Fabric framework learning-5-fabric account and solo multi-machine multi-node deployment

8. Fabric account

8.1 Fabric account

  • Account: an account in Fabric is really just a set of certificate and key files generated according to the PKI specification

  • What the account is for:

    • It ensures that the data recorded on the blockchain cannot be tampered with and is irreversible
    • Every transaction in Fabric is tagged with its initiator (the signing certificate) and encrypted with the initiator's private key
    • If the transaction requires endorsement by nodes of other organizations, the endorsing nodes also add their own signatures to the transaction

To find the certificates of a particular organization or node, just change into the corresponding directory and look in its MSP folder.

8.2 Scenarios for account usage

  • Starting the orderer

  • Starting a peer

    The msp files are mounted directly into the container

  • Creating a channel

    Channel creation is done on the client side and must be performed by the Admin

8.3 Fabric-ca

When users need to be added dynamically, cryptogen is too cumbersome, so Fabric provides the fabric-ca mechanism.

You can connect to fabric-ca through fabric-ca-client to register an account, but the drawback is that it is a command-line tool, which is not acceptable for ordinary users.

Hyperledger provides a ready-made binary executable for accessing it:

In general we call it through an SDK.

The client implementation, written with the SDK:

  • Connects to the Fabric-ca service and creates an account
  • Accesses a peer node to query data

Use this to replace the cli container configured earlier.

A fabric network has multiple organizations, so how should fabric-ca be deployed?

  • Deploy one Fabric-ca in each organization, so that the users it creates can access all peer nodes in that organization

As the figure also shows, the fabric-ca server can sit behind a proxy and can use a relational database as its backend.

8.4 Add fabric-ca to the network

Enter the fabric-samples/basic-network folder:

vim docker-compose.yml
# The official sample already contains a configuration for fabric-ca
  ca.example.com:                       # service name of fabric-ca, user-defined
    image: hyperledger/fabric-ca        # the image it depends on
    environment:
      - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server   # no need to change; the home directory inside the container
      - FABRIC_CA_SERVER_CA_NAME=ca.example.com             # server name, user-defined
      # the certificate file in the fabric-ca server's certificate directory
      # be clear about which organization this fabric-ca belongs to!!
      - FABRIC_CA_SERVER_CA_CERTFILE=/etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem
      # the private key file
      # for these two files only the file name needs to be written, because of the volume mapping below
      - FABRIC_CA_SERVER_CA_KEYFILE=/etc/hyperledger/fabric-ca-server-config/4239aa0dcd76daeeb8ba0cda701851d14504d31aad1b2ddddbac6a57365e497c_sk
    ports:
      - "7054:7054"   # the port fabric-ca binds to, do not change
    # start command; in admin:adminpw the part before the colon is the user name and the part after it is the password
    command: sh -c 'fabric-ca-server start -b admin:adminpw'
    volumes:
      # change to your own path to map the volume
      - ./crypto-config/peerOrganizations/org1.example.com/ca/:/etc/hyperledger/fabric-ca-server-config
    container_name: ca.example.com   # container name, user-specified
    networks:
      - basic   # the network it works in

Modification: add a fabric-ca server to each of the two organizations separately:

  cppca.xwj.com:
    image: hyperledger/fabric-ca
    environment:
      - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
      - FABRIC_CA_SERVER_CA_NAME=cppca.xwj.com
      - FABRIC_CA_SERVER_CA_CERTFILE=ca.orgcpp.xwj.com-cert.pem
      - FABRIC_CA_SERVER_CA_KEYFILE=c2568c1f148e548dc09eadf76e351a466df3ae8ab18dadba132cf6f1809a2dbc_sk
    ports:
      - "7054:7054"
    command: sh -c 'fabric-ca-server start -b admin:adminpw'
    volumes:
      - ./crypto-config/peerOrganizations/orgcpp.xwj.com/ca/:/etc/hyperledger/fabric-ca-server-config
    container_name: cppca.xwj.com
    networks:
      - byfn

  goca.xwj.com:
    image: hyperledger/fabric-ca
    environment:
      - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
      - FABRIC_CA_SERVER_CA_NAME=goca.xwj.com
      - FABRIC_CA_SERVER_CA_CERTFILE=ca.orggo.xwj.com-cert.pem
      - FABRIC_CA_SERVER_CA_KEYFILE=b44962fdc3416c9342bba9a13ca91d40876398740f68031a0be77191c0d7a0b1_sk
    ports:
      - "8054:7054" # the first number in the port mapping is the host port; it must not be reused
    command: sh -c 'fabric-ca-server start -b admin:adminpw'
    volumes:
      - ./crypto-config/peerOrganizations/orggo.xwj.com/ca/:/etc/hyperledger/fabric-ca-server-config
    container_name: goca.xwj.com
    networks:
      - byfn

This shows that the startup was successful.

After the startup succeeds, re-create the network, enter the client, and carry out the remaining series of operations.
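As an added example (not code from the original post or from fabric-samples), the following Python script generates the fabric-ca service entry for each organization directly from the cryptogen output tree, so the random _sk key file name and the host port do not have to be edited by hand and a ca/ directory with zero or several keys is rejected; the org domains, CA names and the byfn network are the ones used above, and the sample directory tree it builds is constructed dummy data, not real key material.

```python
# Added example, not from the original post: build the per-organization fabric-ca
# service entries from a cryptogen output tree (org domains/CA names as in the post).
import tempfile
from pathlib import Path

CA_HOME = "/etc/hyperledger/fabric-ca-server"         # FABRIC_CA_HOME inside the container
CA_CONF = "/etc/hyperledger/fabric-ca-server-config"  # mount point of the org's ca/ directory

def find_ca_material(org_dir):
    """Return (cert file name, key file name) found in <org_dir>/ca; fail if ambiguous."""
    ca_dir = Path(org_dir) / "ca"
    certs = sorted(p.name for p in ca_dir.glob("*-cert.pem"))
    keys = sorted(p.name for p in ca_dir.glob("*_sk"))
    if len(certs) != 1 or len(keys) != 1:
        raise ValueError(f"{ca_dir}: need exactly one cert and one _sk file, found {certs} {keys}")
    return certs[0], keys[0]

def ca_service(org, ca_name, host_port, network, crypto_root):
    """One docker-compose service entry (as text) for the CA of organization `org`."""
    cert, key = find_ca_material(Path(crypto_root) / "peerOrganizations" / org)
    # Full container paths as in the official sample: a bare name would be resolved against FABRIC_CA_HOME.
    return f"""  {ca_name}:
    image: hyperledger/fabric-ca
    environment:
      - FABRIC_CA_HOME={CA_HOME}
      - FABRIC_CA_SERVER_CA_NAME={ca_name}
      - FABRIC_CA_SERVER_CA_CERTFILE={CA_CONF}/{cert}
      - FABRIC_CA_SERVER_CA_KEYFILE={CA_CONF}/{key}
    ports:
      - "{host_port}:7054"
    command: sh -c 'fabric-ca-server start -b admin:adminpw'
    volumes:
      - {crypto_root}/peerOrganizations/{org}/ca/:{CA_CONF}
    container_name: {ca_name}
    networks:
      - {network}"""

def ca_services(orgs, network, crypto_root="./crypto-config", first_port=7054):
    """orgs: [(org domain, CA service name), ...]; host ports 7054, 8054, 9054, ... never collide."""
    return "\n\n".join(ca_service(org, name, first_port + 1000 * i, network, crypto_root)
                       for i, (org, name) in enumerate(orgs))
def make_sample_tree(orgs):
    """Constructed stand-in for cryptogen output: {org domain: [key file names]} with dummy PEM bodies."""
    root = Path(tempfile.mkdtemp())
    for org, keys in orgs.items():
        ca = root / "peerOrganizations" / org / "ca"
        ca.mkdir(parents=True)
        (ca / f"ca.{org}-cert.pem").write_text("-----BEGIN CERTIFICATE-----\n(dummy)\n")
        for k in keys: (ca / k).write_text("-----BEGIN PRIVATE KEY-----\n(dummy)\n")
    return str(root)
```

The generated entries write the certificate and key paths in full under the mount point, as the official sample does, because fabric-ca-server resolves a bare file name relative to FABRIC_CA_HOME and would otherwise initialise a fresh CA instead of using the cryptogen one.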

8.5 Use of the official client fabric-ca-client

In the bin directory there is a command, fabric-ca-client, which is the official tool for registering user accounts:

Hyperledger Fabric Certificate Authority Client

Usage:
fabric-ca-client [command]

Available Commands:
affiliation Manage affiliations
enroll Enroll an identity
gencrl Generate a CRL
gencsr Generate a CSR
getcacert Get CA certificate chain
identity Manage identities
reenroll Reenroll an identity
register Register an identity
revoke Revoke an identity
version Prints Fabric CA Client version

Flags:
--caname string Name of CA
--csr.cn string The common name field of the certificate signing request
--csr.hosts stringSlice A list of space-separated host names in a certificate signing request
--csr.names stringSlice A list of comma-separated CSR names of the form <name>=<value> (e.g. C=CA,O=Org1)
--csr.serialnumber string The serial number in a certificate signing request
-d, --debug Enable debug level logging
--enrollment.attrs stringSlice A list of comma-separated attribute requests of the form <name>[:opt] (e.g. foo,bar:opt)
--enrollment.label string Label to use in HSM operations
--enrollment.profile string Name of the signing profile to use in issuing the certificate
-H, --home string Client's home directory (default "$HOME/.fabric-ca-client")
--id.affiliation string The identity's affiliation
--id.attrs stringSlice A list of comma-separated attributes of the form <name>=<value> (e.g. foo=foo1,bar=bar1)
--id.maxenrollments int The maximum number of times the secret can be reused to enroll (default CA's Max Enrollment)
--id.name string Unique name of the identity
--id.secret string The enrollment secret for the identity being registered
--id.type string Type of identity being registered (e.g. 'peer, app, user') (default "client")
-M, --mspdir string Membership Service Provider directory (default "msp")
-m, --myhost string Hostname to include in the certificate signing request during enrollment (default "$HOSTNAME")
-a, --revoke.aki string AKI (Authority Key Identifier) of the certificate to be revoked
-e, --revoke.name string Identity whose certificates should be revoked
-r, --revoke.reason string Reason for revocation
-s, --revoke.serial string Serial number of the certificate to be revoked
--tls.certfiles stringSlice A list of comma-separated PEM-encoded trusted certificate files (e.g. root1.pem,root2.pem)
--tls.client.certfile string PEM-encoded certificate file when mutual authenticate is enabled
--tls.client.keyfile string PEM-encoded key file when mutual authentication is enabled
-u, --url string URL of fabric-ca-server (default "http://localhost:7054")

Use "fabric-ca-client [command] --help" for more information about a command.

Register an administrator account:

fabric-ca-client enroll -u http://admin:[email protected]:8054

This generates a .fabric-ca-client folder in the user's home directory, which contains the msp.

8.6 Implementing a fabric-client with Node.js

Client API reference:

https://hyperledger.github.io/fabric-sdk-node/

Fabric 1.4 version: https://hyperledger.github.io/fabric-sdk-node/release-1.4/module-fabric-network.html

Version 2.2: https://hyperledger.github.io/fabric-sdk-node/release-2.2/FabricCAServices.html#register

(1.2 has already been removed)


# create an empty directory
mkdir node-client
cd node-client
# initialise and create the package.json configuration file
npm init # press Enter all the way through; fill in the file directly afterwards
# switch to the Taobao registry to speed up downloads
npm config -g set registry https://registry.npm.taobao.org
# check that the switch took effect
npm config -g get registry # if you see the registry address, it's fine
# or use Taobao's cnpm instead
npm install -g cnpm --registry=https://registry.npm.taobao.org
# check the version; from now on use cnpm to download dependencies
cnpm -v
# run the following commands to install the third-party dependencies
npm install --save fabric-ca-client # --save writes the module into the dependencies property
npm install --save fabric-client
npm install --save grpc
# ============== or, with cnpm ==============
cnpm install --save fabric-ca-client
cnpm install --save fabric-client
cnpm install --save grpc
# downloading takes a while, wait a moment

package.json configuration explained: https://blog.csdn.net/Aurora100/article/details/78590346

dependencies and devDependencies are, respectively, the packages the project depends on in production and in development/testing. Each points to an object whose members consist of a module name and the corresponding version requirement, expressing the dependency and its version range.

The --save flag writes the module into the dependencies property; --save-dev writes it into the devDependencies property.

After installation, open package.json and you will see:

(The versions here do not follow the video course; they are the latest ones, because the documentation for the old versions is gone)


Copy the contents of the fabric-samples/fabcar folder into the newly created folder:

# take the packages we need from it

package.json from the official test example:

{
  "name": "fabcar",
  "version": "1.0.0",
  "description": "Hyperledger Fabric Car Sample Application",
  "main": "fabcar.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "dependencies": {
    "fabric-ca-client": "unstable",
    "fabric-client": "unstable",
    "grpc": "^1.6.0"
  },
  "author": "Anthony O'Dowd",
  "license": "Apache-2.0",
  "keywords": [
    "Hyperledger",
    "Fabric",
    "Car",
    "Sample",
    "Application"
  ]
}

9. Multi-machine multi-node deployment under Solo consensus


All nodes are deployed separately, one node per host:

Name      IP          HostName                     Organization
orderer   10.0.2.5    orderer.example.com          /
peer0     10.0.2.6    peer0.orgbmw.example.com     OrgBmw (BMW)
peer1                 peer1.orgbmw.example.com     BMW
peer0     10.0.2.7    peer0.orgbenz.example.com    OrgBenz (Benz)
peer1                 peer0.orgbenz.example.com    Benz

If you do not have multiple physical hosts, you can use a virtual cluster instead. See this post of mine for details:

https://blog.csdn.net/weixin_43988498/article/details/109159785

I used a virtual cluster to try out the multi-machine multi-node deployment.

9.1 Preparation

Each of the n hosts needs a working directory with the same name, so that they can connect to the same network:

# 10.0.2.5
mkdir ~/carFabric
# 10.0.2.6
mkdir ~/carFabric
# 10.0.2.7
mkdir ~/carFabric
# generate the certificate template
cryptogen showtemplate > crypto-config.yaml
# edit the configuration
vim crypto-config.yaml

# generate the certificates
cryptogen generate --config=crypto-config.yaml

# generate the channel file and the genesis block
cp ~/fabric-1.2/fabric-samples/first-network/configtx.yaml . # make a copy
# edit the configuration file
vim configtx.yaml
# generate the genesis block
configtxgen -profile CarOrgsOrdererGenesis -outputBlock ./channel-artifacts/genesis.block
# generate the channel file
configtxgen -profile TwoOrgsChannel -outputCreateChannelTx ./channel-artifacts/channel.tx -channelID carChannel

9.2 Different configuration files for different nodes

9.2.1 Deploying the orderer node, host: 10.0.2.5

Write the docker-compose file:

version: '2'

services:

  orderer.example.com:
    container_name: orderer.example.com
    image: hyperledger/fabric-orderer:latest
    environment:
      - ORDERER_GENERAL_LOGLEVEL=INFO
      - ORDERER_GENERAL_LISTENADDRESS=0.0.0.0
      - ORDERER_GENERAL_GENESISMETHOD=file
      - ORDERER_GENERAL_GENESISFILE=/var/hyperledger/orderer/orderer.genesis.block
      - ORDERER_GENERAL_LOCALMSPID=OrdererMSP
      - ORDERER_GENERAL_LOCALMSPDIR=/var/hyperledger/orderer/msp
      - ORDERER_GENERAL_TLS_ENABLED=true
      - ORDERER_GENERAL_TLS_PRIVATEKEY=/var/hyperledger/orderer/tls/server.key
      - ORDERER_GENERAL_TLS_CERTIFICATE=/var/hyperledger/orderer/tls/server.crt
      - ORDERER_GENERAL_TLS_ROOTCAS=[/var/hyperledger/orderer/tls/ca.crt]
    working_dir: /opt/gopath/src/github.com/hyperledger/fabric
    command: orderer
    volumes:
      - ./channel-artifacts/genesis.block:/var/hyperledger/orderer/orderer.genesis.block
      - ./crypto-config/ordererOrganizations/example.com/orderers/orderer.example.com/msp:/var/hyperledger/orderer/msp
      - ./crypto-config/ordererOrganizations/example.com/orderers/orderer.example.com/tls/:/var/hyperledger/orderer/tls
    ports:
      - 7050:7050
    networks:
      default:
        aliases:
          - carFabric

No longer using extends: the settings are pulled out of the extended file and written into a single file.

Note how networks is written: it means the default network is used and all nodes join that default network; aliases sets an alias. Do not write an arbitrary network name here; it must be the name of the working directory.

With identically named networks, multiple nodes can reach each other!

Tips

1.System has not been booted with systemd as init system (PID 1). Can’t operate.

Failed to connect to bus: Host is down

Cause:

The command I used to start the centos container was:

docker run -d --name centos_1 -it  centos:latest /bin/bash

It needs to be changed to

docker run -tid --name centos_1 --privileged=true centos:latest /sbin/init

That is, add --privileged=true and change /bin/bash to /sbin/init.

After the change, the service starts normally.

2. Solution for a Docker container (CentOS or Ubuntu) that cannot use the systemctl command

This applies when the systemctl command prints the message (System has not been booted with systemd as init system (PID 1). Can't operat....).

Solution: /sbin/init

For example, on CentOS 8:

docker run -itd --name centos --privileged=true centos /sbin/init  # use this command
docker exec -it centos /bin/bash

Note: --privileged=true must be added.

3. "Job for docker.service failed because the control process exited with error code" when starting docker

Docker's engine is based on the storage driver provided by Device Mapper and relies on devicemapper. Its data directory is under /var/lib/docker.
First enter docker's data directory:

cd /var/lib/docker

Delete all folders/files in this directory:

rm -rf *

When deleting, you may get "device or resource busy".

Solution: first use fuser to show which program is currently using aufs on the disk, then unmount it with umount, since an application is using aufs:

fuser -m aufs/
fuser -k aufs/
umount aufs/
rm -rf aufs/

After deleting, docker can be restarted successfully:

sudo systemctl restart docker
Author: DDDemons. Published: 2020-10-14. Last updated: 2020-10-19. Title of this article: Fabric framework learning-5-fabric account and solo multi-machine multi-node deployment. Link: https://xwjahahahaha.github.io/2020/10/14/Technical Posts/Blockchain/Fabric/Fabric framework learning-5-fabric account and solo multi-machine multi-node deployment/ . Copyright: this work is licensed under CC BY-NC-SA 4.0; please credit the source.

Origin: blog.csdn.net/weixin_43988498/article/details/109284672