我正在尝试将新的订购者组织添加到基于RAFT的现有订购服务中。我正在使用first-network中的fabric-samples作为基础网络。在生成加密材料的同时,我进行了修改以为另外1个订购者组织生成加密材料。 crypto-config.yaml看起来像:
OrdererOrgs:
# ---------------------------------------------------------------------------
# Orderer
# ---------------------------------------------------------------------------
- Name: Orderer
Domain: example.com
EnableNodeOUs: true
# ---------------------------------------------------------------------------
# "Specs" - See PeerOrgs below for complete description
# ---------------------------------------------------------------------------
Specs:
- Hostname: orderer
- Hostname: orderer2
- Hostname: orderer3
- Hostname: orderer4
- Hostname: orderer5
- Name: Orderer1
Domain: example1.com
EnableNodeOUs: true
Specs:
- Hostname: orderer
- Hostname: orderer2
- Hostname: orderer3
# ---------------------------------------------------------------------------
# "PeerOrgs" - Definition of organizations managing peer nodes
# ---------------------------------------------------------------------------
PeerOrgs:
# ---------------------------------------------------------------------------
# Org1
# ---------------------------------------------------------------------------
- Name: Org1
Domain: org1.example.com
EnableNodeOUs: true
Template:
Count: 2
# Start: 5
# Hostname: {{.Prefix}}{{.Index}} # default
# ---------------------------------------------------------------------------
# "Users"
# ---------------------------------------------------------------------------
# Count: The number of user accounts _in addition_ to Admin
# ---------------------------------------------------------------------------
Users:
Count: 1
# ---------------------------------------------------------------------------
# Org2: See "Org1" for full specification
# ---------------------------------------------------------------------------
- Name: Org2
Domain: org2.example.com
EnableNodeOUs: true
Template:
Count: 2
Users:
Count: 1
此外,用于以JSON格式创建新的Orderer组织的MSP的configtx.yaml给出为:
Organizations:
- &Orderer1Org
# DefaultOrg defines the organization which is used in the sampleconfig
# of the fabric.git development environment
Name: Orderer1Org
# ID to load the MSP definition as
ID: Orderer1MSP
MSPDir: ../crypto-config/ordererOrganizations/example1.com/msp
# Policies defines the set of policies at this level of the config tree
# For organization policies, their canonical path is usually
# /Channel/<Application|Orderer>/<OrgName>/<PolicyName>
Policies:
Readers:
Type: Signature
Rule: "OR('Orderer1MSP.member')"
Writers:
Type: Signature
Rule: "OR('Orderer1MSP.member')"
Admins:
Type: Signature
Rule: "OR('Orderer1MSP.admin')"
然后,我使用byfn.sh启动网络。现在,在以下步骤中,使用cli容器修改系统通道配置:
首先,我将组织的JSON添加到Orderer组,如下所示,并提交频道更新:
jq -s'。[0] * {“ channel_group”:{“ groups”:{“ Orderer”:{“ groups:{” Orderer1Org“:。[1]}}}}}'config.json orderer1org.json> Modifyed_config.json
然后我将组织的JSON添加到Consortium组,如下所示,并提交频道更新:
jq -s'。[0] * {“ channel_group”:{“ groups”:{“ Consortiums :: {” groups“:{” SampleConsortium“:{” groups“:{” Orderer1MSP“:.. [1]}}}}}}}}'} config1。 json orderer1org.json> Modifyed_config1.json
然后我将组织的orderer1 TLS证书添加到Consenters部分并提交频道更新:
cert =`base64 ../crypto/ordererOrganizations/example1.com/orderers/orderer.example1.com/tls/server.crt | sed':a; N; $!ba; s / \ n // g'`
catmodified_config1.json | jq'.channel_group.groups.Orderer.values.ConsensusType.value.metadata.consenters + = [{“ client_tls_cert”:“'$ cert'”,“ host”:“ orderer.example1.com”,“端口”:7050 ,“ server_tls_cert”:“'$ cert'”}}'> Modifyed_config2.json
然后用新的Orderer Org的JSON更新系统通道配置的Application组:
jq -s'。[0] * {“ channel_group”:{“ groups”:{“ Application”:{“ groups:{” Orderer1Org“:。[1]}}}}}'config.json orderer1org.json> Modifyed_config.json
然后我在新组织(orderer.example1.com)中启动一个订购者,但容器由于以下错误而失败:
2020-04-09 13:09:05.600 UTC [orderer.common.cluster.replication] fetchLastBlockSeq -> WARN 0e8 Received status:FORBIDDEN from orderer.example.com:7050: forbidden pulling the cha
nnel
2020-04-09 13:09:05.600 UTC [orderer.common.cluster.replication] func1 -> WARN 0e9 Received error of type 'forbidden pulling the channel' from {orderer.example.com:7050 [certs]}
orderer.example.com日志抛出此错误:
2020-04-09 13:28:59.338 UTC [cauthdsl] deduplicate -> ERRO a3c Principal deserialization failure (the supplied identity is not valid: x509: certificate signed by unknown authorit
y) for identity 0
2020-04-09 13:28:59.338 UTC [cauthdsl] deduplicate -> ERRO a3d Principal deserialization failure (the supplied identity is not valid: x509: certificate signed by unknown authorit
y) for identity 0
2020-04-09 13:28:59.339 UTC [cauthdsl] deduplicate -> ERRO a3e Principal deserialization failure (the supplied identity is not valid: x509: certificate signed by unknown authorit
y) for identity 0
2020-04-09 13:28:59.340 UTC [cauthdsl] deduplicate -> ERRO a3f Principal deserialization failure (the supplied identity is not valid: x509: certificate signed by unknown authorit
y) for identity 0
2020-04-09 13:28:59.340 UTC [common.deliver] deliverBlocks -> WARN a40 [channel: byfn-sys-channel] Client authorization revoked for deliver request from 172.25.0.15:36196: implic
it policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Readers' sub-policies to be satisfied: permission denied
2020-04-09 13:28:59.341 UTC [comm.grpc.server] 1 -> INFO a41 streaming call completed grpc.service=orderer.AtomicBroadcast grpc.method=Deliver grpc.peer_address=172.25.0.15:36196
grpc.peer_subject="CN=orderer.example1.com,L=San Francisco,ST=California,C=US" grpc.code=OK grpc.call_duration=4.992078ms
我能够通过添加新的订购者组织来扩展first-network,如下所示:
first-network模式在byfn.sh存储库中通过fabric-samples脚本启动etcdraft。crypto-config.yaml中所述的加密材料。configtxgen工具将新订购者组织的MSP打印为JSON格式。docker cp到正在运行的cli容器中。cli容器内设置环境。导入最新的system-channel配置。将其解码为JSON格式。编辑系统通道配置块的Orderer部分,如下所示添加新订购者组织的MSP:
jq -s '.[0] * {"channel_group":{"groups":{"Orderer":{"groups": {"Orderer1Org":.[1]}}}}}' config.json orderer1org.json > config1.json
编辑系统通道配置块的Consortiums部分,如下所示添加新订购者组织的MSP:
jq -s '.[0] * {"channel_group":{"groups":{"Consortiums":{"groups":{"SampleConsortium":{"groups": {"Orderer1MSP":.[1]}}}}}}}' config1.json orderer1org.json > config2.json
编辑系统通道配置块的Consenters部分,为新订购者组织的orderer.example1.com节点添加TLS凭据,如下所示:
cert=`base64 ../crypto/ordererOrganizations/example1.com/orderers/orderer.example1.com/tls/server.crt | sed ':a;N;$!ba;s/\n//g'`
cat config2.json | jq '.channel_group.groups.Orderer.values.ConsensusType.value.metadata.consenters += [{"client_tls_cert": "'$cert'", "host": "orderer.example1.com", "port": 7050, "server_tls_cert": "'$cert'"}] ' > modified_config.json
对块进行编码,找到增量,创建频道更新交易,将其编码为protobuf信封,然后提交频道更新交易。
] >>genesis.block文件,启动一个订购者(先前添加到同意者列表中的订购者)。>>docker exec放入cli容器。使用现有订购者节点的环境,获取最新的系统通道配置。编辑系统通道配置块以在OrdererAddresses部分中添加新订购者的端点,如下所示:
cat config.json | jq '.channel_group.values.OrdererAddresses.value.addresses += ["orderer.example1.com:7050"] ' > modified_config.json
对块进行编码,找到增量,创建频道更新事务,将其编码为protobuf信封,并获得Orderer1Org管理员签名的块,以满足mod_policy资源的/Channel/OrdererAddresses需求,该资源已设置为Admins策略。此隐式元策略期望在该更新级别上具有MAJORITY Admins的签名。因此,由于订购者组织的数量现在为2,因此我们需要组织的两位管理员来签署此系统渠道更新交易。设置与Orderer1Org admin对应的环境,然后运行以下命令:
peer channel signconfigtx -f ordorg_update_in_envelope.pb
将环境重新设置为OrdererOrg管理员并提交频道更新交易。 peer channel update将代表OrdererOrg管理员自动签署交易。
peer channel update -f ordorg_update_in_envelope.pb -c $CHANNEL_NAME -o orderer.example.com:7050 --tls true --cafile $ORDERER_CA
要更新任何应用程序通道,只需通过更新应用程序通道配置块的Application部分来替换步骤7,以在其中添加新订购者组织的MSP。
希望这会有所帮助!