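【Posted】: 2021-03-26 09:12:47
【Problem description】:
I have tried the Hyperledger Fabric 2.3 tutorial, in which they instantiate 2 peer nodes (Org1 and Org2) and one ordering node (Orderer), and I am now trying to instantiate each node on a different VM. The final goal is to increase the number of peer and orderer nodes with Raft consensus, each node having its own VM. I have defined the following configtx.yaml.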
---
Organizations:
    - &OrdererOrg
        Name: OrdererOrg
        ID: OrdererMSP
        MSPDir: ../organizations/ordererOrganizations/example.com/msp
        Policies:
            Readers:
                Type: Signature
                Rule: "OR('OrdererMSP.member','OrdererMSP.orderer')"
            Writers:
                Type: Signature
                Rule: "OR('OrdererMSP.member','OrdererMSP.orderer')"
            Admins:
                Type: Signature
                Rule: "OR('OrdererMSP.admin')"
        OrdererEndpoints:
            - orderer0.example.com:7050
    - &Org1
        Name: Org1MSP
        ID: Org1MSP
        MSPDir: ../organizations/peerOrganizations/org1.example.com/msp
        Policies:
            Readers:
                Type: Signature
                Rule: "OR('Org1MSP.admin', 'Org1MSP.peer', 'Org1MSP.client')"
            Writers:
                Type: Signature
                Rule: "OR('Org1MSP.admin', 'Org1MSP.client')"
            Admins:
                Type: Signature
                Rule: "OR('Org1MSP.admin')"
            Endorsement:
                Type: Signature
                Rule: "OR('Org1MSP.peer')"
        AnchorPeers:
            - Host: peer0.org1.example.com
              Port: 7051
    - &Org2
        Name: Org2MSP
        ID: Org2MSP
        MSPDir: ../organizations/peerOrganizations/org2.example.com/msp
        Policies:
            Readers:
                Type: Signature
                Rule: "OR('Org2MSP.admin', 'Org2MSP.peer', 'Org2MSP.client')"
            Writers:
                Type: Signature
                Rule: "OR('Org2MSP.admin', 'Org2MSP.client')"
            Admins:
                Type: Signature
                Rule: "OR('Org2MSP.admin')"
            Endorsement:
                Type: Signature
                Rule: "OR('Org2MSP.peer')"
        AnchorPeers:
            - Host: peer0.org2.example.com
              Port: 7051
Capabilities:
    Channel: &ChannelCapabilities
        V2_0: true
    Orderer: &OrdererCapabilities
        V2_0: true
    Application: &ApplicationCapabilities
        V2_0: true
Application: &ApplicationDefaults
    Organizations:
    Policies:
        Readers:
            Type: ImplicitMeta
            Rule: "ANY Readers"
        Writers:
            Type: ImplicitMeta
            Rule: "ANY Writers"
        Admins:
            Type: ImplicitMeta
            Rule: "MAJORITY Admins"
        LifecycleEndorsement:
            Type: ImplicitMeta
            Rule: "MAJORITY Endorsement"
        Endorsement:
            Type: ImplicitMeta
            Rule: "MAJORITY Endorsement"
    Capabilities:
        <<: *ApplicationCapabilities
Orderer: &OrdererDefaults
    OrdererType: etcdraft
    EtcdRaft:
        Consenters:
            - Host: orderer0.example.com
              Port: 7050
              ClientTLSCert: ../organizations/ordererOrganizations/example.com/orderers/orderer0.example.com/tls/server.crt
              ServerTLSCert: ../organizations/ordererOrganizations/example.com/orderers/orderer0.example.com/tls/server.crt
    BatchTimeout: 2s
    BatchSize:
        MaxMessageCount: 10
        AbsoluteMaxBytes: 99 MB
        PreferredMaxBytes: 512 KB
    Organizations:
    Policies:
        Readers:
            Type: ImplicitMeta
            Rule: "ANY Readers"
        Writers:
            Type: ImplicitMeta
            Rule: "ANY Writers"
        Admins:
            Type: ImplicitMeta
            Rule: "MAJORITY Admins"
        BlockValidation:
            Type: ImplicitMeta
            Rule: "ANY Writers"
Channel: &ChannelDefaults
    Policies:
        Readers:
            Type: ImplicitMeta
            Rule: "ANY Readers"
        Writers:
            Type: ImplicitMeta
            Rule: "ANY Writers"
        Admins:
            Type: ImplicitMeta
            Rule: "MAJORITY Admins"
    Capabilities:
        <<: *ChannelCapabilities
Profiles:
    AllOrgsOrdererGenesis:
        <<: *ChannelDefaults
        Orderer:
            <<: *OrdererDefaults
            Organizations:
                - *OrdererOrg
            Capabilities:
                <<: *OrdererCapabilities
        Consortiums:
            SampleConsortium:
                Organizations:
                    - *Org1
                    - *Org2
    AllOrgsChannel:
        Consortium: SampleConsortium
        <<: *ChannelDefaults
        Application:
            <<: *ApplicationDefaults
            Organizations:
                - *Org1
                - *Org2
            Capabilities:
                <<: *ApplicationCapabilities
On the Org1 node, after creating the crypto material with cryptogen, I used configtxgen to create the genesis block and the application channel.
configtxgen -profile AllOrgsOrdererGenesis -outputBlock ./channel-artifacts/genesis.block -channelID mychannel
configtxgen -profile AllOrgsChannel -outputCreateChannelTx ./channel-artifacts/mychannel.tx -channelID mychannel
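Next, I shared this project to all nodes and started the associated Docker containers. The next step is to create the channel, so on the Org1 VM I use the following command: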
peer channel create -o <IP of the ordering node>:7050 --ordererTLSHostnameOverride orderer0.example.com -c mychannel -f ./channel-artifacts/mychannel.tx --outputBlock ./channel-artifacts/mychannel.block --tls --cafile ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer0.example.com/msp/tlscacerts/tlsca.example.com-cert.pem
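I get the following error in my shell:
2020-12-15 16:52:38.764 UTC [channelCmd] InitCmdFactory -> INFO 001 Endorser and orderer connections initialized
Error: got unexpected status: FORBIDDEN -- config update for existing channel did not pass initial checks: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Writers' sub-policies to be satisfied: permission denied
Investigating in the orderer logs gives me the following errors: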
2020-12-15 16:52:38.780 UTC [cauthdsl] func2 -> DEBU 368 0xc000902e60 signed by 0 principal evaluation starts (used [false])
2020-12-15 16:52:38.780 UTC [cauthdsl] func2 -> DEBU 369 0xc000902e60 processing identity 0 - &{Org1MSP 6ead373932c104ed8f9aa3da8431824fbe733b84eeee6d8b70a0f2ddca84a932}
2020-12-15 16:52:38.782 UTC [cauthdsl] func2 -> DEBU 36a 0xc000902e60 identity 0 does not satisfy principal: the identity is a member of a different MSP (expected OrdererMSP, got Org1MSP)
2020-12-15 16:52:38.782 UTC [cauthdsl] func2 -> DEBU 36b 0xc000902e60 principal evaluation fails
2020-12-15 16:52:38.782 UTC [cauthdsl] func1 -> DEBU 36c 0xc000902e60 gate 1608051158780630929 evaluation fails
2020-12-15 16:52:38.782 UTC [policies] EvaluateSignedData -> DEBU 36d Signature set did not satisfy policy /Channel/Orderer/OrdererOrg/Writers
2020-12-15 16:52:38.782 UTC [policies] EvaluateSignedData -> DEBU 36e == Done Evaluating *cauthdsl.policy Policy /Channel/Orderer/OrdererOrg/Writers
2020-12-15 16:52:38.782 UTC [policies] func1 -> DEBU 36f Evaluation Failed: Only 0 policies were satisfied, but needed 1 of [ OrdererOrg/Writers ]
2020-12-15 16:52:38.782 UTC [policies] EvaluateSignedData -> DEBU 370 Signature set did not satisfy policy /Channel/Orderer/Writers
2020-12-15 16:52:38.782 UTC [policies] EvaluateSignedData -> DEBU 371 == Done Evaluating *policies.ImplicitMetaPolicy Policy /Channel/Orderer/Writers
2020-12-15 16:52:38.782 UTC [policies] func1 -> DEBU 372 Evaluation Failed: Only 0 policies were satisfied, but needed 1 of [ Consortiums/Writers Orderer/Writers ]
2020-12-15 16:52:38.782 UTC [policies] EvaluateSignedData -> DEBU 373 Signature set did not satisfy policy /Channel/Writers
2020-12-15 16:52:38.782 UTC [policies] EvaluateSignedData -> DEBU 374 == Done Evaluating *policies.ImplicitMetaPolicy Policy /Channel/Writers
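I assume the orderer policy expects the channel creation request to come from the orderer, but only a peer can do it. Maybe I made a mistake when writing my policies. Please, can you help me fix my platform?
Edit: following your comments, I add the following. Some of the environment variables for Org1 are: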
export CORE_PEER_TLS_ENABLED=true
export CORE_PEER_LOCALMSPID="Org1MSP"
export CORE_PEER_TLS_ROOTCERT_FILE=${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt
export CORE_PEER_MSPCONFIGPATH=${PWD}/organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp
export CORE_PEER_ADDRESS=localhost:7051
The volumes section of the docker compose file for the orderer container is:
volumes:
- ../channel-artifacts/genesis.block:/var/hyperledger/orderer/orderer.genesis.block
- ../organizations/ordererOrganizations/example.com/orderers/orderer0.example.com/msp:/var/hyperledger/orderer/msp
- ../organizations/ordererOrganizations/example.com/orderers/orderer0.example.com/tls/:/var/hyperledger/orderer/tls
- ../orgconfig/orderer.yaml:/etc/hyperledger/fabric/orderer.yaml
- orderer0.example.com:/var/hyperledger/production/orderer
The orderer configuration values associated with its MSP are:
General.LocalMSPDir = "/var/hyperledger/orderer/msp"
General.LocalMSPID = "OrdererMSP"
General.TLS.Enabled = true
General.TLS.PrivateKey = "/var/hyperledger/orderer/tls/server.key"
General.TLS.Certificate = "/var/hyperledger/orderer/tls/server.crt"
General.TLS.RootCAs = [/var/hyperledger/orderer/tls/ca.crt]
General.TLS.ClientAuthRequired = false
General.TLS.ClientRootCAs = []
According to the orderer's logs, the TLS handshake completes without errors.
【Discussion】:
-
What is the value of the CORE_PEER_MSPCONFIGPATH environment variable?
-
Can you give the configuration of the orderer container?
-
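This is a different issue from the error, but for the Raft algorithm, an odd number of at least three is recommended as a CFT method. That is, if the orderer is a single node, Raft is not suitable; to test running Raft on a separate network, configure an odd number of orderers, three or more. fabric-raft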
-
Is mutual TLS for the orderer set up correctly?
GENERAL_TLS_CLIENTAUTHREQUIRED, GENERAL_TLS_CLIENTROOTCAS, GENERAL_CLUSTER_CLIENTCERTIFICATE, GENERAL_CLUSTER_PRIVATEKEY: can you also give the configuration values of these items?
Tags: hyperledger-fabric hyperledger
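
Added example (not part of the original post or of Fabric itself): a small Python triage helper for the orderer DEBU trace quoted in the question. It reports which MSP signed the request, which MSP the rejecting policy expected, and the chain of failed policies. The function name and returned field names are made up for this example; the sample lines are copied from the question's log excerpt.

```python
import re

# Lines copied from the orderer log excerpt in the question.
SAMPLE_LOG = """\
2020-12-15 16:52:38.780 UTC [cauthdsl] func2 -> DEBU 369 0xc000902e60 processing identity 0 - &{Org1MSP 6ead373932c104ed8f9aa3da8431824fbe733b84eeee6d8b70a0f2ddca84a932}
2020-12-15 16:52:38.782 UTC [cauthdsl] func2 -> DEBU 36a 0xc000902e60 identity 0 does not satisfy principal: the identity is a member of a different MSP (expected OrdererMSP, got Org1MSP)
2020-12-15 16:52:38.782 UTC [policies] EvaluateSignedData -> DEBU 36d Signature set did not satisfy policy /Channel/Orderer/OrdererOrg/Writers
2020-12-15 16:52:38.782 UTC [policies] EvaluateSignedData -> DEBU 370 Signature set did not satisfy policy /Channel/Orderer/Writers
2020-12-15 16:52:38.782 UTC [policies] EvaluateSignedData -> DEBU 373 Signature set did not satisfy policy /Channel/Writers
"""

# Colour codes, with or without the ESC byte (captures often lose it).
ANSI = re.compile(r"\x1b?\[\d+(?:;\d+)*m")
IDENTITY = re.compile(r"processing identity \d+ - &\{(\w+) ")
MISMATCH = re.compile(r"\(expected (\w+), got (\w+)\)")
FAILED = re.compile(r"did not satisfy policy (\S+)")


def explain_policy_failure(log_text):
    """Summarise a policy-evaluation trace (hypothetical helper)."""
    signers, mismatches, failed = [], [], []
    for raw in log_text.splitlines():
        line = ANSI.sub("", raw)
        if m := IDENTITY.search(line):
            signers.append(m.group(1))
        if m := MISMATCH.search(line):
            mismatches.append((m.group(1), m.group(2)))
        if m := FAILED.search(line):
            failed.append(m.group(1))
    # In this trace failures are logged innermost first: the first entry
    # is the org-level policy that rejected the signer, the last is the
    # channel-level policy the request was checked against.
    return {
        "signers": signers,
        "mismatches": mismatches,
        "leaf_policy": failed[0] if failed else None,
        "top_policy": failed[-1] if failed else None,
        "chain": failed,
    }


if __name__ == "__main__":
    for key, value in explain_policy_failure(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```
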