Customizing the Amazon Linux WorkSpace

When you’re creating a custom bundle for your Amazon WorkSpaces deployment, you might choose to include desktop experience settings as part of your customization.  With an Amazon Windows WorkSpace, this is achieved using user profiles and Active Directory Group Policies. Can Amazon Linux admins join the manage-user-experience party? Absolutely.

Amazon Linux WorkSpaces use the MATE Desktop Environment. The MATE framework can be configured to help you create a consistent user experience as part of your Amazon Linux WorkSpace bundle. It allows granular control over configuration changes and locking desktop settings.

This post shows you how to accomplish the following tasks:

• Capture configuration settings for the MATE applications and desktop environment.
• Create a customized desktop environment as part of a Linux WorkSpace custom bundle.
• Create mandatory environment settings that cannot be changed by the user.

Overview

The MATE Desktop Environment provides an intuitive and attractive desktop environment using traditional metaphors for Linux and other Unix operating systems.

MATE settings are stored using dconf, a simple key-based configuration system. dconf stores information in a binary database file. You can change the dconf file in an Amazon Linux WorkSpace using the gsettings command line tool.

Applications using dconf install a schema, a list of the available settings. Users can change the settings, and those settings are stored in a binary file located at /home/username/.config/dconf/user.

Now, say that you must set up a custom bundle for your users. An Amazon Linux WorkSpace has two disks: a system partition mounted as root (/), and a user partition mounted at /home. The system partition is saved to an image for use with a custom bundle. By default, the dconf database file is saved on the user partition. You can find the settings to manage and store them so that they are applied whenever a custom bundle is deployed.

Prerequisites

Make sure you have the following prerequisites before following the solution in this post:

• An Amazon Linux WorkSpace deployed for the template user. If you are new to Amazon WorkSpaces, you can create your first Amazon WorkSpaces environment by following Getting Started with Amazon WorkSpaces.
• A directory service for your Amazon WorkSpaces. This can be an AWS Managed Active Directory domain.
• Two users: a user to create your custom bundle configuration, and another user to validate and test with.
• A sense of fun and adventure.

Walk-through

This post shows you how to preconfigure a customized desktop using MATE Desktop Environment tools.

Step 1: Customizing the Amazon Linux image for custom environment settings

For this walk-through, you take a default Linux AMI and make sure that it is up to date. Then, you define keyboard settings for developers so they can be up and running quickly. I use United Kingdom settings.

To make sure no one panics when they’re browsing for images because they can’t see the thumbnail, you enable a thumbnail for all images. You also change the desktop from the default background to a corporate standard. As a final flourish, you reduce the idle time for the screen saver.

1. Create an Amazon Linux WorkSpace for your template user—you can use the free tier Standard Linux bundle for this walk-through. When you’ve connected, ensure you have the most up-to-date environment. If your Amazon WorkSpace deployment does not have an internet connection, add a VPC endpoint. Start a terminal session and make sure that you’re current by typing the following command.

2. sudo yum update

3. Save the default MATE configuration for the user’s environment before you customize it. You can use dconf in a watch mode to view all the settings as they are changed. It is cumbersome to find the settings that you require when doing multiple changes, so take a settings snapshot.
   1. Launch a terminal and enter the following:

      gsettings list-recursively | sort > gsettings.before

   2. Keep the terminal window open. You’ll need it later.
   3. Keyboard: From the toolbar, choose System, Preferences, Keyboard. Choose the Layouts tab. Add in the UK keyboard (or try something other than US, which is the default). After you’ve selected, save the options, and close the Keyboard Preferences window.
   4. Thumbnail: From the toolbar, choose System, Preferences, File Management. Choose the Preview tab. For Other Previewable Files, set Show Thumbnail to Always. Close the File Management window.
   5. Background: Open the context (right-click) menu for the desktop, choose Change Desktop Background. On Appearance Preferences, choose Background. For this walk-through, set the desktop background to be a solid color. To set a solid color, select the top right-most option, No Desktop Background. Select Solid Color from Colors. To select a color, choose the colored icon and set that color a hex value. I chose #ff9900. Close Appearance Preferences.
   6. ScreenSaver: From the toolbar, choose System, Preferences, ScreenSaver.  Change the idle time to 2 minutes. Close the window.

Step 2: Creating a set of default settings

1. Save the default MATE configuration for the customized environment you created.  In your terminal window, enter the following:

   gsettings list-recursively | sort > gsettings.after

2. Compare before and after to understand what settings you changed.

   diff -U0 gsettings.{before,after}

You can now compile a list of settings that you must change and lock down as part of the customized user experience. In summary, they are listed as follows:

org.mate.background color-shading-type 'solid'
org.mate.background picture-options 'wallpaper'
org.mate.background primary-color 'rgb(245,121,0)'
org.mate.peripherals-keyboard-xkb.kbd layouts ['gb', 'us']
org.mate.caja.preferences show-image-thumbnails 'always'
org.mate.session idle-delay 2

Step 3: Applying the default settings to the image

You can take a copy of the template user’s dconf database on the system partition, and copy that to the user profile on startup to create a customized environment.

You can also have granular control over which settings are applied and control the user’s ability to change those settings after they’re applied using keyfiles and lockdown mode.

To have more granular control, you can create dconf keyfiles under /etc/dconf/db/local.d/ in a format similar to Windows .ini files. In the keyfiles, section names in the file refer to the schema path, not the schema name.

1. Get the schema path from the appropriate .gschema.xml To get the path for the background schema, open a terminal window on your Linux WorkSpace and type the following:

   grep -F path= /usr/share/glib-2.0/schemas/org.mate.background.gschema.xml

   This gives the following output:

   schema id="org.mate.background" path="/org/mate/desktop/background/">

   You found that org.mate.background has a schema path of /org/mate/desktop/background/.

2. You can repeat this method to find the other schema paths for the settings you configured in Step 2. Here is my file, 00-background, as an example.

   [org/mate/desktop/background]
color-shading-type='solid'
picture-filename = ''
primary-color='rgb(245,121,0)'
[org/mate/desktop/peripherals/keyboard/kbd]
layouts=['gb', 'us']
[org/mate/caja/preferences]
show-image-thumbnails='always'
[org/mate/desktop/session]
idle-delay=2

3. Apply the settings by updating dconf. From a terminal window, type the following:

   sudo dconf update

Step 4: Controlling access to customization

It is a common enterprise configuration to prevent users from changing settings to allow standard use, and prevent issues. In the example environment, prevent the user from changing the desktop background by using lockdown mode.

Before you can lock a setting, it must be configured, using the method you used in Step 3.

1. Create a file in the /etc/dconf/db/local.d/locks/ directory.

   sudo pluma /etc/dconf/db/local.d/locks/00-desktop-control

2. Place the control settings into the lockdown file, save the file, and close the Pluma editor. List one key, or subpath, to lock per line. Here is my file as an example, I’ve locked the ability to change the background

   #Lockdown settings for desktop appearance
/org/mate/desktop/background/color-shading-type
/org/mate/desktop/background/picture-filename
/org/mate/desktop/background/primary-color

3. Apply the settings by updating dconf. From a terminal window, type the following:

   sudo dconf update

4. You can validate by trying to change the desktop background as you did in Step 1. The option to change is still available, but you cannot make a change.

You can now create a custom bundle using the image that you have customized and locked down. For more information, see Create a Custom WorkSpaces Bundle.

When you deploy a new WorkSpace for your test user, the test user can have the desktop customizations already applied when they log on.

Happy days.

Conclusion

In this post, you used the MATE Desktop Environment to preconfigure and lock down the desktop experience for new users. The configuration settings are collated as text files. You can manage these files as part of your custom bundle management process, or by using configuration tools such as AWS Systems Manager, Chef, or Puppet.

To dive deeper into topics discussed here, see the following:

• MATE Desktop Environment
• GNOME System Administration Guide
• Managing Amazon Linux 2 Amazon WorkSpaces with AWS OpsWorks for Puppet Enterprise