--- Begin Message ---
Package: cupsys
Version: 1.1.4-3
Severity: important
Hi,
cupsd and its backends should keep track of what print jobs are already
being sent to the printer.
I set the secerity to important due to the possibility of a self-DoS (see
below) and because physical resources (toner and paper) are wasted.
Imagine the following scenario:
1. print job arrives
2. cupsd starts the parallel backend on it
3. cupsd dies
4. cupsd is restarted by e.g. daemontools
5. cupsd looks at the queue, sees the job that arrived in '1.'
6. goto 2. (repeat infinitely)
I just lost about 600 sheets of paper because of this behaviour. (The
diagnosis may be wrong, but the symptoms are hard facts.)
Additionally, about 150 'parallel' backends were running; in the long run, I
could have DoS'ed myself.
At the root of the current problem is the fact that cupsd (even 1.1.6)
reproducibly segfaults on certain jobs (for reasons unknown to me; I already
filed a bugreport). So, you need something to restart it when it died.
At this point, cupsd shouldn't just blindly start a new backend for each job
in the queue, assuming that the backends had died with it. I think one of
the following approaches (or their combination, or whatever) should be
taken:
1. have backends create a job-specific lockfile that contains their PID on
startup. cupsd can, before starting a backend process, check whether the
lockfile exists and is valid (by checking whether the appropriate backend is
running under that PID). If the lockfile exists and is invalid, cupsd can
remove it and start a new backend. If the lockfiles exists and is valid,
cupsd can retry later. If the lockfile doesn't exist, cupsd can start the
backend.
This approach probably also requires that there be better communication
between cupsd and the backends; e.g. cupsd should know _why_ a print job
failed in order to determine whether the entire job should be resent or just
parts of it (I guess this qualifies as a wishlist item).
2. create a pipe between the backend and cupsd; if cupsd dies, the backend
receives a SIGPIPE and exits. This avoids the DoS issue, but not the paper
waste.
3. create a named pipe for the backends to read the data from (probably best
combined with the first approach above); cupsd keeps track of which bytes it
had already sent through the pipe to the backend. If cupsd dies, it can
restart printing at the exact location it left off. If the backend dies,
cupsd can restart printing at the top of the last partial page printed.
4. implement something like daemontools' 'supervise' and 'svscan' to scan
the spool directory for new jobs and start backends on those that don't have
them yet. This doesn't eliminate paper waste because a backend can choke
repeatedly on the same job; endless loops must be detected and eliminated
(e.g. by dropping the job and notifying the user).
5. split cupsd into several parts; separate queue management from the HTTP
frontend etc. In itself, this doesn't solve any of the problems, but it
would probably make the code cleaner and easier to maintain. Let yourself be
inspired by e.g. qmail.
Regards,
Andrew
Ps. disregard the cups version number of this message. The problem I
describe is present in all current versions of cups as far as I can tell
(yesterday's 1.1.6 packages are definitely affected).
--
Andrew Korn (Korn Andras) <korn@chardonnay.math.bme.hu>
Finger korn@chardonnay.math.bme.hu for pgp key. QOTD:
Knowledge is power - if you know it about the right person.
-- System Information
Debian Release: testing/unstable
Kernel Version: Linux hellgate 2.4.1 #3 Tue Feb 6 18:27:34 CET 2001 i586 unknown
Versions of the packages cupsys depends on:
ii libc6 2.2.2-4 GNU C Library: Shared libraries and Timezone
ii libcupsys2 1.1.4-3 Common UNIX Printing System(tm) - libs
ii libjpeg62 6b-1.3 The Independent JPEG Group's JPEG runtime li
ii libpam0g 0.72-16 Pluggable Authentication Modules library
ii libpng2 1.0.8-1 PNG library - runtime
ii libstdc++2.10 2.95.2-14 The GNU stdc++ library
ii libtiff3g 3.5.5-3 Tag Image File Format library
ii zlib1g 1.1.3-12 compression library - runtime
^^^ (Provides virtual package libz1)
[conffile removed because irrelevant]
--- End Message ---