8. Fabric account
8.1 Fabric account
Account: an account in Fabric is really a set of certificate and key files generated according to the PKI specification.
The role of the account:
- Ensures that the data recorded in the blockchain cannot be tampered with and is irreversible
- Each transaction in Fabric is tagged with its initiator (the signing certificate) and signed with the initiator's private key
- If the transaction requires endorsement by nodes of other organizations, the endorsing nodes also add their own signatures to the transaction
To find the certificates of a particular organization or node, just change into its directory and look in its MSP folder.
8.2 Scenarios for account usage
Starting an orderer
Starting a peer
The MSP directory is mounted directly into the container
Creating a channel
Channel creation is done on the client side and must be performed by an Admin
8.3 Fabric-ca
When users need to be added dynamically, cryptogen is too cumbersome, so Fabric provides the fabric-ca mechanism.
You can connect to fabric-ca through fabric-ca-client to register an account, but the drawback is that this is done on the command line, which is not acceptable for end users.
The official distribution provides a ready-made binary client for accessing it.
In practice it is usually called through an SDK.
The client implementation written with the SDK:
- Connects to the Fabric-ca service and creates an account
- Accesses the peer nodes to query data
Use this to replace the previously configured cli container.
There are multiple organizations in a fabric network, so how should fabric-ca be deployed?
- Deploy a Fabric-ca in each organization, so that the users it creates can access all the peer nodes of that organization
It can also be seen from the figure that the fabric-ca server can sit behind a proxy and can use a relational database.
8.4 Add fabric-ca to the network
Enter the fabric-samples/basic-network folder:
vim docker-compose.yml
The official example already contains some fabric-ca related configuration:
  ca.example.com:                  # service name of the fabric-ca, your choice
    image: hyperledger/fabric-ca   # image it depends on
    environment:
      - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server   # no need to change; the home directory inside the container
      - FABRIC_CA_SERVER_CA_NAME=ca.example.com            # server name, your choice
      # the certificate file in the fabric-ca server's certificate directory
      # be clear about which organization this fabric-ca belongs to!!
      - FABRIC_CA_SERVER_CA_CERTFILE=/etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem
      # private key file
      # for these two files only the file name needs to be written, because of the volume mapping below
      - FABRIC_CA_SERVER_CA_KEYFILE=/etc/hyperledger/fabric-ca-server-config/4239aa0dcd76daeeb8ba0cda701851d14504d31aad1b2ddddbac6a57365e497c_sk
    ports:
      - "7054:7054"   # the port fabric-ca binds to, do not change
    # start command; in admin:adminpw the part before the colon is the user name and the part after it is the password
    command: sh -c 'fabric-ca-server start -b admin:adminpw'
    volumes:
      # change to your own path to set up the data volume
      - ./crypto-config/peerOrganizations/org1.example.com/ca/:/etc/hyperledger/fabric-ca-server-config
    container_name: ca.example.com   # container name, your choice
    networks:
      - basic   # the network it works in
Modification:
Add a fabric-ca server to each of the two organizations separately
  cppca.xwj.com:
    image: hyperledger/fabric-ca
    environment:
      - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
      - FABRIC_CA_SERVER_CA_NAME=cppca.xwj.com
      - FABRIC_CA_SERVER_CA_CERTFILE=ca.orgcpp.xwj.com-cert.pem
      - FABRIC_CA_SERVER_CA_KEYFILE=c2568c1f148e548dc09eadf76e351a466df3ae8ab18dadba132cf6f1809a2dbc_sk
    ports:
      - "7054:7054"
    command: sh -c 'fabric-ca-server start -b admin:adminpw'
    volumes:
      - ./crypto-config/peerOrganizations/orgcpp.xwj.com/ca/:/etc/hyperledger/fabric-ca-server-config
    container_name: cppca.xwj.com
    networks:
      - byfn
  goca.xwj.com:
    image: hyperledger/fabric-ca
    environment:
      - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
      - FABRIC_CA_SERVER_CA_NAME=goca.xwj.com
      - FABRIC_CA_SERVER_CA_CERTFILE=ca.orggo.xwj.com-cert.pem
      - FABRIC_CA_SERVER_CA_KEYFILE=b44962fdc3416c9342bba9a13ca91d40876398740f68031a0be77191c0d7a0b1_sk
    ports:
      - "8054:7054"   # in a port mapping the first number is the host port; it must not be reused
    command: sh -c 'fabric-ca-server start -b admin:adminpw'
    volumes:
      - ./crypto-config/peerOrganizations/orggo.xwj.com/ca/:/etc/hyperledger/fabric-ca-server-config
    container_name: goca.xwj.com
    networks:
      - byfn
This shows that the startup succeeded.
After startup succeeds, recreate the network, enter the client, and carry out the remaining operations.
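The official and the modified compose files above differ in how the CA files are referenced (absolute paths versus bare file names) and in which host port each CA publishes. The following Python check is an added example, not code from the post or from Fabric: it models how fabric-ca-server resolves those settings and flags both pitfalls. The service dicts are constructed from the page's compose files, with placeholder `_sk` key file names.

```python
"""Lint the fabric-ca services of a docker-compose file (added example, not from the page).
fabric-ca-server resolves relative paths against FABRIC_CA_HOME; if the configured cert/key
files are not found it generates a new self-signed CA instead of using the cryptogen material."""
import posixpath
from collections import Counter

CONFIG_DIR = "/etc/hyperledger/fabric-ca-server-config"   # container side of the CA volume

def is_under_mount(path, volumes):
    """True if an absolute container path lies inside one of the 'host:container' volumes."""
    for volume in volumes:
        container_dir = posixpath.normpath(volume.split(":", 1)[1])
        if path == container_dir or path.startswith(container_dir + "/"):
            return True
    return False

def check_ca_files(service):
    """Return the problems with one service's CA cert/key settings (empty list means ok)."""
    env = dict(item.split("=", 1) for item in service.get("environment", []))
    home = env.get("FABRIC_CA_HOME", "/etc/hyperledger/fabric-ca-server")
    problems = []
    for key in ("FABRIC_CA_SERVER_CA_CERTFILE", "FABRIC_CA_SERVER_CA_KEYFILE"):
        value = env.get(key)
        if value is None:
            problems.append(f"{key} is not set")
            continue
        resolved = posixpath.normpath(value if posixpath.isabs(value) else posixpath.join(home, value))
        if not is_under_mount(resolved, service.get("volumes", [])):
            problems.append(f"{key}={value} resolves to {resolved}, outside every mounted volume")
    return problems

def check_host_ports(services):
    """Return host ports published by more than one service (they must be unique per host)."""
    counts = Counter(str(m).split(":", 1)[0] for s in services.values() for m in s.get("ports", []))
    return sorted(port for port, n in counts.items() if n > 1)

# Constructed sample mirroring the page: absolute paths in the official service, bare file
# names in the modified one, both publishing host port 7054; the *_sk names are placeholders.
SERVICES = {
    "ca.example.com": {
        "environment": [f"FABRIC_CA_SERVER_CA_CERTFILE={CONFIG_DIR}/ca.org1.example.com-cert.pem",
                        f"FABRIC_CA_SERVER_CA_KEYFILE={CONFIG_DIR}/org1-placeholder_sk"],
        "ports": ["7054:7054"],
        "volumes": [f"./crypto-config/peerOrganizations/org1.example.com/ca/:{CONFIG_DIR}"]},
    "cppca.xwj.com": {
        "environment": ["FABRIC_CA_SERVER_CA_CERTFILE=ca.orgcpp.xwj.com-cert.pem",
                        "FABRIC_CA_SERVER_CA_KEYFILE=orgcpp-placeholder_sk"],
        "ports": ["7054:7054"],
        "volumes": [f"./crypto-config/peerOrganizations/orgcpp.xwj.com/ca/:{CONFIG_DIR}"]},
}
```

Running `check_ca_files` on each service and `check_host_ports` on the whole map reports the bare-file-name service and the shared port 7054 before the containers are started.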
8.5 Use of the official client fabric-ca-client
In the bin directory there is a fabric-ca-client command; it is the tool the official release provides for users to register accounts.
Hyperledger Fabric Certificate Authority Client
Usage:
fabric-ca-client [command]
Available Commands:
affiliation Manage affiliations
enroll Enroll an identity
gencrl Generate a CRL
gencsr Generate a CSR
getcacert Get CA certificate chain
identity Manage identities
reenroll Reenroll an identity
register Register an identity
revoke Revoke an identity
version Prints Fabric CA Client version
Flags:
--caname string Name of CA
--csr.cn string The common name field of the certificate signing request
--csr.hosts stringSlice A list of space-separated host names in a certificate signing request
--csr.names stringSlice A list of comma-separated CSR names of the form <name>=<value> (e.g. C=CA,O=Org1)
--csr.serialnumber string The serial number in a certificate signing request
-d, --debug Enable debug level logging
--enrollment.attrs stringSlice A list of comma-separated attribute requests of the form <name>[:opt] (e.g. foo,bar:opt)
--enrollment.label string Label to use in HSM operations
--enrollment.profile string Name of the signing profile to use in issuing the certificate
-H, --home string Client's home directory (default "$HOME/.fabric-ca-client")
--id.affiliation string The identity's affiliation
--id.attrs stringSlice A list of comma-separated attributes of the form <name>=<value> (e.g. foo=foo1,bar=bar1)
--id.maxenrollments int The maximum number of times the secret can be reused to enroll (default CA's Max Enrollment)
--id.name string Unique name of the identity
--id.secret string The enrollment secret for the identity being registered
--id.type string Type of identity being registered (e.g. 'peer, app, user') (default "client")
-M, --mspdir string Membership Service Provider directory (default "msp")
-m, --myhost string Hostname to include in the certificate signing request during enrollment (default "$HOSTNAME")
-a, --revoke.aki string AKI (Authority Key Identifier) of the certificate to be revoked
-e, --revoke.name string Identity whose certificates should be revoked
-r, --revoke.reason string Reason for revocation
-s, --revoke.serial string Serial number of the certificate to be revoked
--tls.certfiles stringSlice A list of comma-separated PEM-encoded trusted certificate files (e.g. root1.pem,root2.pem)
--tls.client.certfile string PEM-encoded certificate file when mutual authenticate is enabled
--tls.client.keyfile string PEM-encoded key file when mutual authentication is enabled
-u, --url string URL of fabric-ca-server (default "http://localhost:7054")
Use "fabric-ca-client [command] --help" for more information about a command.
Enroll an administrator account (the host is written as a placeholder here; use the address of your fabric-ca server):
fabric-ca-client enroll -u http://admin:adminpw@<fabric-ca-host>:8054
This generates a .fabric-ca-client folder in the user's home directory, which contains the msp.
8.6 Implementing a fabric client in Node.js
Client API reference:
https://hyperledger.github.io/fabric-sdk-node/
Fabric 1.4 version: https://hyperledger.github.io/fabric-sdk-node/release-1.4/module-fabric-network.html
2.2 version: https://hyperledger.github.io/fabric-sdk-node/release-2.2/FabricCAServices.html#register
(1.2 has already been removed)
Create an empty directory
mkdir node-client
cd node-client
Initialize and create the package.json configuration file
npm init # press Enter through all the prompts; the fields can be filled in directly in the file afterwards
Switch to the Taobao registry to speed up downloads
npm config -g set registry https://registry.npm.taobao.org
Check that the switch took effect
npm config -g get registry # if you see the registry address, it's ok
Or switch to Taobao's cnpm
npm install -g cnpm --registry=https://registry.npm.taobao.org
Check the version; from now on use cnpm to download dependencies
cnpm -v
Run the following commands to install the third-party dependencies
npm install --save fabric-ca-client # --save writes the module into the dependencies property
npm install --save fabric-client
npm install --save grpc
Or, with cnpm:
cnpm install --save fabric-ca-client
cnpm install --save fabric-client
cnpm install --save grpc
Downloading takes some time; wait a little.
package.json configuration explained: https://blog.csdn.net/Aurora100/article/details/78590346
dependencies and devDependencies are the packages the project depends on in production and in development/testing respectively. Each points to an object whose members are module names paired with their version requirements, describing the modules depended on and their allowed version ranges. --save writes the module into the dependencies property; --save-dev writes it into the devDependencies property.
After installation, open package.json and you will see:
(The versions here do not follow the video course; they are the latest ones, because the documentation for the old versions is gone.)
Copy the contents of the fabric-samples/fabcar folder into the newly created folder
to obtain the packages it needs
package.json from the official test case:
{
  "name": "fabcar",
  "version": "1.0.0",
  "description": "Hyperledger Fabric Car Sample Application",
  "main": "fabcar.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "dependencies": {
    "fabric-ca-client": "unstable",
    "fabric-client": "unstable",
    "grpc": "^1.6.0"
  },
  "author": "Anthony O'Dowd",
  "license": "Apache-2.0",
  "keywords": [
    "Hyperledger",
    "Fabric",
    "Car",
    "Sample",
    "Application"
  ]
}
9. Multi-host, multi-node deployment under Solo consensus
All nodes are deployed separately, one node per host.
Name | IP | HostName | Organization
---|---|---|---
orderer | 10.0.2.5 | orderer.example.com | /
peer0 | 10.0.2.6 | peer0.orgbmw.example.com | OrgBmw (BMW)
peer1 | | peer1.orgbmw.example.com | BMW
peer0 | 10.0.2.7 | peer0.orgbenz.example.com | OrgBenz (Benz)
peer1 | | peer1.orgbenz.example.com | Benz
If you do not have several physical hosts, you can use a virtual cluster instead. For details see this article I wrote:
https://blog.csdn.net/weixin_43988498/article/details/109159785
I used a virtual cluster to try out the multi-host, multi-node deployment.
9.1 Preparation
The n hosts each need a working directory with the same name, so that they can join the same network.
10.0.2.5
mkdir ~/carFabric
10.0.2.6
mkdir ~/carFabric
10.0.2.7
mkdir ~/carFabric
Generate the certificate template
cryptogen showtemplate > crypto-config.yaml
Modify the configuration
vim crypto-config.yaml
Generate the certificates
cryptogen generate --config=crypto-config.yaml
Generate the channel file and the genesis block
cp ~/fabric-1.2/fabric-samples/first-network/configtx.yaml . # make a copy
Modify the configuration file
vim configtx.yaml
Generate the genesis block
configtxgen -profile CarOrgsOrdererGenesis -outputBlock ./channel-artifacts/genesis.block
Generate the channel file
configtxgen -profile TwoOrgsChannel -outputCreateChannelTx ./channel-artifacts/channel.tx -channelID carChannel
9.2 Different configuration files for different nodes
9.2.1 Deploying the orderer node. Host: 10.0.2.5
Write the docker-compose file:
version: '2'
services:
  orderer.example.com:
    container_name: orderer.example.com
    image: hyperledger/fabric-orderer:latest
    environment:
      - ORDERER_GENERAL_LOGLEVEL=INFO
      - ORDERER_GENERAL_LISTENADDRESS=0.0.0.0
      - ORDERER_GENERAL_GENESISMETHOD=file
      - ORDERER_GENERAL_GENESISFILE=/var/hyperledger/orderer/orderer.genesis.block
      - ORDERER_GENERAL_LOCALMSPID=OrdererMSP
      - ORDERER_GENERAL_LOCALMSPDIR=/var/hyperledger/orderer/msp
      - ORDERER_GENERAL_TLS_ENABLED=true
      - ORDERER_GENERAL_TLS_PRIVATEKEY=/var/hyperledger/orderer/tls/server.key
      - ORDERER_GENERAL_TLS_CERTIFICATE=/var/hyperledger/orderer/tls/server.crt
      - ORDERER_GENERAL_TLS_ROOTCAS=[/var/hyperledger/orderer/tls/ca.crt]
    working_dir: /opt/gopath/src/github.com/hyperledger/fabric
    command: orderer
    volumes:
      - ./channel-artifacts/genesis.block:/var/hyperledger/orderer/orderer.genesis.block
      - ./crypto-config/ordererOrganizations/example.com/orderers/orderer.example.com/msp:/var/hyperledger/orderer/msp
      - ./crypto-config/ordererOrganizations/example.com/orderers/orderer.example.com/tls/:/var/hyperledger/orderer/tls
    ports:
      - 7050:7050
    networks:
      default:
        aliases:
          - carFabric
No more extends: the settings are pulled out of the inherited base file and written into a single file.
Note how networks is written: it means the default network is used and all nodes join this default network; aliases gives it an alias. Do not pick the network name here arbitrarily; write the name of the working directory, so that the networks have the same name and the nodes can reach each other!
Tips
1. System has not been booted with systemd as init system (PID 1). Can't operate.
Failed to connect to bus: Host is down
Cause:
The command I used to start the centos container was:
docker run -d --name centos_1 -it centos:latest /bin/bash
It needs to be changed to
docker run -tid --name centos_1 --privileged=true centos:latest /sbin/init
That is, add --privileged=true and change /bin/bash to /sbin/init.
After the change the service starts normally.
2. Docker container (centos or ubuntu) cannot use the systemctl command: solution
When the systemctl command shows the message "System has not been booted with systemd as init system (PID 1). Can't operate...".
Solution: /sbin/init
For example, CentOS 8:
docker run -itd --name centos --privileged=true centos /sbin/init # use this command
docker exec -it centos /bin/bash
Note: --privileged=true must be added.
3. "Job for docker.service failed because the control process exited with error code" when starting docker
Docker's engine is based on a storage driver provided by Device Mapper and relies on devicemapper. The stored data directory is /var/lib/docker.
First enter the docker data directory.
cd /var/lib/docker
Delete all folders/files in this directory (this wipes all local images, containers and volumes)
rm -rf *
When deleting, you may get "device or resource busy".
Solution
First use fuser to show which program is currently using aufs on the disk and kill it, then use umount to unmount the aufs mount that program was using:
fuser -m aufs/
fuser -k aufs/
umount aufs/
rm -rf aufs/
After deleting, docker restarts successfully.
sudo systemctl restart docker
-------------End of this article Thank you for reading-------------