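Fabric CA Study Notes
What is Fabric CA
Hyperledger Fabric CA is the certificate authority (CA) for Hyperledger Fabric.
It provides the following features:
- Registration of identities, or connection to LDAP as the user registry
- Issuance of enrollment certificates (ECerts)
- Certificate renewal and revocation
Fabric CA consists of a server component and a client component.
TLS-CA: the CA that issues TLS server certificates to the network components (orderer and peers) across the whole network. These certificates are used only for TLS communication and are not related to identities in the Fabric network. They ensure the integrity of the network links between components. With standard TLS, a client can be sure that the server it connects to really is the intended server and not another party impersonating the destination. When mutual TLS is enabled, in addition to the standard client->server guarantee of standard TLS, the server can also verify that the client is authorized to establish the TLS connection.
RCA-ORG x (x = 0, 1, 2): the root CA for the identities in each organization. On the one hand, it issues the certificates that components and users need. On the other hand, it represents the organization (as an MSP) when the Fabric network is formed. Certificates from this CA are used to transact on the Fabric network. Clients use their signer certificates to sign the proposals sent to peers and the transactions sent to orderers; peers use their signer certificates to sign proposal responses (creating endorsements); and orderers use their signer certificates to sign blocks, which are propagated back to peers and clients. When you see a reference to a "certificate" that is not explicitly marked as TLS, it is usually a signer certificate.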
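Production recommendations
It is recommended to deploy two CAs for each organization: an organization CA and a TLS CA.
- TLS CA: secures communication between the nodes in the organization and issues the TLS certificates for all nodes
- Organization CA: issues the organization and node identities
Ordering service nodes should not belong to the same organization as the peers, so separate organizations need to be created for the peers and for the ordering service nodes.
The CA services should be deployed in this order:
1) TLS CA
2) Organization CA
Unless stated otherwise, all commands in this article are run on the host machine.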
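Overall architecture
The official guide uses a multi-machine deployment. To keep things simple, everything here runs on a single machine.
The overall architecture used in this article is as follows.
Three organizations
Org0 -> organization 0
Org1 -> organization 1
Org2 -> organization 2
Members of each organization
Org0: one orderer node and one Org0 admin
Org1: two peer nodes, one Org1 admin and one Org1 user
Org2: two peer nodes, one Org2 admin and one Org2 user
Four CA servers
TLS server: issues TLS certificates to every node in the network, used to encrypt communication
Org1 CA server: issues certificates to all users in organization 1
Org2 CA server: issues certificates to all users in organization 2
Org0 CA server: issues certificates to all users in organization 0
All four CA servers are root CAs. They are independent of one another and have no relationship, which means a certificate issued by one CA server cannot be used with any of the others.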
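The separation between the TLS CA and an organization CA, and the server check that TLS performs, can be reproduced with Go's standard library. This is an added example, not code from the original article or from Fabric: the two roots are generated in memory, and the type and function names (entity, newRootCA, issue, trusts) are hypothetical; only the names tls-ca, rca-org1 and peer1-org1 come from this guide.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// entity is a certificate with its private key, held in memory (constructed for this example).
type entity struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// sign creates a certificate from tmpl, signed by parent (self-signed when parent is nil).
func sign(tmpl *x509.Certificate, parent *entity) (*entity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl.NotBefore = time.Now().Add(-time.Minute)
	tmpl.NotAfter = time.Now().Add(24 * time.Hour)
	issuerCert, issuerKey := tmpl, key
	if parent != nil {
		issuerCert, issuerKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuerCert, &key.PublicKey, issuerKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &entity{cert: cert, key: key}, nil
}

// newRootCA creates an independent self-signed root, like each of the four CAs above.
func newRootCA(cn string) (*entity, error) {
	return sign(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil)
}

// issue signs a leaf certificate. hosts become DNS SANs, which is what
// --csr.hosts asks for on a TLS enrollment.
func (ca *entity) issue(cn string, hosts ...string) (*entity, error) {
	return sign(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: cn},
		KeyUsage:     x509.KeyUsageDigitalSignature,
		DNSNames:     hosts,
	}, ca)
}

// must panics on error so the demo below stays short.
func must(e *entity, err error) *entity {
	if err != nil {
		panic(err)
	}
	return e
}

// trusts reports whether leaf chains to root. A non-empty host must also match a SAN.
func trusts(root, leaf *entity, host string) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root.cert)
	_, err := leaf.cert.Verify(x509.VerifyOptions{
		Roots:     pool,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err == nil
}

func main() {
	tlsCA := must(newRootCA("tls-ca"))
	orgCA := must(newRootCA("rca-org1"))
	tlsCert := must(tlsCA.issue("peer1-org1", "peer1-org1")) // TLS enrollment with a host SAN
	idCert := must(orgCA.issue("peer1-org1"))                // identity (signer) enrollment

	fmt.Println("TLS cert vs TLS CA, host peer1-org1:", trusts(tlsCA, tlsCert, "peer1-org1"))
	fmt.Println("TLS cert vs org1 CA (other root):   ", trusts(orgCA, tlsCert, "peer1-org1"))
	fmt.Println("TLS cert vs TLS CA, host peer2-org1:", trusts(tlsCA, tlsCert, "peer2-org1"))
	fmt.Println("signer cert vs org1 CA:             ", trusts(orgCA, idCert, ""))
	fmt.Println("signer cert vs TLS CA (other root): ", trusts(tlsCA, idCert, ""))
}
```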
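Overall workflow
1. Start the four CAs; each CA runs as a Fabric-CA-Server in a container.
2. Use Fabric-CA-Client on the host to interact with these CAs. For each CA, enroll a registrar and register the entities of all organizations.
3. For each organization, use Fabric-CA-Client to enroll the entities registered in step 2. We now have all the crypto material we need.
4. Place the generated crypto material in the appropriate directories, which are mapped into the components (orderer and peers) defined in the docker-compose file.
5. Prepare the MSP directory for each organization; it is needed when the Fabric network is created.
6. Bring up five containers (one orderer, four peers) and two CLI containers.
7. Create the channel and join the peers to it.
8. Deploy the chaincode and observe it.
I. Installation
1. Prerequisites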
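### Dependencies and Go environment (libtool-ltdl-devel is the yum name of the libltdl development package)
yum install libtool libtool-ltdl-devel go docker
### Also required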
docker-compose
II. Configure the TLS CA server
The TLS CA issues TLS certificates. These certificates are needed to secure communication between the various processes.
1. Start the TLS CA container
  ca-tls:
    container_name: ca-tls
    image: hyperledger/fabric-ca:1.4.9
    command: sh -c 'fabric-ca-server start -d -b tls-ca-admin:tls-ca-adminpw --port 7052'
    environment:
      - FABRIC_CA_SERVER_HOME=/tmp/hyperledger/fabric-ca/crypto
      - FABRIC_CA_SERVER_TLS_ENABLED=true
      - FABRIC_CA_SERVER_CSR_CN=tls-ca
      - FABRIC_CA_SERVER_CSR_HOSTS=0.0.0.0
      - FABRIC_CA_SERVER_DEBUG=true
    volumes:
      - /tmp/hyperledger/tls-ca:/tmp/hyperledger/fabric-ca
    networks:
      - fabric-ca
    ports:
      - 7052:7052
docker-compose up -d ca-tls
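1.2 Directory structure
[root@10 hyperledger]# tree
crypto
├── ca-cert.pem    #### signing certificate of the TLS CA
├── fabric-ca-server-config.yaml
├── fabric-ca-server.db    ### database file
├── IssuerPublicKey
├── IssuerRevocationPublicKey
├── msp    ### the component that defines the rules governing valid identities for this organization; holds the certificate files used for signing and the private key files used for encryption
│   ├── cacerts    ## certificates of the CA server
│   ├── keystore    #### private keys of the node or account
│   │   ├── 5d3c6784f5d5d0df8f368e6cda6c483f5ebe8b7189fa8817c3543b487b654bdf_sk
│   │   ├── IssuerRevocationPrivateKey
│   │   └── IssuerSecretKey
│   ├── signcerts    ## X.509 certificate file of the node or account. It can be thought of as the account's ID; copying it into the admincerts directory of a peer or org makes it an administrator account
│   └── user
└── tls-cert.pem    ### TLS certificate of the TLS CA server
The ca-cert.pem file is located under /tmp/hyperledger/tls-ca/crypto/. It is the signing root certificate of the TLS CA server; it is used to verify the CA's TLS certificate, and a client must also hold it before certificates can be issued to it.
In a multi-machine environment it has to be copied to every machine on which a registered peer runs.
2. Register identities with the TLS CA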
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/tls-ca/crypto/tls-cert.pem
export FABRIC_CA_CLIENT_HOME=/tmp/hyperledger/tls-ca/admin
#### Enroll the admin
fabric-ca-client enroll -d -u https://tls-ca-admin:tls-ca-adminpw@0.0.0.0:7052
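### Register the node identities; when a node enrolls, its certificate is downloaded to that node
### Register the identities with the TLS CA server; only registered identities can obtain a TLS certificate.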
fabric-ca-client register -d --id.name peer1-org1 --id.secret peer1PW --id.type peer -u https://0.0.0.0:7052
fabric-ca-client register -d --id.name peer2-org1 --id.secret peer2PW --id.type peer -u https://0.0.0.0:7052
fabric-ca-client register -d --id.name peer1-org2 --id.secret peer1PW --id.type peer -u https://0.0.0.0:7052
fabric-ca-client register -d --id.name peer2-org2 --id.secret peer2PW --id.type peer -u https://0.0.0.0:7052
fabric-ca-client register -d --id.name orderer1-org0 --id.secret ordererPW --id.type orderer -u https://0.0.0.0:7052
#### List the registered entities
[root@10 tls-ca]# fabric-ca-client identity list
Name: tls-ca-admin, Type: client, Affiliation: , Max Enrollments: -1, Attributes: [{Name:hf.GenCRL Value:1 ECert:false} {Name:hf.Registrar.Attributes Value:* ECert:false} {Name:hf.AffiliationMgr Value:1 ECert:false} {Name:hf.Registrar.Roles Value:* ECert:false} {Name:hf.Registrar.DelegateRoles Value:* ECert:false} {Name:hf.Revoker Value:1 ECert:false} {Name:hf.IntermediateCA Value:1 ECert:false}]
Name: peer1-org1, Type: peer, Affiliation: , Max Enrollments: -1, Attributes: [{Name:hf.EnrollmentID Value:peer1-org1 ECert:true} {Name:hf.Type Value:peer ECert:true} {Name:hf.Affiliation Value: ECert:true}]
Name: peer2-org1, Type: peer, Affiliation: , Max Enrollments: -1, Attributes: [{Name:hf.EnrollmentID Value:peer2-org1 ECert:true} {Name:hf.Type Value:peer ECert:true} {Name:hf.Affiliation Value: ECert:true}]
Name: peer1-org2, Type: peer, Affiliation: , Max Enrollments: -1, Attributes: [{Name:hf.EnrollmentID Value:peer1-org2 ECert:true} {Name:hf.Type Value:peer ECert:true} {Name:hf.Affiliation Value: ECert:true}]
Name: peer2-org2, Type: peer, Affiliation: , Max Enrollments: -1, Attributes: [{Name:hf.EnrollmentID Value:peer2-org2 ECert:true} {Name:hf.Type Value:peer ECert:true} {Name:hf.Affiliation Value: ECert:true}]
Name: orderer1-org0, Type: orderer, Affiliation: , Max Enrollments: -1, Attributes: [{Name:hf.EnrollmentID Value:orderer1-org0 ECert:true} {Name:hf.Type Value:orderer ECert:true} {Name:hf.Affiliation Value: ECert:true}]
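A listing like the one above can be reviewed mechanically. The following Go program is an added example, not part of the original article or of Fabric CA: it parses rows of `fabric-ca-client identity list` output and reports identities with unlimited enrollments (Max Enrollments: -1) or registrar-level attributes. The two sample rows are copied from the listing above; the function names and the choice of attributes to flag are assumptions of this example.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// sampleOutput holds two rows copied from the listing above.
const sampleOutput = `[root@10 tls-ca]# fabric-ca-client identity list
Name: tls-ca-admin, Type: client, Affiliation: , Max Enrollments: -1, Attributes: [{Name:hf.GenCRL Value:1 ECert:false} {Name:hf.Registrar.Attributes Value:* ECert:false} {Name:hf.AffiliationMgr Value:1 ECert:false} {Name:hf.Registrar.Roles Value:* ECert:false} {Name:hf.Registrar.DelegateRoles Value:* ECert:false} {Name:hf.Revoker Value:1 ECert:false} {Name:hf.IntermediateCA Value:1 ECert:false}]
Name: peer1-org1, Type: peer, Affiliation: , Max Enrollments: -1, Attributes: [{Name:hf.EnrollmentID Value:peer1-org1 ECert:true} {Name:hf.Type Value:peer ECert:true} {Name:hf.Affiliation Value: ECert:true}]`

// Identity is one row of the identity listing.
type Identity struct {
	Name, Type     string
	MaxEnrollments int
	Attrs          map[string]string
}

var (
	rowRE  = regexp.MustCompile(`^Name: (\S+), Type: (\S+), Affiliation: (.*?), Max Enrollments: (-?\d+), Attributes: \[(.*)\]$`)
	attrRE = regexp.MustCompile(`\{Name:(\S+) Value:(.*?) ECert:(?:true|false)\}`)
)

// parseIdentities extracts identities from the command output and skips
// lines that are not identity rows (prompts, debug output).
func parseIdentities(out string) []Identity {
	var ids []Identity
	sc := bufio.NewScanner(strings.NewReader(out))
	sc.Buffer(make([]byte, 0, 64*1024), 1024*1024) // rows can be long
	for sc.Scan() {
		m := rowRE.FindStringSubmatch(strings.TrimSpace(sc.Text()))
		if m == nil {
			continue
		}
		limit, _ := strconv.Atoi(m[4]) // the regex guarantees an integer
		id := Identity{Name: m[1], Type: m[2], MaxEnrollments: limit, Attrs: map[string]string{}}
		for _, a := range attrRE.FindAllStringSubmatch(m[5], -1) {
			id.Attrs[a[1]] = a[2]
		}
		ids = append(ids, id)
	}
	return ids
}

// privileged lists registrar-level attributes to review on any identity that holds them.
var privileged = []struct{ attr, meaning string }{
	{"hf.Registrar.Roles", "may register new identities"},
	{"hf.IntermediateCA", "may enroll as an intermediate CA"},
	{"hf.Revoker", "may revoke certificates"},
	{"hf.AffiliationMgr", "may manage affiliations"},
}

// audit returns the review findings for one identity.
func audit(id Identity) []string {
	var out []string
	if id.MaxEnrollments == -1 {
		out = append(out, "unlimited enrollments: the enrollment secret can be reused without limit")
	}
	for _, p := range privileged {
		if v := id.Attrs[p.attr]; v != "" && v != "0" && v != "false" {
			out = append(out, fmt.Sprintf("%s=%s: %s", p.attr, v, p.meaning))
		}
	}
	return out
}

func main() {
	for _, id := range parseIdentities(sampleOutput) {
		fmt.Printf("%s (%s)\n", id.Name, id.Type)
		for _, f := range audit(id) {
			fmt.Println("  -", f)
		}
	}
}
```

For node identities, `fabric-ca-client register` accepts `--id.maxenrollments` to cap how often an enrollment secret can be used.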
/tmp/hyperledger/tls-ca/admin/msp/cacerts/0-0-0-0-7052.pem and /tmp/hyperledger/tls-ca/crypto/ca-cert.pem are the same certificate. The same holds for the corresponding certificates under org1~org2, so it is not repeated there.
#md5sum /tmp/hyperledger/tls-ca/admin/msp/cacerts/0-0-0-0-7052.pem
#7c1bd16b69fd426ab491a0cafb325883 /tmp/hyperledger/tls-ca/admin/msp/cacerts/0-0-0-0-7052.pem
#md5sum /tmp/hyperledger/tls-ca/crypto/ca-cert.pem
#7c1bd16b69fd426ab491a0cafb325883 /tmp/hyperledger/tls-ca/crypto/ca-cert.pem
III. Configure the org0 CA service
1. Start the container
  rca-org0:
    container_name: rca-org0
    image: hyperledger/fabric-ca:1.4.9
    command: sh -c 'fabric-ca-server start -d -b rca-org0-admin:rca-org0-adminpw --port 7053'
    environment:
      - FABRIC_CA_SERVER_HOME=/tmp/hyperledger/fabric-ca/crypto
      - FABRIC_CA_SERVER_TLS_ENABLED=true
      - FABRIC_CA_SERVER_CSR_CN=rca-org0
      - FABRIC_CA_SERVER_CSR_HOSTS=0.0.0.0
      - FABRIC_CA_SERVER_DEBUG=true
    volumes:
      - /tmp/hyperledger/org0/ca:/tmp/hyperledger/fabric-ca
    networks:
      - fabric-ca
    ports:
      - 7053:7053
docker-compose up -d rca-org0
2. Set the org0 environment variables and enroll
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org0/ca/crypto/ca-cert.pem
export FABRIC_CA_CLIENT_HOME=/tmp/hyperledger/org0/ca/admin
fabric-ca-client enroll -d -u https://rca-org0-admin:rca-org0-adminpw@0.0.0.0:7053
sleep 5
3. Register the org0 identities
fabric-ca-client register -d --id.name orderer1-org0 --id.secret ordererpw --id.type orderer -u https://0.0.0.0:7053
fabric-ca-client register -d --id.name admin-org0 --id.secret org0adminpw --id.type user -u https://0.0.0.0:7053
Directory structure
org0/
└── ca
    ├── admin
    │   ├── fabric-ca-client-config.yaml
    │   └── msp
    │       ├── cacerts
    │       │   └── 0-0-0-0-7053.pem    ## signing certificate of the CA
    │       ├── IssuerPublicKey
    │       ├── IssuerRevocationPublicKey
    │       ├── keystore
    │       │   └── 455952eecb1abda68cc24645bc794a96fa0425f8dc98812c8f9619fd05573f17_sk
    │       ├── signcerts
    │       │   └── cert.pem
    │       └── user
    └── crypto
        ├── ca-cert.pem    ## signing certificate of the org0 CA (the same file as 0-0-0-0-7053.pem above)
        ├── fabric-ca-server-config.yaml
        ├── fabric-ca-server.db
        ├── IssuerPublicKey
        ├── IssuerRevocationPublicKey
        ├── msp
        │   ├── cacerts
        │   ├── keystore
        │   │   ├── 4ab50bc9c07892f6073b9cfc0ad87844e0199959464781491daf56c73f508cec_sk
        │   │   ├── b683f46bc857306e9ed09b553153edc3a501b94fade626c2936acfa91371a325_sk
        │   │   ├── IssuerRevocationPrivateKey
        │   │   └── IssuerSecretKey
        │   ├── signcerts
        │   └── user
        └── tls-cert.pem    ### TLS certificate of this CA server
# Both files are the same certificate
#md5sum /tmp/hyperledger/org0/ca/admin/msp/cacerts/0-0-0-0-7053.pem
#562bc79aa5c383a4144e9f4883ffc1be /tmp/hyperledger/org0/ca/admin/msp/cacerts/0-0-0-0-7053.pem
#md5sum /tmp/hyperledger/org0/ca/crypto/ca-cert.pem
#562bc79aa5c383a4144e9f4883ffc1be /tmp/hyperledger/org0/ca/crypto/ca-cert.pem
IV. Configure the Org1 CA
1. Start the container
  rca-org1:
    container_name: rca-org1
    image: hyperledger/fabric-ca:1.4.9
    command: sh -c 'fabric-ca-server start -d -b rca-org1-admin:rca-org1-adminpw --port 7054'
    environment:
      - FABRIC_CA_SERVER_HOME=/tmp/hyperledger/fabric-ca/crypto
      - FABRIC_CA_SERVER_TLS_ENABLED=true
      - FABRIC_CA_SERVER_CSR_CN=rca-org1
      - FABRIC_CA_SERVER_CSR_HOSTS=0.0.0.0
      - FABRIC_CA_SERVER_DEBUG=true
    volumes:
      - /tmp/hyperledger/org1/ca:/tmp/hyperledger/fabric-ca
    networks:
      - fabric-ca
    ports:
      - 7054:7054
docker-compose up -d rca-org1
2. Set the org1 environment variables and enroll
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org1/ca/crypto/ca-cert.pem
export FABRIC_CA_CLIENT_HOME=/tmp/hyperledger/org1/ca/admin
fabric-ca-client enroll -d -u https://rca-org1-admin:rca-org1-adminpw@0.0.0.0:7054
3. Register the org1 identities
Org1 has four identities in total; register each of them:
Peer 1 (peer1-org1)
Peer 2 (peer2-org1)
Admin (admin-org1)
End user (user-org1)
fabric-ca-client register -d --id.name peer1-org1 --id.secret peer1PW --id.type peer -u https://0.0.0.0:7054
fabric-ca-client register -d --id.name peer2-org1 --id.secret peer2PW --id.type peer -u https://0.0.0.0:7054
fabric-ca-client register -d --id.name admin-org1 --id.secret org1AdminPW --id.type user -u https://0.0.0.0:7054
fabric-ca-client register -d --id.name user-org1 --id.secret org1UserPW --id.type user -u https://0.0.0.0:7054
V. Configure the org2 CA
1. Start the container
  rca-org2:
    container_name: rca-org2
    image: hyperledger/fabric-ca:1.4.9
    command: /bin/bash -c 'fabric-ca-server start -d -b rca-org2-admin:rca-org2-adminpw --port 7055'
    environment:
      - FABRIC_CA_SERVER_HOME=/tmp/hyperledger/fabric-ca/crypto
      - FABRIC_CA_SERVER_TLS_ENABLED=true
      - FABRIC_CA_SERVER_CSR_CN=rca-org2
      - FABRIC_CA_SERVER_CSR_HOSTS=0.0.0.0
      - FABRIC_CA_SERVER_DEBUG=true
    volumes:
      - /tmp/hyperledger/org2/ca:/tmp/hyperledger/fabric-ca
    networks:
      - fabric-ca
    ports:
      - 7055:7055
docker-compose up -d rca-org2
2. Set the org2 environment variables and enroll
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org2/ca/crypto/ca-cert.pem
export FABRIC_CA_CLIENT_HOME=/tmp/hyperledger/org2/ca/admin
fabric-ca-client enroll -d -u https://rca-org2-admin:rca-org2-adminpw@0.0.0.0:7055
3. Register the org2 identities
fabric-ca-client register -d --id.name peer1-org2 --id.secret peer1PW --id.type peer -u https://0.0.0.0:7055
fabric-ca-client register -d --id.name peer2-org2 --id.secret peer2PW --id.type peer -u https://0.0.0.0:7055
fabric-ca-client register -d --id.name admin-org2 --id.secret org2AdminPW --id.type user -u https://0.0.0.0:7055
fabric-ca-client register -d --id.name user-org2 --id.secret org2UserPW --id.type user -u https://0.0.0.0:7055
VI. Set up the ordering service node
1. Prepare the certificates
mkdir -p /tmp/hyperledger/org0/orderer/assets/ca
cp /tmp/hyperledger/org0/ca/admin/msp/cacerts/0-0-0-0-7053.pem /tmp/hyperledger/org0/orderer/assets/ca/org0-ca-cert.pem
mkdir -p /tmp/hyperledger/org0/orderer/assets/tls-ca
cp /tmp/hyperledger/tls-ca/admin/msp/cacerts/0-0-0-0-7052.pem /tmp/hyperledger/org0/orderer/assets/tls-ca/tls-ca-cert.pem
2. Set the environment variables and enroll the orderer node with the org0 CA server
export FABRIC_CA_CLIENT_HOME=/tmp/hyperledger/org0/orderer
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org0/orderer/assets/ca/org0-ca-cert.pem
export FABRIC_CA_CLIENT_MSPDIR=msp
fabric-ca-client enroll -d -u https://orderer1-org0:ordererpw@0.0.0.0:7053
3. Set the environment variables and enroll the orderer node with the TLS-CA server
export FABRIC_CA_CLIENT_MSPDIR=tls-msp
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org0/orderer/assets/tls-ca/tls-ca-cert.pem
fabric-ca-client enroll -d -u https://orderer1-org0:ordererPW@0.0.0.0:7052 --enrollment.profile tls --csr.hosts orderer1-org0
#### Copy the private key to a fixed file name, key.pem
cp /tmp/hyperledger/org0/orderer/tls-msp/keystore/*_sk /tmp/hyperledger/org0/orderer/tls-msp/keystore/key.pem
4. Admin
#### Set the environment variables
export FABRIC_CA_CLIENT_HOME=/tmp/hyperledger/org0/admin
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org0/orderer/assets/ca/org0-ca-cert.pem
export FABRIC_CA_CLIENT_MSPDIR=msp
### Enroll the admin user to obtain its MSP
fabric-ca-client enroll -d -u https://admin-org0:org0adminpw@0.0.0.0:7053
### Copy the certificate into the admincerts folder
mkdir -p /tmp/hyperledger/org0/orderer/msp/admincerts
cp /tmp/hyperledger/org0/admin/msp/signcerts/cert.pem /tmp/hyperledger/org0/orderer/msp/admincerts/orderer-admin-cert.pem
mkdir -p /tmp/hyperledger/org0/msp/{admincerts,cacerts,tlscacerts,users}
cp /tmp/hyperledger/org0/orderer/assets/ca/org0-ca-cert.pem /tmp/hyperledger/org0/msp/cacerts/
cp /tmp/hyperledger/org0/orderer/assets/tls-ca/tls-ca-cert.pem /tmp/hyperledger/org0/msp/tlscacerts/
cp /tmp/hyperledger/org0/admin/msp/signcerts/cert.pem /tmp/hyperledger/org0/msp/admincerts/admin-org0-cert.pem
VII. Configure org1
1. Configure the peer1 node
1.1 Prepare the organization certificates
echo "Enroll Peer1"
mkdir -p /tmp/hyperledger/org1/peer1/assets/ca
cp /tmp/hyperledger/org1/ca/admin/msp/cacerts/0-0-0-0-7054.pem /tmp/hyperledger/org1/peer1/assets/ca/org1-ca-cert.pem
mkdir -p /tmp/hyperledger/org1/peer1/assets/tls-ca
cp /tmp/hyperledger/tls-ca/admin/msp/cacerts/0-0-0-0-7052.pem /tmp/hyperledger/org1/peer1/assets/tls-ca/tls-ca-cert.pem
1.2 Obtain the org1 MSP certificate
### Set the environment variables
export FABRIC_CA_CLIENT_HOME=/tmp/hyperledger/org1/peer1
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org1/peer1/assets/ca/org1-ca-cert.pem
export FABRIC_CA_CLIENT_MSPDIR=msp
### Enroll the peer1 node with the org1 CA server
fabric-ca-client enroll -d -u https://peer1-org1:peer1PW@0.0.0.0:7054
### When this completes, an msp folder appears under /tmp/hyperledger/org1/peer1; it holds the MSP certificates of the peer1 node
1.3 Obtain the TLS-CA MSP certificate
mkdir -p /tmp/hyperledger/org1/peer1/assets/tls-ca/
### crypto/ca-cert.pem is the same certificate as admin/msp/cacerts/0-0-0-0-7052.pem copied in 1.1
cp /tmp/hyperledger/tls-ca/crypto/ca-cert.pem /tmp/hyperledger/org1/peer1/assets/tls-ca/tls-ca-cert.pem
export FABRIC_CA_CLIENT_MSPDIR=tls-msp
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org1/peer1/assets/tls-ca/tls-ca-cert.pem
fabric-ca-client enroll -d -u https://peer1-org1:peer1PW@0.0.0.0:7052 --enrollment.profile tls --csr.hosts peer1-org1
#### A tls-msp folder appears under /tmp/hyperledger/org1/peer1; it holds the TLS certificate of the peer1 node
### Rename the key file so it is easier to reference later
mv /tmp/hyperledger/org1/peer1/tls-msp/keystore/* /tmp/hyperledger/org1/peer1/tls-msp/keystore/key.pem
2. Configure the peer2 node
2.1 Prepare the organization certificates
echo "Enroll Peer2"
mkdir -p /tmp/hyperledger/org1/peer2/assets/ca
cp /tmp/hyperledger/org1/ca/admin/msp/cacerts/0-0-0-0-7054.pem /tmp/hyperledger/org1/peer2/assets/ca/org1-ca-cert.pem
mkdir -p /tmp/hyperledger/org1/peer2/assets/tls-ca
cp /tmp/hyperledger/tls-ca/admin/msp/cacerts/0-0-0-0-7052.pem /tmp/hyperledger/org1/peer2/assets/tls-ca/tls-ca-cert.pem
2.2 Obtain the org1 MSP certificate
export FABRIC_CA_CLIENT_HOME=/tmp/hyperledger/org1/peer2
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org1/peer2/assets/ca/org1-ca-cert.pem
export FABRIC_CA_CLIENT_MSPDIR=msp
fabric-ca-client enroll -d -u https://peer2-org1:peer2PW@0.0.0.0:7054
2.3 Obtain the TLS-CA MSP certificate
export FABRIC_CA_CLIENT_MSPDIR=tls-msp
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org1/peer2/assets/tls-ca/tls-ca-cert.pem
fabric-ca-client enroll -d -u https://peer2-org1:peer2PW@0.0.0.0:7052 --enrollment.profile tls --csr.hosts peer2-org1
cp /tmp/hyperledger/org1/peer2/tls-msp/keystore/*_sk /tmp/hyperledger/org1/peer2/tls-msp/keystore/key.pem
3. Admin
### Set the environment variables
export FABRIC_CA_CLIENT_HOME=/tmp/hyperledger/org1/admin
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org1/peer1/assets/ca/org1-ca-cert.pem
export FABRIC_CA_CLIENT_MSPDIR=msp
### Enroll the admin with the org1 CA server
fabric-ca-client enroll -d -u https://admin-org1:org1AdminPW@0.0.0.0:7054
mkdir -p /tmp/hyperledger/org1/peer1/msp/admincerts
cp /tmp/hyperledger/org1/admin/msp/signcerts/cert.pem /tmp/hyperledger/org1/peer1/msp/admincerts/org1-admin-cert.pem
mkdir -p /tmp/hyperledger/org1/peer2/msp/admincerts
cp /tmp/hyperledger/org1/admin/msp/signcerts/cert.pem /tmp/hyperledger/org1/peer2/msp/admincerts/org1-admin-cert.pem
mkdir -p /tmp/hyperledger/org1/admin/msp/admincerts
cp /tmp/hyperledger/org1/admin/msp/signcerts/cert.pem /tmp/hyperledger/org1/admin/msp/admincerts/org1-admin-cert.pem
mkdir -p /tmp/hyperledger/org1/msp/{admincerts,cacerts,tlscacerts,users}
cp /tmp/hyperledger/org1/peer1/assets/ca/org1-ca-cert.pem /tmp/hyperledger/org1/msp/cacerts/
cp /tmp/hyperledger/org1/peer1/assets/tls-ca/tls-ca-cert.pem /tmp/hyperledger/org1/msp/tlscacerts/
cp /tmp/hyperledger/org1/admin/msp/signcerts/cert.pem /tmp/hyperledger/org1/msp/admincerts/admin-org1-cert.pem
VIII. Configure org2
1. Configure the peer1 node
1.1 Prepare the organization certificates
echo "Enroll Peer1"
mkdir -p /tmp/hyperledger/org2/peer1/assets/ca
cp /tmp/hyperledger/org2/ca/admin/msp/cacerts/0-0-0-0-7055.pem /tmp/hyperledger/org2/peer1/assets/ca/org2-ca-cert.pem
mkdir -p /tmp/hyperledger/org2/peer1/assets/tls-ca
cp /tmp/hyperledger/tls-ca/admin/msp/cacerts/0-0-0-0-7052.pem /tmp/hyperledger/org2/peer1/assets/tls-ca/tls-ca-cert.pem
1.2 Obtain the org2 MSP certificate
export FABRIC_CA_CLIENT_HOME=/tmp/hyperledger/org2/peer1
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org2/peer1/assets/ca/org2-ca-cert.pem
export FABRIC_CA_CLIENT_MSPDIR=msp
fabric-ca-client enroll -d -u https://peer1-org2:peer1PW@0.0.0.0:7055
1.3 Obtain the TLS-CA MSP certificate
export FABRIC_CA_CLIENT_MSPDIR=tls-msp
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org2/peer1/assets/tls-ca/tls-ca-cert.pem
fabric-ca-client enroll -d -u https://peer1-org2:peer1PW@0.0.0.0:7052 --enrollment.profile tls --csr.hosts peer1-org2
sleep 5
cp /tmp/hyperledger/org2/peer1/tls-msp/keystore/*_sk /tmp/hyperledger/org2/peer1/tls-msp/keystore/key.pem
2. Configure the peer2 node
2.1 Prepare the organization certificates
echo "Enroll Peer2"
mkdir -p /tmp/hyperledger/org2/peer2/assets/ca
cp /tmp/hyperledger/org2/ca/admin/msp/cacerts/0-0-0-0-7055.pem /tmp/hyperledger/org2/peer2/assets/ca/org2-ca-cert.pem
mkdir -p /tmp/hyperledger/org2/peer2/assets/tls-ca
cp /tmp/hyperledger/tls-ca/admin/msp/cacerts/0-0-0-0-7052.pem /tmp/hyperledger/org2/peer2/assets/tls-ca/tls-ca-cert.pem
2.2 Obtain the org2 MSP certificate
export FABRIC_CA_CLIENT_HOME=/tmp/hyperledger/org2/peer2
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org2/peer2/assets/ca/org2-ca-cert.pem
export FABRIC_CA_CLIENT_MSPDIR=msp
fabric-ca-client enroll -d -u https://peer2-org2:peer2PW@0.0.0.0:7055
2.3 Obtain the TLS-CA MSP certificate
export FABRIC_CA_CLIENT_MSPDIR=tls-msp
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org2/peer2/assets/tls-ca/tls-ca-cert.pem
fabric-ca-client enroll -d -u https://peer2-org2:peer2PW@0.0.0.0:7052 --enrollment.profile tls --csr.hosts peer2-org2
sleep 5
cp /tmp/hyperledger/org2/peer2/tls-msp/keystore/*_sk /tmp/hyperledger/org2/peer2/tls-msp/keystore/key.pem
3. Admin
echo "Enroll Admin"
export FABRIC_CA_CLIENT_HOME=/tmp/hyperledger/org2/admin
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org2/peer1/assets/ca/org2-ca-cert.pem
export FABRIC_CA_CLIENT_MSPDIR=msp
fabric-ca-client enroll -d -u https://admin-org2:org2AdminPW@0.0.0.0:7055
mkdir -p /tmp/hyperledger/org2/peer1/msp/admincerts
cp /tmp/hyperledger/org2/admin/msp/signcerts/cert.pem /tmp/hyperledger/org2/peer1/msp/admincerts/org2-admin-cert.pem
mkdir -p /tmp/hyperledger/org2/peer2/msp/admincerts
cp /tmp/hyperledger/org2/admin/msp/signcerts/cert.pem /tmp/hyperledger/org2/peer2/msp/admincerts/org2-admin-cert.pem
mkdir -p /tmp/hyperledger/org2/admin/msp/admincerts
cp /tmp/hyperledger/org2/admin/msp/signcerts/cert.pem /tmp/hyperledger/org2/admin/msp/admincerts/org2-admin-cert.pem
mkdir -p /tmp/hyperledger/org2/msp/{admincerts,cacerts,tlscacerts,users}
cp /tmp/hyperledger/org2/peer1/assets/ca/org2-ca-cert.pem /tmp/hyperledger/org2/msp/cacerts/
cp /tmp/hyperledger/org2/peer1/assets/tls-ca/tls-ca-cert.pem /tmp/hyperledger/org2/msp/tlscacerts/
cp /tmp/hyperledger/org2/admin/msp/signcerts/cert.pem /tmp/hyperledger/org2/msp/admincerts/admin-org2-cert.pem
IX. Start org1, org2 and the orderer
1. Start the peer nodes of org1 and org2
The relevant part of the docker-compose file:
  peer1-org1:
    container_name: peer1-org1
    image: hyperledger/fabric-peer:2.2.2
    environment:
      - CORE_PEER_ID=peer1-org1
      - CORE_PEER_ADDRESS=peer1-org1:7051
      - CORE_PEER_LOCALMSPID=org1MSP
      - CORE_PEER_MSPCONFIGPATH=/tmp/hyperledger/org1/peer1/msp
      - CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
      - CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE=guide_fabric-ca
      - FABRIC_LOGGING_SPEC=info
      - CORE_PEER_TLS_ENABLED=true
      - CORE_PEER_TLS_CERT_FILE=/tmp/hyperledger/org1/peer1/tls-msp/signcerts/cert.pem
      - CORE_PEER_TLS_KEY_FILE=/tmp/hyperledger/org1/peer1/tls-msp/keystore/key.pem
      - CORE_PEER_TLS_ROOTCERT_FILE=/tmp/hyperledger/org1/peer1/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem
      - CORE_PEER_GOSSIP_USELEADERELECTION=true
      - CORE_PEER_GOSSIP_ORGLEADER=false
      - CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer1-org1:7051
      - CORE_PEER_GOSSIP_SKIPHANDSHAKE=true
    working_dir: /opt/gopath/src/github.com/hyperledger/fabric/org1/peer1
    volumes:
      - /var/run:/host/var/run
      - /tmp/hyperledger/org1/peer1:/tmp/hyperledger/org1/peer1
    networks:
      - fabric-ca
  peer2-org1:
    container_name: peer2-org1
    image: hyperledger/fabric-peer:2.2.2
    environment:
      - CORE_PEER_ID=peer2-org1
      - CORE_PEER_ADDRESS=peer2-org1:7051
      - CORE_PEER_LOCALMSPID=org1MSP
      - CORE_PEER_MSPCONFIGPATH=/tmp/hyperledger/org1/peer2/msp
      - CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
      - CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE=guide_fabric-ca
      - FABRIC_LOGGING_SPEC=info
      - CORE_PEER_TLS_ENABLED=true
      - CORE_PEER_TLS_CERT_FILE=/tmp/hyperledger/org1/peer2/tls-msp/signcerts/cert.pem
      - CORE_PEER_TLS_KEY_FILE=/tmp/hyperledger/org1/peer2/tls-msp/keystore/key.pem
      - CORE_PEER_TLS_ROOTCERT_FILE=/tmp/hyperledger/org1/peer2/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem
      - CORE_PEER_GOSSIP_USELEADERELECTION=true
      - CORE_PEER_GOSSIP_ORGLEADER=false
      - CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer2-org1:7051
      - CORE_PEER_GOSSIP_SKIPHANDSHAKE=true
      - CORE_PEER_GOSSIP_BOOTSTRAP=peer1-org1:7051
    working_dir: /opt/gopath/src/github.com/hyperledger/fabric/org1/peer2
    volumes:
      - /var/run:/host/var/run
      - /tmp/hyperledger/org1/peer2:/tmp/hyperledger/org1/peer2
    networks:
      - fabric-ca
  peer1-org2:
    container_name: peer1-org2
    image: hyperledger/fabric-peer:2.2.2
    environment:
      - CORE_PEER_ID=peer1-org2
      - CORE_PEER_ADDRESS=peer1-org2:7051
      - CORE_PEER_LOCALMSPID=org2MSP
      - CORE_PEER_MSPCONFIGPATH=/tmp/hyperledger/org2/peer1/msp
      - CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
      - CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE=guide_fabric-ca
      - FABRIC_LOGGING_SPEC=info
      - CORE_PEER_TLS_ENABLED=true
      - CORE_PEER_TLS_CERT_FILE=/tmp/hyperledger/org2/peer1/tls-msp/signcerts/cert.pem
      - CORE_PEER_TLS_KEY_FILE=/tmp/hyperledger/org2/peer1/tls-msp/keystore/key.pem
      - CORE_PEER_TLS_ROOTCERT_FILE=/tmp/hyperledger/org2/peer1/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem
      - CORE_PEER_GOSSIP_USELEADERELECTION=true
      - CORE_PEER_GOSSIP_ORGLEADER=false
      - CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer1-org2:7051
      - CORE_PEER_GOSSIP_SKIPHANDSHAKE=true
    working_dir: /opt/gopath/src/github.com/hyperledger/fabric/org2/peer1
    volumes:
      - /var/run:/host/var/run
      - /tmp/hyperledger/org2/peer1:/tmp/hyperledger/org2/peer1
    networks:
      - fabric-ca
  peer2-org2:
    container_name: peer2-org2
    image: hyperledger/fabric-peer:2.2.2
    environment:
      - CORE_PEER_ID=peer2-org2
      - CORE_PEER_ADDRESS=peer2-org2:7051
      - CORE_PEER_LOCALMSPID=org2MSP
      - CORE_PEER_MSPCONFIGPATH=/tmp/hyperledger/org2/peer2/msp
      - CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
      - CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE=guide_fabric-ca
      - FABRIC_LOGGING_SPEC=info
      - CORE_PEER_TLS_ENABLED=true
      - CORE_PEER_TLS_CERT_FILE=/tmp/hyperledger/org2/peer2/tls-msp/signcerts/cert.pem
      - CORE_PEER_TLS_KEY_FILE=/tmp/hyperledger/org2/peer2/tls-msp/keystore/key.pem
      - CORE_PEER_TLS_ROOTCERT_FILE=/tmp/hyperledger/org2/peer2/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem
      - CORE_PEER_GOSSIP_USELEADERELECTION=true
      - CORE_PEER_GOSSIP_ORGLEADER=false
      - CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer2-org2:7051
      - CORE_PEER_GOSSIP_SKIPHANDSHAKE=true
      - CORE_PEER_GOSSIP_BOOTSTRAP=peer1-org2:7051
    working_dir: /opt/gopath/src/github.com/hyperledger/fabric/org2/peer2
    volumes:
      - /var/run:/host/var/run
      - /tmp/hyperledger/org2/peer2:/tmp/hyperledger/org2/peer2
    networks:
      - fabric-ca
docker-compose up -d peer1-org1 peer2-org1 peer1-org2 peer2-org2
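2. Review configtx.yaml
configtx.yaml is built mainly around the following three capability groups:
1) Application capabilities govern the features used by peer nodes, such as the Fabric chaincode lifecycle, and set the minimum version of the Fabric binaries that peers joined to the channel can run.
2) Orderer capabilities govern the features used by orderer nodes, such as Raft consensus, and set the minimum version of the Fabric binaries that ordering nodes belonging to the channel's consenter set can run.
3) Channel capabilities set the minimum version of Fabric that both peer nodes and ordering nodes can run.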
export FABRIC_CFG_PATH=$PWD
# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#
---
################################################################################
#
# Section: Organizations
#
# - This section defines the different organizational identities which will
# be referenced later in the configuration.
#
################################################################################
Organizations:
    # SampleOrg defines an MSP using the sampleconfig. It should never be used
    # in production but may be used as a template for other definitions
    - &org0
        # DefaultOrg defines the organization which is used in the sampleconfig
        # of the fabric.git development environment
        Name: org0MSP
        # ID to load the MSP definition as
        ID: org0MSP
        # MSPDir is the filesystem path which contains the MSP configuration
        #MSPDir: ../configtx/org0/msp
        MSPDir: /tmp/hyperledger/org0/msp
        # Policies defines the set of policies at this level of the config tree
        # For organization policies, their canonical path is usually
        # /Channel/<Application|Orderer>/<OrgName>/<PolicyName>
        Policies:
            Readers:
                Type: Signature
                Rule: "OR('org0MSP.member')"
            Writers:
                Type: Signature
                Rule: "OR('org0MSP.member')"
            Admins:
                Type: Signature
                Rule: "OR('org0MSP.admin')"
        OrdererEndpoints:
            - orderer1-org0:7050
    - &org1
        # DefaultOrg defines the organization which is used in the sampleconfig
        # of the fabric.git development environment
        Name: org1MSP
        # ID to load the MSP definition as
        ID: org1MSP
        #MSPDir: ../configtx/org1/msp
        MSPDir: /tmp/hyperledger/org1/msp
        # Policies defines the set of policies at this level of the config tree
        # For organization policies, their canonical path is usually
        # /Channel/<Application|Orderer>/<OrgName>/<PolicyName>
        Policies:
            Readers:
                Type: Signature
                Rule: "OR('org1MSP.admin', 'org1MSP.peer', 'org1MSP.client')"
            Writers:
                Type: Signature
                Rule: "OR('org1MSP.admin', 'org1MSP.client')"
            Admins:
                Type: Signature
                Rule: "OR('org1MSP.admin')"
            Endorsement:
                Type: Signature
                Rule: "OR('org1MSP.peer')"
        # leave this flag set to true.
        AnchorPeers:
            # AnchorPeers defines the location of peers which can be used
            # for cross org gossip communication. Note, this value is only
            # encoded in the genesis block in the Application section context
            - Host: peer1-org1
              Port: 7051
    - &org2
        # DefaultOrg defines the organization which is used in the sampleconfig
        # of the fabric.git development environment
        Name: org2MSP
        # ID to load the MSP definition as
        ID: org2MSP
        #MSPDir: ../configtx/org2/msp
        MSPDir: /tmp/hyperledger/org2/msp
        # Policies defines the set of policies at this level of the config tree
        # For organization policies, their canonical path is usually
        # /Channel/<Application|Orderer>/<OrgName>/<PolicyName>
        Policies:
            Readers:
                Type: Signature
                Rule: "OR('org2MSP.admin', 'org2MSP.peer', 'org2MSP.client')"
            Writers:
                Type: Signature
                Rule: "OR('org2MSP.admin', 'org2MSP.client')"
            Admins:
                Type: Signature
                Rule: "OR('org2MSP.admin')"
            Endorsement:
                Type: Signature
                Rule: "OR('org2MSP.peer')"
        AnchorPeers:
            # AnchorPeers defines the location of peers which can be used
            # for cross org gossip communication. Note, this value is only
            # encoded in the genesis block in the Application section context
            - Host: peer1-org2
              Port: 7051
################################################################################
#
# SECTION: Capabilities
#
# - This section defines the capabilities of fabric network. This is a new
# concept as of v1.1.0 and should not be utilized in mixed networks with
# v1.0.x peers and orderers. Capabilities define features which must be
# present in a fabric binary for that binary to safely participate in the
# fabric network. For instance, if a new MSP type is added, newer binaries
# might recognize and validate the signatures from this type, while older
# binaries without this support would be unable to validate those
# transactions. This could lead to different versions of the fabric binaries
# having different world states. Instead, defining a capability for a channel
# informs those binaries without this capability that they must cease
# processing transactions until they have been upgraded. For v1.0.x if any
# capabilities are defined (including a map with all capabilities turned off)
# then the v1.0.x peer will deliberately crash.
#
################################################################################
Capabilities:
    # Channel capabilities apply to both the orderers and the peers and must be
    # supported by both.
    # Set the value of the capability to true to require it.
    Channel: &ChannelCapabilities
        # V2_0 capability ensures that orderers and peers behave according
        # to v2.0 channel capabilities. Orderers and peers from
        # prior releases would behave in an incompatible way, and are therefore
        # not able to participate in channels at v2.0 capability.
        # Prior to enabling V2.0 channel capabilities, ensure that all
        # orderers and peers on a channel are at v2.0.0 or later.
        V2_0: true
    # Orderer capabilities apply only to the orderers, and may be safely
    # used with prior release peers.
    # Set the value of the capability to true to require it.
    Orderer: &OrdererCapabilities
        # V2_0 orderer capability ensures that orderers behave according
        # to v2.0 orderer capabilities. Orderers from
        # prior releases would behave in an incompatible way, and are therefore
        # not able to participate in channels at v2.0 orderer capability.
        # Prior to enabling V2.0 orderer capabilities, ensure that all
        # orderers on channel are at v2.0.0 or later.
        V2_0: true
    # Application capabilities apply only to the peer network, and may be safely
    # used with prior release orderers.
    # Set the value of the capability to true to require it.
    Application: &ApplicationCapabilities
        # V2_0 application capability ensures that peers behave according
        # to v2.0 application capabilities. Peers from
        # prior releases would behave in an incompatible way, and are therefore
        # not able to participate in channels at v2.0 application capability.
        # Prior to enabling V2.0 application capabilities, ensure that all
        # peers on channel are at v2.0.0 or later.
        V2_0: true
################################################################################
#
# SECTION: Application
#
# - This section defines the values to encode into a config transaction or
# genesis block for application related parameters
#
################################################################################
Application: &ApplicationDefaults
    # Organizations is the list of orgs which are defined as participants on
    # the application side of the network
    Organizations:
    # Policies defines the set of policies at this level of the config tree
    # For Application policies, their canonical path is
    # /Channel/Application/<PolicyName>
    Policies:
        Readers:
            Type: ImplicitMeta
            Rule: "ANY Readers"
        Writers:
            Type: ImplicitMeta
            Rule: "ANY Writers"
        Admins:
            Type: ImplicitMeta
            Rule: "MAJORITY Admins"
        LifecycleEndorsement:
            Type: ImplicitMeta
            Rule: "MAJORITY Endorsement"
        Endorsement:
            Type: ImplicitMeta
            Rule: "MAJORITY Endorsement"
    Capabilities:
        <<: *ApplicationCapabilities
################################################################################
#
# SECTION: Orderer
#
# - This section defines the values to encode into a config transaction or
# genesis block for orderer related parameters
#
################################################################################
Orderer: &OrdererDefaults
    # Orderer Type: The orderer implementation to start
    OrdererType: etcdraft
    EtcdRaft:
        Consenters:
            - Host: orderer1-org0
              Port: 7050
              ClientTLSCert: /tmp/hyperledger/org0/orderer/tls-msp/signcerts/cert.pem
              ServerTLSCert: /tmp/hyperledger/org0/orderer/tls-msp/signcerts/cert.pem
    # Batch Timeout: The amount of time to wait before creating a batch
    BatchTimeout: 2s
    # Batch Size: Controls the number of messages batched into a block
    BatchSize:
        # Max Message Count: The maximum number of messages to permit in a batch
        MaxMessageCount: 10
        # Absolute Max Bytes: The absolute maximum number of bytes allowed for
        # the serialized messages in a batch.
        AbsoluteMaxBytes: 99 MB
        # Preferred Max Bytes: The preferred maximum number of bytes allowed for
        # the serialized messages in a batch. A message larger than the preferred
        # max bytes will result in a batch larger than preferred max bytes.
        PreferredMaxBytes: 512 KB
    # Organizations is the list of orgs which are defined as participants on
    # the orderer side of the network
    Organizations:
    # Policies defines the set of policies at this level of the config tree
    # For Orderer policies, their canonical path is
    # /Channel/Orderer/<PolicyName>
    Policies:
        Readers:
            Type: ImplicitMeta
            Rule: "ANY Readers"
        Writers:
            Type: ImplicitMeta
            Rule: "ANY Writers"
        Admins:
            Type: ImplicitMeta
            Rule: "MAJORITY Admins"
        # BlockValidation specifies what signatures must be included in the block
        # from the orderer for the peer to validate it.
        BlockValidation:
            Type: ImplicitMeta
            Rule: "ANY Writers"
################################################################################
#
# CHANNEL
#
# This section defines the values to encode into a config transaction or
# genesis block for channel related parameters.
#
################################################################################
Channel: &ChannelDefaults
    # Policies defines the set of policies at this level of the config tree
    # For Channel policies, their canonical path is
    # /Channel/<PolicyName>
    Policies:
        # Who may invoke the 'Deliver' API
        Readers:
            Type: ImplicitMeta
            Rule: "ANY Readers"
        # Who may invoke the 'Broadcast' API
        Writers:
            Type: ImplicitMeta
            Rule: "ANY Writers"
        # By default, who may modify elements at this config level
        Admins:
            Type: ImplicitMeta
            Rule: "MAJORITY Admins"
    # Capabilities describes the channel level capabilities, see the
    # dedicated Capabilities section elsewhere in this file for a full
    # description
    Capabilities:
        <<: *ChannelCapabilities
################################################################################
#
# Profile
#
# - Different configuration profiles may be encoded here to be specified
# as parameters to the configtxgen tool
#
################################################################################
Profiles:
    TwoOrgsOrdererGenesis:
        <<: *ChannelDefaults
        Orderer:
            <<: *OrdererDefaults
            Organizations:
                - *org0
            Capabilities:
                <<: *OrdererCapabilities
        Consortiums:
            SampleConsortium:
                Organizations:
                    - *org1
                    - *org2
    TwoOrgsChannel:
        Consortium: SampleConsortium
        <<: *ChannelDefaults
        Application:
            <<: *ApplicationDefaults
            Organizations:
                - *org1
                - *org2
            Capabilities:
                <<: *ApplicationCapabilities
3. Create the genesis block and the channel transaction
configtxgen -profile TwoOrgsOrdererGenesis -outputBlock /tmp/hyperledger/org0/orderer/genesis.block -channelID syschannel
sleep 5
configtxgen -profile TwoOrgsChannel -outputCreateChannelTx /tmp/hyperledger/org0/orderer/channel.tx -channelID mychannel
4. Start orderer, cli-org1 and cli-org2
The docker-compose definitions for these services:
  orderer1-org0:
    container_name: orderer1-org0
    image: hyperledger/fabric-orderer:2.2.2
    environment:
      - ORDERER_HOME=/tmp/hyperledger/orderer
      - ORDERER_HOST=orderer1-org0
      - ORDERER_GENERAL_LISTENADDRESS=0.0.0.0
      - ORDERER_GENERAL_GENESISMETHOD=file
      - ORDERER_GENERAL_GENESISFILE=/tmp/hyperledger/org0/orderer/genesis.block
      - ORDERER_GENERAL_LOCALMSPID=org0MSP
      - ORDERER_GENERAL_LOCALMSPDIR=/tmp/hyperledger/org0/orderer/msp
      - ORDERER_GENERAL_TLS_ENABLED=true
      - ORDERER_GENERAL_TLS_CERTIFICATE=/tmp/hyperledger/org0/orderer/tls-msp/signcerts/cert.pem
      - ORDERER_GENERAL_TLS_PRIVATEKEY=/tmp/hyperledger/org0/orderer/tls-msp/keystore/key.pem
      - ORDERER_GENERAL_TLS_ROOTCAS=[/tmp/hyperledger/org0/orderer/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem]
      - ORDERER_GENERAL_LOGLEVEL=debug
      - ORDERER_DEBUG_BROADCASTTRACEDIR=data/logs
    volumes:
      - /tmp/hyperledger/org0/orderer:/tmp/hyperledger/org0/orderer/
    networks:
      - fabric-ca
    ports:
      - 7050:7050
  cli-org1:
    container_name: cli-org1
    image: hyperledger/fabric-tools:2.2.2
    tty: true
    stdin_open: true
    environment:
      - GOPATH=/opt/gopath
      - CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
      - FABRIC_LOGGING_SPEC=DEBUG
      - CORE_PEER_ID=cli-org1
      - CORE_PEER_ADDRESS=peer1-org1:7051
      - CORE_PEER_LOCALMSPID=org1MSP
      - CORE_PEER_TLS_ENABLED=true
      - CORE_PEER_TLS_ROOTCERT_FILE=/tmp/hyperledger/org1/peer1/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem
      - CORE_PEER_MSPCONFIGPATH=/tmp/hyperledger/org1/peer1/msp
    working_dir: /opt/gopath/src/github.com/hyperledger/fabric/org1
    command: sh
    volumes:
      - /tmp/hyperledger/org1/peer1:/tmp/hyperledger/org1/peer1
      - /tmp/hyperledger/org1/peer1/assets/chaincode:/opt/gopath/src/github.com/hyperledger/fabric-samples/chaincode
      - /tmp/hyperledger/org1/admin:/tmp/hyperledger/org1/admin
    networks:
      - fabric-ca
  cli-org2:
    container_name: cli-org2
    image: hyperledger/fabric-tools:2.2.2
    tty: true
    stdin_open: true
    environment:
      - GOPATH=/opt/gopath
      - CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
      - FABRIC_LOGGING_SPEC=DEBUG
      - CORE_PEER_ID=cli-org2
      - CORE_PEER_ADDRESS=peer1-org2:7051
      - CORE_PEER_LOCALMSPID=org2MSP
      - CORE_PEER_TLS_ENABLED=true
      - CORE_PEER_TLS_ROOTCERT_FILE=/tmp/hyperledger/org2/peer1/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem
      - CORE_PEER_MSPCONFIGPATH=/tmp/hyperledger/org2/peer1/msp
    working_dir: /opt/gopath/src/github.com/hyperledger/fabric/org2
    command: sh
    volumes:
      - /tmp/hyperledger/org2/peer1:/tmp/hyperledger/org2/peer1
      - /tmp/hyperledger/org1/peer1/assets/chaincode:/opt/gopath/src/github.com/hyperledger/fabric-samples/chaincode
      - /tmp/hyperledger/org2/admin:/tmp/hyperledger/org2/admin
    networks:
      - fabric-ca
docker-compose up -d orderer1-org0 cli-org1 cli-org2
5. Check the container status
[root@10 fabric]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
b0b8cfdf19fc hyperledger/fabric-tools:2.2.2 "sh" 11 hours ago Up 11 hours cli-org1
8d09489a5f5c hyperledger/fabric-tools:2.2.2 "sh" 11 hours ago Up 11 hours cli-org2
02479659e0a2 hyperledger/fabric-orderer:2.2.2 "orderer" 11 hours ago Up 11 hours 0.0.0.0:7050->7050/tcp, :::7050->7050/tcp orderer1-org0
91252c73d1ae hyperledger/fabric-peer:2.2.2 "peer node start" 11 hours ago Up 11 hours 7051/tcp peer2-org2
717b6ff28cee hyperledger/fabric-peer:2.2.2 "peer node start" 11 hours ago Up 11 hours 7051/tcp peer2-org1
7ed9b9ed7038 hyperledger/fabric-peer:2.2.2 "peer node start" 11 hours ago Up 11 hours 7051/tcp peer1-org1
4c11783e2513 hyperledger/fabric-peer:2.2.2 "peer node start" 11 hours ago Up 11 hours 7051/tcp peer1-org2
4c2cbaebfb85 hyperledger/fabric-ca:1.4.9 "/bin/bash -c 'fabri…" 11 hours ago Up 11 hours 7054/tcp, 0.0.0.0:7055->7055/tcp, :::7055->7055/tcp rca-org2
efa57941cf30 hyperledger/fabric-ca:1.4.9 "sh -c 'fabric-ca-se…" 11 hours ago Up 11 hours 0.0.0.0:7054->7054/tcp, :::7054->7054/tcp rca-org1
bdd73fe9529a hyperledger/fabric-ca:1.4.9 "sh -c 'fabric-ca-se…" 11 hours ago Up 11 hours 0.0.0.0:7053->7053/tcp, :::7053->7053/tcp, 7054/tcp rca-org0
af6ac116c410 hyperledger/fabric-ca:1.4.9 "sh -c 'fabric-ca-se…" 11 hours ago Up 11 hours 0.0.0.0:7052->7052/tcp, :::7052->7052/tcp, 7054/tcp ca-tls
X. Create and join the channel
1. peer1 creates the channel
Copy the channel configuration file to peer1:
cp /tmp/hyperledger/org0/orderer/channel.tx /tmp/hyperledger/org1/peer1/assets/
2. Create the channel and join it
1) org1 creates the channel
docker exec -it cli-org1 sh
export CORE_PEER_MSPCONFIGPATH=/tmp/hyperledger/org1/admin/msp
peer channel create -c mychannel -t 120s -f /tmp/hyperledger/org1/peer1/assets/channel.tx -o orderer1-org0:7050 --outputBlock /tmp/hyperledger/org1/peer1/assets/mychannel.block --tls --cafile /tmp/hyperledger/org1/peer1/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem
#2022-06-08 06:47:47.572 UTC [msp.identity] Sign -> DEBU 03f Sign: plaintext: 0AFB070A1508051A0608938C81950622...421646E0A4CE12080A021A0012021A00
#2022-06-08 06:47:47.572 UTC [msp.identity] Sign -> DEBU 040 Sign: digest: 81B641C28BB08FADBA8BD3498A47E9E63D2DF25829F9C9BF3FA72B0BA741BC45
#2022-06-08 06:47:47.613 UTC [cli.common] readBlock -> INFO 041 Received block: 0
As a result, mychannel.block is saved in org1/peer1/assets/.
2) peer1 and peer2 join the channel
Use the org1 terminal to join peer1-org1 and peer2-org1:
export CORE_PEER_MSPCONFIGPATH=/tmp/hyperledger/org1/admin/msp
export CORE_PEER_ADDRESS=peer1-org1:7051
peer channel join -b /tmp/hyperledger/org1/peer1/assets/mychannel.block
#2022-06-08 06:48:27.246 UTC [msp.identity] Sign -> DEBU 02c Sign: plaintext: 0AC1080A5B08011A0B08BB8C81950610...8C4986F31A0A0A000A000A000A000A00
#2022-06-08 06:48:27.246 UTC [msp.identity] Sign -> DEBU 02d Sign: digest: B697CD25AFDCF753EB09C44319F04BA3CBBA13B2DCD4B09EE132AC27E78DB9A5
#2022-06-08 06:48:27.365 UTC [channelCmd] executeJoin -> INFO 02e Successfully submitted proposal to join channel
export CORE_PEER_ADDRESS=peer2-org1:7051
peer channel join -b /tmp/hyperledger/org1/peer1/assets/mychannel.block
#2022-06-08 06:49:07.257 UTC [msp.identity] Sign -> DEBU 02c Sign: plaintext: 0AC1080A5B08011A0B08E38C81950610...8C4986F31A0A0A000A000A000A000A00
#2022-06-08 06:49:07.257 UTC [msp.identity] Sign -> DEBU 02d Sign: digest: 1C4926FB92DA59227BDB629D0CB918583533191B6413EEE51FA42FA36B3FC1C3
#2022-06-08 06:49:07.360 UTC [channelCmd] executeJoin -> INFO 02e Successfully submitted proposal to join channel
3) org2 joins the channel
cp /tmp/hyperledger/org1/peer1/assets/mychannel.block /tmp/hyperledger/org2/peer1/assets/
4) peer1 and peer2 join the channel
Use the org2 terminal to join peer1-org2 and peer2-org2:
docker exec -it cli-org2 sh
export CORE_PEER_MSPCONFIGPATH=/tmp/hyperledger/org2/admin/msp
export CORE_PEER_ADDRESS=peer1-org2:7051
peer channel join -b /tmp/hyperledger/org2/peer1/assets/mychannel.block
#2022-06-08 06:50:13.319 UTC [msp.identity] Sign -> DEBU 02c Sign: plaintext: 0ADB080A5C08011A0C08A58D81950610...8C4986F31A0A0A000A000A000A000A00
#2022-06-08 06:50:13.319 UTC [msp.identity] Sign -> DEBU 02d Sign: digest: D52F4ED7EBBEC8AAD901B0EEA677027BD142B1582E239E8A175ADA8EEE798D01
#2022-06-08 06:50:13.450 UTC [channelCmd] executeJoin -> INFO 02e Successfully submitted proposal to join channel
export CORE_PEER_ADDRESS=peer2-org2:7051
peer channel join -b /tmp/hyperledger/org2/peer1/assets/mychannel.block
#2022-06-08 06:50:44.337 UTC [msp.identity] Sign -> DEBU 02c Sign: plaintext: 0ADB080A5C08011A0C08C48D81950610...8C4986F31A0A0A000A000A000A000A00
#2022-06-08 06:50:44.337 UTC [msp.identity] Sign -> DEBU 02d Sign: digest: 1A019F2C1A98DF6B276317A24734BB892D4BD996EBEF76BB8ECADE18FA9935E4
#2022-06-08 06:50:44.471 UTC [channelCmd] executeJoin -> INFO 02e Successfully submitted proposal to join channel
5) Check that the peers joined the channel successfully
In the org1 terminal:
peer channel getinfo -c mychannel
#2022-06-08 06:51:34.362 UTC [msp.identity] Sign -> DEBU 02c Sign: plaintext: 0AC2080A5C08031A0C08F68D81950610...6E496E666F0A096D796368616E6E656C
#2022-06-08 06:51:34.362 UTC [msp.identity] Sign -> DEBU 02d Sign: digest: 96F334B615878C69A800D21C7BB73FB07C001A6651B2025B4E1F813A0BC0E0E1
#Blockchain info: {"height":1,"currentBlockHash":"fSiblHfyDAgNcTnsCMY5jfEu9tW9kBcUDw9h5a74APs="}
CORE_PEER_ADDRESS=peer2-org1:7051 peer channel getinfo -c mychannel
#2022-06-08 06:52:19.102 UTC [msp.identity] Sign -> DEBU 02c Sign: plaintext: 0AC1080A5B08031A0B08A38E81950610...6E496E666F0A096D796368616E6E656C
#2022-06-08 06:52:19.102 UTC [msp.identity] Sign -> DEBU 02d Sign: digest: DCB3D1F065993FEF0D30B8FE9F9380B90BD7D8CDE9AC4E0B4BAEE20EBCA428A9
#Blockchain info: {"height":1,"currentBlockHash":"fSiblHfyDAgNcTnsCMY5jfEu9tW9kBcUDw9h5a74APs="}
In the org2 terminal:
peer channel getinfo -c mychannel
#2022-06-08 06:52:57.106 UTC [msp.identity] Sign -> DEBU 02c Sign: plaintext: 0ADA080A5B08031A0B08C98E81950610...6E496E666F0A096D796368616E6E656C
#2022-06-08 06:52:57.106 UTC [msp.identity] Sign -> DEBU 02d Sign: digest: 3DC6AE9852CBD7D1FF12EE739CB2F659518A9F71075B2A1711E5A52B29C0E833
#Blockchain info: {"height":1,"currentBlockHash":"fSiblHfyDAgNcTnsCMY5jfEu9tW9kBcUDw9h5a74APs="}
CORE_PEER_ADDRESS=peer2-org2:7051 peer channel getinfo -c mychannel
#2022-06-08 06:53:27.249 UTC [msp.identity] Sign -> DEBU 02c Sign: plaintext: 0ADA080A5B08031A0B08E78E81950610...6E496E666F0A096D796368616E6E656C
#2022-06-08 06:53:27.249 UTC [msp.identity] Sign -> DEBU 02d Sign: digest: 41FB0E99481FE63FF419E66336E595EAAA4BF21E4BD6942C776CDB8D08D0FC6D
#Blockchain info: {"height":1,"currentBlockHash":"fSiblHfyDAgNcTnsCMY5jfEu9tW9kBcUDw9h5a74APs="}
All four commands above should return the same result, which means every peer holds the same ledger (blockchain).
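The comparison described above can be scripted instead of read by eye. The following is an added example, not part of the original walkthrough: it reduces each `peer channel getinfo` result to a `height:currentBlockHash` fingerprint and fails if any peer is missing the line or disagrees. The function names and the second sample output are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: function names are hypothetical; only the peer CLI call is from the page.

# Read getinfo output on stdin, print "height:currentBlockHash" (empty if absent).
# The leading "#" is optional because the page shows the output commented out.
ledger_fingerprint() {
    sed -n 's/^#\{0,1\}Blockchain info: *{"height":\([0-9][0-9]*\),"currentBlockHash":"\([^"]*\)".*/\1:\2/p' | tail -n 1
}

# Succeed only if at least two fingerprints are given and all are non-empty and identical.
fingerprints_agree() {
    [ "$#" -ge 2 ] || return 2
    first=$1
    for candidate in "$@"; do
        [ -n "$candidate" ] && [ "$candidate" = "$first" ] || return 1
    done
    return 0
}

# Live use inside a CLI container with the admin MSP exported, for example:
#   check_channel mychannel peer1-org1:7051 peer2-org1:7051
check_channel() {
    channel=$1; shift
    ref=""
    for addr in "$@"; do
        fp=$(CORE_PEER_ADDRESS=$addr peer channel getinfo -c "$channel" 2>&1 | ledger_fingerprint)
        echo "$addr ${fp:-<no Blockchain info line>}"
        [ -n "$ref" ] || ref=$fp
        fingerprints_agree "$ref" "$fp" || return 1
    done
}

# Sample outputs for offline use. SAMPLE_SYNCED follows the page's getinfo result;
# SAMPLE_AHEAD is constructed to show a peer that has one more block.
SAMPLE_SYNCED='2022-06-08 06:51:34.362 UTC [msp.identity] Sign -> DEBU 02c Sign: plaintext: ...
Blockchain info: {"height":1,"currentBlockHash":"fSiblHfyDAgNcTnsCMY5jfEu9tW9kBcUDw9h5a74APs="}'
SAMPLE_AHEAD='Blockchain info: {"height":2,"currentBlockHash":"Q09OU1RSVUNURUQtSEFTSC0y","previousBlockHash":"fSiblHfyDAgNcTnsCMY5jfEu9tW9kBcUDw9h5a74APs="}'
```

A non-zero exit from `check_channel` means a peer returned no ledger info or a different height or hash; on a channel that is still receiving blocks, a lagging peer can cause a brief mismatch, so repeat the check before treating it as a divergence.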
XI. Install and instantiate the chaincode
1. Copy the chaincode into the cli-org1 container
##cp -rp /tmp/fabric-samples/fabcar/go/* /tmp/hyperledger/org1/peer1/assets/chaincode
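The abac sample chaincode from the official site no longer works, so this walkthrough uses the basic sample chaincode from the automation script in the official tutorial.
As a shortcut, basic.tar.gz is packaged directly with the automation script network.sh.
Use docker cp to copy basic.tar.gz into the / directory of cli-org1 and cli-org2.
Example: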
docker cp basic.tar.gz cli-org1:/
docker cp basic.tar.gz cli-org2:/
2. Install on cli-org1
docker exec -it cli-org1 bash
# Install the chaincode on peer1
export GOPROXY=https://goproxy.cn,direct
export GO111MODULE=on
#go mod vendor
export CORE_PEER_ADDRESS=peer1-org1:7051
export CORE_PEER_MSPCONFIGPATH=/tmp/hyperledger/org1/admin/msp
#cd /
# Package the chaincode
#peer lifecycle chaincode package /basic.tar.gz --path /tmp/hyperledger/org1/peer1/assets/chaincode/ --lang golang --label basic_1.0
peer lifecycle chaincode install /basic.tar.gz
### Install the chaincode on peer2
export CORE_PEER_ADDRESS=peer2-org1:7051
export CORE_PEER_MSPCONFIGPATH=/tmp/hyperledger/org1/admin/msp
peer lifecycle chaincode install /basic.tar.gz
3. Install on cli-org2
docker exec -it cli-org2 bash
export GOPROXY=https://goproxy.cn,direct
export GO111MODULE=on
export CORE_PEER_ADDRESS=peer1-org2:7051
export CORE_PEER_MSPCONFIGPATH=/tmp/hyperledger/org2/admin/msp
# Install the chaincode on peer1
peer lifecycle chaincode install /basic.tar.gz
export CORE_PEER_ADDRESS=peer2-org2:7051
export CORE_PEER_MSPCONFIGPATH=/tmp/hyperledger/org2/admin/msp
# Install the chaincode on peer2
peer lifecycle chaincode install /basic.tar.gz
Check the chaincode ID:
peer lifecycle chaincode queryinstalled
#Installed chaincodes on peer:
#Package ID: basic_1.0:0e4c1bdc4fa1888d5cb876e91ca3c53cd4630752207e4cc17819ac4ca1a512cd, Label: basic_1.0
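Because basic.tar.gz is built elsewhere and copied into two containers, it is worth confirming that each peer installed exactly that file. In the Fabric 2.x lifecycle the package ID is the label followed by the hex SHA-256 of the package file, so the value can be recomputed locally and matched against `queryinstalled`. This is an added example, not part of the original walkthrough; the function names are assumptions, and it relies on `sha256sum` being available.

```shell
#!/bin/sh
# Added example: function names are hypothetical; assumes sha256sum is on PATH.

# Print "<label>:<hex sha256 of package file>", the form a Fabric 2.x peer reports.
# usage: expected_package_id basic_1.0 /basic.tar.gz
expected_package_id() {
    [ -r "$2" ] || return 2
    printf '%s:%s\n' "$1" "$(sha256sum "$2" | cut -d' ' -f1)"
}

# Read `peer lifecycle chaincode queryinstalled` output on stdin and print
# one Package ID per line. A leading "#" is tolerated, as on the page.
installed_package_ids() {
    sed -n 's/^#\{0,1\}Package ID: *\([^,]*\),.*/\1/p'
}

# Succeed only if the ID computed from the local file is among the installed IDs.
# usage: peer lifecycle chaincode queryinstalled 2>&1 | package_is_installed basic_1.0 /basic.tar.gz
package_is_installed() {
    want=$(expected_package_id "$1" "$2") || return 2
    installed_package_ids | grep -Fqx -- "$want"
}

# Sample queryinstalled output in the shape shown on the page, for offline use.
SAMPLE_QUERYINSTALLED='Installed chaincodes on peer:
Package ID: basic_1.0:0e4c1bdc4fa1888d5cb876e91ca3c53cd4630752207e4cc17819ac4ca1a512cd, Label: basic_1.0'
```

Run the check once per peer (switching `CORE_PEER_ADDRESS` as in the install steps); a failure on any peer means that peer holds a different package than the file you intend to approve.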