Help improve AWS Support Official channel in re:Post and share your experience - complete a quick three-question survey to earn a re:Post badge!
How do I install a GUI on my Amazon EC2 instance that's running Amazon Linux 2?
I want to install a graphical user interface (GUI) on my Amazon Elastic Compute Cloud (Amazon EC2) instance that runs Amazon Linux 2 (AL2).
Short description
To run graphical applications on Linux, you need a desktop environment. Standard Amazon Machine Images (AMIs) for AL2 don't come with a desktop environment installed by default. Use the AL2 Extras Library to install the MATE Desktop Environment. For more information, see MATE Desktop Environment on the MATE website.
Or, launch the instance from an AL2 AMI that comes with MATE preinstalled. For more information, see Configure the AL2 MATE desktop connection. You can also use virtual desktops on Amazon WorkSpaces to run AL2, Ubuntu Linux, Rocky Linux, Red Hat Enterprise Linux (RHEL), or Microsoft Windows.
Resolution
Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.
The following resolution is for AL2 only. To check your Linux distribution name and version, run the following command:
grep PRETTY_NAME /etc/os-release
You can't use the following resolution steps for environments that use a bastion (jump) instance to connect to other EC2 instances in a non-public subnet. To securely connect to EC2 instances that don't have direct internet connectivity, use EC2 Instance Connect Endpoint or Session Manager, a capability of AWS Systems Manager. Or, use AWS Site-to-Site VPN or AWS Direct Connect to establish secure connectivity between your network and AWS.
Update your instance
It's a best practice to update and reboot your instance before you install the GUI to avoid issues.
To update your instance, complete the following steps:
-
Run the following command to update your instance:
sudo yum update
Install the MATE desktop environment
To install the MATE desktop environment, complete the following steps:
-
To install MATE packages, run the following command:
sudo amazon-linux-extras install mate-desktop1.x -
To define MATE as your default desktop environment for all users, run the following command:
sudo bash -c 'echo PREFERRED=/usr/bin/mate-session > /etc/sysconfig/desktop'
Install a VNC server
Install a Virtual Network Computing (VNC) server, such as TigerVNC, to access remote graphical desktop services. For more information about TigerVNC, see TigerVNC on the TigerVNC website.
For security reasons, the following configuration doesn't allow direct connectivity through TigerVNC. Instead, you must use an encrypted SSH tunnel to access the GUI. It's a best practice to not open VNC ports in your security groups.
To install TigerVNC, complete the following steps:
-
To install the TigerVNC server, run the following command:
sudo yum install tigervnc-server -
To configure a VNC-specific password for your user, run the following command:
vncpasswdNote: When the terminal asks whether you want to enter a view-only password, press n. The unencrypted password is recorded to a file in your home directory. Only your user and the root user can access the file. A challenge-response mechanism protects the passwords transmitted over the network. For more information, see vncpasswd on the TigerVNC website. The SSH tunnel that you use further protects connections with stronger encryption.
-
To create the tigervnc systemwide configuration directory, run the following command:
sudo mkdir /etc/tigervnc -
To block direct connectivity to the VNC, run the following command:
sudo bash -c 'echo localhost > /etc/tigervnc/vncserver-config-mandatory' -
To create a new systemd unit for TigerVNC, run the following command:
sudo cp /lib/systemd/system/vncserver@.service /etc/systemd/system/vncserver@.service -
To replace all occurrences of <USER> in the new unit with your username, run the following command:
sudo sed -i 's/<USER>/'${USER}'/' /etc/systemd/system/vncserver@.service -
To reload the systemd manager configuration, run the following command:
sudo systemctl daemon-reload -
To activate the TigerVNC service at boot, run the following command:
sudo systemctl enable vncserver@:1 -
To start the TigerVNC service, run the following command:
sudo systemctl start vncserver@:1 -
To confirm that the TigerVNC service runs, run the following command:
sudo systemctl status vncserver@:1 -
To confirm that the TigerVNC is listening on TCP port 5901, run the following command:
ss -lnp '( sport = :5901 )'
Install TigerVNC Viewer on your local computer
TigerVNC Viewer is available for Windows, macOS, and Linux. To download the tool, see Releases on GitHub.
Based on your operating system (OS), download the following TigerVNC Viewer version:
- For Windows, install tigervnc64-x.y.z.exe (64-bit) or tigervnc-x.y.z.exe (32-bit).
- For macOS, install TigerVNC-x.y.z.dmg.
Note: Replace x.y.z with the latest version number. - For Linux, you can find the TigerVNC package in the repositories of many distributions. Check your distribution instructions for information about how to install packages. Or, download and install the relevant binary from GitHub.
Access the GUI
To access the GUI, you must first connect to your instance from your local computer with port forwarding activated for TCP port 5901. This configuration creates an encrypted SSH tunnel for VNC traffic. Then, use the VNC Viewer to connect to the GUI.
Create an encrypted SSH tunnel
Important: Make sure that your local computer's firewall allows TCP connections to port 5901.
If you use PuTTY to connect to your instance, then complete the following steps before you open the connection:
- In the Category navigation pane, expand Connection, and then choose SSH.
- Expand SSH, and then choose Tunnels.
- For Source Port, enter 5901.
- For Destination, enter localhost:5901.
- Choose Add.
If you use an SSH client to connect to your instance, then run the following command to activate port forwarding:
ssh -L 5901:localhost:5901 -i /path/key-pair-name.pem user@instance-dns-name
Note: Replace path with your key path and key-pair-name with the name of the private key file. Replace user with the username and instance-dns-name with your instance's DNS name or IP address. The default username for AL2 is ec2-user.
If you use EC2 Instance Connect to connect to your instance, then you must run the following ec2-instance-connect AWS CLI command to activate port forwarding:
aws ec2-instance-connect ssh --instance-id i-1234567890example --connection-type direct --local-forwarding 5901:localhost:5901
Note: Replace i-1234567890example with your instance ID. If you use EC2 Instance Connect Endpoint, then replace direct with eice.
If you use Session Manager to connect to your instance, then you must start a Session Manager port forwarding session. For both the local and remote ports, enter 5901.
Use VNC Viewer to connect to the GUI
Complete the following steps:
- Open TigerVNC Viewer on your local computer.
- For VNC server, enter localhost:1, and then choose Connect.
- Enter your VNC password.
Note: If you receive an alert that the connection isn't secure, then disregard it. You're accessing the VNC server through the encrypted SSH tunnel that you created.
(Optional) Deactivate password authentication for VNC
Important: It's a best practice to deactivate password authentication for only single-user instances. When VNC password authentication is off, any user that can log on to your instance can create an SSH tunnel and access your VNC desktop.
To deactivate password authentication for VNC, complete the following steps:
-
Run the following command to change the VNC server's Security Types setting to None:
echo SecurityTypes=None >> ~/.vnc/config -
To restart the VNC server, run the following command:
sudo systemctl restart vncserver@:1
(Optional) Install a web browser
AWS doesn't provide web browsers in AL2 repositories. However, you can install web browsers such as Chromium on the Chromium Projects website or Firefox browsers on the Mozilla website.
Note: AWS doesn't provide support for software that you installed from third-party sources.
The following installation steps are only for instances based on the x86_64 architecture (Intel and AMD processors). You can't use the following resolution for instances based on the aarch64 architecture (AWS Graviton processors). To check your instance's architecture, run the following command:
uname -m
Install Chromium
Complete the following steps:
-
To activate the Extra Packages for Enterprise Linux (EPEL) repository, run the following command:
sudo amazon-linux-extras install epelNote: For more information, see the Extra Packages for Enterprise Linux (EPEL) on the Fedora Project website.
-
To install Chromium packages, run the following command:
sudo yum install chromium -
On the MATE desktop, choose Applications, and then choose Internet. You can find Chromium listed as Chromium Web Browser.
Install Firefox
Note: You can install Firefox for the current user only.
To install Firefox for the current user on your AL2 instance, complete the following steps:
-
To download the latest version of Firefox for Linux 64-bit, run the following command:
curl -L -o ~/firefox.tar.xz 'https://download.mozilla.org/?product=firefox-latest-ssl&os=linux64&lang=en-US' -
To extract the downloaded file contents, run the following command:
tar Jxf ~/firefox.tar.xz -C ~/ -
To create a Firefox shortcut in your desktop, run the following command:
echo '[Desktop Entry] Version=1.0 Type=Application Terminal=false Icon=/home/ec2-user/firefox/browser/chrome/icons/default/default128.png Exec=/home/ec2-user/firefox/firefox Name=Firefox Comment=Firefox web browser GenericName=Firefox web browser Categories=Network;WebBrowser;' > ~/Desktop/Firefox.desktop -
Use the desktop shortcut to launch Firefox.
Note: If you receive a message that the application launcher isn't trusted, then choose Mark as Trusted.
Related information
How can I access my Amazon EC2 macOS instance through a GUI?
I keep getting following error. Could you help? Trying to connect via TigerVNC from Windows 10 to Amazon Linux 2. Putty connections works just fine.
2023-03-22 16:21:35 Opening connection to localhost:5901 for forwarding from [::1]:62131
2023-03-22 16:21:35 Forwarded connection refused by remote: Connect failed [Connection refused]
Thank you for your comment. We'll review and update the Knowledge Center article as needed.
I have followed all instructions in this article, but when I connect via TigerVNC I get an empty screen. Meaning, the connection is successful but nothing appears on screen.
I am running CIS Amazon Linux 2 Kernel 5.10 Benchmark v1.0.0.14 - Level 1-abcfcbaf-134e-4639-a7b4-fd285b9fcf0a (ami ID ami-0547e646fff07d3e3)
Thank you for your comment. We'll review and update the Knowledge Center article as needed.
This guide is outdated. amazon-linux-extras no longer exists in Amazon Linux 2023
Thank you for your comment. We'll review and update the Knowledge Center article as needed.
Is there an updated quide?
Thank you for your comment. We'll review and update the Knowledge Center article as needed.
Tried using the latest AMI with MATE desktop connection but the GLIBC libraries are at 2.26 which is too old not not a viable solution
Thank you for your comment. We'll review and update the Knowledge Center article as needed.
Hello, we have a AMI product providing GUI desktop that can be found at https://aws.amazon.com/marketplace/pp/prodview-qxpguux4j23ns?sr=0-10&ref_=beagle&applicationId=AWSMPContessa please don't hesitate to contact us for further assistance.
Can you provide detailed instruction on how to REMOVE installed GUI and VNC?
I followed these instructions on a fresh Linux 2 box but when I tried to enable vncserver at startup
$ sudo systemctl enable vncserver@:1
I got:
Failed to execute operation: Too many levels of symbolic links
Any help?
I encountered a blank screen after following the steps in this article. it turned out to be the ".vnc/xstartup" file in the user's home directory, which was configured to start KDE. To resolve this, I commented out the existing configuration and replaced it with the following, which worked successfully.
!/bin/sh
unset DBUS_SESSION_BUS_ADDRESS
[ -x /etc/vnc/xstartup ] && exec /etc/vnc/xstartup
[ -r $HOME/.Xresources ] && xrdb $HOME/.Xresources
xsetroot -solid grey
vncconfig -iconic &
x-terminal-emulator -geometry 80x24+10+10 -ls -title "$VNCDESKTOP Desktop" &
x-window-manager &
mate-session &
Thank you for your comment. We'll review and update the Knowledge Center article as needed.
i also got
Failed to execute operation: Too many levels of symbolic links
when i ran
sudo systemctl enable vncserver@:1
Thank you for your comment. We'll review and update the Knowledge Center article as needed.
Step 5 under (Optional) Install a web browser (X86 only) needs to be corrected. Special characters are being escaped, rendering the file syntax invalid.
The guide is out of date. It is also not informative/educational enough. Too concise. This is a 'blind' guide. You show only steps but don't show original configuration file contents. Simply showing a bunch of steps is not informative and dangerous for system administration to blindly follow.
Step six (6) is plain wrong now and because you have shown no contents of the systemd unit file one is left wondering what this step may have been doing.
sudo sed -i 's/<USER>/'${USER}'/' /etc/systemd/system/vncserver@.service
Does nothing as there is no USER string to replace in the vncserver@.service file
# grep -i user /lib/systemd/system/vncserver@.service
# 1. Add a user mapping to /etc/tigervnc/vncserver.users.
# 2. Adjust the global or user configuration. See the
# [user@hostA ~]$ ssh -v -C -L 590N:localhost:590M hostB
After=syslog.target network.target systemd-user-sessions.service
WantedBy=multi-user.target
This step is a crucial part of the configuration but what was the intended outcome?
The service fails to start due to errors in configuration steps above:
May 13 22:13:49 ip-10-2-4-188.us-west-2.compute.internal vncsession[624125]: vncsession: vncserver exited with status=2
May 13 22:13:49 ip-10-2-4-188.us-west-2.compute.internal vncsession[624125]: pam_unix(tigervnc:session): session closed for user ec2-user
Step four (4) is also dangerous as you are clobbering (destroying) a config file's informative comments. Potentially future releases of this file could hold important configuration details which would be lost using this blind step.
$ pwd
/etc/tigervnc
$ cat vncserver-config-mandatory
## Mandatory settings for VNC servers started by the vncserver service
#
# Any settings given here will override the builtin defaults and
# settings specified in ~/.config/tigervnc/config or vnc-config-defaults.
#
# See HOWTO.md and the following manpages for more details:
# vncsession(8) Xvnc(1)
#
# Several common settings are shown below. Uncomment and modify to your
# liking.
# session=gnome
# securitytypes=vncauth,tlsvnc
# geometry=2000x1200
# localhost
# alwaysshared
Relevant content
- asked 3 years ago
- asked 2 months ago
- asked 7 months ago
AWS OFFICIALUpdated 8 months ago- AWS OFFICIALUpdated a year ago