fabric-ca-server
却仍是二进制的方式启动,这会造成环境依赖的问题(如GLIBC库版本依赖),所以这里将fabric-ca-server也使用docker-compose启动,同样也是保证客户端和节点主机不在一个机器。假设客户端主机在192.168.2.195,在节点主机192.168.3.128部署1个orderer节点和1个peer节点,将fabric-ca-server也部署在192.168.2.195。（注意：CA 持有组织的根签名私钥，生产环境中应与管理员客户端主机隔离部署；这里 CA 与客户端同机只是为了演示方便。）
拉取 Fabric v2.2.0 相关的 docker 镜像（生产环境建议按镜像 digest 而不是仅按 tag 固定版本，并核对镜像来源）:
hyperledger/fabric-tools:2.2.0 # 包含二进制工具
hyperledger/fabric-peer:2.2.0 # 对等节点
hyperledger/fabric-orderer:2.2.0 # 排序节点
hyperledger/fabric-ccenv:2.2.0 # 合约运行环境
hyperledger/fabric-baseos:2.2.0 # 基础操作系统
hyperledger/fabric-nodeenv:2.2.0 # 提供node环境
hyperledger/fabric-javaenv:2.2.0 # 提供java环境
hyperledger/fabric-ca:1.4.7 # 身份认证和秘钥管理
节点主机192.168.3.128上需要的docker-compose
配置:
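# docker-compose for the node host (192.168.3.128): one Raft orderer and one peer.
# Service ports (7050/7051) are published on all host interfaces. The operations
# endpoints (17050/17051: health, metrics, log-level API) have no TLS/client-auth
# configured here, so they are published on 127.0.0.1 only.
# The unused named volumes of the original file were dropped: both services use
# bind mounts for MSP, TLS material and ledger data.
version: '2'

networks:
  dev:
    name: fabric_dev

services:
  orderer0.org1.example.com:
    container_name: orderer0.org1.example.com
    image: hyperledger/fabric-orderer:2.2.0
    environment:
      # DEBUG is very verbose and spills configuration/identity details into
      # the logs; switch to it only while troubleshooting.
      - FABRIC_LOGGING_SPEC=INFO
      - ORDERER_GENERAL_LISTENADDRESS=0.0.0.0
      - ORDERER_GENERAL_LISTENPORT=7050
      - ORDERER_GENERAL_GENESISMETHOD=file
      - ORDERER_GENERAL_GENESISFILE=/var/hyperledger/orderer/orderer.genesis.block
      - ORDERER_GENERAL_LOCALMSPID=OrdererOrg1MSP
      - ORDERER_GENERAL_LOCALMSPDIR=/var/hyperledger/orderer/msp
      # Operations endpoint: listens on all container interfaces, but see the
      # loopback-only port mapping below.
      - ORDERER_OPERATIONS_LISTENADDRESS=0.0.0.0:17050
      # TLS for client/peer connections (file names produced by the
      # "cp ... ca.crt / server.crt / server.key" step on the client host)
      - ORDERER_GENERAL_TLS_ENABLED=true
      - ORDERER_GENERAL_TLS_PRIVATEKEY=/var/hyperledger/orderer/tls/server.key
      - ORDERER_GENERAL_TLS_CERTIFICATE=/var/hyperledger/orderer/tls/server.crt
      - ORDERER_GENERAL_TLS_ROOTCAS=[/var/hyperledger/orderer/tls/ca.crt]
      # Raft cluster (orderer-to-orderer) TLS. Reuses the server cert/key, which
      # is what the EtcdRaft consenter entry in configtx.yaml references.
      # The ORDERER_KAFKA_* settings of the original file were removed: the
      # OrdererType is etcdraft, so they were never read.
      - ORDERER_GENERAL_CLUSTER_CLIENTCERTIFICATE=/var/hyperledger/orderer/tls/server.crt
      - ORDERER_GENERAL_CLUSTER_CLIENTPRIVATEKEY=/var/hyperledger/orderer/tls/server.key
      - ORDERER_GENERAL_CLUSTER_ROOTCAS=[/var/hyperledger/orderer/tls/ca.crt]
    working_dir: /opt/gopath/src/github.com/hyperledger/fabric
    command: orderer
    volumes:
      - /home/songzehao/fabric/config/system-genesis-block/genesis.block:/var/hyperledger/orderer/orderer.genesis.block
      - /home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/orderers/orderer0.org1.example.com/msp:/var/hyperledger/orderer/msp
      - /home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/orderers/orderer0.org1.example.com/tls/:/var/hyperledger/orderer/tls
      # Ledger data is written next to the node's msp/ and tls/ directories.
      - /home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/orderers/orderer0.org1.example.com:/var/hyperledger/production/orderer
    ports:
      - "7050:7050"
      - "127.0.0.1:17050:17050"
    networks:
      - dev

  peer0.org1.example.com:
    container_name: peer0.org1.example.com
    image: hyperledger/fabric-peer:2.2.0
    environment:
      # Generic peer variables
      # The peer drives the host Docker daemon to build and run chaincode
      # containers (the Fabric 2.2 default builder). Access to the Docker socket
      # is root-equivalent on the host: keep this host dedicated to the peer, or
      # move to an external chaincode builder / chaincode-as-a-service so the
      # socket does not need to be mounted at all.
      - CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
      - CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE=fabric_dev
      - FABRIC_LOGGING_SPEC=INFO
      - CORE_PEER_TLS_ENABLED=true
      - CORE_PEER_PROFILE_ENABLED=false
      - CORE_PEER_TLS_CERT_FILE=/etc/hyperledger/fabric/tls/server.crt
      - CORE_PEER_TLS_KEY_FILE=/etc/hyperledger/fabric/tls/server.key
      - CORE_PEER_TLS_ROOTCERT_FILE=/etc/hyperledger/fabric/tls/ca.crt
      # Peer specific variables
      - CORE_PEER_ID=peer0.org1.example.com
      # Listen on every interface, but advertise the host's routable address:
      # 0.0.0.0 is not an endpoint that clients or other peers can dial.
      - CORE_PEER_ADDRESS=192.168.3.128:7051
      - CORE_PEER_LISTENADDRESS=0.0.0.0:7051
      # Chaincode containers join the fabric_dev network and resolve the peer by
      # its container name, so they reach port 7052 without publishing it.
      - CORE_PEER_CHAINCODEADDRESS=peer0.org1.example.com:7052
      - CORE_PEER_CHAINCODELISTENADDRESS=0.0.0.0:7052
      # Single-peer org: bootstraps gossip against itself.
      - CORE_PEER_GOSSIP_BOOTSTRAP=192.168.3.128:7051
      - CORE_PEER_GOSSIP_EXTERNALENDPOINT=192.168.3.128:7051
      - CORE_PEER_LOCALMSPID=Org1MSP
      - CORE_OPERATIONS_LISTENADDRESS=0.0.0.0:17051
    volumes:
      - /var/run/docker.sock:/host/var/run/docker.sock
      - /home/songzehao/fabric/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp:/etc/hyperledger/fabric/msp
      - /home/songzehao/fabric/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls:/etc/hyperledger/fabric/tls
      - /home/songzehao/fabric/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com:/var/hyperledger/production
    working_dir: /opt/gopath/src/github.com/hyperledger/fabric/peer
    command: peer node start
    ports:
      - "7051:7051"
      - "127.0.0.1:17051:17051"
    networks:
      - dev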
fabric-ca-server主机192.168.2.195上需要的docker-compose
配置:
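# docker-compose for the CA host (192.168.2.195).
# File format 2.1 is required for the ${VAR:-default} substitution used below.
version: '2.1'

networks:
  dev:
    name: fabric_dev

services:
  ca_org1:
    container_name: ca_org1
    image: hyperledger/fabric-ca:1.4.7
    environment:
      - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
      - FABRIC_CA_SERVER_CA_NAME=ca-org1
      - FABRIC_CA_SERVER_TLS_ENABLED=true
      - FABRIC_CA_SERVER_PORT=7054
      # Operations endpoint (health/metrics) has no TLS configured here, so it
      # is only published on loopback below.
      - FABRIC_CA_SERVER_OPERATIONS_LISTENADDRESS=0.0.0.0:17054
    ports:
      - "7054:7054"
      - "127.0.0.1:17054:17054"
    # Bootstrap registrar. The default 'adminpw' keeps this walkthrough working
    # as written; set CA_ADMIN_PW (e.g. in a .env file next to this compose
    # file) for anything beyond a throwaway lab, and use the same value in the
    # registry.identities entry of fabric-ca-server-config.yaml and in the
    # admin enroll URL. The '-d' (debug) flag was dropped: the server config
    # already sets debug: false and debug output is noisy.
    command: sh -c 'fabric-ca-server start -b "admin:${CA_ADMIN_PW:-adminpw}"'
    volumes:
      # FABRIC_CA_HOME holds the CA signing key (msp/keystore/*), the auto-
      # generated TLS key and the sqlite registry. Keep the host directory
      # owner-only (chmod 700) and treat it as secret material when backing up.
      - /home/songzehao/fabric/fabric-ca-server/org1.example.com:/etc/hyperledger/fabric-ca-server
    networks:
      - dev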
# Working tree on the client host.
mkdir -p ~/fabric/organizations/ordererOrganizations \
         ~/fabric/organizations/peerOrganizations
# Fabric binaries are copied here and put on PATH later:
#   fabric-ca-server, fabric-ca-client, peer, configtxgen, configtxlator
mkdir -p ~/fabric/bin
# configtx.yaml lives here (this becomes FABRIC_CFG_PATH)
mkdir -p ~/fabric/config
mkdir -p ~/fabric/log
configtx.yaml
模板:
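# configtx.yaml: one orderer org (OrdererOrg1, etcdraft, single consenter) and
# one peer org (Org1). The role-qualified rules below (.peer / .client / .admin)
# rely on NodeOUs being enabled in each MSP's config.yaml, which this page does
# (client/peer/admin/orderer OUs taken from the --id.type used at registration).
Organizations:
  - &OrdererOrg1
    Name: OrdererOrg1
    SkipAsForeign: false
    ID: OrdererOrg1MSP
    MSPDir: /home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/msp
    Policies:
      Readers:
        Type: Signature
        Rule: "OR('OrdererOrg1MSP.member')"
      Writers:
        Type: Signature
        Rule: "OR('OrdererOrg1MSP.member')"
      Admins:
        Type: Signature
        Rule: "OR('OrdererOrg1MSP.admin')"
    # Must match the orderer's TLS SAN (--csr.hosts) and its published port.
    OrdererEndpoints:
      - "192.168.3.128:7050"

  - &Org1
    Name: Org1MSP
    SkipAsForeign: false
    ID: Org1MSP
    MSPDir: /home/songzehao/fabric/organizations/peerOrganizations/org1.example.com/msp
    Policies:
      Readers:
        Type: Signature
        Rule: "OR('Org1MSP.member')"
      # Transactions are submitted by admins and clients; a peer or orderer
      # certificate should not qualify as a writer.
      Writers:
        Type: Signature
        Rule: "OR('Org1MSP.admin', 'Org1MSP.client')"
      Admins:
        Type: Signature
        Rule: "OR('Org1MSP.admin')"
      # Endorsements must come from a peer identity. With '.member' any
      # certificate issued by the org's CA (e.g. user1's client cert) would
      # satisfy chaincode endorsement policies.
      Endorsement:
        Type: Signature
        Rule: "OR('Org1MSP.peer')"
    AnchorPeers:
      - Host: 192.168.3.128
        Port: 7051

Capabilities:
  Channel: &ChannelCapabilities
    V2_0: true
  Orderer: &OrdererCapabilities
    V2_0: true
  Application: &ApplicationCapabilities
    V2_0: true

Application: &ApplicationDefaults
  Organizations:
  Policies:
    LifecycleEndorsement:
      Type: ImplicitMeta
      Rule: "MAJORITY Endorsement"
    Endorsement:
      Type: ImplicitMeta
      Rule: "MAJORITY Endorsement"
    Readers:
      Type: ImplicitMeta
      Rule: "ANY Readers"
    Writers:
      Type: ImplicitMeta
      Rule: "ANY Writers"
    Admins:
      Type: ImplicitMeta
      Rule: "MAJORITY Admins"
  Capabilities:
    <<: *ApplicationCapabilities

Orderer: &OrdererDefaults
  OrdererType: etcdraft
  # Global address list, kept for compatibility; the per-org OrdererEndpoints
  # above is the preferred way to advertise orderers in Fabric 2.x.
  Addresses:
    - 192.168.3.128:7050
  EtcdRaft:
    Consenters:
      # Raft members authenticate each other with these TLS certs; they must be
      # the same files the orderer is started with (ORDERER_GENERAL_CLUSTER_*).
      - Host: 192.168.3.128
        Port: 7050
        ClientTLSCert: /home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/orderers/orderer0.org1.example.com/tls/server.crt
        ServerTLSCert: /home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/orderers/orderer0.org1.example.com/tls/server.crt
  BatchTimeout: 2s
  BatchSize:
    MaxMessageCount: 10
    AbsoluteMaxBytes: 99 MB
    PreferredMaxBytes: 521 KB
  MaxChannels: 0
  Organizations:
  Policies:
    Readers:
      Type: ImplicitMeta
      Rule: "ANY Readers"
    Writers:
      Type: ImplicitMeta
      Rule: "ANY Writers"
    Admins:
      Type: ImplicitMeta
      Rule: "MAJORITY Admins"
    # Block signatures are accepted from any orderer-org writer (standard).
    BlockValidation:
      Type: ImplicitMeta
      Rule: "ANY Writers"

Channel: &ChannelDefaults
  Policies:
    Readers:
      Type: ImplicitMeta
      Rule: "ANY Readers"
    Writers:
      Type: ImplicitMeta
      Rule: "ANY Writers"
    Admins:
      Type: ImplicitMeta
      Rule: "MAJORITY Admins"
  Capabilities:
    <<: *ChannelCapabilities

Profiles:
  # System-channel genesis block: configtxgen -profile OneOrgOrdererGenesis
  OneOrgOrdererGenesis:
    <<: *ChannelDefaults
    Orderer:
      <<: *OrdererDefaults
      Organizations:
        - *OrdererOrg1
      Capabilities:
        <<: *OrdererCapabilities
    Consortiums:
      SampleConsortium:
        Organizations:
          - *Org1
  # Application channel creation tx: configtxgen -profile Channel1
  Channel1:
    Consortium: SampleConsortium
    <<: *ChannelDefaults
    Application:
      <<: *ApplicationDefaults
      Organizations:
        - *Org1
      Capabilities:
        <<: *ApplicationCapabilities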
需要注意,一般情况下,多组织的fabric链下,每个组织有自己单独的fabric-ca-server,所以fabric-ca-client也是需要区分组织。虽然这里示例创建的链是单机构org1的,但是目录设计上最好也保证可以兼容多组织。如下:
# One server directory and one client home per organisation, so a second org
# (with its own CA) can be added without reshuffling paths.
for side in server client; do
  mkdir -p "/home/songzehao/fabric/fabric-ca-${side}/org1.example.com"
done
在对应组织的fabric-ca-server目录下,创建配置文件fabric-ca-server-config.yaml
:
vim /home/songzehao/fabric/fabric-ca-server/org1.example.com/fabric-ca-server-config.yaml
内容如下:
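# fabric-ca-server-config.yaml for org1's CA (ca-org1), listening on 7054.
# Keys left empty keep fabric-ca's defaults; in particular an empty tls.certfile
# makes the server generate a self-signed tls-cert.pem under FABRIC_CA_HOME at
# first start, and an empty ca.certfile/keyfile makes it generate the CA itself.
version: 1.2.0
port: 7054
# Keep false outside troubleshooting (and do not pass '-d' on the command line,
# which overrides this).
debug: false
crlsizelimit: 512000

tls:
  # TLS on the listening port; clients pin the CA cert with --tls.certfiles.
  enabled: true
  certfile:
  keyfile:
  clientauth:
    # Enrollment is authenticated with enrollment ID + secret, not client certs.
    type: noclientcert
    certfiles:

ca:
  name: ca-org1
  # Generated on first start (ca-cert.pem, msp/keystore/*). This key signs
  # every identity and TLS certificate in the org: keep the directory owner-
  # only and back it up as secret material.
  keyfile:
  certfile:
  chainfile:

crl:
  expiry: 24h

registry:
  # -1 lets an identity enroll (obtain new certificates) an unlimited number
  # of times with its secret. Bound it per identity with --id.maxenrollments at
  # registration, or set a positive value here, once the lab secrets below are
  # replaced.
  maxenrollments: -1
  identities:
    # Bootstrap registrar. Same credential as '-b admin:adminpw' in
    # docker-compose.yaml; keep the two in sync. It can register and revoke any
    # identity type and manage affiliations, so this value is for the lab only.
    - name: admin
      pass: "adminpw"
      type: client
      affiliation: ""
      attrs:
        hf.Registrar.Roles: "*"
        hf.Registrar.DelegateRoles: "*"
        hf.Revoker: true
        hf.IntermediateCA: true
        hf.GenCRL: true
        hf.Registrar.Attributes: "*"
        hf.AffiliationMgr: true

db:
  # Single-node sqlite registry inside FABRIC_CA_HOME (fabric-ca-server.db);
  # it stores enrollment secrets, so it inherits the directory's protection.
  type: sqlite3
  datasource: fabric-ca-server.db
  tls:
    enabled: false
    certfiles:
    client:
      certfile:
      keyfile:

ldap:
  enabled: false
  url: "ldap://:@:/"
  tls:
    certfiles:
    client:
      certfile:
      keyfile:
  attribute:
    names: ['uid', 'member']
    converters:
      - name:
        value:
    maps:
      groups:
        - name:
          value:

# This CA serves org1 only (each org runs its own CA, see the note above), so
# the org2 affiliation from the stock template is not defined here.
affiliations:
  org1:
    - department1
    - department2

signing:
  default:
    usage:
      - digital signature
    # Identity (MSP) certificates: one year.
    expiry: 8760h
  profiles:
    ca:
      usage:
        - cert sign
        - crl sign
      expiry: 43800h
      caconstraint:
        isca: true
        maxpathlen: 0
    # Used by "enroll --enrollment.profile tls" for peer/orderer TLS certs.
    tls:
      usage:
        - signing
        - key encipherment
        - server auth
        - client auth
        - key agreement
      expiry: 8760h

csr:
  cn: ca.org1.example.com
  names:
    - C: US
      ST: "North Carolina"
      L: "Durham"
      O: org1.example.com
      OU:
  # SANs for the server's own (auto-generated) TLS certificate: list every
  # address clients dial; the enroll/register commands use 192.168.2.195:7054.
  hosts:
    - 192.168.2.195
  ca:
    expiry: 131400h
    pathlength: 1

bccsp:
  default: SW
  sw:
    hash: SHA2
    security: 256
    filekeystore:
      # The directory used for the software file-based keystore
      keystore: msp/keystore

cacount:
cafiles:

intermediate:
  parentserver:
    url:
    caname:
  enrollment:
    hosts:
    profile:
    label:
  tls:
    certfiles:
    client:
      certfile:
      keyfile: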
最后还需要fabric-ca-server的docker-compose配置:
vim /home/songzehao/fabric/fabric-ca-server/org1.example.com/docker-compose.yaml
内容如下:
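# docker-compose for the CA host (192.168.2.195), placed next to
# fabric-ca-server-config.yaml in the CA's home directory.
# File format 2.1 is required for the ${VAR:-default} substitution used below.
version: '2.1'

networks:
  dev:
    name: fabric_dev

services:
  ca_org1:
    container_name: ca_org1
    image: hyperledger/fabric-ca:1.4.7
    environment:
      - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
      - FABRIC_CA_SERVER_CA_NAME=ca-org1
      - FABRIC_CA_SERVER_TLS_ENABLED=true
      - FABRIC_CA_SERVER_PORT=7054
      # Operations endpoint (health/metrics) has no TLS configured here, so it
      # is only published on loopback below.
      - FABRIC_CA_SERVER_OPERATIONS_LISTENADDRESS=0.0.0.0:17054
    ports:
      - "7054:7054"
      - "127.0.0.1:17054:17054"
    # Bootstrap registrar. The default 'adminpw' keeps this walkthrough working
    # as written; set CA_ADMIN_PW (e.g. in a .env file next to this compose
    # file) for anything beyond a throwaway lab, and use the same value in the
    # registry.identities entry of fabric-ca-server-config.yaml and in the
    # admin enroll URL. The '-d' (debug) flag was dropped: the server config
    # already sets debug: false and debug output is noisy.
    command: sh -c 'fabric-ca-server start -b "admin:${CA_ADMIN_PW:-adminpw}"'
    volumes:
      # FABRIC_CA_HOME holds the CA signing key (msp/keystore/*), the auto-
      # generated TLS key and the sqlite registry. Keep the host directory
      # owner-only (chmod 700) and treat it as secret material when backing up.
      - /home/songzehao/fabric/fabric-ca-server/org1.example.com:/etc/hyperledger/fabric-ca-server
    networks:
      - dev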
目录如下:
/home/songzehao/fabric
├── bin
│ ├── configtxgen
│ ├── configtxlator
│ ├── fabric-ca-client
│ ├── fabric-ca-server
│ └── peer
├── config
│ └── configtx.yaml
├── fabric-ca-client
│ └── org1.example.com
├── fabric-ca-server
│ └── org1.example.com
│ ├── docker-compose.yaml
│ └── fabric-ca-server-config.yaml
├── log
└── organizations
├── ordererOrganizations
└── peerOrganizations
10 directories, 8 files
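# Client-host environment: tool binaries, org1's fabric-ca-client home and the
# directory holding configtx.yaml (and, later, core.yaml).
export PATH=/home/songzehao/fabric/bin:$PATH
export FABRIC_CA_CLIENT_HOME=/home/songzehao/fabric/fabric-ca-client/org1.example.com
export FABRIC_CFG_PATH=/home/songzehao/fabric/config

# 启动: start the CA with the docker-compose.yaml written above.
cd /home/songzehao/fabric/fabric-ca-server/org1.example.com
docker-compose -f docker-compose.yaml up -d

# Enroll the bootstrap registrar into FABRIC_CA_CLIENT_HOME/msp.
# The secret travels inside the URL, so it ends up in shell history and in
# process listings; run this with a leading space under HISTCONTROL=ignorespace
# (or read the secret from a variable) and rotate it after bootstrap.
# --tls.certfiles pins the CA's own certificate as trust root for the HTTPS
# connection; the server's auto-generated tls-cert.pem verifies against it.
fabric-ca-client enroll -u https://admin:adminpw@192.168.2.195:7054 --caname ca-org1 --tls.certfiles ~/fabric/fabric-ca-server/org1.example.com/ca-cert.pem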
到这一步的目录如下:
/home/songzehao/fabric
├── bin
│ ├── configtxgen
│ ├── configtxlator
│ ├── fabric-ca-client
│ ├── fabric-ca-server
│ └── peer
├── config
│ └── configtx.yaml
├── fabric-ca-client
│ └── org1.example.com
│ ├── fabric-ca-client-config.yaml
│ └── msp
│ ├── cacerts
│ │ └── 192-168-2-195-7054-ca-org1.pem
│ ├── IssuerPublicKey
│ ├── IssuerRevocationPublicKey
│ ├── keystore
│ │ └── 229ebcbd9640fc514dac37ab161d8723c85c7b20a356a68c441c01073acb8d41_sk
│ ├── signcerts
│ │ └── cert.pem
│ └── user
├── fabric-ca-server
│ └── org1.example.com
│ ├── ca-cert.pem
│ ├── docker-compose.yaml
│ ├── fabric-ca-server-config.yaml
│ ├── fabric-ca-server.db
│ ├── IssuerPublicKey
│ ├── IssuerRevocationPublicKey
│ ├── msp
│ │ ├── cacerts
│ │ ├── keystore
│ │ │ ├── 76c048c240cbd23f81316caa2c2893cc522c994d5eab8ae3d460f4d79db210f9_sk
│ │ │ ├── eebdddecea02a8d62056965aba6954c7f9a9c1a645dc00eed0afc2565eef8278_sk
│ │ │ ├── IssuerRevocationPrivateKey
│ │ │ └── IssuerSecretKey
│ │ ├── signcerts
│ │ └── user
│ └── tls-cert.pem
├── log
└── organizations
├── ordererOrganizations
└── peerOrganizations
20 directories, 23 files
# Directory skeleton for org1's peer org and orderer org (org-level MSP plus
# one node directory each).
mkdir -p ~/fabric/organizations/peerOrganizations/org1.example.com/msp \
         ~/fabric/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com \
         ~/fabric/organizations/ordererOrganizations/org1.example.com/msp \
         ~/fabric/organizations/ordererOrganizations/org1.example.com/orderers/orderer0.org1.example.com

# NodeOUs config.yaml, staged in the CA directory and later copied into every
# MSP of the org. 'Certificate' is relative to the MSP directory and names the
# CA cert as fabric-ca-client stores it (<host>-<port>-<caname>.pem); the
# OrganizationalUnitIdentifier values are the --id.type values used when the
# identities are registered (client / peer / admin / orderer).
cat > /home/songzehao/fabric/fabric-ca-server/org1.example.com/config.yaml <<'EOF'
NodeOUs:
  Enable: true
  ClientOUIdentifier:
    Certificate: cacerts/192-168-2-195-7054-ca-org1.pem
    OrganizationalUnitIdentifier: client
  PeerOUIdentifier:
    Certificate: cacerts/192-168-2-195-7054-ca-org1.pem
    OrganizationalUnitIdentifier: peer
  AdminOUIdentifier:
    Certificate: cacerts/192-168-2-195-7054-ca-org1.pem
    OrganizationalUnitIdentifier: admin
  OrdererOUIdentifier:
    Certificate: cacerts/192-168-2-195-7054-ca-org1.pem
    OrganizationalUnitIdentifier: orderer
EOF
并拷贝org1的ca证书到org1的/msp/tlscacerts、/tlsca和/ca目录:
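ORG1=/home/songzehao/fabric/organizations/peerOrganizations/org1.example.com
CA_CERT=/home/songzehao/fabric/fabric-ca-server/org1.example.com/ca-cert.pem

# Org-level CA material. The identity CA cert doubles as the TLS CA cert
# because this walkthrough uses a single fabric-ca for both identity and TLS
# enrollment; in production prefer a separate TLS CA so that a TLS key
# compromise is not also an identity-CA compromise.
mkdir -p "$ORG1/msp/tlscacerts" "$ORG1/tlsca" "$ORG1/ca"
cp "$CA_CERT" "$ORG1/msp/tlscacerts/ca.crt"
cp "$CA_CERT" "$ORG1/tlsca/tlsca.org1.example.com-cert.pem"
cp "$CA_CERT" "$ORG1/ca/ca.org1.example.com-cert.pem"

# Register identities. --id.type becomes the certificate OU (peer / client /
# admin) that the NodeOU rules in config.yaml and the configtx policies key
# off. The secrets are one-time enrollment secrets for this lab only.
fabric-ca-client register --caname ca-org1 --id.name peer0 --id.secret peer0pw --id.type peer --tls.certfiles "$CA_CERT"
fabric-ca-client register --caname ca-org1 --id.name user1 --id.secret user1pw --id.type client --tls.certfiles "$CA_CERT"
fabric-ca-client register --caname ca-org1 --id.name org1admin --id.secret org1adminpw --id.type admin --tls.certfiles "$CA_CERT"

# peer0 local MSP (signing identity).
fabric-ca-client enroll -u https://peer0:peer0pw@192.168.2.195:7054 --caname ca-org1 -M "$ORG1/peers/peer0.org1.example.com/msp" --tls.certfiles "$CA_CERT"

# 并拷贝该组织的msp配置文件到peer0节点目录下 (NodeOUs config for the org MSP and the peer MSP).
cp /home/songzehao/fabric/fabric-ca-server/org1.example.com/config.yaml "$ORG1/msp/config.yaml"
cp "$ORG1/msp/config.yaml" "$ORG1/peers/peer0.org1.example.com/msp/config.yaml"

# peer0 TLS identity. --csr.hosts must contain the address clients dial
# (the node host IP), otherwise TLS hostname verification fails.
fabric-ca-client enroll -u https://peer0:peer0pw@192.168.2.195:7054 --caname ca-org1 -M "$ORG1/peers/peer0.org1.example.com/tls" --enrollment.profile tls --csr.hosts 192.168.3.128 --tls.certfiles "$CA_CERT"
# Rename to the file names the peer's compose environment references
# (CORE_PEER_TLS_ROOTCERT_FILE / CERT_FILE / KEY_FILE). cp does not preserve
# the keystore's owner-only mode, so re-apply it on the private key.
PEER0_TLS=$ORG1/peers/peer0.org1.example.com/tls
cp "$PEER0_TLS"/tlscacerts/* "$PEER0_TLS/ca.crt"
cp "$PEER0_TLS"/signcerts/* "$PEER0_TLS/server.crt"
cp "$PEER0_TLS"/keystore/* "$PEER0_TLS/server.key"
chmod 600 "$PEER0_TLS/server.key"

# user1 (client) and org1admin (admin) MSPs. The directory names follow the
# Fabric sample convention; whatever names are used, CORE_PEER_MSPCONFIGPATH on
# the client host must later point at the admin one.
fabric-ca-client enroll -u https://user1:user1pw@192.168.2.195:7054 --caname ca-org1 -M "$ORG1/users/User1@org1.example.com/msp" --tls.certfiles "$CA_CERT"
cp "$ORG1/msp/config.yaml" "$ORG1/users/User1@org1.example.com/msp/config.yaml"
fabric-ca-client enroll -u https://org1admin:org1adminpw@192.168.2.195:7054 --caname ca-org1 -M "$ORG1/users/Admin@org1.example.com/msp" --tls.certfiles "$CA_CERT"
cp "$ORG1/msp/config.yaml" "$ORG1/users/Admin@org1.example.com/msp/config.yaml"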
在ordererOrganizations/org1.example.com/msp目录下,创建tlscacerts子目录:
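ORDORG=/home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com
ORD0=$ORDORG/orderers/orderer0.org1.example.com
CA_CERT=/home/songzehao/fabric/fabric-ca-server/org1.example.com/ca-cert.pem

# 拷贝组织的ca证书到 msp/tlscacerts 和 tlsca 子目录 (same single-CA caveat as
# for the peer org: the identity CA cert is reused as TLS CA cert).
mkdir -p "$ORDORG/msp/tlscacerts" "$ORDORG/tlsca"
cp "$CA_CERT" "$ORDORG/msp/tlscacerts/tlsca.org1.example.com-cert.pem"
cp "$CA_CERT" "$ORDORG/tlsca/tlsca.org1.example.com-cert.pem"

# Register orderer0 (OU=orderer) and the orderer-org admin (OU=admin).
# Lab-only enrollment secrets.
fabric-ca-client register --caname ca-org1 --id.name orderer0 --id.secret orderer0pw --id.type orderer --tls.certfiles "$CA_CERT"
fabric-ca-client register --caname ca-org1 --id.name ordererOrg1Admin --id.secret ordererOrg1Adminpw --id.type admin --tls.certfiles "$CA_CERT"

# orderer0 local MSP (signing identity).
fabric-ca-client enroll -u https://orderer0:orderer0pw@192.168.2.195:7054 --caname ca-org1 -M "$ORD0/msp" --tls.certfiles "$CA_CERT"
# 并拷贝msp配置文件到orderer0节点目录下 (NodeOUs config for the org MSP and the node MSP).
cp /home/songzehao/fabric/fabric-ca-server/org1.example.com/config.yaml "$ORDORG/msp/config.yaml"
cp "$ORDORG/msp/config.yaml" "$ORD0/msp/config.yaml"

# orderer0 TLS identity. --csr.hosts must be the address listed in
# OrdererEndpoints / Orderer.Addresses of configtx.yaml.
fabric-ca-client enroll -u https://orderer0:orderer0pw@192.168.2.195:7054 --caname ca-org1 -M "$ORD0/tls" --enrollment.profile tls --csr.hosts 192.168.3.128 --tls.certfiles "$CA_CERT"
# Rename to the file names the orderer's compose environment references
# (ORDERER_GENERAL_TLS_* and ORDERER_GENERAL_CLUSTER_*: ca.crt, server.crt,
# server.key). cp does not preserve the keystore's owner-only mode, so
# re-apply it on the private key.
cp "$ORD0"/tls/tlscacerts/* "$ORD0/tls/ca.crt"
cp "$ORD0"/tls/signcerts/* "$ORD0/tls/server.crt"
cp "$ORD0"/tls/keystore/* "$ORD0/tls/server.key"
chmod 600 "$ORD0/tls/server.key"

# 拷贝该tlsca证书到orderer0节点目录下msp/tlscacerts目录.
mkdir -p "$ORD0/msp/tlscacerts"
cp "$ORD0"/tls/tlscacerts/* "$ORD0/msp/tlscacerts/tlsca.org1.example.com-cert.pem"

# Orderer-org admin MSP (Fabric sample naming; any name works as long as it is
# used consistently).
fabric-ca-client enroll -u https://ordererOrg1Admin:ordererOrg1Adminpw@192.168.2.195:7054 --caname ca-org1 -M "$ORDORG/users/Admin@org1.example.com/msp" --tls.certfiles "$CA_CERT"
# 拷贝msp配置文件到管理员的msp目录下.
cp "$ORDORG/msp/config.yaml" "$ORDORG/users/Admin@org1.example.com/msp/config.yaml"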
走到这一步,组织目录下msp/只有tlscacerts目录,缺少cacert:
/home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/msp/
├── config.yaml
└── tlscacerts
└── tlsca.org1.example.com-cert.pem
1 directory, 2 files
所以先将orderer0的msp目录下的cacert,即~/fabric/organizations/ordererOrganizations/org1.example.com/orderers/orderer0.org1.example.com/msp/cacerts/
放到~/fabric/organizations/ordererOrganizations/org1.example.com/msp/cacerts/
,顺带给peer0也一起处理:
# The org-level MSPs still lack cacerts/ (the identity CA cert), which
# configtxgen needs to build the channel MSPs. Take it from the node MSPs
# enrolled above; both were issued by the same ca-org1.
ORDORG=/home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com
PEERORG=/home/songzehao/fabric/organizations/peerOrganizations/org1.example.com
cp -r "$ORDORG/orderers/orderer0.org1.example.com/msp/cacerts" "$ORDORG/msp"
cp -r "$PEERORG/peers/peer0.org1.example.com/msp/cacerts" "$PEERORG/msp"
更改configtx.yaml
:
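# configtx.yaml: one orderer org (OrdererOrg1, etcdraft, single consenter) and
# one peer org (Org1). The role-qualified rules below (.peer / .client / .admin)
# rely on NodeOUs being enabled in each MSP's config.yaml, which this page does
# (client/peer/admin/orderer OUs taken from the --id.type used at registration).
Organizations:
  - &OrdererOrg1
    Name: OrdererOrg1
    SkipAsForeign: false
    ID: OrdererOrg1MSP
    MSPDir: /home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/msp
    Policies:
      Readers:
        Type: Signature
        Rule: "OR('OrdererOrg1MSP.member')"
      Writers:
        Type: Signature
        Rule: "OR('OrdererOrg1MSP.member')"
      Admins:
        Type: Signature
        Rule: "OR('OrdererOrg1MSP.admin')"
    # Must match the orderer's TLS SAN (--csr.hosts) and its published port.
    OrdererEndpoints:
      - "192.168.3.128:7050"

  - &Org1
    Name: Org1MSP
    SkipAsForeign: false
    ID: Org1MSP
    MSPDir: /home/songzehao/fabric/organizations/peerOrganizations/org1.example.com/msp
    Policies:
      Readers:
        Type: Signature
        Rule: "OR('Org1MSP.member')"
      # Transactions are submitted by admins and clients; a peer or orderer
      # certificate should not qualify as a writer.
      Writers:
        Type: Signature
        Rule: "OR('Org1MSP.admin', 'Org1MSP.client')"
      Admins:
        Type: Signature
        Rule: "OR('Org1MSP.admin')"
      # Endorsements must come from a peer identity. With '.member' any
      # certificate issued by the org's CA (e.g. user1's client cert) would
      # satisfy chaincode endorsement policies.
      Endorsement:
        Type: Signature
        Rule: "OR('Org1MSP.peer')"
    AnchorPeers:
      - Host: 192.168.3.128
        Port: 7051

Capabilities:
  Channel: &ChannelCapabilities
    V2_0: true
  Orderer: &OrdererCapabilities
    V2_0: true
  Application: &ApplicationCapabilities
    V2_0: true

Application: &ApplicationDefaults
  Organizations:
  Policies:
    LifecycleEndorsement:
      Type: ImplicitMeta
      Rule: "MAJORITY Endorsement"
    Endorsement:
      Type: ImplicitMeta
      Rule: "MAJORITY Endorsement"
    Readers:
      Type: ImplicitMeta
      Rule: "ANY Readers"
    Writers:
      Type: ImplicitMeta
      Rule: "ANY Writers"
    Admins:
      Type: ImplicitMeta
      Rule: "MAJORITY Admins"
  Capabilities:
    <<: *ApplicationCapabilities

Orderer: &OrdererDefaults
  OrdererType: etcdraft
  # Global address list, kept for compatibility; the per-org OrdererEndpoints
  # above is the preferred way to advertise orderers in Fabric 2.x.
  Addresses:
    - 192.168.3.128:7050
  EtcdRaft:
    Consenters:
      # Raft members authenticate each other with these TLS certs; they must be
      # the same files the orderer is started with (ORDERER_GENERAL_CLUSTER_*).
      - Host: 192.168.3.128
        Port: 7050
        ClientTLSCert: /home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/orderers/orderer0.org1.example.com/tls/server.crt
        ServerTLSCert: /home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/orderers/orderer0.org1.example.com/tls/server.crt
  BatchTimeout: 2s
  BatchSize:
    MaxMessageCount: 10
    AbsoluteMaxBytes: 99 MB
    PreferredMaxBytes: 521 KB
  MaxChannels: 0
  Organizations:
  Policies:
    Readers:
      Type: ImplicitMeta
      Rule: "ANY Readers"
    Writers:
      Type: ImplicitMeta
      Rule: "ANY Writers"
    Admins:
      Type: ImplicitMeta
      Rule: "MAJORITY Admins"
    # Block signatures are accepted from any orderer-org writer (standard).
    BlockValidation:
      Type: ImplicitMeta
      Rule: "ANY Writers"

Channel: &ChannelDefaults
  Policies:
    Readers:
      Type: ImplicitMeta
      Rule: "ANY Readers"
    Writers:
      Type: ImplicitMeta
      Rule: "ANY Writers"
    Admins:
      Type: ImplicitMeta
      Rule: "MAJORITY Admins"
  Capabilities:
    <<: *ChannelCapabilities

Profiles:
  # System-channel genesis block: configtxgen -profile OneOrgOrdererGenesis
  OneOrgOrdererGenesis:
    <<: *ChannelDefaults
    Orderer:
      <<: *OrdererDefaults
      Organizations:
        - *OrdererOrg1
      Capabilities:
        <<: *OrdererCapabilities
    Consortiums:
      SampleConsortium:
        Organizations:
          - *Org1
  # Application channel creation tx: configtxgen -profile Channel1
  Channel1:
    Consortium: SampleConsortium
    <<: *ChannelDefaults
    Application:
      <<: *ApplicationDefaults
      Organizations:
        - *Org1
      Capabilities:
        <<: *ApplicationCapabilities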
创建创世块:
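# 创建创世块 (on the client host; FABRIC_CFG_PATH points at configtx.yaml).
mkdir -p /home/songzehao/fabric/config/system-genesis-block
configtxgen -profile OneOrgOrdererGenesis -channelID system-channel -outputBlock /home/songzehao/fabric/config/system-genesis-block/genesis.block

# 从客户端主机传送peer组织目录到peer0节点主机.
# Ship only what the peer container mounts: peers/peer0.org1.example.com
# (its msp/ and tls/). The org directory also holds users/*/msp/keystore,
# i.e. the admin's and user1's private keys, which the node host does not
# need and should not store. The remote directory is created first so that
# scp lands the peer directory at the path docker-compose.yaml expects.
NODE=songzehao@192.168.3.128
ssh "$NODE" mkdir -p /home/songzehao/fabric/organizations/peerOrganizations/org1.example.com/peers
scp -r /home/songzehao/fabric/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com "$NODE":/home/songzehao/fabric/organizations/peerOrganizations/org1.example.com/peers/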
调整docker-compose.yaml
中peer0相关的部分:
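# docker-compose for the node host (192.168.3.128), peer0 part.
# Port 7051 is published on all host interfaces; the operations endpoint
# (17051: health, metrics, log-level API) has no TLS/client-auth configured,
# so it is published on 127.0.0.1 only. The unused named volumes of the
# original file were dropped (everything is bind-mounted).
version: '2'

networks:
  dev:
    name: fabric_dev

services:
  peer0.org1.example.com:
    container_name: peer0.org1.example.com
    image: hyperledger/fabric-peer:2.2.0
    environment:
      # Generic peer variables
      # The peer drives the host Docker daemon to build and run chaincode
      # containers (the Fabric 2.2 default builder). Access to the Docker socket
      # is root-equivalent on the host: keep this host dedicated to the peer, or
      # move to an external chaincode builder / chaincode-as-a-service so the
      # socket does not need to be mounted at all.
      - CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
      - CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE=fabric_dev
      # DEBUG is very verbose and spills configuration/identity details into
      # the logs; switch to it only while troubleshooting.
      - FABRIC_LOGGING_SPEC=INFO
      - CORE_PEER_TLS_ENABLED=true
      - CORE_PEER_PROFILE_ENABLED=false
      - CORE_PEER_TLS_CERT_FILE=/etc/hyperledger/fabric/tls/server.crt
      - CORE_PEER_TLS_KEY_FILE=/etc/hyperledger/fabric/tls/server.key
      - CORE_PEER_TLS_ROOTCERT_FILE=/etc/hyperledger/fabric/tls/ca.crt
      # Peer specific variables
      - CORE_PEER_ID=peer0.org1.example.com
      # Listen on every interface, but advertise the host's routable address:
      # 0.0.0.0 is not an endpoint that clients or other peers can dial.
      - CORE_PEER_ADDRESS=192.168.3.128:7051
      - CORE_PEER_LISTENADDRESS=0.0.0.0:7051
      # Chaincode containers join the fabric_dev network and resolve the peer by
      # its container name, so they reach port 7052 without publishing it.
      - CORE_PEER_CHAINCODEADDRESS=peer0.org1.example.com:7052
      - CORE_PEER_CHAINCODELISTENADDRESS=0.0.0.0:7052
      # Single-peer org: bootstraps gossip against itself.
      - CORE_PEER_GOSSIP_BOOTSTRAP=192.168.3.128:7051
      - CORE_PEER_GOSSIP_EXTERNALENDPOINT=192.168.3.128:7051
      - CORE_PEER_LOCALMSPID=Org1MSP
      - CORE_OPERATIONS_LISTENADDRESS=0.0.0.0:17051
    volumes:
      - /var/run/docker.sock:/host/var/run/docker.sock
      - /home/songzehao/fabric/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp:/etc/hyperledger/fabric/msp
      - /home/songzehao/fabric/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls:/etc/hyperledger/fabric/tls
      # Ledger data is written next to the node's msp/ and tls/ directories.
      - /home/songzehao/fabric/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com:/var/hyperledger/production
    working_dir: /opt/gopath/src/github.com/hyperledger/fabric/peer
    command: peer node start
    ports:
      - "7051:7051"
      - "127.0.0.1:17051:17051"
    networks:
      - dev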
在节点主机创建同样的链组织节点目录。
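# 从客户端主机传送orderer组织目录和创世块到orderer0节点主机.
# Ship only what the orderer container mounts: orderers/orderer0.org1.example.com
# (its msp/ and tls/) plus the genesis block. The org directory also holds the
# orderer-org admin's private key (users/*/msp/keystore), which the node host
# does not need. Remote directories are created first so that scp lands the
# files at the paths docker-compose.yaml expects.
NODE=songzehao@192.168.3.128
ssh "$NODE" mkdir -p /home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/orderers /home/songzehao/fabric/config/system-genesis-block
scp -r /home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/orderers/orderer0.org1.example.com "$NODE":/home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/orderers/
scp /home/songzehao/fabric/config/system-genesis-block/genesis.block "$NODE":/home/songzehao/fabric/config/system-genesis-block/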
调整docker-compose.yaml
中orderer0相关的部分:
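# docker-compose for the node host (192.168.3.128), orderer0 part.
# Port 7050 is published on all host interfaces; the operations endpoint
# (17050: health, metrics, log-level API) has no TLS/client-auth configured,
# so it is published on 127.0.0.1 only. The unused named volumes of the
# original file were dropped (everything is bind-mounted).
version: '2'

networks:
  dev:
    name: fabric_dev

services:
  orderer0.org1.example.com:
    container_name: orderer0.org1.example.com
    image: hyperledger/fabric-orderer:2.2.0
    environment:
      # DEBUG is very verbose and spills configuration/identity details into
      # the logs; switch to it only while troubleshooting.
      - FABRIC_LOGGING_SPEC=INFO
      - ORDERER_GENERAL_LISTENADDRESS=0.0.0.0
      - ORDERER_GENERAL_LISTENPORT=7050
      - ORDERER_GENERAL_GENESISMETHOD=file
      - ORDERER_GENERAL_GENESISFILE=/var/hyperledger/orderer/orderer.genesis.block
      - ORDERER_GENERAL_LOCALMSPID=OrdererOrg1MSP
      - ORDERER_GENERAL_LOCALMSPDIR=/var/hyperledger/orderer/msp
      # Operations endpoint: listens on all container interfaces, but see the
      # loopback-only port mapping below.
      - ORDERER_OPERATIONS_LISTENADDRESS=0.0.0.0:17050
      # TLS for client/peer connections (file names produced by the
      # "cp ... ca.crt / server.crt / server.key" step on the client host)
      - ORDERER_GENERAL_TLS_ENABLED=true
      - ORDERER_GENERAL_TLS_PRIVATEKEY=/var/hyperledger/orderer/tls/server.key
      - ORDERER_GENERAL_TLS_CERTIFICATE=/var/hyperledger/orderer/tls/server.crt
      - ORDERER_GENERAL_TLS_ROOTCAS=[/var/hyperledger/orderer/tls/ca.crt]
      # Raft cluster (orderer-to-orderer) TLS. Reuses the server cert/key, which
      # is what the EtcdRaft consenter entry in configtx.yaml references.
      # The ORDERER_KAFKA_* settings of the original file were removed: the
      # OrdererType is etcdraft, so they were never read.
      - ORDERER_GENERAL_CLUSTER_CLIENTCERTIFICATE=/var/hyperledger/orderer/tls/server.crt
      - ORDERER_GENERAL_CLUSTER_CLIENTPRIVATEKEY=/var/hyperledger/orderer/tls/server.key
      - ORDERER_GENERAL_CLUSTER_ROOTCAS=[/var/hyperledger/orderer/tls/ca.crt]
    working_dir: /opt/gopath/src/github.com/hyperledger/fabric
    command: orderer
    volumes:
      - /home/songzehao/fabric/config/system-genesis-block/genesis.block:/var/hyperledger/orderer/orderer.genesis.block
      - /home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/orderers/orderer0.org1.example.com/msp:/var/hyperledger/orderer/msp
      - /home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/orderers/orderer0.org1.example.com/tls/:/var/hyperledger/orderer/tls
      # Ledger data is written next to the node's msp/ and tls/ directories.
      - /home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/orderers/orderer0.org1.example.com:/var/hyperledger/production/orderer
    ports:
      - "7050:7050"
      - "127.0.0.1:17050:17050"
    networks:
      - dev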
客户端传送docker-compose.yaml到节点主机之后,节点主机启动节点:
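# On the node host, after docker-compose.yaml has been copied there:
docker-compose -f docker-compose.yaml up -d

# On the client host: channel creation transaction for channel1. configtxgen
# does not create the output directory, so create it first.
mkdir -p /home/songzehao/fabric/config/channel-artifacts
configtxgen -profile Channel1 -outputCreateChannelTx /home/songzehao/fabric/config/channel-artifacts/channel1.tx -channelID channel1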
首先需要在客户端主机配置peer0相关环境变量:
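# Client-host peer CLI environment targeting peer0.
# Channel creation and join are admin operations (Channel Admins policy and
# the peer's local MSP admins), so the MSP must be the org admin's
# (Admin@org1.example.com as enrolled above), not user1's.
# CORE_PEER_TLS_ROOTCERT_FILE is the trust root used to verify peer0's TLS
# server certificate; it is the CA cert copied to tls/ca.crt earlier.
export CORE_PEER_TLS_ENABLED=true
export CORE_PEER_LOCALMSPID="Org1MSP"
export CORE_PEER_TLS_ROOTCERT_FILE=/home/songzehao/fabric/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt
export CORE_PEER_MSPCONFIGPATH=/home/songzehao/fabric/organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp
export CORE_PEER_ADDRESS=192.168.3.128:7051
export CORE_PEER_GOSSIP_EXTERNALENDPOINT=192.168.3.128:7051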
【注意】:客户端主机也需要一份core.yaml,peer客户端命令才能成功执行。
再创建channel1区块:
# Create channel1 via the orderer; --cafile is the orderer org's TLS CA cert, so the orderer's
# TLS certificate is verified rather than accepted blindly. The channel genesis block goes to --outputBlock.
peer channel create -o 192.168.3.128:7050 -c channel1 -f /home/songzehao/fabric/config/channel-artifacts/channel1.tx --outputBlock /home/songzehao/fabric/config/channel-artifacts/channel1.block --tls --cafile /home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/orderers/orderer0.org1.example.com/msp/tlscacerts/tlsca.org1.example.com-cert.pem
# Join the peer selected by CORE_PEER_ADDRESS to the channel using that block.
peer channel join -b /home/songzehao/fabric/config/channel-artifacts/channel1.block
# Fetch the current config block; it is the base for the anchor-peer update computed below.
peer channel fetch config /home/songzehao/fabric/config/channel-artifacts/config_block.pb -o 192.168.3.128:7050 -c channel1 --tls --cafile /home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/orderers/orderer0.org1.example.com/msp/tlscacerts/tlsca.org1.example.com-cert.pem
将protobuf序列化(编码)后的.pb配置文件转化为.json格式:
# Decode the fetched config block (protobuf common.Block) to JSON so it can be edited with jq.
configtxlator proto_decode --input /home/songzehao/fabric/config/channel-artifacts/config_block.pb --type common.Block --output /home/songzehao/fabric/config/channel-artifacts/config_block.json
抽取配置部分的json,得到原始配置:
# Pull only the config section out of the block envelope; this is the "original" config.
jq .data.data[0].payload.data.config /home/songzehao/fabric/config/channel-artifacts/config_block.json > /home/songzehao/fabric/config/channel-artifacts/Org1MSPconfig.json
进一步将锚节点peer0的信息追加到Org1MSP的values部分,得到更改后的配置:
# Add peer0 (192.168.3.128:7051) as Org1MSP's anchor peer. mod_policy "Admins" means only
# Org1 admins may change this value later.
jq '.channel_group.groups.Application.groups.Org1MSP.values += {"AnchorPeers":{"mod_policy": "Admins","value":{"anchor_peers": [{"host": "192.168.3.128","port": 7051}]},"version": "0"}}' /home/songzehao/fabric/config/channel-artifacts/Org1MSPconfig.json > /home/songzehao/fabric/config/channel-artifacts/Org1MSPmodified_config.json
protobuf编码原始配置:
# Re-encode the unmodified config (common.Config) for the diff.
configtxlator proto_encode --input /home/songzehao/fabric/config/channel-artifacts/Org1MSPconfig.json --type common.Config --output /home/songzehao/fabric/config/channel-artifacts/original_config.pb
protobuf编码更改后配置:
# Encode the modified config (with AnchorPeers) for the diff.
configtxlator proto_encode --input /home/songzehao/fabric/config/channel-artifacts/Org1MSPmodified_config.json --type common.Config --output /home/songzehao/fabric/config/channel-artifacts/modified_config.pb
计算更改前后的配置差异,得到.pb格式的差异配置:
# Compute the config delta between original and modified; only the delta is submitted to the channel.
configtxlator compute_update --channel_id channel1 --original /home/songzehao/fabric/config/channel-artifacts/original_config.pb --updated /home/songzehao/fabric/config/channel-artifacts/modified_config.pb --output /home/songzehao/fabric/config/channel-artifacts/config_update.pb
将差异配置由protobuf解码为.json格式:
# Decode the delta (common.ConfigUpdate) to JSON so it can be wrapped in an envelope.
configtxlator proto_decode --input /home/songzehao/fabric/config/channel-artifacts/config_update.pb --type common.ConfigUpdate --output /home/songzehao/fabric/config/channel-artifacts/config_update.json
将.json格式的差异文件内容包装到新的.json信封文件中:
# Wrap the decoded update in an envelope payload for channel1 (type 2 is the config-update header type).
# The JSON is assembled by shell string splicing; piping through `jq .` re-parses it, so a malformed
# splice fails here rather than at proto_encode.
echo '{"payload":{"header":{"channel_header":{"channel_id":"channel1", "type":2}},"data":{"config_update":'$(cat /home/songzehao/fabric/config/channel-artifacts/config_update.json)'}}}' | jq . > /home/songzehao/fabric/config/channel-artifacts/config_update_in_envelope.json
编码为Envelope类型的新的交易文件:
# Encode the envelope JSON to the .tx that will be submitted.
configtxlator proto_encode --input /home/songzehao/fabric/config/channel-artifacts/config_update_in_envelope.json --type common.Envelope --output /home/songzehao/fabric/config/channel-artifacts/Org1MSPanchors.tx
# Submit the anchor-peer update; it is signed with the identity from CORE_PEER_MSPCONFIGPATH and
# the orderer connection is verified against the orderer TLS CA given by --cafile.
peer channel update -o 192.168.3.128:7050 -c channel1 -f /home/songzehao/fabric/config/channel-artifacts/Org1MSPanchors.tx --tls --cafile /home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/orderers/orderer0.org1.example.com/msp/tlscacerts/tlsca.org1.example.com-cert.pem
将fabric-samples示例工程(https://github.com/hyperledger/fabric-samples/tree/v2.2.0/)拉下来(下面的命令实际使用的是gitee上的仓库,建议核对其内容与官方v2.2.0标签一致后再编译其中的链码):
# Clones from gitee.com rather than the github.com URL cited in the text above. Since the chaincode
# built from this checkout is deployed to the channel, verify the checkout matches upstream tag v2.2.0.
git clone -b v2.2.0 https://gitee.com/hyperledger/fabric-samples.git
以其中的asset-transfer-basic链码为例,编译该java链码,并打包为basic.tar.gz:
# Clean any previous build output of the Java chaincode.
rm -rf ~/fabric/fabric-samples/asset-transfer-basic/chaincode-java/build/install/
# NOTE(review): ./gradlew is a relative path, so this assumes the current directory is
# ~/fabric/fabric-samples/asset-transfer-basic/chaincode-java — confirm before running.
./gradlew installDist
# Package the built chaincode with label basic_1.0; the label and package hash form the package ID used later.
peer lifecycle chaincode package ~/fabric/config/basic.tar.gz --path ~/fabric/fabric-samples/asset-transfer-basic/chaincode-java/build/install/basic --lang java --label basic_1.0
进行链码安装:
# Install the package on the peer selected by CORE_PEER_ADDRESS.
peer lifecycle chaincode install /home/songzehao/fabric/config/basic.tar.gz
查看已安装的链码:
# List installed packages; the package ID printed here is the value passed to --package-id below.
peer lifecycle chaincode queryinstalled
批准链码定义:
# Approve the chaincode definition for Org1. --package-id must match the queryinstalled output exactly
# (label:hash); the approval is signed with the identity from CORE_PEER_MSPCONFIGPATH.
peer lifecycle chaincode approveformyorg -o 192.168.3.128:7050 --channelID channel1 --name basic --version 1.0 --package-id basic_1.0:67b9d7ef205254d9b8ff59e5904d1d18a27f74d7d1679abe0e7ccde064826773 --sequence 1 --tls --cafile /home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/orderers/orderer0.org1.example.com/msp/tlscacerts/tlsca.org1.example.com-cert.pem
检查批准状态:
# Show the definition Org1 approved for "basic" on channel1.
peer lifecycle chaincode queryapproved -C channel1 -n basic
检查提交就绪状态:
# Check which orgs have approved this exact definition (name/version/sequence) before committing.
peer lifecycle chaincode checkcommitreadiness --channelID channel1 --name basic --version 1.0 --sequence 1 --output json
提交链码定义到通道(向peer0收集背书):
# Commit the definition to channel1. --peerAddresses/--tlsRootCertFiles pin the endorsing peer and its
# TLS CA; --cafile pins the orderer TLS CA. Both connections are TLS-verified, not just encrypted.
peer lifecycle chaincode commit -o 192.168.3.128:7050 --channelID channel1 --name basic --peerAddresses 192.168.3.128:7051 --tlsRootCertFiles /home/songzehao/fabric/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt --version 1.0 --sequence 1 --tls --cafile /home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/orderers/orderer0.org1.example.com/msp/tlscacerts/tlsca.org1.example.com-cert.pem
检查提交状态:
# Confirm the committed definition of "basic" on channel1.
peer lifecycle chaincode querycommitted --channelID channel1 --name basic --tls --cafile /home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/orderers/orderer0.org1.example.com/msp/tlscacerts/tlsca.org1.example.com-cert.pem
通过docker验证新的链码容器是否已在对等节点192.168.3.128上启动:
# On the node host: the chaincode container name embeds the package ID (see sample output below).
docker ps --no-trunc
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
660ab24842f1c96dc644f931b6540befca1cfb953399d880d9fe6e02560e4dc0 dev-peer0.org1.example.com-basic_1.0-67b9d7ef205254d9b8ff59e5904d1d18a27f74d7d1679abe0e7ccde064826773-4ae135e5fa18d99cbd8dc7e8907079b31a3f779d0137e69204d3307d30236441 "/root/chaincode-java/start --peerAddress localhost:7052" About a minute ago Up About a minute dev-peer0.org1.example.com-basic_1.0-67b9d7ef205254d9b8ff59e5904d1d18a27f74d7d1679abe0e7ccde064826773
发交易,初始化资产(调用链码的初始化方法InitLedger):
# Invoke InitLedger to seed the ledger; endorsement is requested from peer0 over a TLS connection
# verified against its TLS CA, and the transaction is sent to the orderer verified via --cafile.
peer chaincode invoke -o 192.168.3.128:7050 -C channel1 -n basic --peerAddresses 192.168.3.128:7051 --tlsRootCertFiles /home/songzehao/fabric/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt --tls --cafile /home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/orderers/orderer0.org1.example.com/msp/tlscacerts/tlsca.org1.example.com-cert.pem -c '{"function":"InitLedger","Args":[]}'
查询初始化后的资产(调用链码的GetAllAssets方法):
# Read-only query of GetAllAssets against peer0; nothing is submitted to the orderer.
peer chaincode query -o 192.168.3.128:7050 -C channel1 -n basic --peerAddresses 192.168.3.128:7051 --tlsRootCertFiles /home/songzehao/fabric/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt --tls --cafile /home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/orderers/orderer0.org1.example.com/msp/tlscacerts/tlsca.org1.example.com-cert.pem -c '{"function":"GetAllAssets","Args":[]}'
发交易,新增资产(调用链码的CreateAsset方法):
# Invoke CreateAsset with positional args (id, color, size, owner, value) as strings.
peer chaincode invoke -o 192.168.3.128:7050 -C channel1 -n basic --peerAddresses 192.168.3.128:7051 --tlsRootCertFiles /home/songzehao/fabric/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt --tls --cafile /home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/orderers/orderer0.org1.example.com/msp/tlscacerts/tlsca.org1.example.com-cert.pem -c '{"function":"CreateAsset","Args":["asset7", "pink", "18", "Jay", "800"]}'