Heptapod: the complete guide from Docker to CI/CD

Heptapod: the complete guide from Docker to CI/CD

THUX offers a comprehensive easy guide to get Heptapod (GitLab with Mercurial) deployed using Docker behind a Træfik load balancer. The final setup is completed by activation of the built-in Docker registry and runners for optimal CI/CD.

Discover the guide to Heptapod:



The goal of this post is to bolster the adoption of Heptapod through the very few steps really needed to get it working via docker and get a complete setup with working CI (Continuous Integration) and registry for the image produced within the CI.

The target of the article are system administrators with a little knowledge of docker. No previous knowledge of Gitlab is required as we’ll lead you through the main concepts.

THUX has always used mercurial as the Version Control System of choice for our code and in the last years we hosted the repositories in Bitbucket, until the moment the infamous decision of Bitbucket to discontinue the support of mercurial forced us to take a decision. 
We considered switching to git but I didn’t like to do that just for a non-technical reason and we definitely like mercurial more than git.

Heptapod came to the rescue, especially its docker image, ready to deploy in no-time. Heptapod brings Mercurial SCM support to Gitlab, so that any feature of gitlab is available to the Mercurial world. 
It honestly took some time to get to the final configuration, but in hindsight it all was just very simple and can be replicated with no effort by anybody just following the right directions.

Let’s start from the big picture to offer a sneak peak of the outcome:

  1. We have a docker host that has a Træfik load balancer (version 2+), that handles reachability of all docker instances on port 80 and 443. Træfik is great as it also manages certificates from LetsEncrypt with no hassle at all.
  2. Heptapod runs in a docker and we want to reach it on port 22 as well as 443, so that we can hg clone <my-repo> in a natural way. That implies we reach docker server via ssh on port 23.
  3. We have a runner (actually we can have several different runners for different scopes) that handles the jobs needed when a commit is done. Eg: check the code, run some tests, build a docker image… 
    Heptapod makes it effortless to inspect the result of each job: a little icon informs us of the state of the job and a click on it will just drop us to the console where the job is running.
  4. We have a registry to host our images that in our case will be exposed with a separate name and will be reachable via Træfik as well.



We will take for granted you have a server with docker and docker-compose installed. Similarly I suppose you have 2 entries in DNS pointing to this server: one for the heptapod and one for the registry. The working configuration and a streamlined README can be downloaded from the public area of our Heptapod


As anticipated, we want to use mercurial via ssh so that we opted to change port of the docker server to 23 in /etc/ssh/sshd_config:

   Port 23

followed by a systemctl reload ssh.service


Træfik is a very useful load balancer, suited for the docker environment. We run it in a docker, it forwards http requests to other servers. In our case it forwards requests to other dockers. 
It has several different “providers” that is to say, different ways to configure it’s routing. Here we use only the “docker” provider, that reads the docker socket to read the “labels” each docker can publish. This way, the configuration of the routing to a particular docker is delegated to that same docker and it is defined in its docker-compose.yml.
You can see how this mechanism is used to publish an internal dashboard of traefik:

traefik.http.routers.api.rule: Host(`monitor.thux.it`)
traefik.http.routers.api.service: api@internal

that you can read as: all trafik to monitor.thux.it is to be routed to the service api@internal

version: "3.3"

    image: traefik:v2.2
    restart: always
      - "80:80" # <== http
      - "443:443" # <== https
    #### These are the CLI commands that will configure Traefik and tell it how to work! ####
      - --api.dashboard=true # <== Enabling the dashboard to view services, middlewares, routers, etc...
      - --log.level=DEBUG # <== Setting the level of the logs from traefik
      - --accessLog.filePath=/logs/access.log
      - --log.filePath=/logs/traefik.log
      ## Provider Settings - https://docs.traefik.io/providers/docker/#provider-configuration ##
      - --providers.docker=true # <== Enabling docker as the provider for traefik
      - --providers.docker.exposedbydefault=false # <== Don't expose every container to traefik, only expose enabled ones
      - --providers.docker.network=web # <== Operate on the docker network named web
      ## Entrypoints Settings - https://docs.traefik.io/routing/entrypoints/#configuration ##
      - --entrypoints.web.address=:80 # <== Defining an entrypoint for port :80 named web
      - --entrypoints.web-secured.address=:443 # <== Defining an entrypoint for https on port :443 named web-secured
      ## Certificate Settings (Let's Encrypt) -  https://docs.traefik.io/https/acme/#configuration-examples ##
      - --certificatesresolvers.leresolver.acme.tlschallenge=true # <== Enable TLS-ALPN-01 to generate and renew ACME certs
      - --certificatesresolvers.leresolver.acme.email=myemail@domain.com # <== Setting email for certs
      - --certificatesresolvers.leresolver.acme.storage=/letsencrypt/acme.json # <== Defining acme file to store cert information
      - ./logs:/logs # <== Volume for certs (TLS)
      - ./letsencrypt:/letsencrypt # <== Volume for certs (TLS)
      - /var/run/docker.sock:/var/run/docker.sock # <== Volume for docker admin
      - ./dynamic.yaml:/dynamic.yaml # <== Volume for dynamic conf file, **ref: line 27
      - web # <== Placing traefik on the network named web, to access containers on this network
      #### Labels define the behavior and rules of the traefik proxy for this container ####
      traefik.enable: true
      traefik.http.routers.api.rule: Host(`monitor.thux.it`)
      traefik.http.routers.api.service: api@internal 
      traefik.http.routers.api.middlewares: redirect-to-https
      traefik.http.middlewares.redirect-to-https.redirectscheme.scheme: https
      # let’s define a redirect to https valid for any request:
      traefik.http.routers.http-catchall.rule: hostregexp(`{host:.+}`)
      traefik.http.routers.http-catchall.entrypoints: web
      traefik.http.routers.http-catchall.middlewares: redirect-to-https
      traefik.http.middlewares.redirect-to-https.redirectscheme.scheme: https
      traefik.http.routers.traefik.rule: Host(`monitor.thux.it`)
      traefik.http.routers.traefik.service: api@internal
      traefik.http.routers.traefik.tls.certresolver: leresolver
   external: true


Note we tell Træfik that it must request certificates to LetsEncrypt. 
3 lines of configuration are enough to forget about ssl certificates from now on. As soon as Træfik receives from the label of a docker machine that it needs a certificate it will issue the request to LetsEncrypt for us and it will renew it when needed.


Let’s move on to the core of our challenge: Heptapod.
As of this writing, the current version is 0.15.1 but 1 will soon be available. Current version is built on Gitlab 13.1.5 and mercurial 5.4.2 while the last release of Gitlab is 13.2.1. 

You can configure GitLab via file gitlab.rb (ruby syntax) or via the environment configuration GITLAB_OMNIBUS_CONFIG that will overwrite any configuration found in the default config template. I’ll follow this second possibility as it is easier to copy/paste and to keep updated when you update your docker image. 
My docker-compose.yml starts as follows:

version: '3.4'

    image: octobus/heptapod:0.15.1
    hostname: hg.thux.dev
    restart: always
      - web
      - "22:22"
        external_url 'https://gitlab.thux.it'
        gitlab_rails['gitlab_email_from'] = 'hg@thux.it'
        gitlab_rails['gitlab_email_display_name'] = 'Thux Mercurial Server'
        gitlab_rails['gitlab_email_reply_to'] = 'name@example.com'
        gitlab_rails['smtp_enable'] = true
        gitlab_rails['smtp_address'] = "smtp.example.com"
        gitlab_rails['smtp_port'] = 25
        gitlab_rails['smtp_authentication'] = "plain"
        gitlab_rails['smtp_enable_starttls_auto'] = true
        gitlab_rails['smtp_domain'] = "thux.it"
                 # Registry settings
        registry_external_url 'https://registry.gitlab.thux.it'
        gitlab_rails['registry_enabled'] = true
        registry['enable'] = true
        gitlab_shell['migration'] = { enabled: true, features: ["hg"] }
        nginx['listen_port'] = 80
        nginx['listen_https'] = false
        nginx['proxy_set_headers'] = {
         "Host" => "$$http_host_with_default",
         "X-Real-IP" => "$$remote_addr",
         "X-Forwarded-For" => "$$proxy_add_x_forwarded_for",
         "X-Forwarded-Proto" => "https",
         "X-Forwarded-Ssl" => "on",
         "Upgrade" => "$$http_upgrade",
         "Connection" => "$$connection_upgrade"
        registry_nginx['listen_https'] = false
        registry_nginx['listen_port'] = 80
       - ./gitlab/config:/etc/gitlab
       - ./gitlab/logs:/var/log/gitlab
       - ./gitlab/data:/var/opt/gitlab


Before delving into the GitLab configuration, we can note:

GitLab configuration

As stated above we preferred to configure gitlab via variable GITLAB_OMNIBUS_CONFIG so we don’t need to mount a conf file and when we upgrade to a newer version of heptapod we’re sure any default will correctly be picked from the template. We can inspect the default configuration reading the file /etc/gitlab/gitlab.rb:

 docker-compose exec heptapod cat /etc/gitlab/gitlab.rb

That file is exactly the default, while configuration from environment variable GITLAB_OMNIBUS_CONFIG is applied on top of that. You will need to look at it to know which values you can customize. In case you prefer to edit it directly remember to bind-mount it.  

The first section is very easy to understand: it just enables email and configures the relay server. 
The second section configures how to enable and serve registry service. As per our big picture, we decided to use Træfik to handle the ssl certificate so the connection between 
træfik and gitlab is on port 80, that is what the nginx config part does. The result can be inspected by running:

# docker-compose exec heptapod cat /var/opt/gitlab/nginx/conf/gitlab-registry.conf

whose output is:

# This file is managed by gitlab-ctl. Manual changes will be erased! server {
  listen *:80;
  server_name registry.gitlab.thux.it;
  location / {     proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header X-Forwarded-Ssl on;
    proxy_pass          http://localhost:5000;


Up to now we have not yet configured Træfik that knows nothing about our docker services. It’s time to add one more section in our docker-compose file:

   traefik.enable: true
   traefik.http.routers.hg.rule: Host(`gitlab.thux.it`)
   traefik.http.routers.hg.entrypoints: web-secured
   traefik.http.routers.hg.tls.certresolver: leresolver
   traefik.http.routers.hg.tls: true
   traefik.http.routers.hg.service: hg    
   traefik.http.routers.registry.rule: Host(`registry.gitlab.thux.it`)
   traefik.http.routers.registry.entrypoints: web-secured
   traefik.http.routers.registry.service: registry
   traefik.http.routers.registry.tls.certresolver: leresolver
   traefik.http.routers.registry.tls: true    

   traefik.http.services.hg.loadbalancer.server.port: 80
   traefik.http.services.registry.loadbalancer.server.port: 80


Starting from the last 2 lines: docker informs Træfik that it offers 2 services on port 80 named hg and registry, these service names are used in the router definitions above. Each of the two blocks defines a router (named again hg and registry) with entry point port 443 (named web-secured in our Træfik docker-compose), how to get a certificate and which service should be attached to. Both services are handled by nginx that proxies them according to their domain name and we saw earlier an excerpt.

If we start this docker machine with command:

mkdir -p gitlab/config gitlab/logs gitlab/data
docker-compose pull
docker-compose up -d


… and wait enough (some minutes) for the services to be started we should see a page where the password for the root user is prompted (“Please create a password for your new account”). That is where we set it. Going to administration area we should see something similar to this:

Please note that Container registry appears enabled.

Should you fiddle around with gitlab-ctl, you should call it via exec. The proper way to invoke the help is:

   docker-compose exec heptapod gitlab-ctl help

Shared Runners

So far so good! Shared Runners are enabled but we have none yet. Shared Runners are a key part in continuous integrations. They are the servers that execute the jobs. Each of our projects has a configuration file named .gitlab-ci.yml that dictates which jobs will be run on each commit and under which conditions. We could decide to check code quality, to run tests or to produce the docker image… we can decide to run some jobs on each commit and an image build on each commit of the default branch. The configuration of .gitlab-ci.yml is outside the scope of this article but I’ll give a couple examples to generate docker images as it goes along with different Runner configurations.

Let’s start from the docker-compose configurations for our runner:

    image: octobus/heptapod-runner:0.3.0
    restart: always
      - web
      - /var/run/docker.sock:/var/run/docker.sock
      - ./gitlab-runner:/etc/gitlab-runner


Please note:

we will use job’s tags to select the correct runner for each job

Registering the runner

To register a runner we need to get the token from the administration area, following “GitLab runner” link and run:

# docker-compose exec heptapod-runner gitlab-runner register

The registration process will prompt us with some simple questions and the result will be written to the config.toml. You can add more runners specialized in different jobs. After adding 2 runners and a little bit of hand editing, this is the resulting configuration:

# cat gitlab-runner/config.toml
concurrent = 1
check_interval = 0

  session_timeout = 1800 [[runners]]
  name = "ThuxRunnerPriviledged"
  url = "https://hg.thux.dev/"
  token = "SecretToken"
  executor = "docker"
  environment = ["DOCKER_DRIVER=overlay2"]
    tls_verify = false
    image = "docker:19.03.12"
    privileged = true
    disable_entrypoint_overwrite = false
    oom_kill_disable = false
    disable_cache = false
    volumes = ["/certs/client", "/cache"]
    shm_size = 0 [[runners]]
  name = "Thux Runner Socket Binding"
  url = "https://hg.thux.dev/"
  token = "SecretToken"
  executor = "docker"
  environment = ["DOCKER_DRIVER=overlay2"]
    tls_verify = false
    image = "docker:19.03.12"
    privileged = false
    disable_entrypoint_overwrite = false
    oom_kill_disable = false
    disable_cache = false
    volumes = ["/var/run/docker.sock:/var/run/docker.sock", "/cache"]
    shm_size = 0


Please note:

A third option, that may be more secure, uses kaniko, a builder of docker images that doesn’t require root privileges. 

Working example

You can test with a simple project. Let’s start with a fake Python project. No code and random dependencies:

  echo “ipython\nrequests” > requirements.txt

The Dockerfile is very basic but uses BuildKit (a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner - note the syntax = part, it's not a comment) that in turns implies caching is working::

# syntax = docker/dockerfile:experimental
FROM python:3.8 as production-stage
COPY requirements.txt /requirements.txt RUN \
  mkdir /code/ \
  && pip install --no-cache-dir -r /requirements.txt COPY . /code/
WORKDIR /code/
USER ${APP_USER}:${APP_USER} CMD ["ipython"]


Let’s now move on to preparing a couple of .gitlab-ci.yml for different runners.

Example with dind

  image: docker
    - dind
    - name: "docker:19.03.12-dind"
      command: ["--experimental"]   variables:
    DOCKER_DRIVER: overlay2
    # Create the certificates inside this directory for both the server
    # and client. The certificates used by the client will be created in
    # /certs/client so we only need to share this directory with the
    # volume mount in `config.toml`.
    DOCKER_TLS_CERTDIR: "/certs"   script:
    - mkdir $HOME/.docker
    - "echo -e '{\n  \"experimental\": \"enabled\"\n}' | tee $HOME/.docker/config.json"
    - docker login -u gitlab-ci-token -p $CI_BUILD_TOKEN $CI_REGISTRY
    - docker build -t  $IMAGE_NAME .
    - docker push $IMAGE_NAME


Some remarks:

Inspect result

Add our .gitlab-ci.yml, commit and push. 
A little icon will appear in the project page indicating the state of the job, clicking on that icon will get you to a pipeline page where you can investigate what is going on. 

Example with bind-mount

  image: docker   variables:
    - mkdir $HOME/.docker
    - "echo -e '{\n  \"experimental\": \"enabled\"\n}' | tee $HOME/.docker/config.json"
    - docker login -u gitlab-ci-token -p $CI_BUILD_TOKEN $CI_REGISTRY
    - docker build -t  $IMAGE_NAME .
    - docker push $IMAGE_NAME


Some remarks:

This time let’s follow the icons:

to land in the terminal where we see the job execution logs

Final remarks

We want to thank the Octobus team for the effort done to add mercurial to Gitlab in this wonderful way. I found the team very helpful, a special mention goes to Georges Racinet. I would say it is not a minor detail to have good and prompt support. They’re also super reactive in the mercurial list and that makes it a perfect match. 
We started investigating Heptapod just to have a shared repo for our code and we landed in a much more up-to-date setup than we were used before.

You can download the ready-to-use configuration from the public area of our Heptapod site.


This article is written and curated by Alessandro Dentella


Vuoi approfondire l'argomento?