Version: 2.12.0

Pre and Post-Script Hooks for ECS

Introduction

Pre and post-script hooks provide an additional layer of network isolation for vault security. These scripts programmatically disconnect and reconnect the vault agent's network interfaces, supplementing the existing firewall protection that allows only outbound connections.

You can customize these scripts to match your specific network setup requirements.

How Script Hooks Work

Your vault agent VM requires two network interfaces:

[PROD ECS] ----- [FIREWALL] ----- <eth1>[VAULT_AGENT]<eth0> ----- [VAULT ECS]

Close vault: Disables the eth1 interface
Open vault: Enables the eth1 interface

Enable Script Hooks

Set Environment Variables
Add these variables to eca-env-common.conf:
```
export EVA_NTW_USE_SCRIPTS=true
export EVA_NTW_SCRIPTS_HOST_INT_IP=[internal IP of the agent host]
```
Replace [internal IP of the agent host] with the IP address assigned to eth0.
Configure Network Interface
Edit /opt/superna/eca/scripts/network-scripts/iface.config to specify which interface to enable/disable (typically eth1).

Default Script Locations

The system uses these scripts to manage network connections:

Configuration File

Path: /opt/superna/eca/scripts/network-scripts/iface.config
Purpose: Specifies the network interface name to control

Pre-Script

Path: /opt/superna/eca/scripts/network-scripts/pre-script.sh
Purpose: Enables the network interface before operations that require network access

Post-Script

Path: /opt/superna/eca/scripts/network-scripts/post-script.sh
Purpose: Disables the network interface after operations complete

Using custom scripts for networking operations

Define custom script locations in eca-env-common.conf:

export EVA_NTW_SCRIPT_PRE="/path/to/your/pre-script.sh"
export EVA_NTW_SCRIPT_POST="/path/to/your/post-script.sh"

Requirements for custom scripts:

Keep iface.config in the same directory as your scripts
Custom paths prevent automatic updates during upgrades
Cluster startup requires password to update sudoers file with new paths

When Scripts Execute

Operations That Trigger Scripts

Scripts run before and after these operations:

Running ecssync jobs
Sending job updates to Eyeglass when managed jobs change
Forwarding alerts from vault ECS to Eyeglass
Retrieving job schedules from Eyeglass UI
Uploading vault agent logs to Eyeglass

Operations Without Script Execution

These operations run without network script triggers:

Adding, cloning, removing, or listing jobs
Checking jobs with checkjobs command
Adding, removing, or listing ECS vault

Script Optimization

The system tracks running operations to minimize script execution:

Pre-script runs only when starting the first operation
Post-script runs only after the last operation completes
Concurrent operations share the same network connection

This prevents unnecessary network interface changes during overlapping operations.

Introduction​

How Script Hooks Work​

Enable Script Hooks​

Default Script Locations​

Configuration File​

Pre-Script​

Post-Script​

Using custom scripts for networking operations​

When Scripts Execute​

Operations That Trigger Scripts​

Operations Without Script Execution​

Script Optimization​