Closed
The postgres container needs the dac_override capability to create $PGDATA/pg_hba.conf as the root user when $PGDATA has already been transferred to the postgres user.
From the capabilities manpage:

> CAP_DAC_OVERRIDE
>     Bypass file read, write, and execute permission checks.

As described in a Red Hat article, no container should need this capability.

To simulate this problem I have the following scenario.
Directory structure

```text
./docker-compose.yml
./psql/entrypoint.sh
./psql/Dockerfile
```
./docker-compose.yml
```yaml
version: "2"
services:
  bd:
    build: ./psql
    ports: ["5432:5432"]
    # Keep only the capabilities the image actually needs at startup.
    cap_add:
      - net_bind_service
      - chown
      - fowner
      - setuid
      - setgid
    # Drop the rest of Docker's default set, including dac_override.
    cap_drop:
      - dac_override
      - fsetid
      - kill
      - setpcap
      - net_raw
      - sys_chroot
      - mknod
      - audit_write
      - setfcap
    environment:
      - POSTGRES_USER=postgres
      - POSTGRES_PASSWORD=abc123
```
./psql/entrypoint.sh
```sh
#!/bin/sh
# Init script picked up from /docker-entrypoint-initdb.d/ on first start.
set -e
createdb --username "$POSTGRES_USER" testdb
createuser --username "$POSTGRES_USER" testuser
psql --username "$POSTGRES_USER" -c "ALTER USER testuser WITH PASSWORD '$POSTGRES_PASSWORD';"
psql --username "$POSTGRES_USER" -c "GRANT CONNECT ON DATABASE testdb TO testuser;"
```
./psql/Dockerfile
```dockerfile
FROM postgres:9.6
# Move the data directory away from the default /var/lib/postgresql/data.
ENV PGDATA=/db
COPY entrypoint.sh /docker-entrypoint-initdb.d/
EXPOSE 5432
```
When running docker-compose I get the following log:

```text
/docker-entrypoint.sh: line 97: /db/pg_hba.conf: Permission denied
```
And if I try to log in to the database:

```text
$ psql -h 127.0.0.1 testdb testuser
psql: FATAL: no pg_hba.conf entry for host "172.21.0.1", user "testuser", database "testdb", SSL off
```
If I change the docker-compose.yml and allow the dac_override capability, everything works fine (no error in the startup log and login OK).

Could we just create $PGDATA/pg_hba.conf before transferring the ownership of $PGDATA to postgres?
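An added example (not from this issue or the postgres image): a small Python script that predicts the capability set the compose file above produces from Docker's default set, and decodes the CapEff mask a process reads from /proc/self/status, so you can confirm from inside the container (for example with `docker exec <ctr> cat /proc/self/status`) that dac_override is really gone. The Docker default set, the sample status excerpt and the assumption that Docker removes cap_drop entries before applying cap_add are mine, not taken from the page.

```python
"""Check which Linux capabilities a container actually ends up with.

Added example, not from the issue or the postgres image. It (1) predicts the
capability set a compose file's cap_add/cap_drop yield from Docker's default
set and (2) decodes the CapEff mask from a /proc/<pid>/status dump, so the
prediction can be verified inside the running container.
"""
import re

# Capability bit numbers from <linux/capability.h>.
CAP_BITS = {
    "chown": 0, "dac_override": 1, "dac_read_search": 2, "fowner": 3,
    "fsetid": 4, "kill": 5, "setgid": 6, "setuid": 7, "setpcap": 8,
    "linux_immutable": 9, "net_bind_service": 10, "net_broadcast": 11,
    "net_admin": 12, "net_raw": 13, "ipc_lock": 14, "ipc_owner": 15,
    "sys_module": 16, "sys_rawio": 17, "sys_chroot": 18, "sys_ptrace": 19,
    "sys_pacct": 20, "sys_admin": 21, "sys_boot": 22, "sys_nice": 23,
    "sys_resource": 24, "sys_time": 25, "sys_tty_config": 26, "mknod": 27,
    "lease": 28, "audit_write": 29, "audit_control": 30, "setfcap": 31,
    "mac_override": 32, "mac_admin": 33, "syslog": 34, "wake_alarm": 35,
    "block_suspend": 36, "audit_read": 37,
}

# Capabilities Docker grants an unprivileged container before cap_add/cap_drop
# (assumed here; its hex mask is 00000000a80425fb).
DOCKER_DEFAULT_CAPS = frozenset({
    "chown", "dac_override", "fsetid", "fowner", "mknod", "net_raw", "setgid",
    "setuid", "setfcap", "setpcap", "net_bind_service", "sys_chroot", "kill",
    "audit_write",
})

# The cap_add / cap_drop lists from the compose file in the issue.
ISSUE_CAP_ADD = ["net_bind_service", "chown", "fowner", "setuid", "setgid"]
ISSUE_CAP_DROP = ["dac_override", "fsetid", "kill", "setpcap", "net_raw",
                  "sys_chroot", "mknod", "audit_write", "setfcap"]


def compose_caps(cap_add, cap_drop, base=DOCKER_DEFAULT_CAPS):
    """Predict the container's capability set from compose cap_add/cap_drop.

    Assumes Docker's order: drops are removed from the base set first, then
    adds are applied, so a name listed in both stays granted.
    """
    caps = set(base) - {c.lower() for c in cap_drop}
    caps |= {c.lower() for c in cap_add}
    unknown = caps - set(CAP_BITS)
    if unknown:
        raise ValueError(f"unknown capability name(s): {sorted(unknown)}")
    return caps


def decode_mask(hex_mask):
    """Turn a CapEff/CapBnd-style hex mask into the set of capability names."""
    mask = int(hex_mask, 16)
    return {name for name, bit in CAP_BITS.items() if (mask >> bit) & 1}


def encode_mask(caps):
    """Inverse of decode_mask: 16-digit zero-padded hex, as /proc prints it."""
    mask = 0
    for name in caps:
        mask |= 1 << CAP_BITS[name]
    return f"{mask:016x}"


def effective_caps(status_text):
    """Extract and decode the CapEff line of a /proc/<pid>/status dump."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.M)
    if not m:
        raise ValueError("no CapEff line found")
    return decode_mask(m.group(1))


# Constructed excerpt of /proc/self/status for the root entrypoint process in
# a container started with the issue's compose file; not captured from a real
# container. 0x4c9 = chown, fowner, setgid, setuid, net_bind_service.
SAMPLE_STATUS = """Name:\tbash
Uid:\t0\t0\t0\t0
CapInh:\t00000000000004c9
CapPrm:\t00000000000004c9
CapEff:\t00000000000004c9
CapBnd:\t00000000000004c9
"""

if __name__ == "__main__":
    predicted = compose_caps(ISSUE_CAP_ADD, ISSUE_CAP_DROP)
    observed = effective_caps(SAMPLE_STATUS)
    print("predicted:", sorted(predicted), encode_mask(predicted))
    print("observed: ", sorted(observed), encode_mask(observed))
    print("dac_override present:", "dac_override" in observed)
```

Run it as is to see the prediction for the issue's compose file, or feed `effective_caps()` the real output of `cat /proc/self/status` from inside the container; the two sets should match and neither should contain dac_override. A non-root process (postgres after `gosu`) normally shows CapEff 0, so check the root entrypoint process or the CapBnd line instead.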