fabric-docs-i18n
[ja_JP] Deploying a production network / Checklist for a production ordering node
Original HTML: https://hyperledger-fabric.readthedocs.io/en/release-2.5/deployorderer/ordererchecklist.html Original Source: https://github.com/hyperledger/fabric/blob/e1e8e2e52aa4fc543360d245fe6554a0eaf81183/docs/source/deployorderer/ordererchecklist.md
diff --git a/docs/source/deployorderer/ordererchecklist.md b/docs/source/deployorderer/ordererchecklist.md
index dbeb04bb1..7b8cc18d8 100644
--- a/docs/source/deployorderer/ordererchecklist.md
+++ b/docs/source/deployorderer/ordererchecklist.md
@@ -6,19 +6,23 @@ While in a production environment you could override the environment variables i
This checklist covers key configuration parameters for setting up a production ordering service. Of course, you can always refer to the orderer.yaml file for additional parameters or more information. It also provides guidance on which parameters should be overridden. The list of parameters that you need to understand and that are described in this topic include:
-* [General.ListenAddress](#general-listenaddress)
-* [General.ListenPort](#general-listenport)
-* [General.TLS.*](#general-tls)
-* [General.Keepalive.*](#general-keepalive)
-* [General.Cluster.*](#general-cluster)
-* [General.BoostrapMethod](#general-bootstrapmethod)
-* [General.BoostrapFile](#general-bootstrapfile)
-* [General.LocalMSPDir](#general-localmspdir)
-* [General.LocalMSPID](#general-localmspid)
-* [FileLedger.Location](#fileledger-location)
-* [Operations.*](#operations)
-* [Metrics.*](#metrics)
-* [Consensus.*](#consensus)
+- [Checklist for a production ordering node](#checklist-for-a-production-ordering-node)
+ - [General.ListenAddress](#generallistenaddress)
+ - [General.ListenPort](#generallistenport)
+ - [General.TLS](#generaltls)
+ - [General.KeepAlive](#generalkeepalive)
+ - [General.Cluster](#generalcluster)
+ - [General.BoostrapMethod](#generalboostrapmethod)
+ - [General.BoostrapFile](#generalboostrapfile)
+ - [General.LocalMSPDir](#generallocalmspdir)
+ - [General.LocalMSPID](#generallocalmspid)
+ - [General.BCCSP.\*](#generalbccsp)
+ - [FileLedger.Location](#fileledgerlocation)
+ - [Operations.\*](#operations)
+ - [Metrics.\*](#metrics)
+ - [Admin.\*](#admin)
+ - [ChannelParticipation.\*](#channelparticipation)
+ - [Consensus.\*](#consensus)
## General.ListenAddress
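Review bot: The new table of contents keeps the misspelled `General.BoostrapMethod` and `General.BoostrapFile` entries and now carries the typo into the anchors (`#generalboostrapmethod`, `#generalboostrapfile`), while the configuration keys shown further down are `BootstrapMethod` and `BootstrapFile`. Fix the headings, the entries and the anchors together. The anchor style also changes from `#general-listenaddress` to `#generallistenaddress`, so check the rendered page to confirm the new anchors resolve and that existing deep links do not break. The top-level entry that links the page to its own title looks auto-generated and can be dropped.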
@@ -41,14 +45,24 @@ ListenPort: 7050
## General.TLS
```
+# Require server-side TLS
Enabled: false
# PrivateKey governs the file location of the private key of the TLS certificate.
PrivateKey: tls/server.key
# Certificate governs the file location of the server TLS certificate.
Certificate: tls/server.crt
+# RootCAs contains a list additional root certificates used for verifying certificates
+# of other orderer nodes during outbound connections.
+# It is not required to be set, but can be used to augment the set of TLS CA certificates
+# available from the MSPs of each channel’s configuration.
RootCAs:
- tls/ca.crt
+# Require client certificates / mutual TLS for inbound connections.
ClientAuthRequired: false
+# If mutual TLS is enabled, ClientRootCAs contains a list of additional root certificates
+# used for verifying certificates of client connections.
+# It is not required to be set, but can be used to augment the set of TLS CA certificates
+# available from the MSPs of each channel’s configuration.
ClientRootCAs:
```
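Review bot: The added comments `# Require server-side TLS` and `# Require client certificates / mutual TLS for inbound connections.` sit directly above `Enabled: false` and `ClientAuthRequired: false`, so each comment states the opposite of what the sample value does. Reword them along the lines of "Set to true to require server-side TLS" and "Set to true to require client certificates (mutual TLS) for inbound connections". The `RootCAs` comment is also missing a word: "a list additional root certificates" should read "a list of additional root certificates".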
@@ -85,7 +99,7 @@ ServerTimeout: 20s
# SendBufferSize is the maximum number of messages in the egress buffer.
# Consensus messages are dropped if the buffer is full, and transaction
# messages are waiting for space to be freed.
-SendBufferSize: 10
+SendBufferSize: 100
# ClientCertificate governs the file location of the client TLS certificate
# If not set, the server General.TLS.Certificate is re-used.
ClientCertificate:
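Review bot: `SendBufferSize` goes from 10 to 100 with nothing in the hunk saying why. The comment above it states that consensus messages are dropped when the buffer is full, so this value changes behaviour under load. Please say whether 100 is the default in the shipped `orderer.yaml` or a recommendation for production, and note that in the parameter description.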
@@ -130,7 +144,7 @@ In general, these four parameters would only need to be configured if you want t
BootstrapMethod: file
```
-* **`BootstrapMethod`**: (default value should not be overridden) Unless you plan to use a file type other than “file”, this value should be left as is.
+* **`BootstrapMethod`**: If you plan to create this node on a network that is not using a system channel, override this value to `none` and then ensure that [`ChannelParticipation.Enabled`](#channelparticipation) is set to `true`, otherwise you will get an error when you attempt to start the node. If you are creating a node to be joined to a system channel, unless you plan to use a file type other than “file”, this value should be left as is.
## General.BoostrapFile
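Review bot: The rewritten `BootstrapMethod` bullet drops the parenthesised override guidance that the other bullets lead with ("(default value should not be overridden)") and packs both cases into one long sentence. Split it into one sentence per case (no system channel: set `none` and `ChannelParticipation.Enabled` to `true`; system channel: leave as `file`), each stating whether the default is overridden. "You will get an error when you attempt to start the node" would also help more if it said what the error looks like.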
@@ -145,7 +159,7 @@ BootstrapMethod: file
BootstrapFile:
```
-* **`BoostrapFile`**: (default value should be overridden) Specify the location and name of the system channel genesis block to use when this node is created.
+* **`BoostrapFile`**: (if you are creating this node to be joined to a system channel, the default value should be overridden) Specify the location and name of the system channel genesis block to use when this node is created. If you are creating this node without using a system channel, this value will not be used, and can therefore be left blank.
## General.LocalMSPDir
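Review bot: The bullet label is still spelled `BoostrapFile`, while the key in the sample just above it is `BootstrapFile:`. Since this line is being rewritten anyway, correct the label to `BootstrapFile` so a reader searching `orderer.yaml` for the documented name finds it.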
@@ -156,7 +170,7 @@ BootstrapFile:
LocalMSPDir: msp
```
-**`LocalMSPDir`**: (default value will often be overriden be overridden) This is the path to the ordering node's local MSP, which must be created before it can be deployed. The path can be absolute or relative to `FABRIC_CFG_PATH` (by default, it is `/etc/hyperledger/fabric` in the orderer image). Unless an absolute path is specified to a folder named something other than "msp", the ordering node defaults to looking for a folder called “msp” at the path (in other words, `FABRIC_CFG_PATH/msp`) and when using the orderer image: `/etc/hyperledger/fabric/msp`. If you are using the recommended folder structure described in the [Registering and enrolling identities with a CA](https://hyperledger-fabric-ca.readthedocs.io/en/release-1.4/deployguide/use_CA.html) topic, it would be relative to the `FABRIC_CFG_PATH` as follows:
+**`LocalMSPDir`**: (default value will often be overridden) This is the path to the ordering node's local MSP, which must be created before it can be deployed. The path can be absolute or relative to `FABRIC_CFG_PATH` (by default, it is `/etc/hyperledger/fabric` in the orderer image). Unless an absolute path is specified to a folder named something other than "msp", the ordering node defaults to looking for a folder called “msp” at the path (in other words, `FABRIC_CFG_PATH/msp`) and when using the orderer image: `/etc/hyperledger/fabric/msp`. If you are using the recommended folder structure described in the [Registering and enrolling identities with a CA](https://hyperledger-fabric-ca.readthedocs.io/en/release-1.4/deployguide/use_CA.html) topic, it would be relative to the `FABRIC_CFG_PATH` as follows:
`config/organizations/ordererOrganizations/org0.example.com/orderers/orderer0.org0.example.com/msp`. **The best practice is to store this data in persistent storage**. This prevents the MSP from being lost if your orderer containers are destroyed for some reason.
## General.LocalMSPID
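Review bot: The `LocalMSPDir` entry still links to the `release-1.4` Fabric CA guide (`hyperledger-fabric-ca.readthedocs.io/en/release-1.4/deployguide/use_CA.html`). While the line is being touched, point it at the CA documentation version that matches this release, or confirm that 1.4 is intended. It is also the only parameter entry in these hunks without a leading `* ` bullet marker.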
@@ -170,7 +184,7 @@ LocalMSPDir: msp
LocalMSPID: SampleOrg
```
-* **`LocalMSPID`**: (default value should be overridden) The MSP ID must match the orderer organization MSP ID that exists in the configuration of the system channel. This means the MSP ID must have been listed in the `configtx.yaml` used to create the genesis block of the system channel (or have been added later to the list of system channel administrators).
+* **`LocalMSPID`**: (default value should be overridden) This identifies the organization this ordering node belongs to. The MSP ID must match the orderer organization MSP ID that exists in the configuration of any channel this joined will be joined to.
## General.BCCSP.*
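Review bot: The last sentence of the new `LocalMSPID` bullet is garbled: "any channel this joined will be joined to" should read "any channel this node will be joined to". The removed text also told the reader where the MSP ID is defined (the `configtx.yaml` used to create the genesis block). Consider keeping an equivalent pointer for channel configurations so the reader knows what to compare the value against.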
@@ -298,6 +312,57 @@ Because Prometheus utilizes a "pull" model there is not any configuration requir
* **`Provider`**: Set this value to `statsd` if using `StatsD` or `prometheus` if using `Prometheus`.
* **`Statsd.Address`**: (required to use `StatsD` metrics for the ordering node) When `StatsD` is enabled, you will need to configure the `hostname` and `port` of the `StatsD` server so that the ordering node can push metric updates.
+## Admin.*
+
+```
+Admin:
+ # host and port for the admin server
+ ListenAddress: 127.0.0.1:9443
+
+ # TLS configuration for the admin endpoint
+ TLS:
+ # TLS enabled
+ Enabled: false
+
+ # Certificate is the location of the PEM encoded TLS certificate
+ Certificate:
+
+ # PrivateKey points to the location of the PEM-encoded key
+ PrivateKey:
+
+ # Most admin service endpoints require client authentication when TLS
+ # is enabled. ClientAuthRequired requires client certificate authentication
+ # at the TLS layer to access all resources.
+ #
+ # NOTE: When TLS is enabled, the admin endpoint requires mutual TLS. The
+ # orderer will panic on startup if this value is set to false.
+ ClientAuthRequired: true
+
+ # Paths to PEM encoded ca certificates to trust for client authentication
+ ClientRootCAs: []
+```
+
+* **`ListenAddress`**: The orderer admin server address (host and port) that can be used by the `osnadmin` command to configure channels on the ordering service. This value should be a unique `host:port` combination to avoid conflicts.
+* **`TLS.Enabled`**: Technically this can be set to `false`, but this is not recommended. In general, you should always set this value to `true`.
+* **`TLS.Certificate`**: The path to and file name of the orderer signed certificate issued by the TLS CA.
+* **`TLS.PrivateKey`**: The path to and file name of the orderer private key issued by the TLS CA.
+* **`TLS.ClientAuthRequired`**: This value must be set to `true`. Note that while mutual TLS is required for all operations on the orderer `Admin` endpoint, the entire network is not required to use mutual TLS.
+* **`TLS.ClientRootCAs`**: The path to and file name of the admin client TLS CA root certificate.
+
+## ChannelParticipation.*
+
+```
+ChannelParticipation:
+ # Channel participation API is enabled.
+ Enabled: false
+
+ # The maximum size of the request body when joining a channel.
+ MaxRequestBodySize: 1 MB
+```
+
+* **`Enabled`**: If you are bootstrapping the ordering node with a system channel genesis block, this value can be set to either `true` or `false` (setting the value to `true` allows you to list channels and to migrate away from the system channel in the future). If you are **not** bootstrapping the ordering node with a system channel genesis block, this value must be set to `true` and the [`General.BoostrapMethod`](#general-boostrapmethod) should be set to `none`.
+* **`MaxRequestBodySize`**: (default value should not be overridden) This value controls the maximum size a configuration block can be and be accepted by this ordering node. Most configuration blocks are smaller than 1 MB, but if for some reason a configuration block is too large to be accept, bring down the node, increase this value, and restart the node.
+
## Consensus.*
The values of this section vary by consensus plugin. The values below are for the `etcdraft` consensus plugin. If you are using a different consensus plugin, refer to its documentation for allowed keys and recommended values.
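Review bot: In the `ChannelParticipation` bullets, the link `[General.BoostrapMethod](#general-boostrapmethod)` uses a hyphenated anchor, while the table of contents added in this same patch uses `#generalboostrapmethod`; one of the two will not resolve, so align them (and fix the "Boostrap" spelling at the same time). In the `Admin` sample, `Enabled: false` is shown under `# TLS enabled` while the `TLS.Enabled` bullet says the value should always be `true`; add a comment in the sample saying so, so that a copied block does not leave the admin endpoint without TLS. In the `MaxRequestBodySize` bullet, "too large to be accept" should be "too large to be accepted".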