Symptom

SUnreclaim in /proc/meminfo grows continuously while Docker containers are running, even with no user-initiated traffic. The skbuff slab caches (skbuff_head_cache, skbuff_small_head) are the primary contributors. Memory is freed immediately when containers are stopped. Left unchecked, SUnreclaim eventually exhausts available RAM and triggers the OOM killer.

Observed accumulation rates:
- Idle containers (no user traffic): ~35–137 MB/min depending on the number of active bridge networks
- Active development workload: up to ~1 GB/min

Evidence pointing to br_netfilter
- The leak occurs with no browser or user traffic; internal container activity (healthchecks, keepalives, internal DNS) is sufficient to trigger it
- Accumulation rate scales with the number of active Docker bridge networks
- Setting "userland-proxy": false in /etc/docker/daemon.json measurably reduces the rate (fewer socket operations feeding traffic into the bridge/netfilter path)
- Setting DOCKER_IGNORE_BR_NETFILTER_ERROR=1 in Docker's environment (preventing Docker from activating br_netfilter on bridge interfaces) stops the accumulation. The system has been stable since applying this workaround.

Kernel version range

The bug is reproducible on both kernel 7.0.0 (Ubuntu 26.04) and kernel 6.17 (Ubuntu 24.04 HWE). It was NOT present in the original Ubuntu 24.04 kernel 6.8 (which received a fix per this bug report). This suggests a regression was introduced somewhere between 6.8 and 6.17 that is still present in 7.0.

Workaround (for reference)

# Prevent Docker from activating br_netfilter on bridge interfaces
sudo mkdir -p /etc/systemd/system/docker.service.d/
cat << 'EOF' | sudo tee /etc/systemd/system/docker.service.d/no-br-netfilter.conf
[Service]
Environment="DOCKER_IGNORE_BR_NETFILTER_ERROR=1"
EOF
echo "install br_netfilter /bin/false" | sudo tee /etc/modprobe.d/docker-no-br-netfilter.conf
sudo systemctl daemon-reload && sudo systemctl restart docker

Note: "userland-proxy": false in /etc/docker/daemon.json should be set alongside this workaround. With both applied, standard DDEV/Docker development workflows function normally (containers can still communicate internally and published ports remain accessible from the host).
Related: Docker Engine 27.5 release notes explicitly mention DOCKER_IGNORE_BR_NETFILTER_ERROR in the context of moby/moby#49306, acknowledging that br_netfilter causes issues in certain configurations.

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2151248

Title:
  skbuff slab memory leak (~28GB) when Docker bridge networking (br_netfilter) is active

--
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
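The report quotes accumulation rates in MB/min and states that the workaround stops the growth. The script below is an added example, not part of the bug report and not Docker's or Ubuntu's tooling: it samples SUnreclaim from /proc/meminfo and the active bytes of the named slab caches from /proc/slabinfo twice, a fixed interval apart, and prints the growth rate of each, so the leak and the effect of the workaround can be measured rather than judged by eye. It also reports whether br_netfilter is currently loaded, which is the state the modprobe blacklist in the workaround is meant to produce. The only assumptions are the standard /proc/meminfo and /proc/slabinfo layouts; the two sample texts embedded at the bottom are constructed test data, not output from the reporter's machine.

```shell
#!/bin/sh
# Measure skbuff/SUnreclaim growth and check br_netfilter state.
# Added example; assumes standard /proc/meminfo and /proc/slabinfo layouts.
# /proc/slabinfo is root-only on most distributions, so run the monitor with sudo.
set -eu

# sunreclaim_kb MEMINFO_TEXT -> SUnreclaim value in kB
sunreclaim_kb() {
  printf '%s\n' "$1" | awk '/^SUnreclaim:/ { print $2; exit }'
}

# slab_active_kb SLABINFO_TEXT CACHE_NAME -> active_objs * objsize, in kB
# slabinfo columns: name active_objs num_objs objsize objperslab pagesperslab ...
# Prints nothing if the cache is not listed (e.g. merged into a kmalloc-* cache
# by slab merging; boot with slab_nomerge to see skbuff_head_cache separately).
slab_active_kb() {
  printf '%s\n' "$1" | awk -v c="$2" '$1 == c { printf "%d\n", ($2 * $4) / 1024; exit }'
}

# rate_mb_per_min KB_BEFORE KB_AFTER SECONDS -> growth rate in MB/min, one decimal
rate_mb_per_min() {
  awk -v a="$1" -v b="$2" -v s="$3" 'BEGIN { printf "%.1f\n", (b - a) / 1024 * 60 / s }'
}

# br_netfilter_state -> "loaded" or "absent" (the workaround should give "absent")
br_netfilter_state() {
  if [ -d /sys/module/br_netfilter ]; then echo loaded; else echo absent; fi
}

# monitor SECONDS CACHE... : two samples SECONDS apart, then per-counter rates
monitor() {
  secs="$1"; shift
  m0=$(cat /proc/meminfo); s0=$(cat /proc/slabinfo)
  sleep "$secs"
  m1=$(cat /proc/meminfo); s1=$(cat /proc/slabinfo)
  echo "br_netfilter: $(br_netfilter_state)"
  u0=$(sunreclaim_kb "$m0"); u1=$(sunreclaim_kb "$m1")
  echo "SUnreclaim: $u0 -> $u1 kB, $(rate_mb_per_min "$u0" "$u1" "$secs") MB/min"
  for c in "$@"; do
    a=$(slab_active_kb "$s0" "$c"); b=$(slab_active_kb "$s1" "$c")
    if [ -z "$a" ] || [ -z "$b" ]; then
      echo "$c: not listed in /proc/slabinfo (slab merging?)"
      continue
    fi
    echo "$c: $a -> $b kB, $(rate_mb_per_min "$a" "$b" "$secs") MB/min"
  done
}

# Constructed sample data (not real output) for an offline demonstration:
# SUnreclaim grows by 100 MiB over one minute and the skbuff cache holds 12800 kB.
SAMPLE_MEMINFO_T0='MemTotal:       32768000 kB
SUnreclaim:       204800 kB'
SAMPLE_MEMINFO_T1='MemTotal:       32768000 kB
SUnreclaim:       307200 kB'
SAMPLE_SLABINFO='slabinfo - version: 2.1
# name            <active_objs> <num_objs> <objsize> <objperslab> <pagesperslab> : tunables ...
skbuff_head_cache  51200  51200    256   32    2 : tunables    0    0    0 : slabdata  1600  1600      0'

# demo_rate -> rate computed from the constructed samples over a 60 s interval
demo_rate() {
  rate_mb_per_min "$(sunreclaim_kb "$SAMPLE_MEMINFO_T0")" "$(sunreclaim_kb "$SAMPLE_MEMINFO_T1")" 60
}

# Usage: sudo sh leakrate.sh monitor 60   (interval in seconds; defaults to 60)
if [ "${1:-}" = "monitor" ]; then
  monitor "${2:-60}" skbuff_head_cache skbuff_small_head
fi
```

Run it once with br_netfilter active and once after applying the workaround and restarting Docker; a rate near 0.0 MB/min for SUnreclaim in the second run, together with "br_netfilter: absent", confirms the blacklist took effect. Because `install br_netfilter /bin/false` only affects future module loads, the module can still show as "loaded" until it is removed with rmmod or the host is rebooted.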
