diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/containerd/Manifest b/sdk_container/src/third_party/coreos-overlay/app-emulation/containerd/Manifest
index 32ec50c7d1..b10be1a69a 100644
--- a/sdk_container/src/third_party/coreos-overlay/app-emulation/containerd/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/containerd/Manifest
@@ -1 +1 @@
-DIST containerd-0.2.2.tar.gz 635882 SHA256 a21efc7ea4bb97306ae9807caadca6782358679f38d3afd606cb599b6853bc52 SHA512 db6111984ccce01e928d46f0a22aaeed8d0eb50c2578df4e0cd5f56f43f8bdea43aad3203c2afb743ccf82908bd5961792681eafe07818a4057ca5f5f31c5396 WHIRLPOOL ce80bf79970faeacc3329cb4e365973a88539508904003da3d0f32afce9966e89bdf13a8894657e1fd983392cf2ab88b053393cbbc2018f509d9cbc57ab835cc
+DIST containerd-0.2.3.tar.gz 997239 SHA256 247c459179b451cb235354d3f23876ad1a326a6bda430608f9306beeb0364287 SHA512 f850ea7558a3c772930d42352d7913ec00ec24536676720f8872153ec87b92785259645648d885bb5b27514ca01de7f207a931665c3074e787d8b74b48c51952 WHIRLPOOL ac5f5f38ce874146571017bb5ac0229af43782ccf7eb378c6c39ecfb4725cf6941a12a1b05b9a6840a75c85599a881d429eaea030148356a36d2b401874e01e4
diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/containerd/containerd-0.2.2-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/app-emulation/containerd/containerd-0.2.3.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/app-emulation/containerd/containerd-0.2.2-r1.ebuild
rename to sdk_container/src/third_party/coreos-overlay/app-emulation/containerd/containerd-0.2.3.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-1.11.2-r4.ebuild b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-1.12.1-r3.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-1.11.2-r4.ebuild
rename to sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-1.12.1-r3.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-9999.ebuild
index e9851becdd..b31a458b58 100644
--- a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-9999.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-9999.ebuild
@@ -13,7 +13,7 @@ if [[ ${PV} == *9999 ]]; then
 	DOCKER_GITCOMMIT="unknown"
 	KEYWORDS="~amd64 ~arm64"
 else
-	CROS_WORKON_COMMIT="569214bb43beb1a094beeacfbe6b1cf7df2ab0cf" # coreos-1.11.2
+	CROS_WORKON_COMMIT="7a86f89a77eb849ed9e4ccb784dec402df224e3e" # coreos-1.12.1
 	DOCKER_GITCOMMIT="${CROS_WORKON_COMMIT:0:7}"
 	KEYWORDS="amd64 arm64"
 fi
@@ -65,8 +65,8 @@ RDEPEND="
 	>=dev-vcs/git-1.7
 	>=app-arch/xz-utils-4.9
 
-	>=app-emulation/containerd-0.2.0
-	>=app-emulation/runc-0.1.0
+	>=app-emulation/containerd-0.2.3[seccomp?]
+	>=app-emulation/runc-1.0.0_rc1_p20160615[apparmor?,seccomp?]
 "
 
 RESTRICT="installsources strip"
@@ -217,8 +217,11 @@ src_compile() {
 		grep -q -- '-fno-PIC' hack/make.sh || die 'hardened sed failed'
 
 		sed  "s/LDFLAGS_STATIC_DOCKER='/&-extldflags -fno-PIC /" \
-			-i hack/make/dynbinary || die
-		grep -q -- '-fno-PIC' hack/make/dynbinary || die 'hardened sed failed'
+			-i hack/make/dynbinary-client || die
+		sed  "s/LDFLAGS_STATIC_DOCKER='/&-extldflags -fno-PIC /" \
+			-i hack/make/dynbinary-daemon || die
+		grep -q -- '-fno-PIC' hack/make/dynbinary-daemon || die 'hardened sed failed'
+		grep -q -- '-fno-PIC' hack/make/dynbinary-client || die 'hardened sed failed'
 	fi
 
 	# let's set up some optional features :)
@@ -260,7 +263,12 @@ src_compile() {
 
 src_install() {
 	VERSION="$(cat VERSION)"
-	newbin "bundles/$VERSION/dynbinary/docker-$VERSION" docker
+	newbin "bundles/$VERSION/dynbinary-client/docker-$VERSION" docker
+	newbin "bundles/$VERSION/dynbinary-daemon/dockerd-$VERSION" dockerd
+	newbin "bundles/$VERSION/dynbinary-daemon/docker-proxy-$VERSION" docker-proxy
+	dosym containerd /usr/bin/docker-containerd
+	dosym containerd-shim /usr/bin/docker-containerd-shim
+	dosym runc /usr/bin/docker-runc
 
 	newinitd contrib/init/openrc/docker.initd docker
 	newconfd contrib/init/openrc/docker.confd docker
diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/docker.service b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/docker.service
index 2a0510617f..3b283f1205 100644
--- a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/docker.service
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/docker.service
@@ -5,9 +5,14 @@ After=docker.socket early-docker.target network.target
 Requires=docker.socket early-docker.target
 
 [Service]
+Type=notify
 EnvironmentFile=-/run/flannel_docker_opts.env
 MountFlags=slave
-ExecStart=/usr/lib/coreos/dockerd daemon --host=fd:// $DOCKER_OPTS $DOCKER_CGROUPS $DOCKER_OPT_BIP $DOCKER_OPT_MTU $DOCKER_OPT_IPMASQ
+# the default is not to use systemd for cgroups because the delegate issues still
+# exists and systemd currently does not support the cgroup feature set required
+# for containers run by docker
+ExecStart=/usr/lib/coreos/dockerd --host=fd:// $DOCKER_OPTS $DOCKER_CGROUPS $DOCKER_OPT_BIP $DOCKER_OPT_MTU $DOCKER_OPT_IPMASQ
+ExecReload=/bin/kill -s HUP $MAINPID
 LimitNOFILE=1048576
 # Having non-zero Limit*s causes performance problems due to accounting overhead
 # in the kernel. We recommend using cgroups to do container-local accounting.
diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/dockerd b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/dockerd
index 4b4f58767f..9260e127d8 100644
--- a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/dockerd
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/dockerd
@@ -87,4 +87,4 @@ if [[ -z "${ARG_SELINUX}" ]]; then
         maybe_enable_selinux
 fi
 
-exec docker "$@" ${USE_SELINUX}
+exec dockerd "$@" ${USE_SELINUX}
diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/early-docker.service b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/early-docker.service
index bdb605c416..3ff77d4eeb 100644
--- a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/early-docker.service
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/early-docker.service
@@ -5,9 +5,14 @@ After=early-docker.socket
 Requires=early-docker.socket
 
 [Service]
+Type=notify
 Environment=TMPDIR=/var/tmp
 MountFlags=slave
-ExecStart=/usr/lib/coreos/dockerd daemon --host=fd:// --bridge=none --iptables=false --ip-masq=false --exec-root=/var/run/early-docker --graph=/var/lib/early-docker --pidfile=/var/run/early-docker.pid $DOCKER_OPTS $DOCKER_CGROUPS
+# the default is not to use systemd for cgroups because the delegate issues still
+# exists and systemd currently does not support the cgroup feature set required
+# for containers run by docker
+ExecStart=/usr/lib/coreos/dockerd --host=fd:// --bridge=none --iptables=false --ip-masq=false --exec-root=/var/run/early-docker --graph=/var/lib/early-docker --pidfile=/var/run/early-docker.pid $DOCKER_OPTS $DOCKER_CGROUPS
+ExecReload=/bin/kill -s HUP $MAINPID
 LimitNOFILE=1048576
 # Having non-zero Limit*s causes performance problems due to accounting overhead
 # in the kernel. We recommend using cgroups to do container-local accounting.
diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/runc/Manifest b/sdk_container/src/third_party/coreos-overlay/app-emulation/runc/Manifest
index 6a23ea9eac..6f96bd8062 100644
--- a/sdk_container/src/third_party/coreos-overlay/app-emulation/runc/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/runc/Manifest
@@ -1 +1 @@
-DIST runc-0.1.0.tar.gz 496358 SHA256 681d6d89541ae2e06757f999a242a1f97bbcb1ad6e10f4cdee287ec4a9d2bff9 SHA512 8a9ff02b0161eda0a730194b0fbf7ad76e8f379992e74061ef49302da3492fd0c53f06db9153ded4d934d67bbf6f4291d6154254f1b924ef73c97c44cd14ffcf WHIRLPOOL 81f488a4f1e23e8704a9fa8404965b2f12f74a875ba8e67dc15de93f43b075dc538cd0d89c7a1187cb74ac6320317b5985855945fb8bf8f749d6736df47b844a
+DIST runc-1.0.0_rc1_p20160615.tar.gz 535401 SHA256 196b78c6caf1a4c6257314b393381baffa7c82bb2690ac02a7b3d6cd6cfe7776 SHA512 0bf8ce3bb15caaf09214f23a411003fd5b660d291662ad513c3d944647a0fa9b270d18902706b7e6aa3c30eb0f676e73af46b8249d1e2484e1dc40d6ffd5a80d WHIRLPOOL 9d15d069e00fe38e2bbda84b477dc0cf9f3431d3587919a80164d550a6d882d8742a5c2a8cdb7645509dec8d55b545912c0287785d0ca7e79acc0a08eace6f47
diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/runc/runc-0.1.0.ebuild b/sdk_container/src/third_party/coreos-overlay/app-emulation/runc/runc-0.1.0.ebuild
deleted file mode 100644
index ae8be7d8a5..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/app-emulation/runc/runc-0.1.0.ebuild
+++ /dev/null
@@ -1,46 +0,0 @@
-# Copyright 1999-2015 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Id$
-
-EAPI=5
-
-GITHUB_URI="github.com/opencontainers/runc"
-COREOS_GO_PACKAGE="${GITHUB_URI}"
-COREOS_GO_VERSION="go1.6"
-
-inherit eutils multilib coreos-go-depend
-
-DESCRIPTION="runc container cli tools"
-HOMEPAGE="http://runc.io"
-
-if [[ ${PV} == *9999* ]]; then
-	EGIT_REPO_URI="git://${GITHUB_URI}.git"
-	inherit git-r3
-else
-	SRC_URI="https://${GITHUB_URI}/archive/v${PV}.tar.gz -> ${P}.tar.gz"
-	KEYWORDS="amd64 arm64"
-fi
-
-LICENSE="Apache-2.0"
-SLOT="0"
-IUSE="+seccomp"
-
-DEPEND=">=dev-lang/go-1.4:="
-RDEPEND="seccomp? ( sys-libs/libseccomp )"
-
-src_compile() {
-	# Setup GOPATH so things build
-	rm -rf .gopath
-	mkdir -p .gopath/src/"$(dirname "${GITHUB_URI}")"
-	ln -sf ../../../.. .gopath/src/"${GITHUB_URI}"
-	export GOPATH="${PWD}/.gopath:${PWD}/vendor"
-
-	# build up optional flags
-	local options=( $(usex seccomp "seccomp") )
-
-	emake BUILDTAGS="${options[@]}"
-}
-
-src_install() {
-	dobin runc
-}
diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/runc/runc-1.0.0_rc1_p20160615-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/app-emulation/runc/runc-1.0.0_rc1_p20160615-r1.ebuild
new file mode 100644
index 0000000000..8bc6fbc74d
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/runc/runc-1.0.0_rc1_p20160615-r1.ebuild
@@ -0,0 +1,53 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: $
+
+EAPI=5
+
+GITHUB_URI="github.com/opencontainers/runc"
+COREOS_GO_PACKAGE="${GITHUB_URI}"
+COREOS_GO_VERSION="go1.6"
+# the commit of runc that docker uses.
+# see https://github.com/docker/docker/blob/v1.12.0/Dockerfile#L236
+COMMIT_ID="cc29e3dded8e27ba8f65738f40d251c885030a28"
+
+inherit eutils flag-o-matic coreos-go-depend vcs-snapshot
+
+DESCRIPTION="runc container cli tools"
+HOMEPAGE="http://runc.io"
+
+SRC_URI="https://${GITHUB_URI}/archive/${COMMIT_ID}.tar.gz -> ${P}.tar.gz"
+KEYWORDS="amd64 arm64"
+
+LICENSE="Apache-2.0"
+SLOT="0"
+IUSE="apparmor +seccomp"
+
+DEPEND=""
+RDEPEND="
+	apparmor? ( sys-libs/libapparmor )
+	seccomp? ( sys-libs/libseccomp )
+"
+
+src_prepare() {
+	epatch "${FILESDIR}/0001-Makefile-do-not-install-dependencies-of-target.patch"
+	# Work around https://github.com/golang/go/issues/14669
+	# Remove after updating to go1.7
+	filter-flags -O*
+
+	go_export
+}
+
+src_compile() {
+	# build up optional flags
+	local options=(
+		$(usev apparmor)
+		$(usev seccomp)
+	)
+
+	emake BUILDTAGS="${options[*]}"
+}
+
+src_install() {
+	dobin runc
+}