Install MATLAB Online Server on Red Hat OpenShift

These instructions are for installing MATLAB^® Online Server™ on the Red Hat^® OpenShift^® platform.

Verify Installation Prerequisites

Make sure your system meets the following requirements:

Push and pull access to the remote Docker^® repository
Existing OpenShift 4.x cluster with:
- Support for network policy
- Service account that has access to "privileged" security context constraints.
  You can create this access with the following commands (the commands require the oc command tool):

>oc create namespace mathworks 
>oc create sa custom-sa --namespace mathworks 
>oc adm policy add-scc-to-user privileged -z custom-sa --namespace mathworks

Also complete the following software checks on the client machine before downloading and then configuring MATLAB Online Server. The tasks can be done in any order.

Make sure you can access the cluster’s kubeconfig file from the client machine.
Make sure the client machine OS is supported. Refer to Supported Platforms.
Install Helm^® 3.
Install Kubectl.
Install Docker.
Check that the machine meets the software and hardware requirements described in MATLAB Online Server System Requirements.

Note

These instructions include sudo for commands that by default require administration privileges. Depending on how your environment is configured, sudo might not be required in some cases.

Install Network License Manager

Follow the Linux^® instructions for installing on an offline machine described in Install License Manager on License Server in the Help Center. Configure the server to be accessed over the network.

MathWorks^® requires two license servers: one for MATLAB Online Server and one for MATLAB.
You can use existing network license servers or create a new installation.
MATLAB workers must have access to their MathWorks licenses. Those licenses can be either co-located on the same license server or on independent servers.
Specify the MATLAB and MATLAB Online Server license hostnames and ports using the <port>@<host>[,<port>@<other-host>] format. The hostname and port must be accessible from inside the Kubernetes^® cluster.
On each license server, add these lines to your license file to fix communication with the network license manager and the MLM daemon to ports 27000 and 27001, respectively.
```
SERVER <HOSTID> ID=0 27000
DAEMON MLM "<FLEXLM_INSTALL_LOCATION>/etc/MLM" port=27001
```
By default, the MATLAB Online Server network policy enables access to these ports. Running the network license manager and MLM daemon on different ports is supported, but this configuration requires additional updates to your MATLAB Online Server network policy.
If you are restricting access to toolboxes or licenses by username, you must allow mwuser, the username of the license service that runs in the Kubernetes cluster, to check out licenses for MATLAB Online Server. In the etc folder of the network license manager for MATLAB Online Server, add this line to your MLM.opt options file:
```
INCLUDE MATLAB_Online_Server USER mwuser
```

If the license server is configured correctly, then the license service running in the Kubernetes cluster runs without any errors and checks out the license when it starts. If the license is invalid or the license server cannot be reached, then the license service exits and Kubernetes automatically attempts to restart the license service periodically until it succeeds.

The other services require that the license server is running, but if the license is temporarily unavailable, they continue to run. After an approximately two-hour grace period, the services go into a hibernation state and then reject requests with a failed status. The logs of the services indicate when they enter or exit this hibernation or grace period state.

If you encounter any issues with the license service, see Resolve License Service Issues.

Download MATLAB Online Server Installer

Follow these steps to download and then extract the MATLAB Online Server installer and files.

Go to the Downloads page on mathworks.com.
Under Select Release, select the current release, for example R2023b.
Expand the Get MATLAB Online Server section. This section appears only if your account has a license for MATLAB Online Server software.
Click Download to download the ZIP file.
In the download folder or folder of your choice, extract the installation files. For example, this command downloads the ZIP file to your home directory (~/).
```
unzip R2023b_matlab_online_server.zip -d ~/
```
The unzipped matlab_online_server folder is the root folder of your MATLAB Online Server installation. Navigate into this folder. For example, if you unzipped the folder into your home directory, run this command.
```
cd ~/matlab_online_server
```
Confirm that this folder contains the following files and subfolders.
```
ls
```
- attributions.txt — Third-party software license attributions file, which is also included in each release container image.
- data — Folder that stores MATLAB Online Server data.
- install.config — File containing properties used to configure your MATLAB Online Server installation.
- mosadm — Command-line executable used to install and configure MATLAB Online Server.
- thirdpartylicenses.txt — Third-party software license file, which is also included in each release container image.
The mosadm command is the main utility to perform the remaining installation steps. You must run this command from your MATLAB Online Server installation folder. For details on the various operations it can perform, run this command.
```
./mosadm help
```

Configure MATLAB Online Server

Edit the install.config file, located in the folder where you unzipped the installer, using a text editor such as nano.

nano install.config

Before editing this file, consider creating a backup of install.config so that you have a record of the default settings.

At a minimum, set these parameter values.

Configuration Parameter	Value
`DOMAIN_BASE`	Fully qualified domain name used to access MATLAB Online Server from a web browser. Specifying an IP address as the domain base is not supported. Example: `matlabonline.mycompany.com`
`DOCKER_REGISTRY`	Remote Docker registry to push Docker images to Example: `myregistry.mycompany.com`
`DOCKER_REPOSITORY`	Remote Docker repository Example: `mos`
`IMAGE_PULL_SECRET`	User-friendly name for the Kubernetes secret object. When you deploy MATLAB Online Server, this object is created from registry credentials. This secret enables the nodes to pull images from the remote registry. Example: `mymossecret`
`ML_PASSWORD`	Administrator password you want to use to log in to MATLAB Online™. The default is `password`.
`MOS_LICENSE_SERVER`	Port and hostname of your MATLAB Online Server license server. Use the `port@host` format. Example: `27000@myhostname`
`MATLAB_LICENSE_SERVER`	Port and hostname of your MATLAB Online Server license server. Use the `port@host` format. Example: `27000@myhostname`

Specify additional properties for your deployment as needed. For example, you can update the namespace to use for the deployment or enable TLS security. For a complete list of parameters, see Installation Configuration Properties.

Download and Install MATLAB

Download and install the version of MATLAB that your MATLAB Online users connect to by using the mosadm install-matlab command. The example shown here uses sudo, but if you have ownership of the installation folder and read and write privileges on it, sudo is not required.

sudo ./mosadm install-matlab

By default, mosadm install-matlab installs the latest version of MATLAB into the /MATLAB folder on your local machine. If the /MATLAB folder does not exist, the command creates it.

For additional MATLAB installation options, see the mosadm install-matlab documentation. For example, you can install additional products or specify a specific MATLAB version to install.

Prepare Docker Images

Load the required Docker images from the MathWorks container registry and push them to your remote registry.

Load Docker Images

Load all Docker images and files shipped through the MathWorks container registry onto the computer.

Log in to the MathWorks container registry, containers.mathworks.com, using your MathWorks account credentials.
```
sudo docker login containers.mathworks.com
```
Copy the necessary Helm charts from the container registry. Helm is an open source project that helps deploy services into Kubernetes. This command creates a folder named charts in the current folder and copies the charts there.
```
sudo ./mosadm copy-helm-charts
```
Load Docker images. This command loads the images from the MathWorks container registry into the local Docker cache.
```
sudo ./mosadm load-docker-images
```
From the local installation of MATLAB that you installed in the Download and Install MATLAB step, build an image containing MATLAB. This step can take several minutes.
Note
To build this image, your machine must have a TMPDIR environment variable that specifies a writable temporary directory mounted in exec mode. For details on applying this configuration, see Tips in the mosadm build-matlab-image documentation.
```
sudo ./mosadm build-matlab-image /MATLAB
```
Here, /MATLAB is the path to the folder containing your installation of MATLAB.

Push Docker Images to Remote Registry

Push the Docker images loaded in the previous step to the remote registry you specified in the install.config file.
```
./mosadm push-docker-images
```
(Optional) To allow cluster nodes to pull these Docker images at deployment time, you must provide credentials to access the registry. If your cluster already has permissions for pulling images from the remote registry, then skip this step.
Copy the registry credentials file into your MATLAB Online Server installation. If you have logged in to the remote registry from your client machine at least one time, then the file containing the registry credentials is located at ~/.docker/config.json. For example:
```
cp ~/.docker/config.json ./dockerconfig.json
```
The server uses contents from this file to create a Kubernetes secret with the name specified by the IMAGE_PULL_SECRET property of the install.config file.

Configure Overrides

With the cluster and Docker images ready to use, before the deploying the services, load the configuration overrides.

Enter the mosadm generate-overrides command with the option --skip-matlab-image, as shown:
```
./mosadm generate-overrides --skip-matlab-image
```
The mosadm command looks for the MATLAB Docker image locally even when the image is available in the remote Docker repository. So that mosadm can proceed without its having to download the image locally, passing the flag --skip-matlab-image is necessary.
Update the file ./overrides/<cluster>/<namespace>/all.yaml to apply the following setting:
global: allowArbitraryUserId: true
MATLAB Online Server runs its containers with a specific UserId, whereas OpenShift randomizes the container’s UserId based on a range that is different for different projects in OpenShift. You must set this property to true to allow OpenShift to choose an arbitrary UserId.
Update the file ./overrides/<cluster>/<namespace>/all.yaml to add the ingress controller and its annotations.
MATLAB Online Server supports Bring-Your-Own-Ingress, and OpenShift clusters come with an ingress controller. To use the OpenShift ingress controller, set these fields for the version of OpenShift you are using.
OpenShift 4.7 or Earlier
global: ingressController: name: "openshift-ingress" annotations: haproxy.router.openshift.io/timeout: "365s"
OpenShift 4.8 or Later
global: ingressController: name: "openshift-default" annotations: haproxy.router.openshift.io/timeout: "365s"
MATLAB Online Server expects the timeout to be set to "365s" because the default timeout of openshift-ingress is not sufficient for MATLAB Online Server workflows.
Update the override file ./overrides/<cluster>/<namespace>/matlab-pool.yaml.
The changes you must implement are required for the following reasons:
- The MATLAB pool pod needs to run with a specific UserId. Because the pod also runs a privileged container to set up user storage and proxy to MATLAB, it needs to use a custom service account that has access to “privileged” security context constraints.
- The apparmor security profile, which is enabled by default, must be disabled since it is not supported on Red Hat.

# Allow use of custom service accounts 
customServiceAccount: 
  enabled: true 
  name: "custom-sa"
security:
  apparmor:
    enabled: false

You can change the service account name in this example to the name you created for the account.

Deploy MATLAB Online Server

To install all the MATLAB Online Server components, run the mosadm deploy command:
```
./mosadm deploy
```
This command uses Helm to install all the charts, customized with any overrides that you generate in the previous step.

Check that the services are all running with kubectl, replacing namespace with the namespace you used for MATLAB Online Server (default = mathworks). Depending on how you configured the server and the platform on which you installed the server, the exact pods you see might differ from the ones shown here.

kubectl get pods --namespace namespace

NAME                                                     READY   STATUS    RESTARTS   AGE
namespace-authnz-7994c9866d-675fb                   1/1     Running   0          10m
namespace-core-ui-cfdcccc4c-5bhrc                   1/1     Running   0          10m
namespace-gateway-88ffd446d-mbf2l                   1/1     Running   0          10m
namespace-gateway-proxy-6f85db9cbb-8ftbr            1/1     Running   0          10m
namespace-gateway-proxy-6f85db9cbb-mdhr7            1/1     Running   0          10m
namespace-license-5cc85b97cd-zg4vd                  1/1     Running   0          10m
namespace-matlab-pool-9cc6b6465-9rdz8               2/2     Running   0          6m54s
namespace-matlab-pool-9cc6b6465-t7wp2               2/2     Running   0          3m40s
namespace-matlab-pool-helpsearch-8479fbdc88-4r6sd   1/1     Running   0          6m54s
namespace-matlab-pool-ui-8484bbbd4d-t6777           1/1     Running   0          6m54s
namespace-resource-78f9b97745-fzwlq                 1/1     Running   0          10m

The pods running MATLAB can take several minutes to fully start (2/2 containers). It is important to wait until the pods are in the ready state. If any of the containers do not start running, check the license server and the install.config settings. See Resolve MATLAB Pod Issues.

Connect to MATLAB Online

After you have installed MATLAB Online Server successfully, provide a way to access MATLAB Online from the browser.

The OpenShift ingress controller creates a service object to access the cluster from outside. To get the service, issue the following command:

oc get services --namespace openshift-ingress

This command shows an IP address in the External IP column. Using the DNS service of your choice (for example, Route53), map DOMAIN_BASE to this IP address.

Verify MATLAB Online Server Installation

Make sure the address in the DOMAIN_BASE parameter defined in install.config is registered and can be routed to the IP address of the host machine. Run this command, replacing DOMAIN_BASE with the value of the DOMAIN_BASE parameter.
```
ping -c 1 DOMAIN_BASE
```
This command returns the IP address of the host machine. In some types of installation, the ping does not receive packets. If you have such an installation, this command returns the IP address of the server you ping.
Open a browser on another machine and then go to the address where you are hosting MATLAB Online:
```
DOMAIN_BASE/matlabonline
```
Your browser window displays the MATLAB Online login screen. For a single-machine installation, use the username admin and the password you specified in the ML_PASSWORD parameter of install.config (the default is password).

If you can now access your internal version of MATLAB Online, installation is complete. If you cannot access MATLAB Online, or you run into any other technical error, contact MathWorks Support.

Set Up Server

With the installation process and initial configuration complete, you must now complete additional tasks to set up the server for use in your organization. For example, you need to:

Configure user authentication by specifying your identity provider details.
Configure the installed MATLAB versions and specify which user groups can access them.
Configure persistent storage and which directories, drives, and files users can access.
Customize the MATLAB Online sign-in screen.

To get started setting up the server, see Set Up MATLAB Online Server After Installation.