[FAB-4751] allow provisioning separate chaincode server

The chaincodeListenAddress property allows chaincode connections to use
a listener other than the peer's listener. With this, chaincode streams
need not be bound to the peers endpoint allowing more network options for
protecting it.

The e2e_cli sample uses the chaincodeListenAddress to excercise the
separate chaincode listener (on 7052 but on the same IP address as the
that peer's listener uses).

patch 1
. comment changes (thanks, Binh)

Change-Id: Ic0943be6739ef0401e12686721d3e0472479580c
Signed-off-by: Srinivasan Muralidharan <[email protected]>

Author: Srinivasan Muralidharan

core/chaincode/chaincode_support.go

@@ -120,7 +120,7 @@ func (chaincodeSupport *ChaincodeSupport) chaincodeHasBeenLaunched(chaincode str
 }
 
 // NewChaincodeSupport creates a new ChaincodeSupport instance
-func NewChaincodeSupport(getPeerEndpoint func() (*pb.PeerEndpoint, error), userrunsCC bool, ccstartuptimeout time.Duration) *ChaincodeSupport {
+func NewChaincodeSupport(getCCEndpoint func() (*pb.PeerEndpoint, error), userrunsCC bool, ccstartuptimeout time.Duration) *ChaincodeSupport {
 	ccprovider.SetChaincodesPath(config.GetPath("peer.fileSystemPath") + string(filepath.Separator) + "chaincodes")
 
 	pnid := viper.GetString("peer.networkId")
@@ -130,12 +130,12 @@ func NewChaincodeSupport(getPeerEndpoint func() (*pb.PeerEndpoint, error), userr
 
 	//initialize global chain
 
-	peerEndpoint, err := getPeerEndpoint()
+	ccEndpoint, err := getCCEndpoint()
 	if err != nil {
-		chaincodeLogger.Errorf("Error getting PeerEndpoint, using peer.address: %s", err)
-		theChaincodeSupport.peerAddress = viper.GetString("peer.address")
+		chaincodeLogger.Errorf("Error getting chaincode endpoint, using chaincode.peerAddress: %s", err)
+		theChaincodeSupport.peerAddress = viper.GetString("chaincode.peerAddress")
 	} else {
-		theChaincodeSupport.peerAddress = peerEndpoint.Address
+		theChaincodeSupport.peerAddress = ccEndpoint.Address
 	}
 	chaincodeLogger.Infof("Chaincode support using peerAddress: %s\n", theChaincodeSupport.peerAddress)
 	//peerAddress = viper.GetString("peer.address")

core/comm/connection_test.go

@@ -76,7 +76,8 @@ func TestConnection_Correct(t *testing.T) {
 func TestConnection_WrongAddress(t *testing.T) {
 	testutil.SetupTestConfig()
 	viper.Set("ledger.blockchain.deploy-system-chaincode", "false")
-	peerAddress := GetPeerTestingAddress("7052")
+	//some random port
+	peerAddress := GetPeerTestingAddress("10287")
 	var tmpConn *grpc.ClientConn
 	var err error
 	if TLSEnabled() {

examples/e2e_cli/base/docker-compose-base.yaml

@@ -39,6 +39,7 @@ services:
     environment:
       - CORE_PEER_ID=peer0.org1.example.com
       - CORE_PEER_ADDRESS=peer0.org1.example.com:7051
+      - CORE_PEER_CHAINCODELISTENADDRESS=peer0.org1.example.com:7052
       - CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer0.org1.example.com:7051
       - CORE_PEER_LOCALMSPID=Org1MSP
     volumes:
@@ -47,6 +48,7 @@ services:
         - ../crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls:/etc/hyperledger/fabric/tls
     ports:
       - 7051:7051
+      - 7052:7052
       - 7053:7053
 
   peer1.org1.example.com:
@@ -57,6 +59,7 @@ services:
     environment:
       - CORE_PEER_ID=peer1.org1.example.com
       - CORE_PEER_ADDRESS=peer1.org1.example.com:7051
+      - CORE_PEER_CHAINCODELISTENADDRESS=peer1.org1.example.com:7052
       - CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer1.org1.example.com:7051
       - CORE_PEER_GOSSIP_BOOTSTRAP=peer0.org1.example.com:7051
       - CORE_PEER_LOCALMSPID=Org1MSP
@@ -67,6 +70,7 @@ services:
 
     ports:
       - 8051:7051
+      - 8052:7052
       - 8053:7053
 
   peer0.org2.example.com:
@@ -77,6 +81,7 @@ services:
     environment:
       - CORE_PEER_ID=peer0.org2.example.com
       - CORE_PEER_ADDRESS=peer0.org2.example.com:7051
+      - CORE_PEER_CHAINCODELISTENADDRESS=peer0.org2.example.com:7052
       - CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer0.org2.example.com:7051
       - CORE_PEER_LOCALMSPID=Org2MSP
     volumes:
@@ -85,6 +90,7 @@ services:
         - ../crypto-config/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls:/etc/hyperledger/fabric/tls
     ports:
       - 9051:7051
+      - 9052:7052
       - 9053:7053
 
   peer1.org2.example.com:
@@ -95,6 +101,7 @@ services:
     environment:
       - CORE_PEER_ID=peer1.org2.example.com
       - CORE_PEER_ADDRESS=peer1.org2.example.com:7051
+      - CORE_PEER_CHAINCODELISTENADDRESS=peer1.org2.example.com:7052
       - CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer1.org2.example.com:7051
       - CORE_PEER_GOSSIP_BOOTSTRAP=peer0.org2.example.com:7051
       - CORE_PEER_LOCALMSPID=Org2MSP
@@ -104,4 +111,5 @@ services:
         - ../crypto-config/peerOrganizations/org2.example.com/peers/peer1.org2.example.com/tls:/etc/hyperledger/fabric/tls
     ports:
       - 10051:7051
+      - 10052:7052
       - 10053:7053

peer/node/start.go

@@ -40,6 +40,9 @@ import (
 	"google.golang.org/grpc/grpclog"
 )
 
+//function used by chaincode support
+type ccEndpointFunc func() (*pb.PeerEndpoint, error)
+
 var chaincodeDevMode bool
 var peerDefaultChain bool
 var orderingEndpoint string
@@ -128,7 +131,9 @@ func serve(args []string) error {
 	// enable the cache of chaincode info
 	ccprovider.EnableCCInfoCache()
 
-	registerChaincodeSupport(peerServer.Server())
+	ccSrv, ccEpFunc := createChaincodeServer(peerServer, listenAddr)
+	registerChaincodeSupport(ccSrv.Server(), ccEpFunc)
+	go ccSrv.Start()
 
 	logger.Debugf("Running peer")
 
@@ -247,10 +252,52 @@ func serve(args []string) error {
 	return <-serve
 }
 
+//create a CC listener using peer.chaincodeListenAddress (and if that's not set use peer.peerAddress)
+func createChaincodeServer(peerServer comm.GRPCServer, peerListenAddress string) (comm.GRPCServer, ccEndpointFunc) {
+	cclistenAddress := viper.GetString("peer.chaincodeListenAddress")
+
+	var srv comm.GRPCServer
+	var ccEpFunc ccEndpointFunc
+
+	//use the chaincode address endpoint function..
+	//three cases
+	// -  peer.chaincodeListenAddress not specied (use peer's server)
+	// -  peer.chaincodeListenAddress identical to peer.listenAddress (use peer's server)
+	// -  peer.chaincodeListenAddress different and specified (create chaincode server)
+	if cclistenAddress == "" {
+		//...but log a warning
+		logger.Warningf("peer.chaincodeListenAddress is not set, use peer.listenAddress %s", peerListenAddress)
+
+		//we are using peer address, use peer endpoint
+		ccEpFunc = peer.GetPeerEndpoint
+		srv = peerServer
+	} else if cclistenAddress == peerListenAddress {
+		//using peer's endpoint...log a  warning
+		logger.Warningf("peer.chaincodeListenAddress is identical to peer.listenAddress %s", cclistenAddress)
+
+		//we are using peer address, use peer endpoint
+		ccEpFunc = peer.GetPeerEndpoint
+		srv = peerServer
+	} else {
+		config, err := peer.GetSecureConfig()
+		if err != nil {
+			panic(err)
+		}
+
+		srv, err = comm.NewGRPCServer(cclistenAddress, config)
+		if err != nil {
+			panic(err)
+		}
+		ccEpFunc = getChaincodeAddressEndpoint
+	}
+
+	return srv, ccEpFunc
+}
+
 //NOTE - when we implment JOIN we will no longer pass the chainID as param
 //The chaincode support will come up without registering system chaincodes
 //which will be registered only during join phase.
-func registerChaincodeSupport(grpcServer *grpc.Server) {
+func registerChaincodeSupport(grpcServer *grpc.Server, ccEpFunc ccEndpointFunc) {
 	//get user mode
 	userRunsCC := chaincode.IsDevMode()
 
@@ -263,14 +310,36 @@ func registerChaincodeSupport(grpcServer *grpc.Server) {
 		logger.Debugf("Chaincode startup timeout value set to %s", ccStartupTimeout)
 	}
 
-	ccSrv := chaincode.NewChaincodeSupport(peer.GetPeerEndpoint, userRunsCC, ccStartupTimeout)
+	ccSrv := chaincode.NewChaincodeSupport(ccEpFunc, userRunsCC, ccStartupTimeout)
 
 	//Now that chaincode is initialized, register all system chaincodes.
 	scc.RegisterSysCCs()
 
 	pb.RegisterChaincodeSupportServer(grpcServer, ccSrv)
 }
 
+func getChaincodeAddressEndpoint() (*pb.PeerEndpoint, error) {
+	//need this for the ID to create chaincode endpoint
+	peerEndpoint, err := peer.GetPeerEndpoint()
+	if err != nil {
+		return nil, err
+	}
+
+	ccendpoint := viper.GetString("peer.chaincodeListenAddress")
+	if ccendpoint == "" {
+		return nil, fmt.Errorf("peer.chaincodeListenAddress not specified")
+	}
+
+	if _, _, err = net.SplitHostPort(ccendpoint); err != nil {
+		return nil, err
+	}
+
+	return &pb.PeerEndpoint{
+		Id:      peerEndpoint.Id,
+		Address: ccendpoint,
+	}, nil
+}
+
 func createEventHubServer(secureConfig comm.SecureServerConfig) (comm.GRPCServer, error) {
 	var lis net.Listener
 	var err error

peer/node/start_test.go

@@ -32,6 +32,7 @@ import (
 func TestStartCmd(t *testing.T) {
 	viper.Set("peer.address", "0.0.0.0:6051")
 	viper.Set("peer.listenAddress", "0.0.0.0:6051")
+	viper.Set("peer.chaincodeListenAddress", "0.0.0.0:6052")
 	viper.Set("peer.fileSystemPath", "/tmp/hyperledger/test")
 	viper.Set("chaincode.executetimeout", "30s")
 	overrideLogModules := []string{"msp", "gossip", "ledger", "cauthdsl", "policies", "grpc"}

sampleconfig/core.yaml

@@ -57,6 +57,18 @@ peer:
     # The Address at local network interface this Peer will listen on.
     # By default, it will listen on all network interfaces
     listenAddress: 0.0.0.0:7051
+
+    # The endpoint this peer uses to listen for inbound chaincode connections.
+    #
+    # If chaincodeListenAddress is commented out or equals listenAddress, listenAddress will
+    # be used for chaincode connections.  Otherwise a new listener different from peer's listener
+    # on listenAddress will be used.
+    #
+    # The chaincode connection does not support TLS-mutual auth. Having a separate listener for
+    # the chaincode environment helps isolate the chaincode enviroment for enhanced security.
+    #
+    # chaincodeListenAddress: 127.0.0.1:7052
+
     # When used as peer config, represents the endpoint to other peers in the same organization
     # for peers in other organization, see gossip.externalEndpoint
     # When used as cli config, will mean the peer node's endpoint to interact with
@@ -270,6 +282,9 @@ vm:
 #
 ###############################################################################
 chaincode:
+    # This is used if chaincode endpoint resolution fails with the chaincodeListenAddress
+    # property
+    peerAddress:
 
     # The id is used by the Chaincode stub to register the executing Chaincode
     # ID with the Peerand is generally supplied through ENV variables

unit-test/docker-compose.yml

@@ -8,6 +8,7 @@ vp:
   log_driver: none
   expose:
     - 7051
+    - 7052
   environment:
     - CORE_PEER_ADDRESSAUTODETECT=true
   volumes: