feat: add ARM64 (aarch64) architecture support

[tomassrnka]

Summary

Adds ARM64/aarch64 architecture support to the E2B infrastructure, enabling builds and sandbox execution on Apple Silicon and other ARM64 hosts (via Lima VM + nested KVM).

Changes by commit:

1. Makefiles — Replace hardcoded GOARCH=amd64 and --platform linux/amd64 with $(shell go env GOARCH) across all 4 service Makefiles
2. Go runtime detection — Disable SMT on ARM64 (not supported), use runtime.GOARCH for OCI image platform, add ARM64 fallback for CPU detection (gopsutil doesn't populate Family/Model on ARM)
3. Provision script — Make chattr calls non-fatal (|| true) for busybox versions that lack it
4. create-build — Arch-aware Firecracker and kernel download URLs (tries arm64/ subdirectory first, falls back to generic), E2B_BASE_IMAGE env var for base image override
5. fetch-busybox — Makefile target to swap the embedded x86 busybox binary with the system's ARM64 busybox-static before compilation

Related PRs:

• fc-kernels: ARM64 kernel build support

Test plan

• Build orchestrator, envd, API, and client-proxy natively on ARM64 Linux
• Run make fetch-busybox on ARM64 host to swap busybox binary
• Template build succeeds with create-build on ARM64
• Sandbox create/exec/delete works on ARM64 (Lima VM + KVM)
• Verify uname -m in sandbox returns aarch64
• Confirm no regression on x86_64 builds (all changes are backwards compatible)

🤖 Generated with Claude Code

---

Note

Medium Risk
Touches sandbox boot/runtime configuration and artifact download/path logic; mistakes can break VM startup or fetch the wrong binaries on either architecture, though changes are mostly gated by GOARCH with fallbacks.

Overview
Adds ARM64 PR coverage by introducing an ARM64 workflow that cross-compiles/vets all Go packages and runs a unit-test matrix on ARM runners, and wires it into pull-request.yml. Updates service Makefiles and orchestrator tooling to stop hardcoding amd64, using runtime.GOARCH/go env GOARCH for Docker build platforms, OCI image pulls, Firecracker binary paths, and Firecracker/kernel downloads (with arch-first and legacy fallbacks), plus ARM64-specific runtime behavior (disable SMT; tolerate missing CPU family/model) and a helper make fetch-busybox for ARM64 builds; template provisioning now ignores chattr failures to avoid aborting on unsupported busybox builds.

^{Written by Cursor Bugbot for commit 30ac631. This will update automatically on new commits. Configure here.}

[claude]

The error from url.JoinPath is silently ignored. If the URL construction fails (unlikely but possible with malformed version strings), the code will proceed with a zero-value URL which will fail at download time with a less clear error message.

[claude]

The version parameter used to construct download URLs is not validated or sanitized. If an attacker can control this value (e.g., via flags or environment variables), they could inject path traversal sequences or modify the URL to download malicious binaries from unintended locations.

[claude]

The Makefile copies /usr/bin/busybox without verifying its integrity or authenticity. An attacker who compromises the build host could replace this system binary with a malicious version that gets embedded into all ARM64 sandboxes.

[claude]

The E2B_BASE_IMAGE environment variable allows overriding the base image without validation. This could be exploited to inject a malicious container image if an attacker can control environment variables during the build process.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 589a0596cb

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Avoid falling back to amd64 kernel on any error

On arm64, setupKernel falls back to the generic URL for any download error. That means transient network failures (timeouts, DNS, TLS) against the arm64 URL will silently pull the generic (amd64) kernel instead, which will not boot on arm64 hosts. The fallback should be gated on a 404 (not found) or a clear “no arm64 build” condition; otherwise arm64 builds can fail later in a harder-to-diagnose way.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Avoid falling back to amd64 Firecracker on any error

The arm64 Firecracker download has the same unconditional fallback: any error when fetching the arm64 binary causes a retry against the generic (amd64) URL. On arm64 hosts, a transient network error will then download an amd64 binary that cannot execute. This should only fall back when the arm64 artifact is confirmed missing (e.g., 404), not for network/IO errors.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

fetch-busybox mis-detects arm64 on non-Debian

The new fetch-busybox target defaults to amd64 when dpkg is missing. On arm64 hosts that don’t have dpkg (e.g., Alpine, Arch, Fedora), this silently keeps the bundled amd64 busybox, leading to an ARM build with the wrong binary. Consider using uname -m/go env GOARCH as the fallback or erroring when architecture detection isn’t possible.

Useful? React with 👍 / 👎.

[jakubno]

wouldn't it make sense to do matrix inside pr-tests.yml so we don't duplicate the code?
don't we want to run it also for integration tests as those tests much more (feel free to do it in another PR as I suspect much more work there)

[jakubno]

I would read it from .env as devs won't be able to build from local to their remote clusters if the arch doesn't match

[djeebus]

Or maybe a separate build-and-upload-arm64? Or we go real crazy and rename the existing one to build-and-upload-amd64 and add:

.PHONY: build-and-upload
build-and-upload: build-and-upload-arm64 build-and-upload-amd64

[sitole]

Agree we should be able to build for architectures other than the local one. Not sure if putting ARCH into the env file is best, as you can have one env with both ARM64 and AMD64 pools.

[jakubno]

I would keep current logic, we can just start building the image for arm64 as well

[jakubno]

as we discussed this doesn't have to make it arm specific now

[jakubno]

as we discussed this doesn't have to make it arm specific now

[jakubno]

can you link an article or docs why it has to be false for arm64? Also can you make arm64 a constant?

[jakubno]

let's make it cleaner

Suggested change

	// On ARM64, gopsutil doesn't populate Family/Model from /proc/cpuinfo.
	// Provide fallback values so callers don't get an error.
	if (family == "" || model == "") && runtime.GOARCH == "arm64" {
	if family == "" {
	family = "arm64"
	}
	if model == "" {
	model = "0"
	}
	} else if family == "" || model == "" {
	// On ARM64, gopsutil doesn't populate Family/Model from /proc/cpuinfo.
	// Provide fallback values so callers don't get an error.
	if (runtime.GOARCH == "arm64") {
	if family == "" {
	family = "arm64"
	}
	if model == "" {
	model = "0"
	}
	}
	if family == "" || model == "" {

[jakubno]

how are these changes relevant?

[jakubno]

what's this good for? I don't see it used

[jakubno]

Can you update to GCP as we don't want to be dependent on github

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.}

[cursor]

Firecracker path change breaks existing amd64 production deployments

High Severity

FirecrackerPath now unconditionally includes runtime.GOARCH in the path ({version}/amd64/firecracker on x86_64), but the production host init script (init-client.sh) copies firecracker binaries from GCS into /fc-versions/ using the existing flat layout ({version}/firecracker). After deploying this change, the orchestrator will fail to find the firecracker binary on all existing amd64 production nodes because no amd64/ subdirectory exists on disk. The create-build tool has a legacy-URL fallback but still saves to the new arch-prefixed path, so local dev works — but production infrastructure hasn't been updated to match.

Additional Locations (1)

• packages/orchestrator/cmd/create-build/main.go#L445-L447

 

[tomassrnka]

@cursoragent bugbot run

[cursor]

Unable to authenticate your request. Please make sure to connect your GitHub account to Cursor. Go to Cursor

[tomassrnka]

@cursoragent bugbot run

[tomassrnka]

@claude review this draft PR

[claude]

TARGET_ARCH is read at runtime but BUILD_ARCH is evaluated at Makefile parse time. If TARGET_ARCH is changed between builds without running make clean, the mismatch could cause binaries compiled for one arch to be used with paths expecting another arch (e.g. amd64 binary trying to load arm64 Firecracker/kernel).

[claude]

No validation that TARGET_ARCH is a valid architecture (amd64 or arm64). Invalid values like "x86_64" or "aarch64" would silently create incorrect paths. Consider adding validation or documenting which values are acceptable.

[claude]

The fetch-busybox target uses dpkg --print-architecture to detect the arch, but TargetArch() uses TARGET_ARCH env var. If a user sets TARGET_ARCH=arm64 on an amd64 host, this target will still use the amd64 busybox (since dpkg returns amd64), but the build will be for arm64, causing a binary mismatch.

[claude]

Race condition: os.Stat checks if the file exists, then download() creates/writes it. If two create-build processes run concurrently for the same version, both could pass the stat check and attempt to write simultaneously, potentially corrupting the file. Consider using O_EXCL flag or file locking.

[claude]

For arm64, if the arch-specific download (line 424) fails with a non-404 error (network issue, permissions, etc.), the code returns immediately without trying the legacy fallback. This differs from the Firecracker logic below which falls through to legacy on any 404. Consider consistent fallback behavior.

[claude]

SMT is disabled based on runtime.GOARCH (compile-time host arch), not TARGET_ARCH. If cross-compiling (TARGET_ARCH=arm64 on amd64 host), the binary will incorrectly enable SMT for ARM64 VMs. Should check the actual target arch or defer this to runtime detection.

[claude]

Silencing chattr failures could mask real issues beyond busybox compatibility. If chattr fails on a full-featured system due to filesystem type, permissions, or corrupted inodes, the script will continue silently. Consider checking if chattr exists first, or logging the failure reason.

[tomassrnka]

@claude review this draft PR

[claude]

In setupKernel and setupFC, when the arch-specific download fails with a non-404 error, the code returns immediately with the error. However, when downloading the legacy fallback URL fails, no error wrapping distinguishes it from the arch-specific failure. This could make debugging difficult when both URLs fail for different reasons (e.g., arch URL returns 403 Forbidden, legacy returns network error). Consider wrapping the legacy fallback error to indicate it's from the fallback attempt.

[claude]

The legacy fallback downloads to the arch-specific path (dstPath which includes arch subdirectory) but attempts to fetch from the legacy URL (no arch subdirectory). If the legacy URL succeeds, you'll have an x86_64 binary stored at /kernels/vmlinux-6.1.102/arm64/vmlinux.bin on ARM64 hosts - a silent arch mismatch. The download should either: (1) Use a different destination path for legacy downloads, or (2) Skip the fallback entirely when arch-specific paths exist, forcing users to upload proper arch-specific binaries.

[claude]

The os.Rename call can fail if tmpPath and path are on different filesystems (e.g., /tmp is tmpfs and destination is on disk). Since this is downloading to user-specified directories, consider checking if rename fails with EXDEV (cross-device link) and falling back to copy+remove, or document that the destination directory must be on the same filesystem as temp files.

[claude]

The fetch-busybox target runs apt-get download without sudo, which will fail for non-root users. Since build-local is a developer-facing target (not CI), this creates a silent failure where the build continues with the x86_64 busybox on ARM64 hosts. Either: (1) Require sudo for this target, (2) Check if apt-get/dpkg-deb are available before attempting, or (3) Make this a manual prerequisite step documented in README rather than a build-local dependency.

[claude]

The chattr error is redirected to /tmp/chattr_err but this file is never cleaned up. In a long-running VM or repeated builds, this could accumulate. Consider using stderr directly in the error message instead of writing to a temp file: $BUSYBOX chattr +i /etc/resolv.conf 2>&1 || echo "chattr +i failed (non-fatal): $?". This avoids filesystem pollution and potential information leakage across builds.

[claude]

TargetArch() calls os.Getenv on every invocation without caching. In hot paths (e.g., called for every sandbox creation), this could cause unnecessary overhead. Since TARGET_ARCH should not change during runtime, consider caching the result in a sync.Once or package-level variable initialized at startup. This also makes the panic-on-invalid behavior more predictable (fails at startup rather than mid-operation).

[claude]

TargetArch() falls back to runtime.GOARCH without validation. If the binary is compiled for an unsupported architecture (e.g., mips, s390x), it will return invalid values that later cause path resolution failures. Consider validating runtime.GOARCH against validArchitectures and panicking with a clear message if the host architecture is unsupported, rather than letting it fail silently in downstream path operations.