diff --git a/build/COPY_ROOT/opt/ai-dock/bin/build/layer0/clean.sh b/build/COPY_ROOT/opt/ai-dock/bin/build/layer0/clean.sh index 1a21b42..4ddae39 100755 --- a/build/COPY_ROOT/opt/ai-dock/bin/build/layer0/clean.sh +++ b/build/COPY_ROOT/opt/ai-dock/bin/build/layer0/clean.sh @@ -3,4 +3,10 @@ # Tidy up and keep image small apt-get clean -y micromamba clean -ay -rm -rf /tmp/* \ No newline at end of file + +fix-permissions.sh -o container + +rm -rf /tmp/* + +rm /etc/ld.so.cache +ldconfig diff --git a/build/COPY_ROOT/opt/ai-dock/bin/build/layer0/init.sh b/build/COPY_ROOT/opt/ai-dock/bin/build/layer0/init.sh index 47f20d6..c8d77e9 100755 --- a/build/COPY_ROOT/opt/ai-dock/bin/build/layer0/init.sh +++ b/build/COPY_ROOT/opt/ai-dock/bin/build/layer0/init.sh @@ -2,6 +2,7 @@ # Must exit and fail to build if any command fails set -eo pipefail +umask 002 source /opt/ai-dock/bin/build/layer0/common.sh @@ -16,6 +17,4 @@ else exit 1 fi -fix-permissions.sh -o container - source /opt/ai-dock/bin/build/layer0/clean.sh \ No newline at end of file diff --git a/build/COPY_ROOT/opt/ai-dock/bin/preflight.sh b/build/COPY_ROOT/opt/ai-dock/bin/preflight.sh index 9a447ff..a107692 100755 --- a/build/COPY_ROOT/opt/ai-dock/bin/preflight.sh +++ b/build/COPY_ROOT/opt/ai-dock/bin/preflight.sh @@ -3,11 +3,6 @@ # This file will be sourced in init.sh function preflight_main() { - if [[ -z $COTURN_PASSWORD ]]; then - export COTURN_PASSWORD="auto_$(openssl rand -base64 8)" - env-store COTURN_PASSWORD - fi - desktop_dir="${WORKSPACE}/home/${USER_NAME}/Desktop" mkdir -p ${desktop_dir} chown ${USER_NAME}.${USER_NAME} "${desktop_dir}" diff --git a/build/COPY_ROOT/opt/ai-dock/bin/supervisor-coturn.sh b/build/COPY_ROOT/opt/ai-dock/bin/supervisor-coturn.sh index a48a47c..aba3037 100755 --- a/build/COPY_ROOT/opt/ai-dock/bin/supervisor-coturn.sh +++ b/build/COPY_ROOT/opt/ai-dock/bin/supervisor-coturn.sh 
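Review bot: `rm /etc/ld.so.cache` in clean.sh has no `-f`, so it returns non-zero whenever the cache file is absent. clean.sh is sourced from layer0/init.sh, which runs under `set -eo pipefail`, so that case would abort the image build. `rm -f /etc/ld.so.cache` keeps the step idempotent, and the `ldconfig` on the next line regenerates the file either way. Separately, `rm -rf /tmp/*` does not match dotfiles, so hidden files written to /tmp during the build stay in the image.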
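Review bot: `umask 002` in layer0/init.sh (and again at the top of layer1/init.sh) is added without a comment, and it makes every file and directory these build scripts create group-writable by default. Child processes inherit the mask, so anything the scripts launch is affected too. Read together with the `COPY --chown=0:1111` change in the Dockerfile this looks deliberate, but the intent should be stated next to the line, e.g. `# Files created during the build are group-writable so gid 1111 can modify them at runtime`. It would also help to say which paths are expected to stay writable by root only, so a later permissions pass can be checked against that.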
@@ -7,7 +7,7 @@ LISTEN_PORT="${COTURN_PORT_HOST:-3478}" COTURN_LISTEN_ADDRESS=${COTURN_LISTEN_ADDRESS:-${EXTERNAL_IP_ADDRESS}} function cleanup() { - kill $(lsof -t -i:$LISTEN_PORT) > /dev/null 2>&1 & + fuser -k -SIGTERM ${LISTEN_PORT}/tcp > /dev/null 2>&1 & wait -n } @@ -24,6 +24,7 @@ function start() { exec sleep 10 fi + fuser -k -SIGKILL ${LISTEN_PORT}/tcp > /dev/null 2>&1 & printf "Starting ${SERVICE_NAME}...\n" turnserver \ -n \ diff --git a/build/COPY_ROOT/opt/ai-dock/bin/supervisor-kasmvnc.sh b/build/COPY_ROOT/opt/ai-dock/bin/supervisor-kasmvnc.sh index 7937274..5c7d12e 100755 --- a/build/COPY_ROOT/opt/ai-dock/bin/supervisor-kasmvnc.sh +++ b/build/COPY_ROOT/opt/ai-dock/bin/supervisor-kasmvnc.sh @@ -6,11 +6,12 @@ LISTEN_PORT=${VNC_PORT_LOCAL:-16200} METRICS_PORT=${VNC_METRICS_PORT:-26200} PROXY_PORT=${VNC_PORT_HOST:-6200} PROXY_SECURE=true +QUICKTUNNELS=true SERVICE_NAME="KDE Plasma Desktop (VNC Fallback)" function cleanup() { rm /run/http_ports/$PROXY_PORT > /dev/null 2>&1 - kill $(lsof -t -i:$LISTEN_PORT) > /dev/null 2>&1 & + fuser -k -SIGTERM ${LISTEN_PORT}/tcp > /dev/null 2>&1 & wait -n } @@ -34,7 +35,7 @@ function start() { printf "%s\n" "$file_content" > /run/http_ports/$PROXY_PORT - kill $(lsof -t -i:$LISTEN_PORT) > /dev/null 2>&1 & + fuser -k -SIGKILL ${LISTEN_PORT}/tcp > /dev/null 2>&1 & wait -n printf "Starting ${SERVICE_NAME}...\n" diff --git a/build/COPY_ROOT/opt/ai-dock/bin/supervisor-selkies-gstreamer.sh b/build/COPY_ROOT/opt/ai-dock/bin/supervisor-selkies-gstreamer.sh index 97c6eb8..91efae3 100755 --- a/build/COPY_ROOT/opt/ai-dock/bin/supervisor-selkies-gstreamer.sh +++ b/build/COPY_ROOT/opt/ai-dock/bin/supervisor-selkies-gstreamer.sh 
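Review bot: In start() of supervisor-coturn.sh the new `fuser -k -SIGKILL ${LISTEN_PORT}/tcp > /dev/null 2>&1 &` is backgrounded and followed directly by the `turnserver` launch. There is no `wait` in between, whereas the same line in supervisor-kasmvnc.sh and supervisor-selkies-gstreamer.sh is followed by `wait -n`. The kill can therefore race the new server: turnserver may fail to bind because the old listener is still alive, or the late fuser may kill the freshly started turnserver once it holds the port. Dropping the `&` and quoting the argument (`fuser -k -SIGKILL "${LISTEN_PORT}/tcp" > /dev/null 2>&1 || true`) removes the race. Note also that `/tcp` matches only TCP sockets, while the replaced `lsof -i:$LISTEN_PORT` matched UDP as well, so a stale process bound only on UDP would no longer be cleaned up. start() begins and ends outside the hunk.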
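Review bot: `QUICKTUNNELS=true` is introduced in supervisor-kasmvnc.sh (and in supervisor-selkies-gstreamer.sh) with no comment, and nothing in the hunk shows what reads it. If it causes the desktop to be published through an externally reachable tunnel, that is a change in exposure for a full interactive desktop session and should be documented next to the variable. A comment such as `# Publish via quick tunnel; requests still pass through the authenticated proxy (PROXY_SECURE=true)` would do, provided that is actually how it behaves. If proxy authentication does not cover tunnel traffic, an opt-in default would be safer than a hard-coded `true`.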
@@ -6,11 +6,12 @@ LISTEN_PORT=${SELKIES_PORT_LOCAL:-16100} METRICS_PORT=${SELKIES_METRICS_PORT:-26100} PROXY_PORT=${SELKIES_PORT_HOST:-6100} PROXY_SECURE=true +QUICKTUNNELS=true SERVICE_NAME="KDE Plasma Desktop (WebRTC)" function cleanup() { rm -f /run/http_ports/$PROXY_PORT - kill $(lsof -t -i:$LISTEN_PORT) > /dev/null 2>&1 & + fuser -k -SIGTERM ${LISTEN_PORT}/tcp > /dev/null 2>&1 & wait -n } @@ -35,7 +36,7 @@ function start() { printf "%s\n" "$file_content" > /run/http_ports/$PROXY_PORT - kill $(lsof -t -i:$LISTEN_PORT) > /dev/null 2>&1 & + fuser -k -SIGKILL ${LISTEN_PORT}/tcp > /dev/null 2>&1 & wait -n printf "Starting ${SERVICE_NAME}...\n" diff --git a/build/COPY_ROOT_EXTRA/opt/ai-dock/bin/build/layer1/init.sh b/build/COPY_ROOT_EXTRA/opt/ai-dock/bin/build/layer1/init.sh index 8c6de02..185f297 100755 --- a/build/COPY_ROOT_EXTRA/opt/ai-dock/bin/build/layer1/init.sh +++ b/build/COPY_ROOT_EXTRA/opt/ai-dock/bin/build/layer1/init.sh @@ -1,7 +1,7 @@ #!/bin/bash # Override this file to add extras to your build - +umask 002 # Wine, Winetricks, Lutris, and PlayOnLinux, this process must be consistent with https://wiki.winehq.org/Ubuntu mkdir -pm755 /etc/apt/keyrings @@ -42,3 +42,4 @@ $APT_INSTALL \ gimp \ inkscape +fix-permissions -o container \ No newline at end of file diff --git a/build/Dockerfile b/build/Dockerfile index a88f932..953a473 100644 --- a/build/Dockerfile +++ b/build/Dockerfile @@ -63,10 +63,10 @@ ARG WINE_BRANCH=staging ENV WINE_BRANCH=${WINE_BRANCH} # Copy early so we can use scripts in the build - Changes to these files will invalidate the cache and cause a rebuild. -COPY ./COPY_ROOT/ / +COPY --chown=0:1111 ./COPY_ROOT/ / ENV OPT_SYNC=$OPT_SYNC -ENV IMAGE_SLUG="desktop" +ENV IMAGE_SLUG="linux-desktop" # Use build scripts to ensure we can build all targets from one Dockerfile in a single layer. # Don't put anything heavy in here - We can use multi-stage building above if necessary. 
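Review bot: The line added at the end of layer1/init.sh calls `fix-permissions -o container`, while clean.sh in this same commit calls `fix-permissions.sh -o container`. Unless both names exist on PATH this is a typo and the command exits with status 127. As the last command in the script, that becomes the script's exit status, and the Dockerfile's `set -eo pipefail` RUN step fails on it. Suggested: `fix-permissions.sh -o container`. The visible lines of layer1/init.sh also show no `set -e`, so earlier failures in the script would go unnoticed; adding `set -eo pipefail` as in layer0/init.sh would make the two layers behave alike.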
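Review bot: The `--chown=0:1111` on `COPY ./COPY_ROOT/ /` (and on the matching COPY_ROOT_EXTRA line in the next hunk) gives gid 1111 group ownership of every copied file. That includes the /opt/ai-dock/bin scripts that run during the build and, presumably, as root at container start. COPY keeps the source file modes, so anything group-writable in the repository becomes writable by members of that group in the image, which for root-executed scripts is a privilege-escalation path inside the container. Either strip group write from executables after the copy (`chmod -R g-w /opt/ai-dock/bin`, if group write is not needed there) or narrow the `--chown` to the directories that must be shared. The bare `1111` would also benefit from a comment naming the group it refers to.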
@@ -74,7 +74,7 @@ ENV IMAGE_SLUG="desktop" RUN set -eo pipefail && /opt/ai-dock/bin/build/layer0/init.sh | tee /var/log/build.log # Copy overrides and new files into a final layer for fast rebuilds. Uncomment below -COPY ./COPY_ROOT_EXTRA/ / +COPY --chown=0:1111 ./COPY_ROOT_EXTRA/ / RUN set -eo pipefail && /opt/ai-dock/bin/build/layer1/init.sh | tee -a /var/log/build.log # Keep init.sh as-is and place additional logic in /opt/ai-dock/bin/preflight.sh diff --git a/docker-compose.yaml b/docker-compose.yaml index 3c917a5..cb266c2 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -28,9 +28,6 @@ services: #- "/dev/kfd:/dev/kfd" volumes: - # For Rclone mount - #- /etc/passwd:/etc/passwd:ro - #- /etc/group:/etc/group:ro - ./config/rclone:/etc/rclone # Workspace - ./workspace:${WORKSPACE:-/workspace}:rshared @@ -82,13 +79,10 @@ services: - SSH_PORT_HOST=${SSH_PORT_HOST:-2222} - SSH_PORT_LOCAL=${SSH_PORT_LOCAL:-22} - SERVICEPORTAL_PORT_HOST=${SERVICEPORTAL_PORT_HOST:-1111} - - SERVICEPORTAL_PORT_LOCAL=${SERVICEPORTAL_PORT_LOCAL:-11111} - SERVICEPORTAL_METRICS_PORT=${SERVICEPORTAL_METRICS_PORT:-21111} - VNC_PORT_HOST=${VNC_PORT_HOST:-6200} - - VNC_PORT_LOCAL=${VNC_PORT_LOCAL:-16200} - VNC_METRICS_PORT=${VNC_METRICS_PORT:-26200} - WEBRTC_PORT_HOST=${WEBRTC_PORT_HOST:-6100} - - WEBRTC_PORT_LOCAL=${WEBRTC_PORT_LOCAL:-16100} - WEBRTC_METRICS_PORT=${WEBRTC_METRICS_PORT:-26100} - SERVERLESS=${SERVERLESS:-false} #- PROVISIONING_SCRIPT=https://raw.githubusercontent.com/ai-dock/python/main/config/provisioning/default.sh