7 Best Practices of Using Alibaba Cloud Container Service to Develop Blockchain Hyperledger Fabric Solutions

Alibaba Cloud Container Service allows users to deploy and configure a blockchain Hyperledger automatically with the blockchain solution, or through a manual, self-built approach. In this article, we will be exploring the best practices of using Alibaba Cloud Container Service to develop blockchain applications and solutions based on Hyperledger Fabric.

Best Practice 1: Generate Sample YAML for Hyperledger Fabric Deployment in Kubernetes

The Blockchain Solution for Kubernetes clusters of Alibaba Cloud Container Service is released in the application directory of Container Service in the form of a Helm Chart. The Blockchain Solution can be used to configure and deploy blockchain networks in Kubernetes clusters of Alibaba Cloud Container Service in one click. It can also be used as an auxiliary YAML generation tool to generate custom sample YAML for Kubernetes. If you are a novice user of Kubernetes and Hyperledger Fabric, this skill provides you with a verified sample YAML for reference to quickly develop custom YAML as needed.

This skill requires the use of the helm install --dry-run command and the schelm tool.

The procedure is as follows:

Install Golang and GIT on the master node of a Kubernetes cluster of Alibaba Cloud Container Service (the root account is used for the following operation).

Add the bin directory of Golang to the PATH environment variable.

Add the following value to PATH:

Save and exit. Run the following command to make the variable take effect:

Run the following command to install schelm:

Generate the default YAML used to deploy Hyperledger Fabric.

The command is successfully executed if the following command output is returned and an output folder is generated:

If no command output is returned or no output folder is generated, rerun the command with schelm removed and check the error message, for example:

The following is a list of properly generated YAML files:

If you want to customize blockchain network configuration, you can compile a custom value yaml file in accordance with the Blockchain Solution configuration and deployment. For example:

Run the following command to pass the values yaml file to generate a YAML deployment file for Kubernetes.

Note: The Blockchain Solution can be deployed only in Alibaba Cloud environment. The YAML file generated using the method described above cannot be directly used in non-Alibaba Cloud environments. It is mainly used for reference.

Best Practice 2: Select Storage for the Deployed Blockchain

Currently, the Blockchain Solution uses Network Attached Storage (NAS) based on the Network File System (NFS) protocol to:

  1. Share blockchain network configurations, certificates, and keys among different blockchain nodes.
  2. Provide data persistence storage for main blockchain nodes.

You can select different types of storage based on your service and technical needs, including:

  1. Block storage, such as Alibaba Cloud disk. It is applicable to data persistence storage for nodes.
  2. File storage, such as Alibaba Cloud NAS. It is applicable to access based on file paths and supports flexible attaching and usage.
  3. Object storage, such as Alibaba Cloud OSS. It is applicable to access based on file objects.

Container Service provides flexible support for the preceding storage types. For attaching and use instructions, see Storage Management.

Best Practice 3: Select a Billing Method for the Deployed Blockchain

Container Service

When you deploy a blockchain in a Kubernetes cluster of Alibaba Cloud Container Service, Container Service is free-of-charge in most cases. The main billing items are underlying resources and services, such as ECS, storage, Server Load Balancer, and Internet addresses. For details, see Billing.


By default, the ECS instance that is automatically created along with a Kubernetes cluster is billed in Pay-As-You-Go mode. If you consider switching to the Subscription mode to save costs, note that currently you cannot select existing ECS instances when creating a Kubernetes cluster and cannot add existing ECS instances to a Kubernetes cluster. Kubernetes clusters of Container Service are planned to support adding existing ECS instances to Kubernetes clusters. Follow the product documentation to get more updates.

Alibaba Cloud Disk

If you buy cloud disks for blockchains, the cloud disks are billed in Pay-As-You-Go mode by default. You can attach and detach the cloud disks to/from different ECS instances repeatedly. If you attach a cloud disk to an ECS instance and switch the instance to the Subscription mode, the cloud disk is also billed in Subscription mode. In this case, the cloud disk cannot be repeatedly attached and detached. For details, see Billing

The pricing of cloud disks is the same in Pay-As-You-Go and Subscription mode. You can keep the default Pay-As-You-Go.

Best Practice 4: Select a Region for the Deployed Blockchain

When you plan the production deployment of a blockchain system, you should choose a Container Service cluster in a specific region for the deployment. In theory, the Container Service provides the same capability in all regions that support this service. You can select a region based on your service or technical needs. If end users are spread out, you can select a region with a relatively central geographic location. If end users are relatively concentrated, you can select a region closest to them.

Best Practice 5: Allow Access to Blockchain Services from Public Networks

After a Hyperledger Fabric blockchain network is deployed in a Kubernetes cluster, corresponding services (such as CA, peer, and orderer) can be accessed within the cluster by using service names. kube-proxy resolves service names into the cluster IP address and routes access requests to pods for processing.

To enable access to the services of blockchain network nodes from outside the cluster, you need to define NodePorts in an external access control list (see the configuration document) and configure public IP addresses that permit external access.

For how to create and bind an EIP to a worker node, see Environment Preparation of the Blockchain Solution. The described method is applicable to development and test environments. It is easy to use with few configurations. You can enable access to NodePorts within a specified range after simple configuration of VPC security group rules.

The method has the following limitations:

  1. The entire cluster cannot provide services externally if the worker node is faulty.
  2. The NodePorts within the specified range are exposed to public networks regardless of whether the ports have running services.

If you plan production deployment, we recommend that you create a Server Load Balancer instance to distribute external access requests to all the worker nodes to achieve high availability, load balancing, and port security.

Image for post
Image for post

The procedure is as follows:

  1. Create a Server Load Balancer instance.
  2. Record the public IP address of the Server Load Balancer instance as the external access address (externalAddress) of the Blockchain Solution.
  3. Add all the worker nodes in batches as the backend servers of the Server Load Balancer instance.
  4. Select TCP for the listening port of the Server Load Balancer instance and specify the same NodePort as the frontend and backend ports. Use the default settings for other configuration items.
  5. Create listening ports for the NodePorts of services in the blockchain network that receive access requests from the Internet in accordance with Step 4.

Best Practice 6: Troubleshooting the “Connection Reset by Peer” Message in the Blockchain Log

If Server Load Balancer external listening is enabled for the NodePorts of all the services in a blockchain network, the logs (which can be viewed using the kubectl logs or docker logs command) of some services (such as CA and orderer) may contain many messages similar to the following:

A large number of such messages may affect log O&M and error diagnosis.

After analysis and research, we confirm that such messages are caused by TCP health check of Server Load Balancer.

The Health Check Principles document of Server Load Balancer has the following description:

By referring to the preceding document and the handling suggestions provided by Method to Handle Massive Logs Caused by Health Check, we come up with the following handling methods applicable to Hyperledger Fabric:

  1. TCP is required for access to the service port of Hyperledger Fabric. For Server Load Balancer, TCP health check cannot be disabled in the same way as HTTP health check.
  2. The internal source code of Hyperledger Fabric does not filter or suppress log messages of specified types. In this case, you can increase the health check interval.
  3. Modify the health check attributes of the listening port of the Server Load Balancer instance. Increase the default interval (2 seconds; maximum value: 50 seconds) to decrease the frequency of relevant log generation.

Best Practice 7: Troubleshooting the Error “x509: Certificate Has Expired or Is Not Yet Valid” during Blockchain SDK Application Access

When a blockchain network is deployed in a Kubernetes cluster by using the Blockchain Solution and SDK applications are tested, the x509: certificate has expired or is not yet valid error occurs occasionally during invoke chaincode. The error message in the Node.js SDK application is as follows:

A large number of comparisons and tests and deep analysis of code show that the effective start time (NotBefore time) of the user certificate of the SDK application enroll is earlier than that of the certificate of fabric-ca that signs the user certificate. Here is an example:

User certificate of the SDK application, effective from 17 06:34:00, December 17, 2017

Certificate of fabric-ca, effective from 17 06:34:32, December 17, 2017

Further analysis identifies the direct cause being due to the 5-minute backdate fabric-ca introduces to NotBefore when signing the SDK user certificate. That is, NotBefore is equal to the actual signing time minus 5 minutes. The core code is as follows. It skips the method call chain and the possibility analysis of conditional branches. If you are interested, contact us for further exploration.

The occasional occurrence of the error baffled us in the beginning. After analyzing the time consumed by the entire process, we found the cause.

The test based on the Blockchain Solution is a complete end-to-end process consisting of the following steps:

  1. Call tools automatically based on user parameters.
  2. Generate a certificate and network configurations.
  3. Generate a YAML file dynamically for Hyperledger Fabric deployment in Kubernetes.
  4. Create a blockchain network in Kubernetes based on the YAML file.
  5. Download the certificate to the SDK application and configure application access to the blockchain network
  6. Run the SDK application to test the blockchain network.

In a traditional Hyperledger Fabric example that uses an existing certificate, the effective start time of the fabric-ca certificate is much longer. Even if the actual signing time of the SDK user certificate is subtracted by the 5-minute backdate, it is not earlier than the effective start time of the fabric-ca certificate.

When Hyperledger Fabric is deployed manually, it takes more than 5 minutes to complete custom configurations and the entire end-to-end process manually. The consumed time may be dozens of minutes, several hours, or several days. The signing time of the SDK user certificate minus the 5-minute backdate is not earlier than the effective start time of the fabric-ca certificate.

The Blockchain Solution of Container Service for Kubernetes shortens the duration of custom configuration and end-to-end process implementation (including manual operations) to 2 to 3 minutes. In this case, the signing time of the SDK user certificate minus the 5-minute backdate may be earlier than the effective start time of the fabric-ca certificate. This may cause the preceding error.

The occasional occurrence is due to the time variation in completing manual operations during each test. For example, the test engineer is occupied by other things.

Based on the preceding analysis, we have worked out the following solutions:

  1. In Hyperledger Fabric 1.0.3 and later versions, the cryptogen tool provides a fix to subtract 5 minutes from the effective start time (NotBefore) of the generated fabric-ca certificate. For details, visit https://jira.hyperledger.org/browse/FAB-6251.
  2. If you use Hyperledger Fabric earlier than 1.0.3, after you create a blockchain network in a Kubernetes cluster, wait for more than 5 minutes before running the SDK application to avoid the error.
  3. The error may occur only in test and development environments with fast end-to-end testing, which are different from actual use cases, especially service usage after production deployment. The error analysis and solution are intended to help you gain a deeper understanding of how Hyperledger Fabric works.


In this article, we have explored the best practices of using Alibaba Cloud Container Service to develop blockchain applications and solutions based on Hyperledger Fabric. The content and information in this article are contributed by Chen Kai, Dong Zhenhua, and Dai Jianwu from the Hyperledger community.

To learn more about this solution, visit the Container Service Blockchain Solution documentation page.



Follow me to keep abreast with the latest technology news, industry insights, and developer trends.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store