I ssh’d into my printer and got a notification of updates available. Is updating recommended or asking for trouble?
1 Like
I have no experience with a Zero.
HOWEVER,
My Sovol Klipad ended in a boot loop due to a kernal update.
Proceed with caution
1 Like
Definitely do not update the Linux operating system on a 3D printer. The entire system needs to work together. The 3D printer bits were written to work with a specific release of Linux, which is an entire system with the kernel and a lot of other software layered on top of that. It’s a good idea to keep desktop and server Linux systems updated because all of the software is updated at once with the help of a package manager to help tame the complexity. Updating Linux will almost certainly break a 3D printer because the 3D printer specific code is written to work on that specific “frozen in time” Linux system. It’s very unusual for Linux based appliances to have routine OS updates in the manner of desktop and server Lixux systems.
The outdated operating system is a good reason to keep your 3D printers off the internet when not receiving an OTA update pushed by the printer manufacturer.
2 Likes
NOTE: If you don’t install any remote access extensions on your klipper host your router firewall SHOULD effectively isolate your printer from the internet while still allowing you to use the “local network” to interact with your printer.
NOTE 2: A “back door” into a nanny cam (or similar) would give bad actors access to your “local network” but why would they mess with your printer when they want the data off your PC?
And yet Sovol has forgotten to disable apt-daily and apt-daily-upgrade timers in the system. 
Because it’s far easier for the bad actor to integrate the printer to be part of a bot network thanks to a fully writable root filesystem than it is to do the same for a nanny cam.
But they have to get past the firewall first. Assuming, of course, your Printer OS is free of intentional backdoors.
You may not recall but a while back there was an issue with low cost cameras SHIPPING with back door code in their firmware what punched OUT through your firewall.
Looking at the available updates
root@SPI-XI:~# apt dist-upgrade
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
The following packages will be upgraded:
avahi-autoipd avahi-daemon curl distro-info-data e2fsprogs git git-man libavahi-common-data
libavahi-common3 libavahi-core7 libbluetooth3 libcom-err2 libcurl3-gnutls libcurl4 libexpat1
libext2fs2 libglib2.0-0 libgnutls30 libnghttp2-14 libnss-myhostname libperl5.32 libpython3.9-minimal
libpython3.9-stdlib libsepol1 libsqlite3-0 libss2 libssl-dev libssl1.1 libudev1 libxml2
linux-libc-dev logsave openssl perl perl-base perl-modules-5.32 python3.9 python3.9-minimal
systemd-sysv tzdata udev
41 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 35.4 MB of archives.
After this operation, 433 kB of additional disk space will be used.
Do you want to continue? [Y/n] n
there’s no kernel upgrade available. It’s mainly the Python packages that could produce some unexpected side effects depending on the quality of the implementation of Klipper and the other printer related packages + those additions Sovol has written just for this model.
So THAT’S why msheldon’s Zero is working overtime and running hot when it’s idle.
Obico Cloud is pre-installed, running and enabled by default. It’s up to you if that counts or not. I’ve stopped and disabled it in my printer at least since I have no use for it.
1 Like
Yes that is a back door… or a feature waiting to be hacked.
@sovol3d you really should ASK before enabling internet vulnerabilities.
I thought I disabled Obico on my Zero, but it’s running. I must have been thinking of my SV08, where I commented out all references to Obico in the configuration files and that eliminated it. That trick didn’t work on the Zero. I can turn off Obico in Mainsail’s pull down power menu but it turns itself back on as soon as the Zero restarts.
There is a procedure for uninstalling Obico.
https://www.obico.io/docs/user-guides/moonraker-obico/config/
I don’t want to make changes at that level. I like being able to tell someone, including Sovol, that my machine is running the latest stock software and firmware.
I just wish there was a persistent method to disable Obico, to provide more available processing overhead, to run a little cooler, to reduce security vulnerabilities, and to eliminate a service I’m not using.
I finally bought a managed Ethernet switch for my 3D printers to take them off the internet while allowing me to communicate with them over the LAN. I’m a betworking noob so there’s something for me to learn this week. I prefer a hardwired solution and this is the next best thing to air gap separation from the internet, aka SneakerNet, with G code transferred via a thumb drive and no remote monitoring or control.
Sovol & Obico have some kind of deal with the SV06 ACE & up…it is baked in so users can easily turn it on if they subscribe.
I had to update Janus, but otherwise it worked fine.
Only two steps needed:
- In printer.cfg, add a # to the beginning of the line (followed with save + restart):
[include moonraker_obico_macros.cfg]
- Login with ssh and execute these two commands:
sudo systemctl disable moonraker-obico
sudo systemctl stop moonraker-obico
That will not uninstall Obico but it will prevent the service from starting. Use “enable” and “start” keywords to re-enable and restart if needed some day.
1 Like
Yes, this is why I was surprised to see the updates available message. My thinking is if it is possibly dangerous why not take steps to reduce the risk? Perhaps even a motd saying something like it is not advised to update or install Debian packages but to do so uncomment the repositories in /etc/apt/sources.list?
Sovol clearly doesn’t expect users to ssh into their printers so they didn’t bother disabling operating system updates or put up any other guard rails. They assume if you’re using ssh to hack around on your machine, you are not a mere user, and you’d know not to do updates that break the system.
I included the link to how to disable and uninstall Obico for anyone who is interested in my original post in this thread. I’ve often stopped and restarted services in Linux to fix things without rebooting and for other purposes, but didn’t want to ssh into the Zero and disable Obico because if there is a problem with my Zero I want to tell Sovol that I wasn’t making superuser changes to the system. That’s a likely “Your hardware problem is caused by changes you made to the system software and we can’t help you with that”, but also because the next firmware update is likely to re-enable Obico so it likely wouldn’t be a persistent fix. I’ll just turn off Obico in Mainsail. I don’t reboot the Zero that often so it’s not too much trouble. I just wish there was a persistent setting for Obico enabling/diasbling in Kiipper that I could do once after each firmware update, as I can on the SV08.
Not expecting their users to ssh into the printer might make sense for Bambu but I expect a factor for many of us in choosing this printer was an expectation of being able to learn what is going on under the hood.
I don’t know what Sovol expects users to do with the OS. It feels like all the Linux side stuff is actually done by MKS (check the copyright inside the custom python modules for the Zero). How that works I’ve no idea. Do they pay by the hour? Do they submit a specification for bid and accept whatever MKS spits out? Whatever the process it seems as long as it’ll boot Sovol doesn’t care about versions or security or klipperscreen auto starting even with no screen attached.
I really want a printer like the zero. I don’t, however want a mainboard that has an integrated Linux computer with a minimum spec Rockchip CPU with not enough RAM, not enough storage and won’t run a generic version of Armbian. And why “reinvent” klipper screen to run on a proprietary touch screen?
My SV07 though loves the Microsoft Surface I picked up used for $60 and put Debian Server on. Kiauh makes the Klipper install stupid simple.
1 Like
I carry out updates and upgrades. No problems so far.
As for me, I tried to update Klipper on my SV06A ACE.
Very bad idea, I broke the motherboard.
I had to reflash it with the stock firmware.
1 Like
If you are building a Voron or similar printer based on klipper you will probably be using the latest Raspbian linux, which is Debian. There is either a canned version of the OS with all klipper packages installed, or just the command line lite version of Raspbian and you then run the klipper install scripts to install the latest version of klipper along with the required python packages. You also have to build the firmware images for your main and toolhead MCU boards. Unlike Marlin, most of the hardware specific stuff is in config files that are loaded at run time, Marlin has you compile in all the hardware settings at build time.
SO … it is safe to update your own build, but you might have to update EVERYTHING the same way that installed it the firat time.
BUT unless you update your Sovol to main line klipper, you are running pre built images that work together. Even though Sovol has tried to open source their printers, unless you can find all the source files for the pre built image you are running, trying to update pieces could break things!!
Does Sovol have an official repository that the linux system on their printers can point APT to for updates? Or does the APT command ‘phone home’ to Debian? If Sovol doesn’t have their own repository, they should remove the apt command from the printers linux shell!
I usually edit my printer’s config files over SSH using nano. I haven’t yet found anything that needed to be changed except for adding the mount point for the USB flash drive to the virtual gcode file chain. I still need to find a way to get the mounted USB flash drive to be seen on the LCD print menu though…