Slicer Mac troubleshooting and Linux twin explanations

Signed-off-by: Alex Ellis (OpenFaaS Ltd) <alexellis2@gmail.com>

Author: alexellis

docs/mac/docker.md

@@ -8,6 +8,8 @@ To run both together, configure Docker for Mac to use the Docker VMM option. Doc
 
 ![Docker VMM](/images/mac/docker-vmm.png)
 
+If Slicer for Mac later comes up on the wrong subnet or the VM cannot reach `192.168.64.1`, see [Troubleshooting Slicer for Mac](/mac/troubleshooting).
+
 ## Install and configure Docker in the VM
 
 You can keep Docker running inside `slicer-1` and access it from your Mac with the local Docker CLI by forwarding the VM's Unix socket.
@@ -64,3 +66,4 @@ persistent access.
 ## Next steps
 
 - [Linux VM setup](/mac/linux-vm) - broader VM setup notes, including K3s forwarding
+- [Troubleshooting](/mac/troubleshooting) - recover stale vmnet or DHCP state on macOS

docs/mac/linux-vm.md

@@ -1,21 +1,85 @@
-# Linux VM
+# Persistent Linux VM
 
-Your main VM is `slicer-1` in the `slicer` host group. It's a persistent arm64 Linux environment that boots with the daemon and has your Mac home folder shared in via VirtioFS. This is where you do your day-to-day Linux work - running Docker, K3s, coding agents, Go/Rust builds, and anything else you'd do on a Linux workstation.
+Slicer for Mac has two types of VMs.
 
-SSH is usually not required for normal workflows. Most tasks are faster with the Slicer CLI:
+1. A Persistent Linux VM named `slicer-1` - analogous to WSL2 - your *Linux twin* for macOS.
+2. Additional persistent or ephemeral VMs ["sandboxes"](/mac/sandboxes.md) can be launched into the `sbox` host group.
+
+Unlike most sandboxes that optimise for a narrow use-case, each VM is a full Linux Kernel with support for Docker, K3s, eBPF, coding agents, Go/Rust builds with systemd as the init.
+
+Additionally, you can share your home folder or any other folder directly into the VM via VirtioFS.
+
+A built-in guest agent can be used instead of SSH for faster, more efficient access:
 
 - `slicer vm shell slicer-1`
 - `slicer vm cp ...`
 - `slicer vm forward ...`
 
-Use SSH only when you need direct shell access outside this interface. You can add keys directly in the guest by writing to `~/.ssh/authorized_keys`:
+SSH is pre-installed, and accessible via the VM's IP address, as shown on `slicer vm list`.
+
+You can add your SSH keys to: `~/.ssh/authorized_keys`, or import them directly from GitHub:
 
 ```bash
+slicer vm shell slicer-1
+
 curl -sLS https://github.com/alexellis.keys > ~/.ssh/authorized_keys
 ```
 
+## Architecture diagram
+
+```text
+                         +----------------------------+
+                         |          slicer CLI        |
+                         |   (vm shell / vm cp / API) |
+                         +-------------+--------------+
+                                       |
+                                       v
+      +--------------------------------+-----------------------------------+
+      |              slicer-mac daemon on macOS                            |
+      |  Reads `slicer-mac.yaml` and controls local microVMs               |
+      +-----------------------+----------------------+---------------------+
+                              |                      |
+                              |                      |
+                              v                      v
+             +-----------------------------+    +----------------------------+
+             | host_group: slicer          |    | host_group: sbox           |
+             | Long-lived primary workload |    | Disposable / on-demand VMs |
+             +--------------+--------------+    +-------------+--------------+
+                            |                                |
+                            v                                v
+                     +-------------+                  +----------------+
+                     |   slicer-1  |                  |    sbox-1      |
+                     | main VM     |                  | sample sbox VM |
+                     +-------------+                  +----------------+
+```
+
+Docker's socket is port-forwarded to your Mac as a Unix socket, so `docker` commands on the Mac talk directly to the VM. K3s exposes port 6443, so `kubectl` on your Mac can target the cluster running inside `slicer-1`.
+
+## The VM lifecycle
+
+It's important to shut down persistent VMs like `slicer-1` gracefully:
+
+```bash
+slicer vm shutdown slicer-1
+slicer vm exec slicer-1 -- sudo shutdown -h 0
+```
+
+If your VM crashes or you kill slicer-mac without letting it shut down the VMs gracefully, you may need to check the disk image, which you can do via the [Troubleshooting](/mac/troubleshooting) page.
+
+If you ever want to "reset" your `slicer-1` VM, you can delete it and then relaunch it.
+
+First shut down slicer-mac.
+
+Then run `rm -rf ~/slicer-mac/slicer-1.img`
+
+Then restart slicer-mac, and you'll get the VM re-created.
+
 ## Folder sharing
 
+Folders can be shared directly into any Slicer VM by specifying paths in the slicer-mac.yaml config file or via an API request.
+
+Most of the time copying folders between the host and guest, will be fast enough and more convenient: `slicer cp -r ./source vm:~/destination`.
+
 See [Folder sharing](/mac/folder-sharing) for setup details.
 
 ## Forward Docker
@@ -72,36 +136,6 @@ kubectl get nodes
 
 With K3s running inside Slicer, you can test controllers locally, validate Helm charts with a real install, or try RBAC changes without touching a shared cluster.
 
-## Architecture diagram
-
-```text
-                         +----------------------------+
-                         |          slicer CLI        |
-                         |   (vm shell / vm cp / API) |
-                         +-------------+--------------+
-                                       |
-                                       v
-      +--------------------------------+-----------------------------------+
-      |              slicer-mac daemon on macOS                            |
-      |  Reads `slicer-mac.yaml` and controls local microVMs               |
-      +-----------------------+----------------------+---------------------+
-                              |                      |
-                              |                      |
-                              v                      v
-             +-----------------------------+    +----------------------------+
-             | host_group: slicer          |    | host_group: sbox           |
-             | Long-lived primary workload |    | Disposable / on-demand VMs |
-             +--------------+--------------+    +-------------+--------------+
-                            |                                |
-                            v                                v
-                     +-------------+                  +----------------+
-                     |   slicer-1  |                  |    sbox-1      |
-                     | main VM     |                  | sample sbox VM |
-                     +-------------+                  +----------------+
-```
-
-Docker's socket is port-forwarded to your Mac as a Unix socket, so `docker` commands on the Mac talk directly to the VM. K3s exposes port 6443, so `kubectl` on your Mac can target the cluster running inside `slicer-1`.
-
 ## Next steps
 
 - [Sandboxes](/mac/sandboxes) - spin up ephemeral VMs for AI agents and automation

docs/mac/overview.md

@@ -95,3 +95,4 @@ See [Sleep behavior](/mac/sleep) for full guidance and per-mode behavior.
 - [Linux VM](/mac/linux-vm) - configure your persistent VM, shared folders, Docker, and K3s aka `slicer-1`
 - [Sandboxes](/mac/sandboxes) - spin up and tear down VMs via API for ephemeral tasks
 - [Coding agents](/mac/coding-agents) - automation to stand up a VM with Claude Code, OpenCode, and other agents inside the VM
+- [Troubleshooting](/mac/troubleshooting) - recover from stale vmnet or DHCP state on macOS

docs/mac/sandboxes.md

@@ -41,7 +41,6 @@ Sandboxes are designed for short-lived workloads and experimentation:
 
 You can launch sandboxes from the CLI, [Go SDK](/platform/go-sdk/), or [REST API](/reference/api).
 
-
 ## Launch, use, and delete
 
 Launch an ephemeral sandbox that is deleted when you reboot it or stop Slicer for Mac:
@@ -111,6 +110,10 @@ slicer relaunch sbox-1
 
 ## Customise sandbox resources
 
+Bear in mind that `slicer-1` is already set up to use 8GB of RAM by default, so if you only have a 16GB Mac, launching two sandboxes, at 4GB of RAM each, may overcommit your system.
+
+If you only need sandboxes, you can disable `slicer-1` on start-up by setting `count: 0` in the `slicer` hostgroup, or reduce its RAM allocation.
+
 Edit the `sbox` host group in `slicer-mac.yaml` to change the default vCPU, RAM, or disk size for new sandboxes:
 
 ```yaml

docs/mac/troubleshooting.md

@@ -0,0 +1,87 @@
+# Troubleshooting Slicer for Mac
+
+## No Internet or LAN access from the VM
+
+One failure mode on macOS is that the VM networking gets stuck on the wrong subnet because the host-side vmnet state becomes stale.
+You may notice one or more of the following:
+
+- `slicer vm list` shows `slicer-1` on `192.168.64.2`, but the VM cannot reach `192.168.64.1`
+- the host shows a stale `bridge100` interface on `192.168.65.1`
+- DNS and Internet access fail inside the VM even though the Mac itself is online
+
+The symptom is that the VM has no Internet or LAN access.
+The cause is that the VM networking is stuck on the wrong subnet.
+
+In this case, the recovery that has worked reliably is:
+
+- rewrite the stale wrong subnet in the vmnet state from `192.168.65` back to `192.168.64`
+- clear the DHCP lease database
+- remove the generated vmnet state so macOS rebuilds it
+
+### Recovery steps
+
+Stop Slicer for Mac and any other local VM tooling you were using first.
+
+```bash
+pkill -f slicer-mac || true
+osascript -e 'tell application "Docker" to quit' || true
+```
+
+Remove any stale host bridge created for the shared vmnet range:
+
+```bash
+sudo ifconfig bridge100 destroy 2>/dev/null || true
+```
+
+If the stale vmnet state shows `192.168.65` where you expect `192.168.64`, rewrite it first:
+
+```bash
+sudo sed -i '' 's/192\.168\.65/192.168.64/g' \
+  /Library/Preferences/SystemConfiguration/com.apple.vmnet.plist
+```
+
+Back up and remove the DHCP lease database:
+
+```bash
+sudo mv /var/db/dhcpd_leases /var/db/dhcpd_leases.bak.$(date +%s)
+```
+
+Back up and remove the generated vmnet state file:
+
+```bash
+sudo mv /Library/Preferences/SystemConfiguration/com.apple.vmnet.plist \
+  /Library/Preferences/SystemConfiguration/com.apple.vmnet.plist.bak.$(date +%s)
+```
+
+Start Slicer for Mac again:
+
+```bash
+cd ~/slicer-mac
+./slicer-mac up
+```
+
+### Verify the fix
+
+Confirm the host bridge and VM gateway were recreated correctly:
+
+```bash
+ifconfig -a | rg '^(bridge|vmenet)'
+slicer vm list
+slicer vm exec slicer-1 -- ping -c 2 192.168.64.1
+```
+
+If the VM can reach `192.168.64.1` again, the stale state has been cleared.
+
+### What changed
+
+These are the only host-side changes made by the recovery process:
+
+- removed the stale `bridge100` interface if it existed
+- rewrote the stale vmnet subnet from `192.168.65` to `192.168.64`
+- removed `/var/db/dhcpd_leases` so stale leases would not be reused
+- removed `/Library/Preferences/SystemConfiguration/com.apple.vmnet.plist` so macOS could recreate vmnet state
+
+### Notes
+
+- `bridge0` is usually the macOS Thunderbolt Bridge and is unrelated to this issue
+- if you also run Docker Desktop, restart Slicer for Mac first, then confirm networking works before bringing Docker back up

mkdocs.yml

@@ -160,8 +160,9 @@ nav:
   - Slicer for Mac:
       - Overview: mac/overview.md
       - Installation: mac/installation.md
-      - Linux VM: mac/linux-vm.md
+      - Persistent Linux VM: mac/linux-vm.md
       - Sandboxes: mac/sandboxes.md
+      - Troubleshooting: mac/troubleshooting.md
       - Configuration:
           - Enable Rosetta: mac/rosetta.md
           - Storage: mac/storage.md