I have created Network with two organizations Org1 have two peers and org2 has one peer. After creating crypto-config and genisis block. I turn On the network. The network started successfully after that I have registered users of each organization which also succeed. After that I created a channel and org1 Join the channel successfully and when I join org2 to channel it gives
"Failed to join all peers to channel. cause:Error: Invalid results returned ::FORBIDDEN"" Error.
This is my docker-compose.yaml file
This is my error
and this is an image of logs of peer0.cma.example.com
Related
The use case is:
I created a network with Raft Ordering service having one channel say, channel1 with three Organisations (Org1, Org2 and Org3).
Org1 and Org2 peers have joined the channel channel1.
Org3 is just present in the channel config but not joined the channel yet.
Now I added the new orderer endpoints in the system channel and channel1 config and removed the old orderer endpoints.
My new orderers are working fine, able to fetch the config for both channels.
I fetched the 0 block of channel1 from Org3 peer and issued the join command.
The command works fine, but in the peer I am getting these error:
2022-04-20 05:28:18.210 UTC 006b WARN [peer.blocksprovider] func1 -> Encountered an error reading from deliver stream: EOF channel=channel1 orderer-address=orderer.example.com:7050
2022-04-20 05:28:18.210 UTC 006c WARN [peer.blocksprovider] DeliverBlocks -> Got error while attempting to receive blocks: received bad status SERVICE_UNAVAILABLE from orderer channel=channel1 orderer-address=orderer.example.com:7050
The Org3 peer is still trying to connect with the older orderer endpoints (as they were defined in the 0 block initially).
So how to sort out this problem?
One way I can think is to use the snapshot of the Org1/Org2 peer maybe.
What are your thoughts?
Thanks
I found the solution, so if anyone in the future needs it, can use this answer to join the channel when the orderer endpoints are updated in the channel configuration.
Method 1:
In the peer configuration you can override some of the variables to override the old orderer endpoint with the new orderer endpoints.
The link to the config file and params is:
https://github.com/hyperledger/fabric/blob/main/sampleconfig/core.yaml#L382-L388
This method will allow you to join the peer using genesis block and is supported by older versions of Fabric (<=v2.2) which does not support joining by snapshot.
Method 2:
If you are on Fabric v2.2+, then you can either use the Method 1 or join the channel using a snapshot from another peer.
There is tutorial in the official docs for that, please check it:
https://hyperledger-fabric.readthedocs.io/en/release-2.3/peer_ledger_snapshot.html
Thanks,
Sahil
From HLF docs
joining by snapshot will provide a peer with the latest channel configuration, which may be important if the channel configuration has changed since the genesis block. For example, the peer may need the orderer endpoints or CA certificates from the latest channel configuration before it can successfully pull blocks from the ordering service.
Taking ledger snapshots and using them to join channels
I've created a network based on 2 organizations under one two CA's (one normal, and one for TLS certificates). There's one orderer and one peer per organization.
I run the network as binaries on separate virtual machines.
After I create identities for organizations, I add the signcert directory from the CA admin to their respective msp directories as admincerts. I then enroll the identities on their respective machines, and add the admincerts directory. I create the ordererchannel genesis block and run the orderer binary. Next I generate mychannel.tx sign it with the peer's identity and submit the channel creation transaction (as far as I know, admin privilages are needed to successfully run peer channel create). Then, with the same identity, I try to join my peer to mychannel with peer channel join,and I get this error:
Error: proposal failed (err: bad proposal response 500: access denied for [JoinChain][mychannel]: [Failed verifying that proposal's creator satisfies local MSP principal during channelless check policy with policy [Admins]: [This identity is not an admin]])
Which is weird, because I could create the channel without problems, so the identity I'm using must be an admin. This happens on both peers. I would appreciate some input on the issue.
JoinChannel checks that the submitter is an admin of the peer itself. Peer admin(s) is(are) stores in local MSP admincerts directory.
When command "peer channel fetch 0 mychannel.block -c mychannel --orderer orderer0.****.com:7050" is executed in a peer's cli container, does it mean fetching mychannel.block from the orderer(orderer0.****.com:7050)? If so, does it mean that mychannel.block is stored in orderer instead of peer? And where is mychannel.block stored and persisted, is it stored by orderer container?
Thank you.
Orderer never reads, processes or stores the data. Orderer within the fabric network is responsible for:
Creating the blocks in the correct sequence after the receiving transaction proposal requests from the application.
Delivering these blocks to the anchor peers that have subscribed to the Orderer.
Now, coming to the command:
peer channel fetch 0 mychannel.block -c mychannel --orderer orderer0.****.com:7050
Here, we're passing two important information:
Channel ID, using -c
Ordering Service Endpoint, --orderer
Here, you pass the ordering service endpoint because the ordering service provides an interface to the peer for interacting with the channel. This is because a peer can be connected to multiple channels and these channels might've different orderers.
Next, to the following query:
where is mychannel.block stored and persisted, is it stored by orderer container?
It is quite clear that Orderer container does not store any data. This data is stored within the peer's channel(ledger) itself. Ordering service just acts as an interface to connect to the channel and deliver mychannel.block.
New Peer is unable to join the channel.
I have created a new peer in an existing organization and when I am running
docker network inspect bridge I can see that new peer is part of the organization.
When I am trying this peer to join the channel (mychannel) it is throwing below error.
Error: 2 UNKNOWN: access denied: channel [] creator org [Org1MSP]
In the above error, channel is an empty string while I am sending the mychannel as an argument.
I am using the join-channel script of balance transfer. It is working perfectly fine for the peers which created during the network creation.
Any idea why it is taking an empty string?
thanks
I figured out the reason.
Actually, the new peer is generated using different CA.
Previously I moved my organization's crypto-config directory to a different folder and then when I created new Peer it created new certificates for complete organization.
But I don't know the significance of the error as it must be different in this scenario.
My fabric network's consortium(in configtx.yaml) has two organizations: ORG1 and ORG2. ORG1 has 4 main peers and ORG2 has only 1 peer. ORG2 peer's only purpose is to have the copy of the ledger(for the auditing purpose).
They all joined the same channel and let's say ORG1's admin already installed/instantiated the chaincode version 0.1
Now, ORG2's admin will be also able to 'peer chaincode upgrade" to version 0.2 with the same chaincode name and when the proposal reaches one of the ORG1 peers, it will say something like :
endorsement failure during invoke. response: status:500 message:"cannot retrieve package for chaincode [chaincode name]/0.2, error open /var/hyperledger/production/chaincodes/[chaincode name]/0.2: no such file or directory"
How we completely prevent ORG2 from upgrading the chaincode version? so that only ORG1's admin can perform the administrative operations?
I have searched the ACL, but it seems the administrative operations are not controlled by ACL settings.
After the research, we figured out we can set this on the instantiate policy on chaincode package.
please see below fabric document:
https://hyperledger-fabric.readthedocs.io/en/release-1.4/commands/peerchaincode.html#peer-chaincode-package
with the flag -i, you can set the instantiate policy when packing the chaincode. Then only the Org(s) allowed on the policy will be able to instantiate or upgrade the chaincode on the channel