fix: support arm64 build for Linux (#1225)

Users were running into issues with glibc mismatches on arm64 linux. In
the past, we did not provide a musl build for arm64 Linux because we had
trouble getting the openssl dependency to build correctly. Though today
I just tried the same trick in `Cargo.toml` that we were doing for
`x86_64-unknown-linux-musl` (using `openssl-sys` with `features =
["vendored"]`), so I'm not sure what problem we had in the past the
builds "just worked" today!

Though one tweak that did have to be made is that the integration tests
for Seccomp/Landlock empirically require longer timeouts on arm64 linux,
or at least on the `ubuntu-24.04-arm` GitHub Runner. As such, we change
the timeouts for arm64 in `codex-rs/linux-sandbox/tests/landlock.rs`.

Though in solving this problem, I decided I needed a turnkey solution
for testing the Linux build(s) from my Mac laptop, so this PR introduces
`.devcontainer/Dockerfile` and `.devcontainer/devcontainer.json` to
facilitate this. Detailed instructions are in `.devcontainer/README.md`.

We will update `dotslash-config.json` and other release-related scripts
in a follow-up PR.

codex-rs/.gitignore

@@ -1 +1,7 @@
 /target/
+
+# Recommended value of CARGO_TARGET_DIR when using Docker as explained in .devcontainer/README.md.
+/target-amd64/
+
+# Value of CARGO_TARGET_DIR when using .devcontainer/devcontainer.json.
+/target-arm64/

codex-rs/core/Cargo.toml

@@ -59,6 +59,10 @@ seccompiler = "0.5.0"
 [target.x86_64-unknown-linux-musl.dependencies]
 openssl-sys = { version = "*", features = ["vendored"] }
 
+# Build OpenSSL from source for musl builds.
+[target.aarch64-unknown-linux-musl.dependencies]
+openssl-sys = { version = "*", features = ["vendored"] }
+
 [dev-dependencies]
 assert_cmd = "2"
 maplit = "1.0.2"

codex-rs/linux-sandbox/tests/landlock.rs

@@ -15,6 +15,23 @@ use std::sync::Arc;
 use tempfile::NamedTempFile;
 use tokio::sync::Notify;
 
+// At least on GitHub CI, the arm64 tests appear to need longer timeouts.
+
+#[cfg(not(target_arch = "aarch64"))]
+const SHORT_TIMEOUT_MS: u64 = 200;
+#[cfg(target_arch = "aarch64")]
+const SHORT_TIMEOUT_MS: u64 = 5_000;
+
+#[cfg(not(target_arch = "aarch64"))]
+const LONG_TIMEOUT_MS: u64 = 1_000;
+#[cfg(target_arch = "aarch64")]
+const LONG_TIMEOUT_MS: u64 = 5_000;
+
+#[cfg(not(target_arch = "aarch64"))]
+const NETWORK_TIMEOUT_MS: u64 = 2_000;
+#[cfg(target_arch = "aarch64")]
+const NETWORK_TIMEOUT_MS: u64 = 10_000;
+
 fn create_env_from_core_vars() -> HashMap<String, String> {
     let policy = ShellEnvironmentPolicy::default();
     create_env(&policy)
@@ -52,7 +69,7 @@ async fn run_cmd(cmd: &[&str], writable_roots: &[PathBuf], timeout_ms: u64) {
 
 #[tokio::test]
 async fn test_root_read() {
-    run_cmd(&["ls", "-l", "/bin"], &[], 200).await;
+    run_cmd(&["ls", "-l", "/bin"], &[], SHORT_TIMEOUT_MS).await;
 }
 
 #[tokio::test]
@@ -63,7 +80,7 @@ async fn test_root_write() {
     run_cmd(
         &["bash", "-lc", &format!("echo blah > {}", tmpfile_path)],
         &[],
-        200,
+        SHORT_TIMEOUT_MS,
     )
     .await;
 }
@@ -75,7 +92,7 @@ async fn test_dev_null_write() {
         &[],
         // We have seen timeouts when running this test in CI on GitHub,
         // so we are using a generous timeout until we can diagnose further.
-        1_000,
+        LONG_TIMEOUT_MS,
     )
     .await;
 }
@@ -93,7 +110,7 @@ async fn test_writable_root() {
         &[tmpdir.path().to_path_buf()],
         // We have seen timeouts when running this test in CI on GitHub,
         // so we are using a generous timeout until we can diagnose further.
-        1_000,
+        LONG_TIMEOUT_MS,
     )
     .await;
 }
@@ -115,7 +132,7 @@ async fn assert_network_blocked(cmd: &[&str]) {
         cwd,
         // Give the tool a generous 2-second timeout so even slow DNS timeouts
         // do not stall the suite.
-        timeout_ms: Some(2_000),
+        timeout_ms: Some(NETWORK_TIMEOUT_MS),
         env: create_env_from_core_vars(),
     };