Print Release Notes
Printer Setup
Note: Don't use auto detected HP printers. Instead manually configure the printer using HP JetDirect (socket://<printer's IP address>:9100). Auto detected HP printers will break the first time you put a job on hold. Good luck getting them back.
Enable Print Queue Sharing
- On server browse to localhost:631
- Administration Tab
- Share printers connected to this system: CHECKED
- Enter root password when prompted
- Restart cups. It likely hung from the previous step:
systemctl restart cups
Install Printer on server (There are options for connecting to thin client as well)
- Applications→System→Print Settings
- Make sure printer is shared
You can set up a printer as the default:
- /var/lib/tftpboot/ltsp/amd64/lts.conf
- LDM_PRINTER_DEFAULT="CANS-HP-Laserjet-M401dw"
On thin client
- Actually didn't need to do anything. Printer just showed up. Didn't even need to rebuild the Image.
- If it doesn't show up
- System→Print Settings
- Connect to server IP
Printer Setup with print release
Here is a solution for basic print release control for use with or without Libki. We will set the default state of new jobs to "Held" and modify the default CUPS permissions to limit who can release jobs. We will also tweak PolicyKit to allow the staff and printrelease users to release jobs.
First let's force new print jobs into a held state. This needs to be done for each printer on the server:
lpadmin -p HP-LaserJet-400-M401 -o job-hold-until-default=indefinite
Add the staff and printrelease users to the lpadmin group:
usermod -G lpadmin -a staff01
usermod -G lpadmin -a printrelease
To allow these users (members of the lpadmin group) to release jobs they don't own create
/etc/polkit-1/localauthority/50-local.d/allow-job-not-owned-edit.pkla
with the following contents:
[Print job release not owned allow]
Identity=unix-group:lpadmin
Action=org.opensuse.cupspkhelper.mechanism.job-not-owned-edit
ResultAny=yes
ResultInactive=yes
ResultActive=yes
Below are my documented changes to cupsd.conf. Alternatively just download an already configured file
cupsd.conf
Changes to /etc/cups/cupsd.conf
By default normal users can't see job information for other users. To allow the display of job names and user names edit
/etc/cups/cupsd.conf
and edit the following:
<Policy default>
JobPrivateAccess default
JobPrivateValues none
Now we need to edit
/etc/cups/cupsd.conf
and remove some rights from OWNER. To do that we create a new <Limit> group under the default and authenticated policies and MOVE
Release-Job Restart-Job Resume-Job Set-Job-Attributes
to that group. Here is the whole file for reference. Notice only @SYSTEM has access to these actions. @SYSTEM refers to the lpadmin group:
LogLevel warn
PageLogFormat
MaxLogSize 0
# Allow remote access
Port 631
Listen /var/run/cups/cups.sock
# Share local printers on the local network.
Browsing On
BrowseLocalProtocols dnssd
DefaultAuthType Basic
WebInterface Yes
<Location />
# Allow shared printing...
Order allow,deny
Allow @LOCAL
</Location>
<Location /admin>
Order allow,deny
</Location>
<Location /admin/conf>
AuthType Default
Require user @SYSTEM
Order allow,deny
</Location>
<Location /admin/log>
AuthType Default
Require user @SYSTEM
Order allow,deny
</Location>
<Policy default>
JobPrivateAccess default
JobPrivateValues none
SubscriptionPrivateAccess default
SubscriptionPrivateValues default
<Limit Create-Job Print-Job Print-URI Validate-Job>
Order deny,allow
</Limit>
<Limit Send-Document Send-URI Hold-Job Purge-Jobs Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
Require user @OWNER @SYSTEM
Order deny,allow
</Limit>
<Limit Release-Job Restart-Job Resume-Job Set-Job-Attributes>
Require user @SYSTEM
Order deny,allow
</Limit>
<Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default CUPS-Get-Devices>
AuthType Default
Require user @SYSTEM
Order deny,allow
</Limit>
<Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
AuthType Default
Require user @SYSTEM
Order deny,allow
</Limit>
<Limit Cancel-Job CUPS-Authenticate-Job>
Require user @OWNER @SYSTEM
Order deny,allow
</Limit>
<Limit All>
Order deny,allow
</Limit>
</Policy>
<Policy authenticated>
JobPrivateAccess default
JobPrivateValues default
SubscriptionPrivateAccess default
SubscriptionPrivateValues default
<Limit Create-Job Print-Job Print-URI Validate-Job>
AuthType Default
Order deny,allow
</Limit>
<Limit Send-Document Send-URI Hold-Job Purge-Jobs Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
AuthType Default
Require user @OWNER @SYSTEM
Order deny,allow
</Limit>
<Limit Release-Job Restart-Job Resume-Job Set-Job-Attributes>
AuthType Default
Require user @SYSTEM
Order deny,allow
</Limit>
<Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
AuthType Default
Require user @SYSTEM
Order deny,allow
</Limit>
<Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
AuthType Default
Require user @SYSTEM
Order deny,allow
</Limit>
<Limit Cancel-Job CUPS-Authenticate-Job>
AuthType Default
Require user @OWNER @SYSTEM
Order deny,allow
</Limit>
<Limit All>
Order deny,allow
</Limit>
</Policy>
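As an added example (not part of the original notes or of CUPS), this Python check parses the <Policy> and <Limit> sections of a cupsd.conf and reports every policy where the four release operations are open to anyone other than @SYSTEM. It also catches the case where the operations were deleted from the owner group instead of moved, so they fall through to <Limit All>. The sample() fragments are constructed for the demonstration; pass the text of /etc/cups/cupsd.conf to release_findings() to check a real file.

```python
# The four operations the page moves out of the job owner's reach.
RELEASE_OPS = ("Release-Job", "Restart-Job", "Resume-Job", "Set-Job-Attributes")

def parse_limits(conf_text):
    """Map policy name -> {operation: set of 'Require user' principals}."""
    policies, policy, ops = {}, None, []
    for line in (raw.strip() for raw in conf_text.splitlines()):
        if line.startswith("<Policy "):
            policy = policies.setdefault(line[len("<Policy "):].rstrip(">").strip(), {})
        elif line == "</Policy>":
            policy = None
        elif line == "</Limit>":
            ops = []
        elif policy is None or line.startswith("#"):
            continue  # <Location> sections and comments are out of scope here
        elif line.startswith("<Limit "):
            ops = line[len("<Limit "):].rstrip(">").split()
            for op in ops:
                policy.setdefault(op, set())
        elif line.lower().startswith("require user "):
            for op in ops:
                policy[op].update(line.split()[2:])
    return policies

def release_findings(conf_text):
    """List (policy, operation, principals) where release is not @SYSTEM-only."""
    findings = []
    for name, limits in parse_limits(conf_text).items():
        for op in RELEASE_OPS:
            # An operation named in no <Limit> falls through to <Limit All>.
            allowed = limits.get(op, limits.get("All", set()))
            if allowed != {"@SYSTEM"}:
                findings.append((name, op, sorted(allowed)))
    return findings

def sample(owner_ops, system_ops=""):
    """Build a constructed one-policy fragment (not the page's full file)."""
    text = "<Policy default>\n<Limit Hold-Job %s>\nRequire user @OWNER @SYSTEM\n</Limit>\n" % owner_ops
    if system_ops:
        text += "<Limit %s>\nRequire user @SYSTEM\n</Limit>\n" % system_ops
    return text + "<Limit All>\nOrder deny,allow\n</Limit>\n</Policy>\n"

if __name__ == "__main__":
    ops = " ".join(RELEASE_OPS)
    print("owner may release:", release_findings(sample(ops)))
    print("moved to @SYSTEM: ", release_findings(sample("", ops)))
    print("deleted, not moved:", release_findings(sample("")))
```

An empty principal list in a finding means the operation has no Require line at all, which is what happens when it lands in <Limit All>.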
At this point we could give Staff access to the CUPS web interface. Since they need access to Epoptes anyway, let's just manage the queues through the desktop on the server.
To release print jobs access the desktop on the server and do the following:
- Go to Start→Settings→Print Settings
- Right click your printer and select "View Print Queue"
- Review the available jobs
- Right click the job you want to release and select "Release".
Note: Indefinite print job holds can be removed with the following command:
lpadmin -p CANS-HP-LaserJet-M401dw -R job-hold-until-default
WebPrintRelease
Do the following to install Web Print Release:
- As root install required software:
apt-get install python-pip git-core python-cups pkpgcounter
- As the printrelease user, use git to pull down WebPrintRelease:
su - printrelease
git clone git@git.pls-net.org:/var/cache/git/WebPrintRelease.git
- As the printrelease user, install the required libraries. These pip libraries will be installed in the user's profile:
cd WebPrintRelease
pip install flask Flask-Caching gunicorn
- Copy
config.py.example
to config.py:
cp config.py.example config.py
- Edit config.py with a custom SECRET, user password and set port to 8080.
- Start the app in development mode:
python app.py
Note: pip libraries will be installed in the user's profile:
- /home/printrelease/.local/lib/python2.7/site-packages
To run the app with gunicorn:
/home/printrelease/.local/bin/gunicorn -w 4 -b 0.0.0.0:4000 app:app
Setup WebPrintRelease as a service
As root create a new service file:
vi /etc/systemd/system/WebPrintRelease.service
Paste the following into the file:
[Unit]
Description=Gunicorn instance to serve WebPrintRelease
After=network.target
[Service]
User=printrelease
Restart=on-failure
WorkingDirectory=/home/printrelease/WebPrintRelease/
ExecStart=/home/printrelease/.local/bin/gunicorn -w 2 -b 0.0.0.0:8080 app:app
[Install]
WantedBy=multi-user.target
Reload services, enable and start WebPrintRelease:
systemctl daemon-reload
systemctl enable WebPrintRelease
systemctl start WebPrintRelease
Now exclude the service in LTSP so it won't run on the client:
vi /var/lib/tftpboot/ltsp/amd64/lts.conf
Add the following to the
[Default]
section:
# Prevent services from auto starting on the clients.
RM_SYSTEM_SERVICES="x11vnc WebPrintRelease"
Note: If the main page is slower than expected, delete /tmp/webprint and restart the service. The folder may have been created by a different user and its ownership is wrong.
Clear held print jobs
If we implement CUPS print release there is the possibility of unclaimed print jobs sitting on the server indefinitely. We can set up a cron script to periodically clean up jobs X minutes old.
Create
/opt/purge_old_jobs.sh
with the following:
#!/bin/bash
#
# Purge print jobs after a number of minutes
#
# Die if number of minutes has not been provided
die() { echo "$*" 1>&2; exit 1; }
[[ $1 =~ ^[0-9]+$ ]] || die "Numeric argument 'minutes' required!"
age_in_minutes=$1
age_in_seconds=$((age_in_minutes*60))
time_now=$(date '+%s')
count=0
while read -r line; do
    # Intentional word splitting: break the lpstat line into positional fields
    set -- $line
    job="$1"
    # Fields 5-9 hold the submission date (field 4, the weekday, is skipped)
    job_date="$5 $6 $7 $8 $9"
    # Skip jobs whose date cannot be parsed; an empty timestamp would count as 0
    # in the arithmetic below and the job would be cancelled as "old"
    job_timestamp=$(date -d "$job_date" +"%s" 2>/dev/null) || continue
    time_diff=$((time_now-job_timestamp))
    # Debug
    #echo "Job: $job at time: $job_date time_diff: $time_diff"
    if [[ $time_diff -ge $age_in_seconds ]]; then
        cancel "$job"
        count=$((count+1))
    fi
done < <( /usr/bin/lpstat -o )
if [[ $count -gt 0 ]]; then
    echo "Deleted $count print jobs."
fi
Make the script executable:
chmod u+x /opt/purge_old_jobs.sh
Now add a cron job on the server (crontab -e). The following runs every 5 minutes and deletes jobs older than 360 minutes (6 hours):
*/5 * * * * /opt/purge_old_jobs.sh 360