diff --git a/Makefile b/Makefile
index dca30d252..ac631eb1f 100644
--- a/Makefile
+++ b/Makefile
@@ -165,6 +165,11 @@ demo-network: $(PTP_BIN) $(HOSTLOCAL_BIN) $(TC_REDIRECT_TAP_BIN) $(FCNET_CONFIG)
 .PHONY: firecracker
 firecracker: $(FIRECRACKER_BIN) $(JAILER_BIN)
 
+.PHONY: install-firecracker
+install-firecracker: firecracker
+	install -D -o root -g root -m755 -t $(INSTALLROOT)/bin $(FIRECRACKER_BIN)
+	install -D -o root -g root -m755 -t $(INSTALLROOT)/bin $(JAILER_BIN)
+
 $(FIRECRACKER_DIR)/Cargo.toml:
 	git submodule update --init --recursive $(FIRECRACKER_DIR)
 
@@ -182,7 +187,7 @@ $(FIRECRACKER_BIN) $(JAILER_BIN): $(FIRECRACKER_DIR)/Cargo.toml tools/firecracke
 		-e HOME=/tmp \
 		--workdir /src \
 		localhost/$(FIRECRACKER_BUILDER_NAME):$(DOCKER_IMAGE_TAG) \
-		cargo build --release --features vsock --target $(FIRECRACKER_TARGET)
+		cargo build --release --target $(FIRECRACKER_TARGET)
 
 .PHONY: firecracker-clean
 firecracker-clean:
diff --git a/_submodules/firecracker b/_submodules/firecracker
index 7267a7d73..1e1cb6f8f 160000
--- a/_submodules/firecracker
+++ b/_submodules/firecracker
@@ -1 +1 @@
-Subproject commit 7267a7d73875da3e30bf0901448c56182ba87c20
+Subproject commit 1e1cb6f8f8003e0bdce11d265f0feb23249a03f6
diff --git a/agent/main.go b/agent/main.go
index 8307d4061..f2018bcf2 100644
--- a/agent/main.go
+++ b/agent/main.go
@@ -26,7 +26,6 @@ import (
 	taskAPI "github.com/containerd/containerd/runtime/v2/task"
 	"github.com/containerd/containerd/sys/reaper"
 	"github.com/containerd/ttrpc"
-	"github.com/mdlayher/vsock"
 	"github.com/opencontainers/runc/libcontainer/system"
 	"github.com/sirupsen/logrus"
 	"golang.org/x/sync/errgroup"
@@ -34,6 +33,7 @@ import (
 
 	"github.com/firecracker-microvm/firecracker-containerd/eventbridge"
 	"github.com/firecracker-microvm/firecracker-containerd/internal/event"
+	"github.com/firecracker-microvm/firecracker-containerd/internal/vm"
 )
 
 const (
@@ -93,8 +93,8 @@ func main() {
 
 	// Run ttrpc over vsock
 
-	log.G(shimCtx).WithField("port", port).Info("listening to vsock")
-	listener, err := vsock.Listen(uint32(port))
+	vsockLogger := log.G(shimCtx).WithField("port", port)
+	listener, err := vm.VSockListener(shimCtx, vsockLogger, uint32(port))
 	if err != nil {
 		log.G(shimCtx).WithError(err).Fatalf("failed to listen to vsock on port %d", port)
 	}
diff --git a/docs/getting-started.md b/docs/getting-started.md
index 406daff67..acb1dc77e 100644
--- a/docs/getting-started.md
+++ b/docs/getting-started.md
@@ -50,27 +50,6 @@ You need to have the following things in order to use firecracker-containerd:
 
 ## Setup
 
-### Build Firecracker with `vsock` support
-
-Clone the repository to your computer in a directory of your choice:
-
-```bash
-git clone https://github.com/firecracker-microvm/firecracker.git
-```
-Change into the new directory, and build with Cargo.  Make sure to enable the
-optional `vsock` feature using the `--features vsock` flag.
-
-> Note: Firecracker normally builds a statically-linked binary with musl libc.
-> On Amazon Linux 2, you must specify `--target x86_64-unknown-linux-gnu`
-> because musl libc is not available.  Switching to this target changes the set
-> of syscalls invoked by Firecracker.  If you intend to jail Firecracker using
-> seccomp, you must adjust your seccomp profile for these changes.
-
-```bash
-git checkout v0.17.0 # latest released tag
-cargo build --release --features vsock # --target x86_64-unknown-linux-gnu
-```
-
 ### Download appropriate kernel
 
 You can use the following kernel:
@@ -90,7 +69,7 @@ Clone this repository to your computer in a directory of your choice.
 We recommend choosing a directory outside of `$GOPATH` or `~/go`.
 
 ```bash
-git clone https://github.com/firecracker-microvm/firecracker-containerd
+git clone --recurse-submodules https://github.com/firecracker-microvm/firecracker-containerd
 make all
 ```
 
@@ -111,6 +90,21 @@ Once you have built the runtime, be sure to place the following binaries on your
 You can use the `make install` target to install the files to `/usr/local/bin`,
 or specify a different `INSTALLROOT` if you prefer another location.
 
+### Build Firecracker
+
+From the repository cloned in the previous step, run
+```bash
+make firecracker
+```
+
+Once you have built firecracker, be sure to place the following binaries on your
+`$PATH`:
+* `_submodules/firecracker/target/x86_64-unknown-linux-musl/release/firecracker`
+* `_submodules/firecracker/target/x86_64-unknown-linux-musl/release/jailer`
+
+You can use the `make install-firecracker` target to install the files to `/usr/local/bin`,
+or specify a different `INSTALLROOT` if you prefer another location.
+
 ### Build a root filesystem
 
 The firecracker-containerd repository includes an image builder component that
diff --git a/docs/quickstart.md b/docs/quickstart.md
index d183e5d29..914b01401 100644
--- a/docs/quickstart.md
+++ b/docs/quickstart.md
@@ -41,21 +41,8 @@ sudo DEBIAN_FRONTEND=noninteractive apt-get \
   git \
   curl \
   e2fsprogs \
-  musl-tools \
   util-linux
 
-# Install Rust
-curl https://sh.rustup.rs -sSf | sh -s -- --verbose -y --default-toolchain 1.32.0
-source $HOME/.cargo/env
-rustup target add x86_64-unknown-linux-musl
-
-# Check out Firecracker and build it from the v0.17.0 tag
-git clone https://github.com/firecracker-microvm/firecracker.git
-cd firecracker
-git checkout v0.17.0
-cargo build --release --features vsock --target x86_64-unknown-linux-musl
-sudo cp target/x86_64-unknown-linux-musl/release/{firecracker,jailer} /usr/local/bin
-
 cd ~
 
 # Install Docker CE
@@ -87,9 +74,8 @@ cd ~
 git clone https://github.com/firecracker-microvm/firecracker-containerd.git
 cd firecracker-containerd
 sudo DEBIAN_FRONTEND=noninteractive apt-get install -y dmsetup
-sg docker -c 'make all image'
-sudo make install
-sudo make demo-network
+sg docker -c 'make all image firecracker'
+sudo make install install-firecracker demo-network
 
 cd ~
 
@@ -142,9 +128,6 @@ sudo tee /etc/containerd/firecracker-runtime.json <<EOF
   }]
 }
 EOF
-
-# Enable vhost-vsock
-sudo modprobe vhost-vsock
 ```
 
 4. Open a new terminal and start the `naive_snapshotter` program in the
diff --git a/examples/Makefile b/examples/Makefile
index ee4fd0541..a5bf4c80b 100644
--- a/examples/Makefile
+++ b/examples/Makefile
@@ -40,7 +40,7 @@ integ-test:
 		--env EXTRAGOARGS="${EXTRAGOARGS}" \
 		--workdir="/firecracker-containerd/examples" \
 		localhost/firecracker-containerd-naive-integ-test:${DOCKER_IMAGE_TAG} \
-		"make examples && make testtap && ./taskworkflow -ip $(TEST_IP)$(TEST_SUBNET) -gw $(TEST_GATEWAY)"
+		"make examples && make testtap && sleep 3 && ./taskworkflow -ip $(TEST_IP)$(TEST_SUBNET) -gw $(TEST_GATEWAY)"
 
 TEST_GATEWAY?=172.16.0.1
 TEST_IP?=172.16.0.2
diff --git a/go.mod b/go.mod
index 372c1db22..a7500f6f4 100644
--- a/go.mod
+++ b/go.mod
@@ -16,7 +16,7 @@ require (
 	github.com/docker/go-events v0.0.0-20170721190031-9461782956ad // indirect
 	github.com/docker/go-metrics v0.0.0-20181218153428-b84716841b82 // indirect
 	github.com/docker/go-units v0.3.3
-	github.com/firecracker-microvm/firecracker-go-sdk v0.17.1-0.20190912001513-a4afb10dd9d7
+	github.com/firecracker-microvm/firecracker-go-sdk v0.17.1-0.20190920221449-6afccc1d121f
 	github.com/go-ole/go-ole v1.2.4 // indirect
 	github.com/godbus/dbus v0.0.0-20181025153459-66d97aec3384 // indirect
 	github.com/gofrs/uuid v3.2.0+incompatible
diff --git a/go.sum b/go.sum
index 163c6d7fc..f392e4c23 100644
--- a/go.sum
+++ b/go.sum
@@ -59,8 +59,8 @@ github.com/docker/go-metrics v0.0.0-20181218153428-b84716841b82 h1:X0fj836zx99zF
 github.com/docker/go-metrics v0.0.0-20181218153428-b84716841b82/go.mod h1:/u0gXw0Gay3ceNrsHubL3BtdOL2fHf93USgMTe0W5dI=
 github.com/docker/go-units v0.3.3 h1:Xk8S3Xj5sLGlG5g67hJmYMmUgXv5N4PhkjJHHqrwnTk=
 github.com/docker/go-units v0.3.3/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
-github.com/firecracker-microvm/firecracker-go-sdk v0.17.1-0.20190912001513-a4afb10dd9d7 h1:9suT/hW4u++sJdgHLU1duoiRuRHwrGf/RKSKG2prsJY=
-github.com/firecracker-microvm/firecracker-go-sdk v0.17.1-0.20190912001513-a4afb10dd9d7/go.mod h1:tVXziw7GjioCKVjI5/agymYxUaqJM6q7cp9e6kwjo8Q=
+github.com/firecracker-microvm/firecracker-go-sdk v0.17.1-0.20190920221449-6afccc1d121f h1:G81Ey0lQDWCqwdIRq6aLN5RyYbnSDx2O7FKFl433shc=
+github.com/firecracker-microvm/firecracker-go-sdk v0.17.1-0.20190920221449-6afccc1d121f/go.mod h1:tVXziw7GjioCKVjI5/agymYxUaqJM6q7cp9e6kwjo8Q=
 github.com/globalsign/mgo v0.0.0-20180905125535-1ca0a4f7cbcb h1:D4uzjWwKYQ5XnAvUbuvHW93esHg7F8N/OYeBBcJoTr0=
 github.com/globalsign/mgo v0.0.0-20180905125535-1ca0a4f7cbcb/go.mod h1:xkRDCp4j0OGD1HRkm4kmhM+pmpv3AKq5SU7GMg4oO/Q=
 github.com/go-ole/go-ole v1.2.4 h1:nNBDSCOigTSiarFpYE9J/KtEA1IOW4CNeqT9TQDqCxI=
diff --git a/internal/common.go b/internal/common.go
index 74cb07bb6..182b516db 100644
--- a/internal/common.go
+++ b/internal/common.go
@@ -31,6 +31,9 @@ const (
 
 	// FirecrackerSockName is the name of the Firecracker VMM API socket
 	FirecrackerSockName = "firecracker.sock"
+	// FirecrackerVSockName is the name of the Firecracker VSock unix path used for communication
+	// between the runtime and the agent
+	FirecrackerVSockName = "firecracker.vsock"
 	// FirecrackerLogFifoName is the name of the Firecracker VMM log FIFO
 	FirecrackerLogFifoName = "fc-logs.fifo"
 	// FirecrackerMetricsFifoName is the name of the Firecracker VMM metrics FIFO
diff --git a/internal/vm/dir.go b/internal/vm/dir.go
index 94bb1d20a..8281790c9 100644
--- a/internal/vm/dir.go
+++ b/internal/vm/dir.go
@@ -83,6 +83,12 @@ func (d Dir) FirecrackerSockPath() string {
 	return filepath.Join(d.RootPath(), internal.FirecrackerSockName)
 }
 
+// FirecrackerVSockPath returns the path to the vsock unix socket that the runtime uses
+// to communicate with the VM agent.
+func (d Dir) FirecrackerVSockPath() string {
+	return filepath.Join(d.RootPath(), internal.FirecrackerVSockName)
+}
+
 // FirecrackerLogFifoPath returns the path to the FIFO at which the firecracker VMM writes
 // its logs
 func (d Dir) FirecrackerLogFifoPath() string {
diff --git a/internal/vm/vsock.go b/internal/vm/vsock.go
index 53c22e99a..a5b38e3b2 100644
--- a/internal/vm/vsock.go
+++ b/internal/vm/vsock.go
@@ -15,125 +15,157 @@ package vm
 
 import (
 	"context"
+	"fmt"
 	"net"
-	"strings"
 	"time"
 
 	"github.com/mdlayher/vsock"
+	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 )
 
 const (
-	vsockConnectTimeout = 20 * time.Second
+	vsockRetryTimeout      = 20 * time.Second
+	vsockRetryInterval     = 100 * time.Millisecond
+	unixDialTimeout        = 100 * time.Millisecond
+	vsockConnectMsgTimeout = 100 * time.Millisecond
+	vsockAckMsgTimeout     = 1 * time.Second
 )
 
-// VSockDial attempts to connect to a vsock listener at the provided cid and port with a hardcoded number
-// of retries.
-func VSockDial(reqCtx context.Context, logger *logrus.Entry, contextID, port uint32) (net.Conn, error) {
-	// Retries occur every 100ms up to vsockConnectTimeout
-	const retryInterval = 100 * time.Millisecond
-	ctx, cancel := context.WithTimeout(reqCtx, vsockConnectTimeout)
+// VSockDial attempts to connect to the Firecracker host-side vsock at the provided unix
+// path and port. It will retry connect attempts if a temporary error is encountered (up
+// to a fixed timeout) or the provided request is canceled.
+func VSockDial(reqCtx context.Context, logger *logrus.Entry, udsPath string, port uint32) (net.Conn, error) {
+	ctx, cancel := context.WithTimeout(reqCtx, vsockRetryTimeout)
 	defer cancel()
 
+	tickerCh := time.NewTicker(vsockRetryInterval).C
 	var attemptCount int
-	for range time.NewTicker(retryInterval).C {
+	for {
 		attemptCount++
-		logger = logger.WithField("attempt", attemptCount)
+		logger := logger.WithField("attempt", attemptCount)
 
 		select {
 		case <-ctx.Done():
 			return nil, ctx.Err()
-		default:
-			conn, err := vsock.Dial(contextID, port)
-			if err == nil {
-				logger.WithField("connection", conn).Debug("vsock dial succeeded")
-				return conn, nil
-			}
-
-			// ENXIO and ECONNRESET can be returned while the VM+agent are still in the midst of booting
-			if isTemporaryNetErr(err) || isENXIO(err) || isECONNRESET(err) {
-				logger.WithError(err).Debug("temporary vsock dial failure")
+		case <-tickerCh:
+			conn, err := tryConnect(logger, udsPath, port)
+			if isTemporaryNetErr(err) {
+				err = errors.Wrap(err, "temporary vsock dial failure")
+				logger.WithError(err).Debug()
 				continue
+			} else if err != nil {
+				err = errors.Wrap(err, "non-temporary vsock dial failure")
+				logger.WithError(err).Error()
+				return nil, err
 			}
 
-			logger.WithError(err).Error("non-temporary vsock dial failure")
-			return nil, err
+			return conn, nil
 		}
 	}
-
-	panic("unreachable code") // appeases the compiler, which doesn't know the for loop is infinite
 }
 
-// VSockDialConnector provides an IOConnector interface to the VSockDial function.
-func VSockDialConnector(contextID, port uint32) IOConnector {
-	return func(procCtx context.Context, logger *logrus.Entry) <-chan IOConnectorResult {
-		returnCh := make(chan IOConnectorResult)
-
-		go func() {
-			defer close(returnCh)
-
-			conn, err := VSockDial(procCtx, logger, contextID, port)
-			returnCh <- IOConnectorResult{
-				ReadWriteCloser: conn,
-				Err:             err,
-			}
-		}()
-
-		return returnCh
-	}
+type vsockListener struct {
+	listener net.Listener
+	port     uint32
+	ctx      context.Context
+	logger   *logrus.Entry
 }
 
-func vsockAccept(reqCtx context.Context, logger *logrus.Entry, port uint32) (net.Conn, error) {
+// VSockListener returns a net.Listener implementation for guest-side Firecracker vsock
+// connections.
+func VSockListener(ctx context.Context, logger *logrus.Entry, port uint32) (net.Listener, error) {
 	listener, err := vsock.Listen(port)
 	if err != nil {
 		return nil, err
 	}
 
-	defer listener.Close()
+	return vsockListener{
+		listener: listener,
+		port:     port,
+		ctx:      ctx,
+		logger:   logger,
+	}, nil
+}
 
-	// Retries occur every 10ms up to vsockConnectTimeout
-	const retryInterval = 10 * time.Millisecond
-	ctx, cancel := context.WithTimeout(reqCtx, vsockConnectTimeout)
+func (l vsockListener) Accept() (net.Conn, error) {
+	ctx, cancel := context.WithTimeout(l.ctx, vsockRetryTimeout)
 	defer cancel()
 
 	var attemptCount int
-	for range time.NewTicker(retryInterval).C {
+	tickerCh := time.NewTicker(vsockRetryInterval).C
+	for {
 		attemptCount++
-		logger = logger.WithField("attempt", attemptCount)
+		logger := l.logger.WithField("attempt", attemptCount)
 
 		select {
 		case <-ctx.Done():
 			return nil, ctx.Err()
-		default:
-			// accept is non-blocking so try to accept until we get a connection
-			conn, err := listener.Accept()
-			if err == nil {
-				return conn, nil
-			}
-
+		case <-tickerCh:
+			conn, err := tryAccept(logger, l.listener, l.port)
 			if isTemporaryNetErr(err) {
-				logger.WithError(err).Debug("temporary stdio vsock accept failure")
+				err = errors.Wrap(err, "temporary vsock accept failure")
+				logger.WithError(err).Debug()
 				continue
+			} else if err != nil {
+				err = errors.Wrap(err, "non-temporary vsock accept failure")
+				logger.WithError(err).Error()
+				return nil, err
 			}
 
-			logger.WithError(err).Error("non-temporary stdio vsock accept failure")
-			return nil, err
+			return conn, nil
 		}
 	}
+}
+
+func (l vsockListener) Close() error {
+	return l.listener.Close()
+}
+
+func (l vsockListener) Addr() net.Addr {
+	return l.listener.Addr()
+}
 
-	panic("unreachable code") // appeases the compiler, which doesn't know the for loop is infinite
+// VSockDialConnector returns an IOConnector for establishing vsock connections
+// that are dialed from the host to a guest listener.
+func VSockDialConnector(udsPath string, port uint32) IOConnector {
+	return func(procCtx context.Context, logger *logrus.Entry) <-chan IOConnectorResult {
+		returnCh := make(chan IOConnectorResult)
+
+		go func() {
+			defer close(returnCh)
+
+			conn, err := VSockDial(procCtx, logger, udsPath, port)
+			returnCh <- IOConnectorResult{
+				ReadWriteCloser: conn,
+				Err:             err,
+			}
+		}()
+
+		return returnCh
+	}
 }
 
-// VSockAcceptConnector provides an IOConnector that establishes the connection by listening on the provided
-// vsock port and accepting the first connection that comes in.
+// VSockAcceptConnector provides an IOConnector that establishes the connection by listening
+// on the provided guest-side vsock port and accepting the first connection that comes in.
 func VSockAcceptConnector(port uint32) IOConnector {
 	return func(procCtx context.Context, logger *logrus.Entry) <-chan IOConnectorResult {
 		returnCh := make(chan IOConnectorResult)
 
+		listener, err := VSockListener(procCtx, logger, port)
+		if err != nil {
+			returnCh <- IOConnectorResult{
+				Err: err,
+			}
+			close(returnCh)
+			return returnCh
+		}
+
 		go func() {
 			defer close(returnCh)
+			defer listener.Close()
 
-			conn, err := vsockAccept(procCtx, logger, port)
+			conn, err := listener.Accept()
 			returnCh <- IOConnectorResult{
 				ReadWriteCloser: conn,
 				Err:             err,
@@ -144,23 +176,153 @@ func VSockAcceptConnector(port uint32) IOConnector {
 	}
 }
 
-func isTemporaryNetErr(err error) bool {
-	terr, ok := err.(interface {
-		Temporary() bool
-	})
+func vsockConnectMsg(port uint32) string {
+	// The message a host-side connection must write after connecting to a firecracker
+	// vsock unix socket in order to establish a connection with a guest-side listener
+	// at the provided port number. This is specified in Firecracker documentation:
+	// https://github.com/firecracker-microvm/firecracker/blob/master/docs/vsock.md#host-initiated-connections
+	return fmt.Sprintf("CONNECT %d\n", port)
+}
 
-	return err != nil && ok && terr.Temporary()
+func vsockAckMsg(port uint32) string {
+	// The message a guest-side connection will write after accepting a connection from
+	// a host dial. This is not part of the official Firecracker vsock spec, but is
+	// recommended in order to allow the host to verify connections were established
+	// successfully: https://github.com/firecracker-microvm/firecracker/issues/1272#issuecomment-533004066
+	return fmt.Sprintf("IMALIVE %d\n", port)
+}
+
+// tryConnect attempts to dial a guest vsock listener at the provided host-side
+// unix socket and provided guest-listener port.
+func tryConnect(logger *logrus.Entry, udsPath string, port uint32) (net.Conn, error) {
+	conn, err := net.DialTimeout("unix", udsPath, unixDialTimeout)
+	if err != nil {
+		return nil, err
+	}
+
+	defer func() {
+		if err != nil {
+			closeErr := conn.Close()
+			if closeErr != nil {
+				logger.WithError(closeErr).Error(
+					"failed to close vsock socket after previous error")
+			}
+		}
+	}()
+
+	err = tryConnWrite(conn, vsockConnectMsg(port), vsockConnectMsgTimeout)
+	if err != nil {
+		return nil, vsockConnectMsgError{cause: err}
+	}
+
+	err = tryConnRead(conn, vsockAckMsg(port), vsockAckMsgTimeout)
+	if err != nil {
+		return nil, vsockAckError{cause: err}
+	}
+	return conn, nil
+}
+
+// tryAccept attempts to accept a single host-side connection from the provided
+// guest-side listener at the provided port.
+func tryAccept(logger *logrus.Entry, listener net.Listener, port uint32) (net.Conn, error) {
+	conn, err := listener.Accept()
+	if err != nil {
+		return nil, err
+	}
+
+	defer func() {
+		if err != nil {
+			closeErr := conn.Close()
+			if closeErr != nil {
+				logger.WithError(closeErr).Error(
+					"failed to close vsock after previous error")
+			}
+		}
+	}()
+
+	err = tryConnWrite(conn, vsockAckMsg(port), vsockAckMsgTimeout)
+	if err != nil {
+		return nil, vsockAckError{cause: err}
+	}
+
+	return conn, nil
+}
+
+// tryConnRead will try to do a read from the provided conn, returning an error if
+// the bytes read does not match what was provided or if the read does not complete
+// within the provided timeout. It will reset socket deadlines to none after returning.
+// It's only intended to be used for connect/ack messages, not general purpose reads
+// after the vsock connection is established fully.
+func tryConnRead(conn net.Conn, expectedRead string, timeout time.Duration) error {
+	conn.SetDeadline(time.Now().Add(timeout))
+	defer conn.SetDeadline(time.Time{})
+
+	actualRead := make([]byte, len(expectedRead))
+	_, err := conn.Read(actualRead)
+	if err != nil {
+		return err
+	}
+
+	if expectedRead != string(actualRead) {
+		return errors.Errorf("expected to read %q, but instead read %q",
+			expectedRead, string(actualRead))
+	}
+
+	return nil
+}
+
+// tryConnWrite will try to do a write to the provided conn, returning an error if
+// the write fails, is partial or does not complete within the provided timeout. It
+// will reset socket deadlines to none after returning. It's only intended to be
+// used for connect/ack messages, not general purpose writes after the vsock
+// connection is established fully.
+func tryConnWrite(conn net.Conn, expectedWrite string, timeout time.Duration) error {
+	conn.SetDeadline(time.Now().Add(timeout))
+	defer conn.SetDeadline(time.Time{})
+
+	bytesWritten, err := conn.Write([]byte(expectedWrite))
+	if err != nil {
+		return err
+	}
+	if bytesWritten != len(expectedWrite) {
+		return errors.Errorf("incomplete write, expected %d bytes but wrote %d",
+			len(expectedWrite), bytesWritten)
+	}
+
+	return nil
 }
 
-// Unfortunately, as "documented" on various online forums, there's no ideal way to
-// test for actual Linux error codes returned by the net library or wrappers
-// around that library. The common approach is to fall back on string matching,
-// which is done for the functions below
+type vsockConnectMsgError struct {
+	cause error
+}
 
-func isENXIO(err error) bool {
-	return strings.HasSuffix(err.Error(), "no such device")
+func (e vsockConnectMsgError) Error() string {
+	return errors.Wrap(e.cause, "vsock connect message failure").Error()
 }
 
-func isECONNRESET(err error) bool {
-	return strings.HasSuffix(err.Error(), "connection reset by peer")
+func (e vsockConnectMsgError) Temporary() bool {
+	return false
+}
+
+type vsockAckError struct {
+	cause error
+}
+
+func (e vsockAckError) Error() string {
+	return errors.Wrap(e.cause, "vsock ack message failure").Error()
+}
+
+func (e vsockAckError) Temporary() bool {
+	return true
+}
+
+// isTemporaryNetErr returns whether the provided error is a retriable
+// error, according to the interface defined here:
+// https://golang.org/pkg/net/#Error
+func isTemporaryNetErr(err error) bool {
+	terr, ok := err.(interface {
+		Temporary() bool
+	})
+
+	return err != nil && ok && terr.Temporary()
 }
diff --git a/runtime/service.go b/runtime/service.go
index f4242c9fe..7dca20958 100644
--- a/runtime/service.go
+++ b/runtime/service.go
@@ -22,9 +22,7 @@ import (
 	"strconv"
 	"strings"
 	"sync"
-	"syscall"
 	"time"
-	"unsafe"
 
 	// disable gosec check for math/rand. We just need a random starting
 	// place to start looking for CIDs; no need for cryptographically
@@ -81,8 +79,6 @@ var (
 	// type assertions
 	_ taskAPI.TaskService = &service{}
 	_ shim.Init           = NewService
-
-	sysCall = syscall.Syscall
 )
 
 // implements shimapi
@@ -127,7 +123,6 @@ type service struct {
 
 	machine          *firecracker.Machine
 	machineConfig    *firecracker.Config
-	machineCID       uint32
 	vsockIOPortCount uint32
 	vsockPortMu      sync.Mutex
 }
@@ -463,11 +458,6 @@ func (s *service) createVM(requestCtx context.Context, request *proto.CreateVMRe
 
 	s.logger.Info("creating new VM")
 
-	s.machineCID, vsockFd, err = findNextAvailableVsockCID(requestCtx)
-	if err != nil {
-		return errors.Wrapf(err, "failed to find vsock for VM")
-	}
-
 	s.machineConfig, err = s.buildVMConfiguration(request)
 	if err != nil {
 		return errors.Wrapf(err, "failed to build VM configuration")
@@ -485,22 +475,12 @@ func (s *service) createVM(requestCtx context.Context, request *proto.CreateVMRe
 		return errors.Wrapf(err, "failed to create new machine instance")
 	}
 
-	// Close the vsock FD before starting the machine so firecracker doesn't get EADDRINUSE.
-	// This technically leaves us vulnerable to race conditions, but given the small time
-	// window and the fact that we choose a random CID from a 32bit range, the chances are
-	// infinitesimal. This will also no longer be an issue when firecracker implements its
-	// new vsock model.
-	err = vsockFd.Close()
-	if err != nil {
-		return errors.Wrapf(err, "failed to close vsock")
-	}
-
 	if err = s.machine.Start(s.shimCtx); err != nil {
 		return errors.Wrapf(err, "failed to start the VM")
 	}
 
 	s.logger.Info("calling agent")
-	conn, err := vm.VSockDial(requestCtx, s.logger, s.machineCID, defaultVsockPort)
+	conn, err := vm.VSockDial(requestCtx, s.logger, s.shimDir.FirecrackerVSockPath(), defaultVsockPort)
 	if err != nil {
 		return errors.Wrapf(err, "failed to dial the VM over vsock")
 	}
@@ -557,7 +537,6 @@ func (s *service) GetVMInfo(requestCtx context.Context, request *proto.GetVMInfo
 
 	return &proto.GetVMInfoResponse{
 		VMID:            s.vmID,
-		ContextID:       s.machineCID,
 		SocketPath:      s.machineConfig.SocketPath,
 		LogFifoPath:     s.machineConfig.LogFifo,
 		MetricsFifoPath: s.machineConfig.MetricsFifo,
@@ -586,20 +565,21 @@ func (s *service) SetVMMetadata(requestCtx context.Context, request *proto.SetVM
 }
 
 func (s *service) buildVMConfiguration(req *proto.CreateVMRequest) (*firecracker.Config, error) {
-	logger := s.logger.WithField("cid", s.machineCID)
-
 	cfg := firecracker.Config{
-		SocketPath:   s.shimDir.FirecrackerSockPath(),
-		VsockDevices: []firecracker.VsockDevice{{Path: "root", CID: s.machineCID}},
-		LogFifo:      s.shimDir.FirecrackerLogFifoPath(),
-		MetricsFifo:  s.shimDir.FirecrackerMetricsFifoPath(),
-		MachineCfg:   machineConfigurationFromProto(s.config, req.MachineCfg),
-		LogLevel:     s.config.LogLevel,
-		Debug:        s.config.Debug,
-		VMID:         s.vmID,
+		SocketPath: s.shimDir.FirecrackerSockPath(),
+		VsockDevices: []firecracker.VsockDevice{{
+			Path: s.shimDir.FirecrackerVSockPath(),
+			ID:   "agent_api",
+		}},
+		LogFifo:     s.shimDir.FirecrackerLogFifoPath(),
+		MetricsFifo: s.shimDir.FirecrackerMetricsFifoPath(),
+		MachineCfg:  machineConfigurationFromProto(s.config, req.MachineCfg),
+		LogLevel:    s.config.LogLevel,
+		Debug:       s.config.Debug,
+		VMID:        s.vmID,
 	}
 
-	logger.Debugf("using socket path: %s", cfg.SocketPath)
+	s.logger.Debugf("using socket path: %s", cfg.SocketPath)
 
 	// Kernel configuration
 
@@ -625,7 +605,7 @@ func (s *service) buildVMConfiguration(req *proto.CreateVMRequest) (*firecracker
 	}
 
 	// Create stub drives first and let stub driver handler manage the drives
-	handler, err := newStubDriveHandler(s.shimDir.RootPath(), logger, containerCount)
+	handler, err := newStubDriveHandler(s.shimDir.RootPath(), s.logger, containerCount)
 	if err != nil {
 		return nil, errors.Wrap(err, "failed to create stub drives")
 	}
@@ -740,14 +720,14 @@ func (s *service) Create(requestCtx context.Context, request *taskAPI.CreateTask
 		if request.Stdin != "" {
 			stdinConnectorPair = &vm.IOConnectorPair{
 				ReadConnector:  vm.FIFOConnector(request.Stdin),
-				WriteConnector: vm.VSockDialConnector(s.machineCID, extraData.StdinPort),
+				WriteConnector: vm.VSockDialConnector(s.shimDir.FirecrackerVSockPath(), extraData.StdinPort),
 			}
 		}
 
 		var stdoutConnectorPair *vm.IOConnectorPair
 		if request.Stdout != "" {
 			stdoutConnectorPair = &vm.IOConnectorPair{
-				ReadConnector:  vm.VSockDialConnector(s.machineCID, extraData.StdoutPort),
+				ReadConnector:  vm.VSockDialConnector(s.shimDir.FirecrackerVSockPath(), extraData.StdoutPort),
 				WriteConnector: vm.FIFOConnector(request.Stdout),
 			}
 		}
@@ -755,7 +735,7 @@ func (s *service) Create(requestCtx context.Context, request *taskAPI.CreateTask
 		var stderrConnectorPair *vm.IOConnectorPair
 		if request.Stderr != "" {
 			stderrConnectorPair = &vm.IOConnectorPair{
-				ReadConnector:  vm.VSockDialConnector(s.machineCID, extraData.StderrPort),
+				ReadConnector:  vm.VSockDialConnector(s.shimDir.FirecrackerVSockPath(), extraData.StderrPort),
 				WriteConnector: vm.FIFOConnector(request.Stderr),
 			}
 		}
@@ -850,14 +830,14 @@ func (s *service) Exec(requestCtx context.Context, req *taskAPI.ExecProcessReque
 		if req.Stdin != "" {
 			stdinConnectorPair = &vm.IOConnectorPair{
 				ReadConnector:  vm.FIFOConnector(req.Stdin),
-				WriteConnector: vm.VSockDialConnector(s.machineCID, extraData.StdinPort),
+				WriteConnector: vm.VSockDialConnector(s.shimDir.FirecrackerVSockPath(), extraData.StdinPort),
 			}
 		}
 
 		var stdoutConnectorPair *vm.IOConnectorPair
 		if req.Stdout != "" {
 			stdoutConnectorPair = &vm.IOConnectorPair{
-				ReadConnector:  vm.VSockDialConnector(s.machineCID, extraData.StdoutPort),
+				ReadConnector:  vm.VSockDialConnector(s.shimDir.FirecrackerVSockPath(), extraData.StdoutPort),
 				WriteConnector: vm.FIFOConnector(req.Stdout),
 			}
 		}
@@ -865,7 +845,7 @@ func (s *service) Exec(requestCtx context.Context, req *taskAPI.ExecProcessReque
 		var stderrConnectorPair *vm.IOConnectorPair
 		if req.Stderr != "" {
 			stderrConnectorPair = &vm.IOConnectorPair{
-				ReadConnector:  vm.VSockDialConnector(s.machineCID, extraData.StderrPort),
+				ReadConnector:  vm.VSockDialConnector(s.shimDir.FirecrackerVSockPath(), extraData.StderrPort),
 				WriteConnector: vm.FIFOConnector(req.Stderr),
 			}
 		}
@@ -1102,63 +1082,6 @@ func (s *service) Cleanup(requestCtx context.Context) (*taskAPI.DeleteResponse,
 	}, nil
 }
 
-// findNextAvailableVsockCID finds first available vsock context ID.
-// It uses VHOST_VSOCK_SET_GUEST_CID ioctl which allows some CID ranges to be statically reserved in advance.
-// The ioctl fails with EADDRINUSE if cid is already taken and with EINVAL if the CID is invalid.
-// Taken from https://bugzilla.redhat.com/show_bug.cgi?id=1291851
-func findNextAvailableVsockCID(requestCtx context.Context) (cid uint32, file *os.File, err error) {
-	const (
-		// Corresponds to VHOST_VSOCK_SET_GUEST_CID in vhost.h
-		ioctlVsockSetGuestCID = uintptr(0x4008AF60)
-		// 0, 1 and 2 are reserved CIDs, see http://man7.org/linux/man-pages/man7/vsock.7.html
-		minCID          = 3
-		maxCID          = math.MaxUint32
-		cidRange        = maxCID - minCID
-		vsockDevicePath = "/dev/vhost-vsock"
-	)
-
-	defer func() {
-		// close the vsock file if anything bad happens
-		if err != nil && file != nil {
-			file.Close()
-		}
-	}()
-
-	file, err = os.OpenFile(vsockDevicePath, syscall.O_RDWR, 0600)
-	if err != nil {
-		return 0, nil, errors.Wrap(err, "failed to open vsock device")
-	}
-
-	// Start at a random ID to minimize chances of conflicts when shims are racing each other here
-	start := rand.Intn(cidRange)
-	for n := 0; n < cidRange; n++ {
-		cid := minCID + ((start + n) % cidRange)
-		select {
-		case <-requestCtx.Done():
-			return 0, nil, requestCtx.Err()
-		default:
-			_, _, err = sysCall(
-				unix.SYS_IOCTL,
-				file.Fd(),
-				ioctlVsockSetGuestCID,
-				uintptr(unsafe.Pointer(&cid)))
-
-			switch err {
-			case unix.Errno(0):
-				return uint32(cid), file, nil
-			case unix.EADDRINUSE:
-				// ID is already taken, try next one
-				continue
-			default:
-				// Fail if we get an error we don't expect
-				return 0, nil, err
-			}
-		}
-	}
-
-	return 0, nil, errors.New("couldn't find any available vsock context id")
-}
-
 func (s *service) monitorVMExit() {
 	// once the VM shuts down, the shim should too
 	defer s.shimCancel()
diff --git a/runtime/service_integ_test.go b/runtime/service_integ_test.go
index 56688f7cc..ed6b3ee38 100644
--- a/runtime/service_integ_test.go
+++ b/runtime/service_integ_test.go
@@ -551,7 +551,7 @@ func TestStubBlockDevices_Isolated(t *testing.T) {
 
 		const expectedOutput = `
 NAME MAJ:MIN RM      SIZE RO | MAGIC
-vda  254:0    0 53633024B  0 |  104 115 113 115 128  28   0   0
+vda  254:0    0 53641216B  0 |  104 115 113 115 128  28   0   0
 vdb  254:16   0        0B  0 | 
 vdc  254:32   0      512B  0 |  214 244 216 245 215 177 177 177
 vdd  254:48   0      512B  0 |  214 244 216 245 215 177 177 177
diff --git a/runtime/service_test.go b/runtime/service_test.go
index 7a71ad2b5..49a7f53c3 100644
--- a/runtime/service_test.go
+++ b/runtime/service_test.go
@@ -14,15 +14,12 @@
 package main
 
 import (
-	"context"
 	"fmt"
 	"io/ioutil"
 	"os"
 	"path/filepath"
-	"syscall"
 	"testing"
 
-	"github.com/firecracker-microvm/firecracker-containerd/internal"
 	"github.com/firecracker-microvm/firecracker-containerd/internal/vm"
 	"github.com/firecracker-microvm/firecracker-containerd/proto"
 	"github.com/firecracker-microvm/firecracker-go-sdk"
@@ -37,30 +34,6 @@ const (
 	hostDevName = "tap0"
 )
 
-func TestFindNextAvailableVsockCID_Isolated(t *testing.T) {
-	internal.RequiresIsolation(t)
-
-	sysCall = func(trap, a1, a2, a3 uintptr) (r1, r2 uintptr, err syscall.Errno) {
-		return 0, 0, 0
-	}
-
-	defer func() {
-		sysCall = syscall.Syscall
-	}()
-
-	_, _, err := findNextAvailableVsockCID(context.Background())
-	require.NoError(t, err,
-		"Do you have permission to interact with /dev/vhost-vsock?\n"+
-			"Grant yourself permission with `sudo setfacl -m u:${USER}:rw /dev/vhost-vsock`")
-	// we generate a random CID, so it's not possible to make assertions on its value
-
-	ctx, cancel := context.WithCancel(context.Background())
-	cancel()
-
-	_, _, err = findNextAvailableVsockCID(ctx)
-	require.Equal(t, context.Canceled, err)
-}
-
 func TestBuildVMConfiguration(t *testing.T) {
 	namespace := "TestBuildVMConfiguration"
 	testcases := []struct {
@@ -220,7 +193,10 @@ func TestBuildVMConfiguration(t *testing.T) {
 			svc.shimDir = vm.Dir(tempDir)
 			// For values that remain constant between tests, they are written here
 			tc.expectedCfg.SocketPath = svc.shimDir.FirecrackerSockPath()
-			tc.expectedCfg.VsockDevices = []firecracker.VsockDevice{{Path: "root", CID: svc.machineCID}}
+			tc.expectedCfg.VsockDevices = []firecracker.VsockDevice{{
+				Path: svc.shimDir.FirecrackerVSockPath(),
+				ID:   "agent_api",
+			}}
 			tc.expectedCfg.LogFifo = svc.shimDir.FirecrackerLogFifoPath()
 			tc.expectedCfg.MetricsFifo = svc.shimDir.FirecrackerMetricsFifoPath()
 
diff --git a/tools/docker/Dockerfile.firecracker-builder b/tools/docker/Dockerfile.firecracker-builder
index 9c0c44845..9ec8b9225 100644
--- a/tools/docker/Dockerfile.firecracker-builder
+++ b/tools/docker/Dockerfile.firecracker-builder
@@ -11,7 +11,7 @@
 # express or implied. See the License for the specific language governing
 # permissions and limitations under the License.
 
-FROM rust:1.32-stretch
+FROM rust:1.35-stretch
 
 ENV DEBIAN_FRONTEND="noninteractive"
 RUN apt-get update && apt-get install --yes --no-install-recommends \