diff --git a/build_library/build_image_util.sh b/build_library/build_image_util.sh index 25ac63be6c2..3bdcb869bcd 100755 --- a/build_library/build_image_util.sh +++ b/build_library/build_image_util.sh @@ -259,6 +259,18 @@ image_packages_portage() { ROOT="$1" PORTAGE_CONFIGROOT="${BUILD_DIR}"/configroot \ equery --no-color list --format '$cpv::$repo' '*' } + +# List dependencies for a package runtime dependencies + +function package_run_dependencies() ( + pkg=${1:?} + ebuild=$(equery-${BOARD} w "${pkg}") + function inherit() { : ; } + . "${ebuild}" + echo ${RDEPEND} +) + + # List packages implicitly contained in rootfs, such as in torcx packages or # initramfs. image_packages_implicit() { @@ -294,6 +306,12 @@ image_packages_implicit() { [ -z "${FLAGS_torcx_manifest}" ] || torcx_manifest::sources_on_disk "${FLAGS_torcx_manifest}" | while read pkg ; do query_available_package "${pkg}" ; done + + + # Include source packages of all sysext images installed on disk. + for docker_containerd_package in $(package_run_dependencies docker) $(package_run_dependencies containerd); do + query_available_package "${docker_containerd_package}" ; + done } # Generate a list of packages installed in an image. 
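Review bot: In package_run_dependencies the result of `equery-${BOARD} w` is never checked, so a failed lookup leaves `ebuild` empty and the following `. "${ebuild}"` fails with an unrelated error. Something like `ebuild=$(equery-"${BOARD}" w "${pkg}") || return 1` would stop at the real cause. Sourcing the ebuild also runs its global-scope code with only `inherit` stubbed out. The unquoted `echo ${RDEPEND}` prints the raw dependency string after word splitting and glob expansion, so version operators and USE-conditional groups, if the ebuild has any, reach the caller as if they were package names. The comment above the function reads better as `# List the runtime dependencies (RDEPEND) of a package`, with a line noting that the ebuild is sourced in a subshell.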
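Review bot: The loop added at the end of image_packages_implicit queries only the RDEPEND entries of docker and containerd, so the docker package itself is never passed to query_available_package, and containerd only appears if docker's RDEPEND happens to name it. Since this function feeds the list of packages implicitly contained in the rootfs, the inventory of what ships in the sysext images can be incomplete. Iterating over `docker containerd $(package_run_dependencies docker) $(package_run_dependencies containerd)` would cover the packages as well as their dependencies. The comment says "all sysext images installed on disk" while the list is hard-coded to two packages, so it should either say that or be derived from the images that are actually built.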
@@ -625,26 +643,18 @@ finish_image() { local install_grub=0 local disk_img="${BUILD_DIR}/${image_name}" - # Copy in packages from the torcx store that are marked as being on disk - if [ -n "${FLAGS_torcx_manifest}" ]; then - for pkg in $(torcx_manifest::get_pkg_names "${FLAGS_torcx_manifest}"); do - local default_version="$(torcx_manifest::default_version "${FLAGS_torcx_manifest}" "${pkg}")" - for version in $(torcx_manifest::get_versions "${FLAGS_torcx_manifest}" "${pkg}"); do - local on_disk_path="$(torcx_manifest::local_store_path "${FLAGS_torcx_manifest}" "${pkg}" "${version}")" - if [[ -n "${on_disk_path}" ]]; then - local casDigest="$(torcx_manifest::get_digest "${FLAGS_torcx_manifest}" "${pkg}" "${version}")" - sudo cp "${FLAGS_torcx_root}/pkgs/${BOARD}/${pkg}/${casDigest}/${pkg}:${version}.torcx.tgz" \ - "${root_fs_dir}${on_disk_path}" - sudo tar xf "${root_fs_dir}${on_disk_path}" -C "${root_fs_dir}" --wildcards "./usr/share/SLSA" - if [[ "${version}" == "${default_version}" ]]; then - # Create the default symlink for this package - sudo ln -fns "${on_disk_path##*/}" \ - "${root_fs_dir}/${on_disk_path%/*}/${pkg}:com.coreos.cl.torcx.tgz" - fi - fi - done - done - fi + # Ship the docker systemd-sysext image and rip out torcx in same go; TODO: create seperate sysext images for containerd and docker + mkdir -p "${PORTAGE_CONFIGROOT}"/etc/portage/profile + query_available_package containerd | sudo_clobber ${PORTAGE_CONFIGROOT}/etc/portage/profile/package.provided # use a temporary package.provided to make emerge believe the dependencies are already installed + sudo "${SCRIPTS_DIR}/build_sysext" --board="${BOARD}" --image_builddir=${BUILD_DIR} --squashfs_base="${BUILD_DIR}/${image_sysext_base}" --manglefs_script="${SCRIPTS_DIR}/manglefs_docker" docker-flatcar app-containers/docker + sudo install -m 0644 -D "${BUILD_DIR}/docker-flatcar.raw" "${root_fs_dir}"/usr/share/flatcar/ + sudo mkdir -p "${root_fs_dir}"/etc/extensions/ + sudo ln -sf 
/usr/share/flatcar/docker-flatcar.raw "${root_fs_dir}"/etc/extensions/docker-flatcar.raw + sudo rm ${PORTAGE_CONFIGROOT}/etc/portage/profile/package.provided + + sudo "${SCRIPTS_DIR}/build_sysext" --board="${BOARD}" --image_builddir=${BUILD_DIR} --squashfs_base="${BUILD_DIR}/${image_sysext_base}" --manglefs_script="${SCRIPTS_DIR}/manglefs_containerd" containerd-flatcar app-containers/containerd + sudo install -m 0644 -D "${BUILD_DIR}/containerd-flatcar.raw" "${root_fs_dir}"/usr/share/flatcar/ + sudo ln -sf /usr/share/flatcar/containerd-flatcar.raw "${root_fs_dir}"/etc/extensions/containerd-flatcar.raw # Only enable rootfs verification on prod builds. local disable_read_write="${FLAGS_FALSE}" diff --git a/build_library/dev_container_util.sh b/build_library/dev_container_util.sh index a0c07477cd1..dd172987fb9 100755 --- a/build_library/dev_container_util.sh +++ b/build_library/dev_container_util.sh @@ -110,7 +110,7 @@ create_dev_container() { # The remount services are provided by coreos-base/coreos-init systemd_enable "${root_fs_dir}" "multi-user.target" "remount-usr.service" - finish_image "${image_name}" "${disk_layout}" "${root_fs_dir}" "${image_contents}" "${image_contents_wtd}" + DEVCONTAINER=1 finish_image "${image_name}" "${disk_layout}" "${root_fs_dir}" "${image_contents}" "${image_contents_wtd}" declare -a files_to_evaluate declare -a compressed_images diff --git a/manglefs_containerd b/manglefs_containerd new file mode 100755 index 00000000000..ff5c5d36952 --- /dev/null +++ b/manglefs_containerd @@ -0,0 +1,7 @@ +#!/bin/bash + +set -euo pipefail +rootfs="${1}" + +mkdir -p "${rootfs}/usr/lib/systemd/system/multi-user.target.d" +{ echo "[Unit]"; echo "Upholds=containerd.service"; } > "${rootfs}/usr/lib/systemd/system/multi-user.target.d/10-containerd-service.conf" diff --git a/manglefs_docker b/manglefs_docker new file mode 100755 index 00000000000..4cb69961036 --- /dev/null +++ b/manglefs_docker 
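Review bot: The temporary package.provided in finish_image is written with `sudo_clobber` and deleted afterwards with `sudo rm`, so a package.provided that already exists in that profile directory is overwritten and then lost, and if the script aborts on a failed build_sysext the stub stays behind and later emerge runs against the same configroot keep treating containerd as installed. `${PORTAGE_CONFIGROOT}` is also used unquoted and without a check that it is set; image_packages_portage only passes it as a per-command environment variable, so if it is empty here the root-level writes would land in the SDK's own /etc/portage/profile, which `: "${PORTAGE_CONFIGROOT:?}"` before the mkdir would rule out. Removing or restoring the file from a trap keeps the cleanup on the failure path too. Separately, the removed torcx block unpacked ./usr/share/SLSA into the rootfs and nothing in the new lines replaces it, so it is worth confirming where the provenance data for docker and containerd comes from now. finish_image starts and ends outside the hunk.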
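Review bot: `DEVCONTAINER=1` is set for the finish_image call in create_dev_container, but none of the finish_image lines added in this diff read it, so as shown the dev container also gets both sysext images built and linked into /etc/extensions. If the flag is meant to skip that step, the sysext block needs a guard such as `if [[ -z "${DEVCONTAINER:-}" ]]; then`; if it is consumed in build_sysext or in a part of finish_image outside the hunk, a comment here such as `# DEVCONTAINER is read by <consumer>` would make that visible. Passing the choice as an explicit argument or a documented flag would be easier to follow than an assignment prefix on a function call.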
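Review bot: In manglefs_containerd, `rootfs="${1}"` accepts an empty argument, because `set -u` only catches an unset one; with an empty value the mkdir and the redirect write to /usr/lib/systemd/system on the build host. build_sysext is invoked through sudo in finish_image, so the script presumably runs as root. `rootfs="${1:?usage: manglefs_containerd ROOTFS}"` followed by `[[ -d "${rootfs}" ]] || exit 1` fails early instead. manglefs_docker has the same preamble and needs the same change.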
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+set -euo pipefail
+rootfs="${1}"
+
+mkdir -p "${rootfs}/usr/lib/systemd/system/sockets.target.d"
+{ echo "[Unit]"; echo "Upholds=docker.socket"; } > "${rootfs}/usr/lib/systemd/system/sockets.target.d/10-docker-socket.conf"
diff --git a/sdk_container/src/third_party/coreos-overlay/app-arch/torcx/files/compat-wrapper.sh b/sdk_container/src/third_party/coreos-overlay/app-arch/torcx/files/compat-wrapper.sh
deleted file mode 100644
index 122162decae..00000000000
--- a/sdk_container/src/third_party/coreos-overlay/app-arch/torcx/files/compat-wrapper.sh
+++ /dev/null
@@ -1,33 +0,0 @@
-#!/bin/bash
-set -e
-
-bin=${0##*/}
-seal=/run/metadata/torcx
-
-if [ -z "${bin}" ]
-then
- echo 'Failed to determine the executed program name.' 1>&2
- exit 1
-fi
-
-if [ -s "${seal}" ]
-then
- . "${seal}"
-else
- echo "The program ${bin} is managed by torcx, which did not run." 1>&2
- exit 1
-fi
-
-if [ -z "${TORCX_BINDIR-}" ]
-then
- echo "The torcx seal file ${seal} is invalid." 1>&2
- exit 1
-fi
-
-if [ ! -x "${TORCX_BINDIR}/${bin}" ]
-then
- echo "The current torcx profile did not install a ${bin} program." 1>&2
- exit 1
-fi
-
-PATH="${TORCX_BINDIR}${PATH:+:${PATH}}" exec "${TORCX_BINDIR}/${bin}" "$@"
diff --git a/sdk_container/src/third_party/coreos-overlay/app-arch/torcx/files/docker-1.12-no.json b/sdk_container/src/third_party/coreos-overlay/app-arch/torcx/files/docker-1.12-no.json
deleted file mode 100644
index 4480c4e7670..00000000000
--- a/sdk_container/src/third_party/coreos-overlay/app-arch/torcx/files/docker-1.12-no.json
+++ /dev/null
@@ -1,11 +0,0 @@
-{
- "kind": "profile-manifest-v0",
- "value": {
- "images": [
- {
- "name": "docker",
- "reference": "com.coreos.cl"
- }
- ]
- }
-}
diff --git a/sdk_container/src/third_party/coreos-overlay/app-arch/torcx/files/dockerd-wrapper.sh b/sdk_container/src/third_party/coreos-overlay/app-arch/torcx/files/dockerd-wrapper.sh
deleted file mode 100644
index 19c440bddab..00000000000
--- a/sdk_container/src/third_party/coreos-overlay/app-arch/torcx/files/dockerd-wrapper.sh
+++ /dev/null
@@ -1,41 +0,0 @@
-#!/bin/bash
-# Wrapper for launching docker daemons with selinux default on
-# This wrapper script has been deprecated (euank: 2017-05-09) and is retained
-# for backwards compatibility.
-
-set -e
-
-parse_docker_args() {
- local flag
- while [[ $# -gt 0 ]]; do
- flag="$1"
- shift
-
- # treat --flag=foo and --flag foo identically
- if [[ "${flag}" == *=* ]]; then
- set -- "${flag#*=}" "$@"
- flag="${flag%=*}"
- fi
-
- case "${flag}" in
- --selinux-enabled)
- ARG_SELINUX="$1"
- shift
- ;;
- *)
- # ignore everything else
- ;;
- esac
- done
-}
-
-parse_docker_args "$@"
-
-USE_SELINUX=""
-# Do not override selinux if it is already explicitly configured.
-if [[ -z "${ARG_SELINUX}" ]]; then
- # If unspecified, default off
- USE_SELINUX="--selinux-enabled=false"
-fi
-
-exec dockerd "$@" ${USE_SELINUX}
diff --git a/sdk_container/src/third_party/coreos-overlay/app-arch/torcx/files/torcx.target b/sdk_container/src/third_party/coreos-overlay/app-arch/torcx/files/torcx.target
deleted file mode 100644
index adfd836204e..00000000000
--- a/sdk_container/src/third_party/coreos-overlay/app-arch/torcx/files/torcx.target
+++ /dev/null
@@ -1,7 +0,0 @@
-[Unit]
-Description=Verify torcx succeeded
-DefaultDependencies=no
-AssertPathExists=/run/metadata/torcx
-
-[Install]
-WantedBy=basic.target
diff --git a/sdk_container/src/third_party/coreos-overlay/app-arch/torcx/files/vendor.json b/sdk_container/src/third_party/coreos-overlay/app-arch/torcx/files/vendor.json
deleted file mode 100644
index 4480c4e7670..00000000000
--- a/sdk_container/src/third_party/coreos-overlay/app-arch/torcx/files/vendor.json
+++ /dev/null
@@ -1,11 +0,0 @@
-{
- "kind": "profile-manifest-v0",
- "value": {
- "images": [
- {
- "name": "docker",
- "reference": "com.coreos.cl"
- }
- ]
- }
-}
diff --git a/sdk_container/src/third_party/coreos-overlay/app-arch/torcx/metadata.xml b/sdk_container/src/third_party/coreos-overlay/app-arch/torcx/metadata.xml
deleted file mode 100644
index 097975e3adc..00000000000
--- a/sdk_container/src/third_party/coreos-overlay/app-arch/torcx/metadata.xml
+++ /dev/null
@@ -1,4 +0,0 @@
-
-
-
-
diff --git a/sdk_container/src/third_party/coreos-overlay/app-arch/torcx/torcx-0.2.0-r8.ebuild b/sdk_container/src/third_party/coreos-overlay/app-arch/torcx/torcx-0.2.0-r8.ebuild
deleted file mode 120000
index a82f2db3523..00000000000
--- a/sdk_container/src/third_party/coreos-overlay/app-arch/torcx/torcx-0.2.0-r8.ebuild
+++ /dev/null
@@ -1 +0,0 @@
-torcx-9999.ebuild
\ No newline at end of file
diff --git a/sdk_container/src/third_party/coreos-overlay/app-arch/torcx/torcx-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/app-arch/torcx/torcx-9999.ebuild
deleted file mode 100644
index 0f46c47f774..00000000000
--- a/sdk_container/src/third_party/coreos-overlay/app-arch/torcx/torcx-9999.ebuild
+++ /dev/null
@@ -1,58 +0,0 @@
-# Copyright (c) 2017-2018 CoreOS, Inc.. All rights reserved.
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-CROS_WORKON_PROJECT="flatcar/torcx"
-CROS_WORKON_LOCALNAME="torcx"
-CROS_WORKON_REPO="https://github.com"
-COREOS_GO_PACKAGE="github.com/flatcar/torcx"
-COREOS_GO_GO111MODULE="off"
-
-if [[ "${PV}" == 9999 ]]; then
- KEYWORDS="~amd64 ~arm64"
-else
- CROS_WORKON_COMMIT="3e7173395658a7e43ec0cb0dd2077795931d857f" # flatcar-master
- KEYWORDS="amd64 arm64"
-fi
-
-inherit coreos-go cros-workon systemd
-
-DESCRIPTION="torcx is a boot-time addon manager for immutable systems"
-HOMEPAGE="https://github.com/flatcar/torcx"
-LICENSE="Apache-2.0"
-SLOT="0"
-
-src_compile() {
- CGO_ENABLED=0 go_export
- ${EGO} build -v \
- -p "$(makeopts_jobs)" \
- -ldflags "-X ${COREOS_GO_PACKAGE}/pkg/version.VERSION=${PV}" \
- -o "bin/${ARCH}/torcx" \
- -tags containers_image_openpgp \
- "${COREOS_GO_PACKAGE}"
-}
-
-src_install() {
- local generatordir=/usr/lib/systemd/system-generators
- local vendordir=/usr/share/torcx
- local libcoreosdir=/usr/lib/flatcar
-
- # Install generator and userland.
- exeinto "${generatordir}"
- newexe "${S}/bin/${ARCH}/torcx" torcx-generator
- dosym ../systemd/system-generators/torcx-generator "${libcoreosdir}/torcx"
- systemd_dounit "${FILESDIR}/torcx.target"
-
- insinto "${vendordir}/profiles"
- doins "${FILESDIR}/docker-1.12-no.json"
- doins "${FILESDIR}/vendor.json"
- dodir "${vendordir}/store"
-
- # Preserve program paths for torcx packages.
- newbin "${FILESDIR}/compat-wrapper.sh" docker
- for link in {docker-,}{containerd{,-shim},runc} ctr docker-{init,proxy} dockerd tini
- do ln -fns docker "${ED}/usr/bin/${link}"
- done
- exeinto /usr/lib/flatcar
- newexe "${FILESDIR}/dockerd-wrapper.sh" dockerd
-}
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild
index a215fdea4b0..e04d93c316c 100644
--- a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild
@@ -95,7 +95,6 @@ RDEPEND="${RDEPEND}
 app-arch/xz-utils
 app-arch/zstd
 app-arch/tar
- app-arch/torcx
 app-arch/unzip
 app-arch/zip
 app-arch/ncompress
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-devel/board-packages/board-packages-0.0.1.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-devel/board-packages/board-packages-0.0.1.ebuild
index e9a082a32ee..d7369534956 100644
--- a/sdk_container/src/third_party/coreos-overlay/coreos-devel/board-packages/board-packages-0.0.1.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-devel/board-packages/board-packages-0.0.1.ebuild
@@ -29,6 +29,8 @@ RDEPEND="
 sys-boot/grub
 sys-firmware/edk2-ovmf-bin
 )
+ app-containers/containerd
+ app-containers/docker
 app-emulation/amazon-ssm-agent
 app-emulation/wa-linux-agent
 coreos-base/coreos