1. Overall architecture
The official tutorial uses a multi-machine deployment. This post simplifies it so that every step runs on a single machine; a multi-machine setup will be verified later.
The overall architecture used in this post is described below.
Three organizations
- Org0 ---> organization 0
- Org1 ---> organization 1
- Org2 ---> organization 2
Members of each organization
- Org0: one orderer node and one Org0 Admin node
- Org1: two peer nodes, one Org1 Admin node and one Org1 User node
- Org2: two peer nodes, one Org2 Admin node and one Org2 User node
Four CA servers
- TLS CA server: issues TLS certificates to every node in the network, used to encrypt communication
- Org1 CA server: issues certificates to all users of organization 1
- Org2 CA server: issues certificates to all users of organization 2
- Org0 CA server: issues certificates to all users of organization 0
All four CA servers are root CAs and are completely independent of one another: a certificate issued by one CA cannot be used with any of the others.
With the introduction out of the way, let's get started.
2. Setting up the Fabric and Fabric-CA environment
The basic setup of Fabric and Fabric-CA is not covered here; see the official documentation if anything is unclear.
Once the environment is set up we also need a HOME directory for the generated certificate files and the Fabric configuration files. In this post the HOME path is:
/tmp/hyperledger
Create it yourself. Avoid overly complex paths and paths containing Chinese characters, as they cause a lot of trouble later. Below, the HOME folder is simply called the working directory, and unless stated otherwise, commands are run from the working directory.
Note: since every service is started with docker-compose, to put them all on the same docker network we need to set
export COMPOSE_PROJECT_NAME=net
or keep all the docker-compose files in one directory.
3. CA server configuration
3.1 Start the TLS CA server
With the preparation done, we start the first CA server. In this post it runs in a Docker container.
3.1.1 Create the docker-compose.yaml file
mkdir -p /tmp/hyperledger/docker-compose/fabric-ca-tls && cd /tmp/hyperledger/docker-compose/fabric-ca-tls
touch docker-compose.yaml
and add the following content to the file (tip: keep the indentation intact):
version: '2'
networks:
  fabric-ca:
services:
  ca-tls:
    container_name: ca-tls
    image: hyperledger/fabric-ca
    command: sh -c 'fabric-ca-server start -d -b tls-ca-admin:tls-ca-adminpw --port 7052'
    environment:
      - FABRIC_CA_SERVER_HOME=/tmp/hyperledger/fabric-ca/crypto
      - FABRIC_CA_SERVER_TLS_ENABLED=true
      - FABRIC_CA_SERVER_CSR_CN=ca-tls
      - FABRIC_CA_SERVER_CSR_HOSTS=0.0.0.0
      - FABRIC_CA_SERVER_PORT=7052
      - FABRIC_CA_SERVER_DEBUG=true
    volumes:
      - /tmp/hyperledger/fabric-ca-tls:/tmp/hyperledger/fabric-ca
    networks:
      - fabric-ca
    ports:
      - 7052:7052
Start the container:
docker-compose up -d
If the command line shows the following, the server started successfully:
[INFO] Listening on https://0.0.0.0:7052
At the same time a crypto folder appears under /tmp/hyperledger/fabric-ca-tls/ on the host (the volume mounts it as /tmp/hyperledger/fabric-ca inside the container). Its contents are not explained here; see the official documentation if you want the details. One file does need explaining, because it is used frequently from now on: ca-cert.pem in that crypto/ folder (host path /tmp/hyperledger/fabric-ca-tls/crypto/ca-cert.pem). It is the TLS CA's self-signed root certificate: the client uses it to verify the CA server's TLS certificate, and must hold it before any certificate can be issued.
In a multi-machine setup it has to be copied to every machine.
3.1.2 Register users with the TLS CA server
The first step is to register identities with the TLS CA server; only registered identities can obtain TLS certificates.
Set environment variables and enroll
# Point the client at the root certificate (if your working directory differs, use your own path; this is not repeated below)
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/fabric-ca-tls/crypto/ca-cert.pem
# Set the CA client's HOME folder
export FABRIC_CA_CLIENT_HOME=/tmp/hyperledger/fabric-ca-tls/admin
# Enroll the administrator, who will register the node identities afterwards
fabric-ca-client enroll -d -u https://tls-ca-admin:tls-ca-adminpw@0.0.0.0:7052 --tls.certfiles /tmp/hyperledger/fabric-ca-tls/crypto/ca-cert.pem
After a successful enrollment an admin folder is generated under /tmp/hyperledger/fabric-ca-tls/, containing the admin's certificate files. Only after enrolling admin can you register users: this user has full privileges on the CA, the equivalent of the root user of the CA service.
Next, register each node and user
fabric-ca-client register -d --id.name peer1-org1 --id.secret peer1PW --id.type peer -u https://0.0.0.0:7052 --tls.certfiles /tmp/hyperledger/fabric-ca-tls/crypto/ca-cert.pem
fabric-ca-client register -d --id.name peer2-org1 --id.secret peer2PW --id.type peer -u https://0.0.0.0:7052 --tls.certfiles /tmp/hyperledger/fabric-ca-tls/crypto/ca-cert.pem
fabric-ca-client register -d --id.name peer1-org2 --id.secret peer1PW --id.type peer -u https://0.0.0.0:7052 --tls.certfiles /tmp/hyperledger/fabric-ca-tls/crypto/ca-cert.pem
fabric-ca-client register -d --id.name peer2-org2 --id.secret peer2PW --id.type peer -u https://0.0.0.0:7052 --tls.certfiles /tmp/hyperledger/fabric-ca-tls/crypto/ca-cert.pem
fabric-ca-client register -d --id.name orderer1-org0 --id.secret ordererPW --id.type orderer -u https://0.0.0.0:7052 --tls.certfiles /tmp/hyperledger/fabric-ca-tls/crypto/ca-cert.pem
fabric-ca-client register -d --id.name admin-org1 --id.secret org1AdminPW --id.type admin -u https://0.0.0.0:7052 --tls.certfiles /tmp/hyperledger/fabric-ca-tls/crypto/ca-cert.pem
fabric-ca-client register -d --id.name admin-org2 --id.secret org2AdminPW --id.type admin -u https://0.0.0.0:7052 --tls.certfiles /tmp/hyperledger/fabric-ca-tls/crypto/ca-cert.pem
Here we register a TLS identity for each node; from now on, Fabric network traffic is encrypted with the TLS certificates of the identities registered in this step.
So far we have only registered the nodes' identities; we have not obtained their certificates yet. Certificates are obtained by enrolling, but there is no rush to fetch the TLS certificates right now.
Next, we configure the remaining CA servers.
3.2 Configure the Org0 CA server
Once again: all the CA servers in this post are root CAs with no relationship to one another, so the TLS CA server from the previous step is not used in this part.
As before, the CA server runs in a Docker container.
mkdir -p /tmp/hyperledger/org0/ca
mkdir -p /tmp/hyperledger/docker-compose/org0/ca && cd /tmp/hyperledger/docker-compose/org0/ca
touch docker-compose.yaml
and add the following content to the file (tip: keep the indentation intact):
version: '2'
networks:
  fabric-ca:
services:
  org0:
    container_name: org0
    image: hyperledger/fabric-ca:latest
    command: sh -c 'fabric-ca-server start -d -b org0-admin:org0-adminpw --port 7053'
    environment:
      - FABRIC_CA_SERVER_HOME=/tmp/hyperledger/fabric-ca/crypto
      - FABRIC_CA_SERVER_TLS_ENABLED=true
      - FABRIC_CA_SERVER_CSR_CN=org0
      - FABRIC_CA_SERVER_CSR_HOSTS=0.0.0.0
      - FABRIC_CA_SERVER_PORT=7053
      - FABRIC_CA_SERVER_DEBUG=true
    volumes:
      - /tmp/hyperledger/org0/ca:/tmp/hyperledger/fabric-ca ## Important! Change this path to your own working directory
    networks:
      - fabric-ca
    ports:
      - 7053:7053
Start the container
docker-compose up -d
Register Org0's users
Set environment variables and enroll
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org0/ca/crypto/ca-cert.pem
export FABRIC_CA_CLIENT_HOME=/tmp/hyperledger/org0/ca/admin
fabric-ca-client enroll -d -u https://org0-admin:org0-adminpw@0.0.0.0:7053 --tls.certfiles /tmp/hyperledger/org0/ca/crypto/ca-cert.pem
This organization has two users: the orderer node and the admin user (this admin is a different identity from the CA's bootstrap administrator).
Register them with the Org0 CA server
fabric-ca-client register -d --id.name orderer1-org0 --id.secret ordererpw --id.type orderer -u https://0.0.0.0:7053 --tls.certfiles /tmp/hyperledger/org0/ca/crypto/ca-cert.pem
fabric-ca-client register -d --id.name admin-org0 --id.secret org0adminpw --id.type admin --id.attrs "hf.Registrar.Roles=client,hf.Registrar.Attributes=*,hf.Revoker=true,hf.GenCRL=true,admin=true:ecert,abac.init=true:ecert" -u https://0.0.0.0:7053 --tls.certfiles /tmp/hyperledger/org0/ca/crypto/ca-cert.pem
After these commands run, an orderer node identity and an admin identity are registered. The org0 subfolder of the working directory (org0/ca) now holds two folders, crypto and admin: crypto contains the CA server's configuration and admin the server administrator's identity material.
3.3 Configure the Org1 CA server
mkdir -p /tmp/hyperledger/org1/ca
mkdir -p /tmp/hyperledger/docker-compose/org1/ca && cd /tmp/hyperledger/docker-compose/org1/ca
touch docker-compose.yaml
and add the following content to the file (tip: keep the indentation intact):
version: '2'
networks:
  fabric-ca:
services:
  org1:
    container_name: org1
    image: hyperledger/fabric-ca:latest
    command: sh -c 'fabric-ca-server start -d -b org1-admin:org1-adminpw --port 7054'
    environment:
      - FABRIC_CA_SERVER_HOME=/tmp/hyperledger/fabric-ca/crypto
      - FABRIC_CA_SERVER_TLS_ENABLED=true
      - FABRIC_CA_SERVER_CSR_CN=org1
      - FABRIC_CA_SERVER_CSR_HOSTS=0.0.0.0
      - FABRIC_CA_SERVER_PORT=7054
      - FABRIC_CA_SERVER_DEBUG=true
    volumes:
      - /tmp/hyperledger/org1/ca:/tmp/hyperledger/fabric-ca ## Important! Change this path to your own working directory
    networks:
      - fabric-ca
    ports:
      - 7054:7054
Start the container:
docker-compose up -d
Register Org1's users
Set environment variables and enroll
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org1/ca/crypto/ca-cert.pem
export FABRIC_CA_CLIENT_HOME=/tmp/hyperledger/org1/ca/admin
fabric-ca-client enroll -d -u https://org1-admin:org1-adminpw@0.0.0.0:7054 --tls.certfiles /tmp/hyperledger/org1/ca/crypto/ca-cert.pem
Org1 has four users: peer1, peer2, admin and user. Register each of them:
fabric-ca-client register -d --id.name peer1-org1 --id.secret peer1PW --id.type peer -u https://0.0.0.0:7054 --tls.certfiles /tmp/hyperledger/org1/ca/crypto/ca-cert.pem
fabric-ca-client register -d --id.name peer2-org1 --id.secret peer2PW --id.type peer -u https://0.0.0.0:7054 --tls.certfiles /tmp/hyperledger/org1/ca/crypto/ca-cert.pem
fabric-ca-client register -d --id.name admin-org1 --id.secret org1AdminPW --id.type admin -u https://0.0.0.0:7054 --tls.certfiles /tmp/hyperledger/org1/ca/crypto/ca-cert.pem
fabric-ca-client register -d --id.name user-org1 --id.secret org1UserPW --id.type client -u https://0.0.0.0:7054 --tls.certfiles /tmp/hyperledger/org1/ca/crypto/ca-cert.pem
3.4 Configure the Org2 CA server
mkdir -p /tmp/hyperledger/org2/ca
mkdir -p /tmp/hyperledger/docker-compose/org2/ca && cd /tmp/hyperledger/docker-compose/org2/ca
touch docker-compose.yaml
and add the following content to the file (tip: keep the indentation intact):
version: '2'
networks:
  fabric-ca:
services:
  org2:
    container_name: org2
    image: hyperledger/fabric-ca:latest
    command: sh -c 'fabric-ca-server start -d -b org2-admin:org2-adminpw --port 7055'
    environment:
      - FABRIC_CA_SERVER_HOME=/tmp/hyperledger/fabric-ca/crypto
      - FABRIC_CA_SERVER_TLS_ENABLED=true
      - FABRIC_CA_SERVER_CSR_CN=org2
      - FABRIC_CA_SERVER_CSR_HOSTS=0.0.0.0
      - FABRIC_CA_SERVER_PORT=7055
      - FABRIC_CA_SERVER_DEBUG=true
    volumes:
      - /tmp/hyperledger/org2/ca:/tmp/hyperledger/fabric-ca ## Important! Change this path to your own working directory
    networks:
      - fabric-ca
    ports:
      - 7055:7055
Start the container:
docker-compose up -d
Register Org2's users
Set environment variables and enroll
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org2/ca/crypto/ca-cert.pem
export FABRIC_CA_CLIENT_HOME=/tmp/hyperledger/org2/ca/admin
fabric-ca-client enroll -d -u https://org2-admin:org2-adminpw@0.0.0.0:7055 --tls.certfiles /tmp/hyperledger/org2/ca/crypto/ca-cert.pem
Org2 has four users: peer1, peer2, admin and user. Register each of them:
fabric-ca-client register -d --id.name peer1-org2 --id.secret peer1PW --id.type peer -u https://0.0.0.0:7055 --tls.certfiles /tmp/hyperledger/org2/ca/crypto/ca-cert.pem
fabric-ca-client register -d --id.name peer2-org2 --id.secret peer2PW --id.type peer -u https://0.0.0.0:7055 --tls.certfiles /tmp/hyperledger/org2/ca/crypto/ca-cert.pem
fabric-ca-client register -d --id.name admin-org2 --id.secret org2AdminPW --id.type admin -u https://0.0.0.0:7055 --tls.certfiles /tmp/hyperledger/org2/ca/crypto/ca-cert.pem
fabric-ca-client register -d --id.name user-org2 --id.secret org2UserPW --id.type client -u https://0.0.0.0:7055 --tls.certfiles /tmp/hyperledger/org2/ca/crypto/ca-cert.pem
4. Org1 node configuration
4.1 peer1
mkdir -p /tmp/hyperledger/org1/peer1/assets/ca/
cp /tmp/hyperledger/org1/ca/crypto/ca-cert.pem /tmp/hyperledger/org1/peer1/assets/ca/org1-ca-cert.pem
First the organization's MSP certificate:
Set environment variables
export FABRIC_CA_CLIENT_HOME=/tmp/hyperledger/org1/peer1
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org1/peer1/assets/ca/org1-ca-cert.pem
export FABRIC_CA_CLIENT_MSPDIR=msp
Enroll peer1 with the Org1 CA server
fabric-ca-client enroll -d -u https://peer1-org1:peer1PW@0.0.0.0:7054 --tls.certfiles /tmp/hyperledger/org1/ca/crypto/ca-cert.pem
After this step an msp folder appears under /tmp/hyperledger/org1/peer1; it holds peer1's MSP certificate.
Next the TLS certificate
mkdir -p /tmp/hyperledger/org1/peer1/assets/tls-ca
cp /tmp/hyperledger/fabric-ca-tls/crypto/ca-cert.pem /tmp/hyperledger/org1/peer1/assets/tls-ca/tls-ca-cert.pem
Set environment variables
export FABRIC_CA_CLIENT_MSPDIR=tls-msp
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org1/peer1/assets/tls-ca/tls-ca-cert.pem
Enroll peer1 with the TLS CA server
fabric-ca-client enroll -d -u https://peer1-org1:peer1PW@0.0.0.0:7052 --enrollment.profile tls --csr.hosts peer1-org1 --tls.certfiles /tmp/hyperledger/org1/peer1/assets/tls-ca/tls-ca-cert.pem
After this step a tls-msp folder appears under /tmp/hyperledger/org1/peer1; it holds peer1's TLS certificate.
Rename the private key file
Why rename it? Look inside the folder and you will see: the key file name generated by the server is a long random string. Are we supposed to type it character by character every time we use it later?
mv /tmp/hyperledger/org1/peer1/tls-msp/keystore/*_sk /tmp/hyperledger/org1/peer1/tls-msp/keystore/key.pem
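An added check for what the two enrollments above produced (this is example code, not from the original post): a node's tls-msp certificate must verify against the TLS CA root, must not verify against the organization CA root (the four CAs are independent), and must carry the --csr.hosts name as a DNS SAN. It assumes the openssl CLI; because the post's files are not available here, it constructs equivalent sample roots and leaf certificates with openssl, and the function check_node_tls_cert takes the real paths.

```shell
# Added example, not from the original post. Checks a node's tls-msp
# certificate the way the post's trust model requires: it must verify against
# the TLS CA root, must NOT verify against the organization CA root (the CAs
# are independent), and must carry the --csr.hosts name as a DNS SAN.
# Assumes the openssl CLI. Sample roots and leaf certs are constructed below
# with openssl so the script runs without the post's files; for the real
# check call check_node_tls_cert with the paths fabric-ca-client wrote, e.g.
#   check_node_tls_cert /tmp/hyperledger/fabric-ca-tls/crypto/ca-cert.pem \
#     /tmp/hyperledger/org1/ca/crypto/ca-cert.pem \
#     /tmp/hyperledger/org1/peer1/tls-msp/signcerts/cert.pem peer1-org1

WORK=$(mktemp -d)

# Minimal openssl config so the script does not depend on the system openssl.cnf
cat > "$WORK/openssl.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# make_root_ca PREFIX CN: self-signed ECDSA P-256 root (fabric-ca's default key type)
make_root_ca() {
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -config "$WORK/openssl.cnf" -subj "/CN=$2" -days 1 \
        -keyout "$1.key" -out "$1.pem" >/dev/null 2>&1
}

# issue_leaf CAPREFIX OUTPREFIX HOST: leaf cert with HOST as DNS SAN, which is
# what the tls enrollment profile does with --csr.hosts
issue_leaf() {
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -config "$WORK/openssl.cnf" -subj "/CN=$3" \
        -keyout "$2.key" -out "$2.csr" >/dev/null 2>&1
    printf 'subjectAltName=DNS:%s\n' "$3" > "$2.ext"
    openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" -CAcreateserial \
        -days 1 -extfile "$2.ext" -out "$2.pem" >/dev/null 2>&1
}

# check_node_tls_cert TLS_CA_ROOT ORG_CA_ROOT NODE_CERT HOST
# Returns 0 only when all three checks pass and says which one failed otherwise.
check_node_tls_cert() {
    tls_root=$1; org_root=$2; cert=$3; host=$4
    if ! openssl verify -CAfile "$tls_root" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not chain to the TLS CA root"; return 1
    fi
    if openssl verify -CAfile "$org_root" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert also verifies against the org CA root, so it is not a TLS CA cert"; return 1
    fi
    if ! openssl x509 -in "$cert" -noout -text | grep -q "DNS:$host"; then
        echo "FAIL: $cert carries no SAN for $host"; return 1
    fi
    echo "OK: $cert was issued by the TLS CA for $host"
}

# Constructed sample: two independent roots, one leaf from each, as in the post
make_root_ca "$WORK/tls-ca" ca-tls
make_root_ca "$WORK/org1-ca" org1
issue_leaf "$WORK/tls-ca"  "$WORK/peer1-tls" peer1-org1   # like tls-msp/signcerts/cert.pem
issue_leaf "$WORK/org1-ca" "$WORK/peer1-msp" peer1-org1   # like msp/signcerts/cert.pem
check_node_tls_cert "$WORK/tls-ca.pem" "$WORK/org1-ca.pem" "$WORK/peer1-tls.pem" peer1-org1
```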
4.2 peer2
mkdir -p /tmp/hyperledger/org1/peer2/assets/ca/
cp /tmp/hyperledger/org1/ca/crypto/ca-cert.pem /tmp/hyperledger/org1/peer2/assets/ca/org1-ca-cert.pem
First the organization's MSP certificate:
Set environment variables
export FABRIC_CA_CLIENT_HOME=/tmp/hyperledger/org1/peer2
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org1/peer2/assets/ca/org1-ca-cert.pem
export FABRIC_CA_CLIENT_MSPDIR=msp
Enroll peer2 with the Org1 CA server
fabric-ca-client enroll -d -u https://peer2-org1:peer2PW@0.0.0.0:7054 --tls.certfiles /tmp/hyperledger/org1/ca/crypto/ca-cert.pem
After this step an msp folder appears under /tmp/hyperledger/org1/peer2; it holds peer2's MSP certificate.
Next the TLS certificate
mkdir -p /tmp/hyperledger/org1/peer2/assets/tls-ca/
cp /tmp/hyperledger/fabric-ca-tls/crypto/ca-cert.pem /tmp/hyperledger/org1/peer2/assets/tls-ca/tls-ca-cert.pem
Set environment variables
export FABRIC_CA_CLIENT_MSPDIR=tls-msp
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org1/peer2/assets/tls-ca/tls-ca-cert.pem
Enroll peer2 with the TLS CA server
fabric-ca-client enroll -d -u https://peer2-org1:peer2PW@0.0.0.0:7052 --enrollment.profile tls --csr.hosts peer2-org1 --tls.certfiles /tmp/hyperledger/org1/peer2/assets/tls-ca/tls-ca-cert.pem
After this step a tls-msp folder appears under /tmp/hyperledger/org1/peer2; it holds peer2's TLS certificate.
Rename the private key file
Same reason as for peer1: the generated key file name is a long random string that nobody wants to type out later.
mv /tmp/hyperledger/org1/peer2/tls-msp/keystore/*_sk /tmp/hyperledger/org1/peer2/tls-msp/keystore/key.pem
4.3 admin
First the organization's MSP certificate:
Set environment variables
export FABRIC_CA_CLIENT_HOME=/tmp/hyperledger/org1/admin
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org1/peer1/assets/ca/org1-ca-cert.pem
export FABRIC_CA_CLIENT_MSPDIR=msp
Enroll admin with the Org1 CA server
fabric-ca-client enroll -d -u https://admin-org1:org1AdminPW@0.0.0.0:7054 --tls.certfiles /tmp/hyperledger/org1/peer1/assets/ca/org1-ca-cert.pem
Next the TLS certificate
Set environment variables
export FABRIC_CA_CLIENT_MSPDIR=tls-msp
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org1/peer1/assets/tls-ca/tls-ca-cert.pem
Enroll admin with the TLS CA server
fabric-ca-client enroll -d -u https://admin-org1:org1AdminPW@0.0.0.0:7052 --enrollment.profile tls --csr.hosts admin-org1 --tls.certfiles /tmp/hyperledger/org1/peer1/assets/tls-ca/tls-ca-cert.pem
Copy the certificate into the admincerts folder:
In the official Fabric examples, every peer's MSP folder has an admincerts subfolder, and it has to be created by hand.
mkdir /tmp/hyperledger/org1/peer1/msp/admincerts
cp /tmp/hyperledger/org1/admin/msp/signcerts/cert.pem /tmp/hyperledger/org1/peer1/msp/admincerts/org1-admin-cert.pem
mkdir /tmp/hyperledger/org1/peer2/msp/admincerts
cp /tmp/hyperledger/org1/admin/msp/signcerts/cert.pem /tmp/hyperledger/org1/peer2/msp/admincerts/org1-admin-cert.pem
4.4 Start the peer nodes
At this point one node is fully configured, so we can start it now. It could also be started later together with the orderer, but after all this work it is worth seeing the result early!
Here is peer1's container configuration:
Configure and start peer1
mkdir -p /tmp/hyperledger/docker-compose/org1/peer1 && cd /tmp/hyperledger/docker-compose/org1/peer1
touch docker-compose.yaml
and add the following content to the file (tip: keep the indentation intact):
version: '2'
networks:
  fabric-ca:
services:
  peer1-org1:
    container_name: peer1-org1
    image: hyperledger/fabric-peer:2.0.0
    environment:
      - CORE_PEER_ID=peer1-org1
      - CORE_PEER_ADDRESS=peer1-org1:7051
      - CORE_PEER_LISTENADDRESS=0.0.0.0:7051
      - CORE_PEER_CHAINCODEADDRESS=peer1-org1:7052
      - CORE_PEER_CHAINCODELISTENADDRESS=0.0.0.0:7052
      - CORE_PEER_GOSSIP_BOOTSTRAP=peer1-org1:7051
      - CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer1-org1:7051
      - CORE_PEER_LOCALMSPID=org1MSP
      - CORE_PEER_MSPCONFIGPATH=/tmp/hyperledger/org1/peer1/msp
      - CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
      - CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE=${COMPOSE_PROJECT_NAME}_fabric-ca
      - FABRIC_LOGGING_SPEC=debug
      - CORE_PEER_TLS_ENABLED=true
      - CORE_PEER_TLS_CERT_FILE=/tmp/hyperledger/org1/peer1/tls-msp/signcerts/cert.pem
      - CORE_PEER_TLS_KEY_FILE=/tmp/hyperledger/org1/peer1/tls-msp/keystore/key.pem
      - CORE_PEER_TLS_ROOTCERT_FILE=/tmp/hyperledger/org1/peer1/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem
      - CORE_PEER_GOSSIP_USELEADERELECTION=true
      - CORE_PEER_GOSSIP_ORGLEADER=false
      - CORE_PEER_PROFILE_ENABLED=true
      - CORE_PEER_GOSSIP_SKIPHANDSHAKE=true
    working_dir: /opt/gopath/src/github.com/hyperledger/fabric/org1/peer1
    volumes:
      - /var/run:/host/var/run
      - /tmp/hyperledger/org1/peer1:/tmp/hyperledger/org1/peer1
    networks:
      - fabric-ca
Start the container:
docker-compose up -d
If there are no errors, the configuration so far is fine; if something fails, go back and check the previous steps.
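A preflight check to run before docker-compose up, added here as example code (not part of the original post): it verifies every path the peer's compose environment above references (MSPCONFIGPATH, TLS cert, key and root cert) plus the hand-made admincerts folder and the *_sk to key.pem rename from sections 4.1 to 4.3. It assumes a POSIX shell and runs against a constructed layout of empty placeholder files; point check_peer_dir at /tmp/hyperledger/org1/peer1 to check the real folder.

```shell
# Added example, not part of the original post: preflight check of a peer's
# working folder before docker-compose up. It verifies every path the peer's
# compose environment references (MSPCONFIGPATH, TLS cert/key/root cert) plus
# the hand-made admincerts folder and the *_sk -> key.pem rename.
# Assumes a POSIX shell; the layout it checks below is constructed with empty
# placeholder files so the script runs offline.

# check_peer_dir DIR   (e.g. /tmp/hyperledger/org1/peer1)
# Prints each problem found; returns 0 if the folder is complete, 1 otherwise.
check_peer_dir() {
    dir=$1
    problems=0
    for rel in msp/signcerts/cert.pem \
               msp/keystore \
               msp/cacerts \
               tls-msp/signcerts/cert.pem \
               tls-msp/keystore/key.pem \
               tls-msp/tlscacerts/tls-0-0-0-0-7052.pem; do
        if [ ! -e "$dir/$rel" ]; then
            echo "missing: $dir/$rel"
            problems=$((problems + 1))
        fi
    done
    # admincerts is created by hand (section 4.3) and must hold the org admin's cert
    if ! ls "$dir"/msp/admincerts/*.pem >/dev/null 2>&1; then
        echo "missing: $dir/msp/admincerts/*.pem (copy the admin signcert here)"
        problems=$((problems + 1))
    fi
    # a leftover *_sk file means the rename to key.pem was skipped, so
    # CORE_PEER_TLS_KEY_FILE in docker-compose.yaml would point at nothing
    if ls "$dir"/tls-msp/keystore/*_sk >/dev/null 2>&1; then
        echo "leftover: $dir/tls-msp/keystore/*_sk (rename it to key.pem)"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# make_sample_peer DIR: constructed layout standing in for a real peer folder
make_sample_peer() {
    mkdir -p "$1/msp/signcerts" "$1/msp/keystore" "$1/msp/cacerts" \
             "$1/msp/admincerts" "$1/tls-msp/signcerts" \
             "$1/tls-msp/keystore" "$1/tls-msp/tlscacerts"
    : > "$1/msp/signcerts/cert.pem"
    : > "$1/msp/admincerts/org1-admin-cert.pem"
    : > "$1/tls-msp/signcerts/cert.pem"
    : > "$1/tls-msp/keystore/key.pem"
    : > "$1/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem"
}

SAMPLE=$(mktemp -d)
make_sample_peer "$SAMPLE/org1/peer1"
check_peer_dir "$SAMPLE/org1/peer1" && echo "peer1 folder is complete"
```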
Configure and start peer2
mkdir -p /tmp/hyperledger/docker-compose/org1/peer2 && cd /tmp/hyperledger/docker-compose/org1/peer2
touch docker-compose.yaml
and add the following content to the file (tip: keep the indentation intact):
version: '2'
networks:
  fabric-ca:
services:
  peer2-org1:
    container_name: peer2-org1
    image: hyperledger/fabric-peer:2.0.0
    environment:
      - CORE_PEER_ID=peer2-org1
      - CORE_PEER_ADDRESS=peer2-org1:7051
      - CORE_PEER_LISTENADDRESS=0.0.0.0:7051
      - CORE_PEER_CHAINCODEADDRESS=peer2-org1:7052
      - CORE_PEER_CHAINCODELISTENADDRESS=0.0.0.0:7052
      - CORE_PEER_GOSSIP_BOOTSTRAP=peer1-org1:7051
      - CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer2-org1:7051
      - CORE_PEER_LOCALMSPID=org1MSP
      - CORE_PEER_MSPCONFIGPATH=/tmp/hyperledger/org1/peer2/msp
      - CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
      - CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE=${COMPOSE_PROJECT_NAME}_fabric-ca
      - FABRIC_LOGGING_SPEC=debug
      - CORE_PEER_TLS_ENABLED=true
      - CORE_PEER_TLS_CERT_FILE=/tmp/hyperledger/org1/peer2/tls-msp/signcerts/cert.pem
      - CORE_PEER_TLS_KEY_FILE=/tmp/hyperledger/org1/peer2/tls-msp/keystore/key.pem
      - CORE_PEER_TLS_ROOTCERT_FILE=/tmp/hyperledger/org1/peer2/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem
      - CORE_PEER_GOSSIP_USELEADERELECTION=true
      - CORE_PEER_GOSSIP_ORGLEADER=false
      - CORE_PEER_PROFILE_ENABLED=true
      - CORE_PEER_GOSSIP_SKIPHANDSHAKE=true
    working_dir: /opt/gopath/src/github.com/hyperledger/fabric/org1/peer2
    volumes:
      - /var/run:/host/var/run
      - /tmp/hyperledger/org1/peer2:/tmp/hyperledger/org1/peer2
    networks:
      - fabric-ca
Start the container:
docker-compose up -d
5. Org2 node configuration
Same as the Org1 configuration, so no further explanation here; straight to the commands.
5.1 peer1
mkdir -p /tmp/hyperledger/org2/peer1/assets/ca
cp /tmp/hyperledger/org2/ca/crypto/ca-cert.pem /tmp/hyperledger/org2/peer1/assets/ca/org2-ca-cert.pem
Set environment variables
export FABRIC_CA_CLIENT_HOME=/tmp/hyperledger/org2/peer1
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org2/peer1/assets/ca/org2-ca-cert.pem
export FABRIC_CA_CLIENT_MSPDIR=msp
Enroll peer1 with the Org2 CA server
fabric-ca-client enroll -d -u https://peer1-org2:peer1PW@0.0.0.0:7055 --tls.certfiles /tmp/hyperledger/org2/peer1/assets/ca/org2-ca-cert.pem
Next, TLS
mkdir /tmp/hyperledger/org2/peer1/assets/tls-ca
cp /tmp/hyperledger/fabric-ca-tls/crypto/ca-cert.pem /tmp/hyperledger/org2/peer1/assets/tls-ca/tls-ca-cert.pem
Set environment variables
export FABRIC_CA_CLIENT_MSPDIR=tls-msp
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org2/peer1/assets/tls-ca/tls-ca-cert.pem
Enroll peer1 with the TLS CA server
fabric-ca-client enroll -d -u https://peer1-org2:peer1PW@0.0.0.0:7052 --enrollment.profile tls --csr.hosts peer1-org2 --tls.certfiles /tmp/hyperledger/org2/peer1/assets/tls-ca/tls-ca-cert.pem
Rename the key file
mv /tmp/hyperledger/org2/peer1/tls-msp/keystore/*_sk /tmp/hyperledger/org2/peer1/tls-msp/keystore/key.pem
5.2 peer2
mkdir -p /tmp/hyperledger/org2/peer2/assets/ca
cp /tmp/hyperledger/org2/ca/crypto/ca-cert.pem /tmp/hyperledger/org2/peer2/assets/ca/org2-ca-cert.pem
Set environment variables
export FABRIC_CA_CLIENT_HOME=/tmp/hyperledger/org2/peer2
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org2/peer2/assets/ca/org2-ca-cert.pem
export FABRIC_CA_CLIENT_MSPDIR=msp
Enroll peer2 with the Org2 CA server
fabric-ca-client enroll -d -u https://peer2-org2:peer2PW@0.0.0.0:7055 --tls.certfiles /tmp/hyperledger/org2/peer2/assets/ca/org2-ca-cert.pem
Next, TLS
mkdir /tmp/hyperledger/org2/peer2/assets/tls-ca
cp /tmp/hyperledger/fabric-ca-tls/crypto/ca-cert.pem /tmp/hyperledger/org2/peer2/assets/tls-ca/tls-ca-cert.pem
Set environment variables
export FABRIC_CA_CLIENT_MSPDIR=tls-msp
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org2/peer2/assets/tls-ca/tls-ca-cert.pem
Enroll peer2 with the TLS CA server
fabric-ca-client enroll -d -u https://peer2-org2:peer2PW@0.0.0.0:7052 --enrollment.profile tls --csr.hosts peer2-org2 --tls.certfiles /tmp/hyperledger/org2/peer2/assets/tls-ca/tls-ca-cert.pem
Rename the key file
mv /tmp/hyperledger/org2/peer2/tls-msp/keystore/*_sk /tmp/hyperledger/org2/peer2/tls-msp/keystore/key.pem
5.3 admin
Set environment variables
export FABRIC_CA_CLIENT_HOME=/tmp/hyperledger/org2/admin
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org2/peer1/assets/ca/org2-ca-cert.pem
export FABRIC_CA_CLIENT_MSPDIR=msp
Enroll admin with the Org2 CA server
fabric-ca-client enroll -d -u https://admin-org2:org2AdminPW@0.0.0.0:7055 --tls.certfiles /tmp/hyperledger/org2/peer1/assets/ca/org2-ca-cert.pem
Next, TLS
Set environment variables
export FABRIC_CA_CLIENT_MSPDIR=tls-msp
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org2/peer1/assets/tls-ca/tls-ca-cert.pem
Enroll admin with the TLS CA server
fabric-ca-client enroll -d -u https://admin-org2:org2AdminPW@0.0.0.0:7052 --enrollment.profile tls --csr.hosts admin-org2 --tls.certfiles /tmp/hyperledger/org2/peer1/assets/tls-ca/tls-ca-cert.pem
5.4 Copy the certificate into the admincerts folders:
mkdir /tmp/hyperledger/org2/peer1/msp/admincerts
cp /tmp/hyperledger/org2/admin/msp/signcerts/cert.pem /tmp/hyperledger/org2/peer1/msp/admincerts/org2-admin-cert.pem
mkdir /tmp/hyperledger/org2/peer2/msp/admincerts
cp /tmp/hyperledger/org2/admin/msp/signcerts/cert.pem /tmp/hyperledger/org2/peer2/msp/admincerts/org2-admin-cert.pem
5.5 Start the peer nodes
peer1 configuration
mkdir -p /tmp/hyperledger/docker-compose/org2/peer1 && cd /tmp/hyperledger/docker-compose/org2/peer1
touch docker-compose.yaml
and add the following content to the file (tip: keep the indentation intact):
version: '2'
networks:
  fabric-ca:
services:
  peer1-org2:
    container_name: peer1-org2
    image: hyperledger/fabric-peer:2.0.0
    environment:
      - CORE_PEER_ID=peer1-org2
      - CORE_PEER_ADDRESS=peer1-org2:7051
      - CORE_PEER_LISTENADDRESS=0.0.0.0:7051
      - CORE_PEER_CHAINCODEADDRESS=peer1-org2:7052
      - CORE_PEER_CHAINCODELISTENADDRESS=0.0.0.0:7052
      - CORE_PEER_GOSSIP_BOOTSTRAP=peer1-org2:7051
      - CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer1-org2:7051
      - CORE_PEER_LOCALMSPID=org2MSP
      - CORE_PEER_MSPCONFIGPATH=/tmp/hyperledger/org2/peer1/msp
      - CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
      - CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE=${COMPOSE_PROJECT_NAME}_fabric-ca
      - FABRIC_LOGGING_SPEC=debug
      - CORE_PEER_TLS_ENABLED=true
      - CORE_PEER_TLS_CERT_FILE=/tmp/hyperledger/org2/peer1/tls-msp/signcerts/cert.pem
      - CORE_PEER_TLS_KEY_FILE=/tmp/hyperledger/org2/peer1/tls-msp/keystore/key.pem
      - CORE_PEER_TLS_ROOTCERT_FILE=/tmp/hyperledger/org2/peer1/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem
      - CORE_PEER_GOSSIP_USELEADERELECTION=true
      - CORE_PEER_GOSSIP_ORGLEADER=false
      - CORE_PEER_PROFILE_ENABLED=true
      - CORE_PEER_GOSSIP_SKIPHANDSHAKE=true
    working_dir: /opt/gopath/src/github.com/hyperledger/fabric/org2/peer1
    volumes:
      - /var/run:/host/var/run
      - /tmp/hyperledger/org2/peer1:/tmp/hyperledger/org2/peer1
    networks:
      - fabric-ca
Start the container
docker-compose up -d
peer2 configuration
mkdir -p /tmp/hyperledger/docker-compose/org2/peer2 && cd /tmp/hyperledger/docker-compose/org2/peer2
touch docker-compose.yaml
and add the following content to the file (tip: keep the indentation intact):
version: '2'
networks:
  fabric-ca:
services:
  peer2-org2:
    container_name: peer2-org2
    image: hyperledger/fabric-peer:2.0.0
    environment:
      - CORE_PEER_ID=peer2-org2
      - CORE_PEER_ADDRESS=peer2-org2:7051
      - CORE_PEER_LISTENADDRESS=0.0.0.0:7051
      - CORE_PEER_CHAINCODEADDRESS=peer2-org2:7052
      - CORE_PEER_CHAINCODELISTENADDRESS=0.0.0.0:7052
      - CORE_PEER_GOSSIP_BOOTSTRAP=peer1-org2:7051
      - CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer2-org2:7051
      - CORE_PEER_LOCALMSPID=org2MSP
      - CORE_PEER_MSPCONFIGPATH=/tmp/hyperledger/org2/peer2/msp
      - CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
      - CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE=${COMPOSE_PROJECT_NAME}_fabric-ca
      - FABRIC_LOGGING_SPEC=debug
      - CORE_PEER_TLS_ENABLED=true
      - CORE_PEER_TLS_CERT_FILE=/tmp/hyperledger/org2/peer2/tls-msp/signcerts/cert.pem
      - CORE_PEER_TLS_KEY_FILE=/tmp/hyperledger/org2/peer2/tls-msp/keystore/key.pem
      - CORE_PEER_TLS_ROOTCERT_FILE=/tmp/hyperledger/org2/peer2/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem
      - CORE_PEER_GOSSIP_USELEADERELECTION=true
      - CORE_PEER_GOSSIP_ORGLEADER=false
      - CORE_PEER_GOSSIP_SKIPHANDSHAKE=true
      - CORE_PEER_PROFILE_ENABLED=true
    working_dir: /opt/gopath/src/github.com/hyperledger/fabric/org2/peer2
    volumes:
      - /var/run:/host/var/run
      - /tmp/hyperledger/org2/peer2:/tmp/hyperledger/org2/peer2
    networks:
      - fabric-ca
Start the container
docker-compose up -d
6. Orderer node configuration
Next comes the orderer node. Why is it last? Because starting the orderer requires a genesis block to be generated first, and generating the genesis block involves another configuration file, so the simpler peer nodes were configured first.
6.1 orderer
mkdir -p /tmp/hyperledger/org0/orderer/assets/ca/
cp /tmp/hyperledger/org0/ca/crypto/ca-cert.pem /tmp/hyperledger/org0/orderer/assets/ca/org0-ca-cert.pem
Set environment variables
export FABRIC_CA_CLIENT_HOME=/tmp/hyperledger/org0/orderer
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org0/orderer/assets/ca/org0-ca-cert.pem
export FABRIC_CA_CLIENT_MSPDIR=msp
Enroll the orderer with the Org0 CA server
fabric-ca-client enroll -d -u https://orderer1-org0:ordererpw@0.0.0.0:7053 --tls.certfiles /tmp/hyperledger/org0/orderer/assets/ca/org0-ca-cert.pem
Next the TLS certificate
mkdir /tmp/hyperledger/org0/orderer/assets/tls-ca/
cp /tmp/hyperledger/fabric-ca-tls/crypto/ca-cert.pem /tmp/hyperledger/org0/orderer/assets/tls-ca/tls-ca-cert.pem
Set environment variables
export FABRIC_CA_CLIENT_MSPDIR=tls-msp
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org0/orderer/assets/tls-ca/tls-ca-cert.pem
Enroll the orderer with the TLS CA server
fabric-ca-client enroll -d -u https://orderer1-org0:ordererPW@0.0.0.0:7052 --enrollment.profile tls --csr.hosts orderer1-org0 --tls.certfiles /tmp/hyperledger/org0/orderer/assets/tls-ca/tls-ca-cert.pem
Rename the key file
mv /tmp/hyperledger/org0/orderer/tls-msp/keystore/*_sk /tmp/hyperledger/org0/orderer/tls-msp/keystore/key.pem
6.2 admin
Set environment variables
export FABRIC_CA_CLIENT_HOME=/tmp/hyperledger/org0/admin
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org0/orderer/assets/ca/org0-ca-cert.pem
export FABRIC_CA_CLIENT_MSPDIR=msp
Enroll the admin user to obtain its MSP
fabric-ca-client enroll -d -u https://admin-org0:org0adminpw@0.0.0.0:7053 --tls.certfiles /tmp/hyperledger/org0/orderer/assets/ca/org0-ca-cert.pem
Copy the certificate into the admincerts folder:
mkdir /tmp/hyperledger/org0/orderer/msp/admincerts
cp /tmp/hyperledger/org0/admin/msp/signcerts/cert.pem /tmp/hyperledger/org0/orderer/msp/admincerts/orderer-admin-cert.pem
With all certificates in place, we still need to add a config.yaml to each msp folder:
NodeOUs:
  Enable: true
  ClientOUIdentifier:
    # change the certificate file name to match the organization's own CA (the name follows the CA's host and port)
    Certificate: cacerts/0-0-0-0-7053.pem
    OrganizationalUnitIdentifier: client
  PeerOUIdentifier:
    Certificate: cacerts/0-0-0-0-7053.pem
    OrganizationalUnitIdentifier: peer
  AdminOUIdentifier:
    Certificate: cacerts/0-0-0-0-7053.pem
    OrganizationalUnitIdentifier: admin
  OrdererOUIdentifier:
    Certificate: cacerts/0-0-0-0-7053.pem
    OrganizationalUnitIdentifier: orderer
It must be added to every msp directory under org0, org1 and org2.
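A small helper for the step above, added as example code (not the post's own script): it writes this config.yaml into an MSP directory, taking the certificate file name from the directory's own cacerts/ folder, so that org0 (CA on port 7053), org1 (7054) and org2 (7055) each get the correct name instead of a hard-coded 0-0-0-0-7053.pem. It assumes a POSIX shell and paths without spaces; the sample directory tree it runs on is constructed inside the script.

```shell
# Added example, not from the original post. Writes the NodeOUs config.yaml
# into an MSP directory, using the single CA certificate found in cacerts/ so
# the file name matches whichever CA (7053/7054/7055) issued that MSP.
# Assumes a POSIX shell and paths without spaces.

# write_nodeous_config MSPDIR
# Returns 0 after writing MSPDIR/config.yaml; returns 1 if cacerts/ does not
# hold exactly one certificate (an MSP here should trust exactly one root).
write_nodeous_config() {
    mspdir=$1
    set -- "$mspdir"/cacerts/*.pem
    if [ "$#" -ne 1 ] || [ ! -f "$1" ]; then
        echo "$mspdir/cacerts must contain exactly one .pem file" >&2
        return 1
    fi
    cacert="cacerts/$(basename "$1")"
    cat > "$mspdir/config.yaml" <<EOF
NodeOUs:
  Enable: true
  ClientOUIdentifier:
    Certificate: $cacert
    OrganizationalUnitIdentifier: client
  PeerOUIdentifier:
    Certificate: $cacert
    OrganizationalUnitIdentifier: peer
  AdminOUIdentifier:
    Certificate: $cacert
    OrganizationalUnitIdentifier: admin
  OrdererOUIdentifier:
    Certificate: $cacert
    OrganizationalUnitIdentifier: orderer
EOF
}

# write_all_nodeous ROOT
# Applies write_nodeous_config to every directory named "msp" below ROOT
# (peer, admin and orderer MSPs alike); stops at the first failure.
write_all_nodeous() {
    for d in $(find "$1" -type d -name msp); do
        write_nodeous_config "$d" || return 1
    done
}

# nodeous_cert_name MSPDIR
# Prints the distinct certificate name(s) recorded in MSPDIR/config.yaml,
# a quick way to see what was written.
nodeous_cert_name() {
    sed -n 's/^ *Certificate: //p' "$1/config.yaml" | sort -u
}

# Constructed sample tree mimicking /tmp/hyperledger/org1 (empty placeholder
# files stand in for the real certificates issued by the org1 CA on 7054).
SAMPLE=$(mktemp -d)
for m in peer1 peer2 admin; do
    mkdir -p "$SAMPLE/org1/$m/msp/cacerts"
    : > "$SAMPLE/org1/$m/msp/cacerts/0-0-0-0-7054.pem"
done
write_all_nodeous "$SAMPLE/org1"
```

For the real tree run write_all_nodeous /tmp/hyperledger/org0, then org1 and org2; the configtx copies made in section 7.1 need it too if they are created before this step.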
7. The Fabric network
All certificates have been generated and the network is about to be started, but there is still a lot of preparation to do first.
7.1 Assemble the MSPDir folders
---------------org0--------------------
mkdir -p /tmp/hyperledger/configtx && cd /tmp/hyperledger/configtx
mkdir org0
cp -r ../org0/admin/msp org0/
cd org0/msp
mkdir tlscacerts && cd tlscacerts
cp /tmp/hyperledger/org0/orderer/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem ./
--------------------------------------
---------------org1--------------------
cd /tmp/hyperledger/configtx
mkdir org1
cp -r ../org1/admin/msp org1/
cd org1/msp
mkdir tlscacerts && cd tlscacerts
cp /tmp/hyperledger/org1/admin/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem ./
--------------------------------------
---------------org2--------------------
cd /tmp/hyperledger/configtx
mkdir org2
cp -r ../org2/admin/msp org2/
cd org2/msp
mkdir tlscacerts && cd tlscacerts
cp /tmp/hyperledger/org2/admin/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem ./
--------------------------------------
7.2 configtx.yaml configuration
The next step, generating the genesis block and the channel configuration, needs a file: configtx.yaml.
cd /tmp/hyperledger/configtx
touch configtx.yaml
File contents
# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#
---
################################################################################
#
#   Section: Organizations
#
#   - This section defines the different organizational identities which will
#   be referenced later in the configuration.
#
################################################################################
Organizations:
    # SampleOrg defines an MSP using the sampleconfig. It should never be used
    # in production but may be used as a template for other definitions
    - &org0
        # DefaultOrg defines the organization which is used in the sampleconfig
        # of the fabric.git development environment
        Name: org0MSP
        # ID to load the MSP definition as
        ID: org0MSP
        # MSPDir is the filesystem path which contains the MSP configuration
        MSPDir: ../configtx/org0/msp
        # Policies defines the set of policies at this level of the config tree
        # For organization policies, their canonical path is usually
        #   /Channel/<Application|Orderer>/<OrgName>/<PolicyName>
        Policies:
            Readers:
                Type: Signature
                Rule: "OR('org0MSP.member')"
            Writers:
                Type: Signature
                Rule: "OR('org0MSP.member')"
            Admins:
                Type: Signature
                Rule: "OR('org0MSP.admin')"
        OrdererEndpoints:
            - orderer1-org0:7050
    - &org1
        # DefaultOrg defines the organization which is used in the sampleconfig
        # of the fabric.git development environment
        Name: org1MSP
        # ID to load the MSP definition as
        ID: org1MSP
        MSPDir: ../configtx/org1/msp
        # Policies defines the set of policies at this level of the config tree
        # For organization policies, their canonical path is usually
        #   /Channel/<Application|Orderer>/<OrgName>/<PolicyName>
        Policies:
            Readers:
                Type: Signature
                Rule: "OR('org1MSP.admin', 'org1MSP.peer', 'org1MSP.client')"
            Writers:
                Type: Signature
                Rule: "OR('org1MSP.admin', 'org1MSP.client')"
            Admins:
                Type: Signature
                Rule: "OR('org1MSP.admin')"
            Endorsement:
                Type: Signature
                Rule: "OR('org1MSP.peer')"
        # leave this flag set to true.
        AnchorPeers:
            # AnchorPeers defines the location of peers which can be used
            # for cross org gossip communication. Note, this value is only
            # encoded in the genesis block in the Application section context
            - Host: peer1-org1
              Port: 7051
    - &org2
        # DefaultOrg defines the organization which is used in the sampleconfig
        # of the fabric.git development environment
        Name: org2MSP
        # ID to load the MSP definition as
        ID: org2MSP
        MSPDir: ../configtx/org2/msp
        # Policies defines the set of policies at this level of the config tree
        # For organization policies, their canonical path is usually
        #   /Channel/<Application|Orderer>/<OrgName>/<PolicyName>
        Policies:
            Readers:
                Type: Signature
                Rule: "OR('org2MSP.admin', 'org2MSP.peer', 'org2MSP.client')"
            Writers:
                Type: Signature
                Rule: "OR('org2MSP.admin', 'org2MSP.client')"
            Admins:
                Type: Signature
                Rule: "OR('org2MSP.admin')"
            Endorsement:
                Type: Signature
                Rule: "OR('org2MSP.peer')"
        AnchorPeers:
            # AnchorPeers defines the location of peers which can be used
            # for cross org gossip communication. Note, this value is only
            # encoded in the genesis block in the Application section context
            - Host: peer1-org2
              Port: 7051
################################################################################
#
#   SECTION: Capabilities
#
#   - This section defines the capabilities of fabric network. This is a new
#   concept as of v1.1.0 and should not be utilized in mixed networks with
#   v1.0.x peers and orderers. Capabilities define features which must be
#   present in a fabric binary for that binary to safely participate in the
#   fabric network. For instance, if a new MSP type is added, newer binaries
#   might recognize and validate the signatures from this type, while older
#   binaries without this support would be unable to validate those
#   transactions. This could lead to different versions of the fabric binaries
#   having different world states. Instead, defining a capability for a channel
#   informs those binaries without this capability that they must cease
#   processing transactions until they have been upgraded. For v1.0.x if any
#   capabilities are defined (including a map with all capabilities turned off)
#   then the v1.0.x peer will deliberately crash.
#
################################################################################
Capabilities:
    # Channel capabilities apply to both the orderers and the peers and must be
    # supported by both.
    # Set the value of the capability to true to require it.
    Channel: &ChannelCapabilities
        # V2_0 capability ensures that orderers and peers behave according
        # to v2.0 channel capabilities. Orderers and peers from
        # prior releases would behave in an incompatible way, and are therefore
        # not able to participate in channels at v2.0 capability.
        # Prior to enabling V2.0 channel capabilities, ensure that all
        # orderers and peers on a channel are at v2.0.0 or later.
        V2_0: true
    # Orderer capabilities apply only to the orderers, and may be safely
    # used with prior release peers.
    # Set the value of the capability to true to require it.
    Orderer: &OrdererCapabilities
        # V2_0 orderer capability ensures that orderers behave according
        # to v2.0 orderer capabilities. Orderers from
        # prior releases would behave in an incompatible way, and are therefore
        # not able to participate in channels at v2.0 orderer capability.
        # Prior to enabling V2.0 orderer capabilities, ensure that all
        # orderers on channel are at v2.0.0 or later.
        V2_0: true
    # Application capabilities apply only to the peer network, and may be safely
    # used with prior release orderers.
    # Set the value of the capability to true to require it.
    Application: &ApplicationCapabilities
        # V2_0 application capability ensures that peers behave according
        # to v2.0 application capabilities. Peers from
        # prior releases would behave in an incompatible way, and are therefore
        # not able to participate in channels at v2.0 application capability.
        # Prior to enabling V2.0 application capabilities, ensure that all
        # peers on channel are at v2.0.0 or later.
        V2_0: true
################################################################################
#
#   SECTION: Application
#
#   - This section defines the values to encode into a config transaction or
#   genesis block for application related parameters
#
################################################################################
Application: &ApplicationDefaults
    # Organizations is the list of orgs which are defined as participants on
    # the application side of the network
    Organizations:
    # Policies defines the set of policies at this level of the config tree
    # For Application policies, their canonical path is
    #   /Channel/Application/<PolicyName>
    Policies:
        Readers:
            Type: ImplicitMeta
            Rule: "ANY Readers"
        Writers:
            Type: ImplicitMeta
            Rule: "ANY Writers"
        Admins:
            Type: ImplicitMeta
            Rule: "MAJORITY Admins"
        LifecycleEndorsement:
            Type: ImplicitMeta
            Rule: "MAJORITY Endorsement"
        Endorsement:
            Type: ImplicitMeta
            Rule: "MAJORITY Endorsement"
    Capabilities:
        <<: *ApplicationCapabilities
################################################################################
#
#   SECTION: Orderer
#
#   - This section defines the values to encode into a config transaction or
#   genesis block for orderer related parameters
#
################################################################################
Orderer: &OrdererDefaults
    # Orderer Type: The orderer implementation to start
    OrdererType: etcdraft
    EtcdRaft:
        Consenters:
            - Host: orderer1-org0
              Port: 7050
              ClientTLSCert: /tmp/hyperledger/org0/orderer/tls-msp/signcerts/cert.pem
              ServerTLSCert: /tmp/hyperledger/org0/orderer/tls-msp/signcerts/cert.pem
    # Batch Timeout: The amount of time to wait before creating a batch
    BatchTimeout: 2s
    # Batch Size: Controls the number of messages batched into a block
    BatchSize:
        # Max Message Count: The maximum number of messages to permit in a batch
        MaxMessageCount: 10
        # Absolute Max Bytes: The absolute maximum number of bytes allowed for
        # the serialized messages in a batch.
        AbsoluteMaxBytes: 99 MB
        # Preferred Max Bytes: The preferred maximum number of bytes allowed for
        # the serialized messages in a batch. A message larger than the preferred
# max bytes will result in a batch larger than preferred max bytes.
PreferredMaxBytes: 512 KB
# Organizations is the list of orgs which are defined as participants on
# the orderer side of the network
Organizations:
# Policies defines the set of policies at this level of the config tree
# For Orderer policies, their canonical path is
# /Channel/Orderer/
Policies:
Readers:
Type: ImplicitMeta
Rule: "ANY Readers"
Writers:
Type: ImplicitMeta
Rule: "ANY Writers"
Admins:
Type: ImplicitMeta
Rule: "MAJORITY Admins"
# BlockValidation specifies what signatures must be included in the block
# from the orderer for the peer to validate it.
BlockValidation:
Type: ImplicitMeta
Rule: "ANY Writers"
################################################################################
#
# CHANNEL
#
# This section defines the values to encode into a config transaction or
# genesis block for channel related parameters.
#
################################################################################
Channel: &ChannelDefaults
# Policies defines the set of policies at this level of the config tree
# For Channel policies, their canonical path is
# /Channel/
Policies:
# Who may invoke the 'Deliver' API
Readers:
Type: ImplicitMeta
Rule: "ANY Readers"
# Who may invoke the 'Broadcast' API
Writers:
Type: ImplicitMeta
Rule: "ANY Writers"
# By default, who may modify elements at this config level
Admins:
Type: ImplicitMeta
Rule: "MAJORITY Admins"
# Capabilities describes the channel level capabilities, see the
# dedicated Capabilities section elsewhere in this file for a full
# description
Capabilities:
<<: *ChannelCapabilities
################################################################################
#
# Profile
#
# - Different configuration profiles may be encoded here to be specified
# as parameters to the configtxgen tool
#
################################################################################
Profiles:
TwoOrgsOrdererGenesis:
<<: *ChannelDefaults
Orderer:
<<: *OrdererDefaults
Organizations:
- *org0
Capabilities:
<<: *OrdererCapabilities
Consortiums:
SampleConsortium:
Organizations:
- *org1
- *org2
TwoOrgsChannel:
Consortium: SampleConsortium
<<: *ChannelDefaults
Application:
<<: *ApplicationDefaults
Organizations:
- *org1
- *org2
Capabilities:
<<: *ApplicationCapabilities
Note: adjust the MSP and certificate paths to your own environment. configtxgen reads the consenter's ClientTLSCert/ServerTLSCert from the host when it generates the genesis block, so the orderer's TLS enrollment must already exist at those paths, and the certificate must be the same one the orderer container later presents for its Raft cluster connections.
The policies above are what protect the channel: Readers/Writers "ANY" lets any member of any channel organization read the ledger and submit transactions, "MAJORITY Admins" means a channel configuration change needs admin signatures from more than half of the organizations, and "MAJORITY Endorsement" on LifecycleEndorsement means a chaincode definition can only be committed once more than half of the organizations have approved it. With the two organizations in SampleConsortium, "majority" means both.
7.3 Generate the genesis block and channel artifacts
configtxgen looks for configtx.yaml in FABRIC_CFG_PATH, or in the current directory when that variable is unset, which is why we change into the configtx directory first.
cd /tmp/hyperledger/configtx
mkdir -p system-genesis-block channel-artifacts
Generate the genesis block of the system channel:
configtxgen -profile TwoOrgsOrdererGenesis -channelID system-channel -outputBlock ./system-genesis-block/genesis.block
Generate the channel creation transaction:
export CHANNEL_NAME=mychannel
configtxgen -profile TwoOrgsChannel -outputCreateChannelTx ./channel-artifacts/${CHANNEL_NAME}.tx -channelID ${CHANNEL_NAME}
Anchor peer update for Org1 (the -asOrg value must match the organization's Name in configtx.yaml):
export orgmsp=org1MSP
configtxgen -profile TwoOrgsChannel -outputAnchorPeersUpdate ./channel-artifacts/${orgmsp}anchors.tx -channelID ${CHANNEL_NAME} -asOrg ${orgmsp}
Anchor peer update for Org2:
export orgmsp=org2MSP
configtxgen -profile TwoOrgsChannel -outputAnchorPeersUpdate ./channel-artifacts/${orgmsp}anchors.tx -channelID ${CHANNEL_NAME} -asOrg ${orgmsp}
Once the genesis block and the channel artifacts have been generated, start the orderer node.
mkdir -p /tmp/hyperledger/docker-compose/org0/orderer && cd /tmp/hyperledger/docker-compose/org0/orderer
touch docker-compose.yaml
Add the following content to the file (tip: keep the indentation intact):
version: '2'

networks:
  fabric-ca:

services:
  orderer1-org0:
    container_name: orderer1-org0
    image: hyperledger/fabric-orderer:2.0.0
    environment:
      - ORDERER_HOME=/tmp/hyperledger/orderer
      - ORDERER_HOST=orderer1-org0
      - ORDERER_GENERAL_LISTENADDRESS=0.0.0.0
      - ORDERER_GENERAL_LISTENPORT=7050
      # bootstrap from the genesis block generated by configtxgen (mounted below)
      - ORDERER_GENERAL_GENESISMETHOD=file
      - ORDERER_GENERAL_GENESISFILE=/tmp/hyperledger/orderer/orderer.genesis.block
      - ORDERER_GENERAL_LOCALMSPID=org0MSP
      - ORDERER_GENERAL_LOCALMSPDIR=/tmp/hyperledger/org0/orderer/msp
      # server TLS: certificate issued by the TLS CA; ROOTCAS pins the TLS CA root,
      # so only clients presenting certificates from that CA are accepted
      - ORDERER_GENERAL_TLS_ENABLED=true
      - ORDERER_GENERAL_TLS_PRIVATEKEY=/tmp/hyperledger/org0/orderer/tls-msp/keystore/key.pem
      - ORDERER_GENERAL_TLS_CERTIFICATE=/tmp/hyperledger/org0/orderer/tls-msp/signcerts/cert.pem
      - ORDERER_GENERAL_TLS_ROOTCAS=[/tmp/hyperledger/org0/orderer/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem]
      # Kafka settings are not used with OrdererType etcdraft
      - ORDERER_KAFKA_TOPIC_REPLICATIONFACTOR=1
      - ORDERER_KAFKA_VERBOSE=true
      # Raft cluster (orderer-to-orderer) TLS; this certificate must be the one
      # listed as ClientTLSCert/ServerTLSCert for the consenter in configtx.yaml
      - ORDERER_GENERAL_CLUSTER_CLIENTCERTIFICATE=/tmp/hyperledger/org0/orderer/tls-msp/signcerts/cert.pem
      - ORDERER_GENERAL_CLUSTER_CLIENTPRIVATEKEY=/tmp/hyperledger/org0/orderer/tls-msp/keystore/key.pem
      - ORDERER_GENERAL_CLUSTER_ROOTCAS=[/tmp/hyperledger/org0/orderer/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem]
      - ORDERER_GENERAL_LOGLEVEL=debug
      - ORDERER_DEBUG_BROADCASTTRACEDIR=data/logs
    volumes:
      - /tmp/hyperledger/org0/orderer:/tmp/hyperledger/org0/orderer/
      - /tmp/hyperledger/configtx/system-genesis-block/genesis.block:/tmp/hyperledger/orderer/orderer.genesis.block
    networks:
      - fabric-ca
Start the container: docker-compose up -d
Check that it came up: docker logs orderer1-org0 2>&1 | grep "Beginning to serve requests". If the orderer exits instead, the usual causes are a genesis block whose consenter certificate does not match ORDERER_GENERAL_CLUSTER_CLIENTCERTIFICATE, or a wrong MSP path.
Start the CLI for Org1
We use this container to interact with Org1's peers: channel operations and the chaincode lifecycle.
mkdir -p /tmp/hyperledger/docker-compose/org1/cli && cd /tmp/hyperledger/docker-compose/org1/cli
touch docker-compose.yaml
Add the following content to the file (tip: keep the indentation intact):
version: '2'

networks:
  fabric-ca:

services:
  cli-org1:
    container_name: cli-org1
    image: hyperledger/fabric-tools:2.0.0
    tty: true
    stdin_open: true
    environment:
      # leftover from the fabric-samples scripts; the peer CLI does not read it
      - SYS_CHANNEL=testchainid
      - GOPATH=/opt/gopath
      - CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
      - FABRIC_LOGGING_SPEC=DEBUG
      - CORE_PEER_ID=cli-org1
      # default target peer; override CORE_PEER_ADDRESS to talk to peer2-org1
      - CORE_PEER_ADDRESS=peer1-org1:7051
      - CORE_PEER_LOCALMSPID=org1MSP
      # client TLS towards the peer: trust root is the shared TLS CA
      - CORE_PEER_TLS_ENABLED=true
      - CORE_PEER_TLS_ROOTCERT_FILE=/tmp/hyperledger/org1/peer1/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem
      - CORE_PEER_TLS_CERT_FILE=/tmp/hyperledger/org1/peer1/tls-msp/signcerts/cert.pem
      - CORE_PEER_TLS_KEY_FILE=/tmp/hyperledger/org1/peer1/tls-msp/keystore/key.pem
      # default signing identity is the peer's; admin operations override this
      # with /tmp/hyperledger/org1/admin/msp
      - CORE_PEER_MSPCONFIGPATH=/tmp/hyperledger/org1/peer1/msp
    working_dir: /opt/gopath/src/github.com/hyperledger/fabric/org1
    command: /bin/bash
    volumes:
      - /tmp/hyperledger/org1:/tmp/hyperledger/org1/
      - /tmp/hyperledger/org2:/tmp/hyperledger/org2/
      - /tmp/hyperledger/org1/peer1/assets/chaincode:/opt/gopath/src/github.com/hyperledger/fabric-samples/chaincode
      - /tmp/hyperledger/org1/admin:/tmp/hyperledger/org1/admin
      - /tmp/hyperledger/org0/orderer/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem:/tmp/hyperledger/org0/orderer/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem
      - /tmp/hyperledger/org1/peer1/tls-msp/tlscacerts:/tmp/hyperledger/org1/admin/msp/tlscacerts
      - /tmp/hyperledger/configtx/channel-artifacts:/tmp/hyperledger/configtx/channel-artifacts
    networks:
      - fabric-ca
Start the CLI for Org2
We use this container to interact with Org2's peers.
mkdir -p /tmp/hyperledger/docker-compose/org2/cli && cd /tmp/hyperledger/docker-compose/org2/cli
touch docker-compose.yaml
Add the following content to the file (tip: keep the indentation intact):
version: '2'

networks:
  fabric-ca:

services:
  cli-org2:
    container_name: cli-org2
    image: hyperledger/fabric-tools:2.0.0
    tty: true
    stdin_open: true
    environment:
      # leftover from the fabric-samples scripts; the peer CLI does not read it
      - SYS_CHANNEL=testchainid
      - GOPATH=/opt/gopath
      - CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
      - FABRIC_LOGGING_SPEC=DEBUG
      - CORE_PEER_ID=cli-org2
      # default target peer; override CORE_PEER_ADDRESS to talk to peer2-org2
      - CORE_PEER_ADDRESS=peer1-org2:7051
      - CORE_PEER_LOCALMSPID=org2MSP
      # client TLS towards the peer: trust root is the shared TLS CA
      - CORE_PEER_TLS_ENABLED=true
      - CORE_PEER_TLS_ROOTCERT_FILE=/tmp/hyperledger/org2/peer1/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem
      - CORE_PEER_TLS_CERT_FILE=/tmp/hyperledger/org2/peer1/tls-msp/signcerts/cert.pem
      - CORE_PEER_TLS_KEY_FILE=/tmp/hyperledger/org2/peer1/tls-msp/keystore/key.pem
      # default signing identity is the peer's; admin operations override this
      # with /tmp/hyperledger/org2/admin/msp
      - CORE_PEER_MSPCONFIGPATH=/tmp/hyperledger/org2/peer1/msp
    working_dir: /opt/gopath/src/github.com/hyperledger/fabric/org2
    command: /bin/bash
    volumes:
      - /tmp/hyperledger/org1:/tmp/hyperledger/org1/
      - /tmp/hyperledger/org2:/tmp/hyperledger/org2/
      - /tmp/hyperledger/org2/peer1:/tmp/hyperledger/org2/peer1
      - /tmp/hyperledger/org2/peer1/assets/chaincode:/opt/gopath/src/github.com/hyperledger/fabric-samples/chaincode
      - /tmp/hyperledger/org2/admin:/tmp/hyperledger/org2/admin
      - /tmp/hyperledger/org0/orderer/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem:/tmp/hyperledger/org0/orderer/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem
      - /tmp/hyperledger/org2/peer1/tls-msp/tlscacerts:/tmp/hyperledger/org2/peer1/msp/tlscacerts
      - /tmp/hyperledger/configtx/channel-artifacts:/tmp/hyperledger/configtx/channel-artifacts
    networks:
      - fabric-ca
8. Create and join the channel
Channel creation and the anchor-peer updates are configuration transactions, so they have to be signed by an organization admin. That is why CORE_PEER_MSPCONFIGPATH is switched from the peer's MSP (the container default) to the admin MSP before these commands. ORDERER_CA is the root certificate of the TLS CA; the CLI uses it to authenticate the orderer's TLS certificate, and --ordererTLSHostnameOverride is needed because that certificate was issued for the host name orderer1-org0. Every docker exec opens a fresh shell, so the exports must be repeated in each session.
-----------------------------cli-org1-------------------------------
docker exec -it cli-org1 bash
export CHANNEL_NAME=mychannel
export ORDERER_CA=/tmp/hyperledger/org0/orderer/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem
export CORE_PEER_LOCALMSPID=org1MSP
export CORE_PEER_MSPCONFIGPATH=/tmp/hyperledger/org1/admin/msp
cd /tmp/hyperledger/configtx
peer channel create -o orderer1-org0:7050 -c ${CHANNEL_NAME} --ordererTLSHostnameOverride orderer1-org0 -f ./channel-artifacts/${CHANNEL_NAME}.tx --outputBlock ./channel-artifacts/${CHANNEL_NAME}.block --tls --cafile ${ORDERER_CA}
The channel's genesis block is written into channel-artifacts, the host directory that is also mounted into cli-org2, so Org2 can join from the same file without copying it.
Join both Org1 peers; CORE_PEER_ADDRESS selects the peer the CLI talks to:
export CORE_PEER_ADDRESS=peer1-org1:7051
peer channel join -b ./channel-artifacts/${CHANNEL_NAME}.block
export CORE_PEER_ADDRESS=peer2-org1:7051
peer channel join -b ./channel-artifacts/${CHANNEL_NAME}.block
Submit the anchor-peer update for Org1:
peer channel update -o orderer1-org0:7050 --ordererTLSHostnameOverride orderer1-org0 -c $CHANNEL_NAME -f ./channel-artifacts/${CORE_PEER_LOCALMSPID}anchors.tx --tls --cafile $ORDERER_CA
peer channel list prints the channels joined by the peer in CORE_PEER_ADDRESS and is a quick way to confirm the join.
-----------------------------cli-org1-end-------------------------------
-----------------------------cli-org2------------------------------------
The block is referenced by a relative path, so change into the configtx directory before joining.
docker exec -it cli-org2 bash
export CHANNEL_NAME=mychannel
export ORDERER_CA=/tmp/hyperledger/org0/orderer/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem
export CORE_PEER_LOCALMSPID=org2MSP
export CORE_PEER_MSPCONFIGPATH=/tmp/hyperledger/org2/admin/msp
cd /tmp/hyperledger/configtx
export CORE_PEER_ADDRESS=peer1-org2:7051
peer channel join -b ./channel-artifacts/${CHANNEL_NAME}.block
export CORE_PEER_ADDRESS=peer2-org2:7051
peer channel join -b ./channel-artifacts/${CHANNEL_NAME}.block
peer channel update -o orderer1-org0:7050 --ordererTLSHostnameOverride orderer1-org0 -c $CHANNEL_NAME -f ./channel-artifacts/${CORE_PEER_LOCALMSPID}anchors.tx --tls --cafile $ORDERER_CA
-----------------------------cli-org2-end-------------------------------
9. Chaincode installation and test
Install the chaincode
installChaincode
-----------------------------------------------
docker exec -it cli-org1 bash
cd /tmp/hyperledger/org1/peer1/assets/chaincode
export CORE_PEER_MSPCONFIGPATH=/tmp/hyperledger/org1/admin/msp
peer lifecycle chaincode install fabcar.tar.gz
Installation is a peer-local operation: the package goes to the peer named in CORE_PEER_ADDRESS (peer1-org1 in this container) and must be signed by an admin of that peer's own organization, so an Org2 admin identity cannot be used to install on an Org1 peer. If peer2-org1 is also going to endorse, point the CLI at it and install again:
export CORE_PEER_ADDRESS=peer2-org1:7051
peer lifecycle chaincode install fabcar.tar.gz
Org2's installation is the same procedure, run from the cli-org2 container with /tmp/hyperledger/org2/admin/msp against Org2's peers (the package is under /tmp/hyperledger/org2/peer1/assets/chaincode there).
-----------------------------------------------
Query the installed chaincode
queryInstalled()
-----------------------------------------------
peer lifecycle chaincode queryinstalled
The output lists the package ID of every installed package, for example:
packageid: fabcar_1:469a86090d7e3b537d6495abaae326fc5909d45692e4b19d43348a76e5fe4eb0
The part before the colon is the package label, the part after it is the SHA-256 of the package file, so the two organizations end up with the same ID only if they installed byte-identical copies of fabcar.tar.gz. Keep the ID; the approval step below needs it.
-----------------------------------------------
Approve the chaincode definition for your organization
The definition (name, version, sequence, package ID, init-required flag and endorsement policy) is approved per organization and signed by that organization's admin. --version is a free-form string, while --sequence counts how many times the definition has been committed on the channel and must increase with every change, so the two are kept in separate variables here.
docker exec -it cli-org1 bash
export VERSION=1
export SEQUENCE=1
export PACKAGE_ID=fabcar_1:469a86090d7e3b537d6495abaae326fc5909d45692e4b19d43348a76e5fe4eb0
export ORDERER_CA=/tmp/hyperledger/org0/orderer/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem
export CHANNEL_NAME=mychannel
export CORE_PEER_MSPCONFIGPATH=/tmp/hyperledger/org1/admin/msp
peer lifecycle chaincode approveformyorg -o orderer1-org0:7050 --ordererTLSHostnameOverride orderer1-org0 --tls --cafile ${ORDERER_CA} --channelID ${CHANNEL_NAME} --name fabcar --version ${VERSION} --init-required --package-id ${PACKAGE_ID} --sequence ${SEQUENCE}
peer lifecycle chaincode checkcommitreadiness --channelID $CHANNEL_NAME --name fabcar --version ${VERSION} --sequence ${SEQUENCE} --output json --init-required
The approvals map in the JSON output shows which organizations have approved exactly this definition. The channel's LifecycleEndorsement policy is "MAJORITY Endorsement", so with two member organizations the definition cannot be committed until Org2 has approved as well; an organization that approved a different package ID or version counts as not approved.
Org2's approval is the same procedure from cli-org2, with /tmp/hyperledger/org2/admin/msp and the package ID reported by Org2's own queryinstalled.
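The "MAJORITY" in the Application policies of configtx.yaml and the approvals map printed by checkcommitreadiness are two views of the same rule. The following Python script is an added example, not part of the original tutorial and not Fabric's own code: it evaluates an ImplicitMeta rule ("ANY", "ALL" or "MAJORITY" of the member organizations' sub-policies) the way Fabric's policy manager does, with the majority threshold at more than half of the organizations, and reuses that to answer whether a given approvals map is ready to commit. Organization and policy names are the ones used in this tutorial; the function names are ours.

```python
"""Evaluate the ImplicitMeta policies from the configtx.yaml above.

Added example, not part of the original tutorial and not Fabric's own code.
An ImplicitMeta rule "<ANY|ALL|MAJORITY> <SubPolicy>" under /Channel/Application
is satisfied when enough member orgs' own <SubPolicy> policies are satisfied;
Fabric's MAJORITY threshold is len(orgs) // 2 + 1 (strictly more than half).
With the two orgs in SampleConsortium, "MAJORITY Endorsement" therefore needs
both org1MSP and org2MSP, which is what checkcommitreadiness is waiting for.
"""
from typing import Dict, Iterable, Set


def implicit_meta_threshold(quantifier: str, org_count: int) -> int:
    """Number of member orgs whose sub-policy must pass for the rule to pass.
    Fabric treats an empty set of sub-policies as satisfied (threshold 0)."""
    if org_count == 0:
        return 0
    if quantifier == "ANY":
        return 1
    if quantifier == "ALL":
        return org_count
    if quantifier == "MAJORITY":
        return org_count // 2 + 1
    raise ValueError(f"unknown ImplicitMeta quantifier {quantifier!r}")


def implicit_meta_satisfied(rule: str, orgs: Iterable[str], satisfied: Dict[str, Set[str]]) -> bool:
    """rule: e.g. "MAJORITY Endorsement" as written in configtx.yaml.
    orgs: MSP IDs of the channel's member organizations.
    satisfied: org MSP ID -> set of that org's sub-policies the signatures met."""
    quantifier, sub_policy = rule.split(maxsplit=1)
    members = set(orgs)
    hits = sum(1 for org in members if sub_policy in satisfied.get(org, set()))
    return hits >= implicit_meta_threshold(quantifier, len(members))


def commit_ready(approvals: Dict[str, bool], rule: str = "MAJORITY Endorsement") -> bool:
    """Mirror of checkcommitreadiness: `approvals` is the map it prints
    ({"org1MSP": true, "org2MSP": false}); the definition can be committed
    once the approving orgs satisfy the channel's LifecycleEndorsement rule."""
    sub_policy = rule.split(maxsplit=1)[1]
    met = {org: {sub_policy} for org, approved in approvals.items() if approved}
    return implicit_meta_satisfied(rule, approvals.keys(), met)


if __name__ == "__main__":
    # Only Org1 has approved: not a majority of two.
    print(commit_ready({"org1MSP": True, "org2MSP": False}))
    # Both approved: commit may proceed.
    print(commit_ready({"org1MSP": True, "org2MSP": True}))
    # With three orgs, two admin signatures are enough for "MAJORITY Admins".
    three_orgs = {"org1MSP", "org2MSP", "org3MSP"}
    print(implicit_meta_satisfied("MAJORITY Admins", three_orgs,
                                  {"org1MSP": {"Admins"}, "org2MSP": {"Admins"}}))
```

The same evaluator explains the other policies in the file: "ANY Readers" passes as soon as one organization's Readers policy is met, and "MAJORITY Admins" is what a channel configuration update (such as the anchor-peer update above) must satisfy at the level where it changes the config.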
Commit the chaincode definition
The commit is a single channel-wide transaction. It only has to be submitted once, by either organization's admin, but it must collect endorsements from enough organizations to satisfy LifecycleEndorsement, which is why both peer1-org1 and peer1-org2 are listed with --peerAddresses, each with the TLS root it is verified against. Submitting the same commit a second time from cli-org2 fails, because sequence 1 is then already committed.
docker exec -it cli-org1 bash
export CHANNEL_NAME=mychannel
export VERSION=1
export SEQUENCE=1
export ORDERER_CA=/tmp/hyperledger/org0/orderer/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem
export CORE_PEER_MSPCONFIGPATH=/tmp/hyperledger/org1/admin/msp
peer lifecycle chaincode commit -o orderer1-org0:7050 --ordererTLSHostnameOverride orderer1-org0 --tls --cafile $ORDERER_CA --channelID $CHANNEL_NAME --name fabcar --peerAddresses peer1-org1:7051 --tlsRootCertFiles /tmp/hyperledger/org1/peer1/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem --peerAddresses peer1-org2:7051 --tlsRootCertFiles /tmp/hyperledger/org2/peer1/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem --version ${VERSION} --sequence ${SEQUENCE} --init-required
-----------------------------------cli-org2----------------------------------
Query the committed definition from Org2's side to confirm that both organizations see the same name, version and sequence:
docker exec -it cli-org2 bash
export CHANNEL_NAME=mychannel
export CORE_PEER_MSPCONFIGPATH=/tmp/hyperledger/org2/admin/msp
peer lifecycle chaincode querycommitted --channelID $CHANNEL_NAME --name fabcar
Initialize the chaincode
Because the definition was approved with --init-required, the first invocation must carry --isInit, and, like any invocation, it is endorsed according to the chaincode's endorsement policy. No explicit policy was given at approval time, so the channel default "MAJORITY Endorsement" applies and both organizations' peers have to endorse; hence the two --peerAddresses again. Run this from cli-org1:
docker exec -it cli-org1 bash
export CHANNEL_NAME=mychannel
export ORDERER_CA=/tmp/hyperledger/org0/orderer/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem
export CORE_PEER_MSPCONFIGPATH=/tmp/hyperledger/org1/admin/msp
peer chaincode invoke -o orderer1-org0:7050 --ordererTLSHostnameOverride orderer1-org0 --tls --cafile $ORDERER_CA -C $CHANNEL_NAME -n fabcar --peerAddresses peer1-org1:7051 --tlsRootCertFiles /tmp/hyperledger/org1/peer1/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem --peerAddresses peer1-org2:7051 --tlsRootCertFiles /tmp/hyperledger/org2/peer1/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem --isInit -c '{"function":"initLedger","Args":[]}'
Query
A query is evaluated on the single peer in CORE_PEER_ADDRESS and is not sent to the orderer, so no TLS arguments for the orderer are needed:
peer chaincode query -C $CHANNEL_NAME -n fabcar -c '{"Args":["queryAllCars"]}'