From 8b29e07d9e833ff157d1af500781a15e8d0df2bb Mon Sep 17 00:00:00 2001 From: Tianon Gravi Date: Thu, 24 May 2018 13:59:38 -0700 Subject: [PATCH] Update postgres "arbitrary user" notes to reference new nss_wrapper functionality --- postgres/content.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/postgres/content.md b/postgres/content.md index 96183aafad84..6c474493120d 100644 --- a/postgres/content.md +++ b/postgres/content.md @@ -106,9 +106,11 @@ $ docker run -it --rm --user 1000:1000 %%IMAGE%% initdb: could not look up effective user ID 1000: user does not exist ``` -The two easiest ways to get around this: +The three easiest ways to get around this: -1. bind-mount `/etc/passwd` read-only from the host (if the UID you desire is a valid user on your host): +1. use the Debian variants (not the Alpine variants) and thus allow the image to use [the `nss_wrapper` library](https://cwrap.org/nss_wrapper.html) to "fake" `/etc/passwd` contents for you (see [docker-library/postgres#448](https://github.com/docker-library/postgres/pull/448) for more details) + +2. bind-mount `/etc/passwd` read-only from the host (if the UID you desire is a valid user on your host): ```console $ docker run -it --rm --user "$(id -u):$(id -g)" -v /etc/passwd:/etc/passwd:ro %%IMAGE%% @@ -116,7 +118,7 @@ The two easiest ways to get around this: ... ``` -2. initialize the target directory separately from the final runtime (with a `chown` in between): +3. initialize the target directory separately from the final runtime (with a `chown` in between): ```console $ docker volume create pgdata
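Review bot: In the first hunk, the new item 1 is the only one of the three options with no `console` example, and "fake" in quotes leaves the reader unsure what they have to do, if anything. If the point is that on the Debian variants the failing command shown just above (`docker run -it --rm --user 1000:1000 %%IMAGE%%`) now works with no extra flags or mounts, say so in the item and show that command, so the reader does not have to follow the link to docker-library/postgres#448 to find out what to run. The parenthetical "(not the Alpine variants)" would also benefit from a short reason, since as written it tells Alpine users only that this option is unavailable and not why; they are left to pick between items 2 and 3 without knowing whether that will change. The second hunk is a pure renumbering of item 2 to item 3 and looks fine.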