apecloud · losingle · Mar 3, 2026 · Copilot · Mar 3, 2026 · Copilot
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -178,6 +178,9 @@ services:
   es:
     image: ${REGISTRY:-docker.io}/apecloud/elasticsearch:8.8.2
     container_name: aperag-es
+    dns:
+      - 8.8.8.8
+      - 8.8.4.4
-    dns:
-      - 8.8.8.8
-      - 8.8.4.4
-    dns:
-      - 8.8.8.8
-      - 8.8.4.4
     ports:
       - "9200:9200"
     environment:

diff --git a/scripts/init-es.sh b/scripts/init-es.sh
@@ -23,7 +23,9 @@ fi
 # Check and install IK Analyzer if needed
 if ! ik_plugin_installed; then
     echo "Installing IK Analyzer..."
-    /usr/share/elasticsearch/bin/elasticsearch-plugin install -b https://get.infini.cloud/elasticsearch/analysis-ik/8.8.2
+    # Try primary URL first, fallback to GitHub release
+    /usr/share/elasticsearch/bin/elasticsearch-plugin install -b https://get.infini.cloud/elasticsearch/analysis-ik/8.8.2 \
+    || /usr/share/elasticsearch/bin/elasticsearch-plugin install -b https://github.com/infinilabs/analysis-ik/releases/download/v8.8.2/elasticsearch-analysis-ik-8.8.2.zip
     if [ "$?" -ne 0 ]; then
-    # Try primary URL first, fallback to GitHub release
-    /usr/share/elasticsearch/bin/elasticsearch-plugin install -b https://get.infini.cloud/elasticsearch/analysis-ik/8.8.2 \
-    || /usr/share/elasticsearch/bin/elasticsearch-plugin install -b https://github.com/infinilabs/analysis-ik/releases/download/v8.8.2/elasticsearch-analysis-ik-8.8.2.zip
-    if [ "$?" -ne 0 ]; then
+    # Try primary URL first
+    /usr/share/elasticsearch/bin/elasticsearch-plugin install -b https://get.infini.cloud/elasticsearch/analysis-ik/8.8.2
+    install_status=$?
+
+    # If primary URL fails, fallback to GitHub release with checksum verification
+    if [ "$install_status" -ne 0 ]; then
+        echo "Primary IK Analyzer installation failed, attempting GitHub fallback with checksum verification..."
+
+        IK_PLUGIN_VERSION="8.8.2"
+        IK_PLUGIN_GITHUB_URL="https://github.com/infinilabs/analysis-ik/releases/download/v${IK_PLUGIN_VERSION}/elasticsearch-analysis-ik-${IK_PLUGIN_VERSION}.zip"
+        # Pinned SHA-256 checksum of the expected ZIP artifact.
+        # IMPORTANT: Replace the placeholder value below with the actual checksum for the release in use.
+        IK_PLUGIN_GITHUB_SHA256="${IK_PLUGIN_GITHUB_SHA256:-CHANGE_ME_TO_REAL_SHA256}"
+
+        if [ "$IK_PLUGIN_GITHUB_SHA256" = "CHANGE_ME_TO_REAL_SHA256" ]; then
+            echo "GitHub fallback checksum is not set. Aborting to avoid installing an unverified plugin."
+            install_status=1
+        else
+            TMP_DIR="$(mktemp -d)"
+            IK_PLUGIN_ZIP="${TMP_DIR}/elasticsearch-analysis-ik-${IK_PLUGIN_VERSION}.zip"
+
+            echo "Downloading IK Analyzer from GitHub to ${IK_PLUGIN_ZIP}..."
+            if ! curl -fsSL "$IK_PLUGIN_GITHUB_URL" -o "$IK_PLUGIN_ZIP"; then
+                echo "Failed to download IK Analyzer from GitHub"
+                install_status=1
+            else
+                echo "Verifying IK Analyzer ZIP checksum..."
+                if echo "${IK_PLUGIN_GITHUB_SHA256}  ${IK_PLUGIN_ZIP}" | sha256sum -c -; then
+                    echo "Checksum verification succeeded, installing from local file..."
+                    /usr/share/elasticsearch/bin/elasticsearch-plugin install -b "file://${IK_PLUGIN_ZIP}"
+                    install_status=$?
+                else
+                    echo "Checksum verification failed for IK Analyzer ZIP"
+                    install_status=1
+                fi
+            fi
+        fi
+    fi
+
+    if [ "$install_status" -ne 0 ]; then
-    /usr/share/elasticsearch/bin/elasticsearch-plugin install -b https://get.infini.cloud/elasticsearch/analysis-ik/8.8.2 \
-    || /usr/share/elasticsearch/bin/elasticsearch-plugin install -b https://github.com/infinilabs/analysis-ik/releases/download/v8.8.2/elasticsearch-analysis-ik-8.8.2.zip
-    if [ "$?" -ne 0 ]; then
+    if ! /usr/share/elasticsearch/bin/elasticsearch-plugin install -b https://get.infini.cloud/elasticsearch/analysis-ik/8.8.2 \
+       && ! /usr/share/elasticsearch/bin/elasticsearch-plugin install -b https://github.com/infinilabs/analysis-ik/releases/download/v8.8.2/elasticsearch-analysis-ik-8.8.2.zip
+    then
-    # Try primary URL first, fallback to GitHub release
-    /usr/share/elasticsearch/bin/elasticsearch-plugin install -b https://get.infini.cloud/elasticsearch/analysis-ik/8.8.2 \
-    || /usr/share/elasticsearch/bin/elasticsearch-plugin install -b https://github.com/infinilabs/analysis-ik/releases/download/v8.8.2/elasticsearch-analysis-ik-8.8.2.zip
-    if [ "$?" -ne 0 ]; then
+    # Try primary URL first
+    /usr/share/elasticsearch/bin/elasticsearch-plugin install -b https://get.infini.cloud/elasticsearch/analysis-ik/8.8.2
+    install_status=$?
+
+    # If primary URL fails, fallback to GitHub release with checksum verification
+    if [ "$install_status" -ne 0 ]; then
+        echo "Primary IK Analyzer installation failed, attempting GitHub fallback with checksum verification..."
+
+        IK_PLUGIN_VERSION="8.8.2"
+        IK_PLUGIN_GITHUB_URL="https://github.com/infinilabs/analysis-ik/releases/download/v${IK_PLUGIN_VERSION}/elasticsearch-analysis-ik-${IK_PLUGIN_VERSION}.zip"
+        # Pinned SHA-256 checksum of the expected ZIP artifact.
+        # IMPORTANT: Replace the placeholder value below with the actual checksum for the release in use.
+        IK_PLUGIN_GITHUB_SHA256="${IK_PLUGIN_GITHUB_SHA256:-CHANGE_ME_TO_REAL_SHA256}"
+
+        if [ "$IK_PLUGIN_GITHUB_SHA256" = "CHANGE_ME_TO_REAL_SHA256" ]; then
+            echo "GitHub fallback checksum is not set. Aborting to avoid installing an unverified plugin."
+            install_status=1
+        else
+            TMP_DIR="$(mktemp -d)"
+            IK_PLUGIN_ZIP="${TMP_DIR}/elasticsearch-analysis-ik-${IK_PLUGIN_VERSION}.zip"
+
+            echo "Downloading IK Analyzer from GitHub to ${IK_PLUGIN_ZIP}..."
+            if ! curl -fsSL "$IK_PLUGIN_GITHUB_URL" -o "$IK_PLUGIN_ZIP"; then
+                echo "Failed to download IK Analyzer from GitHub"
+                install_status=1
+            else
+                echo "Verifying IK Analyzer ZIP checksum..."
+                if echo "${IK_PLUGIN_GITHUB_SHA256}  ${IK_PLUGIN_ZIP}" | sha256sum -c -; then
+                    echo "Checksum verification succeeded, installing from local file..."
+                    /usr/share/elasticsearch/bin/elasticsearch-plugin install -b "file://${IK_PLUGIN_ZIP}"
+                    install_status=$?
+                else
+                    echo "Checksum verification failed for IK Analyzer ZIP"
+                    install_status=1
+                fi
+            fi
+        fi
+    fi
+
+    if [ "$install_status" -ne 0 ]; then
-    /usr/share/elasticsearch/bin/elasticsearch-plugin install -b https://get.infini.cloud/elasticsearch/analysis-ik/8.8.2 \
-    || /usr/share/elasticsearch/bin/elasticsearch-plugin install -b https://github.com/infinilabs/analysis-ik/releases/download/v8.8.2/elasticsearch-analysis-ik-8.8.2.zip
-    if [ "$?" -ne 0 ]; then
+    if ! /usr/share/elasticsearch/bin/elasticsearch-plugin install -b https://get.infini.cloud/elasticsearch/analysis-ik/8.8.2 \
+       && ! /usr/share/elasticsearch/bin/elasticsearch-plugin install -b https://github.com/infinilabs/analysis-ik/releases/download/v8.8.2/elasticsearch-analysis-ik-8.8.2.zip
+    then
         echo "Failed to install IK Analyzer"
         exit 1