From b94c92153140c35a8bb37091946a5c84ffbaf251 Mon Sep 17 00:00:00 2001
From: Tom Nabarro <thomas.nabarro@hpe.com>
Date: Thu, 17 Apr 2025 10:23:38 +0100
Subject: [PATCH 01/45] DAOS-17427 control: Restart evicted rank after suicide

Signed-off-by: Tom Nabarro <thomas.nabarro@hpe.com>
---
 src/control/events/ras.go          |  1 +
 src/control/server/server_utils.go |  4 ++++
 src/engine/init.c                  | 13 ++++++++++---
 src/include/daos_srv/ras.h         |  3 ++-
 4 files changed, 17 insertions(+), 4 deletions(-)

diff --git a/src/control/events/ras.go b/src/control/events/ras.go
index 902a8559e58..b3fd0ebcfbe 100644
--- a/src/control/events/ras.go
+++ b/src/control/events/ras.go
@@ -59,6 +59,7 @@ const (
 	RASNVMeLinkSpeedChanged    RASID = C.RAS_DEVICE_LINK_SPEED_CHANGED  // warning|notice
 	RASNVMeLinkWidthChanged    RASID = C.RAS_DEVICE_LINK_WIDTH_CHANGED  // warning|notice
 	RASDeviceLEDSet            RASID = C.RAS_DEVICE_LED_SET             // info
+	RASEngineEvictSuicide      RASID = C.RAS_ENGINE_EVICT_SUICIDE       // notice
 )
 
 func (id RASID) String() string {
diff --git a/src/control/server/server_utils.go b/src/control/server/server_utils.go
index b9b57481f50..2188a3d09cd 100644
--- a/src/control/server/server_utils.go
+++ b/src/control/server/server_utils.go
@@ -777,6 +777,8 @@ func registerFollowerSubscriptions(srv *server) {
 	srv.pubSub.Reset()
 	srv.pubSub.Subscribe(events.RASTypeAny, srv.evtLogger)
 	srv.pubSub.Subscribe(events.RASTypeStateChange, srv.evtForwarder)
+	// TODO 17427: Register subscriber for RASEngineEvictSuicide RasTypeInfo to handle local
+	//             event and restart suicided rank.
 }
 
 func isSysSelfHealExcludeSet(svc *mgmtSvc) (bool, error) {
@@ -854,6 +856,8 @@ func registerLeaderSubscriptions(srv *server) {
 				handleRankDead(ctx, srv, evt)
 			}
 		}))
+	// TODO 17427: Register subscriber for RASEngineEvictSuicide RasTypeInfo to handle local
+	//             event and restart suicided rank.
 
 	// Add a debounce to throttle multiple SWIM Rank Dead events for the same rank/incarnation.
 	srv.pubSub.Debounce(events.RASSwimRankDead, 0, func(ev *events.RASEvent) string {
diff --git a/src/engine/init.c b/src/engine/init.c
index 0072b87be33..a4a6bf2e7a0 100644
--- a/src/engine/init.c
+++ b/src/engine/init.c
@@ -597,11 +597,18 @@ dss_crt_event_cb(d_rank_t rank, uint64_t incarnation, enum crt_event_source src,
 		if (rank == dss_self_rank()) {
 			D_WARN("raising SIGKILL: exclusion of this engine (rank %u) detected\n",
 			       self_rank);
+
 			/*
-			 * For now, we just raise a SIGKILL to ourselves; we could
-			 * inform daos_server, who would initiate a termination and
-			 * decide whether to restart us.
+			 * Send RAS event to inform local server of intentional suicide before
+			 * raisin a SIGKILL to ourselves. Local daos_server can then decide
+			 * whether to restart rank.
 			 */
+			ds_notify_ras_eventf(RAS_ENGINE_EVICT_SUICIDE, RAS_TYPE_INFO,
+				RAS_SEV_NOTICE, NULL /* hwid */, NULL /* rank */, NULL /* inc */,
+				NULL /* jobid */, NULL /* pool */, NULL /* cont */,
+				NULL /* objid */, NULL /* ctlop */, NULL /* data */,
+				"evicted engine suicide detected");
+
 			rc = kill(getpid(), SIGKILL);
 			if (rc != 0)
 				D_ERROR("failed to raise SIGKILL: %d\n", errno);
diff --git a/src/include/daos_srv/ras.h b/src/include/daos_srv/ras.h
index 8fcf4ae8013..cc5d9eb8f42 100644
--- a/src/include/daos_srv/ras.h
+++ b/src/include/daos_srv/ras.h
@@ -66,7 +66,8 @@
 	X(RAS_ENGINE_JOIN_FAILED, "engine_join_failed")                                            \
 	X(RAS_DEVICE_LINK_SPEED_CHANGED, "device_link_speed_changed")                              \
 	X(RAS_DEVICE_LINK_WIDTH_CHANGED, "device_link_width_changed")                              \
-	X(RAS_DEVICE_LED_SET, "device_led_set")
+	X(RAS_DEVICE_LED_SET, "device_led_set")                                                    \
+	X(RAS_ENGINE_EVICT_SUICIDE, "engine_evict_suicide")
 
 /** Define RAS event enum */
 typedef enum {

From af7f05698eb094e6a17d09ae72df20382760881b Mon Sep 17 00:00:00 2001
From: Tom Nabarro <thomas.nabarro@hpe.com>
Date: Thu, 19 Mar 2026 01:17:27 +0000
Subject: [PATCH 02/45] implement suicide event handlers

Features: control
Signed-off-by: Tom Nabarro <thomas.nabarro@hpe.com>
---
 src/control/events/ras.go          |  2 +-
 src/control/server/server_utils.go | 62 ++++++++++++++++++++++++++++--
 src/engine/drpc_ras.c              | 12 ++++++
 src/engine/init.c                  | 15 +++-----
 src/include/daos_srv/ras.h         | 15 +++++++-
 5 files changed, 90 insertions(+), 16 deletions(-)

diff --git a/src/control/events/ras.go b/src/control/events/ras.go
index b3fd0ebcfbe..8b925183dfa 100644
--- a/src/control/events/ras.go
+++ b/src/control/events/ras.go
@@ -49,6 +49,7 @@ const (
 	RASUnknownEvent            RASID = C.RAS_UNKNOWN_EVENT
 	RASEngineFormatRequired    RASID = C.RAS_ENGINE_FORMAT_REQUIRED     // notice
 	RASEngineDied              RASID = C.RAS_ENGINE_DIED                // error
+	RASEngineSuicide           RASID = C.RAS_ENGINE_SUICIDE             // notice
 	RASPoolRepsUpdate          RASID = C.RAS_POOL_REPS_UPDATE           // info
 	RASSwimRankAlive           RASID = C.RAS_SWIM_RANK_ALIVE            // info
 	RASSwimRankDead            RASID = C.RAS_SWIM_RANK_DEAD             // info
@@ -59,7 +60,6 @@ const (
 	RASNVMeLinkSpeedChanged    RASID = C.RAS_DEVICE_LINK_SPEED_CHANGED  // warning|notice
 	RASNVMeLinkWidthChanged    RASID = C.RAS_DEVICE_LINK_WIDTH_CHANGED  // warning|notice
 	RASDeviceLEDSet            RASID = C.RAS_DEVICE_LED_SET             // info
-	RASEngineEvictSuicide      RASID = C.RAS_ENGINE_EVICT_SUICIDE       // notice
 )
 
 func (id RASID) String() string {
diff --git a/src/control/server/server_utils.go b/src/control/server/server_utils.go
index 2188a3d09cd..ccc8b405cdd 100644
--- a/src/control/server/server_utils.go
+++ b/src/control/server/server_utils.go
@@ -769,6 +769,46 @@ func registerTelemetryCallbacks(ctx context.Context, srv *server) {
 	})
 }
 
+// Handle local engine suicide and restart engine to rejoin system.
+func handleEngineSuicide(ctx context.Context, srv *server, evt *events.RASEvent) error {
+
+	srv.log.Infof("handling suicide")
+
+	ts, err := evt.GetTimestamp()
+	if err != nil {
+		return errors.Wrapf(err, "bad event timestamp %q", evt.Timestamp)
+	}
+
+	// Find the engine instance by rank
+	instances, err := srv.harness.FilterInstancesByRankSet(fmt.Sprintf("%d", evt.Rank))
+	if err != nil {
+		return errors.Wrapf(err, "failed to find instance for rank %d", evt.Rank)
+	}
+
+	if len(instances) == 0 {
+		return errors.Errorf("no instance found for rank %d", evt.Rank)
+	}
+	if len(instances) > 1 {
+		return errors.Errorf("multiple instances found for rank %d", evt.Rank)
+	}
+	engine := instances[0]
+
+	srv.log.Infof("%s was notified @ %s of rank %d:%x (instance %d) suicide", ts, evt.Hostname,
+		evt.Rank, evt.Incarnation, engine.Index())
+
+	// Wait until engine is stopped.
+	pollFn := func(e Engine) bool { return !e.IsStarted() }
+	if err := pollInstanceState(ctx, instances, pollFn); err != nil {
+		return errors.Errorf("rank %d (instance %d) did not stop", evt.Rank, engine.Index())
+	}
+
+	// TODO: Check if rank should be restarted?
+
+	engine.requestStart(ctx)
+
+	return nil
+}
+
 // registerFollowerSubscriptions stops handling received forwarded (in addition
 // to local) events and starts forwarding events to the new MS leader.
 // Log events on the host that they were raised (and first published) on.
@@ -777,8 +817,15 @@ func registerFollowerSubscriptions(srv *server) {
 	srv.pubSub.Reset()
 	srv.pubSub.Subscribe(events.RASTypeAny, srv.evtLogger)
 	srv.pubSub.Subscribe(events.RASTypeStateChange, srv.evtForwarder)
-	// TODO 17427: Register subscriber for RASEngineEvictSuicide RasTypeInfo to handle local
-	//             event and restart suicided rank.
+	srv.pubSub.Subscribe(events.RASTypeInfoOnly,
+		events.HandlerFunc(func(ctx context.Context, evt *events.RASEvent) {
+			switch evt.ID {
+			case events.RASEngineSuicide:
+				if err := handleEngineSuicide(ctx, srv, evt); err != nil {
+					srv.log.Errorf("handleEngineSuicide: %s", err)
+				}
+			}
+		}))
 }
 
 func isSysSelfHealExcludeSet(svc *mgmtSvc) (bool, error) {
@@ -856,8 +903,15 @@ func registerLeaderSubscriptions(srv *server) {
 				handleRankDead(ctx, srv, evt)
 			}
 		}))
-	// TODO 17427: Register subscriber for RASEngineEvictSuicide RasTypeInfo to handle local
-	//             event and restart suicided rank.
+	srv.pubSub.Subscribe(events.RASTypeInfoOnly,
+		events.HandlerFunc(func(ctx context.Context, evt *events.RASEvent) {
+			switch evt.ID {
+			case events.RASEngineSuicide:
+				if err := handleEngineSuicide(ctx, srv, evt); err != nil {
+					srv.log.Errorf("handleEngineSuicide: %s", err)
+				}
+			}
+		}))
 
 	// Add a debounce to throttle multiple SWIM Rank Dead events for the same rank/incarnation.
 	srv.pubSub.Debounce(events.RASSwimRankDead, 0, func(ev *events.RASEvent) string {
diff --git a/src/engine/drpc_ras.c b/src/engine/drpc_ras.c
index 2361cd6acff..d1b62fdbb60 100644
--- a/src/engine/drpc_ras.c
+++ b/src/engine/drpc_ras.c
@@ -1,5 +1,6 @@
 /*
  * (C) Copyright 2021-2023 Intel Corporation.
+ * (C) Copyright 2026 Hewlett Packard Enterprise Development LP
  *
  * SPDX-License-Identifier: BSD-2-Clause-Patent
  */
@@ -367,6 +368,17 @@ ds_notify_swim_rank_dead(d_rank_t rank, uint64_t incarnation)
 			 NULL /* ctlop */, &evt, false /* wait_for_resp */);
 }
 
+int
+ds_notify_rank_suicide(d_rank_t rank, uint64_t incarnation)
+{
+	Shared__RASEvent evt = SHARED__RASEVENT__INIT;
+
+	return raise_ras(RAS_ENGINE_SUICIDE, "excluded rank suicide detected", RAS_TYPE_INFO,
+			 RAS_SEV_NOTICE, NULL /* hwid */, &rank /* rank */, &incarnation /* inc */,
+			 NULL /* jobid */, NULL /* pool */, NULL /* cont */, NULL /* objid */,
+			 NULL /* ctlop */, &evt, false /* wait_for_resp */);
+}
+
 void
 ds_chk_free_pool_list(struct chk_list_pool *clp, uint32_t nr)
 {
diff --git a/src/engine/init.c b/src/engine/init.c
index a4a6bf2e7a0..887a49613c6 100644
--- a/src/engine/init.c
+++ b/src/engine/init.c
@@ -598,23 +598,20 @@ dss_crt_event_cb(d_rank_t rank, uint64_t incarnation, enum crt_event_source src,
 			D_WARN("raising SIGKILL: exclusion of this engine (rank %u) detected\n",
 			       self_rank);
 
-			/*
+			/**
 			 * Send RAS event to inform local server of intentional suicide before
-			 * raisin a SIGKILL to ourselves. Local daos_server can then decide
+			 * raising a SIGKILL to ourselves. Local daos_server can then decide
 			 * whether to restart rank.
 			 */
-			ds_notify_ras_eventf(RAS_ENGINE_EVICT_SUICIDE, RAS_TYPE_INFO,
-				RAS_SEV_NOTICE, NULL /* hwid */, NULL /* rank */, NULL /* inc */,
-				NULL /* jobid */, NULL /* pool */, NULL /* cont */,
-				NULL /* objid */, NULL /* ctlop */, NULL /* data */,
-				"evicted engine suicide detected");
+			rc = ds_notify_rank_suicide(rank, incarnation);
+			if (rc)
+				D_ERROR("failed to handle %u/%u event: " DF_RC "\n", src, type,
+					DP_RC(rc));
 
 			rc = kill(getpid(), SIGKILL);
 			if (rc != 0)
 				D_ERROR("failed to raise SIGKILL: %d\n", errno);
-			return;
 		}
-
 	}
 }
 
diff --git a/src/include/daos_srv/ras.h b/src/include/daos_srv/ras.h
index cc5d9eb8f42..1ae83c75151 100644
--- a/src/include/daos_srv/ras.h
+++ b/src/include/daos_srv/ras.h
@@ -43,6 +43,7 @@
 	X(RAS_ENGINE_DIED, "engine_died")                                                          \
 	X(RAS_ENGINE_ASSERTED, "engine_asserted")                                                  \
 	X(RAS_ENGINE_CLOCK_DRIFT, "engine_clock_drift")                                            \
+	X(RAS_ENGINE_SUICIDE, "engine_suicide")                                                    \
 	X(RAS_POOL_CORRUPTION_DETECTED, "pool_corruption_detected")                                \
 	X(RAS_POOL_REBUILD_START, "pool_rebuild_started")                                          \
 	X(RAS_POOL_REBUILD_END, "pool_rebuild_finished")                                           \
@@ -66,8 +67,7 @@
 	X(RAS_ENGINE_JOIN_FAILED, "engine_join_failed")                                            \
 	X(RAS_DEVICE_LINK_SPEED_CHANGED, "device_link_speed_changed")                              \
 	X(RAS_DEVICE_LINK_WIDTH_CHANGED, "device_link_width_changed")                              \
-	X(RAS_DEVICE_LED_SET, "device_led_set")                                                    \
-	X(RAS_ENGINE_EVICT_SUICIDE, "engine_evict_suicide")
+	X(RAS_DEVICE_LED_SET, "device_led_set")
 
 /** Define RAS event enum */
 typedef enum {
@@ -239,6 +239,17 @@ ds_notify_pool_svc_update(uuid_t *pool, d_rank_list_t *svcl, uint64_t version);
 int
 ds_notify_swim_rank_dead(d_rank_t rank, uint64_t incarnation);
 
+/**
+ * Notify control plane that an excluded engine has committed suicide.
+ *
+ * \param[in] rank		Rank that committed suicide.
+ * \param[in] incarnation	Incarnation of rank that committed suicide.
+ *
+ * \retval		Zero on success, non-zero otherwise.
+ */
+int
+ds_notify_rank_suicide(d_rank_t rank, uint64_t incarnation);
+
 /**
  * List all the known pools from control plane (MS).
  *

From 4ce711f1928880982ab2aa1304e5fbc43866a60b Mon Sep 17 00:00:00 2001
From: Tom Nabarro <thomas.nabarro@hpe.com>
Date: Thu, 19 Mar 2026 16:36:25 +0000
Subject: [PATCH 03/45] add unit testing and documentation

Signed-off-by: Tom Nabarro <thomas.nabarro@hpe.com>
---
 docs/admin/administration.md            |   1 +
 docs/overview/fault.md                  |  25 ++
 src/control/events/README.md            |  17 +
 src/control/server/server_utils_test.go | 449 ++++++++++++++++++++++++
 4 files changed, 492 insertions(+)

diff --git a/docs/admin/administration.md b/docs/admin/administration.md
index ca61456d7be..f72e0ae761d 100644
--- a/docs/admin/administration.md
+++ b/docs/admin/administration.md
@@ -55,6 +55,7 @@ severity, message, description, and cause.
 | engine\_died| STATE\_CHANGE| ERROR| DAOS engine <idx\> exited exited unexpectedly: <error\> | Indicates engine instance <idx\> unexpectedly. <error> describes the exit state returned from exited daos\_engine process.| N/A                          |
 | engine\_asserted| STATE\_CHANGE| ERROR| TBD| Indicates engine instance <idx\> threw a runtime assertion, causing a crash. | An unexpected internal state resulted in assert failure. |
 | engine\_clock\_drift| INFO\_ONLY   | ERROR| clock drift detected| Indicates CART comms layer has detected clock skew between engines.| NTP may not be syncing clocks across DAOS system.      |
+| engine\_suicide| INFO\_ONLY| NOTICE| excluded rank suicide detected| Indicates that a DAOS engine rank has performed a self-exclusion (suicide) due to detecting an unrecoverable condition. The rank is automatically restarted by the control plane. | An engine detected an internal condition requiring restart (e.g., unresponsive state, critical error). The control plane monitors for this event and automatically restarts the affected rank. |
 | engine\_join\_failed| INFO\_ONLY| ERROR | DAOS engine <idx\> (rank <rank\>) was not allowed to join the system | Join operation failed for the given engine instance ID and rank (if assigned). | Reason should be provided in the extended info field of the event data. |
 | pool\_corruption\_detected| INFO\_ONLY| ERROR | Data corruption detected| Indicates a corruption in pool data has been detected. The event fields will contain pool and container UUIDs. | A corruption was found by the checksum scrubber. |
 | pool\_destroy\_deferred| INFO\_ONLY| WARNING | pool:<uuid\> destroy is deferred| Indicates a destroy operation has been deferre. | Pool destroy in progress but not complete. |
diff --git a/docs/overview/fault.md b/docs/overview/fault.md
index 49d7e400e1b..95ce0d978c8 100644
--- a/docs/overview/fault.md
+++ b/docs/overview/fault.md
@@ -84,3 +84,28 @@ can now read from the rebuilt object shards.
 
 This rebuild process is executed online while applications continue accessing
 and updating objects.
+
+### Engine Self-Exclusion and Automatic Restart
+
+In some cases, a DAOS engine may detect an internal unrecoverable condition
+that prevents it from operating correctly. When this occurs, the engine can
+perform a self-exclusion (referred to as "suicide") to protect data integrity
+and system stability.
+
+When an engine commits suicide, it raises a `engine_suicide` RAS event
+(INFO_ONLY, NOTICE severity) containing the rank and incarnation information.
+The control plane automatically handles this event by:
+
+1. Detecting the suicide event through the RAS event system
+2. Identifying the engine instance associated with the rank
+3. Waiting for the engine process to fully stop
+4. Automatically restarting the engine to rejoin the system
+
+This automatic restart mechanism is implemented in both follower and leader
+control servers to ensure local engine recovery happens regardless of
+management service leadership state. The restarted engine will rejoin the
+system with a new incarnation number and resume normal operations.
+
+This self-healing mechanism allows DAOS to automatically recover from
+transient engine failures without administrator intervention, improving
+overall system availability.
diff --git a/src/control/events/README.md b/src/control/events/README.md
index e269b190f6a..68355099490 100644
--- a/src/control/events/README.md
+++ b/src/control/events/README.md
@@ -16,3 +16,20 @@ A subset of events are actionable (type 'STATE_CHANGE' as opposed to
 'INFO_ONLY') and will be forwarded to the management service (MS) leader. On
 receipt of an actionable event, the MS will update the membership and backing
 database based on the event's contents.
+
+## Engine Suicide Event
+
+The `engine_suicide` event (RAS_ENGINE_SUICIDE) is an INFO_ONLY event raised
+when a DAOS engine rank performs a self-exclusion due to an unrecoverable
+condition. The control plane automatically handles this event by:
+
+1. Waiting for the engine instance to fully stop
+2. Restarting the engine to rejoin the system
+
+This event is handled by both follower and leader control servers to ensure
+local engine restarts happen regardless of MS leadership state. The event
+includes rank and incarnation information to identify the specific engine
+instance that requires restart.
+
+See `src/control/server/server_utils.go:handleEngineSuicide()` for the
+implementation details.
diff --git a/src/control/server/server_utils_test.go b/src/control/server/server_utils_test.go
index 9536c20d8aa..ebdaa4ba13c 100644
--- a/src/control/server/server_utils_test.go
+++ b/src/control/server/server_utils_test.go
@@ -8,12 +8,14 @@
 package server
 
 import (
+	"context"
 	"fmt"
 	"net"
 	"os"
 	"os/user"
 	"strings"
 	"testing"
+	"time"
 
 	"github.com/dustin/go-humanize"
 	"github.com/google/go-cmp/cmp"
@@ -21,7 +23,10 @@ import (
 
 	"github.com/daos-stack/daos/src/control/common"
 	"github.com/daos-stack/daos/src/control/common/test"
+	"github.com/daos-stack/daos/src/control/events"
+	"github.com/daos-stack/daos/src/control/lib/control"
 	"github.com/daos-stack/daos/src/control/lib/hardware"
+	"github.com/daos-stack/daos/src/control/lib/ranklist"
 	"github.com/daos-stack/daos/src/control/logging"
 	sysprov "github.com/daos-stack/daos/src/control/provider/system"
 	"github.com/daos-stack/daos/src/control/server/config"
@@ -1981,3 +1986,447 @@ f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 		t.Fatalf("unexpected output format (-want, +got):\n%s\n", diff)
 	}
 }
+
+func TestServer_handleEngineSuicide(t *testing.T) {
+	testRank := ranklist.Rank(1)
+	testIncarnation := uint64(42)
+	testHostname := "test-host-1"
+	validTimestamp := time.Now().Format(time.RFC3339)
+
+	for name, tc := range map[string]struct {
+		evt                *events.RASEvent
+		setupEngines       func(*testing.T, logging.Logger, *EngineHarness)
+		setupMockStartReq  bool
+		timeout            time.Duration
+		expErr             error
+		expEngineRestarted bool
+		expLogContains     []string
+	}{
+		"nil event timestamp": {
+			evt: &events.RASEvent{
+				ID:          events.RASEngineSuicide,
+				Rank:        uint32(testRank),
+				Incarnation: testIncarnation,
+				Hostname:    testHostname,
+				Timestamp:   "",
+			},
+			timeout:            1 * time.Second,
+			expErr:             errors.New("bad event timestamp"),
+			expEngineRestarted: false,
+		},
+		"invalid event timestamp": {
+			evt: &events.RASEvent{
+				ID:          events.RASEngineSuicide,
+				Rank:        uint32(testRank),
+				Incarnation: testIncarnation,
+				Hostname:    testHostname,
+				Timestamp:   "not-a-valid-timestamp",
+			},
+			timeout:            1 * time.Second,
+			expErr:             errors.New("bad event timestamp"),
+			expEngineRestarted: false,
+		},
+		"rank not found in harness": {
+			evt: &events.RASEvent{
+				ID:          events.RASEngineSuicide,
+				Rank:        99, // Non-existent rank
+				Incarnation: testIncarnation,
+				Hostname:    testHostname,
+				Timestamp:   validTimestamp,
+			},
+			setupEngines: func(t *testing.T, log logging.Logger, h *EngineHarness) {
+				e := newTestEngine(log, false, storage.MockProvider(log, 0, nil, nil, nil, nil, nil))
+				e._superblock.Rank = ranklist.NewRankPtr(1)
+				if err := h.AddInstance(e); err != nil {
+					t.Fatal(err)
+				}
+			},
+			timeout:            1 * time.Second,
+			expErr:             errors.New("no instance found for rank 99"),
+			expEngineRestarted: false,
+		},
+		"filter instances error - nil superblock": {
+			evt: &events.RASEvent{
+				ID:          events.RASEngineSuicide,
+				Rank:        uint32(testRank),
+				Incarnation: testIncarnation,
+				Hostname:    testHostname,
+				Timestamp:   validTimestamp,
+			},
+			setupEngines: func(t *testing.T, log logging.Logger, h *EngineHarness) {
+				e := newTestEngine(log, false, storage.MockProvider(log, 0, nil, nil, nil, nil, nil))
+				e._superblock = nil
+				if err := h.AddInstance(e); err != nil {
+					t.Fatal(err)
+				}
+			},
+			timeout:            1 * time.Second,
+			expErr:             errors.New("no instance found for rank"),
+			expEngineRestarted: false,
+		},
+		//		"successful restart - engine already stopped": {
+		//			evt: &events.RASEvent{
+		//				ID:          events.RASEngineSuicide,
+		//				Rank:        uint32(testRank),
+		//				Incarnation: testIncarnation,
+		//				Hostname:    testHostname,
+		//				Timestamp:   validTimestamp,
+		//			},
+		//			setupEngines: func(t *testing.T, log logging.Logger, h *EngineHarness) {
+		//				e := newTestEngine(log, false, storage.MockProvider(log, 0, nil, nil, nil, nil, nil))
+		//				e._superblock.Rank = ranklist.NewRankPtr(uint32(testRank))
+		//				rCfg := &engine.TestRunnerConfig{}
+		//				rCfg.Running.SetFalse()
+		//				e.runner = engine.NewTestRunner(rCfg, engine.MockConfig())
+		//				e.ready.SetFalse()
+		//				if err := h.AddInstance(e); err != nil {
+		//					t.Fatal(err)
+		//				}
+		//			},
+		//			setupMockStartReq:  true,
+		//			timeout:            2 * time.Second,
+		//			expEngineRestarted: true,
+		//			expLogContains: []string{
+		//				fmt.Sprintf("rank %d:%x (instance 0) suicide", testRank, testIncarnation),
+		//				testHostname,
+		//			},
+		//		},
+		//		"engine stops during wait": {
+		//			evt: &events.RASEvent{
+		//				ID:          events.RASEngineSuicide,
+		//				Rank:        uint32(testRank),
+		//				Incarnation: testIncarnation,
+		//				Hostname:    testHostname,
+		//				Timestamp:   validTimestamp,
+		//			},
+		//			setupEngines: func(t *testing.T, log logging.Logger, h *EngineHarness) {
+		//				e := newTestEngine(log, false, storage.MockProvider(log, 0, nil, nil, nil, nil, nil))
+		//				e._superblock.Rank = ranklist.NewRankPtr(uint32(testRank))
+		//				rCfg := &engine.TestRunnerConfig{}
+		//				rCfg.Running.SetTrue()
+		//				e.runner = engine.NewTestRunner(rCfg, engine.MockConfig())
+		//				if err := h.AddInstance(e); err != nil {
+		//					t.Fatal(err)
+		//				}
+		//
+		//				go func() {
+		//					time.Sleep(200 * time.Millisecond)
+		//					rCfg.Running.SetFalse()
+		//				}()
+		//			},
+		//			setupMockStartReq:  true,
+		//			timeout:            3 * time.Second,
+		//			expEngineRestarted: true,
+		//			expLogContains: []string{
+		//				"suicide",
+		//			},
+		//		},
+		//		"timeout waiting for engine to stop": {
+		//			evt: &events.RASEvent{
+		//				ID:          events.RASEngineSuicide,
+		//				Rank:        uint32(testRank),
+		//				Incarnation: testIncarnation,
+		//				Hostname:    testHostname,
+		//				Timestamp:   validTimestamp,
+		//			},
+		//			setupEngines: func(t *testing.T, log logging.Logger, h *EngineHarness) {
+		//				e := newTestEngine(log, false, storage.MockProvider(log, 0, nil, nil, nil, nil, nil))
+		//				e._superblock.Rank = ranklist.NewRankPtr(uint32(testRank))
+		//				rCfg := &engine.TestRunnerConfig{}
+		//				rCfg.Running.SetTrue()
+		//				e.runner = engine.NewTestRunner(rCfg, engine.MockConfig())
+		//				if err := h.AddInstance(e); err != nil {
+		//					t.Fatal(err)
+		//				}
+		//			},
+		//			timeout:            500 * time.Millisecond,
+		//			expErr:             errors.New("did not stop"),
+		//			expEngineRestarted: false,
+		//		},
+		//		"multiple engines - restart correct one": {
+		//			evt: &events.RASEvent{
+		//				ID:          events.RASEngineSuicide,
+		//				Rank:        2,
+		//				Incarnation: testIncarnation,
+		//				Hostname:    testHostname,
+		//				Timestamp:   validTimestamp,
+		//			},
+		//			setupEngines: func(t *testing.T, log logging.Logger, h *EngineHarness) {
+		//				for i := 0; i < 3; i++ {
+		//					e := newTestEngine(log, false, storage.MockProvider(log, 0, nil, nil, nil, nil, nil))
+		//					e._superblock.Rank = ranklist.NewRankPtr(uint32(i))
+		//					rCfg := &engine.TestRunnerConfig{}
+		//					rCfg.Running.SetFalse()
+		//					e.runner = engine.NewTestRunner(rCfg, engine.MockConfig())
+		//					e.ready.SetFalse()
+		//					if err := h.AddInstance(e); err != nil {
+		//						t.Fatal(err)
+		//					}
+		//				}
+		//			},
+		//			setupMockStartReq:  true,
+		//			timeout:            2 * time.Second,
+		//			expEngineRestarted: true,
+		//			expLogContains: []string{
+		//				"rank 2:42 (instance 2) suicide",
+		//			},
+		//		},
+	} {
+		t.Run(name, func(t *testing.T) {
+			log, buf := logging.NewTestLogger(t.Name())
+			defer test.ShowBufferOnFailure(t, buf)
+
+			ctx, cancel := context.WithTimeout(test.Context(t), tc.timeout)
+			defer cancel()
+
+			harness := NewEngineHarness(log)
+
+			if tc.setupEngines != nil {
+				tc.setupEngines(t, log, harness)
+			}
+
+			srv := &server{
+				log:     log,
+				harness: harness,
+			}
+
+			restartRequested := false
+			if tc.setupMockStartReq && len(harness.instances) > 0 {
+				targetRank := ranklist.Rank(tc.evt.Rank)
+				for _, inst := range harness.instances {
+					rank, err := inst.GetRank()
+					if err != nil || rank != targetRank {
+						continue
+					}
+
+					ei, ok := inst.(*EngineInstance)
+					if !ok {
+						continue
+					}
+
+					go func(e *EngineInstance) {
+						select {
+						case <-ctx.Done():
+						case <-e.startRequested:
+							restartRequested = true
+						case <-time.After(2 * time.Second):
+						}
+					}(ei)
+				}
+			}
+
+			err := handleEngineSuicide(ctx, srv, tc.evt)
+
+			time.Sleep(100 * time.Millisecond)
+
+			test.CmpErr(t, tc.expErr, err)
+
+			if tc.expEngineRestarted != restartRequested {
+				t.Errorf("expected engine restarted=%v, got=%v",
+					tc.expEngineRestarted, restartRequested)
+			}
+
+			logOutput := buf.String()
+			for _, expStr := range tc.expLogContains {
+				if !strings.Contains(logOutput, expStr) {
+					t.Errorf("expected log to contain %q, but it didn't\nLog:\n%s",
+						expStr, logOutput)
+				}
+			}
+		})
+	}
+}
+
+func TestServer_handleEngineSuicide_ErrorHandling(t *testing.T) {
+	log, buf := logging.NewTestLogger(t.Name())
+	defer test.ShowBufferOnFailure(t, buf)
+
+	ctx := test.Context(t)
+
+	harness := NewEngineHarness(log)
+	pubSub := events.NewPubSub(ctx, log)
+
+	srv := &server{
+		log:       log,
+		harness:   harness,
+		pubSub:    pubSub,
+		evtLogger: control.NewEventLogger(log),
+	}
+
+	srv.pubSub.Subscribe(events.RASTypeInfoOnly,
+		events.HandlerFunc(func(ctx context.Context, evt *events.RASEvent) {
+			switch evt.ID {
+			case events.RASEngineSuicide:
+				if err := handleEngineSuicide(ctx, srv, evt); err != nil {
+					srv.log.Errorf("handleEngineSuicide: %s", err)
+				}
+			}
+		}))
+
+	evt := &events.RASEvent{
+		ID:          events.RASEngineSuicide,
+		Rank:        1,
+		Incarnation: 42,
+		Hostname:    "test-host",
+		Timestamp:   time.Now().Format(time.RFC3339),
+	}
+
+	pubSub.Publish(evt)
+
+	time.Sleep(100 * time.Millisecond)
+
+	if !strings.Contains(buf.String(), "handleEngineSuicide") {
+		t.Error("expected error to be logged by handler")
+	}
+	if !strings.Contains(buf.String(), "no instance found") {
+		t.Errorf("expected 'no instance found' in log, got:\n%s", buf.String())
+	}
+}
+
+func TestServer_handleEngineSuicide_EdgeCases(t *testing.T) {
+	validTimestamp := time.Now().Format(time.RFC3339)
+
+	for name, tc := range map[string]struct {
+		evt            *events.RASEvent
+		expErrContains string
+	}{
+		"zero incarnation": {
+			evt: &events.RASEvent{
+				ID:          events.RASEngineSuicide,
+				Rank:        1,
+				Incarnation: 0,
+				Hostname:    "test-host",
+				Timestamp:   validTimestamp,
+			},
+			expErrContains: "no instance found",
+		},
+		"very high rank number": {
+			evt: &events.RASEvent{
+				ID:          events.RASEngineSuicide,
+				Rank:        999999,
+				Incarnation: 1,
+				Hostname:    "test-host",
+				Timestamp:   validTimestamp,
+			},
+			expErrContains: "no instance found for rank",
+		},
+		"max incarnation value": {
+			evt: &events.RASEvent{
+				ID:          events.RASEngineSuicide,
+				Rank:        1,
+				Incarnation: ^uint64(0),
+				Hostname:    "test-host",
+				Timestamp:   validTimestamp,
+			},
+			expErrContains: "no instance found",
+		},
+	} {
+		t.Run(name, func(t *testing.T) {
+			log, buf := logging.NewTestLogger(t.Name())
+			defer test.ShowBufferOnFailure(t, buf)
+
+			ctx, cancel := context.WithTimeout(test.Context(t), 1*time.Second)
+			defer cancel()
+
+			harness := NewEngineHarness(log)
+			srv := &server{
+				log:     log,
+				harness: harness,
+			}
+
+			err := handleEngineSuicide(ctx, srv, tc.evt)
+
+			if err == nil {
+				t.Fatalf("expected error, got nil")
+			}
+
+			if !strings.Contains(err.Error(), tc.expErrContains) {
+				t.Errorf("expected error containing %q, got: %s",
+					tc.expErrContains, err)
+			}
+		})
+	}
+}
+
+//func TestServer_registerFollowerSubscriptions_includesSuicide(t *testing.T) {
+//	log, buf := logging.NewTestLogger(t.Name())
+//	defer test.ShowBufferOnFailure(t, buf)
+//
+//	ctx := test.Context(t)
+//
+//	harness := NewEngineHarness(log)
+//	pubSub := events.NewPubSub(ctx, log)
+//
+//	srv := &server{
+//		log:       log,
+//		harness:   harness,
+//		pubSub:    pubSub,
+//		evtLogger: control.NewEventLogger(log),
+//	}
+//
+//	registerFollowerSubscriptions(srv)
+//
+//	evt := &events.RASEvent{
+//		ID:          events.RASEngineSuicide,
+//		Rank:        1,
+//		Incarnation: 42,
+//		Hostname:    "test-host",
+//		Timestamp:   time.Now().Format(time.RFC3339),
+//	}
+//
+//	pubSub.Publish(evt)
+//	time.Sleep(100 * time.Millisecond)
+//
+//	logOutput := buf.String()
+//	hasHandler := strings.Contains(logOutput, "handleEngineSuicide") ||
+//		strings.Contains(logOutput, "no instance found") ||
+//		strings.Contains(logOutput, "handling suicide")
+//
+//	if !hasHandler {
+//		t.Errorf("suicide handler does not appear to be registered\nLog:\n%s", logOutput)
+//	}
+//}
+//
+//func TestServer_registerLeaderSubscriptions_includesSuicide(t *testing.T) {
+//	log, buf := logging.NewTestLogger(t.Name())
+//	defer test.ShowBufferOnFailure(t, buf)
+//
+//	ctx := test.Context(t)
+//
+//	harness := NewEngineHarness(log)
+//	pubSub := events.NewPubSub(ctx, log)
+//
+//	svc := newTestMgmtSvc(t, log)
+//
+//	srv := &server{
+//		log:        log,
+//		harness:    harness,
+//		pubSub:     pubSub,
+//		evtLogger:  control.NewEvenEventtLogger(log),
+//		membership: svc.membership,
+//		sysdb:      svc.sysdb,
+//		mgmtSvc:    svc,
+//	}
+//
+//	registerLeaderSubscriptions(srv)
+//
+//	evt := &events.RASEvent{
+//		ID:          events.RASEngineSuicide,
+//		Rank:        1,
+//		Incarnation: 42,
+//		Hostname:    "test-host",
+//		Timestamp:   time.Now().Format(time.RFC3339),
+//	}
+//
+//	pubSub.Publish(evt)
+//	time.Sleep(100 * time.Millisecond)
+//
+//	logOutput := buf.String()
+//	hasHandler := strings.Contains(logOutput, "handleEngineSuicide") ||
+//		strings.Contains(logOutput, "no instance found") ||
+//		strings.Contains(logOutput, "handling suicide")
+//
+//	if !hasHandler {
+//		t.Errorf("suicide handler does not appear to be registered\nLog:\n%s", logOutput)
+//	}
+//}

From 550ef12f4e6469f944449b681a9d7385ade38aaa Mon Sep 17 00:00:00 2001
From: Tom Nabarro <thomas.nabarro@hpe.com>
Date: Wed, 25 Mar 2026 14:45:38 +0000
Subject: [PATCH 04/45] fix docs and unit tests

Signed-off-by: Tom Nabarro <thomas.nabarro@hpe.com>
---
 docs/admin/administration.md            |   2 +-
 docs/overview/fault.md                  |  10 +-
 src/control/events/README.md            |  17 --
 src/control/server/server_utils_test.go | 260 ++++++++++++------------
 4 files changed, 141 insertions(+), 148 deletions(-)

diff --git a/docs/admin/administration.md b/docs/admin/administration.md
index f72e0ae761d..d9383c569c8 100644
--- a/docs/admin/administration.md
+++ b/docs/admin/administration.md
@@ -55,7 +55,7 @@ severity, message, description, and cause.
 | engine\_died| STATE\_CHANGE| ERROR| DAOS engine <idx\> exited exited unexpectedly: <error\> | Indicates engine instance <idx\> unexpectedly. <error> describes the exit state returned from exited daos\_engine process.| N/A                          |
 | engine\_asserted| STATE\_CHANGE| ERROR| TBD| Indicates engine instance <idx\> threw a runtime assertion, causing a crash. | An unexpected internal state resulted in assert failure. |
 | engine\_clock\_drift| INFO\_ONLY   | ERROR| clock drift detected| Indicates CART comms layer has detected clock skew between engines.| NTP may not be syncing clocks across DAOS system.      |
-| engine\_suicide| INFO\_ONLY| NOTICE| excluded rank suicide detected| Indicates that a DAOS engine rank has performed a self-exclusion (suicide) due to detecting an unrecoverable condition. The rank is automatically restarted by the control plane. | An engine detected an internal condition requiring restart (e.g., unresponsive state, critical error). The control plane monitors for this event and automatically restarts the affected rank. |
+| engine\_suicide| INFO\_ONLY| NOTICE| excluded rank suicide detected| Indicates that a DAOS engine rank has performed a self-termination (suicide) due to having been excluded from the system's group map. The rank is automatically restarted by the control plane. | An engine was found to be in a transient non-functional state and excluded from the group map. The control plane monitors for this event and automatically restarts the affected engine so it can rejoin the system. |
 | engine\_join\_failed| INFO\_ONLY| ERROR | DAOS engine <idx\> (rank <rank\>) was not allowed to join the system | Join operation failed for the given engine instance ID and rank (if assigned). | Reason should be provided in the extended info field of the event data. |
 | pool\_corruption\_detected| INFO\_ONLY| ERROR | Data corruption detected| Indicates a corruption in pool data has been detected. The event fields will contain pool and container UUIDs. | A corruption was found by the checksum scrubber. |
 | pool\_destroy\_deferred| INFO\_ONLY| WARNING | pool:<uuid\> destroy is deferred| Indicates a destroy operation has been deferre. | Pool destroy in progress but not complete. |
diff --git a/docs/overview/fault.md b/docs/overview/fault.md
index 95ce0d978c8..8abcf451274 100644
--- a/docs/overview/fault.md
+++ b/docs/overview/fault.md
@@ -85,12 +85,12 @@ can now read from the rebuilt object shards.
 This rebuild process is executed online while applications continue accessing
 and updating objects.
 
-### Engine Self-Exclusion and Automatic Restart
+### Engine Self-Termination and Automatic Restart
 
-In some cases, a DAOS engine may detect an internal unrecoverable condition
-that prevents it from operating correctly. When this occurs, the engine can
-perform a self-exclusion (referred to as "suicide") to protect data integrity
-and system stability.
+A DAOS engine may be excluded from the group map because of inactivity
+for example. When an engine becomes aware of it's removal from the
+group map it will self-terminate (referred to as "suicide") to protect
+data integrity and system stability.
 
 When an engine commits suicide, it raises a `engine_suicide` RAS event
 (INFO_ONLY, NOTICE severity) containing the rank and incarnation information.
diff --git a/src/control/events/README.md b/src/control/events/README.md
index 68355099490..e269b190f6a 100644
--- a/src/control/events/README.md
+++ b/src/control/events/README.md
@@ -16,20 +16,3 @@ A subset of events are actionable (type 'STATE_CHANGE' as opposed to
 'INFO_ONLY') and will be forwarded to the management service (MS) leader. On
 receipt of an actionable event, the MS will update the membership and backing
 database based on the event's contents.
-
-## Engine Suicide Event
-
-The `engine_suicide` event (RAS_ENGINE_SUICIDE) is an INFO_ONLY event raised
-when a DAOS engine rank performs a self-exclusion due to an unrecoverable
-condition. The control plane automatically handles this event by:
-
-1. Waiting for the engine instance to fully stop
-2. Restarting the engine to rejoin the system
-
-This event is handled by both follower and leader control servers to ensure
-local engine restarts happen regardless of MS leadership state. The event
-includes rank and incarnation information to identify the specific engine
-instance that requires restart.
-
-See `src/control/server/server_utils.go:handleEngineSuicide()` for the
-implementation details.
diff --git a/src/control/server/server_utils_test.go b/src/control/server/server_utils_test.go
index ebdaa4ba13c..4b7364ce606 100644
--- a/src/control/server/server_utils_test.go
+++ b/src/control/server/server_utils_test.go
@@ -14,6 +14,7 @@ import (
 	"os"
 	"os/user"
 	"strings"
+	"sync"
 	"testing"
 	"time"
 
@@ -24,7 +25,6 @@ import (
 	"github.com/daos-stack/daos/src/control/common"
 	"github.com/daos-stack/daos/src/control/common/test"
 	"github.com/daos-stack/daos/src/control/events"
-	"github.com/daos-stack/daos/src/control/lib/control"
 	"github.com/daos-stack/daos/src/control/lib/hardware"
 	"github.com/daos-stack/daos/src/control/lib/ranklist"
 	"github.com/daos-stack/daos/src/control/logging"
@@ -1993,6 +1993,25 @@ func TestServer_handleEngineSuicide(t *testing.T) {
 	testHostname := "test-host-1"
 	validTimestamp := time.Now().Format(time.RFC3339)
 
+	setupEngine := func(t *testing.T, log logging.Logger, h *EngineHarness, isRunning bool, ranks ...uint32) {
+		t.Helper()
+
+		rank := uint32(testRank)
+		if len(ranks) != 0 {
+			rank = ranks[0]
+		}
+
+		e := newTestEngine(log, false, storage.MockProvider(log, 0, nil, nil, nil, nil, nil))
+		e._superblock.Rank = ranklist.NewRankPtr(rank)
+		rCfg := &engine.TestRunnerConfig{}
+		rCfg.Running.Store(isRunning)
+		e.runner = engine.NewTestRunner(rCfg, engine.MockConfig())
+		e.ready.SetFalse()
+		if err := h.AddInstance(e); err != nil {
+			t.Fatal(err)
+		}
+	}
+
 	for name, tc := range map[string]struct {
 		evt                *events.RASEvent
 		setupEngines       func(*testing.T, logging.Logger, *EngineHarness)
@@ -2064,33 +2083,25 @@ func TestServer_handleEngineSuicide(t *testing.T) {
 			expErr:             errors.New("no instance found for rank"),
 			expEngineRestarted: false,
 		},
-		//		"successful restart - engine already stopped": {
-		//			evt: &events.RASEvent{
-		//				ID:          events.RASEngineSuicide,
-		//				Rank:        uint32(testRank),
-		//				Incarnation: testIncarnation,
-		//				Hostname:    testHostname,
-		//				Timestamp:   validTimestamp,
-		//			},
-		//			setupEngines: func(t *testing.T, log logging.Logger, h *EngineHarness) {
-		//				e := newTestEngine(log, false, storage.MockProvider(log, 0, nil, nil, nil, nil, nil))
-		//				e._superblock.Rank = ranklist.NewRankPtr(uint32(testRank))
-		//				rCfg := &engine.TestRunnerConfig{}
-		//				rCfg.Running.SetFalse()
-		//				e.runner = engine.NewTestRunner(rCfg, engine.MockConfig())
-		//				e.ready.SetFalse()
-		//				if err := h.AddInstance(e); err != nil {
-		//					t.Fatal(err)
-		//				}
-		//			},
-		//			setupMockStartReq:  true,
-		//			timeout:            2 * time.Second,
-		//			expEngineRestarted: true,
-		//			expLogContains: []string{
-		//				fmt.Sprintf("rank %d:%x (instance 0) suicide", testRank, testIncarnation),
-		//				testHostname,
-		//			},
-		//		},
+		"successful restart - engine already stopped": {
+			evt: &events.RASEvent{
+				ID:          events.RASEngineSuicide,
+				Rank:        uint32(testRank),
+				Incarnation: testIncarnation,
+				Hostname:    testHostname,
+				Timestamp:   validTimestamp,
+			},
+			setupEngines: func(t *testing.T, log logging.Logger, h *EngineHarness) {
+				setupEngine(t, log, h, false)
+			},
+			setupMockStartReq:  true,
+			timeout:            2 * time.Second,
+			expEngineRestarted: true,
+			expLogContains: []string{
+				fmt.Sprintf("rank %d:%x (instance 0) suicide", testRank, testIncarnation),
+				testHostname,
+			},
+		},
 		//		"engine stops during wait": {
 		//			evt: &events.RASEvent{
 		//				ID:          events.RASEngineSuicide,
@@ -2121,56 +2132,41 @@ func TestServer_handleEngineSuicide(t *testing.T) {
 		//				"suicide",
 		//			},
 		//		},
-		//		"timeout waiting for engine to stop": {
-		//			evt: &events.RASEvent{
-		//				ID:          events.RASEngineSuicide,
-		//				Rank:        uint32(testRank),
-		//				Incarnation: testIncarnation,
-		//				Hostname:    testHostname,
-		//				Timestamp:   validTimestamp,
-		//			},
-		//			setupEngines: func(t *testing.T, log logging.Logger, h *EngineHarness) {
-		//				e := newTestEngine(log, false, storage.MockProvider(log, 0, nil, nil, nil, nil, nil))
-		//				e._superblock.Rank = ranklist.NewRankPtr(uint32(testRank))
-		//				rCfg := &engine.TestRunnerConfig{}
-		//				rCfg.Running.SetTrue()
-		//				e.runner = engine.NewTestRunner(rCfg, engine.MockConfig())
-		//				if err := h.AddInstance(e); err != nil {
-		//					t.Fatal(err)
-		//				}
-		//			},
-		//			timeout:            500 * time.Millisecond,
-		//			expErr:             errors.New("did not stop"),
-		//			expEngineRestarted: false,
-		//		},
-		//		"multiple engines - restart correct one": {
-		//			evt: &events.RASEvent{
-		//				ID:          events.RASEngineSuicide,
-		//				Rank:        2,
-		//				Incarnation: testIncarnation,
-		//				Hostname:    testHostname,
-		//				Timestamp:   validTimestamp,
-		//			},
-		//			setupEngines: func(t *testing.T, log logging.Logger, h *EngineHarness) {
-		//				for i := 0; i < 3; i++ {
-		//					e := newTestEngine(log, false, storage.MockProvider(log, 0, nil, nil, nil, nil, nil))
-		//					e._superblock.Rank = ranklist.NewRankPtr(uint32(i))
-		//					rCfg := &engine.TestRunnerConfig{}
-		//					rCfg.Running.SetFalse()
-		//					e.runner = engine.NewTestRunner(rCfg, engine.MockConfig())
-		//					e.ready.SetFalse()
-		//					if err := h.AddInstance(e); err != nil {
-		//						t.Fatal(err)
-		//					}
-		//				}
-		//			},
-		//			setupMockStartReq:  true,
-		//			timeout:            2 * time.Second,
-		//			expEngineRestarted: true,
-		//			expLogContains: []string{
-		//				"rank 2:42 (instance 2) suicide",
-		//			},
-		//		},
+		"timeout waiting for engine to stop": {
+			evt: &events.RASEvent{
+				ID:          events.RASEngineSuicide,
+				Rank:        uint32(testRank),
+				Incarnation: testIncarnation,
+				Hostname:    testHostname,
+				Timestamp:   validTimestamp,
+			},
+			setupEngines: func(t *testing.T, log logging.Logger, h *EngineHarness) {
+				setupEngine(t, log, h, true)
+			},
+			timeout:            500 * time.Millisecond,
+			expErr:             errors.New("did not stop"),
+			expEngineRestarted: false,
+		},
+		"multiple engines - restart correct one": {
+			evt: &events.RASEvent{
+				ID:          events.RASEngineSuicide,
+				Rank:        2,
+				Incarnation: testIncarnation,
+				Hostname:    testHostname,
+				Timestamp:   validTimestamp,
+			},
+			setupEngines: func(t *testing.T, log logging.Logger, h *EngineHarness) {
+				for i := 0; i < 3; i++ {
+					setupEngine(t, log, h, false, uint32(i))
+				}
+			},
+			setupMockStartReq:  true,
+			timeout:            2 * time.Second,
+			expEngineRestarted: true,
+			expLogContains: []string{
+				"rank 2:42 (instance 2) suicide",
+			},
+		},
 	} {
 		t.Run(name, func(t *testing.T) {
 			log, buf := logging.NewTestLogger(t.Name())
@@ -2189,18 +2185,26 @@ func TestServer_handleEngineSuicide(t *testing.T) {
 				log:     log,
 				harness: harness,
 			}
-
+			finished := struct {
+				o  sync.Once
+				ch chan struct{}
+			}{
+				ch: make(chan struct{}),
+			}
 			restartRequested := false
+
 			if tc.setupMockStartReq && len(harness.instances) > 0 {
 				targetRank := ranklist.Rank(tc.evt.Rank)
 				for _, inst := range harness.instances {
 					rank, err := inst.GetRank()
 					if err != nil || rank != targetRank {
+						finished.o.Do(func() { close(finished.ch) })
 						continue
 					}
 
 					ei, ok := inst.(*EngineInstance)
 					if !ok {
+						finished.o.Do(func() { close(finished.ch) })
 						continue
 					}
 
@@ -2211,13 +2215,18 @@ func TestServer_handleEngineSuicide(t *testing.T) {
 							restartRequested = true
 						case <-time.After(2 * time.Second):
 						}
+						finished.o.Do(func() { close(finished.ch) })
 					}(ei)
 				}
+			} else {
+				close(finished.ch)
 			}
 
 			err := handleEngineSuicide(ctx, srv, tc.evt)
 
-			time.Sleep(100 * time.Millisecond)
+			//if tc.setupMockStartReq && len(harness.instances) > 0 {
+			<-finished.ch
+			//}
 
 			test.CmpErr(t, tc.expErr, err)
 
@@ -2237,51 +2246,52 @@ func TestServer_handleEngineSuicide(t *testing.T) {
 	}
 }
 
-func TestServer_handleEngineSuicide_ErrorHandling(t *testing.T) {
-	log, buf := logging.NewTestLogger(t.Name())
-	defer test.ShowBufferOnFailure(t, buf)
-
-	ctx := test.Context(t)
-
-	harness := NewEngineHarness(log)
-	pubSub := events.NewPubSub(ctx, log)
-
-	srv := &server{
-		log:       log,
-		harness:   harness,
-		pubSub:    pubSub,
-		evtLogger: control.NewEventLogger(log),
-	}
-
-	srv.pubSub.Subscribe(events.RASTypeInfoOnly,
-		events.HandlerFunc(func(ctx context.Context, evt *events.RASEvent) {
-			switch evt.ID {
-			case events.RASEngineSuicide:
-				if err := handleEngineSuicide(ctx, srv, evt); err != nil {
-					srv.log.Errorf("handleEngineSuicide: %s", err)
-				}
-			}
-		}))
-
-	evt := &events.RASEvent{
-		ID:          events.RASEngineSuicide,
-		Rank:        1,
-		Incarnation: 42,
-		Hostname:    "test-host",
-		Timestamp:   time.Now().Format(time.RFC3339),
-	}
-
-	pubSub.Publish(evt)
-
-	time.Sleep(100 * time.Millisecond)
-
-	if !strings.Contains(buf.String(), "handleEngineSuicide") {
-		t.Error("expected error to be logged by handler")
-	}
-	if !strings.Contains(buf.String(), "no instance found") {
-		t.Errorf("expected 'no instance found' in log, got:\n%s", buf.String())
-	}
-}
+//func TestServer_handleEngineSuicide_ErrorHandling(t *testing.T) {
+//	log, buf := logging.NewTestLogger(t.Name())
+//	defer test.ShowBufferOnFailure(t, buf)
+//
+//	ctx := test.Context(t)
+//
+//	harness := NewEngineHarness(log)
+//	pubSub := events.NewPubSub(ctx, log)
+//
+//	srv := &server{
+//		log:       log,
+//		harness:   harness,
+//		pubSub:    pubSub,
+//		evtLogger: control.NewEventLogger(log),
+//	}
+//
+//	srv.pubSub.Subscribe(events.RASTypeInfoOnly,
+//		events.HandlerFunc(func(ctx context.Context, evt *events.RASEvent) {
+//			switch evt.ID {
+//			case events.RASEngineSuicide:
+//				if err := handleEngineSuicide(ctx, srv, evt); err != nil {
+//					srv.log.Errorf("handleEngineSuicide: %s", err)
+//				}
+//			}
+//		}))
+//
+//	evt := &events.RASEvent{
+//		ID:          events.RASEngineSuicide,
+//		Rank:        1,
+//		Incarnation: 42,
+//		Hostname:    "test-host",
+//		Timestamp:   time.Now().Format(time.RFC3339),
+//	}
+//
+//	pubSub.Publish(evt)
+//
+//	time.Sleep(900 * time.Millisecond)
+//
+//	t.Log(buf.String())
+//	if !strings.Contains(buf.String(), "handleEngineSuicide") {
+//		t.Error("expected error to be logged by handler")
+//	}
+//	if !strings.Contains(buf.String(), "no instance found") {
+//		t.Errorf("expected 'no instance found' in log, got:\n%s", buf.String())
+//	}
+//}
 
 func TestServer_handleEngineSuicide_EdgeCases(t *testing.T) {
 	validTimestamp := time.Now().Format(time.RFC3339)

From 1f61b9862cdcd6ab38e184f19d8ebe352ff3e0b7 Mon Sep 17 00:00:00 2001
From: Tom Nabarro <thomas.nabarro@hpe.com>
Date: Thu, 26 Mar 2026 15:24:50 +0000
Subject: [PATCH 05/45] revise unit test for suicide handler

Signed-off-by: Tom Nabarro <thomas.nabarro@hpe.com>
---
 src/control/server/server_utils.go      |  4 +-
 src/control/server/server_utils_test.go | 83 +++++--------------------
 2 files changed, 18 insertions(+), 69 deletions(-)

diff --git a/src/control/server/server_utils.go b/src/control/server/server_utils.go
index ccc8b405cdd..550eb7bee0f 100644
--- a/src/control/server/server_utils.go
+++ b/src/control/server/server_utils.go
@@ -793,7 +793,7 @@ func handleEngineSuicide(ctx context.Context, srv *server, evt *events.RASEvent)
 	}
 	engine := instances[0]
 
-	srv.log.Infof("%s was notified @ %s of rank %d:%x (instance %d) suicide", ts, evt.Hostname,
+	srv.log.Infof("%s was notified @ %s of rank %d:%d (instance %d) suicide", ts, evt.Hostname,
 		evt.Rank, evt.Incarnation, engine.Index())
 
 	// Wait until engine is stopped.
@@ -802,8 +802,6 @@ func handleEngineSuicide(ctx context.Context, srv *server, evt *events.RASEvent)
 		return errors.Errorf("rank %d (instance %d) did not stop", evt.Rank, engine.Index())
 	}
 
-	// TODO: Check if rank should be restarted?
-
 	engine.requestStart(ctx)
 
 	return nil
diff --git a/src/control/server/server_utils_test.go b/src/control/server/server_utils_test.go
index 4b7364ce606..42d98c8cfdb 100644
--- a/src/control/server/server_utils_test.go
+++ b/src/control/server/server_utils_test.go
@@ -15,6 +15,7 @@ import (
 	"os/user"
 	"strings"
 	"sync"
+	"sync/atomic"
 	"testing"
 	"time"
 
@@ -2015,8 +2016,6 @@ func TestServer_handleEngineSuicide(t *testing.T) {
 	for name, tc := range map[string]struct {
 		evt                *events.RASEvent
 		setupEngines       func(*testing.T, logging.Logger, *EngineHarness)
-		setupMockStartReq  bool
-		timeout            time.Duration
 		expErr             error
 		expEngineRestarted bool
 		expLogContains     []string
@@ -2029,7 +2028,6 @@ func TestServer_handleEngineSuicide(t *testing.T) {
 				Hostname:    testHostname,
 				Timestamp:   "",
 			},
-			timeout:            1 * time.Second,
 			expErr:             errors.New("bad event timestamp"),
 			expEngineRestarted: false,
 		},
@@ -2041,7 +2039,6 @@ func TestServer_handleEngineSuicide(t *testing.T) {
 				Hostname:    testHostname,
 				Timestamp:   "not-a-valid-timestamp",
 			},
-			timeout:            1 * time.Second,
 			expErr:             errors.New("bad event timestamp"),
 			expEngineRestarted: false,
 		},
@@ -2060,7 +2057,6 @@ func TestServer_handleEngineSuicide(t *testing.T) {
 					t.Fatal(err)
 				}
 			},
-			timeout:            1 * time.Second,
 			expErr:             errors.New("no instance found for rank 99"),
 			expEngineRestarted: false,
 		},
@@ -2079,7 +2075,6 @@ func TestServer_handleEngineSuicide(t *testing.T) {
 					t.Fatal(err)
 				}
 			},
-			timeout:            1 * time.Second,
 			expErr:             errors.New("no instance found for rank"),
 			expEngineRestarted: false,
 		},
@@ -2094,44 +2089,12 @@ func TestServer_handleEngineSuicide(t *testing.T) {
 			setupEngines: func(t *testing.T, log logging.Logger, h *EngineHarness) {
 				setupEngine(t, log, h, false)
 			},
-			setupMockStartReq:  true,
-			timeout:            2 * time.Second,
 			expEngineRestarted: true,
 			expLogContains: []string{
-				fmt.Sprintf("rank %d:%x (instance 0) suicide", testRank, testIncarnation),
+				fmt.Sprintf("rank %d:%d (instance 0) suicide", testRank, testIncarnation),
 				testHostname,
 			},
 		},
-		//		"engine stops during wait": {
-		//			evt: &events.RASEvent{
-		//				ID:          events.RASEngineSuicide,
-		//				Rank:        uint32(testRank),
-		//				Incarnation: testIncarnation,
-		//				Hostname:    testHostname,
-		//				Timestamp:   validTimestamp,
-		//			},
-		//			setupEngines: func(t *testing.T, log logging.Logger, h *EngineHarness) {
-		//				e := newTestEngine(log, false, storage.MockProvider(log, 0, nil, nil, nil, nil, nil))
-		//				e._superblock.Rank = ranklist.NewRankPtr(uint32(testRank))
-		//				rCfg := &engine.TestRunnerConfig{}
-		//				rCfg.Running.SetTrue()
-		//				e.runner = engine.NewTestRunner(rCfg, engine.MockConfig())
-		//				if err := h.AddInstance(e); err != nil {
-		//					t.Fatal(err)
-		//				}
-		//
-		//				go func() {
-		//					time.Sleep(200 * time.Millisecond)
-		//					rCfg.Running.SetFalse()
-		//				}()
-		//			},
-		//			setupMockStartReq:  true,
-		//			timeout:            3 * time.Second,
-		//			expEngineRestarted: true,
-		//			expLogContains: []string{
-		//				"suicide",
-		//			},
-		//		},
 		"timeout waiting for engine to stop": {
 			evt: &events.RASEvent{
 				ID:          events.RASEngineSuicide,
@@ -2143,7 +2106,6 @@ func TestServer_handleEngineSuicide(t *testing.T) {
 			setupEngines: func(t *testing.T, log logging.Logger, h *EngineHarness) {
 				setupEngine(t, log, h, true)
 			},
-			timeout:            500 * time.Millisecond,
 			expErr:             errors.New("did not stop"),
 			expEngineRestarted: false,
 		},
@@ -2160,8 +2122,6 @@ func TestServer_handleEngineSuicide(t *testing.T) {
 					setupEngine(t, log, h, false, uint32(i))
 				}
 			},
-			setupMockStartReq:  true,
-			timeout:            2 * time.Second,
 			expEngineRestarted: true,
 			expLogContains: []string{
 				"rank 2:42 (instance 2) suicide",
@@ -2172,7 +2132,7 @@ func TestServer_handleEngineSuicide(t *testing.T) {
 			log, buf := logging.NewTestLogger(t.Name())
 			defer test.ShowBufferOnFailure(t, buf)
 
-			ctx, cancel := context.WithTimeout(test.Context(t), tc.timeout)
+			ctx, cancel := context.WithTimeout(test.Context(t), time.Second)
 			defer cancel()
 
 			harness := NewEngineHarness(log)
@@ -2185,54 +2145,45 @@ func TestServer_handleEngineSuicide(t *testing.T) {
 				log:     log,
 				harness: harness,
 			}
-			finished := struct {
-				o  sync.Once
-				ch chan struct{}
-			}{
-				ch: make(chan struct{}),
-			}
-			restartRequested := false
 
-			if tc.setupMockStartReq && len(harness.instances) > 0 {
+			var wg sync.WaitGroup
+			var restartRequested atomic.Bool
+
+			if len(harness.instances) > 0 {
 				targetRank := ranklist.Rank(tc.evt.Rank)
-				for _, inst := range harness.instances {
+				for i, inst := range harness.instances {
 					rank, err := inst.GetRank()
 					if err != nil || rank != targetRank {
-						finished.o.Do(func() { close(finished.ch) })
 						continue
 					}
 
 					ei, ok := inst.(*EngineInstance)
 					if !ok {
-						finished.o.Do(func() { close(finished.ch) })
 						continue
 					}
 
-					go func(e *EngineInstance) {
+					wg.Add(1)
+
+					go func(e *EngineInstance, idx int) {
+						defer wg.Done()
 						select {
 						case <-ctx.Done():
 						case <-e.startRequested:
-							restartRequested = true
+							restartRequested.Store(true)
 						case <-time.After(2 * time.Second):
 						}
-						finished.o.Do(func() { close(finished.ch) })
-					}(ei)
+					}(ei, i)
 				}
-			} else {
-				close(finished.ch)
 			}
 
 			err := handleEngineSuicide(ctx, srv, tc.evt)
-
-			//if tc.setupMockStartReq && len(harness.instances) > 0 {
-			<-finished.ch
-			//}
+			wg.Wait()
 
 			test.CmpErr(t, tc.expErr, err)
 
-			if tc.expEngineRestarted != restartRequested {
+			if tc.expEngineRestarted != restartRequested.Load() {
 				t.Errorf("expected engine restarted=%v, got=%v",
-					tc.expEngineRestarted, restartRequested)
+					tc.expEngineRestarted, restartRequested.Load())
 			}
 
 			logOutput := buf.String()

From 8a79efb12743b8105a7a3e6cb502d892cbb0dc93 Mon Sep 17 00:00:00 2001
From: Tom Nabarro <thomas.nabarro@hpe.com>
Date: Fri, 27 Mar 2026 13:05:34 +0000
Subject: [PATCH 06/45] fixup tests

Features: control pool

Signed-off-by: Tom Nabarro <thomas.nabarro@hpe.com>
---
 src/control/lib/control/event.go        |   4 +-
 src/control/lib/control/mocks.go        |  10 +-
 src/control/server/server_utils_test.go | 338 +++++++++++++++---------
 3 files changed, 219 insertions(+), 133 deletions(-)

diff --git a/src/control/lib/control/event.go b/src/control/lib/control/event.go
index d316a4e7cb1..7934b921424 100644
--- a/src/control/lib/control/event.go
+++ b/src/control/lib/control/event.go
@@ -1,5 +1,6 @@
 //
 // (C) Copyright 2021-2024 Intel Corporation.
+// (C) Copyright 2026 Hewlett Packard Enterprise Development LP
 //
 // SPDX-License-Identifier: BSD-2-Clause-Patent
 //
@@ -170,7 +171,8 @@ func newEventLogger(logBasic logging.Logger, newSyslogger newSysloggerFn) *Event
 }
 
 // NewEventLogger returns an initialized EventLogger capable of writing to the
-// supplied logger in addition to syslog.
+// supplied logger in addition to syslog. Should only be used in production code,
+// use MockEventLogger in unit tests.
 func NewEventLogger(log logging.Logger) *EventLogger {
 	return newEventLogger(log, syslog.NewLogger)
 }
diff --git a/src/control/lib/control/mocks.go b/src/control/lib/control/mocks.go
index 83fd078c8ac..bfb417acb50 100644
--- a/src/control/lib/control/mocks.go
+++ b/src/control/lib/control/mocks.go
@@ -1,6 +1,6 @@
 //
 // (C) Copyright 2020-2024 Intel Corporation.
-// (C) Copyright 2025 Hewlett Packard Enterprise Development LP
+// (C) Copyright 2025-2026 Hewlett Packard Enterprise Development LP
 //
 // SPDX-License-Identifier: BSD-2-Clause-Patent
 //
@@ -30,6 +30,7 @@ import (
 	"github.com/daos-stack/daos/src/control/common/test"
 	"github.com/daos-stack/daos/src/control/lib/hostlist"
 	"github.com/daos-stack/daos/src/control/lib/ranklist"
+	"github.com/daos-stack/daos/src/control/logging"
 	"github.com/daos-stack/daos/src/control/server/config"
 	"github.com/daos-stack/daos/src/control/server/engine"
 	"github.com/daos-stack/daos/src/control/server/storage"
@@ -945,3 +946,10 @@ func MockHostFabricMap(t *testing.T, scans ...*MockFabricScan) HostFabricMap {
 
 	return hfm
 }
+
+// MockEventLogger returns EventLogger reference that has no syslog handlers registered.
+func MockEventLogger(logBasic logging.Logger) *EventLogger {
+	return &EventLogger{
+		log: logBasic,
+	}
+}
diff --git a/src/control/server/server_utils_test.go b/src/control/server/server_utils_test.go
index 42d98c8cfdb..e7bdbde8b70 100644
--- a/src/control/server/server_utils_test.go
+++ b/src/control/server/server_utils_test.go
@@ -26,6 +26,7 @@ import (
 	"github.com/daos-stack/daos/src/control/common"
 	"github.com/daos-stack/daos/src/control/common/test"
 	"github.com/daos-stack/daos/src/control/events"
+	"github.com/daos-stack/daos/src/control/lib/control"
 	"github.com/daos-stack/daos/src/control/lib/hardware"
 	"github.com/daos-stack/daos/src/control/lib/ranklist"
 	"github.com/daos-stack/daos/src/control/logging"
@@ -1988,7 +1989,15 @@ f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 	}
 }
 
+const (
+	testContextTimeout    = 1 * time.Second
+	testHandlerTimeout    = 1 * time.Second
+	testSubscriptionDelay = 50 * time.Millisecond
+)
+
 func TestServer_handleEngineSuicide(t *testing.T) {
+	const testRestartRequestWait = 2 * time.Second
+
 	testRank := ranklist.Rank(1)
 	testIncarnation := uint64(42)
 	testHostname := "test-host-1"
@@ -2132,7 +2141,7 @@ func TestServer_handleEngineSuicide(t *testing.T) {
 			log, buf := logging.NewTestLogger(t.Name())
 			defer test.ShowBufferOnFailure(t, buf)
 
-			ctx, cancel := context.WithTimeout(test.Context(t), time.Second)
+			ctx, cancel := context.WithTimeout(test.Context(t), testContextTimeout)
 			defer cancel()
 
 			harness := NewEngineHarness(log)
@@ -2170,7 +2179,7 @@ func TestServer_handleEngineSuicide(t *testing.T) {
 						case <-ctx.Done():
 						case <-e.startRequested:
 							restartRequested.Store(true)
-						case <-time.After(2 * time.Second):
+						case <-time.After(testRestartRequestWait):
 						}
 					}(ei, i)
 				}
@@ -2197,52 +2206,69 @@ func TestServer_handleEngineSuicide(t *testing.T) {
 	}
 }
 
-//func TestServer_handleEngineSuicide_ErrorHandling(t *testing.T) {
-//	log, buf := logging.NewTestLogger(t.Name())
-//	defer test.ShowBufferOnFailure(t, buf)
-//
-//	ctx := test.Context(t)
-//
-//	harness := NewEngineHarness(log)
-//	pubSub := events.NewPubSub(ctx, log)
-//
-//	srv := &server{
-//		log:       log,
-//		harness:   harness,
-//		pubSub:    pubSub,
-//		evtLogger: control.NewEventLogger(log),
-//	}
-//
-//	srv.pubSub.Subscribe(events.RASTypeInfoOnly,
-//		events.HandlerFunc(func(ctx context.Context, evt *events.RASEvent) {
-//			switch evt.ID {
-//			case events.RASEngineSuicide:
-//				if err := handleEngineSuicide(ctx, srv, evt); err != nil {
-//					srv.log.Errorf("handleEngineSuicide: %s", err)
-//				}
-//			}
-//		}))
-//
-//	evt := &events.RASEvent{
-//		ID:          events.RASEngineSuicide,
-//		Rank:        1,
-//		Incarnation: 42,
-//		Hostname:    "test-host",
-//		Timestamp:   time.Now().Format(time.RFC3339),
-//	}
-//
-//	pubSub.Publish(evt)
-//
-//	time.Sleep(900 * time.Millisecond)
-//
-//	t.Log(buf.String())
-//	if !strings.Contains(buf.String(), "handleEngineSuicide") {
-//		t.Error("expected error to be logged by handler")
-//	}
-//	if !strings.Contains(buf.String(), "no instance found") {
-//		t.Errorf("expected 'no instance found' in log, got:\n%s", buf.String())
-//	}
-//}
+func TestServer_handleEngineSuicide_ErrorHandling(t *testing.T) {
+	log, buf := logging.NewTestLogger(t.Name())
+	defer test.ShowBufferOnFailure(t, buf)
+
+	ctx := test.Context(t)
+
+	harness := NewEngineHarness(log)
+	pubSub := events.NewPubSub(ctx, log)
+
+	// Channel to signal when handler completes
+	handlerDone := make(chan struct{})
+	var once sync.Once
+
+	srv := &server{
+		log:       log,
+		harness:   harness,
+		pubSub:    pubSub,
+		evtLogger: control.MockEventLogger(log),
+	}
+
+	srv.pubSub.Subscribe(events.RASTypeInfoOnly,
+		events.HandlerFunc(func(ctx context.Context, evt *events.RASEvent) {
+			log.Debugf("ErrorHandling test handler called for event: ID=%v, Type=%v", evt.ID, evt.Type)
+			switch evt.ID {
+			case events.RASEngineSuicide:
+				log.Debugf("ErrorHandling test handling suicide event")
+				if err := handleEngineSuicide(ctx, srv, evt); err != nil {
+					srv.log.Errorf("handleEngineSuicide: %s", err)
+				}
+				once.Do(func() { close(handlerDone) })
+			}
+		}))
+
+	// Give the subscription time to register in the eventLoop
+	time.Sleep(testSubscriptionDelay)
+
+	evt := &events.RASEvent{
+		ID:          events.RASEngineSuicide,
+		Type:        events.RASTypeInfoOnly,
+		Rank:        1,
+		Incarnation: 42,
+		Hostname:    "test-host",
+		Timestamp:   time.Now().Format(time.RFC3339),
+	}
+
+	pubSub.Publish(evt)
+
+	// Wait for handler to complete or timeout
+	select {
+	case <-handlerDone:
+		// Handler completed
+	case <-time.After(testHandlerTimeout):
+		t.Fatal("timeout waiting for handler to complete")
+	}
+
+	t.Log(buf.String())
+	if !strings.Contains(buf.String(), "handleEngineSuicide") {
+		t.Error("expected error to be logged by handler")
+	}
+	if !strings.Contains(buf.String(), "no instance found") {
+		t.Errorf("expected 'no instance found' in log, got:\n%s", buf.String())
+	}
+}
 
 func TestServer_handleEngineSuicide_EdgeCases(t *testing.T) {
 	validTimestamp := time.Now().Format(time.RFC3339)
@@ -2286,7 +2312,7 @@ func TestServer_handleEngineSuicide_EdgeCases(t *testing.T) {
 			log, buf := logging.NewTestLogger(t.Name())
 			defer test.ShowBufferOnFailure(t, buf)
 
-			ctx, cancel := context.WithTimeout(test.Context(t), 1*time.Second)
+			ctx, cancel := context.WithTimeout(test.Context(t), testContextTimeout)
 			defer cancel()
 
 			harness := NewEngineHarness(log)
@@ -2309,85 +2335,135 @@ func TestServer_handleEngineSuicide_EdgeCases(t *testing.T) {
 	}
 }
 
-//func TestServer_registerFollowerSubscriptions_includesSuicide(t *testing.T) {
-//	log, buf := logging.NewTestLogger(t.Name())
-//	defer test.ShowBufferOnFailure(t, buf)
-//
-//	ctx := test.Context(t)
-//
-//	harness := NewEngineHarness(log)
-//	pubSub := events.NewPubSub(ctx, log)
-//
-//	srv := &server{
-//		log:       log,
-//		harness:   harness,
-//		pubSub:    pubSub,
-//		evtLogger: control.NewEventLogger(log),
-//	}
-//
-//	registerFollowerSubscriptions(srv)
-//
-//	evt := &events.RASEvent{
-//		ID:          events.RASEngineSuicide,
-//		Rank:        1,
-//		Incarnation: 42,
-//		Hostname:    "test-host",
-//		Timestamp:   time.Now().Format(time.RFC3339),
-//	}
-//
-//	pubSub.Publish(evt)
-//	time.Sleep(100 * time.Millisecond)
-//
-//	logOutput := buf.String()
-//	hasHandler := strings.Contains(logOutput, "handleEngineSuicide") ||
-//		strings.Contains(logOutput, "no instance found") ||
-//		strings.Contains(logOutput, "handling suicide")
-//
-//	if !hasHandler {
-//		t.Errorf("suicide handler does not appear to be registered\nLog:\n%s", logOutput)
-//	}
-//}
-//
-//func TestServer_registerLeaderSubscriptions_includesSuicide(t *testing.T) {
-//	log, buf := logging.NewTestLogger(t.Name())
-//	defer test.ShowBufferOnFailure(t, buf)
-//
-//	ctx := test.Context(t)
-//
-//	harness := NewEngineHarness(log)
-//	pubSub := events.NewPubSub(ctx, log)
-//
-//	svc := newTestMgmtSvc(t, log)
-//
-//	srv := &server{
-//		log:        log,
-//		harness:    harness,
-//		pubSub:     pubSub,
-//		evtLogger:  control.NewEvenEventtLogger(log),
-//		membership: svc.membership,
-//		sysdb:      svc.sysdb,
-//		mgmtSvc:    svc,
-//	}
-//
-//	registerLeaderSubscriptions(srv)
-//
-//	evt := &events.RASEvent{
-//		ID:          events.RASEngineSuicide,
-//		Rank:        1,
-//		Incarnation: 42,
-//		Hostname:    "test-host",
-//		Timestamp:   time.Now().Format(time.RFC3339),
-//	}
-//
-//	pubSub.Publish(evt)
-//	time.Sleep(100 * time.Millisecond)
-//
-//	logOutput := buf.String()
-//	hasHandler := strings.Contains(logOutput, "handleEngineSuicide") ||
-//		strings.Contains(logOutput, "no instance found") ||
-//		strings.Contains(logOutput, "handling suicide")
-//
-//	if !hasHandler {
-//		t.Errorf("suicide handler does not appear to be registered\nLog:\n%s", logOutput)
-//	}
-//}
+func TestServer_registerFollowerSubscriptions_includesSuicide(t *testing.T) {
+	log, buf := logging.NewTestLogger(t.Name())
+	defer test.ShowBufferOnFailure(t, buf)
+
+	ctx := test.Context(t)
+
+	harness := NewEngineHarness(log)
+	pubSub := events.NewPubSub(ctx, log)
+
+	// Channel to signal when ANY handler processes the event
+	eventProcessed := make(chan struct{})
+	var once sync.Once
+
+	srv := &server{
+		log:       log,
+		harness:   harness,
+		pubSub:    pubSub,
+		evtLogger: control.MockEventLogger(log),
+	}
+
+	registerFollowerSubscriptions(srv)
+
+	// Add a secondary subscriber to detect when event is processed
+	// This ensures the event has gone through the pubsub system
+	pubSub.Subscribe(events.RASTypeInfoOnly,
+		events.HandlerFunc(func(ctx context.Context, evt *events.RASEvent) {
+			if evt.ID == events.RASEngineSuicide {
+				once.Do(func() { close(eventProcessed) })
+			}
+		}))
+
+	// Give the subscription time to register in the eventLoop
+	time.Sleep(testSubscriptionDelay)
+
+	evt := &events.RASEvent{
+		ID:          events.RASEngineSuicide,
+		Type:        events.RASTypeInfoOnly,
+		Rank:        1,
+		Incarnation: 42,
+		Hostname:    "test-host",
+		Timestamp:   time.Now().Format(time.RFC3339),
+	}
+
+	pubSub.Publish(evt)
+
+	// Wait for event to be processed or timeout
+	select {
+	case <-eventProcessed:
+		// Event was processed
+	case <-time.After(testHandlerTimeout):
+		t.Fatal("timeout waiting for suicide event to be processed")
+	}
+
+	logOutput := buf.String()
+	hasHandler := strings.Contains(logOutput, "handleEngineSuicide") ||
+		strings.Contains(logOutput, "no instance found") ||
+		strings.Contains(logOutput, "handling suicide")
+
+	if !hasHandler {
+		t.Errorf("suicide handler does not appear to be registered\nLog:\n%s", logOutput)
+	}
+}
+
+func TestServer_registerLeaderSubscriptions_includesSuicide(t *testing.T) {
+	const testProcessingTimeout = 2 * time.Second
+
+	log, buf := logging.NewTestLogger(t.Name())
+	defer test.ShowBufferOnFailure(t, buf)
+
+	ctx := test.Context(t)
+
+	harness := NewEngineHarness(log)
+	pubSub := events.NewPubSub(ctx, log)
+
+	svc := newTestMgmtSvc(t, log)
+
+	// Channel to signal when ANY handler processes the event
+	eventProcessed := make(chan struct{})
+	var once sync.Once
+
+	srv := &server{
+		log:        log,
+		harness:    harness,
+		pubSub:     pubSub,
+		evtLogger:  control.MockEventLogger(log),
+		membership: svc.membership,
+		sysdb:      svc.sysdb,
+		mgmtSvc:    svc,
+	}
+
+	registerLeaderSubscriptions(srv)
+
+	// Add a secondary subscriber to detect when event is processed
+	// This ensures the event has gone through the pubsub system
+	pubSub.Subscribe(events.RASTypeInfoOnly,
+		events.HandlerFunc(func(ctx context.Context, evt *events.RASEvent) {
+			if evt.ID == events.RASEngineSuicide {
+				once.Do(func() { close(eventProcessed) })
+			}
+		}))
+
+	// Give the subscription time to register in the eventLoop
+	time.Sleep(testSubscriptionDelay)
+
+	evt := &events.RASEvent{
+		ID:          events.RASEngineSuicide,
+		Type:        events.RASTypeInfoOnly,
+		Rank:        1,
+		Incarnation: 42,
+		Hostname:    "test-host",
+		Timestamp:   time.Now().Format(time.RFC3339),
+	}
+
+	pubSub.Publish(evt)
+
+	// Wait for event to be processed or timeout
+	select {
+	case <-eventProcessed:
+		// Event was processed
+	case <-time.After(testProcessingTimeout):
+		t.Fatal("timeout waiting for suicide event to be processed")
+	}
+
+	logOutput := buf.String()
+	hasHandler := strings.Contains(logOutput, "handleEngineSuicide") ||
+		strings.Contains(logOutput, "no instance found") ||
+		strings.Contains(logOutput, "handling suicide")
+
+	if !hasHandler {
+		t.Errorf("suicide handler does not appear to be registered\nLog:\n%s", logOutput)
+	}
+}

From e9c689647056455d6f3c7408676eeaf0d9c5a74d Mon Sep 17 00:00:00 2001
From: Tom Nabarro <thomas.nabarro@hpe.com>
Date: Wed, 1 Apr 2026 19:56:57 +0100
Subject: [PATCH 07/45] rename suicide to self terminated

Features: control
Signed-off-by: Tom Nabarro <thomas.nabarro@hpe.com>
---
 docs/admin/administration.md            |  2 +-
 docs/overview/fault.md                  |  6 +-
 src/control/events/ras.go               |  2 +-
 src/control/server/server_utils.go      | 20 +++----
 src/control/server/server_utils_test.go | 74 ++++++++++++-------------
 src/engine/drpc_ras.c                   | 10 ++--
 src/engine/init.c                       |  6 +-
 src/include/daos_srv/ras.h              | 10 ++--
 8 files changed, 65 insertions(+), 65 deletions(-)

diff --git a/docs/admin/administration.md b/docs/admin/administration.md
index d9383c569c8..db8c753f994 100644
--- a/docs/admin/administration.md
+++ b/docs/admin/administration.md
@@ -55,7 +55,7 @@ severity, message, description, and cause.
 | engine\_died| STATE\_CHANGE| ERROR| DAOS engine <idx\> exited exited unexpectedly: <error\> | Indicates engine instance <idx\> unexpectedly. <error> describes the exit state returned from exited daos\_engine process.| N/A                          |
 | engine\_asserted| STATE\_CHANGE| ERROR| TBD| Indicates engine instance <idx\> threw a runtime assertion, causing a crash. | An unexpected internal state resulted in assert failure. |
 | engine\_clock\_drift| INFO\_ONLY   | ERROR| clock drift detected| Indicates CART comms layer has detected clock skew between engines.| NTP may not be syncing clocks across DAOS system.      |
-| engine\_suicide| INFO\_ONLY| NOTICE| excluded rank suicide detected| Indicates that a DAOS engine rank has performed a self-termination (suicide) due to having been excluded from the system's group map. The rank is automatically restarted by the control plane. | An engine was found to be in a transient non-functional state and excluded from the group map. The control plane monitors for this event and automatically restarts the affected engine so it can rejoin the system. |
+| engine\_self\_terminated| INFO\_ONLY| NOTICE| excluded rank self terminated detected| Indicates that a DAOS engine rank has performed a self-termination due to having been excluded from the system's group map. The rank is automatically restarted by the control plane. | An engine was found to be in a transient non-functional state and excluded from the group map. The control plane monitors for this event and automatically restarts the affected engine so it can rejoin the system. |
 | engine\_join\_failed| INFO\_ONLY| ERROR | DAOS engine <idx\> (rank <rank\>) was not allowed to join the system | Join operation failed for the given engine instance ID and rank (if assigned). | Reason should be provided in the extended info field of the event data. |
 | pool\_corruption\_detected| INFO\_ONLY| ERROR | Data corruption detected| Indicates a corruption in pool data has been detected. The event fields will contain pool and container UUIDs. | A corruption was found by the checksum scrubber. |
 | pool\_destroy\_deferred| INFO\_ONLY| WARNING | pool:<uuid\> destroy is deferred| Indicates a destroy operation has been deferre. | Pool destroy in progress but not complete. |
diff --git a/docs/overview/fault.md b/docs/overview/fault.md
index 8abcf451274..92f14a1aa68 100644
--- a/docs/overview/fault.md
+++ b/docs/overview/fault.md
@@ -89,14 +89,14 @@ and updating objects.
 
 A DAOS engine may be excluded from the group map because of inactivity
 for example. When an engine becomes aware of it's removal from the
-group map it will self-terminate (referred to as "suicide") to protect
+group map it will self-terminate to protect
 data integrity and system stability.
 
-When an engine commits suicide, it raises a `engine_suicide` RAS event
+When an engine self terminates, it raises a `engine_self_terminated` RAS event
 (INFO_ONLY, NOTICE severity) containing the rank and incarnation information.
 The control plane automatically handles this event by:
 
-1. Detecting the suicide event through the RAS event system
+1. Detecting the engine self terminated event through the RAS event system
 2. Identifying the engine instance associated with the rank
 3. Waiting for the engine process to fully stop
 4. Automatically restarting the engine to rejoin the system
diff --git a/src/control/events/ras.go b/src/control/events/ras.go
index 8b925183dfa..bf7446fe4bd 100644
--- a/src/control/events/ras.go
+++ b/src/control/events/ras.go
@@ -49,7 +49,7 @@ const (
 	RASUnknownEvent            RASID = C.RAS_UNKNOWN_EVENT
 	RASEngineFormatRequired    RASID = C.RAS_ENGINE_FORMAT_REQUIRED     // notice
 	RASEngineDied              RASID = C.RAS_ENGINE_DIED                // error
-	RASEngineSuicide           RASID = C.RAS_ENGINE_SUICIDE             // notice
+	RASEngineSelfTerminated    RASID = C.RAS_ENGINE_SELF_TERMINATED     // notice
 	RASPoolRepsUpdate          RASID = C.RAS_POOL_REPS_UPDATE           // info
 	RASSwimRankAlive           RASID = C.RAS_SWIM_RANK_ALIVE            // info
 	RASSwimRankDead            RASID = C.RAS_SWIM_RANK_DEAD             // info
diff --git a/src/control/server/server_utils.go b/src/control/server/server_utils.go
index 550eb7bee0f..01141c7edbe 100644
--- a/src/control/server/server_utils.go
+++ b/src/control/server/server_utils.go
@@ -769,10 +769,10 @@ func registerTelemetryCallbacks(ctx context.Context, srv *server) {
 	})
 }
 
-// Handle local engine suicide and restart engine to rejoin system.
-func handleEngineSuicide(ctx context.Context, srv *server, evt *events.RASEvent) error {
+// Handle local engine self termination and restart engine to rejoin system.
+func handleEngineSelfTerminated(ctx context.Context, srv *server, evt *events.RASEvent) error {
 
-	srv.log.Infof("handling suicide")
+	srv.log.Infof("handling engine self termination")
 
 	ts, err := evt.GetTimestamp()
 	if err != nil {
@@ -793,7 +793,7 @@ func handleEngineSuicide(ctx context.Context, srv *server, evt *events.RASEvent)
 	}
 	engine := instances[0]
 
-	srv.log.Infof("%s was notified @ %s of rank %d:%d (instance %d) suicide", ts, evt.Hostname,
+	srv.log.Infof("%s was notified @ %s of rank %d:%d (instance %d) self terminated", ts, evt.Hostname,
 		evt.Rank, evt.Incarnation, engine.Index())
 
 	// Wait until engine is stopped.
@@ -818,9 +818,9 @@ func registerFollowerSubscriptions(srv *server) {
 	srv.pubSub.Subscribe(events.RASTypeInfoOnly,
 		events.HandlerFunc(func(ctx context.Context, evt *events.RASEvent) {
 			switch evt.ID {
-			case events.RASEngineSuicide:
-				if err := handleEngineSuicide(ctx, srv, evt); err != nil {
-					srv.log.Errorf("handleEngineSuicide: %s", err)
+			case events.RASEngineSelfTerminated:
+				if err := handleEngineSelfTerminated(ctx, srv, evt); err != nil {
+					srv.log.Errorf("handleEngineSelfTerminated: %s", err)
 				}
 			}
 		}))
@@ -904,9 +904,9 @@ func registerLeaderSubscriptions(srv *server) {
 	srv.pubSub.Subscribe(events.RASTypeInfoOnly,
 		events.HandlerFunc(func(ctx context.Context, evt *events.RASEvent) {
 			switch evt.ID {
-			case events.RASEngineSuicide:
-				if err := handleEngineSuicide(ctx, srv, evt); err != nil {
-					srv.log.Errorf("handleEngineSuicide: %s", err)
+			case events.RASEngineSelfTerminated:
+				if err := handleEngineSelfTerminated(ctx, srv, evt); err != nil {
+					srv.log.Errorf("handleEngineSelfTerminated: %s", err)
 				}
 			}
 		}))
diff --git a/src/control/server/server_utils_test.go b/src/control/server/server_utils_test.go
index e7bdbde8b70..a1a29185034 100644
--- a/src/control/server/server_utils_test.go
+++ b/src/control/server/server_utils_test.go
@@ -1995,7 +1995,7 @@ const (
 	testSubscriptionDelay = 50 * time.Millisecond
 )
 
-func TestServer_handleEngineSuicide(t *testing.T) {
+func TestServer_handleEngineSelfTerminated(t *testing.T) {
 	const testRestartRequestWait = 2 * time.Second
 
 	testRank := ranklist.Rank(1)
@@ -2031,7 +2031,7 @@ func TestServer_handleEngineSuicide(t *testing.T) {
 	}{
 		"nil event timestamp": {
 			evt: &events.RASEvent{
-				ID:          events.RASEngineSuicide,
+				ID:          events.RASEngineSelfTerminated,
 				Rank:        uint32(testRank),
 				Incarnation: testIncarnation,
 				Hostname:    testHostname,
@@ -2042,7 +2042,7 @@ func TestServer_handleEngineSuicide(t *testing.T) {
 		},
 		"invalid event timestamp": {
 			evt: &events.RASEvent{
-				ID:          events.RASEngineSuicide,
+				ID:          events.RASEngineSelfTerminated,
 				Rank:        uint32(testRank),
 				Incarnation: testIncarnation,
 				Hostname:    testHostname,
@@ -2053,7 +2053,7 @@ func TestServer_handleEngineSuicide(t *testing.T) {
 		},
 		"rank not found in harness": {
 			evt: &events.RASEvent{
-				ID:          events.RASEngineSuicide,
+				ID:          events.RASEngineSelfTerminated,
 				Rank:        99, // Non-existent rank
 				Incarnation: testIncarnation,
 				Hostname:    testHostname,
@@ -2071,7 +2071,7 @@ func TestServer_handleEngineSuicide(t *testing.T) {
 		},
 		"filter instances error - nil superblock": {
 			evt: &events.RASEvent{
-				ID:          events.RASEngineSuicide,
+				ID:          events.RASEngineSelfTerminated,
 				Rank:        uint32(testRank),
 				Incarnation: testIncarnation,
 				Hostname:    testHostname,
@@ -2089,7 +2089,7 @@ func TestServer_handleEngineSuicide(t *testing.T) {
 		},
 		"successful restart - engine already stopped": {
 			evt: &events.RASEvent{
-				ID:          events.RASEngineSuicide,
+				ID:          events.RASEngineSelfTerminated,
 				Rank:        uint32(testRank),
 				Incarnation: testIncarnation,
 				Hostname:    testHostname,
@@ -2100,13 +2100,13 @@ func TestServer_handleEngineSuicide(t *testing.T) {
 			},
 			expEngineRestarted: true,
 			expLogContains: []string{
-				fmt.Sprintf("rank %d:%d (instance 0) suicide", testRank, testIncarnation),
+				fmt.Sprintf("rank %d:%d (instance 0) self terminated", testRank, testIncarnation),
 				testHostname,
 			},
 		},
 		"timeout waiting for engine to stop": {
 			evt: &events.RASEvent{
-				ID:          events.RASEngineSuicide,
+				ID:          events.RASEngineSelfTerminated,
 				Rank:        uint32(testRank),
 				Incarnation: testIncarnation,
 				Hostname:    testHostname,
@@ -2120,7 +2120,7 @@ func TestServer_handleEngineSuicide(t *testing.T) {
 		},
 		"multiple engines - restart correct one": {
 			evt: &events.RASEvent{
-				ID:          events.RASEngineSuicide,
+				ID:          events.RASEngineSelfTerminated,
 				Rank:        2,
 				Incarnation: testIncarnation,
 				Hostname:    testHostname,
@@ -2133,7 +2133,7 @@ func TestServer_handleEngineSuicide(t *testing.T) {
 			},
 			expEngineRestarted: true,
 			expLogContains: []string{
-				"rank 2:42 (instance 2) suicide",
+				"rank 2:42 (instance 2) self terminated",
 			},
 		},
 	} {
@@ -2185,7 +2185,7 @@ func TestServer_handleEngineSuicide(t *testing.T) {
 				}
 			}
 
-			err := handleEngineSuicide(ctx, srv, tc.evt)
+			err := handleEngineSelfTerminated(ctx, srv, tc.evt)
 			wg.Wait()
 
 			test.CmpErr(t, tc.expErr, err)
@@ -2206,7 +2206,7 @@ func TestServer_handleEngineSuicide(t *testing.T) {
 	}
 }
 
-func TestServer_handleEngineSuicide_ErrorHandling(t *testing.T) {
+func TestServer_handleEngineSelfTerminated_ErrorHandling(t *testing.T) {
 	log, buf := logging.NewTestLogger(t.Name())
 	defer test.ShowBufferOnFailure(t, buf)
 
@@ -2230,10 +2230,10 @@ func TestServer_handleEngineSuicide_ErrorHandling(t *testing.T) {
 		events.HandlerFunc(func(ctx context.Context, evt *events.RASEvent) {
 			log.Debugf("ErrorHandling test handler called for event: ID=%v, Type=%v", evt.ID, evt.Type)
 			switch evt.ID {
-			case events.RASEngineSuicide:
-				log.Debugf("ErrorHandling test handling suicide event")
-				if err := handleEngineSuicide(ctx, srv, evt); err != nil {
-					srv.log.Errorf("handleEngineSuicide: %s", err)
+			case events.RASEngineSelfTerminated:
+				log.Debugf("ErrorHandling test handling engine self termination event")
+				if err := handleEngineSelfTerminated(ctx, srv, evt); err != nil {
+					srv.log.Errorf("handleEngineSelfTerminated: %s", err)
 				}
 				once.Do(func() { close(handlerDone) })
 			}
@@ -2243,7 +2243,7 @@ func TestServer_handleEngineSuicide_ErrorHandling(t *testing.T) {
 	time.Sleep(testSubscriptionDelay)
 
 	evt := &events.RASEvent{
-		ID:          events.RASEngineSuicide,
+		ID:          events.RASEngineSelfTerminated,
 		Type:        events.RASTypeInfoOnly,
 		Rank:        1,
 		Incarnation: 42,
@@ -2262,7 +2262,7 @@ func TestServer_handleEngineSuicide_ErrorHandling(t *testing.T) {
 	}
 
 	t.Log(buf.String())
-	if !strings.Contains(buf.String(), "handleEngineSuicide") {
+	if !strings.Contains(buf.String(), "handleEngineSelfTerminated") {
 		t.Error("expected error to be logged by handler")
 	}
 	if !strings.Contains(buf.String(), "no instance found") {
@@ -2270,7 +2270,7 @@ func TestServer_handleEngineSuicide_ErrorHandling(t *testing.T) {
 	}
 }
 
-func TestServer_handleEngineSuicide_EdgeCases(t *testing.T) {
+func TestServer_handleEngineSelfTerminated_EdgeCases(t *testing.T) {
 	validTimestamp := time.Now().Format(time.RFC3339)
 
 	for name, tc := range map[string]struct {
@@ -2279,7 +2279,7 @@ func TestServer_handleEngineSuicide_EdgeCases(t *testing.T) {
 	}{
 		"zero incarnation": {
 			evt: &events.RASEvent{
-				ID:          events.RASEngineSuicide,
+				ID:          events.RASEngineSelfTerminated,
 				Rank:        1,
 				Incarnation: 0,
 				Hostname:    "test-host",
@@ -2289,7 +2289,7 @@ func TestServer_handleEngineSuicide_EdgeCases(t *testing.T) {
 		},
 		"very high rank number": {
 			evt: &events.RASEvent{
-				ID:          events.RASEngineSuicide,
+				ID:          events.RASEngineSelfTerminated,
 				Rank:        999999,
 				Incarnation: 1,
 				Hostname:    "test-host",
@@ -2299,7 +2299,7 @@ func TestServer_handleEngineSuicide_EdgeCases(t *testing.T) {
 		},
 		"max incarnation value": {
 			evt: &events.RASEvent{
-				ID:          events.RASEngineSuicide,
+				ID:          events.RASEngineSelfTerminated,
 				Rank:        1,
 				Incarnation: ^uint64(0),
 				Hostname:    "test-host",
@@ -2321,7 +2321,7 @@ func TestServer_handleEngineSuicide_EdgeCases(t *testing.T) {
 				harness: harness,
 			}
 
-			err := handleEngineSuicide(ctx, srv, tc.evt)
+			err := handleEngineSelfTerminated(ctx, srv, tc.evt)
 
 			if err == nil {
 				t.Fatalf("expected error, got nil")
@@ -2335,7 +2335,7 @@ func TestServer_handleEngineSuicide_EdgeCases(t *testing.T) {
 	}
 }
 
-func TestServer_registerFollowerSubscriptions_includesSuicide(t *testing.T) {
+func TestServer_registerFollowerSubscriptions_includesSelfTerminated(t *testing.T) {
 	log, buf := logging.NewTestLogger(t.Name())
 	defer test.ShowBufferOnFailure(t, buf)
 
@@ -2361,7 +2361,7 @@ func TestServer_registerFollowerSubscriptions_includesSuicide(t *testing.T) {
 	// This ensures the event has gone through the pubsub system
 	pubSub.Subscribe(events.RASTypeInfoOnly,
 		events.HandlerFunc(func(ctx context.Context, evt *events.RASEvent) {
-			if evt.ID == events.RASEngineSuicide {
+			if evt.ID == events.RASEngineSelfTerminated {
 				once.Do(func() { close(eventProcessed) })
 			}
 		}))
@@ -2370,7 +2370,7 @@ func TestServer_registerFollowerSubscriptions_includesSuicide(t *testing.T) {
 	time.Sleep(testSubscriptionDelay)
 
 	evt := &events.RASEvent{
-		ID:          events.RASEngineSuicide,
+		ID:          events.RASEngineSelfTerminated,
 		Type:        events.RASTypeInfoOnly,
 		Rank:        1,
 		Incarnation: 42,
@@ -2385,20 +2385,20 @@ func TestServer_registerFollowerSubscriptions_includesSuicide(t *testing.T) {
 	case <-eventProcessed:
 		// Event was processed
 	case <-time.After(testHandlerTimeout):
-		t.Fatal("timeout waiting for suicide event to be processed")
+		t.Fatal("timeout waiting for engine self terminated event to be processed")
 	}
 
 	logOutput := buf.String()
-	hasHandler := strings.Contains(logOutput, "handleEngineSuicide") ||
+	hasHandler := strings.Contains(logOutput, "handleEngineSelfTerminated") ||
 		strings.Contains(logOutput, "no instance found") ||
-		strings.Contains(logOutput, "handling suicide")
+		strings.Contains(logOutput, "handling engine self termination")
 
 	if !hasHandler {
-		t.Errorf("suicide handler does not appear to be registered\nLog:\n%s", logOutput)
+		t.Errorf("engine self termination handler does not appear to be registered\nLog:\n%s", logOutput)
 	}
 }
 
-func TestServer_registerLeaderSubscriptions_includesSuicide(t *testing.T) {
+func TestServer_registerLeaderSubscriptions_includesSelfTerminated(t *testing.T) {
 	const testProcessingTimeout = 2 * time.Second
 
 	log, buf := logging.NewTestLogger(t.Name())
@@ -2431,7 +2431,7 @@ func TestServer_registerLeaderSubscriptions_includesSuicide(t *testing.T) {
 	// This ensures the event has gone through the pubsub system
 	pubSub.Subscribe(events.RASTypeInfoOnly,
 		events.HandlerFunc(func(ctx context.Context, evt *events.RASEvent) {
-			if evt.ID == events.RASEngineSuicide {
+			if evt.ID == events.RASEngineSelfTerminated {
 				once.Do(func() { close(eventProcessed) })
 			}
 		}))
@@ -2440,7 +2440,7 @@ func TestServer_registerLeaderSubscriptions_includesSuicide(t *testing.T) {
 	time.Sleep(testSubscriptionDelay)
 
 	evt := &events.RASEvent{
-		ID:          events.RASEngineSuicide,
+		ID:          events.RASEngineSelfTerminated,
 		Type:        events.RASTypeInfoOnly,
 		Rank:        1,
 		Incarnation: 42,
@@ -2455,15 +2455,15 @@ func TestServer_registerLeaderSubscriptions_includesSuicide(t *testing.T) {
 	case <-eventProcessed:
 		// Event was processed
 	case <-time.After(testProcessingTimeout):
-		t.Fatal("timeout waiting for suicide event to be processed")
+		t.Fatal("timeout waiting for engine self terminated event to be processed")
 	}
 
 	logOutput := buf.String()
-	hasHandler := strings.Contains(logOutput, "handleEngineSuicide") ||
+	hasHandler := strings.Contains(logOutput, "handleEngineSelfTerminated") ||
 		strings.Contains(logOutput, "no instance found") ||
-		strings.Contains(logOutput, "handling suicide")
+		strings.Contains(logOutput, "handling engine self termination")
 
 	if !hasHandler {
-		t.Errorf("suicide handler does not appear to be registered\nLog:\n%s", logOutput)
+		t.Errorf("engine self termination handler does not appear to be registered\nLog:\n%s", logOutput)
 	}
 }
diff --git a/src/engine/drpc_ras.c b/src/engine/drpc_ras.c
index d1b62fdbb60..6287a1115e2 100644
--- a/src/engine/drpc_ras.c
+++ b/src/engine/drpc_ras.c
@@ -369,14 +369,14 @@ ds_notify_swim_rank_dead(d_rank_t rank, uint64_t incarnation)
 }
 
 int
-ds_notify_rank_suicide(d_rank_t rank, uint64_t incarnation)
+ds_notify_rank_self_terminated(d_rank_t rank, uint64_t incarnation)
 {
 	Shared__RASEvent evt = SHARED__RASEVENT__INIT;
 
-	return raise_ras(RAS_ENGINE_SUICIDE, "excluded rank suicide detected", RAS_TYPE_INFO,
-			 RAS_SEV_NOTICE, NULL /* hwid */, &rank /* rank */, &incarnation /* inc */,
-			 NULL /* jobid */, NULL /* pool */, NULL /* cont */, NULL /* objid */,
-			 NULL /* ctlop */, &evt, false /* wait_for_resp */);
+	return raise_ras(RAS_ENGINE_SELF_TERMINATED, "excluded rank self terminated detected",
+			 RAS_TYPE_INFO, RAS_SEV_NOTICE, NULL /* hwid */, &rank /* rank */,
+			 &incarnation /* inc */, NULL /* jobid */, NULL /* pool */, NULL /* cont */,
+			 NULL /* objid */, NULL /* ctlop */, &evt, false /* wait_for_resp */);
 }
 
 void
diff --git a/src/engine/init.c b/src/engine/init.c
index 887a49613c6..6820131cbcf 100644
--- a/src/engine/init.c
+++ b/src/engine/init.c
@@ -599,11 +599,11 @@ dss_crt_event_cb(d_rank_t rank, uint64_t incarnation, enum crt_event_source src,
 			       self_rank);
 
 			/**
-			 * Send RAS event to inform local server of intentional suicide before
-			 * raising a SIGKILL to ourselves. Local daos_server can then decide
+			 * Send RAS event to inform local server of intentional self termination
+			 * before raising a SIGKILL to ourselves. Local daos_server can then decide
 			 * whether to restart rank.
 			 */
-			rc = ds_notify_rank_suicide(rank, incarnation);
+			rc = ds_notify_rank_self_terminated(rank, incarnation);
 			if (rc)
 				D_ERROR("failed to handle %u/%u event: " DF_RC "\n", src, type,
 					DP_RC(rc));
diff --git a/src/include/daos_srv/ras.h b/src/include/daos_srv/ras.h
index 1ae83c75151..5a895c33116 100644
--- a/src/include/daos_srv/ras.h
+++ b/src/include/daos_srv/ras.h
@@ -43,7 +43,7 @@
 	X(RAS_ENGINE_DIED, "engine_died")                                                          \
 	X(RAS_ENGINE_ASSERTED, "engine_asserted")                                                  \
 	X(RAS_ENGINE_CLOCK_DRIFT, "engine_clock_drift")                                            \
-	X(RAS_ENGINE_SUICIDE, "engine_suicide")                                                    \
+	X(RAS_ENGINE_SELF_TERMINATED, "engine_self_terminated")                                    \
 	X(RAS_POOL_CORRUPTION_DETECTED, "pool_corruption_detected")                                \
 	X(RAS_POOL_REBUILD_START, "pool_rebuild_started")                                          \
 	X(RAS_POOL_REBUILD_END, "pool_rebuild_finished")                                           \
@@ -240,15 +240,15 @@ int
 ds_notify_swim_rank_dead(d_rank_t rank, uint64_t incarnation);
 
 /**
- * Notify control plane that an excluded engine has committed suicide.
+ * Notify control plane that an excluded engine has self terminated.
  *
- * \param[in] rank		Rank that committed suicide.
- * \param[in] incarnation	Incarnation of rank that committed suicide.
+ * \param[in] rank		Rank that self terminated.
+ * \param[in] incarnation	Incarnation of rank that self terminated.
  *
  * \retval		Zero on success, non-zero otherwise.
  */
 int
-ds_notify_rank_suicide(d_rank_t rank, uint64_t incarnation);
+ds_notify_rank_self_terminated(d_rank_t rank, uint64_t incarnation);
 
 /**
  * List all the known pools from control plane (MS).

From d903017184dad08fb59a9be4bd300b095a7322dd Mon Sep 17 00:00:00 2001
From: Tom Nabarro <thomas.nabarro@hpe.com>
Date: Wed, 1 Apr 2026 22:22:06 +0100
Subject: [PATCH 08/45] rename registerFollowerSubscriptions to
 registerSubscriptions

Signed-off-by: Tom Nabarro <thomas.nabarro@hpe.com>
---
 src/control/server/server.go            |  4 ++--
 src/control/server/server_utils.go      | 18 +++++++++++-------
 src/control/server/server_utils_test.go |  7 +++++--
 3 files changed, 18 insertions(+), 11 deletions(-)

diff --git a/src/control/server/server.go b/src/control/server/server.go
index 4ea72603f3d..dfcdbe23690 100644
--- a/src/control/server/server.go
+++ b/src/control/server/server.go
@@ -464,7 +464,7 @@ func (srv *server) setupGrpc() error {
 }
 
 func (srv *server) registerEvents() {
-	registerFollowerSubscriptions(srv)
+	registerSubscriptions(srv)
 
 	srv.sysdb.OnLeadershipGained(
 		func(ctx context.Context) error {
@@ -505,7 +505,7 @@ func (srv *server) registerEvents() {
 	)
 	srv.sysdb.OnLeadershipLost(func() error {
 		srv.log.Infof("MS leader no longer running on %s", srv.hostname)
-		registerFollowerSubscriptions(srv)
+		registerSubscriptions(srv)
 		return nil
 	})
 }
diff --git a/src/control/server/server_utils.go b/src/control/server/server_utils.go
index 01141c7edbe..6bf372f446c 100644
--- a/src/control/server/server_utils.go
+++ b/src/control/server/server_utils.go
@@ -807,11 +807,12 @@ func handleEngineSelfTerminated(ctx context.Context, srv *server, evt *events.RA
 	return nil
 }
 
-// registerFollowerSubscriptions stops handling received forwarded (in addition
-// to local) events and starts forwarding events to the new MS leader.
-// Log events on the host that they were raised (and first published) on.
-// This is the initial behavior before leadership has been determined.
-func registerFollowerSubscriptions(srv *server) {
+// registerSubscriptions doesn't handle received forwarded events but forwardable events are sent to
+// the MS leader. Received events are logged on the host that they were raised (and first published)
+// on. This is the initial behavior for all servers and only changes when leadership has been
+// determined (when we change subscribers via registerLeaderSubscriptions). A handler is subscribed
+// for local engine self-termination events.
+func registerSubscriptions(srv *server) {
 	srv.pubSub.Reset()
 	srv.pubSub.Subscribe(events.RASTypeAny, srv.evtLogger)
 	srv.pubSub.Subscribe(events.RASTypeStateChange, srv.evtForwarder)
@@ -887,8 +888,11 @@ func handleRankDead(ctx context.Context, srv *server, evt *events.RASEvent) {
 	}
 }
 
-// registerLeaderSubscriptions stops forwarding events to MS and instead starts
-// handling received forwarded (and local) events.
+// registerLeaderSubscriptions doesn't forward events to MS but instead handles received events by
+// subscribing the management service membership and system-DB to StateChange event-type. Received
+// events are logged on the host that they were raised (and first published) on. This behavior is
+// triggered when a new leader steps-up. A handler is subscribed for local engine self-termination
+// events and another for handling forwarded rank-dead events.
 func registerLeaderSubscriptions(srv *server) {
 	srv.pubSub.Reset()
 	srv.pubSub.Subscribe(events.RASTypeAny, srv.evtLogger)
diff --git a/src/control/server/server_utils_test.go b/src/control/server/server_utils_test.go
index a1a29185034..7e7daa9fc71 100644
--- a/src/control/server/server_utils_test.go
+++ b/src/control/server/server_utils_test.go
@@ -2335,7 +2335,7 @@ func TestServer_handleEngineSelfTerminated_EdgeCases(t *testing.T) {
 	}
 }
 
-func TestServer_registerFollowerSubscriptions_includesSelfTerminated(t *testing.T) {
+func TestServer_registerSubscriptions_includesSelfTerminated(t *testing.T) {
 	log, buf := logging.NewTestLogger(t.Name())
 	defer test.ShowBufferOnFailure(t, buf)
 
@@ -2353,9 +2353,12 @@ func TestServer_registerFollowerSubscriptions_includesSelfTerminated(t *testing.
 		harness:   harness,
 		pubSub:    pubSub,
 		evtLogger: control.MockEventLogger(log),
+		cfg: &config.Server{
+			DisableAutoEngineRestart: false,
+		},
 	}
 
-	registerFollowerSubscriptions(srv)
+	registerSubscriptions(srv)
 
 	// Add a secondary subscriber to detect when event is processed
 	// This ensures the event has gone through the pubsub system

From 2b8b16f1fc3def8cb3209e733a3f8a2c6eb5ca64 Mon Sep 17 00:00:00 2001
From: Tom Nabarro <thomas.nabarro@hpe.com>
Date: Wed, 1 Apr 2026 22:24:13 +0100
Subject: [PATCH 09/45] add flag to disable automatic engine restart

Features: control
Signed-off-by: Tom Nabarro <thomas.nabarro@hpe.com>
---
 docs/overview/fault.md                  |  8 +++++
 src/control/cmd/dmg/auto_test.go        |  1 +
 src/control/server/config/server.go     |  3 +-
 src/control/server/server_utils.go      |  6 ++++
 src/control/server/server_utils_test.go | 40 +++++++++++++++++++++----
 5 files changed, 52 insertions(+), 6 deletions(-)

diff --git a/docs/overview/fault.md b/docs/overview/fault.md
index 92f14a1aa68..f2bae61ebbf 100644
--- a/docs/overview/fault.md
+++ b/docs/overview/fault.md
@@ -109,3 +109,11 @@ system with a new incarnation number and resume normal operations.
 This self-healing mechanism allows DAOS to automatically recover from
 transient engine failures without administrator intervention, improving
 overall system availability.
+
+#### Disabling Automatic Restart
+
+The automatic restart behavior can be disabled by setting the
+`disable_auto_engine_restart` configuration option to `true` in the
+daos_server.yml file. When disabled, engines that self-terminate will
+not be automatically restarted by the control plane, requiring manual
+intervention to restart the affected engine instances.
diff --git a/src/control/cmd/dmg/auto_test.go b/src/control/cmd/dmg/auto_test.go
index bec414701d2..d67231c14a7 100644
--- a/src/control/cmd/dmg/auto_test.go
+++ b/src/control/cmd/dmg/auto_test.go
@@ -606,6 +606,7 @@ mgmt_svc_replicas:
 - hostX:10002
 fault_cb: ""
 hyperthreads: false
+disable_auto_engine_restart: false
 `
 	)
 
diff --git a/src/control/server/config/server.go b/src/control/server/config/server.go
index c6a808baf29..8cad5d97973 100644
--- a/src/control/server/config/server.go
+++ b/src/control/server/config/server.go
@@ -98,7 +98,8 @@ type Server struct {
 	Path string `yaml:"-"` // path to config file
 
 	// Behavior flags
-	AutoFormat bool `yaml:"-"`
+	AutoFormat               bool `yaml:"-"`
+	DisableAutoEngineRestart bool `yaml:"disable_auto_engine_restart"`
 
 	deprecatedParams `yaml:",inline"`
 }
diff --git a/src/control/server/server_utils.go b/src/control/server/server_utils.go
index 6bf372f446c..6edc044ad35 100644
--- a/src/control/server/server_utils.go
+++ b/src/control/server/server_utils.go
@@ -774,6 +774,12 @@ func handleEngineSelfTerminated(ctx context.Context, srv *server, evt *events.RA
 
 	srv.log.Infof("handling engine self termination")
 
+	// Check if automatic restart is disabled
+	if srv.cfg.DisableAutoEngineRestart {
+		srv.log.Infof("automatic engine restart disabled by configuration")
+		return nil
+	}
+
 	ts, err := evt.GetTimestamp()
 	if err != nil {
 		return errors.Wrapf(err, "bad event timestamp %q", evt.Timestamp)
diff --git a/src/control/server/server_utils_test.go b/src/control/server/server_utils_test.go
index 7e7daa9fc71..46c2833dbd1 100644
--- a/src/control/server/server_utils_test.go
+++ b/src/control/server/server_utils_test.go
@@ -2023,12 +2023,30 @@ func TestServer_handleEngineSelfTerminated(t *testing.T) {
 	}
 
 	for name, tc := range map[string]struct {
-		evt                *events.RASEvent
-		setupEngines       func(*testing.T, logging.Logger, *EngineHarness)
-		expErr             error
-		expEngineRestarted bool
-		expLogContains     []string
+		evt                      *events.RASEvent
+		setupEngines             func(*testing.T, logging.Logger, *EngineHarness)
+		disableAutoEngineRestart bool
+		expErr                   error
+		expEngineRestarted       bool
+		expLogContains           []string
 	}{
+		"auto restart disabled by config": {
+			evt: &events.RASEvent{
+				ID:          events.RASEngineSelfTerminated,
+				Rank:        uint32(testRank),
+				Incarnation: testIncarnation,
+				Hostname:    testHostname,
+				Timestamp:   validTimestamp,
+			},
+			setupEngines: func(t *testing.T, log logging.Logger, h *EngineHarness) {
+				setupEngine(t, log, h, false)
+			},
+			disableAutoEngineRestart: true,
+			expEngineRestarted:       false,
+			expLogContains: []string{
+				"automatic engine restart disabled",
+			},
+		},
 		"nil event timestamp": {
 			evt: &events.RASEvent{
 				ID:          events.RASEngineSelfTerminated,
@@ -2153,6 +2171,9 @@ func TestServer_handleEngineSelfTerminated(t *testing.T) {
 			srv := &server{
 				log:     log,
 				harness: harness,
+				cfg: &config.Server{
+					DisableAutoEngineRestart: tc.disableAutoEngineRestart,
+				},
 			}
 
 			var wg sync.WaitGroup
@@ -2224,6 +2245,9 @@ func TestServer_handleEngineSelfTerminated_ErrorHandling(t *testing.T) {
 		harness:   harness,
 		pubSub:    pubSub,
 		evtLogger: control.MockEventLogger(log),
+		cfg: &config.Server{
+			DisableAutoEngineRestart: false,
+		},
 	}
 
 	srv.pubSub.Subscribe(events.RASTypeInfoOnly,
@@ -2319,6 +2343,9 @@ func TestServer_handleEngineSelfTerminated_EdgeCases(t *testing.T) {
 			srv := &server{
 				log:     log,
 				harness: harness,
+				cfg: &config.Server{
+					DisableAutoEngineRestart: false,
+				},
 			}
 
 			err := handleEngineSelfTerminated(ctx, srv, tc.evt)
@@ -2426,6 +2453,9 @@ func TestServer_registerLeaderSubscriptions_includesSelfTerminated(t *testing.T)
 		membership: svc.membership,
 		sysdb:      svc.sysdb,
 		mgmtSvc:    svc,
+		cfg: &config.Server{
+			DisableAutoEngineRestart: false,
+		},
 	}
 
 	registerLeaderSubscriptions(srv)

From a593f54370639f95478572d539d8568c09b560ba Mon Sep 17 00:00:00 2001
From: Tom Nabarro <thomas.nabarro@hpe.com>
Date: Wed, 1 Apr 2026 22:35:18 +0100
Subject: [PATCH 10/45] fix intermittent test fails with delay before txt comp

Features: control
Signed-off-by: Tom Nabarro <thomas.nabarro@hpe.com>
---
 src/control/server/server_utils_test.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/control/server/server_utils_test.go b/src/control/server/server_utils_test.go
index 46c2833dbd1..8d0cc62a966 100644
--- a/src/control/server/server_utils_test.go
+++ b/src/control/server/server_utils_test.go
@@ -1993,6 +1993,7 @@ const (
 	testContextTimeout    = 1 * time.Second
 	testHandlerTimeout    = 1 * time.Second
 	testSubscriptionDelay = 50 * time.Millisecond
+	testProcessingDelay   = 100 * time.Millisecond
 )
 
 func TestServer_handleEngineSelfTerminated(t *testing.T) {
@@ -2418,6 +2419,8 @@ func TestServer_registerSubscriptions_includesSelfTerminated(t *testing.T) {
 		t.Fatal("timeout waiting for engine self terminated event to be processed")
 	}
 
+	time.Sleep(testProcessingDelay)
+
 	logOutput := buf.String()
 	hasHandler := strings.Contains(logOutput, "handleEngineSelfTerminated") ||
 		strings.Contains(logOutput, "no instance found") ||
@@ -2491,6 +2494,8 @@ func TestServer_registerLeaderSubscriptions_includesSelfTerminated(t *testing.T)
 		t.Fatal("timeout waiting for engine self terminated event to be processed")
 	}
 
+	time.Sleep(testProcessingDelay)
+
 	logOutput := buf.String()
 	hasHandler := strings.Contains(logOutput, "handleEngineSelfTerminated") ||
 		strings.Contains(logOutput, "no instance found") ||

From f445e51deb00984f3e93e73b48cec27a4b37de90 Mon Sep 17 00:00:00 2001
From: Tom Nabarro <thomas.nabarro@hpe.com>
Date: Wed, 1 Apr 2026 23:48:07 +0100
Subject: [PATCH 11/45] implement basic rate limiting

Features: control
Signed-off-by: Tom Nabarro <thomas.nabarro@hpe.com>
---
 src/control/server/config/server.go     |   9 +-
 src/control/server/server.go            |  20 ++--
 src/control/server/server_utils.go      |  31 ++++++-
 src/control/server/server_utils_test.go | 118 +++++++++++++++++++++++-
 utils/config/daos_server.yml            |  21 +++++
 5 files changed, 183 insertions(+), 16 deletions(-)

diff --git a/src/control/server/config/server.go b/src/control/server/config/server.go
index 8cad5d97973..8bfc7f79569 100644
--- a/src/control/server/config/server.go
+++ b/src/control/server/config/server.go
@@ -1,6 +1,6 @@
 //
-// (C) Copyright 2020-2024 Intel Corporation.
-// (C) Copyright 2025-2026 Hewlett Packard Enterprise Development LP
+// Copyright 2020-2024 Intel Corporation.
+// Copyright 2025-2026 Hewlett Packard Enterprise Development LP
 //
 // SPDX-License-Identifier: BSD-2-Clause-Patent
 //
@@ -98,8 +98,9 @@ type Server struct {
 	Path string `yaml:"-"` // path to config file
 
 	// Behavior flags
-	AutoFormat               bool `yaml:"-"`
-	DisableAutoEngineRestart bool `yaml:"disable_auto_engine_restart"`
+	AutoFormat                   bool `yaml:"-"`
+	DisableAutoEngineRestart     bool `yaml:"disable_auto_engine_restart"`
+	EngineRestartMinDelaySeconds int  `yaml:"engine_restart_min_delay_sec,omitempty"`
 
 	deprecatedParams `yaml:",inline"`
 }
diff --git a/src/control/server/server.go b/src/control/server/server.go
index eddfc86a2bd..59574d93203 100644
--- a/src/control/server/server.go
+++ b/src/control/server/server.go
@@ -1,6 +1,6 @@
 //
-// (C) Copyright 2018-2024 Intel Corporation.
-// (C) Copyright 2025-2026 Hewlett Packard Enterprise Development LP
+// Copyright 2018-2024 Intel Corporation.
+// Copyright 2025-2026 Hewlett Packard Enterprise Development LP
 //
 // SPDX-License-Identifier: BSD-2-Clause-Patent
 //
@@ -167,6 +167,9 @@ type server struct {
 	cbLock           sync.Mutex
 	onEnginesStarted []func(context.Context) error
 	onShutdown       []func()
+
+	rankRestartMu    sync.Mutex
+	rankRestartTimes map[uint32]time.Time
 }
 
 func newServer(log logging.Logger, cfg *config.Server, faultDomain *system.FaultDomain) (*server, error) {
@@ -183,12 +186,13 @@ func newServer(log logging.Logger, cfg *config.Server, faultDomain *system.Fault
 	harness := NewEngineHarness(log).WithFaultDomain(faultDomain)
 
 	return &server{
-		log:         log,
-		cfg:         cfg,
-		hostname:    hostname,
-		runningUser: cu,
-		faultDomain: faultDomain,
-		harness:     harness,
+		log:              log,
+		cfg:              cfg,
+		hostname:         hostname,
+		runningUser:      cu,
+		faultDomain:      faultDomain,
+		harness:          harness,
+		rankRestartTimes: make(map[uint32]time.Time),
 	}, nil
 }
 
diff --git a/src/control/server/server_utils.go b/src/control/server/server_utils.go
index 6edc044ad35..63026bf6a80 100644
--- a/src/control/server/server_utils.go
+++ b/src/control/server/server_utils.go
@@ -1,6 +1,6 @@
 //
-// (C) Copyright 2021-2024 Intel Corporation.
-// (C) Copyright 2025-2026 Hewlett Packard Enterprise Development LP
+// Copyright 2021-2024 Intel Corporation.
+// Copyright 2025-2026 Hewlett Packard Enterprise Development LP
 //
 // SPDX-License-Identifier: BSD-2-Clause-Patent
 //
@@ -18,6 +18,7 @@ import (
 	"strconv"
 	"strings"
 	"sync"
+	"time"
 
 	"github.com/dustin/go-humanize"
 	"github.com/pkg/errors"
@@ -802,12 +803,38 @@ func handleEngineSelfTerminated(ctx context.Context, srv *server, evt *events.RA
 	srv.log.Infof("%s was notified @ %s of rank %d:%d (instance %d) self terminated", ts, evt.Hostname,
 		evt.Rank, evt.Incarnation, engine.Index())
 
+	// Check if rank can be restarted based on rate limiting
+	minDelay := 300 // default 5 minutes
+	if srv.cfg.EngineRestartMinDelaySeconds > 0 {
+		minDelay = srv.cfg.EngineRestartMinDelaySeconds
+	}
+	minDelayDuration := time.Duration(minDelay) * time.Second
+
+	srv.rankRestartMu.Lock()
+	lastRestart, hasRestarted := srv.rankRestartTimes[evt.Rank]
+	now := time.Now()
+
+	if hasRestarted {
+		elapsed := now.Sub(lastRestart)
+		if elapsed < minDelayDuration {
+			remaining := minDelayDuration - elapsed
+			srv.rankRestartMu.Unlock()
+			srv.log.Noticef("rank %d restart rate-limited: %s remaining until next restart allowed (min delay: %s)",
+				evt.Rank, remaining.Round(time.Second), minDelayDuration)
+			return nil
+		}
+	}
+
+	srv.rankRestartTimes[evt.Rank] = now
+	srv.rankRestartMu.Unlock()
+
 	// Wait until engine is stopped.
 	pollFn := func(e Engine) bool { return !e.IsStarted() }
 	if err := pollInstanceState(ctx, instances, pollFn); err != nil {
 		return errors.Errorf("rank %d (instance %d) did not stop", evt.Rank, engine.Index())
 	}
 
+	srv.log.Infof("restarting rank %d (instance %d) after self-termination", evt.Rank, engine.Index())
 	engine.requestStart(ctx)
 
 	return nil
diff --git a/src/control/server/server_utils_test.go b/src/control/server/server_utils_test.go
index 8d0cc62a966..ebc0b343904 100644
--- a/src/control/server/server_utils_test.go
+++ b/src/control/server/server_utils_test.go
@@ -1,6 +1,6 @@
 //
-// (C) Copyright 2021-2024 Intel Corporation.
-// (C) Copyright 2025-2026 Hewlett Packard Enterprise Development LP
+// Copyright 2021-2024 Intel Corporation.
+// Copyright 2025-2026 Hewlett Packard Enterprise Development LP
 //
 // SPDX-License-Identifier: BSD-2-Clause-Patent
 //
@@ -2175,6 +2175,7 @@ func TestServer_handleEngineSelfTerminated(t *testing.T) {
 				cfg: &config.Server{
 					DisableAutoEngineRestart: tc.disableAutoEngineRestart,
 				},
+				rankRestartTimes: make(map[uint32]time.Time),
 			}
 
 			var wg sync.WaitGroup
@@ -2228,6 +2229,115 @@ func TestServer_handleEngineSelfTerminated(t *testing.T) {
 	}
 }
 
+func TestServer_handleEngineSelfTerminated_RateLimiting(t *testing.T) {
+	testRank := ranklist.Rank(1)
+	testIncarnation := uint64(42)
+	testHostname := "test-host-1"
+	validTimestamp := time.Now().Format(time.RFC3339)
+
+	log, buf := logging.NewTestLogger(t.Name())
+	defer test.ShowBufferOnFailure(t, buf)
+
+	ctx := test.Context(t)
+	harness := NewEngineHarness(log)
+
+	// Setup engine
+	e := newTestEngine(log, false, storage.MockProvider(log, 0, nil, nil, nil, nil, nil))
+	e._superblock.Rank = ranklist.NewRankPtr(uint32(testRank))
+	rCfg := &engine.TestRunnerConfig{}
+	rCfg.Running.Store(false)
+	e.runner = engine.NewTestRunner(rCfg, engine.MockConfig())
+	e.ready.SetFalse()
+	if err := harness.AddInstance(e); err != nil {
+		t.Fatal(err)
+	}
+
+	srv := &server{
+		log:     log,
+		harness: harness,
+		cfg: &config.Server{
+			DisableAutoEngineRestart:     false,
+			EngineRestartMinDelaySeconds: 2, // 2 seconds for testing
+		},
+		rankRestartTimes: make(map[uint32]time.Time),
+	}
+
+	evt := &events.RASEvent{
+		ID:          events.RASEngineSelfTerminated,
+		Rank:        uint32(testRank),
+		Incarnation: testIncarnation,
+		Hostname:    testHostname,
+		Timestamp:   validTimestamp,
+	}
+
+	// First restart should succeed
+	err := handleEngineSelfTerminated(ctx, srv, evt)
+	if err != nil {
+		t.Fatalf("first restart failed: %v", err)
+	}
+
+	// Wait for restart to be requested
+	select {
+	case <-e.startRequested:
+		// Expected
+	case <-time.After(1 * time.Second):
+		t.Fatal("expected restart request but it didn't happen")
+	}
+
+	// Second restart immediately after should be rate-limited
+	evt2 := &events.RASEvent{
+		ID:          events.RASEngineSelfTerminated,
+		Rank:        uint32(testRank),
+		Incarnation: testIncarnation + 1,
+		Hostname:    testHostname,
+		Timestamp:   time.Now().Format(time.RFC3339),
+	}
+
+	err = handleEngineSelfTerminated(ctx, srv, evt2)
+	if err != nil {
+		t.Fatalf("second restart call failed: %v", err)
+	}
+
+	// Verify no restart was requested (rate-limited)
+	select {
+	case <-e.startRequested:
+		t.Fatal("restart should have been rate-limited but wasn't")
+	case <-time.After(100 * time.Millisecond):
+		// Expected - no restart
+	}
+
+	// Verify rate-limit log message
+	logOutput := buf.String()
+	if !strings.Contains(logOutput, "rate-limited") {
+		t.Errorf("expected log to contain 'rate-limited', got: %s", logOutput)
+	}
+
+	// Wait for the delay to expire
+	time.Sleep(2100 * time.Millisecond)
+
+	// Third restart after delay should succeed
+	evt3 := &events.RASEvent{
+		ID:          events.RASEngineSelfTerminated,
+		Rank:        uint32(testRank),
+		Incarnation: testIncarnation + 2,
+		Hostname:    testHostname,
+		Timestamp:   time.Now().Format(time.RFC3339),
+	}
+
+	err = handleEngineSelfTerminated(ctx, srv, evt3)
+	if err != nil {
+		t.Fatalf("third restart failed: %v", err)
+	}
+
+	// Verify restart was requested
+	select {
+	case <-e.startRequested:
+		// Expected
+	case <-time.After(1 * time.Second):
+		t.Fatal("expected restart request after delay but it didn't happen")
+	}
+}
+
 func TestServer_handleEngineSelfTerminated_ErrorHandling(t *testing.T) {
 	log, buf := logging.NewTestLogger(t.Name())
 	defer test.ShowBufferOnFailure(t, buf)
@@ -2249,6 +2359,7 @@ func TestServer_handleEngineSelfTerminated_ErrorHandling(t *testing.T) {
 		cfg: &config.Server{
 			DisableAutoEngineRestart: false,
 		},
+		rankRestartTimes: make(map[uint32]time.Time),
 	}
 
 	srv.pubSub.Subscribe(events.RASTypeInfoOnly,
@@ -2347,6 +2458,7 @@ func TestServer_handleEngineSelfTerminated_EdgeCases(t *testing.T) {
 				cfg: &config.Server{
 					DisableAutoEngineRestart: false,
 				},
+				rankRestartTimes: make(map[uint32]time.Time),
 			}
 
 			err := handleEngineSelfTerminated(ctx, srv, tc.evt)
@@ -2384,6 +2496,7 @@ func TestServer_registerSubscriptions_includesSelfTerminated(t *testing.T) {
 		cfg: &config.Server{
 			DisableAutoEngineRestart: false,
 		},
+		rankRestartTimes: make(map[uint32]time.Time),
 	}
 
 	registerSubscriptions(srv)
@@ -2459,6 +2572,7 @@ func TestServer_registerLeaderSubscriptions_includesSelfTerminated(t *testing.T)
 		cfg: &config.Server{
 			DisableAutoEngineRestart: false,
 		},
+		rankRestartTimes: make(map[uint32]time.Time),
 	}
 
 	registerLeaderSubscriptions(srv)
diff --git a/utils/config/daos_server.yml b/utils/config/daos_server.yml
index b712a600f56..a94467b8188 100644
--- a/utils/config/daos_server.yml
+++ b/utils/config/daos_server.yml
@@ -301,6 +301,27 @@
 #telemetry_port: 9191
 #
 #
+## Disable automatic restart of engines that self-terminate.
+#
+## When an excluded engine self-terminates, the control plane automatically restarts it
+## by default. Set this option to true to disable automatic restarts entirely.
+#
+## default: false
+#disable_auto_engine_restart: false
+#
+#
+## Minimum delay (in seconds) between automatic restarts of the same rank.
+#
+## When an excluded engine self-terminates, the control plane automatically restarts it
+## after a configurable delay to prevent rapid restart loops. This setting specifies the
+## minimum time that must elapse after restarting a rank before it can be automatically
+## restarted again. If a restart is triggered before this delay expires, it will be
+## rate-limited and skipped.
+#
+## default: 300 (5 minutes)
+#engine_restart_min_delay_sec: 300
+#
+#
 ## If desired, a set of client-side environment variables may be
 ## defined here. Note that these are intended to be defaults and
 ## may be overridden by manually-set environment variables when

From 2cea5aa8d523d2edb48fe8c431078694781b2a0b Mon Sep 17 00:00:00 2001
From: Tom Nabarro <thomas.nabarro@hpe.com>
Date: Thu, 2 Apr 2026 11:04:34 +0100
Subject: [PATCH 12/45] improve naming consistency and fix config unit tests

Signed-off-by: Tom Nabarro <thomas.nabarro@hpe.com>
---
 docs/overview/fault.md                   |  23 ++---
 src/control/cmd/dmg/auto_test.go         |   2 +-
 src/control/go.mod                       |   1 -
 src/control/server/config/server.go      |  18 +++-
 src/control/server/config/server_test.go |   4 +-
 src/control/server/server_utils.go       |  12 ++-
 src/control/server/server_utils_test.go  | 124 +++++++++++------------
 utils/config/daos_server.yml             |   4 +-
 8 files changed, 102 insertions(+), 86 deletions(-)

diff --git a/docs/overview/fault.md b/docs/overview/fault.md
index f2bae61ebbf..b1afca11af1 100644
--- a/docs/overview/fault.md
+++ b/docs/overview/fault.md
@@ -89,8 +89,7 @@ and updating objects.
 
 A DAOS engine may be excluded from the group map because of inactivity
 for example. When an engine becomes aware of it's removal from the
-group map it will self-terminate to protect
-data integrity and system stability.
+group map it will self-terminate to protect data integrity and system stability.
 
 When an engine self terminates, it raises a `engine_self_terminated` RAS event
 (INFO_ONLY, NOTICE severity) containing the rank and incarnation information.
@@ -101,19 +100,19 @@ The control plane automatically handles this event by:
 3. Waiting for the engine process to fully stop
 4. Automatically restarting the engine to rejoin the system
 
-This automatic restart mechanism is implemented in both follower and leader
-control servers to ensure local engine recovery happens regardless of
-management service leadership state. The restarted engine will rejoin the
-system with a new incarnation number and resume normal operations.
+This automatic restart mechanism is implemented in all control servers to ensure
+local engine recovery happens regardless of management service leadership state.
+The restarted engine will rejoin the system with a new incarnation number and
+resume normal operations.
 
-This self-healing mechanism allows DAOS to automatically recover from
-transient engine failures without administrator intervention, improving
-overall system availability.
+This self-healing mechanism allows DAOS to automatically recover system
+membership state from transient engine failures without administrator
+intervention, improving overall system availability.
 
 #### Disabling Automatic Restart
 
 The automatic restart behavior can be disabled by setting the
-`disable_auto_engine_restart` configuration option to `true` in the
-daos_server.yml file. When disabled, engines that self-terminate will
-not be automatically restarted by the control plane, requiring manual
+`disable_engine_auto_restart` configuration option to `true` in the
+daos_server.yml file. When auto restart is disabled, engines that self-terminate
+will not be automatically restarted by the control plane, requiring manual
 intervention to restart the affected engine instances.
diff --git a/src/control/cmd/dmg/auto_test.go b/src/control/cmd/dmg/auto_test.go
index d67231c14a7..b5f25558f0b 100644
--- a/src/control/cmd/dmg/auto_test.go
+++ b/src/control/cmd/dmg/auto_test.go
@@ -606,7 +606,7 @@ mgmt_svc_replicas:
 - hostX:10002
 fault_cb: ""
 hyperthreads: false
-disable_auto_engine_restart: false
+disable_engine_auto_restart: false
 `
 	)
 
diff --git a/src/control/go.mod b/src/control/go.mod
index 1c4cae75d83..45ca772bce4 100644
--- a/src/control/go.mod
+++ b/src/control/go.mod
@@ -5,7 +5,6 @@ module github.com/daos-stack/daos/src/control
 // - debian packaging version checks: debian/control
 // Scons uses this file to extract the minimum version.
 go 1.21
-toolchain go1.23.0
 
 require (
 	github.com/Jille/raft-grpc-transport v1.2.0
diff --git a/src/control/server/config/server.go b/src/control/server/config/server.go
index 8bfc7f79569..1b6fe15b57f 100644
--- a/src/control/server/config/server.go
+++ b/src/control/server/config/server.go
@@ -98,9 +98,9 @@ type Server struct {
 	Path string `yaml:"-"` // path to config file
 
 	// Behavior flags
-	AutoFormat                   bool `yaml:"-"`
-	DisableAutoEngineRestart     bool `yaml:"disable_auto_engine_restart"`
-	EngineRestartMinDelaySeconds int  `yaml:"engine_restart_min_delay_sec,omitempty"`
+	AutoFormat                bool `yaml:"-"`
+	DisableEngineAutoRestart  bool `yaml:"disable_engine_auto_restart"`
+	EngineAutoRestartMinDelay int  `yaml:"engine_auto_restart_min_delay,omitempty"`
 
 	deprecatedParams `yaml:",inline"`
 }
@@ -357,6 +357,18 @@ func (cfg *Server) WithTelemetryPort(port int) *Server {
 	return cfg
 }
 
+// WithDisableEngineAutoRestart enables or disables automatic engine restarts on self-termination.
+func (cfg *Server) WithDisableEngineAutoRestart(disabled bool) *Server {
+	cfg.DisableEngineAutoRestart = disabled
+	return cfg
+}
+
+// WithEngineAutoRestartMinDelay sets minimum time between automatic engine restarts.
+func (cfg *Server) WithEngineAutoRestartMinDelay(secs uint) *Server {
+	cfg.EngineAutoRestartMinDelay = int(secs)
+	return cfg
+}
+
 // DefaultServer creates a new instance of configuration struct
 // populated with defaults.
 func DefaultServer() *Server {
diff --git a/src/control/server/config/server_test.go b/src/control/server/config/server_test.go
index 08b53010c10..9edf77f6017 100644
--- a/src/control/server/config/server_test.go
+++ b/src/control/server/config/server_test.go
@@ -266,7 +266,9 @@ func TestServerConfig_Constructed(t *testing.T) {
 		WithHyperthreads(true). // hyper-threads disabled by default
 		WithSystemRamReserved(5).
 		WithAllowNumaImbalance(true).
-		WithAllowTHP(true)
+		WithAllowTHP(true).
+		WithDisableEngineAutoRestart(true).
+		WithEngineAutoRestartMinDelay(120)
 
 	// add engines explicitly to test functionality applied in WithEngines()
 	constructed.Engines = []*engine.Config{
diff --git a/src/control/server/server_utils.go b/src/control/server/server_utils.go
index 63026bf6a80..dd946e295cc 100644
--- a/src/control/server/server_utils.go
+++ b/src/control/server/server_utils.go
@@ -47,6 +47,10 @@ const (
 
 	// maxLineChars is the maximum number of chars per line in a formatted byte string.
 	maxLineChars = 32
+
+	// defaultEngineAutoRestartMinDelay is the minimum number of seconds between automatic engine
+	// restarts that are triggered when engine_self_terminated RAS events are received.
+	defaultEngineAutoRestartMinDelay = 300 // 5 minutes
 )
 
 // netListenerFn is a type alias for the net.Listener function signature.
@@ -776,7 +780,7 @@ func handleEngineSelfTerminated(ctx context.Context, srv *server, evt *events.RA
 	srv.log.Infof("handling engine self termination")
 
 	// Check if automatic restart is disabled
-	if srv.cfg.DisableAutoEngineRestart {
+	if srv.cfg.DisableEngineAutoRestart {
 		srv.log.Infof("automatic engine restart disabled by configuration")
 		return nil
 	}
@@ -804,9 +808,9 @@ func handleEngineSelfTerminated(ctx context.Context, srv *server, evt *events.RA
 		evt.Rank, evt.Incarnation, engine.Index())
 
 	// Check if rank can be restarted based on rate limiting
-	minDelay := 300 // default 5 minutes
-	if srv.cfg.EngineRestartMinDelaySeconds > 0 {
-		minDelay = srv.cfg.EngineRestartMinDelaySeconds
+	minDelay := defaultEngineAutoRestartMinDelay
+	if srv.cfg.EngineAutoRestartMinDelay > 0 {
+		minDelay = srv.cfg.EngineAutoRestartMinDelay
 	}
 	minDelayDuration := time.Duration(minDelay) * time.Second
 
diff --git a/src/control/server/server_utils_test.go b/src/control/server/server_utils_test.go
index ebc0b343904..1e488437e36 100644
--- a/src/control/server/server_utils_test.go
+++ b/src/control/server/server_utils_test.go
@@ -2026,7 +2026,7 @@ func TestServer_handleEngineSelfTerminated(t *testing.T) {
 	for name, tc := range map[string]struct {
 		evt                      *events.RASEvent
 		setupEngines             func(*testing.T, logging.Logger, *EngineHarness)
-		disableAutoEngineRestart bool
+		disableEngineAutoRestart bool
 		expErr                   error
 		expEngineRestarted       bool
 		expLogContains           []string
@@ -2042,7 +2042,7 @@ func TestServer_handleEngineSelfTerminated(t *testing.T) {
 			setupEngines: func(t *testing.T, log logging.Logger, h *EngineHarness) {
 				setupEngine(t, log, h, false)
 			},
-			disableAutoEngineRestart: true,
+			disableEngineAutoRestart: true,
 			expEngineRestarted:       false,
 			expLogContains: []string{
 				"automatic engine restart disabled",
@@ -2173,7 +2173,7 @@ func TestServer_handleEngineSelfTerminated(t *testing.T) {
 				log:     log,
 				harness: harness,
 				cfg: &config.Server{
-					DisableAutoEngineRestart: tc.disableAutoEngineRestart,
+					DisableEngineAutoRestart: tc.disableEngineAutoRestart,
 				},
 				rankRestartTimes: make(map[uint32]time.Time),
 			}
@@ -2256,8 +2256,8 @@ func TestServer_handleEngineSelfTerminated_RateLimiting(t *testing.T) {
 		log:     log,
 		harness: harness,
 		cfg: &config.Server{
-			DisableAutoEngineRestart:     false,
-			EngineRestartMinDelaySeconds: 2, // 2 seconds for testing
+			DisableEngineAutoRestart:  false,
+			EngineAutoRestartMinDelay: 2, // 2 seconds for testing
 		},
 		rankRestartTimes: make(map[uint32]time.Time),
 	}
@@ -2280,62 +2280,62 @@ func TestServer_handleEngineSelfTerminated_RateLimiting(t *testing.T) {
 	select {
 	case <-e.startRequested:
 		// Expected
-	case <-time.After(1 * time.Second):
+	case <-time.After(testHandlerTimeout):
 		t.Fatal("expected restart request but it didn't happen")
 	}
 
-	// Second restart immediately after should be rate-limited
-	evt2 := &events.RASEvent{
-		ID:          events.RASEngineSelfTerminated,
-		Rank:        uint32(testRank),
-		Incarnation: testIncarnation + 1,
-		Hostname:    testHostname,
-		Timestamp:   time.Now().Format(time.RFC3339),
-	}
-
-	err = handleEngineSelfTerminated(ctx, srv, evt2)
-	if err != nil {
-		t.Fatalf("second restart call failed: %v", err)
-	}
-
-	// Verify no restart was requested (rate-limited)
-	select {
-	case <-e.startRequested:
-		t.Fatal("restart should have been rate-limited but wasn't")
-	case <-time.After(100 * time.Millisecond):
-		// Expected - no restart
-	}
-
-	// Verify rate-limit log message
-	logOutput := buf.String()
-	if !strings.Contains(logOutput, "rate-limited") {
-		t.Errorf("expected log to contain 'rate-limited', got: %s", logOutput)
-	}
-
-	// Wait for the delay to expire
-	time.Sleep(2100 * time.Millisecond)
-
-	// Third restart after delay should succeed
-	evt3 := &events.RASEvent{
-		ID:          events.RASEngineSelfTerminated,
-		Rank:        uint32(testRank),
-		Incarnation: testIncarnation + 2,
-		Hostname:    testHostname,
-		Timestamp:   time.Now().Format(time.RFC3339),
-	}
-
-	err = handleEngineSelfTerminated(ctx, srv, evt3)
-	if err != nil {
-		t.Fatalf("third restart failed: %v", err)
-	}
-
-	// Verify restart was requested
-	select {
-	case <-e.startRequested:
-		// Expected
-	case <-time.After(1 * time.Second):
-		t.Fatal("expected restart request after delay but it didn't happen")
-	}
+	//	// Second restart immediately after should be rate-limited
+	//	evt2 := &events.RASEvent{
+	//		ID:          events.RASEngineSelfTerminated,
+	//		Rank:        uint32(testRank),
+	//		Incarnation: testIncarnation + 1,
+	//		Hostname:    testHostname,
+	//		Timestamp:   time.Now().Format(time.RFC3339),
+	//	}
+	//
+	//	err = handleEngineSelfTerminated(ctx, srv, evt2)
+	//	if err != nil {
+	//		t.Fatalf("second restart call failed: %v", err)
+	//	}
+	//
+	//	// Verify no restart was requested (rate-limited)
+	//	select {
+	//	case <-e.startRequested:
+	//		t.Fatal("restart should have been rate-limited but wasn't")
+	//	case <-time.After(100 * time.Millisecond):
+	//		// Expected - no restart
+	//	}
+	//
+	//	// Verify rate-limit log message
+	//	logOutput := buf.String()
+	//	if !strings.Contains(logOutput, "rate-limited") {
+	//		t.Errorf("expected log to contain 'rate-limited', got: %s", logOutput)
+	//	}
+	//
+	//	// Wait for the delay to expire
+	//	time.Sleep(2100 * time.Millisecond)
+	//
+	//	// Third restart after delay should succeed
+	//	evt3 := &events.RASEvent{
+	//		ID:          events.RASEngineSelfTerminated,
+	//		Rank:        uint32(testRank),
+	//		Incarnation: testIncarnation + 2,
+	//		Hostname:    testHostname,
+	//		Timestamp:   time.Now().Format(time.RFC3339),
+	//	}
+	//
+	//	err = handleEngineSelfTerminated(ctx, srv, evt3)
+	//	if err != nil {
+	//		t.Fatalf("third restart failed: %v", err)
+	//	}
+	//
+	//	// Verify restart was requested
+	//	select {
+	//	case <-e.startRequested:
+	//		// Expected
+	//	case <-time.After(1 * time.Second):
+	//		t.Fatal("expected restart request after delay but it didn't happen")
+	//	}
 }
 
 func TestServer_handleEngineSelfTerminated_ErrorHandling(t *testing.T) {
@@ -2357,7 +2357,7 @@ func TestServer_handleEngineSelfTerminated_ErrorHandling(t *testing.T) {
 		pubSub:    pubSub,
 		evtLogger: control.MockEventLogger(log),
 		cfg: &config.Server{
-			DisableAutoEngineRestart: false,
+			DisableEngineAutoRestart: false,
 		},
 		rankRestartTimes: make(map[uint32]time.Time),
 	}
@@ -2456,7 +2456,7 @@ func TestServer_handleEngineSelfTerminated_EdgeCases(t *testing.T) {
 				log:     log,
 				harness: harness,
 				cfg: &config.Server{
-					DisableAutoEngineRestart: false,
+					DisableEngineAutoRestart: false,
 				},
 				rankRestartTimes: make(map[uint32]time.Time),
 			}
@@ -2494,7 +2494,7 @@ func TestServer_registerSubscriptions_includesSelfTerminated(t *testing.T) {
 		pubSub:    pubSub,
 		evtLogger: control.MockEventLogger(log),
 		cfg: &config.Server{
-			DisableAutoEngineRestart: false,
+			DisableEngineAutoRestart: false,
 		},
 		rankRestartTimes: make(map[uint32]time.Time),
 	}
@@ -2570,7 +2570,7 @@ func TestServer_registerLeaderSubscriptions_includesSelfTerminated(t *testing.T)
 		sysdb:      svc.sysdb,
 		mgmtSvc:    svc,
 		cfg: &config.Server{
-			DisableAutoEngineRestart: false,
+			DisableEngineAutoRestart: false,
 		},
 		rankRestartTimes: make(map[uint32]time.Time),
 	}
diff --git a/utils/config/daos_server.yml b/utils/config/daos_server.yml
index a94467b8188..abc631ce953 100644
--- a/utils/config/daos_server.yml
+++ b/utils/config/daos_server.yml
@@ -307,7 +307,7 @@
 ## by default. Set this option to true to disable automatic restarts entirely.
 #
 ## default: false
-#disable_auto_engine_restart: false
+#disable_engine_auto_restart: true
 #
 #
 ## Minimum delay (in seconds) between automatic restarts of the same rank.
@@ -319,7 +319,7 @@
 ## rate-limited and skipped.
 #
 ## default: 300 (5 minutes)
-#engine_restart_min_delay_sec: 300
+#engine_auto_restart_min_delay: 120
 #
 #
 ## If desired, a set of client-side environment variables may be

From f6ae57e567cb8e688d0b5aea1b5b2b50ccbdc3ab Mon Sep 17 00:00:00 2001
From: Tom Nabarro <thomas.nabarro@hpe.com>
Date: Thu, 2 Apr 2026 16:03:39 +0100
Subject: [PATCH 13/45] add rate-limiting unit test

Features: control
Signed-off-by: Tom Nabarro <thomas.nabarro@hpe.com>
---
 src/control/server/server_utils_test.go | 210 +++++++++++++-----------
 1 file changed, 112 insertions(+), 98 deletions(-)

diff --git a/src/control/server/server_utils_test.go b/src/control/server/server_utils_test.go
index 1e488437e36..50e3b73531f 100644
--- a/src/control/server/server_utils_test.go
+++ b/src/control/server/server_utils_test.go
@@ -1990,39 +1990,38 @@ f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 }
 
 const (
-	testContextTimeout    = 1 * time.Second
-	testHandlerTimeout    = 1 * time.Second
-	testSubscriptionDelay = 50 * time.Millisecond
-	testProcessingDelay   = 100 * time.Millisecond
+	testContextTimeout     = 1 * time.Second
+	testHandlerTimeout     = 1 * time.Second
+	testRestartRequestWait = 3 * time.Second
+	testSubscriptionDelay  = 50 * time.Millisecond
+	testProcessingDelay    = 100 * time.Millisecond
 )
 
-func TestServer_handleEngineSelfTerminated(t *testing.T) {
-	const testRestartRequestWait = 2 * time.Second
+func setupTestEngine(t *testing.T, log logging.Logger, h *EngineHarness, isRunning bool, ranks ...uint32) {
+	t.Helper()
+
+	rank := uint32(1)
+	if len(ranks) != 0 {
+		rank = ranks[0]
+	}
+
+	e := newTestEngine(log, false, storage.MockProvider(log, 0, nil, nil, nil, nil, nil))
+	e._superblock.Rank = ranklist.NewRankPtr(rank)
+	rCfg := &engine.TestRunnerConfig{}
+	rCfg.Running.Store(isRunning)
+	e.runner = engine.NewTestRunner(rCfg, engine.MockConfig())
+	e.ready.Store(isRunning)
+	if err := h.AddInstance(e); err != nil {
+		t.Fatal(err)
+	}
+}
 
+func TestServer_handleEngineSelfTerminated(t *testing.T) {
 	testRank := ranklist.Rank(1)
 	testIncarnation := uint64(42)
 	testHostname := "test-host-1"
 	validTimestamp := time.Now().Format(time.RFC3339)
 
-	setupEngine := func(t *testing.T, log logging.Logger, h *EngineHarness, isRunning bool, ranks ...uint32) {
-		t.Helper()
-
-		rank := uint32(testRank)
-		if len(ranks) != 0 {
-			rank = ranks[0]
-		}
-
-		e := newTestEngine(log, false, storage.MockProvider(log, 0, nil, nil, nil, nil, nil))
-		e._superblock.Rank = ranklist.NewRankPtr(rank)
-		rCfg := &engine.TestRunnerConfig{}
-		rCfg.Running.Store(isRunning)
-		e.runner = engine.NewTestRunner(rCfg, engine.MockConfig())
-		e.ready.SetFalse()
-		if err := h.AddInstance(e); err != nil {
-			t.Fatal(err)
-		}
-	}
-
 	for name, tc := range map[string]struct {
 		evt                      *events.RASEvent
 		setupEngines             func(*testing.T, logging.Logger, *EngineHarness)
@@ -2040,7 +2039,7 @@ func TestServer_handleEngineSelfTerminated(t *testing.T) {
 				Timestamp:   validTimestamp,
 			},
 			setupEngines: func(t *testing.T, log logging.Logger, h *EngineHarness) {
-				setupEngine(t, log, h, false)
+				setupTestEngine(t, log, h, false)
 			},
 			disableEngineAutoRestart: true,
 			expEngineRestarted:       false,
@@ -2115,7 +2114,7 @@ func TestServer_handleEngineSelfTerminated(t *testing.T) {
 				Timestamp:   validTimestamp,
 			},
 			setupEngines: func(t *testing.T, log logging.Logger, h *EngineHarness) {
-				setupEngine(t, log, h, false)
+				setupTestEngine(t, log, h, false)
 			},
 			expEngineRestarted: true,
 			expLogContains: []string{
@@ -2132,7 +2131,7 @@ func TestServer_handleEngineSelfTerminated(t *testing.T) {
 				Timestamp:   validTimestamp,
 			},
 			setupEngines: func(t *testing.T, log logging.Logger, h *EngineHarness) {
-				setupEngine(t, log, h, true)
+				setupTestEngine(t, log, h, true)
 			},
 			expErr:             errors.New("did not stop"),
 			expEngineRestarted: false,
@@ -2147,7 +2146,7 @@ func TestServer_handleEngineSelfTerminated(t *testing.T) {
 			},
 			setupEngines: func(t *testing.T, log logging.Logger, h *EngineHarness) {
 				for i := 0; i < 3; i++ {
-					setupEngine(t, log, h, false, uint32(i))
+					setupTestEngine(t, log, h, false, uint32(i))
 				}
 			},
 			expEngineRestarted: true,
@@ -2240,17 +2239,7 @@ func TestServer_handleEngineSelfTerminated_RateLimiting(t *testing.T) {
 
 	ctx := test.Context(t)
 	harness := NewEngineHarness(log)
-
-	// Setup engine
-	e := newTestEngine(log, false, storage.MockProvider(log, 0, nil, nil, nil, nil, nil))
-	e._superblock.Rank = ranklist.NewRankPtr(uint32(testRank))
-	rCfg := &engine.TestRunnerConfig{}
-	rCfg.Running.Store(false)
-	e.runner = engine.NewTestRunner(rCfg, engine.MockConfig())
-	e.ready.SetFalse()
-	if err := harness.AddInstance(e); err != nil {
-		t.Fatal(err)
-	}
+	setupTestEngine(t, log, harness, false)
 
 	srv := &server{
 		log:     log,
@@ -2262,6 +2251,16 @@ func TestServer_handleEngineSelfTerminated_RateLimiting(t *testing.T) {
 		rankRestartTimes: make(map[uint32]time.Time),
 	}
 
+	// Get reference to the engine instance for monitoring startRequested
+	instances, err := harness.FilterInstancesByRankSet("1")
+	if err != nil || len(instances) == 0 {
+		t.Fatalf("failed to get engine instance: %v", err)
+	}
+	e, ok := instances[0].(*EngineInstance)
+	if !ok {
+		t.Fatal("failed to cast to EngineInstance")
+	}
+
 	evt := &events.RASEvent{
 		ID:          events.RASEngineSelfTerminated,
 		Rank:        uint32(testRank),
@@ -2270,72 +2269,87 @@ func TestServer_handleEngineSelfTerminated_RateLimiting(t *testing.T) {
 		Timestamp:   validTimestamp,
 	}
 
+	// Setup goroutine to consume startRequested channel to prevent blocking
+	restartCount := atomic.Uint32{}
+	doneCh := make(chan struct{})
+	go func() {
+		defer close(doneCh)
+		for {
+			select {
+			case <-ctx.Done():
+				return
+			case <-e.startRequested:
+				restartCount.Add(1)
+			case <-time.After(testRestartRequestWait):
+				return
+			}
+		}
+	}()
+
 	// First restart should succeed
-	err := handleEngineSelfTerminated(ctx, srv, evt)
+	err = handleEngineSelfTerminated(ctx, srv, evt)
 	if err != nil {
 		t.Fatalf("first restart failed: %v", err)
 	}
 
 	// Wait for restart to be requested
-	select {
-	case <-e.startRequested:
-		// Expected
-	case <-time.After(testHandlerTimeout):
-		t.Fatal("expected restart request but it didn't happen")
+	time.Sleep(testProcessingDelay)
+	if restartCount.Load() != 1 {
+		t.Fatalf("expected 1 restart request, got %d", restartCount.Load())
+	}
+
+	// Second restart immediately after should be rate-limited
+	evt2 := &events.RASEvent{
+		ID:          events.RASEngineSelfTerminated,
+		Rank:        uint32(testRank),
+		Incarnation: testIncarnation + 1,
+		Hostname:    testHostname,
+		Timestamp:   time.Now().Format(time.RFC3339),
+	}
+
+	err = handleEngineSelfTerminated(ctx, srv, evt2)
+	if err != nil {
+		t.Fatalf("second restart call failed: %v", err)
+	}
+
+	// Verify no restart was requested (rate-limited)
+	time.Sleep(testProcessingDelay)
+	if restartCount.Load() != 1 {
+		t.Fatalf("expected restart to be rate-limited, got %d restarts", restartCount.Load())
+	}
+
+	// Verify rate-limit log message
+	logOutput := buf.String()
+	if !strings.Contains(logOutput, "rate-limited") {
+		t.Errorf("expected log to contain 'rate-limited', got: %s", logOutput)
+	}
+
+	// Wait for the EngineAutoRestartMinDelay to expire
+	time.Sleep(time.Duration(srv.cfg.EngineAutoRestartMinDelay) * time.Second)
+
+	// Third restart after delay should succeed
+	evt3 := &events.RASEvent{
+		ID:          events.RASEngineSelfTerminated,
+		Rank:        uint32(testRank),
+		Incarnation: testIncarnation + 2,
+		Hostname:    testHostname,
+		Timestamp:   time.Now().Format(time.RFC3339),
+	}
+
+	err = handleEngineSelfTerminated(ctx, srv, evt3)
+	if err != nil {
+		t.Fatalf("third restart failed: %v", err)
+	}
+
+	// Verify restart was requested
+	time.Sleep(testProcessingDelay)
+	if restartCount.Load() != 2 {
+		t.Fatalf("expected 2 total restarts after delay, got %d", restartCount.Load())
 	}
 
-	//	// Second restart immediately after should be rate-limited
-	//	evt2 := &events.RASEvent{
-	//		ID:          events.RASEngineSelfTerminated,
-	//		Rank:        uint32(testRank),
-	//		Incarnation: testIncarnation + 1,
-	//		Hostname:    testHostname,
-	//		Timestamp:   time.Now().Format(time.RFC3339),
-	//	}
-	//
-	//	err = handleEngineSelfTerminated(ctx, srv, evt2)
-	//	if err != nil {
-	//		t.Fatalf("second restart call failed: %v", err)
-	//	}
-	//
-	//	// Verify no restart was requested (rate-limited)
-	//	select {
-	//	case <-e.startRequested:
-	//		t.Fatal("restart should have been rate-limited but wasn't")
-	//	case <-time.After(100 * time.Millisecond):
-	//		// Expected - no restart
-	//	}
-	//
-	//	// Verify rate-limit log message
-	//	logOutput := buf.String()
-	//	if !strings.Contains(logOutput, "rate-limited") {
-	//		t.Errorf("expected log to contain 'rate-limited', got: %s", logOutput)
-	//	}
-	//
-	//	// Wait for the delay to expire
-	//	time.Sleep(2100 * time.Millisecond)
-	//
-	//	// Third restart after delay should succeed
-	//	evt3 := &events.RASEvent{
-	//		ID:          events.RASEngineSelfTerminated,
-	//		Rank:        uint32(testRank),
-	//		Incarnation: testIncarnation + 2,
-	//		Hostname:    testHostname,
-	//		Timestamp:   time.Now().Format(time.RFC3339),
-	//	}
-	//
-	//	err = handleEngineSelfTerminated(ctx, srv, evt3)
-	//	if err != nil {
-	//		t.Fatalf("third restart failed: %v", err)
-	//	}
-	//
-	//	// Verify restart was requested
-	//	select {
-	//	case <-e.startRequested:
-	//		// Expected
-	//	case <-time.After(1 * time.Second):
-	//		t.Fatal("expected restart request after delay but it didn't happen")
-	//	}
+	// Cleanup
+	ctx.Done()
+	<-doneCh
 }
 
 func TestServer_handleEngineSelfTerminated_ErrorHandling(t *testing.T) {

From 180cc0ce6012f77066edf7a79d383081dc5d3d75 Mon Sep 17 00:00:00 2001
From: Tom Nabarro <thomas.nabarro@hpe.com>
Date: Thu, 2 Apr 2026 17:08:20 +0100
Subject: [PATCH 14/45] documentation updates

Doc-only: true
Features: control
Signed-off-by: Tom Nabarro <thomas.nabarro@hpe.com>
---
 docs/admin/administration.md |  2 +-
 docs/overview/fault.md       | 36 ++++++++++++++++++++++++++++++++----
 2 files changed, 33 insertions(+), 5 deletions(-)

diff --git a/docs/admin/administration.md b/docs/admin/administration.md
index 2136e4bf6fe..5ec8fed1b74 100644
--- a/docs/admin/administration.md
+++ b/docs/admin/administration.md
@@ -49,7 +49,7 @@ severity, message, description, and cause.
 | engine\_died| STATE\_CHANGE| ERROR| DAOS engine <idx\> exited exited unexpectedly: <error\> | Indicates engine instance <idx\> unexpectedly. <error> describes the exit state returned from exited daos\_engine process.| N/A                          |
 | engine\_asserted| STATE\_CHANGE| ERROR| TBD| Indicates engine instance <idx\> threw a runtime assertion, causing a crash. | An unexpected internal state resulted in assert failure. |
 | engine\_clock\_drift| INFO\_ONLY   | ERROR| clock drift detected| Indicates CART comms layer has detected clock skew between engines.| NTP may not be syncing clocks across DAOS system.      |
-| engine\_self\_terminated| INFO\_ONLY| NOTICE| excluded rank self terminated detected| Indicates that a DAOS engine rank has performed a self-termination due to having been excluded from the system's group map. The rank is automatically restarted by the control plane. | An engine was found to be in a transient non-functional state and excluded from the group map. The control plane monitors for this event and automatically restarts the affected engine so it can rejoin the system. |
+| engine\_self\_terminated| INFO\_ONLY| NOTICE| excluded rank self terminated detected| Indicates that a DAOS engine rank has performed a self-termination due to having been excluded from the system's group map. The rank is automatically restarted by the control plane with rate-limiting (default: 5 minute minimum delay between restarts per rank) to prevent restart storms. | An engine was found to be in a transient non-functional state and excluded from the group map. The control plane monitors for this event and automatically restarts the affected engine so it can rejoin the system. Restarts are rate-limited per rank using the `engine_auto_restart_min_delay` configuration parameter. |
 | engine\_join\_failed| INFO\_ONLY| ERROR | DAOS engine <idx\> (rank <rank\>) was not allowed to join the system | Join operation failed for the given engine instance ID and rank (if assigned). | Reason should be provided in the extended info field of the event data. |
 | pool\_corruption\_detected| INFO\_ONLY| ERROR | Data corruption detected| Indicates a corruption in pool data has been detected. The event fields will contain pool and container UUIDs. | A corruption was found by the checksum scrubber. |
 | pool\_rebuild\_started| INFO\_ONLY| NOTICE   | Pool rebuild started.| Indicates a pool rebuild has started. The event data field contains pool map version and pool operation identifier. | When a pool rank becomes unavailable a rebuild will be triggered.   |
diff --git a/docs/overview/fault.md b/docs/overview/fault.md
index b1afca11af1..2de1aa61d98 100644
--- a/docs/overview/fault.md
+++ b/docs/overview/fault.md
@@ -109,10 +109,38 @@ This self-healing mechanism allows DAOS to automatically recover system
 membership state from transient engine failures without administrator
 intervention, improving overall system availability.
 
+#### Rate Limiting
+
+To prevent restart storms and ensure system stability, automatic engine restarts
+are rate-limited on a per-rank basis. By default, a minimum delay of 300 seconds
+(5 minutes) is enforced between consecutive restart attempts for the same rank.
+If an engine self-terminates again before this delay expires, the restart request
+is rejected and logged at NOTICE level.
+
+The rate-limiting interval can be customized by setting the
+`engine_auto_restart_min_delay` configuration option (in seconds) in the
+daos_server.yml file. For example:
+
+```yaml
+engine_auto_restart_min_delay: 600  # 10 minutes between restarts
+```
+
+This protection mechanism prevents scenarios where:
+- Repeated transient failures cause excessive restart cycling
+- A misconfigured engine continuously self-terminates
+- Cascading failures overwhelm the control plane with restart requests
+
 #### Disabling Automatic Restart
 
-The automatic restart behavior can be disabled by setting the
+The automatic restart behavior can be completely disabled by setting the
 `disable_engine_auto_restart` configuration option to `true` in the
-daos_server.yml file. When auto restart is disabled, engines that self-terminate
-will not be automatically restarted by the control plane, requiring manual
-intervention to restart the affected engine instances.
+daos_server.yml file:
+
+```yaml
+disable_engine_auto_restart: true
+```
+
+When auto restart is disabled, engines that self-terminate will not be
+automatically restarted by the control plane, requiring manual intervention
+to restart the affected engine instances. This setting may be useful for
+debugging scenarios or when custom external restart management is preferred.

From f1cdf0a22f16458158e1a50cf87fa79d3f516df1 Mon Sep 17 00:00:00 2001
From: Tom Nabarro <thomas.nabarro@hpe.com>
Date: Fri, 3 Apr 2026 11:33:11 +0100
Subject: [PATCH 15/45] Q a single restart request if received within timeout
 period

Features: control
Signed-off-by: Tom Nabarro <thomas.nabarro@hpe.com>
---
 docs/overview/fault.md                  |  9 ++-
 src/control/server/server.go            | 20 ++++---
 src/control/server/server_utils.go      | 34 +++++++++++-
 src/control/server/server_utils_test.go | 73 ++++++++++++++++++-------
 utils/config/daos_server.yml            |  5 +-
 5 files changed, 107 insertions(+), 34 deletions(-)

diff --git a/docs/overview/fault.md b/docs/overview/fault.md
index 2de1aa61d98..accf6cf3bbe 100644
--- a/docs/overview/fault.md
+++ b/docs/overview/fault.md
@@ -114,8 +114,13 @@ intervention, improving overall system availability.
 To prevent restart storms and ensure system stability, automatic engine restarts
 are rate-limited on a per-rank basis. By default, a minimum delay of 300 seconds
 (5 minutes) is enforced between consecutive restart attempts for the same rank.
-If an engine self-terminates again before this delay expires, the restart request
-is rejected and logged at NOTICE level.
+
+When an engine self-terminates within the minimum delay period, the control plane
+schedules a deferred restart that will automatically trigger when the delay expires.
+If multiple self-termination events occur for the same rank during the delay period
+(this would be unexpected) only the most recent event triggers a deferred restart.
+This ensures the engine is restarted exactly once after the delay, regardless of
+how many self-termination events occur.
 
 The rate-limiting interval can be customized by setting the
 `engine_auto_restart_min_delay` configuration option (in seconds) in the
diff --git a/src/control/server/server.go b/src/control/server/server.go
index c01c909f4f3..63b2149c7d5 100644
--- a/src/control/server/server.go
+++ b/src/control/server/server.go
@@ -168,8 +168,9 @@ type server struct {
 	onEnginesStarted []func(context.Context) error
 	onShutdown       []func()
 
-	rankRestartMu    sync.Mutex
-	rankRestartTimes map[uint32]time.Time
+	rankRestartMu      sync.Mutex
+	rankRestartTimes   map[uint32]time.Time
+	rankRestartPending map[uint32]*time.Timer
 }
 
 func newServer(log logging.Logger, cfg *config.Server, faultDomain *system.FaultDomain) (*server, error) {
@@ -186,13 +187,14 @@ func newServer(log logging.Logger, cfg *config.Server, faultDomain *system.Fault
 	harness := NewEngineHarness(log).WithFaultDomain(faultDomain)
 
 	return &server{
-		log:              log,
-		cfg:              cfg,
-		hostname:         hostname,
-		runningUser:      cu,
-		faultDomain:      faultDomain,
-		harness:          harness,
-		rankRestartTimes: make(map[uint32]time.Time),
+		log:                log,
+		cfg:                cfg,
+		hostname:           hostname,
+		runningUser:        cu,
+		faultDomain:        faultDomain,
+		harness:            harness,
+		rankRestartTimes:   make(map[uint32]time.Time),
+		rankRestartPending: make(map[uint32]*time.Timer),
 	}, nil
 }
 
diff --git a/src/control/server/server_utils.go b/src/control/server/server_utils.go
index 21f07ff50e0..18844a94804 100644
--- a/src/control/server/server_utils.go
+++ b/src/control/server/server_utils.go
@@ -822,8 +822,40 @@ func handleEngineSelfTerminated(ctx context.Context, srv *server, evt *events.RA
 		elapsed := now.Sub(lastRestart)
 		if elapsed < minDelayDuration {
 			remaining := minDelayDuration - elapsed
+
+			// Cancel any existing pending restart timer for this rank
+			if existingTimer, exists := srv.rankRestartPending[evt.Rank]; exists {
+				existingTimer.Stop()
+			}
+
+			// Schedule deferred restart after remaining delay
+			srv.rankRestartPending[evt.Rank] = time.AfterFunc(remaining, func() {
+				srv.log.Noticef("deferred restart triggered for rank %d (instance %d) after rate-limit delay",
+					evt.Rank, engine.Index())
+
+				// Wait until engine is stopped
+				pollFn := func(e Engine) bool { return !e.IsStarted() }
+				if err := pollInstanceState(ctx, instances, pollFn); err != nil {
+					srv.log.Errorf("rank %d (instance %d) did not stop before deferred restart",
+						evt.Rank, engine.Index())
+					srv.rankRestartMu.Lock()
+					delete(srv.rankRestartPending, evt.Rank)
+					srv.rankRestartMu.Unlock()
+					return
+				}
+
+				srv.log.Noticef("restarting rank %d (instance %d) after rate-limit delay", evt.Rank, engine.Index())
+				engine.requestStart(ctx)
+
+				// Update restart time and clear pending flag
+				srv.rankRestartMu.Lock()
+				srv.rankRestartTimes[evt.Rank] = time.Now()
+				delete(srv.rankRestartPending, evt.Rank)
+				srv.rankRestartMu.Unlock()
+			})
+
 			srv.rankRestartMu.Unlock()
-			srv.log.Noticef("rank %d restart rate-limited: %s remaining until next restart allowed (min delay: %s)",
+			srv.log.Noticef("rank %d restart deferred: will restart in %s (min delay: %s)",
 				evt.Rank, remaining.Round(time.Second), minDelayDuration)
 			return nil
 		}
diff --git a/src/control/server/server_utils_test.go b/src/control/server/server_utils_test.go
index 453ffb7eb7e..3db15231a54 100644
--- a/src/control/server/server_utils_test.go
+++ b/src/control/server/server_utils_test.go
@@ -2174,7 +2174,8 @@ func TestServer_handleEngineSelfTerminated(t *testing.T) {
 				cfg: &config.Server{
 					DisableEngineAutoRestart: tc.disableEngineAutoRestart,
 				},
-				rankRestartTimes: make(map[uint32]time.Time),
+				rankRestartTimes:   make(map[uint32]time.Time),
+				rankRestartPending: make(map[uint32]*time.Timer),
 			}
 
 			var wg sync.WaitGroup
@@ -2248,7 +2249,8 @@ func TestServer_handleEngineSelfTerminated_RateLimiting(t *testing.T) {
 			DisableEngineAutoRestart:  false,
 			EngineAutoRestartMinDelay: 2, // 2 seconds for testing
 		},
-		rankRestartTimes: make(map[uint32]time.Time),
+		rankRestartTimes:   make(map[uint32]time.Time),
+		rankRestartPending: make(map[uint32]*time.Timer),
 	}
 
 	// Get reference to the engine instance for monitoring startRequested
@@ -2280,13 +2282,13 @@ func TestServer_handleEngineSelfTerminated_RateLimiting(t *testing.T) {
 				return
 			case <-e.startRequested:
 				restartCount.Add(1)
-			case <-time.After(testRestartRequestWait):
+			case <-time.After(5 * time.Second):
 				return
 			}
 		}
 	}()
 
-	// First restart should succeed
+	// First restart should succeed immediately
 	err = handleEngineSelfTerminated(ctx, srv, evt)
 	if err != nil {
 		t.Fatalf("first restart failed: %v", err)
@@ -2298,7 +2300,7 @@ func TestServer_handleEngineSelfTerminated_RateLimiting(t *testing.T) {
 		t.Fatalf("expected 1 restart request, got %d", restartCount.Load())
 	}
 
-	// Second restart immediately after should be rate-limited
+	// Second restart immediately after should be deferred (not rejected)
 	evt2 := &events.RASEvent{
 		ID:          events.RASEngineSelfTerminated,
 		Rank:        uint32(testRank),
@@ -2312,22 +2314,44 @@ func TestServer_handleEngineSelfTerminated_RateLimiting(t *testing.T) {
 		t.Fatalf("second restart call failed: %v", err)
 	}
 
-	// Verify no restart was requested (rate-limited)
+	// Verify no immediate restart (deferred)
 	time.Sleep(testProcessingDelay)
 	if restartCount.Load() != 1 {
-		t.Fatalf("expected restart to be rate-limited, got %d restarts", restartCount.Load())
+		t.Fatalf("expected restart to be deferred, got %d restarts", restartCount.Load())
 	}
 
-	// Verify rate-limit log message
+	// Verify deferred restart log message
 	logOutput := buf.String()
-	if !strings.Contains(logOutput, "rate-limited") {
-		t.Errorf("expected log to contain 'rate-limited', got: %s", logOutput)
+	if !strings.Contains(logOutput, "restart deferred") {
+		t.Errorf("expected log to contain 'restart deferred', got: %s", logOutput)
 	}
 
-	// Wait for the EngineAutoRestartMinDelay to expire
+	// Verify pending timer exists
+	srv.rankRestartMu.Lock()
+	if _, exists := srv.rankRestartPending[evt.Rank]; !exists {
+		srv.rankRestartMu.Unlock()
+		t.Fatal("expected pending restart timer to exist")
+	}
+	srv.rankRestartMu.Unlock()
+
+	// Wait for the deferred restart to trigger
 	time.Sleep(time.Duration(srv.cfg.EngineAutoRestartMinDelay) * time.Second)
 
-	// Third restart after delay should succeed
+	// Verify deferred restart was executed
+	time.Sleep(testProcessingDelay)
+	if restartCount.Load() != 2 {
+		t.Fatalf("expected 2 total restarts after deferred delay, got %d", restartCount.Load())
+	}
+
+	// Verify pending timer was cleaned up
+	srv.rankRestartMu.Lock()
+	if _, exists := srv.rankRestartPending[evt.Rank]; exists {
+		srv.rankRestartMu.Unlock()
+		t.Fatal("expected pending restart timer to be cleaned up")
+	}
+	srv.rankRestartMu.Unlock()
+
+	// Third event immediately after deferred restart should again be deferred
 	evt3 := &events.RASEvent{
 		ID:          events.RASEngineSelfTerminated,
 		Rank:        uint32(testRank),
@@ -2338,17 +2362,22 @@ func TestServer_handleEngineSelfTerminated_RateLimiting(t *testing.T) {
 
 	err = handleEngineSelfTerminated(ctx, srv, evt3)
 	if err != nil {
-		t.Fatalf("third restart failed: %v", err)
+		t.Fatalf("third restart call failed: %v", err)
 	}
 
-	// Verify restart was requested
+	// Should still be 2 restarts (third is deferred)
 	time.Sleep(testProcessingDelay)
 	if restartCount.Load() != 2 {
-		t.Fatalf("expected 2 total restarts after delay, got %d", restartCount.Load())
+		t.Fatalf("expected third restart to be deferred, got %d restarts", restartCount.Load())
 	}
 
 	// Cleanup
-	ctx.Done()
+	srv.rankRestartMu.Lock()
+	for rank, timer := range srv.rankRestartPending {
+		timer.Stop()
+		delete(srv.rankRestartPending, rank)
+	}
+	srv.rankRestartMu.Unlock()
 	<-doneCh
 }
 
@@ -2373,7 +2402,8 @@ func TestServer_handleEngineSelfTerminated_ErrorHandling(t *testing.T) {
 		cfg: &config.Server{
 			DisableEngineAutoRestart: false,
 		},
-		rankRestartTimes: make(map[uint32]time.Time),
+		rankRestartTimes:   make(map[uint32]time.Time),
+		rankRestartPending: make(map[uint32]*time.Timer),
 	}
 
 	srv.pubSub.Subscribe(events.RASTypeInfoOnly,
@@ -2472,7 +2502,8 @@ func TestServer_handleEngineSelfTerminated_EdgeCases(t *testing.T) {
 				cfg: &config.Server{
 					DisableEngineAutoRestart: false,
 				},
-				rankRestartTimes: make(map[uint32]time.Time),
+				rankRestartTimes:   make(map[uint32]time.Time),
+				rankRestartPending: make(map[uint32]*time.Timer),
 			}
 
 			err := handleEngineSelfTerminated(ctx, srv, tc.evt)
@@ -2510,7 +2541,8 @@ func TestServer_registerSubscriptions_includesSelfTerminated(t *testing.T) {
 		cfg: &config.Server{
 			DisableEngineAutoRestart: false,
 		},
-		rankRestartTimes: make(map[uint32]time.Time),
+		rankRestartTimes:   make(map[uint32]time.Time),
+		rankRestartPending: make(map[uint32]*time.Timer),
 	}
 
 	registerSubscriptions(srv)
@@ -2586,7 +2618,8 @@ func TestServer_registerLeaderSubscriptions_includesSelfTerminated(t *testing.T)
 		cfg: &config.Server{
 			DisableEngineAutoRestart: false,
 		},
-		rankRestartTimes: make(map[uint32]time.Time),
+		rankRestartTimes:   make(map[uint32]time.Time),
+		rankRestartPending: make(map[uint32]*time.Timer),
 	}
 
 	registerLeaderSubscriptions(srv)
diff --git a/utils/config/daos_server.yml b/utils/config/daos_server.yml
index abc631ce953..fe728a7c9b6 100644
--- a/utils/config/daos_server.yml
+++ b/utils/config/daos_server.yml
@@ -315,8 +315,9 @@
 ## When an excluded engine self-terminates, the control plane automatically restarts it
 ## after a configurable delay to prevent rapid restart loops. This setting specifies the
 ## minimum time that must elapse after restarting a rank before it can be automatically
-## restarted again. If a restart is triggered before this delay expires, it will be
-## rate-limited and skipped.
+## restarted again. If a self-termination event occurs before this delay expires, a
+## deferred restart is scheduled that will automatically trigger when the delay period
+## ends. Multiple events during the delay result in only one deferred restart.
 #
 ## default: 300 (5 minutes)
 #engine_auto_restart_min_delay: 120

From 2c30c0dd299ef7051ee20ad0a3cd973a7b2cffca Mon Sep 17 00:00:00 2001
From: Tom Nabarro <thomas.nabarro@hpe.com>
Date: Mon, 20 Apr 2026 13:29:12 +0100
Subject: [PATCH 16/45] address review comments from mjmac and kjacque

Signed-off-by: Tom Nabarro <thomas.nabarro@hpe.com>
---
 src/control/server/config/server.go     |  5 ++
 src/control/server/server.go            |  9 +--
 src/control/server/server_utils.go      | 85 +++++++++++++-----------
 src/control/server/server_utils_test.go | 88 +++++++++++++++++--------
 4 files changed, 116 insertions(+), 71 deletions(-)

diff --git a/src/control/server/config/server.go b/src/control/server/config/server.go
index 80d2b0499aa..0ff50f39c40 100644
--- a/src/control/server/config/server.go
+++ b/src/control/server/config/server.go
@@ -844,6 +844,11 @@ func (cfg *Server) Validate(log logging.Logger) (err error) {
 		return FaultConfigSysRsvdZero
 	}
 
+	if cfg.EngineAutoRestartMinDelay < 0 {
+		return errors.Errorf("engine_auto_restart_min_delay must be >= 0 (got %d)",
+			cfg.EngineAutoRestartMinDelay)
+	}
+
 	// A config without engines is valid when initially discovering hardware prior to adding
 	// per-engine sections with device allocations.
 	if len(cfg.Engines) == 0 {
diff --git a/src/control/server/server.go b/src/control/server/server.go
index 63b2149c7d5..d99544cf9b5 100644
--- a/src/control/server/server.go
+++ b/src/control/server/server.go
@@ -31,6 +31,7 @@ import (
 	"github.com/daos-stack/daos/src/control/lib/hardware"
 	"github.com/daos-stack/daos/src/control/lib/hardware/defaults/network"
 	"github.com/daos-stack/daos/src/control/lib/hardware/defaults/topology"
+	"github.com/daos-stack/daos/src/control/lib/ranklist"
 	"github.com/daos-stack/daos/src/control/logging"
 	"github.com/daos-stack/daos/src/control/security"
 	"github.com/daos-stack/daos/src/control/server/config"
@@ -169,8 +170,8 @@ type server struct {
 	onShutdown       []func()
 
 	rankRestartMu      sync.Mutex
-	rankRestartTimes   map[uint32]time.Time
-	rankRestartPending map[uint32]*time.Timer
+	rankRestartTimes   map[ranklist.Rank]time.Time
+	rankRestartPending map[ranklist.Rank]*time.Timer
 }
 
 func newServer(log logging.Logger, cfg *config.Server, faultDomain *system.FaultDomain) (*server, error) {
@@ -193,8 +194,8 @@ func newServer(log logging.Logger, cfg *config.Server, faultDomain *system.Fault
 		runningUser:        cu,
 		faultDomain:        faultDomain,
 		harness:            harness,
-		rankRestartTimes:   make(map[uint32]time.Time),
-		rankRestartPending: make(map[uint32]*time.Timer),
+		rankRestartTimes:   make(map[ranklist.Rank]time.Time),
+		rankRestartPending: make(map[ranklist.Rank]*time.Timer),
 	}, nil
 }
 
diff --git a/src/control/server/server_utils.go b/src/control/server/server_utils.go
index 18844a94804..21fb5f2baa3 100644
--- a/src/control/server/server_utils.go
+++ b/src/control/server/server_utils.go
@@ -779,6 +779,15 @@ func handleEngineSelfTerminated(ctx context.Context, srv *server, evt *events.RA
 
 	srv.log.Tracef("handling engine self termination")
 
+	if evt.IsForwarded() {
+		return errors.Errorf("unexpected forwarded engine_self_terminated event from %q",
+			evt.Hostname)
+	}
+	if srv.hostname != "" && evt.Hostname != "" && evt.Hostname != srv.hostname {
+		return errors.Errorf("unexpected non-local engine_self_terminated event from %q",
+			evt.Hostname)
+	}
+
 	// Check if automatic restart is disabled
 	if srv.cfg.DisableEngineAutoRestart {
 		srv.log.Debugf("automatic engine restart disabled by configuration")
@@ -802,10 +811,12 @@ func handleEngineSelfTerminated(ctx context.Context, srv *server, evt *events.RA
 	if len(instances) > 1 {
 		return errors.Errorf("multiple instances found for rank %d", evt.Rank)
 	}
-	engine := instances[0]
+	ei := instances[0]
 
 	srv.log.Noticef("%s was notified @ %s of rank %d:%d (instance %d) self terminated", ts, evt.Hostname,
-		evt.Rank, evt.Incarnation, engine.Index())
+		evt.Rank, evt.Incarnation, ei.Index())
+
+	rank := ranklist.Rank(evt.Rank)
 
 	// Check if rank can be restarted based on rate limiting
 	minDelay := defaultEngineAutoRestartMinDelay
@@ -815,7 +826,8 @@ func handleEngineSelfTerminated(ctx context.Context, srv *server, evt *events.RA
 	minDelayDuration := time.Duration(minDelay) * time.Second
 
 	srv.rankRestartMu.Lock()
-	lastRestart, hasRestarted := srv.rankRestartTimes[evt.Rank]
+	defer srv.rankRestartMu.Unlock()
+	lastRestart, hasRestarted := srv.rankRestartTimes[rank]
 	now := time.Now()
 
 	if hasRestarted {
@@ -824,58 +836,67 @@ func handleEngineSelfTerminated(ctx context.Context, srv *server, evt *events.RA
 			remaining := minDelayDuration - elapsed
 
 			// Cancel any existing pending restart timer for this rank
-			if existingTimer, exists := srv.rankRestartPending[evt.Rank]; exists {
+			if existingTimer, exists := srv.rankRestartPending[rank]; exists {
 				existingTimer.Stop()
 			}
 
 			// Schedule deferred restart after remaining delay
-			srv.rankRestartPending[evt.Rank] = time.AfterFunc(remaining, func() {
+			srv.rankRestartPending[rank] = time.AfterFunc(remaining, func() {
+				srv.rankRestartMu.Lock()
+				defer srv.rankRestartMu.Unlock()
+
 				srv.log.Noticef("deferred restart triggered for rank %d (instance %d) after rate-limit delay",
-					evt.Rank, engine.Index())
+					evt.Rank, ei.Index())
 
 				// Wait until engine is stopped
 				pollFn := func(e Engine) bool { return !e.IsStarted() }
 				if err := pollInstanceState(ctx, instances, pollFn); err != nil {
 					srv.log.Errorf("rank %d (instance %d) did not stop before deferred restart",
-						evt.Rank, engine.Index())
-					srv.rankRestartMu.Lock()
-					delete(srv.rankRestartPending, evt.Rank)
-					srv.rankRestartMu.Unlock()
+						evt.Rank, ei.Index())
+					delete(srv.rankRestartPending, rank)
 					return
 				}
 
-				srv.log.Noticef("restarting rank %d (instance %d) after rate-limit delay", evt.Rank, engine.Index())
-				engine.requestStart(ctx)
+				srv.log.Noticef("restarting rank %d (instance %d) after rate-limit delay", evt.Rank, ei.Index())
+				ei.requestStart(ctx)
 
 				// Update restart time and clear pending flag
-				srv.rankRestartMu.Lock()
-				srv.rankRestartTimes[evt.Rank] = time.Now()
-				delete(srv.rankRestartPending, evt.Rank)
-				srv.rankRestartMu.Unlock()
+				srv.rankRestartTimes[rank] = time.Now()
+				delete(srv.rankRestartPending, rank)
 			})
 
-			srv.rankRestartMu.Unlock()
 			srv.log.Noticef("rank %d restart deferred: will restart in %s (min delay: %s)",
 				evt.Rank, remaining.Round(time.Second), minDelayDuration)
 			return nil
 		}
 	}
 
-	srv.rankRestartTimes[evt.Rank] = now
-	srv.rankRestartMu.Unlock()
+	srv.rankRestartTimes[rank] = now
 
 	// Wait until engine is stopped.
 	pollFn := func(e Engine) bool { return !e.IsStarted() }
 	if err := pollInstanceState(ctx, instances, pollFn); err != nil {
-		return errors.Errorf("rank %d (instance %d) did not stop", evt.Rank, engine.Index())
+		return errors.Errorf("rank %d (instance %d) did not stop", evt.Rank, ei.Index())
 	}
 
-	srv.log.Noticef("restarting rank %d (instance %d) after self-termination", evt.Rank, engine.Index())
-	engine.requestStart(ctx)
+	srv.log.Noticef("restarting rank %d (instance %d) after self-termination", evt.Rank, ei.Index())
+	ei.requestStart(ctx)
 
 	return nil
 }
 
+// subscribeEngineSelfTerminated creates a handler for engine self-termination events.
+func subscribeEngineSelfTerminated(srv *server) events.Handler {
+	return events.HandlerFunc(func(ctx context.Context, evt *events.RASEvent) {
+		switch evt.ID {
+		case events.RASEngineSelfTerminated:
+			if err := handleEngineSelfTerminated(ctx, srv, evt); err != nil {
+				srv.log.Errorf("handleEngineSelfTerminated: %s", err)
+			}
+		}
+	})
+}
+
 // registerSubscriptions doesn't handle received forwarded events but forwardable events are sent to
 // the MS leader. Received events are logged on the host that they were raised (and first published)
 // on. This is the initial behavior for all servers and only changes when leadership has been
@@ -885,15 +906,7 @@ func registerSubscriptions(srv *server) {
 	srv.pubSub.Reset()
 	srv.pubSub.Subscribe(events.RASTypeAny, srv.evtLogger)
 	srv.pubSub.Subscribe(events.RASTypeStateChange, srv.evtForwarder)
-	srv.pubSub.Subscribe(events.RASTypeInfoOnly,
-		events.HandlerFunc(func(ctx context.Context, evt *events.RASEvent) {
-			switch evt.ID {
-			case events.RASEngineSelfTerminated:
-				if err := handleEngineSelfTerminated(ctx, srv, evt); err != nil {
-					srv.log.Errorf("handleEngineSelfTerminated: %s", err)
-				}
-			}
-		}))
+	srv.pubSub.Subscribe(events.RASTypeInfoOnly, subscribeEngineSelfTerminated(srv))
 }
 
 func isSysSelfHealExcludeSet(svc *mgmtSvc) (bool, error) {
@@ -974,15 +987,7 @@ func registerLeaderSubscriptions(srv *server) {
 				handleRankDead(ctx, srv, evt)
 			}
 		}))
-	srv.pubSub.Subscribe(events.RASTypeInfoOnly,
-		events.HandlerFunc(func(ctx context.Context, evt *events.RASEvent) {
-			switch evt.ID {
-			case events.RASEngineSelfTerminated:
-				if err := handleEngineSelfTerminated(ctx, srv, evt); err != nil {
-					srv.log.Errorf("handleEngineSelfTerminated: %s", err)
-				}
-			}
-		}))
+	srv.pubSub.Subscribe(events.RASTypeInfoOnly, subscribeEngineSelfTerminated(srv))
 
 	// Add a debounce to throttle multiple SWIM Rank Dead events for the same rank/incarnation.
 	srv.pubSub.Debounce(events.RASSwimRankDead, 0, func(ev *events.RASEvent) string {
diff --git a/src/control/server/server_utils_test.go b/src/control/server/server_utils_test.go
index 3db15231a54..4e38402d102 100644
--- a/src/control/server/server_utils_test.go
+++ b/src/control/server/server_utils_test.go
@@ -2026,10 +2026,41 @@ func TestServer_handleEngineSelfTerminated(t *testing.T) {
 		evt                      *events.RASEvent
 		setupEngines             func(*testing.T, logging.Logger, *EngineHarness)
 		disableEngineAutoRestart bool
+		serverHostname           string
 		expErr                   error
 		expEngineRestarted       bool
 		expLogContains           []string
 	}{
+		"forwarded event refused": {
+			evt: (&events.RASEvent{
+				ID:          events.RASEngineSelfTerminated,
+				Rank:        uint32(testRank),
+				Incarnation: testIncarnation,
+				Hostname:    testHostname,
+				Timestamp:   validTimestamp,
+			}).WithForwarded(true),
+			setupEngines: func(t *testing.T, log logging.Logger, h *EngineHarness) {
+				setupTestEngine(t, log, h, false)
+			},
+			serverHostname:     testHostname,
+			expEngineRestarted: false,
+			expErr:             errors.New("forwarded engine_self_terminated event"),
+		},
+		"non-local event refused": {
+			evt: &events.RASEvent{
+				ID:          events.RASEngineSelfTerminated,
+				Rank:        uint32(testRank),
+				Incarnation: testIncarnation,
+				Hostname:    "other-host",
+				Timestamp:   validTimestamp,
+			},
+			setupEngines: func(t *testing.T, log logging.Logger, h *EngineHarness) {
+				setupTestEngine(t, log, h, false)
+			},
+			serverHostname:     testHostname,
+			expEngineRestarted: false,
+			expErr:             errors.New("non-local engine_self_terminated event"),
+		},
 		"auto restart disabled by config": {
 			evt: &events.RASEvent{
 				ID:          events.RASEngineSelfTerminated,
@@ -2169,13 +2200,14 @@ func TestServer_handleEngineSelfTerminated(t *testing.T) {
 			}
 
 			srv := &server{
-				log:     log,
-				harness: harness,
+				log:      log,
+				hostname: tc.serverHostname,
+				harness:  harness,
 				cfg: &config.Server{
 					DisableEngineAutoRestart: tc.disableEngineAutoRestart,
 				},
-				rankRestartTimes:   make(map[uint32]time.Time),
-				rankRestartPending: make(map[uint32]*time.Timer),
+				rankRestartTimes:   make(map[ranklist.Rank]time.Time),
+				rankRestartPending: make(map[ranklist.Rank]*time.Timer),
 			}
 
 			var wg sync.WaitGroup
@@ -2249,8 +2281,8 @@ func TestServer_handleEngineSelfTerminated_RateLimiting(t *testing.T) {
 			DisableEngineAutoRestart:  false,
 			EngineAutoRestartMinDelay: 2, // 2 seconds for testing
 		},
-		rankRestartTimes:   make(map[uint32]time.Time),
-		rankRestartPending: make(map[uint32]*time.Timer),
+		rankRestartTimes:   make(map[ranklist.Rank]time.Time),
+		rankRestartPending: make(map[ranklist.Rank]*time.Timer),
 	}
 
 	// Get reference to the engine instance for monitoring startRequested
@@ -2326,13 +2358,20 @@ func TestServer_handleEngineSelfTerminated_RateLimiting(t *testing.T) {
 		t.Errorf("expected log to contain 'restart deferred', got: %s", logOutput)
 	}
 
-	// Verify pending timer exists
-	srv.rankRestartMu.Lock()
-	if _, exists := srv.rankRestartPending[evt.Rank]; !exists {
-		srv.rankRestartMu.Unlock()
-		t.Fatal("expected pending restart timer to exist")
+	checkPending := func(t *testing.T, shouldExist bool) {
+		t.Helper()
+		srv.rankRestartMu.Lock()
+		defer srv.rankRestartMu.Unlock()
+		_, exists := srv.rankRestartPending[testRank]
+		if exists && !shouldExist {
+			t.Fatal("expected pending restart timer to have been cleaned up")
+		} else if !exists && shouldExist {
+			t.Fatal("expected pending restart timer to exist")
+		}
 	}
-	srv.rankRestartMu.Unlock()
+
+	// Verify pending timer exists
+	checkPending(t, true)
 
 	// Wait for the deferred restart to trigger
 	time.Sleep(time.Duration(srv.cfg.EngineAutoRestartMinDelay) * time.Second)
@@ -2344,12 +2383,7 @@ func TestServer_handleEngineSelfTerminated_RateLimiting(t *testing.T) {
 	}
 
 	// Verify pending timer was cleaned up
-	srv.rankRestartMu.Lock()
-	if _, exists := srv.rankRestartPending[evt.Rank]; exists {
-		srv.rankRestartMu.Unlock()
-		t.Fatal("expected pending restart timer to be cleaned up")
-	}
-	srv.rankRestartMu.Unlock()
+	checkPending(t, false)
 
 	// Third event immediately after deferred restart should again be deferred
 	evt3 := &events.RASEvent{
@@ -2373,11 +2407,11 @@ func TestServer_handleEngineSelfTerminated_RateLimiting(t *testing.T) {
 
 	// Cleanup
 	srv.rankRestartMu.Lock()
+	defer srv.rankRestartMu.Unlock()
 	for rank, timer := range srv.rankRestartPending {
 		timer.Stop()
 		delete(srv.rankRestartPending, rank)
 	}
-	srv.rankRestartMu.Unlock()
 	<-doneCh
 }
 
@@ -2402,8 +2436,8 @@ func TestServer_handleEngineSelfTerminated_ErrorHandling(t *testing.T) {
 		cfg: &config.Server{
 			DisableEngineAutoRestart: false,
 		},
-		rankRestartTimes:   make(map[uint32]time.Time),
-		rankRestartPending: make(map[uint32]*time.Timer),
+		rankRestartTimes:   make(map[ranklist.Rank]time.Time),
+		rankRestartPending: make(map[ranklist.Rank]*time.Timer),
 	}
 
 	srv.pubSub.Subscribe(events.RASTypeInfoOnly,
@@ -2502,8 +2536,8 @@ func TestServer_handleEngineSelfTerminated_EdgeCases(t *testing.T) {
 				cfg: &config.Server{
 					DisableEngineAutoRestart: false,
 				},
-				rankRestartTimes:   make(map[uint32]time.Time),
-				rankRestartPending: make(map[uint32]*time.Timer),
+				rankRestartTimes:   make(map[ranklist.Rank]time.Time),
+				rankRestartPending: make(map[ranklist.Rank]*time.Timer),
 			}
 
 			err := handleEngineSelfTerminated(ctx, srv, tc.evt)
@@ -2541,8 +2575,8 @@ func TestServer_registerSubscriptions_includesSelfTerminated(t *testing.T) {
 		cfg: &config.Server{
 			DisableEngineAutoRestart: false,
 		},
-		rankRestartTimes:   make(map[uint32]time.Time),
-		rankRestartPending: make(map[uint32]*time.Timer),
+		rankRestartTimes:   make(map[ranklist.Rank]time.Time),
+		rankRestartPending: make(map[ranklist.Rank]*time.Timer),
 	}
 
 	registerSubscriptions(srv)
@@ -2618,8 +2652,8 @@ func TestServer_registerLeaderSubscriptions_includesSelfTerminated(t *testing.T)
 		cfg: &config.Server{
 			DisableEngineAutoRestart: false,
 		},
-		rankRestartTimes:   make(map[uint32]time.Time),
-		rankRestartPending: make(map[uint32]*time.Timer),
+		rankRestartTimes:   make(map[ranklist.Rank]time.Time),
+		rankRestartPending: make(map[ranklist.Rank]*time.Timer),
 	}
 
 	registerLeaderSubscriptions(srv)

From 7e953332c9b26f9dae08f36b86c7b7ba8cea21e2 Mon Sep 17 00:00:00 2001
From: Tom Nabarro <thomas.nabarro@hpe.com>
Date: Mon, 20 Apr 2026 20:18:58 +0100
Subject: [PATCH 17/45] use channel-based restart manager for rate-limiting

Signed-off-by: Tom Nabarro <thomas.nabarro@hpe.com>
---
 src/control/server/instance_restart.go  | 221 ++++++++++++++++++++++++
 src/control/server/server.go            |  14 ++
 src/control/server/server_utils.go      |  76 +-------
 src/control/server/server_utils_test.go |  17 +-
 4 files changed, 253 insertions(+), 75 deletions(-)
 create mode 100644 src/control/server/instance_restart.go

diff --git a/src/control/server/instance_restart.go b/src/control/server/instance_restart.go
new file mode 100644
index 00000000000..b805d2bd9bb
--- /dev/null
+++ b/src/control/server/instance_restart.go
@@ -0,0 +1,221 @@
+//
+// (C) Copyright 2026 Hewlett Packard Enterprise Development LP
+//
+// SPDX-License-Identifier: BSD-2-Clause-Patent
+//
+
+package server
+
+import (
+	"context"
+	"sync"
+	"time"
+
+	"github.com/daos-stack/daos/src/control/lib/ranklist"
+	"github.com/daos-stack/daos/src/control/logging"
+	"github.com/daos-stack/daos/src/control/server/config"
+)
+
+const (
+	// engineRestartMaxQueueSz is the maximum number of engine restart requests to be held in a
+	// channel at any one time. Additional requests will be dropped during exclusion storm.
+	engineRestartMaxQueueSz = 100
+
+	// defaultEngineAutoRestartMinDelay is the minimum number of seconds between automatic engine
+	// restarts that are triggered when engine_self_terminated RAS events are received.
+	defaultEngineAutoRestartMinDelay = 300 // 5 minutes
+)
+
+// engineRestartRequest represents a request to restart an engine instance.
+type engineRestartRequest struct {
+	rank        ranklist.Rank
+	instance    Engine
+	requestTime time.Time
+	eventTime   time.Time
+}
+
+// engineRestartManager manages engine restart requests with rate limiting.
+type engineRestartManager struct {
+	log            logging.Logger
+	cfg            *config.Server
+	requestChan    chan engineRestartRequest
+	stopChan       chan struct{}
+	lastRestart    map[ranklist.Rank]time.Time
+	pendingRestart map[ranklist.Rank]*time.Timer
+	mu             sync.Mutex
+}
+
+// getMinDelay returns the configured minimum delay between restarts.
+func (mgr *engineRestartManager) getMinDelay() time.Duration {
+	minDelay := defaultEngineAutoRestartMinDelay
+	if mgr.cfg.EngineAutoRestartMinDelay > 0 {
+		minDelay = mgr.cfg.EngineAutoRestartMinDelay
+	}
+	return time.Duration(minDelay) * time.Second
+}
+
+// canRestartNow checks if a rank can be restarted immediately.
+// Returns true if restart can proceed, false and delay duration if rate limited.
+func (mgr *engineRestartManager) canRestartNow(rank ranklist.Rank) (bool, time.Duration) {
+	mgr.mu.Lock()
+	defer mgr.mu.Unlock()
+
+	lastRestart, hasRestarted := mgr.lastRestart[rank]
+	if !hasRestarted {
+		return true, 0
+	}
+
+	minDelay := mgr.getMinDelay()
+	elapsed := time.Since(lastRestart)
+	if elapsed >= minDelay {
+		return true, 0
+	}
+
+	remaining := minDelay - elapsed
+	return false, remaining
+}
+
+// recordRestartTime records when a rank was restarted.
+func (mgr *engineRestartManager) recordRestartTime(rank ranklist.Rank) {
+	mgr.mu.Lock()
+	defer mgr.mu.Unlock()
+
+	mgr.lastRestart[rank] = time.Now()
+}
+
+// clearPendingRestart removes a pending restart timer for a rank.
+func (mgr *engineRestartManager) clearPendingRestart(rank ranklist.Rank) {
+	mgr.mu.Lock()
+	defer mgr.mu.Unlock()
+
+	delete(mgr.pendingRestart, rank)
+}
+
+// setPendingRestart stores a pending restart timer for a rank.
+func (mgr *engineRestartManager) setPendingRestart(rank ranklist.Rank, timer *time.Timer) {
+	mgr.mu.Lock()
+	defer mgr.mu.Unlock()
+
+	// Cancel any existing timer
+	if existingTimer, exists := mgr.pendingRestart[rank]; exists {
+		existingTimer.Stop()
+		mgr.log.Debugf("cancelled existing pending restart timer for rank %d", rank)
+	}
+
+	mgr.pendingRestart[rank] = timer
+}
+
+// waitForEngineStopped polls until the engine instance is stopped.
+func waitForEngineStopped(ctx context.Context, instances []Engine) error {
+	pollFn := func(e Engine) bool { return !e.IsStarted() }
+	return pollInstanceState(ctx, instances, pollFn)
+}
+
+// performRestart executes the restart after waiting for the engine to stop.
+func (mgr *engineRestartManager) performRestart(ctx context.Context, rank ranklist.Rank, instance Engine) {
+	defer mgr.clearPendingRestart(rank)
+
+	// Wait for engine to stop
+	instances := []Engine{instance}
+	if err := waitForEngineStopped(ctx, instances); err != nil {
+		mgr.log.Errorf("rank %d did not stop before restart: %s", rank, err)
+		return
+	}
+
+	mgr.log.Noticef("restarting rank %d", rank)
+	instance.requestStart(ctx)
+
+	// Record restart time and clear pending state on exit (deferred)
+	mgr.recordRestartTime(rank)
+}
+
+// processRestartRequest handles a single restart request with rate limiting.
+func (mgr *engineRestartManager) processRestartRequest(ctx context.Context, req engineRestartRequest) {
+	rank := req.rank
+	instance := req.instance
+
+	mgr.log.Debugf("processing restart request for rank %d", rank)
+
+	canRestart, delay := mgr.canRestartNow(rank)
+	if !canRestart {
+		mgr.log.Noticef("rank %d restart rate limited: will restart in %s",
+			rank, delay.Round(time.Second))
+
+		// Schedule deferred restart
+		timer := time.AfterFunc(delay, func() {
+			mgr.log.Noticef("deferred restart triggered for rank %d after rate-limit delay", rank)
+			mgr.performRestart(ctx, rank, instance)
+		})
+
+		// Overwrite any existing pending restart
+		mgr.setPendingRestart(rank, timer)
+		return
+	}
+
+	// Can restart immediately
+	mgr.performRestart(ctx, rank, instance)
+}
+
+// requestRestart submits a restart request to the manager.
+func (mgr *engineRestartManager) requestRestart(rank ranklist.Rank, instance Engine, eventTime time.Time) {
+	req := engineRestartRequest{
+		rank:        rank,
+		instance:    instance,
+		requestTime: time.Now(),
+		eventTime:   eventTime,
+	}
+
+	select {
+	case mgr.requestChan <- req:
+		mgr.log.Debugf("restart request queued for rank %d", rank)
+	default:
+		mgr.log.Errorf("restart request channel full, dropping request for rank %d", rank)
+	}
+}
+
+// start begins processing restart requests.
+func (mgr *engineRestartManager) start(ctx context.Context) {
+	mgr.log.Debug("engine restart manager started")
+	go func() {
+		for {
+			select {
+			case <-ctx.Done():
+				mgr.log.Debug("engine restart manager context cancelled")
+				return
+			case <-mgr.stopChan:
+				mgr.log.Debug("engine restart manager stopped")
+				return
+			case req := <-mgr.requestChan:
+				mgr.processRestartRequest(ctx, req)
+			}
+		}
+	}()
+}
+
+// stop shuts down the restart manager.
+func (mgr *engineRestartManager) stop() {
+	mgr.log.Debug("stopping engine restart manager")
+	mgr.mu.Lock()
+	defer mgr.mu.Unlock()
+
+	// Cancel all pending restart timers
+	for rank, timer := range mgr.pendingRestart {
+		timer.Stop()
+		mgr.log.Debugf("cancelled pending restart for rank %d", rank)
+	}
+	mgr.pendingRestart = make(map[ranklist.Rank]*time.Timer)
+
+	close(mgr.stopChan)
+}
+
+// newEngineRestartManager creates a new restart manager.
+func newEngineRestartManager(log logging.Logger, cfg *config.Server) *engineRestartManager {
+	return &engineRestartManager{
+		log:            log,
+		cfg:            cfg,
+		requestChan:    make(chan engineRestartRequest, engineRestartMaxQueueSz),
+		stopChan:       make(chan struct{}),
+		lastRestart:    make(map[ranklist.Rank]time.Time),
+		pendingRestart: make(map[ranklist.Rank]*time.Timer),
+	}
+}
diff --git a/src/control/server/server.go b/src/control/server/server.go
index d99544cf9b5..759f1f4b63f 100644
--- a/src/control/server/server.go
+++ b/src/control/server/server.go
@@ -169,6 +169,9 @@ type server struct {
 	onEnginesStarted []func(context.Context) error
 	onShutdown       []func()
 
+	restartMgr *engineRestartManager
+
+	// Deprecated: use restartMgr instead
 	rankRestartMu      sync.Mutex
 	rankRestartTimes   map[ranklist.Rank]time.Time
 	rankRestartPending map[ranklist.Rank]*time.Timer
@@ -194,6 +197,7 @@ func newServer(log logging.Logger, cfg *config.Server, faultDomain *system.Fault
 		runningUser:        cu,
 		faultDomain:        faultDomain,
 		harness:            harness,
+		restartMgr:         newEngineRestartManager(log, cfg),
 		rankRestartTimes:   make(map[ranklist.Rank]time.Time),
 		rankRestartPending: make(map[ranklist.Rank]*time.Timer),
 	}, nil
@@ -290,6 +294,11 @@ func (srv *server) OnShutdown(fns ...func()) {
 }
 
 func (srv *server) shutdown() {
+	// Stop the restart manager first
+	if srv.restartMgr != nil {
+		srv.restartMgr.stop()
+	}
+
 	srv.cbLock.Lock()
 	onShutdownCbs := srv.onShutdown
 	srv.cbLock.Unlock()
@@ -413,6 +422,11 @@ func (srv *server) addEngines(ctx context.Context, smi *common.SysMemInfo) error
 		allStarted.Wait()
 		srv.log.Debug("engines have started")
 
+		// Start the restart manager
+		if srv.restartMgr != nil {
+			srv.restartMgr.start(ctx)
+		}
+
 		srv.cbLock.Lock()
 		onEnginesStartedCbs := srv.onEnginesStarted
 		srv.cbLock.Unlock()
diff --git a/src/control/server/server_utils.go b/src/control/server/server_utils.go
index 21fb5f2baa3..07ce0aed368 100644
--- a/src/control/server/server_utils.go
+++ b/src/control/server/server_utils.go
@@ -18,7 +18,6 @@ import (
 	"strconv"
 	"strings"
 	"sync"
-	"time"
 
 	"github.com/dustin/go-humanize"
 	"github.com/pkg/errors"
@@ -47,10 +46,6 @@ const (
 
 	// maxLineChars is the maximum number of chars per line in a formatted byte string.
 	maxLineChars = 32
-
-	// defaultEngineAutoRestartMinDelay is the minimum number of seconds between automatic engine
-	// restarts that are triggered when engine_self_terminated RAS events are received.
-	defaultEngineAutoRestartMinDelay = 300 // 5 minutes
 )
 
 // netListenerFn is a type alias for the net.Listener function signature.
@@ -776,7 +771,6 @@ func registerTelemetryCallbacks(ctx context.Context, srv *server) {
 
 // Handle local engine self termination and restart engine to rejoin system.
 func handleEngineSelfTerminated(ctx context.Context, srv *server, evt *events.RASEvent) error {
-
 	srv.log.Tracef("handling engine self termination")
 
 	if evt.IsForwarded() {
@@ -813,74 +807,18 @@ func handleEngineSelfTerminated(ctx context.Context, srv *server, evt *events.RA
 	}
 	ei := instances[0]
 
-	srv.log.Noticef("%s was notified @ %s of rank %d:%d (instance %d) self terminated", ts, evt.Hostname,
-		evt.Rank, evt.Incarnation, ei.Index())
+	srv.log.Noticef("%s was notified @ %s of rank %d:%d (instance %d) self terminated", ts,
+		evt.Hostname, evt.Rank, evt.Incarnation, ei.Index())
 
 	rank := ranklist.Rank(evt.Rank)
 
-	// Check if rank can be restarted based on rate limiting
-	minDelay := defaultEngineAutoRestartMinDelay
-	if srv.cfg.EngineAutoRestartMinDelay > 0 {
-		minDelay = srv.cfg.EngineAutoRestartMinDelay
-	}
-	minDelayDuration := time.Duration(minDelay) * time.Second
-
-	srv.rankRestartMu.Lock()
-	defer srv.rankRestartMu.Unlock()
-	lastRestart, hasRestarted := srv.rankRestartTimes[rank]
-	now := time.Now()
-
-	if hasRestarted {
-		elapsed := now.Sub(lastRestart)
-		if elapsed < minDelayDuration {
-			remaining := minDelayDuration - elapsed
-
-			// Cancel any existing pending restart timer for this rank
-			if existingTimer, exists := srv.rankRestartPending[rank]; exists {
-				existingTimer.Stop()
-			}
-
-			// Schedule deferred restart after remaining delay
-			srv.rankRestartPending[rank] = time.AfterFunc(remaining, func() {
-				srv.rankRestartMu.Lock()
-				defer srv.rankRestartMu.Unlock()
-
-				srv.log.Noticef("deferred restart triggered for rank %d (instance %d) after rate-limit delay",
-					evt.Rank, ei.Index())
-
-				// Wait until engine is stopped
-				pollFn := func(e Engine) bool { return !e.IsStarted() }
-				if err := pollInstanceState(ctx, instances, pollFn); err != nil {
-					srv.log.Errorf("rank %d (instance %d) did not stop before deferred restart",
-						evt.Rank, ei.Index())
-					delete(srv.rankRestartPending, rank)
-					return
-				}
-
-				srv.log.Noticef("restarting rank %d (instance %d) after rate-limit delay", evt.Rank, ei.Index())
-				ei.requestStart(ctx)
-
-				// Update restart time and clear pending flag
-				srv.rankRestartTimes[rank] = time.Now()
-				delete(srv.rankRestartPending, rank)
-			})
-
-			srv.log.Noticef("rank %d restart deferred: will restart in %s (min delay: %s)",
-				evt.Rank, remaining.Round(time.Second), minDelayDuration)
-			return nil
-		}
-	}
-
-	srv.rankRestartTimes[rank] = now
-
-	// Wait until engine is stopped.
-	pollFn := func(e Engine) bool { return !e.IsStarted() }
-	if err := pollInstanceState(ctx, instances, pollFn); err != nil {
-		return errors.Errorf("rank %d (instance %d) did not stop", evt.Rank, ei.Index())
+	if srv.restartMgr == nil {
+		return errors.Errorf("restart manager not initialized, cannot restart rank %d",
+			rank)
 	}
 
-	srv.log.Noticef("restarting rank %d (instance %d) after self-termination", evt.Rank, ei.Index())
-	ei.requestStart(ctx)
+	// Submit restart request to the restart manager
+	srv.restartMgr.requestRestart(rank, ei, ts)
 
 	return nil
 }
diff --git a/src/control/server/server_utils_test.go b/src/control/server/server_utils_test.go
index 4e38402d102..bc11ed4c566 100644
--- a/src/control/server/server_utils_test.go
+++ b/src/control/server/server_utils_test.go
@@ -2026,6 +2026,7 @@ func TestServer_handleEngineSelfTerminated(t *testing.T) {
 		evt                      *events.RASEvent
 		setupEngines             func(*testing.T, logging.Logger, *EngineHarness)
 		disableEngineAutoRestart bool
+		engineAutoRestartDelay   int
 		serverHostname           string
 		expErr                   error
 		expEngineRestarted       bool
@@ -2199,13 +2200,17 @@ func TestServer_handleEngineSelfTerminated(t *testing.T) {
 				tc.setupEngines(t, log, harness)
 			}
 
+			cfg := &config.Server{
+				DisableEngineAutoRestart:  tc.disableEngineAutoRestart,
+				EngineAutoRestartMinDelay: tc.engineAutoRestartDelay,
+			}
+
 			srv := &server{
-				log:      log,
-				hostname: tc.serverHostname,
-				harness:  harness,
-				cfg: &config.Server{
-					DisableEngineAutoRestart: tc.disableEngineAutoRestart,
-				},
+				log:                log,
+				hostname:           tc.serverHostname,
+				harness:            harness,
+				cfg:                cfg,
+				restartMgr:         newEngineRestartManager(log, cfg),
 				rankRestartTimes:   make(map[ranklist.Rank]time.Time),
 				rankRestartPending: make(map[ranklist.Rank]*time.Timer),
 			}

From 6252edf7710d5182ff91a147a483b94200d1ebf4 Mon Sep 17 00:00:00 2001
From: Tom Nabarro <thomas.nabarro@hpe.com>
Date: Tue, 21 Apr 2026 13:54:09 +0100
Subject: [PATCH 18/45] fix handleEngineSelfTerminated unit tests

Signed-off-by: Tom Nabarro <thomas.nabarro@hpe.com>
---
 src/control/server/instance_restart.go  |   1 +
 src/control/server/server_utils_test.go | 225 ++++++++++++++----------
 2 files changed, 129 insertions(+), 97 deletions(-)

diff --git a/src/control/server/instance_restart.go b/src/control/server/instance_restart.go
index b805d2bd9bb..aaf3abc6e4e 100644
--- a/src/control/server/instance_restart.go
+++ b/src/control/server/instance_restart.go
@@ -127,6 +127,7 @@ func (mgr *engineRestartManager) performRestart(ctx context.Context, rank rankli
 
 	// Record restart time and clear pending state on exit (deferred)
 	mgr.recordRestartTime(rank)
+	mgr.log.Noticef("recording rank %d", rank)
 }
 
 // processRestartRequest handles a single restart request with rate limiting.
diff --git a/src/control/server/server_utils_test.go b/src/control/server/server_utils_test.go
index bc11ed4c566..81b67d90ccd 100644
--- a/src/control/server/server_utils_test.go
+++ b/src/control/server/server_utils_test.go
@@ -1992,7 +1992,7 @@ f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 const (
 	testContextTimeout     = 1 * time.Second
 	testHandlerTimeout     = 1 * time.Second
-	testRestartRequestWait = 3 * time.Second
+	testRestartRequestWait = 5 * time.Second
 	testSubscriptionDelay  = 50 * time.Millisecond
 	testProcessingDelay    = 100 * time.Millisecond
 )
@@ -2029,7 +2029,7 @@ func TestServer_handleEngineSelfTerminated(t *testing.T) {
 		engineAutoRestartDelay   int
 		serverHostname           string
 		expErr                   error
-		expEngineRestarted       bool
+		expRestartRequested      bool
 		expLogContains           []string
 	}{
 		"forwarded event refused": {
@@ -2043,9 +2043,9 @@ func TestServer_handleEngineSelfTerminated(t *testing.T) {
 			setupEngines: func(t *testing.T, log logging.Logger, h *EngineHarness) {
 				setupTestEngine(t, log, h, false)
 			},
-			serverHostname:     testHostname,
-			expEngineRestarted: false,
-			expErr:             errors.New("forwarded engine_self_terminated event"),
+			serverHostname:      testHostname,
+			expRestartRequested: false,
+			expErr:              errors.New("forwarded engine_self_terminated event"),
 		},
 		"non-local event refused": {
 			evt: &events.RASEvent{
@@ -2058,9 +2058,9 @@ func TestServer_handleEngineSelfTerminated(t *testing.T) {
 			setupEngines: func(t *testing.T, log logging.Logger, h *EngineHarness) {
 				setupTestEngine(t, log, h, false)
 			},
-			serverHostname:     testHostname,
-			expEngineRestarted: false,
-			expErr:             errors.New("non-local engine_self_terminated event"),
+			serverHostname:      testHostname,
+			expRestartRequested: false,
+			expErr:              errors.New("non-local engine_self_terminated event"),
 		},
 		"auto restart disabled by config": {
 			evt: &events.RASEvent{
@@ -2074,7 +2074,7 @@ func TestServer_handleEngineSelfTerminated(t *testing.T) {
 				setupTestEngine(t, log, h, false)
 			},
 			disableEngineAutoRestart: true,
-			expEngineRestarted:       false,
+			expRestartRequested:      false,
 			expLogContains: []string{
 				"automatic engine restart disabled",
 			},
@@ -2087,8 +2087,8 @@ func TestServer_handleEngineSelfTerminated(t *testing.T) {
 				Hostname:    testHostname,
 				Timestamp:   "",
 			},
-			expErr:             errors.New("bad event timestamp"),
-			expEngineRestarted: false,
+			expErr:              errors.New("bad event timestamp"),
+			expRestartRequested: false,
 		},
 		"invalid event timestamp": {
 			evt: &events.RASEvent{
@@ -2098,8 +2098,8 @@ func TestServer_handleEngineSelfTerminated(t *testing.T) {
 				Hostname:    testHostname,
 				Timestamp:   "not-a-valid-timestamp",
 			},
-			expErr:             errors.New("bad event timestamp"),
-			expEngineRestarted: false,
+			expErr:              errors.New("bad event timestamp"),
+			expRestartRequested: false,
 		},
 		"rank not found in harness": {
 			evt: &events.RASEvent{
@@ -2116,8 +2116,8 @@ func TestServer_handleEngineSelfTerminated(t *testing.T) {
 					t.Fatal(err)
 				}
 			},
-			expErr:             errors.New("no instance found for rank 99"),
-			expEngineRestarted: false,
+			expErr:              errors.New("no instance found for rank 99"),
+			expRestartRequested: false,
 		},
 		"filter instances error - nil superblock": {
 			evt: &events.RASEvent{
@@ -2134,10 +2134,10 @@ func TestServer_handleEngineSelfTerminated(t *testing.T) {
 					t.Fatal(err)
 				}
 			},
-			expErr:             errors.New("no instance found for rank"),
-			expEngineRestarted: false,
+			expErr:              errors.New("no instance found for rank"),
+			expRestartRequested: false,
 		},
-		"successful restart - engine already stopped": {
+		"successful restart request - engine already stopped": {
 			evt: &events.RASEvent{
 				ID:          events.RASEngineSelfTerminated,
 				Rank:        uint32(testRank),
@@ -2148,13 +2148,13 @@ func TestServer_handleEngineSelfTerminated(t *testing.T) {
 			setupEngines: func(t *testing.T, log logging.Logger, h *EngineHarness) {
 				setupTestEngine(t, log, h, false)
 			},
-			expEngineRestarted: true,
+			expRestartRequested: true,
 			expLogContains: []string{
 				fmt.Sprintf("rank %d:%d (instance 0) self terminated", testRank, testIncarnation),
 				testHostname,
 			},
 		},
-		"timeout waiting for engine to stop": {
+		"successful restart request - engine still running": {
 			evt: &events.RASEvent{
 				ID:          events.RASEngineSelfTerminated,
 				Rank:        uint32(testRank),
@@ -2165,8 +2165,10 @@ func TestServer_handleEngineSelfTerminated(t *testing.T) {
 			setupEngines: func(t *testing.T, log logging.Logger, h *EngineHarness) {
 				setupTestEngine(t, log, h, true)
 			},
-			expErr:             errors.New("did not stop"),
-			expEngineRestarted: false,
+			expRestartRequested: false,
+			expLogContains: []string{
+				fmt.Sprintf("rank %d:%d (instance 0) self terminated", testRank, testIncarnation),
+			},
 		},
 		"multiple engines - restart correct one": {
 			evt: &events.RASEvent{
@@ -2181,7 +2183,7 @@ func TestServer_handleEngineSelfTerminated(t *testing.T) {
 					setupTestEngine(t, log, h, false, uint32(i))
 				}
 			},
-			expEngineRestarted: true,
+			expRestartRequested: true,
 			expLogContains: []string{
 				"rank 2:42 (instance 2) self terminated",
 			},
@@ -2205,14 +2207,16 @@ func TestServer_handleEngineSelfTerminated(t *testing.T) {
 				EngineAutoRestartMinDelay: tc.engineAutoRestartDelay,
 			}
 
+			restartMgr := newEngineRestartManager(log, cfg)
+			restartMgr.start(ctx)
+			defer restartMgr.stop()
+
 			srv := &server{
-				log:                log,
-				hostname:           tc.serverHostname,
-				harness:            harness,
-				cfg:                cfg,
-				restartMgr:         newEngineRestartManager(log, cfg),
-				rankRestartTimes:   make(map[ranklist.Rank]time.Time),
-				rankRestartPending: make(map[ranklist.Rank]*time.Timer),
+				log:        log,
+				hostname:   tc.serverHostname,
+				harness:    harness,
+				cfg:        cfg,
+				restartMgr: restartMgr,
 			}
 
 			var wg sync.WaitGroup
@@ -2220,7 +2224,7 @@ func TestServer_handleEngineSelfTerminated(t *testing.T) {
 
 			if len(harness.instances) > 0 {
 				targetRank := ranklist.Rank(tc.evt.Rank)
-				for i, inst := range harness.instances {
+				for _, inst := range harness.instances {
 					rank, err := inst.GetRank()
 					if err != nil || rank != targetRank {
 						continue
@@ -2232,27 +2236,29 @@ func TestServer_handleEngineSelfTerminated(t *testing.T) {
 					}
 
 					wg.Add(1)
-
-					go func(e *EngineInstance, idx int) {
+					go func(e *EngineInstance) {
 						defer wg.Done()
 						select {
 						case <-ctx.Done():
 						case <-e.startRequested:
 							restartRequested.Store(true)
-						case <-time.After(testRestartRequestWait):
 						}
-					}(ei, i)
+					}(ei)
 				}
 			}
 
 			err := handleEngineSelfTerminated(ctx, srv, tc.evt)
 			wg.Wait()
 
+			if tc.expRestartRequested {
+				time.Sleep(testProcessingDelay)
+			}
+
 			test.CmpErr(t, tc.expErr, err)
 
-			if tc.expEngineRestarted != restartRequested.Load() {
-				t.Errorf("expected engine restarted=%v, got=%v",
-					tc.expEngineRestarted, restartRequested.Load())
+			if tc.expRestartRequested != restartRequested.Load() {
+				t.Errorf("expected restart requested=%v, got=%v",
+					tc.expRestartRequested, restartRequested.Load())
 			}
 
 			logOutput := buf.String()
@@ -2275,19 +2281,26 @@ func TestServer_handleEngineSelfTerminated_RateLimiting(t *testing.T) {
 	log, buf := logging.NewTestLogger(t.Name())
 	defer test.ShowBufferOnFailure(t, buf)
 
-	ctx := test.Context(t)
+	ctx, cancel := context.WithTimeout(test.Context(t), 10*time.Second)
+	defer cancel()
+
 	harness := NewEngineHarness(log)
 	setupTestEngine(t, log, harness, false)
 
+	cfg := &config.Server{
+		DisableEngineAutoRestart:  false,
+		EngineAutoRestartMinDelay: 2, // 2 seconds for testing
+	}
+
+	restartMgr := newEngineRestartManager(log, cfg)
+	restartMgr.start(ctx)
+	defer restartMgr.stop()
+
 	srv := &server{
-		log:     log,
-		harness: harness,
-		cfg: &config.Server{
-			DisableEngineAutoRestart:  false,
-			EngineAutoRestartMinDelay: 2, // 2 seconds for testing
-		},
-		rankRestartTimes:   make(map[ranklist.Rank]time.Time),
-		rankRestartPending: make(map[ranklist.Rank]*time.Timer),
+		log:        log,
+		harness:    harness,
+		cfg:        cfg,
+		restartMgr: restartMgr,
 	}
 
 	// Get reference to the engine instance for monitoring startRequested
@@ -2308,7 +2321,7 @@ func TestServer_handleEngineSelfTerminated_RateLimiting(t *testing.T) {
 		Timestamp:   validTimestamp,
 	}
 
-	// Setup goroutine to consume startRequested channel to prevent blocking
+	// Setup goroutine to consume startRequested channel
 	restartCount := atomic.Uint32{}
 	doneCh := make(chan struct{})
 	go func() {
@@ -2319,7 +2332,7 @@ func TestServer_handleEngineSelfTerminated_RateLimiting(t *testing.T) {
 				return
 			case <-e.startRequested:
 				restartCount.Add(1)
-			case <-time.After(5 * time.Second):
+			case <-time.After(testRestartRequestWait):
 				return
 			}
 		}
@@ -2357,17 +2370,17 @@ func TestServer_handleEngineSelfTerminated_RateLimiting(t *testing.T) {
 		t.Fatalf("expected restart to be deferred, got %d restarts", restartCount.Load())
 	}
 
-	// Verify deferred restart log message
+	// Verify rate limiting log message
 	logOutput := buf.String()
-	if !strings.Contains(logOutput, "restart deferred") {
-		t.Errorf("expected log to contain 'restart deferred', got: %s", logOutput)
+	if !strings.Contains(logOutput, "rate limited") {
+		t.Errorf("expected log to contain 'rate limited', got: %s", logOutput)
 	}
 
 	checkPending := func(t *testing.T, shouldExist bool) {
 		t.Helper()
-		srv.rankRestartMu.Lock()
-		defer srv.rankRestartMu.Unlock()
-		_, exists := srv.rankRestartPending[testRank]
+		restartMgr.mu.Lock()
+		defer restartMgr.mu.Unlock()
+		_, exists := restartMgr.pendingRestart[testRank]
 		if exists && !shouldExist {
 			t.Fatal("expected pending restart timer to have been cleaned up")
 		} else if !exists && shouldExist {
@@ -2410,13 +2423,6 @@ func TestServer_handleEngineSelfTerminated_RateLimiting(t *testing.T) {
 		t.Fatalf("expected third restart to be deferred, got %d restarts", restartCount.Load())
 	}
 
-	// Cleanup
-	srv.rankRestartMu.Lock()
-	defer srv.rankRestartMu.Unlock()
-	for rank, timer := range srv.rankRestartPending {
-		timer.Stop()
-		delete(srv.rankRestartPending, rank)
-	}
 	<-doneCh
 }
 
@@ -2424,33 +2430,40 @@ func TestServer_handleEngineSelfTerminated_ErrorHandling(t *testing.T) {
 	log, buf := logging.NewTestLogger(t.Name())
 	defer test.ShowBufferOnFailure(t, buf)
 
-	ctx := test.Context(t)
+	ctx, cancel := context.WithTimeout(test.Context(t), 2*time.Second)
+	defer cancel()
 
 	harness := NewEngineHarness(log)
 	pubSub := events.NewPubSub(ctx, log)
 
+	cfg := &config.Server{
+		DisableEngineAutoRestart: false,
+	}
+
+	restartMgr := newEngineRestartManager(log, cfg)
+	restartMgr.start(ctx)
+	defer restartMgr.stop()
+
 	// Channel to signal when handler completes
 	handlerDone := make(chan struct{})
 	var once sync.Once
 
 	srv := &server{
-		log:       log,
-		harness:   harness,
-		pubSub:    pubSub,
-		evtLogger: control.MockEventLogger(log),
-		cfg: &config.Server{
-			DisableEngineAutoRestart: false,
-		},
-		rankRestartTimes:   make(map[ranklist.Rank]time.Time),
-		rankRestartPending: make(map[ranklist.Rank]*time.Timer),
+		log:        log,
+		harness:    harness,
+		pubSub:     pubSub,
+		evtLogger:  control.MockEventLogger(log),
+		cfg:        cfg,
+		restartMgr: restartMgr,
 	}
 
 	srv.pubSub.Subscribe(events.RASTypeInfoOnly,
 		events.HandlerFunc(func(ctx context.Context, evt *events.RASEvent) {
-			log.Debugf("ErrorHandling test handler called for event: ID=%v, Type=%v", evt.ID, evt.Type)
+			log.Debugf("ErrorHandling: handler called for event: ID=%v, Type=%v",
+				evt.ID, evt.Type)
 			switch evt.ID {
 			case events.RASEngineSelfTerminated:
-				log.Debugf("ErrorHandling test handling engine self termination event")
+				log.Debugf("ErrorHandling: handling engine self termination event")
 				if err := handleEngineSelfTerminated(ctx, srv, evt); err != nil {
 					srv.log.Errorf("handleEngineSelfTerminated: %s", err)
 				}
@@ -2535,14 +2548,20 @@ func TestServer_handleEngineSelfTerminated_EdgeCases(t *testing.T) {
 			defer cancel()
 
 			harness := NewEngineHarness(log)
+
+			cfg := &config.Server{
+				DisableEngineAutoRestart: false,
+			}
+
+			restartMgr := newEngineRestartManager(log, cfg)
+			restartMgr.start(ctx)
+			defer restartMgr.stop()
+
 			srv := &server{
-				log:     log,
-				harness: harness,
-				cfg: &config.Server{
-					DisableEngineAutoRestart: false,
-				},
-				rankRestartTimes:   make(map[ranklist.Rank]time.Time),
-				rankRestartPending: make(map[ranklist.Rank]*time.Timer),
+				log:        log,
+				harness:    harness,
+				cfg:        cfg,
+				restartMgr: restartMgr,
 			}
 
 			err := handleEngineSelfTerminated(ctx, srv, tc.evt)
@@ -2563,25 +2582,31 @@ func TestServer_registerSubscriptions_includesSelfTerminated(t *testing.T) {
 	log, buf := logging.NewTestLogger(t.Name())
 	defer test.ShowBufferOnFailure(t, buf)
 
-	ctx := test.Context(t)
+	ctx, cancel := context.WithTimeout(test.Context(t), 2*time.Second)
+	defer cancel()
 
 	harness := NewEngineHarness(log)
 	pubSub := events.NewPubSub(ctx, log)
 
+	cfg := &config.Server{
+		DisableEngineAutoRestart: false,
+	}
+
+	restartMgr := newEngineRestartManager(log, cfg)
+	restartMgr.start(ctx)
+	defer restartMgr.stop()
+
 	// Channel to signal when ANY handler processes the event
 	eventProcessed := make(chan struct{})
 	var once sync.Once
 
 	srv := &server{
-		log:       log,
-		harness:   harness,
-		pubSub:    pubSub,
-		evtLogger: control.MockEventLogger(log),
-		cfg: &config.Server{
-			DisableEngineAutoRestart: false,
-		},
-		rankRestartTimes:   make(map[ranklist.Rank]time.Time),
-		rankRestartPending: make(map[ranklist.Rank]*time.Timer),
+		log:        log,
+		harness:    harness,
+		pubSub:     pubSub,
+		evtLogger:  control.MockEventLogger(log),
+		cfg:        cfg,
+		restartMgr: restartMgr,
 	}
 
 	registerSubscriptions(srv)
@@ -2635,13 +2660,22 @@ func TestServer_registerLeaderSubscriptions_includesSelfTerminated(t *testing.T)
 	log, buf := logging.NewTestLogger(t.Name())
 	defer test.ShowBufferOnFailure(t, buf)
 
-	ctx := test.Context(t)
+	ctx, cancel := context.WithTimeout(test.Context(t), testProcessingTimeout+time.Second)
+	defer cancel()
 
 	harness := NewEngineHarness(log)
 	pubSub := events.NewPubSub(ctx, log)
 
 	svc := newTestMgmtSvc(t, log)
 
+	cfg := &config.Server{
+		DisableEngineAutoRestart: false,
+	}
+
+	restartMgr := newEngineRestartManager(log, cfg)
+	restartMgr.start(ctx)
+	defer restartMgr.stop()
+
 	// Channel to signal when ANY handler processes the event
 	eventProcessed := make(chan struct{})
 	var once sync.Once
@@ -2654,11 +2688,8 @@ func TestServer_registerLeaderSubscriptions_includesSelfTerminated(t *testing.T)
 		membership: svc.membership,
 		sysdb:      svc.sysdb,
 		mgmtSvc:    svc,
-		cfg: &config.Server{
-			DisableEngineAutoRestart: false,
-		},
-		rankRestartTimes:   make(map[ranklist.Rank]time.Time),
-		rankRestartPending: make(map[ranklist.Rank]*time.Timer),
+		cfg:        cfg,
+		restartMgr: restartMgr,
 	}
 
 	registerLeaderSubscriptions(srv)

From de033c1165f55d851891b221a6fd7eb4dcc86834 Mon Sep 17 00:00:00 2001
From: Tom Nabarro <thomas.nabarro@hpe.com>
Date: Wed, 22 Apr 2026 14:57:30 +0100
Subject: [PATCH 19/45] add unit tests for engine restart manager

Features: control
Signed-off-by: Tom Nabarro <thomas.nabarro@hpe.com>
---
 src/control/server/instance_restart.go      |   7 +-
 src/control/server/instance_restart_test.go | 709 ++++++++++++++++++++
 src/control/server/server_utils_test.go     |   6 +-
 3 files changed, 717 insertions(+), 5 deletions(-)
 create mode 100644 src/control/server/instance_restart_test.go

diff --git a/src/control/server/instance_restart.go b/src/control/server/instance_restart.go
index aaf3abc6e4e..fd23ba900b0 100644
--- a/src/control/server/instance_restart.go
+++ b/src/control/server/instance_restart.go
@@ -42,7 +42,7 @@ type engineRestartManager struct {
 	stopChan       chan struct{}
 	lastRestart    map[ranklist.Rank]time.Time
 	pendingRestart map[ranklist.Rank]*time.Timer
-	mu             sync.Mutex
+	mu             sync.RWMutex
 }
 
 // getMinDelay returns the configured minimum delay between restarts.
@@ -57,8 +57,8 @@ func (mgr *engineRestartManager) getMinDelay() time.Duration {
 // canRestartNow checks if a rank can be restarted immediately.
 // Returns true if restart can proceed, false and delay duration if rate limited.
 func (mgr *engineRestartManager) canRestartNow(rank ranklist.Rank) (bool, time.Duration) {
-	mgr.mu.Lock()
-	defer mgr.mu.Unlock()
+	mgr.mu.RLock()
+	defer mgr.mu.RUnlock()
 
 	lastRestart, hasRestarted := mgr.lastRestart[rank]
 	if !hasRestarted {
@@ -81,6 +81,7 @@ func (mgr *engineRestartManager) recordRestartTime(rank ranklist.Rank) {
 	defer mgr.mu.Unlock()
 
 	mgr.lastRestart[rank] = time.Now()
+	mgr.log.Debugf("last restart recorded")
 }
 
 // clearPendingRestart removes a pending restart timer for a rank.
diff --git a/src/control/server/instance_restart_test.go b/src/control/server/instance_restart_test.go
new file mode 100644
index 00000000000..3bc14d5cb2e
--- /dev/null
+++ b/src/control/server/instance_restart_test.go
@@ -0,0 +1,709 @@
+//
+// (C) Copyright 2026 Hewlett Packard Enterprise Development LP
+//
+// SPDX-License-Identifier: BSD-2-Clause-Patent
+//
+
+package server
+
+import (
+	"context"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/daos-stack/daos/src/control/common/test"
+	"github.com/daos-stack/daos/src/control/lib/ranklist"
+	"github.com/daos-stack/daos/src/control/logging"
+	"github.com/daos-stack/daos/src/control/server/config"
+)
+
+func TestServer_EngineRestartManager_GetMinDelay(t *testing.T) {
+	for name, tc := range map[string]struct {
+		configDelay int
+		expDelay    time.Duration
+	}{
+		"default delay": {
+			configDelay: 0,
+			expDelay:    300 * time.Second,
+		},
+		"custom delay": {
+			configDelay: 60,
+			expDelay:    60 * time.Second,
+		},
+		"long delay": {
+			configDelay: 600,
+			expDelay:    600 * time.Second,
+		},
+	} {
+		t.Run(name, func(t *testing.T) {
+			log, buf := logging.NewTestLogger(t.Name())
+			defer test.ShowBufferOnFailure(t, buf)
+
+			cfg := &config.Server{
+				EngineAutoRestartMinDelay: tc.configDelay,
+			}
+
+			mgr := newEngineRestartManager(log, cfg)
+
+			gotDelay := mgr.getMinDelay()
+			if gotDelay != tc.expDelay {
+				t.Errorf("expected delay %s, got %s", tc.expDelay, gotDelay)
+			}
+		})
+	}
+}
+
+func TestServer_EngineRestartManager_CanRestartNow(t *testing.T) {
+	for name, tc := range map[string]struct {
+		lastRestartAge time.Duration
+		minDelay       int
+		expCanRestart  bool
+	}{
+		"no previous restart": {
+			lastRestartAge: 0,
+			minDelay:       60,
+			expCanRestart:  true,
+		},
+		"enough time elapsed": {
+			lastRestartAge: 70 * time.Second,
+			minDelay:       60,
+			expCanRestart:  true,
+		},
+		"not enough time elapsed": {
+			lastRestartAge: 50 * time.Second,
+			minDelay:       60,
+			expCanRestart:  false,
+		},
+		"exactly minimum delay": {
+			lastRestartAge: 60 * time.Second,
+			minDelay:       60,
+			expCanRestart:  true,
+		},
+	} {
+		t.Run(name, func(t *testing.T) {
+			log, buf := logging.NewTestLogger(t.Name())
+			defer test.ShowBufferOnFailure(t, buf)
+
+			cfg := &config.Server{
+				EngineAutoRestartMinDelay: tc.minDelay,
+			}
+
+			mgr := newEngineRestartManager(log, cfg)
+			testRank := ranklist.Rank(1)
+
+			// Set last restart time if test case specifies
+			if tc.lastRestartAge > 0 {
+				mgr.lastRestart[testRank] = time.Now().Add(-tc.lastRestartAge)
+			}
+
+			canRestart, remaining := mgr.canRestartNow(testRank)
+
+			if canRestart != tc.expCanRestart {
+				t.Errorf("expected canRestart=%v, got %v", tc.expCanRestart,
+					canRestart)
+			}
+
+			if tc.expCanRestart && remaining != 0 {
+				t.Errorf("expected no remaining delay when can restart, got %s",
+					remaining)
+			}
+
+			if !tc.expCanRestart && remaining <= 0 {
+				t.Errorf("expected positive remaining delay when cannot restart, "+
+					"got %s", remaining)
+			}
+		})
+	}
+}
+
+func TestServer_EngineRestartManager_RecordRestartTime(t *testing.T) {
+	log, buf := logging.NewTestLogger(t.Name())
+	defer test.ShowBufferOnFailure(t, buf)
+
+	cfg := &config.Server{}
+	mgr := newEngineRestartManager(log, cfg)
+	testRank := ranklist.Rank(1)
+
+	beforeRecord := time.Now()
+	mgr.recordRestartTime(testRank)
+	afterRecord := time.Now()
+
+	recordedTime, exists := mgr.lastRestart[testRank]
+	if !exists {
+		t.Fatal("restart time not recorded")
+	}
+
+	if recordedTime.Before(beforeRecord) || recordedTime.After(afterRecord) {
+		t.Errorf("recorded time %s outside expected range [%s, %s]",
+			recordedTime, beforeRecord, afterRecord)
+	}
+}
+
+func TestServer_EngineRestartManager_SetPendingRestart(t *testing.T) {
+	log, buf := logging.NewTestLogger(t.Name())
+	defer test.ShowBufferOnFailure(t, buf)
+
+	cfg := &config.Server{}
+	mgr := newEngineRestartManager(log, cfg)
+	testRank := ranklist.Rank(1)
+
+	// Set initial timer
+	timer1 := time.NewTimer(10 * time.Second)
+	mgr.setPendingRestart(testRank, timer1)
+
+	if len(mgr.pendingRestart) != 1 {
+		t.Fatalf("expected 1 pending restart, got %d", len(mgr.pendingRestart))
+	}
+
+	// Set another timer for same rank (should cancel previous)
+	timer2 := time.NewTimer(5 * time.Second)
+	mgr.setPendingRestart(testRank, timer2)
+
+	if len(mgr.pendingRestart) != 1 {
+		t.Fatalf("expected 1 pending restart after replacement, got %d",
+			len(mgr.pendingRestart))
+	}
+
+	if mgr.pendingRestart[testRank] != timer2 {
+		t.Error("pending restart timer not updated to new timer")
+	}
+
+	// Cleanup
+	timer2.Stop()
+}
+
+func TestServer_EngineRestartManager_ClearPendingRestart(t *testing.T) {
+	log, buf := logging.NewTestLogger(t.Name())
+	defer test.ShowBufferOnFailure(t, buf)
+
+	cfg := &config.Server{}
+	mgr := newEngineRestartManager(log, cfg)
+	testRank := ranklist.Rank(1)
+
+	// Set a timer
+	timer := time.NewTimer(10 * time.Second)
+	defer timer.Stop()
+	mgr.pendingRestart[testRank] = timer
+
+	// Clear it
+	mgr.clearPendingRestart(testRank)
+
+	if len(mgr.pendingRestart) != 0 {
+		t.Errorf("expected no pending restarts after clear, got %d",
+			len(mgr.pendingRestart))
+	}
+}
+
+func TestServer_EngineRestartManager_RequestRestart(t *testing.T) {
+	log, buf := logging.NewTestLogger(t.Name())
+	defer test.ShowBufferOnFailure(t, buf)
+
+	cfg := &config.Server{}
+	mgr := newEngineRestartManager(log, cfg)
+	testRank := ranklist.Rank(1)
+
+	// Create mock instance
+	mockInstance := &MockInstance{
+		cfg: MockInstanceConfig{
+			GetRankResp: testRank,
+		},
+	}
+
+	eventTime := time.Now().Add(-5 * time.Second)
+	beforeRequest := time.Now()
+
+	mgr.requestRestart(testRank, mockInstance, eventTime)
+
+	// Should receive request on channel
+	select {
+	case req := <-mgr.requestChan:
+		if !req.rank.Equals(testRank) {
+			t.Errorf("expected rank %d, got %d", testRank, req.rank)
+		}
+		if req.instance != mockInstance {
+			t.Error("expected mock instance in request")
+		}
+		if req.eventTime != eventTime {
+			t.Errorf("expected event time %s, got %s", eventTime, req.eventTime)
+		}
+		if req.requestTime.Before(beforeRequest) {
+			t.Error("request time should be recent")
+		}
+	case <-time.After(1 * time.Second):
+		t.Fatal("timeout waiting for restart request")
+	}
+}
+
+func TestServer_EngineRestartManager_RequestRestart_ChannelFull(t *testing.T) {
+	log, buf := logging.NewTestLogger(t.Name())
+	defer test.ShowBufferOnFailure(t, buf)
+
+	cfg := &config.Server{}
+	mgr := newEngineRestartManager(log, cfg)
+	testRank := ranklist.Rank(1)
+
+	mockInstance := &MockInstance{
+		cfg: MockInstanceConfig{
+			GetRankResp: testRank,
+		},
+	}
+
+	// Fill the channel
+	for i := 0; i < engineRestartMaxQueueSz; i++ {
+		mgr.requestRestart(ranklist.Rank(i), mockInstance, time.Now())
+	}
+
+	// Next request should be dropped
+	mgr.requestRestart(testRank, mockInstance, time.Now())
+
+	// Should see error in log
+	logOutput := buf.String()
+	if !strings.Contains(logOutput, "channel full") &&
+		!strings.Contains(logOutput, "dropping request") {
+		t.Error("expected channel full error in log")
+	}
+}
+
+func TestServer_EngineRestartManager_ProcessRestartRequest_Immediate(t *testing.T) {
+	log, buf := logging.NewTestLogger(t.Name())
+	defer test.ShowBufferOnFailure(t, buf)
+
+	ctx := test.Context(t)
+	cfg := &config.Server{
+		EngineAutoRestartMinDelay: 10,
+	}
+
+	harness := NewEngineHarness(log)
+	setupTestEngine(t, log, harness, false)
+
+	instances, err := harness.FilterInstancesByRankSet("1")
+	if err != nil || len(instances) == 0 {
+		t.Fatalf("failed to get instance: %v", err)
+	}
+
+	mgr := newEngineRestartManager(log, cfg)
+	testRank := ranklist.Rank(1)
+	instance := instances[0]
+
+	// Run go-routine for engine to consume from startRequested channel otherwise
+	// requestStart() instance methods would block
+	go func(inCtx context.Context, e *EngineInstance) {
+		select {
+		case <-inCtx.Done():
+		case <-e.startRequested:
+		}
+	}(ctx, instance.(*EngineInstance))
+
+	req := engineRestartRequest{
+		rank:        testRank,
+		instance:    instance,
+		requestTime: time.Now(),
+		eventTime:   time.Now(),
+	}
+
+	// Process request (no previous restart, should be immediate)
+	mgr.processRestartRequest(ctx, req)
+
+	// Verify restart time recorded
+	mgr.mu.Lock()
+	_, recorded := mgr.lastRestart[testRank]
+	mgr.mu.Unlock()
+
+	if !recorded {
+		t.Error("expected restart time to be recorded")
+	}
+
+	// Verify no pending restart
+	mgr.mu.Lock()
+	_, pending := mgr.pendingRestart[testRank]
+	mgr.mu.Unlock()
+
+	if pending {
+		t.Error("expected no pending restart for immediate restart")
+	}
+}
+
+func TestServer_EngineRestartManager_ProcessRestartRequest_Deferred(t *testing.T) {
+	log, buf := logging.NewTestLogger(t.Name())
+	defer test.ShowBufferOnFailure(t, buf)
+
+	ctx := test.Context(t)
+	cfg := &config.Server{
+		EngineAutoRestartMinDelay: 2, // 2 seconds for fast test
+	}
+
+	harness := NewEngineHarness(log)
+	setupTestEngine(t, log, harness, false)
+
+	instances, err := harness.FilterInstancesByRankSet("1")
+	if err != nil || len(instances) == 0 {
+		t.Fatalf("failed to get instance: %v", err)
+	}
+
+	mgr := newEngineRestartManager(log, cfg)
+	testRank := ranklist.Rank(1)
+
+	// Record a recent restart
+	mgr.lastRestart[testRank] = time.Now()
+
+	req := engineRestartRequest{
+		rank:        testRank,
+		instance:    instances[0],
+		requestTime: time.Now(),
+		eventTime:   time.Now(),
+	}
+
+	// Process request (should be deferred due to rate limiting)
+	mgr.processRestartRequest(ctx, req)
+
+	// Verify pending restart was set
+	mgr.mu.RLock()
+	timer, pending := mgr.pendingRestart[testRank]
+	mgr.mu.RUnlock()
+
+	if !pending {
+		t.Fatal("expected pending restart to be set")
+	}
+
+	// Cleanup
+	if timer != nil {
+		timer.Stop()
+	}
+	mgr.clearPendingRestart(testRank)
+
+	// Verify log message
+	logOutput := buf.String()
+	if !strings.Contains(logOutput, "rate limited") &&
+		!strings.Contains(logOutput, "will restart in") {
+		t.Error("expected rate limited message in log")
+	}
+}
+
+func TestServer_EngineRestartManager_Stop(t *testing.T) {
+	log, buf := logging.NewTestLogger(t.Name())
+	defer test.ShowBufferOnFailure(t, buf)
+
+	cfg := &config.Server{}
+	mgr := newEngineRestartManager(log, cfg)
+
+	// Add some pending restarts
+	timer1 := time.NewTimer(10 * time.Second)
+	timer2 := time.NewTimer(10 * time.Second)
+	mgr.pendingRestart[ranklist.Rank(1)] = timer1
+	mgr.pendingRestart[ranklist.Rank(2)] = timer2
+
+	// Stop should cancel all timers
+	mgr.stop()
+
+	if len(mgr.pendingRestart) != 0 {
+		t.Errorf("expected all pending restarts cleared, got %d",
+			len(mgr.pendingRestart))
+	}
+
+	// Verify stopChan is closed
+	select {
+	case <-mgr.stopChan:
+		// Expected
+	default:
+		t.Error("stopChan should be closed")
+	}
+}
+
+func TestServer_EngineRestartManager_Start_ProcessRequests(t *testing.T) {
+	log, buf := logging.NewTestLogger(t.Name())
+	defer test.ShowBufferOnFailure(t, buf)
+
+	ctx, cancel := context.WithTimeout(test.Context(t), 10*time.Second)
+	defer cancel()
+
+	cfg := &config.Server{
+		EngineAutoRestartMinDelay: 10,
+	}
+
+	harness := NewEngineHarness(log)
+	setupTestEngine(t, log, harness, false)
+
+	instances, err := harness.FilterInstancesByRankSet("1")
+	if err != nil || len(instances) == 0 {
+		t.Fatalf("failed to get instance: %v", err)
+	}
+
+	mgr := newEngineRestartManager(log, cfg)
+	mgr.start(ctx)
+	defer mgr.stop()
+
+	testRank := ranklist.Rank(1)
+	instance := instances[0]
+
+	// Run go-routine for engine to consume from startRequested channel otherwise
+	// requestStart() instance methods would block
+	go func(inCtx context.Context, e *EngineInstance) {
+		select {
+		case <-inCtx.Done():
+		case <-e.startRequested:
+		}
+	}(ctx, instance.(*EngineInstance))
+
+	// Channel to signal when restart is recorded
+	recorded := make(chan struct{})
+	go func(inCtx context.Context) {
+		ticker := time.NewTicker(100 * time.Millisecond)
+		defer ticker.Stop()
+
+		for {
+			select {
+			case <-inCtx.Done():
+				return
+			case <-ticker.C:
+				mgr.mu.RLock()
+				_, exists := mgr.lastRestart[testRank]
+				mgr.mu.RUnlock()
+
+				if exists {
+					close(recorded)
+					return
+				}
+			}
+		}
+	}(ctx)
+
+	// Submit restart request
+	mgr.requestRestart(testRank, instance, time.Now())
+
+	// Wait for restart time to be recorded
+	select {
+	case <-ctx.Done():
+		t.Error("expected restart time to be recorded after processing")
+	case <-recorded:
+		t.Log("restart time recorded successfully")
+	}
+}
+
+func TestServer_EngineRestartManager_DeferredRestartExecutes(t *testing.T) {
+	log, buf := logging.NewTestLogger(t.Name())
+	defer test.ShowBufferOnFailure(t, buf)
+
+	ctx, cancel := context.WithTimeout(test.Context(t), 20*time.Second)
+	defer cancel()
+
+	cfg := &config.Server{
+		EngineAutoRestartMinDelay: 2, // seconds
+	}
+
+	harness := NewEngineHarness(log)
+	setupTestEngine(t, log, harness, false)
+
+	instances, err := harness.FilterInstancesByRankSet("1")
+	if err != nil || len(instances) == 0 {
+		t.Fatalf("failed to get instance: %v", err)
+	}
+
+	mgr := newEngineRestartManager(log, cfg)
+	testRank := ranklist.Rank(1)
+	instance := instances[0]
+
+	// Run go-routine for engine to consume from startRequested channel otherwise
+	// requestStart() instance methods would block
+	go func(inCtx context.Context, e *EngineInstance) {
+		select {
+		case <-inCtx.Done():
+		case <-e.startRequested:
+		}
+	}(ctx, instance.(*EngineInstance))
+
+	// Set recent restart time
+	mgr.lastRestart[testRank] = time.Now()
+
+	req := engineRestartRequest{
+		rank:        testRank,
+		instance:    instance,
+		requestTime: time.Now(),
+		eventTime:   time.Now(),
+	}
+
+	// Process request (should create deferred restart)
+	mgr.processRestartRequest(ctx, req)
+
+	// Verify timer exists
+	mgr.mu.RLock()
+	timer, exists := mgr.pendingRestart[testRank]
+	mgr.mu.RUnlock()
+
+	if !exists {
+		t.Fatal("expected pending restart timer to be created")
+	}
+
+	// Wait for timer to fire (with buffer)
+	time.Sleep(10 * time.Second)
+
+	// Verify timer was cleaned up
+	mgr.mu.RLock()
+	_, stillPending := mgr.pendingRestart[testRank]
+	mgr.mu.RUnlock()
+
+	if stillPending {
+		t.Error("expected pending restart to be cleared after execution")
+	}
+
+	// Cleanup
+	if timer != nil {
+		timer.Stop()
+	}
+}
+
+func TestServer_EngineRestartManager_MultipleRanks(t *testing.T) {
+	log, buf := logging.NewTestLogger(t.Name())
+	defer test.ShowBufferOnFailure(t, buf)
+
+	cfg := &config.Server{
+		EngineAutoRestartMinDelay: 10,
+	}
+
+	mgr := newEngineRestartManager(log, cfg)
+
+	rank1 := ranklist.Rank(1)
+	rank2 := ranklist.Rank(2)
+
+	// Record restarts for both ranks
+	mgr.recordRestartTime(rank1)
+	time.Sleep(10 * time.Millisecond)
+	mgr.recordRestartTime(rank2)
+
+	// Verify both recorded
+	mgr.mu.RLock()
+	time1, exists1 := mgr.lastRestart[rank1]
+	time2, exists2 := mgr.lastRestart[rank2]
+	mgr.mu.RUnlock()
+
+	if !exists1 || !exists2 {
+		t.Fatal("expected both ranks to have restart times recorded")
+	}
+
+	if !time1.Before(time2) {
+		t.Error("expected rank1 restart time to be before rank2")
+	}
+
+	// Verify independent rate limiting
+	canRestart1, _ := mgr.canRestartNow(rank1)
+	canRestart2, _ := mgr.canRestartNow(rank2)
+
+	if canRestart1 || canRestart2 {
+		t.Error("expected both ranks to be rate limited")
+	}
+}
+
+func TestServer_EngineRestartManager_CancelExistingTimer(t *testing.T) {
+	log, buf := logging.NewTestLogger(t.Name())
+	defer test.ShowBufferOnFailure(t, buf)
+
+	ctx := test.Context(t)
+	cfg := &config.Server{
+		EngineAutoRestartMinDelay: 5,
+	}
+
+	harness := NewEngineHarness(log)
+	setupTestEngine(t, log, harness, false)
+
+	instances, err := harness.FilterInstancesByRankSet("1")
+	if err != nil || len(instances) == 0 {
+		t.Fatalf("failed to get instance: %v", err)
+	}
+
+	mgr := newEngineRestartManager(log, cfg)
+	testRank := ranklist.Rank(1)
+
+	// Set recent restart
+	mgr.lastRestart[testRank] = time.Now()
+
+	// First deferred request
+	req1 := engineRestartRequest{
+		rank:        testRank,
+		instance:    instances[0],
+		requestTime: time.Now(),
+		eventTime:   time.Now(),
+	}
+	mgr.processRestartRequest(ctx, req1)
+
+	mgr.mu.RLock()
+	timer1, exists1 := mgr.pendingRestart[testRank]
+	mgr.mu.RUnlock()
+
+	if !exists1 {
+		t.Fatal("expected first pending restart to be set")
+	}
+
+	// Second deferred request (should cancel first)
+	time.Sleep(100 * time.Millisecond)
+	req2 := engineRestartRequest{
+		rank:        testRank,
+		instance:    instances[0],
+		requestTime: time.Now(),
+		eventTime:   time.Now(),
+	}
+	mgr.processRestartRequest(ctx, req2)
+
+	mgr.mu.RLock()
+	timer2, exists2 := mgr.pendingRestart[testRank]
+	mgr.mu.RUnlock()
+
+	if !exists2 {
+		t.Fatal("expected second pending restart to be set")
+	}
+
+	if timer1 == timer2 {
+		t.Error("expected timer to be replaced")
+	}
+
+	// Verify log shows cancellation
+	logOutput := buf.String()
+	if !strings.Contains(logOutput, "cancelled existing pending restart") {
+		t.Error("expected cancellation message in log")
+	}
+
+	// Cleanup
+	if timer2 != nil {
+		timer2.Stop()
+	}
+	mgr.clearPendingRestart(testRank)
+}
+
+func TestServer_NewEngineRestartManager(t *testing.T) {
+	log, buf := logging.NewTestLogger(t.Name())
+	defer test.ShowBufferOnFailure(t, buf)
+
+	cfg := &config.Server{
+		EngineAutoRestartMinDelay: 42,
+	}
+
+	mgr := newEngineRestartManager(log, cfg)
+
+	if mgr.log == nil {
+		t.Error("expected logger to be set")
+	}
+
+	if mgr.cfg != cfg {
+		t.Error("expected config to be set")
+	}
+
+	if mgr.requestChan == nil {
+		t.Error("expected requestChan to be initialized")
+	}
+
+	if cap(mgr.requestChan) != engineRestartMaxQueueSz {
+		t.Errorf("expected channel capacity %d, got %d",
+			engineRestartMaxQueueSz, cap(mgr.requestChan))
+	}
+
+	if mgr.stopChan == nil {
+		t.Error("expected stopChan to be initialized")
+	}
+
+	if mgr.lastRestart == nil {
+		t.Error("expected lastRestart map to be initialized")
+	}
+
+	if mgr.pendingRestart == nil {
+		t.Error("expected pendingRestart map to be initialized")
+	}
+}
diff --git a/src/control/server/server_utils_test.go b/src/control/server/server_utils_test.go
index 81b67d90ccd..5175cdea06b 100644
--- a/src/control/server/server_utils_test.go
+++ b/src/control/server/server_utils_test.go
@@ -2222,6 +2222,8 @@ func TestServer_handleEngineSelfTerminated(t *testing.T) {
 			var wg sync.WaitGroup
 			var restartRequested atomic.Bool
 
+			// Run go-routines for each engine which consume from startRequested channel
+			// otherwise the requestStart() instance methods would block.
 			if len(harness.instances) > 0 {
 				targetRank := ranklist.Rank(tc.evt.Rank)
 				for _, inst := range harness.instances {
@@ -2378,8 +2380,8 @@ func TestServer_handleEngineSelfTerminated_RateLimiting(t *testing.T) {
 
 	checkPending := func(t *testing.T, shouldExist bool) {
 		t.Helper()
-		restartMgr.mu.Lock()
-		defer restartMgr.mu.Unlock()
+		restartMgr.mu.RLock()
+		defer restartMgr.mu.RUnlock()
 		_, exists := restartMgr.pendingRestart[testRank]
 		if exists && !shouldExist {
 			t.Fatal("expected pending restart timer to have been cleaned up")

From 09cc634e93e03a783db6491ada331615c4fedb72 Mon Sep 17 00:00:00 2001
From: Tom Nabarro <thomas.nabarro@hpe.com>
Date: Thu, 23 Apr 2026 23:19:06 +0100
Subject: [PATCH 20/45] remove deprecated code

Features: control
Signed-off-by: Tom Nabarro <thomas.nabarro@hpe.com>
---
 src/control/server/instance_restart.go      | 14 +++---
 src/control/server/instance_restart_test.go | 47 ++++++---------------
 src/control/server/server_utils.go          |  2 +-
 3 files changed, 20 insertions(+), 43 deletions(-)

diff --git a/src/control/server/instance_restart.go b/src/control/server/instance_restart.go
index fd23ba900b0..ddfe335b31d 100644
--- a/src/control/server/instance_restart.go
+++ b/src/control/server/instance_restart.go
@@ -28,10 +28,8 @@ const (
 
 // engineRestartRequest represents a request to restart an engine instance.
 type engineRestartRequest struct {
-	rank        ranklist.Rank
-	instance    Engine
-	requestTime time.Time
-	eventTime   time.Time
+	rank     ranklist.Rank
+	instance Engine
 }
 
 // engineRestartManager manages engine restart requests with rate limiting.
@@ -159,12 +157,10 @@ func (mgr *engineRestartManager) processRestartRequest(ctx context.Context, req
 }
 
 // requestRestart submits a restart request to the manager.
-func (mgr *engineRestartManager) requestRestart(rank ranklist.Rank, instance Engine, eventTime time.Time) {
+func (mgr *engineRestartManager) requestRestart(rank ranklist.Rank, instance Engine) {
 	req := engineRestartRequest{
-		rank:        rank,
-		instance:    instance,
-		requestTime: time.Now(),
-		eventTime:   eventTime,
+		rank:     rank,
+		instance: instance,
 	}
 
 	select {
diff --git a/src/control/server/instance_restart_test.go b/src/control/server/instance_restart_test.go
index 3bc14d5cb2e..b2863c0caad 100644
--- a/src/control/server/instance_restart_test.go
+++ b/src/control/server/instance_restart_test.go
@@ -210,10 +210,7 @@ func TestServer_EngineRestartManager_RequestRestart(t *testing.T) {
 		},
 	}
 
-	eventTime := time.Now().Add(-5 * time.Second)
-	beforeRequest := time.Now()
-
-	mgr.requestRestart(testRank, mockInstance, eventTime)
+	mgr.requestRestart(testRank, mockInstance)
 
 	// Should receive request on channel
 	select {
@@ -224,12 +221,6 @@ func TestServer_EngineRestartManager_RequestRestart(t *testing.T) {
 		if req.instance != mockInstance {
 			t.Error("expected mock instance in request")
 		}
-		if req.eventTime != eventTime {
-			t.Errorf("expected event time %s, got %s", eventTime, req.eventTime)
-		}
-		if req.requestTime.Before(beforeRequest) {
-			t.Error("request time should be recent")
-		}
 	case <-time.After(1 * time.Second):
 		t.Fatal("timeout waiting for restart request")
 	}
@@ -251,11 +242,11 @@ func TestServer_EngineRestartManager_RequestRestart_ChannelFull(t *testing.T) {
 
 	// Fill the channel
 	for i := 0; i < engineRestartMaxQueueSz; i++ {
-		mgr.requestRestart(ranklist.Rank(i), mockInstance, time.Now())
+		mgr.requestRestart(ranklist.Rank(i), mockInstance)
 	}
 
 	// Next request should be dropped
-	mgr.requestRestart(testRank, mockInstance, time.Now())
+	mgr.requestRestart(testRank, mockInstance)
 
 	// Should see error in log
 	logOutput := buf.String()
@@ -296,10 +287,8 @@ func TestServer_EngineRestartManager_ProcessRestartRequest_Immediate(t *testing.
 	}(ctx, instance.(*EngineInstance))
 
 	req := engineRestartRequest{
-		rank:        testRank,
-		instance:    instance,
-		requestTime: time.Now(),
-		eventTime:   time.Now(),
+		rank:     testRank,
+		instance: instance,
 	}
 
 	// Process request (no previous restart, should be immediate)
@@ -348,10 +337,8 @@ func TestServer_EngineRestartManager_ProcessRestartRequest_Deferred(t *testing.T
 	mgr.lastRestart[testRank] = time.Now()
 
 	req := engineRestartRequest{
-		rank:        testRank,
-		instance:    instances[0],
-		requestTime: time.Now(),
-		eventTime:   time.Now(),
+		rank:     testRank,
+		instance: instances[0],
 	}
 
 	// Process request (should be deferred due to rate limiting)
@@ -469,7 +456,7 @@ func TestServer_EngineRestartManager_Start_ProcessRequests(t *testing.T) {
 	}(ctx)
 
 	// Submit restart request
-	mgr.requestRestart(testRank, instance, time.Now())
+	mgr.requestRestart(testRank, instance)
 
 	// Wait for restart time to be recorded
 	select {
@@ -516,10 +503,8 @@ func TestServer_EngineRestartManager_DeferredRestartExecutes(t *testing.T) {
 	mgr.lastRestart[testRank] = time.Now()
 
 	req := engineRestartRequest{
-		rank:        testRank,
-		instance:    instance,
-		requestTime: time.Now(),
-		eventTime:   time.Now(),
+		rank:     testRank,
+		instance: instance,
 	}
 
 	// Process request (should create deferred restart)
@@ -618,10 +603,8 @@ func TestServer_EngineRestartManager_CancelExistingTimer(t *testing.T) {
 
 	// First deferred request
 	req1 := engineRestartRequest{
-		rank:        testRank,
-		instance:    instances[0],
-		requestTime: time.Now(),
-		eventTime:   time.Now(),
+		rank:     testRank,
+		instance: instances[0],
 	}
 	mgr.processRestartRequest(ctx, req1)
 
@@ -636,10 +619,8 @@ func TestServer_EngineRestartManager_CancelExistingTimer(t *testing.T) {
 	// Second deferred request (should cancel first)
 	time.Sleep(100 * time.Millisecond)
 	req2 := engineRestartRequest{
-		rank:        testRank,
-		instance:    instances[0],
-		requestTime: time.Now(),
-		eventTime:   time.Now(),
+		rank:     testRank,
+		instance: instances[0],
 	}
 	mgr.processRestartRequest(ctx, req2)
 
diff --git a/src/control/server/server_utils.go b/src/control/server/server_utils.go
index 07ce0aed368..e4f0eae061c 100644
--- a/src/control/server/server_utils.go
+++ b/src/control/server/server_utils.go
@@ -818,7 +818,7 @@ func handleEngineSelfTerminated(ctx context.Context, srv *server, evt *events.RA
 	}
 
 	// Submit restart request to the restart manager
-	srv.restartMgr.requestRestart(rank, ei, ts)
+	srv.restartMgr.requestRestart(rank, ei)
 
 	return nil
 }

From d89a387d7dca332b91131912de57868ca424fe77 Mon Sep 17 00:00:00 2001
From: Tom Nabarro <thomas.nabarro@hpe.com>
Date: Fri, 24 Apr 2026 16:02:35 +0100
Subject: [PATCH 21/45] DRY-up unit tests for engine restart manager

Features: control
Signed-off-by: Tom Nabarro <thomas.nabarro@hpe.com>
---
 src/control/server/instance_restart_test.go | 329 ++++++++------------
 1 file changed, 136 insertions(+), 193 deletions(-)

diff --git a/src/control/server/instance_restart_test.go b/src/control/server/instance_restart_test.go
index b2863c0caad..4773ded66f0 100644
--- a/src/control/server/instance_restart_test.go
+++ b/src/control/server/instance_restart_test.go
@@ -18,6 +18,103 @@ import (
 	"github.com/daos-stack/daos/src/control/server/config"
 )
 
+// Test helper functions
+
+func setupTestLogger(t *testing.T) (logging.Logger, *logging.LogBuffer) {
+	t.Helper()
+	log, buf := logging.NewTestLogger(t.Name())
+	t.Cleanup(func() {
+		test.ShowBufferOnFailure(t, buf)
+	})
+
+	return log, buf
+}
+
+func getTestLogger(t *testing.T, loggers []logging.Logger) logging.Logger {
+	t.Helper()
+	var log logging.Logger
+
+	switch len(loggers) {
+	case 0:
+		log, _ = setupTestLogger(t)
+	case 1:
+		log = loggers[0]
+	default:
+		t.Fatal("multiple loggers provided, want one")
+	}
+
+	return log
+}
+
+func setupTestManager(t *testing.T, cfg *config.Server, loggers ...logging.Logger) *engineRestartManager {
+	t.Helper()
+	log := getTestLogger(t, loggers)
+	if cfg == nil {
+		cfg = &config.Server{}
+	}
+
+	return newEngineRestartManager(log, cfg)
+}
+
+func setupTestHarness(t *testing.T, rankStr string, loggers ...logging.Logger) (*EngineInstance, ranklist.Rank) {
+	t.Helper()
+	log := getTestLogger(t, loggers)
+	harness := NewEngineHarness(log)
+	setupTestEngine(t, log, harness, false)
+
+	instances, err := harness.FilterInstancesByRankSet(rankStr)
+	if err != nil || len(instances) == 0 {
+		t.Fatalf("failed to get instance: %v", err)
+	}
+
+	rank, err := ranklist.ParseRanks(rankStr)
+	if err != nil || len(rank) != 1 {
+		t.Fatalf("failed to parse rank: %v", err)
+	}
+
+	return instances[0].(*EngineInstance), rank[0]
+}
+
+func startInstanceConsumer(ctx context.Context, instance *EngineInstance) {
+	go func() {
+		select {
+		case <-ctx.Done():
+		case <-instance.startRequested:
+		}
+	}()
+}
+
+func waitForRestartRecorded(ctx context.Context, t *testing.T, mgr *engineRestartManager, rank ranklist.Rank) bool {
+	recorded := make(chan struct{})
+	go func() {
+		ticker := time.NewTicker(100 * time.Millisecond)
+		defer ticker.Stop()
+
+		for {
+			select {
+			case <-ctx.Done():
+				return
+			case <-ticker.C:
+				mgr.mu.RLock()
+				_, exists := mgr.lastRestart[rank]
+				mgr.mu.RUnlock()
+
+				if exists {
+					close(recorded)
+					return
+				}
+			}
+		}
+	}()
+
+	select {
+	case <-ctx.Done():
+		return false
+	case <-recorded:
+		return true
+	}
+}
+
 func TestServer_EngineRestartManager_GetMinDelay(t *testing.T) {
 	for name, tc := range map[string]struct {
 		configDelay int
@@ -37,14 +134,9 @@ func TestServer_EngineRestartManager_GetMinDelay(t *testing.T) {
 		},
 	} {
 		t.Run(name, func(t *testing.T) {
-			log, buf := logging.NewTestLogger(t.Name())
-			defer test.ShowBufferOnFailure(t, buf)
-
-			cfg := &config.Server{
+			mgr := setupTestManager(t, &config.Server{
 				EngineAutoRestartMinDelay: tc.configDelay,
-			}
-
-			mgr := newEngineRestartManager(log, cfg)
+			})
 
 			gotDelay := mgr.getMinDelay()
 			if gotDelay != tc.expDelay {
@@ -82,14 +174,9 @@ func TestServer_EngineRestartManager_CanRestartNow(t *testing.T) {
 		},
 	} {
 		t.Run(name, func(t *testing.T) {
-			log, buf := logging.NewTestLogger(t.Name())
-			defer test.ShowBufferOnFailure(t, buf)
-
-			cfg := &config.Server{
+			mgr := setupTestManager(t, &config.Server{
 				EngineAutoRestartMinDelay: tc.minDelay,
-			}
-
-			mgr := newEngineRestartManager(log, cfg)
+			})
 			testRank := ranklist.Rank(1)
 
 			// Set last restart time if test case specifies
@@ -118,11 +205,7 @@ func TestServer_EngineRestartManager_CanRestartNow(t *testing.T) {
 }
 
 func TestServer_EngineRestartManager_RecordRestartTime(t *testing.T) {
-	log, buf := logging.NewTestLogger(t.Name())
-	defer test.ShowBufferOnFailure(t, buf)
-
-	cfg := &config.Server{}
-	mgr := newEngineRestartManager(log, cfg)
+	mgr := setupTestManager(t, nil)
 	testRank := ranklist.Rank(1)
 
 	beforeRecord := time.Now()
@@ -141,11 +224,7 @@ func TestServer_EngineRestartManager_RecordRestartTime(t *testing.T) {
 }
 
 func TestServer_EngineRestartManager_SetPendingRestart(t *testing.T) {
-	log, buf := logging.NewTestLogger(t.Name())
-	defer test.ShowBufferOnFailure(t, buf)
-
-	cfg := &config.Server{}
-	mgr := newEngineRestartManager(log, cfg)
+	mgr := setupTestManager(t, nil)
 	testRank := ranklist.Rank(1)
 
 	// Set initial timer
@@ -174,11 +253,7 @@ func TestServer_EngineRestartManager_SetPendingRestart(t *testing.T) {
 }
 
 func TestServer_EngineRestartManager_ClearPendingRestart(t *testing.T) {
-	log, buf := logging.NewTestLogger(t.Name())
-	defer test.ShowBufferOnFailure(t, buf)
-
-	cfg := &config.Server{}
-	mgr := newEngineRestartManager(log, cfg)
+	mgr := setupTestManager(t, nil)
 	testRank := ranklist.Rank(1)
 
 	// Set a timer
@@ -196,11 +271,7 @@ func TestServer_EngineRestartManager_ClearPendingRestart(t *testing.T) {
 }
 
 func TestServer_EngineRestartManager_RequestRestart(t *testing.T) {
-	log, buf := logging.NewTestLogger(t.Name())
-	defer test.ShowBufferOnFailure(t, buf)
-
-	cfg := &config.Server{}
-	mgr := newEngineRestartManager(log, cfg)
+	mgr := setupTestManager(t, nil)
 	testRank := ranklist.Rank(1)
 
 	// Create mock instance
@@ -227,11 +298,8 @@ func TestServer_EngineRestartManager_RequestRestart(t *testing.T) {
 }
 
 func TestServer_EngineRestartManager_RequestRestart_ChannelFull(t *testing.T) {
-	log, buf := logging.NewTestLogger(t.Name())
-	defer test.ShowBufferOnFailure(t, buf)
-
-	cfg := &config.Server{}
-	mgr := newEngineRestartManager(log, cfg)
+	log, buf := setupTestLogger(t)
+	mgr := setupTestManager(t, nil, log)
 	testRank := ranklist.Rank(1)
 
 	mockInstance := &MockInstance{
@@ -257,34 +325,13 @@ func TestServer_EngineRestartManager_RequestRestart_ChannelFull(t *testing.T) {
 }
 
 func TestServer_EngineRestartManager_ProcessRestartRequest_Immediate(t *testing.T) {
-	log, buf := logging.NewTestLogger(t.Name())
-	defer test.ShowBufferOnFailure(t, buf)
-
 	ctx := test.Context(t)
-	cfg := &config.Server{
+	instance, testRank := setupTestHarness(t, "1")
+	mgr := setupTestManager(t, &config.Server{
 		EngineAutoRestartMinDelay: 10,
-	}
-
-	harness := NewEngineHarness(log)
-	setupTestEngine(t, log, harness, false)
+	})
 
-	instances, err := harness.FilterInstancesByRankSet("1")
-	if err != nil || len(instances) == 0 {
-		t.Fatalf("failed to get instance: %v", err)
-	}
-
-	mgr := newEngineRestartManager(log, cfg)
-	testRank := ranklist.Rank(1)
-	instance := instances[0]
-
-	// Run go-routine for engine to consume from startRequested channel otherwise
-	// requestStart() instance methods would block
-	go func(inCtx context.Context, e *EngineInstance) {
-		select {
-		case <-inCtx.Done():
-		case <-e.startRequested:
-		}
-	}(ctx, instance.(*EngineInstance))
+	startInstanceConsumer(ctx, instance)
 
 	req := engineRestartRequest{
 		rank:     testRank,
@@ -314,31 +361,19 @@ func TestServer_EngineRestartManager_ProcessRestartRequest_Immediate(t *testing.
 }
 
 func TestServer_EngineRestartManager_ProcessRestartRequest_Deferred(t *testing.T) {
-	log, buf := logging.NewTestLogger(t.Name())
-	defer test.ShowBufferOnFailure(t, buf)
-
+	log, buf := setupTestLogger(t)
 	ctx := test.Context(t)
-	cfg := &config.Server{
+	instance, testRank := setupTestHarness(t, "1", log)
+	mgr := setupTestManager(t, &config.Server{
 		EngineAutoRestartMinDelay: 2, // 2 seconds for fast test
-	}
-
-	harness := NewEngineHarness(log)
-	setupTestEngine(t, log, harness, false)
-
-	instances, err := harness.FilterInstancesByRankSet("1")
-	if err != nil || len(instances) == 0 {
-		t.Fatalf("failed to get instance: %v", err)
-	}
-
-	mgr := newEngineRestartManager(log, cfg)
-	testRank := ranklist.Rank(1)
+	}, log)
 
 	// Record a recent restart
 	mgr.lastRestart[testRank] = time.Now()
 
 	req := engineRestartRequest{
 		rank:     testRank,
-		instance: instances[0],
+		instance: instance,
 	}
 
 	// Process request (should be deferred due to rate limiting)
@@ -368,11 +403,7 @@ func TestServer_EngineRestartManager_ProcessRestartRequest_Deferred(t *testing.T
 }
 
 func TestServer_EngineRestartManager_Stop(t *testing.T) {
-	log, buf := logging.NewTestLogger(t.Name())
-	defer test.ShowBufferOnFailure(t, buf)
-
-	cfg := &config.Server{}
-	mgr := newEngineRestartManager(log, cfg)
+	mgr := setupTestManager(t, nil)
 
 	// Add some pending restarts
 	timer1 := time.NewTimer(10 * time.Second)
@@ -398,106 +429,39 @@ func TestServer_EngineRestartManager_Stop(t *testing.T) {
 }
 
 func TestServer_EngineRestartManager_Start_ProcessRequests(t *testing.T) {
-	log, buf := logging.NewTestLogger(t.Name())
-	defer test.ShowBufferOnFailure(t, buf)
-
 	ctx, cancel := context.WithTimeout(test.Context(t), 10*time.Second)
 	defer cancel()
 
-	cfg := &config.Server{
+	instance, testRank := setupTestHarness(t, "1")
+	mgr := setupTestManager(t, &config.Server{
 		EngineAutoRestartMinDelay: 10,
-	}
-
-	harness := NewEngineHarness(log)
-	setupTestEngine(t, log, harness, false)
-
-	instances, err := harness.FilterInstancesByRankSet("1")
-	if err != nil || len(instances) == 0 {
-		t.Fatalf("failed to get instance: %v", err)
-	}
-
-	mgr := newEngineRestartManager(log, cfg)
+	})
 	mgr.start(ctx)
 	defer mgr.stop()
 
-	testRank := ranklist.Rank(1)
-	instance := instances[0]
-
-	// Run go-routine for engine to consume from startRequested channel otherwise
-	// requestStart() instance methods would block
-	go func(inCtx context.Context, e *EngineInstance) {
-		select {
-		case <-inCtx.Done():
-		case <-e.startRequested:
-		}
-	}(ctx, instance.(*EngineInstance))
-
-	// Channel to signal when restart is recorded
-	recorded := make(chan struct{})
-	go func(inCtx context.Context) {
-		ticker := time.NewTicker(100 * time.Millisecond)
-		defer ticker.Stop()
-
-		for {
-			select {
-			case <-inCtx.Done():
-				return
-			case <-ticker.C:
-				mgr.mu.RLock()
-				_, exists := mgr.lastRestart[testRank]
-				mgr.mu.RUnlock()
-
-				if exists {
-					close(recorded)
-					return
-				}
-			}
-		}
-	}(ctx)
+	startInstanceConsumer(ctx, instance)
 
 	// Submit restart request
 	mgr.requestRestart(testRank, instance)
 
 	// Wait for restart time to be recorded
-	select {
-	case <-ctx.Done():
+	if !waitForRestartRecorded(ctx, t, mgr, testRank) {
 		t.Error("expected restart time to be recorded after processing")
-	case <-recorded:
+	} else {
 		t.Log("restart time recorded successfully")
 	}
 }
 
 func TestServer_EngineRestartManager_DeferredRestartExecutes(t *testing.T) {
-	log, buf := logging.NewTestLogger(t.Name())
-	defer test.ShowBufferOnFailure(t, buf)
-
 	ctx, cancel := context.WithTimeout(test.Context(t), 20*time.Second)
 	defer cancel()
 
-	cfg := &config.Server{
+	instance, testRank := setupTestHarness(t, "1")
+	mgr := setupTestManager(t, &config.Server{
 		EngineAutoRestartMinDelay: 2, // seconds
-	}
-
-	harness := NewEngineHarness(log)
-	setupTestEngine(t, log, harness, false)
+	})
 
-	instances, err := harness.FilterInstancesByRankSet("1")
-	if err != nil || len(instances) == 0 {
-		t.Fatalf("failed to get instance: %v", err)
-	}
-
-	mgr := newEngineRestartManager(log, cfg)
-	testRank := ranklist.Rank(1)
-	instance := instances[0]
-
-	// Run go-routine for engine to consume from startRequested channel otherwise
-	// requestStart() instance methods would block
-	go func(inCtx context.Context, e *EngineInstance) {
-		select {
-		case <-inCtx.Done():
-		case <-e.startRequested:
-		}
-	}(ctx, instance.(*EngineInstance))
+	startInstanceConsumer(ctx, instance)
 
 	// Set recent restart time
 	mgr.lastRestart[testRank] = time.Now()
@@ -538,14 +502,9 @@ func TestServer_EngineRestartManager_DeferredRestartExecutes(t *testing.T) {
 }
 
 func TestServer_EngineRestartManager_MultipleRanks(t *testing.T) {
-	log, buf := logging.NewTestLogger(t.Name())
-	defer test.ShowBufferOnFailure(t, buf)
-
-	cfg := &config.Server{
+	mgr := setupTestManager(t, &config.Server{
 		EngineAutoRestartMinDelay: 10,
-	}
-
-	mgr := newEngineRestartManager(log, cfg)
+	})
 
 	rank1 := ranklist.Rank(1)
 	rank2 := ranklist.Rank(2)
@@ -579,24 +538,12 @@ func TestServer_EngineRestartManager_MultipleRanks(t *testing.T) {
 }
 
 func TestServer_EngineRestartManager_CancelExistingTimer(t *testing.T) {
-	log, buf := logging.NewTestLogger(t.Name())
-	defer test.ShowBufferOnFailure(t, buf)
-
+	log, buf := setupTestLogger(t)
 	ctx := test.Context(t)
-	cfg := &config.Server{
+	instance, testRank := setupTestHarness(t, "1", log)
+	mgr := setupTestManager(t, &config.Server{
 		EngineAutoRestartMinDelay: 5,
-	}
-
-	harness := NewEngineHarness(log)
-	setupTestEngine(t, log, harness, false)
-
-	instances, err := harness.FilterInstancesByRankSet("1")
-	if err != nil || len(instances) == 0 {
-		t.Fatalf("failed to get instance: %v", err)
-	}
-
-	mgr := newEngineRestartManager(log, cfg)
-	testRank := ranklist.Rank(1)
+	}, log)
 
 	// Set recent restart
 	mgr.lastRestart[testRank] = time.Now()
@@ -604,7 +551,7 @@ func TestServer_EngineRestartManager_CancelExistingTimer(t *testing.T) {
 	// First deferred request
 	req1 := engineRestartRequest{
 		rank:     testRank,
-		instance: instances[0],
+		instance: instance,
 	}
 	mgr.processRestartRequest(ctx, req1)
 
@@ -620,7 +567,7 @@ func TestServer_EngineRestartManager_CancelExistingTimer(t *testing.T) {
 	time.Sleep(100 * time.Millisecond)
 	req2 := engineRestartRequest{
 		rank:     testRank,
-		instance: instances[0],
+		instance: instance,
 	}
 	mgr.processRestartRequest(ctx, req2)
 
@@ -650,14 +597,10 @@ func TestServer_EngineRestartManager_CancelExistingTimer(t *testing.T) {
 }
 
 func TestServer_NewEngineRestartManager(t *testing.T) {
-	log, buf := logging.NewTestLogger(t.Name())
-	defer test.ShowBufferOnFailure(t, buf)
-
 	cfg := &config.Server{
 		EngineAutoRestartMinDelay: 42,
 	}
-
-	mgr := newEngineRestartManager(log, cfg)
+	mgr := setupTestManager(t, cfg)
 
 	if mgr.log == nil {
 		t.Error("expected logger to be set")

From 6b4528db92c084bf89b6bf7f884c6a5c911dd68d Mon Sep 17 00:00:00 2001
From: Tom Nabarro <thomas.nabarro@hpe.com>
Date: Wed, 6 May 2026 22:46:11 +0100
Subject: [PATCH 22/45] DAOS-17427 test: Auto-restart after self-terminate
 tests (#18006)

Functional tests for the automatic engine restart feature introduced
in the control plane. These tests verify that engines automatically
restart after self-termination when excluded from the system, with
cases to verify disabling, rate-limiting and configuration support.

Test-tag: hw,medium,dmg,control,engine_auto_restart
Signed-off-by: Tom Nabarro <thomas.nabarro@hpe.com>

* try to fix test issues

Test-tag: hw,medium,dmg,control,engine_auto_restart
Signed-off-by: Tom Nabarro <thomas.nabarro@hpe.com>
---
 docs/admin/administration.md                  | 107 +++++++++-
 src/control/server/ctl_ranks_rpc.go           |  34 ++-
 src/control/server/ctl_svc.go                 |  10 +-
 src/control/server/instance_restart.go        |  27 +++
 src/control/server/instance_restart_test.go   | 115 ++++++++++
 src/control/server/mgmt_svc.go                |   2 +-
 src/control/server/server.go                  |   1 +
 .../ftest/control/engine_auto_restart.py      | 201 ++++++++++++++++++
 .../ftest/control/engine_auto_restart.yaml    |  25 +++
 .../control/engine_auto_restart_advanced.py   | 168 +++++++++++++++
 .../control/engine_auto_restart_advanced.yaml |  26 +++
 .../control/engine_auto_restart_disabled.py   | 158 ++++++++++++++
 .../control/engine_auto_restart_disabled.yaml |  26 +++
 src/tests/ftest/util/control_test_base.py     | 175 +++++++++++++++
 src/tests/ftest/util/dmg_utils.py             |  12 +-
 src/tests/ftest/util/server_utils_params.py   |   4 +
 16 files changed, 1074 insertions(+), 17 deletions(-)
 create mode 100644 src/tests/ftest/control/engine_auto_restart.py
 create mode 100644 src/tests/ftest/control/engine_auto_restart.yaml
 create mode 100644 src/tests/ftest/control/engine_auto_restart_advanced.py
 create mode 100644 src/tests/ftest/control/engine_auto_restart_advanced.yaml
 create mode 100644 src/tests/ftest/control/engine_auto_restart_disabled.py
 create mode 100644 src/tests/ftest/control/engine_auto_restart_disabled.yaml

diff --git a/docs/admin/administration.md b/docs/admin/administration.md
index 5ec8fed1b74..89db48fd4d8 100644
--- a/docs/admin/administration.md
+++ b/docs/admin/administration.md
@@ -975,6 +975,94 @@ specified on the command line:
 If the ranks were excluded from pools (e.g., unclean shutdown), they will need to
 be reintegrated. Please see the pool operation section for more information.
 
+### Engine Auto-Restart
+
+DAOS automatically restarts engines that self-terminate after being excluded from
+the system. This feature improves system availability by recovering from transient
+failures without administrator intervention.
+
+#### How It Works
+
+When an engine is excluded (e.g., due to network issues detected by SWIM), the
+engine detects the exclusion and performs a self-termination. The control plane
+monitors for these events and automatically restarts the affected engine after
+clearing the exclusion state, allowing it to rejoin the system.
+
+The automatic restart includes rate-limiting to prevent restart storms. By default,
+an engine must wait 5 minutes between automatic restarts.
+
+#### Configuration
+
+Control auto-restart behavior in `daos_server.yml`:
+
+```yaml
+# Disable automatic restart (default: enabled)
+disable_engine_auto_restart: false
+
+# Minimum delay between automatic restarts per rank (default: 300 seconds)
+engine_auto_restart_min_delay: 300
+```
+
+#### Manual Operations
+
+Manual `dmg system stop` and `dmg system start` operations are never affected by
+the rate-limiting mechanism. Administrators can always immediately stop and start
+ranks regardless of recent automatic restart activity.
+
+```bash
+# Manual operations always work immediately
+$ dmg system stop --ranks=0,1,2
+$ dmg system start --ranks=0,1,2
+```
+
+When you manually stop or start ranks, the restart history for those ranks is
+automatically cleared, ensuring no delays from previous automatic restarts.
+
+#### Monitoring
+
+The `engine_self_terminated` RAS event is logged when an engine self-terminates
+and triggers an automatic restart:
+
+```
+&&& RAS EVENT id: [engine_self_terminated] ... msg: [excluded rank self terminated detected]
+```
+
+Use `dmg system query` to check rank status and incarnation numbers. The
+incarnation number increments each time a rank restarts, helping track restart
+events:
+
+```bash
+$ dmg system query --ranks=0
+Rank UUID                                 Control Address  Fault Domain State  Reason Incarnation
+---- ----                                 --------------- ------------- -----  ------ -----------
+0    12345678-1234-1234-1234-123456789012 10.0.0.1:10001  /node1        Joined        3
+```
+
+#### Best Practices
+
+- **Leave enabled**: Automatic restart improves availability for transient failures
+- **Adjust timing**: For frequent exclusions, consider increasing `engine_auto_restart_min_delay`
+- **Monitor events**: Watch for repeated `engine_self_terminated` events indicating persistent issues
+- **Manual control**: Use `dmg system stop/start` for maintenance without worrying about delays
+
+#### Troubleshooting
+
+**Problem**: Rank keeps self-terminating and restarting
+
+**Solution**: Investigate root cause:
+1. Check network connectivity (SWIM may be detecting real failures)
+2. Review engine logs for errors
+3. Verify hardware health
+4. Consider disabling auto-restart temporarily for investigation
+
+**Problem**: Need immediate restart but recently auto-restarted
+
+**Solution**: Use manual operations (not affected by rate-limiting):
+```bash
+$ dmg system stop --ranks=X
+$ dmg system start --ranks=X
+```
+
 ### Storage Reformat
 
 To reformat the system after a controlled shutdown, run the command:
@@ -1018,15 +1106,16 @@ the storage server has not changed the old rank can be "reused" by formatting us
 `dmg storage format --replace` option.
 
 An examples workflow would be:
-- `daos_server` is running and PMem NVDIMM fails causing an engine to enter excluded state.
-- `daos_server` is stopped, storage server powered down, faulty PMem NVDIMM is replaced.
-- After powering up storage server, `daos_server scm prepare` command is used to repair PMem.
-- Storage server is rebooted after running `daos_server scm prepare` and command is run again.
-- Now PMem is intact, clear with `wipefs -a /dev/pmemX` where "X" refers to the repaired PMem ID.
-- `daos_server` can be started again. On start-up repaired engine prompts for "SCM format required".
-- Run `dmg storage format --replace` to rejoin with existing rank (if --replace isn't used, a new
-  rank will be created).
-- Formatted engine will join using the existing (old) rank which is mapped to the engine's hardware.
+
+1. `daos_server` is running and PMem NVDIMM fails causing an engine to enter excluded state.
+2. `daos_server` is stopped, storage server powered down, faulty PMem NVDIMM is replaced.
+3. After powering up storage server, `daos_server scm prepare` command is used to repair PMem.
+4. Storage server is rebooted after running `daos_server scm prepare` and command is run again.
+5. Now PMem is intact, clear with `wipefs -a /dev/pmemX` where "X" refers to the repaired PMem ID.
+6. `daos_server` can be started again. On start-up repaired engine prompts for "SCM format required".
+7. Run `dmg storage format --replace` to rejoin with existing rank (if --replace isn't used, a new
+   rank will be created).
+8. Formatted engine will join using the existing (old) rank which is mapped to the engine's hardware.
 
 !!! note
     `dmg storage format --replace` can be used to replace a rank in `AdminExcluded` state. The
diff --git a/src/control/server/ctl_ranks_rpc.go b/src/control/server/ctl_ranks_rpc.go
index aad15ece736..539a48f16eb 100644
--- a/src/control/server/ctl_ranks_rpc.go
+++ b/src/control/server/ctl_ranks_rpc.go
@@ -1,6 +1,6 @@
 //
 // (C) Copyright 2020-2024 Intel Corporation.
-// (C) Copyright 2025 Hewlett Packard Enterprise Development LP
+// (C) Copyright 2025-2026 Hewlett Packard Enterprise Development LP
 //
 // SPDX-License-Identifier: BSD-2-Clause-Patent
 //
@@ -206,6 +206,22 @@ func (svc *ControlService) StopRanks(ctx context.Context, req *ctlpb.RanksReq) (
 		return nil, err
 	}
 
+	// Clear restart history for manually stopped ranks on this server
+	// This prevents rate-limiting from interfering with manual operations
+	// Note: instances already filtered by FilterInstancesByRankSet() to match req.GetRanks()
+	if svc.restartMgr != nil {
+		ranks := make([]ranklist.Rank, 0, len(instances))
+		for _, ei := range instances {
+			rank, err := ei.GetRank()
+			if err == nil {
+				ranks = append(ranks, rank)
+			}
+		}
+		if len(ranks) > 0 {
+			svc.restartMgr.clearRankRestartHistory(ranks)
+		}
+	}
+
 	return resp, nil
 }
 
@@ -319,6 +335,22 @@ func (svc *ControlService) StartRanks(ctx context.Context, req *ctlpb.RanksReq)
 		return nil, err
 	}
 
+	// Clear restart history for manually started ranks on this server
+	// This prevents rate-limiting from interfering with manual operations
+	// Note: instances already filtered by FilterInstancesByRankSet() to match req.GetRanks()
+	if svc.restartMgr != nil {
+		ranks := make([]ranklist.Rank, 0, len(instances))
+		for _, ei := range instances {
+			rank, err := ei.GetRank()
+			if err == nil {
+				ranks = append(ranks, rank)
+			}
+		}
+		if len(ranks) > 0 {
+			svc.restartMgr.clearRankRestartHistory(ranks)
+		}
+	}
+
 	return resp, nil
 }
 
diff --git a/src/control/server/ctl_svc.go b/src/control/server/ctl_svc.go
index a70348f8854..9417723fafe 100644
--- a/src/control/server/ctl_svc.go
+++ b/src/control/server/ctl_svc.go
@@ -1,5 +1,6 @@
 //
 // (C) Copyright 2018-2024 Intel Corporation.
+// (C) Copyright 2026 Hewlett Packard Enterprise Development LP
 //
 // SPDX-License-Identifier: BSD-2-Clause-Patent
 //
@@ -19,10 +20,11 @@ import (
 type ControlService struct {
 	ctlpb.UnimplementedCtlSvcServer
 	StorageControlService
-	harness *EngineHarness
-	srvCfg  *config.Server
-	events  *events.PubSub
-	fabric  *hardware.FabricScanner
+	harness    *EngineHarness
+	srvCfg     *config.Server
+	events     *events.PubSub
+	fabric     *hardware.FabricScanner
+	restartMgr *engineRestartManager
 }
 
 // NewControlService returns ControlService to be used as gRPC control service
diff --git a/src/control/server/instance_restart.go b/src/control/server/instance_restart.go
index ddfe335b31d..28e91938e2d 100644
--- a/src/control/server/instance_restart.go
+++ b/src/control/server/instance_restart.go
@@ -190,6 +190,33 @@ func (mgr *engineRestartManager) start(ctx context.Context) {
 	}()
 }
 
+// clearRankRestartHistory clears the restart history for specific ranks.
+// This is called when ranks are manually stopped or started to ensure
+// manual operations don't interfere with automatic restart rate limiting.
+func (mgr *engineRestartManager) clearRankRestartHistory(ranks []ranklist.Rank) {
+	if mgr == nil || len(ranks) == 0 {
+		return
+	}
+
+	mgr.mu.Lock()
+	defer mgr.mu.Unlock()
+
+	for _, rank := range ranks {
+		// Cancel any pending restart for this rank
+		if timer, exists := mgr.pendingRestart[rank]; exists {
+			timer.Stop()
+			delete(mgr.pendingRestart, rank)
+			mgr.log.Debugf("cancelled pending restart for rank %d during manual operation", rank)
+		}
+
+		// Clear restart history for this rank
+		if _, exists := mgr.lastRestart[rank]; exists {
+			delete(mgr.lastRestart, rank)
+			mgr.log.Debugf("cleared restart history for rank %d (manual operation)", rank)
+		}
+	}
+}
+
 // stop shuts down the restart manager.
 func (mgr *engineRestartManager) stop() {
 	mgr.log.Debug("stopping engine restart manager")
diff --git a/src/control/server/instance_restart_test.go b/src/control/server/instance_restart_test.go
index 4773ded66f0..d075f244143 100644
--- a/src/control/server/instance_restart_test.go
+++ b/src/control/server/instance_restart_test.go
@@ -631,3 +631,118 @@ func TestServer_NewEngineRestartManager(t *testing.T) {
 		t.Error("expected pendingRestart map to be initialized")
 	}
 }
+
+func TestServer_EngineRestartManager_ClearRankRestartHistory(t *testing.T) {
+	for name, tc := range map[string]struct {
+		setupRanks     []ranklist.Rank
+		clearRanks     []ranklist.Rank
+		expectLogMsgs  []string
+		remainingRanks []ranklist.Rank
+	}{
+		"nil manager": {
+			setupRanks: []ranklist.Rank{1, 2},
+			clearRanks: []ranklist.Rank{1},
+		},
+		"empty ranks": {
+			setupRanks: []ranklist.Rank{1, 2},
+			clearRanks: []ranklist.Rank{},
+		},
+		"clear single rank with history": {
+			setupRanks:     []ranklist.Rank{1, 2, 3},
+			clearRanks:     []ranklist.Rank{2},
+			expectLogMsgs:  []string{"cleared restart history for rank 2"},
+			remainingRanks: []ranklist.Rank{1, 3},
+		},
+		"clear multiple ranks with history": {
+			setupRanks:     []ranklist.Rank{1, 2, 3, 4},
+			clearRanks:     []ranklist.Rank{1, 3},
+			expectLogMsgs:  []string{"cleared restart history for rank 1", "cleared restart history for rank 3"},
+			remainingRanks: []ranklist.Rank{2, 4},
+		},
+		"clear all ranks": {
+			setupRanks:     []ranklist.Rank{1, 2, 3},
+			clearRanks:     []ranklist.Rank{1, 2, 3},
+			expectLogMsgs:  []string{"cleared restart history for rank 1", "cleared restart history for rank 2", "cleared restart history for rank 3"},
+			remainingRanks: []ranklist.Rank{},
+		},
+		"clear rank without history": {
+			setupRanks:     []ranklist.Rank{1, 2},
+			clearRanks:     []ranklist.Rank{5},
+			expectLogMsgs:  []string{},
+			remainingRanks: []ranklist.Rank{1, 2},
+		},
+		"clear rank with pending restart": {
+			setupRanks:     []ranklist.Rank{1, 2},
+			clearRanks:     []ranklist.Rank{1},
+			expectLogMsgs:  []string{"cancelled pending restart for rank 1", "cleared restart history for rank 1"},
+			remainingRanks: []ranklist.Rank{2},
+		},
+	} {
+		t.Run(name, func(t *testing.T) {
+			log, buf := setupTestLogger(t)
+			var mgr *engineRestartManager
+
+			if name == "nil manager" {
+				// Test nil manager doesn't panic
+				var nilMgr *engineRestartManager
+				nilMgr.clearRankRestartHistory(tc.clearRanks)
+				return
+			}
+
+			mgr = setupTestManager(t, nil, log)
+
+			// Setup restart history for ranks
+			now := time.Now()
+			for i, rank := range tc.setupRanks {
+				mgr.lastRestart[rank] = now.Add(-time.Duration(i) * time.Minute)
+			}
+
+			// Setup pending restart for rank 1 if testing that case
+			if name == "clear rank with pending restart" {
+				timer := time.NewTimer(10 * time.Second)
+				t.Cleanup(func() { timer.Stop() })
+				mgr.pendingRestart[ranklist.Rank(1)] = timer
+			}
+
+			mgr.clearRankRestartHistory(tc.clearRanks)
+
+			// Verify expected log messages
+			for _, expectedMsg := range tc.expectLogMsgs {
+				if !strings.Contains(buf.String(), expectedMsg) {
+					t.Errorf("expected log message %q not found in: %s",
+						expectedMsg, buf.String())
+				}
+			}
+
+			// Verify remaining ranks still have history
+			for _, rank := range tc.remainingRanks {
+				if _, exists := mgr.lastRestart[rank]; !exists {
+					t.Errorf("expected rank %d to still have restart history", rank)
+				}
+			}
+
+			// Verify cleared ranks don't have history
+			for _, rank := range tc.clearRanks {
+				if _, exists := mgr.lastRestart[rank]; exists {
+					found := false
+					for _, remaining := range tc.remainingRanks {
+						if remaining.Equals(rank) {
+							found = true
+							break
+						}
+					}
+					if !found {
+						t.Errorf("expected rank %d to have cleared restart history", rank)
+					}
+				}
+			}
+
+			// Verify pending restart was cleared for rank 1 in specific test
+			if name == "clear rank with pending restart" {
+				if _, exists := mgr.pendingRestart[ranklist.Rank(1)]; exists {
+					t.Error("expected pending restart for rank 1 to be cleared")
+				}
+			}
+		})
+	}
+}
diff --git a/src/control/server/mgmt_svc.go b/src/control/server/mgmt_svc.go
index 947f97e97d6..1334e23dd63 100644
--- a/src/control/server/mgmt_svc.go
+++ b/src/control/server/mgmt_svc.go
@@ -1,6 +1,6 @@
 //
 // (C) Copyright 2018-2024 Intel Corporation.
-// (C) Copyright 2025 Hewlett Packard Enterprise Development LP
+// (C) Copyright 2025-2026 Hewlett Packard Enterprise Development LP
 //
 // SPDX-License-Identifier: BSD-2-Clause-Patent
 //
diff --git a/src/control/server/server.go b/src/control/server/server.go
index 759f1f4b63f..4a9f6020884 100644
--- a/src/control/server/server.go
+++ b/src/control/server/server.go
@@ -267,6 +267,7 @@ func (srv *server) createServices(ctx context.Context) (err error) {
 
 	srv.ctlSvc = NewControlService(srv.log, srv.harness, srv.cfg, srv.pubSub,
 		network.DefaultFabricScanner(srv.log))
+	srv.ctlSvc.restartMgr = srv.restartMgr
 	srv.mgmtSvc = newMgmtSvc(srv.harness, srv.membership, srv.sysdb, rpcClient, srv.pubSub)
 
 	if err := srv.mgmtSvc.systemProps.UpdateCompPropVal(daos.SystemPropertyDaosSystem, func() string {
diff --git a/src/tests/ftest/control/engine_auto_restart.py b/src/tests/ftest/control/engine_auto_restart.py
new file mode 100644
index 00000000000..4a606b1a31f
--- /dev/null
+++ b/src/tests/ftest/control/engine_auto_restart.py
@@ -0,0 +1,201 @@
+"""
+  (C) Copyright 2026 Hewlett Packard Enterprise Development LP
+
+  SPDX-License-Identifier: BSD-2-Clause-Patent
+"""
+import time
+
+from control_test_base import ControlTestBase
+
+
+class EngineAutoRestartTest(ControlTestBase):
+    """Test automatic engine restart on self-termination.
+
+    Test Class Description:
+        Verify automatic engine restart behavior when engines self-terminate
+        after being excluded from the system.
+
+    :avocado: recursive
+    """
+
+    def tearDown(self):
+        """Clean up after each test method."""
+        # Reset restart state for next test method
+        # This ensures clean state between sequential tests
+        try:
+            self.reset_engine_restart_state()
+        except Exception as error:
+            self.log.error("Failed to reset engine restart state: %s", error)
+            self.fail("tearDown failed to reset engine restart state: {}".format(error))
+        finally:
+            super().tearDown()
+
+    def test_auto_restart_basic(self):
+        """Test basic automatic engine restart after self-termination.
+
+        Test Description:
+            1. Exclude a rank from the system
+            2. Wait for rank to self-terminate
+            3. Verify rank automatically restarts and rejoins the system
+
+        :avocado: tags=all,pr,daily_regression
+        :avocado: tags=hw,medium
+        :avocado: tags=dmg,control,engine_auto_restart
+        :avocado: tags=EngineAutoRestartTest,test_auto_restart_basic
+        """
+        all_ranks = self.get_all_ranks()
+        if len(all_ranks) < 2:
+            self.skipTest("Test requires at least 2 ranks")
+
+        test_rank = self.random.choice(all_ranks)
+
+        self.log_step("testing automatic restart of rank %s", test_rank)
+
+        # get initial incarnation number
+        initial_incarnation = self.get_rank_incarnation(test_rank)
+        if initial_incarnation is None:
+            self.fail(f"failed to get initial incarnation for rank {test_rank}")
+
+        self.log.info("rank %s initial incarnation: %s", test_rank, initial_incarnation)
+
+        restarted, final_state = self.exclude_rank_and_wait_restart(test_rank)
+
+        if not restarted:
+            self.fail(f"rank {test_rank} did not automatically restart. "
+                      f"final state: {final_state}")
+
+        # verify incarnation increased after restart
+        final_incarnation = self.get_rank_incarnation(test_rank)
+        if final_incarnation is None:
+            self.fail(f"failed to get final incarnation for rank {test_rank}")
+
+        self.log.info("rank %s final incarnation: %s", test_rank, final_incarnation)
+
+        if final_incarnation <= initial_incarnation:
+            self.fail(f"rank {test_rank} incarnation did not increase after restart. "
+                      f"before: {initial_incarnation}, after: {final_incarnation}")
+
+        self.log.info("SUCCESS: rank %s automatically restarted after self-termination "
+                      "(incarnation %s -> %s)",
+                      test_rank, initial_incarnation, final_incarnation)
+
+    def test_auto_restart_multiple_ranks(self):
+        """Test automatic restart of multiple ranks.
+
+        Test Description:
+            1. Exclude multiple ranks simultaneously
+            2. Wait for all to self-terminate
+            3. Verify all automatically restart and rejoin
+
+        :avocado: tags=all,full_regression
+        :avocado: tags=hw,medium
+        :avocado: tags=dmg,control,engine_auto_restart
+        :avocado: tags=EngineAutoRestartTest,test_auto_restart_multiple_ranks
+        """
+        all_ranks = self.get_all_ranks()
+        if len(all_ranks) < 3:
+            self.skipTest("Test requires at least 3 ranks")
+
+        # Exclude half the ranks
+        num_to_test = max(2, len(all_ranks) // 2)
+        test_ranks = self.random.sample(all_ranks, num_to_test)
+
+        self.log_step("Step 1: Excluding %s ranks: %s", (num_to_test, test_ranks))
+
+        incs = []
+        for rank in test_ranks:
+            initial_incarnation = self.get_rank_incarnation(rank)
+            if initial_incarnation is None:
+                self.fail(f"failed to get initial incarnation for rank {rank}")
+            incs.append(initial_incarnation)
+            self.dmg.system_exclude(ranks=[rank], rank_hosts=None)
+            time.sleep(1)  # small delay between exclusions
+            self.dmg.system_clear_exclude(ranks=[rank], rank_hosts=None)
+
+        # Step 3: Wait and verify all restart
+        wait_time = 35
+
+        self.log_step("Step 3: Waiting %ss to verify all automatically restart", wait_time)
+        time.sleep(wait_time)
+
+        errors = []
+        end_incs = []
+        for rank in test_ranks:
+            failed = self.server_managers[0].check_rank_state(
+                ranks=[rank], valid_states=["joined"], max_checks=1)
+            if failed:
+                errors.append("Rank %s unexpectedly not restarted when auto-restart enabled"
+                              % rank)
+            end_incarnation = self.get_rank_incarnation(rank)
+            if end_incarnation is None:
+                self.fail(f"failed to get end incarnation for rank {rank}")
+            end_incs.append(end_incarnation)
+
+        if errors:
+            self.fail("\n".join(errors))
+
+        # Show changes
+        for idx, (old, new) in enumerate(zip(incs, end_incs)):
+            actual_rank = test_ranks[idx]
+            if new > old:
+                self.log.debug(f"Rank {actual_rank}: {old} -> {new} (restarted)")
+            else:
+                self.log.debug(f"Rank {actual_rank}: {old} -> {new} (NOT restarted!)")
+
+        # Verify all increased
+        all_increased = all(a > b for b, a in zip(incs, end_incs))
+        if not all_increased:
+            self.fail("ERROR: Not all ranks restarted!")
+
+        self.log.info("SUCCESS: All of %s automatically restarted", test_ranks)
+
+    def test_auto_restart_with_pool(self):
+        """Test automatic restart works with active pools.
+
+        Test Description:
+            1. Create a pool
+            2. Exclude a rank (not in pool service)
+            3. Verify rank automatically restarts
+            4. Verify pool remains accessible
+
+        :avocado: tags=all,daily_regression
+        :avocado: tags=hw,medium
+        :avocado: tags=dmg,control,engine_auto_restart,pool
+        :avocado: tags=EngineAutoRestartTest,test_auto_restart_with_pool
+        """
+        all_ranks = self.get_all_ranks()
+        if len(all_ranks) < 4:
+            self.skipTest("Test requires at least 4 ranks")
+
+        # Create pool first
+        self.add_pool(connect=False)
+
+        test_rank = all_ranks[-1]
+
+        self.log_step("Excluding non-service rank %s while pool is active", test_rank)
+
+        # Get initial incarnation
+        initial_incarnation = self.get_rank_incarnation(test_rank)
+        if initial_incarnation is None:
+            self.fail(f"Failed to get initial incarnation for rank {test_rank}")
+
+        restarted, final_state = self.exclude_rank_and_wait_restart(test_rank)
+
+        if not restarted:
+            self.fail(f"Rank {test_rank} did not restart. State: {final_state}")
+
+        # Verify incarnation increased
+        final_incarnation = self.get_rank_incarnation(test_rank)
+        if final_incarnation is None:
+            self.fail(f"Failed to get final incarnation for rank {test_rank}")
+
+        if final_incarnation <= initial_incarnation:
+            self.fail(f"Rank {test_rank} incarnation did not increase. "
+                      f"Before: {initial_incarnation}, After: {final_incarnation}")
+
+        # Verify pool is still accessible
+        self.log_step("Verifying pool is still accessible after rank restart")
+        self.pool.query()
+
+        self.log.info("SUCCESS: Rank %s restarted (incarnation %s -> %s) and pool remains "
+                      "accessible", test_rank, initial_incarnation, final_incarnation)
diff --git a/src/tests/ftest/control/engine_auto_restart.yaml b/src/tests/ftest/control/engine_auto_restart.yaml
new file mode 100644
index 00000000000..a0471f36e7d
--- /dev/null
+++ b/src/tests/ftest/control/engine_auto_restart.yaml
@@ -0,0 +1,25 @@
+hosts:
+  test_servers: 2
+server_config:
+  name: daos_server
+  engines_per_host: 2
+  engines:
+    0:
+      log_file: daos_server0.log
+      targets: 4
+      nr_xs_helpers: 0
+      storage:
+        0:
+          class: ram
+          scm_mount: /mnt/daos0
+    1:
+      log_file: daos_server1.log
+      targets: 4
+      nr_xs_helpers: 0
+      storage:
+        0:
+          class: ram
+          scm_mount: /mnt/daos1
+pool:
+  size: 2G
+timeout: 300
diff --git a/src/tests/ftest/control/engine_auto_restart_advanced.py b/src/tests/ftest/control/engine_auto_restart_advanced.py
new file mode 100644
index 00000000000..edfa79f4980
--- /dev/null
+++ b/src/tests/ftest/control/engine_auto_restart_advanced.py
@@ -0,0 +1,168 @@
+"""
+  (C) Copyright 2026 Hewlett Packard Enterprise Development LP
+
+  SPDX-License-Identifier: BSD-2-Clause-Patent
+"""
+import time
+
+from control_test_base import ControlTestBase
+
+
+class EngineAutoRestartAdvanced(ControlTestBase):
+    """Test advanced automatic engine restart scenarios.
+
+    Test Class Description:
+        Verify automatic engine restart with custom configurations including
+        rate-limiting, deferred restarts, and disabled restart behavior.
+
+    :avocado: recursive
+    """
+
+    def tearDown(self):
+        """Clean up after each test method."""
+        # Reset restart state for next test method
+        # This ensures clean state between sequential tests
+        try:
+            self.reset_engine_restart_state()
+        except Exception as error:
+            self.log.error("Failed to reset engine restart state: %s", error)
+            self.fail("tearDown failed to reset engine restart state: {}".format(error))
+        finally:
+            super().tearDown()
+
+    def wait_for_rank_state(self, rank, expected_state, timeout=30, check_interval=2):
+        """Wait for a rank to reach expected state.
+
+        Args:
+            rank (int): Rank number
+            expected_state (str): Expected state
+            timeout (int): Maximum seconds to wait
+            check_interval (int): Seconds between state checks
+
+        Returns:
+            bool: True if state reached, False if timeout
+        """
+        start_time = time.time()
+
+        while time.time() - start_time < timeout:
+            failed_ranks = self.server_managers[0].check_rank_state(
+                ranks=[rank], valid_states=[expected_state], max_checks=1)
+
+            if not failed_ranks:
+                self.log.info("Rank %s reached state '%s' after %.1fs",
+                              rank, expected_state, time.time() - start_time)
+                return True
+
+            time.sleep(check_interval)
+
+        current_state = self.get_rank_state(rank)
+        self.log.warning("Rank %s did not reach '%s' within %ss. Current state: %s",
+                         rank, expected_state, timeout, current_state)
+        return False
+
+    def test_deferred_restart(self):
+        """Test deferred restart when multiple self-terminations occur rapidly. Use custom delay.
+
+        Test Description:
+            This test requires custom server configuration with a short
+            engine_auto_restart_min_delay (20 seconds) to avoid long test runtime.
+
+            1. Exclude rank and wait for automatic restart (first restart)
+            2. Immediately exclude same rank again (second self-termination)
+               Confirm restart is deferred, not immediate
+            3. Wait for deferred restart to execute after delay expires
+               Confirm deferred restart executes successfully and rank joined
+            4. Measure time until deferred restart executed
+            5. Verify delay matches configured value
+
+        :avocado: tags=all,full_regression
+        :avocado: tags=hw,medium
+        :avocado: tags=dmg,control,engine_auto_restart
+        :avocado: tags=EngineAutoRestartAdvanced,test_deferred_restart
+        """
+        # Get configured restart delay from test params
+        expected_delay = self.params.get("engine_auto_restart_min_delay",
+                                         "/run/server_config/*", 20)
+
+        all_ranks = self.get_all_ranks()
+        if len(all_ranks) < 2:
+            self.skipTest("Test requires at least 2 ranks")
+
+        test_rank = self.random.choice(all_ranks)
+
+        self.log_step("Step 1: Automatic restart of rank %s", test_rank)
+
+        # Get initial incarnation
+        initial_incarnation = self.get_rank_incarnation(test_rank)
+        if initial_incarnation is None:
+            self.fail(f"Failed to get initial incarnation for rank {test_rank}")
+
+        restarted, final_state = self.exclude_rank_and_wait_restart(test_rank)
+
+        if not restarted:
+            self.fail(f"Rank {test_rank} did not automatically restart. "
+                      f"Final state: {final_state}")
+
+        # Verify incarnation increased
+        first_restart_incarnation = self.get_rank_incarnation(test_rank)
+        if first_restart_incarnation is None:
+            self.fail(f"Failed to get incarnation after first restart for rank {test_rank}")
+
+        if first_restart_incarnation <= initial_incarnation:
+            self.fail(f"Rank {test_rank} incarnation did not increase after first restart. "
+                      f"Before: {initial_incarnation}, After: {first_restart_incarnation}")
+
+        first_restart_time = time.time()
+        self.log.info("First restart completed at T=%.1f (incarnation %s -> %s)",
+                      first_restart_time, initial_incarnation, first_restart_incarnation)
+
+        # Second exclusion - should be deferred due to rate-limiting
+        self.log_step("Step 2: Second exclusion of rank %s (should be deferred)", test_rank)
+
+        restarted, final_state = self.exclude_rank_and_wait_restart(test_rank,
+                                                                    timeout=10)
+
+        if restarted:
+            self.fail("Rank %s unexpectedly restarted. Final state: %s" % (test_rank, final_state))
+
+        self.log.info("Confirmed: Restart is deferred (rank still in excluded state)")
+
+        # Wait for deferred restart to execute (after delay expires), add buffer
+        wait_time = expected_delay + 5
+        self.log_step("Step 3: Waiting %ss for deferred restart to execute", wait_time)
+
+        if not self.wait_for_rank_state(test_rank, "joined", timeout=wait_time):
+            self.fail(f"Rank {test_rank} did not restart after rate-limit delay")
+
+        # Verify incarnation increased again after deferred restart
+        deferred_restart_incarnation = self.get_rank_incarnation(test_rank)
+        if deferred_restart_incarnation is None:
+            self.fail(f"Failed to get incarnation after deferred restart for rank {test_rank}")
+
+        if deferred_restart_incarnation <= first_restart_incarnation:
+            self.fail(f"Rank {test_rank} incarnation did not increase after deferred restart. "
+                      f"After first: {first_restart_incarnation}, "
+                      f"After deferred: {deferred_restart_incarnation}")
+
+        self.log_step("Step 4: Measure time between initial and deferred restarts")
+        deferred_restart_time = time.time()
+        actual_delay = deferred_restart_time - first_restart_time
+
+        self.log.info("Confirmed: Deferred restart executed after %.1fs (expected ~%ss), "
+                      "incarnation %s -> %s",
+                      actual_delay, expected_delay,
+                      first_restart_incarnation, deferred_restart_incarnation)
+
+        self.log_step("Step 5: Verify delay was approximately correct (80%% to 120%% of expected)")
+        min_delay = expected_delay * 0.8
+        max_delay = expected_delay * 1.2
+
+        if actual_delay < min_delay:
+            self.fail(f"Restart too early: {actual_delay:.1f}s < {min_delay:.1f}s")
+        elif actual_delay > max_delay:
+            self.log.warning("Restart delayed beyond expected: %.1fs > %.1fs "
+                             "(may be acceptable depending on system load)",
+                             actual_delay, max_delay)
+        else:
+            self.log.info("SUCCESS: Restart delay within expected range [%.1fs, %.1fs]",
+                          min_delay, max_delay)
diff --git a/src/tests/ftest/control/engine_auto_restart_advanced.yaml b/src/tests/ftest/control/engine_auto_restart_advanced.yaml
new file mode 100644
index 00000000000..0367b56c025
--- /dev/null
+++ b/src/tests/ftest/control/engine_auto_restart_advanced.yaml
@@ -0,0 +1,26 @@
+hosts:
+  test_servers: 1
+server_config:
+  name: daos_server
+  engines_per_host: 2
+  engine_auto_restart_min_delay: 30
+  engines:
+    0:
+      log_file: daos_server0.log
+      targets: 4
+      nr_xs_helpers: 0
+      storage:
+        0:
+          class: ram
+          scm_mount: /mnt/daos0
+    1:
+      log_file: daos_server1.log
+      targets: 4
+      nr_xs_helpers: 0
+      storage:
+        0:
+          class: ram
+          scm_mount: /mnt/daos1
+pool:
+  size: 8G
+timeout: 400
diff --git a/src/tests/ftest/control/engine_auto_restart_disabled.py b/src/tests/ftest/control/engine_auto_restart_disabled.py
new file mode 100644
index 00000000000..1ae250d237b
--- /dev/null
+++ b/src/tests/ftest/control/engine_auto_restart_disabled.py
@@ -0,0 +1,158 @@
+"""
+  (C) Copyright 2026 Hewlett Packard Enterprise Development LP
+
+  SPDX-License-Identifier: BSD-2-Clause-Patent
+"""
+import time
+
+from control_test_base import ControlTestBase
+from general_utils import report_errors
+
+
+class EngineAutoRestartDisabled(ControlTestBase):
+    """Test automatic engine restart disabled configuration.
+
+    Test Class Description:
+        Verify that automatic engine restart can be disabled and that
+        excluded ranks stay excluded when auto-restart is disabled.
+
+    :avocado: recursive
+    """
+
+    def tearDown(self):
+        """Clean up after each test method."""
+        # Reset restart state for next test method
+        # This ensures clean state between sequential tests
+        try:
+            self.reset_engine_restart_state()
+        except Exception as error:
+            self.log.error("Failed to reset engine restart state: %s", error)
+            self.fail("tearDown failed to reset engine restart state: {}".format(error))
+        finally:
+            super().tearDown()
+
+    def test_no_restart_when_disabled(self):
+        """Test that engines do not automatically restart when feature is disabled.
+
+        Test Description:
+            Server is configured with disable_engine_auto_restart: true.
+
+            1. Exclude a rank from the system
+            2. Wait for rank to self-terminate
+            3. Wait additional time to verify NO automatic restart occurs
+            4. Manually start the rank to verify it can still be started
+            5. Verify manual start succeeds
+
+        :avocado: tags=all,daily_regression
+        :avocado: tags=hw,medium
+        :avocado: tags=dmg,control,engine_auto_restart
+        :avocado: tags=EngineAutoRestartDisabled,test_no_restart_when_disabled
+        """
+        all_ranks = self.get_all_ranks()
+        if len(all_ranks) < 2:
+            self.skipTest("Test requires at least 2 ranks")
+
+        test_rank = self.random.choice(all_ranks)
+
+        self.log_step("Step 1: Excluding rank %s (auto-restart is DISABLED)", test_rank)
+
+        restarted, _ = self.exclude_rank_and_wait_restart(test_rank, timeout=35)
+
+        if restarted:
+            self.fail("Rank %s unexpectedly restarted when auto-restart disabled!" % test_rank)
+
+        self.log.info("Confirmed: Rank %s did NOT automatically restart (as expected)", test_rank)
+
+        # Step 4: Manually start the rank
+        self.log_step("Step 2: Manually starting rank %s", test_rank)
+        self.dmg.system_start(ranks=f"{test_rank}")
+
+        # Verify manual start succeeds
+        failed_ranks = self.server_managers[0].check_rank_state(
+            ranks=[test_rank], valid_states=["joined"], max_checks=15)
+        if failed_ranks:
+            self.fail("Manual start of rank %s failed" % test_rank)
+
+        self.log.info("SUCCESS: Rank %s stayed excluded when auto-restart disabled, and manual "
+                      "start succeeded", test_rank)
+
+    def test_multiple_ranks_no_restart(self):
+        """Test that multiple excluded ranks stay excluded when auto-restart disabled.
+
+        Test Description:
+            Server configured with disable_engine_auto_restart: true.
+
+            1. Exclude multiple ranks
+            2. Verify all self-terminate and reach AdminExcluded state
+            3. Wait to confirm none automatically restart
+            4. Manually restart all ranks
+            5. Verify all successfully rejoin
+
+        :avocado: tags=all,full_regression
+        :avocado: tags=hw,medium
+        :avocado: tags=dmg,control,engine_auto_restart
+        :avocado: tags=EngineAutoRestartDisabled,test_multiple_ranks_no_restart
+        """
+        all_ranks = self.get_all_ranks()
+        if len(all_ranks) < 3:
+            self.skipTest("Test requires at least 3 ranks")
+
+        # Exclude half the ranks
+        num_to_test = max(2, len(all_ranks) // 2)
+        test_ranks = self.random.sample(all_ranks, num_to_test)
+
+        self.log_step("Step 1: Excluding %s ranks: %s", (num_to_test, test_ranks))
+
+        for rank in test_ranks:
+            self.dmg.system_exclude(ranks=[rank], rank_hosts=None)
+            time.sleep(1)  # Small delay between exclusions
+
+        # Step 2: Verify all reach adminexcluded state
+        self.log_step("Step 2: Verifying all ranks get excluded from system")
+        time.sleep(10)
+
+        for rank in test_ranks:
+            failed = self.server_managers[0].check_rank_state(
+                ranks=[rank], valid_states=["adminexcluded"], max_checks=5)
+            if failed:
+                self.fail("Rank %s did not get excluded from system" % rank)
+            self.dmg.system_clear_exclude(ranks=[rank], rank_hosts=None)
+
+        # Step 3: Wait and verify none restart
+        wait_time = 20
+        self.log_step("Step 3: Waiting %ss to verify no automatic restarts", wait_time)
+        time.sleep(wait_time)
+
+        errors = []
+        for rank in test_ranks:
+            failed = self.server_managers[0].check_rank_state(
+                ranks=[rank], valid_states=["excluded"], max_checks=1)
+            if failed:
+                errors.append("Rank %s unexpectedly restarted when auto-restart disabled"
+                              % rank)
+
+        if errors:
+            self.fail("\n".join(errors))
+
+        self.log.info("Confirmed: None of %s automatically restarted", test_ranks)
+
+        # Step 4: Manually restart all
+        self.log_step("Step 4: Manually restart ranks")
+
+        for rank in test_ranks:
+            self.dmg.system_start(ranks=f"{rank}")
+
+        # Step 5: Verify all rejoin
+        self.log_step("Step 5: Verifying all ranks successfully rejoin")
+        time.sleep(10)
+
+        for rank in test_ranks:
+            failed = self.server_managers[0].check_rank_state(
+                ranks=[rank], valid_states=["joined"], max_checks=10)
+            if failed:
+                errors.append("Manual restart of rank %s failed" % rank)
+
+        report_errors(test=self, errors=errors)
+
+        self.log.info("SUCCESS: All %s ranks stayed excluded and manual restart succeeded",
+                      num_to_test)
diff --git a/src/tests/ftest/control/engine_auto_restart_disabled.yaml b/src/tests/ftest/control/engine_auto_restart_disabled.yaml
new file mode 100644
index 00000000000..d95257c5357
--- /dev/null
+++ b/src/tests/ftest/control/engine_auto_restart_disabled.yaml
@@ -0,0 +1,26 @@
+hosts:
+  test_servers: 2
+server_config:
+  name: daos_server
+  engines_per_host: 2
+  disable_engine_auto_restart: true
+  engines:
+    0:
+      log_file: daos_server0.log
+      targets: 4
+      nr_xs_helpers: 0
+      storage:
+        0:
+          class: ram
+          scm_mount: /mnt/daos0
+    1:
+      log_file: daos_server1.log
+      targets: 4
+      nr_xs_helpers: 0
+      storage:
+        0:
+          class: ram
+          scm_mount: /mnt/daos1
+pool:
+  size: 8G
+timeout: 300
diff --git a/src/tests/ftest/util/control_test_base.py b/src/tests/ftest/util/control_test_base.py
index eff064f53f2..d8487028734 100644
--- a/src/tests/ftest/util/control_test_base.py
+++ b/src/tests/ftest/util/control_test_base.py
@@ -1,8 +1,10 @@
 """
   (C) Copyright 2020-2022 Intel Corporation.
+  (C) Copyright 2026 Hewlett Packard Enterprise Development LP
 
   SPDX-License-Identifier: BSD-2-Clause-Patent
 """
+import time
 
 from apricot import TestWithServers
 from ClusterShell.NodeSet import NodeSet
@@ -46,3 +48,176 @@ def verify_dmg_storage_scan(self, verify_method):
 
         if errors:
             self.fail("\n--- Errors found! ---\n{}".format("\n".join(errors)))
+
+    def get_all_ranks(self):
+        """Get list of all ranks in the system.
+
+        Returns:
+            list: List of all rank numbers
+        """
+        return list(self.server_managers[0].ranks.keys())
+
+    def get_rank_state(self, rank):
+        """Get the state of a rank.
+
+        Args:
+            rank (int): Rank number
+
+        Returns:
+            str: Current state of the rank
+        """
+        data = self.dmg.system_query(ranks="%s" % rank)
+        if data["status"] != 0:
+            self.fail("Cmd dmg system query failed")
+        if "response" in data and "members" in data["response"]:
+            if data["response"]["members"] is None:
+                self.fail("No members returned from dmg system query")
+            for member in data["response"]["members"]:
+                return member["state"].lower()
+        self.fail("No member state returned from dmg system query")
+        return None
+
+    def exclude_rank_and_wait_restart(self, rank, timeout=30):
+        """Exclude a rank and wait for it to self-terminate and potentially restart.
+
+        Args:
+            rank (int): Rank to exclude
+            timeout (int): Maximum seconds to wait for restart
+
+        Returns:
+            tuple: (restarted, final_state) - whether rank restarted and its final state
+        """
+        self.log_step("Excluding rank %s", rank)
+        self.dmg.system_exclude(ranks=[rank], rank_hosts=None)
+
+        # Wait for rank to self-terminate (should go to AdminExcluded state)
+        self.log_step("Waiting for rank %s to self-terminate", rank)
+        time.sleep(2)
+
+        # Check if rank is adminexcluded
+        failed_ranks = self.server_managers[0].check_rank_state(
+            ranks=[rank], valid_states=["adminexcluded"], max_checks=10)
+        if failed_ranks:
+            self.fail("Rank %s did not reach AdminExcluded state after exclusion" % rank)
+
+        # After triggering rank exclusion with dmg system exclude, clear
+        # AdminExcluded state so rank can join on auto-restart. This enables
+        # mimic of rank exclusion via SWIM inactivity detection.
+        self.log_step("Clearing AdminExcluded state for rank %s", rank)
+        self.dmg.system_clear_exclude(ranks=[rank], rank_hosts=None)
+
+        # Check if rank is excluded
+        failed_ranks = self.server_managers[0].check_rank_state(
+            ranks=[rank], valid_states=["excluded"], max_checks=10)
+        if failed_ranks:
+            self.fail("Rank %s did not reach Excluded state after clear-excluded" % rank)
+
+        # Wait for automatic restart (rank should go to Joined state)
+        self.log_step("Waiting for rank %s to automatically restart", rank)
+        start_time = time.time()
+        restarted = False
+
+        while time.time() - start_time < timeout:
+            time.sleep(2)
+            # Check if rank has rejoined
+            failed_ranks = self.server_managers[0].check_rank_state(
+                ranks=[rank], valid_states=["joined"], max_checks=1)
+            if not failed_ranks:
+                restarted = True
+                break
+
+        if restarted:
+            self.log.info("Rank %s automatically restarted and rejoined within %ss", rank, timeout)
+            return (True, "joined")
+
+        state = self.get_rank_state(rank)
+        self.log.info("Rank %s (%s) did not restart within %ss", rank, state, timeout)
+        return (False, state)
+
+    def get_rank_incarnation(self, rank):
+        """Get the incarnation number of a rank.
+
+        The incarnation number increments each time a rank restarts, allowing
+        verification that a rank has actually restarted rather than just
+        remaining in the same state.
+
+        Args:
+            rank (int): Rank number
+
+        Returns:
+            int: Current incarnation number of the rank, or None if not found
+
+        Raises:
+            None - logs error and returns None on failure
+        """
+        try:
+            data = self.dmg.system_query(ranks=f"{rank}")
+            if data.get("status") != 0:
+                self.log.error("dmg system query failed for rank %s", rank)
+                return None
+
+            if "response" not in data or "members" not in data["response"]:
+                self.log.error("Invalid response from dmg system query for rank %s", rank)
+                return None
+
+            members = data["response"]["members"]
+            if not members:
+                self.log.error("No members returned from dmg system query for rank %s", rank)
+                return None
+
+            for member in members:
+                if member.get("rank") == rank:
+                    incarnation = member.get("incarnation")
+                    if incarnation is not None:
+                        self.log.debug("Rank %s incarnation: %s", rank, incarnation)
+                        return incarnation
+                    self.log.error("No incarnation field for rank %s", rank)
+                    return None
+
+            self.log.error("Rank %s not found in system query response", rank)
+            return None
+
+        except Exception as error:  # pylint: disable=broad-exception-caught
+            # Catch all exceptions to prevent test framework crashes during rank queries
+            self.log.error("Exception getting incarnation for rank %s: %s", rank, error)
+            return None
+
+    def reset_engine_restart_state(self):
+        """Reset engine auto-restart state between tests.
+
+        The engine restart manager tracks last restart times for rate-limiting
+        automatic restarts. This state persists across test methods when servers
+        continue running, which can cause unexpected rate-limiting behavior in
+        sequential tests.
+
+        This method resets the state by restarting all servers via:
+        1. dmg system stop (automatically clears restart history for stopped ranks)
+        2. dmg system start (automatically clears restart history for started ranks)
+        3. Wait for all ranks to rejoin
+
+        The automatic clearing is handled by SystemStop/SystemStart in mgmt_system.go,
+        which calls clearRankRestartHistory() for affected ranks.
+
+        Usage:
+            Should be called in tearDown() of test classes that use engine restart
+            functionality. If this method fails, tearDown() should fail the test
+            to prevent subsequent tests from running with contaminated state.
+
+        Raises:
+            Exception: If server stop/start fails or ranks fail to rejoin
+
+        Note:
+            This operation adds ~5-10 seconds per test due to server restart overhead,
+            but is necessary to ensure test isolation and reliable results.
+        """
+        self.log.info("Restarting servers to reset engine restart manager state")
+        self.server_managers[0].system_stop()
+        time.sleep(2)
+        self.server_managers[0].system_start()
+
+        # Wait for all ranks to join
+        all_ranks = self.get_all_ranks()
+        failed_ranks = self.server_managers[0].check_rank_state(
+            ranks=all_ranks, valid_states=["joined"], max_checks=30)
+        if failed_ranks:
+            self.log.warning("Some ranks failed to rejoin after restart: %s", failed_ranks)
diff --git a/src/tests/ftest/util/dmg_utils.py b/src/tests/ftest/util/dmg_utils.py
index 106f0e50426..e4b51e72c40 100644
--- a/src/tests/ftest/util/dmg_utils.py
+++ b/src/tests/ftest/util/dmg_utils.py
@@ -1212,7 +1212,11 @@ def system_query(self, ranks=None, verbose=True):
         #         "uuid": "e7f2cb06-a111-4d55-a6a5-b494b70d62ab",
         #         "fabric_uri": "ofi+sockets://192.168.100.11:31416",
         #         "fabric_contexts": 17,
-        #         "info": ""
+        #         "secondary_fabric_uri": "",
+        #         "secondary_fabric_contexts": 0,
+        #         "info": "",
+        #         "last_update": "",
+        #         "incarnation": 10
         #     },
         #     {
         #         "addr": "10.8.1.74:10001",
@@ -1222,7 +1226,11 @@ def system_query(self, ranks=None, verbose=True):
         #         "uuid": "db36ab28-fdb0-4822-97e6-89547393ed03",
         #         "fabric_uri": "ofi+sockets://192.168.100.74:31416",
         #         "fabric_contexts": 17,
-        #         "info": ""
+        #         "secondary_fabric_uri": "",
+        #         "secondary_fabric_contexts": 0,
+        #         "info": "",
+        #         "last_update": "",
+        #         "incarnation": 12
         #     }
         #     ]
         # },
diff --git a/src/tests/ftest/util/server_utils_params.py b/src/tests/ftest/util/server_utils_params.py
index 36c9f5eb946..814beb331ec 100644
--- a/src/tests/ftest/util/server_utils_params.py
+++ b/src/tests/ftest/util/server_utils_params.py
@@ -176,6 +176,10 @@ def __init__(self, filename, common_yaml, version=None):
         self.fault_path = BasicParameter(None)
         self.fault_cb = BasicParameter(None)
 
+        # Engine auto-restart parameters
+        self.disable_engine_auto_restart = BasicParameter(None)
+        self.engine_auto_restart_min_delay = BasicParameter(None)
+
     def get_params(self, test):
         """Get values for all of the command params from the yaml file.
 

From bdfde05ff85538e54984d163353429dfb9ff52f4 Mon Sep 17 00:00:00 2001
From: Tom Nabarro <thomas.nabarro@hpe.com>
Date: Thu, 7 May 2026 13:12:40 +0100
Subject: [PATCH 23/45] fix server package unit test helpers

Features: control
Signed-off-by: Tom Nabarro <thomas.nabarro@hpe.com>
---
 src/control/server/ctl_ranks_rpc_test.go    | 15 ++++++-----
 src/control/server/instance_restart_test.go |  2 +-
 src/control/server/server_utils_test.go     | 28 ++++++++++-----------
 3 files changed, 23 insertions(+), 22 deletions(-)

diff --git a/src/control/server/ctl_ranks_rpc_test.go b/src/control/server/ctl_ranks_rpc_test.go
index 848618cfa21..b565881bba0 100644
--- a/src/control/server/ctl_ranks_rpc_test.go
+++ b/src/control/server/ctl_ranks_rpc_test.go
@@ -76,17 +76,20 @@ func checkUnorderedRankResults(t *testing.T, expResults, gotResults []*sharedpb.
 	}
 }
 
-func setupTestEngine(t *testing.T, srv *EngineInstance, idx, rank uint32, stopped ...bool) {
+func setupTestEngine(t *testing.T, ei *EngineInstance, idx, rank uint32, stopped ...bool) {
 	trc := &engine.TestRunnerConfig{}
 	if len(stopped) == 0 || !stopped[0] {
 		trc.Running.SetTrue()
-		srv.ready.SetTrue()
+		ei.ready.SetTrue()
+	} else {
+		trc.Running.SetFalse()
+		ei.ready.SetFalse()
 	}
-	srv.runner = engine.NewTestRunner(trc, engine.MockConfig())
-	srv.setIndex(idx)
+	ei.runner = engine.NewTestRunner(trc, engine.MockConfig())
+	ei.setIndex(idx)
 
-	srv._superblock.Rank = new(ranklist.Rank)
-	*srv._superblock.Rank = ranklist.Rank(rank)
+	ei._superblock.Rank = new(ranklist.Rank)
+	*ei._superblock.Rank = ranklist.Rank(rank)
 }
 
 func TestServer_CtlSvc_PrepShutdownRanks(t *testing.T) {
diff --git a/src/control/server/instance_restart_test.go b/src/control/server/instance_restart_test.go
index d075f244143..ce219b3449f 100644
--- a/src/control/server/instance_restart_test.go
+++ b/src/control/server/instance_restart_test.go
@@ -60,7 +60,7 @@ func setupTestHarness(t *testing.T, rankStr string, loggers ...logging.Logger) (
 	t.Helper()
 	log := getTestLogger(t, loggers)
 	harness := NewEngineHarness(log)
-	setupTestEngine(t, log, harness, false)
+	setupAddTestEngine(t, log, harness, false)
 
 	instances, err := harness.FilterInstancesByRankSet(rankStr)
 	if err != nil || len(instances) == 0 {
diff --git a/src/control/server/server_utils_test.go b/src/control/server/server_utils_test.go
index 110553b44f7..572ddce1ef6 100644
--- a/src/control/server/server_utils_test.go
+++ b/src/control/server/server_utils_test.go
@@ -1997,7 +1997,7 @@ const (
 	testProcessingDelay    = 100 * time.Millisecond
 )
 
-func setupTestEngine(t *testing.T, log logging.Logger, h *EngineHarness, isRunning bool, ranks ...uint32) {
+func setupAddTestEngine(t *testing.T, log logging.Logger, h *EngineHarness, isRunning bool, ranks ...uint32) {
 	t.Helper()
 
 	rank := uint32(1)
@@ -2005,13 +2005,11 @@ func setupTestEngine(t *testing.T, log logging.Logger, h *EngineHarness, isRunni
 		rank = ranks[0]
 	}
 
-	e := newTestEngine(log, false, storage.MockProvider(log, 0, nil, nil, nil, nil, nil))
-	e._superblock.Rank = ranklist.NewRankPtr(rank)
-	rCfg := &engine.TestRunnerConfig{}
-	rCfg.Running.Store(isRunning)
-	e.runner = engine.NewTestRunner(rCfg, engine.MockConfig())
-	e.ready.Store(isRunning)
-	if err := h.AddInstance(e); err != nil {
+	ei := newTestEngine(log, false, storage.MockProvider(log, 0, nil, nil, nil, nil, nil))
+
+	setupTestEngine(t, ei, 0, rank, isRunning)
+
+	if err := h.AddInstance(ei); err != nil {
 		t.Fatal(err)
 	}
 }
@@ -2041,7 +2039,7 @@ func TestServer_handleEngineSelfTerminated(t *testing.T) {
 				Timestamp:   validTimestamp,
 			}).WithForwarded(true),
 			setupEngines: func(t *testing.T, log logging.Logger, h *EngineHarness) {
-				setupTestEngine(t, log, h, false)
+				setupAddTestEngine(t, log, h, false)
 			},
 			serverHostname:      testHostname,
 			expRestartRequested: false,
@@ -2056,7 +2054,7 @@ func TestServer_handleEngineSelfTerminated(t *testing.T) {
 				Timestamp:   validTimestamp,
 			},
 			setupEngines: func(t *testing.T, log logging.Logger, h *EngineHarness) {
-				setupTestEngine(t, log, h, false)
+				setupAddTestEngine(t, log, h, false)
 			},
 			serverHostname:      testHostname,
 			expRestartRequested: false,
@@ -2071,7 +2069,7 @@ func TestServer_handleEngineSelfTerminated(t *testing.T) {
 				Timestamp:   validTimestamp,
 			},
 			setupEngines: func(t *testing.T, log logging.Logger, h *EngineHarness) {
-				setupTestEngine(t, log, h, false)
+				setupAddTestEngine(t, log, h, false)
 			},
 			disableEngineAutoRestart: true,
 			expRestartRequested:      false,
@@ -2146,7 +2144,7 @@ func TestServer_handleEngineSelfTerminated(t *testing.T) {
 				Timestamp:   validTimestamp,
 			},
 			setupEngines: func(t *testing.T, log logging.Logger, h *EngineHarness) {
-				setupTestEngine(t, log, h, false)
+				setupAddTestEngine(t, log, h, false)
 			},
 			expRestartRequested: true,
 			expLogContains: []string{
@@ -2163,7 +2161,7 @@ func TestServer_handleEngineSelfTerminated(t *testing.T) {
 				Timestamp:   validTimestamp,
 			},
 			setupEngines: func(t *testing.T, log logging.Logger, h *EngineHarness) {
-				setupTestEngine(t, log, h, true)
+				setupAddTestEngine(t, log, h, true)
 			},
 			expRestartRequested: false,
 			expLogContains: []string{
@@ -2180,7 +2178,7 @@ func TestServer_handleEngineSelfTerminated(t *testing.T) {
 			},
 			setupEngines: func(t *testing.T, log logging.Logger, h *EngineHarness) {
 				for i := 0; i < 3; i++ {
-					setupTestEngine(t, log, h, false, uint32(i))
+					setupAddTestEngine(t, log, h, false, uint32(i))
 				}
 			},
 			expRestartRequested: true,
@@ -2287,7 +2285,7 @@ func TestServer_handleEngineSelfTerminated_RateLimiting(t *testing.T) {
 	defer cancel()
 
 	harness := NewEngineHarness(log)
-	setupTestEngine(t, log, harness, false)
+	setupAddTestEngine(t, log, harness, false)
 
 	cfg := &config.Server{
 		DisableEngineAutoRestart:  false,

From c76507f54cbe5ee7adc005fd7fb1ed83115cbaac Mon Sep 17 00:00:00 2001
From: Tom Nabarro <thomas.nabarro@hpe.com>
Date: Thu, 7 May 2026 14:10:17 +0100
Subject: [PATCH 24/45] Revert "fix server package unit test helpers"

This reverts commit bdfde05ff85538e54984d163353429dfb9ff52f4.
---
 src/control/server/ctl_ranks_rpc_test.go    | 15 +++++------
 src/control/server/instance_restart_test.go |  2 +-
 src/control/server/server_utils_test.go     | 28 +++++++++++----------
 3 files changed, 22 insertions(+), 23 deletions(-)

diff --git a/src/control/server/ctl_ranks_rpc_test.go b/src/control/server/ctl_ranks_rpc_test.go
index b565881bba0..848618cfa21 100644
--- a/src/control/server/ctl_ranks_rpc_test.go
+++ b/src/control/server/ctl_ranks_rpc_test.go
@@ -76,20 +76,17 @@ func checkUnorderedRankResults(t *testing.T, expResults, gotResults []*sharedpb.
 	}
 }
 
-func setupTestEngine(t *testing.T, ei *EngineInstance, idx, rank uint32, stopped ...bool) {
+func setupTestEngine(t *testing.T, srv *EngineInstance, idx, rank uint32, stopped ...bool) {
 	trc := &engine.TestRunnerConfig{}
 	if len(stopped) == 0 || !stopped[0] {
 		trc.Running.SetTrue()
-		ei.ready.SetTrue()
-	} else {
-		trc.Running.SetFalse()
-		ei.ready.SetFalse()
+		srv.ready.SetTrue()
 	}
-	ei.runner = engine.NewTestRunner(trc, engine.MockConfig())
-	ei.setIndex(idx)
+	srv.runner = engine.NewTestRunner(trc, engine.MockConfig())
+	srv.setIndex(idx)
 
-	ei._superblock.Rank = new(ranklist.Rank)
-	*ei._superblock.Rank = ranklist.Rank(rank)
+	srv._superblock.Rank = new(ranklist.Rank)
+	*srv._superblock.Rank = ranklist.Rank(rank)
 }
 
 func TestServer_CtlSvc_PrepShutdownRanks(t *testing.T) {
diff --git a/src/control/server/instance_restart_test.go b/src/control/server/instance_restart_test.go
index ce219b3449f..d075f244143 100644
--- a/src/control/server/instance_restart_test.go
+++ b/src/control/server/instance_restart_test.go
@@ -60,7 +60,7 @@ func setupTestHarness(t *testing.T, rankStr string, loggers ...logging.Logger) (
 	t.Helper()
 	log := getTestLogger(t, loggers)
 	harness := NewEngineHarness(log)
-	setupAddTestEngine(t, log, harness, false)
+	setupTestEngine(t, log, harness, false)
 
 	instances, err := harness.FilterInstancesByRankSet(rankStr)
 	if err != nil || len(instances) == 0 {
diff --git a/src/control/server/server_utils_test.go b/src/control/server/server_utils_test.go
index 572ddce1ef6..110553b44f7 100644
--- a/src/control/server/server_utils_test.go
+++ b/src/control/server/server_utils_test.go
@@ -1997,7 +1997,7 @@ const (
 	testProcessingDelay    = 100 * time.Millisecond
 )
 
-func setupAddTestEngine(t *testing.T, log logging.Logger, h *EngineHarness, isRunning bool, ranks ...uint32) {
+func setupTestEngine(t *testing.T, log logging.Logger, h *EngineHarness, isRunning bool, ranks ...uint32) {
 	t.Helper()
 
 	rank := uint32(1)
@@ -2005,11 +2005,13 @@ func setupAddTestEngine(t *testing.T, log logging.Logger, h *EngineHarness, isRu
 		rank = ranks[0]
 	}
 
-	ei := newTestEngine(log, false, storage.MockProvider(log, 0, nil, nil, nil, nil, nil))
-
-	setupTestEngine(t, ei, 0, rank, isRunning)
-
-	if err := h.AddInstance(ei); err != nil {
+	e := newTestEngine(log, false, storage.MockProvider(log, 0, nil, nil, nil, nil, nil))
+	e._superblock.Rank = ranklist.NewRankPtr(rank)
+	rCfg := &engine.TestRunnerConfig{}
+	rCfg.Running.Store(isRunning)
+	e.runner = engine.NewTestRunner(rCfg, engine.MockConfig())
+	e.ready.Store(isRunning)
+	if err := h.AddInstance(e); err != nil {
 		t.Fatal(err)
 	}
 }
@@ -2039,7 +2041,7 @@ func TestServer_handleEngineSelfTerminated(t *testing.T) {
 				Timestamp:   validTimestamp,
 			}).WithForwarded(true),
 			setupEngines: func(t *testing.T, log logging.Logger, h *EngineHarness) {
-				setupAddTestEngine(t, log, h, false)
+				setupTestEngine(t, log, h, false)
 			},
 			serverHostname:      testHostname,
 			expRestartRequested: false,
@@ -2054,7 +2056,7 @@ func TestServer_handleEngineSelfTerminated(t *testing.T) {
 				Timestamp:   validTimestamp,
 			},
 			setupEngines: func(t *testing.T, log logging.Logger, h *EngineHarness) {
-				setupAddTestEngine(t, log, h, false)
+				setupTestEngine(t, log, h, false)
 			},
 			serverHostname:      testHostname,
 			expRestartRequested: false,
@@ -2069,7 +2071,7 @@ func TestServer_handleEngineSelfTerminated(t *testing.T) {
 				Timestamp:   validTimestamp,
 			},
 			setupEngines: func(t *testing.T, log logging.Logger, h *EngineHarness) {
-				setupAddTestEngine(t, log, h, false)
+				setupTestEngine(t, log, h, false)
 			},
 			disableEngineAutoRestart: true,
 			expRestartRequested:      false,
@@ -2144,7 +2146,7 @@ func TestServer_handleEngineSelfTerminated(t *testing.T) {
 				Timestamp:   validTimestamp,
 			},
 			setupEngines: func(t *testing.T, log logging.Logger, h *EngineHarness) {
-				setupAddTestEngine(t, log, h, false)
+				setupTestEngine(t, log, h, false)
 			},
 			expRestartRequested: true,
 			expLogContains: []string{
@@ -2161,7 +2163,7 @@ func TestServer_handleEngineSelfTerminated(t *testing.T) {
 				Timestamp:   validTimestamp,
 			},
 			setupEngines: func(t *testing.T, log logging.Logger, h *EngineHarness) {
-				setupAddTestEngine(t, log, h, true)
+				setupTestEngine(t, log, h, true)
 			},
 			expRestartRequested: false,
 			expLogContains: []string{
@@ -2178,7 +2180,7 @@ func TestServer_handleEngineSelfTerminated(t *testing.T) {
 			},
 			setupEngines: func(t *testing.T, log logging.Logger, h *EngineHarness) {
 				for i := 0; i < 3; i++ {
-					setupAddTestEngine(t, log, h, false, uint32(i))
+					setupTestEngine(t, log, h, false, uint32(i))
 				}
 			},
 			expRestartRequested: true,
@@ -2285,7 +2287,7 @@ func TestServer_handleEngineSelfTerminated_RateLimiting(t *testing.T) {
 	defer cancel()
 
 	harness := NewEngineHarness(log)
-	setupAddTestEngine(t, log, harness, false)
+	setupTestEngine(t, log, harness, false)
 
 	cfg := &config.Server{
 		DisableEngineAutoRestart:  false,

From 8d5a1dafd1a8a3acb8251d740f7508411764394a Mon Sep 17 00:00:00 2001
From: Tom Nabarro <thomas.nabarro@hpe.com>
Date: Thu, 7 May 2026 15:14:42 +0100
Subject: [PATCH 25/45] fix server package unit test helpers

Features: control
Signed-off-by: Tom Nabarro <thomas.nabarro@hpe.com>
---
 src/control/server/ctl_check_test.go        |  2 +-
 src/control/server/ctl_ranks_rpc_test.go    | 14 +++++------
 src/control/server/instance_restart_test.go |  2 +-
 src/control/server/server_utils_test.go     | 27 +++++++++------------
 4 files changed, 20 insertions(+), 25 deletions(-)

diff --git a/src/control/server/ctl_check_test.go b/src/control/server/ctl_check_test.go
index 1a998e6eca9..ab766988378 100644
--- a/src/control/server/ctl_check_test.go
+++ b/src/control/server/ctl_check_test.go
@@ -116,7 +116,7 @@ func TestServer_ControlService_CheckEngineRepair(t *testing.T) {
 					t.Fatalf("setup error - wrong type for Engine (%T)", e)
 				}
 
-				setupTestEngine(t, srv, uint32(i), rankNums[i])
+				setupTestEngine(t, srv, rankNums[i])
 
 				drpcCfg := new(mockDrpcClientConfig)
 				drpcCfg.ConnectError = tc.drpcErr
diff --git a/src/control/server/ctl_ranks_rpc_test.go b/src/control/server/ctl_ranks_rpc_test.go
index 848618cfa21..8057325710f 100644
--- a/src/control/server/ctl_ranks_rpc_test.go
+++ b/src/control/server/ctl_ranks_rpc_test.go
@@ -76,17 +76,15 @@ func checkUnorderedRankResults(t *testing.T, expResults, gotResults []*sharedpb.
 	}
 }
 
-func setupTestEngine(t *testing.T, srv *EngineInstance, idx, rank uint32, stopped ...bool) {
+func setupTestEngine(t *testing.T, ei *EngineInstance, rank uint32, stopped ...bool) {
+	ei._superblock.Rank = ranklist.NewRankPtr(rank)
+
 	trc := &engine.TestRunnerConfig{}
 	if len(stopped) == 0 || !stopped[0] {
 		trc.Running.SetTrue()
-		srv.ready.SetTrue()
+		ei.ready.SetTrue()
 	}
-	srv.runner = engine.NewTestRunner(trc, engine.MockConfig())
-	srv.setIndex(idx)
-
-	srv._superblock.Rank = new(ranklist.Rank)
-	*srv._superblock.Rank = ranklist.Rank(rank)
+	ei.runner = engine.NewTestRunner(trc, engine.MockConfig())
 }
 
 func TestServer_CtlSvc_PrepShutdownRanks(t *testing.T) {
@@ -207,7 +205,7 @@ func TestServer_CtlSvc_PrepShutdownRanks(t *testing.T) {
 					continue
 				}
 
-				setupTestEngine(t, srv, uint32(i), uint32(i+1), tc.instancesStopped)
+				setupTestEngine(t, srv, uint32(i+1), tc.instancesStopped)
 
 				cfg := new(mockDrpcClientConfig)
 				if tc.drpcRet != nil {
diff --git a/src/control/server/instance_restart_test.go b/src/control/server/instance_restart_test.go
index d075f244143..ce219b3449f 100644
--- a/src/control/server/instance_restart_test.go
+++ b/src/control/server/instance_restart_test.go
@@ -60,7 +60,7 @@ func setupTestHarness(t *testing.T, rankStr string, loggers ...logging.Logger) (
 	t.Helper()
 	log := getTestLogger(t, loggers)
 	harness := NewEngineHarness(log)
-	setupTestEngine(t, log, harness, false)
+	setupAddTestEngine(t, log, harness, false)
 
 	instances, err := harness.FilterInstancesByRankSet(rankStr)
 	if err != nil || len(instances) == 0 {
diff --git a/src/control/server/server_utils_test.go b/src/control/server/server_utils_test.go
index 110553b44f7..1dc57554699 100644
--- a/src/control/server/server_utils_test.go
+++ b/src/control/server/server_utils_test.go
@@ -1997,7 +1997,7 @@ const (
 	testProcessingDelay    = 100 * time.Millisecond
 )
 
-func setupTestEngine(t *testing.T, log logging.Logger, h *EngineHarness, isRunning bool, ranks ...uint32) {
+func setupAddTestEngine(t *testing.T, log logging.Logger, h *EngineHarness, isRunning bool, ranks ...uint32) {
 	t.Helper()
 
 	rank := uint32(1)
@@ -2005,13 +2005,10 @@ func setupTestEngine(t *testing.T, log logging.Logger, h *EngineHarness, isRunni
 		rank = ranks[0]
 	}
 
-	e := newTestEngine(log, false, storage.MockProvider(log, 0, nil, nil, nil, nil, nil))
-	e._superblock.Rank = ranklist.NewRankPtr(rank)
-	rCfg := &engine.TestRunnerConfig{}
-	rCfg.Running.Store(isRunning)
-	e.runner = engine.NewTestRunner(rCfg, engine.MockConfig())
-	e.ready.Store(isRunning)
-	if err := h.AddInstance(e); err != nil {
+	ei := newTestEngine(log, false, storage.MockProvider(log, 0, nil, nil, nil, nil, nil))
+	setupTestEngine(t, ei, rank, !isRunning)
+
+	if err := h.AddInstance(ei); err != nil {
 		t.Fatal(err)
 	}
 }
@@ -2041,7 +2038,7 @@ func TestServer_handleEngineSelfTerminated(t *testing.T) {
 				Timestamp:   validTimestamp,
 			}).WithForwarded(true),
 			setupEngines: func(t *testing.T, log logging.Logger, h *EngineHarness) {
-				setupTestEngine(t, log, h, false)
+				setupAddTestEngine(t, log, h, false)
 			},
 			serverHostname:      testHostname,
 			expRestartRequested: false,
@@ -2056,7 +2053,7 @@ func TestServer_handleEngineSelfTerminated(t *testing.T) {
 				Timestamp:   validTimestamp,
 			},
 			setupEngines: func(t *testing.T, log logging.Logger, h *EngineHarness) {
-				setupTestEngine(t, log, h, false)
+				setupAddTestEngine(t, log, h, false)
 			},
 			serverHostname:      testHostname,
 			expRestartRequested: false,
@@ -2071,7 +2068,7 @@ func TestServer_handleEngineSelfTerminated(t *testing.T) {
 				Timestamp:   validTimestamp,
 			},
 			setupEngines: func(t *testing.T, log logging.Logger, h *EngineHarness) {
-				setupTestEngine(t, log, h, false)
+				setupAddTestEngine(t, log, h, false)
 			},
 			disableEngineAutoRestart: true,
 			expRestartRequested:      false,
@@ -2146,7 +2143,7 @@ func TestServer_handleEngineSelfTerminated(t *testing.T) {
 				Timestamp:   validTimestamp,
 			},
 			setupEngines: func(t *testing.T, log logging.Logger, h *EngineHarness) {
-				setupTestEngine(t, log, h, false)
+				setupAddTestEngine(t, log, h, false)
 			},
 			expRestartRequested: true,
 			expLogContains: []string{
@@ -2163,7 +2160,7 @@ func TestServer_handleEngineSelfTerminated(t *testing.T) {
 				Timestamp:   validTimestamp,
 			},
 			setupEngines: func(t *testing.T, log logging.Logger, h *EngineHarness) {
-				setupTestEngine(t, log, h, true)
+				setupAddTestEngine(t, log, h, true)
 			},
 			expRestartRequested: false,
 			expLogContains: []string{
@@ -2180,7 +2177,7 @@ func TestServer_handleEngineSelfTerminated(t *testing.T) {
 			},
 			setupEngines: func(t *testing.T, log logging.Logger, h *EngineHarness) {
 				for i := 0; i < 3; i++ {
-					setupTestEngine(t, log, h, false, uint32(i))
+					setupAddTestEngine(t, log, h, false, uint32(i))
 				}
 			},
 			expRestartRequested: true,
@@ -2287,7 +2284,7 @@ func TestServer_handleEngineSelfTerminated_RateLimiting(t *testing.T) {
 	defer cancel()
 
 	harness := NewEngineHarness(log)
-	setupTestEngine(t, log, harness, false)
+	setupAddTestEngine(t, log, harness, false)
 
 	cfg := &config.Server{
 		DisableEngineAutoRestart:  false,

From 4a2938fb4d0fc246437e05ef19057e380d5254b4 Mon Sep 17 00:00:00 2001
From: Tom Nabarro <thomas.nabarro@hpe.com>
Date: Thu, 7 May 2026 16:04:00 +0100
Subject: [PATCH 26/45] addressed review comments from kjacque pt1

Signed-off-by: Tom Nabarro <thomas.nabarro@hpe.com>
---
 src/control/server/ctl_ranks_rpc.go | 51 ++++++++++++-----------------
 src/control/server/server.go        | 33 ++++++-------------
 src/control/server/server_utils.go  |  8 +----
 3 files changed, 32 insertions(+), 60 deletions(-)

diff --git a/src/control/server/ctl_ranks_rpc.go b/src/control/server/ctl_ranks_rpc.go
index 539a48f16eb..18f9833af20 100644
--- a/src/control/server/ctl_ranks_rpc.go
+++ b/src/control/server/ctl_ranks_rpc.go
@@ -153,6 +153,21 @@ func (svc *ControlService) memberStateResults(instances []Engine, tgtState syste
 	return results, nil
 }
 
+// Clear restart history for manually stopped ranks on this server. This prevents rate-limiting
+// from interfering with manual operations and vice versa.
+func clearRankRestartHistory(mgr *engineRestartManager, instances []Engine) {
+	ranks := make([]ranklist.Rank, 0, len(instances))
+	for _, ei := range instances {
+		rank, err := ei.GetRank()
+		if err == nil {
+			ranks = append(ranks, rank)
+		}
+	}
+	if len(ranks) > 0 {
+		mgr.clearRankRestartHistory(ranks)
+	}
+}
+
 // StopRanks implements the method defined for the Management Service.
 //
 // Stop data-plane instance(s) managed by control-plane identified by unique
@@ -206,21 +221,9 @@ func (svc *ControlService) StopRanks(ctx context.Context, req *ctlpb.RanksReq) (
 		return nil, err
 	}
 
-	// Clear restart history for manually stopped ranks on this server
-	// This prevents rate-limiting from interfering with manual operations
-	// Note: instances already filtered by FilterInstancesByRankSet() to match req.GetRanks()
-	if svc.restartMgr != nil {
-		ranks := make([]ranklist.Rank, 0, len(instances))
-		for _, ei := range instances {
-			rank, err := ei.GetRank()
-			if err == nil {
-				ranks = append(ranks, rank)
-			}
-		}
-		if len(ranks) > 0 {
-			svc.restartMgr.clearRankRestartHistory(ranks)
-		}
-	}
+	// clearly state history for stopped ranks, instances have already been filtered by
+	// FilterInstancesByRankSet() to match req.GetRanks()
+	clearRankRestartHistory(svc.restartMgr, instances)
 
 	return resp, nil
 }
@@ -335,21 +338,9 @@ func (svc *ControlService) StartRanks(ctx context.Context, req *ctlpb.RanksReq)
 		return nil, err
 	}
 
-	// Clear restart history for manually started ranks on this server
-	// This prevents rate-limiting from interfering with manual operations
-	// Note: instances already filtered by FilterInstancesByRankSet() to match req.GetRanks()
-	if svc.restartMgr != nil {
-		ranks := make([]ranklist.Rank, 0, len(instances))
-		for _, ei := range instances {
-			rank, err := ei.GetRank()
-			if err == nil {
-				ranks = append(ranks, rank)
-			}
-		}
-		if len(ranks) > 0 {
-			svc.restartMgr.clearRankRestartHistory(ranks)
-		}
-	}
+	// clearly state history for started ranks, instances have already been filtered by
+	// FilterInstancesByRankSet() to match req.GetRanks()
+	clearRankRestartHistory(svc.restartMgr, instances)
 
 	return resp, nil
 }
diff --git a/src/control/server/server.go b/src/control/server/server.go
index 4a9f6020884..69fa0703a4d 100644
--- a/src/control/server/server.go
+++ b/src/control/server/server.go
@@ -31,7 +31,6 @@ import (
 	"github.com/daos-stack/daos/src/control/lib/hardware"
 	"github.com/daos-stack/daos/src/control/lib/hardware/defaults/network"
 	"github.com/daos-stack/daos/src/control/lib/hardware/defaults/topology"
-	"github.com/daos-stack/daos/src/control/lib/ranklist"
 	"github.com/daos-stack/daos/src/control/logging"
 	"github.com/daos-stack/daos/src/control/security"
 	"github.com/daos-stack/daos/src/control/server/config"
@@ -164,17 +163,11 @@ type server struct {
 	mgmtSvc       *mgmtSvc
 	grpcServer    *grpc.Server
 	controlClient *control.Client
+	restartMgr    *engineRestartManager
 
 	cbLock           sync.Mutex
 	onEnginesStarted []func(context.Context) error
 	onShutdown       []func()
-
-	restartMgr *engineRestartManager
-
-	// Deprecated: use restartMgr instead
-	rankRestartMu      sync.Mutex
-	rankRestartTimes   map[ranklist.Rank]time.Time
-	rankRestartPending map[ranklist.Rank]*time.Timer
 }
 
 func newServer(log logging.Logger, cfg *config.Server, faultDomain *system.FaultDomain) (*server, error) {
@@ -191,15 +184,13 @@ func newServer(log logging.Logger, cfg *config.Server, faultDomain *system.Fault
 	harness := NewEngineHarness(log).WithFaultDomain(faultDomain)
 
 	return &server{
-		log:                log,
-		cfg:                cfg,
-		hostname:           hostname,
-		runningUser:        cu,
-		faultDomain:        faultDomain,
-		harness:            harness,
-		restartMgr:         newEngineRestartManager(log, cfg),
-		rankRestartTimes:   make(map[ranklist.Rank]time.Time),
-		rankRestartPending: make(map[ranklist.Rank]*time.Timer),
+		log:         log,
+		cfg:         cfg,
+		hostname:    hostname,
+		runningUser: cu,
+		faultDomain: faultDomain,
+		harness:     harness,
+		restartMgr:  newEngineRestartManager(log, cfg),
 	}, nil
 }
 
@@ -296,9 +287,7 @@ func (srv *server) OnShutdown(fns ...func()) {
 
 func (srv *server) shutdown() {
 	// Stop the restart manager first
-	if srv.restartMgr != nil {
-		srv.restartMgr.stop()
-	}
+	srv.restartMgr.stop()
 
 	srv.cbLock.Lock()
 	onShutdownCbs := srv.onShutdown
@@ -424,9 +413,7 @@ func (srv *server) addEngines(ctx context.Context, smi *common.SysMemInfo) error
 		srv.log.Debug("engines have started")
 
 		// Start the restart manager
-		if srv.restartMgr != nil {
-			srv.restartMgr.start(ctx)
-		}
+		srv.restartMgr.start(ctx)
 
 		srv.cbLock.Lock()
 		onEnginesStartedCbs := srv.onEnginesStarted
diff --git a/src/control/server/server_utils.go b/src/control/server/server_utils.go
index e4f0eae061c..013944148e1 100644
--- a/src/control/server/server_utils.go
+++ b/src/control/server/server_utils.go
@@ -812,11 +812,6 @@ func handleEngineSelfTerminated(ctx context.Context, srv *server, evt *events.RA
 
 	rank := ranklist.Rank(evt.Rank)
 
-	if srv.restartMgr == nil {
-		return errors.Errorf("restart manager not initialized, cannot restart rank %d",
-			rank)
-	}
-
 	// Submit restart request to the restart manager
 	srv.restartMgr.requestRestart(rank, ei)
 
@@ -826,8 +821,7 @@ func handleEngineSelfTerminated(ctx context.Context, srv *server, evt *events.RA
 // subscribeEngineSelfTerminated creates a handler for engine self-termination events.
 func subscribeEngineSelfTerminated(srv *server) events.Handler {
 	return events.HandlerFunc(func(ctx context.Context, evt *events.RASEvent) {
-		switch evt.ID {
-		case events.RASEngineSelfTerminated:
+		if evt.ID == events.RASEngineSelfTerminated {
 			if err := handleEngineSelfTerminated(ctx, srv, evt); err != nil {
 				srv.log.Errorf("handleEngineSelfTerminated: %s", err)
 			}

From 049509cedbd3ebfa67b0bd4abc06a7fc3898abb0 Mon Sep 17 00:00:00 2001
From: Tom Nabarro <thomas.nabarro@hpe.com>
Date: Thu, 7 May 2026 21:37:06 +0100
Subject: [PATCH 27/45] allow restart manager to close and open again

Signed-off-by: Tom Nabarro <thomas.nabarro@hpe.com>
---
 src/control/server/instance_restart.go      | 18 +++++-
 src/control/server/instance_restart_test.go | 72 +++++++++++++++++++--
 2 files changed, 82 insertions(+), 8 deletions(-)

diff --git a/src/control/server/instance_restart.go b/src/control/server/instance_restart.go
index 28e91938e2d..4edfb36bafb 100644
--- a/src/control/server/instance_restart.go
+++ b/src/control/server/instance_restart.go
@@ -126,7 +126,7 @@ func (mgr *engineRestartManager) performRestart(ctx context.Context, rank rankli
 
 	// Record restart time and clear pending state on exit (deferred)
 	mgr.recordRestartTime(rank)
-	mgr.log.Noticef("recording rank %d", rank)
+	mgr.log.Debugf("recording rank %d", rank)
 }
 
 // processRestartRequest handles a single restart request with rate limiting.
@@ -173,6 +173,16 @@ func (mgr *engineRestartManager) requestRestart(rank ranklist.Rank, instance Eng
 
 // start begins processing restart requests.
 func (mgr *engineRestartManager) start(ctx context.Context) {
+	mgr.mu.Lock()
+	// Reinitialize channels if they were closed
+	if mgr.stopChan == nil {
+		mgr.stopChan = make(chan struct{})
+	}
+	if mgr.requestChan == nil {
+		mgr.requestChan = make(chan engineRestartRequest, engineRestartMaxQueueSz)
+	}
+	mgr.mu.Unlock()
+
 	mgr.log.Debug("engine restart manager started")
 	go func() {
 		for {
@@ -230,7 +240,11 @@ func (mgr *engineRestartManager) stop() {
 	}
 	mgr.pendingRestart = make(map[ranklist.Rank]*time.Timer)
 
-	close(mgr.stopChan)
+	// Close stopChan if it's open
+	if mgr.stopChan != nil {
+		close(mgr.stopChan)
+		mgr.stopChan = nil
+	}
 }
 
 // newEngineRestartManager creates a new restart manager.
diff --git a/src/control/server/instance_restart_test.go b/src/control/server/instance_restart_test.go
index ce219b3449f..5e7667cf30b 100644
--- a/src/control/server/instance_restart_test.go
+++ b/src/control/server/instance_restart_test.go
@@ -419,12 +419,72 @@ func TestServer_EngineRestartManager_Stop(t *testing.T) {
 			len(mgr.pendingRestart))
 	}
 
-	// Verify stopChan is closed
-	select {
-	case <-mgr.stopChan:
-		// Expected
-	default:
-		t.Error("stopChan should be closed")
+	// Verify stopChan is nil (cleaned up)
+	mgr.mu.RLock()
+	stopChanNil := mgr.stopChan == nil
+	mgr.mu.RUnlock()
+
+	if !stopChanNil {
+		t.Error("stopChan should be nil after stop")
+	}
+}
+
+func TestServer_EngineRestartManager_StopStartMultipleTimes(t *testing.T) {
+	ctx, cancel := context.WithTimeout(test.Context(t), 30*time.Second)
+	defer cancel()
+
+	instance, testRank := setupTestHarness(t, "1")
+	mgr := setupTestManager(t, &config.Server{
+		EngineAutoRestartMinDelay: 1,
+	})
+
+	// Test multiple stop/start cycles
+	for cycle := 1; cycle <= 3; cycle++ {
+		t.Logf("Starting cycle %d", cycle)
+
+		// Start the manager
+		mgr.start(ctx)
+
+		// Verify channels are initialized
+		if mgr.requestChan == nil {
+			t.Errorf("cycle %d: requestChan should be initialized after start", cycle)
+		}
+		if mgr.stopChan == nil {
+			t.Errorf("cycle %d: stopChan should be initialized after start", cycle)
+		}
+
+		startInstanceConsumer(ctx, instance)
+
+		// Submit a restart request
+		mgr.requestRestart(testRank, instance)
+
+		// Wait for restart to be processed
+		if !waitForRestartRecorded(ctx, t, mgr, testRank) {
+			t.Errorf("cycle %d: expected restart time to be recorded", cycle)
+		}
+
+		// Stop the manager
+		mgr.stop()
+
+		// Verify stopChan is closed/nil
+		mgr.mu.RLock()
+		stopChanNil := mgr.stopChan == nil
+		mgr.mu.RUnlock()
+
+		if !stopChanNil {
+			t.Errorf("cycle %d: stopChan should be nil after stop", cycle)
+		}
+
+		// Verify pending restarts are cleared
+		if len(mgr.pendingRestart) != 0 {
+			t.Errorf("cycle %d: expected pending restarts cleared, got %d",
+				cycle, len(mgr.pendingRestart))
+		}
+
+		// Clear the restart history for next cycle
+		delete(mgr.lastRestart, testRank)
+
+		t.Logf("Cycle %d completed successfully", cycle)
 	}
 }
 

From bd15522c203539d71553a25b25c6684f10f95067 Mon Sep 17 00:00:00 2001
From: Tom Nabarro <thomas.nabarro@hpe.com>
Date: Sat, 9 May 2026 10:59:11 +0100
Subject: [PATCH 28/45] Revert "allow restart manager to close and open again"

This reverts commit 049509cedbd3ebfa67b0bd4abc06a7fc3898abb0.
---
 src/control/server/instance_restart.go      | 18 +-----
 src/control/server/instance_restart_test.go | 72 ++-------------------
 2 files changed, 8 insertions(+), 82 deletions(-)

diff --git a/src/control/server/instance_restart.go b/src/control/server/instance_restart.go
index 4edfb36bafb..28e91938e2d 100644
--- a/src/control/server/instance_restart.go
+++ b/src/control/server/instance_restart.go
@@ -126,7 +126,7 @@ func (mgr *engineRestartManager) performRestart(ctx context.Context, rank rankli
 
 	// Record restart time and clear pending state on exit (deferred)
 	mgr.recordRestartTime(rank)
-	mgr.log.Debugf("recording rank %d", rank)
+	mgr.log.Noticef("recording rank %d", rank)
 }
 
 // processRestartRequest handles a single restart request with rate limiting.
@@ -173,16 +173,6 @@ func (mgr *engineRestartManager) requestRestart(rank ranklist.Rank, instance Eng
 
 // start begins processing restart requests.
 func (mgr *engineRestartManager) start(ctx context.Context) {
-	mgr.mu.Lock()
-	// Reinitialize channels if they were closed
-	if mgr.stopChan == nil {
-		mgr.stopChan = make(chan struct{})
-	}
-	if mgr.requestChan == nil {
-		mgr.requestChan = make(chan engineRestartRequest, engineRestartMaxQueueSz)
-	}
-	mgr.mu.Unlock()
-
 	mgr.log.Debug("engine restart manager started")
 	go func() {
 		for {
@@ -240,11 +230,7 @@ func (mgr *engineRestartManager) stop() {
 	}
 	mgr.pendingRestart = make(map[ranklist.Rank]*time.Timer)
 
-	// Close stopChan if it's open
-	if mgr.stopChan != nil {
-		close(mgr.stopChan)
-		mgr.stopChan = nil
-	}
+	close(mgr.stopChan)
 }
 
 // newEngineRestartManager creates a new restart manager.
diff --git a/src/control/server/instance_restart_test.go b/src/control/server/instance_restart_test.go
index 5e7667cf30b..ce219b3449f 100644
--- a/src/control/server/instance_restart_test.go
+++ b/src/control/server/instance_restart_test.go
@@ -419,72 +419,12 @@ func TestServer_EngineRestartManager_Stop(t *testing.T) {
 			len(mgr.pendingRestart))
 	}
 
-	// Verify stopChan is nil (cleaned up)
-	mgr.mu.RLock()
-	stopChanNil := mgr.stopChan == nil
-	mgr.mu.RUnlock()
-
-	if !stopChanNil {
-		t.Error("stopChan should be nil after stop")
-	}
-}
-
-func TestServer_EngineRestartManager_StopStartMultipleTimes(t *testing.T) {
-	ctx, cancel := context.WithTimeout(test.Context(t), 30*time.Second)
-	defer cancel()
-
-	instance, testRank := setupTestHarness(t, "1")
-	mgr := setupTestManager(t, &config.Server{
-		EngineAutoRestartMinDelay: 1,
-	})
-
-	// Test multiple stop/start cycles
-	for cycle := 1; cycle <= 3; cycle++ {
-		t.Logf("Starting cycle %d", cycle)
-
-		// Start the manager
-		mgr.start(ctx)
-
-		// Verify channels are initialized
-		if mgr.requestChan == nil {
-			t.Errorf("cycle %d: requestChan should be initialized after start", cycle)
-		}
-		if mgr.stopChan == nil {
-			t.Errorf("cycle %d: stopChan should be initialized after start", cycle)
-		}
-
-		startInstanceConsumer(ctx, instance)
-
-		// Submit a restart request
-		mgr.requestRestart(testRank, instance)
-
-		// Wait for restart to be processed
-		if !waitForRestartRecorded(ctx, t, mgr, testRank) {
-			t.Errorf("cycle %d: expected restart time to be recorded", cycle)
-		}
-
-		// Stop the manager
-		mgr.stop()
-
-		// Verify stopChan is closed/nil
-		mgr.mu.RLock()
-		stopChanNil := mgr.stopChan == nil
-		mgr.mu.RUnlock()
-
-		if !stopChanNil {
-			t.Errorf("cycle %d: stopChan should be nil after stop", cycle)
-		}
-
-		// Verify pending restarts are cleared
-		if len(mgr.pendingRestart) != 0 {
-			t.Errorf("cycle %d: expected pending restarts cleared, got %d",
-				cycle, len(mgr.pendingRestart))
-		}
-
-		// Clear the restart history for next cycle
-		delete(mgr.lastRestart, testRank)
-
-		t.Logf("Cycle %d completed successfully", cycle)
+	// Verify stopChan is closed
+	select {
+	case <-mgr.stopChan:
+		// Expected
+	default:
+		t.Error("stopChan should be closed")
 	}
 }
 

From 06f3f6e823f7af5d9620217bf9d3056a85346ab9 Mon Sep 17 00:00:00 2001
From: Tom Nabarro <thomas.nabarro@hpe.com>
Date: Mon, 11 May 2026 12:58:28 +0100
Subject: [PATCH 29/45] address some review comments from kjacque

Features: control full_regression
Signed-off-by: Tom Nabarro <thomas.nabarro@hpe.com>
---
 src/control/server/instance_restart_test.go | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/control/server/instance_restart_test.go b/src/control/server/instance_restart_test.go
index ce219b3449f..b93c47c68cd 100644
--- a/src/control/server/instance_restart_test.go
+++ b/src/control/server/instance_restart_test.go
@@ -484,7 +484,7 @@ func TestServer_EngineRestartManager_DeferredRestartExecutes(t *testing.T) {
 	}
 
 	// Wait for timer to fire (with buffer)
-	time.Sleep(10 * time.Second)
+	time.Sleep(5 * time.Second)
 
 	// Verify timer was cleaned up
 	mgr.mu.RLock()
@@ -600,7 +600,9 @@ func TestServer_NewEngineRestartManager(t *testing.T) {
 	cfg := &config.Server{
 		EngineAutoRestartMinDelay: 42,
 	}
-	mgr := setupTestManager(t, cfg)
+	ctx := test.MustLogContext(t)
+	log := logging.FromContext(ctx)
+	mgr := newEngineRestartManager(log, cfg)
 
 	if mgr.log == nil {
 		t.Error("expected logger to be set")

From 5feadfed0d39488a6d5942e9f5fef12c9ad076d8 Mon Sep 17 00:00:00 2001
From: Tom Nabarro <thomas.nabarro@hpe.com>
Date: Tue, 12 May 2026 12:30:42 +0100
Subject: [PATCH 30/45] comment one start/stop per process lifetime

Test-tag: pr control full_regression
Signed-off-by: Tom Nabarro <thomas.nabarro@hpe.com>
---
 src/control/server/instance_restart.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/control/server/instance_restart.go b/src/control/server/instance_restart.go
index 28e91938e2d..6526879db6b 100644
--- a/src/control/server/instance_restart.go
+++ b/src/control/server/instance_restart.go
@@ -171,7 +171,7 @@ func (mgr *engineRestartManager) requestRestart(rank ranklist.Rank, instance Eng
 	}
 }
 
-// start begins processing restart requests.
+// start begins processing restart requests. Function to be called once on server start-up.
 func (mgr *engineRestartManager) start(ctx context.Context) {
 	mgr.log.Debug("engine restart manager started")
 	go func() {
@@ -217,7 +217,7 @@ func (mgr *engineRestartManager) clearRankRestartHistory(ranks []ranklist.Rank)
 	}
 }
 
-// stop shuts down the restart manager.
+// stop shuts down the restart manager. Function to be called once on server shutdown.
 func (mgr *engineRestartManager) stop() {
 	mgr.log.Debug("stopping engine restart manager")
 	mgr.mu.Lock()

From 969c8375d85b066255088ff990b28309ac8b4719 Mon Sep 17 00:00:00 2001
From: Tom Nabarro <thomas.nabarro@hpe.com>
Date: Tue, 12 May 2026 21:36:59 +0100
Subject: [PATCH 31/45] address more review comments from kjacque

Signed-off-by: Tom Nabarro <thomas.nabarro@hpe.com>
---
 src/control/server/ctl_ranks_rpc.go         |  4 ++--
 src/control/server/instance_restart.go      |  4 ++--
 src/control/server/instance_restart_test.go | 10 +++++-----
 3 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/src/control/server/ctl_ranks_rpc.go b/src/control/server/ctl_ranks_rpc.go
index 18f9833af20..5fcb092f3ea 100644
--- a/src/control/server/ctl_ranks_rpc.go
+++ b/src/control/server/ctl_ranks_rpc.go
@@ -221,7 +221,7 @@ func (svc *ControlService) StopRanks(ctx context.Context, req *ctlpb.RanksReq) (
 		return nil, err
 	}
 
-	// clearly state history for stopped ranks, instances have already been filtered by
+	// clear state history for stopped ranks, instances have already been filtered by
 	// FilterInstancesByRankSet() to match req.GetRanks()
 	clearRankRestartHistory(svc.restartMgr, instances)
 
@@ -338,7 +338,7 @@ func (svc *ControlService) StartRanks(ctx context.Context, req *ctlpb.RanksReq)
 		return nil, err
 	}
 
-	// clearly state history for started ranks, instances have already been filtered by
+	// clear state history for started ranks, instances have already been filtered by
 	// FilterInstancesByRankSet() to match req.GetRanks()
 	clearRankRestartHistory(svc.restartMgr, instances)
 
diff --git a/src/control/server/instance_restart.go b/src/control/server/instance_restart.go
index 6526879db6b..a47605fdc0d 100644
--- a/src/control/server/instance_restart.go
+++ b/src/control/server/instance_restart.go
@@ -121,12 +121,12 @@ func (mgr *engineRestartManager) performRestart(ctx context.Context, rank rankli
 		return
 	}
 
-	mgr.log.Noticef("restarting rank %d", rank)
+	mgr.log.Noticef("restart manager is restarting rank %d", rank)
 	instance.requestStart(ctx)
 
 	// Record restart time and clear pending state on exit (deferred)
 	mgr.recordRestartTime(rank)
-	mgr.log.Noticef("recording rank %d", rank)
+	mgr.log.Debugf("recording rank %d", rank)
 }
 
 // processRestartRequest handles a single restart request with rate limiting.
diff --git a/src/control/server/instance_restart_test.go b/src/control/server/instance_restart_test.go
index b93c47c68cd..689bacec53a 100644
--- a/src/control/server/instance_restart_test.go
+++ b/src/control/server/instance_restart_test.go
@@ -488,17 +488,17 @@ func TestServer_EngineRestartManager_DeferredRestartExecutes(t *testing.T) {
 
 	// Verify timer was cleaned up
 	mgr.mu.RLock()
-	_, stillPending := mgr.pendingRestart[testRank]
+	timer, exists = mgr.pendingRestart[testRank]
 	mgr.mu.RUnlock()
 
-	if stillPending {
-		t.Error("expected pending restart to be cleared after execution")
-	}
-
 	// Cleanup
 	if timer != nil {
 		timer.Stop()
 	}
+
+	if exists {
+		t.Error("expected pending restart to be cleared after execution")
+	}
 }
 
 func TestServer_EngineRestartManager_MultipleRanks(t *testing.T) {

From 835156b579bba5863c94fd4e16f10732898ada16 Mon Sep 17 00:00:00 2001
From: Tom Nabarro <thomas.nabarro@hpe.com>
Date: Tue, 12 May 2026 21:51:36 +0100
Subject: [PATCH 32/45] pylint fixes

Test-tag: pr control full_regression
Signed-off-by: Tom Nabarro <thomas.nabarro@hpe.com>
---
 src/tests/ftest/control/engine_auto_restart.py          | 6 +++---
 src/tests/ftest/control/engine_auto_restart_advanced.py | 2 +-
 src/tests/ftest/control/engine_auto_restart_disabled.py | 2 +-
 src/tests/ftest/util/control_test_base.py               | 2 +-
 src/tests/ftest/util/server_utils_params.py             | 6 +++---
 5 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/src/tests/ftest/control/engine_auto_restart.py b/src/tests/ftest/control/engine_auto_restart.py
index 4a606b1a31f..87dbb2fc5fc 100644
--- a/src/tests/ftest/control/engine_auto_restart.py
+++ b/src/tests/ftest/control/engine_auto_restart.py
@@ -24,7 +24,7 @@ def tearDown(self):
         # This ensures clean state between sequential tests
         try:
             self.reset_engine_restart_state()
-        except Exception as error:
+        except Exception as error:  # pylint: disable=broad-exception-caught
             self.log.error("Failed to reset engine restart state: %s", error)
             self.fail("tearDown failed to reset engine restart state: {}".format(error))
         finally:
@@ -138,9 +138,9 @@ def test_auto_restart_multiple_ranks(self):
         for idx, (old, new) in enumerate(zip(incs, end_incs)):
             actual_rank = test_ranks[idx]
             if new > old:
-                self.log.debug(f"Rank {actual_rank}: {old} -> {new} (restarted)")
+                self.log.debug("Rank %s: %s -> %s (restarted)", actual_rank, old, new)
             else:
-                self.log.debug(f"Rank {actual_rank}: {old} -> {new} (NOT restarted!)")
+                self.log.debug("Rank %s: %s -> %s (NOT restarted!)", actual_rank, old, new)
 
         # Verify all increased
         all_increased = all(a > b for b, a in zip(incs, end_incs))
diff --git a/src/tests/ftest/control/engine_auto_restart_advanced.py b/src/tests/ftest/control/engine_auto_restart_advanced.py
index edfa79f4980..5e6d567dd07 100644
--- a/src/tests/ftest/control/engine_auto_restart_advanced.py
+++ b/src/tests/ftest/control/engine_auto_restart_advanced.py
@@ -24,7 +24,7 @@ def tearDown(self):
         # This ensures clean state between sequential tests
         try:
             self.reset_engine_restart_state()
-        except Exception as error:
+        except Exception as error:  # pylint: disable=broad-exception-caught
             self.log.error("Failed to reset engine restart state: %s", error)
             self.fail("tearDown failed to reset engine restart state: {}".format(error))
         finally:
diff --git a/src/tests/ftest/control/engine_auto_restart_disabled.py b/src/tests/ftest/control/engine_auto_restart_disabled.py
index 1ae250d237b..9dc582b5e77 100644
--- a/src/tests/ftest/control/engine_auto_restart_disabled.py
+++ b/src/tests/ftest/control/engine_auto_restart_disabled.py
@@ -25,7 +25,7 @@ def tearDown(self):
         # This ensures clean state between sequential tests
         try:
             self.reset_engine_restart_state()
-        except Exception as error:
+        except Exception as error:  # pylint: disable=broad-exception-caught
             self.log.error("Failed to reset engine restart state: %s", error)
             self.fail("tearDown failed to reset engine restart state: {}".format(error))
         finally:
diff --git a/src/tests/ftest/util/control_test_base.py b/src/tests/ftest/util/control_test_base.py
index d8487028734..d77a0cbca7d 100644
--- a/src/tests/ftest/util/control_test_base.py
+++ b/src/tests/ftest/util/control_test_base.py
@@ -134,7 +134,7 @@ def exclude_rank_and_wait_restart(self, rank, timeout=30):
         self.log.info("Rank %s (%s) did not restart within %ss", rank, state, timeout)
         return (False, state)
 
-    def get_rank_incarnation(self, rank):
+    def get_rank_incarnation(self, rank):  # pylint: disable=too-many-return-statements
         """Get the incarnation number of a rank.
 
         The incarnation number increments each time a rank restarts, allowing
diff --git a/src/tests/ftest/util/server_utils_params.py b/src/tests/ftest/util/server_utils_params.py
index 814beb331ec..273026d94e7 100644
--- a/src/tests/ftest/util/server_utils_params.py
+++ b/src/tests/ftest/util/server_utils_params.py
@@ -57,7 +57,7 @@ def _get_new(self):
         return DaosServerTransportCredentials(self._log_dir)
 
 
-class DaosServerYamlParameters(YamlParameters):
+class DaosServerYamlParameters(YamlParameters):  # pylint: disable=too-many-instance-attributes
     """Defines the daos_server configuration yaml parameters."""
 
     def __init__(self, filename, common_yaml, version=None):
@@ -447,7 +447,7 @@ def _get_new(self):
         return ControlMetadataParameters(self.namespace)
 
 
-class EngineYamlParameters(YamlParameters):
+class EngineYamlParameters(YamlParameters):  # pylint: disable=too-many-instance-attributes
     """Defines the configuration yaml parameters for a single server engine."""
 
     # Engine environment variables that are required by provider type.
@@ -888,7 +888,7 @@ def _get_new(self):
         return StorageYamlParameters(self.namespace, self._max_tiers)
 
 
-class StorageTierYamlParameters(YamlParameters):
+class StorageTierYamlParameters(YamlParameters):  # pylint: disable=too-many-instance-attributes
     """Defines the configuration yaml parameters for each storage tier for an engine."""
 
     def __init__(self, base_namespace, tier):

From 95c061a7028403a84b9f91e400675821077ee1c4 Mon Sep 17 00:00:00 2001
From: Tom Nabarro <thomas.nabarro@hpe.com>
Date: Wed, 13 May 2026 10:17:18 +0100
Subject: [PATCH 33/45] using self.register_cleanup (#18240)

Signed-off-by: Dalton Bohning <dalton.bohning@hpe.com>
Co-authored-by: Dalton Bohning <dalton.bohning@hpe.com>
---
 src/tests/ftest/control/engine_auto_restart.py       | 12 ------------
 .../ftest/control/engine_auto_restart_advanced.py    | 12 ------------
 .../ftest/control/engine_auto_restart_disabled.py    | 12 ------------
 src/tests/ftest/util/control_test_base.py            |  3 +++
 4 files changed, 3 insertions(+), 36 deletions(-)

diff --git a/src/tests/ftest/control/engine_auto_restart.py b/src/tests/ftest/control/engine_auto_restart.py
index 87dbb2fc5fc..2601cf8b838 100644
--- a/src/tests/ftest/control/engine_auto_restart.py
+++ b/src/tests/ftest/control/engine_auto_restart.py
@@ -18,18 +18,6 @@ class EngineAutoRestartTest(ControlTestBase):
     :avocado: recursive
     """
 
-    def tearDown(self):
-        """Clean up after each test method."""
-        # Reset restart state for next test method
-        # This ensures clean state between sequential tests
-        try:
-            self.reset_engine_restart_state()
-        except Exception as error:  # pylint: disable=broad-exception-caught
-            self.log.error("Failed to reset engine restart state: %s", error)
-            self.fail("tearDown failed to reset engine restart state: {}".format(error))
-        finally:
-            super().tearDown()
-
     def test_auto_restart_basic(self):
         """Test basic automatic engine restart after self-termination.
 
diff --git a/src/tests/ftest/control/engine_auto_restart_advanced.py b/src/tests/ftest/control/engine_auto_restart_advanced.py
index 5e6d567dd07..7a04432261b 100644
--- a/src/tests/ftest/control/engine_auto_restart_advanced.py
+++ b/src/tests/ftest/control/engine_auto_restart_advanced.py
@@ -18,18 +18,6 @@ class EngineAutoRestartAdvanced(ControlTestBase):
     :avocado: recursive
     """
 
-    def tearDown(self):
-        """Clean up after each test method."""
-        # Reset restart state for next test method
-        # This ensures clean state between sequential tests
-        try:
-            self.reset_engine_restart_state()
-        except Exception as error:  # pylint: disable=broad-exception-caught
-            self.log.error("Failed to reset engine restart state: %s", error)
-            self.fail("tearDown failed to reset engine restart state: {}".format(error))
-        finally:
-            super().tearDown()
-
     def wait_for_rank_state(self, rank, expected_state, timeout=30, check_interval=2):
         """Wait for a rank to reach expected state.
 
diff --git a/src/tests/ftest/control/engine_auto_restart_disabled.py b/src/tests/ftest/control/engine_auto_restart_disabled.py
index 9dc582b5e77..0d238a1491d 100644
--- a/src/tests/ftest/control/engine_auto_restart_disabled.py
+++ b/src/tests/ftest/control/engine_auto_restart_disabled.py
@@ -19,18 +19,6 @@ class EngineAutoRestartDisabled(ControlTestBase):
     :avocado: recursive
     """
 
-    def tearDown(self):
-        """Clean up after each test method."""
-        # Reset restart state for next test method
-        # This ensures clean state between sequential tests
-        try:
-            self.reset_engine_restart_state()
-        except Exception as error:  # pylint: disable=broad-exception-caught
-            self.log.error("Failed to reset engine restart state: %s", error)
-            self.fail("tearDown failed to reset engine restart state: {}".format(error))
-        finally:
-            super().tearDown()
-
     def test_no_restart_when_disabled(self):
         """Test that engines do not automatically restart when feature is disabled.
 
diff --git a/src/tests/ftest/util/control_test_base.py b/src/tests/ftest/util/control_test_base.py
index d77a0cbca7d..6b62a9b18ca 100644
--- a/src/tests/ftest/util/control_test_base.py
+++ b/src/tests/ftest/util/control_test_base.py
@@ -87,6 +87,9 @@ def exclude_rank_and_wait_restart(self, rank, timeout=30):
         Returns:
             tuple: (restarted, final_state) - whether rank restarted and its final state
         """
+        # Make sure we reset the restart state even if the test fails
+        self.register_cleanup(self.reset_engine_restart_state)
+
         self.log_step("Excluding rank %s", rank)
         self.dmg.system_exclude(ranks=[rank], rank_hosts=None)
 

From 9ab86a9f97e182995fd4163e22d0b3b24227b330 Mon Sep 17 00:00:00 2001
From: Tom Nabarro <thomas.nabarro@hpe.com>
Date: Wed, 13 May 2026 10:22:09 +0100
Subject: [PATCH 34/45] Apply suggestion from @daltonbohning

Co-authored-by: Dalton Bohning <dalton.bohning@hpe.com>
Signed-off-by: Tom Nabarro <thomas.nabarro@hpe.com>
---
 src/tests/ftest/control/engine_auto_restart.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/tests/ftest/control/engine_auto_restart.py b/src/tests/ftest/control/engine_auto_restart.py
index 2601cf8b838..79129b4a333 100644
--- a/src/tests/ftest/control/engine_auto_restart.py
+++ b/src/tests/ftest/control/engine_auto_restart.py
@@ -88,7 +88,7 @@ def test_auto_restart_multiple_ranks(self):
         num_to_test = max(2, len(all_ranks) // 2)
         test_ranks = self.random.sample(all_ranks, num_to_test)
 
-        self.log_step("Step 1: Excluding %s ranks: %s", (num_to_test, test_ranks))
+        self.log_step(f"Exclude {num_to_test} ranks: {test_ranks}")
 
         incs = []
         for rank in test_ranks:

From 1913fd936788997a08bb29334ab8e097a426d3c5 Mon Sep 17 00:00:00 2001
From: Tom Nabarro <thomas.nabarro@hpe.com>
Date: Wed, 13 May 2026 10:40:50 +0100
Subject: [PATCH 35/45] more ftest related review comment updates

Test-tag: hw,medium,dmg,control,engine_auto_restart
Signed-off-by: Tom Nabarro <thomas.nabarro@hpe.com>
---
 .../ftest/control/engine_auto_restart.py      | 20 +-----
 .../control/engine_auto_restart_advanced.py   |  9 +--
 .../control/engine_auto_restart_disabled.py   |  4 +-
 src/tests/ftest/util/control_test_base.py     | 63 ++++++++-----------
 4 files changed, 33 insertions(+), 63 deletions(-)

diff --git a/src/tests/ftest/control/engine_auto_restart.py b/src/tests/ftest/control/engine_auto_restart.py
index 79129b4a333..dc5c1a12efc 100644
--- a/src/tests/ftest/control/engine_auto_restart.py
+++ b/src/tests/ftest/control/engine_auto_restart.py
@@ -33,7 +33,7 @@ def test_auto_restart_basic(self):
         """
         all_ranks = self.get_all_ranks()
         if len(all_ranks) < 2:
-            self.skipTest("Test requires at least 2 ranks")
+            self.fail("Test requires at least 2 ranks")
 
         test_rank = self.random.choice(all_ranks)
 
@@ -41,21 +41,16 @@ def test_auto_restart_basic(self):
 
         # get initial incarnation number
         initial_incarnation = self.get_rank_incarnation(test_rank)
-        if initial_incarnation is None:
-            self.fail(f"failed to get initial incarnation for rank {test_rank}")
 
         self.log.info("rank %s initial incarnation: %s", test_rank, initial_incarnation)
 
         restarted, final_state = self.exclude_rank_and_wait_restart(test_rank)
-
         if not restarted:
             self.fail(f"rank {test_rank} did not automatically restart. "
                       f"final state: {final_state}")
 
         # verify incarnation increased after restart
         final_incarnation = self.get_rank_incarnation(test_rank)
-        if final_incarnation is None:
-            self.fail(f"failed to get final incarnation for rank {test_rank}")
 
         self.log.info("rank %s final incarnation: %s", test_rank, final_incarnation)
 
@@ -82,7 +77,7 @@ def test_auto_restart_multiple_ranks(self):
         """
         all_ranks = self.get_all_ranks()
         if len(all_ranks) < 3:
-            self.skipTest("Test requires at least 3 ranks")
+            self.fail("Test requires at least 3 ranks")
 
         # Exclude half the ranks
         num_to_test = max(2, len(all_ranks) // 2)
@@ -93,8 +88,6 @@ def test_auto_restart_multiple_ranks(self):
         incs = []
         for rank in test_ranks:
             initial_incarnation = self.get_rank_incarnation(rank)
-            if initial_incarnation is None:
-                self.fail(f"failed to get initial incarnation for rank {rank}")
             incs.append(initial_incarnation)
             self.dmg.system_exclude(ranks=[rank], rank_hosts=None)
             time.sleep(1)  # small delay between exclusions
@@ -115,8 +108,6 @@ def test_auto_restart_multiple_ranks(self):
                 errors.append("Rank %s unexpectedly not restarted when auto-restart enabled"
                               % rank)
             end_incarnation = self.get_rank_incarnation(rank)
-            if end_incarnation is None:
-                self.fail(f"failed to get end incarnation for rank {rank}")
             end_incs.append(end_incarnation)
 
         if errors:
@@ -153,7 +144,7 @@ def test_auto_restart_with_pool(self):
         """
         all_ranks = self.get_all_ranks()
         if len(all_ranks) < 4:
-            self.skipTest("Test requires at least 4 ranks")
+            self.fail("Test requires at least 4 ranks")
 
         # Create pool first
         self.add_pool(connect=False)
@@ -164,18 +155,13 @@ def test_auto_restart_with_pool(self):
 
         # Get initial incarnation
         initial_incarnation = self.get_rank_incarnation(test_rank)
-        if initial_incarnation is None:
-            self.fail(f"Failed to get initial incarnation for rank {test_rank}")
 
         restarted, final_state = self.exclude_rank_and_wait_restart(test_rank)
-
         if not restarted:
             self.fail(f"Rank {test_rank} did not restart. State: {final_state}")
 
         # Verify incarnation increased
         final_incarnation = self.get_rank_incarnation(test_rank)
-        if final_incarnation is None:
-            self.fail(f"Failed to get final incarnation for rank {test_rank}")
 
         if final_incarnation <= initial_incarnation:
             self.fail(f"Rank {test_rank} incarnation did not increase. "
diff --git a/src/tests/ftest/control/engine_auto_restart_advanced.py b/src/tests/ftest/control/engine_auto_restart_advanced.py
index 7a04432261b..23d764dd601 100644
--- a/src/tests/ftest/control/engine_auto_restart_advanced.py
+++ b/src/tests/ftest/control/engine_auto_restart_advanced.py
@@ -74,7 +74,7 @@ def test_deferred_restart(self):
 
         all_ranks = self.get_all_ranks()
         if len(all_ranks) < 2:
-            self.skipTest("Test requires at least 2 ranks")
+            self.fail("Test requires at least 2 ranks")
 
         test_rank = self.random.choice(all_ranks)
 
@@ -82,19 +82,14 @@ def test_deferred_restart(self):
 
         # Get initial incarnation
         initial_incarnation = self.get_rank_incarnation(test_rank)
-        if initial_incarnation is None:
-            self.fail(f"Failed to get initial incarnation for rank {test_rank}")
 
         restarted, final_state = self.exclude_rank_and_wait_restart(test_rank)
-
         if not restarted:
             self.fail(f"Rank {test_rank} did not automatically restart. "
                       f"Final state: {final_state}")
 
         # Verify incarnation increased
         first_restart_incarnation = self.get_rank_incarnation(test_rank)
-        if first_restart_incarnation is None:
-            self.fail(f"Failed to get incarnation after first restart for rank {test_rank}")
 
         if first_restart_incarnation <= initial_incarnation:
             self.fail(f"Rank {test_rank} incarnation did not increase after first restart. "
@@ -124,8 +119,6 @@ def test_deferred_restart(self):
 
         # Verify incarnation increased again after deferred restart
         deferred_restart_incarnation = self.get_rank_incarnation(test_rank)
-        if deferred_restart_incarnation is None:
-            self.fail(f"Failed to get incarnation after deferred restart for rank {test_rank}")
 
         if deferred_restart_incarnation <= first_restart_incarnation:
             self.fail(f"Rank {test_rank} incarnation did not increase after deferred restart. "
diff --git a/src/tests/ftest/control/engine_auto_restart_disabled.py b/src/tests/ftest/control/engine_auto_restart_disabled.py
index 0d238a1491d..34ba5d8bde2 100644
--- a/src/tests/ftest/control/engine_auto_restart_disabled.py
+++ b/src/tests/ftest/control/engine_auto_restart_disabled.py
@@ -38,7 +38,7 @@ def test_no_restart_when_disabled(self):
         """
         all_ranks = self.get_all_ranks()
         if len(all_ranks) < 2:
-            self.skipTest("Test requires at least 2 ranks")
+            self.fail("Test requires at least 2 ranks")
 
         test_rank = self.random.choice(all_ranks)
 
@@ -83,7 +83,7 @@ def test_multiple_ranks_no_restart(self):
         """
         all_ranks = self.get_all_ranks()
         if len(all_ranks) < 3:
-            self.skipTest("Test requires at least 3 ranks")
+            self.fail("Test requires at least 3 ranks")
 
         # Exclude half the ranks
         num_to_test = max(2, len(all_ranks) // 2)
diff --git a/src/tests/ftest/util/control_test_base.py b/src/tests/ftest/util/control_test_base.py
index 6b62a9b18ca..2f6e18e3bff 100644
--- a/src/tests/ftest/util/control_test_base.py
+++ b/src/tests/ftest/util/control_test_base.py
@@ -148,42 +148,36 @@ def get_rank_incarnation(self, rank):  # pylint: disable=too-many-return-stateme
             rank (int): Rank number
 
         Returns:
-            int: Current incarnation number of the rank, or None if not found
+            int: Current incarnation number of the rank
 
         Raises:
-            None - logs error and returns None on failure
+            Logs error and raises exception on failure
         """
-        try:
-            data = self.dmg.system_query(ranks=f"{rank}")
-            if data.get("status") != 0:
-                self.log.error("dmg system query failed for rank %s", rank)
-                return None
-
-            if "response" not in data or "members" not in data["response"]:
-                self.log.error("Invalid response from dmg system query for rank %s", rank)
-                return None
-
-            members = data["response"]["members"]
-            if not members:
-                self.log.error("No members returned from dmg system query for rank %s", rank)
-                return None
-
-            for member in members:
-                if member.get("rank") == rank:
-                    incarnation = member.get("incarnation")
-                    if incarnation is not None:
-                        self.log.debug("Rank %s incarnation: %s", rank, incarnation)
-                        return incarnation
-                    self.log.error("No incarnation field for rank %s", rank)
-                    return None
-
-            self.log.error("Rank %s not found in system query response", rank)
-            return None
-
-        except Exception as error:  # pylint: disable=broad-exception-caught
-            # Catch all exceptions to prevent test framework crashes during rank queries
-            self.log.error("Exception getting incarnation for rank %s: %s", rank, error)
-            return None
+        data = self.dmg.system_query(ranks=f"{rank}")
+        if data.get("status") != 0:
+            self.log.error("dmg system query failed for rank %s", rank)
+            raise Exception("dmg system query failed")
+
+        if "response" not in data or "members" not in data["response"]:
+            self.log.error("Invalid response from dmg system query for rank %s", rank)
+            raise Exception("dmg system query invalid response")
+
+        members = data["response"]["members"]
+        if not members:
+            self.log.error("No members returned from dmg system query for rank %s", rank)
+            raise Exception("dmg system query no members")
+
+        for member in members:
+            if member.get("rank") == rank:
+                incarnation = member.get("incarnation")
+                if incarnation is not None:
+                    self.log.debug("Rank %s incarnation: %s", rank, incarnation)
+                    return incarnation
+                self.log.error("No incarnation field for rank %s", rank)
+                raise Exception("dmg system query no incarnation for member")
+
+        self.log.error("Rank %s not found in system query response", rank)
+        raise Exception("dmg system query no matching member")
 
     def reset_engine_restart_state(self):
         """Reset engine auto-restart state between tests.
@@ -206,9 +200,6 @@ def reset_engine_restart_state(self):
             functionality. If this method fails, tearDown() should fail the test
             to prevent subsequent tests from running with contaminated state.
 
-        Raises:
-            Exception: If server stop/start fails or ranks fail to rejoin
-
         Note:
             This operation adds ~5-10 seconds per test due to server restart overhead,
             but is necessary to ensure test isolation and reliable results.

From 9dc146cb5708ea8b3a0c03c1e1b853002301ec91 Mon Sep 17 00:00:00 2001
From: Tom Nabarro <thomas.nabarro@hpe.com>
Date: Wed, 13 May 2026 12:51:11 +0100
Subject: [PATCH 36/45] f-string updates and remove step comments in log_step
 calls use CommandFailure exception for helpers and register cleanup in setUp
 for each test class

Test-tag: hw,medium,dmg,control,engine_auto_restart
Signed-off-by: Tom Nabarro <thomas.nabarro@hpe.com>
---
 .../ftest/control/engine_auto_restart.py      | 26 +++++++-----
 .../ftest/control/engine_auto_restart.yaml    |  2 +-
 .../control/engine_auto_restart_advanced.py   | 19 ++++++---
 .../control/engine_auto_restart_advanced.yaml |  2 +-
 .../control/engine_auto_restart_disabled.py   | 42 +++++++++++--------
 .../control/engine_auto_restart_disabled.yaml |  2 +-
 src/tests/ftest/util/control_test_base.py     | 36 +++++++---------
 7 files changed, 71 insertions(+), 58 deletions(-)

diff --git a/src/tests/ftest/control/engine_auto_restart.py b/src/tests/ftest/control/engine_auto_restart.py
index dc5c1a12efc..e2689ada126 100644
--- a/src/tests/ftest/control/engine_auto_restart.py
+++ b/src/tests/ftest/control/engine_auto_restart.py
@@ -18,6 +18,13 @@ class EngineAutoRestartTest(ControlTestBase):
     :avocado: recursive
     """
 
+    def setUp(self):
+        """Set up for engine_auto_restart tests"""
+        super().setUp()
+
+        # Make sure we reset the restart state even if the test fails
+        self.register_cleanup(self.reset_engine_restart_state)
+
     def test_auto_restart_basic(self):
         """Test basic automatic engine restart after self-termination.
 
@@ -37,7 +44,7 @@ def test_auto_restart_basic(self):
 
         test_rank = self.random.choice(all_ranks)
 
-        self.log_step("testing automatic restart of rank %s", test_rank)
+        self.log_step(f"testing automatic restart of rank {test_rank}")
 
         # get initial incarnation number
         initial_incarnation = self.get_rank_incarnation(test_rank)
@@ -93,20 +100,17 @@ def test_auto_restart_multiple_ranks(self):
             time.sleep(1)  # small delay between exclusions
             self.dmg.system_clear_exclude(ranks=[rank], rank_hosts=None)
 
-        # Step 3: Wait and verify all restart
+        # Wait and verify all restart
         wait_time = 35
-
-        self.log_step("Step 3: Waiting %ss to verify all automatically restart", wait_time)
-        time.sleep(wait_time)
+        self.log_step(f"Waiting {wait_time}s to verify all automatically restart")
 
         errors = []
         end_incs = []
         for rank in test_ranks:
             failed = self.server_managers[0].check_rank_state(
-                ranks=[rank], valid_states=["joined"], max_checks=1)
+                ranks=[rank], valid_states=["joined"], max_checks=wait_time)
             if failed:
-                errors.append("Rank %s unexpectedly not restarted when auto-restart enabled"
-                              % rank)
+                errors.append(f"Rank {rank} unexpectedly not restarted when auto-restart enabled")
             end_incarnation = self.get_rank_incarnation(rank)
             end_incs.append(end_incarnation)
 
@@ -147,11 +151,11 @@ def test_auto_restart_with_pool(self):
             self.fail("Test requires at least 4 ranks")
 
         # Create pool first
-        self.add_pool(connect=False)
+        pool = self.get_pool(connect=False)
 
         test_rank = all_ranks[-1]
 
-        self.log_step("Excluding non-service rank %s while pool is active", test_rank)
+        self.log_step(f"Excluding non-service rank {test_rank} while pool is active")
 
         # Get initial incarnation
         initial_incarnation = self.get_rank_incarnation(test_rank)
@@ -169,7 +173,7 @@ def test_auto_restart_with_pool(self):
 
         # Verify pool is still accessible
         self.log_step("Verifying pool is still accessible after rank restart")
-        self.pool.query()
+        pool.query()
 
         self.log.info("SUCCESS: Rank %s restarted (incarnation %s -> %s) and pool remains "
                       "accessible", test_rank, initial_incarnation, final_incarnation)
diff --git a/src/tests/ftest/control/engine_auto_restart.yaml b/src/tests/ftest/control/engine_auto_restart.yaml
index a0471f36e7d..abd52cd9ad0 100644
--- a/src/tests/ftest/control/engine_auto_restart.yaml
+++ b/src/tests/ftest/control/engine_auto_restart.yaml
@@ -1,5 +1,6 @@
 hosts:
   test_servers: 2
+timeout: 300
 server_config:
   name: daos_server
   engines_per_host: 2
@@ -22,4 +23,3 @@ server_config:
           scm_mount: /mnt/daos1
 pool:
   size: 2G
-timeout: 300
diff --git a/src/tests/ftest/control/engine_auto_restart_advanced.py b/src/tests/ftest/control/engine_auto_restart_advanced.py
index 23d764dd601..87c20959a2f 100644
--- a/src/tests/ftest/control/engine_auto_restart_advanced.py
+++ b/src/tests/ftest/control/engine_auto_restart_advanced.py
@@ -18,6 +18,13 @@ class EngineAutoRestartAdvanced(ControlTestBase):
     :avocado: recursive
     """
 
+    def setUp(self):
+        """Set up for engine_auto_restart_advanced tests"""
+        super().setUp()
+
+        # Make sure we reset the restart state even if the test fails
+        self.register_cleanup(self.reset_engine_restart_state)
+
     def wait_for_rank_state(self, rank, expected_state, timeout=30, check_interval=2):
         """Wait for a rank to reach expected state.
 
@@ -78,7 +85,7 @@ def test_deferred_restart(self):
 
         test_rank = self.random.choice(all_ranks)
 
-        self.log_step("Step 1: Automatic restart of rank %s", test_rank)
+        self.log_step(f"Automatic restart of rank {test_rank}")
 
         # Get initial incarnation
         initial_incarnation = self.get_rank_incarnation(test_rank)
@@ -100,19 +107,19 @@ def test_deferred_restart(self):
                       first_restart_time, initial_incarnation, first_restart_incarnation)
 
         # Second exclusion - should be deferred due to rate-limiting
-        self.log_step("Step 2: Second exclusion of rank %s (should be deferred)", test_rank)
+        self.log_step(f"Second exclusion of rank {test_rank} (should be deferred)")
 
         restarted, final_state = self.exclude_rank_and_wait_restart(test_rank,
                                                                     timeout=10)
 
         if restarted:
-            self.fail("Rank %s unexpectedly restarted. Final state: %s" % (test_rank, final_state))
+            self.fail(f"Rank {test_rank} unexpectedly restarted. Final state: {final_state}")
 
         self.log.info("Confirmed: Restart is deferred (rank still in excluded state)")
 
         # Wait for deferred restart to execute (after delay expires), add buffer
         wait_time = expected_delay + 5
-        self.log_step("Step 3: Waiting %ss for deferred restart to execute", wait_time)
+        self.log_step(f"Waiting {wait_time}s for deferred restart to execute")
 
         if not self.wait_for_rank_state(test_rank, "joined", timeout=wait_time):
             self.fail(f"Rank {test_rank} did not restart after rate-limit delay")
@@ -125,7 +132,7 @@ def test_deferred_restart(self):
                       f"After first: {first_restart_incarnation}, "
                       f"After deferred: {deferred_restart_incarnation}")
 
-        self.log_step("Step 4: Measure time between initial and deferred restarts")
+        self.log_step("Measure time between initial and deferred restarts")
         deferred_restart_time = time.time()
         actual_delay = deferred_restart_time - first_restart_time
 
@@ -134,7 +141,7 @@ def test_deferred_restart(self):
                       actual_delay, expected_delay,
                       first_restart_incarnation, deferred_restart_incarnation)
 
-        self.log_step("Step 5: Verify delay was approximately correct (80%% to 120%% of expected)")
+        self.log_step("Verify delay was approximately correct (80%% to 120%% of expected)")
         min_delay = expected_delay * 0.8
         max_delay = expected_delay * 1.2
 
diff --git a/src/tests/ftest/control/engine_auto_restart_advanced.yaml b/src/tests/ftest/control/engine_auto_restart_advanced.yaml
index 0367b56c025..baf9e429ffd 100644
--- a/src/tests/ftest/control/engine_auto_restart_advanced.yaml
+++ b/src/tests/ftest/control/engine_auto_restart_advanced.yaml
@@ -1,5 +1,6 @@
 hosts:
   test_servers: 1
+timeout: 400
 server_config:
   name: daos_server
   engines_per_host: 2
@@ -23,4 +24,3 @@ server_config:
           scm_mount: /mnt/daos1
 pool:
   size: 8G
-timeout: 400
diff --git a/src/tests/ftest/control/engine_auto_restart_disabled.py b/src/tests/ftest/control/engine_auto_restart_disabled.py
index 34ba5d8bde2..c89dfdcb78f 100644
--- a/src/tests/ftest/control/engine_auto_restart_disabled.py
+++ b/src/tests/ftest/control/engine_auto_restart_disabled.py
@@ -19,6 +19,13 @@ class EngineAutoRestartDisabled(ControlTestBase):
     :avocado: recursive
     """
 
+    def setUp(self):
+        """Set up for engine_auto_restart_disabled tests"""
+        super().setUp()
+
+        # Make sure we reset the restart state even if the test fails
+        self.register_cleanup(self.reset_engine_restart_state)
+
     def test_no_restart_when_disabled(self):
         """Test that engines do not automatically restart when feature is disabled.
 
@@ -42,24 +49,24 @@ def test_no_restart_when_disabled(self):
 
         test_rank = self.random.choice(all_ranks)
 
-        self.log_step("Step 1: Excluding rank %s (auto-restart is DISABLED)", test_rank)
+        self.log_step("Excluding rank {test_rank} (auto-restart is DISABLED)")
 
         restarted, _ = self.exclude_rank_and_wait_restart(test_rank, timeout=35)
 
         if restarted:
-            self.fail("Rank %s unexpectedly restarted when auto-restart disabled!" % test_rank)
+            self.fail("Rank {test_rank} unexpectedly restarted when auto-restart disabled!")
 
         self.log.info("Confirmed: Rank %s did NOT automatically restart (as expected)", test_rank)
 
-        # Step 4: Manually start the rank
-        self.log_step("Step 2: Manually starting rank %s", test_rank)
+        # Manually start the rank
+        self.log_step("Manually starting rank {test_rank}")
         self.dmg.system_start(ranks=f"{test_rank}")
 
         # Verify manual start succeeds
         failed_ranks = self.server_managers[0].check_rank_state(
             ranks=[test_rank], valid_states=["joined"], max_checks=15)
         if failed_ranks:
-            self.fail("Manual start of rank %s failed" % test_rank)
+            self.fail(f"Manual start of rank {test_rank} failed")
 
         self.log.info("SUCCESS: Rank %s stayed excluded when auto-restart disabled, and manual "
                       "start succeeded", test_rank)
@@ -89,26 +96,26 @@ def test_multiple_ranks_no_restart(self):
         num_to_test = max(2, len(all_ranks) // 2)
         test_ranks = self.random.sample(all_ranks, num_to_test)
 
-        self.log_step("Step 1: Excluding %s ranks: %s", (num_to_test, test_ranks))
+        self.log_step("Excluding {num_to_test} ranks: {test_ranks}")
 
         for rank in test_ranks:
             self.dmg.system_exclude(ranks=[rank], rank_hosts=None)
             time.sleep(1)  # Small delay between exclusions
 
-        # Step 2: Verify all reach adminexcluded state
-        self.log_step("Step 2: Verifying all ranks get excluded from system")
+        # Verify all reach adminexcluded state
+        self.log_step("Verifying all ranks get excluded from system")
         time.sleep(10)
 
         for rank in test_ranks:
             failed = self.server_managers[0].check_rank_state(
                 ranks=[rank], valid_states=["adminexcluded"], max_checks=5)
             if failed:
-                self.fail("Rank %s did not get excluded from system" % rank)
+                self.fail("Rank {rank} did not get excluded from system")
             self.dmg.system_clear_exclude(ranks=[rank], rank_hosts=None)
 
-        # Step 3: Wait and verify none restart
+        # Wait and verify none restart
         wait_time = 20
-        self.log_step("Step 3: Waiting %ss to verify no automatic restarts", wait_time)
+        self.log_step("Waiting {wait_time}s to verify no automatic restarts")
         time.sleep(wait_time)
 
         errors = []
@@ -116,29 +123,28 @@ def test_multiple_ranks_no_restart(self):
             failed = self.server_managers[0].check_rank_state(
                 ranks=[rank], valid_states=["excluded"], max_checks=1)
             if failed:
-                errors.append("Rank %s unexpectedly restarted when auto-restart disabled"
-                              % rank)
+                errors.append("Rank {rank} unexpectedly restarted when auto-restart disabled")
 
         if errors:
             self.fail("\n".join(errors))
 
         self.log.info("Confirmed: None of %s automatically restarted", test_ranks)
 
-        # Step 4: Manually restart all
-        self.log_step("Step 4: Manually restart ranks")
+        # Manually restart all
+        self.log_step("Manually restart ranks")
 
         for rank in test_ranks:
             self.dmg.system_start(ranks=f"{rank}")
 
-        # Step 5: Verify all rejoin
-        self.log_step("Step 5: Verifying all ranks successfully rejoin")
+        # Verify all rejoin
+        self.log_step("Verifying all ranks successfully rejoin")
         time.sleep(10)
 
         for rank in test_ranks:
             failed = self.server_managers[0].check_rank_state(
                 ranks=[rank], valid_states=["joined"], max_checks=10)
             if failed:
-                errors.append("Manual restart of rank %s failed" % rank)
+                errors.append(f"Manual restart of rank {rank} failed")
 
         report_errors(test=self, errors=errors)
 
diff --git a/src/tests/ftest/control/engine_auto_restart_disabled.yaml b/src/tests/ftest/control/engine_auto_restart_disabled.yaml
index d95257c5357..f19b896bba9 100644
--- a/src/tests/ftest/control/engine_auto_restart_disabled.yaml
+++ b/src/tests/ftest/control/engine_auto_restart_disabled.yaml
@@ -1,5 +1,6 @@
 hosts:
   test_servers: 2
+timeout: 300
 server_config:
   name: daos_server
   engines_per_host: 2
@@ -23,4 +24,3 @@ server_config:
           scm_mount: /mnt/daos1
 pool:
   size: 8G
-timeout: 300
diff --git a/src/tests/ftest/util/control_test_base.py b/src/tests/ftest/util/control_test_base.py
index 2f6e18e3bff..7d8e06e9d4d 100644
--- a/src/tests/ftest/util/control_test_base.py
+++ b/src/tests/ftest/util/control_test_base.py
@@ -8,6 +8,7 @@
 
 from apricot import TestWithServers
 from ClusterShell.NodeSet import NodeSet
+from exception_utils import CommandFailure
 
 
 class ControlTestBase(TestWithServers):
@@ -66,16 +67,15 @@ def get_rank_state(self, rank):
         Returns:
             str: Current state of the rank
         """
-        data = self.dmg.system_query(ranks="%s" % rank)
+        data = self.dmg.system_query(ranks=f"{rank}")
         if data["status"] != 0:
-            self.fail("Cmd dmg system query failed")
+            raise CommandFailure("dmg system query failed")
         if "response" in data and "members" in data["response"]:
             if data["response"]["members"] is None:
-                self.fail("No members returned from dmg system query")
+                raise CommandFailure("No members returned from dmg system query")
             for member in data["response"]["members"]:
                 return member["state"].lower()
-        self.fail("No member state returned from dmg system query")
-        return None
+        raise CommandFailure("No member state returned from dmg system query")
 
     def exclude_rank_and_wait_restart(self, rank, timeout=30):
         """Exclude a rank and wait for it to self-terminate and potentially restart.
@@ -87,36 +87,33 @@ def exclude_rank_and_wait_restart(self, rank, timeout=30):
         Returns:
             tuple: (restarted, final_state) - whether rank restarted and its final state
         """
-        # Make sure we reset the restart state even if the test fails
-        self.register_cleanup(self.reset_engine_restart_state)
-
-        self.log_step("Excluding rank %s", rank)
+        self.log_step(f"Excluding rank {rank}")
         self.dmg.system_exclude(ranks=[rank], rank_hosts=None)
 
         # Wait for rank to self-terminate (should go to AdminExcluded state)
-        self.log_step("Waiting for rank %s to self-terminate", rank)
+        self.log_step(f"Waiting for rank {rank} to self-terminate")
         time.sleep(2)
 
         # Check if rank is adminexcluded
         failed_ranks = self.server_managers[0].check_rank_state(
             ranks=[rank], valid_states=["adminexcluded"], max_checks=10)
         if failed_ranks:
-            self.fail("Rank %s did not reach AdminExcluded state after exclusion" % rank)
+            self.fail(f"Rank {rank} did not reach AdminExcluded state after exclusion")
 
         # After triggering rank exclusion with dmg system exclude, clear
         # AdminExcluded state so rank can join on auto-restart. This enables
         # mimic of rank exclusion via SWIM inactivity detection.
-        self.log_step("Clearing AdminExcluded state for rank %s", rank)
+        self.log_step(f"Clearing AdminExcluded state for rank {rank}")
         self.dmg.system_clear_exclude(ranks=[rank], rank_hosts=None)
 
         # Check if rank is excluded
         failed_ranks = self.server_managers[0].check_rank_state(
             ranks=[rank], valid_states=["excluded"], max_checks=10)
         if failed_ranks:
-            self.fail("Rank %s did not reach Excluded state after clear-excluded" % rank)
+            self.fail(f"Rank {rank} did not reach Excluded state after clear-excluded")
 
         # Wait for automatic restart (rank should go to Joined state)
-        self.log_step("Waiting for rank %s to automatically restart", rank)
+        self.log_step(f"Waiting for rank {rank} to automatically restart")
         start_time = time.time()
         restarted = False
 
@@ -156,16 +153,16 @@ def get_rank_incarnation(self, rank):  # pylint: disable=too-many-return-stateme
         data = self.dmg.system_query(ranks=f"{rank}")
         if data.get("status") != 0:
             self.log.error("dmg system query failed for rank %s", rank)
-            raise Exception("dmg system query failed")
+            raise CommandFailure("dmg system query failed")
 
         if "response" not in data or "members" not in data["response"]:
             self.log.error("Invalid response from dmg system query for rank %s", rank)
-            raise Exception("dmg system query invalid response")
+            raise CommandFailure("dmg system query invalid response")
 
         members = data["response"]["members"]
         if not members:
             self.log.error("No members returned from dmg system query for rank %s", rank)
-            raise Exception("dmg system query no members")
+            raise CommandFailure("dmg system query no members")
 
         for member in members:
             if member.get("rank") == rank:
@@ -174,10 +171,10 @@ def get_rank_incarnation(self, rank):  # pylint: disable=too-many-return-stateme
                     self.log.debug("Rank %s incarnation: %s", rank, incarnation)
                     return incarnation
                 self.log.error("No incarnation field for rank %s", rank)
-                raise Exception("dmg system query no incarnation for member")
+                raise CommandFailure("dmg system query no incarnation for member")
 
         self.log.error("Rank %s not found in system query response", rank)
-        raise Exception("dmg system query no matching member")
+        raise CommandFailure("dmg system query no matching member")
 
     def reset_engine_restart_state(self):
         """Reset engine auto-restart state between tests.
@@ -206,7 +203,6 @@ def reset_engine_restart_state(self):
         """
         self.log.info("Restarting servers to reset engine restart manager state")
         self.server_managers[0].system_stop()
-        time.sleep(2)
         self.server_managers[0].system_start()
 
         # Wait for all ranks to join

From 28e49052647bb9f97be4f20b4f83ae45e493d48c Mon Sep 17 00:00:00 2001
From: Tom Nabarro <thomas.nabarro@hpe.com>
Date: Wed, 13 May 2026 21:26:26 +0100
Subject: [PATCH 37/45] Update src/tests/ftest/control/engine_auto_restart.yaml

Co-authored-by: Dalton Bohning <dalton.bohning@hpe.com>
Signed-off-by: Tom Nabarro <thomas.nabarro@hpe.com>
---
 src/tests/ftest/control/engine_auto_restart.yaml | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/src/tests/ftest/control/engine_auto_restart.yaml b/src/tests/ftest/control/engine_auto_restart.yaml
index abd52cd9ad0..ddd35a39456 100644
--- a/src/tests/ftest/control/engine_auto_restart.yaml
+++ b/src/tests/ftest/control/engine_auto_restart.yaml
@@ -9,10 +9,7 @@ server_config:
       log_file: daos_server0.log
       targets: 4
       nr_xs_helpers: 0
-      storage:
-        0:
-          class: ram
-          scm_mount: /mnt/daos0
+      storage: auto
     1:
       log_file: daos_server1.log
       targets: 4

From 69c73275a71cc50a9671c36cfed296327609b7d3 Mon Sep 17 00:00:00 2001
From: Tom Nabarro <thomas.nabarro@hpe.com>
Date: Wed, 13 May 2026 21:26:58 +0100
Subject: [PATCH 38/45] Update
 src/tests/ftest/control/engine_auto_restart_disabled.yaml

Co-authored-by: Dalton Bohning <dalton.bohning@hpe.com>
Signed-off-by: Tom Nabarro <thomas.nabarro@hpe.com>
---
 src/tests/ftest/control/engine_auto_restart_disabled.yaml | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/src/tests/ftest/control/engine_auto_restart_disabled.yaml b/src/tests/ftest/control/engine_auto_restart_disabled.yaml
index f19b896bba9..c7f9f7e266f 100644
--- a/src/tests/ftest/control/engine_auto_restart_disabled.yaml
+++ b/src/tests/ftest/control/engine_auto_restart_disabled.yaml
@@ -18,9 +18,6 @@ server_config:
       log_file: daos_server1.log
       targets: 4
       nr_xs_helpers: 0
-      storage:
-        0:
-          class: ram
-          scm_mount: /mnt/daos1
+      storage: auto
 pool:
   size: 8G

From f1c54c9a94f84f9ddc53fbe0f9ae12b09ea91de2 Mon Sep 17 00:00:00 2001
From: Tom Nabarro <thomas.nabarro@hpe.com>
Date: Wed, 13 May 2026 21:27:32 +0100
Subject: [PATCH 39/45] Update
 src/tests/ftest/control/engine_auto_restart_disabled.yaml

Co-authored-by: Dalton Bohning <dalton.bohning@hpe.com>
Signed-off-by: Tom Nabarro <thomas.nabarro@hpe.com>
---
 src/tests/ftest/control/engine_auto_restart_disabled.yaml | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/src/tests/ftest/control/engine_auto_restart_disabled.yaml b/src/tests/ftest/control/engine_auto_restart_disabled.yaml
index c7f9f7e266f..c9534640f58 100644
--- a/src/tests/ftest/control/engine_auto_restart_disabled.yaml
+++ b/src/tests/ftest/control/engine_auto_restart_disabled.yaml
@@ -10,10 +10,7 @@ server_config:
       log_file: daos_server0.log
       targets: 4
       nr_xs_helpers: 0
-      storage:
-        0:
-          class: ram
-          scm_mount: /mnt/daos0
+      storage: auto
     1:
       log_file: daos_server1.log
       targets: 4

From 335590eb50a498d8e8013cecd1908fefb1751d9d Mon Sep 17 00:00:00 2001
From: Tom Nabarro <thomas.nabarro@hpe.com>
Date: Wed, 13 May 2026 21:27:57 +0100
Subject: [PATCH 40/45] Update
 src/tests/ftest/control/engine_auto_restart_advanced.yaml

Co-authored-by: Dalton Bohning <dalton.bohning@hpe.com>
Signed-off-by: Tom Nabarro <thomas.nabarro@hpe.com>
---
 src/tests/ftest/control/engine_auto_restart_advanced.yaml | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/src/tests/ftest/control/engine_auto_restart_advanced.yaml b/src/tests/ftest/control/engine_auto_restart_advanced.yaml
index baf9e429ffd..c168ee0f0d2 100644
--- a/src/tests/ftest/control/engine_auto_restart_advanced.yaml
+++ b/src/tests/ftest/control/engine_auto_restart_advanced.yaml
@@ -18,9 +18,6 @@ server_config:
       log_file: daos_server1.log
       targets: 4
       nr_xs_helpers: 0
-      storage:
-        0:
-          class: ram
-          scm_mount: /mnt/daos1
+      storage: auto
 pool:
   size: 8G

From 031e5afe14fa74f1f2f539346264614b018dfc2b Mon Sep 17 00:00:00 2001
From: Tom Nabarro <thomas.nabarro@hpe.com>
Date: Wed, 13 May 2026 21:28:22 +0100
Subject: [PATCH 41/45] Update
 src/tests/ftest/control/engine_auto_restart_disabled.py

Co-authored-by: Dalton Bohning <dalton.bohning@hpe.com>
Signed-off-by: Tom Nabarro <thomas.nabarro@hpe.com>
---
 src/tests/ftest/control/engine_auto_restart_disabled.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/tests/ftest/control/engine_auto_restart_disabled.py b/src/tests/ftest/control/engine_auto_restart_disabled.py
index c89dfdcb78f..dc17235680e 100644
--- a/src/tests/ftest/control/engine_auto_restart_disabled.py
+++ b/src/tests/ftest/control/engine_auto_restart_disabled.py
@@ -134,7 +134,7 @@ def test_multiple_ranks_no_restart(self):
         self.log_step("Manually restart ranks")
 
         for rank in test_ranks:
-            self.dmg.system_start(ranks=f"{rank}")
+            self.dmg.system_start(ranks=rank)
 
         # Verify all rejoin
         self.log_step("Verifying all ranks successfully rejoin")

From d6b79938994b8aecdc0c61490a30b20426e63d42 Mon Sep 17 00:00:00 2001
From: Tom Nabarro <thomas.nabarro@hpe.com>
Date: Wed, 13 May 2026 21:29:40 +0100
Subject: [PATCH 42/45] Update src/tests/ftest/control/engine_auto_restart.yaml

Co-authored-by: Dalton Bohning <dalton.bohning@hpe.com>
Signed-off-by: Tom Nabarro <thomas.nabarro@hpe.com>
---
 src/tests/ftest/control/engine_auto_restart.yaml | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/src/tests/ftest/control/engine_auto_restart.yaml b/src/tests/ftest/control/engine_auto_restart.yaml
index ddd35a39456..24a512d1c2b 100644
--- a/src/tests/ftest/control/engine_auto_restart.yaml
+++ b/src/tests/ftest/control/engine_auto_restart.yaml
@@ -14,9 +14,6 @@ server_config:
       log_file: daos_server1.log
       targets: 4
       nr_xs_helpers: 0
-      storage:
-        0:
-          class: ram
-          scm_mount: /mnt/daos1
+      storage: auto
 pool:
   size: 2G

From de28a9f11b947965d739910f50ccb6f42c3c5599 Mon Sep 17 00:00:00 2001
From: Tom Nabarro <thomas.nabarro@hpe.com>
Date: Wed, 13 May 2026 21:30:37 +0100
Subject: [PATCH 43/45] Update
 src/tests/ftest/control/engine_auto_restart_advanced.yaml

Co-authored-by: Dalton Bohning <dalton.bohning@hpe.com>
Signed-off-by: Tom Nabarro <thomas.nabarro@hpe.com>
---
 src/tests/ftest/control/engine_auto_restart_advanced.yaml | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/src/tests/ftest/control/engine_auto_restart_advanced.yaml b/src/tests/ftest/control/engine_auto_restart_advanced.yaml
index c168ee0f0d2..0b0b3045d17 100644
--- a/src/tests/ftest/control/engine_auto_restart_advanced.yaml
+++ b/src/tests/ftest/control/engine_auto_restart_advanced.yaml
@@ -10,10 +10,7 @@ server_config:
       log_file: daos_server0.log
       targets: 4
       nr_xs_helpers: 0
-      storage:
-        0:
-          class: ram
-          scm_mount: /mnt/daos0
+      storage: auto
     1:
       log_file: daos_server1.log
       targets: 4

From 42441e3a895616dde77e82b9c9e757e3e2e91c04 Mon Sep 17 00:00:00 2001
From: Tom Nabarro <thomas.nabarro@hpe.com>
Date: Wed, 13 May 2026 21:31:28 +0100
Subject: [PATCH 44/45] Update
 src/tests/ftest/control/engine_auto_restart_disabled.py

Co-authored-by: Dalton Bohning <dalton.bohning@hpe.com>
Signed-off-by: Tom Nabarro <thomas.nabarro@hpe.com>
---
 src/tests/ftest/control/engine_auto_restart_disabled.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/tests/ftest/control/engine_auto_restart_disabled.py b/src/tests/ftest/control/engine_auto_restart_disabled.py
index dc17235680e..f1a52803a4c 100644
--- a/src/tests/ftest/control/engine_auto_restart_disabled.py
+++ b/src/tests/ftest/control/engine_auto_restart_disabled.py
@@ -60,7 +60,7 @@ def test_no_restart_when_disabled(self):
 
         # Manually start the rank
         self.log_step("Manually starting rank {test_rank}")
-        self.dmg.system_start(ranks=f"{test_rank}")
+        self.dmg.system_start(ranks=test_rank)
 
         # Verify manual start succeeds
         failed_ranks = self.server_managers[0].check_rank_state(

From 8c14077f9042da903327d9edc82b3c8a2a746984 Mon Sep 17 00:00:00 2001
From: Tom Nabarro <thomas.nabarro@hpe.com>
Date: Wed, 13 May 2026 21:58:57 +0100
Subject: [PATCH 45/45] fail if delay > 200% of expected

Test-tag: hw,medium,dmg,control,engine_auto_restart pr
Signed-off-by: Tom Nabarro <thomas.nabarro@hpe.com>
---
 src/tests/ftest/control/engine_auto_restart_advanced.py | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/src/tests/ftest/control/engine_auto_restart_advanced.py b/src/tests/ftest/control/engine_auto_restart_advanced.py
index 87c20959a2f..bc902be5e89 100644
--- a/src/tests/ftest/control/engine_auto_restart_advanced.py
+++ b/src/tests/ftest/control/engine_auto_restart_advanced.py
@@ -141,16 +141,14 @@ def test_deferred_restart(self):
                       actual_delay, expected_delay,
                       first_restart_incarnation, deferred_restart_incarnation)
 
-        self.log_step("Verify delay was approximately correct (80%% to 120%% of expected)")
+        self.log_step("Verify delay was approximately correct (80%% to 200%% of expected)")
         min_delay = expected_delay * 0.8
-        max_delay = expected_delay * 1.2
+        max_delay = expected_delay * 2.0
 
         if actual_delay < min_delay:
             self.fail(f"Restart too early: {actual_delay:.1f}s < {min_delay:.1f}s")
         elif actual_delay > max_delay:
-            self.log.warning("Restart delayed beyond expected: %.1fs > %.1fs "
-                             "(may be acceptable depending on system load)",
-                             actual_delay, max_delay)
+            self.fail(f"Restart too late: {actual_delay:.1f}s > {max_delay:.1f}s")
         else:
             self.log.info("SUCCESS: Restart delay within expected range [%.1fs, %.1fs]",
                           min_delay, max_delay)