AWS CloudFormation launch of Hyperledger Fabric fails, error: The following resource(s) failed to create: [EC2InstanceForDev]

Time: 2019-03-05 20:21:51

Tags: hyperledger-fabric amazon-cloudformation amazon-iam

Here is the AWS documentation: https://docs.aws.amazon.com/blockchain-templates/latest/developerguide/blockchain-templates-hyperledger.html I am using the IAM policy from the documentation:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecr:GetAuthorizationToken",
                "ecr:BatchCheckLayerAvailability",
                "ecr:GetDownloadUrlForLayer",
                "ecr:GetRepositoryPolicy",
                "ecr:DescribeRepositories",
                "ecr:ListImages",
                "ecr:DescribeImages",
                "ecr:BatchGetImage",
                "s3:Get*",
                "s3:List*"
            ],
            "Resource": "*"
        }
    ]
}

But the stack could not be launched. I then added all of the following permissions:

AmazonEC2FullAccess
AmazonEC2ContainerRegistryFullAccess
AmazonS3FullAccess
AmazonEC2ContainerRegistryReadOnly
AmazonS3ReadOnlyAccess
AmazonEC2ContainerServiceFullAccess
AdministratorAccess

But still no luck, and I got this error:


The following resource(s) failed to create: [EC2InstanceForDev].

What IAM policy should I add to resolve this error?

Thanks!

1 answer:

Answer 0 (score: 0)

The official AWS Blockchain CloudFormation template for Hyperledger Fabric is a nested template (our base template calls another template, which does all the setup on the EC2 instance it creates itself).

But the problem is that it does everything on the EC2 instance except installing docker-compose, and at the end it throws an error that the docker-compose command was not found, which causes the CloudFormation template to break (EC2InstanceForDev) and roll back. So instead of using the CloudFormation template, we can run the same script manually on the EC2 instance with only a small change. The change is to install docker-compose beforehand. The rest of the setup stays the same, i.e.:

  1. Create a VPC,
  2. Create a public subnet,
  3. Create an EIP if you want to attach it later,
  4. Create a key pair for SSH,
  5. Create an IAM role and policy,
  6. Create a security group with inbound 8080 (TCP) & 22 (SSH),
  7. Launch an EC2 instance using the resources created in steps (1 to 6).

The preferred AMIs are -

  1. ami-1853ac65 for us-east-1
  2. ami-25615740 for us-east-2
  3. ami-dff017b8 for us-west-2

Docker image repositories -

  1. 354658284331 for us-east-1
  2. 763976151875 for us-east-2
  3. 712425161857 for us-west-2

Script to run on EC2 (give the script chmod 777 and chmod +x) -

#!/bin/bash -x
# Pre-install docker-compose, which the nested template never installs
# (the missing command is what makes EC2InstanceForDev fail and roll back).
sudo curl -L https://github.com/docker/compose/releases/download/1.22.0/docker-compose-$(uname -s)-$(uname -m) -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose
sudo ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose
# Sanity check: the exit status must be 0 before continuing with the Fabric setup
docker-compose --version
res=$?
echo $res
mkdir /tmp/fabric-install/
cd /tmp/fabric-install/
# Fetch the same basic-network bundle the CloudFormation template uses
wget https://aws-blockchain-templates-us-east-1.s3.us-east-1.amazonaws.com/hyperledger/fabric/templates/simplenetwork/latest/HyperLedger-BasicNetwork.tgz -O /home/ec2-user/HyperLedger-BasicNetwork.tgz
cd /home/ec2-user
tar xzvf HyperLedger-BasicNetwork.tgz
rm /home/ec2-user/HyperLedger-BasicNetwork.tgz
chown -R ec2-user:ec2-user HyperLedger-BasicNetwork
chmod +x /home/ec2-user/HyperLedger-BasicNetwork/artifacts/first-run-standalone.sh
# Arguments: region, root domain, three org sub-domains, channel name, ECR registry URL, ECR account ID
/home/ec2-user/HyperLedger-BasicNetwork/artifacts/first-run-standalone.sh us-east-1 example.com org1 org2 org3 mychannel 354658284331.dkr.ecr.us-east-1.amazonaws.com/ 354658284331
res=$?
echo $res

The IAM policy I attached to the role -

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecr:GetAuthorizationToken",
                "ecr:BatchCheckLayerAvailability",
                "ecr:GetDownloadUrlForLayer",
                "ecr:GetRepositoryPolicy",
                "ecr:DescribeRepositories",
                "ecr:ListImages",
                "ecr:DescribeImages",
                "ecr:BatchGetImage"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:Get*",
                "s3:List*"
            ],
            "Resource": "*"
        }
    ]
}

Note - In the above script, please replace the region and the corresponding AWS ECR account number for your AWS region, and the script has (example.com org1 org2 org3 mychannel), please change these as required as well. They are the same as the RootDomain, Org1SubDomain, Org2SubDomain, Org3SubDomain and ChannelName we enter in the CF template.

The whole process was tested in the us-east-1 region. The script can be deployed directly in the us-east-1 region. Access the Hyperledger web monitor interface at (http://EC2-DNS OR EIP:8080).
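Added example (not part of the question or the answer above): a small offline check over the IAM policies on this page. It shows two things a practitioner would want to confirm before piling on managed policies such as AdministratorAccess: first, that the policy from the question already covers every ECR and S3 action the first-run script needs (consistent with the answer's diagnosis that the failure is the missing docker-compose binary, not IAM); second, that both the question's and the answer's policies grant those actions on Resource "*", and how the same grants look when scoped to the template bucket and ECR account the script actually uses. The ECR account ID 354658284331 and the bucket name aws-blockchain-templates-us-east-1 come from the answer's script; the repository wildcard and the set of required actions are assumptions, and ecr:GetAuthorizationToken is left on "*" because that action does not support resource-level permissions.

```python
import fnmatch
import json

# Constructed copy of the policy from the question. The answer's policy grants
# the same actions, just split across two statements.
QUESTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability",
            "ecr:GetDownloadUrlForLayer", "ecr:GetRepositoryPolicy",
            "ecr:DescribeRepositories", "ecr:ListImages", "ecr:DescribeImages",
            "ecr:BatchGetImage", "s3:Get*", "s3:List*",
        ],
        "Resource": "*",
    }],
}

# Assumed minimum for what the first-run script does: log in to ECR, pull
# image layers, and read the template bundle from S3.
REQUIRED_ACTIONS = {
    "ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability",
    "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage",
    "s3:GetObject", "s3:ListBucket",
}

# Actions that only accept Resource "*" (no resource-level permissions).
NO_RESOURCE_SCOPING = {"ecr:GetAuthorizationToken"}


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def action_matches(pattern, action):
    """IAM action matching is case-insensitive and supports '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def missing_actions(policy, required=REQUIRED_ACTIONS):
    """Required actions that no Allow statement in the policy covers."""
    patterns = [
        p for st in policy["Statement"] if st["Effect"] == "Allow"
        for p in _as_list(st.get("Action", []))
    ]
    return sorted(a for a in required
                  if not any(action_matches(p, a) for p in patterns))


def wildcard_resource_actions(policy):
    """Allowed actions granted on every resource ('*') although they could be scoped."""
    found = set()
    for st in policy["Statement"]:
        if st["Effect"] == "Allow" and "*" in _as_list(st.get("Resource", [])):
            found.update(a for a in _as_list(st.get("Action", []))
                         if a not in NO_RESOURCE_SCOPING)
    return sorted(found)


def scoped_policy(region, ecr_account, template_bucket):
    """Same grants as the page's policy, scoped to the ECR account and the template
    bucket the script pulls from (assumed layout; the page itself uses '*')."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "ecr:GetAuthorizationToken", "Resource": "*"},
            {"Effect": "Allow",
             "Action": ["ecr:BatchCheckLayerAvailability",
                        "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage"],
             "Resource": f"arn:aws:ecr:{region}:{ecr_account}:repository/*"},
            {"Effect": "Allow", "Action": "s3:ListBucket",
             "Resource": f"arn:aws:s3:::{template_bucket}"},
            {"Effect": "Allow", "Action": "s3:GetObject",
             "Resource": f"arn:aws:s3:::{template_bucket}/*"},
        ],
    }


if __name__ == "__main__":
    print("missing in question policy:", missing_actions(QUESTION_POLICY))
    print("granted on '*':", wildcard_resource_actions(QUESTION_POLICY))
    scoped = scoped_policy("us-east-1", "354658284331",
                           "aws-blockchain-templates-us-east-1")
    print("missing after scoping:", missing_actions(scoped))
    print(json.dumps(scoped, indent=2))
```

Run it as-is to see that the question's policy has no missing actions (so adding AdministratorAccess cannot fix the stack) and that nine of its ten actions are granted on every resource; the scoped variant keeps the script working while limiting the instance role to the one bucket and one ECR account it needs.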