e2b-dev · tomassrnka · Apr 1, 2026 · Apr 1, 2026 · Apr 1, 2026 · Apr 1, 2026
@@ -35,6 +35,10 @@ jobs:
       - name: Parse .tool-versions
         uses: wistia/parse-tool-versions@v2.1.1
 
+      - name: Fetch busybox for orchestrator embed
+        if: contains(matrix.modules, 'orchestrator')
+        run: make -C packages/orchestrator fetch-busybox
+
       - name: golangci-lint ${{ matrix.modules }}
         uses: golangci/golangci-lint-action@v8
         with:

@@ -56,6 +56,9 @@ jobs:
 
       - name: Setup orchestrator tests
         run: |
+          # Download busybox for go:embed
+          make -C packages/orchestrator fetch-busybox
+
           # Enable unprivileged uffd mode
           echo 1 | sudo tee /proc/sys/vm/unprivileged_userfaultfd
 

@@ -8,3 +8,7 @@ bin
 .shared
 /tmp
 .local-build
+
+# Downloaded at build time from fc-busybox release
+pkg/template/build/core/systeminit/busybox
+pkg/template/build/core/systeminit/busybox.stamp
@@ -3,7 +3,13 @@ ARG GOLANG_VERSION=1.25.4
 # It has to match with the host OS version (Ubuntu 22.04 = bookworm)
 ARG DEBIAN_VERSION=bookworm
 
+# Busybox version from fc-busybox GitHub release.
+# TARGETARCH is set automatically by Docker --platform.
+ARG BUSYBOX_VERSION=1.36.1
+
 FROM golang:${GOLANG_VERSION}-${DEBIAN_VERSION} AS builder
+ARG BUSYBOX_VERSION
+ARG TARGETARCH
 
 # Cached golang dependencies
 WORKDIR /build/shared
@@ -25,14 +31,27 @@ COPY ./shared/pkg ./shared/pkg
 COPY ./clickhouse/pkg ./clickhouse/pkg
 
 COPY ./orchestrator/pkg ./orchestrator/pkg
+
+# Download busybox from fc-busybox release for go:embed, verify against published SHA256SUMS.
+# Runs after COPY so the systeminit directory exists; overwrites any stale binary from build context.
+RUN RELEASE_URL="https://github.com/e2b-dev/fc-busybox/releases/download/v${BUSYBOX_VERSION}" \
+    && BINARY="busybox_v${BUSYBOX_VERSION}_${TARGETARCH}" \
+    && curl -sfL -o /tmp/${BINARY} "${RELEASE_URL}/${BINARY}" \
+    && curl -sfL -o /tmp/SHA256SUMS "${RELEASE_URL}/SHA256SUMS" \
+    && (cd /tmp && grep "${BINARY}" SHA256SUMS | sha256sum -c -) \
+    && mv /tmp/${BINARY} /build/orchestrator/pkg/template/build/core/systeminit/busybox \
+    && chmod +x /build/orchestrator/pkg/template/build/core/systeminit/busybox
 COPY ./orchestrator/cmd ./orchestrator/cmd
 COPY ./orchestrator/main.go ./orchestrator/main.go
 COPY ./orchestrator/Makefile ./orchestrator/Makefile
 
 WORKDIR /build/orchestrator
 
 ARG COMMIT_SHA
-RUN --mount=type=cache,target=/root/.cache/go-build make build-local COMMIT_SHA=${COMMIT_SHA}
+# Build directly (not via make build-local) to skip fetch-busybox — binary is already downloaded above.
+RUN --mount=type=cache,target=/root/.cache/go-build \
+    CGO_ENABLED=1 GOOS=linux go build -o bin/orchestrator -ldflags "-X=main.commitSHA=${COMMIT_SHA}" . \
+    && CGO_ENABLED=1 GOOS=linux go build -o bin/clean-nfs-cache -ldflags "-X=main.commitSHA=${COMMIT_SHA}" ./cmd/clean-nfs-cache
 
 FROM scratch
 

@@ -27,15 +27,37 @@ build:
 	$(eval COMMIT_SHA := $(shell git rev-parse --short HEAD))
 	@docker build --platform $(BUILD_PLATFORM) --output=bin --build-arg COMMIT_SHA="$(COMMIT_SHA)" -f ./Dockerfile ..
 
+BUSYBOX_VERSION ?= 1.36.1
+BUSYBOX_EMBED := pkg/template/build/core/systeminit/busybox
+BUSYBOX_STAMP := $(BUSYBOX_EMBED).stamp
+BUSYBOX_RELEASE_URL := https://github.com/e2b-dev/fc-busybox/releases/download/v$(BUSYBOX_VERSION)
+
+# Download busybox and verify SHA256 against published checksums.
+# Skips if binary exists and version/arch match the stamp file.
+.PHONY: fetch-busybox
+fetch-busybox:
+	@if [ ! -f $(BUSYBOX_EMBED) ] || [ "$$(cat $(BUSYBOX_STAMP) 2>/dev/null)" != "$(BUSYBOX_VERSION)-$(BUILD_ARCH)" ]; then \
+		BINARY="busybox_v$(BUSYBOX_VERSION)_$(BUILD_ARCH)"; \
+		echo "Downloading busybox v$(BUSYBOX_VERSION) ($(BUILD_ARCH))..."; \
+		curl -sfL -o /tmp/$$BINARY "$(BUSYBOX_RELEASE_URL)/$$BINARY" \
+			&& curl -sfL -o /tmp/SHA256SUMS "$(BUSYBOX_RELEASE_URL)/SHA256SUMS" \
+			&& (cd /tmp && grep "$$BINARY" SHA256SUMS | sha256sum -c -) \
+			&& mv /tmp/$$BINARY $(BUSYBOX_EMBED) \
+			&& chmod +x $(BUSYBOX_EMBED) \
+			&& echo "$(BUSYBOX_VERSION)-$(BUILD_ARCH)" > $(BUSYBOX_STAMP) \
+			&& rm -f /tmp/SHA256SUMS \
+			|| { rm -f /tmp/$$BINARY /tmp/SHA256SUMS; echo "ERROR: failed to download or verify busybox"; exit 1; }; \
+	fi
+
 .PHONY: build-local
-build-local:
+build-local: fetch-busybox
 	# Allow for passing commit sha directly for docker builds
 	$(eval COMMIT_SHA ?= $(shell git rev-parse --short HEAD))
 	CGO_ENABLED=1 GOOS=linux GOARCH=$(BUILD_ARCH) go build -o bin/orchestrator -ldflags "-X=main.commitSHA=$(COMMIT_SHA)" .
 	CGO_ENABLED=1 GOOS=linux GOARCH=$(BUILD_ARCH) go build -o bin/clean-nfs-cache -ldflags "-X=main.commitSHA=$(COMMIT_SHA)" ./cmd/clean-nfs-cache
 
 .PHONY: build-debug
-build-debug:
+build-debug: fetch-busybox
 	CGO_ENABLED=1 GOOS=linux GOARCH=$(BUILD_ARCH) go build -race -gcflags=all="-N -l" -o bin/orchestrator .
 
 .PHONY: run-debug

@@ -1,11 +1,11 @@
 //go:build amd64
 
-// Busybox v1.36.1 static binary for amd64 (musl, minimal ~16 applets).
-// Custom build added in #1002 — origin unknown, no distro tag in binary.
+// Busybox static binary for amd64.
+// Downloaded from https://github.com/e2b-dev/fc-busybox/releases at build time.
 
 package systeminit
 
 import _ "embed"
 
-//go:embed busybox_1.36.1-2_amd64
+//go:embed busybox
 var BusyboxBinary []byte
@@ -1,12 +1,11 @@
 //go:build arm64
 
-// Busybox v1.36.1 static binary for arm64 (glibc, full 271 applets).
-// Source: Debian busybox-static 1:1.36.1-9 (https://packages.debian.org/busybox-static)
-// TODO: rebuild both binaries from the same minimal config for consistency.
+// Busybox static binary for arm64.
+// Downloaded from https://github.com/e2b-dev/fc-busybox/releases at build time.
 
 package systeminit
 
 import _ "embed"
 
-//go:embed busybox_1.36.1-2_arm64
+//go:embed busybox
 var BusyboxBinary []byte