一.生成公私鑰和證書
Fabric中有兩種類型的公私鑰和證書,一種是給節點之前通訊安全而准備的TLS證書,另一種是用戶登錄和權限控制的用戶證書。這些證書本來應該是由CA來頒發,但是目前只有兩個社區,所以目前暫時沒有啟用CA節點,但是Fabric幫我們提供了一個crytogen工具來生成證書。
1.1編譯cryptogen
編譯生成 cryptogen之前我們需要安裝一個軟件包,否則編譯時會報錯
sudo apt install libtool libltdl3-dev
Fabric提供了專門編譯cryptogen的入口,我們只需要運行以下命令即可:
cd ~/go/src/github.com/hyperledger/fabric make cryptogen
運行后系統返回如下結果即代表編譯成功了
build/bin/cryptogen CGO_CFLAGS=" " GOBIN=/home/studyzy/go/src/github.com/hyperledger/fabric/build/bin go install -tags "" -ldflags "-X github.com/hyperledger/fabric/common/tools/cryptogen/metadata.Version=1.0.0" github.com/hyperledger/fabric/common/tools/cryptogen Binary available as build/bin/cryptogen
我們在build/bin文件夾下就可以看到編譯出來的cryptogen程序。
1.2配置crypto-config.yaml
examples/e2e_cli/crypto-config.yaml已經提供了一個Orderer Org和兩個Peer Org的配置,該模板中也對字段進行了注釋。我們可以把配置修改一下:
OrdererOrgs: - Name: Orderer Domain: example.com Specs: - Hostname: orderer PeerOrgs: - Name: Org1 Domain: org1.example.com Template: Count: 1 Users: Count: 1 - Name: Org2 Domain: org2.example.com Template: Count: 1 Users: Count: 1
Name和Domain就是關於這個組織的名字和域名,這主要是用於生成證書的時候,證書內會包含該信息。而Template Count=1是說我們要生成1套公私鑰和證書,因為我們一個組織只需要一個peer節點。最后Users. Count=1是說每個Template下面會有幾個普通User(注意,Admin是Admin,不包含在這個計數中),這里配置了1,也就是說我們只需要一個普通用戶User1@org2.example.com 我們可以根據實際需要調整這個配置文件,增刪Org Users等。
1.3生成公司鑰和證書
我們配置好crypto-config.yaml文件后,就可以用cryptogen去讀取該文件,並生成對應的公私鑰和證書了:
cd examples/e2e_cli/ ../../build/bin/cryptogen generate --config=./crypto-config.yaml
生成的文件都保存到crypto-config文件夾,我們可以進入該文件夾查看生成了哪些文件:
tree crypto-config
二.生成創世區塊和Channel配置區塊
2.1編譯生成configtxgen
與前面1.1說到的類似,我們可以通過make命令生成configtxgen程序:
cd ~/go/src/github.com/hyperledger/fabric make configtxgen
運行后的結果為:
build/bin/configtxgen CGO_CFLAGS=" " GOBIN=/home/studyzy/go/src/github.com/hyperledger/fabric/build/bin go install -tags "nopkcs11" -ldflags "-X github.com/hyperledger/fabric/common/configtx/tool/configtxgen/metadata.Version=1.0.0" github.com/hyperledger/fabric/common/configtx/tool/configtxgen Binary available as build/bin/configtxgen
2.2配置configtx.yaml
官方提供的examples/e2e_cli/configtx.yaml這個文件里面配置了由2個Org參與的Orderer共識配置TwoOrgsOrdererGenesis,以及由2個Org參與的Channel配置:TwoOrgsChannel。Orderer可以設置共識的算法是Solo還是Kafka,以及共識時區塊大小,超時時間等,我們使用默認值即可,不用更改。而Peer節點的配置包含了MSP的配置,錨節點的配置。如果我們有更多的Org,或者有更多的Channel,那么就可以根據模板進行對應的修改。
2.3生成創世區塊
配置修改好后,我們就用configtxgen 生成創世區塊。並把這個區塊保存到本地channel-artifacts文件夾中:
cd examples/e2e_cli/ ../../build/bin/configtxgen -profile TwoOrgsOrdererGenesis -outputBlock ./channel-artifacts/genesis.block
2.4生成Channel配置區塊
../../build/bin/configtxgen -profile TwoOrgsChannel -outputCreateChannelTx ./channel-artifacts/channel.tx -channelID mychannel
另外關於錨節點的更新,我們也需要使用這個程序來生成文件:
../../build/bin/configtxgen -profile TwoOrgsChannel -outputAnchorPeersUpdate ./channel-artifacts/Org1MSPanchors.tx -channelID mychannel -asOrg Org1MSP ../../build/bin/configtxgen -profile TwoOrgsChannel -outputAnchorPeersUpdate ./channel-artifacts/Org2MSPanchors.tx -channelID mychannel -asOrg Org2MSP
最終,我們在channel-artifacts文件夾中,應該是能夠看到4個文件。
channel-artifacts/
├── channel.tx
├── genesis.block
├── Org1MSPanchors.tx
└── Org2MSPanchors.tx
三.配置docker-compose文件
前面對節點和用戶的公私鑰以及證書,還有創世區塊都生成完畢,接下來我們就可以分別為兩個peer和一個orderer配置docker-compose的yaml文件,分別分發給三台虛擬機以后就可以啟動Fabric的Docker環境了。
3.1 修改基礎配置文件
peer和orderder的基礎配置文件在base文件里面。
因為我們只有兩個組織,每個組織只有一個peer,所以只需修改base/docker-compose-base.yaml文件,刪除peer1.org1.example.com和peer1.org2.example.com。另外在單擊模式下,4個peer會映射主機不同的端口,但是我們在多機部署的時候是不需要映射不同端口的,所以將所有peer的端口映射都改為相同的,修改完成的docker-compose-base.yaml文件如下:
# Copyright IBM Corp. All Rights Reserved. # # SPDX-License-Identifier: Apache-2.0 # version: '2' services: orderer.example.com: container_name: orderer.example.com image: hyperledger/fabric-orderer environment: - ORDERER_GENERAL_LOGLEVEL=debug - ORDERER_GENERAL_LISTENADDRESS=0.0.0.0 - ORDERER_GENERAL_GENESISMETHOD=file - ORDERER_GENERAL_GENESISFILE=/var/hyperledger/orderer/orderer.genesis.block - ORDERER_GENERAL_LOCALMSPID=OrdererMSP - ORDERER_GENERAL_LOCALMSPDIR=/var/hyperledger/orderer/msp # enabled TLS - ORDERER_GENERAL_TLS_ENABLED=true - ORDERER_GENERAL_TLS_PRIVATEKEY=/var/hyperledger/orderer/tls/server.key - ORDERER_GENERAL_TLS_CERTIFICATE=/var/hyperledger/orderer/tls/server.crt - ORDERER_GENERAL_TLS_ROOTCAS=[/var/hyperledger/orderer/tls/ca.crt] working_dir: /opt/gopath/src/github.com/hyperledger/fabric command: orderer volumes: - ../channel-artifacts/genesis.block:/var/hyperledger/orderer/orderer.genesis.block - ../crypto-config/ordererOrganizations/example.com/orderers/orderer.example.com/msp:/var/hyperledger/orderer/msp - ../crypto-config/ordererOrganizations/example.com/orderers/orderer.example.com/tls/:/var/hyperledger/orderer/tls ports: - 7050:7050 peer0.org1.example.com: container_name: peer0.org1.example.com extends: file: peer-base.yaml service: peer-base environment: - CORE_PEER_ID=peer0.org1.example.com - CORE_PEER_ADDRESS=peer0.org1.example.com:7051 - CORE_PEER_CHAINCODELISTENADDRESS=peer0.org1.example.com:7052 - CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer0.org1.example.com:7051 - CORE_PEER_LOCALMSPID=Org1MSP volumes: - /var/run/:/host/var/run/ - ../crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp:/etc/hyperledger/fabric/msp - ../crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls:/etc/hyperledger/fabric/tls ports: - 7051:7051 - 7052:7052 - 7053:7053 peer0.org2.example.com: container_name: peer0.org2.example.com extends: file: peer-base.yaml service: peer-base environment: - CORE_PEER_ID=peer0.org2.example.com - CORE_PEER_ADDRESS=peer0.org2.example.com:7051 - CORE_PEER_CHAINCODELISTENADDRESS=peer0.org2.example.com:7052 - CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer0.org2.example.com:7051 - CORE_PEER_LOCALMSPID=Org2MSP volumes: - /var/run/:/host/var/run/ - ../crypto-config/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/msp:/etc/hyperledger/fabric/msp - ../crypto-config/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls:/etc/hyperledger/fabric/tls ports: - 7051:7051 - 7052:7052 - 7053:7053
3.2設置orderer節點的docker-compose文件
e2e_cli提供了多個docker-compose文件,我們可以根據docker-compose-cli來修改
cp docker-compose-cli.yaml docker-compose-orderer.yaml
orderer服務器上我們只需要保留order設置,其他peer和cli設置都可以刪除。orderer配置文件如下:
# Copyright IBM Corp. All Rights Reserved. # # SPDX-License-Identifier: Apache-2.0 # version: '2' services: orderer.example.com: extends: file: base/docker-compose-base.yaml service: orderer.example.com container_name: orderer.example.com
3.3設置peer節點的docker-compose文件
先為peer0.org1.example.com配置,與創建orderer的配置文件類似,我們也復制一個yaml文件出來進行修改:
cp docker-compose-cli.yaml docker-compose-peer0org1.yaml
去掉orderer的配置,只保留一個peer和cli,因為我們要多級部署,節點與節點之前又是通過主機名通訊,所以需要修改容器中的host文件,也就是extra_hosts設置。因為之后我們要連接couchdb,所以這里加入couchdb的配置,這里的10.0.2.11:5984是我映射CouchDB后的Linux的IP地址和IP,然后是設置用戶名和密碼。
同樣,cli也需要能夠和各個節點通訊,所以cli下面也需要添加extra_hosts設置,去掉無效的依賴,並且去掉command這一行,因為我們是每個peer都會有個對應的客戶端,也就是cli,所以我只需要去手動執行一次命令,而不是自動運行。
修改后的配置文件如下:
# Copyright IBM Corp. All Rights Reserved. # # SPDX-License-Identifier: Apache-2.0 # version: '2' services: peer0.org1.example.com: container_name: peer0.org1.example.com environment: - CORE_LEDGER_STATE_STATEDATABASE=CouchDB - CORE_LEDGER_STATE_COUCHDBCONFIG_COUCHDBADDRESS=10.0.2.11:5984 - CORE_LEDGER_STATE_COUCHDBCONFIG_USERNAME=admin - CORE_LEDGER_STATE_COUCHDBCONFIG_PASSWORD=password extends: file: base/docker-compose-base.yaml service: peer0.org1.example.com extra_hosts: - "orderer.example.com:10.0.2.10" cli: container_name: cli image: hyperledger/fabric-tools tty: true environment: - GOPATH=/opt/gopath - CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock - CORE_LOGGING_LEVEL=DEBUG - CORE_PEER_ID=cli - CORE_PEER_ADDRESS=peer0.org1.example.com:7051 - CORE_PEER_LOCALMSPID=Org1MSP - CORE_PEER_TLS_ENABLED=true - CORE_PEER_TLS_CERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.crt - CORE_PEER_TLS_KEY_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.key - CORE_PEER_TLS_ROOTCERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt - CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp working_dir: /opt/gopath/src/github.com/hyperledger/fabric/peer volumes: - /var/run/:/host/var/run/ - ../chaincode/go/:/opt/gopath/src/github.com/hyperledger/fabric/examples/chaincode/go - ./crypto-config:/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ - ./scripts:/opt/gopath/src/github.com/hyperledger/fabric/peer/scripts/ - ./channel-artifacts:/opt/gopath/src/github.com/hyperledger/fabric/peer/channel-artifacts depends_on: - peer0.org1.example.com extra_hosts: - "orderer.example.com:10.0.2.10" - "peer0.org1.example.com:10.0.2.11" - "peer0.org2.example.com:10.0.2.12"
為peer0.org2.example.com配置文件,根據peer0.org1.example.com修改即可
cp docker-compose-peer0org1.yaml docker-compose-peer0org2.yaml
修改后的配置文件如下:
# Copyright IBM Corp. All Rights Reserved. # # SPDX-License-Identifier: Apache-2.0 # version: '2' services: peer0.org2.example.com: container_name: peer0.org2.example.com environment: - CORE_LEDGER_STATE_STATEDATABASE=CouchDB - CORE_LEDGER_STATE_COUCHDBCONFIG_COUCHDBADDRESS=10.0.2.12:5984 - CORE_LEDGER_STATE_COUCHDBCONFIG_USERNAME=admin - CORE_LEDGER_STATE_COUCHDBCONFIG_PASSWORD=password extends: file: base/docker-compose-base.yaml service: peer0.org2.example.com extra_hosts: - "orderer.example.com:10.0.2.10" cli: container_name: cli image: hyperledger/fabric-tools tty: true environment: - GOPATH=/opt/gopath - CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock - CORE_LOGGING_LEVEL=DEBUG - CORE_PEER_ID=cli - CORE_PEER_ADDRESS=peer0.org2.example.com:7051 - CORE_PEER_LOCALMSPID=Org2MSP - CORE_PEER_TLS_ENABLED=true - CORE_PEER_TLS_CERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/server.crt - CORE_PEER_TLS_KEY_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/server.key - CORE_PEER_TLS_ROOTCERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/ca.crt - CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org2.example.com/users/Admin@org2.example.com/msp working_dir: /opt/gopath/src/github.com/hyperledger/fabric/peer volumes: - /var/run/:/host/var/run/ - ../chaincode/go/:/opt/gopath/src/github.com/hyperledger/fabric/examples/chaincode/go - ./crypto-config:/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ - ./scripts:/opt/gopath/src/github.com/hyperledger/fabric/peer/scripts/ - ./channel-artifacts:/opt/gopath/src/github.com/hyperledger/fabric/peer/channel-artifacts depends_on: - peer0.org2.example.com extra_hosts: - "orderer.example.com:10.0.2.10" - "peer0.org2.example.com:10.0.2.11" - "peer0.org1.example.com:10.0.2.12"
3.4分發配置文件
前面4步的操作,我們都是在orderer.example.com上完成的,接下來我們需要將這些文件分發到另外2台服務器上。Linux之間的文件傳輸,我們可以使用scp命令。
我先登錄peer0.org1.example.com,將本地的e2e_cli文件夾刪除:
rm e2e_cli –R
然后再登錄到orderer服務器上,退回到examples文件夾,因為這樣可以方便的把其下的e2e_cli文件夾整個傳到peer0.org1服務器上。
scp -r e2e_cli lxh@10.0.2.11:/home/fabric/go/src/github.com/hyperledger/fabric/examples/
接下來繼續使用scp命令將orderer上的文件夾傳送給peer0.org2.example.com。
現在所有的配置文件都已經准備完畢了!