Implicit policy evaluation failed when creating a new channel

Time: 2019-10-08 12:48:21

Tags: hyperledger-fabric hyperledger

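I am running a custom Hyperledger Fabric network on Kubernetes, and I am now trying to automate the creation and joining of channels. The error I am hitting now has to do with the creation of the channel itself.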

The sequence I follow for channel creation is the following (the example channel is named global):

  1. Create configtx.yaml using genesis.block
configtxgen -profile OrgsOrdererGenesis -configPath /data/config -outputBlock /data/genesis.block --channelID orderersglobal
  2. Create genesis.block using the previously created channel.tx
configtxgen -profile OrgsChannel -configPath /data/config -outputCreateChannelTx /data/global.tx -channelID global
  3. Copy channel.tx to every CLI and organization

  4. On each CLI, I enroll as admin and run the following command to create the channel block:

peer channel create -o orderer0.org1:7050 --channelID global -f /data/global.tx

However, I get this error:

2019-10-08 12:25:51.089 UTC [channelCmd] InitCmdFactory -> INFO 001 Endorser and orderer connections initialized
Error: got unexpected status: BAD_REQUEST -- error validating channel creation transaction for new channel 'global', could not successfully apply update to template configuration: error authorizing update: error validating DeltaSet: policy for [Group]  /Channel/Application not satisfied: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Admins' sub-policies to be satisfied

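As a result, I cannot continue testing the network. Initially I used the same channelID for genesis.block and channel.block, but I have already changed that. I have read a few posts about this, but none of them seems to offer a solution. I hope some of you can help me.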


Here is my network architecture (I am not using TLS)

  • org1
    • peer0 (anchor)
    • peer1
    • orderer0
  • org2
    • peer0 (anchor)
    • peer1
    • orderer0
  • org3
    • orderer0

Here is the content of my configtx.yaml file:

Capabilities:
  Global: &ChannelCapabilities
    V1_3: true
  Orderer: &OrdererCapabilities
    V1_1: true
  Application: &ApplicationCapabilities
    V1_3: true
Organizations:
- &org1
  Name: org1
  ID: org1MSP
  MSPDir: /data/orgs/org1/msp
  AdminPrincipal: Role.ADMIN
  Policies:
    Readers:
      Type: Signature
      Rule: "OR('org1MSP.member')"
    Writers:
      Type: Signature
      Rule: "OR('org1MSP.member')"
    Admins:
      Type: Signature
      Rule: "OR('org1MSP.admin')"
  AnchorPeers:
    - Host: peer0.org1
      Port: 7051
- &org2
  Name: org2
  ID: org2MSP
  MSPDir: /data/orgs/org2/msp
  AdminPrincipal: Role.ADMIN
  Policies:
    Readers:
      Type: Signature
      Rule: "OR('org2MSP.member')"
    Writers:
      Type: Signature
      Rule: "OR('org2MSP.member')"
    Admins:
      Type: Signature
      Rule: "OR('org2MSP.admin')"
  AnchorPeers:
    - Host: peer0.org2
      Port: 7051
- &org3
  Name: org3
  ID: org3MSP
  MSPDir: /data/orgs/org3/msp
  AdminPrincipal: Role.ADMIN
  Policies:
    Readers:
      Type: Signature
      Rule: "OR('org3MSP.member')"
    Writers:
      Type: Signature
      Rule: "OR('org3MSP.member')"
    Admins:
      Type: Signature
      Rule: "OR('org3MSP.admin')"
Orderer: &OrdererDefaults
  OrdererType: kafka
  Addresses:
    - orderer0.org1:7050
    - orderer0.org2:7050
    - orderer0.org3:7050
  BatchTimeout: 2s
  BatchSize:
    MaxMessageCount: 10
    AbsoluteMaxBytes: 98 MB
    PreferredMaxBytes: 512 KB
  MaxChannels: 0
  Kafka:
    Brokers:
      - bootstrap.kafka:9092
  Organizations:
      - *org1
      - *org2
      - *org3
  Policies:
    Readers:
      Type: ImplicitMeta
      Rule: "ANY Readers"
    Writers:
      Type: ImplicitMeta
      Rule: "ANY Writers"
    Admins:
      Type: ImplicitMeta
      Rule: "MAJORITY Admins"
    BlockValidation:
      Type: ImplicitMeta
      Rule: "ANY Writers"
  Capabilities:
    <<: *OrdererCapabilities
Channel: &ChannelDefaults
  Policies:
    Readers:
      Type: ImplicitMeta
      Rule: "ANY Readers"
    Writers:
      Type: ImplicitMeta
      Rule: "ANY Writers"
    Admins:
      Type: ImplicitMeta
      Rule: "MAJORITY Admins"
  Capabilities:
    <<: *ChannelCapabilities
Application: &ApplicationDefaults
  ACLs: &ACLsDefault
    lscc/ChaincodeExists: /Channel/Application/Readers
    lscc/GetDeploymentSpec: /Channel/Application/Readers
    lscc/GetChaincodeData: /Channel/Application/Readers
    lscc/GetInstantiatedChaincodes: /Channel/Application/Readers
    qscc/GetChainInfo: /Channel/Application/Readers
    qscc/GetBlockByNumber: /Channel/Application/Readers
    qscc/GetBlockByHash: /Channel/Application/Readers
    qscc/GetTransactionByID: /Channel/Application/Readers
    qscc/GetBlockByTxID: /Channel/Application/Readers
    cscc/GetConfigBlock: /Channel/Application/Readers
    cscc/GetConfigTree: /Channel/Application/Readers
    cscc/SimulateConfigTreeUpdate: /Channel/Application/Readers
    peer/Propose: /Channel/Application/Writers
    peer/ChaincodeToChaincode: /Channel/Application/Readers
    event/Block: /Channel/Application/Readers
    event/FilteredBlock: /Channel/Application/Readers
  Organizations:
  Policies: &ApplicationDefaultPolicies
    Readers:
      Type: ImplicitMeta
      Rule: "ANY Readers"
    Writers:
      Type: ImplicitMeta
      Rule: "ANY Writers"
    Admins:
      Type: ImplicitMeta
      Rule: "MAJORITY Admins"
  Capabilities:
    <<: *ApplicationCapabilities
Profiles:
  OrgsOrdererGenesis:
    <<: *ChannelDefaults
    Orderer:
      <<: *OrdererDefaults
      Organizations:
      - *org1
      - *org2
      - *org3
      Capabilities:
        <<: *OrdererCapabilities
    Application:
      <<: *ApplicationDefaults
      Organizations:
      - *org1
      - *org2
      - *org3
      Capabilities:
        <<: *ApplicationCapabilities
    Consortiums:
      SampleConsortium:
        Organizations:
        - *org1
        - *org2
  OrgsChannel:
    Capabilities:
      <<: *ChannelCapabilities
    Consortium: SampleConsortium
    Application:
      <<: *ApplicationDefaults
      Organizations:
      - *org1
      - *org2
      Capabilities:
        <<: *ApplicationCapabilities

1 answer:

Answer 0 (score: 1)

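Most likely what is happening is that the certificate you are trying to use as admin is not actually an admin. Things you can check to see what is wrong: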

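  • In the MSP folders you use for configtx.yaml (/data/orgs/org1/msp and /data/orgs/org2/msp), which are folders on your machine (really the machine/container that runs the configtxgen command), the first thing to check is whether the folders were created correctly.
  • Is there a certificate in the admincerts folder inside the MSP folder? If not, the MSP has no admin.
  • Another thing to keep in mind is to use a persistent volume to "pass" the certificates generated by Fabric CA, cryptogen, or any other CA
  • I know for a fact that MSPDir works with a path relative to configtx.yaml. I don't know whether it works properly with an absolute path like the one you are using.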

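Another thing you can do to check which certificates each MSP uses is to fetch the last config block: peer channel fetch config, then configtxlator proto_decode --input <channel name>_config.block --type common.Block --output config.json, and then inspect this JSON file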