hyperledger / fabric

Hyperledger Fabric is an enterprise-grade permissioned distributed ledger framework for developing solutions and applications. Its modular and versatile design satisfies a broad range of industry use cases. It offers a unique approach to consensus that enables performance at scale while preserving privacy.
https://wiki.hyperledger.org/display/fabric
Apache License 2.0

Test network fix for Linux hosts with SELinux enabled, e.g. Fedora, RHEL or others. #5045

Closed twoGiants closed 3 weeks ago

twoGiants commented 1 month ago

Type of change

Description

Currently the test network can only be used on Linux machines with SELinux disabled. When SELinux is enabled on the host, two issues appear:

  1. Peer and orderer are crashing after start when using Docker or Podman.
  2. Chaincode cannot be deployed when using Docker.

The reason for the first issue is permission errors with Docker/Podman volumes. This can be seen in the container logs:

# peer 1&2
ERRO [main] InitCmd -> Fatal error when initializing core config : error when reading core config file: Config File "core" Not Found in "[/etc/hyperledger/peercfg]"

# orderer
PANI [orderer.common.server] loadLocalMSP -> Failed to get local msp config: could not initialize BCCSP Factories: Failed initializing BCCSP: Could not initialize BCCSP SW [Failed to initialize software key store: open /var/hyperledger/orderer/msp/keystore: permission denied]

To resolve the errors, the volume sections of the compose files need to be modified.

The reason for the second issue is that the peer container cannot access the Docker socket. When deploying a new chaincode in a test network running on Docker, the following error happens:

Error: chaincode install failed with status: 500 - failed to invoke backing implementation of 'InstallChaincode': could not build chaincode: docker build failed: docker image inspection failed: Get "http://unix.sock/images/dev-peer0.org1.example.com-basic_1.0-c6a45e2d5563c883869149c3dbd941c22fbe27daa21f0552834f5a53fbb8058a-fe69b7bdc0bbe5769bbff0572aa6986343c77b61c84077999a9b65f29c5c0025/json": dial unix /host/var/run/docker.sock: connect: permission denied
Chaincode installation on peer0.org1 has failed
Deploying chaincode failed

To resolve this error the Docker compose file needs to be modified. The volume section needs to be updated and the security option disabled for this container.

The errors in the container logs and during chaincode deployment were added to the test_network.md 'Troubleshooting' section as an aid if someone searches the documentation for those errors.

The necessary changes are documented in a new section called 'SELinux' under the 'Tutorials/Using the Fabric test network' docs.

Additional details

The documented changes were discovered and fixed in a test network running on a Fedora 40 machine.

I deployed a version of the documentation with my changes for the reviewer here. Scroll down for the entry in the test network troubleshooting section, it's the last two entries.

Two questions to the reviewer (Update 24.10):

  1. Should I create an issue for this PR? => no
  2. Should the fix be added to the fabric samples test network setup? => can be done, but not needed now
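
A sketch of the kind of compose change the description refers to, added here as an example and not taken from the PR's diff. It assumes the standard Docker/Podman SELinux controls (the `:z` volume relabel option and `security_opt: label=disable`); the host-side paths and the `orderer` service name are placeholders, while the container-side paths are the ones shown in the error messages above.

```yaml
# Added example, not the PR's own changes. Host paths (left of the colon) and
# the "orderer" service name are placeholders chosen for illustration.
services:
  orderer:
    volumes:
      # Before (SELinux enforcing -> "open .../msp/keystore: permission denied"):
      #   - ./orderer/msp:/var/hyperledger/orderer/msp
      # After: ":z" asks the runtime to relabel the host directory with a
      # shared container label so the confined process is allowed to read it.
      - ./orderer/msp:/var/hyperledger/orderer/msp:z

  peer0.org1.example.com:
    volumes:
      # Before (-> 'Config File "core" Not Found in "[/etc/hyperledger/peercfg]"'):
      #   - ./peercfg:/etc/hyperledger/peercfg
      - ./peercfg:/etc/hyperledger/peercfg:z
      # The Docker socket is mounted without ":z": relabelling it would change
      # the SELinux label of a host system object. Access to it comes from the
      # security option below instead.
      - /var/run/docker.sock:/host/var/run/docker.sock
    security_opt:
      # Disables SELinux label confinement for this one container, which is
      # what lets the peer connect to the socket to build chaincode images.
      # Scope it to the peer only: together with the socket mount it gives
      # this container control over the host's Docker daemon.
      - label=disable
```

Use `:z` only on directories created for the test network; the relabel is applied to the host files themselves and persists after the containers stop.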

denyeart commented 1 month ago

To answer the questions in the Description:

twoGiants commented 1 month ago
  • If it can be fixed without causing too much disruption to test-network setup that would be ideal. If it will make test-network setup significantly more complex, then I agree with the doc approach...

Not too complex but not worth the effort at this point. No issues open and no complaints so far. The documentation will tell how to resolve it. I think that should suffice for now.

denyeart commented 1 month ago

Note - you also need to add your email signoff at the bottom of the commit message to pass the DCO check. More details at https://github.com/hyperledger/fabric/pull/5045/checks?check_run_id=32014394611.