Created attachment 1592951 [details]
selinux-permissive-audit.log

Description of problem:
We are trying to integrate Thales HSM with Barbican enabled OSP-15 to verify the feature request per BZ#1624491. The OSP overcloud nodes are clients to the external Thales HSM server. During the client setup, the barbican containers are unable to access the HSM software directory in a volume mount on the controller.

Path to the thales HSM software directory on the controller: /opt/nfast

Version-Release number of selected component (if applicable):
RHOS_TRUNK-15.0-RHEL-8-20190716.n.0

How reproducible:
always

Steps to Reproduce:
Please reach out to pkesavar (IRC: pkesavar) to request access to the setup environment. Alternatively,

Actual results:
TASK [Debug output for task: Start containers for step 3] **********************
Tuesday 23 July 2019  11:24:03 -0400 (0:02:31.766)       0:22:08.397 **********
fatal: [controller-0]: FAILED! => {
    "failed_when_result": true,
    "outputs.stdout_lines | default([]) | union(outputs.stderr_lines | default([]))": [
        "Error running ['podman', 'run', '--name', 'barbican_api_create_hmac', '--label', 'config_id=tripleo_step3', '--label', 'container_name=barbican_api_create_hmac', '--label', 'managed_by=paunch', '--label', 'config_data={\"command\": \"/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c \\'/usr/bin/barbican-manage hsm check_hmac --library-path /opt/nfast/toolkits/pkcs11/libcknfast.so --slot-id 492971158 --passphrase pew2noises --label titan94_hmac_10 --key-type CKK_SHA256_HMAC || /usr/bin/barbican-manage hsm gen_hmac --library-path /opt/nfast/toolkits/pkcs11/libcknfast.so --slot-id 492971158 --passphrase pew2noises --label titan94_hmac_10 --key-type CKK_SHA256_HMAC --mechanism CKM_NC_SHA256_HMAC_KEY_GEN \\'\", \"detach\": false, \"environment\": [\"TRIPLEO_DEPLOY_IDENTIFIER=1563893401\"], \"image\": \"192.168.24.1:8787/rhosp15/openstack-barbican-api:20190715.1\", \"net\": \"host\", \"start_order\": 0, \"user\": \"root\", \"volumes\": [\"/etc/hosts:/etc/hosts:ro\", \"/etc/localtime:/etc/localtime:ro\", \"/etc/pki/ca-trust/extracted:/etc/pki/ca-trust/extracted:ro\", \"/etc/pki/ca-trust/source/anchors:/etc/pki/ca-trust/source/anchors:ro\", \"/etc/pki/tls/certs/ca-bundle.crt:/etc/pki/tls/certs/ca-bundle.crt:ro\", \"/etc/pki/tls/certs/ca-bundle.trust.crt:/etc/pki/tls/certs/ca-bundle.trust.crt:ro\", \"/etc/pki/tls/cert.pem:/etc/pki/tls/cert.pem:ro\", \"/dev/log:/dev/log\", \"/etc/ssh/ssh_known_hosts:/etc/ssh/ssh_known_hosts:ro\", \"/etc/puppet:/etc/puppet:ro\", \"/var/log/containers/barbican:/var/log/barbican:z\", \"/var/log/containers/httpd/barbican-api:/var/log/httpd:z\", \"/var/lib/config-data/barbican/etc/barbican/:/etc/barbican/:ro\", \"/var/lib/config-data/barbican/etc/my.cnf.d/:/etc/my.cnf.d/:ro\", \"/opt/nfast:/opt/nfast\"]}', '--conmon-pidfile=/var/run/barbican_api_create_hmac.pid', '--log-driver', 'json-file', '--log-opt', 'path=/var/log/containers/stdouts/barbican_api_create_hmac.log', '--env=TRIPLEO_DEPLOY_IDENTIFIER=1563893401', '--net=host', '--user=root', '--volume=/etc/hosts:/etc/hosts:ro', '--volume=/etc/localtime:/etc/localtime:ro', '--volume=/etc/pki/ca-trust/extracted:/etc/pki/ca-trust/extracted:ro', '--volume=/etc/pki/ca-trust/source/anchors:/etc/pki/ca-trust/source/anchors:ro', '--volume=/etc/pki/tls/certs/ca-bundle.crt:/etc/pki/tls/certs/ca-bundle.crt:ro', '--volume=/etc/pki/tls/certs/ca-bundle.trust.crt:/etc/pki/tls/certs/ca-bundle.trust.crt:ro', '--volume=/etc/pki/tls/cert.pem:/etc/pki/tls/cert.pem:ro', '--volume=/dev/log:/dev/log', '--volume=/etc/ssh/ssh_known_hosts:/etc/ssh/ssh_known_hosts:ro', '--volume=/etc/puppet:/etc/puppet:ro', '--volume=/var/log/containers/barbican:/var/log/barbican:z', '--volume=/var/log/containers/httpd/barbican-api:/var/log/httpd:z', '--volume=/var/lib/config-data/barbican/etc/barbican/:/etc/barbican/:ro', '--volume=/var/lib/config-data/barbican/etc/my.cnf.d/:/etc/my.cnf.d/:ro', '--volume=/opt/nfast:/opt/nfast', '192.168.24.1:8787/rhosp15/openstack-barbican-api:20190715.1', '/usr/bin/bootstrap_host_exec', 'barbican_api', 'su', 'barbican', '-s', '/bin/bash', '-c', \"'/usr/bin/barbican-manage\", 'hsm', 'check_hmac', '--library-path', '/opt/nfast/toolkits/pkcs11/libcknfast.so', '--slot-id', '492971158', '--passphrase', 'pew2noises', '--label', 'titan94_hmac_10', '--key-type', 'CKK_SHA256_HMAC', '||', '/usr/bin/barbican-manage', 'hsm', 'gen_hmac', '--library-path', '/opt/nfast/toolkits/pkcs11/libcknfast.so', '--slot-id', '492971158', '--passphrase', 'pew2noises', '--label', 'titan94_hmac_10', '--key-type', 'CKK_SHA256_HMAC', '--mechanism', 'CKM_NC_SHA256_HMAC_KEY_GEN', \"'\"]. [1]",
        "stderr: ERROR: cannot load library '/opt/nfast/toolkits/pkcs11/libcknfast.so': /opt/nfast/toolkits/pkcs11/libcknfast.so: cannot open shared object file: Permission denied. Additionally, ctypes.util.find_library() did not manage to locate a library called '/opt/nfast/toolkits/pkcs11/libcknfast.so'",
        "ERROR: cannot load library '/opt/nfast/toolkits/pkcs11/libcknfast.so': /opt/nfast/toolkits/pkcs11/libcknfast.so: cannot open shared object file: Permission denied. Additionally, ctypes.util.find_library() did not manage to locate a library called '/opt/nfast/toolkits/pkcs11/libcknfast.so'"

Expected results:
Barbican containers are able to access the HSM software directory on the controller.

Additional info:

1) I tried to manually execute the command when 'selinux=enforcing'

[root@controller-0 audit]# getenforce
Enforcing
[root@controller-0 audit]# podman run --rm --net host --user root --volume=/opt/nfast:/opt/nfast 1d6b1ad73a9b ls -alFZ /opt/nfast
ls: cannot open directory '/opt/nfast': Permission denied

2) when 'selinux=permissive' the command executed with success

[root@controller-0 audit]# setenforce 0
[root@controller-0 audit]# getenforce
Permissive
[root@controller-0 audit]# podman run --rm --net host --user root --volume=/opt/nfast:/opt/nfast 1d6b1ad73a9b ls -alFZ /opt/nfast
total 40
drwxrwxr-x. 24 root root system_u:object_r:pki_common_t:s0 4096 Jul 23 15:13 ./
drwxr-xr-x.  1 root root system_u:object_r:container_file_t:s0:c354,c371 19 Jul 23 19:12 ../
-rw-r--r--.  1 2061 2061 system_u:object_r:pki_common_t:s0 18 Jan 14 2019 .bash_logout
-rw-r--r--.  1 2061 2061 system_u:object_r:pki_common_t:s0 141 Jan 14 2019 .bash_profile
-rw-r--r--.  1 2061 2061 system_u:object_r:pki_common_t:s0 312 Jan 14 2019 .bashrc
drwxr-xr-x.  2 root root unconfined_u:object_r:pki_common_t:s0 4096 Nov 2 2017 bin/
drwxrwsr-x.  4 2061 2061 unconfined_u:object_r:pki_common_t:s0 27 Nov 2 2017 c/
-rw-r--r--.  1 root root system_u:object_r:pki_common_t:s0 50 Jul 23 15:13 cknfastrc
drwxrwxr-x.  3 root root unconfined_u:object_r:pki_common_t:s0 19 Nov 2 2017 document/
drwxr-xr-x.  3 root root unconfined_u:object_r:pki_common_t:s0 4096 Nov 2 2017 driver/
drwxr-xr-x.  3 root root unconfined_u:object_r:pki_common_t:s0 18 Nov 2 2017 etc/
drwxrwsr-x.  2 2061 2061 unconfined_u:object_r:pki_common_t:s0 67 Nov 2 2017 femcerts/
drwxrwxr-x.  8 root root unconfined_u:object_r:pki_common_t:s0 106 Nov 2 2017 java/
drwxrwsr-x.  9 2061 2061 unconfined_u:object_r:pki_common_t:s0 122 Jul 12 2018 kmdata/
drwxr-xr-x.  5 root root unconfined_u:object_r:pki_common_t:s0 4096 Nov 2 2017 lib/
drwxrwsr-x.  2 2061 2061 unconfined_u:object_r:pki_common_t:s0 201 Jul 23 15:14 log/
drwxrwxr-x.  4 root root unconfined_u:object_r:pki_common_t:s0 49 Nov 2 2017 nethsm-firmware/
drwxr-xr-x.  3 root root unconfined_u:object_r:pki_common_t:s0 17 Nov 2 2017 openssl/
drwxrwxr-x.  9 root root unconfined_u:object_r:pki_common_t:s0 113 Nov 2 2017 python/
drwxr-xr-x.  2 root root unconfined_u:object_r:pki_common_t:s0 120 Nov 2 2017 sbin/
drwxr-xr-x. 12 root root unconfined_u:object_r:pki_common_t:s0 159 Jul 23 15:13 scripts/
drwxrwxr-x.  5 root root unconfined_u:object_r:pki_common_t:s0 51 Nov 2 2017 share/
drwxr-sr-x.  3 2061 2061 unconfined_u:object_r:pki_common_t:s0 33 Jul 23 15:14 sockets/
drwxr-xr-x.  2 root root unconfined_u:object_r:pki_common_t:s0 23 Nov 2 2017 sslclient/
drwxr-xr-x.  2 root root unconfined_u:object_r:pki_common_t:s0 98 Nov 2 2017 sslproxy/
drwxr-xr-x.  7 root root unconfined_u:object_r:pki_common_t:s0 114 Nov 2 2017 tcl/
drwxr-xr-x.  2 root root unconfined_u:object_r:pki_common_t:s0 4096 Nov 2 2017 testdata/
drwxr-xr-x.  6 root root unconfined_u:object_r:pki_common_t:s0 62 Nov 2 2017 toolkits/
[root@controller-0 audit]#

3) I have attached the audit logs when selinux was on permissive mode
audit2allow output for the first log:

#============= container_t ==============
allow container_t pki_common_t:dir read;
allow container_t pki_common_t:file { execute open read };

audit2allow for the controller log:

#============= svirt_lxc_net_t ==============
allow svirt_lxc_net_t cert_t:dir { relabelto setattr };
allow svirt_lxc_net_t cert_t:file { relabelto setattr };

#!!!! This avc is allowed in the current policy
allow svirt_lxc_net_t svirt_sandbox_file_t:dir relabelto;

#!!!! This avc is allowed in the current policy
allow svirt_lxc_net_t user_tmp_t:file open;
allow svirt_lxc_net_t user_tmp_t:file { relabelto setattr };
allow svirt_lxc_net_t var_lib_t:dir { add_name create relabelfrom setattr write };
allow svirt_lxc_net_t var_lib_t:file { create ioctl open read relabelfrom setattr write };
allow svirt_lxc_net_t var_lib_t:lnk_file { create setattr };

svirt_lxc_net_t appears to be an alias for container_t. pki_common_t and cert_t are both defined in selinux-policy-contrib.
Julie's correct on container_t being an alias for svirt_lxc_net_t.

I think this is allowable:

allow container_t pki_common_t:dir read;
allow container_t pki_common_t:file { execute open read };

I think these are also allowable:

#!!!! This avc is allowed in the current policy
# Probably later Fedora version?
allow svirt_lxc_net_t svirt_sandbox_file_t:dir relabelto;

#!!!! This avc is allowed in the current policy
# Probably later Fedora version? This is read-only access
allow svirt_lxc_net_t user_tmp_t:file open;

I don't like these at all. These give svirt_lxc_net_t domains - i.e. all containers - write access to files in /etc/pki, /var/lib, and /tmp on the host, whenever they are bind-mounted:

allow svirt_lxc_net_t cert_t:dir { relabelto setattr };
allow svirt_lxc_net_t cert_t:file { relabelto setattr };
allow svirt_lxc_net_t user_tmp_t:file { relabelto setattr };
allow svirt_lxc_net_t var_lib_t:dir { add_name create relabelfrom setattr write };
allow svirt_lxc_net_t var_lib_t:file { create ioctl open read relabelfrom setattr write };
allow svirt_lxc_net_t var_lib_t:lnk_file { create setattr };

It sounds like these plugins need some cleanup or we need to mount the files used by the Barbican container another way.
So:

a) /var/lib/docker-puppet needs a label that can be accessed from within containers
b) We can allow the first couple of things there
c) ... what to do with cert_t?
d) ... what to do with user_tmp_t?
(In reply to Lon Hohberger from comment #5)
> #!!!! This avc is allowed in the current policy
> # Probably later Fedora version?

Strangely, I see the same 2 notices on a fresh RHEL8, with the following package versions:
selinux-policy-3.14.1-61.el8.noarch
selinux-policy-targeted-3.14.1-61.el8.noarch

Not sure what versions are on the host here?
The user_tmp_t AVC denials seem related to a single file that's actually under /etc/, config.pp. Not sure what/how it gets created?

type=AVC msg=audit(1494425221.284:3946): avc: denied { open } for pid=225041 comm="puppet" path="/etc/config.pp" dev="vda2" ino=6660370 scontext=system_u:system_r:svirt_lxc_net_t:s0:c152,c463 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=AVC msg=audit(1494425234.138:4062): avc: denied { relabelto } for pid=227574 comm="cp" name="config.pp" dev="vda2" ino=113262756 scontext=system_u:system_r:svirt_lxc_net_t:s0:c199,c215 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=AVC msg=audit(1494425248.558:4230): avc: denied { setattr } for pid=229229 comm="cp" name="config.pp" dev="vda2" ino=12608319 scontext=system_u:system_r:svirt_lxc_net_t:s0:c201,c464 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file

The cert_t denials mostly seem to have something to do with a README file...?!

type=AVC msg=audit(1494425226.461:3985): avc: denied { relabelto } for pid=226767 comm="cp" name="README" dev="vda2" ino=88081659 scontext=system_u:system_r:svirt_lxc_net_t:s0:c237,c579 tcontext=unconfined_u:object_r:cert_t:s0 tclass=file
type=AVC msg=audit(1494425246.443:4214): avc: denied { setattr } for pid=229163 comm="cp" name="README" dev="vda2" ino=93664 scontext=system_u:system_r:svirt_lxc_net_t:s0:c160,c538 tcontext=unconfined_u:object_r:cert_t:s0 tclass=file

Perhaps that can safely be ignored...? (The plugin cleanup you mentioned?)

The others have something to do with Java:

type=AVC msg=audit(1494425246.443:4216): avc: denied { setattr } for pid=229163 comm="cp" name="java" dev="vda2" ino=101215 scontext=system_u:system_r:svirt_lxc_net_t:s0:c160,c538 tcontext=unconfined_u:object_r:cert_t:s0 tclass=dir
type=AVC msg=audit(1494425248.588:4233): avc: denied { relabelto } for pid=229229 comm="cp" name="java" dev="vda2" ino=6663604 scontext=system_u:system_r:svirt_lxc_net_t:s0:c201,c464 tcontext=unconfined_u:object_r:cert_t:s0 tclass=dir

Many of the var_lib_t denials appear related to many other services:

type=AVC msg=audit(1494425236.873:4136): avc: denied { create } for pid=228172 comm="mkdir" name="nova_placement" scontext=system_u:system_r:svirt_lxc_net_t:s0:c283,c857 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=AVC msg=audit(1494425234.822:4099): avc: denied { write open } for pid=227724 comm="cp" path="/var/lib/config-data/heat/etc/DIR_COLORS" dev="vda2" ino=25167830 scontext=system_u:system_r:svirt_lxc_net_t:s0:c289,c681 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1494425227.577:3995): avc: denied { write open } for pid=226869 comm="cp" path="/var/lib/config-data/glance_api/etc/DIR_COLORS" dev="vda2" ino=41943518 scontext=system_u:system_r:svirt_lxc_net_t:s0:c369,c443 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1494425211.894:3920): avc: denied { read } for pid=224733 comm="docker-puppet-m" name="docker-puppet-mongodb.sh" dev="vda2" ino=54526155 scontext=system_u:system_r:svirt_lxc_net_t:s0:c783,c1002 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1494425246.388:4202): avc: denied { create } for pid=229162 comm="mkdir" name="gnocchi" scontext=system_u:system_r:svirt_lxc_net_t:s0:c160,c538 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir

And also some var_lib_t ld/symlink failures:

type=AVC msg=audit(1494425251.457:4261): avc: denied { create } for pid=229342 comm="cp" name="ld" scontext=system_u:system_r:svirt_lxc_net_t:s0:c859,c898 tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file
type=AVC msg=audit(1494425251.457:4262): avc: denied { setattr } for pid=229342 comm="cp" name="ld" dev="vda2" ino=62947241 scontext=system_u:system_r:svirt_lxc_net_t:s0:c859,c898 tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file

There's also a bunch of dispatcher.d errors which seem related to NetworkManager but probably should already be covered by the rules under "This avc is allowed in the current policy" mentioned above, e.g.

type=AVC msg=audit(1494425251.130:4243): avc: denied { relabelto } for pid=229305 comm="cp" name="dispatcher.d" dev="vda2" ino=20974255 scontext=system_u:system_r:svirt_lxc_net_t:s0:c410,c840 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c410,c840 tclass=dir

(In reply to Lon Hohberger from comment #6)
> So:
>
> a) /var/lib/docker-puppet needs a label that can be accessed from within
> containers
>
> b) We can allow the first couple of things there
>
> c) ... what to do with cert_t?
>
> d) ... what to do with user_tmp_t?

I am not sure about a) and what creates it, but I wonder if doing b) would be sufficient at this point to resolve the issue with the command that's explicitly mentioned in the description, at least?
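The review split Lon applies in comment #5 (read-only rules are fine, relabel/setattr/write rules on bind-mounted host types are not), run mechanically over the AVC records Julie quotes above. This is an added example, not code from this bug, from audit2allow or from openstack-selinux: it parses the records, merges them per source domain, target type and object class the way audit2allow does, and then emits the read-only and the write/relabel permissions as separate allow rules so each group can be judged on its own. WRITE_PERMS is my own classification of which permissions mutate the object, not a set defined by SELinux.

```python
import re
from collections import defaultdict

# Constructed sample: four of the AVC records quoted in this bug, one per line.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1494425221.284:3946): avc: denied { open } for pid=225041 comm="puppet" path="/etc/config.pp" dev="vda2" ino=6660370 scontext=system_u:system_r:svirt_lxc_net_t:s0:c152,c463 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=AVC msg=audit(1494425234.138:4062): avc: denied { relabelto } for pid=227574 comm="cp" name="config.pp" dev="vda2" ino=113262756 scontext=system_u:system_r:svirt_lxc_net_t:s0:c199,c215 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=AVC msg=audit(1494425234.822:4099): avc: denied { write open } for pid=227724 comm="cp" path="/var/lib/config-data/heat/etc/DIR_COLORS" dev="vda2" ino=25167830 scontext=system_u:system_r:svirt_lxc_net_t:s0:c289,c681 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1494425236.873:4136): avc: denied { create } for pid=228172 comm="mkdir" name="nova_placement" scontext=system_u:system_r:svirt_lxc_net_t:s0:c283,c857 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
"""

# Permissions that modify the object or its label (relabelto/relabelfrom/setattr
# let a container rewrite host labels). Everything else is treated as read-only.
# This is the example's own classification, not an SELinux-defined set.
WRITE_PERMS = frozenset({
    "write", "append", "create", "unlink", "rename", "setattr", "relabelto",
    "relabelfrom", "add_name", "remove_name", "rmdir", "link",
})

# The third field of an SELinux context (user:role:type:...) is its type.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=\w+:\w+:(?P<sdom>\w+):.*?"
    r"tcontext=\w+:\w+:(?P<ttype>\w+):.*?"
    r"tclass=(?P<tclass>\w+)"
)

def parse_avc(line):
    """Return (source domain, target type, class, perms) for one record, else None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return m["sdom"], m["ttype"], m["tclass"], frozenset(m["perms"].split())

def aggregate(audit_text):
    """Merge denials into {(sdom, ttype, tclass): set(perms)}, as audit2allow does."""
    merged = defaultdict(set)
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            sdom, ttype, tclass, perms = rec
            merged[(sdom, ttype, tclass)] |= perms
    return dict(merged)

def fmt_rule(sdom, ttype, tclass, perms):
    """Render one allow rule in audit2allow's style (braces only for several perms)."""
    body = " ".join(sorted(perms))
    if len(perms) > 1:
        body = "{ " + body + " }"
    return f"allow {sdom} {ttype}:{tclass} {body};"

def split_rules(merged):
    """Return (read_only_rules, write_rules) so each group can be reviewed on its own."""
    readonly, writes = [], []
    for (sdom, ttype, tclass), perms in sorted(merged.items()):
        if perms - WRITE_PERMS:
            readonly.append(fmt_rule(sdom, ttype, tclass, perms - WRITE_PERMS))
        if perms & WRITE_PERMS:
            writes.append(fmt_rule(sdom, ttype, tclass, perms & WRITE_PERMS))
    return readonly, writes

if __name__ == "__main__":
    ro, wr = split_rules(aggregate(SAMPLE_AUDIT))
    print("# read-only, usually safe to allow:\n" + "\n".join(ro))
    print("# write/relabel, review or gate behind a boolean:\n" + "\n".join(wr))
```

Run against a real audit.log the write list is the one to take to a policy review; a plain audit2allow run folds both groups into one rule per target and hides the distinction.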
Yeah, that sounds like a good, simple plan to start with.
https://github.com/redhat-openstack/openstack-selinux/pull/34
Merged upstream; awaiting build
Created attachment 1609683 [details]
audit log for setup process

This includes setup + restart of container + storing secrets
Created attachment 1609684 [details]
audit log for restarting barbican containers

Just for restarting the barbican_api, barbican_worker, barbican_keystone_listener with podman restart ...
Created attachment 1609685 [details]
audit log for using barbican to store secrets

Container is already running here.
Thank you for the logs. It looks like the cert_t denials that were there before (comment 4 / comment 2) no longer show up?

All the rules from the denials in those last 3 logs look like this:

#============= chronyd_t ==============
allow chronyd_t cloud_init_t:unix_dgram_socket sendto;

#============= container_t ==============
allow container_t init_t:dbus send_msg;
allow container_t initrc_t:unix_stream_socket connectto;
allow container_t pki_common_t:dir { add_name remove_name write };
allow container_t pki_common_t:file { append create lock rename write };
allow container_t pki_common_t:sock_file write;
allow container_t system_dbusd_t:dbus send_msg;

#============= init_t ==============
allow init_t container_t:dbus send_msg;

I suspect chronyd_t is unrelated and can be safely ignored at this point. The pki_common_t ones are obviously necessary and directly reference /opt/nfast. "allow container_t initrc_t:unix_stream_socket connectto;" seems related to barbican-manage as well. The 3 dbus / systemd are USER_AVCs that seem unrelated to barbican commands.
PR is up to add a boolean that is off-by-default and adds the permissions above: https://github.com/redhat-openstack/openstack-selinux/pull/39

As discussed on IRC on Friday, the boolean will need to be enabled during the installation process for that plug-in. If in THT, there are some examples on how to do that (e.g. https://opendev.org/openstack/tripleo-heat-templates/src/branch/master/deployment/logrotate/logrotate-crond-container-puppet.yaml#L75)
Requires: https://review.opendev.org/#/c/680419/
This has a correlative fix in ansible-role-thales-hsm --- moving to POST.
The build is now available: ansible-role-thales-hsm-0.2.1-0.20190905145234.1b2df10.el8ost
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2019:2811