Particularly with FIPS mode, it's required to have /dev/random and /dev/urandom in the initramfs. Today we usually run dracut in a fully privileged environment (e.g. a host system as root, or a build system for Image Builder/rpm-ostree).

However, with https://fedoraproject.org/wiki/Changes/OstreeNativeContainer we want to enable a use case that looks like

```
$ cat Dockerfile
FROM quay.io/fedora/fedora-coreos:stable
ADD /path/to/foo /usr/lib/dracut/modules.d
RUN dracut
```

to inject a dracut module and regenerate the initramfs.

The default podman/docker policy denies creation of device nodes. However, we don't actually need to create "real" devices - we just need them to end up in the initramfs file.

https://github.com/dracutdevs/dracut/pull/2331 is an upstream PR that aims to address this. Can you take a look?

Basically we need to ensure that we always have the device nodes in the initramfs, regardless of FIPS mode or not.