Enhance health check robustness and observability

[ArangoGutierrez]

Enhance health check robustness and observability

This PR improves the device health check system with the following changes:

Changes

1. Extract nvmlHealthProvider struct - Modularize health monitoring logic for better
   testability and separation of concerns

2. Add buffered health channel - Prevent health check goroutine from blocking when
   ListAndWatch is slow to consume events. Uses a 64-entry buffer with non-blocking send
   and fallback error logging

3. Add device state tracking - Track LastUnhealthyTime and UnhealthyReason on
   Device struct for better observability

4. Add withDevicePlacements wrapper - Enable unit testing of device placement logic
   independently of the full resource manager

5. Add TestCheckHealth test - Unit test for health check flow using dgxa100 mock

6. Add healthCheckStats - Track events processed, devices marked unhealthy, errors,
   and XID distribution for operational visibility

Commits

• refactor: extract nvmlHealthProvider for modular health monitoring
• feat: add buffered health channel and device state tracking
• refactor: add withDevicePlacements wrapper and TestCheckHealth test
• fix: improve test type assertion and buffer size documentation

Testing

• All existing tests pass
• New TestCheckHealth test validates health check event processing
• Verified with golangci-lint, go vet, and go build

Related

• Aligned with patterns from WIP: Refactor health checks #1538

[elezar]

I don't agree with this mechanism for transitioning the device back to healthy. This is an oversimplification and will lead to unhealthy devices being considered healthy.

For example, if a device becomes unhealth due to repteated ECC memory errors, it is LIKELY that query functions such as the device name will continue to succeed and result in the device being marked as healthy when it needs a RESET.

Before we add this logic to the device plugin let us properly define and agree upon how we are detecting health.

Futhermore, although the XID-based health checking is something that is a means to an end, our ideal state is that some other component decides whether a device is health and the device plugin responds to these signals. Defining the unhealthy -> healthy transition here goes against this premise.

[ArangoGutierrez]

I've removed the healthy transition logic from this PR.

The current implementation:

• Only transitions devices from healthy → unhealthy (never the reverse)
• Devices stay unhealthy until the pod/node is restarted
• Tracks LastUnhealthyTime and UnhealthyReason for observability only

I agree that:

1. Automatic healthy transitions based on query success is an oversimplification
2. The ideal state is an external component (like DCGM or node-health-checker) deciding health
3. This PR should focus on robust unhealthy detection, not recovery

The MarkUnhealthy() method added here is one-way by design.
Any future healthy transitions should be driven by external signals as you suggest.

[elezar]

As a matter of interest, what is Phase2? (Were these tests generated?)

[ArangoGutierrez]

Yes it was generated, now removed

[elezar]

Question: Why is the refactoring done AFTER the functional changes in this PR?

[elezar]

How is this actually different from the changes proposed in a6a9f18?

[elezar]

Why do we even send the event in the case of a timeout?

[elezar]

This seems like the wrong way to try and ensure that the context has not been closed before sending to the event channel. What are we concerned about here? Is there a better way to ensure that this go routine terminates on the context being cancelled and doesn't block permenantly on the send?

[elezar]

The commit message mentions adding tests, but I only see code being removed here.

[Copilot]

Pull request overview

This PR enhances the GPU health check system to improve robustness, observability, and graceful shutdown capabilities. The changes address production stability issues by implementing context-based shutdown coordination, non-blocking device reporting, granular error handling, and health check statistics tracking.

Changes:

• Refactored health check system with structured error handling and observability
• Added device health state tracking with timestamps and reasons
• Implemented non-blocking unhealthy device reporting with buffered channel
• Added comprehensive mock NVML infrastructure for testing

Reviewed changes

Copilot reviewed 6 out of 19 changed files in this pull request and generated 6 comments.

Show a summary per file

File	Description
internal/rm/health.go	Major refactoring: added stats tracking, context-based shutdown, structured health provider, and non-blocking device reporting
internal/rm/devices.go	Added health tracking fields (LastUnhealthyTime, UnhealthyReason) and helper methods
internal/plugin/server.go	Increased health channel buffer size to 64 to handle event bursts
internal/rm/health_test.go	Added test for checkHealth with mock NVML infrastructure
vendor/*	Added NVML mock packages for testing (generated code)

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 8 out of 21 changed files in this pull request and generated 2 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The test creates an nvmlResourceManager without initializing the config field, but line 414 in health.go accesses *r.config.Flags.FailOnInitError. This will cause a nil pointer dereference when the test runs. Initialize the config field with appropriate test values.

[Copilot]

The constant nvmlInvalidInstanceID (0xFFFFFFFF) replaces the magic number used in the original code, but this value appears to be hardcoded in multiple places. Consider documenting why this specific value is used (is it from NVML specification?) or verifying if NVML provides a constant for this sentinel value.

Suggested change

	// Compute instance IDs. Used as a sentinel value for non-MIG devices.
	// Compute instance IDs. Used as a sentinel value for non-MIG devices.
	// The value 0xFFFFFFFF matches the "invalid instance ID" sentinel defined
	// by the NVML C API. The Go bindings do not currently expose a dedicated
	// constant for this, so we centralize the literal here for clarity.

[Copilot]

Pull request overview

Copilot reviewed 8 out of 21 changed files in this pull request and generated 3 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The hardcoded magic number 10 for the eventChan buffer size should be documented with a comment explaining the rationale, similar to how healthChannelBufferSize is documented in server.go.

Suggested change

	// Event receive channel with buffer
	// Event receive channel with buffer.
	// Buffer size 10 is chosen to absorb short bursts of NVML events without
	// blocking the eventSet.Wait goroutine, while keeping memory usage
	// negligible for typical workloads.

[Copilot]

In the sendUnhealthyDevice function's timeout case, calling d.MarkUnhealthy("channel-timeout") may cause confusion because this overwrites the original unhealthy reason (e.g., "XID-79") with "channel-timeout". The device was already marked unhealthy at line 303 with the actual XID reason, and this timeout scenario only represents a communication failure, not a new device failure. Consider either skipping the MarkUnhealthy call in the timeout case, or logging the original reason.

Suggested change

	// Timeout - ListAndWatch is likely stalled
	klog.Errorf("Timeout after %v sending device %s to unhealthy channel. "+
	"ListAndWatch may be stalled. Device state updated directly but "+
	"kubelet may not be notified.", unhealthySendTimeout, d.ID)
	// Mark unhealthy directly as last resort - kubelet won't see this
	// until ListAndWatch resumes, but at least internal state is correct
	d.MarkUnhealthy("channel-timeout")
	// Timeout - ListAndWatch is likely stalled; device has already been
	// marked unhealthy with the original reason, so avoid overwriting it
	// here. We only log the communication failure.
	klog.Errorf("Timeout after %v sending device %s to unhealthy channel. "+
	"ListAndWatch may be stalled. Device state may not be visible to "+
	"kubelet until ListAndWatch resumes.", unhealthySendTimeout, d.ID)

[Copilot]

The context parameter name "_" should be given a meaningful name (e.g., "ctx") as this is a public interface. Underscore-prefixed parameter names typically indicate intentionally unused parameters, but here the parameter is part of the interface contract and represents a deliberate API change to support context-based cancellation.

Suggested change

	func (r *tegraResourceManager) CheckHealth(_ context.Context, _ <-chan interface{}, _ chan<- *Device) error {
	func (r *tegraResourceManager) CheckHealth(ctx context.Context, _ <-chan interface{}, _ chan<- *Device) error {

[Copilot]

Pull request overview

Copilot reviewed 8 out of 21 changed files in this pull request and generated 1 comment.

Comments suppressed due to low confidence (1)

internal/rm/health.go:1

• Race condition in UnhealthyDuration: The Health field is read without holding healthMu lock, but it's written in MarkUnhealthy under lock. This creates a data race. Move the Health check inside the locked section in UnhealthyDuration method.

/*

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Potential deadlock or test hang: The unhealthy channel is closed after checkHealth returns, but if checkHealth is still trying to send to the channel when the collector goroutine exits and closes the channel, this could cause a panic (send on closed channel). The test should ensure checkHealth has fully exited before closing the channel.