Composing a sample trade network
The last command also has the effect of generating a network configuration file, docker-compose-e2e.yaml, which is used to start the network as a set of Docker containers using the docker-compose tool. The file itself depends on the statically configured files base/peer-base.yaml and base/docker-compose-base.yaml. These files collectively specify services and their attributes, and enable us to run them all in one go within Docker containers, rather than having to manually run instances of these services on one or more machines. The services we need to run are as follows:
- Four instances of a Fabric peer, one in each organization
- One instance of a Fabric orderer
- Five instances of a Fabric CA, corresponding to the MSPs of each organization
Docker images for each can be obtained from the Hyperledger project on Docker Hub (https://hub.docker.com/u/hyperledger/), with the images being hyperledger/fabric-peer, hyperledger/fabric-orderer, hyperledger/fabric-ca for peers, orderers, and MSPs, respectively.
The base configuration of a peer can be as follows (see base/peer-base.yaml):
    peer-base:
      image: hyperledger/fabric-peer:$IMAGE_TAG
      environment:
        - CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
        - CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE=${COMPOSE_PROJECT_NAME}_trade
        - CORE_LOGGING_LEVEL=INFO
        - CORE_PEER_TLS_ENABLED=true
        - CORE_PEER_GOSSIP_USELEADERELECTION=true
        - CORE_PEER_GOSSIP_ORGLEADER=false
        - CORE_PEER_PROFILE_ENABLED=true
        - CORE_PEER_TLS_CERT_FILE=/etc/hyperledger/fabric/tls/server.crt
        - CORE_PEER_TLS_KEY_FILE=/etc/hyperledger/fabric/tls/server.key
        - CORE_PEER_TLS_ROOTCERT_FILE=/etc/hyperledger/fabric/tls/ca.crt
      working_dir: /opt/gopath/src/github.com/hyperledger/fabric/peer
      command: peer node start
Fabric configuration parameters can be set here, but if you use the pre-built Docker image for fabric-peer, the defaults are sufficient to get a peer service up and running. The command to run the peer service is specified in the last line of the configuration as peer node start; if you wish to run a peer by downloading the Fabric source and building it on your local machine, this is the command you will have to run (see Chapter 4, Designing a Data and Transaction Model with Golang, for examples). Also make sure you configure the logging level appropriately using the CORE_LOGGING_LEVEL variable. In our configuration, the variable is set to INFO, which means that only informational, warning, and error messages will be logged. If you wish to debug a peer and need more extensive logging, you can set this variable to DEBUG.
The IMAGE_TAG variable is set to latest in the .env file in the network folder, though you can set a specific tag if you wish to pull older images.
Furthermore, we need to configure the hostnames and ports for each peer, and sync the cryptographic material generated (using cryptogen) to the container filesystem. The peer in the exporter organization is configured in base/docker-compose-base.yaml as follows:
    peer0.exporterorg.trade.com:
      container_name: peer0.exporterorg.trade.com
      extends:
        file: peer-base.yaml
        service: peer-base
      environment:
        - CORE_PEER_ID=peer0.exporterorg.trade.com
        - CORE_PEER_ADDRESS=peer0.exporterorg.trade.com:7051
        - CORE_PEER_GOSSIP_BOOTSTRAP=peer0.exporterorg.trade.com:7051
        - CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer0.exporterorg.trade.com:7051
        - CORE_PEER_LOCALMSPID=ExporterOrgMSP
      volumes:
        - /var/run/:/host/var/run/
        - ../crypto-config/peerOrganizations/exporterorg.trade.com/peers/peer0.exporterorg.trade.com/msp:/etc/hyperledger/fabric/msp
        - ../crypto-config/peerOrganizations/exporterorg.trade.com/peers/peer0.exporterorg.trade.com/tls:/etc/hyperledger/fabric/tls
        - peer0.exporterorg.trade.com:/var/hyperledger/production
      ports:
        - 7051:7051
        - 7053:7053
As indicated by the extends parameter, this extends the base configuration. Note that the ID (CORE_PEER_ID) matches that which is specified for this peer in configtx.yaml. This identity is the hostname for the peer running in the exporter organization, and will be used in the middleware code later in this chapter. The volumes section indicates the rules for copying the cryptographic material generated in the crypto-config folder to the container. The peer service itself listens on port 7051, and the port that clients can use to subscribe to events is set to 7053.
In the file, you will see that the in-container ports are identical across peers, but are mapped to distinct ports on the host machine. Lastly, note that the MSP ID specified here also matches that specified in configtx.yaml.
The configuration of the orderer service is similar, as the following snippet from base/docker-compose-base.yaml indicates:
    orderer.trade.com:
      container_name: orderer.trade.com
      image: hyperledger/fabric-orderer:$IMAGE_TAG
      environment:
        - ORDERER_GENERAL_LOGLEVEL=INFO
        ……
      command: orderer
      ……
The command to start the orderer is simply orderer, as the code indicates. The logging level can be configured using the ORDERER_GENERAL_LOGLEVEL variable, and is set to INFO in our configuration.
The actual network configuration that we will run is based on a file named docker-compose-e2e.yaml. This file does not exist in the repository but is rather created by the command ./trade.sh generate -c tradechannel, which we ran earlier to generate channel and cryptographic material. This file depends on base/docker-compose-base.yaml (and indirectly base/peer-base.yaml) as you can see by examining the file contents. It is actually created from a template YAML file named docker-compose-e2e-template.yaml, which you can find in the network folder. The template file contains variables as stand-ins for key filenames that are generated using cryptogen. When docker-compose-e2e.yaml is generated, those variable names are replaced with actual filenames within the crypto-config folder.
For example, consider the exporter-ca section in docker-compose-e2e-template.yaml:
    exporter-ca:
      image: hyperledger/fabric-ca:$IMAGE_TAG
      environment:
        ……
        - FABRIC_CA_SERVER_TLS_KEYFILE=/etc/hyperledger/fabric-ca-server-config/EXPORTER_CA_PRIVATE_KEY
      ……
      command: sh -c 'fabric-ca-server start --ca.certfile /etc/hyperledger/fabric-ca-server-config/ca.exporterorg.trade.com-cert.pem --ca.keyfile /etc/hyperledger/fabric-ca-server-config/EXPORTER_CA_PRIVATE_KEY -b admin:adminpw -d'
Now, look at the same section in the generated file docker-compose-e2e.yaml:
    exporter-ca:
      image: hyperledger/fabric-ca:$IMAGE_TAG
      environment:
        ……
        - FABRIC_CA_SERVER_TLS_KEYFILE=/etc/hyperledger/fabric-ca-server-config/cc58284b6af2c33812cfaef9e40b8c911dbbefb83ca2e7564e8fbf5e7039c22e_sk
      ……
      command: sh -c 'fabric-ca-server start --ca.certfile /etc/hyperledger/fabric-ca-server-config/ca.exporterorg.trade.com-cert.pem --ca.keyfile /etc/hyperledger/fabric-ca-server-config/cc58284b6af2c33812cfaef9e40b8c911dbbefb83ca2e7564e8fbf5e7039c22e_sk -b admin:adminpw -d'
As you can see, the variable EXPORTER_CA_PRIVATE_KEY has been replaced with cc58284b6af2c33812cfaef9e40b8c911dbbefb83ca2e7564e8fbf5e7039c22e_sk, both in the environment variable and in the command. If you now examine the contents of the crypto-config folder, you will notice that there exists a file named cc58284b6af2c33812cfaef9e40b8c911dbbefb83ca2e7564e8fbf5e7039c22e_sk in the folder crypto-config/peerOrganizations/exporterorg.trade.com/ca/. This file contains the exporter organization’s MSP’s private (secret) signing key.
The preceding code snippet contains the result of a sample run. The key filename will vary whenever you run the cryptographic material generation tool.
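The substitution and the run-to-run change of key filename described above can be reproduced with the following sketch. It is an added example, not the contents of trade.sh; the helper names render_compose and stale_key_refs and the key filenames in the demo are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not the project's trade.sh). render_compose and
# stale_key_refs are hypothetical helpers; key names below are constructed.

# render_compose TEMPLATE CA_DIR PLACEHOLDER OUTPUT
render_compose() (
  template=$1; ca_dir=$2; placeholder=$3; output=$4
  # cryptogen writes the CA private key as <hex>_sk. Require exactly one so a
  # leftover key from an earlier run is never substituted silently.
  set -- "$ca_dir"/*_sk
  if [ "$#" -ne 1 ] || [ ! -f "$1" ]; then
    echo "expected exactly one *_sk file in $ca_dir" >&2
    exit 1
  fi
  key_name=$(basename "$1")
  # The name occurs in both the environment entry and the command line.
  sed "s/$placeholder/$key_name/g" "$template" > "$output"
)

# stale_key_refs COMPOSE CA_DIR: print *_sk names the compose file references
# that no longer exist in CA_DIR (cryptogen was re-run, compose file was not).
stale_key_refs() (
  grep -o '[0-9a-f][0-9a-f]*_sk' "$1" | sort -u | while IFS= read -r name; do
    [ -f "$2/$name" ] || echo "$name"
  done
)

# Constructed demo: a two-line template and a fake CA directory.
demo() (
  work=$(mktemp -d) && mkdir "$work/ca" || exit 1
  : > "$work/ca/aaaa1111bbbb2222_sk"
  printf '%s\n' \
    '- FABRIC_CA_SERVER_TLS_KEYFILE=/etc/hyperledger/fabric-ca-server-config/EXPORTER_CA_PRIVATE_KEY' \
    "command: sh -c 'fabric-ca-server start --ca.keyfile /etc/hyperledger/fabric-ca-server-config/EXPORTER_CA_PRIVATE_KEY'" \
    > "$work/template.yaml"
  render_compose "$work/template.yaml" "$work/ca" EXPORTER_CA_PRIVATE_KEY "$work/e2e.yaml"
  cat "$work/e2e.yaml"
  # Simulate regenerating crypto material without regenerating the compose file.
  mv "$work/ca/aaaa1111bbbb2222_sk" "$work/ca/cccc3333dddd4444_sk"
  echo "stale: $(stale_key_refs "$work/e2e.yaml" "$work/ca")"
  rm -rf "$work"
)
demo
```

A non-empty result from stale_key_refs means the compose file points the CA at a key file that no longer exists, so the compose file has to be regenerated before the network is started.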
Let us now look at the configuration of an MSP in more detail, taking the example of the exporter organization MSP, as specified in docker-compose-e2e.yaml:
    exporter-ca:
      image: hyperledger/fabric-ca:$IMAGE_TAG
      environment:
        - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
        - FABRIC_CA_SERVER_CA_NAME=ca-exporterorg
        - FABRIC_CA_SERVER_TLS_ENABLED=true
        - FABRIC_CA_SERVER_TLS_CERTFILE=/etc/hyperledger/fabric-ca-server-config/ca.exporterorg.trade.com-cert.pem
        - FABRIC_CA_SERVER_TLS_KEYFILE=/etc/hyperledger/fabric-ca-server-config/cc58284b6af2c33812cfaef9e40b8c911dbbefb83ca2e7564e8fbf5e7039c22e_sk
      ports:
        - "7054:7054"
      command: sh -c 'fabric-ca-server start --ca.certfile /etc/hyperledger/fabric-ca-server-config/ca.exporterorg.trade.com-cert.pem --ca.keyfile /etc/hyperledger/fabric-ca-server-config/cc58284b6af2c33812cfaef9e40b8c911dbbefb83ca2e7564e8fbf5e7039c22e_sk -b admin:adminpw -d'
      volumes:
        - ./crypto-config/peerOrganizations/exporterorg.trade.com/ca/:/etc/hyperledger/fabric-ca-server-config
      container_name: ca_peerExporterOrg
      networks:
        - trade
The service that will run in the MSP is the fabric-ca-server, listening on port 7054, bootstrapped with the certificates and keys created using cryptogen, and using the default login and password (admin and adminpw, respectively) configured in the fabric-ca image. The command to start an instance of a Fabric CA server is fabric-ca-server start …, as you can see in the preceding code.
Peers as well as CAs are configured for TLS-based communication, as indicated in the preceding configurations. The reader must note that if TLS is disabled in one, it must be disabled in the other too.
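A quick way to check the two points above (TLS settings that agree between peers and CAs, and the CA bootstrap identity still at admin:adminpw) before starting the network. This is an added example, not part of the book's repository; lint_compose is a hypothetical helper and the compose fragment in the demo is constructed.

```shell
#!/bin/sh
# Added example, not part of the book's repository. lint_compose is a
# hypothetical helper and the compose fragment in demo() is constructed.

# lint_compose FILE...: print findings, exit status 1 if there are any.
lint_compose() (
  status=0
  # Peers read CORE_PEER_TLS_ENABLED and CAs FABRIC_CA_SERVER_TLS_ENABLED;
  # all values present must agree. A variable left unset is not detected.
  distinct=$(grep -ho '[A-Z_]*TLS_ENABLED=[A-Za-z]*' "$@" |
    cut -d= -f2 | tr 'A-Z' 'a-z' | sort -u | awk 'END {print NR}')
  if [ "$distinct" -gt 1 ]; then
    grep -Hn 'TLS_ENABLED=' "$@" | sed 's/^/TLS_MISMATCH /'
    status=1
  fi
  # Bootstrap identity still at the image default named in the text.
  creds=$(grep -Hn -e '-b admin:adminpw' "$@" | cut -d: -f1,2)
  if [ -n "$creds" ]; then
    echo "$creds" | sed 's/^/DEFAULT_BOOTSTRAP_CREDS /'
    status=1
  fi
  exit "$status"
)

# Constructed demo: peer TLS on, CA TLS off, default bootstrap credentials.
demo() (
  f=$(mktemp) || exit 1
  printf '%s\n' \
    'peer-base:' \
    '  environment:' \
    '    - CORE_PEER_TLS_ENABLED=true' \
    'exporter-ca:' \
    '  environment:' \
    '    - FABRIC_CA_SERVER_TLS_ENABLED=false' \
    "  command: sh -c 'fabric-ca-server start -b admin:adminpw -d'" > "$f"
  lint_compose "$f"
  rm -f "$f"
)
demo
```

Run it over docker-compose-e2e.yaml together with the files in base/ so that the peer and CA settings are compared in one pass.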
Also, as can be observed by examining docker-compose-e2e.yaml, we do not create a Fabric CA server (and container) for the orderer’s organization. For the exercise we will go through in this book, statically created admin users and credentials for the orderer are sufficient; we will not be registering new orderer organization users dynamically, so a Fabric CA server is not needed.