Skip to content

Instantly share code, notes, and snippets.

@plembo

plembo/ubuntudesktopprint.md

Last active December 11, 2023 16:14
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save plembo/df8d30922fe82b522c605248d1a8638a to your computer and use it in GitHub Desktop.
Save plembo/df8d30922fe82b522c605248d1a8638a to your computer and use it in GitHub Desktop.
Download ZIP
Printing on Ubuntu desktop
Raw
ubuntudesktopprint.md

Printing on Ubuntu Desktop

Some notes I've brought back from the gist graveyard to address the finer points of printing with Ubuntu desktop.

Zeroconf and Printing

Zeroconf, or Zero Configuration may be a dream for developers: but can be an absolute nightmare for sysadmins and users. Zeroconf aims to allow the system to configure itself automatically for all kinds of external devices, from music players to printers. For many of the latest releases of Ubuntu Desktop, the system is designed to detect any and all printers on the local subnet that are advertising using a number of Zeroconf protocols, and automatically set them up for immediate use.

This is bad for so many reasons, but I'll posit one scenario that should give anyone pause: you sit down in your local coffee shop, acquire and Internet connection and then accidentally hit "print" on an Evince (PDF reader) window open to your soon to be filed tax return, causing it to be printed on the shop's printer back with the barristas. Now you have to kill them all [this is a joke, in real life I'd make them all sign an NDA].

The problem was that the avahi daemon (designed to implement the mDNS protocol underlying Apple's Bonjour, a Zeroconf service), in concert with the CUPS service, had successfully done what the Gnome Project designed them to do: automatically set up the coffee shop printer for immediate use.

NOTE: This "helpful" behavior is also the default for MacOS and Windows, although each uses different software to achieve it.

Removing Zeroconf

Want to prevent this on Ubuntu? Then know that you'll need to give up Zeroconf. Period. Because, at least on Ubuntu Desktop, there's no "switch" to prevent the system from using the results of its constant scanning for Zeroconf devices to then install them to your system in the background. The consequences of doing this will be that it may, nay it almost certainly will, be harder to get printers to work with your system -- and the task will be even harder given the poor and outdated state of the documentation, and the fact that it almost all relies on Zeroconf being enabled.

To disable Zeroconf for printing (and everything else):

$ sudo systemctl mask cups-browsed
$ sudo systemctl mask avahi-daemon.socket
$ sudo systemctl mask avahi-daemon
$ sudo systemctl stop cups-browsed
$ sudo systemctl stop avahi-daemon.socket
$ sudo systemctl stop avahi-daemon

Note: It is not enough to simply disable or remove the CUPS browsing daemon. You must also disable or remove avahi browsing, because Gnome doesn't use CUPS to browse and install printers directly. Instead it uses avahi, which in turn uses various CUPS libraries, to get the job done.

Installing IPP printers without Zeroconf

This would be easy if Gnome's current interface for printing provided more options for manual installation of printers. But it doesn't, because "Zeroconf will take care of that".

All hope is not lost, however, because some very smart people actually created a solution some time ago.

Create a PPD file

A Postscript Printer Definition, or PPD, is designed to provide your printing system with all the information it needs to successfully send print jobs to your printer hardware. It does this by encoding printer features in Adobe's Postscript printer programming language.

Creating PPDs would be an painfully tedious exercise, if not for the driverless utility from the CUPS project. With driverless you can create a PPD file for IPP (or IPPS) printing from an existing (IPP or IPPS enabled) printer in seconds.

All you need is the IPP or IPPS URI of the target printer, which, fortunately, is something that most vendors have standardized on: following the examples given in RFC7472. As a result, the URI will probably be either "ipp://[printer FDQN or IP Address]/ipp" (where encryption is used if available) or "ipps://[printer FDQN or IP Address]/ipp" (where encryption is enforced) for the first or default queue. Note that some printers do not provide an IPPS URI, so you may have to use IPP. To those who might be disappointed in this I can only say, "It's better than LPD!".

For example:

ipp://192.168.8.23/ipp
ipps://192.168.8.23/ipp
ipp://printer1.example.com/ipp
ipps://printer1.example.com/ipp

You can create a PPD with driverless by running it with the printer's IPP URI:

$ export IPP_URI="ipp://printer1.example.com/ipp"
$ driverless $IPP_URI > ippdriverless.ppd

Setting up a printer in the CUPS GUI

The resulting PPD file can be imported through the CUPS system-config-printer GUI (found in Ubuntu under "Settings... Devices... Printers..." in the Gnome desktop system).

  • Click "Additional Printer Settings... Add".
  • Enter device URI, enter printer IPP URI (e.g. "ipp://printer1.example.com/ipp")
  • Wait for the dialog to populate and select either "Internet Printing Protocol (ipp)" or "Internet Printing Protocol (ipps)".
  • Enter the IPP URI for the printer, then click "Forward".
  • On the "Choose Driver" screen, click "Provide PPD file".
  • Browse your filesystem for the file and "Open". Then click "Forward",
  • Fill out the "Describe Printer" form and "Apply".
  • Print a test page to verify it works.

Setting up a printer using the CUPS CLI

OR...

You could just use CUPS's lpadmin in a terminal:

$ lpadmin -p printer1 -E -v ipp://printer1.example.com/ipp -P ~/tmp/ippdriverless.ppd

Where -p is the display name of the printer, -E enables it, -v is the printer URI, and -P the full path to the printer's PPD file.

Having a PPD on hand is the key to making this such an easy task.

Check out the CUPS Project doc on Command-Line Printer Administration and Command-Line Printing Options for more.

Printer Hardware Configuration

You won't have control over the configuration for some of the printers your machine encounters. But for those you do have control over, it might be time for a review of just what they're opened up to.

I especially like this support article: HP Printers - Minimum security settings for products on the open Internet.

There are more models of printers in the universe than there are earth-like planets, or so it sometimes seems. For security purposes, most modern printers ship by default with pretty much every access protocol enabled. That is A Bad Thing [TM]. In my home, at least, these are the only protocols left enabled on our printers:

  • IPP AirPrint
  • IPP Mopria
  • mDNS
  • LLMNR
  • DHCP6

What we've explicitly disabled is:

  • LPD
  • Raw Port
  • Web Services
  • Mobile printing for Windows
  • Proxy
  • SMTP
  • FTP
  • TFTP
  • NETBIOS
  • WIRELESS (optional if wired networking is available)

Many of these are there to support Zeroconf using various technologies. Some were adopted as standards at some point, others promoted as proprietary solutions by one or more vendors or industry groups. None are essential to providing print services.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment