diff --git a/sdk_container/src/third_party/portage-stable/eclass/acct-user.eclass b/sdk_container/src/third_party/portage-stable/eclass/acct-user.eclass
index e3ec396603..cf47470c15 100644
--- a/sdk_container/src/third_party/portage-stable/eclass/acct-user.eclass
+++ b/sdk_container/src/third_party/portage-stable/eclass/acct-user.eclass
@@ -1,4 +1,4 @@
-# Copyright 2019 Gentoo Authors
+# Copyright 2019-2021 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 # @ECLASS: acct-user.eclass
@@ -7,7 +7,7 @@
 # @AUTHOR:
 # Michael Orlitzky <mjo@gentoo.org>
 # Michał Górny <mgorny@gentoo.org>
-# @SUPPORTED_EAPIS: 7
+# @SUPPORTED_EAPIS: 7 8
 # @BLURB: Eclass used to create and maintain a single user entry
 # @DESCRIPTION:
 # This eclass represents and creates a single user entry.  The name
@@ -26,24 +26,25 @@
 # contents:
 #
 # @CODE
-# EAPI=7
+# EAPI=8
 # inherit acct-user
 # ACCT_USER_ID=200
 # ACCT_USER_GROUPS=( foo )
 # acct-user_add_deps
 # @CODE
 #
-# Then you add appropriate dependency to your package.  The dependency
-# type(s) should be:
-# - DEPEND (+ RDEPEND) if the user is already needed at build time,
-# - RDEPEND if it is needed at install time (e.g. you 'fowners' files
-#   in pkg_preinst) or run time.
+# Then you add appropriate dependencies to your package.  Note that
+# the build system might need to resolve names, too.  The dependency
+# type(s) should be: BDEPEND if the user must be resolvable at build
+# time (e.g. 'fowners' uses it in src_install), IDEPEND if it must be
+# resolvable at install time (e.g. 'fowners' uses it in pkg_preinst),
+# and RDEPEND in every case.
 
 if [[ -z ${_ACCT_USER_ECLASS} ]]; then
 _ACCT_USER_ECLASS=1
 
 case ${EAPI:-0} in
-	7) ;;
+	7|8) ;;
 	*) die "EAPI=${EAPI:-0} not supported";;
 esac
 
@@ -67,11 +68,17 @@ readonly ACCT_USER_NAME
 # @REQUIRED
 # @DESCRIPTION:
 # Preferred UID for the new user.  This variable is obligatory, and its
-# value must be unique across all user packages.
+# value must be unique across all user packages.  This can be overriden
+# in make.conf through ACCT_USER_<UPPERCASE_USERNAME>_ID variable.
 #
 # Overlays should set this to -1 to dynamically allocate UID.  Using -1
 # in ::gentoo is prohibited by policy.
 
+# @ECLASS-VARIABLE: _ACCT_USER_ALREADY_EXISTS
+# @INTERNAL
+# @DESCRIPTION:
+# Status variable which indicates if user already exists.
+
 # @ECLASS-VARIABLE: ACCT_USER_ENFORCE_ID
 # @DESCRIPTION:
 # If set to a non-null value, the eclass will require the user to have
@@ -79,10 +86,18 @@ readonly ACCT_USER_NAME
 # the UID is taken by another user, the install will fail.
 : ${ACCT_USER_ENFORCE_ID:=}
 
+# @ECLASS-VARIABLE: ACCT_USER_NO_MODIFY
+# @DEFAULT_UNSET
+# @DESCRIPTION:
+# If set to a non-null value, the eclass will not make any changes
+# to an already existing user.
+: ${ACCT_USER_NO_MODIFY:=}
+
 # @ECLASS-VARIABLE: ACCT_USER_SHELL
 # @DESCRIPTION:
 # The shell to use for the user.  If not specified, a 'nologin' variant
-# for the system is used.
+# for the system is used.  This can be overriden in make.conf through
+# ACCT_USER_<UPPERCASE_USERNAME>_SHELL variable.
 : ${ACCT_USER_SHELL:=-1}
 
 # @ECLASS-VARIABLE: ACCT_USER_HOME
@@ -90,6 +105,8 @@ readonly ACCT_USER_NAME
 # The home directory for the user.  If not specified, /dev/null is used.
 # The directory will be created with appropriate permissions if it does
 # not exist.  When updating, existing home directory will not be moved.
+# This can be overriden in make.conf through
+# ACCT_USER_<UPPERCASE_USERNAME>_HOME variable.
 : ${ACCT_USER_HOME:=/dev/null}
 
 # @ECLASS-VARIABLE: ACCT_USER_HOME_OWNER
@@ -97,11 +114,14 @@ readonly ACCT_USER_NAME
 # @DESCRIPTION:
 # The ownership to use for the home directory, in chown ([user][:group])
 # syntax.  Defaults to the newly created user, and its primary group.
+# This can be overriden in make.conf through
+# ACCT_USER_<UPPERCASE_USERNAME>_HOME_OWNER variable.
 
 # @ECLASS-VARIABLE: ACCT_USER_HOME_PERMS
 # @DESCRIPTION:
 # The permissions to use for the home directory, in chmod (octal
-# or verbose) form.
+# or verbose) form.  This can be overriden in make.conf through
+# ACCT_USER_<UPPERCASE_USERNAME>_HOME_PERMS variable.
 : ${ACCT_USER_HOME_PERMS:=0755}
 
 # @ECLASS-VARIABLE: ACCT_USER_GROUPS
@@ -110,12 +130,18 @@ readonly ACCT_USER_NAME
 # List of groups the user should belong to.  This must be a bash
 # array.  The first group specified is the user's primary group, while
 # the remaining groups (if any) become supplementary groups.
+#
+# This can be overriden in make.conf through
+# ACCT_USER_<UPPERCASE_USERNAME>_GROUPS variable, or appended to
+# via ACCT_USER_<UPPERCASE_USERNAME>_GROUPS_ADD.  Please note that
+# due to technical limitations, the override variables are not arrays
+# but space-separated lists.
 
 
 # << Boilerplate ebuild variables >>
 : ${DESCRIPTION:="System user: ${ACCT_USER_NAME}"}
 : ${SLOT:=0}
-: ${KEYWORDS:=alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 ~riscv s390 sh sparc x86 ~ppc-aix ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris}
+: ${KEYWORDS:=alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 ~riscv s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris}
 S=${WORKDIR}
 
 
@@ -143,8 +169,8 @@ acct-user_add_deps() {
 # << Helper functions >>
 
 # @FUNCTION: eislocked
-# @INTERNAL
 # @USAGE: <user>
+# @INTERNAL
 # @DESCRIPTION:
 # Check whether the specified user account is currently locked.
 # Returns 0 if it is locked, 1 if it is not, 2 if the platform
@@ -152,7 +178,7 @@ acct-user_add_deps() {
 eislocked() {
 	[[ $# -eq 1 ]] || die "usage: ${FUNCNAME} <user>"
 
-	if [[ ${EUID} != 0 ]] ; then
+	if [[ ${EUID} != 0 ]]; then
 		einfo "Insufficient privileges to execute ${FUNCNAME[0]}"
 		return 0
 	fi
@@ -176,8 +202,8 @@ eislocked() {
 }
 
 # @FUNCTION: elockuser
-# @INTERNAL
 # @USAGE: <user>
+# @INTERNAL
 # @DESCRIPTION:
 # Lock the specified user account, using the available platform-specific
 # functions.  This should prevent any login to the account.
@@ -189,7 +215,7 @@ eislocked() {
 elockuser() {
 	[[ $# -eq 1 ]] || die "usage: ${FUNCNAME} <user>"
 
-	if [[ ${EUID} != 0 ]] ; then
+	if [[ ${EUID} != 0 ]]; then
 		einfo "Insufficient privileges to execute ${FUNCNAME[0]}"
 		return 0
 	fi
@@ -221,8 +247,8 @@ elockuser() {
 }
 
 # @FUNCTION: eunlockuser
-# @INTERNAL
 # @USAGE: <user>
+# @INTERNAL
 # @DESCRIPTION:
 # Unlock the specified user account, using the available platform-
 # specific functions.
@@ -232,7 +258,7 @@ elockuser() {
 eunlockuser() {
 	[[ $# -eq 1 ]] || die "usage: ${FUNCNAME} <user>"
 
-	if [[ ${EUID} != 0 ]] ; then
+	if [[ ${EUID} != 0 ]]; then
 		einfo "Insufficient privileges to execute ${FUNCNAME[0]}"
 		return 0
 	fi
@@ -284,25 +310,33 @@ acct-user_pkg_pretend() {
 
 	# verify ACCT_USER_ID
 	[[ -n ${ACCT_USER_ID} ]] || die "Ebuild error: ACCT_USER_ID must be set!"
-	[[ ${ACCT_USER_ID} -eq -1 ]] && return
-	[[ ${ACCT_USER_ID} -ge 0 ]] || die "Ebuild errors: ACCT_USER_ID=${ACCT_USER_ID} invalid!"
+	[[ ${ACCT_USER_ID} -ge -1 ]] || die "Ebuild error: ACCT_USER_ID=${ACCT_USER_ID} invalid!"
+	local user_id=${ACCT_USER_ID}
+
+	# check for the override
+	local override_name=${ACCT_USER_NAME^^}
+	local override_var=ACCT_USER_${override_name//-/_}_ID
+	if [[ -n ${!override_var} ]]; then
+		user_id=${!override_var}
+		[[ ${user_id} -ge -1 ]] || die "${override_var}=${user_id} invalid!"
+	fi
 
 	# check for ACCT_USER_ID collisions early
-	if [[ -n ${ACCT_USER_ENFORCE_ID} ]]; then
-		local user_by_id=$(egetusername "${ACCT_USER_ID}")
+	if [[ ${user_id} -ne -1 && -n ${ACCT_USER_ENFORCE_ID} ]]; then
+		local user_by_id=$(egetusername "${user_id}")
 		local user_by_name=$(egetent passwd "${ACCT_USER_NAME}")
 		if [[ -n ${user_by_id} ]]; then
 			if [[ ${user_by_id} != ${ACCT_USER_NAME} ]]; then
 				eerror "The required UID is already taken by another user."
-				eerror "  UID: ${ACCT_USER_ID}"
+				eerror "  UID: ${user_id}"
 				eerror "  needed for: ${ACCT_USER_NAME}"
 				eerror "  current user: ${user_by_id}"
-				die "UID ${ACCT_USER_ID} taken already"
+				die "UID ${user_id} taken already"
 			fi
 		elif [[ -n ${user_by_name} ]]; then
 			eerror "The requested user exists already with wrong UID."
 			eerror "  username: ${ACCT_USER_NAME}"
-			eerror "  requested UID: ${ACCT_USER_ID}"
+			eerror "  requested UID: ${user_id}"
 			eerror "  current entry: ${user_by_name}"
 			die "Username ${ACCT_USER_NAME} exists with wrong UID"
 		fi
@@ -312,15 +346,54 @@ acct-user_pkg_pretend() {
 # @FUNCTION: acct-user_src_install
 # @DESCRIPTION:
 # Installs a keep-file into the user's home directory to ensure it is
-# owned by the package.
+# owned by the package, and sysusers.d file.
 acct-user_src_install() {
 	debug-print-function ${FUNCNAME} "${@}"
 
-	if [[ ${ACCT_USER_HOME} != /dev/null ]]; then
+	# serialize for override support
+	local ACCT_USER_GROUPS=${ACCT_USER_GROUPS[*]}
+
+	# support make.conf overrides
+	local override_name=${ACCT_USER_NAME^^}
+	override_name=${override_name//-/_}
+	local var
+	for var in ACCT_USER_{ID,SHELL,HOME{,_OWNER,_PERMS},GROUPS}; do
+		local var_name=ACCT_USER_${override_name}_${var#ACCT_USER_}
+		if [[ -n ${!var_name} ]]; then
+			ewarn "${var_name}=${!var_name} override in effect, support will not be provided."
+		else
+			var_name=${var}
+		fi
+		declare -g "_${var}=${!var_name}"
+	done
+	var_name=ACCT_USER_${override_name}_GROUPS_ADD
+	if [[ -n ${!var_name} ]]; then
+		ewarn "${var_name}=${!var_name} override in effect, support will not be provided."
+		_ACCT_USER_GROUPS+=" ${!var_name}"
+	fi
+
+	# deserialize into an array
+	local groups=( ${_ACCT_USER_GROUPS} )
+
+	if [[ ${_ACCT_USER_HOME} != /dev/null ]]; then
 		# note: we can't set permissions here since the user isn't
 		# created yet
-		keepdir "${ACCT_USER_HOME}"
+		keepdir "${_ACCT_USER_HOME}"
 	fi
+
+	insinto /usr/lib/sysusers.d
+	newins - ${CATEGORY}-${ACCT_USER_NAME}.conf < <(
+		printf "u\t%q\t%q\t%q\t%q\t%q\n" \
+			"${ACCT_USER_NAME}" \
+			"${_ACCT_USER_ID/#-*/-}:${groups[0]}" \
+			"${DESCRIPTION//[:,=]/;}" \
+			"${_ACCT_USER_HOME}" \
+			"${_ACCT_USER_SHELL/#-*/-}"
+		if [[ ${#groups[@]} -gt 1 ]]; then
+			printf "m\t${ACCT_USER_NAME}\t%q\n" \
+				"${groups[@]:1}"
+		fi
+	)
 }
 
 # @FUNCTION: acct-user_pkg_preinst
@@ -330,26 +403,33 @@ acct-user_src_install() {
 acct-user_pkg_preinst() {
 	debug-print-function ${FUNCNAME} "${@}"
 
-	local groups=${ACCT_USER_GROUPS[*]}
-	enewuser ${ACCT_USER_ENFORCE_ID:+-F} -M "${ACCT_USER_NAME}" \
-		"${ACCT_USER_ID}" "${ACCT_USER_SHELL}" "${ACCT_USER_HOME}" \
-		"${groups// /,}"
+	# check if user already exists
+	_ACCT_USER_ALREADY_EXISTS=
+	if [[ -n $(egetent passwd "${ACCT_USER_NAME}") ]]; then
+		_ACCT_USER_ALREADY_EXISTS=1
+	fi
+	readonly _ACCT_USER_ALREADY_EXISTS
 
-	if [[ ${ACCT_USER_HOME} != /dev/null ]]; then
+	enewuser ${ACCT_USER_ENFORCE_ID:+-F} -M "${ACCT_USER_NAME}" \
+		"${_ACCT_USER_ID}" "${_ACCT_USER_SHELL}" "${_ACCT_USER_HOME}" \
+		"${_ACCT_USER_GROUPS// /,}"
+
+	if [[ ${_ACCT_USER_HOME} != /dev/null ]]; then
 		# default ownership to user:group
-		if [[ -z ${ACCT_USER_HOME_OWNER} ]]; then
-			ACCT_USER_HOME_OWNER=${ACCT_USER_NAME}:${ACCT_USER_GROUPS[0]}
+		if [[ -z ${_ACCT_USER_HOME_OWNER} ]]; then
+			local group_array=( ${_ACCT_USER_GROUPS} )
+			_ACCT_USER_HOME_OWNER=${ACCT_USER_NAME}:${group_array[0]}
 		fi
 		# Path might be missing due to INSTALL_MASK, etc.
 		# https://bugs.gentoo.org/691478
-		if [[ ! -e "${ED}/${ACCT_USER_HOME#/}" ]]; then
+		if [[ ! -e "${ED}/${_ACCT_USER_HOME#/}" ]]; then
 			eerror "Home directory is missing from the installation image:"
-			eerror "  ${ACCT_USER_HOME}"
+			eerror "  ${_ACCT_USER_HOME}"
 			eerror "Check INSTALL_MASK for entries that would cause this."
-			die "${ACCT_USER_HOME} does not exist"
+			die "${_ACCT_USER_HOME} does not exist"
 		fi
-		fowners "${ACCT_USER_HOME_OWNER}" "${ACCT_USER_HOME}"
-		fperms "${ACCT_USER_HOME_PERMS}" "${ACCT_USER_HOME}"
+		fowners "${_ACCT_USER_HOME_OWNER}" "${_ACCT_USER_HOME}"
+		fperms "${_ACCT_USER_HOME_PERMS}" "${_ACCT_USER_HOME}"
 	fi
 }
 
@@ -360,16 +440,23 @@ acct-user_pkg_preinst() {
 acct-user_pkg_postinst() {
 	debug-print-function ${FUNCNAME} "${@}"
 
-	if [[ ${EUID} != 0 ]] ; then
+	if [[ ${EUID} != 0 ]]; then
 		einfo "Insufficient privileges to execute ${FUNCNAME[0]}"
 		return 0
 	fi
 
+	if [[ -n ${ACCT_USER_NO_MODIFY} && -n ${_ACCT_USER_ALREADY_EXISTS} ]]; then
+		eunlockuser "${ACCT_USER_NAME}"
+
+		ewarn "User ${ACCT_USER_NAME} already exists; Not touching existing user"
+		ewarn "due to set ACCT_USER_NO_MODIFY."
+		return 0
+	fi
+
 	# NB: eset* functions check current value
-	esethome "${ACCT_USER_NAME}" "${ACCT_USER_HOME}"
-	esetshell "${ACCT_USER_NAME}" "${ACCT_USER_SHELL}"
-	local groups=${ACCT_USER_GROUPS[*]}
-	esetgroups "${ACCT_USER_NAME}" "${groups// /,}"
+	esethome "${ACCT_USER_NAME}" "${_ACCT_USER_HOME}"
+	esetshell "${ACCT_USER_NAME}" "${_ACCT_USER_SHELL}"
+	esetgroups "${ACCT_USER_NAME}" "${_ACCT_USER_GROUPS// /,}"
 	# comment field can not contain colons
 	esetcomment "${ACCT_USER_NAME}" "${DESCRIPTION//[:,=]/;}"
 	eunlockuser "${ACCT_USER_NAME}"
@@ -381,7 +468,7 @@ acct-user_pkg_postinst() {
 acct-user_pkg_prerm() {
 	debug-print-function ${FUNCNAME} "${@}"
 
-	if [[ ${EUID} != 0 ]] ; then
+	if [[ ${EUID} != 0 ]]; then
 		einfo "Insufficient privileges to execute ${FUNCNAME[0]}"
 		return 0
 	fi