feat: arch-aware Firecracker and kernel path resolution

e2b · claude · e2b · commit 36b17812577a · 2026-03-25T15:00:47.000+01:00
- config.go: prefer arch-prefixed paths ({version}/{arch}/binary) with
  legacy flat path fallback for existing production nodes
- create-build: download from GCS with {version}/{arch}/ layout, legacy
  fallback only for amd64 and only on 404
- OCI: use TargetArch() for container image platform selection
- Tests for arch-prefixed vs legacy path precedence

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/packages/orchestrator/cmd/create-build/main.go b/packages/orchestrator/cmd/create-build/main.go
@@ -408,63 +408,141 @@ func printLocalFileSizes(basePath, buildID string) {
 }
 
 func setupKernel(ctx context.Context, dir, version string) error {
-	dstPath := filepath.Join(dir, version, "vmlinux.bin")
+	arch := utils.TargetArch()
+	dstPath := filepath.Join(dir, version, arch, "vmlinux.bin")
+
 	if err := os.MkdirAll(filepath.Dir(dstPath), 0o755); err != nil {
 		return fmt.Errorf("mkdir kernel dir: %w", err)
 	}
 
 	if _, err := os.Stat(dstPath); err == nil {
-		fmt.Printf("✓ Kernel %s exists\n", version)
+		fmt.Printf("✓ Kernel %s (%s) exists\n", version, arch)
 
 		return nil
 	}
 
-	kernelURL, _ := url.JoinPath("https://storage.googleapis.com/e2b-prod-public-builds/kernels/", version, "vmlinux.bin")
-	fmt.Printf("⬇ Downloading kernel %s...\n", version)
+	// Try arch-specific URL first: {version}/{arch}/vmlinux.bin
+	archURL, err := url.JoinPath("https://storage.googleapis.com/e2b-prod-public-builds/kernels/", version, arch, "vmlinux.bin")
+	if err != nil {
+		return fmt.Errorf("invalid kernel URL: %w", err)
+	}
+
+	fmt.Printf("⬇ Downloading kernel %s (%s)...\n", version, arch)
+
+	if err := download(ctx, archURL, dstPath, 0o644); err == nil {
+		return nil
+	} else if !errors.Is(err, errNotFound) {
+		return fmt.Errorf("failed to download kernel: %w", err)
+	}
+
+	// Legacy URLs are x86_64-only; only fall back for amd64.
+	if arch != "amd64" {
+		return fmt.Errorf("kernel %s not found for %s (no legacy fallback for non-amd64)", version, arch)
+	}
+
+	legacyURL, err := url.JoinPath("https://storage.googleapis.com/e2b-prod-public-builds/kernels/", version, "vmlinux.bin")
+	if err != nil {
+		return fmt.Errorf("invalid kernel legacy URL: %w", err)
+	}
+
+	fmt.Printf("  %s path not found, trying legacy URL...\n", arch)
 
-	return download(ctx, kernelURL, dstPath, 0o644)
+	return download(ctx, legacyURL, dstPath, 0o644)
 }
 
 func setupFC(ctx context.Context, dir, version string) error {
-	dstPath := filepath.Join(dir, version, "firecracker")
+	arch := utils.TargetArch()
+	dstPath := filepath.Join(dir, version, arch, "firecracker")
+
 	if err := os.MkdirAll(filepath.Dir(dstPath), 0o755); err != nil {
 		return fmt.Errorf("mkdir firecracker dir: %w", err)
 	}
 
 	if _, err := os.Stat(dstPath); err == nil {
-		fmt.Printf("✓ Firecracker %s exists\n", version)
+		fmt.Printf("✓ Firecracker %s (%s) exists\n", version, arch)
 
 		return nil
 	}
 
-	fcURL := fmt.Sprintf("https://github.com/e2b-dev/fc-versions/releases/download/%s/firecracker", version)
-	fmt.Printf("⬇ Downloading Firecracker %s...\n", version)
+	// Download from GCS bucket with {version}/{arch}/firecracker path
+	fcURL, err := url.JoinPath("https://storage.googleapis.com/e2b-prod-public-builds/fc-versions/", version, arch, "firecracker")
+	if err != nil {
+		return fmt.Errorf("invalid Firecracker URL: %w", err)
+	}
+
+	fmt.Printf("⬇ Downloading Firecracker %s (%s)...\n", version, arch)
+
+	if err := download(ctx, fcURL, dstPath, 0o755); err == nil {
+		return nil
+	} else if !errors.Is(err, errNotFound) {
+		return fmt.Errorf("failed to download Firecracker: %w", err)
+	}
+
+	// Legacy URLs are x86_64-only; only fall back for amd64.
+	if arch != "amd64" {
+		return fmt.Errorf("firecracker %s not found for %s (no legacy fallback for non-amd64)", version, arch)
+	}
+
+	legacyURL, err := url.JoinPath("https://storage.googleapis.com/e2b-prod-public-builds/fc-versions/", version, "firecracker")
+	if err != nil {
+		return fmt.Errorf("invalid Firecracker legacy URL: %w", err)
+	}
+
+	fmt.Printf("  %s path not found, trying legacy URL...\n", arch)
 
-	return download(ctx, fcURL, dstPath, 0o755)
+	return download(ctx, legacyURL, dstPath, 0o755)
 }
 
-func download(ctx context.Context, url, path string, perm os.FileMode) error {
-	req, _ := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
+var errNotFound = errors.New("not found")
+
+func download(ctx context.Context, rawURL, path string, perm os.FileMode) error {
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, rawURL, nil)
+	if err != nil {
+		return fmt.Errorf("invalid download URL %s: %w", rawURL, err)
+	}
+
 	resp, err := (&http.Client{Timeout: 5 * time.Minute}).Do(req)
 	if err != nil {
 		return err
 	}
 	defer resp.Body.Close()
 
+	if resp.StatusCode == http.StatusNotFound {
+		return fmt.Errorf("%w: %s", errNotFound, rawURL)
+	}
 	if resp.StatusCode != http.StatusOK {
-		return fmt.Errorf("HTTP %d: %s", resp.StatusCode, url)
+		return fmt.Errorf("HTTP %d: %s", resp.StatusCode, rawURL)
 	}
 
-	f, err := os.OpenFile(path, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, perm)
+	// Write to a temporary file and rename atomically to avoid partial files
+	// on network errors or disk-full conditions.
+	tmpPath := path + ".tmp"
+
+	f, err := os.OpenFile(tmpPath, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, perm)
 	if err != nil {
 		return err
 	}
-	defer f.Close()
 
-	_, err = io.Copy(f, resp.Body)
-	if err == nil {
-		fmt.Printf("✓ Downloaded %s\n", filepath.Base(path))
+	if _, err := io.Copy(f, resp.Body); err != nil {
+		f.Close()
+		os.Remove(tmpPath)
+
+		return err
+	}
+
+	if err := f.Close(); err != nil {
+		os.Remove(tmpPath)
+
+		return err
 	}
 
-	return err
+	if err := os.Rename(tmpPath, path); err != nil {
+		os.Remove(tmpPath)
+
+		return err
+	}
+
+	fmt.Printf("✓ Downloaded %s\n", filepath.Base(path))
+
+	return nil
 }
diff --git a/packages/orchestrator/pkg/sandbox/fc/config.go b/packages/orchestrator/pkg/sandbox/fc/config.go
@@ -1,9 +1,11 @@
 package fc
 
 import (
+	"os"
 	"path/filepath"
 
 	"github.com/e2b-dev/infra/packages/orchestrator/pkg/cfg"
+	"github.com/e2b-dev/infra/packages/shared/pkg/utils"
 )
 
 const (
@@ -31,10 +33,25 @@ func (t Config) SandboxKernelDir() string {
 }
 
 func (t Config) HostKernelPath(config cfg.BuilderConfig) string {
+	// Prefer arch-prefixed path ({version}/{arch}/vmlinux.bin) for multi-arch support.
+	// Fall back to legacy flat path ({version}/vmlinux.bin) for existing production nodes.
+	archPath := filepath.Join(config.HostKernelsDir, t.KernelVersion, utils.TargetArch(), SandboxKernelFile)
+	if _, err := os.Stat(archPath); err == nil {
+		return archPath
+	}
+
 	return filepath.Join(config.HostKernelsDir, t.KernelVersion, SandboxKernelFile)
 }
 
 func (t Config) FirecrackerPath(config cfg.BuilderConfig) string {
+	// Prefer arch-prefixed path ({version}/{arch}/firecracker) for multi-arch support.
+	// Fall back to legacy flat path ({version}/firecracker) for existing production nodes
+	// that haven't migrated to the arch-prefixed layout yet.
+	archPath := filepath.Join(config.FirecrackerVersionsDir, t.FirecrackerVersion, utils.TargetArch(), FirecrackerBinaryName)
+	if _, err := os.Stat(archPath); err == nil {
+		return archPath
+	}
+
 	return filepath.Join(config.FirecrackerVersionsDir, t.FirecrackerVersion, FirecrackerBinaryName)
 }
 
diff --git a/packages/orchestrator/pkg/sandbox/fc/config_test.go b/packages/orchestrator/pkg/sandbox/fc/config_test.go
@@ -0,0 +1,113 @@
+package fc
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/e2b-dev/infra/packages/orchestrator/pkg/cfg"
+	"github.com/e2b-dev/infra/packages/shared/pkg/utils"
+)
+
+func TestFirecrackerPath_ArchPrefixed(t *testing.T) {
+	t.Parallel()
+	dir := t.TempDir()
+	arch := utils.TargetArch()
+
+	// Create the arch-prefixed binary
+	archDir := filepath.Join(dir, "v1.12.0", arch)
+	require.NoError(t, os.MkdirAll(archDir, 0o755))
+	require.NoError(t, os.WriteFile(filepath.Join(archDir, "firecracker"), []byte("binary"), 0o755))
+
+	config := cfg.BuilderConfig{FirecrackerVersionsDir: dir}
+	fc := Config{FirecrackerVersion: "v1.12.0"}
+
+	result := fc.FirecrackerPath(config)
+
+	assert.Equal(t, filepath.Join(dir, "v1.12.0", arch, "firecracker"), result)
+}
+
+func TestFirecrackerPath_LegacyFallback(t *testing.T) {
+	t.Parallel()
+	dir := t.TempDir()
+
+	// Only create the legacy flat binary (no arch subdirectory)
+	require.NoError(t, os.MkdirAll(filepath.Join(dir, "v1.12.0"), 0o755))
+	require.NoError(t, os.WriteFile(filepath.Join(dir, "v1.12.0", "firecracker"), []byte("binary"), 0o755))
+
+	config := cfg.BuilderConfig{FirecrackerVersionsDir: dir}
+	fc := Config{FirecrackerVersion: "v1.12.0"}
+
+	result := fc.FirecrackerPath(config)
+
+	assert.Equal(t, filepath.Join(dir, "v1.12.0", "firecracker"), result)
+}
+
+func TestFirecrackerPath_NeitherExists(t *testing.T) {
+	t.Parallel()
+	dir := t.TempDir()
+
+	// No binary at all — should return legacy flat path
+	config := cfg.BuilderConfig{FirecrackerVersionsDir: dir}
+	fc := Config{FirecrackerVersion: "v1.12.0"}
+
+	result := fc.FirecrackerPath(config)
+
+	assert.Equal(t, filepath.Join(dir, "v1.12.0", "firecracker"), result)
+}
+
+func TestHostKernelPath_ArchPrefixed(t *testing.T) {
+	t.Parallel()
+	dir := t.TempDir()
+	arch := utils.TargetArch()
+
+	// Create the arch-prefixed kernel
+	archDir := filepath.Join(dir, "vmlinux-6.1.102", arch)
+	require.NoError(t, os.MkdirAll(archDir, 0o755))
+	require.NoError(t, os.WriteFile(filepath.Join(archDir, "vmlinux.bin"), []byte("kernel"), 0o644))
+
+	config := cfg.BuilderConfig{HostKernelsDir: dir}
+	fc := Config{KernelVersion: "vmlinux-6.1.102"}
+
+	result := fc.HostKernelPath(config)
+
+	assert.Equal(t, filepath.Join(dir, "vmlinux-6.1.102", arch, "vmlinux.bin"), result)
+}
+
+func TestHostKernelPath_LegacyFallback(t *testing.T) {
+	t.Parallel()
+	dir := t.TempDir()
+
+	// Only create the legacy flat kernel
+	require.NoError(t, os.MkdirAll(filepath.Join(dir, "vmlinux-6.1.102"), 0o755))
+	require.NoError(t, os.WriteFile(filepath.Join(dir, "vmlinux-6.1.102", "vmlinux.bin"), []byte("kernel"), 0o644))
+
+	config := cfg.BuilderConfig{HostKernelsDir: dir}
+	fc := Config{KernelVersion: "vmlinux-6.1.102"}
+
+	result := fc.HostKernelPath(config)
+
+	assert.Equal(t, filepath.Join(dir, "vmlinux-6.1.102", "vmlinux.bin"), result)
+}
+
+func TestHostKernelPath_PrefersArchOverLegacy(t *testing.T) {
+	t.Parallel()
+	dir := t.TempDir()
+	arch := utils.TargetArch()
+
+	// Create BOTH arch-prefixed and legacy flat kernels
+	require.NoError(t, os.MkdirAll(filepath.Join(dir, "vmlinux-6.1.102", arch), 0o755))
+	require.NoError(t, os.WriteFile(filepath.Join(dir, "vmlinux-6.1.102", arch, "vmlinux.bin"), []byte("arch-kernel"), 0o644))
+	require.NoError(t, os.WriteFile(filepath.Join(dir, "vmlinux-6.1.102", "vmlinux.bin"), []byte("legacy-kernel"), 0o644))
+
+	config := cfg.BuilderConfig{HostKernelsDir: dir}
+	fc := Config{KernelVersion: "vmlinux-6.1.102"}
+
+	result := fc.HostKernelPath(config)
+
+	// Should prefer the arch-prefixed path
+	assert.Equal(t, filepath.Join(dir, "vmlinux-6.1.102", arch, "vmlinux.bin"), result)
+}
diff --git a/packages/orchestrator/pkg/template/build/core/oci/oci.go b/packages/orchestrator/pkg/template/build/core/oci/oci.go
@@ -56,9 +56,12 @@ func (e *ImageTooLargeError) Error() string {
 	)
 }
 
-var DefaultPlatform = containerregistry.Platform{
-	OS:           "linux",
-	Architecture: "amd64",
+// DefaultPlatform returns the OCI platform for image pulls, respecting TARGET_ARCH.
+func DefaultPlatform() containerregistry.Platform {
+	return containerregistry.Platform{
+		OS:           "linux",
+		Architecture: utils.TargetArch(),
+	}
 }
 
 // wrapImagePullError converts technical Docker registry errors into user-friendly messages.
@@ -96,7 +99,7 @@ func GetPublicImage(ctx context.Context, dockerhubRepository dockerhub.RemoteRep
 		return nil, fmt.Errorf("invalid image reference '%s': %w", tag, err)
 	}
 
-	platform := DefaultPlatform
+	platform := DefaultPlatform()
 
 	// When no auth provider is provided and the image is from the default registry
 	// use docker remote repository proxy with cached images
@@ -149,7 +152,7 @@ func GetImage(ctx context.Context, artifactRegistry artifactsregistry.ArtifactsR
 	childCtx, childSpan := tracer.Start(ctx, "pull-docker-image")
 	defer childSpan.End()
 
-	platform := DefaultPlatform
+	platform := DefaultPlatform()
 
 	img, err := artifactRegistry.GetImage(childCtx, templateId, buildId, platform)
 	if err != nil {
@@ -469,7 +472,7 @@ func verifyImagePlatform(img containerregistry.Image, platform containerregistry
 		return fmt.Errorf("error getting image config file: %w", err)
 	}
 	if config.Architecture != platform.Architecture {
-		return fmt.Errorf("image is not %s", platform.Architecture)
+		return fmt.Errorf("image architecture %q does not match expected %q", config.Architecture, platform.Architecture)
 	}
 
 	return nil
diff --git a/packages/orchestrator/pkg/template/build/core/oci/oci_test.go b/packages/orchestrator/pkg/template/build/core/oci/oci_test.go
@@ -26,6 +26,7 @@ import (
 	"github.com/e2b-dev/infra/packages/shared/pkg/dockerhub"
 	templatemanager "github.com/e2b-dev/infra/packages/shared/pkg/grpc/template-manager"
 	"github.com/e2b-dev/infra/packages/shared/pkg/logger"
+	"github.com/e2b-dev/infra/packages/shared/pkg/utils"
 )
 
 func createFileTar(t *testing.T, fileName string) *bytes.Buffer {
@@ -213,7 +214,7 @@ func TestGetPublicImageWithGeneralAuth(t *testing.T) {
 	// Set the config to include the proper platform
 	configFile, err := testImage.ConfigFile()
 	require.NoError(t, err)
-	configFile.Architecture = "amd64"
+	configFile.Architecture = utils.TargetArch()
 	configFile.OS = "linux"
 	testImage, err = mutate.ConfigFile(testImage, configFile)
 	require.NoError(t, err)

Original file line number	Diff line number	Diff line change
`@@ -56,9 +56,12 @@ func (e *ImageTooLargeError) Error() string {`
`56`	`56`	`)`
`57`	`57`	`}`
`58`	`58`
`59`		`-var DefaultPlatform = containerregistry.Platform{`
`60`		`- OS: "linux",`
`61`		`- Architecture: "amd64",`
	`59`	`+// DefaultPlatform returns the OCI platform for image pulls, respecting TARGET_ARCH.`
	`60`	`+func DefaultPlatform() containerregistry.Platform {`
	`61`	`+ return containerregistry.Platform{`
	`62`	`+ OS: "linux",`
	`63`	`+ Architecture: utils.TargetArch(),`
	`64`	`+ }`
`62`	`65`	`}`
`63`	`66`
`64`	`67`	`// wrapImagePullError converts technical Docker registry errors into user-friendly messages.`
`@@ -96,7 +99,7 @@ func GetPublicImage(ctx context.Context, dockerhubRepository dockerhub.RemoteRep`
`96`	`99`	`return nil, fmt.Errorf("invalid image reference '%s': %w", tag, err)`
`97`	`100`	`}`
`98`	`101`
`99`		`- platform := DefaultPlatform`
	`102`	`+ platform := DefaultPlatform()`
`100`	`103`
`101`	`104`	`// When no auth provider is provided and the image is from the default registry`
`102`	`105`	`// use docker remote repository proxy with cached images`
`@@ -149,7 +152,7 @@ func GetImage(ctx context.Context, artifactRegistry artifactsregistry.ArtifactsR`
`149`	`152`	`childCtx, childSpan := tracer.Start(ctx, "pull-docker-image")`
`150`	`153`	`defer childSpan.End()`
`151`	`154`
`152`		`- platform := DefaultPlatform`
	`155`	`+ platform := DefaultPlatform()`
`153`	`156`
`154`	`157`	`img, err := artifactRegistry.GetImage(childCtx, templateId, buildId, platform)`
`155`	`158`	`if err != nil {`
`@@ -469,7 +472,7 @@ func verifyImagePlatform(img containerregistry.Image, platform containerregistry`
`469`	`472`	`return fmt.Errorf("error getting image config file: %w", err)`
`470`	`473`	`}`
`471`	`474`	`if config.Architecture != platform.Architecture {`
`472`		`- return fmt.Errorf("image is not %s", platform.Architecture)`
	`475`	`+ return fmt.Errorf("image architecture %q does not match expected %q", config.Architecture, platform.Architecture)`
`473`	`476`	`}`
`474`	`477`
`475`	`478`	`return nil`