Hyperledger Fabric: How to add a new orderer organization to an existing Hyperledger Fabric network

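I am trying to add a new orderer organization to an existing RAFT-based ordering service. I am using first-network from fabric-samples as the base network. When generating the crypto material, I modified the configuration to generate crypto material for one more orderer organization. The crypto-config.yaml looks like this: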

OrdererOrgs:
  # ---------------------------------------------------------------------------
  # Orderer
  # ---------------------------------------------------------------------------
  - Name: Orderer
    Domain: example.com
    EnableNodeOUs: true
    # ---------------------------------------------------------------------------
    # "Specs" - See PeerOrgs below for complete description
    # ---------------------------------------------------------------------------
    Specs:
      - Hostname: orderer
      - Hostname: orderer2
      - Hostname: orderer3
      - Hostname: orderer4
      - Hostname: orderer5
  - Name: Orderer1
    Domain: example1.com
    EnableNodeOUs: true
    Specs:
      - Hostname: orderer
      - Hostname: orderer2
      - Hostname: orderer3

# ---------------------------------------------------------------------------
# "PeerOrgs" - Definition of organizations managing peer nodes
# ---------------------------------------------------------------------------
PeerOrgs:
  # ---------------------------------------------------------------------------
  # Org1
  # ---------------------------------------------------------------------------
  - Name: Org1
    Domain: org1.example.com
    EnableNodeOUs: true
    Template:
      Count: 2
      # Start: 5
      # Hostname: {{.Prefix}}{{.Index}} # default
    # ---------------------------------------------------------------------------
    # "Users"
    # ---------------------------------------------------------------------------
    # Count: The number of user accounts _in addition_ to Admin
    # ---------------------------------------------------------------------------
    Users:
      Count: 1
  # ---------------------------------------------------------------------------
  # Org2: See "Org1" for full specification
  # ---------------------------------------------------------------------------
  - Name: Org2
    Domain: org2.example.com
    EnableNodeOUs: true
    Template:
      Count: 2
    Users:
      Count: 1

Also, the configtx.yaml used to create the new orderer organization's MSP in JSON format looks like this:

Organizations:
    - &Orderer1Org
        # DefaultOrg defines the organization which is used in the sampleconfig
        # of the fabric.git development environment
        Name: Orderer1Org

        # ID to load the MSP definition as
        ID: Orderer1MSP

        MSPDir: ../crypto-config/ordererOrganizations/example1.com/msp

        # Policies defines the set of policies at this level of the config tree
        # For organization policies, their canonical path is usually
        #   /Channel/<Application|Orderer>/<OrgName>/<PolicyName>
        Policies:
            Readers:
                Type: Signature
                Rule: "OR('Orderer1MSP.member')"
            Writers:
                Type: Signature
                Rule: "OR('Orderer1MSP.member')"
            Admins:
                Type: Signature
                Rule: "OR('Orderer1MSP.admin')"

The orderer.example.com logs throw the following error:

2020-04-09 13:28:59.338 UTC [cauthdsl] deduplicate -> ERRO a3c Principal deserialization failure (the supplied identity is not valid: x509: certificate signed by unknown authority) for identity 0
2020-04-09 13:28:59.338 UTC [cauthdsl] deduplicate -> ERRO a3d Principal deserialization failure (the supplied identity is not valid: x509: certificate signed by unknown authority) for identity 0
2020-04-09 13:28:59.339 UTC [cauthdsl] deduplicate -> ERRO a3e Principal deserialization failure (the supplied identity is not valid: x509: certificate signed by unknown authority) for identity 0
2020-04-09 13:28:59.340 UTC [cauthdsl] deduplicate -> ERRO a3f Principal deserialization failure (the supplied identity is not valid: x509: certificate signed by unknown authority) for identity 0
2020-04-09 13:28:59.340 UTC [common.deliver] deliverBlocks -> WARN a40 [channel: byfn-sys-channel] Client authorization revoked for deliver request from 172.25.0.15:36196: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Readers' sub-policies to be satisfied: permission denied
2020-04-09 13:28:59.341 UTC [comm.grpc.server] 1 -> INFO a41 streaming call completed grpc.service=orderer.AtomicBroadcast grpc.method=Deliver grpc.peer_address=172.25.0.15:36196 grpc.peer_subject="CN=orderer.example1.com,L=San Francisco,ST=California,C=US" grpc.code=OK grpc.call_duration=4.992078ms

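I was able to extend first-network by adding a new orderer organization, as follows:

  • Start first-network in etcdraft mode through the byfn.sh script in the fabric-samples repo
  • I generated the crypto material as described in the crypto-config.yaml in the question above
  • Use the configtxgen tool to print the new orderer organization's MSP in JSON format
  • Mount this JSON file, or docker cp it, into the running cli container
  • Set the environment inside the cli container to correspond to an existing orderer node. Fetch the latest system channel configuration. Decode it to JSON format
  • Edit the Orderer section of the system channel config block to add the new orderer organization's MSP, as follows:

    jq -s '.[0] * {"channel_group":{"groups":{"Orderer":{"groups": {"Orderer1Org":.[1]}}}}}' config.json orderer1org.json > config1.json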

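  • Edit the Consortiums section of the system channel config block to add the new orderer organization's MSP, as follows:

    jq -s '.[0] * {"channel_group":{"groups":{"Consortiums":{"groups":{"SampleConsortium":{"groups": {"Orderer1MSP":.[1]}}}}}}}' config1.json orderer1org.json > config2.json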

  • Edit the Consenters section of the system channel config block to add the TLS credentials for the new orderer organization's orderer.example1.com node, as follows:

    cert=`base64 ../crypto/ordererOrganizations/example1.com/orderers/orderer.example1.com/tls/server.crt | sed ':a;N;$!ba;s/\n//g'`

    cat config2.json | jq '.channel_group.groups.Orderer.values.ConsensusType.value.metadata.consenters += [{"client_tls_cert": "'$cert'", "host": "orderer.example1.com", "port": 7050, "server_tls_cert": "'$cert'"}] ' > modified_config.json

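  • Encode the block, compute the delta, create the channel update transaction, encode it as a protobuf envelope and submit the channel update transaction

  • Fetch the latest system channel config block
  • Start one orderer (one that was previously added to the consenters list) using this latest fetched system channel config block as its genesis.block file
  • docker exec into the cli container. Using the environment of an existing orderer node, fetch the latest system channel config
  • Edit the system channel config block to add the new orderer's endpoint in the OrdererAddresses section, as follows:

    cat config.json | jq '.channel_group.values.OrdererAddresses.value.addresses += ["orderer.example1.com:7050"] ' > modified_config.json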

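  • Encode the block, compute the delta, create the channel update transaction, encode it as a protobuf envelope, and get the block signed by the Orderer1Org admin to satisfy the mod_policy of the /Channel/OrdererAddresses resource, which is set to the Admins policy. This implicit meta policy requires the signatures of a MAJORITY of the admins at that update level. So, since the number of orderer organizations is now 2, we need the admins of both organizations to sign this system channel update transaction. Set the environment corresponding to the Orderer1Org admin and run the following command:

    peer channel signconfigtx -f ordorg_update_in_envelope.pb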

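  • Set the environment back to the OrdererOrg admin and submit the channel update transaction. peer channel update will automatically sign the transaction on behalf of the OrdererOrg admin

    peer channel update -f ordorg_update_in_envelope.pb -c $CHANNEL_NAME -o orderer.example.com:7050 --tls true --cafile $ORDERER_CA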

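  • To update any application channel, just replace step 7 by updating the Application section of the application channel config block to add the new orderer organization's MSP there


    Hope this helps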
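
Added example (not part of the original answer and not Fabric's own code): a small Python model of how an ImplicitMeta `MAJORITY Admins` policy is evaluated over the organization groups of a decoded config, showing why one admin signature is enough while there is a single orderer organization and why both are needed once there are two. The config is constructed and trimmed to the fields used; `OrdererOrg`/`OrdererMSP` are assumed names for the existing organization, and a signature policy is simplified to "an admin of a listed MSP signed".

```python
# Added example: ImplicitMeta policy model over constructed, decoded-config-shaped data.
SIGNATURE, IMPLICIT_META = 1, 3  # policy "type" values in the decoded JSON


def org(msp_id):
    """Constructed org group whose Admins policy is OR('<msp_id>.admin')."""
    ident = {"principal_classification": "ROLE",
             "principal": {"msp_identifier": msp_id, "role": "ADMIN"}}
    rule = {"n_out_of": {"n": 1, "rules": [{"signed_by": 0}]}}
    return {"policies": {"Admins": {"policy": {
        "type": SIGNATURE, "value": {"identities": [ident], "rule": rule}}}}}


def orderer_group(orgs):
    """Constructed Orderer group: Admins = ImplicitMeta 'MAJORITY Admins'."""
    return {"groups": {name: org(msp) for name, msp in orgs.items()},
            "policies": {"Admins": {"policy": {
                "type": IMPLICIT_META,
                "value": {"rule": "MAJORITY", "sub_policy": "Admins"}}}}}


def threshold(rule, n):
    """Sub-policies that must pass: ANY -> 1, ALL -> n, MAJORITY -> n//2 + 1."""
    return {"ANY": min(1, n), "ALL": n, "MAJORITY": n // 2 + 1}[rule]


def evaluate(group, name, signer_msps):
    """Return (ok, satisfied, required) for policy `name` in `group`.

    Simplification (assumption): a signature policy passes when an admin of
    any MSP it lists is among the MSPs whose admins signed the update.
    """
    pol = group["policies"][name]["policy"]
    if pol["type"] == SIGNATURE:
        admins = {i["principal"]["msp_identifier"]
                  for i in pol["value"]["identities"]
                  if i["principal"]["role"] == "ADMIN"}
        hit = int(bool(admins & set(signer_msps)))
        return hit == 1, hit, 1
    sub = pol["value"]["sub_policy"]
    children = list(group.get("groups", {}).values())
    passed = sum(evaluate(c, sub, signer_msps)[0]
                 for c in children if sub in c.get("policies", {}))
    need = threshold(pol["value"]["rule"], len(children))
    return passed >= need, passed, need

two_orgs = orderer_group({"OrdererOrg": "OrdererMSP",      # assumed names
                          "Orderer1Org": "Orderer1MSP"})   # from the page
print(evaluate(two_orgs, "Admins", {"OrdererMSP"}))                 # one signer
print(evaluate(two_orgs, "Admins", {"OrdererMSP", "Orderer1MSP"}))  # both
```

A config update is authorized against the configuration in force before the update, so the first update (adding the organization) is checked with one orderer organization and the later OrdererAddresses update with two.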

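    I followed the above sequence of steps to add a new orderer organization to an existing network, but the channel update (i.e. the config change updating the orderer channel) throws an error, as shown below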

        2020-09-29 00:53:49.794 UTC [channelCmd] InitCmdFactory -> INFO 001 Endorser and orderer connections initialized
    Error: got unexpected status: BAD_REQUEST -- error applying config update to existing channel 'e2e-orderer-syschan': error authorizing update: error validating DeltaSet: policy for [Value]  /Channel/OrdererAddresses not satisfied: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Admins' sub-policies to be satisfied
    
    
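    I modified the JSON block using the settings below (tried mix/match combinations of the JSON change steps below)

    My network setup is based on HLF 2.2 LTS, with 5 raft nodes under a K8s cluster

    I have successfully set up multi-channel, multi-peer-org on 2.2 LTS (I know how to do this dynamically without bringing up any network). But now I am looking for a way to dynamically extend orderer organizations to multiple clusters/organizations. Do the steps above need any hints or updates? Thanks again
    Mariya

    Hi @RaspiRepo, I suggest you post a new question; you can add a link to this question/answer as a reference. When doing so, please also add the environment variables you have configured for sending the channel update request. For example, what is CORE_PEER_MSPCONFIGPATH, etc.

    I have created a new question here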
    jq -s '.[0] * {"channel_group":{"groups":{"Application":{"groups": {"'${KL_NEW_ORDERER_NAME}'":.[1]}}}}}' config.json ${KL_NEW_ORDERER_NAME}.json > modified-config.json 
    jq -s '.[0] * {"channel_group":{"groups":{"Orderer":{"groups": {"'${KL_NEW_ORDERER_NAME}'":.[1]}}}}}' modified-config.json ${KL_NEW_ORDERER_NAME}.json > modified-config1.json 
    
    jq -s '.[0] * {"channel_group":{"groups":{"Consortiums":{"groups":{"'${KL_CONSORTIUM_NAME}'":{"groups": {"Orderermk01MSP":.[1]}}}}}}}' modified-config1.json  ${KL_NEW_ORDERER_NAME}.json > modified-config2.json 
    
    LENGTH=$(jq '.channel_group.values.OrdererAddresses.value.addresses | length' modified-config2.json)
    jq '.channel_group.values.OrdererAddresses.value.addresses['${LENGTH}'] |= "'${KL_NEW_ORDERER_URL}'"' modified-config2.json > modified-config3.json
    
    cert=`base64 /hl-material/mk01-orderer/crypto-config/ordererOrganizations/${KL_DOMAIN}/orderers/orderer.mk01.${KL_DOMAIN}/tls/server.crt | sed ':a;N;$!ba;s/\n//g'`
    cat modified-config3.json | jq '.channel_group.groups.Orderer.values.ConsensusType.value.metadata.consenters += [{"client_tls_cert": "'$cert'", "host": "raft0.mk01.'${KL_DOMAIN}'", "port": 32050, "server_tls_cert": "'$cert'"}] ' > modified-config4.json