From bddc1a8027c75069a15cc0b2e179f5fdaad70649 Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Thu, 19 Mar 2026 10:48:46 +0000
Subject: [PATCH] fix: use musl static linking to eliminate glibc version
 dependency

Build hiy-server targeting aarch64-unknown-linux-musl so the binary
has no glibc dependency at all, making the runtime image irrelevant
to glibc version mismatches. Uses rustls (already in Cargo.toml) so
no OpenSSL vendoring needed. SQLite is bundled by sqlx.
---
 infra/Dockerfile.server | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/infra/Dockerfile.server b/infra/Dockerfile.server
index 0d0f321..da31c42 100644
--- a/infra/Dockerfile.server
+++ b/infra/Dockerfile.server
@@ -1,22 +1,25 @@
 # ── Build stage ───────────────────────────────────────────────────────────────
-FROM rust:1.94-slim-bookworm AS builder
-
-WORKDIR /build
+FROM rust:1.84-slim-bookworm AS builder
 
 RUN apt-get update && apt-get install -y \
-    pkg-config libssl-dev \
+    pkg-config \
+    musl-tools \
     && rm -rf /var/lib/apt/lists/*
 
+RUN rustup target add aarch64-unknown-linux-musl
+
+WORKDIR /build
+
 # Cache dependencies separately from source.
 COPY Cargo.toml Cargo.lock* ./
 COPY server/Cargo.toml ./server/
 RUN mkdir -p server/src && echo 'fn main(){}' > server/src/main.rs
-RUN cargo build --release -p hiy-server 2>/dev/null || true
+RUN cargo build --release --target aarch64-unknown-linux-musl -p hiy-server 2>/dev/null || true
 RUN rm -f server/src/main.rs
 
 # Build actual source.
 COPY server/src ./server/src
-RUN touch server/src/main.rs && cargo build --release -p hiy-server
+RUN touch server/src/main.rs && cargo build --release --target aarch64-unknown-linux-musl -p hiy-server
 
 # ── Runtime stage ─────────────────────────────────────────────────────────────
 FROM debian:bookworm-slim
@@ -31,7 +34,7 @@ RUN apt-get update && apt-get install -y \
     docker.io \
     && rm -rf /var/lib/apt/lists/*
 
-COPY --from=builder /build/target/release/hiy-server /usr/local/bin/hiy-server
+COPY --from=builder /build/target/aarch64-unknown-linux-musl/release/hiy-server /usr/local/bin/hiy-server
 
 WORKDIR /app