Add liveness probe to kubelet-plugin

[guptaNswati]

Backport liveness probe from example-dra-driver. Code taken from kubernetes-sigs/dra-example-driver#104

[copy-pr-bot]

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

[copy-pr-bot]

/ok to test

@guptaNswati, there was an error processing your request: E1

See the following link for more information: https://docs.gha-runners.nvidia.com/cpr/e/1/

[copy-pr-bot]

/ok to test e6ab222

@guptaNswati, there was an error processing your request: E2

See the following link for more information: https://docs.gha-runners.nvidia.com/cpr/e/2/

[guptaNswati]

/ok to test 569c69a

[guptaNswati]

Quick test:

$ describe pod
Restart Count:  0
    Liveness:       grpc <pod>:51518 liveness delay=0s timeout=1s period=10s #success=1 #failure=3
  
$ exec pod
[root@nvidia-dra-driver-gpu-kubelet-plugin-d7h5r /]# grpc_health_probe -addr=:51518
status: SERVING

ToDo: simulate a failure test

[guptaNswati]

cc @nojnhuh

[guptaNswati]

Just looked at this kubernetes-sigs/dra-example-driver#113

make kubelet path configurable:

• Expose kubelet plugin socket path(s) as configuration parameter(s) #339
• Make kubelet plugin dirs configurable kubernetes-sigs/dra-example-driver#98

[klueska]

Let's first backport this so that the diff for the changes in the PR are even more minimal:
kubernetes-sigs/dra-example-driver#98

[klueska]

That last commit should be its own PR linked to the issue describing it as well as the equivalent PR in the example driver repo.

[guptaNswati]

That last commit should be its own PR linked to the issue describing it as well as the equivalent PR in the example driver repo.

Oh.. To keep parity with the example-driver? Or this will make it easier to review?

Updated: #464

[jgehrcke]

IIUC, this is the directory that the kubelet monitors for unix domain sockets (files) placed by plugins.

So, we should change the text to something like

"Absolute path to the directory that the kubelet monitors for unix domain sockets for plugin registration".

[jgehrcke]

(the kubelet does not store plugin registrations there, that I believe is a wrong concept)

[jgehrcke]

What can we say about this port number, and it potentially ever being in conflict with something else?

The kubelet plugin does not use hostNetworking: true -- in that sense, it probably has all ports to itself. Is that right (I am speculating here, one of us should understand this deeply! :)).

If there is no conflict, ever, we can pick a different number. One that looks less magic.

[guptaNswati]

Honestly, i dint think much about it. Based on some reading... There are 65k+ ports available and this number is so arbitrary that its rare to conflict with usual port numbers like 5000s or 8080s (standard health and monitoring ports). And like you said, without shared host network, each pod has unlimited (more than 65k) ports where i cannot imagine them being able to consume all or this specific one.

upstream sets it to: healthcheckPort: 51515.. when i dint know, deviation from upstream is not wanted :)

[klueska]

Why not just leave it as 51515 and then make the other one 51516 to keep the diffs as small as possible?

[jgehrcke]

Hm. When instantiating a TCP listener, a literal 0 will lead to a system-provided port -- yes.

Here, we specify where to connect to (if I am not mistaken), so specifying zero probably never makes quite sense. Happy to learn where I am off!

[guptaNswati]

Port to start a gRPC healthcheck service. When positive, a literal port number. When zero, a random port is allocated. When negative, the healthcheck service is disabled

Thats how you can configure them in helm. this is the default 51515

[klueska]

The code below has this check:

{{- if (gt (int .Values.kubeletPlugin.containers.plugin.healthcheckPort) 0) }}

So if one was to specify 0 in the values.yaml file, then the section to specify the port below will be omitted.
Essentially not running a liveness probe at all.

A better implementation would probably have been to put some code in validation.yaml to error out if healthcheckPort == 0 rather than silently omitting the liveness probe altogether.

Let's leave that for a follow-up so that this code continues to follow the original PR from the example driver as closely as possible.

[jgehrcke]

a random port

It's not quite random. The operating system yields the next free one.

(for your/our understanding, I don't ask to change the wording -- if you want to change the wording however, please go ahead :)).

[guptaNswati]

you don't always know without looking whats the next port available so for a general user, it is random :-D

[klueska]

I think the technically correct word here would be "arbitrary", not "random", but that's a bit pedantic. We can revisit this as a follow-up since this is an exact copy of the original PR and I'd like to keep the diffs as small as possible to ensure correctness.

[jgehrcke]

What is this after all doing? And what is this signaling when it succeeds?
CC @klueska

[guptaNswati]

without digging in the code too much, my understanding is that here we basically care about the error. whether a call to NodePrepareResources() is successful or not. A nil error would mean drivers are ready, nodes are ready and everything is an expected state.

[klueska]

This is consistent with the code in the original PR. If we want to follow-up later we can, but I think this is OK for now.

[jgehrcke]

I believe that maybe we don't need to log this every time this succeeds -- I understand that this is what we did upstream, and maybe we want to keep changes minimal. But still, curious about your opinion.

[klueska]

This is a log level v6, so I think it's fine.

[klueska]

We should make sure are track this as part of this PR as well:
kubernetes-sigs/dra-example-driver#107

[guptaNswati]

We should make sure are track this as part of this PR as well: kubernetes-sigs/dra-example-driver#107

yup, already linked as a follow-up #453 (comment)

[klueska]

This is not needed

[klueska]

This is not needed

[klueska]

The code below has this check:

{{- if (gt (int .Values.kubeletPlugin.containers.plugin.healthcheckPort) 0) }}

So if one was to specify 0 in the values.yaml file, then the section to specify the port below will be omitted.
Essentially not running a liveness probe at all.

A better implementation would probably have been to put some code in validation.yaml to error out if healthcheckPort == 0 rather than silently omitting the liveness probe altogether.

Let's leave that for a follow-up so that this code continues to follow the original PR from the example driver as closely as possible.

[klueska]

Why not just leave it as 51515 and then make the other one 51516 to keep the diffs as small as possible?

[guptaNswati]

Another quick test after all the changes.

$ kubectl logs nvidia-dra-driver-gpu-kubelet-plugin-jwr4m   -n nvidia-dra-driver-gpu -c compute-domains | grep sock
I0821 23:52:18.869366       1 nonblockinggrpcserver.go:90] "GRPC server started" logger="dra" endpoint="/var/lib/kubelet/plugins/compute-domain.nvidia.com/dra.sock"
I0821 23:52:18.869468       1 nonblockinggrpcserver.go:90] "GRPC server started" logger="registrar" endpoint="/var/lib/kubelet/plugins_registry/compute-domain.nvidia.com-reg.sock"
I0821 23:52:19.138501       1 nonblockinggrpcserver.go:161] "handling request succeeded" logger="registrar" requestID=1 method="/pluginregistration.Registration/GetInfo" response="type:\"DRAPlugin\" name:\"compute-domain.nvidia.com\" endpoint:\"/var/lib/kubelet/plugins/compute-domain.nvidia.com/dra.sock\" supported_versions:\"v1.DRAPlugin\" supported_versions:\"v1beta1.DRAPlugin\""

$ grpcurl -plaintext   -import-path /tmp   -proto /tmp/kubelet_pluginregistration.proto   unix:///var/lib/kubelet/plugins_registry/gpu.nvidia.com-reg.sock   pluginregistration.Registration/GetInfo
{
  "type": "DRAPlugin",
  "name": "gpu.nvidia.com",
  "endpoint": "/var/lib/kubelet/plugins/gpu.nvidia.com/dra.sock",
  "supportedVersions": [
    "v1.DRAPlugin",
    "v1beta1.DRAPlugin"
  ]
}

[klueska]

I think this is fine for now. It is a minimal diff to the original PR with the only real changes in logging code. We should do a larger refactor / update to our logging strategy to fix these inconsistencies.

[klueska]

With this PR merged I am not able to install the helm chart out of the box:

$ helm install nvidia-dra-driver-gpu deployments/helm/nvidia-dra-driver-gpu   --create-namespace  
 --namespace nvidia-dra-driver-gpu   --set nvidiaDriverRoot=/run/nvidia/driver   --set gpuResourcesEnabledOverride=true   --set controller.containers.computeDomain.env[0].name=ADDITIONAL_NAMESPACES   --set controller.containers.computeDomain.env[0].value=gpu-operator  --set webhook.replicas=2 --set webhook.enabled=true
Error: INSTALLATION FAILED: template: nvidia-dra-driver-gpu/templates/kubeletplugin.yaml:110:31: executing "nvidia-dra-driver-gpu/templates/kubeletplugin.yaml" at <.Values.kubeletPlugin.containers.plugin.healthcheckPort>: nil pointer evaluating interface {}.healthcheckPort