How to add a new org in HyperledgerFabric? - hyperledger-fabric

I followed this site: https://www.ibm.com/developerworks/cloud/library/cl-add-an-organization-to-your-hyperledger-fabric-blockchain/index.html and had a problem at section 4. Section 4 says that I should add a new org JSON content (that is, Org3MSP), but the doc didn't mention how to generate the JSON content, especially since there are some strings which look like PEM.

The documentation for v1.1.x has been updated to add a tutorial for reconfiguring an existing Hyperledger Fabric blockchain network (the "build your first network" sample network) to add a new organization and peer to an existing channel.
The general flow will be to:
set up a configtxlator server to interact with the config block of the channel
fetch the config block using peer channel fetch command
translate the retrieved config block from protobuf to json using configtxlator server
modify the json configuration to include the new org's info
encode the json into protobuf using configtxlator
compute the delta of the new config and the original in the channel
decode the delta config update from protobuf to json
wrap that json update in an envelope
encode the resulting json into protobuf again, using configtxlator
sign the transaction for a sufficient subset of the channel's membership to satisfy its endorsement policy
submit the signed channel update command with peer channel update command
fetch the genesis block for the channel with peer channel fetch
start the new org's peer(s)
join the new org's peer(s) to the channel using the genesis block with peer channel join
install the chaincode to the new org's peer(s) as needed
upgrade the chaincode to set a new endorsement policy including the new organization
Yes, it is a bit involved, but we expect that much of this will be automated and simplified for the administrator over time.
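The "modify the json configuration" and "wrap that json update in an envelope" steps above, as an added Python example that is not part of the original answer. It assumes the org definition is JSON such as `configtxgen -printOrg Org3MSP` prints (its PEM-looking strings are base64-encoded certificates); the sample config is constructed and heavily trimmed, and `changed_paths` is a hypothetical helper for reviewing exactly what an update changes before anyone signs it.

```python
import copy

def add_org(config, msp_id, org_def):
    """Return a copy of the decoded channel config with org_def added under Application."""
    modified = copy.deepcopy(config)
    orgs = modified["channel_group"]["groups"]["Application"]["groups"]
    if msp_id in orgs:
        raise ValueError(f"{msp_id} is already a channel member")
    orgs[msp_id] = org_def
    return modified

def changed_paths(old, new, prefix=""):
    """List every JSON path that was added (+), removed (-) or changed (~)."""
    if isinstance(old, dict) and isinstance(new, dict):
        out = []
        for key in sorted(set(old) | set(new)):
            path = f"{prefix}/{key}"
            if key not in old:
                out.append(f"+{path}")
            elif key not in new:
                out.append(f"-{path}")
            else:
                out.extend(changed_paths(old[key], new[key], path))
        return out
    return [] if old == new else [f"~{prefix}"]

def wrap_update(channel_id, config_update):
    """Wrap a decoded ConfigUpdate in envelope JSON (header type 2 = CONFIG_UPDATE)."""
    header = {"channel_header": {"channel_id": channel_id, "type": 2}}
    return {"payload": {"header": header, "data": {"config_update": config_update}}}

# Constructed sample data: a trimmed decoded config and a placeholder org definition.
SAMPLE_CONFIG = {"channel_group": {"groups": {"Application": {
    "groups": {"Org1MSP": {"version": "0"}, "Org2MSP": {"version": "0"}},
    "version": "1"}}}}
SAMPLE_ORG3 = {"mod_policy": "Admins", "values": {"MSP": {"value": {"config": {
    "name": "Org3MSP", "root_certs": ["<base64-encoded PEM placeholder>"]}}}}}

if __name__ == "__main__":
    modified = add_org(SAMPLE_CONFIG, "Org3MSP", SAMPLE_ORG3)
    # Signers should see exactly one added path and nothing else.
    print(changed_paths(SAMPLE_CONFIG, modified))
```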

You have to update the configtx.yaml and crypto-config.yaml files. Once you have edited them, you have to run the cryptogen tool to generate the related certificates.

Related

Hyperledger Fabric Peer Join Channel

The use case is:
I created a network with Raft Ordering service having one channel say, channel1 with three Organisations (Org1, Org2 and Org3).
Org1 and Org2 peers have joined the channel channel1.
Org3 is just present in the channel config but not joined the channel yet.
Now I added the new orderer endpoints in the system channel and channel1 config and removed the old orderer endpoints.
My new orderers are working fine, able to fetch the config for both channels.
I fetched the 0 block of channel1 from Org3 peer and issued the join command.
The command works fine, but in the peer I am getting this error:
2022-04-20 05:28:18.210 UTC 006b WARN [peer.blocksprovider] func1 -> Encountered an error reading from deliver stream: EOF channel=channel1 orderer-address=orderer.example.com:7050
2022-04-20 05:28:18.210 UTC 006c WARN [peer.blocksprovider] DeliverBlocks -> Got error while attempting to receive blocks: received bad status SERVICE_UNAVAILABLE from orderer channel=channel1 orderer-address=orderer.example.com:7050
The Org3 peer is still trying to connect with the older orderer endpoints (as they were defined in the 0 block initially).
So how to sort out this problem?
One way I can think is to use the snapshot of the Org1/Org2 peer maybe.
What are your thoughts?
Thanks
I found the solution, so if anyone in the future needs it, can use this answer to join the channel when the orderer endpoints are updated in the channel configuration.
Method 1:
In the peer configuration you can override some of the variables to override the old orderer endpoint with the new orderer endpoints.
The link to the config file and params is:
https://github.com/hyperledger/fabric/blob/main/sampleconfig/core.yaml#L382-L388
This method will allow you to join the peer using the genesis block and is supported by older versions of Fabric (<=v2.2) which do not support joining by snapshot.
Method 2:
If you are on Fabric v2.2+, then you can either use Method 1 or join the channel using a snapshot from another peer.
There is a tutorial in the official docs for that, please check it:
https://hyperledger-fabric.readthedocs.io/en/release-2.3/peer_ledger_snapshot.html
Thanks,
Sahil
From HLF docs
joining by snapshot will provide a peer with the latest channel configuration, which may be important if the channel configuration has changed since the genesis block. For example, the peer may need the orderer endpoints or CA certificates from the latest channel configuration before it can successfully pull blocks from the ordering service.
Taking ledger snapshots and using them to join channels

How to view a chaincode definition?

The Fabric documentation explains in detail what a chaincode definition is and which role it plays in the lifecycle and governance of a chaincode. It says that an organisation needs to approve a definition in order to use the chaincode. What it doesn't explain - imho - is how to VIEW a chaincode definition prior to approving it.
Question: Is there a command to view a chaincode definition? Or is there another workflow that I missed, so that an organization can study the definition before approving it?
The parameters to the approval are the definition. You can think of a chaincode definition as being all the parameters required to execute and validate a chaincode transaction. You supply the definition via the parameters you see in the documentation, so it is in fact impossible to perform the approval without already knowing the definition.
Generally speaking, the definition is agreed to out of band, and then all participating organizations approve the externally agreed to definition. However, if you are on a network and wish to discover what other members have approved, or what definitions have been committed, there are a number of query utilities provided via the peer CLI. You can see what definition an org has approved using the queryapproved subcommand, you can see what orgs have approved a particular definition using the checkcommitreadiness subcommand, and you can view the currently committed definition using the querycommitted subcommand or by using the queryinstalled subcommand.
Step 1: Each organization has to agree on a chaincode package which has a unique hash value and a label. They all may get the chaincode package from a developer, and if someone tries to change something in the chaincode, that chaincode package will give a different hash value compared to the others.
Step 2: Each organization will install that chaincode package on their peers.
Step 3: After that, each organization gets an identical Package ID, which is a combination of that chaincode package's hash value and label. You can get it with the "peer lifecycle chaincode queryinstalled" command.
Step 4: Now you can approve that identical Package ID with channelID, name, version, init-required, etc. from your organization. Before approval you can also check the checkcommitreadiness.
Step 5: To check the checkcommitreadiness of that identical Package ID with channelID, name, version, init-required, sequence 1, etc., follow the command given below. If it gets enough approvals, it's ready for commit.
So each organization will give approval of its own chaincode with other definitions like channelID, name, version, init-required, etc., and due to the system a fraudulent activity will not get enough approvals.
Check whether a chaincode definition is ready to be committed on a channel.
Usage:
peer lifecycle chaincode checkcommitreadiness [flags]
Flags:
--channel-config-policy string The endorsement policy associated to this chaincode specified as a channel config policy reference
-C, --channelID string The channel on which this command should be executed
--collections-config string The fully qualified path to the collection JSON file including the file name
--connectionProfile string The fully qualified path to the connection profile that provides the necessary connection information for the network. Note: currently only supported for providing peer connection information
-E, --endorsement-plugin string The name of the endorsement plugin to be used for this chaincode
-h, --help help for checkcommitreadiness
--init-required Whether the chaincode requires invoking 'init'
-n, --name string Name of the chaincode
-O, --output string The output format for query results. Default is human-readable plain-text. json is currently the only supported format.
--peerAddresses stringArray The addresses of the peers to connect to
--sequence int The sequence number of the chaincode definition for the channel (default 1)
--signature-policy string The endorsement policy associated to this chaincode specified as a signature policy
--tlsRootCertFiles stringArray If TLS is enabled, the paths to the TLS root cert files of the peers to connect to. The order and number of certs specified should match the --peerAddresses flag
-V, --validation-plugin string The name of the validation plugin to be used for this chaincode
-v, --version string Version of the chaincode
Global Flags:
--cafile string Path to file containing PEM-encoded trusted certificate(s) for the ordering endpoint
--certfile string Path to file containing PEM-encoded X509 public key to use for mutual TLS communication with the orderer endpoint
--clientauth Use mutual TLS when communicating with the orderer endpoint
--connTimeout duration Timeout for client to connect (default 3s)
--keyfile string Path to file containing PEM-encoded private key to use for mutual TLS communication with the orderer endpoint
-o, --orderer string Ordering service endpoint
--ordererTLSHostnameOverride string The hostname override to use when validating the TLS connection to the orderer.
--tls Use TLS when communicating with the orderer endpoint
As answered before, a chaincode definition is the combination of parameters.
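Steps 1 to 3 above depend on the Package ID being derived from the package's label and hash. The added example below (not from the original answers) recomputes that ID from the package bytes so it can be compared with what `peer lifecycle chaincode queryinstalled` reports. It assumes the Fabric v2 package layout (a gzipped tar holding `metadata.json` and `code.tar.gz`) and the `label:sha256-hex` ID format; `make_package` only builds constructed sample data.

```python
import hashlib
import io
import json
import tarfile

def make_package(label, code):
    """Build a constructed in-memory package: metadata.json plus code.tar.gz."""
    meta = json.dumps({"path": "example/cc", "type": "golang", "label": label}).encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in (("metadata.json", meta), ("code.tar.gz", code)):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def package_id(pkg_bytes):
    """Return label:sha256hex, reading the label from the package's metadata.json."""
    with tarfile.open(fileobj=io.BytesIO(pkg_bytes), mode="r:gz") as tar:
        meta = json.load(tar.extractfile("metadata.json"))
    return f"{meta['label']}:{hashlib.sha256(pkg_bytes).hexdigest()}"

def matches_installed(pkg_bytes, reported_id):
    """True only if the local package yields the ID the peer (or another org) reports."""
    return package_id(pkg_bytes) == reported_id.strip()

if __name__ == "__main__":
    agreed = make_package("basic_1.0", b"constructed chaincode bytes")
    altered = make_package("basic_1.0", b"constructed chaincode bytes, modified")
    agreed_id = package_id(agreed)
    print(agreed_id)
    # Same label, different content: the ID no longer matches the agreed one.
    print(matches_installed(agreed, agreed_id), matches_installed(altered, agreed_id))
```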

Adding a new consortium definition to existing running network

EYFN allows adding an organization Org3 to the existing channel "mychannel". I am trying to add Org1 and Org3 to a new channel, by dynamically creating the channel in a running network. For this, I understand, there is a need to define a consortium with Org1 and Org3.
When following the document, it was mentioned "In practice, consortium definition X2 has been added to the network configuration NC4. We discuss the exact mechanics of this operation elsewhere in the documentation." (https://hyperledger-fabric.readthedocs.io/en/release-1.4/network/network.html)
Is it possible to do this by updating the network configuration? Or is there any alternative?
Yes, it is possible. Instead of fetching the application channel, you must fetch the system channel block and add the new organization into the existing consortium, then add a new profile in the configtx, generate a new transaction file and create your new channel.

Hyperledger Fabric - How to limit Org2 to install/instantiate/upgrade the chaincode to the channel?

My fabric network's consortium(in configtx.yaml) has two organizations: ORG1 and ORG2. ORG1 has 4 main peers and ORG2 has only 1 peer. ORG2 peer's only purpose is to have the copy of the ledger(for the auditing purpose).
They all joined the same channel and let's say ORG1's admin already installed/instantiated the chaincode version 0.1
Now, ORG2's admin will also be able to "peer chaincode upgrade" to version 0.2 with the same chaincode name, and when the proposal reaches one of the ORG1 peers, it will say something like:
endorsement failure during invoke. response: status:500 message:"cannot retrieve package for chaincode [chaincode name]/0.2, error open /var/hyperledger/production/chaincodes/[chaincode name]/0.2: no such file or directory"
How do we completely prevent ORG2 from upgrading the chaincode version, so that only ORG1's admin can perform the administrative operations?
I have searched the ACL, but it seems the administrative operations are not controlled by ACL settings.
After some research, we figured out we can set this in the instantiate policy on the chaincode package.
Please see the Fabric document below:
https://hyperledger-fabric.readthedocs.io/en/release-1.4/commands/peerchaincode.html#peer-chaincode-package
With the flag -i, you can set the instantiate policy when packaging the chaincode. Then only the Org(s) allowed by the policy will be able to instantiate or upgrade the chaincode on the channel.

Hyperledger Fabric ACL in configtx.yaml

Please have a look into my issue. I am using Hyperledger Fabric 1.2. I am exploring ACLs at the time of channel creation. I just copied the default Writers policy, renamed it to PankajPolicy and put it into Channel.Application in configtx.yaml (see here).
Now the issue is that I just replaced peer/Propose: /Channel/Application/Writers with PankajPolicy in peer/Propose: /Channel/Application/PankajPoilicy. For the complete configtx.yaml, please see here.
When I create the genesis block with this and try to create the channel, everything goes fine. But at the time of query I am getting this error:
Error: error endorsing query: rpc error: code = Unknown desc = failed evaluating policy on signed data during check policy [/Channel/Application/PankajPoilicy]: [policy /Channel/Application/PankajPoilicy not found] - proposal response: <nil>
Instead, if something is wrong, then it should stop on the write operation, meaning at the time of peer chaincode instantiate.
Thanks in advance !!!
You created your own policy. So according to the comment on sample configtx.yaml
Policies defines the set of policies at this level of the config tree
# For Channel policies, their canonical path is
# /Channel/<PolicyName>
Your custom defined policy will be accessible on this path /Channel/<PolicyName>
Please use this peer/Propose: /Channel/PankajPoilicy
instead of this
peer/Propose: /Channel/Application/PankajPoilicy
I do not know why your write operations are working with the current configuration.
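A pre-flight check for the "policy ... not found" failure in this thread, as an added example that is not part of the original posts: it resolves every ACL entry against the policies actually defined at each level of the config and reports any reference that does not resolve, with the nearest defined path. The dictionary stands in for a parsed configtx.yaml and is constructed from the names in the question; the example assumes absolute policy paths and the canonical prefixes `/Channel`, `/Channel/Application` and `/Channel/Orderer`.

```python
import difflib

# Canonical path prefix for the Policies block of each configtx.yaml section.
SECTION_PATHS = {
    "Channel": "/Channel",
    "Application": "/Channel/Application",
    "Orderer": "/Channel/Orderer",
}

def defined_policies(configtx):
    """Collect the canonical path of every policy defined in the three sections."""
    paths = set()
    for section, base in SECTION_PATHS.items():
        for name in configtx.get(section, {}).get("Policies", {}):
            paths.add(f"{base}/{name}")
    return paths

def check_acls(configtx):
    """Return (resource, reference, nearest defined path or None) for each dangling ACL."""
    known = defined_policies(configtx)
    findings = []
    for resource, ref in configtx.get("Application", {}).get("ACLs", {}).items():
        if ref in known:
            continue
        near = difflib.get_close_matches(ref, sorted(known), n=1, cutoff=0.8)
        findings.append((resource, ref, near[0] if near else None))
    return findings

# Constructed sample standing in for a parsed configtx.yaml (rules omitted).
SAMPLE = {
    "Channel": {"Policies": {"Readers": {}, "Writers": {}, "Admins": {}}},
    "Application": {
        "Policies": {"Readers": {}, "Writers": {}, "Admins": {}, "PankajPolicy": {}},
        "ACLs": {
            "peer/Propose": "/Channel/Application/PankajPoilicy",
            "event/Block": "/Channel/Application/Readers",
        },
    },
}

if __name__ == "__main__":
    for resource, ref, hint in check_acls(SAMPLE):
        print(f"{resource}: {ref} is not defined; closest defined policy: {hint}")
```

Running a check like this before generating the genesis block or channel transaction surfaces a dangling reference at build time instead of at the first request that evaluates the ACL.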
