Building a FISCO-BCOS blockchain network environment (personally tested, works)

Foreword

Due to the needs of project technology selection, it was necessary to build a FISCO-BCOS blockchain network environment. This article records the setup process, along with a pitfall encountered and its solution.

Target

A networking mode of 6 nodes, 3 institutions, and 2 groups, as shown in the figure. Institution B and Institution C are in Group 1 and Group 2, respectively. Institution A belongs to both Group 1 and Group 2.

Reference article: FISCO-BCOS blockchain network environment construction

Download and install

Download

cd ~/
git clone https://github.com/FISCO-BCOS/generator.git
# If the download stalls for a long time because of network problems, try the following command instead:
git clone https://gitee.com/FISCO-BCOS/generator.git


Install

This operation requires the user to have sudo privileges.

cd ~/generator && bash ./scripts/install.sh

I encountered a pip version mismatch problem here; for details, please refer to the blog post: pip not found problem is solved.
The installation succeeds, as shown in the figure below.
Check whether the installation succeeded; if it did, the output is usage: generator xxx

./generator -h


Get the node binary

Pull the latest fisco-bcos binary into the meta folder. If the network is poor, you can download fisco-bcos in another way, or use the --cdn option, and place the downloaded binary in the meta folder.

./generator --download_fisco ./meta
./generator --download_fisco ./meta --cdn # option for poor network conditions

Check the binary version:
2.5 and earlier: if successful, the output is FISCO-BCOS Version: xxx-x
After version 2.6: the output is directly FISCO-BCOS Version: xxx-x

./meta/fisco-bcos -v


Consortium chain initialization

For the sake of simplicity, all operations in this example are performed on the same machine, and different directories are used to simulate different institutional environments. Use file copy operations to simulate network sending. After downloading and installing in the tutorial, please copy the generator to the generator directory of the corresponding institution.

Institution initialization

We use the generator downloaded in the tutorial as the certificate authority.
Initialize agency A

cp -r ~/generator ~/generator-A

Initialize agency B

cp -r ~/generator ~/generator-B

Initialize chain certificate

Because a FISCO BCOS node communicates with the SDK using non-national-cryptography (non-GM, i.e. standard) algorithms, a non-GM version of the certificate also has to be generated for the node.
Operate on the certificate authority. A consortium chain has a single set of chain certificates, ca.crt and gmca.crt.
Use the --generate_chain_certificate command to generate the chain certificates:

cd ~/generator   # operate in the certificate authority's directory
./generator --generate_chain_certificate ./dir_chain_ca -g # generate the national-cryptography (GM) certificate
./generator --generate_chain_certificate ./dir_chain_ca_normal # generate the standard certificate
ls ./dir_chain_ca # view the chain certificate and private key

# Explanation of the output above
# From left to right: chain certificate, chain private key
gmca.crt  gmca.key
# Explanation of the output above
# From left to right: chain certificate, chain private key
ca.crt  ca.key

Institutions A and B build group 1

Initialize agency A

In the tutorial, the agency certificate and private key are generated directly to simplify the operation. In a real deployment, the agency should generate the private keys agency.key and gmagency.key locally, then generate a certificate request file, and obtain the agency certificates agency.crt and gmagency.crt from the certificate authority.

Operate under the directory of the certificate generation organization to generate the certificate of organization A:

./generator --generate_agency_certificate ./dir_agency_ca ./dir_chain_ca agencyA -g
./generator --generate_agency_certificate ./dir_agency_ca ./dir_chain_ca_normal agencyA_normal

View organization A certificate and private key:

ls dir_agency_ca/agencyA/
ls dir_agency_ca/agencyA_normal/

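# Explanation of the output above
# From left to right: agency certificate, agency private key, chain certificate
gmagency.crt  gmagency.key  gmca.crt
# Explanation of the output above
# From left to right: agency certificate, agency private key, chain certificate
agency.crt  agency.key  ca.crt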

Send the chain certificate, organization certificate, and organization private key to organization A. In this example, the certificate authority sends them to the organization by copying the files into the meta subdirectory of the organization's working directory:

cp ./dir_agency_ca/agencyA/* ~/generator-A/meta/
cp ./dir_agency_ca/agencyA_normal/* ~/generator-A/meta/

View Results

Initialize agency B

Steps are similar to institution A

cd ~/generator   # operate in the certificate authority's directory
# Generate the institution B certificates:
./generator --generate_agency_certificate ./dir_agency_ca ./dir_chain_ca agencyB -g
./generator --generate_agency_certificate ./dir_agency_ca ./dir_chain_ca_normal agencyB_normal

Send the chain certificate, organization certificate, and organization private key to organization B. In this example, the certificate authority sends them to the organization by copying the files into the meta subdirectory of the organization's working directory:

cp ./dir_agency_ca/agencyB/* ~/generator-B/meta/
cp ./dir_agency_ca/agencyB_normal/* ~/generator-B/meta/

Important: Only one root certificate ca.crt can be used in a consortium chain. Do not generate multiple root certificates and private keys when deploying multiple servers. A group can only have one group genesis block group.x.genesis

Institution A modifies the configuration file

node_deployment.ini is the node configuration file. The operation and maintenance deployment tool generates the node certificates and node configuration folders according to the configuration in node_deployment.ini.
Institution A modifies node_deployment.ini under the conf folder as shown below.
Execute the following commands in the ~/generator-A directory:

cd ~/generator-A
cat > ./conf/node_deployment.ini << EOF
[group]
group_id=1

[node0]
; host ip for the communication among peers.
; Please use your ssh login ip.
p2p_ip=10.241.35.7
; listen ip for the communication between sdk clients.
; This ip is the same as p2p_ip for physical host.
; But for virtual host e.g. vps servers, it is usually different from p2p_ip.
; You can check accessible addresses of your network card.
; Please see https://tecadmin.net/check-ip-address-ubuntu-18-04-desktop/
; for more instructions.
rpc_ip=0.0.0.0
channel_ip=0.0.0.0
p2p_listen_port=30300
channel_listen_port=20200
jsonrpc_listen_port=8545

[node1]
p2p_ip=10.241.35.7
rpc_ip=0.0.0.0
channel_ip=0.0.0.0
p2p_listen_port=30301
channel_listen_port=20201
jsonrpc_listen_port=8546
EOF


Modify the configuration file of organization B

Institution B modifies node_deployment.ini under the conf folder as shown below.
Execute the following commands in the ~/generator-B directory:

cd ~/generator-B

Institution B configuration file modification

cat > ./conf/node_deployment.ini << EOF
[group]
group_id=1

[node0]
; host ip for the communication among peers.
; Please use your ssh login ip.
p2p_ip=10.241.35.7
; listen ip for the communication between sdk clients.
; This ip is the same as p2p_ip for physical host.
; But for virtual host e.g. vps servers, it is usually different from p2p_ip.
; You can check accessible addresses of your network card.
; Please see https://tecadmin.net/check-ip-address-ubuntu-18-04-desktop/
; for more instructions.
rpc_ip=0.0.0.0
channel_ip=0.0.0.0
p2p_listen_port=30302
channel_listen_port=20202
jsonrpc_listen_port=8547

[node1]
p2p_ip=10.241.35.7
rpc_ip=127.0.0.1
channel_ip=0.0.0.0
p2p_listen_port=30303
channel_listen_port=20203
jsonrpc_listen_port=8548
EOF


Institution A generates and sends node information

Execute the following command in the ~/generator-A directory

cd ~/generator-A

Institution A generates its node certificates and P2P connection information file. This step requires the node_deployment.ini configured above, and the institution certificate and private key under the institution's meta folder.

./generator --generate_all_certificates ./agencyA_node_info -g
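# View the generated files:
ls ./agencyA_node_info
# Explanation of the output above
# From left to right: the node certificates that need to be handed to institution A, and the node P2P connection address file (this institution's node information, generated from node_deployment.ini)
gmcert_127.0.0.1_30300.crt gmcert_127.0.0.1_30301.crt peers.txt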

When an organization generates a node, it needs to specify the node P2P connection address of other nodes. Therefore, organization A needs to send the node P2P connection address file to organization B

cp ./agencyA_node_info/peers.txt ~/generator-B/meta/peersA.txt


Institution B generates and sends node information

Execute the following command in the ~/generator-B directory

cd ~/generator-B

Institution B generates node certificates and P2P connection information files:

./generator --generate_all_certificates ./agencyB_node_info -g

The institution that generates the genesis block needs the node certificates. In the example, institution A generates the genesis block, so in addition to sending the node P2P connection address file, institution B also needs to send its node certificates to institution A.

Send the certificates

cp ./agencyB_node_info/gmcert*.crt ~/generator-A/meta/

Send node P2P connection address file

cp ./agencyB_node_info/peers.txt ~/generator-A/meta/peersB.txt


Institution A generates the genesis block of group 1

Execute the following command in the ~/generator-A directory

cd ~/generator-A

Institution A modifies group_genesis.ini under the conf folder; for the configuration items, refer to the manual:

cat > ./conf/group_genesis.ini << EOF
[group]
group_id=1

[nodes]
node0=10.241.35.7:30300
node1=10.241.35.7:30301
node2=10.241.35.7:30302
node3=10.241.35.7:30303
EOF

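Explanation of the above command:

; explanation
[group]
; group id
group_id=1

[nodes]
; P2P address of an institution A node
node0=127.0.0.1:30300
; P2P address of an institution A node
node1=127.0.0.1:30301
; P2P address of an institution B node
node2=127.0.0.1:30302
; P2P address of an institution B node
node3=127.0.0.1:30303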

In the tutorial, organization A is selected to generate the group genesis block. In actual production, the generating party can be chosen through negotiation by the consortium chain committee.

This step generates the group genesis block configured in group_genesis.ini from the node certificates placed under the meta folder of institution A. In the tutorial, the meta folder of institution A needs to contain the node certificates named gmcert_127.0.0.1_30300.crt, gmcert_127.0.0.1_30301.crt, gmcert_127.0.0.1_30302.crt and gmcert_127.0.0.1_30303.crt; this step needs to use the node certificates of institution B.

./generator --create_group_genesis ./group -g
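
A pre-flight check for this step, as an added example that is not part of the original post or of the generator tool: it compares the [nodes] list in group_genesis.ini with the certificates present in meta, so a node that would enter the genesis block without the certificate its peer actually sent is caught before the genesis file is distributed. The function names are hypothetical, the file naming gmcert_<ip>_<port>.crt is assumed from the names shown on this page, and the sample files are constructed.

```bash
#!/usr/bin/env bash
# Added example, not from the original post or the FISCO-BCOS generator.
# genesis_preflight INI META [PREFIX]
#   INI    group_genesis.ini to check
#   META   folder holding the collected node certificates
#   PREFIX certificate prefix, default gmcert (naming assumed from this page:
#          <PREFIX>_<ip>_<port>.crt)
# Prints MISSING / DUPLICATE findings; prints nothing when the list is clean.
genesis_preflight() {
    ini=$1 meta=$2 prefix=${3:-gmcert}
    nodes=$(awk '
        /^[ \t]*\[/ { in_nodes = ($0 ~ /^[ \t]*\[nodes\]/); next }
        in_nodes && /^[ \t]*node[0-9]+[ \t]*=/ {
            v = substr($0, index($0, "=") + 1)
            gsub(/[ \t\r]/, "", v)
            print v
        }' "$ini")
    for n in $nodes; do
        ip=${n%%:*} port=${n##*:}
        [ -s "$meta/${prefix}_${ip}_${port}.crt" ] && continue
        # A certificate for the same port filed under another address usually
        # means the genesis entry and the peer's node_deployment.ini disagree.
        hint=""
        for alt in "$meta/${prefix}"_*_"${port}".crt; do
            [ -e "$alt" ] && hint=" (same port, other address: ${alt##*/})"
        done
        echo "MISSING ${prefix}_${ip}_${port}.crt$hint"
    done
    # The same ip:port listed twice in [nodes].
    printf '%s\n' $nodes | sort | uniq -d | sed 's/^/DUPLICATE /'
}

# Constructed sample: four genesis entries, but only two matching certificates,
# one certificate filed under 127.0.0.1 and one absent altogether.
demo_preflight() {
    d=$(mktemp -d) || return 1
    mkdir "$d/meta"
    cat > "$d/group_genesis.ini" << 'EOF'
[group]
group_id=1

[nodes]
node0=10.241.35.7:30300
node1=10.241.35.7:30301
node2=10.241.35.7:30302
node3=10.241.35.7:30303
EOF
    for c in 10.241.35.7_30300 10.241.35.7_30301 127.0.0.1_30302; do
        echo "constructed placeholder, not a real certificate" > "$d/meta/gmcert_$c.crt"
    done
    genesis_preflight "$d/group_genesis.ini" "$d/meta"
    rm -rf "$d"
}

demo_preflight
```

Run it as genesis_preflight ./conf/group_genesis.ini ./meta before --create_group_genesis; any output means the node list and the collected certificates disagree.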

Distribute the genesis block of group 1 to organization B:

cp ./group/group.1.genesis ~/generator-B/meta


Institution A generates its own node

Execute the following command in the ~/generator-A directory

cd ~/generator-A

Generate the node to which organization A belongs. This command will generate the corresponding node configuration folder according to the node_deployment.ini file configured by the user:

Note that the node P2P connection information peers.txt specified in this step is the connection information of other nodes in the group, and it needs to be merged in the case of multiple organizations networking.

./generator --build_install_package ./meta/peersB.txt ./nodeA -g

View the generated node configuration folder:

ls ./nodeA
# Explanation: shown here in tree style
# The generated nodeA folder looks like this:
├── monitor # monitor scripts
├── node_127.0.0.1_30300 # node configuration folder for server 127.0.0.1, port 30300
├── node_127.0.0.1_30301
├── scripts # node utility scripts
├── start_all.sh # script that starts all nodes
└── stop_all.sh # script that stops all nodes

Institution A starts the node:

bash ./nodeA/start_all.sh

View node process:

ps -ef | grep fisco
# Explanation
# The following processes should be visible
fisco  15347     1  0 17:22 pts/2    00:00:00 ~/generator-A/nodeA/node_127.0.0.1_30300/fisco-bcos -c config.ini
fisco  15402     1  0 17:22 pts/2    00:00:00 ~/generator-A/nodeA/node_127.0.0.1_30301/fisco-bcos -c config.ini


Institution B generates its own node

Execute the following command in the ~/generator-B directory

cd ~/generator-B

Generate the node to which organization B belongs. This command will generate the corresponding node configuration folder according to the node_deployment.ini file configured by the user:

./generator --build_install_package ./meta/peersA.txt ./nodeB -g

View the generated node configuration folder:

ls ./nodeB

Institution B starts the node:

bash ./nodeB/start_all.sh

View node process:

ps -ef | grep fisco


Note: The node startup only needs to push the node folder corresponding to the ip. For example, the server of 127.0.0.1 only needs the node configuration folder corresponding to node_127.0.0.1_port. When deploying on multiple machines, you only need to push the generated node folder to the corresponding server.

View the running status of group 1 nodes

View process:

ps -ef | grep fisco
# Explanation
# The following processes should be visible
fisco  15347     1  0 17:22 pts/2    00:00:00 ~/generator-A/nodeA/node_127.0.0.1_30300/fisco-bcos -c config.ini
fisco  15402     1  0 17:22 pts/2    00:00:00 ~/generator-A/nodeA/node_127.0.0.1_30301/fisco-bcos -c config.ini
fisco  15457     1  0 17:22 pts/2    00:00:00 ~/generator-B/nodeB/node_127.0.0.1_30302/fisco-bcos -c config.ini
fisco  15498     1  0 17:22 pts/2    00:00:00 ~/generator-B/nodeB/node_127.0.0.1_30303/fisco-bcos -c config.ini

Check the node log:

tail -f ./node*/node*/log/log*  | grep +++

The result is shown in the figure:
So far, we have completed the operation of establishing group 1 by organizations A and B as shown in the figure

Certificate authority initializes institution C

Operate under the directory of the certificate generating authority:

cd ~/generator

Initialize organization C. Please note that there are chain certificates and private keys in the generator directory at this time. In the actual environment, organization C cannot obtain chain certificates and private keys.

cp -r ~/generator ~/generator-C

Generate the institution C certificates:

./generator --generate_agency_certificate ./dir_agency_ca ./dir_chain_ca agencyC -g
./generator --generate_agency_certificate ./dir_agency_ca ./dir_chain_ca_normal agencyC_normal

Send the chain certificate, organization certificate, and organization private key to organization C. In this example, the certificate authority sends them to the organization by copying the files into the meta subdirectory of the organization's working directory:

cp ./dir_agency_ca/agencyC/* ~/generator-C/meta/
cp ./dir_agency_ca/agencyC_normal/* ~/generator-C/meta/
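
Because ~/generator-C is copied from ~/generator after the chain and agency certificates were generated, the copy also carries dir_chain_ca, dir_chain_ca_normal and dir_agency_ca, which is the situation the note above says cannot occur in a real environment. The following check is an added example, not part of the original post or of the generator tool; it scans an institution's working directory for key files that belong to someone else, using the file names shown on this page. The function names and finding labels are hypothetical and the sample tree is constructed.

```bash
#!/usr/bin/env bash
# Added example, not from the original post or the FISCO-BCOS generator.
# audit_institution_dir DIR
#   Reports key material an institution's working directory should not hold:
#     CHAIN_KEY  - chain private keys (ca.key, gmca.key)
#     OTHER_KEY  - agency keys left under dir_agency_ca/<agency>/
#     LOOSE_PERM - any *.key file readable by group or others
#   Prints nothing when the directory is clean.
audit_institution_dir() {
    dir=$1
    find "$dir" -type f \( -name ca.key -o -name gmca.key \) |
        sed 's/^/CHAIN_KEY /'
    find "$dir" -type f -path '*/dir_agency_ca/*' \
        \( -name agency.key -o -name gmagency.key \) |
        sed 's/^/OTHER_KEY /'
    find "$dir" -type f -name '*.key' \( -perm -040 -o -perm -004 \) |
        sed 's/^/LOOSE_PERM /'
}

# Constructed sample: a tree shaped like ~/generator-C right after the cp -r
# above, with one of its own keys left world-readable.
demo_audit_dir() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/dir_chain_ca" "$d/dir_chain_ca_normal" \
             "$d/dir_agency_ca/agencyA" "$d/meta"
    for f in dir_chain_ca/gmca.key dir_chain_ca_normal/ca.key \
             dir_agency_ca/agencyA/gmagency.key \
             meta/gmagency.key meta/agency.key; do
        echo "constructed placeholder, not a real key" > "$d/$f"
        chmod 600 "$d/$f"
    done
    chmod 644 "$d/meta/agency.key"
    audit_institution_dir "$d"
    rm -rf "$d"
}

demo_audit_dir
```

On a real deployment the institution's directory should produce no CHAIN_KEY or OTHER_KEY lines, and its own agency.key and gmagency.key in meta should be readable by the owning user only.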


Institutions A and C construct group 2

Next, organization C needs to establish a new group with A. In this example, organization C generates the genesis block.

Institution A sends node information

Since organization A has already generated its node certificates and peers file, it only needs to send the previously generated node P2P connection information and node certificates to organization C. Execute the following commands in the ~/generator-A directory:

cd ~/generator-A

In the example, the group genesis block is generated by organization C, so the node certificates of organization A and the node P2P connection address file are required; these files are sent to organization C.

Send the certificates

cp ./agencyA_node_info/gmcert*.crt ~/generator-C/meta/

Send node P2P connection address file

cp ./agencyA_node_info/peers.txt ~/generator-C/meta/peersA.txt


Institution C modifies the configuration file

Institution C modifies node_deployment.ini under the conf folder as shown below.
Execute the following commands in the ~/generator-C directory:

cd ~/generator-C
cat > ./conf/node_deployment.ini << EOF
[group]
group_id=2

[node0]
; host ip for the communication among peers.
; Please use your ssh login ip.
p2p_ip=10.241.35.7
; listen ip for the communication between sdk clients.
; This ip is the same as p2p_ip for physical host.
; But for virtual host e.g. vps servers, it is usually different from p2p_ip.
; You can check accessible addresses of your network card.
; Please see https://tecadmin.net/check-ip-address-ubuntu-18-04-desktop/
; for more instructions.
rpc_ip=0.0.0.0
channel_ip=0.0.0.0
p2p_listen_port=30304
channel_listen_port=20204
jsonrpc_listen_port=8549

[node1]
p2p_ip=10.241.35.7
rpc_ip=0.0.0.0
channel_ip=0.0.0.0
p2p_listen_port=30305
channel_listen_port=20205
jsonrpc_listen_port=8550
EOF
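
The node_deployment.ini files written above for institutions A, B and C all describe nodes on one host, so every listen port must be unique, and most of the nodes set rpc_ip and channel_ip to 0.0.0.0, which makes those listeners reachable on every network interface of that host. The following audit is an added example, not part of the original post or of the generator tool; the function names and finding labels are hypothetical, it assumes all files passed to it describe nodes on the same host, and the sample (institution B's two nodes from this page plus a hypothetical institution X) is constructed.

```bash
# Added example, not from the original post or the FISCO-BCOS generator.
# audit_deployment FILE... prints one finding per line for node_deployment.ini
# files that are assumed to describe nodes running on ONE host:
#   EXPOSED   - rpc_ip / channel_ip bound to 0.0.0.0 (every interface)
#   COLLISION - the same listen port configured twice
audit_deployment() {
    awk '
        /^[ \t]*[;#]/ || /^[ \t]*$/ { next }
        /^[ \t]*\[/ {
            sec = $0
            sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
            next
        }
        {
            eq = index($0, "="); if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/[ \t\r]/, "", key); gsub(/[ \t\r]/, "", val)
            where = FILENAME ":" sec
            if ((key == "rpc_ip" || key == "channel_ip") && val == "0.0.0.0")
                print "EXPOSED " where " " key "=" val
            if (key ~ /_listen_port$/) {
                if (val in seen)
                    print "COLLISION " where " " key "=" val " (first: " seen[val] ")"
                else
                    seen[val] = where " " key
            }
        }
    ' "$@"
}

# Constructed sample: institution B nodes as configured on this page, plus a
# hypothetical institution X whose node reuses two of B ports.
demo_audit() {
    d=$(mktemp -d) || return 1
    cat > "$d/B.ini" << 'EOF'
[node0]
p2p_ip=10.241.35.7
rpc_ip=0.0.0.0
channel_ip=0.0.0.0
p2p_listen_port=30302
channel_listen_port=20202
jsonrpc_listen_port=8547
[node1]
p2p_ip=10.241.35.7
rpc_ip=127.0.0.1
channel_ip=0.0.0.0
p2p_listen_port=30303
channel_listen_port=20203
jsonrpc_listen_port=8548
EOF
    cat > "$d/X.ini" << 'EOF'
[node0]
p2p_ip=10.241.35.7
rpc_ip=127.0.0.1
channel_ip=127.0.0.1
p2p_listen_port=30303
channel_listen_port=20204
jsonrpc_listen_port=8548
EOF
    audit_deployment "$d/B.ini" "$d/X.ini"
    rm -rf "$d"
}
demo_audit
```

For the layout on this page the call would be audit_deployment ~/generator-A/conf/node_deployment.ini ~/generator-B/conf/node_deployment.ini ~/generator-C/conf/node_deployment.ini; each EXPOSED line is a listener to restrict with a specific address or a host firewall rule if SDK clients do not need to reach it from other machines.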

Institution C generates and sends node information

Execute the following command in the ~/generator-C directory

cd ~/generator-C

Institution C generates node certificates and P2P connection information files:

./generator --generate_all_certificates ./agencyC_node_info -g

View generated files:

ls ./agencyC_node_info
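# Explanation of the output above
# From left to right: the node certificates that need to be handed to institution A, and the node P2P connection address file (this institution's node information, generated from node_deployment.ini)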
gmcert_127.0.0.1_30304.crt gmcert_127.0.0.1_30305.crt peers.txt

When an organization generates a node, it needs to specify the node P2P connection address of other nodes. Therefore, organization C needs to send the node P2P connection address file to organization A

cp ./agencyC_node_info/peers.txt ~/generator-A/meta/peersC.txt


Institution C generates group 2 genesis block

Execute the following command in the ~/generator-C directory

cd ~/generator-C

Institution C modifies group_genesis.ini under the conf folder as shown below:

cat > ./conf/group_genesis.ini << EOF
[group]
group_id=2

[nodes]
node0=10.241.35.7:30300
node1=10.241.35.7:30301
node2=10.241.35.7:30304
node3=10.241.35.7:30305
EOF

After the command is executed, the ./conf/group_genesis.ini file will be modified:

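; explanation
[group]
group_id=2

[nodes]
node0=127.0.0.1:30300
; P2P address of an institution A node
node1=127.0.0.1:30301
; P2P address of an institution A node
node2=127.0.0.1:30304
; P2P address of an institution C node
node3=127.0.0.1:30305
; P2P address of an institution C node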

In the tutorial, organization C is selected to generate the group genesis block. In actual production, the generating party can be chosen through negotiation by the consortium chain committee.
This step generates the group genesis block configured in group_genesis.ini from the node certificates placed under the meta folder of organization C.

./generator --create_group_genesis ./group -g

Distribute the genesis block of group 2 to organization A:

cp ./group/group.2.genesis ~/generator-A/meta/


Institution C generates its own node

Execute the following command in the ~/generator-C directory

cd ~/generator-C
./generator --build_install_package ./meta/peersA.txt ./nodeC -g

Institution C starts the node:

bash ./nodeC/start_all.sh
ps -ef | grep fisco


Institution A initializes group 2 for existing nodes

Execute the following command in the ~/generator-A directory

cd ~/generator-A

Add the group 2 configuration file to the existing node. This step adds the group 2 genesis block group.2.genesis to all nodes under ./nodeA:

./generator --add_group ./meta/group.2.genesis ./nodeA

Add the organization C node connection file peers to the existing node. This step adds the node P2P connection address of peersC.txt to all nodes under ./nodeA:

./generator --add_peers ./meta/peersC.txt ./nodeA

Restart organization A node:

bash ./nodeA/stop_all.sh
bash ./nodeA/start_all.sh


View the running status of group 2 nodes

View node process:

ps -ef | grep fisco

Check the node log:
Execute the following command in the ~/generator-C directory

cd ~/generator-C
tail -f ./node*/node*/log/log*  | grep +++
# Explanation
# +++ printed in the log means the node is reaching consensus normally
info|2019-02-25 17:25:56.028692| [g:2][p:264][CONSENSUS][SEALER]++++++++++++++++ Generating seal on,blkNum=1,tx=0,myIdx=0,hash=833bd983...
info|2019-02-25 17:25:59.058625| [g:2][p:264][CONSENSUS][SEALER]++++++++++++++++ Generating seal on,blkNum=1,tx=0,myIdx=0,hash=343b1141...
info|2019-02-25 17:25:57.038284| [g:2][p:264][CONSENSUS][SEALER]++++++++++++++++ Generating seal on,blkNum=1,tx=0,myIdx=1,hash=ea85c27b...

So far, we have completed the construction of group 2 by organizations A and C, as shown in the figure.

Origin blog.csdn.net/ic_xcc/article/details/123732009