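Hyperledger Fabric v2.0: Dynamically Adding an Organization
This article adds an organization dynamically on top of the custom-certificate setup from << 3. Hyperledger Fabric v2.0 CA Components >> (https://blog.csdn.net/weixin_41540016/article/details/108440545). The directory structure and tools used here are the ones from that article.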
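Note: this article uses a single-machine deployment. A distributed deployment works the same way; only the node addresses need to change.
1. Write the org3-ca service configuration
Write the org3-ca.yaml configuration and upload the file to the /usr/local/home directory on the server.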
version: '2'
networks:
  byfn:
    external:
      name: dev
services:
  org3:
    container_name: org3
    image: hyperledger/fabric-ca
    command: sh -c 'fabric-ca-server start -d -b org3-admin:org3-adminpw'
    environment:
      - FABRIC_CA_SERVER_HOME=/usr/local/home/org3/ca/crypto
      - FABRIC_CA_SERVER_TLS_ENABLED=true
      - FABRIC_CA_SERVER_CSR_CN=org3
      - FABRIC_CA_SERVER_CSR_HOSTS=0.0.0.0
      - FABRIC_CA_SERVER_PORT=7054
      - FABRIC_CA_SERVER_DEBUG=true
    volumes:
      - /usr/local/home/org3/ca:/usr/local/home/org3/ca
    networks:
      - byfn
    ports:
      - 7056:7054
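2. Start the org3-ca service
Directory structure of /usr/local/home before starting the org3-ca service
Check the org3-ca service container: it is already running
After the org3-ca service starts, a new org3 folder appears under /usr/local/home. Directory structure of /usr/local/home/org3: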
.
└── ca
    └── crypto
        ├── ca-cert.pem
        ├── fabric-ca-server-config.yaml
        ├── fabric-ca-server.db
        ├── IssuerPublicKey
        ├── IssuerRevocationPublicKey
        ├── msp
        │   ├── cacerts
        │   ├── keystore
        │   │   ├── 7bfe66a82fd0a55de8f001a054170ae4729cbd84c4591c205b60b5a03ec0524a_sk
        │   │   ├── f00f7ec8ead847fd8802e8fbf7915468a96c5d13a7cc3bdc90226e44571b1581_sk
        │   │   ├── IssuerRevocationPrivateKey
        │   │   └── IssuerSecretKey
        │   ├── signcerts
        │   └── user
        └── tls-cert.pem
3. Register org3 with the tls-ca service
Register all nodes of the org3 organization and its admin with the tls-ca service
# First set the environment variables for tls-ca
export FABRIC_CA_CLIENT_TLS_CERTFILES=/usr/local/home/tls-ca/crypto/ca-cert.pem
export FABRIC_CA_CLIENT_HOME=/usr/local/home/tls-ca/admin
# Log in to the tls-ca service with the tls-ca administrator account
# <tls-ca-admin-password> is a placeholder for the tls-ca admin password set when the tls-ca service was started
fabric-ca-client enroll -d -u https://tls-ca-admin:<tls-ca-admin-password>@0.0.0.0:7052
# Register all org3 nodes with the tls-ca service
fabric-ca-client register -d --id.name peer1-org3 --id.secret peer1PW --id.type peer -u https://0.0.0.0:7052
fabric-ca-client register -d --id.name peer2-org3 --id.secret peer2PW --id.type peer -u https://0.0.0.0:7052
# Register the org3 admin with the tls-ca service
fabric-ca-client register -d --id.name admin-org3 --id.secret org3AdminPW --id.type admin -u https://0.0.0.0:7052
Register all nodes of the org3 organization and the admin account with the org3-ca service
# Set the environment variables for the org3-ca service
export FABRIC_CA_CLIENT_TLS_CERTFILES=/usr/local/home/org3/ca/crypto/ca-cert.pem
export FABRIC_CA_CLIENT_HOME=/usr/local/home/org3/ca/admin
# Log in to the org3-ca service as its administrator; the org3-admin account and password are the ones given in the command of the docker-compose file that starts org3-ca
fabric-ca-client enroll -d -u https://org3-admin:org3-adminpw@0.0.0.0:7056
Logging in to the org3-ca service as org3-admin creates the admin folder under /usr/local/home/org3/ca
Directory structure of /usr/local/home/org3
.
└── ca
    ├── admin
    │   ├── fabric-ca-client-config.yaml
    │   └── tls-msp
    │       ├── cacerts
    │       │   └── 0-0-0-0-7056.pem
    │       ├── IssuerPublicKey
    │       ├── IssuerRevocationPublicKey
    │       ├── keystore
    │       │   └── 7f72c1e7a3d96e6a5ee4077c31df080c9d0c96d7fbde3baa1866aeb9895cb8c2_sk
    │       ├── signcerts
    │       │   └── cert.pem
    │       └── user
    └── crypto
        ├── ca-cert.pem
        ├── fabric-ca-server-config.yaml
        ├── fabric-ca-server.db
        ├── IssuerPublicKey
        ├── IssuerRevocationPublicKey
        ├── msp
        │   ├── cacerts
        │   ├── keystore
        │   │   ├── 7bfe66a82fd0a55de8f001a054170ae4729cbd84c4591c205b60b5a03ec0524a_sk
        │   │   ├── f00f7ec8ead847fd8802e8fbf7915468a96c5d13a7cc3bdc90226e44571b1581_sk
        │   │   ├── IssuerRevocationPrivateKey
        │   │   └── IssuerSecretKey
        │   ├── signcerts
        │   └── user
        └── tls-cert.pem
Register peer1, peer2 and the admin account with the org3-ca service
# Register the peer1-org3 account with the org3-ca service
fabric-ca-client register -d --id.name peer1-org3 --id.secret peer1PW --id.type peer -u https://0.0.0.0:7056
# Register the peer2-org3 account with the org3-ca service
fabric-ca-client register -d --id.name peer2-org3 --id.secret peer2PW --id.type peer -u https://0.0.0.0:7056
# Register the admin account with the org3-ca service
fabric-ca-client register -d --id.name admin-org3 --id.secret org3AdminPW --id.type admin -u https://0.0.0.0:7056
4. Obtain the MSP and TLS certificates for org3
Obtain the certificates for peer1-org3
MSP certificate for peer1-org3
# Root directory for the peer1-org3 certificates
export FABRIC_CA_CLIENT_HOME=/usr/local/home/org3/peer1
# Use the certificate generated when org3-ca started to communicate with org3-ca
export FABRIC_CA_CLIENT_TLS_CERTFILES=/usr/local/home/org3/ca/crypto/ca-cert.pem
# MSP certificate directory for peer1-org3
export FABRIC_CA_CLIENT_MSPDIR=msp
# Log in to the org3-ca service with the peer1-org3 account
fabric-ca-client enroll -d -u https://peer1-org3:peer1PW@0.0.0.0:7056
After a successful login to the org3-ca service, a peer1 folder is created under /usr/local/home/org3
Directory structure of /usr/local/home/org3, with the new peer1 folder
.
├── ca
│   ├── admin
│   │   ├── fabric-ca-client-config.yaml
│   │   └── tls-msp
│   │       ├── cacerts
│   │       │   └── 0-0-0-0-7056.pem
│   │       ├── IssuerPublicKey
│   │       ├── IssuerRevocationPublicKey
│   │       ├── keystore
│   │       │   └── 7f72c1e7a3d96e6a5ee4077c31df080c9d0c96d7fbde3baa1866aeb9895cb8c2_sk
│   │       ├── signcerts
│   │       │   └── cert.pem
│   │       └── user
│   └── crypto
│       ├── ca-cert.pem
│       ├── fabric-ca-server-config.yaml
│       ├── fabric-ca-server.db
│       ├── IssuerPublicKey
│       ├── IssuerRevocationPublicKey
│       ├── msp
│       │   ├── cacerts
│       │   ├── keystore
│       │   │   ├── 7bfe66a82fd0a55de8f001a054170ae4729cbd84c4591c205b60b5a03ec0524a_sk
│       │   │   ├── f00f7ec8ead847fd8802e8fbf7915468a96c5d13a7cc3bdc90226e44571b1581_sk
│       │   │   ├── IssuerRevocationPrivateKey
│       │   │   └── IssuerSecretKey
│       │   ├── signcerts
│       │   └── user
│       └── tls-cert.pem
└── peer1
    ├── fabric-ca-client-config.yaml
    └── msp
        ├── cacerts
        │   └── 0-0-0-0-7056.pem
        ├── IssuerPublicKey
        ├── IssuerRevocationPublicKey
        ├── keystore
        │   └── 485c2bcd4e59f254f0b4f2fa02dba3c38d4421e216e8d40f6e610b9cf9d99eb7_sk
        ├── signcerts
        │   └── cert.pem
        └── user
TLS certificate for peer1-org3
# TLS certificate directory for peer1-org3
export FABRIC_CA_CLIENT_MSPDIR=tls-msp
# Use the certificate generated when tls-ca started to communicate with tls-ca
export FABRIC_CA_CLIENT_TLS_CERTFILES=/usr/local/home/tls-ca/crypto/ca-cert.pem
# Log in to the tls-ca server as peer1-org3
fabric-ca-client enroll -d -u https://peer1-org3:peer1PW@0.0.0.0:7052 --enrollment.profile tls --csr.hosts peer1-org3
After a successful login, a tls-msp directory is created under /usr/local/home/org3/peer1
Directory structure of /usr/local/home/org3/peer1, with the new tls-msp directory
.
├── fabric-ca-client-config.yaml
├── msp
│   ├── cacerts
│   │   └── 0-0-0-0-7056.pem
│   ├── IssuerPublicKey
│   ├── IssuerRevocationPublicKey
│   ├── keystore
│   │   └── 485c2bcd4e59f254f0b4f2fa02dba3c38d4421e216e8d40f6e610b9cf9d99eb7_sk
│   ├── signcerts
│   │   └── cert.pem
│   └── user
└── tls-msp
    ├── cacerts
    ├── IssuerPublicKey
    ├── IssuerRevocationPublicKey
    ├── keystore
    │   └── a5c168df5918978be9fa8b8d8b3371d4a7b7cd6d3a3c6a69481c372eca4aa0ee_sk
    ├── signcerts
    │   └── cert.pem
    ├── tlscacerts
    │   └── tls-0-0-0-0-7052.pem
    └── user
Rename the private key
mv /usr/local/home/org3/peer1/tls-msp/keystore/*_sk /usr/local/home/org3/peer1/tls-msp/keystore/key.pem
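Obtain the certificates for peer2-org3
MSP certificate for peer2-org3
# Root directory for the peer2-org3 certificates
export FABRIC_CA_CLIENT_HOME=/usr/local/home/org3/peer2
# Use the certificate generated when org3-ca started to communicate with org3-ca
export FABRIC_CA_CLIENT_TLS_CERTFILES=/usr/local/home/org3/ca/crypto/ca-cert.pem
# MSP certificate directory for peer2-org3
export FABRIC_CA_CLIENT_MSPDIR=msp
# Log in to the org3-ca service with the peer2-org3 account
fabric-ca-client enroll -d -u https://peer2-org3:peer2PW@0.0.0.0:7056
After a successful login to the org3-ca service, a peer2 folder is created under /usr/local/home/org3
Directory structure of /usr/local/home/org3/peer2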
.
├── fabric-ca-client-config.yaml
└── msp
    ├── cacerts
    │   └── 0-0-0-0-7056.pem
    ├── IssuerPublicKey
    ├── IssuerRevocationPublicKey
    ├── keystore
    │   └── 6d19ee59c6c55a1994560746437fe1c3ccc91e3602d6287196a8832dc6c5331d_sk
    ├── signcerts
    │   └── cert.pem
    └── user
TLS certificate for peer2-org3
# TLS certificate directory for peer2-org3
export FABRIC_CA_CLIENT_MSPDIR=tls-msp
# Use the certificate generated when tls-ca started to communicate with tls-ca
export FABRIC_CA_CLIENT_TLS_CERTFILES=/usr/local/home/tls-ca/crypto/ca-cert.pem
# Log in to the tls-ca server as peer2-org3
fabric-ca-client enroll -d -u https://peer2-org3:peer2PW@0.0.0.0:7052 --enrollment.profile tls --csr.hosts peer2-org3
After a successful login, a tls-msp directory is created under /usr/local/home/org3/peer2
Directory structure of /usr/local/home/org3/peer2, with the new tls-msp directory
.
├── fabric-ca-client-config.yaml
├── msp
│   ├── cacerts
│   │   └── 0-0-0-0-7056.pem
│   ├── IssuerPublicKey
│   ├── IssuerRevocationPublicKey
│   ├── keystore
│   │   └── 6d19ee59c6c55a1994560746437fe1c3ccc91e3602d6287196a8832dc6c5331d_sk
│   ├── signcerts
│   │   └── cert.pem
│   └── user
└── tls-msp
    ├── cacerts
    ├── IssuerPublicKey
    ├── IssuerRevocationPublicKey
    ├── keystore
    │   └── a4707f6f30075d1170bbfbeda4813650b89f05b733fc939d3186d25b4da1a945_sk
    ├── signcerts
    │   └── cert.pem
    ├── tlscacerts
    │   └── tls-0-0-0-0-7052.pem
    └── user
Rename the private key
mv /usr/local/home/org3/peer2/tls-msp/keystore/*_sk /usr/local/home/org3/peer2/tls-msp/keystore/key.pem
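Obtain the certificates for admin-org3
MSP certificate for admin-org3
# Root directory for the admin-org3 certificates
export FABRIC_CA_CLIENT_HOME=/usr/local/home/org3/admin
# Use the certificate generated when org3-ca started to communicate with org3-ca
export FABRIC_CA_CLIENT_TLS_CERTFILES=/usr/local/home/org3/ca/crypto/ca-cert.pem
# MSP certificate directory for admin-org3
export FABRIC_CA_CLIENT_MSPDIR=msp
# Log in to the org3-ca service with the admin-org3 account
fabric-ca-client enroll -d -u https://admin-org3:org3AdminPW@0.0.0.0:7056
After a successful login to the org3-ca service, an admin folder is created under /usr/local/home/org3
Directory structure of /usr/local/home/org3/admin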
.
├── fabric-ca-client-config.yaml
└── msp
    ├── cacerts
    │   └── 0-0-0-0-7056.pem
    ├── IssuerPublicKey
    ├── IssuerRevocationPublicKey
    ├── keystore
    │   └── 57ae6383f055f293c15bd8746edc6909e71af47517eb966e0bc0c190c91d080e_sk
    ├── signcerts
    │   └── cert.pem
    └── user
TLS certificate for admin-org3
# TLS certificate directory for admin-org3
export FABRIC_CA_CLIENT_MSPDIR=tls-msp
# Use the certificate generated when tls-ca started to communicate with tls-ca
export FABRIC_CA_CLIENT_TLS_CERTFILES=/usr/local/home/tls-ca/crypto/ca-cert.pem
# Log in to the tls-ca server as admin-org3
fabric-ca-client enroll -d -u https://admin-org3:org3AdminPW@0.0.0.0:7052 --enrollment.profile tls --csr.hosts admin-org3
After a successful login, a tls-msp directory is created under /usr/local/home/org3/admin
Directory structure of /usr/local/home/org3/admin, with the new tls-msp directory
.
├── fabric-ca-client-config.yaml
├── msp
│   ├── cacerts
│   │   └── 0-0-0-0-7056.pem
│   ├── config.yaml
│   ├── IssuerPublicKey
│   ├── IssuerRevocationPublicKey
│   ├── keystore
│   │   └── 57ae6383f055f293c15bd8746edc6909e71af47517eb966e0bc0c190c91d080e_sk
│   ├── signcerts
│   │   └── cert.pem
│   └── user
└── tls-msp
    ├── cacerts
    ├── IssuerPublicKey
    ├── IssuerRevocationPublicKey
    ├── keystore
    │   └── 01bb0eaf881a209e2669229e1fa745e736caee99cb689d06d9ae711a9c5f53f5_sk
    ├── signcerts
    │   └── cert.pem
    ├── tlscacerts
    │   └── tls-0-0-0-0-7052.pem
    └── user
Rename the private key
mv /usr/local/home/org3/admin/tls-msp/keystore/*_sk /usr/local/home/org3/admin/tls-msp/keystore/key.pem
Issue the admin certificate to peer1 and peer2
Create an admincerts folder under the msp directory of peer1 and of peer2, copy the cert.pem certificate from admin/msp/signcerts into it, and rename it to org3-admin-cert.pem
# Issue the admin certificate to peer1
mkdir -p /usr/local/home/org3/peer1/msp/admincerts && cp /usr/local/home/org3/admin/msp/signcerts/cert.pem /usr/local/home/org3/peer1/msp/admincerts/org3-admin-cert.pem
# Issue the admin certificate to peer2
mkdir -p /usr/local/home/org3/peer2/msp/admincerts && cp /usr/local/home/org3/admin/msp/signcerts/cert.pem /usr/local/home/org3/peer2/msp/admincerts/org3-admin-cert.pem
The config.yaml configuration file
Copy the config.yaml configuration file into the msp folder of the peer1, peer2 and admin directories; the port in the certificate file name is the org3-ca port
NodeOUs:
  Enable: true
  ClientOUIdentifier:
    Certificate: cacerts/0-0-0-0-7056.pem
    OrganizationalUnitIdentifier: client
  PeerOUIdentifier:
    Certificate: cacerts/0-0-0-0-7056.pem
    OrganizationalUnitIdentifier: peer
  AdminOUIdentifier:
    Certificate: cacerts/0-0-0-0-7056.pem
    OrganizationalUnitIdentifier: admin
  OrdererOUIdentifier:
    Certificate: cacerts/0-0-0-0-7056.pem
    OrganizationalUnitIdentifier: orderer
Directory structure of /usr/local/home/org3 at this point
.
├── admin
│   ├── fabric-ca-client-config.yaml
│   ├── msp
│   │   ├── cacerts
│   │   │   └── 0-0-0-0-7056.pem
│   │   ├── config.yaml
│   │   ├── IssuerPublicKey
│   │   ├── IssuerRevocationPublicKey
│   │   ├── keystore
│   │   │   └── 57ae6383f055f293c15bd8746edc6909e71af47517eb966e0bc0c190c91d080e_sk
│   │   ├── signcerts
│   │   │   └── cert.pem
│   │   └── user
│   └── tls-msp
│       ├── cacerts
│       ├── IssuerPublicKey
│       ├── IssuerRevocationPublicKey
│       ├── keystore
│       │   └── c35eea84c985de600f48c42028603fa98bb4f3248fef011b2ff3b78f7d35bb2a_sk
│       ├── signcerts
│       │   └── cert.pem
│       ├── tlscacerts
│       │   └── tls-0-0-0-0-7052.pem
│       └── user
├── ca
│   ├── admin
│   │   ├── fabric-ca-client-config.yaml
│   │   └── tls-msp
│   │       ├── cacerts
│   │       │   └── 0-0-0-0-7056.pem
│   │       ├── IssuerPublicKey
│   │       ├── IssuerRevocationPublicKey
│   │       ├── keystore
│   │       │   └── 7f72c1e7a3d96e6a5ee4077c31df080c9d0c96d7fbde3baa1866aeb9895cb8c2_sk
│   │       ├── signcerts
│   │       │   └── cert.pem
│   │       └── user
│   └── crypto
│       ├── ca-cert.pem
│       ├── fabric-ca-server-config.yaml
│       ├── fabric-ca-server.db
│       ├── IssuerPublicKey
│       ├── IssuerRevocationPublicKey
│       ├── msp
│       │   ├── cacerts
│       │   ├── keystore
│       │   │   ├── 7bfe66a82fd0a55de8f001a054170ae4729cbd84c4591c205b60b5a03ec0524a_sk
│       │   │   ├── f00f7ec8ead847fd8802e8fbf7915468a96c5d13a7cc3bdc90226e44571b1581_sk
│       │   │   ├── IssuerRevocationPrivateKey
│       │   │   └── IssuerSecretKey
│       │   ├── signcerts
│       │   └── user
│       └── tls-cert.pem
├── peer1
│   ├── fabric-ca-client-config.yaml
│   ├── msp
│   │   ├── cacerts
│   │   │   └── 0-0-0-0-7056.pem
│   │   ├── config.yaml
│   │   ├── IssuerPublicKey
│   │   ├── IssuerRevocationPublicKey
│   │   ├── keystore
│   │   │   └── 485c2bcd4e59f254f0b4f2fa02dba3c38d4421e216e8d40f6e610b9cf9d99eb7_sk
│   │   ├── signcerts
│   │   │   └── cert.pem
│   │   └── user
│   └── tls-msp
│       ├── cacerts
│       ├── IssuerPublicKey
│       ├── IssuerRevocationPublicKey
│       ├── keystore
│       │   └── key.pem
│       ├── signcerts
│       │   └── cert.pem
│       ├── tlscacerts
│       │   └── tls-0-0-0-0-7052.pem
│       └── user
└── peer2
    ├── fabric-ca-client-config.yaml
    ├── msp
    │   ├── cacerts
    │   │   └── 0-0-0-0-7056.pem
    │   ├── config.yaml
    │   ├── IssuerPublicKey
    │   ├── IssuerRevocationPublicKey
    │   ├── keystore
    │   │   └── 6d19ee59c6c55a1994560746437fe1c3ccc91e3602d6287196a8832dc6c5331d_sk
    │   ├── signcerts
    │   │   └── cert.pem
    │   └── user
    └── tls-msp
        ├── cacerts
        ├── IssuerPublicKey
        ├── IssuerRevocationPublicKey
        ├── keystore
        │   └── key.pem
        ├── signcerts
        │   └── cert.pem
        ├── tlscacerts
        │   └── tls-0-0-0-0-7052.pem
        └── user
Consolidate the org3 certificates
# Create an org3 folder under /usr/local/home/configtx/ and copy the admin-org3 MSP certificates into it
mkdir -p /usr/local/home/configtx/org3 && cp -r /usr/local/home/org3/admin/msp /usr/local/home/configtx/org3
# Create a tlscacerts folder under /usr/local/home/configtx/org3/msp/ and copy the admin-org3 TLS CA certificate into it
mkdir -p /usr/local/home/configtx/org3/msp/tlscacerts && cp /usr/local/home/org3/admin/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem /usr/local/home/configtx/org3/msp/tlscacerts
Directory structure of /usr/local/home/configtx after consolidation, where org3 is the new folder
Directory structure of /usr/local/home/configtx/org3
.
└── msp
    ├── cacerts
    │   └── 0-0-0-0-7056.pem
    ├── config.yaml
    ├── IssuerPublicKey
    ├── IssuerRevocationPublicKey
    ├── keystore
    │   └── 57ae6383f055f293c15bd8746edc6909e71af47517eb966e0bc0c190c91d080e_sk
    ├── signcerts
    │   └── cert.pem
    ├── tlscacerts
    │   └── tls-0-0-0-0-7052.pem
    └── user
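configtxgen only needs the public parts of an MSP folder, yet the tree above shows that `cp -r` also carried the admin's keystore into /usr/local/home/configtx/org3/msp. The following is an added example, not code from the original article: it copies only the public items and fails if key material reaches the target. The function names and the sample folder contents are constructed for illustration.

```python
import os
import shutil
import tempfile

# Public parts of an MSP folder; keystore/ and signcerts/ are left out on purpose.
PUBLIC_ITEMS = ("cacerts", "intermediatecerts", "tlscacerts",
                "tlsintermediatecerts", "admincerts", "crls", "config.yaml")

def find_private_keys(msp_dir):
    """Relative paths under msp_dir that are, or look like, private keys."""
    hits = []
    for root, _dirs, files in os.walk(msp_dir):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, msp_dir)
            with open(path, "rb") as fh:
                pem_key = b"PRIVATE KEY-----" in fh.read(4096)
            if pem_key or name.endswith("_sk") or rel.split(os.sep)[0] == "keystore":
                hits.append(rel)
    return sorted(hits)

def export_channel_msp(src, dst):
    """Copy only the public MSP items from src to dst; return what was copied."""
    copied = []
    os.makedirs(dst, exist_ok=True)
    for item in PUBLIC_ITEMS:
        s, d = os.path.join(src, item), os.path.join(dst, item)
        if os.path.isdir(s):
            shutil.copytree(s, d, dirs_exist_ok=True)
        elif os.path.isfile(s):
            shutil.copy2(s, d)
        else:
            continue
        copied.append(item)
    leaked = find_private_keys(dst)
    if leaked:
        raise ValueError(f"private key material in {dst}: {leaked}")
    return copied

def build_sample_msp(root):
    """Constructed stand-in for /usr/local/home/org3/admin/msp (dummy contents)."""
    files = {"cacerts/0-0-0-0-7056.pem": "-----BEGIN CERTIFICATE-----\n",
             "signcerts/cert.pem": "-----BEGIN CERTIFICATE-----\n",
             "keystore/sample_sk": "-----BEGIN PRIVATE KEY-----\n",
             "config.yaml": "NodeOUs:\n  Enable: true\n"}
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        src = build_sample_msp(os.path.join(tmp, "admin-msp"))
        print("keys in source:", find_private_keys(src))
        print("copied:", export_channel_msp(src, os.path.join(tmp, "configtx-org3-msp")))
```

The tlscacerts folder is then added to the target from admin/tls-msp, as in the second command above.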
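5. Modify the block configuration
Create an org3-artifacts folder under /usr/local/home/configtx; the files related to updating the block will be placed under /usr/local/home/configtx/org3-artifacts/
mkdir -p /usr/local/home/configtx/org3-artifacts
The configtx.yaml file for org3
Modify the /usr/local/home/configtx/configtx.yaml file. The additions are marked with comments in the configuration below; pay attention to certificate paths and indentation.
I made the changes locally and then uploaded the file to the server: the original configtx.yaml was renamed to configtx-org1&org2.yaml, and the configuration file with org3 added is named configtx.yaml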
---
Organizations:
  - &org0
    Name: org0MSP
    ID: org0MSP
    MSPDir: /usr/local/home/configtx/org0/msp
    Policies:
      Readers:
        Type: Signature
        Rule: "OR('org0MSP.member')"
      Writers:
        Type: Signature
        Rule: "OR('org0MSP.member')"
      Admins:
        Type: Signature
        Rule: "OR('org0MSP.admin')"
    OrdererEndpoints:
      - orderer1-org0:7050
  - &org1
    Name: org1MSP
    ID: org1MSP
    MSPDir: /usr/local/home/configtx/org1/msp
    Policies:
      Readers:
        Type: Signature
        Rule: "OR('org1MSP.admin', 'org1MSP.peer', 'org1MSP.client')"
      Writers:
        Type: Signature
        Rule: "OR('org1MSP.admin', 'org1MSP.client')"
      Admins:
        Type: Signature
        Rule: "OR('org1MSP.admin')"
      Endorsement:
        Type: Signature
        Rule: "OR('org1MSP.peer')"
    AnchorPeers:
      - Host: peer1-org1
        Port: 7051
  - &org2
    Name: org2MSP
    ID: org2MSP
    MSPDir: /usr/local/home/configtx/org2/msp
    Policies:
      Readers:
        Type: Signature
        Rule: "OR('org2MSP.admin', 'org2MSP.peer', 'org2MSP.client')"
      Writers:
        Type: Signature
        Rule: "OR('org2MSP.admin', 'org2MSP.client')"
      Admins:
        Type: Signature
        Rule: "OR('org2MSP.admin')"
      Endorsement:
        Type: Signature
        Rule: "OR('org2MSP.peer')"
    AnchorPeers:
      - Host: peer1-org2
        Port: 9051
  # org3 configuration added
  - &org3
    Name: org3MSP
    ID: org3MSP
    MSPDir: /usr/local/home/configtx/org3/msp
    Policies:
      Readers:
        Type: Signature
        Rule: "OR('org3MSP.admin', 'org3MSP.peer', 'org3MSP.client')"
      Writers:
        Type: Signature
        Rule: "OR('org3MSP.admin', 'org3MSP.client')"
      Admins:
        Type: Signature
        Rule: "OR('org3MSP.admin')"
      Endorsement:
        Type: Signature
        Rule: "OR('org3MSP.peer')"
    AnchorPeers:
      - Host: peer1-org3
        # Must match the port peer1-org3 listens on (11051 in org3.yaml)
        Port: 11051
Capabilities:
  Channel: &ChannelCapabilities
    V2_0: true
  Orderer: &OrdererCapabilities
    V2_0: true
  Application: &ApplicationCapabilities
    V2_0: true
Application: &ApplicationDefaults
  Policies:
    Readers:
      Type: ImplicitMeta
      Rule: "ANY Readers"
    Writers:
      Type: ImplicitMeta
      Rule: "ANY Writers"
    Admins:
      Type: ImplicitMeta
      Rule: "MAJORITY Admins"
    LifecycleEndorsement:
      Type: ImplicitMeta
      Rule: "MAJORITY Endorsement"
    Endorsement:
      Type: ImplicitMeta
      Rule: "MAJORITY Endorsement"
  Capabilities:
    <<: *ApplicationCapabilities
Orderer: &OrdererDefaults
  OrdererType: etcdraft
  EtcdRaft:
    Consenters:
      - Host: orderer1-org0
        Port: 7050
        ClientTLSCert: /usr/local/home/org0/orderers/orderer1-org0/tls-msp/signcerts/cert.pem
        ServerTLSCert: /usr/local/home/org0/orderers/orderer1-org0/tls-msp/signcerts/cert.pem
      - Host: orderer2-org0
        Port: 8050
        ClientTLSCert: /usr/local/home/org0/orderers/orderer2-org0/tls-msp/signcerts/cert.pem
        ServerTLSCert: /usr/local/home/org0/orderers/orderer2-org0/tls-msp/signcerts/cert.pem
      - Host: orderer3-org0
        Port: 9050
        ClientTLSCert: /usr/local/home/org0/orderers/orderer3-org0/tls-msp/signcerts/cert.pem
        ServerTLSCert: /usr/local/home/org0/orderers/orderer3-org0/tls-msp/signcerts/cert.pem
  BatchTimeout: 2s
  BatchSize:
    MaxMessageCount: 10
    AbsoluteMaxBytes: 99 MB
    PreferredMaxBytes: 512 KB
  Organizations:
  Policies:
    Readers:
      Type: ImplicitMeta
      Rule: "ANY Readers"
    Writers:
      Type: ImplicitMeta
      Rule: "ANY Writers"
    Admins:
      Type: ImplicitMeta
      Rule: "MAJORITY Admins"
    BlockValidation:
      Type: ImplicitMeta
      Rule: "ANY Writers"
Channel: &ChannelDefaults
  Policies:
    Readers:
      Type: ImplicitMeta
      Rule: "ANY Readers"
    Writers:
      Type: ImplicitMeta
      Rule: "ANY Writers"
    Admins:
      Type: ImplicitMeta
      Rule: "MAJORITY Admins"
  Capabilities:
    <<: *ChannelCapabilities
Profiles:
  TwoOrgsOrdererGenesis:
    <<: *ChannelDefaults
    Orderer:
      <<: *OrdererDefaults
      Organizations:
        - *org0
      Capabilities:
        <<: *OrdererCapabilities
    Consortiums:
      SampleConsortium:
        Organizations:
          - *org1
          - *org2
  # Added - *org3
  NewOrgsChannel:
    Consortium: SampleConsortium
    <<: *ChannelDefaults
    Application:
      <<: *ApplicationDefaults
      Organizations:
        - *org1
        - *org2
        - *org3
      Capabilities:
        <<: *ApplicationCapabilities
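Files under the /usr/local/home/configtx directory
Get the org3 block
Before doing so, check the prerequisites
- the org3-artifacts folder exists
- the configtx.yaml file with org3 added is in place
The channel-artifacts folder is also used, so make sure it exists as well
# org3MSP is the ID configured in configtx.yaml
# /usr/local/home/configtx is the directory containing the configtx.yaml configuration file
# channel-artifacts/org3.json is the generated file
configtxgen -printOrg org3MSP -configPath /usr/local/home/configtx > ./channel-artifacts/org3.json
Generated successfully
An org3.json file is created under channel-artifacts/
Directory structure of /usr/local/home/configtx/channel-artifacts, with the new org3.json file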
.
├── mychannel.tx
├── org1MSPanchors.tx
├── org2MSPanchors.tx
└── org3.json
Enter the cli container
# Enter the cli container
docker exec -it cli-org1 bash
# Working root directory of the cli
cd /usr/local/home/configtx
You can see the new org3-artifacts folder and the channel-artifacts folder. All subsequent operations use /usr/local/home/configtx as the root directory.
Because the org3 organization has not joined the channel yet, the certificates of peer1-org1 have to be used explicitly to fetch the block first; the block contains the channel configuration.
The block is modified in order to add the org3 organization to it and have the org1 and org2 organizations recognize org3.
# TLS certificate of the orderer
export ORDERPEM=/usr/local/home/org0/orderers/orderer1-org0/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem
# Channel name
export CHANNEL_NAME=mychannel
# MSP certificates for peer1-org1
export CORE_PEER_MSPCONFIGPATH=/usr/local/home/org1/admin/msp
export CORE_PEER_ADDRESS=peer1-org1:7051
export CORE_PEER_LOCALMSPID="org1MSP"
# TLS certificate for peer1-org1
export CORE_PEER_TLS_ROOTCERT_FILE=/usr/local/home/org1/peer1/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem
# Fetch the block with the peer1-org1 certificates; this creates config_block.pb in the current directory
peer channel fetch config config_block.pb -o orderer1-org0:7050 -c $CHANNEL_NAME --tls --cafile $ORDERPEM
Block fetched successfully
Output: the config_block.pb file
To modify the configuration, convert the pb file to JSON; this writes config.json to the /usr/local/home/configtx directory
configtxlator proto_decode --input config_block.pb --type common.Block | jq '.data.data[0].payload.data.config' > config.json
Add the org3 configuration generated earlier, org3.json, to config.json; this writes modified_config.json to the /usr/local/home/configtx directory
jq -s '.[0] * {"channel_group":{"groups":{"Application":{"groups": {"Org3MSP":.[1]}}}}}' config.json /usr/local/home/configtx/channel-artifacts/org3.json > modified_config.json
Encode config.json and modified_config.json back to pb; this writes config.pb and modified_config.pb to the /usr/local/home/configtx directory
# Writes config.pb to the /usr/local/home/configtx directory
configtxlator proto_encode --input config.json --type common.Config --output config.pb
# Writes modified_config.pb
configtxlator proto_encode --input modified_config.json --type common.Config --output modified_config.pb
Compute the difference between the two pb files; this writes org3_update.pb to the /usr/local/home/configtx directory
configtxlator compute_update --channel_id mychannel --original config.pb --updated modified_config.pb --output org3_update.pb
Decode the update pb to JSON; the data is written to org3_update.json
configtxlator proto_decode --input org3_update.pb --type common.ConfigUpdate | jq . > org3_update.json
We now have a decoded update file, org3_update.json, which must be wrapped in an envelope message. This step restores the header field that was stripped earlier. The result is written to the /usr/local/home/configtx directory as org3_update_in_envelope.json
echo '{"payload":{"header":{"channel_header":{"channel_id":"'$CHANNEL_NAME'", "type":2}},"data":{"config_update":'$(cat org3_update.json)'}}}' | jq . > org3_update_in_envelope.json
With the correctly formatted JSON, org3_update_in_envelope.json, we run configtxlator one last time to convert it into the full protobuf format that Fabric requires. The final update object, org3_update_in_envelope.pb, is written to the /usr/local/home/configtx directory
configtxlator proto_encode --input org3_update_in_envelope.json --type common.Envelope --output org3_update_in_envelope.pb
Sign and submit the configuration update
peer channel signconfigtx -f org3_update_in_envelope.pb
Switch the environment to org2 and run the configuration update. Because update also signs on behalf of the current organization, a separate org2 signature is not needed
export CORE_PEER_MSPCONFIGPATH=/usr/local/home/org2/admin/msp
export CORE_PEER_ADDRESS=peer1-org2:9051
export CORE_PEER_LOCALMSPID="org2MSP"
export CORE_PEER_TLS_ROOTCERT_FILE=/usr/local/home/org2/peer1/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem
export CHANNEL_NAME=mychannel
export ORDERPEM=/usr/local/home/org0/orderers/orderer1-org0/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem
# Update command
peer channel update -f org3_update_in_envelope.pb -c $CHANNEL_NAME -o orderer1-org0:7050 --tls --cafile $ORDERPEM
Update succeeded
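org3_update.json is the readable form of what org1 and org2 endorse with `peer channel signconfigtx` and `peer channel update`, so it is worth reviewing before signing. The following is an added example, not code from the original article: it compares the write_set with the read_set and reports any change other than the new organization group. The sample update is constructed; the group key Org3MSP follows the jq command above and the MSP ID org3MSP follows configtx.yaml.

```python
KINDS = ("groups", "values", "policies")

def changed_paths(update):
    """Map every write_set element that is new, or whose version differs from
    the read_set, to 'added' or 'modified'. Equal versions mean unchanged."""
    changes = {}

    def walk(write, read, path):
        if read is None:
            changes[path] = "added"
        elif int(write.get("version", 0)) != int(read.get("version", 0)):
            changes[path] = "modified"
        for kind in KINDS:
            for name, child in (write.get(kind) or {}).items():
                old = None if read is None else (read.get(kind) or {}).get(name)
                walk(child, old, f"{path}/{kind}/{name}")

    walk(update["write_set"], update.get("read_set") or {}, "channel")
    return changes

def review_add_org(update, channel, org_group, msp_id):
    """Return findings; an empty list means the update only adds org_group."""
    app = "channel/groups/Application"
    new_org = f"{app}/groups/{org_group}"
    findings = []
    if update.get("channel_id") != channel:
        findings.append(f"channel_id is {update.get('channel_id')!r}")
    changes = changed_paths(update)
    if changes.get(new_org) != "added":
        findings.append(f"{new_org} is not a new group")
    for path, kind in sorted(changes.items()):
        # Adding a member bumps the Application group's own version by one.
        if (path, kind) == (app, "modified"):
            continue
        if path == new_org or path.startswith(new_org + "/"):
            continue
        findings.append(f"unexpected change ({kind}): {path}")
    groups = update["write_set"].get("groups", {}).get("Application", {}).get("groups", {})
    msp = groups.get(org_group, {}).get("values", {}).get("MSP", {}).get("value") or {}
    name = (msp.get("config") or {}).get("name")
    if name != msp_id:
        findings.append(f"MSP ID in {org_group} is {name!r}, expected {msp_id!r}")
    return findings

# --- Constructed sample data (certificates and most policies omitted) ---
def _elem(version, **extra):
    return {"mod_policy": "", "version": str(version), **extra}

def _group(version, groups=None, policies=None, values=None):
    return _elem(version, groups=groups or {}, policies=policies or {}, values=values or {})

def sample_update():
    """Stand-in for org3_update.json as produced by the steps above."""
    def app_policies():
        return {"Admins": _elem(0, policy=None), "Writers": _elem(0, policy=None)}
    def orgs():
        return {"org1MSP": _group(1), "org2MSP": _group(1)}
    org3 = _group(0, policies={"Admins": _elem(0, policy={"type": 1})},
                  values={"MSP": _elem(0, value={"config": {"name": "org3MSP"}})})
    read = _group(0, groups={"Application": _group(1, orgs(), app_policies())})
    write = _group(0, groups={"Application": _group(2, {**orgs(), "Org3MSP": org3}, app_policies())})
    return {"channel_id": "mychannel", "read_set": read, "write_set": write}

def tampered_update():
    """Same update, but the Application Admins policy is rewritten as well."""
    update = sample_update()
    admins = update["write_set"]["groups"]["Application"]["policies"]["Admins"]
    admins.update(version="1", policy={"type": 3, "value": {"rule": "ANY", "sub_policy": "Admins"}})
    return update

if __name__ == "__main__":
    for label, upd in (("sample", sample_update()), ("tampered", tampered_update())):
        result = review_add_org(upd, "mychannel", "Org3MSP", "org3MSP")
        print(label, result or "only adds Org3MSP")
```

For a real run, load org3_update.json with `json.load` and pass the result to `review_add_org`.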
6. Start the nodes of the org3 organization
Write the docker-compose file for org3
Go to the /usr/local/home directory and create the org3.yaml file
cd /usr/local/home && touch org3.yaml
org3.yaml configuration
version: '2'
volumes:
  peer1-org3:
  peer2-org3:
networks:
  byfn:
    external:
      name: dev
services:
  peer1-org3:
    container_name: peer1-org3
    image: hyperledger/fabric-peer:latest
    environment:
      - CORE_PEER_ID=peer1-org3
      # This peer's own address
      - CORE_PEER_ADDRESS=peer1-org3:11051
      - CORE_PEER_LISTENADDRESS=0.0.0.0:11051
      - CORE_PEER_CHAINCODEADDRESS=peer1-org3:11052
      - CORE_PEER_CHAINCODELISTENADDRESS=0.0.0.0:11052
      - CORE_PEER_GOSSIP_BOOTSTRAP=peer1-org3:11051
      - CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer1-org3:11051
      - CORE_PEER_LOCALMSPID=org3MSP
      - CORE_PEER_MSPCONFIGPATH=/usr/local/home/org3/peer1/msp
      - CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
      - CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE=dev
      - FABRIC_LOGGING_SPEC=debug
      - CORE_PEER_TLS_ENABLED=true
      - CORE_PEER_TLS_CERT_FILE=/usr/local/home/org3/peer1/tls-msp/signcerts/cert.pem
      - CORE_PEER_TLS_KEY_FILE=/usr/local/home/org3/peer1/tls-msp/keystore/key.pem
      - CORE_PEER_TLS_ROOTCERT_FILE=/usr/local/home/org3/peer1/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem
      - CORE_PEER_GOSSIP_USELEADERELECTION=true
      - CORE_PEER_GOSSIP_ORGLEADER=false
      - CORE_PEER_PROFILE_ENABLED=true
      - CORE_PEER_GOSSIP_SKIPHANDSHAKE=true
    working_dir: /opt/gopath/src/github.com/hyperledger/fabric/org3/peer1
    volumes:
      - /var/run:/host/var/run
      - /usr/local/home:/usr/local/home
    networks:
      - byfn
    ports:
      - 11051:11051
  peer2-org3:
    container_name: peer2-org3
    image: hyperledger/fabric-peer:latest
    environment:
      - CORE_PEER_ID=peer2-org3
      - CORE_PEER_ADDRESS=peer2-org3:12051
      - CORE_PEER_LISTENADDRESS=0.0.0.0:12051
      - CORE_PEER_CHAINCODEADDRESS=peer2-org3:12052
      - CORE_PEER_CHAINCODELISTENADDRESS=0.0.0.0:12052
      # Bootstrap from peer1-org3, which listens on 11051
      - CORE_PEER_GOSSIP_BOOTSTRAP=peer1-org3:11051
      - CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer2-org3:12051
      - CORE_PEER_LOCALMSPID=org3MSP
      - CORE_PEER_MSPCONFIGPATH=/usr/local/home/org3/peer2/msp
      - CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
      - CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE=dev
      - FABRIC_LOGGING_SPEC=debug
      - CORE_PEER_TLS_ENABLED=true
      - CORE_PEER_TLS_CERT_FILE=/usr/local/home/org3/peer2/tls-msp/signcerts/cert.pem
      - CORE_PEER_TLS_KEY_FILE=/usr/local/home/org3/peer2/tls-msp/keystore/key.pem
      - CORE_PEER_TLS_ROOTCERT_FILE=/usr/local/home/org3/peer2/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem
      - CORE_PEER_GOSSIP_USELEADERELECTION=true
      - CORE_PEER_GOSSIP_ORGLEADER=false
      - CORE_PEER_PROFILE_ENABLED=true
      - CORE_PEER_GOSSIP_SKIPHANDSHAKE=true
    working_dir: /opt/gopath/src/github.com/hyperledger/fabric/org3/peer2
    volumes:
      - /var/run:/host/var/run
      - /usr/local/home:/usr/local/home
    networks:
      - byfn
    ports:
      - 12051:12051
Start org3
docker-compose -f org3.yaml up -d
7. Join org3 to the channel
Enter the cli container
docker exec -it cli-org1 bash
# Go to the working directory
cd /usr/local/home/
# Switch to the org3 environment variables
export CORE_PEER_LOCALMSPID="org3MSP"
export CORE_PEER_ADDRESS=peer1-org3:11051
export CORE_PEER_TLS_ROOTCERT_FILE=/usr/local/home/org3/peer1/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem
export CORE_PEER_MSPCONFIGPATH=/usr/local/home/org3/admin/msp
export ORDERPEM=/usr/local/home/org0/orderers/orderer1-org0/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem
# Set the channel name
export CHANNEL_NAME=mychannel
# Fetch block 0, the genesis block of mychannel
peer channel fetch 0 $CHANNEL_NAME.block -o orderer1-org0:7050 -c $CHANNEL_NAME --tls --cafile $ORDERPEM
# The command writes the genesis block to a file named $CHANNEL_NAME.block. Now use this block to join the org3 peer to the channel.
peer channel join -b $CHANNEL_NAME.block
Joined the channel successfully
List the channels
peer channel list
8. Install the chaincode on peer1-org3
Installing chaincode for org3 is no different from installing it on peer1-org2 and peer1-org1, so it is not repeated here