Comment 2 for bug 1860607

> This usually happens to /etc/pki/ca-trust/extracted where this folder is updated while a container puppet execution is being run.

I wonder if using the overlay-type mount could help to ingore any changes in the "upper" and only kepp it going on with the "lower" contents?