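Preface
In "Hyperledger Fabric: starting without a system channel, and creating and deleting channels", we started a Hyperledger Fabric network without a system channel and installed chaincode on a specified channel. So far, however, the orderer service in these experiments has been maintained by a separate orderer organization, and there has been only one orderer. Can we drop the orderer organization and have ordinary organizations run and maintain multiple orderer services, to reduce network complexity? After searching the web I found that nobody had tried this, so I had to work through the pitfalls myself. Building on the earlier experiments, this article starts a Fabric network with no orderer organization, containing three organizations that each run and maintain one Raft orderer node, and finally deploys and runs chaincode on it.
Preparation
Scope of this article
Start a Hyperledger Fabric network without an orderer organization. It contains four organizations: council, soft, web and hard. The council organization provides the TLS-CA service for the network; every organization other than council runs and maintains one peer node and one orderer. The network layout is as follows (the experiment code has been uploaded to https://github.com/wefantasy/FabricLearn under 4-1_RunOrdererByOneself):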

| Item | Port | Description |
| --- | --- | --- |
| council.ifantasy.net | 7050 | CA service of the council organization; provides the TLS-CA service for the consortium network |
| soft.ifantasy.net | 7250 | CA service of the soft organization; members: peer1, admin1 |
| peer1.soft.ifantasy.net | 7251 | peer1 member node of the soft organization |
| orderer1.soft.ifantasy.net | 8251 | orderer1 service of the soft organization |
| orderer1.soft.ifantasy.net | 8252 | admin service of the soft organization's orderer1 service |
| web.ifantasy.net | 7350 | CA service of the web organization; members: peer1, admin1 |
| peer1.web.ifantasy.net | 7351 | peer1 member node of the web organization |
| orderer1.web.ifantasy.net | 8351 | orderer1 service of the web organization |
| orderer1.web.ifantasy.net | 8352 | admin service of the web organization's orderer1 service |
| hard.ifantasy.net | 7450 | CA service of the hard organization; members: peer1, admin1 |
| peer1.hard.ifantasy.net | 7451 | peer1 member node of the hard organization |
| orderer1.hard.ifantasy.net | 8451 | orderer1 service of the hard organization |
| orderer1.hard.ifantasy.net | 8452 | admin service of the hard organization's orderer1 service |

Experiment setup
The network for this article is created by copying 3_RunWithNoSystemChannel, built in "Hyperledger Fabric: starting without a system channel, and creating and deleting channels", to 4-1_RunOrdererByOneself (it is recommended to simply copy the 4-1_RunOrdererByOneself directory of this case repository, FabricLearn, and run it locally). Most of the commands used here were already introduced in "Hyperledger Fabric: engineering practice for customizing a consortium blockchain network" and are therefore not explained in detail. By default, all commands are run from the 4-1_RunOrdererByOneself root directory. Before starting the experiments below, bring up the base experiment network with the following commands (the main change is the removal of the orderer-organization configuration):
1. Set up DNS (if not already set): ./setDNS.sh
2. Set the environment variables: source envpeer1soft
3. Start the CA network: ./0_Restart.sh
The initial docker network for this experiment is: [Figure: initial docker network]
Experiment steps
Configuration files
Modify the configuration file compose/docker-compose.yaml: delete all configuration for the orderer organization, and add the containers for the hard organization and the orderer containers of the ordinary organizations:

    hard.ifantasy.net:
      container_name: hard.ifantasy.net
      extends:
        file: docker-base.yaml
        service: ca-base
      command: sh -c 'fabric-ca-server start -d -b ca-admin:ca-adminpw --port 7050'
      environment:
        - FABRIC_CA_SERVER_CSR_CN=hard.ifantasy.net
        - FABRIC_CA_SERVER_CSR_HOSTS=hard.ifantasy.net
      volumes:
        - ${LOCAL_CA_PATH}/hard.ifantasy.net/ca:${DOCKER_CA_PATH}/ca
      ports:
        - 7450:7050

    peer1.hard.ifantasy.net:
      container_name: peer1.hard.ifantasy.net
      extends:
        file: docker-base.yaml
        service: peer-base
      environment:
        - CORE_PEER_ID=peer1.hard.ifantasy.net
        - CORE_PEER_LISTENADDRESS=0.0.0.0:7051
        - CORE_PEER_ADDRESS=peer1.hard.ifantasy.net:7051
        - CORE_PEER_LOCALMSPID=hardMSP
        - CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer1.hard.ifantasy.net:7051
      volumes:
        - ${LOCAL_CA_PATH}/hard.ifantasy.net/registers/peer1:${DOCKER_CA_PATH}/peer
      ports:
        - 7451:7051

    orderer1.soft.ifantasy.net:
      container_name: orderer1.soft.ifantasy.net
      extends:
        file: docker-base.yaml
        service: orderer-base
      environment:
        - ORDERER_HOST=orderer1.soft.ifantasy.net
        - ORDERER_GENERAL_LOCALMSPID=softMSP
        - ORDERER_GENERAL_LISTENPORT=8251
      volumes:
        - ${LOCAL_CA_PATH}/soft.ifantasy.net/registers/orderer1:${DOCKER_CA_PATH}/orderer
      ports:
        - 8251:8251
        - 8252:8888
        - 8253:9999

    orderer1.web.ifantasy.net:
      container_name: orderer1.web.ifantasy.net
      extends:
        file: docker-base.yaml
        service: orderer-base
      environment:
        - ORDERER_HOST=orderer1.web.ifantasy.net
        - ORDERER_GENERAL_LOCALMSPID=webMSP
        - ORDERER_GENERAL_LISTENPORT=8351
      volumes:
        - ${LOCAL_CA_PATH}/web.ifantasy.net/registers/orderer1:${DOCKER_CA_PATH}/orderer
      ports:
        - 8351:8351
        - 8352:8888
        - 8353:9999

    orderer1.hard.ifantasy.net:
      container_name: orderer1.hard.ifantasy.net
      extends:
        file: docker-base.yaml
        service: orderer-base
      environment:
        - ORDERER_HOST=orderer1.hard.ifantasy.net
        - ORDERER_GENERAL_LOCALMSPID=hardMSP
        - ORDERER_GENERAL_LISTENPORT=8451
      volumes:
        - ${LOCAL_CA_PATH}/hard.ifantasy.net/registers/orderer1:${DOCKER_CA_PATH}/orderer
      ports:
        - 8451:8451
        - 8452:8888
        - 8453:9999

Modify the configuration file config/configtx.yaml. The source file is too long to paste here; the main changes are:
- Under each organization's MSP, add the OrdererEndpoints maintained by that organization: [Figure: adding the OrdererEndpoints maintained by the organization]
- Under the Orderer section, change the addresses of the orderer services: [Figure: Orderer configuration]
- Under the Profiles section, change the organizations that maintain the ordering nodes to softMSP, webMSP and hardMSP: [Figure: Profiles configuration]
- One organization MSP must have its Rule set to member under Readers and Writers in its Policies; this is explained at the end of the article: [Figure: organization Policies]
Add the environment variables for the orderer service's admin certificates to each organization's environment file, taking envpeer1soft as an example:

    export ORDERER_CA=$LOCAL_CA_PATH/soft.ifantasy.net/registers/orderer1/tls-msp/tlscacerts/tls-council-ifantasy-net-7050.pem
    export ORDERER_ADMIN_TLS_SIGN_CERT=$LOCAL_CA_PATH/soft.ifantasy.net/registers/orderer1/tls-msp/signcerts/cert.pem
    export ORDERER_ADMIN_TLS_PRIVATE_KEY=$LOCAL_CA_PATH/soft.ifantasy.net/registers/orderer1/tls-msp/keystore/key.pem

Copy envpeer1soft to envpeer1hard as the environment file for the hard organization, with the following contents:

    export LOCAL_ROOT_PATH=$PWD
    export LOCAL_CA_PATH=$LOCAL_ROOT_PATH/orgs
    export DOCKER_CA_PATH=/tmp
    export COMPOSE_PROJECT_NAME=fabriclearn
    export DOCKER_NETWORKS=network
    export FABRIC_BASE_VERSION=2.4
    export FABRIC_CA_VERSION=1.5
    echo "init terminal hard"
    export FABRIC_CFG_PATH=$LOCAL_ROOT_PATH/config
    export CORE_PEER_TLS_ENABLED=true
    export CORE_PEER_LOCALMSPID="hardMSP"
    export CORE_PEER_ADDRESS=peer1.hard.ifantasy.net:7451
    export CORE_PEER_TLS_ROOTCERT_FILE=$LOCAL_CA_PATH/hard.ifantasy.net/assets/tls-ca-cert.pem
    export CORE_PEER_MSPCONFIGPATH=$LOCAL_CA_PATH/hard.ifantasy.net/registers/admin1/msp
    # TLS material of this organization's own orderer, used by osnadmin
    export ORDERER_CA=$LOCAL_CA_PATH/hard.ifantasy.net/registers/orderer1/tls-msp/tlscacerts/tls-council-ifantasy-net-7050.pem
    export ORDERER_ADMIN_TLS_SIGN_CERT=$LOCAL_CA_PATH/hard.ifantasy.net/registers/orderer1/tls-msp/signcerts/cert.pem
    export ORDERER_ADMIN_TLS_PRIVATE_KEY=$LOCAL_CA_PATH/hard.ifantasy.net/registers/orderer1/tls-msp/keystore/key.pem

Registering users
Running 1_RegisterUser.sh in the root directory registers all users needed for this experiment.
council user registration:

    echo "Working on council"
    export FABRIC_CA_CLIENT_TLS_CERTFILES=$LOCAL_CA_PATH/council.ifantasy.net/ca/crypto/ca-cert.pem
    export FABRIC_CA_CLIENT_HOME=$LOCAL_CA_PATH/council.ifantasy.net/ca/admin
    # Enroll the TLS-CA bootstrap admin, then register one TLS identity per peer and orderer
    fabric-ca-client enroll -d -u https://ca-admin:ca-adminpw@council.ifantasy.net:7050
    fabric-ca-client register -d --id.name peer1soft --id.secret peer1soft --id.type peer -u https://council.ifantasy.net:7050
    fabric-ca-client register -d --id.name orderer1soft --id.secret orderer1soft --id.type orderer -u https://council.ifantasy.net:7050
    fabric-ca-client register -d --id.name peer1web --id.secret peer1web --id.type peer -u https://council.ifantasy.net:7050
    fabric-ca-client register -d --id.name orderer1web --id.secret orderer1web --id.type orderer -u https://council.ifantasy.net:7050
    fabric-ca-client register -d --id.name peer1hard --id.secret peer1hard --id.type peer -u https://council.ifantasy.net:7050
    fabric-ca-client register -d --id.name orderer1hard --id.secret orderer1hard --id.type orderer -u https://council.ifantasy.net:7050

soft user registration:

    echo "Working on soft"
    export FABRIC_CA_CLIENT_TLS_CERTFILES=$LOCAL_CA_PATH/soft.ifantasy.net/ca/crypto/ca-cert.pem
    export FABRIC_CA_CLIENT_HOME=$LOCAL_CA_PATH/soft.ifantasy.net/ca/admin
    fabric-ca-client enroll -d -u https://ca-admin:ca-adminpw@soft.ifantasy.net:7250
    fabric-ca-client register -d --id.name peer1 --id.secret peer1 --id.type peer -u https://soft.ifantasy.net:7250
    fabric-ca-client register -d --id.name orderer1 --id.secret orderer1 --id.type orderer -u https://soft.ifantasy.net:7250
    fabric-ca-client register -d --id.name admin1 --id.secret admin1 --id.type admin -u https://soft.ifantasy.net:7250

web user registration:

    echo "Working on web"
    export FABRIC_CA_CLIENT_TLS_CERTFILES=$LOCAL_CA_PATH/web.ifantasy.net/ca/crypto/ca-cert.pem
    export FABRIC_CA_CLIENT_HOME=$LOCAL_CA_PATH/web.ifantasy.net/ca/admin
    fabric-ca-client enroll -d -u https://ca-admin:ca-adminpw@web.ifantasy.net:7350
    fabric-ca-client register -d --id.name peer1 --id.secret peer1 --id.type peer -u https://web.ifantasy.net:7350
    fabric-ca-client register -d --id.name orderer1 --id.secret orderer1 --id.type orderer -u https://web.ifantasy.net:7350
    fabric-ca-client register -d --id.name admin1 --id.secret admin1 --id.type admin -u https://web.ifantasy.net:7350

hard user registration:

    echo "Working on hard"
    export FABRIC_CA_CLIENT_TLS_CERTFILES=$LOCAL_CA_PATH/hard.ifantasy.net/ca/crypto/ca-cert.pem
    export FABRIC_CA_CLIENT_HOME=$LOCAL_CA_PATH/hard.ifantasy.net/ca/admin
    fabric-ca-client enroll -d -u https://ca-admin:ca-adminpw@hard.ifantasy.net:7450
    fabric-ca-client register -d --id.name peer1 --id.secret peer1 --id.type peer -u https://hard.ifantasy.net:7450
    fabric-ca-client register -d --id.name orderer1 --id.secret orderer1 --id.type orderer -u https://hard.ifantasy.net:7450
    fabric-ca-client register -d --id.name admin1 --id.secret admin1 --id.type admin -u https://hard.ifantasy.net:7450
    echo "All CA and registration done"

Building organization certificates
Running 2_EnrollUser.sh in the root directory builds all certificates needed for this experiment.
Organization asset preprocessing:

    echo "Preparation============================="
    # Each organization keeps its own CA certificate and the council TLS-CA certificate in assets/
    mkdir -p $LOCAL_CA_PATH/soft.ifantasy.net/assets
    cp $LOCAL_CA_PATH/soft.ifantasy.net/ca/crypto/ca-cert.pem $LOCAL_CA_PATH/soft.ifantasy.net/assets/ca-cert.pem
    cp $LOCAL_CA_PATH/council.ifantasy.net/ca/crypto/ca-cert.pem $LOCAL_CA_PATH/soft.ifantasy.net/assets/tls-ca-cert.pem

    mkdir -p $LOCAL_CA_PATH/web.ifantasy.net/assets
    cp $LOCAL_CA_PATH/web.ifantasy.net/ca/crypto/ca-cert.pem $LOCAL_CA_PATH/web.ifantasy.net/assets/ca-cert.pem
    cp $LOCAL_CA_PATH/council.ifantasy.net/ca/crypto/ca-cert.pem $LOCAL_CA_PATH/web.ifantasy.net/assets/tls-ca-cert.pem

    mkdir -p $LOCAL_CA_PATH/hard.ifantasy.net/assets
    cp $LOCAL_CA_PATH/hard.ifantasy.net/ca/crypto/ca-cert.pem $LOCAL_CA_PATH/hard.ifantasy.net/assets/ca-cert.pem
    cp $LOCAL_CA_PATH/council.ifantasy.net/ca/crypto/ca-cert.pem $LOCAL_CA_PATH/hard.ifantasy.net/assets/tls-ca-cert.pem
    echo "Preparation============================="

Building the soft certificates:

    echo "Start Soft============================="
    echo "Enroll Admin"
    export FABRIC_CA_CLIENT_HOME=$LOCAL_CA_PATH/soft.ifantasy.net/registers/admin1
    export FABRIC_CA_CLIENT_TLS_CERTFILES=$LOCAL_CA_PATH/soft.ifantasy.net/assets/ca-cert.pem
    export FABRIC_CA_CLIENT_MSPDIR=msp
    fabric-ca-client enroll -d -u https://admin1:admin1@soft.ifantasy.net:7250
    mkdir -p $LOCAL_CA_PATH/soft.ifantasy.net/registers/admin1/msp/admincerts
    cp $LOCAL_CA_PATH/soft.ifantasy.net/registers/admin1/msp/signcerts/cert.pem $LOCAL_CA_PATH/soft.ifantasy.net/registers/admin1/msp/admincerts/cert.pem

    echo "Enroll Peer1"
    export FABRIC_CA_CLIENT_HOME=$LOCAL_CA_PATH/soft.ifantasy.net/registers/peer1
    export FABRIC_CA_CLIENT_TLS_CERTFILES=$LOCAL_CA_PATH/soft.ifantasy.net/assets/ca-cert.pem
    export FABRIC_CA_CLIENT_MSPDIR=msp
    fabric-ca-client enroll -d -u https://peer1:peer1@soft.ifantasy.net:7250
    # TLS certificate comes from the council TLS-CA
    export FABRIC_CA_CLIENT_MSPDIR=tls-msp
    export FABRIC_CA_CLIENT_TLS_CERTFILES=$LOCAL_CA_PATH/soft.ifantasy.net/assets/tls-ca-cert.pem
    fabric-ca-client enroll -d -u https://peer1soft:peer1soft@council.ifantasy.net:7050 --enrollment.profile tls --csr.hosts peer1.soft.ifantasy.net
    cp $LOCAL_CA_PATH/soft.ifantasy.net/registers/peer1/tls-msp/keystore/*_sk $LOCAL_CA_PATH/soft.ifantasy.net/registers/peer1/tls-msp/keystore/key.pem
    mkdir -p $LOCAL_CA_PATH/soft.ifantasy.net/registers/peer1/msp/admincerts
    cp $LOCAL_CA_PATH/soft.ifantasy.net/registers/admin1/msp/signcerts/cert.pem $LOCAL_CA_PATH/soft.ifantasy.net/registers/peer1/msp/admincerts/cert.pem

    echo "Enroll Orderer1"
    export FABRIC_CA_CLIENT_HOME=$LOCAL_CA_PATH/soft.ifantasy.net/registers/orderer1
    export FABRIC_CA_CLIENT_TLS_CERTFILES=$LOCAL_CA_PATH/soft.ifantasy.net/assets/ca-cert.pem
    export FABRIC_CA_CLIENT_MSPDIR=msp
    fabric-ca-client enroll -d -u https://orderer1:orderer1@soft.ifantasy.net:7250
    export FABRIC_CA_CLIENT_MSPDIR=tls-msp
    export FABRIC_CA_CLIENT_TLS_CERTFILES=$LOCAL_CA_PATH/soft.ifantasy.net/assets/tls-ca-cert.pem
    fabric-ca-client enroll -d -u https://orderer1soft:orderer1soft@council.ifantasy.net:7050 --enrollment.profile tls --csr.hosts orderer1.soft.ifantasy.net
    cp $LOCAL_CA_PATH/soft.ifantasy.net/registers/orderer1/tls-msp/keystore/*_sk $LOCAL_CA_PATH/soft.ifantasy.net/registers/orderer1/tls-msp/keystore/key.pem
    mkdir -p $LOCAL_CA_PATH/soft.ifantasy.net/registers/orderer1/msp/admincerts
    cp $LOCAL_CA_PATH/soft.ifantasy.net/registers/admin1/msp/signcerts/cert.pem $LOCAL_CA_PATH/soft.ifantasy.net/registers/orderer1/msp/admincerts/cert.pem

    # Assemble the organization-level MSP directory
    mkdir -p $LOCAL_CA_PATH/soft.ifantasy.net/msp/admincerts
    mkdir -p $LOCAL_CA_PATH/soft.ifantasy.net/msp/cacerts
    mkdir -p $LOCAL_CA_PATH/soft.ifantasy.net/msp/tlscacerts
    mkdir -p $LOCAL_CA_PATH/soft.ifantasy.net/msp/users
    cp $LOCAL_CA_PATH/soft.ifantasy.net/assets/ca-cert.pem $LOCAL_CA_PATH/soft.ifantasy.net/msp/cacerts/
    cp $LOCAL_CA_PATH/soft.ifantasy.net/assets/tls-ca-cert.pem $LOCAL_CA_PATH/soft.ifantasy.net/msp/tlscacerts/
    cp $LOCAL_CA_PATH/soft.ifantasy.net/registers/admin1/msp/signcerts/cert.pem $LOCAL_CA_PATH/soft.ifantasy.net/msp/admincerts/cert.pem
    cp $LOCAL_ROOT_PATH/config/config-msp.yaml $LOCAL_CA_PATH/soft.ifantasy.net/msp/config.yaml
    echo "End Soft============================="

Building the web certificates:

    echo "Start Web============================="
    echo "Enroll Admin"
    export FABRIC_CA_CLIENT_HOME=$LOCAL_CA_PATH/web.ifantasy.net/registers/admin1
    export FABRIC_CA_CLIENT_TLS_CERTFILES=$LOCAL_CA_PATH/web.ifantasy.net/assets/ca-cert.pem
    export FABRIC_CA_CLIENT_MSPDIR=msp
    fabric-ca-client enroll -d -u https://admin1:admin1@web.ifantasy.net:7350
    mkdir -p $LOCAL_CA_PATH/web.ifantasy.net/registers/admin1/msp/admincerts
    cp $LOCAL_CA_PATH/web.ifantasy.net/registers/admin1/msp/signcerts/cert.pem $LOCAL_CA_PATH/web.ifantasy.net/registers/admin1/msp/admincerts/cert.pem

    echo "Enroll Peer1"
    export FABRIC_CA_CLIENT_HOME=$LOCAL_CA_PATH/web.ifantasy.net/registers/peer1
    export FABRIC_CA_CLIENT_TLS_CERTFILES=$LOCAL_CA_PATH/web.ifantasy.net/assets/ca-cert.pem
    export FABRIC_CA_CLIENT_MSPDIR=msp
    fabric-ca-client enroll -d -u https://peer1:peer1@web.ifantasy.net:7350
    export FABRIC_CA_CLIENT_MSPDIR=tls-msp
    export FABRIC_CA_CLIENT_TLS_CERTFILES=$LOCAL_CA_PATH/web.ifantasy.net/assets/tls-ca-cert.pem
    fabric-ca-client enroll -d -u https://peer1web:peer1web@council.ifantasy.net:7050 --enrollment.profile tls --csr.hosts peer1.web.ifantasy.net
    cp $LOCAL_CA_PATH/web.ifantasy.net/registers/peer1/tls-msp/keystore/*_sk $LOCAL_CA_PATH/web.ifantasy.net/registers/peer1/tls-msp/keystore/key.pem
    mkdir -p $LOCAL_CA_PATH/web.ifantasy.net/registers/peer1/msp/admincerts
    cp $LOCAL_CA_PATH/web.ifantasy.net/registers/admin1/msp/signcerts/cert.pem $LOCAL_CA_PATH/web.ifantasy.net/registers/peer1/msp/admincerts/cert.pem

    echo "Enroll Orderer1"
    export FABRIC_CA_CLIENT_HOME=$LOCAL_CA_PATH/web.ifantasy.net/registers/orderer1
    export FABRIC_CA_CLIENT_TLS_CERTFILES=$LOCAL_CA_PATH/web.ifantasy.net/assets/ca-cert.pem
    export FABRIC_CA_CLIENT_MSPDIR=msp
    fabric-ca-client enroll -d -u https://orderer1:orderer1@web.ifantasy.net:7350
    mkdir -p $LOCAL_CA_PATH/web.ifantasy.net/registers/orderer1/msp/admincerts
    cp $LOCAL_CA_PATH/web.ifantasy.net/registers/admin1/msp/signcerts/cert.pem $LOCAL_CA_PATH/web.ifantasy.net/registers/orderer1/msp/admincerts/cert.pem
    export FABRIC_CA_CLIENT_MSPDIR=tls-msp
    export FABRIC_CA_CLIENT_TLS_CERTFILES=$LOCAL_CA_PATH/web.ifantasy.net/assets/tls-ca-cert.pem
    fabric-ca-client enroll -d -u https://orderer1web:orderer1web@council.ifantasy.net:7050 --enrollment.profile tls --csr.hosts orderer1.web.ifantasy.net
    cp $LOCAL_CA_PATH/web.ifantasy.net/registers/orderer1/tls-msp/keystore/*_sk $LOCAL_CA_PATH/web.ifantasy.net/registers/orderer1/tls-msp/keystore/key.pem

    # Assemble the organization-level MSP directory
    mkdir -p $LOCAL_CA_PATH/web.ifantasy.net/msp/admincerts
    mkdir -p $LOCAL_CA_PATH/web.ifantasy.net/msp/cacerts
    mkdir -p $LOCAL_CA_PATH/web.ifantasy.net/msp/tlscacerts
    mkdir -p $LOCAL_CA_PATH/web.ifantasy.net/msp/users
    cp $LOCAL_CA_PATH/web.ifantasy.net/assets/ca-cert.pem $LOCAL_CA_PATH/web.ifantasy.net/msp/cacerts/
    cp $LOCAL_CA_PATH/web.ifantasy.net/assets/tls-ca-cert.pem $LOCAL_CA_PATH/web.ifantasy.net/msp/tlscacerts/
    cp $LOCAL_CA_PATH/web.ifantasy.net/registers/admin1/msp/signcerts/cert.pem $LOCAL_CA_PATH/web.ifantasy.net/msp/admincerts/cert.pem
    cp $LOCAL_ROOT_PATH/config/config-msp.yaml $LOCAL_CA_PATH/web.ifantasy.net/msp/config.yaml
    echo "End Web============================="

Building the hard certificates:

    echo "Start Hard============================="
    echo "Enroll Admin"
    export FABRIC_CA_CLIENT_HOME=$LOCAL_CA_PATH/hard.ifantasy.net/registers/admin1
    export FABRIC_CA_CLIENT_TLS_CERTFILES=$LOCAL_CA_PATH/hard.ifantasy.net/assets/ca-cert.pem
    export FABRIC_CA_CLIENT_MSPDIR=msp
    fabric-ca-client enroll -d -u https://admin1:admin1@hard.ifantasy.net:7450
    mkdir -p $LOCAL_CA_PATH/hard.ifantasy.net/registers/admin1/msp/admincerts
    cp $LOCAL_CA_PATH/hard.ifantasy.net/registers/admin1/msp/signcerts/cert.pem $LOCAL_CA_PATH/hard.ifantasy.net/registers/admin1/msp/admincerts/cert.pem

    echo "Enroll Peer1"
    export FABRIC_CA_CLIENT_HOME=$LOCAL_CA_PATH/hard.ifantasy.net/registers/peer1
    export FABRIC_CA_CLIENT_TLS_CERTFILES=$LOCAL_CA_PATH/hard.ifantasy.net/assets/ca-cert.pem
    export FABRIC_CA_CLIENT_MSPDIR=msp
    fabric-ca-client enroll -d -u https://peer1:peer1@hard.ifantasy.net:7450
    export FABRIC_CA_CLIENT_MSPDIR=tls-msp
    export FABRIC_CA_CLIENT_TLS_CERTFILES=$LOCAL_CA_PATH/hard.ifantasy.net/assets/tls-ca-cert.pem
    fabric-ca-client enroll -d -u https://peer1hard:peer1hard@council.ifantasy.net:7050 --enrollment.profile tls --csr.hosts peer1.hard.ifantasy.net
    cp $LOCAL_CA_PATH/hard.ifantasy.net/registers/peer1/tls-msp/keystore/*_sk $LOCAL_CA_PATH/hard.ifantasy.net/registers/peer1/tls-msp/keystore/key.pem
    mkdir -p $LOCAL_CA_PATH/hard.ifantasy.net/registers/peer1/msp/admincerts
    cp $LOCAL_CA_PATH/hard.ifantasy.net/registers/admin1/msp/signcerts/cert.pem $LOCAL_CA_PATH/hard.ifantasy.net/registers/peer1/msp/admincerts/cert.pem

    echo "Enroll Orderer1"
    export FABRIC_CA_CLIENT_HOME=$LOCAL_CA_PATH/hard.ifantasy.net/registers/orderer1
    export FABRIC_CA_CLIENT_TLS_CERTFILES=$LOCAL_CA_PATH/hard.ifantasy.net/assets/ca-cert.pem
    export FABRIC_CA_CLIENT_MSPDIR=msp
    fabric-ca-client enroll -d -u https://orderer1:orderer1@hard.ifantasy.net:7450
    mkdir -p $LOCAL_CA_PATH/hard.ifantasy.net/registers/orderer1/msp/admincerts
    cp $LOCAL_CA_PATH/hard.ifantasy.net/registers/admin1/msp/signcerts/cert.pem $LOCAL_CA_PATH/hard.ifantasy.net/registers/orderer1/msp/admincerts/cert.pem
    export FABRIC_CA_CLIENT_MSPDIR=tls-msp
    export FABRIC_CA_CLIENT_TLS_CERTFILES=$LOCAL_CA_PATH/hard.ifantasy.net/assets/tls-ca-cert.pem
    fabric-ca-client enroll -d -u https://orderer1hard:orderer1hard@council.ifantasy.net:7050 --enrollment.profile tls --csr.hosts orderer1.hard.ifantasy.net
    cp $LOCAL_CA_PATH/hard.ifantasy.net/registers/orderer1/tls-msp/keystore/*_sk $LOCAL_CA_PATH/hard.ifantasy.net/registers/orderer1/tls-msp/keystore/key.pem

    # Assemble the organization-level MSP directory
    mkdir -p $LOCAL_CA_PATH/hard.ifantasy.net/msp/admincerts
    mkdir -p $LOCAL_CA_PATH/hard.ifantasy.net/msp/cacerts
    mkdir -p $LOCAL_CA_PATH/hard.ifantasy.net/msp/tlscacerts
    mkdir -p $LOCAL_CA_PATH/hard.ifantasy.net/msp/users
    cp $LOCAL_CA_PATH/hard.ifantasy.net/assets/ca-cert.pem $LOCAL_CA_PATH/hard.ifantasy.net/msp/cacerts/
    cp $LOCAL_CA_PATH/hard.ifantasy.net/assets/tls-ca-cert.pem $LOCAL_CA_PATH/hard.ifantasy.net/msp/tlscacerts/
    cp $LOCAL_CA_PATH/hard.ifantasy.net/registers/admin1/msp/signcerts/cert.pem $LOCAL_CA_PATH/hard.ifantasy.net/msp/admincerts/cert.pem
    cp $LOCAL_ROOT_PATH/config/config-msp.yaml $LOCAL_CA_PATH/hard.ifantasy.net/msp/config.yaml
    echo "End Hard============================="

Configuring the channel
Running 3_Configtxgen.sh in the root directory completes the channel configuration needed for this experiment.
1. Start the orderer and peer containers:

    docker-compose -f $LOCAL_ROOT_PATH/compose/docker-compose.yaml up -d peer1.soft.ifantasy.net peer1.web.ifantasy.net peer1.hard.ifantasy.net
    docker-compose -f $LOCAL_ROOT_PATH/compose/docker-compose.yaml up -d orderer1.soft.ifantasy.net orderer1.web.ifantasy.net orderer1.hard.ifantasy.net

All containers needed for the experiment are now running: [Figure: containers needed for the experiment]
2. Create the genesis block:

    configtxgen -profile OrgsChannel -outputCreateChannelTx $LOCAL_ROOT_PATH/data/testchannel.tx -channelID testchannel
    configtxgen -profile OrgsChannel -outputBlock $LOCAL_ROOT_PATH/data/testchannel.block -channelID testchannel
    cp $LOCAL_ROOT_PATH/data/testchannel.block $LOCAL_CA_PATH/soft.ifantasy.net/assets/
    cp $LOCAL_ROOT_PATH/data/testchannel.block $LOCAL_CA_PATH/web.ifantasy.net/assets/
    cp $LOCAL_ROOT_PATH/data/testchannel.block $LOCAL_CA_PATH/hard.ifantasy.net/assets/

3. Join the three orderers to the testchannel channel:

    # Each organization joins its own orderer through that orderer's admin endpoint
    source envpeer1soft
    osnadmin channel list -o orderer1.soft.ifantasy.net:8252 --ca-file $ORDERER_CA --client-cert $ORDERER_ADMIN_TLS_SIGN_CERT --client-key $ORDERER_ADMIN_TLS_PRIVATE_KEY
    osnadmin channel join -o orderer1.soft.ifantasy.net:8252 --channelID testchannel --config-block $LOCAL_ROOT_PATH/data/testchannel.block --ca-file "$ORDERER_CA" --client-cert "$ORDERER_ADMIN_TLS_SIGN_CERT" --client-key "$ORDERER_ADMIN_TLS_PRIVATE_KEY"
    osnadmin channel list -o orderer1.soft.ifantasy.net:8252 --ca-file $ORDERER_CA --client-cert $ORDERER_ADMIN_TLS_SIGN_CERT --client-key $ORDERER_ADMIN_TLS_PRIVATE_KEY

    source envpeer1web
    osnadmin channel list -o orderer1.web.ifantasy.net:8352 --ca-file $ORDERER_CA --client-cert $ORDERER_ADMIN_TLS_SIGN_CERT --client-key $ORDERER_ADMIN_TLS_PRIVATE_KEY
    osnadmin channel join -o orderer1.web.ifantasy.net:8352 --channelID testchannel --config-block $LOCAL_ROOT_PATH/data/testchannel.block --ca-file "$ORDERER_CA" --client-cert "$ORDERER_ADMIN_TLS_SIGN_CERT" --client-key "$ORDERER_ADMIN_TLS_PRIVATE_KEY"
    osnadmin channel list -o orderer1.web.ifantasy.net:8352 --ca-file $ORDERER_CA --client-cert $ORDERER_ADMIN_TLS_SIGN_CERT --client-key $ORDERER_ADMIN_TLS_PRIVATE_KEY

    source envpeer1hard
    osnadmin channel list -o orderer1.hard.ifantasy.net:8452 --ca-file $ORDERER_CA --client-cert $ORDERER_ADMIN_TLS_SIGN_CERT --client-key $ORDERER_ADMIN_TLS_PRIVATE_KEY
    osnadmin channel join -o orderer1.hard.ifantasy.net:8452 --channelID testchannel --config-block $LOCAL_ROOT_PATH/data/testchannel.block --ca-file "$ORDERER_CA" --client-cert "$ORDERER_ADMIN_TLS_SIGN_CERT" --client-key "$ORDERER_ADMIN_TLS_PRIVATE_KEY"
    osnadmin channel list -o orderer1.hard.ifantasy.net:8452 --ca-file $ORDERER_CA --client-cert $ORDERER_ADMIN_TLS_SIGN_CERT --client-key $ORDERER_ADMIN_TLS_PRIVATE_KEY

4. Join the three organizations to the testchannel channel:

    source envpeer1soft
    peer channel join -b $LOCAL_CA_PATH/soft.ifantasy.net/assets/testchannel.block
    peer channel list
    source envpeer1web
    peer channel join -b $LOCAL_CA_PATH/web.ifantasy.net/assets/testchannel.block
    peer channel list
    source envpeer1hard
    peer channel join -b $LOCAL_CA_PATH/hard.ifantasy.net/assets/testchannel.block
    peer channel list

Deploying the test chaincode
Running 4_TestChaincode.sh in the root directory installs and tests the sample chaincode for this experiment.
1. Install the test chaincode in each organization:

    source envpeer1soft
    peer lifecycle chaincode install basic.tar.gz
    peer lifecycle chaincode queryinstalled
    source envpeer1web
    peer lifecycle chaincode install basic.tar.gz
    peer lifecycle chaincode queryinstalled
    source envpeer1hard
    peer lifecycle chaincode install basic.tar.gz
    peer lifecycle chaincode queryinstalled

2. Set the chaincode ID environment variable:

    export CHAINCODE_ID=basic_1:06613e463ef6694805dd896ca79634a2de36fdf019fa7976467e6e632104d718

3. Approve the chaincode, organization by organization.
The soft organization approves the chaincode:

    source envpeer1soft
    peer lifecycle chaincode approveformyorg -o orderer1.soft.ifantasy.net:8251 --tls --cafile $ORDERER_CA --channelID testchannel --name basic --version 1.0 --sequence 1 --waitForEvent --init-required --package-id $CHAINCODE_ID
    peer lifecycle chaincode queryapproved -C testchannel -n basic --sequence 1

The web organization approves the chaincode:

    source envpeer1web
    peer lifecycle chaincode approveformyorg -o orderer1.web.ifantasy.net:8351 --tls --cafile $ORDERER_CA --channelID testchannel --name basic --version 1.0 --sequence 1 --waitForEvent --init-required --package-id $CHAINCODE_ID
    peer lifecycle chaincode queryapproved -C testchannel -n basic --sequence 1

The hard organization approves the chaincode:

    source envpeer1hard
    peer lifecycle chaincode approveformyorg -o orderer1.hard.ifantasy.net:8451 --tls --cafile $ORDERER_CA --channelID testchannel --name basic --version 1.0 --sequence 1 --waitForEvent --init-required --package-id $CHAINCODE_ID
    peer lifecycle chaincode queryapproved -C testchannel -n basic --sequence 1

Note that the -o argument used by each organization when approving the chaincode can point to any one of the orderer services. [Figure: approving the chaincode]
4. Check the chaincode approval status:

    peer lifecycle chaincode checkcommitreadiness -o orderer1.soft.ifantasy.net:8251 --tls --cafile $ORDERER_CA --channelID testchannel --name basic --version 1.0 --sequence 1 --init-required

5. Test invoking the chaincode:

    source envpeer1soft
    # Commit the chaincode definition, confirm it, then initialise and query the ledger
    peer lifecycle chaincode commit -o orderer1.soft.ifantasy.net:8251 --tls --cafile $ORDERER_CA --channelID testchannel --name basic --init-required --version 1.0 --sequence 1 --peerAddresses peer1.soft.ifantasy.net:7251 --tlsRootCertFiles $CORE_PEER_TLS_ROOTCERT_FILE --peerAddresses peer1.web.ifantasy.net:7351 --tlsRootCertFiles $CORE_PEER_TLS_ROOTCERT_FILE
    peer lifecycle chaincode querycommitted --channelID testchannel --name basic -o orderer1.soft.ifantasy.net:8251 --tls --cafile $ORDERER_CA --peerAddresses peer1.soft.ifantasy.net:7251 --tlsRootCertFiles $CORE_PEER_TLS_ROOTCERT_FILE
    peer chaincode invoke --isInit -o orderer1.soft.ifantasy.net:8251 --tls --cafile $ORDERER_CA --channelID testchannel --name basic --peerAddresses peer1.soft.ifantasy.net:7251 --tlsRootCertFiles $CORE_PEER_TLS_ROOTCERT_FILE --peerAddresses peer1.web.ifantasy.net:7351 --tlsRootCertFiles $CORE_PEER_TLS_ROOTCERT_FILE -c '{"Args":["InitLedger"]}'
    sleep 3
    peer chaincode invoke -o orderer1.soft.ifantasy.net:8251 --tls --cafile $ORDERER_CA --channelID testchannel --name basic --peerAddresses peer1.soft.ifantasy.net:7251 --tlsRootCertFiles $CORE_PEER_TLS_ROOTCERT_FILE --peerAddresses peer1.web.ifantasy.net:7351 --tlsRootCertFiles $CORE_PEER_TLS_ROOTCERT_FILE -c '{"Args":["GetAllAssets"]}'

[Figure: test-invoking the chaincode]
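Common errors
No leader node

    Error: failed to send transaction: got unexpected status: SERVICE_UNAVAILABLE -- no Raft leader

The error above boils down to the orderers not having elected a leader. In that case, check the following:
- Whether the number of orderer nodes in the network is 2n+1; otherwise the election may fail to complete
- Whether ORDERER_GENERAL_LOCALMSPID of each orderer container is configured correctly; it must be the MSPID of the organization the orderer belongs to
- Whether the Policies of each organization in configtx.yaml are configured correctly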
Ordering nodes cannot communicate with each other

    2022-04-09 05:32:07.086 UTC 0032 ERRO [orderer.consensus.etcdraft] logSendFailure -> Failed to send StepRequest to 3, because: rpc error: code = Unavailable desc = connection error: desc = "transport: Error while dialing dial tcp 172.19.0.10:8451: connect: connection refused" channel=syschannel node=1

The cause of the error above is that the orderer nodes cannot reach each other; check whether the orderer addresses in configtx.yaml are correct. There is a big pitfall here: the port in every orderer-related setting in configtx.yaml must be the port the orderer listens on inside the container (ORDERER_GENERAL_LISTENPORT), not the port mapped outside the container. If the orderer container is configured as in the figure below, the orderer port in configtx.yaml must be 7050 and cannot be 8251 (so, to avoid conflicts, it is strongly recommended to set both ports to the same value, 8251). [Figure: example orderer configuration]
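
A pre-flight check for the port pitfall described above, as an added example that is not part of the original post. It compares each orderer address that would go into configtx.yaml with the port the matching container listens on, and reports when the host-mapped port was used instead; the service data and endpoint list are constructed for illustration (orderer1.web is deliberately misconfigured), and the function names are hypothetical.

```python
DEFAULT_LISTEN_PORT = 7050  # orderer default when ORDERER_GENERAL_LISTENPORT is unset

# Constructed sample shaped like the compose services on this page. orderer1.web is
# deliberately changed: no LISTENPORT override, host port 8351 published to 7050.
COMPOSE_ORDERERS = {
    "orderer1.soft.ifantasy.net": {
        "environment": ["ORDERER_GENERAL_LOCALMSPID=softMSP",
                        "ORDERER_GENERAL_LISTENPORT=8251"],
        "ports": ["8251:8251", "8252:8888", "8253:9999"],
    },
    "orderer1.web.ifantasy.net": {
        "environment": ["ORDERER_GENERAL_LOCALMSPID=webMSP"],
        "ports": ["8351:7050", "8352:8888", "8353:9999"],
    },
    "orderer1.hard.ifantasy.net": {
        "environment": ["ORDERER_GENERAL_LOCALMSPID=hardMSP",
                        "ORDERER_GENERAL_LISTENPORT=8451"],
        "ports": ["8451:8451", "8452:8888", "8453:9999"],
    },
}

# Constructed orderer addresses as they would appear in configtx.yaml.
CONFIGTX_ENDPOINTS = [
    "orderer1.soft.ifantasy.net:8251",
    "orderer1.web.ifantasy.net:8351",
    "orderer1.hard.ifantasy.net:8451",
]


def listen_port(service):
    """Port the orderer binds inside its container."""
    for entry in service.get("environment", []):
        key, _, value = entry.partition("=")
        if key.strip() == "ORDERER_GENERAL_LISTENPORT":
            return int(value.strip())
    return DEFAULT_LISTEN_PORT


def host_ports(service):
    """Map host-side port -> container-side port for each published port."""
    mapping = {}
    for entry in service.get("ports", []):
        parts = str(entry).split("/")[0].split(":")
        if len(parts) >= 2:  # "host:container" or "ip:host:container"
            mapping[int(parts[-2])] = int(parts[-1])
    return mapping


def check_endpoints(compose, endpoints):
    """Return (endpoint, status, expected_port) for every configtx address."""
    findings = []
    for endpoint in endpoints:
        host, _, port_text = endpoint.rpartition(":")
        service = compose.get(host)
        if service is None:
            findings.append((endpoint, "unknown-service", None))
            continue
        port = int(port_text)
        expected = listen_port(service)
        if port == expected:
            status = "ok"
        elif host_ports(service).get(port) == expected:
            # Other orderers dial the container name on the docker network,
            # where only the in-container port is open.
            status = "host-mapped-port"
        else:
            status = "mismatch"
        findings.append((endpoint, status, expected))
    return findings


if __name__ == "__main__":
    for endpoint, status, expected in check_endpoints(COMPOSE_ORDERERS, CONFIGTX_ENDPOINTS):
        print(f"{endpoint}: {status} (container listens on {expected})")
```
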
Peer nodes cannot communicate with each other

    Error: timed out waiting for txid on all peers

    2022-04-10 02:57:37.135 UTC 00a1 WARN [peer.blocksprovider] DeliverBlocks -> Got error while attempting to receive blocks: block from orderer could not be verified: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Writers' sub-policies to be satisfied channel=testchannel orderer-address=orderer1.soft.ifantasy.net:8251

The cause of the error is a lack of permission, usually a policy problem in configtx.yaml. In this experiment, the error is triggered if the Policies of all three organizations are set to the following:

    Policies:
      Readers:
        Type: Signature
        Rule: "OR('softMSP.admin', 'softMSP.peer', 'softMSP.client')"
      Writers:
        Type: Signature
        Rule: "OR('softMSP.admin', 'softMSP.client')"
      Admins:
        Type: Signature
        Rule: "OR('softMSP.admin')"
      Endorsement:
        Type: Signature
        Rule: "OR('softMSP.peer')"

Changing the Rule of Readers and Writers of any one organization (for example web) to member resolves the problem; after the fix, every step of the experiment gives the expected result:

    Policies:
      Readers:
        Type: Signature
        Rule: "OR('webMSP.member')"
      Writers:
        Type: Signature
        Rule: "OR('webMSP.member')"
      Admins:
        Type: Signature
        Rule: "OR('webMSP.admin')"
      Endorsement:
        Type: Signature
        Rule: "OR('webMSP.peer')"

As for why this happens, I have not yet found out; my guess is that the policies of ordinary organizations conflict with the policies the ordering nodes need, so I recommend keeping the ordering service independent of ordinary organizations.
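
A simplified model of the policy evaluation behind the log line above, as an added example that is not part of the original post and is not Fabric's own code. It assumes the block signer is an identity with the orderer role (registered with --id.type orderer, with NodeOUs enabled) and that block validation is an implicit "ANY Writers" policy over the organizations' Writers rules, as the log wording indicates; only flat OR(...) rules are handled, and the web and hard rules in BEFORE are constructed by mirroring the soft rule shown on this page.

```python
import re

# Constructed from the Policies blocks on this page: the page says all three
# organizations used the first form, so web and hard mirror soft's rules.
BEFORE = {
    "softMSP": {"Readers": "OR('softMSP.admin', 'softMSP.peer', 'softMSP.client')",
                "Writers": "OR('softMSP.admin', 'softMSP.client')"},
    "webMSP": {"Readers": "OR('webMSP.admin', 'webMSP.peer', 'webMSP.client')",
               "Writers": "OR('webMSP.admin', 'webMSP.client')"},
    "hardMSP": {"Readers": "OR('hardMSP.admin', 'hardMSP.peer', 'hardMSP.client')",
                "Writers": "OR('hardMSP.admin', 'hardMSP.client')"},
}
# The page's fix: web's Readers and Writers are changed to member.
AFTER = {**BEFORE, "webMSP": {"Readers": "OR('webMSP.member')",
                              "Writers": "OR('webMSP.member')"}}


def parse_or_rule(rule):
    """Turn "OR('Org.role', ...)" into a list of (msp_id, role) principals."""
    match = re.fullmatch(r"\s*OR\((.*)\)\s*", rule)
    if match is None:
        raise ValueError(f"only flat OR(...) rules are modelled: {rule!r}")
    principals = []
    for item in re.findall(r"'([^']+)'", match.group(1)):
        msp_id, _, role = item.rpartition(".")
        principals.append((msp_id, role))
    return principals


def rule_admits(rule, identity):
    """True if the (msp_id, role) identity satisfies the rule.

    'member' admits any valid identity of that MSP, whatever its role.
    """
    msp_id, role = identity
    return any(p_msp == msp_id and p_role in ("member", role)
               for p_msp, p_role in parse_or_rule(rule))


def satisfied_orgs(org_policies, name, signer):
    """Organizations whose sub-policy <name> is satisfied by the signer."""
    return [org for org, policies in org_policies.items()
            if rule_admits(policies[name], signer)]


def implicit_any(org_policies, name, signer):
    """Model of an implicit 'ANY <name>' policy: at least one org must be satisfied."""
    return len(satisfied_orgs(org_policies, name, signer)) >= 1


if __name__ == "__main__":
    for label, policies in (("before", BEFORE), ("after", AFTER)):
        for org in policies:
            signer = (org, "orderer")
            count = len(satisfied_orgs(policies, "Writers", signer))
            print(f"{label}: block signed by {org} orderer -> "
                  f"{count} 'Writers' sub-policies satisfied")
```

In this model no Writers rule admits an orderer-role signer before the change, which matches the "0 sub-policies were satisfied" wording in the log; after the change only a signer from webMSP is admitted.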