KubeCon_China_Blockchain

Many enterprises are looking at blockchain technology to solve business problems. Because of blockchain's decentralized nature, cloud platforms are an ideal place to run blockchain applications. Kubernetes is the ubiquitous cloud operating system and is available from the vast majority of cloud providers, so running and operating blockchain systems on Kubernetes is the natural choice for most users who want to reduce operational complexity. In this talk we introduce and demonstrate an approach to automating the open source blockchain framework Hyperledger Fabric on Kubernetes. We also explain how to use a CNI plugin to set up network policies based on Kubernetes namespaces; this strengthens security by separating the workloads of different blockchain entities. Our work can serve as the foundation of a Kubernetes-based enterprise Blockchain as a Service (BaaS).

1. Managing and Securing Blockchain Applications on Kubernetes
Henry Zhang, Chief Architect, VMware China
Yang Yu, Staff Engineer, VMware China

2. Speakers: Henry Zhang and Yang Yu
• Chief Architect, VMware China R&D
• Staff Engineer, VMware China R&D
• Current focus: Blockchain, Cloud Native Apps, IoT
• Working on Kubernetes CNI plugin for VMware NSX transformers
• Founder of Project Harbor, an open source container registry hosted by CNCF
• Familiar with OpenStack's networking component Neutron
• Hyperledger Cello Contributor
• Speaker of KubeCon Europe 2018
• Coauthor of two blockchain books (in Chinese): Blockchain Technical Guides; Blockchain Core Technologies and Applications

3. Agenda
1 Business Blockchain Overview
2 Why Kubernetes for Blockchain
3 Deploy Fabric on Kubernetes
4 Summary

7. (slide title not recoverable from the extracted text)
• Technology: IBM, Intel, Cisco, etc.
• Finance: JP Morgan, Wells Fargo, DTCC, etc.
• Blockchain: R3, ConsenSys, DAH, etc.


15. What is Kubernetes
• Kubernetes is an open-source platform for automating the deployment, scaling and operation of containerized applications across a cluster of worker nodes.
Capabilities:
• Deploy your applications quickly and predictably
• Scale your applications on the fly
• Seamlessly roll out new features
• Optimize use of your hardware by using only the resources you need
Role:
• K8s sits in the Container as a Service (CaaS) / container orchestration layer

16. K8s introduces a lot of new concepts
10,000 ft. view:
• Cluster
• Master
• Workers (nodes)
• Pods
[Diagram: a K8s cluster with one Master and three worker nodes; each worker runs two pods (Pod 1 to Pod 6).]

17. Services
• Service types: ClusterIP, NodePort, LoadBalancer
• Service discovery: DNS, environment variables
[Diagram: a Service with IP 10.2.3.14, DNS name service1.cluster.local, port 9443/TCP and NodePort 31233 on a worker node with node IP 192.168.10.10, fronting Pod 1 ... Pod N, each listening on port 9443.]

18. Replication Controller
• Features for replicating Pods: auto-healing, manual scaling, rolling updates, multiple release tracks
[Diagram: API Master plus workers K (container hosts) running pod replicas P1R1, P1R2, P1R3, P2R1, P2R2; ReplicaSet.yaml declares ContainerImage1 with Replicas: 3 and ContainerImage2 with Replicas: 2; Deployment_Y.yaml declares ContainerImage1 with Replicas: 1 and ContainerImage2 with Replicas: 2.]

19. Challenges of Fabric
• Barriers to using Fabric
• Complex configuration
• Hard to scale out
• Need to monitor the status of nodes and bring up crashed nodes
• Need an efficient way to manage the blockchain

20. Why Kubernetes?
• Fabric
• Components are encapsulated in containers
• Needs the flexibility to configure and scale out
• Kubernetes
• Microservice oriented
• Easy scaling
• Tooling for operational management
• Multi-tenancy support to segregate workloads


22. Network topology of Fabric Deployment
[Diagram: Fabric pods and the kube_dns pod run on the flannel overlay (10.0.0.1/16) spanning Master, Worker1 and Worker2; an NFS server at 10.0.0.10 provides shared storage; a CMD client reaches the nodes over the 192.168.0.1/24 network.]

23. Network
• All pods are deployed on Kubernetes' overlay network (such as flannel)
• Map a Kubernetes namespace to a Fabric organization
• Use namespaces to separate components of different organizations
• Apply network policy to enforce isolation between organizations
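The namespace-per-organization isolation described on this slide, as an added example that is not code from the talk: a small Python generator for the Namespace and NetworkPolicy manifests of one organization, plus an evaluator that shows which cross-namespace connections the policy admits. The namespace names (org1, org2, orgorderer1) come from the deck; the `fabric-org` label key and the `isolate-<org>` policy name are assumptions made here. A NetworkPolicy is only enforced by a CNI plugin that implements it (flannel by itself does not), which is why the talk pairs namespaces with a policy-capable CNI.

```python
"""Per-organization network isolation for Fabric on Kubernetes.

Added example, not code from the talk. Builds the Namespace and the ingress
NetworkPolicy for one organization's namespace and evaluates the policy.
Assumed names: namespaces org1/org2/orgorderer1 (from the deck), label key
"fabric-org" and policy name "isolate-<org>" (constructed here).
"""
import json


def namespace_manifest(org: str) -> dict:
    """One Namespace per Fabric organization; the label lets other orgs'
    policies refer to it with a namespaceSelector."""
    return {
        "apiVersion": "v1",
        "kind": "Namespace",
        "metadata": {"name": org, "labels": {"fabric-org": org}},
    }


def org_isolation_policy(org: str, allowed_orgs=()) -> dict:
    """Ingress NetworkPolicy applied to every pod in namespace `org`.

    - spec.podSelector {} selects all pods in the namespace.
    - policyTypes [Ingress]: once a pod is selected by an ingress policy,
      any ingress not matched by a rule is dropped (default deny).
    - from podSelector {} admits pods of the SAME namespace.
    - one namespaceSelector per explicitly allowed organization (for example
      the orderer namespace, which peers of every org must talk to).
    """
    from_rules = [{"podSelector": {}}]
    for other in allowed_orgs:
        from_rules.append({"namespaceSelector": {"matchLabels": {"fabric-org": other}}})
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": f"isolate-{org}", "namespace": org},
        "spec": {
            "podSelector": {},
            "policyTypes": ["Ingress"],
            "ingress": [{"from": from_rules}],
        },
    }


def ingress_allowed(policy: dict, src_ns: str, dst_ns: str) -> bool:
    """Decide whether a pod in src_ns may connect to a pod in dst_ns under
    `policy` (which must belong to dst_ns). Understands only the rule shapes
    produced above: an empty podSelector and fabric-org namespace labels."""
    if policy["metadata"]["namespace"] != dst_ns:
        raise ValueError("policy does not apply to the destination namespace")
    for rule in policy["spec"].get("ingress", []):
        for peer in rule["from"]:
            if "namespaceSelector" in peer:
                if peer["namespaceSelector"]["matchLabels"]["fabric-org"] == src_ns:
                    return True
            elif "podSelector" in peer and src_ns == dst_ns:
                return True
    return False


def render(manifests) -> str:
    """Wrap manifests in a v1 List; kubectl apply -f accepts JSON directly."""
    return json.dumps({"apiVersion": "v1", "kind": "List", "items": list(manifests)}, indent=2)


if __name__ == "__main__":
    orgs = ["org1", "org2", "orgorderer1"]
    items = [namespace_manifest(o) for o in orgs]
    # Peers of each org accept traffic from their own namespace and the orderer.
    items += [org_isolation_policy(o, ["orgorderer1"]) for o in ("org1", "org2")]
    # The orderer namespace accepts traffic from every organization.
    items.append(org_isolation_policy("orgorderer1", ["org1", "org2"]))
    print(render(items))
```

Pipe the output into `kubectl apply -f -` on a cluster whose CNI enforces NetworkPolicy; with `kubectl exec` into a pod of org2, a connection to a peer of org1 should then time out while the same request from inside org1 succeeds.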

24. Storage
• Configuration and data files are placed in shared storage (NFS)
• Supports pod portability between worker nodes
• Use PV and PVC to limit visibility of data for the peer nodes of Fabric
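The PV/PVC arrangement from this slide, as an added example that is not code from the talk: each organization gets its own PersistentVolume carved out of the shared NFS export, reserved through `claimRef` for a single claim in that organization's namespace, so a claim from another namespace cannot bind it. The NFS server address 10.0.0.10 is taken from the topology slide; the export root `/fabric` and the claim name `<org>-data` are assumptions made here.

```python
"""Per-organization storage on the shared NFS server.

Added example, not code from the talk. Generates one PersistentVolume per
organization (a subdirectory of one NFS export) plus the matching
PersistentVolumeClaim in that organization's namespace, and checks that the
binder can pair each claim with exactly its own volume.
Assumptions: NFS server 10.0.0.10 (from the topology slide); export root
"/fabric" and claim name "<org>-data" are constructed for this example.
"""

NFS_SERVER = "10.0.0.10"   # address shown on the topology slide
NFS_EXPORT = "/fabric"     # assumed export root on the NFS server


def org_pv(org: str, size: str = "10Gi") -> dict:
    """PV for one organization: its own subdirectory, Retain so ledger data
    survives deletion of the claim, and claimRef reserving it for one PVC."""
    return {
        "apiVersion": "v1",
        "kind": "PersistentVolume",
        "metadata": {"name": f"pv-{org}", "labels": {"fabric-org": org}},
        "spec": {
            "capacity": {"storage": size},
            "accessModes": ["ReadWriteMany"],    # shared by the org's pods on any worker
            "persistentVolumeReclaimPolicy": "Retain",
            "storageClassName": "",              # static binding only, no provisioner
            "claimRef": {"namespace": org, "name": f"{org}-data"},
            "nfs": {"server": NFS_SERVER, "path": f"{NFS_EXPORT}/{org}"},
        },
    }


def org_pvc(org: str, size: str = "10Gi") -> dict:
    """Claim in the org's namespace, pinned from its side with volumeName."""
    return {
        "apiVersion": "v1",
        "kind": "PersistentVolumeClaim",
        "metadata": {"name": f"{org}-data", "namespace": org},
        "spec": {
            "accessModes": ["ReadWriteMany"],
            "storageClassName": "",
            "volumeName": f"pv-{org}",
            "resources": {"requests": {"storage": size}},
        },
    }


def pv_bindable_by(pv: dict, pvc: dict) -> bool:
    """Mirror the reservation rules the PV controller applies: a PV carrying
    a claimRef binds only to that namespace/name, a claim naming a volumeName
    binds only to that PV, and the storage classes must agree."""
    ref = pv["spec"].get("claimRef")
    meta = pvc["metadata"]
    if ref and (ref["namespace"], ref["name"]) != (meta["namespace"], meta["name"]):
        return False
    wanted = pvc["spec"].get("volumeName")
    if wanted and wanted != pv["metadata"]["name"]:
        return False
    return pv["spec"]["storageClassName"] == pvc["spec"]["storageClassName"]


def bind_plan(orgs) -> dict:
    """Return {namespace/claim: pv} and fail if any claim could bind to zero
    or several volumes, i.e. if isolation between organizations is not strict."""
    pvs = [org_pv(o) for o in orgs]
    plan = {}
    for o in orgs:
        pvc = org_pvc(o)
        matches = [pv["metadata"]["name"] for pv in pvs if pv_bindable_by(pv, pvc)]
        if len(matches) != 1:
            raise RuntimeError(f"claim {o}-data matches {matches}")
        plan[f"{o}/{o}-data"] = matches[0]
    return plan


if __name__ == "__main__":
    import json
    orgs = ["org1", "org2", "orgorderer1"]
    print(json.dumps([org_pv(o) for o in orgs] + [org_pvc(o) for o in orgs], indent=2))
    print(bind_plan(orgs))
```

The `claimRef` on the volume is what enforces the visibility limit: without it, any claim of a compatible size and class in any namespace could be bound to the org's NFS directory first.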

25. Mapping Fabric Components into Pods
• Peer Pod: Fabric peer + CouchDB
• CA Server Pod: Fabric CA Server
• CLI Pod (optional): CLI environment for the org
• Orderer Pod: Orderer nodes
• Kafka Pod: Nodes of Kafka
• Zookeeper Pod: Nodes of Zookeeper

26. Separate components by namespaces
[Diagram: Namespace org1 ... orgN each holds Service-fronted Pods Peer0 + CouchDB ... PeerN + CouchDB, a CA Pod and a CLI Pod; Namespace orgorderer1 holds orderer0 ... ordererM; Namespace Kafka holds Kafka 0 ... Kafka N and Zookeeper0 ... ZookeeperN; every stateful Pod mounts a PVC backed by NFS.]

27. Exposing Services
• Using NodePort for CA, peer and orderer services
• Port mapping rules (N >= 1, M >= 0):
• Organization orgN uses the port range 30000+(N-1)*100 ~ 30000+N*100-1
• orgN's CA service port: ca.orgN:7054 -> worker:30000+(N-1)*100
• Peer M of orgN exposes two ports, 7051 and 7052:
  peerM.orgN:7051 -> worker:30000+(N-1)*100 + 2*M + 1
  peerM.orgN:7052 -> worker:30000+(N-1)*100 + 2*M + 2
• ordererN port: ordererN:7050 -> worker:33700+N
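The port mapping rules above carried into code, as an added example that is not from the talk: functions for the CA, peer and orderer NodePorts, the limit on peers per organization that the 100-port range implies (49 peers, peer0 to peer48, before peer49 would spill into the next organization's range), and a NodePort Service manifest for one peer. The Service names (`peerM`, `ca`) and the pod label keys are assumptions made here; N >= 1 and M >= 0 as on the slide.

```python
"""NodePort mapping for Fabric services, implementing the rules on the slide.

Added example, not code from the talk. Service names and pod labels are
assumptions for this example; the arithmetic is the slide's.
"""

ORG_BASE = 30000        # first NodePort of org1
ORG_RANGE = 100         # NodePorts reserved per organization
ORDERER_BASE = 33700    # ordererN -> 33700 + N
DEFAULT_NODEPORT_RANGE = (30000, 32767)  # kube-apiserver --service-node-port-range default


def org_port_range(n: int):
    """Inclusive NodePort range of orgN: 30000+(N-1)*100 .. 30000+N*100-1."""
    if n < 1:
        raise ValueError("organization number N must be >= 1")
    return ORG_BASE + (n - 1) * ORG_RANGE, ORG_BASE + n * ORG_RANGE - 1


def ca_node_port(n: int) -> int:
    """ca.orgN:7054 -> worker:30000+(N-1)*100 (first port of the org's range)."""
    return org_port_range(n)[0]


def peer_node_ports(n: int, m: int):
    """peerM.orgN:7051 -> base+2M+1 and :7052 -> base+2M+2; rejects a peer
    whose ports would fall into the next organization's range."""
    if m < 0:
        raise ValueError("peer number M must be >= 0")
    lo, hi = org_port_range(n)
    p7051, p7052 = lo + 2 * m + 1, lo + 2 * m + 2
    if p7052 > hi:
        raise ValueError(f"peer{m}.org{n} needs NodePort {p7052}, past the org's last port {hi}")
    return p7051, p7052


def max_peers_per_org() -> int:
    """Largest peer count that fits: 2M+2 <= 99 gives M <= 48, i.e. 49 peers."""
    return (ORG_RANGE - 1 - 2) // 2 + 1


def orderer_node_port(n: int) -> int:
    """ordererN:7050 -> worker:33700+N."""
    return ORDERER_BASE + n


def in_default_nodeport_range(port: int) -> bool:
    """True if the port is usable without widening the apiserver's NodePort range."""
    lo, hi = DEFAULT_NODEPORT_RANGE
    return lo <= port <= hi


def peer_service(n: int, m: int) -> dict:
    """NodePort Service manifest for peerM in namespace orgN (names assumed)."""
    p7051, p7052 = peer_node_ports(n, m)
    return {
        "apiVersion": "v1",
        "kind": "Service",
        "metadata": {"name": f"peer{m}", "namespace": f"org{n}"},
        "spec": {
            "type": "NodePort",
            "selector": {"app": "hyperledger", "role": "peer", "peer-id": f"peer{m}"},
            "ports": [
                {"name": "port-7051", "port": 7051, "targetPort": 7051, "nodePort": p7051, "protocol": "TCP"},
                {"name": "port-7052", "port": 7052, "targetPort": 7052, "nodePort": p7052, "protocol": "TCP"},
            ],
        },
    }


if __name__ == "__main__":
    import json
    print("org1 CA:", ca_node_port(1), "peer1.org1:", peer_node_ports(1, 1))
    print("max peers per org:", max_peers_per_org())
    print(json.dumps(peer_service(1, 1), indent=2))
```

Two consequences of the scheme worth checking before deployment: the orderer ports (33700+N) and every organization numbered 28 or higher lie outside the default NodePort range 30000-32767, so the kube-apiserver must be started with a wider `--service-node-port-range`, and `kubectl apply` will reject a Service whose `nodePort` is outside the configured range.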

28. Launching Fabric Cluster
• Automate the process by scripts
• Generate configuration files of Fabric components
• Generate Pod definitions
• Create definitions of PV and PVC
• Start the cluster using kubectl commands

29. Using Fabric Cluster
• List all pods under the namespace of org1
$ kubectl get pods --namespace=org1
• Enter the CLI Pod (here cli-2586364563-vclmr)
$ kubectl exec -it cli-2586364563-vclmr --namespace=org1 -- bash
• Run a Fabric command, e.g. create a new channel
$ peer channel create -o orderer0.orgorderer1:7050 \
    -c mychannel -f ./channel-artifacts/channel.tx