
Hyperledger Fabric 2.2.5: Building a Production Network Using Fabric CA

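Reference: "Hyperledger Fabric 2.0: Manually Generating CA Certificates (TLS) to Build a Fabric Network with the Raft Protocol"

URL: https://segmentfault.com/a/1190000023337696

The blog post above contains some code errors and unclear descriptions; this article corrects them.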

1. Overall Architecture

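The official guide uses a multi-host deployment. To keep things simple, all operations here are performed on a single machine; the multi-host setup will be verified later.

The overall architecture used in this article is as follows.

Three organizations

Org0 ---> Organization 0
Org1 ---> Organization 1
Org2 ---> Organization 2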
           

Members of each organization

Org0: one orderer node and one Org0 Admin node
Org1: two Peer nodes, one Org1 Admin node, and one Org1 User node
Org2: two Peer nodes, one Org2 Admin node, and one Org2 User node
           

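Four CA servers

TLS server: issues TLS certificates to all nodes in the network, used to encrypt communication
Org1 CA server: issues certificates to all users in Organization 1
Org2 CA server: issues certificates to all users in Organization 2
Org0 CA server: issues certificates to all users in Organization 0


All four CA servers here are root servers. They exist independently and have no relationship with one another, which means a certificate generated by one CA server cannot be used with any of the other CA servers.

With the introduction done, let's get started.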

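2. Fabric and Fabric-CA Environment Setup

The basic Fabric and Fabric-CA environment setup is not covered here; see the official documentation if anything is unclear.

Once the environment is set up, we also need a HOME directory to store the generated certificate files and the Fabric configuration files. The HOME path used in this article is the same as the one in the official documentation: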

/tmp/hyperledger
           

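Create this directory yourself. Avoid overly complex paths and paths containing Chinese characters, since they cause a lot of trouble in later steps. Below, the HOME folder is simply called the working directory; unless stated otherwise, commands are run from the working directory.

Note: all services are started with docker-compose. To keep them on the same docker network, either place all docker-compose files in one directory or set:

export COMPOSE_PROJECT_NAME=net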

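3. CA Server Configuration

3.1 Starting the TLS CA Server

With the preparation done, we start the first CA server. This article starts it as a Docker container.

3.1.1 Creating the docker-compose.yaml File

Only one docker-compose.yaml file is created here. The startup definitions for all later CA servers and nodes go into this same file, which makes it easy to start and stop all containers.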

mkdir -p /tmp/hyperledger/docker-compose && cd /tmp/hyperledger/docker-compose

touch docker-compose.yaml
           

Add the following content to the file (tip: keep the indentation intact):

version: '2'

networks:
  fabric-ca:
services:
   ca-tls:
     container_name: ca-tls
     image: hyperledger/fabric-ca
     command: sh -c 'fabric-ca-server start -d -b tls-ca-admin:tls-ca-adminpw --port 7052'
     environment:
       - FABRIC_CA_SERVER_HOME=/tmp/hyperledger/fabric-ca/crypto
       - FABRIC_CA_SERVER_TLS_ENABLED=true
       - FABRIC_CA_SERVER_CSR_CN=ca-tls
       - FABRIC_CA_SERVER_CSR_HOSTS=0.0.0.0
       - FABRIC_CA_SERVER_PORT=7052
       - FABRIC_CA_SERVER_DEBUG=true
     volumes:
       - /tmp/hyperledger/fabric-ca-tls:/tmp/hyperledger/fabric-ca
     networks:
       - fabric-ca
     ports:
       - 7052:7052
           

Start the Docker container

docker-compose -f docker-compose.yaml up ca-tls
           

If the following line appears in the terminal, the server started successfully:

[INFO] Listening on https://0.0.0.0:7052
           

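At the same time, a crypto folder appears under /tmp/hyperledger/fabric-ca/ in the working directory. Its contents are not explained here; see the official documentation if you want the details. One file does need explaining, because it is used frequently later: the ca-cert.pem file under /tmp/hyperledger/fabric-ca/crypto/. This is the signing root certificate of the TLS CA server. It is used to verify the CA's TLS certificate, and this certificate must also be held in order for certificates to be issued.

In a multi-host environment, it must be copied to every machine.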
           

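3.1.2 Registering Users with the TLS CA Server

The first step is to register users with the TLS CA server; only registered users can obtain TLS certificates.

Set environment variables & enroll

# Set the environment variable that points to the root certificate (if your working directory differs, use your own path; this is not repeated below)
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/fabric-ca-tls/crypto/ca-cert.pem
# Set the environment variable that points to the CA client's HOME folder
export FABRIC_CA_CLIENT_HOME=/tmp/hyperledger/fabric-ca-tls/admin
# Enroll the administrator user, which is used later to register node identities
fabric-ca-client enroll -d -u https://tls-ca-admin:tls-ca-adminpw@0.0.0.0:7052 --tls.certfiles /tmp/hyperledger/fabric-ca-tls/crypto/ca-cert.pem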
           

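After a successful enrollment, an admin folder is generated under /tmp/hyperledger/fabric-ca-tls/. It contains the admin's certificate files. Only after enrolling as admin do you have permission to register users, because this user has full privileges on the CA and is effectively the root user of the CA service.

Next, register each node and user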

fabric-ca-client register -d --id.name peer1-org1 --id.secret peer1PW --id.type peer -u https://0.0.0.0:7052 --tls.certfiles /tmp/hyperledger/fabric-ca-tls/crypto/ca-cert.pem

fabric-ca-client register -d --id.name peer2-org1 --id.secret peer2PW --id.type peer -u https://0.0.0.0:7052 --tls.certfiles /tmp/hyperledger/fabric-ca-tls/crypto/ca-cert.pem

fabric-ca-client register -d --id.name peer1-org2 --id.secret peer1PW --id.type peer -u https://0.0.0.0:7052 --tls.certfiles /tmp/hyperledger/fabric-ca-tls/crypto/ca-cert.pem

fabric-ca-client register -d --id.name peer2-org2 --id.secret peer2PW --id.type peer -u https://0.0.0.0:7052 --tls.certfiles /tmp/hyperledger/fabric-ca-tls/crypto/ca-cert.pem

fabric-ca-client register -d --id.name orderer1-org0 --id.secret ordererPW --id.type orderer -u https://0.0.0.0:7052 --tls.certfiles /tmp/hyperledger/fabric-ca-tls/crypto/ca-cert.pem

fabric-ca-client register -d --id.name admin-org1 --id.secret org1AdminPW --id.type admin -u https://0.0.0.0:7052 --tls.certfiles /tmp/hyperledger/fabric-ca-tls/crypto/ca-cert.pem

fabric-ca-client register -d --id.name admin-org2 --id.secret org2AdminPW --id.type admin -u https://0.0.0.0:7052 --tls.certfiles /tmp/hyperledger/fabric-ca-tls/crypto/ca-cert.pem
           

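Here we register each node for a TLS certificate. Communication in the Fabric network is then TLS-encrypted using the TLS certificates of the identities registered in this step.

At this point we have only registered the identities of the nodes; we have not obtained their certificates yet. Certificates are obtained by enrolling, but there is no hurry to fetch their TLS certificates right now.

Next, we configure the other CA servers.

3.2 Configuring the Org0 CA Service

First create the CA directory for org0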

mkdir -p /tmp/hyperledger/org0/ca
           

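To stress it again: the CA servers in this article are all root servers with no relationship to one another, so the TLS CA server from the previous step is not used in this part.

As before, the CA server is started as a Docker container. The configuration is as follows; just add it to the docker-compose.yaml file created earlier: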

org0:
    container_name: org0
    image: hyperledger/fabric-ca:latest
    command: sh -c 'fabric-ca-server start -d -b org0-admin:org0-adminpw --port 7053'
    environment:
      - FABRIC_CA_SERVER_HOME=/tmp/hyperledger/fabric-ca/crypto
      - FABRIC_CA_SERVER_TLS_ENABLED=true
      - FABRIC_CA_SERVER_CSR_CN=org0
      - FABRIC_CA_SERVER_CSR_HOSTS=0.0.0.0
      - FABRIC_CA_SERVER_PORT=7053
      - FABRIC_CA_SERVER_DEBUG=true
    volumes:
      - /tmp/hyperledger/org0/ca:/tmp/hyperledger/fabric-ca  ## Important! Remember to change this path to your own working directory
    networks:
      - fabric-ca
    ports:
      - 7053:7053
           

Start the container

docker-compose -f docker-compose.yaml up org0
           

Register the org0 users

# Set environment variables & enroll
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org0/ca/crypto/ca-cert.pem

export FABRIC_CA_CLIENT_HOME=/tmp/hyperledger/org0/ca/admin

fabric-ca-client enroll -d -u https://org0-admin:org0-adminpw@0.0.0.0:7053 --tls.certfiles /tmp/hyperledger/org0/ca/crypto/ca-cert.pem


This organization has two users: the orderer node and the admin user (this admin is not the same as the CA administrator).

Register them with the org0 CA server

fabric-ca-client register -d --id.name orderer1-org0 --id.secret ordererpw --id.type orderer -u https://0.0.0.0:7053 --tls.certfiles /tmp/hyperledger/org0/ca/crypto/ca-cert.pem

fabric-ca-client register -d --id.name admin-org0 --id.secret org0adminpw --id.type admin --id.attrs "hf.Registrar.Roles=client,hf.Registrar.Attributes=*,hf.Revoker=true,hf.GenCRL=true,admin=true:ecert,abac.init=true:ecert" -u https://0.0.0.0:7053 --tls.certfiles /tmp/hyperledger/org0/ca/crypto/ca-cert.pem
           

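After the commands finish, an identity for the Orderer node and an identity for the Admin are registered. The org0 subfolder of the working directory now contains two folders: crypto and admin. crypto holds the CA server's configuration, and admin holds the identity of the server administrator.

3.3 Configuring the Org1 CA Service

First create the CA directory for org1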

mkdir -p /tmp/hyperledger/org1/ca
           

The configuration is as follows; as before, add it to the docker-compose.yaml file created earlier:

org1:
    container_name: org1
    image: hyperledger/fabric-ca:latest
    command: sh -c 'fabric-ca-server start -d -b org1-admin:org1-adminpw --port 7054'
    environment:
      - FABRIC_CA_SERVER_HOME=/tmp/hyperledger/fabric-ca/crypto
      - FABRIC_CA_SERVER_TLS_ENABLED=true
      - FABRIC_CA_SERVER_CSR_CN=org1
      - FABRIC_CA_SERVER_CSR_HOSTS=0.0.0.0
      - FABRIC_CA_SERVER_PORT=7054
      - FABRIC_CA_SERVER_DEBUG=true
    volumes:
      - /tmp/hyperledger/org1/ca:/tmp/hyperledger/fabric-ca  ## Important! Remember to change this path to your own working directory
    networks:
      - fabric-ca
    ports:
      - 7054:7054
           

Start the container

docker-compose -f docker-compose.yaml up org1
           

Register the org1 users

# Set environment variables & enroll
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org1/ca/crypto/ca-cert.pem

export FABRIC_CA_CLIENT_HOME=/tmp/hyperledger/org1/ca/admin

fabric-ca-client enroll -d -u https://org1-admin:org1-adminpw@0.0.0.0:7054 --tls.certfiles /tmp/hyperledger/org1/ca/crypto/ca-cert.pem


Organization 1 has four users: peer1, peer2, admin, and user. Register each of them

fabric-ca-client register -d --id.name peer1-org1 --id.secret peer1PW --id.type peer -u https://0.0.0.0:7054 --tls.certfiles /tmp/hyperledger/org1/ca/crypto/ca-cert.pem

fabric-ca-client register -d --id.name peer2-org1 --id.secret peer2PW --id.type peer -u https://0.0.0.0:7054 --tls.certfiles /tmp/hyperledger/org1/ca/crypto/ca-cert.pem

fabric-ca-client register -d --id.name admin-org1 --id.secret org1AdminPW --id.type admin -u https://0.0.0.0:7054 --tls.certfiles /tmp/hyperledger/org1/ca/crypto/ca-cert.pem

fabric-ca-client register -d --id.name user-org1 --id.secret org1UserPW --id.type client -u https://0.0.0.0:7054 --tls.certfiles /tmp/hyperledger/org1/ca/crypto/ca-cert.pem
           

3.4 Configuring the Org2 CA Service

First create the CA directory for org2

mkdir -p /tmp/hyperledger/org2/ca
           

The configuration is as follows; as before, add it to the docker-compose.yaml file created earlier:

org2:
    container_name: org2
    image: hyperledger/fabric-ca:latest
    command: sh -c 'fabric-ca-server start -d -b org2-admin:org2-adminpw --port 7055'
    environment:
      - FABRIC_CA_SERVER_HOME=/tmp/hyperledger/fabric-ca/crypto
      - FABRIC_CA_SERVER_TLS_ENABLED=true
      - FABRIC_CA_SERVER_CSR_CN=org2
      - FABRIC_CA_SERVER_CSR_HOSTS=0.0.0.0
      - FABRIC_CA_SERVER_PORT=7055
      - FABRIC_CA_SERVER_DEBUG=true
    volumes:
      - /tmp/hyperledger/org2/ca:/tmp/hyperledger/fabric-ca  ## Important! Remember to change this path to your own working directory
    networks:
      - fabric-ca
    ports:
      - 7055:7055
           

Start the container

docker-compose -f docker-compose.yaml up org2
           

Register the org2 users

# Set environment variables & enroll
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org2/ca/crypto/ca-cert.pem

export FABRIC_CA_CLIENT_HOME=/tmp/hyperledger/org2/ca/admin

fabric-ca-client enroll -d -u https://org2-admin:org2-adminpw@0.0.0.0:7055 --tls.certfiles /tmp/hyperledger/org2/ca/crypto/ca-cert.pem


Organization 2 has four users: peer1, peer2, admin, and user. Register each of them

fabric-ca-client register -d --id.name peer1-org2 --id.secret peer1PW --id.type peer -u https://0.0.0.0:7055 --tls.certfiles /tmp/hyperledger/org2/ca/crypto/ca-cert.pem

fabric-ca-client register -d --id.name peer2-org2 --id.secret peer2PW --id.type peer -u https://0.0.0.0:7055 --tls.certfiles /tmp/hyperledger/org2/ca/crypto/ca-cert.pem

fabric-ca-client register -d --id.name admin-org2 --id.secret org2AdminPW --id.type admin -u https://0.0.0.0:7055 --tls.certfiles /tmp/hyperledger/org2/ca/crypto/ca-cert.pem

fabric-ca-client register -d --id.name user-org2 --id.secret org2UserPW --id.type client -u https://0.0.0.0:7055 --tls.certfiles /tmp/hyperledger/org2/ca/crypto/ca-cert.pem
           

4. Organization 1 Node Configuration

4.1 peer1

mkdir -p /tmp/hyperledger/org1/peer1/assets/ca/

cp /tmp/hyperledger/org1/ca/crypto/ca-cert.pem /tmp/hyperledger/org1/peer1/assets/ca/org1-ca-cert.pem
           

First, the organization's MSP certificate:

Set environment variables

export FABRIC_CA_CLIENT_HOME=/tmp/hyperledger/org1/peer1
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org1/peer1/assets/ca/org1-ca-cert.pem
export FABRIC_CA_CLIENT_MSPDIR=msp
           

Enroll the peer1 node with the org1 CA server

fabric-ca-client enroll -d -u https://peer1-org1:peer1PW@0.0.0.0:7054 --tls.certfiles /tmp/hyperledger/org1/ca/crypto/ca-cert.pem


After this step, an msp folder appears under /tmp/hyperledger/org1/peer1; this is the MSP certificate of the peer1 node.

Next, the TLS certificate

mkdir -p /tmp/hyperledger/org1/peer1/assets/tls-ca
cp /tmp/hyperledger/fabric-ca-tls/crypto/ca-cert.pem  /tmp/hyperledger/org1/peer1/assets/tls-ca/tls-ca-cert.pem
           

Set environment variables

export FABRIC_CA_CLIENT_MSPDIR=/tmp/hyperledger/org1/peer1/tls-msp

export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org1/peer1/assets/tls-ca/tls-ca-cert.pem
           

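Enroll the peer1 node with the TLS CA server

fabric-ca-client enroll -d -u https://peer1-org1:peer1PW@0.0.0.0:7052 --enrollment.profile tls --csr.hosts peer1-org1 --tls.certfiles /tmp/hyperledger/org1/peer1/assets/tls-ca/tls-ca-cert.pem


After this step, a tls-msp folder appears under /tmp/hyperledger/org1/peer1; this is the TLS certificate of the peer1 node.

Rename the key file

Why rename it? Look inside the folder and you will see: the key file name generated by the server is a long, random-looking string. Do we really want to type it character by character every time we use it later?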

mv /tmp/hyperledger/org1/peer1/tls-msp/keystore/*_sk /tmp/hyperledger/org1/peer1/tls-msp/keystore/key.pem
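
The rename step above, written as a guarded function. This is an added example, not code from the original post; `normalize_keystore` is a hypothetical helper name. It renames the key only when exactly one `*_sk` file exists, never overwrites an existing key.pem, and restricts the key to owner read/write.

```shell
#!/bin/sh
# Added example (not from the original post).
# normalize_keystore is a hypothetical helper: it performs the article's
# "mv keystore/*_sk keystore/key.pem" step, but only in an unambiguous state.
#
# Return codes:
#   0  key.pem is in place with mode 600
#   1  no private key found
#   2  keystore directory missing
#   3  ambiguous state (several *_sk files, or *_sk next to an existing key.pem)
normalize_keystore() {
    keystore="$1"
    [ -d "$keystore" ] || { echo "not a directory: $keystore" >&2; return 2; }

    # Count the enrolled key files; an unmatched glob stays literal, so test -f.
    count=0
    found=""
    for f in "$keystore"/*_sk; do
        [ -f "$f" ] || continue
        count=$((count + 1))
        found="$f"
    done

    if [ -f "$keystore/key.pem" ]; then
        if [ "$count" -gt 0 ]; then
            # A later enrollment left a new key beside key.pem. Decide by hand
            # which key belongs to signcerts/cert.pem instead of overwriting.
            echo "key.pem exists next to $count *_sk file(s) in $keystore" >&2
            return 3
        fi
        chmod 600 "$keystore/key.pem"
        return 0
    fi

    case "$count" in
        0) echo "no *_sk key in $keystore" >&2; return 1 ;;
        1) ;;
        *) echo "$count *_sk keys in $keystore, expected one" >&2; return 3 ;;
    esac

    mv "$found" "$keystore/key.pem" && chmod 600 "$keystore/key.pem"
}

# Usage with the article's layout:
#   normalize_keystore /tmp/hyperledger/org1/peer1/tls-msp/keystore
```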
           

4.2 peer2

mkdir -p /tmp/hyperledger/org1/peer2/assets/ca/

cp /tmp/hyperledger/org1/ca/crypto/ca-cert.pem /tmp/hyperledger/org1/peer2/assets/ca/org1-ca-cert.pem
           

First, the organization's MSP certificate:

Set environment variables

export FABRIC_CA_CLIENT_HOME=/tmp/hyperledger/org1/peer2
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org1/peer2/assets/ca/org1-ca-cert.pem
export FABRIC_CA_CLIENT_MSPDIR=msp
           

Enroll the peer2 node with the org1 CA server

fabric-ca-client enroll -d -u https://peer2-org1:peer2PW@0.0.0.0:7054 --tls.certfiles /tmp/hyperledger/org1/ca/crypto/ca-cert.pem


After this step, an msp folder appears under /tmp/hyperledger/org1/peer2; this is the MSP certificate of the peer2 node.

Next, the TLS certificate

mkdir -p /tmp/hyperledger/org1/peer2/assets/tls-ca/
cp /tmp/hyperledger/fabric-ca-tls/crypto/ca-cert.pem  /tmp/hyperledger/org1/peer2/assets/tls-ca/tls-ca-cert.pem
           

Set environment variables

export FABRIC_CA_CLIENT_MSPDIR=tls-msp
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org1/peer2/assets/tls-ca/tls-ca-cert.pem
           

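Enroll the peer2 node with the TLS CA server

fabric-ca-client enroll -d -u https://peer2-org1:peer2PW@0.0.0.0:7052 --enrollment.profile tls --csr.hosts peer2-org1 --tls.certfiles /tmp/hyperledger/org1/peer2/assets/tls-ca/tls-ca-cert.pem


After this step, a tls-msp folder appears under /tmp/hyperledger/org1/peer2; this is the TLS certificate of the peer2 node.

Rename the key file

Why rename it? Look inside the folder and you will see: the key file name generated by the server is a long, random-looking string. Do we really want to type it character by character every time we use it later?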

mv /tmp/hyperledger/org1/peer2/tls-msp/keystore/*_sk /tmp/hyperledger/org1/peer2/tls-msp/keystore/key.pem
           

4.3 admin

First, the organization's MSP certificate:

Set environment variables

export FABRIC_CA_CLIENT_HOME=/tmp/hyperledger/org1/admin
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org1/peer1/assets/ca/org1-ca-cert.pem
export FABRIC_CA_CLIENT_MSPDIR=msp
           

Enroll the admin with the org1 CA server

fabric-ca-client enroll -d -u https://admin-org1:org1AdminPW@0.0.0.0:7054 --tls.certfiles /tmp/hyperledger/org1/peer1/assets/ca/org1-ca-cert.pem


Next, the TLS certificate

Set environment variables

export FABRIC_CA_CLIENT_MSPDIR=tls-msp
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org1/peer1/assets/tls-ca/tls-ca-cert.pem
           

Enroll the admin with the TLS CA server

fabric-ca-client enroll -d -u https://admin-org1:org1AdminPW@0.0.0.0:7052 --enrollment.profile tls --csr.hosts admin-org1 --tls.certfiles /tmp/hyperledger/org1/peer1/assets/tls-ca/tls-ca-cert.pem


Copy the certificate into the admincerts folder:

In the official Fabric examples, every peer node's MSP folder has an admincerts subfolder, and we have to create it manually.

mkdir /tmp/hyperledger/org1/peer1/msp/admincerts
cp /tmp/hyperledger/org1/admin/msp/signcerts/cert.pem /tmp/hyperledger/org1/peer1/msp/admincerts/org1-admin-cert.pem


mkdir /tmp/hyperledger/org1/peer2/msp/admincerts
cp /tmp/hyperledger/org1/admin/msp/signcerts/cert.pem /tmp/hyperledger/org1/peer2/msp/admincerts/org1-admin-cert.pem
           

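4.4 Starting the Peer Nodes

At this point a node is fully configured, so we can start it. Starting it later together with the orderer node also works, but after all this work it is nice to see some results early!

The configuration for the peer1 node is as follows; as before, add it to the docker-compose.yaml file created earlier: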

peer1-org1:
    container_name: peer1-org1
    image: hyperledger/fabric-peer
    environment:
      - CORE_PEER_ID=peer1-org1
      - CORE_PEER_ADDRESS=peer1-org1:7051
      - CORE_PEER_LISTENADDRESS=0.0.0.0:7051
      - CORE_PEER_CHAINCODEADDRESS=peer1-org1:7052
      - CORE_PEER_CHAINCODELISTENADDRESS=0.0.0.0:7052
      - CORE_PEER_GOSSIP_BOOTSTRAP=peer1-org1:7051
      - CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer1-org1:7051
      - CORE_PEER_LOCALMSPID=org1MSP
      - CORE_PEER_MSPCONFIGPATH=/tmp/hyperledger/org1/peer1/msp
      - CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
      - CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE=${COMPOSE_PROJECT_NAME}_fabric-ca
      - FABRIC_LOGGING_SPEC=debug
      - CORE_PEER_TLS_ENABLED=true
      - CORE_PEER_TLS_CERT_FILE=/tmp/hyperledger/org1/peer1/tls-msp/signcerts/cert.pem
      - CORE_PEER_TLS_KEY_FILE=/tmp/hyperledger/org1/peer1/tls-msp/keystore/key.pem
      - CORE_PEER_TLS_ROOTCERT_FILE=/tmp/hyperledger/org1/peer1/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem
      - CORE_PEER_GOSSIP_USELEADERELECTION=true
      - CORE_PEER_GOSSIP_ORGLEADER=false
      - CORE_PEER_PROFILE_ENABLED=true
      - CORE_PEER_GOSSIP_SKIPHANDSHAKE=true
    working_dir: /opt/gopath/src/github.com/hyperledger/fabric/org1/peer1
    volumes:
      - /var/run:/host/var/run
      - /tmp/hyperledger/org1/peer1:/tmp/hyperledger/org1/peer1
    networks:
      - fabric-ca
           

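Start the container

docker-compose -f docker-compose.yaml up peer1-org1


If there are no errors, the earlier configuration is fine; if there are errors, go back and check it.

The configuration for the peer2 node is as follows; as before, add it to the docker-compose.yaml file created earlier: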

peer2-org1:
    container_name: peer2-org1
    image: hyperledger/fabric-peer
    environment:
      - CORE_PEER_ID=peer2-org1
      - CORE_PEER_ADDRESS=peer2-org1:7051
      - CORE_PEER_LISTENADDRESS=0.0.0.0:7051
      - CORE_PEER_CHAINCODEADDRESS=peer2-org1:7052
      - CORE_PEER_CHAINCODELISTENADDRESS=0.0.0.0:7052
      - CORE_PEER_GOSSIP_BOOTSTRAP=peer1-org1:7051
      - CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer2-org1:7051
      - CORE_PEER_LOCALMSPID=org1MSP
      - CORE_PEER_MSPCONFIGPATH=/tmp/hyperledger/org1/peer2/msp
      - CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
      - CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE=${COMPOSE_PROJECT_NAME}_fabric-ca
      - FABRIC_LOGGING_SPEC=debug
      - CORE_PEER_TLS_ENABLED=true
      - CORE_PEER_TLS_CERT_FILE=/tmp/hyperledger/org1/peer2/tls-msp/signcerts/cert.pem
      - CORE_PEER_TLS_KEY_FILE=/tmp/hyperledger/org1/peer2/tls-msp/keystore/key.pem
      - CORE_PEER_TLS_ROOTCERT_FILE=/tmp/hyperledger/org1/peer2/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem
      - CORE_PEER_GOSSIP_USELEADERELECTION=true
      - CORE_PEER_GOSSIP_ORGLEADER=false
      - CORE_PEER_PROFILE_ENABLED=true
      - CORE_PEER_GOSSIP_SKIPHANDSHAKE=true
    working_dir: /opt/gopath/src/github.com/hyperledger/fabric/org1/peer2
    volumes:
      - /var/run:/host/var/run
      - /tmp/hyperledger/org1/peer2:/tmp/hyperledger/org1/peer2
    networks:
      - fabric-ca
           

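Start the container

docker-compose -f docker-compose.yaml up peer2-org1


5. Organization 2 Node Configuration

This is the same as the Organization 1 configuration, so there is not much to explain; here are the commands.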

5.1 peer1

mkdir -p /tmp/hyperledger/org2/peer1/assets/ca 
cp /tmp/hyperledger/org2/ca/crypto/ca-cert.pem /tmp/hyperledger/org2/peer1/assets/ca/org2-ca-cert.pem
           

Set environment variables

export FABRIC_CA_CLIENT_HOME=/tmp/hyperledger/org2/peer1
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org2/peer1/assets/ca/org2-ca-cert.pem
export FABRIC_CA_CLIENT_MSPDIR=msp
           

Enroll the peer1 node with the org2 CA server

fabric-ca-client enroll -d -u https://peer1-org2:peer1PW@0.0.0.0:7055 --tls.certfiles /tmp/hyperledger/org2/peer1/assets/ca/org2-ca-cert.pem


Next, TLS

mkdir /tmp/hyperledger/org2/peer1/assets/tls-ca
cp /tmp/hyperledger/fabric-ca-tls/crypto/ca-cert.pem  /tmp/hyperledger/org2/peer1/assets/tls-ca/tls-ca-cert.pem
           

Set environment variables

export FABRIC_CA_CLIENT_MSPDIR=tls-msp
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org2/peer1/assets/tls-ca/tls-ca-cert.pem
           

Enroll the peer1 node with the TLS CA server

fabric-ca-client enroll -d -u https://peer1-org2:peer1PW@0.0.0.0:7052 --enrollment.profile tls --csr.hosts peer1-org2 --tls.certfiles /tmp/hyperledger/org2/peer1/assets/tls-ca/tls-ca-cert.pem


Rename the key file

mv /tmp/hyperledger/org2/peer1/tls-msp/keystore/*_sk /tmp/hyperledger/org2/peer1/tls-msp/keystore/key.pem
           

5.2 peer2

mkdir -p /tmp/hyperledger/org2/peer2/assets/ca 
cp /tmp/hyperledger/org2/ca/crypto/ca-cert.pem /tmp/hyperledger/org2/peer2/assets/ca/org2-ca-cert.pem
           

Set environment variables

export FABRIC_CA_CLIENT_HOME=/tmp/hyperledger/org2/peer2
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org2/peer2/assets/ca/org2-ca-cert.pem
export FABRIC_CA_CLIENT_MSPDIR=msp
           

Enroll the peer2 node with the org2 CA server

fabric-ca-client enroll -d -u https://peer2-org2:peer2PW@0.0.0.0:7055 --tls.certfiles /tmp/hyperledger/org2/peer2/assets/ca/org2-ca-cert.pem


Next, TLS

mkdir /tmp/hyperledger/org2/peer2/assets/tls-ca
cp /tmp/hyperledger/fabric-ca-tls/crypto/ca-cert.pem  /tmp/hyperledger/org2/peer2/assets/tls-ca/tls-ca-cert.pem
           

Set environment variables

export FABRIC_CA_CLIENT_MSPDIR=tls-msp
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org2/peer2/assets/tls-ca/tls-ca-cert.pem
           

Enroll the peer2 node with the TLS CA server

fabric-ca-client enroll -d -u https://peer2-org2:peer2PW@0.0.0.0:7052 --enrollment.profile tls --csr.hosts peer2-org2 --tls.certfiles /tmp/hyperledger/org2/peer2/assets/tls-ca/tls-ca-cert.pem


Rename the key file

mv /tmp/hyperledger/org2/peer2/tls-msp/keystore/*_sk /tmp/hyperledger/org2/peer2/tls-msp/keystore/key.pem
           

5.3 admin

Set environment variables

export FABRIC_CA_CLIENT_HOME=/tmp/hyperledger/org2/admin
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org2/peer1/assets/ca/org2-ca-cert.pem
export FABRIC_CA_CLIENT_MSPDIR=msp
           

Enroll the admin with the org2 CA server

fabric-ca-client enroll -d -u https://admin-org2:org2AdminPW@0.0.0.0:7055 --tls.certfiles /tmp/hyperledger/org2/peer1/assets/ca/org2-ca-cert.pem


Next, TLS

Set environment variables

export FABRIC_CA_CLIENT_MSPDIR=tls-msp
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org2/peer1/assets/tls-ca/tls-ca-cert.pem
           

Enroll the admin with the TLS CA server

fabric-ca-client enroll -d -u https://admin-org2:org2AdminPW@0.0.0.0:7052 --enrollment.profile tls --csr.hosts admin-org2 --tls.certfiles /tmp/hyperledger/org2/peer1/assets/tls-ca/tls-ca-cert.pem


5.4 Copying the Certificate into the admincerts Folder:

mkdir /tmp/hyperledger/org2/peer1/msp/admincerts
cp /tmp/hyperledger/org2/admin/msp/signcerts/cert.pem /tmp/hyperledger/org2/peer1/msp/admincerts/org2-admin-cert.pem


mkdir /tmp/hyperledger/org2/peer2/msp/admincerts
cp /tmp/hyperledger/org2/admin/msp/signcerts/cert.pem /tmp/hyperledger/org2/peer2/msp/admincerts/org2-admin-cert.pem
           

5.5 Starting the Peer Nodes

The configuration for the peer1 node is as follows; as before, add it to the docker-compose.yaml file created earlier:

peer1-org2:
    container_name: peer1-org2
    image: hyperledger/fabric-peer
    environment:
      - CORE_PEER_ID=peer1-org2
      - CORE_PEER_ADDRESS=peer1-org2:7051
      - CORE_PEER_LISTENADDRESS=0.0.0.0:7051
      - CORE_PEER_CHAINCODEADDRESS=peer1-org2:7052
      - CORE_PEER_CHAINCODELISTENADDRESS=0.0.0.0:7052
      - CORE_PEER_GOSSIP_BOOTSTRAP=peer1-org2:7051
      - CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer1-org2:7051
      - CORE_PEER_LOCALMSPID=org2MSP
      - CORE_PEER_MSPCONFIGPATH=/tmp/hyperledger/org2/peer1/msp
      - CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
      - CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE=${COMPOSE_PROJECT_NAME}_fabric-ca
      - FABRIC_LOGGING_SPEC=debug
      - CORE_PEER_TLS_ENABLED=true
      - CORE_PEER_TLS_CERT_FILE=/tmp/hyperledger/org2/peer1/tls-msp/signcerts/cert.pem
      - CORE_PEER_TLS_KEY_FILE=/tmp/hyperledger/org2/peer1/tls-msp/keystore/key.pem
      - CORE_PEER_TLS_ROOTCERT_FILE=/tmp/hyperledger/org2/peer1/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem
      - CORE_PEER_GOSSIP_USELEADERELECTION=true
      - CORE_PEER_GOSSIP_ORGLEADER=false
      - CORE_PEER_PROFILE_ENABLED=true
      - CORE_PEER_GOSSIP_SKIPHANDSHAKE=true
    working_dir: /opt/gopath/src/github.com/hyperledger/fabric/org2/peer1
    volumes:
      - /var/run:/host/var/run
      - /tmp/hyperledger/org2/peer1:/tmp/hyperledger/org2/peer1
    networks:
      - fabric-ca
           

Start the container

docker-compose -f docker-compose.yaml up peer1-org2


The configuration for the peer2 node is as follows; as before, add it to the docker-compose.yaml file created earlier:

peer2-org2:
    container_name: peer2-org2
    image: hyperledger/fabric-peer
    environment:
      - CORE_PEER_ID=peer2-org2
      - CORE_PEER_ADDRESS=peer2-org2:7051
      - CORE_PEER_LISTENADDRESS=0.0.0.0:7051
      - CORE_PEER_CHAINCODEADDRESS=peer2-org2:7052
      - CORE_PEER_CHAINCODELISTENADDRESS=0.0.0.0:7052
      - CORE_PEER_GOSSIP_BOOTSTRAP=peer1-org2:7051
      - CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer2-org2:7051
      - CORE_PEER_LOCALMSPID=org2MSP
      - CORE_PEER_MSPCONFIGPATH=/tmp/hyperledger/org2/peer2/msp
      - CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
      - CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE=${COMPOSE_PROJECT_NAME}_fabric-ca
      - FABRIC_LOGGING_SPEC=debug
      - CORE_PEER_TLS_ENABLED=true
      - CORE_PEER_TLS_CERT_FILE=/tmp/hyperledger/org2/peer2/tls-msp/signcerts/cert.pem
      - CORE_PEER_TLS_KEY_FILE=/tmp/hyperledger/org2/peer2/tls-msp/keystore/key.pem
      - CORE_PEER_TLS_ROOTCERT_FILE=/tmp/hyperledger/org2/peer2/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem
      - CORE_PEER_GOSSIP_USELEADERELECTION=true
      - CORE_PEER_GOSSIP_ORGLEADER=false
      - CORE_PEER_GOSSIP_SKIPHANDSHAKE=true
      - CORE_PEER_PROFILE_ENABLED=true
    working_dir: /opt/gopath/src/github.com/hyperledger/fabric/org2/peer2
    volumes:
      - /var/run:/host/var/run
      - /tmp/hyperledger/org2/peer2:/tmp/hyperledger/org2/peer2
    networks:
      - fabric-ca
           

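Start the container

docker-compose -f docker-compose.yaml up peer2-org2


6. Orderer Node Configuration

Next is the orderer node configuration. Why is it last? Because starting the orderer node requires a genesis block generated in advance, and generating the genesis block involves another configuration file, so the simpler peer nodes were configured first.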

6.1 orderer

mkdir -p /tmp/hyperledger/org0/orderer/assets/ca/
cp /tmp/hyperledger/org0/ca/crypto/ca-cert.pem /tmp/hyperledger/org0/orderer/assets/ca/org0-ca-cert.pem
           

Set environment variables

export FABRIC_CA_CLIENT_HOME=/tmp/hyperledger/org0/orderer
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org0/orderer/assets/ca/org0-ca-cert.pem
export FABRIC_CA_CLIENT_MSPDIR=msp
           

Enroll the orderer node with the org0 CA server

fabric-ca-client enroll -d -u https://orderer1-org0:ordererpw@0.0.0.0:7053 --tls.certfiles /tmp/hyperledger/org0/orderer/assets/ca/org0-ca-cert.pem


Next, the TLS certificate

mkdir /tmp/hyperledger/org0/orderer/assets/tls-ca/
cp /tmp/hyperledger/fabric-ca-tls/crypto/ca-cert.pem  /tmp/hyperledger/org0/orderer/assets/tls-ca/tls-ca-cert.pem
           

Set environment variables

export FABRIC_CA_CLIENT_MSPDIR=tls-msp
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org0/orderer/assets/tls-ca/tls-ca-cert.pem
           

Enroll the orderer node with the TLS CA server

fabric-ca-client enroll -d -u https://orderer1-org0:ordererPW@0.0.0.0:7052 --enrollment.profile tls --csr.hosts orderer1-org0 --tls.certfiles /tmp/hyperledger/org0/orderer/assets/tls-ca/tls-ca-cert.pem


Rename the key

mv /tmp/hyperledger/org0/orderer/tls-msp/keystore/*_sk /tmp/hyperledger/org0/orderer/tls-msp/keystore/key.pem
           

6.2 admin

Set environment variables

export FABRIC_CA_CLIENT_HOME=/tmp/hyperledger/org0/admin
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org0/orderer/assets/ca/org0-ca-cert.pem
export FABRIC_CA_CLIENT_MSPDIR=msp
           

Enroll the admin user to obtain its MSP

fabric-ca-client enroll -d -u https://admin-org0:org0adminpw@0.0.0.0:7053 --tls.certfiles /tmp/hyperledger/org0/orderer/assets/ca/org0-ca-cert.pem


Copy the certificate into the admincerts folder:

mkdir /tmp/hyperledger/org0/orderer/msp/admincerts
cp /tmp/hyperledger/org0/admin/msp/signcerts/cert.pem /tmp/hyperledger/org0/orderer/msp/admincerts/orderer-admin-cert.pem
           

Once the certificates are ready, we also need to add a config.yaml to each msp folder

NodeOUs:
  Enable: true
  ClientOUIdentifier:
    # Change this to the matching certificate file name
    Certificate: cacerts/0-0-0-0-7053.pem
    OrganizationalUnitIdentifier: client
  PeerOUIdentifier:
    Certificate: cacerts/0-0-0-0-7053.pem
    OrganizationalUnitIdentifier: peer
  AdminOUIdentifier:
    Certificate: cacerts/0-0-0-0-7053.pem
    OrganizationalUnitIdentifier: admin
  OrdererOUIdentifier:
    Certificate: cacerts/0-0-0-0-7053.pem
    OrganizationalUnitIdentifier: orderer
           

This must be added under every msp directory of org0, org1, and org2.
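
One way to generate that config.yaml for every msp directory with the correct CA certificate file name filled in (an added example, not code from the original post). The function names are hypothetical, and the script assumes each msp/cacerts folder holds exactly one .pem file, as it does after the enrollments above.

```shell
#!/bin/sh
# Added example (not from the original post).
# write_nodeou_config and write_all_nodeou_configs are hypothetical helpers.

# Write <mspdir>/config.yaml, pointing every NodeOU entry at the single CA
# certificate found in <mspdir>/cacerts (for example 0-0-0-0-7053.pem for
# org0, 0-0-0-0-7054.pem for org1).
write_nodeou_config() {
    mspdir="$1"
    cadir="$mspdir/cacerts"
    [ -d "$cadir" ] || { echo "missing $cadir" >&2; return 2; }

    count=0
    cafile=""
    for f in "$cadir"/*.pem; do
        [ -f "$f" ] || continue        # unmatched glob stays literal
        count=$((count + 1))
        cafile=$(basename "$f")
    done
    # Refuse to guess: a wrong file name here makes role checks fail later.
    [ "$count" -eq 1 ] || {
        echo "expected exactly one CA cert in $cadir, found $count" >&2
        return 1
    }

    {
        echo "NodeOUs:"
        echo "  Enable: true"
        for role in Client Peer Admin Orderer; do
            ou=$(echo "$role" | tr 'A-Z' 'a-z')
            echo "  ${role}OUIdentifier:"
            echo "    Certificate: cacerts/$cafile"
            echo "    OrganizationalUnitIdentifier: $ou"
        done
    } > "$mspdir/config.yaml"
}

# Apply to every directory named "msp" below a root such as /tmp/hyperledger.
# tls-msp directories are skipped because they are not named "msp".
# Assumes paths without whitespace, as the article recommends.
write_all_nodeou_configs() {
    root="$1"
    failed=0
    for msp in $(find "$root" -type d -name msp | sort); do
        write_nodeou_config "$msp" || failed=$((failed + 1))
    done
    [ "$failed" -eq 0 ]
}

# Usage with the article's layout:
#   write_all_nodeou_configs /tmp/hyperledger
```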

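7. The Fabric Network

The certificates have all been generated and the network is almost ready to start. Before starting it, though, there is still quite a bit of preparation to do.

7.1 Organizing the MSPDir Files

# --------------- org0 ---------------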
mkdir -p /tmp/hyperledger/configtx && cd /tmp/hyperledger/configtx

mkdir org0

cp -r ../org0/admin/msp org0/

cd  org0/msp

mkdir tlscacerts && cd tlscacerts

cp  /tmp/hyperledger/org0/orderer/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem ./

# ------------------------------------
# --------------- org1 ---------------
cd /tmp/hyperledger/configtx
mkdir org1 

cp -r ../org1/admin/msp org1/

cd org1/msp
mkdir tlscacerts && cd tlscacerts

cp /tmp/hyperledger/org1/admin/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem ./

# ------------------------------------
# --------------- org2 ---------------
cd /tmp/hyperledger/configtx
mkdir org2 

cp -r ../org2/admin/msp org2/

cd org2/msp
mkdir tlscacerts && cd tlscacerts

cp /tmp/hyperledger/org2/admin/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem ./

# ------------------------------------


7.2 Configuring the configtx.yaml File

Generating the genesis block and the channel configuration in the next step requires one file: configtx.yaml.

cd /tmp/hyperledger/configtx
touch configtx.yaml
           

File contents

# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#

---
################################################################################
#
#   Section: Organizations
#
#   - This section defines the different organizational identities which will
#   be referenced later in the configuration.
#
################################################################################
Organizations:

    # SampleOrg defines an MSP using the sampleconfig.  It should never be used
    # in production but may be used as a template for other definitions
    - &org0
        # DefaultOrg defines the organization which is used in the sampleconfig
        # of the fabric.git development environment
        Name: org0MSP

        # ID to load the MSP definition as
        ID: org0MSP

        # MSPDir is the filesystem path which contains the MSP configuration
        MSPDir: ../configtx/org0/msp

        # Policies defines the set of policies at this level of the config tree
        # For organization policies, their canonical path is usually
        #   /Channel/<Application|Orderer>/<OrgName>/<PolicyName>
        Policies:
            Readers:
                Type: Signature
                Rule: "OR('org0MSP.member')"
            Writers:
                Type: Signature
                Rule: "OR('org0MSP.member')"
            Admins:
                Type: Signature
                Rule: "OR('org0MSP.admin')"

        OrdererEndpoints:
            - orderer1-org0:7050

    - &org1
        # DefaultOrg defines the organization which is used in the sampleconfig
        # of the fabric.git development environment
        Name: org1MSP

        # ID to load the MSP definition as
        ID: org1MSP

        MSPDir: ../configtx/org1/msp

        # Policies defines the set of policies at this level of the config tree
        # For organization policies, their canonical path is usually
        #   /Channel/<Application|Orderer>/<OrgName>/<PolicyName>
        Policies:
            Readers:
                Type: Signature
                Rule: "OR('org1MSP.admin', 'org1MSP.peer', 'org1MSP.client')"
            Writers:
                Type: Signature
                Rule: "OR('org1MSP.admin', 'org1MSP.client')"
            Admins:
                Type: Signature
                Rule: "OR('org1MSP.admin')"
            Endorsement:
                Type: Signature
                Rule: "OR('org1MSP.peer')"

        # leave this flag set to true.
        AnchorPeers:
            # AnchorPeers defines the location of peers which can be used
            # for cross org gossip communication.  Note, this value is only
            # encoded in the genesis block in the Application section context
            - Host: peer1-org1
              Port: 7051

    - &org2
        # DefaultOrg defines the organization which is used in the sampleconfig
        # of the fabric.git development environment
        Name: org2MSP

        # ID to load the MSP definition as
        ID: org2MSP

        MSPDir: ../configtx/org2/msp

        # Policies defines the set of policies at this level of the config tree
        # For organization policies, their canonical path is usually
        #   /Channel/<Application|Orderer>/<OrgName>/<PolicyName>
        Policies:
            Readers:
                Type: Signature
                Rule: "OR('org2MSP.admin', 'org2MSP.peer', 'org2MSP.client')"
            Writers:
                Type: Signature
                Rule: "OR('org2MSP.admin', 'org2MSP.client')"
            Admins:
                Type: Signature
                Rule: "OR('org2MSP.admin')"
            Endorsement:
                Type: Signature
                Rule: "OR('org2MSP.peer')"

        AnchorPeers:
            # AnchorPeers defines the location of peers which can be used
            # for cross org gossip communication.  Note, this value is only
            # encoded in the genesis block in the Application section context
            - Host: peer1-org2
              Port: 7051

################################################################################
#
#   SECTION: Capabilities
#
#   - This section defines the capabilities of fabric network. This is a new
#   concept as of v1.1.0 and should not be utilized in mixed networks with
#   v1.0.x peers and orderers.  Capabilities define features which must be
#   present in a fabric binary for that binary to safely participate in the
#   fabric network.  For instance, if a new MSP type is added, newer binaries
#   might recognize and validate the signatures from this type, while older
#   binaries without this support would be unable to validate those
#   transactions.  This could lead to different versions of the fabric binaries
#   having different world states.  Instead, defining a capability for a channel
#   informs those binaries without this capability that they must cease
#   processing transactions until they have been upgraded.  For v1.0.x if any
#   capabilities are defined (including a map with all capabilities turned off)
#   then the v1.0.x peer will deliberately crash.
#
################################################################################
Capabilities:
    # Channel capabilities apply to both the orderers and the peers and must be
    # supported by both.
    # Set the value of the capability to true to require it.
    Channel: &ChannelCapabilities
        # V2_0 capability ensures that orderers and peers behave according
        # to v2.0 channel capabilities. Orderers and peers from
        # prior releases would behave in an incompatible way, and are therefore
        # not able to participate in channels at v2.0 capability.
        # Prior to enabling V2.0 channel capabilities, ensure that all
        # orderers and peers on a channel are at v2.0.0 or later.
        V2_0: true

    # Orderer capabilities apply only to the orderers, and may be safely
    # used with prior release peers.
    # Set the value of the capability to true to require it.
    Orderer: &OrdererCapabilities
        # V2_0 orderer capability ensures that orderers behave according
        # to v2.0 orderer capabilities. Orderers from
        # prior releases would behave in an incompatible way, and are therefore
        # not able to participate in channels at v2.0 orderer capability.
        # Prior to enabling V2.0 orderer capabilities, ensure that all
        # orderers on channel are at v2.0.0 or later.
        V2_0: true

    # Application capabilities apply only to the peer network, and may be safely
    # used with prior release orderers.
    # Set the value of the capability to true to require it.
    Application: &ApplicationCapabilities
        # V2_0 application capability ensures that peers behave according
        # to v2.0 application capabilities. Peers from
        # prior releases would behave in an incompatible way, and are therefore
        # not able to participate in channels at v2.0 application capability.
        # Prior to enabling V2.0 application capabilities, ensure that all
        # peers on channel are at v2.0.0 or later.
        V2_0: true

################################################################################
#
#   SECTION: Application
#
#   - This section defines the values to encode into a config transaction or
#   genesis block for application related parameters
#
################################################################################
Application: &ApplicationDefaults

    # Organizations is the list of orgs which are defined as participants on
    # the application side of the network
    Organizations:

    # Policies defines the set of policies at this level of the config tree
    # For Application policies, their canonical path is
    #   /Channel/Application/<PolicyName>
    Policies:
        Readers:
            Type: ImplicitMeta
            Rule: "ANY Readers"
        Writers:
            Type: ImplicitMeta
            Rule: "ANY Writers"
        Admins:
            Type: ImplicitMeta
            Rule: "MAJORITY Admins"
        LifecycleEndorsement:
            Type: ImplicitMeta
            Rule: "MAJORITY Endorsement"
        Endorsement:
            Type: ImplicitMeta
            Rule: "MAJORITY Endorsement"

    Capabilities:
        <<: *ApplicationCapabilities
################################################################################
#
#   SECTION: Orderer
#
#   - This section defines the values to encode into a config transaction or
#   genesis block for orderer related parameters
#
################################################################################
Orderer: &OrdererDefaults

    # Orderer Type: The orderer implementation to start
    OrdererType: etcdraft

    EtcdRaft:
        Consenters:
        - Host: orderer1-org0
          Port: 7050
          ClientTLSCert: /tmp/hyperledger/org0/orderer/tls-msp/signcerts/cert.pem
          ServerTLSCert: /tmp/hyperledger/org0/orderer/tls-msp/signcerts/cert.pem

    # Batch Timeout: The amount of time to wait before creating a batch
    BatchTimeout: 2s

    # Batch Size: Controls the number of messages batched into a block
    BatchSize:

        # Max Message Count: The maximum number of messages to permit in a batch
        MaxMessageCount: 10

        # Absolute Max Bytes: The absolute maximum number of bytes allowed for
        # the serialized messages in a batch.
        AbsoluteMaxBytes: 99 MB

        # Preferred Max Bytes: The preferred maximum number of bytes allowed for
        # the serialized messages in a batch. A message larger than the preferred
        # max bytes will result in a batch larger than preferred max bytes.
        PreferredMaxBytes: 512 KB

    # Organizations is the list of orgs which are defined as participants on
    # the orderer side of the network
    Organizations:

    # Policies defines the set of policies at this level of the config tree
    # For Orderer policies, their canonical path is
    #   /Channel/Orderer/<PolicyName>
    Policies:
        Readers:
            Type: ImplicitMeta
            Rule: "ANY Readers"
        Writers:
            Type: ImplicitMeta
            Rule: "ANY Writers"
        Admins:
            Type: ImplicitMeta
            Rule: "MAJORITY Admins"
        # BlockValidation specifies what signatures must be included in the block
        # from the orderer for the peer to validate it.
        BlockValidation:
            Type: ImplicitMeta
            Rule: "ANY Writers"

################################################################################
#
#   CHANNEL
#
#   This section defines the values to encode into a config transaction or
#   genesis block for channel related parameters.
#
################################################################################
Channel: &ChannelDefaults
    # Policies defines the set of policies at this level of the config tree
    # For Channel policies, their canonical path is
    #   /Channel/<PolicyName>
    Policies:
        # Who may invoke the 'Deliver' API
        Readers:
            Type: ImplicitMeta
            Rule: "ANY Readers"
        # Who may invoke the 'Broadcast' API
        Writers:
            Type: ImplicitMeta
            Rule: "ANY Writers"
        # By default, who may modify elements at this config level
        Admins:
            Type: ImplicitMeta
            Rule: "MAJORITY Admins"

    # Capabilities describes the channel level capabilities, see the
    # dedicated Capabilities section elsewhere in this file for a full
    # description
    Capabilities:
        <<: *ChannelCapabilities

################################################################################
#
#   Profile
#
#   - Different configuration profiles may be encoded here to be specified
#   as parameters to the configtxgen tool
#
################################################################################
Profiles:

    TwoOrgsOrdererGenesis:
        <<: *ChannelDefaults
        Orderer:
            <<: *OrdererDefaults
            Organizations:
                - *org0
            Capabilities:
                <<: *OrdererCapabilities
        Consortiums:
            SampleConsortium:
                Organizations:
                    - *org1
                    - *org2
    TwoOrgsChannel:
        Consortium: SampleConsortium
        <<: *ChannelDefaults
        Application:
            <<: *ApplicationDefaults
            Organizations:
                - *org1
                - *org2
            Capabilities:
                <<: *ApplicationCapabilities
           

7.3 Generate the genesis block and channel artifacts

cd /tmp/hyperledger/configtx
mkdir system-genesis-block 
mkdir channel-artifacts
           

Generate the genesis block file

configtxgen -profile TwoOrgsOrdererGenesis -channelID system-channel -outputBlock ./system-genesis-block/genesis.block
           

Generate the channel creation transaction

export CHANNEL_NAME=mychannel
configtxgen -profile TwoOrgsChannel -outputCreateChannelTx ./channel-artifacts/${CHANNEL_NAME}.tx -channelID ${CHANNEL_NAME}
           

Anchor peer update configuration for org1MSP

export orgmsp=org1MSP
configtxgen -profile TwoOrgsChannel -outputAnchorPeersUpdate ./channel-artifacts/${orgmsp}anchors.tx -channelID ${CHANNEL_NAME} -asOrg ${orgmsp}
           

Anchor peer update configuration for org2MSP

export orgmsp=org2MSP
configtxgen -profile TwoOrgsChannel -outputAnchorPeersUpdate ./channel-artifacts/${orgmsp}anchors.tx -channelID ${CHANNEL_NAME} -asOrg ${orgmsp}
           

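Once the genesis block file and the channel artifacts have been generated, start the orderer node.

The configuration for the orderer1-org0 node is shown below; as before, add it to the existing docker-compose.yaml file: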

orderer1-org0:
    container_name: orderer1-org0
    image: hyperledger/fabric-orderer
    environment:
      - ORDERER_HOME=/tmp/hyperledger/orderer
      - ORDERER_HOST=orderer1-org0
      - ORDERER_GENERAL_LISTENADDRESS=0.0.0.0
      - ORDERER_GENERAL_LISTENPORT=7050
      - ORDERER_GENERAL_GENESISMETHOD=file
      - ORDERER_GENERAL_GENESISFILE=/tmp/hyperledger/orderer/orderer.genesis.block
      - ORDERER_GENERAL_LOCALMSPID=org0MSP
      - ORDERER_GENERAL_LOCALMSPDIR=/tmp/hyperledger/org0/orderer/msp
      - ORDERER_GENERAL_TLS_ENABLED=true

      - ORDERER_GENERAL_TLS_PRIVATEKEY=/tmp/hyperledger/org0/orderer/tls-msp/keystore/key.pem
      - ORDERER_GENERAL_TLS_CERTIFICATE=/tmp/hyperledger/org0/orderer/tls-msp/signcerts/cert.pem
      - ORDERER_GENERAL_TLS_ROOTCAS=[/tmp/hyperledger/org0/orderer/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem]

      - ORDERER_KAFKA_TOPIC_REPLICATIONFACTOR=1
      - ORDERER_KAFKA_VERBOSE=true
      - ORDERER_GENERAL_CLUSTER_CLIENTCERTIFICATE=/tmp/hyperledger/org0/orderer/tls-msp/signcerts/cert.pem
      - ORDERER_GENERAL_CLUSTER_CLIENTPRIVATEKEY=/tmp/hyperledger/org0/orderer/tls-msp/keystore/key.pem
      - ORDERER_GENERAL_CLUSTER_ROOTCAS=[/tmp/hyperledger/org0/orderer/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem]

      - ORDERER_GENERAL_LOGLEVEL=debug
      - ORDERER_DEBUG_BROADCASTTRACEDIR=data/logs
    volumes:
      - /tmp/hyperledger/org0/orderer:/tmp/hyperledger/org0/orderer/
      - /tmp/hyperledger/configtx/system-genesis-block/genesis.block:/tmp/hyperledger/orderer/orderer.genesis.block

    networks:
      - fabric-ca
           

Start the container

docker-compose -f docker-compose.yaml up orderer1-org0
           

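Start the CLI for organization 1

This is the CLI container; we need it to interact with chaincode on behalf of organization 1.

The configuration for the cli-org1 node is shown below; as before, add it to the existing docker-compose.yaml file: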

cli-org1:
      container_name: cli-org1
      image: hyperledger/fabric-tools
      tty: true
      stdin_open: true
      environment:
        - SYS_CHANNEL=testchainid
        - GOPATH=/opt/gopath
        - CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
        - FABRIC_LOGGING_SPEC=DEBUG
        - CORE_PEER_ID=cli-org1
        - CORE_PEER_ADDRESS=peer1-org1:7051
        - CORE_PEER_LOCALMSPID=org1MSP
        - CORE_PEER_TLS_ENABLED=true
        - CORE_PEER_TLS_ROOTCERT_FILE=/tmp/hyperledger/org1/peer1/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem
        - CORE_PEER_TLS_CERT_FILE=/tmp/hyperledger/org1/peer1/tls-msp/signcerts/cert.pem
        - CORE_PEER_TLS_KEY_FILE=/tmp/hyperledger/org1/peer1/tls-msp/keystore/key.pem
        - CORE_PEER_MSPCONFIGPATH=/tmp/hyperledger/org1/peer1/msp
      working_dir: /opt/gopath/src/github.com/hyperledger/fabric/org1
      command: /bin/bash
      volumes:
        - /tmp/hyperledger/org1:/tmp/hyperledger/org1/
        - /tmp/hyperledger/org2:/tmp/hyperledger/org2/
        - /tmp/hyperledger/org1/peer1/assets/chaincode:/opt/gopath/src/github.com/hyperledger/fabric-samples/chaincode
        - /tmp/hyperledger/org1/admin:/tmp/hyperledger/org1/admin
        - /tmp/hyperledger/org0/orderer/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem:/tmp/hyperledger/org0/orderer/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem
        - /tmp/hyperledger/org1/peer1/tls-msp/tlscacerts:/tmp/hyperledger/org1/admin/msp/tlscacerts
        - /tmp/hyperledger/configtx/channel-artifacts:/tmp/hyperledger/configtx/channel-artifacts
      networks:
        - fabric-ca
           

Start the container

docker-compose -f docker-compose.yaml up cli-org1
           

The configuration for the cli-org2 node is shown below; as before, add it to the existing docker-compose.yaml file:

cli-org2:
      container_name: cli-org2
      image: hyperledger/fabric-tools
      tty: true
      stdin_open: true
      environment:
        - SYS_CHANNEL=testchainid
        - GOPATH=/opt/gopath
        - CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
        - FABRIC_LOGGING_SPEC=DEBUG
        - CORE_PEER_ID=cli-org2
        - CORE_PEER_ADDRESS=peer1-org2:7051
        - CORE_PEER_LOCALMSPID=org2MSP
        - CORE_PEER_TLS_ENABLED=true
        - CORE_PEER_TLS_ROOTCERT_FILE=/tmp/hyperledger/org2/peer1/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem
        - CORE_PEER_TLS_CERT_FILE=/tmp/hyperledger/org2/peer1/tls-msp/signcerts/cert.pem
        - CORE_PEER_TLS_KEY_FILE=/tmp/hyperledger/org2/peer1/tls-msp/keystore/key.pem
        - CORE_PEER_MSPCONFIGPATH=/tmp/hyperledger/org2/peer1/msp
      working_dir: /opt/gopath/src/github.com/hyperledger/fabric/org2
      command: /bin/bash
      volumes:
        - /tmp/hyperledger/org1:/tmp/hyperledger/org1/
        - /tmp/hyperledger/org2:/tmp/hyperledger/org2/
        - /tmp/hyperledger/org2/peer1:/tmp/hyperledger/org2/peer1
        - /tmp/hyperledger/org2/peer1/assets/chaincode:/opt/gopath/src/github.com/hyperledger/fabric-samples/chaincode
        - /tmp/hyperledger/org2/admin:/tmp/hyperledger/org2/admin
        - /tmp/hyperledger/org0/orderer/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem:/tmp/hyperledger/org0/orderer/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem
        - /tmp/hyperledger/org2/peer1/tls-msp/tlscacerts:/tmp/hyperledger/org2/peer1/msp/tlscacerts
        - /tmp/hyperledger/configtx/channel-artifacts:/tmp/hyperledger/configtx/channel-artifacts
      networks:
        - fabric-ca
           

Start the container

docker-compose -f docker-compose.yaml up cli-org2
           

At this point the docker-compose.yaml file is complete. To start and stop the network from now on, use the following commands:

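# Start all containers
docker-compose up -d

# Stop all containers
docker-compose down

# Stop all containers and remove the containers and locally mounted data; this command is recommended
docker-compose down -v

# Show the disk space used by Docker
docker system df

# Remove all unused volumes
docker volume rm $(docker volume ls -qf dangling=true)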
           

8. Create and join the channel

-----------------------------cli-org1-------------------------------

docker exec -it cli-org1 bash

export CHANNEL_NAME=mychannel
export ORDERER_CA=/tmp/hyperledger/org0/orderer/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem
export CORE_PEER_MSPCONFIGPATH=/tmp/hyperledger/org1/admin/msp

cd /tmp/hyperledger/configtx

peer channel create -o orderer1-org0:7050 -c ${CHANNEL_NAME} --ordererTLSHostnameOverride orderer1-org0 -f ./channel-artifacts/${CHANNEL_NAME}.tx --outputBlock ./channel-artifacts/${CHANNEL_NAME}.block --tls --cafile ${ORDERER_CA}


export CORE_PEER_ADDRESS=peer1-org1:7051
peer channel join -b ./channel-artifacts/mychannel.block

export CORE_PEER_ADDRESS=peer2-org1:7051
peer channel join -b ./channel-artifacts/mychannel.block


export CORE_PEER_LOCALMSPID=org1MSP
peer channel update -o orderer1-org0:7050 --ordererTLSHostnameOverride orderer1-org0 -c $CHANNEL_NAME -f ./channel-artifacts/${CORE_PEER_LOCALMSPID}anchors.tx --tls --cafile $ORDERER_CA

-----------------------------cli-org1-end-------------------------------

-----------------------------cli-org2------------------------------------
docker exec -it cli-org2 bash

export CHANNEL_NAME=mychannel
export ORDERER_CA=/tmp/hyperledger/org0/orderer/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem
export CORE_PEER_MSPCONFIGPATH=/tmp/hyperledger/org2/admin/msp

cd /tmp/hyperledger/configtx

export CORE_PEER_ADDRESS=peer1-org2:7051
peer channel join -b ./channel-artifacts/mychannel.block

export CORE_PEER_ADDRESS=peer2-org2:7051
peer channel join -b ./channel-artifacts/mychannel.block



export CORE_PEER_LOCALMSPID=org2MSP
peer channel update -o orderer1-org0:7050 --ordererTLSHostnameOverride orderer1-org0 -c $CHANNEL_NAME -f ./channel-artifacts/${CORE_PEER_LOCALMSPID}anchors.tx --tls --cafile $ORDERER_CA

-----------------------------cli-org2-end-------------------------------
           

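9 Chaincode installation and testing

Before installing the chaincode, first place the packaged chaincode archive in the /tmp/hyperledger/org1/peer1/assets/chaincode and /tmp/hyperledger/org2/peer1/assets/chaincode directories.

Install the chaincode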

-----------------------------cli-org1-------------------------------

docker exec -it cli-org1 bash

cd /tmp/hyperledger/org1/peer1/assets/chaincode
export CORE_PEER_ADDRESS=peer1-org1:7051
export CORE_PEER_MSPCONFIGPATH=/tmp/hyperledger/org1/admin/msp

peer lifecycle chaincode install fabcar.tar.gz

-----------------------------cli-org1-end-------------------------------


-----------------------------cli-org2-------------------------------

docker exec -it cli-org2 bash

cd /tmp/hyperledger/org2/peer1/assets/chaincode
export CORE_PEER_ADDRESS=peer1-org2:7051
export CORE_PEER_MSPCONFIGPATH=/tmp/hyperledger/org2/admin/msp

peer lifecycle chaincode install fabcar.tar.gz

-----------------------------cli-org2-end-------------------------------

           

Query the installed chaincode

peer lifecycle chaincode queryinstalled

packageid: fabcar_1:469a86090d7e3b537d6495abaae326fc5909d45692e4b19d43348a76e5fe4eb0

# Note: record your own chaincode package ID; it is used later
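The package ID printed by queryinstalled is the chaincode label followed by the SHA-256 of the package file, so it can be recomputed from fabcar.tar.gz and compared before any organization approves it. The following is an added example, not part of the original article; the function names are hypothetical, and the sample package and peer output are constructed.

```shell
#!/usr/bin/env bash
# Added example: recompute a Fabric 2.x chaincode package ID locally and
# compare it with what the peer reports.
# Package ID = "<label>:<hex SHA-256 of the package file bytes>".

# expected_package_id PKG -> prints label:sha256 computed from the archive
expected_package_id() {
    pkg=$1
    [ -f "$pkg" ] || { echo "no such package: $pkg" >&2; return 2; }
    # The label is stored in metadata.json at the top level of the package.
    label=$(tar -xOzf "$pkg" metadata.json 2>/dev/null | tr -d '\n' |
        sed -n 's/.*"label"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
    [ -n "$label" ] || { echo "no label in metadata.json of $pkg" >&2; return 2; }
    hash=$(sha256sum "$pkg" | cut -d' ' -f1)
    printf '%s:%s\n' "$label" "$hash"
}

# package_is_installed PKG QUERYINSTALLED_OUTPUT
# Succeeds only if the peer output contains exactly the locally computed ID.
package_is_installed() {
    want=$(expected_package_id "$1") || return 2
    # Split the output into tokens so the ID is matched as a whole word.
    printf '%s\n' "$2" | tr -d '\r' | tr ', ' '\n\n' | grep -Fxq "$want"
}

# --- demo on a constructed package (stand-in for fabcar.tar.gz) ---
demo_dir=$(mktemp -d)
printf '{"path":"fabcar","type":"golang","label":"fabcar_1"}' > "$demo_dir/metadata.json"
printf 'constructed placeholder for code.tar.gz' > "$demo_dir/code.tar.gz"
tar -czf "$demo_dir/fabcar.tar.gz" -C "$demo_dir" metadata.json code.tar.gz
demo_id=$(expected_package_id "$demo_dir/fabcar.tar.gz")
# Constructed queryinstalled output in the Fabric 2.2 layout.
demo_out="Installed chaincodes on peer:
Package ID: $demo_id, Label: fabcar_1"
if package_is_installed "$demo_dir/fabcar.tar.gz" "$demo_out"; then
    echo "OK: peer reports $demo_id"
else
    echo "MISMATCH: peer does not report the ID of the local package" >&2
fi
rm -rf "$demo_dir"
```

In each CLI container the second argument would be the output of `peer lifecycle chaincode queryinstalled`. Using one PACKAGE_ID for both organizations, as the steps below do, only works when both installed byte-identical archives.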
           

Organization approval and readiness check

-----------------------------cli-org1-------------------------------

docker exec -it cli-org1 bash

export VERSION=1
export PACKAGE_ID=fabcar_1:469a86090d7e3b537d6495abaae326fc5909d45692e4b19d43348a76e5fe4eb0   # replace with your own package ID
export ORDERER_CA=/tmp/hyperledger/org0/orderer/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem
export CHANNEL_NAME=mychannel

peer lifecycle chaincode approveformyorg -o orderer1-org0:7050 --ordererTLSHostnameOverride orderer1-org0 --tls --cafile ${ORDERER_CA} --channelID ${CHANNEL_NAME} --name fabcar --version ${VERSION} --init-required --package-id ${PACKAGE_ID} --sequence ${VERSION}

peer lifecycle chaincode checkcommitreadiness --channelID $CHANNEL_NAME --name fabcar --version ${VERSION} --sequence ${VERSION} --output json --init-required

-----------------------------cli-org1-end-------------------------------


-----------------------------cli-org2-------------------------------

docker exec -it cli-org2 bash

export VERSION=1
export PACKAGE_ID=fabcar_1:469a86090d7e3b537d6495abaae326fc5909d45692e4b19d43348a76e5fe4eb0   # replace with your own package ID
export ORDERER_CA=/tmp/hyperledger/org0/orderer/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem
export CHANNEL_NAME=mychannel

peer lifecycle chaincode approveformyorg -o orderer1-org0:7050 --ordererTLSHostnameOverride orderer1-org0 --tls --cafile ${ORDERER_CA} --channelID ${CHANNEL_NAME} --name fabcar --version ${VERSION} --init-required --package-id ${PACKAGE_ID} --sequence ${VERSION}

peer lifecycle chaincode checkcommitreadiness --channelID $CHANNEL_NAME --name fabcar --version ${VERSION} --sequence ${VERSION} --output json --init-required

-----------------------------cli-org2-end-------------------------------
           

Commit the chaincode definition; it only needs to be committed from organization 1

docker exec -it cli-org1 bash
export CHANNEL_NAME=mychannel
export VERSION=1
export ORDERER_CA=/tmp/hyperledger/org0/orderer/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem
export CORE_PEER_MSPCONFIGPATH=/tmp/hyperledger/org1/admin/msp


peer lifecycle chaincode commit -o orderer1-org0:7050 --ordererTLSHostnameOverride orderer1-org0 --tls --cafile $ORDERER_CA --channelID $CHANNEL_NAME --name fabcar --peerAddresses peer1-org1:7051 --tlsRootCertFiles /tmp/hyperledger/org1/peer1/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem  --peerAddresses peer1-org2:7051 --tlsRootCertFiles /tmp/hyperledger/org2/peer1/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem --version ${VERSION} --sequence ${VERSION} --init-required
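With the `MAJORITY Endorsement` rule set for LifecycleEndorsement in the configtx.yaml above, the commit is accepted only when more than half of the organizations have approved, which for two organizations means both. The following added example (not from the original article) gates the commit on the `checkcommitreadiness --output json` result; the function names are hypothetical and the JSON sample is constructed.

```shell
#!/usr/bin/env bash
# Added example: decide from `checkcommitreadiness --output json` whether a
# commit can satisfy an ImplicitMeta "MAJORITY Endorsement" lifecycle policy.

# count_orgs JSON VALUE -> number of "<org>": VALUE entries (VALUE = true|false)
count_orgs() {
    printf '%s\n' "$1" |
        grep -oE "\"[A-Za-z0-9_.-]+\"[[:space:]]*:[[:space:]]*$2" | wc -l | tr -d ' '
}

# pending_orgs JSON -> MSP IDs that have not approved yet, one per line
pending_orgs() {
    printf '%s\n' "$1" |
        grep -oE '"[A-Za-z0-9_.-]+"[[:space:]]*:[[:space:]]*false' | cut -d'"' -f2
}

# ready_to_commit JSON -> exit 0 when strictly more than half have approved
ready_to_commit() {
    yes_n=$(count_orgs "$1" true)
    no_n=$(count_orgs "$1" false)
    total=$((yes_n + no_n))
    [ "$total" -gt 0 ] || { echo "no approvals found in input" >&2; return 2; }
    [ $((yes_n * 2)) -gt "$total" ]
}

# Constructed sample in the layout printed by `--output json`:
# org1MSP has approved, org2MSP has not.
sample='{
	"approvals": {
		"org1MSP": true,
		"org2MSP": false
	}
}'
if ready_to_commit "$sample"; then
    echo "ready: run peer lifecycle chaincode commit"
else
    echo "not ready, still waiting for: $(pending_orgs "$sample" | tr '\n' ' ')"
fi
```

On the network the argument would be the output of the `checkcommitreadiness` command from the previous step, run with the same `--version`, `--sequence` and `--init-required` values that will be passed to the commit.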
           

Query the committed definition

export CHANNEL_NAME=mychannel
peer lifecycle chaincode querycommitted --channelID $CHANNEL_NAME --name fabcar
           

Initialize the chaincode

export CHANNEL_NAME=mychannel
export VERSION=1
export ORDERER_CA=/tmp/hyperledger/org0/orderer/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem
export CORE_PEER_MSPCONFIGPATH=/tmp/hyperledger/org1/admin/msp

peer chaincode invoke -o orderer1-org0:7050 --ordererTLSHostnameOverride orderer1-org0 --tls --cafile $ORDERER_CA -C $CHANNEL_NAME -n fabcar --peerAddresses peer1-org1:7051 --tlsRootCertFiles /tmp/hyperledger/org1/peer1/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem  --peerAddresses peer1-org2:7051 --tlsRootCertFiles /tmp/hyperledger/org2/peer1/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem --isInit -c '{"function":"initLedger","Args":[]}'
           

Query

peer chaincode query -C $CHANNEL_NAME -n fabcar -c '{"Args":["queryAllCars"]}'
           

If the details of all cars are printed, the production network has been set up successfully.
