diff --git a/comanage-registry-postgres/Dockerfile b/comanage-registry-postgres/Dockerfile
index ce28e14..5b0b5b5 100644
--- a/comanage-registry-postgres/Dockerfile
+++ b/comanage-registry-postgres/Dockerfile
@@ -40,4 +40,4 @@ ENV COMANAGE_REGISTRY_POSTGRES_USER_PASSWORD ${COMANAGE_REGISTRY_POSTGRES_USER_P
 ENTRYPOINT ["/usr/local/bin/comanage-registry-postgres-entrypoint.sh"]
-CMD ["-c", "hba_file=/etc/postgres/pg_hba.conf"]
+CMD ["postgres"]
diff --git a/comanage-registry-postgres/create-pg_hba.conf.sh b/comanage-registry-postgres/create-pg_hba.conf.sh
index f139871..84ca1da 100755
--- a/comanage-registry-postgres/create-pg_hba.conf.sh
+++ b/comanage-registry-postgres/create-pg_hba.conf.sh
@@ -21,21 +21,35 @@ set -e
-mkdir -p /etc/postgres
-
-if [ -n "$COMANAGE_REGISTRY_POSTGRES_USER_PASSWORD" ]
+# Measure the existing pg_hba.conf file to see if it is the default.
+# The default version written will depend on whether or not passwords
+# have been injected.
+CHECKSUM=`md5sum /var/lib/postgresql/data/pg_hba.conf | awk '{print $1}'`
+if [ "$CHECKSUM" = "d3cf011ed2c2f5ff9b7664911969c0f5" ] || [ "$CHECKSUM" = "42f44484c701461a44b713b1b6c0b901" ]
 then
+ PG_HBA_DEFAULT="1"
+else
+ PG_HBA_DEFAULT="0"
+fi
+
+# If the pg_hba.conf file is the default overwrite a more restrictive
+# version.
- cat >> /etc/postgres/pg_hba.conf <<EOF
+if [ "$PG_HBA_DEFAULT" = "1" ]
+then
+ # If a password has been injected require it, otherwise just use samenet trust.
+ if [ -n "$COMANAGE_REGISTRY_POSTGRES_USER_PASSWORD" ]
+ then
+ cat > /var/lib/postgresql/data/pg_hba.conf <<EOF
 local all postgres peer
 host $COMANAGE_REGISTRY_POSTGRES_DATABASE $COMANAGE_REGISTRY_POSTGRES_USER 127.0.0.1/32 md5
 host $COMANAGE_REGISTRY_POSTGRES_DATABASE $COMANAGE_REGISTRY_POSTGRES_USER samenet md5
 EOF
-else
- cat >> /etc/postgres/pg_hba.conf <<EOF
+ else
+ cat > /var/lib/postgresql/data/pg_hba.conf <<EOF
 local all postgres peer
 host $COMANAGE_REGISTRY_POSTGRES_DATABASE $COMANAGE_REGISTRY_POSTGRES_USER samenet trust
 EOF
-
+ fi
 fi
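Review bot: The checksum gate on the new `if [ "$CHECKSUM" = ... ]` line fails open: whenever the data-directory pg_hba.conf does not match one of the two hard-coded MD5 values (a newer base image shipping a different default, or an md5sum failure that the pipe into awk masks because only `set -e` is visible and `pipefail` is not), `PG_HBA_DEFAULT` becomes `0` and the script silently leaves the existing file in place, which after the Dockerfile hunk's `CMD ["postgres"]` is now the file the server actually loads instead of the old `hba_file=/etc/postgres/pg_hba.conf`. At minimum the unrecognized case should be visible to operators, e.g. in the `else` arm `echo "pg_hba.conf not recognized as an image default (md5 $CHECKSUM); leaving it unchanged" >&2`, and a `set -o pipefail` next to the existing `set -e` (if the script's interpreter supports it) would stop a missing or unreadable file from being classified as "not default". A marker comment written into the generated file would let the script recognise its own output on restart rather than depending on upstream checksums that change with image releases. On the `CHECKSUM=` line, `$(md5sum ... | awk '{print $1}')` is preferable to the backticks.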