I am trying to build Hyperledger network like balanace-transfer from fabric-samples.
I have error
status: 'BAD_REQUEST',
- info: 'Error authorizing update: Error validating DeltaSet: Policy for [Groups] /Channel/Application not satisfied: Failed to reach implicit threshold of 1 sub-policies, required 1 remaining'
docker logs orderer.exmaple.com output
.
-2018-06-26 14:41:04.631 UTC [policies] Evaluate -> DEBU 120 Signature set did not satisfy policy /Channel/Application/Gov1MSP/Admins
-2018-06-26 14:41:04.631 UTC [policies] Evaluate -> DEBU 121 == Done Evaluating *cauthdsl.policy Policy /Channel/Application/Gov1MSP/
-2018-06-26 14:41:04.631 UTC [policies] func1 -> DEBU 122 Evaluation Failed: Only 0 policies were satisfied, but needed 1 of [ Gov1MSP.Admins ]
-2018-06-26 14:41:04.631 UTC [policies] Evaluate -> DEBU 123 Signature set did not satisfy policy /Channel/Application/ChannelCreationPolicy
-2018-06-26 14:41:04.631 UTC [policies] Evaluate -> DEBU 124 == Done Evaluating *policies.implicitMetaPolicy Policy /Channel/Application/ChannelCreationPolicy
-2018-06-26 14:41:04.631 UTC [orderer/common/broadcast] Handle -> WARN 125 [channel: usachannel] Rejecting broadcast of config message from 172.18.0.1:46638 because of error: Error authorizing update: Error validating DeltaSet: Policy for [Groups] /Channel/Application not satisfied: Failed to reach implicit threshold of 1 sub-policies, required 1 remaining
-2018-06-26 14:41:04.631 UTC [orderer/common/server] func1 -> DEBU 126 Closing Broadcast stream
I generate artifacts with cryptogen and configtxgen
I know that this error comes with wrong certificates when trying to create a channel
I can create channel, join peer, add new peers and add new channels with cli, e.g. same step with cli
docker exec -e "CORE_PEER_LOCALMSPID=Org1MSP" -e "CORE_PEER_MSPCONFIGPATH=/etc/hyperledger/msp/users/Admin#org1.example.com/msp" peer0.org1.example.com peer channel create -o orderer.example.com:7050 -c usachannel -f /etc/hyperledger/configtx/channel.tx works properly
Thank you for your help
Related
My chaincode was instantiated with the following command:
peer chaincode instantiate -o orderer1.example.com:7050 --tls true --cafile <cafile> -C mychannel
-n mycc -l java -v 1.0 -c '{"Args":[]}' -P "OR ('Org1MSP.member')"
I would like to change the endorsement policy such that all peers in the organization are required for endorsement; currently I have two peers, but the number is set to increase.
What I do for now is the following procedure:
Step one: install the same chaincode with a different version name.
peer chaincode install -n mycc -v <version> -l java -p /opt/gopath/src/github.com/chaincode
Step two: upgrade the chaincode using the following command:
peer chaincode upgrade -o orderer1.example.com:7050 --tls true --cafile <cafile> -C mychannel
-n mycc -l java -v <version> -c '{"Args":[]}' -P "OutOf(2, 'Org1MSP.member')"
-peerAddresses peer1.org1.example.com:7051 -peerAddresses peer2.org1.example.com:7051
However, I am unable to achieve my desired outcome. Under the current endorsement policy, when I use my my client to submit a transaction, it is committed after a while. After I change the policy, my transaction is no longer automatically accepted, and the logs reflect this with the following error message:
VSCC error: stateBasedValidator.Validate failed, err validation of endorsement policy for chaincode
mycc in tx 132:0 failed: signature set did not satisfy policy
So while I am able to stop the auto-acceptance of transactions, now I find myself unable to validate any transaction.
The procedure I follow in changing the chaincode endorsement policy, is it correct?
Does my endorsement policy do what I intend to do?
How come I am no longer able to validate transactions?
EDIT: I changed my logging spec to the one suggested by Jason Yellick. I think I found some debug which might provide insight:
<time> [cauthdsl] func1 -> DEBU 4bd 0xc0004e4050 gate 1594275943563937246 evaluation starts
<time> [cauthdsl] func2 -> DEBU 4be 0xc0004e4050 signed by 0 principal evaluation starts (used [false])
<time> [cauthdsl] func2 -> DEBU 4bf 0xc0004e4050 processing identity 0 with bytes of 1159660
<time> [cauthdsl] func2 -> DEBU 4c0 0xc0004e4050 principal matched by identity 0
<time> [cauthdsl] func2 -> DEBU 4c1 0xc0004e4050 principal evaluation succeeds for identity 0
<time> [cauthdsl] func2 -> DEBU 4c2 0xc0004e4050 signed by 1 principal evaluation starts (used [true])
<time> [cauthdsl] func2 -> DEBU 4c3 0xc0004e4050 skipping identity 0 because it has already been used
<time> [cauthdsl] func2 -> DEBU 4c4 0xc0004e4050 principal evaluation fails
<time> [cauthdsl] func1 -> DEBU 4c5 0xc0004e4050 gate 1594275943563937246 evaluation fails
<time> [vscc] Validate -> ERRO 4c6 VSCC error: stateBasedValidator.Validate failed, err validation of endorsement policy for chaincode myteacc in tx 140:0 failed: signature set did not satisfy policy
<time> [vscc] Validate -> DEBU 4c7 block 140, namespace: myteacc, tx 0 validation results is: validation of endorsement policy for chaincode myteacc in tx 140:0 failed: signature set did not satisfy policy
<time> [committer.txvalidator] ValidateWithPlugin -> DEBU 4c8 Transaction 1d8f66a10658c3d808ad4ce0feef9fd5c13816187a39fcedc8a32ce91016df0d appears to be invalid: validation of endorsement policy for chaincode myteacc in tx 140:0 failed: signature set did not satisfy policy
<time> [committer.txvalidator] validateTx -> ERRO 4c9 VSCCValidateTx for transaction txId = 1d8f66a10658c3d808ad4ce0feef9fd5c13816187a39fcedc8a32ce91016df0d returned error: validation of endorsement policy for chaincode myteacc in tx 140:0 failed: signature set did not satisfy policy
<time> [committer.txvalidator] validateTx -> DEBU 4ca [isprintchannel] validateTx completes for block 0xc0026306c0 env 0xc00245e190 txn 0
This is with policy set to AND('Org1MSP.member','Org1MSP.member')
Your endorsement policy is unsatisfiable. In your upgrade command:
peer chaincode upgrade -o orderer1.example.com:7050 --tls true
--cafile <cafile> -C mychannel -n mycc -l java -v <version>
-c '{"Args":[]}' -P "OutOf(2, 'Org1MSP.member')"
-peerAddresses peer1.org1.example.com:7051 -peerAddresses
peer2.org1.example.com:7051
you can see that your policy is:
-P "OutOf(2, 'Org1MSP.member')"
This endorsement policy is requiring that "2 out of 1 identities must sign". This can never be satisfied, as you can never have more signatures than principles. It is essentially saying "Of 1 thing, pick 2 of them", which is a contradiction. If you really want to require two peers from the same organization, then you would want to write:
-P "OutOf(2, 'Org1MSP.member', 'Org1MSP.member')"
Or, you could have simply used the AND syntax:
-P "AND('Org1MSP.member', 'Org1MSP.member')"
I would note, it's unusual to require multiple peers from the same organization to endorse, and if you go this route, you need to be careful in your certificate management. In particular, if you are using the fabric-ca, you must ensure that the peer identity can only enroll once, otherwise it could re-enroll and now have two valid identities, and be able to pretend to be two different peers. Similarly, if the identity must be re-issued, be careful to ensure that the old certificate is revoked.
You might consider instead defining a second logical organization and writing your policies using the two distinct logical organizations such as:
-P "AND('Org1MSP.member', 'Org2MSP.member')"
This is a much more conventional way to operate Fabric.
I have created a network of fabric and it running fine. I want to update the oderer configuration such as batchtimeout in running network. I have followed this tutorial to update the channel configuration at runtime. This tutorial works for adding a new org. But when i am updating orderer configuration then i am getting error as
Error: got unexpected status: BAD_REQUEST -- error applying config
update to existing channel 'mychannel': error authorizing update:
error validating DeltaSet: policy for [Value]
/Channel/Orderer/BatchTimeout not satisfied: implicit policy
evaluation failed - 0 sub-policies were satisfied, but this policy
requires 1 of the 'Admins' sub-policies to be satisfied
I sigining the envelope.pb file from all the org admins such as org1 and org2. Kindly help me with this.
Note: I have used fabric-samples first-network for this.
EDIT:
I have signed pb file with org1 and org2.I have also signed it with orderer by exporting below variables
CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/users/Admin\#example.com/msp/
CORE_PEER_ADDRESS=orderer.example.com:7050
CORE_PEER_LOCALMSPID=OrdererMSP
CORE_PEER_TLS_ROOTCERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/orderers/orderer.example.com/tls/ca.crt
Logs
11-28 09:13:57.207 UTC [policies] Manager -> DEBU cc4 Manager Channel/Orderer looking up path []
2019-11-28 09:13:57.207 UTC [policies] Manager -> DEBU cc5 Manager Channel/Orderer has managers OrdererOrg
2019-11-28 09:13:57.207 UTC [policies] Evaluate -> DEBU cc6 == Evaluating *policies.implicitMetaPolicy Policy /Channel/Orderer/Admins ==
2019-11-28 09:13:57.207 UTC [policies] Evaluate -> DEBU cc7 This is an implicit meta policy, it will trigger other policy evaluations, whose failures may be benign
2019-11-28 09:13:57.207 UTC [policies] Evaluate -> DEBU cc8 == Evaluating *cauthdsl.policy Policy /Channel/Orderer/OrdererOrg/Admins ==
2019-11-28 09:13:57.207 UTC [cauthdsl] deduplicate -> WARN cc9 De-duplicating identity [OrdererMSP95598fd8d4ea9aa73dad2aee5bc32375d01e3ed9da0a25c2f64ae1067af7ac74] at index 1 in signature set
2019-11-28 09:13:57.207 UTC [cauthdsl] deduplicate -> WARN cca De-duplicating identity [OrdererMSP95598fd8d4ea9aa73dad2aee5bc32375d01e3ed9da0a25c2f64ae1067af7ac74] at index 2 in signature set
2019-11-28 09:13:57.208 UTC [cauthdsl] func1 -> DEBU ccb 0xc000c99ef0 gate 1574932437208001961 evaluation starts
2019-11-28 09:13:57.208 UTC [cauthdsl] func2 -> DEBU ccc 0xc000c99ef0 signed by 0 principal evaluation starts (used [false false false])
2019-11-28 09:13:57.208 UTC [cauthdsl] func2 -> DEBU ccd 0xc000c99ef0 processing identity 0 with bytes of a1f390
2019-11-28 09:13:57.208 UTC [msp] satisfiesPrincipalInternalV143 -> DEBU cce Checking if identity has been named explicitly as an admin for OrdererMSP
2019-11-28 09:13:57.208 UTC [msp] satisfiesPrincipalInternalV143 -> DEBU ccf Checking if identity carries the admin ou for OrdererMSP
2019-11-28 09:13:57.208 UTC [msp] Validate -> DEBU cd0 MSP OrdererMSP validating identity
2019-11-28 09:13:57.208 UTC [msp] getCertificationChain -> DEBU cd1 MSP OrdererMSP getting certification chain
2019-11-28 09:13:57.208 UTC [msp] hasOURole -> DEBU cd2 MSP OrdererMSP checking if the identity is a client
2019-11-28 09:13:57.208 UTC [msp] getCertificationChain -> DEBU cd3 MSP OrdererMSP getting certification chain
2019-11-28 09:13:57.208 UTC [cauthdsl] func2 -> DEBU cd4 0xc000c99ef0 identity 0 does not satisfy principal: The identity is not an admin under this MSP [OrdererMSP]: The identity does not contain OU [ADMIN], MSP: [OrdererMSP]
2019-11-28 09:13:57.208 UTC [cauthdsl] func2 -> DEBU cd5 0xc000c99ef0 principal evaluation fails
2019-11-28 09:13:57.208 UTC [cauthdsl] func1 -> DEBU cd6 0xc000c99ef0 gate 1574932437208001961 evaluation fails
2019-11-28 09:13:57.208 UTC [policies] Evaluate -> DEBU cd7 Signature set did not satisfy policy /Channel/Orderer/OrdererOrg/Admins
2019-11-28 09:13:57.208 UTC [policies] Evaluate -> DEBU cd8 == Done Evaluating *cauthdsl.policy Policy /Channel/Orderer/OrdererOrg/Admins
2019-11-28 09:13:57.208 UTC [policies] func1 -> DEBU cd9 Evaluation Failed: Only 0 policies were satisfied, but needed 1 of [ OrdererOrg/Admins ]
2019-11-28 09:13:57.208 UTC [policies] Evaluate -> DEBU cda Signature set did not satisfy policy /Channel/Orderer/Admins
2019-11-28 09:13:57.208 UTC [policies] Evaluate -> DEBU cdb == Done Evaluating *policies.implicitMetaPolicy Policy /Channel/Orderer/Admins
2019-11-28 09:13:57.208 UTC [orderer.common.broadcast] ProcessMessage -> WARN cdc [channel: mychannel] Rejecting broadcast of config message from 172.25.0.7:42570 because of error: error applying config update to existing channel 'mychannel': error authorizing update: error validating DeltaSet: policy for [Value] /Channel/Orderer/BatchTimeout not satisfied: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Admins' sub-policies to be satisfied
2019-11-28 09:13:57.208 UTC [orderer.common.server] func1 -> DEBU cdd Closing Broadcast stream
2019-11-28 09:13:57.208 UTC [comm.grpc.server] 1 -> INFO cde streaming call completed grpc.service=orderer.AtomicBroadcast grpc.method=Broadcast grpc.peer_address=172.25.0.7:42570 grpc.code=OK grpc.call_duration=1.864323ms
2019-11-28 09:13:57.209 UTC [grpc] warningf -> DEBU cdf transport: http2Server.HandleStreams failed to read frame: read tcp 172.25.0.3:7050->172.25.0.7:42570: read: connection reset by peer
2019-11-28 09:13:57.209 UTC [grpc] infof -> DEBU ce0 transport: loopyWriter.run returning. connection error: desc = "transport is closing"
2019-11-28 09:13:57.209 UTC [grpc] infof -> DEBU ce1 transport: loopyWriter.run returning. connection error: desc = "transport is closing"
2019-11-28 09:13:57.209 UTC [common.deliver] Handle -> WARN ce2 Error reading from 172.25.0.7:42568: rpc error: code = Canceled desc = context canceled
2019-11-28 09:13:57.209 UTC [orderer.common.server] func1 -> DEBU ce3 Closing Deliver stream
2019-11-28 09:13:57.209 UTC [comm.grpc.server] 1 -> INFO ce4 streaming call completed grpc.service=orderer.AtomicBroadcast grpc.method=Deliver grpc.peer_address=172.25.0.7:42568 error="rpc error: code = Canceled desc = context canceled" grpc.code=Canceled grpc.call_duration=4.921585ms
Updated env
CORE_PEER_TLS_ROOTCERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/orderers/orderer.example.com/tls/ca.crt
CORE_PEER_TLS_KEY_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.key
CORE_PEER_LOCALMSPID=OrdererMSP
CORE_PEER_TLS_CERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.crt
CORE_PEER_TLS_ENABLED=true
CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/users/Admin#example.com/msp/
CORE_PEER_ID=cli
CORE_PEER_ADDRESS=orderer.example.com:7050
I am facing the same issue, but on BatchSize updating.
You can see the orderer log below:
2019-11-28 11:28:42.768 UTC [policies] Evaluate -> DEBU d6e This is an implicit meta policy, it will trigger other policy evaluations, whose failures may be benign
2019-11-28 11:28:42.768 UTC [policies] Evaluate -> DEBU d6f == Evaluating *cauthdsl.policy Policy /Channel/Orderer/OrdererOrg/Admins ==
2019-11-28 11:28:42.768 UTC [cauthdsl] deduplicate -> WARN d70 De-duplicating identity [OrdererMSPde02f61469eb325656c1a87232aeff9f44728b59015fccc5995bd849935812cb] at index 1 in signature set
2019-11-28 11:28:42.768 UTC [cauthdsl] deduplicate -> WARN d71 De-duplicating identity [OrdererMSPde02f61469eb325656c1a87232aeff9f44728b59015fccc5995bd849935812cb] at index 2 in signature set
2019-11-28 11:28:42.768 UTC [cauthdsl] func1 -> DEBU d72 0xc000453620 gate 1574940522768302200 evaluation starts
2019-11-28 11:28:42.768 UTC [cauthdsl] func2 -> DEBU d73 0xc000453620 signed by 0 principal evaluation starts (used [false false false])
2019-11-28 11:28:42.768 UTC [cauthdsl] func2 -> DEBU d74 0xc000453620 processing identity 0 with bytes of fd5830
2019-11-28 11:28:42.768 UTC [cauthdsl] func2 -> DEBU d75 0xc000453620 identity 0 does not satisfy principal: The identity is not an admin under this MSP [OrdererMSP]: The identity does not contain OU [ADMIN], MSP: [OrdererMSP]
2019-11-28 11:28:42.768 UTC [cauthdsl] func2 -> DEBU d76 0xc000453620 principal evaluation fails
2019-11-28 11:28:42.768 UTC [cauthdsl] func1 -> DEBU d77 0xc000453620 gate 1574940522768302200 evaluation fails
2019-11-28 11:28:42.768 UTC [policies] Evaluate -> DEBU d78 Signature set did not satisfy policy /Channel/Orderer/OrdererOrg/Admins
2019-11-28 11:28:42.768 UTC [policies] Evaluate -> DEBU d79 == Done Evaluating *cauthdsl.policy Policy /Channel/Orderer/OrdererOrg/Admins
2019-11-28 11:28:42.768 UTC [policies] func1 -> DEBU d7a Evaluation Failed: Only 0 policies were satisfied, but needed 1 of [ OrdererOrg/Admins ]
2019-11-28 11:28:42.768 UTC [policies] Evaluate -> DEBU d7b Signature set did not satisfy policy /Channel/Orderer/Admins
2019-11-28 11:28:42.768 UTC [policies] Evaluate -> DEBU d7c == Done Evaluating *policies.implicitMetaPolicy Policy /Channel/Orderer/Admins
2019-11-28 11:28:42.768 UTC [orderer.common.broadcast] ProcessMessage -> WARN d7d [channel: mychannel] Rejecting broadcast of config message from 172.29.0.7:43756 because of error: error applying config update to existing channel 'mychannel': error authorizing update: error validating DeltaSet: policy for [Value] /Channel/Orderer/BatchSize not satisfied: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Admins' sub-policies to be satisfied
I have tried to add an OrganizationalUnit: ADMIN in the crypto-config.yaml file, in order to fix - The identity does not contain OU [ADMIN]. The OU was added but but this doesn't help me.
I also have tried to copy the orderer sign certificate to the msp/admincerts in order to fix - The identity is not an admin under this MSP [OrdererMSP], e.g.
cp ${ORG_ADMIN_HOME}/msp/signcerts/* ${ORG_ADMIN_HOME}/msp/admincerts
Hope the above steps will help someone, I am still investigating my issue with the channel configuration update. ✌️
For you both.
https://hyperledger-fabric.readthedocs.io/en/release-1.4/msp.html#identity-classification. If you are using NodeOUs, be sure to check the config.yaml in every MSP folder is correct, that the OU fields of the admin certificates include admin (as defined in your config.yaml and in your configtx.yaml organization policies), and that your configtx.yaml at least specifies:
Capabilities:
Channel: &ChannelCapabilities
V1_4_3: true
V1_1: true
#TechChain, you are now signing with a non-admin OrdererMSP, when you have a first policy check expecting any (non-OrdererMSP) organization writer signature and a second policy check expecting an admin OrdererMSP.
Try this:
Export orderer organization environment:
export CH_NAME=<your-channel>
export CORE_PEER_LOCALMSPID="OrdererMSP"
export CORE_PEER_MSPCONFIGPATH=<ca-client-path>/organizations/ordererOrganizations/orderer.com/users/admin#orderer.com/msp/ <OR> <your-orderer-admin-msp-path>
export ORDERER_CONTAINER=localhost:7050
export ORDERER_CA=../../ca/fabric-ca-client/organizations/ordererOrganizations/orderer.com/msp/tlscacerts/<your-tls-cert>.pem <OR> <your-orderer-tlscert-path>
export FABRIC_CFG_PATH=../../peers/<your-org-peer>
Sign-in using the signconfigtx tool:
peer channel signconfigtx -f <your-enveloped-config>.pb
Try to send the config update again:
peer channel update -f <your-enveloped-config>.pb -c $CH_NAME -o $ORDERER_CONTAINER --tls --cafile $TLS_ROOT_CA
Then, the transaction maybe also needs to be signed the orderer's admin.
The way to know what signature is missing is setting FABRIC_LOGGING_SPEC=DEBUG in the orderer and looking for the orderer DEBUG messages previous to the error. There you can see every signature certificate received in pem format and which organizations and roles are checked an passed (or not). I know that logs allergy spreads among many StackOverflow users, but it's the only way to find out what's going on.
EDIT:
What I mean:
Set FABRIC_LOGGING_SPEC=DEBUG in your orderer/s.
Relaunch your orderers so the new environment variable is applied.
Debug the process of checking the policies painstakingly and patiently.
docker logs -f --tail 200 myorderercontainer 2>&1 | grep ERRO -B100 -A10
Thanks, #kekomal!
I have checked config.yaml files in every MSP folder.For example the one for the OrderereMSP looks like this:
NodeOUs:
Enable: true
ClientOUIdentifier:
Certificate: cacerts/ca.example.com-cert.pem
OrganizationalUnitIdentifier: client
PeerOUIdentifier:
Certificate: cacerts/ca.example.com-cert.pem
OrganizationalUnitIdentifier: peer
AdminOUIdentifier:
Certificate: cacerts/ca.example.com-cert.pem
OrganizationalUnitIdentifier: admin
OrdererOUIdentifier:
Certificate: cacerts/ca.example.com-cert.pem
OrganizationalUnitIdentifier: orderer
I have updated and the channel capabilities section with:
Capabilities:
# Channel capabilities apply to both the orderers and the peers and must be
# supported by both.
# Set the value of the capability to true to require it.
Channel: &ChannelCapabilities
# V1.4.3 for Channel is a catchall flag for behavior which has been
# determined to be desired for all orderers and peers running at the v1.4.3
# level, but which would be incompatible with orderers and peers from
# prior releases.
# Prior to enabling V1.4.3 channel capabilities, ensure that all
# orderers and peers on a channel are at v1.4.3 or later.
V1_4_3: true
# V1.3 for Channel enables the new non-backwards compatible
# features and fixes of fabric v1.3
V1_3: true
# V1.1 for Channel enables the new non-backwards compatible
# features and fixes of fabric v1.1
V1_1: true
The end result is the same, failed channel update tx.
If you have any other suggestions, please share.
Orderer logs show following error(highlighted) during broadcast even though the transaction is successful and committed to all peers:
2018-12-19 13:43:42.724 UTC [policies] Evaluate -> DEBU 997 == Done Evaluating *policies.implicitMetaPolicy Policy /Channel/Writers
2018-12-19 13:43:42.724 UTC [orderer/common/broadcast] Handle -> DEBU 998 [channel: mychannel] Broadcast has successfully enqueued message of type ENDORSER_TRANSACTION from 172.19.0.7:40978
2018-12-19 13:43:42.724 UTC [orderer/common/blockcutter] Ordered -> DEBU 999 Enqueuing message into batch
2018-12-19 13:43:42.724 UTC [orderer/consensus/solo] main -> DEBU 99a Just began 2s batch timer
2018-12-19 13:43:42.730 UTC [grpc] infof -> DEBU 99b transport: loopyWriter.run returning. connection error: desc = "transport is closing"
2018-12-19 13:43:42.730 UTC [orderer/common/broadcast] Handle -> WARN
99c Error reading from 172.19.0.7:40978: rpc error: code = Canceled
desc = context canceled
2018-12-19 13:43:42.731 UTC [orderer/common/server] func1 -> DEBU 99d Closing Broadcast stream
2018-12-19 13:43:44.724 UTC [orderer/consensus/solo] main -> DEBU 99e Batch timer expired, creating block
2018-12-19 13:43:44.724 UTC [msp] GetDefaultSigningIdentity -> DEBU 99f Obtaining default signing identity
Fabric Config: All configs and setup same as specified in Build you First Network tutorial at https://hyperledger-fabric.readthedocs.io/en/release-1.3/build_network.html
Query
What is meant by this error? What does orderer read from cli(IP of cli: 172.19.0.7:40978) during broadcast?
I'm trying to create channel to test my fabric environment, and I don't use docker instead I am running the actual executable itself. However, the creation failed with errors.
Error on the orderer:
2018-09-04 20:36:55.034 CST [cauthdsl] deduplicate -> ERRO 251 Principal deserialization failure (MSP OrdererOrg is unknown) for identity 0a0a4f7264657265724f72671281062d2d2d2d2d424547494e2043455254494649434154452d2d2d2d2d0a4d4949434444434341624b67417749424167495158346c644c424e55705271796451705845475767446a414b42676771686b6a4f50515144416a42704d5173770a435159445651514745774a56557a45544d4245474131554543424d4b5132467361575a76636d3570595445574d4251474131554542784d4e5532467549455a790a5957356a61584e6a627a45554d4249474131554543684d4c5a586868625842735a53356a62323078467a415642674e5642414d54446d4e684c6d5634595731770a62475575593239744d423458445445344d446b774e4445794d6a55784d466f58445449344d446b774d5445794d6a55784d466f775744454c4d416b47413155450a42684d4356564d78457a415242674e5642416754436b4e6862476c6d62334a7561574578466a415542674e564241635444564e6862694247636d467559326c7a0a593238784844416142674e5642414d54453239795a4756795a5849755a586868625842735a53356a623230775754415442676371686b6a4f50514942426767710a686b6a4f50514d4242774e434141514670514e4b7665305a332f5059377369315730537550553347326d6a61366b3744495756727a41766541516d6a4169415a0a6e4b6d6c4c4a742b5164655a4e4342446c6558742b72384b69656c4d72556b6e7159554e6f303077537a414f42674e56485138424166384542414d43423441770a44415944565230544151482f424149774144417242674e5648534d454a444169674341716e446c77684434524f6e6f6b424d72476249496d51724871697934680a6e514279524657617a5233774f54414b42676771686b6a4f5051514441674e4941444246416945416b6c356336596a64515038565352384679694462393553310a325130633032727269593662764a454d53544d4349435445346f6f79627843414a577a5a4f5069507173766d4c53667a316238676a337572692b5a434d664e470a2d2d2d2d2d454e442043455254494649434154452d2d2d2d2d0a
>2018-09-04 20:36:55.035 CST [cauthdsl] func1 -> DEBU 252 0xc00000f0e8 gate 1536064615035064391 evaluation starts
2018-09-04 20:36:55.035 CST [cauthdsl] func2 -> DEBU 253 0xc00000f0e8 signed by 0 principal evaluation starts (used [false])
2018-09-04 20:36:55.035 CST [cauthdsl] func2 -> DEBU 254 0xc00000f0e8 principal evaluation fails
2018-09-04 20:36:55.035 CST [cauthdsl] func1 -> DEBU 255 0xc00000f0e8 gate 1536064615035064391 evaluation fails
2018-09-04 20:36:55.035 CST [policies] Evaluate -> DEBU 256 Signature set did not satisfy policy /Channel/Orderer/OrdererOrg/Writers
2018-09-04 20:36:55.035 CST [policies] Evaluate -> DEBU 257 == Done Evaluating *cauthdsl.policy Policy /Channel/Orderer/OrdererOrg/Writers
2018-09-04 20:36:55.035 CST [policies] func1 -> DEBU 258 Evaluation Failed: Only 0 policies were satisfied, but needed 1 of [ OrdererOrg.Writers ]
2018-09-04 20:36:55.035 CST [policies] Evaluate -> DEBU 259 Signature set did not satisfy policy /Channel/Orderer/Writers
2018-09-04 20:36:55.035 CST [policies] Evaluate -> DEBU 25a == Done Evaluating *policies.implicitMetaPolicy Policy /Channel/Orderer/Writers
2018-09-04 20:36:55.035 CST [policies] func1 -> DEBU 25b Evaluation Failed: Only 0 policies were satisfied, but needed 1 of [ Orderer.Writers Consortiums.Writers ]
2018-09-04 20:36:55.035 CST [policies] Evaluate -> DEBU 25c Signature set did not satisfy policy /Channel/Writers
2018-09-04 20:36:55.035 CST [policies] Evaluate -> DEBU 25d == Done Evaluating *policies.implicitMetaPolicy Policy /Channel/Writers
2018-09-04 20:36:55.035 CST [orderer/common/broadcast] Handle -> WARN 25e [channel: roberttestchannel] Rejecting broadcast of config message from 192.168.136.100:54494 because of error: Failed to reach implicit threshold of 1 sub-policies, required 1 remaining: permission denied
2018-09-04 20:36:55.035 CST [orderer/common/server] func1 -> DEBU 25f Closing Broadcast stream
2018-09-04 20:36:55.037 CST [common/deliver] Handle -> WARN 260 Error reading from 192.168.136.100:54492: rpc error: code = Canceled desc = context canceled
2018-09-04 20:36:55.037 CST [orderer/common/server] func1 -> DEBU 261 Closing Deliver stream
2018-09-04 20:36:55.037 CST [grpc] infof -> DEBU 262 transport: loopyWriter.run returning. connection error: desc = "transport is closing"
2018-09-04 20:36:55.037 CST [grpc] infof -> DEBU 263 transport: loopyWriter.run returning. connection error: desc = "transport is closing"
Error on the peer:
2018-09-04 20:36:55.007 CST [channelCmd] InitCmdFactory -> INFO 001 Endorser and orderer connections initialized
Error: got unexpected status: FORBIDDEN -- Failed to reach implicit threshold of 1 sub-policies, required 1 remaining: permission denied
I have tried to reboot or delete all the project files. But it didn't work.
Thank you for your attention!
Here is the condition from you description:
modifying the crypto-config.yaml and configtx.yaml file to create your own fabric network.
using cryptogen and configtxgen to generate the channel artifacts and keycerts file
then your may use fabric-tool or Node-SDK to handle the fabric network like enroll the user, create channel and join channel.
the error threw out when your are create channel
In the head of the log, it shows that MSP OrdererOrg is unknown. That problem may cause by after using orderer certs signed the channel-creating request then the client sent the request to the orderer. It is fine that you use the order to sign the channel-creating request, only if you configured your Signature policy to your target member. Like setting the Rule like:
Policies:
Readers:
Type: Signature
Rule: "OR('OrgOrderer.admin','OrgOrderer.client')"
Writers:
Type: Signature
Rule: "OR('OrgOrderer.admin')"
If you are left the Policies setting to blank, it will follow the default policy.
The logs similar to Signature set did not satisfy policy /Channel/Orderer/OrdererOrg/Writers do shows that your signature is not valid. If you want to know more detail about what specific policy configuration, using the configentx to inspect the channel.tx or genesis.block:
configtxgen -inspectBlock ./channel-artifacts/genesis.block -configPath ./crypto-config/example.com/ >genesis.json
configtxgen -inspectChannelCreateTx ./channel-artifacts/channel.tx --configPath ./crypto-config/example.com/ >channel.json
I am trying to enable peer/orderer logging in the Balance Transfer sample of Hyperledger Fabric, so I can understand the step-by-step consensus and transaction process of my Hyperledger Fabric project.
---------
If we start the blockchain network of chaincode-docker-devmode, and go to the Terminal 1 where this command below is executed
docker-compose -f docker-compose-simple.yaml up
We can easily see all the peer/orderers/cli logs in the terminal, for example like this:
peer | 2018-07-26 08:58:07.426 UTC [chaincode] Execute -> DEBU 73d Entry
peer | 2018-07-26 08:58:07.426 UTC [chaincode] Execute -> DEBU 73e chaincode canonical name: escc:1.1.0
orderer | 2018-07-26 08:58:07.434 UTC [policies] Evaluate -> DEBU 3c4 Signature set satisfies policy /Channel/Orderer/SampleOrg/Writers
orderer | 2018-07-26 08:58:07.434 UTC [policies] Evaluate -> DEBU 3c5 == Done Evaluating *cauthdsl.policy Policy /Channel/Orderer/SampleOrg/Writers
orderer | 2018-07-26 08:58:07.434 UTC [policies] Evaluate -> DEBU 3c6 Signature set satisfies policy /Channel/Orderer/Writers
peer | 2018-07-26 08:58:07.426 UTC [chaincode] sendExecuteMessage -> DEBU 73f [82a18317]Inside sendExecuteMessage. Message TRANSACTION
peer | 2018-07-26 08:58:07.426 UTC [chaincode] setChaincodeProposal -> DEBU 740 Setting chaincode proposal context...
orderer | 2018-07-26 08:58:07.435 UTC [policies] Evaluate -> DEBU 3c7 == Done Evaluating *policies.implicitMetaPolicy Policy /Channel/Orderer/Writers
orderer | 2018-07-26 08:58:07.435 UTC [policies] Evaluate -> DEBU 3c8 Signature set satisfies policy /Channel/Writers
orderer | 2018-07-26 08:58:07.435 UTC [policies] Evaluate -> DEBU 3c9 == Done Evaluating *policies.implicitMetaPolicy Policy /Channel/Writers
orderer | 2018-07-26 08:58:07.436 UTC [orderer/common/blockcutter] Ordered -> DEBU 3ca Enqueuing message into batch
orderer | 2018-07-26 08:58:07.436 UTC [orderer/common/broadcast] Handle -> DEBU 3cb [channel: myc] Broadcast has successfully enqueued message of type ENDORSER_TRANSACTION from 172.23.0.5:57804
peer | 2018-07-26 08:58:07.426 UTC [chaincode] setChaincodeProposal -> DEBU 741 Proposal different from nil. Creating chaincode proposal context...
In my case, I want to replicate that condition into the Balance Transfer sample. So when I run ./runApp.sh, it will show all the logs.
How can I do that? What environment should I put in Balance Transfer's docker-compose.yaml file?
Thanks!
In balance transfer go to directory artifacts and type this command.
docker-compose -f docker-compose.yaml logs -f for live logging.[1][2]
docker-compose -f docker-compose.yaml logs` for upto the point logs with no live logging.
NOTE : When you run the script in balance-transfer, docker starts the docker containers in detached mode : Run containers in the background,print new container names. That's the reason logs are not shown as soon as containers are orchestrated.[3][4]
References :
[1] : Docker - How do I view real time logging of Docker containers? (https://success.docker.com/article/view-realtime-container-logging)
[2] : docker container logs | Docker Documentation (https://docs.docker.com/engine/reference/commandline/container_logs/)
[3] : docker run | Docker Documentation (https://docs.docker.com/engine/reference/commandline/run/)
[4] : docker-compose up | Docker Documentation (https://docs.docker.com/compose/reference/up/)