diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/Manifest b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/Manifest
new file mode 100644
index 0000000000..924b6e7011
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/Manifest
@@ -0,0 +1 @@
+DIST docker-17.06.1.tar.gz 9682381 SHA256 2ca8615162873b32d9565f95a4b2977d025fd44c69e087046e004f5dfb1ce30c SHA512 0a7dd578b3f5aa2be9e8df270b74cc5ad698b9c00ed4c314ecfea588cddddef26c0696265978d09abc5799f22f8bd8013b4f1a818e78eb7f7a4e7c15e082b5d0 WHIRLPOOL f6cf32cca15b36b4fa17239ee800d7e9347fc5f97050eca3590c75a76ab4d36ffff676508e7240aef5bd440795a870aa4349f7cede4e9fb4d610a3146693f8d7
diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-17.05.0-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-17.06.1.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-17.05.0-r1.ebuild
rename to sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-17.06.1.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-9999.ebuild
index 156995c21d..2b63b648bb 100644
--- a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-9999.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-9999.ebuild
@@ -1,39 +1,45 @@ # Copyright 1999-2017 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -EAPI=5 +EAPI=6 -CROS_WORKON_PROJECT="coreos/docker" -CROS_WORKON_LOCALNAME="docker" -CROS_WORKON_REPO="git://github.com" -COREOS_GO_VERSION="go1.7" +COREOS_GO_PACKAGE="github.com/docker/docker-ce" +COREOS_GO_VERSION="go1.8" -if [[ ${PV} == *9999 ]]; then - DOCKER_GITCOMMIT="unknown" +if [[ ${PV} = *9999* ]]; then + # Docker cannot be fetched via "go get", thanks to autogenerated code + EGIT_REPO_URI="https://${COREOS_GO_PACKAGE}.git" + EGIT_CHECKOUT_DIR="${WORKDIR}/${P}/src/${COREOS_GO_PACKAGE}" + inherit git-r3 KEYWORDS="~amd64 ~arm64" else - CROS_WORKON_COMMIT="89658bed64c2a8fe05a978e5b87dbec409d57a0f" # coreos-17.05.0-ce - DOCKER_GITCOMMIT="${CROS_WORKON_COMMIT:0:7}" + inherit versionator + if [ "$(get_version_component_count)" = 4 ]; then + MY_PV="$(replace_version_separator 3 '-ce-')" + else + MY_PV="$PV-ce" + fi + DOCKER_GITCOMMIT="874a737" + SRC_URI="https://${COREOS_GO_PACKAGE}/archive/v${MY_PV}.tar.gz -> ${P}.tar.gz" KEYWORDS="amd64 arm64" + [ "$DOCKER_GITCOMMIT" ] || die "DOCKER_GITCOMMIT must be added manually for each bump!" 
fi +inherit bash-completion-r1 coreos-go-depend linux-info systemd udev user -inherit bash-completion-r1 eutils linux-info multilib systemd udev user cros-workon coreos-go-depend - -DESCRIPTION="Docker complements kernel namespacing with a high-level API which operates at the process level" +DESCRIPTION="The core functions you need to create Docker images and run Docker containers" HOMEPAGE="https://dockerproject.org" LICENSE="Apache-2.0" SLOT="0" -IUSE="apparmor aufs +btrfs +container-init +device-mapper +overlay pkcs11 +journald seccomp +selinux vim-syntax zsh-completion" +IUSE="apparmor aufs +btrfs +container-init +device-mapper hardened +overlay pkcs11 seccomp +journald +selinux" -# https://github.com/docker/docker/blob/v17.05.0-ce/project/PACKAGERS.md#build-dependencies +# https://github.com/docker/docker/blob/master/project/PACKAGERS.md#build-dependencies CDEPEND=" >=dev-db/sqlite-3.7.9:3 device-mapper? ( >=sys-fs/lvm2-2.02.89[thin] ) - seccomp? ( - >=sys-libs/libseccomp-2.2.1[static-libs] - ) + seccomp? ( >=sys-libs/libseccomp-2.2.1[static-libs] ) + apparmor? ( sys-libs/libapparmor ) " DEPEND=" 
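Review bot: `DOCKER_GITCOMMIT="874a737"` in the release branch is a hand-maintained literal that nothing ties to the `v${MY_PV}` tag fetched through `SRC_URI`, and the guard `[ "$DOCKER_GITCOMMIT" ] || die ...` a few lines below can only catch an empty value, never a stale one carried over from the previous bump. The Manifest hashes cover the tarball but not this string, so a stale value would presumably be exported to the build as the commit id unnoticed. A comment on the assignment would make the bump step explicit, for example `# short hash of the commit tagged v${MY_PV}; re-check on every version bump`.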
@@ -49,26 +55,25 @@ DEPEND=" # or an explicit copy when installing binary packages. See coreos-kernel.eclass DEPEND+="sys-kernel/coreos-kernel" -# https://github.com/docker/docker/blob/master/hack/PACKAGERS.md#runtime-dependencies -# https://github.com/docker/docker/blob/master/hack/PACKAGERS.md#optional-dependencies +# https://github.com/docker/docker/blob/master/project/PACKAGERS.md#runtime-dependencies +# https://github.com/docker/docker/blob/master/project/PACKAGERS.md#optional-dependencies RDEPEND=" ${CDEPEND} - - !app-emulation/docker-bin >=net-firewall/iptables-1.4 sys-process/procps >=dev-vcs/git-1.7 >=app-arch/xz-utils-4.9 - >=sys-apps/shadow-4.4 - >=app-emulation/containerd-0.2.7_p2-r1[seccomp?] - =app-emulation/runc-1.0.0_rc2_p137[apparmor?,seccomp?] + =app-emulation/containerd-0.2.9_p7[seccomp?] + =app-emulation/docker-runc-1.0.0_rc3_p53[apparmor?,seccomp?] app-emulation/docker-proxy container-init? ( >=sys-process/tini-0.13.1 ) " RESTRICT="installsources strip" +S="${WORKDIR}/${P}/src/${COREOS_GO_PACKAGE}" + # see "contrib/check-config.sh" from upstream's sources CONFIG_CHECK=" ~NAMESPACES ~NET_NS ~PID_NS ~IPC_NS ~UTS_NS 
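Review bot: The containerd dependency in RDEPEND moves from a `>=` floor to the exact atom `=app-emulation/containerd-0.2.9_p7[seccomp?]`, and docker-runc is pinned the same way, so a revision bump of either package (for instance a `-r1` that carries a backported fix) stops satisfying docker until this ebuild is edited as well. If the intent is to lock the upstream version only, `~app-emulation/containerd-0.2.9_p7[seccomp?]` and `~app-emulation/docker-runc-1.0.0_rc3_p53[apparmor?,seccomp?]` keep the version fixed while accepting any revision. The RDEPEND block starts and ends in context shared with the lines around this hunk.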
@@ -193,34 +198,30 @@ pkg_setup() { enewgroup docker } -src_prepare() { - # allow user patches (use sparingly - upstream won't support them) - epatch_user - - # remove the .git directory so that hack/make.sh uses DOCKER_GITCOMMIT - # for the commit hash. - rm --recursive --force .git +src_unpack() { + if [ -n "$DOCKER_GITCOMMIT" ]; then + mkdir -p "${S}" + tar --strip-components=1 -C "${S}" -xf "${DISTDIR}/${A}" + else + git-r3_src_unpack + DOCKER_GITCOMMIT=$(git -C "${S}" rev-parse HEAD | head -c 7) + fi } src_compile() { - # if we treat them right, Docker's build scripts will set up a - # reasonable GOPATH for us - export AUTO_GOPATH=1 + export GOPATH="${WORKDIR}/${P}" - # if we're building from a zip, we need the GITCOMMIT value + # setup CFLAGS and LDFLAGS for separate build target + # see https://github.com/tianon/docker-overlay/pull/10 + export CGO_CFLAGS="-I${ROOT}/usr/include" + export CGO_LDFLAGS="-L${ROOT}/usr/$(get_libdir)" + + # if we're building from a tarball, we need the GITCOMMIT value [ "$DOCKER_GITCOMMIT" ] && export DOCKER_GITCOMMIT - if gcc-specs-pie; then - sed -i "s/EXTLDFLAGS_STATIC='/&-fno-PIC /" hack/make.sh || die - grep -q -- '-fno-PIC' hack/make.sh || die 'hardened sed failed' - - sed "s/LDFLAGS_STATIC_DOCKER='/&-extldflags -fno-PIC /" \ - -i hack/make/dynbinary-client || die - sed "s/LDFLAGS_STATIC_DOCKER='/&-extldflags -fno-PIC /" \ - -i hack/make/dynbinary-daemon || die - grep -q -- '-fno-PIC' hack/make/dynbinary-daemon || die 'hardened sed failed' - grep -q -- '-fno-PIC' hack/make/dynbinary-client || die 'hardened sed failed' - fi + # fake golang layout + ln -s docker-ce/components/engine ../docker || die + ln -s docker-ce/components/cli ../cli || die # let's set up some optional features :) export DOCKER_BUILDTAGS='' 
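Review bot: In the new `src_unpack`, neither `mkdir -p "${S}"` nor the `tar` call checks its exit status, and plain external commands do not abort the phase on their own, so a truncated or failed extraction continues into the build with whatever landed in `${S}`. Appending `|| die` to both, e.g. `tar --strip-components=1 -C "${S}" -xf "${DISTDIR}/${A}" || die "unpack failed"`, closes that gap. The same applies to the live branch, where `git -C "${S}" rev-parse HEAD | head -c 7` reports only the status of `head` and can leave `DOCKER_GITCOMMIT` empty. `src_compile` continues past the end of this hunk.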
@@ -236,24 +237,42 @@ src_compile() { fi done - go_export + pushd components/engine || die - # verbose building - export BUILDFLAGS="-x -v" + if use hardened; then + sed -i "s#EXTLDFLAGS_STATIC='#&-fno-PIC $LDFLAGS #" hack/make.sh || die + grep -q -- '-fno-PIC' hack/make.sh || die 'hardened sed failed' + sed "s#LDFLAGS_STATIC_DOCKER='#&-extldflags \"-fno-PIC $LDFLAGS\" #" \ + -i hack/make/dynbinary-daemon || die + grep -q -- '-fno-PIC' hack/make/dynbinary-daemon || die 'hardened sed failed' + fi - # time to build! + # build daemon ./hack/make.sh dynbinary || die 'dynbinary failed' + + popd || die # components/engine + + pushd components/cli || die + + # build cli + emake \ + LDFLAGS="$(usex hardened "-extldflags \"-fno-PIC $LDFLAGS\"" '')" \ + VERSION="$(cat ../../VERSION)" \ + GITCOMMIT="${DOCKER_GITCOMMIT}" \ + dynbinary || die + + popd || die # components/cli } src_install() { - VERSION="$(cat VERSION)" - newbin "bundles/$VERSION/dynbinary-client/docker-$VERSION" docker - newbin "bundles/$VERSION/dynbinary-daemon/dockerd-$VERSION" dockerd dosym containerd /usr/bin/docker-containerd dosym containerd-shim /usr/bin/docker-containerd-shim dosym runc /usr/bin/docker-runc use container-init && dosym tini /usr/bin/docker-init + pushd components/engine || die + newbin "$(readlink -f bundles/latest/dynbinary-daemon/dockerd)" dockerd + newinitd contrib/init/openrc/docker.initd docker newconfd contrib/init/openrc/docker.confd docker 
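Review bot: In `src_compile` the `use hardened` branch adds `-fno-PIC` to the engine's static link flags and to the cli's `LDFLAGS`, so enabling a flag named "hardened" switches position-independent code off for these two binaries, and nothing in the ebuild explains that. A comment above the branch would record it, for example `# NOTE: with USE=hardened, -fno-PIC is passed to the external linker; dockerd and docker are then not built as PIC/PIE` (worded from what the hunk shows, so it should be confirmed against the resulting binaries). Separately, `$LDFLAGS` is spliced into the sed replacement text, where a `#`, `&` or backslash in its value would alter the substitution, and the following `grep` only confirms that `-fno-PIC` landed. `src_compile` begins before this hunk and `src_install` continues after it.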
@@ -273,18 +292,19 @@ src_install() { dodoc AUTHORS CONTRIBUTING.md CHANGELOG.md NOTICE README.md dodoc -r docs/* + insinto /usr/share/vim/vimfiles + doins -r contrib/syntax/vim/ftdetect + doins -r contrib/syntax/vim/syntax + popd || die # components/engine + + pushd components/cli || die + + newbin build/docker-* docker + dobashcomp contrib/completion/bash/* - - if use zsh-completion; then - insinto /usr/share/zsh/site-functions - doins contrib/completion/zsh/* - fi - - if use vim-syntax; then - insinto /usr/share/vim/vimfiles - doins -r contrib/syntax/vim/ftdetect - doins -r contrib/syntax/vim/syntax - fi + insinto /usr/share/zsh/site-functions + doins contrib/completion/zsh/_* + popd || die # components/cli } pkg_postinst() { diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/metadata.xml b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/metadata.xml index 907d5d1da2..16f7009d5e 100644 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/metadata.xml +++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/metadata.xml @@ -8,23 +8,18 @@ scale, in production, on VMs, bare metal, OpenStack clusters, public clouds and more. - proxy-maintainers - + admwiggin@gmail.com Tianon - - xarthisius@gentoo.org - Kacper Kowalik - - - alunduil@gentoo.org - Alex Brandt - - + williamh@gentoo.org William Hubbs + + mrueg@gentoo.org + Manuel RĂ¼ger + Enables dependencies for the "aufs" graph driver, including 
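Review bot: In `src_install` of docker-9999.ebuild (the first hunk on this line, before the metadata.xml change), `newbin build/docker-* docker` depends on the glob matching exactly one file, whereas the daemon is installed from a fixed path resolved with `readlink -f`. `newbin` takes one source and one target name, so a second match such as a leftover build artefact would change what is installed under `/usr/bin/docker`. Expanding the glob into an array and checking it first makes that explicit: `local cli_bins=( build/docker-* )`, `[[ ${#cli_bins[@]} -eq 1 ]] || die "expected one cli binary, got: ${cli_bins[*]}"`, `newbin "${cli_bins[0]}" docker`. `src_install` starts outside this hunk.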
@@ -37,23 +32,20 @@ Enables dependencies for the "btrfs" graph driver, including necessary kernel flags. - - Install additional contrib scripts and components. + + Makes the a staticly-linked init system tini available inside a + container. Enables dependencies for the "devicemapper" graph driver, including necessary kernel flags. - - Enable features labelled by upstream to be of "experimental" - quality and not yet ready for general consumption. - Enables dependencies for the "overlay" graph driver, including necessary kernel flags. - - Enables dependencies for the "lxc" execution driver. + + Enables pkcs-11 support.