From 5a99567a2cfd05c16360fcbb135bd9521a6b24c7 Mon Sep 17 00:00:00 2001 From: Zhang Tianyang Date: Sun, 10 Dec 2023 17:16:36 +0800 Subject: [PATCH] doc: Add some descriptions for runc sandbox and microvm sandbox Signed-off-by: Zhang Tianyang --- .github/workflows/release.yaml | 30 ++++++++++++++++++----- README.md | 39 +++++++++++++++++------------- docs/images/runc-arch.png | Bin 0 -> 47540 bytes scripts/build/build-containerd.sh | 6 +++++ scripts/build/cargo-vendor.sh | 1 + 5 files changed, 53 insertions(+), 23 deletions(-) create mode 100644 docs/images/runc-arch.png diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index ae11c556..8d32f39e 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -95,6 +95,19 @@ jobs: name: wasm-sandboxer ${{ matrix.features }} path: bin/wasm-sandboxer + runc: + runs-on: ubuntu-22.04 + timeout-minutes: 10 + steps: + - uses: actions/checkout@v3 + - name: Build runc + run: make runc + - name: Upload Artifacts + uses: actions/upload-artifact@v3 + with: + name: runc + path: bin/runc-sandboxer + containerd: runs-on: ubuntu-22.04 timeout-minutes: 30 @@ -120,6 +133,7 @@ jobs: - kernel - quark - wasm + - runc - containerd runs-on: ubuntu-22.04 steps: @@ -129,10 +143,12 @@ jobs: releasever=${{ github.ref }} releasever="${releasever#refs/tags/}" bash ./scripts/build/cargo-vendor.sh - mkdir -p /tmp/kuasar-$releasever - cp -r ./* /tmp/kuasar-$releasever + dir="kuasar-${releasever}-vensor" + mkdir -p /tmp/${dir} + cp -r ./* /tmp/${dir} + sudo -E chown -R root:root /tmp/${dir} mkdir _release - tar -czvf _release/kuasar-$releasever-vendor.tar.gz -C /tmp/ kuasar-$releasever + sudo -E tar -czf _release/${dir}.tar.gz -C /tmp/ ${dir} - uses: actions/download-artifact@v3 with: path: _artifacts 
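Review bot: The new `runc` job references `actions/checkout@v3` and `actions/upload-artifact@v3` by mutable tag, and its `bin/runc-sandboxer` output is later collected into the published release archive. This matches the tag pinning visible on the neighbouring context lines (`actions/download-artifact@v3`, `softprops/action-gh-release@v1`). For a release pipeline, pinning each action to a full commit SHA, e.g. `uses: actions/checkout@<full-commit-sha> # v3`, keeps a retagged action from changing what gets shipped. The job definition itself is complete within the hunk.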
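Review bot: The new directory name in the vendor step is spelled `kuasar-${releasever}-vensor`, so the source tarball is published as `…-vensor.tar.gz` where the removed line produced `…-vendor.tar.gz`; `dir="kuasar-${releasever}-vendor"` keeps the established name. The added `mkdir`, `cp`, `chown` and `tar` lines expand `${dir}` unquoted, and `releasever` comes from `${{ github.ref }}` pasted into the script text, so an unusual tag name would now reach commands run under `sudo`; passing the ref in through `env:` and writing `"${dir}"` closes that. Root ownership inside the archive can be had without `sudo -E` or `chown` by giving GNU tar `--owner=0 --group=0 --numeric-owner`, which also avoids leaving root-owned files on the runner. The same unquoted `${dir}` and `sudo -E` pattern appears in the next hunk, which builds the linux-amd64 archive.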
@@ -140,9 +156,11 @@ jobs:
 run: |
 releasever=${{ github.ref }}
 releasever="${releasever#refs/tags/}"
- mkdir _dist
- find _artifacts -type f | xargs -I {} cp {} _dist/
- tar -czvf _release/kuasar-$releasever-linux-amd64.tar.gz -C _dist .
+ dir="kuasar-${releasever}-linux-amd64"
+ mkdir -p ${dir}
+ find _artifacts -type f | xargs -I {} cp {} ${dir}/
+ sudo -E chown -R root:root ${dir}
+ sudo -E tar -czf _release/${dir}.tar.gz ${dir}
 - name: Update Release
 uses: softprops/action-gh-release@v1
 with:
diff --git a/README.md b/README.md
index 70a54640..62be0408 100644
--- a/README.md
+++ b/README.md
@@ -20,18 +20,18 @@ Kuasar is an efficient container runtime that provides cloud-native, all-scenari # Supported Sandboxes -| Sandboxer | Sandbox | Status | -|------------|------------------|--------------------| -| MicroVM | Cloud Hypervisor | Supported | -| | QEMU | Supported | -| | Firecracker | Planned in 2024 | -| | StratoVirt | Supported | -| Wasm | WasmEdge | Supported | -| | Wasmtime | Supported | -| | Wasmer | Planned in 2024 | -| App Kernel | gVisor | Planned in 2024 | -| | Quark | Supported | -| runC | runC | Planned in 2023 H2 | +| Sandboxer | Sandbox | Status | +|------------|------------------|-----------------| +| MicroVM | Cloud Hypervisor | Supported | +| | QEMU | Supported | +| | Firecracker | Planned in 2024 | +| | StratoVirt | Supported | +| Wasm | WasmEdge | Supported | +| | Wasmtime | Supported | +| | Wasmer | Planned in 2024 | +| App Kernel | gVisor | Planned in 2024 | +| | Quark | Supported | +| runC | runC | Supported | # Why Kuasar? In the container world, a sandbox is a technique used to separate container processes from each other, and from the operating system itself. After the introduction of the [Sandbox API](https://github.com/containerd/containerd/issues/4131), sandbox has become the first-class citizen in containerd. With more and more sandbox techniques available in the container world, a management service called "sandboxer" is expected to be proposed. 
@@ -57,7 +57,7 @@ Additionally, Kuasar is also a platform under active development, and we welcome ## MicroVM Sandboxer -In the microVM sandbox scenario, the VM process provides complete virtual machines and Linux kernels based on open-source VMMs such as [Cloud Hypervisor](https://www.cloudhypervisor.org/), [StratoVirt](https://gitee.com/openeuler/stratovirt), [Firecracker](https://firecracker-microvm.github.io/) and [QEMU](https://www.qemu.org/). Hence, the `vmm-sandboxer` of MicroVM sandboxer is responsible for launching VMs and calling APIs, and the `vmm-task`, as the init process in VMs, plays the role of running container processes. The container IO can be exported via vsock or uds. +In the microVM sandbox scenario, the VM process provides complete virtual machines and Linux kernels based on open-source VMMs such as [Cloud Hypervisor](https://www.cloudhypervisor.org/), [StratoVirt](https://gitee.com/openeuler/stratovirt), [Firecracker](https://firecracker-microvm.github.io/) and [QEMU](https://www.qemu.org/). **All of these vm must be running on virtualization-enabled node, otherwise, it won't work!**. Hence, the `vmm-sandboxer` of MicroVM sandboxer is responsible for launching VMs and calling APIs, and the `vmm-task`, as the init process in VMs, plays the role of running container processes. The container IO can be exported via vsock or uds. The microVM sandboxer avoids the necessity of running shim process on the host, bringing about a cleaner and more manageable architecture with only one process per pod. 
@@ -82,7 +82,11 @@ The `quark-sandboxer` of app kernel sandboxer starts `Qvisor` and an app kernel The wasm sandbox, such as [WasmEdge](https://wasmedge.org/) or [Wasmtime](https://wasmtime.dev/), is incredibly lightweight, but it may have constraints for some applications at present. The `wasm-sandboxer` and `wasm-task` launch containers within a WebAssembly runtime. Whenever containerd needs to start a container in the sandbox, the `wasm-task` will fork a new process, start a new WasmEdge runtime, and run the Wasm code inside it. All containers within the same pod will share the same Namespace/Cgroup resources with the `wasm-task` process. ![wasm](docs/images/wasm-arch.png) -*Please note that only WasmEdge is currently supported.* +## Runc Sandboxer + +Except secure containers, Kuasar also has provide the ability for [runC](https://github.com/opencontainers/runc) containers. In order to generate a seperate namespace, a slight process is created by the `runc-sandboxer` through double folked and then becomes the PID 1. Based on this namespace, the `runc-task` can create the container process and join the namespace. If the container need a private namespace, it will unshare a new namespace for itself. + +![wasm](docs/images/runc-arch.png) # Performance 
@@ -106,7 +110,7 @@ Please also note that Quark requires a Linux kernel version >= 5.15. ### 2. Sandbox -+ MicroVM: To launch a microVM-based sandbox, a hypervisor must be installed on the host. ++ MicroVM: To launch a microVM-based sandbox, a hypervisor must be installed on the **virtualization-enabled** host. + It is recommended to install Cloud Hypervisor by default. You can find Cloud Hypervisor installation instructions [here](https://github.com/cloud-hypervisor/cloud-hypervisor/blob/main/docs/building.md). + If you want to run kuasar with iSulad container engine and StratoVirt hypervisor, you can refer to this guide [how-to-run-kuasar-with-isulad-and-stratovirt](docs/vmm/how-to-run-kuasar-with-isulad-and-stratovirt.md). + Quark: To use Quark, please refer to the installation instructions [here](docs/quark/README.md). @@ -154,14 +158,15 @@ Launch the sandboxers by the following commands: + For vmm: `nohup vmm-sandboxer --listen /run/vmm-sandboxer.sock --dir /run/kuasar-vmm &` + For quark: `nohup quark-sandboxer --listen /run/quark-sandboxer.sock --dir /var/lib/kuasar-quark &` + For wasm: `nohup wasm-sandboxer --listen /run/wasm-sandboxer.sock --dir /run/kuasar-wasm &` ++ For runc: `nohup runc-sandboxer --listen /run/runc-sandboxer.sock --dir /run/kuasar-runc &` ## Start Container Since Kuasar is a low-level container runtime, all interactions should be done via CRI in containerd, such as crictl or Kubernetes. We use crictl as examples: -+ For vmm and quark, run the following scripts: ++ For vmm, quark or runc, run the following scripts: - `examples/run_example_container.sh vmm` or `examples/run_example_container.sh quark` + `examples/run_example_container.sh vmm`, `examples/run_example_container.sh quark` or `examples/run_example_container.sh runc` + For wasm: Wasm container needs its own container image so our script has to build and import the container image at first. 
diff --git a/docs/images/runc-arch.png b/docs/images/runc-arch.png new file mode 100644 index 0000000000000000000000000000000000000000..33f8b62ae78551f9d2d2cc6253a39d5b41531c8c GIT binary patch literal 47540 zcmeFZ`9Bn1`v+_*l&poyma;@h%D#*wMV7MfB8iM`>pBx@pr>{0$f+Y#R8+@q-ne#$ zii#FZMMcxaa2WjM0S(=!+*J^b66k)K4Pnp=)! z(>xt~I>h9HU4v(FpMMfKU@C8YU6JP0bdchcis&D;`?9;E4t%hzd*w2JLcG8L@Rac&Jaq<8CZOXN@wSG3*559JC&#sY2 z^d58VlH9((=lEA!OJ(25$sYF;Wh`V_;pKo3e3`gcS;HEG8LaB|S}sLg9}!$krJYKl z-M%{i1vQ9U71q>00|c}q1}N!$T0OrrR0uZ)QM;c}Y=TZag5jR_>B{up>xUjyrfq8G zUj;JC{R*s{Wy^*$KEVtwDQ*SqmTEjUUg89qIJlck8mbgjfcu}$LItuQXzz?uQ;;V zbs)TOja2UZml-Kwumdm{xcb2+$_xTFZ6~B+jyd$-WA2#ZjkX~%mcjxE4sLms2|n<$ zJz&3O$hq9iBkITOy~c?!C-cM|0eBbqbNMJW!>w?t$@f;vUoaPCb!QsA$C73l$rcN& zKn9RB-cFxJ_mOj(V0{YhbQeNp{K!XUG96C=shqL`RkYL$G4cPt$KNsdA8s~nh3E=T`;7YRMTD6$o5i~vitE}K;yp=Lr)L|tr?(}nO1yWNpFx|-h(a78I^Xa+{vY|3vC}PwpSKVxnA(#P8 zN?}nq!FO%wSd;LNUK{a2qekx#s|sxM2{SlC?O64!1Zm|Q5KO($n7K1_0zJ|Q=%K^Y zD>QGVBqK)s{+{(6zsrWRZFN795>DPV6R;68PD^aNY7IMmKd0Xs5SLVmJAH)&@w&i;mX-3w?sc;!;zLtrN6BCC zzwuHR;GYT}=r3S0D|+uMyAc(IgNlMTefTYIxT3O(gGb!IT)1SQv|+xWX*-aqSlT&4W!@{+Y%e2#Z%cUO5VTQ?#*oWD0{y%3#(bNa&%9? zbe6kQ^AL+Rns450HN5{qo#1p&;58w{;2qf^Dw6 z?`V3RsIax3WlkA%`sM>g&4#*1mIL)Cucf_EcO55kmfdDh(hsTX%=7dbs)nkl{x>nS zb9zY2WZrRE!awrZp?iexoow)iP`T+l1>V$pfhQx%UNN3vWLzn~5X`m?m0)W95`M#ro zK?n_ulfHO~)A3Z4f33?na`wZU%Mwek%ONA@*78;=PoQ12?2UcPuFenOW}S>}4Q=Jt zg@#}3j$~b{OIR>ozrD4rLyy$2toOF`?Wqlc`+U5lMAr~%9+mTc1-7fV3eA~+Nl1^aQ5ADfOR|m(5^9oU`M8pPj|7fg z6xiR8$9Nlv!kTur_VbPf|KsMyn_2T`bOPmH(tUVpQ_FS5k#ot}$3`z$Q6HPPBUX%0 z!sgLmn6T$CM8+!Y8RDoc9yc80bR9p~)d`X~03Q$^Esez`1B7%E8~I4wsBI? 
zigxa&iitS2g|k5xxf}X_Kiaq!=@y?RriR?i_9fUJ|7r}s9A0J518wm%$aW(>)YY7E4Bt$*MMyUF)8@DF%rw-vn8y)I5cAGWI<~%+2 z?}-%1;RfwBDK>u&gphhp7v_L3y2y%9h<=<`kEg!jX>9aG_ff%oy%A%n*_dEIQmNHf zma#4`xSSW;Q@@Z0KMK)3OBBCb7^ufN4~@3oI+M2Y{gDy$`fWGc@`8DX3mnkl&~+X0 zx()u~cG^5;ISkof3Icz5Tq{WxIQTmD8;1@T4IZLXo{&yf=)s?+k0nRK5FC)1jI$p| z;xkXz!v1YaH7(5STwi7d#;Y_SjCNJxq~n z1E4SJ%l-0zr$aOjjK7yTdcX60%%U~)S9`-kR;fSCfE1+*n8(0leBz*{yH*z##uD6e ziQYGmHk+MnuaE0c6aod3RyLqPXuebQ~QVo0&Gl3pSSN`spdaNsFXS)bHz z{fK7#+nDo1A$v9Dzga>4tuN6Lqw#{1+9y2!mXD6qF8wMx_GeK&flOMD5OtFq(!2N= zVD(X>gNUS{FB`f8@uC|MzBg;zIk_99M+TDvaFBjItsZ>HVEfxB(h!9?S&g}S$Qym4 z=e$?nR?zzP>5MuxJ4%G`3`iF5Go=Esn&WIXWJ{$Xgzj_ngd=l|EAwov3T$~l4Wq<9 ziXeGVY7lT-Vj*E&c5MR0d|df|y8L`RqQo-|mlC>6Gb#__HDN%(<<=w{aB;NkJ$0dK ztJMklYjLhm-RHl=?bWSo#+Z2dgv={X_f1oei#neIz6insu2%)}fsu?Kw-f?zS|qVY z*jFvtQ6kcZDvrfXD3H;I*xd&!Wlnq4P|R#6gH^SM^YVyDL)G>}leE5n(ibLDsCPVI z_$k@--)8ln?r0Z(E#6BB^GH&}1NNEX7O8zgUV&h+k`G`mR$>i$Mg9sk13`nT7|o(G zPXaZp@izz_MAVwRS;>x5SR3r#i+FEIxfy0eseYE7V5Lwq*MN_EkD=1XBM`-fN&f@xwuj z6@9{0p6P(X3_#%;+ZQzog-;-hA=ZmSy!S*O94GTbQk|wnJ;u+ULLXGGGXe(*mqNM2;uhZnP@S^8JteY0Owb-*L zx?BjZ55^m?4b%bfkVI#L_7)QNW6#IWm8iUfe0@CK)0c`YxH_ikihOb;Y{b1^nW%81X|SntPv(y2NCF9qoF;)U=G zJ@QIO9Aw)rk0kBU=Cdndc|2F*$o7tkuI*eHMgnH_=Li|n!vfD$Q`#g2e03j@0$;$i zoia&)Pl_v3M4XxNH{Y%48CJCLXHLo`T;u~NFUOo9r6EAW!s#T_l`CtcOj$leF&3Y8 z{zOUbSh?u|J@PG#Qe<4SHE1jbRJMmiOzj6*K6oWWSSQ#~G>w&;l-BsS93iK9knFQG z%Yd;F1J@(}@0*>a37qt@8h``klPiCMsbggPrz+75AmvoMCeJ{=K5KS);#%aubUV1{ zcG;(xPWxX16fUzL04Cmq)8oiIXY0@)yKSu)tr>^Kxg;IaGzj;LJt!(EU~n1O$KJ1x zL3|JHsYeK57|&}SIl8K4^AV6}8TpLqKzoV-Zq3ZcC^$oqbd&nW<}$5E(UwW9XybeG zl;nz46bWQ}r1-N8`CGFQkZps!wVY>t_u0_r*=!CZs10b5L}<((3JDhHvd4eKBBgL4 zE}~H8;xzVOR}Pp6228B9GO$n})}&dM^YPj88qmnKPly=3@fc*lWFsRF>_Druoa_%P|T+gAmb&0!iMM%k1Kex_#sCs2gs74ASuKnA)BZVbY+kG7s#W)C&EpE zy^iNk@YAbYr_HYsWWQ+MJ;06)V5iAMt4F36VoK6F#|2dq$PY%2+gD0o5+nZ)h(`f3 zyul0}6iurU%pUI_&_8OPKc6`YUFwfjt*)=2cnd&R3n>kW^ZcSiKIFj-0k}ZYV*h~H zk|bj>`skJUgDsy4fi08O3MhI*Pj}9{pZ?C3I(@mCrL 
z6`9QfvJg5`MiEwCwi}`L50D~KI4cdp%tsHV1E^&I)I(E`{m2J@5~8-w%MUj&Pno|n zW1U%>{;*57Tp8Q`_ zh(|!Uj-Fz&qS)L8#&`PGZp6OnSw?%gK0AKOcK@5MMl9W0PwtwZx4w$+yYlec(~z^i zFeCZHWR+zVO#`41mOm?zX=R}Ex?0(pBN_hTCkRU(%KL+4pM){@Az(B_pD~J%MIUl? zbM3XmLzd{irP+%0)vG>F*w8-S-^gB)Tz@FGoT-{PK^8(fnj-6(68XIzLpjD#gLnPb zO>Q~<(g)f(`ve@$kO1WVLn|=B#}n5&{M^08_@dVU&pQ({%yA(83Ul8%PIfjB0ToX}Xx1RGd|7-Fvq-ka3j z#BHoMO)Jhuj4CSr{x8nF6&c|O%!s=oGP2jNCcIj1( zv8*)OI85j5UmzMKIfZOjAXp`>^h=~qx01t5Ve3z(MTNub)#T`vw~_6*gLPCi(;%2j zmJ{|TxoEo;IxkeU#%_L(>?gU%QS@TXL(hpuM8UpMef+(wVOM-+(4zUq>Q77e(FZ>l zOrg!c5cGUzR`tPK!j^@rgwpP@#8%36hc(IqRImnbm?)@R&33!8xjpc(pse@l3tjuo zJ>rt>jjHAbta}6e{E_n5*7Bki__?Dk6~iw@lXMxaq5L6#e_8aqsVy|vD(!bEE!E!q zqsUTh8J%*AjQU3qt`;CPI4QepK~U8-TyjUW3TABN0}AV|E0!FGk5w=hm}!4uuP30a<+aMU_m%Wk3=1YIF%j0k0s$UMM9G zj9_{Tn+xf(Om0g2DI36xWcmx%6pswPZ`vFSTKa;#X(>9h2rsXDaBaP^j!EHXzgYfm zpJ%ku)}17;g&aqr`>^R?Cg4A&DE`A0WE^OT^KH6uVKi4%9yF_G(TEpZ_)XKot|-;; z+oAS{lwUrbt=v{4t(z>{snC!`Y9scTz&@|XamhKR=FU*f5`wu7-sPV1_C5)lc z&l%Od$y@z4EfL(`9wosITQ{z}*#~baaSEN>MGtqsFWa>`8Ew5TCk&#p>tY}f2G#+> z0VGSfOjPM4jprdv#9NzIha)v*QMd2hvCEr~I{dNPL1-&|Rp{_HX^*a?0crYLzPH}^ z;8=%K9!l|c)lqK5R@mmWw&=XgXgf}-V%$!j6U~n13}i>m?f7KQR3w-h_S0MC7P@}S zmz4HhQOF(?dmGG)vW)c^^+s)K?rN$@{E!IiS1jJW++8H`Mrh2z%erg)##4&xd~g*6 zUr#t4MbsNmjLP&nktJa$|@Igzl5X_jQEI`3>!j*B*V*v%hscj1>Idqn*`bL8cC z1s@?_A@+5f(gL$JB1Fs=g|WD}DDLf};G=gAM;EZxywK_}h7|P+HIh70UYN$`2mi+h z>jEiHV|byaKw~rX(X!h3PcB5g(6kaXGt5nL3{&uCH zu&Hq2A!_qn9d4Fq5a|}e-xu^Eq4|BBvyhRXLgDY4^h(Z{dN0R8spVk2`XanPWM*Y# z?*mkifM&KIeEXde)xBc($8nT7>$Yjwy`%F!nfd5r4OQ=#JE-T*cMN74dq1bx;GPt( zB;^S7e0~#mUOwi{m5MVB$7hH2BQ*vp^^0wkKfviTD)^=3VxXe_w{~x*o##OI%IX>; z`94ffK3xBL%iHS0x&_o!Xc}K6sY%V+UM>0A>s?=0y{T8Z*XgI(8?Ax1ZoH|O)*3Hq zsm!cp|C*xJMjRTKZ$sSC!8H`cd6+{{U0Y@?MBQ%sy7(%$QCUAebnO^@zuLNfOy4H& zs^{p3y&6?ZiV=mt=@|JLZaoj9{Wjv*kyeAU)1ywI)j8y%I0Lz2o#A0VjgGtaracEK zsLiCPk9bYM+PeF6+$6eu_4yqgms=QziqD-WZ#2p%tBw0kFEUWRAUY!nn8y)#c zGnCGAZE)ze+L|fyjaqR!p8bNB7;yogX=Pn#CFErbVwZ-)M+!!hFarVa1M)zhAbiH< zcxdL=^PCwn_V 
zmzp=Oh`berV${^_n6?kYKbA2SyG9;7ngwm>W9w2ME<-ra(hoYP72CMkuCH+^VD*nq zlx1#bH`Lr?D`->`9uzW*GxEibpYyU+SY2^@rgaA;UX0pg>g*rc84Q?IsAWv((!@sD zzIngC%g52~T2in{HxwzTSTH3u)fe(^A!mJ_%mA+t#r9>#f!i=QO;BctNeO$B`B;_S zXl&m9)TdmO;)iT0WKQs4yjk!Cu5&eTdM~lJE4i3575Wl|;?su;+La8FtGx4$+{kdx zy2FMKJo0?19uF-of1n31r_yf_{iG|ihOasyv+QxQ)H^kAs>=zT8g{KvQYX&7o2Xd0 zqi}B191Bgr-B)(%ugQE{y~$8FC_ldL%{-s3*N}gwzFRuut)4Typ?lW9>lr=(bxF+9 zC!{7FuG{{80lgz@IjGx>htA(Qho^3@A^p@CC&3wYPrQ_M3 z(L~Pg)l}FWuYmhi&S^yUFFqae+h0SjP^%beica>X9P7xpSC^`UzTtr2dEWse!x+3r!AV`pt#3Jw^{| zYMVVe{4(_u!V>Upb&{bv@yMXF$GP@1)Zr5ai@kJ^?L$?8+{ z{4qFBW1_L_r03xDPOK3n8b=6|_z=Ew{wRWx z!-Fah(tVyUfx(1|Q!|-X2019}*RjQ{$NTO4tkG89ME^o-@L=&V?1n6fkAWAwNw@1R zD?B%@-$*-Gbp1Rla$zKk5aq}8W1vMi3%}zrDyHh=gL|1{Y_)sMU_h+!+9HVbJKTii zc=v&&9qz4$Qlk`5aNAtFU#LrZidx>lh1bNzL4)@GS`8|2jkk_GtJr&_v*4OwrJC8Q zN?)0qmFx+8N+MGcrNUqd93J%MZ8vs0o|yOI71dn|JzklQZ_~e4Ei9nv00svaS8XG9 zZNbv&gr_-F!nNFIrI;IZ9xN+=8J|4#dgc7F2iNP4X7bZ?X;1Uontm%Tr))}GlW4jp2kmz(_t_G? zCZPwL9Hp_M8O+r-P#lL|J0q^d`F+JWbVa6ctSZFqVKV!7pYKflUOr5C!uf8WPJhF# z^Ek^1lU>*6P3cdHR&c&*i?UO3n9*nKj$}heMdQe37T?jna?D+zhmpGImP;Cky5h{G zWp$})2QLHrE_;JXG2!R}{|+K&axcAYNlM|O1w)&S9w852G&WrS6ndek;@(-)G3Ygf zlw}3Sq4Et!t$?(b#N&9}yjgm?8zI^T?~eRk^I}=jx5WYn!pHUj^MXE;f{A%~R8^W5 zcQHDZP3VA@_iPx6M;8jX{?Z~2)1Aw^U?ueI+|D`WbzD2tNBKm$%?aPkYww<>&kx`C zZnhWaTMf}8Tpv&5$9~F=n=~f6Xh6kn_hwUwucw?#KE_TjM8|2qo>Ohl42Jd9??$2; zyW%a8(Y_8LBbA@x2zc(6nrir9Ml@!99y+R0#R+ZY4|EAAl0;Qir@~gHVg1RJiWevt z{*%iOQBy~%Mv6yEGoD?*npcykGcQu7Qq2ACdH#WC!>)o4B%Tc1&*#FHd`jMhzHHY@^I?)3@*YiG{t)Q! 
z9a)uRHc(d{7-2LpU-0ymiHFb=V=bSXSdNPtO^X{HqLgyNzxUgzXe`;EL+U^>GC%h{ ztqEFtE%n5R#2M4$8U&NDUl$K@2|J(wkLc+KLFTf>{zvG$MfpIK>wrG3Cff%%qm{}% zZGFr8>lJld914|ACv+%z3Mho#1hJTqwJRxV{3sxBCU3x`;D>gPcDBV2H;dxfFFKC; z{E8Jd%GGZan3rw}TpI5`K0sDDuzofYBx@o)mqAPWR(RNxyuGzD2S$@!XCdP+#-T;& z0RiXjgzSCd^PlAJdD|Ay74R_+T9u&M~$%#^j+m_V@hB`MfVD{`DKN!2Y~d* zh|bIY=T%?iz<_Ar#*itNy=O&JyxxNPXVj-_1tu{!9oZrrtdpJm0omjv5^@5h6emu` z0SMln6L^jJ9oc-l$rUa2+NC&ez;yR!nac^2Q1+sFZ*xHt@zU*tl!584{JuDMm*#3| z)um-hWnSQ-KEOX9PO0u$<2i;0116KVuimjY6n}p^(X~{ncfS3pkb$F)y}7T%t-9g7 zjjBX{cEcP`kx45TtJEX^K)?h7V&HE+XE`XO7i$Ef4+ z8FP`Yf&ljHLCSX!%OEj~bMF8X1f_xk>Ul{f)_k?GRmLX^R(n0X(0%bx23uCp3G`m@r`Ezoo?YwHlEk_{<^Q z&C&Un_x8Ikpejn!#2))_7b|fGo;ui_a0_HVGKylLib-Ve(atyVz|*;FjH z15zp5=N&ib0(jAR^A}30B|ne-@)<-W#x{%S&fY0Z51q39f2-WsCDN6N;pufXiznc= zZ}M{_N*^h;oym;t&n%4?9b!`8rPL-ENsTl+);StF?Xv>EEGnZ=Iw?YrifrplUg3ew zx&S1F^CYJ;IZ%N9dceped?qJ5qq}(v?E#W^5&>;G{DCpKEGn`-tY> z1SR_921L7KTl2Bg%vV738A=uX=3wnrQt9U;!$?>oH{*@p+8x)=Ou%_fRT*gv1ttOt zBq+l%K+8Qzl|_g2KkPJ`Y|kSKw&w&Qtt5>lU8+1jkopOn0`@c%SJWc|$nI`*W~Olv z7GOgW-5e&0;A+MvUntG=Hg77@cy zD*F`0M3Dx9AcPI3^chkw&Uka$OMlVqI;$EM)Xt#^!W9QTVi)kW@io;%;NmG7_G*jr z*w1wv>ySLtu3F_+Arqo>!{=DL!(|ujkN)Fm7Xig+hiFHJm?#KH;c607$G`Iqcucys zgS=0IwwW|>M5?yX1623~`swJjL5t&_IZIYw0+OxzeLUaZI;d%4=^ckjWmmAY45aW_ zN&S3vU`z5$VAWE7MqeXJRY-JEr3xRADFJw?U^)(C9G;UC;>~_xpwK6>3HOjU$ zKB(%EG^OzX^=>(Eirf8blulb1#2Ku4AIq>uD(KfJnKtGm5KzG#31L3>_u+}-rxDy6xr(45T&pEc^;%gh1W-2;P!d6K` z6s_|8l*(`lC}uB~wIqx|>~0FwsSP3}9)md+45{xc=k|l#w+0hN!2KwlgAYFg+j+B) zV#0juiVLrUwsxA6Ex+*4&5#;{Mav&5$;bcC2u0(Hs?})x>Bn9w(A4oRM=yw7D9v*1 z@c1dt1NK>GL1np;rLBw_5yv=-FeJHt-C3_tx7HqMHE|#a=EvkRC^{cW()oJ=b1lJ) zH)dPtZ+nI=2IFW{mOxv$QmMl1AF~N4!JaTDTm@n@$APR?tE8X3EUiP@iCHOwya@3E zU=8x%OE2JU^o!yBX=aE6I}L)$UarxOi?Zw@JNVWMrsHl`A)vhO&=cF^ zXamXS2SDI+G%XI46k=x!R>2wX@YATUePbMzvuWrx#9yXG1OQ^Yf_COq$RZz;0PZDy z>e-;o+2><#gXW9R9(}UdAxu5Wn+X2HVCV8dDHj8LzMqJz(IZGGUEg@`!25QF(Y?R@ z>~z<_Sg-Pd{(u2Dd%s|ZXRR`V+4TBzl`!51pi_7L$zn`PR$;P6BQE>@wiDV 
zKvYTBdg6%hfdsrI^~yU9e$A#cTzicYuw?lt2-bWB{*t*hGx@-Tqe0lPs2vvw^s;g5 ztW>^<_X#_^Ncas95`F?|@pUD~hY}<-N`jAQgSX6dih|iXNe%`QzevsLXF$>0f7N|H z==A~$!KvifyN8x~H0N|yZN5(GR^)5GMqqX-fPRe9uxlO=_|HV3j4jQws&$C{gZkC5 zOe9c<|Ea1&vPnW1#~c7+t+2)R*w2^sZ5A1oJ0W&DG|M|9B}bb75qECThW4AF&JJLh zt%OZYw~yqsr-wlT0MXO2jC==nNER^fCU{MiPVroJkQb>91$v&uksRz9k6RjcS^z%Y z&$o{q2$ukm)v!OH-@okitgHrQYy$==48U-wTY$qOtpjUtP*`I@#4)^6lWAI-^QAjg z%K89EY2~4almls410exc#^crFFot(XsVw+5ogHv9k3e>Gl#j>ipqpR>l#m?E)|_L_ zs?TpnR_j;l3}c=(?g18vGEFoGHryQ$Ss&RyMqs>wX~~gl@FsK+QmLqD-UDe)R=s*K zfx}vrN@c%!Uzi60$)P*v#w$+}KNBCN_pzP~WkCM&|BL)ZvQ~wx4-e-piaXh4-sqk^ zO!q+-7@vjZ_mm#dMO|>TbDVgcSYjC8wdw3F;KPrsvsVIM62rPJO?(Y6{i{Dm8ai3T zObj)VTOC5)CobZz0JreJo3~UnFMu|ax;eZcQYxgK0rKpFVgCRoVk#K_jtu_owf z++|^}31ly|NdO1`@8+TaNC8LFSxy5b5>RyZO7(_HuG=s=SXp>z7}e*b<+&66#R z+Wv|Q^Tow}KEJNb9j;J^>5>8r@5B9_0NKsW_d)x6`&Cujb#h#T?zQF|ya$sQ4nXrd zV~q5E*ArEitaskpZhxEXZEYy?pBHa6ebh`%gZ25v67T09yxxm5vEO`XyQK&d*?JjK zz0zfc(5$}j2IH9C#+w6gnZbN_zp%yyz413>zq7$2UEWiWL&Agd9)Q$=?2LI1X6YP+ zyx1!HnOyB5{R4YCIH{s1i~J!o-jS3ltNv0xp~@`srdX ze8K0*Vj@jH`}Ujg+X@iX^|h>J%_F8v7wNAn(+5kImMFRRqKJO*o3MfITS@%eF!JUt}E4S_w>ELX&oYO9~6S<>+KG87V@>-i(b0a@b}VF zg^QC4AVe7t@*l-*6zvU*aCYzYnzo+YBDek#C)rZUF<`90Vju}KjeE*)Z=NPiH$ZA{ zPL6B4U*qFB*C~DGn`>@)`l_q(3I-cIz~ZQ=YNV@;*Lyi!|0QTm3MVe=(UfwcZU27Z zO1^5kInK1Kelx9~G1FV$jp^A`edf1(qTgHY`-B{sjhN}RmOHj4bG5Oda|*nx{(akP zGmRCv_07GNPS5M1{-jYEJ7K!}625T8RkiK+@nG^hIN(=>`c35Ynv8}tcOe$H>5Dtf z?WaIrJi1uh$MFN-<$!|&@&3D$vWyE4X+}`wVwxTBRYzPzBgN5KL9?5TCii*r%Y@h` zRce@@^cR>sJ{N;^;ZRyQ!sGv?A0{vs^*pn6`3g%`+GhGzm*2Rk+?TJExeBum3&OnL zig!a{X8tTy_(Cl$65g`k(OY`j^btc$sx7fYdVWJGRJLHTBoDjfpD4fYGhUdvPkBp( zxWov)&Zq3}vAncP+^4oj8jqUP6ENQAWg5zL?5ylR#pw^MdiBps+S(YGrnT2@SB6X! zgj*$_ocu-UF?ZMyNV*Nxob8x?oDuSq-p?3$2``V78Z32i`<&CHU{GGuo+r6#ygJZO zsUuIxGaX6HuZJ5&Qgf=t$~^DmKu+xjk2xKBkUsT2;9He(!J?O*j2tW4@oyo>F;Lyv z@{^F5p`Veh@r5RS)xoLR{vEKB*QaR%r@bRQsLy2hXL-%ZnZG!>ZUi4NvOuoy`s*~YTpJrr! 
zVlxLLMy(!vmnMZa)4=h@84*I32HqT$%vN-`IDpC!OxUJdj&S3 z6}lnE$^W-?-*x$WYkcSAQNFRW{`wb|VRxf&cNNa?k`E7qXxsg?-~99IYqS>se&0u$ z@lvirN!kte$K1h!RebF{J;-aJE3r#4^CRQF?;|%Ex-`1JhL~peH%3tk8V1Y=^Jwd1 zUn{8ZF-{*($6GEJ(_Q*|v&VXcr{@HlAxCYk7HC)ocTESUeF-qryAduzjzpe=ON*PW z|FXHelEYSW1(`cTb3Tr3XRwnR9$@r^%N)AZ7(};P=T?t=CAYD9@mM}tyAGJYM%e4( zPro`V=$%T-+kwa(`Pv>tceT<;8XarvpvuzDIQNG#zi|h6(iaidDrQb;VTem~wH=82 zpbKSUDUQ+@{-yF}s0x;u*!-{qclVUpGHFZ_OofqR&`8X*&1eaY49)ahO!(qSo;&X< z24t7m`co5N!J#Md0pIjlk~n%MN$*GyJb?Yt$Mh_cW4oD~ae_S=4u3SV7{`dOXrYW< zXBO6)qkQG1(64AUGS$!(v6#-M$vmV0iUM2cjfL$qgHCmYkB$=9t1i*2Do07x%GQlv zj7x8K$f8Y~@sHe!JKM&HKj4Qn$cvzT%i!J0*EFGq@c$0WZW5@;)fZZAmh0Mw&OrJV zY_A41xiOs|BF#sTfs*ffMvD{I-3toF=SLkb0wQ4@aVF3EeM>rfC4!>`fb3nqXnwm z)1ZvZ1Oc1ySG4df8E9EJCiaXFk$eN-&7CHp%Vw781g6(b;mw=aY`+JmJ94~cI2?+x zW=wGAh2fBZ*SwSvIgD(gRD=DOXQyl@ojdYfIVJvf@8a9rSJ#nhyG?D~BJmkEe1?38 zbvK01?}~@dE$`G}_%}AQICM|W?*z~Mu2%2TYS5a6zs?;ON|KrjcA1Q(6{GZ_4fx2i zt(Cx1cBVb~`11*!21FUHd6S#pNVsw(YB*$WXZre*emZirGhWx#$4%_m`gFqhSyr^% zsSFuooK64K^iyB*1PB$4a2N*elfu&af&W9=BZ-ypqu%KIOAyXt>?pUK3O`YFe=;is zMxL{k2QC;Y+}1chy6jN-OSDuoe0%-RKgv5fEV zEe+9B{rW*XJ`rOz1r$M1T$@cy! 
ztc>CGZe9HTVjq9y+0!mq)%TV|Mp+J7c`12W+AAWh-}VASnkxGCP<3KILFX=jYr(fz z&FHz+pqrSlT;!N!RhhHQk*l5N-D*%D8+qGRi9t8xdR*Q7JD6L)f=F8CR3=Vw>9=iH z_=t43HSrhp0%}vG^I?{h0jZvdNk?H1Z|h8J~F6Z6U4g!MJPLQY|Jqwax9`d`Zca zbo3td>*ct|8&KQNfn|=j#rXRaH`F#-eam#4pR{8`>yk&U_}{QV7m(aHOe06dda<0* zg@gxtVgX$)cuyp^cYWLM;E!##r{F>L*m_+2suwQ3yVtB0X4LBS<`T~IcyV4)#X7EJ zIX!x-xL|Gfa{cCP`VC@2vT6MtWxny%ZN>NzoOPv8W_VigWKMXpVLW+!I7;Z^!{VSn z6Q7&WV?@J*15)&<5F z^Uu8?Y#0|6#w~oX9O@d1qP}|^w$gk4SfT^(7AMw=7uvrkUuE+AG(IIhPK)g$JX&q2 zJ<^(2KQ%9%c5e3Z&W7g}dum>Tn~nqbZojfe3CnH&zbSY#x^^2v{ICpdY(e`&e85{@ zuT{z91^a!F5Nxm9xqI}xG!(Ay&Sf=Rb`lrUf?e&#rer;=6dQ*bV&%sjzphHC;4TRJ zD0fxXC@N$HchtYf#jWhB3fo$ZVa4`?GusN=T^=?Jn8Nx!v(!RtO)|T2R_NaQH;GPh znbteMoHDKUcz1V@oZCtp-3_%nO3QzHo4;$=TF+VyaH->LYpZtf+ogU9@Fq89+5@vo zG8>^cpxYP4&omT;HK`j)K4?E=oNHUSl&!PH34677d$y*q`8HD<&yVx7(drp^QCszU z$3J$pLt!D+>5r_-IiPbXkD84-S`_E?#fF2UTI;LgwtpR0kpHCn*li%e%sUFPB>Z89 zYqxYFzLk(xaeG4RMV_*!0XxUKhHRo>sjlouGQLfVfAz0XrxFtHqIADl{H`S84}a*N zK@(;4WLdoR(W{+l@<^!64AE@FWLiqZzB!4>7`!RB3(ksyp0|ZbtFYLoR=JP&ZJ}V= zt=@61D`VYTPL}h?_U3{v^~nC%Vw46=Uk$?my`s#&D5=!H3w~BhQRm5GXw8C32+B`R~9inWI#E=jKiG9d3&g zm#h5E1u$77{uTzf71!?iRw;IZw%8u}Lanl9=4Vqqu4cxuaIA1E z6Nk-&E$d{!$LU8{h&FzzHLf+~`^!5U(ivw}L;C}l%e(pOY`1q}aHbb5S3u#6HOxQgQ-byue-cb2{iyMO5s(#b2$o`yZfX{F}UMHJQYv z!Q%W)s2nbSzBzGfX4^$a)+_Wr7kCMD$2yeYz=f@`^Zi&`6Xg5$TY0Fphjah^bTtJu zdL~HEq!WKR)KE!bT$Z=AQ$7dgbFR$TWJ&3EN?Yq}L-$!?A?*4RE&G}RVsW)~y1an+ z1$3ktTQ4J}f{DW``nD6Z`r>8mc@_l&3TJ-hwWl_0&%)Z<)6xp*P?_}tE;>7czEk-Q zq?uN7y((h#O7ZXPTy1Z{%caHw63gfeZmOS$9E@{J2;nrkhhjM4#c{(r&1p74?`4t) zLdw{7y{g3;`gg3x->NL2Z(H(HXYL$X+<2NSVG0=Va%0r*{LnIg`6!nk*)?a)zPA~eo0FwL)^^)qFyln z&D}w+yL(^S;5{ZjeXC8l_!Z+;-+r%+${z(dul|B-p2xqkmnoXcGTzP7&%>7KBDDxD zL*Gex0%8Re&Ot3RdKCJ&JkJo7SN|k`#r|S0RWFU+7BhEU-kX&pH|i9pWF01E9h@iT zFFEhYilZ&4??lN?N8d5t|B*?Y30#b~#pYCjw?;zGZSLC0?rc2%YHz)O4(V_2=FJ~m z7lEQW2bryOhOZanv#r$ON%7E?*)Pd68HQbZgY1tK6qu z$md;tb7%gg)2Lkjz%&$ljS%>un3Ve(fTu(xSI6qrbDTDpTL9YTXUBzqXnXz`9aIkK ze%Dy&)$zuGp|S;N#Sz5}9*;mxIg#yq{htfwn`Q4PN$V5!+(arelGh)~`0?_}m5S{j 
z|D&jYDbE0}Reb*BhgpZ1$>XbbfB2>a`8otFVJqd`(+699v5ghoUPt;W*{U~kS@eiy zw|%-WGarJx)jJ;!_WnGd$?vljvSgr=Ap)d-eebPQ^|?#%e7A?={hRVxEXJl+zkM)F z+IL2WxJN;!yZHH|r|($4uiLO%^gL?^Z5B0^n#TgZ)%I;V#9XgQH;ZLD8E;0dJfc8-0LMg+Oix~V!WVrx_2BC zXZq1qCm_wgb=#WYchYLf#S(SLN4z?BloY%eu6{o6Bp0%rkk)UV4pS7lV>=lfk5jjh ztoI%7100IXc@C}<)2sdl_e#T^&DO_e6npP4?nL733$r#}zk@2~phF~niL0ZX2TZ@1 z+Nv6FO$BuR6Bd#@_uoIin%~BU=C07@&p(DnOu-MGtIj@Ou>cW25qBiNHV@^@_q5|f zSdrMcpnvKHNEwd!s>fmUD z_47Y!-F<*s~VYYjPGB@hx2z_1h{_%fr`4X%M_a19H4C!niM|iIv6Y5NqyAm3mpsS5UGD&vDNA;`6{h;LUtw}HYE3ypwjaK!yVt5r zEP$Ok(Y5j!_jcP(&0A72H>6BtKX`0Tr7^%57e6lYLvI^caUm#HRpb?>|9yMS6Z0<> zi(XD@yUN2G{$$A}sV^vAxX4e^n|vn%2#nPeu<@Uh|K`@>MYFxKxoM^8t;C#^JS~%o zCVD<+SL7{0^r1Kt1(ibT%R*dRb78Ja6MUP>_O%SN~Aj>3o zw>DFL2g}9M$9IP=$uR23Xm5S{fL)ipWNhioTYiGbA;qivc>SB`iGdA;jnB z5!Uh@R}}m)aNJXAc_$k8yxV=~GJV!r#pKMKuJ#PI8Dz-$6DN~O8WyaU-lj|W6|&dY z93Mu?2N8xSuaZdpgrYI-rxOd}+_^_z5gyaXABtjrbG&MuYRM#A}4rJMO01Y%RQ=BWdgFYB*gc zr8L6<-A<`kQQ6K7^a(!Rlyl2iq%!JvcI|xhp`)xx9OD?<_14w%ty0N83hN?#OAj03 zC#vzX+xF!Tm0mUI`N&@OQ{fNh^H;^q6U~&>-t5){55?l*#+-I+IH9hkMO%F1IXjte zR&{0JlHd8)yO&O@h8qc2IE>rZjRfQ=&Lk;?3i`of781+G*A+@o@Pfa5AW|yFX*;-#}jcF_7Je?)&JW@5GYMLlq866;ibGNF_DgC0Pdr zocC6Vq(fm%lldDYrHbbW3N@ru8jLG+BZ}#Ud_uZ3S$n(ZqE>3QtX;_qwYH|v&1&q!P12esft@y&Syu*jh_qbH@2yp`Q9nqM2@B^fw-P!L#wSu zf(MbHXbqum z?M5k69v_#1cUns9#V8%leNa?0q?3AtROp%H=~3|6_%d)a!g>rO_qky_?Re>|a9yy0 zJR^2QBj0TL${8|f!vHki7Z_uMy|bY>hlmW$<}R~G>N~Es-)610SH2@f&Vu52K>UNy zOpisMcJCv&UxjDP7ej0cR!C2ZOcQ>Pduxa%jrq-sq+UfZa?htQ+~+@~+mnCYYO zD!4F{m)?@^Spr^tc{p~q=7dwk_{LwoY2{m!dDo>t-JJ-xF$p+*_Z?}-453XbZNItn zbHZd(u5Jmb)~UUe`38Ve*I4eIY@yz#@D}Ezjg&O43t#4w&Z@TFuIAcJn+z~JdH2dU zyQE6$3sEF1@&Nn*6mdSb_sCeD0CMVU+}vRO%KFoN?&!O%G<$!Xm@m@TWYQk9FC2bj zjH+e-0=nbiOQf*@QpLwTfVpYhh@klGiz-4H7N*e1!|lsV;0!Syv`?yhbxeU&@*$0a zRb239P<(bwQF|gD{K!+{MV4hmz&D;*C+5q?YAep$mbZ~644`?2lp*9XvOboSU{^p* ze}lu0{oB`6($;~@gq3~`UBR9aF)8E~xidGwyszCNsU*+Br(ET~88jA+d1y{J#v9Bu zs%np<3Z7NCLF`bUfvCZ<9~Pqou56-f!5hi6pdIafk~Fz$Qq+j<&@SB}*smCjqiUyP 
zVZZ*&_6RO)DxyHJP~}M7@^)-;F%bu`wI94aN9tZPj=jx-dsVOCgDJI#PkN+kY_g@B`RwEQW_Ngwak0!ai|=-Y zf`=xUDrr)F#0D_D_*9{%5@XEJ3a`Z@E)xPOhRs7x$ueBJ6&62ZNr#zf%R3zoCD%slOZK~UU zkro_^boA?=KlA);ns8v=eIMTuFhd2ii-SRI6UCqPaN#u0jkcnQzEe(di}-^blt@r7 zp_l5X=?6&d8dh{Zp+c74enPsH>bdIK;1t>pghB_RTV;(12w6lgg^1*xveVbUAD5*B z20o&Q{`B1RufVWa+c^-*5T8l~-`!Gg?q&hpolI%YeyfYd*k@j%Cv8(Q(@1K(G^2{@ z75$%V_7%%Ke1xPoJ*Ik29^i5ODge@y-(Y{zHu$dRh7g~DCe?rq)l&>KUTBp)8QcRT z7dC-4b-OUOgSz^ry4l`y`il^qyTVrlC{RPrkoZtJY}&AS{~_{I^7iW(+ucJk5u=IX5{^>{BD!B?F%yTdAM}i+_0$)@B@?WnqKj{9c=CsdT@(dyTETUqvt z8Y*g?MjHCfD&d6hUo))W9)BACN+DIj!-~TF-wUd(cJxX!jTd1PKvbMwH=xGF-HqiA z7guKqU;T6aD(PVn49MZJv%8?bh;xeY7h4^BQ<96>MOeC7-|+sqtFlhWA}p9n%3mii zb6mu=JaULR1k2u0@aWbL^;o7=^Jt%JisU#GC<^2Hd@$nx<~W+%CJJ(7@ES2WGDv=p zM4scaC(!>7Z(kV|<=XeFh+9xl8kGi-1`(u75m8bk1|=OtLI$LBK(->%ATcN@2uO!? zi@-=o=M0T>cMJpPx`(}==lyWjde=H1&WF9W+kMZK|Bl~96|cB+p|H)6#d@_{(9urK z5wwm`RaO$s#TYcRxzLUo)_JU?k555OqHLSbp|mA{kz#fExz7w@x6V%&#`ojao-s-v zg#5VwEB5a*UPf1*QC2O<#ImfLg2QW;xsZ6+y3rJN(ujlIgP8<}@c^zPCti#Fi_8RM z-}S&y)bW*~3!&1h`T=7}HG3@V9u>tE-6&?{2cuClT;$1)&-c$6W%zZFF2SB0&(SMu zR=Y*!KMUx(xXLBJ)pZZ0hAa8IGb`GN1@&9_Lgs$xFF2UkCE?t&-@0VUe6`!PnM0;z zC?T%rzc)GmK5ZPVX9PDclA1Fl9E2g444DX#$t@1W~VrTqAZx9Yk(RF;%pbOWz z0vav*3%8GrQT=)|K9lr5R!^0;dUmGHW$8RHk4BFq433yrU$dL7mv&?|F7?_Qbrqsv z2$q~7UIQ({=n+mYD4JgYV(4XmMb!Q%naAgkokU*3r;p8K+vSkHf!OI)iatBr@j_3A z;krW2fCl~HJwQh}bk?3`H1-dmp)|Cp_Q_~5<0QkGgIf*CEDi=5p#bhnjz?Hkl7 zix5xnX-5^!26<~dOxp0!pCPaoiwx4u9s~lr^JZro7)ZyUj&Gb5dty&KM-xazneqZ{ zZ4mlLyzbz)&7;w(X$A4J{<0qx_rd%DaB(J_`gCHPVo_mc;@q&2>u5=Qn5N7|W6^^8 zj`zI(7*$oL9Bz3EH0&7-)NFM~(sHM=6SUjO9rn8#A?rGUPyI(=nx z+I8bvFG*(O6>NH`#^rFll&wH$jqb4HTt^f8Y1>_WBgw;cl|P4DDmbYJP-^_v9gs81 z4B^IKi+}U>0%GZ-U*@~n(oBu=*7tgrx;HUuCg{?XU!V^v%IxVbp(e>xin#bQgM2<@ zhB-+oYeGw_28AeXI#9_SeEqRS>j_6Ht6~EcN}hOLpe(pu{=(@hc#@rDa_t1 z8$TY1jAij!|6#+xcnZ^Db=sl*!}IvprQSu>8c>q<5|qYBW4~lf8&S?bSw2iO%w11M zT~|G$I;4`*+^4hLEas-Kd*d`@vOvHYxbp+o`U#bRed+;PncLrkeTgZmE92O^(uQ5eupHPS0)imd(&V*_-2fEyaYchkWmD>(9A(M2&^7j;_WwC`|jyU+)(8j 
z#Z?B7uN!(m<`cw4@%HUhLepJ>Y4k?n{8{{Lo_ue)PZ<%FKiFmpkY7Q}%<&8yXD|GP zIlbgFL}r}fV|CdXcL>BD4AF;Ls$YI8s2O2ux;1$NXbxbY+?{CkQ_b!-Le|!R$||}N zZYW!wOa_SfcJo=Go1n-~`pb{6e9$ql7SNP$d{-wb&;FWJTXk}bL&+Bo>M{(0NYE@u ziAyIHrf0}femHwqQ@!W3zgQtzo2c^LaFSi64-6&Y8gaz1c_`~n&{;^Z=SJkb=j_s$b;X zGv&8K2qvDt*lxW7>wbDgK4A@1o|j$98iJ_u78&S9xQ^M|h!RS?1(u>yk-PwprP@w`UsDC^}0_r&&z5tR<}$i+Rm5lZ5Tv9jPdL zw*pyRf))dFqjg($CtXvZ1=>*NX#Hnl+$&t`cOzW>ApC0N)|A+;mfVQvS`A;F=w%PY zc!~gl)j!l9O5aig3cCi{{DTjKJ8z;W7>X_^VvX*Ks>kRqw`vq;T)4eZazAm`?Bm1e zSe?YuO|F=H>QAM;jqjB*kGg9y+CB+41m*YmPH-ygavKI$@*6WYd%l`&jxN8@M30Qm z*KO)(%;-MI7kI&0YlQY5E)C^Nf;>uAsOTtQ{W_5+uoqTI!xy1Ty~xh`!@Tfj_toA! z_#j*m^HIOo9^drhF6gim6#9ZXq;0dR3m^{~<$jIOY|uHz`^#?*!r-tZcL?Ys_lf-e z#9P7I!`li(VmsZ-Hzv#+aP~^D1G*mzsI#--uQ)K~Aj})f<-6nB=YAXXFjz)|i_wk0 zN@$bkJ{vTu^P+|4l2~+0TD;qiaK3)CM`l-~g3bZ&T|P>_LjAI=;lB6CheEqYBwvV_E2< z;=t6#%y-!xz9x^<{?VuD45SP)SRAdk7!o8Jk`* z8^a{Nd!=S8A815s9v$fh6`505-ZRBBr9V<{1nVB#2S)*@bqLVP zw@!z5WPg+-%k28j+Sh6+*djjDFB_YgNsbGD)wws^-2XH>vVLdI7n=tXC?{^SVI5*FN%kC{ks>uN1Csk1e2cP_bPlLUTn;}AK&m*T*xDy+O4CLw1zuAdQFU<&T*=9w;BQeDOYY=SyG_G(hoaG zHS@ub<0nB+G^*xsWwg99_qHJ4U)Ee`W%HV*4@p zhj{>j_~R9d?5`y*ZEK<5d3r2^TbItRI$YNN7)Dn@S4cNc*HOr_*=xf3t-7r>=3V}x z{sbm*=o>TCv+^HZ=yHQlr?ncYka>E&sqD!@-eL0Feb#<^(IP@&tv>NUiKIiztPxIA zK1cZrDkzigGVS6gXeqLL3PgjQIqQq7tf5`p&|i6be2_fj>q7b!s-G%tqklzEP>;pV z>bVk7IO<18fc7Y(%&1GC`T%|75_o<3^c!yQ%_XL*BY)SE0WoYLG4E7iKx7OZi$RC} zDHGi$EvP*8S7slAHKDaKIuoe6{AIE$6WE(22uq^Tc+)@HaDilx^%jJ@5OI0iF{4As zd*=IzgZ(A<(`@yNr|3<$%%Sl@R-*^=gyi-$y)Uro#)eO|y|+gWZ$`2lwBMVfI_(ImUIJjpsKr9CXU}BzT7(2oZg>-V`VN7RSP9xrTq(#h$kV^~E7a4*$u@#u+9XR8 z<*d4(>DmBQ$O2_9n*?`o_F+r09!Uw@;B!3M7IlQI0??hP3XawG0L}#J+CYK#Yz2)g zO`$>h<9qcQW`=>%llD-R5iq*rL5LL~_kaRw^&D3xz);+fV(E)`baYQgT~S9k)I8M8 zp>l%?e0_%a+0A4w5nQbi0A_Yoo17-ex$g6!rSg`jhie1wqo?yZY z6FuuLnSdI78$Fa=!P!v(LQ!Rm4%YmTW%Yr#xv<^7J>G%w)DDj!T~E%6@r7RoF)KhU zRg_xS&Qm-x54_QAetr5$^V3jzXbI_>ta9HLfvMHIc1srU-d_+{63xkO2uD^rTh>+d zZL~d3B;vH^rr?V2esUIotQ$hpI1{2skS+P)TQJdwueX(`rf-MX^Gx%j0dgsTG3BCQ 
z(Q)4Xt|_?v8Pf5|P)kJKuTmR&tvlpeO%gGZp#n*HgdLyp1(p3zUNYX&MpM4f z@_R@vqQxi8@#Jvxnfyq1;aTgH}v~ zgEIr0O`yo>=&ND;y?<)~vZ(IuDj!&D?ndjF0QgR{d5*W{=B3pU*7h1AOcbZ7>~2UJ8o0 z3{STI$gTB>`}32tH@;Ax4{yzI?r|CMrpe8t$7(1=HD*LM8rUdLY49N0W>!)UQ*P6> zVP=WHtz>#XQ${~2T##!qrs=}C8XVp;#TI_AiHg9nvHUT!779(m>-m@k5hky2Sb8Zwb1WDg6eV{bAnR^0$MXSqwyD0xh@^BylPIUV)lgO2n@4PLkE z&8td}b6)wM)t_&qn*#)(GBZG02BwZ~nfFSh?OfxA^qo z%>B1jtUq)(Z5_n2L!WNnXPep0ewV$K>QhP$voMRRZIm3)s*Qa2gntcLX6|cwm(zFg z_JUX-MzoU%#@?Cov^H%5@SUHCJ0{o|JR&0S>PyQ@OFBi6HQtWgl(XpMHN5QrRcWajQ>qTkFjfI_L1Nbs@x`xO9 zSrY;lkipAV+)}swT)&j#$D-UbH!2dZha4VALNpyK8|dOnIZv8|1yIvpYBO@oWO2E-H};Eq z;DygZ!rbl29O3%r<}iFPa^#OHv{*T}@ht%+v$?hJ&i|5|4-w!8LMtj1#Aj-Gc*+l7 zpLA3Bse9ySzKeqi2v|>DwBRMWy~wDH1&gWFaIS|x`o-i^7)$Fc|XxNH}J6f=WD`NHbmRN3KR z#3!v~&Gxd=nWu}l#5et>5 zKYZYvq#&33YBG|Vyn~u9*CQ*~FCa9nf$w+ktNa-2S6^t>4xAWx;||jYbq}b5=-e^Q zrTjVCam>c~)|Hyw8XE5^z5Yx{NzwUz_j184+F`g3zJ9%JW!(Qt5r7Y;KwtHPj0=M7qag5ut8xC{`Z^J zMVVfE&$V&R2hTPle|@*Zs5E8@q!nv28}DJgvl5rTCE``es9w`86-`TNy&2Bia^(9c z_0p%mtT6gNal6)}>%*hN%+MutuvRLAm)AWKS^*-Nqv@rXZa?aZISWQC?P^ z?!jU>D7zqS%;S@4>chy&R7Of9B&XjPqOD4&R5%9Juz{3HB8 zJd6@Bft_AC)P4hAE|B?ZeZf)(M1I9Un926O&I4bu^Yr%?U$XVz92c`W{k|-CkG&cS zDR$BN?uTcAH2Ol;wPj$}iJZ<+#+GdJ^Pb9{mYLH|+C*S`oJ4uB_?`?@%9kz~^=3IGs%KY>#UeKB$J!%jA^Ye8YY zzymYBXqA~G4_rTs8*49=6|MrG^FI?&E7y%pe^S#v z^>URb8aX<18dsw)p%w!_LNN8F9DubR+@GPDc=A$@P1T5rDceN;AfhwM@$c!=Cr$V} z0RA2*Fkly<29+d30AbhF&|T+nIL=IQg3(8(ba@d=6QL3uIh%vNxuBPb(jUO`f2qqHK7f*GWhA;$Qm5eGtcnUK z(*vQ%-)yI$@iWA{Bw5AXi_A;3Ld-}#~A(m0X+|K1$-hqp+!psJwnAu`!4`=DF=nmE7;yT!5~@& zasMhl$;G?LkS9Sz2BPu=N6LUgVrM9#Uok7su)J7_JP?u}r;hDw8X{@n;jRXU1`=-U zjPH3k=miHS1K|$PJz7?nK!EPv^nd!GOtOH?I(kL*+^ z1(U{uOK`rn1vuS8?e9DgwZlPyUe)kJiif~ep=LeBQa?)~%1Y4$H9gxtj!c2(9ssV` zpgTaa_JkG`Lh%o-w;7Q|l3d}lVbD$E#@^*jQVi-iutfLO2pw||u0vr#=+~b?Cy&^) zk`>@L5bGk;Wc&v+0B|_i5kDCJ6A7@)4Im>oqVX~@RDWU4OISBRz5)9gO<=kM5*f~5 zlg`Z5f7g$JFFiRLPk-MIwYoRI)f{B&0=9{5n}RUF#Qx8_Uj@>Du2+}80r8Uq)}OZp z0BU!^_@fMLe-VNYrp-WHU)hkZ5=kU+Vj>a%WmTnTD5)tvfH@-mA~X#FK7?@Vf4gac 
zHm+~r$GI;RFB7`}VKhq05KR~b3R8kt&%kwbL7>eBHww@BmO&f)2h7KJ6#R#)g)$IE zrU10YHQ_=&Yk@de+8BxODJ_VAaT7KsdcjFTA>-SR+W`p4e_lpg)_`E#>5lnp9432K z-$UDJhu}hXwa=VEP_JJo{%;5S|Bn-|4^U2gI{F=lN#hf_d3O-p&Hu>QP*jmp7(-q- zxc=)D5C$+`p(lQ^mYb)RV}AHCkTT8Q@s|SE!~665l31Vgu3V`pJKurb~YR#@qT=QtBZoJ0wAT zkx-=Ji?R{P3zB`s>xFT?KmQRv04TcAmYflaMl=Iz3W?A zZr9ozf&&XgPA=iQ*RU7g7dBUL<)*f2to@> z@d3Vf6hU8_dG8t|R-?gp(U!m7)Z2nTRN1GV!uu+Km~2uifKNR~0e$2N#K5XwSSvtc zcq9Myzlcl)vH%uisZ(pT?*DQd94;cSB~Ggyp@WZmv9K-_zq_a6t6oCYjUV4BvXRB;xMH72ka#W z+$oHE2v{x8fb)nr%YKuU0vs|2`Dy41QW+B>PM&&EAa*APqznO}N0hz(g7bgJ;3u6g zGWU7Uj9-p?3}LbShx>t8J5C<>H*fr=-i3h6>STDMFyUT5zm5s;_dy5WEX9iO_#^ z2e<~H#cj0SvO}Eq@2vyks)U+h81;4Vqu#icAkWnbiwywtEVf&cd(m~&d9bGrfpnYj zy>LC+u1#~9AZ8URh_|&BkIDKqDF`9iWxzUBLU$JxS=lD8SR=41bd^-m3*)(EW0h15 z00!C4KwYc|q*dPqH9&K-hO_;b$Zm5I?kxElI6@KQsQ2{`h>QY9vzn9KrULww^7Yhl z8U)M^W{6uBD9b@0Rb@F5L~OUE9)^Lx8UrWmsjTrsOI9Zp%A_%l#q#WUVE#t;pFcCBOLp9D*3?-?ZQZ)^LE@Rp7K?p zv-r|Hc|{P<7CU`<fH4sCFqi)>AKjcJj7aGE&q^b%i5CGoHo3}mPkUCcGT zCBUKuVH!$>ZK_ASLbNj-7N=rlnyag6Zf-xb3n1G7gp#%UjX3=;f`E$IyPEt<-X$K3 zapq4o7d_(vXyHY(AN?{)HF$+6<5lU<6>YKEnDCnUNNli}VS4NPrq`8H30o1T$mq8O ziJrCW%w_1g5iSzLS|I6Rn@Ve=VETag=y@)}pyl4{NZFv#a-z!2yruj0*-{(MHf0*i z%?|eRJ8ZO7yLV@zP`E98ofa!v>>t?D4Jx;lo@kH)tEnR7EfA1Kze~wLK|&nrz1z}% zVV5C)oJ6u}EgfFi`cdgc^$Ry`qf5WJZFRY7Lsy&yTvqJ*=?WQ?Pak&ZWlc`HzKLr3 zSGQGiYUKu$tTq!?&qvdF;lN2k@iedEhhx*58>N~fn&ddGy+qJpV6;mr=JDu9S} zOa9C@upR#ezE2SG{Q@vUEIE0nk@;0}$tqJK>U3$X-yiE<%inGGH>_AK1@CQ{w=P7+ zBK{>6RJ|&?Bd0NM_n(t`?I?x|);!D3BQr%biqCBrGwCU>1NTpOZnw6q)ol2{8O z0LL6=OW9597lDTt$e@xBGS_Dbw|oVg^7J0}%3o-~jQO14pBB-5qzb0WIq~td*ve{& z9(P43R+p0>oDQ=X(~>(T0im7)YF#E zOnlc=kg8ZY)(vxyN+h+VOF&fUGg~f0NQAivlgZOhg@0RUP2wJoW9#IQi|$#AnJ8`D zq;t-iqf&KSyOJ3ljF9}Zw~tRikju?A0xz@GRSeB)(8XB+VJub`>&JGAXN10C=6!(moR z_F4NC262v7TOeBZn%( zLP#~Oi=IW={u27uWAQ=7`8uDhptbH^M}l;TQZy4tIK@Kor)S51Y88kSKa8G-r>Ia< z7yR033Pw0v+E#+Gw}DDDFh6aSt|~&3w{zUXc+*EP$o5Dmv2Q3}L@qvK=|E zqs|WNjC=ZL@j!%hv=V!r{;_!$Fa~HeOasP;`t`Fn`pt6h+l?}b`iWm@dRw0ZB)G+> 
z7fmfxl0aqPcl%NMqPe#Bdu=&(ls8BZMk$!KfZs_h*@GSeI9*J}&;x*1^Z6>%>o6Fx7}0unP&(|#PD1{hp0 zjS~gCGOCwB4mq>QH;BePXMS&?w5_6DGc|+`dXrog{Tus z6rgOEUEOwb#Srpn^@3*x%mJkMK*skEU5bq=D7rU#7W5>k1#F7Tj_Be));jwwROjX2 zBs@yMc9R48Cyh@b*#c}g(f6a_E22tWjn0`V$Y6>BXOzUmn;<#!w*E7a9fN(CK4%*6 zq1LU)N91SgKBx%Yn>-k~{*Vz|XdqibW9Q`(zidsag~-=lpT7x6F0&PYr#f84Irv$- zKvbrTRxsETppq`x%`e7<%FqvR7=8qn%U^5-e>yMUIiKE1xj>ZGi~yHND5b5Fc|=Y` z3rA_(qCHzPsZD*eW`+8Tv@Tz`5cuGIy{BER-fG)+_#{@em8+H*&7D*{Pw^b z^8t5{FTBA?Vnag4=CX5c=!GYEf8m0a-=MK4BJ$+%!j&iU(VSTZG5yNhOh&dQ#!siU zjY!&K6^@p>dd3^8b3Zv<`tCEgGj<+Y46w3oOEPg4a{Sl$hZrP4TYyF^rK zCsU(slBoZqrPgS^xBx1l^y}}1GJ*f_lVU=>U9;T!C}v{DWtK~A=xzO}Ep!92g@E)8 z=-^?5yIx%Uy(J?lDQVI_vpX|8QUGkQbk6nOlfBNlvRie>4Q`7#e5GAi*DJn6=tq(hRy)>s#E+hyo(>s`o^Jy5iGzIK z&TtymbsFD~jjPk>uxxCZ9gJScc;v`!(Ynyqx7KrSRoi?(zDRq&#&b_h3{&@dvSIe5 z5~}$f{po)t=~3jV=X}OjifBW<-NS``kMwL!!lyZx1#*gc=%Evq(62*-5bH*6DP8o-4CaR4x; ziN}1Fx(^WTuaMM^48~BxZUt->E5h*?aVZtI(y~hI?0p2y4|_jQKYR}+)}00yzc?EE zAQ+&P6U=*4hO=Xh)ghOk0}5aP6o7nu;~!NQFj%P$@7I9qxKQOuT5M#|nn(wYjxZ!3 zgwBR^-4XU8L|A|dwu6uPGus1?@Fw`VI`{K)zI4!)W94LNVEQIr8%@A@B89=4Qie|q zmLGI4-wHCCSu;TOVv`X;^2}!w7p{lhkpw4>r|x2it;xl!x8r*`l}Hp6z;N5=NVe4= zv#Wc!5kZ|7x`vHUNT1&K!M2nQl_V`BqwkC+y|C( zOuBw^_NCgj@i_a2i$u;~G-vQ!ly4|;jG#-&-#N5qq{cP%7sbiX`WWo>q^b7OyfK6< z?d7{~#D&-1XO!JuD$`5iXaFl41#Dbp&p}6QO&SFVsUpN3+nP7toI`6g-jSn8JK4;Y zytZgf2G>&5bufu`C>aFR=CaRrw1!8a+qn2Rw<)qW@b*5SI#(_)!|O1KSwQe zGB7Fm+I?nkHPIwj!=zkma7=E@0)M2I*V}Qhk*2rtX*3=oGwUFArH+IT^JkYyXveX1 zL*IJsBvsvZ+$A&VdkFf8=LrkK0avPu2cO1Za3_}9Wl2>vxg7)O1n))Z>W;lVRR5Uq z@Sebmv%S*@{sywc(}2;hUvg@urT)BNgXZM+t=eDb66*6!|ZTQhz@#{9mA!}kZ` z-$uM?v|aV*WDeT3mj^3IMT~R~H=A{ftt!Wjco&D@B(ZM%m}a~sXud49m$zUDQ^J-* z>j7WP*-RH&GVGnBevip`P8nNnVzD+2 zegc*YhNr8|Z-JlXf8W~x)Bf+{)`WqH*Vd)v!TO~_i`caheav!l|#)y~rOr9B|#EKD>9bq8>;wANdAGhV)(%8~%d+ zsPAp8L2K2w=BcG*H-`R)L0n(=Dx~ryd38Em;QqUl6sV9+YKsd*NmN%2mS^iT;NrFA zYJbCoRC+IhXR9c=3$+2BLa(O-41JKfm2UOpnv~$Z=G9`)AL6}1Qo5B2I8o30C6R>$!?uAICQCV`h z;3e5fjRUarH{L|Y5QIg&2WcZpyJl}zdg=V#-#}1mfk~;`!8;*e;uI#wq4-no>*t0N 
zzG85gZntA)Ajc2St=ZqdGxELEvMZ|-D%StXaHIG|(Pd}7VJ+4Lj<$3eD=Qpj2^(wuu6%<|WAiqSy4}r0!cG40l=Al>5>{7m#c>n>~@9L{{=GNKk z=S4n&7>KU(G1FLTYHE$!dbO>mSMbitC(3jGLF7EedXBi^LS;%+OilS0kg=M?htEc5 z+(&oG8}!E$uL*;QP>%8PqPfmt%xZ1f?EP=c`HD;RPeMoDD6w%PXn;crd2>LQ7Ctt41NlIp#H3Dc-5Mf66U78Lhjy>Z{ ztSkx)Tk5j{7cED+xvp20?^mzB6{^E<2Iw|F&oMFouD!rangam&L=>6J-FuC~YOH4- zvAMv;&OQK-swGD#K$gvGjrvQ(Myv08#hq)4aH|aCa+;9|E5uiq%C^{Oh^k1y?+=|1 zaka0X)4ymK1gVCqyxqjCQnfef?3%R{`a-_Ay*1b~?)j>0mb{hqP=))C!H*{UEgBfu30gO4JOi*M_&uzcfOW6zb6zNnK+ zfXoHT?dfzxYt)SyfUJB|A4`n!zQ`q)-^S&SDeD^^ewqe(Jx;(=S!qUC@COaFp@i)2 zFa3@a|BsRS!I&v*b#=5VZu(+b?)^d^9g6A*yR-KiiU+s2}IxASC( z4kx_<-!s_x>~&me%O>Xh%z5^v!gm|7i{!q;)RrQX%t_{F1^j z;PV4YXvA@4Imy1noj_?q~0sO*A3y9b|0o~&^Yk1r)DfvDlV`bKMN+A4YgN+7 z!}COK9Jhjd;z%>tE`*oD2Y-P^#B%q$y1ZUHJ-mh$#4b<;vww$TYhKQS{n?*Qb{DcR}rv2^^LpX&*jd^;GB_Fd5VjMfNtBZa{ zt0oin;efU2;FJcDh2lwqxBB3XK`ic7#M`%TRUlfM2N`aIH$%F;M&+-cZ&lm!TJF^4 zE%GqJLN*_A&XZk_^hbBCQNyM-FO8AU?$>L#G3s@eA$t3N5%A&kwR!Z*zc zUI}+(Jyxhj>wq%^O!JaKiUT=d#UEnV^pfxmNiditF*QnR@N;)#1?nNk{!`sU>7&a*Ah0!hE(TE4uK9^mR`b zri3no#OnU+!qc6K$Te8qc0*ZK5-veJE2(CO*I<&&`?y0qi@~){yJmahEi%q$Z6B($ z4UMb!mp^tBd9FOdzPfO36!%7us%CHR9RlIJW-Y|-9x#5bL z@?N3Y>atU}CVlG~5?__ze_7r-T2+Cs!nnVmL$(}G8lRA$iy4>)&DI$VKi-uml$8%E z1@3jqCFWe>aN$xMmoroE*ipQ*$70Z0Hx{7x2$3(%KFjY`rY?aE6T~-9q%h98J(`m; zZ`nhe?2oYMO2M#|m4#eL;eP+MlW&NgAq$eejgDBs#qh=my$h6;TXdDS^0~h>Io&9$ zM6O@o{@EDja;(fC_{*c8Mw0_1H=%cC^JWsNdMVbZIvRA<(l z*AtgSs?#*yY#WNsbx3tEVcf5+*A849dhjwy`xpSGix@`hK*y=l!nBD7LGF zHF4_N7*Gn5`>oyT49_Gw{Pry#18bJ6mLIN(4pX6p1Y3n4@H+?Vd(>bIw^h-J`Jxj@33RT2R`Xcmi~g^hvi@A9G~{D+zXY!lCYjmYWoVu)&PNX zGz#)nfjJe)@?NQZZzGPAAQ3rKxQ0w#iH*)%T=ZciK4hivqr|mQ*CMwg#H@hf!py{^ ziC5sZimdq40eA)5px!K1LI>O8oS&EmWFwWSkkr$sLpK;gvezI^b>*mN2I7_^` zNo;G=TZ(^ff`bf&$&hPFEzMFl8H%?=S7c@@s{d5a*Y$3jl>e*=lY1;Kwy@HA=wj>D zwh2*e9a54!Th)J>!cv9xA}C`Y_dL>!<3AatXOY_)9mD!;)QLUc+-ouWRc;}FFt?an zcYv;G&DdA5_~lTlUS%ae-*&kWOW)$#yD;q^EE-GEePI)6I??NTr=_=U6MsqY^(RG^ zZw%k6|Hl0m!iR;l%p~Cl`%R7qWlE+WhYrxNc3EIzi_Ui@XtmSOMK9?8W6Sodf4D| 
zBs7O+_B!ZSDHEN3&+*#DMbFA0a!ED(>2l!cs9p6*)P&NqhHLir5b|1~wAe=If%?w0 z?cHr3xx+_kNQ8EDTE3U#-vWX8wVOP$Ol2!H@V#-LW6e%nuRKyp3!sZKFsdBw!WWQ< zo8%lHCo0ME7D#ST@(C}M31rmTnrI}=sP|5s;7Ow-2Fh~#(Jc6{x>0iA<<@*9yXpi< zE*ILwO1HQzyeqSvEosc_P>l_mm#8Ylka>YRf6!94n@cU;4U1@3(Vi4WtVqiqXea~d zx@X7w%IFZQEVYVFOlj_#ROk$c3!1&gLQY%#W+h2VW-CV2q|tUS;AyCl_NueXs@aE8 zm$&x=sFN$jjIkT?<$F7eoyUjIh3NkpfKjf~(LAj0KWKinvxu=;)|uKP4@Hjdgx)npi7R(EirU%c+*XARecq|4_%KEzCSF?mV?ZYV19 zKr;BO)iu@lGfgf=OWv!D!~T9)Wb2k$(k68ouBoYTxFWx0Fe^{b){z~CHa@7S8mVRU zB`=5MM`Yvs5qA4E+Hbm?6h5RezgcHPOoU8MW)8QP)PfLapde7Y64NKhm zP65ydp8aq;+2G=;Jj}IqjalzTWNC05Qr*w5-I>pn2+Z(`(kt$--5R{FiFG~RyD*pG zznRO2n({vGTunm5ZZzpuI7DitA@)9)(mRzR>Uvn1;cQRRia? z*j$YTG86mE<=9KD44O7Hg%XM+GPibQglyf2I74?3ub7(haJ^#PSl#<+8#gBSr)biV zk}C%LY3w@B>5}p?n!YsIwsQqOVhKajaM6A(3PPK+v@JOG^c%C3N+J`)F5PF+Yzlgp{&Qw- z>g$1o&)kfgmOd|kZkbYQ>*QPrEiCT5W4o$(i6dq+p{`-uhgV^zZUsR-&0VLnFKxI1 zui(73(j(EG*HSCU_-)JuGgzqajpA^4j6n?Z{H{Fu9MwPb5T_bhjvS8djXwf923dlR z@9jRgfl7oq=24rQBo_QG$wbS`np7YFD36j@`Q$0PI%_OfvMdOUFRc7FBGwTMZ8W8c zurKLr=!6eG&x;GiHaBS9dn`Ch+w?UIZH5`2rBN0ujMuPWDa?5y6Mt)GSGby>H-W1;i(}vehKBM&wii`*#lD~?lYja$9J3Hu(3-N%5oei?L~-2KM7%%t>Afm~ z)1KPD<0PH7kZrOc6NEILvouN?l<4joGyD56qeFAYEbMu!=0T&qvU!_iQ`n4NCGXqb zCyW^==?n2M$%5vBL(%r?W?C{Cph4E|rc>d5j5KVwQf|Q_abMhdf#&G$eFM zim%;Sx4PI^eeIil<)*f=3T!2!G;O-Lq;o@;Nk=c^8oqQ_*mfK@n$p?>=2#wp@b@2^|S0>a^qH6N-Sz3>_FXTqWQ`P_EOc)FUPKZZ43c-H%cI0~uxMum4R7LmTyr!g0C z7||)tq={P>^h^*bJYuGH((s6n$oGm$ia+B12*0L7hi7S{Y@2vJd>@r~;c^g~2|ZV{ zwC2F8@rQuS1{L=K|Ng<3~^V#R%zU7GVKsd|I<+XfVXb>1xs5lQbfye zxY@-XGt0>^s8s5b`38m^9yYE`Xq(=S&glJ)x>C@AsJ4Hg>qyZO)3o`DpbI>oiOk+`vEjyan4n3H3c2I;ICc0pCW_qZcX> zs9OvoBWCzmca2Xd%;NabT%EV|PH}cuE2)0a!z46amE?1tAKVs`mcEQ_k<|VhvAqw^ z&k8c+i?#`Zc(|^7kPeIHc|<$EGjJ6e(^B!t01G1Nt0bKU7qHjiDFDa(2n|^E=$@PX>yMy!Z37bHS>4ZN!6I+ zW>{DlAA+;u3$_LD(Qwmo_BuEBXxQ|@%GRJ2Pdi>DopzdAX19~Ov}eo2>Q_^76pY`I z_hV_=oJaE!vV&WVNHDO;5TD?amv}LV3_i?$Zf3!2IqrD^%XD^*mRg`cS}u*L_jQ7< z@vvn3LFI8^(tCq0-niJAo!6;j%9>h#fFo4&zc;ysbIt1qryuCWxidp-l>N8r9Z$ZNG{G)-=i 
zn^NBNKH7zpClG4v9Cg6Rm2X_M3t?q8OtZ&X0sik^#7E8a^a-m|yvTU;cFL_MwHWR- z7ttmk^J7wFFi+4<(}PjjB{7PpuF@^@VP4#~#(fQ#c_6wZKOpwz6PJY>G9~%A@r~%1 zMH((Qkg1U|$3~Bq%IMHV^9+cTxJtsSGQ<>5?B4I=D6du~#Md@G8a>E*9l}FrD+hBP zvARDFWLjnz+Hr6}LanwbTyK5Ke#f;!qISsG{K?aln!TkS$DqcopL1%T%X&B6uD2mx zIv>Q{RTH`W;Xpdc$U8WRVSFk!6`3(7l|e=;IB7{gEs^Kde^+pJ!K^}*N!bwT+qf$n z66^2YEH~pYqrb4HXw@uc^@?SS1uoC$LRmD&{@s=qV3YHqjRD+z1?}R9N@-YsuD6|m zFw8UEU{s(}DshZ`<;1Z}FQd#94gPJLedPQ%hF#n{s4VDBYZI_3ib~2s_)j>Xdj7^4 z=XUnKhFb*fGZ*?aRtg`RKizZ`jXH)syR3;E6lzvoF?-5iKWwZ_T z(jPOGe8I%!8AhSs()67RyvBkfk+1zcKhmzm&)uB<6ShLrNi7sNe`4qn${{asl2^nV zifCs|r{BXywah%m2!{yo{U-O3Co(JfgpPL#&TJbm!MJF+kvYganZQOy&VRkiytN}) zwZs@;Uu=R(Y+H3`8JG(u*7>YK7H0k$Un=ZqJgWmsH%zQB6ZQ^$&i{%gT2MLXd$0Jo zRJWjX8Yh>=p?u(CrGo_WAgj(Op=Rl3Ug(lbchh@Bd=*A|>~Sq|P*XI%B8Z{U&juegzYw^1*VeJb75;XG2M6 zHTTvgDfg+A?Zv5;??nt;_cg}(c=F0_t}isUQvaX!uKW?oE$)ZuW~y66lr@BeLCC&T zB-`jFM%lLzV>ieak?gmu*D@+e_J-_h)-uSx%nV`-*>@4@Jr8x?-uG{~{4&g$XP)!j z&Uw!F^Z9<|h$>?V{^Y)yr$g;By*O~=iXgc4{dz% z)YD_0vMiyeu|x;U0uK+ZwOq)5P-#)#s^i!Mo|X-#_RF=MsF@3n-vYEm$~YI?Qr+9@ zY&v;5)LQopvv7)1f3)}}4^6ibrp4l^js$YissJ=$ZiIl$)4A#$y4&_QXmE2J#UrLA zLnG0z^STrRx(Kf_IXx=S3=t9v@XIIqT~x#d7?Mx7n`V|@3~t1!D>oZ{vPiDYABe@0g82xVLc`5)r1AIYlw+Qwt7vAw z2<1d=a~D^JHP7mD*-63m3d_>6rRrNqMAkV?d&Q3TewcdHTi*%G@|}OR<-MH zX*`i)%j#s9jBX@-UH;0`mEeQ&Ni0%N51XDT-6fs$E4YZRGODh0PCvO)eakn#F-V^r z)G0Z9fjvsVW2WNxQBN780f`v&IFkRgVRY=;T$`0))<546iR9es=-6*X@osD(#AaDJ zY-_RYlITw7AhXC`T~A5J<+065+KLWGR1(7KTUn0>q2*=%UcoN$aaCm1ZewF3bReq@ z|57o=$2~Z+!39$%_Y-XVvhI;F9C*+LOZCAgU&43W4Qo@W>>}xYEAF(vo7B@9tBVAE zLRwb^gmtJxKDt=xCf1Rs8_1Ib45(rIXEtJ4z7tj-V_DgC@Nd><^-aJtfN)T6b(~46 z*>xtdXg*cfWLhy`769k1foGYEQ@}xa@`1% zsOjR{`N~_m#;AM_)!OcoVTyWfTZ{(Ilbr8hH}w5f&-0E>*|n zn<(yjQxQG9V0bx^2RZdsyBO^Y%CsAWF?5!astEQDPjeaM7j+d|g(S#HjBA+m!HO9& z2SZ#;jA|XiXgb#Dfk}ndj7!#xZ00ul)Z94t^Inups?EAEtt584LC=`ovKqZ3R(mF^ zv{To^9b1Ic-R_X#+PEqcWcdbWpxd%t!(_!H5`R#(?OF(@x@2s z{H3^)GJe~*f^T*Cep>c#{M^PUiPD?%7uQl72S2dlWb%emlb433c`Q5~CfL_lXIs&z 
z$|^qFWUZkVz22Ar#=OpJN}I{fcjiBuxG2C^+wP_QExS+&Z!LA!j+6hWXOdj~rW*UO zS;9|i#%_WEpY7E>uz?ft$z)Y6oOq*nv^dQ-5mmZU{J zhkVq+lyAct^+|+I zd3j8~wnM9#Y8visDGx}YOjy#Mu@F)>N~{vDRN`dQ;r1H2J|JrE<^Y9N&GpF zrIj;~$2a&1A*WiWBo5|;eAwbBwd%9!dofI%v5Gf7qG)nQyVoVV372IzJZ)Qcee_9( zdGl1CZ>!?T=@;vNyu6e}WtGEebBx~jpMl!a?6#}5+weBF3R}s>y^n%?;Ea&QIE*~V zw!>}B;b?RPw4B8}@h7^&F1pOy-QAQSF6N z?eNwP-$WNm!!cu5=aW^$>zd$QwR=HZc$Om*pmjsSSZT*~Y>q4dJveAD;D|BGVU~OT zk_7f&p1jD>Rd^UwORmzJzjQ?)Am}RV!r1k_6S?G9n1i$YZsxB`5t^o7z07ITl7*oYI5`H~&alX?jNsck>B6waA%@eda|25L6we=C z^DdsaZR1_a*u7MX)R!mQ-<=e~n7yuyzIuK^cUQyW#drrlPd{WrWTiQzf#bf(+Pg6EIY z9k_bC4Q=)JO;BB`!&%SiwA8=wKO(pNdBb6(8c zUi}G6zRLlj^Os8OcrfBJ}FoHIuw8|see7&flL&4KawD4W* z_N>gcJ!M>v;nZZHy0Q1dOE=Z&$j&rgQl-&su&x7rHDx292Uzyes@uRGjF zx+_LEm)Q~D8m^(FLUCF4BN~xMmLMc~M;O3eAZR|MR$jCQ$ZKw@mO`lJowAt_b)dwy<+ewqyzvK+acx93l*yA^3di5A7XeOFCoz%tZWWD`dK2Pfs5MwKcuj{Mj;v&k6`9S3{`DonRGyuD_3#TJT&w%=U1U)@iPr=K_0s zdo@@c*{CBo$j*F;6u_nB#v~G}vd_Ypv_5ZbmG?Y`04Rq7DW{~RrQbm5^+1Rq2Y{Ih zp#}$V-F-S8^ztacc&N@ZkrV`24q&(k*8j9U2-Me;FXLK|N>ym+yQLe}M=3Be=fAe(g7L)C(HVLd!b zUgayJ&;wkJ0>CsKU<}%$fHo>h&QLFz* zO%XRmp$0f*pBL4;fB!ca;m!lF3O?@cw?PQ_rR$&8P+tV0un@Td*#NKg+r_|3z$_U& zzx!%$X7WFy?-9Izaihh_?d`$&_VK|-_avDIi{5ySvfhP z1DSFINoN3<%8NyWSOV}sL9Y5TW>intZ3dv-@_--Tug{xQxMn`TC0unOas%&ZdS6N& zj9!lXNCoUkc?n2h-v)CC_!@{K6b^HPDWbV!10(aXfSK`6nu$r z(Vc8YSUBHv8xP6NFPM8IX#iGh9oItOc_Hl3y^Z?(M8s!EPVFI(S-oSV1Ou~LcFnOP zJjMC5EKXLkQRgyONjZ{+j56aO(DgY{W@@d6Q$4rh7^v~*%y4*LJJP0A9_N7#&Ndeu zaT;mMvw?urpg5xPLwFb4-LOkn&Aeerf>FfRz~2vSx@Jf(7UZ1K`kvlZpI2q2fz{rE ze`$VDZRC`luUP}#lkZjK2(fCz$D@Y=7lH5VmE7sxh!-y~z$|Gs0h+?^>b-dsh&N04 zg`TmoOmEf`=ifaYLZFF41=)0nI_X>%dY+?c|MdLi*PrX+q~eJG62mJ145=5mD-u+4 z|JOv6aj->FMX`7K$9O?hxG>LQX#Q^jIM0)rtKr{K_2INPzRY$bYCfs#9Ow!nRCc?{ zH&)Tmy$9jrJZv3HHF{17{@_wby#*W~H2u^DMHVJgDto0$2r9pjLRBFtSiSCtg@#^U zSkGe@fNAQwM4OqeB56w8dLzx1qict#h~eU z>R3z0`^SQ*hGz7D4jHNO8Q}0!B3xLq_NB4O1!ynFY*#CC(VWS9&HYy+rqV%F+vAmW z)hMjlBy6Wqd)!g--z~57+rfBjuTtEI$CwefAt>GAXpJFr6iC!VB_C*F{SUe4J}=C> 
zvwrD4i7MI*nA%P1O0o*MdvE9Kk&e(NVAURUU5EV^tps!PB?tSY3nNn8JgS-sn(~74 zX9aK&{xxd3#((ddZY!svuQUo4=VJlX^Z3u_RQ#uFNCXlc$Gv?ok>_y9HD9t-2b1T1 z9jt+7L1DDa+eKOqbia)2V5c55w!OrxZ2<_#+CvqIXx~w@NxP)MBu>aZvmK z$Yzl{E_hDuDoSb2z_6T2Gro3n7i*4eNH-{uw%L8}x9urUvt7gNXRb@?%Vi9!146ltX~e15yO ztvLf=wEQpi`oK{FO=u?pS74~1o$Uy&DuQub0N~~{g7@2OfbjNnPz~JR)qUPUQ1sT^ zqm~R<^0Y41(e<%dl+FA7ayGv?oiG@B9hYmE=*Q~TJ6Rr8As{dh0qNpsfBf=1aFgKD zJ`5kijCl#0hxPn@#6{i^s?_zN(kLF<$Pi#hne<)wob_SxgE>LOG*HQQbAg!BZ>*?r z`r%lIuyp9F)H}_~D=M1&m7jeP$RLnH-z8lj=GW@gA?}*Ru!5$7u^yopJ{z0EIFQ zEpl)2LE>en-5NF?`6G)seh?CGDpExa*2+y2O6)1jNvEy?qA-9v-4_bq$KNtj=_Dn% zvyuvA89-3AgeI7bC2LVBD4YP$~5{X`|*TmLVH0{}YsD8J*O zqWwa#|8DPqG`@p3c5F2Ei@AjJJSR@B_gqxeylvEb^BlNMUYNvp4o=R(SEXS6wFW^v zq5DMKe!HgUu-#G}zsBX3DAq?)suTMLx*Ys)G{bprAYavA?W?-*@T2`Uk=CWhGNJuP zmmHN}-Cq_c;`{ehg2!tZ_^v==)SBt6P7M&agzEP*eIURPFjal z&8VVW*1c_5o$PCuUiOfwPnq%XevOT=VSxEok{r;OoIL{&p=TiD23s*mX3uG z{#n_476=7=%O0IHSoKXm_8(UD`JtkN}XyQY|3Lie-_OiZ-Bj^(bW48DblA|o2Z6@zrihrL?Pp$X-RNB*MryeX~a6B zYZr#O|LhL8joPDixqQ;4#hbWS-5;^{Zf3yB_;_E+!kkx&+y1k}Z)W_P4gskdEFW@o z2G4$$>i`q}8CPb28)aGQbp94U_Fsz9fkj=}O#Pso*>B7JYcRF6Xa$-78%lr^LM%6$ zKwi*T=-0&$?jR`|%t>~0@}PvtZ{I@$qWK9}g4Mr^IWPezFq!=~iQnXX?mtcZwAKI2 n>0o{O&$0jWiT@vB>wg@D? literal 0 HcmV?d00001 diff --git a/scripts/build/build-containerd.sh b/scripts/build/build-containerd.sh index 3f724e9b..c60078f3 100755 --- a/scripts/build/build-containerd.sh +++ b/scripts/build/build-containerd.sh @@ -25,6 +25,8 @@ version = 2 disable_apparmor = true [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc] +runtime_type = "io.containerd.runc.v2" +sandboxer = "runc" [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.vmm] runtime_type = "io.containerd.kuasar.v1" @@ -50,4 +52,8 @@ address = "/run/quark-sandboxer.sock" [proxy_plugins.wasm] type = "sandbox" address = "/run/wasm-sandboxer.sock" + +[proxy_plugins.runc] +type = "sandbox" +address = "/run/runc-sandboxer.sock" EOF 
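Review bot: The first build-containerd.sh hunk turns the previously empty `runtimes.runc` table into a working runtime (`runtime_type = "io.containerd.runc.v2"`, `sandboxer = "runc"`) while the context line just above it still sets `disable_apparmor = true`, and nothing in the generated config records that the setting now also covers containers that share the host kernel. That key presumably sits in the CRI plugin table, whose header is outside the hunk, so it would apply to every runtime; for the VM-based sandboxers the loss is smaller than for runc, where AppArmor is one of the layers confining the workload. I would either document it in the heredoc with `# disable_apparmor applies to all runtimes, including runc containers on the host kernel`, or drop the setting if it was only needed for the VM runtimes. The second hunk's `address = "/run/runc-sandboxer.sock"` deserves a similar one-line comment saying the socket is expected to be created by the root-owned runc-sandboxer service, since containerd appears to delegate sandbox handling to whatever listens there. The heredoc opens before the first hunk, so its start is not visible here.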
diff --git a/scripts/build/cargo-vendor.sh b/scripts/build/cargo-vendor.sh
index 625ec20c..51239912 100755
--- a/scripts/build/cargo-vendor.sh
+++ b/scripts/build/cargo-vendor.sh
@@ -23,6 +23,7 @@ directories=(
 "vmm/task"
 "vmm/common"
 "wasm"
+ "runc"
 )

 for dir in "${directories[@]}"; do