Configuring a network printer

Where to configure printers and install drivers?

One would normally want to configure a printer in a template VM, rather than in particular AppVMs. This is because all the global settings made to AppVMs (those stored in its /etc, as well as binaries installed in /usr) would be discarded upon AppVM shutdown. When printer is added and configured in a template VM, then all the AppVMs based on this template should automatically be able to use it (without the need for the template VM to be running, of course).

Alternatively one can add a printer in a standalone VM, but this would limit the printer usage to this particular VM.

Security considerations for network printers and drivers

Some printers require third-party drivers, typically downloadable from the vendor’s website. Such drivers are typically distributed in a form of ready to install RPM packages. However, they are often unsigned, and additionally the downloads are available via HTTP connections only. As a result, installation of such third-party RPMs in a default template VM exposes a risk of compromise of this template VM, which, in turn, leads automatically to compromise of all the AppVMs based on the template. (Again, it’s not buggy or malicious drivers that we fear here, but rather malicious installation scripts for those drivers).

In order to mitigate this risk, one might consider creating a custom template (i.e. clone the original template) and then install the third-party, unverified drivers there. Such template might then be made a DVM template for DisposableVM creation, which should allow one to print any document by right-clicking on it, choosing “Open in DisposableVM” and print from there. This would allow to print documents from more trusted AppVMs (based on a trusted default template that is not poisoned by third-party printer drivers).

However, one should be aware that most (all?) network printing protocols are insecure, unencrypted protocols. This means, that an attacker who is able to sniff the local network, or who is controlling the (normally untrusted) Qubes NetVM, will likely to be able to see the documents being printed. This is a limitation of today’s printers and printing protocols, something that cannot be solved by Qubes or any other OS.

Additionally, the printer drivers as well as CUPS application itself, might be buggy and might get exploited when talking to a compromised printer (or by an attacker who controls the local network, or the default NetVM). Consider not using printing from your more trusted AppVMs for this reason.

Steps to configure a network printer in a template VM

  1. Start the “Printer Settings” App in a template VM (either via Qubes “Start Menu”, or by launching the system-config-printer in the template). You may need to install it first sudo dnf install system-config-printer.
  2. Add/Configure the printer in the same way as one would do on any normal Linux. You may need to allow network access from the template VM to your printer to complete configuration, as normally the template VM is not allowed any network access except to the Qubes proxy for software installation. One can use Qubes Manager to modify firewall rules for particular VMs. If service is not running, it needs to be enabled from dom0 with qvm-service VMNAME cups on .
  3. Optional: Test the printer by printing a test page. If it works, shut down the template VM.
  4. Open an AppVM (make sure it’s based on the template where you just installed the printer, normally all AppVMs are based on the default template), and test if printing works. If it doesn’t then probably the AppVM doesn’t have networking access to the printer – in that case adjust the firewall settings for that AppVM in Qubes Manager. Also, make sure that the AppVM gets restarted after the template was shutdown.
  5. Alternatively if you do not want to modify the firewall rules of the template VM (that have security scope) you can simply shut down the template VM without trying to print the test page (which will not work), start or restart an AppVM based on the template and test printing there.

This document was migrated from the qubes-community project
  • Page archive
  • First commit: 08 Dec 2020. Last commit: 20 Jan 2021.
  • Applicable Qubes OS releases based on commit dates and supported releases: 4.0
  • Original author(s) (GitHub usernames): runephilosof
  • Original author(s) (forum usernames):
  • Document license: GPLv2
4 Likes

This worked for me from Qubes-Os R3.2 to R4.1, though it fails in R4.2.

My template has the network printer running over IPP without any problems.

The VM from that template shows the printer installed, though in the VM the printjobs are stopped. Filter failed …

The app-vm has cups running, that is not the topic here.
Ping to the printer works fine.

Any hints to why template-vm and app-vm with services equally added don’t show the same results?

just curious in the template (say for fedora-39) did you do
systemctl enable cups

welcome to the Qubes forum

For sure I did that. How else would the printer be working in the template-vm?

cups.service is active in fedora-39 as well as in work based on fedora-39.

The dirty fix I’m running is a cloned template-vm in use for offline-work and printing alone. Kind of sucks.

sorry what does this mean? what results, are not the “same”?

The “same” in my first comment:

Printer is installed and PING works in fedora-39 and in work (APP-VM).
I set the firewall rules identical and the services available are identical.
I put the identical print-job to the printer queue.
fedora-39 prints. On the other hand work does not print, but shows a filter failed on the cups web-interface.

I’m lost. Before I posted this problem I did a thorough check on the internet if there was a hint about networking in qubes that handels template-VM differently to app-VM. Nothing :frowning:

I would assume there is some kind of config file that misdirects the reply of the printer. Since fedora-39 does the job, it could be something in the app-VM that causes this.

I’m by far no expert in network-layers and how they might differ between those two virtual machines. So I got myself registered and posted my observations.

sometimes to trouble shoot, some folks might try it as debian-based, not sure why you need firewall rules tbh, I don’t have any , my network printer works, good luck , did you search this forum for ideas?

Seems I’m out of luck:

I tested without any firewall rules.

I tried debian, too.

As I said in my previous post, I did search thoroughly. I don’t want to spam any thread, so this is what I always do.

If there is no .conf in dom0 or anywhere else … shit just happens.

1 Like

I had to do a qvm-service VMNAME cups on . Changed the doc accordinily

1 Like

I just got a printer working for the first time. Fedora 38 standalone VM. Brother HLL2350DW printer on another subnet.
Had to plug the printer in with USB first and install the .rpm as per Brother’s install article, then update, enable cups, and manually add the /var/run/qubes-service/cups dir (cups wouldn’t start due to that missing.)
The VM only has access to certain LAN segments so I had to add that subnet to the sys-lan firewall rules. Then I ran into a snort block on a firewall between the printer and qubes. Once that was resolved, it worked.

URI is ipp:///ipp/print/

BTW, CUPS documentation says to login to the web console admin section use the current linux user/pwd, which does not work here. lpadmin and system-config-printer seem to work fine though.

I am struggling with a brother printer on a debian qube, but I solved this

by editing the /etc/cups/cupsd.conf file in this section:

  # All administration operations require an administrator to authenticate...
  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS>
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
  </Limit>

EDIT - Also look for the almost-identical entry starting with <Location... not <Limit....

Commented it out. Then sudo systemctl restart cups and localhost:631/admin/ worked without password prompt.

Caveat - I still haven’t got the printer working…

On second thoughts, that’s probably quite bad for security in a networked qube, sorry. I plan on making a printer qube with no network access (USB printer) for my usage.

Thanks! My HP printer driver was not listed in the CUPS openprinting.org database so had to install hplip. As well is it located in another subnet without mDNS configured. Here is what I did:

  1. In debian-12-xfce run:
    - Temporary set Net qube on sys-firewall or configure FW rules
sudo systemctl start cups
sudo systemctl enable cups
sudo systemctl status cups
  1. In dom0 run:
qvm-service debian-12-xfce cups on
qvm-service personal cups on
qvm-shutdown debian-12-xfce
  1. Start debian-12-xfce again and run:
[OLD]
sudo apt install hplip hplip-gui
sudo hp-setup 192.168.x.x
sudo apt install hplip
sudo system-config-printer

Maybe you want to try this:

Works for my IPP Brother printer (based on Debian).