  • HyperLedger Fabric 1.4: Dynamically Adding Organizations and Nodes in a Production Environment

    1.1 Overview

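          Building on the environment set up in the two articles "Kafka production environment deployment" and "Using a CA to generate MSP and TLS in a production environment", this article implements dynamic addition of an organization and its nodes.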

    Video tutorial: https://study.163.com/course/introduction/1210196297.htm
    1.2 Network topology

          

     


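    1.3 New organization configuration
    1.3.1 Generate the new organization's certificates
          Switch to server 192.168.235.6 to start the CA services and generate the certificates.
    1. Start the CA services
    1) Start IntermediaCA4
    ① Initialize the CA service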

    # fabric-ca-server init -b admin4:adminpw4 -u http://admin:adminpw@localhost:7054 --home ./intermediaca4
    # vi ./intermediaca4/fabric-ca-server-config.yaml
    Change:
    version: 1.4.0
    port: 7058

    ② Start the CA service

    [Start from the command line]
    # fabric-ca-server start -b admin4:adminpw4 -u http://admin:adminpw@localhost:7054 --home ./intermediaca4 --cfg.affiliations.allowremove --cfg.identities.allowremove
    [Start with docker]
    Copy the file docker-intermediaca4.yml to the ca-server directory
    # docker-compose -f docker-intermediaca4.yaml up -d


    2) Start IntermediaCAtls4
    1) Initialize the CA service

    # fabric-ca-server init -b admin4:adminpw4 -u http://admin:adminpw@localhost:7054 --home ./intermediacatls4
    # vi ./intermediacatls4/fabric-ca-server-config.yaml
    Change:
    version: 1.4.0
    port: 8058

    2) Start the CA service

    [Start from the command line]
    # fabric-ca-server start -b admin4:adminpw4 -u http://admin:adminpw@localhost:7054 --home ./intermediacatls4 --cfg.affiliations.allowremove --cfg.identities.allowremove
    [Start with docker]
    Copy the file docker-intermediaca4.yml to the ca-server directory
    # docker-compose -f docker-intermediacatls4.yaml up -d

    2. Generate certificates with IntermediaCA4

    1) Generate the MSP for org3.example.com
    ① Enroll org3.example.com

    # fabric-ca-client enroll --csr.cn=org3.example.com --csr.hosts=['org3.example.com'] -M ./crypto-config/peerOrganizations/org3.example.com/msp -u http://admin4:adminpw4@localhost:7058 --home ./fabric-ca-client
    # vi ./fabric-ca-client/crypto-config/peerOrganizations/org3.example.com/msp/config.yaml
    Enter:
    NodeOUs:
      Enable: true
      ClientOUIdentifier:
        Certificate: intermediatecerts/localhost-7058.pem
        OrganizationalUnitIdentifier: client
      PeerOUIdentifier:
        Certificate: intermediatecerts/localhost-7058.pem
        OrganizationalUnitIdentifier: peer

    ② Add affiliations

    # fabric-ca-client affiliation list -M ./crypto-config/peerOrganizations/org3.example.com/msp -u http://admin4:adminpw4@localhost:7058 --home ./fabric-ca-client
    # fabric-ca-client affiliation remove --force org1 -M ./crypto-config/peerOrganizations/org3.example.com/msp -u http://admin4:adminpw4@localhost:7058 --home ./fabric-ca-client
    # fabric-ca-client affiliation remove --force org3 -M ./crypto-config/peerOrganizations/org3.example.com/msp -u http://admin4:adminpw4@localhost:7058 --home ./fabric-ca-client
    # fabric-ca-client affiliation add com -M ./crypto-config/peerOrganizations/org3.example.com/msp -u http://admin4:adminpw4@localhost:7058 --home ./fabric-ca-client
    # fabric-ca-client affiliation add com.example -M ./crypto-config/peerOrganizations/org3.example.com/msp -u http://admin4:adminpw4@localhost:7058 --home ./fabric-ca-client
    # fabric-ca-client affiliation add com.example.org3 -M ./crypto-config/peerOrganizations/org3.example.com/msp -u http://admin4:adminpw4@localhost:7058 --home ./fabric-ca-client

    2) Generate the MSP for Admin@example.com
    1) Register Admin@example.com

    # fabric-ca-client register --id.name Admin@org3.example.com --id.type client --id.affiliation "com.example.org3" --id.attrs '"hf.Registrar.Roles=client,orderer,peer,user","hf.Registrar.DelegateRoles=client,orderer,peer,user",hf.Registrar.Attributes=*,hf.GenCRL=true,hf.Revoker=true,hf.AffiliationMgr=true,hf.IntermediateCA=true,role=admin:ecert' --id.secret=123456 --csr.cn=org3.example.com --csr.hosts=['org3.example.com'] -M ./crypto-config/peerOrganizations/org3.example.com/msp -u http://admin4:adminpw4@localhost:7058 --home ./fabric-ca-client

    2) Enroll Admin@example.com

    # fabric-ca-client enroll -u http://Admin@org3.example.com:123456@localhost:7058 --csr.cn=org3.example.com --csr.hosts=['org3.example.com'] -M ./crypto-config/peerOrganizations/org3.example.com/users/Admin@org3.example.com/msp --home ./fabric-ca-client

    3) Generate the MSP

    # mkdir ./fabric-ca-client/crypto-config/peerOrganizations/org3.example.com/users/Admin@org3.example.com/msp/admincerts
    # cp ./fabric-ca-client/crypto-config/peerOrganizations/org3.example.com/users/Admin@org3.example.com/msp/signcerts/cert.pem ./fabric-ca-client/crypto-config/peerOrganizations/org3.example.com/users/Admin@org3.example.com/msp/admincerts
    # mkdir ./fabric-ca-client/crypto-config/peerOrganizations/org3.example.com/msp/admincerts
    # cp ./fabric-ca-client/crypto-config/peerOrganizations/org3.example.com/users/Admin@org3.example.com/msp/signcerts/cert.pem ./fabric-ca-client/crypto-config/peerOrganizations/org3.example.com/msp/admincerts

    3) Generate the MSP for peer0.org3.example.com
    1) Register peer0.org3.example.com

    # fabric-ca-client register --id.name peer0.org3.example.com --id.type peer --id.affiliation "com.example.org3" --id.attrs '"role=peer",ecert=true' --id.secret=123456 --csr.cn=peer0.org3.example.com --csr.hosts=['peer0.org3.example.com'] -M ./crypto-config/peerOrganizations/org3.example.com/msp -u http://admin4:adminpw4@localhost:7058 --home ./fabric-ca-client

    2) Enroll peer0.org3.example.com

    # fabric-ca-client enroll -u http://peer0.org3.example.com:123456@localhost:7058 --csr.cn=peer0.org3.example.com --csr.hosts=['peer0.org3.example.com'] -M ./crypto-config/peerOrganizations/org3.example.com/peers/peer0.org3.example.com/msp --home ./fabric-ca-client

    3) Generate the MSP

    # mkdir ./fabric-ca-client/crypto-config/peerOrganizations/org3.example.com/peers/peer0.org3.example.com/msp/admincerts
    # cp ./fabric-ca-client/crypto-config/peerOrganizations/org3.example.com/users/Admin@org3.example.com/msp/signcerts/cert.pem ./fabric-ca-client/crypto-config/peerOrganizations/org3.example.com/peers/peer0.org3.example.com/msp/admincerts

    3. Generate certificates with IntermediaCAtls4
    1) Generate the TLS material for org3.example.com
    ① Enroll org3.example.com

    # fabric-ca-client enroll --csr.cn=org3.example.com --csr.hosts=['org3.example.com'] -M ./crypto-config/peerOrganizations/org3.example.com/tlstmp -u http://admin4:adminpw4@localhost:8057 --home ./fabric-ca-client

    ② Add affiliations

    # fabric-ca-client affiliation list -M ./crypto-config/peerOrganizations/org3.example.com/tlstmp -u http://admin4:adminpw4@localhost:8057 --home ./fabric-ca-client
    # fabric-ca-client affiliation remove --force org1 -M ./crypto-config/peerOrganizations/org3.example.com/tlstmp -u http://admin4:adminpw4@localhost:8057 --home ./fabric-ca-client
    # fabric-ca-client affiliation remove --force org3 -M ./crypto-config/peerOrganizations/org3.example.com/tlstmp -u http://admin4:adminpw4@localhost:8057 --home ./fabric-ca-client
    # fabric-ca-client affiliation add com -M ./crypto-config/peerOrganizations/org3.example.com/tlstmp -u http://admin4:adminpw4@localhost:8057 --home ./fabric-ca-client
    # fabric-ca-client affiliation add com.example -M ./crypto-config/peerOrganizations/org3.example.com/tlstmp -u http://admin4:adminpw4@localhost:8057 --home ./fabric-ca-client
    # fabric-ca-client affiliation add com.example.org3 -M ./crypto-config/peerOrganizations/org3.example.com/tlstmp -u http://admin4:adminpw4@localhost:8057 --home ./fabric-ca-client

    2) Generate the TLS material for Admin@example.com
    1) Register Admin@example.com

    # fabric-ca-client register --id.name Admin@org3.example.com --id.type client --id.affiliation "com.example.org3" --id.attrs '"hf.Registrar.Roles=client,orderer,peer,user","hf.Registrar.DelegateRoles=client,orderer,peer,user",hf.Registrar.Attributes=*,hf.GenCRL=true,hf.Revoker=true,hf.AffiliationMgr=true,hf.IntermediateCA=true,role=admin:ecert' --id.secret=123456 --csr.cn=org3.example.com --csr.hosts=['org3.example.com'] -M ./crypto-config/peerOrganizations/org3.example.com/tlstmp -u http://admin4:adminpw4@localhost:8057 --home ./fabric-ca-client

    2) Enroll Admin@example.com

    # fabric-ca-client enroll -d --enrollment.profile tls -u http://Admin@org3.example.com:123456@localhost:8057 --csr.cn=org3.example.com --csr.hosts=['org3.example.com'] -M ./crypto-config/peerOrganizations/org3.example.com/users/Admin@org3.example.com/tlstmp --home ./fabric-ca-client

    3) Generate the TLS material

    # mkdir ./fabric-ca-client/crypto-config/peerOrganizations/org3.example.com/users/Admin@org3.example.com/tls
    # cp ./intermediacatls4/ca-chain.pem ./fabric-ca-client/crypto-config/peerOrganizations/org3.example.com/users/Admin@org3.example.com/tls/ca.crt
    # cp ./fabric-ca-client/crypto-config/peerOrganizations/org3.example.com/users/Admin@org3.example.com/tlstmp/signcerts/cert.pem ./fabric-ca-client/crypto-config/peerOrganizations/org3.example.com/users/Admin@org3.example.com/tls/client.crt
    # cp ./fabric-ca-client/crypto-config/peerOrganizations/org3.example.com/users/Admin@org3.example.com/tlstmp/keystore/xxxxxxx_sk ./fabric-ca-client/crypto-config/peerOrganizations/org3.example.com/users/Admin@org3.example.com/tls/client.key
    # rm -rf ./fabric-ca-client/crypto-config/peerOrganizations/org3.example.com/users/Admin@org3.example.com/tlstmp
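
    The Admin@org3.example.com registration is issued twice above (on the MSP CA and on the TLS CA) with the same broad --id.attrs list and the secret 123456. The following is an added example, not part of the original article: a Python check that parses an --id.attrs value and lists the CA-delegating attributes it grants. The function names, the set of attributes treated as sensitive and the 16-character minimum are assumptions of this example.

```python
import csv

# hf.* attributes that delegate CA authority. Flagging them for review is
# this example's policy choice, not a rule enforced by Fabric CA.
SENSITIVE = {
    "hf.IntermediateCA": "can enroll as an intermediate CA",
    "hf.AffiliationMgr": "can add and remove affiliations",
    "hf.Revoker": "can revoke certificates",
    "hf.GenCRL": "can generate CRLs",
}

def parse_attrs(spec):
    """Parse an --id.attrs value into {name: (value, in_ecert)}."""
    attrs = {}
    for field in next(csv.reader([spec])):  # honours the "quoted,list" entries
        name, _, value = field.strip().partition("=")
        in_ecert = value.endswith(":ecert")
        attrs[name] = (value[:-len(":ecert")] if in_ecert else value, in_ecert)
    return attrs

def audit(spec, secret, min_secret_len=16):
    """Return least-privilege findings for one `fabric-ca-client register` call."""
    attrs = parse_attrs(spec)
    findings = [f"{name}=true: {why}" for name, why in SENSITIVE.items()
                if attrs.get(name, ("", False))[0].lower() == "true"]
    if attrs.get("hf.Registrar.Attributes", ("", False))[0] == "*":
        findings.append("hf.Registrar.Attributes=*: no limit on attribute names it can assign")
    if len(secret) < min_secret_len:
        findings.append(f"--id.secret shorter than {min_secret_len} characters")
    return findings

# The two --id.attrs values used in the register commands on this page.
ADMIN_ATTRS = ('"hf.Registrar.Roles=client,orderer,peer,user",'
               '"hf.Registrar.DelegateRoles=client,orderer,peer,user",'
               'hf.Registrar.Attributes=*,hf.GenCRL=true,hf.Revoker=true,'
               'hf.AffiliationMgr=true,hf.IntermediateCA=true,role=admin:ecert')
PEER_ATTRS = '"role=peer",ecert=true'

if __name__ == "__main__":
    for label, spec in (("Admin@org3.example.com", ADMIN_ATTRS),
                        ("peer0.org3.example.com", PEER_ATTRS)):
        print(label)
        for finding in audit(spec, "123456"):
            print("  -", finding)
```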

    3) Generate the TLS material for peer0.org3.example.com
    1) Register peer0.org3.example.com

    # fabric-ca-client register --id.name peer0.org3.example.com --id.type peer --id.affiliation "com.example.org3" --id.attrs '"role=peer",ecert=true' --id.secret=123456 --csr.cn=peer0.org3.example.com --csr.hosts=['peer0.org3.example.com'] -M ./crypto-config/peerOrganizations/org3.example.com/tlstmp -u http://admin4:adminpw4@localhost:8057 --home ./fabric-ca-client

    2) Enroll peer0.org3.example.com

    # fabric-ca-client enroll -d --enrollment.profile tls -u http://peer0.org3.example.com:123456@localhost:8057 --csr.cn=peer0.org3.example.com --csr.hosts=['peer0.org3.example.com'] -M ./crypto-config/peerOrganizations/org3.example.com/peers/peer0.org3.example.com/tlstmp --home ./fabric-ca-client

    3) Generate the TLS material

    # mkdir ./fabric-ca-client/crypto-config/peerOrganizations/org3.example.com/peers/peer0.org3.example.com/tls
    # cp ./intermediacatls4/ca-chain.pem ./fabric-ca-client/crypto-config/peerOrganizations/org3.example.com/peers/peer0.org3.example.com/tls/ca.crt
    # cp ./fabric-ca-client/crypto-config/peerOrganizations/org3.example.com/peers/peer0.org3.example.com/tlstmp/signcerts/cert.pem ./fabric-ca-client/crypto-config/peerOrganizations/org3.example.com/peers/peer0.org3.example.com/tls/server.crt
    # cp ./fabric-ca-client/crypto-config/peerOrganizations/org3.example.com/peers/peer0.org3.example.com/tlstmp/keystore/xxxxxxx_sk ./fabric-ca-client/crypto-config/peerOrganizations/org3.example.com/peers/peer0.org3.example.com/tls/server.key
    # rm -rf ./fabric-ca-client/crypto-config/peerOrganizations/org3.example.com/peers/peer0.org3.example.com/tlstmp

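    1.3.2 Generate the new organization's configuration
    Switch to server 192.168.235.7 for the following steps.
    1. Copy the org3.example.com directory produced by certificate generation to the /crypto-config/peerOrganizations directory.
    2. Add the org3 organization information to the configtx.yaml configuration file and copy it to the kafkapeer directory.
    3. Output org3's configuration in JSON format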

    # cd $GOPATH/src/github.com/hyperledger/fabric/kafkapeer
    # docker-compose -f docker-compose-peer.yaml up -d
    # ./bin/configtxgen -printOrg Org3MSP -profile ./configtx.yaml > ./channel-artifacts/org3.json

    4. Install the jq tool
    jq is a command-line tool for processing JSON on Linux; it can filter, format, modify, and otherwise manipulate JSON.

    # yum install epel-release
    # yum install jq

    5. Fetch the current channel configuration

    # docker exec -it cli bash
    # ORDERER_CA=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/orderers/orderer0.example.com/msp/tlsintermediatecerts/tls-localhost-8055.pem
    # peer channel fetch config config_block.pb -o orderer0.example.com:7050 -c mychannel --tls --cafile $ORDERER_CA
    # exit
    # docker cp xxxxxxxx:/opt/gopath/src/github.com/hyperledger/fabric/peer/config_block.pb /opt/gopath/src/github.com/hyperledger/fabric/kafkapeer

    6. Modify the original configuration file, adding the org3 configuration

    # ./bin/configtxlator proto_decode --input config_block.pb --type common.Block | jq '.data.data[0].payload.data.config' > config.json

    7. Modify config.json, adding org3

    # jq -s '.[0] * {"channel_group":{"groups":{"Application":{"groups": {"Org3MSP":.[1]}}}}}' config.json ./channel-artifacts/org3.json > modified_config.json

    8. Convert config.json and modified_config.json to protobuf format

    # ./bin/configtxlator proto_encode --input config.json --type common.Config > original_config.pb
    # ./bin/configtxlator proto_encode --input modified_config.json --type common.Config > modified_config.pb

    9. Compute org3_update.pb from config.pb and modified_config.pb

    # ./bin/configtxlator compute_update --channel_id mychannel --original original_config.pb --updated modified_config.pb > config_update.pb

    10. Decode config_update.pb to JSON, modify it with jq, then re-encode it to protobuf format, finally producing org3_update_in_envelope.pb

    # ./bin/configtxlator proto_decode --input config_update.pb --type common.ConfigUpdate > config_update.json
    # echo '{"payload":{"header":{"channel_header":{"channel_id":"mychannel", "type":2}},"data":{"config_update":'$(cat config_update.json)'}}}' | jq . > config_update_in_envelope.json
    # ./bin/configtxlator proto_encode --input config_update_in_envelope.json --type common.Envelope > org3_update_in_envelope.pb
    # docker cp /opt/gopath/src/github.com/hyperledger/fabric/kafkapeer/org3_update_in_envelope.pb xxxxxxxx:/opt/gopath/src/github.com/hyperledger/fabric/peer/
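
    Before any admin signs the update, it is worth confirming that modified_config.json differs from config.json only by the new Org3MSP group. The following is an added example, not part of the original article: a Python check that diffs the two decoded configs and reports anything beyond the Org3MSP addition. The function names and the heavily trimmed sample configs are constructed for illustration.

```python
import copy
import json

ORG_PATH = ("channel_group", "groups", "Application", "groups")

def diff(a, b, path=()):
    """Return (path, kind) for every difference between two JSON trees."""
    if not (isinstance(a, dict) and isinstance(b, dict)):
        return [] if a == b else [(path, "changed")]
    out = []
    for key in sorted(set(a) | set(b)):
        if key in a and key in b:
            out += diff(a[key], b[key], path + (key,))
        else:
            out.append((path + (key,), "added" if key in b else "removed"))
    return out

def review(original, modified, new_msp):
    """Findings for an add-org update; an empty list means only new_msp was added."""
    expected = (ORG_PATH + (new_msp,), "added")
    findings = [f"{kind}: {'/'.join(p)}"
                for p, kind in diff(original, modified) if (p, kind) != expected]
    org = modified
    for key in expected[0]:
        org = org.get(key, {})
    if not org:
        findings.append(f"missing: {new_msp} not present in modified config")
    elif org.get("mod_policy") != "Admins":
        findings.append(f"{new_msp}: unexpected mod_policy {org.get('mod_policy')!r}")
    return findings

def review_files(original_path, modified_path, new_msp):
    """Same check on config.json and modified_config.json from steps 6 and 7."""
    with open(original_path) as a, open(modified_path) as b:
        return review(json.load(a), json.load(b), new_msp)

# Constructed, heavily trimmed stand-ins for config.json / modified_config.json.
_ORG = {"groups": {}, "mod_policy": "Admins", "policies": {}, "values": {}}
_ADMINS = {"mod_policy": "Admins", "policy": {"type": 3,
           "value": {"rule": "MAJORITY", "sub_policy": "Admins"}}}
ORIGINAL = {"channel_group": {"groups": {"Application": {
    "groups": {"Org1MSP": _ORG, "Org2MSP": _ORG}, "policies": {"Admins": _ADMINS}}}}}
GOOD = copy.deepcopy(ORIGINAL)
GOOD["channel_group"]["groups"]["Application"]["groups"]["Org3MSP"] = _ORG
TAMPERED = copy.deepcopy(GOOD)  # also weakens the Application Admins policy
TAMPERED["channel_group"]["groups"]["Application"]["policies"]["Admins"][
    "policy"]["value"]["rule"] = "ANY"

if __name__ == "__main__":
    print(review(ORIGINAL, TAMPERED, "Org3MSP"))
```

    On the real files, call review_files("config.json", "modified_config.json", "Org3MSP") and sign only when it returns an empty list.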

    1.3.3 Submit the new organization's configuration
    1. Sign the new Org3 configuration

    # docker exec -it cli bash
    # CORE_PEER_LOCALMSPID="Org1MSP"
    # CORE_PEER_TLS_ROOTCERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt
    # CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp
    # CORE_PEER_ADDRESS=peer0.org1.example.com:7051
    # peer channel signconfigtx -f org3_update_in_envelope.pb
    # CORE_PEER_LOCALMSPID="Org2MSP"
    # CORE_PEER_TLS_ROOTCERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/ca.crt
    # CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org2.example.com/users/Admin@org2.example.com/msp
    # CORE_PEER_ADDRESS=peer0.org2.example.com:7051
    # peer channel signconfigtx -f org3_update_in_envelope.pb

    2. Submit the signed configuration transaction to the orderer

    # ORDERER_CA=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/orderers/orderer0.example.com/msp/tlsintermediatecerts/tls-localhost-8055.pem
    # peer channel update -f org3_update_in_envelope.pb -c mychannel -o orderer0.example.com:7050 --tls --cafile $ORDERER_CA

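    1.4 Start the new organization
    Switch to server 192.168.235.11 for the following steps.
    1. Configure the docker-compose-peer.yaml file and copy it to the kafkapeer directory.
    2. Start the server (192.168.235.11)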

    # cd $GOPATH/src/github.com/hyperledger/fabric/kafkapeer
    # docker-compose -f docker-compose-peer.yaml up -d

    3. Fetch the current channel configuration

    # docker exec -it cli bash
    # ORDERER_CA=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/orderers/orderer0.example.com/msp/tlsintermediatecerts/tls-localhost-8055.pem
    # peer channel fetch 0 mychannel.block -o orderer0.example.com:7050 -c mychannel --tls --cafile $ORDERER_CA

    4. Join all of the Org's peers to the channel

    # peer channel join -b mychannel.block

    5. Upgrade the chaincode and the endorsement policy

    # peer chaincode install -n mycc -p github.com/hyperledger/fabric/kafkapeer/chaincode/go/example02/ -v 2.0

    6. Upgrade the chaincode to 2.0 for Org1's peer0
    Switch to server 192.168.235.7

    # peer chaincode install -n mycc -p github.com/hyperledger/fabric/kafkapeer/chaincode/go/example02/ -v 2.0
    # ORDERER_CA=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/orderers/orderer0.example.com/msp/tlsintermediatecerts/tls-localhost-8055.pem
    # peer chaincode upgrade -o orderer0.example.com:7050 --tls --cafile $ORDERER_CA -C mychannel -n mycc -v 2.0 -c '{"Args":["init","a","200","b","400"]}' -P "OR ('Org1MSP.peer','Org2MSP.peer','Org3MSP.peer')"

    7. Upgrade the chaincode to 2.0 for Org2's peer0
    Switch to server 192.168.235.9

    # peer chaincode install -n mycc -p github.com/hyperledger/fabric/kafkapeer/chaincode/go/example02/ -v 2.0

    1.5 Verify the new organization
    Switch to server 192.168.235.11 and query the value of a on the peer.
    1) Query a on the peer; it shows 130

    # peer chaincode query -C mychannel -n mycc -c '{"Args":["query","a"]}'



    2) On the peer, submit a transaction transferring 20 from a to b

    # ORDERER_CA=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/orderers/orderer0.example.com/msp/tlsintermediatecerts/tls-localhost-8055.pem
    # peer chaincode invoke --tls --cafile $ORDERER_CA -C mychannel -n mycc -c '{"Args":["invoke","a","b","20"]}'



    3) Query b on the peer; it shows 110

    # peer chaincode query -C mychannel -n mycc -c '{"Args":["query","a"]}'


  • Original article: https://www.cnblogs.com/llongst/p/12072885.html