Deploying Hyperledger Fabric on multiple hosts

Time:2022-5-2

Preface

In the earlier experiments "Hyperledger Fabric: starting multiple orderer services with the Raft protocol without an orderer organization" and "Hyperledger Fabric: a TLS organization runs and maintains the orderer services", we completed the operation and maintenance of three Raft orderer nodes, with the council organization providing the tls-ca service. So far, however, we have always started the Fabric network on a single host. This article tries to deploy the network structure from those two experiments on multiple hosts.

Work preparation

Paper work

This article takes the network from the two experiments above and deploys it to two hosts, DebianA and DebianB. DebianA maintains the council and soft organizations and their nodes, and DebianB maintains the web and hard organizations and their nodes. The network structure is as follows (the experiment code has been uploaded to https://github.com/wefantasy/FabricLearn, under 5_FabricNetworkByMultiHost):

| Item | Host | Port | Description |
| --- | --- | --- | --- |
| council.ifantasy.net | DebianA | 7050 | CA service of the council organization; provides the tls-ca service for the consortium chain network |
| orderer1.council.ifantasy.net | DebianA | 7051 | Ordering service of orderer1 |
| orderer1.council.ifantasy.net | DebianA | 7052 | Admin service of orderer1 |
| orderer2.council.ifantasy.net | DebianA | 7054 | Ordering service of orderer2 |
| orderer2.council.ifantasy.net | DebianA | 7055 | Admin service of orderer2 |
| orderer3.council.ifantasy.net | DebianB | 7057 | Ordering service of orderer3 |
| orderer3.council.ifantasy.net | DebianB | 7058 | Admin service of orderer3 |
| soft.ifantasy.net | DebianA | 7250 | CA service of the soft organization; members: peer1, admin1 |
| peer1.soft.ifantasy.net | DebianA | 7251 | peer1 member node of the soft organization |
| web.ifantasy.net | DebianB | 7350 | CA service of the web organization; members: peer1, admin1 |
| peer1.web.ifantasy.net | DebianB | 7351 | peer1 member node of the web organization |
| hard.ifantasy.net | DebianB | 7450 | CA service of the hard organization; members: peer1, admin1 |
| peer1.hard.ifantasy.net | DebianB | 7451 | peer1 member node of the hard organization |

The relevant information of the two hosts is:

| Host name | Alias | Network address | Description |
| --- | --- | --- | --- |
| DebianA | host1 | 172.25.1.250 | Runs council and soft |
| DebianB | host2 | 172.25.1.251 | Runs web and hard |

Experimental preparation

This article copies the 4-2_RunOrdererByCouncil directory, created in the two experiments above, to 5_FabricNetworkByMultiHost and modifies it (it is recommended to copy the 5_FabricNetworkByMultiHost directory under FabricLearn in the sample repository to your local machine and work there). Most of the commands in this article were introduced in "Network engineering practice of a Hyperledger Fabric customized consortium chain", so they are not described in detail here. By default, all commands are executed in the 5_FabricNetworkByMultiHost root directory.

All experiments in this series are completed in a Debian virtual machine (DebianA) under VMware. This article clones the DebianA virtual machine as DebianB, generates all certificate files and channel files on DebianA, copies those files to DebianB, and then starts the corresponding part of the network on each host.

Configuration file

Running a Fabric network with Docker always requires solving the communication problem between nodes (configuring DNS alone is not enough). There are currently three main solutions:

  • Set the extra_hosts field in docker-compose.yaml
  • Use the container orchestration tool docker swarm
  • Use the container orchestration tool Kubernetes (K8S) (to be attempted later)

Kubernetes is currently the most popular approach to large-scale container scheduling and management, and I will try it later. For simplicity, this article uses the first method to let Docker containers on different hosts communicate. In practice, you only need to add the following extra_hosts code to each orderer service and peer service in compose/docker-compose.yaml, for example for orderer1.council.ifantasy.net:

  orderer1.council.ifantasy.net:
    container_name: orderer1.council.ifantasy.net
    extends:
      file: docker-base.yaml
      service: orderer-base
    environment:
      - ORDERER_HOST=orderer1.council.ifantasy.net
      - ORDERER_GENERAL_LOCALMSPID=councilMSP
      - ORDERER_GENERAL_LISTENPORT=7051
    volumes:
      - ${LOCAL_CA_PATH}/council.ifantasy.net/registers/orderer1:${DOCKER_CA_PATH}/orderer
      - ${LOCAL_ROOT_PATH}/data/genesis.block:${DOCKER_CA_PATH}/orderer/genesis.block
    ports:
      - 7051:7051
      - 7052:8888
      - 7053:9999
    extra_hosts:
      - "orderer1.council.ifantasy.net:172.25.1.250"
      - "orderer2.council.ifantasy.net:172.25.1.250"
      - "orderer3.council.ifantasy.net:172.25.1.251"

Without the above configuration, the nodes cannot communicate and the following error occurs:

Error: failed to send transaction: got unexpected status: SERVICE_UNAVAILABLE -- no Raft leader

Generate certificates and channels

Many tutorials on the Internet show how to deploy a Fabric network to multiple hosts [1][2]. Most of them, including this article, generate the certificate files of all organizations on one host and then distribute them for deployment. Note that this method must not be used in a production environment, because the host that generates the organization certificates has access rights to all organizations. In production, each organization should generate its own certificates through its own CA service, and after a single organization has created the channel, the other organizations should be added to it using the method in "Dynamic addition and deletion of Hyperledger Fabric organizations". In addition, using cryptogen to generate all certificates at once is undoubtedly much simpler than the Fabric CA method used in this article (DNS does not have to be considered).

Start CA service

Since all certificate files are generated on DebianA, first point the local DNS entries at DebianA itself (setDNSTemp.sh):

echo "127.0.0.1       council.ifantasy.net" >> /etc/hosts
echo "127.0.0.1       soft.ifantasy.net" >> /etc/hosts
echo "127.0.0.1       web.ifantasy.net" >> /etc/hosts
echo "127.0.0.1       hard.ifantasy.net" >> /etc/hosts

echo "127.0.0.1       orderer1.council.ifantasy.net" >> /etc/hosts
echo "127.0.0.1       orderer2.council.ifantasy.net" >> /etc/hosts
echo "127.0.0.1       orderer3.council.ifantasy.net" >> /etc/hosts

echo "127.0.0.1       peer1.soft.ifantasy.net" >> /etc/hosts
echo "127.0.0.1       peer1.web.ifantasy.net" >> /etc/hosts
echo "127.0.0.1       peer1.hard.ifantasy.net" >> /etc/hosts

Running 0_Restart.sh directly in the root directory starts the CA services required for this experiment.

docker stop $(docker ps -aq)
docker rm $(docker ps -aq)
docker rmi $(docker images 'dev-*' -q)
# rm -rf orgs data
docker-compose -f $LOCAL_ROOT_PATH/compose/docker-compose.yaml up -d council.ifantasy.net soft.ifantasy.net web.ifantasy.net hard.ifantasy.net

In the previous experiments we deleted all the certificate files on every restart, but given the complexity of generating certificates for multiple machines, here we only clear the Docker images and keep the certificate files.

Register accounts

Account registration is no different from the previous experiments. Running 1_RegisterUser.sh directly in the root directory registers the users required for this experiment.

  1. Council user registration:

    echo "Working on council"
    export FABRIC_CA_CLIENT_TLS_CERTFILES=$LOCAL_CA_PATH/council.ifantasy.net/ca/crypto/ca-cert.pem
    export FABRIC_CA_CLIENT_HOME=$LOCAL_CA_PATH/council.ifantasy.net/ca/admin
    fabric-ca-client enroll -d -u "https://ca-admin:${CA_ADMIN_PASSWORD}@council.ifantasy.net:7050"  # CA_ADMIN_PASSWORD: placeholder for this CA's ca-admin password
    fabric-ca-client register -d --id.name admin1 --id.secret admin1 --id.type admin -u https://council.ifantasy.net:7050
    fabric-ca-client register -d --id.name orderer1 --id.secret orderer1 --id.type orderer -u https://council.ifantasy.net:7050
    fabric-ca-client register -d --id.name orderer2 --id.secret orderer2 --id.type orderer -u https://council.ifantasy.net:7050
    fabric-ca-client register -d --id.name orderer3 --id.secret orderer3 --id.type orderer -u https://council.ifantasy.net:7050
    fabric-ca-client register -d --id.name peer1soft --id.secret peer1soft --id.type peer -u https://council.ifantasy.net:7050
    fabric-ca-client register -d --id.name peer1web --id.secret peer1web --id.type peer -u https://council.ifantasy.net:7050
    fabric-ca-client register -d --id.name peer1hard --id.secret peer1hard --id.type peer -u https://council.ifantasy.net:7050
  2. Soft user registration:

    echo "Working on soft"
    export FABRIC_CA_CLIENT_TLS_CERTFILES=$LOCAL_CA_PATH/soft.ifantasy.net/ca/crypto/ca-cert.pem
    export FABRIC_CA_CLIENT_HOME=$LOCAL_CA_PATH/soft.ifantasy.net/ca/admin
    fabric-ca-client enroll -d -u "https://ca-admin:${CA_ADMIN_PASSWORD}@soft.ifantasy.net:7250"  # CA_ADMIN_PASSWORD: placeholder for this CA's ca-admin password
    fabric-ca-client register -d --id.name peer1 --id.secret peer1 --id.type peer -u https://soft.ifantasy.net:7250
    fabric-ca-client register -d --id.name admin1 --id.secret admin1 --id.type admin -u https://soft.ifantasy.net:7250
  3. Web user registration:

    echo "Working on web"
    export FABRIC_CA_CLIENT_TLS_CERTFILES=$LOCAL_CA_PATH/web.ifantasy.net/ca/crypto/ca-cert.pem
    export FABRIC_CA_CLIENT_HOME=$LOCAL_CA_PATH/web.ifantasy.net/ca/admin
    fabric-ca-client enroll -d -u "https://ca-admin:${CA_ADMIN_PASSWORD}@web.ifantasy.net:7350"  # CA_ADMIN_PASSWORD: placeholder for this CA's ca-admin password
    fabric-ca-client register -d --id.name peer1 --id.secret peer1 --id.type peer -u https://web.ifantasy.net:7350
    fabric-ca-client register -d --id.name admin1 --id.secret admin1 --id.type admin -u https://web.ifantasy.net:7350
  4. Hard user registration:

    echo "Working on hard"
    export FABRIC_CA_CLIENT_TLS_CERTFILES=$LOCAL_CA_PATH/hard.ifantasy.net/ca/crypto/ca-cert.pem
    export FABRIC_CA_CLIENT_HOME=$LOCAL_CA_PATH/hard.ifantasy.net/ca/admin
    fabric-ca-client enroll -d -u "https://ca-admin:${CA_ADMIN_PASSWORD}@hard.ifantasy.net:7450"  # CA_ADMIN_PASSWORD: placeholder for this CA's ca-admin password
    fabric-ca-client register -d --id.name peer1 --id.secret peer1 --id.type peer -u https://hard.ifantasy.net:7450
    fabric-ca-client register -d --id.name admin1 --id.secret admin1 --id.type admin -u https://hard.ifantasy.net:7450

Organization certificate construction

Organization certificate construction is the same as in the previous experiments. Running 2_EnrollUser.sh directly in the root directory builds the certificates required for this experiment.

  1. Organization asset preprocessing:

    echo "Preparation============================="
    mkdir -p $LOCAL_CA_PATH/council.ifantasy.net/assets
    cp $LOCAL_CA_PATH/council.ifantasy.net/ca/crypto/ca-cert.pem $LOCAL_CA_PATH/council.ifantasy.net/assets/ca-cert.pem
    cp $LOCAL_CA_PATH/council.ifantasy.net/ca/crypto/ca-cert.pem $LOCAL_CA_PATH/council.ifantasy.net/assets/tls-ca-cert.pem
    
    mkdir -p $LOCAL_CA_PATH/soft.ifantasy.net/assets
    cp $LOCAL_CA_PATH/soft.ifantasy.net/ca/crypto/ca-cert.pem $LOCAL_CA_PATH/soft.ifantasy.net/assets/ca-cert.pem
    cp $LOCAL_CA_PATH/council.ifantasy.net/ca/crypto/ca-cert.pem $LOCAL_CA_PATH/soft.ifantasy.net/assets/tls-ca-cert.pem
    
    mkdir -p $LOCAL_CA_PATH/web.ifantasy.net/assets 
    cp $LOCAL_CA_PATH/web.ifantasy.net/ca/crypto/ca-cert.pem $LOCAL_CA_PATH/web.ifantasy.net/assets/ca-cert.pem
    cp $LOCAL_CA_PATH/council.ifantasy.net/ca/crypto/ca-cert.pem $LOCAL_CA_PATH/web.ifantasy.net/assets/tls-ca-cert.pem
    
    mkdir -p $LOCAL_CA_PATH/hard.ifantasy.net/assets
    cp $LOCAL_CA_PATH/hard.ifantasy.net/ca/crypto/ca-cert.pem $LOCAL_CA_PATH/hard.ifantasy.net/assets/ca-cert.pem
    cp $LOCAL_CA_PATH/council.ifantasy.net/ca/crypto/ca-cert.pem $LOCAL_CA_PATH/hard.ifantasy.net/assets/tls-ca-cert.pem
    echo "Preparation end=========================="
  2. Council certificate Construction:

    echo "Start Council============================="
    echo "Enroll Admin"
    export FABRIC_CA_CLIENT_HOME=$LOCAL_CA_PATH/council.ifantasy.net/registers/admin1
    export FABRIC_CA_CLIENT_TLS_CERTFILES=$LOCAL_CA_PATH/council.ifantasy.net/assets/ca-cert.pem
    export FABRIC_CA_CLIENT_MSPDIR=msp
    fabric-ca-client enroll -d -u https://admin1:admin1@council.ifantasy.net:7050
    # admin1's msp directory is used when joining the channel, and it must contain admincerts
    mkdir -p $LOCAL_CA_PATH/council.ifantasy.net/registers/admin1/msp/admincerts
    cp $LOCAL_CA_PATH/council.ifantasy.net/registers/admin1/msp/signcerts/cert.pem $LOCAL_CA_PATH/council.ifantasy.net/registers/admin1/msp/admincerts/cert.pem
    
    echo "Enroll Orderer1"
    # for identity
    export FABRIC_CA_CLIENT_HOME=$LOCAL_CA_PATH/council.ifantasy.net/registers/orderer1
    export FABRIC_CA_CLIENT_TLS_CERTFILES=$LOCAL_CA_PATH/council.ifantasy.net/assets/ca-cert.pem
    export FABRIC_CA_CLIENT_MSPDIR=msp
    fabric-ca-client enroll -d -u https://orderer1:orderer1@council.ifantasy.net:7050
    mkdir -p $LOCAL_CA_PATH/council.ifantasy.net/registers/orderer1/msp/admincerts
    cp $LOCAL_CA_PATH/council.ifantasy.net/registers/admin1/msp/signcerts/cert.pem $LOCAL_CA_PATH/council.ifantasy.net/registers/orderer1/msp/admincerts/cert.pem
    # for TLS
    export FABRIC_CA_CLIENT_MSPDIR=tls-msp
    export FABRIC_CA_CLIENT_TLS_CERTFILES=$LOCAL_CA_PATH/council.ifantasy.net/assets/tls-ca-cert.pem
    fabric-ca-client enroll -d -u https://orderer1:orderer1@council.ifantasy.net:7050 --enrollment.profile tls --csr.hosts orderer1.council.ifantasy.net
    cp $LOCAL_CA_PATH/council.ifantasy.net/registers/orderer1/tls-msp/keystore/*_sk $LOCAL_CA_PATH/council.ifantasy.net/registers/orderer1/tls-msp/keystore/key.pem
    
    echo "Enroll Orderer2"
    # for identity
    export FABRIC_CA_CLIENT_HOME=$LOCAL_CA_PATH/council.ifantasy.net/registers/orderer2
    export FABRIC_CA_CLIENT_TLS_CERTFILES=$LOCAL_CA_PATH/council.ifantasy.net/assets/ca-cert.pem
    export FABRIC_CA_CLIENT_MSPDIR=msp
    fabric-ca-client enroll -d -u https://orderer2:orderer2@council.ifantasy.net:7050
    mkdir -p $LOCAL_CA_PATH/council.ifantasy.net/registers/orderer2/msp/admincerts
    cp $LOCAL_CA_PATH/council.ifantasy.net/registers/admin1/msp/signcerts/cert.pem $LOCAL_CA_PATH/council.ifantasy.net/registers/orderer2/msp/admincerts/cert.pem
    # for TLS
    export FABRIC_CA_CLIENT_MSPDIR=tls-msp
    export FABRIC_CA_CLIENT_TLS_CERTFILES=$LOCAL_CA_PATH/council.ifantasy.net/assets/tls-ca-cert.pem
    fabric-ca-client enroll -d -u https://orderer2:orderer2@council.ifantasy.net:7050 --enrollment.profile tls --csr.hosts orderer2.council.ifantasy.net
    cp $LOCAL_CA_PATH/council.ifantasy.net/registers/orderer2/tls-msp/keystore/*_sk $LOCAL_CA_PATH/council.ifantasy.net/registers/orderer2/tls-msp/keystore/key.pem
    
    echo "Enroll Orderer3"
    # for identity
    export FABRIC_CA_CLIENT_HOME=$LOCAL_CA_PATH/council.ifantasy.net/registers/orderer3
    export FABRIC_CA_CLIENT_TLS_CERTFILES=$LOCAL_CA_PATH/council.ifantasy.net/assets/ca-cert.pem
    export FABRIC_CA_CLIENT_MSPDIR=msp
    fabric-ca-client enroll -d -u https://orderer3:orderer3@council.ifantasy.net:7050
    mkdir -p $LOCAL_CA_PATH/council.ifantasy.net/registers/orderer3/msp/admincerts
    cp $LOCAL_CA_PATH/council.ifantasy.net/registers/admin1/msp/signcerts/cert.pem $LOCAL_CA_PATH/council.ifantasy.net/registers/orderer3/msp/admincerts/cert.pem
    # for TLS
    export FABRIC_CA_CLIENT_MSPDIR=tls-msp
    export FABRIC_CA_CLIENT_TLS_CERTFILES=$LOCAL_CA_PATH/council.ifantasy.net/assets/tls-ca-cert.pem
    fabric-ca-client enroll -d -u https://orderer3:orderer3@council.ifantasy.net:7050 --enrollment.profile tls --csr.hosts orderer3.council.ifantasy.net
    cp $LOCAL_CA_PATH/council.ifantasy.net/registers/orderer3/tls-msp/keystore/*_sk $LOCAL_CA_PATH/council.ifantasy.net/registers/orderer3/tls-msp/keystore/key.pem
    
    mkdir -p $LOCAL_CA_PATH/council.ifantasy.net/msp/admincerts
    mkdir -p $LOCAL_CA_PATH/council.ifantasy.net/msp/cacerts
    mkdir -p $LOCAL_CA_PATH/council.ifantasy.net/msp/tlscacerts
    mkdir -p $LOCAL_CA_PATH/council.ifantasy.net/msp/users
    cp $LOCAL_CA_PATH/council.ifantasy.net/assets/ca-cert.pem $LOCAL_CA_PATH/council.ifantasy.net/msp/cacerts/
    cp $LOCAL_CA_PATH/council.ifantasy.net/assets/tls-ca-cert.pem $LOCAL_CA_PATH/council.ifantasy.net/msp/tlscacerts/
    cp $LOCAL_CA_PATH/council.ifantasy.net/registers/admin1/msp/signcerts/cert.pem $LOCAL_CA_PATH/council.ifantasy.net/msp/admincerts/cert.pem
    cp $LOCAL_ROOT_PATH/config/config-msp.yaml $LOCAL_CA_PATH/council.ifantasy.net/msp/config.yaml
    echo "End council============================="
  3. Soft certificate Construction:

    echo "Start Soft============================="
    echo "Enroll Admin"
    export FABRIC_CA_CLIENT_HOME=$LOCAL_CA_PATH/soft.ifantasy.net/registers/admin1
    export FABRIC_CA_CLIENT_TLS_CERTFILES=$LOCAL_CA_PATH/soft.ifantasy.net/assets/ca-cert.pem
    export FABRIC_CA_CLIENT_MSPDIR=msp
    fabric-ca-client enroll -d -u https://admin1:admin1@soft.ifantasy.net:7250
    mkdir -p $LOCAL_CA_PATH/soft.ifantasy.net/registers/admin1/msp/admincerts
    cp $LOCAL_CA_PATH/soft.ifantasy.net/registers/admin1/msp/signcerts/cert.pem $LOCAL_CA_PATH/soft.ifantasy.net/registers/admin1/msp/admincerts/cert.pem
    
    echo "Enroll Peer1"
    export FABRIC_CA_CLIENT_HOME=$LOCAL_CA_PATH/soft.ifantasy.net/registers/peer1
    export FABRIC_CA_CLIENT_TLS_CERTFILES=$LOCAL_CA_PATH/soft.ifantasy.net/assets/ca-cert.pem
    export FABRIC_CA_CLIENT_MSPDIR=msp
    fabric-ca-client enroll -d -u https://peer1:peer1@soft.ifantasy.net:7250
    # for TLS
    export FABRIC_CA_CLIENT_MSPDIR=tls-msp
    export FABRIC_CA_CLIENT_TLS_CERTFILES=$LOCAL_CA_PATH/soft.ifantasy.net/assets/tls-ca-cert.pem
    fabric-ca-client enroll -d -u https://peer1soft:peer1soft@council.ifantasy.net:7050 --enrollment.profile tls --csr.hosts peer1.soft.ifantasy.net
    cp $LOCAL_CA_PATH/soft.ifantasy.net/registers/peer1/tls-msp/keystore/*_sk $LOCAL_CA_PATH/soft.ifantasy.net/registers/peer1/tls-msp/keystore/key.pem
    mkdir -p $LOCAL_CA_PATH/soft.ifantasy.net/registers/peer1/msp/admincerts
    cp $LOCAL_CA_PATH/soft.ifantasy.net/registers/admin1/msp/signcerts/cert.pem $LOCAL_CA_PATH/soft.ifantasy.net/registers/peer1/msp/admincerts/cert.pem
    
    mkdir -p $LOCAL_CA_PATH/soft.ifantasy.net/msp/admincerts
    mkdir -p $LOCAL_CA_PATH/soft.ifantasy.net/msp/cacerts
    mkdir -p $LOCAL_CA_PATH/soft.ifantasy.net/msp/tlscacerts
    mkdir -p $LOCAL_CA_PATH/soft.ifantasy.net/msp/users
    cp $LOCAL_CA_PATH/soft.ifantasy.net/assets/ca-cert.pem $LOCAL_CA_PATH/soft.ifantasy.net/msp/cacerts/
    cp $LOCAL_CA_PATH/soft.ifantasy.net/assets/tls-ca-cert.pem $LOCAL_CA_PATH/soft.ifantasy.net/msp/tlscacerts/
    cp $LOCAL_CA_PATH/soft.ifantasy.net/registers/admin1/msp/signcerts/cert.pem $LOCAL_CA_PATH/soft.ifantasy.net/msp/admincerts/cert.pem
    cp $LOCAL_ROOT_PATH/config/config-msp.yaml $LOCAL_CA_PATH/soft.ifantasy.net/msp/config.yaml
    echo "End Soft============================="
    
  4. Web certificate building:

    echo "Start Web============================="
    echo "Enroll Admin"
    export FABRIC_CA_CLIENT_HOME=$LOCAL_CA_PATH/web.ifantasy.net/registers/admin1
    export FABRIC_CA_CLIENT_TLS_CERTFILES=$LOCAL_CA_PATH/web.ifantasy.net/assets/ca-cert.pem
    export FABRIC_CA_CLIENT_MSPDIR=msp
    fabric-ca-client enroll -d -u https://admin1:admin1@web.ifantasy.net:7350
    mkdir -p $LOCAL_CA_PATH/web.ifantasy.net/registers/admin1/msp/admincerts
    cp $LOCAL_CA_PATH/web.ifantasy.net/registers/admin1/msp/signcerts/cert.pem $LOCAL_CA_PATH/web.ifantasy.net/registers/admin1/msp/admincerts/cert.pem
    
    echo "Enroll Peer1"
    # for identity
    export FABRIC_CA_CLIENT_HOME=$LOCAL_CA_PATH/web.ifantasy.net/registers/peer1
    export FABRIC_CA_CLIENT_TLS_CERTFILES=$LOCAL_CA_PATH/web.ifantasy.net/assets/ca-cert.pem
    export FABRIC_CA_CLIENT_MSPDIR=msp
    fabric-ca-client enroll -d -u https://peer1:peer1@web.ifantasy.net:7350
    # for TLS
    export FABRIC_CA_CLIENT_MSPDIR=tls-msp
    export FABRIC_CA_CLIENT_TLS_CERTFILES=$LOCAL_CA_PATH/web.ifantasy.net/assets/tls-ca-cert.pem
    fabric-ca-client enroll -d -u https://peer1web:peer1web@council.ifantasy.net:7050 --enrollment.profile tls --csr.hosts peer1.web.ifantasy.net
    cp $LOCAL_CA_PATH/web.ifantasy.net/registers/peer1/tls-msp/keystore/*_sk $LOCAL_CA_PATH/web.ifantasy.net/registers/peer1/tls-msp/keystore/key.pem
    mkdir -p $LOCAL_CA_PATH/web.ifantasy.net/registers/peer1/msp/admincerts
    cp $LOCAL_CA_PATH/web.ifantasy.net/registers/admin1/msp/signcerts/cert.pem $LOCAL_CA_PATH/web.ifantasy.net/registers/peer1/msp/admincerts/cert.pem
    
    mkdir -p $LOCAL_CA_PATH/web.ifantasy.net/msp/admincerts
    mkdir -p $LOCAL_CA_PATH/web.ifantasy.net/msp/cacerts
    mkdir -p $LOCAL_CA_PATH/web.ifantasy.net/msp/tlscacerts
    mkdir -p $LOCAL_CA_PATH/web.ifantasy.net/msp/users
    cp $LOCAL_CA_PATH/web.ifantasy.net/assets/ca-cert.pem $LOCAL_CA_PATH/web.ifantasy.net/msp/cacerts/
    cp $LOCAL_CA_PATH/web.ifantasy.net/assets/tls-ca-cert.pem $LOCAL_CA_PATH/web.ifantasy.net/msp/tlscacerts/
    cp $LOCAL_CA_PATH/web.ifantasy.net/registers/admin1/msp/signcerts/cert.pem $LOCAL_CA_PATH/web.ifantasy.net/msp/admincerts/cert.pem
    cp $LOCAL_ROOT_PATH/config/config-msp.yaml $LOCAL_CA_PATH/web.ifantasy.net/msp/config.yaml
    echo "End Web============================="
  5. Hard certificate Construction:

    echo "Start Hard============================="
    echo "Enroll Admin"
    export FABRIC_CA_CLIENT_HOME=$LOCAL_CA_PATH/hard.ifantasy.net/registers/admin1
    export FABRIC_CA_CLIENT_TLS_CERTFILES=$LOCAL_CA_PATH/hard.ifantasy.net/assets/ca-cert.pem
    export FABRIC_CA_CLIENT_MSPDIR=msp
    fabric-ca-client enroll -d -u https://admin1:admin1@hard.ifantasy.net:7450
    mkdir -p $LOCAL_CA_PATH/hard.ifantasy.net/registers/admin1/msp/admincerts
    cp $LOCAL_CA_PATH/hard.ifantasy.net/registers/admin1/msp/signcerts/cert.pem $LOCAL_CA_PATH/hard.ifantasy.net/registers/admin1/msp/admincerts/cert.pem
    
    echo "Enroll Peer1"
    export FABRIC_CA_CLIENT_HOME=$LOCAL_CA_PATH/hard.ifantasy.net/registers/peer1
    export FABRIC_CA_CLIENT_TLS_CERTFILES=$LOCAL_CA_PATH/hard.ifantasy.net/assets/ca-cert.pem
    export FABRIC_CA_CLIENT_MSPDIR=msp
    fabric-ca-client enroll -d -u https://peer1:peer1@hard.ifantasy.net:7450
    # for TLS
    export FABRIC_CA_CLIENT_MSPDIR=tls-msp
    export FABRIC_CA_CLIENT_TLS_CERTFILES=$LOCAL_CA_PATH/hard.ifantasy.net/assets/tls-ca-cert.pem
    fabric-ca-client enroll -d -u https://peer1hard:peer1hard@council.ifantasy.net:7050 --enrollment.profile tls --csr.hosts peer1.hard.ifantasy.net
    cp $LOCAL_CA_PATH/hard.ifantasy.net/registers/peer1/tls-msp/keystore/*_sk $LOCAL_CA_PATH/hard.ifantasy.net/registers/peer1/tls-msp/keystore/key.pem
    mkdir -p $LOCAL_CA_PATH/hard.ifantasy.net/registers/peer1/msp/admincerts
    cp $LOCAL_CA_PATH/hard.ifantasy.net/registers/admin1/msp/signcerts/cert.pem $LOCAL_CA_PATH/hard.ifantasy.net/registers/peer1/msp/admincerts/cert.pem
    
    mkdir -p $LOCAL_CA_PATH/hard.ifantasy.net/msp/admincerts
    mkdir -p $LOCAL_CA_PATH/hard.ifantasy.net/msp/cacerts
    mkdir -p $LOCAL_CA_PATH/hard.ifantasy.net/msp/tlscacerts
    mkdir -p $LOCAL_CA_PATH/hard.ifantasy.net/msp/users
    cp $LOCAL_CA_PATH/hard.ifantasy.net/assets/ca-cert.pem $LOCAL_CA_PATH/hard.ifantasy.net/msp/cacerts/
    cp $LOCAL_CA_PATH/hard.ifantasy.net/assets/tls-ca-cert.pem $LOCAL_CA_PATH/hard.ifantasy.net/msp/tlscacerts/
    cp $LOCAL_CA_PATH/hard.ifantasy.net/registers/admin1/msp/signcerts/cert.pem $LOCAL_CA_PATH/hard.ifantasy.net/msp/admincerts/cert.pem
    cp $LOCAL_ROOT_PATH/config/config-msp.yaml $LOCAL_CA_PATH/hard.ifantasy.net/msp/config.yaml
    echo "End Hard============================="

After the above operations are completed, the CA services are no longer needed, so first use the docker stop $(docker ps -aq) command to shut down the four running CA containers.

Configure channel

The channel configuration differs slightly from the single-host case. Because the peer and orderer services will be deployed on different hosts, we do not need to use docker-compose to start other containers here. We only need to generate the channel files. Running 3_Configtxgen.sh in the root directory completes the channel configuration required for this experiment.

configtxgen -profile OrgsChannel -outputCreateChannelTx $LOCAL_ROOT_PATH/data/testchannel.tx -channelID testchannel
configtxgen -profile OrgsChannel -outputBlock $LOCAL_ROOT_PATH/data/testchannel.block -channelID testchannel

cp $LOCAL_ROOT_PATH/data/testchannel.block $LOCAL_CA_PATH/soft.ifantasy.net/assets/
cp $LOCAL_ROOT_PATH/data/testchannel.block $LOCAL_CA_PATH/web.ifantasy.net/assets/
cp $LOCAL_ROOT_PATH/data/testchannel.block $LOCAL_CA_PATH/hard.ifantasy.net/assets/

After the above steps are completed, the data and orgs directories under the 5_FabricNetworkByMultiHost folder contain the channel files and organization certificate files required by the whole network. Now copy the 5_FabricNetworkByMultiHost folder to the DebianB host to start the next experiment. From now on, each time you restart the network, you only need to run the following scripts on each host: 0_Restart.sh, 4_JoinChannel_host1.sh, 4_JoinChannel_host2.sh, 5_TestChaincode_host1.sh, 5_TestChaincode_host2.sh.
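The copy step above ships every organization's private keys to DebianB, which is the risk the certificate section warns about for production. The following added example (not part of the original article or repository) lists the keystore files a host does not need and stages a copy without them. The sample tree and the allow-list for DebianB are constructed assumptions derived from the host table.

```bash
#!/usr/bin/env bash
# Added example: keep private keys off hosts that do not need them.
# Directory names follow the article's layout ($LOCAL_CA_PATH/<org>/...).
# The sample tree and the per-host allow-list are constructed assumptions.

# Subtrees whose private keys DebianB needs: its two organizations and orderer3.
DEBIANB_NEEDS="web.ifantasy.net hard.ifantasy.net council.ifantasy.net/registers/orderer3"

# list_foreign_keys ROOT ALLOWED...
#   ROOT     the orgs directory
#   ALLOWED  paths relative to ROOT whose keystores may stay on this host
# Prints, sorted, every file under a keystore/ directory outside ALLOWED.
list_foreign_keys() {
  local root=$1 f a keep
  shift
  [ -d "$root" ] || { echo "no such directory: $root" >&2; return 2; }
  ( cd "$root" && find . -type f -path '*/keystore/*' ) |
    sed 's|^\./||' | LC_ALL=C sort |
    while IFS= read -r f; do
      keep=0
      for a in "$@"; do
        case "$f" in "$a"/*) keep=1 ;; esac
      done
      [ "$keep" -eq 1 ] || printf '%s\n' "$f"
    done
}

# stage_for_host ROOT DEST ALLOWED...
# Copies ROOT to DEST (which must not exist yet) and deletes the foreign keys
# from the copy. Certificates (cacerts, tlscacerts, admincerts) are kept,
# because every host needs them to verify the other organizations.
stage_for_host() {
  local root=$1 dest=$2 f
  shift 2
  [ ! -e "$dest" ] || { echo "refusing to overwrite $dest" >&2; return 1; }
  cp -R "$root" "$dest" || return 1
  list_foreign_keys "$dest" "$@" | while IFS= read -r f; do
    rm -f "$dest/$f"
  done
}

# make_sample_tree ROOT: constructed stand-in for the generated orgs directory.
make_sample_tree() {
  local root=$1 p
  while IFS= read -r p; do
    mkdir -p "$root/$(dirname "$p")" && : > "$root/$p"
  done <<'EOF'
council.ifantasy.net/ca/admin/msp/keystore/a_sk
council.ifantasy.net/msp/cacerts/ca-cert.pem
council.ifantasy.net/registers/admin1/msp/keystore/b_sk
council.ifantasy.net/registers/orderer1/tls-msp/keystore/key.pem
council.ifantasy.net/registers/orderer3/msp/keystore/c_sk
council.ifantasy.net/registers/orderer3/tls-msp/keystore/key.pem
soft.ifantasy.net/registers/peer1/msp/keystore/d_sk
web.ifantasy.net/registers/peer1/tls-msp/keystore/key.pem
hard.ifantasy.net/registers/admin1/msp/keystore/e_sk
EOF
}

# Demo on the constructed tree.
work=$(mktemp -d)
make_sample_tree "$work/orgs"
echo "Private keys DebianB does not need:"
list_foreign_keys "$work/orgs" $DEBIANB_NEEDS
stage_for_host "$work/orgs" "$work/orgs-debianb" $DEBIANB_NEEDS
echo "Keys left in the staged copy:"
( cd "$work/orgs-debianb" && find . -type f -path '*/keystore/*' | LC_ALL=C sort )
rm -rf "$work"
```

On a real tree, pass the orgs directory as ROOT and copy the staged directory to the other host in place of the full one.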

Start multi machine network

Configure DNS

In the previous section, to make it easier to generate certificates on DebianA, we pointed all domain names at DebianA itself. Now manually edit the /etc/hosts file, delete the DNS mappings set in the previous section, and then add the new mappings:

echo "172.25.1.250       council.ifantasy.net" >> /etc/hosts
echo "172.25.1.250       soft.ifantasy.net" >> /etc/hosts
echo "172.25.1.251       web.ifantasy.net" >> /etc/hosts
echo "172.25.1.251       hard.ifantasy.net" >> /etc/hosts

echo "172.25.1.250       orderer1.council.ifantasy.net" >> /etc/hosts
echo "172.25.1.250       orderer2.council.ifantasy.net" >> /etc/hosts
echo "172.25.1.251       orderer3.council.ifantasy.net" >> /etc/hosts

echo "172.25.1.250       peer1.soft.ifantasy.net" >> /etc/hosts
echo "172.25.1.251       peer1.web.ifantasy.net" >> /etc/hosts
echo "172.25.1.251       peer1.hard.ifantasy.net" >> /etc/hosts

Similarly, we need to set up a similar DNS mapping on debianb:

echo "172.25.1.250       council.ifantasy.net" >> /etc/hosts
echo "172.25.1.250       soft.ifantasy.net" >> /etc/hosts
echo "172.25.1.251       web.ifantasy.net" >> /etc/hosts
echo "172.25.1.251       hard.ifantasy.net" >> /etc/hosts

echo "172.25.1.250       orderer1.council.ifantasy.net" >> /etc/hosts
echo "172.25.1.250       orderer2.council.ifantasy.net" >> /etc/hosts
echo "172.25.1.251       orderer3.council.ifantasy.net" >> /etc/hosts

echo "172.25.1.250       peer1.soft.ifantasy.net" >> /etc/hosts
echo "172.25.1.251       peer1.web.ifantasy.net" >> /etc/hosts
echo "172.25.1.251       peer1.hard.ifantasy.net" >> /etc/hosts
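Because the entries are appended with `>>`, a host where the temporary 127.0.0.1 mappings were not deleted ends up with conflicting entries for the same name. The following added example (not from the original article) audits a hosts file against the address table above and prints a cleaned version. The sample file is constructed.

```bash
#!/usr/bin/env bash
# Added example: check and rebuild the hosts entries used in this article.
# expected_map is copied from the article's address table; sample_hosts is a
# constructed file, not taken from a real machine.

expected_map() {
  cat <<'EOF'
172.25.1.250 council.ifantasy.net
172.25.1.250 soft.ifantasy.net
172.25.1.251 web.ifantasy.net
172.25.1.251 hard.ifantasy.net
172.25.1.250 orderer1.council.ifantasy.net
172.25.1.250 orderer2.council.ifantasy.net
172.25.1.251 orderer3.council.ifantasy.net
172.25.1.250 peer1.soft.ifantasy.net
172.25.1.251 peer1.web.ifantasy.net
172.25.1.251 peer1.hard.ifantasy.net
EOF
}

# audit_hosts FILE
# Prints "MISMATCH name addr (expected addr)" for each managed name bound to a
# wrong address and "MISSING name" for each managed name without an entry.
# Returns 0 if FILE is clean, 1 otherwise.
audit_hosts() {
  local out
  out=$(expected_map | awk '
    FNR == NR { want[$2] = $1; next }        # first input: expected mapping
    {
      sub(/#.*/, "")                         # ignore comments
      for (i = 2; i <= NF; i++) {
        if (!($i in want)) continue
        seen[$i] = 1
        if ($1 != want[$i])
          printf "MISMATCH %s %s (expected %s)\n", $i, $1, want[$i]
      }
    }
    END { for (h in want) if (!(h in seen)) print "MISSING " h }
  ' - "$1" | LC_ALL=C sort)
  [ -z "$out" ] && return 0
  printf '%s\n' "$out"
  return 1
}

# render_hosts FILE
# Prints FILE with every managed name removed from its line (other names on
# that line are kept), followed by the expected entries. Running it on its own
# output changes nothing, unlike repeated "echo ... >> /etc/hosts".
render_hosts() {
  expected_map | awk '
    FNR == NR { want[$2] = $1; order[++n] = $2; next }
    {
      orig = $0
      sub(/#.*/, "")
      kept = ""; hit = 0
      for (i = 2; i <= NF; i++) {
        if ($i in want) hit = 1
        else kept = kept " " $i
      }
      if (!hit) print orig                   # untouched line, comment kept
      else if (kept != "") print $1 kept     # keep the unmanaged names only
    }
    END { for (i = 1; i <= n; i++) print want[order[i]] " " order[i] }
  ' - "$1"
}

# Constructed sample: stale setDNSTemp.sh entries plus an incomplete new set.
sample_hosts() {
  cat <<'EOF'
127.0.0.1 localhost
# constructed sample
127.0.0.1       council.ifantasy.net
127.0.0.1       orderer3.council.ifantasy.net
172.25.1.250       council.ifantasy.net
172.25.1.250       soft.ifantasy.net
172.25.1.251       web.ifantasy.net
172.25.1.251       hard.ifantasy.net
172.25.1.250       orderer1.council.ifantasy.net
172.25.1.250       orderer2.council.ifantasy.net
172.25.1.251       orderer3.council.ifantasy.net
172.25.1.250       peer1.soft.ifantasy.net
172.25.1.251       peer1.web.ifantasy.net
EOF
}

# Demo on the constructed sample.
tmp=$(mktemp)
sample_hosts > "$tmp"
audit_hosts "$tmp" || echo "-> stale or missing entries; cleaned file follows"
render_hosts "$tmp"
rm -f "$tmp"
```

On a real host, write the output of `render_hosts /etc/hosts` to a new file, review it, and only then replace /etc/hosts with it.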

Start the container and join the channel

DebianA

You can run the 4_JoinChannel_host1.sh script directly in the root directory, which makes DebianA execute the following commands to start the containers and join the channel:

  1. Start this host container:

    source envpeer1soft
    docker-compose -f $LOCAL_ROOT_PATH/compose/docker-compose.yaml up -d council.ifantasy.net soft.ifantasy.net peer1.soft.ifantasy.net 
    docker-compose -f $LOCAL_ROOT_PATH/compose/docker-compose.yaml up -d orderer1.council.ifantasy.net orderer2.council.ifantasy.net

    [Figure: the containers running on DebianA at this point]

  2. Join this host's ordering services to the channel:

    source envpeer1soft
    export ORDERER_ADMIN_TLS_SIGN_CERT=$LOCAL_CA_PATH/council.ifantasy.net/registers/orderer1/tls-msp/signcerts/cert.pem
    export ORDERER_ADMIN_TLS_PRIVATE_KEY=$LOCAL_CA_PATH/council.ifantasy.net/registers/orderer1/tls-msp/keystore/key.pem
    osnadmin channel join -o orderer1.council.ifantasy.net:7052 --channelID testchannel --config-block $LOCAL_ROOT_PATH/data/testchannel.block --ca-file "$ORDERER_CA" --client-cert "$ORDERER_ADMIN_TLS_SIGN_CERT" --client-key "$ORDERER_ADMIN_TLS_PRIVATE_KEY"
    osnadmin channel list -o orderer1.council.ifantasy.net:7052 --ca-file $ORDERER_CA --client-cert $ORDERER_ADMIN_TLS_SIGN_CERT --client-key $ORDERER_ADMIN_TLS_PRIVATE_KEY
    export ORDERER_ADMIN_TLS_SIGN_CERT=$LOCAL_CA_PATH/council.ifantasy.net/registers/orderer2/tls-msp/signcerts/cert.pem
    export ORDERER_ADMIN_TLS_PRIVATE_KEY=$LOCAL_CA_PATH/council.ifantasy.net/registers/orderer2/tls-msp/keystore/key.pem
    osnadmin channel join -o orderer2.council.ifantasy.net:7055 --channelID testchannel --config-block $LOCAL_ROOT_PATH/data/testchannel.block --ca-file "$ORDERER_CA" --client-cert "$ORDERER_ADMIN_TLS_SIGN_CERT" --client-key "$ORDERER_ADMIN_TLS_PRIVATE_KEY"
    osnadmin channel list -o orderer2.council.ifantasy.net:7055 --ca-file $ORDERER_CA --client-cert $ORDERER_ADMIN_TLS_SIGN_CERT --client-key $ORDERER_ADMIN_TLS_PRIVATE_KEY
  3. Join this host's organization to the channel:

    source envpeer1soft
    peer channel join -b $LOCAL_CA_PATH/soft.ifantasy.net/assets/testchannel.block
    peer channel list

DebianB

You can run the 4_JoinChannel_host2.sh script directly in the root directory, which makes DebianB execute the following commands to start the containers and join the channel:

  4. Start this host container:

    source envpeer1web
    docker-compose -f $LOCAL_ROOT_PATH/compose/docker-compose.yaml up -d web.ifantasy.net peer1.web.ifantasy.net hard.ifantasy.net peer1.hard.ifantasy.net 
    docker-compose -f $LOCAL_ROOT_PATH/compose/docker-compose.yaml up -d orderer3.council.ifantasy.net

    [Figure: the containers running on DebianB at this point]

  5. Join this host's ordering service to the channel:

    source envpeer1web
    export ORDERER_ADMIN_TLS_SIGN_CERT=$LOCAL_CA_PATH/council.ifantasy.net/registers/orderer3/tls-msp/signcerts/cert.pem
    export ORDERER_ADMIN_TLS_PRIVATE_KEY=$LOCAL_CA_PATH/council.ifantasy.net/registers/orderer3/tls-msp/keystore/key.pem
    osnadmin channel join -o orderer3.council.ifantasy.net:7058 --channelID testchannel --config-block $LOCAL_ROOT_PATH/data/testchannel.block --ca-file "$ORDERER_CA" --client-cert "$ORDERER_ADMIN_TLS_SIGN_CERT" --client-key "$ORDERER_ADMIN_TLS_PRIVATE_KEY"
    osnadmin channel list -o orderer3.council.ifantasy.net:7058 --ca-file $ORDERER_CA --client-cert $ORDERER_ADMIN_TLS_SIGN_CERT --client-key $ORDERER_ADMIN_TLS_PRIVATE_KEY
  6. Join this host's organizations to the channel:

    source envpeer1web
    peer channel join -b $LOCAL_CA_PATH/web.ifantasy.net/assets/testchannel.block
    peer channel list
    source envpeer1hard
    peer channel join -b $LOCAL_CA_PATH/hard.ifantasy.net/assets/testchannel.block
    peer channel list

Install and test the chaincode

Because channel updates must be carried out in sequence according to the policy, you may not simply run 5_TestChaincode_host1.sh in the root directory. Instead, run the corresponding parts of the scripts on the different hosts in the order of the chaincode lifecycle:

  1. Install the chaincode on DebianA:

    source envpeer1soft
    # peer lifecycle chaincode package basic.tar.gz --path asset-transfer-basic/chaincode-go --label basic_1
    peer lifecycle chaincode install basic.tar.gz
    peer lifecycle chaincode queryinstalled
  2. Install the chaincode on DebianB:

    source envpeer1web
    peer lifecycle chaincode install basic.tar.gz
    peer lifecycle chaincode queryinstalled
    source envpeer1hard
    peer lifecycle chaincode install basic.tar.gz
    peer lifecycle chaincode queryinstalled
  3. Approve the chaincode on DebianA:

    export CHAINCODE_ID=basic_1:06613e463ef6694805dd896ca79634a2de36fdf019fa7976467e6e632104d718
    source envpeer1soft
    peer lifecycle chaincode approveformyorg -o orderer1.council.ifantasy.net:7051 --tls --cafile $ORDERER_CA  --channelID testchannel --name basic --version 1.0 --sequence 1 --waitForEvent --init-required --package-id $CHAINCODE_ID
    peer lifecycle chaincode queryapproved -C testchannel -n basic --sequence 1

    At this point, use the following command to view the chaincode approval status:

    peer lifecycle chaincode checkcommitreadiness -o orderer1.council.ifantasy.net:7051 --tls --cafile $ORDERER_CA --channelID testchannel --name basic --version 1.0 --sequence 1 --init-required


  4. Approve the chaincode on DebianB:

    export CHAINCODE_ID=basic_1:06613e463ef6694805dd896ca79634a2de36fdf019fa7976467e6e632104d718
    source envpeer1web
    peer lifecycle chaincode approveformyorg -o orderer1.council.ifantasy.net:7051 --tls --cafile $ORDERER_CA  --channelID testchannel --name basic --version 1.0 --sequence 1 --waitForEvent --init-required --package-id $CHAINCODE_ID
    peer lifecycle chaincode queryapproved -C testchannel -n basic --sequence 1
    source envpeer1hard
    peer lifecycle chaincode approveformyorg -o orderer1.council.ifantasy.net:7051 --tls --cafile $ORDERER_CA  --channelID testchannel --name basic --version 1.0 --sequence 1 --waitForEvent --init-required --package-id $CHAINCODE_ID
    peer lifecycle chaincode queryapproved -C testchannel -n basic --sequence 1

    At this point, go back to DebianA and check the chaincode approval; it has been synchronized.
    [Figure: chaincode approval status checked on DebianA]

  5. Commit the chaincode on DebianB:

    source envpeer1web
    peer lifecycle chaincode commit -o orderer1.council.ifantasy.net:7051 --tls --cafile $ORDERER_CA --channelID testchannel --name basic --init-required --version 1.0 --sequence 1 --peerAddresses peer1.soft.ifantasy.net:7251 --tlsRootCertFiles $CORE_PEER_TLS_ROOTCERT_FILE --peerAddresses peer1.web.ifantasy.net:7351 --tlsRootCertFiles $CORE_PEER_TLS_ROOTCERT_FILE
  6. Initialize the chaincode on DebianB:

    source envpeer1web
    peer chaincode invoke --isInit -o orderer1.council.ifantasy.net:7051 --tls --cafile $ORDERER_CA --channelID testchannel --name basic --peerAddresses peer1.soft.ifantasy.net:7251 --tlsRootCertFiles $CORE_PEER_TLS_ROOTCERT_FILE --peerAddresses peer1.web.ifantasy.net:7351 --tlsRootCertFiles $CORE_PEER_TLS_ROOTCERT_FILE -c '{"Args":["InitLedger"]}'
  7. Invoke the chaincode on DebianA:

    peer chaincode invoke -o orderer1.council.ifantasy.net:7051 --tls --cafile $ORDERER_CA --channelID testchannel --name basic --peerAddresses peer1.soft.ifantasy.net:7251 --tlsRootCertFiles $CORE_PEER_TLS_ROOTCERT_FILE --peerAddresses peer1.web.ifantasy.net:7351 --tlsRootCertFiles $CORE_PEER_TLS_ROOTCERT_FILE -c '{"Args":["GetAllAssets"]}'


References

  1. KC Tam. Multi-Host Deployment for First Network (Hyperledger Fabric v2). CSDN. [2020-08-11]
  2. Yu Fu. Hyperledger Fabric 2.x multi-machine deployment / distributed cluster deployment process. CSDN. [2020-11-28]