fabric2.0动态添加组织
1、生成新增组织证书
对于fabric网络来说,要新增一个组织,首先是从证书开始,因为证书就是fabric里面的身份。这里使用fabric-ca生产组织证书。
docker-compose-ca_org3.yaml
# Copyright IBM Corp. All Rights Reserved. # # SPDX-License-Identifier: Apache-2.0 # version: '2' services: ca_org3: image: hyperledger/fabric-ca:1.4 environment: - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server - FABRIC_CA_SERVER_CA_NAME=ca-org3 - FABRIC_CA_SERVER_TLS_ENABLED=true - FABRIC_CA_SERVER_PORT=10054 ports: - "10054:10054" command: sh -c 'fabric-ca-server start -b admin:adminpw -d' volumes: - ./organizations/fabric-ca/org3:/etc/hyperledger/fabric-ca-server container_name: ca_org3
修改配置文件fabric-ca-server-config.yaml,将数据库改成mysql
db: type: mysql datasource: root:password@tcp(10.20.31.113:3306)/ca_org3?parseTime=true tls: enabled: false certfiles: client: certfile: keyfile:
启动fabric ca
docker-compose -f docker-compose-ca_org3.yaml up -d
生成org3证书脚本(registerOrg3.sh )
function createOrg3 { echo echo "Enroll the CA admin" echo mkdir -p organizations/peerOrganizations/org3.example.com/ export FABRIC_CA_CLIENT_HOME=${PWD}/organizations/peerOrganizations/org3.example.com/ set -x fabric-ca-client enroll -u https://admin:adminpw@localhost:10054 --caname ca-org3 --tls.certfiles ${PWD}/organizations/fabric-ca/org3/tls-cert.pem set +x echo 'NodeOUs: Enable: true ClientOUIdentifier: Certificate: cacerts/localhost-10054-ca-org3.pem OrganizationalUnitIdentifier: client PeerOUIdentifier: Certificate: cacerts/localhost-10054-ca-org3.pem OrganizationalUnitIdentifier: peer AdminOUIdentifier: Certificate: cacerts/localhost-10054-ca-org3.pem OrganizationalUnitIdentifier: admin OrdererOUIdentifier: Certificate: cacerts/localhost-10054-ca-org3.pem OrganizationalUnitIdentifier: orderer' > ${PWD}/organizations/peerOrganizations/org3.example.com/msp/config.yaml echo echo "Register peer0" echo set -x fabric-ca-client register --caname ca-org3 --id.name peer0 --id.secret peer0pw --id.type peer --id.attrs '"hf.Registrar.Roles=peer"' --tls.certfiles ${PWD}/organizations/fabric-ca/org3/tls-cert.pem set +x echo echo "Register peer1" echo set -x fabric-ca-client register --caname ca-org3 --id.name peer1 --id.secret peer1pw --id.type peer --id.attrs '"hf.Registrar.Roles=peer"' --tls.certfiles ${PWD}/organizations/fabric-ca/org3/tls-cert.pem set +x echo echo "Register user" echo set -x fabric-ca-client register --caname ca-org3 --id.name user1 --id.secret user1pw --id.type client --id.attrs '"hf.Registrar.Roles=client"' --tls.certfiles ${PWD}/organizations/fabric-ca/org3/tls-cert.pem set +x echo echo "Register the org admin" echo set -x fabric-ca-client register --caname ca-org3 --id.name org3admin --id.secret org3adminpw --id.type admin --id.attrs '"hf.Registrar.Roles=admin"' --tls.certfiles ${PWD}/organizations/fabric-ca/org3/tls-cert.pem set +x mkdir -p organizations/peerOrganizations/org3.example.com/peers mkdir -p organizations/peerOrganizations/org3.example.com/peers/peer0.org3.example.com mkdir -p organizations/peerOrganizations/org3.example.com/peers/peer1.org3.example.com echo echo "## Generate the peer0 msp" echo set -x fabric-ca-client enroll -u https://peer0:peer0pw@localhost:10054 --caname ca-org3 -M ${PWD}/organizations/peerOrganizations/org3.example.com/peers/peer0.org3.example.com/msp --csr.hosts peer0.org3.example.com --tls.certfiles ${PWD}/organizations/fabric-ca/org3/tls-cert.pem set +x echo echo "## Generate the peer1 msp" echo set -x fabric-ca-client enroll -u https://peer1:peer1pw@localhost:10054 --caname ca-org3 -M ${PWD}/organizations/peerOrganizations/org3.example.com/peers/peer1.org3.example.com/msp --csr.hosts peer1.org3.example.com --tls.certfiles ${PWD}/organizations/fabric-ca/org3/tls-cert.pem set +x cp ${PWD}/organizations/peerOrganizations/org3.example.com/msp/config.yaml ${PWD}/organizations/peerOrganizations/org3.example.com/peers/peer0.org3.example.com/msp/config.yaml cp ${PWD}/organizations/peerOrganizations/org3.example.com/msp/config.yaml ${PWD}/organizations/peerOrganizations/org3.example.com/peers/peer1.org3.example.com/msp/config.yaml echo echo "## Generate the peer0-tls certificates" echo set -x fabric-ca-client enroll -u https://peer0:peer0pw@localhost:10054 --caname ca-org3 -M ${PWD}/organizations/peerOrganizations/org3.example.com/peers/peer0.org3.example.com/tls --enrollment.profile tls --csr.hosts peer0.org3.example.com --csr.hosts localhost --tls.certfiles ${PWD}/organizations/fabric-ca/org3/tls-cert.pem set +x echo echo "## Generate the peer1-tls certificates" echo set -x fabric-ca-client enroll -u https://peer1:peer1pw@localhost:10054 --caname ca-org3 -M ${PWD}/organizations/peerOrganizations/org3.example.com/peers/peer1.org3.example.com/tls --enrollment.profile tls --csr.hosts peer1.org3.example.com --csr.hosts localhost --tls.certfiles ${PWD}/organizations/fabric-ca/org3/tls-cert.pem set +x cp ${PWD}/organizations/peerOrganizations/org3.example.com/peers/peer0.org3.example.com/tls/tlscacerts/* ${PWD}/organizations/peerOrganizations/org3.example.com/peers/peer0.org3.example.com/tls/ca.crt cp ${PWD}/organizations/peerOrganizations/org3.example.com/peers/peer0.org3.example.com/tls/signcerts/* ${PWD}/organizations/peerOrganizations/org3.example.com/peers/peer0.org3.example.com/tls/server.crt cp ${PWD}/organizations/peerOrganizations/org3.example.com/peers/peer0.org3.example.com/tls/keystore/* ${PWD}/organizations/peerOrganizations/org3.example.com/peers/peer0.org3.example.com/tls/server.key cp ${PWD}/organizations/peerOrganizations/org3.example.com/peers/peer1.org3.example.com/tls/tlscacerts/* ${PWD}/organizations/peerOrganizations/org3.example.com/peers/peer1.org3.example.com/tls/ca.crt cp ${PWD}/organizations/peerOrganizations/org3.example.com/peers/peer1.org3.example.com/tls/signcerts/* ${PWD}/organizations/peerOrganizations/org3.example.com/peers/peer1.org3.example.com/tls/server.crt cp ${PWD}/organizations/peerOrganizations/org3.example.com/peers/peer1.org3.example.com/tls/keystore/* ${PWD}/organizations/peerOrganizations/org3.example.com/peers/peer1.org3.example.com/tls/server.key mkdir ${PWD}/organizations/peerOrganizations/org3.example.com/msp/tlscacerts cp ${PWD}/organizations/peerOrganizations/org3.example.com/peers/peer0.org3.example.com/tls/tlscacerts/* ${PWD}/organizations/peerOrganizations/org3.example.com/msp/tlscacerts/ca.crt mkdir ${PWD}/organizations/peerOrganizations/org3.example.com/tlsca cp ${PWD}/organizations/peerOrganizations/org3.example.com/peers/peer0.org3.example.com/tls/tlscacerts/* ${PWD}/organizations/peerOrganizations/org3.example.com/tlsca/tlsca.org3.example.com-cert.pem mkdir ${PWD}/organizations/peerOrganizations/org3.example.com/ca cp ${PWD}/organizations/peerOrganizations/org3.example.com/peers/peer0.org3.example.com/msp/cacerts/* ${PWD}/organizations/peerOrganizations/org3.example.com/ca/ca.org3.example.com-cert.pem mkdir -p organizations/peerOrganizations/org3.example.com/users mkdir -p organizations/peerOrganizations/org3.example.com/users/User1@org3.example.com echo echo "## Generate the user msp" echo set -x fabric-ca-client enroll -u https://user1:user1pw@localhost:10054 --caname ca-org3 -M ${PWD}/organizations/peerOrganizations/org3.example.com/users/User1@org3.example.com/msp --tls.certfiles ${PWD}/organizations/fabric-ca/org3/tls-cert.pem set +x mkdir -p organizations/peerOrganizations/org3.example.com/users/Admin@org3.example.com echo echo "## Generate the org admin msp" echo set -x fabric-ca-client enroll -u https://org3admin:org3adminpw@localhost:10054 --caname ca-org3 -M ${PWD}/organizations/peerOrganizations/org3.example.com/users/Admin@org3.example.com/msp --tls.certfiles ${PWD}/organizations/fabric-ca/org3/tls-cert.pem set +x cp ${PWD}/organizations/peerOrganizations/org3.example.com/msp/config.yaml ${PWD}/organizations/peerOrganizations/org3.example.com/users/Admin@org3.example.com/msp/config.yaml }
执行脚本生成证书
. registerOrg3.sh createOrg3
将证书复制到fabric网络
2、新增org3定义到区块链
之前我们启动的网络的时候,在启动前需要是创建创始区块与通道配置,因此在为了让区块链知道这个新来的组织,需要把组织的配置添加到区块配置中
配置文件/root/go/src/github.com/hyperledger/fabric/fabric-samples/first-network/org3-artifacts/first-network/org3-artifacts/configtx.yaml
注意证书目录必须对应正确的org3证书目录
在first-network目录控制台输入以下命令生成org3定义
export FABRIC_CFG_PATH=$PWD configtxgen -printOrg Org3MSP -configPath org3-artifacts > channel-artifacts/org3.json
3、配置并启动org3相关节点容器
docker-compose-org3.yaml
# Copyright IBM Corp. All Rights Reserved. # # SPDX-License-Identifier: Apache-2.0 # version: '2' volumes: peer0.org3.example.com: peer1.org3.example.com: networks: byfn: services: peer0.org3.example.com: container_name: peer0.org3.example.com extends: file: base/peer-base.yaml service: peer-base environment: - CORE_PEER_ID=peer0.org3.example.com - CORE_PEER_ADDRESS=peer0.org3.example.com:11051 - CORE_PEER_LISTENADDRESS=0.0.0.0:11051 - CORE_PEER_CHAINCODEADDRESS=peer0.org3.example.com:11052 - CORE_PEER_CHAINCODELISTENADDRESS=0.0.0.0:11052 - CORE_PEER_GOSSIP_BOOTSTRAP=peer1.org3.example.com:12051 - CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer0.org3.example.com:11051 - CORE_PEER_LOCALMSPID=Org3MSP volumes: - /var/run/:/host/var/run/ - ./crypto-config/peerOrganizations/org3.example.com/peers/peer0.org3.example.com/msp:/etc/hyperledger/fabric/msp - ./crypto-config/peerOrganizations/org3.example.com/peers/peer0.org3.example.com/tls:/etc/hyperledger/fabric/tls #- ./org3-config:/etc/hyperledger/fabric - peer0.org3.example.com:/var/hyperledger/production ports: - 11051:11051 networks: - byfn extra_hosts: - "orderer.example.com:10.20.31.116" - "orderer2.example.com:10.20.31.117" - "orderer3.example.com:10.20.31.137" - "orderer4.example.com:10.20.31.232" - "orderer5.example.com:10.20.31.116" - "peer0.org1.example.com:10.20.31.116" - "peer1.org1.example.com:10.20.31.117" - "peer0.org2.example.com:10.20.31.137" - "peer1.org2.example.com:10.20.31.232" - "peer0.org3.example.com:10.20.31.137" - "peer1.org3.example.com:10.20.31.137" - "couchdb0:10.20.31.116" - "couchdb1:10.20.31.117" - "couchdb2:10.20.31.137" - "couchdb3:10.20.31.232" peer1.org3.example.com: container_name: peer1.org3.example.com extends: file: base/peer-base.yaml service: peer-base environment: - CORE_PEER_ID=peer1.org3.example.com - CORE_PEER_ADDRESS=peer1.org3.example.com:12051 - CORE_PEER_LISTENADDRESS=0.0.0.0:12051 - CORE_PEER_CHAINCODEADDRESS=peer1.org3.example.com:12052 - CORE_PEER_CHAINCODELISTENADDRESS=0.0.0.0:12052 - CORE_PEER_GOSSIP_BOOTSTRAP=peer0.org3.example.com:11051 - CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer1.org3.example.com:12051 - CORE_PEER_LOCALMSPID=Org3MSP volumes: - /var/run/:/host/var/run/ - ./crypto-config/peerOrganizations/org3.example.com/peers/peer1.org3.example.com/msp:/etc/hyperledger/fabric/msp - ./crypto-config/peerOrganizations/org3.example.com/peers/peer1.org3.example.com/tls:/etc/hyperledger/fabric/tls #- ./org3-config:/etc/hyperledger/fabric - peer1.org3.example.com:/var/hyperledger/production ports: - 12051:12051 networks: - byfn extra_hosts: - "orderer.example.com:10.20.31.116" - "orderer2.example.com:10.20.31.117" - "orderer3.example.com:10.20.31.137" - "orderer4.example.com:10.20.31.232" - "orderer5.example.com:10.20.31.116" - "peer0.org1.example.com:10.20.31.116" - "peer1.org1.example.com:10.20.31.117" - "peer0.org2.example.com:10.20.31.137" - "peer1.org2.example.com:10.20.31.232" - "peer0.org3.example.com:10.20.31.137" - "peer1.org3.example.com:10.20.31.137"
启动org3
docker-compose -f docker-compose-org3.yaml up -d
4、 更新通道配置
进入cli:docker exec -it cli /bin/bash设置环境变量
export ORDERER_CA=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem export CHANNEL_NAME=mychannel echo $ORDERER_CA && echo $CHANNEL_NAME
export CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp export CORE_PEER_ADDRESS=peer0.org1.example.com:7051 export CORE_PEER_LOCALMSPID="Org1MSP" export CORE_PEER_TLS_ROOTCERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt
输入以下命令获取最新块
peer channel fetch config config_block.pb -o orderer.example.com:7050 -c $CHANNEL_NAME --tls --cafile $ORDERER_CA
修改配置将pb文件转json
configtxlator proto_decode --input config_block.pb --type common.Block | jq .data.data[0].payload.data.config > config.json
将之前org3的配置org3.json添加到config.json
先把之前生成的org3.json放进去Org3cli容器
docker cp channel-artifacts/org3.json 099ab9c5f39b:/opt/gopath/src/github.com/hyperledger/fabric/peer
PS:099ab9c5f39b cli容器id
jq -s '.[0] * {"channel_group":{"groups":{"Application":{"groups": {"Org3MSP":.[1]}}}}}' config.json org3.json > modified_config.json
将config.json 跟modified_config.json 转pb编码
configtxlator proto_encode --input config.json --type common.Config --output config.pb configtxlator proto_encode --input modified_config.json --type common.Config --output modified_config.pb
计算两个pb差异
configtxlator compute_update --channel_id mychannel --original config.pb --updated modified_config.pb --output org3_update.pb
将更新的pb解析为json
configtxlator proto_decode --input org3_update.pb --type common.ConfigUpdate | jq . > org3_update.json
现在我们有一个解码后的更新文件org3_update.json,我们需要将其包装在信封消息中。此步骤将使我们返回之前删除的header字段。我们将这个文件命名为org3_update_in_envelope.json:
echo '{"payload":{"header":{"channel_header":{"channel_id":"'$CHANNEL_NAME'", "type":2}},"data":{"config_update":'$(cat org3_update.json)'}}}' | jq . > org3_update_in_envelope.json
使用我们正确格式的JSON – org3_update_in_envelope.json我们将configtxlator最后一次使用该工具,并将其转换为Fabric所需的完整protobuf格式。我们将命名我们的最终更新对象org3_update_in_envelope.pb:
configtxlator proto_encode --input org3_update_in_envelope.json --type common.Envelope --output org3_update_in_envelope.pb
签名并提交更新配置
peer channel signconfigtx -f org3_update_in_envelope.pb
切换环境为org2执行更新配置,因为update也会为当前组织签名,所以不需要再org2签名
export CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org2.example.com/users/Admin@org2.example.com/msp export CORE_PEER_ADDRESS=peer0.org2.example.com:7051 export CORE_PEER_LOCALMSPID="Org2MSP" export CORE_PEER_TLS_ROOTCERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org2.example.com/peers/peer0.org2
更新命令
peer channel update -f org3_update_in_envelope.pb -c $CHANNEL_NAME -o orderer.example.com:7050 --tls --cafile $ORDERER_CA
5、org3加入通道
切换成org3环境变量
export CORE_PEER_LOCALMSPID=Org3MSP export CORE_PEER_ADDRESS=peer0.org3.example.com:11051 export CORE_PEER_TLS_ROOTCERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org3.example.com/peers/peer0.org3.example.com/tls/ca.crt export CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org3.example.com/users/Admin@org3.example.com/msp
获取mychannel 0号块创始块
peer channel fetch 0 mychannel.block -o orderer.example.com:7050 -c $CHANNEL_NAME --tls --cafile $ORDERER_CA
该命令将创世块返回到名为的文件mychannel.block。现在,我们可以使用此块将org3的节点加入通道。
peer channel join -b mychannel.block
通过peer channel list 验证