Introduce Slicer Platform docs section

Signed-off-by: Alex Ellis (OpenFaaS Ltd) <alexellis2@gmail.com>

Author: alexellis

.gitignore

@@ -1 +1,3 @@
 /.vscode
+/agent-skills
+/sdk

docs/getting-started/walkthrough.md

@@ -2,8 +2,6 @@
 
 In this example we'll walk through how to create a Linux VM using Slicer on an x86_64 host, or an Arm64 host.
 
-The `/dev/kvm` device must exist and be available to continue.
-
 ## Create the VM configuration
 
 Slicer is a long lived process that can be run in the foreground or as a daemon with systemd.
@@ -141,4 +139,3 @@ slicer vm delete VM_NAME
 ```
 
 See all available commands with `slicer vm --help`, or refer to the [API reference](/reference/api) for direct HTTP access.
-

docs/platform/custom-images.md

@@ -0,0 +1,124 @@
+# Build a Custom Image
+
+The default Slicer images ship with a minimal Ubuntu or Rocky Linux installation. If your sandboxes need specific packages - compilers, runtimes, libraries - installing them via userdata on every boot wastes time. A derived image bakes those dependencies in, so VMs start ready to work.
+
+This page covers building a derived image locally. For publishing via CI, see [Publish your own images](/platform/publish-images/). For the full reference on image building, see [Build a custom root filesystem](/tasks/custom-image/).
+
+## How it works
+
+Slicer images are OCI images built with a Dockerfile. You write a `FROM` line pointing at a base Slicer image, add your `RUN` and `COPY` steps, then push the result to a container registry. Slicer pulls the image at startup and uses it for every VM in the host group.
+
+The base images are listed in the [images reference](/reference/images/). For most x86_64 workloads:
+
+```Dockerfile
+FROM ghcr.io/openfaasltd/slicer-systemd:6.1.90-x86_64-latest
+```
+
+For arm64:
+
+```Dockerfile
+FROM ghcr.io/openfaasltd/slicer-systemd-arm64:6.1.90-aarch64-latest
+```
+
+## Example: Python sandbox
+
+A sandbox image with Python 3, pip, and common data libraries pre-installed:
+
+```Dockerfile
+FROM ghcr.io/openfaasltd/slicer-systemd:6.1.90-x86_64-latest
+
+RUN apt-get update -qy \
+  && apt-get install -qy \
+    python3 \
+    python3-pip \
+    python3-venv \
+  && apt-get clean
+```
+
+Build and push:
+
+```bash
+docker build -t ghcr.io/your-org/slicer-python:6.1.90-x86_64 .
+docker push ghcr.io/your-org/slicer-python:6.1.90-x86_64
+```
+
+Then reference it in your Slicer YAML:
+
+```yaml
+config:
+  host_groups:
+    - name: sandbox
+      count: 0
+      # ...
+  image: "ghcr.io/your-org/slicer-python:6.1.90-x86_64"
+```
+
+## Things to know about Dockerfile builds
+
+Slicer images run systemd as PID 1. During the Docker build, systemd is not running, so:
+
+* Use `systemctl enable SERVICE` to configure a service to start on boot. Do not use `--now`
+* Avoid commands that need a running kernel or network stack
+* Do not change the `CMD` or `ENTRYPOINT`. Slicer manages the boot process
+
+For anything that cannot run inside a Dockerfile (e.g. commands that need networking or a running init system), use [userdata](/tasks/userdata/) to run the steps on first boot, or add a one-shot systemd unit.
+
+See [Build a custom root filesystem](/tasks/custom-image/) for more detail.
+
+## Watch the architecture
+
+If you are building on a Mac with Apple Silicon, Docker defaults to arm64 images. A Slicer host running on x86_64 cannot boot an arm64 root filesystem, and the failure mode is not obvious. The VM may hang or kernel panic on boot.
+
+Options:
+
+* Use `docker buildx build --platform linux/amd64` to cross-compile locally. This works but is slower due to QEMU emulation inside Docker Desktop.
+* Build on a matching architecture: an x86_64 Linux machine, a CI runner, or a Slicer VM itself.
+
+If all your Slicer hosts are arm64 (e.g. Raspberry Pi, Ampere), the reverse applies - build for `linux/arm64`.
+
+Slicer images are not multi-arch. Each architecture needs its own image built natively on matching hardware. If you need to automate this, see [Publish your own images](/platform/publish-images/).
+
+!!! note "Private registries"
+    GHCR packages default to private. Either make the package public in GitHub's package settings, or configure `insecure_registry: true` in your Slicer YAML if using a private registry without TLS.
+
+## Test the image
+
+After pushing, restart Slicer with the new image reference and create a sandbox:
+
+```bash
+slicer new sandbox \
+  --count=0 \
+  > sandbox.yaml
+```
+
+Edit `sandbox.yaml` and set the `image:` field to your custom image, then start Slicer:
+
+```bash
+sudo slicer up ./sandbox.yaml
+```
+
+Create a VM and verify the packages are present:
+
+```bash
+export TOKEN=$(sudo cat /var/lib/slicer/auth/token)
+
+curl -sf -H "Authorization: Bearer $TOKEN" \
+  -H "Content-Type: application/json" \
+  -X POST http://127.0.0.1:8080/hostgroup/sandbox/nodes -d '{}'
+
+# Wait for agent, then check python is installed
+curl -sf -H "Authorization: Bearer $TOKEN" \
+  -X POST \
+  "http://127.0.0.1:8080/vm/sandbox-1/exec?cmd=python3&args=--version&stdout=true"
+```
+
+## Wrapping up
+
+Derived images let you trade a one-time build step for faster, more predictable sandbox boot times. Bake in everything your workload needs, publish it to GHCR, and let Slicer pull it on startup.
+
+See also:
+
+* [Build a custom root filesystem](/tasks/custom-image/) - full reference for Dockerfile-based image builds
+* [Images for microVMs](/reference/images/) - base image tags and availability
+* [Userdata](/tasks/userdata/) - run scripts on first boot for anything that cannot be baked into the image
+* [Storage backends](/storage/overview/) - ZFS and devmapper for near-instant boot from snapshots

docs/examples/run-a-task.md docs/platform/ephemeral-tasks.mddocs/examples/run-a-task.md renamed to docs/platform/ephemeral-tasks.md

@@ -1,6 +1,6 @@
-# Run a task in a VM
+# Ephemeral Tasks
 
-This example shows how to run a one-shot task in a VM via API. The CLI can also act as a client to the API during testing.
+This page shows how to launch short-lived VMs for one-shot tasks via the API. The CLI can also act as a client to the API during testing.
 
 Use-cases could include:
 
@@ -143,50 +143,3 @@ After SSH is disabled, the only way to debug a machine is via the Slicer agent u
 You can also disable `slicer-agent` (not actually a full SSH daemon), however the `slicer vm` commands will no longer work.
 
 If you publish an image to the Docker Hub, make sure you include its prefix i.e. `docker.io/owner/repo:tag`.
-
-### Cache the Kernel to a local file
-
-Rather than downloading an extracting the Kernel on each run of Slicer, you can extract a given vmlinux file and tell the YAML file to use that.
-
-This is preferred for a long-running host, where we need to keep the root-filesystem image and Kernel in sync.
-
-The Kernel must agree with the root filesystem image, which means using a proper tag and not a `latest` tag.
-
-Why? The Kernel is built as a vmlinux, however its modules are packaged into the root filesystem image.
-
-Run the following:
-
-```bash
-$ arkade get crane
-$ crane ls ghcr.io/openfaasltd/actuated-kernel:5.10.240-x86_64-latest
-
-5.10.240-x86_64-3d7a67d1683b524b4128ad338f90b1da710f2fd9
-5.10.240-kvm-x86_64-3d7a67d1683b524b4128ad338f90b1da710f2fd9
-5.10.240-x86_64-ea04b63b9117c966a57e17e1bc1bfcf713cd6276
-5.10.240-x86_64-bb71bdd1cd06bad2cc11f8ab3f323c3f19d41c8b
-5.10.240-x86_64-2f2ebc0bbefe128aa3061e6ea6806cbcdc975208
-6.1.90-aarch64-2f2ebc0bbefe128aa3061e6ea6806cbcdc975208
-6.1.90-aarch64-5c59e9b9b08eea49499be8449099291c93469b80
-5.10.240-x86_64-5c59e9b9b08eea49499be8449099291c93469b80
-```
-
-Pick a stable tag for your architecture i.e. `x86_64-SHA` or `aarch64-SHA`, then run:
-
-```bash
-$ arkade oci install ghcr.io/openfaasltd/actuated-kernel:5.10.240-x86_64-2f2ebc0bbefe128aa3061e6ea6806cbcdc975208 --output ./
-$ ls
-vmlinux
-```
-
-Next, find the matching root filesystem image:
-
-```bash
-$ crane ls ghcr.io/openfaasltd/slicer-systemd
-```
-
-Use it in your YAML file, replacing `kernel_image` with `kernel_file`:
-
-```yaml
-  kernel_file: "./vmlinux"
-  image: "ghcr.io/openfaasltd/slicer-systemd:5.10.240-x86_64-2f2ebc0bbefe128aa3061e6ea6806cbcdc975208"
-```