The Operations Service — Hyperledger Fabric Docs main documentation Hyperledger Fabric Docs       Introduction What’s new in Hyperledger Fabric v2.x Release notes Key Concepts Getting Started - Install Getting Started - Run Fabric Tutorials Deploying a production network Operations Guides Membership Service Providers (MSP) Certificates Management Guide Taking ledger snapshots and using them to join channels Using a Hardware Security Module (HSM) Channel Configuration (configtx) Endorsement policies Pluggable transaction endorsement and validation Access Control Lists (ACL) MSP Implementation with Identity Mixer Identity Mixer MSP configuration generator (idemixgen) The Operations Service Configuring the Operations Service Peer Orderer Operations Security Log Level Management Metrics Configuring Metrics Prometheus StatsD Health Checks Version Metrics Reference External Builders and Launchers Running Chaincode as an External Service Error handling Logging Control Securing Communication With Transport Layer Security (TLS) Configuring and operating a Raft ordering service Migrating from Kafka to Raft Bringing up a Kafka-based Ordering Service Upgrading to the latest release Commands Reference Architecture Reference Frequently Asked Questions Contributions Welcome! Glossary Releases Still Have Questions? Status Hyperledger Fabric Docs Operations Guides The Operations Service View page source The Operations Service¶ The peer and the orderer host an HTTP server that offers a RESTful “operations” API. This API is unrelated to the Fabric network services and is intended to be used by operators, not administrators or “users” of the network. The API exposes the following capabilities: Log level management Health checks Prometheus target for operational metrics (when configured) Endpoint for retrieving version information Configuring the Operations Service¶ The operations service requires two basic pieces of configuration: The address and port to listen on. The TLS certificates and keys to use for authentication and encryption. Note, these certificates should be generated by a separate and dedicated CA. Do not use a CA that has generated certificates for any organizations in any channels. Peer¶ For each peer, the operations server can be configured in the operations section of core.yaml: operations: # host and port for the operations server listenAddress: 127.0.0.1:9443 # TLS configuration for the operations endpoint tls: # TLS enabled enabled: true # path to PEM encoded server certificate for the operations server cert: file: tls/server.crt # path to PEM encoded server key for the operations server key: file: tls/server.key # most operations service endpoints require client authentication when TLS # is enabled. clientAuthRequired requires client certificate authentication # at the TLS layer to access all resources. clientAuthRequired: false # paths to PEM encoded ca certificates to trust for client authentication clientRootCAs: files: [] The listenAddress key defines the host and port that the operation server will listen on. If the server should listen on all addresses, the host portion can be omitted. The tls section is used to indicate whether or not TLS is enabled for the operations service, the location of the service’s certificate and private key, and the locations of certificate authority root certificates that should be trusted for client authentication. When enabled is true, most of the operations service endpoints require client authentication, therefore clientRootCAs.files must be set. When clientAuthRequired is true, the TLS layer will require clients to provide a certificate for authentication on every request. See Operations Security section below for more details. Orderer¶ For each orderer, the operations server can be configured in the Operations section of orderer.yaml: Operations: # host and port for the operations server ListenAddress: 127.0.0.1:8443 # TLS configuration for the operations endpoint TLS: # TLS enabled Enabled: true # PrivateKey: PEM-encoded tls key for the operations endpoint PrivateKey: tls/server.key # Certificate governs the file location of the server TLS certificate. Certificate: tls/server.crt # Paths to PEM encoded ca certificates to trust for client authentication ClientRootCAs: [] # Most operations service endpoints require client authentication when TLS # is enabled. ClientAuthRequired requires client certificate authentication # at the TLS layer to access all resources. ClientAuthRequired: false The ListenAddress key defines the host and port that the operations server will listen on. If the server should listen on all addresses, the host portion can be omitted. The TLS section is used to indicate whether or not TLS is enabled for the operations service, the location of the service’s certificate and private key, and the locations of certificate authority root certificates that should be trusted for client authentication. When Enabled is true, most of the operations service endpoints require client authentication, therefore RootCAs must be set. When ClientAuthRequired is true, the TLS layer will require clients to provide a certificate for authentication on every request. See Operations Security section below for more details. Operations Security¶ As the operations service is focused on operations and intentionally unrelated to the Fabric network, it does not use the Membership Services Provider for access control. Instead, the operations service relies entirely on mutual TLS with client certificate authentication. When TLS is disabled, authorization is bypassed and any client that can connect to the operations endpoint will be able to use the API. When TLS is enabled, a valid client certificate must be provided in order to access the logging and metrics services. The health check and version services only require a valid client certificate when clientAuthRequired is enabled, since these services are often used by network operators and only provide read-only information. When clientAuthRequired is enabled, the TLS layer will also require a valid client certificate regardless of the resource being accessed. Log Level Management¶ The operations service provides a /logspec resource that operators can use to manage the active logging spec for a peer or orderer. The resource is a conventional REST resource and supports GET and PUT requests. When a GET /logspec request is received by the operations service, it will respond with a JSON payload that contains the current logging specification: {"spec":"info"} When a PUT /logspec request is received by the operations service, it will read the body as a JSON payload. The payload must consist of a single attribute named spec. {"spec":"chaincode=debug:info"} If the spec is activated successfully, the service will respond with a 204 "No Content" response. If an error occurs, the service will respond with a 400 "Bad Request" and an error payload: {"error":"error message"} When TLS is enabled, a valid client certificate is required to use this service regardless of whether clientAuthRequired is set to true at the TLS level. Metrics¶ Some components of the Fabric peer and orderer expose metrics that can help provide insight into the behavior of the system. Operators and administrators can use this information to better understand how the system is performing over time. Configuring Metrics¶ Fabric provides two ways to expose metrics: a pull model based on Prometheus and a push model based on StatsD. Prometheus¶ A typical Prometheus deployment scrapes metrics by requesting them from an HTTP endpoint exposed by instrumented targets. As Prometheus is responsible for requesting the metrics, it is considered a pull system. When configured, a Fabric peer or orderer will present a /metrics resource on the operations service. When TLS is enabled, a valid client certificate is required to use this service regardless of whether clientAuthRequired is set to true at the TLS level. Peer¶ A peer can be configured to expose a /metrics endpoint for Prometheus to scrape by setting the metrics provider to prometheus in the metrics section of core.yaml. metrics: provider: prometheus Orderer¶ An orderer can be configured to expose a /metrics endpoint for Prometheus to scrape by setting the metrics provider to prometheus in the Metrics section of orderer.yaml. Metrics: Provider: prometheus StatsD¶ StatsD is a simple statistics aggregation daemon. Metrics are sent to a statsd daemon where they are collected, aggregated, and pushed to a backend for visualization and alerting. As this model requires instrumented processes to send metrics data to StatsD, this is considered a push system. Peer¶ A peer can be configured to send metrics to StatsD by setting the metrics provider to statsd in the metrics section of core.yaml. The statsd subsection must also be configured with the address of the StatsD daemon, the network type to use (tcp or udp), and how often to send the metrics. An optional prefix may be specified to help differentiate the source of the metrics — for example, differentiating metrics coming from separate peers — that would be prepended to all generated metrics. metrics: provider: statsd statsd: network: udp address: 127.0.0.1:8125 writeInterval: 10s prefix: peer-0 Orderer¶ An orderer can be configured to send metrics to StatsD by setting the metrics provider to statsd in the Metrics section of orderer.yaml. The Statsd subsection must also be configured with the address of the StatsD daemon, the network type to use (tcp or udp), and how often to send the metrics. An optional prefix may be specified to help differentiate the source of the metrics. Metrics: Provider: statsd Statsd: Network: udp Address: 127.0.0.1:8125 WriteInterval: 30s Prefix: org-orderer For a look at the different metrics that are generated, check out Metrics Reference. Health Checks¶ The operations service provides a /healthz resource that operators can use to help determine the liveness and health of peers and orderers. The resource is a conventional REST resource that supports GET requests. The implementation is intended to be compatible with the liveness probe model used by Kubernetes but can be used in other contexts. When a GET /healthz request is received, the operations service will call all registered health checkers for the process to ensure all registered services and dependencies are available. When all of the health checkers return successfully, the operations service will respond with a 200 "OK" and a JSON body: { "status": "OK", "time": "2009-11-10T23:00:00Z" } If one or more of the health checkers returns an error, the operations service will respond with a 503 "Service Unavailable" and a JSON body that includes information about which health checker failed: { "status": "Service Unavailable", "time": "2009-11-10T23:00:00Z", "failed_checks": [ { "component": "docker", "reason": "failed to connect to Docker daemon: invalid endpoint" } ] } The peer has the following health checks available: Docker daemon health check (if a Docker endpoint is configured for chaincodes) CouchDB health check (if CouchDB is configured as the state database) When TLS is enabled, a valid client certificate is not required to use this service unless clientAuthRequired is set to true. Version¶ The orderer and peer both expose a /version endpoint. This endpoint serves a JSON document containing the orderer or peer version and the commit SHA on which the release was created. When TLS is enabled, a valid client certificate is not required to use this service unless clientAuthRequired is set to true. Next Previous © Copyright Hyperledger 2020-2023. This work is licensed under a Creative Commons Attribution 4.0 International License Built with Sphinx using a theme provided by Read the Docs.