How to add a new Orderer organization to an existing Hyperledger Fabric network

2024-01-04

I am trying to add a new orderer organization to an existing RAFT-based ordering service. I am using first-network from fabric-samples as the base network. When generating the crypto material, I modified it to generate crypto material for 1 additional orderer organization. The crypto-config.yaml looks like this:

OrdererOrgs:
  # ---------------------------------------------------------------------------
  # Orderer
  # ---------------------------------------------------------------------------
  - Name: Orderer
    Domain: example.com
    EnableNodeOUs: true
    # ---------------------------------------------------------------------------
    # "Specs" - See PeerOrgs below for complete description
    # ---------------------------------------------------------------------------
    Specs:
      - Hostname: orderer
      - Hostname: orderer2
      - Hostname: orderer3
      - Hostname: orderer4
      - Hostname: orderer5
  - Name: Orderer1
    Domain: example1.com
    EnableNodeOUs: true
    Specs:
      - Hostname: orderer
      - Hostname: orderer2
      - Hostname: orderer3

# ---------------------------------------------------------------------------
# "PeerOrgs" - Definition of organizations managing peer nodes
# ---------------------------------------------------------------------------
PeerOrgs:
  # ---------------------------------------------------------------------------
  # Org1
  # ---------------------------------------------------------------------------
  - Name: Org1
    Domain: org1.example.com
    EnableNodeOUs: true
    Template:
      Count: 2
      # Start: 5
      # Hostname: {{.Prefix}}{{.Index}} # default
    # ---------------------------------------------------------------------------
    # "Users"
    # ---------------------------------------------------------------------------
    # Count: The number of user accounts _in addition_ to Admin
    # ---------------------------------------------------------------------------
    Users:
      Count: 1
  # ---------------------------------------------------------------------------
  # Org2: See "Org1" for full specification
  # ---------------------------------------------------------------------------
  - Name: Org2
    Domain: org2.example.com
    EnableNodeOUs: true
    Template:
      Count: 2
    Users:
      Count: 1

Also, the configtx.yaml used to create the new Orderer organization's MSP in JSON format is as follows:

Organizations:
    - &Orderer1Org
        # DefaultOrg defines the organization which is used in the sampleconfig
        # of the fabric.git development environment
        Name: Orderer1Org

        # ID to load the MSP definition as
        ID: Orderer1MSP

        MSPDir: ../crypto-config/ordererOrganizations/example1.com/msp

        # Policies defines the set of policies at this level of the config tree
        # For organization policies, their canonical path is usually
        #   /Channel/<Application|Orderer>/<OrgName>/<PolicyName>
        Policies:
            Readers:
                Type: Signature
                Rule: "OR('Orderer1MSP.member')"
            Writers:
                Type: Signature
                Rule: "OR('Orderer1MSP.member')"
            Admins:
                Type: Signature
                Rule: "OR('Orderer1MSP.admin')"

Then I start the network with byfn.sh. Now I am using the cli container to modify the system channel configuration with the following steps:

  1. First, I add the organization's JSON to the Orderer group as follows and submit the channel update:

    jq -s '.[0] * {"channel_group":{"groups":{"Orderer":{"groups": {"Orderer1Org":.[1]}}}}}' config.json orderer1org.json > modded_config.json

  2. Then I add the organization's JSON to the Consortiums group as follows and submit the channel update:

    jq -s '.[0] * {"channel_group":{"groups":{"Consortiums":{"groups":{"SampleConsortium":{"groups": {"Orderer1MSP":.[1]}}}}}}}' config1.json orderer1org.json > modded_config1.json

  3. Then I add the organization's orderer1 TLS certificate to the consenters section and submit the channel update:

    cert=`base64 ../crypto/ordererOrganizations/example1.com/orderers/orderer.example1.com/tls/server.crt | sed ':a;N;$!ba;s/\n//g'`

    cat modded_config1.json | jq '.channel_group.groups.Orderer.values.ConsensusType.value.metadata.consenters += [{"client_tls_cert": "'$cert'", "host": "orderer.example1.com", "port": 7050, "server_tls_cert": "'$cert'"}] ' > modded_config2.json

  4. Then I update the Application group of the system channel configuration with the new Orderer Org's JSON:

    jq -s '.[0] * {"channel_group":{"groups":{"Application":{"groups": {"Orderer1Org":.[1]}}}}}' config.json orderer1org.json > modded_config.json

Then I start an orderer in the new organization (orderer.example1.com), but the container fails with the following error:

2020-04-09 13:09:05.600 UTC [orderer.common.cluster.replication] fetchLastBlockSeq -> WARN 0e8 Received status:FORBIDDEN  from orderer.example.com:7050: forbidden pulling the channel
2020-04-09 13:09:05.600 UTC [orderer.common.cluster.replication] func1 -> WARN 0e9 Received error of type 'forbidden pulling the channel' from {orderer.example.com:7050 [certs]}

The orderer.example.com log throws this error:

2020-04-09 13:28:59.338 UTC [cauthdsl] deduplicate -> ERRO a3c Principal deserialization failure (the supplied identity is not valid: x509: certificate signed by unknown authority) for identity 0
2020-04-09 13:28:59.338 UTC [cauthdsl] deduplicate -> ERRO a3d Principal deserialization failure (the supplied identity is not valid: x509: certificate signed by unknown authority) for identity 0
2020-04-09 13:28:59.339 UTC [cauthdsl] deduplicate -> ERRO a3e Principal deserialization failure (the supplied identity is not valid: x509: certificate signed by unknown authority) for identity 0
2020-04-09 13:28:59.340 UTC [cauthdsl] deduplicate -> ERRO a3f Principal deserialization failure (the supplied identity is not valid: x509: certificate signed by unknown authority) for identity 0
2020-04-09 13:28:59.340 UTC [common.deliver] deliverBlocks -> WARN a40 [channel: byfn-sys-channel] Client authorization revoked for deliver request from 172.25.0.15:36196: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Readers' sub-policies to be satisfied: permission denied
2020-04-09 13:28:59.341 UTC [comm.grpc.server] 1 -> INFO a41 streaming call completed grpc.service=orderer.AtomicBroadcast grpc.method=Deliver grpc.peer_address=172.25.0.15:36196 grpc.peer_subject="CN=orderer.example1.com,L=San Francisco,ST=California,C=US" grpc.code=OK grpc.call_duration=4.992078ms

I was able to extend first-network by adding a new orderer organization as follows:

  1. Start first-network via the byfn.sh script from the fabric-samples repo in etcdraft mode.
  2. Generate the crypto material as described in the crypto-config.yaml in the question above.
  3. Use the configtxgen tool to print the new orderer organization's MSP in JSON format.
  4. Mount or docker cp this JSON file into the running cli container.
  5. Set the environment inside the cli container to correspond to an existing orderer node. Fetch the latest system-channel configuration. Decode it to JSON format.
  6. Edit the Orderer group of the system channel config block to add the new orderer organization's MSP section, as follows:

    jq -s '.[0] * {"channel_group":{"groups":{"Orderer":{"groups": {"Orderer1Org":.[1]}}}}}' config.json orderer1org.json > config1.json

  7. Edit the Consortiums group of the system channel config block to add the new orderer organization's MSP section, as follows:

    jq -s '.[0] * {"channel_group":{"groups":{"Consortiums":{"groups":{"SampleConsortium":{"groups": {"Orderer1MSP":.[1]}}}}}}}' config1.json orderer1org.json > config2.json

  8. Edit the Consenters section of the system channel config block to add the TLS credentials of the new orderer organization's orderer.example1.com node, as follows:

    cert=`base64 ../crypto/ordererOrganizations/example1.com/orderers/orderer.example1.com/tls/server.crt | sed ':a;N;$!ba;s/\n//g'`

    cat config2.json | jq '.channel_group.groups.Orderer.values.ConsensusType.value.metadata.consenters += [{"client_tls_cert": "'$cert'", "host": "orderer.example1.com", "port": 7050, "server_tls_cert": "'$cert'"}] ' > modified_config.json

  9. Encode the block, compute the delta, create the channel update transaction, encode it into a protobuf envelope and submit the channel update transaction.

  10. Fetch the latest system channel config block.
  11. Start one of the orderers (the one added earlier to the consenters list) using the latest fetched system channel config block as its genesis.block file.
  12. docker exec into the cli container. Using the environment of an existing orderer node, fetch the latest system channel configuration.
  13. Edit the system channel config block to add the new orderer's endpoint to the OrdererAddresses section, as follows:

    cat config.json | jq '.channel_group.values.OrdererAddresses.value.addresses += ["orderer.example1.com:7050"] ' > modified_config.json

  14. Encode the block, find the delta, create the channel update transaction, encode it into a protobuf envelope and get the block signed by the Orderer1Org admin to satisfy the mod_policy for the /Channel/OrdererAddresses resource, which is set to the Admins policy. This implicit meta policy expects MAJORITY Admins signatures at that level of the update. So, since there are now 2 orderer organizations, we need the admins of both organizations to sign this system channel update transaction. Set the environment corresponding to the Orderer1Org admin and run the following command:

    peer channel signconfigtx -f ordorg_update_in_envelope.pb

  15. Set the environment back to the OrdererOrg admin and submit the channel update transaction. peer channel update will automatically sign the transaction on behalf of the OrdererOrg admin.

    peer channel update -f ordorg_update_in_envelope.pb -c $CHANNEL_NAME -o orderer.example.com:7050 --tls true --cafile $ORDERER_CA

To update any application channel, just apply step 7 to the application channel config block's Application section to add the new orderer organization's MSP there.

Hope this helps!
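The config edits from steps 6 to 8 and 13, plus the signature count reasoning from step 14, as an added Python example that is not part of the original answer: the config and org JSON are constructed, heavily trimmed stand-ins for the real config.json and orderer1org.json, the PEM is a placeholder, and deep_merge reproduces what jq's `*` operator does in the answer's commands.

```python
import base64
import copy

# Constructed, trimmed stand-in for the decoded system-channel config.json.
CONFIG = {"channel_group": {
    "groups": {"Orderer": {"groups": {"OrdererOrg": {}},
                           "values": {"ConsensusType": {"value": {"metadata": {"consenters": [
                               {"host": "orderer.example.com", "port": 7050,
                                "client_tls_cert": "AAAA", "server_tls_cert": "AAAA"}]}}}}},
               "Consortiums": {"groups": {"SampleConsortium": {"groups": {}}}}},
    "values": {"OrdererAddresses": {"mod_policy": "/Channel/Orderer/Admins",
                                    "value": {"addresses": ["orderer.example.com:7050"]}}}}}
# Constructed stand-in for orderer1org.json (configtxgen -printOrg output).
ORDERER1_ORG = {"mod_policy": "Admins", "values": {"MSP": {"value": {"config": {"name": "Orderer1MSP"}}}}}
# Constructed placeholder for tls/server.crt; a real PEM has many lines.
SERVER_CRT = b"-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n"

def deep_merge(base, patch):
    """Like jq's '.[0] * .[1]': recursive merge of dicts, patch wins on conflicts."""
    out = copy.deepcopy(base)
    for k, v in patch.items():
        if isinstance(out.get(k), dict) and isinstance(v, dict):
            out[k] = deep_merge(out[k], v)
        else:
            out[k] = copy.deepcopy(v)
    return out

def add_orderer_org(config, org_name, org_json, cert_pem, host, port):
    """Steps 6-8: add the org to the Orderer and SampleConsortium groups, then its consenter."""
    cfg = deep_merge(config, {"channel_group": {"groups": {
        "Orderer": {"groups": {org_name: org_json}},
        "Consortiums": {"groups": {"SampleConsortium": {"groups": {org_name: org_json}}}}}}})
    cert = base64.b64encode(cert_pem).decode()  # single line, as `base64 ... | sed` produces
    cfg["channel_group"]["groups"]["Orderer"]["values"]["ConsensusType"]["value"]["metadata"]["consenters"].append(
        {"client_tls_cert": cert, "host": host, "port": port, "server_tls_cert": cert})
    return cfg

def add_orderer_address(config, endpoint):
    """Step 13: append the new orderer endpoint to OrdererAddresses."""
    cfg = copy.deepcopy(config)
    cfg["channel_group"]["values"]["OrdererAddresses"]["value"]["addresses"].append(endpoint)
    return cfg

def majority_admin_signatures(config):
    """Step 14: MAJORITY Admins over the orderer orgs needs floor(n/2)+1 admin signatures."""
    n = len(config["channel_group"]["groups"]["Orderer"]["groups"])
    return n // 2 + 1
```

With one existing orderer org the OrdererAddresses update needs 1 admin signature; after Orderer1Org is added it needs 2, which is why step 14 collects the Orderer1Org admin's signature before step 15 submits.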
