bwrap: Bind-mount host /dev instead of creating fresh devtmpfs

Replace `--dev /dev` with `--dev-bind /dev /dev` in the bwrap
container setup so that lsblk inside the sandbox can properly
enumerate partition children of block devices (e.g. loop devices).

The previous approach created a minimal devtmpfs that lacked complete
device information, causing ESP partition discovery to fail inside
the bwrap sandbox. With a full bind-mount of host /dev, the
per-device bind_device() mechanism is no longer needed and is removed.

Additionally, bind-mount /run/udev into the sandbox when it exists
so that lsblk and libblkid can read the udev database for partition
type GUIDs and other device properties. Without this, tools that
query device metadata (e.g. PARTTYPE) would get incomplete results
even with /dev properly mounted.

Assisted-by: Claude Code (Opus 4)
Signed-off-by: ckyrouac <ckyrouac@redhat.com>

Author: ckyrouac

crates/lib/src/bootloader.rs

@@ -122,21 +122,10 @@ pub(crate) fn install_via_bootupd(
         let mut bwrap_args = vec!["bootupctl"];
         bwrap_args.extend(bootupd_args);
 
-        // Collect partition paths first so they live long enough
-        let partition_paths: Vec<String> =
-            device.children.iter().flatten().map(|p| p.path()).collect();
-
-        let mut cmd = BwrapCmd::new(&target_root)
+        let cmd = BwrapCmd::new(&target_root)
             // Bind mount /boot from the physical target root so bootupctl can find
             // the boot partition and install the bootloader there
-            .bind(&boot_path, &"/boot")
-            // Bind the target block device inside the bwrap container so bootupctl can access it
-            .bind_device(&device_path);
-
-        // Also bind all partitions of the target block device
-        for part_path in &partition_paths {
-            cmd = cmd.bind_device(part_path);
-        }
+            .bind(&boot_path, &"/boot");
 
         // The $PATH in the bwrap env is not complete enough for some images
         // so we inject a reasonnable default.

crates/utils/src/bwrap.rs

@@ -17,8 +17,6 @@ pub struct BwrapCmd<'a> {
     chroot_path: Cow<'a, Utf8Path>,
     /// Bind mounts in format (source, target)
     bind_mounts: Vec<(&'a str, &'a str)>,
-    /// Device nodes to bind into the container
-    devices: Vec<&'a str>,
     /// Environment variables to set
     env_vars: Vec<(&'a str, &'a str)>,
 }
@@ -31,7 +29,6 @@ impl<'a> BwrapCmd<'a> {
         Self {
             chroot_path: Cow::Owned(Utf8PathBuf::from(&fd_path)),
             bind_mounts: Vec::new(),
-            devices: Vec::new(),
             env_vars: Vec::new(),
         }
     }
@@ -41,7 +38,6 @@ impl<'a> BwrapCmd<'a> {
         Self {
             chroot_path: Cow::Borrowed(path),
             bind_mounts: Vec::new(),
-            devices: Vec::new(),
             env_vars: Vec::new(),
         }
     }
@@ -57,12 +53,6 @@ impl<'a> BwrapCmd<'a> {
         self
     }
 
-    /// Bind a device node into the container.
-    pub fn bind_device(mut self, device: &'a str) -> Self {
-        self.devices.push(device);
-        self
-    }
-
     /// Set an environment variable for the command.
     pub fn setenv(mut self, key: &'a str, value: &'a str) -> Self {
         self.env_vars.push((key, value));
@@ -79,19 +69,20 @@ impl<'a> BwrapCmd<'a> {
         // Setup API filesystems
         // See https://systemd.io/API_FILE_SYSTEMS/
         cmd.args(["--proc", "/proc"]);
-        cmd.args(["--dev", "/dev"]);
+        cmd.args(["--dev-bind", "/dev", "/dev"]);
         cmd.args(["--bind", "/sys", "/sys"]);
 
+        // Bind /run primarily for the udev database so that
+        // lsblk/libblkid inside the sandbox can read
+        // partition type GUIDs and other device properties.
+        cmd.args(["--tmpfs", "/run"]);
+        cmd.args(["--bind", "/run", "/run"]);
+
         // Add bind mounts
         for (source, target) in &self.bind_mounts {
             cmd.args(["--bind", source, target]);
         }
 
-        // Add device bind mounts
-        for device in self.devices {
-            cmd.args(["--dev-bind", device, device]);
-        }
-
         // Add environment variables
         for (key, value) in &self.env_vars {
             cmd.args(["--setenv", key, value]);