Ship static busybox shell in nvidia-container-toolkit image

[rajathagasthya]

Part of NVIDIA/cloud-native-team#299.

NVIDIA STIG policy is dropping -dev distroless tags as approved
parent images. To move the nvidia-container-toolkit image onto a
non--dev base without changing entrypoint.sh or any Kubernetes
manifests, we ship a static busybox shell inside the image.

Approach

Add a debian:trixie-slim shell-builder stage to
deployments/container/Dockerfile that apt-installs busybox-static.
COPY /bin/busybox into the final stage(s) and run
busybox --install -s /bin to populate /bin/sh, /bin/rm,
/bin/ln, etc. Flip both the packaging and application final
stages from nvcr.io/nvidia/distroless/go:<ver>-dev to the matching
non--dev variant. Drop the existing SHELL ["/busybox/sh", "-c"]
directives and the RUN ln -s /busybox/sh /bin/sh symlinks — the
static busybox install replaces them.

FROM debian:trixie-slim AS shell-builder
RUN apt-get update \
 && apt-get install --no-install-recommends -y busybox-static \
 && rm -rf /var/lib/apt/lists/*

FROM nvcr.io/nvidia/distroless/go:<version>
COPY --from=shell-builder /bin/busybox /bin/busybox
RUN ["/bin/busybox", "--install", "-s", "/bin"]

The existing entrypoint.sh and all nvidia-ctk-installer
invocations remain untouched.

Precedent:
kubernetes-sigs/dra-driver-nvidia-gpu
uses the same pattern with bash-static.

Tracking

No PR yet — separate companion PR will be opened against this repo.

Acceptance

• Both stages no longer reference -dev distroless tags
• No /busybox/sh references remain; /bin/sh is provided by static busybox
• Image builds successfully on amd64 and arm64
• nvidia-ctk-installer and the existing entrypoint.sh
  continue to run when consumed by gpu-operator