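Fabric Multi-Host Deployment Steps
1 Fabric CA generation
1.1 Environment preparation and writing the YAML file
- Load the CA image; choose the version to suit your needs. The version used here is 1.4.4.
- Write the YAML file for the CA.
⚠️ Note: the YAML file must follow the standard format.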
# Version
version: '2'
# Network name
networks:
  rootchain:
# Service definitions
services:
  # Service name
  lzsk.ca.chain.com:
    # Container name
    container_name: lzsk.ca.chain.com
    # Image
    image: hyperledger/fabric-ca
    # Docker container environment
    environment:
      # Path where the CA server generates its certificates
      - FABRIC_CA_SERVER_HOME=/etc/hyperledger/fabric-ca-server
      # Path where the CA client generates certificates, mainly used by the nodes and the SDK
      - FABRIC_CA_CLIENT_HOME=/etc/hyperledger/fabric-ca-client
      # Name of the CA
      - FABRIC_CA_SERVER_CA_NAME=lzsk.ca.chain.com
      # Enable TLS
      - FABRIC_CA_SERVER_TLS_ENABLED=true
      # Common name
      - FABRIC_CA_SERVER_CSR_CN=ca.chain.com
      #- FABRIC_CA_SERVER_CSR_HOSTS=0.0.0.0
      #- FABRIC_CA_SERVER_DEBUG=true
      - FABRIC_CA_SERVER_PORT=7054
    # -b: name and password of the registrar user; this option is required when LDAP is not used.
    # The last two flags allow affiliations and identities to be removed
    command: sh -c 'fabric-ca-server start -b lzsk_dsp:lzsk_dsp --port 7054 --cfg.affiliations.allowremove --cfg.identities.allowremove'
    volumes:
      # Host-to-container path mappings
      - "./lzsk.ca.chain.com:/etc/hyperledger/fabric-ca-server"
      - "./crypto-config:/etc/hyperledger/fabric-ca-client"
    # Published port
    ports:
      - 7054:7054
    # Network name
    networks:
      - rootchain
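- Start the YAML file written in step 2.
Command: docker-compose -f <yaml file> up -d
- Stop the Docker container.
After the start in step 3, the corresponding persistent files are generated, following the mappings from step 2:
# Host-to-container path mappings
- "./lzsk.ca.chain.com:/etc/hyperledger/fabric-ca-server"
- "./crypto-config:/etc/hyperledger/fabric-ca-client"
On the host there is now a YAML file under ./lzsk.ca.chain.com.
Edit that file: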
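version: 1.4.4
# Port the service listens on
port: 7054
# Cross-origin resource sharing (CORS)
cors:
  enabled: false
  origins:
    - "*"
# Whether to enable DEBUG mode, which prints more debugging information
debug: false
# Size limit of an acceptable CRL, in bytes (default: 512000)
# A certificate has a specified lifetime, but the CA can shorten it through a process called certificate revocation.
# The CA publishes a certificate revocation list (CRL) listing the serial numbers of certificates that must no longer be used.
crlsizelimit: 512000
#############################################################################
#
# Whether TLS is enabled on the server and, if it is, the certificate used for
# authentication and the private key used for signing
#
#############################################################################
tls:
  # Whether to enable TLS; disabled by default
  enabled: true
  # TLS certificate file
  certfile:
  # TLS key file
  keyfile:
  # Client authentication settings
  clientauth:
    # No client authentication by default
    type: noclientcert
    # List of trusted certificate files used when client authentication is performed
    certfiles:
#############################################################################
#
# Includes the instance name, the signing private key file, the identity
# certificate and the certificate chain file; these private key and certificate
# files are used as the root certificate for generating ECerts and TCerts
#
#############################################################################
ca:
  # CA service name. Multiple services can be supported
  name: ca.chain.com
  # Key file (default: ca-key.pem)
  keyfile:
  # Certificate file (default: ca-cert.pem)
  certfile:
  # Certificate chain file (default: chain-cert.pem)
  chainfile:
#############################################################################
# The gencrl REST endpoint is used to generate a CRL that contains revoked
# certificates. This section contains configuration options that are used
# during gencrl request processing.
#############################################################################
crl:
  # Expiry time for the generated CRL.
  # The number of hours specified by this property is added to the UTC time;
  # the resulting time is used to set the "Next Update" date of the CRL.
  expiry: 1h
#############################################################################
#
# Used when fabric-ca-server itself manages user registration; in that case LDAP
# must be disabled, otherwise fabric-ca-server forwards registration lookups to LDAP
#
#############################################################################
registry:
  # Maximum number of enrollments allowed for the same user name and password; -1 means unlimited, 0 means enrollment is not supported
  maxenrollments: -1
  # Registered identities that may enroll. Only takes effect when LDAP is not enabled
  identities:
    - name: lzsk_dsp
      pass: lzsk_dsp
      type: client
      affiliation: ""
      attrs:
        hf.Registrar.Roles: "*"
        hf.Registrar.DelegateRoles: "*"
        hf.Revoker: true
        # Whether this identity is an intermediate CA
        hf.IntermediateCA: true
        hf.GenCRL: true
        hf.Registrar.Attributes: "*"
        hf.AffiliationMgr: true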
#############################################################################
#
# The database can be SQLite3, MySQL or Postgres. The default is a local SQLite3 database.
# To configure a cluster, use a MySQL or Postgres backend
# and deploy a load balancer (such as Nginx or HAProxy) in front
#
#############################################################################
db:
  type: mysql
  datasource: root:tjfae_dsp@tcp(192.168.21.42:3306)/lzsk_ca?parseTime=true
  tls:
    # Whether to use TLS to connect to the database
    enabled: false
    # List of trusted root certificate files in PEM format, comma-separated
    certfiles:
    client:
      # Client certificate file in PEM format
      certfile:
      # Private key file of the client certificate, in PEM format
      keyfile:
#############################################################################
#
# Use a remote LDAP server for registration management: it authenticates the
# enrollment user name and password and supplies the user's attributes. The server
# fetches the matching user from LDAP according to the configured usrfilter and
# verifies it using its distinguished name and the given password.
# When LDAP is enabled, the settings under registry are ignored
#
#############################################################################
ldap:
  # Whether to enable LDAP; disabled by default
  enabled: false
  # Address of the LDAP service
  url: ldap://<adminDN>:<adminPassword>@<host>:<port>/<base>
  # TLS settings for the client connection to the LDAP server
  tls:
    # TLS root certificate(s) of the LDAP server in PEM format; several may be given, comma-separated
    certfiles:
    client:
      # Client certificate file in PEM format
      certfile:
      # Private key file of the client certificate, in PEM format
      keyfile:
  # Attribute related configuration for mapping from LDAP entries to Fabric CA attributes
  attribute:
    # 'names' is an array of strings containing the LDAP attribute names which are
    # requested from the LDAP server for an LDAP identity's entry
    names: ['uid','member']
    # The 'converters' section is used to convert an LDAP entry to the value of
    # a fabric CA attribute.
    # For example, the following converts an LDAP 'uid' attribute
    # whose value begins with 'revoker' to a fabric CA attribute
    # named "hf.Revoker" with a value of "true" (because the boolean expression
    # evaluates to true).
    #    converters:
    #       - name: hf.Revoker
    #         value: attr("uid") =~ "revoker*"
    converters:
      - name:
        value:
    # The 'maps' section contains named maps which may be referenced by the 'map'
    # function in the 'converters' section to map LDAP responses to arbitrary values.
    # For example, assume a user has an LDAP attribute named 'member' which has multiple
    # values which are each a distinguished name (i.e. a DN). For simplicity, assume the
    # values of the 'member' attribute are 'dn1', 'dn2', and 'dn3'.
    # Further assume the following configuration.
    #    converters:
    #       - name: hf.Registrar.Roles
    #         value: map(attr("member"),"groups")
    #    maps:
    #       groups:
    #          - name: dn1
    #            value: peer
    #          - name: dn2
    #            value: client
    # The value of the user's 'hf.Registrar.Roles' attribute is then computed to be
    # "peer,client,dn3". This is because the value of 'attr("member")' is
    # "dn1,dn2,dn3", and the call to 'map' with a 2nd argument of
    # "groups" replaces "dn1" with "peer" and "dn2" with "client".
    maps:
      groups:
        - name:
          value:
#############################################################################
#
# Organization structure configuration
#
#############################################################################
affiliations:
  org1:
    - department1
    - department2
  org2:
    - department1
#############################################################################
#
# Certificate-signing settings, including the signing method and certificate expiry.
# fabric-ca-server can act as the issuing CA for user certificates (the default),
# or as a root CA that in turn supports intermediate CAs
#
#############################################################################
signing:
  # Used by default to sign ECerts
  default:
    # KeyUsage extension of the issued certificates
    usage:
      - digital signature
    # One year
    expiry: 8760h
  # Other signing profiles
  profiles:
    # Profile template used when signing intermediate CA certificates
    ca:
      usage:
        # KeyUsage extension of the issued certificates
        - cert sign
        - crl sign
      expiry: 43800h
      caconstraint:
        isca: true
        # Prevent this intermediate CA from signing further intermediate CAs
        maxpathlen: 0
    tls:
      usage:
        - signing
        - key encipherment
        - server auth
        - client auth
        - key agreement
      expiry: 8760h
###########################################################################
#
# Certificate signing request settings for the CA's own certificate. When the CA acts
# as a root CA, a self-signed certificate is generated from the request; when it acts as
# an intermediate CA, the request is sent to the parent root CA for signing.
# The generated ca-cert.pem file is a self-signed certificate
###########################################################################
csr:
  # Common name
  cn: ca.chain.com
  keyrequest:
    algo: ecdsa
    size: 256
  names:
    # Country
    - C: China
      # State or province
      ST: "BeiJing"
      # Locality or city
      L: BeiJing
      # Organization name
      O: chain
      # Organizational unit name
      OU: LZSKMSP
  hosts:
    - lzsk.ca.chain.com
    - localhost
  # Once configured, these are added to the certificate's extension fields
  ca:
    # The CA root certificate is valid for 15 years by default
    expiry: 131400h
    # Allowed depth of intermediate certificates
    pathlength: 1
###########################################################################
# Each CA can issue both X509 enrollment certificate as well as Idemix
# Credential. This section specifies configuration for the issuer component
# that is responsible for issuing Idemix credentials.
###########################################################################
idemix:
  # Specifies pool size for revocation handles. A revocation handle is a unique identifier of an
  # Idemix credential. The issuer will create a pool of revocation handles of this specified size. When
  # a credential is requested, issuer will get handle from the pool and assign it to the credential.
  # Issuer will repopulate the pool with new handles when the last handle in the pool is used.
  # A revocation handle and credential revocation information (CRI) are used to create non revocation proof
  # by the prover to prove to the verifier that her credential is not revoked.
  rhpoolsize: 1000
  # The Idemix credential issuance is a two step process. First step is to get a nonce from the issuer
  # and second step is to send a credential request that is constructed using the nonce to the issuer to
  # request a credential. This configuration property specifies expiration for the nonces. By default,
  # nonces expire after 15 seconds. The value is expressed in the time.Duration format (see https://golang.org/pkg/time/#ParseDuration).
  nonceexpiration: 15s
  # Specifies interval at which expired nonces are removed from datastore. Default value is 15 minutes.
  # The value is expressed in the time.Duration format (see https://golang.org/pkg/time/#ParseDuration)
  noncesweepinterval: 15m
#############################################################################
#
# Settings for the selected crypto library
# Keys used by the BCCSP (BlockChain Crypto Service Provider) are stored in msp/keystore
#############################################################################
bccsp:
  default: SW
  sw:
    hash: SHA2
    security: 256
    filekeystore:
      # Path where key files are stored
      keystore: msp/keystore
# Automatically create additional CA instances besides the default CA, e.g. ca1, ca2
cacount:
# Paths of several CA configuration files may be given; each file starts one CA service. Avoid conflicts between the files (service port, TLS certificates, etc.)
cafiles:
#############################################################################
#
# Settings used when this CA runs as an intermediate CA: the parent CA's address and name, enrollment information, TLS settings, etc.
# Note: a non-empty intermediate.parentserver.url means this CA is an intermediate CA;
# otherwise it is a root CA
#
#############################################################################
intermediate:
  # Parent CA information
  parentserver:
    url:
    caname:
  # Enrollment information on the parent CA side
  enrollment:
    # List of certificate host names
    hosts:
    # Profile used for signing
    profile:
    # Label used in HSM operations
    label:
  # TLS settings
  tls:
    # Trusted root CA certificates
    certfiles:
    # Files used when client authentication is enabled
    client:
      certfile:
      keyfile:
#############################################################################
# CA configuration section
#
# Configure the number of incorrect password attempts allowed for
# identities. By default, the value of 'passwordattempts' is 10, which
# means that 10 incorrect password attempts can be made before an identity gets
# locked out.
#############################################################################
cfg:
  identities:
    passwordattempts: 10
###############################################################################
#
# Operations section
#
###############################################################################
operations:
  # host and port for the operations server
  listenAddress: 127.0.0.1:9443
  # TLS configuration for the operations endpoint
  tls:
    # TLS enabled
    enabled: false
    # path to PEM encoded server certificate for the operations server
    cert:
      file:
    # path to PEM encoded server key for the operations server
    key:
      file:
    # require client certificate authentication to access all resources
    clientAuthRequired: false
    # paths to PEM encoded ca certificates to trust for client authentication
    clientRootCAs:
      files: []
###############################################################################
#
# Metrics section
#
###############################################################################
metrics:
  # statsd, prometheus, or disabled
  provider: disabled
  # statsd configuration
  statsd:
    # network type: tcp or udp
    network: udp
    # statsd server address
    address: 127.0.0.1:8125
    # the interval at which locally cached counters and gauges are pushed
    # to statsd; timings are pushed immediately
    writeInterval: 10s
    # prefix is prepended to all emitted statsd metrics
    prefix: server
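- After the configuration is complete, restart the Docker container.
1.2 Generating certificates inside the container
1.2.1 Registering the administrator users for the orderer and peer nodes
# 1. Create the CA administrator folder
mkdir -p ${FABRIC_CA_CLIENT_HOME}/tjfae_admin
# 2. Generate the credentials of the fabric-ca admin
# Set the environment variable
export FABRIC_CA_CLIENT_HOME=${FABRIC_CA_CLIENT_HOME}/tjfae_admin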
fabric-ca-client enroll -u https://tjfae_dsp:tjfae_dsp@localhost:7054 --caname tjfae.ca.chain.com --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem
# 3. List the affiliations (as the admin user)
fabric-ca-client -H ${FABRIC_CA_CLIENT_HOME} affiliation list --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem
# 4. Remove the default affiliation
fabric-ca-client -H ${FABRIC_CA_CLIENT_HOME} affiliation remove --force org1 --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem
⚠️ Make sure the default affiliations are removed completely.
# 5. Create the affiliations
fabric-ca-client -H ${FABRIC_CA_CLIENT_HOME} affiliation add com --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem
fabric-ca-client -H ${FABRIC_CA_CLIENT_HOME} affiliation add com.chain --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem
fabric-ca-client -H ${FABRIC_CA_CLIENT_HOME} affiliation add com.chain.tjfae --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem
fabric-ca-client -H ${FABRIC_CA_CLIENT_HOME} affiliation add com.chain.tjfadc --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem
⚠️ The parts in red are the affiliation names; choose them to suit your own deployment.
# 6. Prepare the MSP for each organization and generate the node-type classification config file
mkdir -p /etc/hyperledger/fabric-ca-client/ordererOrganizations/chain.com/msp
mkdir -p /etc/hyperledger/fabric-ca-client/peerOrganizations/tjfae.chain.com/msp
fabric-ca-client getcacert -M /etc/hyperledger/fabric-ca-client/ordererOrganizations/chain.com/msp --caname tjfae.ca.chain.com --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem
fabric-ca-client getcacert -M /etc/hyperledger/fabric-ca-client/peerOrganizations/tjfae.chain.com/msp --caname tjfae.ca.chain.com --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem
Copy config.yaml to ordererOrganizations/chain.com/msp/config.yaml. The file names specified inside config.yaml must match those in the actual directory.
Copy config.yaml to peerOrganizations/tjfae.chain.com/msp/config.yaml. The file names specified inside config.yaml must match those in the actual directory.
# 7. Register the administrator of each organization
fabric-ca-client enroll -u https://tjfae_dsp:tjfae_dsp@localhost:7054 --caname tjfae.ca.chain.com --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem
⚠️ This step must be executed, otherwise an error is reported.
fabric-ca-client register -u https://tjfae_dsp:tjfae_dsp@localhost:7054 --caname tjfae.ca.chain.com --id.name Admin@chain.com --id.secret tjfae_dsp --id.type admin --id.affiliation com.chain --id.attrs '"hf.Registrar.Roles=client,orderer,peer,admin","hf.Registrar.DelegateRoles=client,orderer,peer,admin",hf.Registrar.Attributes=*,hf.GenCRL=true,hf.Revoker=true,hf.AffiliationMgr=true,hf.IntermediateCA=true,role=admin:ecert' --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem
fabric-ca-client register -u https://tjfae_dsp:tjfae_dsp@localhost:7054 --caname tjfae.ca.chain.com --id.name Admin@tjfae.chain.com --id.secret tjfae_dsp --id.type admin --id.affiliation com.chain.tjfae --id.attrs '"hf.Registrar.Roles=client,orderer,peer,admin","hf.Registrar.DelegateRoles=client,orderer,peer,admin",hf.Registrar.Attributes=*,hf.GenCRL=true,hf.Revoker=true,hf.AffiliationMgr=true,hf.IntermediateCA=true,role=admin:ecert' --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem
# 8. Generate the credentials of each organization's administrator
mkdir -p /etc/hyperledger/fabric-ca-client/ordererOrganizations/chain.com/users/Admin@chain.com
mkdir -p /etc/hyperledger/fabric-ca-client/peerOrganizations/tjfae.chain.com/users/Admin@tjfae.chain.com
fabric-ca-client enroll -u https://Admin@chain.com:tjfae_dsp@localhost:7054 --caname tjfae.ca.chain.com -H /etc/hyperledger/fabric-ca-client/ordererOrganizations/chain.com/users/Admin@chain.com --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem
fabric-ca-client enroll -u https://Admin@tjfae.chain.com:tjfae_dsp@localhost:7054 --caname tjfae.ca.chain.com -H /etc/hyperledger/fabric-ca-client/peerOrganizations/tjfae.chain.com/users/Admin@tjfae.chain.com --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem
cp /etc/hyperledger/fabric-ca-client/ordererOrganizations/chain.com/msp/config.yaml /etc/hyperledger/fabric-ca-client/ordererOrganizations/chain.com/users/Admin@chain.com/msp/config.yaml
cp /etc/hyperledger/fabric-ca-client/peerOrganizations/tjfae.chain.com/msp/config.yaml /etc/hyperledger/fabric-ca-client/peerOrganizations/tjfae.chain.com/users/Admin@tjfae.chain.com/msp/config.yaml
# 9. Copy the certificate of Admin@chain.com to chain.com/msp/admincerts/
mkdir /etc/hyperledger/fabric-ca-client/ordererOrganizations/chain.com/msp/admincerts/
mkdir /etc/hyperledger/fabric-ca-client/peerOrganizations/tjfae.chain.com/msp/admincerts/
cp /etc/hyperledger/fabric-ca-client/ordererOrganizations/chain.com/users/Admin@chain.com/msp/signcerts/cert.pem /etc/hyperledger/fabric-ca-client/ordererOrganizations/chain.com/msp/admincerts/
cp /etc/hyperledger/fabric-ca-client/peerOrganizations/tjfae.chain.com/users/Admin@tjfae.chain.com/msp/signcerts/cert.pem /etc/hyperledger/fabric-ca-client/peerOrganizations/tjfae.chain.com/msp/admincerts/
# List the affiliations
fabric-ca-client -H /etc/hyperledger/fabric-ca-client/ordererOrganizations/chain.com/users/Admin@chain.com affiliation list --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem
fabric-ca-client -H /etc/hyperledger/fabric-ca-client/peerOrganizations/tjfae.chain.com/users/Admin@tjfae.chain.com affiliation list --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem
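The requirement above that the file names inside config.yaml match the real directory can be checked mechanically before a node is started. The following is an added example, not part of the original page: check_msp_config and demo_msp_check are hypothetical helper names, and the NodeOUs contents and certificate file names in the demo are constructed, since the page does not show its config.yaml.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): check that every certificate
# path referenced by an MSP's config.yaml exists inside that MSP directory.
# Fabric resolves each "Certificate:" value relative to the MSP directory.

# check_msp_config <msp_dir>
#   prints one OK/MISSING line per referenced file
#   returns 0 = all present, 1 = at least one missing, 2 = nothing to check
check_msp_config() {
    msp_dir=$1
    cfg="$msp_dir/config.yaml"
    if [ ! -f "$cfg" ]; then
        echo "MISSING $cfg"
        return 2
    fi

    # Values of all "Certificate:" keys, without quotes, CRs or trailing comments
    refs=$(sed -n 's/^[[:space:]]*Certificate:[[:space:]]*//p' "$cfg" \
        | tr -d "\"'\r" \
        | sed 's/[[:space:]]*#.*$//; s/[[:space:]]*$//')
    if [ -z "$refs" ]; then
        echo "NOREFS  $cfg has no Certificate entries"
        return 2
    fi

    missing=0
    while IFS= read -r rel; do
        [ -n "$rel" ] || continue
        if [ -f "$msp_dir/$rel" ]; then
            echo "OK      $rel"
        else
            have=$(ls "$msp_dir/cacerts" 2>/dev/null | tr '\n' ' ')
            echo "MISSING $rel (cacerts contains: $have)"
            missing=$((missing + 1))
        fi
    done <<EOF
$refs
EOF
    [ "$missing" -eq 0 ]
}

# Constructed demo: config.yaml was written for the organization MSP, whose CA
# certificate was fetched through https://localhost:7054, and then copied into
# a node MSP that was enrolled through a different (constructed) CA host name,
# so the file under cacerts/ has another name there.
demo_msp_check() {
    tmp=$(mktemp -d)
    org="$tmp/org/msp"
    node="$tmp/node/msp"
    mkdir -p "$org/cacerts" "$node/cacerts"
    : > "$org/cacerts/localhost-7054-tjfae-ca-chain-com.pem"
    : > "$node/cacerts/ca-host-7054-tjfae-ca-chain-com.pem"
    cat > "$org/config.yaml" <<'YAML'
NodeOUs:
  Enable: true
  ClientOUIdentifier:
    Certificate: cacerts/localhost-7054-tjfae-ca-chain-com.pem
    OrganizationalUnitIdentifier: client
  PeerOUIdentifier:
    Certificate: "cacerts/localhost-7054-tjfae-ca-chain-com.pem"  # quoted form
    OrganizationalUnitIdentifier: peer
YAML
    cp "$org/config.yaml" "$node/config.yaml"
    check_msp_config "$org"  && org_rc=0  || org_rc=$?
    check_msp_config "$node" && node_rc=0 || node_rc=$?
    rm -rf "$tmp"
    echo "org=$org_rc node=$node_rc"
}

demo_msp_check
```

Run it against each directory that receives a copy of config.yaml, for example the users/Admin@chain.com/msp and orderers/*/msp directories created in the following steps.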
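1.2.2 Registering the ordinary orderer-node users with the administrator account
# 17. Use the administrator account to register the users and generate their credentials
export FABRIC_CA_CLIENT_HOME=/etc/hyperledger/fabric-ca-client/ordererOrganizations/chain.com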
fabric-ca-client register -u https://Admin@chain.com:tjfae_dsp@localhost:7054 -H ${FABRIC_CA_CLIENT_HOME}/users/Admin@chain.com --caname tjfae.ca.chain.com --id.name orderer.chain.com --id.secret tjfae_dsp --id.type orderer --id.affiliation com.chain --id.attrs 'role=orderer:ecert' --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem
fabric-ca-client register -u https://Admin@chain.com:tjfae_dsp@localhost:7054 -H ${FABRIC_CA_CLIENT_HOME}/users/Admin@chain.com --caname tjfae.ca.chain.com --id.name orderer2.chain.com --id.secret tjfae_dsp --id.type orderer --id.affiliation com.chain --id.attrs 'role=orderer:ecert' --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem
fabric-ca-client register -u https://Admin@chain.com:tjfae_dsp@localhost:7054 -H ${FABRIC_CA_CLIENT_HOME}/users/Admin@chain.com --caname tjfae.ca.chain.com --id.name orderer3.chain.com --id.secret tjfae_dsp --id.type orderer --id.affiliation com.chain --id.attrs 'role=orderer:ecert' --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem
# 18. Create a folder for each of the users just created, to store their certificate files
mkdir -p ${FABRIC_CA_CLIENT_HOME}/orderers
mkdir -p ${FABRIC_CA_CLIENT_HOME}/orderers/orderer.chain.com
mkdir -p ${FABRIC_CA_CLIENT_HOME}/orderers/orderer2.chain.com
mkdir -p ${FABRIC_CA_CLIENT_HOME}/orderers/orderer3.chain.com
# 19. Obtain the MSP certificate files of each orderer node
fabric-ca-client enroll -u https://orderer.chain.com:tjfae_dsp@localhost:7054 --caname tjfae.ca.chain.com -H ${FABRIC_CA_CLIENT_HOME}/orderers/orderer.chain.com --csr.hosts orderer.chain.com --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem
fabric-ca-client enroll -u https://orderer2.chain.com:tjfae_dsp@localhost:7054 --caname tjfae.ca.chain.com -H ${FABRIC_CA_CLIENT_HOME}/orderers/orderer2.chain.com --csr.hosts orderer2.chain.com --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem
fabric-ca-client enroll -u https://orderer3.chain.com:tjfae_dsp@localhost:7054 --caname tjfae.ca.chain.com -H ${FABRIC_CA_CLIENT_HOME}/orderers/orderer3.chain.com --csr.hosts orderer3.chain.com --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem
# 20. Obtain the TLS certificate files of each orderer node
fabric-ca-client enroll -u https://orderer.chain.com:tjfae_dsp@localhost:7054 --caname tjfae.ca.chain.com -M ${FABRIC_CA_CLIENT_HOME}/orderers/orderer.chain.com/tls --enrollment.profile tls --csr.hosts orderer.chain.com --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem
fabric-ca-client enroll -u https://orderer2.chain.com:tjfae_dsp@localhost:7054 --caname tjfae.ca.chain.com -M ${FABRIC_CA_CLIENT_HOME}/orderers/orderer2.chain.com/tls --enrollment.profile tls --csr.hosts orderer2.chain.com --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem
fabric-ca-client enroll -u https://orderer3.chain.com:tjfae_dsp@localhost:7054 --caname tjfae.ca.chain.com -M ${FABRIC_CA_CLIENT_HOME}/orderers/orderer3.chain.com/tls --enrollment.profile tls --csr.hosts orderer3.chain.com --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem
# Copy the node-type classification config file generated earlier into each node's MSP folder
cp ${FABRIC_CA_CLIENT_HOME}/msp/config.yaml ${FABRIC_CA_CLIENT_HOME}/orderers/orderer.chain.com/msp/config.yaml
cp ${FABRIC_CA_CLIENT_HOME}/msp/config.yaml ${FABRIC_CA_CLIENT_HOME}/orderers/orderer2.chain.com/msp/config.yaml
cp ${FABRIC_CA_CLIENT_HOME}/msp/config.yaml ${FABRIC_CA_CLIENT_HOME}/orderers/orderer3.chain.com/msp/config.yaml
# 21. Rename each node's TLS certificate and key files for easier use later
cp ${FABRIC_CA_CLIENT_HOME}/orderers/orderer.chain.com/tls/tlscacerts/* ${FABRIC_CA_CLIENT_HOME}/orderers/orderer.chain.com/tls/ca.crt
cp ${FABRIC_CA_CLIENT_HOME}/orderers/orderer.chain.com/tls/signcerts/* ${FABRIC_CA_CLIENT_HOME}/orderers/orderer.chain.com/tls/server.crt
cp ${FABRIC_CA_CLIENT_HOME}/orderers/orderer.chain.com/tls/keystore/* ${FABRIC_CA_CLIENT_HOME}/orderers/orderer.chain.com/tls/server.key
cp ${FABRIC_CA_CLIENT_HOME}/orderers/orderer2.chain.com/tls/tlscacerts/* ${FABRIC_CA_CLIENT_HOME}/orderers/orderer2.chain.com/tls/ca.crt
cp ${FABRIC_CA_CLIENT_HOME}/orderers/orderer2.chain.com/tls/signcerts/* ${FABRIC_CA_CLIENT_HOME}/orderers/orderer2.chain.com/tls/server.crt
cp ${FABRIC_CA_CLIENT_HOME}/orderers/orderer2.chain.com/tls/keystore/* ${FABRIC_CA_CLIENT_HOME}/orderers/orderer2.chain.com/tls/server.key
cp ${FABRIC_CA_CLIENT_HOME}/orderers/orderer3.chain.com/tls/tlscacerts/* ${FABRIC_CA_CLIENT_HOME}/orderers/orderer3.chain.com/tls/ca.crt
cp ${FABRIC_CA_CLIENT_HOME}/orderers/orderer3.chain.com/tls/signcerts/* ${FABRIC_CA_CLIENT_HOME}/orderers/orderer3.chain.com/tls/server.crt
cp ${FABRIC_CA_CLIENT_HOME}/orderers/orderer3.chain.com/tls/keystore/* ${FABRIC_CA_CLIENT_HOME}/orderers/orderer3.chain.com/tls/server.key
# 22. Create a tlscacerts folder inside the MSP folder and copy the TLS file into it
mkdir ${FABRIC_CA_CLIENT_HOME}/orderers/orderer.chain.com/msp/tlscacerts
mkdir ${FABRIC_CA_CLIENT_HOME}/orderers/orderer2.chain.com/msp/tlscacerts
mkdir ${FABRIC_CA_CLIENT_HOME}/orderers/orderer3.chain.com/msp/tlscacerts
cp ${FABRIC_CA_CLIENT_HOME}/orderers/orderer.chain.com/tls/tlscacerts/* ${FABRIC_CA_CLIENT_HOME}/orderers/orderer.chain.com/msp/tlscacerts/tlsca.chain.com-cert.pem
cp ${FABRIC_CA_CLIENT_HOME}/orderers/orderer2.chain.com/tls/tlscacerts/* ${FABRIC_CA_CLIENT_HOME}/orderers/orderer2.chain.com/msp/tlscacerts/tlsca.chain.com-cert.pem
cp ${FABRIC_CA_CLIENT_HOME}/orderers/orderer3.chain.com/tls/tlscacerts/* ${FABRIC_CA_CLIENT_HOME}/orderers/orderer3.chain.com/msp/tlscacerts/tlsca.chain.com-cert.pem
# 23. Copy the TLS root certificate
mkdir -p ${FABRIC_CA_CLIENT_HOME}/msp/tlscacerts
cp ${FABRIC_CA_CLIENT_HOME}/orderers/orderer.chain.com/tls/tlscacerts/* ${FABRIC_CA_CLIENT_HOME}/msp/tlscacerts/tlsca.chain.com-cert.pem
# 24. Copy the certificate of Admin@chain.com to /chain.com/orderers/orderer.chain.com/msp/admincerts
mkdir ${FABRIC_CA_CLIENT_HOME}/orderers/orderer.chain.com/msp/admincerts
mkdir ${FABRIC_CA_CLIENT_HOME}/orderers/orderer2.chain.com/msp/admincerts
mkdir ${FABRIC_CA_CLIENT_HOME}/orderers/orderer3.chain.com/msp/admincerts
cp ${FABRIC_CA_CLIENT_HOME}/users/Admin@chain.com/msp/signcerts/cert.pem ${FABRIC_CA_CLIENT_HOME}/orderers/orderer.chain.com/msp/admincerts
cp ${FABRIC_CA_CLIENT_HOME}/users/Admin@chain.com/msp/signcerts/cert.pem ${FABRIC_CA_CLIENT_HOME}/orderers/orderer2.chain.com/msp/admincerts
cp ${FABRIC_CA_CLIENT_HOME}/users/Admin@chain.com/msp/signcerts/cert.pem ${FABRIC_CA_CLIENT_HOME}/orderers/orderer3.chain.com/msp/admincerts
1.2.3 Registering the ordinary peer-node users with the administrator account
# 25. Create subfolders to store the certificate files
export FABRIC_CA_CLIENT_HOME=/etc/hyperledger/fabric-ca-client/peerOrganizations/tjfae.chain.com/
# 26. Register four users: peer0, peer1, user1 and tjfaeAdmin. The peers are required, user1 is used for testing, and Admin@tjfae.chain.com is the Admin user; installing and instantiating chaincode requires the Admin user's certificate
fabric-ca-client register -u https://Admin@tjfae.chain.com:tjfae_dsp@localhost:7054 -H ${FABRIC_CA_CLIENT_HOME}/users/Admin@tjfae.chain.com --caname tjfae.ca.chain.com --id.name tjfae_peer0 --id.secret tjfae_dsp --id.type peer --id.affiliation com.chain.tjfae --id.attrs '"hf.Registrar.Roles=peer",role=peer:ecert' --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem
fabric-ca-client register -u https://Admin@tjfae.chain.com:tjfae_dsp@localhost:7054 -H ${FABRIC_CA_CLIENT_HOME}/users/Admin@tjfae.chain.com --caname tjfae.ca.chain.com --id.name tjfae_peer1 --id.secret tjfae_dsp --id.type peer --id.affiliation com.chain.tjfae --id.attrs '"hf.Registrar.Roles=peer",role=peer:ecert' --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem
fabric-ca-client register -u https://Admin@tjfae.chain.com:tjfae_dsp@localhost:7054 -H ${FABRIC_CA_CLIENT_HOME}/users/Admin@tjfae.chain.com --caname tjfae.ca.chain.com --id.name User1@tjfae.chain.com --id.secret tjfae_dsp --id.type client --id.affiliation com.chain.tjfae --id.attrs '"hf.Registrar.Roles=client",role=client:ecert' --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem
# 26. Create a folder for each of the users just created, to store their certificate files
mkdir -p ${FABRIC_CA_CLIENT_HOME}/peers
mkdir -p ${FABRIC_CA_CLIENT_HOME}/peers/peer0.tjfae.chain.com
mkdir -p ${FABRIC_CA_CLIENT_HOME}/peers/peer1.tjfae.chain.com
# 27. MSP files
fabric-ca-client enroll -u https://tjfae_peer0:tjfae_dsp@localhost:7054 --caname tjfae.ca.chain.com -M ${FABRIC_CA_CLIENT_HOME}/peers/peer0.tjfae.chain.com/msp --csr.hosts peer0.tjfae.chain.com --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem
fabric-ca-client enroll -u https://tjfae_peer1:tjfae_dsp@localhost:7054 --caname tjfae.ca.chain.com -M ${FABRIC_CA_CLIENT_HOME}/peers/peer1.tjfae.chain.com/msp --csr.hosts peer1.tjfae.chain.com --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem
# 28. TLS certificates
fabric-ca-client enroll -u https://tjfae_peer0:tjfae_dsp@localhost:7054 --caname tjfae.ca.chain.com -M ${FABRIC_CA_CLIENT_HOME}/peers/peer0.tjfae.chain.com/tls --enrollment.profile tls --csr.hosts peer0.tjfae.chain.com --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem
fabric-ca-client enroll -u https://tjfae_peer1:tjfae_dsp@localhost:7054 --caname tjfae.ca.chain.com -M ${FABRIC_CA_CLIENT_HOME}/peers/peer1.tjfae.chain.com/tls --enrollment.profile tls --csr.hosts peer1.tjfae.chain.com --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem
# 29. Copy the node classification config file
cp ${FABRIC_CA_CLIENT_HOME}/msp/config.yaml ${FABRIC_CA_CLIENT_HOME}/peers/peer0.tjfae.chain.com/msp/config.yaml
cp ${FABRIC_CA_CLIENT_HOME}/msp/config.yaml ${FABRIC_CA_CLIENT_HOME}/peers/peer1.tjfae.chain.com/msp/config.yaml
# 30. Rename the certificate and key files for easier use later
cp ${FABRIC_CA_CLIENT_HOME}/peers/peer0.tjfae.chain.com/tls/tlscacerts/* ${FABRIC_CA_CLIENT_HOME}/peers/peer0.tjfae.chain.com/tls/ca.crt
cp ${FABRIC_CA_CLIENT_HOME}/peers/peer0.tjfae.chain.com/tls/signcerts/* ${FABRIC_CA_CLIENT_HOME}/peers/peer0.tjfae.chain.com/tls/server.crt
cp ${FABRIC_CA_CLIENT_HOME}/peers/peer0.tjfae.chain.com/tls/keystore/* ${FABRIC_CA_CLIENT_HOME}/peers/peer0.tjfae.chain.com/tls/server.key
cp ${FABRIC_CA_CLIENT_HOME}/peers/peer1.tjfae.chain.com/tls/tlscacerts/* ${FABRIC_CA_CLIENT_HOME}/peers/peer1.tjfae.chain.com/tls/ca.crt
cp ${FABRIC_CA_CLIENT_HOME}/peers/peer1.tjfae.chain.com/tls/signcerts/* ${FABRIC_CA_CLIENT_HOME}/peers/peer1.tjfae.chain.com/tls/server.crt
cp ${FABRIC_CA_CLIENT_HOME}/peers/peer1.tjfae.chain.com/tls/keystore/* ${FABRIC_CA_CLIENT_HOME}/peers/peer1.tjfae.chain.com/tls/server.key
# 31. Copy the TLS-related certificates
mkdir ${FABRIC_CA_CLIENT_HOME}/msp/tlscacerts
cp ${FABRIC_CA_CLIENT_HOME}/peers/peer0.tjfae.chain.com/tls/tlscacerts/* ${FABRIC_CA_CLIENT_HOME}/msp/tlscacerts/ca.crt
mkdir ${FABRIC_CA_CLIENT_HOME}/tlsca
cp ${FABRIC_CA_CLIENT_HOME}/peers/peer0.tjfae.chain.com/tls/tlscacerts/* ${FABRIC_CA_CLIENT_HOME}/tlsca/tlsca.tjfae.chain.com-cert.pem
mkdir ${FABRIC_CA_CLIENT_HOME}/ca
cp ${FABRIC_CA_CLIENT_HOME}/peers/peer0.tjfae.chain.com/msp/cacerts/* ${FABRIC_CA_CLIENT_HOME}/ca/ca.tjfae.chain.com-cert.pem
# 32. Obtain the certificate files of the user
mkdir -p ${FABRIC_CA_CLIENT_HOME}/users/User1@tjfae.chain.com
# 48. Obtain the certificate files
fabric-ca-client enroll -u https://User1@tjfae.chain.com:tjfae_dsp@localhost:7054 --caname tjfae.ca.chain.com -M ${FABRIC_CA_CLIENT_HOME}/users/User1@tjfae.chain.com/msp --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem
# 24. Copy the certificate of Admin@tjfae.chain.com to ${FABRIC_CA_CLIENT_HOME}/peers/peer0.tjfae.chain.com/msp/admincerts
mkdir ${FABRIC_CA_CLIENT_HOME}/peers/peer0.tjfae.chain.com/msp/admincerts
mkdir ${FABRIC_CA_CLIENT_HOME}/peers/peer1.tjfae.chain.com/msp/admincerts
mkdir ${FABRIC_CA_CLIENT_HOME}/users/User1@tjfae.chain.com/msp/admincerts
cp ${FABRIC_CA_CLIENT_HOME}/users/Admin@tjfae.chain.com/msp/signcerts/cert.pem ${FABRIC_CA_CLIENT_HOME}/peers/peer0.tjfae.chain.com/msp/admincerts
cp ${FABRIC_CA_CLIENT_HOME}/users/Admin@tjfae.chain.com/msp/signcerts/cert.pem ${FABRIC_CA_CLIENT_HOME}/peers/peer1.tjfae.chain.com/msp/admincerts
cp ${FABRIC_CA_CLIENT_HOME}/users/Admin@tjfae.chain.com/msp/signcerts/cert.pem ${FABRIC_CA_CLIENT_HOME}/users/User1@tjfae.chain.com/msp/admincerts
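Steps 21 and 30 copy tlscacerts/*, signcerts/* and keystore/* onto fixed file names, which only works while each directory holds exactly one file; every repeated enroll into the same directory adds another private key to keystore. The following added example (not part of the original page) performs the same copy for one tls directory, stops when a source directory holds zero or several files, and keeps server.key at mode 600. The names single_file, install_tls_names and demo_tls_names and all file contents in the demo are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): the ca.crt / server.crt /
# server.key copy of steps 21 and 30, with a guard against ambiguous globs.

# single_file <dir>: print the only regular file in <dir>, fail otherwise
single_file() {
    count=0
    only=
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        count=$((count + 1))
        only=$f
    done
    if [ "$count" -ne 1 ]; then
        echo "expected exactly 1 file in $1, found $count" >&2
        return 1
    fi
    printf '%s\n' "$only"
}

# install_tls_names <tls_dir>
#   <tls_dir> is the directory passed to "enroll -M ... --enrollment.profile tls"
#   returns 0 after writing ca.crt, server.crt and server.key, 1 if any source
#   directory is ambiguous or empty (nothing is written in that case)
install_tls_names() {
    tls_dir=$1
    # Resolve all three sources first so a failure leaves no partial result
    ca=$(single_file "$tls_dir/tlscacerts") || return 1
    crt=$(single_file "$tls_dir/signcerts") || return 1
    key=$(single_file "$tls_dir/keystore") || return 1

    cp "$ca" "$tls_dir/ca.crt"
    cp "$crt" "$tls_dir/server.crt"
    # Create the key copy unreadable for group/other, then pin the mode in
    # case server.key already existed with wider permissions
    ( umask 077; cp "$key" "$tls_dir/server.key" )
    chmod 600 "$tls_dir/server.key"
}

# Constructed demo: orderer.chain.com was enrolled once, orderer2.chain.com
# twice, so its keystore holds two keys and the copy must be refused.
demo_tls_names() {
    tmp=$(mktemp -d)
    for n in orderer.chain.com orderer2.chain.com; do
        mkdir -p "$tmp/$n/tls/tlscacerts" "$tmp/$n/tls/signcerts" "$tmp/$n/tls/keystore"
        echo "constructed CA cert"   > "$tmp/$n/tls/tlscacerts/tls-localhost-7054-tjfae-ca-chain-com.pem"
        echo "constructed node cert" > "$tmp/$n/tls/signcerts/cert.pem"
        echo "constructed key 1"     > "$tmp/$n/tls/keystore/1111_sk"
    done
    echo "constructed key 2" > "$tmp/orderer2.chain.com/tls/keystore/2222_sk"

    install_tls_names "$tmp/orderer.chain.com/tls"  && first=ok  || first=refused
    install_tls_names "$tmp/orderer2.chain.com/tls" && second=ok || second=refused
    rm -rf "$tmp"
    echo "orderer=$first orderer2=$second"
}

demo_tls_names

# Usage with the page's layout (run inside the CA container):
#   for n in orderer orderer2 orderer3; do
#       install_tls_names "${FABRIC_CA_CLIENT_HOME}/orderers/$n.chain.com/tls"
#   done
```

When the function refuses a directory, compare the files in keystore with the certificate in signcerts and remove the keys that do not belong to it before copying.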
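1.2.4 Finishing certificate generation
Once the certificates have been generated, copy the client certificates to the corresponding path on each node.
2 Modifying the node configuration file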
version: '2'
# Declaration of networks, i.e. all networks used by the services in this YAML file
networks:
  rootchain:
    # Driver type used by the network. Defaults to bridge
    driver: bridge
services:
  peer0.lzsk1.chain.com:
    container_name: peer0.lzsk1.chain.com
    hostname: peer0.lzsk1.chain.com
    image: hyperledger/fabric-peer:latest
    environment:
      - TZ=Asia/Shanghai
      - CORE_LEDGER_STATE_STATEDATABASE=CouchDB
      # CouchDB port
      - CORE_LEDGER_STATE_COUCHDBCONFIG_COUCHDBADDRESS=couchdb1:6984
      # CouchDB user
      - CORE_LEDGER_STATE_COUCHDBCONFIG_USERNAME=lzsk_dsp
      # CouchDB password
      - CORE_LEDGER_STATE_COUCHDBCONFIG_PASSWORD=lzsk_dsp
      - CORE_PEER_ID=peer0.lzsk1.chain.com
      - CORE_PEER_ADDRESS=peer0.lzsk1.chain.com:8051
      # Listen address of the peer. By default the peer listens for requests on all addresses
      - CORE_PEER_LISTENADDRESS=0.0.0.0:8051
      # Address that chaincode uses to connect to this peer.
      - CORE_PEER_CHAINCODEADDRESS=peer0.lzsk1.chain.com:8052
      # Address on which the peer listens for chaincode connection requests. If not set, port 7052 of the peer address is selected automatically
      - CORE_PEER_CHAINCODELISTENADDRESS=peer0.lzsk1.chain.com:8052
      # Endpoint published to peers outside the organization. If not set, the peer is not known to other organizations.
      - CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer0.lzsk1.chain.com:8051
      # Bootstrap peer list used to initialize gossip; the peer connects to these bootstrap peers on startup.
      # The bootstrap peers listed here must belong to the same organization as this peer, otherwise the connection is rejected.
      - CORE_PEER_GOSSIP_BOOTSTRAP=peer0.lzsk1.chain.com:8051
      # ID of the local MSP
      # Deployers must change the localMspId value! It is particularly important that
      # localMspID matches one of the MSPs of the channel the peer belongs to,
      # otherwise the peer's messages are treated as invalid by other peers
      - CORE_PEER_LOCALMSPID=Lzsk1MSP
      - CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
      - FABRIC_LOGGING_SPEC=INFO
      - CORE_LEDGER_HISTORY_ENABLEHISTORYDATABASE=true
      # Whether the peer uses a dynamic algorithm to elect a leader; the leader connects to
      # the ordering service and pulls ledger blocks from it using the delivery protocol.
      # Leader election is recommended for large networks.
      - CORE_PEER_GOSSIP_USELEADERELECTION=true
      # Whether the organization's leader is specified statically; that peer maintains the
      # connection to the orderer and distributes blocks to the other peers of the organization.
      - CORE_PEER_GOSSIP_ORGLEADER=false
      - CORE_PEER_PROFILE_ENABLED=true
      # Enable TLS authentication of the server.
      - CORE_PEER_TLS_ENABLED=true
      # Path of the peer's X.509 certificate file.
      - CORE_PEER_TLS_CERT_FILE=/etc/hyperledger/fabric/tls/server.crt
      # Path of the peer's private key file.
      - CORE_PEER_TLS_KEY_FILE=/etc/hyperledger/fabric/tls/server.key
      # Path of the root certificate file of the chain that verifies the peer certificate
      - CORE_PEER_TLS_ROOTCERT_FILE=/etc/hyperledger/fabric/tls/ca.crt
    working_dir: /opt/gopath/src/github.com/hyperledger/fabric/peer
    command: peer node start
    volumes:
      - /var/run/:/host/var/run/
      - ./crypto-config/peerOrganizations/lzsk1.chain.com/peers/peer0.lzsk1.chain.com/msp:/etc/hyperledger/fabric/msp
      - ./crypto-config/peerOrganizations/lzsk1.chain.com/peers/peer0.lzsk1.chain.com/tls:/etc/hyperledger/fabric/tls
      - /root/go/src/github.com/hyperledger/fabric-samples/lzsk/peer0.lzsk1.chain.com:/var/hyperledger/production
    ports:
      - "8051:8051"
      - "8052:8052"
      - "8053:8053"
    depends_on:
      - couchdb1
    networks:
      - rootchain
    extra_hosts:
      #- "orderer117.chain.com:192.168.133.117"
      - "orderer.chain.com:192.168.21.42"
      - "couchdb1:192.168.21.42"
  couchdb1:
    container_name: couchdb1
    image: hyperledger/fabric-couchdb:latest
    environment:
      - TZ=Asia/Shanghai
      - COUCHDB_USER=lzsk_dsp
      - COUCHDB_PASSWORD=lzsk_dsp
    volumes:
      - /root/go/src/github.com/hyperledger/fabric-samples/lzsk/couchdb1:/opt/couchdb/data
    ports:
      - "6984:5984"
    networks:
      - rootchain
  cli1:
    container_name: cli1
    image: hyperledger/fabric-tools:latest
    tty: true
    environment:
      - TZ=Asia/Shanghai
      - GOPATH=/opt/gopath
      - CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
      - FABRIC_LOGGING_SPEC=INFO
      - CORE_PEER_ID=cli
      - CORE_PEER_ADDRESS=peer0.lzsk1.chain.com:8051
      - CORE_PEER_LOCALMSPID=Lzsk1MSP
      - CORE_PEER_TLS_ENABLED=true
      - CORE_PEER_TLS_CERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/lzsk1.chain.com/peers/peer0.lzsk1.chain.com/tls/server.crt
      - CORE_PEER_TLS_KEY_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/lzsk1.chain.com/peers/peer0.lzsk1.chain.com/tls/server.key
      - CORE_PEER_TLS_ROOTCERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/lzsk1.chain.com/peers/peer0.lzsk1.chain.com/tls/ca.crt
      - CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/lzsk1.chain.com/users/Admin@lzsk1.chain.com/msp
    working_dir: /opt/gopath/src/github.com/hyperledger/fabric/peer
    command: /bin/bash
    volumes:
      - /var/run/:/host/var/run/
      - ./chaincode:/opt/gopath/src/github.com/chaincode
      - ./crypto-config:/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/
      - ./channel-artifacts:/opt/gopath/src/github.com/hyperledger/fabric/peer/channel-artifacts
    depends_on:
      - peer0.lzsk1.chain.com
    networks:
      - rootchain
    extra_hosts:
      #- "orderer117.chain.com:192.168.133.117"
      - "orderer.chain.com:192.168.21.42"
      - "peer0.lzsk1.chain.com:192.168.21.42"
After making the changes, start the node with Docker.
Command: docker-compose -f <yaml file> up -d
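Added example (not part of the original post): a POSIX shell audit for the compose settings shown above that widen exposure, namely floating latest image tags, a CouchDB password equal to the user name, the CouchDB port published on all host interfaces, and the host's /var/run directory (which holds docker.sock) mounted into a container. The function name audit_compose, the finding labels and the re-indented sample file are constructed for this illustration.

```sh
#!/bin/sh
# Constructed sample: the couchdb1 and cli1 settings from this page, re-indented.
sample_compose() {
cat <<'EOF'
services:
  couchdb1:
    image: hyperledger/fabric-couchdb:latest
    environment:
      - COUCHDB_USER=lzsk_dsp
      - COUCHDB_PASSWORD=lzsk_dsp
    ports:
      - "6984:5984"
  cli1:
    image: hyperledger/fabric-tools:latest
    volumes:
      - /var/run/:/host/var/run/
EOF
}

# audit_compose FILE (hypothetical helper): one finding per line, no output if clean.
audit_compose() {
  awk '
    /^[ \t]*#/ { next }                       # ignore comment lines
    {                                         # normalise: drop indent, "- ", quotes
      line = $0
      sub(/^[ \t]*-?[ \t]*/, "", line); sub(/[ \t\r]+$/, "", line); gsub(/"/, "", line)
    }
    line ~ /^image:/ {                        # no tag, or the floating latest tag
      img = line; sub(/^image:[ \t]*/, "", img)
      if (img !~ /:/ || img ~ /:latest$/) print "UNPINNED_IMAGE " img
    }
    line ~ /^COUCHDB_USER=/     { user = substr(line, index(line, "=") + 1) }
    line ~ /^COUCHDB_PASSWORD=/ { pass = substr(line, index(line, "=") + 1) }
    line ~ /^[0-9]+:5984$/      { print "COUCHDB_PUBLISHED_ALL_INTERFACES " line }
    line ~ /^\/var\/run\/?:/    { print "DOCKER_SOCKET_DIR_MOUNTED " line }
    END { if (pass != "" && pass == user) print "COUCHDB_PASSWORD_EQUALS_USER " user }
  ' "$1"
}

# Demo on the constructed sample above.
tmp=$(mktemp) && sample_compose > "$tmp" && audit_compose "$tmp"
rm -f "$tmp"
```

A file that passes pins each image to the release in use, takes the CouchDB password from a secret instead of repeating the user name, and either binds the port to one address (for example 127.0.0.1:6984:5984) or does not publish it.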
2.1 Generate the genesis block and channel
# First change into the blockchain directory, for example: cd /opt/gowork/src/github.com/hyperledger/fabric-samples/rootchain/
# Tell configtxgen where to find the configtx.yaml file
1. export FABRIC_CFG_PATH=$PWD
# Raft mode: generate the system channel genesis block genesis.block
2. ../bin/configtxgen -profile SampleMultiNodeEtcdRaft -channelID mychannel -outputBlock ./channel-artifacts/genesis.block
# Create the channel configuration transaction
3. ../bin/configtxgen -profile TwoOrgsChannel -outputCreateChannelTx ./channel-artifacts/mychannel.tx -channelID rootchain
# Create the transactions that update the anchor peers of organizations TjfaeMSP and TjfadcMSP on this channel
4. ../bin/configtxgen -profile TwoOrgsChannel -outputAnchorPeersUpdate ./channel-artifacts/TjfaeMSPanchors.tx -channelID rootchain -asOrg TjfaeMSP
../bin/configtxgen -profile TwoOrgsChannel -outputAnchorPeersUpdate ./channel-artifacts/TjfadcMSPanchors.tx -channelID rootchain -asOrg TjfadcMSP
# Send the generated files to the other machines
5. scp -r /opt/gowork/src/github.com/hyperledger/fabric-samples/rootchain/channel-artifacts root@192.168.133.112:/opt/gowork/src/github.com/hyperledger/fabric-samples/rootchain/
scp -r /opt/gowork/src/github.com/hyperledger/fabric-samples/rootchain/channel-artifacts root@192.168.133.119:/opt/gowork/src/github.com/hyperledger/fabric-samples/rootchain/
2.2 Start the nodes
# Run inside the peer client cli: create the channel
1. peer channel create -o orderer.chain.com:7050 -c rootchain -f ./channel-artifacts/mychannel.tx --tls --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/chain.com/orderers/orderer.chain.com/msp/tlscacerts/tlsca.chain.com-cert.pem
# Run inside the peer client cli: join the channel (other machines must first run steps 9-11 before joining)
2. peer channel join -b rootchain.block
# Exit the container: copy the generated channel block file (rootchain.block) from the container to the host
3. docker cp cli:/opt/gopath/src/github.com/hyperledger/fabric/peer/rootchain.block /opt/
# Send the rootchain.block file to the other machines
4. scp -r /opt/rootchain.block root@192.168.133.113:/opt/gowork/src/github.com/hyperledger/fabric-samples/rootchain/channel-artifacts
# Copy rootchain.block from the host into the container, then use it to join the channel
5. docker cp /opt/gowork/src/github.com/hyperledger/fabric-samples/rootchain/channel-artifacts/rootchain.block cli:/opt/gopath/src/github.com/hyperledger/fabric/peer
docker cp /opt/rootchain.block cli:/opt/gopath/src/github.com/hyperledger/fabric/peer
⚠️ Every node needs rootchain.block copied into its running container.
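Added example (not from the original post): the steps above move channel-artifacts and rootchain.block between hosts with scp and docker cp, and a peer joins whatever block file it is handed. The script below records SHA-256 digests on the sending host and checks them on the receiving host before the join; write_manifest, verify_manifest and the file name SHA256SUMS are hypothetical, and it assumes sha256sum is installed on both hosts.

```sh
#!/bin/sh
# write_manifest DIR (hypothetical helper): on the sending host, record a
# SHA-256 for every file in DIR (for example channel-artifacts) in DIR/SHA256SUMS.
write_manifest() {
  ( cd "$1" 2>/dev/null || exit 2
    find . -type f ! -name SHA256SUMS | sort | while IFS= read -r f; do
      sha256sum "$f"
    done > SHA256SUMS )
}

# verify_manifest DIR (hypothetical helper): on the receiving host, before
# docker cp and peer channel join. Exit status:
#   0 every listed file matches and nothing unlisted is present
#   1 a listed file is missing or its content differs
#   2 DIR or DIR/SHA256SUMS does not exist
#   3 DIR holds a file the manifest does not list
verify_manifest() {
  ( cd "$1" 2>/dev/null || exit 2
    [ -f SHA256SUMS ] || exit 2
    sha256sum -c SHA256SUMS >/dev/null 2>&1 || exit 1
    listed=$(wc -l < SHA256SUMS | tr -d ' ')
    seen=$(find . -type f ! -name SHA256SUMS | wc -l | tr -d ' ')
    [ "$seen" -eq "$listed" ] || exit 3 )
}

# Demo with constructed stand-ins for the real block files.
demo() {
  d=$(mktemp -d)
  printf 'constructed genesis block' > "$d/genesis.block"
  printf 'constructed channel block' > "$d/rootchain.block"
  write_manifest "$d"
  rc=0; verify_manifest "$d" || rc=$?
  echo "untouched copy: $rc"
  printf 'x' >> "$d/rootchain.block"          # simulate a changed file
  rc=0; verify_manifest "$d" || rc=$?
  echo "modified copy: $rc"
  rm -rf "$d"
}
demo
```

Because the manifest travels with the files, compare its own digest with the sender over a separate channel before relying on it.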
2.3 Install the chaincode
# Run inside the peer client cli: update the anchor peers (every organization must update its anchor peers; each organization runs this inside its own peer client)
6. peer channel update -o orderer.chain.com:7050 -c rootchain -f ./channel-artifacts/TjfaeMSPanchors.tx --tls --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/chain.com/orderers/orderer.chain.com/msp/tlscacerts/tlsca.chain.com-cert.pem
peer channel update -o orderer2.chain.com:7050 -c rootchain -f ./channel-artifacts/TjfadcMSPanchors.tx --tls --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/chain.com/orderers/orderer.chain.com/msp/tlscacerts/tlsca.chain.com-cert.pem
# Environment variables
CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/tjfae.chain.com/users/Admin@tjfae.chain.com/msp
CORE_PEER_ADDRESS=peer0.tjfae.chain.com:7051
CORE_PEER_LOCALMSPID="TjfaeMSP"
CORE_PEER_TLS_ROOTCERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/tjfae.chain.com/peers/peer0.tjfae.chain.com/tls/ca.crt
# Install the chaincode on the peer nodes (for several peers in the same organization, switch the environment variables and install on each in turn; it only needs to be installed on endorsing peers. Each organization runs this inside its own peer client)
7. peer chaincode install -n benefit -v 1.0 -p ../../../chaincode/benefit/ -l java
# Initialize (instantiate) the chaincode (this only needs to run on one endorsing peer. For later transactions, other peers automatically install the chaincode when they receive a transaction request)
8. peer chaincode instantiate -o orderer.chain.com:7050 --tls true --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/chain.com/orderers/orderer.chain.com/msp/tlscacerts/tlsca.chain.com-cert.pem -C rootchain -n benefit -v 1.0 -c '{"Args":["init"]}' -P "AND ('TjfadcMSP.peer','TjfaeMSP.peer')"
peer chaincode query -C rootchain -n benefit -c '{"Args":["create","{\"name\":\"test\"}","10"]}'
3 Common problem analysis
3.1 MySQL problems
- MySQL ERROR 1067: Invalid default value for <field>
Solution:
vi /etc/my.cnf // add the following setting
sql_mode=ONLY_FULL_GROUP_BY,STRICT_TRANS_TABLES,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION
- ERROR 1067 (42000): Invalid default value for ' '
Solution:
3.2 Image version problems
3.3 Errors reported by containers
- iptables: No chain/target/match by that name. (exit status 1)
Solution: iptables: No chain/target/match by that name. (exit status 1)
- connect error: No route to host(errno:113)
Solution: Method 1: disable the firewall
On CentOS, the firewall is stopped with
systemctl stop firewalld
Method 2: open the specified port on the firewall
firewall-cmd --zone=public --add-port=2181/tcp --permanent
firewall-cmd --reload
- Get https://registry-1.docker.io/v2/: dial tcp: lookup registry-1.docker.io: no such host
Solution:
Edit the /etc/resolv.conf file and add a DNS server line, for example: nameserver 8.8.4.4
3.4 Browser errors
- sudo: psq:找不到命令
Source: oschina
Link: https://my.oschina.net/u/4356296/blog/4724859