Investigate removing py-spy from notebook images due to SYS_PTRACE restriction #1593

@coderabbitai

Summary

py-spy 0.4.1 now fails when the container lacks the SYS_PTRACE capability. Our notebook images are expected to run on OpenShift under the restricted-v2 SCC, where this capability is not available to end-users.

Problem

Including py-spy in production images means:

  • Profiling fails at runtime with permission errors.
  • Users receive confusing error messages.
  • Images violate the principle of least privilege.

Proposed investigation

  1. Audit all notebook/runtime images to confirm where py-spy is required.
  2. Decide whether to:
    • Remove py-spy from production images entirely, or
    • Keep it only in dev/test builds and CI where SYS_PTRACE can be enabled.
  3. If removed:
    • Update all Pipfiles / requirements.txt accordingly and regenerate lock files.
    • Adjust documentation.
  4. If retained:
    • Document the cluster capability requirement and provide guidance.

Acceptance criteria

  • Decision documented in this issue.
  • Corresponding code changes PR opened (or noted out-of-scope).
  • CI passes for affected images.

Context: PR #1591 · Discussion

/cc @jiridanek
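
Added example, not part of the original issue or the project's code: a runtime check that decodes the `CapEff` mask from `/proc/<pid>/status` to tell whether SYS_PTRACE is in the effective capability set before a profiler is started. The status excerpts are constructed samples and the function names are hypothetical.

```python
import re

CAP_SYS_PTRACE = 19  # bit index of CAP_SYS_PTRACE in linux/capability.h

# Constructed /proc/<pid>/status excerpts (not captured from a real cluster).
SAMPLE_RESTRICTED = (
    "Name:\tpython3\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000000000000000\n"
    "CapEff:\t0000000000000000\n"
    "CapBnd:\t0000000000000000\n"
)
SAMPLE_WITH_PTRACE = (
    "Name:\tpython3\n"
    "CapPrm:\t0000000000080000\n"
    "CapEff:\t0000000000080000\n"
    "CapBnd:\t0000000000080000\n"
)

CAP_LINE = re.compile(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)$")


def parse_cap_sets(status_text):
    """Return {'CapEff': int, ...} for every capability line in a status file."""
    sets = {}
    for line in status_text.splitlines():
        match = CAP_LINE.match(line.strip())
        if match:
            sets[match.group(1)] = int(match.group(2), 16)
    return sets


def has_sys_ptrace(status_text):
    """True only if CAP_SYS_PTRACE is set in the effective capability mask."""
    sets = parse_cap_sets(status_text)
    if "CapEff" not in sets:
        raise ValueError("no CapEff line found in status text")
    return bool((sets["CapEff"] >> CAP_SYS_PTRACE) & 1)


def profiling_hint(status_text):
    """Short message a notebook could show instead of a raw permission error."""
    if has_sys_ptrace(status_text):
        return "SYS_PTRACE is in the effective capability set"
    return "SYS_PTRACE is not available in this container; profiling skipped"


if __name__ == "__main__":
    try:
        with open("/proc/self/status") as fh:  # Linux only
            print(profiling_hint(fh.read()))
    except OSError:
        print(profiling_hint(SAMPLE_RESTRICTED))
```

The check covers only the capability bit; other controls such as seccomp profiles or the kernel's ptrace scope setting can still block attaching.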

Project status: Backlog
