Description of problem: This is a similar issue as bz#1120347, but this time the request is to ship nss_wrapper in RHSCL channel, because it doesn't seem probable to have the nss_wrapper in the RHEL 7 any time soon. Why we need nss_wrapper: In RHSCL images (e.g. postgresql image), we have a need for nss_wrapper that is not used for testing (testing purposes are primary use case of the nss_wrapper). The problem we're solving in postgresql docker image is that we need to run the container as any non-root user (important feature for OpenShift), so something like `docker run -u 12345 postgresql-94-rhel7` should work. However, postgresql requires the UID be present in /etc/passwd file, otherwise the daemon doesn't start. This is what nss_wrapper allows us to do. Without nss_wrapper (of similar functionality), we're not able to provide the feature of running the container as arbitrary user. Current solution internally: Currently we take nss_wrapper from rhel-7-server-ose-3.2-rpms channel internally, which customers don't necessary need to have a subscription for, so they are not able to rebuild container images provided by us. Why we need it externally as well: Especially in containers world possibility to rebuild a container from original sources is quite important, since the container images only support limited set of use cases by default and users are expected to build their own container image for the specific purposes. In some cases it is possible to build only thin layer on top or our image, but sometimes it is necessary to change the existing scripts and in that case only rebuild from original sources is required.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2017:0976