diff --git a/flock/container.c b/flock/container.c
index 9e8aaa2d..597e6c42 100644
--- a/flock/container.c
+++ b/flock/container.c
@@ -471,7 +471,7 @@ container_start(void)
 /* create socketpair before forking to do communication */
 int fds[2];
- int e = socketpair(AF_UNIX, SOCK_STREAM, 0, fds);
+ int e = socketpair(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0, fds);
 if (e < 0)
 die("Failed to create internal socketpair: %m");
@@ -1161,7 +1161,7 @@ hypervisor_container_fork(void)
 int fds[2], e;
 /* create socketpair before forking to do communication */
- e = socketpair(AF_UNIX, SOCK_STREAM, 0, fds);
+ e = socketpair(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0, fds);
 if (e < 0)
 die("Failed to create internal socketpair: %m");
@@ -1196,6 +1196,7 @@ hypervisor_container_fork(void)
 /* noreturn child side */
 close(fds[0]);
+ hexp_cleanup_after_fork();
 container_forker_fd = fds[1];
 this_thread_id |= 0xf000;
diff --git a/flock/flock.c b/flock/flock.c
index 5c062642..a5a129c0 100644
--- a/flock/flock.c
+++ b/flock/flock.c
@@ -285,15 +285,15 @@ main(int argc, char **argv, char **argh UNUSED)
 * let's spawn a child to do external communication before unsharing */
 hypervisor_exposed_fork();
- /* We also need to prepare all the hypervisor-init stuff */
- hypervisor_control_socket();
-
- /* And now finally we can go for unsharing the networks */
+ /* And now we can unshare the networks */
 SYSCALL(unshare, CLONE_NEWNET);
- /* Before resuming, we also need to fork the container forker */
+ /* Before running in multiple threads, we also need to fork the container forker */
 hypervisor_container_fork();
+ /* Control socket needs to exist */
+ hypervisor_control_socket();
+
 /* Set signal handlers as this process is init in its PID namespace */
 signal(SIGTERM, hypervisor_poweroff_sighandler);
 signal(SIGINT, hypervisor_poweroff_sighandler);
diff --git a/flock/flock.h b/flock/flock.h
index 81c9ef3f..1abb6c58 100644
--- a/flock/flock.h
+++ b/flock/flock.h
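Review bot: The new `hexp_cleanup_after_fork();` call in the child of hypervisor_container_fork() runs before `this_thread_id |= 0xf000;` on the following line, so the birdloop_enter()/birdloop_leave() pair inside it executes while the child still carries the parent's thread id. If the loop locking records or checks this_thread_id, that attribution is wrong for exactly the lines meant to drop the parent's state; moving the call after the id update, `this_thread_id |= 0xf000; hexp_cleanup_after_fork();`, keeps the cleanup the first thing done under the child's own identity. Whether the locking consults this_thread_id is not visible in this hunk, so confirm before reordering. hypervisor_container_fork's body continues outside the hunk.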
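Review bot: The new comment `/* Control socket needs to exist */` above the moved hypervisor_control_socket() call does not record why the call now sits below hypervisor_container_fork(), so a later reorder could silently put it back in front of the fork. Presumably the point is that the forker child must not inherit the control socket, which the old order handed it through fork(); suggest `/* Create the control socket only after the forker child has been spawned so it does not inherit the socket */`, checked against the commit's intent. The ordering is a security boundary rather than a convenience, and the comment should say so. main's body continues outside the hunk on both sides.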
@@ -50,6 +50,8 @@ void hypervisor_container_request(sock *s, const char *name, const char *basedir
 void hypervisor_container_shutdown(sock *s, const char *name);
 int container_ctl_fd(const char *name);
+void hexp_cleanup_after_fork(void);
+
 extern event reboot_event, poweroff_event;
 extern event_list shutdown_event_list;
diff --git a/flock/hypervisor.c b/flock/hypervisor.c
index 8717c039..50fff418 100644
--- a/flock/hypervisor.c
+++ b/flock/hypervisor.c
@@ -356,7 +356,7 @@ hypervisor_exposed_fork(void)
 int fds[2], e;
 /* create socketpair before forking to do communication */
- e = socketpair(AF_UNIX, SOCK_STREAM, 0, fds);
+ e = socketpair(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0, fds);
 if (e < 0)
 die("Failed to create internal socketpair: %m");
@@ -402,6 +402,14 @@ hypervisor_exposed_fork(void)
 birdloop_minimalist_main();
 }
+void
+hexp_cleanup_after_fork(void)
+{
+ birdloop_enter(he.loop);
+ rp_free(he.p);
+ birdloop_leave(he.loop);
+ birdloop_free(he.loop);
+}
 /**
 * Hypervisor's mapping between external ports and names
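Review bot: The new prototype `void hexp_cleanup_after_fork(void);` carries no comment on when it may be called, yet its definition in hypervisor.c frees he.p and he.loop, which appear to be the state set up by hypervisor_exposed_fork(), so it is only valid once, in a freshly forked child, and never in the parent. The declaration is where callers will look for that contract; suggest `/* Drop the exposed-fork state inherited from the parent; call once in a forked child, after hypervisor_exposed_fork() */`. Nothing in the definition guards against a second call or a call from the parent, so the comment is the only protection.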
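Review bot: hexp_cleanup_after_fork() frees he.p and he.loop but leaves both pointers in the file-scope `he` dangling, so any later access to he in the forker child, or a second call of this function, is a use-after-free or double free with nothing to catch it. Clearing them after the frees, `he.p = NULL; he.loop = NULL;`, turns a stray access into a null dereference that fails loudly. The function also has no header comment; one stating that it runs only in a freshly forked child to release the state inherited from the parent would help, since that purpose is visible only from the call site in hypervisor_container_fork(). The old side's birdloop_minimalist_main() call belongs to hypervisor_exposed_fork, whose body starts outside the hunk.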