13:36:11 am I doing something very, very, very wrong, or do lx zones not support setting a default route?
13:36:20 # route add -6 default
13:36:20 SIOCADDRT: Operation not supported
13:36:27 not v6 specific btw
13:37:44 i got my v6 from addrconf, that should have also set the default gateway (normal zones have the same addrconf config, and they do)
13:39:28 i'm guessing that it didn't because it's actually not supported to set the route in the lx zone? in which case how am I supposed to get connectivity - won't do it from addrconf although it should, and cannot set it manually from the zone, says operation not supported. for good measure, gateways (vmadm zone json conf parameter) cannot take an ipv6 address
13:40:22 Is it possible to set it with the route command that's under `/native/sbin/`?
13:44:15 i was just testing that, as i read just now that /native is mounted in the zone; and yes, that way it's possible
13:44:41 obvious question, shouldn't the image be doing that? :p (debian-11 lx-dataset)
13:44:48 .. but i still can't get connectivity, i'm troubleshooting (doesn't make sense)
13:46:52 hmm, actually it's just dns that's not working
13:46:54 and yet the right nameserver is set in resolv.conf
13:58:27 yeah, it just seems like some very weird thing happens with anything to do with name resolution. i'm snooping eth0 from the gz, and i can see a ping attempt from the lx zone to the dns going out and being answered
13:58:35 but i try to use a hostname to make ping resolve it, and i don't even see a dns query on eth0
15:33:42 can the root pool be encrypted these days?
15:33:54 vs setting up delegated+encrypted filesystems in all relevant zones
15:41:35 triton only supports encrypting the entire zones pool
15:41:50 if you're trying to encrypt individual datasets, you're off on your own
15:42:03 unfortunately, there's nothing for standalone smartos
15:42:05 though
15:54:45 yeah i'm on standalone
15:55:13 it's easy enough to manage it individually per vm, but it's going to be brutal to manage. it would make more sense to encrypt the whole thing
16:12:05 if i can ever finish writing a tpm2.0 driver... with a bit of work, that could be used instead of a yubikey (unlike the 1.2 spec which was near worthless, 2.0 mandates some reasonable mechanisms, including the same ECC curves kbmd uses w/ yubikeys)
16:12:22 which would avoid some of the bootstrapping problems
16:13:16 (today w/ triton, an encrypted boot node sends a signed request to the head node for the pin protecting the zpool encryption key and uses that to unlock the pool)
16:14:05 for standalone, you'd need to add something -- prompt for the pin or something
16:18:45 well, asking for the decryption key at the console should be enough. like freebsd, linux or openbsd
16:39:49 jbk -- untested but a pool booting SmartOS has $BOOTPOOL/boot unencrypted. That dataset is essentially an on-disk USB key for most purposes.
16:40:27 BOOTPOOL being encrypted (save boot/) is untested.
16:40:50 Our advice for those with encrypted zones is "dedicated boot pool please".
21:29:52 Can I actually pass through a PCI-E graphics card to a Bhyve VM, USB keyboard, mouse, USB audio and use it as a desktop? Same goes for a Triton compute node?