
I know it is awfully specific, sssd.conf that is. But upon COPY (or ADD) sssd.conf I receive the same error:

ERROR: Service 'samba_adc' failed to build: failed to copy files: failed to copy file: Error processing tar file(exit status 1): Error setting up pivot dir: mkdir /share/CACHEDEV1_DATA/virtual_machines/container-station-data/lib/docker/overlay/332546c2c487355deb45468b291abacce80701b04c6061575887eceb3858a6cd/merged/etc/sssd/conf.d/.pivot_root030453588: operation not permitted

Putting anything in the directory later at runtime fails:

# echo "sssd was here" > /etc/sssd/foo
bash: /etc/sssd/foo: Operation not permitted

chmod fails on anything in the directory

# chmod 755 /etc/sssd
chmod: changing permissions of '/etc/sssd': Operation not permitted

Putting a USER root before the command does nothing. This is docker 17.07 so --chown=root isn't possible.

Running lsattr / chattr is useless too:

# chattr -i /etc/sssd
chattr: Inappropriate ioctl for device while reading flags on /etc/sssd

Some other attempts to figure this out:

# rmdir /etc/sssd
rmdir: failed to remove '/etc/sssd': Directory not empty

# su sssd
# echo "sssd was here" > /etc/sssd/foo
bash: /etc/sssd/foo: Operation not permitted

At this point I am baffled, google has yielded me nothing more, I am hoping I am missing something. If you need my complete sources they are here (github).

edit, adding information:

docker -D info

Containers: 0
 Running: 0
 Paused: 0
 Stopped: 0
Images: 59
Server Version: 17.07.0-ce
Storage Driver: overlay
 Backing Filesystem: extfs
 Supports d_type: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version:  (expected: 3addd840653146c90a254301d6c3a663c7fd6429)
runc version: N/A (expected: 2d41c047c83e09a6d61d464906feb2a2f3c52aa4)
init version: 949e6fa
Kernel Version: 4.2.8
Operating System: QTS 4.3.4 (20180315)
OSType: linux
Architecture: x86_64
CPUs: 4
Total Memory: 7.682GiB
Name: NAS
ID: CTVG:6D5G:WCK4:PXAX:GCYG:HPKN:25A2:N4AC:TRXT:ADAS:XTPB:DI2E
Docker Root Dir: /share/CACHEDEV1_DATA/virtual_machines/container-station-data/lib/docker
Debug Mode (client): true
Debug Mode (server): true
 File Descriptors: 70
 Goroutines: 80
 System Time: 2018-03-28T11:11:47.511378666-07:00
 EventsListeners: 1
Registry: https://index.docker.io/v1/
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false

WARNING: No kernel memory limit support

docker version

Client:
 Version:       18.03.0-ce
 API version:   1.31 (downgraded from 1.37)
 Go version:    go1.9.4
 Git commit:    0520e24
 Built: Wed Mar 21 23:10:06 2018
 OS/Arch:       linux/amd64
 Experimental:  false
 Orchestrator:  swarm

Server:
 Engine:
  Version:      17.07.0-ce
  API version:  1.31 (minimum version 1.12)
  Go version:   go1.8.3
  Git commit:   fd7dc00
  Built:        Thu Feb  8 15:57:38 2018
  OS/Arch:      linux/amd64
  Experimental: false

host's uname -r

uname -r
4.2.8
ehiller

2 Answers


The users you are using to perform your operations have no write permissions on the parent directory.

Danila Ladner
  • But if `ADD` and `COPY` are always performed as `root` wouldn't this mean that it always has write permissions? – ehiller Mar 29 '18 at 13:34

The answer, it turns out, is that the issue is layers. In some cases, once a layer is created, the permissions for that layer's files cannot be modified. (Note: I am not sure of the precise nature of which cases lead to being able to vs. not.) So nothing I do in any prior layer would possibly allow me to change the permissions, ownership, etc. of a particular file created in a past layer. If I do it in-layer or prior to that, with something like `touch <blahfile> && chmod 600 <blahfile>`, that is entirely workable. As is something along the lines of (and my final solution):

apt install sssd <and other requirements> && chmod 755 /etc/sssd
ehiller
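The layer rule from this answer, as an added Dockerfile example (not the question's or the answer's own build file): the two-layer layout that fails is kept as a comment beside the single-layer version that works, and the config file is staged outside /etc/sssd so the COPY never has to write into a directory an earlier layer created. Base image, package selection and the /tmp/sssd.conf staging path are assumptions.

```dockerfile
# Added example, not from the question or the answers. Base image, package
# list and the staging path /tmp/sssd.conf are assumptions.
FROM debian:stretch

# Layout that fails on the setup in the question (overlay driver, kernel 4.2.8):
# the package install creates /etc/sssd in one layer, and the chmod and the
# COPY that follow each start a new layer that must modify that directory,
# which ends in "Operation not permitted" as shown above.
#
#   RUN apt-get update && apt-get install -y sssd
#   RUN chmod 755 /etc/sssd
#   COPY sssd.conf /etc/sssd/conf.d/
#
# Layout that works, following the second answer: everything that touches
# /etc/sssd happens in the same RUN, i.e. the same layer that creates it.

# Stage the config in a path no earlier layer owns, so the COPY layer itself
# does not have to write into /etc/sssd.
COPY sssd.conf /tmp/sssd.conf

# Install, then fix ownership and mode in the very same layer. The 600 on the
# config file mirrors the answer's "touch <file> && chmod 600 <file>" pattern
# and keeps credentials in sssd.conf readable by root only.
RUN apt-get update && apt-get install -y --no-install-recommends sssd \
 && chmod 755 /etc/sssd \
 && mkdir -p /etc/sssd/conf.d \
 && mv /tmp/sssd.conf /etc/sssd/conf.d/sssd.conf \
 && chown root:root /etc/sssd/conf.d/sssd.conf \
 && chmod 600 /etc/sssd/conf.d/sssd.conf \
 && rm -rf /var/lib/apt/lists/*
```

After the build, `docker run --rm <image> ls -la /etc/sssd /etc/sssd/conf.d` shows whether the modes landed as intended, which is the check the question's runtime `chmod` could not perform.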