Version: 2.12.0

Pre and Post-Script Hooks for ECS

Introduction

Pre and post-script hooks provide an additional layer of network isolation for vault security. These scripts programmatically disconnect and reconnect the vault agent's network interfaces, supplementing the existing firewall protection that allows only outbound connections.

You can customize these scripts to match your specific network setup requirements.

How Script Hooks Work

Your vault agent VM requires two network interfaces:

[PROD ECS] ----- [FIREWALL] ----- <eth1>[VAULT_AGENT]<eth0> ----- [VAULT ECS]

  • Close vault: Disables the eth1 interface
  • Open vault: Enables the eth1 interface

Enable Script Hooks

  1. Set Environment Variables
    Add these variables to eca-env-common.conf:

    export EVA_NTW_USE_SCRIPTS=true
    export EVA_NTW_SCRIPTS_HOST_INT_IP=[internal IP of the agent host]

    Replace [internal IP of the agent host] with the IP address assigned to eth0.

  2. Configure Network Interface
    Edit /opt/superna/eca/scripts/network-scripts/iface.config to specify which interface to enable/disable (typically eth1).

Default Script Locations

The system uses these scripts to manage network connections:

Configuration File

  • Path: /opt/superna/eca/scripts/network-scripts/iface.config
  • Purpose: Specifies the network interface name to control

Pre-Script

  • Path: /opt/superna/eca/scripts/network-scripts/pre-script.sh
  • Purpose: Enables the network interface before operations that require network access

Post-Script

  • Path: /opt/superna/eca/scripts/network-scripts/post-script.sh
  • Purpose: Disables the network interface after operations complete

Using custom scripts for networking operations

Define custom script locations in eca-env-common.conf:

export EVA_NTW_SCRIPT_PRE="/path/to/your/pre-script.sh"
export EVA_NTW_SCRIPT_POST="/path/to/your/post-script.sh"

Requirements for custom scripts:

  • Keep iface.config in the same directory as your scripts
  • Scripts at custom paths are not updated automatically during upgrades
  • Cluster startup prompts for a password so it can update the sudoers file with the new script paths
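As an added example, not the product's shipped pre-script.sh/post-script.sh, the hook below reads iface.config from its own directory, validates the interface name before it reaches an ip command, brings the interface up or down, and verifies the resulting state via sysfs. It assumes iface.config holds a single interface name (optionally with # comments), that the hook runs as root via sudo, and that the action is passed as the first argument: open for the pre-hook, close for the post-hook.

```shell
#!/bin/sh
# Reference open/close hook for the vault agent's isolated interface (added example).
# Assumptions (not from the product docs): iface.config holds one interface name,
# the hook runs as root, and $1 is "open" (pre-script) or "close" (post-script).
set -eu

SCRIPT_DIR=$(cd "$(dirname "$0")" && pwd)
CONFIG_FILE="${IFACE_CONFIG:-$SCRIPT_DIR/iface.config}"

log() {
    # Write to stderr and, where available, to syslog so interface changes are auditable.
    echo "vault-netscript: $*" >&2
    command -v logger >/dev/null 2>&1 && logger -t vault-netscript -- "$*" || true
}

# Validate a name before it is used in a command: 1-15 chars (Linux IFNAMSIZ limit),
# restricted charset, no leading '-' (would be parsed as an option) and no '/'.
valid_iface() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9_][A-Za-z0-9_.:-]{0,14}$'
}

# Print the first non-comment, non-blank entry of the config file; fail on bad names.
read_iface() {
    cfg="$1"
    [ -r "$cfg" ] || { log "config not readable: $cfg"; return 1; }
    name=$(sed -e 's/\r$//' -e 's/#.*//' -e 's/^[[:space:]]*//' \
               -e 's/[[:space:]]*$//' -e '/^$/d' "$cfg" | head -n 1)
    valid_iface "$name" || { log "invalid interface name in $cfg"; return 1; }
    printf '%s\n' "$name"
}

# Administrative state from sysfs: bit 0 of the flags word is IFF_UP.
iface_is_up() {
    flags=$(cat "/sys/class/net/$1/flags" 2>/dev/null) || return 1
    [ $((flags & 1)) -eq 1 ]
}

# Bring the interface up ("open") or down ("close") and confirm it actually changed.
set_iface() {
    iface="$1"; action="$2"
    case "$action" in
        open)  ip link set dev "$iface" up ;;
        close) ip link set dev "$iface" down ;;
        *)     log "unknown action: $action"; return 2 ;;
    esac
    if [ "$action" = open ]; then iface_is_up "$iface"; else ! iface_is_up "$iface"; fi \
        || { log "$iface did not reach the expected state after $action"; return 1; }
    log "$action: $iface"
}

# Act only when invoked with an action; with no arguments just the functions are defined.
if [ $# -gt 0 ]; then
    IFACE=$(read_iface "$CONFIG_FILE")
    set_iface "$IFACE" "$1"
fi
```

Install it once and call it as `pre-script.sh open` / `post-script.sh close` (or via two thin wrappers), keeping iface.config beside it as the requirements above state.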

When Scripts Execute

Operations That Trigger Scripts

Scripts run before and after these operations:

  • Running ecssync jobs
  • Sending job updates to Eyeglass when managed jobs change
  • Forwarding alerts from vault ECS to Eyeglass
  • Retrieving job schedules from Eyeglass UI
  • Uploading vault agent logs to Eyeglass

Operations Without Script Execution

These operations run without network script triggers:

  • Adding, cloning, removing, or listing jobs
  • Checking jobs with the checkjobs command
  • Adding, removing, or listing ECS vaults

Script Optimization

The system tracks running operations to minimize script execution:

  • Pre-script runs only when starting the first operation
  • Post-script runs only after the last operation completes
  • Concurrent operations share the same network connection

This prevents unnecessary network interface changes during overlapping operations.