Hyperledger fabric

Notes>

Notes #

installation - curl -sSL https://bit.ly/2ysbOFE | bash -s – 2.2.7 1.5.3
to start a basic test network (two org, 1 application channel)
- network.sh up createChannel -c mychannel -s couchdb without fabric-ca
- network.sh up createChannel -ca -c mychannel -s couchdb with fabric-ca
organizations/cryptogen/crypto-config-org3.yaml + cryptogen will be used to bootstrap all required crypto stuff like certificates / tls / user identity for you - this is what I call “without fabric-ca”
in the with fabric-ca way, you have to cretae a fabric-ca-server and register the peer, generate the user identity and certificates manually with fabric-ca-client
configtx/configtx.yaml + configtxgen will be used to generate the genesis block, channel transaction and org definition for you
peer environment variables setup - useful when performing channel update and chaincode installation / execution
tls setup for orderer, peer and fabric-ca
configtx.yaml reference

Leader, Anchor (Gossip)>

Leader, Anchor (Gossip) #

leader peer
- it will always receive the block from orderer
- it will then send the block to others peers
- it can be set to keep the peer always up-to-date
- it can be auto-elected or config statically
anchor peer
- The network uses the GOSSIP mechanism to know peers from other org with anchor peer.
- For example: org1 peer1 has to communicate with org2 peer1. it can know org2 peer1 from org1 anchor peer.
- an anchor peer can talk with another anchor peer from different org
- to enable this in peer, define CORE_PEER_GOSSIP_EXTERNALENDPOINT to expose peer to the GOSSIP channel

create channels>

create channels #

orderer system channel
- use configtxgen -outputBlock to generate genesis block
- config ORDERER_GENERAL_GENESISFILE with genesis.block in orderer
application channel
- use configtxgen -outputCreateChannelTx to create transaction
- create block with peer channel create
- add peer to the channel with peer channel join -b

add org3>

add org3 #

update organizations/cryptogen/crypto-config-org3.yaml
generate certificates for the org3 peer
update configtx/config.yaml with org3 definition
print out the definition
update channel config
- fetch channel config
- make a change request for adding new org definition to the channel config
- sign the change request by org
- commit the change
bring up new org’s peer

add peer>

add peer #

same as add org but
no need to update channel config

add orderer>

add orderer #

same as add org but
need to update both orderer and application channel config (update the Addresses and Consensers list)
bring up the new orderer with the latest orderer config block (don’t use the original genesis.block)

service discovery>

service discovery #

configure external endpoints
add anchor peers to channel config
setup persistent config
query peers
query channel config
query endorsers
- when the chaincode wasn’t installed on the peer. it will return an error: chaincode definition wasn’t found.

chaincode>

chaincode #

use peer lifecycle chaincode package to package the chaincode source code.
no need to call npm install / go mod vendor before packaging because the package command will exclude the dependencies folders (vendors / node_modules) for you
use peer lifecycle chaincode install to install the chaincode. a chaincode container will be started in each installed peers

To commit a chaincode, suggests to follow the Using Private Data in Fabric tutorial

It is a good example as it show how to add the extra params to the chaincode definition

For example,

--signature-policy: define which peers need to endorse during the invoke
--collections-config: config the private data definition
--init-required: need to add -I when first time invoke the chaincode

To check which org has approved the chaincode, use

peer lifecycle chaincode checkcommitreadiness

Notice that those extra params have to be kept in the whole commit process.

For example if you set --init-required in approveformyorg. you have to keep this in approveformyorg for other org, commit and checkcommitreadiness.

Some information need to know to commit a new version of chaincode:

cc_package_id - peer lifecycle chaincode queryinstalled
channel_name - peer channel list
chaincode version and sequence - peer lifecycle chaincode querycommitted or peer lifecycle chaincode queryapproved

However, there is no way to know what extra parameters are used in approveformyorg by other orgs.

It is hard to approve a chaincode without knowing the extra params being used in other org.

To execute an approved chaincode,

use peer chaincode invoke
--waitForEvent and peerAddresses are needed in peer chaincode invoke
--transient can be used to pass an object to the chaincode
--tls means use tls to connect to the orderer but not peers
if tls is enabled in peers, you must connect peer with tls by export CORE_PEER_TLS_ENABLED=true

To define which / how many org are required in peer lifecycle chaincode commit

change “LifecycleEndorsement” policy in channel config

To define which / how many org are required to endorse in peer chaincode invoke

change “Endorsements” policy in channel config
use --signature-policy to approve and commit the chaincode. this will override the channel config

fabric-ca-client>

fabric-ca-client #

fabric-ca-client will look at the fabric-ca-client-config.yml and msp (user identity) at the $FABRIC_CA_CLIENT_HOME folder.
by setting up this environment variable, you could run commands with that user identity directly without enrollment
fabric-ca-client enroll will generate the fabric-ca-client-config.yml and msp (user identity) at the $FABRIC_CA_CLIENT_HOME folder.
you have to specify -M when enrolling a user so you won’t override the user identity config.
everytime when you call fabric-ca-client enroll. a new pair of cert and key will be generated in the $FABRIC_CA_CLIENT_HOME/msp folder

Using Private Data in Fabric has a good example to show how to create a user in fabric-ca

export FABRIC_CA_CLIENT_HOME=${PWD}/organizations/peerOrganizations/org1.example.com/

create new user owner

fabric-ca-client register --caname ca-org1 --id.name owner --id.secret ownerpw --id.type client --tls.certfiles "${PWD}/organizations/fabric-ca/org1/tls-cert.pem"

generate owner’s certificate in ${PWD}/organizations/peerOrganizations/org1.example.com/users/owner@org1.example.com/msp

fabric-ca-client enroll -u https://owner:ownerpw@localhost:7054 --caname ca-org1 -M "${PWD}/organizations/peerOrganizations/org1.example.com/users/owner@org1.example.com/msp" --tls.certfiles "${PWD}/organizations/fabric-ca/org1/tls-cert.pem"

if remove -M, $FABRIC_CA_CLIENT_HOME/msp will be overridden so the user identity will change to owner. If you don’t have any backup for the msp folder, you have to enroll in an admin account to re-generate the config again.
```
fabric-ca-client enroll -u https://admin:adminpw@localhost:7054 --caname ca-org1 --tls.certfiles "${PWD}/organizations/fabric-ca/org1/tls-cert.pem"
```

Fabric CA User’s Guide recorded many useful examples for daily operations
- create a user with type: client - fabric-ca-client register
- login & generate the certificate - fabric-ca-client enroll
- list out the certs in ca - fabric-ca-client certificate list
- set user’s affiliation - –affiliation org2
- set user as revoker of peer and client - –id.attrs ‘“hf.Registrar.Roles=peer,client”,hf.Revoker=true’
- revoke a user identity - fabric-ca-client revoke -e
- update the crl - fabric-ca-client gencrl
- renew the cert - fabric-ca-client reenroll

fabric-ca-server>

fabric-ca-server #

use fabric-ca-server init -b to generate the dummy server config. They will be stored in $FABRIC_CA_HOME
update csr.cn, csr.names, csr.hosts, ca.name, tls.enabled in $FABRIC_CA_HOME/fabric-ca-server-config.yaml
before starting the server, make sure to unset all conflict fabric-ca-server environment variables. They will override the setting in config.yaml. I spent lots of time debugging because of this.
fabric-ca-server start -b to start the ca server
enable hsm
- this page tells how to enable hsm in fabric-ca-server.
- basically, we need the libsofthsm2.so pin and label to config the bccsp session in fabric-ca-server-config.yaml.
- then the private keys will be stored in hsm instead of the msp folder
- however they don’t provide any fabric-ca binary with pscs11 enabled
- to play with fabric-ca-server with hsm. we have to compile softhsm2 and fabric-ca by ourselves
enable mysql
- by default, the user identities will be stored in a sqlite file
- if you plan to create a ca in cluster - build multiple ca servers and use haproxy to load balancer them - you need a mysql server to store the user identities globally (among the cluster)
- the config can be found in fabric-ca-server-config.yaml db:type
- you may need to set sql_mode='' in the mysql server to fix the incapability
intermediate ca
- start ca with fabric-ca-server start -b admin:adminpw -u http://<enrollmentID>:<secret>@<parentserver>:<parentport>
- to enroll a peer with intermediate ca. you need to concat root ca + intermediate certs for the org definition and msp (user identity)

Note for exam>

Note for exam #

remote desktop environment
- XFCE 4.14
- Guacamole 1.4.0
- XFCE Terminal Emulator (black background, white font)
- Ubuntu 20.04
- Firefox Browser
PSI secure browser interface
retake policy - one free retake per Exam purchase
Update on Certification Exam Proctoring Migration mentioned a few important things about the exam:
- no personal bookmarks anymore - it’s very stupid…
- copying and pasting the yaml in vim will cause incorrect indentation - fix it by :set paste!
- copy and paste from the terminal will be Copy = CTRL+SHIFT+C, Paste = CTRL+SHIFT+V for Paste - you may need to get used to it
External monitor: only 1 active monitor is allowed - If you are using macbook, you will see 2 monitors in “About This Macs > Displays”. There is no way for me to disable the built-in monitor unless I close the lid. So I can’t use the monitor during the exam.