fix(orchestrator): make go test ./... build and pass on macOS (#2608)

This change makes the orchestrator package buildable and testable on
darwin (Apple Silicon and Intel) so contributors can iterate locally
without a Linux VM. It does NOT change any runtime behaviour on linux —
the production target.

Background
----------
`go test -v ./...` inside packages/orchestrator failed on darwin because
~50 packages transitively import linux-only code:
- `github.com/ngrok/firewall_toolkit/pkg/expressions` (nftables
expression helpers; the package itself has linux build tags upstream).
  - `github.com/Merovius/nbd/nbdnl` (NBD netlink ioctls).
  - `github.com/containernetworking/plugins/pkg/ns` (netns).
- linux-only symbols on `golang.org/x/sys/unix` and
`syscall.SysProcAttr` (`SyncFileRange`, `CopyFileRange`,
`ProcessVMReadv`, `RemoteIovec`, `Fsopen`, `FsconfigSetString`,
`Fsmount`, `MoveMount`, `MAP_HUGETLB`, `syscall.MAP_ANONYMOUS`,
`UseCgroupFD`, `CgroupFD`, …).
- cgo-based `userfaultfd` wrappers around `<linux/userfaultfd.h>`. None
of these can ever compile on darwin and there is no portable substitute
(the orchestrator is a linux-only runtime: firecracker VMs, nftables,
NBD, userfaultfd, cgroupv2 are all linux kernel features).

Changes
-------
Added `//go:build linux` to every `.go` file in the packages whose
compile-time dependencies are linux-only. On darwin those packages now
report `[no test files]` (or are simply skipped); on linux they build
exactly as before because the constraint matches.

Tagged packages (267 files):
  orchestrator (root), benchmarks,
  cmd/{create-build,mount-build-rootfs,resume-build,smoketest},
  pkg/cfg, pkg/chrooted, pkg/factories, pkg/healthcheck,
  pkg/hyperloopserver{,/handlers}, pkg/metrics,
  pkg/nfsproxy{,/chroot}, pkg/proxy,
  pkg/sandbox{,/block,/build,/build/mocks,/fc,/nbd,/nbd/testutils,
    /network,/rootfs,/template,/template/mocks,
    /template/peerserver,/template/peerserver/mocks,
    /uffd,/uffd/memory,/uffd/prefetch,/uffd/testutils,
    /uffd/userfaultfd},
  pkg/server, pkg/service, pkg/tcpfirewall,
  pkg/template/build{,/buildcontext,/builderrors,/commands,
    /core/filesystem,/core/oci,/core/rootfs,/layer,/phases,
    /phases/{base,finalize,optimize,steps,user},
    /sandboxtools,/storage/cache},
  pkg/template/{metadata,server},
  pkg/volumes.

Whole-package tagging (rather than per-leaf-file tagging plus darwin
stubs) was chosen because the linux-only API surface of these packages
is woven through them — `Firewall`, `Cache`, `DirectPathMount`,
`Userfaultfd`, namespaced slot setup, etc. are used by sibling files
within the same package. Stubbing every exported symbol on darwin would
have produced significantly more churn for code that fundamentally
cannot run on darwin anyway, and would have given a false impression
that those packages could ever be exercised off-linux.

Files that already carried a build tag (`stat_linux.go`, `stat_osx.go`
in cmd/clean-nfs-cache/cleaner, the cgo `userfaultfd/fd.go`, etc.) were
left untouched.

Verification
------------
On darwin/arm64:

    $ go test ./...
    ok  cmd/clean-nfs-cache/cleaner
    ok  cmd/simulate-gcs-traffic
    ok  cmd/simulate-nfs-traffic
    ok  pkg/localupload
    ok  pkg/nfsproxy/recovery
    ok  pkg/nfsproxy/tracing
    ok  pkg/portmap
    ok  pkg/sandbox/template/peerclient
    ok  pkg/template/build/writer
    (linux-only packages report `[no test files]`)
    exit 0

`go build ./...` also succeeds on darwin. All linux build tags resolve
correctly and the linux build is unchanged because we only added
constraints; no source was deleted or moved.

Author: tvi

packages/orchestrator/benchmarks/benchmark_test.go

@@ -1,3 +1,5 @@
+//go:build linux
+
 // run with something like:
 //
 // sudo `which go` test -benchtime=15s -bench=. -v

packages/orchestrator/benchmarks/concurrent_benchmark_test.go

@@ -1,3 +1,5 @@
+//go:build linux
+
 // Concurrent sandbox creation benchmark.
 //
 // Measures how many sandboxes can be effectively resumed in parallel on a

packages/orchestrator/cmd/create-build/main.go

@@ -1,3 +1,5 @@
+//go:build linux
+
 package main
 
 import (

packages/orchestrator/cmd/mount-build-rootfs/main.go

@@ -1,3 +1,5 @@
+//go:build linux
+
 package main
 
 import (

packages/orchestrator/cmd/resume-build/main.go

@@ -1,3 +1,5 @@
+//go:build linux
+
 package main
 
 import (

packages/orchestrator/cmd/resume-build/shell.go

@@ -1,3 +1,5 @@
+//go:build linux
+
 package main
 
 import (

packages/orchestrator/cmd/smoketest/smoke_test.go

@@ -1,3 +1,5 @@
+//go:build linux
+
 package smoketest_test
 
 import (

packages/orchestrator/main.go

@@ -1,3 +1,5 @@
+//go:build linux
+
 package main
 
 import (

packages/orchestrator/pkg/cfg/model.go

@@ -1,3 +1,5 @@
+//go:build linux
+
 package cfg
 
 import (

packages/orchestrator/pkg/cfg/model_test.go

@@ -1,3 +1,5 @@
+//go:build linux
+
 //nolint:paralleltest // many tests set env, which may cause issues
 package cfg