Build containerd using runc v1.1.12

Fixes CVE-2024-21626 for the bundled containerd binaries.

K0s cannot use any containerd release past v1.7.8 due to dependency
conflicts. Hence ensure that the binary is built linking against a
non-vulnerable version of runc at least.

Signed-off-by: Tom Wieczorek <[email protected]>

embedded-bins/containerd/Dockerfile

@@ -23,14 +23,17 @@ ARG TARGET_OS \
   CONTAINERD_BINS
 
 RUN go version
-RUN make \
-	CGO_ENABLED=${BUILD_GO_CGO_ENABLED} \
-	SHIM_CGO_ENABLED=${BUILD_SHIM_GO_CGO_ENABLED} \
-	GO_TAGS="-tags=${BUILD_GO_TAGS}" \
-	COMMANDS="${CONTAINERD_BINS}" \
-	GO_BUILD_FLAGS="${BUILD_GO_FLAGS}" \
-	EXTRA_LDFLAGS="${BUILD_GO_LDFLAGS_EXTRA}" \
-	GOOS="${TARGET_OS}"
+RUN set -ex \
+  && go get github.com/opencontainers/[email protected] \
+  && make \
+    CGO_ENABLED=${BUILD_GO_CGO_ENABLED} \
+    SHIM_CGO_ENABLED=${BUILD_SHIM_GO_CGO_ENABLED} \
+    GO_TAGS="-tags=${BUILD_GO_TAGS}" \
+    COMMANDS="${CONTAINERD_BINS}" \
+    GO_BUILD_FLAGS="${BUILD_GO_FLAGS}" \
+    EXTRA_LDFLAGS="${BUILD_GO_LDFLAGS_EXTRA}" \
+    GOOS="${TARGET_OS}" \
+    vendor all
 
 FROM scratch
 COPY --from=build /go/src/github.com/containerd/containerd/bin/* /bin/