CUPS Snap - Call for Testing

Hi,

I am Till Kamppeter, leader of the OpenPrinting project, home of CUPS, cups-filters and many other projects to make printing just work.

Now all needed changes on snapd got completed to get a fully working CUPS Snap into the Snap Store! See also the OpenPrinting News for the state of the art of its development.

The CUPS Snap is the complete printing stack for LInux and any other Snap-supporting operating system in a Snap. This integrates printing in operating systems which use Snaps or are even all-Snap, not using conventional (DEB, RPM, …) packages any more. It contains everything needed for printing on most modern printers in a single Snap: CUPS, cups-filters, cups-browed, Ghostscript, QPDF

The printing environment is protected by the security of Snaps, especially any inquiries from other confined Snaps go through a “cups” interface for standard user tasks like printing. listing jobs, removing one’s own jobs, … and “cups-control” for administrative tasks like creating and modifying print queues, removing anyone’s jobs, … With only “cups” being auto-connected without explicit permission when applications are put into the Snap Store one gets an additional level for getting applications which print from the Snap Store.

Classic CUPS printer drivers cannot be used any more as their components cannot be installed into the sandboxed CUPS system of the Snap. The CUPS Snap only accepts IPP printers, either driverless IPP printers, modern printers which do at least one of AirPrint, IPP Everywhere, Mopria, or Wi-Fi Direct Print (the printers on which you can print from a phone without needing a dedicated app), remote CUPS printers, or software emulations of IPP printers, the so-called Printer Applications, which are replacing the CUPS drivers (they send the jobs they receive off to a physical printer, converting the data to what the printer needs).

So in an all-Snap world a user application Snap (for example LibreOffice) sends print jobs to the CUPS Snap, CUPS spools and converts them to the needed format and then sends them off to the printers, or to the Printer Application Snap which serves as the driver for the printer.

In this post I want to ask you to test the new CUPS Snap

Before you install it, stop and disable the already installed CUPS, on modern Debian or Ubuntu distributions via the following commands:

sudo systemctl stop cups-browsed
sudo systemctl disable cups-browsed
sudo systemctl stop cups
sudo systemctl disable cups

The “stop” commands stop the daemon immediately, the “disable” commands exclude it from being started during boot. Any configuration of them stays conserved and you can “enable” and “start” them again later (when you are done with testing the CUPS Snap).

Now install the Snap, either search for “CUPS” in the Snap Store/the Software application and then install the CUPS Snap, or enter the following in a terminal window:

sudo snap install --edge cups

The CUPS Snap (at least when their was no classic CUPS running when it was installed/started) uses the same socket and the same port as the standard (upstream or distro package) CUPS, so any locally running application and also the command line tools of your distro’s CUPS package use the snapped CUPS daemon now.

To the CUPS Snap’s CUPS daemon there is also a cups-browsed (included in the Snap) attached, so probably some print queues get already created automatically. lpstat -t tells you which queues are available. Administrative commands. like lpadmin or changing settings with cupsctl, can be run without sudo and without getting asked for a password by users in the “lpadmin” group or, if there is no such group in the system, by users in the “adm” group. Other users must use sudo to run the command as root.

The snap’s command line utilities (cups.lp, cups.lpadmin, …) can also be used but they can only access files in the calling user’s home directory if they are not hidden (name begins with a dot ‘.’). So you can usually print with a command like

cups.lp -d <printer> <file>

For hidden files you have to pipe the file into the command, like with

cat <file> | cups.lp -d <printer>

or copy or rename the file into a standard file.

The web interface can be accessed under

http://localhost:631/

To make administrative tasks working, you have to enter user name and password of a user in the “lpadmin” or “adm” group, or “root” and the root password if your system is configured appropriately.

Driverless IPP printers and remote CUPS printers should get available automatically, other printers will need a driver, which for the CUPS Snap must be a Printer Application. The first fully working Printer Application for common printers is the PostScript Printer Application, also available in the Snap Store, to be installed via the Snap Store/Software application or by the following command line:

sudo snap install --edge ps-printer-app

The Printer Application will automatically be started as a server daemon and all needed interface connections are done automatically.

Enter the web interface

http://localhost:8000/

Use the web interface to add a printer. Supply a name, select the
discovered printer, then select make and model, or simply “Automatic”, as most of the ~4000 supported printer models get correctly assigned automatically. Also set the loaded
media and the option defaults. If you ar not so lucky and your printer is PostScript but not under these ~4000 models, you can take its PPD file and add it to the Printer Application using the “Add PPD files” button on the front page. This is usually the case when your PPD file is under a proprietary license and so could not be included in free software packages or distributions. Once added, your PPD is also considered by the automatic driver selection. And to see which PPD files in the long list are user-added, they are appropriately marked (and also listed when clicking “Add PPD files” again (then you also can remove the ones you do not need any more). It is also possible to update the PPD for a supported printer simply by adding your own PPD, user-added PPDs are preferred by the automatic driver selection.

Once your PostScript printer is set up in the Printer Application, the CUPS Snap will immediately get note of it and create a CUPS queue.

Now I hope that you have a CUPS queue for your printer and so you should be able to print.

Any classically installed application (distro package or from source) and also classically confined Snaps should print (and otherwise work with CUPS) normally now. This is valid both for user applications with print functionality and also for printer setup tools.

Fully confined Snaps with print functionality print out-of-the-box if they plug the “cups” interface. This is how all such Snaps should be made. Older Snaps from the times before the “cups” interface was created, plug “cups-control”, even if they only want to print. In this case the “cups-control” interface needs to get connected manually. Snaps for printer administration (printer setup tools) must plug “cups-control” and require explicit permission from the Snap Store team if the interface should connect automatically when installing the Snap.

For more advanced operation, like running the CUPS Snap in parallel with the system’s classic CUPS (2 cups daemons on one system and each has its own cups-browsed attached) or managing the PostScript Printer Application with its own command line tool, see the README.md files of the CUPS Snap and of the PostScript Printer Application.

Please tell your experience here in the thread and ask your questions. If you find bugs, report them at the respective projects (all use GitHub): CUPS Snap, CUPS itself, the PostScript Printer Application and its underlying library PAPPL.

News about all this and the state of the art of all the projects you find here.

10 Likes

Hi Till, thanks for working on this! I have a lifecycle question, will the releases of the snap (once in the stable channel) follow upstream releases? I’m wondering if this will lead to fresher drivers in the LTS over time.

The Snap will always be updated to the current upstream releases of its components. So when CUPS 2.4.0 gets released I update it to 2.4.0, when Ghostscript 9.54 gets released, I update it to Ghostscript 9.54, … Recently I updated it to QPDF 10.3.0.

The Snap is independent of Ubuntu release cycles, as most other Snaps in the Snap Store.

Printer drivers need to be Printer Applications to work with the CUPS Snap, also one cannot snap classic printer drivers, also for this one needs Printer Applications. Printer Applications will also be uploaded into the Snap Store independent of Ubuntu release cycles. Also note that Printer Applications also work with classically installed CUPS, so you can get printer drivers independent of Ubuntu releases via the Snap Store, no switch to the CUPS Snap needed.

Snaps from the Snap Store (at least the printing ones I mention here) are OS-distribution-independent. They work on any distribution on which you can install snapd (or which comes already with it). This is a basic idea of Snap. This means printer drivers can get developed and released independent of Ubuntu release cycles and you can install them also on old Ubuntu releases which came out years ago.

So printer drivers will get easy and you will always get the freshest drivers independent of the OS version you are running.

6 Likes

Is there any plans for HPLIP and other printer drivers to be shipped as Snap?
This will really ease printer and/or scanner usage on any version of Ubuntu.

1 Like

The ones which come with Ubuntu will all get retro-fitted into Printer Applications. Also there will be a retro-fit of HPLIP as preliminary solution until HP switches over to do Printer Applications. All of them will get updated on upstream releases, independent of Ubuntu release cycles.

5 Likes

And for the Snap developers reading here, here is a simple way to try out the interfaces for user application and printer setup tool Snaps.

We simply make primitive sample Snaps from the command line tools which come with the DEB package of CUPS (binary package “cups-client”). The first one mimics a user application supposed to have print functionality, but has some CUPS admin functionality slipped in (Malicious intentions? Bad communication between upstream and the snapper of the app? …). Here is the snapcraft.yaml:

name: cups-user-app-test
base: core18 # The base snap is the execution environment for this snap
version: 0.1.0
summary: CUPS command line tools out of a Snap 
description: Testing interfaces for the CUPS Snap (no cups-control plugging, so admin tasks should fail)
grade: stable
confinement: strict

apps:
  lpinfo:
    command: usr/sbin/lpinfo
    plugs: [network, cups]
  lpadmin:
    command: usr/sbin/lpadmin
    plugs: [network, avahi-observe, home, cups]
  lpstat:
    command: usr/bin/lpstat
    plugs: [network, avahi-observe, cups]
  lpoptions:
    command: usr/bin/lpoptions
    plugs: [network, home, cups]
  lp:
    command: usr/bin/lp
    plugs: [network, home, cups]
  cancel:
    command: usr/bin/cancel
    plugs: [network, cups]
  lpmove:
    command: usr/sbin/lpmove
    plugs: [network, cups]
  cupsenable:
    command: usr/sbin/cupsenable
    plugs: [network, cups]
  cupsdisable:
    command: usr/sbin/cupsdisable
    plugs: [network, cups]
  cupsaccept:
    command: usr/sbin/cupsaccept
    plugs: [network, cups]
  cupsreject:
    command: usr/sbin/cupsreject
    plugs: [network, cups]
  accept:
    command: usr/sbin/accept
    plugs: [network, cups]
  reject:
    command: usr/sbin/reject
    plugs: [network, cups]
  cupsctl:
    command: usr/sbin/cupsctl
    plugs: [network, cups]

parts:
  cups-client:
    plugin: dump
    source: .
    stage-packages:
        - cups-client
        - libcups2
    prime:
        - usr/bin/*
        - usr/sbin/*
        - usr/lib/*

The apps here are simply CUPS’ command line tools, from the “cups-client” package pulled in by the stage packages. All apps only plug “cups” and not “cups-control”. If you build this Snap putting the snapcraft.yaml into an empty directory, switch into this directory, and issue the command

snapcraft snap

and then install it via

sudo snap install --dangerous cups-user-app-test_0.1.0_amd64.snap

As this Snap does not come from the Snap Store it is possible that the “cups” interface does not connect automatically. So if the following command examples do not work, do the command

sudo snap connect cups-user-app-test:cups cups:cups

first. On applications from the Snap Store this connection should happen automatically.

Perhaps also “avahi-observe” needs manual connection:

sudo snap connect cups-user-app-test:avahi-observe

Now you can do thing like

cups-user-app-test.lpstat -t
cups-user-app-test.lp -d printer file.pdf

and the CUPS Snap does what you expect, showing available print queues and printing a job.

Now try

cups-user-app-test.lpadmin -p newprinter -E -v file:/dev/null
cups-user-app-test.lpinfo -v

These commands do administrative CUPS tasks, therefore you will simply get

Forbidden

as an answer and no queue created and no discovered printers listed.

This is how the security concept of the CUPS Snap in conjunction with the Snap Store protects against malicious applications. This Snap can print and provide the user with the information he needs for that, displaying available queues, jobs, options, … The user can even cancel his own jobs, but not the jobs of others.

Now we edit the snapcraft.yaml a little bit, switching all tools which do administrative tasks from the plug “cups” to “cups-control” and also change the name and description:

name: cups-admin-test
base: core18 # The base snap is the execution environment for this snap
version: 0.1.0
summary: CUPS command line tools out of a Snap 
description: Testing interfaces for the CUPS Snap (plugging cups-control, so admin tasks should work)
grade: stable
confinement: strict

apps:
  lpinfo:
    command: usr/sbin/lpinfo
    plugs: [network, cups-control]
  lpadmin:
    command: usr/sbin/lpadmin
    plugs: [network, avahi-observe, home, cups-control]
  lpstat:
    command: usr/bin/lpstat
    plugs: [network, avahi-observe, cups]
  lpoptions:
    command: usr/bin/lpoptions
    plugs: [network, home, cups]
  lp:
    command: usr/bin/lp
    plugs: [network, home, cups]
  cancel:
    command: usr/bin/cancel
    plugs: [network, cups-control]
  lpmove:
    command: usr/sbin/lpmove
    plugs: [network, cups-control]
  cupsenable:
    command: usr/sbin/cupsenable
    plugs: [network, cups-control]
  cupsdisable:
    command: usr/sbin/cupsdisable
    plugs: [network, cups-control]
  cupsaccept:
    command: usr/sbin/cupsaccept
    plugs: [network, cups-control]
  cupsreject:
    command: usr/sbin/cupsreject
    plugs: [network, cups-control]
  accept:
    command: usr/sbin/accept
    plugs: [network, cups-control]
  reject:
    command: usr/sbin/reject
    plugs: [network, cups-control]
  cupsctl:
    command: usr/sbin/cupsctl
    plugs: [network, cups-control]

parts:
  cups-client:
    plugin: dump
    source: .
    stage-packages:
        - cups-client
        - libcups2
    prime:
        - usr/bin/*
        - usr/sbin/*
        - usr/lib/*

This is how a printer setup tool (or some system manager which contains CUPS managing functionality) should get snapped.

Now let us build and install this one (put it also into a separate empty directory):

snapcraft snap
sudo snap install --dangerous cups-admin-test_0.1.0_amd64.snap
sudo snap connect cups-admin-test:avahi-observe
sudo snap connect cups-admin-test:cups cups:cups
sudo snap connect cups-admin-test:cups-control cups:cups-control

Note the additional command for connecting “cups-control”. Applications simply uploaded to the Snap Store will not connect this automatically without permission from the Snap Store team.

Important: If you set “cups-control” into the plugs list of only one of the apps, the whole Snap gets CUPS admin permission, also the apps which have “cups” in their plugs list.

Keep also in mind that you can print and list print queues and jobs also from a Snap which only plugs “cups-control”. “cups-control” gives access to everything, you need not to plug both “cups-control” and “cups” in the plug list of an app.

Now try

cups-admin-test.lpadmin -p newprinter -E -v file:/dev/null
cups-admin-test.lpinfo -v

and you get a CUPS queue and a list of discovered printers instead of Forbidden.

6 Likes

Note that I have renamed the slots of the CUPS Snap from printing and admin to cups and cups-control, to do it the standard way as slots have the same names as their respective plugs, as of the discussion here.

I have updated the sample command lines in my initial posting and in the posting with the sample Snaps appropriately. If you have already installed the CUPS Snap, please update your CUPS Snap via

sudo snap refresh --edge cups

The last needed interface connections are now approved for auto-connection or not needed any more, so for everyone who installs the CUPS Snap from the Snap Store now, no manual interface connections are needed any more!

I have also updated the initial posting appropriately.

1 Like

:clap: this :clap: is :clap: so :clap: cool!

:thinking:

a hint at future announcements? :slight_smile:

Yeah, as soon as lennart convinced the BSD crowd to switch to systemd by default :stuck_out_tongue:

6 Likes

The CUPS Snap has a new feature now:

If you share a print queue it is advertised as AirPrint and as Mopria printer. So you can print now from iOS (iPhone, iPad, …) devices and also from Mopria clients (Windows, or Mopria app installed on phone).

As usual, refresh the CUPS Snap via

sudo snap refresh --edge cups
1 Like

NOTE: To run the CUPS Snap’s CUPS on a system with installed but de-activated CUPS you need to enter this additional command now to make the system’s CUPS invisible for the CUPS Snap:

sudo mv /etc/cups /etc/cups.old

Otherwise the CUPS Snap will go into the new proxy mode. Alternatively, one can suppress the proxy mode altogether and make the CUPS Snap behave as before:

sudo touch /var/snap/cups/common/no-proxy

(remove the file again to return to the new behavior)

See the README.md file: