Always cache apt metadata and downloads outside the image

[DavidS-ovm]

This change uses cache mounts in the generated Dockerfiles for features to ensure that apt metadata and downloaded packages remain available throughout the build process without ever getting baked into layers. To make life easier for feature implementations, this also runs apt update once before the feature build, so that the metadata cache is up-to-date.

This has the following benefits:

• reduced build-time costs: apt metadata is only downloaded once
• smaller layer size: features cannot accidentally include downloaded packages in their layer (see https://github.com/devcontainers/features/pull/1298)
• reduced complexity: features do not have to worry about apt caching and cache cleaning
• optionally, if building on a caching buildkit service like depot.dev, the cache is re-used across builds, further reducing build-time