Hyperledger Fabric: V2.5.4
写在最前
从本篇博客开始,将陆续介绍使用Fabric搭建自定义网络及部署执行链码的过程。本篇主要介绍如何搭建网络。
由于前文在安装Fabric的时候,已经将目录fabric-samples/bin加入到了环境变量PATH中,所以正文用到cryptogen和configtxgen等工具已经可以在系统全局使用。
1 生成证书
1.1 生成模板文件
先在~/go/src下创建一个文件夹finance_network用来保存网络和通道的所有配置文件,并在该文件下使用cryptogen工具生成crypto-config.yaml模板文件。具体如下:
cd ~/go/src
mkdir finance_network
cd finance_network
cryptogen showtemplate > crypto-config.yaml
这时,会在finance_network目录下生成一个crypto-config.yaml文件。
1.2 修改模板文件
可以根据要搭建的网络的需求在在crypto-config.yaml文件中修改相关的配置。假设搭建的网络的需求如下:
- 两个组织:Org1, Org2。Org1中有2个peer节点,而Org2中有2个peer节点,另外还有1个orderer节点。网络上很多资料都是基于两个组织各有1个peer节点进行创建的,这里是为了更具有一般性。
- 每个组织的用户数为2。目前还不太了解其作用。
- 将字符串
finance加入所有Orderer组织、peer节点的域名中。这个可以根据自己的需要修改,因为笔者后续是想基于该网络实现一个与金融相关的项目,所以这里使用该字符串作为Domain名称。
根据这些要求修改crypto-config.yaml文件,具体如下:
OrdererOrgs:
- Name: Orderer # orderer组织的名称
Domain: finance.com # orderer组织的根域名
EnableNodeOUs: true # 是否使用组织单元
Specs:
- Hostname: orderer # 可以通过hostname设置多个orderer节点
SANS: #备用主机名
- localhost
# Hostname + Domain组成该orderer节点的完整域名
PeerOrgs: # 一个PeerOrgs设置多个peer组织
- Name: Org1 # peer组织的名称
Domain: org1.finance.com # peer组织的域名
EnableNodeOUs: true
Template: # 节点的数量
Count: 2
SANS:
- localhost
Users: # 用户的数量
Count: 2
- Name: Org2
Domain: org2.finance.com
EnableNodeOUs: true
Template:
Count: 1
SANS:
- localhost
Users:
Count: 2
1.3 生成证书
修改好配置文件之后,就可以使用如下命令生成加密材料。具体如下:
cryptogen genenrate --config=crypto-config.yaml --output="organizations"
命令执行成功会显示如下信息:
运行完之后会在当前文件夹下生成一个名为organizations的文件夹,该文件下保存的便是所有节点和组织的加密材料(可以使用tree命令查看这个文件夹的目录结构)。这些加密材料主要用于创建和管理Fabric网络的身份验证和加密。主要包括:
- 每个组织的根证书和私钥。每个组织将有一个唯一的“MSP ID”,用于标识其在网络中的身份。
- 每个组织的证书颁发机构(CA)的根证书和私钥。CA用于颁发和管理组织成员的证书和身份。
- 每个组织的每个peer节点生成证书和私钥,用于节点之间的通信和身份验证。
- 网络中的orderer节点的证书和私钥。
2 链码链接配置
链码链接配置(Chaincode Connection Profile, CCP)文件包含了与链码相关的连接信息和配置,包括网络的URL、TLS证书、通道、链码名称和版本等。如果步配置CCP文件,客户端应用程序可能无法找到或连接到目标链码,也就无法执行与链码相关的操作,如查询数据、提交交易等。
Fabric中需要给每个组织Org配置一个ccp文件,其存放位置在organizations/
可以从fabric-samples\test-network\organizations中拷贝出ccp-template.yaml和ccp-generate.sh文件并放到finance_network\organization\peerOrganizations下的两个目录下,具体如下:
#假设现在所在目录为finance_network下,fabric-sample的目录根据自己的情况进行调整
cp ~/go/src/github.com/hyperledger/fabric/scripts/test-network/organizations/ccp-template.yaml organizations/peerOrganizations/org1.finance.com/connection-org1.yaml
cp ~/go/src/github.com/hyperledger/fabric/scripts/test-network/organizations/ccp-template.yaml organizations/peerOrganizations/org2.finance.com/connection-org2.yaml
cp ~/go/src/github.com/hyperledger/fabric/scripts/test-network/organizations/ccp-generate.sh organizations/ccp-generate.sh
接着需要根据实际情况修改文件:connection-org1.yaml,connection-org2.yaml。由于组织Org1中有2个peer节点,而Org2中只有1个peer节点,现成的ccp-generate.sh文件无法完成这两个文件的生成。这里分两部进行操作:
- 第1步:手动完成
connection-org1.yaml,connection-org2.yaml文件中组织、节点及端口号等信息的填充。具体如下:
修改后的connection-org1.yaml
name: test-network-org1
version: 1.0.0
client:
organization: Org1
connection:
timeout:
peer:
edorser: '300'
organizations:
Org1: #设置Org1
mspid: Org1MSP
peers: #列出Org中的所有peer节点
- peer0.org1.finance.com
- peer1.org2.finance.com
certificateAuthorities:
- ca.org1.finance.com
peers:
peer0.org1.finance.com:
url: grpcs://localhost:7051 #指定peer0的端口号
tlsCACerts:
#将organizations/peerOrganizations/org1.finance.com/tlsca/tlsca.org1.finance.com-cert.pem中的内容复制到此处,还要注意缩进
pem: |
${PEERPEM}
grpcOptions:
ssl-target-name-override: peer0.org1.finance.com
hostnameOverride: peer0.org1.finance.com
peer1.org1.finance.com:
url: grpcs://localhost:8051 #peer节点的端口号不能一样
tlsCACerts:
pem: |
${PEERPEM}
grpcOptions:
ssl-target-name-override: peer1.org1.finance.com
hostnameOverride: peer1.org1.finance.com
certificateAuthorities:
ca.org1.finance.com:
url: https://localhost:7054
caName: ca-org1
tlsCACerts:
pem:
- |
${CAPEM}
httpOptions:
verify: false
修改后的connection-org2.yaml
name: test-network-org2
version: 1.0.0
client:
organization: Org2
connection:
timeout:
peer:
endorser: '300'
organizations:
Org2:
mspid: Org2MSP
peers:
- peer0.org2.finance.com
certificateAuthorities:
- ca.org2.finance.com
peers:
peer0.org2.finance.com:
url: grpcs://localhost:9051
tlsCACerts:
pem: |
${PEERPEM}
grpcOptions:
ssl-target-name-override: peer0.org2.finance.com
hostnameOverride: peer0.org2.finance.com
certificateAuthorities:
ca.org2.finance.com:
url: https://localhost:9054
caName: ca-org2
tlsCACerts:
pem:
- |
${CAPEM}
httpOptions:
verify: false
- 第2步:修改
ccp-generate.sh文件将TLS证书的信息插入进去。
#!/bin/bash
function one_line_pem {
echo "`awk 'NF {sub(/\\n/, ""); printf "%s\\\\\\\n",$0;}' $1`"
}
function yaml_ccp {
local PP=$(one_line_pem $1)
local CP=$(one_line_pem $2)
sed -e "s#\${PEERPEM}#$PP#" \
-e "s#\${CAPEM}#$CP#" \
$3 | sed -e $'s/\\\\n/\\\n /g'
}
PEERPEM=organizations/peerOrganizations/org1.finance.com/tlsca/tlsca.org1.finance.com-cert.pem
CAPEM=organizations/peerOrganizations/org1.finance.com/ca/ca.org1.finance.com-cert.pem
CONNECTION_FILE=organizations/peerOrganizations/org1.finance.com/connection-org1.yaml
echo "$(yaml_ccp $PEERPEM $CAPEM $CONNECTION_FILE)" > organizations/peerOrganizations/org1.finance.com/connection-org1.yaml
PEERPEM=organizations/peerOrganizations/org2.finance.com/tlsca/tlsca.org2.finance.com-cert.pem
CAPEM=organizations/peerOrganizations/org2.finance.com/ca/ca.org2.finance.com-cert.pem
CONNECTION_FILE=organizations/peerOrganizations/org2.finance.com/connection-org2.yaml
echo "$(yaml_ccp $PEERPEM $CAPEM $CONNECTION_FILE)" > organizations/peerOrganizations/org2.finance.com/connection-org2.yaml
接着执行如下命令即可生成ccp文件。
#先跳转到finance_network目录下,ccp-generate.sh文件在finance_network/organizations里
./organizations/ccp-generate.sh
关于ccp文件的配置有以下几点说明注意:
- 需要给每一个组织配置ccp文件。
- 该组织Org中的所有peer节点的信息都要设置。
3 启动docker容器
接下来使用docker-compose命令启动和管理docker容器。从fabric-samples/test-network/compose文件下的compose-test-net.yaml文件和docker\peercfg文件下的所有的内容复制到finance_network/compose文件夹下。具体操作如下:
#先使用cd命令跳转到~/go/src/finance_network下
#test-network的具体目录没有写全,根据自己的实际安装情况补全即可
mkdir compose
cd compose
cp fabric-samples/test-network/compose/compose-test-net.yaml compose.yaml
cp -r fabric-samples/test-network/compose/docker/peercfg docker/peercfg
cp fabric-samples/test-network/compose/docker/docker-compose-test-net.yaml docker/docker-compose.yaml
最后compose文件夹的目录如下:
这里compose\docker\core.yaml文件不需要修改,所以就不介绍了。先修改compose.yaml文件,具体如下:
# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#
version: '3.7'
volumes:
#所有的orderer节点和每个peer节点都需要设置
orderer.finance.com:
peer0.org1.finance.com:
peer1.org1.finance.com:
peer0.org2.finance.com:
networks:
test:
name: fabric_finance #这里可以根据自己的需要修改名称
services:
orderer.finance.com:
container_name: orderer.finance.com
image: hyperledger/fabric-orderer:latest
labels:
service: hyperledger-fabric
environment:
- FABRIC_LOGGING_SPEC=INFO
#指定监听端口,其他节点可以通过给端口与orderer节点进行通信
- ORDERER_GENERAL_LISTENADDRESS=0.0.0.0
- ORDERER_GENERAL_LISTENPORT=7050
- ORDERER_GENERAL_LOCALMSPID=OrdererMSP
- ORDERER_GENERAL_LOCALMSPDIR=/var/hyperledger/orderer/msp
# enabled TLS
- ORDERER_GENERAL_TLS_ENABLED=true
- ORDERER_GENERAL_TLS_PRIVATEKEY=/var/hyperledger/orderer/tls/server.key
- ORDERER_GENERAL_TLS_CERTIFICATE=/var/hyperledger/orderer/tls/server.crt
- ORDERER_GENERAL_TLS_ROOTCAS=[/var/hyperledger/orderer/tls/ca.crt]
- ORDERER_GENERAL_CLUSTER_CLIENTCERTIFICATE=/var/hyperledger/orderer/tls/server.crt
- ORDERER_GENERAL_CLUSTER_CLIENTPRIVATEKEY=/var/hyperledger/orderer/tls/server.key
- ORDERER_GENERAL_CLUSTER_ROOTCAS=[/var/hyperledger/orderer/tls/ca.crt]
- ORDERER_GENERAL_BOOTSTRAPMETHOD=none
- ORDERER_CHANNELPARTICIPATION_ENABLED=true
- ORDERER_ADMIN_TLS_ENABLED=true
- ORDERER_ADMIN_TLS_CERTIFICATE=/var/hyperledger/orderer/tls/server.crt
- ORDERER_ADMIN_TLS_PRIVATEKEY=/var/hyperledger/orderer/tls/server.key
- ORDERER_ADMIN_TLS_ROOTCAS=[/var/hyperledger/orderer/tls/ca.crt]
- ORDERER_ADMIN_TLS_CLIENTROOTCAS=[/var/hyperledger/orderer/tls/ca.crt]
#orderer节点的管理监听地址,用来接收管理工具通过gRPC协议发送的管理命令和查询请求。
- ORDERER_ADMIN_LISTENADDRESS=0.0.0.0:7053
#orderer节点的操作监听地址
- ORDERER_OPERATIONS_LISTENADDRESS=orderer.finance.com:9443
- ORDERER_METRICS_PROVIDER=prometheus
working_dir: /root
command: orderer
volumes:
#主要修改这一部分,注意相对路径
- ../organizations/ordererOrganizations/finance.com/orderers/orderer.finance.com/msp:/var/hyperledger/orderer/msp
- ../organizations/ordererOrganizations/finance.com/orderers/orderer.finance.com/tls/:/var/hyperledger/orderer/tls
- orderer.finance.com:/var/hyperledger/production/orderer
ports: #将容器的端口映射到主机上的端口
- 7050:7050
- 7053:7053
- 9443:9443
networks:
- test
peer0.org1.finance.com:
container_name: peer0.org1.finance.com
image: hyperledger/fabric-peer:latest
labels:
service: hyperledger-fabric
environment:
- FABRIC_CFG_PATH=/etc/hyperledger/peercfg
- FABRIC_LOGGING_SPEC=INFO
#- FABRIC_LOGGING_SPEC=DEBUG
- CORE_PEER_TLS_ENABLED=true
- CORE_PEER_PROFILE_ENABLED=false
- CORE_PEER_TLS_CERT_FILE=/etc/hyperledger/fabric/tls/server.crt
- CORE_PEER_TLS_KEY_FILE=/etc/hyperledger/fabric/tls/server.key
- CORE_PEER_TLS_ROOTCERT_FILE=/etc/hyperledger/fabric/tls/ca.crt
# Peer specific variables- 需要根据自己的情况修改
- CORE_PEER_ID=peer0.org1.finance.com
- CORE_PEER_ADDRESS=peer0.org1.finance.com:7051
- CORE_PEER_LISTENADDRESS=0.0.0.0:7051
- CORE_PEER_CHAINCODEADDRESS=peer0.org1.finance.com:7052
- CORE_PEER_CHAINCODELISTENADDRESS=0.0.0.0:7052
- CORE_PEER_GOSSIP_BOOTSTRAP=peer0.org1.finance.com:7051
- CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer0.org1.finance.com:7051
- CORE_PEER_LOCALMSPID=Org1MSP
- CORE_PEER_MSPCONFIGPATH=/etc/hyperledger/fabric/msp
- CORE_OPERATIONS_LISTENADDRESS=peer0.org1.finance.com:9444
- CORE_METRICS_PROVIDER=prometheus
- CHAINCODE_AS_A_SERVICE_BUILDER_CONFIG={
"peername":"peer0org1"}
- CORE_CHAINCODE_EXECUTETIMEOUT=300s
volumes:
- ../organizations/peerOrganizations/org1.finance.com/peers/peer0.org1.finance.com:/etc/hyperledger/fabric
- peer0.org1.finance.com:/var/hyperledger/production
working_dir: /root
command: peer node start
ports:
- 7051:7051
- 9444:9444
networks:
- test
peer1.org1.finance.com:
container_name: peer1.org1.finance.com
image: hyperledger/fabric-peer:latest
labels:
service: hyperledger-fabric
environment:
- FABRIC_CFG_PATH=/etc/hyperledger/peercfg
- FABRIC_LOGGING_SPEC=INFO
#- FABRIC_LOGGING_SPEC=DEBUG
- CORE_PEER_TLS_ENABLED=true
- CORE_PEER_PROFILE_ENABLED=false
- CORE_PEER_TLS_CERT_FILE=/etc/hyperledger/fabric/tls/server.crt
- CORE_PEER_TLS_KEY_FILE=/etc/hyperledger/fabric/tls/server.key
- CORE_PEER_TLS_ROOTCERT_FILE=/etc/hyperledger/fabric/tls/ca.crt
# Peer specific variables- 需要根据自己的情况修改
- CORE_PEER_ID=peer1.org1.finance.com
- CORE_PEER_ADDRESS=peer1.org1.finance.com:8051
- CORE_PEER_LISTENADDRESS=0.0.0.0:8051
- CORE_PEER_CHAINCODEADDRESS=peer1.org1.finance.com:8052
- CORE_PEER_CHAINCODELISTENADDRESS=0.0.0.0:8052
- CORE_PEER_GOSSIP_BOOTSTRAP=peer1.org1.finance.com:8051
- CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer1.org1.finance.com:8051
- CORE_PEER_LOCALMSPID=Org1MSP
- CORE_PEER_MSPCONFIGPATH=/etc/hyperledger/fabric/msp
- CORE_OPERATIONS_LISTENADDRESS=peer1.org1.finance.com:9446
- CORE_METRICS_PROVIDER=prometheus
- CHAINCODE_AS_A_SERVICE_BUILDER_CONFIG={
"peername":"peer1org1"}
- CORE_CHAINCODE_EXECUTETIMEOUT=300s
volumes:
- ../organizations/peerOrganizations/org1.finance.com/peers/peer0.org1.finance.com:/etc/hyperledger/fabric
- peer1.org1.finance.com:/var/hyperledger/production
working_dir: /root
command: peer node start
ports:
- 8051:8051
- 9446:9446
networks:
- test
peer0.org2.finance.com:
container_name: peer0.org2.finance.com
image: hyperledger/fabric-peer:latest
labels:
service: hyperledger-fabric
environment:
- FABRIC_CFG_PATH=/etc/hyperledger/peercfg
- FABRIC_LOGGING_SPEC=INFO
#- FABRIC_LOGGING_SPEC=DEBUG
- CORE_PEER_TLS_ENABLED=true
- CORE_PEER_PROFILE_ENABLED=false
- CORE_PEER_TLS_CERT_FILE=/etc/hyperledger/fabric/tls/server.crt
- CORE_PEER_TLS_KEY_FILE=/etc/hyperledger/fabric/tls/server.key
- CORE_PEER_TLS_ROOTCERT_FILE=/etc/hyperledger/fabric/tls/ca.crt
# Peer specific variables
- CORE_PEER_ID=peer0.org2.finance.com
- CORE_PEER_ADDRESS=peer0.org2.finance.com:9051
- CORE_PEER_LISTENADDRESS=0.0.0.0:9051
- CORE_PEER_CHAINCODEADDRESS=peer0.org2.finance.com:9052
- CORE_PEER_CHAINCODELISTENADDRESS=0.0.0.0:9052
- CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer0.org2.finance.com:9051
- CORE_PEER_GOSSIP_BOOTSTRAP=peer0.org2.finance.com:9051
- CORE_PEER_LOCALMSPID=Org2MSP
- CORE_PEER_MSPCONFIGPATH=/etc/hyperledger/fabric/msp
- CORE_OPERATIONS_LISTENADDRESS=peer0.org2.finance.com:9445
- CORE_METRICS_PROVIDER=prometheus
- CHAINCODE_AS_A_SERVICE_BUILDER_CONFIG={
"peername":"peer0org2"}
- CORE_CHAINCODE_EXECUTETIMEOUT=300s
volumes:
- ../organizations/peerOrganizations/org2.finance.com/peers/peer0.org2.finance.com:/etc/hyperledger/fabric
- peer0.org2.finance.com:/var/hyperledger/production
working_dir: /root
command: peer node start
ports:
- 9051:9051
- 9445:9445
networks:
- test
cli:
container_name: cli
image: hyperledger/fabric-tools:latest
labels:
service: hyperledger-fabric
tty: true
stdin_open: true
environment:
- GOPATH=/opt/gopath
- FABRIC_LOGGING_SPEC=INFO
- FABRIC_CFG_PATH=/etc/hyperledger/peercfg
- CORE_PEER_TLS_ENABLED=true #这一句是新增的
#- FABRIC_LOGGING_SPEC=DEBUG
working_dir: /opt/gopath/src/github.com/hyperledger/fabric/peer
command: /bin/bash
volumes:
- ../channel-artifacts:/opt/gopath/src/github.com/hyperledger/fabric/peer/channel-artifacts #这一句是新增的
- ../organizations:/opt/gopath/src/github.com/hyperledger/fabric/peer/organizations
- ../scripts:/opt/gopath/src/github.com/hyperledger/fabric/peer/scripts/
depends_on:
- peer0.org1.finance.com
- peer1.org1.finance.com
- peer0.org2.finance.com
networks:
- test
修改docker-compose.yaml文件:
# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#
version: '3.7'
services:
peer0.org1.finance.com:
container_name: peer0.org1.finance.com
image: hyperledger/fabric-peer:latest
labels:
service: hyperledger-fabric
environment:
#Generic peer variables
- CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
- CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE=fabric_finance #这个网络名称要跟着compose.yaml文件中指定的名称一起修改
volumes:
- ./docker/peercfg:/etc/hyperledger/peercfg
- ${
DOCKER_SOCK}:/host/var/run/docker.sock
peer1.org1.finance.com:
container_name: peer1.org1.finance.com
image: hyperledger/fabric-peer:latest
labels:
service: hyperledger-fabric
environment:
#Generic peer variables
- CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
- CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE=fabric_finance
volumes:
- ./docker/peercfg:/etc/hyperledger/peercfg
- ${
DOCKER_SOCK}:/host/var/run/docker.sock
peer0.org2.finance.com:
container_name: peer0.org2.finance.com
image: hyperledger/fabric-peer:latest
labels:
service: hyperledger-fabric
environment:
#Generic peer variables
- CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
- CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE=fabric_finance
volumes:
- ./docker/peercfg:/etc/hyperledger/peercfg
- ${
DOCKER_SOCK}:/host/var/run/docker.sock
cli:
container_name: cli
image: hyperledger/fabric-tools:latest
volumes:
- ./docker/peercfg:/etc/hyperledger/peercfg
接着使用如下命令创建docker容器(这里一定要注意各个容器之间的端口号不要冲突):
#先进入finance_network/compose目录
sudo DOCKER_SOCK="/var/run/docker.sock" docker-compose -f compose.yaml -f docker/docker-compose.yaml up -d
结果如下:
接下来可以使用docker ps -a命令以及docker logs --details <CONTAINER ID>查看容器有没有提示错误信息。
至此,Fabric上的自定义网络已经搭建完成。
4 关闭网络
关闭网络时一定要将容器与数据卷一起删除。否则在搭建通道的时候可能会遇到很多错误,比如重启网络之后会发现上次创建的通道数据还没删除导致新增同名通道失败等等。关闭网络的命令如下:
#先进入finance_network/compose目录
sudo DOCKER_SOCK="/var/run/docker.sock" docker-compose -f compose.yaml -f docker/docker-compose.yaml down -v
正常运行时结果如下:
