diff --git a/.gitignore b/.gitignore
index 7c19065..d857657 100644
--- a/.gitignore
+++ b/.gitignore
@@ -104,3 +104,6 @@ Cargo.lock
 rust-project.json
 
 
+
+# Local cargo config (dev overrides for vm-manager path dep)
+.cargo/
diff --git a/crates/orchestrator/Cargo.toml b/crates/orchestrator/Cargo.toml
index 1319c9f..df8d7ec 100644
--- a/crates/orchestrator/Cargo.toml
+++ b/crates/orchestrator/Cargo.toml
@@ -8,7 +8,7 @@ build = "build.rs"
 
 [dependencies]
 common = { path = "../common" }
-vm-manager = { path = "../../../vm-manager/crates/vm-manager" }
+vm-manager = { git = "https://github.com/CloudNebulaProject/vm-manager.git", branch = "main" }
 clap = { version = "4", features = ["derive", "env"] }
 miette = { version = "7", features = ["fancy"] }
 thiserror = "1"
diff --git a/deploy/images/orchestrator/Containerfile b/deploy/images/orchestrator/Containerfile
index 1e42ddb..10b7f21 100644
--- a/deploy/images/orchestrator/Containerfile
+++ b/deploy/images/orchestrator/Containerfile
@@ -1,10 +1,26 @@
 # syntax=docker/dockerfile:1.7
-# Solstice Orchestrator container
+# Build Solstice Orchestrator
 # Uses vm-manager (direct QEMU) instead of libvirt — only needs /dev/kvm at runtime
-#
-# Pre-build the binary, then build the container:
-#   cargo build --release -p orchestrator
-#   docker build -f deploy/images/orchestrator/Containerfile -t local/solstice-orchestrator:latest .
+
+FROM docker.io/library/rust:bookworm AS builder
+ENV CARGO_HOME=/cargo
+WORKDIR /work
+# Install build dependencies: protoc, DB headers, pkg-config
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends \
+    protobuf-compiler libprotobuf-dev pkg-config libsqlite3-dev libpq-dev ca-certificates \
+ && rm -rf /var/lib/apt/lists/*
+# Configure cargo target-dir so it can be cached between layers
+RUN mkdir -p /cargo && printf "[build]\ntarget-dir = \"/cargo/target\"\n" > /cargo/config.toml
+# Copy source
+COPY Cargo.toml Cargo.lock ./
+COPY crates ./crates
+# Build orchestrator (vm-manager fetched as git dep from GitHub)
+RUN --mount=type=cache,target=/cargo/registry,sharing=locked \
+    --mount=type=cache,target=/cargo/git,sharing=locked \
+    --mount=type=cache,target=/cargo/target,sharing=locked \
+    cargo build --release -p orchestrator \
+    && cp /cargo/target/release/orchestrator /orchestrator
 
 FROM docker.io/library/ubuntu:24.04
 # Runtime: QEMU for VMs, qemu-utils for qemu-img, DB client libs
@@ -13,7 +29,6 @@ RUN apt-get update \
     libsqlite3-0 libpq5 ca-certificates \
     qemu-system-x86 qemu-utils \
  && rm -rf /var/lib/apt/lists/*
-COPY target/release/orchestrator /usr/local/bin/solstice-orchestrator
-RUN chmod +x /usr/local/bin/solstice-orchestrator
+COPY --from=builder /orchestrator /usr/local/bin/solstice-orchestrator
 EXPOSE 8081
 ENTRYPOINT ["/usr/local/bin/solstice-orchestrator"]