I. Infrastructure management
(I) Common tools and commands
1. Certificate tools
(1) Check which user the current certificate belongs to
openssl x509 -in config/msp/signcerts/cert.pem -noout -subject
(2) Print the certificate's expiry dates (notBefore/notAfter)
openssl x509 -in signed.crt -noout -dates
(3) Print the certificate contents
openssl x509 -in cert.pem -noout -text
(4) Print the certificate serial number
openssl x509 -in cert.pem -noout -serial
(5) Print the certificate's subject (owner) name
openssl x509 -in cert.pem -noout -subject
(6) Print the subject name in the format specified by RFC 2253
openssl x509 -in cert.pem -noout -subject -nameopt RFC2253
2. Certificate details
(1) Common certificate formats
File extension | Description
.pem           | Privacy Enhanced Mail: the Base64 storage format of a DER-encoded certificate
.cert          | Usually binary DER, though Base64-encoded variants also exist; does not contain the private key
.crt           | Usually binary DER, though Base64-encoded variants also exist; does not contain the private key
(2) TLS CA certificate (PEM format)
openssl x509 -in tlsca.sm611.newcapec.net-cert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            14:c9:64:c5:3f:23:14:e0:43:cd:b1:e8:d9:66:11:d3
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C = US, ST = California, L = San Francisco, O = sm611.newcapec.net, CN = tlsca.sm611.newcapec.net
        Validity
            Not Before: Apr 6 01:49:00 2021 GMT
            Not After : Apr 4 01:49:00 2031 GMT
        Subject: C = US, ST = California, L = San Francisco, O = sm611.newcapec.net, CN = tlsca.sm611.newcapec.net
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:d6:ce:fd:4e:19:ae:a6:bb:71:e1:60:21:54:ec:
                    89:3e:a2:06:40:44:f1:bd:99:48:0d:2d:10:82:64:
                    76:9a:47:76:21:0b:a1:14:1d:58:0a:09:a5:f9:f2:
                    80:b9:55:02:b7:4c:5e:a4:e0:63:a7:c7:e9:5b:03:
                    a1:b4:5d:2d:dd
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Certificate Sign, CRL Sign
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                98:E9:C7:FA:15:96:37:7F:CD:E4:6B:A9:4C:95:62:F2:72:95:06:99:C1:0D:54:BB:E1:69:2D:EB:9E:BC:D8:AD
    Signature Algorithm: ecdsa-with-SHA256
         30:46:02:21:00:ac:39:96:f2:0d:e7:87:f1:f1:3a:e9:f8:05:
         cc:23:07:7f:23:e2:76:69:ce:0a:c4:35:70:69:fc:08:32:53:
         ab:02:21:00:a8:08:f9:07:83:8f:ca:5e:64:bf:70:18:00:d7:
         83:32:7f:ad:15:af:61:23:0e:26:58:6e:72:dc:dc:31:84:82
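A worked decoding of the fields shown in the dump above, added here as an example that is not part of this document and is neither OpenSSL's nor Fabric's code: a small Python DER walker that extracts version, serial number, issuer, validity and subject (the fields `openssl x509 -noout -text` prints), computes the days left before expiry, and checks whether the subject carries OU=admin, the organizational unit that Fabric's NodeOU admin role is conventionally tied to (the exact OU value `admin` is an assumption about the deployment; the "does not contain OU [ADMIN]" error in section 3 is what a missing admin OU produces). The certificate it parses is constructed inside the script with the tlsca issuer, serial and validity copied from the dump, a made-up subject, and dummy key and signature bytes, so it parses like a real certificate but would never verify.

```python
"""DER walker that recovers the fields openssl prints with `x509 -noout -text`.
Added example, not code from the page; the certificate it parses is built here
with a tiny encoder and carries a dummy key and signature (parses, never verifies)."""
from datetime import datetime, timezone

ATTR_OIDS = {"C": b"\x55\x04\x06", "ST": b"\x55\x04\x08", "L": b"\x55\x04\x07",
             "O": b"\x55\x04\x0a", "OU": b"\x55\x04\x0b", "CN": b"\x55\x04\x03"}
OID_NAMES = {v: k for k, v in ATTR_OIDS.items()}
ECDSA_SHA256 = bytes.fromhex("2a8648ce3d040302")  # 1.2.840.10045.4.3.2
EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")   # 1.2.840.10045.2.1
PRIME256V1 = bytes.fromhex("2a8648ce3d030107")    # 1.2.840.10045.3.1.7

# ---- encoder: used only to build the constructed sample certificate ----
def tlv(tag, body):
    n = len(body)
    if n < 0x80:
        length = bytes([n])                       # short form
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb     # long form: byte count + bytes
    return bytes([tag]) + length + body

def der_int(v):  # INTEGER; adds a leading 0x00 when the top bit would be set
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def der_seq(*items):
    return tlv(0x30, b"".join(items))

def der_name(rdns):  # Name ::= SEQUENCE OF SET OF SEQUENCE { OID, UTF8String }
    return der_seq(*[tlv(0x31, der_seq(tlv(0x06, ATTR_OIDS[k]), tlv(0x0c, v.encode())))
                     for k, v in rdns])

def der_utctime(dt):  # UTCTime "YYMMDDHHMMSSZ"
    return tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())

def build_sample_cert():
    """Issuer, serial and validity copied from the tlsca dump; subject is a made-up admin identity."""
    issuer = [("C", "US"), ("ST", "California"), ("L", "San Francisco"),
              ("O", "sm611.newcapec.net"), ("CN", "tlsca.sm611.newcapec.net")]
    subject = [("C", "US"), ("ST", "California"), ("L", "San Francisco"),
               ("OU", "admin"), ("CN", "Admin@org3.example.com")]
    validity = der_seq(der_utctime(datetime(2021, 4, 6, 1, 49)),
                       der_utctime(datetime(2031, 4, 4, 1, 49)))
    sig_alg = der_seq(tlv(0x06, ECDSA_SHA256))
    spki = der_seq(der_seq(tlv(0x06, EC_PUBLIC_KEY), tlv(0x06, PRIME256V1)),
                   tlv(0x03, b"\x00\x04" + b"\x00" * 64))         # dummy EC point
    tbs = der_seq(tlv(0xa0, der_int(2)),                           # [0] version = v3
                  der_int(0x14C964C53F2314E043CDB1E8D96611D3),      # serial number
                  sig_alg, der_name(issuer), validity, der_name(subject), spki)
    return der_seq(tbs, sig_alg, tlv(0x03, b"\x00" + b"\xaa" * 70))  # dummy signature

def read_tlv(buf, pos):
    """Return (tag, value bytes, position just after the element)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                 # long form: low bits = byte count
        nbytes = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + ln], pos + ln

def children(body):
    """All (tag, value) elements directly inside a constructed value."""
    pos, out = 0, []
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def parse_name(body):
    rdns = []
    for _, rdn in children(body):                 # each SET is one RDN
        for _, atv in children(rdn):              # AttributeTypeAndValue
            (_, oid), (_, val) = children(atv)
            rdns.append((OID_NAMES.get(oid, oid.hex()), val.decode()))
    return rdns

def parse_time(tag, val):  # 0x17 UTCTime (2-digit year) / 0x18 GeneralizedTime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(val.decode(), fmt).replace(tzinfo=timezone.utc)

def parse_certificate(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }"""
    _, cert, _ = read_tlv(der, 0)
    fields = children(children(cert)[0][1])       # members of TBSCertificate
    version = 1
    if fields[0][0] == 0xA0:                      # [0] EXPLICIT version; absent = v1
        version = int.from_bytes(children(fields[0][1])[0][1], "big") + 1
        fields = fields[1:]
    serial, _alg, issuer, validity, subject = fields[:5]
    not_before, not_after = [parse_time(t, v) for t, v in children(validity[1])]
    return {"version": version, "serial": int.from_bytes(serial[1], "big"),
            "issuer": parse_name(issuer[1]), "subject": parse_name(subject[1]),
            "not_before": not_before, "not_after": not_after}

def days_until_expiry(info, now=None):
    return (info["not_after"] - (now or datetime.now(timezone.utc))).days
def has_admin_ou(info):  # Fabric NodeOUs: admins carry OU=admin (assumed OU value)
    return any(k == "OU" and v == "admin" for k, v in info["subject"])

if __name__ == "__main__":
    info = parse_certificate(build_sample_cert())
    print("subject:", ", ".join(f"{k} = {v}" for k, v in info["subject"]))
    print(f"serial: {info['serial']:x}  days left: {days_until_expiry(info)}  admin OU: {has_admin_ou(info)}")
```

To run the same functions on a real file, convert the PEM to DER first (the standard library's `ssl.PEM_cert_to_DER_cert` does that) and pass the bytes to `parse_certificate`; an expiry check of every MSP and TLS certificate in a Fabric network is worth scheduling, since an expired TLS CA certificate silently takes peers and orderers off the network.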
3. Fabric tools
(1) List all channels the node has joined
peer channel list
Output:
/opt/gopath/src/github.com/hyperledger/fabric/peer # peer channel list
2021-03-12 10:16:41.196 UTC [channelCmd] InitCmdFactory -> INFO 001 Endorser and orderer connections initialized
Channels peers has joined:
mychannel
(2) View channel summary information (block height, current and previous block hashes)
peer channel getinfo -c mychannel
Output:
2021-03-12 10:17:02.732 UTC [channelCmd] InitCmdFactory -> INFO 001 Endorser and orderer connections initialized
Blockchain info: {"height":4,"currentBlockHash":"9Div//uLrUjcEPOP+f5tBy0oX6scJMiXCFcsjEEWyJM=","previousBlockHash":"oZEoG0BRpOu8WAJhK5gA7nDeC2dhhPLQ+eZwFMfqES4="}
Note:
The newly added org3 peer has permission to run this command and gets the information back.
(3) Chaincode installed on the node
peer chaincode list --installed
Note:
The newly added org3 peer has no permission to run this command and gets no information back.
Error reported:
Error: bad response: 500 - access denied for [getinstalledchaincodes]: Failed verifying that proposal's creator satisfies local MSP principal during channelless check policy with policy [Admins]: [The identity is not an admin under this MSP [Org3MSP]: The identity does not contain OU [ADMIN], MSP: [Org3MSP]]
Explanation: the current identity is not an admin of Org3MSP.
(4) View the current configuration
peer channel fetch config
Configuration:
- Node
(1) Ordering node (orderer)
- Identity
(1)
peer channel fetch config config_block.pb -o orderer.example.com:7050 --ordererTLSHostnameOverride orderer.example.com -c $CHANNEL --tls --cafile $ORDERER_CA
4. Viewing environment variables
(1) Fabric environment variables
env | grep CORE
Output:
- Peer
(1) Peer ID
(2) MSP ID
(3) Service listen address
(4) Service address advertised externally
CORE_PEER_ID=peer0.org3.example.com
CORE_PEER_LOCALMSPID=Org3MSP
CORE_PEER_LISTENADDRESS=0.0.0.0:11051
CORE_PEER_ADDRESS=peer0.org3.example.com:11051
- TLS transport
(1) TLS enabled flag
(2) TLS certificate
(3) TLS private key file
(4) TLS root certificate
CORE_PEER_TLS_ENABLED=true
CORE_PEER_TLS_CERT_FILE=/etc/hyperledger/fabric/tls/server.crt
CORE_PEER_TLS_KEY_FILE=/etc/hyperledger/fabric/tls/server.key
CORE_PEER_TLS_ROOTCERT_FILE=/etc/hyperledger/fabric/tls/ca.crt
CORE_PEER_PROFILE_ENABLED=true
- Chaincode
(1) Chaincode listen address
(2) Chaincode address advertised externally
CORE_PEER_CHAINCODELISTENADDRESS=0.0.0.0:11052
CORE_PEER_CHAINCODEADDRESS=peer0.org3.example.com:11052
- Chaincode containers
(1) Chaincode container network name
(2) Chaincode container (Docker daemon) endpoint
CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE=net_test
CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
- P2P protocol
(1) Gossip external endpoint
(2) Gossip bootstrap peer
CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer0.org3.example.com:11051
CORE_PEER_GOSSIP_BOOTSTRAP=peer0.org3.example.com:11051
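A sanity check over the variables listed above, added here as an example that is not part of this document and not Fabric's own tooling. It parses `KEY=VALUE` lines as `env | grep CORE` prints them (SAMPLE_ENV is constructed from the values shown in this section) and encodes a few expectations a peer operator wants confirmed: TLS on and all three TLS files set, the advertised peer port matching the listen port, the chaincode listener not reusing the peer port, a gossip external endpoint present, the Go profiling server off, and a visible warning when the peer is handed the host's Docker socket. The finding codes and messages are this example's own.

```python
"""Sanity checks over the CORE_* variables a peer shows with `env | grep CORE`.
Added example, not from the page: SAMPLE_ENV is constructed from the variables
listed in this section, and each check encodes a common Fabric peer expectation."""

SAMPLE_ENV = """\
CORE_PEER_ID=peer0.org3.example.com
CORE_PEER_LOCALMSPID=Org3MSP
CORE_PEER_LISTENADDRESS=0.0.0.0:11051
CORE_PEER_ADDRESS=peer0.org3.example.com:11051
CORE_PEER_TLS_ENABLED=true
CORE_PEER_TLS_CERT_FILE=/etc/hyperledger/fabric/tls/server.crt
CORE_PEER_TLS_KEY_FILE=/etc/hyperledger/fabric/tls/server.key
CORE_PEER_TLS_ROOTCERT_FILE=/etc/hyperledger/fabric/tls/ca.crt
CORE_PEER_PROFILE_ENABLED=true
CORE_PEER_CHAINCODELISTENADDRESS=0.0.0.0:11052
CORE_PEER_CHAINCODEADDRESS=peer0.org3.example.com:11052
CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE=net_test
CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer0.org3.example.com:11051
CORE_PEER_GOSSIP_BOOTSTRAP=peer0.org3.example.com:11051
"""

def parse_env(text):
    """KEY=VALUE lines -> dict (comment and blank lines are skipped)."""
    env = {}
    for line in text.splitlines():
        if "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip()
    return env

def port_of(hostport):
    """'host:port' -> port as int; None when the value carries no port."""
    _host, sep, port = hostport.rpartition(":")
    return int(port) if sep and port.isdigit() else None

def check_peer_env(env):
    """Return (code, message) findings; an empty list means every check passed."""
    findings = []
    if env.get("CORE_PEER_TLS_ENABLED", "").lower() != "true":
        findings.append(("tls-disabled", "CORE_PEER_TLS_ENABLED is not true: peer traffic is unencrypted"))
    else:
        for var in ("CORE_PEER_TLS_CERT_FILE", "CORE_PEER_TLS_KEY_FILE", "CORE_PEER_TLS_ROOTCERT_FILE"):
            if not env.get(var):
                findings.append(("tls-file-missing", f"TLS is enabled but {var} is unset"))
    peer_port = port_of(env.get("CORE_PEER_ADDRESS", ""))
    listen_port = port_of(env.get("CORE_PEER_LISTENADDRESS", ""))
    if None not in (peer_port, listen_port) and peer_port != listen_port:
        findings.append(("listen-port-mismatch",
                         f"advertised port {peer_port} differs from listen port {listen_port} "
                         "(only correct with deliberate port mapping)"))
    if peer_port is not None and port_of(env.get("CORE_PEER_CHAINCODEADDRESS", "")) == peer_port:
        findings.append(("chaincode-port-clash",
                         "chaincode address reuses the peer port; the two listeners need distinct ports"))
    if not env.get("CORE_PEER_GOSSIP_EXTERNALENDPOINT"):
        findings.append(("gossip-external-unset",
                         "no gossip external endpoint: the peer is not advertised to other organizations"))
    if env.get("CORE_PEER_PROFILE_ENABLED", "").lower() == "true":
        findings.append(("profile-enabled",
                         "Go profiling server is enabled; leave it off outside debugging sessions"))
    if env.get("CORE_VM_ENDPOINT", "").endswith("docker.sock"):
        findings.append(("docker-socket",
                         "peer drives the host Docker daemon through its socket; whoever controls "
                         "the peer container controls the host's containers"))
    return findings

if __name__ == "__main__":
    for code, message in check_peer_env(parse_env(SAMPLE_ENV)):
        print(f"[{code}] {message}")
```

On the values from this section the script reports only `profile-enabled` and `docker-socket`; both are typical of a development network and are the two settings to revisit before the same peer configuration is reused elsewhere.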
5. Network diagnostic tools
(1) Test whether a port is open
nc -nvv 192.168.112.20 7050
Success:
192.168.112.20 (192.168.112.20:7050) open
Failure:
nc: 192.168.60.26 (192.168.60.26:7050): Host is unreachable
sent 0, rcvd 0
nc -vz 192.168.116.46 7051
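The same check in Python, added here as an example that is not part of this document: it does what `nc -vz host port` does but separates the outcomes that call for different follow-up. A completed handshake means the service is up; a reset ("refused") means the host is up but nothing listens on that port, so the problem is the process or its listen address; a silent timeout usually means a firewall dropping packets; and "unreachable" is the routing or ARP failure that nc reports as "Host is unreachable" in the failure output above. The `loopback_demo` function exercises the open and refused cases locally; the two addresses in the `__main__` block are the ones named in this section and are only illustrative targets.

```python
"""Port-reachability probe with the intent of `nc -vz host port`, telling apart
the outcomes that point at different causes. Added example, not from the page;
the two targets in the demo at the bottom are the addresses named in this section."""
import errno
import socket

def parse_target(target):
    """'host:port' -> (host, port). nc itself wants host and port as separate arguments."""
    host, _, port = target.rpartition(":")
    return host, int(port)

def probe_port(host, port, timeout=3.0):
    """'open'        TCP handshake completed, something is listening
       'refused'     host answered with RST: host is up, nothing listens on that port
       'timeout'     no answer at all: typically a firewall silently dropping packets
       'unreachable' no route / no ARP reply (what nc prints as 'Host is unreachable')"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except socket.gaierror:
        return "dns-failure"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        return f"error:{exc.errno}"

def probe_targets(targets, timeout=3.0):
    """{'host:port': verdict} for a list of endpoints."""
    return {t: probe_port(*parse_target(t), timeout=timeout) for t in targets}

def loopback_demo():
    """Constructed local check: open a listener, probe it, close it, probe again.
    Returns the two verdicts; on a normal host that is ('open', 'refused')."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))           # port 0: the kernel picks a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    while_listening = probe_port("127.0.0.1", port, timeout=2.0)
    srv.close()
    after_close = probe_port("127.0.0.1", port, timeout=2.0)
    return while_listening, after_close

if __name__ == "__main__":
    print("loopback:", loopback_demo())
    # Endpoints from this section (orderer on 7050, peer on 7051); from any other
    # network these report 'timeout' or 'unreachable' rather than 'open'.
    for target, verdict in probe_targets(["192.168.112.20:7050", "192.168.116.46:7051"]).items():
        print(f"{target}: {verdict}")
```

An "open" verdict only proves the TCP listener; with CORE_PEER_TLS_ENABLED=true the next failure mode is the TLS handshake (wrong server certificate or untrusted root), which this probe does not exercise.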
(2) Container IPs of the nodes
docker inspect --format='{{.Name}} - {{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' $(docker ps -aq)
Result:
/Org3cli - 172.22.0.3
/peer0.sm611.newcapec.net - 172.22.0.2
/peer0.org3.example.com - 172.25.0.8
/peer0.org1.example.com - 172.25.0.3
/orderer.example.com - 172.25.0.4
/peer0.org2.example.com - 172.25.0.2
/ca_orderer - 172.25.0.5
/ca_org2 - 172.25.0.7
/ca_org1 - 172.25.0.6
(3) List all container networks
docker network ls
Output:
NETWORK ID     NAME           DRIVER    SCOPE
03e2f971f19b   bridge         bridge    local
4ca370671e33   host           host      local
ddcda3fb5bb2   net_dev-test   bridge    local
a69b6c059c61   net_test       bridge    local
20a2a302f7af   none           null      local
Note:
bridge is a bridged network; containers on the same bridge network can reach one another.
Fabric node containers on the same bridge interconnect without trouble, but cannot be reached through the host machine's IP. This point is unresolved; it will be investigated when time permits.
(4) View container network details
docker inspect net_test
Output:
[
    {
        "Name": "net_test",
        "Id": "a69b6c059c61444125f17abbef90564240384ba8dcdb6884a3993b689032a307",
        "Created": "2021-04-02T16:15:24.299874379+08:00",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": [
                {
                    "Subnet": "172.25.0.0/16",
                    "Gateway": "172.25.0.1"
                }
            ]
        },
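One check that follows from the note above (containers on the same bridge network can talk; user-defined bridge networks are isolated from each other), added here as an example that is not part of this document: group the containers from the `docker inspect` listing by the network whose subnet contains their address, then report which ones share no network with the orderer. The container list is the output shown in (2), the net_test subnet is the one from `docker inspect net_test`, and the 172.22.0.0/16 subnet assigned to net_dev-test is an assumption, since the page does not show that network's details.

```python
"""Group containers by the Docker network whose subnet contains their address and
report which ones share no network with the orderer. Added example, not from the
page: the container list is the `docker inspect` output in (2), net_test's subnet
comes from `docker inspect net_test`, and the 172.22.0.0/16 subnet given for
net_dev-test is an assumption (the page does not show that network's subnet)."""
import ipaddress

CONTAINER_IPS = """\
/Org3cli - 172.22.0.3
/peer0.sm611.newcapec.net - 172.22.0.2
/peer0.org3.example.com - 172.25.0.8
/peer0.org1.example.com - 172.25.0.3
/orderer.example.com - 172.25.0.4
/peer0.org2.example.com - 172.25.0.2
/ca_orderer - 172.25.0.5
/ca_org2 - 172.25.0.7
/ca_org1 - 172.25.0.6
"""
NETWORKS = {"net_test": "172.25.0.0/16",      # from `docker inspect net_test`
            "net_dev-test": "172.22.0.0/16"}  # assumed; not shown on the page

def parse_container_ips(text):
    """'/name - ip' lines (the --format output above) -> {name: IPv4Address}."""
    ips = {}
    for line in text.splitlines():
        name, sep, ip = line.partition(" - ")
        if sep and ip.strip():
            ips[name.strip()] = ipaddress.ip_address(ip.strip())
    return ips

def group_by_network(ips, networks):
    """{network name: [containers whose address lies in its subnet]}; 'unknown'
    collects addresses that match none of the given subnets."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in networks.items()}
    groups = {name: [] for name in nets}
    groups["unknown"] = []
    for cname, ip in sorted(ips.items()):
        home = next((n for n, net in nets.items() if ip in net), "unknown")
        groups[home].append(cname)
    return groups

def not_sharing_network_with(anchor, ips, networks):
    """Containers on no Docker network in common with `anchor`; separate bridge
    networks are isolated from each other, so these cannot reach it directly."""
    groups = group_by_network(ips, networks)
    anchor_nets = [n for n, members in groups.items() if anchor in members and n != "unknown"]
    reachable = {m for n in anchor_nets for m in groups[n]}
    return sorted(c for c in ips if c != anchor and c not in reachable)

if __name__ == "__main__":
    ips = parse_container_ips(CONTAINER_IPS)
    for net, members in group_by_network(ips, NETWORKS).items():
        print(f"{net}: {', '.join(members) or '-'}")
    print("not on a network with the orderer:",
          not_sharing_network_with("/orderer.example.com", ips, NETWORKS))
```

On the listing from (2) this flags /Org3cli and /peer0.sm611.newcapec.net, whose 172.22.0.x addresses fall outside net_test's 172.25.0.0/16. One caveat about the input: the `--format` string in (2) ranges over `.NetworkSettings.Networks` without a separator, so a container attached to two networks prints its addresses run together; the parser assumes one address per container, and adding a space after `{{.IPAddress}}` in the format string avoids the ambiguity.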
6. Docker tools
(1) Docker volumes
List Docker volumes
docker volume ls | grep peer
Result:
local net_peer0.org3.example.com
local net_peer0.sm611.newcapec.net
View where a volume is actually stored
docker volume inspect net_peer0.sm611.newcapec.net
Result:
[
    {
        "CreatedAt": "2021-04-02T09:11:49+08:00",
        "Driver": "local",
        "Labels": null,
        "Mountpoint": "/var/lib/docker/volumes/net_peer0.sm611.newcapec.net/_data",
        "Name": "net_peer0.sm611.newcapec.net",
        "Options": null,
        "Scope": "local"
    }
]