Hyperledegr Fabric BYFN 2: byfn.sh generate 操作分析
byfn例程分析-generate操作
#Create the network using docker compose
if [ "${MODE}" == "up" ]; then
networkUp
elif [ "${MODE}" == "down" ]; then ## Clear the network
networkDown
elif [ "${MODE}" == "generate" ]; then ## Generate Artifacts
generateCerts
replacePrivateKey
generateChannelArtifacts
elif [ "${MODE}" == "restart" ]; then ## Restart the network
networkDown
networkUp
elif [ "${MODE}" == "upgrade" ]; then ## Upgrade the network from version 1.2.x to 1.3.x
upgradeNetwork
else
printHelp
exit 1
fi
generate 模式会包含三个方法:
- generateCerts
- replacePrivateKey
- generateChannelArtifacts
generateCerts
generateCerts说明
这里会使用cryptogen工具来为我们的网络设备生成加密材料(x509 certs)
- 加密证书基于标准PKI实现,通过共识锚节点来实现验证。
- 运行往后,证书会打包在
crypto-config文件夹中
cryptogen需要crypto-config.yaml文件
cryptogen-config.yaml包含网络的拓扑结构,其可以用来生成相关Organizations及其组件的证书库,- 每个organization都有一个专属根证书
ca-cert来配置,ca-cert会将相关组件(peers和orderers)捆绑到该组织。
- 每个organization都有一个专属根证书
Fabeic的交易和通信会由设备的私钥keystore来注册生成,可以通过公钥signcets来进行验证
-
count变量 - 标识organization中的peer数量,在该例子中为单organization两个peer的构架
核心语句: cryptogen generate --config=./crypto-config.yaml
-
依赖文件:
crypto-config.yamlOrdererOrgs: #定义管理排序结点的organizations - Name: Orderer Domain: example.com Specs: #自定义host - Hostname: orderer PeerOrgs: #定义管理peer结点的organizations - Name: Org1 Domain: org1.example.com EnableNodeOUs: true #允许节点 OUS -> out of service暂停服务 #从一个模板来顺序定义一个或多个host。 #默认格式:peer%d,(0到count-1) #`Count`:结点数量, Template: Count: 2 Users: Count: 1 - Name: Org2 Domain: org2.example.com EnableNodeOUs: true Template: Count: 2 Users: Count: 1
generateCerts源码
# Generates Org certs using cryptogen tool
function generateCerts() {
which cryptogen
if [ "$?" -ne 0 ]; then
echo "cryptogen tool not found. exiting"
exit 1
fi
echo
echo "##########################################################"
echo "##### Generate certificates using cryptogen tool #########"
echo "##########################################################"
if [ -d "crypto-config" ]; then
rm -Rf crypto-config
fi
set -x
cryptogen generate --config=./crypto-config.yaml
res=$?
set +x
if [ $res -ne 0 ]; then
echo "Failed to generate certificates..."
exit 1
fi
echo
}
replacePrivateKey
replacePrivateKey说明
基于docker-compose-e2e-template.yaml,将其中的私钥文件名称替换为cryptogen工具生成的,然后生成一个私钥专属的docker-compose-e2e.yaml。
涉及目录:
crypto-config/peerOrganizations/org1.example.com/ca/crypto-config/peerOrganizations/org2.example.com/ca/
replacePrivateKey源码
这里去除源码中mac设定
function replacePrivateKey() {
# Copy the template to the file that will be modified to add the private key
cp docker-compose-e2e-template.yaml docker-compose-e2e.yaml
# 接下来将使用两个CA的私钥文件名称替换到模板对应处
CURRENT_DIR=$PWD
cd crypto-config/peerOrganizations/org1.example.com/ca/
PRIV_KEY=$(ls *_sk)
cd "$CURRENT_DIR"
sed $OPTS "s/CA1_PRIVATE_KEY/${PRIV_KEY}/g" docker-compose-e2e.yaml
cd crypto-config/peerOrganizations/org2.example.com/ca/
PRIV_KEY=$(ls *_sk)
cd "$CURRENT_DIR"
sed $OPTS "s/CA2_PRIVATE_KEY/${PRIV_KEY}/g" docker-compose-e2e.yaml
}
generateChannelArtifact
generateChannelArtifact说明
使用configtxgen工具生成四种材料
-
- 创世区块 orderder bootstrap block
- orderer block是排序服务的创世区块
-
- 通道配置 fabric channel configuration transaction
- 在通道创建的时候,通道配置交易文件会广播到排序结点
-
- 两个锚节点定义,每个organization各一个 anchor peer transactions
- 锚节点交易指定了每个organization在通道上的锚节点
configtxgen需要configtx.yaml文件,其包含样例网络的定义。
- 三个成员
- Orderer Org
OrdererOrg - Peer Org
Org1 - Peer Org
Org2
- Orderer Org
- Peer Org是负责管理和维护相关的peer结点。
- 文件中定义了一个consortium
SampleConsortium,其有上述的两个Peer Orgs构成 - 请注意该文件上面的
Profiles部分,有两个特殊的头部标识-
-
TwoOrgsOrdererGenesis - 用于orderer genesis block
-
-
-
TwoOrgsChannel - 用于通道
-
- 这些头部标识是生成材料的参数
-
- 文件中的附加操作
- Peer Org的锚节点anchor peer
peer0.org1.example.compeer0.org2.example.com
- 指明每个成员的MSP目录位置,其将会为每个组织在排序创世区块存储根证书
- 网络设备与排序服务进行通信时,可以利用根证书获得数字认证通过
- Peer Org的锚节点anchor peer
该函数将会产生加密材料和4个配置材料,并输出这些文件到channel-artifacts文件夹中。
如果收到以下警告,可以忽略
[bccsp] GetDefault -> WARN 001 Before using BCCSP, please call InitFactories(). Falling back to bootBCCSP.
这里不涉及相关中心证书的加密实现。
configtx.yaml文件
Organizations
定义设置中的组织身份
Organizations:
- &OrdererOrg
Name: OrdererOrg
ID: OrdererMSP
MSPDir: crypto-config/ordererOrganizations/example.com/msp
Policies:
Readers:
Type: Signature
Rule: "OR('OrdererMSP.member')"
Writers:
Type: Signature
Rule: "OR('OrdererMSP.member')"
Admins:
Type: Signature
Rule: "OR('OrdererMSP.admin')"
- &Org1
Name: Org1MSP
ID: Org1MSP
MSPDir: crypto-config/peerOrganizations/org1.example.com/msp
Policies:
Readers:
Type: Signature
Rule: "OR('Org1MSP.admin', 'Org1MSP.peer', 'Org1MSP.client')"
Writers:
Type: Signature
Rule: "OR('Org1MSP.admin', 'Org1MSP.client')"
Admins:
Type: Signature
Rule: "OR('Org1MSP.admin')"
AnchorPeers:
# AnchorPeers定义了跨组织的通信的相关结点位置。此值仅支持在genesis block中进行编辑。
- Host: peer0.org1.example.com
Port: 7051
- &Org2
Name: Org2MSP
ID: Org2MSP
MSPDir: crypto-config/peerOrganizations/org2.example.com/msp
Policies:
Readers:
Type: Signature
Rule: "OR('Org2MSP.admin', 'Org2MSP.peer', 'Org2MSP.client')"
Writers:
Type: Signature
Rule: "OR('Org2MSP.admin', 'Org2MSP.client')"
Admins:
Type: Signature
Rule: "OR('Org2MSP.admin')"
AnchorPeers:
- Host: peer0.org2.example.com
Port: 7051
Capabilities
定义fabric network的兼容性
Capabilities:
Channel: &ChannelCapabilities
V1_3: true
Orderer: &OrdererCapabilities
V1_1: true
Application: &ApplicationCapabilities
V1_3: true
V1_2: false
V1_1: false
Application
Application: &ApplicationDefaults
Organizations: # 定义在参与网络应用端的orgs列表
Policies:
Readers:
Type: ImplicitMeta
Rule: "ANY Readers"
Writers:
Type: ImplicitMeta
Rule: "ANY Writers"
Admins:
Type: ImplicitMeta
Rule: "MAJORITY Admins"
Capabilities:
<<: *ApplicationCapabilities
Orderer
定义
Orderer: &OrdererDefaults
OrdererType: solo #可选不能参数仅有solo和kafka
Addresses:
- orderer.example.com:7050
BatchTimeout: 2s
BatchSize:
MaxMessageCount: 10
AbsoluteMaxBytes: 99 MB
PreferredMaxBytes: 512 KB
Kafka:
Brokers:
- 127.0.0.1:9092
Organizations:
Policies:
Readers:
Type: ImplicitMeta
Rule: "ANY Readers"
Writers:
Type: ImplicitMeta
Rule: "ANY Writers"
Admins:
Type: ImplicitMeta
Rule: "MAJORITY Admins"
BlockValidation:
Type: ImplicitMeta
Rule: "ANY Writers"
channel
Channel: &ChannelDefaults
Policies:
Readers:
Type: ImplicitMeta
Rule: "ANY Readers"
Writers:
Type: ImplicitMeta
Rule: "ANY Writers"
Admins:
Type: ImplicitMeta
Rule: "MAJORITY Admins"
Capabilities:
<<: *ChannelCapabilities
Profiles
Profiles:
TwoOrgsOrdererGenesis:
<<: *ChannelDefaults
Orderer:
<<: *OrdererDefaults
Organizations:
- *OrdererOrg
Capabilities:
<<: *OrdererCapabilities
Consortiums:
SampleConsortium:
Organizations:
- *Org1
- *Org2
TwoOrgsChannel:
Consortium: SampleConsortium
Application:
<<: *ApplicationDefaults
Organizations:
- *Org1
- *Org2
Capabilities:
<<: *ApplicationCapabilities
SampleDevModeKafka:
<<: *ChannelDefaults
Capabilities:
<<: *ChannelCapabilities
Orderer:
<<: *OrdererDefaults
OrdererType: kafka # 比TwoOrgsOrdererGenesis多的设定
Kafka: # 比TwoOrgsOrdererGenesis多的设定
Brokers:
- kafka.example.com:9092
Organizations:
- *OrdererOrg
Capabilities:
<<: *OrdererCapabilities
Application: # 比TwoOrgsOrdererGenesis多的设定
<<: *ApplicationDefaults
Organizations:
- <<: *OrdererOrg
Consortiums:
SampleConsortium:
Organizations:
- *Org1
- *Org2
Generating Orderer Genesis block
configtxgen -profile TwoOrgsOrdererGenesis -channelID byfn-sys-channel -outputBlock ./channel-artifacts/genesis.block
创世区块中会写入共识。
Generating channel configuration transaction ‘channel.tx’
configtxgen -profile TwoOrgsChannel -outputCreateChannelTx ./channel-artifacts/channel.tx -channelID $CHANNEL_NAME
Generating anchor peer update for Org1MSP
configtxgen -profile TwoOrgsChannel -outputAnchorPeersUpdate ./channel-artifacts/Org1MSPanchors.tx -channelID $CHANNEL_NAME -asOrg Org1MSP
Generating anchor peer update for Org2MSP
configtxgen -profile TwoOrgsChannel -outputAnchorPeersUpdate ./channel-artifacts/Org2MSPanchors.tx -channelID $CHANNEL_NAME -asOrg Org2MSP
generateChannelArtifact源码
# Generate orderer genesis block, channel configuration transaction and
# anchor peer update transactions
function generateChannelArtifacts() {
#查找configtxen
which configtxgen
if [ "$?" -ne 0 ]; then
echo "configtxgen tool not found. exiting"
exit 1
fi
echo "##########################################################"
echo "######### Generating Orderer Genesis block ##############"
echo "##########################################################"
# Note: 由于未知原因,现在区块文件不能命名为 orderer.genesis.block,否则orderer会不能执行
echo "CONSENSUS_TYPE="$CONSENSUS_TYPE #共识类型
set -x
# 默认共识类型为solo
if [ "$CONSENSUS_TYPE" == "solo" ]; then
configtxgen -profile TwoOrgsOrdererGenesis -channelID byfn-sys-channel -outputBlock ./channel-artifacts/genesis.block
elif [ "$CONSENSUS_TYPE" == "kafka" ]; then
configtxgen -profile SampleDevModeKafka -channelID byfn-sys-channel -outputBlock ./channel-artifacts/genesis.block
else
set +x
echo "unrecognized CONSESUS_TYPE='$CONSENSUS_TYPE'. exiting"
exit 1
fi
res=$?
set +x
if [ $res -ne 0 ]; then
echo "Failed to generate orderer genesis block..."
exit 1
fi
echo
echo "#################################################################"
echo "### Generating channel configuration transaction 'channel.tx' ###"
echo "#################################################################"
set -x
configtxgen -profile TwoOrgsChannel -outputCreateChannelTx ./channel-artifacts/channel.tx -channelID $CHANNEL_NAME
res=$?
set +x
if [ $res -ne 0 ]; then
echo "Failed to generate channel configuration transaction..."
exit 1
fi
echo
echo "#################################################################"
echo "####### Generating anchor peer update for Org1MSP ##########"
echo "#################################################################"
set -x
configtxgen -profile TwoOrgsChannel -outputAnchorPeersUpdate ./channel-artifacts/Org1MSPanchors.tx -channelID $CHANNEL_NAME -asOrg Org1MSP
res=$?
set +x
if [ $res -ne 0 ]; then
echo "Failed to generate anchor peer update for Org1MSP..."
exit 1
fi
echo
echo "#################################################################"
echo "####### Generating anchor peer update for Org2MSP ##########"
echo "#################################################################"
set -x
configtxgen -profile TwoOrgsChannel -outputAnchorPeersUpdate \
./channel-artifacts/Org2MSPanchors.tx -channelID $CHANNEL_NAME -asOrg Org2MSP
res=$?
set +x
if [ $res -ne 0 ]; then
echo "Failed to generate anchor peer update for Org2MSP..."
exit 1
fi
echo
}