Skip to main content
Hugo’s IT journal

Hyperledger fabric

·
blockchain
Hugo
Author
Hugo
DevOps Engineer in London
Table of Contents

Notes
#

  • installation - curl -sSL https://bit.ly/2ysbOFE | bash -s – 2.2.7 1.5.3
  • to start a basic test network (two org, 1 application channel)
    • network.sh up createChannel -c mychannel -s couchdb without fabric-ca
    • network.sh up createChannel -ca -c mychannel -s couchdb with fabric-ca
  • organizations/cryptogen/crypto-config-org3.yaml + cryptogen will be used to bootstrap all required crypto stuff like certificates / tls / user identity for you - this is what I call “without fabric-ca”
  • in the with fabric-ca way, you have to cretae a fabric-ca-server and register the peer, generate the user identity and certificates manually with fabric-ca-client
  • configtx/configtx.yaml + configtxgen will be used to generate the genesis block, channel transaction and org definition for you
  • peer environment variables setup - useful when performing channel update and chaincode installation / execution
  • tls setup for orderer, peer and fabric-ca
  • configtx.yaml reference

Leader, Anchor (Gossip)
#

  • leader peer
    • it will always receive the block from orderer
    • it will then send the block to others peers
    • it can be set to keep the peer always up-to-date
    • it can be auto-elected or config statically
  • anchor peer
    • The network uses the GOSSIP mechanism to know peers from other org with anchor peer.
    • For example: org1 peer1 has to communicate with org2 peer1. it can know org2 peer1 from org1 anchor peer.
    • an anchor peer can talk with another anchor peer from different org
    • to enable this in peer, define CORE_PEER_GOSSIP_EXTERNALENDPOINT to expose peer to the GOSSIP channel

create channels
#

add org3
#

add peer
#

  • same as add org but
  • no need to update channel config

add orderer
#

  • same as add org but
  • need to update both orderer and application channel config (update the Addresses and Consensers list)
  • bring up the new orderer with the latest orderer config block (don’t use the original genesis.block)

service discovery
#

chaincode
#

  • use peer lifecycle chaincode package to package the chaincode source code.
  • no need to call npm install / go mod vendor before packaging because the package command will exclude the dependencies folders (vendors / node_modules) for you
  • use peer lifecycle chaincode install to install the chaincode. a chaincode container will be started in each installed peers

To commit a chaincode, suggests to follow the Using Private Data in Fabric tutorial

It is a good example as it show how to add the extra params to the chaincode definition

For example,

  • --signature-policy: define which peers need to endorse during the invoke
  • --collections-config: config the private data definition
  • --init-required: need to add -I when first time invoke the chaincode

To check which org has approved the chaincode, use

Notice that those extra params have to be kept in the whole commit process.

For example if you set --init-required in approveformyorg. you have to keep this in approveformyorg for other org, commit and checkcommitreadiness.

Some information need to know to commit a new version of chaincode:

However, there is no way to know what extra parameters are used in approveformyorg by other orgs.

It is hard to approve a chaincode without knowing the extra params being used in other org.

To execute an approved chaincode,

  • use peer chaincode invoke
  • --waitForEvent and peerAddresses are needed in peer chaincode invoke
  • --transient can be used to pass an object to the chaincode
  • --tls means use tls to connect to the orderer but not peers
  • if tls is enabled in peers, you must connect peer with tls by export CORE_PEER_TLS_ENABLED=true

To define which / how many org are required in peer lifecycle chaincode commit

  • change “LifecycleEndorsement” policy in channel config

To define which / how many org are required to endorse in peer chaincode invoke

  • change “Endorsements” policy in channel config
  • use --signature-policy to approve and commit the chaincode. this will override the channel config

fabric-ca-client
#

  • fabric-ca-client will look at the fabric-ca-client-config.yml and msp (user identity) at the $FABRIC_CA_CLIENT_HOME folder.

  • by setting up this environment variable, you could run commands with that user identity directly without enrollment

  • fabric-ca-client enroll will generate the fabric-ca-client-config.yml and msp (user identity) at the $FABRIC_CA_CLIENT_HOME folder.

  • you have to specify -M when enrolling a user so you won’t override the user identity config.

  • everytime when you call fabric-ca-client enroll. a new pair of cert and key will be generated in the $FABRIC_CA_CLIENT_HOME/msp folder

  • Using Private Data in Fabric has a good example to show how to create a user in fabric-ca

    • login as org1.example.com admin ($FABRIC_CA_CLIENT_HOME/msp)
      export FABRIC_CA_CLIENT_HOME=${PWD}/organizations/peerOrganizations/org1.example.com/
    • create new user owner
      fabric-ca-client register --caname ca-org1 --id.name owner --id.secret ownerpw --id.type client --tls.certfiles "${PWD}/organizations/fabric-ca/org1/tls-cert.pem"
    • generate owner’s certificate in ${PWD}/organizations/peerOrganizations/org1.example.com/users/owner@org1.example.com/msp
      fabric-ca-client enroll -u https://owner:ownerpw@localhost:7054 --caname ca-org1 -M "${PWD}/organizations/peerOrganizations/org1.example.com/users/owner@org1.example.com/msp" --tls.certfiles "${PWD}/organizations/fabric-ca/org1/tls-cert.pem"
    • if remove -M, $FABRIC_CA_CLIENT_HOME/msp will be overridden so the user identity will change to owner. If you don’t have any backup for the msp folder, you have to enroll in an admin account to re-generate the config again.
      fabric-ca-client enroll -u https://admin:adminpw@localhost:7054 --caname ca-org1 --tls.certfiles "${PWD}/organizations/fabric-ca/org1/tls-cert.pem"

  • Fabric CA User’s Guide recorded many useful examples for daily operations

fabric-ca-server
#

  • use fabric-ca-server init -b to generate the dummy server config. They will be stored in $FABRIC_CA_HOME

  • update csr.cn, csr.names, csr.hosts, ca.name, tls.enabled in $FABRIC_CA_HOME/fabric-ca-server-config.yaml

  • before starting the server, make sure to unset all conflict fabric-ca-server environment variables. They will override the setting in config.yaml. I spent lots of time debugging because of this.

  • fabric-ca-server start -b to start the ca server

  • enable hsm

    • this page tells how to enable hsm in fabric-ca-server.
    • basically, we need the libsofthsm2.so pin and label to config the bccsp session in fabric-ca-server-config.yaml.
    • then the private keys will be stored in hsm instead of the msp folder
    • however they don’t provide any fabric-ca binary with pscs11 enabled
    • to play with fabric-ca-server with hsm. we have to compile softhsm2 and fabric-ca by ourselves

  • enable mysql

    • by default, the user identities will be stored in a sqlite file
    • if you plan to create a ca in cluster - build multiple ca servers and use haproxy to load balancer them - you need a mysql server to store the user identities globally (among the cluster)
    • the config can be found in fabric-ca-server-config.yaml db:type
    • you may need to set sql_mode='' in the mysql server to fix the incapability

  • intermediate ca

    • start ca with fabric-ca-server start -b admin:adminpw -u http://<enrollmentID>:<secret>@<parentserver>:<parentport>
    • to enroll a peer with intermediate ca. you need to concat root ca + intermediate certs for the org definition and msp (user identity)

Note for exam
#

  • remote desktop environment
    • XFCE 4.14
    • Guacamole 1.4.0
    • XFCE Terminal Emulator (black background, white font)
    • Ubuntu 20.04
    • Firefox Browser
  • PSI secure browser interface
  • retake policy - one free retake per Exam purchase
  • Update on Certification Exam Proctoring Migration mentioned a few important things about the exam:
    • no personal bookmarks anymore - it’s very stupid…
    • copying and pasting the yaml in vim will cause incorrect indentation - fix it by :set paste!
    • copy and paste from the terminal will be Copy = CTRL+SHIFT+C, Paste = CTRL+SHIFT+V for Paste - you may need to get used to it
  • External monitor: only 1 active monitor is allowed - If you are using macbook, you will see 2 monitors in “About This Macs > Displays”. There is no way for me to disable the built-in monitor unless I close the lid. So I can’t use the monitor during the exam.