zombies inside of docker


larsks pretty much nails the reason: init (or systemd) on Linux systems reaps zombie processes when their parent dies. The parent should clean up its own zombie processes with the wait syscall. However, that automatic cleanup does not pass the namespace boundary of a container. So whatever process you run as your entrypoint, and that becomes pid 1, needs to handle these zombies for you.

With recent versions of Docker, you can include an init process just by passing --init to your docker run command. If you are using a version 2.2 compose file, there's an option init: true you can define on your service for the same result.

In addition to dumb-init, there is also tini, which is what Docker uses under the covers as their own docker-init.


You need a process that will call wait() in order to reap any zombie processes. On a regular system this is handled by /sbin/init, but inside a container you will need to provide your own tooling. If you're developing your own application, consider just calling wait() in a loop periodically.

Alternatively, you can consider a container-specific init such as dumb-init and see if that resolves the problem.
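
A sketch of the two approaches the answers above describe, added here as an illustration (it is not code from either answer, nor the source of tini or dumb-init): a non-blocking reaper an application can call periodically when it runs as pid 1, and a tiny wrapper init that runs one command and reaps everything re-parented to it. The function names are hypothetical.

```c
/* Added illustration; reap_zombies, run_as_init, forward_signal are hypothetical names. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

static volatile sig_atomic_t child_pid = -1;

/* Relay SIGTERM/SIGINT to the main child so `docker stop` still reaches it. */
static void forward_signal(int sig) {
    if (child_pid > 0) kill(child_pid, sig);
}

/* For an application that is its own pid 1: call this periodically.
 * Collects every child that has already exited without blocking and returns
 * the count; if `watch` was among them, its wait status goes to *watch_status. */
int reap_zombies(pid_t watch, int *watch_status) {
    int reaped = 0, status;
    pid_t pid;
    while ((pid = waitpid(-1, &status, WNOHANG)) > 0) {
        reaped++;
        if (pid == watch && watch_status) *watch_status = status;
    }
    return reaped;
}

/* For a wrapper init: run argv as the main child and block in waitpid(-1),
 * which also reaps orphans re-parented to pid 1; returns the child's exit code. */
int run_as_init(char *const argv[]) {
    int status;
    pid_t done, pid = fork();
    if (pid < 0) return 127;
    if (pid == 0) { execvp(argv[0], argv); _exit(127); }
    child_pid = pid;
    signal(SIGTERM, forward_signal);
    signal(SIGINT, forward_signal);
    do {
        done = waitpid(-1, &status, 0);
        if (done < 0 && errno != EINTR) return 127;  /* ECHILD: no children left */
    } while (done != pid);
    child_pid = -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : 128 + WTERMSIG(status);
}

int main(int argc, char **argv) {
    if (argc < 2) { fprintf(stderr, "usage: %s cmd [args...]\n", argv[0]); return 2; }
    return run_as_init(argv + 1);
}
```

Built as a static binary and used as the image's entrypoint in front of the real command, the wrapper plays the same role that --init delegates to docker-init.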