Can I use `peer channel fetch config` with only orderer nodes, no peer nodes? - hyperledger-fabric

I've brought up an etcdraft-based orderer cluster with 3 nodes, and no peer nodes are deployed for now. Now I want to modify the orderer cluster, like removing or adding members. Instructions I've found require first fetching the current config with the 'peer channel fetch config' command.
My question is how I can fetch the current system channel config with the 'peer channel fetch config' command before/without any peer up and running, or whether there is any other way to achieve this.
Fabric version: 1.4.4

You need to invoke it against an orderer since you also need to do this for the system channel, and peers don't have the system channel in them.
Use something like:
peer channel fetch config mychannel.block -c mychannel --orderer orderer.example.com:7050 --cafile ca.crt

Related

In Hyperledger Fabric v2.1, in the test-network repo sample - Error in channel creation

I'm trying to create a channel from the test-network sample of Hyperledger Fabric v2.1. I have installed all the latest Fabric binaries and Docker images. The channel-artifacts, 2 peers and an ordering node were successfully created.
However, the command ./network.sh createChannel gives the following error.
Error: failed to create deliver client for orderer: failed to load config for OrdererClient: unable to load orderer.tls.rootcert.file: open /home/fabric/HLF/fabric-sample: no such file or directory
!!!!!!!!!!!!!!! Channel creation failed !!!!!!!!!!!!!!!!
I believe CreateChannel is roughly 5 steps.
1. Generate a CreateChannel transaction
2. Generate an Anchor peer transaction
3. Create the channel with the genesis block
4. Join the peers to the channel and
5. Update one peer in each organization to Anchor peer.
Any chance you can share the output of ./network.sh createChannel? I'd like to see how far you got before you ran into this error.
I was able to solve this issue by removing the spaces from the name of the parent directory in which the "fabric-samples" repo was installed. The final output was:
2020-05-14 16:56:04.064 IST [channelCmd] InitCmdFactory -> INFO 001 Endorser and orderer connections initialized
2020-05-14 16:56:04.130 IST [channelCmd] update -> INFO 002 Successfully submitted channel update
===================== Anchor peers updated for org 'Org2MSP' on channel 'mychannel' =====================
========= Channel successfully joined ===========
In my opinion, the problem is with the directory fabric-samples. Kindly re-download the binaries and try again.
Download using curl via:
curl -sSL https://raw.githubusercontent.com/hyperledger/fabric/release-2.1/scripts/bootstrap.sh | bash -s -- 2.1.0 1.5.2
Hope this helps, otherwise see the directory structures and path exports.

How to define peer is endorsing peer or Anchor peer

I have a doubt about creating the peer: where do I configure whether a peer is an endorser or an anchor? Let's say, after defining a peer of any type, is it possible to update the peer type, from endorser to anchor and vice versa?
Only peers with chaincode installed can act as an endorser. In order to make a node an endorser, install the chaincode; otherwise it'll be a simple verify node.
For anchor peers you need to provide them in the channel definition.
Example:
peer channel update -o orderer.example.com:7050 -c $CHANNEL_NAME -f ./channel-artifacts/Org1MSPanchors.tx --tls --cafile tlsca.example.com-cert.pem
Fabric provides three types of peer:
endorser, anchor and simple peer (verify).
Endorser peer: a peer on which chaincode is installed is called an endorser peer. This peer is used to execute the smart contract and return the result to the client application. The client app selects the result that is returned the same from most endorsers.
Anchor peer: this peer is used when a peer from one org needs to communicate with another org.
For example:
org1 needs to communicate with org2. Now communication will be done between the anchor peers of org1 and org2.
As you asked in the comment, a peer can act as anchor or endorser peer at the same time. Example: you can find it in the byfn example, where peer0.org1.example.com is anchor as well as endorser.

Endorsement policy in Hyperledger Fabric

I am using Hyperledger Fabric version 1.2. I have created a channel with 1 orderer and 10 peer nodes, all belonging to the same organisation. I want to instantiate the chaincode with the endorsement policy such that all the peers of ORG1 are the endorsing peer, not just 1. What is the valid expression for the same?
Currently using the following policy:
docker exec -e "CORE_PEER_ADDRESS=peer0.org1.example.com:7051" cli peer chaincode instantiate -o orderer.example.com:7050 -C mychannel -n chainname -v 1.0 -c '{"Args":[""]}' -P "AND('Org1MSP.member')"
Fabric documentation contains examples of including peers from different organisations.
This can be achieved while invoking the chaincode. You have to pass the peer addresses of all the peer nodes that you want to act as endorsing peers:
peer chaincode invoke -o orderer0.abc.com:7050 -C abcchannel -n fabcar --peerAddresses peer0.org1.example.com:7051 --peerAddresses peer1.org1.example.com:7051 -c '{"Args":["initLedger"]}'
Unfortunately, there is no valid command for that. You can follow one of two approaches if you want to achieve this:
Write your own custom endorsement logic as a plugin. This method is a little cumbersome, and you can follow this link if you want to do that: Pluggable endorsement and validation logic
Or, you can have an alternate solution by creating 10 Orgs with 1 peer each and defining the endorsement policy you want through the command as:
-P "OutOf(10, 'Org1.peer', 'Org2.peer', ...., 'Org10.peer')"
But having all the peers as endorsing peers is never a good idea, as if a peer goes down, you will have to face serious problems as no transaction will be committed.

Hyperledger Fabric: Do we need to pass TLS cert/key files while joining channel?

I have a multi-org Fabric network up and running from different hosts.
The docker containers for the peers have TLS enabled. The build configuration of the peer:
- CORE_PEER_TLS_ENABLED=true
- CORE_PEER_TLS_CERT_FILE=/etc/hyperledger/fabric/tls/server.crt
- CORE_PEER_TLS_KEY_FILE=/etc/hyperledger/fabric/tls/server.key
- CORE_PEER_TLS_ROOTCERT_FILE=/etc/hyperledger/fabric/tls/ca.crt
While creating and joining the channel I followed byfn docs and did not supply the TLS cert/file of the peer while joining the channel. All the peers were able to join the channel.
However, when I tried to fetch the newest block using peer channel fetch newest -o orderer.example.com:7050 -c examplechannel, I got the error:
Serve failed to complete security handshake from "ip:43402": tls: first record does not look like a TLS handshake
Further, I referred to this doc on TLS and this doc on passing TLS certs of the peer with the above fetch command:
peer channel fetch newest -o orderer.example.com:7050 -c examplechannel --tls --certfile $CORE_PEER_TLS_CERT_FILE --keyfile $CORE_PEER_TLS_KEY_FILE --cafile $CORE_PEER_TLS_ROOTCERT_FILE
This gave a new error:
grpc: Server.Serve failed to complete security handshake from "ip:43496": remote error: tls: bad certificate
The Debugging TLS issues doc states that this happens when the server does not trust the client certificate. So in my case, I infer that the orderer is not trusting the certificate that the peer is passing.
So:
1. Does it mean that I was supposed to pass TLS_CERT, TLS_KEY and TLS_ROOT cert while proposing a channel join from this peer?
2. If #1 is true, can I pass these certificates without bringing down the network and rejoining the channel with certs?
3. While creating the channel, it uses the orderer's CA cert. Also, when submitting the anchor peer transaction, it uses the orderer's CA cert? So am I supposed to use the orderer's CA cert for the peer fetch command as well?
4. If #3 is true, then in a production environment, do we need to build the peer containers such that they contain the orderer's CA cert?
There are multiple concepts baked into your questions. It's important to understand that there is a difference between using the peer to run a peer node (peer node start) and using the peer as a CLI (e.g. peer channel fetch).
When the peer is running as a server, there's no need to pass in crypto material for the channels, as the peer actually extracts the required TLS certificate information from the config block passed in the peer channel join ... command.
When the peer is running in CLI mode, you do need to provide the TLS certificate information to connect to the various endpoints. When communicating with peers, this information is extracted from the peer config (either in core.yaml or from the corresponding CORE_ environment variables). When communicating with the orderer, there are specific command line flags for setting the TLS material.
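
An offline check of the trust relationships behind the handshake errors in this thread, as an added example that is not part of the original posts. It builds two throwaway CAs with openssl (constructed stand-ins for the orderer org's and the peer org's TLS CAs; every file name and the single-CA trust store are assumptions) and shows which certificate verifies against which root, which is what decides whether a given `--cafile` or client certificate can work.

```shell
#!/usr/bin/env bash
# Added example: throwaway CAs built with openssl; all names are constructed
# stand-ins, not real Fabric crypto material.
set -u
WORK=$(mktemp -d)

# Minimal config so the CA certs carry basicConstraints CA:TRUE on any openssl.
printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3_ca' \
  '[dn]' '[v3_ca]' 'basicConstraints=critical,CA:TRUE' > "$WORK/ca.cnf"

# new_key NAME: generate a P-256 ECDSA private key.
new_key() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$1.key" 2>/dev/null
}

# make_ca NAME: self-signed TLS CA certificate.
make_ca() {
  new_key "$1"
  openssl req -x509 -new -key "$WORK/$1.key" -config "$WORK/ca.cnf" \
    -subj "/CN=$1" -days 1 -out "$WORK/$1.crt" 2>/dev/null
}

# issue CA NAME: leaf certificate NAME signed by CA.
issue() {
  new_key "$2"
  openssl req -new -key "$WORK/$2.key" -config "$WORK/ca.cnf" \
    -subj "/CN=$2" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 1 -out "$WORK/$2.crt" 2>/dev/null
}

# chains_to CAFILE CERT: succeeds only if CERT verifies against CAFILE.
chains_to() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# check LABEL CAFILE CERT: print the verdict for one trust decision.
check() {
  if chains_to "$WORK/$2.crt" "$WORK/$3.crt"; then echo "$1: verifies"
  else echo "$1: does NOT verify, the TLS handshake would be rejected"; fi
}

make_ca tlsca.orderer-org; make_ca tlsca.peer-org
issue tlsca.orderer-org orderer.example.com
issue tlsca.peer-org peer0.org1.example.com

# CLI side: which root can be passed as --cafile to trust the orderer?
check "--cafile = orderer org CA" tlsca.orderer-org orderer.example.com
check "--cafile = peer org CA"    tlsca.peer-org    orderer.example.com
# Server side, assuming a trust store that holds only the orderer org's CA:
check "peer cert as client cert"  tlsca.orderer-org peer0.org1.example.com
```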

How to connect to another computer's channel in hyperledger fabric

How do I join members on a channel configured on another computer?
On one computer, I joined the channel through the consortium definition and authentication process.
I do not know how to access channel B of B computer from Peer of computer A. I would be grateful if you could give me specific instructions on how to access the channel from another computer.
Computer A: Once you create the channel, you have the genesis block. You need the genesis block to join the channel.
Computer B: When you have the genesis block, you should execute the following commands:
peer channel join -b mychannel.block
peer channel update -o orderer.example.com:7050 -c $CHANNEL_NAME -f ./channel-artifacts/Org1MSPanchors.tx --tls --cafile tlsca.example.com-cert.pem
In the channel configuration you should define both peers.
