diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/Manifest
index f0f73dbcdc..37b8cb7be7 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/Manifest
@@ -1,2 +1,5 @@
+DIST gcc-4.7.3-r1-multilib-bootstrap.tar.bz2 8064097 SHA256 34aec5a59bb4d0ecf908c62fd418461d0f3793238296897687305fd7a1f27299 SHA512 40b93e194ad41a75d649d84d1c49070680f253a13f0617803243bc61c44fed1ca2d0a7572a97ebb79353f312b58b5f6360be916dd7435928cc53935082e15269 WHIRLPOOL bbce19e7fe5c30faa55ddd4e29070f0d1fdfca3a04e8d68e0772260fa9be89ccde63ec92badb490209008df5fee6e53dfdeec4ae51857b90ba298a79315a199f
 DIST glibc-2.17-patches-8.tar.bz2 83707 SHA256 477946a4915dcd0cc0565ff8532d219e2ee868f6e821ea71ce579652d01ccbb3 SHA512 6675357e62b554d9d0f8ef70341b8038f8f89591fba384bc3783ef81aead0532486e2218af71da9c6f88a3b8b382edec81bed36eb636ee231eac80e111acbfd8 WHIRLPOOL 946f431b28ec60cc61d44364187f64a2d6e92ed7c9071126cf70277843c656de4dfac9f184f572f9a72c0cb452d879cdb7aca5b9f92f8ff02a8b1a521fffef43
 DIST glibc-2.17.tar.xz 10981956 SHA256 6914e337401e0e0ade23694e1b2c52a5f09e4eda3270c67e7c3ba93a89b5b23e SHA512 384e54037daaa344a26ce58242acc3f9a249d0765088d18a540a305745afa33ae6dec4024adae958eacd7100be9c713d117260ace8340f6d8c8396dbde4868d2 WHIRLPOOL 9b98c1c298aeff607aaa554341c300c15491b7314f127524fc5c048c67c5059daaf706e6cf206bb69213d5307e37bed87137ab46f504d8072bb778310081fc23
+DIST glibc-2.19-patches-3.tar.bz2 80664 SHA256 6fb03292e224199e0dd9ba7ee83aca723e1560f26831e85cdc6302b187c6de3c SHA512 d281d6a2757920124cf8a3f02b97e75192598b08d96ae48840df34c7ffdcb212952d171f233e6f12a429b19437d0a296212fe1f2eae164d6a1c6793cb3cb69f0 WHIRLPOOL 6f28a2d0dff42e8ad0e77859938e3093753f77f78821375777eebb2db5568bf1c56e8b8208f02280f23acb2dd26dc8a313fedd5b2c10755f1659e6d324a1dbc3
+DIST glibc-2.19.tar.xz 12083312 SHA256 2d3997f588401ea095a0b27227b1d50cdfdd416236f6567b564549d3b46ea2a2 SHA512 9e021fcb3afbb9ace2a0e37fded231a62de861bd766e29d47163a03182e37add718b7acc3963d1c525f9556773e842297725715acde48dcfbaab6e756af1a23d WHIRLPOOL 9581a3a23ebdd56bc559b56b95b7bcd21ca039546ec19c6c0e4e0738597542164fdb21ab1d1f36d5e73a205fb51f0974c7d497972615bce69ae002298f6475b6
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/2.19/glibc-2.19-hardened-configure-picdefault.patch b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/2.19/glibc-2.19-hardened-configure-picdefault.patch
new file mode 100644
index 0000000000..341d8c5028
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/2.19/glibc-2.19-hardened-configure-picdefault.patch
@@ -0,0 +1,30 @@
+Prevent default-fPIE from confusing configure into thinking
+PIC code is default.  This causes glibc to build both PIC and
+non-PIC code as normal, which on the hardened compiler generates
+PIC and PIE.
+
+Patch by Kevin F. Quinn <kevquinn@gentoo.org>
+Fixed for glibc 2.19 by Magnus Granberg <zorry@ume.nu>
+
+--- configure.ac
++++ configure.ac
+@@ -2145,7 +2145,7 @@
+ # error PIC is default.
+ #endif
+ EOF
+-if eval "${CC-cc} -S conftest.c 2>&AS_MESSAGE_LOG_FD 1>&AS_MESSAGE_LOG_FD"; then
++if eval "${CC-cc} -fno-PIE -S conftest.c 2>&AS_MESSAGE_LOG_FD 1>&AS_MESSAGE_LOG_FD"; then
+   libc_cv_pic_default=no
+ fi
+ rm -f conftest.*])
+--- configure
++++ configure
+@@ -7698,7 +7698,7 @@
+ # error PIC is default.
+ #endif
+ EOF
+-if eval "${CC-cc} -S conftest.c 2>&5 1>&5"; then
++if eval "${CC-cc} -fno-PIE -S conftest.c 2>&5 1>&5"; then
+   libc_cv_pic_default=no
+ fi
+ rm -f conftest.*
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/2.20/glibc-2.20-gentoo-chk_fail.c b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/2.20/glibc-2.20-gentoo-chk_fail.c
new file mode 100644
index 0000000000..a8ab9d8a3e
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/2.20/glibc-2.20-gentoo-chk_fail.c
@@ -0,0 +1,299 @@
+/* Copyright (C) 2004-2014 Free Software Foundation, Inc.
+   Copyright (C) 2006-2014 Gentoo Foundation Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, write to the Free
+   Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+   02111-1307 USA.  */
+
+/* Hardened Gentoo SSP and FORTIFY handler
+
+   A failure handler that does not use functions from the rest of glibc;
+   it uses the INTERNAL_SYSCALL methods directly.  This helps ensure no
+   possibility of recursion into the handler.
+
+   Direct all bug reports to http://bugs.gentoo.org/
+
+   People who have contributed significantly to the evolution of this file:
+   Ned Ludd - <solar[@]gentoo.org>
+   Alexander Gabert - <pappy[@]gentoo.org>
+   The PaX Team - <pageexec[@]freemail.hu>
+   Peter S. Mazinger - <ps.m[@]gmx.net>
+   Yoann Vandoorselaere - <yoann[@]prelude-ids.org>
+   Robert Connolly - <robert[@]linuxfromscratch.org>
+   Cory Visi <cory[@]visi.name>
+   Mike Frysinger <vapier[@]gentoo.org>
+   Magnus Granberg <zorry[@]gentoo.org>
+   Kevin F. Quinn - <kevquinn[@]gentoo.org>
+ */
+
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <signal.h>
+
+#include <sys/types.h>
+
+#include <sysdep-cancel.h>
+#include <sys/syscall.h>
+
+#include <kernel-features.h>
+
+#include <alloca.h>
+/* from sysdeps */
+#include <socketcall.h>
+/* for the stuff in bits/socket.h */
+#include <sys/socket.h>
+#include <sys/un.h>
+
+/* Sanity check on SYSCALL macro names - force compilation
+ * failure if the names used here do not exist
+ */
+#if !defined __NR_socketcall && !defined __NR_socket
+# error Cannot do syscall socket or socketcall
+#endif
+#if !defined __NR_socketcall && !defined __NR_connect
+# error Cannot do syscall connect or socketcall
+#endif
+#ifndef __NR_write
+# error Cannot do syscall write
+#endif
+#ifndef __NR_close
+# error Cannot do syscall close
+#endif
+#ifndef __NR_getpid
+# error Cannot do syscall getpid
+#endif
+#ifndef __NR_kill
+# error Cannot do syscall kill
+#endif
+#ifndef __NR_exit
+# error Cannot do syscall exit
+#endif
+#ifdef SSP_SMASH_DUMPS_CORE
+# define ENABLE_SSP_SMASH_DUMPS_CORE 1
+# if !defined _KERNEL_NSIG && !defined _NSIG
+#  error No _NSIG or _KERNEL_NSIG for rt_sigaction
+# endif
+# if !defined __NR_sigaction && !defined __NR_rt_sigaction
+#  error Cannot do syscall sigaction or rt_sigaction
+# endif
+/* Although rt_sigaction expects sizeof(sigset_t) - it expects the size
+ * of the _kernel_ sigset_t which is not the same as the user sigset_t.
+ * Most arches have this as _NSIG bits - mips has _KERNEL_NSIG bits for
+ * some reason.
+ */
+# ifdef _KERNEL_NSIG
+#  define _SSP_NSIG _KERNEL_NSIG
+# else
+#  define _SSP_NSIG _NSIG
+# endif
+#else
+# define _SSP_NSIG 0
+# define ENABLE_SSP_SMASH_DUMPS_CORE 0
+#endif
+
+/* Define DO_SIGACTION - default to newer rt signal interface but
+ * fallback to old as needed.
+ */
+#ifdef __NR_rt_sigaction
+# define DO_SIGACTION(signum, act, oldact) \
+	INLINE_SYSCALL(rt_sigaction, 4, signum, act, oldact, _SSP_NSIG/8)
+#else
+# define DO_SIGACTION(signum, act, oldact) \
+	INLINE_SYSCALL(sigaction, 3, signum, act, oldact)
+#endif
+
+/* Define DO_SOCKET/DO_CONNECT functions to deal with socketcall vs socket/connect */
+#if defined(__NR_socket) && defined(__NR_connect)
+# define USE_OLD_SOCKETCALL 0
+#else
+# define USE_OLD_SOCKETCALL 1
+#endif
+
+/* stub out the __NR_'s so we can let gcc optimize away dead code */
+#ifndef __NR_socketcall
+# define __NR_socketcall 0
+#endif
+#ifndef __NR_socket
+# define __NR_socket 0
+#endif
+#ifndef __NR_connect
+# define __NR_connect 0
+#endif
+#define DO_SOCKET(result, domain, type, protocol) \
+	do { \
+		if (USE_OLD_SOCKETCALL) { \
+			socketargs[0] = domain; \
+			socketargs[1] = type; \
+			socketargs[2] = protocol; \
+			socketargs[3] = 0; \
+			result = INLINE_SYSCALL(socketcall, 2, SOCKOP_socket, socketargs); \
+		} else \
+			result = INLINE_SYSCALL(socket, 3, domain, type, protocol); \
+	} while (0)
+#define DO_CONNECT(result, sockfd, serv_addr, addrlen) \
+	do { \
+		if (USE_OLD_SOCKETCALL) { \
+			socketargs[0] = sockfd; \
+			socketargs[1] = (unsigned long int)serv_addr; \
+			socketargs[2] = addrlen; \
+			socketargs[3] = 0; \
+			result = INLINE_SYSCALL(socketcall, 2, SOCKOP_connect, socketargs); \
+		} else \
+			result = INLINE_SYSCALL(connect, 3, sockfd, serv_addr, addrlen); \
+	} while (0)
+
+#ifndef _PATH_LOG
+# define _PATH_LOG "/dev/log"
+#endif
+
+static const char path_log[] = _PATH_LOG;
+
+/* For building glibc with SSP switched on, define __progname to a
+ * constant if building for the run-time loader, to avoid pulling
+ * in more of libc.so into ld.so
+ */
+#ifdef IS_IN_rtld
+static const char *__progname = "<ldso>";
+#else
+extern const char *__progname;
+#endif
+
+#ifdef GENTOO_SSP_HANDLER
+# define ERROR_MSG "stack smashing"
+#else
+# define ERROR_MSG "buffer overflow"
+#endif
+
+/* Common handler code, used by chk_fail
+ * Inlined to ensure no self-references to the handler within itself.
+ * Data static to avoid putting more than necessary on the stack,
+ * to aid core debugging.
+ */
+__attribute__ ((__noreturn__, __always_inline__))
+static inline void
+__hardened_gentoo_fail(void)
+{
+#define MESSAGE_BUFSIZ 512
+	static pid_t pid;
+	static int plen, i, hlen;
+	static char message[MESSAGE_BUFSIZ];
+	/* <11> is LOG_USER|LOG_ERR. A dummy date for loggers to skip over. */
+	static const char msg_header[] = "<11>" __DATE__ " " __TIME__ " glibc-gentoo-hardened-check: ";
+	static const char msg_ssd[] = "*** " ERROR_MSG " detected ***: ";
+	static const char msg_terminated[] = " terminated; ";
+	static const char msg_report[] = "report to " REPORT_BUGS_TO "\n";
+	static const char msg_unknown[] = "<unknown>";
+	static int log_socket, connect_result;
+	static struct sockaddr_un sock;
+	static unsigned long int socketargs[4];
+
+	/* Build socket address */
+	sock.sun_family = AF_UNIX;
+	i = 0;
+	while (path_log[i] != '\0' && i < sizeof(sock.sun_path) - 1) {
+		sock.sun_path[i] = path_log[i];
+		++i;
+	}
+	sock.sun_path[i] = '\0';
+
+	/* Try SOCK_DGRAM connection to syslog */
+	connect_result = -1;
+	DO_SOCKET(log_socket, AF_UNIX, SOCK_DGRAM, 0);
+	if (log_socket != -1)
+		DO_CONNECT(connect_result, log_socket, &sock, sizeof(sock));
+	if (connect_result == -1) {
+		if (log_socket != -1)
+			INLINE_SYSCALL(close, 1, log_socket);
+		/* Try SOCK_STREAM connection to syslog */
+		DO_SOCKET(log_socket, AF_UNIX, SOCK_STREAM, 0);
+		if (log_socket != -1)
+			DO_CONNECT(connect_result, log_socket, &sock, sizeof(sock));
+	}
+
+	/* Build message.  Messages are generated both in the old style and new style,
+	 * so that log watchers that are configured for the old-style message continue
+	 * to work.
+	 */
+#define strconcat(str) \
+	({ \
+		i = 0; \
+		while ((str[i] != '\0') && ((i + plen) < (MESSAGE_BUFSIZ - 1))) { \
+			message[plen + i] = str[i]; \
+			++i; \
+		} \
+		plen += i; \
+	})
+
+	/* Tersely log the failure */
+	plen = 0;
+	strconcat(msg_header);
+	hlen = plen;
+	strconcat(msg_ssd);
+	if (__progname != NULL)
+		strconcat(__progname);
+	else
+		strconcat(msg_unknown);
+	strconcat(msg_terminated);
+	strconcat(msg_report);
+
+	/* Write out error message to STDERR, to syslog if open */
+	INLINE_SYSCALL(write, 3, STDERR_FILENO, message + hlen, plen - hlen);
+	if (connect_result != -1) {
+		INLINE_SYSCALL(write, 3, log_socket, message, plen);
+		INLINE_SYSCALL(close, 1, log_socket);
+	}
+
+	/* Time to kill self since we have no idea what is going on */
+	pid = INLINE_SYSCALL(getpid, 0);
+
+	if (ENABLE_SSP_SMASH_DUMPS_CORE) {
+		/* Remove any user-supplied handler for SIGABRT, before using it. */
+#if 0
+		/*
+		 * Note: Disabled because some programs catch & process their
+		 * own crashes.  We've already enabled this code path which
+		 * means we want to let core dumps happen.
+		 */
+		static struct sigaction default_abort_act;
+		default_abort_act.sa_handler = SIG_DFL;
+		default_abort_act.sa_sigaction = NULL;
+		__sigfillset(&default_abort_act.sa_mask);
+		default_abort_act.sa_flags = 0;
+		if (DO_SIGACTION(SIGABRT, &default_abort_act, NULL) == 0)
+#endif
+			INLINE_SYSCALL(kill, 2, pid, SIGABRT);
+	}
+
+	/* SIGKILL is only signal which cannot be caught */
+	INLINE_SYSCALL(kill, 2, pid, SIGKILL);
+
+	/* In case the kill didn't work, exit anyway.
+	 * The loop prevents gcc thinking this routine returns.
+	 */
+	while (1)
+		INLINE_SYSCALL(exit, 1, 137);
+}
+
+__attribute__ ((__noreturn__))
+#ifdef GENTOO_SSP_HANDLER
+void __stack_chk_fail(void)
+#else
+void __chk_fail(void)
+#endif
+{
+	__hardened_gentoo_fail();
+}
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/2.20/glibc-2.20-gentoo-stack_chk_fail.c b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/2.20/glibc-2.20-gentoo-stack_chk_fail.c
new file mode 100644
index 0000000000..4a537bb52c
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/2.20/glibc-2.20-gentoo-stack_chk_fail.c
@@ -0,0 +1,2 @@
+#define GENTOO_SSP_HANDLER
+#include <debug/chk_fail.c>
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/2.20/glibc-2.20-hardened-inittls-nosysenter.patch b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/2.20/glibc-2.20-hardened-inittls-nosysenter.patch
new file mode 100644
index 0000000000..35eabe9401
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/2.20/glibc-2.20-hardened-inittls-nosysenter.patch
@@ -0,0 +1,306 @@
+When building glibc PIE (which is not something upstream support),
+several modifications are necessary to the glibc build process.
+
+First, any syscalls in PIEs must be of the PIC variant, otherwise
+textrels ensue.  Then, any syscalls made before the initialisation
+of the TLS will fail on i386, as the sysenter variant on i386 uses
+the TLS, giving rise to a chicken-and-egg situation.  This patch
+defines a PIC syscall variant that doesn't use sysenter, even when the sysenter
+version is normally used, and uses the non-sysenter version for the brk
+syscall that is performed by the TLS initialisation.  Further, the TLS
+initialisation is moved in this case prior to the initialisation of
+dl_osversion, as that requires further syscalls.
+
+csu/libc-start.c: Move initial TLS initialization to before the
+initialisation of dl_osversion, when INTERNAL_SYSCALL_PRE_TLS is defined
+
+csu/libc-tls.c: Use the no-sysenter version of sbrk when
+INTERNAL_SYSCALL_PRE_TLS is defined.
+
+misc/sbrk.c: Define a no-sysenter version of sbrk, using the no-sysenter
+version of brk - if INTERNAL_SYSCALL_PRE_TLS is defined.
+
+misc/brk.c: Define a no-sysenter version of brk if
+INTERNAL_SYSCALL_PRE_TLS is defined.
+
+sysdeps/unix/sysv/linux/i386/sysdep.h: Define INTERNAL_SYSCALL_PRE_TLS
+Make INTERNAL_SYSCALL always use the PIC variant, even if not SHARED.
+
+Patch by Kevin F. Quinn <kevquinn@gentoo.org>
+Fixed for 2.10 by Magnus Granberg <zorry@ume.nu>
+Fixed for 2.18 by Magnus Granberg <zorry@gentoo.org>
+Fixed for 2.20 by Francisco Blas Izquierdo Riera <klondike@gentoo.org>
+
+--- a/csu/libc-start.c
++++ b/csu/libc-start.c
+@@ -28,6 +28,7 @@
+ extern int __libc_multiple_libcs;
+ 
+ #include <tls.h>
++#include <sysdep.h>
+ #ifndef SHARED
+ # include <dl-osinfo.h>
+ extern void __pthread_initialize_minimal (void);
+@@ -170,6 +171,11 @@ LIBC_START_MAIN (int (*main) (int, char
+         }
+     }
+ 
++# ifdef INTERNAL_SYSCALL_PRE_TLS
++  /* Do the initial TLS initialization before _dl_osversion,
++     since the latter uses the uname syscall.  */
++  __pthread_initialize_minimal ();
++# endif
+ # ifdef DL_SYSDEP_OSCHECK
+   if (!__libc_multiple_libcs)
+     {
+@@ -138,10 +144,12 @@
+     }
+ # endif
+ 
++# ifndef INTERNAL_SYSCALL_PRE_TLS
+   /* Initialize the thread library at least a bit since the libgcc
+      functions are using thread functions if these are available and
+      we need to setup errno.  */
+   __pthread_initialize_minimal ();
++# endif
+ 
+   /* Set up the stack checker's canary.  */
+   uintptr_t stack_chk_guard = _dl_setup_stack_chk_guard ();
+--- a/csu/libc-tls.c
++++ b/csu/libc-tls.c
+@@ -22,12 +22,17 @@
+ #include <unistd.h>
+ #include <stdio.h>
+ #include <sys/param.h>
++#include <sysdep.h>
+ 
+ 
+ #ifdef SHARED
+  #error makefile bug, this file is for static only
+ #endif
+ 
++#ifdef INTERNAL_SYSCALL_PRE_TLS
++extern void *__sbrk_nosysenter (intptr_t __delta);
++#endif
++
+ dtv_t _dl_static_dtv[2 + TLS_SLOTINFO_SURPLUS];
+ 
+ 
+@@ -139,20 +144,29 @@ __libc_setup_tls (size_t tcbsize, size_t
+ 
+      The initialized value of _dl_tls_static_size is provided by dl-open.c
+      to request some surplus that permits dynamic loading of modules with
+-     IE-model TLS.  */
++     IE-model TLS.
++
++     Where the normal sbrk would use a syscall that needs the TLS (i386)
++     use the special non-sysenter version instead.  */
++#ifdef INTERNAL_SYSCALL_PRE_TLS
++# define __sbrk __sbrk_nosysenter
++#endif
+ #if TLS_TCB_AT_TP
+   tcb_offset = roundup (memsz + GL(dl_tls_static_size), tcbalign);
+   tlsblock = __sbrk (tcb_offset + tcbsize + max_align);
+ #elif TLS_DTV_AT_TP
+   tcb_offset = roundup (tcbsize, align ?: 1);
+   tlsblock = __sbrk (tcb_offset + memsz + max_align
+ 		     + TLS_PRE_TCB_SIZE + GL(dl_tls_static_size));
+   tlsblock += TLS_PRE_TCB_SIZE;
+ #else
+   /* In case a model with a different layout for the TCB and DTV
+      is defined add another #elif here and in the following #ifs.  */
+ # error "Either TLS_TCB_AT_TP or TLS_DTV_AT_TP must be defined"
+ #endif
++#ifdef INTERNAL_SYSCALL_PRE_TLS
++# undef __sbrk
++#endif
+ 
+   /* Align the TLS block.  */
+   tlsblock = (void *) (((uintptr_t) tlsblock + max_align - 1)
+--- a/misc/sbrk.c
++++ b/misc/sbrk.c
+@@ -18,6 +18,7 @@
+ #include <errno.h>
+ #include <stdint.h>
+ #include <unistd.h>
++#include <sysdep.h>
+ 
+ /* Defined in brk.c.  */
+ extern void *__curbrk;
+@@ -29,6 +30,35 @@
+ /* Extend the process's data space by INCREMENT.
+    If INCREMENT is negative, shrink data space by - INCREMENT.
+    Return start of new space allocated, or -1 for errors.  */
++#ifdef INTERNAL_SYSCALL_PRE_TLS
++/* This version is used by csu/libc-tls.c whem initialising the TLS
++   if the SYSENTER version requires the TLS (which it does on i386).
++   Obviously using the TLS before it is initialised is broken. */
++extern int __brk_nosysenter (void *addr);
++void *
++__sbrk_nosysenter (intptr_t increment)
++{
++  void *oldbrk;
++
++  /* If this is not part of the dynamic library or the library is used via
++     dynamic loading in a statically linked program update __curbrk from the
++     kernel's brk value.  That way two separate instances of __brk and __sbrk
++     can share the heap, returning interleaved pieces of it.  */
++  if (__curbrk == NULL || __libc_multiple_libcs)
++    if (__brk_nosysenter (0) < 0)		/* Initialize the break.  */
++      return (void *) -1;
++
++  if (increment == 0)
++    return __curbrk;
++
++  oldbrk = __curbrk;
++  if (__brk_nosysenter (oldbrk + increment) < 0)
++    return (void *) -1;
++
++  return oldbrk;
++}
++#endif
++
+ void *
+ __sbrk (intptr_t increment)
+ {
+--- a/sysdeps/unix/sysv/linux/i386/brk.c
++++ b/sysdeps/unix/sysv/linux/i386/brk.c
+@@ -31,6 +31,30 @@
+    linker.  */
+ weak_alias (__curbrk, ___brk_addr)
+ 
++#ifdef INTERNAL_SYSCALL_PRE_TLS
++/* This version is used by csu/libc-tls.c whem initialising the TLS
++   if the SYSENTER version requires the TLS (which it does on i386).
++   Obviously using the TLS before it is initialised is broken.  */
++int
++__brk_nosysenter (void *addr)
++{
++  void *newbrk;
++
++  INTERNAL_SYSCALL_DECL (err);
++  newbrk = (void *) INTERNAL_SYSCALL_PRE_TLS (brk, err, 1, addr);
++
++  __curbrk = newbrk;
++
++  if (newbrk < addr)
++    {
++      __set_errno (ENOMEM);
++      return -1;
++    }
++
++  return 0;
++}
++#endif
++
+ int
+ __brk (void *addr)
+ {
+--- a/sysdeps/unix/sysv/linux/i386/sysdep.h
++++ b/sysdeps/unix/sysv/linux/i386/sysdep.h
+@@ -187,7 +187,7 @@
+ /* The original calling convention for system calls on Linux/i386 is
+    to use int $0x80.  */
+ #ifdef I386_USE_SYSENTER
+-# ifdef SHARED
++# ifdef __PIC__
+ #  define ENTER_KERNEL call *%gs:SYSINFO_OFFSET
+ # else
+ #  define ENTER_KERNEL call *_dl_sysinfo
+@@ -358,7 +358,7 @@
+    possible to use more than four parameters.  */
+ #undef INTERNAL_SYSCALL
+ #ifdef I386_USE_SYSENTER
+-# ifdef SHARED
++# ifdef __PIC__
+ #  define INTERNAL_SYSCALL(name, err, nr, args...) \
+   ({									      \
+     register unsigned int resultvar;					      \
+@@ -384,6 +384,18 @@
+     : "0" (name), "i" (offsetof (tcbhead_t, sysinfo))			      \
+       ASMFMT_##nr(args) : "memory", "cc");				      \
+     (int) resultvar; })
++#  define INTERNAL_SYSCALL_PRE_TLS(name, err, nr, args...) \
++  ({									      \
++    register unsigned int resultvar;					      \
++    EXTRAVAR_##nr							      \
++    asm volatile (							      \
++    LOADARGS_NOSYSENTER_##nr						      \
++    "movl %1, %%eax\n\t"						      \
++    "int $0x80\n\t"							      \
++    RESTOREARGS_NOSYSENTER_##nr						      \
++    : "=a" (resultvar)							      \
++    : "i" (__NR_##name) ASMFMT_##nr(args) : "memory", "cc");		      \
++    (int) resultvar; })
+ # else
+ #  define INTERNAL_SYSCALL(name, err, nr, args...) \
+   ({									      \
+@@ -447,12 +459,20 @@
+ 
+ #define LOADARGS_0
+ #ifdef __PIC__
+-# if defined I386_USE_SYSENTER && defined SHARED
++# if defined I386_USE_SYSENTER && defined __PIC__
+ #  define LOADARGS_1 \
+     "bpushl .L__X'%k3, %k3\n\t"
+ #  define LOADARGS_5 \
+     "movl %%ebx, %4\n\t"						      \
+     "movl %3, %%ebx\n\t"
++#  define LOADARGS_NOSYSENTER_1 \
++    "bpushl .L__X'%k2, %k2\n\t"
++#  define LOADARGS_NOSYSENTER_2	LOADARGS_NOSYSENTER_1
++#  define LOADARGS_NOSYSENTER_3	LOADARGS_3
++#  define LOADARGS_NOSYSENTER_4	LOADARGS_3
++#  define LOADARGS_NOSYSENTER_5 \
++    "movl %%ebx, %3\n\t"						      \
++    "movl %2, %%ebx\n\t"
+ # else
+ #  define LOADARGS_1 \
+     "bpushl .L__X'%k2, %k2\n\t"
+@@ -474,11 +494,18 @@
+ 
+ #define RESTOREARGS_0
+ #ifdef __PIC__
+-# if defined I386_USE_SYSENTER && defined SHARED
++# if defined I386_USE_SYSENTER && defined __PIC__
+ #  define RESTOREARGS_1 \
+     "bpopl .L__X'%k3, %k3\n\t"
+ #  define RESTOREARGS_5 \
+     "movl %4, %%ebx"
++#  define RESTOREARGS_NOSYSENTER_1 \
++    "bpopl .L__X'%k2, %k2\n\t"
++#  define RESTOREARGS_NOSYSENTER_2	RESTOREARGS_NOSYSENTER_1
++#  define RESTOREARGS_NOSYSENTER_3	RESTOREARGS_3
++#  define RESTOREARGS_NOSYSENTER_4	RESTOREARGS_3
++#  define RESTOREARGS_NOSYSENTER_5 \
++    "movl %3, %%ebx"
+ # else
+ #  define RESTOREARGS_1 \
+     "bpopl .L__X'%k2, %k2\n\t"
+--- a/sysdeps/i386/nptl/tls.h
++++ b/sysdeps/i386/nptl/tls.h
+@@ -189,6 +189,15 @@
+   desc->vals[3] = 0x51;
+ }
+ 
++/* We have no sysenter until the tls is initialized which is a
++   problem for PIC. Thus we need to do the right call depending
++   on the situation.  */
++#ifndef INTERNAL_SYSCALL_PRE_TLS
++# define TLS_INIT_SYSCALL INTERNAL_SYSCALL
++#else
++# define TLS_INIT_SYSCALL INTERNAL_SYSCALL_PRE_TLS
++#endif
++
+ /* Code to initially initialize the thread pointer.  This might need
+    special attention since 'errno' is not yet available and if the
+    operation can cause a failure 'errno' must not be touched.  */
+@@ -209,7 +218,7 @@
+ 									      \
+      /* Install the TLS.  */						      \
+      INTERNAL_SYSCALL_DECL (err);					      \
+-     _result = INTERNAL_SYSCALL (set_thread_area, err, 1, &_segdescr.desc);   \
++     _result = TLS_INIT_SYSCALL (set_thread_area, err, 1, &_segdescr.desc);   \
+ 									      \
+      if (_result == 0)							      \
+        /* We know the index in the GDT, now load the segment register.	      \
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/eblits/common.eblit b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/eblits/common.eblit
index 91df3f2454..2f7471ed32 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/eblits/common.eblit
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/eblits/common.eblit
@@ -1,13 +1,21 @@
 # Copyright 1999-2014 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-libs/glibc/files/eblits/common.eblit,v 1.34 2014/01/16 17:38:31 vapier Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-libs/glibc/files/eblits/common.eblit,v 1.45 2014/10/18 23:09:51 vapier Exp $
 
 alt_prefix() {
 	is_crosscompile && echo /usr/${CTARGET}
 }
 
-: ${ED:=${D}}
-: ${EROOT:=${ROOT}}
+if [[ ${EAPI:-0} == [012] ]] ; then
+	: ${ED:=${D}}
+	: ${EROOT:=${ROOT}}
+fi
+# This indirection is for binpkgs. #523332
+_nonfatal() { nonfatal "$@" ; }
+if [[ ${EAPI:-0} == [0123] ]] ; then
+	nonfatal() { "$@" ; }
+	_nonfatal() { "$@" ; }
+fi
 
 # We need to be able to set alternative headers for
 # compiling for non-native platform
@@ -21,7 +29,7 @@ alt_build_headers() {
 	if [[ -z ${ALT_BUILD_HEADERS} ]] ; then
 		ALT_BUILD_HEADERS=$(alt_headers)
 		if tc-is-cross-compiler ; then
-			ALT_BUILD_HEADERS=${ROOT}$(alt_headers)
+			ALT_BUILD_HEADERS=${SYSROOT}$(alt_headers)
 			if [[ ! -e ${ALT_BUILD_HEADERS}/linux/version.h ]] ; then
 				local header_path=$(echo '#include <linux/version.h>' | $(tc-getCPP ${CTARGET}) ${CFLAGS} 2>&1 | grep -o '[^"]*linux/version.h')
 				ALT_BUILD_HEADERS=${header_path%/linux/version.h}
@@ -38,6 +46,10 @@ alt_usrlibdir() {
 	echo $(alt_prefix)/usr/$(get_libdir)
 }
 
+builddir() {
+	echo "${WORKDIR}/build-${ABI}-${CTARGET}-$1"
+}
+
 setup_target_flags() {
 	# This largely mucks with compiler flags.  None of which should matter
 	# when building up just the headers.
@@ -160,7 +172,7 @@ setup_flags() {
 	filter-flags -frecord-gcc-switches
 
 	unset CBUILD_OPT CTARGET_OPT
-	if has_multilib_profile ; then
+	if use multilib ; then
 		CTARGET_OPT=$(get_abi_CTARGET)
 		[[ -z ${CTARGET_OPT} ]] && CTARGET_OPT=$(get_abi_CHOST)
 	fi
@@ -183,7 +195,12 @@ setup_flags() {
 	# building glibc with SSP is fraught with difficulty, especially
 	# due to __stack_chk_fail_local which would mean significant changes
 	# to the glibc build process. See bug #94325 #293721
-	gcc-specs-ssp && append-cflags $(test-flags-CC -fno-stack-protector)
+	# Note we have to handle both user-given CFLAGS and gcc defaults via
+	# spec rules here.  We can't simply add -fno-stack-protector as it gets
+	# added before user flags, and we can't just filter-flags because
+	# _filter_hardened doesn't support globs.
+	filter-flags -fstack-protector*
+	gcc-specs-ssp && append-flags $(test-flags -fno-stack-protector)
 
 	if use hardened && gcc-specs-pie ; then
 		# Force PIC macro definition for all compilations since they're all
@@ -201,15 +218,8 @@ want_nptl() {
 	want_tls || return 1
 	use nptl || return 1
 
-	# Only list the arches that cannot do NPTL
-	case $(tc-arch) in
-		m68k) return 1;;
-		sparc)
-			# >= v9 is needed for nptl.
-			[[ ${PROFILE_ARCH} == "sparc" ]] && return 1
-		;;
-	esac
-
+	# Older versions of glibc had incomplete arch support for nptl.
+	# But if you're building those now, you can handle USE=nptl yourself.
 	return 0
 }
 
@@ -269,6 +279,7 @@ use_multiarch() {
 setup_env() {
 	# silly users
 	unset LD_RUN_PATH
+	unset LD_ASSUME_KERNEL
 
 	multilib_env ${CTARGET_OPT:-${CTARGET}}
 	if is_crosscompile || tc-is-cross-compiler ; then
@@ -297,6 +308,28 @@ setup_env() {
 	export __GLIBC_CC CC="${__GLIBC_CC} ${!VAR}"
 }
 
+foreach_abi() {
+	setup_env
+
+	local ret=0
+	local abilist=""
+	if use multilib ; then
+		abilist=$(get_install_abis)
+	else
+		abilist=${DEFAULT_ABI}
+	fi
+	evar_push ABI
+	export ABI
+	for ABI in ${abilist:-default} ; do
+		setup_env
+		einfo "Running $1 for ABI ${ABI}"
+		$1
+		: $(( ret |= $? ))
+	done
+	evar_pop
+	return ${ret}
+}
+
 just_headers() {
 	is_crosscompile && use crosscompile_opts_headers-only
 }
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/eblits/pkg_preinst.eblit b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/eblits/pkg_preinst.eblit
index b54487d196..0fcb24a09e 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/eblits/pkg_preinst.eblit
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/eblits/pkg_preinst.eblit
@@ -1,10 +1,13 @@
-# Copyright 1999-2013 Gentoo Foundation
+# Copyright 1999-2014 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-libs/glibc/files/eblits/pkg_preinst.eblit,v 1.11 2013/06/29 03:22:32 heroxbd Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-libs/glibc/files/eblits/pkg_preinst.eblit,v 1.13 2014/08/10 03:35:56 vapier Exp $
 
 # Simple test to make sure our new glibc isnt completely broken.
 # Make sure we don't test with statically built binaries since
 # they will fail.  Also, skip if this glibc is a cross compiler.
+#
+# If coreutils is built with USE=multicall, some of these files
+# will just be wrapper scripts, not actual ELFs we can test.
 glibc_sanity_check() {
 	cd / #228809
 
@@ -18,11 +21,14 @@ glibc_sanity_check() {
 	pushd "${ED}"/$(get_libdir) >/dev/null
 
 	local x striptest
-	for x in date env ls true uname ; do
+	for x in cal date env free ls true uname uptime ; do
 		x=$(type -p ${x})
 		[[ -z ${x} || ${x} != ${EPREFIX}/* ]] && continue
 		striptest=$(LC_ALL="C" file -L ${x} 2>/dev/null) || continue
-		[[ ${striptest} == *"statically linked"* ]] && continue
+		case ${striptest} in
+		*"statically linked"*) continue;;
+		*"ASCII text"*) continue;;
+		esac
 		./ld-*.so --library-path . ${x} > /dev/null \
 			|| die "simple run test (${x}) failed"
 	done
@@ -54,7 +60,10 @@ eblit-glibc-pkg_preinst() {
 			eerror "you have devpts mounted at /dev/pts with the gid=5 option."
 			eerror "Openrc should do this for you, so you should check /etc/fstab"
 			eerror "and make sure you do not have any invalid settings there."
-			die "mount & fix your /dev/pts settings"
+			# Do not die on older kernels as devpts did not export these settings #489520.
+			if version_is_at_least 2.6.25 $(uname -r) ; then
+				die "mount & fix your /dev/pts settings"
+			fi
 		fi
 	fi
 }
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/eblits/pkg_setup.eblit b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/eblits/pkg_setup.eblit
index 1bf06c2596..bd5b093d10 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/eblits/pkg_setup.eblit
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/eblits/pkg_setup.eblit
@@ -1,6 +1,6 @@
-# Copyright 1999-2013 Gentoo Foundation
+# Copyright 1999-2014 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-libs/glibc/files/eblits/pkg_setup.eblit,v 1.11 2013/06/29 03:22:32 heroxbd Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-libs/glibc/files/eblits/pkg_setup.eblit,v 1.14 2014/10/17 17:30:04 vapier Exp $
 
 glibc_compile_test() {
 	local ret save_cflags=${CFLAGS}
@@ -12,7 +12,7 @@ glibc_compile_test() {
 	rm -f glibc-test*
 	printf '%b' "$*" > glibc-test.c
 
-	emake -s glibc-test
+	_nonfatal emake -s glibc-test
 	ret=$?
 
 	popd >/dev/null
@@ -48,7 +48,10 @@ glibc_run_test() {
 eblit-glibc-pkg_setup() {
 	# prevent native builds from downgrading ... maybe update to allow people
 	# to change between diff -r versions ? (2.3.6-r4 -> 2.3.6-r2)
-	if [[ ${ROOT} == "/" ]] && [[ ${CBUILD} == ${CHOST} ]] && [[ ${CHOST} == ${CTARGET} ]] ; then
+	if [[ ${MERGE_TYPE} != "buildonly" ]] && \
+	   [[ ${ROOT} == "/" ]] && \
+	   [[ ${CBUILD} == ${CHOST} ]] && \
+	   [[ ${CHOST} == ${CTARGET} ]] ; then
 		if has_version '>'${CATEGORY}/${PF} ; then
 			eerror "Sanity check to keep you from breaking your system:"
 			eerror " Downgrading glibc is not supported and a sure way to destruction"
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/eblits/src_compile.eblit b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/eblits/src_compile.eblit
index d02f0d5223..7704d83fcf 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/eblits/src_compile.eblit
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/eblits/src_compile.eblit
@@ -1,254 +1,24 @@
 # Copyright 1999-2014 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-libs/glibc/files/eblits/src_compile.eblit,v 1.37 2014/01/17 06:23:22 vapier Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-libs/glibc/files/eblits/src_compile.eblit,v 1.45 2014/09/10 18:45:21 vapier Exp $
 
-glibc_do_configure() {
-	local myconf=()
-
-	einfo "Configuring GLIBC for $1"
-
-	# set addons
-	pushd "${S}" > /dev/null
-	local ADDONS=$(echo */configure | sed \
-		-e 's:/configure::g' \
-		-e 's:\(linuxthreads\|nptl\|rtkaio\|glibc-compat\)\( \|$\)::g' \
-		-e 's: \+$::' \
-		-e 's! !,!g' \
-		-e 's!^!,!' \
-		-e '/^,\*$/d')
-	[[ -d ports ]] && ADDONS="${ADDONS},ports"
-	popd > /dev/null
-
-	myconf+=( $(use_enable hardened stackguard-randomization) )
-	if has_version '<sys-libs/glibc-2.13' ; then
-		myconf+=( --enable-old-ssp-compat )
-	fi
-
-	[[ $(tc-is-softfloat) == "yes" ]] && myconf+=( --without-fp )
-
-	if [[ $1 == "linuxthreads" ]] ; then
-		if want_tls ; then
-			myconf+=( --with-tls )
-
-			if ! want__thread || use glibc-compat20 || [[ ${LT_KER_VER} == 2.[02].* ]] ; then
-				myconf+=( --without-__thread )
-			else
-				myconf+=( --with-__thread )
-			fi
-		else
-			myconf+=( --without-tls --without-__thread )
-		fi
-
-		myconf+=( --disable-sanity-checks )
-		myconf+=( --enable-add-ons="linuxthreads${ADDONS}" )
-		myconf+=( --enable-kernel=${LT_KER_VER} )
-	elif [[ $1 == "nptl" ]] ; then
-		myconf+=( --enable-add-ons="nptl${ADDONS}" )
-		myconf+=( --enable-kernel=${NPTL_KERN_VER} )
-	else
-		die "invalid pthread option"
-	fi
-
-	# Since SELinux support is only required for nscd, only enable it if:
-	# 1. USE selinux
-	# 2. only for the primary ABI on multilib systems
-	# 3. Not a crosscompile
-	if ! is_crosscompile && use selinux ; then
-		if use multilib || has_multilib_profile ; then
-			if is_final_abi ; then
-				myconf+=( --with-selinux )
-			else
-				myconf+=( --without-selinux )
-			fi
-		else
-			myconf+=( --with-selinux )
-		fi
-	else
-		myconf+=( --without-selinux )
-	fi
-
-	myconf+=(
-		--without-cvs
-		--enable-bind-now
-		--build=${CBUILD_OPT:-${CBUILD}}
-		--host=${CTARGET_OPT:-${CTARGET}}
-		$(use_enable profile)
-		$(use_with gd)
-		--with-headers=$(alt_build_headers)
-		--prefix=/usr
-		--libdir=/usr/$(get_libdir)
-		--mandir=/usr/share/man
-		--infodir=/usr/share/info
-		--libexecdir=/usr/$(get_libdir)/misc/glibc
-		--with-bugurl=http://bugs.gentoo.org/
-		--with-pkgversion="$(glibc_banner)"
-		$(use_multiarch || echo --disable-multi-arch)
-		--enable-obsolete-rpc
-		$(in_iuse systemtap && use_enable systemtap)
-		$(in_iuse nscd && use_enable nscd)
-		${EXTRA_ECONF}
-	)
-
-	# There is no configure option for this and we need to export it
-	# since the glibc build will re-run configure on itself
-	export libc_cv_slibdir=/$(get_libdir)
-
-	# We take care of patching our binutils to use both hash styles,
-	# and many people like to force gnu hash style only, so disable
-	# this overriding check.  #347761
-	export libc_cv_hashstyle=no
-
-	# Overtime, generating info pages can be painful.  So disable this for
-	# versions older than the latest stable to avoid the issue (this ver
-	# should be updated from time to time).  #464394 #465816
-	if ! version_is_at_least 2.17 ; then
-		export ac_cv_prog_MAKEINFO=:
-	fi
-
-	local GBUILDDIR=${WORKDIR}/build-${ABI}-${CTARGET}-$1
-	mkdir -p "${GBUILDDIR}"
-	cd "${GBUILDDIR}"
-	set -- "${S}"/configure "${myconf[@]}"
-	echo "$@"
-	"$@" || die "failed to configure glibc"
-
-	# ia64 static cross-compilers are a pita in so much that they
-	# can't produce static ELFs (as the libgcc.a is broken).  so
-	# disable building of the programs for those targets if it
-	# doesn't work.
-	# XXX: We could turn this into a compiler test, but ia64 is
-	# the only one that matters, so this should be fine for now.
-	if is_crosscompile && [[ ${CTARGET} == ia64* ]] ; then
-		sed -i '1i+link-static = touch $@' config.make
-	fi
-}
+[[ ${EAPI:-0} == [01] ]] && source "${FILESDIR}/eblits/src_configure.eblit"
 
 toolchain-glibc_src_compile() {
-	echo
-	local v
-	for v in ABI CBUILD CHOST CTARGET CBUILD_OPT CTARGET_OPT CC {AS,C,CPP,CXX,LD}FLAGS ; do
-		einfo " $(printf '%15s' ${v}:)   ${!v}"
+	local t
+	for t in linuxthreads nptl ; do
+		if want_${t} ; then
+			[[ ${EAPI:-0} == [01] ]] && glibc_do_configure ${t}
+			emake -C "$(builddir ${t})" || die "make ${t} for ${ABI} failed"
+		fi
 	done
-
-	export CC=$(tc-getCC ${CTARGET})
-	# Glibc does not work with gold (for various reasons) #269274.
-	if $(tc-getLD ${CTARGET}) --version | grep -q 'GNU gold' ; then
-		local d="${T}/bfd-linker"
-		mkdir -p "${d}"
-		ln -sf $(which ${CTARGET}-ld.bfd) "${d}"/ld
-		CC+=" -B${d}"
-	fi
-	einfo " $(printf '%15s' 'Manual CC:')   ${CC}"
-	echo
-
-	if want_linuxthreads ; then
-		glibc_do_configure linuxthreads
-		emake || die "make for ${ABI} failed"
-	fi
-	if want_nptl ; then
-		# ... and then do the optional nptl build
-		unset LD_ASSUME_KERNEL
-		glibc_do_configure nptl
-		emake || die "make for ${ABI} failed"
-	fi
-}
-
-toolchain-glibc_headers_compile() {
-	local GBUILDDIR=${WORKDIR}/build-${ABI}-${CTARGET}-headers
-	mkdir -p "${GBUILDDIR}"
-	cd "${GBUILDDIR}"
-
-	# if we don't have a compiler yet, we cant really test it now ...
-	# hopefully they don't affect header geneation, so let's hope for
-	# the best here ...
-	local v vars=(
-		ac_cv_header_cpuid_h=yes
-		libc_cv_{386,390,alpha,arm,hppa,ia64,mips,{powerpc,sparc}{,32,64},sh,x86_64}_tls=yes
-		libc_cv_asm_cfi_directives=yes
-		libc_cv_broken_visibility_attribute=no
-		libc_cv_gcc___thread=yes
-		libc_cv_mlong_double_128=yes
-		libc_cv_mlong_double_128ibm=yes
-		libc_cv_ppc_machine=yes
-		libc_cv_ppc_rel16=yes
-		libc_cv_predef_{fortify_source,stack_protector}=no
-		libc_cv_visibility_attribute=yes
-		libc_cv_z_combreloc=yes
-		libc_cv_z_execstack=yes
-		libc_cv_z_initfirst=yes
-		libc_cv_z_nodelete=yes
-		libc_cv_z_nodlopen=yes
-		libc_cv_z_relro=yes
-		libc_mips_abi=${ABI}
-		libc_mips_float=$([[ $(tc-is-softfloat) == "yes" ]] && echo soft || echo hard)
-	)
-	einfo "Forcing cached settings:"
-	for v in "${vars[@]}" ; do
-		einfo " ${v}"
-		export ${v}
-	done
-
-	# Pick out the correct location for build headers
-	local ports="" myconf=()
-	[[ -d ${S}/ports ]] && ports=",ports"
-	myconf+=(
-		--disable-sanity-checks
-		--enable-hacker-mode
-		--enable-add-ons=nptl${ports}
-		--without-cvs
-		--enable-bind-now
-		--build=${CBUILD_OPT:-${CBUILD}}
-		--host=${CTARGET_OPT:-${CTARGET}}
-		--with-headers=$(alt_build_headers)
-		--prefix=/usr
-		${EXTRA_ECONF}
-	)
-
-	# Nothing is compiled here which would affect the headers for the target.
-	# so forcing CC/CFLAGS is sane.  unless you dont have `gcc`.  then i
-	# dont care :p.
-	set -- "${S}"/configure "${myconf[@]}"
-	CC=gcc \
-	CFLAGS="-O1 -pipe" \
-	CPPFLAGS="-U_FORTIFY_SOURCE" \
-	LDFLAGS="" \
-	"$@" || die "failed to configure glibc"
 }
 
 eblit-glibc-src_compile() {
-	if is_crosscompile ; then
-		export \
-			libc_cv_c_cleanup=yes \
-			libc_cv_forced_unwind=yes
-	fi
-
 	if just_headers ; then
-		export ABI=default
-		toolchain-glibc_headers_compile
+		[[ ${EAPI:-0} == [01] ]] && toolchain-glibc_headers_configure
 		return
 	fi
 
-	setup_env
-
-	if [[ -z ${OABI} ]] ; then
-		local abilist=""
-		if has_multilib_profile ; then
-			abilist=$(get_install_abis)
-		elif is_crosscompile || tc-is-cross-compiler ; then
-			abilist=${DEFAULT_ABI}
-		fi
-		einfo "Building glibc for ABIs: ${abilist}"
-		if [[ -n ${abilist} ]] ; then
-			OABI=${ABI}
-			for ABI in ${abilist} ; do
-				export ABI
-				src_compile
-			done
-			ABI=${OABI}
-			unset OABI
-			return 0
-		fi
-	fi
-
-	toolchain-glibc_src_compile
+	foreach_abi toolchain-glibc_src_compile
 }
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/eblits/src_configure.eblit b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/eblits/src_configure.eblit
new file mode 100644
index 0000000000..5a85488dfa
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/eblits/src_configure.eblit
@@ -0,0 +1,252 @@
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/sys-libs/glibc/files/eblits/src_configure.eblit,v 1.3 2014/12/31 08:20:02 vapier Exp $
+
+dump_toolchain_settings() {
+	echo
+
+	einfo "$*"
+
+	local v
+	for v in ABI CBUILD CHOST CTARGET CBUILD_OPT CTARGET_OPT CC {AS,C,CPP,CXX,LD}FLAGS ; do
+		einfo " $(printf '%15s' ${v}:)   ${!v}"
+	done
+
+	export CC=$(tc-getCC ${CTARGET})
+	# Glibc does not work with gold (for various reasons) #269274.
+	if $(tc-getLD ${CTARGET}) --version | grep -q 'GNU gold' ; then
+		local d="${T}/bfd-linker"
+		mkdir -p "${d}"
+		ln -sf $(which ${CTARGET}-ld.bfd) "${d}"/ld
+		CC+=" -B${d}"
+	fi
+	einfo " $(printf '%15s' 'Manual CC:')   ${CC}"
+	echo
+}
+
+glibc_do_configure() {
+	dump_toolchain_settings "Configuring glibc for $1"
+
+	local myconf=()
+
+	# set addons
+	pushd "${S}" > /dev/null
+	local addons=$(echo */configure | sed \
+		-e 's:/configure::g' \
+		-e 's:\(linuxthreads\|nptl\|rtkaio\|glibc-compat\)\( \|$\)::g' \
+		-e 's: \+$::' \
+		-e 's! !,!g' \
+		-e 's!^!,!' \
+		-e '/^,\*$/d')
+	[[ -d ports ]] && addons+=",ports"
+	popd > /dev/null
+
+	myconf+=( $(use_enable hardened stackguard-randomization) )
+	if has_version '<sys-libs/glibc-2.13' ; then
+		myconf+=( --enable-old-ssp-compat )
+	fi
+
+	[[ $(tc-is-softfloat) == "yes" ]] && myconf+=( --without-fp )
+
+	if [[ $1 == "linuxthreads" ]] ; then
+		if want_tls ; then
+			myconf+=( --with-tls )
+
+			if ! want__thread || use glibc-compat20 || [[ ${LT_KER_VER} == 2.[02].* ]] ; then
+				myconf+=( --without-__thread )
+			else
+				myconf+=( --with-__thread )
+			fi
+		else
+			myconf+=( --without-tls --without-__thread )
+		fi
+
+		myconf+=( --disable-sanity-checks )
+		addons="linuxthreads${addons}"
+		myconf+=( --enable-kernel=${LT_KER_VER} )
+	elif [[ $1 == "nptl" ]] ; then
+		# Newer versions require nptl, so there is no addon for it.
+		version_is_at_least 2.20 || addons="nptl${addons}"
+		myconf+=( --enable-kernel=${NPTL_KERN_VER} )
+	else
+		die "invalid pthread option"
+	fi
+	myconf+=( --enable-add-ons="${addons#,}" )
+
+	# Since SELinux support is only required for nscd, only enable it if:
+	# 1. USE selinux
+	# 2. only for the primary ABI on multilib systems
+	# 3. Not a crosscompile
+	if ! is_crosscompile && use selinux ; then
+		if use multilib ; then
+			if is_final_abi ; then
+				myconf+=( --with-selinux )
+			else
+				myconf+=( --without-selinux )
+			fi
+		else
+			myconf+=( --with-selinux )
+		fi
+	else
+		myconf+=( --without-selinux )
+	fi
+
+	# Force a few tests where we always know the answer but
+	# configure is incapable of finding it.
+	if is_crosscompile ; then
+		export \
+			libc_cv_c_cleanup=yes \
+			libc_cv_forced_unwind=yes
+	fi
+
+	myconf+=(
+		--without-cvs
+		--enable-bind-now
+		--build=${CBUILD_OPT:-${CBUILD}}
+		--host=${CTARGET_OPT:-${CTARGET}}
+		$(use_enable profile)
+		$(use_with gd)
+		--with-headers=$(alt_build_headers)
+		--prefix=/usr
+		--libdir=/usr/$(get_libdir)
+		--mandir=/usr/share/man
+		--infodir=/usr/share/info
+		--libexecdir=/usr/$(get_libdir)/misc/glibc
+		--with-bugurl=http://bugs.gentoo.org/
+		--with-pkgversion="$(glibc_banner)"
+		$(use_multiarch || echo --disable-multi-arch)
+		--enable-obsolete-rpc
+		$(in_iuse systemtap && use_enable systemtap)
+		$(in_iuse nscd && use_enable nscd)
+		${EXTRA_ECONF}
+	)
+
+	# There is no configure option for this and we need to export it
+	# since the glibc build will re-run configure on itself
+	export libc_cv_slibdir=/$(get_libdir)
+
+	# We take care of patching our binutils to use both hash styles,
+	# and many people like to force gnu hash style only, so disable
+	# this overriding check.  #347761
+	export libc_cv_hashstyle=no
+
+	# Overtime, generating info pages can be painful.  So disable this for
+	# versions older than the latest stable to avoid the issue (this ver
+	# should be updated from time to time).  #464394 #465816
+	if ! version_is_at_least 2.17 ; then
+		export ac_cv_prog_MAKEINFO=:
+	fi
+
+	local builddir=$(builddir "$1")
+	mkdir -p "${builddir}"
+	cd "${builddir}"
+	set -- "${S}"/configure "${myconf[@]}"
+	echo "$@"
+	"$@" || die "failed to configure glibc"
+
+	# ia64 static cross-compilers are a pita in so much that they
+	# can't produce static ELFs (as the libgcc.a is broken).  so
+	# disable building of the programs for those targets if it
+	# doesn't work.
+	# XXX: We could turn this into a compiler test, but ia64 is
+	# the only one that matters, so this should be fine for now.
+	if is_crosscompile && [[ ${CTARGET} == ia64* ]] ; then
+		sed -i '1i+link-static = touch $@' config.make
+	fi
+
+	# If we're trying to migrate between ABI sets, we need
+	# to lie and use a local copy of gcc.  Like if the system
+	# is built with MULTILIB_ABIS="amd64 x86" but we want to
+	# add x32 to it, gcc/glibc don't yet support x32.
+	if [[ -n ${GCC_BOOTSTRAP_VER} ]] && use multilib ; then
+		echo 'main(){}' > "${T}"/test.c
+		if ! $(tc-getCC ${CTARGET}) ${CFLAGS} ${LDFLAGS} "${T}"/test.c -Wl,-emain -lgcc 2>/dev/null ; then
+			sed -i -e '/^CC = /s:$: -B$(objdir)/../'"gcc-${GCC_BOOTSTRAP_VER}/${ABI}:" config.make || die
+			mkdir -p sunrpc
+			cp $(which rpcgen) sunrpc/cross-rpcgen || die
+			touch -t 202001010101 sunrpc/cross-rpcgen || die
+		fi
+	fi
+}
+
+toolchain-glibc_headers_configure() {
+	export ABI=default
+
+	local builddir=$(builddir "headers")
+	mkdir -p "${builddir}"
+	cd "${builddir}"
+
+	# if we don't have a compiler yet, we cant really test it now ...
+	# hopefully they don't affect header geneation, so let's hope for
+	# the best here ...
+	local v vars=(
+		ac_cv_header_cpuid_h=yes
+		libc_cv_{386,390,alpha,arm,hppa,ia64,mips,{powerpc,sparc}{,32,64},sh,x86_64}_tls=yes
+		libc_cv_asm_cfi_directives=yes
+		libc_cv_broken_visibility_attribute=no
+		libc_cv_c_cleanup=yes
+		libc_cv_forced_unwind=yes
+		libc_cv_gcc___thread=yes
+		libc_cv_mlong_double_128=yes
+		libc_cv_mlong_double_128ibm=yes
+		libc_cv_ppc_machine=yes
+		libc_cv_ppc_rel16=yes
+		libc_cv_predef_{fortify_source,stack_protector}=no
+		libc_cv_visibility_attribute=yes
+		libc_cv_z_combreloc=yes
+		libc_cv_z_execstack=yes
+		libc_cv_z_initfirst=yes
+		libc_cv_z_nodelete=yes
+		libc_cv_z_nodlopen=yes
+		libc_cv_z_relro=yes
+		libc_mips_abi=${ABI}
+		libc_mips_float=$([[ $(tc-is-softfloat) == "yes" ]] && echo soft || echo hard)
+	)
+	einfo "Forcing cached settings:"
+	for v in "${vars[@]}" ; do
+		einfo " ${v}"
+		export ${v}
+	done
+
+	local ports="" myconf=()
+	myconf+=(
+		--disable-sanity-checks
+		--enable-hacker-mode
+		--without-cvs
+		--enable-bind-now
+		--build=${CBUILD_OPT:-${CBUILD}}
+		--host=${CTARGET_OPT:-${CTARGET}}
+		--with-headers=$(alt_build_headers)
+		--prefix=/usr
+		${EXTRA_ECONF}
+	)
+
+	local addons
+	[[ -d ${S}/ports ]] && addons+=",ports"
+	# Newer versions require nptl, so there is no addon for it.
+	version_is_at_least 2.20 || addons+=",nptl"
+	myconf+=( --enable-add-ons="${addons#,}" )
+
+	# Nothing is compiled here which would affect the headers for the target.
+	# So forcing CC/CFLAGS is sane.
+	set -- "${S}"/configure "${myconf[@]}"
+	echo "$@"
+	CC="$(tc-getBUILD_CC)" \
+	CFLAGS="-O1 -pipe" \
+	CPPFLAGS="-U_FORTIFY_SOURCE" \
+	LDFLAGS="" \
+	"$@" || die "failed to configure glibc"
+}
+
+toolchain-glibc_src_configure() {
+	if just_headers ; then
+		toolchain-glibc_headers_configure
+	else
+		want_linuxthreads && glibc_do_configure linuxthreads
+		want_nptl && glibc_do_configure nptl
+	fi
+}
+
+eblit-glibc-src_configure() {
+	foreach_abi toolchain-glibc_src_configure
+}
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/eblits/src_install.eblit b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/eblits/src_install.eblit
index f7d00cd76c..8030d935a6 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/eblits/src_install.eblit
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/eblits/src_install.eblit
@@ -1,28 +1,16 @@
 # Copyright 1999-2014 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-libs/glibc/files/eblits/src_install.eblit,v 1.33 2014/01/17 07:45:29 vapier Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-libs/glibc/files/eblits/src_install.eblit,v 1.38 2014/09/10 18:15:55 vapier Exp $
 
 toolchain-glibc_src_install() {
-	local GBUILDDIR
-	if want_linuxthreads ; then
-		GBUILDDIR=${WORKDIR}/build-${ABI}-${CTARGET}-linuxthreads
-	else
-		GBUILDDIR=${WORKDIR}/build-${ABI}-${CTARGET}-nptl
-	fi
+	local builddir=$(builddir $(want_linuxthreads && echo linuxthreads || echo nptl))
+	cd "${builddir}"
 
-	local install_root="${D}$(alt_prefix)"
-	if want_linuxthreads ; then
-		cd "${WORKDIR}"/build-${ABI}-${CTARGET}-linuxthreads
-		einfo "Installing GLIBC ${ABI} with linuxthreads ..."
-	else
-		cd "${WORKDIR}"/build-${ABI}-${CTARGET}-nptl
-		einfo "Installing GLIBC ${ABI} with NPTL ..."
-	fi
-	emake install_root="${install_root}" install || die
+	emake install_root="${D}$(alt_prefix)" install || die
 
 	if want_linuxthreads && want_nptl ; then
 		einfo "Installing NPTL to $(alt_libdir)/tls/..."
-		cd "${WORKDIR}"/build-${ABI}-${CTARGET}-nptl
+		cd "$(builddir nptl)"
 		dodir $(alt_libdir)/tls $(alt_usrlibdir)/nptl
 
 		local l src_lib
@@ -185,7 +173,12 @@ toolchain-glibc_src_install() {
 		version_is_at_least 2.16 || nscd_args+=( -e 's: --foreground : :' )
 		sed -i "${nscd_args[@]}" "${ED}"/etc/init.d/nscd
 
-		if [[ $(type -t systemd_dounit) == "function" ]] ; then
+		# Newer versions of glibc include the nscd.service themselves.
+		# TODO: Drop the $FILESDIR copy once 2.19 goes stable.
+		if version_is_at_least 2.19 ; then
+			systemd_dounit nscd/nscd.service || die
+			systemd_newtmpfilesd nscd/nscd.tmpfiles nscd.conf || die
+		else
 			systemd_dounit "${FILESDIR}"/nscd.service || die
 			systemd_newtmpfilesd "${FILESDIR}"/nscd.tmpfilesd nscd.conf || die
 		fi
@@ -207,8 +200,8 @@ toolchain-glibc_src_install() {
 }
 
 toolchain-glibc_headers_install() {
-	local GBUILDDIR=${WORKDIR}/build-${ABI}-${CTARGET}-headers
-	cd "${GBUILDDIR}"
+	local builddir=$(builddir "headers")
+	cd "${builddir}"
 	emake install_root="${D}$(alt_prefix)" install-headers || die
 	if ! version_is_at_least 2.16 ; then
 		insinto $(alt_headers)/bits
@@ -246,29 +239,6 @@ eblit-glibc-src_install() {
 		return
 	fi
 
-	setup_env
-
-	if [[ -z ${OABI} ]] ; then
-		local abilist=""
-		if has_multilib_profile ; then
-			abilist=$(get_install_abis)
-			einfo "Installing multilib glibc for ABIs: ${abilist}"
-		elif is_crosscompile || tc-is-cross-compiler ; then
-			abilist=${DEFAULT_ABI}
-		fi
-		if [[ -n ${abilist} ]] ; then
-			OABI=${ABI}
-			for ABI in ${abilist} ; do
-				export ABI
-				eblit-glibc-src_install
-			done
-			ABI=${OABI}
-			unset OABI
-			src_strip
-			return 0
-		fi
-	fi
-
-	toolchain-glibc_src_install
-	[[ -z ${OABI} ]] && src_strip
+	foreach_abi toolchain-glibc_src_install
+	src_strip
 }
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/eblits/src_prepare.eblit b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/eblits/src_prepare.eblit
new file mode 100644
index 0000000000..dc57faee3e
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/eblits/src_prepare.eblit
@@ -0,0 +1,63 @@
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/sys-libs/glibc/files/eblits/src_prepare.eblit,v 1.1 2014/09/10 05:59:03 vapier Exp $
+
+eblit-glibc-src_prepare() {
+	# XXX: We should do the branchupdate, before extracting the manpages and
+	# infopages else it does not help much (mtimes change if there is a change
+	# to them with branchupdate)
+	if [[ -n ${BRANCH_UPDATE} ]] ; then
+		epatch "${DISTDIR}"/glibc-${RELEASE_VER}-branch-update-${BRANCH_UPDATE}.patch.bz2
+
+		# Snapshot date patch
+		einfo "Patching version to display snapshot date ..."
+		sed -i -e "s:\(#define RELEASE\).*:\1 \"${BRANCH_UPDATE}\":" version.h
+	fi
+
+	# tag, glibc is it
+	if ! version_is_at_least 2.17 ; then
+		[[ -e csu/Banner ]] && die "need new banner location"
+		glibc_banner > csu/Banner
+	fi
+	if [[ -n ${PATCH_VER} ]] && ! use vanilla ; then
+		EPATCH_MULTI_MSG="Applying Gentoo Glibc Patchset ${RELEASE_VER}-${PATCH_VER} ..." \
+		EPATCH_EXCLUDE=${GLIBC_PATCH_EXCLUDE} \
+		EPATCH_SUFFIX="patch" \
+		ARCH=$(tc-arch) \
+		epatch "${WORKDIR}"/patches
+	fi
+
+	if just_headers ; then
+		if [[ -e ports/sysdeps/mips/preconfigure ]] ; then
+			# mips peeps like to screw with us.  if building headers,
+			# we don't have a real compiler, so we can't let them
+			# insert -mabi on us.
+			sed -i '/CPPFLAGS=.*-mabi/s|.*|:|' ports/sysdeps/mips/preconfigure || die
+			find ports/sysdeps/mips/ -name Makefile -exec sed -i '/^CC.*-mabi=/s:-mabi=.*:-D_MIPS_SZPTR=32:' {} +
+		fi
+	fi
+
+	epatch_user
+
+	gnuconfig_update
+
+	# Glibc is stupid sometimes, and doesn't realize that with a
+	# static C-Only gcc, -lgcc_eh doesn't exist.
+	# http://sourceware.org/ml/libc-alpha/2003-09/msg00100.html
+	# http://sourceware.org/ml/libc-alpha/2005-02/msg00042.html
+	# But! Finally fixed in recent versions:
+	# http://sourceware.org/ml/libc-alpha/2012-05/msg01865.html
+	if ! version_is_at_least 2.16 ; then
+		echo 'int main(){}' > "${T}"/gcc_eh_test.c
+		if ! $(tc-getCC ${CTARGET}) ${CFLAGS} ${LDFLAGS} "${T}"/gcc_eh_test.c -lgcc_eh 2>/dev/null ; then
+			sed -i -e 's:-lgcc_eh::' Makeconfig || die "sed gcc_eh"
+		fi
+	fi
+
+	cd "${WORKDIR}"
+	find . -type f '(' -size 0 -o -name "*.orig" ')' -delete
+	find . -name configure -exec touch {} +
+
+	# Fix permissions on some of the scripts.
+	chmod u+x "${S}"/scripts/*.sh
+}
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/eblits/src_test.eblit b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/eblits/src_test.eblit
index 532bc8ce09..210cca3a46 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/eblits/src_test.eblit
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/eblits/src_test.eblit
@@ -1,56 +1,30 @@
-# Copyright 1999-2013 Gentoo Foundation
+# Copyright 1999-2014 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-libs/glibc/files/eblits/src_test.eblit,v 1.5 2013/04/11 20:42:56 vapier Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-libs/glibc/files/eblits/src_test.eblit,v 1.9 2014/09/17 22:53:43 vapier Exp $
 
-toolchain-glibc_src_test() {
-	cd "${WORKDIR}"/build-${ABI}-${CTARGET}-$1 || die "cd build-${ABI}-${CTARGET}-$1"
-	unset LD_ASSUME_KERNEL
-	emake -j1 check && return 0
+glibc_src_test() {
+	cd "$(builddir $1)"
+	nonfatal emake -j1 check && return 0
 	einfo "make check failed - re-running with --keep-going to get the rest of the results"
-	emake -j1 -k check
+	nonfatal emake -j1 -k check
 	ewarn "make check failed for ${ABI}-${CTARGET}-$1"
 	return 1
 }
 
-eblit-glibc-src_test() {
-	local ret=0
-
-	setup_env
-
-	_maybe_die() {
-		if [[ -n ${OABI} ]] ; then
-			return ${ret}
-		elif [[ ${ret} -ne 0 ]] ; then
-			die "tests failed"
-		fi
-	}
-
-	# give tests more time to complete
-	export TIMEOUTFACTOR=5
-
-	if [[ -z ${OABI} ]] && has_multilib_profile ; then
-		OABI=${ABI}
-		einfo "Testing multilib glibc for ABIs: $(get_install_abis)"
-		for ABI in $(get_install_abis) ; do
-			export ABI
-			einfo "   Testing ${ABI} glibc"
-			eblit-glibc-src_test
-			: $(( ret += $? ))
-		done
-		ABI=${OABI}
-		unset OABI
-
-		_maybe_die
-		return
-	fi
-
-	local t
+toolchain-glibc_src_test() {
+	local ret=0 t
 	for t in linuxthreads nptl ; do
 		if want_${t} ; then
-			toolchain-glibc_src_test ${t}
-			: $(( ret += $? ))
+			glibc_src_test ${t}
+			: $(( ret |= $? ))
 		fi
 	done
-	_maybe_die
-	return
+	return ${ret}
+}
+
+eblit-glibc-src_test() {
+	# Give tests more time to complete.
+	export TIMEOUTFACTOR=5
+
+	foreach_abi toolchain-glibc_src_test || die "tests failed"
 }
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/eblits/src_unpack.eblit b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/eblits/src_unpack.eblit
index 15e8895d4e..94f33b5e72 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/eblits/src_unpack.eblit
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/files/eblits/src_unpack.eblit
@@ -1,6 +1,8 @@
-# Copyright 1999-2013 Gentoo Foundation
+# Copyright 1999-2014 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-libs/glibc/files/eblits/src_unpack.eblit,v 1.24 2013/09/28 22:07:57 vapier Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-libs/glibc/files/eblits/src_unpack.eblit,v 1.27 2014/09/10 05:59:03 vapier Exp $
+
+[[ ${EAPI:-0} == [01] ]] && source "${FILESDIR}/eblits/src_prepare.eblit"
 
 int_to_KV() {
 	local version=$1 major minor micro
@@ -109,71 +111,11 @@ toolchain-glibc_src_unpack() {
 			mv "${d}" "${S}" || die "moving ${d} failed"
 		done
 	fi
-
-	# XXX: We should do the branchupdate, before extracting the manpages and
-	# infopages else it does not help much (mtimes change if there is a change
-	# to them with branchupdate)
-	if [[ -n ${BRANCH_UPDATE} ]] ; then
-		cd "${S}"
-		epatch "${DISTDIR}"/glibc-${RELEASE_VER}-branch-update-${BRANCH_UPDATE}.patch.bz2
-
-		# Snapshot date patch
-		einfo "Patching version to display snapshot date ..."
-		sed -i -e "s:\(#define RELEASE\).*:\1 \"${BRANCH_UPDATE}\":" version.h
-	fi
-
-	# tag, glibc is it
-	cd "${S}"
-	if ! version_is_at_least 2.17 ; then
-		[[ -e csu/Banner ]] && die "need new banner location"
-		glibc_banner > csu/Banner
-	fi
-	if [[ -n ${PATCH_VER} ]] && ! use vanilla ; then
-		cd "${S}"
-		EPATCH_MULTI_MSG="Applying Gentoo Glibc Patchset ${RELEASE_VER}-${PATCH_VER} ..." \
-		EPATCH_EXCLUDE=${GLIBC_PATCH_EXCLUDE} \
-		EPATCH_SUFFIX="patch" \
-		ARCH=$(tc-arch) \
-		epatch "${WORKDIR}"/patches
-	fi
-
-	if just_headers ; then
-		if [[ -e ports/sysdeps/mips/preconfigure ]] ; then
-			# mips peeps like to screw with us.  if building headers,
-			# we don't have a real compiler, so we can't let them
-			# insert -mabi on us.
-			sed -i '/CPPFLAGS=.*-mabi/s|.*|:|' ports/sysdeps/mips/preconfigure || die
-			find ports/sysdeps/mips/ -name Makefile -exec sed -i '/^CC.*-mabi=/s:-mabi=.*:-D_MIPS_SZPTR=32:' {} +
-		fi
-	fi
-
-	epatch_user
-
-	gnuconfig_update
 }
 
 eblit-glibc-src_unpack() {
 	setup_env
 
 	toolchain-glibc_src_unpack
-
-	# Glibc is stupid sometimes, and doesn't realize that with a
-	# static C-Only gcc, -lgcc_eh doesn't exist.
-	# http://sourceware.org/ml/libc-alpha/2003-09/msg00100.html
-	# http://sourceware.org/ml/libc-alpha/2005-02/msg00042.html
-	# But! Finally fixed in recent versions:
-	# http://sourceware.org/ml/libc-alpha/2012-05/msg01865.html
-	if ! version_is_at_least 2.16 ; then
-		echo 'int main(){}' > "${T}"/gcc_eh_test.c
-		if ! $(tc-getCC ${CTARGET}) "${T}"/gcc_eh_test.c -lgcc_eh 2>/dev/null ; then
-			sed -i -e 's:-lgcc_eh::' Makeconfig || die "sed gcc_eh"
-		fi
-	fi
-
-	cd "${WORKDIR}"
-	find . -type f '(' -size 0 -o -name "*.orig" ')' -exec rm -f {} \;
-	find . -name configure -exec touch {} \;
-
-	# Fix permissions on some of the scripts
-	chmod u+x "${S}"/scripts/*.sh
+	[[ ${EAPI:-0} == [01] ]] && cd "${S}" && eblit-glibc-src_prepare
 }
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/glibc-2.17.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/glibc-2.17.ebuild
index 076534e68e..24083dc217 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/glibc-2.17.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/glibc-2.17.ebuild
@@ -1,6 +1,6 @@
 # Copyright 1999-2014 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-libs/glibc/glibc-2.17.ebuild,v 1.31 2014/01/31 18:22:06 vapier Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-libs/glibc/glibc-2.17.ebuild,v 1.34 2014/04/05 16:05:07 vapier Exp $
 
 inherit eutils versionator toolchain-funcs flag-o-matic gnuconfig multilib systemd unpacker multiprocessing
 
@@ -8,7 +8,7 @@ DESCRIPTION="GNU libc6 (also called glibc2) C library"
 HOMEPAGE="http://www.gnu.org/software/libc/libc.html"
 
 LICENSE="LGPL-2.1+ BSD HPND ISC inner-net rc PCRE"
-KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh ~sparc x86"
+KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86"
 RESTRICT="strip" # strip ourself #46186
 EMULTILIB_PKG="true"
 
@@ -24,6 +24,7 @@ case ${PV} in
 	RELEASE_VER=${PV}
 	;;
 esac
+GCC_BOOTSTRAP_VER="4.7.3-r1"
 PATCH_VER="8"                                  # Gentoo patchset
 NPTL_KERN_VER=${NPTL_KERN_VER:-"2.6.16"}       # min kernel version nptl requires
 
@@ -88,19 +89,19 @@ else
 		!vanilla? ( sys-libs/timezone-data )"
 fi
 
+upstream_uris() {
+	echo mirror://gnu/glibc/$1 ftp://sourceware.org/pub/glibc/{releases,snapshots}/$1 mirror://gentoo/$1
+}
+gentoo_uris() {
+	local devspace="HTTP~vapier/dist/URI HTTP~azarah/glibc/URI"
+	devspace=${devspace//HTTP/http://dev.gentoo.org/}
+	echo mirror://gentoo/$1 ${devspace//URI/$1}
+}
 SRC_URI=$(
-	upstream_uris() {
-		echo mirror://gnu/glibc/$1 ftp://sourceware.org/pub/glibc/{releases,snapshots}/$1 mirror://gentoo/$1
-	}
-	gentoo_uris() {
-		local devspace="HTTP~vapier/dist/URI HTTP~azarah/glibc/URI"
-		devspace=${devspace//HTTP/http://dev.gentoo.org/}
-		echo mirror://gentoo/$1 ${devspace//URI/$1}
-	}
-
 	[[ -z ${EGIT_REPO_URIS} ]] && upstream_uris ${P}.tar.xz
 	[[ -n ${PATCH_VER}      ]] && gentoo_uris ${P}-patches-${PATCH_VER}.tar.bz2
 )
+SRC_URI+=" ${GCC_BOOTSTRAP_VER:+multilib? ( $(gentoo_uris gcc-${GCC_BOOTSTRAP_VER}-multilib-bootstrap.tar.bz2) )}"
 
 # eblit-include [--skip] <function> [version]
 eblit-include() {
@@ -153,6 +154,7 @@ done
 
 eblit-src_unpack-pre() {
 	GLIBC_PATCH_EXCLUDE+=" 6600_mips_librt-mips.patch" #456912
+	[[ -n ${GCC_BOOTSTRAP_VER} ]] && use multilib && unpack gcc-${GCC_BOOTSTRAP_VER}-multilib-bootstrap.tar.bz2
 }
 
 eblit-src_unpack-post() {
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/glibc-2.19-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/glibc-2.19-r1.ebuild
new file mode 100644
index 0000000000..df31e72091
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/glibc-2.19-r1.ebuild
@@ -0,0 +1,209 @@
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/sys-libs/glibc/glibc-2.19-r1.ebuild,v 1.11 2014/10/26 08:05:50 vapier Exp $
+
+inherit eutils versionator toolchain-funcs flag-o-matic gnuconfig multilib systemd unpacker multiprocessing
+
+DESCRIPTION="GNU libc6 (also called glibc2) C library"
+HOMEPAGE="http://www.gnu.org/software/libc/libc.html"
+
+LICENSE="LGPL-2.1+ BSD HPND ISC inner-net rc PCRE"
+KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86"
+RESTRICT="strip" # strip ourself #46186
+EMULTILIB_PKG="true"
+
+# Configuration variables
+RELEASE_VER=""
+case ${PV} in
+9999*)
+	EGIT_REPO_URIS="git://sourceware.org/git/glibc.git"
+	EGIT_SOURCEDIRS="${S}"
+	inherit git-2
+	;;
+*)
+	RELEASE_VER=${PV}
+	;;
+esac
+GCC_BOOTSTRAP_VER="4.7.3-r1"
+PATCH_VER="3"                                  # Gentoo patchset
+NPTL_KERN_VER=${NPTL_KERN_VER:-"2.6.16"}       # min kernel version nptl requires
+
+IUSE="debug gd hardened multilib nscd selinux systemtap profile suid vanilla crosscompile_opts_headers-only"
+
+# Here's how the cross-compile logic breaks down ...
+#  CTARGET - machine that will target the binaries
+#  CHOST   - machine that will host the binaries
+#  CBUILD  - machine that will build the binaries
+# If CTARGET != CHOST, it means you want a libc for cross-compiling.
+# If CHOST != CBUILD, it means you want to cross-compile the libc.
+#  CBUILD = CHOST = CTARGET    - native build/install
+#  CBUILD != (CHOST = CTARGET) - cross-compile a native build
+#  (CBUILD = CHOST) != CTARGET - libc for cross-compiler
+#  CBUILD != CHOST != CTARGET  - cross-compile a libc for a cross-compiler
+# For install paths:
+#  CHOST = CTARGET  - install into /
+#  CHOST != CTARGET - install into /usr/CTARGET/
+
+export CBUILD=${CBUILD:-${CHOST}}
+export CTARGET=${CTARGET:-${CHOST}}
+if [[ ${CTARGET} == ${CHOST} ]] ; then
+	if [[ ${CATEGORY} == cross-* ]] ; then
+		export CTARGET=${CATEGORY#cross-}
+	fi
+fi
+
+[[ ${CTARGET} == hppa* ]] && NPTL_KERN_VER=${NPTL_KERN_VER/2.6.16/2.6.20}
+
+is_crosscompile() {
+	[[ ${CHOST} != ${CTARGET} ]]
+}
+
+# Why SLOT 2.2 you ask yourself while sippin your tea ?
+# Everyone knows 2.2 > 0, duh.
+SLOT="2.2"
+
+# General: We need a new-enough binutils/gcc to match upstream baseline.
+# arch: we need to make sure our binutils/gcc supports TLS.
+DEPEND=">=app-misc/pax-utils-0.1.10
+	!<sys-apps/sandbox-1.6
+	!<sys-apps/portage-2.1.2
+	selinux? ( sys-libs/libselinux )"
+RDEPEND="!sys-kernel/ps3-sources
+	selinux? ( sys-libs/libselinux )
+	!sys-libs/nss-db"
+
+if [[ ${CATEGORY} == cross-* ]] ; then
+	DEPEND+=" !crosscompile_opts_headers-only? (
+		>=${CATEGORY}/binutils-2.20
+		>=${CATEGORY}/gcc-4.3
+	)"
+	[[ ${CATEGORY} == *-linux* ]] && DEPEND+=" ${CATEGORY}/linux-headers"
+else
+	DEPEND+="
+		>=sys-devel/binutils-2.20
+		>=sys-devel/gcc-4.3
+		virtual/os-headers
+		!vanilla? ( >=sys-libs/timezone-data-2012c )"
+	RDEPEND+="
+		vanilla? ( !sys-libs/timezone-data )
+		!vanilla? ( sys-libs/timezone-data )"
+fi
+
+upstream_uris() {
+	echo mirror://gnu/glibc/$1 ftp://sourceware.org/pub/glibc/{releases,snapshots}/$1 mirror://gentoo/$1
+}
+gentoo_uris() {
+	local devspace="HTTP~vapier/dist/URI HTTP~azarah/glibc/URI"
+	devspace=${devspace//HTTP/http://dev.gentoo.org/}
+	echo mirror://gentoo/$1 ${devspace//URI/$1}
+}
+SRC_URI=$(
+	[[ -z ${EGIT_REPO_URIS} ]] && upstream_uris ${P}.tar.xz
+	[[ -n ${PATCH_VER}      ]] && gentoo_uris ${P}-patches-${PATCH_VER}.tar.bz2
+)
+SRC_URI+=" ${GCC_BOOTSTRAP_VER:+multilib? ( $(gentoo_uris gcc-${GCC_BOOTSTRAP_VER}-multilib-bootstrap.tar.bz2) )}"
+
+# eblit-include [--skip] <function> [version]
+eblit-include() {
+	local skipable=false
+	[[ $1 == "--skip" ]] && skipable=true && shift
+	[[ $1 == pkg_* ]] && skipable=true
+
+	local e v func=$1 ver=$2
+	[[ -z ${func} ]] && die "Usage: eblit-include <function> [version]"
+	for v in ${ver:+-}${ver} -${PVR} -${PV} "" ; do
+		e="${FILESDIR}/eblits/${func}${v}.eblit"
+		if [[ -e ${e} ]] ; then
+			source "${e}"
+			return 0
+		fi
+	done
+	${skipable} && return 0
+	die "Could not locate requested eblit '${func}' in ${FILESDIR}/eblits/"
+}
+
+# eblit-run-maybe <function>
+# run the specified function if it is defined
+eblit-run-maybe() {
+	[[ $(type -t "$@") == "function" ]] && "$@"
+}
+
+# eblit-run <function> [version]
+# aka: src_unpack() { eblit-run src_unpack ; }
+eblit-run() {
+	eblit-include --skip common "${*:2}"
+	eblit-include "$@"
+	eblit-run-maybe eblit-$1-pre
+	eblit-${PN}-$1
+	eblit-run-maybe eblit-$1-post
+}
+
+src_unpack()  { eblit-run src_unpack  ; }
+src_compile() { eblit-run src_compile ; }
+src_test()    { eblit-run src_test    ; }
+src_install() { eblit-run src_install ; }
+
+# FILESDIR might not be available during binpkg install
+for x in setup {pre,post}inst ; do
+	e="${FILESDIR}/eblits/pkg_${x}.eblit"
+	if [[ -e ${e} ]] ; then
+		. "${e}"
+		eval "pkg_${x}() { eblit-run pkg_${x} ; }"
+	fi
+done
+
+eblit-src_unpack-pre() {
+	[[ -n ${GCC_BOOTSTRAP_VER} ]] && use multilib && unpack gcc-${GCC_BOOTSTRAP_VER}-multilib-bootstrap.tar.bz2
+}
+
+eblit-src_unpack-post() {
+	if use hardened ; then
+		cd "${S}"
+		einfo "Patching to get working PIE binaries on PIE (hardened) platforms"
+		gcc-specs-pie && epatch "${FILESDIR}"/2.17/glibc-2.17-hardened-pie.patch
+		epatch "${FILESDIR}"/2.19/glibc-2.19-hardened-configure-picdefault.patch
+		epatch "${FILESDIR}"/2.18/glibc-2.18-hardened-inittls-nosysenter.patch
+
+		einfo "Installing Hardened Gentoo SSP and FORTIFY_SOURCE handler"
+		cp -f "${FILESDIR}"/2.18/glibc-2.18-gentoo-stack_chk_fail.c \
+			debug/stack_chk_fail.c || die
+		cp -f "${FILESDIR}"/2.18/glibc-2.18-gentoo-chk_fail.c \
+			debug/chk_fail.c || die
+
+		if use debug ; then
+			# When using Hardened Gentoo stack handler, have smashes dump core for
+			# analysis - debug only, as core could be an information leak
+			# (paranoia).
+			sed -i \
+				-e '/^CFLAGS-backtrace.c/ iCFLAGS-stack_chk_fail.c = -DSSP_SMASH_DUMPS_CORE' \
+				debug/Makefile \
+				|| die "Failed to modify debug/Makefile for debug stack handler"
+			sed -i \
+				-e '/^CFLAGS-backtrace.c/ iCFLAGS-chk_fail.c = -DSSP_SMASH_DUMPS_CORE' \
+				debug/Makefile \
+				|| die "Failed to modify debug/Makefile for debug fortify handler"
+		fi
+
+		# Build nscd with ssp-all
+		sed -i \
+			-e 's:-fstack-protector$:-fstack-protector-all:' \
+			nscd/Makefile \
+			|| die "Failed to ensure nscd builds with ssp-all"
+	fi
+}
+
+eblit-pkg_preinst-post() {
+	if [[ ${CTARGET} == arm* ]] ; then
+		# Backwards compat support for renaming hardfp ldsos #417287
+		local oldso='/lib/ld-linux.so.3'
+		local nldso='/lib/ld-linux-armhf.so.3'
+		if [[ -e ${D}${nldso} ]] ; then
+			if scanelf -qRyi "${ROOT}$(alt_prefix)"/*bin/ | grep -s "^${oldso}" ; then
+				ewarn "Symlinking old ldso (${oldso}) to new ldso (${nldso})."
+				ewarn "Please rebuild all packages using this old ldso as compat"
+				ewarn "support will be dropped in the future."
+				ln -s "${nldso##*/}" "${D}$(alt_prefix)${oldso}"
+			fi
+		fi
+	fi
+}