AWS CloudFormation启动Hyperledger Fabric失败,错误:创建失败:[EC2InstanceForDev]

问题描述 投票:1回答:1

遵循aws文档:https://docs.aws.amazon.com/blockchain-templates/latest/developerguide/blockchain-templates-hyperledger.html使用文档中的IAM策略:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecr:GetAuthorizationToken",
                "ecr:BatchCheckLayerAvailability",
                "ecr:GetDownloadUrlForLayer",
                "ecr:GetRepositoryPolicy",
                "ecr:DescribeRepositories",
                "ecr:ListImages",
                "ecr:DescribeImages",
                "ecr:BatchGetImage",
                "s3:Get*",
                "s3:List*"
            ],
            "Resource": "*"
        }
    ]
}

但是无法启动堆栈。然后,我添加了以下所有权限:

AmazonEC2FullAccess
AmazonEC2ContainerRegistryFullAccess
AmazonS3FullAccess
AmazonEC2ContainerRegistryReadOnly
AmazonS3ReadOnlyAccess
AmazonEC2ContainerServiceFullAccess
AdministratorAccess

但仍然没有运气,并收到此错误:

以下资源创建失败:[EC2InstanceForDev]。

我应该添加什么IAM策略来解决此错误?

谢谢!

hyperledger-fabric amazon-cloudformation amazon-iam
1个回答
0
投票

用于Hyperledger Fabric的官方AWS区块链云形成模板是一个嵌套模板(我们的基本模板调用另一个模板,该模板在其自身创建的EC2实例上进行所有设置)。

但是问题是,除了安装docker-compose之外,它还在EC2-Instance上执行所有操作,并且抛出了一个错误,即最后没有找到docker-compose命令,这导致CloudFormation模板损坏(EC2InstanceForDev)并进行回滚。因此,除了使用CloudFormation模板之外,我们还可以在EC2实例上手动运行相同的脚本,而只需进行少量更改即可。更改是预先安装docker-compose。其余设置保持不变,即-1。创建一个VPC,2.创建公共子网,3.如果您想稍后附加它,则创建EIP,4.创建SSH的密钥对,5.创建IAM角色和策略,6.创建具有入站8080(TCP)的安全组。 &22(SSH),7.在步骤(1to6)中使用创建的资源启动EC2实例。

AMI首选-->>

  1. ami-1853ac65 for us-east-1
  2. [ami-25615740 for us-east-2
  3. us-west-2的[ami-dff017b8]

    4. Docker镜像存储库-

  1. 对于us-east-1的[354658284331
  2. [763976151875 for us-east-2
  3. [712425161857 for us-west-2

    4. 要在EC2上运行的脚本

(为脚本提供chmod 777和chmod + x)-
#!/bin/bash -x
sudo curl -L https://github.com/docker/compose/releases/download/1.22.0/docker-compose-$(uname -s)-$(uname -m) -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose
sudo ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose
docker-compose --version
yum install -y aws-cfn-bootstrap
res=$?
echo $res
mkdir /tmp/fabric-install/ 
cd /tmp/fabric-install/ 
wget https://aws-blockchain-templates-us-east-1.s3.us-east-1.amazonaws.com/hyperledger/fabric/templates/simplenetwork/latest/HyperLedger-BasicNetwork.tgz -O /home/ec2-user/HyperLedger-BasicNetwork.tgz
cd /home/ec2-user
tar xzvf HyperLedger-BasicNetwork.tgz
rm /home/ec2-user/HyperLedger-BasicNetwork.tgz
chown -R ec2-user:ec2-user HyperLedger-BasicNetwork
chmod +x /home/ec2-user/HyperLedger-BasicNetwork/artifacts/first-run-standalone.sh
/home/ec2-user/HyperLedger-BasicNetwork/artifacts/first-run-standalone.sh us-east-1 example.com org1 org2 org3 mychannel 354658284331.dkr.ecr.us-east-1.amazonaws.com/ 354658284331
res=$?
echo $res
# Signal init result
/opt/aws/bin/cfn-signal -e $res          --stack blockchainbook-FabricEC2CommonStack-1OXLFN66D7U1J         --resource EC2InstanceForDev         --region us-east-1

我担任职务的IAM政策-
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecr:GetAuthorizationToken",
                "ecr:BatchCheckLayerAvailability",
                "ecr:GetDownloadUrlForLayer",
                "ecr:GetRepositoryPolicy",
                "ecr:DescribeRepositories",
                "ecr:ListImages",
                "ecr:DescribeImages",
                "ecr:BatchGetImage"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:Get*",
                "s3:List*"
            ],
            "Resource": "*"
        }
]
}

NOTE
-请在上面的脚本中替换您所在区域和相应AWS区域的相应AWS ECR帐号,并且脚本具有example.com org1 org2 org3 mychannel(请根据要求也进行更改)。它与我们在CF模板中输入的RootDomain,Org1SubDomain,Org2SubDomain,Org3SubDomain,ChannelName相同)。

整个过程在us-east-1地区进行了测试。该脚本可以直接部署在us-east-1区域。访问超级分类帐的Web控制台(http://EC2-DNS OR EIP:8080

最新问题
© www.soinside.com 2019 - 2024. All rights reserved.