Add an option to prevent containerd from using upstream registries.
In the current registry_mirrors settings, we derive the hosts_config entries

```yaml
registry_mirrors:
  hosts_config:
    docker.io:
      - mirror_url: https://your.mirror/docker
```

into the following /etc/containerd/certs.d/docker.io/hosts.toml containerd configuration file:
```toml
server = "https://docker.io"

[host."https://your.mirror/docker"]
  capabilities = ["pull", "resolve", "push"]
  skip_verify = true
```
When this was introduced in sylva, this configuration format was not extensively documented. But @jonathang recently noticed that, on failure to reach the configured host (your.mirror/docker here), containerd falls back to the configured server. This behavior is indeed documented here:

> When host(s) are specified, the hosts will be tried first in the order listed. If all host(s) are tried then server will be used as a fallback.
This may not be the desired behavior in certain controlled environments where you want to avoid reaching the upstream registries.

In order to provide a backward-compatible way to control that, we could add an optional is_default_mirror flag to the host config entry:
```yaml
registry_mirrors:
  hosts_config:
    docker.io:
      - mirror_url: https://your.mirror/docker
        is_default_mirror: true
```
That would result in the following configuration:

```toml
server = "https://your.mirror/docker"

[host."https://your.mirror/docker"]
  capabilities = ["pull", "resolve", "push"]
  skip_verify = true
```

and prevent any attempt to reach docker.io.
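As an added illustration (not sylva's own templating), a small Python rendering of the proposed flag: a host with is_default_mirror: true is promoted to server, and a check confirms the upstream registry no longer appears anywhere in the generated hosts.toml. REGISTRY_MIRRORS is a constructed sample input; the quay.io entry is assumed, to show the unchanged default behavior beside the new one.

```python
from typing import Any

# Constructed sample input in the registry_mirrors shape used above.
REGISTRY_MIRRORS = {
    "hosts_config": {
        "docker.io": [
            {"mirror_url": "https://your.mirror/docker", "is_default_mirror": True},
        ],
        # Assumed second registry without the flag: keeps the upstream fallback.
        "quay.io": [
            {"mirror_url": "https://your.mirror/quay"},
        ],
    }
}


def render_hosts_toml(registry: str, hosts: list[dict[str, Any]]) -> str:
    """Render certs.d/<registry>/hosts.toml for one registry.

    Without the flag, `server` is the upstream registry and containerd falls
    back to it once every listed host has failed. With `is_default_mirror`,
    the mirror itself becomes `server`, so no upstream fallback remains.
    """
    defaults = [h for h in hosts if h.get("is_default_mirror")]
    if len(defaults) > 1:
        raise ValueError(f"{registry}: only one host may be the default mirror")
    server = defaults[0]["mirror_url"] if defaults else f"https://{registry}"
    lines = [f'server = "{server}"', ""]
    for host in hosts:
        lines += [f'[host."{host["mirror_url"]}"]',
                  '  capabilities = ["pull", "resolve", "push"]',
                  "  skip_verify = true", ""]
    return "\n".join(lines)


def referenced_urls(hosts_toml: str) -> list[str]:
    """Collect the `server` value and every [host."..."] URL from the file."""
    urls = []
    for raw in hosts_toml.splitlines():
        line = raw.strip()
        if line.startswith("server ="):
            urls.append(line.split("=", 1)[1].strip().strip('"'))
        elif line.startswith('[host."') and line.endswith('"]'):
            urls.append(line[len('[host."'):-len('"]')])
    return urls


def upstream_reachable(registry: str, hosts_toml: str) -> bool:
    """True if containerd could still contact the upstream registry."""
    return any(u.rstrip("/") == f"https://{registry}" for u in referenced_urls(hosts_toml))


if __name__ == "__main__":
    for reg, hosts in REGISTRY_MIRRORS["hosts_config"].items():
        text = render_hosts_toml(reg, hosts)
        print(f"# certs.d/{reg}/hosts.toml\n{text}")
        print(f"# upstream {reg} reachable as fallback: {upstream_reachable(reg, text)}\n")
```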