Configuring a network printer

taradiddles · June 3, 2023, 12:28pm

Where to configure printers and install drivers?

One would normally want to configure a printer in a template VM, rather than in particular AppVMs. This is because all the global settings made to AppVMs (those stored in its /etc, as well as binaries installed in /usr) would be discarded upon AppVM shutdown. When printer is added and configured in a template VM, then all the AppVMs based on this template should automatically be able to use it (without the need for the template VM to be running, of course).

Alternatively one can add a printer in a standalone VM, but this would limit the printer usage to this particular VM.

Security considerations for network printers and drivers

Some printers require third-party drivers, typically downloadable from the vendor’s website. Such drivers are typically distributed in a form of ready to install RPM packages. However, they are often unsigned, and additionally the downloads are available via HTTP connections only. As a result, installation of such third-party RPMs in a default template VM exposes a risk of compromise of this template VM, which, in turn, leads automatically to compromise of all the AppVMs based on the template. (Again, it’s not buggy or malicious drivers that we fear here, but rather malicious installation scripts for those drivers).

In order to mitigate this risk, one might consider creating a custom template (i.e. clone the original template) and then install the third-party, unverified drivers there. Such template might then be made a DVM template for DisposableVM creation, which should allow one to print any document by right-clicking on it, choosing “Open in DisposableVM” and print from there. This would allow to print documents from more trusted AppVMs (based on a trusted default template that is not poisoned by third-party printer drivers).

However, one should be aware that most (all?) network printing protocols are insecure, unencrypted protocols. This means, that an attacker who is able to sniff the local network, or who is controlling the (normally untrusted) Qubes NetVM, will likely to be able to see the documents being printed. This is a limitation of today’s printers and printing protocols, something that cannot be solved by Qubes or any other OS.

Additionally, the printer drivers as well as CUPS application itself, might be buggy and might get exploited when talking to a compromised printer (or by an attacker who controls the local network, or the default NetVM). Consider not using printing from your more trusted AppVMs for this reason.

Steps to configure a network printer in a template VM

Start the “Printer Settings” App in a template VM (either via Qubes “Start Menu”, or by launching the system-config-printer in the template). You may need to install it first sudo dnf install system-config-printer.
Add/Configure the printer in the same way as one would do on any normal Linux. You may need to allow network access from the template VM to your printer to complete configuration, as normally the template VM is not allowed any network access except to the Qubes proxy for software installation. One can use Qubes Manager to modify firewall rules for particular VMs. If service is not running, it needs to be enabled from dom0 with qvm-service VMNAME cups on .
Optional: Test the printer by printing a test page. If it works, shut down the template VM.
Open an AppVM (make sure it’s based on the template where you just installed the printer, normally all AppVMs are based on the default template), and test if printing works. If it doesn’t then probably the AppVM doesn’t have networking access to the printer – in that case adjust the firewall settings for that AppVM in Qubes Manager. Also, make sure that the AppVM gets restarted after the template was shutdown.
Alternatively if you do not want to modify the firewall rules of the template VM (that have security scope) you can simply shut down the template VM without trying to print the test page (which will not work), start or restart an AppVM based on the template and test printing there.

This document was migrated from the qubes-community project

Page archive
First commit: 08 Dec 2020. Last commit: 20 Jan 2021.
Applicable Qubes OS releases based on commit dates and supported releases: 4.0
Original author(s) (GitHub usernames): runephilosof
Original author(s) (forum usernames):
Document license: GPLv2

marion · March 16, 2024, 7:30pm

This worked for me from Qubes-Os R3.2 to R4.1, though it fails in R4.2.

My template has the network printer running over IPP without any problems.

The VM from that template shows the printer installed, though in the VM the printjobs are stopped. Filter failed …

The app-vm has cups running, that is not the topic here.
Ping to the printer works fine.

Any hints to why template-vm and app-vm with services equally added don’t show the same results?

Clodius · March 16, 2024, 8:44pm

just curious in the template (say for fedora-39) did you do
systemctl enable cups

welcome to the Qubes forum

marion · March 16, 2024, 9:56pm

For sure I did that. How else would the printer be working in the template-vm?

cups.service is active in fedora-39 as well as in work based on fedora-39.

The dirty fix I’m running is a cloned template-vm in use for offline-work and printing alone. Kind of sucks.

Clodius · March 16, 2024, 10:06pm

sorry what does this mean? what results, are not the “same”?

marion · March 16, 2024, 10:25pm

The “same” in my first comment:

Printer is installed and PING works in fedora-39 and in work (APP-VM).
I set the firewall rules identical and the services available are identical.
I put the identical print-job to the printer queue.
fedora-39 prints. On the other hand work does not print, but shows a filter failed on the cups web-interface.

I’m lost. Before I posted this problem I did a thorough check on the internet if there was a hint about networking in qubes that handels template-VM differently to app-VM. Nothing

I would assume there is some kind of config file that misdirects the reply of the printer. Since fedora-39 does the job, it could be something in the app-VM that causes this.

I’m by far no expert in network-layers and how they might differ between those two virtual machines. So I got myself registered and posted my observations.

Clodius · March 17, 2024, 2:17am

sometimes to trouble shoot, some folks might try it as debian-based, not sure why you need firewall rules tbh, I don’t have any , my network printer works, good luck , did you search this forum for ideas?

marion · March 17, 2024, 6:10pm

Seems I’m out of luck:

I tested without any firewall rules.

I tried debian, too.

As I said in my previous post, I did search thoroughly. I don’t want to spam any thread, so this is what I always do.

If there is no .conf in dom0 or anywhere else … shit just happens.

jpph · March 27, 2024, 6:12pm

I had to do a qvm-service VMNAME cups on . Changed the doc accordinily