How do I install a GUI on my Amazon EC2 instance that's running Amazon Linux 2?

I want to install a graphical user interface (GUI) in my Amazon Elastic Compute Cloud (Amazon EC2) instance that's running Amazon Linux 2.

Short description

You can manually install a GUI, or you can choose from one of the following alternatives:

  • Launch from an Amazon Linux 2 Amazon Machine Image (AMI) that comes with MATE preinstalled. For more information, see Configure the Amazon Linux 2 MATE desktop connection.
  • Use Amazon WorkSpaces, a fully managed, persistent desktop virtualization service. For more information, see Amazon WorkSpaces.
  • Use NICE DCV, a remote display protocol that delivers remote desktops and application streaming securely from any cloud or data center to any device. For more information, see NICE DCV.

Resolution

Prerequisites

  1. Use SSH to connect to your instance as an Amazon EC2 user. The instance must be in a public subnet and accessible through a public IP address or an Elastic IP address. Or, you can establish a connection using AWS VPN or AWS Direct Connect that allows you to access your instance through a private IP. These instructions don't apply to environments using a bastion host. For security reasons, traffic to the virtual network computing (VNC) server is tunneled using SSH. It's a best practice to avoid opening VNC ports in your security groups.
  2. Run sudo yum update to update your instance, and then reboot the instance. Failure to update and reboot can lead to unpredictable results in the next steps.

Note: The following set of instructions applies only to Amazon Linux 2. To confirm your version, run the following command:

$ grep PRETTY_NAME /etc/os-release
PRETTY_NAME="Amazon Linux 2"

Install the MATE desktop environment

Install the MATE desktop environment, a lightweight GUI based on GNOME 2 that's available as an extra for Amazon Linux 2. For more information about MATE, see the MATE desktop environment website.

  1. Install MATE packages.

    sudo amazon-linux-extras install mate-desktop1.x -y
  2. Define MATE as your default desktop for all users.

    sudo bash -c 'echo PREFERRED=/usr/bin/mate-session > /etc/sysconfig/desktop'

Install TigerVNC

Install a VNC service, such as TigerVNC. For more information about TigerVNC, see the tigervnc.org website.

  1. Install TigerVNC Server.

    sudo yum install tigervnc-server -y
  2. Configure a VNC-specific password with six to eight characters for this user. When you're asked if you want to enter a view-only password, press n.

    vncpasswd
  3. Restrict VNC network access to the localhost, so that you can access VNC only with a secure SSH tunnel.
    Create the tigervnc configuration directory.

    sudo mkdir /etc/tigervnc

    Create a mandatory configuration file containing the localhost option.

    sudo bash -c 'echo localhost > /etc/tigervnc/vncserver-config-mandatory'

    Note: If you want the VNC session to run on all interfaces, allowing for direct internet access, then comment out the localhost entry with a hash (#). It's a best practice to allow the VNC session port only from a specific IP address or CIDR range by restricting it with a security group.

  4. Start the VNC Server on display number 1 and set it to always start at boot.
    Create a new systemd unit with a symbolic link to /etc/systemd/system/.

    sudo ln -s /lib/systemd/system/vncserver@.service /etc/systemd/system/vncserver@.service

    Use the sed command to replace all occurrences of USER in the new unit with ec2-user.

    sudo sed -i 's/<USER>/ec2-user/' /lib/systemd/system/vncserver@.service

    Reload the systemd manager configuration.

    sudo systemctl daemon-reload

    Turn on the service at boot.

    sudo systemctl enable vncserver@:1

    Start the service.

    sudo systemctl start vncserver@:1

    Confirm that the service runs.

    sudo systemctl status vncserver@:1

    Confirm that display number 1 defaults to port 5901/TCP with the following command:

    sudo netstat -tulpen | grep '590*'
    tcp 0 0 0.0.0.0:5901 0.0.0.0:* LISTEN 1000 78547 1304/Xvnc
    tcp6 0 0 :::5901 :::* LISTEN 1000
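
A local address of 0.0.0.0 or :: in that output means the VNC server accepts connections on every interface, while a server restricted with the localhost option is expected to show a loopback address (127.0.0.1 or ::1). The following check is an added example, not part of the original article: the function name find_exposed_vnc and both sample listings are constructed for illustration, and it reads netstat -tln style lines on standard input.

```shell
#!/bin/sh
# Added example (not AWS code): report TCP listeners on VNC display ports
# (5900-5999) that are bound to a non-loopback address.
# Returns 1 if any such listener is found, 0 otherwise.
find_exposed_vnc() {
  awk '
    $1 ~ /^tcp/ && $6 == "LISTEN" {
      addr = $4; port = $4
      sub(/.*:/, "", port); port += 0      # text after the last colon
      sub(/:[0-9]+$/, "", addr)            # text before the last colon
      if (port < 5900 || port > 5999) next # not a VNC display port
      if (addr ~ /^127\./ || addr == "::1") next  # loopback only
      printf "%s port %d\n", addr, port
      exposed = 1
    }
    END { exit exposed + 0 }
  '
}

# Constructed sample: VNC listening on all interfaces.
SAMPLE_OPEN='tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 0 17000 900/sshd
tcp 0 0 0.0.0.0:5901 0.0.0.0:* LISTEN 1000 78547 1304/Xvnc
tcp6 0 0 :::5901 :::* LISTEN 1000 78548 1304/Xvnc'

# Constructed sample: VNC restricted to loopback.
SAMPLE_LOCAL='tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 0 17000 900/sshd
tcp 0 0 127.0.0.1:5901 0.0.0.0:* LISTEN 1000 78547 1304/Xvnc
tcp6 0 0 ::1:5901 :::* LISTEN 1000 78548 1304/Xvnc'

printf '%s\n' "$SAMPLE_OPEN" | find_exposed_vnc \
  || echo "sample 1: VNC is reachable beyond loopback"
printf '%s\n' "$SAMPLE_LOCAL" | find_exposed_vnc \
  && echo "sample 2: VNC is bound to loopback only"
```

On the instance itself, pipe the live listing into the function: sudo netstat -tln | find_exposed_vnc. Any line it prints should be matched against the security group rules for that port.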

Connect to the GUI using VNC

To connect to the GUI using VNC, install the TigerVNC software, use SSH to connect to your instance, and then enter your VNC password.

Install the TigerVNC software
TigerVNC is available for Windows, Linux, and macOS. See the TigerVNC website to access the download.

  • Linux: The TigerVNC package is available in the repositories of many distributions.
  • macOS: Download and install TigerVNC-x.y.z.dmg, where x.y.z represents the latest version.
  • Windows: Download and install tigervnc64-x.y.z.exe (64-bit) or tigervnc-x.y.z.exe (32-bit), where x.y.z represents the latest version.

Use SSH to connect to your instance
Use SSH to connect to your instance. Then, create a tunnel to forward all traffic on local port 5901/TCP (VNC) to the instance's VNC server.

Note: If you didn't restrict VNC network access to the localhost, you're not required to use a secure SSH tunnel. You can use the instance public IP to connect to TightVNC Viewer.

Linux and macOS
When you connect to your instance using SSH, add the -L parameter to activate port forwarding. Replace PEM_FILE with your private key, and INSTANCE_IP with your instance's public or private IP.

ssh -L 5901:localhost:5901 -i PEM_FILE ec2-user@INSTANCE_IP

Windows
When you open the connection with PuTTY, configure port forwarding, and then open the connection:

  1. From the Connection menu, select SSH, and then select Tunnels.
  2. Enter 5901 in the Source Port field.
  3. Enter localhost:5901 in the Destination field.
  4. Select Add.

Enter the VNC password
To enter the VNC password, complete these steps:

  1. Open the TigerVNC Viewer on your local computer.
  2. For the VNC server hostname, enter localhost:1, and then connect to it.
  3. Enter the VNC password that you set up in step 2 of the Install TigerVNC section.

Note: If you receive an alert that the connection isn't secure, disregard it. Access to the VNC server uses an encrypted SSH tunnel.

(Optional) Turn off password authentication for VNC

It's not a best practice to turn off VNC password authentication. When VNC password authentication is turned off, any users authorized to use SSH to connect into your instance can create a tunnel and access your VNC desktop.

If this is a single-user instance and you want to turn off password authentication for VNC, then complete these steps.

  1. Run the following command to change the Security Types setting of the VNC Server to None.

    echo SecurityTypes=None >> ~/.vnc/config
  2. Restart the VNC server.

    sudo systemctl restart vncserver@:1

(Optional) Install a web browser (X86 only)

AWS doesn't provide web browsers such as Chromium or Firefox in Amazon Linux 2 repositories. These third-party sources don't provide web browsers for instances based on Graviton processors (aarch64).

Note: AWS doesn't provide support for software installed from third-party sources.

Both Chromium and Firefox are available only in the X86 variant. To install one of these browsers, follow these steps. Note: These steps apply to EC2 instances based on 64-bit Intel and AMD processors (x86_64).

To confirm your instance's architecture, run this command:

$ uname -m

To install Chromium (the open-source project behind Google Chrome), complete these steps:

  1. Activate the EPEL repository. See the EPEL documentation on the Fedoraproject.org website for more information.

    sudo amazon-linux-extras install epel -y
  2. Install Chromium packages.

    sudo yum install chromium -y

Chromium installs on MATE under Applications > Internet > Chromium Web Browser.

To install Mozilla Firefox (for current user only), complete these steps:

  1. Download the latest Firefox version for Linux 64-bit to your local computer. See the mozilla.org website to access the download or add the repo for Debian Linux.

  2. After Firefox downloads, copy the file to your instance. See the respective websites for Linux and Windows for instructions.

  3. Use SSH to connect to your EC2 instance.

  4. Extract the file contents. This example command indicates that the file is in the ec2-user's home directory. Change the path and the Firefox version "xx.y" as needed.

    tar jxf ~/firefox-xx.y.tar.bz2 -C ~/
  5. To create a desktop icon, use a text editor such as vim. Create the file ~/Desktop/Firefox.desktop with the following content:

    [Desktop Entry]
    Version=1.0
    Type=Application
    Terminal=false
    Icon=/home/ec2-user/firefox/browser/chrome/icons/default/default128.png
    Icon[en_US]=/home/ec2-user/firefox/browser/chrome/icons/default/default128.png
    Name[en_US]=Firefox
    Exec=/home/ec2-user/firefox/firefox
    Comment[en_US]=Firefox web browser
    Name=Firefox
    Comment=Firefox web browser
    GenericName[en_US.UTF-8]=Firefox web browser
    Categories=Network;WebBrowser;
  6. Use the desktop icon that you created in step 5 to launch Firefox.

  7. If a prompt appears telling you that the application launcher is not marked as trusted, choose Mark as Trusted, and then open Firefox.

Related information

How can I access my Amazon EC2 Mac instance through a GUI?

AWS OFFICIAL
Updated a month ago
10 Comments

I keep getting the following error. Could you help? Trying to connect via TigerVNC from Windows 10 to Amazon Linux 2. PuTTY connections work just fine.

2023-03-22 16:21:35 Opening connection to localhost:5901 for forwarding from [::1]:62131

2023-03-22 16:21:35 Forwarded connection refused by remote: Connect failed [Connection refused]

replied a year ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied a year ago

I have followed all instructions in this article, but when I connect via TigerVNC I get an empty screen. Meaning, the connection is successful but nothing appears on screen.

I am running CIS Amazon Linux 2 Kernel 5.10 Benchmark v1.0.0.14 - Level 1-abcfcbaf-134e-4639-a7b4-fd285b9fcf0a (ami ID ami-0547e646fff07d3e3)

replied a year ago

This guide is outdated. amazon-linux-extras no longer exists in Amazon Linux 2023

TG
replied a year ago

Is there an updated guide?

Janubie
replied a year ago

Tried using the latest AMI with MATE desktop connection but the GLIBC libraries are at 2.26, which is too old, not a viable solution

Craig
replied 5 months ago
