I'm trying to upgrade my Hyperledger Fabric network from v1.4.7 to v2.1. Upgrading peers and orderers is done smoothly and already instantiated chaincodes work well. (Channel capabilities still remain at v1.x.) However, when I try to upgrade to the new version of my chaincode, it keeps failing.
In v1.4.7, I built a server to install/instantiate/upgrade a chaincode using Fabric SDK v1.4.x. However, I found that all APIs related to installing/instantiating/upgrading a chaincode had been removed from Fabric SDK v2.1. So, as the doc said, I tried to upgrade a chaincode using peer CLI.
First, I packaged my chaincode using peer lifecycle chaincode ... command. At this time, I set FABRIC_CFG_PATH to a core.yaml in fabric-samples folder (I don't understand why I do this for only packaging a chaincode, but anyway I did what the doc said). And I set CORE_PEER_MSPCONFIGPATH to my admin user msp folder.
After I got my chaincode package, I connect to my first peer, peer0.identity.bpl, using docker exec -it peer0.identity.bpl /bin/sh command. My docker container doesn't open the port outside in the production mode, so I need to connect the container inside.
Then, I typed the following command and I got the error message:
```
/artifacts # peer lifecycle chaincode install identity_cc_v1.2.0.tar.gz
Error: chaincode install failed with status: 500 - Failed to authorize invocation due to failed ACL check: Failed verifying that proposal's creator satisfies local MSP principal during channelless check policy with policy [Admins]: [The identity is not an admin under this MSP [BPLMSP]: The identity does not contain OU [ADMIN], MSP: [BPLMSP]]
```
So, I think I need some 'admin' identity, so I copied my admin msp folder to this peer. Then, I set CORE_PEER_MSPCONFIGPATH to this copied admin msp folder. Then I got:
```
/artifacts # export CORE_PEER_MSPCONFIGPATH=/artifacts/org-admin/msp
/artifacts # peer lifecycle chaincode install identity_cc_v1.2.0.tar.gz
2020-05-26 07:21:47.020 UTC [main] InitCmd -> ERRO 001 Cannot run peer because error when setting up MSP of type bccsp from directory /artifacts/org-admin/msp: administrators must be declared when no admin ou classification is set
```
Now, I thought that maybe the OU setting had some problem. So, I disabled OU setting from the config.yaml file. But, I got the same error message again.
So, I changed CORE_PEER_MSPCONFIGPATH setting to original setting again, but now it said this is not an admin identity.
```
/artifacts # export CORE_PEER_MSPCONFIGPATH=/artifacts/msp
/artifacts # peer lifecycle chaincode install identity_cc_v1.2.0.tar.gz
Error: chaincode install failed with status: 500 - Failed to authorize invocation due to failed ACL check: Failed verifying that proposal's creator satisfies local MSP principal during channelless check policy with policy [Admins]: [This identity is not an admin]
```
I understand. This identity is just a peer identity, not an admin identity. So, I tried to enroll admin in this peer, but this fabric-peer docker image doesn't contain fabric-ca-client binary. So, I thought I did something wrong and this is not the intended way.
At this point, how can I install and instantiate the new version of my chaincode?
After I set OU config to admin msp that is copied to peer, every problem has been solved and installing/committing a chaincode works well.
I'm working with hyperledger fabric on the IBM Blockchain Platform service. I've been able to test chain codes with no problems, however, after the last update, I started to get the error required chain codes are not installed on sufficient peers that looks simple but the problem is that the chaincode is in fact installed in all peers.
Log for Peer1
```
2021-10-28 20:12:53.535 UTC [lifecycle] CheckCommitReadiness -> INFO 111c Successfully
checked commit readiness of chaincode name 'test-cc' on channel 'testchannel2' with
definition {sequence: 5, endorsement info: (version: '0.0.9', plugin: 'escc', init
required: false), validation info: (plugin: 'vscc', policy:
'12202f4368616e6e656c2f4170706c69636174696f6e2f456e646f7273656d656e74'), collections: ()}
```
Log for Peer2
```
2021-10-28 20:12:25.575 UTC [lifecycle] CheckCommitReadiness -> INFO 7bf1 Successfully
checked commit readiness of chaincode name 'test-cc' on channel 'testchannel2' with
definition {sequence: 5, endorsement info: (version: '0.0.9', plugin: 'escc', init
required: false), validation info: (plugin: 'vscc', policy:
'12202f4368616e6e656c2f4170706c69636174696f6e2f456e646f7273656d656e74'), collections: ()}
```
However, when I execute the newly committed chaincode, I get:
```
2021-10-28 20:20:00.004 UTC [discovery] chaincodeQuery -> ERRO 1126 Failed constructing
descriptor for chaincode chaincodes:<name:"test-cc" > ,: required chaincodes are not
installed on sufficient peers
```
Any ideas?
CheckCommitReadiness only checks if the chaincode definition has been approved. It does not check if the chaincode has actually been installed on the peers. Use queryinstalled for that. If you find that the chaincode is indeed installed on each peer, then the next thing to check is that the discovery service can see each of the peers where the chaincode is installed. To check that, look in the peer logs for the "Membership view" messages. If the "Membership view" is incomplete, then it is likely a gossip configuration issue across the peers.
The problem was related to how I was deploying the CC. IBM Blockchain platform has a way to install CC on peer copying from another, simply uploading the CC again (for each peer). I tried again using the "copy from another" peer method and it worked. So, perhaps I was choosing a different version when uploading from my laptop.
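The check suggested in the answers above, as an added example that is not part of the original posts: Fabric v2 lifecycle identifies an installed package as `<label>:<SHA-256 of the package file>`, so the same chaincode uploaded from two different package files ends up installed under two different package IDs. The code compares each peer's `peer lifecycle chaincode queryinstalled --output json` result against the package ID that was approved; the label `test-cc_0.0.9`, the peer names and the package contents are constructed sample data.

```python
import hashlib
import io
import json
import tarfile

def build_package(label, code):
    """Constructed stand-in for `peer lifecycle chaincode package` output."""
    meta = json.dumps({"path": "example/cc", "type": "golang", "label": label}).encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in (("metadata.json", meta), ("code.tar.gz", code)):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def package_id(pkg_bytes):
    """Label from metadata.json plus SHA-256 of the whole package file."""
    with tarfile.open(fileobj=io.BytesIO(pkg_bytes), mode="r:gz") as tar:
        label = json.load(tar.extractfile("metadata.json"))["label"]
    return f"{label}:{hashlib.sha256(pkg_bytes).hexdigest()}"

def peers_missing_package(approved_id, queryinstalled_by_peer):
    """Map each peer lacking approved_id to the same-label IDs it has instead."""
    label = approved_id.split(":", 1)[0]
    problems = {}
    for peer, raw in queryinstalled_by_peer.items():
        installed = json.loads(raw).get("installed_chaincodes") or []
        ids = [cc["package_id"] for cc in installed]
        if approved_id not in ids:
            problems[peer] = [i for i in ids if i.split(":", 1)[0] == label]
    return problems

# Constructed sample: same label, two different uploads of the package.
PKG_A = build_package("test-cc_0.0.9", b"upload from peer1 copy")
PKG_B = build_package("test-cc_0.0.9", b"upload from laptop")
SAMPLE = {
    peer: json.dumps({"installed_chaincodes": [
        {"package_id": package_id(pkg), "label": "test-cc_0.0.9"}]})
    for peer, pkg in (("peer1", PKG_A), ("peer2", PKG_B))
}

if __name__ == "__main__":
    for peer, found in peers_missing_package(package_id(PKG_A), SAMPLE).items():
        print(f"{peer}: approved package not installed; has {found}")
```

A peer reported here has a package with the right label but a different hash, which matches the symptom of a chaincode that appears installed everywhere yet is not counted by discovery.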
We are able to update peer and orderer components to the latest version, but while updating the channel capabilities to fetch the config block, peers are not able to connect with the orderer.
```
Error: could not not connect to ordering service:could not dial endpoint:dial tcp:lookup orderer.example.com on 192.168.0.1:53 :no such host channel=mychannel
```
peer logs
You'll need to back up the msp and tls folders and load them in your upgraded containers!
The official documentation mentions that you need to back up the msp, but they don't do it.
I have created a sample HLF network with 3 organizations. I have taken an orderer and a peer from each organization ( total 3 orderers, 3 peers, 3 fabric-CA, 3 CouchDB instances).
I have successfully created the certificates, system channel, channel configuration, application channel and also successfully deployed the chaincode on each peer.
I am able to invoke/query any chaincode using peer binary in docker cli but not able to invoke/query the same chaincode through fabric Node SDK.
I have created the connection profile as per the template provided in the test network and also able to register any user for a specific organization. But whenever I am trying to query any chaincode function I am getting the below error:
```
[ServiceEndpoint]: Error: Failed to connect before the deadline on
Committer- name: orderer.example.com:7050, url:grpcs://localhost:7050,
connected:false, connectAttempted:true [ServiceEndpoint]: waitForReady
Failed to connect to remote gRPC server orderer.example.com:7050 url:grpcs://localhost:7050 timeout:3000
```
When I check the orderer logs I found this error:
```
ServerHandshake -> ERRO 087 Server TLS handshake failed in 2.085859ms
with error EOF server=Orderer remoteaddress=172.23.0.1:45678
```
**Why am I getting this error?
I am trying to just query, so why is it connecting to the orderer?
If there is any TLS issue, then why am I able to query it through the peer binary?**
This link might help: Hyperledger Fabric CA releasing wrong certificates (wrong issuer) to Node SDK when TLS enabled
If you are not running as a test network on your local machine, then you will need to specify the connection option of `discovery.asLocalhost` as false.
I first generate crypto materials using cryptogen and then start, for example, org1 CA server like so:
```
fabric-ca-server start --ca.certfile $(ls crypto-config/peerOrganizations/org1/ca/*.pem) --ca.keyfile $(ls crypto-config/peerOrganizations/org1/ca/*_sk) -d -b admin:adminpw --port 7054
```
From NodeJS SDK I can enroll admin and register (and enroll) new users. But when I try to access Fabric network with these new user credentials or even admin credentials, I get the below error on SDK console:
```
root@peer0:/var/hyperledger/api# ts-node src/invoke.ts
Wallet path: /var/hyperledger/api/wallet
2019-10-08T13:32:17.819Z - warn: [DiscoveryEndorsementHandler]: _build_endorse_group_member >> G0:0 - endorsement failed - Error: 2 UNKNOWN: access denied: channel [private-channel] creator org [Org1MSP]
2019-10-08T13:32:17.826Z - warn: [DiscoveryEndorsementHandler]: _build_endorse_group_member >> G0:0 - endorsement failed - Error: 2 UNKNOWN: access denied: channel [private-channel] creator org [Org1MSP]
2019-10-08T13:32:17.833Z - warn: [DiscoveryEndorsementHandler]: _build_endorse_group_member >> G1:0 - endorsement failed - Error: 2 UNKNOWN: access denied: channel [private-channel] creator org [Org1MSP]
2019-10-08T13:32:17.841Z - warn: [DiscoveryEndorsementHandler]: _build_endorse_group_member >> G1:0 - endorsement failed - Error: 2 UNKNOWN: access denied: channel [private-channel] creator org [Org1MSP]
Failed to submit transaction: Error: Endorsement has failed
```
peer log says:
```
MSP error: the supplied identity is not valid: x509: certificate signed by unknown authority.
```
I'm using exactly the same credentials in peer CLI container and SDK. I can do all chaincode operations from CLI, but why peers don't accept connection from SDK?
Does FABRIC_CA_SERVER_CA_NAME has anything to do with it? Does cryptogen also create a FABRIC_CA_SERVER_CA_NAME for the CA server? If so, are peer credentials associated with the CA name? In NodeJS SDK, I tried caName=ca-org1 as well as caName=ca.org1, but still getting same error.
I ran into this (or something very similar) and managed to resolve it. The issue for me was incorrect paths to my .pem and private key files in the fabric-ca-server start command.
If the paths are incorrect, when the CA container starts it will be unable to locate your files (generated by cryptogen) so will generate its own.
The enroll and register scripts generate identities based on your cryptogen material, which is correct, but they're not the certs your CA has decided to generate for you.
To check if this is what's happening, have a look at the CA logs:
```
docker logs <your ca container>
```
Near the top where the server starts up, look for messages referring to missing keys, or messages about generating files.
Hope that helps.
I am looking at the fabric-samples.git. There is a folder called fabric-samples/basic-network. I have a few questions about it.
Here is a script called init.sh. What is it intended to do?
After using `./generate.sh`, `./start.sh` to provision a basic network, I am unable to use the CLI to query chaincode.
This is due to not having permissions. I expected that the peer would automatically have permissions to do this.
```
docker exec -it peer0.org1.example.com bash
root@b67973bdc00c:/opt/gopath/src/github.com/hyperledger/fabric# peer chaincode list --installed -C mychannel
Error: Error endorsing chaincode: rpc error: code = Unknown desc =
chaincode error (status: 500, message: Authorization for
GETINSTALLEDCHAINCODES on channel getinstalledchaincodes has been
denied with error Failed verifying that proposal's creator satisfies
local MSP principal during channelless check policy with policy
[Admins]: [This identity is not an admin])
```
I expected that root user of the container was an admin because of the contents of:
config/Org1MSPanchors.tx
What am I missing here?
When you query a peer using cli, you need to set certain environment variables first.
```
# Environment variables for PEER0 (exported so the peer CLI process sees them)
export CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp
export CORE_PEER_LOCALMSPID="Org1MSP"
export CORE_PEER_TLS_ROOTCERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt
export CORE_PEER_ADDRESS=peer0.org1.example.com:7051
```
After that try querying the peer for chaincode list