fix(orchestrator): make go test ./... build and pass on macOS

This change makes the orchestrator package buildable and testable on
darwin (Apple Silicon and Intel) so contributors can iterate locally
without a Linux VM. It does NOT change any runtime behaviour on linux —
the production target.

Background
----------
`go test -v ./...` inside packages/orchestrator failed on darwin because
~50 packages transitively import linux-only code:
  - `github.com/ngrok/firewall_toolkit/pkg/expressions` (nftables
    expression helpers; the package itself has linux build tags
    upstream).
  - `github.com/Merovius/nbd/nbdnl` (NBD netlink ioctls).
  - `github.com/containernetworking/plugins/pkg/ns` (netns).
  - linux-only symbols on `golang.org/x/sys/unix` and
    `syscall.SysProcAttr` (`SyncFileRange`, `CopyFileRange`,
    `ProcessVMReadv`, `RemoteIovec`, `Fsopen`, `FsconfigSetString`,
    `Fsmount`, `MoveMount`, `MAP_HUGETLB`, `syscall.MAP_ANONYMOUS`,
    `UseCgroupFD`, `CgroupFD`, …).
  - cgo-based `userfaultfd` wrappers around `<linux/userfaultfd.h>`.
None of these can ever compile on darwin and there is no portable
substitute (the orchestrator is a linux-only runtime: firecracker
VMs, nftables, NBD, userfaultfd, cgroupv2 are all linux kernel
features).

Changes
-------
Added `//go:build linux` to every `.go` file in the packages whose
compile-time dependencies are linux-only. On darwin those packages
now report `[no test files]` (or are simply skipped); on linux they
build exactly as before because the constraint matches.

Tagged packages (267 files):
  orchestrator (root), benchmarks,
  cmd/{create-build,mount-build-rootfs,resume-build,smoketest},
  pkg/cfg, pkg/chrooted, pkg/factories, pkg/healthcheck,
  pkg/hyperloopserver{,/handlers}, pkg/metrics,
  pkg/nfsproxy{,/chroot}, pkg/proxy,
  pkg/sandbox{,/block,/build,/build/mocks,/fc,/nbd,/nbd/testutils,
    /network,/rootfs,/template,/template/mocks,
    /template/peerserver,/template/peerserver/mocks,
    /uffd,/uffd/memory,/uffd/prefetch,/uffd/testutils,
    /uffd/userfaultfd},
  pkg/server, pkg/service, pkg/tcpfirewall,
  pkg/template/build{,/buildcontext,/builderrors,/commands,
    /core/filesystem,/core/oci,/core/rootfs,/layer,/phases,
    /phases/{base,finalize,optimize,steps,user},
    /sandboxtools,/storage/cache},
  pkg/template/{metadata,server},
  pkg/volumes.

Whole-package tagging (rather than per-leaf-file tagging plus darwin
stubs) was chosen because the linux-only API surface of these
packages is woven through them — `Firewall`, `Cache`,
`DirectPathMount`, `Userfaultfd`, namespaced slot setup, etc. are
used by sibling files within the same package. Stubbing every
exported symbol on darwin would have produced significantly more
churn for code that fundamentally cannot run on darwin anyway, and
would have given a false impression that those packages could ever
be exercised off-linux.

Files that already carried a build tag (`stat_linux.go`,
`stat_osx.go` in cmd/clean-nfs-cache/cleaner, the cgo
`userfaultfd/fd.go`, etc.) were left untouched.

Verification
------------
On darwin/arm64:

    $ go test ./...
    ok  cmd/clean-nfs-cache/cleaner
    ok  cmd/simulate-gcs-traffic
    ok  cmd/simulate-nfs-traffic
    ok  pkg/localupload
    ok  pkg/nfsproxy/recovery
    ok  pkg/nfsproxy/tracing
    ok  pkg/portmap
    ok  pkg/sandbox/template/peerclient
    ok  pkg/template/build/writer
    (linux-only packages report `[no test files]`)
    exit 0

`go build ./...` also succeeds on darwin. All linux build tags resolve
correctly and the linux build is unchanged because we only added
constraints; no source was deleted or moved.

Author: tvi

packages/orchestrator/benchmarks/benchmark_test.go

@@ -1,3 +1,5 @@
+//go:build linux
+
 // run with something like:
 //
 // sudo `which go` test -benchtime=15s -bench=. -v

packages/orchestrator/benchmarks/concurrent_benchmark_test.go

@@ -1,3 +1,5 @@
+//go:build linux
+
 // Concurrent sandbox creation benchmark.
 //
 // Measures how many sandboxes can be effectively resumed in parallel on a

packages/orchestrator/cmd/create-build/main.go

@@ -1,3 +1,5 @@
+//go:build linux
+
 package main
 
 import (

packages/orchestrator/cmd/mount-build-rootfs/main.go

@@ -1,3 +1,5 @@
+//go:build linux
+
 package main
 
 import (

packages/orchestrator/cmd/resume-build/main.go

@@ -1,3 +1,5 @@
+//go:build linux
+
 package main
 
 import (

packages/orchestrator/cmd/resume-build/shell.go

@@ -1,3 +1,5 @@
+//go:build linux
+
 package main
 
 import (

packages/orchestrator/cmd/smoketest/smoke_test.go

@@ -1,3 +1,5 @@
+//go:build linux
+
 package smoketest_test
 
 import (

packages/orchestrator/main.go

@@ -1,3 +1,5 @@
+//go:build linux
+
 package main
 
 import (

packages/orchestrator/pkg/cfg/model.go

@@ -1,3 +1,5 @@
+//go:build linux
+
 package cfg
 
 import (

packages/orchestrator/pkg/cfg/model_test.go

@@ -1,3 +1,5 @@
+//go:build linux
+
 //nolint:paralleltest // many tests set env, which may cause issues
 package cfg