider rewriting this as a single if block (try primary; on failure try fallback; if both fail then exit) so the failure handling is directly tied to the install commands.

Suggested change

	/usr/share/elasticsearch/bin/elasticsearch-plugin install -b https://get.infini.cloud/elasticsearch/analysis-ik/8.8.2 \
	|| /usr/share/elasticsearch/bin/elasticsearch-plugin install -b https://github.com/infinilabs/analysis-ik/releases/download/v8.8.2/elasticsearch-analysis-ik-8.8.2.zip
	if [ "$?" -ne 0 ]; then
	if ! /usr/share/elasticsearch/bin/elasticsearch-plugin install -b https://get.infini.cloud/elasticsearch/analysis-ik/8.8.2 \
	&& ! /usr/share/elasticsearch/bin/elasticsearch-plugin install -b https://github.com/infinilabs/analysis-ik/releases/download/v8.8.2/elasticsearch-analysis-ik-8.8.2.zip
	then

[earayu]

The IK plugin fallback URL looks good. But please remove the hardcoded DNS config (8.8.8.8/8.8.4.4) — it'll break setups in restricted/offline networks. Happy to merge once that's removed.