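Fabric multi-host deployment

Submitted by 心已入冬 on 2020-11-19 13:53:55

Fabric multi-host deployment steps

1 Generating the Fabric CA

1.1 Environment preparation and writing the YAML file

  1. Load the CA image. The version depends on your requirements; this walkthrough uses 1.4.4.
  2. Write the YAML file for the CA.

  ⚠️ Note: the YAML file must follow the standard format.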

# Compose file format version
version: '2'

# Network name
networks:
  rootchain:

# Service definitions
services:
  # Service name
  lzsk.ca.chain.com:
    # Container name
    container_name: lzsk.ca.chain.com
    # Image
    image: hyperledger/fabric-ca
    # Environment of the Docker container
    environment:
      # Path where the CA server stores its certificates
      - FABRIC_CA_SERVER_HOME=/etc/hyperledger/fabric-ca-server
      # Path where the CA client stores generated certificates, mainly used by nodes and the SDK
      - FABRIC_CA_CLIENT_HOME=/etc/hyperledger/fabric-ca-client
      # Name of the CA
      - FABRIC_CA_SERVER_CA_NAME=lzsk.ca.chain.com
      # Enable TLS
      - FABRIC_CA_SERVER_TLS_ENABLED=true
      # Common name
      - FABRIC_CA_SERVER_CSR_CN=ca.chain.com
      #- FABRIC_CA_SERVER_CSR_HOSTS=0.0.0.0
      #- FABRIC_CA_SERVER_DEBUG=true
      - FABRIC_CA_SERVER_PORT=7054
    # -b: name and password of the bootstrap registrar identity; required when LDAP is not used.
    # The last two flags allow affiliations and identities to be removed.
    command: sh -c 'fabric-ca-server start -b lzsk_dsp:lzsk_dsp --port 7054 --cfg.affiliations.allowremove  --cfg.identities.allowremove'
    volumes:
      # Host-to-container path mappings
      - "./lzsk.ca.chain.com:/etc/hyperledger/fabric-ca-server"
      - "./crypto-config:/etc/hyperledger/fabric-ca-client"
    # Published port
    ports:
      - 7054:7054
    # Network name
    networks:
      - rootchain

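  3. Start the services defined in the YAML file written in step 2.

   Command: docker-compose -f YAML_FILE up -d

  4. Stop the Docker container.

   Starting the container in step 3 creates the corresponding persistent files, according to the mappings from step 2:

   # Host-to-container path mappings
      - "./lzsk.ca.chain.com:/etc/hyperledger/fabric-ca-server"
      - "./crypto-config:/etc/hyperledger/fabric-ca-client"

  On the host there is now a YAML file under ./lzsk.ca.chain.com.

Edit that file as follows.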

version: 1.4.4

 

# Listening port of the server

port: 7054

 

# Cross-Origin Resource Sharing (CORS)

cors:

    enabled: false

    origins:

      - "*"

 

# Whether to enable debug mode, which outputs more debugging information

debug: false

 

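# Size limit of an acceptable CRL, in bytes (default: 512000)
# A certificate has a specified lifetime, but the CA can shorten it through a process called certificate revocation.
# The CA publishes a certificate revocation list (CRL) with the serial numbers of certificates that must no longer be used.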

crlsizelimit: 512000

 

#############################################################################

#

#   Whether TLS is enabled on the server and, if so, the certificate used for authentication and the private key used for signing

#

#############################################################################

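tls:
  # Whether to enable TLS (disabled by default)
  enabled: true
  # TLS certificate file
  certfile:
  # TLS key file
  keyfile:
  # Client authentication settings
  clientauth:
    # By default, no client certificate authentication is performed
    type: noclientcert
    # List of trusted certificate files used when client authentication is performed
    certfiles: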

 

#############################################################################

#   

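#    Includes the instance name, the signing private key file, the identity certificate and the certificate chain file;
#    this private key and these certificate files serve as the root certificate for issuing ECerts and TCerts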

#    

#############################################################################

ca:
  # Name of the CA service; multiple services can be supported
  name: ca.chain.com
  # Key file (default: ca-key.pem)
  keyfile:
  # Certificate file (default: ca-cert.pem)
  certfile:
  # Certificate chain file (default: chain-cert.pem)
  chainfile:

 

#############################################################################

#  The gencrl REST endpoint is used to generate a CRL that contains revoked

#  certificates. This section contains configuration options that are used

#  during gencrl request processing.

#############################################################################

crl:

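  # Expiry of the generated CRL.
  # The number of hours given by this property is added to the current UTC time,
  # and the resulting time is used to set the CRL's "Next Update" date.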

  expiry: 1h

 

#############################################################################

#  

#  Used when fabric-ca-server itself manages identity registration. LDAP must be disabled in that case,
#  otherwise fabric-ca-server forwards registry lookups to LDAP

#

#############################################################################

registry:

  # Maximum number of times the same name and password can be used to enroll; -1 means unlimited, 0 means enrollment is not supported

  maxenrollments: -1

 

  # Registered identities, which can enroll. Only takes effect when LDAP is not enabled

  identities:

     - name: lzsk_dsp

       pass: lzsk_dsp

       type: client

       affiliation: ""

       attrs:

          hf.Registrar.Roles: "*"

          hf.Registrar.DelegateRoles: "*"

          hf.Revoker: true

          # Whether this identity is an intermediate CA

          hf.IntermediateCA: true

          hf.GenCRL: true

          hf.Registrar.Attributes: "*"

          hf.AffiliationMgr: true

 

#############################################################################

#  

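#    Supported databases are SQLite3, MySQL and Postgres. The default is a local SQLite3 database.
#    To run a cluster, use a MySQL or Postgres back-end database
#    and deploy a load balancer (such as Nginx or HAProxy) in front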

#

#############################################################################

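db:
  type: mysql
  datasource: root:tjfae_dsp@tcp(192.168.21.42:3306)/lzsk_ca?parseTime=true
  tls:
      # Whether to use TLS for the connection to the database
      enabled: false
      # List of trusted root certificate files in PEM format, comma-separated
      certfiles:
      client:
        # Client certificate file in PEM format
        certfile:
        # Private key file of the client certificate, in PEM format
        keyfile: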

 

#############################################################################

#  

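#     Use a remote LDAP server for registry management: authenticate enrollment user names and passwords
#     and retrieve user attributes. The server looks up the user in LDAP according to the configured usrfilter
#     and authenticates with the user's distinguished name and the given password.
#     When LDAP is enabled, the settings in the registry section are ignored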

#

#############################################################################

ldap:

   # Whether to enable LDAP (disabled by default)

   enabled: false

   # URL of the LDAP server

   url: ldap://<adminDN>:<adminPassword>@<host>:<port>/<base>

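   # TLS settings for the connection from the client to the LDAP server
   tls:
      # TLS root certificates of the LDAP server in PEM format; several may be given, comma-separated
      certfiles:
      client:
         # Client certificate file in PEM format
         certfile:
         # Private key file of the client certificate, in PEM format
         keyfile: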

   # Attribute related configuration for mapping from LDAP entries to Fabric CA attributes

   attribute:

      # 'names' is an array of strings containing the LDAP attribute names which are

      # requested from the LDAP server for an LDAP identity's entry

      names: ['uid','member']

      # The 'converters' section is used to convert an LDAP entry to the value of

      # a fabric CA attribute.

      # For example, the following converts an LDAP 'uid' attribute

      # whose value begins with 'revoker' to a fabric CA attribute

      # named "hf.Revoker" with a value of "true" (because the boolean expression

      # evaluates to true).

      #    converters:

      #       - name: hf.Revoker

      #         value: attr("uid") =~ "revoker*"

      converters:

         - name:

           value:

      # The 'maps' section contains named maps which may be referenced by the 'map'

      # function in the 'converters' section to map LDAP responses to arbitrary values.

      # For example, assume a user has an LDAP attribute named 'member' which has multiple

      # values which are each a distinguished name (i.e. a DN). For simplicity, assume the

      # values of the 'member' attribute are 'dn1', 'dn2', and 'dn3'.

      # Further assume the following configuration.

      #    converters:

      #       - name: hf.Registrar.Roles

      #         value: map(attr("member"),"groups")

      #    maps:

      #       groups:

      #          - name: dn1

      #            value: peer

      #          - name: dn2

      #            value: client

      # The value of the user's 'hf.Registrar.Roles' attribute is then computed to be

      # "peer,client,dn3".  This is because the value of 'attr("member")' is

      # "dn1,dn2,dn3", and the call to 'map' with a 2nd argument of

      # "group" replaces "dn1" with "peer" and "dn2" with "client".

      maps:

         groups:

            - name:

              value:

 

#############################################################################

#

#    Affiliation (organizational structure) configuration

#

#############################################################################

affiliations:

   org1:

      - department1

      - department2

   org2:

      - department1

 

#############################################################################

#  

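#   Settings for issuing certificates, including the signing method and certificate expiry. fabric-ca-server can act as
#   the issuing CA for user certificates (the default) or as a root CA that supports further intermediate CAs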

#

#############################################################################

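signing:
    # Default profile, used to sign ECerts
    default:
      # KeyUsage extension of issued certificates
      usage:
        - digital signature
      # One year
      expiry: 8760h
    # Additional signing profiles
    profiles:
      # Profile used when signing intermediate CA certificates
      ca:
         usage:
           # KeyUsage extension of issued certificates
           - cert sign
           - crl sign
         expiry: 43800h
         caconstraint:
           isca: true
           # Prevents this intermediate CA from signing further intermediate CAs
           maxpathlen: 0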

      tls:

         usage:

            - signing

            - key encipherment

            - server auth

            - client auth

            - key agreement

         expiry: 8760h

 

###########################################################################

#  

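#   Certificate signing request settings for the CA's own certificate. When the CA is a root CA, a self-signed
#   certificate is generated from the request; when it is an intermediate CA, the request is sent to the parent root CA for signing.
#   The generated ca-cert.pem file is a self-signed certificate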

###########################################################################

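csr:
   # Common name
   cn: ca.chain.com
   keyrequest:
     algo: ecdsa
     size: 256
   names:
      # Country
      - C: China
        # State or province
        ST: "BeiJing"
        # Locality or city
        L: BeiJing
        # Organization name
        O: chain
        # Organizational unit name
        OU: LZSKMSP
   hosts:
     - lzsk.ca.chain.com
     - localhost
   # These settings are added to the certificate's extension fields
   ca:
      # The CA root certificate is valid for 15 years by default
      expiry: 131400h
      # Permitted depth of intermediate certificates
      pathlength: 1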

 

###########################################################################

# Each CA can issue both X509 enrollment certificate as well as Idemix

# Credential. This section specifies configuration for the issuer component

# that is responsible for issuing Idemix credentials.

###########################################################################

idemix:

  # Specifies pool size for revocation handles. A revocation handle is an unique identifier of an

  # Idemix credential. The issuer will create a pool revocation handles of this specified size. When

  # a credential is requested, issuer will get handle from the pool and assign it to the credential.

  # Issuer will repopulate the pool with new handles when the last handle in the pool is used.

  # A revocation handle and credential revocation information (CRI) are used to create non revocation proof

  # by the prover to prove to the verifier that her credential is not revoked.

  rhpoolsize: 1000

 

  # The Idemix credential issuance is a two step process. First step is to get a nonce from the issuer
  # and second step is send credential request that is constructed using the nonce to the issuer to
  # request a credential. This configuration property specifies expiration for the nonces. By default,
  # nonces expire after 15 seconds. The value is expressed in the time.Duration format (see https://golang.org/pkg/time/#ParseDuration).

  nonceexpiration: 15s

 

  # Specifies interval at which expired nonces are removed from datastore. Default value is 15 minutes.

  #  The value is expressed in the time.Duration format (see https://golang.org/pkg/time/#ParseDuration)

  noncesweepinterval: 15m

 

#############################################################################

#

#   Configuration of the selected crypto library
#   Keys used by the BCCSP (BlockChain Crypto Service Provider) are stored in msp/keystore

#############################################################################

bccsp:

    default: SW

    sw:

        hash: SHA2

        security: 256

        filekeystore:

            # Path where key files are stored

            keystore: msp/keystore

 

# Automatically create additional CA instances besides the default CA, such as ca1, ca2 and so on

cacount:

 

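# Paths of multiple CA configuration files; each file starts one CA service. Make sure the files do not conflict with each other (for example on service port or TLS certificates)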

cafiles:

 

#############################################################################

#

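#   Settings used when this CA runs as an intermediate CA, including the parent CA's address and name, the enrollment information and the TLS settings.
#   Note: a non-empty intermediate.parentserver.url means this CA is an intermediate CA;
#   otherwise it is a root CA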

#

#############################################################################

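intermediate:
  # Parent CA information
  parentserver:
    url:
    caname:
  # Enrollment information on the parent CA side
  enrollment:
    # List of certificate host names
    hosts:
    # Signing profile to use
    profile:
    # Label used in HSM operations
    label:
  # TLS settings
  tls:
    # Trusted root CA certificates
    certfiles:
    # Files used when client authentication is enabled
    client:
      certfile:
      keyfile: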

 

#############################################################################

# CA configuration section

#

# Configure the number of incorrect password attempts allowed for
# identities. By default, the value of 'passwordattempts' is 10, which
# means that 10 incorrect password attempts can be made before an identity gets
# locked out.

#############################################################################

cfg:

  identities:

    passwordattempts: 10

 

###############################################################################

#

#    Operations section

#

###############################################################################

operations:

    # host and port for the operations server

    listenAddress: 127.0.0.1:9443

 

    # TLS configuration for the operations endpoint

    tls:

        # TLS enabled

        enabled: false

 

        # path to PEM encoded server certificate for the operations server

        cert:

            file:

 

        # path to PEM encoded server key for the operations server

        key:

            file:

 

        # require client certificate authentication to access all resources

        clientAuthRequired: false

 

        # paths to PEM encoded ca certificates to trust for client authentication

        clientRootCAs:

            files: []

 

###############################################################################

#

#    Metrics section

#

###############################################################################

metrics:

    # statsd, prometheus, or disabled

    provider: disabled

 

    # statsd configuration

    statsd:

        # network type: tcp or udp

        network: udp

 

        # statsd server address

        address: 127.0.0.1:8125

 

        # the interval at which locally cached counters and gauges are pushed

        # to statsd; timings are pushed immediately

        writeInterval: 10s

 

        # prefix is prepended to all emitted statsd metrics

        prefix: server

 

      

  5. After the configuration is complete, restart the Docker container.
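
Before the restart it is worth checking the edited file for the settings that decide how exposed the CA is. The script below is an added example, not part of the original post: flatten_yaml, audit_ca_config, sample_config and the finding codes are names invented here, and the embedded sample is a constructed excerpt that reuses the values shown above.

```shell
#!/bin/sh
# Added example: audit a Fabric CA server config for risky settings.
# All function names and finding codes are made up for this example;
# they are not Fabric CA tooling.

# Flatten block-style YAML (nested mappings and simple lists, which is all the
# CA server config uses) into "path/to/key=value" lines.
flatten_yaml() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }            # skip comments and blank lines
    {
        sub(/\r$/, "")
        ind = 0
        while (substr($0, ind + 1, 1) == " ") ind++
        body = substr($0, ind + 1)
        if (body ~ /^- /) {                      # list item: its keys sit 2+ columns deeper
            ind += 2; body = substr(body, 3)
            while (substr(body, 1, 1) == " ") { ind++; body = substr(body, 2) }
        }
        while (depth > 0 && at[depth] >= ind) depth--   # leave finished mappings
        p = index(body, ": ")
        if (p == 0 && substr(body, length(body)) == ":") p = length(body)
        if (p > 0) {                             # "key: value" or "key:"
            depth++; at[depth] = ind; name[depth] = substr(body, 1, p - 1)
            val = substr(body, p + 1)
        } else {                                 # bare scalar list item
            val = body
        }
        sub(/[ \t]+#.*$/, "", val)               # drop trailing comment
        gsub(/^[ \t]+|[ \t]+$/, "", val)         # trim
        gsub(/^"|"$/, "", val)                   # unquote
        if (val == "") next                      # mapping header or empty value
        path = name[1]
        for (i = 2; i <= depth; i++) path = path "/" name[i]
        print path "=" val
    }'
}

# Read a config on stdin and print one finding per line (nothing if clean).
audit_ca_config() {
    flatten_yaml | awk -F= '
    { k = $1; v = substr($0, length(k) + 2) }
    k == "tls/enabled"              { tls = v }
    k == "registry/maxenrollments" && v == "-1" {
        print "UNLIMITED_ENROLL registry.maxenrollments is -1: one secret can enroll any number of times" }
    k == "registry/identities/name" { id = v }
    k == "registry/identities/pass" && v == id {
        print "WEAK_SECRET identity " id " uses its own name as enrollment secret" }
    k == "db/datasource"            { ds = v }
    k == "db/tls/enabled"           { dbtls = v }
    END {
        if (tls != "true") print "TLS_OFF tls.enabled is not true"
        if (ds ~ /^root:/) print "DB_ROOT db.datasource connects as the database root account"
        remote = (ds ~ /tcp\(/ && ds !~ /tcp\((127\.0\.0\.1|localhost)[:)]/)
        if (remote && dbtls != "true")
            print "DB_NO_TLS db.datasource is a remote host but db.tls.enabled is not true"
    }'
}

# Constructed sample: an excerpt carrying the values from the configuration above.
sample_config() {
    cat <<'EOF'
tls:
  enabled: true
registry:
  maxenrollments: -1
  identities:
     - name: lzsk_dsp
       pass: lzsk_dsp
       type: client
db:
  type: mysql
  datasource: root:tjfae_dsp@tcp(192.168.21.42:3306)/lzsk_ca?parseTime=true
  tls:
      enabled: false
EOF
}

sample_config | audit_ca_config
```

To audit a real deployment, feed the edited file from the mapped host directory to audit_ca_config on stdin.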

                                     

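1.2 Generating certificates inside the container

The commands in this section use the bootstrap identity tjfae_dsp and the CA name tjfae.ca.chain.com, whereas the compose file and server configuration above define lzsk_dsp and lzsk.ca.chain.com; use the values that match your own CA.

1.2.1 Registering the admin users of the orderer and peer organizations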

# Create the CA admin directory
mkdir -p ${FABRIC_CA_CLIENT_HOME}/tjfae_admin

 

# Generate the fabric-ca admin credentials
# Set the environment variable
export FABRIC_CA_CLIENT_HOME=${FABRIC_CA_CLIENT_HOME}/tjfae_admin

   fabric-ca-client enroll -u https://tjfae_dsp:tjfae_dsp@localhost:7054 --caname tjfae.ca.chain.com --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem

 

# List the affiliations (as the admin user)
fabric-ca-client -H ${FABRIC_CA_CLIENT_HOME} affiliation list --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem

 

# Remove the default affiliations
fabric-ca-client -H ${FABRIC_CA_CLIENT_HOME} affiliation remove --force org1 --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem

⚠️ Make sure every default affiliation is removed.

 

# Create the affiliations
fabric-ca-client -H ${FABRIC_CA_CLIENT_HOME} affiliation add com --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem

   fabric-ca-client -H ${FABRIC_CA_CLIENT_HOME} affiliation add com.chain --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem

   fabric-ca-client -H ${FABRIC_CA_CLIENT_HOME} affiliation add com.chain.tjfae --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem

   fabric-ca-client -H ${FABRIC_CA_CLIENT_HOME} affiliation add com.chain.tjfadc --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem

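⚠️ The affiliation names (shown in red in the original post) depend on your deployment.

# Prepare the MSP directory of each organization and create the node-type classification config file
mkdir -p /etc/hyperledger/fabric-ca-client/ordererOrganizations/chain.com/msp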

   mkdir -p /etc/hyperledger/fabric-ca-client/peerOrganizations/tjfae.chain.com/msp

 

   fabric-ca-client getcacert -M /etc/hyperledger/fabric-ca-client/ordererOrganizations/chain.com/msp --caname tjfae.ca.chain.com --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem

   fabric-ca-client getcacert -M /etc/hyperledger/fabric-ca-client/peerOrganizations/tjfae.chain.com/msp --caname tjfae.ca.chain.com --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem

 

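   # Copy config.yaml to ordererOrganizations/chain.com/msp/config.yaml; the file names given inside config.yaml must match the files actually present in the directory
   # Copy config.yaml to peerOrganizations/tjfae.chain.com/msp/config.yaml; the file names given inside config.yaml must match the files actually present in the directory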

 

# Register the admin of each organization

fabric-ca-client enroll -u https://tjfae_dsp:tjfae_dsp@localhost:7054 --caname tjfae.ca.chain.com --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem

⚠️ This step must be executed, otherwise an error is reported.

fabric-ca-client register -u https://tjfae_dsp:tjfae_dsp@localhost:7054 --caname tjfae.ca.chain.com --id.name Admin@chain.com --id.secret tjfae_dsp --id.type admin --id.affiliation com.chain --id.attrs '"hf.Registrar.Roles=client,orderer,peer,admin","hf.Registrar.DelegateRoles=client,orderer,peer,admin",hf.Registrar.Attributes=*,hf.GenCRL=true,hf.Revoker=true,hf.AffiliationMgr=true,hf.IntermediateCA=true,role=admin:ecert' --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem

   fabric-ca-client register -u https://tjfae_dsp:tjfae_dsp@localhost:7054 --caname tjfae.ca.chain.com --id.name Admin@tjfae.chain.com --id.secret tjfae_dsp --id.type admin --id.affiliation com.chain.tjfae --id.attrs '"hf.Registrar.Roles=client,orderer,peer,admin","hf.Registrar.DelegateRoles=client,orderer,peer,admin",hf.Registrar.Attributes=*,hf.GenCRL=true,hf.Revoker=true,hf.AffiliationMgr=true,hf.IntermediateCA=true,role=admin:ecert' --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem

 

# Generate the credentials of each organization's admin
mkdir -p /etc/hyperledger/fabric-ca-client/ordererOrganizations/chain.com/users/Admin@chain.com

   mkdir -p /etc/hyperledger/fabric-ca-client/peerOrganizations/tjfae.chain.com/users/Admin@tjfae.chain.com

 

   fabric-ca-client enroll -u https://Admin@chain.com:tjfae_dsp@localhost:7054 --caname tjfae.ca.chain.com  -H /etc/hyperledger/fabric-ca-client/ordererOrganizations/chain.com/users/Admin@chain.com --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem

   fabric-ca-client enroll -u https://Admin@tjfae.chain.com:tjfae_dsp@localhost:7054 --caname tjfae.ca.chain.com  -H /etc/hyperledger/fabric-ca-client/peerOrganizations/tjfae.chain.com/users/Admin@tjfae.chain.com --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem

   

   cp /etc/hyperledger/fabric-ca-client/ordererOrganizations/chain.com/msp/config.yaml /etc/hyperledger/fabric-ca-client/ordererOrganizations/chain.com/users/Admin@chain.com/msp/config.yaml

   cp /etc/hyperledger/fabric-ca-client/peerOrganizations/tjfae.chain.com/msp/config.yaml /etc/hyperledger/fabric-ca-client/peerOrganizations/tjfae.chain.com/users/Admin@tjfae.chain.com/msp/config.yaml

 

# Copy the Admin@chain.com certificate to chain.com/msp/admincerts/
mkdir /etc/hyperledger/fabric-ca-client/ordererOrganizations/chain.com/msp/admincerts/

   mkdir /etc/hyperledger/fabric-ca-client/peerOrganizations/tjfae.chain.com/msp/admincerts/

   

   cp /etc/hyperledger/fabric-ca-client/ordererOrganizations/chain.com/users/Admin@chain.com/msp/signcerts/cert.pem  /etc/hyperledger/fabric-ca-client/ordererOrganizations/chain.com/msp/admincerts/

   cp /etc/hyperledger/fabric-ca-client/peerOrganizations/tjfae.chain.com/users/Admin@tjfae.chain.com/msp/signcerts/cert.pem  /etc/hyperledger/fabric-ca-client/peerOrganizations/tjfae.chain.com/msp/admincerts/

 

# List the affiliations

fabric-ca-client -H /etc/hyperledger/fabric-ca-client/ordererOrganizations/chain.com/users/Admin@chain.com affiliation list --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem

fabric-ca-client -H /etc/hyperledger/fabric-ca-client/peerOrganizations/tjfae.chain.com/users/Admin@tjfae.chain.com affiliation list --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem

1.2.2 Registering the ordinary orderer node identities with the admin account

# Register with the admin account and generate the credentials
export FABRIC_CA_CLIENT_HOME=/etc/hyperledger/fabric-ca-client/ordererOrganizations/chain.com

    fabric-ca-client register -u https://Admin@chain.com:tjfae_dsp@localhost:7054 -H ${FABRIC_CA_CLIENT_HOME}/users/Admin@chain.com --caname tjfae.ca.chain.com --id.name orderer.chain.com --id.secret tjfae_dsp --id.type orderer --id.affiliation com.chain --id.attrs 'role=orderer:ecert' --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem

    fabric-ca-client register -u https://Admin@chain.com:tjfae_dsp@localhost:7054 -H ${FABRIC_CA_CLIENT_HOME}/users/Admin@chain.com --caname tjfae.ca.chain.com --id.name orderer2.chain.com --id.secret tjfae_dsp --id.type orderer --id.affiliation com.chain --id.attrs 'role=orderer:ecert' --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem

fabric-ca-client register -u https://Admin@chain.com:tjfae_dsp@localhost:7054 -H ${FABRIC_CA_CLIENT_HOME}/users/Admin@chain.com --caname tjfae.ca.chain.com --id.name orderer3.chain.com --id.secret tjfae_dsp --id.type orderer --id.affiliation com.chain --id.attrs 'role=orderer:ecert' --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem

 

# Create a directory for each of the identities just registered to hold its certificate files
mkdir -p ${FABRIC_CA_CLIENT_HOME}/orderers

    mkdir -p ${FABRIC_CA_CLIENT_HOME}/orderers/orderer.chain.com

    mkdir -p ${FABRIC_CA_CLIENT_HOME}/orderers/orderer2.chain.com

mkdir -p ${FABRIC_CA_CLIENT_HOME}/orderers/orderer3.chain.com

 

# Obtain the MSP certificate files of each orderer node
fabric-ca-client enroll -u https://orderer.chain.com:tjfae_dsp@localhost:7054 --caname tjfae.ca.chain.com -H ${FABRIC_CA_CLIENT_HOME}/orderers/orderer.chain.com --csr.hosts orderer.chain.com --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem

fabric-ca-client enroll -u https://orderer2.chain.com:tjfae_dsp@localhost:7054 --caname tjfae.ca.chain.com -H ${FABRIC_CA_CLIENT_HOME}/orderers/orderer2.chain.com --csr.hosts orderer2.chain.com --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem

fabric-ca-client enroll -u https://orderer3.chain.com:tjfae_dsp@localhost:7054 --caname tjfae.ca.chain.com -H ${FABRIC_CA_CLIENT_HOME}/orderers/orderer3.chain.com --csr.hosts orderer3.chain.com --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem

 

# Obtain the TLS certificate files of each orderer node
fabric-ca-client enroll -u https://orderer.chain.com:tjfae_dsp@localhost:7054 --caname tjfae.ca.chain.com -M ${FABRIC_CA_CLIENT_HOME}/orderers/orderer.chain.com/tls --enrollment.profile tls --csr.hosts orderer.chain.com --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem

    fabric-ca-client enroll -u https://orderer2.chain.com:tjfae_dsp@localhost:7054 --caname tjfae.ca.chain.com -M ${FABRIC_CA_CLIENT_HOME}/orderers/orderer2.chain.com/tls --enrollment.profile tls --csr.hosts orderer2.chain.com --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem

fabric-ca-client enroll -u https://orderer3.chain.com:tjfae_dsp@localhost:7054 --caname tjfae.ca.chain.com -M ${FABRIC_CA_CLIENT_HOME}/orderers/orderer3.chain.com/tls --enrollment.profile tls --csr.hosts orderer3.chain.com --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem

 

# Copy the node-type classification config file created earlier into each node's MSP directory

  cp ${FABRIC_CA_CLIENT_HOME}/msp/config.yaml ${FABRIC_CA_CLIENT_HOME}/orderers/orderer.chain.com/msp/config.yaml

  cp ${FABRIC_CA_CLIENT_HOME}/msp/config.yaml ${FABRIC_CA_CLIENT_HOME}/orderers/orderer2.chain.com/msp/config.yaml

  cp ${FABRIC_CA_CLIENT_HOME}/msp/config.yaml ${FABRIC_CA_CLIENT_HOME}/orderers/orderer3.chain.com/msp/config.yaml

 

# Rename each node's TLS certificate and key files for easier use later
cp ${FABRIC_CA_CLIENT_HOME}/orderers/orderer.chain.com/tls/tlscacerts/* ${FABRIC_CA_CLIENT_HOME}/orderers/orderer.chain.com/tls/ca.crt

    cp ${FABRIC_CA_CLIENT_HOME}/orderers/orderer.chain.com/tls/signcerts/* ${FABRIC_CA_CLIENT_HOME}/orderers/orderer.chain.com/tls/server.crt

    cp ${FABRIC_CA_CLIENT_HOME}/orderers/orderer.chain.com/tls/keystore/* ${FABRIC_CA_CLIENT_HOME}/orderers/orderer.chain.com/tls/server.key

 

    cp ${FABRIC_CA_CLIENT_HOME}/orderers/orderer2.chain.com/tls/tlscacerts/* ${FABRIC_CA_CLIENT_HOME}/orderers/orderer2.chain.com/tls/ca.crt

    cp ${FABRIC_CA_CLIENT_HOME}/orderers/orderer2.chain.com/tls/signcerts/* ${FABRIC_CA_CLIENT_HOME}/orderers/orderer2.chain.com/tls/server.crt

    cp ${FABRIC_CA_CLIENT_HOME}/orderers/orderer2.chain.com/tls/keystore/* ${FABRIC_CA_CLIENT_HOME}/orderers/orderer2.chain.com/tls/server.key

 

cp ${FABRIC_CA_CLIENT_HOME}/orderers/orderer3.chain.com/tls/tlscacerts/* ${FABRIC_CA_CLIENT_HOME}/orderers/orderer3.chain.com/tls/ca.crt

    cp ${FABRIC_CA_CLIENT_HOME}/orderers/orderer3.chain.com/tls/signcerts/* ${FABRIC_CA_CLIENT_HOME}/orderers/orderer3.chain.com/tls/server.crt

    cp ${FABRIC_CA_CLIENT_HOME}/orderers/orderer3.chain.com/tls/keystore/* ${FABRIC_CA_CLIENT_HOME}/orderers/orderer3.chain.com/tls/server.key

 

# Create a tlscacerts directory inside the MSP directory and copy the TLS file into it
mkdir ${FABRIC_CA_CLIENT_HOME}/orderers/orderer.chain.com/msp/tlscacerts

    mkdir ${FABRIC_CA_CLIENT_HOME}/orderers/orderer2.chain.com/msp/tlscacerts

mkdir ${FABRIC_CA_CLIENT_HOME}/orderers/orderer3.chain.com/msp/tlscacerts

 

    cp ${FABRIC_CA_CLIENT_HOME}/orderers/orderer.chain.com/tls/tlscacerts/* ${FABRIC_CA_CLIENT_HOME}/orderers/orderer.chain.com/msp/tlscacerts/tlsca.chain.com-cert.pem

cp ${FABRIC_CA_CLIENT_HOME}/orderers/orderer2.chain.com/tls/tlscacerts/* ${FABRIC_CA_CLIENT_HOME}/orderers/orderer2.chain.com/msp/tlscacerts/tlsca.chain.com-cert.pem

cp ${FABRIC_CA_CLIENT_HOME}/orderers/orderer3.chain.com/tls/tlscacerts/* ${FABRIC_CA_CLIENT_HOME}/orderers/orderer3.chain.com/msp/tlscacerts/tlsca.chain.com-cert.pem

 

# Copy the TLS root certificate
mkdir -p ${FABRIC_CA_CLIENT_HOME}/msp/tlscacerts

    cp ${FABRIC_CA_CLIENT_HOME}/orderers/orderer.chain.com/tls/tlscacerts/* ${FABRIC_CA_CLIENT_HOME}/msp/tlscacerts/tlsca.chain.com-cert.pem

 

# Copy the Admin@chain.com certificate to /chain.com/orderers/orderer.chain.com/msp/admincerts
mkdir ${FABRIC_CA_CLIENT_HOME}/orderers/orderer.chain.com/msp/admincerts

    mkdir ${FABRIC_CA_CLIENT_HOME}/orderers/orderer2.chain.com/msp/admincerts

mkdir ${FABRIC_CA_CLIENT_HOME}/orderers/orderer3.chain.com/msp/admincerts

 

    cp ${FABRIC_CA_CLIENT_HOME}/users/Admin@chain.com/msp/signcerts/cert.pem ${FABRIC_CA_CLIENT_HOME}/orderers/orderer.chain.com/msp/admincerts

cp ${FABRIC_CA_CLIENT_HOME}/users/Admin@chain.com/msp/signcerts/cert.pem ${FABRIC_CA_CLIENT_HOME}/orderers/orderer2.chain.com/msp/admincerts

cp ${FABRIC_CA_CLIENT_HOME}/users/Admin@chain.com/msp/signcerts/cert.pem ${FABRIC_CA_CLIENT_HOME}/orderers/orderer3.chain.com/msp/admincerts

 

1.2.3 Registering the ordinary peer node identities with the admin account

# Create subdirectories to hold the certificate files
export FABRIC_CA_CLIENT_HOME=/etc/hyperledger/fabric-ca-client/peerOrganizations/tjfae.chain.com/

 

# Register four identities: peer0, peer1, user1 and tjfaeAdmin. The peers are required, user1 is for testing, and Admin@tjfae.chain.com is the Admin user; installing and instantiating chaincode requires the Admin user's certificate
fabric-ca-client register -u https://Admin@tjfae.chain.com:tjfae_dsp@localhost:7054 -H ${FABRIC_CA_CLIENT_HOME}/users/Admin@tjfae.chain.com --caname tjfae.ca.chain.com --id.name tjfae_peer0 --id.secret tjfae_dsp --id.type peer --id.affiliation com.chain.tjfae --id.attrs '"hf.Registrar.Roles=peer",role=peer:ecert' --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem

    fabric-ca-client register -u https://Admin@tjfae.chain.com:tjfae_dsp@localhost:7054 -H ${FABRIC_CA_CLIENT_HOME}/users/Admin@tjfae.chain.com --caname tjfae.ca.chain.com --id.name tjfae_peer1 --id.secret tjfae_dsp --id.type peer --id.affiliation com.chain.tjfae --id.attrs '"hf.Registrar.Roles=peer",role=peer:ecert' --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem

    fabric-ca-client register -u https://Admin@tjfae.chain.com:tjfae_dsp@localhost:7054 -H ${FABRIC_CA_CLIENT_HOME}/users/Admin@tjfae.chain.com --caname tjfae.ca.chain.com --id.name User1@tjfae.chain.com --id.secret tjfae_dsp --id.type client --id.affiliation com.chain.tjfae --id.attrs '"hf.Registrar.Roles=client",role=client:ecert' --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem

 

# Create a directory for each of the identities just registered to hold its certificate files
mkdir -p ${FABRIC_CA_CLIENT_HOME}/peers

    mkdir -p ${FABRIC_CA_CLIENT_HOME}/peers/peer0.tjfae.chain.com

   mkdir -p ${FABRIC_CA_CLIENT_HOME}/peers/peer1.tjfae.chain.com

 

# MSP files
fabric-ca-client enroll -u https://tjfae_peer0:tjfae_dsp@localhost:7054 --caname tjfae.ca.chain.com -M ${FABRIC_CA_CLIENT_HOME}/peers/peer0.tjfae.chain.com/msp --csr.hosts peer0.tjfae.chain.com --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem

    fabric-ca-client enroll -u https://tjfae_peer1:tjfae_dsp@localhost:7054 --caname tjfae.ca.chain.com -M ${FABRIC_CA_CLIENT_HOME}/peers/peer1.tjfae.chain.com/msp --csr.hosts peer1.tjfae.chain.com --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem

 

# TLS certificates
fabric-ca-client enroll -u https://tjfae_peer0:tjfae_dsp@localhost:7054 --caname tjfae.ca.chain.com -M ${FABRIC_CA_CLIENT_HOME}/peers/peer0.tjfae.chain.com/tls --enrollment.profile tls --csr.hosts peer0.tjfae.chain.com --csr.hosts peer0.tjfae.chain.com --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem

fabric-ca-client enroll -u https://tjfae_peer1:tjfae_dsp@localhost:7054 --caname tjfae.ca.chain.com -M ${FABRIC_CA_CLIENT_HOME}/peers/peer1.tjfae.chain.com/tls --enrollment.profile tls --csr.hosts peer1.tjfae.chain.com --csr.hosts peer1.tjfae.chain.com --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem

 

# Copy the node-type classification config file
cp ${FABRIC_CA_CLIENT_HOME}/msp/config.yaml ${FABRIC_CA_CLIENT_HOME}/peers/peer0.tjfae.chain.com/msp/config.yaml

    cp ${FABRIC_CA_CLIENT_HOME}/msp/config.yaml ${FABRIC_CA_CLIENT_HOME}/peers/peer1.tjfae.chain.com/msp/config.yaml

 

# Rename the certificate and key files for easier use later
cp ${FABRIC_CA_CLIENT_HOME}/peers/peer0.tjfae.chain.com/tls/tlscacerts/* ${FABRIC_CA_CLIENT_HOME}/peers/peer0.tjfae.chain.com/tls/ca.crt

    cp ${FABRIC_CA_CLIENT_HOME}/peers/peer0.tjfae.chain.com/tls/signcerts/* ${FABRIC_CA_CLIENT_HOME}/peers/peer0.tjfae.chain.com/tls/server.crt

    cp ${FABRIC_CA_CLIENT_HOME}/peers/peer0.tjfae.chain.com/tls/keystore/* ${FABRIC_CA_CLIENT_HOME}/peers/peer0.tjfae.chain.com/tls/server.key

 

cp ${FABRIC_CA_CLIENT_HOME}/peers/peer1.tjfae.chain.com/tls/tlscacerts/* ${FABRIC_CA_CLIENT_HOME}/peers/peer1.tjfae.chain.com/tls/ca.crt

    cp ${FABRIC_CA_CLIENT_HOME}/peers/peer1.tjfae.chain.com/tls/signcerts/* ${FABRIC_CA_CLIENT_HOME}/peers/peer1.tjfae.chain.com/tls/server.crt

    cp ${FABRIC_CA_CLIENT_HOME}/peers/peer1.tjfae.chain.com/tls/keystore/* ${FABRIC_CA_CLIENT_HOME}/peers/peer1.tjfae.chain.com/tls/server.key

 

# Copy the TLS-related certificates
mkdir ${FABRIC_CA_CLIENT_HOME}/msp/tlscacerts

    cp ${FABRIC_CA_CLIENT_HOME}/peers/peer0.tjfae.chain.com/tls/tlscacerts/* ${FABRIC_CA_CLIENT_HOME}/msp/tlscacerts/ca.crt

mkdir ${FABRIC_CA_CLIENT_HOME}/tlsca

    cp ${FABRIC_CA_CLIENT_HOME}/peers/peer0.tjfae.chain.com/tls/tlscacerts/* ${FABRIC_CA_CLIENT_HOME}/tlsca/tlsca.tjfae.chain.com-cert.pem

mkdir ${FABRIC_CA_CLIENT_HOME}/ca

    cp ${FABRIC_CA_CLIENT_HOME}/peers/peer0.tjfae.chain.com/msp/cacerts/* ${FABRIC_CA_CLIENT_HOME}/ca/ca.tjfae.chain.com-cert.pem

 

# Obtain the certificate files of the user identity
mkdir -p ${FABRIC_CA_CLIENT_HOME}/users/User1@tjfae.chain.com

# Obtain the certificate files
fabric-ca-client enroll -u https://User1@tjfae.chain.com:tjfae_dsp@localhost:7054 --caname tjfae.ca.chain.com -M ${FABRIC_CA_CLIENT_HOME}/users/User1@tjfae.chain.com/msp --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem

 

# Copy the Admin@tjfae.chain.com certificate to ${FABRIC_CA_CLIENT_HOME}/peers/peer0.tjfae.chain.com/msp/admincerts
mkdir ${FABRIC_CA_CLIENT_HOME}/peers/peer0.tjfae.chain.com/msp/admincerts

    mkdir ${FABRIC_CA_CLIENT_HOME}/peers/peer1.tjfae.chain.com/msp/admincerts

mkdir ${FABRIC_CA_CLIENT_HOME}/users/User1@tjfae.chain.com/msp/admincerts

 

    cp ${FABRIC_CA_CLIENT_HOME}/users/Admin@tjfae.chain.com/msp/signcerts/cert.pem ${FABRIC_CA_CLIENT_HOME}/peers/peer0.tjfae.chain.com/msp/admincerts

cp ${FABRIC_CA_CLIENT_HOME}/users/Admin@tjfae.chain.com/msp/signcerts/cert.pem ${FABRIC_CA_CLIENT_HOME}/peers/peer1.tjfae.chain.com/msp/admincerts

cp ${FABRIC_CA_CLIENT_HOME}/users/Admin@tjfae.chain.com/msp/signcerts/cert.pem ${FABRIC_CA_CLIENT_HOME}/users/User1@tjfae.chain.com/msp/admincerts

 

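1.2.4 Finishing certificate generation

  Once all certificates have been generated, copy the client certificates to the corresponding path on each node.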
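
Before the material is copied to the nodes, each node directory can be checked for the mistakes this procedure makes easy: a glob in cp that no longer matches exactly one file, a renamed TLS file that is out of date, and a config.yaml that names a CA certificate file that is not there. This is an added example, not part of the original post; the function names, the placeholder file contents and the NodeOUs entries in the sample config.yaml are assumptions.

```shell
#!/bin/sh
# Added example: consistency check for one node directory (for instance
# orderers/orderer.chain.com) after the enroll and cp steps above.
# only_file, check_copy, check_node_dir and make_sample_node are names made up
# for this example.

# Print the path of the single regular file in directory $1, or nothing if the
# directory holds zero or several files.
only_file() {
    n=0; one=
    for f in "$1"/*; do
        if [ -f "$f" ]; then n=$((n + 1)); one=$f; fi
    done
    if [ "$n" -eq 1 ]; then echo "$one"; fi
}

# $1 = node dir, $2 = directory under tls/, $3 = renamed copy under tls/
check_copy() {
    src=$(only_file "$1/tls/$2")
    if [ -z "$src" ]; then
        echo "COUNT tls/$2 must hold exactly one file, otherwise cp tls/$2/* tls/$3 fails"
    elif [ ! -f "$1/tls/$3" ]; then
        echo "MISSING tls/$3"
    elif ! cmp -s "$src" "$1/tls/$3"; then
        echo "STALE tls/$3 differs from tls/$2/${src##*/}"
    fi
}

# Print one line per problem found in node directory $1; nothing if consistent.
check_node_dir() {
    check_copy "$1" tlscacerts ca.crt
    check_copy "$1" signcerts server.crt
    check_copy "$1" keystore server.key
    if [ ! -f "$1/msp/admincerts/cert.pem" ]; then echo "MISSING msp/admincerts/cert.pem"; fi
    if [ ! -f "$1/msp/config.yaml" ]; then
        echo "MISSING msp/config.yaml"
        return 0
    fi
    # Every "Certificate:" entry in config.yaml is a path relative to msp/.
    sed -n 's/^[[:space:]]*Certificate:[[:space:]]*//p' "$1/msp/config.yaml" |
        tr -d '"\r' | sort -u |
        while read -r rel; do
            if [ ! -f "$1/msp/$rel" ]; then
                echo "CONFIG config.yaml names $rel, which is not in msp/"
            fi
        done
}

# Constructed stand-in tree: placeholder contents, not real PEM; the cacerts
# file name and the NodeOUs entries are assumptions about a typical config.yaml.
make_sample_node() {
    mkdir -p "$1/msp/cacerts" "$1/msp/admincerts" \
             "$1/tls/tlscacerts" "$1/tls/signcerts" "$1/tls/keystore"
    echo "placeholder CA cert"    > "$1/msp/cacerts/localhost-7054-tjfae-ca-chain-com.pem"
    echo "placeholder admin cert" > "$1/msp/admincerts/cert.pem"
    echo "placeholder TLS CA"     > "$1/tls/tlscacerts/tls-localhost-7054-tjfae-ca-chain-com.pem"
    echo "placeholder TLS cert"   > "$1/tls/signcerts/cert.pem"
    echo "placeholder TLS key"    > "$1/tls/keystore/key_sk"
    cp "$1"/tls/tlscacerts/* "$1/tls/ca.crt"
    cp "$1"/tls/signcerts/*  "$1/tls/server.crt"
    cp "$1"/tls/keystore/*   "$1/tls/server.key"
    cat > "$1/msp/config.yaml" <<'EOF'
NodeOUs:
  Enable: true
  ClientOUIdentifier:
    Certificate: cacerts/localhost-7054-tjfae-ca-chain-com.pem
    OrganizationalUnitIdentifier: client
  OrdererOUIdentifier:
    Certificate: cacerts/localhost-7054-tjfae-ca-chain-com.pem
    OrganizationalUnitIdentifier: orderer
EOF
}

demo=$(mktemp -d)
make_sample_node "$demo/orderer.chain.com"
# Simulate a repeated TLS enrollment, which leaves a second key in tls/keystore.
echo "placeholder new key" > "$demo/orderer.chain.com/tls/keystore/new_sk"
check_node_dir "$demo/orderer.chain.com"
rm -rf "$demo"
```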

2 Modifying the node configuration file

version: '2'

 

# Network declarations: the networks used by all services in this YAML file

networks:

  rootchain:

    # Driver type used by the network; the default is bridge

    driver: bridge

 

services:

  peer0.lzsk1.chain.com:

    container_name: peer0.lzsk1.chain.com

    hostname: peer0.lzsk1.chain.com

    image: hyperledger/fabric-peer:latest

    environment:

      - TZ=Asia/Shanghai

      - CORE_LEDGER_STATE_STATEDATABASE=CouchDB

      # CouchDB address and port
      - CORE_LEDGER_STATE_COUCHDBCONFIG_COUCHDBADDRESS=couchdb1:6984
      # CouchDB user name
      - CORE_LEDGER_STATE_COUCHDBCONFIG_USERNAME=lzsk_dsp
      # CouchDB password
      - CORE_LEDGER_STATE_COUCHDBCONFIG_PASSWORD=lzsk_dsp

      - CORE_PEER_ID=peer0.lzsk1.chain.com

      - CORE_PEER_ADDRESS=peer0.lzsk1.chain.com:8051

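      # Listen address of the peer node. By default the peer listens for requests on all addresses

      - CORE_PEER_LISTENADDRESS=0.0.0.0:8051

      # Address that chaincode uses to connect to this peer.

      - CORE_PEER_CHAINCODEADDRESS=peer0.lzsk1.chain.com:8052

      # Address on which the peer listens for chaincode connection requests. If unset, port 7052 of the peer address is selected automatically

      - CORE_PEER_CHAINCODELISTENADDRESS=peer0.lzsk1.chain.com:8052

      # Endpoint published to peers outside the organization. If unset, the peer will not be known to other organizations.

      - CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer0.lzsk1.chain.com:8051

      # List of bootstrap peers used to initialize gossip; the peer connects to these bootstrap peers at startup.

      # The bootstrap peers listed here must belong to the same organization as this peer, otherwise the connection is rejected.

      - CORE_PEER_GOSSIP_BOOTSTRAP=peer0.lzsk1.chain.com:8051

      # Identifier of the local MSP

      # Deployers must change the value of localMspId! It is especially important that

      # the localMspID value matches one of the MSPs in the channels this peer belongs to,

      # otherwise this peer's messages will be treated as invalid by the other peers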

      - CORE_PEER_LOCALMSPID=Lzsk1MSP

      - CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock

      - FABRIC_LOGGING_SPEC=INFO

      - CORE_LEDGER_HISTORY_ENABLEHISTORYDATABASE=true

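      # Whether the peer uses dynamic leader election; the elected leader connects

      # to the ordering service and pulls ledger blocks from it using the delivery protocol.

      # Enabling leader election is recommended for large networks.

      - CORE_PEER_GOSSIP_USELEADERELECTION=true

      # Whether to statically designate this peer as the organization leader, which maintains the

      # connection to the ordering nodes and distributes blocks to the other peers in the organization.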

      - CORE_PEER_GOSSIP_ORGLEADER=false

      - CORE_PEER_PROFILE_ENABLED=true

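      # Enable TLS authentication of the server.

      - CORE_PEER_TLS_ENABLED=true

      # Path of the peer's X.509 certificate file.

      - CORE_PEER_TLS_CERT_FILE=/etc/hyperledger/fabric/tls/server.crt

      # Path of the peer's private key file.

      - CORE_PEER_TLS_KEY_FILE=/etc/hyperledger/fabric/tls/server.key

      # Path of the root certificate file of the chain that verifies the peer certificate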

      - CORE_PEER_TLS_ROOTCERT_FILE=/etc/hyperledger/fabric/tls/ca.crt

    working_dir: /opt/gopath/src/github.com/hyperledger/fabric/peer

    command: peer node start

    volumes:

      - /var/run/:/host/var/run/

      - ./crypto-config/peerOrganizations/lzsk1.chain.com/peers/peer0.lzsk1.chain.com/msp:/etc/hyperledger/fabric/msp

      - ./crypto-config/peerOrganizations/lzsk1.chain.com/peers/peer0.lzsk1.chain.com/tls:/etc/hyperledger/fabric/tls

      - /root/go/src/github.com/hyperledger/fabric-samples/lzsk/peer0.lzsk1.chain.com:/var/hyperledger/production

    ports:

      - "8051:8051"

      - "8052:8052"

      - "8053:8053"

    depends_on:

      - couchdb1

    networks:

      - rootchain

    extra_hosts:

      #- "orderer117.chain.com:192.168.133.117"

      - "orderer.chain.com:192.168.21.42"

      - "couchdb1:192.168.21.42"

  couchdb1:

    container_name: couchdb1

    image: hyperledger/fabric-couchdb:latest

    environment:

      - TZ=Asia/Shanghai

      - COUCHDB_USER=lzsk_dsp

      - COUCHDB_PASSWORD=lzsk_dsp

    volumes:

      - /root/go/src/github.com/hyperledger/fabric-samples/lzsk/couchdb1:/opt/couchdb/data

    ports:

      - "6984:5984"

    networks:

      - rootchain

 

  cli1:

    container_name: cli1

    image: hyperledger/fabric-tools:latest

    tty: true

    environment:

      - TZ=Asia/Shanghai

      - GOPATH=/opt/gopath

      - CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock

      - FABRIC_LOGGING_SPEC=INFO

      - CORE_PEER_ID=cli

      - CORE_PEER_ADDRESS=peer0.lzsk1.chain.com:8051

      - CORE_PEER_LOCALMSPID=Lzsk1MSP

      - CORE_PEER_TLS_ENABLED=true

      - CORE_PEER_TLS_CERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/lzsk1.chain.com/peers/peer0.lzsk1.chain.com/tls/server.crt

      - CORE_PEER_TLS_KEY_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/lzsk1.chain.com/peers/peer0.lzsk1.chain.com/tls/server.key

      - CORE_PEER_TLS_ROOTCERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/lzsk1.chain.com/peers/peer0.lzsk1.chain.com/tls/ca.crt

      - CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/lzsk1.chain.com/users/Admin@lzsk1.chain.com/msp

    working_dir: /opt/gopath/src/github.com/hyperledger/fabric/peer

    command: /bin/bash

    volumes:

      - /var/run/:/host/var/run/

      - ./chaincode:/opt/gopath/src/github.com/chaincode

      - ./crypto-config:/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/

      - ./channel-artifacts:/opt/gopath/src/github.com/hyperledger/fabric/peer/channel-artifacts

    depends_on:

      - peer0.lzsk1.chain.com

    networks:

      - rootchain

    extra_hosts:

      #- "orderer117.chain.com:192.168.133.117"

      - "orderer.chain.com:192.168.21.42"

      - "peer0.lzsk1.chain.com:192.168.21.42"

After the modifications are complete, start the node with docker.

Command: docker-compose -f <yaml file> up -d
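The compose file above can be checked mechanically for settings that matter once the hosts sit on a shared network: unpinned :latest images, passwords equal to the user name, the host /var/run mount, the profiling switch and a CouchDB port published on every interface. This is an added example, not the author's code; lint_compose and sample_compose are hypothetical names, and the sample is constructed from lines of the file above.

```bash
#!/bin/sh
# Added example: flag risky settings in a compose file like the one above.

# Constructed sample: a trimmed copy of the settings shown on this page.
sample_compose() {
  cat <<'EOF'
services:
  peer0.lzsk1.chain.com:
    image: hyperledger/fabric-peer:latest
    environment:
      - CORE_LEDGER_STATE_COUCHDBCONFIG_USERNAME=lzsk_dsp
      - CORE_LEDGER_STATE_COUCHDBCONFIG_PASSWORD=lzsk_dsp
      - CORE_PEER_PROFILE_ENABLED=true
    volumes:
      - /var/run/:/host/var/run/
  couchdb1:
    image: hyperledger/fabric-couchdb:latest
    environment:
      - COUCHDB_USER=lzsk_dsp
      - COUCHDB_PASSWORD=lzsk_dsp
    ports:
      - "6984:5984"
EOF
}

# lint_compose FILE: print "line: finding" per problem; exit status 1 if any.
lint_compose() {
  awk '
    function val(s) { return substr(s, index(s, "=") + 1) }
    function hit(msg) { print NR ": " msg; n++ }
    { s = $0; sub(/^[ \t]*(-[ \t]*)?/, "", s); gsub(/"/, "", s) }  # strip indent, list dash, quotes
    s ~ /^image:.*:latest$/                { hit("image tag not pinned: " s) }
    s ~ /^\/var\/run\/?:/                  { hit("host /var/run (docker.sock) mounted into container") }
    s ~ /^CORE_PEER_PROFILE_ENABLED=true$/ { hit("Go profiling server enabled") }
    s ~ /^[0-9]+:5984$/                    { hit("CouchDB published on every host interface") }
    s ~ /_(USER|USERNAME)=/                { user = val(s) }
    s ~ /_PASSWORD=/ && val(s) == user     { hit("password is identical to the user name") }
    END { exit (n > 0) }
  ' "$1"
}
# Usage: lint_compose docker-compose.yaml
```

Run against the constructed sample, the function reports seven findings; a file with a pinned image tag, a distinct password and a port bound as 127.0.0.1:6984:5984 passes.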

2.1 Generating the genesis block and the channel

# First change into the blockchain directory, for example: cd /opt/gowork/src/github.com/hyperledger/fabric-samples/rootchain/

# Tell configtxgen where to look for the configtx.yaml file

1. export FABRIC_CFG_PATH=$PWD

# Raft mode: generate the system channel genesis block genesis.block

2. ../bin/configtxgen -profile SampleMultiNodeEtcdRaft -channelID mychannel  -outputBlock ./channel-artifacts/genesis.block



# Create the channel configuration transaction

3. ../bin/configtxgen -profile TwoOrgsChannel -outputCreateChannelTx ./channel-artifacts/mychannel.tx -channelID rootchain



# Create the transactions that update the anchor peers of organizations TjfaeMSP and TjfadcMSP on this channel

4. ../bin/configtxgen -profile TwoOrgsChannel -outputAnchorPeersUpdate ./channel-artifacts/TjfaeMSPanchors.tx -channelID rootchain -asOrg TjfaeMSP

   ../bin/configtxgen -profile TwoOrgsChannel -outputAnchorPeersUpdate ./channel-artifacts/TjfadcMSPanchors.tx -channelID rootchain -asOrg TjfadcMSP



# Send the generated files to the other machines

5.

   scp -r /opt/gowork/src/github.com/hyperledger/fabric-samples/rootchain/channel-artifacts root@192.168.133.112:/opt/gowork/src/github.com/hyperledger/fabric-samples/rootchain/

   scp -r /opt/gowork/src/github.com/hyperledger/fabric-samples/rootchain/channel-artifacts root@192.168.133.119:/opt/gowork/src/github.com/hyperledger/fabric-samples/rootchain/

2.2 Starting the nodes

# Run inside the peer client cli: create the channel

1. peer channel create -o orderer.chain.com:7050 -c rootchain -f ./channel-artifacts/mychannel.tx --tls --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/chain.com/orderers/orderer.chain.com/msp/tlscacerts/tlsca.chain.com-cert.pem



# Run inside the peer client cli: join the channel (other machines must first carry out steps 9-11 before joining the channel)

2. peer channel join -b rootchain.block



# Exit the container: copy the generated mychannel.block file from the container to the host

3. docker cp cli:/opt/gopath/src/github.com/hyperledger/fabric/peer/rootchain.block /opt/



# Send the mychannel.block file to the other machines

4. scp -r /opt/rootchain.block root@192.168.133.113:/opt/gowork/src/github.com/hyperledger/fabric-samples/rootchain/channel-artifacts



# Copy the mychannel.block file from the host into the container, then use the mychannel.block file to join the channel

5. docker cp /opt/gowork/src/github.com/hyperledger/fabric-samples/rootchain/channel-artifacts/rootchain.block cli:/opt/gopath/src/github.com/hyperledger/fabric/peer



   docker cp /opt/rootchain.block cli:/opt/gopath/src/github.com/hyperledger/fabric/peer

⚠️ Every node needs mychannel.block copied into its running container.

2.3 Installing the chaincode

# Run inside the peer client cli: update the anchor peers (every organization has to update its anchor peer; each organization runs this inside its own peer client)

6. peer channel update -o orderer.chain.com:7050 -c rootchain -f ./channel-artifacts/TjfaeMSPanchors.tx --tls --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/chain.com/orderers/orderer.chain.com/msp/tlscacerts/tlsca.chain.com-cert.pem

   peer channel update -o orderer2.chain.com:7050 -c rootchain -f ./channel-artifacts/TjfadcMSPanchors.tx --tls --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/chain.com/orderers/orderer.chain.com/msp/tlscacerts/tlsca.chain.com-cert.pem



# Environment variables

CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/tjfae.chain.com/users/Admin@tjfae.chain.com/msp

CORE_PEER_ADDRESS=peer0.tjfae.chain.com:7051

CORE_PEER_LOCALMSPID="TjfaeMSP"

CORE_PEER_TLS_ROOTCERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/tjfae.chain.com/peers/peer0.tjfae.chain.com/tls/ca.crt



# Install the chaincode on the peer nodes (for several nodes of one organization, switch the environment variables and install on each in turn; the chaincode only needs to be installed on endorsing peers. Each organization runs this inside its own peer client)

7. peer chaincode install -n benefit -v 1.0 -p ../../../chaincode/benefit/ -l java



# Instantiate the chaincode (this only needs to be run on one of the endorsing peers. For later transactions, the other nodes install the chaincode automatically when they receive a transaction request)

8. peer chaincode instantiate -o orderer.chain.com:7050 --tls true --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/chain.com/orderers/orderer.chain.com/msp/tlscacerts/tlsca.chain.com-cert.pem -C rootchain -n benefit -v 1.0 -c '{"Args":["init"]}' -P "AND ('TjfadcMSP.peer','TjfaeMSP.peer')"

   peer chaincode query -C rootchain -n benefit -c '{"Args":["create","{\"name\":\"test\"}","10"]}'

 

3 Analysis of common problems

3.1 MySQL problems

  1. MySQL ERROR 1067: Invalid default value for <column>

Solution:

vi /etc/my.cnf    # add the following setting
 sql_mode=ONLY_FULL_GROUP_BY,STRICT_TRANS_TABLES,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION

  2. ERROR 1067 (42000): Invalid default value for ' '

Solution:

 

3.2 Image version problems

3.3 Errors reported by containers

  1. iptables: No chain/target/match by that name. (exit status 1)

Solution: iptables: No chain/target/match by that name. (exit status 1)

  2. connect error: No route to host(errno:113)

Solution: Method 1: turn off the firewall

On CentOS the firewall is stopped with

systemctl stop firewalld

Method 2: open the specified port on the firewall

firewall-cmd --zone=public --add-port=2181/tcp --permanent

firewall-cmd --reload

  3. Get https://registry-1.docker.io/v2/: dial tcp: lookup registry-1.docker.io: no such host

Solution:

Edit the /etc/resolv.conf file and add a line with a DNS address, for example: nameserver 8.8.4.4

3.4 Browser errors

  1. sudo: psq:找不到命令