Difference between revisions of "IT-SDK-Hyperledger-Fabric-Admin"

From wiki.samerhijazi.net
Revision as of 08:24, 14 April 2021

Lab-Infrastructure

- vCPU: 2
- RAM: 7GB
- HDD: 30GB
- OS: Ubuntu 16.04
- Fabric: v1.4.1
# -*- mode: ruby -*-
# vi: set ft=ruby :
ENV['VAGRANT_DEFAULT_PROVIDER'] = 'virtualbox'
ENV["LC_ALL"] = "en_US.UTF-8"

Vagrant.configure("2") do |config|
  config.vm.box = "ubuntu/xenial64"
  config.vm.hostname = "fabric"
  config.vm.network "public_network"           # bridged to the LAN; the VM is reachable from other hosts
  config.vm.base_address = "192.168.178.201"
  config.vm.base_mac = "0800278A8081"
  config.vm.synced_folder ".", "/vagrant"

  config.disksize.size = '50GB'                # requires the vagrant-disksize plugin
  # --------------------------------------------------------------------
  config.vm.provider "virtualbox" do |vb|
    vb.gui = false
    vb.name = "Fabric"
    vb.cpus = 2
    vb.memory = 4096
  end
  # --------------------------------------------------------------------
end

Initial

Ref: main

Ref: temp

Glossary

* Peer: Node.
* Channel: The primary communications mechanism between the members of a consortium.
* CA (Certificate Authority): Issues identities by generating a public and private key.
* MSP (Membership Service Provider): Contains a list of permissioned identities.
* TLS (Transport Layer Security): Certificates for transport/communication; secures all communication between nodes.
* Anchor peer: Defines the location of a peer that can be used for cross-org gossip communication.
* Orderer: Nodes that order transactions into a block and then distribute blocks to connected peers for validation and commit.
* Orderer: Validates and generates a new configuration transaction, packages it into a block, then broadcasts it to all peers on the channel.
* Transactions: Created when a chaincode is invoked from a client application to read or write data from the ledger.
* Block/Blockchain: A block contains an ordered set of transactions. The chain is a transaction log structured as hash-linked blocks of transactions.
* Smart contract (chaincode): Defines the transaction logic of a business object. It is packaged into a chaincode, then deployed to a blockchain network (ledger).
* Ledger: Blockchain and world state. A record of all state transitions; state transitions are the result of chaincode invocations ("transactions").
* World state/current state: The latest values for all keys included in the chain transaction log.
* Consensus/Consistent: Shared agreement. A process in which each peer in a channel keeps its own copy of the ledger in step with every other peer's copy.

Notes-Collections

  • Components: Ledger, channel, chaincode, types of network nodes (endorser, committer, orderer, etc.), transaction flow, Certificate Authority (CA).
  • Cryptographic keys (public & private)
  • Chaincode: install, instantiate & upgrade (without/with TLS && multi-org)
  • CA operations: registration, enrollment.
  • Multi-Org with JP
  • SoftHSM (software Hardware Security Module): installing, configuring and testing SoftHSM via the PKCS#11 interface. https://www.opendnssec.org/softhsm/
  • Logging levels: critical, error, warning, notice, info, debug

Notes-My

Architecture

Life-Cycle

* Generate configuration crypto
* Generate configuration genesis
* Generate configuration channel
* Generate configuration anchor
..................................
* Expand Network: Peer
* Expand Network: Anchor
* Expand Network: Channel
* Expand Network: MultiOrg
..................................
* Chaincode install
* Chaincode upgrade
..................................
* Infrastructure: CouchDB
* Infrastructure: Kafka
..................................
* CA (Certificate Authorities)
* TLS (Transport Layer Security) & MSP (Membership Service Provider)
* Discovery
* BCCSP (BlockChain Crypto Service Provider) 

Code

* https://raw.githubusercontent.com/hyperledger/fabric/master/scripts/bootstrap.sh    # bootstrap: downloads Fabric core, Fabric CA and fabric-samples
* https://github.com/hyperledger/fabric                                               # /bin/ && /config/
* https://github.com/hyperledger/fabric-ca                                            # /bin/fabric-ca-client && /bin/fabric-ca-server
* https://github.com/hyperledger/fabric-samples                                       # sample Fabric projects
# bootstrap: download Fabric core, Fabric CA and fabric-samples
# arguments: <fabric version> <fabric-ca version> <thirdparty image version>
# note: this pipes a shortened URL straight into bash; download the script and read it before running it outside a throwaway lab
curl -sSL http://bit.ly/2ysbOFE | bash -s -- 1.4.7 1.4.7 0.4.20
curl -sSL http://bit.ly/2ysbOFE | bash -s 1.4.9
cd ./fabric-samples/basic-network/
./start.sh
./stop.sh
---
cd ./fabric-samples/first-network/
./eyfn.sh generate
./eyfn.sh up
./eyfn.sh down

Basics

Folder-Structure

configca >>>> OrderersInOrg >>>> Domain >>>> Orderers >>>> HOST >>>> MSP && TLS
configca >>>> PeersInOrg    >>>> Domain >>>> Peers    >>>> HOST >>>> MSP && TLS
configca >>>> PeersInOrg    >>>> Domain >>>> Users    >>>> USER >>>> MSP && TLS
configca >>>> PeersInOrg    >>>> Domain >>>> ca       >>>> KEYFILE && CERTFILE

ENV

export BASE_FOLDER=/etc/hyperledger/
export BASE_FOLDER=/opt/gopath/src/github.com/hyperledger/
export CORE_PEER_ADDRESS=peer0.org1.example.com:7051
export CORE_PEER_LOCALMSPID=Org1MSP
export CORE_PEER_MSPCONFIGPATH=/etc/hyperledger/msp/users/Admin@org1.example.com/msp
export CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/configca/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp

Docker

docker-compose -f docker-compose.yml stop
docker-compose -f docker-compose.yml kill
docker-compose -f docker-compose.yml down
docker-compose -f docker-compose.yml up -d ca orderer couchdb0 peer0 cli
----------------------------------------------------------------------
docker logs peer0
docker exec -it peer0 bash
docker exec -e CORE_PEER_LOCALMSPID -e CORE_PEER_MSPCONFIGPATH -it peer0 bash      # -e VAR (no value) passes the variable through from the calling shell

Generate configuration

cryptogen generate --config=./crypto-config.yaml                                                                   # Generate crypto certificates  
cryptogen extend --config=./crypto-config.yaml                                                                     # Extend crypto certificates
configtxgen -profile Genesis -outputBlock ./config/genesis.block                                                   # Generate transaction: genesis
configtxgen -profile Channel -outputCreateChannelTx ./config/channel.tx -channelID channel-id                      # Generate transaction: channel
configtxgen -profile Channel -outputAnchorPeersUpdate ./config/ancher.tx -channelID channel-id -asOrg Org1MSP      # Generate transaction: anchor
configtxgen -inspectBlock ./config/genesis.block                                                                   # Inspects genesis block

Peer Operations

Channel

peer channel create -o orderer.example.com:7050 -c channel-id -f /etc/hyperledger/configtx/channel.tx 
peer channel fetch oldest channel-id.block -o orderer.example.com:7050 -c channel-id
peer channel join -b channel-id.block
peer channel update -o orderer.example.com:7050 -c channel-id -f ./config/ancher.tx
---
peer channel fetch config blockFetchedConfig.pb -o orderer.example.com:7050 -c allarewelcome
peer channel list

Chaincode

peer chaincode install -n ccForAll -p github.com/sacc -v 1.0
peer chaincode instantiate -n ccForAll  -v 1.0 -C allarewelcome -o orderer.example.com:7050 -c '{"Args":["Mach","50"]}' --policy "AND('Org1.peer', OR ('Org1.member'))"
peer chaincode upgrade -n ccForAll -v 1.1 -C allarewelcome  -c '{"Args":["Mach","50"]}' --policy "AND('Org1.peer','Org2.peer', OR('Org1.member','org2.peer'))"
peer chaincode list --installed
peer chaincode list --instantiated -C channel1org1
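The CLI checks only the syntax of the `--policy` string above; a policy naming an MSP ID that is not on the channel parses fine but can never be satisfied, and a typo such as a lower-case MSP ID fails silently at endorsement time. The following is an added example (not part of this page or of the Fabric tooling) that parses the AND/OR policy form used here (OutOf is not covered) and reports principals whose MSP ID is not in the assumed set of channel MSP IDs or whose role Fabric does not know:

```python
import re

# Roles Fabric accepts in a policy principal of the form MSPID.role
ROLES = {"member", "admin", "client", "peer"}
TOKEN = re.compile(r"\s*(AND|OR|\(|\)|,|'[^']*')\s*")

def tokenize(expr):
    """Split a policy string into AND/OR, parentheses, commas and quoted principals."""
    pos, tokens = 0, []
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"unexpected input at offset {pos}: {expr[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens

def parse(tokens):
    """Recursive descent: returns ('AND'|'OR', [subtrees]) or ('P', 'Org1MSP.peer')."""
    tok = tokens.pop(0)
    if tok in ("AND", "OR"):
        if tokens.pop(0) != "(":
            raise ValueError(f"expected '(' after {tok}")
        args = []
        while True:
            args.append(parse(tokens))
            sep = tokens.pop(0)
            if sep == ")":
                return (tok, args)
            if sep != ",":
                raise ValueError(f"expected ',' or ')' but got {sep!r}")
    if tok.startswith("'"):
        return ("P", tok.strip("'"))
    raise ValueError(f"unexpected token {tok!r}")

def parse_policy(expr):
    tokens = tokenize(expr)
    tree = parse(tokens)
    if tokens:
        raise ValueError(f"trailing tokens: {tokens}")
    return tree

def principals(tree):
    """Flatten the parse tree into the list of principals it references."""
    kind, body = tree
    return [body] if kind == "P" else [p for sub in body for p in principals(sub)]

def check_policy(expr, channel_msps):
    """Return problems found: principals naming an MSP ID absent from the channel or an unknown role."""
    problems = []
    for p in principals(parse_policy(expr)):
        msp, _, role = p.partition(".")
        if msp not in channel_msps:
            problems.append(f"unknown MSP ID in principal {p!r}")
        if role not in ROLES:
            problems.append(f"unknown role in principal {p!r}")
    return problems

if __name__ == "__main__":
    # channel MSP IDs are an assumption taken from this lab's naming (Org1MSP, Org2MSP)
    for problem in check_policy("AND('Org1.peer','Org2.peer', OR('Org1.member','org2.peer'))", {"Org1MSP", "Org2MSP"}):
        print(problem)
```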

Multi-Org

cryptogen extend --config=./configca.yaml                                      # generate crypto material for the new org
configtxgen -printOrg Org2MSP > ./configtx/org2_definition.json                # export the new org's MSP definition as JSON
...
docker exec -it cli bash
peer channel fetch config blockFetchedConfig.pb -o orderer.example.com:7050 -c allarewelcome                  # fetch the current config block
configtxlator proto_decode --input blockFetchedConfig.pb --type common.Block | jq '.data.data[0].payload.data.config' > configBlock.json
jq -s '.[0] * {"channel_group":{"groups":{"Application":{"groups":{"Org2MSP":.[1]}}}}}' configBlock.json ./configtx/org2_definition.json > configChanges.json   # add Org2MSP under the Application group
configtxlator proto_encode --input configBlock.json --type common.Config --output configBlock.pb
configtxlator proto_encode --input configChanges.json --type common.Config --output configChanges.pb
configtxlator compute_update --channel_id allarewelcome --original configBlock.pb --updated configChanges.pb --output configProposal_Org2.pb   # channel_id must match the channel the config was fetched from
configtxlator proto_decode --input configProposal_Org2.pb --type common.ConfigUpdate | jq . > configProposal_Org2.json                        # review this before signing
echo '{"payload":{"header":{"channel_header":{"channel_id":"allarewelcome","type":2}},"data":{"config_update":'$(cat configProposal_Org2.json)'}}}' | jq . > org2SubmitReady.json
configtxlator proto_encode --input org2SubmitReady.json --type common.Envelope --output org2SubmitReady.pb
peer channel signconfigtx -f org2SubmitReady.pb        # the signatures must satisfy the Application group's Admins modification policy
peer channel update -f org2SubmitReady.pb -c allarewelcome -o orderer.example.com:7050
....
docker exec -it cli bash
peer channel fetch 0 Org2AddedConfig.block -o orderer.example.com:7050 -c allarewelcome    # the new org's peer joins from the channel genesis block
peer channel join -b Org2AddedConfig.block
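Before an admin signs org2SubmitReady.pb, the decoded ConfigUpdate (configProposal_Org2.json) should be checked to contain only the intended change: compute_update lists unchanged entries as version-only stubs in both read_set and write_set, so anything present in write_set but missing or different in read_set is an addition or a modification. This added example (not part of this page or of configtxlator) diffs the two sets and rejects an update that targets the wrong channel or touches anything other than adding Org2MSP under Application; both sample updates are constructed and abbreviated:

```python
import copy
import json

# The three maps a ConfigGroup carries in configtxlator's JSON, with a singular label for reporting
KINDS = {"groups": "group", "values": "value", "policies": "policy"}

def diff_groups(read, write, path, out):
    """Record entries that write_set adds or changes relative to read_set (recursing into sub-groups)."""
    for kind, label in KINDS.items():
        read_items = read.get(kind) or {}
        for name, w_item in (write.get(kind) or {}).items():
            sub = f"{path}/{name}"
            r_item = read_items.get(name)
            if r_item is None:
                out.append((f"{label}-added", sub))
            elif kind == "groups":
                diff_groups(r_item, w_item, sub, out)
            elif r_item != w_item:
                out.append((f"{label}-changed", sub))

def review_update(update, expected_channel, expected_new_org):
    """Return (ok, unexpected) for a decoded common.ConfigUpdate.

    ok is True only when the update targets expected_channel and its sole
    change is adding expected_new_org under the Application group."""
    unexpected = []
    if update.get("channel_id") != expected_channel:
        unexpected.append(("channel-mismatch", update.get("channel_id")))
    changes = []
    diff_groups(update.get("read_set") or {}, update.get("write_set") or {}, "", changes)
    allowed = ("group-added", f"/Application/{expected_new_org}")
    unexpected += [c for c in changes if c != allowed]
    return (allowed in changes and not unexpected), unexpected

# Constructed sample shaped like the decoded ConfigUpdate produced by the jq merge above
# (MSP certificates and most values omitted for brevity)
GOOD_UPDATE = json.loads("""{
  "channel_id": "allarewelcome",
  "read_set": {"groups": {"Application": {"version": "0",
      "groups": {"Org1MSP": {"version": "0"}}, "values": {}, "policies": {}}}},
  "write_set": {"groups": {"Application": {"version": "1", "mod_policy": "Admins",
      "groups": {"Org1MSP": {"version": "0"},
                 "Org2MSP": {"version": "0", "mod_policy": "Admins",
                             "values": {"MSP": {"version": "0", "value": {}}},
                             "policies": {"Admins": {"version": "0"}}}},
      "values": {}, "policies": {}}}}
}""")

# Constructed variant that additionally loosens the Application Admins policy to ANY:
# the jq merge never produces this, so it must be refused before signing
BAD_UPDATE = copy.deepcopy(GOOD_UPDATE)
BAD_UPDATE["read_set"]["groups"]["Application"]["policies"] = {"Admins": {"version": "0"}}
BAD_UPDATE["write_set"]["groups"]["Application"]["policies"] = {
    "Admins": {"version": "1", "mod_policy": "Admins",
               "policy": {"type": 3, "value": {"rule": "ANY", "sub_policy": "Admins"}}}}

if __name__ == "__main__":
    for label, upd in (("good", GOOD_UPDATE), ("bad", BAD_UPDATE)):
        ok, findings = review_update(upd, "allarewelcome", "Org2MSP")
        print(label, "OK" if ok else "REJECT", findings)
```

To review a real proposal, replace the constructed sample with `json.load(open("configProposal_Org2.json"))`.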

CA (Certificate Authority)

  • Initial Server
  • Enroll Server
  • Register Node (admin, peer, user)
  • Enroll Node

Initial Server

cd /etc/hyperledger/fabric-ca-server
rm ca-cert.pem fabric-ca-server-config.yaml
fabric-ca-server init -b admin:admin                                                                  # Initialized Root CA-Server
fabric-ca-server start -b admin:admin -p 8080                                                         # Start Root CA-Server
fabric-ca-server start -b intermediate:intermediate -u http://admin:admin@localhost:8080 -p 3000      # Start Intermediate CA-Server

Register & Enroll: bootstrap

fabric-ca-client enroll -u http://admin:admin@localhost:8080

Register & Enroll: admin

fabric-ca-client register -u http://localhost:8080 --id.name nameAdmin --id.secret 'password' --id.affiliation org1 --id.type admin --id.attrs 'hf.Registrar.Roles=peer, hf.GenCRL=true, admin=true:ecert, hf.Revoker=true' 
fabric-ca-client enroll -u http://nameAdmin:password@localhost:8080 -M $FABRIC_CA_HOME/msp/nameAdmin

Register & Enroll: peer

fabric-ca-client register --id.name namePeer --id.secret 'password' --id.affiliation org1 --id.type peer -u http://nameAdmin:'password'@localhost:8080
fabric-ca-client enroll -u http://namePeer:'password'@localhost:8080 -M $FABRIC_CA_HOME/msp/namePeer

Register & Enroll: user

fabric-ca-client register --id.name nameUser --id.secret 'password' --id.affiliation org2 --id.type user -u http://nameAdmin:'password'@localhost:8080
fabric-ca-client enroll -u http://nameUser:'password'@localhost:8080 -M $FABRIC_CA_HOME/msp/nameUser

Modify & Revoke

fabric-ca-client identity modify peerSam --affiliation org1 --type peer --secret ImFinallyAPeer
fabric-ca-client revoke -e peerSam -r 'keycompromise'
fabric-ca-client gencrl
fabric-ca-client certificate list --revocation 2018-01-01::2022-12-30

CMD

ls $FABRIC_CA_HOME/msp
ls $FABRIC_CA_HOME/msp/nameAdmin
ls $FABRIC_CA_HOME/msp/namePeer
ls $FABRIC_CA_HOME/msp/nameUser
fabric-ca-client identity list
fabric-ca-client identity list --id nameAdmin
fabric-ca-client identity list --id namePeer
fabric-ca-client identity list --id nameUser
fabric-ca-client certificate list --id nameAdmin

TLS (Transport Layer Security)

  • Settings
- Enable TLS
- The key for the peer
- The certificate for the peer
- The root CA certificate
CORE_PEER_TLS_ENABLED=       true
CORE_PEER_TLS_KEY_FILE=      /etc/hyperledger/msp/peer/tls/server.key
CORE_PEER_TLS_CERT_FILE=     /etc/hyperledger/msp/peer/tls/server.crt
CORE_PEER_TLS_ROOTCERT_FILE= /etc/hyperledger/msp/peer/tls/ca.crt
  • Examples of how to use TLS
# With the variables above exported
peer chaincode list --installed --tls
...
# Passed explicitly at runtime
peer chaincode install -n mycc -v 1.3 -p github.com/sacc --tls --cafile $CORE_PEER_TLS_ROOTCERT_FILE --certfile $CORE_PEER_TLS_CERT_FILE --keyfile $CORE_PEER_TLS_KEY_FILE

Discovery

--userKey  >> $USER_KEY_FILE=*/peer/*/user/*/msp/keystore
--userCert >> $USER_CER_FILE=*/peer/*/user/*/msp/signcerts
...
CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer0.org1.example.com:7051
discover saveConfig --configFile discoveryConfig.yaml --userKey $USER_KEY_FILE --userCert $USER_CER_FILE --MSP Org1MSP 
discover peers --configFile discoveryConfig.yaml --channel org1channel1 --server peer0.org1.example.com:7051
discover peers --configFile discoveryConfig.yaml --channel org1channel1 --server peer0.org1.example.com:7051 --chaincode ccForAll

Infrastructure: CouchDB

#------------------------- CouchDB service
  couchdbOrg1Peer0:
    container_name: couchdbOrg1Peer0
    image: hyperledger/fabric-couchdb
    environment:
      - COUCHDB_USER=peer0.Org1
      - COUCHDB_PASSWORD=password
    ports:
      - "5984:5984"            # publishes CouchDB on the host; only the peer needs to reach it, so drop this outside a local lab
    networks:
      - basic
#------------------------- added to the peer service
    environment:
      - CORE_LEDGER_STATE_STATEDATABASE=CouchDB
      - CORE_LEDGER_STATE_COUCHDBCONFIG_COUCHDBADDRESS=couchdbOrg1Peer0:5984
      - CORE_LEDGER_STATE_COUCHDBCONFIG_USERNAME=peer0.Org1
      - CORE_LEDGER_STATE_COUCHDBCONFIG_PASSWORD=password
    depends_on:
      - orderer.example.com
      - couchdbOrg1Peer0       # must match the CouchDB service name above
#-------------------------

Infrastructure: Kafka

# configtx.yaml
# -----------------------------------
Orderer: &OrdererDefaults
    OrdererType: kafka
    ...
    Kafka:
        Brokers:
        - kafkaA.example.com:9092
        - kafkaB.example.com:9092
# -----------------------------------

Settings-YAML

  • container_name
  • image
  • ports
  • depends_on
  • networks
  • command
  • working_dir
  • volumes
  • environment

Commands

CMD_CA:       sh -c 'fabric-ca-server start -b admin:adminpw'
CMD_Orderer:  orderer
CMD_Peer:     peer node start
CMD_CLI:      /bin/bash

Working-Directory

WD_CA:        none
WD_Peer:      /opt/gopath/src/github.com/hyperledger/fabric
WD_CLI:       /opt/gopath/src/github.com/hyperledger/fabric/peer
WD_Orderer:   /opt/gopath/src/github.com/hyperledger/fabric/orderer

volumes

  • CA
./crypto-config/peerOrganizations/org1.example.com/ca/:                               /etc/hyperledger/fabric-ca-server-config
  • Orderer
./config/:                                                                            /etc/hyperledger/configtx
./crypto-config/ordererOrganizations/example.com/orderers/orderer.example.com/:       /etc/hyperledger/msp/orderer
./crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/:     /etc/hyperledger/msp/peerOrg1
  • Peer
/var/run/:                                                                            /host/var/run/
./config:                                                                             /etc/hyperledger/configtx
./crypto-config/peerOrganizations/org2.example.com/users:                             /etc/hyperledger/msp/users
./crypto-config/peerOrganizations/org2.example.com/peers/peer1.org2.example.com/msp:  /etc/hyperledger/msp/peer
./crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls:  /etc/hyperledger/msp/peer/tls
  • CLI
/var/run/:                                                                            /host/var/run/
./../chaincode/:                                                                      /opt/gopath/src/github.com/
./config:                                                                             /opt/gopath/src/github.com/hyperledger/fabric/peer/config/
./crypto-config:                                                                      /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/

Environment

  • ENV-CA
FABRIC_CA_SERVER_CA_NAME=     ca.example.com
FABRIC_CA_HOME=               /etc/hyperledger/fabric-ca-server
FABRIC_CA_SERVER_CA_CERTFILE= /etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem
FABRIC_CA_SERVER_CA_KEYFILE=  /etc/hyperledger/fabric-ca-server-config/4239aa0dcd76daeeb8ba0cda701851d14504d31aad1b2ddddbac6a57365e497c_sk
  • ENV-Orderer
FABRIC_LOGGING_SPEC=           info
ORDERER_GENERAL_LISTENADDRESS= 0.0.0.0
ORDERER_GENERAL_GENESISMETHOD= file
ORDERER_GENERAL_LOCALMSPID=    OrdererMSP
ORDERER_GENERAL_GENESISFILE=   /etc/hyperledger/configtx/genesis.block
ORDERER_GENERAL_LOCALMSPDIR=   /etc/hyperledger/msp/orderer/msp
  • ENV-Peer
CORE_VM_ENDPOINT=                      unix:///host/var/run/docker.sock
CORE_LOGGING_PEER=                     debug
CORE_CHAINCODE_LOGGING_LEVEL=          debug
CORE_PEER_ID=                          peer0.org2.example.com
CORE_PEER_LOCALMSPID=                  Org2MSP
CORE_PEER_MSPCONFIGPATH=               /etc/hyperledger/msp/peer/
CORE_PEER_ADDRESS=                     peer0.org2.example.com:7051
CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE= startFiles_basic
  • ENV-Peer-CouchDB
CORE_LEDGER_STATE_STATEDATABASE=                CouchDB
CORE_LEDGER_STATE_COUCHDBCONFIG_COUCHDBADDRESS= couchdbOrg2Peer0:5984
CORE_LEDGER_STATE_COUCHDBCONFIG_USERNAME=       Org2Peer0
CORE_LEDGER_STATE_COUCHDBCONFIG_PASSWORD=       password
  • ENV-Peer-TLS
CORE_PEER_TLS_KEY_FILE=      /etc/hyperledger/msp/peer/tls/server.key
CORE_PEER_TLS_CERT_FILE=     /etc/hyperledger/msp/peer/tls/server.crt
CORE_PEER_TLS_ROOTCERT_FILE= /etc/hyperledger/msp/peer/tls/ca.crt
  • ENV-CLI
CORE_PEER_TLS_KEY_FILE=      /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.key
CORE_PEER_TLS_CERT_FILE=     /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.crt
CORE_PEER_TLS_ROOTCERT_FILE= /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt

Tutorial: Building First Network

sudo apt-get install curl
sudo apt-get install golang-go
export GOPATH=$HOME/go
export PATH=$PATH:$GOPATH/bin
sudo apt-get install nodejs
sudo apt-get install npm
sudo apt-get install python
sudo apt-get install docker
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
sudo apt-get update
apt-cache policy docker-ce
sudo apt-get install -y docker-ce
sudo apt-get install docker-compose
sudo apt-get upgrade
sudo curl -sSL https://goo.gl/6wtTN5 | sudo bash -s 1.1.0     # runs an unreviewed script as root; fetch and read it first outside a throwaway lab
sudo chmod 777 -R fabric-samples                              # world-writable; chown -R "$USER" fabric-samples is the tighter alternative
cd fabric-samples/first-network
...
sudo ./byfn.sh generate
sudo ./byfn.sh up
sudo ./byfn.sh down