Hyperledger Fabric Manual Deployment

Background

The official deployment is heavily wrapped: even when it succeeds, you are left with little understanding of the components inside. This time the network is built by hand, piece by piece, on three virtual machines running CentOS 7. Because I am building this at the office, where IP addresses are audited, I used NAT mode; the only thing to watch for is port conflicts. We start with a simple Fabric chain to get familiar with the parts; the overall architecture is shown below.
[Figure 1: overall architecture of the network]

Preparation before installing

VirtualBox: https://www.virtualbox.org/wiki/Downloads
CentOS 7: https://www.centos.org/download/
PuTTY (SSH client): https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html
FileZilla (FTP client): https://filezilla-project.org/download.php?type=client

NAT configuration:

Org1 Orderer & Peer0
[Figure 2: NAT port-forwarding rules for the Org1 orderer/peer0 VM]

Org1 Peer1
[Figure 3: NAT port-forwarding rules for the Org1 peer1 VM]

Org2 Peer0
[Figure 4: NAT port-forwarding rules for the Org2 peer0 VM]

CentOS 7 guest network configuration; do this on all three servers:

Basic network setup
vi /etc/sysconfig/network-scripts/ifcfg-enp0s3
then set ONBOOT=yes
service network restart
verify: ping 10.222.48.152

vi /etc/hosts and append the hostname-to-IP mappings below; pinging the hostnames verifies them. The components in the architecture diagram are identified inside the Fabric network by these hostnames.
//
10.222.48.152 orderer.example.com
10.222.48.152 peer0.org1.example.com
10.222.48.152 peer1.org1.example.com
10.222.48.152 peer0.org2.example.com
//


Firewall: every port listed in the NAT rules above has to be opened on the corresponding server; remember that it is the Guest Port you open.
firewall-cmd --zone=public --add-port=22/tcp --permanent
firewall-cmd --reload
verify:
on the host machine: telnet 10.222.48.152 <Host Port from the NAT rule>

If you want to change the hostname:
hostnamectl set-hostname orderer

Install Docker
yum install -y docker
vi /etc/sysconfig/docker-storage and overwrite the file with the following content
//
DOCKER_STORAGE_OPTIONS="--storage-driver devicemapper "
//
systemctl start docker

Install the basic Fabric components
docker pull hyperledger/fabric-javaenv:x86_64-1.1.0
docker pull hyperledger/fabric-ccenv:x86_64-1.1.0
docker pull hyperledger/fabric-baseos:x86_64-0.4.6

yum install -y wget
mkdir /root/fabric-deploy
cd /root/fabric-deploy

Download the Fabric network helper tools
wget https://nexus.hyperledger.org/content/repositories/releases/org/hyperledger/fabric/hyperledger-fabric/linux-amd64-1.1.0/hyperledger-fabric-linux-amd64-1.1.0.tar.gz
tar -xvf hyperledger-fabric-linux-amd64-1.1.0.tar.gz

On the host machine (Windows in my case) a port is sometimes already taken by a server that VirtualBox has started. These two commands show who is holding it; either stop the virtual server and restart it, or change the port in the NAT forwarding rule (the NAT forwarding ports are covered in detail later).
netstat -aon | findstr "<port>"
tasklist | findstr "<PID>"

Starting the installation

First, get to know the helper tools

ll /root/fabric-deploy/bin
configtxgen: generates chain configuration, such as the genesis block and channel configuration
configtxlator: converts configuration between protobuf and JSON
cryptogen: certificate tool; generates the certificates
get-docker-images.sh: pulls the Docker images; not used here
orderer: the orderer binary, e.g. to start the orderer
peer: the peer binary, e.g. to start a peer or query its status

Next, the configuration files
ls /root/fabric-deploy/config/
All three are template files; every setting is explained in comments, which is useful when going deeper later.
configtx.yaml: used when generating the genesis block; contains the channel configuration
core.yaml: peer configuration
orderer.yaml: orderer configuration

With that rough understanding, let's begin:
First generate the certificates, here with the cryptogen tool:

cd /root/fabric-deploy
vi crypto-config.yaml with the following content
//
OrdererOrgs:
  - Name: Orderer
    Domain: example.com
    Specs:
      - Hostname: orderer
PeerOrgs:
  - Name: Org1
    Domain: org1.example.com
    Template:
      Count: 2 # automatically yields peer0 and peer1
    Users:
      Count: 1
  - Name: Org2
    Domain: org2.example.com
    Template:
      Count: 1 # peer0
    Users:
      Count: 1
//
./bin/cryptogen generate --config=crypto-config.yaml --output ./certs

yum install -y tree

Certificate layout

Understanding the certificates helps a great deal with troubleshooting.

The following command shows the certificate layout of orderer.example.com:

tree -A certs/ordererOrganizations/example.com/orderers/orderer.example.com/
├── msp
│   ├── admincerts : certificates carrying administrator rights; for orderer.example.com this is the admin certificate of the example.com orderer organization
│   │   └── Admin@example.com-cert.pem
│   ├── cacerts : used by the orderer to validate user certificates, e.g. openssl verify -CAfile ./cacerts/ca.example.com-cert.pem admincerts/Admin\@example.com-cert.pem
│   │   └── ca.example.com-cert.pem
│   ├── keystore : the private key this orderer signs with when operating on blocks
│   │   └── 16da15d400d4ca4b53d369b6d6e50a084d4354998c3b4d7a0934635d3907f90f_sk
│   ├── signcerts
│   │   └── orderer.example.com-cert.pem
│   └── tlscacerts
│       └── tlsca.example.com-cert.pem
└── tls : the private key (server.key) and certificate (server.crt) the orderer serves with; ca.crt is the CA that issued that certificate and has to be supplied to the side making the request
    ├── ca.crt
    ├── server.crt
    └── server.key

The certificate layout of a peer. These are all peer0's certificates within org1; note that they are not the certificates of the user who operates peer0:

tree -A ./certs/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/

├── msp
│   ├── admincerts
│   │   └── Admin@org1.example.com-cert.pem : peer0 reads this certificate at startup; whoever holds it is the admin
│   ├── cacerts : used to validate peer0's signcerts certificate, e.g. openssl verify -CAfile cacerts/ca.org1.example.com-cert.pem signcerts/peer0.org1.example.com-cert.pem
│   │   └── ca.org1.example.com-cert.pem
│   ├── keystore : peer0's private key, used when operating on blocks
│   │   └── bc2cc295ee6df54d35e6f5df6c0cdd297fb0486eeb81cd5058ec2536ef8afe20_sk
│   ├── signcerts : the certificate peer0 signs with (not the one used for gRPC)
│   │   └── peer0.org1.example.com-cert.pem
│   └── tlscacerts
│       └── tlsca.org1.example.com-cert.pem
└── tls
    ├── ca.crt
    ├── server.crt
    └── server.key

As for user certificates, every peer organization has its users and an admin user, and every orderer likewise has a user and an admin user; the layout looks like the following

├── Admin@org1.example.com
│   ├── msp
│   │   ├── admincerts
│   │   │   └── Admin@org1.example.com-cert.pem
│   │   ├── cacerts
│   │   │   └── ca.org1.example.com-cert.pem
│   │   ├── keystore
│   │   │   └── fefe0cc627c067775b1fe1a1809fe8fb9dfe0f327d32682cc51837f10f78947c_sk
│   │   ├── signcerts
│   │   │   └── Admin@org1.example.com-cert.pem
│   │   └── tlscacerts
│   │       └── tlsca.org1.example.com-cert.pem
│   └── tls
│       ├── ca.crt
│       ├── client.crt
│       └── client.key
└── User1@org1.example.com
    ├── msp
    │   ├── admincerts
    │   │   └── User1@org1.example.com-cert.pem
    │   ├── cacerts
    │   │   └── ca.org1.example.com-cert.pem
    │   ├── keystore
    │   │   └── 9d0a6cb707c9cf1a21481b28dee69ee0017669dd07bb3b33911fc6090e109756_sk
    │   ├── signcerts
    │   │   └── User1@org1.example.com-cert.pem
    │   └── tlscacerts
    │       └── tlsca.org1.example.com-cert.pem
    └── tls
        ├── ca.crt
        ├── client.crt
        └── client.key

First, understand that certificates are used in layers. For example, orderer1 presents a certificate to the orderer organization it belongs to, and that orderer organization in turn presents a certificate to the whole chain. peer0 presents a certificate to the peer organization it belongs to, and that peer organization in turn presents a certificate to the whole chain.

Each orderer organization must present a certificate proving that it is one of the orderer organizations of this chain. Those certificates live in the organization directory (/root/fabric-deploy/certs/ordererOrganizations/example.com), which contains msp and tls, the two chain-facing certificate sets, and users, the users inside this orderer organization who are allowed to operate it. Because this is SOLO mode with a single orderer, and therefore a single orderer organization, you only see the one example.com organization and orderer.example.com. Each orderer's own certificate, presented to its organization, lives in /root/fabric-deploy/certs/ordererOrganizations/example.com/orderers/orderer.example.com, which contains only msp and tls and faces that orderer organization.

The peer organization's certificate structure is similar to the orderer organization's. Each peer organization must present a certificate to the whole network proving that it is a peer organization of this chain. Taking org1 as the example: the msp and tls under /root/fabric-deploy/certs/peerOrganizations/org1.example.com/ are likewise chain-facing, and users holds the users of the whole peer organization. /root/fabric-deploy/certs/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/ holds peer0's certificates, which it presents to its peer organization (org1).
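The layering described above can be checked mechanically with openssl before a node is ever started, which narrows down "bad certificate" and "signature mismatch" errors a lot. The script below is an added example (not part of the original post) for any node or user directory in the cryptogen layout shown above: the signing certificate in signcerts must chain to the organization CA in cacerts, the private key in keystore must belong to that signing certificate, and the TLS certificate (server.crt for peers and orderers, client.crt for users) must chain to tls/ca.crt, the trust anchor the remote side is given. The directory path is the only argument; file names are discovered from the layout.

```shell
#!/bin/sh
# verify_msp_dir NODE_DIR
#   NODE_DIR is a node or user directory in the cryptogen layout, e.g.
#   certs/peerOrganizations/org1.example.com/peers/peer0.org1.example.com
#   Returns 0 when all three checks pass, otherwise 1, 2 or 3 for the failing check.
verify_msp_dir() {
  dir=$1
  set -- "$dir"/msp/cacerts/*.pem;   ca=$1
  set -- "$dir"/msp/signcerts/*.pem; cert=$1
  set -- "$dir"/msp/keystore/*_sk;   key=$1

  # 1. the node's signing certificate must chain to the organization CA in cacerts
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || {
    echo "signcert $cert does not chain to $ca" >&2; return 1; }

  # 2. the private key in keystore must belong to that signing certificate:
  #    compare the public key embedded in the cert with the one derived from the key
  cert_pub=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || {
    echo "keystore key $key does not match $cert" >&2; return 2; }

  # 3. the TLS certificate must chain to tls/ca.crt, which is what remote peers
  #    and clients are handed as their trust anchor for this node
  tlscert=$dir/tls/server.crt
  [ -f "$tlscert" ] || tlscert=$dir/tls/client.crt
  openssl verify -CAfile "$dir/tls/ca.crt" "$tlscert" >/dev/null 2>&1 || {
    echo "$tlscert does not chain to tls/ca.crt" >&2; return 3; }
  return 0
}

# Usage, from /root/fabric-deploy:
#   for d in certs/*/*/peers/* certs/*/*/orderers/* certs/*/*/users/*; do
#     verify_msp_dir "$d" && echo "OK  $d"
#   done
```

Running it over every directory under certs/ before copying anything to /opt/app/fabric is cheap, and the exit code tells you which of the three relationships is broken.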

Generate the runtime directories

First generate the deployment directories; if anything goes wrong in the runtime directories later, they can simply be replaced from the deployment directories.
orderer.example.com:

mkdir orderer.example.com
# copy the orderer binary
cp bin/orderer orderer.example.com/
# copy the orderer's certificates
cp -rf certs/ordererOrganizations/example.com/orderers/orderer.example.com/* orderer.example.com/
cd orderer.example.com/
# write the orderer's configuration file, which contains this orderer's port settings
vi orderer.yaml
//
General:
    LedgerType: file
    ListenAddress: 0.0.0.0
    ListenPort: 7050
    TLS:
        Enabled: true
        PrivateKey: ./tls/server.key
        Certificate: ./tls/server.crt
        RootCAs:
          - ./tls/ca.crt
#        ClientAuthEnabled: false
#        ClientRootCAs:
    LogLevel: debug
    LogFormat: '%{color}%{time:2006-01-02 15:04:05.000 MST} [%{module}] %{shortfunc} -> %{level:.4s} %{id:03x}%{color:reset} %{message}'
#    GenesisMethod: provisional
    GenesisMethod: file
    GenesisProfile: SampleInsecureSolo
    GenesisFile: ./genesisblock
    LocalMSPDir: ./msp
    LocalMSPID: OrdererMSP
    Profile:
        Enabled: false
        Address: 0.0.0.0:6060
    BCCSP:
        Default: SW
        SW:
            Hash: SHA2
            Security: 256
            FileKeyStore:
                KeyStore:
FileLedger:
    Location:  /opt/app/fabric/orderer/data
    Prefix: hyperledger-fabric-ordererledger
RAMLedger:
    HistorySize: 1000
Kafka:
    Retry:
        ShortInterval: 5s
        ShortTotal: 10m
        LongInterval: 5m
        LongTotal: 12h
        NetworkTimeouts:
            DialTimeout: 10s
            ReadTimeout: 10s
            WriteTimeout: 10s
        Metadata:
            RetryBackoff: 250ms
            RetryMax: 3
        Producer:
            RetryBackoff: 100ms
            RetryMax: 3
        Consumer:
            RetryBackoff: 2s
    Verbose: false
    TLS:
      Enabled: false
      PrivateKey:
        #File: path/to/PrivateKey
      Certificate:
        #File: path/to/Certificate
      RootCAs:
        #File: path/to/RootCAs
    Version:
//

Create the data directory

mkdir data

Generate peer0:

cd ../
mkdir peer0.org1.example.com
cp bin/peer peer0.org1.example.com/
cp -rf certs/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/* peer0.org1.example.com/
cd peer0.org1.example.com/
vi core.yaml

The content of core.yaml is as follows

logging:
    peer:       debug
    cauthdsl:   warning
    gossip:     warning
    ledger:     info
    msp:        warning
    policies:   warning
    grpc:       error
    format: '%{color}%{time:2006-01-02 15:04:05.000 MST} [%{module}] %{shortfunc} -> %{level:.4s} %{id:03x}%{color:reset} %{message}'
peer:
    id: peer0.org1.example.com
    networkId: dev
    listenAddress: 0.0.0.0:7056
    address: 0.0.0.0:7056
    addressAutoDetect: false
    gomaxprocs: -1
    gossip:
        bootstrap: peer0.org1.example.com:7056
        useLeaderElection: true
        orgLeader: false
        endpoint:
        maxBlockCountToStore: 100
        maxPropagationBurstLatency: 10ms
        maxPropagationBurstSize: 10
        propagateIterations: 1
        propagatePeerNum: 3
        pullInterval: 4s
        pullPeerNum: 3
        requestStateInfoInterval: 4s
        publishStateInfoInterval: 4s
        stateInfoRetentionInterval:
        publishCertPeriod: 10s
        skipBlockVerification: false
        dialTimeout: 3s
        connTimeout: 2s
        recvBuffSize: 20
        sendBuffSize: 200
        digestWaitTime: 1s
        requestWaitTime: 1s
        responseWaitTime: 2s
        aliveTimeInterval: 5s
        aliveExpirationTimeout: 25s
        reconnectInterval: 25s
        externalEndpoint: peer0.org1.example.com:7056
        election:
            startupGracePeriod: 15s
            membershipSampleInterval: 1s
            leaderAliveThreshold: 10s
            leaderElectionDuration: 5s
    events:
        address: 0.0.0.0:7057
        buffersize: 100
        timeout: 10ms
    tls:
        enabled: true
        cert:
            file: ./tls/server.crt
        key:
            file: ./tls/server.key
        rootcert:
            file: ./tls/ca.crt
        serverhostoverride:
    fileSystemPath: /opt/app/fabric/peer/data
    BCCSP:
        Default: SW
        SW:
            Hash: SHA2
            Security: 256
            FileKeyStore:
                KeyStore:
    mspConfigPath: msp
    localMspId: Org1MSP
    profile:
        enabled:    true
        listenAddress: 0.0.0.0:6363
vm:
    endpoint: unix:///var/run/docker.sock
    docker:
        tls:
            enabled: false
            ca:
                file: docker/ca.crt
            cert:
                file: docker/tls.crt
            key:
                file: docker/tls.key
        attachStdout: false
        hostConfig:
            NetworkMode: host
            Dns:
               # - 192.168.0.1
            LogConfig:
                Type: json-file
                Config:
                    max-size: "50m"
                    max-file: "5"
            Memory: 2147483648
chaincode:
    peerAddress:
    id:
        path:
        name:
    builder: $(DOCKER_NS)/fabric-ccenv:$(ARCH)-$(PROJECT_VERSION)
    golang:
        runtime: $(BASE_DOCKER_NS)/fabric-baseos:$(ARCH)-$(BASE_VERSION)
    car:
        runtime: $(BASE_DOCKER_NS)/fabric-baseos:$(ARCH)-$(BASE_VERSION)
    java:
        Dockerfile:  |
            from $(DOCKER_NS)/fabric-javaenv:$(ARCH)-$(PROJECT_VERSION)
    startuptimeout: 300s
    executetimeout: 30s
    mode: net
    keepalive: 0
    system:
        cscc: enable
        lscc: enable
        escc: enable
        vscc: enable
        qscc: enable
    logging:
      level:  info
      shim:   warning
      format: '%{color}%{time:2006-01-02 15:04:05.000 MST} [%{module}] %{shortfunc} -> %{level:.4s} %{id:03x}%{color:reset} %{message}'
ledger:
  blockchain:
  state:
    stateDatabase: goleveldb
    couchDBConfig:
       couchDBAddress: 127.0.0.1:5987
       username:
       password:
       maxRetries: 3
       maxRetriesOnStartup: 10
       requestTimeout: 35s
       queryLimit: 10000
  history:
    enableHistoryDatabase: true    

Move to the runtime directories

mkdir -p /opt/app/fabric/{orderer,peer}
cp -rf ./orderer.example.com/* /opt/app/fabric/orderer/
cp -rf ./peer0.org1.example.com/* /opt/app/fabric/peer/

Create the genesis block and run the orderer server

./bin/configtxgen -profile TwoOrgsOrdererGenesis -outputBlock ./genesisblock
cp ./genesisblock /opt/app/fabric/orderer/
cd /opt/app/fabric/orderer/
./orderer 2>&1 | tee log

Seeing this line means it succeeded
Start -> INFO 154 Beginning to serve requests

In another terminal, run the peer0 server

cd /opt/app/fabric/peer
./peer node start 2>&1 | tee log

Seeing the following proves it succeeded
[nodeCmd] serve -> INFO 033 Starting peer with ID=[name:"peer0.org1.example.com" ], network ID=[dev], address=[10.0.2.15:7056]
2018-06-23 15:23:58.621 CST [nodeCmd] serve -> INFO 034 Started peer with ID=[name:"peer0.org1.example.com" ], network ID=[dev], address=[10.0.2.15:7056]
2018-06-23 15:23:58.621 CST [nodeCmd] func7 -> INFO 035 Starting profiling server with listenAddress = 0.0.0.0:6363

The other peers are configured the same way as org1 peer0.
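What "the same way" amounts to is: copy the peer binary and that peer's own cryptogen directory (never peer0's keys), and change only the identity fields in core.yaml. The helper below is an added example, not from the original post: it takes the peer0 core.yaml above as a template and rewrites the per-peer fields (peer.id, listenAddress, address, gossip.bootstrap, gossip.externalEndpoint, localMspId) while leaving everything else, including the relative TLS and MSP paths, untouched. The port values and the bootstrap target are parameters and the example values in the usage comment are assumptions; choose them to match your NAT rules.

```shell
#!/bin/sh
# render_peer_core_yaml TEMPLATE PEER_HOST PORT MSPID BOOTSTRAP
#   TEMPLATE  : path to peer0's core.yaml (the file shown above)
#   PEER_HOST : this peer's hostname from /etc/hosts, e.g. peer0.org2.example.com
#   PORT      : the port this peer listens on and advertises
#   MSPID     : the peer's organization MSP, e.g. Org1MSP or Org2MSP
#   BOOTSTRAP : host:port of a peer in the same org to bootstrap gossip from
# Prints the rendered core.yaml on stdout. Patterns are anchored on the exact
# indentation used in the template so that e.g. the 8-space "address:" under
# events and the 8-space "listenAddress:" under profile are left alone.
render_peer_core_yaml() {
  template=$1 host=$2 port=$3 mspid=$4 bootstrap=$5
  sed \
    -e "s|^\(    id: \).*|\1$host|" \
    -e "s|^\(    listenAddress: 0.0.0.0:\).*|\1$port|" \
    -e "s|^\(    address: 0.0.0.0:\).*|\1$port|" \
    -e "s|^\(        bootstrap: \).*|\1$bootstrap|" \
    -e "s|^\(        externalEndpoint: \).*|\1$host:$port|" \
    -e "s|^\(    localMspId: \).*|\1$mspid|" \
    "$template"
}

# Usage (ports are assumed values), from /root/fabric-deploy:
#   mkdir peer0.org2.example.com
#   cp bin/peer peer0.org2.example.com/
#   cp -rf certs/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/* peer0.org2.example.com/
#   render_peer_core_yaml peer0.org1.example.com/core.yaml \
#       peer0.org2.example.com 7056 Org2MSP peer0.org2.example.com:7056 \
#       > peer0.org2.example.com/core.yaml
```

The point of keeping the TLS and MSP paths relative (./tls, msp) is that the same rendered file works in the deployment directory and in /opt/app/fabric/peer, as long as each peer's directory was populated from its own certificate tree.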

Users

Open another terminal on the orderer server. The channel has to be created from the standpoint of the org1 peer0 organization, so we set up the admin user; an ordinary user is configured the same way

cd /root/fabric-deploy
mkdir Admin@org1.example.com
cp -rf certs/peerOrganizations/org1.example.com/users/Admin\@org1.example.com/* Admin\@org1.example.com/
# peer0's configuration
cp peer0.org1.example.com/core.yaml  Admin\@org1.example.com/
# used to run peer commands
cp bin/peer Admin\@org1.example.com/
cd Admin\@org1.example.com/
# wraps some commonly used variables
vi peer.sh
//
#!/bin/sh
export PATH=$(pwd)/../bin:$PATH

export FABRIC_CFG_PATH=$(pwd)

export CORE_PEER_TLS_ENABLED=true
export CORE_PEER_TLS_CERT_FILE=./tls/client.crt
export CORE_PEER_TLS_KEY_FILE=./tls/client.key

export CORE_PEER_MSPCONFIGPATH=./msp
export CORE_PEER_ADDRESS=peer0.org1.example.com:7056
export CORE_PEER_LOCALMSPID=Org1MSP
export CORE_PEER_TLS_ROOTCERT_FILE=./tls/ca.crt
export CORE_PEER_ID=cli
export CORE_LOGGING_LEVEL=INFO

./peer "$@"
//
# test
chmod +x peer.sh
./peer.sh node status
The following output means success
//
status:STARTED
2018-06-23 16:21:30.426 CST [main] main -> INFO 001 Exiting.....
//

Once you have a user with admin rights (in practice, whether the certificate you point at is an admin certificate is what decides whether this person is an admin), channel creation can begin.

Channel creation

Generate the mychannel.tx file

./bin/configtxgen -profile TwoOrgsChannel -outputCreateChannelTx mychannel.tx -channelID mychannel

Generate the configuration file that designates org1's anchor peer for mychannel

./bin/configtxgen -profile TwoOrgsChannel -outputAnchorPeersUpdate Org1MSPanchors.tx -channelID mychannel -asOrg Org1MSP

Generate the configuration file that designates org2's anchor peer for mychannel

./bin/configtxgen -profile TwoOrgsChannel -outputAnchorPeersUpdate Org2MSPanchors.tx -channelID mychannel -asOrg Org2MSP

Designate org1 peer0 on the orderer server as org1's anchor peer; the other peers are done the same way

./peer.sh channel update -o orderer.example.com:7050 -c mychannel -f ../Org1MSPanchors.tx --tls true --cafile ./tlsca.example.com-cert.pem

create channel

./peer.sh channel create -o orderer.example.com:7050 -c mychannel -f ../mychannel.tx --tls true --cafile tlsca.example.com-cert.pem

./peer.sh channel list

With this, the setup of the chain and the channel is complete.
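The same steps as one script, added here as an example rather than taken from the original post, run from the Admin@org1.example.com directory with the peer.sh wrapper above. Two things differ from the command list: the channel is created before the anchor-peer update is submitted, because the orderer rejects a configuration update for a channel it does not yet have, and the peer is joined to the channel with the genesis block that `peer channel create` writes to ./mychannel.block, a step the text does not show. `--cafile` must point at the orderer organization's TLS CA (the orderer's TLS certificate is what is being checked); the ORDERER_CA path below is an assumption based on the cryptogen output layout, and DRY_RUN=1 prints the commands instead of running them. The Org2 anchor update is submitted the same way from an Org2 admin directory.

```shell
#!/bin/sh
# Run from /root/fabric-deploy/Admin@org1.example.com (where peer.sh lives).
# Assumed paths (not from the original post): the channel tx and anchor files sit
# one level up, and the orderer organization's TLS CA comes from the cryptogen output.
ORDERER=${ORDERER:-orderer.example.com:7050}
CHANNEL=${CHANNEL:-mychannel}
ORDERER_CA=${ORDERER_CA:-../certs/ordererOrganizations/example.com/tlsca/tlsca.example.com-cert.pem}
PEER=${PEER:-./peer.sh}

# run CMD...: execute the command, or only print it when DRY_RUN=1
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# 1. create the channel from the channel creation tx; the request is signed with
#    the admin MSP that CORE_PEER_MSPCONFIGPATH in peer.sh points at, and peer
#    writes the channel's genesis block to ./<channel>.block
create_channel() {
  run "$PEER" channel create -o "$ORDERER" -c "$CHANNEL" -f "../$CHANNEL.tx" --tls true --cafile "$ORDERER_CA"
}

# 2. join the peer addressed by CORE_PEER_ADDRESS to the channel using that block
join_channel() {
  run "$PEER" channel join -b "./$CHANNEL.block"
}

# 3. only now submit the anchor-peer configuration update for this org
update_anchor_peer() {
  run "$PEER" channel update -o "$ORDERER" -c "$CHANNEL" -f "../$1" --tls true --cafile "$ORDERER_CA"
}

# Full sequence; stops at the first failing step and ends with the channel listing
setup_channel() {
  create_channel && join_channel && update_anchor_peer Org1MSPanchors.tx && run "$PEER" channel list
}
```

Run `DRY_RUN=1 sh -c '. ./setup_channel.sh; setup_channel'` first to see the exact command lines, then without DRY_RUN to execute them.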

Chaincode

Reference:
http://www.lijiaocn.com/%E9%A1%B9%E7%9B%AE/2018/04/26/hyperledger-fabric-deploy.html
