Error when invoking chaincode: signature set did not satisfy policy - hyperledger-fabric

I have a little network up in Hyperledger Fabric 1.4 which is very similar to the basic-network from the examples.
It has:
One orderer organization with orderer peer
One Hospital organization with two peers.
A single channel on which the peers of the hospital are.
I tried to write a very simple demo smart contract/chaincode and have it invoked.
(The smart contract is called bananascc)
Running from the docker container cli /bin/bash associated to a peer0.hospital1.health.com peer, I successfully install and instantiate:
peer chaincode install -n bananascc -v 1.0 -l node -p /opt/gopath/src/github.com/chaincode/chaincode_bananas/node
peer chaincode instantiate -o orderer.health.com:7050 --tls --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/health.com/orderers/orderer.health.com/msp/tlscacerts/tlsca.health.com-cert.pem -C hospital1channel -n bananascc -l node -v 1.0 -c '{"Args":["init","edo","100"]}' -P "OR ('Hospital1MSP.admin', 'Hospital1MSP.peer' )"
With policy -P "OR ('Hospital1MSP.admin', 'Hospital1MSP.peer' )"
But when I try to invoke the chaincode, the transaction is sent successfully but the operation is not executed, as I get a
peer0.hospital1.health.com | 2019-03-06 10:36:44.525 UTC [vscc] Validate -> ERRO 07e VSCC error: stateBasedValidator.Validate failed, err validation of endorsement policy for chaincode bananascc in tx 6:0 failed: signature set did not satisfy policy
peer0.hospital1.health.com | 2019-03-06 10:36:44.525 UTC [committer.txvalidator] validateTx -> ERRO 07f VSCCValidateTx for transaction txId = d6726e0b2daf11d0e3ef24e86fa0e7a5530f2d98dcc4ad1f0d266ca642be1ee3 returned error: validation of endorsement policy for chaincode bananascc in tx 6:0 failed: signature set did not satisfy policy
I reckon that the transaction has to be evaluated against a valid signature set, but I can't understand where I can specify this, or why it should be wrong according to VSCC.
I'd be very happy if anyone could help me figure it out. I have already looked broadly for an answer, but I haven't found one.
Let me know if you need other information on the issue.
Thank you very much.

The problem is probably caused by the order of instantiating the policies.
Can you simply swap the declaration to:
peer chaincode instantiate -o orderer.health.com:7050 --tls --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/health.com/orderers/orderer.health.com/msp/tlscacerts/tlsca.health.com-cert.pem -C hospital1channel -n bananascc -l node -v 1.0 -c '{"Args":["init","edo","100"]}' -P "OR ('Hospital1MSP.peer','Hospital1MSP.admin')"
To avoid this pitfall, identities should be specified from most privileged to least privileged in the policy identities specification, and signatures should be ordered from least privileged to most privileged in the signature set.
Read here: https://hyperledger-fabric.readthedocs.io/en/release-1.4/policies.html

If there is only one organization, the need for a policy does not make sense (it is only used between organizations), so I removed it and it worked!
My code line:
peer chaincode instantiate -o orderer.orgX.com:7050 --tls $CORE_PEER_TLS_ENABLED --cafile $ORDERER_CA -C $CHANNEL_NAME -n mycc -l ${LANGUAGE} -v 1.0 -c '{"Args":["init","a","100","b","200"]}' >&log.txt
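The question notes that the invoke is "sent successfully" while the rejection only shows up in the committing peer's log. The following is an added example, not part of the original posts, that pulls those commit-time rejections out of peer log lines and groups them by txId. The first two sample lines are the ones quoted in the question, the peer1 line is constructed, and reading "6:0" as block:position is an assumption.

```python
import re

# Committer line as quoted in the question (docker-compose prefix + Fabric 1.4 peer log).
TX_LINE = re.compile(
    r"^(?P<peer>\S+)\s+\|\s+(?P<time>\S+ \S+) UTC \[committer\.txvalidator\] "
    r"validateTx -> ERRO \w+ VSCCValidateTx for transaction txId = (?P<txid>[0-9a-f]+) "
    r"returned error: (?P<error>.+)$")
# The error text names the chaincode and a number pair, read here as block:position.
CC_REF = re.compile(
    r"for chaincode (?P<chaincode>\S+) in tx (?P<block>\d+):(?P<pos>\d+) failed: (?P<reason>.+)$")

def rejected_transactions(lines):
    """Group commit-time rejections by txId and list each peer that reported them."""
    found = {}
    for line in lines:
        m = TX_LINE.match(line.strip())
        if not m:
            continue  # e.g. the [vscc] line, which carries no txId
        entry = found.setdefault(m["txid"], {"peers": [], "first_seen": m["time"]})
        if m["peer"] not in entry["peers"]:
            entry["peers"].append(m["peer"])
        ref = CC_REF.search(m["error"])
        if ref:
            entry.update(chaincode=ref["chaincode"], block=int(ref["block"]),
                         position=int(ref["pos"]), reason=ref["reason"])
        else:
            entry.setdefault("reason", m["error"])
    return found

TXID = "d6726e0b2daf11d0e3ef24e86fa0e7a5530f2d98dcc4ad1f0d266ca642be1ee3"
ERR = ("validation of endorsement policy for chaincode bananascc in tx 6:0 failed: "
       "signature set did not satisfy policy")
SAMPLE = [  # first two lines are from the question; the peer1 line is constructed
    "peer0.hospital1.health.com | 2019-03-06 10:36:44.525 UTC [vscc] Validate -> ERRO 07e "
    "VSCC error: stateBasedValidator.Validate failed, err " + ERR,
    "peer0.hospital1.health.com | 2019-03-06 10:36:44.525 UTC [committer.txvalidator] "
    "validateTx -> ERRO 07f VSCCValidateTx for transaction txId = " + TXID
    + " returned error: " + ERR,
    "peer1.hospital1.health.com | 2019-03-06 10:36:44.531 UTC [committer.txvalidator] "
    "validateTx -> ERRO 081 VSCCValidateTx for transaction txId = " + TXID
    + " returned error: " + ERR,
]

if __name__ == "__main__":
    for txid, info in rejected_transactions(SAMPLE).items():
        print(txid[:12], info["chaincode"], info["block"], info["position"],
              info["peers"], info["reason"])
```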

Related

What is the meaning of “peer chaincode install -p" in Hyperledger Fabric?

I passed "first-network", no problem.
In CLI:/opt/gopath/src/github.com/hyperledger/fabric/peer:, execute these commands:
peer chaincode install -n mycc -v 1.0 -p github.com/chaincode/chaincode_example02/go/
peer chaincode instantiate -o orderer.example.com:7050 --tls true --cafile $ORDERER_CA -C mychannel -n mycc -v 1.0 -c '{"Args":["init","a","100","b","200"]}' -P "AND('Org1MSP.peer','Org2MSP.peer')"
peer chaincode query -C mychannel -n mycc -c '{"Args":["query","a"]}'
peer chaincode invoke -o orderer.example.com:7050 --tls true --cafile $ORDERER_CA -C mychannel -n mycc -c '{"Args":["invoke","a","b","10"]}' --peerAddresses peer0.org2.example.com:7051 --tlsRootCertFiles /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/ca.crt --peerAddresses peer0.org1.example.com:7051 --tlsRootCertFiles /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt
There is no problem. But when I execute these commands in the peer subdirectory /opt/gopath/src/github.com/hyperledger/fabric/peer/scripts, install, instantiate and query succeed, but invoke returns an error:
Error: endorsement failure during invoke. response: status:500 message:"cannot retrieve package for chaincode mycc/1.0, error open /var/hyperledger/production/chaincodes/mycc.1.0: no such file or directory".
This happens when the CLI connects to peer0.org1, but I find this file at peer0.org1:
I replaced the peer node through the CLI, and the same problem occurred under the same path.
The problem may arise from the path specified by chaincode install -p. The official document says that this is a path relative to $GOPATH/src, so I feel that this path should have nothing to do with the current directory.
After searching, I found two similar problems, but the reasons are completely different and cannot be used for reference. Therefore, I can only raise new problems and hope to find solutions.
two similar problems:
Install a different version of chaincode (Hyperledger fabic)
Hyperledger Fabric - How to limit Org2 to install/instantiate/upgrade the chaincode to the channel?
version: Fabric1.4.4, Ubuntu18.04
structure: one orderer, four peers, distributed on five machines; there is no problem with normal transactions

Endorsement policy in Hyperledger Fabric

I am using Hyperledger Fabric version 1.2. I have created a channel with 1 orderer and 10 peer nodes, all belonging to the same organisation. I want to instantiate the chaincode with the endorsement policy such that all the peers of ORG1 are the endorsing peer, not just 1. What is the valid expression for the same?
Currently using the following policy:
docker exec -e "CORE_PEER_ADDRESS=peer0.org1.example.com:7051" cli peer chaincode instantiate -o orderer.example.com:7050 -C mychannel -n chainname -v 1.0 -c '{"Args":[""]}' -P "AND('Org1MSP.member')"
Fabric documentation contains examples of including peers from different organisations.
This can be achieved while invoking the chaincode. You have to pass the peer addresses of all the peer nodes that you want to act as endorsing peers:
peer chaincode invoke -o orderer0.abc.com:7050 -C abcchannel -n fabcar --peerAddresses peer0.org1.example.com:7051 --peerAddresses peer1.org1.example.com:7051 -c '{"Args":["initLedger"]}'
Unfortunately, there is no valid command for that. You can follow two steps if you want to achieve this:
Write your own custom endorsement logic as a plugin. This method is a little cumbersome, and you can follow this link if you want to do that: Pluggable endorsement and validation logic
Or, you can have an alternate solution by creating 10 Orgs with 1 peer each and define the endorsement policy through the command that you want as:
-P "OutOf(10, 'Org1.peer', 'Org2.peer', ...., 'Org10.peer')"
But having all the peers as endorsing peers is never a good idea: if a peer goes down, you will face serious problems, as no transaction will be committed.

Modify existing endorsement policy (Hyperledger Fabric)

I initially had 2 organizations in my Hyperledger Fabric blockchain network. Recently I added one more organization on a different host using swarm. When I try to invoke chaincode from the 1st or 2nd organization, it works fine and I can see the updated transaction from org3. But when I invoke a transaction from org3, I get the following error:
"[2019-02-06 06:44:21.895] [ERROR] invoke - The transaction was invalid, code = ENDORSEMENT_POLICY_FAILURE"
Initially, chaincode was initiated using the following policy.
-P "OR ('Org1MSP.peer','Org2MSP.peer')"
So I think I will have to update existing endorsement policy to include org3.
Could anyone help to modify existing endorsement policy or to resolve the issue?
The way to upgrade the chaincode is as follows:
Increment the version of ccRequest containing ccPackage
Re-Install the ccRequest on all orgs in the channel.
Ex: peer chaincode install -n mycc -v 2.0 -p github.com/chaincode/chaincode_example02/go/
Create new ccPolicy with correct rules containing required orgs as endorsers.
Upgrade the chaincode by running upgradeCC command
Ex: peer chaincode upgrade -o orderer.example.com:7050 --tls $CORE_PEER_TLS_ENABLED --cafile $ORDERER_CA -C $CHANNEL_NAME -n mycc -v 2.0 -c '{"Args":["init","a","90","b","210"]}' -P "OR ('Org1MSP.peer','Org2MSP.peer','Org3MSP.peer')"
Test with a query on chaincode with peer chaincode query -C $CHANNEL_NAME -n mycc -c '{"Args":["query","a"]}'
For more details, refer to the docs or ask on Rocket.Chat.
Yes, you can do that using peer chaincode upgrade command.
peer chaincode upgrade -o orderer.example.com:7050 --tls --cafile $ORDERER_CA -C mychannel -n mycc -v 1.2 -c '{"Args":["init","a","100","b","200","c","300"]}' -P "AND ('Org1MSP.peer','Org2MSP.peer','Org3MSP.peer')"
Refer to: peer chaincode upgrade

Error invoking chaincode "Error: unknown flag: --peerAddresses" Hyperledger Fabric first-network tutorial

I have been roughly following http://hyperledger-fabric.readthedocs.io/en/latest/build_network.html#troubleshoot to create my first network, and have executed the steps involving installing, instantiating and querying a chaincode. However, I get the following error while invoking the chaincode.
root#5a0be253ef6e:/opt/gopath/src/github.com/hyperledger/fabric/peer# peer chaincode invoke -o orderer.example.com:7050 --tls true --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem -C testhimani123456 -n mycc --peerAddresses peer0.org1.example.com:7051 --tlsRootCertFiles /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt --peerAddresses peer0.org2.example.com:7051 --tlsRootCertFiles /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/ca.crt -c '{"Args":["invoke","a","b","10"]}'
Error: unknown flag: --peerAddresses
Usage:
peer chaincode invoke [flags]
Flags:
-C, --channelID string The channel on which this command should be executed
-c, --ctor string Constructor message for the chaincode in JSON format (default "{}")
-n, --name string Name of the chaincode
Global Flags:
--cafile string Path to file containing PEM-encoded trusted certificate(s) for the ordering endpoint
--certfile string Path to file containing PEM-encoded X509 public key to use for mutual TLS communication with the orderer endpoint
--clientauth Use mutual TLS when communicating with the orderer endpoint
--keyfile string Path to file containing PEM-encoded private key to use for mutual TLS communication with the orderer endpoint
--logging-level string Default logging level and overrides, see core.yaml for full syntax
-o, --orderer string Ordering service endpoint
--ordererTLSHostnameOverride string The hostname override to use when validating the TLS connection to the orderer.
--tls Use TLS when communicating with the orderer endpoint
--transient string Transient map of arguments in JSON encoding
-v, --version Display current version of fabric peer server
I have ignored the part concerning environment variables. I was confused as to where to include it. I tried adding the fields that were absent in the docker-compose-base.yaml file, but it gave me errors while running the docker exec -it cli bash command, saying that there is no container for cli. So I decided to go with the original file, completely ignoring the step.
(finally know how to use this) Actually found the solution thanks to a friend.
The "peer chaincode invoke " doesn't have the flag "peerAddresses". The code given on the Hyperledger fabric tutorial documentation might be outdated or incorrect.
This can be seen in the Reference documentation : https://hyperledger-fabric.readthedocs.io/en/release-1.1/commands/peerchaincode.html
So removing peerAddresses and writing something like this might solve the error.
peer chaincode invoke -o orderer.example.com:7050 --tls --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem -C $CHANNEL_NAME -n mycc -c '{"Args":["invoke","a","b","10"]}'
Problem was resolved by changing chaincode instantiation by changing "and" to "or".
Since I had skipped the environment variables step, default was peer0.org1 (i.e. org1MSP). Nothing was set for org2MSP. Thus it was in no position to award permissions in the first place.
peer chaincode instantiate -o orderer.example.com:7050 --tls --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem -C $CHANNEL_NAME -n mycc -v 1.0 -c '{"Args":["init","a", "100", "b","200"]}' -P "OR ('Org1MSP.peer','Org2MSP.peer')"
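The threads above all turn on whether the set of endorsers satisfies the -P expression: AND with only Org1 endorsing, OR of Org1/Org2 with Org3 endorsing, and the OutOf form. The following is an added example, not Fabric's own code and not part of the original posts: a simplified model that parses such an expression and checks it against a set of (MSP ID, role) endorsers. It assumes signatures are already verified and roles are supplied as input, and it lets one endorsement count toward more than one principal.

```python
import re

TOKEN = re.compile(r"\s*(AND|OR|OutOf|\d+|'[^']+'|[(),])\s*", re.IGNORECASE)

def parse_policy(expr):
    """Parse AND(...), OR(...), OutOf(n, ...) over 'MSPID.role' principals."""
    tokens = TOKEN.findall(expr)
    if "".join(tokens) != re.sub(r"\s+", "", expr):
        raise ValueError("bad policy syntax")  # something was not a token
    try:
        node, rest = parse_node(tokens)
    except IndexError:
        raise ValueError("policy ended early") from None
    if rest:
        raise ValueError("unexpected tokens after policy")
    return node

def parse_node(toks):
    head, toks = toks[0], toks[1:]
    if head.startswith("'"):
        msp, role = head.strip("'").rsplit(".", 1)
        return ("principal", msp, role.lower()), toks
    gate = head.lower()
    if gate not in ("and", "or", "outof") or toks[:1] != ["("]:
        raise ValueError(f"expected AND(, OR( or OutOf( at {head!r}")
    toks, need, children = toks[1:], None, []
    if gate == "outof":                      # OutOf(n, p1, p2, ...)
        need, toks = int(toks[0]), toks[2:]  # skip n and the comma after it
    while True:
        child, toks = parse_node(toks)
        children.append(child)
        sep, toks = toks[0], toks[1:]
        if sep != ",":
            break
    if sep != ")":
        raise ValueError("expected ',' or ')'")
    if need is None:
        need = len(children) if gate == "and" else 1
    return ("n_of", need, children), toks

def satisfied(node, endorsers):
    """endorsers: set of (msp_id, role) whose endorsement signatures verified."""
    if node[0] == "principal":
        _, msp, role = node
        # Assumption of this model: 'member' accepts any role within that MSP.
        return any(m == msp and role in ("member", r) for m, r in endorsers)
    _, need, children = node
    return sum(satisfied(c, endorsers) for c in children) >= need

def verdict(policy, endorsers):
    ok = satisfied(parse_policy(policy), endorsers)
    return "VALID" if ok else "ENDORSEMENT_POLICY_FAILURE"

if __name__ == "__main__":  # the AND policy from the page with only Org1 endorsing
    print(verdict("AND('Org1MSP.peer','Org2MSP.peer')", {("Org1MSP", "peer")}))
```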

Why does peer chaincode instantiate execute many times successfully

I can execute peer chaincode instantiate many times successfully. It should return that it already exists, but it does not. Why?
logs after instantiate command
logs the docker returns
steps:
From my GitHub project chaincode-docker-devmode, I copy msp (peer and orderer use it together), genesis.block, helloch.tx, docker-compose-with-couch.yaml and so on from another place; it should be OK. When I execute:
docker-compose -f docker-compose-with-couch.yaml up
peer, orderer, couchdb0 and cli start, and then cli executes script.sh
#script.sh content
peer channel create -c helloch -f helloch.tx -o orderer:7050
peer channel join -b helloch.block
Then I simulate the cli environment using a terminal at the chaincode-docker-devmode current path with the following:
#cli simulation, $pwd is the chaincode-docker-devmode path
export CORE_VM_ENDPOINT=unix:///var/run/run/docker.sock
export CORE_LOGGING_LEVEL=DEBUG
export CORE_PEER_ID=cli
export CORE_PEER_ADDRESS=127.0.0.1:7051
export CORE_PEER_LOCALMSPID=DEFAULT
export CORE_PEER_MSPCONFIGPATH=$pwd/msp
bash
When I execute peer channel list, it shows I have joined the helloch channel. Then I execute:
peer chaincode install -n hello -v 1.0 -l java -p chaincode/hsl-hsl-user-guide-examples-v14/mytest
peer chaincode instantiate -o 127.0.0.1:7050 -C helloch -n hello -v 1.0 -l java -c "{\"Args\":[\"init\",\"a\", \"100\", \"b\",\"100\"]}"
But I can instantiate many times and the log does not return an error, the same as the instantiate logs above; actually it does not instantiate successfully. Why?
Instantiation of the chaincode is essentially a transaction; therefore it has to be endorsed, ordered and committed to take effect. In your case the peer CLI instantiate command succeeds because the transaction proposal was successfully endorsed and the signed proposal was submitted to the ordering service. However, based on the following log output:
peer | 2017-09-05 01:09:23.650 UTC [ConnProducer] NewConnection -> ERRO 6da Failed connecting to 127.0.0.1:7050 , error: context deadline exceeded
peer | 2017-09-05 01:09:23.650 UTC [deliveryClient] connect -> ERRO 6db Failed obtaining connection: Could not connect to any of the endpoints: [127.0.0.1:7050]
The peer cannot connect to the ordering service endpoint, which in your case is configured to be 127.0.0.1:7050; therefore the instantiate transaction is eventually not committed. Therefore you are able to execute the instantiate command again, since no instantiate transaction record exists on the peer ledger from your previous attempt.
You need to change the ordering service endpoint from 127.0.0.1:7050 to orderer:7050 and retry your experiment. This value is configured inside the configtx.yaml file, e.g.:
Orderer: &OrdererDefaults
    # Orderer Type: The orderer implementation to start
    # Available types are "solo" and "kafka"
    OrdererType: solo
    Addresses:
        - orderer:7050
In my case, this was giving me trouble because I did not give the instantiation process enough time before calling an invoke/query transaction.
Try adding a sleep command between your instantiate and invoke/query transaction:
peer chaincode instantiate -o orderer.example.com:7050 -C mychannel -n fabcar -l "$LANGUAGE" -v 1.0 -c '{"Args":[""]}' -P "OR ('Org1MSP.member','Org2MSP.member')"
# Sleeping to allow time for chaincode to instantiate on peers
sleep 30
peer chaincode invoke -o orderer.example.com:7050 -C mychannel -n fabcar -c '{"function":"initLedger","Args":[""]}'
This only applies in the case that you are running a "startup" script in a CLI container of some sort. In my case, I have script.sh which runs when I first bring the network up.
You can instantiate a chaincode with same name only once.
peer channel create -c helloch -f helloch.tx -o 127.0.0.1:7050
After the above, you can see the helloch.block details with the command
configtxgen --inspectBlock helloch.block
It shows
"OrdererAddresses": {
    "Version": "0",
    "ModPolicy": "/Channel/Orderer/Admins",
    "Value": {
        "addresses": [
            "127.0.0.1:7050"
        ]
    }
},
It seems that the connected orderer address in helloch.block (the channel configuration) comes from genesis.block (which is generated from configtx.yaml).
