Dynamically Configuring Raft Nodes in Hyperledger Fabric
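While reading the official documentation recently, I noticed that the new consensus algorithm, etcdraft, allows ordering nodes to be added or removed dynamically, so I spent a day trying it out and wrote this article to record the whole process.
The initial network in this article has 4 Orderer nodes and 1 Peer node (used to update the configuration and for testing); a fifth Orderer node is then added dynamically.
This article has two parts:
- Part one manually generates the certificate files for every node with Fabric-CA.
- Part two updates the Fabric network configuration to add the new Orderer node.
This article is based on Fabric v2.0.0-beta. Any version number higher than 1.4.1 will work.
1 Building a customized Fabric network
The prerequisite is that Fabric's sample network already runs successfully; see here -> Hyperledger Fabric Environment Setup
First, under $GOPATH (the path used in this article is $GOPATH/src/github.com/hyperledger/fab), create the following folders for the later steps:
.                          # the root directory, fab
├── ca                     # folder with the CA configuration files used to generate the CA certificates
│   ├── org1
│   │   └── fabric-ca-server-config.yaml
│   └── server
│       └── fabric-ca-server-config.yaml
├── channel-artifacts      # stores the genesis block and the channel configuration files
├── configtx.yaml          # configuration file used to generate the genesis block and the channel configuration files
├── crypto-config          # stores the generated certificate files
├── docker                 # the Fabric nodes are started with Docker; these are the Docker files that start them
│   ├── base.yaml
│   ├── docker-compose-addOrderer5.yaml
│   ├── docker-compose-ca.yaml
│   ├── docker-compose-orderers.yaml
│   └── docker-compose-peer.yaml
└── store                  # stores blocks and other data
All of the following operations are assumed to be run from the root folder!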
1.1 CA configuration files
Here they are, pasted directly. org1/fabric-ca-server-config.yaml:
version: 1.2.0
# Server's listening port (default: 7054)
port: 7054
# Enables debug logging (default: false)
debug: false
crlsizelimit: 512000
tls:
  # Enable TLS (default: false)
  enabled: true
  certfile:
  keyfile:
  clientauth:
    type: noclientcert
    certfiles:
ca:
  # Name of this CA
  name: Org1CA
  keyfile:
  certfile:
  chainfile:
crl:
  expiry: 24h
registry:
  maxenrollments: -1
  identities:
    - name: admin
      pass: adminpw
      type: client
      affiliation: ""
      attrs:
        hf.Registrar.Roles: "*"
        hf.Registrar.DelegateRoles: "*"
        hf.Revoker: true
        hf.IntermediateCA: true
        hf.GenCRL: true
        hf.Registrar.Attributes: "*"
        hf.AffiliationMgr: true
db:
  type: sqlite3
  datasource: fabric-ca-server.db
  tls:
    enabled: false
    certfiles:
    client:
      certfile:
      keyfile:
ldap:
  enabled: false
  url: ldap://<adminDN>:<adminPassword>@<host>:<port>/<base>
  tls:
    certfiles:
    client:
      certfile:
      keyfile:
  attribute:
    names: ['uid','member']
    converters:
      - name:
        value:
    maps:
      groups:
        - name:
          value:
affiliations:
  org1:
    - department1
    - department2
  org2:
    - department1
signing:
  default:
    usage:
      - digital signature
    expiry: 8760h
  profiles:
    ca:
      usage:
        - cert sign
        - crl sign
      expiry: 43800h
      caconstraint:
        isca: true
        maxpathlen: 0
    tls:
      usage:
        - signing
        - key encipherment
        - server auth
        - client auth
        - key agreement
      expiry: 8760h
csr:
  cn: ca.org1.example.com
  names:
    - C: US
      ST: "North Carolina"
      L: "Durham"
      O: org1.example.com
      OU:
  hosts:
    - localhost
    - org1.example.com
  ca:
    expiry: 131400h
    pathlength: 1
bccsp:
  default: SW
  sw:
    hash: SHA2
    security: 256
    filekeystore:
      keystore: msp/keystore
cacount:
cafiles:
intermediate:
  parentserver:
    url:
    caname:
  enrollment:
    hosts:
    profile:
    label:
  tls:
    certfiles:
    client:
      certfile:
      keyfile:
And server/fabric-ca-server-config.yaml:
# Version of config file
version: 1.2.0
# Server's listening port (default: 7054)
port: 7054
# Enables debug logging (default: false)
debug: false
# Size limit of an acceptable CRL in bytes (default: 512000)
crlsizelimit: 512000
tls:
  # Enable TLS (default: false)
  enabled: true
  # TLS for the server's listening port
  certfile:
  keyfile:
  clientauth:
    type: noclientcert
    certfiles:
ca:
  # Name of this CA
  name: OrdererCA
  keyfile:
  certfile:
  chainfile:
crl:
  expiry: 24h
registry:
  maxenrollments: -1
  identities:
    - name: admin
      pass: adminpw
      type: client
      affiliation: ""
      attrs:
        hf.Registrar.Roles: "*"
        hf.Registrar.DelegateRoles: "*"
        hf.Revoker: true
        hf.IntermediateCA: true
        hf.GenCRL: true
        hf.Registrar.Attributes: "*"
        hf.AffiliationMgr: true
db:
  type: sqlite3
  datasource: fabric-ca-server.db
  tls:
    enabled: false
    certfiles:
    client:
      certfile:
      keyfile:
ldap:
  enabled: false
  url: ldap://<adminDN>:<adminPassword>@<host>:<port>/<base>
  tls:
    certfiles:
    client:
      certfile:
      keyfile:
  attribute:
    names: ['uid','member']
    converters:
      - name:
        value:
    maps:
      groups:
        - name:
          value:
affiliations:
  org1:
    - department1
    - department2
  org2:
    - department1
signing:
  default:
    usage:
      - digital signature
    expiry: 8760h
  profiles:
    ca:
      usage:
        - cert sign
        - crl sign
      expiry: 43800h
      caconstraint:
        isca: true
        maxpathlen: 0
    tls:
      usage:
        - signing
        - key encipherment
        - server auth
        - client auth
        - key agreement
      expiry: 8760h
csr:
  cn: ca.example.com
  names:
    - C: US
      ST: "New York"
      L: "New York"
      O: example.com
      OU:
  hosts:
    - localhost
    - example.com
  ca:
    expiry: 131400h
    pathlength: 1
bccsp:
  default: SW
  sw:
    hash: SHA2
    security: 256
    filekeystore:
      keystore: msp/keystore
cacount:
cafiles:
intermediate:
  parentserver:
    url:
    caname:
  enrollment:
    hosts:
    profile:
    label:
  tls:
    certfiles:
    client:
      certfile:
      keyfile:
The docker-compose-ca.yaml file:
version: '2'
services:
  ca:
    image: hyperledger/fabric-ca:1.4.4
    environment:
      - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
      - FABRIC_CA_SERVER_CA_NAME=ca-orderer
      - FABRIC_CA_SERVER_TLS_ENABLED=true
      - FABRIC_CA_SERVER_PORT=9054
    ports:
      - "9054:9054"
    command: sh -c 'fabric-ca-server start -b admin:adminpw -d'
    volumes:
      - ../ca/server:/etc/hyperledger/fabric-ca-server
    container_name: ca_orderer
  ca0:
    image: hyperledger/fabric-ca:1.4.4
    environment:
      - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
      - FABRIC_CA_SERVER_CA_NAME=ca-org1
      - FABRIC_CA_SERVER_TLS_ENABLED=true
      - FABRIC_CA_SERVER_PORT=7054
    ports:
      - "7054:7054"
    command: sh -c 'fabric-ca-server start -b admin:adminpw -d'
    volumes:
      - ../ca/org1:/etc/hyperledger/fabric-ca-server
    container_name: ca_org1
Save the three files above to the specified paths, then start the CA servers with the following command:
docker-compose -f docker/docker-compose-ca.yaml up -d
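The servers automatically read the two configuration files above and initialize the CA servers.
Of course, the server configuration files are generated automatically in the ca/server/ subfolder; the one used most here is the tls-cert.pem file.
1.2 Registering the Orderer nodes
First set the environment variable and log in with the administrator account:
# Create the subfolder that stores the Orderer node certificates.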
mkdir -p crypto-config/orderOrganization/example.com
export FABRIC_CA_CLIENT_HOME=${PWD}/crypto-config/orderOrganization/example.com
fabric-ca-client enroll -u https://admin:adminpw@localhost:9054 --caname ca-orderer --tls.certfiles ${PWD}/ca/server/tls-cert.pem
Generate the node-type classification configuration file (I am not sure what this file should be called, so I will use this name for now):
echo 'NodeOUs:
  Enable: true
  ClientOUIdentifier:
    Certificate: cacerts/localhost-9054-ca-orderer.pem
    OrganizationalUnitIdentifier: client
  PeerOUIdentifier:
    Certificate: cacerts/localhost-9054-ca-orderer.pem
    OrganizationalUnitIdentifier: peer
  AdminOUIdentifier:
    Certificate: cacerts/localhost-9054-ca-orderer.pem
    OrganizationalUnitIdentifier: admin
  OrdererOUIdentifier:
    Certificate: cacerts/localhost-9054-ca-orderer.pem
    OrganizationalUnitIdentifier: orderer' > ${PWD}/crypto-config/orderOrganization/example.com/msp/config.yaml
Then register the 4 initial Orderer nodes of the network:
fabric-ca-client register -u https://admin:adminpw@localhost:9054 --caname ca-orderer --id.name orderer1 --id.secret ordererpw --id.type orderer --id.attrs '"hf.Registrar.Roles=orderer"' --tls.certfiles ${PWD}/ca/server/tls-cert.pem
fabric-ca-client register -u https://admin:adminpw@localhost:9054 --caname ca-orderer --id.name orderer2 --id.secret ordererpw --id.type orderer --id.attrs '"hf.Registrar.Roles=orderer"' --tls.certfiles ${PWD}/ca/server/tls-cert.pem
fabric-ca-client register -u https://admin:adminpw@localhost:9054 --caname ca-orderer --id.name orderer3 --id.secret ordererpw --id.type orderer --id.attrs '"hf.Registrar.Roles=orderer"' --tls.certfiles ${PWD}/ca/server/tls-cert.pem
fabric-ca-client register -u https://admin:adminpw@localhost:9054 --caname ca-orderer --id.name orderer4 --id.secret ordererpw --id.type orderer --id.attrs '"hf.Registrar.Roles=orderer"' --tls.certfiles ${PWD}/ca/server/tls-cert.pem
Register the Admin node:
fabric-ca-client register -u https://admin:adminpw@localhost:9054 --caname ca-orderer --id.name ordererAdmin --id.secret ordererAdminpw --id.type admin --id.attrs '"hf.Registrar.Roles=admin"' --tls.certfiles ${PWD}/ca/server/tls-cert.pem
1.3 Obtaining the Orderer certificate files
Create a folder for each of the users just created, to store their certificate files:
mkdir -p crypto-config/orderOrganization/example.com/orderers
mkdir -p crypto-config/orderOrganization/example.com/orderers/orderer1.example.com
mkdir -p crypto-config/orderOrganization/example.com/orderers/orderer2.example.com
mkdir -p crypto-config/orderOrganization/example.com/orderers/orderer3.example.com
mkdir -p crypto-config/orderOrganization/example.com/orderers/orderer4.example.com
Next, obtain the MSP certificate files of each Orderer node:
fabric-ca-client enroll -u https://orderer1:ordererpw@localhost:9054 --caname ca-orderer -M ${PWD}/crypto-config/orderOrganization/example.com/orderers/orderer1.example.com/msp --csr.hosts orderer1.example.com --tls.certfiles ${PWD}/ca/server/tls-cert.pem
fabric-ca-client enroll -u https://orderer2:ordererpw@localhost:9054 --caname ca-orderer -M ${PWD}/crypto-config/orderOrganization/example.com/orderers/orderer2.example.com/msp --csr.hosts orderer2.example.com --tls.certfiles ${PWD}/ca/server/tls-cert.pem
fabric-ca-client enroll -u https://orderer3:ordererpw@localhost:9054 --caname ca-orderer -M ${PWD}/crypto-config/orderOrganization/example.com/orderers/orderer3.example.com/msp --csr.hosts orderer3.example.com --tls.certfiles ${PWD}/ca/server/tls-cert.pem
fabric-ca-client enroll -u https://orderer4:ordererpw@localhost:9054 --caname ca-orderer -M ${PWD}/crypto-config/orderOrganization/example.com/orderers/orderer4.example.com/msp --csr.hosts orderer4.example.com --tls.certfiles ${PWD}/ca/server/tls-cert.pem
And the TLS certificate of each node:
fabric-ca-client enroll -u https://orderer1:ordererpw@localhost:9054 --caname ca-orderer -M ${PWD}/crypto-config/orderOrganization/example.com/orderers/orderer1.example.com/tls --enrollment.profile tls --csr.hosts orderer1.example.com --tls.certfiles ${PWD}/ca/server/tls-cert.pem
fabric-ca-client enroll -u https://orderer2:ordererpw@localhost:9054 --caname ca-orderer -M ${PWD}/crypto-config/orderOrganization/example.com/orderers/orderer2.example.com/tls --enrollment.profile tls --csr.hosts orderer2.example.com --tls.certfiles ${PWD}/ca/server/tls-cert.pem
fabric-ca-client enroll -u https://orderer3:ordererpw@localhost:9054 --caname ca-orderer -M ${PWD}/crypto-config/orderOrganization/example.com/orderers/orderer3.example.com/tls --enrollment.profile tls --csr.hosts orderer3.example.com --tls.certfiles ${PWD}/ca/server/tls-cert.pem
fabric-ca-client enroll -u https://orderer4:ordererpw@localhost:9054 --caname ca-orderer -M ${PWD}/crypto-config/orderOrganization/example.com/orderers/orderer4.example.com/tls --enrollment.profile tls --csr.hosts orderer4.example.com --tls.certfiles ${PWD}/ca/server/tls-cert.pem
Copy the node-type classification configuration file generated earlier into each node's MSP folder:
cp ${PWD}/crypto-config/orderOrganization/example.com/msp/config.yaml ${PWD}/crypto-config/orderOrganization/example.com/orderers/orderer1.example.com/msp/config.yaml
cp ${PWD}/crypto-config/orderOrganization/example.com/msp/config.yaml ${PWD}/crypto-config/orderOrganization/example.com/orderers/orderer2.example.com/msp/config.yaml
cp ${PWD}/crypto-config/orderOrganization/example.com/msp/config.yaml ${PWD}/crypto-config/orderOrganization/example.com/orderers/orderer3.example.com/msp/config.yaml
cp ${PWD}/crypto-config/orderOrganization/example.com/msp/config.yaml ${PWD}/crypto-config/orderOrganization/example.com/orderers/orderer4.example.com/msp/config.yaml
Then rename each node's TLS certificate and key files so they are easier to use later:
cp ${PWD}/crypto-config/orderOrganization/example.com/orderers/orderer1.example.com/tls/tlscacerts/* ${PWD}/crypto-config/orderOrganization/example.com/orderers/orderer1.example.com/tls/ca.crt
cp ${PWD}/crypto-config/orderOrganization/example.com/orderers/orderer1.example.com/tls/signcerts/* ${PWD}/crypto-config/orderOrganization/example.com/orderers/orderer1.example.com/tls/server.crt
cp ${PWD}/crypto-config/orderOrganization/example.com/orderers/orderer1.example.com/tls/keystore/* ${PWD}/crypto-config/orderOrganization/example.com/orderers/orderer1.example.com/tls/server.key
cp ${PWD}/crypto-config/orderOrganization/example.com/orderers/orderer2.example.com/tls/tlscacerts/* ${PWD}/crypto-config/orderOrganization/example.com/orderers/orderer2.example.com/tls/ca.crt
cp ${PWD}/crypto-config/orderOrganization/example.com/orderers/orderer2.example.com/tls/signcerts/* ${PWD}/crypto-config/orderOrganization/example.com/orderers/orderer2.example.com/tls/server.crt
cp ${PWD}/crypto-config/orderOrganization/example.com/orderers/orderer2.example.com/tls/keystore/* ${PWD}/crypto-config/orderOrganization/example.com/orderers/orderer2.example.com/tls/server.key
cp ${PWD}/crypto-config/orderOrganization/example.com/orderers/orderer3.example.com/tls/tlscacerts/* ${PWD}/crypto-config/orderOrganization/example.com/orderers/orderer3.example.com/tls/ca.crt
cp ${PWD}/crypto-config/orderOrganization/example.com/orderers/orderer3.example.com/tls/signcerts/* ${PWD}/crypto-config/orderOrganization/example.com/orderers/orderer3.example.com/tls/server.crt
cp ${PWD}/crypto-config/orderOrganization/example.com/orderers/orderer3.example.com/tls/keystore/* ${PWD}/crypto-config/orderOrganization/example.com/orderers/orderer3.example.com/tls/server.key
cp ${PWD}/crypto-config/orderOrganization/example.com/orderers/orderer4.example.com/tls/tlscacerts/* ${PWD}/crypto-config/orderOrganization/example.com/orderers/orderer4.example.com/tls/ca.crt
cp ${PWD}/crypto-config/orderOrganization/example.com/orderers/orderer4.example.com/tls/signcerts/* ${PWD}/crypto-config/orderOrganization/example.com/orderers/orderer4.example.com/tls/server.crt
cp ${PWD}/crypto-config/orderOrganization/example.com/orderers/orderer4.example.com/tls/keystore/* ${PWD}/crypto-config/orderOrganization/example.com/orderers/orderer4.example.com/tls/server.key
Then create a tlscacerts folder inside the MSP folder and copy the TLS files into it:
mkdir ${PWD}/crypto-config/orderOrganization/example.com/orderers/orderer1.example.com/msp/tlscacerts
mkdir ${PWD}/crypto-config/orderOrganization/example.com/orderers/orderer2.example.com/msp/tlscacerts
mkdir ${PWD}/crypto-config/orderOrganization/example.com/orderers/orderer3.example.com/msp/tlscacerts
mkdir ${PWD}/crypto-config/orderOrganization/example.com/orderers/orderer4.example.com/msp/tlscacerts
cp ${PWD}/crypto-config/orderOrganization/example.com/orderers/orderer1.example.com/tls/tlscacerts/* ${PWD}/crypto-config/orderOrganization/example.com/orderers/orderer1.example.com/msp/tlscacerts/tlsca.example.com-cert.pem
cp ${PWD}/crypto-config/orderOrganization/example.com/orderers/orderer2.example.com/tls/tlscacerts/* ${PWD}/crypto-config/orderOrganization/example.com/orderers/orderer2.example.com/msp/tlscacerts/tlsca.example.com-cert.pem
cp ${PWD}/crypto-config/orderOrganization/example.com/orderers/orderer3.example.com/tls/tlscacerts/* ${PWD}/crypto-config/orderOrganization/example.com/orderers/orderer3.example.com/msp/tlscacerts/tlsca.example.com-cert.pem
cp ${PWD}/crypto-config/orderOrganization/example.com/orderers/orderer4.example.com/tls/tlscacerts/* ${PWD}/crypto-config/orderOrganization/example.com/orderers/orderer4.example.com/msp/tlscacerts/tlsca.example.com-cert.pem
Copy the TLS root certificate:
mkdir -p ${PWD}/crypto-config/orderOrganization/example.com/msp/tlscacerts
cp ${PWD}/crypto-config/orderOrganization/example.com/orderers/orderer1.example.com/tls/tlscacerts/* ${PWD}/crypto-config/orderOrganization/example.com/msp/tlscacerts/tlsca.example.com-cert.pem
Finally, the certificate files of the Admin node:
# First create the folders, as before
mkdir -p crypto-config/orderOrganization/example.com/users
mkdir -p crypto-config/orderOrganization/example.com/users/[email protected]
# Obtain the certificate files
fabric-ca-client enroll -u https://ordererAdmin:ordererAdminpw@localhost:9054 --caname ca-orderer -M ${PWD}/crypto-config/orderOrganization/example.com/users/[email protected]/msp --tls.certfiles ${PWD}/ca/server/tls-cert.pem
cp ${PWD}/crypto-config/orderOrganization/example.com/msp/config.yaml ${PWD}/crypto-config/orderOrganization/example.com/users/[email protected]/msp/config.yaml
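At this point the Orderer node certificates have all been generated (the number of Orderer nodes can be changed as needed, but it must not be lower than 3). Next comes generating the configuration files for the only peer node in the network:
1.4 Registering the Peer node
As in the steps above, first create a subfolder to store the certificate files: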
mkdir -p crypto-config/peerOrganizations/org1.example.com/
Set the environment variable and log in with the administrator identity:
export FABRIC_CA_CLIENT_HOME=${PWD}/crypto-config/peerOrganizations/org1.example.com/
fabric-ca-client enroll -u https://admin:adminpw@localhost:7054 --caname ca-org1 --tls.certfiles ${PWD}/ca/org1/tls-cert.pem
Generate the node-type classification configuration file:
echo 'NodeOUs:
  Enable: true
  ClientOUIdentifier:
    Certificate: cacerts/localhost-7054-ca-org1.pem
    OrganizationalUnitIdentifier: client
  PeerOUIdentifier:
    Certificate: cacerts/localhost-7054-ca-org1.pem
    OrganizationalUnitIdentifier: peer
  AdminOUIdentifier:
    Certificate: cacerts/localhost-7054-ca-org1.pem
    OrganizationalUnitIdentifier: admin
  OrdererOUIdentifier:
    Certificate: cacerts/localhost-7054-ca-org1.pem
    OrganizationalUnitIdentifier: orderer' > ${PWD}/crypto-config/peerOrganizations/org1.example.com/msp/config.yaml
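Although the network has only one peer node, we need to register three users: peer0, user1 and org1admin. The first is required, the second is used for testing, and the third is the Admin user; installing and instantiating chaincode requires the Admin user's certificate: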
fabric-ca-client register -u https://admin:adminpw@localhost:7054 --caname ca-org1 --id.name peer0 --id.secret peer0pw --id.type peer --id.attrs '"hf.Registrar.Roles=peer"' --tls.certfiles ${PWD}/ca/org1/tls-cert.pem
fabric-ca-client register -u https://admin:adminpw@localhost:7054 --caname ca-org1 --id.name user1 --id.secret user1pw --id.type client --id.attrs '"hf.Registrar.Roles=client"' --tls.certfiles ${PWD}/ca/org1/tls-cert.pem
fabric-ca-client register -u https://admin:adminpw@localhost:7054 --caname ca-org1 --id.name org1admin --id.secret org1adminpw --id.type admin --id.attrs '"hf.Registrar.Roles=admin"' --tls.certfiles ${PWD}/ca/org1/tls-cert.pem
1.5 Obtaining the Peer node certificate files
With the nodes registered, obtain their certificate files.
Create the subfolders:
mkdir -p crypto-config/peerOrganizations/org1.example.com/peers
mkdir -p crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com
Obtain the certificate files:
# MSP files
fabric-ca-client enroll -u https://peer0:peer0pw@localhost:7054 --caname ca-org1 -M ${PWD}/crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp --csr.hosts peer0.org1.example.com --tls.certfiles ${PWD}/ca/org1/tls-cert.pem
# TLS certificate
fabric-ca-client enroll -u https://peer0:peer0pw@localhost:7054 --caname ca-org1 -M ${PWD}/crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls --enrollment.profile tls --csr.hosts peer0.org1.example.com --csr.hosts localhost --tls.certfiles ${PWD}/ca/org1/tls-cert.pem
Copy the node classification configuration file:
cp ${PWD}/crypto-config/peerOrganizations/org1.example.com/msp/config.yaml ${PWD}/crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp/config.yaml
Rename the certificate and key files so they are easier to use later:
cp ${PWD}/crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/tlscacerts/* ${PWD}/crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt
cp ${PWD}/crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/signcerts/* ${PWD}/crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.crt
cp ${PWD}/crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/keystore/* ${PWD}/crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.key
Make a copy of the TLS-related certificates:
mkdir ${PWD}/crypto-config/peerOrganizations/org1.example.com/msp/tlscacerts
cp ${PWD}/crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/tlscacerts/* ${PWD}/crypto-config/peerOrganizations/org1.example.com/msp/tlscacerts/ca.crt
mkdir ${PWD}/crypto-config/peerOrganizations/org1.example.com/tlsca
cp ${PWD}/crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/tlscacerts/* ${PWD}/crypto-config/peerOrganizations/org1.example.com/tlsca/tlsca.org1.example.com-cert.pem
mkdir ${PWD}/crypto-config/peerOrganizations/org1.example.com/ca
cp ${PWD}/crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp/cacerts/* ${PWD}/crypto-config/peerOrganizations/org1.example.com/ca/ca.org1.example.com-cert.pem
Obtain the certificate files of the user and the Admin user:
# Create the subfolders
mkdir -p crypto-config/peerOrganizations/org1.example.com/users
mkdir -p crypto-config/peerOrganizations/org1.example.com/users/[email protected]
mkdir -p crypto-config/peerOrganizations/org1.example.com/users/[email protected]
# Obtain the certificate files
fabric-ca-client enroll -u https://user1:user1pw@localhost:7054 --caname ca-org1 -M ${PWD}/crypto-config/peerOrganizations/org1.example.com/users/[email protected]/msp --tls.certfiles ${PWD}/ca/org1/tls-cert.pem
fabric-ca-client enroll -u https://org1admin:org1adminpw@localhost:7054 --caname ca-org1 -M ${PWD}/crypto-config/peerOrganizations/org1.example.com/users/[email protected]/msp --tls.certfiles ${PWD}/ca/org1/tls-cert.pem
cp ${PWD}/crypto-config/peerOrganizations/org1.example.com/msp/config.yaml ${PWD}/crypto-config/peerOrganizations/org1.example.com/users/[email protected]/msp/config.yaml
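A check for the node folders built in sections 1.3 and 1.5, as an added example that is not part of the original article: the `cp .../keystore/* .../server.key` style commands only work while each source folder holds exactly one file, and a repeated enroll leaves a second key behind, so the renamed copy can go stale. The function names and the dummy sample tree are constructed for illustration.

```python
import filecmp
import re
import tempfile
from pathlib import Path

# Source folder -> renamed copy, as produced by the "cp .../<folder>/* ..." commands.
GLOB_COPIES = {"tlscacerts": "ca.crt", "signcerts": "server.crt", "keystore": "server.key"}


def audit_node(node_dir):
    """Return a list of problems found in one node folder (empty list means OK)."""
    node = Path(node_dir)
    problems = []

    # 1. Each glob source must hold exactly one file, and the renamed copy
    #    must be byte-identical to it (otherwise the copy is stale).
    for sub, target in GLOB_COPIES.items():
        src_dir = node / "tls" / sub
        files = sorted(p for p in src_dir.glob("*") if p.is_file()) if src_dir.is_dir() else []
        copy = node / "tls" / target
        if len(files) != 1:
            problems.append("tls/%s: expected 1 file, found %d" % (sub, len(files)))
        elif not copy.is_file():
            problems.append("tls/%s: missing" % target)
        elif not filecmp.cmp(files[0], copy, shallow=False):
            problems.append("tls/%s: differs from tls/%s/%s" % (target, sub, files[0].name))

    # 2. Every certificate that msp/config.yaml (NodeOUs) points at must exist,
    #    because its file name depends on the CA address and name used to enroll.
    cfg = node / "msp" / "config.yaml"
    if not cfg.is_file():
        problems.append("msp/config.yaml: missing")
    else:
        refs = set(re.findall(r"^\s*Certificate:\s*(\S+)", cfg.read_text(), re.M))
        if not refs:
            problems.append("msp/config.yaml: no Certificate entries")
        for ref in sorted(refs):
            if not (node / "msp" / ref).is_file():
                problems.append("msp/%s: referenced by config.yaml but missing" % ref)
    return problems


def build_demo_node(root):
    """Constructed sample: a folder shaped like an enrolled node, with dummy contents."""
    node = Path(root) / "orderer1.example.com"
    for sub, target in GLOB_COPIES.items():
        src_dir = node / "tls" / sub
        src_dir.mkdir(parents=True)
        (src_dir / (sub + "-demo.pem")).write_text("dummy %s\n" % sub)
        (node / "tls" / target).write_text("dummy %s\n" % sub)
    (node / "msp" / "cacerts").mkdir(parents=True)
    (node / "msp" / "cacerts" / "localhost-9054-ca-orderer.pem").write_text("dummy ca\n")
    (node / "msp" / "config.yaml").write_text(
        "NodeOUs:\n  Enable: true\n  OrdererOUIdentifier:\n"
        "    Certificate: cacerts/localhost-9054-ca-orderer.pem\n"
        "    OrganizationalUnitIdentifier: orderer\n")
    return node


def demo():
    """Audit the sample tree when clean, then after two simulated mistakes."""
    with tempfile.TemporaryDirectory() as root:
        node = build_demo_node(root)
        clean = audit_node(node)
        # Simulate a second TLS enroll (extra key) and a wrong CA file name.
        (node / "tls" / "keystore" / "second_sk").write_text("dummy key 2\n")
        (node / "msp" / "cacerts" / "localhost-9054-ca-orderer.pem").unlink()
        return clean, audit_node(node)


if __name__ == "__main__":
    for label, result in zip(("clean", "after mistakes"), demo()):
        print(label, result)
```

On a real tree, call `audit_node` on each folder under `crypto-config/orderOrganization/example.com/orderers/` and on the peer folder under `crypto-config/peerOrganizations/org1.example.com/peers/`.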
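1.6 Preparation before starting the network
We have now generated all the certificate files we need. The next step is to generate the genesis block used to start the network. Generating the genesis block requires a file, configtx.yaml, copied here directly: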
Organizations:
  - &OrdererOrg
    Name: OrdererOrg
    ID: OrdererMSP
    MSPDir: ./crypto-config/orderOrganization/example.com/msp # this path must match!!!
    Policies:
      Readers:
        Type: Signature
        Rule: "OR('OrdererMSP.member')"
      Writers:
        Type: Signature
        Rule: "OR('OrdererMSP.member')"
      Admins:
        Type: Signature
        Rule: "OR('OrdererMSP.admin')"
  - &Org1 # to add more organizations, append them below following this template
    Name: Org1MSP
    ID: Org1MSP
    MSPDir: ./crypto-config/peerOrganizations/org1.example.com/msp # this path must match!!!
    Policies:
      Readers:
        Type: Signature
        Rule: "OR('Org1MSP.admin', 'Org1MSP.peer', 'Org1MSP.client')"
      Writers:
        Type: Signature
        Rule: "OR('Org1MSP.admin', 'Org1MSP.client')"
      Admins:
        Type: Signature
        Rule: "OR('Org1MSP.admin')"
      Endorsement:
        Type: Signature
        Rule: "OR('Org1MSP.peer')"
    AnchorPeers:
      Port: 7051
Capabilities:
  Channel: &ChannelCapabilities
    V2_0: true
  Orderer: &OrdererCapabilities
    V2_0: true
  Application: &ApplicationCapabilities
    V2_0: true
Application: &ApplicationDefaults
  Organizations:
  Policies:
    Readers:
      Type: ImplicitMeta
      Rule: "ANY Readers"
    Writers:
      Type: ImplicitMeta
      Rule: "ANY Writers"
    Admins:
      Type: ImplicitMeta
      Rule: "MAJORITY Admins"
    LifecycleEndorsement:
      Type: ImplicitMeta
      Rule: "MAJORITY Endorsement"
    Endorsement:
      Type: ImplicitMeta
      Rule: "MAJORITY Endorsement"
  Capabilities:
    <<: *ApplicationCapabilities
Orderer: &OrdererDefaults
  OrdererType: etcdraft
  Addresses:
    - orderer1.example.com:7050
  BatchTimeout: 2s
  BatchSize:
    MaxMessageCount: 10
    AbsoluteMaxBytes: 99 MB
    PreferredMaxBytes: 512 KB
  Organizations:
  Policies:
    Readers:
      Type: ImplicitMeta
      Rule: "ANY Readers"
    Writers:
      Type: ImplicitMeta
      Rule: "ANY Writers"
    Admins:
      Type: ImplicitMeta
      Rule: "MAJORITY Admins"
    BlockValidation:
      Type: ImplicitMeta
      Rule: "ANY Writers"
Channel: &ChannelDefaults
  Policies:
    # Who may invoke the 'Deliver' API
    Readers:
      Type: ImplicitMeta
      Rule: "ANY Readers"
    # Who may invoke the 'Broadcast' API
    Writers:
      Type: ImplicitMeta
      Rule: "ANY Writers"
    # By default, who may modify elements at this config level
    Admins:
      Type: ImplicitMeta
      Rule: "MAJORITY Admins"
  Capabilities:
    <<: *ChannelCapabilities
Profiles:
  TwoOrgsChannel: # used to generate the channel configuration file
    Consortium: SampleConsortium
    <<: *ChannelDefaults
    Application:
      <<: *ApplicationDefaults
      Organizations:
        - *Org1
      Capabilities:
        <<: *ApplicationCapabilities
  SampleMultiNodeEtcdRaft: # used to generate the system channel genesis block
    <<: *ChannelDefaults
    Capabilities:
      <<: *ChannelCapabilities
    Orderer:
      <<: *OrdererDefaults
      OrdererType: etcdraft # use the etcdraft consensus algorithm
      EtcdRaft:
        Consenters:
          - Host: orderer1.example.com
            Port: 7050
            ClientTLSCert: ./crypto-config/orderOrganization/example.com/orderers/orderer1.example.com/tls/server.crt
            ServerTLSCert: ./crypto-config/orderOrganization/example.com/orderers/orderer1.example.com/tls/server.crt
          - Host: orderer2.example.com
            Port: 8050
            ClientTLSCert: ./crypto-config/orderOrganization/example.com/orderers/orderer2.example.com/tls/server.crt
            ServerTLSCert: ./crypto-config/orderOrganization/example.com/orderers/orderer2.example.com/tls/server.crt
          - Host: orderer3.example.com
            Port: 9050
            ClientTLSCert: ./crypto-config/orderOrganization/example.com/orderers/orderer3.example.com/tls/server.crt
            ServerTLSCert: ./crypto-config/orderOrganization/example.com/orderers/orderer3.example.com/tls/server.crt
          - Host: orderer4.example.com
            Port: 10050
            ClientTLSCert: ./crypto-config/orderOrganization/example.com/orderers/orderer4.example.com/tls/server.crt
            ServerTLSCert: ./crypto-config/orderOrganization/example.com/orderers/orderer4.example.com/tls/server.crt
          # - Host: orderer5.example.com
          #   Port: 11050
          #   ClientTLSCert: ./crypto-config/orderOrganization/example.com/orderers/orderer1.example.com/tls/server.crt
          #   ServerTLSCert: ./crypto-config/orderOrganization/example.com/orderers/orderer1.example.com/tls/server.crt
      Addresses:
        - orderer1.example.com:7050
        - orderer2.example.com:8050
        - orderer3.example.com:9050
        - orderer4.example.com:10050
        # - orderer5.example.com:11050
      Organizations:
        - *OrdererOrg
      Capabilities:
        <<: *OrdererCapabilities
    Application:
      <<: *ApplicationDefaults
      Organizations:
        - <<: *OrdererOrg
    Consortiums:
      SampleConsortium:
        Organizations:
          - *Org1
Save this file to the specified location, then generate the genesis block:
export FABRIC_CFG_PATH=$PWD
configtxgen -profile SampleMultiNodeEtcdRaft -channelID byfn-sys-channel -outputBlock ./channel-artifacts/genesis.block
# Generate the channel configuration file
export CHANNEL_NAME=mychannel
configtxgen -profile TwoOrgsChannel -outputCreateChannelTx ./channel-artifacts/mychannel.tx -channelID $CHANNEL_NAME
1.7 Starting the network
First write the Docker files that contain all the nodes. They are pasted here directly, starting with base.yaml:
version: '2'
services:
  orderer-base:
    image: hyperledger/fabric-orderer:2.0.0-beta
    environment:
      - FABRIC_LOGGING_SPEC=INFO
      # - FABRIC_LOGGING_SPEC=DEBUG
      - ORDERER_GENERAL_LISTENADDRESS=0.0.0.0
      - ORDERER_GENERAL_BOOTSTRAPMETHOD=file
      - ORDERER_GENERAL_BOOTSTRAPFILE=/var/hyperledger/orderer/orderer.genesis.block
      - ORDERER_GENERAL_LOCALMSPID=OrdererMSP
      - ORDERER_GENERAL_LOCALMSPDIR=/var/hyperledger/orderer/msp
      # enabled TLS
      - ORDERER_GENERAL_TLS_ENABLED=true
      - ORDERER_GENERAL_TLS_PRIVATEKEY=/var/hyperledger/orderer/tls/server.key
      - ORDERER_GENERAL_TLS_CERTIFICATE=/var/hyperledger/orderer/tls/server.crt
      - ORDERER_GENERAL_TLS_ROOTCAS=[/var/hyperledger/orderer/tls/ca.crt]
      - ORDERER_GENERAL_CLUSTER_CLIENTCERTIFICATE=/var/hyperledger/orderer/tls/server.crt
      - ORDERER_GENERAL_CLUSTER_CLIENTPRIVATEKEY=/var/hyperledger/orderer/tls/server.key
      - ORDERER_GENERAL_CLUSTER_ROOTCAS=[/var/hyperledger/orderer/tls/ca.crt]
    working_dir: /opt/gopath/src/github.com/hyperledger/fabric
    command: orderer
Then the Docker file for the Orderer nodes, docker-compose-orderers.yaml:
# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#
version: '2'
volumes:
  orderer1.example.com:
  orderer2.example.com:
  orderer3.example.com:
  orderer4.example.com:
networks:
  byfn:
services:
  orderer1.example.com:
    extends:
      file: base.yaml
      service: orderer-base
    environment:
      - ORDERER_GENERAL_LISTENPORT=7050
    container_name: orderer1.example.com
    networks:
      - byfn
    volumes:
      - ../channel-artifacts/genesis.block:/var/hyperledger/orderer/orderer.genesis.block
      - ../crypto-config/orderOrganization/example.com/orderers/orderer1.example.com/msp:/var/hyperledger/orderer/msp
      - ../crypto-config/orderOrganization/example.com/orderers/orderer1.example.com/tls/:/var/hyperledger/orderer/tls
      - ../store/o1:/var/hyperledger/production/orderer
    ports:
      - 7050:7050
  orderer2.example.com:
    extends:
      file: base.yaml
      service: orderer-base
    environment:
      - ORDERER_GENERAL_LISTENPORT=8050
    container_name: orderer2.example.com
    networks:
      - byfn
    volumes:
      - ../channel-artifacts/genesis.block:/var/hyperledger/orderer/orderer.genesis.block
      - ../crypto-config/orderOrganization/example.com/orderers/orderer2.example.com/msp:/var/hyperledger/orderer/msp
      - ../crypto-config/orderOrganization/example.com/orderers/orderer2.example.com/tls/:/var/hyperledger/orderer/tls
      - ../store/o2:/var/hyperledger/production/orderer
    ports:
      - 8050:8050
  orderer3.example.com:
    extends:
      file: base.yaml
      service: orderer-base
    environment:
      - ORDERER_GENERAL_LISTENPORT=9050
    container_name: orderer3.example.com
    networks:
      - byfn
    volumes:
      - ../channel-artifacts/genesis.block:/var/hyperledger/orderer/orderer.genesis.block
      - ../crypto-config/orderOrganization/example.com/orderers/orderer3.example.com/msp:/var/hyperledger/orderer/msp
      - ../crypto-config/orderOrganization/example.com/orderers/orderer3.example.com/tls/:/var/hyperledger/orderer/tls
      - ../store/o3:/var/hyperledger/production/orderer
    ports:
      - 9050:9050
  orderer4.example.com:
    extends:
      file: base.yaml
      service: orderer-base
    environment:
      - ORDERER_GENERAL_LISTENPORT=10050
    container_name: orderer4.example.com
    networks:
      - byfn
    volumes:
      - ../channel-artifacts/genesis.block:/var/hyperledger/orderer/orderer.genesis.block
      - ../crypto-config/orderOrganization/example.com/orderers/orderer4.example.com/msp:/var/hyperledger/orderer/msp
      - ../crypto-config/orderOrganization/example.com/orderers/orderer4.example.com/tls/:/var/hyperledger/orderer/tls
      - ../store/o4:/var/hyperledger/production/orderer
    ports:
      - 10050:10050
The last one is the Docker file for the peer node, docker-compose-peer.yaml:
version: '2'
volumes:
  peer0.org1.example.com:
networks:
  byfn:
services:
  peer0.org1.example.com:
    container_name: peer0.org1.example.com
    image: hyperledger/fabric-peer:2.0.0-beta
    environment:
      # Generic peer variables
      - CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
      # the following setting starts chaincode containers on the same
      # bridge network as the peers
      # https://docs.docker.com/compose/networking/
      - CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE=${COMPOSE_PROJECT_NAME}_byfn
      - FABRIC_LOGGING_SPEC=INFO
      #- FABRIC_LOGGING_SPEC=DEBUG
      - CORE_PEER_TLS_ENABLED=true
      - CORE_PEER_GOSSIP_USELEADERELECTION=true
      - CORE_PEER_GOSSIP_ORGLEADER=false
      - CORE_PEER_PROFILE_ENABLED=true
      - CORE_PEER_TLS_CERT_FILE=/etc/hyperledger/fabric/tls/server.crt
      - CORE_PEER_TLS_KEY_FILE=/etc/hyperledger/fabric/tls/server.key
      - CORE_PEER_TLS_ROOTCERT_FILE=/etc/hyperledger/fabric/tls/ca.crt
      # Peer specific variables
      - CORE_PEER_ID=peer0.org1.example.com
      - CORE_PEER_ADDRESS=peer0.org1.example.com:7051
      - CORE_PEER_LISTENADDRESS=0.0.0.0:7051
      - CORE_PEER_CHAINCODEADDRESS=peer0.org1.example.com:7052
      - CORE_PEER_CHAINCODELISTENADDRESS=0.0.0.0:7052
      - CORE_PEER_GOSSIP_BOOTSTRAP=peer0.org1.example.com:7051
      - CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer0.org1.example.com:7051
      - CORE_PEER_LOCALMSPID=Org1MSP
      - CORE_LEDGER_STATE_STATEDATABASE=CouchDB
      - CORE_LEDGER_STATE_COUCHDBCONFIG_COUCHDBADDRESS=couchdb0:5984
      # The CORE_LEDGER_STATE_COUCHDBCONFIG_USERNAME and CORE_LEDGER_STATE_COUCHDBCONFIG_PASSWORD
      # provide the credentials for ledger to connect to CouchDB. The username and password must
      # match the username and password set for the associated CouchDB.
      - CORE_LEDGER_STATE_COUCHDBCONFIG_USERNAME=
      - CORE_LEDGER_STATE_COUCHDBCONFIG_PASSWORD=
    volumes:
      - /var/run/:/host/var/run/
      - ../crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp:/etc/hyperledger/fabric/msp
      - ../crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls:/etc/hyperledger/fabric/tls
      - ../store/p1:/var/hyperledger/production
    working_dir: /opt/gopath/src/github.com/hyperledger/fabric/peer
    command: peer node start
    depends_on:
      - couchdb0
    ports:
      - 7051:7051
    networks:
      - byfn
  couchdb0:
    container_name: couchdb0
    image: couchdb:2.3
    # Populate the COUCHDB_USER and COUCHDB_PASSWORD to set an admin user and password
    # for CouchDB. This will prevent CouchDB from operating in an "Admin Party" mode.
    environment:
      - COUCHDB_USER=
      - COUCHDB_PASSWORD=
    # Comment/Uncomment the port mapping if you want to hide/expose the CouchDB service,
    # for example map it to utilize Fauxton User Interface in dev environments.
    ports:
      - "5984:5984"
    networks:
      - byfn
  cli:
    container_name: cli
    image: hyperledger/fabric-tools:2.0.0-beta
    tty: true
    stdin_open: true
    environment:
      - GOPATH=/opt/gopath
      - CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
      # - FABRIC_LOGGING_SPEC=DEBUG
      - FABRIC_LOGGING_SPEC=INFO
      - CORE_PEER_ID=peer0.org1.example.com
      - CORE_PEER_ADDRESS=peer0.org1.example.com:7051
      - CORE_PEER_LOCALMSPID=Org1MSP
      - CORE_PEER_TLS_ENABLED=true
      - CORE_PEER_TLS_CERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.crt
      - CORE_PEER_TLS_KEY_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.key
      - CORE_PEER_TLS_ROOTCERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt
      - CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/users/[email protected]/msp
    working_dir: /opt/gopath/src/github.com/hyperledger/fabric/peer
    command: /bin/bash
    volumes:
      - /var/run/:/host/var/run/
      - ./../../chaincode/:/opt/gopath/src/github.com/hyperledger/fabric-samples/chaincode
      - ../crypto-config:/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/
      - ../channel-artifacts:/opt/gopath/src/github.com/hyperledger/fabric/peer/channel-artifacts
    depends_on:
      - peer0.org1.example.com
    networks:
      - byfn
After saving the files above to their designated locations, start the network with the following command:
docker-compose -f docker/docker-compose-orderers.yaml -f docker/docker-compose-peer.yaml up -d
Once startup completes, check each node's logs to confirm that it is running:
docker logs orderer1.example.com
...
docker logs peer0.org1.example.com
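If there are no errors, you can move on to Part 2. If errors appear, go back and check whether a step was missed.
1.8 A simple test
First test Part 1 by checking that creating a channel and joining it both succeed:
# Enter the CLI container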
docker exec -it cli bash
# Set the environment variables
export CHANNEL_NAME=mychannel
export ORDERER_CA=${PWD}/crypto/orderOrganization/example.com/orderers/orderer1.example.com/msp/tlscacerts/tlsca.example.com-cert.pem
export PEER0_ORG1_CA=${PWD}/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt
export CORE_PEER_LOCALMSPID="Org1MSP"
export CORE_PEER_TLS_ROOTCERT_FILE=$PEER0_ORG1_CA
export CORE_PEER_MSPCONFIGPATH=${PWD}/crypto/peerOrganizations/org1.example.com/users/[email protected]/msp
export CORE_PEER_ADDRESS=peer0.org1.example.com:7051
Create the channel:
peer channel create -o orderer1.example.com:7050 -c $CHANNEL_NAME -f ./channel-artifacts/mychannel.tx --tls $CORE_PEER_TLS_ENABLED --cafile $ORDERER_CA --outputBlock ./channel-artifacts/${CHANNEL_NAME}.block
Join the channel:
peer channel join -b ./channel-artifacts/$CHANNEL_NAME.block
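If everything went well, the network is now up. Chaincode is not tested here.
Move straight on to Part 2: dynamically adding an Orderer node.
2 Dynamically adding a Raft node
The main steps are:
- Generate certificates for the new node
- Fetch the network's current configuration
- Add the certificate to the configuration
- Update the configuration
- Start the new Orderer node
2.1 Generate the certificates
2.1.1 Register the node's identity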
fabric-ca-client register -u https://admin:adminpw@localhost:9054 --caname ca-orderer --id.name orderer5 --id.secret ordererpw --id.type orderer --id.attrs '"hf.Registrar.Roles=orderer"' --tls.certfiles ${PWD}/ca/server/tls-cert.pem
Create the directory that will hold the node's certificates:
mkdir -p crypto-config/orderOrganization/example.com/orderers/orderer5.example.com
2.1.2 Enroll to obtain the node's certificates
#MSP
fabric-ca-client enroll -u https://orderer5:ordererpw@localhost:9054 --caname ca-orderer -M ${PWD}/crypto-config/orderOrganization/example.com/orderers/orderer5.example.com/msp --csr.hosts orderer5.example.com --tls.certfiles ${PWD}/ca/server/tls-cert.pem
#TLS
fabric-ca-client enroll -u https://orderer5:ordererpw@localhost:9054 --caname ca-orderer -M ${PWD}/crypto-config/orderOrganization/example.com/orderers/orderer5.example.com/tls --enrollment.profile tls --csr.hosts orderer5.example.com --tls.certfiles ${PWD}/ca/server/tls-cert.pem
Copy the node-classification configuration file (config.yaml):
cp ${PWD}/crypto-config/orderOrganization/example.com/msp/config.yaml ${PWD}/crypto-config/orderOrganization/example.com/orderers/orderer5.example.com/msp/config.yaml
Give the certificate and key files fixed names:
cp ${PWD}/crypto-config/orderOrganization/example.com/orderers/orderer5.example.com/tls/tlscacerts/* ${PWD}/crypto-config/orderOrganization/example.com/orderers/orderer5.example.com/tls/ca.crt
cp ${PWD}/crypto-config/orderOrganization/example.com/orderers/orderer5.example.com/tls/signcerts/* ${PWD}/crypto-config/orderOrganization/example.com/orderers/orderer5.example.com/tls/server.crt
cp ${PWD}/crypto-config/orderOrganization/example.com/orderers/orderer5.example.com/tls/keystore/* ${PWD}/crypto-config/orderOrganization/example.com/orderers/orderer5.example.com/tls/server.key
Create the directory and copy the TLS certificate file:
mkdir ${PWD}/crypto-config/orderOrganization/example.com/orderers/orderer5.example.com/msp/tlscacerts
cp ${PWD}/crypto-config/orderOrganization/example.com/orderers/orderer5.example.com/tls/tlscacerts/* ${PWD}/crypto-config/orderOrganization/example.com/orderers/orderer5.example.com/msp/tlscacerts/tlsca.example.com-cert.pem
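2.2 Fetch the network configuration
To add the node to the network, it must first be added to the system channel, so start by fetching the system channel's configuration.
Enter the cli container: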
docker exec -it cli bash
Set the environment variables. The Orderer organization's identity is required here:
export CORE_PEER_LOCALMSPID="OrdererMSP"
export ORDERER_CA=${PWD}/crypto/orderOrganization/example.com/orderers/orderer1.example.com/msp/tlscacerts/tlsca.example.com-cert.pem
export CORE_PEER_TLS_ROOTCERT_FILE=${PWD}/crypto/orderOrganization/example.com/orderers/orderer1.example.com/msp/tlscacerts/tlsca.example.com-cert.pem
export CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/orderOrganization/example.com/users/[email protected]/msp
export CORE_PEER_ADDRESS=peer0.org1.example.com:7051
Fetch the system channel configuration:
peer channel fetch config channel-artifacts/config_block.pb -o orderer1.example.com:7050 -c byfn-sys-channel --tls --cafile $ORDERER_CA
Decode the configuration:
configtxlator proto_decode --input channel-artifacts/config_block.pb --type common.Block | jq .data.data[0].payload.data.config > channel-artifacts/config.json
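2.3 Add the certificate to the configuration
Exit the container. The config.json file is in the channel-artifacts directory. Make a copy of it, saved as update_config.json in the same channel-artifacts directory, open the copy in an editor, and search for .example.com. The matches fall into two parts.
Part one: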
{
  "client_tls_cert": "a long string",
  "host": "orderer1.example.com",
  "port": 7050,
  "server_tls_cert": "a long string"
}
And the second part of the matches:
"OrdererAddresses": {
  "mod_policy": "/Channel/Orderer/Admins",
  "value": {
    "addresses": [
      "orderer1.example.com:7050",
      "orderer2.example.com:8050",
      "orderer3.example.com:9050",
      "orderer4.example.com:10050"
    ]
  },
  "version": "0"
}
In part one, add the certificate of the newly generated node. The certificate file is located at:
crypto-config/orderOrganization/example.com/orderers/orderer5.example.com/tls/server.crt
Encode it with Base64:
cat crypto-config/orderOrganization/example.com/orderers/orderer5.example.com/tls/server.crt | base64 > cert.txt
In update_config.json, add another block below part one in the same format and edit it: copy the contents of cert.txt into both client_tls_cert and server_tls_cert, set host to orderer5.example.com, and set port to 11050.
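A scripted version of the manual edit in 2.3, as an added example that is not part of the original post: it appends the orderer5 consenter to the decoded config and then diffs the consenter lists, so whoever signs the update can confirm it adds exactly one node. The JSON path to the consenter list, the function names, and the sample certificate and config are assumptions constructed for illustration.

```python
import base64
import copy
# Assumed location of the Raft consenter list in the decoded config JSON.
CONSENTERS_PATH = ("channel_group", "groups", "Orderer", "values",
                   "ConsensusType", "value", "metadata", "consenters")

def consenters(config):
    node = config
    for key in CONSENTERS_PATH:
        node = node[key]
    return node

def encode_pem(pem):
    """Base64 of the whole PEM file on one line, as the config JSON stores it."""
    if b"-----BEGIN CERTIFICATE-----" not in pem:
        raise ValueError("input is not a PEM certificate")
    return base64.b64encode(pem).decode("ascii")

def add_consenter(config, pem, host, port):
    """Return a copy of config with one more consenter; config is not modified."""
    updated = copy.deepcopy(config)
    if any(c["host"] == host and c["port"] == port for c in consenters(updated)):
        raise ValueError(f"{host}:{port} is already a consenter")
    cert = encode_pem(pem)
    consenters(updated).append({"client_tls_cert": cert, "host": host,
                                "port": port, "server_tls_cert": cert})
    return updated

def consenter_diff(original, updated):
    """Return (added, removed) as sorted (host, port, client_cert, server_cert)."""
    def as_set(cfg):
        return {(c["host"], c["port"], c["client_tls_cert"], c["server_tls_cert"])
                for c in consenters(cfg)}
    old, new = as_set(original), as_set(updated)
    return sorted(new - old), sorted(old - new)

# Constructed sample data: placeholder certificate text and a two-node config.
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
OLD_CERT = encode_pem(b"-----BEGIN CERTIFICATE-----\nT0xE\n-----END CERTIFICATE-----\n")
SAMPLE_CONFIG = {"channel_group": {"groups": {"Orderer": {"values": {"ConsensusType": {
    "value": {"metadata": {"consenters": [
        {"client_tls_cert": OLD_CERT, "host": "orderer1.example.com",
         "port": 7050, "server_tls_cert": OLD_CERT},
        {"client_tls_cert": OLD_CERT, "host": "orderer2.example.com",
         "port": 8050, "server_tls_cert": OLD_CERT}]}}}}}}}}

if __name__ == "__main__":
    new = add_consenter(SAMPLE_CONFIG, SAMPLE_PEM, "orderer5.example.com", 11050)
    print(consenter_diff(SAMPLE_CONFIG, new))
```

Fabric's Raft reconfiguration supports adding or removing only one node at a time, so a diff that shows more than one added or removed consenter is a reason to stop before `peer channel signconfigtx`. `base64.b64encode` emits no line breaks, whereas GNU `base64` wraps its output at 76 columns unless run with `-w 0`.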
2.4 Update the configuration
Next, enter the cli container:
docker exec -it cli bash
Encode both the original configuration and the updated configuration:
configtxlator proto_encode --input channel-artifacts/config.json --type common.Config > channel-artifacts/config.pb
configtxlator proto_encode --input channel-artifacts/update_config.json --type common.Config > channel-artifacts/config_update.pb
Compute the difference between the two files:
configtxlator compute_update --channel_id byfn-sys-channel --original channel-artifacts/config.pb --updated channel-artifacts/config_update.pb > channel-artifacts/updated.pb
Decode that file and add the header needed for a configuration update:
configtxlator proto_decode --input channel-artifacts/updated.pb --type common.ConfigUpdate > channel-artifacts/updated.json
echo '{"payload":{"header":{"channel_header":{"channel_id":"byfn-sys-channel", "type":2}},"data":{"config_update":'$(cat channel-artifacts/updated.json)'}}}' | jq . > channel-artifacts/updated_envelope.json
Encode it as an Envelope:
configtxlator proto_encode --input channel-artifacts/updated_envelope.json --type common.Envelope > channel-artifacts/updated_envelope.pb
Sign the file so that it can be used to update the configuration:
peer channel signconfigtx -f channel-artifacts/updated_envelope.pb
Submit the channel configuration update transaction:
peer channel update -f channel-artifacts/updated_envelope.pb -c byfn-sys-channel -o orderer1.example.com:7050 --tls true --cafile $ORDERER_CA
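If there are no errors, the new Orderer node's certificate has been added to the network configuration, and the new node can now be started:
2.5 Start the new Orderer node
Write the Docker Compose file for the new Orderer node, docker-compose-addOrderer5.yaml: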
version: '2'

volumes:
  orderer5.example.com:

networks:
  byfn:

services:
  orderer5.example.com:
    extends:
      file: base.yaml
      service: orderer-base
    environment:
      - ORDERER_GENERAL_LISTENPORT=11050
    container_name: orderer5.example.com
    networks:
      - byfn
    volumes:
      - ../channel-artifacts/genesis.block:/var/hyperledger/orderer/orderer.genesis.block
      - ../crypto-config/orderOrganization/example.com/orderers/orderer5.example.com/msp:/var/hyperledger/orderer/msp
      - ../crypto-config/orderOrganization/example.com/orderers/orderer5.example.com/tls/:/var/hyperledger/orderer/tls
      - ../store/o5:/var/hyperledger/production/orderer
    ports:
      - 11050:11050
Start it directly with:
docker-compose -f docker/docker-compose-addOrderer5.yaml up -d
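Check the new node's logs to confirm that it has joined the network.
At this point the new Orderer node has been added to the network, but only to the system channel. It has not been added to the application channel mychannel. Adding it to mychannel follows the same steps, with the channel name changed from the system channel to mychannel, so it is not covered again here.
Dynamically removing a node is similar to adding one, except that the node's certificate is deleted from the configuration.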