Merge lp:~roadmr/canonical-identity-provider/charm-fix-talisker-logfile-migration into lp:~ubuntuone-pqm-team/canonical-identity-provider/charm

LGTM, thanks! But check comment below.

Thanks for catching that! I've fixed it to "group" ownership.

Thanks Daniel for the fixes!

My understanding which might be completely wrong is following:

1. `sso_logs` and `logs_dir` playbook vars end up configuring Django's LOGGING in SSO's settings.py.

2. gunicorn (so talisker too) logs themselves (accesslog, errorlog) are configured using gunicorn's charm options https://bazaar.launchpad.net/~ubuntuone-hackers/charms/xenial/gunicorn/trunk/view/head:/config.yaml.

The values for `wsgi_access_logfile` and `wsgi_error_logfile` gunicorn charm options are set here: https://bazaar.launchpad.net/~ubuntuone-pqm-team/canonical-identity-provider/charm/view/head:/roles/wsgi-app/defaults/main.yaml it looks like.

But it would make sense if gunicorn logged to stderr and systemd took care of the logs. But given the above I'm not sure it's the case.

In any case it looks like we don't need to change anything here (gunicorn logging config) for the move to talisker itself. So that's good

3. The Django log file from (1) (the sso_log var) seems to be the subject of the migration tasks here. But I'm not sure it needs to be migrated at all (maybe the fix is to remove all these tasks?). This is still just the file django logging goes to. I might be also just completely missing the rationale for the migration.

I'll ask Simon to look at this. Seems like he was involved in adding these tasks and support for talisker to the playbook.

> Thanks Daniel for the fixes!
>
> My understanding which might be completely wrong is following:
>
> 1. `sso_logs` and `logs_dir` playbook vars end up configuring Django's LOGGING
> in SSO's settings.py.

So, I think we need to set LOGGING_CONFIG = None in settings.py, as per https://talisker.readthedocs.io/en/latest/django.html

That's the only thing that tries to write to files.

> 2. gunicorn (so talisker too) logs themselves (accesslog, errorlog) are
> configured using gunicorn's charm options https://bazaar.launchpad.net
> /~ubuntuone-hackers/charms/xenial/gunicorn/trunk/view/head:/config.yaml.

Yep, we want to disable these and use talisker's default of stderr

> The values for `wsgi_access_logfile` and `wsgi_error_logfile` gunicorn charm
> options are set here: https://bazaar.launchpad.net/~ubuntuone-pqm-team
> /canonical-identity-provider/charm/view/head:/roles/wsgi-
> app/defaults/main.yaml it looks like.
>
> But it would make sense if gunicorn logged to stderr and systemd took care of
> the logs. But given the above I'm not sure it's the case.
>
> In any case it looks like we don't need to change anything here (gunicorn
> logging config) for the move to talisker itself. So that's good

I think we want to disable access logs (talisker emits per-request logs that are much better than gunicorns access logs)

Error log should be unset, so it defaults to stderr.

> 3. The Django log file from (1) (the sso_log var) seems to be the subject of
> the migration tasks here. But I'm not sure it needs to be migrated at all
> (maybe the fix is to remove all these tasks?). This is still just the file
> django logging goes to. I might be also just completely missing the rationale
> for the migration.

So, the link was to keep access to the logs from the familiar location of /srv/sso/.../logs/sso.log.

>
> I'll ask Simon to look at this. Seems like he was involved in adding these
> tasks and support for talisker to the playbook.

Another wrinkle: this was written on trusty, where upstart defaults would mean that a service called 'gunicorn' would get it stdout/err written to /var/log/gunicorn.log

This doesn't happen with systemd, so we need charm work to add syslog config to do this. And the accompanying logrotation :(

More context and discoveries and next steps from a call with Simon today:

1. We can remove the migration tasks now since they were added with different constraints in place for the planned move to talisker in the past. Since for now, we're not really need to touch Django logging, we can let it log to the same file it does now.

2. We should be able to just switch to talisker.gunicorn right now:

2a. gunicorn access logs configured to log to a file (via wsgi_access_logfile) should be still logged there in the same format.

2b. gunicorn's errorlog (wsgi_error_logfile) will be ignored by talisker. It will warn about this and will log all talisker/gunicorn logs to stderr (these include access logs in talisker's format).

2c. The above stderr logs will be retained by journald setup (but possibly not permanently) and next steps should be ideally to sort this out and move to relying on these talisker logs that should contain everything we need (and disable django logging https://talisker.readthedocs.io/en/latest/django.html#logging)

Alternative MP that removes these tasks: https://code.launchpad.net/~suligap/canonical-identity-provider/charm-drop-logfile-migration-tasks/+merge/384723

Rejecting per the above, deleted code is the best code :)