diff --git a/bootstrap_sdk b/bootstrap_sdk
index 834506ee6d2..0c636beda2b 100755
--- a/bootstrap_sdk
+++ b/bootstrap_sdk
@@ -65,16 +65,7 @@ ROOT_OVERLAY=${TEMPDIR}/stage4_overlay
 if [[ "$STAGES" =~ stage4 ]]; then
     info "Setting release to ${FLATCAR_VERSION}"
     rm -rf "${ROOT_OVERLAY}"
-    # need to setup the lib->lib64 symlink correctly
-    libdir=$(get_sdk_libdir)
-    mkdir -p "${ROOT_OVERLAY}/usr/${libdir}"
-    if [[ "${libdir}" != lib ]]; then
-        if [[ "$(get_sdk_symlink_lib)" == "yes" ]]; then
-            ln -s "${libdir}" "${ROOT_OVERLAY}/usr/lib"
-        else
-            mkdir -p "${ROOT_OVERLAY}/usr/lib"
-        fi
-    fi
+    mkdir -p "${ROOT_OVERLAY}"
     "${BUILD_LIBRARY_DIR}/set_lsb_release" \
         --root "${ROOT_OVERLAY}"
 fi
diff --git a/build_library/build_image_util.sh b/build_library/build_image_util.sh
index 0c2729159e6..d9c6a53172c 100755
--- a/build_library/build_image_util.sh
+++ b/build_library/build_image_util.sh
@@ -102,32 +102,13 @@ zip_update_tools() {
     --arch "$(get_sdk_arch)" --output-dir "${BUILD_DIR}" --zip-name "${update_zip}"
 }
 
-# ldconfig cannot generate caches for non-native arches.
-# Use qemu & the native ldconfig to work around that.
-# http://code.google.com/p/chromium/issues/detail?id=378377
 run_ldconfig() {
-  local root_fs_dir=$1
-  case ${ARCH} in
-  arm64)
-    sudo qemu-aarch64 "${root_fs_dir}"/usr/sbin/ldconfig -r "${root_fs_dir}";;
-  x86|amd64)
-    sudo ldconfig -r "${root_fs_dir}";;
-  *)
-    die "Unable to run ldconfig for ARCH ${ARCH}"
-  esac
+  # This wrapper is created by setup_board.
+  sudo "ldconfig-${BOARD}" -r "$1"
 }
 
 run_localedef() {
-  local root_fs_dir="$1" loader=()
-  case ${ARCH} in
-  arm64)
-    loader=( qemu-aarch64 -L "${root_fs_dir}" );;
-  amd64)
-    loader=( "${root_fs_dir}/usr/lib64/ld-linux-x86-64.so.2" \
-               --library-path "${root_fs_dir}/usr/lib64" );;
-  *)
-    die "Unable to run localedef for ARCH ${ARCH}";;
-  esac
+  local root_fs_dir="$1"
   info "Generating C.UTF-8 locale..."
   local i18n="${root_fs_dir}/usr/share/i18n"
   # localedef will silently fall back to /usr/share/i18n if missing so
@@ -135,8 +116,8 @@ run_localedef() {
   [[ -f "${i18n}/charmaps/UTF-8.gz" ]] || die
   [[ -f "${i18n}/locales/C" ]] || die
   sudo mkdir -p "${root_fs_dir}/usr/lib/locale"
-  sudo I18NPATH="${i18n}" "${loader[@]}" "${root_fs_dir}/usr/bin/localedef" \
-      --prefix="${root_fs_dir}" --charmap=UTF-8 --inputfile=C C.UTF-8
+  sudo I18NPATH="${i18n}" "bwrap-${BOARD}" "${root_fs_dir}" /usr/bin/localedef \
+      --charmap=UTF-8 --inputfile=C C.UTF-8
 }
 
 # Basic command to emerge binary packages into the target image.
diff --git a/build_library/catalyst.sh b/build_library/catalyst.sh
index 3d2eb051806..698bb72d4c3 100644
--- a/build_library/catalyst.sh
+++ b/build_library/catalyst.sh
@@ -25,6 +25,7 @@ BINPKGS=
 DISTDIR=
 TEMPDIR=
 STAGES=
+unset QEMU
 
 DEFINE_string catalyst_root "${DEFAULT_CATALYST_ROOT}" \
     "Path to directory for all catalyst images and other files."
@@ -97,6 +98,7 @@ cflags: -O2 -pipe
 cxxflags: -O2 -pipe
 ldflags: -Wl,-O2 -Wl,--as-needed
 source_subpath: ${SEED}
+${QEMU+interpreter: $(type -P "${QEMU}")}
 EOF
 }
 
@@ -207,6 +209,16 @@ catalyst_init() {
         SEED="seed/${FLAGS_seed_tarball##*/}"
         SEED="${SEED%.tar.*}"
     fi
+
+    # Emulate the build, if needed. Note the SDK itself may already be emulated,
+    # so check the requested arch against the kernel's real arch, not uname -m.
+    if [[ ${ARCH} != $(get_portage_arch "$(< /proc/sys/kernel/arch)") ]]; then
+        case "${ARCH}" in
+            amd64) QEMU=qemu-x86_64 ;;
+            arm64) QEMU=qemu-aarch64 ;;
+            riscv) QEMU=qemu-riscv64 ;;
+        esac
+    fi
 }
 
 write_configs() {
@@ -226,6 +238,9 @@ write_configs() {
 
     ln -sfT '/mnt/host/source/src/third_party/coreos-overlay/coreos/user-patches' \
         "${TEMPDIR}"/portage/patches
+
+    [[ -n ${QEMU} ]] ||
+        rm "${TEMPDIR}"/portage/package.env/qemu
 }
 
 build_stage() {
diff --git a/build_library/portage/env/releng/qemu b/build_library/portage/env/releng/qemu
new file mode 100644
index 00000000000..de86517db4d
--- /dev/null
+++ b/build_library/portage/env/releng/qemu
@@ -0,0 +1 @@
+FEATURES="-pid-sandbox -network-sandbox -ipc-sandbox"
diff --git a/build_library/portage/package.env/qemu b/build_library/portage/package.env/qemu
new file mode 100644
index 00000000000..60c290a8ba7
--- /dev/null
+++ b/build_library/portage/package.env/qemu
@@ -0,0 +1 @@
+*/* releng/qemu
diff --git a/build_library/prod_image_util.sh b/build_library/prod_image_util.sh
index 25d14d9b012..4987b283777 100755
--- a/build_library/prod_image_util.sh
+++ b/build_library/prod_image_util.sh
@@ -139,6 +139,7 @@ create_prod_image() {
   sudo rm -rf "${BUILD_DIR}/root_fs_dir2"
 
   # clean-ups of things we do not need
+  sudo find ${root_fs_dir}/usr/bin -empty -delete # Bind mounts created by bwrap
   sudo rm ${root_fs_dir}/etc/csh.env
   sudo rm -rf ${root_fs_dir}/etc/env.d
   sudo rm -rf ${root_fs_dir}/usr/include
diff --git a/build_library/set_lsb_release b/build_library/set_lsb_release
index 17d7c186e26..dbe64d335bc 100755
--- a/build_library/set_lsb_release
+++ b/build_library/set_lsb_release
@@ -42,6 +42,7 @@ sudo ln -sf "../usr/share/flatcar/lsb-release" "${ROOT_FS_DIR}/etc/lsb-release"
 
 # And the new standard, os-release
 # https://www.freedesktop.org/software/systemd/man/os-release.html
+sudo mkdir -p "${ROOT_FS_DIR}/usr/lib"
 sudo_clobber "${ROOT_FS_DIR}/usr/lib/os-release" <<EOF
 NAME="$BRANDING_OS_NAME"
 ID="$BRANDING_OS_ID"
@@ -60,10 +61,6 @@ CPE_NAME="cpe:2.3:o:${BRANDING_OS_ID}-linux:${BRANDING_OS_ID}_linux:${FLATCAR_VE
 EOF
 sudo ln -sf "../usr/lib/os-release" "${ROOT_FS_DIR}/etc/os-release"
 sudo ln -sf "../../lib/os-release" "${ROOT_FS_DIR}/usr/share/flatcar/os-release"
-# Compat for split of lib64 into lib and lib64
-if [ ! -e "${ROOT_FS_DIR}/usr/lib64/os-release" ]; then
-  sudo ln -sf "../lib/os-release" "${ROOT_FS_DIR}/usr/lib64/os-release"
-fi
 
 # Create the defaults for the coreos configuration files in the usr directory
 sudo_clobber "${ROOT_FS_DIR}/usr/share/flatcar/release" <<EOF
diff --git a/build_library/toolchain_util.sh b/build_library/toolchain_util.sh
index 8d86ff515ce..1de32c5ed6c 100644
--- a/build_library/toolchain_util.sh
+++ b/build_library/toolchain_util.sh
@@ -164,10 +164,6 @@ get_sdk_libdir() {
     portageq envvar "LIBDIR_$(get_sdk_arch)"
 }
 
-get_sdk_symlink_lib() {
-    portageq envvar "SYMLINK_LIB"
-}
-
 # Usage: get_sdk_binhost [version...]
 # If no versions are specified the current and SDK versions are used.
 get_sdk_binhost() {
diff --git a/changelog/updates/2026-05-19-docker-cli.md b/changelog/updates/2026-05-19-docker-cli.md
new file mode 100644
index 00000000000..795bdfd0b0b
--- /dev/null
+++ b/changelog/updates/2026-05-19-docker-cli.md
@@ -0,0 +1 @@
+- sysext-docker: docker-cli ([29.1.3](https://github.com/moby/moby/releases/tag/docker-v29.1.3) (includes [29.1.2](https://github.com/moby/moby/releases/tag/docker-v29.1.2), [29.1.1](https://github.com/moby/moby/releases/tag/docker-v29.1.1), [29.1.0](https://github.com/moby/moby/releases/tag/docker-v29.1.0), [29.0.4](https://github.com/moby/moby/releases/tag/docker-v29.0.4), [29.0.3](https://github.com/moby/moby/releases/tag/docker-v29.0.3), [29.0.2](https://github.com/moby/moby/releases/tag/docker-v29.0.2), [29.0.1](https://github.com/moby/moby/releases/tag/docker-v29.0.1), [29.0.0](https://github.com/moby/moby/releases/tag/docker-v29.0.0), [28.5.2](https://github.com/moby/moby/releases/tag/v28.5.2), [28.5.1](https://github.com/moby/moby/releases/tag/v28.5.1), [28.5.0](https://github.com/moby/moby/releases/tag/v28.5.0)))
diff --git a/common.sh b/common.sh
index 56420241977..209d2aea567 100644
--- a/common.sh
+++ b/common.sh
@@ -51,9 +51,6 @@ fi
 # Turn on bash debug support if available for backtraces.
 shopt -s extdebug 2>/dev/null
 
-# Source qemu library path
-. /etc/profile.d/qemu-aarch64.sh 2> /dev/null || true
-
 # Output a backtrace all the way back to the raw invocation, suppressing
 # only the _dump_trace frame itself.
 _dump_trace() {
@@ -957,38 +954,3 @@ BOAT
   echo -e "${V_VIDOFF}"
   die "$* failed"
 }
-
-# The binfmt_misc support in the kernel is required.
-# The aarch64 binaries should be executed through
-# "/usr/bin/qemu-aarch64-static"
-setup_qemu_static() {
-  local root_fs_dir="$1"
-  case "${BOARD}" in
-    amd64-usr) return 0;;
-    arm64-usr)
-      if [[ -f "${root_fs_dir}/sbin/ldconfig" ]]; then
-        sudo cp /usr/bin/qemu-aarch64 "${root_fs_dir}"/usr/bin/qemu-aarch64-static
-        echo export QEMU_LD_PREFIX=\"/build/arm64-usr/\" | sudo tee /etc/profile.d/qemu-aarch64.sh
-        . /etc/profile.d/qemu-aarch64.sh
-      else
-        die "Missing basic layout in target rootfs"
-      fi
-    ;;
-    *) die "Unsupported arch" ;;
-  esac
-}
-
-clean_qemu_static() {
-  local root_fs_dir="$1"
-  case "${BOARD}" in
-    amd64-usr) return 0;;
-    arm64-usr)
-      if [[ -f "${root_fs_dir}/usr/bin/qemu-aarch64-static" ]]; then
-        sudo rm "${root_fs_dir}"/usr/bin/qemu-aarch64-static
-      else
-        die "File not found"
-      fi
-    ;;
-    *) die "Unsupported arch" ;;
-  esac
-}
diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/azure-keyvault-pkcs11/azure-keyvault-pkcs11-0_p20250905.ebuild b/sdk_container/src/third_party/coreos-overlay/app-crypt/azure-keyvault-pkcs11/azure-keyvault-pkcs11-0_p20250905.ebuild
index 961fbed4778..921d345eef0 100644
--- a/sdk_container/src/third_party/coreos-overlay/app-crypt/azure-keyvault-pkcs11/azure-keyvault-pkcs11-0_p20250905.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/azure-keyvault-pkcs11/azure-keyvault-pkcs11-0_p20250905.ebuild
@@ -12,7 +12,7 @@ SRC_URI="https://github.com/jepio/azure_keyvault_pkcs11/archive/${COMMIT}.tar.gz
 S="${WORKDIR}/${PN}-${COMMIT}"
 LICENSE="MIT"
 SLOT="0"
-KEYWORDS="~amd64"
+KEYWORDS="~amd64 ~arm64"
 
 # libcurl is only NEEDED because of the Azure SDK.
 RDEPEND="
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/dev-lang/rust b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/dev-lang/rust
index c467aedeada..d72efdb3d5e 100644
--- a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/dev-lang/rust
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/dev-lang/rust
@@ -2,5 +2,6 @@ INSTALL_MASK+=" *rustdoc*"
 I_KNOW_WHAT_I_AM_DOING_CROSS=1
 
 RUST_CROSS_TARGETS=(
-	$(aarch64-cros-linux-gnu-gcc --version >/dev/null && echo "AArch64:aarch64-unknown-linux-gnu:aarch64-cros-linux-gnu")
+	$(use arm64 || { aarch64-cros-linux-gnu-gcc --version &>/dev/null && echo "AArch64:aarch64-unknown-linux-gnu:aarch64-cros-linux-gnu"; })
+	$(use amd64 || { x86_64-cros-linux-gnu-gcc  --version &>/dev/null && echo "X86:x86_64-unknown-linux-gnu:x86_64-cros-linux-gnu"      ; })
 )
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/sdk/package.use b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/sdk/package.use
index e69de29bb2d..21b5b3ee045 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/sdk/package.use
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/sdk/package.use
@@ -0,0 +1,3 @@
+# Don't build the user space emulator for this arch. It's not needed and gets in
+# the way when using Catalyst with QEMU.
+app-emulation/qemu -qemu_user_targets_x86_64
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/sdk/package.use b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/sdk/package.use
new file mode 100644
index 00000000000..c3e3f1eaed4
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/sdk/package.use
@@ -0,0 +1,3 @@
+# Don't build the user space emulator for this arch. It's not needed and gets in
+# the way when using Catalyst with QEMU.
+app-emulation/qemu -qemu_user_targets_aarch64
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/sdk/transition/parent b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/sdk/transition/parent
new file mode 100644
index 00000000000..627544f8c19
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/sdk/transition/parent
@@ -0,0 +1,2 @@
+..
+:coreos/targets/sdk/transition
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
index 49b910ee220..af0cb36190b 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
@@ -121,3 +121,7 @@ sys-apps/azure-vm-utils
 # Our own ebuild fixing issues in Gentoo, hopefully will be fixed
 # there too eventually.
 =sys-libs/libselinux-3.8.1-r3 ~amd64 ~arm64
+
+# Use unstable version for cross-compile fix. This needs to be at least as new
+# as app-containers/docker.
+=app-containers/docker-cli-29.1.3
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/profile.bashrc b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/profile.bashrc
index bcc7b1d0815..72701a012f9 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/profile.bashrc
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/profile.bashrc
@@ -1,8 +1,6 @@
 # Dumping ground for build-time helpers to utilize since SYSROOT/tmp/
 # can be nuked at any time.
 CROS_BUILD_BOARD_TREE="${SYSROOT}/build"
-CROS_BUILD_BOARD_BIN="${CROS_BUILD_BOARD_TREE}/bin"
-
 CROS_ADDONS_TREE="/mnt/host/source/src/third_party/coreos-overlay/coreos"
 
 # Are we merging for the board sysroot, or for the SDK, or for
@@ -112,12 +110,6 @@ cros_setup_hooks() {
 }
 cros_setup_hooks
 
-# Since we're storing the wrappers in a board sysroot, make sure that
-# is actually in our PATH.
-cros_pre_pkg_setup_sysroot_build_bin_dir() {
-	PATH+=":${CROS_BUILD_BOARD_BIN}"
-}
-
 # Remove any debug build-id symlinks that are broken because of INSTALL_MASK,
 # and also remove their associated debug files to avoid wasting space.
 cros_post_pkg_preinst_rm_masked_debug_files() {
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/sdk/make.defaults b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/sdk/make.defaults
index a73848f3615..7e04c913d3f 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/sdk/make.defaults
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/sdk/make.defaults
@@ -10,12 +10,6 @@ FEATURES="-splitdebug"
 # Enable CPU architectures needed by Rust builds
 LLVM_TARGETS="X86 AArch64"
 
-# Both x86_64 and i386 targets are required for grub testing
-QEMU_SOFTMMU_TARGETS="x86_64 i386 aarch64"
-
-# For cross build support.
-QEMU_USER_TARGETS="aarch64"
-
 # add cros_host to bootstrapping USE flags so SDK / toolchains bootstrapping
 # will use vim's vimrc instead of baselayouts',
 BOOTSTRAP_USE="$BOOTSTRAP_USE cros_host"
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/sdk/package.use b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/sdk/package.use
index 641b433bda1..2108e23b8b9 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/sdk/package.use
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/sdk/package.use
@@ -12,7 +12,7 @@ app-crypt/gnupg smartcard usb
 
 # for qemu
 app-arch/bzip2 static-libs
-app-emulation/qemu -doc -jpeg ncurses python static-user virtfs qemu_softmmu_targets_x86_64 qemu_softmmu_targets_aarch64
+app-emulation/qemu -doc -jpeg ncurses python static-user virtfs qemu_softmmu_targets_aarch64 qemu_softmmu_targets_x86_64 qemu_user_targets_aarch64 qemu_user_targets_x86_64
 dev-libs/glib static-libs
 dev-libs/libaio static-libs
 dev-libs/libpcre2 static-libs
diff --git a/sdk_container/src/third_party/coreos-overlay/x11-drivers/old-nvidia-drivers/old-nvidia-drivers-550.163.01-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/x11-drivers/old-nvidia-drivers/old-nvidia-drivers-550.163.01-r1.ebuild
index 6e3b131d18d..42943161397 100644
--- a/sdk_container/src/third_party/coreos-overlay/x11-drivers/old-nvidia-drivers/old-nvidia-drivers-550.163.01-r1.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/x11-drivers/old-nvidia-drivers/old-nvidia-drivers-550.163.01-r1.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2025 Gentoo Authors
+# Copyright 1999-2026 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=8
@@ -176,6 +176,14 @@ src_compile() {
 	local xnvflags=-fPIC #840389
 	tc-is-lto && xnvflags+=" $(test-flags-CC -ffat-lto-objects)"
 
+	# Same as uname -m.
+	local target_arch
+	case ${ARCH} in
+		amd64) target_arch=x86_64 ;;
+		arm64) target_arch=aarch64 ;;
+		*) die "Unrecognised architecture: ${ARCH}" ;;
+	esac
+
 	NV_ARGS=(
 		PREFIX="${EPREFIX}"/usr
 		HOST_CC="$(tc-getBUILD_CC)"
@@ -183,6 +191,7 @@ src_compile() {
 		BUILD_GTK2LIB=
 		NV_USE_BUNDLED_LIBJANSSON=0
 		NV_VERBOSE=1 DO_STRIP= MANPAGE_GZIP= OUTPUTDIR=out
+		TARGET_ARCH="${target_arch}"
 		WAYLAND_AVAILABLE=$(usex wayland 1 0)
 		XNVCTRL_CFLAGS="${xnvflags}"
 	)
@@ -211,6 +220,7 @@ src_compile() {
 			CC="${KERNEL_CC}" # needed for above gnu17 workaround
 			IGNORE_CC_MISMATCH=yes NV_VERBOSE=1
 			SYSOUT="${KV_OUT_DIR}" SYSSRC="${KV_DIR}"
+			TARGET_ARCH="${target_arch}"
 
 			# kernel takes "x86" and "x86_64" as meaning the same, but nvidia
 			# makes the distinction (since 550.135) and is not happy with "x86"
diff --git a/setup_board b/setup_board
index 3924776ca89..9cfbc061bf9 100755
--- a/setup_board
+++ b/setup_board
@@ -92,6 +92,13 @@ generate_all_wrappers() {
   # the board arch matches the SDK arch and therefore emulation is unnecessary.
   qemu=$(type -P "qemu-${BOARD_CHOST%%-*}") || unset qemu
 
+  # If emulation is necessary, then we need to create a placeholder to bind
+  # mount QEMU onto now. This avoids needing root to do it later.
+  if [[ -n ${qemu-} ]]; then
+    sudo mkdir -p "${BOARD_ROOT}${qemu%/*}"
+    sudo touch "${BOARD_ROOT}${qemu}"
+  fi
+
   info "Generating wrapper scripts"
 
   for wrapper in emerge ebuild eclean equery portageq \
@@ -113,8 +120,20 @@ exec ${BOARD_CHOST}-gdb -iex 'set sysroot ${BOARD_ROOT}' "\$@"
 EOF
   wrappers+=( "${wrapper}" )
 
+  # A general purpose wrapper for effectively chrooting using bubblewrap,
+  # together with emulation by QEMU if necessary.
+  wrapper="/usr/local/bin/bwrap-${BOARD_VARIANT}"
+  sudo_clobber "${wrapper}" <<EOF
+#!/bin/sh -e
+_ROOT=\${1?Pass a root directory as the first argument}
+shift
+exec bwrap --bind "\${_ROOT}" / --tmpfs /tmp --dev-bind /dev /dev --proc /proc --bind /sys /sys ${qemu+--ro-bind ${qemu} ${qemu}} -- "\$@"
+EOF
+  wrappers+=( "${wrapper}" )
+
   # ldconfig cannot generate caches for non-native arches. Use QEMU and the
-  # native ldconfig to work around that.
+  # native ldconfig to work around that. Don't use the bwrap wrapper above
+  # because it's unnecessarily complex for this use case.
   wrapper="/usr/local/sbin/ldconfig-${BOARD_VARIANT}"
   sudo_clobber "${wrapper}" <<EOF
 #!/bin/sh
@@ -363,11 +382,6 @@ if [[ ${FLAGS_regen_configs} -eq ${FLAGS_FALSE} ]]; then
       "${EMERGE_TOOLCHAIN_FLAGS[@]}" "${TOOLCHAIN_PKGS[@]}"
 fi
 
-if [[ ${FLAGS_regen_configs_only} -eq ${FLAGS_FALSE} ]]; then
-  # Setup BOARD_ROOT for QEMU user emulation.
-  setup_qemu_static "${BOARD_ROOT}"
-fi
-
 if [ $FLAGS_default -eq $FLAGS_TRUE ] ; then
   echo $BOARD_VARIANT > "$GCLIENT_ROOT/src/scripts/.default_board"
 fi