HyperLedger Fabric in Practice - 18. Upgrading to Fabric 1.2 - 7. Dynamically Adding an Organization

1. Add the new organization's configuration files

Create a directory named org3-artifacts under ~/fabric/aberic/, then create the file ~/fabric/aberic/org3-artifacts/org3-crypto.yaml with the following content:

# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#

# ---------------------------------------------------------------------------
# "PeerOrgs" - Definition of organizations managing peer nodes
# ---------------------------------------------------------------------------
PeerOrgs:
  # ---------------------------------------------------------------------------
  # Org3
  # ---------------------------------------------------------------------------
  - Name: Org3
    Domain: org3.example.com
    EnableNodeOUs: true
    Template:
      Count: 2
    Users:
      Count: 1

Run the following commands to generate the new organization's certificate files:

cd org3-artifacts/
../../release/linux-amd64/bin/cryptogen generate --config=./org3-crypto.yaml

Create the file ~/fabric/aberic/org3-artifacts/configtx.yaml with the following content:

# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#

---
################################################################################
#
#   Section: Organizations
#
#   - This section defines the different organizational identities which will
#   be referenced later in the configuration.
#
################################################################################
Organizations:
    - &Org3
        # DefaultOrg defines the organization which is used in the sampleconfig
        # of the fabric.git development environment
        Name: Org3MSP

        # ID to load the MSP definition as
        ID: Org3MSP

        MSPDir: crypto-config/peerOrganizations/org3.example.com/msp

        AnchorPeers:
            # AnchorPeers defines the location of peers which can be used
            # for cross org gossip communication.  Note, this value is only
            # encoded in the genesis block in the Application section context
            - Host: peer0.org3.example.com
              Port: 7051

Export org3's configuration in JSON format:

export FABRIC_CFG_PATH=$PWD
../../release/linux-amd64/bin/configtxgen -printOrg Org3MSP -profile ./configtx.yaml > ../channel-artifacts/org3.json

Copy the orderer's certificates and keys into org3's crypto-config directory:

cp -r ../crypto-config/ordererOrganizations crypto-config/

2. Fetch the current channel configuration

docker exec -it cli bash
apt-get -y update && apt-get -y install jq
export ORDERER_CA=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/orderers/orderer1.example.com/msp/tlscacerts/tlsca.example.com-cert.pem
peer channel fetch config config_block.pb -o orderer1.example.com:7050 -c mychannel --tls --cafile $ORDERER_CA

3. Modify the original configuration to add org3

1) Decode the existing network's configuration block, config_block.pb, then use jq to extract the config portion and write it to config.json

configtxlator proto_decode --input config_block.pb --type common.Block | jq .data.data[0].payload.data.config > config.json

2) Modify config.json to add org3, writing the result to modified_config.json

jq -s '.[0] * {"channel_group":{"groups":{"Application":{"groups": {"Org3MSP":.[1]}}}}}' config.json ./channel-artifacts/org3.json > modified_config.json

3) Convert config.json and modified_config.json to protobuf format

configtxlator proto_encode --input config.json --type common.Config > original_config.pb
configtxlator proto_encode --input modified_config.json --type common.Config > modified_config.pb

4) Compute the update, config_update.pb, from original_config.pb and modified_config.pb

configtxlator compute_update --channel_id mychannel --original original_config.pb --updated modified_config.pb > config_update.pb

5) Decode config_update.pb to JSON, wrap it in an envelope (formatted with jq), then encode it back to protobuf format; the final output is org3_update_in_envelope.pb

configtxlator proto_decode --input config_update.pb  --type common.ConfigUpdate > config_update.json
echo '{"payload":{"header":{"channel_header":{"channel_id":"mychannel", "type":2}},"data":{"config_update":'$(cat config_update.json)'}}}' | jq . > config_update_in_envelope.json
configtxlator proto_encode --input config_update_in_envelope.json --type common.Envelope > org3_update_in_envelope.pb

4. Sign the new Org3 configuration

A configuration transaction must be signed by a majority of the Orgs in the channel. mychannel currently contains only org1 and org2, so adding org3 requires signatures from both org1 and org2.

Signing is done in the cli and must use the Anchor Peer, i.e. peer0.orgx.example.com.

Log in to peer0.org1.example.com and peer0.org2.example.com in turn and run:

peer channel signconfigtx -f org3_update_in_envelope.pb

After the command finishes on peer0.org1.example.com, copy the signed org3_update_in_envelope.pb to peer0.org2.example.com and run the command above again. If there are more organizations, continue in the same way.
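
Each signing org can check what it is about to approve before running signconfigtx. The added example below (not part of the original post) diffs config.json against modified_config.json from step 3 and reports anything other than the addition of the Org3MSP group; the JSON field layout is assumed to match configtxlator's decoded output, and the sample data is constructed.

```python
import copy, json, sys

# Where org groups live in the decoded channel config (layout of configtxlator's JSON).
ORG_PATH = ("channel_group", "groups", "Application", "groups")

def diff_paths(old, new, path=()):
    """Yield (kind, path) for every difference between two decoded configs."""
    if isinstance(old, dict) and isinstance(new, dict):
        for key in sorted(old.keys() | new.keys()):
            if key not in old:
                yield ("added", path + (key,))
            elif key not in new:
                yield ("removed", path + (key,))
            else:
                yield from diff_paths(old[key], new[key], path + (key,))
    elif old != new:
        yield ("changed", path)

def review_org_addition(original, modified, msp_id):
    """Return findings; an empty list means the update only adds a sane msp_id group."""
    expected = ORG_PATH + (msp_id,)
    findings = [f"{kind}: {'.'.join(p)}" for kind, p in diff_paths(original, modified)
                if (kind, p) != ("added", expected)]
    org = modified
    for key in expected:
        org = org.get(key, {})
    name = org.get("values", {}).get("MSP", {}).get("value", {}).get("config", {}).get("name")
    if name != msp_id:
        findings.append(f"MSP name {name!r} does not match group key {msp_id!r}")
    for policy in ("Admins", "Readers", "Writers"):
        if policy not in org.get("policies", {}):
            findings.append(f"org policy {policy} is not defined")
    return findings

# Constructed sample data, trimmed to the fields this check reads.
def sample_org(name):
    return {"mod_policy": "Admins",
            "policies": {p: {} for p in ("Admins", "Readers", "Writers")},
            "values": {"MSP": {"value": {"config": {"name": name}}}}}

ORIGINAL = {"channel_group": {"groups": {"Application": {
    "mod_policy": "Admins",
    "groups": {"Org1MSP": sample_org("Org1MSP"), "Org2MSP": sample_org("Org2MSP")}}}}}
GOOD = copy.deepcopy(ORIGINAL)
GOOD["channel_group"]["groups"]["Application"]["groups"]["Org3MSP"] = sample_org("Org3MSP")

if __name__ == "__main__":  # usage: python review.py config.json modified_config.json
    original, modified = (json.load(open(p)) for p in sys.argv[1:3])
    print("\n".join(review_org_addition(original, modified, "Org3MSP")) or "only Org3MSP added")
```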

5. Submit the signed configuration transaction to the orderer

export ORDERER_CA=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/orderers/orderer1.example.com/msp/tlscacerts/tlsca.example.com-cert.pem
peer channel update -f org3_update_in_envelope.pb -c mychannel -o orderer1.example.com:7050 --tls --cafile $ORDERER_CA

6. Configure the new organization's Peer service

Configure the new organization's cluster in docker-peer0.org3.yaml:

# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#

version: '2'

services:
  ca1:
    container_name: ca_Org3
    extends:
      file: base/docker-compose-base.yaml
      service: ca
    environment:
      - FABRIC_CA_SERVER_CA_NAME=ca-org3
      - FABRIC_CA_SERVER_TLS_CERTFILE=/etc/hyperledger/fabric-ca-server-config/ca.org3.example.com-cert.pem
      - FABRIC_CA_SERVER_TLS_KEYFILE=/etc/hyperledger/fabric-ca-server-config/b687233103886f51b1cfa1b92eee9e3e78b9fb684c6203d44f4806c55c411a4c_sk
    command: sh -c 'fabric-ca-server start --ca.certfile /etc/hyperledger/fabric-ca-server-config/ca.org3.example.com-cert.pem --ca.keyfile /etc/hyperledger/fabric-ca-server-config/b687233103886f51b1cfa1b92eee9e3e78b9fb684c6203d44f4806c55c411a4c_sk -b admin:adminpw -d'
    volumes:
      - ./crypto-config/peerOrganizations/org3.example.com/ca/:/etc/hyperledger/fabric-ca-server-config

  couchdb06:
    container_name: couchdb06
    extends:
      file: base/docker-compose-base.yaml
      service: couchdb

  peer0.org3.example.com:
    container_name: peer0.org3.example.com
    extends:
      file:  base/docker-compose-base.yaml
      service: peer.org.example.com
    environment:
      - CORE_LEDGER_STATE_COUCHDBCONFIG_COUCHDBADDRESS=couchdb06:5984
      - CORE_PEER_ID=peer0.org3.example.com
      - CORE_PEER_ADDRESS=peer0.org3.example.com:7051
      - CORE_PEER_CHAINCODEADDRESS=peer0.org3.example.com:7052
      - CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer0.org3.example.com:7051
      - CORE_PEER_LOCALMSPID=Org3MSP
    volumes:
      - /var/run/:/host/var/run/
      - ./crypto-config/peerOrganizations/org3.example.com/peers/peer0.org3.example.com/msp:/etc/hyperledger/fabric/msp
      - ./crypto-config/peerOrganizations/org3.example.com/peers/peer0.org3.example.com/tls:/etc/hyperledger/fabric/tls

  cli:
    container_name: cli
    extends:
      file:  base/docker-compose-base.yaml
      service: cli
    environment:
      - CORE_PEER_ADDRESS=peer0.org3.example.com:7051
      - CORE_PEER_LOCALMSPID=Org3MSP
      - CORE_PEER_TLS_CERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org3.example.com/peers/peer0.org3.example.com/tls/server.crt
      - CORE_PEER_TLS_KEY_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org3.example.com/peers/peer0.org3.example.com/tls/server.key
      - CORE_PEER_TLS_ROOTCERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org3.example.com/peers/peer0.org3.example.com/tls/ca.crt
      - CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org3.example.com/users/[email protected]/msp

Start peer0.org3:

docker-compose -f docker-peer0.org3.yaml up

7. Add the new org to the channel

Log in to the new org's cluster and fetch the channel's genesis block from the orderer:

docker exec -it cli bash
export ORDERER_CA=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/orderers/orderer1.example.com/msp/tlscacerts/tlsca.example.com-cert.pem
peer channel fetch 0 mychannel.block -o orderer1.example.com:7050 -c mychannel --tls --cafile $ORDERER_CA

Join the new organization's Peer to the channel:

peer channel join -b mychannel.block

8. Upgrade the chaincode and endorsement policy

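To include Org3 in the chaincode's endorsement policy, the chaincode must be re-instantiated, and re-instantiating it requires upgrading it first. Because Org3 is a newly created organization, there is no need to install first and then upgrade; we can install version 2.0 of the chaincode directly.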

peer chaincode install -n mycc -v 2.0 -p github.com/hyperledger/fabric/aberic/chaincode/go/example02/cmd

Org1 and Org2 then also need to install version 2.0 of the chaincode. Log in to org1 and org2 respectively and run the same command:

peer chaincode install -n mycc -v 2.0 -p github.com/hyperledger/fabric/aberic/chaincode/go/example02/cmd

9. Upgrade the endorsement policy

On one of the chaincode's original endorsing organizations (peer0.org1 | peer0.org2), upgrade the chaincode and apply the new endorsement policy:

export ORDERER_CA=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/orderers/orderer1.example.com/msp/tlscacerts/tlsca.example.com-cert.pem
peer chaincode upgrade -o orderer1.example.com:7050 --tls $CORE_PEER_TLS_ENABLED --cafile $ORDERER_CA -C mychannel -n mycc -v 2.0 -c '{"Args":["init","a","90","b","210"]}' -P "OR ('Org1MSP.peer','Org2MSP.peer','Org3MSP.peer')"
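
The policy passed to -P above is an OR over three principals, so an endorsement from a single peer of any one org, including the newly added Org3, satisfies it. The added example below (not part of the original post) evaluates Fabric's AND/OR/OutOf policy syntax against a set of endorsers so that alternatives can be compared before the upgrade; it goes beyond the page's OR case, and as a simplification it matches principals by exact string with one endorser per principal.

```python
import re

TOKEN = re.compile(r"\s*(AND|OR|OutOf|\(|\)|,|\d+|'[^']*')", re.IGNORECASE)
PAGE_POLICY = "OR ('Org1MSP.peer','Org2MSP.peer','Org3MSP.peer')"  # from the upgrade command

def tokenize(expr):
    expr, pos, out = expr.strip(), 0, []
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"bad policy syntax at offset {pos}")
        out.append(m.group(1))
        pos = m.end()
    return out

def parse(tokens):
    """Return ('principal', name) or ('outof', n, children); AND and OR reduce to OutOf."""
    tok = tokens.pop(0)
    if tok.startswith("'"):
        return ("principal", tok.strip("'"))
    op = tok.upper()
    if op not in ("AND", "OR", "OUTOF") or tokens.pop(0) != "(":
        raise ValueError(f"unexpected token {tok!r}")
    args = []
    while True:
        args.append(int(tokens.pop(0)) if tokens[0].isdigit() else parse(tokens))
        sep = tokens.pop(0)
        if sep == ")":
            break
        if sep != ",":
            raise ValueError(f"expected ',' or ')', got {sep!r}")
    if op == "OUTOF":
        return ("outof", args[0], args[1:])
    return ("outof", len(args) if op == "AND" else 1, args)

def satisfied(node, endorsers):
    if node[0] == "principal":
        return node[1] in endorsers
    return sum(satisfied(child, endorsers) for child in node[2]) >= node[1]

def check(policy, endorsers):
    """True if the given endorsing principals satisfy the policy expression."""
    tokens = tokenize(policy)
    tree = parse(tokens)
    if tokens:
        raise ValueError("trailing tokens after policy")
    return satisfied(tree, set(endorsers))
```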

10. Verify the upgrade

peer chaincode query -C mychannel -n mycc -c '{"Args":["query","a"]}'
export ORDERER_CA=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/orderers/orderer1.example.com/msp/tlscacerts/tlsca.example.com-cert.pem
peer chaincode invoke -o orderer1.example.com:7050 --tls --cafile $ORDERER_CA -C mychannel -n mycc -c '{"Args":["invoke","a","b","10"]}'
peer chaincode query -C mychannel -n mycc -c '{"Args":["query","a"]}'

That's it: the organization has been added dynamically. At this point, we can create a new consortium or join an existing one.

Reposted from blog.csdn.net/xuguangyuansh/article/details/83277122