How to add a new Orderer Organization to existing Hyperledger Fabric network
I am trying to add a new orderer organization to an existing RAFT-based ordering service. I am using first-network from fabric-samples as the base network. When generating the crypto material, I modified it to also generate crypto material for one additional orderer organization. The crypto-config.yaml looks like:
OrdererOrgs:
  # ---------------------------------------------------------------------------
  # Orderer
  # ---------------------------------------------------------------------------
  - Name: Orderer
    Domain: example.com
    EnableNodeOUs: true
    # ---------------------------------------------------------------------------
    # "Specs" - See PeerOrgs below for complete description
    # ---------------------------------------------------------------------------
    Specs:
      - Hostname: orderer
      - Hostname: orderer2
      - Hostname: orderer3
      - Hostname: orderer4
      - Hostname: orderer5
  - Name: Orderer1
    Domain: example1.com
    EnableNodeOUs: true
    Specs:
      - Hostname: orderer
      - Hostname: orderer2
      - Hostname: orderer3
# ---------------------------------------------------------------------------
# "PeerOrgs" - Definition of organizations managing peer nodes
# ---------------------------------------------------------------------------
PeerOrgs:
  # ---------------------------------------------------------------------------
  # Org1
  # ---------------------------------------------------------------------------
  - Name: Org1
    Domain: org1.example.com
    EnableNodeOUs: true
    Template:
      Count: 2
      # Start: 5
      # Hostname: {{.Prefix}}{{.Index}} # default
    # ---------------------------------------------------------------------------
    # "Users"
    # ---------------------------------------------------------------------------
    # Count: The number of user accounts _in addition_ to Admin
    # ---------------------------------------------------------------------------
    Users:
      Count: 1
  # ---------------------------------------------------------------------------
  # Org2: See "Org1" for full specification
  # ---------------------------------------------------------------------------
  - Name: Org2
    Domain: org2.example.com
    EnableNodeOUs: true
    Template:
      Count: 2
    Users:
      Count: 1
In addition, the configtx.yaml used to create the new orderer organization's MSP in JSON format looks like this:
Organizations:
  - &Orderer1Org
    # DefaultOrg defines the organization which is used in the sampleconfig
    # of the fabric.git development environment
    Name: Orderer1Org
    # ID to load the MSP definition as
    ID: Orderer1MSP
    MSPDir: ../crypto-config/ordererOrganizations/example1.com/msp
    # Policies defines the set of policies at this level of the config tree
    # For organization policies, their canonical path is usually
    # /Channel/<Application|Orderer>/<OrgName>/<PolicyName>
    Policies:
      Readers:
        Type: Signature
        Rule: "OR('Orderer1MSP.member')"
      Writers:
        Type: Signature
        Rule: "OR('Orderer1MSP.member')"
      Admins:
        Type: Signature
        Rule: "OR('Orderer1MSP.admin')"
Then I start the network using byfn.sh. Now I modify the system channel configuration from the cli container, with the following steps:
First I add the organization's JSON to the Orderer group as shown below and submit the channel update:
jq -s '.[0] * {"channel_group":{"groups":{"Orderer":{"groups": {"Orderer1Org":.[1]}}}}}' config.json orderer1org.json > modified_config.json
Then I add the organization's JSON to the Consortium group as shown below and submit the channel update:
jq -s '.[0] * {"channel_group":{"groups":{"Consortiums":{"groups":{"SampleConsortium":{"groups": {"Orderer1MSP": .[1]}}}}}}}' config1.json orderer1org.json > modified_config1.json
Then I add the organization's orderer1 TLS certificate to the Consenters section and submit the channel update:
cert=`base64 ../crypto/ordererOrganizations/example1.com/orderers/orderer.example1.com/tls/server.crt | sed ':a;N;$!ba;s/\n//g'`
cat modified_config1.json | jq '.channel_group.groups.Orderer.values.ConsensusType.value.metadata.consenters += [{"client_tls_cert": "'$cert'", "host": "orderer.example1.com", "port": 7050, "server_tls_cert" : "'$cert'"}] ' > modified_config2.json
Then I update the Application group of the system channel configuration with the new Orderer Org's JSON:
jq -s '.[0] * {"channel_group":{"groups":{"Application":{"groups": {"Orderer1Org":.[1]}}}}}' config.json orderer1org.json > modified_config.json
Then I started an orderer in the new organization (orderer.example1.com), but the container fails with the following error:
2020-04-09 13:09:05.600 UTC [orderer.common.cluster.replication] fetchLastBlockSeq -> WARN 0e8 Received status:FORBIDDEN from orderer.example.com:7050: forbidden pulling the channel
2020-04-09 13:09:05.600 UTC [orderer.common.cluster.replication] func1 -> WARN 0e9 Received error of type 'forbidden pulling the channel' from {orderer.example.com:7050 [certs]}
The orderer.example.com log throws this error:
2020-04-09 13:28:59.338 UTC [cauthdsl] deduplicate -> ERRO a3c Principal deserialization failure (the supplied identity is not valid: x509: certificate signed by unknown authority) for identity 0
2020-04-09 13:28:59.338 UTC [cauthdsl] deduplicate -> ERRO a3d Principal deserialization failure (the supplied identity is not valid: x509: certificate signed by unknown authority) for identity 0
2020-04-09 13:28:59.339 UTC [cauthdsl] deduplicate -> ERRO a3e Principal deserialization failure (the supplied identity is not valid: x509: certificate signed by unknown authority) for identity 0
2020-04-09 13:28:59.340 UTC [cauthdsl] deduplicate -> ERRO a3f Principal deserialization failure (the supplied identity is not valid: x509: certificate signed by unknown authority) for identity 0
2020-04-09 13:28:59.340 UTC [common.deliver] deliverBlocks -> WARN a40 [channel: byfn-sys-channel] Client authorization revoked for deliver request from 172.25.0.15:36196: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Readers' sub-policies to be satisfied: permission denied
2020-04-09 13:28:59.341 UTC [comm.grpc.server] 1 -> INFO a41 streaming call completed grpc.service=orderer.AtomicBroadcast grpc.method=Deliver grpc.peer_address=172.25.0.15:36196 grpc.peer_subject="CN=orderer.example1.com,L=San Francisco,ST=California,C=US" grpc.code=OK grpc.call_duration=4.992078ms
I was able to extend first-network by adding a new orderer organization as follows:
- Start first-network in etcdraft mode via the byfn.sh script from the fabric-samples repository.
- I generated the crypto material as described in the question's crypto-config.yaml above.
- Use the configtxgen tool to print the new orderer organization's MSP in JSON format.
- Mount or docker cp this JSON file into the running cli container.
- Set the environment inside the cli container to that of an existing orderer node. Fetch the latest system-channel configuration. Decode it into JSON format.
  Edit the Orderer section of the system channel config block to add the new orderer organization's MSP, as follows:
  jq -s '.[0] * {"channel_group":{"groups":{"Orderer":{"groups": {"Orderer1Org":.[1]}}}}}' config.json orderer1org.json > config1.json
  Edit the Consortiums section of the system channel config block to add the new orderer organization's MSP, as follows:
  jq -s '.[0] * {"channel_group":{"groups":{"Consortiums":{"groups":{"SampleConsortium":{"groups": {"Orderer1MSP":.[1]}}}}}}}' config1.json orderer1org.json > config2.json
  Edit the Consenters section of the system channel config block to add the TLS credentials of the new orderer organization's orderer.example1.com node, as follows:
  cert=`base64 ../crypto/ordererOrganizations/example1.com/orderers/orderer.example1.com/tls/server.crt | sed ':a;N;$!ba;s/\n//g'`
  cat config2.json | jq '.channel_group.groups.Orderer.values.ConsensusType.value.metadata.consenters += [{"client_tls_cert": "'$cert'", "host": "orderer.example1.com", "port": 7050, "server_tls_cert": "'$cert'"}] ' > modified_config.json
  Encode the block, compute the delta, create the channel update transaction, encode it as a protobuf envelope and submit the channel update transaction.
- Fetch the latest system channel configuration block.
- Start one of the orderers (the one previously added to the consenters list) using this newly fetched system channel config block as its genesis.block file.
- docker exec into the cli container. Using the environment of an existing orderer node, fetch the latest system channel configuration.
  Edit the system channel config block to add the new orderer node to the OrdererAddresses section, as follows:
  cat config.json | jq '.channel_group.values.OrdererAddresses.value.addresses += ["orderer.example1.com:7050"] ' > modified_config.json
  Encode the block, compute the delta, create the channel update transaction, encode it as a protobuf envelope and have it signed by the Orderer1Org admin, in order to satisfy the mod_policy of the /Channel/OrdererAddresses resource, which is set to the Admins policy. This implicit meta-policy requires MAJORITY Admins signatures at that level of the update. So, since the number of orderer organizations is now 2, we need the admins of both organizations to sign this system channel update transaction. Set the environment for the Orderer1Org admin and run the following command:
  peer channel signconfigtx -f ordorg_update_in_envelope.pb
  Set the environment back to the OrdererOrg admin and submit the channel update transaction. peer channel update will automatically sign the transaction on behalf of the OrdererOrg admin.
  peer channel update -f ordorg_update_in_envelope.pb -c $CHANNEL_NAME -o orderer.example.com:7050 --tls true --cafile $ORDERER_CA
To update any application channel, simply replace step 7 by updating the Application section of the application channel config block to add the new orderer organization's MSP there.
Hope this helps!
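The signing requirement the answer describes (MAJORITY Admins across the orderer organizations, so two admins once a second org is added) can be checked before an update is submitted. The script below is an added example, not code from the post above or from Fabric itself; it re-implements Fabric's Signature (type 1) and ImplicitMeta (type 3) policy evaluation over a constructed stand-in for the configtxlator-decoded Orderer group, and the names orderer_group_config, evaluate and check are the example's own.

```python
def _signature_policy(msp, role="ADMIN"):
    # Same shape configtxlator proto_decode emits for Rule: "OR('<msp>.admin')"
    return {"type": 1, "value": {
        "identities": [{"principal_classification": "ROLE",
                        "principal": {"msp_identifier": msp, "role": role}}],
        "rule": {"n_out_of": {"n": 1, "rules": [{"signed_by": 0}]}}}}


def _implicit_meta(rule, sub_policy="Admins"):
    return {"type": 3, "value": {"rule": rule, "sub_policy": sub_policy}}


def orderer_group_config(orgs):
    """Constructed stand-in for a decoded system channel config (not a real block):
    one Orderer sub-group per {org_name: msp_id}, each with a Signature Admins
    policy, under the Orderer group's MAJORITY Admins meta-policy."""
    groups = {name: {"groups": {}, "policies": {"Admins": {"policy": _signature_policy(msp)}}}
              for name, msp in orgs.items()}
    return {"channel_group": {"groups": {"Orderer": {
        "groups": groups, "policies": {"Admins": {"policy": _implicit_meta("MAJORITY")}}}}}}


def _eval_signature(value, signers):
    identities = value["identities"]

    def satisfied(rule):
        if "signed_by" in rule:
            p = identities[rule["signed_by"]]["principal"]
            return (p["msp_identifier"], p["role"]) in signers
        n_out_of = rule["n_out_of"]
        return sum(satisfied(r) for r in n_out_of["rules"]) >= n_out_of["n"]

    return satisfied(value["rule"])


def evaluate(group, policy_name, signers):
    """True if group.policies[policy_name] is satisfied by the (msp, role) signers."""
    pol = group["policies"][policy_name]["policy"]
    if pol["type"] == 1:
        return _eval_signature(pol["value"], signers)
    rule, sub = pol["value"]["rule"], pol["value"]["sub_policy"]
    # ImplicitMeta: evaluate the same-named sub-policy in every child group that has one
    children = [g for g in group.get("groups", {}).values() if sub in g.get("policies", {})]
    hits = sum(evaluate(g, sub, signers) for g in children)
    # Fabric thresholds: ANY = 1, ALL = n, MAJORITY = n/2 + 1 (integer division)
    threshold = {"ANY": 1, "ALL": len(children), "MAJORITY": len(children) // 2 + 1}[rule]
    return hits >= threshold


def check(config, policy_path, signers):
    """policy_path like '/Channel/Orderer/Admins'; signers is a set of (msp, role)."""
    parts = policy_path.strip("/").split("/")
    group = config["channel_group"]
    for name in parts[1:-1]:
        group = group["groups"][name]
    return evaluate(group, parts[-1], signers)


if __name__ == "__main__":
    cfg = orderer_group_config({"OrdererOrg": "OrdererMSP", "Orderer1Org": "Orderer1MSP"})
    print(check(cfg, "/Channel/Orderer/Admins", {("OrdererMSP", "ADMIN")}))
    print(check(cfg, "/Channel/Orderer/Admins",
                {("OrdererMSP", "ADMIN"), ("Orderer1MSP", "ADMIN")}))
```

Run against a real decoded config.json instead of the stand-in, the same check tells you whose admin signature is still missing before peer channel update rejects the envelope.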
I followed the above steps in order to add a new orderer organization to the existing network, but the channel update (i.e. applying the config change to the orderer channel) throws the following error:
2020-09-29 00:53:49.794 UTC [channelCmd] InitCmdFactory -> INFO 001 Endorser and orderer connections initialized
Error: got unexpected status: BAD_REQUEST -- error applying config update to existing channel 'e2e-orderer-syschan': error authorizing update: error validating DeltaSet: policy for [Value] /Channel/OrdererAddresses not satisfied: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Admins' sub-policies to be satisfied
I build the modified JSON for the block with the following calls (tried mixing/matching combinations of the json change steps below):
jq -s '.[0] * {"channel_group":{"groups":{"Application":{"groups": {"'${KL_NEW_ORDERER_NAME}'":.[1]}}}}}' config.json ${KL_NEW_ORDERER_NAME}.json > modified-config.json
jq -s '.[0] * {"channel_group":{"groups":{"Orderer":{"groups": {"'${KL_NEW_ORDERER_NAME}'":.[1]}}}}}' modified-config.json ${KL_NEW_ORDERER_NAME}.json > modified-config1.json
jq -s '.[0] * {"channel_group":{"groups":{"Consortiums":{"groups":{"'${KL_CONSORTIUM_NAME}'":{"groups": {"Orderermk01MSP":.[1]}}}}}}}' modified-config1.json ${KL_NEW_ORDERER_NAME}.json > modified-config2.json
LENGTH=$(jq '.channel_group.values.OrdererAddresses.value.addresses | length' modified-config2.json)
jq '.channel_group.values.OrdererAddresses.value.addresses['${LENGTH}'] |= "'${KL_NEW_ORDERER_URL}'"' modified-config2.json > modified-config3.json
cert=`base64 /hl-material/mk01-orderer/crypto-config/ordererOrganizations/${KL_DOMAIN}/orderers/orderer.mk01.${KL_DOMAIN}/tls/server.crt | sed ':a;N;$!ba;s/\n//g'`
cat modified-config3.json | jq '.channel_group.groups.Orderer.values.ConsensusType.value.metadata.consenters += [{"client_tls_cert": "'$cert'", "host": "raft0.mk01.'${KL_DOMAIN}'", "port": 32050, "server_tls_cert": "'$cert'"}] ' > modified-config4.json
My network setup is based on HLF 2.2 LTS, with 5 raft nodes under a K8s cluster.
I successfully set up multi-channel, multi-peer-org on 2.2 LTS (and know how to do it dynamically without shutting down any part of the network). But now I am looking to dynamically extend the orderer organizations across multiple clusters/orgs. Do the above steps need any hints or updates? Thanks again,
Maria
我在 2.2 LTS 上成功设置了多渠道、多对等组织(知道如何在不关闭任何网络的情况下以动态方式获得它)。但是现在正在寻找动态地将订购者组织扩展为多个 cluster/orgs。上述步骤是否需要任何提示或更新?再次感谢 玛丽亚