From d7f32f3ee5e8cb19d0207bc9b55f60090a623574 Mon Sep 17 00:00:00 2001
From: Nathan Flurry
Date: Wed, 28 Jan 2026 01:59:35 -0800
Subject: [PATCH] fix: use Alpine with native musl for arm64 Docker builds

---
 docker/runtime/Dockerfile | 114 ++++++++++++++++++++++----------------
 1 file changed, 66 insertions(+), 48 deletions(-)

diff --git a/docker/runtime/Dockerfile b/docker/runtime/Dockerfile
index 0393865..06c322b 100644
--- a/docker/runtime/Dockerfile
+++ b/docker/runtime/Dockerfile
@@ -1,13 +1,14 @@
 # syntax=docker/dockerfile:1.10.0

-# Build stage - compile the binary
-FROM rust:1.88.0 AS builder
-
 ARG TARGETARCH

+# ============================================================================
+# AMD64 Builder - Uses cross-tools musl toolchain
+# ============================================================================
+FROM rust:1.88.0 AS builder-amd64
+
 ENV DEBIAN_FRONTEND=noninteractive

-# Install dependencies (g++-multilib not available on arm64)
 RUN apt-get update && apt-get install -y \
 musl-tools \
 musl-dev \
@@ -18,72 +19,89 @@ RUN apt-get update && apt-get install -y \
 pkg-config \
 ca-certificates \
 g++ \
+ g++-multilib \
 git \
 curl \
 wget && \
 rm -rf /var/lib/apt/lists/*

-# Install musl cross toolchain for amd64 only
-# On arm64, we build natively using musl-gcc from musl-tools (already installed)
-RUN if [ "$TARGETARCH" = "amd64" ]; then \
- wget -q https://github.com/cross-tools/musl-cross/releases/latest/download/x86_64-unknown-linux-musl.tar.xz && \
- tar -xf x86_64-unknown-linux-musl.tar.xz -C /opt/ && \
- rm x86_64-unknown-linux-musl.tar.xz && \
- rustup target add x86_64-unknown-linux-musl; \
- elif [ "$TARGETARCH" = "arm64" ]; then \
- rustup target add aarch64-unknown-linux-musl; \
- fi
+# Download cross-tools musl toolchain
+RUN wget -q https://github.com/cross-tools/musl-cross/releases/latest/download/x86_64-unknown-linux-musl.tar.xz && \
+ tar -xf x86_64-unknown-linux-musl.tar.xz -C /opt/ && \
+ rm x86_64-unknown-linux-musl.tar.xz && \
+ rustup target add x86_64-unknown-linux-musl

-# Set environment variables based on architecture
-ENV LIBCLANG_PATH=/usr/lib/llvm-14/lib \
+ENV PATH="/opt/x86_64-unknown-linux-musl/bin:$PATH" \
+ LIBCLANG_PATH=/usr/lib/llvm-14/lib \
 CLANG_PATH=/usr/bin/clang-14 \
+ CC_x86_64_unknown_linux_musl=x86_64-unknown-linux-musl-gcc \
+ CXX_x86_64_unknown_linux_musl=x86_64-unknown-linux-musl-g++ \
+ AR_x86_64_unknown_linux_musl=x86_64-unknown-linux-musl-ar \
+ CARGO_TARGET_X86_64_UNKNOWN_LINUX_MUSL_LINKER=x86_64-unknown-linux-musl-gcc \
 CARGO_INCREMENTAL=0 \
 CARGO_NET_GIT_FETCH_WITH_CLI=true

-# Build OpenSSL for musl target (amd64 only - arm64 uses rustls)
+# Build OpenSSL for musl
 ENV SSL_VER=1.1.1w
-RUN if [ "$TARGETARCH" = "amd64" ]; then \
- export PATH="/opt/x86_64-unknown-linux-musl/bin:$PATH" && \
- wget https://www.openssl.org/source/openssl-$SSL_VER.tar.gz && \
- tar -xzf openssl-$SSL_VER.tar.gz && \
- cd openssl-$SSL_VER && \
- ./Configure no-shared no-async --prefix=/musl --openssldir=/musl/ssl linux-x86_64 && \
- make -j$(nproc) && \
- make install_sw && \
- cd .. && \
- rm -rf openssl-$SSL_VER*; \
- fi
+RUN wget https://www.openssl.org/source/openssl-$SSL_VER.tar.gz && \
+ tar -xzf openssl-$SSL_VER.tar.gz && \
+ cd openssl-$SSL_VER && \
+ ./Configure no-shared no-async --prefix=/musl --openssldir=/musl/ssl linux-x86_64 && \
+ make -j$(nproc) && \
+ make install_sw && \
+ cd .. && \
+ rm -rf openssl-$SSL_VER*

-# Set OpenSSL environment variables (only used on amd64)
 ENV OPENSSL_DIR=/musl \
 OPENSSL_INCLUDE_DIR=/musl/include \
 OPENSSL_LIB_DIR=/musl/lib \
- PKG_CONFIG_ALLOW_CROSS=1
+ PKG_CONFIG_ALLOW_CROSS=1 \
+ RUSTFLAGS="-C target-feature=+crt-static -C link-arg=-static-libgcc"

 WORKDIR /build
 COPY . .

-# Build static binary based on architecture
 RUN --mount=type=cache,target=/usr/local/cargo/registry \
 --mount=type=cache,target=/usr/local/cargo/git \
 --mount=type=cache,target=/build/target \
- if [ "$TARGETARCH" = "amd64" ]; then \
- export PATH="/opt/x86_64-unknown-linux-musl/bin:$PATH" && \
- export CC_x86_64_unknown_linux_musl=x86_64-unknown-linux-musl-gcc && \
- export CXX_x86_64_unknown_linux_musl=x86_64-unknown-linux-musl-g++ && \
- export AR_x86_64_unknown_linux_musl=x86_64-unknown-linux-musl-ar && \
- export CARGO_TARGET_X86_64_UNKNOWN_LINUX_MUSL_LINKER=x86_64-unknown-linux-musl-gcc && \
- export RUSTFLAGS="-C target-feature=+crt-static -C link-arg=-static-libgcc" && \
- SANDBOX_AGENT_SKIP_INSPECTOR=1 cargo build -p sandbox-agent --release --target x86_64-unknown-linux-musl && \
- cp target/x86_64-unknown-linux-musl/release/sandbox-agent /sandbox-agent; \
- elif [ "$TARGETARCH" = "arm64" ]; then \
- export CC_aarch64_unknown_linux_musl=musl-gcc && \
- export AR_aarch64_unknown_linux_musl=ar && \
- export CARGO_TARGET_AARCH64_UNKNOWN_LINUX_MUSL_LINKER=musl-gcc && \
- export RUSTFLAGS="-C target-feature=+crt-static" && \
- SANDBOX_AGENT_SKIP_INSPECTOR=1 cargo build -p sandbox-agent --release --target aarch64-unknown-linux-musl && \
- cp target/aarch64-unknown-linux-musl/release/sandbox-agent /sandbox-agent; \
- fi
+ SANDBOX_AGENT_SKIP_INSPECTOR=1 cargo build -p sandbox-agent --release --target x86_64-unknown-linux-musl && \
+ cp target/x86_64-unknown-linux-musl/release/sandbox-agent /sandbox-agent
+
+# ============================================================================
+# ARM64 Builder - Uses Alpine with native musl
+# ============================================================================
+FROM rust:1.88-alpine AS builder-arm64
+
+RUN apk add --no-cache \
+ musl-dev \
+ clang \
+ llvm-dev \
+ openssl-dev \
+ openssl-libs-static \
+ pkgconfig \
+ git \
+ curl \
+ build-base
+
+RUN rustup target add aarch64-unknown-linux-musl
+
+ENV CARGO_INCREMENTAL=0 \
+ CARGO_NET_GIT_FETCH_WITH_CLI=true \
+ RUSTFLAGS="-C target-feature=+crt-static"
+
+WORKDIR /build
+COPY . .
+
+RUN --mount=type=cache,target=/usr/local/cargo/registry \
+ --mount=type=cache,target=/usr/local/cargo/git \
+ --mount=type=cache,target=/build/target \
+ SANDBOX_AGENT_SKIP_INSPECTOR=1 cargo build -p sandbox-agent --release --target aarch64-unknown-linux-musl && \
+ cp target/aarch64-unknown-linux-musl/release/sandbox-agent /sandbox-agent
+
+# ============================================================================
+# Select the appropriate builder based on target architecture
+# ============================================================================
+FROM builder-${TARGETARCH} AS builder

 # Runtime stage - minimal image
 FROM debian:bookworm-slim
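Review bot: Both downloads in the `builder-amd64` stage (which opens in the previous hunk) are unverified, and the musl cross toolchain is fetched from `releases/latest/download/…`, so the compiler and linker that produce the shipped static binary can change silently between builds. Pin that URL to a fixed release tag and check a digest before each `tar` extraction, for example `echo "<EXPECTED_SHA256>  x86_64-unknown-linux-musl.tar.xz" | sha256sum -c - && \` (placeholder digest, to be taken from the pinned release), with the same check for `openssl-$SSL_VER.tar.gz`. `SSL_VER=1.1.1w` is the last public release of the 1.1.1 branch, which upstream stopped supporting in September 2023, so the amd64 binary statically links a TLS library that no longer receives public fixes while the new arm64 stage builds against Alpine's packaged `openssl-dev`; a supported 3.x release on amd64 would bring the two architectures in line. `rust:1.88-alpine` is also pinned more loosely than `rust:1.88.0`, so pinning both `FROM` lines by digest would keep the two builders reproducible.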