Dockerfile: consistently use Alpine or Debian for building the binaries #4037

Open
AkihiroSuda opened this issue Mar 26, 2025 · 3 comments

@AkihiroSuda
Member

IIRC static linking didn't work well with glibc, at least in the past.
Basically we should rather try to use Alpine (musl) for building the binaries.

Originally posted by @AkihiroSuda in #4012 (comment)

@apostasie
Contributor

Breakout of #4021

A few data points:

  • my fork builds everything on Debian - there is no particular difficulty with static - https://github.com/farcloser/lepton/blob/main/Dockerfile
  • the projects concerned by this change would be the ones which need CGO - that is:
    • containerd (not ctr nor containerd-shim)
    • bypass4netns (but not bypass4netnsd)
    • runc
    • soci
    • of course tini, libslirp, and slirp4netns

I do not believe you can build containerd against musl (e.g. because of pkcs11).
Also, compiling containerd statically as we do right now very likely breaks pkcs11 on any system where the glibc version is not exactly the same as the glibc used to compile (the irony of dlopen).
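
Added example, not part of the original thread or the project's own code: a Python check that a build pipeline could run over the produced binaries to tell whether each one is static, static-PIE or dynamically linked, and for dynamic ones whether the requested loader is glibc's or musl's. It handles only ELF64 little-endian files; `classify_elf` and `build_sample_elf` are names made up for this example, and the sample image is constructed.

```python
import struct
import sys

PT_DYNAMIC, PT_INTERP = 2, 3
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # ELF64 file header, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")          # ELF64 program header, 56 bytes

def classify_elf(data):
    """Report how an ELF64 little-endian binary is linked, from its program headers."""
    if len(data) < EHDR.size or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian is handled here")
    hdr = EHDR.unpack_from(data)
    phoff, phentsize, phnum = hdr[5], hdr[9], hdr[10]
    interp, has_dynamic = None, False
    for i in range(phnum):
        p_type, _, p_offset, _, _, p_filesz, _, _ = PHDR.unpack_from(data, phoff + i * phentsize)
        if p_type == PT_INTERP:    # path of the runtime loader the kernel will start
            interp = data[p_offset:p_offset + p_filesz].rstrip(b"\0").decode()
        elif p_type == PT_DYNAMIC:
            has_dynamic = True
    if interp is None:
        # No loader requested: fully static, or static-PIE if it still self-relocates.
        # Which libc was linked in cannot be read from the program headers.
        return {"linkage": "static-pie" if has_dynamic else "static", "interp": None, "libc": None}
    # Heuristic on the usual loader names: ld-musl-<arch>.so.1 vs ld-linux-<arch>.so.N
    libc = "musl" if "ld-musl" in interp else "glibc" if "ld-linux" in interp else "unknown"
    return {"linkage": "dynamic", "interp": interp, "libc": libc}

def build_sample_elf(interp=None, dynamic=False):
    """Constructed input: a header-only ELF64 image for exercising classify_elf."""
    segs = ([(PT_INTERP, interp + b"\0")] if interp else []) + ([(PT_DYNAMIC, b"")] if dynamic else [])
    off = EHDR.size + PHDR.size * len(segs)
    phdrs = payload = b""
    for p_type, body in segs:
        phdrs += PHDR.pack(p_type, 4, off + len(payload), 0, 0, len(body), len(body), 1)
        payload += body
    ident = b"\x7fELF\x02\x01\x01" + b"\0" * 9
    ehdr = EHDR.pack(ident, 2, 62, 1, 0, EHDR.size, 0, 0, EHDR.size, PHDR.size, len(segs), 0, 0, 0)
    return ehdr + phdrs + payload

if __name__ == "__main__":
    for path in sys.argv[1:]:   # e.g. the binaries copied out of the build stage
        with open(path, "rb") as f:
            print(path, classify_elf(f.read()))
```

A result of `static` only shows that no loader is requested at startup; it says nothing about libraries the program opens later with dlopen.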

@AkihiroSuda
Member Author

> pkcs11

Probably we can just ignore it, as it seems only used for rarely-used imgcrypt.
Anybody who wants to use pkcs11 will have to rebuild the binary.

Anyway, if Debian builds work well, we can just depend on it, although Alpine might be able to save the binary footprints.

@AkihiroSuda
Member Author

Alternatively we can still consider adopting Nix:

This is more ideal for repro builds, but maintaining the nix files isn’t really straightforward.
