diff --git a/patches/neutron/dnsmasq b/patches/neutron/dnsmasq
new file mode 100644
index 0000000..9923e9a
--- /dev/null
+++ b/patches/neutron/dnsmasq
@@ -0,0 +1,4 @@
+#!/bin/bash
+# Wrapper for dnsmasq
+
+exec $SNAP/usr/sbin/dnsmasq-orig -u snap_daemon -g snap_daemon $@
diff --git a/snap-overlay/templates/libvirtd.conf.j2 b/snap-overlay/templates/libvirtd.conf.j2
index 72f9280..e6621a0 100644
--- a/snap-overlay/templates/libvirtd.conf.j2
+++ b/snap-overlay/templates/libvirtd.conf.j2
@@ -82,7 +82,7 @@
 # without becoming root.
 #
 # This is restricted to 'root' by default.
-unix_sock_group = "sudo"
+# unix_sock_group = "sudo"
 # Set the UNIX socket permissions for the R/O socket. This is used
 # for monitoring VM status only
diff --git a/snap-wrappers/ovs/ovs-wrapper b/snap-wrappers/ovs/ovs-wrapper
index b13aa75..0c276e5 100755
--- a/snap-wrappers/ovs/ovs-wrapper
+++ b/snap-wrappers/ovs/ovs-wrapper
@@ -13,9 +13,4 @@ mkdir -p ${OVS_LOGDIR}
 mkdir -p ${OVS_RUNDIR}
 mkdir -p ${OVS_SYSCONFDIR}/openvswitch
-# if ! snapctl is-connected openvswitch-support; then
-# echo "openvswitch-support is not connected. Exiting."
-# exit 0
-# fi
-
 exec $@
diff --git a/snapcraft.yaml b/snapcraft.yaml
index 8a144ce..5d56ddd 100644
--- a/snapcraft.yaml
+++ b/snapcraft.yaml
@@ -12,6 +12,9 @@ environment:
 PATH: $SNAP/usr/sbin:$SNAP/usr/bin:$SNAP/sbin:$SNAP/bin:$PATH
 OS_PLACEMENT_CONFIG_DIR: $SNAP/etc/nova/
+system-usernames:
+ snap_daemon: shared
+
 layout:
 # Libvirt/Qemu libs
 /usr/lib/$SNAPCRAFT_ARCH_TRIPLET/ceph:
@@ -265,6 +268,13 @@ apps:
 - network-control
 - netlink-connector
 - netlink-audit
+ - libvirt
+ - opengl
+ - raw-usb
+ - hardware-observe
+ - kvm
+ - kernel-module-observe
+
 virtlogd:
 command: virtlogd --pid $SNAP_DATA/virtlogd.pid
 daemon: simple
@@ -365,6 +375,7 @@ apps:
 command: microstack_launch
 plugs:
 - network
+ - network-control # could also be mount-observe
 # Cluster
 cluster-server:
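Review bot: The `$@` at the end of the `exec` line in patches/neutron/dnsmasq is unquoted, so any argument containing whitespace or glob characters is re-split or expanded before it reaches dnsmasq-orig; `$SNAP` is unquoted as well. Since the wrapper exists to force the `snap_daemon` user and group, the caller's arguments should pass through unchanged: `exec "$SNAP/usr/sbin/dnsmasq-orig" -u snap_daemon -g snap_daemon "$@"`. The caller's arguments come after the forced ones, so it is also worth confirming how dnsmasq resolves a repeated user or group option if the caller supplies its own.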
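Review bot: The `unix_sock_group` setting in snap-overlay/templates/libvirtd.conf.j2 is disabled by commenting it out with no record of why, which leaves a stale `"sudo"` value that a later editor may simply uncomment. Per the surrounding comment the socket group now falls back to 'root', so who can reach the read-write socket depends on the socket permission settings further down the file, outside this hunk, and those are worth checking together with this change. I would replace the dead line with a short explanation such as `# unix_sock_group left at the default (root): <reason for dropping the "sudo" group>`.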
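Review bot: The six plugs added in the `@@ -265,6 +268,13 @@` hunk of snapcraft.yaml (`libvirt`, `opengl`, `raw-usb`, `hardware-observe`, `kvm`, `kernel-module-observe`) widen what the app can reach under strict confinement, and none of them carries a reason. `raw-usb` and `opengl` in particular grant device access that is not obviously required to run virtual machines, so each plug should have a one-line comment naming the feature that needs it, and any plug that no test exercises should be dropped. The same applies to `network-control` in the `@@ -365,6 +375,7 @@` hunk, where `# could also be mount-observe` suggests the required interface was not pinned down; I would settle that and write `# network-control: <operation that needs it>` instead. The app entry that owns the first plug list starts above the hunk, so which daemon receives these interfaces is not visible here.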
@@ -573,6 +584,7 @@ parts:
 snapcraftctl build
 organize:
 '*' : patches/
+ 'usr/sbin/dnsmasq': patches/neutron/dnsmasq
 prime:
 - -*
@@ -766,6 +778,8 @@ parts:
 - --firmwarepath=/snap/$SNAPCRAFT_PROJECT_NAME/current/usr/share/seabios:/snap/$SNAPCRAFT_PROJECT_NAME/current/usr/share/qemu:/snap/$SNAPCRAFT_PROJECT_NAME/current/usr/lib/ipxe/qemu
 - --disable-user
 - --disable-linux-user
+ - --disable-bsd-user
+ - --disable-vhost-user
 - --enable-system
 - --target-list=x86_64-softmmu
 override-build: |
@@ -855,7 +869,17 @@ parts:
 apt source libvirt
 # Fix issue with running apt source as root
 dpkg-source --before-build libvirt-5.0.0
+ # Prevent libvirt from attempting to run setgroups
+ echo "
+
+ #undef HAVE_SETGROUPS
+ #undef HAVE_SETEUID
+ " >> libvirt-5.0.0/config-post.h
+
+ # Build
 snapcraftctl build
+ organize:
+ 'usr/sbin/dnsmasq-orig': usr/sbin/dnsmasq
 # MySQL
 mysql-server:
diff --git a/tests/framework.py b/tests/framework.py
index 928e378..984b03f 100644
--- a/tests/framework.py
+++ b/tests/framework.py
@@ -96,8 +96,8 @@ class Host():
 snap = self.snap
 print("Installing {}".format(snap))
- check(*self.prefix, 'sudo', 'snap', 'install',
- '--devmode', '--{}'.format(channel), snap)
+ check(*self.prefix, 'sudo', 'snap', 'install', '--devmode',
+ '--{}'.format(channel), snap)
 def init(self, flag='auto'):
 print("Initializing the snap with --{}".format(flag))
diff --git a/tools/connect.sh b/tools/connect.sh
new file mode 100644
index 0000000..bb7c706
--- /dev/null
+++ b/tools/connect.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+#
+# Utility script for connecting all the interfaces that MicroStack
+# wants. Useful for testing strict confinement. Not useful for use in
+# the deployed snap, as it can run from within a snap.
+
+set -e
+
+for i in `sudo snap connections microstack`; do
+ if [[ $i =~ ^microstack:.* ]]; then
+ echo $i;
+ sudo snap connect $i;
+ fi
+done
+
diff --git a/tools/init/init/main.py b/tools/init/init/main.py
index 2692f8b..ac3b33d 100644
--- a/tools/init/init/main.py
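Review bot: The `organize` entry added in the `@@ -573,6 +584,7 @@` hunk looks inverted: `organize` maps a source path to a destination, so `'usr/sbin/dnsmasq': patches/neutron/dnsmasq` would move a file out of usr/sbin into patches/ rather than install the wrapper as usr/sbin/dnsmasq. The entry `'usr/sbin/dnsmasq-orig': usr/sbin/dnsmasq` in the `@@ -855,7 +869,17 @@` hunk has the same shape, renaming dnsmasq-orig to dnsmasq although the wrapper execs `dnsmasq-orig`. If that reading is right, the binary at usr/sbin/dnsmasq may still be the real one and would run without the `-u snap_daemon -g snap_daemon` arguments the wrapper adds; the `prime:` / `- -*` context lines also suggest nothing from the patches part is primed. I would swap key and value in both entries and confirm the outcome by listing usr/sbin in the primed snap; both part definitions start above their hunks, so this needs checking against the full file.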
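Review bot: The block appended to libvirt-5.0.0/config-post.h in the `@@ -855,7 +869,17 @@` hunk undefines `HAVE_SETEUID` as well as `HAVE_SETGROUPS`, but the comment above it mentions only setgroups and neither macro's consequence is recorded. With `HAVE_SETGROUPS` undefined, libvirt code that switches a child process to another user would presumably no longer reset supplementary groups, so such a process could keep the groups of the daemon that started it; that trade-off belongs next to the change. I would extend the comment to something like `# Strict confinement denies setgroups/seteuid, so libvirt is built without them; privilege drops in child processes then do not reset supplementary groups`. The hard-coded `libvirt-5.0.0` path (shared with the `dpkg-source` context line) also means the append breaks as soon as `apt source` fetches a different version.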
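Review bot: The loop in tools/connect.sh passes `$i` unquoted to `echo` and `sudo snap connect`, and it connects every plug the snap declares without distinction, including the privileged interfaces this commit adds to snapcraft.yaml. For a test helper that is acceptable, but the expansions should be quoted: `for i in $(sudo snap connections microstack); do`, `echo "$i"` and `sudo snap connect "$i"`. The header comment says the script is not useful in the deployed snap "as it can run from within a snap", which reads as the opposite of what is meant; `as it cannot run from within a snap` is probably intended. The comment should also state that the script grants all declared interfaces, so it is only for test machines.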
+++ b/tools/init/init/main.py
@@ -38,7 +38,7 @@ import sys
 from functools import wraps
 from init.config import log
-from init.shell import default_network, call, check, check_output
+from init.shell import default_network, check, check_output
 from init import questions
@@ -103,25 +103,11 @@ def process_init_args(args):
 return auto
-def find_missing_plugs():
- missing = []
- if not call('snapctl', 'is-connected', 'openvswitch-support'):
- missing.append("microstack:openvswitch-support")
- return missing
-
-
 @requires_sudo
 def init() -> None:
 args = parse_init_args()
 auto = process_init_args(args)
- # missing_plugs = find_missing_plugs()
- # for plug in missing_plugs:
- # log.critical("Missing {plug}. Please run snap connect "
- # "{plug} to continue".format(plug=plug))
- # if missing_plugs:
- # sys.exit(1)
-
 question_list = [
 questions.Clustering(),
 questions.Dns(),