SOLVED How to make CUPS server work in a jail

NinthWave

Contributor
Joined
Jan 9, 2021
Messages
129
System
  • TrueNAS-12.0-U6
  • Jail 12.2-RELEASE-p10

I'd very much like to make this work.

I have been doing these steps: https://docs.freebsd.org/en/articles/cups/

But at the end of step 3, when I try to restart using these:
Code:
# /etc/rc.d/devfs restart
# /usr/local/etc/rc.d/cupsd restart


I get:
[Attached image: 1634877882391.png]


I searched the web, but most of the solutions are circa 2014 and don't work.

Any help here?
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703
I'm not sure why you're calling it Debian-CUPS.

Are you running those commands in the jail or on the TrueNAS host?

Have you set a devfs_ruleset for the jail (probably needs to be 2 or a custom rule)?

You can check with iocage get all jailname
 

NinthWave

> I'm not sure why you're calling it Debian-CUPS

I was thinking of going the VM way, then realized a jail would be simpler, and when naming it, I was still in the VM mindset.

Since I don't like calling a FreeBSD jail with a Debian name, I just scrapped it and started again from scratch.
 

NinthWave

> Are you running those commands in the jail or on the TrueNAS host?
>
> Have you set a devfs_ruleset for the jail (probably needs to be 2 or a custom rule)?
>
> You can check with iocage get all jailname

I ran those commands within the jail, not the TrueNAS host.

The jail had a ruleset = 4
I briefly searched FreeBSD help to find info on the meaning of those ruleset values, to no avail.
Since you suggested a value of 2, I changed it, but if I am right, this is fewer grants than 4...
[Attached image: 1634903823337.png]


Code:
root@CUPS:/home/nick # /etc/rc.d/devfs restart
devfs rule: ioctl DEVFSIO_RGETNEXT: Operation not permitted
/etc/rc.d/devfs: WARNING: devfs_init_rulesets: could not read rules from /etc/defaults/devfs.rules
/etc/rc.d/devfs: WARNING: devfs_set_ruleset: you must specify a ruleset number
/etc/rc.d/devfs: WARNING: devfs_apply_ruleset: you must specify a ruleset


So no progress here.
 

sretalla

You don't run those commands in the jail (or at all really).

devfs_ruleset = 2 basically allows the entire /dev structure to mount in the jail... you also would need to set mount_devfs = 1 (if that's not already the case on that jail).

With those 2 things set on the jail and after it's restarted (assuming it was already running), then you should be able to do what CUPS needs in the jail without those ruleset commands.
 

NinthWave

> With those 2 things set on the jail and after it's restarted (assuming it was already running), then you should be able to do what CUPS needs in the jail without those ruleset commands.

[Attached image: 1634906385513.png]

[Attached image: 1634906443355.png]


Still a no go

Am I missing anything in TrueNAS host? I have three other jails running without problems.
 

sretalla

> I have three other jails running without problems.

Are those 3 other jails running things out of the /dev structure? (Most of the typical apps don't.)

> Still a no go

Are you judging that by running those devfs rule commands in the jail (which you shouldn't)?

What CUPS needs is access to devices in order to connect to printers.

Devfs ruleset 2 should grant that.

Have you looked for experiences from others using TrueNAS/FreeNAS, like this one? https://www.truenas.com/community/threads/cups-not-seeing-printer.48460/

From what I can see in the article you're trying to follow, they assign devfs rules to the cups group, which, if it's needed, will need to be done in a custom devfs ruleset for your jail and modified on the host (not in the jail). Which may also require creation of users/groups with matching UID/GID on the host.

Maybe following this will get you closer to the answer required.
https://www.truenas.com/community/t...talling-cups-in-plugin-jail.22279/post-172869 (you need to follow the thread down a bit)
 

sretalla

OK, so what I did as it seems you're having some trouble getting further is to run some instructions for how to get the CUPS service running and have access to the USB devices in a jail.

On the host:
iocage create -n "cups" -r 12.2-RELEASE vnet="on" allow_raw_sockets="1" dhcp="on" bpf="yes" boot="on" devfs_ruleset=2

You could change it to have a static IP or whatever...

iocage console cups

Everything from here is now in the jail:

pkg install cups hplip py38-pycups

Agree to installing the pkg utility and then to installing all the dependencies and requested pkgs

sysrc cupsd_enable="YES"

At that point, you can check that you have all your USB devices there (ls /dev/usb)

I don't really know if it's needed, but if you have trouble with permissions here (on the usb devs) you can look at running the commands from here: https://www.truenas.com/community/threads/cups-jail-keeps-losing-permissions.45265/ or look into what I mentioned about it in the last post


Now that you have installed cups (in a fresh jail with devfs_ruleset=2) and seen that you can find the USB devices, all that should be left is to run the service:

Optional, set a config (if you didn't already have your own):
cd /usr/local/etc/cups
mv cupsd.conf cupsd.conf.org
pkg install wget
wget https://gist.github.com/chetan/b147bb584d8c7b3554f51f4a84f1b67f/raw/46b12f782ad5f435f2475a5b6debb6ad628dde75/cupsd.conf
ee cupsd.conf    # make your edits, then Esc + save changes
service cupsd start

Then check that it's running with:
service cupsd status

Connect to cups with a browser:
http://ip.of.your.jail:631/

I get a working CUPS website (but since I don't have a printer attached to that system over USB, I can't tell you anything more than that).
 

NinthWave

> On the host:
> iocage create -n "cups" -r 12.2-RELEASE vnet="on" allow_raw_sockets="1" dhcp="on" bpf="yes" boot="on" devfs_ruleset=2
>
> You could change it to have a static IP or whatever...

Thank you for your time.

I deleted my previous jail and created the new one.


Code:
root@truenas[~]# iocage create -n "cups" -r 12.2-RELEASE vnet="on" allow_raw_sockets="1" dhcp="on" bpf="yes" boot="on" devfs_ruleset=2
cups successfully created!
No default gateway found for ipv6.
* Starting cups
  cups is not using the devfs_ruleset of 4, not generating a ruleset for the jail, DHCP may not work.
  + Started OK
  + Using devfs_ruleset: 1003 (cloned from devfs_ruleset 2)
  + Configuring VNET OK
  + Using IP options: vnet
  + Starting services OK
  + Executing poststart OK
  + DHCP Address: 10.0.0.225/24



> iocage console cups

I had the habit of working from within the jail but I get it is not good practice. I'll read the documentation about that. So I did what you asked.

> pkg install cups hplip py38-pycups

hplip: I don't have an HP printer but a Brother. Now, I don't know what protocol Brother uses, but later in the CUPS management GUI, I chose "generic PCL Laser".

py38-pycups: No mention of that in CUPS on FreeBSD, but in the end the server works, so I guess that is what is missing from the FreeBSD docs.

> At that point, you can check that you have all your USB devices there (ls /dev/usb)

I don't have any USB printer, just an Ethernet one. Anyhow:
Code:
root@cups:~ # ls /dev/usb
0.1.0   1.1.0   2.1.0   2.2.0   3.1.0   3.2.0   3.2.2   3.3.1   4.1.1   5.1.1   5.2.1   6.1.1   7.1.1
0.1.1   1.1.1   2.1.1   2.2.1   3.1.1   3.2.1   3.3.0   4.1.0   5.1.0   5.2.0   6.1.0   7.1.0


> Optional, set a config (if you didn't already have your own):
> cd /usr/local/etc/cups
> mv cupsd.conf cupsd.conf.org
> pkg install wget
> wget https://gist.github.com/chetan/b147bb584d8c7b3554f51f4a84f1b67f/raw/46b12f782ad5f435f2475a5b6debb6ad628dde75/cupsd.conf
> ee cupsd.conf    # make your edits, then Esc + save changes
> service cupsd start

I am not sure what I am supposed to edit here since in the FreeBSD doc there was no mention of that.

Code:
root@cups:/usr/local/etc/cups # ee cupsd.conf
=====line 5 col 0 lines from top 5 ============================================
#
# Sample configuration file for the CUPS scheduler.  See "man cupsd.conf" for a
# complete description of this file.
#

# Log general information in error_log - change "warn" to "debug"
# for troubleshooting...
LogLevel warn

# Deactivate CUPS' internal logrotating, as we provide a better one, especially
# LogLevel debug2 gets usable now
MaxLogSize 0

# Only listen for connections from the local machine.
#Listen localhost:631
Port 631
Listen /var/run/cups/cups.sock

# Show shared printers on the local network.
Browsing On
BrowseLocalProtocols dnssd
BrowseRemoteProtocols CUPS dnssd
BrowseAddress @LOCAL


> Then check that it's running with:
> service cupsd status
Code:
root@cups:/usr/local/etc/cups # service cupsd status
cupsd is running as pid 95265.

> Connect to cups with a browser:
> http://ip.of.your.jail:631/

Working!

What about that:
[Attached image: 1635026405887.png]

I am mainly printing from my Windows PC. Should I care and edit those two files?
(I know at this step it's not TrueNAS related, but you seem pretty well versed in FreeBSD stuff.)

Thanks again!
 

sretalla

> I am mainly printing from my Windows PC. Should I care and edit those two files?

I'm not really sure, but I'm guessing the reference to "certain Windows Clients" means legacy ones, so if you're on Windows 10, forget it. As long as you can print what you want, it's all good.


> I am not sure what I am supposed to edit here since in the FreeBSD doc there was no mention of that.

The file itself points to the manual (man cupsd.conf)
If it's already doing what you wanted, you can leave it like that (although I'm assuming you're behind a properly managed firewall, otherwise, consider looking into secure configuration).

> I don't have any USB printer, just an Ethernet one

OK, I assumed the references to the devfs_ruleset at the start of all this was about getting a USB printer connected (it also seems to be the problem which caught out most of the others posting about CUPS in the forum)... we could have left it at devfs_ruleset=4 then.

> hplip: I don't have an HP printer but a Brother

A lot of manufacturers are using HP patented technologies for inkjets, so I wouldn't be surprised if this were a crucial part of it somehow.
 
Last edited:
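
A check for the "secure configuration" point raised above, as an added example that is not part of the thread: it classifies the active `Port`/`Listen` lines of a cupsd.conf by how widely they listen. The function names and both sample files are constructed for illustration (the first mirrors the listener lines of the excerpt posted earlier, the second uses the jail address from the thread), and it inspects listeners only, not `<Location>` access rules.

```sh
#!/bin/sh
# Added example (not from the thread): classify active cupsd.conf listeners.

# audit_cups_listeners FILE
# Prints "<scope> <directive> <value>" for each active Port/Listen line and
# returns 1 if any listener accepts connections on every interface.
audit_cups_listeners() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }       # comments and blank lines
        { d = tolower($1) }                  # directive names ignore case
        d == "port" {                        # "Port N" binds every address
            print "all-interfaces", $1, $2; exposed = 1; next
        }
        d == "listen" {
            a = $2
            if (a ~ /^\//)
                s = "local-socket"           # Unix domain socket path
            else if (a ~ /^(localhost|127\.[0-9.]+|\[::1\])(:[0-9]+)?$/)
                s = "loopback"
            else if (a ~ /^(\*|0\.0\.0\.0|\[::\])(:[0-9]+)?$/) {
                s = "all-interfaces"; exposed = 1
            } else
                s = "specific-address"       # one named host or IP
            print s, $1, a
        }
        END { exit exposed + 0 }
    ' "$1"
}

# Constructed sample: the listener lines of the excerpt posted in the thread.
write_sample_conf() {
    printf '%s\n' '# Only listen for connections from the local machine.' \
        '#Listen localhost:631' 'Port 631' \
        'Listen /var/run/cups/cups.sock' > "$1"
}

# Constructed variant: bound to the jail address from the thread instead.
write_bound_conf() {
    printf '%s\n' 'Listen 10.0.0.225:631' \
        'Listen /var/run/cups/cups.sock' > "$1"
}

tmp=$(mktemp /tmp/cupsd.XXXXXX)
write_sample_conf "$tmp"
audit_cups_listeners "$tmp" || echo "=> reachable on every interface"
write_bound_conf "$tmp"
audit_cups_listeners "$tmp" && echo "=> no wildcard listener"
rm -f "$tmp"
```
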

NinthWave

@sretalla Thank you very much for all this help.
 