I'm using a docker-compose.yml like this in Docker version 17.06.2-ce-mac27 (19124):

version: '3' services: db: image: postgres:9.6.4 volumes: - db:/var/lib/postgresql/data volumes: db:

If I docker-compose run on the db service from that yaml, it changes the permissions on the mount in the main db service container to 777:

~/d/composetest> docker-compose up -d Creating network "composetest_default" with the default driver Creating volume "composetest_db" with default driver Pulling db (postgres:9.6.4)... 9.6.4: Pulling from library/postgres Digest: sha256:586320aba4a40f7c4ffdb69534f93c844f01c0ff1211c4b9d9f05a8bddca186f Status: Downloaded newer image for postgres:9.6.4 Creating composetest_db_1 ... Creating composetest_db_1 ... done ~/d/composetest> docker-compose exec db ls -l /var/lib/postgresql/ total 4 drwx------ 19 postgres postgres 4096 Sep 24 23:03 data ~/d/composetest> docker-compose run db ls -l /var/lib/postgresql/ total 4 drwxrwxrwx 19 postgres postgres 4096 Sep 24 23:03 data ~/d/composetest> docker-compose exec db ls -l /var/lib/postgresql/ total 4 drwxrwxrwx 19 postgres postgres 4096 Sep 24 23:03 data 

This tripped me up because postgres checks the permissions on its data directory at startup, and if it isn't 700, it refuses to start up. I wrote a script to docker-compose up my db service and then docker-compose run a script in the db service that checks if postgres is running using psql. Since I do a docker-compose run immediately, docker-entrypoint.sh is still doing its multiple rounds of postgres startup in the main container. postgres does a permissions check after the initial docker-compose run, and fails to startup due to the perm change. I was able to work around it by using docker-compose exec instead of docker-compose run, but it took me a lot of puzzling around.

I think this is happening because the Dockerfile sets the permissions to 777 at https://github.com/docker-library/postgres/blob/master/Dockerfile-debian.template#L126 but the entrypoint only sets them back to 700 https://github.com/docker-library/postgres/blob/master/docker-entrypoint.sh#L34. Not sure if there's a way to keep from making that directory 777, but it would've saved me a fair bit of confusion.