关于fabric:进阶篇一Fabric-20-手动生成CA证书搭建Fabric网络Raft协议多orderer节点

41次阅读

共计 9882 个字符,预计需要花费 25 分钟才能阅读完成。

本文不会在从 0 开始搭建这个那个网络,咱们会在 <<Hyperledger Fabric 2.0 手动生成 CA 证书搭建 Fabric 网络 -Raft 协定 >> 的根底上来改良,有上文中单 orderer 节点改成多节点共识。

本次将 orderer 改为三个节点,本人须要更多节点的能够本人依据机会状况进行减少,步骤和办法雷同。

一、orderer 节点用户注册(TLS)

在向 TLS 注册用户是,有以前注册单用户改成注册多用户(三个节点、orderer1-org0,orderer2-org0,orderer3-org0)
https://0.0.0.0:7052 为 TLS CA 地址,

fabric-ca-client register -d --id.name orderer1-org0 --id.secret ordererPW --id.type orderer
-u https://0.0.0.0:7052 --tls.certfiles /tmp/hyperledger/fabric-ca-tls/crypto/ca-cert.pem

fabric-ca-client register -d --id.name orderer2-org0 --id.secret ordererPW --id.type orderer -u https://0.0.0.0:7052 --tls.certfiles /tmp/hyperledger/fabric-ca-tls/crypto/ca-cert.pem

fabric-ca-client register -d --id.name orderer3-org0 --id.secret ordererPW --id.type orderer -u https://0.0.0.0:7052 --tls.certfiles /tmp/hyperledger/fabric-ca-tls/crypto/ca-cert.pem

二、org0 注册用户

同样须要注册三个节点用户

export FABRIC_CA_CLIENT_TLS_CERTFILES=/data/hyperledger/org0/ca/crypto/ca-cert.pem
export FABRIC_CA_CLIENT_HOME=/data/hyperledger/org0/ca/admin
fabric-ca-client enroll -d -u https://org0-admin:org0-adminpw@0.0.0.0:7053 --tls.certfiles /tmp/hyperledger/org0/ca/crypto/ca-cert.pem

#注册 order1 用户
fabric-ca-client register -d --id.name orderer1-org0 --id.secret ordererpw --id.type orderer --id.attrs '"hf.Registrar.Roles=orderer"' -u https://0.0.0.0:7053  --tls.certfiles /tmp/hyperledger/org0/ca/crypto/ca-cert.pem

#注册 order2 用户
fabric-ca-client register -d --id.name orderer2-org0 --id.secret ordererpw --id.type orderer --id.attrs '"hf.Registrar.Roles=orderer"' -u https://0.0.0.0:7053  --tls.certfiles /tmp/hyperledger/org0/ca/crypto/ca-cert.pem

#注册 order3 用户
fabric-ca-client register -d --id.name orderer3-org0 --id.secret ordererpw --id.type orderer --id.attrs '"hf.Registrar.Roles=orderer"' -u https://0.0.0.0:7053  --tls.certfiles /tmp/hyperledger/org0/ca/crypto/ca-cert.pem

fabric-ca-client register -d --id.name admin-org0 --id.secret org0adminpw --id.type admin --id.attrs "hf.Registrar.Roles=client,hf.Registrar.Attributes=*,hf.Revoker=true,hf.GenCRL=true,admin=true:ecert,abac.init=true:ecert" -u https://0.0.0.0:7053 --tls.certfiles /tmp/hyperledger/org0/ca/crypto/ca-cert.pem

三、生成 oerders MSP 证书


mkdir -p /tmp/hyperledger/org0/orderers/assets/ca/
cp /tmp/hyperledger/org0/ca/crypto/ca-cert.pem /tmp/hyperledger/org0/orderers/assets/ca/org0-ca-cert.pem
export FABRIC_CA_CLIENT_HOME=/tmp/hyperledger/org0/orderers/orderer1-org0

#orderer1 msp 证书
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org0/orderers/assets/ca/org0-ca-cert.pem
export FABRIC_CA_CLIENT_MSPDIR=msp
fabric-ca-client enroll -u https://orderer1-org0:ordererpw@0.0.0.0:7053 -M /tmp/hyperledger/org0/orderers/orderer1-org0/msp --csr.hosts orderer1-org0 --tls.certfiles /tmp/hyperledger/org0/ca/crypto/ca-cert.pem

#orderer2 msp 证书
export FABRIC_CA_CLIENT_HOME=/tmp/hyperledger/org0/orderers/orderer2-org0
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org0/orderers/assets/ca/org0-ca-cert.pem
export FABRIC_CA_CLIENT_MSPDIR=msp
fabric-ca-client enroll -u https://orderer2-org0:ordererpw@0.0.0.0:7053 -M /tmp/hyperledger/org0/orderers/orderer2-org0/msp --csr.hosts orderer2-org0 --tls.certfiles /tmp/hyperledger/org0/ca/crypto/ca-cert.pem

#orderer3 msp 证书
export FABRIC_CA_CLIENT_HOME=/tmp/hyperledger/org0/orderers/orderer3-org0
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org0/orderers/assets/ca/org0-ca-cert.pem
export FABRIC_CA_CLIENT_MSPDIR=msp
fabric-ca-client enroll -u https://orderer3-org0:ordererpw@0.0.0.0:7053 -M /tmp/hyperledger/org0/orderers/orderer3-org0/msp --csr.hosts orderer3-org0 --tls.certfiles /tmp/hyperledger/org0/ca/crypto/ca-cert.pem


#admin msp 证书
export FABRIC_CA_CLIENT_HOME=/tmp/hyperledger/org0/admin
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org0/orderers/assets/ca/org0-ca-cert.pem
export FABRIC_CA_CLIENT_MSPDIR=msp
fabric-ca-client enroll -d -u https://admin-org0:org0adminpw@0.0.0.0:7053 --tls.certfiles /tmp/hyperledger/org0/orderers/assets/ca/org0-ca-cert.pem

四、生成 oerders tls-ca 证书

mkdir /tmp/hyperledger/org0/orderers/assets/tls-ca/
cp /tmp/hyperledger/fabric-ca-tls/crypto/ca-cert.pem /tmp/hyperledger/org0/orderers/assets/tls-ca/tls-ca-cert.pem
export FABRIC_CA_CLIENT_MSPDIR=tls-msp
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org0/orderers/assets/tls-ca/tls-ca-cert.pem

fabric-ca-client enroll -u https://orderer1-org0:ordererPW@0.0.0.0:7052  -M /tmp/hyperledger/org0/orderers/orderer1-org0/tls-msp --enrollment.profile tls --csr.hosts orderer1-org0 --tls.certfiles /data/hyperledger/org0/orderers/tls-ca-cert.pem

fabric-ca-client enroll -u https://orderer2-org0:ordererPW@0.0.0.0:7052  -M /tmp/hyperledger/org0/orderers/orderer2-org0/tls-msp --enrollment.profile tls --csr.hosts orderer2-org0 --tls.certfiles /data/hyperledger/org0/orderers/tls-ca-cert.pem

fabric-ca-client enroll -u https://orderer3-org0:ordererPW@0.0.0.0:7052  -M /tmp/hyperledger/org0/orderers/orderer3-org0/tls-msp --enrollment.profile tls --csr.hosts orderer3-org0 --tls.certfiles /data/hyperledger/org0/orderers/tls-ca-cert.pem


#批改 keystore 名称
mv /tmp/hyperledger/org0/orderers/orderer1-org0/tls-msp/keystore/*_sk /tmp/hyperledger/org0/orderers/orderer1-org0/tls-msp/keystore/key.pem
mv /tmp/hyperledger/org0/orderers/orderer2-org0/tls-msp/keystore/*_sk /tmp/hyperledger/org0/orderers/orderer2-org0/tls-msp/keystore/key.pem
mv /tmp/hyperledger/org0/orderers/orderer3-org0/tls-msp/keystore/*_sk /tmp/hyperledger/org0/orderers/orderer3-org0/tls-msp/keystore/key.pem


#生成 admincerts 目录

mkdir /tmp/hyperledger/org0/orderers/orderer1-org0/msp/admincerts
cp /tmp/hyperledger/org0/admin/msp/signcerts/cert.pem /data/hyperledger/org0/orderers/orderer1-org0/msp/admincerts/orderer-admin-cert.pem


mkdir /tmp/hyperledger/org0/orderers/orderer2-org0/msp/admincerts
cp /tmp/hyperledger/org0/admin/msp/signcerts/cert.pem /data/hyperledger/org0/orderers/orderer2-org0/msp/admincerts/orderer-admin-cert.pem

mkdir /tmp/hyperledger/org0/orderers/orderer3-org0/msp/admincerts
cp /tmp/hyperledger/org0/admin/msp/signcerts/cert.pem /data/hyperledger/org0/orderers/orderer3-org0/msp/admincerts/orderer-admin-cert.pem

⚠️:同理在每个 orderer 节点 msp 上面增加 config.yaml 文件

五、批改 configtx.yaml 共识策略

configtx.yaml 文件内容比拟长,我在这就不贴全副,只贴出须要批改的中央,残缺文件请参照上一篇文章,

Orderer: &OrdererDefaults

    # Orderer Type: The orderer implementation to start
    OrdererType: etcdraft

    EtcdRaft:
        Consenters:
        - Host: orderer1-org0
          Port: 7050
          ClientTLSCert: /tmp/hyperledger/org0/orderers/orderer1-org0/tls-msp/signcerts/cert..
pem
          ServerTLSCert: /tmp/hyperledger/org0/orderers/orderer1-org0/tls-msp/signcerts/cert..
pem
        - Host: orderer2-org0
          Port: 7050
          ClientTLSCert: /tmp/hyperledger/org0/orderers/orderer2-org0/tls-msp/signcerts/cert..
pem
          ServerTLSCert: /tmp/hyperledger/org0/orderers/orderer2-org0/tls-msp/signcerts/cert..
pem

        - Host: orderer3-org0
          Port: 7050
          ClientTLSCert: /tmp/hyperledger/org0/orderers/orderer3-org0/tls-msp/signcerts/cert..
pem
          ServerTLSCert: /tmp/hyperledger/org0/orderers/orderer3-org0/tls-msp/signcerts/cert..
pem
    Addresses:
        - orderer1-org0:7050
        - orderer2-org0:7050
        - orderer3-org0:7050

只须要批改 orderer 共识策略这块就能够了,其它依照原流程不须要变。

六、启动所有 orderer 节点

6.1 orderer1 启动


version: '2'

networks:
  fabric-ca:
services: 
  orderer1-org0:
    container_name: orderer1-org0
    image: hyperledger/fabric-orderer:2.1.0
    environment:
      - ORDERER_HOME=/tmp/hyperledger/orderer
      - ORDERER_HOST=orderer1-org0
      - ORDERER_GENERAL_LISTENADDRESS=0.0.0.0
      - ORDERER_GENERAL_GENESISMETHOD=file
      - ORDERER_GENERAL_GENESISFILE=/tmp/hyperledger/genesis.block
      - ORDERER_GENERAL_LOCALMSPID=org0MSP
      - ORDERER_GENERAL_LOCALMSPDIR=/tmp/hyperledger/org0/orderer/msp
      - ORDERER_GENERAL_TLS_ENABLED=true
      - ORDERER_GENERAL_TLS_CERTIFICATE=/tmp/hyperledger/org0/orderer/tls-msp/signcerts/cert.pem
      - ORDERER_GENERAL_TLS_PRIVATEKEY=/tmp/hyperledger/org0/orderer/tls-msp/keystore/key.pem
      - ORDERER_GENERAL_TLS_ROOTCAS=[/tmp/hyperledger/org0/orderer/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem]
      - ORDERER_GENERAL_LOGLEVEL=debug
      - ORDERER_DEBUG_BROADCASTTRACEDIR=data/logs
    volumes:
      - /tmp/hyperledger/org0/fabric-ca-client/orderers/orderer1-org0:/tmp/hyperledger/org0/orderer/
      - /tmp/hyperledger/block:/tmp/hyperledger/
    networks:
      - fabric-ca

6.2 orderer3 启动


version: '2'

networks:
  fabric-ca:
services: 
  orderer2-org0:
    container_name: orderer2-org0
    image: hyperledger/fabric-orderer:2.1.0
    environment:
      - ORDERER_HOME=/tmp/hyperledger/orderer
      - ORDERER_HOST=orderer2-org0
      - ORDERER_GENERAL_LISTENADDRESS=0.0.0.0
      - ORDERER_GENERAL_GENESISMETHOD=file
      - ORDERER_GENERAL_GENESISFILE=/tmp/hyperledger/genesis.block
      - ORDERER_GENERAL_LOCALMSPID=org0MSP
      - ORDERER_GENERAL_LOCALMSPDIR=/tmp/hyperledger/org0/orderer/msp
      - ORDERER_GENERAL_TLS_ENABLED=true
      - ORDERER_GENERAL_TLS_CERTIFICATE=/tmp/hyperledger/org0/orderer/tls-msp/signcerts/cert.pem
      - ORDERER_GENERAL_TLS_PRIVATEKEY=/tmp/hyperledger/org0/orderer/tls-msp/keystore/key.pem
      - ORDERER_GENERAL_TLS_ROOTCAS=[/tmp/hyperledger/org0/orderer/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem]
      - ORDERER_GENERAL_LOGLEVEL=debug
      - ORDERER_DEBUG_BROADCASTTRACEDIR=data/logs
    volumes:
      - /tmp/hyperledger/org0/fabric-ca-client/orderers/orderer2-org0:/tmp/hyperledger/org0/orderer/
      - /tmp/hyperledger/block:/tmp/hyperledger/
    networks:
      - fabric-ca

6.3 orderer3 启动


version: '2'

networks:
  fabric-ca:
services: 
  orderer3-org0:
    container_name: orderer3-org0
    image: hyperledger/fabric-orderer:2.0.0
    environment:
      - ORDERER_HOME=/tmp/hyperledger/orderer
      - ORDERER_HOST=orderer2-org0
      - ORDERER_GENERAL_LISTENADDRESS=0.0.0.0
      - ORDERER_GENERAL_GENESISMETHOD=file
      - ORDERER_GENERAL_GENESISFILE=/tmp/hyperledger/genesis.block
      - ORDERER_GENERAL_LOCALMSPID=org0MSP
      - ORDERER_GENERAL_LOCALMSPDIR=/tmp/hyperledger/org0/orderer/msp
      - ORDERER_GENERAL_TLS_ENABLED=true
      - ORDERER_GENERAL_TLS_CERTIFICATE=/tmp/hyperledger/org0/orderer/tls-msp/signcerts/cert.pem
      - ORDERER_GENERAL_TLS_PRIVATEKEY=/tmp/hyperledger/org0/orderer/tls-msp/keystore/key.pem
      - ORDERER_GENERAL_TLS_ROOTCAS=[/tmp/hyperledger/org0/orderer/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem]
      - ORDERER_GENERAL_LOGLEVEL=debug
      - ORDERER_DEBUG_BROADCASTTRACEDIR=data/logs
    volumes:
      - /tmp/hyperledger/org0/fabric-ca-client/orderers/orderer3-org0:/tmp/hyperledger/org0/orderer/
      - /tmp/hyperledger/block:/tmp/hyperledger/
    networks:
      - fabric-ca

到这多节点改变曾经实现,上述在 <<Hyperledger Fabric 2.0 手动生成 CA 证书搭建 Fabric 网络 -Raft 协定 >> 根底上来批改 ordderer 共识节点流程,其它流程不变。再次申明这个篇文章不是一个残缺程序的流程。

联合这两篇文章,Hyperledger Fabric 2.0 手动生成 CA 证书搭建 Fabric 网络 -Raft 协定 - 多 orderer 节点部署用该不会有任何问题,能够间接用于生产环境。

如有谬误,请指教。谢谢!

正文完
 0