Improve quality of helix Dockerfiles

[richlander]

There are opportunities to improve the helix Dockerfiles.

• Make the Dockerfiles non-root: The Dockerfiles define a non-root user, but install sudo and give that user sudoer permissions. That means that the resultant container images are effectively root images. That's not great.
• Base on runtime-deps: We already have official images for running .NET code in containers w/baseline dependencies. We should use them and not guess. Where we don't have the correct runtime-deps image, we should ask for one.
• Limit dependencies: This Alma Dockerfile works so why does this Debian Dockerfile install so many packages? We should define the min set and stick to that.
• Use Python idiomatically: There are multiple opportunities to improve how we use Python. Those are listed later.

Opportunities to improve Python use:

• Install pip one way: First, we install pip via apt, then install pip via curl, and then upgrade pip via pip.
• Adopt venv: venv seems to have replaced virtualenv for most use cases. venv comes with Python. In the case of Debian, we can install it via python3-venv in recent Debian versions. Also, if you use venv, you don't need to separately install pip.
• Use the standard directory for venv: The venv docs suggest that env is the default name. We are using .vsts-env. Is that to align with scripts that are run in multiple environments?
• Install packages via venv: This approach will enable us to stop using --break-system-package

Related issues:

• Remove sudo requirement for helix container images dnceng#1312
• Use versioned python3 command in scripts aspnetcore#48221
• Make packages available for latest RHEL-based distributions microsoft/msquic#3625

[mthalman]

[Triage]
To begin, we'll update the existing distros for which we have official runtime-deps images and change the relevant Dockerfiles in this repo to be based on those tags. At that point, we'll evaluate to see how that it's working and assess next steps.