Fabric:搭建自定义网络
Hyperledger Fabric: V2.5.4
写在最前
从本篇博客开始,将陆续介绍使用Fabric搭建自定义网络及部署执行链码的过程。本篇主要介绍如何搭建网络。
由于前文在安装Fabric的时候,已经将目录fabric-samples/bin加入到了环境变量PATH中,所以正文用到cryptogen和configtxgen等工具已经可以在系统全局使用。
1 生成证书
1.1 生成模板文件
先在~/go/src下创建一个文件夹finance_network用来保存网络和通道的所有配置文件,并在该文件下使用cryptogen工具生成crypto-config.yaml模板文件。具体如下:
cd ~/go/src
mkdir finance_network
cd finance_network
cryptogen showtemplate > crypto-config.yaml
这时,会在finance_network目录下生成一个crypto-config.yaml文件。
1.2 自定义修改文件
可以根据要搭建的网络的需求在在crypto-config.yaml文件中修改相关的配置。假设搭建的网络的需求如下:
- 两个组织:Org1, Org2。Org1中有2个peer节点,而Org2中有2个peer节点,另外还有1个orderer节点。
- 每个peer节点允许的用户数为2。
- 将字符串
finance加入所有Orderer组织、peer节点的域名中。
根据这些要求修改crypto-config.yaml文件,具体如下:
OrdererOrgs:
- Name: Orderer # orderer组织的名称
Domain: finance.com # orderer组织的根域名
EnableNodeOUs: true # 是否使用组织单元
Specs:
- Hostname: orderer # 可以通过hostname设置多个orderer节点
SANS: #备用主机名
- localhost
# Hostname + Domain组成该orderer节点的完整域名
PeerOrgs: # 一个PeerOrgs设置多个peer组织
- Name: Org1 # peer组织的名称
Domain: org1.finance.com # peer组织的域名
EnableNodeOUs: true
Template: # 节点的数量
Count: 2
Users: # 用户的数量
Count: 2
- Name: Org2
Domain: org2.finance.com
EnableNodeOUs: true
Template:
Count: 1
Users:
Count: 2
另外,在PeerOrgs中可以给每个组织指定CA机构(把相关语句的注释去掉就可以了)。
1.3 生成证书
修改好配置文件之后,就可以使用如下命令生成加密材料。具体如下:
cryptogen genenrate --config=crypto-config.yaml --output="organizations"
命令执行成功会显示如下信息:
运行完之后会在当前文件夹下生成一个名为organizations的文件夹,该文件下保存的便是所有节点和组织的加密材料(可以使用tree命令查看这个文件夹的目录结构)。这些加密材料主要用于创建和管理Fabric网络的身份验证和加密。主要包括:
- 每个组织的根证书和私钥。每个组织将有一个唯一的“MSP ID”,用于标识其在网络中的身份。
- 每个组织的证书颁发机构(CA)的根证书和私钥。CA用于颁发和管理组织成员的证书和身份。
- 每个组织的每个peer节点生成证书和私钥,用于节点之间的通信和身份验证。
- 网络中的orderer节点的证书和私钥。
2 链码链接配置
链码链接配置(Chaincode Connection Profile, CCP)文件包含了与链码相关的连接信息和配置,包括网络的URL、TLS证书、通道、链码名称和版本等。如果步配置CCP文件,客户端应用程序可能无法找到或连接到目标链码,也就无法执行与链码相关的操作,如查询数据、提交交易等。
Fabric中需要给每个组织Org配置一个ccp文件,其存放位置在organizations/
可以从fabric-samples\test-network\organizations中拷贝出ccp-template.yaml和ccp-generate.sh文件并放到finance_network\organization\peerOrganizations下的两个目录下,具体如下:
#假设现在所在目录为finance_network下,fabric-sample的目录根据自己的情况进行调整
cp ~/go/src/github.com/hyperledger/fabric/scripts/test-network/organizations/ccp-template.yaml organizations/peerOrganizations/org1.finance.com/connection-org1.yaml
cp ~/go/src/github.com/hyperledger/fabric/scripts/test-network/organizations/ccp-template.yaml organizations/peerOrganizations/org2.finance.com/connection-org2.yaml
cp ~/go/src/github.com/hyperledger/fabric/scripts/test-network/organizations/ccp-generate.sh organizations/ccp-generate.sh
接着需要根据实际情况修改文件:connection-org1.yaml,connection-org2.yaml。由于组织Org1中有2个peer节点,而Org2中只有1个peer节点,现成的ccp-generate.sh文件无法完成这两个文件的生成。这里分两部进行操作:
- 第1步:手动完成
connection-org1.yaml,connection-org2.yaml文件中组织、节点及端口号等信息的填充。具体如下:
修改后的connection-org1.yaml
name: test-network-org1
version: 1.0.0
client:
organization: Org1
connection:
timeout:
peer:
edorser: '300'
organizations:
Org1: #设置Org1
mspid: Org1MSP
peers: #列出Org中的所有peer节点
- peer0.org1.finance.com
- peer1.org2.finance.com
certificateAuthorities:
- ca.org1.finance.com
peers:
peer0.org1.finance.com:
url: grpcs://localhost:7051 #指定peer0的端口号
tlsCACerts:
#将organizations/peerOrganizations/org1.finance.com/tlsca/tlsca.org1.finance.com-cert.pem中的内容复制到此处,还要注意缩进
pem: |
${PEERPEM}
grpcOptions:
ssl-target-name-override: peer0.org1.finance.com
hostnameOverride: peer0.org1.finance.com
peer1.org1.finance.com:
url: grpcs://localhost:8051 #peer节点的端口号不能一样
tlsCACerts:
#同上
pem: |
${PEERPEM}
grpcOptions:
ssl-target-name-override: peer1.org1.finance.com
hostnameOverride: peer1.org1.finance.com
certificateAuthorities:
ca.org1.finance.com:
url: https://localhost:7054
caName: ca-org1
tlsCACerts:
pem:
- |
${CAPEM}
httpOptions:
verify: false
修改后的connection-org2.yaml
name: test-network-org2
version: 1.0.0
client:
organization: Org2
connection:
timeout:
peer:
endorser: '300'
organizations:
Org2:
mspid: Org2MSP
peers:
- peer0.org2.finance.com
certificateAuthorities:
- ca.org2.finance.com
peers:
peer0.org2.finance.com:
url: grpcs://localhost:9051
tlsCACerts:
pem: |
${PEERPEM}
grpcOptions:
ssl-target-name-override: peer0.org2.finance.com
hostnameOverride: peer0.org2.finance.com
certificateAuthorities:
ca.org2.finance.com:
url: https://localhost:9054
caName: ca-org2
tlsCACerts:
pem:
- |
${CAPEM}
httpOptions:
verify: false
- 第2步:修改
ccp-generate.sh文件将TLS证书的信息插入进去。
#!/bin/bash
function one_line_pem {
echo "`awk 'NF {sub(/\\n/, ""); printf "%s\\\\\\\n",$0;}' $1`"
}
function yaml_ccp {
local PP=$(one_line_pem $1)
local CP=$(one_line_pem $2)
sed -e "s#\${PEERPEM}#$PP#" \
-e "s#\${CAPEM}#$CP#" \
$3 | sed -e $'s/\\\\n/\\\n /g'
}
PEERPEM=organizations/peerOrganizations/org1.finance.com/tlsca/tlsca.org1.finance.com-cert.pem
CAPEM=organizations/peerOrganizations/org1.finance.com/ca/ca.org1.finance.com-cert.pem
CONNECTION_FILE=organizations/peerOrganizations/org1.finance.com/connection-org1.yaml
echo "$(yaml_ccp $PEERPEM $CAPEM $CONNECTION_FILE)" > organizations/peerOrganizations/org1.finance.com/connection-org1.yaml
PEERPEM=organizations/peerOrganizations/org2.finance.com/tlsca/tlsca.org2.finance.com-cert.pem
CAPEM=organizations/peerOrganizations/org2.finance.com/ca/ca.org2.finance.com-cert.pem
CONNECTION_FILE=organizations/peerOrganizations/org2.finance.com/connection-org2.yaml
echo "$(yaml_ccp $PEERPEM $CAPEM $CONNECTION_FILE)" > organizations/peerOrganizations/org2.finance.com/connection-org2.yaml
接着执行如下命令即可生成ccp文件。
#先跳转到finance_network目录下,ccp-generate.sh文件在finance_network/organizations里
./organizations/ccp-generate.sh
关于ccp文件的配置有以下几点说明注意:
- 需要给每一个组织配置ccp文件。
- 该组织Org中的所有peer节点的信息都要设置。
3 启动docker容器
接下来使用docker-compose命令启动和管理docker容器。从fabric-samples/test-network/compose文件下的compose-test-net.yaml文件和docker\peercfg文件下的所有的内容复制到finance_network/compose文件夹下。具体操作如下:
#先使用cd命令跳转到~/go/src/finance_network下
#test-network的具体目录没有写全,根据自己的实际安装情况补全即可
mkdir compose
cd compose
cp fabric-samples/test-network/compose/compose-test-net.yaml compose.yaml
cp -r fabric-samples/test-network/compose/docker/peercfg docker/peercfg
cp fabric-samples/test-network/compose/docker/docker-compose-test-net.yaml docker/docker-compose.yaml
最后compose文件夹的目录如下:
这里compose\docker\core.yaml文件不需要修改,所以就不介绍了。先修改compose.yaml文件,具体如下:
# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#
version: '3.7'
volumes:
#所有的orderer节点和每个peer节点都需要设置
orderer.finance.com:
peer0.org1.finance.com:
peer1.org1.finance.com:
peer0.org2.finance.com:
networks:
test:
name: fabric_finance #这里可以根据自己的需要修改名称
services:
orderer.finance.com:
container_name: orderer.finance.com
image: hyperledger/fabric-orderer:latest
labels:
service: hyperledger-fabric
environment:
- FABRIC_LOGGING_SPEC=INFO
- ORDERER_GENERAL_LISTENADDRESS=0.0.0.0
- ORDERER_GENERAL_LISTENPORT=7050
- ORDERER_GENERAL_LOCALMSPID=OrdererMSP
- ORDERER_GENERAL_LOCALMSPDIR=/var/hyperledger/orderer/msp
# enabled TLS
- ORDERER_GENERAL_TLS_ENABLED=true
- ORDERER_GENERAL_TLS_PRIVATEKEY=/var/hyperledger/orderer/tls/server.key
- ORDERER_GENERAL_TLS_CERTIFICATE=/var/hyperledger/orderer/tls/server.crt
- ORDERER_GENERAL_TLS_ROOTCAS=[/var/hyperledger/orderer/tls/ca.crt]
- ORDERER_GENERAL_CLUSTER_CLIENTCERTIFICATE=/var/hyperledger/orderer/tls/server.crt
- ORDERER_GENERAL_CLUSTER_CLIENTPRIVATEKEY=/var/hyperledger/orderer/tls/server.key
- ORDERER_GENERAL_CLUSTER_ROOTCAS=[/var/hyperledger/orderer/tls/ca.crt]
- ORDERER_GENERAL_BOOTSTRAPMETHOD=none
- ORDERER_CHANNELPARTICIPATION_ENABLED=true
- ORDERER_ADMIN_TLS_ENABLED=true
- ORDERER_ADMIN_TLS_CERTIFICATE=/var/hyperledger/orderer/tls/server.crt
- ORDERER_ADMIN_TLS_PRIVATEKEY=/var/hyperledger/orderer/tls/server.key
- ORDERER_ADMIN_TLS_ROOTCAS=[/var/hyperledger/orderer/tls/ca.crt]
- ORDERER_ADMIN_TLS_CLIENTROOTCAS=[/var/hyperledger/orderer/tls/ca.crt]
#orderer节点的管理监听地址
- ORDERER_ADMIN_LISTENADDRESS=0.0.0.0:7053
#orderer节点的操作监听地址
- ORDERER_OPERATIONS_LISTENADDRESS=orderer.finance.com:9443
- ORDERER_METRICS_PROVIDER=prometheus
working_dir: /root
command: orderer
volumes:
#主要修改这一部分,注意相对路径
- ../organizations/ordererOrganizations/finance.com/orderers/orderer.finance.com/msp:/var/hyperledger/orderer/msp
- ../organizations/ordererOrganizations/finance.com/orderers/orderer.finance.com/tls/:/var/hyperledger/orderer/tls
- orderer.finance.com:/var/hyperledger/production/orderer
ports: #将容器的端口映射到主机上的端口
- 7050:7050
- 7053:7053
- 9443:9443
networks:
- test
peer0.org1.finance.com:
container_name: peer0.org1.finance.com
image: hyperledger/fabric-peer:latest
labels:
service: hyperledger-fabric
environment:
- FABRIC_CFG_PATH=/etc/hyperledger/peercfg
- FABRIC_LOGGING_SPEC=INFO
#- FABRIC_LOGGING_SPEC=DEBUG
- CORE_PEER_TLS_ENABLED=true
- CORE_PEER_PROFILE_ENABLED=false
- CORE_PEER_TLS_CERT_FILE=/etc/hyperledger/fabric/tls/server.crt
- CORE_PEER_TLS_KEY_FILE=/etc/hyperledger/fabric/tls/server.key
- CORE_PEER_TLS_ROOTCERT_FILE=/etc/hyperledger/fabric/tls/ca.crt
# Peer specific variables- 需要根据自己的情况修改
- CORE_PEER_ID=peer0.org1.finance.com
- CORE_PEER_ADDRESS=peer0.org1.finance.com:7051
- CORE_PEER_LISTENADDRESS=0.0.0.0:7051
- CORE_PEER_CHAINCODEADDRESS=peer0.org1.finance.com:7052
- CORE_PEER_CHAINCODELISTENADDRESS=0.0.0.0:7052
- CORE_PEER_GOSSIP_BOOTSTRAP=peer0.org1.finance.com:7051
- CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer0.org1.finance.com:7051
- CORE_PEER_LOCALMSPID=Org1MSP
- CORE_PEER_MSPCONFIGPATH=/etc/hyperledger/fabric/msp
- CORE_OPERATIONS_LISTENADDRESS=peer0.org1.finance.com:9444
- CORE_METRICS_PROVIDER=prometheus
- CHAINCODE_AS_A_SERVICE_BUILDER_CONFIG={"peername":"peer0org1"}
- CORE_CHAINCODE_EXECUTETIMEOUT=300s
volumes:
- ../organizations/peerOrganizations/org1.finance.com/peers/peer0.org1.finance.com:/etc/hyperledger/fabric
- peer0.org1.finance.com:/var/hyperledger/production
working_dir: /root
command: peer node start
ports:
- 7051:7051
- 9444:9444
networks:
- test
peer1.org1.finance.com:
container_name: peer1.org1.finance.com
image: hyperledger/fabric-peer:latest
labels:
service: hyperledger-fabric
environment:
- FABRIC_CFG_PATH=/etc/hyperledger/peercfg
- FABRIC_LOGGING_SPEC=INFO
#- FABRIC_LOGGING_SPEC=DEBUG
- CORE_PEER_TLS_ENABLED=true
- CORE_PEER_PROFILE_ENABLED=false
- CORE_PEER_TLS_CERT_FILE=/etc/hyperledger/fabric/tls/server.crt
- CORE_PEER_TLS_KEY_FILE=/etc/hyperledger/fabric/tls/server.key
- CORE_PEER_TLS_ROOTCERT_FILE=/etc/hyperledger/fabric/tls/ca.crt
# Peer specific variables- 需要根据自己的情况修改
- CORE_PEER_ID=peer1.org1.finance.com
- CORE_PEER_ADDRESS=peer1.org1.finance.com:8051
- CORE_PEER_LISTENADDRESS=0.0.0.0:8051
- CORE_PEER_CHAINCODEADDRESS=peer1.org1.finance.com:8052
- CORE_PEER_CHAINCODELISTENADDRESS=0.0.0.0:8052
- CORE_PEER_GOSSIP_BOOTSTRAP=peer1.org1.finance.com:8051
- CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer1.org1.finance.com:8051
- CORE_PEER_LOCALMSPID=Org1MSP
- CORE_PEER_MSPCONFIGPATH=/etc/hyperledger/fabric/msp
- CORE_OPERATIONS_LISTENADDRESS=peer1.org1.finance.com:9446
- CORE_METRICS_PROVIDER=prometheus
- CHAINCODE_AS_A_SERVICE_BUILDER_CONFIG={"peername":"peer1org1"}
- CORE_CHAINCODE_EXECUTETIMEOUT=300s
volumes:
- ../organizations/peerOrganizations/org1.finance.com/peers/peer0.org1.finance.com:/etc/hyperledger/fabric
- peer1.org1.finance.com:/var/hyperledger/production
working_dir: /root
command: peer node start
ports:
- 8051:8051
- 9446:9446
networks:
- test
peer0.org2.finance.com:
container_name: peer0.org2.finance.com
image: hyperledger/fabric-peer:latest
labels:
service: hyperledger-fabric
environment:
- FABRIC_CFG_PATH=/etc/hyperledger/peercfg
- FABRIC_LOGGING_SPEC=INFO
#- FABRIC_LOGGING_SPEC=DEBUG
- CORE_PEER_TLS_ENABLED=true
- CORE_PEER_PROFILE_ENABLED=false
- CORE_PEER_TLS_CERT_FILE=/etc/hyperledger/fabric/tls/server.crt
- CORE_PEER_TLS_KEY_FILE=/etc/hyperledger/fabric/tls/server.key
- CORE_PEER_TLS_ROOTCERT_FILE=/etc/hyperledger/fabric/tls/ca.crt
# Peer specific variables
- CORE_PEER_ID=peer0.org2.finance.com
- CORE_PEER_ADDRESS=peer0.org2.finance.com:9051
- CORE_PEER_LISTENADDRESS=0.0.0.0:9051
- CORE_PEER_CHAINCODEADDRESS=peer0.org2.finance.com:9052
- CORE_PEER_CHAINCODELISTENADDRESS=0.0.0.0:9052
- CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer0.org2.finance.com:9051
- CORE_PEER_GOSSIP_BOOTSTRAP=peer0.org2.finance.com:9051
- CORE_PEER_LOCALMSPID=Org2MSP
- CORE_PEER_MSPCONFIGPATH=/etc/hyperledger/fabric/msp
- CORE_OPERATIONS_LISTENADDRESS=peer0.org2.finance.com:9445
- CORE_METRICS_PROVIDER=prometheus
- CHAINCODE_AS_A_SERVICE_BUILDER_CONFIG={"peername":"peer0org2"}
- CORE_CHAINCODE_EXECUTETIMEOUT=300s
volumes:
- ../organizations/peerOrganizations/org2.finance.com/peers/peer0.org2.finance.com:/etc/hyperledger/fabric
- peer0.org2.finance.com:/var/hyperledger/production
working_dir: /root
command: peer node start
ports:
- 9051:9051
- 9445:9445
networks:
- test
cli:
container_name: cli
image: hyperledger/fabric-tools:latest
labels:
service: hyperledger-fabric
tty: true
stdin_open: true
environment:
- GOPATH=/opt/gopath
- FABRIC_LOGGING_SPEC=INFO
- FABRIC_CFG_PATH=/etc/hyperledger/peercfg
- CORE_PEER_TLS_ENABLED=true #这一句是新增的
#- FABRIC_LOGGING_SPEC=DEBUG
working_dir: /opt/gopath/src/github.com/hyperledger/fabric/peer
command: /bin/bash
volumes:
- ../channel-artifacts:/opt/gopath/src/github.com/hyperledger/fabric/peer/channel-artifacts #这一句是新增的
- ../organizations:/opt/gopath/src/github.com/hyperledger/fabric/peer/organizations
- ../scripts:/opt/gopath/src/github.com/hyperledger/fabric/peer/scripts/
depends_on:
- peer0.org1.finance.com
- peer1.org1.finance.com
- peer0.org2.finance.com
networks:
- test
修改docker-compose.yaml文件:
# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#
version: '3.7'
services:
peer0.org1.finance.com:
container_name: peer0.org1.finance.com
image: hyperledger/fabric-peer:latest
labels:
service: hyperledger-fabric
environment:
#Generic peer variables
- CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
- CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE=fabric_finance #这个网络名称要跟着compose.yaml文件中指定的名称一起修改
volumes:
- ./docker/peercfg:/etc/hyperledger/peercfg
- ${DOCKER_SOCK}:/host/var/run/docker.sock
peer1.org1.finance.com:
container_name: peer1.org1.finance.com
image: hyperledger/fabric-peer:latest
labels:
service: hyperledger-fabric
environment:
#Generic peer variables
- CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
- CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE=fabric_finance
volumes:
- ./docker/peercfg:/etc/hyperledger/peercfg
- ${DOCKER_SOCK}:/host/var/run/docker.sock
peer0.org2.finance.com:
container_name: peer0.org2.finance.com
image: hyperledger/fabric-peer:latest
labels:
service: hyperledger-fabric
environment:
#Generic peer variables
- CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
- CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE=fabric_finance
volumes:
- ./docker/peercfg:/etc/hyperledger/peercfg
- ${DOCKER_SOCK}:/host/var/run/docker.sock
cli:
container_name: cli
image: hyperledger/fabric-tools:latest
volumes:
- ./docker/peercfg:/etc/hyperledger/peercfg
接着使用如下命令创建docker容器:
#先进入finance_network/compose目录
sudo DOCKER_SOCK="/var/run/docker.sock" docker-compose -f compose.yaml -f docker/docker-compose.yaml up -d
结果如下:
接下来可以使用docker ps -a命令以及docker logs --details 查看容器有没有提示错误信息。
至此,Fabric上的自定义网络已经搭建完成。
参考资料
- https://hyperledger-fabric.readthedocs.io/en/latest/create_channel/create_channel_test_net.html
- https://blog.csdn.net/qq_28052455/article/details/125473299
- https://zhuanlan.zhihu.com/p/613633111
- https://blog.csdn.net/weixin_46878177/article/details/128700555