From 5d5825428008ca638f8706d057f3ed74c4cfb453 Mon Sep 17 00:00:00 2001 From: NIKHIL E GUPTA Date: Tue, 26 Nov 2019 18:01:57 -0500 Subject: [PATCH] [FAB-17145] Add test network to Fabric Samples Signed-off-by: NIKHIL E GUPTA --- test-network/.env | 3 + test-network/.gitignore | 14 + test-network/README.md | 50 ++ test-network/add-Org3/.env | 2 + test-network/add-org3/addOrg3.sh | 228 +++++++ test-network/add-org3/configtx.yaml | 42 ++ .../docker/docker-compose-couch-org3.yaml | 39 ++ .../add-org3/docker/docker-compose-org3.yaml | 84 +++ test-network/add-org3/org3-crypto.yaml | 21 + test-network/configtx/configtx.yaml | 333 ++++++++++ test-network/docker/docker-compose-ca.yaml | 50 ++ test-network/docker/docker-compose-couch.yaml | 64 ++ test-network/docker/docker-compose-e2e.yaml | 176 ++++++ .../docker/docker-compose-test-net.yaml | 128 ++++ test-network/network.sh | 573 ++++++++++++++++++ test-network/organizations/ccp-generate.sh | 49 ++ test-network/organizations/ccp-template.json | 60 ++ test-network/organizations/ccp-template.yaml | 43 ++ .../cryptogen/crypto-config-orderer.yaml | 20 + .../cryptogen/crypto-config-org1.yaml | 61 ++ .../cryptogen/crypto-config-org2.yaml | 61 ++ .../ordererOrg/fabric-ca-server-config.yaml | 406 +++++++++++++ .../org1/fabric-ca-server-config.yaml | 406 +++++++++++++ .../org2/fabric-ca-server-config.yaml | 406 +++++++++++++ .../organizations/fabric-ca/registerEnroll.sh | 307 ++++++++++ test-network/scripts/createChannel.sh | 167 +++++ test-network/scripts/deployCC.sh | 325 ++++++++++ test-network/scripts/envVar.sh | 81 +++ .../scripts/org3-scripts/envVarCLI.sh | 79 +++ .../scripts/org3-scripts/step1org3.sh | 122 ++++ .../scripts/org3-scripts/step2org3.sh | 68 +++ test-network/system-genesis-block/.gitkeep | 0 32 files changed, 4468 insertions(+) create mode 100644 test-network/.env create mode 100644 test-network/.gitignore create mode 100644 test-network/README.md create mode 100644 test-network/add-Org3/.env create mode 100755 test-network/add-org3/addOrg3.sh create mode 100644 test-network/add-org3/configtx.yaml create mode 100644 test-network/add-org3/docker/docker-compose-couch-org3.yaml create mode 100644 test-network/add-org3/docker/docker-compose-org3.yaml create mode 100644 test-network/add-org3/org3-crypto.yaml create mode 100644 test-network/configtx/configtx.yaml create mode 100644 test-network/docker/docker-compose-ca.yaml create mode 100644 test-network/docker/docker-compose-couch.yaml create mode 100644 test-network/docker/docker-compose-e2e.yaml create mode 100644 test-network/docker/docker-compose-test-net.yaml create mode 100755 test-network/network.sh create mode 100755 test-network/organizations/ccp-generate.sh create mode 100644 test-network/organizations/ccp-template.json create mode 100644 test-network/organizations/ccp-template.yaml create mode 100644 test-network/organizations/cryptogen/crypto-config-orderer.yaml create mode 100644 test-network/organizations/cryptogen/crypto-config-org1.yaml create mode 100644 test-network/organizations/cryptogen/crypto-config-org2.yaml create mode 100644 test-network/organizations/fabric-ca/ordererOrg/fabric-ca-server-config.yaml create mode 100644 test-network/organizations/fabric-ca/org1/fabric-ca-server-config.yaml create mode 100644 test-network/organizations/fabric-ca/org2/fabric-ca-server-config.yaml create mode 100755 test-network/organizations/fabric-ca/registerEnroll.sh create mode 100755 test-network/scripts/createChannel.sh create mode 100755 test-network/scripts/deployCC.sh create mode 100755 test-network/scripts/envVar.sh create mode 100644 test-network/scripts/org3-scripts/envVarCLI.sh create mode 100755 test-network/scripts/org3-scripts/step1org3.sh create mode 100755 test-network/scripts/org3-scripts/step2org3.sh create mode 100644 test-network/system-genesis-block/.gitkeep diff --git a/test-network/.env b/test-network/.env new file mode 100644 index 0000000000..eba89f913b --- /dev/null +++ b/test-network/.env @@ -0,0 +1,3 @@ +COMPOSE_PROJECT_NAME=net +IMAGE_TAG=latest +SYS_CHANNEL=system-channel diff --git a/test-network/.gitignore b/test-network/.gitignore new file mode 100644 index 0000000000..ab11a4e8c9 --- /dev/null +++ b/test-network/.gitignore @@ -0,0 +1,14 @@ +/channel-artifacts/*.tx +/channel-artifacts/*.block +/ledgers +/ledgers-backup +/channel-artifacts/*.json +/org3-artifacts/crypto-config/* +organizations/fabric-ca/ordererOrg/* +organizations/fabric-ca/org1/* +organizations/fabric-ca/org2/* +organizations/ordererOrganizations/* +organizations/peerOrganizations/* +system-genesis-block/* +fabcar.tar.gz +log.txt diff --git a/test-network/README.md b/test-network/README.md new file mode 100644 index 0000000000..a68c5a47a5 --- /dev/null +++ b/test-network/README.md @@ -0,0 +1,50 @@ +## Running the test network + +Use the `./network.sh` script to stand up a simple Fabric test network. The +network has two peer peer organizations with one peer each and a single node +raft ordering service. You can also use the script to create channels, and deploy +the fabcar chaincode on those channels. The test network is being introduced in +Fabric v2.0 as the long term replacement for the `first-network` sample. + +Before you can deploy the test network, you need follow the instructions to +[Install the Samples, Binaries and Docker Images](https://hyperledger-fabric.readthedocs.io/en/latest/install.html) in the Hyperledger Fabric documentation. You may experience problems if you run the +sample using a local build. + +For more information, see `./network.sh -help` +``` +Usage: + network.sh [Flags] + + - 'up' - bring up fabric orderer and peer nodes. No channel is created + - 'up createChannel' - bring up fabric network with one channel + - 'createChannel' - create and join a channel after the network is created + - 'deployCC' - deploy the fabcar chaincode on the channel + - 'down' - clear the network with docker-compose down + - 'restart' - restart the network + + Flags: + -ca - create Certificate Authorities to generate the crypto material + -c - channel name to use (defaults to "mychannel") + -s - the database backend to use: goleveldb (default) or couchdb + -r - CLI times out after certain number of attempts (defaults to 5) + -d - delay duration in seconds (defaults to 3) + -l - the programming language of the chaincode to deploy: go (default), javascript, or java + -v - chaincode version. Must be a round number, 1, 2, 3, etc + -i - the tag to be used to launch the network (defaults to "latest") + -verbose - verbose mode + network.sh -h (print this message) + + Possible Mode and flags + network.sh up -ca -c -r -d -s -i -verbose + network.sh up createChannel -ca -c -r -d -s -i -verbose + network.sh createChannel -c -r -d -verbose + network.sh deployCC -l -v -r -d -verbose + + Taking all defaults: + network.sh up + + Examples: + network.sh up createChannel -ca -c mychannel -s couchdb -i 1.4.0 + network.sh createChannel -c channelName + network.sh deployCC -l node +``` diff --git a/test-network/add-Org3/.env b/test-network/add-Org3/.env new file mode 100644 index 0000000000..a6665fed28 --- /dev/null +++ b/test-network/add-Org3/.env @@ -0,0 +1,2 @@ +COMPOSE_PROJECT_NAME=net +IMAGE_TAG=latest diff --git a/test-network/add-org3/addOrg3.sh b/test-network/add-org3/addOrg3.sh new file mode 100755 index 0000000000..9c95c3c3ff --- /dev/null +++ b/test-network/add-org3/addOrg3.sh @@ -0,0 +1,228 @@ +#!/bin/bash +# +# Copyright IBM Corp All Rights Reserved +# +# SPDX-License-Identifier: Apache-2.0 +# + +# This script extends the Hyperledger Fabric test network by adding +# adding a third organization to the network +# + +# prepending $PWD/../bin to PATH to ensure we are picking up the correct binaries +# this may be commented out to resolve installed version of tools if desired +export PATH=${PWD}/../../bin:${PWD}:$PATH +export FABRIC_CFG_PATH=${PWD} +export VERBOSE=false + +# Print the usage message +function printHelp () { + echo "Usage: " + echo " addOrg3.sh up|down|generate [-c ] [-t ] [-d ] [-f ] [-s ]" + echo " addOrg3.sh -h|--help (print this message)" + echo " - one of 'up', 'down', or 'generate'" + echo " - 'up' - add org3 to the sample network. You need to create a channel first." + echo " - 'down' - clear the network with docker-compose down" + echo " - 'generate' - generate required certificates and org definition" + echo " -c - channel name to use (defaults to \"mychannel\")" + echo " -t - CLI timeout duration in seconds (defaults to 10)" + echo " -d - delay duration in seconds (defaults to 3)" + echo " -f - specify which docker-compose file use (defaults to docker-compose-cli.yaml)" + echo " -s - the database backend to use: goleveldb (default) or couchdb" + echo " -i - the tag to be used to launch the network (defaults to \"latest\")" + echo " -v - verbose mode" + echo + echo "Typically, one would first generate the required certificates and " + echo "genesis block, then bring up the network. e.g.:" + echo + echo " eyfn.sh generate" + echo " addOrg3.sh up -c mychannel -s couchdb" + echo " addOrg3.sh up -l node" + echo " addOrg3.sh down -c mychannel" + echo + echo "Taking all defaults:" + echo " addOrg3.sh up" + echo " addOrg3.sh down" +} + +# We use the cryptogen tool to generate the cryptographic material +# (x509 certs) for the new org. After we run the tool, the certs will +# be put in the organizations folder with org1 and org2 + +# Generates Org3 certs using cryptogen tool +function generateOrg3 (){ + which cryptogen + if [ "$?" -ne 0 ]; then + echo "cryptogen tool not found. exiting" + exit 1 + fi + echo + echo "###############################################################" + echo "##### Generate Org3 certificates using cryptogen tool #########" + echo "###############################################################" + + set -x + cryptogen generate --config=org3-crypto.yaml --output="../organizations" + res=$? + set +x + if [ $res -ne 0 ]; then + echo "Failed to generate certificates..." + exit 1 + fi + echo +} + +# Generate channel configuration transaction +function generateOrg3Definition() { + which configtxgen + if [ "$?" -ne 0 ]; then + echo "configtxgen tool not found. exiting" + exit 1 + fi + echo "##########################################################" + echo "######### Generating Org3 config material ###############" + echo "##########################################################" + export FABRIC_CFG_PATH=$PWD + set -x + configtxgen -printOrg Org3MSP > ../organizations/peerOrganizations/org3.example.com/org3.json + res=$? + set +x + if [ $res -ne 0 ]; then + echo "Failed to generate Org3 config material..." + exit 1 + fi + echo +} + + + +# Generate the needed certificates, the genesis block and start the network. +function networkUp () { + # generate artifacts if they don't exist + if [ ! -d "../organizations/peerOrganizations/org3.example.com" ]; then + generateOrg3 + generateOrg3Definition + fi + # start org3 peers + if [ "${DATABASE}" == "couchdb" ]; then + IMAGE_TAG=${IMAGETAG} docker-compose -f $COMPOSE_FILE_ORG3 -f $COMPOSE_FILE_COUCH_ORG3 up -d 2>&1 + else + IMAGE_TAG=$IMAGETAG docker-compose -f $COMPOSE_FILE_ORG3 up -d 2>&1 + fi + if [ $? -ne 0 ]; then + echo "ERROR !!!! Unable to start Org3 network" + exit 1 + fi + + # Use the CLI container to create the configuration transaction needed to add + # Org3 to the network + echo + echo "###############################################################" + echo "####### Generate and submit config tx to add Org3 #############" + echo "###############################################################" + docker exec Org3cli ./scripts/org3-scripts/step1org3.sh $CHANNEL_NAME $CLI_DELAY $CLI_TIMEOUT $VERBOSE + if [ $? -ne 0 ]; then + echo "ERROR !!!! Unable to create config tx" + exit 1 + fi + + echo + echo "###############################################################" + echo "############### Have Org3 peers join network ##################" + echo "###############################################################" + docker exec Org3cli ./scripts/org3-scripts/step2org3.sh $CHANNEL_NAME $CLI_DELAY $CLI_TIMEOUT $VERBOSE + if [ $? -ne 0 ]; then + echo "ERROR !!!! Unable to have Org3 peers join network" + exit 1 + fi + +} + +# Tear down running network +function networkDown () { + + cd .. + ./network.sh down + +} + + +# If the test network is not up, abort +if [ ! -d ../organizations/peerOrganizations ]; then + echo + echo "ERROR: Please, run network.sh first." + echo + exit 1 +fi + +# Obtain the OS and Architecture string that will be used to select the correct +# native binaries for your platform +OS_ARCH=$(echo "$(uname -s|tr '[:upper:]' '[:lower:]'|sed 's/mingw64_nt.*/windows/')-$(uname -m | sed 's/x86_64/amd64/g')" | awk '{print tolower($0)}') +# timeout duration - the duration the CLI should wait for a response from +# another container before giving up +CLI_TIMEOUT=10 +#default for delay +CLI_DELAY=3 +# channel name defaults to "mychannel" +CHANNEL_NAME="mychannel" +# use this as the docker compose couch file +COMPOSE_FILE_COUCH_ORG3=docker/docker-compose-couch-org3.yaml +# use this as the default docker-compose yaml definition +COMPOSE_FILE_ORG3=docker/docker-compose-org3.yaml +# default image tag +IMAGETAG="latest" +# database +DATABASE="leveldb" + +# Parse commandline args +if [ "$1" = "-m" ];then # supports old usage, muscle memory is powerful! + shift +fi +MODE=$1;shift +# Determine whether starting, stopping, restarting or generating for announce +if [ "$MODE" == "up" ]; then + echo ="Add org3 to channel '${CHANNEL_NAME}' with '${CLI_TIMEOUT}' seconds and CLI delay of '${CLI_DELAY}' seconds and using database '${DATABASE}'" + echo +elif [ "$MODE" == "down" ]; then + EXPMODE="Stopping network" +elif [ "$MODE" == "generate" ]; then + EXPMODE="Generating certs and organization definition for Org3" +else + printHelp + exit 1 +fi +while getopts "h?c:t:d:f:s:l:i:v" opt; do + case "$opt" in + h|\?) + printHelp + exit 0 + ;; + c) CHANNEL_NAME=$OPTARG + ;; + t) CLI_TIMEOUT=$OPTARG + ;; + d) CLI_DELAY=$OPTARG + ;; + f) COMPOSE_FILE=$OPTARG + ;; + s) DATABASE=$OPTARG + ;; + i) IMAGETAG=$OPTARG + ;; + v) VERBOSE=true + ;; + esac +done + +#Create the network using docker compose +if [ "${MODE}" == "up" ]; then + networkUp +elif [ "${MODE}" == "down" ]; then ## Clear the network + networkDown +elif [ "${MODE}" == "generate" ]; then ## Generate Artifacts + generateOrg3 + generateOrg3Definition +else + printHelp + exit 1 +fi diff --git a/test-network/add-org3/configtx.yaml b/test-network/add-org3/configtx.yaml new file mode 100644 index 0000000000..ea2e815dc7 --- /dev/null +++ b/test-network/add-org3/configtx.yaml @@ -0,0 +1,42 @@ +# Copyright IBM Corp. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +# + +--- +################################################################################ +# +# Section: Organizations +# +# - This section defines the different organizational identities which will +# be referenced later in the configuration. +# +################################################################################ +Organizations: + - &Org3 + # DefaultOrg defines the organization which is used in the sampleconfig + # of the fabric.git development environment + Name: Org3MSP + + # ID to load the MSP definition as + ID: Org3MSP + + MSPDir: ../organizations/peerOrganizations/org3.example.com/msp + + Policies: + Readers: + Type: Signature + Rule: "OR('Org3MSP.admin', 'Org3MSP.peer', 'Org3MSP.client')" + Writers: + Type: Signature + Rule: "OR('Org3MSP.admin', 'Org3MSP.client')" + Admins: + Type: Signature + Rule: "OR('Org3MSP.admin')" + + AnchorPeers: + # AnchorPeers defines the location of peers which can be used + # for cross org gossip communication. Note, this value is only + # encoded in the genesis block in the Application section context + - Host: peer0.org3.example.com + Port: 11051 diff --git a/test-network/add-org3/docker/docker-compose-couch-org3.yaml b/test-network/add-org3/docker/docker-compose-couch-org3.yaml new file mode 100644 index 0000000000..912b9a8391 --- /dev/null +++ b/test-network/add-org3/docker/docker-compose-couch-org3.yaml @@ -0,0 +1,39 @@ +# Copyright IBM Corp. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +# + +version: '2' + +networks: + test: + +services: + couchdb4: + container_name: couchdb4 + image: hyperledger/fabric-couchdb + # Populate the COUCHDB_USER and COUCHDB_PASSWORD to set an admin user and password + # for CouchDB. This will prevent CouchDB from operating in an "Admin Party" mode. + environment: + - COUCHDB_USER= + - COUCHDB_PASSWORD= + # Comment/Uncomment the port mapping if you want to hide/expose the CouchDB service, + # for example map it to utilize Fauxton User Interface in dev environments. + ports: + - "9984:5984" + networks: + - test + + peer0.org3.example.com: + environment: + - CORE_LEDGER_STATE_STATEDATABASE=CouchDB + - CORE_LEDGER_STATE_COUCHDBCONFIG_COUCHDBADDRESS=couchdb4:5984 + # The CORE_LEDGER_STATE_COUCHDBCONFIG_USERNAME and CORE_LEDGER_STATE_COUCHDBCONFIG_PASSWORD + # provide the credentials for ledger to connect to CouchDB. The username and password must + # match the username and password set for the associated CouchDB. + - CORE_LEDGER_STATE_COUCHDBCONFIG_USERNAME= + - CORE_LEDGER_STATE_COUCHDBCONFIG_PASSWORD= + depends_on: + - couchdb4 + networks: + - test diff --git a/test-network/add-org3/docker/docker-compose-org3.yaml b/test-network/add-org3/docker/docker-compose-org3.yaml new file mode 100644 index 0000000000..bd14935aa1 --- /dev/null +++ b/test-network/add-org3/docker/docker-compose-org3.yaml @@ -0,0 +1,84 @@ +# Copyright IBM Corp. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +# + +version: '2' + +volumes: + peer0.org3.example.com: + +networks: + test: + +services: + + peer0.org3.example.com: + container_name: peer0.org3.example.com + image: hyperledger/fabric-peer:$IMAGE_TAG + environment: + #Generic peer variables + - CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock + # the following setting starts chaincode containers on the same + # bridge network as the peers + # https://docs.docker.com/compose/networking/ + - CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE=${COMPOSE_PROJECT_NAME}_test + - FABRIC_LOGGING_SPEC=INFO + #- FABRIC_LOGGING_SPEC=DEBUG + - CORE_PEER_TLS_ENABLED=true + - CORE_PEER_GOSSIP_USELEADERELECTION=true + - CORE_PEER_GOSSIP_ORGLEADER=false + - CORE_PEER_PROFILE_ENABLED=true + - CORE_PEER_TLS_CERT_FILE=/etc/hyperledger/fabric/tls/server.crt + - CORE_PEER_TLS_KEY_FILE=/etc/hyperledger/fabric/tls/server.key + - CORE_PEER_TLS_ROOTCERT_FILE=/etc/hyperledger/fabric/tls/ca.crt + # Peer specific variabes + - CORE_PEER_ID=peer0.org3.example.com + - CORE_PEER_ADDRESS=peer0.org3.example.com:11051 + - CORE_PEER_LISTENADDRESS=0.0.0.0:11051 + - CORE_PEER_CHAINCODEADDRESS=peer0.org3.example.com:11052 + - CORE_PEER_CHAINCODELISTENADDRESS=0.0.0.0:11052 + - CORE_PEER_GOSSIP_BOOTSTRAP=peer0.org3.example.com:12051 + - CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer0.org3.example.com:11051 + - CORE_PEER_LOCALMSPID=Org3MSP + volumes: + - /var/run/:/host/var/run/ + - ../../organizations/peerOrganizations/org3.example.com/peers/peer0.org3.example.com/msp:/etc/hyperledger/fabric/msp + - ../../organizations/peerOrganizations/org3.example.com/peers/peer0.org3.example.com/tls:/etc/hyperledger/fabric/tls + - peer0.org3.example.com:/var/hyperledger/production + working_dir: /opt/gopath/src/github.com/hyperledger/fabric/peer + command: peer node start + ports: + - 11051:11051 + networks: + - test + + Org3cli: + container_name: Org3cli + image: hyperledger/fabric-tools:$IMAGE_TAG + tty: true + stdin_open: true + environment: + - GOPATH=/opt/gopath + - CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock + - FABRIC_LOGGING_SPEC=INFO + #- FABRIC_LOGGING_SPEC=DEBUG + - CORE_PEER_ID=Org3cli + - CORE_PEER_ADDRESS=peer0.org3.example.com:11051 + - CORE_PEER_LOCALMSPID=Org3MSP + - CORE_PEER_TLS_ENABLED=true + - CORE_PEER_TLS_CERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/organizations/peerOrganizations/org3.example.com/peers/peer0.org3.example.com/tls/server.crt + - CORE_PEER_TLS_KEY_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/organizations/peerOrganizations/org3.example.com/peers/peer0.org3.example.com/tls/server.key + - CORE_PEER_TLS_ROOTCERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/organizations/peerOrganizations/org3.example.com/peers/peer0.org3.example.com/tls/ca.crt + - CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/organizations/peerOrganizations/org3.example.com/users/Admin@org3.example.com/msp + working_dir: /opt/gopath/src/github.com/hyperledger/fabric/peer + command: /bin/bash + volumes: + - /var/run/:/host/var/run/ + - ../../../chaincode/:/opt/gopath/src/github.com/chaincode + - ../../organizations:/opt/gopath/src/github.com/hyperledger/fabric/peer/organizations + - ../../scripts:/opt/gopath/src/github.com/hyperledger/fabric/peer/scripts/ + depends_on: + - peer0.org3.example.com + networks: + - test diff --git a/test-network/add-org3/org3-crypto.yaml b/test-network/add-org3/org3-crypto.yaml new file mode 100644 index 0000000000..73ae733372 --- /dev/null +++ b/test-network/add-org3/org3-crypto.yaml @@ -0,0 +1,21 @@ +# Copyright IBM Corp. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +# + +# --------------------------------------------------------------------------- +# "PeerOrgs" - Definition of organizations managing peer nodes +# --------------------------------------------------------------------------- +PeerOrgs: + # --------------------------------------------------------------------------- + # Org3 + # --------------------------------------------------------------------------- + - Name: Org3 + Domain: org3.example.com + EnableNodeOUs: true + Template: + Count: 1 + SANS: + - localhost + Users: + Count: 1 diff --git a/test-network/configtx/configtx.yaml b/test-network/configtx/configtx.yaml new file mode 100644 index 0000000000..9580184aef --- /dev/null +++ b/test-network/configtx/configtx.yaml @@ -0,0 +1,333 @@ +# Copyright IBM Corp. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +# + +--- +################################################################################ +# +# Section: Organizations +# +# - This section defines the different organizational identities which will +# be referenced later in the configuration. +# +################################################################################ +Organizations: + + # SampleOrg defines an MSP using the sampleconfig. It should never be used + # in production but may be used as a template for other definitions + - &OrdererOrg + # DefaultOrg defines the organization which is used in the sampleconfig + # of the fabric.git development environment + Name: OrdererOrg + + # ID to load the MSP definition as + ID: OrdererMSP + + # MSPDir is the filesystem path which contains the MSP configuration + MSPDir: ../organizations/ordererOrganizations/example.com/msp + + # Policies defines the set of policies at this level of the config tree + # For organization policies, their canonical path is usually + # /Channel/// + Policies: + Readers: + Type: Signature + Rule: "OR('OrdererMSP.member')" + Writers: + Type: Signature + Rule: "OR('OrdererMSP.member')" + Admins: + Type: Signature + Rule: "OR('OrdererMSP.admin')" + + - &Org1 + # DefaultOrg defines the organization which is used in the sampleconfig + # of the fabric.git development environment + Name: Org1MSP + + # ID to load the MSP definition as + ID: Org1MSP + + MSPDir: ../organizations/peerOrganizations/org1.example.com/msp + + # Policies defines the set of policies at this level of the config tree + # For organization policies, their canonical path is usually + # /Channel/// + Policies: + Readers: + Type: Signature + Rule: "OR('Org1MSP.admin', 'Org1MSP.peer', 'Org1MSP.client')" + Writers: + Type: Signature + Rule: "OR('Org1MSP.admin', 'Org1MSP.client')" + Admins: + Type: Signature + Rule: "OR('Org1MSP.admin')" + Endorsement: + Type: Signature + Rule: "OR('Org1MSP.peer')" + + # leave this flag set to true. + AnchorPeers: + # AnchorPeers defines the location of peers which can be used + # for cross org gossip communication. Note, this value is only + # encoded in the genesis block in the Application section context + - Host: peer0.org1.example.com + Port: 7051 + + - &Org2 + # DefaultOrg defines the organization which is used in the sampleconfig + # of the fabric.git development environment + Name: Org2MSP + + # ID to load the MSP definition as + ID: Org2MSP + + MSPDir: ../organizations/peerOrganizations/org2.example.com/msp + + # Policies defines the set of policies at this level of the config tree + # For organization policies, their canonical path is usually + # /Channel/// + Policies: + Readers: + Type: Signature + Rule: "OR('Org2MSP.admin', 'Org2MSP.peer', 'Org2MSP.client')" + Writers: + Type: Signature + Rule: "OR('Org2MSP.admin', 'Org2MSP.client')" + Admins: + Type: Signature + Rule: "OR('Org2MSP.admin')" + Endorsement: + Type: Signature + Rule: "OR('Org2MSP.peer')" + + AnchorPeers: + # AnchorPeers defines the location of peers which can be used + # for cross org gossip communication. Note, this value is only + # encoded in the genesis block in the Application section context + - Host: peer0.org2.example.com + Port: 9051 + +################################################################################ +# +# SECTION: Capabilities +# +# - This section defines the capabilities of fabric network. This is a new +# concept as of v1.1.0 and should not be utilized in mixed networks with +# v1.0.x peers and orderers. Capabilities define features which must be +# present in a fabric binary for that binary to safely participate in the +# fabric network. For instance, if a new MSP type is added, newer binaries +# might recognize and validate the signatures from this type, while older +# binaries without this support would be unable to validate those +# transactions. This could lead to different versions of the fabric binaries +# having different world states. Instead, defining a capability for a channel +# informs those binaries without this capability that they must cease +# processing transactions until they have been upgraded. For v1.0.x if any +# capabilities are defined (including a map with all capabilities turned off) +# then the v1.0.x peer will deliberately crash. +# +################################################################################ +Capabilities: + # Channel capabilities apply to both the orderers and the peers and must be + # supported by both. + # Set the value of the capability to true to require it. + Channel: &ChannelCapabilities + # V2_0 capability ensures that orderers and peers behave according + # to v2.0 channel capabilities. Orderers and peers from + # prior releases would behave in an incompatible way, and are therefore + # not able to participate in channels at v2.0 capability. + # Prior to enabling V2.0 channel capabilities, ensure that all + # orderers and peers on a channel are at v2.0.0 or later. + V2_0: true + + # Orderer capabilities apply only to the orderers, and may be safely + # used with prior release peers. + # Set the value of the capability to true to require it. + Orderer: &OrdererCapabilities + # V2_0 orderer capability ensures that orderers behave according + # to v2.0 orderer capabilities. Orderers from + # prior releases would behave in an incompatible way, and are therefore + # not able to participate in channels at v2.0 orderer capability. + # Prior to enabling V2.0 orderer capabilities, ensure that all + # orderers on channel are at v2.0.0 or later. + V2_0: true + + # Application capabilities apply only to the peer network, and may be safely + # used with prior release orderers. + # Set the value of the capability to true to require it. + Application: &ApplicationCapabilities + # V2_0 application capability ensures that peers behave according + # to v2.0 application capabilities. Peers from + # prior releases would behave in an incompatible way, and are therefore + # not able to participate in channels at v2.0 application capability. + # Prior to enabling V2.0 application capabilities, ensure that all + # peers on channel are at v2.0.0 or later. + V2_0: true + +################################################################################ +# +# SECTION: Application +# +# - This section defines the values to encode into a config transaction or +# genesis block for application related parameters +# +################################################################################ +Application: &ApplicationDefaults + + # Organizations is the list of orgs which are defined as participants on + # the application side of the network + Organizations: + + # Policies defines the set of policies at this level of the config tree + # For Application policies, their canonical path is + # /Channel/Application/ + Policies: + Readers: + Type: ImplicitMeta + Rule: "ANY Readers" + Writers: + Type: ImplicitMeta + Rule: "ANY Writers" + Admins: + Type: ImplicitMeta + Rule: "MAJORITY Admins" + LifecycleEndorsement: + Type: ImplicitMeta + Rule: "MAJORITY Endorsement" + Endorsement: + Type: ImplicitMeta + Rule: "MAJORITY Endorsement" + + Capabilities: + <<: *ApplicationCapabilities +################################################################################ +# +# SECTION: Orderer +# +# - This section defines the values to encode into a config transaction or +# genesis block for orderer related parameters +# +################################################################################ +Orderer: &OrdererDefaults + + # Orderer Type: The orderer implementation to start + # Available types are "solo" and "kafka" + OrdererType: etcdraft + + EtcdRaft: + Consenters: + - Host: orderer.example.com + Port: 7050 + ClientTLSCert: ../organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls/server.crt + ServerTLSCert: ../organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls/server.crt + Addresses: + - orderer.example.com:7050 + + # Batch Timeout: The amount of time to wait before creating a batch + BatchTimeout: 2s + + # Batch Size: Controls the number of messages batched into a block + BatchSize: + + # Max Message Count: The maximum number of messages to permit in a batch + MaxMessageCount: 10 + + # Absolute Max Bytes: The absolute maximum number of bytes allowed for + # the serialized messages in a batch. + AbsoluteMaxBytes: 99 MB + + # Preferred Max Bytes: The preferred maximum number of bytes allowed for + # the serialized messages in a batch. A message larger than the preferred + # max bytes will result in a batch larger than preferred max bytes. + PreferredMaxBytes: 512 KB + + # Organizations is the list of orgs which are defined as participants on + # the orderer side of the network + Organizations: + + # Policies defines the set of policies at this level of the config tree + # For Orderer policies, their canonical path is + # /Channel/Orderer/ + Policies: + Readers: + Type: ImplicitMeta + Rule: "ANY Readers" + Writers: + Type: ImplicitMeta + Rule: "ANY Writers" + Admins: + Type: ImplicitMeta + Rule: "MAJORITY Admins" + # BlockValidation specifies what signatures must be included in the block + # from the orderer for the peer to validate it. + BlockValidation: + Type: ImplicitMeta + Rule: "ANY Writers" + +################################################################################ +# +# CHANNEL +# +# This section defines the values to encode into a config transaction or +# genesis block for channel related parameters. +# +################################################################################ +Channel: &ChannelDefaults + # Policies defines the set of policies at this level of the config tree + # For Channel policies, their canonical path is + # /Channel/ + Policies: + # Who may invoke the 'Deliver' API + Readers: + Type: ImplicitMeta + Rule: "ANY Readers" + # Who may invoke the 'Broadcast' API + Writers: + Type: ImplicitMeta + Rule: "ANY Writers" + # By default, who may modify elements at this config level + Admins: + Type: ImplicitMeta + Rule: "MAJORITY Admins" + + # Capabilities describes the channel level capabilities, see the + # dedicated Capabilities section elsewhere in this file for a full + # description + Capabilities: + <<: *ChannelCapabilities + +################################################################################ +# +# Profile +# +# - Different configuration profiles may be encoded here to be specified +# as parameters to the configtxgen tool +# +################################################################################ +Profiles: + + TwoOrgsOrdererGenesis: + <<: *ChannelDefaults + Orderer: + <<: *OrdererDefaults + Organizations: + - *OrdererOrg + Capabilities: + <<: *OrdererCapabilities + Consortiums: + SampleConsortium: + Organizations: + - *Org1 + - *Org2 + TwoOrgsChannel: + Consortium: SampleConsortium + <<: *ChannelDefaults + Application: + <<: *ApplicationDefaults + Organizations: + - *Org1 + - *Org2 + Capabilities: + <<: *ApplicationCapabilities diff --git a/test-network/docker/docker-compose-ca.yaml b/test-network/docker/docker-compose-ca.yaml new file mode 100644 index 0000000000..967ec02a31 --- /dev/null +++ b/test-network/docker/docker-compose-ca.yaml @@ -0,0 +1,50 @@ +# Copyright IBM Corp. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +# + +version: '2' + +services: + + ca0: + image: hyperledger/fabric-ca:$IMAGE_TAG + environment: + - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server + - FABRIC_CA_SERVER_CA_NAME=ca-org1 + - FABRIC_CA_SERVER_TLS_ENABLED=true + - FABRIC_CA_SERVER_PORT=7054 + ports: + - "7054:7054" + command: sh -c 'fabric-ca-server start -b admin:adminpw -d' + volumes: + - ../organizations/fabric-ca/org1:/etc/hyperledger/fabric-ca-server + container_name: ca_org1 + + ca1: + image: hyperledger/fabric-ca:$IMAGE_TAG + environment: + - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server + - FABRIC_CA_SERVER_CA_NAME=ca-org2 + - FABRIC_CA_SERVER_TLS_ENABLED=true + - FABRIC_CA_SERVER_PORT=8054 + ports: + - "8054:8054" + command: sh -c 'fabric-ca-server start -b admin:adminpw -d' + volumes: + - ../organizations/fabric-ca/org2:/etc/hyperledger/fabric-ca-server + container_name: ca_org2 + + ca2: + image: hyperledger/fabric-ca:$IMAGE_TAG + environment: + - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server + - FABRIC_CA_SERVER_CA_NAME=ca-orderer + - FABRIC_CA_SERVER_TLS_ENABLED=true + - FABRIC_CA_SERVER_PORT=9054 + ports: + - "9054:9054" + command: sh -c 'fabric-ca-server start -b admin:adminpw -d' + volumes: + - ../organizations/fabric-ca/ordererOrg:/etc/hyperledger/fabric-ca-server + container_name: ca_orderer diff --git a/test-network/docker/docker-compose-couch.yaml b/test-network/docker/docker-compose-couch.yaml new file mode 100644 index 0000000000..85b14f7a8e --- /dev/null +++ b/test-network/docker/docker-compose-couch.yaml @@ -0,0 +1,64 @@ +# Copyright IBM Corp. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +# + +version: '2' + +networks: + test: + +services: + couchdb0: + container_name: couchdb0 + image: hyperledger/fabric-couchdb + # Populate the COUCHDB_USER and COUCHDB_PASSWORD to set an admin user and password + # for CouchDB. This will prevent CouchDB from operating in an "Admin Party" mode. + environment: + - COUCHDB_USER= + - COUCHDB_PASSWORD= + # Comment/Uncomment the port mapping if you want to hide/expose the CouchDB service, + # for example map it to utilize Fauxton User Interface in dev environments. + ports: + - "5984:5984" + networks: + - test + + peer0.org1.example.com: + environment: + - CORE_LEDGER_STATE_STATEDATABASE=CouchDB + - CORE_LEDGER_STATE_COUCHDBCONFIG_COUCHDBADDRESS=couchdb0:5984 + # The CORE_LEDGER_STATE_COUCHDBCONFIG_USERNAME and CORE_LEDGER_STATE_COUCHDBCONFIG_PASSWORD + # provide the credentials for ledger to connect to CouchDB. The username and password must + # match the username and password set for the associated CouchDB. + - CORE_LEDGER_STATE_COUCHDBCONFIG_USERNAME= + - CORE_LEDGER_STATE_COUCHDBCONFIG_PASSWORD= + depends_on: + - couchdb0 + + couchdb1: + container_name: couchdb1 + image: hyperledger/fabric-couchdb + # Populate the COUCHDB_USER and COUCHDB_PASSWORD to set an admin user and password + # for CouchDB. This will prevent CouchDB from operating in an "Admin Party" mode. + environment: + - COUCHDB_USER= + - COUCHDB_PASSWORD= + # Comment/Uncomment the port mapping if you want to hide/expose the CouchDB service, + # for example map it to utilize Fauxton User Interface in dev environments. + ports: + - "7984:5984" + networks: + - test + + peer0.org2.example.com: + environment: + - CORE_LEDGER_STATE_STATEDATABASE=CouchDB + - CORE_LEDGER_STATE_COUCHDBCONFIG_COUCHDBADDRESS=couchdb1:5984 + # The CORE_LEDGER_STATE_COUCHDBCONFIG_USERNAME and CORE_LEDGER_STATE_COUCHDBCONFIG_PASSWORD + # provide the credentials for ledger to connect to CouchDB. The username and password must + # match the username and password set for the associated CouchDB. + - CORE_LEDGER_STATE_COUCHDBCONFIG_USERNAME= + - CORE_LEDGER_STATE_COUCHDBCONFIG_PASSWORD= + depends_on: + - couchdb1 diff --git a/test-network/docker/docker-compose-e2e.yaml b/test-network/docker/docker-compose-e2e.yaml new file mode 100644 index 0000000000..57b9e60d05 --- /dev/null +++ b/test-network/docker/docker-compose-e2e.yaml @@ -0,0 +1,176 @@ +# Copyright IBM Corp. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +# + +version: '2' + +volumes: + orderer.example.com: + peer0.org1.example.com: + peer0.org2.example.com: + +networks: + test: + +services: + + ca0: + image: hyperledger/fabric-ca:$IMAGE_TAG + environment: + - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server + - FABRIC_CA_SERVER_CA_NAME=ca-org1 + - FABRIC_CA_SERVER_TLS_ENABLED=true + - FABRIC_CA_SERVER_PORT=7054 + ports: + - "7054:7054" + command: sh -c 'fabric-ca-server start -b admin:adminpw -d' + volumes: + - ../organizations/fabric-ca/org1:/etc/hyperledger/fabric-ca-server + container_name: ca_org1 + networks: + - test + + ca1: + image: hyperledger/fabric-ca:$IMAGE_TAG + environment: + - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server + - FABRIC_CA_SERVER_CA_NAME=ca-org2 + - FABRIC_CA_SERVER_TLS_ENABLED=true + - FABRIC_CA_SERVER_PORT=8054 + ports: + - "8054:8054" + command: sh -c 'fabric-ca-server start -b admin:adminpw -d' + volumes: + - ../organizations/fabric-ca/org2:/etc/hyperledger/fabric-ca-server + container_name: ca_org2 + networks: + - test + + ca2: + image: hyperledger/fabric-ca:$IMAGE_TAG + environment: + - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server + - FABRIC_CA_SERVER_CA_NAME=ca-orderer + - FABRIC_CA_SERVER_TLS_ENABLED=true + - FABRIC_CA_SERVER_PORT=9054 + ports: + - "9054:9054" + command: sh -c 'fabric-ca-server start -b admin:adminpw -d' + volumes: + - ../organizations/fabric-ca/ordererOrg:/etc/hyperledger/fabric-ca-server + container_name: ca_orderer + networks: + - test + + orderer.example.com: + container_name: orderer.example.com + image: hyperledger/fabric-orderer:$IMAGE_TAG + environment: + - FABRIC_LOGGING_SPEC=INFO + - ORDERER_GENERAL_LISTENADDRESS=0.0.0.0 + - ORDERER_GENERAL_GENESISMETHOD=file + - ORDERER_GENERAL_GENESISFILE=/var/hyperledger/orderer/orderer.genesis.block + - ORDERER_GENERAL_LOCALMSPID=OrdererMSP + - ORDERER_GENERAL_LOCALMSPDIR=/var/hyperledger/orderer/msp + # enabled TLS + - ORDERER_GENERAL_TLS_ENABLED=true + - ORDERER_GENERAL_TLS_PRIVATEKEY=/var/hyperledger/orderer/tls/server.key + - ORDERER_GENERAL_TLS_CERTIFICATE=/var/hyperledger/orderer/tls/server.crt + - ORDERER_GENERAL_TLS_ROOTCAS=[/var/hyperledger/orderer/tls/ca.crt] + - ORDERER_KAFKA_TOPIC_REPLICATIONFACTOR=1 + - ORDERER_KAFKA_VERBOSE=true + - ORDERER_GENERAL_CLUSTER_CLIENTCERTIFICATE=/var/hyperledger/orderer/tls/server.crt + - ORDERER_GENERAL_CLUSTER_CLIENTPRIVATEKEY=/var/hyperledger/orderer/tls/server.key + - ORDERER_GENERAL_CLUSTER_ROOTCAS=[/var/hyperledger/orderer/tls/ca.crt] + working_dir: /opt/gopath/src/github.com/hyperledger/fabric + command: orderer + volumes: + - ../system-genesis-block/genesis.block:/var/hyperledger/orderer/orderer.genesis.block + - ../organizations/ordererOrganizations/example.com/orderers/orderer.example.com/msp:/var/hyperledger/orderer/msp + - ../organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls/:/var/hyperledger/orderer/tls + - orderer.example.com:/var/hyperledger/production/orderer + ports: + - 7050:7050 + networks: + - test + + peer0.org1.example.com: + container_name: peer0.org1.example.com + image: hyperledger/fabric-peer:$IMAGE_TAG + environment: + #Generic peer variables + - CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock + # the following setting starts chaincode containers on the same + # bridge network as the peers + # https://docs.docker.com/compose/networking/ + - CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE=${COMPOSE_PROJECT_NAME}_test + - FABRIC_LOGGING_SPEC=INFO + #- FABRIC_LOGGING_SPEC=DEBUG + - CORE_PEER_TLS_ENABLED=true + - CORE_PEER_GOSSIP_USELEADERELECTION=true + - CORE_PEER_GOSSIP_ORGLEADER=false + - CORE_PEER_PROFILE_ENABLED=true + - CORE_PEER_TLS_CERT_FILE=/etc/hyperledger/fabric/tls/server.crt + - CORE_PEER_TLS_KEY_FILE=/etc/hyperledger/fabric/tls/server.key + - CORE_PEER_TLS_ROOTCERT_FILE=/etc/hyperledger/fabric/tls/ca.crt + # Peer specific variabes + - CORE_PEER_ID=peer0.org1.example.com + - CORE_PEER_ADDRESS=peer0.org1.example.com:7051 + - CORE_PEER_LISTENADDRESS=0.0.0.0:7051 + - CORE_PEER_CHAINCODEADDRESS=peer0.org1.example.com:7052 + - CORE_PEER_CHAINCODELISTENADDRESS=0.0.0.0:7052 + - CORE_PEER_GOSSIP_BOOTSTRAP=peer0.org1.example.com:7051 + - CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer0.org1.example.com:7051 + - CORE_PEER_LOCALMSPID=Org1MSP + volumes: + - /var/run/:/host/var/run/ + - ../organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp:/etc/hyperledger/fabric/msp + - ../organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls:/etc/hyperledger/fabric/tls + - peer0.org1.example.com:/var/hyperledger/production + working_dir: /opt/gopath/src/github.com/hyperledger/fabric/peer + command: peer node start + ports: + - 7051:7051 + networks: + - test + + peer0.org2.example.com: + container_name: peer0.org2.example.com + image: hyperledger/fabric-peer:$IMAGE_TAG + environment: + #Generic peer variables + - CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock + # the following setting starts chaincode containers on the same + # bridge network as the peers + # https://docs.docker.com/compose/networking/ + - CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE=${COMPOSE_PROJECT_NAME}_test + - FABRIC_LOGGING_SPEC=INFO + #- FABRIC_LOGGING_SPEC=DEBUG + - CORE_PEER_TLS_ENABLED=true + - CORE_PEER_GOSSIP_USELEADERELECTION=true + - CORE_PEER_GOSSIP_ORGLEADER=false + - CORE_PEER_PROFILE_ENABLED=true + - CORE_PEER_TLS_CERT_FILE=/etc/hyperledger/fabric/tls/server.crt + - CORE_PEER_TLS_KEY_FILE=/etc/hyperledger/fabric/tls/server.key + - CORE_PEER_TLS_ROOTCERT_FILE=/etc/hyperledger/fabric/tls/ca.crt + # Peer specific variabes + - CORE_PEER_ID=peer0.org2.example.com + - CORE_PEER_ADDRESS=peer0.org2.example.com:9051 + - CORE_PEER_LISTENADDRESS=0.0.0.0:9051 + - CORE_PEER_CHAINCODEADDRESS=peer0.org2.example.com:9052 + - CORE_PEER_CHAINCODELISTENADDRESS=0.0.0.0:9052 + - CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer0.org2.example.com:9051 + - CORE_PEER_GOSSIP_BOOTSTRAP=peer0.org2.example.com:9051 + - CORE_PEER_LOCALMSPID=Org2MSP + volumes: + - /var/run/:/host/var/run/ + - ../organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/msp:/etc/hyperledger/fabric/msp + - ../organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls:/etc/hyperledger/fabric/tls + - peer0.org2.example.com:/var/hyperledger/production + working_dir: /opt/gopath/src/github.com/hyperledger/fabric/peer + command: peer node start + ports: + - 9051:9051 + networks: + - test diff --git a/test-network/docker/docker-compose-test-net.yaml b/test-network/docker/docker-compose-test-net.yaml new file mode 100644 index 0000000000..278248f296 --- /dev/null +++ b/test-network/docker/docker-compose-test-net.yaml @@ -0,0 +1,128 @@ +# Copyright IBM Corp. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +# + +version: '2' + +volumes: + orderer.example.com: + peer0.org1.example.com: + peer0.org2.example.com: + +networks: + test: + +services: + + orderer.example.com: + container_name: orderer.example.com + image: hyperledger/fabric-orderer:$IMAGE_TAG + environment: + - FABRIC_LOGGING_SPEC=INFO + - ORDERER_GENERAL_LISTENADDRESS=0.0.0.0 + - ORDERER_GENERAL_GENESISMETHOD=file + - ORDERER_GENERAL_GENESISFILE=/var/hyperledger/orderer/orderer.genesis.block + - ORDERER_GENERAL_LOCALMSPID=OrdererMSP + - ORDERER_GENERAL_LOCALMSPDIR=/var/hyperledger/orderer/msp + # enabled TLS + - ORDERER_GENERAL_TLS_ENABLED=true + - ORDERER_GENERAL_TLS_PRIVATEKEY=/var/hyperledger/orderer/tls/server.key + - ORDERER_GENERAL_TLS_CERTIFICATE=/var/hyperledger/orderer/tls/server.crt + - ORDERER_GENERAL_TLS_ROOTCAS=[/var/hyperledger/orderer/tls/ca.crt] + - ORDERER_KAFKA_TOPIC_REPLICATIONFACTOR=1 + - ORDERER_KAFKA_VERBOSE=true + - ORDERER_GENERAL_CLUSTER_CLIENTCERTIFICATE=/var/hyperledger/orderer/tls/server.crt + - ORDERER_GENERAL_CLUSTER_CLIENTPRIVATEKEY=/var/hyperledger/orderer/tls/server.key + - ORDERER_GENERAL_CLUSTER_ROOTCAS=[/var/hyperledger/orderer/tls/ca.crt] + working_dir: /opt/gopath/src/github.com/hyperledger/fabric + command: orderer + volumes: + - ../system-genesis-block/genesis.block:/var/hyperledger/orderer/orderer.genesis.block + - ../organizations/ordererOrganizations/example.com/orderers/orderer.example.com/msp:/var/hyperledger/orderer/msp + - ../organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls/:/var/hyperledger/orderer/tls + - orderer.example.com:/var/hyperledger/production/orderer + ports: + - 7050:7050 + networks: + - test + + peer0.org1.example.com: + container_name: peer0.org1.example.com + image: hyperledger/fabric-peer:$IMAGE_TAG + environment: + #Generic peer variables + - CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock + # the following setting starts chaincode containers on the same + # bridge network as the peers + # https://docs.docker.com/compose/networking/ + - CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE=${COMPOSE_PROJECT_NAME}_test + - FABRIC_LOGGING_SPEC=INFO + #- FABRIC_LOGGING_SPEC=DEBUG + - CORE_PEER_TLS_ENABLED=true + - CORE_PEER_GOSSIP_USELEADERELECTION=true + - CORE_PEER_GOSSIP_ORGLEADER=false + - CORE_PEER_PROFILE_ENABLED=true + - CORE_PEER_TLS_CERT_FILE=/etc/hyperledger/fabric/tls/server.crt + - CORE_PEER_TLS_KEY_FILE=/etc/hyperledger/fabric/tls/server.key + - CORE_PEER_TLS_ROOTCERT_FILE=/etc/hyperledger/fabric/tls/ca.crt + # Peer specific variabes + - CORE_PEER_ID=peer0.org1.example.com + - CORE_PEER_ADDRESS=peer0.org1.example.com:7051 + - CORE_PEER_LISTENADDRESS=0.0.0.0:7051 + - CORE_PEER_CHAINCODEADDRESS=peer0.org1.example.com:7052 + - CORE_PEER_CHAINCODELISTENADDRESS=0.0.0.0:7052 + - CORE_PEER_GOSSIP_BOOTSTRAP=peer0.org1.example.com:7051 + - CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer0.org1.example.com:7051 + - CORE_PEER_LOCALMSPID=Org1MSP + volumes: + - /var/run/:/host/var/run/ + - ../organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp:/etc/hyperledger/fabric/msp + - ../organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls:/etc/hyperledger/fabric/tls + - peer0.org1.example.com:/var/hyperledger/production + working_dir: /opt/gopath/src/github.com/hyperledger/fabric/peer + command: peer node start + ports: + - 7051:7051 + networks: + - test + + peer0.org2.example.com: + container_name: peer0.org2.example.com + image: hyperledger/fabric-peer:$IMAGE_TAG + environment: + #Generic peer variables + - CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock + # the following setting starts chaincode containers on the same + # bridge network as the peers + # https://docs.docker.com/compose/networking/ + - CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE=${COMPOSE_PROJECT_NAME}_test + - FABRIC_LOGGING_SPEC=INFO + #- FABRIC_LOGGING_SPEC=DEBUG + - CORE_PEER_TLS_ENABLED=true + - CORE_PEER_GOSSIP_USELEADERELECTION=true + - CORE_PEER_GOSSIP_ORGLEADER=false + - CORE_PEER_PROFILE_ENABLED=true + - CORE_PEER_TLS_CERT_FILE=/etc/hyperledger/fabric/tls/server.crt + - CORE_PEER_TLS_KEY_FILE=/etc/hyperledger/fabric/tls/server.key + - CORE_PEER_TLS_ROOTCERT_FILE=/etc/hyperledger/fabric/tls/ca.crt + # Peer specific variabes + - CORE_PEER_ID=peer0.org2.example.com + - CORE_PEER_ADDRESS=peer0.org2.example.com:9051 + - CORE_PEER_LISTENADDRESS=0.0.0.0:9051 + - CORE_PEER_CHAINCODEADDRESS=peer0.org2.example.com:9052 + - CORE_PEER_CHAINCODELISTENADDRESS=0.0.0.0:9052 + - CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer0.org2.example.com:9051 + - CORE_PEER_GOSSIP_BOOTSTRAP=peer0.org2.example.com:9051 + - CORE_PEER_LOCALMSPID=Org2MSP + volumes: + - /var/run/:/host/var/run/ + - ../organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/msp:/etc/hyperledger/fabric/msp + - ../organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls:/etc/hyperledger/fabric/tls + - peer0.org2.example.com:/var/hyperledger/production + working_dir: /opt/gopath/src/github.com/hyperledger/fabric/peer + command: peer node start + ports: + - 9051:9051 + networks: + - test diff --git a/test-network/network.sh b/test-network/network.sh new file mode 100755 index 0000000000..8ece694c13 --- /dev/null +++ b/test-network/network.sh @@ -0,0 +1,573 @@ +#!/bin/bash +# +# Copyright IBM Corp All Rights Reserved +# +# SPDX-License-Identifier: Apache-2.0 +# + +# This script brings up a Hyperledger Fabric network for testing smart contracts +# and applications. The test network consists of two organizations with one +# peer each, and a single node Raft ordering service. Users can also use this +# script to create a channel deploy a chaincode on the channel +# +# prepending $PWD/../bin to PATH to ensure we are picking up the correct binaries +# this may be commented out to resolve installed version of tools if desired +export PATH=${PWD}/../bin:${PWD}:$PATH +export FABRIC_CFG_PATH=${PWD}/configtx +export VERBOSE=false + +# Print the usage message +function printHelp() { + echo "Usage: " + echo " network.sh [Flags]" + echo " " + echo " - 'up' - bring up fabric orderer and peer nodes. No channel is created" + echo " - 'up createChannel' - bring up fabric network with one channel" + echo " - 'createChannel' - create and join a channel after the network is created" + echo " - 'deployCC' - deploy the fabcar chaincode on the channel" + echo " - 'down' - clear the network with docker-compose down" + echo " - 'restart' - restart the network" + echo + echo " Flags:" + echo " -ca - create Certificate Authorities to generate the crypto material" + echo " -c - channel name to use (defaults to \"mychannel\")" + echo " -s - the database backend to use: goleveldb (default) or couchdb" + echo " -r - CLI times out after certain number of attempts (defaults to 5)" + echo " -d - delay duration in seconds (defaults to 3)" + echo " -l - the programming language of the chaincode to deploy: go (default), javascript, or java" + echo " -v - chaincode version. Must be a round number, 1, 2, 3, etc" + echo " -i - the tag to be used to launch the network (defaults to \"latest\")" + echo " -verbose - verbose mode" + echo " network.sh -h (print this message)" + echo + echo " Possible Mode and flags" + echo " network.sh up -ca -c -r -d -s -i -verbose" + echo " network.sh up createChannel -ca -c -r -d -s -i -verbose" + echo " network.sh createChannel -c -r -d -verbose" + echo " network.sh deployCC -l -v -r -d -verbose" + echo + echo " Taking all defaults:" + echo " network.sh up" + echo + echo " Examples:" + echo " network.sh up createChannel -ca -c mychannel -s couchdb -i 1.4.0" + echo " network.sh createChannel -c channelName" + echo " network.sh deployCC -l node" +} + +# Obtain CONTAINER_IDS and remove them +# TODO Might want to make this optional - could clear other containers +# This function is called when you bring a network down +function clearContainers() { + CONTAINER_IDS=$(docker ps -a | awk '($2 ~ /dev-peer.*/) {print $1}') + if [ -z "$CONTAINER_IDS" -o "$CONTAINER_IDS" == " " ]; then + echo "---- No containers available for deletion ----" + else + docker rm -f $CONTAINER_IDS + fi +} + +# Delete any images that were generated as a part of this setup +# specifically the following images are often left behind: +# This function is called when you bring the network down +function removeUnwantedImages() { + DOCKER_IMAGE_IDS=$(docker images | awk '($1 ~ /dev-peer.*/) {print $3}') + if [ -z "$DOCKER_IMAGE_IDS" -o "$DOCKER_IMAGE_IDS" == " " ]; then + echo "---- No images available for deletion ----" + else + docker rmi -f $DOCKER_IMAGE_IDS + fi +} + +# Versions of fabric known not to work with this release of first-network +BLACKLISTED_VERSIONS="^1\.0\. ^1\.1\.0-preview ^1\.1\.0-alpha" + +# Do some basic sanity checking to make sure that the appropriate versions of fabric +# binaries/images are available. In the future, additional checking for the presence +# of go or other items could be added. +function checkPrereqs() { + ## Check if your have cloned the peer binaries and configuration files. + peer version > /dev/null 2>&1 + + if [[ $? -ne 0 || ! -d "../config" ]]; then + echo "ERROR! Peer binary and configuration files not found.." + echo + echo "Follow the instructions in the Fabric docs to install the Fabric Binaries:" + echo "https://hyperledger-fabric.readthedocs.io/en/latest/install.html" + exit 1 + fi + # use the fabric tools container to see if the samples and binaries match your + # docker images + LOCAL_VERSION=$(peer version | sed -ne 's/ Version: //p') + DOCKER_IMAGE_VERSION=$(docker run --rm hyperledger/fabric-tools:$IMAGETAG peer version | sed -ne 's/ Version: //p' | head -1) + + echo "LOCAL_VERSION=$LOCAL_VERSION" + echo "DOCKER_IMAGE_VERSION=$DOCKER_IMAGE_VERSION" + + if [ "$LOCAL_VERSION" != "$DOCKER_IMAGE_VERSION" ]; then + echo "=================== WARNING ===================" + echo " Local fabric binaries and docker images are " + echo " out of sync. This may cause problems. " + echo "===============================================" + fi + + for UNSUPPORTED_VERSION in $BLACKLISTED_VERSIONS; do + echo "$LOCAL_VERSION" | grep -q $UNSUPPORTED_VERSION + if [ $? -eq 0 ]; then + echo "ERROR! Local Fabric binary version of $LOCAL_VERSION does not match this newer version of the network and is unsupported. Either move to a later version of Fabric or checkout an earlier version of fabric-samples." + exit 1 + fi + + echo "$DOCKER_IMAGE_VERSION" | grep -q $UNSUPPORTED_VERSION + if [ $? -eq 0 ]; then + echo "ERROR! Fabric Docker image version of $DOCKER_IMAGE_VERSION does not match this newer version of the network and is unsupported. Either move to a later version of Fabric or checkout an earlier version of fabric-samples." + exit 1 + fi + done +} + + +# Before you can bring up a network, each organization needs to generate the crypto +# material that will define that organization on the network. Because Hyperledger +# Fabric is a permissioned blockchain, each node and user on the network needs to +# use certificates and keys to sign and verify its actions. In addition, each user +# needs to belong to an organization that is recognized as a member of the network. +# You can use the Cryptogen tool or Fabric CAs to generate the organization crypto +# material. + +# By default, the sample network uses cryptogen. Cryptogen is a tool that is +# meant for development and testing that can quicky create the certificates and keys +# that can be consumed by a Fabric network. The cryptogen tool consumes a series +# of configuration files for each organization in the "organizations/cryptogen" +# directory. Cryptogen uses the files to generate the crypto material for each +# org in the "organizations" directory. + +# You can also Fabric CAs to generate the crypto material. CAs sign the certificates +# and keys that they generate to create a valid root of trust for each organization. +# The script uses Docker Compose to bring up three CAs, one for each peer organization +# and the ordering organization. The configuration file for creating the Fabric CA +# servers are in the "organizations/fabric-ca" directory. Within the same diectory, +# the "registerEnroll.sh" script uses the Fabric CA client to create the identites, +# certificates, and MSP folders that are needed to create the test network in the +# "organizations/ordererOrganizations" directory. + +# Create Organziation crypto material using cryptogen or CAs +function createOrgs() { + + if [ -d "organizations/peerOrganizations" ]; then + rm -Rf organizations/peerOrganizations && rm -Rf organizations/ordererOrganizations + fi + + # Create crypto material using cryptogen + if [ "$CRYPTO" == "cryptogen" ]; then + which cryptogen + if [ "$?" -ne 0 ]; then + echo "cryptogen tool not found. exiting" + exit 1 + fi + echo + echo "##########################################################" + echo "##### Generate certificates using cryptogen tool #########" + echo "##########################################################" + echo + + echo "##########################################################" + echo "############ Create Org1 Identities ######################" + echo "##########################################################" + + set -x + cryptogen generate --config=./organizations/cryptogen/crypto-config-org1.yaml --output="organizations" + res=$? + set +x + if [ $res -ne 0 ]; then + echo "Failed to generate certificates..." + exit 1 + fi + + echo "##########################################################" + echo "############ Create Org2 Identities ######################" + echo "##########################################################" + + set -x + cryptogen generate --config=./organizations/cryptogen/crypto-config-org2.yaml --output="organizations" + res=$? + set +x + if [ $res -ne 0 ]; then + echo "Failed to generate certificates..." + exit 1 + fi + + echo "##########################################################" + echo "############ Create Orderer Org Identities ###############" + echo "##########################################################" + + set -x + cryptogen generate --config=./organizations/cryptogen/crypto-config-orderer.yaml --output="organizations" + res=$? + set +x + if [ $res -ne 0 ]; then + echo "Failed to generate certificates..." + exit 1 + fi + + fi + + # Create crypto material using Fabric CAs + if [ "$CRYPTO" == "Certificate Authorities" ]; then + + fabric-ca-client version > /dev/null 2>&1 + if [ $? -ne 0 ]; then + echo "Fabric CA client not found locally, downloading..." + cd .. + curl -s -L "https://github.com/hyperledger/fabric-ca/releases/download/v1.4.4/hyperledger-fabric-ca-${OS_ARCH}-1.4.4.tar.gz" | tar xz || rc=$? + if [ -n "$rc" ]; then + echo "==> There was an error downloading the binary file." + echo "fabric-ca-client binary is not available to download" + else + echo "==> Done." + cd test-network + fi + fi + + echo + echo "##########################################################" + echo "##### Generate certificates using Fabric CA's ############" + echo "##########################################################" + + IMAGE_TAG=$IMAGETAG docker-compose -f $COMPOSE_FILE_CA up -d 2>&1 + + . organizations/fabric-ca/registerEnroll.sh + + sleep 10 + + echo "##########################################################" + echo "############ Create Org1 Identities ######################" + echo "##########################################################" + + createOrg1 + + echo "##########################################################" + echo "############ Create Org2 Identities ######################" + echo "##########################################################" + + createOrg2 + + echo "##########################################################" + echo "############ Create Orderer Org Identities ###############" + echo "##########################################################" + + createOrderer + + fi + + echo + echo "Generate CCP files for Org1 and Org2" + ./organizations/ccp-generate.sh +} + +# Once you create the organization crypto material, you need to create the +# genesis block of the orderer system channel. This block is required to bring +# up any orderer nodes and create any application channels. + +# The configtxgen tool is used to create the genesis block. Configtxgen consumes a +# "configtx.yaml" file that contains the definitions for the sample network. The +# genesis block is defiend using the "TwoOrgsOrdererGenesis" profile at the bottom +# of the file. This profile defines a sample consortium, "SampleConsortium", +# consisting of our two Peer Orgs. This consortium defines which organizations are +# recognized as members of the network. The peer and ordering organizations are defined +# in the "Profiles" section at the top of the file. As part of each organization +# profile, the file points to a the location of the MSP directory for each member. +# This MSP is used to create the channel MSP that defines the root of trust for +# each organization. In essense, the channel MSP allows the nodes and users to be +# recognized as network members. The file also specifies the anchor peers for each +# peer org. In future steps, this same file is used to create the channel creation +# transaction and the anchor peer updates. +# +# +# If you receive the following warning, it can be safely ignored: +# +# [bccsp] GetDefault -> WARN 001 Before using BCCSP, please call InitFactories(). Falling back to bootBCCSP. +# +# You can ignore the logs regarding intermediate certs, we are not using them in +# this crypto implementation. + +# Generate orderer system channel genesis block. +function createConsortium() { + + which configtxgen + if [ "$?" -ne 0 ]; then + echo "configtxgen tool not found. exiting" + exit 1 + fi + + echo "######### Generating Orderer Genesis block ##############" + + # Note: For some unknown reason (at least for now) the block file can't be + # named orderer.genesis.block or the orderer will fail to launch! + set -x + configtxgen -profile TwoOrgsOrdererGenesis -channelID system-channel -outputBlock ./system-genesis-block/genesis.block + res=$? + set +x + if [ $res -ne 0 ]; then + echo "Failed to generate orderer genesis block..." + exit 1 + fi +} + +# After we create the org crypto material and the system channel genesis block, +# we can now bring up the peers and orderering service. By default, the base +# file for creating the network is "docker-compose-test-net.yaml" in the ``docker`` +# folder. This file defines the environment variables and file mounts that +# point the crypto material and genesis block that were created in earlier. + +# Bring up the peer and orderer nodes using docker compose. +function networkUp() { + + checkPrereqs + # generate artifacts if they don't exist + if [ ! -d "organizations/peerOrganizations" ]; then + createOrgs + createConsortium + fi + + COMPOSE_FILES="-f ${COMPOSE_FILE_BASE}" + + if [ "${DATABASE}" == "couchdb" ]; then + COMPOSE_FILES="${COMPOSE_FILES} -f ${COMPOSE_FILE_COUCH}" + fi + + IMAGE_TAG=$IMAGETAG docker-compose ${COMPOSE_FILES} up -d 2>&1 + + docker ps -a + if [ $? -ne 0 ]; then + echo "ERROR !!!! Unable to start network" + exit 1 + fi +} + +## call the script to join create the channel and join the peers of org1 and org2 +function createChannel() { + +## Bring up the network if it is not arleady up. + + CONTAINER_IDS=$(docker ps -a | awk '($2 ~ /fabric-peer/) {print $1}') + if [ -z "$CONTAINER_IDS" -o "$CONTAINER_IDS" == " " ]; then + echo "Bringing up network" + networkUp + fi + + # now run the script that creates a channel. This script uses configtxgen once + # more to create the channel creation transaction and the anchor peer updates. + # configtx.yaml is mounted in the cli container, which allows us to use it to + # create the channel artifacts + scripts/createChannel.sh $CHANNEL_NAME $CLI_DELAY $MAX_RETRY $VERBOSE + if [ $? -ne 0 ]; then + echo "Error !!! Create channel failed" + exit 1 + fi + +} + +## Call the script to isntall and instantiate a chaincode on the channel +function deployCC() { + + if [ "$CC_RUNTIME_LANGUAGE" = "go" -o "$CC_RUNTIME_LANGUAGE" = "golang" ]; then + echo Vendoring Go dependencies ... + pushd ../chaincode/fabcar/go + GO111MODULE=on go mod vendor + popd + echo Finished vendoring Go dependencies + fi + + scripts/deployCC.sh $CHANNEL_NAME $CC_RUNTIME_LANGUAGE $VERSION $CLI_DELAY $MAX_RETRY $VERBOSE + + if [ $? -ne 0 ]; then + echo "ERROR !!! Deploying chaincode failed" + exit 1 + fi + + exit 0 +} + + +# Tear down running network +function networkDown() { + # stop org3 containers also in addition to org1 and org2, in case we were running sample to add org3 + docker-compose -f $COMPOSE_FILE_BASE -f $COMPOSE_FILE_COUCH -f $COMPOSE_FILE_CA down --volumes --remove-orphans + docker-compose -f $COMPOSE_FILE_COUCH_ORG3 -f $COMPOSE_FILE_ORG3 down --volumes --remove-orphans + # Don't remove the generated artifacts -- note, the ledgers are always removed + if [ "$MODE" != "restart" ]; then + # Bring down the network, deleting the volumes + #Delete any ledger backups + docker run -v $PWD:/tmp/first-network --rm hyperledger/fabric-tools:$IMAGETAG rm -Rf /tmp/first-network/ledgers-backup + #Cleanup the chaincode containers + clearContainers + #Cleanup images + removeUnwantedImages + # remove orderer block and other channel configuration transactions and certs + rm -rf system-genesis-block/*.block organizations/peerOrganizations organizations/ordererOrganizations + ## remove fabric ca artifacts + rm -rf organizations/fabric-ca/org1/msp organizations/fabric-ca/org1/tls-cert.pem organizations/fabric-ca/org1/ca-cert.pem organizations/fabric-ca/org1/issuerPublicKey organizations/fabric-ca/org1/issuerRevocationPublicKey organizations/fabric-ca/org1/fabric-ca-server.db + rm -rf organizations/fabric-ca/org2/msp organizations/fabric-ca/org2/tls-cert.pem organizations/fabric-ca/org2/ca-cert.pem organizations/fabric-ca/org2/issuerPublicKey organizations/fabric-ca/org2/issuerRevocationPublicKey organizations/fabric-ca/org2/fabric-ca-server.db + rm -rf organizations/fabric-ca/ordererOrg/msp organizations/fabric-ca/ordererOrg/tls-cert.pem organizations/fabric-ca/ordererOrg/ca-cert.pem organizations/fabric-ca/ordererOrg/issuerPublicKey organizations/fabric-ca/ordererOrg/issuerRevocationPublicKey organizations/fabric-ca/ordererOrg/fabric-ca-server.db + # remove channel and script artifacts + rm -rf channel-artifacts log.txt fabcar.tar.gz fabcar + + fi +} + +# Obtain the OS and Architecture string that will be used to select the correct +# native binaries for your platform, e.g., darwin-amd64 or linux-amd64 +OS_ARCH=$(echo "$(uname -s | tr '[:upper:]' '[:lower:]' | sed 's/mingw64_nt.*/windows/')-$(uname -m | sed 's/x86_64/amd64/g')" | awk '{print tolower($0)}') +# Using crpto vs CA. default is cryptogen +CRYPTO="cryptogen" +# timeout duration - the duration the CLI should wait for a response from +# another container before giving up +MAX_RETRY=5 +# default for delay between commands +CLI_DELAY=3 +# channel name defaults to "mychannel" +CHANNEL_NAME="mychannel" +# use this as the default docker-compose yaml definition +COMPOSE_FILE_BASE=docker/docker-compose-test-net.yaml +# docker-compose.yaml file if you are using couchdb +COMPOSE_FILE_COUCH=docker/docker-compose-couch.yaml +# certificate authorities compose file +COMPOSE_FILE_CA=docker/docker-compose-ca.yaml +# use this as the docker compose couch file for org3 +COMPOSE_FILE_COUCH_ORG3=add-org3/docker/docker-compose-couch-org3.yaml +# use this as the default docker-compose yaml definition for org3 +COMPOSE_FILE_ORG3=add-org3/docker/docker-compose-org3.yaml +# +# use golang as the default language for chaincode +CC_RUNTIME_LANGUAGE=golang +# Chaincode version +VERSION=1 +# Chaincode source path +CC_SRC_PATH="../chaincode/fabcar/go/" +# default image tag +IMAGETAG="latest" +# default database +DATABASE="leveldb" + +# Parse commandline args + +## Parse mode +if [[ $# -lt 1 ]] ; then + printHelp + exit 0 +else + MODE=$1 + shift +fi + +# parse a createChannel subcommand if used +if [[ $# -ge 1 ]] ; then + key="$1" + if [[ "$key" == "createChannel" ]]; then + export MODE="createChannel" + shift + fi +fi + +# parse flags + +while [[ $# -ge 1 ]] ; do + key="$1" + case $key in + -h ) + printHelp + exit 0 + ;; + + -c ) + CHANNEL_NAME="$2" + shift + ;; + -ca ) + CRYPTO="Certificate Authorities" + ;; + -r ) + MAX_RETRY="$2" + shift + ;; + -d ) + CLI_DELAY="$2" + shift + ;; + -s ) + DATABASE="$2" + shift + ;; + -l ) + CC_RUNTIME_LANGUAGE="$2" + shift + ;; + -v ) + VERSION="$2" + shift + ;; + -i ) + IMAGETAG=$(go env GOARCH)"-""$2" + shift + ;; + -verbose ) + VERBOSE=true + shift + ;; + * ) + echo + echo "Unknown flag: $key" + echo + printHelp + exit 1 + ;; + esac + shift +done + +# Are we generating crypto material with this command? +if [ ! -d "organizations/peerOrganizations" ]; then + CRYPTO_MODE="with crypto from '${CRYPTO}'" +else + CRYPTO_MODE="" +fi + +# Determine mode of operation and printing out what we asked for +if [ "$MODE" == "up" ]; then + echo "Starting nodes with CLI timeout of '${MAX_RETRY}' tries and CLI delay of '${CLI_DELAY}' seconds and using database '${DATABASE}' ${CRYPTO_MODE}" + echo +elif [ "$MODE" == "createChannel" ]; then + echo "Creating channel '${CHANNEL_NAME}'." + echo + echo "If network is not up, starting nodes with CLI timeout of '${MAX_RETRY}' tries and CLI delay of '${CLI_DELAY}' seconds and using database '${DATABASE} ${CRYPTO_MODE}" + echo +elif [ "$MODE" == "down" ]; then + echo "Stopping network" + echo +elif [ "$MODE" == "restart" ]; then + echo "Restarting network" + echo +elif [ "$MODE" == "deployCC" ]; then + echo "deploying chaincode on channel '${CHANNEL_NAME}'" + echo +else + printHelp + exit 1 +fi + +if [ "${MODE}" == "up" ]; then + networkUp +elif [ "${MODE}" == "createChannel" ]; then + createChannel +elif [ "${MODE}" == "deployCC" ]; then + deployCC +elif [ "${MODE}" == "down" ]; then + networkDown +elif [ "${MODE}" == "restart" ]; then + networkDown + networkUp +else + printHelp + exit 1 +fi diff --git a/test-network/organizations/ccp-generate.sh b/test-network/organizations/ccp-generate.sh new file mode 100755 index 0000000000..1d072ea797 --- /dev/null +++ b/test-network/organizations/ccp-generate.sh @@ -0,0 +1,49 @@ +#!/bin/bash + +function one_line_pem { + echo "`awk 'NF {sub(/\\n/, ""); printf "%s\\\\\\\n",$0;}' $1`" +} + +function json_ccp { + local PP=$(one_line_pem $5) + local CP=$(one_line_pem $6) + sed -e "s/\${ORG}/$1/" \ + -e "s/\${P0PORT}/$2/" \ + -e "s/\${P1PORT}/$3/" \ + -e "s/\${CAPORT}/$4/" \ + -e "s#\${PEERPEM}#$PP#" \ + -e "s#\${CAPEM}#$CP#" \ + organizations/ccp-template.json +} + +function yaml_ccp { + local PP=$(one_line_pem $5) + local CP=$(one_line_pem $6) + sed -e "s/\${ORG}/$1/" \ + -e "s/\${P0PORT}/$2/" \ + -e "s/\${P1PORT}/$3/" \ + -e "s/\${CAPORT}/$4/" \ + -e "s#\${PEERPEM}#$PP#" \ + -e "s#\${CAPEM}#$CP#" \ + organizations/ccp-template.yaml | sed -e $'s/\\\\n/\\\n /g' +} + +ORG=1 +P0PORT=7051 +P1PORT=8051 +CAPORT=7054 +PEERPEM=organizations/peerOrganizations/org1.example.com/tlsca/tlsca.org1.example.com-cert.pem +CAPEM=organizations/peerOrganizations/org1.example.com/ca/ca.org1.example.com-cert.pem + +echo "$(json_ccp $ORG $P0PORT $P1PORT $CAPORT $PEERPEM $CAPEM)" > organizations/peerOrganizations/org1.example.com/connection-org1.json +echo "$(yaml_ccp $ORG $P0PORT $P1PORT $CAPORT $PEERPEM $CAPEM)" > organizations/peerOrganizations/org1.example.com/connection-org1.yaml + +ORG=2 +P0PORT=9051 +P1PORT=10051 +CAPORT=8054 +PEERPEM=organizations/peerOrganizations/org2.example.com/tlsca/tlsca.org2.example.com-cert.pem +CAPEM=organizations/peerOrganizations/org2.example.com/ca/ca.org2.example.com-cert.pem + +echo "$(json_ccp $ORG $P0PORT $P1PORT $CAPORT $PEERPEM $CAPEM)" > organizations/peerOrganizations/org2.example.com/connection-org2.json +echo "$(yaml_ccp $ORG $P0PORT $P1PORT $CAPORT $PEERPEM $CAPEM)" > organizations/peerOrganizations/org2.example.com/connection-org2.yaml diff --git a/test-network/organizations/ccp-template.json b/test-network/organizations/ccp-template.json new file mode 100644 index 0000000000..243f0ccdcd --- /dev/null +++ b/test-network/organizations/ccp-template.json @@ -0,0 +1,60 @@ +{ + "name": "first-network-org${ORG}", + "version": "1.0.0", + "client": { + "organization": "Org${ORG}", + "connection": { + "timeout": { + "peer": { + "endorser": "300" + } + } + } + }, + "organizations": { + "Org${ORG}": { + "mspid": "Org${ORG}MSP", + "peers": [ + "peer0.org${ORG}.example.com", + "peer1.org${ORG}.example.com" + ], + "certificateAuthorities": [ + "ca.org${ORG}.example.com" + ] + } + }, + "peers": { + "peer0.org${ORG}.example.com": { + "url": "grpcs://localhost:${P0PORT}", + "tlsCACerts": { + "pem": "${PEERPEM}" + }, + "grpcOptions": { + "ssl-target-name-override": "peer0.org${ORG}.example.com", + "hostnameOverride": "peer0.org${ORG}.example.com" + } + }, + "peer1.org${ORG}.example.com": { + "url": "grpcs://localhost:${P1PORT}", + "tlsCACerts": { + "pem": "${PEERPEM}" + }, + "grpcOptions": { + "ssl-target-name-override": "peer1.org${ORG}.example.com", + "hostnameOverride": "peer1.org${ORG}.example.com" + } + } + }, + "certificateAuthorities": { + "ca.org${ORG}.example.com": { + "url": "https://localhost:${CAPORT}", + "caName": "ca-org${ORG}", + "tlsCACerts": { + "pem": "${CAPEM}" + }, + "httpOptions": { + "verify": false + } + } + } +} diff --git a/test-network/organizations/ccp-template.yaml b/test-network/organizations/ccp-template.yaml new file mode 100644 index 0000000000..35333d9975 --- /dev/null +++ b/test-network/organizations/ccp-template.yaml @@ -0,0 +1,43 @@ +--- +name: first-network-org${ORG} +version: 1.0.0 +client: + organization: Org${ORG} + connection: + timeout: + peer: + endorser: '300' +organizations: + Org${ORG}: + mspid: Org${ORG}MSP + peers: + - peer0.org${ORG}.example.com + - peer1.org${ORG}.example.com + certificateAuthorities: + - ca.org${ORG}.example.com +peers: + peer0.org${ORG}.example.com: + url: grpcs://localhost:${P0PORT} + tlsCACerts: + pem: | + ${PEERPEM} + grpcOptions: + ssl-target-name-override: peer0.org${ORG}.example.com + hostnameOverride: peer0.org${ORG}.example.com + peer1.org${ORG}.example.com: + url: grpcs://localhost:${P1PORT} + tlsCACerts: + pem: | + ${PEERPEM} + grpcOptions: + ssl-target-name-override: peer1.org${ORG}.example.com + hostnameOverride: peer1.org${ORG}.example.com +certificateAuthorities: + ca.org${ORG}.example.com: + url: https://localhost:${CAPORT} + caName: ca-org${ORG} + tlsCACerts: + pem: | + ${CAPEM} + httpOptions: + verify: false diff --git a/test-network/organizations/cryptogen/crypto-config-orderer.yaml b/test-network/organizations/cryptogen/crypto-config-orderer.yaml new file mode 100644 index 0000000000..ce50978f2f --- /dev/null +++ b/test-network/organizations/cryptogen/crypto-config-orderer.yaml @@ -0,0 +1,20 @@ +# Copyright IBM Corp. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +# + +# --------------------------------------------------------------------------- +# "OrdererOrgs" - Definition of organizations managing orderer nodes +# --------------------------------------------------------------------------- +OrdererOrgs: + # --------------------------------------------------------------------------- + # Orderer + # --------------------------------------------------------------------------- + - Name: Orderer + Domain: example.com + EnableNodeOUs: true + # --------------------------------------------------------------------------- + # "Specs" - See PeerOrgs for complete description + # --------------------------------------------------------------------------- + Specs: + - Hostname: orderer diff --git a/test-network/organizations/cryptogen/crypto-config-org1.yaml b/test-network/organizations/cryptogen/crypto-config-org1.yaml new file mode 100644 index 0000000000..4073845038 --- /dev/null +++ b/test-network/organizations/cryptogen/crypto-config-org1.yaml @@ -0,0 +1,61 @@ +# Copyright IBM Corp. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +# + + +# --------------------------------------------------------------------------- +# "PeerOrgs" - Definition of organizations managing peer nodes +# --------------------------------------------------------------------------- +PeerOrgs: + # --------------------------------------------------------------------------- + # Org1 + # --------------------------------------------------------------------------- + - Name: Org1 + Domain: org1.example.com + EnableNodeOUs: true + # --------------------------------------------------------------------------- + # "Specs" + # --------------------------------------------------------------------------- + # Uncomment this section to enable the explicit definition of hosts in your + # configuration. Most users will want to use Template, below + # + # Specs is an array of Spec entries. Each Spec entry consists of two fields: + # - Hostname: (Required) The desired hostname, sans the domain. + # - CommonName: (Optional) Specifies the template or explicit override for + # the CN. By default, this is the template: + # + # "{{.Hostname}}.{{.Domain}}" + # + # which obtains its values from the Spec.Hostname and + # Org.Domain, respectively. + # --------------------------------------------------------------------------- + # - Hostname: foo # implicitly "foo.org1.example.com" + # CommonName: foo27.org5.example.com # overrides Hostname-based FQDN set above + # - Hostname: bar + # - Hostname: baz + # --------------------------------------------------------------------------- + # "Template" + # --------------------------------------------------------------------------- + # Allows for the definition of 1 or more hosts that are created sequentially + # from a template. By default, this looks like "peer%d" from 0 to Count-1. + # You may override the number of nodes (Count), the starting index (Start) + # or the template used to construct the name (Hostname). + # + # Note: Template and Specs are not mutually exclusive. You may define both + # sections and the aggregate nodes will be created for you. Take care with + # name collisions + # --------------------------------------------------------------------------- + Template: + Count: 1 + SANS: + - localhost + # Start: 5 + # Hostname: {{.Prefix}}{{.Index}} # default + # --------------------------------------------------------------------------- + # "Users" + # --------------------------------------------------------------------------- + # Count: The number of user accounts _in addition_ to Admin + # --------------------------------------------------------------------------- + Users: + Count: 1 diff --git a/test-network/organizations/cryptogen/crypto-config-org2.yaml b/test-network/organizations/cryptogen/crypto-config-org2.yaml new file mode 100644 index 0000000000..6298ff6d31 --- /dev/null +++ b/test-network/organizations/cryptogen/crypto-config-org2.yaml @@ -0,0 +1,61 @@ +# Copyright IBM Corp. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +# + +# --------------------------------------------------------------------------- +# "PeerOrgs" - Definition of organizations managing peer nodes +# --------------------------------------------------------------------------- +PeerOrgs: + # --------------------------------------------------------------------------- + # Org2 + # --------------------------------------------------------------------------- + - Name: Org2 + Domain: org2.example.com + EnableNodeOUs: true + # --------------------------------------------------------------------------- + # "Specs" + # --------------------------------------------------------------------------- + # Uncomment this section to enable the explicit definition of hosts in your + # configuration. Most users will want to use Template, below + # + # Specs is an array of Spec entries. Each Spec entry consists of two fields: + # - Hostname: (Required) The desired hostname, sans the domain. + # - CommonName: (Optional) Specifies the template or explicit override for + # the CN. By default, this is the template: + # + # "{{.Hostname}}.{{.Domain}}" + # + # which obtains its values from the Spec.Hostname and + # Org.Domain, respectively. + # --------------------------------------------------------------------------- + # Specs: + # - Hostname: foo # implicitly "foo.org1.example.com" + # CommonName: foo27.org5.example.com # overrides Hostname-based FQDN set above + # - Hostname: bar + # - Hostname: baz + # --------------------------------------------------------------------------- + # "Template" + # --------------------------------------------------------------------------- + # Allows for the definition of 1 or more hosts that are created sequentially + # from a template. By default, this looks like "peer%d" from 0 to Count-1. + # You may override the number of nodes (Count), the starting index (Start) + # or the template used to construct the name (Hostname). + # + # Note: Template and Specs are not mutually exclusive. You may define both + # sections and the aggregate nodes will be created for you. Take care with + # name collisions + # --------------------------------------------------------------------------- + Template: + Count: 1 + SANS: + - localhost + # Start: 5 + # Hostname: {{.Prefix}}{{.Index}} # default + # --------------------------------------------------------------------------- + # "Users" + # --------------------------------------------------------------------------- + # Count: The number of user accounts _in addition_ to Admin + # --------------------------------------------------------------------------- + Users: + Count: 1 diff --git a/test-network/organizations/fabric-ca/ordererOrg/fabric-ca-server-config.yaml b/test-network/organizations/fabric-ca/ordererOrg/fabric-ca-server-config.yaml new file mode 100644 index 0000000000..0591b3e1db --- /dev/null +++ b/test-network/organizations/fabric-ca/ordererOrg/fabric-ca-server-config.yaml @@ -0,0 +1,406 @@ +############################################################################# +# This is a configuration file for the fabric-ca-server command. +# +# COMMAND LINE ARGUMENTS AND ENVIRONMENT VARIABLES +# ------------------------------------------------ +# Each configuration element can be overridden via command line +# arguments or environment variables. The precedence for determining +# the value of each element is as follows: +# 1) command line argument +# Examples: +# a) --port 443 +# To set the listening port +# b) --ca.keyfile ../mykey.pem +# To set the "keyfile" element in the "ca" section below; +# note the '.' separator character. +# 2) environment variable +# Examples: +# a) FABRIC_CA_SERVER_PORT=443 +# To set the listening port +# b) FABRIC_CA_SERVER_CA_KEYFILE="../mykey.pem" +# To set the "keyfile" element in the "ca" section below; +# note the '_' separator character. +# 3) configuration file +# 4) default value (if there is one) +# All default values are shown beside each element below. +# +# FILE NAME ELEMENTS +# ------------------ +# The value of all fields whose name ends with "file" or "files" are +# name or names of other files. +# For example, see "tls.certfile" and "tls.clientauth.certfiles". +# The value of each of these fields can be a simple filename, a +# relative path, or an absolute path. If the value is not an +# absolute path, it is interpretted as being relative to the location +# of this configuration file. +# +############################################################################# + +# Version of config file +version: 1.2.0 + +# Server's listening port (default: 7054) +port: 7054 + +# Enables debug logging (default: false) +debug: false + +# Size limit of an acceptable CRL in bytes (default: 512000) +crlsizelimit: 512000 + +############################################################################# +# TLS section for the server's listening port +# +# The following types are supported for client authentication: NoClientCert, +# RequestClientCert, RequireAnyClientCert, VerifyClientCertIfGiven, +# and RequireAndVerifyClientCert. +# +# Certfiles is a list of root certificate authorities that the server uses +# when verifying client certificates. +############################################################################# +tls: + # Enable TLS (default: false) + enabled: true + # TLS for the server's listening port + certfile: + keyfile: + clientauth: + type: noclientcert + certfiles: + +############################################################################# +# The CA section contains information related to the Certificate Authority +# including the name of the CA, which should be unique for all members +# of a blockchain network. It also includes the key and certificate files +# used when issuing enrollment certificates (ECerts) and transaction +# certificates (TCerts). +# The chainfile (if it exists) contains the certificate chain which +# should be trusted for this CA, where the 1st in the chain is always the +# root CA certificate. +############################################################################# +ca: + # Name of this CA + name: OrdererCA + # Key file (is only used to import a private key into BCCSP) + keyfile: + # Certificate file (default: ca-cert.pem) + certfile: + # Chain file + chainfile: + +############################################################################# +# The gencrl REST endpoint is used to generate a CRL that contains revoked +# certificates. This section contains configuration options that are used +# during gencrl request processing. +############################################################################# +crl: + # Specifies expiration for the generated CRL. The number of hours + # specified by this property is added to the UTC time, the resulting time + # is used to set the 'Next Update' date of the CRL. + expiry: 24h + +############################################################################# +# The registry section controls how the fabric-ca-server does two things: +# 1) authenticates enrollment requests which contain a username and password +# (also known as an enrollment ID and secret). +# 2) once authenticated, retrieves the identity's attribute names and +# values which the fabric-ca-server optionally puts into TCerts +# which it issues for transacting on the Hyperledger Fabric blockchain. +# These attributes are useful for making access control decisions in +# chaincode. +# There are two main configuration options: +# 1) The fabric-ca-server is the registry. +# This is true if "ldap.enabled" in the ldap section below is false. +# 2) An LDAP server is the registry, in which case the fabric-ca-server +# calls the LDAP server to perform these tasks. +# This is true if "ldap.enabled" in the ldap section below is true, +# which means this "registry" section is ignored. +############################################################################# +registry: + # Maximum number of times a password/secret can be reused for enrollment + # (default: -1, which means there is no limit) + maxenrollments: -1 + + # Contains identity information which is used when LDAP is disabled + identities: + - name: admin + pass: adminpw + type: client + affiliation: "" + attrs: + hf.Registrar.Roles: "*" + hf.Registrar.DelegateRoles: "*" + hf.Revoker: true + hf.IntermediateCA: true + hf.GenCRL: true + hf.Registrar.Attributes: "*" + hf.AffiliationMgr: true + +############################################################################# +# Database section +# Supported types are: "sqlite3", "postgres", and "mysql". +# The datasource value depends on the type. +# If the type is "sqlite3", the datasource value is a file name to use +# as the database store. Since "sqlite3" is an embedded database, it +# may not be used if you want to run the fabric-ca-server in a cluster. +# To run the fabric-ca-server in a cluster, you must choose "postgres" +# or "mysql". +############################################################################# +db: + type: sqlite3 + datasource: fabric-ca-server.db + tls: + enabled: false + certfiles: + client: + certfile: + keyfile: + +############################################################################# +# LDAP section +# If LDAP is enabled, the fabric-ca-server calls LDAP to: +# 1) authenticate enrollment ID and secret (i.e. username and password) +# for enrollment requests; +# 2) To retrieve identity attributes +############################################################################# +ldap: + # Enables or disables the LDAP client (default: false) + # If this is set to true, the "registry" section is ignored. + enabled: false + # The URL of the LDAP server + url: ldap://:@:/ + # TLS configuration for the client connection to the LDAP server + tls: + certfiles: + client: + certfile: + keyfile: + # Attribute related configuration for mapping from LDAP entries to Fabric CA attributes + attribute: + # 'names' is an array of strings containing the LDAP attribute names which are + # requested from the LDAP server for an LDAP identity's entry + names: ['uid','member'] + # The 'converters' section is used to convert an LDAP entry to the value of + # a fabric CA attribute. + # For example, the following converts an LDAP 'uid' attribute + # whose value begins with 'revoker' to a fabric CA attribute + # named "hf.Revoker" with a value of "true" (because the boolean expression + # evaluates to true). + # converters: + # - name: hf.Revoker + # value: attr("uid") =~ "revoker*" + converters: + - name: + value: + # The 'maps' section contains named maps which may be referenced by the 'map' + # function in the 'converters' section to map LDAP responses to arbitrary values. + # For example, assume a user has an LDAP attribute named 'member' which has multiple + # values which are each a distinguished name (i.e. a DN). For simplicity, assume the + # values of the 'member' attribute are 'dn1', 'dn2', and 'dn3'. + # Further assume the following configuration. + # converters: + # - name: hf.Registrar.Roles + # value: map(attr("member"),"groups") + # maps: + # groups: + # - name: dn1 + # value: peer + # - name: dn2 + # value: client + # The value of the user's 'hf.Registrar.Roles' attribute is then computed to be + # "peer,client,dn3". This is because the value of 'attr("member")' is + # "dn1,dn2,dn3", and the call to 'map' with a 2nd argument of + # "group" replaces "dn1" with "peer" and "dn2" with "client". + maps: + groups: + - name: + value: + +############################################################################# +# Affiliations section. Fabric CA server can be bootstrapped with the +# affiliations specified in this section. Affiliations are specified as maps. +# For example: +# businessunit1: +# department1: +# - team1 +# businessunit2: +# - department2 +# - department3 +# +# Affiliations are hierarchical in nature. In the above example, +# department1 (used as businessunit1.department1) is the child of businessunit1. +# team1 (used as businessunit1.department1.team1) is the child of department1. +# department2 (used as businessunit2.department2) and department3 (businessunit2.department3) +# are children of businessunit2. +# Note: Affiliations are case sensitive except for the non-leaf affiliations +# (like businessunit1, department1, businessunit2) that are specified in the configuration file, +# which are always stored in lower case. +############################################################################# +affiliations: + org1: + - department1 + - department2 + org2: + - department1 + +############################################################################# +# Signing section +# +# The "default" subsection is used to sign enrollment certificates; +# the default expiration ("expiry" field) is "8760h", which is 1 year in hours. +# +# The "ca" profile subsection is used to sign intermediate CA certificates; +# the default expiration ("expiry" field) is "43800h" which is 5 years in hours. +# Note that "isca" is true, meaning that it issues a CA certificate. +# A maxpathlen of 0 means that the intermediate CA cannot issue other +# intermediate CA certificates, though it can still issue end entity certificates. +# (See RFC 5280, section 4.2.1.9) +# +# The "tls" profile subsection is used to sign TLS certificate requests; +# the default expiration ("expiry" field) is "8760h", which is 1 year in hours. +############################################################################# +signing: + default: + usage: + - digital signature + expiry: 8760h + profiles: + ca: + usage: + - cert sign + - crl sign + expiry: 43800h + caconstraint: + isca: true + maxpathlen: 0 + tls: + usage: + - signing + - key encipherment + - server auth + - client auth + - key agreement + expiry: 8760h + +########################################################################### +# Certificate Signing Request (CSR) section. +# This controls the creation of the root CA certificate. +# The expiration for the root CA certificate is configured with the +# "ca.expiry" field below, whose default value is "131400h" which is +# 15 years in hours. +# The pathlength field is used to limit CA certificate hierarchy as described +# in section 4.2.1.9 of RFC 5280. +# Examples: +# 1) No pathlength value means no limit is requested. +# 2) pathlength == 1 means a limit of 1 is requested which is the default for +# a root CA. This means the root CA can issue intermediate CA certificates, +# but these intermediate CAs may not in turn issue other CA certificates +# though they can still issue end entity certificates. +# 3) pathlength == 0 means a limit of 0 is requested; +# this is the default for an intermediate CA, which means it can not issue +# CA certificates though it can still issue end entity certificates. +########################################################################### +csr: + cn: ca.example.com + names: + - C: US + ST: "New York" + L: "New York" + O: example.com + OU: + hosts: + - localhost + - example.com + ca: + expiry: 131400h + pathlength: 1 + +############################################################################# +# BCCSP (BlockChain Crypto Service Provider) section is used to select which +# crypto library implementation to use +############################################################################# +bccsp: + default: SW + sw: + hash: SHA2 + security: 256 + filekeystore: + # The directory used for the software file-based keystore + keystore: msp/keystore + +############################################################################# +# Multi CA section +# +# Each Fabric CA server contains one CA by default. This section is used +# to configure multiple CAs in a single server. +# +# 1) --cacount +# Automatically generate non-default CAs. The names of these +# additional CAs are "ca1", "ca2", ... "caN", where "N" is +# This is particularly useful in a development environment to quickly set up +# multiple CAs. Note that, this config option is not applicable to intermediate CA server +# i.e., Fabric CA server that is started with intermediate.parentserver.url config +# option (-u command line option) +# +# 2) --cafiles +# For each CA config file in the list, generate a separate signing CA. Each CA +# config file in this list MAY contain all of the same elements as are found in +# the server config file except port, debug, and tls sections. +# +# Examples: +# fabric-ca-server start -b admin:adminpw --cacount 2 +# +# fabric-ca-server start -b admin:adminpw --cafiles ca/ca1/fabric-ca-server-config.yaml +# --cafiles ca/ca2/fabric-ca-server-config.yaml +# +############################################################################# + +cacount: + +cafiles: + +############################################################################# +# Intermediate CA section +# +# The relationship between servers and CAs is as follows: +# 1) A single server process may contain or function as one or more CAs. +# This is configured by the "Multi CA section" above. +# 2) Each CA is either a root CA or an intermediate CA. +# 3) Each intermediate CA has a parent CA which is either a root CA or another intermediate CA. +# +# This section pertains to configuration of #2 and #3. +# If the "intermediate.parentserver.url" property is set, +# then this is an intermediate CA with the specified parent +# CA. +# +# parentserver section +# url - The URL of the parent server +# caname - Name of the CA to enroll within the server +# +# enrollment section used to enroll intermediate CA with parent CA +# profile - Name of the signing profile to use in issuing the certificate +# label - Label to use in HSM operations +# +# tls section for secure socket connection +# certfiles - PEM-encoded list of trusted root certificate files +# client: +# certfile - PEM-encoded certificate file for when client authentication +# is enabled on server +# keyfile - PEM-encoded key file for when client authentication +# is enabled on server +############################################################################# +intermediate: + parentserver: + url: + caname: + + enrollment: + hosts: + profile: + label: + + tls: + certfiles: + client: + certfile: + keyfile: diff --git a/test-network/organizations/fabric-ca/org1/fabric-ca-server-config.yaml b/test-network/organizations/fabric-ca/org1/fabric-ca-server-config.yaml new file mode 100644 index 0000000000..becf4456ef --- /dev/null +++ b/test-network/organizations/fabric-ca/org1/fabric-ca-server-config.yaml @@ -0,0 +1,406 @@ +############################################################################# +# This is a configuration file for the fabric-ca-server command. +# +# COMMAND LINE ARGUMENTS AND ENVIRONMENT VARIABLES +# ------------------------------------------------ +# Each configuration element can be overridden via command line +# arguments or environment variables. The precedence for determining +# the value of each element is as follows: +# 1) command line argument +# Examples: +# a) --port 443 +# To set the listening port +# b) --ca.keyfile ../mykey.pem +# To set the "keyfile" element in the "ca" section below; +# note the '.' separator character. +# 2) environment variable +# Examples: +# a) FABRIC_CA_SERVER_PORT=443 +# To set the listening port +# b) FABRIC_CA_SERVER_CA_KEYFILE="../mykey.pem" +# To set the "keyfile" element in the "ca" section below; +# note the '_' separator character. +# 3) configuration file +# 4) default value (if there is one) +# All default values are shown beside each element below. +# +# FILE NAME ELEMENTS +# ------------------ +# The value of all fields whose name ends with "file" or "files" are +# name or names of other files. +# For example, see "tls.certfile" and "tls.clientauth.certfiles". +# The value of each of these fields can be a simple filename, a +# relative path, or an absolute path. If the value is not an +# absolute path, it is interpretted as being relative to the location +# of this configuration file. +# +############################################################################# + +# Version of config file +version: 1.2.0 + +# Server's listening port (default: 7054) +port: 7054 + +# Enables debug logging (default: false) +debug: false + +# Size limit of an acceptable CRL in bytes (default: 512000) +crlsizelimit: 512000 + +############################################################################# +# TLS section for the server's listening port +# +# The following types are supported for client authentication: NoClientCert, +# RequestClientCert, RequireAnyClientCert, VerifyClientCertIfGiven, +# and RequireAndVerifyClientCert. +# +# Certfiles is a list of root certificate authorities that the server uses +# when verifying client certificates. +############################################################################# +tls: + # Enable TLS (default: false) + enabled: true + # TLS for the server's listening port + certfile: + keyfile: + clientauth: + type: noclientcert + certfiles: + +############################################################################# +# The CA section contains information related to the Certificate Authority +# including the name of the CA, which should be unique for all members +# of a blockchain network. It also includes the key and certificate files +# used when issuing enrollment certificates (ECerts) and transaction +# certificates (TCerts). +# The chainfile (if it exists) contains the certificate chain which +# should be trusted for this CA, where the 1st in the chain is always the +# root CA certificate. +############################################################################# +ca: + # Name of this CA + name: Org1CA + # Key file (is only used to import a private key into BCCSP) + keyfile: + # Certificate file (default: ca-cert.pem) + certfile: + # Chain file + chainfile: + +############################################################################# +# The gencrl REST endpoint is used to generate a CRL that contains revoked +# certificates. This section contains configuration options that are used +# during gencrl request processing. +############################################################################# +crl: + # Specifies expiration for the generated CRL. The number of hours + # specified by this property is added to the UTC time, the resulting time + # is used to set the 'Next Update' date of the CRL. + expiry: 24h + +############################################################################# +# The registry section controls how the fabric-ca-server does two things: +# 1) authenticates enrollment requests which contain a username and password +# (also known as an enrollment ID and secret). +# 2) once authenticated, retrieves the identity's attribute names and +# values which the fabric-ca-server optionally puts into TCerts +# which it issues for transacting on the Hyperledger Fabric blockchain. +# These attributes are useful for making access control decisions in +# chaincode. +# There are two main configuration options: +# 1) The fabric-ca-server is the registry. +# This is true if "ldap.enabled" in the ldap section below is false. +# 2) An LDAP server is the registry, in which case the fabric-ca-server +# calls the LDAP server to perform these tasks. +# This is true if "ldap.enabled" in the ldap section below is true, +# which means this "registry" section is ignored. +############################################################################# +registry: + # Maximum number of times a password/secret can be reused for enrollment + # (default: -1, which means there is no limit) + maxenrollments: -1 + + # Contains identity information which is used when LDAP is disabled + identities: + - name: admin + pass: adminpw + type: client + affiliation: "" + attrs: + hf.Registrar.Roles: "*" + hf.Registrar.DelegateRoles: "*" + hf.Revoker: true + hf.IntermediateCA: true + hf.GenCRL: true + hf.Registrar.Attributes: "*" + hf.AffiliationMgr: true + +############################################################################# +# Database section +# Supported types are: "sqlite3", "postgres", and "mysql". +# The datasource value depends on the type. +# If the type is "sqlite3", the datasource value is a file name to use +# as the database store. Since "sqlite3" is an embedded database, it +# may not be used if you want to run the fabric-ca-server in a cluster. +# To run the fabric-ca-server in a cluster, you must choose "postgres" +# or "mysql". +############################################################################# +db: + type: sqlite3 + datasource: fabric-ca-server.db + tls: + enabled: false + certfiles: + client: + certfile: + keyfile: + +############################################################################# +# LDAP section +# If LDAP is enabled, the fabric-ca-server calls LDAP to: +# 1) authenticate enrollment ID and secret (i.e. username and password) +# for enrollment requests; +# 2) To retrieve identity attributes +############################################################################# +ldap: + # Enables or disables the LDAP client (default: false) + # If this is set to true, the "registry" section is ignored. + enabled: false + # The URL of the LDAP server + url: ldap://:@:/ + # TLS configuration for the client connection to the LDAP server + tls: + certfiles: + client: + certfile: + keyfile: + # Attribute related configuration for mapping from LDAP entries to Fabric CA attributes + attribute: + # 'names' is an array of strings containing the LDAP attribute names which are + # requested from the LDAP server for an LDAP identity's entry + names: ['uid','member'] + # The 'converters' section is used to convert an LDAP entry to the value of + # a fabric CA attribute. + # For example, the following converts an LDAP 'uid' attribute + # whose value begins with 'revoker' to a fabric CA attribute + # named "hf.Revoker" with a value of "true" (because the boolean expression + # evaluates to true). + # converters: + # - name: hf.Revoker + # value: attr("uid") =~ "revoker*" + converters: + - name: + value: + # The 'maps' section contains named maps which may be referenced by the 'map' + # function in the 'converters' section to map LDAP responses to arbitrary values. + # For example, assume a user has an LDAP attribute named 'member' which has multiple + # values which are each a distinguished name (i.e. a DN). For simplicity, assume the + # values of the 'member' attribute are 'dn1', 'dn2', and 'dn3'. + # Further assume the following configuration. + # converters: + # - name: hf.Registrar.Roles + # value: map(attr("member"),"groups") + # maps: + # groups: + # - name: dn1 + # value: peer + # - name: dn2 + # value: client + # The value of the user's 'hf.Registrar.Roles' attribute is then computed to be + # "peer,client,dn3". This is because the value of 'attr("member")' is + # "dn1,dn2,dn3", and the call to 'map' with a 2nd argument of + # "group" replaces "dn1" with "peer" and "dn2" with "client". + maps: + groups: + - name: + value: + +############################################################################# +# Affiliations section. Fabric CA server can be bootstrapped with the +# affiliations specified in this section. Affiliations are specified as maps. +# For example: +# businessunit1: +# department1: +# - team1 +# businessunit2: +# - department2 +# - department3 +# +# Affiliations are hierarchical in nature. In the above example, +# department1 (used as businessunit1.department1) is the child of businessunit1. +# team1 (used as businessunit1.department1.team1) is the child of department1. +# department2 (used as businessunit2.department2) and department3 (businessunit2.department3) +# are children of businessunit2. +# Note: Affiliations are case sensitive except for the non-leaf affiliations +# (like businessunit1, department1, businessunit2) that are specified in the configuration file, +# which are always stored in lower case. +############################################################################# +affiliations: + org1: + - department1 + - department2 + org2: + - department1 + +############################################################################# +# Signing section +# +# The "default" subsection is used to sign enrollment certificates; +# the default expiration ("expiry" field) is "8760h", which is 1 year in hours. +# +# The "ca" profile subsection is used to sign intermediate CA certificates; +# the default expiration ("expiry" field) is "43800h" which is 5 years in hours. +# Note that "isca" is true, meaning that it issues a CA certificate. +# A maxpathlen of 0 means that the intermediate CA cannot issue other +# intermediate CA certificates, though it can still issue end entity certificates. +# (See RFC 5280, section 4.2.1.9) +# +# The "tls" profile subsection is used to sign TLS certificate requests; +# the default expiration ("expiry" field) is "8760h", which is 1 year in hours. +############################################################################# +signing: + default: + usage: + - digital signature + expiry: 8760h + profiles: + ca: + usage: + - cert sign + - crl sign + expiry: 43800h + caconstraint: + isca: true + maxpathlen: 0 + tls: + usage: + - signing + - key encipherment + - server auth + - client auth + - key agreement + expiry: 8760h + +########################################################################### +# Certificate Signing Request (CSR) section. +# This controls the creation of the root CA certificate. +# The expiration for the root CA certificate is configured with the +# "ca.expiry" field below, whose default value is "131400h" which is +# 15 years in hours. +# The pathlength field is used to limit CA certificate hierarchy as described +# in section 4.2.1.9 of RFC 5280. +# Examples: +# 1) No pathlength value means no limit is requested. +# 2) pathlength == 1 means a limit of 1 is requested which is the default for +# a root CA. This means the root CA can issue intermediate CA certificates, +# but these intermediate CAs may not in turn issue other CA certificates +# though they can still issue end entity certificates. +# 3) pathlength == 0 means a limit of 0 is requested; +# this is the default for an intermediate CA, which means it can not issue +# CA certificates though it can still issue end entity certificates. +########################################################################### +csr: + cn: ca.org1.example.com + names: + - C: US + ST: "North Carolina" + L: "Durham" + O: org1.example.com + OU: + hosts: + - localhost + - org1.example.com + ca: + expiry: 131400h + pathlength: 1 + +############################################################################# +# BCCSP (BlockChain Crypto Service Provider) section is used to select which +# crypto library implementation to use +############################################################################# +bccsp: + default: SW + sw: + hash: SHA2 + security: 256 + filekeystore: + # The directory used for the software file-based keystore + keystore: msp/keystore + +############################################################################# +# Multi CA section +# +# Each Fabric CA server contains one CA by default. This section is used +# to configure multiple CAs in a single server. +# +# 1) --cacount +# Automatically generate non-default CAs. The names of these +# additional CAs are "ca1", "ca2", ... "caN", where "N" is +# This is particularly useful in a development environment to quickly set up +# multiple CAs. Note that, this config option is not applicable to intermediate CA server +# i.e., Fabric CA server that is started with intermediate.parentserver.url config +# option (-u command line option) +# +# 2) --cafiles +# For each CA config file in the list, generate a separate signing CA. Each CA +# config file in this list MAY contain all of the same elements as are found in +# the server config file except port, debug, and tls sections. +# +# Examples: +# fabric-ca-server start -b admin:adminpw --cacount 2 +# +# fabric-ca-server start -b admin:adminpw --cafiles ca/ca1/fabric-ca-server-config.yaml +# --cafiles ca/ca2/fabric-ca-server-config.yaml +# +############################################################################# + +cacount: + +cafiles: + +############################################################################# +# Intermediate CA section +# +# The relationship between servers and CAs is as follows: +# 1) A single server process may contain or function as one or more CAs. +# This is configured by the "Multi CA section" above. +# 2) Each CA is either a root CA or an intermediate CA. +# 3) Each intermediate CA has a parent CA which is either a root CA or another intermediate CA. +# +# This section pertains to configuration of #2 and #3. +# If the "intermediate.parentserver.url" property is set, +# then this is an intermediate CA with the specified parent +# CA. +# +# parentserver section +# url - The URL of the parent server +# caname - Name of the CA to enroll within the server +# +# enrollment section used to enroll intermediate CA with parent CA +# profile - Name of the signing profile to use in issuing the certificate +# label - Label to use in HSM operations +# +# tls section for secure socket connection +# certfiles - PEM-encoded list of trusted root certificate files +# client: +# certfile - PEM-encoded certificate file for when client authentication +# is enabled on server +# keyfile - PEM-encoded key file for when client authentication +# is enabled on server +############################################################################# +intermediate: + parentserver: + url: + caname: + + enrollment: + hosts: + profile: + label: + + tls: + certfiles: + client: + certfile: + keyfile: diff --git a/test-network/organizations/fabric-ca/org2/fabric-ca-server-config.yaml b/test-network/organizations/fabric-ca/org2/fabric-ca-server-config.yaml new file mode 100644 index 0000000000..0062daf44a --- /dev/null +++ b/test-network/organizations/fabric-ca/org2/fabric-ca-server-config.yaml @@ -0,0 +1,406 @@ +############################################################################# +# This is a configuration file for the fabric-ca-server command. +# +# COMMAND LINE ARGUMENTS AND ENVIRONMENT VARIABLES +# ------------------------------------------------ +# Each configuration element can be overridden via command line +# arguments or environment variables. The precedence for determining +# the value of each element is as follows: +# 1) command line argument +# Examples: +# a) --port 443 +# To set the listening port +# b) --ca.keyfile ../mykey.pem +# To set the "keyfile" element in the "ca" section below; +# note the '.' separator character. +# 2) environment variable +# Examples: +# a) FABRIC_CA_SERVER_PORT=443 +# To set the listening port +# b) FABRIC_CA_SERVER_CA_KEYFILE="../mykey.pem" +# To set the "keyfile" element in the "ca" section below; +# note the '_' separator character. +# 3) configuration file +# 4) default value (if there is one) +# All default values are shown beside each element below. +# +# FILE NAME ELEMENTS +# ------------------ +# The value of all fields whose name ends with "file" or "files" are +# name or names of other files. +# For example, see "tls.certfile" and "tls.clientauth.certfiles". +# The value of each of these fields can be a simple filename, a +# relative path, or an absolute path. If the value is not an +# absolute path, it is interpretted as being relative to the location +# of this configuration file. +# +############################################################################# + +# Version of config file +version: 1.2.0 + +# Server's listening port (default: 7054) +port: 7054 + +# Enables debug logging (default: false) +debug: false + +# Size limit of an acceptable CRL in bytes (default: 512000) +crlsizelimit: 512000 + +############################################################################# +# TLS section for the server's listening port +# +# The following types are supported for client authentication: NoClientCert, +# RequestClientCert, RequireAnyClientCert, VerifyClientCertIfGiven, +# and RequireAndVerifyClientCert. +# +# Certfiles is a list of root certificate authorities that the server uses +# when verifying client certificates. +############################################################################# +tls: + # Enable TLS (default: false) + enabled: true + # TLS for the server's listening port + certfile: + keyfile: + clientauth: + type: noclientcert + certfiles: + +############################################################################# +# The CA section contains information related to the Certificate Authority +# including the name of the CA, which should be unique for all members +# of a blockchain network. It also includes the key and certificate files +# used when issuing enrollment certificates (ECerts) and transaction +# certificates (TCerts). +# The chainfile (if it exists) contains the certificate chain which +# should be trusted for this CA, where the 1st in the chain is always the +# root CA certificate. +############################################################################# +ca: + # Name of this CA + name: Org2CA + # Key file (is only used to import a private key into BCCSP) + keyfile: + # Certificate file (default: ca-cert.pem) + certfile: + # Chain file + chainfile: + +############################################################################# +# The gencrl REST endpoint is used to generate a CRL that contains revoked +# certificates. This section contains configuration options that are used +# during gencrl request processing. +############################################################################# +crl: + # Specifies expiration for the generated CRL. The number of hours + # specified by this property is added to the UTC time, the resulting time + # is used to set the 'Next Update' date of the CRL. + expiry: 24h + +############################################################################# +# The registry section controls how the fabric-ca-server does two things: +# 1) authenticates enrollment requests which contain a username and password +# (also known as an enrollment ID and secret). +# 2) once authenticated, retrieves the identity's attribute names and +# values which the fabric-ca-server optionally puts into TCerts +# which it issues for transacting on the Hyperledger Fabric blockchain. +# These attributes are useful for making access control decisions in +# chaincode. +# There are two main configuration options: +# 1) The fabric-ca-server is the registry. +# This is true if "ldap.enabled" in the ldap section below is false. +# 2) An LDAP server is the registry, in which case the fabric-ca-server +# calls the LDAP server to perform these tasks. +# This is true if "ldap.enabled" in the ldap section below is true, +# which means this "registry" section is ignored. +############################################################################# +registry: + # Maximum number of times a password/secret can be reused for enrollment + # (default: -1, which means there is no limit) + maxenrollments: -1 + + # Contains identity information which is used when LDAP is disabled + identities: + - name: admin + pass: adminpw + type: client + affiliation: "" + attrs: + hf.Registrar.Roles: "*" + hf.Registrar.DelegateRoles: "*" + hf.Revoker: true + hf.IntermediateCA: true + hf.GenCRL: true + hf.Registrar.Attributes: "*" + hf.AffiliationMgr: true + +############################################################################# +# Database section +# Supported types are: "sqlite3", "postgres", and "mysql". +# The datasource value depends on the type. +# If the type is "sqlite3", the datasource value is a file name to use +# as the database store. Since "sqlite3" is an embedded database, it +# may not be used if you want to run the fabric-ca-server in a cluster. +# To run the fabric-ca-server in a cluster, you must choose "postgres" +# or "mysql". +############################################################################# +db: + type: sqlite3 + datasource: fabric-ca-server.db + tls: + enabled: false + certfiles: + client: + certfile: + keyfile: + +############################################################################# +# LDAP section +# If LDAP is enabled, the fabric-ca-server calls LDAP to: +# 1) authenticate enrollment ID and secret (i.e. username and password) +# for enrollment requests; +# 2) To retrieve identity attributes +############################################################################# +ldap: + # Enables or disables the LDAP client (default: false) + # If this is set to true, the "registry" section is ignored. + enabled: false + # The URL of the LDAP server + url: ldap://:@:/ + # TLS configuration for the client connection to the LDAP server + tls: + certfiles: + client: + certfile: + keyfile: + # Attribute related configuration for mapping from LDAP entries to Fabric CA attributes + attribute: + # 'names' is an array of strings containing the LDAP attribute names which are + # requested from the LDAP server for an LDAP identity's entry + names: ['uid','member'] + # The 'converters' section is used to convert an LDAP entry to the value of + # a fabric CA attribute. + # For example, the following converts an LDAP 'uid' attribute + # whose value begins with 'revoker' to a fabric CA attribute + # named "hf.Revoker" with a value of "true" (because the boolean expression + # evaluates to true). + # converters: + # - name: hf.Revoker + # value: attr("uid") =~ "revoker*" + converters: + - name: + value: + # The 'maps' section contains named maps which may be referenced by the 'map' + # function in the 'converters' section to map LDAP responses to arbitrary values. + # For example, assume a user has an LDAP attribute named 'member' which has multiple + # values which are each a distinguished name (i.e. a DN). For simplicity, assume the + # values of the 'member' attribute are 'dn1', 'dn2', and 'dn3'. + # Further assume the following configuration. + # converters: + # - name: hf.Registrar.Roles + # value: map(attr("member"),"groups") + # maps: + # groups: + # - name: dn1 + # value: peer + # - name: dn2 + # value: client + # The value of the user's 'hf.Registrar.Roles' attribute is then computed to be + # "peer,client,dn3". This is because the value of 'attr("member")' is + # "dn1,dn2,dn3", and the call to 'map' with a 2nd argument of + # "group" replaces "dn1" with "peer" and "dn2" with "client". + maps: + groups: + - name: + value: + +############################################################################# +# Affiliations section. Fabric CA server can be bootstrapped with the +# affiliations specified in this section. Affiliations are specified as maps. +# For example: +# businessunit1: +# department1: +# - team1 +# businessunit2: +# - department2 +# - department3 +# +# Affiliations are hierarchical in nature. In the above example, +# department1 (used as businessunit1.department1) is the child of businessunit1. +# team1 (used as businessunit1.department1.team1) is the child of department1. +# department2 (used as businessunit2.department2) and department3 (businessunit2.department3) +# are children of businessunit2. +# Note: Affiliations are case sensitive except for the non-leaf affiliations +# (like businessunit1, department1, businessunit2) that are specified in the configuration file, +# which are always stored in lower case. +############################################################################# +affiliations: + org1: + - department1 + - department2 + org2: + - department1 + +############################################################################# +# Signing section +# +# The "default" subsection is used to sign enrollment certificates; +# the default expiration ("expiry" field) is "8760h", which is 1 year in hours. +# +# The "ca" profile subsection is used to sign intermediate CA certificates; +# the default expiration ("expiry" field) is "43800h" which is 5 years in hours. +# Note that "isca" is true, meaning that it issues a CA certificate. +# A maxpathlen of 0 means that the intermediate CA cannot issue other +# intermediate CA certificates, though it can still issue end entity certificates. +# (See RFC 5280, section 4.2.1.9) +# +# The "tls" profile subsection is used to sign TLS certificate requests; +# the default expiration ("expiry" field) is "8760h", which is 1 year in hours. +############################################################################# +signing: + default: + usage: + - digital signature + expiry: 8760h + profiles: + ca: + usage: + - cert sign + - crl sign + expiry: 43800h + caconstraint: + isca: true + maxpathlen: 0 + tls: + usage: + - signing + - key encipherment + - server auth + - client auth + - key agreement + expiry: 8760h + +########################################################################### +# Certificate Signing Request (CSR) section. +# This controls the creation of the root CA certificate. +# The expiration for the root CA certificate is configured with the +# "ca.expiry" field below, whose default value is "131400h" which is +# 15 years in hours. +# The pathlength field is used to limit CA certificate hierarchy as described +# in section 4.2.1.9 of RFC 5280. +# Examples: +# 1) No pathlength value means no limit is requested. +# 2) pathlength == 1 means a limit of 1 is requested which is the default for +# a root CA. This means the root CA can issue intermediate CA certificates, +# but these intermediate CAs may not in turn issue other CA certificates +# though they can still issue end entity certificates. +# 3) pathlength == 0 means a limit of 0 is requested; +# this is the default for an intermediate CA, which means it can not issue +# CA certificates though it can still issue end entity certificates. +########################################################################### +csr: + cn: ca.org2.example.com + names: + - C: UK + ST: "Hampshire" + L: "Hursley" + O: org2.example.com + OU: + hosts: + - localhost + - org2.example.com + ca: + expiry: 131400h + pathlength: 1 + +############################################################################# +# BCCSP (BlockChain Crypto Service Provider) section is used to select which +# crypto library implementation to use +############################################################################# +bccsp: + default: SW + sw: + hash: SHA2 + security: 256 + filekeystore: + # The directory used for the software file-based keystore + keystore: msp/keystore + +############################################################################# +# Multi CA section +# +# Each Fabric CA server contains one CA by default. This section is used +# to configure multiple CAs in a single server. +# +# 1) --cacount +# Automatically generate non-default CAs. The names of these +# additional CAs are "ca1", "ca2", ... "caN", where "N" is +# This is particularly useful in a development environment to quickly set up +# multiple CAs. Note that, this config option is not applicable to intermediate CA server +# i.e., Fabric CA server that is started with intermediate.parentserver.url config +# option (-u command line option) +# +# 2) --cafiles +# For each CA config file in the list, generate a separate signing CA. Each CA +# config file in this list MAY contain all of the same elements as are found in +# the server config file except port, debug, and tls sections. +# +# Examples: +# fabric-ca-server start -b admin:adminpw --cacount 2 +# +# fabric-ca-server start -b admin:adminpw --cafiles ca/ca1/fabric-ca-server-config.yaml +# --cafiles ca/ca2/fabric-ca-server-config.yaml +# +############################################################################# + +cacount: + +cafiles: + +############################################################################# +# Intermediate CA section +# +# The relationship between servers and CAs is as follows: +# 1) A single server process may contain or function as one or more CAs. +# This is configured by the "Multi CA section" above. +# 2) Each CA is either a root CA or an intermediate CA. +# 3) Each intermediate CA has a parent CA which is either a root CA or another intermediate CA. +# +# This section pertains to configuration of #2 and #3. +# If the "intermediate.parentserver.url" property is set, +# then this is an intermediate CA with the specified parent +# CA. +# +# parentserver section +# url - The URL of the parent server +# caname - Name of the CA to enroll within the server +# +# enrollment section used to enroll intermediate CA with parent CA +# profile - Name of the signing profile to use in issuing the certificate +# label - Label to use in HSM operations +# +# tls section for secure socket connection +# certfiles - PEM-encoded list of trusted root certificate files +# client: +# certfile - PEM-encoded certificate file for when client authentication +# is enabled on server +# keyfile - PEM-encoded key file for when client authentication +# is enabled on server +############################################################################# +intermediate: + parentserver: + url: + caname: + + enrollment: + hosts: + profile: + label: + + tls: + certfiles: + client: + certfile: + keyfile: diff --git a/test-network/organizations/fabric-ca/registerEnroll.sh b/test-network/organizations/fabric-ca/registerEnroll.sh new file mode 100755 index 0000000000..cba2d734e1 --- /dev/null +++ b/test-network/organizations/fabric-ca/registerEnroll.sh @@ -0,0 +1,307 @@ + + +function createOrg1 { + + echo + echo "Enroll the CA admin" + echo + mkdir -p organizations/peerOrganizations/org1.example.com/ + + export FABRIC_CA_CLIENT_HOME=${PWD}/organizations/peerOrganizations/org1.example.com/ +# rm -rf $FABRIC_CA_CLIENT_HOME/fabric-ca-client-config.yaml +# rm -rf $FABRIC_CA_CLIENT_HOME/msp + + set -x + fabric-ca-client enroll -u https://admin:adminpw@localhost:7054 --caname ca-org1 --tls.certfiles ${PWD}/organizations/fabric-ca/org1/tls-cert.pem + set +x + + echo 'NodeOUs: + Enable: true + ClientOUIdentifier: + Certificate: cacerts/localhost-7054-ca-org1.pem + OrganizationalUnitIdentifier: client + PeerOUIdentifier: + Certificate: cacerts/localhost-7054-ca-org1.pem + OrganizationalUnitIdentifier: peer + AdminOUIdentifier: + Certificate: cacerts/localhost-7054-ca-org1.pem + OrganizationalUnitIdentifier: admin + OrdererOUIdentifier: + Certificate: cacerts/localhost-7054-ca-org1.pem + OrganizationalUnitIdentifier: orderer' > ${PWD}/organizations/peerOrganizations/org1.example.com/msp/config.yaml + + echo + echo "Register peer0" + echo + set -x + fabric-ca-client register --caname ca-org1 --id.name peer0 --id.secret peer0pw --id.type peer --id.attrs '"hf.Registrar.Roles=peer"' --tls.certfiles ${PWD}/organizations/fabric-ca/org1/tls-cert.pem + set +x + + echo + echo "Register user" + echo + set -x + fabric-ca-client register --caname ca-org1 --id.name user1 --id.secret user1pw --id.type client --id.attrs '"hf.Registrar.Roles=client"' --tls.certfiles ${PWD}/organizations/fabric-ca/org1/tls-cert.pem + set +x + + echo + echo "Register the org admin" + echo + set -x + fabric-ca-client register --caname ca-org1 --id.name org1admin --id.secret org1adminpw --id.type admin --id.attrs '"hf.Registrar.Roles=admin"' --tls.certfiles ${PWD}/organizations/fabric-ca/org1/tls-cert.pem + set +x + + mkdir -p organizations/peerOrganizations/org1.example.com/peers + mkdir -p organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com + + echo + echo "## Generate the peer0 msp" + echo + set -x + fabric-ca-client enroll -u https://peer0:peer0pw@localhost:7054 --caname ca-org1 -M ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp --csr.hosts peer0.org1.example.com --tls.certfiles ${PWD}/organizations/fabric-ca/org1/tls-cert.pem + set +x + + cp ${PWD}/organizations/peerOrganizations/org1.example.com/msp/config.yaml ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp/config.yaml + + echo + echo "## Generate the peer0-tls certificates" + echo + set -x + fabric-ca-client enroll -u https://peer0:peer0pw@localhost:7054 --caname ca-org1 -M ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls --enrollment.profile tls --csr.hosts peer0.org1.example.com --csr.hosts localhost --tls.certfiles ${PWD}/organizations/fabric-ca/org1/tls-cert.pem + set +x + + + cp ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/tlscacerts/* ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt + cp ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/signcerts/* ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.crt + cp ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/keystore/* ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.key + + mkdir ${PWD}/organizations/peerOrganizations/org1.example.com/msp/tlscacerts + cp ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/tlscacerts/* ${PWD}/organizations/peerOrganizations/org1.example.com/msp/tlscacerts/ca.crt + + mkdir ${PWD}/organizations/peerOrganizations/org1.example.com/tlsca + cp ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/tlscacerts/* ${PWD}/organizations/peerOrganizations/org1.example.com/tlsca/tlsca.org1.example.com-cert.pem + + mkdir ${PWD}/organizations/peerOrganizations/org1.example.com/ca + cp ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp/cacerts/* ${PWD}/organizations/peerOrganizations/org1.example.com/ca/ca.org1.example.com-cert.pem + + mkdir -p organizations/peerOrganizations/org1.example.com/users + mkdir -p organizations/peerOrganizations/org1.example.com/users/User1@org1.example.com + + echo + echo "## Generate the user msp" + echo + set -x + fabric-ca-client enroll -u https://user1:user1pw@localhost:7054 --caname ca-org1 -M ${PWD}/organizations/peerOrganizations/org1.example.com/users/User1@org1.example.com/msp --tls.certfiles ${PWD}/organizations/fabric-ca/org1/tls-cert.pem + set +x + + mkdir -p organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com + + echo + echo "## Generate the org admin msp" + echo + set -x + fabric-ca-client enroll -u https://org1admin:org1adminpw@localhost:7054 --caname ca-org1 -M ${PWD}/organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp --tls.certfiles ${PWD}/organizations/fabric-ca/org1/tls-cert.pem + set +x + + cp ${PWD}/organizations/peerOrganizations/org1.example.com/msp/config.yaml ${PWD}/organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp/config.yaml + +} + + +function createOrg2 { + + echo + echo "Enroll the CA admin" + echo + mkdir -p organizations/peerOrganizations/org2.example.com/ + + export FABRIC_CA_CLIENT_HOME=${PWD}/organizations/peerOrganizations/org2.example.com/ +# rm -rf $FABRIC_CA_CLIENT_HOME/fabric-ca-client-config.yaml +# rm -rf $FABRIC_CA_CLIENT_HOME/msp + + set -x + fabric-ca-client enroll -u https://admin:adminpw@localhost:8054 --caname ca-org2 --tls.certfiles ${PWD}/organizations/fabric-ca/org2/tls-cert.pem + set +x + + echo 'NodeOUs: + Enable: true + ClientOUIdentifier: + Certificate: cacerts/localhost-8054-ca-org2.pem + OrganizationalUnitIdentifier: client + PeerOUIdentifier: + Certificate: cacerts/localhost-8054-ca-org2.pem + OrganizationalUnitIdentifier: peer + AdminOUIdentifier: + Certificate: cacerts/localhost-8054-ca-org2.pem + OrganizationalUnitIdentifier: admin + OrdererOUIdentifier: + Certificate: cacerts/localhost-8054-ca-org2.pem + OrganizationalUnitIdentifier: orderer' > ${PWD}/organizations/peerOrganizations/org2.example.com/msp/config.yaml + + echo + echo "Register peer0" + echo + set -x + fabric-ca-client register --caname ca-org2 --id.name peer0 --id.secret peer0pw --id.type peer --id.attrs '"hf.Registrar.Roles=peer"' --tls.certfiles ${PWD}/organizations/fabric-ca/org2/tls-cert.pem + set +x + + echo + echo "Register user" + echo + set -x + fabric-ca-client register --caname ca-org2 --id.name user1 --id.secret user1pw --id.type client --id.attrs '"hf.Registrar.Roles=client"' --tls.certfiles ${PWD}/organizations/fabric-ca/org2/tls-cert.pem + set +x + + echo + echo "Register the org admin" + echo + set -x + fabric-ca-client register --caname ca-org2 --id.name org2admin --id.secret org2adminpw --id.type admin --id.attrs '"hf.Registrar.Roles=admin"' --tls.certfiles ${PWD}/organizations/fabric-ca/org2/tls-cert.pem + set +x + + mkdir -p organizations/peerOrganizations/org2.example.com/peers + mkdir -p organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com + + echo + echo "## Generate the peer0 msp" + echo + set -x + fabric-ca-client enroll -u https://peer0:peer0pw@localhost:8054 --caname ca-org2 -M ${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/msp --csr.hosts peer0.org2.example.com --tls.certfiles ${PWD}/organizations/fabric-ca/org2/tls-cert.pem + set +x + + cp ${PWD}/organizations/peerOrganizations/org2.example.com/msp/config.yaml ${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/msp/config.yaml + + echo + echo "## Generate the peer0-tls certificates" + echo + set -x + fabric-ca-client enroll -u https://peer0:peer0pw@localhost:8054 --caname ca-org2 -M ${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls --enrollment.profile tls --csr.hosts peer0.org2.example.com --csr.hosts localhost --tls.certfiles ${PWD}/organizations/fabric-ca/org2/tls-cert.pem + set +x + + + cp ${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/tlscacerts/* ${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/ca.crt + cp ${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/signcerts/* ${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/server.crt + cp ${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/keystore/* ${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/server.key + + mkdir ${PWD}/organizations/peerOrganizations/org2.example.com/msp/tlscacerts + cp ${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/tlscacerts/* ${PWD}/organizations/peerOrganizations/org2.example.com/msp/tlscacerts/ca.crt + + mkdir ${PWD}/organizations/peerOrganizations/org2.example.com/tlsca + cp ${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/tlscacerts/* ${PWD}/organizations/peerOrganizations/org2.example.com/tlsca/tlsca.org2.example.com-cert.pem + + mkdir ${PWD}/organizations/peerOrganizations/org2.example.com/ca + cp ${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/msp/cacerts/* ${PWD}/organizations/peerOrganizations/org2.example.com/ca/ca.org2.example.com-cert.pem + + mkdir -p organizations/peerOrganizations/org2.example.com/users + mkdir -p organizations/peerOrganizations/org2.example.com/users/User1@org2.example.com + + echo + echo "## Generate the user msp" + echo + set -x + fabric-ca-client enroll -u https://user1:user1pw@localhost:8054 --caname ca-org2 -M ${PWD}/organizations/peerOrganizations/org2.example.com/users/User1@org2.example.com/msp --tls.certfiles ${PWD}/organizations/fabric-ca/org2/tls-cert.pem + set +x + + mkdir -p organizations/peerOrganizations/org2.example.com/users/Admin@org2.example.com + + echo + echo "## Generate the org admin msp" + echo + set -x + fabric-ca-client enroll -u https://org2admin:org2adminpw@localhost:8054 --caname ca-org2 -M ${PWD}/organizations/peerOrganizations/org2.example.com/users/Admin@org2.example.com/msp --tls.certfiles ${PWD}/organizations/fabric-ca/org2/tls-cert.pem + set +x + + cp ${PWD}/organizations/peerOrganizations/org2.example.com/msp/config.yaml ${PWD}/organizations/peerOrganizations/org2.example.com/users/Admin@org2.example.com/msp/config.yaml + +} + +function createOrderer { + + echo + echo "Enroll the CA admin" + echo + mkdir -p organizations/ordererOrganizations/example.com + + export FABRIC_CA_CLIENT_HOME=${PWD}/organizations/ordererOrganizations/example.com +# rm -rf $FABRIC_CA_CLIENT_HOME/fabric-ca-client-config.yaml +# rm -rf $FABRIC_CA_CLIENT_HOME/msp + + set -x + fabric-ca-client enroll -u https://admin:adminpw@localhost:9054 --caname ca-orderer --tls.certfiles ${PWD}/organizations/fabric-ca/ordererOrg/tls-cert.pem + set +x + + echo 'NodeOUs: + Enable: true + ClientOUIdentifier: + Certificate: cacerts/localhost-9054-ca-orderer.pem + OrganizationalUnitIdentifier: client + PeerOUIdentifier: + Certificate: cacerts/localhost-9054-ca-orderer.pem + OrganizationalUnitIdentifier: peer + AdminOUIdentifier: + Certificate: cacerts/localhost-9054-ca-orderer.pem + OrganizationalUnitIdentifier: admin + OrdererOUIdentifier: + Certificate: cacerts/localhost-9054-ca-orderer.pem + OrganizationalUnitIdentifier: orderer' > ${PWD}/organizations/ordererOrganizations/example.com/msp/config.yaml + + + echo + echo "Register orderer" + echo + set -x + fabric-ca-client register --caname ca-orderer --id.name orderer --id.secret ordererpw --id.type orderer --id.attrs '"hf.Registrar.Roles=orderer"' --tls.certfiles ${PWD}/organizations/fabric-ca/ordererOrg/tls-cert.pem + set +x + + echo + echo "Register the orderer admin" + echo + set -x + fabric-ca-client register --caname ca-orderer --id.name ordererAdmin --id.secret ordererAdminpw --id.type admin --id.attrs '"hf.Registrar.Roles=admin"' --tls.certfiles ${PWD}/organizations/fabric-ca/ordererOrg/tls-cert.pem + set +x + + mkdir -p organizations/ordererOrganizations/example.com/orderers + mkdir -p organizations/ordererOrganizations/example.com/orderers/example.com + + mkdir -p organizations/ordererOrganizations/example.com/orderers/orderer.example.com + + echo + echo "## Generate the orderer msp" + echo + set -x + fabric-ca-client enroll -u https://orderer:ordererpw@localhost:9054 --caname ca-orderer -M ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/msp --csr.hosts orderer.example.com --tls.certfiles ${PWD}/organizations/fabric-ca/ordererOrg/tls-cert.pem + set +x + + cp ${PWD}/organizations/ordererOrganizations/example.com/msp/config.yaml ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/msp/config.yaml + + echo + echo "## Generate the orderer-tls certificates" + echo + set -x + fabric-ca-client enroll -u https://orderer:ordererpw@localhost:9054 --caname ca-orderer -M ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls --enrollment.profile tls --csr.hosts orderer.example.com --tls.certfiles ${PWD}/organizations/fabric-ca/ordererOrg/tls-cert.pem + set +x + + cp ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls/tlscacerts/* ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls/ca.crt + cp ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls/signcerts/* ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls/server.crt + cp ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls/keystore/* ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls/server.key + + mkdir ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts + cp ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls/tlscacerts/* ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem + + mkdir ${PWD}/organizations/ordererOrganizations/example.com/msp/tlscacerts + cp ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls/tlscacerts/* ${PWD}/organizations/ordererOrganizations/example.com/msp/tlscacerts/tlsca.example.com-cert.pem + + mkdir -p organizations/ordererOrganizations/example.com/users + mkdir -p organizations/ordererOrganizations/example.com/users/Admin@example.com + + echo + echo "## Generate the admin msp" + echo + set -x + fabric-ca-client enroll -u https://ordererAdmin:ordererAdminpw@localhost:9054 --caname ca-orderer -M ${PWD}/organizations/ordererOrganizations/example.com/users/Admin@example.com/msp --tls.certfiles ${PWD}/organizations/fabric-ca/ordererOrg/tls-cert.pem + set +x + + cp ${PWD}/organizations/ordererOrganizations/example.com/msp/config.yaml ${PWD}/organizations/ordererOrganizations/example.com/users/Admin@example.com/msp/config.yaml + + +} diff --git a/test-network/scripts/createChannel.sh b/test-network/scripts/createChannel.sh new file mode 100755 index 0000000000..d9f6e153ea --- /dev/null +++ b/test-network/scripts/createChannel.sh @@ -0,0 +1,167 @@ +#!/bin/bash + + +CHANNEL_NAME="$1" +DELAY="$2" +MAX_RETRY="$3" +VERBOSE="$4" +: ${CHANNEL_NAME:="mychannel"} +: ${DELAY:="3"} +: ${MAX_RETRY:="5"} +: ${VERBOSE:="false"} +COUNTER=1 + +# import utils +. scripts/envVar.sh + +if [ ! -d "channel-artifacts" ]; then + mkdir channel-artifacts +fi + +createChannelTx() { + + set -x + configtxgen -profile TwoOrgsChannel -outputCreateChannelTx ./channel-artifacts/${CHANNEL_NAME}.tx -channelID $CHANNEL_NAME + res=$? + set +x + if [ $res -ne 0 ]; then + echo "Failed to generate channel configuration transaction..." + exit 1 + fi + echo + +} + +createAncorPeerTx() { + + for orgmsp in Org1MSP Org2MSP; do + + echo "####### Generating anchor peer update for ${orgmsp} ##########" + set -x + configtxgen -profile TwoOrgsChannel -outputAnchorPeersUpdate ./channel-artifacts/${orgmsp}anchors.tx -channelID $CHANNEL_NAME -asOrg ${orgmsp} + res=$? + set +x + if [ $res -ne 0 ]; then + echo "Failed to generate anchor peer update for ${orgmsp}..." + exit 1 + fi + echo + done +} + +createChannel() { + setGlobals 1 + + # Poll in case the raft leader is not set yet + local rc=1 + if [ $rc -ne 0 -a $COUNTER -lt $MAX_RETRY ]; then + COUNTER=$(expr $COUNTER + 1) + sleep $DELAY + if [ -z "$CORE_PEER_TLS_ENABLED" -o "$CORE_PEER_TLS_ENABLED" = "false" ]; then + set -x + peer channel create -o localhost:7050 -c $CHANNEL_NAME -f ./channel-artifacts/${CHANNEL_NAME}.tx --outputBlock ./channel-artifacts/${CHANNEL_NAME}.block >&log.txt + res=$? + set +x + else + set -x + peer channel create -o localhost:7050 -c $CHANNEL_NAME --ordererTLSHostnameOverride orderer.example.com -f ./channel-artifacts/${CHANNEL_NAME}.tx --outputBlock ./channel-artifacts/${CHANNEL_NAME}.block --tls $CORE_PEER_TLS_ENABLED --cafile $ORDERER_CA >&log.txt + res=$? + set +x + fi + test $res -eq 0 || let rc=1 + else + COUNTER=1 + fi + cat log.txt + verifyResult $res "Channel creation failed" + echo "===================== Channel '$CHANNEL_NAME' created ===================== " + echo +} + +# queryCommitted ORG +joinChannel() { + ORG=$1 + setGlobals $ORG + local rc=1 + ## Sometimes Join takes time, hence retry + if [ $rc -ne 0 -a $COUNTER -lt $MAX_RETRY ]; then + COUNTER=$(expr $COUNTER + 1) + sleep $DELAY + set -x + peer channel join -b ./channel-artifacts/$CHANNEL_NAME.block >&log.txt + res=$? + set +x + test $res -eq 0 || let rc=1 + else + COUNTER=1 + echo "peer0.org${ORG} failed to join the channel, Retry after $DELAY seconds" + fi + cat log.txt + echo + verifyResult $res "After $MAX_RETRY attempts, peer0.org${ORG} has failed to join channel '$CHANNEL_NAME' " +} + +updateAnchorPeers() { + ORG=$1 + setGlobals $ORG + + if [ -z "$CORE_PEER_TLS_ENABLED" -o "$CORE_PEER_TLS_ENABLED" = "false" ]; then + set -x + peer channel update -o localhost:7050 --ordererTLSHostnameOverride orderer.example.com -c $CHANNEL_NAME -f ./channel-artifacts/${CORE_PEER_LOCALMSPID}anchors.tx >&log.txt + res=$? + set +x + else + set -x + peer channel update -o localhost:7050 --ordererTLSHostnameOverride orderer.example.com -c $CHANNEL_NAME -f ./channel-artifacts/${CORE_PEER_LOCALMSPID}anchors.tx --tls $CORE_PEER_TLS_ENABLED --cafile $ORDERER_CA >&log.txt + res=$? + set +x + fi + cat log.txt + verifyResult $res "Anchor peer update failed" + echo "===================== Anchor peers updated for org '$CORE_PEER_LOCALMSPID' on channel '$CHANNEL_NAME' ===================== " + sleep $DELAY + echo +} + +verifyResult() { + if [ $1 -ne 0 ]; then + echo "!!!!!!!!!!!!!!! "$2" !!!!!!!!!!!!!!!!" + echo "========= ERROR !!! FAILED to execute End-2-End Scenario ===========" + echo + exit 1 + fi +} + +FABRIC_CFG_PATH=${PWD}/configtx + +## Create channeltx +echo "### Generating channel configuration transaction '${CHANNEL_NAME}.tx' ###" +createChannelTx + +## Create anchorpeertx +echo "### Generating channel configuration transaction '${CHANNEL_NAME}.tx' ###" +createAncorPeerTx + +FABRIC_CFG_PATH=$PWD/../config/ + +## Create channel +echo "Creating channel "$CHANNEL_NAME +createChannel + +## Join all the peers to the channel +echo "Join Org1 peers to the channel..." +joinChannel 1 +echo "Join Org2 peers to the channel..." +joinChannel 2 + +## Set the anchor peers for each org in the channel +echo "Updating anchor peers for org1..." +updateAnchorPeers 1 +echo "Updating anchor peers for org2..." +updateAnchorPeers 2 + +echo +echo "========= Channel successfully joined =========== " +echo + +exit 0 diff --git a/test-network/scripts/deployCC.sh b/test-network/scripts/deployCC.sh new file mode 100755 index 0000000000..da35021af5 --- /dev/null +++ b/test-network/scripts/deployCC.sh @@ -0,0 +1,325 @@ + +CHANNEL_NAME="$1" +CC_RUNTIME_LANGUAGE="$2" +VERSION="$3" +DELAY="$4" +MAX_RETRY="$5" +VERBOSE="$6" +: ${CHANNEL_NAME:="mychannel"} +: ${CC_RUNTIME_LANGUAGE:="golang"} +: ${VERSION:="1"} +: ${DELAY:="3"} +: ${MAX_RETRY:="5"} +: ${VERBOSE:="false"} +CC_RUNTIME_LANGUAGE=`echo "$CC_RUNTIME_LANGUAGE" | tr [:upper:] [:lower:]` +COUNTER=1 + +FABRIC_CFG_PATH=$PWD/../config/ + +if [ "$CC_RUNTIME_LANGUAGE" = "go" -o "$CC_RUNTIME_LANGUAGE" = "golang" ]; then + CC_RUNTIME_LANGUAGE=golang + CC_SRC_PATH="../chaincode/fabcar/go/" +elif [ "$CC_RUNTIME_LANGUAGE" = "javascript" ]; then + CC_RUNTIME_LANGUAGE=node # chaincode runtime language is node.js + CC_SRC_PATH="../chaincode/fabcar/javascript/" +elif [ "$CC_RUNTIME_LANGUAGE" = "java" ]; then + CC_RUNTIME_LANGUAGE=java + CC_SRC_PATH="../chaincode/fabcar/java/" +else + echo The chaincode language ${CC_RUNTIME_LANGUAGE} is not supported by this script + echo Supported chaincode languages are: go, javascript, java + exit 1 +fi + +# import utils +. scripts/envVar.sh + + +packageChaincode() { + ORG=$1 + setGlobals $ORG + set -x + peer lifecycle chaincode package fabcar.tar.gz --path ${CC_SRC_PATH} --lang ${CC_RUNTIME_LANGUAGE} --label fabcar_${VERSION} >&log.txt + res=$? + set +x + cat log.txt + verifyResult $res "Chaincode packaging on peer0.org${ORG} has failed" + echo "===================== Chaincode is packaged on peer0.org${ORG} ===================== " + echo +} + +# installChaincode PEER ORG +installChaincode() { + ORG=$1 + setGlobals $ORG + set -x + peer lifecycle chaincode install fabcar.tar.gz >&log.txt + res=$? + set +x + cat log.txt + verifyResult $res "Chaincode installation on peer0.org${ORG} has failed" + echo "===================== Chaincode is installed on peer0.org${ORG} ===================== " + echo +} + +# queryInstalled PEER ORG +queryInstalled() { + ORG=$1 + setGlobals $ORG + set -x + peer lifecycle chaincode queryinstalled >&log.txt + res=$? + set +x + cat log.txt + PACKAGE_ID=$(sed -n "/fabcar_${VERSION}/{s/^Package ID: //; s/, Label:.*$//; p;}" log.txt) + verifyResult $res "Query installed on peer0.org${ORG} has failed" + echo PackageID is ${PACKAGE_ID} + echo "===================== Query installed successful on peer0.org${ORG} on channel ===================== " + echo +} + +# approveForMyOrg VERSION PEER ORG +approveForMyOrg() { + ORG=$1 + setGlobals $ORG + + if [ -z "$CORE_PEER_TLS_ENABLED" -o "$CORE_PEER_TLS_ENABLED" = "false" ]; then + set -x + peer lifecycle chaincode approveformyorg -o localhost:7050 --channelID $CHANNEL_NAME --name fabcar --version ${VERSION} --init-required --package-id ${PACKAGE_ID} --sequence ${VERSION} --waitForEvent >&log.txt + set +x + else + set -x + peer lifecycle chaincode approveformyorg -o localhost:7050 --ordererTLSHostnameOverride orderer.example.com --tls $CORE_PEER_TLS_ENABLED --cafile $ORDERER_CA --channelID $CHANNEL_NAME --name fabcar --version ${VERSION} --init-required --package-id ${PACKAGE_ID} --sequence ${VERSION} >&log.txt + set +x + fi + cat log.txt + verifyResult $res "Chaincode definition approved on peer0.org${ORG} on channel '$CHANNEL_NAME' failed" + echo "===================== Chaincode definition approved on peer0.org${ORG} on channel '$CHANNEL_NAME' ===================== " + echo +} + +# commitChaincodeDefinition VERSION PEER ORG (PEER ORG)... +commitChaincodeDefinition() { + parsePeerConnectionParameters $@ + res=$? + verifyResult $res "Invoke transaction failed on channel '$CHANNEL_NAME' due to uneven number of peer and org parameters " + + # while 'peer chaincode' command can get the orderer endpoint from the + # peer (if join was successful), let's supply it directly as we know + # it using the "-o" option + if [ -z "$CORE_PEER_TLS_ENABLED" -o "$CORE_PEER_TLS_ENABLED" = "false" ]; then + set -x + peer lifecycle chaincode commit -o localhost:7050 --channelID $CHANNEL_NAME --name fabcar $PEER_CONN_PARMS --version ${VERSION} --sequence ${VERSION} --init-required >&log.txt + res=$? + set +x + else + set -x + peer lifecycle chaincode commit -o localhost:7050 --ordererTLSHostnameOverride orderer.example.com --tls $CORE_PEER_TLS_ENABLED --cafile $ORDERER_CA --channelID $CHANNEL_NAME --name fabcar $PEER_CONN_PARMS --version ${VERSION} --sequence ${VERSION} --init-required >&log.txt + res=$? + set +x + fi + cat log.txt + verifyResult $res "Chaincode definition commit failed on peer0.org${ORG} on channel '$CHANNEL_NAME' failed" + echo "===================== Chaincode definition committed on channel '$CHANNEL_NAME' ===================== " + echo +} + +# checkCommitReadiness VERSION PEER ORG +checkCommitReadiness() { + ORG=$1 + shift 1 + setGlobals $ORG + echo "===================== Checking the commit readiness of the chaincode definition on peer0.org${ORG} on channel '$CHANNEL_NAME'... ===================== " + local rc=1 + # continue to poll + # we either get a successful response, or reach MAX RETRY + if [ $rc -ne 0 -a $COUNTER -lt $MAX_RETRY ]; then + COUNTER=$(expr $COUNTER + 1) + sleep $DELAY + echo "Attempting to check the commit readiness of the chaincode definition on peer0.org${ORG} secs" + set -x + peer lifecycle chaincode checkcommitreadiness --channelID $CHANNEL_NAME --name fabcar $PEER_CONN_PARMS --version ${VERSION} --sequence ${VERSION} --output json --init-required >&log.txt + res=$? + set +x + test $res -eq 0 || let rc=1 + else + COUNTER=1 + fi + for var in "$@" + do + grep "$var" log.txt &>/dev/null || let rc=1 + done + echo + cat log.txt + if test $rc -eq 1; then + echo "===================== Checking the commit readiness of the chaincode definition successful on peer0.org${ORG} on channel '$CHANNEL_NAME' ===================== " + else + echo "!!!!!!!!!!!!!!! After $MAX_RETRY attempts, Check commit readiness result on peer0.org${ORG} is INVALID !!!!!!!!!!!!!!!!" + echo "================== ERROR !!! FAILED to execute End-2-End Scenario ==================" + echo + exit 1 + fi +} + +# queryCommitted ORG +queryCommitted() { + ORG=$1 + setGlobals $ORG + EXPECTED_RESULT="Version: ${VERSION}, Sequence: ${VERSION}, Endorsement Plugin: escc, Validation Plugin: vscc" + echo "===================== Querying chaincode definition on peer0.org${ORG} on channel '$CHANNEL_NAME'... ===================== " + local rc=1 + # continue to poll + # we either get a successful response, or reach MAX RETRY + if [ $rc -ne 0 -a $COUNTER -lt $MAX_RETRY ]; then + COUNTER=$(expr $COUNTER + 1) + sleep $DELAY + echo "Attempting to Query committed status on peer0.org${ORG}, Retry after $DELAY seconds." + set -x + peer lifecycle chaincode querycommitted --channelID $CHANNEL_NAME --name fabcar >&log.txt + res=$? + set +x + test $res -eq 0 || let rc=1 + else + COUNTER=1 + fi + echo + cat log.txt + if test $rc -eq 1; then + echo "===================== Query chaincode definition successful on peer0.org${ORG} on channel '$CHANNEL_NAME' ===================== " + else + echo "!!!!!!!!!!!!!!! After $MAX_RETRY attempts, Query chaincode definition result on peer0.org${ORG} is INVALID !!!!!!!!!!!!!!!!" + echo "================== ERROR !!! FAILED to execute End-2-End Scenario ==================" + echo + exit 1 + fi +} + +chaincodeInvokeInit() { + parsePeerConnectionParameters $@ + res=$? + verifyResult $res "Invoke transaction failed on channel '$CHANNEL_NAME' due to uneven number of peer and org parameters " + + # while 'peer chaincode' command can get the orderer endpoint from the + # peer (if join was successful), let's supply it directly as we know + # it using the "-o" option + if [ -z "$CORE_PEER_TLS_ENABLED" -o "$CORE_PEER_TLS_ENABLED" = "false" ]; then + set -x + peer chaincode invoke -o localhost:7050 -C $CHANNEL_NAME -n fabcar $PEER_CONN_PARMS --isInit -c '{"function":"init","Args":[]}' >&log.txt + res=$? + set +x + else + set -x + peer chaincode invoke -o localhost:7050 --ordererTLSHostnameOverride orderer.example.com --tls $CORE_PEER_TLS_ENABLED --cafile $ORDERER_CA -C $CHANNEL_NAME -n fabcar $PEER_CONN_PARMS --isInit -c '{"function":"initLedger","Args":[]}' >&log.txt + res=$? + set +x + fi + cat log.txt + verifyResult $res "Invoke execution on $PEERS failed " + echo "===================== Invoke transaction successful on $PEERS on channel '$CHANNEL_NAME' ===================== " + echo +} + +chaincodeInvoke() { + parsePeerConnectionParameters $@ + res=$? + verifyResult $res "Invoke transaction failed on channel '$CHANNEL_NAME' due to uneven number of peer and org parameters " + + # while 'peer chaincode' command can get the orderer endpoint from the + # peer (if join was successful), let's supply it directly as we know + # it using the "-o" option + if [ -z "$CORE_PEER_TLS_ENABLED" -o "$CORE_PEER_TLS_ENABLED" = "false" ]; then + set -x + peer chaincode invoke -o localhost:7050 -C $CHANNEL_NAME -n fabcar $PEER_CONN_PARMS -c '{"function":"initLedger","Args":[]}' >&log.txt + res=$? + set +x + else + set -x + peer chaincode invoke -o localhost:7050 --ordererTLSHostnameOverride orderer.example.com --tls $CORE_PEER_TLS_ENABLED --cafile $ORDERER_CA -C $CHANNEL_NAME -n fabcar $PEER_CONN_PARMS -c '{"function":"initLedger","Args":[]}' >&log.txt + res=$? + set +x + fi + cat log.txt + verifyResult $res "Invoke execution on $PEERS failed " + echo "===================== Invoke transaction successful on $PEERS on channel '$CHANNEL_NAME' ===================== " + echo +} + +chaincodeQuery() { + ORG=$1 + setGlobals $ORG + echo "===================== Querying on peer0.org${ORG} on channel '$CHANNEL_NAME'... ===================== " + local rc=1 + # continue to poll + # we either get a successful response, or reach MAX RETRY + if [ $rc -ne 0 -a $COUNTER -lt $MAX_RETRY ]; then + COUNTER=$(expr $COUNTER + 1) + sleep $DELAY + echo "Attempting to Query peer0.org${ORG} ...$(($(date +%s) - starttime)) secs" + set -x + peer chaincode query -C $CHANNEL_NAME -n fabcar -c '{"Args":["queryAllCars"]}' >&log.txt + res=$? + set +x + test $res -eq 0 || let rc=1 + else + COUNTER=1 + fi + echo + cat log.txt + if test $rc -eq 1; then + echo "===================== Query successful on peer0.org${ORG} on channel '$CHANNEL_NAME' ===================== " + else + echo "!!!!!!!!!!!!!!! After $MAX_RETRY attempts, Query result on peer0.org${ORG} is INVALID !!!!!!!!!!!!!!!!" + echo "================== ERROR !!! FAILED to execute End-2-End Scenario ==================" + echo + exit 1 + fi +} + +## at first we package the chaincode +packageChaincode 1 + +## Install chaincode on peer0.org1 and peer0.org2 +echo "Installing chaincode on peer0.org1..." +installChaincode 1 +echo "Install chaincode on peer0.org2..." +installChaincode 2 + +## query whether the chaincode is installed +queryInstalled 1 + +## approve the definition for org1 +approveForMyOrg 1 + +## check whether the chaincode definition is ready to be committed +## expect org1 to have approved and org2 not to +checkCommitReadiness 1 "\"Org1MSP\": true" "\"Org2MSP\": false" +checkCommitReadiness 2 "\"Org1MSP\": true" "\"Org2MSP\": false" + +## now approve also for org2 +approveForMyOrg 2 + +## check whether the chaincode definition is ready to be committed +## expect them both to have approved +checkCommitReadiness 1 "\"Org1MSP\": true" "\"Org2MSP\": true" +checkCommitReadiness 2 "\"Org1MSP\": true" "\"Org2MSP\": true" + +## now that we know for sure both orgs have approved, commit the definition +commitChaincodeDefinition 1 2 + +## query on both orgs to see that the definition committed successfully +queryCommitted 1 +queryCommitted 2 + +## Invoke the chaincode +chaincodeInvokeInit 1 2 + +sleep 10 + +## Invoke the chaincode +chaincodeInvoke 1 2 + +# Query chaincode on peer0.org1 +echo "Querying chaincode on peer0.org1..." +chaincodeQuery 1 + +exit 0 diff --git a/test-network/scripts/envVar.sh b/test-network/scripts/envVar.sh new file mode 100755 index 0000000000..5c684b137b --- /dev/null +++ b/test-network/scripts/envVar.sh @@ -0,0 +1,81 @@ +# +# Copyright IBM Corp All Rights Reserved +# +# SPDX-License-Identifier: Apache-2.0 +# + +# This is a collection of bash functions used by different scripts + +export CORE_PEER_TLS_ENABLED=true +export ORDERER_CA=${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem +export PEER0_ORG1_CA=${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt +export PEER0_ORG2_CA=${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/ca.crt +export PEER0_ORG3_CA=${PWD}/organizations/peerOrganizations/org3.example.com/peers/peer0.org3.example.com/tls/ca.crt + +# Set OrdererOrg.Admin globals +setOrdererGlobals() { + export CORE_PEER_LOCALMSPID="OrdererMSP" + export CORE_PEER_TLS_ROOTCERT_FILE=${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem + export CORE_PEER_MSPCONFIGPATH=${PWD}/organizations/ordererOrganizations/example.com/users/Admin@example.com/msp +} + +# Set environment variables for the peer org +setGlobals() { + ORG=$1 + if [ $ORG -eq 1 ]; then + export CORE_PEER_LOCALMSPID="Org1MSP" + export CORE_PEER_TLS_ROOTCERT_FILE=$PEER0_ORG1_CA + export CORE_PEER_MSPCONFIGPATH=${PWD}/organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp + export CORE_PEER_ADDRESS=localhost:7051 + elif [ $ORG -eq 2 ]; then + export CORE_PEER_LOCALMSPID="Org2MSP" + export CORE_PEER_TLS_ROOTCERT_FILE=$PEER0_ORG2_CA + export CORE_PEER_MSPCONFIGPATH=${PWD}/organizations/peerOrganizations/org2.example.com/users/Admin@org2.example.com/msp + export CORE_PEER_ADDRESS=localhost:9051 + + elif [ $ORG -eq 3 ]; then + export CORE_PEER_LOCALMSPID="Org3MSP" + export CORE_PEER_TLS_ROOTCERT_FILE=$PEER0_ORG3_CA + export CORE_PEER_MSPCONFIGPATH=${PWD}/organizations/peerOrganizations/org3.example.com/users/Admin@org3.example.com/msp + export CORE_PEER_ADDRESS=localhost:11051 + else + echo "================== ERROR !!! ORG Unknown ==================" + fi + + if [ "$VERBOSE" == "true" ]; then + env | grep CORE + fi +} + +# parsePeerConnectionParameters $@ +# Helper function that takes the parameters from a chaincode operation +# (e.g. invoke, query, instantiate) and checks for an even number of +# peers and associated org, then sets $PEER_CONN_PARMS and $PEERS +parsePeerConnectionParameters() { + # check for uneven number of peer and org parameters + + PEER_CONN_PARMS="" + PEERS="" + while [ "$#" -gt 0 ]; do + setGlobals $1 + PEER="peer0.org$1" + PEERS="$PEERS $PEER" + PEER_CONN_PARMS="$PEER_CONN_PARMS --peerAddresses $CORE_PEER_ADDRESS" + if [ -z "$CORE_PEER_TLS_ENABLED" -o "$CORE_PEER_TLS_ENABLED" = "true" ]; then + TLSINFO=$(eval echo "--tlsRootCertFiles \$PEER0_ORG$1_CA") + PEER_CONN_PARMS="$PEER_CONN_PARMS $TLSINFO" + fi + # shift by two to get the next pair of peer/org parameters + shift + done + # remove leading space for output + PEERS="$(echo -e "$PEERS" | sed -e 's/^[[:space:]]*//')" +} + +verifyResult() { + if [ $1 -ne 0 ]; then + echo "!!!!!!!!!!!!!!! "$2" !!!!!!!!!!!!!!!!" + echo + exit 1 + fi +} diff --git a/test-network/scripts/org3-scripts/envVarCLI.sh b/test-network/scripts/org3-scripts/envVarCLI.sh new file mode 100644 index 0000000000..a4e5b0923d --- /dev/null +++ b/test-network/scripts/org3-scripts/envVarCLI.sh @@ -0,0 +1,79 @@ +# +# Copyright IBM Corp All Rights Reserved +# +# SPDX-License-Identifier: Apache-2.0 +# + +# This is a collection of bash functions used by different scripts + +ORDERER_CA=/opt/gopath/src/github.com/hyperledger/fabric/peer/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem +PEER0_ORG1_CA=/opt/gopath/src/github.com/hyperledger/fabric/peer/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt +PEER0_ORG2_CA=/opt/gopath/src/github.com/hyperledger/fabric/peer/organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/ca.crt +PEER0_ORG3_CA=/opt/gopath/src/github.com/hyperledger/fabric/peer/organizations/peerOrganizations/org3.example.com/peers/peer0.org3.example.com/tls/ca.crt + +# Set OrdererOrg.Admin globals +setOrdererGlobals() { + CORE_PEER_LOCALMSPID="OrdererMSP" + CORE_PEER_TLS_ROOTCERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem + CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/organizations/ordererOrganizations/example.com/users/Admin@example.com/msp +} + +# Set environment variables for the peer org +setGlobals() { + ORG=$1 + if [ $ORG -eq 1 ]; then + CORE_PEER_LOCALMSPID="Org1MSP" + CORE_PEER_TLS_ROOTCERT_FILE=$PEER0_ORG1_CA + CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp + CORE_PEER_ADDRESS=peer0.org1.example.com:7051 + elif [ $ORG -eq 2 ]; then + CORE_PEER_LOCALMSPID="Org2MSP" + CORE_PEER_TLS_ROOTCERT_FILE=$PEER0_ORG2_CA + CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/organizations/peerOrganizations/org2.example.com/users/Admin@org2.example.com/msp + CORE_PEER_ADDRESS=peer0.org2.example.com:9051 + elif [ $ORG -eq 3 ]; then + CORE_PEER_LOCALMSPID="Org3MSP" + CORE_PEER_TLS_ROOTCERT_FILE=$PEER0_ORG3_CA + CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/organizations/peerOrganizations/org3.example.com/users/Admin@org3.example.com/msp + CORE_PEER_ADDRESS=peer0.org3.example.com:11051 + else + echo "================== ERROR !!! ORG Unknown ==================" + fi + + if [ "$VERBOSE" == "true" ]; then + env | grep CORE + fi +} + +# parsePeerConnectionParameters $@ +# Helper function that takes the parameters from a chaincode operation +# (e.g. invoke, query, instantiate) and checks for an even number of +# peers and associated org, then sets $PEER_CONN_PARMS and $PEERS +parsePeerConnectionParameters() { + # check for uneven number of peer and org parameters + + PEER_CONN_PARMS="" + PEERS="" + while [ "$#" -gt 0 ]; do + setGlobals $1 + PEER="peer0.org$1" + PEERS="$PEERS $PEER" + PEER_CONN_PARMS="$PEER_CONN_PARMS --peerAddresses $CORE_PEER_ADDRESS" + if [ -z "$CORE_PEER_TLS_ENABLED" -o "$CORE_PEER_TLS_ENABLED" = "true" ]; then + TLSINFO=$(eval echo "--tlsRootCertFiles \$PEER0_ORG$1_CA") + PEER_CONN_PARMS="$PEER_CONN_PARMS $TLSINFO" + fi + # shift by two to get the next pair of peer/org parameters + shift + done + # remove leading space for output + PEERS="$(echo -e "$PEERS" | sed -e 's/^[[:space:]]*//')" +} + +verifyResult() { + if [ $1 -ne 0 ]; then + echo "!!!!!!!!!!!!!!! "$2" !!!!!!!!!!!!!!!!" + echo + exit 1 + fi +} diff --git a/test-network/scripts/org3-scripts/step1org3.sh b/test-network/scripts/org3-scripts/step1org3.sh new file mode 100755 index 0000000000..87a3d29a61 --- /dev/null +++ b/test-network/scripts/org3-scripts/step1org3.sh @@ -0,0 +1,122 @@ +#!/bin/bash +# +# Copyright IBM Corp. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +# + +# This script is designed to be run in the org3cli container as the +# first step of the EYFN tutorial. It creates and submits a +# configuration transaction to add org3 to the test network +# + +CHANNEL_NAME="$1" +DELAY="$2" +TIMEOUT="$3" +VERBOSE="$4" +: ${CHANNEL_NAME:="mychannel"} +: ${DELAY:="3"} +: ${TIMEOUT:="10"} +: ${VERBOSE:="false"} +COUNTER=1 +MAX_RETRY=5 + + +# import environment variables +. scripts/org3-scripts/envVarCLI.sh + + +# fetchChannelConfig +# Writes the current channel config for a given channel to a JSON file +fetchChannelConfig() { + ORG=$1 + CHANNEL=$2 + OUTPUT=$3 + + setOrdererGlobals + + setGlobals $ORG + + echo "Fetching the most recent configuration block for the channel" + if [ -z "$CORE_PEER_TLS_ENABLED" -o "$CORE_PEER_TLS_ENABLED" = "false" ]; then + set -x + peer channel fetch config config_block.pb -o orderer.example.com:7050 -c $CHANNEL --cafile $ORDERER_CA + set +x + else + set -x + peer channel fetch config config_block.pb -o orderer.example.com:7050 --ordererTLSHostnameOverride orderer.example.com -c $CHANNEL --tls --cafile $ORDERER_CA + set +x + fi + + echo "Decoding config block to JSON and isolating config to ${OUTPUT}" + set -x + configtxlator proto_decode --input config_block.pb --type common.Block | jq .data.data[0].payload.data.config >"${OUTPUT}" + set +x +} + +# createConfigUpdate +# Takes an original and modified config, and produces the config update tx +# which transitions between the two +createConfigUpdate() { + CHANNEL=$1 + ORIGINAL=$2 + MODIFIED=$3 + OUTPUT=$4 + + set -x + configtxlator proto_encode --input "${ORIGINAL}" --type common.Config >original_config.pb + configtxlator proto_encode --input "${MODIFIED}" --type common.Config >modified_config.pb + configtxlator compute_update --channel_id "${CHANNEL}" --original original_config.pb --updated modified_config.pb >config_update.pb + configtxlator proto_decode --input config_update.pb --type common.ConfigUpdate >config_update.json + echo '{"payload":{"header":{"channel_header":{"channel_id":"'$CHANNEL'", "type":2}},"data":{"config_update":'$(cat config_update.json)'}}}' | jq . >config_update_in_envelope.json + configtxlator proto_encode --input config_update_in_envelope.json --type common.Envelope >"${OUTPUT}" + set +x +} + +# signConfigtxAsPeerOrg +# Set the peerOrg admin of an org and signing the config update +signConfigtxAsPeerOrg() { + PEERORG=$1 + TX=$2 + setGlobals $PEERORG + set -x + peer channel signconfigtx -f "${TX}" + set +x +} + +echo +echo "========= Creating config transaction to add org3 to network =========== " +echo + +# Fetch the config for the channel, writing it to config.json +fetchChannelConfig 1 ${CHANNEL_NAME} config.json + +# Modify the configuration to append the new org +set -x +jq -s '.[0] * {"channel_group":{"groups":{"Application":{"groups": {"Org3MSP":.[1]}}}}}' config.json ./organizations/peerOrganizations/org3.example.com/org3.json > modified_config.json +set +x + +# Compute a config update, based on the differences between config.json and modified_config.json, write it as a transaction to org3_update_in_envelope.pb +createConfigUpdate ${CHANNEL_NAME} config.json modified_config.json org3_update_in_envelope.pb + +echo +echo "========= Config transaction to add org3 to network created ===== " +echo + +echo "Signing config transaction" +echo +signConfigtxAsPeerOrg 1 org3_update_in_envelope.pb + +echo +echo "========= Submitting transaction from a different peer (peer0.org2) which also signs it ========= " +echo +setGlobals 2 +set -x +peer channel update -f org3_update_in_envelope.pb -c ${CHANNEL_NAME} -o orderer.example.com:7050 --ordererTLSHostnameOverride orderer.example.com --tls --cafile ${ORDERER_CA} +set +x + +echo +echo "========= Config transaction to add org3 to network submitted! =========== " +echo + +exit 0 diff --git a/test-network/scripts/org3-scripts/step2org3.sh b/test-network/scripts/org3-scripts/step2org3.sh new file mode 100755 index 0000000000..7b65b7e87e --- /dev/null +++ b/test-network/scripts/org3-scripts/step2org3.sh @@ -0,0 +1,68 @@ +#!/bin/bash +# +# Copyright IBM Corp. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +# + +# This script is designed to be run in the org3cli container as the +# second step of the EYFN tutorial. It joins the org3 peers to the +# channel previously setup in the BYFN tutorial and install the +# chaincode as version 2.0 on peer0.org3. +# + +echo +echo "========= Getting Org3 on to your first network ========= " +echo +CHANNEL_NAME="$1" +DELAY="$2" +TIMEOUT="$3" +VERBOSE="$4" +: ${CHANNEL_NAME:="mychannel"} +: ${DELAY:="3"} +: ${TIMEOUT:="10"} +: ${VERBOSE:="false"} +COUNTER=1 +MAX_RETRY=5 + +# import environment variables +. scripts/org3-scripts/envVarCLI.sh + +## Sometimes Join takes time hence RETRY at least 5 times +joinChannelWithRetry() { + ORG=$1 + setGlobals $ORG + + set -x + peer channel join -b $CHANNEL_NAME.block >&log.txt + res=$? + set +x + cat log.txt + if [ $res -ne 0 -a $COUNTER -lt $MAX_RETRY ]; then + COUNTER=$(expr $COUNTER + 1) + echo "peer0.org${ORG} failed to join the channel, Retry after $DELAY seconds" + sleep $DELAY + joinChannelWithRetry $PEER $ORG + else + COUNTER=1 + fi + verifyResult $res "After $MAX_RETRY attempts, peer0.org${ORG} has failed to join channel '$CHANNEL_NAME' " +} + + +echo "Fetching channel config block from orderer..." +set -x +peer channel fetch 0 $CHANNEL_NAME.block -o orderer.example.com:7050 --ordererTLSHostnameOverride orderer.example.com -c $CHANNEL_NAME --tls --cafile $ORDERER_CA >&log.txt +res=$? +set +x +cat log.txt +verifyResult $res "Fetching config block from orderer has Failed" + +joinChannelWithRetry 3 +echo "===================== peer0.org3 joined channel '$CHANNEL_NAME' ===================== " + +echo +echo "========= Finished adding Org3 to your first network! ========= " +echo + +exit 0 diff --git a/test-network/system-genesis-block/.gitkeep b/test-network/system-genesis-block/.gitkeep new file mode 100644 index 0000000000..e69de29bb2