Main Content

webapps-containers

Setup environment to run MATLAB web apps in Docker containers on Linux systems

Since R2022b

To run MATLAB® web apps in Docker® containers, you must use MATLAB Runtime R2022b or higher. Earlier versions of MATLAB Runtime are not supported. However, you can continue to use versions of MATLAB Runtime going back to R2019b if you are not planning on running web apps in containers.

Any web apps built with MATLAB Compiler™ versions before R2022b cannot be run in a containerized environment. To address this limitation, repackage the web apps with MATLAB Compiler version R2022b or a more recent release.

Description

webapps-containers [on | off] sets up or tears down the Docker environment required to run MATLAB web apps in containers. You must restart the server using webapps-restart after executing this command for changes to take effect.

Executing webapps-containers on:

  • Creates a base Docker image named mw-webapps-worker with the TAG name R2024b that consists of a Ubuntu® Linux® operating system, dependent libraries, and customizations to the base image.

  • Creates a network for the Docker containers.

  • Enables running web apps in containers by setting the use_for_workers key to 1.

  • Configures the firewall so that web apps can run only within the network created for containers and cannot access the internet.

Executing webapps-containers off tears down the Docker environment created for running web apps. Values assigned to configuration keys are preserved.

example

webapps-containers status returns the setup status of the Docker environment. It indicates whether container use is enabled or disabled and whether the Docker base image is present or missing.

webapps-containers config get returns the entire container configuration.

example

webapps-containers config get keyname returns the container configuration value associated with the key keyname.

webapps-containers config set keyname val assigns the value val to the container configuration key keyname. You must restart the server using webapps-restart after executing this command for changes to take effect.

example

webapps-containers net options lets you modify network settings for the container network by adjusting options.

The options passed to the net parameter are not retained when the server is restarted. To retain options after restart, put them in the /local/MathWorks/webapps/R2024b/config/webapps_private/containers-firewall-init.sh file.

example

Examples

collapse all

Prepare your host machine to run MATLAB web apps in containers.

sudo ./webapps-containers on
Installing Docker support for MATLAB Web App Server...
Building base image, this may take a while...
Copying default containers-firewall-init.sh
Enabling firewall service ...
Applying permanent firewall settings ...
Containers support was successfully enabled. 
Run "sudo /usr/local/MATLAB/MATLAB_Web_App_Server/R2024b/script/webapps-restart" to apply.

Check the status.

sudo ./webapps-containers status
Container support: enabled
Base image: present

Restart the server to apply changes.

sudo ./webapps-restart
Restarting server...

The server has started successfully.
   Homepage: http://hostname:9988/webapps/home/
Apps Folder: /local/MathWorks/webapps/R2024b/apps
Logs Folder: /local/MathWorks/webapps/R2024b/logs

Get the container configuration for all keys.

sudo ./webapps-containers config get
use_for_workers: 1
memory: 2g
volumes: 
cpus: 
env:

To retrieve configuration of a particular key, specify the keyname.

If you do not want to run your web apps in a containerized environment but want to preserve the Docker image used to instantiate a container, execute:

sudo ./webapps-containers config set use_for_workers 0
Setting "use_for_workers" successfully changed. 
Run "sudo /usr/local/MATLAB/MATLAB_Web_App_Server/R2024b/script/webapps-restart" to apply.

Check the status.

sudo ./webapps-containers status
Container support: disabled
Base image: present

Restart the server to apply changes.

sudo ./webapps-restart
Restarting server...

The server has started successfully.
   Homepage: http://hostname:9988/webapps/home/
Apps Folder: /local/MathWorks/webapps/R2024b/apps
Logs Folder: /local/MathWorks/webapps/R2024b/logs
sudo ./webapps-containers config set subnet 192.168.24.0/24
sudo ./webapps-containers net firewall on
Rules were successfully added.

Check the firewall rules.

sudo ./webapps-containers net list
Rules for webapps container network 192.168.98.0/24:
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 RETURN     all  --  any    any     192.168.98.0/24      anywhere             state RELATED,ESTABLISHED
2        0     0 REJECT     all  --  any    any     192.168.98.0/24      anywhere             reject-with icmp-port-unreachable
sudo ./webapps-containers net dns on
To make firewall changes that survive a reboot, put this command into a 
"/local/MathWorks/webapps/R2024b/config/webapps_private/containers-firewall-init.sh" file.

Check the firewall rules.

sudo ./webapps-containers net list
Rules for webapps container network 192.168.98.0/24:
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 ACCEPT     tcp  --  any    any     192.168.98.0/24      anywhere             tcp dpt:domain ctstate NEW,ESTABLISHED
2        0     0 ACCEPT     udp  --  any    any     192.168.98.0/24      anywhere             udp dpt:domain ctstate NEW,ESTABLISHED
3        0     0 RETURN     all  --  any    any     192.168.98.0/24      anywhere             state RELATED,ESTABLISHED
4        0     0 REJECT     all  --  any    any     192.168.98.0/24      anywhere             reject-with icmp-port-unreachable
sudo ./webapps-containers net dns add www.google.com 443
Enabling traffic to www.google.com:443
To make firewall changes that survive a reboot, put this command into a 
"/local/MathWorks/webapps/R2024b/config/webapps_private/containers-firewall-init.sh" file.

Check the firewall rules.

sudo ./webapps-containers net list
Rules for webapps container network 192.168.98.0/24:
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 ACCEPT     tcp  --  any    any     192.168.98.0/24      lga25s78-in-f4.1e100.net  tcp dpt:https
2        0     0 ACCEPT     tcp  --  any    any     192.168.98.0/24      anywhere                  tcp dpt:domain ctstate NEW,ESTABLISHED
3        0     0 ACCEPT     udp  --  any    any     192.168.98.0/24      anywhere                  udp dpt:domain ctstate NEW,ESTABLISHED
4        0     0 RETURN     all  --  any    any     192.168.98.0/24      anywhere                  state RELATED,ESTABLISHED
5        0     0 REJECT     all  --  any    any     192.168.98.0/24      anywhere                  reject-with icmp-port-unreachable

Remove a firewall rule by specifying the rule number.

sudo ./webapps-containers net remove 1
Removing rule 1

Check firewall rules.

sudo ./webapps-containers net list
Rules for webapps container network 192.168.98.0/24:
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 ACCEPT     tcp  --  any    any     192.168.98.0/24      anywhere             tcp dpt:domain ctstate NEW,ESTABLISHED
2        0     0 ACCEPT     udp  --  any    any     192.168.98.0/24      anywhere             udp dpt:domain ctstate NEW,ESTABLISHED
3        0     0 RETURN     all  --  any    any     192.168.98.0/24      anywhere             state RELATED,ESTABLISHED
4        0     0 REJECT     all  --  any    any     192.168.98.0/24      anywhere             reject-with icmp-port-unreachable

Input Arguments

collapse all

keynameDescription

use_for_workers

Indicate whether MATLAB web apps can run in containers.

memory

Specify the maximum amount of memory (RAM) the container can use.

volumes

Specify directories to mount as Docker volumes.

cpus

Specify how much of the available CPU resources a container can use.

env

Specify the environment variables to be set within the container.

subnet (since R2023a)

Create a subnet within the Docker environment where the containers will run by specifying a range of IP addresses using CIDR notation. If no CIDR range is specified during subnet creation, a default range of 192.168.98.0/24 is used. Specifying a range prevents conflicts with existing Docker subnets.

Specify a value that corresponds to the keyname value. Enclose the value in double quotes (" ").

keynamevalExample

use_for_workers

Specify 0 or 1 based on whether containers are disabled or enabled, respectively.

When you execute webapps-containers on, the software returns a value of 1 by default.

use_for_workers "0"

memory

Specify a positive integer, followed by the suffix b, k, m, g, to indicate bytes, kilobytes, megabytes, or gigabytes.

When you execute webapps-containers on, the software returns an empty value by default, which indicates that no memory limit applies.

memory "2g"

volumes

Specify two or three fields, separated by colons (:). The fields must be in the correct order. Separate multiple volumes using a semicolon (;).

  • The first field is the name of the volume.

  • The second field is the path where the file or directory is mounted in the container.

  • The third field is optional and is a comma-separated list of options, such as readonly.

For details, see https://docs.docker.com/storage/volumes/.

When you execute webapps-containers on, the software returns an empty value by default.

  • volumes "/var/lib/cassandra/data:/data:readonly"

  • volumes "/var/lib/cassandra/data:/tmp/data:readonly;/usr/share/nginx/html:/tmp/html"

cpus

Specify any real number greater than 0. If a machine has two CPUs and you set the value to "1.5", the container is given at most one and a half of the CPUs.

For details, see https://docs.docker.com/config/containers/resource_constraints/.

When you execute webapps-containers on, the software returns an empty value by default, which indicates that no limit to CPU resources applies. Setting the value to 0.000 is equivalent.

cpus "1.5"

env

Specify key-value pairs as <key>=<value>. Separate multiple key-value pairs using a semicolon (;).

When you execute webapps-containers on, the software returns an empty value by default.

env "MY_VAR1=/hello;MY_VAR2=/world"

subnet (since R2023a)

Create a subnet within the Docker environment where the containers will run by specifying a range of IP addresses using CIDR notation. If no CIDR range is specified during subnet creation, a default range of 192.168.98.0/24 is used. Specifying a range prevents conflicts with existing Docker subnets.

subnet 192.168.24.0/24

Caution

The options listed below are not retained when the server is restarted. To retain options after restart, put them in the /local/MathWorks/webapps/R2024b/config/webapps_private/containers-firewall-init.sh file.

Options for customizing container network firewall settings, specified as one of the following:

  • add

    Add host and port to the firewall exception list.

    sudo ./webapps-containers net add host port

    The host parameter can be either a network name, a hostname, a network IP address, or a network IP address with a mask.

    Examples

    Add an IP address to the firewall exception list.

    sudo ./webapps-containers net add 123.45.67.111 443

    Add a domain name to the firewall exception list.

    sudo ./webapps-containers net dns on
    sudo ./webapps-containers net add www.google.com 443

  • dns

    Toggle Domain Name System (DNS) resolution on or off.

    sudo ./webapps-containers net dns on
    sudo ./webapps-containers net dns off

    Examples

    Enable DNS resolution.

    sudo ./webapps-containers net dns on
    To make firewall changes that survive a reboot, put this command into a 
    "/local/MathWorks/webapps/R2024b/config/webapps_private/containers-firewall-init.sh" file.
    

    Disable DNS resolution.

    sudo ./webapps-containers net dns off
    Rules were successfully removed.
    

  • firewall

    Toggle the container network firewall on or off. The firewall for the container network is based off of Linux iptables. For details, see https://linux.die.net/man/8/iptables.

    sudo ./webapps-containers net firewall on
    sudo ./webapps-containers net firewall off

    Examples

    Enable the firewall.

    webapps-containers net firewall on
    Rules were successfully added.
    

    Disable the firewall.

    webapps-containers net firewall off
    
    Rules were successfully removed.
    

  • list

    List container network firewall rules.

    sudo ./webapps-containers net list

    Examples

    List rules.

    sudo ./webapps-containers net list
    Rules for webapps container network 192.168.98.0/24:
    num   pkts bytes target     prot opt in     out     source               destination         
    1        0     0 ACCEPT     tcp  --  any    any     192.168.98.0/24      anywhere             tcp dpt:domain ctstate NEW,ESTABLISHED
    2        0     0 ACCEPT     udp  --  any    any     192.168.98.0/24      anywhere             udp dpt:domain ctstate NEW,ESTABLISHED
    3        0     0 RETURN     all  --  any    any     192.168.98.0/24      anywhere             state RELATED,ESTABLISHED
    4        0     0 REJECT     all  --  any    any     192.168.98.0/24      anywhere             reject-with icmp-port-unreachable
    
    This particular list of rules is displayed when the firewall and DNS are enabled.

  • remove

    • Remove host and port.

      webapps-containers net remove host port

    • Remove the rule num from the list of firewall rules.

      webapps-containers net remove num

      Examples

      Remove rule 1 from the list of firewall rules.

      webapps-containers net remove 2 
      Removing rule 2
      

More About

collapse all

Details

  • The Dockerfile for the image used to instantiate a container can be found in:

    /usr/local/MATLAB/MATLAB_Web_App_Server/R2024b/toolbox/compiler/mdwas/containers/worker

  • At runtime, a Docker volume is created that maps to the MATLAB Runtime installation directory configured for use with MATLAB Web App Server™.

  • At runtime, when a web app is opened, the .ctf file associated with the web app is copied to the container.

HTTPS

Before R2023b: If MATLAB Web App Server is configured to use HTTPS, the SSL certificate must allow access to a host named mw-webapps-server that's included within a container. In the container's file system, this host listed in /etc/hosts.

Docker Requirements

Verify that you have Docker installed and configured on the server machine by typing, docker --info. If you do not have Docker installed, follow the instructions on the Docker website to install and set up Docker.

https://docs.docker.com/engine/install/

Docker Commands

Execute these commands at a Linux terminal to retrieve relevant information about the Docker environment used to run MATLAB web apps.

CommandPurpose

docker images

List images.

docker ps

List containers.

docker inspect <Container ID>

Return information about container.

docker network ls

List container networks.

docker exec -i -t <Container ID> bash

Execute an interactive bash shell on the container.

To quit the bash shell, type exit.

Build Your Own Docker Image

To build your own Docker image:

  1. Modify the Dockerfile:

    /usr/local/MATLAB/MATLAB_Web_App_Server/R2024b/toolbox/compiler/mdwas/containers/worker/Dockerfile

  2. Execute sudo ./webapps-containers on to build an updated Docker image.

  3. Restart the server and test your application.

Version History

Introduced in R2022b