ci: add ARM64 cross-compilation and unit test workflow (#2255)

* ci: add ARM64 cross-compilation and unit test workflow

- Add pr-tests-arm64.yml with cross-compile job (ubuntu-24.04) and
  native ARM64 unit test matrix (ubuntu-24.04-arm)
- Wire arm64-tests into pull-request.yml
- Add setup-arm64-runner.sh for self-hosted runner provisioning

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: update checkout to v5 and add timeout to cross-compile job

- Align with repo convention of actions/checkout@v5
- Add timeout-minutes: 15 to cross-compile job to prevent hangs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: data races in NBD path_direct and PostProcessor test on ARM64

- path_direct.go: capture deviceIndex before goroutine closure. The
  outer for-loop is not a range loop, so Go 1.22+ loop variable fix
  doesn't apply — deviceIndex is reassigned on each retry iteration.
- postprocessor_test.go: use sync.Mutex-wrapped buffer instead of bare
  bytes.Buffer. The PostProcessor goroutine and test goroutine write
  to the buffer concurrently.

Both races were exposed by running tests with -race on ARM64 (weaker
memory model makes races more likely to manifest).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add fetch-busybox to ARM64 cross-compile and test jobs

Busybox binary is no longer committed to git (downloaded at build time
from fc-busybox release). Add fetch-busybox to:
- cross-compile job (with BUILD_ARCH=arm64 for correct binary)
- orchestrator ARM64 test setup

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: e2b <e2b@Onsites-MacBook-Pro.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: 3 people

.github/scripts/setup-arm64-runner.sh

@@ -0,0 +1,104 @@
+#!/usr/bin/env bash
+#
+# Setup script for an ARM64 self-hosted GitHub Actions runner.
+# Run this on a fresh ARM64 Ubuntu 22.04/24.04 machine with KVM support.
+#
+# Prerequisites:
+#   - ARM64 Linux host (Graviton, Ampere, etc.)
+#   - KVM enabled (/dev/kvm accessible)
+#   - At least 8GB RAM (for hugepage allocation)
+#   - Root access
+#
+# Usage:
+#   sudo ./setup-arm64-runner.sh
+#
+# After running this script, register the machine as a GitHub Actions
+# self-hosted runner with the label: infra-tests-arm64
+#   https://github.com/e2b-dev/infra/settings/actions/runners/new
+
+set -euo pipefail
+
+PS4='[\D{%Y-%m-%d %H:%M:%S}] '
+set -x
+
+if [ "$(id -u)" -ne 0 ]; then
+    echo "ERROR: This script must be run as root" >&2
+    exit 1
+fi
+
+ARCH=$(dpkg --print-architecture)
+if [ "$ARCH" != "arm64" ]; then
+    echo "ERROR: This script is for ARM64 hosts (detected: $ARCH)" >&2
+    exit 1
+fi
+
+echo "=== Setting up ARM64 GitHub Actions runner ==="
+
+# KVM check
+if [ ! -e /dev/kvm ]; then
+    echo "ERROR: /dev/kvm not found. KVM support is required." >&2
+    exit 1
+fi
+
+# Install base dependencies
+apt-get update
+apt-get install -y --no-install-recommends \
+    build-essential \
+    curl \
+    git \
+    jq \
+    nbd-client \
+    nbd-server
+
+# Enable unprivileged userfaultfd
+echo 1 > /proc/sys/vm/unprivileged_userfaultfd
+
+# Hugepages
+mkdir -p /mnt/hugepages
+mount -t hugetlbfs none /mnt/hugepages 2>/dev/null || true
+echo 2000 > /proc/sys/vm/nr_hugepages
+
+grep -qF 'hugetlbfs /mnt/hugepages' /etc/fstab || \
+    echo "hugetlbfs /mnt/hugepages hugetlbfs defaults 0 0" >> /etc/fstab
+
+# Sysctl — write once (idempotent)
+cat <<'EOF' > /etc/sysctl.d/99-e2b.conf
+vm.unprivileged_userfaultfd=1
+vm.nr_hugepages=2000
+net.core.somaxconn=65535
+net.core.netdev_max_backlog=65535
+net.ipv4.tcp_max_syn_backlog=65535
+vm.max_map_count=1048576
+EOF
+sysctl --system
+
+# NBD
+modprobe nbd nbds_max=256
+echo "nbd" > /etc/modules-load.d/e2b.conf
+echo "options nbd nbds_max=256" > /etc/modprobe.d/e2b-nbd.conf
+
+# Disable inotify for NBD devices
+cat <<'EOF' > /etc/udev/rules.d/97-nbd-device.rules
+ACTION=="add|change", KERNEL=="nbd*", OPTIONS:="nowatch"
+EOF
+udevadm control --reload-rules
+udevadm trigger
+
+# File descriptor limits
+cat <<'EOF' > /etc/security/limits.d/99-e2b.conf
+* soft nofile 1048576
+* hard nofile 1048576
+EOF
+
+echo ""
+echo "=== ARM64 runner setup complete ==="
+echo ""
+echo "Verify:"
+echo "  uname -m              → aarch64"
+echo "  ls /dev/kvm            → exists"
+echo "  cat /proc/meminfo | grep HugePages_Total"
+echo "  lsmod | grep nbd"
+echo ""
+echo "Next: register this machine as a GitHub Actions self-hosted runner"
+echo "  Label: infra-tests-arm64"
+echo "  https://github.com/e2b-dev/infra/settings/actions/runners/new"

.github/workflows/pr-tests-arm64.yml

@@ -0,0 +1,122 @@
+name: ARM64 tests on PRs
+
+on: [workflow_call]
+
+permissions:
+  contents: read
+
+jobs:
+  cross-compile:
+    name: Cross-compile all packages for ARM64
+    runs-on: ubuntu-24.04
+    timeout-minutes: 15
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v5
+
+      - name: Setup Go
+        uses: ./.github/actions/go-setup-cache
+
+      - name: Install ARM64 cross-compiler
+        run: sudo apt-get update && sudo apt-get install -y gcc-aarch64-linux-gnu
+
+      - name: Build and vet packages (pure Go)
+        run: |
+          for pkg in api client-proxy envd shared db docker-reverse-proxy; do
+            echo "::group::packages/$pkg"
+            pushd "packages/$pkg" > /dev/null
+            GOARCH=arm64 go build ./...
+            GOARCH=arm64 go vet ./...
+            popd > /dev/null
+            echo "::endgroup::"
+          done
+
+      - name: Fetch busybox for orchestrator embed
+        run: make -C packages/orchestrator fetch-busybox BUILD_ARCH=arm64
+
+      - name: Build and vet orchestrator (CGO)
+        run: |
+          CGO_ENABLED=1 CC=aarch64-linux-gnu-gcc GOARCH=arm64 go build ./...
+          CGO_ENABLED=1 CC=aarch64-linux-gnu-gcc GOARCH=arm64 go vet ./...
+        working-directory: packages/orchestrator
+
+  arm64-unit-tests:
+    name: ARM64 tests for ${{ matrix.package }}
+    runs-on: ubuntu-24.04-arm
+    timeout-minutes: 30
+    strategy:
+      matrix:
+        include:
+          - package: packages/api
+            test_path: ./...
+            sudo: false
+          - package: packages/client-proxy
+            test_path: ./...
+            sudo: false
+          - package: packages/db
+            test_path: ./...
+            sudo: false
+          - package: packages/docker-reverse-proxy
+            test_path: ./...
+            sudo: false
+          - package: packages/envd
+            test_path: ./...
+            sudo: true
+          - package: packages/orchestrator
+            test_path: ./...
+            sudo: true
+          - package: packages/shared
+            test_path: ./pkg/...
+            sudo: false
+      fail-fast: false
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v5
+
+      - name: Setup Go
+        uses: ./.github/actions/go-setup-cache
+        with:
+          cache-dependency-paths: |
+            go.work
+            ${{ matrix.package }}/go.mod
+            ${{ matrix.package }}/go.sum
+
+      - name: Setup envd tests
+        run: |
+          sudo apt-get update && sudo apt-get install -y bindfs
+        if: matrix.package == 'packages/envd'
+
+      - name: Setup orchestrator tests
+        run: |
+          # Download busybox for go:embed
+          make -C packages/orchestrator fetch-busybox
+
+          # Enable unprivileged uffd (Ubuntu defaults to 0)
+          echo 1 | sudo tee /proc/sys/vm/unprivileged_userfaultfd
+
+          # Enable hugepages (256 × 2MB = 512MB).
+          # Tests that need more hugepages than available will skip gracefully.
+          sudo mkdir -p /mnt/hugepages
+          sudo mount -t hugetlbfs none /mnt/hugepages
+          echo 256 | sudo tee /proc/sys/vm/nr_hugepages
+
+          # Install extra kernel modules (nbd is not in base modules on GitHub-hosted runners)
+          sudo apt-get update
+          sudo apt-get install -y linux-modules-extra-$(uname -r)
+          sudo modprobe nbd nbds_max=256
+
+          # Disable inotify watching of change events for NBD devices
+          echo 'ACTION=="add|change", KERNEL=="nbd*", OPTIONS:="nowatch"' | sudo tee /etc/udev/rules.d/97-nbd-device.rules
+          sudo udevadm control --reload-rules
+          sudo udevadm trigger
+        if: matrix.package == 'packages/orchestrator'
+
+      - name: Run tests that require sudo
+        working-directory: ${{ matrix.package }}
+        run: sudo -E `which go` test -race -v ${{ matrix.test_path }}
+        if: matrix.sudo == true
+
+      - name: Run tests
+        working-directory: ${{ matrix.package }}
+        run: go test -race -v ${{ matrix.test_path }}
+        if: matrix.sudo == false

.github/workflows/pull-request.yml

@@ -28,6 +28,8 @@ jobs:
     uses: ./.github/workflows/out-of-order-migrations.yml
   unit-tests:
     uses: ./.github/workflows/pr-tests.yml
+  arm64-tests:
+    uses: ./.github/workflows/pr-tests-arm64.yml
   integration-tests:
     needs: [out-of-order-migrations]
     uses: ./.github/workflows/integration_tests.yml

packages/orchestrator/pkg/sandbox/nbd/path_direct.go

@@ -78,7 +78,7 @@ func (d *DirectPathMount) Open(ctx context.Context) (retDeviceIndex uint32, err
 
 	telemetry.ReportEvent(ctx, "got backend size")
 
-	deviceIndex := uint32(math.MaxUint32)
+	var deviceIndex uint32
 
 	for {
 		deviceIndex, err = d.devicePool.GetDevice(ctx)
@@ -119,13 +119,17 @@ func (d *DirectPathMount) Open(ctx context.Context) (retDeviceIndex uint32, err
 			server.Close()
 
 			dispatch := NewDispatch(serverc, d.Backend)
+			// Capture deviceIndex for the goroutine closure — it's reassigned on
+			// each retry iteration of the outer for-loop (not a range loop, so
+			// Go 1.22+ loop variable fix doesn't apply).
+			devIdx := deviceIndex
 			// Start reading commands on the socket and dispatching them to our provider
 			d.handlersWg.Go(func() {
 				handleErr := dispatch.Handle(ctx)
 				// The error is expected to happen if the nbd (socket connection) is closed
 				logger.L().Info(ctx, "closing handler for NBD commands",
 					zap.Error(handleErr),
-					zap.Uint32("device_index", deviceIndex),
+					zap.Uint32("device_index", devIdx),
 					zap.Int("socket_index", i),
 				)
 			})

packages/orchestrator/pkg/template/build/writer/postprocessor_test.go

@@ -2,6 +2,7 @@ package writer
 
 import (
 	"bytes"
+	"sync"
 	"testing"
 	"time"
 
@@ -12,14 +13,37 @@ import (
 	"github.com/e2b-dev/infra/packages/shared/pkg/logger"
 )
 
-func newTestCore(buf *bytes.Buffer) zapcore.Core {
+// syncBuffer wraps bytes.Buffer with a mutex for concurrent writes from
+// the PostProcessor goroutine and the test goroutine.
+type syncBuffer struct {
+	mu  sync.Mutex
+	buf bytes.Buffer
+}
+
+func (b *syncBuffer) Write(p []byte) (int, error) {
+	b.mu.Lock()
+	defer b.mu.Unlock()
+
+	return b.buf.Write(p)
+}
+
+func (b *syncBuffer) Sync() error { return nil }
+
+func (b *syncBuffer) String() string {
+	b.mu.Lock()
+	defer b.mu.Unlock()
+
+	return b.buf.String()
+}
+
+func newTestCore(buf *syncBuffer) zapcore.Core {
 	encoderCfg := zap.NewDevelopmentEncoderConfig()
 	encoderCfg.TimeKey = ""
 	encoder := zapcore.NewConsoleEncoder(encoderCfg)
 
 	core := zapcore.NewCore(
 		encoder,
-		zapcore.AddSync(buf),
+		buf,
 		zapcore.DebugLevel,
 	)
 
@@ -29,7 +53,7 @@ func newTestCore(buf *bytes.Buffer) zapcore.Core {
 func TestPostProcessor_Start(t *testing.T) {
 	t.Parallel()
 	ctx := t.Context()
-	var buf bytes.Buffer
+	var buf syncBuffer
 	core := newTestCore(&buf)
 
 	interval := time.Millisecond * 100