Pre and Post-Script Hooks for ECS
Introduction
Pre- and post-script hooks provide an additional layer of network isolation for vault security. These scripts programmatically disconnect and reconnect the vault agent's network interfaces, supplementing the existing firewall protection, which allows only outbound connections.
You can customize these scripts to match your specific network setup requirements.
How Script Hooks Work
Your vault agent VM requires two network interfaces:
[PROD ECS] ----- [FIREWALL] ----- <eth1>[VAULT_AGENT]<eth0> ----- [VAULT ECS]
- Close vault: Disables the eth1 interface
- Open vault: Enables the eth1 interface
Enable Script Hooks
- Set Environment Variables
Add these variables to eca-env-common.conf:
export EVA_NTW_USE_SCRIPTS=true
export EVA_NTW_SCRIPTS_HOST_INT_IP=[internal IP of the agent host]
Replace [internal IP of the agent host] with the IP address assigned to eth0.
- Configure Network Interface
Edit /opt/superna/eca/scripts/network-scripts/iface.config to specify which interface to enable/disable (typically eth1).
Default Script Locations
The system uses these scripts to manage network connections:
Configuration File
- Path: /opt/superna/eca/scripts/network-scripts/iface.config
- Purpose: Specifies the network interface name to control
Pre-Script
- Path: /opt/superna/eca/scripts/network-scripts/pre-script.sh
- Purpose: Enables the network interface before operations that require network access
Post-Script
- Path: /opt/superna/eca/scripts/network-scripts/post-script.sh
- Purpose: Disables the network interface after operations complete
Using custom scripts for networking operations
Define custom script locations in eca-env-common.conf:
export EVA_NTW_SCRIPT_PRE="/path/to/your/pre-script.sh"
export EVA_NTW_SCRIPT_POST="/path/to/your/post-script.sh"
Requirements for custom scripts:
- Keep iface.config in the same directory as your scripts
- Scripts at custom paths are not updated automatically during upgrades
- Cluster startup requires a password to update the sudoers file with the new paths
When Scripts Execute
Operations That Trigger Scripts
Scripts run before and after these operations:
- Running ecssync jobs
- Sending job updates to Eyeglass when managed jobs change
- Forwarding alerts from vault ECS to Eyeglass
- Retrieving job schedules from Eyeglass UI
- Uploading vault agent logs to Eyeglass
Operations Without Script Execution
These operations run without network script triggers:
- Adding, cloning, removing, or listing jobs
- Checking jobs with the checkjobs command
- Adding, removing, or listing ECS vault
Script Optimization
The system tracks running operations to minimize script execution:
- Pre-script runs only when starting the first operation
- Post-script runs only after the last operation completes
- Concurrent operations share the same network connection
This prevents unnecessary network interface changes during overlapping operations.
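The reference-counting behaviour described above, as an added example that is not Superna's code: a bash wrapper that calls the pre-script only when the first concurrent operation starts and the post-script only after the last one finishes. The counter-file location, the flock-based lock and the wrapper function names are assumptions; EVA_NTW_SCRIPT_PRE/EVA_NTW_SCRIPT_POST and the default script paths come from this page.

```shell
#!/bin/bash
# Added example (not Superna's code): open the vault network on the first
# operation, close it after the last, and share it between overlapping ones.
# Variable names EVA_NTW_SCRIPT_PRE/POST and the default paths are from the
# documentation; the counter file and lock are assumptions of this example.
: "${EVA_NTW_SCRIPT_PRE:=/opt/superna/eca/scripts/network-scripts/pre-script.sh}"
: "${EVA_NTW_SCRIPT_POST:=/opt/superna/eca/scripts/network-scripts/post-script.sh}"
: "${EVA_NTW_COUNTER:=/tmp/eva-ntw-active.count}"   # assumed location

# Adjust the active-operation counter by +1 or -1 under an exclusive lock.
# The pre-script runs only on the 0->1 transition, the post-script only on 1->0,
# so N overlapping operations cause exactly one interface up and one down.
ntw_adjust() {
    local delta=$1 count new
    (
        flock -x 9
        count=$(cat "$EVA_NTW_COUNTER" 2>/dev/null || echo 0)
        new=$((count + delta))
        [ "$new" -lt 0 ] && new=0          # guard against an unbalanced release
        if [ "$count" -eq 0 ] && [ "$new" -eq 1 ]; then
            # Interface must be up before the counter says anyone may use it.
            "$EVA_NTW_SCRIPT_PRE" || { echo "pre-script failed" >&2; exit 1; }
        fi
        echo "$new" > "$EVA_NTW_COUNTER"
        if [ "$count" -eq 1 ] && [ "$new" -eq 0 ]; then
            "$EVA_NTW_SCRIPT_POST"
        fi
    ) 9>"$EVA_NTW_COUNTER.lock"
}

ntw_acquire() { ntw_adjust 1; }
ntw_release() { ntw_adjust -1; }

# Run a command with the vault network open; the interface is closed again only
# when no other wrapped operation is still running. The command's exit status
# is preserved, and the release happens even when the command fails.
with_vault_network() {
    ntw_acquire || return 1
    "$@"
    local rc=$?
    ntw_release
    return $rc
}
```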