Dockerize .NET: SDK Builds, Runtime-Only Images, Production Ready

The .NET SDK image is 800+ MB — it includes compilers, NuGet tooling, and debug symbols you never need in production. Yet many teams deploy with FROM mcr.microsoft.com/dotnet/sdk:8.0 because the Dockerfile was copy-pasted from a tutorial.

A proper multi-stage build uses the SDK image for dotnet publish and a runtime-only or chiseled image for the final stage, cutting image size to 80-120 MB and removing the attack surface of build tooling.

Two-stage build using Microsoft's official images:

• Build stage: FROM mcr.microsoft.com/dotnet/sdk:8.0 AS build — runs dotnet restore first (lockfile layer cache), then dotnet publish -c Release -o /app/publish --no-restore with optional -p:PublishTrimmed=true for AOT-compatible apps.
• Runtime stage: FROM mcr.microsoft.com/dotnet/aspnet:8.0-jammy-chiseled — the chiseled variant is a distroless-like Ubuntu image with no shell, no package manager, and non-root by default. Copies published output to /app.

Compose file sets ASPNETCORE_URLS=http://+:8080, maps the port, includes a health check against /health, and sets DOTNET_EnableDiagnostics=0 to disable diagnostics in production.

• Multi-stage Dockerfile with chiseled runtime image — 80-120 MB
• docker-compose.yml with health checks, resource limits, and non-root execution
• NuGet restore layer caching for fast rebuilds
• Optional native AOT build for sub-50 MB images and millisecond startup
• CI pipeline with dotnet restore cache and Docker layer cache