Fabric CA 学习记录
加入Fabric联盟链的计算机结点和用户都必须要经过注册并获得CA颁发的证书,才能在联盟链中操作。证书颁发机构可以提供的功能如下:
身份的注册 或连接到LDAP(Lightweight Directory Access Protocol,轻量目录访问协议)作为用户注册表;
签发登记证书(ECerts)(Enrollment Certificates)
签发交易证书(TCerts)(Transaction Certificates),在Hyperledger Fabric blockchain上交易时提供匿名性和不可链接性。
证书续期和撤销
与 Hyperledger Fabric CA 服务器交互的方式有两种:通过 Hyperledger Fabric CA 客户端或通过其中一个 Fabric SDK。与 Hyperledger Fabric CA 服务器的所有通信都是通过 REST API 进行的。
集群中的所有 Hyperledger Fabric CA 服务器共享同一个数据库以跟踪身份和证书。如果配置了 LDAP,身份信息将保存在 LDAP 而不是数据库中。
一个服务器可能包含多个 CA。每个 CA 要么是根 CA,要么是中间 CA。每个中间 CA 都有一个父 CA,它要么是根 CA,要么是另一个中间 CA。
什么是Fabric CA
Hyperledger Fabric CA 是 Hyperledger Fabric 的证书颁发机构 (CA)。
它提供以下功能:
- 身份注册,或作为用户注册表连接到 LDAP
- 颁发注册证书 (ECerts)
- 证书更新和撤销
Fabric CA 由服务器和客户端组件组成
TLS证书用于TLS协商。这些证书用于确保组件之间的网络链路完整性。使用标准的TLS,可以确保客户端连接到的服务器实际上就是他们想要的服务器,而不是伪装成他们的目的地的另一方。当相互TLS被启用时,除了来自标准TLS的标准客户端->服务器保证之外,服务器还可以验证客户端被授权形成TLS链接。
CA证书用于在Fabric网络上进行交易。客户使用他们的签名者证书来签署发送给对等点的提案和发送给订单者的事务,对等点使用他们的签名者证书来签署提案响应(创建背书),而订购者使用他们的签名者证书来签署块,这些块被传播回对等点和客户。当你看到一个没有明确注明为TLS的“证书”的引用时,这个证书通常是一个签名者证书
生产环境建议
建议为每个组织部署两个 CA,一个组织 CA 和一个 TLS CA
- TLS CA:
用来保护组织中节点之间的通信,生成所有节点的通信证书 - 组织CA:
用于生成组织和节点身份
排序服务节点不应该与peer所属同一组织,因此需要为peer所在组织和排序服务节点单独创建组织
部署CA 服务时应遵循部署顺序为:
1)TLS CA
2) 组织 CA
总体架构
官方采用的是多机部署环境、这里就简化下下,所有操作就简化下都在一台机器上。
下面介绍下本文所采用的整体架构
三个组织
Org0 —> 组织0
Org1 —> 组织1
Org2 —> 组织2
组织中的成员
Org0: 一个orderer节点,一个Org0的Admin节点
Org1: 两个Peer节点,一个Org1的Admin节点,一个Org1的User节点
Org2: 两个Peer节点,一个Org2的Admin节点,一个Org2的User节点
四台CA服务器
TLS服务器:为网络中所有节点颁发TLS证书,用于通信的加密
Org1的CA服务器:为组织1中所有用户颁发证书
Org2的Ca服务器:为组织2中所有用户颁发证书
Org0的CA服务器:为组织0中所有用户颁发证书
这里的四台CA服务器都是根服务器。彼此之间都是独立的存在,没有任何关系。,也就是说每一个CA服务器生成的证书在其他CA服务器都是不能用的。
一、 安装
1. 依赖条件
###依赖及go环境
yum install libtool libltdl-dev go docker
###另需要
docker-compose
二、设置TLS CA
TLS CA 用于颁发 TLS 证书。需要这些证书来保护各种进程之间的通信。
1启动TLS CA 容器
ca-tls:
container_name: ca-tls
image: hyperledger/fabric-ca:1.4.9
command: sh -c 'fabric-ca-server start -d -b tls-ca-admin:tls-ca-adminpw --port 7052'
environment:
- FABRIC_CA_SERVER_HOME=/tmp/hyperledger/fabric-ca/crypto
- FABRIC_CA_SERVER_TLS_ENABLED=true
- FABRIC_CA_SERVER_CSR_CN=tls-ca
- FABRIC_CA_SERVER_CSR_HOSTS=0.0.0.0
- FABRIC_CA_SERVER_DEBUG=true
volumes:
- /tmp/hyperledger/tls-ca:/tmp/hyperledger/fabric-ca
networks:
- fabric-ca
ports:
- 7052:7052
docker-compose up -d ca-tls
1.2 目录结构
[root@10 hyperledger]# tree
crypto
├── ca-cert.pem ####TLS CA 的签名证书
├── fabric-ca-server-config.yaml
├── fabric-ca-server.db
├── IssuerPublicKey
├── IssuerRevocationPublicKey
├── msp ###是定义管理该组织有效身份规则的组件,存放签名用的证书文件和加密用的私钥文件
│ ├── cacerts ##CA服务器的证书
│ ├── keystore ####节点或者账号的私钥
│ │ ├── 5d3c6784f5d5d0df8f368e6cda6c483f5ebe8b7189fa8817c3543b487b654bdf_sk
│ │ ├── IssuerRevocationPrivateKey
│ │ └── IssuerSecretKey
│ ├── signcerts ##符合X.509的节点或者账户证书文件。可以理解为账户的ID,将其复制到某个peer或Org的admincerts目录下代表管理员账号
│ └── user
└── tls-cert.pem ###TLS根CA的证书
在/tmp/hyperledger/tls-ca/crypto/路径下的ca-cert.pem文件。这是TLS CA服务器的签名根证书,目的是用来对CA的TLS证书进行验证,同时也需要持有这个证书才可以进行证书的颁发。
多环境下我们需要将它复制到每一台机器上。
2.注册 TLS CA 的管理员
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/tls-ca/crypto/tls-cert.pem
export FABRIC_CA_CLIENT_HOME=/tmp/hyperledger/tls-ca/admin
fabric-ca-client enroll -d -u https://tls-ca-admin:[email protected]:7052
fabric-ca-client register -d --id.name peer1-org1 --id.secret peer1PW --id.type peer -u https://0.0.0.0:7052
fabric-ca-client register -d --id.name peer2-org1 --id.secret peer2PW --id.type peer -u https://0.0.0.0:7052
fabric-ca-client register -d --id.name peer1-org2 --id.secret peer1PW --id.type peer -u https://0.0.0.0:7052
fabric-ca-client register -d --id.name peer2-org2 --id.secret peer2PW --id.type peer -u https://0.0.0.0:7052
fabric-ca-client register -d --id.name orderer1-org0 --id.secret ordererPW --id.type orderer -u https://0.0.0.0:7052
####查看注册的实体
[root@10 tls-ca]# fabric-ca-client identity list
Name: tls-ca-admin, Type: client, Affiliation: , Max Enrollments: -1, Attributes: [{
Name:hf.GenCRL Value:1 ECert:false} {
Name:hf.Registrar.Attributes Value:* ECert:false} {
Name:hf.AffiliationMgr Value:1 ECert:false} {
Name:hf.Registrar.Roles Value:* ECert:false} {
Name:hf.Registrar.DelegateRoles Value:* ECert:false} {
Name:hf.Revoker Value:1 ECert:false} {
Name:hf.IntermediateCA Value:1 ECert:false}]
Name: peer1-org1, Type: peer, Affiliation: , Max Enrollments: -1, Attributes: [{
Name:hf.EnrollmentID Value:peer1-org1 ECert:true} {
Name:hf.Type Value:peer ECert:true} {
Name:hf.Affiliation Value: ECert:true}]
Name: peer2-org1, Type: peer, Affiliation: , Max Enrollments: -1, Attributes: [{
Name:hf.EnrollmentID Value:peer2-org1 ECert:true} {
Name:hf.Type Value:peer ECert:true} {
Name:hf.Affiliation Value: ECert:true}]
Name: peer1-org2, Type: peer, Affiliation: , Max Enrollments: -1, Attributes: [{
Name:hf.EnrollmentID Value:peer1-org2 ECert:true} {
Name:hf.Type Value:peer ECert:true} {
Name:hf.Affiliation Value: ECert:true}]
Name: peer2-org2, Type: peer, Affiliation: , Max Enrollments: -1, Attributes: [{
Name:hf.EnrollmentID Value:peer2-org2 ECert:true} {
Name:hf.Type Value:peer ECert:true} {
Name:hf.Affiliation Value: ECert:true}]
Name: orderer1-org0, Type: orderer, Affiliation: , Max Enrollments: -1, Attributes: [{
Name:hf.EnrollmentID Value:orderer1-org0 ECert:true} {
Name:hf.Type Value:orderer ECert:true} {
Name:hf.Affiliation Value: ECert:true}]
三、设置Orderer的CA 管理
1. 启动容器
rca-org0:
container_name: rca-org0
image: hyperledger/fabric-ca:1.4.9
command: sh -c 'fabric-ca-server start -d -b rca-org0-admin:rca-org0-adminpw --port 7053'
environment:
- FABRIC_CA_SERVER_HOME=/tmp/hyperledger/fabric-ca/crypto
- FABRIC_CA_SERVER_TLS_ENABLED=true
- FABRIC_CA_SERVER_CSR_CN=rca-org0
- FABRIC_CA_SERVER_CSR_HOSTS=0.0.0.0
- FABRIC_CA_SERVER_DEBUG=true
volumes:
- /tmp/hyperledger/org0/ca:/tmp/hyperledger/fabric-ca
networks:
- fabric-ca
ports:
- 7053:7053
docker-compose up -d rca-org0
2.注册orderer的 CA 管理员
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org0/ca/crypto/ca-cert.pem
export FABRIC_CA_CLIENT_HOME=/tmp/hyperledger/org0/ca/admin
fabric-ca-client enroll -d -u https://rca-org0-admin:[email protected]:7053
sleep 5
fabric-ca-client register -d --id.name orderer1-org0 --id.secret ordererpw --id.type orderer -u https://0.0.0.0:7053
fabric-ca-client register -d --id.name admin-org0 --id.secret org0adminpw --id.type user -u https://0.0.0.0:7053
目录结构
admin/
├── fabric-ca-client-config.yaml
└── msp
├── cacerts
│ └── 0-0-0-0-7053.pem ##CA 的公共证书
├── IssuerPublicKey
├── IssuerRevocationPublicKey
├── keystore
│ └── 2da4e5e8d777be61fc29e81b4295c97f40395a0d9cbe7dddbfd12e8c6beda6af_sk ##客户端生成的私钥
├── signcerts
│ └── cert.pem ##CA 签发的 admin 的证书
└── user
四、设置 Org1 的 CA
1.启动容器
rca-org1:
container_name: rca-org1
image: hyperledger/fabric-ca:1.4.9
command: sh -c 'fabric-ca-server start -d -b rca-org1-admin:rca-org1-adminpw --port 7054'
environment:
- FABRIC_CA_SERVER_HOME=/tmp/hyperledger/fabric-ca/crypto
- FABRIC_CA_SERVER_TLS_ENABLED=true
- FABRIC_CA_SERVER_CSR_CN=rca-org1
- FABRIC_CA_SERVER_CSR_HOSTS=0.0.0.0
- FABRIC_CA_SERVER_DEBUG=true
volumes:
- /tmp/hyperledger/org1/ca:/tmp/hyperledger/fabric-ca
networks:
- fabric-ca
ports:
- 7054:7054
docker-compose up -d rca-org1
2.注册 Org1 的 CA 管理员
Peer 1 (peer1-org1)
Peer 2 (peer2-org1)
Admin (admin1-org1)
End user (user-org1)
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org1/ca/crypto/ca-cert.pem
export FABRIC_CA_CLIENT_HOME=/tmp/hyperledger/org1/ca/admin
fabric-ca-client enroll -d -u https://rca-org1-admin:[email protected]:7054
fabric-ca-client register -d --id.name peer1-org1 --id.secret peer1PW --id.type peer -u https://0.0.0.0:7054
fabric-ca-client register -d --id.name peer2-org1 --id.secret peer2PW --id.type peer -u https://0.0.0.0:7054
fabric-ca-client register -d --id.name admin-org1 --id.secret org1AdminPW --id.type user -u https://0.0.0.0:7054
fabric-ca-client register -d --id.name user-org1 --id.secret org1UserPW --id.type user -u https://0.0.0.0:7054
五、设置 org2 的CA
1.启动容器
rca-org2:
container_name: rca-org2
image: hyperledger/fabric-ca:1.4.9
command: /bin/bash -c 'fabric-ca-server start -d -b rca-org2-admin:rca-org2-adminpw --port 7055'
environment:
- FABRIC_CA_SERVER_HOME=/tmp/hyperledger/fabric-ca/crypto
- FABRIC_CA_SERVER_TLS_ENABLED=true
- FABRIC_CA_SERVER_CSR_CN=rca-org2
- FABRIC_CA_SERVER_CSR_HOSTS=0.0.0.0
- FABRIC_CA_SERVER_DEBUG=true
volumes:
- /tmp/hyperledger/org2/ca:/tmp/hyperledger/fabric-ca
networks:
- fabric-ca
ports:
- 7055:7055
docker-compose up -d rca-org2
2.注册org2的管理员
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org2/ca/crypto/ca-cert.pem
export FABRIC_CA_CLIENT_HOME=/tmp/hyperledger/org2/ca/admin
fabric-ca-client enroll -d -u https://rca-org2-admin:[email protected]:7055
fabric-ca-client register -d --id.name peer1-org2 --id.secret peer1PW --id.type peer -u https://0.0.0.0:7055
fabric-ca-client register -d --id.name peer2-org2 --id.secret peer2PW --id.type peer -u https://0.0.0.0:7055
fabric-ca-client register -d --id.name admin-org2 --id.secret org2AdminPW --id.type user --id.attrs "abac.init=true:ecert" -u https://0.0.0.0:7055
fabric-ca-client register -d --id.name user-org2 --id.secret org2UserPW --id.type user -u https://0.0.0.0:7055
六 、注册org0
1. 准备证书
mkdir -p /tmp/hyperledger/org0/orderer/assets/ca
cp /tmp/hyperledger/org0/ca/admin/msp/cacerts/0-0-0-0-7053.pem /tmp/hyperledger/org0/orderer/assets/ca/org0-ca-cert.pem
mkdir -p /tmp/hyperledger/org0/orderer/assets/tls-ca
cp /tmp/hyperledger/tls-ca/admin/msp/cacerts/0-0-0-0-7052.pem /tmp/hyperledger/org0/orderer/assets/tls-ca/tls-ca-cert.pem
2. 注册身份
export FABRIC_CA_CLIENT_HOME=/tmp/hyperledger/org0/orderer
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org0/orderer/assets/ca/org0-ca-cert.pem
export FABRIC_CA_CLIENT_MSPDIR=msp
fabric-ca-client enroll -d -u https://orderer1-org0:[email protected]:7053
3. tls-ca注册
export FABRIC_CA_CLIENT_MSPDIR=tls-msp
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org0/orderer/assets/tls-ca/tls-ca-cert.pem
fabric-ca-client enroll -d -u https://orderer1-org0:[email protected]:7052 --enrollment.profile tls --csr.hosts orderer1-org0
####修改私钥名称为key.pem
cp /tmp/hyperledger/org0/orderer/tls-msp/keystore/*_sk /tmp/hyperledger/org0/orderer/tls-msp/keystore/key.pem
echo "Enroll Admin"
export FABRIC_CA_CLIENT_HOME=/tmp/hyperledger/org0/admin
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org0/orderer/assets/ca/org0-ca-cert.pem
export FABRIC_CA_CLIENT_MSPDIR=msp
fabric-ca-client enroll -d -u https://admin-org0:[email protected]:7053
mkdir -p /tmp/hyperledger/org0/orderer/msp/admincerts
cp /tmp/hyperledger/org0/admin/msp/signcerts/cert.pem /tmp/hyperledger/org0/orderer/msp/admincerts/orderer-admin-cert.pem
mkdir -p /tmp/hyperledger/org0/msp/{
admincerts,cacerts,tlscacerts,users}
cp /tmp/hyperledger/org0/orderer/assets/ca/org0-ca-cert.pem /tmp/hyperledger/org0/msp/cacerts/
cp /tmp/hyperledger/org0/orderer/assets/tls-ca/tls-ca-cert.pem /tmp/hyperledger/org0/msp/tlscacerts/
cp /tmp/hyperledger/org0/admin/msp/signcerts/cert.pem /tmp/hyperledger/org0/msp/admincerts/admin-org0-cert.pem
echo "Org0 done"
七、注册org1
1. 准备证书
echo "Enroll Peer1"
mkdir -p /tmp/hyperledger/org1/peer1/assets/ca
cp /tmp/hyperledger/org1/ca/admin/msp/cacerts/0-0-0-0-7054.pem /tmp/hyperledger/org1/peer1/assets/ca/org1-ca-cert.pem
mkdir -p /tmp/hyperledger/org1/peer1/assets/tls-ca
cp /tmp/hyperledger/tls-ca/admin/msp/cacerts/0-0-0-0-7052.pem /tmp/hyperledger/org1/peer1/assets/tls-ca/tls-ca-cert.pem
2. 注册peer1
export FABRIC_CA_CLIENT_HOME=/tmp/hyperledger/org1/peer1
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org1/peer1/assets/ca/org1-ca-cert.pem
export FABRIC_CA_CLIENT_MSPDIR=msp
fabric-ca-client enroll -d -u https://peer1-org1:[email protected]:7054
3. tls-ca注册
mkdir -p /tmp/hyperledger/org1/peer2/assets/tls-ca/
cp /tmp/hyperledger/tls-ca/crypto/tls-ca-cert.pem /tmp/hyperledger/org1/peer2/assets/tls-ca/tls-ca-cert.pem
export FABRIC_CA_CLIENT_MSPDIR=tls-msp
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org1/peer2/assets/tls-ca/tls-ca-cert.pem
fabric-ca-client enroll -d -u https://peer2-org1:[email protected]:7052 --enrollment.profile tls --csr.hosts peer2-org1
mv /tmp/hyperledger/org1/peer2/tls-msp/keystore/* /tmp/hyperledger/org1/peer2/tls-msp/keystore/key.pem
4.准备证书
echo "Enroll Peer2"
mkdir -p /tmp/hyperledger/org1/peer2/assets/ca
cp /tmp/hyperledger/org1/ca/admin/msp/cacerts/0-0-0-0-7054.pem /tmp/hyperledger/org1/peer2/assets/ca/org1-ca-cert.pem
mkdir -p /tmp/hyperledger/org1/peer2/assets/tls-ca
cp /tmp/hyperledger/tls-ca/admin/msp/cacerts/0-0-0-0-7052.pem /tmp/hyperledger/org1/peer2/assets/tls-ca/tls-ca-cert.pem
5.注册peer2
export FABRIC_CA_CLIENT_HOME=/tmp/hyperledger/org1/peer2
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org1/peer2/assets/ca/org1-ca-cert.pem
export FABRIC_CA_CLIENT_MSPDIR=msp
fabric-ca-client enroll -d -u https://peer2-org1:[email protected]:7054
6.tls-ca 注册
export FABRIC_CA_CLIENT_MSPDIR=tls-msp
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org1/peer2/assets/tls-ca/tls-ca-cert.pem
fabric-ca-client enroll -d -u https://peer2-org1:[email protected]:7052 --enrollment.profile tls --csr.hosts peer2-org1
cp /tmp/hyperledger/org1/peer2/tls-msp/keystore/*_sk /tmp/hyperledger/org1/peer2/tls-msp/keystore/key.pem
7.注册org1的admin
echo "Enroll Admin"
export FABRIC_CA_CLIENT_HOME=/tmp/hyperledger/org1/admin
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org1/peer1/assets/ca/org1-ca-cert.pem
export FABRIC_CA_CLIENT_MSPDIR=msp
fabric-ca-client enroll -d -u https://admin-org1:[email protected]:7054
mkdir -p /tmp/hyperledger/org1/peer1/msp/admincerts
cp /tmp/hyperledger/org1/admin/msp/signcerts/cert.pem /tmp/hyperledger/org1/peer1/msp/admincerts/org1-admin-cert.pem
mkdir -p /tmp/hyperledger/org1/peer2/msp/admincerts
cp /tmp/hyperledger/org1/admin/msp/signcerts/cert.pem /tmp/hyperledger/org1/peer2/msp/admincerts/org1-admin-cert.pem
mkdir -p /tmp/hyperledger/org1/admin/msp/admincerts
cp /tmp/hyperledger/org1/admin/msp/signcerts/cert.pem /tmp/hyperledger/org1/admin/msp/admincerts/org1-admin-cert.pem
mkdir -p /tmp/hyperledger/org1/msp/{
admincerts,cacerts,tlscacerts,users}
cp /tmp/hyperledger/org1/peer1/assets/ca/org1-ca-cert.pem /tmp/hyperledger/org1/msp/cacerts/
cp /tmp/hyperledger/org1/peer1/assets/tls-ca/tls-ca-cert.pem /tmp/hyperledger/org1/msp/tlscacerts/
cp /tmp/hyperledger/org1/admin/msp/signcerts/cert.pem /tmp/hyperledger/org1/msp/admincerts/admin-org1-cert.pem
八、注册0rg2
1.准备证书
echo "Enroll Peer1"
mkdir -p /tmp/hyperledger/org2/peer1/assets/ca
cp /tmp/hyperledger/org2/ca/admin/msp/cacerts/0-0-0-0-7055.pem /tmp/hyperledger/org2/peer1/assets/ca/org2-ca-cert.pem
mkdir -p /tmp/hyperledger/org2/peer1/assets/tls-ca
cp /tmp/hyperledger/tls-ca/admin/msp/cacerts/0-0-0-0-7052.pem /tmp/hyperledger/org2/peer1/assets/tls-ca/tls-ca-cert.pem
2.注册peer1
export FABRIC_CA_CLIENT_HOME=/tmp/hyperledger/org2/peer1
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org2/peer1/assets/ca/org2-ca-cert.pem
export FABRIC_CA_CLIENT_MSPDIR=msp
fabric-ca-client enroll -d -u https://peer1-org2:[email protected]:7055
3.tls-ca注册
export FABRIC_CA_CLIENT_MSPDIR=tls-msp
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org2/peer1/assets/tls-ca/tls-ca-cert.pem
fabric-ca-client enroll -d -u https://peer1-org2:[email protected]:7052 --enrollment.profile tls --csr.hosts peer1-org2
sleep 5
cp /tmp/hyperledger/org2/peer1/tls-msp/keystore/*_sk /tmp/hyperledger/org2/peer1/tls-msp/keystore/key.pem
4.准备证书
echo "Enroll Peer2"
mkdir -p /tmp/hyperledger/org2/peer2/assets/ca
cp /tmp/hyperledger/org2/ca/admin/msp/cacerts/0-0-0-0-7055.pem /tmp/hyperledger/org2/peer2/assets/ca/org2-ca-cert.pem
mkdir -p /tmp/hyperledger/org2/peer2/assets/tls-ca
cp /tmp/hyperledger/tls-ca/admin/msp/cacerts/0-0-0-0-7052.pem /tmp/hyperledger/org2/peer2/assets/tls-ca/tls-ca-cert.pem
5.注册peer2
export FABRIC_CA_CLIENT_HOME=/tmp/hyperledger/org2/peer2
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org2/peer2/assets/ca/org2-ca-cert.pem
export FABRIC_CA_CLIENT_MSPDIR=msp
fabric-ca-client enroll -d -u https://peer2-org2:[email protected]:7055
6.tls-ca 注册
export FABRIC_CA_CLIENT_MSPDIR=tls-msp
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org2/peer2/assets/tls-ca/tls-ca-cert.pem
fabric-ca-client enroll -d -u https://peer2-org2:[email protected]:7052 --enrollment.profile tls --csr.hosts peer2-org2
sleep 5
cp /tmp/hyperledger/org2/peer2/tls-msp/keystore/*_sk /tmp/hyperledger/org2/peer2/tls-msp/keystore/key.pem
7.注册org2的admin
echo "Enroll Admin"
export FABRIC_CA_CLIENT_HOME=/tmp/hyperledger/org2/admin
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org2/peer1/assets/ca/org2-ca-cert.pem
export FABRIC_CA_CLIENT_MSPDIR=msp
fabric-ca-client enroll -d -u https://admin-org2:[email protected]:7055
mkdir -p /tmp/hyperledger/org2/peer1/msp/admincerts
cp /tmp/hyperledger/org2/admin/msp/signcerts/cert.pem /tmp/hyperledger/org2/peer1/msp/admincerts/org2-admin-cert.pem
mkdir -p /tmp/hyperledger/org2/peer2/msp/admincerts
cp /tmp/hyperledger/org2/admin/msp/signcerts/cert.pem /tmp/hyperledger/org2/peer2/msp/admincerts/org2-admin-cert.pem
mkdir -p /tmp/hyperledger/org2/admin/msp/admincerts
cp /tmp/hyperledger/org2/admin/msp/signcerts/cert.pem /tmp/hyperledger/org2/admin/msp/admincerts/org2-admin-cert.pem
mkdir -p /tmp/hyperledger/org2/msp/{
admincerts,cacerts,tlscacerts,users}
cp /tmp/hyperledger/org2/peer1/assets/ca/org2-ca-cert.pem /tmp/hyperledger/org2/msp/cacerts/
cp /tmp/hyperledger/org2/peer1/assets/tls-ca/tls-ca-cert.pem /tmp/hyperledger/org2/msp/tlscacerts/
cp /tmp/hyperledger/org2/admin/msp/signcerts/cert.pem /tmp/hyperledger/org2/msp/admincerts/admin-org2-cert.pem
九、启动org1,org2、orderer
1.启动org1,org2的peer节点
查看docker-compose 文件
peer1-org1:
container_name: peer1-org1
image: hyperledger/fabric-peer:2.2.2
environment:
- CORE_PEER_ID=peer1-org1
- CORE_PEER_ADDRESS=peer1-org1:7051
- CORE_PEER_LOCALMSPID=org1MSP
- CORE_PEER_MSPCONFIGPATH=/tmp/hyperledger/org1/peer1/msp
- CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
- CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE=guide_fabric-ca
- FABRIC_LOGGING_SPEC=info
- CORE_PEER_TLS_ENABLED=true
- CORE_PEER_TLS_CERT_FILE=/tmp/hyperledger/org1/peer1/tls-msp/signcerts/cert.pem
- CORE_PEER_TLS_KEY_FILE=/tmp/hyperledger/org1/peer1/tls-msp/keystore/key.pem
- CORE_PEER_TLS_ROOTCERT_FILE=/tmp/hyperledger/org1/peer1/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem
- CORE_PEER_GOSSIP_USELEADERELECTION=true
- CORE_PEER_GOSSIP_ORGLEADER=false
- CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer1-org1:7051
- CORE_PEER_GOSSIP_SKIPHANDSHAKE=true
working_dir: /opt/gopath/src/github.com/hyperledger/fabric/org1/peer1
volumes:
- /var/run:/host/var/run
- /tmp/hyperledger/org1/peer1:/tmp/hyperledger/org1/peer1
networks:
- fabric-ca
peer2-org1:
container_name: peer2-org1
image: hyperledger/fabric-peer:2.2.2
environment:
- CORE_PEER_ID=peer2-org1
- CORE_PEER_ADDRESS=peer2-org1:7051
- CORE_PEER_LOCALMSPID=org1MSP
- CORE_PEER_MSPCONFIGPATH=/tmp/hyperledger/org1/peer2/msp
- CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
- CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE=guide_fabric-ca
- FABRIC_LOGGING_SPEC=info
- CORE_PEER_TLS_ENABLED=true
- CORE_PEER_TLS_CERT_FILE=/tmp/hyperledger/org1/peer2/tls-msp/signcerts/cert.pem
- CORE_PEER_TLS_KEY_FILE=/tmp/hyperledger/org1/peer2/tls-msp/keystore/key.pem
- CORE_PEER_TLS_ROOTCERT_FILE=/tmp/hyperledger/org1/peer2/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem
- CORE_PEER_GOSSIP_USELEADERELECTION=true
- CORE_PEER_GOSSIP_ORGLEADER=false
- CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer2-org1:7051
- CORE_PEER_GOSSIP_SKIPHANDSHAKE=true
- CORE_PEER_GOSSIP_BOOTSTRAP=peer1-org1:7051
working_dir: /opt/gopath/src/github.com/hyperledger/fabric/org1/peer2
volumes:
- /var/run:/host/var/run
- /tmp/hyperledger/org1/peer2:/tmp/hyperledger/org1/peer2
networks:
- fabric-ca
peer1-org2:
container_name: peer1-org2
image: hyperledger/fabric-peer:2.2.2
environment:
- CORE_PEER_ID=peer1-org2
- CORE_PEER_ADDRESS=peer1-org2:7051
- CORE_PEER_LOCALMSPID=org2MSP
- CORE_PEER_MSPCONFIGPATH=/tmp/hyperledger/org2/peer1/msp
- CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
- CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE=guide_fabric-ca
- FABRIC_LOGGING_SPEC=info
- CORE_PEER_TLS_ENABLED=true
- CORE_PEER_TLS_CERT_FILE=/tmp/hyperledger/org2/peer1/tls-msp/signcerts/cert.pem
- CORE_PEER_TLS_KEY_FILE=/tmp/hyperledger/org2/peer1/tls-msp/keystore/key.pem
- CORE_PEER_TLS_ROOTCERT_FILE=/tmp/hyperledger/org2/peer1/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem
- CORE_PEER_GOSSIP_USELEADERELECTION=true
- CORE_PEER_GOSSIP_ORGLEADER=false
- CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer1-org2:7051
- CORE_PEER_GOSSIP_SKIPHANDSHAKE=true
working_dir: /opt/gopath/src/github.com/hyperledger/fabric/org2/peer1
volumes:
- /var/run:/host/var/run
- /tmp/hyperledger/org2/peer1:/tmp/hyperledger/org2/peer1
networks:
- fabric-ca
peer2-org2:
container_name: peer2-org2
image: hyperledger/fabric-peer:2.2.2
environment:
- CORE_PEER_ID=peer2-org2
- CORE_PEER_ADDRESS=peer2-org2:7051
- CORE_PEER_LOCALMSPID=org2MSP
- CORE_PEER_MSPCONFIGPATH=/tmp/hyperledger/org2/peer2/msp
- CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
- CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE=guide_fabric-ca
- FABRIC_LOGGING_SPEC=info
- CORE_PEER_TLS_ENABLED=true
- CORE_PEER_TLS_CERT_FILE=/tmp/hyperledger/org2/peer2/tls-msp/signcerts/cert.pem
- CORE_PEER_TLS_KEY_FILE=/tmp/hyperledger/org2/peer2/tls-msp/keystore/key.pem
- CORE_PEER_TLS_ROOTCERT_FILE=/tmp/hyperledger/org2/peer2/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem
- CORE_PEER_GOSSIP_USELEADERELECTION=true
- CORE_PEER_GOSSIP_ORGLEADER=false
- CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer2-org2:7051
- CORE_PEER_GOSSIP_SKIPHANDSHAKE=true
- CORE_PEER_GOSSIP_BOOTSTRAP=peer1-org2:7051
working_dir: /opt/gopath/src/github.com/hyperledger/fabric/org2/peer2
volumes:
- /var/run:/host/var/run
- /tmp/hyperledger/org2/peer2:/tmp/hyperledger/org2/peer2
networks:
- fabric-ca
docker-compose up -d peer1-org1 peer2-org1 peer1-org2 peer2-org2
2.查看configtx.yaml
export FABRIC_CFG_PATH=$PWD
# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#
---
################################################################################
#
# Section: Organizations
#
# - This section defines the different organizational identities which will
# be referenced later in the configuration.
#
################################################################################
Organizations:
# SampleOrg defines an MSP using the sampleconfig. It should never be used
# in production but may be used as a template for other definitions
- &org0
# DefaultOrg defines the organization which is used in the sampleconfig
# of the fabric.git development environment
Name: org0MSP
# ID to load the MSP definition as
ID: org0MSP
# MSPDir is the filesystem path which contains the MSP configuration
#MSPDir: ../configtx/org0/msp
MSPDir: /tmp/hyperledger/org0/msp
# Policies defines the set of policies at this level of the config tree
# For organization policies, their canonical path is usually
# /Channel/<Application|Orderer>/<OrgName>/<PolicyName>
Policies:
Readers:
Type: Signature
Rule: "OR('org0MSP.member')"
Writers:
Type: Signature
Rule: "OR('org0MSP.member')"
Admins:
Type: Signature
Rule: "OR('org0MSP.admin')"
OrdererEndpoints:
- orderer1-org0:7050
- &org1
# DefaultOrg defines the organization which is used in the sampleconfig
# of the fabric.git development environment
Name: org1MSP
# ID to load the MSP definition as
ID: org1MSP
#MSPDir: ../configtx/org1/msp
MSPDir: /tmp/hyperledger/org1/msp
# Policies defines the set of policies at this level of the config tree
# For organization policies, their canonical path is usually
# /Channel/<Application|Orderer>/<OrgName>/<PolicyName>
Policies:
Readers:
Type: Signature
Rule: "OR('org1MSP.admin', 'org1MSP.peer', 'org1MSP.client')"
Writers:
Type: Signature
Rule: "OR('org1MSP.admin', 'org1MSP.client')"
Admins:
Type: Signature
Rule: "OR('org1MSP.admin')"
Endorsement:
Type: Signature
Rule: "OR('org1MSP.peer')"
# leave this flag set to true.
AnchorPeers:
# AnchorPeers defines the location of peers which can be used
# for cross org gossip communication. Note, this value is only
# encoded in the genesis block in the Application section context
- Host: peer1-org1
Port: 7051
- &org2
# DefaultOrg defines the organization which is used in the sampleconfig
# of the fabric.git development environment
Name: org2MSP
# ID to load the MSP definition as
ID: org2MSP
#MSPDir: ../configtx/org2/msp
MSPDir: /tmp/hyperledger/org2/msp
# Policies defines the set of policies at this level of the config tree
# For organization policies, their canonical path is usually
# /Channel/<Application|Orderer>/<OrgName>/<PolicyName>
Policies:
Readers:
Type: Signature
Rule: "OR('org2MSP.admin', 'org2MSP.peer', 'org2MSP.client')"
Writers:
Type: Signature
Rule: "OR('org2MSP.admin', 'org2MSP.client')"
Admins:
Type: Signature
Rule: "OR('org2MSP.admin')"
Endorsement:
Type: Signature
Rule: "OR('org2MSP.peer')"
AnchorPeers:
# AnchorPeers defines the location of peers which can be used
# for cross org gossip communication. Note, this value is only
# encoded in the genesis block in the Application section context
- Host: peer1-org2
Port: 7051
################################################################################
#
# SECTION: Capabilities
#
# - This section defines the capabilities of fabric network. This is a new
# concept as of v1.1.0 and should not be utilized in mixed networks with
# v1.0.x peers and orderers. Capabilities define features which must be
# present in a fabric binary for that binary to safely participate in the
# fabric network. For instance, if a new MSP type is added, newer binaries
# might recognize and validate the signatures from this type, while older
# binaries without this support would be unable to validate those
# transactions. This could lead to different versions of the fabric binaries
# having different world states. Instead, defining a capability for a channel
# informs those binaries without this capability that they must cease
# processing transactions until they have been upgraded. For v1.0.x if any
# capabilities are defined (including a map with all capabilities turned off)
# then the v1.0.x peer will deliberately crash.
#
################################################################################
Capabilities:
# Channel capabilities apply to both the orderers and the peers and must be
# supported by both.
# Set the value of the capability to true to require it.
Channel: &ChannelCapabilities
# V2_0 capability ensures that orderers and peers behave according
# to v2.0 channel capabilities. Orderers and peers from
# prior releases would behave in an incompatible way, and are therefore
# not able to participate in channels at v2.0 capability.
# Prior to enabling V2.0 channel capabilities, ensure that all
# orderers and peers on a channel are at v2.0.0 or later.
V2_0: true
# Orderer capabilities apply only to the orderers, and may be safely
# used with prior release peers.
# Set the value of the capability to true to require it.
Orderer: &OrdererCapabilities
# V2_0 orderer capability ensures that orderers behave according
# to v2.0 orderer capabilities. Orderers from
# prior releases would behave in an incompatible way, and are therefore
# not able to participate in channels at v2.0 orderer capability.
# Prior to enabling V2.0 orderer capabilities, ensure that all
# orderers on channel are at v2.0.0 or later.
V2_0: true
# Application capabilities apply only to the peer network, and may be safely
# used with prior release orderers.
# Set the value of the capability to true to require it.
Application: &ApplicationCapabilities
# V2_0 application capability ensures that peers behave according
# to v2.0 application capabilities. Peers from
# prior releases would behave in an incompatible way, and are therefore
# not able to participate in channels at v2.0 application capability.
# Prior to enabling V2.0 application capabilities, ensure that all
# peers on channel are at v2.0.0 or later.
V2_0: true
################################################################################
#
# SECTION: Application
#
# - This section defines the values to encode into a config transaction or
# genesis block for application related parameters
#
################################################################################
Application: &ApplicationDefaults
# Organizations is the list of orgs which are defined as participants on
# the application side of the network
Organizations:
# Policies defines the set of policies at this level of the config tree
# For Application policies, their canonical path is
# /Channel/Application/<PolicyName>
Policies:
Readers:
Type: ImplicitMeta
Rule: "ANY Readers"
Writers:
Type: ImplicitMeta
Rule: "ANY Writers"
Admins:
Type: ImplicitMeta
Rule: "MAJORITY Admins"
LifecycleEndorsement:
Type: ImplicitMeta
Rule: "MAJORITY Endorsement"
Endorsement:
Type: ImplicitMeta
Rule: "MAJORITY Endorsement"
Capabilities:
<<: *ApplicationCapabilities
################################################################################
#
# SECTION: Orderer
#
# - This section defines the values to encode into a config transaction or
# genesis block for orderer related parameters
#
################################################################################
Orderer: &OrdererDefaults
# Orderer Type: The orderer implementation to start
OrdererType: etcdraft
EtcdRaft:
Consenters:
- Host: orderer1-org0
Port: 7050
ClientTLSCert: /tmp/hyperledger/org0/orderer/tls-msp/signcerts/cert.pem
ServerTLSCert: /tmp/hyperledger/org0/orderer/tls-msp/signcerts/cert.pem
# Batch Timeout: The amount of time to wait before creating a batch
BatchTimeout: 2s
# Batch Size: Controls the number of messages batched into a block
BatchSize:
# Max Message Count: The maximum number of messages to permit in a batch
MaxMessageCount: 10
# Absolute Max Bytes: The absolute maximum number of bytes allowed for
# the serialized messages in a batch.
AbsoluteMaxBytes: 99 MB
# Preferred Max Bytes: The preferred maximum number of bytes allowed for
# the serialized messages in a batch. A message larger than the preferred
# max bytes will result in a batch larger than preferred max bytes.
PreferredMaxBytes: 512 KB
# Organizations is the list of orgs which are defined as participants on
# the orderer side of the network
Organizations:
# Policies defines the set of policies at this level of the config tree
# For Orderer policies, their canonical path is
# /Channel/Orderer/<PolicyName>
Policies:
Readers:
Type: ImplicitMeta
Rule: "ANY Readers"
Writers:
Type: ImplicitMeta
Rule: "ANY Writers"
Admins:
Type: ImplicitMeta
Rule: "MAJORITY Admins"
# BlockValidation specifies what signatures must be included in the block
# from the orderer for the peer to validate it.
BlockValidation:
Type: ImplicitMeta
Rule: "ANY Writers"
################################################################################
#
# CHANNEL
#
# This section defines the values to encode into a config transaction or
# genesis block for channel related parameters.
#
################################################################################
Channel: &ChannelDefaults
# Policies defines the set of policies at this level of the config tree
# For Channel policies, their canonical path is
# /Channel/<PolicyName>
Policies:
# Who may invoke the 'Deliver' API
Readers:
Type: ImplicitMeta
Rule: "ANY Readers"
# Who may invoke the 'Broadcast' API
Writers:
Type: ImplicitMeta
Rule: "ANY Writers"
# By default, who may modify elements at this config level
Admins:
Type: ImplicitMeta
Rule: "MAJORITY Admins"
# Capabilities describes the channel level capabilities, see the
# dedicated Capabilities section elsewhere in this file for a full
# description
Capabilities:
<<: *ChannelCapabilities
################################################################################
#
# Profile
#
# - Different configuration profiles may be encoded here to be specified
# as parameters to the configtxgen tool
#
################################################################################
Profiles:
TwoOrgsOrdererGenesis:
<<: *ChannelDefaults
Orderer:
<<: *OrdererDefaults
Organizations:
- *org0
Capabilities:
<<: *OrdererCapabilities
Consortiums:
SampleConsortium:
Organizations:
- *org1
- *org2
TwoOrgsChannel:
Consortium: SampleConsortium
<<: *ChannelDefaults
Application:
<<: *ApplicationDefaults
Organizations:
- *org1
- *org2
Capabilities:
<<: *ApplicationCapabilities
3.创建创世块和通道交易
configtxgen -profile TwoOrgsOrdererGenesis -outputBlock /tmp/hyperledger/org0/orderer/genesis.block -channelID syschannel
sleep 5
configtxgen -profile TwoOrgsChannel -outputCreateChannelTx /tmp/hyperledger/org0/orderer/channel.tx -channelID mychannel
4.启动orderer,cli-org1,cli-org2
查看docker-compose
orderer1-org0:
container_name: orderer1-org0
image: hyperledger/fabric-orderer:2.2.2
environment:
- ORDERER_HOME=/tmp/hyperledger/orderer
- ORDERER_HOST=orderer1-org0
- ORDERER_GENERAL_LISTENADDRESS=0.0.0.0
- ORDERER_GENERAL_GENESISMETHOD=file
- ORDERER_GENERAL_GENESISFILE=/tmp/hyperledger/org0/orderer/genesis.block
- ORDERER_GENERAL_LOCALMSPID=org0MSP
- ORDERER_GENERAL_LOCALMSPDIR=/tmp/hyperledger/org0/orderer/msp
- ORDERER_GENERAL_TLS_ENABLED=true
- ORDERER_GENERAL_TLS_CERTIFICATE=/tmp/hyperledger/org0/orderer/tls-msp/signcerts/cert.pem
- ORDERER_GENERAL_TLS_PRIVATEKEY=/tmp/hyperledger/org0/orderer/tls-msp/keystore/key.pem
- ORDERER_GENERAL_TLS_ROOTCAS=[/tmp/hyperledger/org0/orderer/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem]
- ORDERER_GENERAL_LOGLEVEL=debug
- ORDERER_DEBUG_BROADCASTTRACEDIR=data/logs
volumes:
- /tmp/hyperledger/org0/orderer:/tmp/hyperledger/org0/orderer/
networks:
- fabric-ca
ports:
- 7050:7050
cli-org1:
container_name: cli-org1
image: hyperledger/fabric-tools:2.2.2
tty: true
stdin_open: true
environment:
- GOPATH=/opt/gopath
- CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
- FABRIC_LOGGING_SPEC=DEBUG
- CORE_PEER_ID=cli-org1
- CORE_PEER_ADDRESS=peer1-org1:7051
- CORE_PEER_LOCALMSPID=org1MSP
- CORE_PEER_TLS_ENABLED=true
- CORE_PEER_TLS_ROOTCERT_FILE=/tmp/hyperledger/org1/peer1/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem
- CORE_PEER_MSPCONFIGPATH=/tmp/hyperledger/org1/peer1/msp
working_dir: /opt/gopath/src/github.com/hyperledger/fabric/org1
command: sh
volumes:
- /tmp/hyperledger/org1/peer1:/tmp/hyperledger/org1/peer1
- /tmp/hyperledger/org1/peer1/assets/chaincode:/opt/gopath/src/github.com/hyperledger/fabric-samples/chaincode
- /tmp/hyperledger/org1/admin:/tmp/hyperledger/org1/admin
networks:
- fabric-ca
cli-org2:
container_name: cli-org2
image: hyperledger/fabric-tools:2.2.2
tty: true
stdin_open: true
environment:
- GOPATH=/opt/gopath
- CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
- FABRIC_LOGGING_SPEC=DEBUG
- CORE_PEER_ID=cli-org2
- CORE_PEER_ADDRESS=peer1-org2:7051
- CORE_PEER_LOCALMSPID=org2MSP
- CORE_PEER_TLS_ENABLED=true
- CORE_PEER_TLS_ROOTCERT_FILE=/tmp/hyperledger/org2/peer1/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem
- CORE_PEER_MSPCONFIGPATH=/tmp/hyperledger/org2/peer1/msp
working_dir: /opt/gopath/src/github.com/hyperledger/fabric/org2
command: sh
volumes:
- /tmp/hyperledger/org2/peer1:/tmp/hyperledger/org2/peer1
- /tmp/hyperledger/org1/peer1/assets/chaincode:/opt/gopath/src/github.com/hyperledger/fabric-samples/chaincode
- /tmp/hyperledger/org2/admin:/tmp/hyperledger/org2/admin
networks:
- fabric-ca
docker-compose up -d orderer1-org0 cli-org1 cli-org2
5.查看容器状态
[root@10 fabric]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
b0b8cfdf19fc hyperledger/fabric-tools:2.2.2 "sh" 11 hours ago Up 11 hours cli-org1
8d09489a5f5c hyperledger/fabric-tools:2.2.2 "sh" 11 hours ago Up 11 hours cli-org2
02479659e0a2 hyperledger/fabric-orderer:2.2.2 "orderer" 11 hours ago Up 11 hours 0.0.0.0:7050->7050/tcp, :::7050->7050/tcp orderer1-org0
91252c73d1ae hyperledger/fabric-peer:2.2.2 "peer node start" 11 hours ago Up 11 hours 7051/tcp peer2-org2
717b6ff28cee hyperledger/fabric-peer:2.2.2 "peer node start" 11 hours ago Up 11 hours 7051/tcp peer2-org1
7ed9b9ed7038 hyperledger/fabric-peer:2.2.2 "peer node start" 11 hours ago Up 11 hours 7051/tcp peer1-org1
4c11783e2513 hyperledger/fabric-peer:2.2.2 "peer node start" 11 hours ago Up 11 hours 7051/tcp peer1-org2
4c2cbaebfb85 hyperledger/fabric-ca:1.4.9 "/bin/bash -c 'fabri…" 11 hours ago Up 11 hours 7054/tcp, 0.0.0.0:7055->7055/tcp, :::7055->7055/tcp rca-org2
efa57941cf30 hyperledger/fabric-ca:1.4.9 "sh -c 'fabric-ca-se…" 11 hours ago Up 11 hours 0.0.0.0:7054->7054/tcp, :::7054->7054/tcp rca-org1
bdd73fe9529a hyperledger/fabric-ca:1.4.9 "sh -c 'fabric-ca-se…" 11 hours ago Up 11 hours 0.0.0.0:7053->7053/tcp, :::7053->7053/tcp, 7054/tcp rca-org0
af6ac116c410 hyperledger/fabric-ca:1.4.9 "sh -c 'fabric-ca-se…" 11 hours ago Up 11 hours 0.0.0.0:7052->7052/tcp, :::7052->7052/tcp, 7054/tcp ca-tls
十、创建和加入通道
1.peer1创建通道
将通道配置文件复制到peer1
cp /tmp/hyperledger/org0/orderer/channel.tx /tmp/hyperledger/org1/peer1/assets/
2.创建通道并加入
1)org1创建通道
docker exec -it cli-org1 sh
export CORE_PEER_MSPCONFIGPATH=/tmp/hyperledger/org1/admin/msp
peer channel create -c mychannel -f /tmp/hyperledger/org1/peer1/assets/channel.tx -o orderer1-org0:7050 --outputBlock /tmp/hyperledger/org1/peer1/assets/mychannel.block --tls --cafile /tmp/hyperledger/org1/peer1/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem
#2022-06-08 06:47:47.572 UTC [msp.identity] Sign -> DEBU 03f Sign: plaintext: 0AFB070A1508051A0608938C81950622...421646E0A4CE12080A021A0012021A00
#2022-06-08 06:47:47.572 UTC [msp.identity] Sign -> DEBU 040 Sign: digest: 81B641C28BB08FADBA8BD3498A47E9E63D2DF25829F9C9BF3FA72B0BA741BC45
#2022-06-08 06:47:47.613 UTC [cli.common] readBlock -> INFO 041 Received block: 0
结果是mychannel.block保存在org1/peer1/assets/
2)peer1、peer2加入通道
使用 org1 终端加入peer1-org1和peer2 -org1
export CORE_PEER_MSPCONFIGPATH=/tmp/hyperledger/org1/admin/msp
export CORE_PEER_ADDRESS=peer1-org1:7051
peer channel join -b /tmp/hyperledger/org1/peer1/assets/mychannel.block
#2022-06-08 06:48:27.246 UTC [msp.identity] Sign -> DEBU 02c Sign: plaintext: 0AC1080A5B08011A0B08BB8C81950610...8C4986F31A0A0A000A000A000A000A00
#2022-06-08 06:48:27.246 UTC [msp.identity] Sign -> DEBU 02d Sign: digest: B697CD25AFDCF753EB09C44319F04BA3CBBA13B2DCD4B09EE132AC27E78DB9A5
#2022-06-08 06:48:27.365 UTC [channelCmd] executeJoin -> INFO 02e Successfully submitted proposal to join channel
export CORE_PEER_ADDRESS=peer2-org1:7051
peer channel join -b /tmp/hyperledger/org1/peer1/assets/mychannel.block
#2022-06-08 06:49:07.257 UTC [msp.identity] Sign -> DEBU 02c Sign: plaintext: 0AC1080A5B08011A0B08E38C81950610...8C4986F31A0A0A000A000A000A000A00
#2022-06-08 06:49:07.257 UTC [msp.identity] Sign -> DEBU 02d Sign: digest: 1C4926FB92DA59227BDB629D0CB918583533191B6413EEE51FA42FA36B3FC1C3
#2022-06-08 06:49:07.360 UTC [channelCmd] executeJoin -> INFO 02e Successfully submitted proposal to join channel
3)org2加入通道
cp /tmp/hyperledger/org1/peer1/assets/mychannel.block /tmp/hyperledger/org2/peer1/assets/
4) peer1、peer2加入通道
使用 org2 终端加入peer1-org1和peer2 -org1
docker exec -it cli-org2 sh
export CORE_PEER_MSPCONFIGPATH=/tmp/hyperledger/org2/admin/msp
export CORE_PEER_ADDRESS=peer1-org2:7051
peer channel join -b /tmp/hyperledger/org2/peer1/assets/mychannel.block
#2022-06-08 06:50:13.319 UTC [msp.identity] Sign -> DEBU 02c Sign: plaintext: 0ADB080A5C08011A0C08A58D81950610...8C4986F31A0A0A000A000A000A000A00
#2022-06-08 06:50:13.319 UTC [msp.identity] Sign -> DEBU 02d Sign: digest: D52F4ED7EBBEC8AAD901B0EEA677027BD142B1582E239E8A175ADA8EEE798D01
#2022-06-08 06:50:13.450 UTC [channelCmd] executeJoin -> INFO 02e Successfully submitted proposal to join channel
export CORE_PEER_ADDRESS=peer2-org2:7051
peer channel join -b /tmp/hyperledger/org2/peer1/assets/mychannel.block
#2022-06-08 06:50:44.337 UTC [msp.identity] Sign -> DEBU 02c Sign: plaintext: 0ADB080A5C08011A0C08C48D81950610...8C4986F31A0A0A000A000A000A000A00
#2022-06-08 06:50:44.337 UTC [msp.identity] Sign -> DEBU 02d Sign: digest: 1A019F2C1A98DF6B276317A24734BB892D4BD996EBEF76BB8ECADE18FA9935E4
#2022-06-08 06:50:44.471 UTC [channelCmd] executeJoin -> INFO 02e Successfully submitted proposal to join channel
5)检查通道是否加入成功
在org1终端
peer channel getinfo -c mychannel
#2022-06-08 06:51:34.362 UTC [msp.identity] Sign -> DEBU 02c Sign: plaintext: 0AC2080A5C08031A0C08F68D81950610...6E496E666F0A096D796368616E6E656C
#2022-06-08 06:51:34.362 UTC [msp.identity] Sign -> DEBU 02d Sign: digest: 96F334B615878C69A800D21C7BB73FB07C001A6651B2025B4E1F813A0BC0E0E1
#Blockchain info: {"height":1,"currentBlockHash":"fSiblHfyDAgNcTnsCMY5jfEu9tW9kBcUDw9h5a74APs="}
CORE_PEER_ADDRESS=peer2-org1:7051 peer channel getinfo -c mychannel
#2022-06-08 06:52:19.102 UTC [msp.identity] Sign -> DEBU 02c Sign: plaintext: 0AC1080A5B08031A0B08A38E81950610...6E496E666F0A096D796368616E6E656C
#2022-06-08 06:52:19.102 UTC [msp.identity] Sign -> DEBU 02d Sign: digest: DCB3D1F065993FEF0D30B8FE9F9380B90BD7D8CDE9AC4E0B4BAEE20EBCA428A9
#Blockchain info: {"height":1,"currentBlockHash":"fSiblHfyDAgNcTnsCMY5jfEu9tW9kBcUDw9h5a74APs="}
在org2终端
peer channel getinfo -c mychannel
#2022-06-08 06:52:57.106 UTC [msp.identity] Sign -> DEBU 02c Sign: plaintext: 0ADA080A5B08031A0B08C98E81950610...6E496E666F0A096D796368616E6E656C
#2022-06-08 06:52:57.106 UTC [msp.identity] Sign -> DEBU 02d Sign: digest: 3DC6AE9852CBD7D1FF12EE739CB2F659518A9F71075B2A1711E5A52B29C0E833
#Blockchain info: {"height":1,"currentBlockHash":"fSiblHfyDAgNcTnsCMY5jfEu9tW9kBcUDw9h5a74APs="}
CORE_PEER_ADDRESS=peer2-org2:7051 peer channel getinfo -c mychannel
#2022-06-08 06:53:27.249 UTC [msp.identity] Sign -> DEBU 02c Sign: plaintext: 0ADA080A5B08031A0B08E78E81950610...6E496E666F0A096D796368616E6E656C
#2022-06-08 06:53:27.249 UTC [msp.identity] Sign -> DEBU 02d Sign: digest: 41FB0E99481FE63FF419E66336E595EAAA4BF21E4BD6942C776CDB8D08D0FC6D
#Blockchain info: {"height":1,"currentBlockHash":"fSiblHfyDAgNcTnsCMY5jfEu9tW9kBcUDw9h5a74APs="}
我们应该得到上面四个命令的相同结果,这意味着所有peer都具有相同的账本(区块链)
十一、安装和实例化链码
1.链码拷贝到cli-org1 容器内
cp -rp /tmp/fabric-samples/fabcar/go/* /tmp/hyperledger/org1/peer1/assets/chaincode
2.在cli-org1安装
#{containerID} 是cli-org1
#docker cp /tmp/fabric-samples/chaincode {containerID}:/opt/gopath/src/github.com/hyperledger/fabric-samples/
#docker cp /tmp/fabric-samples/asset-transfer-basic/chaincode-go/vendor/github.com/hyperledger/fabric-contract-api-go {containerID}:/opt/gopath/src/github.com/hyperledger/
docker exec -it cli-org1 bash
export GOPROXY=https://goproxy.cn,direct
export GO111MODULE=on go mod vendor
go mod vendor
export CORE_PEER_ADDRESS=peer1-org1:7051
export CORE_PEER_MSPCONFIGPATH=/tmp/hyperledger/org1/admin/msp
cd /root
打包链码
peer lifecycle chaincode package basic.tar.gz --path /tmp/hyperledger/org1/peer1/assets/chaincode/ --lang golang --label basic_1.0
安装链码
peer lifecycle chaincode install basic.tar.gz
export CORE_PEER_ADDRESS=peer2-org1:7051
export CORE_PEER_MSPCONFIGPATH=/tmp/hyperledger/org1/admin/msp
peer lifecycle chaincode install basic.tar.gz
3. 在cli-org2安装
宿主机执行
docker cp ${containerId-cli-org1}:/basic.tar.gz /root
将打包的链码传到cli-org2
#docker cp /tmp/fabric-samples/chaincode {containerID}:/opt/gopath/src/github.com/hyperledger/fabric-samples/
#docker cp /tmp/fabric-samples/asset-transfer-basic/chaincode-go/vendor/github.com/hyperledger/fabric-contract-api-go {containerID}:/opt/gopath/src/github.com/hyperledger/
docker exec -it cli-org2 bash
export GOPROXY=https://goproxy.cn,direct
export GO111MODULE=on go mod vendor
export CORE_PEER_ADDRESS=peer1-org2:7051
export CORE_PEER_MSPCONFIGPATH=/tmp/hyperledger/org2/admin/msp
安装链码
peer lifecycle chaincode install /root/basic.tar.gz
export CORE_PEER_ADDRESS=peer2-org2:7051
export CORE_PEER_MSPCONFIGPATH=/tmp/hyperledger/org2/admin/msp
安装链码
peer lifecycle chaincode install /root/basic.tar.gz
查看链码ID
peer lifecycle chaincode queryinstalled
#Installed chaincodes on peer:
#Package ID: basic_1.0:0e4c1bdc4fa1888d5cb876e91ca3c53cd4630752207e4cc17819ac4ca1a512cd, Label: basic_1.0