|
Re: Question about invokeChaincode api
#fabric-chaincode
BigBang019
Thank you guys so much, it's really helpful!
|
|||||||||
|
|
|||||||||
|
Re: ANNOUNCEMENT: Hyperledger Fabric v2.4.1 is now available!
toggle quoted messageShow quoted text
|
|||||||||
|
|
|||||||||
|
ANNOUNCEMENT: Hyperledger Fabric v2.4.1 is now available!
David Enyeart
Hyperledger Fabric v2.4.1 is now available! v2.4.1 introduces a "Chaincode as a service" sample builder into the fabric-peer docker image, making it easier to manage smart contracts in Kubernetes and other runtime environments.
|
|||||||||
|
|
|||||||||
|
Enrollment with fabric-ca-client with Mismatching Host (on AWS Managed Blockchain)
Stein, Alexander J. (Fed) <alexander.stein@...>
Hello,
I am working with a team and we are trying to use an _existing_ deployment of a Hyperledger Fabric 1.4 network that is private (this becomes important later), as configured on the AWS Managed Blockchain platform. I presume I cannot modify the certificate authority, only access it the way it is provided, so I need to know how to work around this without blowing away all the members and the network to start from scratch. Can you enroll a admin member with the member CA if there is a hostname mismatch? So far, we reached this portion of official AWS documentation. https://docs.aws.amazon.com/managed-blockchain/latest/hyperledger-fabric-dev/get-started-enroll-admin.html When we use our CA configuration data it does not work _as-is_ with the given configuration. We are not using a public network, so this configuration is a hard requirement by AWS (until we advance further). We must a VPC endpoint to access the member certificate authority by an internal IP address via a special VPC Endpoint DNS record, not public. AWS does not seem to have an option for a private network with public addresses. So, when following this post, we get back obvious cert name mismatches when sending the CSR. To start, we are using 1.4.7 pulled down from GitHub releases yesterday. $ ~/go/src/github.com/hyperledger/fabric-ca/bin/fabric-ca-client version fabric-ca-client: Version: 1.4.7 Go version: go1.13.9 OS/Arch: linux/amd64 We set out our CAENDPOINT to a VPC endpoint, which is valid, but slightly different hostname from the official endpoint. vpce-0123456789010-abcdefg-us-east-1c.n-mynetworkid.managedblockchain.us-east-1.vpce.amazonaws.com:30002 Notice this is different from what AWS tells us the member CA is, but that is intentional and by design. This is what you would see in the console as the official member CA endpoint. ca.mymemberid.n-mynetworkid.managedblockchain.us-east-1.amazonaws.com:30002 (NOTE: this does not even show up in DNS by design, it will not resolve, this is to force you to use the aforementioned API endpoints only through private addresses via VPC endpoints.) So when we do this, either the client (but more likely the CA server right?) says hey, those hostnames don't mismatch, I am ignoring your CSR, better luck next time. $ ~/go/src/github.com/hyperledger/fabric-ca/bin/fabric-ca-client enroll -u "https://adminuser:adminpassword@$CASERVICEENDPOINT" --tls.certfiles ~/managedblockchain-tsl-chain.pem -m ~/admin-msp 2021/12/17 19:38:27 [INFO] TLS Enabled 2021/12/17 19:38:27 [INFO] generating key: &{A:ecdsa S:256} 2021/12/17 19:38:27 [INFO] encoded CSR Error: POST failure of request: POST https://vpce-0123456789010-abcdefg-us-east-1c.n-mynetworkidce.managedblockchain.us-east-1.vpce.amazonaws.com:30002/enroll {"hosts":["/home/ec2-user/admin-msp"],"certificate_request":"-----BEGIN CERTIFICATE REQUEST-----\\n-----END CERTIFICATE REQUEST-----\n","profile":"","crl_override":"","label":"","NotBefore":"0001-01-01T00:00:00Z","NotAfter":"0001-01-01T00:00:00Z","CAName":""}: Post https://vpce-0123456789010-abcdefg-us-east-1c.n-mynetworkid.managedblockchain.us-east-1.vpce.amazonaws.com:30002/enroll: x509: certificate is valid for nd-blahblahblah.m-mymemberid.n-mynetworkid.managedblockchain.us-east-1.amazonaws.com, localhost, ca.m-mymemberid.n-mynetworkid.managedblockchain.us-east-1.amazonaws.com, not vpce-0123456789010-abcdefg-us-east-1c.n-mynetworkidce.managedblockchain.us-east-1.vpce.amazonaws.com Again ca.mymemberid.n-mynetworkid.managedblockchain.us-east-1.amazonaws.com will not resolve and this is by design, but luckily it seems a proper HTTPS POST request came back, albeit with an error. Is there are any way to force a CSR with a hostname mismatch from the client side, or is this a (member CA) server-side only thing? This is a managed Hyperledger Fabric deployment, so I do not think we can modify the CA server config. Is there are any way to force this with the fabric-ca-client-config.yaml? Am I missing something obvious? Sorry, I am new to Fabric and the docs do not help me with this level of detail. Best, AJ
|
|||||||||
|
|
|||||||||
|
fabric-sdk-java released with Log4J critical vulnerability fix
Mark Lewis
Hi everyone,
fabric-sdk-java v2.2.10 and v1.4.14 have been published to Maven Central. They update the Log4J dependency to 2.16.0 to address both CVE-2021-44228 (Log4Shell, which was already patched in fabric-sdk-java v2.2.9) and also the follow-on CVE-2021-45046 vulnerabilities:
|
|||||||||
|
|
|||||||||
|
Re: Question about invokeChaincode api
#fabric-chaincode
Hi! The chaincode has a unique identifier in the network when it is running. If a chaincode calls itself (another function) using invokeChaincode method, an error will occur. You have to call the function directly without using invokeChaincode method. If a chaincode invokes another chaincode in the same channel, both calls will have their write sets appended to the transaction. If a chaincode invokes another chaincode in another channel, it will be considered a query and no changes will be applied to the second chaincode state. Best regards. David Em sex., 17 de dez. de 2021 às 08:24, BigBang019 <zhuxy0000@...> escreveu:
--
David Reis
|
|||||||||
|
|
|||||||||
|
Re: Question about invokeChaincode api
#fabric-chaincode
BigBang019
Thanks for your attention: https://github.com/hyperledger/fabric-chaincode-java/issues/218
|
|||||||||
|
|
|||||||||
|
Re: Question about invokeChaincode api
#fabric-chaincode
Matthew White
Hello;
Can I suggest that you raise an issue on the github hyperledger/fabric-chaincode-java repo?
Though to check that you can call `helloworld()` directly from `invokeChaincode` without having to call invokeChaincode? Pass on the ctx variable, and both methods are then part of the same transaction.
Typically only use invokerChaincode, when you going to a completely different chaincode.
Regards, Matthew.
Matthew B White IBM Blockchain Solutions Architect
Email me at WHITEMAT@...
Find me on StackOverflow, and generally at calanais.me.uk
Note: restricted availability for meetings 14:30 to 17:00 UK Tuesday
IBM United Kingdom Limited, Hursley Park, Winchester, Hampshire, SO21 2JN
"The wrong answers are the ones you go looking for when the right answers stare you in the face" ----- Original message ----- Unless stated otherwise above: IBM United Kingdom Limited - Registered in England and Wales with number 741598. Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU
|
|||||||||
|
|
|||||||||
|
Question about invokeChaincode api
#fabric-chaincode
BigBang019
Environment: fabric release-2.2
My chaincode named vulnerable is as follows:  When I invoke helloworld directly, it gives me responce "helloworld", everything works fine. But when I invoke invokeChaincode method, it gives me  and chaincode docker container logging is as follows:  It seems like (1) the statement System.out.printf("\n%s\n", chaincodeName) works fine. (2) org.hyperledger.fabric.shim.impl.InvocationStubImpl.invokeChaincode also finds the registered method helloworld, but it encountered another exception half way the invocation. Does anyone met this problem before? Thanks in advance.
|
|||||||||
|
|
|||||||||
|
Re: Question about PrivateData Endorsement in Hyperledger Fabric
#fabric-endorser
BigBang019
Hi, thanks for your reply.
I'm using fabric release-2.2, and deployed a test network on a clean environment. I have the following phenomena: (1) When I use cmd docker exec peer0.org1.example.com peer channel getinfo -c mychannel and docker exec peer0.org2.example.com peer channel getinfo -c mychannel, I got the same result, which means there's no state inconsistency. (2) When I change the endorsement policy of the chaincode vulenrable to "OR('Org1MSP.peer','Org2MSP.peer')" everything works fine. Conclusion: If we deploy a chaincode with (1) privatedata config above, (2) endorsement policy like "AND('Org1MSP.peer','Org2MSP.peer')", then this chaincode fail with endorsement conflict. Is this a bug? I haven't get deeper inspection of the reason.
|
|||||||||
|
|
|||||||||
|
Re: Question about PrivateData Endorsement in Hyperledger Fabric
#fabric-endorser
David Enyeart
You're right, the private data collection should have nothing to do with that error. That error typically means state is not identical across the peers and therefore the chaincode results do not match. In a production system with load it can be caused by peers at different block heights at time of chaincode execution. If you are seeing it on a system at rest then there may be something wrong with one of your peers. Are you able to reproduce it on a clean environment? Scenario: 1. I have a chaicode named vulnerable with a collection-config as follows: and transaction functions as follows But I didn't give any endorsement policy to this chaincode, which means its endorsement policy are supposed to be ZjQcmQRYFpfptBannerStart This Message Is From an External Sender This message came from outside your organization. ZjQcmQRYFpfptBannerEnd Scenario: 1. I have a chaicode named vulnerable with a collection-config as follows:  and transaction functions as follows  But I didn't give any endorsement policy to this chaincode, which means its endorsement policy are supposed to be "MAJORITY Endorsement". 2. Now I deployed a network with 2 Orgs and 1 Peer per Org, i.e. I have 2 peers in total. 3. When I invoke this chaincode through fabric-sdk-go, as follows  It gives me:  I'm really confused, because everything works fine before I add that collection-config. Could you please give any help on this situation? Thanks in advance.
|
|||||||||
|
|
|||||||||
|
Question about PrivateData Endorsement in Hyperledger Fabric
#fabric-endorser
BigBang019
Scenario:
1. I have a chaicode named vulnerable with a collection-config as follows:  and transaction functions as follows  But I didn't give any endorsement policy to this chaincode, which means its endorsement policy are supposed to be "MAJORITY Endorsement". 2. Now I deployed a network with 2 Orgs and 1 Peer per Org, i.e. I have 2 peers in total. 3. When I invoke this chaincode through fabric-sdk-go, as follows  It gives me:  I'm really confused, because everything works fine before I add that collection-config. Could you please give any help on this situation? Thanks in advance.
|
|||||||||
|
|
|||||||||
|
Re: management of k8s deployed test network
Nikos Karamolegkos
Extending the previous question. How can I use the scripts to deploy a second channel with an other chaincode (the asset-transfer-basic but with an other name in avoid problems in the peers). I tried to channel the ENV TEST_NETWORK_CHANNEL_NAME before creating the channel and then change TEST_NETWORK_CHAINCODE_LABEL before deploying the chaincode. However, during invoke and query the commands stall.
|
|||||||||
|
|
|||||||||
|
Re: Question on EVM chaincode on Hyperledger Fabric
Hi, Gourav. I've forwarded this to the Fabric mailing list, which is the best place to get an answer. Ry
|
|||||||||
|
|
|||||||||
|
Re: About BCCSP plugin
Yacov
I am aware of companies that use validation plugins to complement the built-in endorsement policy checks because they have an atypical adversary model.
I also think that endorsement plugins are useful for achieving threshold signature orchestration without needing to change Fabric, and I know of companies that have a need for threshold signatures because a strong endorsement policy has a big impact on transaction
size and throughput.
While I know that plugins are not exactly... flexible or easy to use, it is still possible to use them if you are determined enough to have a hand-tailored solution for a problem that no one else will solve for you.
I also don't think we should've removed the BCCSP plugins.
Until Go 1.17 where we had a clash between plugin implementation and dependencies, they did not carry any maintenance burden.
Regards,
Yacov
From: fabric@... <fabric@...> on behalf of David Enyeart <enyeart@...>
Sent: Tuesday, December 14, 2021 11:04 PM To: Ry Jones <rjones@...> Cc: community-architects@... <community-architects@...>; fabric <fabric@...>; twg-china@... <twg-china@...>; 袁怿 <yy19902439@...> Subject: [EXTERNAL] Re: [Hyperledger Fabric] About BCCSP plugin The work item that removed BCCSP plugin support explains the rationale
and points to a Go issue about plugin restrictions: https://jira.hyperledger.org/browse/FAB-15338 In a nutshell, nobody was using them and while they sound good on the surface,
ZjQcmQRYFpfptBannerStart
This Message Is From an External Sender
This message came from outside your organization.
The work item that removed BCCSP plugin support explains the rationale and points to a Go issue about plugin restrictions:
https://jira.hyperledger.org/browse/FAB-15338 Hi, Sam. I've added the Fabric list so that the other maintainers can see it. Ry On Fri, Dec 10, 2021 at 7:09 AM 袁怿 <yy19902439@...> wrote: ZjQcmQRYFpfptBannerStart This Message Is From an External Sender This message came from outside your organization. ZjQcmQRYFpfptBannerEnd Hi, Sam. I've added the Fabric list so that the other maintainers can see it. Ry On Fri, Dec 10, 2021 at 7:09 AM 袁怿 <yy19902439@...> wrote: Hi fabric maintainers and David, I found two interested commits in fabric history. hyperledger/fabric@01c50ef hyperledger/fabric@0cde017#diff-62806c7dcf924402565d4ef558b602db6197cb4b1075bacb8514f95ca073392d mapping to jira tickets https://jira.hyperledger.org/browse/FAB-6189 and https://jira.hyperledger.org/browse/FAB-15340 with above things. Which means in historical, we support fabric BCCSP running in plugin mode and may I know the reason we removed BCCSP plugin mode support?
-- Ry Jones Community Architect, Hyperledger Chat: @rjones Calendar
|
|||||||||
|
|
|||||||||
|
Re: About BCCSP plugin
David Enyeart
The work item that removed BCCSP plugin support explains the rationale and points to a Go issue about plugin restrictions: https://jira.hyperledger.org/browse/FAB-15338 Hi, Sam. I've added the Fabric list so that the other maintainers can see it. Ry On Fri, Dec 10, 2021 at 7:09 AM 袁怿 <yy19902439@...> wrote: ZjQcmQRYFpfptBannerStart This Message Is From an External Sender This message came from outside your organization. ZjQcmQRYFpfptBannerEnd Hi, Sam. I've added the Fabric list so that the other maintainers can see it. Ry
On Fri, Dec 10, 2021 at 7:09 AM 袁怿 <yy19902439@...> wrote: Hi fabric maintainers and David, I found two interested commits in fabric history. hyperledger/fabric@01c50ef hyperledger/fabric@0cde017#diff-62806c7dcf924402565d4ef558b602db6197cb4b1075bacb8514f95ca073392d mapping to jira tickets https://jira.hyperledger.org/browse/FAB-6189 and https://jira.hyperledger.org/browse/FAB-15340 with above things. Which means in historical, we support fabric BCCSP running in plugin mode and may I know the reason we removed BCCSP plugin mode support?
-- Ry Jones Community Architect, Hyperledger Chat: @rjones Calendar
|
|||||||||
|
|
|||||||||
|
Re: About BCCSP plugin
Hi, Sam. I've added the Fabric list so that the other maintainers can see it. Ry
On Fri, Dec 10, 2021 at 7:09 AM 袁怿 <yy19902439@...> wrote:
|
|||||||||
|
|
|||||||||
|
Now: Private Chaincode Lab - 12/14/2021
#cal-notice
fabric@lists.hyperledger.org Calendar <noreply@...>
Private Chaincode Lab When: Where: Organizer: Marcus Brandenburger bur@... Description:
|
|||||||||
|
|
|||||||||
|
Re: Urgent: problems with starting local fabric(2.x) network for dev mode using docker containers
#fabric
#configtxgen
#fabric-peer
#fabric-orderer
Matthew White
Hello; Have you tried using the `fabric-samples` test-network? I'd be concerned if there's something wrong in the initial setup that is causing later issues. The error suggests to me that the peer still thinks this chaincode is going to be used in non-dev mode.
Matthew White
|
|||||||||
|
|
|||||||||
|
Re: Number of channels
Tsvetan Georgiev
Hello, Older discussion on that topic: In one of the threads above David Enyeart shared a nice section regarding PDC vs channel: You have to consider some numbers when dealing with the ordering service cluster and number of channels per orderer: The management of the channels may bring overhead. However it is important to consider the functional requirements first and then decide on the technical model. Note that since HLF 2.x version implicit PDC is available: https://hyperledger-fabric.readthedocs.io/en/latest/private-data-arch.html#implicit-private-data-collections It is mostly about your functional / privacy requirements. Technically speaking I see no problem scaling to 8 channels (ledgers) if your business will benefit from it. Channel management may be a maintenance concern depending on how often you need to do updates (i.e. deploy chaincodes, change policies, etc). However if regular updates are required we usually automate the steps anyways. Best Regards,
---- On Sat, 11 Dec 2021 05:09:40 -0500 J K via lists.hyperledger.org <jsjkj434=yahoo.com@...> wrote ----
|
|||||||||
|
|
|||||||||
"BigBang019" ---12/15/2021 07:50:47 AM---*Scenario* : 1. I have a chaicode named *vulnerable* with a *collection-config* as follows:
"Ry
Jones" ---12/14/2021 01:18:53 PM---Hi, Sam. I've added the Fabric list so that the other maintainers can see it.
"Ry Jones" ---12/14/2021 01:18:53 PM---Hi, Sam. I've added the Fabric list so that the other maintainers can see it.
