
Revisit how the agent handles /dev

Open amshinde opened this issue 6 years ago • 1 comments

I have run into issues due to the container not being able to access all devices in the VM. E.g., when I tried to bind a device to vfio inside a Clear Container VM, the bind is successful but I am not able to see the devices under /dev/vfio/{vfio_group}. This is because /dev/vfio is not exposed to the container. One potential way to get around this would be bind mounting /dev/vfio inside the container. But this still leaves the gap open for other kinds of devices. For example, a user may pass through an audio device to a Clear Container VM with the audio driver. Although the device is bound to the audio driver in this case, we will not see the device nodes under /dev/snd/..

(The current behaviour works well for block devices passed to the VM through virtio-block, since the agent handles bind-mounting them from, say, /dev/vdc to the user-requested location, say /dev/sdx, inside the container mount namespace, hiding /dev/vdc from the container.)

Note this was not an issue with our earlier agent since after creating the mount namespace we did mount the devfs from the VM inside the container.

amshinde, Nov 16 '17 19:11
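A way to check which guest device nodes a container cannot see, as an added example that is not part of the original issue or the agent's code. It matches nodes by type and major:minor rather than by name, so a bind-mounted rename such as /dev/vdc to /dev/sdx counts as exposed; the sample inventories, the vfio group number and the dynamic major numbers are constructed, and the two root paths passed on the command line are assumptions.

```python
import os
import stat
import sys


def scan_dev(root):
    """Return {(kind, major, minor): [relative paths]} for device nodes under root."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks such as /dev/stdin
            except OSError:
                continue
            if stat.S_ISCHR(st.st_mode):
                kind = "c"
            elif stat.S_ISBLK(st.st_mode):
                kind = "b"
            else:
                continue
            key = (kind, os.major(st.st_rdev), os.minor(st.st_rdev))
            found.setdefault(key, []).append(os.path.relpath(path, root))
    return found


def missing_in_container(guest, container):
    """Guest nodes whose (kind, major, minor) has no node at all in the container."""
    return sorted(p for key, paths in guest.items()
                  if key not in container for p in paths)


# Constructed inventories mirroring the cases in the issue.
GUEST = {
    ("b", 254, 32): ["vdc"],          # virtio-block disk (constructed numbers)
    ("c", 1, 3): ["null"],
    ("c", 10, 196): ["vfio/vfio"],    # VFIO container node (misc device)
    ("c", 243, 0): ["vfio/12"],       # constructed vfio group
    ("c", 116, 0): ["snd/controlC0"], # ALSA control node
}
CONTAINER = {
    ("b", 254, 32): ["sdx"],          # same disk, bind-mounted under another name
    ("c", 1, 3): ["null"],
}

if __name__ == "__main__":
    if len(sys.argv) == 3:  # e.g. guest /dev and the container rootfs /dev (assumed paths)
        result = missing_in_container(scan_dev(sys.argv[1]), scan_dev(sys.argv[2]))
    else:
        result = missing_in_container(GUEST, CONTAINER)
    print("\n".join(result))
```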