fabric-common
Current version 1.4.6
Prerequisite
- docker: 17.06.2-ce +
- docker-compose: 1.14.0 +
- golang: 1.12.x
- fabric-node-sdk:
- nodejs: 10.x
- npm: 6 +
- Python: 2.7
Mono repository division
- bash
- [deprecated]Hyperledger composer
- golang
- java
- nodejs
Design Notes
- CICD: using travis
Milestone
- [1.2]
- [privateData]
- [1.4]
- [Operations][healthz][metrics][logLevel]
- [raft]
- [1.4.3][orderer][FAB-7559] apply new ordering service endpoints config structure
Notes
- [connectionProfile]A connection profile is normally created by an administrator who understands the network topology.
- if random result is included in WriteSet, it corrupts the deterministic process.
- instantiate/upgrade could be where data migration is performed, if necessary
- [keystore] For private keys existing in local file system, you should set the permissions to 0400 on *nix based OS’s.
- [gRpcs][docker network] host name SHOULD not include upper-case character, otherwise gRpcs ping for discovery_client will not response back with docker network DNS
- [query]blockHeight(got from queryChain) indexing from 1, blockNumber in blockEvent starting from 0
- [reference]playback conference: https://wiki.hyperledger.org/display/fabric/Playbacks
- [channel]
txId
is required in peer join channel because: [bret Harrison]There is a transaction proposal to the system chaincode, so a transaction id is required. - [channel][orderer] individual properties may be overridden by setting environment variables, such as
CONFIGTX_ORDERER_ORDERERTYPE=kafka
. - [channel][system] peer could not join system channel
[Orderer.js]: sendDeliver - rejecting - status:FORBIDDEN
- [channel]channel ID length < 250 :initializing configtx manager failed: bad channel ID: channel ID illegal, cannot be longer than 249
- [proposalResponse] instantiate|upgrade action return a response payload with struct
ChaincodeData
. See in protobuf message description file - [disaster]backup recovery: at least 1 anchor peer for each organization should be resumed to recover transaction process
- [couchdb]error symptom of run richQuery on levelDB:
GET_QUERY_RESULT failed: transaction ID: 6b53220f87f791047ba44635f32d07cb667b6439c5df95e9a208d74ab12b5ff2: ExecuteQuery not supported for leveldb
- [raft] etcdraft does not support non TLS
- Raft nodes identify each other using TLS pinning, so in order to impersonate a Raft node, an attacker needs to obtain the private key of its TLS certificate. As a result, it is not possible to run a Raft node without a valid TLS configuration.
[orderer.common.server] initializeClusterClientConfig -> PANI 004 TLS is required for running ordering nodes of type etcdraft.
ClientTLSCert
,ServerTLSCert
in configtx.yaml have to be aligned with orderer environment set:otherwise it will say:General.Cluster.ClientCertificate = "" General.Cluster.ClientPrivateKey = "" General.Cluster.RootCAs = []
I do not belong to channel testchainid or am forbidden pulling it (not in the channel), skipping chain retrieval
- [raft] Each channel has its own RAFT orderer cluster, but system channel should have a super set of all orderer cluster -- Jay Guo
- [raft][migrate] migrate from kafka to etcdRaft, see here
- [solo][FAB-15754] Deploy a single-node Raft-based ordering service instead of using solo consensus type
- [Replay Attack] txID replay validation is done by orderer, the duplicated txID could not be found at next block marked as "invalid transaction"
Notes: ChannelEventHub
- for application channel
- The first block could be replayed is not the channel genesis block (available from
Channel.getGenesisBlock
), but the one after, which isblock.header.number='1'
.
- The first block could be replayed is not the channel genesis block (available from
Notes: Private Data
- [privateData]requirePeerCount <= peerCount - 1 (1 for peer itself)
- [privateData]"2-of" collectionPolicy is not allowed
- [privateData]private data work only after manually set anchor peers
- [privateData]Note that collections cannot be deleted, as there may be prior private data hashes on the channel’s blockchain that cannot be removed.
- [privateData]call
await stub.putPrivateData('any', "key", 'value');
without setup collection Config or in Init step:
Error: collection config not define for namespace [node]
See also in https://github.com/hyperledger/fabric/commit/8a705b75070b7a7021ec6f897a80898abf6a1e45 - [privateData] collectionConfig.memberOnlyRead
- expected symptom:
Error: GET_STATE failed: transaction ID: 35175d5ac4ccaa44ad77257a25caca5999c1a70fdee27174f0b7d9df1c39cfe5: tx creator does not have read access permission on privatedata in chaincodeName:diagnose collectionName: private
- expected symptom:
- [privateData] private data will automatic sync on new peer(process last for seconds)
Notes: Chaincode
-
[chaincode]peer.response in chaincode.Init cannot be recovered from proposal response. stub.GetState is meaningless in Init
-
[chaincode]transient map context keep persistent when cross chaincode
-
[chaincode]it is allowed that chaincode invoker
creator
, target peers belongs to differed organization. -
[chaincode]chaincode name is not a secret, we can use combination of discovery service and query chaincode installed on peer to get them all
-
[chaincode]chaincode upgrade could not replace instantiate for fabric-sdk-node:
Error: could not find chaincode with name 'diagnose'
-
[chaincode][nodejs]nodejs chaincode take longer time in install chaincode only.
-
[chaincode][nodejs][FAB-9287] devDependencies and offline chaincode instantiate is not supported yet
-
[chaincode][nodejs][contract-api] later contract in
index#exports.contracts
array will overlap to previous one, similar asObject.assign()
-
[chaincode][nodejs][contract-api] multiple contract in index.js: for invoke function code split
- contract name: defined in subclass of Contract constructor
super(`${contractName}`)
- function namespace division: :
- ledger data is integral for multiple contract
- contract name: defined in subclass of Contract constructor
-
[chaincode][nodejs][contract-api] minimum package.json
{ "main": "index.js", "scripts": { "start": "fabric-chaincode-node start" }, "dependencies": { "fabric-contract-api": "^1.4.4", "fabric-shim": "^1.4.4" } }
property "name", "version" is useless
-
[chaincode] call
await stub.putPrivateData('anyCollection', "key", 'value');
without setup collection Config or in Init step:
Error: collection config not define for namespace
See in https://github.com/hyperledger/fabric/commit/8a705b75070b7a7021ec6f897a80898abf6a1e45 -
[chaincode][system]System chaincodes are intended to be invoked by a client rather than by a user chaincode
-
[chaincode][golang]
failed to invoke chaincode name:"lscc" , error: API error (400): OCI runtime create failed: container_linux.go:348: starting container process caused "exec: \"chaincode\": executable file not found in $PATH": unknown
- means package name for golang-chaincode entrance is not
main
- means package name for golang-chaincode entrance is not
-
[chaincode][endorsement]chaincode partial update: when not all peers upgrade to latest chaincode, is it possible that old chaincode still work with inappropriate endorsement config; while with appropriate endorsement policy, we get chaincode fingerprint mismatch error
-
[chaincode][system] System chaincodes are intended to be invoked by a client rather than by a user chaincode. Invoking from a user chaincode may cause deadlocks. See here
-
[chaincode][instantiate policy]
instantiate policy
is notendorsemnet policy
, it is used during chaincode packaging/install determining who is able to instantiate/upgrade chaincode, it is partially supported in nodejs with chaincode package binary(byte[]) as input.- to customize instantiate policy, we reply on
peer chaincode package
Notes: Operations
-
[logLevel]
logspec
:{"spec":"chaincode=debug:info"}
, the logger is in debug mode and level is info. -
[healthz] In the current version, the only health check that is registered is for Docker.
-
[metrics][TLS] the TLS enable flag located in
Operations
section -
[metrics][TLS] for peer and orderer, even ...OPERATIONS_TLS_CLIENTAUTHREQUIRED=false, client side key-cert is still
- required on endpoints:
/metrics
,/logspec
- but not required on endpoints
/healthz
,/version
See details in FAB-14323
- required on endpoints:
-
[metrics] The
/metrics
endpoint allows operators to utilize Prometheus to pull operational metrics from peer and orderer nodes.
TODO
- npm couchdb-dump in nodejs/couchdbDump.sh
- level db navigator(https://github.com/Level/level or https://github.com/syndtr/goleveldb) and richQuery for leveldb;leveldb analyzer
- NodeOUs enable and intermediate CA
- channelEventHub.disconnect status sync
- make use of npm jsrsasign
- make use of softHSM in node-sdk
- replace some function in query.js with system chaincode
Fabric weakness
-
fabric RSA key support:
- not supported as peer|orderer keystore
-
new Feature required: GetPrivateStateByRangeWithPagination: https://jira.hyperledger.org/browse/FAB-11732
-
async or not: CryptoSuite importKey
-
[1.4]
Channel#getChannelConfigFromOrderer
could not specify target orderer -
client.newTransactionID(); --> new TransactionID(Identity,isAdmin)
-
create docker env manager to convert a env jsObject to env list(having same key checking)
-
[go mod support]
lib/packager/Golang.js
could not support project outside of GoPath (as usually in go mod)const projDir = path.join(goPath, 'src', chaincodePath);
Abandoned
- what is peer_chaincode_id and peer_chaincode_path
- keystore object un-promisify: https://gerrit.hyperledger.org/r/#/c/24749/
- endpoint ping: https://gerrit.hyperledger.org/r/#/c/28115/
- docker-swarm support
- graphiteapp/graphite-statsd not working to receive metrics: push statsD to AWS