diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/Manifest
index dc86acecc6..7404e43b95 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/Manifest
@@ -1,5 +1,5 @@
 DIST gcc-multilib-bootstrap-20201208.tar.xz 5528452 BLAKE2B 16699a6e4df5b2f28a21776ae9e3728b26a9ea251f5580aa5349545ad7c9f6145b9cb6a12ca8f5f96b9cb2a3c70b7e66ca702e4c6f083ac00408e0a20a69e613 SHA512 a243f505e17d0a7e144e8713c077582412f61d6cf7f79baa846de4fb77f5e0f27e11c9a785e14624e04ac52287b32164e7995323aa11caef59113ac438254347
-DIST glibc-2.35-patches-9.tar.xz 183612 BLAKE2B 921664953ed39560ab850754209dbda1f71fbcc5bcc9ec21c187385ea659b90ea055e60961eca266ab3cc81213ed04747aa925dd96a352676fa19d2e63306968 SHA512 24c9ecb6ad890c95bc0e7db3e0c1f20768c728ac0590450fad05aed578623bc33d256d2c4d14a8d8e5c5e9fed7acfab3683053d236f51886cd5a6de93f925ddc
-DIST glibc-2.35.tar.xz 18165952 BLAKE2B 623c728884f070cd87ffeb9203f74206197c52405ac9bc44f3dd519a3468b8e8ae2536c883e5d17d94417dbd1e91775de2e674314e4ff7424f9720026d6b7063 SHA512 e7336ce27561be5d7c217832a1136fb327e057bd8d3f92925b35c97e3e9f9e486948b5a1e03e5e4090772ef06437a074d10b82e68f17f1ad8f22077ee39e1b66
+DIST glibc-2.36-patches-5.tar.xz 81348 BLAKE2B 003a59a992302c21132474bcdc994d10b5d50a94368e949ce28cbe389cefd104f66c48cb61a63d24e2f6db94d010e4220bda3fb5291d088cda88069b928c92e0 SHA512 6d6a16114df2223bf04729a79d12a52e41c9b8e756863c1acbb909dc34696958073604ced1b691579271218738511191ddf517e03a700d3948752c455201bcc4
+DIST glibc-2.36.tar.xz 18610836 BLAKE2B f8375e084043f032609e66fd98c234249df57a595c59672acb1bb8c69aed64d339d526611553449492b097cda900ad1d9bae8873d7f5932b10a9a0d8c9210c55 SHA512 9ea0bbda32f83a85b7da0c34f169607fb8a102f0a11a914e6bf531be47d1bef4f5307128286cffa1e2dc5879f0e6ccaef527dd353486883fa332a0b44bde8b3e
 DIST glibc-systemd-20210729.tar.gz 1480 BLAKE2B 37722c7579df782d890e44dbab99c3de52ab466eb9de80d82405e9bb5620bf39ffc8c5f466a435bdb86ef6d36dd7019c0736573916bda6c67d02a2581e0ec979 SHA512 efd75af58b50522c28cdac7abd1fc56555bc1bb042512c90d8340c1ec09c5791b3872a305bf83723252bbde5855b75d958c041083457765c4cfd170732d09238
 DIST locale-gen-2.22.tar.gz 7971 BLAKE2B 2dc66fa69bf51799d0c34459b654fba6998b80a7e322e9b670036c967e269ad921f50195e6e34c4a83c1f0bad191fd5aa3f37defb82271b73acbca07b7e49d08 SHA512 9798b10dbbc792345a7b7a121dec5f4bba9839a8aec010f01a09f3402fd5bf2376f79e03a6a19bc357010db780037a8811c381136ce19be1f1370374906dff38
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/README.md b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/README.md
deleted file mode 100644
index 0bcb9dd9ee..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/README.md
+++ /dev/null
@@ -1,9 +0,0 @@
-# GLibc
-
-The system's C library, sometimes referred to as "service pack for the C
-language". The build recipe has a single modification over the one Gentoo
-upstream uses: in the installation callback `glibc_do_src_install`, we remove
-all of glibc's `/etc` files right after the stock glibc build diligently
-installed them, since we ship our own `/etc` stuff via the `baseimage` recipe.
-The addition sits at the end of the `glibc_do_src_install` function and is duly
-labelled `## Flatcar Container Linux: ...`.
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/nscd-conf.tmpfiles b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/nscd-conf.tmpfiles
deleted file mode 100644
index 0cf43dcb7a..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/nscd-conf.tmpfiles
+++ /dev/null
@@ -1,2 +0,0 @@
-L /etc/nscd.conf	-	-	-	-	../usr/share/baselayout/nscd.conf
-d /var/db/nscd		-	-	-	-	-
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/nscd.service b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/nscd.service
new file mode 100644
index 0000000000..25a3b1d9be
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/nscd.service
@@ -0,0 +1,15 @@
+[Unit]
+Description=Name Service Cache Daemon
+After=network.target
+
+[Service]
+ExecStart=/usr/sbin/nscd -F
+ExecStop=/usr/sbin/nscd --shutdown
+ExecReload=/usr/sbin/nscd -i passwd
+ExecReload=/usr/sbin/nscd -i group
+ExecReload=/usr/sbin/nscd -i hosts
+ExecReload=/usr/sbin/nscd -i services
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/nscd.tmpfilesd b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/nscd.tmpfilesd
new file mode 100644
index 0000000000..52edbba673
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/nscd.tmpfilesd
@@ -0,0 +1,4 @@
+# Configuration to create /run/nscd directory
+# Used as part of systemd's tmpfiles
+
+d /run/nscd 0755 root root
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/glibc-2.35-r8.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/glibc-2.36-r5.ebuild
similarity index 94%
rename from sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/glibc-2.35-r8.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/glibc-2.36-r5.ebuild
index 19c1440db7..2a08c5b11f 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/glibc-2.35-r8.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/glibc-2.36-r5.ebuild
@@ -20,7 +20,7 @@ SLOT="2.2"
 EMULTILIB_PKG="true"
 
 # Gentoo patchset (ignored for live ebuilds)
-PATCH_VER=9
+PATCH_VER=5
 PATCH_DEV=dilfridge
 
 if [[ ${PV} == 9999* ]]; then
@@ -29,7 +29,6 @@ else
 	KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86"
 	SRC_URI="mirror://gnu/glibc/${P}.tar.xz"
 	SRC_URI+=" https://dev.gentoo.org/~${PATCH_DEV}/distfiles/${P}-patches-${PATCH_VER}.tar.xz"
-	SRC_URI+=" experimental-loong? ( https://dev.gentoo.org/~xen0n/distfiles/glibc-2.35-loongarch-patches-20220522.tar.xz )"
 fi
 
 RELEASE_VER=${PV}
@@ -44,7 +43,7 @@ SRC_URI+=" https://gitweb.gentoo.org/proj/locale-gen.git/snapshot/locale-gen-${L
 SRC_URI+=" multilib-bootstrap? ( https://dev.gentoo.org/~dilfridge/distfiles/gcc-multilib-bootstrap-${GCC_BOOTSTRAP_VER}.tar.xz )"
 SRC_URI+=" systemd? ( https://gitweb.gentoo.org/proj/toolchain/glibc-systemd.git/snapshot/glibc-systemd-${GLIBC_SYSTEMD_VER}.tar.gz )"
 
-IUSE="audit caps cet +clone3 compile-locales +crypt custom-cflags doc experimental-loong gd headers-only +multiarch multilib multilib-bootstrap nscd profile selinux +ssp stack-realign +static-libs suid systemd systemtap test vanilla"
+IUSE="audit caps cet compile-locales +crypt custom-cflags doc gd hash-sysv-compat headers-only +multiarch multilib multilib-bootstrap nscd profile selinux +ssp stack-realign +static-libs suid systemd systemtap test vanilla"
 
 # Minimum kernel version that glibc requires
 MIN_KERN_VER="3.2.0"
@@ -183,6 +182,15 @@ XFAIL_TEST_LIST=(
 # Small helper functions
 #
 
+dump_build_environment() {
+	einfo ==== glibc build environment ========================================================
+	local v
+	for v in ABI CBUILD CHOST CTARGET CBUILD_OPT CTARGET_OPT CC CXX CPP LD {AS,C,CPP,CXX,LD}FLAGS MAKEINFO NM AR AS STRIP RANLIB OBJCOPY STRINGS OBJDUMP READELF; do
+		einfo " $(printf '%15s' ${v}:)   ${!v}"
+	done
+	einfo =====================================================================================
+}
+
 is_crosscompile() {
 	[[ ${CHOST} != ${CTARGET} ]]
 }
@@ -328,10 +336,14 @@ setup_target_flags() {
 				use stack-realign && export CFLAGS_x86+=" -mstackrealign"
 
 				# Workaround for bug #823780.
+				# Need to save/restore CC because earlier on, we stuff it full of CFLAGS, and tc-getCPP doesn't like that.
+				CC_mangled=${CC}
+				CC=${glibc__GLIBC_CC}
 				if tc-is-gcc && (($(gcc-major-version) == 11)) && (($(gcc-minor-version) <= 2)) && (($(gcc-micro-version) == 0)) ; then
 					export CFLAGS_x86="${CFLAGS_x86} -mno-avx512f"
 					einfo "Auto adding -mno-avx512f to CFLAGS_x86 for buggy GCC version (bug #823780) (ABI=${ABI})"
 				fi
+				CC=${CC_mangled}
 			fi
 		;;
 		mips)
@@ -418,6 +430,12 @@ setup_flags() {
 	# https://sourceware.org/PR27837
 	filter-ldflags '-Wl,--relax'
 
+	# some weird software relies on sysv hashes in glibc, bug 863863, bug 864100
+	# we have to do that here already so mips can filter it out again :P
+	if use hash-sysv-compat ; then
+		append-ldflags '-Wl,--hash-style=both'
+	fi
+
 	# #492892
 	filter-flags -frecord-gcc-switches
 
@@ -440,8 +458,13 @@ setup_flags() {
 	#  include/libc-symbols.h:75:3: #error "glibc cannot be compiled without optimization"
 	replace-flags -O0 -O1
 
+	# glibc handles this internally already where it's appropriate;
+	# can't always have SSP when we're the ones setting it up, etc
 	filter-flags '-fstack-protector*'
 
+	# Similar issues as with SSP. Can't inject yourself that early.
+	filter-flags '-fsanitize=*'
+
 	# See end of bug #830454; we handle this via USE=cet
 	filter-flags '-fcf-protection='
 }
@@ -512,15 +535,20 @@ setup_env() {
 	fi
 
 	# Reset CC and CXX to the value at start of emerge
-	export CC=${__ORIG_CC:-${CC:-$(tc-getCC ${CTARGET})}}
-	export CXX=${__ORIG_CXX:-${CXX:-$(tc-getCXX ${CTARGET})}}
+	export CC=${glibc__ORIG_CC:-${CC:-$(tc-getCC ${CTARGET})}}
+	export CXX=${glibc__ORIG_CXX:-${CXX:-$(tc-getCXX ${CTARGET})}}
 
-	# and make sure __ORIC_CC and __ORIG_CXX is defined now.
-	export __ORIG_CC=${CC}
-	export __ORIG_CXX=${CXX}
+	# and make sure glibc__ORIG_CC and glibc__ORIG_CXX is defined now.
+	export glibc__ORIG_CC=${CC}
+	export glibc__ORIG_CXX=${CXX}
 
 	if tc-is-clang && ! use custom-cflags && ! is_crosscompile ; then
+		export glibc__force_gcc=yes
+		# once this is toggled on, it needs to stay on, since with CPP manipulated
+		# tc-is-clang does not work correctly anymore...
+	fi
 
+	if [[ ${glibc__force_gcc} == "yes" ]] ; then
 		# If we are running in an otherwise clang/llvm environment, we need to
 		# recover the proper gcc and binutils settings here, at least until glibc
 		# is finally building with clang. So let's override everything that is
@@ -575,10 +603,10 @@ setup_env() {
 	# around the original clean value to avoid appending multiple ABIs on
 	# top of each other. (Why does the comment talk about CFLAGS if the code
 	# acts on CC?)
-	export __GLIBC_CC=${CC}
-	export __GLIBC_CXX=${CXX}
+	export glibc__GLIBC_CC=${CC}
+	export glibc__GLIBC_CXX=${CXX}
 
-	export __abi_CFLAGS="$(get_abi_CFLAGS)"
+	export glibc__abi_CFLAGS="$(get_abi_CFLAGS)"
 
 	# CFLAGS can contain ABI-specific flags like -mfpu=neon, see bug #657760
 	# To build .S (assembly) files with the same ABI-specific flags
@@ -587,10 +615,10 @@ setup_env() {
 	# Note: Passing CFLAGS via CPPFLAGS overrides glibc's arch-specific CFLAGS
 	# and breaks multiarch support. See 659030#c3 for an example.
 	# The glibc configure script doesn't properly use LDFLAGS all the time.
-	export CC="${__GLIBC_CC} ${__abi_CFLAGS} ${CFLAGS} ${LDFLAGS}"
+	export CC="${glibc__GLIBC_CC} ${glibc__abi_CFLAGS} ${CFLAGS} ${LDFLAGS}"
 
 	# Some of the tests are written in C++, so we need to force our multlib abis in, bug 623548
-	export CXX="${__GLIBC_CXX} ${__abi_CFLAGS} ${CFLAGS}"
+	export CXX="${glibc__GLIBC_CXX} ${glibc__abi_CFLAGS} ${CFLAGS}"
 
 	if is_crosscompile; then
 		# Assume worst-case bootstrap: glibc is buil first time
@@ -792,11 +820,19 @@ sanity_prechecks() {
 				fi
 			fi
 
-			ebegin "Checking linux-headers version (${build_kv} >= ${want_kv})"
-			if ! eend_KV ${build_kv} ${want_kv} ; then
-				echo
-				eerror "You need linux-headers of at least ${want_kv}!"
-				die "linux-headers version too low!"
+			# Do not run this check for pkg_pretend, just pkg_setup and friends (if we ever get used there).
+			# It's plausible (seen it in the wild) that Portage will (correctly) schedule a linux-headers
+			# upgrade before glibc, but because pkg_pretend gets run before any packages are merged at all (not
+			# just glibc), the whole emerge gets aborted without a good reason. We probably don't
+			# need to run this check at all given we have a dependency on the right headers,
+			# but let's leave it as-is for now.
+			if [[ ${EBUILD_PHASE_FUNC} != pkg_pretend ]] ; then
+				ebegin "Checking linux-headers version (${build_kv} >= ${want_kv})"
+				if ! eend_KV ${build_kv} ${want_kv} ; then
+					echo
+					eerror "You need linux-headers of at least ${want_kv}!"
+					die "linux-headers version too low!"
+				fi
 			fi
 		fi
 	fi
@@ -856,7 +892,6 @@ src_unpack() {
 
 		cd "${WORKDIR}" || die
 		unpack glibc-${RELEASE_VER}-patches-${PATCH_VER}.tar.xz
-		use experimental-loong && unpack glibc-2.35-loongarch-patches-20220522.tar.xz
 	fi
 
 	cd "${WORKDIR}" || die
@@ -875,20 +910,6 @@ src_prepare() {
 		einfo "Applying Gentoo Glibc Patchset ${patchsetname}"
 		eapply "${WORKDIR}"/patches
 		einfo "Done."
-
-		if use experimental-loong ; then
-			einfo "Applying experimental LoongArch patchset"
-			eapply "${WORKDIR}"/loongarch-2.35
-			einfo "Done."
-		fi
-	fi
-
-	if use clone3 ; then
-		append-cppflags -DGENTOO_USE_CLONE3
-	else
-		# See e.g. bug #827386, bug #819045.
-		elog "Disabling the clone3 syscall for compatibility with older Electron apps."
-		elog "Please re-enable this flag before filing bugs!"
 	fi
 
 	default
@@ -911,13 +932,8 @@ src_prepare() {
 }
 
 glibc_do_configure() {
+	dump_build_environment
 
-	local v
-	for v in ABI CBUILD CHOST CTARGET CBUILD_OPT CTARGET_OPT CC CXX LD {AS,C,CPP,CXX,LD}FLAGS MAKEINFO NM AR AS STRIP RANLIB OBJCOPY STRINGS OBJDUMP READELF; do
-		einfo " $(printf '%15s' ${v}:)   ${!v}"
-	done
-
-	echo
 	local myconf=()
 
 	# Use '=strong' instead of '=all' to protect only functions
@@ -1274,13 +1290,12 @@ glibc_do_src_install() {
 	# '#define VERSION "2.26.90"' -> '2.26.90'
 	local upstream_pv=$(sed -n -r 's/#define VERSION "(.*)"/\1/p' "${S}"/version.h)
 
-	# Flatcar: override this and strip everything to keep image size at bay
 	# Avoid stripping binaries not targeted by ${CHOST}. Or else
 	# ${CHOST}-strip would break binaries build for ${CTARGET}.
-	# is_crosscompile && dostrip -x /
+	is_crosscompile && dostrip -x /
 	# gdb thread introspection relies on local libpthreas symbols. stripping breaks it
 	# See Note [Disable automatic stripping]
-	# dostrip -x $(alt_libdir)/libpthread-${upstream_pv}.so
+	dostrip -x $(alt_libdir)/libpthread-${upstream_pv}.so
 
 	if [[ -e ${ED}/$(alt_usrlibdir)/libm-${upstream_pv}.a ]] ; then
 		# Move versioned .a file out of libdir to evade portage QA checks
@@ -1463,23 +1478,6 @@ glibc_do_src_install() {
 		run_locale_gen --inplace-glibc "${ED}/"
 		sed -e 's:COMPILED_LOCALES="":COMPILED_LOCALES="1":' -i "${ED}"/usr/sbin/locale-gen || die
 	fi
-
-	## Flatcar Container Linux: Add some local changes:
-	# - Config files are installed by baselayout, not glibc.
-	# - Install nscd/systemd stuff in /usr.
-
-	# Use tmpfiles to put nscd.conf in /etc and create directories.
-	insinto /usr/share/baselayout
-	if ! in_iuse nscd || use nscd ; then
-		doins "${S}"/nscd/nscd.conf || die
-		newtmpfiles "${FILESDIR}"/nscd-conf.tmpfiles nscd-conf.conf || die
-	fi
-
-	# Clean out any default configs.
-	rm -rf "${ED}"/etc
-
-	# Restore this one for the SDK.
-	test ! -e "${T}"/00glibc || doenvd "${T}"/00glibc
 }
 
 glibc_headers_install() {