Migrate from containerd v1 to v2 and docker/docker to moby/moby

[jeffmendoza]

Looks like repos that import docker or buildkit have a critical vuln, and can't update to the latest as the older containred/containerd does not build with the newer opencontainers/runtime-spec. Osv-scailber seems to be holding on
to the older 1.7 containerd.

Edit: Also update docker/docker to moby/moby to remove more vulns.

Edit2: Some dep updates required moving from Go 1.24 to 1.25. This introduced "sync.WaitGroup.Go()" which the linter was now recommending.

Summary

Migrates from github.com/containerd/containerd v1.7.23 to github.com/containerd/containerd/v2 v2.2.2.

Background

buildkit v0.27.0+ requires containerd/cgroups/v3 v3.1.2 which in turn requires opencontainers/runtime-spec v1.3.0. That version changed LinuxPids.Limit from int64 to *int64, making it incompatible with containerd v1.7.x:

• cgroups/v3 v3.1.2 dereferences Pids.Limit as *int64
• containerd v1.7.x/oci/spec_opts.go assigns to Pids.Limit as int64

These are mutually exclusive. This PR upgrades containerd to v2 to resolve the conflict.

Changes

• go.mod: Removed containerd/containerd v1.7.23, added containerd/containerd/v2 v2.2.2 as direct dependency; containerd/containerd/api upgraded to v1.10.0; containerd/cgroups/v3 upgraded to v3.1.2
• Import path updates in all files using containerd v1:
  • github.com/containerd/containerd → github.com/containerd/containerd/v2/client
  • github.com/containerd/containerd/metadata → github.com/containerd/containerd/v2/core/metadata
  • github.com/containerd/containerd/namespaces → github.com/containerd/containerd/v2/pkg/namespaces
  • github.com/containerd/containerd/cio → github.com/containerd/containerd/v2/pkg/cio
  • github.com/containerd/containerd/containers → github.com/containerd/containerd/v2/core/containers
  • github.com/containerd/containerd/oci → github.com/containerd/containerd/v2/pkg/oci
  • API packages (containerd/api/...) remain unchanged as they are a separate module

Testing

• All existing tests pass: go test ./extractor/standalone/containers/containerd/... ./extractor/filesystem/containers/containerd/...
• Full project build succeeds: go build ./...
• No CodeQL security alerts

[google-cla]

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

[jeffmendoza]

@spencerschrock @another-rex This is good to go. Thanks!