feat: add initial ARM64 (aarch64) architecture support

[tomassrnka]

Summary

Adds ARM64/aarch64 architecture support to the E2B infrastructure, enabling builds and sandbox execution on Apple Silicon and other ARM64 hosts (via Lima VM + nested KVM).

Changes by commit:

1. Makefiles — Replace hardcoded GOARCH=amd64 and --platform linux/amd64 with $(shell go env GOARCH) across all 4 service Makefiles
2. Go runtime detection — Disable SMT on ARM64 (not supported), use runtime.GOARCH for OCI image platform, add ARM64 fallback for CPU detection (gopsutil doesn't populate Family/Model on ARM)
3. Provision script — Make chattr calls non-fatal (|| true) for busybox versions that lack it
4. create-build — Arch-aware Firecracker and kernel download URLs (tries arm64/ subdirectory first, falls back to generic), E2B_BASE_IMAGE env var for base image override
5. fetch-busybox — Makefile target to swap the embedded x86 busybox binary with the system's ARM64 busybox-static before compilation

Related PRs:

• fc-kernels: ARM64 kernel build support

Test plan

• Build orchestrator, envd, API, and client-proxy natively on ARM64 Linux
• Run make fetch-busybox on ARM64 host to swap busybox binary
• Template build succeeds with create-build on ARM64
• Sandbox create/exec/delete works on ARM64 (Lima VM + KVM)
• Verify uname -m in sandbox returns aarch64
• Confirm no regression on x86_64 builds (all changes are backwards compatible)

🤖 Generated with Claude Code

---

Note

Medium Risk
Touches orchestrator sandbox/runtime path resolution, Firecracker/kernel fetching, and OCI image platform selection, which can affect build/sandbox startup on both architectures. Changes are mostly additive with legacy fallbacks and added tests, but failures would impact infra execution paths.

Overview
Adds initial ARM64 support end-to-end by introducing ARM64 PR CI coverage and a runner bootstrap script, making service builds and Docker publishing architecture-aware, and teaching the orchestrator to resolve/pull arch-specific kernels, Firecracker binaries, and OCI images via a normalized TARGET_ARCH (with legacy fallback paths). It also hardens several concurrency- and environment-sensitive tests/paths (e.g., hugepage allocation skipping, Connect response reuse, NBD goroutine captures, cleaner statting) and disables SMT plus CPU family/model strictness on ARM64 to match platform constraints.

^{Written by Cursor Bugbot for commit c9e9314. This will update automatically on new commits. Configure here.}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 589a0596cb

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[jakubno]

let's make it cleaner

Suggested change

	// On ARM64, gopsutil doesn't populate Family/Model from /proc/cpuinfo.
	// Provide fallback values so callers don't get an error.
	if (family == "" || model == "") && runtime.GOARCH == "arm64" {
	if family == "" {
	family = "arm64"
	}
	if model == "" {
	model = "0"
	}
	} else if family == "" || model == "" {
	// On ARM64, gopsutil doesn't populate Family/Model from /proc/cpuinfo.
	// Provide fallback values so callers don't get an error.
	if (runtime.GOARCH == "arm64") {
	if family == "" {
	family = "arm64"
	}
	if model == "" {
	model = "0"
	}
	}
	if family == "" || model == "" {

[tomassrnka]

bugbot run

[tomassrnka]

One more check so this does not break current production:

  File: utils/env.go
  What changed: New TargetArch() function
  amd64 prod behavior: Returns "amd64" (default). No existing code calls it on main — only new code below uses it.
  ────────────────────────────────────────
  File: fc/config.go
  What changed: HostKernelPath/FirecrackerPath try {ver}/amd64/binary first
  amd64 prod behavior: os.Stat fails (dir doesn't exist on prod nodes), falls through to identical legacy path {ver}/binary. One extra syscall, no
    behavior change.
  ────────────────────────────────────────
  File: fc/client.go
  What changed: smt := runtime.GOARCH != "arm64"
  amd64 prod behavior: "amd64" != "arm64" → true. Was hardcoded true before. Identical.
  ────────────────────────────────────────
  File: machineinfo/main.go
  What changed: ARM64 fallback for empty Family/Model
  amd64 prod behavior: On amd64, gopsutil populates both fields. The && runtime.GOARCH == "arm64" guard means the fallback is dead code on amd64. The
  else
     if error path is identical to the old code.
  ────────────────────────────────────────
  File: oci/oci.go
  What changed: DefaultPlatform var → DefaultPlatform() func
  amd64 prod behavior: Returns {linux, amd64} via TargetArch(). Same value, all callers updated.
  ────────────────────────────────────────
  File: nbd/path_direct.go
  What changed: Data race fix: capture loop vars before goroutine
  amd64 prod behavior: Bug fix only — captures deviceIndex and i into devIdx/sockIdx before goroutine. Same values, eliminates race.
  ────────────────────────────────────────
  File: clean-nfs-cache/
  What changed: Data race fix: pass dirPath string instead of *os.File
  amd64 prod behavior: Bug fix only — avoids race between df.Close() and df.Fd(). Uses filepath.Join(dirPath, filename) with AT_FDCWD instead.
    Functionally identical.
  ────────────────────────────────────────
  File: provision.sh
  What changed: chattr wrapped in if/else
  amd64 prod behavior: On amd64 where chattr works: enters the if branch, prints "ok". Same effect, just with logging.
  ────────────────────────────────────────
  File: uffd/testutils/page_mmap.go
  What changed: Graceful hugepage skip in tests
  amd64 prod behavior: Test-only. Not production.

No new required env vars. No changed function signatures that affect callers (the DefaultPlatform var→func was updated at all call sites). No changes to Terraform, Nomad jobs, init scripts, or .env files.

[tomassrnka]

Rebased on latest main and addressed all review feedback. Verified safe to merge — zero behavior change on existing amd64 production without any .env
or config modifications. All ARM64 code paths are gated behind TARGET_ARCH env var or runtime.GOARCH == "arm64" checks that default to amd64.

What's in the PR:

ARM64 support:

• TARGET_ARCH env var for cross-architecture deployment (defaults to amd64)
• BUILD_ARCH variable in all 4 service Makefiles for cross-building (BUILD_ARCH=amd64 make build-and-upload from ARM64 host)
• Arch-aware kernel/Firecracker downloads from GCS with legacy flat-path fallback for existing amd64 nodes
• SMT disabled on ARM64 (Firecracker rejects it), machineinfo fallback for gopsutil missing Family/Model on ARM
• OCI platform respects TARGET_ARCH
• fetch-busybox target for ARM64 busybox-static swap
• provision.sh chattr made non-fatal (ARM64 busybox may lack it)
• protoc-gen-go-grpc upgraded to v1.6.1 for ARM support

Data races fixed (found by -race on ARM64 CI):

• NBD path_direct.go — loop variable capture before goroutine
• clean-nfs-cache — *os.File fd race between Scanner and Statter goroutines
• ErrorCollector test — race on ctx variable
• envd legacy conversion test
• Upgraded go-nfs fork with additional race fixes

CI:

• pr-tests-arm64.yml — cross-compilation of all packages + unit test matrix on native ARM64 runners
• Hugepage tests skip gracefully when insufficient pages available

Still possible TODOs (separate PR):

• Merge pr-tests-arm64.yml into pr-tests.yml as a single workflow with arch matrix
• ARM64 integration tests

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 6474bd3e09

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[cursor]

Cursor Bugbot has reviewed your changes and found 3 potential issues.

^{Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.}

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.}

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.}

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.}