Find solution for "failed to get reader from content store" error when re-pulling images for Firecracker

In #27285 (closed) we were able to get Kata+Firecracker running isolated workloads, but there were some problems seemingly with containerd itself (see this issue).

Maybe it's a containerd specific problem that might go away if we were to use CRI-O as the container runtime interface instead?

• Investigate using CRI-O in GKE with nested virtualisation and see if we can run Kata+Firecracker workloads on it

Otherwise look into other possible solutions or workarounds.

• Patching containerd itself works (with this patch) but is a bit of a blunt instrument. Let's use this as a last resort.
• Have GKE not set discard_unpacked_layers by default. We should be able to achieve this via the use of a custom startup script.