fix: busybox crond statt dcron, pg17-Tokens aus Checksum filtern (#87)

- Dockerfile: dcron -> busybox crond (kein setpgid-Fehler im Container)
  Crontab in /var/spool/cron/crontabs/root
- backup.sh: grep-Filter fuer PostgreSQL 17 Security-Tokens
  (\restrict / \unrestrict) die sich bei jedem Dump aendern

backup/Dockerfile

@@ -1,14 +1,17 @@
 FROM alpine:3.21
 
-# Install PostgreSQL client and dcron (lightweight cron daemon)
-RUN apk add --no-cache postgresql-client dcron
+# Install PostgreSQL client (busybox crond is included with Alpine)
+RUN apk add --no-cache postgresql-client
 
 COPY backup.sh /usr/local/bin/backup.sh
 RUN chmod +x /usr/local/bin/backup.sh
 
 # Crontab: run backup daily at 03:00 UTC
-RUN echo "0 3 * * * /usr/local/bin/backup.sh >> /var/log/backup.log 2>&1" \
-    > /etc/crontabs/root
+# busybox crond reads from /var/spool/cron/crontabs/<user>
+RUN mkdir -p /var/spool/cron/crontabs \
+    && echo "0 3 * * * /usr/local/bin/backup.sh >> /var/log/backup.log 2>&1" \
+       > /var/spool/cron/crontabs/root \
+    && chmod 600 /var/spool/cron/crontabs/root
 
-# crond -f: run in foreground; -l 2: log level notice
-CMD ["crond", "-f", "-l", "2"]
+# busybox crond: -f = foreground, -d 8 = log level debug
+CMD ["crond", "-f", "-d", "8"]

backup/backup.sh

@@ -20,8 +20,10 @@ TEMP_DUMP=$(mktemp)
 export PGPASSWORD="${POSTGRES_PASSWORD:-}"
 pg_dump -h "$DB_HOST" -U "$DB_USER" "$DB_NAME" > "$TEMP_DUMP"
 
-# Compute MD5 of dump content to detect changes
-CURRENT_CHECKSUM=$(md5sum "$TEMP_DUMP" | cut -d' ' -f1)
+# Compute MD5 of dump content, excluding lines that change every run:
+# - pg_dump comment lines (timestamps, version info)
+# - PostgreSQL 17 security tokens (\restrict / \unrestrict with random token)
+CURRENT_CHECKSUM=$(grep -Ev '^(--|\\restrict|\\unrestrict)' "$TEMP_DUMP" | md5sum | cut -d' ' -f1)
 LAST_CHECKSUM=""
 if [ -f "$CHECKSUM_FILE" ]; then
     LAST_CHECKSUM=$(cat "$CHECKSUM_FILE")