From owner-freebsd-arch Wed Jul 5 20:34:32 2000
Delivered-To: freebsd-arch@freebsd.org
Received: from astart2.astart.com (astart2.astart.com [206.71.174.194])
	by hub.freebsd.org (Postfix) with ESMTP id E94CD37B5CD
	for ; Wed, 5 Jul 2000 20:34:25 -0700 (PDT)
	(envelope-from papowell@astart.com)
Received: from h4.private (papowell@h4.private [10.0.0.4])
	by astart2.astart.com (8.9.3/8.9.3) with ESMTP id UAA38828;
	Wed, 5 Jul 2000 20:36:56 -0700 (PDT)
Received: (from papowell@localhost)
	by h4.private (8.9.3/8.9.3) id UAA23827;
	Wed, 5 Jul 2000 20:33:51 -0700 (PDT)
Date: Wed, 5 Jul 2000 20:33:51 -0700 (PDT)
From: papowell@astart.com
Message-Id: <200007060333.UAA23827@h4.private>
To: sheldonh@uunet.co.za
Subject: Re: was: Bringing LPRng into FreeBSD?
Cc: andrews@technologist.com, arch@FreeBSD.ORG, papowell@astart.com, will@almanac.yi.org
Sender: owner-freebsd-arch@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> From sheldonh@axl.ops.uunet.co.za Mon Jun 26 02:46:32 2000
> From: Sheldon Hearn
> To: arch@FreeBSD.ORG
> cc: papowell@astart.com
> Subject: Re: was: Bringing LPRng into FreeBSD?
> Date: Mon, 26 Jun 2000 11:46:23 +0200
>
>
> Could someone just enumerate the advantages of importing LPRng? It
> seems to be a package which can be made to do everything FreeBSD's lpr
> can do, but it does not seem to be a superset of FreeBSD's lpr. This
> means that there is a cost associated with bringing it in as a
> replacement.
>
> Are we sure that the cost is justified? Is it so much better than the
> existing lpr that having it available as a port is "not enough"?
>
> I have no strong opinion one way or the other, but I do get the feeling
> that this thread has skipped an important issue, instead focusing on
> licensing. This looks like a little cart before horse.
>
> Ciao,
> Sheldon.
>

Dear Sheldon and others:

A very perceptive question. I have written a small essay presented
here which hopefully provides answers to the questions asked in your
posting.


The Joys of PRINTING

Printing is one of the more critical areas in any major computing
enterprise or facility. But it is NOT glamorous. Or exciting. Or
interesting. So people do work on it only when they are directly
affected, or when they need some 'enhanced functionality'. And they
quickly forget about it, don't document it, and then the next person
that has to deal with printing adds more to this mess.

Anybody who has managed large installations knows that the one area
where things do not work well is printing, because there are literally
dozens of different print spooling systems, no two of which have the
same configuration or management methods.

The LPRng print spooling software compiles and runs on an extremely
wide range of systems. And configures and runs almost identically on
all of them (or it should!).

If you think that writing a print spooler is simple - it is.
MAINTAINING it is a lot of work. Removing some silly little
compatibility problem is a lot of work. DOCUMENTING it is a lot of
work. And enhancing it to provide additional facilities without
breaking other things is a lot of work.

I started the work on LPRng with one major goal in mind: make it
secure when used in a Computer Science Laboratory. For example, LPRng
does not need to run SETUID root unless compatibility with vintage or
legacy printing systems is required. The code is extremely paranoid
about all buffer sizes, string lengths, and so forth, and goes to
great lengths to check for various known hacker attacks as well. In
addition, there are facilities to use encryption and Kerberos based
authentication to prevent abuse of the printing system.

Another of the goals was to make a system that would not fail under
stress. This means that the LPRng system does not start processes,
accept connections, or do things when there is a limited amount of
system resources. This has the side effect of (mostly) preventing
LPRng from being used as a simple conduit for DOS attacks.

The code was written to be testable and traceable. Over 60% of the
code concerns itself with checking error return codes and logging
messages for failure conditions. This, of course, has a certain
overhead in terms of system size. But the verbose diagnostics are
almost always preferable to the print job mysteriously vanishing into
limbo and users wondering what happened.

Finally, there is the LPRng documentation. It is available in HTML
format and is generated from DocBook compatible SGML. In addition,
hard copy (PostScript) versions are available as well, all 360 pages
of it. This documentation includes a Tutorial and Reference section,
as well as an index to the various LPRng facilities.

Question:
a) Is LPRng better than what we have?

LPRng has functionality well beyond that of the current FreeBSD print
spooler. The one thing that it has, above all, is the ability to
provide diagnostic information. The tracing facilities are, to put it
mildly, exhaustive. At least 60% of the code in LPRng is error
handling and reporting. Perhaps higher.

The LPRng software provides Enterprise level printing facilities, such
as the following, which are either not in the FreeBSD LPD print spooler
or are greatly improved.

Load Balance Queues (sometimes called Printer Pooling):
You can select which of a set of destination printers by using
(default) LRU, or by providing a script that tells the LPRng system
which of an available set of printers to use.

Authentication - Kerberos, PGP, MD5
The RFC 1179 protocol has little^H^H^H^H^H no authentication
facilities. LPRng provides a simple set of hooks to add
authentication. A simple scaffolding for using Kerberos, PGP, and MD5
authentication is present in the distribution. You can add additional
methods by adding or replacing the ones already present.

Permissions
There is a flexible and extensible mechanism for supporting printer
permissions, on the user, host, job, or other basis.
This can provide very fine grain control over access to printer
facilities. If there is need for highly secure printing, then the
Authentication and Permission facilities can be used in combination.

Remote administration
The 'lpc' command supports remote administration of printers and
queues. It has a very versatile set of commands to enable and disable
queues, start and stop printing, set serviced job classes, kill,
abort, or hold jobs, and perform other administrative functions.

Status displays with lots of detail
The status displayed by LPRng provides a large amount of detail about
the current print queue activities. Needless to say, the short form
(lpq -s) provides a succinct summary. For those with a real need to
know, the verbose (lpq -v) tells you more than you ever wanted to
know.

Accounting
The accounting system used by LPRng was developed for use in one of
the most hostile environments possible - University Computer Systems
facilities. The basic facilities can be used for simple accounting
procedures, with the ability to restrict access and record usage of
print queues in various manners.

Routing
Some systems benefit from the ability to have a single queue for
printing, and then have the jobs sent to the queue selectively
forwarded to the appropriate printer. This is easily supported by the
LPRng routing facility.

Redirection
If a queue or printer is temporarily out of service, jobs can be
redirected to an alternate queue by a simple administrative command.

Form Support
Many printer jobs require special setup or forms. LPRng provides
support for these jobs in an extremely simple manner.

Job Holding and Releasing
Jobs sent to a queue can be held until released.

Job Reprinting
A queue can be configured to allow jobs to be saved and then reprinted
if they have errors or even if they are successful.

Diagnostic and Tracing Facilities
The diagnostic facilities in LPRng allow extremely detailed tracing of
even the most complex jobs.
These facilities can be enabled or disabled dynamically by the system
administrator on a system or print queue level.

Question:
b) Do we need something better? Is the cost worth the benefits?

Just about every site with more than 200 users discovers that their
printing facilities do not do exactly what they want. They then assign
a new system administrator or programmer to start modifying the legacy
printing software to provide the facilities they need. After several
iterations of this process nobody knows or understands their current
printing system and everybody is afraid that it will break. And when
it dies, nobody knows how to fix it.

Given the large number of modified (and broken) versions of LPD in
existence, there is obviously something lacking from the baseline LPD
software.

Over the last 10 years the LPRng software has had features and
enhancements added to it that reflect the needs of the various sites.
Many of these are specialized, but some have had surprisingly wide
application. Most users of LPRng find that they can replace their
current hand crafted software with LPRng, and run the same software on
all the different systems they have, including a wide range of legacy
systems.

FreeBSD is one of my test platforms. The documentation for LPRng uses
the DocBook tools which are part of the FreeBSD Documentation Project.

If LPRng is adopted for use by FreeBSD, I have stated that I would
update and edit the current printing documentation in the FreeBSD
Handbook and bring it into line with LPRng. Actually, there is very
little that would change, as LPRng is largely backwards compatible at
the simple, single user/single printer level covered in the handbook.

In addition, I would provide support for the Makefiles and other items
which are used as part of the baseline documentation. The LPRng
distribution would be able to be compiled and installed using only the
basic system utilities including BSD make, perl5, awk, and sed.

The benefits are large: you get a much better print spooling system
with documentation, and active maintenance.

Patrick Powell                 Astart Technologies,
papowell@astart.com            9475 Chesapeake Drive, Suite D,
Network and System             San Diego, CA 92123
  Consulting                   858-874-6543 FAX 858-279-8424
LPRng - Print Spooler (http://www.astart.com)