Hyperledger Fabric BYFN 2: analysis of the byfn.sh generate operation

BYFN example analysis: the generate operation

#Create the network using docker compose
if [ "${MODE}" == "up" ]; then
  networkUp
elif [ "${MODE}" == "down" ]; then ## Clear the network
  networkDown
elif [ "${MODE}" == "generate" ]; then ## Generate Artifacts
  generateCerts
  replacePrivateKey
  generateChannelArtifacts
elif [ "${MODE}" == "restart" ]; then ## Restart the network
  networkDown
  networkUp
elif [ "${MODE}" == "upgrade" ]; then ## Upgrade the network from version 1.2.x to 1.3.x
  upgradeNetwork
else
  printHelp
  exit 1
fi

The generate mode calls three functions:

  • generateCerts
  • replacePrivateKey
  • generateChannelArtifacts

generateCerts

About generateCerts

The cryptogen tool is used here to generate the cryptographic material (x509 certificates) for the network entities.

  • The certificates are based on a standard PKI implementation; validation is achieved through a common trust anchor.
  • After the run, the certificates are placed in the crypto-config folder.

cryptogen needs the crypto-config.yaml file

  • crypto-config.yaml contains the network topology and is used to generate the certificate store for each organization and its components.
    • Each organization is provisioned with a dedicated root certificate (ca-cert), which binds the organization's components (peers and orderers) to that organization.

Transactions and communication in Fabric are signed with an entity's private key (keystore) and can be verified with its public key (signcerts).

The Count variable
Specifies the number of peers in an organization; in this example each organization has two peers.

Core command: cryptogen generate --config=./crypto-config.yaml

  • Dependency: crypto-config.yaml

    OrdererOrgs: # organizations that manage ordering nodes
      - Name: Orderer
        Domain: example.com
        Specs: # explicitly named hosts
          - Hostname: orderer
    PeerOrgs: # organizations that manage peer nodes
      - Name: Org1
        Domain: org1.example.com
        EnableNodeOUs: true # enable Node OUs: the OU field of an identity's certificate determines its role (peer or client)

        # Template defines one or more hosts sequentially from a pattern.
        # Default host name format: peer%d, for 0 to Count-1
        # Count: number of nodes
        Template:
          Count: 2
        Users:
          Count: 1
      - Name: Org2
        Domain: org2.example.com
        EnableNodeOUs: true
        Template:
          Count: 2
        Users:
          Count: 1
    
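Added example, not part of byfn.sh or the original post: a POSIX sh check that, after cryptogen has run, every peer implied by the Template rule (peer0 to peer<Count-1> under the org's domain) has exactly one private key in msp/keystore and a signing certificate in msp/signcerts. The cryptogen output layout is assumed; the make_fixture helper builds a constructed directory tree with empty placeholder files instead of real keys so the check can be exercised offline.

```shell
# Added example, not byfn.sh code. Assumes the standard cryptogen layout:
# <root>/peerOrganizations/<domain>/peers/peer<i>.<domain>/msp/{keystore,signcerts}

# Count the existing files among the given names (an unmatched glob
# expands to itself, so the -e test filters it out).
count_files() {
  n=0
  for f in "$@"; do [ -e "$f" ] && n=$((n + 1)); done
  echo "$n"
}

# check_peer_org <crypto-config root> <org domain> <Template.Count>
# Prints the number of peers whose MSP material is missing or ambiguous.
check_peer_org() {
  root=$1; domain=$2; count=$3; problems=0; i=0
  while [ "$i" -lt "$count" ]; do
    msp="$root/peerOrganizations/$domain/peers/peer$i.$domain/msp"
    nkeys=$(count_files "$msp"/keystore/*_sk)
    ncerts=$(count_files "$msp"/signcerts/*.pem)
    # exactly one private key, and at least one signing cert, per peer
    if [ "$nkeys" -ne 1 ] || [ "$ncerts" -lt 1 ]; then
      echo "peer$i.$domain: keystore=$nkeys signcerts=$ncerts" >&2
      problems=$((problems + 1))
    fi
    i=$((i + 1))
  done
  echo "$problems"
}

# make_fixture <root> <org domain> <peer count>: constructed sample tree with
# empty placeholder files standing in for the real key and certificate files.
make_fixture() {
  root=$1; domain=$2; count=$3; i=0
  while [ "$i" -lt "$count" ]; do
    msp="$root/peerOrganizations/$domain/peers/peer$i.$domain/msp"
    mkdir -p "$msp/keystore" "$msp/signcerts"
    touch "$msp/keystore/placeholder${i}_sk" "$msp/signcerts/peer$i.$domain-cert.pem"
    i=$((i + 1))
  done
}
```

Run check_peer_org against the real crypto-config directory with the Count from crypto-config.yaml; a non-zero result means the network should not be started with that material.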

generateCerts source

# Generates Org certs using cryptogen tool
function generateCerts() {
  which cryptogen
  if [ "$?" -ne 0 ]; then
    echo "cryptogen tool not found. exiting"
    exit 1
  fi
  echo
  echo "##########################################################"
  echo "##### Generate certificates using cryptogen tool #########"
  echo "##########################################################"

  if [ -d "crypto-config" ]; then
    rm -Rf crypto-config
  fi
  set -x
  cryptogen generate --config=./crypto-config.yaml
  res=$?
  set +x
  if [ $res -ne 0 ]; then
    echo "Failed to generate certificates..."
    exit 1
  fi
  echo
}

replacePrivateKey

About replacePrivateKey

Starting from docker-compose-e2e-template.yaml, the private key file name placeholders are replaced with the names of the keys generated by cryptogen, producing a docker-compose-e2e.yaml that is specific to those private keys.

Directories involved:

  • crypto-config/peerOrganizations/org1.example.com/ca/
  • crypto-config/peerOrganizations/org2.example.com/ca/

replacePrivateKey source

The macOS-specific sed settings from the original source are left out here.

function replacePrivateKey() {
  # Copy the template to the file that will be modified to add the private key
  cp docker-compose-e2e-template.yaml docker-compose-e2e.yaml

  # In-place flag for GNU sed; the original script also derives a macOS variant, omitted here
  OPTS="-i"

  # Substitute the file names of the two CA private keys into the template
  CURRENT_DIR=$PWD
  cd crypto-config/peerOrganizations/org1.example.com/ca/
  PRIV_KEY=$(ls *_sk)
  cd "$CURRENT_DIR"
  sed $OPTS "s/CA1_PRIVATE_KEY/${PRIV_KEY}/g" docker-compose-e2e.yaml
  cd crypto-config/peerOrganizations/org2.example.com/ca/
  PRIV_KEY=$(ls *_sk)
  cd "$CURRENT_DIR"
  sed $OPTS "s/CA2_PRIVATE_KEY/${PRIV_KEY}/g" docker-compose-e2e.yaml
}
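A stricter variant of replacePrivateKey, added here as an example and not taken from byfn.sh: it requires exactly one *_sk file in each CA directory before substituting (the original's `ls *_sk` silently yields an empty or multi-line value otherwise), writes through a temporary file instead of sed -i so it behaves the same on Linux and macOS, and fails if any placeholder survives. The make_template_fixture helper, its two-line template and the fake key names are constructed for the demonstration.

```shell
# Added example, not byfn.sh code.
# replace_private_key_strict <template> <output> <crypto-config root>
replace_private_key_strict() {
  template=$1; out=$2; root=$3
  cp "$template" "$out" || return 1
  for org in 1 2; do
    cadir="$root/peerOrganizations/org$org.example.com/ca"
    key=""; n=0
    # collect the CA private key name; more than one is an error, not a guess
    for f in "$cadir"/*_sk; do
      [ -e "$f" ] || continue
      key=$(basename "$f"); n=$((n + 1))
    done
    if [ "$n" -ne 1 ]; then
      echo "org$org: expected exactly one *_sk in $cadir, found $n" >&2
      return 1
    fi
    # temp file plus rename instead of sed -i (portable across sed versions);
    # '|' is the delimiter because cryptogen's hex key names never contain it
    sed "s|CA${org}_PRIVATE_KEY|$key|g" "$out" > "$out.tmp" && mv "$out.tmp" "$out" || return 1
  done
  # a surviving placeholder would make the compose file reference a key
  # path that does not exist when the CA container starts
  if grep -q 'CA[0-9]_PRIVATE_KEY' "$out"; then
    echo "unreplaced placeholder remains in $out" >&2
    return 1
  fi
  return 0
}

# make_template_fixture <dir>: constructed sample template and fake CA
# directories with empty placeholder files named like cryptogen's keys.
make_template_fixture() {
  dir=$1
  for org in 1 2; do
    mkdir -p "$dir/crypto-config/peerOrganizations/org$org.example.com/ca"
  done
  touch "$dir/crypto-config/peerOrganizations/org1.example.com/ca/aaaa1111_sk"
  touch "$dir/crypto-config/peerOrganizations/org2.example.com/ca/bbbb2222_sk"
  printf 'ca0_key: CA1_PRIVATE_KEY\nca1_key: CA2_PRIVATE_KEY\n' \
    > "$dir/docker-compose-e2e-template.yaml"
}
```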

generateChannelArtifacts

About generateChannelArtifacts

The configtxgen tool generates four artifacts:

  • Genesis block (orderer bootstrap block)
    The orderer block is the genesis block of the ordering service.
  • Channel configuration (fabric channel configuration transaction)
    When the channel is created, the channel configuration transaction is broadcast to the orderer.
  • Two anchor peer definitions, one per organization (anchor peer transactions)
    The anchor peer transactions specify each organization's anchor peer on the channel.

configtxgen needs the configtx.yaml file, which contains the definition of the sample network.

  • Three members
    • Orderer Org: OrdererOrg
    • Peer Org: Org1
    • Peer Org: Org2
  • A Peer Org is responsible for managing and maintaining its peer nodes.
  • The file defines one consortium, SampleConsortium, made up of the two Peer Orgs above.
  • Note the Profiles section of the file, which contains two special profile headers:
    • TwoOrgsOrdererGenesis
      used for the orderer genesis block
    • TwoOrgsChannel
      used for the channel
    • These headers are passed as parameters when generating the artifacts.
  • Additional settings in the file
    • The anchor peer of each Peer Org
      • peer0.org1.example.com
      • peer0.org2.example.com
    • The MSP directory location of each member; the root certificate of each organization is stored in the orderer genesis block
      • When network entities communicate with the ordering service, these root certificates are used to authenticate them.

This step produces the crypto material and four configuration artifacts, and writes the artifacts to the channel-artifacts folder.

The following warning can be ignored if it appears:

[bccsp] GetDefault -> WARN 001 Before using BCCSP, please call InitFactories(). Falling back to bootBCCSP.

The underlying crypto provider implementation is not covered here.

The configtx.yaml file

Organizations

Defines the organization identities used in the configuration

Organizations:
  - &OrdererOrg
    Name: OrdererOrg
    ID: OrdererMSP
    MSPDir: crypto-config/ordererOrganizations/example.com/msp
    Policies:
      Readers:
        Type: Signature
        Rule: "OR('OrdererMSP.member')"
      Writers:
        Type: Signature
        Rule: "OR('OrdererMSP.member')"
      Admins:
        Type: Signature
        Rule: "OR('OrdererMSP.admin')"

  - &Org1
    Name: Org1MSP
    ID: Org1MSP
    MSPDir: crypto-config/peerOrganizations/org1.example.com/msp
    Policies:
      Readers:
        Type: Signature
        Rule: "OR('Org1MSP.admin', 'Org1MSP.peer', 'Org1MSP.client')"
      Writers:
        Type: Signature
        Rule: "OR('Org1MSP.admin', 'Org1MSP.client')"
      Admins:
        Type: Signature
        Rule: "OR('Org1MSP.admin')"
    AnchorPeers:
    # AnchorPeers defines the locations of the peers used for cross-organization communication. This value can only be edited in the genesis block.
      - Host: peer0.org1.example.com
        Port: 7051

  - &Org2
    Name: Org2MSP
    ID: Org2MSP
    MSPDir: crypto-config/peerOrganizations/org2.example.com/msp
    Policies:
      Readers:
        Type: Signature
        Rule: "OR('Org2MSP.admin', 'Org2MSP.peer', 'Org2MSP.client')"
      Writers:
        Type: Signature
        Rule: "OR('Org2MSP.admin', 'Org2MSP.client')"
      Admins:
        Type: Signature
        Rule: "OR('Org2MSP.admin')"
    AnchorPeers:
      - Host: peer0.org2.example.com
        Port: 7051

Capabilities

Defines the capability levels (version compatibility) of the fabric network

Capabilities:
  Channel: &ChannelCapabilities
    V1_3: true
  Orderer: &OrdererCapabilities
    V1_1: true
  Application: &ApplicationCapabilities
    V1_3: true
    V1_2: false
    V1_1: false

Application

Application: &ApplicationDefaults
  Organizations: # list of orgs participating on the application side of the network
  Policies:
    Readers:
      Type: ImplicitMeta
      Rule: "ANY Readers"
    Writers:
      Type: ImplicitMeta
      Rule: "ANY Writers"
    Admins:
      Type: ImplicitMeta
      Rule: "MAJORITY Admins"
  Capabilities:
    <<: *ApplicationCapabilities

Orderer

Orderer defaults

Orderer: &OrdererDefaults
  OrdererType: solo # available options are solo and kafka
  Addresses:
    - orderer.example.com:7050
  BatchTimeout: 2s
  BatchSize:
    MaxMessageCount: 10
    AbsoluteMaxBytes: 99 MB
    PreferredMaxBytes: 512 KB

  Kafka:
    Brokers:
      - 127.0.0.1:9092

  Organizations:

  Policies:
    Readers:
      Type: ImplicitMeta
      Rule: "ANY Readers"
    Writers:
      Type: ImplicitMeta
      Rule: "ANY Writers"
    Admins:
      Type: ImplicitMeta
      Rule: "MAJORITY Admins"
    BlockValidation:
      Type: ImplicitMeta
      Rule: "ANY Writers"

Channel

Channel: &ChannelDefaults
  Policies:
    Readers:
      Type: ImplicitMeta
      Rule: "ANY Readers"
    Writers:
      Type: ImplicitMeta
      Rule: "ANY Writers"
    Admins:
      Type: ImplicitMeta
      Rule: "MAJORITY Admins"
  Capabilities:
    <<: *ChannelCapabilities

Profiles

Profiles:
  TwoOrgsOrdererGenesis:
    <<: *ChannelDefaults
    Orderer:
      <<: *OrdererDefaults
      Organizations:
        - *OrdererOrg
      Capabilities:
        <<: *OrdererCapabilities
    Consortiums:
      SampleConsortium:
        Organizations:
          - *Org1
          - *Org2

  TwoOrgsChannel:
    Consortium: SampleConsortium
    Application:
      <<: *ApplicationDefaults
      Organizations:
        - *Org1
        - *Org2
      Capabilities:
        <<: *ApplicationCapabilities

  SampleDevModeKafka:
    <<: *ChannelDefaults
    Capabilities:
      <<: *ChannelCapabilities
    Orderer:
      <<: *OrdererDefaults
      OrdererType: kafka # setting not present in TwoOrgsOrdererGenesis
      Kafka: # setting not present in TwoOrgsOrdererGenesis
        Brokers:
        - kafka.example.com:9092
      Organizations:
      - *OrdererOrg
      Capabilities:
        <<: *OrdererCapabilities
    Application: # setting not present in TwoOrgsOrdererGenesis
      <<: *ApplicationDefaults
      Organizations:
      - <<: *OrdererOrg
    Consortiums:
      SampleConsortium:
        Organizations:
        - *Org1
        - *Org2

Generating the orderer genesis block

configtxgen -profile TwoOrgsOrdererGenesis -channelID byfn-sys-channel -outputBlock ./channel-artifacts/genesis.block

The consensus configuration is written into the genesis block.

Generating the channel configuration transaction 'channel.tx'

configtxgen -profile TwoOrgsChannel -outputCreateChannelTx ./channel-artifacts/channel.tx -channelID $CHANNEL_NAME

Generating the anchor peer update for Org1MSP

configtxgen -profile TwoOrgsChannel -outputAnchorPeersUpdate ./channel-artifacts/Org1MSPanchors.tx -channelID $CHANNEL_NAME -asOrg Org1MSP

Generating the anchor peer update for Org2MSP

configtxgen -profile TwoOrgsChannel -outputAnchorPeersUpdate ./channel-artifacts/Org2MSPanchors.tx -channelID $CHANNEL_NAME -asOrg Org2MSP

generateChannelArtifacts source

# Generate orderer genesis block, channel configuration transaction and
# anchor peer update transactions
function generateChannelArtifacts() {
  # locate configtxgen
  which configtxgen
  if [ "$?" -ne 0 ]; then
    echo "configtxgen tool not found. exiting"
    exit 1
  fi

  echo "##########################################################"
  echo "#########  Generating Orderer Genesis block ##############"
  echo "##########################################################"
  # Note: for an unknown reason the block file currently cannot be named orderer.genesis.block, or the orderer fails to start
  echo "CONSENSUS_TYPE="$CONSENSUS_TYPE # consensus type
  set -x
  # the default consensus type is solo
  if [ "$CONSENSUS_TYPE" == "solo" ]; then
    configtxgen -profile TwoOrgsOrdererGenesis -channelID byfn-sys-channel -outputBlock ./channel-artifacts/genesis.block
  elif [ "$CONSENSUS_TYPE" == "kafka" ]; then
    configtxgen -profile SampleDevModeKafka -channelID byfn-sys-channel -outputBlock ./channel-artifacts/genesis.block
  else
    set +x
    echo "unrecognized CONSENSUS_TYPE='$CONSENSUS_TYPE'. exiting"
    exit 1
  fi
  res=$?
  set +x
  if [ $res -ne 0 ]; then
    echo "Failed to generate orderer genesis block..."
    exit 1
  fi
  echo
  echo "#################################################################"
  echo "### Generating channel configuration transaction 'channel.tx' ###"
  echo "#################################################################"
  set -x
  configtxgen -profile TwoOrgsChannel -outputCreateChannelTx ./channel-artifacts/channel.tx -channelID $CHANNEL_NAME
  res=$?
  set +x
  if [ $res -ne 0 ]; then
    echo "Failed to generate channel configuration transaction..."
    exit 1
  fi

  echo
  echo "#################################################################"
  echo "#######    Generating anchor peer update for Org1MSP   ##########"
  echo "#################################################################"
  set -x
  configtxgen -profile TwoOrgsChannel -outputAnchorPeersUpdate ./channel-artifacts/Org1MSPanchors.tx -channelID $CHANNEL_NAME -asOrg Org1MSP
  res=$?
  set +x
  if [ $res -ne 0 ]; then
    echo "Failed to generate anchor peer update for Org1MSP..."
    exit 1
  fi

  echo
  echo "#################################################################"
  echo "#######    Generating anchor peer update for Org2MSP   ##########"
  echo "#################################################################"
  set -x
  configtxgen -profile TwoOrgsChannel -outputAnchorPeersUpdate \
    ./channel-artifacts/Org2MSPanchors.tx -channelID $CHANNEL_NAME -asOrg Org2MSP
  res=$?
  set +x
  if [ $res -ne 0 ]; then
    echo "Failed to generate anchor peer update for Org2MSP..."
    exit 1
  fi
  echo
}
