Hyperledger Fabric 1.4: dynamically adding an organization and its peers in a production environment

1.1 Overview

      Building on the environment set up in the two earlier articles, "Kafka production deployment" and "Generating MSP and TLS material with a CA in production", this article adds a new organization (Org3) and its peer to a running channel without taking the network down: issue Org3's certificates from new intermediate CAs, compute and sign a channel configuration update, start the new peer, join it to the channel, and upgrade the chaincode so that Org3 can endorse.

1.2 Network topology

      (Topology diagram not reproduced in this text.)

1.3 New organization configuration
1.3.1 Generating the new organization's certificates
      Switch to the 192.168.235.6 server to start the CA services and generate the certificates.
1. Starting the CA services
1) Starting IntermediaCA4 (the enrollment CA for Org3)
① Initialise the CA service

# fabric-ca-server init -b admin4:adminpw4 -u http://admin:adminpw@localhost:7054 --home ./intermediaca4
# vi ./intermediaca4/fabric-ca-server-config.yaml
Change:
version: 1.4.0
port: 7058

The -u URL points at the parent (root) CA on port 7054: init enrolls this server with it and makes it an intermediate CA, while -b sets the bootstrap registrar identity (admin4) of the new CA. In a real deployment use a strong bootstrap secret and enable TLS on the CA (the tls section of fabric-ca-server-config.yaml); the http:// URLs used throughout this page send enrollment secrets in the clear.

② Start the CA service

[Start from the command line]
# fabric-ca-server start -b admin4:adminpw4 -u http://admin:adminpw@localhost:7054 --home ./intermediaca4 --cfg.affiliations.allowremove --cfg.identities.allowremove
[Start with Docker]
Copy docker-intermediaca4.yaml into the ca-server directory.
# docker-compose -f docker-intermediaca4.yaml up -d

The two --cfg.*.allowremove flags are what permit the affiliation and identity removal calls used below; leave them off on a CA that does not need them.

2) Starting IntermediaCAtls4 (the TLS CA for Org3)
① Initialise the CA service

# fabric-ca-server init -b admin4:adminpw4 -u http://admin:adminpw@localhost:7054 --home ./intermediacatls4
# vi ./intermediacatls4/fabric-ca-server-config.yaml
Change:
version: 1.4.0
port: 8058

② Start the CA service

[Start from the command line]
# fabric-ca-server start -b admin4:adminpw4 -u http://admin:adminpw@localhost:7054 --home ./intermediacatls4 --cfg.affiliations.allowremove --cfg.identities.allowremove
[Start with Docker]
Copy docker-intermediacatls4.yaml into the ca-server directory.
# docker-compose -f docker-intermediacatls4.yaml up -d

2. Generating certificates with IntermediaCA4

1) Generating the MSP for org3.example.com
① Enroll the CA admin for org3.example.com

# fabric-ca-client enroll --csr.cn=org3.example.com --csr.hosts=org3.example.com -M ./crypto-config/peerOrganizations/org3.example.com/msp -u http://admin4:adminpw4@localhost:7058 --home ./fabric-ca-client
# vi ./fabric-ca-client/crypto-config/peerOrganizations/org3.example.com/msp/config.yaml
Contents:
NodeOUs:
  Enable: true
  ClientOUIdentifier:
    Certificate: intermediatecerts/localhost-7058.pem
    OrganizationalUnitIdentifier: client
  PeerOUIdentifier:
    Certificate: intermediatecerts/localhost-7058.pem
    OrganizationalUnitIdentifier: peer

--csr.hosts takes a plain comma-separated host list; the bracketed form ['org3.example.com'] would put the literal string "[org3.example.com]" into the certificate's SAN. With NodeOUs enabled, an identity is classified as peer or client by the OU in its certificate, which is why the peer below is registered with --id.type peer; in this setup admin status still comes from the certificate placed in admincerts/.

② Add affiliations

# fabric-ca-client affiliation list -M ./crypto-config/peerOrganizations/org3.example.com/msp -u http://admin4:adminpw4@localhost:7058 --home ./fabric-ca-client
# fabric-ca-client affiliation remove --force org1 -M ./crypto-config/peerOrganizations/org3.example.com/msp -u http://admin4:adminpw4@localhost:7058 --home ./fabric-ca-client
# fabric-ca-client affiliation remove --force org2 -M ./crypto-config/peerOrganizations/org3.example.com/msp -u http://admin4:adminpw4@localhost:7058 --home ./fabric-ca-client
# fabric-ca-client affiliation add com -M ./crypto-config/peerOrganizations/org3.example.com/msp -u http://admin4:adminpw4@localhost:7058 --home ./fabric-ca-client
# fabric-ca-client affiliation add com.example -M ./crypto-config/peerOrganizations/org3.example.com/msp -u http://admin4:adminpw4@localhost:7058 --home ./fabric-ca-client
# fabric-ca-client affiliation add com.example.org3 -M ./crypto-config/peerOrganizations/org3.example.com/msp -u http://admin4:adminpw4@localhost:7058 --home ./fabric-ca-client

(A freshly initialised fabric-ca-server ships with the default affiliations org1 and org2; both are removed before the com.example.org3 hierarchy is created, and every Org3 identity is registered under com.example.org3.)

2) Generating the MSP for Admin@org3.example.com
① Register Admin@org3.example.com

# fabric-ca-client register --id.name Admin@org3.example.com --id.type client --id.affiliation "com.example.org3" --id.attrs '"hf.Registrar.Roles=client,orderer,peer,user","hf.Registrar.DelegateRoles=client,orderer,peer,user",hf.Registrar.Attributes=*,hf.GenCRL=true,hf.Revoker=true,hf.AffiliationMgr=true,hf.IntermediateCA=true,role=admin:ecert' --id.secret=123456 --csr.cn=org3.example.com --csr.hosts=org3.example.com -M ./crypto-config/peerOrganizations/org3.example.com/msp -u http://admin4:adminpw4@localhost:7058 --home ./fabric-ca-client

(The -M path here selects the registrar's own identity, the admin4 MSP enrolled in step ①. The hf.* attributes make this admin a full registrar, revoker and affiliation manager of the CA; grant only what the identity will actually use.)

② Enroll Admin@org3.example.com

# fabric-ca-client enroll -u http://Admin@org3.example.com:123456@localhost:7058 --csr.cn=org3.example.com --csr.hosts=org3.example.com -M ./crypto-config/peerOrganizations/org3.example.com/users/Admin@org3.example.com/msp --home ./fabric-ca-client

③ Assemble the MSP

# mkdir ./fabric-ca-client/crypto-config/peerOrganizations/org3.example.com/users/Admin@org3.example.com/msp/admincerts
# cp ./fabric-ca-client/crypto-config/peerOrganizations/org3.example.com/users/Admin@org3.example.com/msp/signcerts/cert.pem ./fabric-ca-client/crypto-config/peerOrganizations/org3.example.com/users/Admin@org3.example.com/msp/admincerts
# mkdir ./fabric-ca-client/crypto-config/peerOrganizations/org3.example.com/msp/admincerts
# cp ./fabric-ca-client/crypto-config/peerOrganizations/org3.example.com/users/Admin@org3.example.com/msp/signcerts/cert.pem ./fabric-ca-client/crypto-config/peerOrganizations/org3.example.com/msp/admincerts

(The copy into the org-level msp/admincerts is what the channel configuration will carry, so this certificate is the one that satisfies Org3MSP.admin when Org3 later signs configuration updates.)

3) Generating the MSP for peer0.org3.example.com
① Register peer0.org3.example.com

# fabric-ca-client register --id.name peer0.org3.example.com --id.type peer --id.affiliation "com.example.org3" --id.attrs 'role=peer:ecert' --id.secret=123456 --csr.cn=peer0.org3.example.com --csr.hosts=peer0.org3.example.com -M ./crypto-config/peerOrganizations/org3.example.com/msp -u http://admin4:adminpw4@localhost:7058 --home ./fabric-ca-client

② Enroll peer0.org3.example.com

# fabric-ca-client enroll -u http://peer0.org3.example.com:123456@localhost:7058 --csr.cn=peer0.org3.example.com --csr.hosts=peer0.org3.example.com -M ./crypto-config/peerOrganizations/org3.example.com/peers/peer0.org3.example.com/msp --home ./fabric-ca-client

③ Assemble the MSP

# mkdir ./fabric-ca-client/crypto-config/peerOrganizations/org3.example.com/peers/peer0.org3.example.com/msp/admincerts
# cp ./fabric-ca-client/crypto-config/peerOrganizations/org3.example.com/users/Admin@org3.example.com/msp/signcerts/cert.pem ./fabric-ca-client/crypto-config/peerOrganizations/org3.example.com/peers/peer0.org3.example.com/msp/admincerts

3. Generating certificates with IntermediaCAtls4
The TLS CA listens on port 8058 (set in its fabric-ca-server-config.yaml above), so every command in this section talks to localhost:8058.
1) Generating the TLS material for org3.example.com
① Enroll the TLS CA admin for org3.example.com

# fabric-ca-client enroll --csr.cn=org3.example.com --csr.hosts=org3.example.com -M ./crypto-config/peerOrganizations/org3.example.com/tlstmp -u http://admin4:adminpw4@localhost:8058 --home ./fabric-ca-client

② Add affiliations

# fabric-ca-client affiliation list -M ./crypto-config/peerOrganizations/org3.example.com/tlstmp -u http://admin4:adminpw4@localhost:8058 --home ./fabric-ca-client
# fabric-ca-client affiliation remove --force org1 -M ./crypto-config/peerOrganizations/org3.example.com/tlstmp -u http://admin4:adminpw4@localhost:8058 --home ./fabric-ca-client
# fabric-ca-client affiliation remove --force org2 -M ./crypto-config/peerOrganizations/org3.example.com/tlstmp -u http://admin4:adminpw4@localhost:8058 --home ./fabric-ca-client
# fabric-ca-client affiliation add com -M ./crypto-config/peerOrganizations/org3.example.com/tlstmp -u http://admin4:adminpw4@localhost:8058 --home ./fabric-ca-client
# fabric-ca-client affiliation add com.example -M ./crypto-config/peerOrganizations/org3.example.com/tlstmp -u http://admin4:adminpw4@localhost:8058 --home ./fabric-ca-client
# fabric-ca-client affiliation add com.example.org3 -M ./crypto-config/peerOrganizations/org3.example.com/tlstmp -u http://admin4:adminpw4@localhost:8058 --home ./fabric-ca-client

2) Generating the TLS certificate for Admin@org3.example.com
① Register Admin@org3.example.com

# fabric-ca-client register --id.name Admin@org3.example.com --id.type client --id.affiliation "com.example.org3" --id.attrs '"hf.Registrar.Roles=client,orderer,peer,user","hf.Registrar.DelegateRoles=client,orderer,peer,user",hf.Registrar.Attributes=*,hf.GenCRL=true,hf.Revoker=true,hf.AffiliationMgr=true,hf.IntermediateCA=true,role=admin:ecert' --id.secret=123456 --csr.cn=org3.example.com --csr.hosts=org3.example.com -M ./crypto-config/peerOrganizations/org3.example.com/tlstmp -u http://admin4:adminpw4@localhost:8058 --home ./fabric-ca-client

② Enroll Admin@org3.example.com with the tls profile

# fabric-ca-client enroll -d --enrollment.profile tls -u http://Admin@org3.example.com:123456@localhost:8058 --csr.cn=org3.example.com --csr.hosts=org3.example.com -M ./crypto-config/peerOrganizations/org3.example.com/users/Admin@org3.example.com/tlstmp --home ./fabric-ca-client

③ Assemble the tls directory

# mkdir ./fabric-ca-client/crypto-config/peerOrganizations/org3.example.com/users/Admin@org3.example.com/tls
# cp ./intermediacatls4/ca-chain.pem ./fabric-ca-client/crypto-config/peerOrganizations/org3.example.com/users/Admin@org3.example.com/tls/ca.crt
# cp ./fabric-ca-client/crypto-config/peerOrganizations/org3.example.com/users/Admin@org3.example.com/tlstmp/signcerts/cert.pem ./fabric-ca-client/crypto-config/peerOrganizations/org3.example.com/users/Admin@org3.example.com/tls/client.crt
# cp ./fabric-ca-client/crypto-config/peerOrganizations/org3.example.com/users/Admin@org3.example.com/tlstmp/keystore/xxxxxxx_sk ./fabric-ca-client/crypto-config/peerOrganizations/org3.example.com/users/Admin@org3.example.com/tls/client.key
# rm -rf ./fabric-ca-client/crypto-config/peerOrganizations/org3.example.com/users/Admin@org3.example.com/tlstmp

(xxxxxxx_sk stands for the generated private key file name under keystore/. ca-chain.pem, which fabric-ca-server writes into the home directory of an intermediate CA, contains the chain up to the root TLS CA, so the resulting ca.crt trusts certificates issued by any CA in that hierarchy.)

3) Generating the TLS certificate for peer0.org3.example.com
① Register peer0.org3.example.com

# fabric-ca-client register --id.name peer0.org3.example.com --id.type peer --id.affiliation "com.example.org3" --id.attrs 'role=peer:ecert' --id.secret=123456 --csr.cn=peer0.org3.example.com --csr.hosts=peer0.org3.example.com -M ./crypto-config/peerOrganizations/org3.example.com/tlstmp -u http://admin4:adminpw4@localhost:8058 --home ./fabric-ca-client

② Enroll peer0.org3.example.com with the tls profile

# fabric-ca-client enroll -d --enrollment.profile tls -u http://peer0.org3.example.com:123456@localhost:8058 --csr.cn=peer0.org3.example.com --csr.hosts=peer0.org3.example.com -M ./crypto-config/peerOrganizations/org3.example.com/peers/peer0.org3.example.com/tlstmp --home ./fabric-ca-client

(The --csr.hosts value must match the name peer0.org3.example.com is reached by; gossip and client connections verify the server certificate's SAN against it.)

③ Assemble the tls directory

# mkdir ./fabric-ca-client/crypto-config/peerOrganizations/org3.example.com/peers/peer0.org3.example.com/tls
# cp ./intermediacatls4/ca-chain.pem ./fabric-ca-client/crypto-config/peerOrganizations/org3.example.com/peers/peer0.org3.example.com/tls/ca.crt
# cp ./fabric-ca-client/crypto-config/peerOrganizations/org3.example.com/peers/peer0.org3.example.com/tlstmp/signcerts/cert.pem ./fabric-ca-client/crypto-config/peerOrganizations/org3.example.com/peers/peer0.org3.example.com/tls/server.crt
# cp ./fabric-ca-client/crypto-config/peerOrganizations/org3.example.com/peers/peer0.org3.example.com/tlstmp/keystore/xxxxxxx_sk ./fabric-ca-client/crypto-config/peerOrganizations/org3.example.com/peers/peer0.org3.example.com/tls/server.key
# rm -rf ./fabric-ca-client/crypto-config/peerOrganizations/org3.example.com/peers/peer0.org3.example.com/tlstmp

1.3.2 Generating the new organization's channel configuration
Switch to the 192.168.235.7 server.
1. Copy the generated org3.example.com directory into crypto-config/peerOrganizations/ on this server.
2. Add the Org3 organization to configtx.yaml and copy the file into the kafkapeer directory.
3. Print the Org3 definition as JSON

# cd $GOPATH/src/github.com/hyperledger/fabric/kafkapeer
# docker-compose -f docker-compose-peer.yaml up -d
# export FABRIC_CFG_PATH=$PWD
# ./bin/configtxgen -printOrg Org3MSP > ./channel-artifacts/org3.json

(configtxgen reads configtx.yaml from FABRIC_CFG_PATH, and -printOrg does not take a profile, so the file is selected through that variable rather than with -profile. The docker-compose step makes sure the peer and cli containers used below are running.)
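Step 2 says to add Org3 to configtx.yaml without showing the entry. The fragment below is an added example, not taken from the original post or its earlier articles: it follows the organization layout used by the fabric-samples first-network configtx.yaml, and the MSPDir and anchor-peer port are assumptions chosen to match the paths and the peer port (7051) used elsewhere on this page.

```yaml
# Added example: the Org3 entry for the Organizations: section of configtx.yaml.
# MSPDir and the anchor-peer port are assumptions matching this page's paths and ports.
Organizations:
  - &Org3
    Name: Org3MSP
    ID: Org3MSP
    # Org-level MSP from IntermediaCA4: cacerts/, intermediatecerts/, admincerts/, config.yaml.
    # configtxgen -printOrg embeds these certificates into org3.json.
    MSPDir: crypto-config/peerOrganizations/org3.example.com/msp
    Policies:
      # 'peer' and 'client' are the OUs enabled by NodeOUs in the MSP's config.yaml;
      # 'admin' is satisfied by the certificate copied into admincerts/.
      Readers:
        Type: Signature
        Rule: "OR('Org3MSP.admin', 'Org3MSP.peer', 'Org3MSP.client')"
      Writers:
        Type: Signature
        Rule: "OR('Org3MSP.admin', 'Org3MSP.client')"
      Admins:
        Type: Signature
        Rule: "OR('Org3MSP.admin')"
    AnchorPeers:
      - Host: peer0.org3.example.com
        Port: 7051
```

Keep the existing Org1 and Org2 entries as they are; only the new anchor is needed for -printOrg, which reads the MSPDir, so the directory from step 1 must already be in place.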

4. Install jq
jq is a command-line JSON processor for Linux; it filters, formats and edits JSON.

# yum install epel-release
# yum install jq

5. Fetch the current channel configuration

# docker exec -it cli bash
# ORDERER_CA=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/orderers/orderer0.example.com/msp/tlsintermediatecerts/tls-localhost-8055.pem
# peer channel fetch config config_block.pb -o orderer0.example.com:7050 -c mychannel --tls --cafile $ORDERER_CA
# exit
# docker cp xxxxxxxx:/opt/gopath/src/github.com/hyperledger/fabric/peer/config_block.pb /opt/gopath/src/github.com/hyperledger/fabric/kafkapeer

(xxxxxxxx is the id of the cli container. `peer channel fetch config` returns the most recent configuration block of the channel, not the genesis block.)

6. Decode the configuration block and extract the current configuration as JSON

# ./bin/configtxlator proto_decode --input config_block.pb --type common.Block | jq .data.data[0].payload.data.config > config.json

7. Edit config.json to add Org3

# jq -s '.[0] * {"channel_group":{"groups":{"Application":{"groups": {"Org3MSP":.[1]}}}}}' config.json ./channel-artifacts/org3.json > modified_config.json

(jq's * operator merges objects recursively, so this adds a single Org3MSP entry under channel_group.groups.Application.groups and leaves the rest of config.json untouched.)

8. Encode config.json and modified_config.json as protobuf

# ./bin/configtxlator proto_encode --input config.json --type common.Config > original_config.pb
# ./bin/configtxlator proto_encode --input modified_config.json --type common.Config > modified_config.pb

9. Compute the update from original_config.pb and modified_config.pb

# ./bin/configtxlator compute_update --channel_id mychannel --original original_config.pb --updated modified_config.pb > config_update.pb

10. Decode config_update.pb to JSON, wrap it in an envelope with jq, encode it again as protobuf, and copy the resulting org3_update_in_envelope.pb into the cli container

# ./bin/configtxlator proto_decode --input config_update.pb --type common.ConfigUpdate > config_update.json
# echo '{"payload":{"header":{"channel_header":{"channel_id":"mychannel", "type":2}},"data":{"config_update":'$(cat config_update.json)'}}}' | jq . > config_update_in_envelope.json
# ./bin/configtxlator proto_encode --input config_update_in_envelope.json --type common.Envelope > org3_update_in_envelope.pb
# docker cp /opt/gopath/src/github.com/hyperledger/fabric/kafkapeer/org3_update_in_envelope.pb xxxxxxxx:/opt/gopath/src/github.com/hyperledger/fabric/peer/

(type 2 in the channel header is HeaderType CONFIG_UPDATE. Before anyone signs it, read config_update.json: its write_set should add only the Org3MSP group under Application, whose version is bumped by one, and nothing else.)
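The decoded config_update.json is what the Org1 and Org2 admins are about to sign, so it should be read rather than trusted. The following script is an added example (not part of the original post and not Fabric's own tooling): it replays the jq merge of step 7 and the envelope wrapper of step 10 on plain Python dicts, and then audits a decoded ConfigUpdate by comparing its write_set with its read_set, listing what is added and what is modified, so that an update which quietly also rewrites Application/Admins is rejected. The JSON it works on is constructed inline to mirror the shape compute_update emits; the MSP and policy contents inside it are placeholders, not real Fabric values.

```python
"""Pre-signing audit for a Fabric channel config update (added example, not from the original post)."""
import copy
import json

HEADER_TYPE_CONFIG_UPDATE = 2  # common.HeaderType.CONFIG_UPDATE


def deep_merge(base, overlay):
    """What jq's `*` does: recursive object merge, right-hand side wins for non-object leaves."""
    out = copy.deepcopy(base)
    for key, val in overlay.items():
        if isinstance(val, dict) and isinstance(out.get(key), dict):
            out[key] = deep_merge(out[key], val)
        else:
            out[key] = copy.deepcopy(val)
    return out


def merge_org(config, msp_id, org_group):
    """Step 7 above: splice a `configtxgen -printOrg` group under Application.groups."""
    overlay = {"channel_group": {"groups": {"Application": {"groups": {msp_id: org_group}}}}}
    return deep_merge(config, overlay)


def wrap_envelope(channel_id, config_update):
    """Step 10 above: the JSON that `configtxlator proto_encode --type common.Envelope` expects."""
    header = {"channel_header": {"channel_id": channel_id, "type": HEADER_TYPE_CONFIG_UPDATE}}
    return {"payload": {"header": header, "data": {"config_update": config_update}}}


def audit_update(update):
    """List what a decoded ConfigUpdate touches, by comparing write_set against read_set.

    An element present only in write_set is an addition; one whose version differs from its
    read_set copy is a modification (compute_update bumps the version by one per change).
    """
    report = {"added_groups": [], "modified_groups": [], "modified_values": [], "modified_policies": []}

    def walk(read, write, path):
        for name, wgrp in write.get("groups", {}).items():
            rgrp = read.get("groups", {}).get(name)
            sub = path + "/" + name
            if rgrp is None:
                report["added_groups"].append(sub)
                continue
            if wgrp.get("version") != rgrp.get("version"):
                report["modified_groups"].append(sub)
            walk(rgrp, wgrp, sub)
        for kind, bucket in (("values", "modified_values"), ("policies", "modified_policies")):
            for name, item in write.get(kind, {}).items():
                ritem = read.get(kind, {}).get(name)
                if ritem is None or item.get("version") != ritem.get("version"):
                    report[bucket].append(path + "/" + kind + "/" + name)

    walk(update["read_set"], update["write_set"], "")
    return report


def is_pure_org_addition(update, msp_id):
    """True only if the update adds <msp_id> under Application and changes nothing else."""
    r = audit_update(update)
    return (r["added_groups"] == ["/Application/" + msp_id]
            and r["modified_groups"] == ["/Application"]
            and not r["modified_values"] and not r["modified_policies"])


# ---- constructed sample data: shape mirrors compute_update output, contents are placeholders ----
def _ref(version):  # unchanged element as compute_update emits it: version only, no content
    return {"groups": {}, "mod_policy": "", "policies": {}, "values": {}, "version": version}


def _pol_ref(version):
    return {"mod_policy": "", "policy": None, "version": version}


ORG3_GROUP = {"groups": {}, "mod_policy": "Admins", "version": "0",
              "policies": {"Admins": {"mod_policy": "Admins", "version": "0",
                                      "policy": {"type": 1, "value": "<signature policy omitted>"}}},
              "values": {"MSP": {"mod_policy": "Admins", "version": "0",
                                 "value": {"type": 0, "config": {"name": "Org3MSP"}}}}}

SAMPLE_UPDATE = {
    "channel_id": "mychannel", "isolated_data": {},
    "read_set": {"groups": {"Application": {
        "groups": {"Org1MSP": _ref("0"), "Org2MSP": _ref("0")}, "mod_policy": "", "values": {},
        "policies": {k: _pol_ref("0") for k in ("Admins", "Readers", "Writers")}, "version": "1"}},
        "mod_policy": "", "policies": {}, "values": {}, "version": "0"},
    "write_set": {"groups": {"Application": {
        "groups": {"Org1MSP": _ref("0"), "Org2MSP": _ref("0"), "Org3MSP": ORG3_GROUP},
        "mod_policy": "Admins", "values": {},
        "policies": {k: _pol_ref("0") for k in ("Admins", "Readers", "Writers")}, "version": "2"}},
        "mod_policy": "", "policies": {}, "values": {}, "version": "0"},
}


def tampered_update():
    """Same update, but also rewriting Application/Admins so that Org3 alone could change the channel."""
    upd = copy.deepcopy(SAMPLE_UPDATE)
    upd["write_set"]["groups"]["Application"]["policies"]["Admins"] = {
        "mod_policy": "Admins", "version": "1",
        "policy": {"type": 1, "value": "<OR('Org3MSP.admin') omitted>"}}
    return upd


if __name__ == "__main__":
    print(json.dumps(audit_update(SAMPLE_UPDATE), indent=2))
    print("pure Org3MSP addition:", is_pure_org_addition(SAMPLE_UPDATE, "Org3MSP"))     # True
    print("tampered update passes:", is_pure_org_addition(tampered_update(), "Org3MSP"))  # False
```

On a real network, load config_update.json with json.load and pass it to is_pure_org_addition before running peer channel signconfigtx; anything reported under modified_values or modified_policies is a change the signing admin did not ask for.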

1.3.3 Submitting the new organization's configuration
1. Sign the Org3 configuration update

# docker exec -it cli bash
# export CORE_PEER_LOCALMSPID="Org1MSP"
# export CORE_PEER_TLS_ROOTCERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt
# export CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp
# export CORE_PEER_ADDRESS=peer0.org1.example.com:7051
# peer channel signconfigtx -f org3_update_in_envelope.pb
# export CORE_PEER_LOCALMSPID="Org2MSP"
# export CORE_PEER_TLS_ROOTCERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/ca.crt
# export CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org2.example.com/users/Admin@org2.example.com/msp
# export CORE_PEER_ADDRESS=peer0.org2.example.com:7051
# peer channel signconfigtx -f org3_update_in_envelope.pb

(The Application group's mod_policy is Admins, which with the default configtx.yaml is a MAJORITY of the member organizations' Admins policies; with Org1 and Org2 as the current members, both admins must sign. Each signconfigtx appends its signature to the file in place, which is why the same file is signed twice and then submitted once.)

2. Submit the signed configuration transaction to the orderer

# ORDERER_CA=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/orderers/orderer0.example.com/msp/tlsintermediatecerts/tls-localhost-8055.pem
# peer channel update -f org3_update_in_envelope.pb -c mychannel -o orderer0.example.com:7050 --tls --cafile $ORDERER_CA

(peer channel update also signs with the current identity, so the submission from the Org2 admin context adds nothing new here; the orderer validates the signatures against the Admins policy and, if they satisfy it, cuts a new configuration block.)

1.4 Starting the new organization
Switch to the 192.168.235.11 server.
1. Write the docker-compose-peer.yaml for peer0.org3.example.com and copy it into the kafkapeer directory.
2. Start the containers on 192.168.235.11

# cd $GOPATH/src/github.com/hyperledger/fabric/kafkapeer
# docker-compose -f docker-compose-peer.yaml up -d

3. Fetch the channel's genesis block

# docker exec -it cli bash
# ORDERER_CA=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/orderers/orderer0.example.com/msp/tlsintermediatecerts/tls-localhost-8055.pem
# peer channel fetch 0 mychannel.block -o orderer0.example.com:7050 -c mychannel --tls --cafile $ORDERER_CA

(Block 0 is the genesis block; the new peer replays the chain from it and picks up the Org3 configuration block on the way. The fetch only succeeds once the update from 1.3.3 has been committed, because until then Org3MSP has no Readers rights on the channel.)

4. Join Org3's peer to the channel

# peer channel join -b mychannel.block

5. Install chaincode version 2.0 on Org3's peer

# peer chaincode install -n mycc -p github.com/hyperledger/fabric/kafkapeer/chaincode/go/example02/ -v 2.0

6. Upgrade the chaincode to 2.0 from Org1's peer0 and set the new endorsement policy
Switch to the 192.168.235.7 server.

# peer chaincode install -n mycc -p github.com/hyperledger/fabric/kafkapeer/chaincode/go/example02/ -v 2.0
# ORDERER_CA=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/orderers/orderer0.example.com/msp/tlsintermediatecerts/tls-localhost-8055.pem
# peer chaincode upgrade -o orderer0.example.com:7050 --tls --cafile $ORDERER_CA -C mychannel -n mycc -v 2.0 -c '{"Args":["init","a","200","b","400"]}' -P "OR ('Org1MSP.peer','Org2MSP.peer','Org3MSP.peer')"

(The upgrade is what makes Org3's peers eligible endorsers: the policy set when the chaincode was instantiated does not mention Org3MSP. Note that OR(...) accepts an endorsement from any single organization's peer, so one compromised or misbehaving organization can commit a transaction on its own; a production network would normally require AND(...) or a majority of organizations here.)

7. Install chaincode 2.0 on Org2's peer0
Switch to the 192.168.235.9 server.

# peer chaincode install -n mycc -p github.com/hyperledger/fabric/kafkapeer/chaincode/go/example02/ -v 2.0


1.5 Verifying the new organization
Switch to the 192.168.235.11 server and run the following against Org3's peer.
1) Query a on the peer; it shows 130

# peer chaincode query -C mychannel -n mycc -c '{"Args":["query","a"]}'

2) Transfer 20 from a to b on the peer

# ORDERER_CA=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/orderers/orderer0.example.com/msp/tlsintermediatecerts/tls-localhost-8055.pem
# peer chaincode invoke --tls --cafile $ORDERER_CA -C mychannel -n mycc -c '{"Args":["invoke","a","b","20"]}'

3) Query a on the peer again; it now shows 110

# peer chaincode query -C mychannel -n mycc -c '{"Args":["query","a"]}'

A successful query shows that Org3's peer holds the channel ledger, and a successful invoke shows that an endorsement from Org3MSP.peer is accepted under the upgraded policy.

Video tutorial: https://study.163.com/course/introduction/1210196297.htm

Posted 2019-12-20 14:21 by 灵·龙