diff --git a/src/mailserver.js b/src/mailserver.js
index 1011f15d1..fc179993e 100644
--- a/src/mailserver.js
+++ b/src/mailserver.js
@@ -31,6 +31,7 @@ const assert = require('assert'),
     docker = require('./docker.js'),
     domains = require('./domains.js'),
     eventlog = require('./eventlog.js'),
+    fs = require('fs'),
     hat = require('./hat.js'),
     infra = require('./infra_version.js'),
     Location = require('./location.js'),
@@ -153,7 +154,9 @@ async function configureMail(mailFqdn, mailDomain, serviceConfig) {
     const mailCertFilePath = `${paths.MAIL_CONFIG_DIR}/tls_cert.pem`;
     const mailKeyFilePath =  `${paths.MAIL_CONFIG_DIR}/tls_key.pem`;
 
-    const [copyError] = await safe(shell.exec('configureMail', `cp ${paths.DHPARAMS_FILE} ${dhparamsFilePath}`, {}));
+    const [readError, dhparams] = await safe(fs.promises.readFile(paths.DHPARAMS_FILE));
+    if (readError) throw new BoxError(BoxError.FS_ERROR, `Could not read dhparams: ${readError.message}`);
+    const [copyError] = await safe(fs.promises.writeFile(dhparamsFilePath, dhparams));
     if (copyError) throw new BoxError(BoxError.FS_ERROR, `Could not copy dhparams: ${copyError.message}`);
     if (!safe.fs.writeFileSync(mailCertFilePath, certificate.cert)) throw new BoxError(BoxError.FS_ERROR, `Could not create cert file: ${safe.error.message}`);
     if (!safe.fs.writeFileSync(mailKeyFilePath, certificate.key)) throw new BoxError(BoxError.FS_ERROR, `Could not create key file: ${safe.error.message}`);
@@ -161,8 +164,9 @@ async function configureMail(mailFqdn, mailDomain, serviceConfig) {
     // if the 'yellowtent' user of OS and the 'cloudron' user of mail container don't match, the keys become inaccessible by mail code
     if (!safe.fs.chmodSync(mailKeyFilePath, 0o644)) throw new BoxError(BoxError.FS_ERROR, `Could not chmod key file: ${safe.error.message}`);
 
-    await safe(shell.exec('stopMail', 'docker stop mail', {})); // ignore error
-    await safe(shell.exec('removeMail', 'docker rm -f mail', {})); // ignore error
+    debug('configureMail: stopping and deleting previous mail container');
+    await docker.stopContainer('mail');
+    await docker.deleteContainer('mail');
 
     const allowInbound = await createMailConfig(mailFqdn);
 
@@ -191,7 +195,8 @@ async function configureMail(mailFqdn, mailDomain, serviceConfig) {
                 --label isCloudronManaged=true \
                 ${readOnly} -v /run -v /tmp ${image} ${cmd}`;
 
-    await shell.exec('startMail', runCmd, { shell: '/bin/bash' });
+    debug('configureMail: starting mail container');
+    await shell.exec('configureMail', runCmd, { shell: '/bin/bash' });
 }
 
 async function restart() {
diff --git a/src/platform.js b/src/platform.js
index 09ed944df..4018b21bd 100644
--- a/src/platform.js
+++ b/src/platform.js
@@ -49,7 +49,7 @@ async function pruneInfraImages() {
 
     // cannot blindly remove all unused images since redis image may not be used
     const imageNames = Object.keys(infra.images).map(addon => infra.images[addon]);
-    const [error, output] = await safe(shell.exec('pruneInfraImages', 'docker images --digests --format "{{.ID}} {{.Repository}} {{.Tag}} {{.Digest}}"', {}));
+    const [error, output] = await safe(shell.exec('pruneInfraImages', 'docker images --digests --format "{{.ID}} {{.Repository}} {{.Tag}} {{.Digest}}"', { shell: '/bin/bash' }));
     if (error) {
         debug(`Failed to list images ${error.message}`);
         throw error;
diff --git a/src/services.js b/src/services.js
index 2e89de378..3a12daf79 100644
--- a/src/services.js
+++ b/src/services.js
@@ -952,8 +952,11 @@ async function startTurn(existingInfra) {
                 --label isCloudronManaged=true \
                 ${readOnly} -v /tmp -v /run ${image} ${cmd}`;
 
-    await safe(shell.exec('stopTurn', 'docker stop turn', {})); // ignore error
-    await safe(shell.exec('removeTurn', 'docker rm -f turn', {})); // ignore error
+    debug('startTurn: stopping and deleting previous turn container');
+    await docker.stopContainer('turn');
+    await docker.deleteContainer('turn');
+
+    debug('startTurn: starting turn container');
     await shell.exec('startTurn', runCmd, { shell: '/bin/bash' });
 }
 
@@ -1159,8 +1162,11 @@ async function startMysql(existingInfra) {
                 --cap-add SYS_NICE \
                 ${readOnly} -v /tmp -v /run ${image} ${cmd}`;
 
-    await safe(shell.exec('stopMysql', 'docker stop mysql', {})); // ignore error
-    await safe(shell.exec('removeMysql', 'docker rm -f mysql', {})); // ignore error
+    debug('startMysql: stopping and deleting previous mysql container');
+    await docker.stopContainer('mysql');
+    await docker.deleteContainer('mysql');
+
+    debug('startMysql: starting mysql container');
     await shell.exec('startMysql', runCmd, { shell: '/bin/bash' });
 
     if (!serviceConfig.recoveryMode) {
@@ -1378,8 +1384,11 @@ async function startPostgresql(existingInfra) {
                 --label isCloudronManaged=true \
                 ${readOnly} -v /tmp -v /run ${image} ${cmd}`;
 
-    await safe(shell.exec('stopPostgresql', 'docker stop postgresql', {})); // ignore error
-    await safe(shell.exec('removePostgresql', 'docker rm -f postgresql', {})); // ignore error
+    debug('startPostgresqk: stopping and deleting previous postgresql container');
+    await docker.stopContainer('postgresql');
+    await docker.deleteContainer('postgresql');
+
+    debug('startPostgresql: starting postgresql container');
     await shell.exec('startPostgresql', runCmd, { shell: '/bin/bash' });
 
     if (!serviceConfig.recoveryMode) {
@@ -1521,8 +1530,11 @@ async function startMongodb(existingInfra) {
                 --label isCloudronManaged=true \
                 ${readOnly} -v /tmp -v /run ${image} ${cmd}`;
 
-    await safe(shell.exec('stopMongodb', 'docker stop mongodb', {})); // ignore error
-    await safe(shell.exec('removeMongodb', 'docker rm -f mongodb', {})); // ignore error
+    debug('startMongodb: stopping and deleting previous mongodb container');
+    await docker.stopContainer('mongodb');
+    await docker.deleteContainer('mongodb');
+
+    debug('startMongodb: starting mongodb container');
     await shell.exec('startMongodb', runCmd, { shell: '/bin/bash' });
 
     if (!serviceConfig.recoveryMode) {
@@ -1669,9 +1681,13 @@ async function startGraphite(existingInfra) {
         --label isCloudronManaged=true \
         ${readOnly} -v /tmp -v /run ${image} ${cmd}`;
 
-    await safe(shell.exec('stopGraphite', 'docker stop graphite', {})); // ignore error
-    await safe(shell.exec('removeGraphite', 'docker rm -f graphite', {})); // ignore error
+    debug('startGraphite: stopping and deleting previous graphite container');
+    await docker.stopContainer('graphite');
+    await docker.deleteContainer('graphite');
+
     if (upgrading) await shell.promises.sudo('removeGraphiteDir', [ RMADDONDIR_CMD, 'graphite' ], {});
+
+    debug('startGraphite: starting graphite container');
     await shell.exec('startGraphite', runCmd, { shell: '/bin/bash' });
 
     // restart collectd to get the disk stats after graphite starts. currently, there is no way to do graphite health check
@@ -1714,8 +1730,11 @@ async function startRedis(existingInfra) {
 
         if (upgrading) await backupRedis(app, {});
 
-        await safe(shell.exec('stopRedis', `docker stop ${redisName}`, {})); // redis will backup as part of signal handling
-        await safe(shell.exec('removeRedis', `docker rm -f ${redisName}`, {})); // ignore error
+        debug(`startRedis: stopping and deleting previous redis container ${redisName}`);
+        await docker.stopContainer(redisName);
+        await docker.deleteContainer(redisName);
+
+        debug(`startRedis: starting redis container ${redisName}`);
         await setupRedis(app, app.manifest.addons.redis); // starts the container
     }
 
diff --git a/src/sftp.js b/src/sftp.js
index 3ff0dcc86..d15ab1c79 100644
--- a/src/sftp.js
+++ b/src/sftp.js
@@ -34,7 +34,7 @@ async function ensureKeys() {
             debug(`ensureSecrets: generating new sftp keys of type ${keyType}`);
             safe.fs.unlinkSync(publicKeyFile);
             safe.fs.unlinkSync(privateKeyFile);
-            const [error] = await safe(shell.exec('ensureKeys', `ssh-keygen -m PEM -t ${keyType} -f "${paths.SFTP_KEYS_DIR}/ssh_host_${keyType}_key" -q -N ""`, {}));
+            const [error] = await safe(shell.exec('ensureKeys', `ssh-keygen -m PEM -t ${keyType} -f ${paths.SFTP_KEYS_DIR}/ssh_host_${keyType}_key -q -N ""`, { shell: '/bin/bash' }));
             if (error) throw new BoxError(BoxError.OPENSSL_ERROR, `Could not generate sftp ${keyType} keys: ${error.message}`);
             const newPublicKey = safe.fs.readFileSync(publicKeyFile);
             await blobs.set(`sftp_${keyType}_public_key`, newPublicKey);
@@ -122,9 +122,11 @@ async function start(existingInfra) {
                 --label isCloudronManaged=true \
                 ${readOnly} -v /tmp -v /run ${image} ${cmd}`;
 
-    // ignore error if container not found (and fail later) so that this code works across restarts
-    await safe(shell.exec('stopSftp', 'docker stop sftp', {})); // ignore error
-    await safe(shell.exec('removeSftp', 'docker rm -f sftp', {})); // ignore error
+    debug('startSftp: stopping and deleting previous sftp container');
+    await docker.stopContainer('sftp');
+    await docker.deleteContainer('sftp');
+
+    debug('startSftp: starting sftp container');
     await shell.exec('startSftp', runCmd, { shell: '/bin/bash' });
 }