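Hyperledger Fabric v2.0: Dynamically Adding an Organization
This article builds on the custom certificates set up in [<< 3. Hyperledger Fabric v2.0 CA Component >>](https://blog.csdn.net/weixin_41540016/article/details/108440545) to add an organization dynamically. The directory layout and tools are the ones used in that article.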
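Note: this article uses a single-host deployment. A distributed deployment works the same way; only the node addresses need to change.
1. Write the org3-ca service configuration
The org3-ca.yaml configuration; upload this file to the /usr/local/home directory on the server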
version: '2'
networks:
  byfn:
    external:
      name: dev
services:
  org3:
    container_name: org3
    image: hyperledger/fabric-ca
    command: sh -c 'fabric-ca-server start -d -b org3-admin:org3-adminpw'
    environment:
      - FABRIC_CA_SERVER_HOME=/usr/local/home/org3/ca/crypto
      - FABRIC_CA_SERVER_TLS_ENABLED=true
      - FABRIC_CA_SERVER_CSR_CN=org3
      - FABRIC_CA_SERVER_CSR_HOSTS=0.0.0.0
      - FABRIC_CA_SERVER_PORT=7054
      - FABRIC_CA_SERVER_DEBUG=true
    volumes:
      - /usr/local/home/org3/ca:/usr/local/home/org3/ca
    networks:
      - byfn
    ports:
      - 7056:7054
2. Start the org3-ca service
Directory structure of /usr/local/home before the org3-ca service is started
![](https://img.laitimes.com/img/_0nNw4CM6IyYiwiM6ICdiwiIyVGduV2YfNWawNCM38FdsYkRGZkRG9lcvx2bjxiNx8VZ6l2cs0TPn5EeBRUTwUFVNBDOsJGcohVYsR2MMBjVtJWd0ckW65UbM5WOHJWa5kHT20ESjBjUIF2X0hXZ0xCMx81dvRWYoNHLrdEZwZ1Rh5WNXp1bwNjW1ZUba9VZwlHdssmch1mclRXY39CXldWYtlWPzNXZj9mcw1ycz9WL49zZuBnLyUzM4IDMwETM5ATOwAjMwIzLc52YucWbp5GZzNmLn9Gbi1yZtl2Lc9CX6MHc0RHaiojIsJye.png)
Check the org3-ca service container; it is now running
After the org3-ca service starts, an org3 folder is created under /usr/local/home. Directory structure of /usr/local/home/org3:
.
└── ca
└── crypto
├── ca-cert.pem
├── fabric-ca-server-config.yaml
├── fabric-ca-server.db
├── IssuerPublicKey
├── IssuerRevocationPublicKey
├── msp
│ ├── cacerts
│ ├── keystore
│ │ ├── 7bfe66a82fd0a55de8f001a054170ae4729cbd84c4591c205b60b5a03ec0524a_sk
│ │ ├── f00f7ec8ead847fd8802e8fbf7915468a96c5d13a7cc3bdc90226e44571b1581_sk
│ │ ├── IssuerRevocationPrivateKey
│ │ └── IssuerSecretKey
│ ├── signcerts
│ └── user
└── tls-cert.pem
3. Register org3 with the tls-ca service
Register all nodes of the org3 organization and its admin with the tls-ca service
# First set the environment variables for tls-ca
export FABRIC_CA_CLIENT_TLS_CERTFILES=/usr/local/home/tls-ca/crypto/ca-cert.pem
export FABRIC_CA_CLIENT_HOME=/usr/local/home/tls-ca/admin
# Enroll with the tls-ca service using the tls-ca admin account
fabric-ca-client enroll -d -u https://tls-ca-admin:[email protected]:7052
# Register all org3 nodes with the tls-ca service
fabric-ca-client register -d --id.name peer1-org3 --id.secret peer1PW --id.type peer -u https://0.0.0.0:7052
fabric-ca-client register -d --id.name peer2-org3 --id.secret peer2PW --id.type peer -u https://0.0.0.0:7052
# Register the org3 admin with the tls-ca service
fabric-ca-client register -d --id.name admin-org3 --id.secret org3AdminPW --id.type admin -u https://0.0.0.0:7052
Register all nodes of the org3 organization and the admin account with the org3-ca service
# Set the environment variables for the org3-ca service
export FABRIC_CA_CLIENT_TLS_CERTFILES=/usr/local/home/org3/ca/crypto/ca-cert.pem
export FABRIC_CA_CLIENT_HOME=/usr/local/home/org3/ca/admin
# Enroll with the org3-ca service as its admin; the org3-admin account and password are the ones given in `command` in the docker-compose file that starts org3-ca
fabric-ca-client enroll -d -u https://org3-admin:[email protected]:7056
After enrolling with org3-ca as org3-admin, an admin folder is created under /usr/local/home/org3 (at ca/admin, as set by FABRIC_CA_CLIENT_HOME)
Directory structure of /usr/local/home/org3
.
└── ca
├── admin
│ ├── fabric-ca-client-config.yaml
│ └── tls-msp
│ ├── cacerts
│ │ └── 0-0-0-0-7056.pem
│ ├── IssuerPublicKey
│ ├── IssuerRevocationPublicKey
│ ├── keystore
│ │ └── 7f72c1e7a3d96e6a5ee4077c31df080c9d0c96d7fbde3baa1866aeb9895cb8c2_sk
│ ├── signcerts
│ │ └── cert.pem
│ └── user
└── crypto
├── ca-cert.pem
├── fabric-ca-server-config.yaml
├── fabric-ca-server.db
├── IssuerPublicKey
├── IssuerRevocationPublicKey
├── msp
│ ├── cacerts
│ ├── keystore
│ │ ├── 7bfe66a82fd0a55de8f001a054170ae4729cbd84c4591c205b60b5a03ec0524a_sk
│ │ ├── f00f7ec8ead847fd8802e8fbf7915468a96c5d13a7cc3bdc90226e44571b1581_sk
│ │ ├── IssuerRevocationPrivateKey
│ │ └── IssuerSecretKey
│ ├── signcerts
│ └── user
└── tls-cert.pem
Register the peer1, peer2 and admin accounts with the org3-ca service
# Register the peer1-org3 account with the org3-ca service
fabric-ca-client register -d --id.name peer1-org3 --id.secret peer1PW --id.type peer -u https://0.0.0.0:7056
# Register the peer2-org3 account with the org3-ca service
fabric-ca-client register -d --id.name peer2-org3 --id.secret peer2PW --id.type peer -u https://0.0.0.0:7056
# Register the admin account with the org3-ca service
fabric-ca-client register -d --id.name admin-org3 --id.secret org3AdminPW --id.type admin -u https://0.0.0.0:7056
4. Obtain the MSP and TLS certificates for org3
Obtain the certificates for peer1-org3
MSP certificate for peer1-org3
# Root directory for peer1-org3's certificates
export FABRIC_CA_CLIENT_HOME=/usr/local/home/org3/peer1
# Use the certificate generated when org3-ca started to talk to org3-ca
export FABRIC_CA_CLIENT_TLS_CERTFILES=/usr/local/home/org3/ca/crypto/ca-cert.pem
# MSP certificate directory for peer1-org3
export FABRIC_CA_CLIENT_MSPDIR=msp
# Enroll with the org3-ca service as peer1-org3
fabric-ca-client enroll -d -u https://peer1-org3:[email protected]:7056
After a successful enrollment with org3-ca, a peer1 folder is created under /usr/local/home/org3
Directory structure of /usr/local/home/org3, with the new peer1 folder
.
├── ca
│ ├── admin
│ │ ├── fabric-ca-client-config.yaml
│ │ └── tls-msp
│ │ ├── cacerts
│ │ │ └── 0-0-0-0-7056.pem
│ │ ├── IssuerPublicKey
│ │ ├── IssuerRevocationPublicKey
│ │ ├── keystore
│ │ │ └── 7f72c1e7a3d96e6a5ee4077c31df080c9d0c96d7fbde3baa1866aeb9895cb8c2_sk
│ │ ├── signcerts
│ │ │ └── cert.pem
│ │ └── user
│ └── crypto
│ ├── ca-cert.pem
│ ├── fabric-ca-server-config.yaml
│ ├── fabric-ca-server.db
│ ├── IssuerPublicKey
│ ├── IssuerRevocationPublicKey
│ ├── msp
│ │ ├── cacerts
│ │ ├── keystore
│ │ │ ├── 7bfe66a82fd0a55de8f001a054170ae4729cbd84c4591c205b60b5a03ec0524a_sk
│ │ │ ├── f00f7ec8ead847fd8802e8fbf7915468a96c5d13a7cc3bdc90226e44571b1581_sk
│ │ │ ├── IssuerRevocationPrivateKey
│ │ │ └── IssuerSecretKey
│ │ ├── signcerts
│ │ └── user
│ └── tls-cert.pem
└── peer1
├── fabric-ca-client-config.yaml
└── msp
├── cacerts
│ └── 0-0-0-0-7056.pem
├── IssuerPublicKey
├── IssuerRevocationPublicKey
├── keystore
│ └── 485c2bcd4e59f254f0b4f2fa02dba3c38d4421e216e8d40f6e610b9cf9d99eb7_sk
├── signcerts
│ └── cert.pem
└── user
TLS certificate for peer1-org3
# TLS certificate directory for peer1-org3
export FABRIC_CA_CLIENT_MSPDIR=tls-msp
# Use the certificate generated when tls-ca started to talk to tls-ca
export FABRIC_CA_CLIENT_TLS_CERTFILES=/usr/local/home/tls-ca/crypto/ca-cert.pem
# Enroll with the tls-ca server as peer1-org3
fabric-ca-client enroll -d -u https://peer1-org3:[email protected]:7052 --enrollment.profile tls --csr.hosts peer1-org3
After a successful enrollment, a tls-msp directory is created under /usr/local/home/org3/peer1
Directory structure of /usr/local/home/org3/peer1, with the new tls-msp directory
.
├── fabric-ca-client-config.yaml
├── msp
│ ├── cacerts
│ │ └── 0-0-0-0-7056.pem
│ ├── IssuerPublicKey
│ ├── IssuerRevocationPublicKey
│ ├── keystore
│ │ └── 485c2bcd4e59f254f0b4f2fa02dba3c38d4421e216e8d40f6e610b9cf9d99eb7_sk
│ ├── signcerts
│ │ └── cert.pem
│ └── user
└── tls-msp
├── cacerts
├── IssuerPublicKey
├── IssuerRevocationPublicKey
├── keystore
│ └── a5c168df5918978be9fa8b8d8b3371d4a7b7cd6d3a3c6a69481c372eca4aa0ee_sk
├── signcerts
│ └── cert.pem
├── tlscacerts
│ └── tls-0-0-0-0-7052.pem
└── user
Rename the private key
mv /usr/local/home/org3/peer1/tls-msp/keystore/*_sk /usr/local/home/org3/peer1/tls-msp/keystore/key.pem
Obtain the certificates for peer2-org3
MSP certificate for peer2-org3
# Root directory for peer2-org3's certificates
export FABRIC_CA_CLIENT_HOME=/usr/local/home/org3/peer2
# Use the certificate generated when org3-ca started to talk to org3-ca
export FABRIC_CA_CLIENT_TLS_CERTFILES=/usr/local/home/org3/ca/crypto/ca-cert.pem
# MSP certificate directory for peer2-org3
export FABRIC_CA_CLIENT_MSPDIR=msp
# Enroll with the org3-ca service as peer2-org3
fabric-ca-client enroll -d -u https://peer2-org3:[email protected]:7056
After a successful enrollment with org3-ca, a peer2 folder is created under /usr/local/home/org3
Directory structure of /usr/local/home/org3/peer2
.
├── fabric-ca-client-config.yaml
└── msp
├── cacerts
│ └── 0-0-0-0-7056.pem
├── IssuerPublicKey
├── IssuerRevocationPublicKey
├── keystore
│ └── 6d19ee59c6c55a1994560746437fe1c3ccc91e3602d6287196a8832dc6c5331d_sk
├── signcerts
│ └── cert.pem
└── user
TLS certificate for peer2-org3
# TLS certificate directory for peer2-org3
export FABRIC_CA_CLIENT_MSPDIR=tls-msp
# Use the certificate generated when tls-ca started to talk to tls-ca
export FABRIC_CA_CLIENT_TLS_CERTFILES=/usr/local/home/tls-ca/crypto/ca-cert.pem
# Enroll with the tls-ca server as peer2-org3
fabric-ca-client enroll -d -u https://peer2-org3:[email protected]:7052 --enrollment.profile tls --csr.hosts peer2-org3
After a successful enrollment, a tls-msp directory is created under /usr/local/home/org3/peer2
Directory structure of /usr/local/home/org3/peer2, with the new tls-msp directory
.
├── fabric-ca-client-config.yaml
├── msp
│ ├── cacerts
│ │ └── 0-0-0-0-7056.pem
│ ├── IssuerPublicKey
│ ├── IssuerRevocationPublicKey
│ ├── keystore
│ │ └── 6d19ee59c6c55a1994560746437fe1c3ccc91e3602d6287196a8832dc6c5331d_sk
│ ├── signcerts
│ │ └── cert.pem
│ └── user
└── tls-msp
├── cacerts
├── IssuerPublicKey
├── IssuerRevocationPublicKey
├── keystore
│ └── a4707f6f30075d1170bbfbeda4813650b89f05b733fc939d3186d25b4da1a945_sk
├── signcerts
│ └── cert.pem
├── tlscacerts
│ └── tls-0-0-0-0-7052.pem
└── user
Rename the private key
mv /usr/local/home/org3/peer2/tls-msp/keystore/*_sk /usr/local/home/org3/peer2/tls-msp/keystore/key.pem
Obtain the certificates for admin-org3
MSP certificate for admin-org3
# Root directory for admin-org3's certificates
export FABRIC_CA_CLIENT_HOME=/usr/local/home/org3/admin
# Use the certificate generated when org3-ca started to talk to org3-ca
export FABRIC_CA_CLIENT_TLS_CERTFILES=/usr/local/home/org3/ca/crypto/ca-cert.pem
# MSP certificate directory for admin-org3
export FABRIC_CA_CLIENT_MSPDIR=msp
# Enroll with the org3-ca service as admin-org3
fabric-ca-client enroll -d -u https://admin-org3:[email protected]:7056
After a successful enrollment with org3-ca, an admin folder is created under /usr/local/home/org3
Directory structure of /usr/local/home/org3/admin
.
├── fabric-ca-client-config.yaml
└── msp
├── cacerts
│ └── 0-0-0-0-7056.pem
├── IssuerPublicKey
├── IssuerRevocationPublicKey
├── keystore
│ └── 57ae6383f055f293c15bd8746edc6909e71af47517eb966e0bc0c190c91d080e_sk
├── signcerts
│ └── cert.pem
└── user
TLS certificate for admin-org3
# TLS certificate directory for admin-org3
export FABRIC_CA_CLIENT_MSPDIR=tls-msp
# Use the certificate generated when tls-ca started to talk to tls-ca
export FABRIC_CA_CLIENT_TLS_CERTFILES=/usr/local/home/tls-ca/crypto/ca-cert.pem
# Enroll with the tls-ca server as admin-org3
fabric-ca-client enroll -d -u https://admin-org3:[email protected]:7052 --enrollment.profile tls --csr.hosts admin-org3
After a successful enrollment, a tls-msp directory is created under /usr/local/home/org3/admin
Directory structure of /usr/local/home/org3/admin, with the new tls-msp directory
.
├── fabric-ca-client-config.yaml
├── msp
│ ├── cacerts
│ │ └── 0-0-0-0-7056.pem
│ ├── config.yaml
│ ├── IssuerPublicKey
│ ├── IssuerRevocationPublicKey
│ ├── keystore
│ │ └── 57ae6383f055f293c15bd8746edc6909e71af47517eb966e0bc0c190c91d080e_sk
│ ├── signcerts
│ │ └── cert.pem
│ └── user
└── tls-msp
├── cacerts
├── IssuerPublicKey
├── IssuerRevocationPublicKey
├── keystore
│ └── 01bb0eaf881a209e2669229e1fa745e736caee99cb689d06d9ae711a9c5f53f5_sk
├── signcerts
│ └── cert.pem
├── tlscacerts
│ └── tls-0-0-0-0-7052.pem
└── user
Rename the private key
mv /usr/local/home/org3/admin/tls-msp/keystore/*_sk /usr/local/home/org3/admin/tls-msp/keystore/key.pem
Issue the admin certificate to peer1 and peer2
Create an admincerts folder under the msp directory of peer1 and of peer2, copy cert.pem from admin/msp/signcerts into it, and rename it org3-admin-cert.pem
# Issue the admin certificate to peer1
mkdir -p /usr/local/home/org3/peer1/msp/admincerts && cp /usr/local/home/org3/admin/msp/signcerts/cert.pem /usr/local/home/org3/peer1/msp/admincerts/org3-admin-cert.pem
# Issue the admin certificate to peer2
mkdir -p /usr/local/home/org3/peer2/msp/admincerts && cp /usr/local/home/org3/admin/msp/signcerts/cert.pem /usr/local/home/org3/peer2/msp/admincerts/org3-admin-cert.pem
config.yaml configuration file
Copy the config.yaml file into the msp folder under the peer1, peer2 and admin directories; the port in the certificate file name is the org3-ca port
NodeOUs:
  Enable: true
  ClientOUIdentifier:
    Certificate: cacerts/0-0-0-0-7056.pem
    OrganizationalUnitIdentifier: client
  PeerOUIdentifier:
    Certificate: cacerts/0-0-0-0-7056.pem
    OrganizationalUnitIdentifier: peer
  AdminOUIdentifier:
    Certificate: cacerts/0-0-0-0-7056.pem
    OrganizationalUnitIdentifier: admin
  OrdererOUIdentifier:
    Certificate: cacerts/0-0-0-0-7056.pem
    OrganizationalUnitIdentifier: orderer
Directory structure of /usr/local/home/org3 at this point
.
├── admin
│ ├── fabric-ca-client-config.yaml
│ ├── msp
│ │ ├── cacerts
│ │ │ └── 0-0-0-0-7056.pem
│ │ ├── config.yaml
│ │ ├── IssuerPublicKey
│ │ ├── IssuerRevocationPublicKey
│ │ ├── keystore
│ │ │ └── 57ae6383f055f293c15bd8746edc6909e71af47517eb966e0bc0c190c91d080e_sk
│ │ ├── signcerts
│ │ │ └── cert.pem
│ │ └── user
│ └── tls-msp
│ ├── cacerts
│ ├── IssuerPublicKey
│ ├── IssuerRevocationPublicKey
│ ├── keystore
│ │ └── c35eea84c985de600f48c42028603fa98bb4f3248fef011b2ff3b78f7d35bb2a_sk
│ ├── signcerts
│ │ └── cert.pem
│ ├── tlscacerts
│ │ └── tls-0-0-0-0-7052.pem
│ └── user
├── ca
│ ├── admin
│ │ ├── fabric-ca-client-config.yaml
│ │ └── tls-msp
│ │ ├── cacerts
│ │ │ └── 0-0-0-0-7056.pem
│ │ ├── IssuerPublicKey
│ │ ├── IssuerRevocationPublicKey
│ │ ├── keystore
│ │ │ └── 7f72c1e7a3d96e6a5ee4077c31df080c9d0c96d7fbde3baa1866aeb9895cb8c2_sk
│ │ ├── signcerts
│ │ │ └── cert.pem
│ │ └── user
│ └── crypto
│ ├── ca-cert.pem
│ ├── fabric-ca-server-config.yaml
│ ├── fabric-ca-server.db
│ ├── IssuerPublicKey
│ ├── IssuerRevocationPublicKey
│ ├── msp
│ │ ├── cacerts
│ │ ├── keystore
│ │ │ ├── 7bfe66a82fd0a55de8f001a054170ae4729cbd84c4591c205b60b5a03ec0524a_sk
│ │ │ ├── f00f7ec8ead847fd8802e8fbf7915468a96c5d13a7cc3bdc90226e44571b1581_sk
│ │ │ ├── IssuerRevocationPrivateKey
│ │ │ └── IssuerSecretKey
│ │ ├── signcerts
│ │ └── user
│ └── tls-cert.pem
├── peer1
│ ├── fabric-ca-client-config.yaml
│ ├── msp
│ │ ├── cacerts
│ │ │ └── 0-0-0-0-7056.pem
│ │ ├── config.yaml
│ │ ├── IssuerPublicKey
│ │ ├── IssuerRevocationPublicKey
│ │ ├── keystore
│ │ │ └── 485c2bcd4e59f254f0b4f2fa02dba3c38d4421e216e8d40f6e610b9cf9d99eb7_sk
│ │ ├── signcerts
│ │ │ └── cert.pem
│ │ └── user
│ └── tls-msp
│ ├── cacerts
│ ├── IssuerPublicKey
│ ├── IssuerRevocationPublicKey
│ ├── keystore
│ │ └── key.pem
│ ├── signcerts
│ │ └── cert.pem
│ ├── tlscacerts
│ │ └── tls-0-0-0-0-7052.pem
│ └── user
└── peer2
├── fabric-ca-client-config.yaml
├── msp
│ ├── cacerts
│ │ └── 0-0-0-0-7056.pem
│ ├── config.yaml
│ ├── IssuerPublicKey
│ ├── IssuerRevocationPublicKey
│ ├── keystore
│ │ └── 6d19ee59c6c55a1994560746437fe1c3ccc91e3602d6287196a8832dc6c5331d_sk
│ ├── signcerts
│ │ └── cert.pem
│ └── user
└── tls-msp
├── cacerts
├── IssuerPublicKey
├── IssuerRevocationPublicKey
├── keystore
│ └── key.pem
├── signcerts
│ └── cert.pem
├── tlscacerts
│ └── tls-0-0-0-0-7052.pem
└── user
Consolidate the org3 certificates
# Create an org3 folder under /usr/local/home/configtx/ and copy admin-org3's MSP certificates into it
mkdir -p /usr/local/home/configtx/org3 && cp -r /usr/local/home/org3/admin/msp /usr/local/home/configtx/org3
# Create a tlscacerts folder under /usr/local/home/configtx/org3/msp/ and copy admin-org3's TLS certificate into it
mkdir -p /usr/local/home/configtx/org3/msp/tlscacerts && cp /usr/local/home/org3/admin/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem /usr/local/home/configtx/org3/msp/tlscacerts
Directory structure of /usr/local/home/configtx after consolidation; org3 is the new folder
Directory structure of /usr/local/home/configtx/org3
.
└── msp
├── cacerts
│ └── 0-0-0-0-7056.pem
├── config.yaml
├── IssuerPublicKey
├── IssuerRevocationPublicKey
├── keystore
│ └── 57ae6383f055f293c15bd8746edc6909e71af47517eb966e0bc0c190c91d080e_sk
├── signcerts
│ └── cert.pem
├── tlscacerts
│ └── tls-0-0-0-0-7052.pem
└── user
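The `cp -r` above also brings the admin's `keystore/*_sk` file into the folder that configtx.yaml reads as `MSPDir`, although an organization's channel definition is built from its CA certificates and config.yaml, not from a private key. The following added example (not part of the original article; the function names and the sample files are constructed for illustration) audits such a folder for private key material and for config.yaml `Certificate` entries that do not resolve, which happens when the CA port in the file name differs.

```python
import re
import tempfile
from pathlib import Path

KEY_MARKER = re.compile(rb"-----BEGIN (?:EC |RSA )?PRIVATE KEY-----")
CERT_REF = re.compile(r"^\s*Certificate:\s*(\S+)\s*$", re.MULTILINE)


def audit_channel_msp(msp_dir):
    """Return a list of problems in an MSP folder referenced by MSPDir."""
    msp = Path(msp_dir)
    problems = []
    # The organization definition needs its CA and TLS CA certificates.
    for sub in ("cacerts", "tlscacerts"):
        folder = msp / sub
        if not folder.is_dir() or not any(folder.glob("*.pem")):
            problems.append(f"missing CA certificate in {sub}/")
    # Every Certificate path in config.yaml (NodeOUs) must exist in the folder.
    cfg = msp / "config.yaml"
    if not cfg.is_file():
        problems.append("missing config.yaml (NodeOUs)")
    else:
        for ref in sorted(set(CERT_REF.findall(cfg.read_text()))):
            if not (msp / ref).is_file():
                problems.append(f"config.yaml references {ref}, which does not exist")
    # Private keys do not belong in a folder that is shared for channel config.
    for f in sorted(p for p in msp.rglob("*") if p.is_file()):
        if f.name.endswith("_sk") or KEY_MARKER.search(f.read_bytes()):
            problems.append(f"private key material: {f.relative_to(msp).as_posix()}")
    return problems


def build_sample(root, cert_name="0-0-0-0-7056.pem", with_key=True):
    """Constructed stand-in for /usr/local/home/configtx/org3/msp."""
    msp = Path(root) / "msp"
    for sub in ("cacerts", "tlscacerts", "keystore", "signcerts"):
        (msp / sub).mkdir(parents=True)
    pem = "-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----\n"
    (msp / "cacerts" / cert_name).write_text(pem)
    (msp / "tlscacerts" / "tls-0-0-0-0-7052.pem").write_text(pem)
    (msp / "signcerts" / "cert.pem").write_text(pem)
    (msp / "config.yaml").write_text(
        "NodeOUs:\n  Enable: true\n  PeerOUIdentifier:\n"
        "    Certificate: cacerts/0-0-0-0-7056.pem\n"
        "    OrganizationalUnitIdentifier: peer\n"
    )
    if with_key:
        (msp / "keystore" / "constructed_sk").write_text(
            "-----BEGIN PRIVATE KEY-----\n(constructed)\n-----END PRIVATE KEY-----\n"
        )
    return msp


def demo(**kwargs):
    """Build the constructed sample in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_channel_msp(build_sample(tmp, **kwargs))


if __name__ == "__main__":
    for problem in demo() or ["OK"]:
        print(problem)
```

To audit the real folder, call `audit_channel_msp("/usr/local/home/configtx/org3/msp")` before running configtxgen.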
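5. Modify the block configuration
Create an org3-artifacts folder under /usr/local/home/configtx; the files for the block update go in /usr/local/home/configtx/org3-artifacts/
mkdir -p /usr/local/home/configtx/org3-artifacts
configtx.yaml for org3
Edit /usr/local/home/configtx/configtx.yaml. The added parts are marked with comments in the file below; pay attention to the certificate paths and the indentation.
I made the changes locally and then uploaded the file to the server: the original configtx.yaml was renamed configtx-org1&org2.yaml, and the file with the org3 configuration added is named configtx.yaml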
---
Organizations:
  - &org0
    Name: org0MSP
    ID: org0MSP
    MSPDir: /usr/local/home/configtx/org0/msp
    Policies:
      Readers:
        Type: Signature
        Rule: "OR('org0MSP.member')"
      Writers:
        Type: Signature
        Rule: "OR('org0MSP.member')"
      Admins:
        Type: Signature
        Rule: "OR('org0MSP.admin')"
    OrdererEndpoints:
      - orderer1-org0:7050
  - &org1
    Name: org1MSP
    ID: org1MSP
    MSPDir: /usr/local/home/configtx/org1/msp
    Policies:
      Readers:
        Type: Signature
        Rule: "OR('org1MSP.admin', 'org1MSP.peer', 'org1MSP.client')"
      Writers:
        Type: Signature
        Rule: "OR('org1MSP.admin', 'org1MSP.client')"
      Admins:
        Type: Signature
        Rule: "OR('org1MSP.admin')"
      Endorsement:
        Type: Signature
        Rule: "OR('org1MSP.peer')"
    AnchorPeers:
      - Host: peer1-org1
        Port: 7051
  - &org2
    Name: org2MSP
    ID: org2MSP
    MSPDir: /usr/local/home/configtx/org2/msp
    Policies:
      Readers:
        Type: Signature
        Rule: "OR('org2MSP.admin', 'org2MSP.peer', 'org2MSP.client')"
      Writers:
        Type: Signature
        Rule: "OR('org2MSP.admin', 'org2MSP.client')"
      Admins:
        Type: Signature
        Rule: "OR('org2MSP.admin')"
      Endorsement:
        Type: Signature
        Rule: "OR('org2MSP.peer')"
    AnchorPeers:
      - Host: peer1-org2
        Port: 9051
  # Added: org3 configuration
  - &org3
    Name: org3MSP
    ID: org3MSP
    MSPDir: /usr/local/home/configtx/org3/msp
    Policies:
      Readers:
        Type: Signature
        Rule: "OR('org3MSP.admin', 'org3MSP.peer', 'org3MSP.client')"
      Writers:
        Type: Signature
        Rule: "OR('org3MSP.admin', 'org3MSP.client')"
      Admins:
        Type: Signature
        Rule: "OR('org3MSP.admin')"
      Endorsement:
        Type: Signature
        Rule: "OR('org3MSP.peer')"
    AnchorPeers:
      - Host: peer1-org3
        # Must match the port peer1-org3 listens on in org3.yaml (11051)
        Port: 11051
Capabilities:
  Channel: &ChannelCapabilities
    V2_0: true
  Orderer: &OrdererCapabilities
    V2_0: true
  Application: &ApplicationCapabilities
    V2_0: true
Application: &ApplicationDefaults
  Policies:
    Readers:
      Type: ImplicitMeta
      Rule: "ANY Readers"
    Writers:
      Type: ImplicitMeta
      Rule: "ANY Writers"
    Admins:
      Type: ImplicitMeta
      Rule: "MAJORITY Admins"
    LifecycleEndorsement:
      Type: ImplicitMeta
      Rule: "MAJORITY Endorsement"
    Endorsement:
      Type: ImplicitMeta
      Rule: "MAJORITY Endorsement"
  Capabilities:
    <<: *ApplicationCapabilities
Orderer: &OrdererDefaults
  OrdererType: etcdraft
  EtcdRaft:
    Consenters:
      - Host: orderer1-org0
        Port: 7050
        ClientTLSCert: /usr/local/home/org0/orderers/orderer1-org0/tls-msp/signcerts/cert.pem
        ServerTLSCert: /usr/local/home/org0/orderers/orderer1-org0/tls-msp/signcerts/cert.pem
      - Host: orderer2-org0
        Port: 8050
        ClientTLSCert: /usr/local/home/org0/orderers/orderer2-org0/tls-msp/signcerts/cert.pem
        ServerTLSCert: /usr/local/home/org0/orderers/orderer2-org0/tls-msp/signcerts/cert.pem
      - Host: orderer3-org0
        Port: 9050
        ClientTLSCert: /usr/local/home/org0/orderers/orderer3-org0/tls-msp/signcerts/cert.pem
        ServerTLSCert: /usr/local/home/org0/orderers/orderer3-org0/tls-msp/signcerts/cert.pem
  BatchTimeout: 2s
  BatchSize:
    MaxMessageCount: 10
    AbsoluteMaxBytes: 99 MB
    PreferredMaxBytes: 512 KB
  Organizations:
  Policies:
    Readers:
      Type: ImplicitMeta
      Rule: "ANY Readers"
    Writers:
      Type: ImplicitMeta
      Rule: "ANY Writers"
    Admins:
      Type: ImplicitMeta
      Rule: "MAJORITY Admins"
    BlockValidation:
      Type: ImplicitMeta
      Rule: "ANY Writers"
Channel: &ChannelDefaults
  Policies:
    Readers:
      Type: ImplicitMeta
      Rule: "ANY Readers"
    Writers:
      Type: ImplicitMeta
      Rule: "ANY Writers"
    Admins:
      Type: ImplicitMeta
      Rule: "MAJORITY Admins"
  Capabilities:
    <<: *ChannelCapabilities
Profiles:
  TwoOrgsOrdererGenesis:
    <<: *ChannelDefaults
    Orderer:
      <<: *OrdererDefaults
      Organizations:
        - *org0
      Capabilities:
        <<: *OrdererCapabilities
    Consortiums:
      SampleConsortium:
        Organizations:
          - *org1
          - *org2
  # Add - *org3
  NewOrgsChannel:
    Consortium: SampleConsortium
    <<: *ChannelDefaults
    Application:
      <<: *ApplicationDefaults
      Organizations:
        - *org1
        - *org2
        - *org3
      Capabilities:
        <<: *ApplicationCapabilities
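Files under the /usr/local/home/configtx directory
Get the org3 configuration (org3.json)
Before generating it, check the prerequisites:
- the org3-artifacts folder exists
- the configtx.yaml with org3 added is in place

The channel-artifacts folder is also used, so make sure it exists too
# org3MSP is the ID configured in configtx.yaml
# /usr/local/home/configtx is the directory that contains configtx.yaml
# channel-artifacts/org3.json is the generated file
configtxgen -printOrg org3MSP -configPath /usr/local/home/configtx > ./channel-artifacts/org3.json
Generated successfully
An org3.json file is created under channel-artifacts/
Directory structure of /usr/local/home/configtx/channel-artifacts, with the new org3.json file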
.
├── mychannel.tx
├── org1MSPanchors.tx
├── org2MSPanchors.tx
└── org3.json
Enter the cli container
# Enter the cli container
docker exec -it cli-org1 bash
# Working root directory of the cli
cd /usr/local/home/configtx
You can see the new org3-artifacts folder and the channel-artifacts folder. All subsequent operations use /usr/local/home/configtx as the root directory.
Because org3 has not joined the channel yet, the block has to be fetched first using peer1-org1's certificates; the block contains the channel configuration.
The block is modified to add the org3 organization to it and to have org1 and org2 approve org3's membership.
# TLS certificate for the orderer
export ORDERPEM=/usr/local/home/org0/orderers/orderer1-org0/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem
# Channel name
export CHANNEL_NAME=mychannel
# MSP certificates used for peer1-org1
export CORE_PEER_MSPCONFIGPATH=/usr/local/home/org1/admin/msp
export CORE_PEER_ADDRESS=peer1-org1:7051
export CORE_PEER_LOCALMSPID="org1MSP"
# TLS certificate for peer1-org1
export CORE_PEER_TLS_ROOTCERT_FILE=/usr/local/home/org1/peer1/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem
# Fetch the block using peer1-org1's certificates; config_block.pb is created in the current directory
peer channel fetch config config_block.pb -o orderer1-org0:7050 -c $CHANNEL_NAME --tls --cafile $ORDERPEM
Block fetched successfully
Output: the config_block.pb file
To edit the configuration, convert the pb file to JSON; config.json is written to /usr/local/home/configtx
configtxlator proto_decode --input config_block.pb --type common.Block | jq .data.data[0].payload.data.config > config.json
Add the org3 configuration from org3.json to config.json; modified_config.json is written to /usr/local/home/configtx
jq -s '.[0] * {"channel_group":{"groups":{"Application":{"groups": {"Org3MSP":.[1]}}}}}' config.json /usr/local/home/configtx/channel-artifacts/org3.json > modified_config.json
Encode config.json and modified_config.json as protobuf; both output files are written to /usr/local/home/configtx
# Writes config.pb to /usr/local/home/configtx
configtxlator proto_encode --input config.json --type common.Config --output config.pb
# Writes modified_config.pb
configtxlator proto_encode --input modified_config.json --type common.Config --output modified_config.pb
Compute the difference between the two pb files; org3_update.pb is written to /usr/local/home/configtx
configtxlator compute_update --channel_id mychannel --original config.pb --updated modified_config.pb --output org3_update.pb
Decode the update pb to JSON; the data is written to org3_update.json
configtxlator proto_decode --input org3_update.pb --type common.ConfigUpdate | jq . > org3_update.json
We now have a decoded update file, org3_update.json, which has to be wrapped in an envelope message. This step restores the header field that was stripped earlier. The output goes to /usr/local/home/configtx and is named org3_update_in_envelope.json
echo '{"payload":{"header":{"channel_header":{"channel_id":"'$CHANNEL_NAME'", "type":2}},"data":{"config_update":'$(cat org3_update.json)'}}}' | jq . > org3_update_in_envelope.json
With the properly formed JSON, org3_update_in_envelope.json, we use configtxlator one last time to convert it into the full protobuf format that Fabric requires. The final update object, org3_update_in_envelope.pb, is written to /usr/local/home/configtx
configtxlator proto_encode --input org3_update_in_envelope.json --type common.Envelope --output org3_update_in_envelope.pb
Sign and submit the configuration update
peer channel signconfigtx -f org3_update_in_envelope.pb
Switch the environment to org2 and run the configuration update. Because update also signs on behalf of the current organization, org2 does not need a separate signing step
export CORE_PEER_MSPCONFIGPATH=/usr/local/home/org2/admin/msp
export CORE_PEER_ADDRESS=peer1-org2:9051
export CORE_PEER_LOCALMSPID="org2MSP"
export CORE_PEER_TLS_ROOTCERT_FILE=/usr/local/home/org2/peer1/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem
export CHANNEL_NAME=mychannel
export ORDERPEM=/usr/local/home/org0/orderers/orderer1-org0/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem
# Update command
peer channel update -f org3_update_in_envelope.pb -c $CHANNEL_NAME -o orderer1-org0:7050 --tls --cafile $ORDERPEM
Updated successfully
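Each admin who runs `peer channel signconfigtx` or `peer channel update` is approving whatever org3_update.json contains, so it is worth checking that the update adds the new organization and touches nothing else. The following added example (not part of the original article) walks the decoded ConfigUpdate and reports every element whose version differs between `read_set` and `write_set`. The function names and the sample update are constructed for illustration; the group key `Org3MSP` comes from the jq command above and the MSP ID `org3MSP` from configtx.yaml.

```python
import copy
import json
import sys

KINDS = ("groups", "policies", "values")


def changed_elements(read, write, path=""):
    """Paths of the elements a ConfigUpdate really writes.

    An element is changed when write_set carries it with a version that
    differs from read_set, or when read_set does not list it at all.
    Entries with equal versions are context only.
    """
    changed = []
    for kind in KINDS:
        read_items = read.get(kind) or {}
        for name, w in (write.get(kind) or {}).items():
            p = f"{path}/{kind}/{name}"
            r = read_items.get(name)
            if r is None or str(r.get("version", "0")) != str(w.get("version", "0")):
                changed.append(p)
            if kind == "groups" and r is not None:
                changed.extend(changed_elements(r, w, p))
    return changed


def review_update(update, channel_id, org_key, msp_id):
    """Return findings; an empty list means the update only adds org_key."""
    findings = []
    if update.get("channel_id") != channel_id:
        findings.append(f"channel_id is {update.get('channel_id')!r}")
    read = update.get("read_set") or {}
    write = update.get("write_set") or {}
    if str(read.get("version", "0")) != str(write.get("version", "0")):
        findings.append("root channel group version changed")
    app = "/groups/Application"
    new_org = f"{app}/groups/{org_key}"
    changed = changed_elements(read, write)
    findings += [f"unexpected change: {p}" for p in changed if p not in (app, new_org)]
    read_orgs = ((read.get("groups") or {}).get("Application") or {}).get("groups") or {}
    if new_org not in changed or org_key in read_orgs:
        findings.append(f"{org_key} is not a newly added organization")
        return findings
    org = write["groups"]["Application"]["groups"][org_key]
    msp = ((org.get("values") or {}).get("MSP") or {}).get("value") or {}
    name = (msp.get("config") or {}).get("name")
    if name != msp_id:
        findings.append(f"MSP ID is {name!r}, expected {msp_id!r}")
    return findings


def _element(version="0"):
    return {"groups": {}, "mod_policy": "", "policies": {}, "values": {}, "version": version}


def sample_update():
    """Constructed ConfigUpdate shaped like org3_update.json (not real output)."""
    read_app = _element("1")
    read_app["groups"] = {"org1MSP": _element(), "org2MSP": _element()}
    read_app["policies"] = {"Admins": {"mod_policy": "", "policy": None, "version": "0"}}
    write_app = copy.deepcopy(read_app)
    write_app["version"] = "2"
    org3 = _element()
    org3["values"] = {"MSP": {"mod_policy": "Admins", "version": "0",
                              "value": {"config": {"name": "org3MSP"}, "type": 0}}}
    write_app["groups"]["Org3MSP"] = org3
    read_root, write_root = _element(), _element()
    read_root["groups"] = {"Application": read_app}
    write_root["groups"] = {"Application": write_app}
    return {"channel_id": "mychannel", "read_set": read_root, "write_set": write_root}


if __name__ == "__main__":
    # Pass the path to org3_update.json, or run without arguments for the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            update = json.load(fh)
    else:
        update = sample_update()
    for line in review_update(update, "mychannel", "Org3MSP", "org3MSP") or ["OK"]:
        print(line)
```

A finding such as `unexpected change: /groups/Application/policies/Admins` means the update rewrites a channel policy in addition to adding the organization and should not be signed as is.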
6. Start the nodes of the org3 organization
Write the docker-compose file for org3
Go to the /usr/local/home directory and create the org3.yaml file
cd /usr/local/home && touch org3.yaml
org3.yaml configuration
version: '2'
volumes:
  peer1-org3:
  peer2-org3:
networks:
  byfn:
    external:
      name: dev
services:
  peer1-org3:
    container_name: peer1-org3
    image: hyperledger/fabric-peer:latest
    environment:
      - CORE_PEER_ID=peer1-org3
      # This peer's own address (peer1-org3, not peer1-org1)
      - CORE_PEER_ADDRESS=peer1-org3:11051
      - CORE_PEER_LISTENADDRESS=0.0.0.0:11051
      - CORE_PEER_CHAINCODEADDRESS=peer1-org3:11052
      - CORE_PEER_CHAINCODELISTENADDRESS=0.0.0.0:11052
      - CORE_PEER_GOSSIP_BOOTSTRAP=peer1-org3:11051
      - CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer1-org3:11051
      - CORE_PEER_LOCALMSPID=org3MSP
      - CORE_PEER_MSPCONFIGPATH=/usr/local/home/org3/peer1/msp
      - CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
      - CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE=dev
      - FABRIC_LOGGING_SPEC=debug
      - CORE_PEER_TLS_ENABLED=true
      - CORE_PEER_TLS_CERT_FILE=/usr/local/home/org3/peer1/tls-msp/signcerts/cert.pem
      - CORE_PEER_TLS_KEY_FILE=/usr/local/home/org3/peer1/tls-msp/keystore/key.pem
      - CORE_PEER_TLS_ROOTCERT_FILE=/usr/local/home/org3/peer1/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem
      - CORE_PEER_GOSSIP_USELEADERELECTION=true
      - CORE_PEER_GOSSIP_ORGLEADER=false
      - CORE_PEER_PROFILE_ENABLED=true
      - CORE_PEER_GOSSIP_SKIPHANDSHAKE=true
    working_dir: /opt/gopath/src/github.com/hyperledger/fabric/org3/peer1
    volumes:
      - /var/run:/host/var/run
      - /usr/local/home:/usr/local/home
    networks:
      - byfn
    ports:
      - 11051:11051
  peer2-org3:
    container_name: peer2-org3
    image: hyperledger/fabric-peer:latest
    environment:
      - CORE_PEER_ID=peer2-org3
      - CORE_PEER_ADDRESS=peer2-org3:12051
      - CORE_PEER_LISTENADDRESS=0.0.0.0:12051
      - CORE_PEER_CHAINCODEADDRESS=peer2-org3:12052
      - CORE_PEER_CHAINCODELISTENADDRESS=0.0.0.0:12052
      # Bootstrap from peer1-org3, which listens on 11051
      - CORE_PEER_GOSSIP_BOOTSTRAP=peer1-org3:11051
      - CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer2-org3:12051
      - CORE_PEER_LOCALMSPID=org3MSP
      - CORE_PEER_MSPCONFIGPATH=/usr/local/home/org3/peer2/msp
      - CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
      - CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE=dev
      - FABRIC_LOGGING_SPEC=debug
      - CORE_PEER_TLS_ENABLED=true
      - CORE_PEER_TLS_CERT_FILE=/usr/local/home/org3/peer2/tls-msp/signcerts/cert.pem
      - CORE_PEER_TLS_KEY_FILE=/usr/local/home/org3/peer2/tls-msp/keystore/key.pem
      - CORE_PEER_TLS_ROOTCERT_FILE=/usr/local/home/org3/peer2/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem
      - CORE_PEER_GOSSIP_USELEADERELECTION=true
      - CORE_PEER_GOSSIP_ORGLEADER=false
      - CORE_PEER_PROFILE_ENABLED=true
      - CORE_PEER_GOSSIP_SKIPHANDSHAKE=true
    working_dir: /opt/gopath/src/github.com/hyperledger/fabric/org3/peer2
    volumes:
      - /var/run:/host/var/run
      - /usr/local/home:/usr/local/home
    networks:
      - byfn
    ports:
      - 12051:12051
Start org3
docker-compose -f org3.yaml up -d
7. Join org3 to the channel
Enter the cli container
docker exec -it cli-org1 bash
# Go to the working directory
cd /usr/local/home/
# Switch to the org3 environment variables
export CORE_PEER_LOCALMSPID="org3MSP"
export CORE_PEER_ADDRESS=peer1-org3:11051
export CORE_PEER_TLS_ROOTCERT_FILE=/usr/local/home/org3/peer1/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem
export CORE_PEER_MSPCONFIGPATH=/usr/local/home/org3/admin/msp
export ORDERPEM=/usr/local/home/org0/orderers/orderer1-org0/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem
# Set the channel name
export CHANNEL_NAME=mychannel
# Fetch block 0, the genesis block of mychannel
peer channel fetch 0 $CHANNEL_NAME.block -o orderer1-org0:7050 -c $CHANNEL_NAME --tls --cafile $ORDERPEM
# This command writes the genesis block to a file named $CHANNEL_NAME.block. Now use this block to join the org3 peer to the channel.
peer channel join -b $CHANNEL_NAME.block
Joined the channel successfully
List the channels
peer channel list
Output
8. Install chaincode on peer1-org3
Installing chaincode for org3 is no different from installing it on peer1-org2 and peer1-org1, so it is not repeated here