华为云区块链的跨云联通能力构建

【小宅按】区块链本质上是一种团队活动，成功源自相互的开放与协作。真实业务驱动的区块链需要多方服务提供商的参与，而且客户拥有对区块链网络的最终选择权。华为不断探索多云区块链网络的互连和互操作，与合作伙伴共同提供区块链云化解决方案和服务。

一. 背景

为了验证华为云BCS区块链服务云上云下融合部署能力、支持跨云部署能力，以及华为云BCS服务与社区原生Fabric网络的融合部署能力，我们做了如下的部署验证，证明了方案的可行性，完成了部署并实测了invoke交易，过程中顺便验证了下Fabric1.2版本新增的discovery功能，以及已部署好的peer节点进行goleverdb数据库切换couchdb数据库操作。故有本文，欢迎各位华为云BCS服务使用者和关注者，以及Fabric爱好者参与交流。

跨云部署
discovery服务
goleverdb数据库切换couchdb
云上云下融合部署（华为云BCS服务与社区原生Fabric网络的融合部署）

二. 跨云部署

1、背景与步骤

A云上已经创建好fabric服务，并且已创建好组织org1.huawei及通道silk-road-chain 按照以下步骤，验证Fabric的从A云到华为云的打通部署

•用A云上Fabric已生成的证书，开源1.2镜像，模拟新peer0加入通道silk-road-chain

•加入通道后，实例化链码并进行invoke操作

•更新anchor peer及discovery

•用新生成的证书，华为1.1镜像，模拟新peer1加入通道silk-road-chain

2、用A云上Fabric已生成的证书，开源1.2镜像，模拟新peer0加入通道silk-road-chain

由于A云上已经创建好了组织及通道，只需要直接验证加入通道即可

• 在华为云上订购一个ECS，并安装docker，然后下载官方1.2peer和cli镜像

docker pull hyperledger/fabric-peer:1.2.0
docker pull hyperledger/fabric-tools:1.2.0

修改华为云安全组由于peer将会运行在7051端口，在ECS对应的安全组里增加7051配置

• 准备core.yaml配置文件注意由于镜像是1.2版本，故需要用1.2版本的core.yaml来修改，否则会有问题开源的core.yaml，修改

peer.id jdoe --> peer0.org1.huawei.backbonetestnet.baas.dev.icn.engineering
peer.chaincodeListenAddress # chaincodeListenAddress: 0.0.0.0:7052 --> chaincodeListenAddress: 0.0.0.0:7052
peer.address 0.0.0.0:7051 --> peer0.org1.huawei.backbonetestnet.baas.dev.icn.engineering:7051
peer.gossip.bootstrap 127.0.0.1:7051 --> 0.0.0.0:7051
peer.tls.enabled false --> true
peer.tls.clientAuthRequired false --> yes
peer.tls.cert file: tls/server.crt --> file: msp/tls/server.crt
peer.tls.key file: tls/server.key --> file: msp/tls/server.key
peer.tls.rootcert file: tls/ca.crt --> file: msp/tls/ca.crt
peer.tls.clientRootCAs file: - tls/ca.crt --> file: - msp/tls/ca.crt - /home/tlsca.icn.backbonetestnet.baas.dev.icn.engineering-cert.pem
peer.tls.clientKey file: "" --> file: msp/tls/server.key
peer.tls.clientCert file: "" --> file: msp/tls/server.crt
peer.localMspId SampleOrg --> huaweiMSP

准备证书

A云侧已提供的证书见附件crypto-config.zip文件 core.yaml中peer.tls.clientRootCAs配置项需要的证书，order的tls证书/home/tlsca.icn.backbonetestnet.baas.dev.icn.engineering-cert.pem来自crypto-config.zip中ordererOrganizations/icn.backbonetestnet.baas.dev.icn.engineering/tlsca/目录，peer的tls证书msp/tls/ca.crt来自crypto-config.zip中peerOrganizations/org1.huawei.backbonetestnet.baas.dev.icn.engineering/peers/peer0.org1.huawei.backbonetestnet.baas.dev.icn.engineering/tls/ peer节点和cli节点的/home/msp证书需要使用组织的Admin证书，来自crypto-config.zip中peerOrganizations/org1.huawei.backbonetestnet.baas.dev.icn.engineering/users/Admin@org1.huawei.backbonetestnet.baas.dev.icn.engineering/msp路径 peer节点和cli节点的/home/msp/tls证书都需要使用组织节点的tls证书，来自crypto-config.zip中peerOrganizations/org1.huawei.backbonetestnet.baas.dev.icn.engineering/peers/peer0.org1.huawei.backbonetestnet.baas.dev.icn.engineering/tls

启动peer容器

docker run -p 7051:7051 -p 7052:7052 -p 7053:7053 -v /var/run:/host/var/run -e CORE_VM_ENDPOINT="unix:///host/var/run/docker.sock" -e CORE_PEER_ADDRESS="0.0.0.0:7052" -e CORE_PEER_GOSSIP_ORGLEADER=false -e CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer0.org1.huawei.backbonetestnet.baas.dev.icn.engineering:7051 -e CORE_PEER_GOSSIP_USELEADERELECTION=true -e CORE_PEER_GOSSIP_BOOTSTRAP=peer0.org1.huawei.backbonetestnet.baas.dev.icn.engineering:7051 -it http://docker.io/hyperledger/fabric-peer:1.2.0 bash

配置CORE_VM_ENDPOINT给链码实例化时使用，必须加CORE_PEER_ADDRESS且必须为IP，给链码容器用，否则链码容器没有域名连不上peer GOSSIP相关的四个环境变量是给后面discovery使用的，不配置的话discovery会不正常

docker cp core.yaml ${peerCID}:/home

docker cp silk-road-chain.genesis.block ${peerCID}:/home
docker cp ordererOrganizations/icn.backbonetestnet.baas.dev.icn.engineering/tlsca/tlsca.icn.backbonetestnet.baas.dev.icn.engineering-cert.pem ${peerCID}:/home
docker cp peerOrganizations/org1.huawei.backbonetestnet.baas.dev.icn.engineering/users/Admin@org1.huawei.backbonetestnet.baas.dev.icn.engineering/msp ${peerCID}:/home
docker cp peerOrganizations/org1.huawei.backbonetestnet.baas.dev.icn.engineering/peers/peer0.org1.huawei.backbonetestnet.baas.dev.icn.engineering/tls ${peerCID}:/home/msp

在容器中配置/etc/hosts

echo "35.158.219.246 orderer0.icn.backbonetestnet.baas.dev.icn.engineering" >> /etc/hosts
echo "49.4.14.175 peer0.org1.huawei.backbonetestnet.baas.dev.icn.engineering" >> /etc/hosts

•容器中启动peer命令

export FABRIC_CFG_PATH=/home
peer node start

•启动cli容器

docker run -it -v /var/run:/host/var/run -e CORE_VM_ENDPOINT="unix:///host/var/run/docker.sock" http://docker.io/hyperledger/fabric-tools:1.2.0 bash
echo "35.158.219.246 orderer0.icn.backbonetestnet.baas.dev.icn.engineering" >> /etc/hosts
echo "49.4.14.175 peer0.org1.huawei.backbonetestnet.baas.dev.icn.engineering" >> /etc/hosts
CORE_PEER_ADDRESS=peer0.org1.huawei.backbonetestnet.baas.dev.icn.engineering:7051
export FABRIC_CFG_PATH=/home

•加入通道从A云侧部署的Fabric上取到通道的genesis block配置文件（silk-road-chain.genesis.block）进入cli容器中执行

peer channel join -b /home/silk-road-chain.genesis.block --orderer orderer0.icn.backbonetestnet.baas.dev.icn.engineering:7050 --cafile /home/tlsca.icn.backbonetestnet.baas.dev.icn.engineering-cert.pem --tls true

•加入成功截图

•查看已加入通道

peer channel list --orderer orderer0.icn.backbonetestnet.baas.dev.icn.engineering:7050 --cafile /home/tlsca.icn.backbonetestnet.baas.dev.icn.engineering-cert.pem --tls

•其他获取通道配置

peer channel fetch config silk-road.pb --orderer orderer0.icn.backbonetestnet.baas.dev.icn.engineering:7050 -c silk-road-chain --cafile /home/tlsca.icn.backbonetestnet.baas.dev.icn.engineering-cert.pem --tls

3、加入通道中遇到的坑

•问题

Error: error getting chaincode code sacc: : failed with error: "exec: not started",>

不能再用peer做cli，需要用fabric-tools

•问题

peer channel join -b /home/silk-road-chain.protobuf --orderer orderer0.icn.backbonetestnet.baas.dev.icn.engineering:7050 --cafile /home/tlsca.icn.backbonetestnet.baas.dev.icn.engineering-cert.pem --tls true

2018-08-07 12:11:54.717 UTC [channelCmd] InitCmdFactory -> INFO 001 Endorser and orderer connections initialized
Error: proposal failed (err: bad proposal response 500)

2018-08-07 12:11:54.723 UTC [ledgermgmt] CreateLedger -> INFO 02c Creating ledger [silk-road-chain] with genesis block
2018-08-07 12:11:54.728 UTC [endorser] ProcessProposal -> ERRO 02d [][9d432b23] simulateProposal() resulted in chaincode name:"cscc" response status 500 for txid: 9d432b23f3ad660af90e38bb6a4f6079dd60da9132f130b926556fdc29b3b79a

channel join时报此错，后发现-b参数应该用genesis.block而不是protobuf

4、加入通道后，实例化链码并进行invoke操作

•安装链码进入cli容器中创建链码根目录

docker exec -it xx bash
cd $GOPATH/src
mkdir -p fabbank

将链码文件拷贝到容器中创建好的链码根目录下

docker cp fabbankid.go xxx:/opt/gopath/src/fabbank

放置好链码的目录如下 /opt/gopath/src/fabbank/fabbankio.go

容器中执行链码安装

peer chaincode install -n fabbank -v 1.0 -l golang -p fabbank

•链码实例化

peer chaincode instantiate -o orderer0.icn.backbonetestnet.baas.dev.icn.engineering:7050 --tls true --cafile /home/tlsca.icn.backbonetestnet.baas.dev.icn.engineering-cert.pem -C silk-road-chain -n fabbank -v 1.0 -c '{"Args":["init","a","200","b","300"]}' -P "OR ('huaweiMSP.member')"

•链码invoke

peer chaincode invoke -o orderer0.icn.backbonetestnet.baas.dev.icn.engineering:7050 --tls true --cafile /home/tlsca.icn.backbonetestnet.baas.dev.icn.engineering-cert.pem -C silk-road-chain -n fabbank -c '{"Args":["creditAccountInfo","bohai","zhangsan","211004197001010000","6225777788889999","15600000000"]}'

peer chaincode invoke -o orderer0.icn.backbonetestnet.baas.dev.icn.engineering:7050 --tls true --cafile /home/tlsca.icn.backbonetestnet.baas.dev.icn.engineering-cert.pem -C silk-road-chain -n fabbank -c '{"Args":["authAccount","bohai","211004197001010000"]}'

•链码query

peer chaincode query -C silk-road-chain -n fabbank -c '{"Args":["authAccount","bohai","234567"]}'

•查询已安装的链码

peer chaincode list -C silk-road-chain --installed
Get installed chaincodes on peer:
Name: sacc, Version: 0, Path: sacc, Id: b60426d87dcfbf436628f6b23371d9385e3d3a4f1fd1724031ca3e182d8e045f

•查询已实例化的链码

peer chaincode list -C silk-road-chain --instantiated
Get instantiated chaincodes on channel silk-road-chain:
Name: fabbank, Version: 1.0, Escc: escc, Vscc: vscc
Name: fabbank2, Version: 1.0, Escc: escc, Vscc: vscc
Name: mycc3, Version: 1.0, Escc: escc, Vscc: vscc

5、实例化链码及invoke时遇到的坑

•问题

Error: could not assemble transaction, err Proposal response was not successful, error code 500, msg failed to execute transaction 0a25ad459d622e1a8f35c6fa192c027dd5f74738acf76373c35f30d1e061e2d7: error starting container: error starting container: Post http://unix.sock/containers/create?name=dev-peer0.org1.huawei.backbonetestnet.baas.dev.icn.engineering-sacc-0: dial unix /var/run/docker.sock: connect: no such file or directory

在fabric-tools(cli)里配了docker run -v /var/run:/host/var/run -e CORE_VM_ENDPOINT还是不行，后来才想起来是要给peer配置的

•问题

Error: could not assemble transaction, err Proposal response was not successful, error code 500, msg failed to execute transaction a85d6d5c144677750ef70c8d0acc3d8b4e3bbb7220141d3526ebb33df3490077: error starting container: error starting container: API error (404): oci runtime error: container_linux.go:247: starting container process caused "exec: \"chaincode\": executable file not found in $PATH"

•问题

Error: could not assemble transaction, err Proposal response was not successful, error code 500, msg plugin with name escc could not be used: plugin with name escc wasn't found

由于是1.2的镜像，但是core.yaml用的是1.1的

•问题

Error: endorsement failure during invoke. chaincode result: status:500 message:

大多数invoke都没有报错，但查询发现没有生效，像未写入账本，原因是实例化的时候背书策略不能用MSP.peer，改成MSP.member则OK

6. 更新anchor peer及discovery

需要A云侧提供供cli使用的anchor peer的配置文件（huaweimsp_silk-road-chain_anchors_cli.tx）将配置文件复制到cli容器里然后进行更新

docker cp huaweimsp_silk-road-chain_anchors_cli.tx xx:/home
docker exec -it xxx bash
export FABRIC_CFG_PATH=/home
root@c362aa2f5c93:/# CORE_PEER_ADDRESS=peer0.org1.huawei.backbonetestnet.baas.dev.icn.engineering:7051
root@c362aa2f5c93:/# peer channel update -o orderer0.icn.backbonetestnet.baas.dev.icn.engineering:7050 --tls true --cafile /home/tlsca.icn.backbonetestnet.baas.dev.icn.engineering-cert.pem -c silk-road-chain -f /home/huaweimsp_silk-road-chain_anchors_cli.tx

7. 更新anchor peer遇到的问题

•问题

Error: Invalid channel create transaction : bad payload

tx配置文件有问题，少了外层的payload结构

8.用新生成的证书，华为1.1镜像，模拟新peer1加入通道silk-road-chain

•生成peer1节点证书 peer1节点证书，通过cryptogen工具生成先创建crypto-config.yaml证书生成配置文件,内容如下

PeerOrgs:
- Name: org1
Domain: org1.huawei.backbonetestnet.baas.dev.icn.engineering
EnableNodeOUs: true
Template:
Count: 2
Users:
Count: 1

生成命令

cryptogen generate --config=./crypto-config.yaml

在华为云上创建一个联盟链的服务，创建一个peer组织，节点个数为1。将其中的peer组织进行改造

docker run -it -v /var/run:/host/var/run -e CORE_VM_ENDPOINT="unix:///host/var/run/docker.sock" http://docker.io/hyperledger/fabric-tools:1.2.0 bash

echo "35.158.219.246 orderer0.icn.backbonetestnet.baas.dev.icn.engineering" >> /etc/hosts
echo "49.4.93.157 peer1.org1.huawei.backbonetestnet.baas.dev.icn.engineering" >> /etc/hosts

export FABRIC_CFG_PATH=/home
export CORE_PEER_ID=peer1.org1.huawei.backbonetestnet.baas.dev.icn.engineering
export CORE_PEER_ADDRESS=peer1.org1.huawei.backbonetestnet.baas.dev.icn.engineering:30605
export CORE_PEER_LOCALMSPID=huaweiMSP
export CORE_PEER_MSPCONFIGPATH=/etc/hyperledger/peer/msp
export PAAS_CRYPTO_PATH=/var/paas/srv/kubernetes
export CORE_PEER_TLS_ENABLED=true

加入命令

peer channel join -b /home/silk-road-chain.genesis.block --orderer orderer0.icn.backbonetestnet.baas.dev.icn.engineering:7050 --cafile /home/tlsca.icn.backbonetestnet.baas.dev.icn.engineering-cert.pem --tls true

最终验证出华为云fabric1.1版本无法和A云侧1.2版本打通，待升级到1.2版本再继续验证

更多精彩内容，请滑至顶部点击右上角关注小宅哦~

来源：华为云原创作者：华为云技术