From 46526843d3c230a60aac747a121da1c1e4a8327f Mon Sep 17 00:00:00 2001 From: Anvith KS Date: Sun, 23 Dec 2018 06:54:18 +0530 Subject: [PATCH 01/47] Official documentation on Poseidon/Firmament, a new multi-scheduler support for K8S. (#11752) * Added documentation about Poseidon-Firmament scheduler * Fixed some style issues. * Updated the document as per the review comments. * Fixed some typos and updated the document * Updated the document as per the review comments. --- .../poseidon-firmament-alternate-scheduler.md | 111 ++++++++++++++++++ static/images/docs/perf-test-result-1.png | Bin 0 -> 97114 bytes static/images/docs/perf-test-result-2.png | Bin 0 -> 95896 bytes static/images/docs/perf-test-result-3.png | Bin 0 -> 98942 bytes static/images/docs/perf-test-result-4.png | Bin 0 -> 53264 bytes static/images/docs/perf-test-result-5.png | Bin 0 -> 55285 bytes static/images/docs/perf-test-result-6.png | Bin 0 -> 56613 bytes 7 files changed, 111 insertions(+) create mode 100644 content/en/docs/concepts/configuration/poseidon-firmament-alternate-scheduler.md create mode 100644 static/images/docs/perf-test-result-1.png create mode 100644 static/images/docs/perf-test-result-2.png create mode 100644 static/images/docs/perf-test-result-3.png create mode 100644 static/images/docs/perf-test-result-4.png create mode 100644 static/images/docs/perf-test-result-5.png create mode 100644 static/images/docs/perf-test-result-6.png diff --git a/content/en/docs/concepts/configuration/poseidon-firmament-alternate-scheduler.md b/content/en/docs/concepts/configuration/poseidon-firmament-alternate-scheduler.md new file mode 100644 index 0000000000000..709db849dd8cf --- /dev/null +++ b/content/en/docs/concepts/configuration/poseidon-firmament-alternate-scheduler.md 
@@ -0,0 +1,111 @@ +--- +title: Poseidon-Firmament - An alternate scheduler +content_template: templates/concept +weight: 80 +--- + +{{% capture overview %}} + +Poseidon is the [Firmament scheduler](https://github.com/Huawei-PaaS/firmament) integration for Kubernetes. At a very high level, Poseidon/Firmament scheduler augments the current Kubernetes scheduling capabilities by incorporating a new novel flow network graph based scheduling capabilities alongside the default Kubernetes Scheduler. It models the scheduling problem as a constraint-based optimization over a flow network graph – by reducing scheduling to a min-cost max-flow optimization problem. + +{{% /capture %}} + +{{% capture body %}} + + +## Introduction + +Poseidon is the [Firmament scheduler](https://github.com/Huawei-PaaS/firmament) integration for Kubernetes. At a very high level, Poseidon/Firmament scheduler augments the current Kubernetes scheduling capabilities by incorporating a new novel flow network graph based scheduling capabilities alongside the default Kubernetes Scheduler. It models the scheduling problem as a constraint-based optimization over a flow network graph – by reducing scheduling to a min-cost max-flow optimization problem. + +Due to the inherent rescheduling capabilities, the new scheduler enables a globally optimal scheduling environment that constantly keeps refining the workloads placements dynamically. + +Poseidon/Firmament scheduler runs alongside the default Kubernetes Scheduler as an alternate scheduler – multiple schedulers running simultaneously. As part of the Kubernetes multiple schedulers support, each new pod is typically scheduled by the default scheduler, but Kubernetes can be instructed to use another scheduler by specifying the name of another custom scheduler (“Poseidon” in our case) in the PodSpec at the time of pod creation. In this case, the default scheduler will ignore that Pod and allow Poseidon scheduler to schedule the Pod on a relevant node. 
+ +## Key Advantages + +### Flow graph scheduling based Poseidon/Firmament scheduler provides the following key advantages: +- Workloads (pods) are bulk scheduled for enabling scheduling decisions at massive scale. +- Based on the extensive performance test results, Poseidon/Firmament scales much better than Kubernetes default scheduler as the number of nodes increase in a cluster. This is due to the fact that Poseidon/Firmament is able to amortize more and more work across workloads. +- Poseidon/Firmament Scheduler outperforms K8S default scheduler by a wide margin when it comes to throughput performance numbers for scenarios where compute resource requirements are somewhat uniform across jobs (Replicasets/Deployments/Jobs). As shown in the graph below, Poseidon/Firmament scheduler end-to-end throughput performance numbers (including bind time) consistently get better and better as the number of nodes in a cluster increase. For example, for a 2,700 nodes cluster (shown in the graph below), Poseidon/Firmament scheduler is 7X (or more) better end-to-end throughput-wise that includes bind time. + +- Availability of complex rule constraints. +- Scheduling in Firmament is very dynamic; it keeps cluster resources in a global optimal state during every scheduling run. +- Highly efficient resource utilizations. + +## Poseidon-Firmament Scheduler - How it works + +As part of the Kubernetes multiple schedulers support, each new pod is typically scheduled by the default scheduler, but Kubernetes can be instructed to use another scheduler by specifying the name of another custom scheduler (“Poseidon” in our case) in the PodSpec at the time of pod creation. In this case, the default scheduler will ignore that Pod and allow Poseidon scheduler to schedule the Pod on a relevant node. + + +{{< note >}} +For details about the design of this project see the [design document](https://github.com/kubernetes-sigs/poseidon/blob/master/docs/design/README.md). 
+{{< /note >}} + +## Possible Use Case Scenarios - When to use it + +As mentioned earlier, Poseidon/Firmament scheduler enables extremely high throughput scheduling environment at scale due to its bulk scheduling approach superiority versus K8S pod-at-a-time approach. In our extensive tests, we have observed substantial throughput benefits as long as resource requirements (CPU/Memory) for incoming Pods are uniform across jobs (Replicasets/Deployments/Jobs), mainly due to efficient amortization of work across jobs. + +Although, Poseidon/Firmament scheduler is capable of scheduling various types of workloads (service, batch, etc.), following are the few use cases where it excels the most: +1. For “Big Data/AI” jobs consisting of large number of tasks, throughput benefits are tremendous. +2. Substantial throughput benefits also for service or batch job scenarios where workload resource requirements are uniform across jobs (Replicasets/Deployments/Jobs). + +## Current Project Stage + +- **Alpha Release - Incubation repo.** at https://github.com/kubernetes-sigs/poseidon. +- Currently, Poseidon-Firmament scheduler **does not provide support for high availability**, our implementation assumes that the scheduler cannot fail. The [design document](https://github.com/kubernetes-sigs/poseidon/blob/master/docs/design/README.md) describes possible ways to enable high availability, but we leave this to future work. +- We are **not aware of any production deployment** of Poseidon-Firmament scheduler at this time. + +## Features Comparison Matrix + + +|Feature|Kubernetes Default Scheduler|Poseidon/Firmament Scheduler|Notes| +|--- |--- |--- |--- | +|Node Affinity/Anti-Affinity|Y|Y|| +|Pod Affinity/Anti-Affinity - including support for pod anti-affinity symmetry|Y|Y|Currently, the default scheduler outperforms the Poseidon/Firmament scheduler pod affinity/anti-affinity functionality. 
We are working towards resolving this.| +|Taints & Tolerations|Y|Y|| +|Baseline Scheduling capability in accordance to available compute resources (CPU & Memory) on a node|Y|Y**|Not all Predicates & Priorities are supported at this time.| +|Extreme Throughput at scale|Y**|Y|This is due to Poseidon/Firmament bulk scheduling approach superiority versus K8S pod-at-a-time approach. Substantial throughput benefits using Firmament scheduler as long as resource requirements (CPU/Memory) for incoming Pods is uniform across Replicasets/Deployments/Jobs. This is mainly due to efficient amortization of work across Replicasets/Deployments/Jobs . 1) For “Big Data/AI” jobs consisting of large no. of tasks, throughput benefits are tremendous. 2) Substantial throughput benefits also for service or batch job scenarios where workload resource requirements are uniform across Replicasets/Deployments/Jobs.| +|Optimal Scheduling|Pod-by-Pod scheduler, processes one pod at a time (may result into sub-optimal scheduling)|Bulk Scheduling (Optimal scheduling)|Pod-by-Pod K8S default scheduler may assign tasks to a sub-optimal machine. By contrast, Firmament considers all unscheduled tasks at the same time together with their soft and hard constraints.| +|Colocation Interference Avoidance|N|N**|Planned in Poseidon/Firmament.| +|Priority Pre-emption|Y|N**|Partially exists in Poseidon/Firmament versus extensive support in K8S default scheduler.| +|Inherent Re-Scheduling|N|Y**|Poseidon/Firmament scheduler supports workload re-scheduling. 
In each scheduling run it considers all the pods, including running pods, and as a result can migrate or evict pods – a globally optimal scheduling environment.| +|Gang Scheduling|N|Y|| +|Support for Pre-bound Persistence Volume Scheduling|Y|Y|| +|Support for Local Volume & Dynamic Persistence Volume Binding Scheduling|Y|N**|Planned.| +|High Availability|Y|N**|Planned.| +|Real-time metrics based scheduling|N|Y**|Initially supported using Heapster (now deprecated) for placing pods using actual cluster utilization statistics rather than reservations. Plans to switch over to "metric server".| +|Support for Max-Pod per node|Y|Y|Poseidon/Firmament scheduler seamlessly co-exists with K8S default scheduler.| +|Support for Ephemeral Storage, in addition to CPU/Memory|Y|Y|This feature was working earlier. However, for some reason since K8S release 1.10 onwards it does not seem to work as expected. We are looking at resolving the issue soon.| + + +## Installation + +In-cluster installation of Poseidon, please start [here](https://github.com/kubernetes-sigs/poseidon/blob/master/docs/install/README.md). + + +## Development + +For developers please refer [here](https://github.com/kubernetes-sigs/poseidon/blob/master/docs/devel/README.md). + +## Latest Performance Testing Results + +### Scheduling time of Pods with CPU/Mem requirements only (without bind time) + +![Scheduling time of Pods with CPU/Mem requirements only (without bind time)](/images/docs/perf-test-result-1.png) + +### Scheduling time of Pods with CPU/Mem requirements only (including bind time) +![Scheduling time of Pods with CPU/Mem requirements only (including bind time)](/images/docs/perf-test-result-2.png) + +### Total time for 10k Pods and Throughput Pods/sec using Scheduler Perf. 
+![Total time for 10k Pods and Throughput Pods/sec using Scheduler Perf.](/images/docs/perf-test-result-3.png) + +### Scheduling time of Pods with Affinity requirements +![Scheduling time of Pods with Affinity requirements](/images/docs/perf-test-result-4.png) + +### Scheduling time of Pods with Affinity requirements +![Scheduling time of Pods with Affinity requirements](/images/docs/perf-test-result-5.png) + +### Scheduling time of Symmetry Pods +![Scheduling time of Symmetry Pods](/images/docs/perf-test-result-6.png) + +{{% /capture %}} 
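Review bot: The "How it works" and "Current Project Stage" sections never state what happens to workloads when Poseidon is unavailable, even though the page says the default scheduler "will ignore that Pod" and that the implementation "assumes that the scheduler cannot fail". Please add a sentence saying that Pods naming Poseidon stay unscheduled while it is down, and name the PodSpec field (`schedulerName`) so readers can see which Pods are affected. The "Inherent Re-Scheduling" row says the scheduler "can migrate or evict pods", including running ones; that behaviour deserves a mention under "When to use it" rather than only in a table note, since it changes what operators must expect from workloads placed this way. Smaller points in the same hunk: the overview paragraph is repeated verbatim as the first Introduction paragraph, and the multiple-schedulers paragraph appears in both Introduction and "How it works"; "As shown in the graph below" in Key Advantages has no graph following it; the `**` markers in the feature matrix have no legend; and the heading "### Scheduling time of Pods with Affinity requirements" is used for both perf-test-result-4.png and perf-test-result-5.png, so the two charts cannot be told apart.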
diff --git a/static/images/docs/perf-test-result-1.png b/static/images/docs/perf-test-result-1.png new file mode 100644 index 0000000000000000000000000000000000000000..ee8ed76b7d59cef3250da29d533281b5ba4a17dc GIT binary patch literal 97114
z4A)9?^0(&eo27qsanbU$8PILG?=dn)Q=g>)Dq2tO=#I4C)<3Lk|H5No>PT}+e1nkP zHn5h(OU7NVqd^#nu@Fc;2^YUzk{<)^^n=xdJ%@3NH(Mt62bbUm#bUxpal#RG=j+5o zeD@E*9eKnszyKjifD<>UT5xM6dj%j?l=c*6lt#Ix)e#u&fiSuQa&2T8h&_BX7&d)V zGQFG^m@o%2;^|KA^ojWU7Bwsu{T-GXqgUp31OsP1ajJ3J?lFl_BW9ntvJY!GNUj{? zx8uTuW#kQdEnTn=!_ACJ5f{REqx$P3ZE)mq7%=KS{j%p}_D8Q=lkLipd0TN{uFY9H zL9ao8#oj7*0Wo4#V@nR;m{rOHo8rEyeV53T)RV)UVqOGKQ$WJn?_k}&^*J)f<18|g zP3PeUcHuC2XI|Lp~);2$+^=sy5QmNoBZt|ET*kHkIjVexAK^pWC^JIbAj`n1Pv zItry^DzgDEL7E3XV=f}WnwT?K7s!%7KZR}!xJU{ih-j0SY=X1(4F*n+4_)?j;;qVLdk;t~PVMv+Y^V0b zHE)Uy8F!`A9I07^7lVWG>1II0QiGv_>hZ1U3N@@n-EM#XS*Pd;gQ9#T+TxuK;n&FQ z(H1%Cv0JsOpo$L#vBRHGHBZckgvJtjw!CYTx)_9zYS9vX-daS;jc$OWElElP zN>p7n&lMGlJopA@p;@Fex*>P+*OJWvC^-Jw1R-jH*4{tS4b(|lZ zRtcO3<5|SDue{bHSGurk=WHyQuTVrFN8E|mHMIm

=)4@6YDD&nIp3=&WdOqiMe5 zU@^%K5s)gX8c3XplS@(Gg$YZ?=08 zhAK0J!!C+RDNKoE<0;dHbfhf90t$a_6PR~B8CFNMQoVM7Ea4a+y8I{PUEKce#j5K^ zV%A-8S{)hj^&U+CJ-e<8ix|c|DGK^d(x5YYJ-;rfA^IRDxkI^nlDP6_&Okg$O_K1v zAf|mYP(6!udSK6`?R~n?_RGQh_}=$s5u$Fi{2}#b;QrI|#gAs*XSZ9coQp* z^dKuDQbGs=f5N7=8%_eloUQhR=X1nR$}Avs>oP`l{SG;`1T;@%BzB^$l=Wh65(KS% z&{SMaHFw9gi)*sLHxW4m$x~breF||ggYouSGZ095xbI6vLq&enWVm)CN%tT6=5nch zehb9vWiiJwA&M|H=01K`MF%zw@K0n=*YDHplW_rsDw3r)RVp7EQw+pwo7GaX)68E0 zSv5!~q}+az6~5KSYa&9{gGjAtD_$dFp&vx{Djq`~ZYjlMmrN!y%#d{7!$Ae<)^sF{ zJ{kL5{&blFXYruCLLN!?n9N*p03S4+g02^>E{{L^UW(j~I7#QQzt4f~C%bJ(_I)}v zj>_=-o_orKPFz`vFJ@nXyPZDvt+d|6SW#D}nS;5_;zMg7ngIPLZ~JYUG{DTUhI(;u z_-1HF^=tDq9X=;KF=u|m$(q0eo3Fp$J}^;tqh--adnyQ`mOWF=uy*~q2>#;5M{WyM zT!VzQ#|6WzHM%mV%65Q37)cO3g{579r`EqbJeqx#8+B3Q%HdYC*P%Xg3!mB8XkKVy zCpuKFvNUevRv?zJDQH?2kXOxKwxj4a>2rmE4K(1>1tJ{X4pE=8c*<}JJ6`05pE+gzK9@vjUU8moUeq|KE+z7$+WV2K{nw;_m&i+RKfQEdi$ zcC(J5yxOy6M*oqLVxGY#mp6@H{z@EG?6v3G%D*S%J0&` z(W9?L`jZn7Ho_pNg`ADOKSbzlyj>@fBwMRx}HBQ0-r>z*SC3nIinSqwaW<~9NgZ4FE5a;SU z-wUOqG1_+@yLm)|L%{{y3w%vvdh!(F>9|scoWEX9w+Dc*nwh(bgP)j^DiZF`+ z1x5SzEDPQn3SxK3fH=g-&DwQUjjUueRsEN~`IG5HBv?Q z#Z>Bk+3d5q)Z`IUn6sS;lQ3UFIFJ6<%E;va`w#1N=b_=L51*_7B z9x$Lz`r52az1VVO&WD_8@1Cy;8{~7l5FJ~$@h+UWigb$k7#gaFsAam5ZQ{UcL|d_k zqB!NoBPfcx{IOz1Gps3)#vt>==;RSJQWQBG9Mb~1NnfXV>s0u5_=9aDd!<>E4VM`W z()PH!RMs#$y)l!p0R`n2HMgnb-)n1NMSi@g9hY@Aw8Tm(Tl+t|Rcd5k^ktXJ-?13{ zUB2>CO(5*Qq+2C{u(dBkmuD$5oaL5^x4Bj2{9wRXxhIC(9GRqk0X3`Uq26Aa;!b*CiMpXEh$}WeR8tDdnTJl>dDWR|$B57R9ZCbMrqCgw##*z_451M2J6=vpWeFCb zl#aO>);B-1TYWG;!ft~TEzz}lDZP3~LvEzS>B{pf+0%h;RaT7lzpj%g4czemVeiYs zYI?u7KhlSagj6(>M5Aa<^DLEU&|I2l&6+!?D3wUjoJ5-Ec|eoqqv zZ}!$Mej|b$r%}%tB(A-<7>BR%`w~E8(;F<9=7VP&Ox;+2Sk=-kR3{uhzKu)L$ zOGmgWUA6zrycDXG`eZDV{EhI2x+a6Q$`QJ)dbaY0CBRN{ua_`YkX?Rr?d1)bgOwIn z%m$#9?`EilSk_e??v$$ewpk03=P!(*Z#9+z_oU_R(eowgt&J}zEYB%KgDQlfwX-;J zH4W^u?`=Eki2fsRdp!=~w~Xt}IF^i%7b zhp3-Vy@P4QcUQk{24GV2r1$!#MoHRq^qj*EV5&z5egL}1gQ2hR%Uhu>)6Lq)D==L< zXyxY=@4E{9AyLkU7M=h>=!)M}Q$~?Zr1P*{Sy15FGXNTCTWH7W`)1*PuZ0@G@Qmhe 
zP&Av;6xXJ2WJlIk8He3|R`ihU3g?;n3vVNjV>}n*Y37XIR-LhYpeu#yI{ivXvO3`G z?3^H>X6O3?vUoXiJHFH?&5#VhM2&9R21`opzrg7I*+yXN(ucQQU-Mi2!g=?l+~A(u zJ}9&*VtbNW<6Smu!55t9L;I4H$YvGa8DG8dkw@>Tx$_OBZ_g5_6>deCeOP+sy= zu@Bu1^0#~Tx(H}7ubUDJi((yC7d@;MZWkJU+TL~ey~XSKTv4@(7vu?Q?mq}pv~mqa zkZ2sT8?(w!UM>|mM1P$Q*Yus&vK8)Q`NJaudJ!mGzupAtx|$mAMhc(clKN5iG+#Pj?! zy>W#$x|(lLd_H=!A|P(UXCp3(r2W%vJyXVvYlvmOZloNYm@Fea;T=LVazzfsKaGDfTo%bt-w3oU;u?Jfy^X5GL-1w%cs|L|wZ?e2*1xhLEMz>N zm%MPpXiQJpaU)Li^ab*SUX?& zBnRFo^7vhIY}eDP{`m17Q*l!;UdqE%eUqZ^Pi3<-y65b0$krZaFsm4zqdTR3vw}&D zO|4w3mm;)P%9P$V&+XHGF0zJONryh&T73DGf}`$U~6eh?YfBgm}w;#vD`l$(_afio*UpXq}O^ks00w950RK8^bHRL17G$)?&Z ziJ|*?)+?d`VKnoatN77R&h|YS`L^gP4;ma2`Y-(;c1v>PvHO9hzR9N}&rij8&_y3ehQ; z%EbtNdq{_H3E(u;tMVfOe$0Rrjk`U}v`x+JPzMwm^ORl|VPybb*QZTB`>tbg+p5_+!Z5w z(EL8`c(AY|O_2q&#cdrY4%J<` zd7IArlLYVBqfqybSw%jt+{1o1g5G}m$foU06#j~+^}4S!eGm(|L_b^94XNk0J54b{ zG24U@(7js){oyIuO?-$6YG_bob%W6%Cl*2{!EHeZLka>*C+2Jr%1L-15K^EqRq3j3 zgEI{D_9dcel4yBM!5t_svJ{`A<=AD2Fh6SDVK}$w%);K_67>pK9lAsn>5_<_5iWlC zm@B;;iE9?KJ2(B-hNGF@)^T*rc>c_K)%-YL1GL9BTkuEu*hj+H^miVnrbJAJTNma} z?I5#G8)4G4TD)JZXP>rchd8cV@pa#XzsIBSxRPtJAf2hF99LCwABn;+8==vjuY z`EZ4uA)ReQ5UQZd3!DUV;o$2d!Ylv^^U1Wb@WV*Dk}bt=gE)+RjXU zSCfpcJx*vmT)3WhY9ueZ8B_mJrR|BRD&`?)SuMVj)1}_;7cD&$an@f1ex}EPN%E4) zqqmL;0V(AKhbS4+h)e#6u+Y+%%JIb&=lL%m?tgBBru|1ZB4P45clny!>wJb7x2KmS zfp3)oOsVx^P-93+POEz>w6oS+E2=~VW`=ik$*N?ox><0;0{A;_un)?%rmS!NOK~LY z(-+r)4eGBBg&vUtu8z!)miD}PV5Y1ZeRBG!%^Ck#6k{Ufv%)BK2pg})vg5%h@`KPB zzGf6*>2o;DQgK>Akg?=rRh*b__0y3>0$w&(!!Peqg-qU~(!{lHdm_F?e$@8XEAzuz zJM;O=2Tmh8JqJ*?FDG4v)(Xa^YPJ-Z>-dD-p7Qv|BxRglp7*FH`S`@=CSi8Bcx@`M z$9ySm@o*?N)-BtjUZBxKZNFGp`cBAaJEBid`hA^$# zoUO`frGA)?^cQ1`p6Q{k#y;^9e4`3FF`#gCnuISjj1?$irjPY+1-I}F?GFxIphORL zl0K-Qu_{|LVtrK*1^xArcqnQo7{VUgmFddnoAW9qbApnbrbgrr?cs@Ag`Zkf>kJwv zf#F_B-l?;*jzRhhi`%qdWVN&hu;DHyIJ~3Tqk?f3t&7X2IJ$bZTbD487kk4>{{Pg_ zag56xqy0vU_c{lfK7db`=#b(eVWQ8?Cx6>ej1Omm_C3X!FFdsOX!(!aD;N$p=ZSb; 
zPzX3}G}S22m*=rp0!g%irE~D$6cEcTq>+R|(`77S^LV}MrL4~QdZeL(lwbA+D*wRued}|;R1|MDum?+UPPtCm@&vzu`i^QeC`@;49RHL0! zR^YHhvb)WaFEl%Q{!)k8hky6R1Hs?Nz28yYtqUS|WCX?TgAZSV<_~w3*FJTm_yr$7 zwue{*aCXpk!SMHIO~Jb5h0@g#_QJRyX;h_CuDo5?W1%4o=wga5GCIGE;m_m_dQ(~t z?#aaV{&>9@_ifnNq5$2r(0B z*}rP5XWVu#_=3BcMB3@IqdvLdH*EDto_8AkOp{u?o|V3fkF+lzk&FnT=f9JX)XEas zSY`c>jgIQ7zVPQv_9W?{5x=X-Phy{DvL`4U6mh(-ZD;iL0&(d}cP`YKG%~@6SKP7! z5wGZMr&a6pS}rHdGicck5~L=ahIS8$zGB|K_bPikfnq%%_TV$3-JAEVRU>U480W1o z2Zf|9jgH(8A;r{2L|I?NcLp9}p$G6{N#&o^U9Wfylt-m|oJJVM4LEXQ8f`)AfFarC zHcM#hlUK@0x8qEK37mHPi}rA!enYLHf%w&x4J2QCUh(O8JRzB#?a9Ixmd)0fZH_vF z*WZl23euf#p8t0^iS;sao4J_Q!Sr0T;G*w_?_H#X|SdRSzAGCjk>k zOGV3tN8;y`)Iy8;-@TVf6#eR#A#WG#^&%X}TNBQvoeuriPC0io3{OCyX5ETAj%N@MN11pN#$H;_YxsOf`<- z`%^6lK@L*h5nh>p>Oac$$(V-TyHurGZ?so_kUg8I1C(2`Z<_yrDPO43`#uQGx9<%R1K9s?l(ok7Es&pl!fPbdsvinthnWqhD zY!irJ09jsgIbX92Jvs;XcB848pdWtGwcb>>#q5|ZX7@_Mh~=PUgD*+Arm$lqPj~R1 zvpM*Vl`u|80Fu)4B~LSh6(>S&%D<~T*@}zGIi}}bOc46br&@h+pVD|2s>~56H{zyu zyXnI;TTFw{*o7=w2oqU`{}JK1AMpm0ziN_LY<#e;-1O!~>B^>)`?zLvK_c9^xq zi;Qs@ZfA4|E{DGLVLx5XZpj+{bWCMe^T4USM18_`DpGy*>Avj# z;w-=A`%FduDCd0Cx$h_Fb?3$CrJTG;WClY90cRF1p|N|q(u6$dU`!H8gWi6%-qk`U zk`L;C_CBJy5%H`B(ifo@J)*K|Td(?Z*hPhLwHE!~P z-!=6c-_?hRzg&I8{peV`A&bE!O1m!)?PO~4Zb@%!+gEg_B!>CZOb+&E@!@muqMnS1 z;tX=J73mpLw!RcTR^vNUb3)Gd&_DiqZEJ(Uax;lM7wi-b< ziNU!wXmN`B<(rxQF-@f4r|2pJUI( zksEf3LN4~CO2lJLoJ3iUpgFCG< zcej4Tc{Mf}*Qha^)8<=c+VG`PTt-kYRBoyZIhvSOaV`C)PlOuqy8Vp)|bB|j8Uf!tnxP7{qEZ9(Q4{+u$upC*2=oG%@M2#6_s=uh3*edndio!q{Q2062s98h`||IvSQtkD zK^Ff1*ZP&BN33;(l%YJs%dv;gkW)=v=WxJofAM?rtyKa39zot@gQu&;NRFi863+ zoLwyBds2ApH^T?e9MFvazetJ7K~j@kYxVh;puitDfqHWqHXnzUrP$v$x7ky;H#tZD zy%^h`UCu!WLZolT%qSTDh{CYHas3(Gn^~3y$JM{TR#QZXR8F<$zvv-^gJV#A*7r*B z@2^!3p-Y<HnoAk2S1*e2VzowM3boUyqO4W_YjaeYr=z zCh&*d?-Yw2+Or&ha{jC)34zkv$8#w^?EXf%WveZI8xBe>+ej{wCzF)lf6qhg`7zuN0Ye?~1OAI)^CE_gp(j84SK~n|A%>k)Y?<=+ zduxPyOD<&nO#Az>_gn|w02sDXpQZkPG3-FNw?>CY2ln`#U$1W;KFI8VVUJr;Kx5aQ 
zf5!fJ-3~GAG+B;6P`_U6cCl-CIc#c|c2@E|*JF10Hs%K!is!nW^S7;+lOSuET!rP@fgiMaG1zMx$D9krxDI0 z_}lWMAL4fRsJd-_-R!XrcdxPzE#H}bIORlM*h8I~oDyou_}Na3JAz~R;h^Mnjz)ck zUVwBQf#r?3WE^pS?2Gxsqclp!##>fB#TYe~&K2=ublL@tmlH2+q^+l#CP%uhGro-! zG#mG*$m?|Zd7-atA8MnywBnxqjfrg)=UsAQk+M|$qhx-%z2;&jZPPrEs zQ7zL@xJM5n!qR}dxxrIPO}c`<(bFR1bnK}_i&{U2c&~V(;l4cE!NP>}vd4$Hr&pgz zP8Y7kwqp`!9GCK!811+E_II%Do=3u-M{j{(G<3WdQ#p3(0T!xX{TSMcMWia8Ah`51 z28C^4v8*mYo3JOqDgfw(QGu*+Zo7(DgjkU4w?_;rS`Nzd@-HuWGts!s?z=$7rdTzJ)N3B6+R8PmMiOW(EETd~mrM7(mnC3!=vWc)YKVtypz?o`=MF8Ca&Z6M z%VuroIrz5?Y8g$@!vzQo@~YS!^w(*ivmH7K+q=8#b{@3BqDWbn%pK5kdW~Xw1Uk@i zucq+A{S7KRg8f5o{7!-$HbhBIetOWP#_Lzs@9x0|27Sbh{UkWk29s=_Bm~YYP0>O~8o6n*e^S;Gz45bd!&M zj@O%Ch}nruNI~=;pvxOkb2wey2d&f=vQqD;2SC^64*tzO= zz8O1eiA1WmACl1RV*zivex7NlH?$eItFpMYwfGkLm*3LRaK!4b1{M=`ue@Jw$J}-o z8RU!^P+9B1Bu^1|TR}4=qkU;z*T)DTIx&} z|8L(HTHXJh>nWAXXxw>sgI?G~JWk)Bd;d25B=9PRE>V z(QfwJTKTN*V{0P%H8#2viKWXFIZZ|GreZoBRWm7>vNAKJaGVFF(#z`7qsHZZ3>i_P z0DNoz1ipQgM!})6sHA2IQ0n5l=|5+hxMAEJ?G73t@ntqoCL{q|00{f&H7D@uuPQ-_ zBXlV30S2}a5IUT|Z_g4lC9A2$316i8NO?(<`H_SVqF8?6vH^dN5NXSeHXjPBlNy+{ z-_fvxaBO_MWq+@CP(!5C0%84ttLx~wh=Bf;*suJPS4?s_$KS7#b7cbfT}M>zW|*Qk z$SH^8AnXX7H56w4adMPy)tw5{AMiSRJ`%M1noL~#UDa8!w$Y|owbA*2W7V5rF zq%LhUdN%x5a2jxEZl&?iOP83RD zKc7w(^-ujHyT`T3#_Cu3C1h)d3k^0&5H(MlXt3L21ZpU4zdu>xGC6hWwN;Ojm`~WF zIP)B_F0+S4f2H-J)=y`^F;hbwZntE3Xr|ow%O^#BB7URZOopsVW#=@a_3PegM6?>- zSdYIq+)LEMvADu*yu9f;9qGPiO)9hjU(HSFx;Ph4#A7hqP3X!hp6cL3pq0Ax5bHL6 zy&@z^MU~OLuePi2cX#biEswBUqAxjBw$(H!&*R)S?MkTbuvB*W)tLE>ICB@WqkoHP z8?VAUm``965L$7<#G-TAv@W@n->>%E(x@n(Z%4&Tax*>MHq9r{+PRajg545(?*Lu? 
zBSv5SB$nNEcN*n-Fpyec866LS!$))gx8tj(c*BP%sSz1ofyrhv2byo@(ChXDoM@Z+cpgUA;XI;)Y(?Kz; zY1cJR)K8H)n8w5%-Qy4>lAPADQhiGw>Qb%5fBo+4qocRV+-eUsHx+&zU(4^SbUk80 zwX<}ytoN>!QZ{X3ts}Uz|5ouz*ry|GN4@Ak@SpxMRQFm)}@6`LT-a3ctZ%V>Puq4nzJCZP%!Eb6Gm| z6j98>QnQG^J;3{&)9BB6x4U|*n~H~gcrn^Y*dsYz(z8meKwUWTy+gV8ZkkGoxObY0 zizxr!t{~iwZ_lig_kGQHBx|mhD&Ick7W=T5SWV2G`3#o)Q#>sJBS}Y!H~vjRJH$ls z{;i52%tCCUQ*!sK7*Rvn_>FCADsGR-uQiVa<_k_+T~T#)e)_sMELse} z48z?!sIu;S9}F&@&V>D_D^4wS0V9%+Eg~hkG-VNf7Q5cZ2R`Ouzlsg9e7LJgcZ_<*LfUOYg(j5`zDxKW zfA-U%%S^t$s-cc{>Isk?xa%;hZXOh#HSno#<-6QWyGiYHtPbm2`6%@lh6$qFhIJuz z^_LPr#X@?w)gk0Du1k=YV27&(Mb`J9#4qJh@)iY)U)9$DNyPSJnB5G9OEj!+ZGZNy z$nSSt-1a@ZQ>Us?lip&&lG?NUK$P3EJLe$t5gmg=)BmK5p zy%Xu0b6s!goCeG{G3A`M-)cP{8Ltw7QA!DKb8h}E!#(lC{~5a;Hy3nk-B?8rW7Ur zaE3nO3%pQff=l07mQ@6nLi7Gs4nonQKX+7n*im-!jnw&vmdqa)u^SBB;*%0PtX)qm zGSMsr_n+RJ1G5mYwuf~isB;YHOt-ZbBr9CYM*{GkNj6Ej=&U-7!l}#(*3`jjZr+!C zmSqH5QI3(nCNyE)7x+~4>mMF)bCH;mAoEK!zs7;wK;F?=8=Z||w2VgXVVeHe;^XCA zjP^?dzIoWM-TV5_ody@aFv4iPFt`i` z@Lyzgf7${~nb1y?#;~SyZHuZ7bzYS!;>Th{%!}qU`&M!ZwECRl2>;YMP={#gI^ zu#vvSoAcR-tS zr@vU^01>qvT5qsyIUw#?p2aDy6qH7vlHASzT0?Ck*~b+f!EgLw|4KvI{5J{6HSVV3 zLzTc0?0drcmTDuqQywg6?9BgIJ>>35@iXRnvsU_}oN5}8GiXWG*Rr&+V6g1NdWVR4 zin9N(*-aw&_|iYoYJYWLGe>X1V=}Qd6|dzlSe2Eze<)FOow~eTX&un%@fO^=%Ue;| zDFrAfZpjQ3{q+*3;T3@N(%NX`fOa9I&_tAc77Zd&klRmGa1FdNOr&V$d{YkPP^0p0 zAQU53Ago0UDFe4QNUbd|FNf)PIKyxdge@c`C8d=wJ^1T;gcET2x_gEjBws|hS4sHC zc-)@ln+Oz`?_@tnC1_Ae$i(u&-a#6QrAPSXuzg7Z@?W4SrU10+1YrOTOa+@x2-7Ya zPfCWO(&y2DJojI3Qdd~2$Io!4?DEWVgt3nMSXO@j$?fM;)ifIc!LE}6CIOrYt({Qk z1=%^Qif=3{{uP*K2BM`d--D&_;*kkFh|nF33@fsDB>Bt5p#0!$(a2jIB0~(zIlmuW zcIWHpyNv*$xsb0tQ=NQ97FC8XGPDs`$-LP#|K|}2imC|r@(>wo2~ZOd5;N#wTS8R7 z|KNH;0*b%)4YpW)5%GTtS1yedF_B%l)BIkqqK49KwNqc7lF#NwJvy$%^Z<@Wm!*$( zUck@CMe)(yffS)3TEG=FwGh%SWN>!<@bzkBW@*?H8oaYL1SG}_Go`M}&&k+4hHF1e zqzNs58my+g+X<0jV#(o~9sF>vyUd78?S_*av?wUGSkHg2^`-H+D=S-1tZ;?h_PcaH zhc3V6Q|zVX6p)D1aHgcH+RhG+z9?>APlt`U8h5+z-{0L=aT+WfwhatD1*(S7BUVUm zX^u65#1{aGHv#eYJC*U$I*}{XQ 
zOc;hkA!@aJmti3ONIG@}Z&bguChxRt+7Es~Y4eF97-h7xK9Mf8_Wc<$@@TQ3(_6uhlaq~guYC%ogiAAl8lh$LHzro+DjNgBvu2(+V64??8_~1Z zN8iXrsC0H}@35DgTJ4s^K1Y(M*VIT8Xrv7W@&}>|iRF1v+%VE^Qc;R(sftX;VE;tY zjWF-uN3aJH700+2=~hQ&rx%#iE;Jw3_N>U1@~~{!=gSB|Wl)k~4N+R*B`Q%chQ`#@8%9$M3iqkDxC(`W&)9 z4>fcHt|O$wAbsa~AEcI{@J0kPR)z|V91ryD4k0l)i8BTL7A})|q9de&i|;}43wF%+ z&iFDe`_@K{D@T&`)(Z|2D#lIhyONDPXVLt)h>wEG;vFbAMIK=XYWR^nGjsEas3d0P zUkB=39gS^$kPU@O^dI#8El z-*LSmzOY!vvWt;%ocvKVFI!uO$mXnz71Y0jI`zVkBQ>#anKGw)oUr3YL@P14WP!Nf zLkeBI|4HfvtFS>z9F(r52wnE^E{TQrSsEdXQ;|j+Hb|o*H8Zk3mhB^Up7vmecLb(BtmEI|!{^ z9+2Yq!kWQ&KU=8j<}zho!T#P^uo=GYZWXu9xlLDa8n=&FQ)SJ)(GTMDSoAnZq-|W< zpVVSI5eZOUlvC{RuKOhqeh&n|4o$m8m=2iT;Q-wWkr(wuWo2dQxZ1d|E)?yB#Ltfd zMy!f$rmfS}=jMFr9D4&G_?<4QiB(oLf8Wvlni0Vmk4yh9sJY-ef}AT*9^GKtB@9;+ zj^60VFRO}6YiH_z`YX^Dwm!BBf%w~z?dk9}r-AOz{gS=CtFUP-x$k^WMDCg59^A8- zeS82mk|0HaJYX>Jq5Y;oo&F`1r2MrhlHK!QqTY{RK}nuPfBsyiyZup$`h{KNkUzD1 zhC?qSqAH!f3s0@bb&xP!SHaRl!#uqyYUzxIAa^ zWb(gQcZWU%0Vu25=HxSY5yc~c`}Xrm&UjuN5k1`F(u1OtS{Ah=?aIL2%<9R|GOyUZ z?IqbSmBb2eKrFT{p2|ZM>PTfB8lz5$VYEVr ze?6fp9+G!dtc>hz=kcm)Wqp4h<|7x$5g0H61#m!!ToMEiS=z%U59qJRQ}}5E*L`uR zAwB?p_wisWm=s6>^1bdWeVC3872hfJFD+*BXMn{R0?25H)J0Z`&3goQEZWjsVIdwy zIayPco9T0Psw@e@p6oZa_!ZXL2fv33@bcP7jFY|n6Km+&DVeWh5~$Dh$CJZOass;^ zy_JQae@&%d!~eZJO?mOom(eXEH3%YAdJa>vzsgU_={<)q;c=rZh4E(-x{%G6Ulq%3tzJC0myGlr zNEw~q6S&RuE$}%6vFP+%kLjTeBxUuSoX8sfnX+zZ$Hn7=cjF()XN6Ic5UW5ra|HsW z8NFi;V}azm129bRaH#4-S=`+_?rqGdEza%-kTeh+KD#d^FBC)$9HHqyI+cCQU7Yqr zk!kB2k`9a$H0&s9r2cXY>kJtX-3C(f&IA0_2WyD;hT@We^j3Z?DR!GΨJW7b|= z9JI44aQWcwL}X$~<^DbnNmRfqU1)AM59@f<$7rA1$<)2e#xSwPK^!y;CD>|_WwV6B zW`tGI7&J(IkvS$eeVl8zhXO4GP-TyiXXYIwg)Ot6dlp2ft)H6dOI3Qw#i~MXy@uM{ zQWG)cp8ULBqWSfF+*{x3>N8^Q=JMwYekI}9k~gUa(kLUN_O8*cpRd#IU2ySOzisj?L8tgzhoeJnVOwyAM< z?+n#BHJa|@&=s?!mqVcCzW7XKH@FD*dk?<2=4&c4?HI<#mO;c%18oLC-5B}@OWimE zHUFl<^(;f{5-zu7%WA6nYP*di+UBB!+>)*258zAh+rMta9$&|it$;vn$lTb5mzTqs z)ocMNbPhGATS~XwJ!cjvP=SGn7PjE_>|`?A*0*m9!}TxZ(Bs(?zCJqE$)FMl&jG2)C?lukoS~y 
zS!6dBw9r~+pTZ`Wi^QlSXBJ}I&HClawdPwEU{@QaexZ}M(pqm>*e~^%(sh+x2M$+7 zp_it)a#!E870Y$cacS&2`g+{5wMOee8lmmj`$xJ#4!+|S$VrO%v}NUXV`&Y-T1RiO zL;3ua6N~Fe>eCKK`@@u+E~`iQiPY^9bId>^W5YQVHI$V1 z#>m%|agf06yiE|unL<9|2EDrd%R>{8gG1=VXnJUOGjUMuYvXQuXcDm{u@;)ord70g z-zg$6kT7i@tmuCvBY;Euc3NA(0g8*Zgo7@UEE9pu!JWgH^&qTMLtnjjxS9m=ZKr04UpLy-dB4Qmts-5k9TA5pa~Uz>MWYF8Bk zJ^{0RfRHmZ$qhRaYV4xwqZd$t%Z`q*6g;*{FYl=zAfztocyM~c65U$Yz=ldg5+lCL zcE28kAGaUQacE^;L;_3xg>^73em*{=_JU>3#a_U(XNEALYJ{}cvzcHyZsU?}`D}Yj zH{acl-AKg}&6v#f?+FSueIzwX5#x~hX-eoyTtsK~CP@Bj{F@F@e2;gU+$0&7*6x41 z<5)1}f6G=NYbbGA1`iYIYz^ouUEY8xI-Gc(9x#EN;cftAPIy}h%gU}yTn14jS$M<6 z-y0aPZ9 zx7FG0O0z!fCT%;mPu?I($g_4qfvsR>nx0KiC^p`GHLoYAf946q)LeHKPm-3hx=sWb z&Xl%t86TlRU?mar^vm{xjp_%8(&EpVnF$=0AKaU5aw|d6CC;7nm$QmLHu`0yl&D{0^Sl0nac}14 z{gs31+1sDA7=n5&gOHl2t{2lSiqztXWC38iMe*eph#DW(a(8&!(LswE_epNk-Ou@M z0H|_X{r@f*BF(I9`lH~L{h?}r44AIJV2=!pM!L0$sQ7Zq_(XrzT1H)QresO&&f{t{ z#i4Uq)Oj|UdIGv#cl0zYI8C0nulJuc4-pO&etEJ;TPN+dG1h=-Q3UuPNkDwM`B;Hd z&yF)f2=JEGVPZxbU|%%{5%ADRm;|@)d~h$1u^Xy7L{pM(*qOn8kg~|OzA(!1X0$mq zcj7=Opib5UriHtk?K7SmsM}=X_dzGH-CPx!5FEb`+62}|;~{mnv9c?YG%uXOW-&ko z>r}Tw#sZYC0V1TCXWvmT#{H6KI&rWD&?)qzXX-wO$JDxpLxpt^FLtP|yvU4G@Ykj_rg^(26pWt&5)k12yWpgAsSQg_I9-%pL%SxI&l>9ocAy=^ddL)oyh?eQNKvL(dtg*FaXQ`__+1t$yt)PqMT zSQ+r!{%0jsufiv@Y^eukt~-^vAqfn0=6Lm4Jlj2=Nsf<>nnZ9reI^cSSeqhQur7ZG zrMlqa8Q$#&Hzj9EcfRCeQZqmo50oYF`PhHeSSbPYg{$XYYssQx<)Sj;$Hk0&;1k8FdWxQ_1RDf~QoyO+?vR;wT*j0+% z(87cghuNldC{%+Q$R$t(UWJ$$A&d3;rrEe)LU;WH<2iI06pu!tqc@7pSM$GBtoT}I z_W@cV2vcc%Ei!DNBz_%dNd%4;!F3s?-LqLvLKn;piSmeezIfe-w^BG1nr3Uscras^ zmHx}K0EkjJ{>}UHjOD3I27m@W9=!fg>l~4~1LvA_>>Og!+A-Z{c1^mE7@`a+L<%29 z?GV1Rf;f&L%DyF5G8Y!CLe>2^cNd?B4fn0{H(6-$O$?o;u;y9@pF-)_knu=^ zwq04p=iS-s#&GbCr&MsL?w+iNaU}yO3xS{bW@-eP9oo^+VPsNZxf`W(@S~QO^LTZb z-4;Ipc+I{u-NW1E{#|?HF(3qruG0bl12rD0S?10@r8L-5h|KaqpS1KB8?lxt;5<>&c4F zzE49Z+Rk{axj>PHwRkcM2AW_DWjWNbJEIQx%$g4wxkr4GNBZ5i{F;R*GAo(}%a+^1stS$hUo;Iqz@ZK1U=mD>>w@)&rc+f`zBUa&vWQaY@E1B?t4lV* z$s^(pKF!S(|1pY+g8&6JWL-dCAZVxv;`#Ov3h!2+t&vtFilpxYFwY4hlDjY-0}!QS 
z-}^xytY8(g*o3GVD9?zbl^}C_x*(bp&w}(IOGDmZb9FEXa=U#`6-5bFTw%x#EMY$| z$GYi@0=~V-`$>9Dx*D5m3F#NB+vqlOcbZTnE9 zWmn~2d~rVSfL0FQZGQ&obvI=m2!E2Md6H*5IyYu^w#wt}5(YJ`VY`gAz9pjIN>Rrh zZis-sPy ziSnx15f%rkV>oD_aN#?~>-U+5@r1}+ab2E-IGfm=uzfPpuIUt~SsTodP8|yY4s;$+8+_^1pi0kQn* za#%Vdo;Uv4So}SbFDY86i*7)Kk(yae{^^dJAJ+l<2f0D0H7)O~F5rJVmX>g2CN|?sHfOV?xfHFpJ z{gTf#%&+KzF+fj>I$JHrS`tu?P8NA?DgK|dsO6g1h1ve{ZZfa_Z(W%t+@~xsDOVf576-e(N*63mi zMPrYT&IHl>JT6j+CtL{NY zzD2ZHm+iF9_K?mk)nf3JMkIWqU*#dDjuc%11ELuV5Pd3I^O+R(8IAW@@4%_?hudJy zr@XD2B6$JVl9#$MTDI%deduAx-6f|cFI64w?JuSE1J2p{tDizs^G@Z|e;1*!XuEV* zx+1UJr=4V9ndAJwL2TBgX26h0|CW0PU&;9r^L6|a#}m`OocZd*0Nm3tS?|EnY-Lrg z=jl?2?9)@qa8+jUAxfX}t)6nKORwt&zVLc20fBTICcu3RK7m__$l_4qW&!|z{$uHB+l>?3XIrRcKpBGWu@Jt^PFpatQw$J^1I#$`h zXOt~!X_H5N9evKINaQ5yBQwx0^#<}!ORrHDt;3AH5-2}F*?qpmc_9s|;-FrQR~5ib zIqyZ!Y(*~~cvDC1AOFXnWYQ;Dr7C-&Z($p{43H${ZImNh%rx+0S*ubWnnA#Ej(aB6QbBaPe-?yM&CDHWs1gH2dYwU8cVwdslGZd>dtQ*QFegGJ&V>Jg;Glx4X0;!#P zF%Z~A&1+6M#gHxwpv*kFrXUVb+>I&r;oIN;=jH*f2r(WFi0JSAd+7Rp{5ON>b~uEn z-dVx4axfqU{PQopc#hm1YUqIC-Xnt)SBbZS5|U@H1U{lYWn6AshRdKn>j7uMLwf^+ zxqft2x|&h_Y)KN0R8N3P1h!IVjN47dicFqB>fX~(iks_VfZ~QT63qhH(>EnwFQ!XZ z;&>t(PV@;yovnmiP!=dURA-hG9NwM|yV#>j$MZQT&8{0hXWD1ZRx*ndXJ#>7J#8%w z>R5Sd4i!MI(#gdx1Q9Nu3bW4K7z0980cInc>&lc!a;hLu$)u(-SDp}ZTdmo;s_7gz zF~WfmcDO%(>iFtTPchMIVzS%L&daC$#OkA^cn=9lNZyeuT|c^yr1;~jo|Wm+;+5%{ z^6CE46)PP~Uv5SUp~x|&TZ#8>yk?@pk)9cIxU{qrz4q~BtMtdSFXzeKXQj*5JepS` zM|c++BNgOD{@I6n6i)yJp5D~yA-KmF@)vK|tzgD*S)LAF>Fp=_xJQNIcg|dUZ^@M2 zS(-f>ze3ROT;XxYQ**$>l=$4+eh*cP=KcpGXHrDhNbhKQdCJc{~sj8>Eklf%Er%BeE;hE)Dq)-V1$d_GWT&i{o|rXKj8SGm&RI+VShp6Ot((1>&i5_ z0@(-Z6IAdV!vCOjPt5X6F6&GAsj{}B3$p?ynBR@n>Q^Vo6$yRy`w$w^rrW^oEK2+E z--qabZHAt3?yiQiFon4NWT#?gA%xGMzIFs@ui=*vH`9pi{qb%^7{9QxWlwdgn5Q4UP9CIm! 
zK{z@dYxHnkBiY!tpVvMA+|t+{j#Lz#JmMQkSKc{$s%s!lt_mdUan=qe`Z=^=F1d z1jEglQ(Xzi>`a~dpK(o37nE(uv1f|BG`!?3Y=Sqd$IUVRNb}6k*Q3^>{7H`dd z_%`IfFc7Y_JS1rzk@wE&u|mXMoy}OLhDS0Y;ig&M!qWIh;|{$WKa>5_+Qog|Lk8{d z@2{|?ZQK+&clS!LqSe($KaKAqL4mAnUB2ao%`a0Qi3aSV1)kkm)2$lLS=PMvmi5C6 zt@#JSCIoQ3Mi)BF&+9$N^{O>!`QCw?KJVT}hqLQT4wSj8`Ld=kMSlFToVf42YR2wF zUeV4nlh`ilN|;c2Nqqd7bs?SQeA|N$V$5Twe%`1F!3&i%&6m%glZ3xy*u6R}`a8~g z;>EtD0;|E7pWQq=H|lk^TkmZy4{l-_C}13}BTm(un1)jW%8lOrg8Zlf<`cY5lk zHnL?gsjOP%)z8ByFrK{q9SBh_W0N{nI%Oid#9{2lf9+vz4zXGWv~0ZeRO@h ze)s*j|F}FJu0GzM*Ep}|Ip=wv=k>0PuY)^%o?z?f>u)X&kl|s5%eiuPTIW0svwT8U z4@IL0A<<1wp}nVV39?Q*zgwDl65H~D5WyGRq7)PqygBDBdThWZ7!)Bg5u)8WW=xtH zSH=e~sn4*D+)}Nqe^Y41i%3 z{v|PcX3OxCG$`kjRMrh6TKo8ti zxDCgiKkYLWszY`8Kn?J?00;Mc+GT%1L!;GdwaW$R-=D9~dVoUk@i*Z$HI5bzgVnndN8n9>egCB2Pg5b=xbaL~tTnw5GgW;l zS((dh%z(3Jlr^>Gr0|+p6&NtxrQjgk>NxFi&q{m{%MCh1<@{8?8x0PY*!=_1Z28jtC4ZB>XEcU~!zFbJ! zKEKOBq`xBL=bN454|5Y_!^649PaEsaEi*92i%@<+z|m&?J0iI=-gdXusZTHM`pC%bKz-puq0EHu8|5lS<2QMhLkFc|)e zP&mfx1R-xY<{!86p={)*r*g{U5zBlyE88>M%6fXV+SBe|{Ht+}+{Y#Cyn!_LqVElJ zxI1&N*GJ6wWHT>q9TpcH+LCQP$FzYBK04varJhZy-sAcBLoW zVlHqytj1N1eT__on~M~A&Rd7k-Z?hs4A;V<{v3Vf7Re>zB7rXFCt4=yf`(&s@q>bb zIm%iA9i+c5(-~un!R8d){c2cy44>F%>OTq{!ZomxzMwR*H10|pfPfrSlhQIWcfJtm z5Th6K3BhundSid&cRXXF2*v|z!@#;A_PvDPHTc&DZ}s;kXxtiq&rj*K$Xp?oGbQ}b2lsx(+{*^~zc zs#R53&k(LrUv(GO1*pjS=MPlyy1l(XM&q8|{yYoto-L*M`T1VWc;vi~ ze$Kfw7wTZ6cX*g!*#Py1Em5X)t7tfthbCD`Oyy=xtf|yTevX+PveZ=7e6NoLr677=AF^ju;*j$#+*p2>BrrDBz$dF}fS zDy{23vu4#-ms?s?$W^(``YBFg&eE0X_wVpnTs+|+i2#OP0ax;~tt-0gRT;lSGBhgxP`u1S_oj$HnJT9)IYU+Er$mAvJRpjSmy1U(oD zL5#|Jy1L?=81a%v0o4gNRjl6+pBBtn?02)pZXbM0+)jONsG2NM9~2n4HxF-SgzGiq zo?5qGI3CTTi{>H0-5c{ryto}gHZU<^af(@%!Xh*0^|v_v6CNipL~cBJKDhr`w{v;q zXYy17*(Wkilg9*l;Ww{=lO~<`G;sRPjh{LkM>qO02N=!nz-J7lQ))Aa2%Y60qqTse; zFmybL7m{2(sPVhyA1t$`jzxkD0msAv4*GT9m5kz@^U=7wy@{?PNJ5})9Bg?Uo|I$2 zr3LYov4rs;?0RW=q7f{bj3-MpuoKTkgtQ-T*~N zU08%djs@yRpIKnasVd>v3-n<~~UL3wi|I~|2Pi#}KF!*~R*iN3f&i}8Oa`Wyo^i0o9>;hhjm 
z_hR8*MA{dC_Ka?uIa^%*C#@u92LC}W=||+WrFjsM9&9!+U(b`gKG|PULA<+pk>%jl zX8hFZpndjq09M*w(W@U_2}4#ct6v}?vqotT=M(?VTrNmfob9Vob5bsTIF3}WCE2c_&}jb~1zeJ*F9QT)>AJpN#N5|1{M z27(rF2()J@o=HjJnh{8Q3XdachvjUz|8d$ej{z}PKH=Loi8XLw#a)}ELe52#1*|O` z-Hd*FM?0;KAT_r|)^G2Q-ni_^U;Gs0ev92S4&$k}2cC;%;QXqH2*AJ)p$6+PNOFIN zHaUV745VX(uA~c~M_O7s_@>I|bl}jx^rX*EkglYjIst%4xrd}5W4|n_R$^_4I>s!Y z&*$8@Xn=P(DSU<+S&LtaJXjLwwJ^X^O4r<<5;}AM8nuqGxHDbrzCE)+^1F9OgT#CQ zNqtwj)#B>+g4W;m{Sy;ud9j5nxFnAf~UO2lUB*n-Z2C}5nAI3`f zT)JKUEaS_{L<9lu@iY=@-Y#wNGF{VkA6CSPaMDqtet&z=RemXJK&U?W*ZN z5Buu;Bd_$u=5hpJYlv|Y;gEMi&{SUVoc_u&G}6Bh2xx;~SFj{RFaP-qwXT(8t2&F- z&#Wv`0&Ic@?qGxCm?E6gmejuR0Dt3~U+HOS(}v38$X<6D)0$j*_V7Apxe9CqcNeqn z9rQ+sVX>#Khl60?*Cr{y{qhHDN%jE_u{zNlbb9bbRyacR(R`m;(fn8umnQvz^@qgr zVEY9;!_EGW{Cf%0=c0)Gb|*zMd;I-Lg{Hm6TXHKmW^w5;uwQ+IKxjExLHc+Xs&U~` z_YEk-M^8B#swq3w-70vW{s`wNU49@{rtt8o(DOL!b?J&p9Fn3jZU=q{c`GJcmz-{_ zZxpuD3B7l2+JD)upa#(*P@`fYB9dhUJpk?^_8!jcN2ls6%^@X*bczk&A7 zqH4nsW7gNzWo~OG-v1a4`WtI&YXg$E{nSU_I(%W7o4heIv5qsH<%Oduobn!9)7%{6 zkG!^`J5Km?enmV5PE|L&D|(q3w-fqUuWrjt-f1HWl5rVssjrH@_i^>fURhnk${ArQ zSK-G<3S4It{{U?(uj0zU6%hHgA*6yr!aWBBW8gBB#eu@jg}yG6$vZN4JL$uYPQ#W& z*@7+cMT7W!$gk@nb}egqo9MF=^&rTq1O@J+Y3EvSxR4-yi zXuTRX=O&6Sgbo`DhjGFjt5la%3)-XUUWYUR3L3SFRUdAAuKM z@8W&SG3;``Jk|+x{Da@3NpL%=KrDlWrvc0D4aqGkYhXc=nSqo!>$jzP0v(t^AjoJA zeQvRmenxt8f%FQ`H|A?@cI}i~P@v~{#$H`c-&Ah9v%zDjG~O_ELXGor8=HLPyN0}_ zk?{yK@0nJgWp&(+v$^7wIspD2_Y^-oM6W58@<2^-tfCYeu?OofrL^x zJlIFxu>x=Vv*(Yl){gmgbhJchV`!$NWf(UW=v7xgJhQ6!$h^UQ}wUMb)w|GQH@snAK4)b(;xDNVxBC!=n0uu|)E4J!d|Q`vF4EGjNCt9*>*S zjmK(oe0=-{e`5Uf=;)}tf`TmV!n-P5G;CfZXcp#~3RBP}>v9N*jNt0aarDe~s%p2e za}0?jbC9v#^<{cbX9|h^Q$RxI`J_OM;}ze*xP1BYSf!66G_oCayF}Z6hEoNzDpjIC z39}-2jzN)Irx`5#s? zR@7b0udBO|Rw5_U7(d`-20UYUK)_toc{(IeB)Lc_YWI}7@yG*!znCO^4EH=8LdhEV zb;n*(Dn357A!o#60c{Nt!JB4|`^4rXM@Q}qun1SG{DRW9`44@Rv!5pKcYo;CbZVs? 
z4Ebc3+J&F1mm_fo))PAqfZR2}pYnJL?D9|GjT+RFzLA1XJMW}f$cx~1qXs>}EOz;z zx}zv;mIWg2Nd2ZjRL}dvjVlY-Py66Cp0b7Qe3gkqhX$+Dx1pHPAw=IO1}j8*z07mq zw1oxhpT~bHgDa|#DiQvrTf!^c4JHd6$;!Yw$HvA&?-;LlMe8drT0=By0Q3Iv6RK;Y z+;6ZhV$E`9HYlMxbo@hZoN-M)AMLO88GTQ7qr(TI_eqTV)mKLS`YSxnD4&)4xcZuT^G}#tJTPwa46u7ta!Dl-kdh4nCZPPSxsk@s?T%T=8B%f*{txQmc;Ut}S@NBu9o2h!D#oX-|1 zZ#Zr`Lu(QIqC;K~lYIS%9D0=pWW4ocG}Er7)ekHc*l%@L% zl;$B&1Rx{hGiv_=Ej@3esNB>1s}a_NARNO~Eq}lH$7oO;U^>)k)VK3jLNuc}Cw}~{ zQ2;NM5f|^Nmr>0D(M1s$<@JdySiGCrB-j?ilgb+s7G{{+x3;!sx6m7( zpO$imgfsh|2r~TO^UK`}z6x}8o#{0$YuWC(Q%YB=eP>#kZ1&>bef6WkCqtnkI^-{p zmB9G_%h5f?6olS;;5(h>I#a!>oDd;Z$*!rTrKO5W&wNj2_TvZN#{FL$rCG1SU4tX7 zCMJT-`aTy^u1*%I7Z^s-a4<~-^TEt&Q?<1VZ2eXjWPc%mWgv30tu}~}!y^vMsx0-7 z356b$AQR1Ou{DR^HbIqemXzH98dvG=NAIopxumcF_ZS=yur{#dto)%60=6fwsmzY- z`^Syp6{z*hOP&jI$<8+!BiXo6byJESN|UlhrUvRCWuPqcBUFDCT+RsNU(^Um3)!c( zs-a~jKAJmYlIq4MPB;omiHSUl;lcc#nF)2pfh%^S6dxFb$-LXc&2;il^*zyRjO;NX zEPw+4E{M=N_Bx>vCsm_x!{u<(rOaUSVkl+IbMMQ(eWFTs) zvo-sp@(U;7(-y_Mv}Z4q3N5crr)&^PiGBiV+ymfPnG4DG5@|C|GUR_oMUJwVYbIdOjlu-BM)EdFzaYxQ4SeYA+` zBcg@Bqc9O`BH43rl{0mo4>K|hp(>J;DW_myNLK3L1;tM!19mArhdY;OF}ra>*r zuEKUn_q*!LLd@}VQ09K*s**;ixtCv*C`2G`9TGZ$mM zWb+%;kPx^LkUR-Cexpp;gI+btXPENx@&z_?686l`7$V&f=ix@U{HPl|KyaE$7}sWy zJJu4=K;8>hQoRD3`u&Fnqw7Dho3JFp9>F@&V}(xi1{TEm9Fv)UU^Ebe!ttk8)yWd|qTkwfhEhPr#SQJ6!<-<^?Dmgr?Y}(g3}0PV0cDaxZlN?Z zkMSqMB`}aUd0*UPYu$5hNbSuxc9!4}=5n zmH>XdtGztV@4w4yZh--BBmL5xD zy!s7pw?O^;R!;=ZmP!$biMUSwiT|#wyJFdxHSd}wLY3N2$;uit4SgT<5B^{|*L{|W zhfB}o-jwM>J>JY8st)4-i=;GVcTyjksG~`Tf7hj%2;#58yf0La$}Lq_#~Yl#>P)nL zxp99K56J_1w`z{`7j*0uD5(nwwyGeBz+BV7F|7XCpvE(hjzOWqOGqt^W{T*O)nqg< zjVe3i|FA7Oa<7EXF&WO>MfUgqaE|bQju!VC^>9XCl)hXLYK!Wyp$liS)UN&b%r;Ws&F4%t z^z>Xq(SqwO?R|^y7CL|GWS<@tjB|r8#>|HE6O%^4>iO?-Ame$J3Opb))7S3OT!WVK zy{<#Wq8D#J+eqDcoiMa{w|8K(62GWFGL$GsH}MIK;J;q^&w_-jm1$=p(YVUG;X!{0 zE=kE8w+(BW*5Pj{1rBTGl>#!R%V7;s*A|iQ&iVoaxi~R3`JV|1zdB=o#dfNvO*f)* zqA3C~lpGDd&wX}x$?fdmd_^{vX_FZc=5M5}tw>&3RU6u$G1Q@a{?9dyAYG 
z(sJ_>Y~-f1xGU4yOfMtLlGchz^XJM8|n=r_P%=VusL@jWNi4etyB+%NAepYxJu!IUp~7< zb}9p}??56!_F==Ql+vAN5liT_3wm~-40fP>5?bi?z~y1GHEfa1P*^Ko;j%OSh~I|goN_ZsRk$+`O|p&mk!P7I2~HbwPuZijy7 z-{02i>Fo>++qW|+8FH%@EQv2d+5U$5mfWIornFKjd&MtWpCT2t>;&Hkpe{esb8@CQ z+(1a(=39U^y{Wu5w8TPG77fzQuuqBMo;h&EQ=OyYxRCbyZ`RiDIL6G}c}CT;(Ro>TWmViE z{V>^n#j}^33e;XRn}UIY+dp10rf0;(mA^r7E==Y(C?jQpqboyjr9zL2hlR|JN9#-R$aeKe(gJ)W5vf5*M!knf{(+V1nU&a^w!2cpE+a}`H4MA~aQNu-Di`64UgV?F%D8Kd5N?f^$mF9T@l|peh za@9xp3E4gSr3s{O)sK|J2riLUN?yP3veO32Y$s@)FdFXb&$l9esbG?pm1Pa8O`KeK zxv@BIEAnDPFw?`D`_7;9B7PmNhLoy1Oawvh){I@)5-Z8bpKCrMisJh8&|bAn&PqGL z-=95XBS=|u`v<=B``}=u_%Ndi-p<6aRBxc?=!WU(nbmeIT6WFyS1ptE2YU-pz%-~j zHimsPUTmh{XssJdFJaD6!v~2_bx`10I4^N$rcZs+lvOoSSa8e-43c*^??>cTX8W32 z+{cnr3&E(de5|{2m73519{0@8#$|r#7kKyFVQ5vl0R7k zd81g8t6=X;TlhgyZ`=v7>F~giUxe7^`j;MHCgEao4!fIo<6`Fg5R-eg_!3{R`GulS zXj@!6WKkMqVg~mj&l%+xq@>(j*oztSYAy!BFX?SA%kgS=cMK;17&M&Mh2HEr=*W{7 zyT4Khw;+fmw=@7B56#)U3WbG6d*lQVvpA;2>u~ zii>Sh7GINDho`Da`3;Zu9kq4u_6T$n!8?85S2koDbx8AxgE3E6l9{zn;;XtfhW01D zi8xq*iU8zs#F+}eW%&w>jNc&rmXJah82x%f=;7f3wWGHC-dgMe{`QY=sLEBWDecyQCD`35{MMj@qVRwWDG9Use49K;mvSn2w?oodGsTh7U z;`)_xjI0cTw4&hZ=Wt9f`F%2eTRRes_}MQw_K|XShHp_#jpdtz41Gle;(xx+$yNAA6Sn0u zj^tN9w!#DJ{B|N!ojPxo9x4+5%M>Udcq6$XS1xN^K4^z9W^!AIN97KBUI}$(7 z)XU*iN#W4c_j>EIFvyr-jIVwaK9XJ+ew8Mo9{CP|%|DSK_N#n^&*68h%yE=lY4uyv zbiSrPIph`MJj#6Y%|Zv4&HO+Z;F)D#R0}zucv!M6oowfHcXV-pL_gFCl|#uM^25|9 zn;}NTV3L0R*OOt5uyG8UBMalYE%pp%Ds8Zq>Kh`~{r0%D7>5pmXl~Q5ydIg^6zDbD z*=(g7_{ct*5ZJdQoxhNlH|WGf{}ps$(tKmTem!PoMT9|q5G@TxzQ5#tLgz9P8cQLe z@z=lyU3*pu=C=XJm8@NTa&?p6;W6=G52^3`BA#ctiYj%yUOfwBc z7CPLQurLZy&u#_3=g-apB#$?y{Iz(s`}9xvXQh1|L`Mf@mc9jMMk`|CZv3lR3*AXh zs@b#Zfqki|fO+a5gMGI9+k3IO=L(6kq<`<2Vo2!cSPuWR1G`CttDaOEpor{wH zZ=T434NzHn2ms8A{HqsRu(H_74I8RRae^oXzRybq{?A+gg~;% z7;ivNqN|)>H8JZqUbZqx0Y8Xf}efa;ob9fic`%D_y5^L>Dn0B^a_Pgv;FU3zm zYz90A6mtuA2bJ!>;9C1p6<~VB5Y^|qtp3s>A4W}JzCYG$-+sGjdK6Q13YB4rO*skX+N z`JBlcdNY`^UP$GLI(UyLL6HK(zqoQ#Y5-yh!c*HU>z^dsYnn}A+qsCGbYng%E`bh@ 
zENEqTEVX3qW!78B@d`jncm8<=broV(uYla}{)Us7_n!xjVnlo4Ky>Z}>}|-4z}@sI zORX*AmG6E79#}{!G04+W*xDb<<}c~@cCouh$LHM2cYi13EXhNtE-o#rAopjc$egha zPvV7Jg%I({U199YN_%o}1uwkLWsPG2`;*Otzv-n9x7Q!yh0B!c8|@LlWcq4&O+%g) zac*KUkUnCkSbO~kND<9gUsOI1@$Lo@i&o_3DlQMpfuc;K;Ux`|+-T6gH@z7BT3_{1 zx@5vPlzHIZ?c1Lo-C8}8RGUMUg&cMA-)%S=oWx1LzEr%cSLpmgP(2T}79;Z64uiR- z;=i+Sg*_WPpH3cbaY!9T%FZ?M<5hB6c3k{F+9#`zG-blYKrnSgcwP7}GU^dRA4S?; zzt^dr3dZ1xVqUf>4}Bb==R;7p0wDv!v2S-Pq$W7s*ZO6}gX;Km)!@aa|UnijC9_75{Q_x!VmTl=3LV*mLpTKZYmhGq3}fZFnA(uEX~uu$0ro_pHZxG*I!qEbijKqr~bCG>gMuROt!&NZnGfX&4BD~y=#e){mp%KPynQ%ET66AYT zZ?)seN~&F~HhM@7!-ZUYQB86(s?VVca~c1>F~^vsq1_Of&@!uxrR5e;gg<&ikOq|4 z?mV=J_0KAP5eL1_NPWZC?!rR*8A%=(&mLQajF2rc5m-nB^fRd%GJ~f7@uqpqGj- zCY>^cyzK`A$Uy`qbkjzk?T(zvL232aqPmn)A5!=!g?lgbaG5qwtn8l_%Uv??dV8kx z{Ck$8G3ycE5?FF>VKqja;nJ*6Gahuft7O9NVe`3xDi&1Ao*Ef99uS;qu5|yxDte6( zn0+?=#_OUaI302nP~cF(VmFYB$l$eV?A=)WjykN((f3UL)*Sgh#$FwI8^(6ENc##u zj#@W_)0v_xC%^wRlvveX{rR$Fqnh$>e}Vb-C|a_K7E~;;vHG!VHUV+Xpz-0&zAWZi z6RArtP#}fM4PW{BZkIwXZ-=+sN<>~;2dOP$6T{*9B(E@zFsA={Gu3-#W9E4{s|%hb z%-efy{at#|PKzuaSBn<7ov$a{Nd!4{PB^?5naw%ydDW|KielLe3#MQh(<4wP_>NQ- zb7rf#{~jWHHo{c00DqVIHN^vWs3j)9KSb-s{xcg8$(wHv1DxnJZav*;uR8B}Hd{xB z(?;{|Rb)(*?+`(l#e_WjUjrmCh(mghfTsbWF=&4W=T-DS?plo$t}&c*A|K#noB*j8 zhryzwkW}$pbl%{8{mP0@(LW*RQvd&#&){Z(Bbs9g;Ypt_%HwMB5;^;3lS^QV>de51!YqR%*!XP&mH+|5qeN1+(`DghaM_AB!Gei z@Sw`h(I8dvDlSAh+V++XF7aEb-Wf?sOnM0+J8vSin?#1W)H#i$gNG`RmKkNa94fdn z*g3Q1VhLx!?qF}wc zFPEI??EieT*y7abunPg@cyCsZAOjO|4wT6R-;YA6KM@ZJU5v+gZLUeZ(@Kx~wiP>T zqoVqJPEXdnxwVv=`G6 zd!N>?h=w=0xaL`YUXeM}ijl8e2Z&K-p_Ti)Oykx}uxxL_mrGJ2G?ZiP862GKuU}Pj z0d#d2OSsaX3>pLWi{F_t=__TWOQap(W>_1U0W@@KZQl}64h;yn6Z>r(-L0pNIAa-E z`E!3;=Nqrqz0THkGLEy=BKlVZ&R_zvG%*d2$tBM@nB)|gKFRonpLcW2txDBplMX07BA1FM zR?Vq^Y0{8ax6_ktX*r{eFGb;`27${Cub8w1 z=g}YjA5H0z+o2T2EF#MchA1!U+tq_!#Yd0rz6zX^T&J0(!t{D}L_1(2TEF2G5=*q! 
diff --git a/static/images/docs/perf-test-result-2.png b/static/images/docs/perf-test-result-2.png new file mode 100644 index 0000000000000000000000000000000000000000..147c9870fc4a2d66c0c8837cf4e2564ec28f0ca9 GIT binary patch literal 95896
zb`)0Qd--@QBj{GtR@ivVy+PSsmH10a^XkC}_Ck{ls7c;pY#34t%*PnTp!y$p*Ktae zQ&1>kM@F=X_3dI#8#0=qyphl5_&=EQuYJ9khj%%V-oU) z{8cU@N$MIYZj?$%zYrMlSjl_iYht_WLSc+M2;1v|yAu>y*E4iUY_baUieoK457>Ua zJj?$sUY55qsR`K(M2LY05@w(IDK1ccSj0k8T2bPVNW=CBE0HND5`?{Vn?9F9;N4&M zn>zhWxY?~Xu|=J87@Wlw_z4A5k}kBb%Z5>#Q8}Hz^p6H$Cep<1;z7(k^%A@G%`S}d z_VkaO>wZHyZcji_$Ggqi1O8c3y;rqP-PiUHwT?-MCAs+k)M#RG1kmNn>zk3bcYjJz zAcG!BJN+BpDU8SP4)&voH(YcJmD8z8hh)tA6->52QLoouPVu{YYc! zLX4?}uHXS0y)9qjWn>C3_EDyfEZuw-5`fa(!%7{{=3;|3J0wqNDWm9k#Mo*lUjW9{ zNi?^uerAnq_bJ%G znb~7s+cZ9UzFq5X{2Aweut}O8e58l(6NMU>=l}${3H~OT3r|3g0wow+xE;3wx;#GS zEL5QC7HwwEA>{G3sm5!`8(R*kh7xg~!z^b%5=n_-R+fG5kLAZ0eo!FD6Gp9Aq6bom zkD@vVu{UtuzGVwjWHjEMou75ihv|kKf z5|mr`I$={m=%0fU#ijw8_;UoOQ#)!aHaO-Kf|6|3kb@zX#&M(MO29h?yi7$9Em5oW zN&r&DEXT9R;c1>y>ge7!dmz^7`Ij15yFMwfV~+i%9?4F{1UM1-tcp<1tiM$O4PF?8LM_r}er-zd#(o zC4&J{;yS55!m%Vqt;4(gCu#7MzW6g2*mkMgZR7kl0A8s~o@(@|y`$>eF>hVMjgZy?9PL^W12JG}qHCw_+ zJrkZlhYIi7I)KK*sW|lCGHm6<9OvtW;O_#Kn8FVh_0CAi#F7GN>Aeh~P9xR@5bNKc zW$T!mhtUOw%xk6{V`yRFnKUZt0=pZq4BMeDQ?M2x9#FI32lg~){b3)^TQ8DT84WX3 z>!ri}2lhi54Rpr751cO#l}(T>S2LMB&SvA;de{)U6@a?GO9&ptP~-K{%ICJBag=Wz zUpna1RRtPtG=W++^;Gyq;GqK%IV_)V=#2$fo6QU!3VWk#1Pl!%_(v%=o0-~EiWGmY zwh3;JGn$q~P67DtwN^{s##upF2aTn?|5Xu?y zyE{)Chra|rk%6eKY3q2!UjN+Y7N#ct{2UBTp`_(jhg$2f9R7xAbsBDg%baO}OVaB| z0apUNdctaV5;=mePG!fIs^IBe55~fa1s|hjm92-#U|$jX07m$_KuhQ^QkF92Wu1QJ z^ISK|IYC7@u#_O(xFE>3HMqe;6BdLGh4Nam?;c_p4%@tH8%)oeWar93I3tpY-57j6 zIbuI-=!!qSYA&&Gpg{K-IbN8%YgY`9vkwWIaQS@0sIm@#^nFJI=qZ+d@tt4R6x;>u zTtN|`mnG!zg=b}*v>k3Ktgl+HZ#P@Dq841zoA?iToTEhQ&t84t9n}=}9D91W%aHGL zw!YwhTyv5l!k+YXtt{@8is2h)#^|Zw)%~W1TRd+Q(HyZcFQ>CEA0T)n{`kaBBfs7L zEddL!k#n^`mC|{o%K_AKg(XCcwf{!r8?c_WMt7RK65O;eo-eI%%02I0C)nMd_?bW3 z^sg)~-Hz=4u0ZsQ4TM|meP;Sx7`n6nqp><7c9)sdUygft_1EP5RQ3MoxZl~dD^||M zF^y!4AJG{9O~lJ%N?()uId(5X_)#l;sQ4o`oBcAs_L6IZi#96|g;K2p(mjBA0xp;! 
zNZfs9FH2$zTIa0bJG`Pyy`;e1@)h|Mu27zNqcvHz03?r4n-367mM+%md7jJ~8;07%-gdTwoDwID9c=)UBDUr@ts~r74e8}29m`oaC6c#yjVHTarIdi?gK+kh4DeM|5*cx^=ZOG&ptIIc*{5wUJ0QGAZ zuJe>P{YqJGigz*cCr?i*UJ5+r>zhx*MFd)B1=DmL?lM~}56MV}(|0tgo|A5FI|M+C zZ}ViFU=V{nl7fzkfdoe$NLzu{?_(`HM0X!KU$q@?kMxv4gp}=h*O>s21iXLCr}+8p z5b3EoPjY#ku%#Dtc@?^b(Ng>l^I%CI!5qjY9j_n|LaB+0D|-JPE;6HSt2xp^CE# zvZu7A+G%-yGxRJ;R$y5pJ&<}zE6W-+dV3uTHQOfuKf)XgOYUTGKDd}g(%WdK0UqtZ z#vI$-kKR`??9+SuNhN=9(G|*Rl1Q27TlF+y8RQ=mMGQQX?N^8U;If#kfwLmHN6Hw!CP~{Ud3wqxd1tuDH6gGUTrmUpY zJ{{X0LMXV~hQl}dYAxJBG zE@0F~3uJRcDM6Ryw7)~zcQ@)YIuGd%<<092&4JfEQdZs%J+GN|6sC^D`bZa_@u`e zE&*0UdrQMaAH=NEOHh~m)^k|k5v0|n9rCj`ubQTmHcNE31d=_|*tBFxJ3JH(d9@1? zH7(tnwVy*BeQ`Z`H3v1d7_Pim^adk=I(al_q=NdMyycdFbmi%n%9HpNpoX|`fNG~c z`q0TjUD4t2=N7i=!>+65lTCe_kFTU7N(zUl`?OC@8ZDN8y~wW=o#7uoGzC)I3UC)q zqa|P_PG3)Srl7^JJ)sGLInPwEhyJoh@j5MeNPwcqttw?rqE-RHa>RcZS|v%xM@cwl zj5fi_PLn@qd0*7lCrhX`w#b;y0!-7)W!zQ%O`2lRIQCiKvTZ4c&?ieHcNo za462PCb+O#gi*{9CVf!J9N|%*Rl?RT`cV{i4T6%BK@X3pQ(lb1rXd={{)aM*3?>OA zt!S&yU4})~Q|ZBvRDM(0aqLz}X=%J>BF@SF%tVw{Kt4Aq!h4~-Y#A{ECBYgE>&Mv2 zDX1V((m&efk$MO&@&;=fAQ87*%SGppG(uHnGr!h_1V{7`gnF6uto4)}i3E~mrW3zb!){)m843*3GDF-3q!(w3 zlg&eU-Ad>BT7ujtJSRRjtN`t0lY^YK(B*yGroQosjvI(sh=~{nyz4`(-FA2q@@KqNI3@+yCcZYbcO)U<5BS z`v0;H$`r(5v}(#SRR73vy{=yW`kRn|l(Dk5ruj5mZK$UT3jcS32*{hN)BQ`d?6^DC zkni744it*K+I;!iO*ks-H`)^^xU5;IFchTI!)-MJf?{$dB{7ye$J%0Yj*j16m~YEf zw9MbT2UDAY-<^qf7+uHCGydlU{ydXE4kTn>9a|L#za0MdrGJx@L*ZT>TW5iXe-?K9 z;{cQo{M=Fty{h2<$FZgQ>evdWG70(L6&Qe!EhVekad)p)->%gCzprVo6iiP_ab^4c zeteaFcL)-ae=3J{vJX0P3?_rN$;=?$fYHB7G^YPuq9H|r<)+O5lyXGpEOS6!JRaa^ z9^eudlVV&XzK1-I_QxXw#U1o%Fa98GO0zpG6yzbtopci@*QKiE98@)9dv9RI{D8A@ zO;hFVh;PRlkVoJSb-l38#S9xF%)_Vw1j}(9`0rOtLG#^=%vEo#6xh>tN;=NJ=nu;O z;~MVDgF6CG3RFB!n^2#p*6Vrer?<2xTH&*jyOQ$dYlzzMdQ?>%o5W8*>)_EVz%WDK zCj4PabtIM9P?VP5X3(l32k7a?7_ow^zYox4>D>`;%A|Vv0aHsGS?8=H885TblCZ%a zW}Yn0sC?aIbSh|ZOtb9M&~4r?uX~;~87hTrn>`=v1O?L(S)d!6S~K<6DxmY9rezzi ztpPf!aBwhRz>=J`QS4~vBll@BA@PkseyhU`A?%Uq(U&63g@V3?U0SF8vRo#7>c;)axCAvLwJOukv5 
ze*#&jzX&E>--}JDk_;!AIGs|33$wD`v&GO2MIE2IB$_<`NIlh*XT8{rh(H^y5A#k5 zSMXVROH6g6F)N9lwE3+w5;k>nyz|*ae#q`(<^$JKqD+Ve?mvbK=(71QqbxmbvPqa| zT4+8mpzwci-H<$KKG(@V$g*;MWF}m$oU&v@rT^IGak)EbSO)ZT1NsfOMpj(miCPHv z9m#xw1>9V5q{yM>g%{tJbR69W-$t4fSLt^wGoJU2Qk5W)Lb+-SQ}eXpaRD8yvE(CQ zR%Oasiz)i_0dvuZ*-~-7#1=uP%>e}MxPb@9r(Ox6MAzfR7RM%K)E5bE%~|Y@rrQKh zuvjKYzCL^hU(% zHKyc}pomUy#?8g+9et!(isu8X&6VqPps%`2Ui5dQg!tq`ibEo)G)460E*qG$372oU zQ!W#CZ;)-?6G*mkuX59E+(3nKVAM*kRQr+9f2EiWO3b(&)X2fgn)~SGar8c{b9kl4 zb**Ud9zTqf-5=`%o>2ET*?8Va6Et~Va&enu)vr=%$ni<;)e9A5FNxl;qLr#0*UfzN*Um|QeyyvX zx4u3?7rydYna1_K+z+EA8RD#;dD;WABUx!NBpD@P)jwNx6y61$gP^un}VE-tWv&=Az-J_!_V>IJ#JqLA^$&d2RY z-fTTtmL;^N!#aCpRDiWEiN?qOIe!4^yT&;Alprs&-$@3US48FhWd%_q1YCqTq3?#K zXYR|@rC%{W_l$~gxK7e#62O)#{#+ccv`ivRLpCEeA=MFSw?rE*Hq}SP`-e!5E&>Sq zCJpTvu4>6Qvjwk)qP;aQqFIPrb)-wM;?^auDojV*@V_iC1=#HPNyh^hhC5f|ibF@r z-az~D5NXk}sGc6}5!aO}ozz#yC`_Q~3|hIimZ$QjBjh&5REkWDjCvap;`^&Av87+% z#QR@V_8zM62}aNs$vMnmm49@q-v#ppri~-<^ejc|bJ>QgA9dc{cN5AY*%6QAW=Nu1 z3IM}R4ThMT|Hg0$GWF$hPntYf3)`UckWgUxVOuUt`iq~gfGZ=oXfx~ zu|(CBN6vwKH`7v6U(c7Tl4{%C7K-TePpK2!%8!hsE#i6hmvB#9I2;;XUAH#1Jn2Du z{TXBs8P^zfb`fTH5MDmCXg4=EKR!fAaE9yI@e|p?BB=WvJ~0z*R|@{bq4>{)xOzek zVib>~>gH4?pZ@Zvc={#kp*judj@dwW{OCnQpZP zjg9>eu^C5(t%l-ST|^Ymc`eF*p~O&gr#0h$%K&%q)C>0ndz%^VGWq+^mOLDs)~fAT z1L1VTA((Fg0zraW+Oy&AIU^~r@YP1a4Mo}a!p*{^?Eo;|@C~Pwb;i5@i2>()goIzX zm#uyazWwFd;O$8L)SYl@bqK4F>F`jtRsTXYTU|Um9cm zV%weKF_mFdPqV}@J;`IgzomU)w!bX8!~HLaermKKPZ@_?_|cL05Dru2YyNeNvLWlPJ6&;=Iza7;HUe4_56wk456^9DI1oiUH1JLx)@``*Tl^{)lBR zSzHvqa)`S(3C!@-jIyz7`@zB4q#di3D;CEw<8b>cNo>>b#=A9T|H|Cw`kUYVN209=QB^) zR=L6Ll0Fd{l5>oV7L&kFijl;TIE$S4=r;Qq;hn)KVuLw8yYFNWI-~NYIF7tDek^x- zNolrVLjw9mVwt&1#E;UeeS@jl73kS!VO>;RFP<3+-L_R*k66e1di+e0 z!b)FXa#j3^A7oeS&yltIy>R#BUCHyn63ZLM5_>=)wp{FNxioR!8z~r&~m25L@Cw1ay{}G4i`_x6%&zBxr1$y9kkg`(p zJETi-+s_Tmbcca%GHqtfbr-iQPz(9iT+Heu$^0rDa5L*t{jIawcffie@eHZ+m*oZ8 zd+SS0<22Fqi_87qgh8KFtbpsG^D|y`xVy^udx@gh{c{Tn%>roe)I>XT8PQFIBkKJfL_zL_xLqs-YGs` 
ztAwK+XDn34J~Bq(iiABhpZ(dao%TI*Im%8r*g%54bJ;B-c;FsLY|W@nv^}XGU{B5j%B{(rx-6U5mSQcmC?*#N}Wnm44^({J15N^5Z!%d>(JZcw&(HVd z?nS3QL?xd6>X!3(a&GEH1X2V1N_`CXnv6hzVGBBzCcLX7;9+d_%nK8CtR}qM>}63R zH$Pl&7i;R1rLQt|HMpUj^HoMyl&iyxyJn1d~39;k7YrD-VOMPD#&0Eu+7@gYBQGb`#GD7C- z=7Nw77i~&aol4RXy=AiSis&mz+Rd4%w1oz2gyBn=mWib-k!7txUy@-aAl;z|}0dgcUz_e15M7AMV{P2Cy~i&_f% zI*>F=&w0Y2Ed4{1tNW6x0v&A?TU-hDq2LaHX!o1{6QDUO!O{e+5ozTX#$^|$~*4?h=q^H{KXnYOiA%6PMULCk9T zMc5Czvh!h;^qa|I5JrLJT7-I`lf4L~W(mH}-RLMO z|J68x0#bB7b+XN5yF%oR!KblTuCRdy_D-h*qspFqdPzw`De3P(O@dUtLip;Ff{2q* zBCASVY%11&{=MI?zxCrpoL5-5NbfZv~ZM5{@Mb6yy1f+05!}9U)le@3*r%DG|7z0|M3QD6d=Ky=cBBCU)JBN zLrVny0x24m@?UR=C4q)LMuwFS{|oH=|KCzTzXr6_KyaFqx%tc< z%P)H4;dCXmJ&>wJHf#R12%zKO!BBMol46X!2B-yTvD~{$@1-!P_cZeCI4y}iPVrx zXq=qv@8+YuHOY~@T7K!Tr@MD^=ug7eyO%VYMF0Eh zMBc))DbKy}?B5YUD22#J1jQVx%=>5X`+cRTR8roJ^Ej({w0($RP|+icNY-! z2rVZD^E=wqwTJ)RrxSh&7rHtPA>{wa^lfTwWz{Kkf)wd#y=;asj)Qw~dxoi)Cwa4C zMqIZAHI%US51dhcrQtezp790a^KJ!&y~hGCN~95mFz4!t2TAfB|8aXrklXY5=oR6A zuO0UQWM?cE{#O<36*cS(5(^*VKmYFU*YefK&PZEow)ywNcf&z;#@)v+_m;z7FVMP( zt>L?Zq|E;)lAS|}WKT}(Kl%6CInIXcj0xuqt$$w~%{5rM=Q^qXBSHT^;|SzW;pkqx zm=I=Wq`BfywQ8L*H1yd>i7Q>01jQxvXFvSjPNT+tDocIRv?tSgEzP5Fd9Y4kt7L0! 
z?xW7!oyNMvj>VDBEpmbk^QFV#&aY$c?^6){eFFRu?~ik%7gtwnY}ajmcJ{Ogrp3&9 zss#1e$IaHXX0qDbRONSY_3(%>qN2O5lc1vAeE&WO_IA!|;#=2y7Tf8@!<^y`zC2Gk zY571$Ol-W=+crP_r79+~Mh8!q1h#Gy|K3ObdO>{{n}XsZm1Wy%alY58`8}yoBcry$ z<=E0zor(yr&vlG1Ff-2ae-r(?S7AkgRy8&K*%7BMut|UWM2c5tQlXjV%AMBl^83z9 zMKJE8!{Gg1WPjX0{u|USE$!=@c?G&D=T1V;mU_2Vquzy~>m|_g{z)ozcbfO#zw|Tm zphDEel22^$$S9}d!IJ&2x-MFii2mZm9((_R1AabtS}kW>S;m;EuONkK1i zoA~W4Mtzy>qs>t3CH|kwnqC@AL{04mOX@Z^%Tm0&L@qLqHb&oRum0q(t?&-F!MGWO zgBN6jPt_{i)X^z&TA72M^AC!F4RAc*;Kgg@*)+u{^xZ55_ILfhg~djRf6O_|`q;kI zKM+i=w-7Tl+(m7UmKCkmxR$hc^tEW*)b2K%xW=os@>n2pXClo`TZ-ynbmpbWrw9IF_^gMU@oK8>dmrH zc{aTk7FQPz_2ynR|LOG&s>wOh)+3ukej8pqnb6fCZ0w+t0jpmHc&a=^H;ojI14gTm$cUic(y)cBn(kUIucZj8Mc-LErgo~*y8F6Z}l20+Q~h7otlb0 z;4^+fBBGK*!SA0s2KjIt-O0%sP*pCxUmKe$h?`84Tcfhqta<9cDCpqyUH1BBR>}GE z6QfM0l@!~fEz!CoukXO!C5dPJn{eBCLgB@@U)42&x>aj`C_<0rNskhYtYF?ygymdJ z;TFFWrkK35pyriGb3r~T=wC5XsGHcWgvZ9LXS0({W2!LW#~^8?EjiCf@Zp0Yyao5` z3M3gB=Mp*U*;PqU>>D(3e{G!I$PsZ3?$$z@X9uOLQI%E}XM$FvVfE%?mTaS5i8ocY z6eo|a;eW-KP&&{j&avkJy!&C~8>xqJbj{7nZ)#BGTaJHr>=@6SrxHvV>Z@9%xM!tS z(;M818aN;s!8k_{KJ?F%;42-Gsj;!$LP@UUbf@;3zJ#cKbHMQZs}5oHYyOMltoqz^ za83=2qr(4r6GD%chVf>M4vZ0-@W0yt>w zRKTAJ+FtDWMvFYyi&P0c5T@fLu8IISUP8aEw?3jSky3U_Z_?fU34nizOf5~d zmp)~Rot&8|Z1JR8;$4pkBuiVR;(G5?UR&~r8hg@L?i|6HLm%4{Eug?3V>Luimcfdh86C&7BJ4Tz&Z~ zS~>2)e;fE?dK`0_QQqc&X z6Ae$sBl5lk3F&7Gy;oVXEVW4lJ_syV7biK9xDF*AJM|vu2en7+UcuAV2n8K=canNM zxw@}HmJ9S2iIO!`%@;=-pVMvJ+koQSL|2}zP=s)$+!sIu`Dx$XCVL zRF>EeCThdffFBY{c0YAC2X%xoc6S>a)2?9@ zu3uHp-Xc~q;Kl0lNN{c6@Yi`PjPwU@-^Z^26S!P{9mj$Ts%!o_^ZWyMWkbiDi?10p zb3D?+!TpfhNSQl-{sl&A7IT-leAYo#h*q3B>$MopY1La7U}n?-T7_A&LhJFC?^F52 zv^Qpo1-t^mgXasl=PIC33nipF!FGKw^h#e|3vdAAYP`^PXr~=(Zi-dhe^%*0i$>F# z-|>W+$kg0iJMWI;q$01jdP{w0=T?kfTrFSL{pIq8EyuuXm%~S9IWOeqwcH!!pCaF5 z`?^GKK|eH&nY$0Y_D4B|*_j_-K*?bjI?v^@Zr3p-_K-`x8TQwMUi6{+(n8QC&-Fdp zWN%N2gqz}i4GcQ1?ec!An>UNqIrD>U*ce+a8JqzEk&ABxnmO{>m{BCCXT83=oE(Vi zL}e*J*)`ALNX*S)(V2anfcvY~05{{?`>k5GN6lud@|3G??Oj^L1&Gj@D^;t8p>6kD 
z6Fix;liHl^7IGRfwO8}*dlOHXFqvGbH_bnX8CelI`FjuUJ}7ux`ZCll-7TpuU72E} zEj2}vgOLl)gk&mg&O;CT<(L85##bq0XS2ByJg*>QbH>?{C7vuzT2NQd^64cakS__*M zqY3#IUbmou1Yv8U~5)$eQ?nBq$%{GT6BaXHB{`evXB?M5x58G#eW>S7)c!wLJz*dps{6 zNsL)L&;3v1rR~*1LIi+gJj-0?riN`@Cs+XZ5q{5csI+f3)RE`DKmB^{zCsl#Bv*4K zimCr(b*RPRA$I4^>QQ!N8FZV=nD$JuIZTBAWI1EkFyO9LbXFDm_eoGLD^kBV>F)>l z5O@98x%ac3LxU`tssrtDM!`E4X=1^MPi+9pLvUAvDbeqH&|1)SSY_ z*o(GXp|lN5&nA_fYY(6dLp8W{^^{T82%h-o=g%Q%;rq;w%rdI@AXl-f zT*6gKtC8@-ER=UYOAKDOy(monv`Jq=>FIz>hUh;YKYjq9q$uNs%7nwyU5jmxDUR|U z47M|=5%pi-pLa_gyY{qmqR%Mk9Hwt3P5obtpuH@0OH+D(l!5h9ch1Jju;dzHjKBkv znggV8h*}wk3D|dE3D`P>B*%omqr)G7H$rA7y$Ex0LI9_FLBvw1BLGh4-T^iy8!Afk zJOeFqKzdPFQWF0}dbw~72^lMomooY1gu0wbb1+#vnnf$ZjKXaEDpG~!IEx&<9C_n4jb@;utXy-F1+JLg; zYlyJSKO`1taR@8SuL$rpvFKiB=< z>wzai@fjH_U0GTDskg=-FJ+i-rfyv>Yps6w9nOlXgVVlm=1}772=n?;M}Ie^-}^Yc zI8KXJeW2Jso@AzVDXDO=;&npDTCnbf`d&AEe8t1ZR3 z067OrCJKsi=uBZJU=_H0Yd@-0q6`1_UkB7FSvyA9Fc$7ItpF; zwVa(7jW-&-Epyf~KXSx5OlMfa!G0*z!J%Zz@wmQYb4)tWosx(BN&cAw>kCtZYHMz@ zJ;9r$bG3Lqla+Hpu&*s})PG)Zb$KqtruM_tL58akmGEn${%Pze@=_>1Cl=_!@spj3 zTh$S&No~avh6I5EX?0l7eF;txU6wMC^@gR;tT%#6`3EvME`U~zcQ)->JfC6xbJ|FC z^X7_ANL(FH5*%#>OYPAg^7Chcl1_d^v{RKazViRr6(ZCW+e@0OiPhn_GiJ2QcJ(D0 zFLa#km*dOOZL=6X9+@tR@U{xsYM%cnIiM{rAY6dUaDq7@Yujr1qs0V`gJ-zj-znWW z+@dWqMVbc>Am`hU3uOOV4l5$zk+HALovjZKnM32Ngs4ID00Yn&*>#(Td>1GEP61M7)0XB)d#er8!!DW?SB!E;cIwS>=V5+v8!}c zrY=j9sezyNdj+*^J$b{pbgF*iZA_`#F%TUkc)AeV23P;19EKJ@hQxJ?)%48(Q6QuW zMiWj1bEBMV)6s8geFaV!XNlHbl~Ahx`GT2b4^r&CK=T2UU~azBTd-P2*_nGwyTkDG z8l{U;%>md0i%;f4o)1YJ*1z+=wbl%f{)+1Et(h#rI$QI{zTP~_w=f?#%C>gK$>@7A zX5GXs-t&JM#)QtNA@azu?8tTg{s8uXncbi$K^TUozjG{&bp(O8bME;jFJ5~7FWo_) zaR4I7v}^g^hN5?K7h9J7WMKE2SE7LJYVjL76(_x={A8UQH{L)vF-Uj){dC@Q! 
zWayO`rLm=D5ts`N)rP=mr>ZsG=Mjs0@j~PwK%b|Ei{{P)=mf&9p3K2Gm$Ea0My2ta zViYRS-HEG8cWmw*d^4X-sPqouaSI!y%pJMbm<1+{e8f zW8eVV>tpG&R-IVK-q1;pFct=;xIn8r2r8m*lsDemw7*^S^5qrScM6MMX4}u6UK<;J z>J)f@xkZul+Dw31S|hZ5^clQ=`};Seg~Y_xhLUWU?cdfodnOgBr&J|F<7u40&(6wM zj!TSwnM4N&2Mdml-LRh)=GZRGYB?>?Q1zZg{X(6)vMKHtCjm1xmGV$FFT|)DC zU)$9+1Xk~MM2KZp7exY~T7AhMvkKAXLg>xHajpotyciD=*E5#=x8XalQ7TI2$^Sq10jJ(1OhD5>xBtxZizm&}!Z zyZp?#35n@l|H8!D)aAP5W#A#TwwS=*Y!fB zR5eBSK;5*SAywWwbb!sTjwd}ZSX-QoQ37V9MEKh83a;Bew5p?H$8b<)t3ZZ9_oQcB zcYLRw$b#?BxC?TzV2Feh{|4^>5(2S!P%_&)5m4nBFM+$g#gX6%2fTs7gPwXZsv0#V zu$<{gHIQOHS=D1xaeptBU8h0zs@jqOFA(8*aSLy}S1FyYep1{hlVhgJm2%+_X&FMq z9rgpv0gS(boBT2k0r!B9TG|~7hmrR%VGJf6%>%hr?T1VP1L>^7anz4Ior^o+6m3N0 z#=*sr;G_rmt{HfV_$Y&7i8rPn>n0q_vr{o+MyKeR@R4owc|J~kJAV2^p~EIWIen@y53>Kl zbWHBp%LkackQT?Lcdsie^NpV#sgXm{xkk%W^TYu@I8(N5GeAP}7fA`@Cv`@UJp$_*FPMpPaus<^ScqZqLW0!+-zHteqVW4MBp zlZ-a3^x~sd2s3T0(k;K|>lvGOt@EDtFVeiMZv^zevJ7|9Quo?o!`b}`)_2~w1NkJ+ zAGg!;JHUnYm4R~DcCLah4E%_|qH2{TZ-V9pV-Y{&_)f|dK8$O{&cTtWonrlCJ;_DT z@TWPKW#J^(y3SHDKWqsj?IlX@$+*0w+P6zRqx^Ta#$o}kU5y2l!fzOF!lM04>y_>T z$8$-Q(8ZlJ2K`~D_Rn=a7mQA>o)1Zjkq&TJ{B8(NGH(T7{7@PhW>2jIbL6bpIob2) z`dY+JrpG&mJ&fJ5kTo_2mSwtNk%2xCdR~@knIS$R)hYVye%V0w znXigWVlO9}#|eu(f%Ddq+}0sjGuWKiRq2zFyyLMRdr8LT6H^K!^&SjKXRf_R8K}NZ z-8)c@GocrAd1QqwVbMG7OHqY{*X&z3nl4P4TbFfIv7}ulqQT9%_$!R`9_ms z%41UM&jJ4v=<;d@AC|~I{8M}$ zB{#y;UzRQU9mPm=Pl0I*a2h40Hzqx)A)FFhxl8XrC$x63_huW|>_Tk@3>lH3j`oX* zwGlV7_R7`b9{Y-{{pP2%IFlLGSf(x=oL1s?s!Nwt)+HXnhlrN@2vfNmZq4wLODw@Z z6}HkSOjJsRlYQ=C(cIje*PXHTe{+gJARtXXA%Yw> z6K#O78Qn3b*3j*{jN2&Dh>?kzdV%iv^`+)6SKIMtgliM7w-)S4Q6cv%w)9F>!npKi zqEzORpxjGPIMWcq5(K|wu-Pz7C#THK%0ynBctjX^MnsA3yXBOZcoR9pp=MJWMJ^l2 z)J-t&%#B_%&`DKiGrniJN96#~ERF1qjB-HP-6@#-04vt?An zIW7~+{UVIe;}gt(En)X}$>M=eY*3Fz-sJ3|@u8mj`4&maIu+-|18(xaNX3q&E&Z)k zGS~I-bZPJ(n*w?ovlbAydo+v$7X$LG*enE{pmU)Mh0F4fVDfr<&ZxbGOwWj&qAIqL zNs*MVnsuu?Q`9?sy6tjrHr`{FV2)d#D|l{WVt9mavnzAuJ^djDS}TOO3;%{2510wI zJ%9}!Xj+7(6@PHEmjH|6K=0;VWkR_Z!X*KZ-Vy4OZ_zz@G^s#Sz)pN2V3;7cx6kDe 
zg|ad#MC*IyMQnZ{I8X_NRQz_f>Nf^7?{t1ze7qUVc?^DC2u8v8&Y%FdN9X+3vpUuj+aURrpF;@MRc$LPySVp?uDj5u{nz=0b=6j{Y*FgraS$8oW0!;rCn z6YH_6%!`BmI&-e*beWpH`%(T#=;fPwF6T_W3O4JXLsMWuYdkH0dQ%%8Adm)JxbIQQ z*P@>)8L|11WSx*#XiuuFiG4;O1DbX@mo9=6>tctc;7IsmTnq`*9LbinoWZ((j z0?7uOAvM#9v7L@e3r(Xa!;n_ML=BP@kF*C0Xs3f%UocK<#T?w`)sCM-gAj&`ogI#a zA*hTA1qX7P2ZF<;kC$@f4v`9KTnY-{t8Mb5ZcD=54yh-f+dgp0V>8VBlVHU+|v-7_7~4ZNG}s|>$PD;JI@k1-542fNe}r!(-JSng zw1WFuMu_Z1(~eR%i|do6Zf( ztwl>HBf{O2;|h8|wnsWU_z1n!i4o{&nki-K2y=)SeB)jDe4=x!TyND|@D-d8P8-rE z3Ph->@a}5x!Z?%U!Sj$XLHRli>Y4(XlAInwR=7kHNL_QJjaKTutPo2rcLU4COS@oU z+IiX$nX?Nh*{Vg&aAC4z3CiMyW0*KbCZ;^!ApAY<){OwIs;JkPXUUbHY*i*zb@eHx z4*mSd)gK=U4^iGM{K-;(`Q}^1p##j*O(S&=J?sJ3p6)`)n&z8YKOjd<8<}J{y zni&!Imwq%42kSUb%?qqi$+u_e2&4;fx(hu6RBM1M`+etkg-hYhh!jCR^9b3MCx=$< z8SzYmj-TZ~;^#e#iT5jgAlG)xnS!&6l)rjyv+N}myWY^l7tzX)?1ys6opci-MP}EO zJVfRHMl*Y4v=yk{fcdLmT{S#uj<{~evHBe)*R(F>=4fOYwf&Xr)ZQO|KunJV#{vE) z50mXN&_cJ5wdLFYgb|h{w9fc>0VccpaxfS1Dt%V!XKCgL?re36Xh^8*ywUJ1LLCq`of(!=Zv!CcrOV)mgylrZTB9+Z$< zkV1^K8g0NfdKI`Q6}p9^`$Qs1M`f!?Ph%>eV|i$9?tPw87>D(@1EdSwGd>Mi`$Z*i z+!5V#gmnS=Hex0+#vU9T^yZr@2RXwGO!}lzNYKnlg`Vk#lT}yuLho^iG3?Y*%@>1< z7JeL<)N!ewPNqGmb$1p?7u)ni@N@h`aPSdPukd1G`!>LWx{nup?-v4IGeD+L0B;9d zW9u`h&D@)NEDSLyI5J#TD;9@C+pkz!eDSD~Tw6*4KecdUwlz=QT&Nk+!}UY!3)RjM zgT^Jc>-XehR(GezfCwnrcDg%1HYUc+=f#!XjV(g$j7=fqDPyWk%#E_0)~Xrr9_Kfy z4v%GnYIYXjH#>Ko)j@{mxW^ITdSFC}L*m!5OznyXoy+a#Ffh{kC%_rU`EgR-&GwFt zpIHj2nmdU(#BwpmH5HvHyW0$XO^fZ(4kfz#<${&i^dKD2-Ni>Kyiw>E?cD-(dKBeu zWrLXJZu!~gZEx0Yc#^|VMCxW>7x*BNhWuGhZr;NuOy7NH|9yZx*V(!L$+6=k|4lAe zi^ef7Cfklkhsu@5A7!W67Q+Dv-ekHSEAl_(_4e0pO|+$45T$UQuZIap2%?R4+UVow z-JFZS`(3W?CB)H9@tRyfutZjGsJXXb6PO+s(Rx!Lk>Sk+)I{cUBDmvEph9&sY4@Jf zlZ^BfZNdEDA2iXp9~xeaD$Ktz+eQ0!IJ&^ug*hn!wU2NKAeV#00A(1g#Wwlc+U^lBP`vF?IRv^_T_b8dGaQMDWSAb4k3@K(WmVBhBI(dvQ!?_}j zFWk15A({{>4_oyJ8=>jM2YNAa?}x`b=j|9WcAkM1A^N=3TV~DdnHCL8b5m1bnW`Y0 zDGi#6RnORqj`{%GJDb+0IyxvFjjGmpgSxe~a)z~=hc)E^Un1yow2SUBHXJwqqsZh# zg=0~)u?QXX=AGHEdSmsxxQAeH!r5R($Ht3S;-K!vl_->#4bCOCHOY*e=Iu{z+(`8n 
zSdD>Ax#oa+wDT(gPkVVS=3YDs$kTQ!e>IxYlY{ffDZvz|NbIKz*1SA%`f2Cg3>lpJ zlHpJC~>4gpV_X}<^^>;_yp$v;6&=WXy|GKmdFVGLMOOV0mBdKqve!~ zJ|*fDh4Mcxa9p~9M#M3M_-BBeT$?W1f^gB&)Z_$1oS&b$Uk>xGzluS2e|0$Hf$G{& zO;F0YDu+C>5X=rAkDh`GyRk9w&tK;JGg)177aHXl7f*f46xc)&^rZ3D$ZOH~h~YqQ z4jTd)J|U2yGeP#a1_~8il-oUGyWfByyOhaTX@4sKa2DM=DQu){BrA9^y+*FJ?B&mNN;-@%fJo zRXmVmQ@I18>2O}^ii_Kt`8uAUk(KK2Bgk-O)O|Tt4vZ4uGRSzWVo+J*iFt{dIXBC0 z8AxdFOjE`8hH8BRqL2-9%!CAiS6lUFLskzI*IJ~DJ^qS#r1h}pioG>QFcjz^ zxeUy&WIc(UqeV!1I3wRAS~FN>YRpf=b-_(!0XnP;H&@4PlQY#q1TfO zDNEfJj`xf^4ozqHzkU0XOygcP-k{@@C^f2(Q_{wxxD{vl)BRrHfDRrRF`-0$U2-L> z&97g_TO*#S!{YTpgM@tN=haxc{Dl0Mb1)_)Wfm6WYS*-j{~Nuk9_J;k#i+P&7@UhoGMs+xQ{7A9Uk(DJxiqp-i8*9_yMR$02mjSWFDX`$ zB#g{9ta~ceoBV}9BUQhGO{b`Ba0!%pMA^Ou4}eYi2_o3EoN2HCij?Lgp%G5$vV>y5 zx*F7_9EIbEl9#bORT(iCg59sTM9KZ$E^~p!RJA(m1O2P*(O1bp97|exP+28}GwM$J z`3(ZWo2yFNj>@HCoF}dm=WRp*Skngep zF-ZQ+UXY)wEzExw?@ z`KJnq`+7DfB8IG|{T9dN+L|8XMc>6ifxL*{=pE)H_#TFPx~xoH`@XG6kk`ZkC-mnS zqH!f1ou1Cl;5UyOJUqhHcLft_zltG6OSPGFl$apFEaRHW${)0Gbvfay!N$&uyh5u= zCpG<0IIoGn-4I+L+(DFXG+5Xlr;4^VpBK4YR84+JTfMNHProX`xdV17e--?-AmcDE zaMj+35aT7cnHRJXu6Y^oRSs#CmhCJA*IBV-pY{3Nmt`3?c39LD ztl!R~0cwnxU|+UrwOmf#44}*GWXqaeP^q*bziC~XgB0MW&-TMou(qBA4zI?gsN3&WSPRC7^VFHz@Sf$7ookaN-lNV1}2;ckLXf!_M9i^Jdg$q zb-}gtx=+s`xmRfZzy_2x^VcC*)2<@n;KY%S{BM)#+9DFa0=*9EEg?_2X zg~ICFwf1q+vw{`JfBg;gXKK)w!i=J4{-H^E(-yU1G;d9MpS(F#^Nyo;`B;@Lner(a zB_?Fff_OwFtzm`I_QxWqli?%>T{a&~(t^6yFd)7XM{R3sYnvN>zpT1{T`D)i{aUQd zYyb$NwZq&iF+GuYBu>E81cc`c{E+#$Y&^L66dx9YxCf*t>311+RVG&4=;k;TzswZ~O?N=bF`1=3Q@m?F(AKNs1y;x2DZevFP87uAgwn2o}5@WlJcwJVk5Y+U~w{P`uoci#z@=& zq(A!%TIupmD($0)4an#bdu%WXYNx4G6w&o|FAfd^x=^>B4tXL!JJE@zlfeXBPTRUi z=R3`pj!;)LL}b6pQm5F=-i0a?k%g5LZ9hY|9fFCNP4c%<%m+yXJmq;iqy%ld9r+Gh`-9mY*MY)THXCvkjEjNn#rbtb;jpe{wVIAg4Yrz2pRcX&F zCp=2PIjRtV`bY-w?=TYr3Puqo856sC5-udW>FG}CF3^QJ1_^rd`XK07nhk?B*ft6J&SL_T(?N3>%>L+OXEuyA1(;w2OVz79N>j(`tE4>mx*sZt_v*fjL@#siz|#0EKuOla%Vcs~~clEyx*doUA(8T2rJ~mRfS& z&u_mRlws!sHoPfy5V6N8`eX11`hZ%B3f+wq3g<4_&D^RD77hk%sqaA*v<4Q2NX3N+ 
zL+>E96Zb`)35hA{fqWQpDk5iht^%1X~3Ix?r`qjQ?kxUXH1a^x_U~bwg zaY2r6_A6ou2v$OVOe&Nx@(uEnP2k+J;aTLcHANa_?IoJ5MYGL6MOXT$rGMN2G)l zF&Pv;`uh9Z29aUJcZh;H*xxxhK>B9#FPx%_rj|k4h4VdfQ#Yf`^s}=dDm_}$W_U=__-J_g+ z(fIiIU-uZLVj{O^U*7Lu8y8epTB+`Ae`LJq0q= z9NQV62&N>~!o`mh{jyefhRcj6&{eNsFgsUntG0!=QftQ>VRD@M4hdtQS+ILsp944 zEQyN3y&q93Y&on;zHGq;#HcP-Wq>B08kwffsMe@~Q?tYfb~Nlm6Q; zuYTNZav~N#4GW{8)X!vlD!UL5kz2H=A@L*-H$)1e>q<5@HWCsqu6y^6_TJ98_Uq~P zj^K){_}%I0&L!+gvKvcjU+Ss2?}*Qm{iMR#-Y{&OWzyNoVAKd6og+jp1Iw-QZF?E? z5n80sn61e|?p$(0r4#5!!R1ecE~h#`4g>ZGUsfLl{zAiK*B?^puW!nK-|S5c`GJvC z9{0%NYiR53$xd9&AY}@3X)3bdxU5*B(j#xRaP)iGnc*1+wu3$(uL(fBE7(z-G)?4&C=-#%9$)>{0rw2`g`+?NdA7EB9;Nv4z1cs#8`I0L#tyfIJhD|Uy@bn)W=3ZqPwhhjG0#+56cbzBO-1eC?0pE4mpz=62TN%6M+R`*#w;G9`=lVIt z?cl&8MooT%6N1XmA=Bz1UTF#GeesE2>`lX=4tFZ%)p86&`x!@@bMUP*;kM!v-Sz3l zW~;DygH|!jyY3%t95DLGD zjlLLEx#i+Ixi+2txI7?C$Lc#rRL^?oB`9osAj2ArkYsy~;od%?jAeTRO%qp!xQgr_ znDtwqBdK?HF`l~5A%|?UD=&naroEe*GkbKs&a$GE&%Kto)uc>ZZiHPa>Q_Idg3M!q zx0y+WhllqfKjFjPxdk7kU+%V;;lD zC*2uIyvfo?q0;yleWUUC1N!qXTK&YMAjh*uu6H~-1 z`L&A=P8_#8NKo1EDATwVtBIP}2r>f3g`+#q2&SFGNYE9iJ{u*LD03&Hu;OS3p&{HsLCwgi0d<5`uuVfV6}NNTY1J zMY_8~6h%O~JEXfiRHPf}l$O{avFW()N1XpZ|Gn$3#X5&|)^WSP?|onU+6F`In(=fd3r1i? 
z*0YRX3d&x#O`t)m+gjg%%!!W&^um!3qE))@mL$Tb>Rk5!&SXvD0Q!JW5~9q~($e@$ zJ{WJvfthNNv(nBpz?p0Yw)f_GG@6WL{49>tQH6I)&HHPNAGTUd=xeJ?BwuB zG|+C3_;)+=-yP!Lgj`%M6Z-&C(ADm5)s|3;CrU&R0BUl?|H91_$7WpeJc6RQ_u2G2 zLDf=3e+RKTjPl`ob93{`$_khi3~1#bLL5SWQU8m&vluOsv{6QcyYlA1SA1E4p-Oju zgTK8gCgu!P3+2bOzn2SO+VCBl?qe=btrO($EX#hfyWe_AiWgsmR+(+f z<}C7=q{XY2M^(9eB+z)xI#>R~ui%UH>UL>nnV`PS0C z{!#5VV^{u3@lzhKX!6C^P1f0+2BS7-jSzx~R<8yw`$ETYKMxEZ3>Rc+{*`E&OO00r z7k|5(KeCl}Hp5zmYcx91;^Y=l_qe8{$!MKrYGm%yYH?4&P z-Gw&*l(7H%{%W+jX9O~+F6@ET&dpucNlnMO%7O|XUKdJx@8U4bsG)wa z^A_OCp-S^I0|2XXEVT8tz7Kpb$}lyok^<1A5Fdgm*51%YCa5CiNsY9<)YAaWr7gDG zMgKTYqlN>==kpb;9r1f7&Rh1r6xM_FOrc`uh0=4+aQl^radc)Dqm0^JR^=gJi6cPh zPDjl9@>0XD`@|EN9nS-dYlWrLs|5{HIZDjiidSPZM!?F+`h2U#v6!3N*cryt58?9U z8@b}bGWZ(2d`mykx{r}!M`+o=>B~XW#N;=_)-Hr`tqe#&mf^8cx3{&u4Gk>-&EC+u zY>CJO6+Xed^X__L+`@htvvD~9vOmKBq#_ur;XN9`^|g2e9~gd}6=vVwoF8gLp=|=d zlqsB)@B)(t6(Off$J&Fb0~$aYp)1t@WO9;{l5F=rUKWkD$&gaxg@TIvW%v-v3$Q>C z78eM0)8bdyx69veGw7~EI7;R0p zjJ=OwJ7hwv`60=dpDyy-hbDpi?cq_8+4uK1!Nzd|jfO82NzE6<`4R7HMj6M%Ly9f^ zGJ~}z&I21gysL2`YW147aA|Iugp^X)?q(PRwr3ca4n>zXNpl&h`Xjy>B)ZuH8HxsY z%S!52H=VLX10F2fuBh>vP3C<%hht`F!oUOvTMbuS0_Vc-N zrsCfuc*`tgCtDQ9vV3XsN?}vaKltTW*XuUJ4`9q&cOIBZ=IDXu13`3LOHj4M+D5r^ zKj?>l(DKD=q38|2R0b;zSr)DdoNfjJ*Gk90a0eL)aMilvFQd^v3PJr6K(t|PZC%}R zXYgX1MNk{E7%zTS)|N+A)=X#`B9Y-Pe0phF;K@=dT2+SZj{k!>hR3bCT*fuvFJD3n z(z9z1qs{BE`nz8PrVF)&(m2#(gp(shOT7#7E_&Od&+1ufQ3G%ZlT1ETwd3%C>=y7c z-KpZCt>L5w>w8C9;08mrCNEf81m)%4AaIMw;qux?L!WvCva}B0ST120n49nJ<3{~j zBIeZmbtu;z%c_jLCZ3d+VIsX#lF@M4SSk1k2S{UYgI&5TCPNJFd^}(nLFXz6FW$od zj3m1WbwN5o&vgncM5w*73BW!<_SuIE%41n?n+aqSjnd*{K$Cvf`qqaPY|l<;Sf7ns z!KHR#BnT3Ifn}KzsDpqNI00pW;%}Uy#c_!{w8T7;=c*0CF)TxHbf)49zXBDX9f-}X zgs)%!;G17tue%7p31bH5S!z{EM1jNsWGU^77$HuV7g^#rn6;6}Wt9@W4h{bR0ErIA zNB8k<_KWs_q*c_vZ^iUP=GuFd^8$ZoRX34w*=(aTgRQ1t#{HNYnmL{08du@f?F#4f z*&jh#gwrd6!Tyn8ifzF#Ab8x1Gboh~T={ubX=5*eV);#d*M0nkUs%8mvhST1H&=^I&^HO zOdv0)7>~aWSH!)5YSkaW=fCGIA9O1$Jl^!q)^z5mG%pcQh;a%*}tUvTu;Ci_2nr~jwQ)kR&hEPNSENAd+gJ| 
znXfwY5I&$V9Nt-(_uDlsUg9P}yC}Ap7L+&+R~ScMfJ1bg5zr>|Y2=>2C^X{)Cc~}w z_xE>Tg~_iT-&CUvz4+p5!sI&rGHx;>@&|7*hZx-xOJO$&G!=!$vO4k+{@l$ogQ?cM z2a@HV1s5TY=ftn%cku^JrL;kS1&W|fpihvn-T|r7ED(RVf-FjT62O0bI{~vRGrf)! zeCSLMABZhbHOiQBX6)|`aya~{$!1Pp&lF*wEohX%a}7*Zdx!c6652evp>Wk2(MyQb zxkkyx^Bo45aY$4CuR3?t*8P4j`RoRYLy}bdxpUEY2~ytSB89fg zr?(tH2CNrQEJG`N00c5R-rxKTLzV-xtmna0meT7T2YuBb{-@Y#OZdjBNOQp zkF+PfH+XHVZ>MXF`IW*VwdRP~x@Qpjbi`%AT)x#qtjREE@x_cz@*8OCjx!(q?lDrF z;k6Gy!>a9TAb~c};e-9U-OB?N_P2IX*;OD^77zojD-tm$@CrKXAC8yI)|U;6w6!+x zR?Nq_W|t)W&6FHC9~jrmh`duc&KUL22%raqkmOW0j>`&6KX;h0LV+CzrP0yReNL03 z$flgjIG3H0e??O^%CHZyUzzl6A#q>0tvX7lcSYL z<~+y4B3~L(bLE4on(22b^g2cv=^C?ysim-&X!71580|nK6ZxKN*j)rm=qN9K1m#eL zDNugN@QIFP?L8PB1)msQfv;(mXVJ-mQNT=#$UG9xI2Qa%Ubj5T^m!SBnb4+KFtVI8@pFdH)S{aKhp!>Nc8c=^Pg8{2o}$FkSYgiAbgI``zmYq!)VhnWZfR9OSV0hMZ@k8Wk=QR|7nk1+@Yx?L@HU($Zn9oc z82>y-{d>XG)V%~ktB)wSA*MSca4cw_2cDfeN%!$?L&A`9_18Cmans2i&RpsyzT)|QX@oc2%Ev!XT#d!d9 z<9-z#`bzU?_PHZ$i7lH{(L6)E)=3q`9nVb&x07rfQ&S`*bR}$l;^rw&Gy)%e=V51w`kr?j+ zu}kg?qdu2@zHH#nl8#Ux`(__0=UgQ_|J-u1N7`xeW3@$#dBb#z{K_YX9l{m`49*|mmAMlgVpVG7) zMATc&k<_oPbBH4@@HTK1#s2iVSA55nvpU523|@l#_U@{%Ot8H#-ZJ?1gcbO*iNIIT z0VCf*)Tx3ps--Tt6(oc-Bp2nich)OaG`f;gI4hX_kAeNsgdRcfZX$Dm>!KBSCm9{BA2b~g*r`g^A6Ndd?jZ+mU(+L# z1Ndw_sK9+Qp867P{qtqkUXbJX49Iha*c+eTUI4ISgVB2&_Jlpcer1KYIFN9ov%5U7 zsQ8>hF$GPf;b#B$IO;XXKt1zfO{P>{ZH{~xEU3rJf7}yqsS07*XfYsLuG`Kf4dH{6&e0qiYBz$|y@MWK;7w=y7C9nTW{Y1MAgPe(fMI zbZVBxTwQ}|IP$J}Dlx|Z(*Le_AC=K+yDMK%Y_l$ne zD?YExRC@{zOe;6I8i6zkn{BX~N9lR8#ZDzdq~9?NBa-cCWNw=}A<}I^e4RgLX!vgT zYkY7pMnadt1s5fU@baK6y^!16+rgYhVhpm*%wn*c1a##jtu{F*DkuP9r8#K0Lcw@I zPS}ARk=qDeGV;5q$mM2vZhO*a=?HH#$;$MYecH3?K@iXY64p9O2ch^-o`_3R8nV^v zz}h%0-%DK>I+QoQ<3~V^N}$itygju=SA-Z7wdJf2jZ7R@AKX6H88vFG+-w}sdg@FBWZ{vK+YtwDH&8HiF;SpSlxy@i zo#tuo=#9wQW}yccj9C zj7}ku-z~1lhYsXlpfLbdp{lAXV8nNsKQWNjQ{rW~>0dffWcU_<+?ye^fbs)@2#6A$ z?q2+R_<;Z8tI!-FbeLy}NBRn)Y%}lfX8u*M`uSzV-u)&_7EDxeP@8WYe1&ykM?eRvFk-q^}%ASjkPt- z(X|wXXR!*#h`SeJOh!~;%9-3xpA4n#9FK;Y6%sjJ%byi4bmV%mQ>o(ER9W{lRQ`<^ 
z52Mm>gTCAeDwYWuX2nMJP#MA&%urm7%9-z^2%6Zm)Gv|@9%^r*oz0|X3tcUE8j;y5 z33{>j+_z(=*QOf;-oP3T2Md_0=0m^&BXE;fK?+RiwF3GSOiWE{*Q-}i3nkWW=w{4L z{M5S+%kgeKpBPbyiu|Fkdd$#CMRz;B^%Hwvo|gXLknX~~zDUYrMHSCf9~1ctPuy z#%P&e5%5Sqv*id5e~J8te&v++zqL-cB7-SkCV&dEuw+sH^j`fQ-@Prh68*bX{Rcoq zNyaw=w!rft>^fcAYuUWj^RbUlu|Xk%13y0(6+S|$+Q3t6}h!^#IO8HJ$_f&{+g8a<>gxO0$-&H(CNa+yhbiu?5FgTNw#N&8#URbNvk>#K- zdU_9ZzXgY(=lP19fX!h(K;0p)sOS!a?!dljU`Vi>8yByai^0?I$^EQ6jPURS&U};o zS+=u7_T1^E&aUk{q#=B#UTbdy_xy=g>6Y=ca`MjpG_DM5?OIIT&&tw|7C=gm8|7ZF zKiTe1kO!s7sfUfi%IASNsS$b1x!OM1S7&d15-eEWuiF`D_2NPeI{IXt^ESs4*dh?Aslf%u0U#%<{ki=)v&n~Aim=U7 zm*4#xm@DRn)OL4N%#GA&1gVOvEG|afBMt0JG(LEJK15KE1`X>PepViuQp6FbxuNnV z+8Y3q8S$y>U|_LK8@9vuMt;q z?#eyeQeq)EKkdSe)DN5xIn1Q{<60Qc_6cS)QalB_+cLr@Y)zKqr|Ch(2GoVh3S_U} zv}%uzq;aF0JoFv|{#jcRfFsl8dxZak5iNI+QyAD)HSkC3%gozSd}+wIEzij46J35Z zSk={7G`t7%XA%AzJEudFB1)Q(eCx^?#cL#dn(^oETLan~6FI9e^WWeC{66`doanFj z?#6b3ipqBL@fOOdoc%PJ$&?eNx>|>6{VcKhvfI+0b5}K`M?W4X{U-N=$u~hO7tadv z{E*B5oG6U{$-N6PJ;l6CVc+A&S3$kZb$7G)=uCcd{wv5dswE}R)73{-SEtwbj@DC5 z(kbP+w{Ne#En~Rw`-aj`HSy#BAe9wt@*{UB_>`5>GRZV;y^j#YW@@{bW(fEjI5EsXC4- zD30J|^)lDBb6S@+Mw+$UYW=79{9C!w@?i_+{U^T-yZiqcyYl>!;lIVMEDeQJ&je~L zBhxSPN;e%gOx3qV=CbimrHNDA8%hdWIgO>deKPg~2scPrJEKF#f9Ypmj8X6mz={GJ z$HQo0s)@^)Sy?Kes|vL2@yca)gG*sZT?mH%0vg}@2t!VVg*rq0HEPTsl^#99xO;Qs7 zDO_JAa+tW}Vs!H51y)_zz$sxK!+TKHkKV$6+zdWc)yJt?h31rtdBlh+-VqC)Y!zz$9Xu8=hO?O z(1;(QUee(`ZkeFc8&~CY5SqSwI2K=r7F&I~7>7&4bsJseV(SF?S4cDc*dgcYGF;>> zy==%S-^riLoicL{)gS2}OmEQF?CmKObl!$f&JnXz16I}rm&2~b0X_OY}5P~EmX+qY54Z7;q+8< zc%o8IqLTetBE~VCIa9vx)f0ywMpPB9d3zP^uUO|egfi8s>eePPR4yu>y?Nk}?dZ)F zt`yc6_P;DaPK5C>C+9tH#jxAX^Cn!6iXZ6-ZqEvh>T0ykfS=!x9vN_O7apUXjk?whBPLt7%Z)nw21G%4WEM3hWCi@1%=Ye58G7mY3 zdGc62s;jquImI11nO4_ywLW9)y!G*amK-F#K>jf!W+rVp9B>#&pu~Uj_zlns@%I<% zr{yRaeZLtQ<~}#>C5^Ae#s_k!_$nuoY(bif@286eP(IDM z5^+@=zYlIIeEfB{9?~iu(MFVK7 zR}STVq_0=zXpf~Oe1Ab=?(mYn@2a#0;+leJjn<`*;|eS6q6&Wv{&d(|&*vqfP`AJ4 z$?YMSn5|XL)v?gdw;iX+*3fqZoI|v`$vSOD4Z5H3)%<53pd(W-__O@)9b;m$NZ`t; 
zD-e#9SFL|==pZ{Fego?7{J10agKWCWGkQw698ElK05>g=@b}Lk(rJ*&Brc$z3kX3g znp4?Vle{mCWlfsAf8_pHLxI(xZ?=-=S-OX?5{_EFo z+-9y%*@>NA-JT@F*Kmrr*x@p;mr=T(bU7=CH4a?xI~&)o1gGafK`gH9gGa%BHH-^TV}?vukBLZzFQT`Q_BlZGhd`;=?WnpMn}Sus|w}aK?YJ zF7{ANp)6znKFPZp!IZmNS{=hR$4>x)ZRmd%7OzTTs>K&}r2jr(VM$ zbZLXBnAcl=e7tSc_3rwO{tRhI?|4qQJPN-UWGQ1DOm|)sat;xEiiJ8nW?|OaRjJ z9kUw1E>1qb5>W=k$iKt{t*S1lt|&RuP|-VFc<{OGpQqqHt6_f@rnrlkiHZ3ZA$?cN zb*S>t?{@(F{vRedoS2h;>1Sw33)#l{`1FkRc)Ky-IblE%qz`2VL&6PDZAxP<{?ipr z#fT>S!P8RjF*Wf&)W68E?pRl*AhgJB;d z)t5Q8QiO8voO~amnwYV`=x*fw~u2PL~Wxr z)-fR`RjHj__0|O*)5U`V!-6^ce=U6yCZ|I4%E?*bSH+tsuVP$%p?9o{oo3732(GZ}m*RQsia5RuHmnc^ez5KZQ(8n!Wvj2BM4+sZ>DB?dJjA=FW%pkBB zMM!r5`U>}$y1CBpR`MVK&ooEs!puOm31IwzO=BRcy?B{WF42zlS@Z=;J4G2goOsQW ztCmt!4|L~)Xu>KTdMO2>=mleX!Vj-{NtvrmuPT4Er}{(_Q{yF(U8=#9w6nXGaQjCzIYHi?KElxq_AgAQ~ECR#QhD z!}L5(CKEi)oJO_WVIUX(+|b8sn(FY!(m+N=ZGrchW>3(YbdcF z3i?-djS!%gJ5Su0OC3O(I9R_e+BD(4d$!oHd$K4%pWs$&)g=)UZ$RcCH?uGtHnlnF zE^y$qVR1%&v>!@B+Ve&`_@nXu=VO};=UaEXUWHx0dchS)&w9u&e^rG%Hz~Q#f{$>F zOi?4rw1evpWd-ux4-P;ESGtjK_PAyPlih+Db$xPS{TK6D+%~ApjV`Sx?w+*uNLrlP zgUU|phXj{)!kYvd5qzh}2IiWxa&8y}!+^~Gen0?Z)#+@2jDls-w_Y{_zCh*r$J6S1 zf{f(P9Z#Us1nnQ?Y*c^LV?k14ww`ovk!n~A^37liqA~XQba;D8th+bA`uhWQ#g^2~ za?>pf^^NIbTHtC*lfMVYcirLd7dsFQ*bI08fN?vU@4Xa#r?EZ`u%m zK4Wr-qQmmEr2+u@#;Mqg8@IPrmU}q!FkP##ReWF34p14$Fg=&mjoR`jTq0p1(rZ^3 zYnie4VENa3Lk{9r{&9eTaC+CjZ}c1wkT^ z@Vp4F9s}J7--ei1BN(zl{(s_8YcO4KRyP}bv>NGtKR<8tF0qQ`sR&g`ecxV-z*{=4 zHpYsDc=k5cFB@VzwBNWNtcUckZPF~p+4>rM6I_NFO+*er!3(?fF=UzTlg9tO8dgvV z`|~X%soC4>qmz}+dY};@T)_IQ-sRM0dgHXlc!~|!UF-dDn^{^BC5`DLHHW=}WoBoO zrI#W~>LyeX?Xca<{H@RJ7fFa1BlsKSI<)@j)r0Kj8yLX#hI;d3dj}}LcL)gi(;cmz z;XJYXZQ+scb_VbDWbOI(+-XUMvFgCY&0}BI?X2f)c-3UOQ((`vIQFaZXcl4dMH~Wk z;S?1W&sU0OZwJUaeYZr%g8@#m(~YzJXN>Q;$9anT`PPS-n3dl8x>JOS2|+znpK)tA z2y|;Wt?HEH_1&$Z^yBne^tgAZ?Pl1O-GwLtGLHH z9j#TRdVG$Y!G$wU#qqR!WYTfkN}q@_eN3UgWZ|2zWMd?J;PLroCsZnn3%%< z?o7Kxf8r5m{$5L1mf?#!pxJNj-rRw25VJS)T7R*aHw50RdqSPKLiAD=Ym0ws0 
zmOPG)A6YG0s-|v-#-g+v8atEb1TEHQC=Ms`?kT*^cT8bbDC2 z{E9Ip%Maw|vS##ViD{Ejg(K`pthTy4Fm0`bnVUoIS&4mCg~)NpX7AArevoX3jk#hg(^zplCQ z9TYyb0xkIkxR#`OvTG)@i%9alfk`QNUKXrV#iaC(R*kSeOr6I`bsdiMj=I^aUfEaZ z!5TBh!66vQy!;t@N6|e!EqOY?$cAzF_(e$`jgf(@@Vu69I4+#>*#oD?L!eiTKda@x zO89l6wF-3pX#XaYPD3j_@s@)R6pB;jabWCe#yNGl^WCP-5w(GkqmqW^4lz{_`qc!x{%0RF>2@tBtgYd`uN!|3I zg0XAa$!rMgeZ1Ft%Z1Vd)EVCmOhK&O& zFXzc$Ij_cWG^$6TkDRr*`1FsUpUG@o<8l*D?WFgHJr@5Fk|f{7bx3PNg8sDk*~OxR z=Zq7-e`!--AEUbc@b_$=6@0hH*+h&j+2Cs0ZQ<)kM$Pg@W*!`GqDBVPp>9shXXvsF zG?hMO zFa};Gj_AXw*M8kthU)-$_^yTYo~mpGF-S8U;)cp<1d6h(M=upWq8!HKhWy%5SCYwV zkGhifyhqzTNv)Lino01xv8To@B`=oQdQ9u@XPl{Ia;A^QcGHq|XI46GNL8ND@gOD! zIk(A(GVCQPMBhGB=1C=6Dr%JELb~btg6mA(T|yaC2)_5<0?GZAWB z;m=T`4H#wOHLlJhFp{o7tXfyL`iWcVb*cQ#%gx0Qrl5sbQsOKTDl1C<)vDbvkf9f> z{~|z?ATzyDWWQ*>@1XX`b<p4Za}I!6ZEi&t-}<&Xc&{% zKJshlbY4vRM2m21DCWZt}J+e3f-ga#V9-ZTQU(%S$$Wj;A zNVD=+^kke7{s+YInOqMrgatxD@;ZPRCJe0?drd_tylILzKAP(RvPfq#Uq_dbAR+ne z6(R9pk-6yzdG#27RD;+{9kuv?ZK4oV_IPbNSQMk8@mnN>E^qy@1L7XKj?YF_~GwLQiNw%WKpC?=p_}FcpUM;WxQoM7dw{gGz{$9U=t^WRXQ}b=6 z3N{Z%Bjvw<;RsAJGQV-Jiye(jKx;>kc#>;!$j%Aid;n?z*p0W-x>e&xx2SmI^HxEY z@irL|T(aRf6QdrgDZKSJcm1W~0RWQpYJ6meQFE#ES#Nz0WyUwjL-G_n;u7t-0BLvgT#9yG4q^XR&W%9LT2~(PkWrD!| z9YcvT1rZiBexEArap@JwsNlOE4TXXh7;A@*X*^YjAJTSXj8J7gq|2AE25e-Lzs~!l zi6HVgX{p&?e@_b32uA?9>Xah)SC6YMMlml?WEC?&H!N8)@p?3*CVAVsD!aR#rWuv! 
zp6;X?IT7F!r$l~|D;#|`$@dlqtdqh%8@_5-0)1YqM$VWF@zh3#_o9p|Y_Y{DwP`U3 z+Zz3puhU&7q--F6Dc;cZO*VMaX7{aK8gfPsz`-a0j4$neow& z)T$#ytKq#a448Sw$GEll`E$HtZHtF~X1-j+olQJy+r-1g4C$wcxR3abVGF%jb{o1N zPC?YVvocCAUL-0Z7jUzL`FcsX#>1r6h}TKyQZu-{j51E*d`aTWMW&BaNr%!%YETmm zlq@Cy|G&uWoGSVSkuQ?btEMukWT9943dj*?rxT>d_Wk8wXg{wOTKCa_uZ*}|*!y z)g$&b`+z03@g50e5hx7VN-F;PNB z@19Ap(onZk_n8_%T6rKV(N@%JZDWsZ3j=2`U~ zH2WxTA9rX*&pB%#*6LYS4a>4)9NXBtL0nmifyOl~atwDRB8E0ca{p?(Sqhv%D?r)-)|CmvFJw)T50(@lMkrq#%pTzJI@R1wc-+RvSP2PsGd}$Os;jqQ z-wn&kmA}4$LB<*HD|W7+Red3!fZiea8bv&18i@Arz9W-lNKHFA79Pzn=Pq76(ecPo ziM4;Q`o*8B2690Ic7l zb?)q&K@!Eo@V2xoqEbVb`eb69jy#*_vh^OZZ{J4XhuzPA)?stEO(=2)wsq-*IOaYL zW|*ft9?gy<4LlLjWhcz`;p?~0AzMI>Bn;L35m;W<#b<1@<=acB!eWp3r+tS03 zUCv+7#V!@jY%D;ZJ#O>TQU>uXSk@Ye4n!lizwCMSS#$HlxUdJ-7?zC5<^W1ecG;p` z7Cs|_Bu#L=YMk9my*;S=%SE_p-UR-HHb4F+sNEA*JG|73c~%_{B8LoBtV^S(KC#dy zL^=@G-V}JkM&b(WOjsS#Q=7U*T17x;)EW&!(qkv2H-bZzu_7^%FSFYNolEnYXK`Gxh7&ei*GBxk(CT4;hJsqhJ$e zFiJ@qDzE8|ZQ|8UkO^jg<1!RBO;_wBfQHy4ibf?g_R2bgSr9aIItt8UHK~g?R+Ka{ zQQ3LkltE@Z)?VqU@)aEs5S8pRs|0rgjw1Y!yE^w!A2uR&Om8{|I)=)UodgRQuJpJCfj@ zl-qnqK#(bOV-)4qA40-fwpT6)fxj41v@5jknRC%Bk16e9>t5ycf2<{7h@{&^5EZLJ z8PO@Ol-?YJnJ%X04wWhTF;%-2N8%S_{_YvNDpq#I4#8fqio**zUJ?25v5!2)dnSbE zi#Lz1`3gxk7^R57jRtYCWAc29;Wv;rho>&;&Z z2h?{Y3qhVmfTVGJ?WrHvzX75SyL?z$_U+LkeVvPsUJ3!QloX84kJI zRx2NE#qEnsmer`f0IQ&rFmqCv{?Ldflz+yN>WT&o< zXB|^FP`zT6plNx>ec%io3cv!rURYwjr>4@g0tA}@Ql=B2K2IVMu**Cnhgsz>l%LiG zQI@GzAHwnDs5#02FGm=wrAdKT4B&QSX+Ipr=;O3e*X?f%4-D_ozL4J_PH@FY{^(2j zsD$cao;q(}`Q?~z2l2LI4OJJB4euf};@X7k;#*dJa?Xf*+m5A)Eir+(wY8ecy}{>{ zav_1Rg5!v}(VzA&GY_RMHu}+nxkMzoH=?n@`iwf+o|q8^_McupL;w^>x)ouxBLMzsp^?%5zG2c3 zKB;?L5YxJNO7+9>@uF;BC+LTKdJMeQ?oXCMcv*QVVPD2!^2G2}NP~_<&6YU{*}Moz z+^tr$N1CF}4hrHIj&1ZjwFV@@9$YSa-sugU%-o(A_%DOd9%~@z&@0f%VGMM6M6sz@ z|D`z)f^m}x_ytvQ{Y?n7r9~74k4fcM%KydB`fq-kku2b-S}&i>5%m`rYKIO{oH+K* zTSO1f$wJ{b(e{whvY3Jk@C(vx;Yj{{Cf4sW-5cs~>T`Jt=2w@aG+@@Vrv$Nv5!;9Hvjv`BU-@8EAyzyGRN((HYuoX#sf z{_F7Xr<|<_w20bt*3REjN&l?cfYW`YngSk){7a1iX%|MIMM@pjek)r1ljH?hJ_v^1 
zqGtIg-Mo!5Tmq78dF_|qvEnG-O~f+i9iD~WjKBs`5si)BY@kt?hhb62vfzN@sp z6?=r;nNvBGLoIH7Ye0HnU9d8lrULMjEl~`$7)k!~l#*)hpPc?^rRiVCl15Qn4pO=P z^Cg*#RaR#jAw#H|vmTWJSrYa_?LE(HFe zMF!}4D-#VW?0@ldTNLiEpt{acgV8ICu&p}1Wq1d7t&ky#=e|)k&;=z&{@p}0h`~Im{(U+3%E$nj0JzN+0G)Ssa%%NCa#C0Z)FO2?CC|SF-(3Uxf_JCG z+yK9wg2fL>pH+5VSFj^21BRh=Kq+f;1!SCqXP%K8+JFJ)L~ zjry{7UIM_|0tx4@0J~Tt&2_n%muunvEs8PwuFJo{bM zshpMiqQCXqR58CFEeq$W_`pdG;;F?iHp20_I5j$*T5R=p z2AGO>?;WT66s(TajEu;CJWv5-)Nk0T-)(B6O(vE9-6zQHs{tmBs^Qn+A%_leUPY^7 z;%)rKfgCFw;lmUATOKlt)XUUdNYP@Wqb}gn7CqJIIQ>fU8DC(RIV1c(9*@ug%#DH4 z%F0T8dfuTKr(i43x|(;Be@n+EP5$BL@zzC(liV}!7@(5pGYj3Aw+9H`3A?YY&{*Yc z2BUGtKRI^ZzB#hm+VnNseig4@67i>_@IRx6`-KJ`($xYV-&>}8`YzwLF}_j&(0)Ry z_9CYtj6{7eX}=9U0mRLZqoqaVLTL|^>XqKF`cO*6j7$DliRWxW`76G>7jXP57`S~U z9o%vC?!?`mjjip_Gl_W2*<(bB@G`aM)$#N^AaH(t>IE=}PWI#Z$1Z_Qx~R_0Z-Jl0 zL8tk?YxFz#!IwSv6zzLjY(K6xnC@gBz{wKFC2EQv35*$HSZXm&P`X#ef=V`dTN6gyablJ=sg#0hir6*8xw9UzRM434%C~4nQ;skVxfY5Iv}F z05-)7O2Ez;+!h_4+kGGEIEsEpgisQsEXsS`RT6nOw(vK7%$ERdTNGPE=gGt841g)u zv;0e__Xux4V5=zd1aUoZ{pZ|!q&|uZMfEJ6O@RIuJ89SeFr{6LJxBI@A%c)54Ug)) zfZ0#ViSdov1U_=?Y!MV?KVT^F?WNuabMz#d43h@i2q>tYtp$%Gk`OAp(6K-1`Fx&Y zCOiRe9Ar;*((5QI6Ywr z*vAa!GH%=lDr?7j2@J@A%yxk1OP-6W&7zSvK(8xLA6Wv!f68DHbj7^IE8^u)@WN<` zDlGy3E!a70P=pp$6obA|LFi=xAW;t}Elgl#4~Kb{(_(cqght~iZv;vQA%w(sicVj9Tu1A@FIZtG3ggi9f2~|2FL|gY005s7+~Ie0MGaQ-p_OX z@E{U1d++;-wbpel1YLR@h>_vDN&LUVeQ5K|oTeOAKXHqF|2p&j>OUhz+DH(LiGG7! 
z5G`W6U|h<dh&)wL&$MJ7u;Mhe$XS?1p%E;}K($%YEsllKB$jP|vBbL|!Wj35_$b-eK;+ z^g?HZYJu7#!;V`bw>WCa^tLKJg( zK;|0>*ckJz($^Af@z4?nueLXyFVqog`3mwZaqPJ7RtxDB@8gy1b-yyt*Zczp8(*l2 zTbIGr-Mt!E?CLRSQ2!X@n=kzLR3Yd4Ag+<0TCc4p~{oWSBVIX5b^oGup z+=4JQ=0o-4k&G+$_tiVp%6GY~opiyjFyB)t4~eGN^HglxIE=2s7?0X%-u?OcL*1}C z^tM0KH74-e~=|uX#lVdaQvLA`6HvH6nYgPBkLq^FKCdz z(tDRNU9bzcMa2rD;|!mka{k!+KzPVDIf&+Lg8T*_>BnbvM!B7A!O|N4SBL)_^g4Jj zK#=a_+0Xgk{bvoj+tM1W?)smt+AVaq<)`t4@PD_qqv+PwfW-kc*}BEx}Q^U*Y9TN6Rq-ewy*0dQ#<}q zP?XW|r~Phk$KIxhYqfJ*2A$6R#afm2NSMRuo5pPO`A^U7C8Z~qbakqdN8OG$tl^qI3(mEWLQ~!YuOnC6M%4OaXl-h`&fZzpR2O zzJ4Di^;v^7oW2y_B@O--93B!Z);<5ml4p_LseIr-SY zO=i(srMIBbYI50xpcEOe`^`AtOhoiBBWm7DyTOVTTGg<<8e_nr^Kd<IAW+-=gg?tNu+duNy*?bgGz~{3P;)nly)i&5xgFEfaf_5oeIxvQSY|NdFl^ z##zIBwRYr9qw_EFc2zd*r|&sA1e}Lup!AiToDC&!7kB7q1Z@^&pf55$GU98!TYa>S z2ixkHX*}8FW8PnGmemqn{ISX&AD~?0HXP?}tt&i7Y$(=Ic_>>Vqr7%@kew-7|E|@> z3*xenE3C1zaa&Wz!)urw$|#iLxt|VKX45oRDE+*ipRComwICk!M!*eW<8|$sb@Gofcma=pv%{bac-UY4xkCj^1%%9U(K&T4XO#{5yE*aUW%V6`Z?3 zFL(UxhY&Rf@>d_SZWFS!8Q(?5PFwG*S^Bnh71nN-J^zgcg6uOQ>5f@Cb=D<}j$`M1 zG6Uw}r`l%JC%k{wicXaeUaK(hZ=KqM=VrFwT-j?*CUsi<;-?(%Od(h8)Pu@cKXsNq z5b8J(Yjx4TV(v9ITlhvaKAg}9S!YwpKbI3CdL$Wi<~zn-IlCSpM%D|K0d&T-im4kq@Kpn8FUrCR@*iR+_byl<5c#xKA$`$#bvM;=xz zm8m026{`x==AkD3U5z257~!R?+NWYypiN7W&MQ$fy_`&wW;~_??@lAJyJ9@17s;TU zPmZfeC8(#i^O8#+nGX&zsS# z7l7P=I=Je1{Wu7naSpO(`ZF@lsbn=V27U-cWU(i)t_V;D&kUIWRDm8zx@7=Iffn1`udPCDU zNP2qA2hg^IbPg+rV*#r^;VMIvuZ2_OsFI46+ga>~foQ9KXvR3-LFRATLXE0E%O_gY z-nKF@2ToImwwg@ekm3nQVb+N#1B<(cyu5sbl6U{T96Q2u@3QB#Waxq*NJBOD;xIM6 zPI)`r#ZwhJb2MbYevJyYnFfCtVMBLFum9~w$c^nMbybf`d*5s#W--1>BO zwZ&n5ap?UfLB&bWs^Xa1p^7KV9uQ)7a>vb`WRxuo34eFAc_@u9Sn+mWD!QkD3PmXt zx)Oxvtf4&C;hWnO(2}orb}fE~ciCvboJCYAd^~FHB0+ z0|wA|WuX~qg|*_(w9MPc&|IU%owz`1WlG+;>;QIE;};r-qoPrsdpa3p%O_bfrv<2p zr!QVqRtYkpXLnFZYgP#{J5U>t23{4$Z*TtLA0WpaOX*GO(N8sP1sM*C17$?Z(-k zA(4LQ(wSr9k}6g&%D~&qbVW^t$n!-fq)MlFqNJ#oe7VH5mHw{n!=BoBH$0LcJxkxW zQF1Um=-^s%zhZ4x!@+0zXqv3O90Moh8q|Zo_u%B^Ga`AH%krs13k@+BZPL|TfCVbI zb0$jkH!_4qQ2Vm;vTBx2OJ|v#mL3Kua 
ze4_$0b%`si6O(mI+~%x=mOQ_#k@mT)9@lB+@fNjbzqUh$6fli%b?83&qc$z%S#|;s z4@)%T&{5kS9;h#-CaKG>mR23vv2;7ItAgX2@O=dCq*ZIPK`}-=rJM<2W!_O2=c2eOTS0ut0I%4(zCz+n)-;UyTu$$Me^4Wu?b!E zm6$!>xwu;k_kFD3jg|J3jz-D77Vc+Eldjw=u?blCHJ=~L7%f$=F+6e7bsXH+G;S=} zkBU*9IlzW&{N}mF$5GwA=#eSY|3v=aOeo%XU3e$AlVd7wvs||mLz+et`H`blr@USq-tsi;ZYb15V?i@}Hdxi<7 zQ;^-K06uAO8NEx*ae8%drO9c-A?HM0X@~<_n_6O}*>kVB;$eMO%@3n?*^s-L;}`n5Hw`b>zQZT{{AD^+V_R`A`qXUJ}iv9?Qc*xSgR|Bv%su zccJ3ET12YEOTIsJ(v*d=BEE~FYiB#{JkHZ`-Kt*p;oP!%cE+@?c*WP({Fkzd2s-IzA${> zyi@OPJMoBXV+s4N!ceKhOEN~ICfPV{v%NpRqN)2VETtp8xs1XMrCxS>+d0Z-_ien? z))*^O&gx(jC=dM(z{D+=Dd55}H#fJ=s+|?{IbukqNK0K=xe{hwXXK_{rf>$90ur|@ zG)RQrRagK1nv*yW0rrY%RGPmai+QCE$Y+%ix~B?%*Ll*u!AKx#Df>KJ70SuPZX_F0Ha<(+Y|zDiFst7326vwDPz9-f156oi4nKdqJ>;MPYWu zu<1A=Z-VM^!v0UEmBbfw$YCRvd_%Ayy6kJ$tU;ehw0U&qpXDugdJMQi$zy~+O;g!N? zEptUvTfMgx4Y2}g^(a%0L@oWF8Tl1G98^NV5sKvZAbx+jNVdORq*^yi+(r1Q#!)KL z>AcDppX5>S0-EmR7W-r?>;q}$ETR0sB{p~wa^HiH`_~>E;9OTh$W5%VKe1s^Ei^^; zO4~AO)vsA2u-w4Lr#a>4moFGJil+QmZxT`Vy?%7b<)z%i%;U9I<67wh8`K;?T3-CT zxCE@S$7*Gs5z49k-#6a!0sMr4jP;6U=4E&E$Y%pyU$fITv-u4r33F%!?z;|g2NMsV zIZUmOnS}oPtv%>(HC~Y(xM&p&Z}_YhYL1BRE%O{sDNklv_`|)RFHqtyHiQhn>=9mE z@k{d26R=Q{H13NR+cd)(FuO!fO@|BlEEAFDYlD5(4t)rj!;_a@5e(y+T2bd4;xFGC zZ7lj*8Duj5Vv9VBiwTDA6PO9@%!PXrFqx{{H~$wJMSlRce}i4WI5C$?i$9BPV4COU^NFI? 
zS2ewoRpozyVgW*7Zx1rz?#^y2p#A?tqEbkK82yP*@o!qfA2@ts2KTgxEJ+GEE<l6}6ZFXorW~0T)t`Dsz`a&(QYRn7D_ZZZ9}lU)f3f&qc=gpc z@bKY2P`V_i1SIu95nc%5vr)3g*iymm!hYf6mAmdsWF*UUxFj0?d84$Q=v(qwj{fp| z?qlXvS!;v-sq%0}dni>AX%oy$ZTn8%KSW*EoJ8)w-)V&YPI7aj%NTwWvunw-{y4-= zQ#XEUr)3b9fb2D%8RLXX4q7sO>-rBtcmEaz8rOJ9LU_?H(@tWVcXjhUIpxn5StKK= zq;WLsHt;8QUZJr5N}qTcC(&0*>?KOI)7>ZchtAIoj6+l-D$rZKS( zWWdnBU$Pk64q94`-VkbiLaDz@zF< zovcjg^UzqkS{IKx)sj(<{rT_1<>!Mg2QO`KuinNX^T`7Q&Kcrv-?H^Uxid28Wfi}@ zo<8j0JgA8^VLlXbI_~70NO08w@I{n`N^$MRH7YJpb$ZFXc+q6W`mfl*#}AEs+!DFe zeRPOmz@}XthBxNFl|ckH)_F}5N8j}~>;?su7k>jf5U~_9_!B`bw-?#@ZP8RNuXJRl zvsU^G8rQO9WKYZ8)>O9tJ^HU6fW$F?qkD<5_yvjWLkibW+oPc6RU3n_`#Z$o3l`-V zEZYV!nLVdn!Q8=<3Z)*{-l2hOy;YpBZ~uU>V3;Ze&m(NcGao=vD>eVRAKmg%L!VJR z`j40Ou@{EXuBf_W`;k>~pSi$724vZze7q5RfzK-Lv{eQ7#cvA?8Mgy-)Ks_7=~gzq z|6VsM+oZ6;aa^6v_*Oqu)oPmV>A#@|nD`mUtj4lRT--?8+d0gfGkbf`kvG*mqN31^ zk27YjCjqV6b^g-NB^9y%YGM>taq>HzI7-RAyub+;YE-K@2z4%Q-2Y@{)1aeRRNfGQ zp%!p?OU0gC-#!NZ!6iYM?U6~@GA!>Xy>9f3Zz7@P$`A9VjaTSim)1fB-^^GBvd z$lZnnlFI#k0Un`>7KYKaPhFfBMISl{WPB>OzqkkBq3lv-9eGo0F|QcPGi8zNG*h2} zn3W)bSdwturVqx+h!V3Kwcg-3;gzvTH7o@MuR84=OQrJ ze*h1>K&ml`!g;{@&R7D9(0uqEU7&CPkOS=a%dCtW{Hv}S6I$f-6|=+uLgSzuzbirF zxS~*FkEn%C_y0K1)OD@NDtKM}Z(5*0@0Jg4S7E;3&iq2e0E)SGx84Ro0D*P;dc$HX z?+pSc9B~pO314A0Jx{6L<=E(>8D8ls&HN{n*>uDbwpLt_HF&zS{rb1vc%C8-Lbcf~4y+6I46L&rhC!@d_EIao8?#fC z^PR{%vlmOB1qwQMc7(q&z5R;DC+&b5mgFv;O`|oq^KBkaN($0|IPRn8^{ycxXyH*- zUWt$vxMUE;NYPOlFDmc;1uA=l>Ev;+vRY@;CM&b@sJ)8X%L}w44z#7Wz`wUhq%8by z7W9C3Ii)wYub2%}j@Y;?q$-0BerI5J7*^F9lk$I?|DS`O{Ic@t`Awv?z#WQ=v2i=- z5KJPZMNgBEeCooz+W0(8W}IcL|*Q2o=bt>|vyL zV@X!tV`T*Y(Vyrr!dTSxDm9)f1hLa{_Zhy8^Yn{ef|d4y$1y%R z>-WR7FzB(VdI;kWW@-y0i$#Vtd2L)yX!1Af?RIzjOV=LOkTav_h|hnPI0k};hetro zl0^ODg$Lo5gcx@R4T8$UQd}}4ptpSE-o#z$$2ug|8A`d%q+?MbD0$`k`=1#>640Hwx^7t_N$X!Sc-GTE{gh zDS!$8Ng;Z}??V&Zp0S>O$SdP++}+Kom&MFvHNNwWNF&k1Eg}g-<3I||K@G(-z)RK4 z)Hs;XX7F1Wk>UB!OGhs(FFOMUUafD+U^Z&vAqfcyt7=g}Ufu*)_N@?KZXXmN=ISbN z{q4?lx{NVY3g4X5rz#;JojOylljp&XZ 
z=j1`Qc@@eEqytE3%a4Kum;Ut}<}@I;z;4o(0rfg3D_~_0F2HNyps);E@Qw}4?Z^}- z!P4bq#}ReFE9rve~tgUr_2jNR@ zF1CajJ51TVQGSyVao;u*P-LqPRiLVi3FrEIiV!Ug2N$>1~{* z@)N5WgF>FDRSY>mhq)yUPoI$#3Z(E?yU11c+8Q*JzG+ zkC_Qb9XF;o<6|oBxLE4f;dl0knFWZ|;?|!Yz$|yioo77LZSKtuveL9o4TJ*%x3Zw% zi_H@AE$E645)Ft7eW}S?nMMvPMcTM+b^?IEVtc%O+ce_CWYovY++j!r(s!9;JWCMz z6CiVJz@g>GMU>ss-r2*rj8%XGDfh(h;AH8OCuMOuAp9;Q3v3_V4>zq?Egp82V68`M zT9XSot=o9*#)B!S4M6ZA*G7wFgUzy32C#aiG;Ti096a=%TwUPW)-5-fW?b8>v)BjK zIqJ9e8)SgdAoFPC6ZVPWXjN^A)|%suhe^_+V?I^N^I==GVcAJbNgO#-zYK zsC6!}j%$F}I_8$#E>Ls`O5eP#Sz+o^o&+{4laldPXT)-u^Z_Le3+ppGd#AxhcSnE| z3hA89ho9m%VYMxJi&iadYN89l{iQ?^qj#4q)q9*FX|Zha;hDZTa&u9T?# z(7?rRjT`*6uFx}?+BFZqFmslbw~Kvda`;o|WzGm7_JO<4NEP`fvPKnVIZ91;=2p?(o}u-izn47;&j#TCB!> zC2p54t^T~0-=mFwo12N;LLp1&Z@JHnv7SA4(lo@*l|@!z1>3160%XAZC>}{^ZQPGZ zVnyT@C9RV{KID==yUzF~E=O4uY#J6Fi5-*`J@vu9`@0~FtB?NysliR1z(?cUMNRqn z`O_YiJDJ|9o(GZutQ0@g#zWF5zT4YIWU@yjab}C#jorc;HItJxiI2qG;ASHIC@C&E z8$0>D1j}-~>|>^_pe0j{UPKgy=ROc4$jN0aK2cX^N_>u!5_gl5w`5MaE$;clOBz$m zn21TY)(?wkF`1J|pjtO5{Tk24xDcnPXn7Fb3gs)>(Jwql>1e%^*Iqh}-Q%j%CJzU& z#2-}6p;mInjWyeCl;byAyW)VlD3W~iBbkn=54>hMDLg#9ykA7=KBv$)H>3fB>=HbZ0h=5JH zx<_Ryar=aNU#GgFSW9u%Au#LxYbx)Di1en2fW+bZMCZ_Q5!D*~dvpHM+lm^5!8{rd zG&r5GF7gi!-c|hN>7BVf9wO^Pjk?7pzEIh(QSsA}a72==-x}sf7nT3a6%S23Wxba@7Ey#!~_Po6bg z@**RKi!J7ntTD_4g$`sj99K{a|a<6RnUe!X$}7u55W<*iYUOX`9PO+9=pWug7Dpd zprB+jcUm`fo%|W@i_dO8Bd=v2D^_IX+a;oHoTKM>c|g-h<{WUpSVV14AcbRV=eT@_E?g_=dsymfhcF9S|3!6BeJd~pof7h z>uS06Y?lquC6_4>`wS79+AVy?Hz+c9pZ?fNEfmA43pum#)^LQ~)HH^wHF#>8W64|p zy|xO#Rft5P^)KIu143W}xcAKNhlSDY2|t(CzXH@eQdf!XG58L3u@sjWYb(wpmG*qE ziMgC~JgGRFc;xDYJ6!9qN>r6iGfq`I5erM{_TQ@XHadJhmA%9QDT1!hjPU_VnLoD^ zC>#Mvr*TuDrn;LWI4X7kz)-J` z#(=9vvLXQQf{zPmTN9mss10s|(%LtK)pYtT3}#bMa~R@Ca8~NkITx3g$HrO^_}~%| z`Gq@{^GO<55s_TnfLrLMto`d&EppS?NG5)Exk_YZkD>11##awQdP7XKl|+AHbL!J9 zpNxRPlQ1u8j)t_Uk2BU~Yu2D*wQ^aX9d`aQBW$3tKf*5A{S5c79^uc$?}_`lCWV1c zyJCH}m{2=GmEQI4pitz6nV>*xW^UK=9w3MUif$xInD&WRvc>h&HjaEPK>zv_2-K!w 
z7K~Fh2mObefC`c^GAbIBM_jfwU(jt$mMzKoRKQco_pxKqF=q`2NibGb4#0VCjhNi9 znW(e*;D7X~EQL@COb*=zh3nk`{XLQmiD2t8cQ~NM`9!um;)HCPK6TraUQRCfOrqhD z%|9CSXe7}m>>SfL)!m#qT1c01+iQujT}k=zu@Lr2NhJVacR!CXufre~o^3VM#Yd7W zcFotNq^rD-rsI&C8oTXv&VU>SO3UqCRs6p>*b6*F8M@fv=K!01G#Y$?@aZt2! zzdw5)G&h}YB>C^rpSY!fp-jnVeT4K~qwy*!k*NcKo06al(_Pl5Ecq<}sC$L&)1+dh zk?iKw-d$`huonpkNq~}l*37RwoR&Y>#^!$@>;Jq<@$wN>K-(G-`>60<{5BDv4VwD8 zrD+%hdioO3C=~*S@h-U?oE)V0(GS*Vx}TQGr-B~KkEzDFVHPwHajUq4z12Ev{ZyIZ ztl*}6K1N$%k!P?4u%J&C`Rn(+c=6d!8V=6t@_B76Jx6d(81fN_O9YaOUD6nKvNfw-*ulYWXQjs+XTW4CCl0ES`3%{sgIa=%`Aoj)|tBr>Z!>sZZt>-P`)WAhR>=UT)vD z&>MlhOGVSATP5CK)#E=GptCD#r6fynEiilH5xKUmSFG zW%Xk$Acu){;R60E3ZH6n)?Kwy#NoL<%xSnAs)71VqdFyMy_U}<;Lfo)$Mo#-s=vYq zrFwX?eC|aQ=EqQu=e2fOuvyDK`8eo=hH<0Yla+=_%a71sAU1#dyS{6ke0mTERU&jo z+*Kyt%G2r~&V6%i>ku1sivZU&tM`a1yKDrw3BgaNz%2+rk1SO5CE#%dD31d&zPOVA ztr%>V!_vzZdNMahWt93BAPN~_VqW6n(?0&hp;W^=J-dMu&IM|acT+PA#f_(*3d?m0 zrXf5ZKQOWWef1bVO>0GU9Jrks4+DUs&ss0v%n7i}5<#8p1_lNKs|_%23AF3Lcwz>a zI|03>;c%WZwctC`rjftT(JXRBt92~bPfYP{GWkk;@R=|P5 z=Isp*R+R#mGsN<8f3gi5@U1br{u0&HN^n+zJW1lQAe9dc3L;}udkB=HJ%Rzh6)&1| zpH~<{BJouRvP6*jJ$U#(_^mMyyUnjlNnwK20R|?YrnJsVI37(COe8tm0Tm02N}(1i z6bdkNDr%+5Yd&Vb{4a%hru;rPxJK&1{ve?GrxteE0@BwbZ{W!Vs!EZ}Ghkk&W<3ZB zJA=kX09CXl=c~enajwkck4Rvkw>$XLcpZVhD#0^*wwn0aMUD6>#aLo|2~c^+Wp|d* zVhhjXEp#hAQC{^Boo&V3aEajqg&PPm=c6BEr2mAnqiX;mPy@jG9K9Q$Z#(De^YZq( zvL-Kb=X2n24WyVWztXX<#T04R@dB4+ll~;OM-vdM>}2l)zEYO;jt8NJ_qa#D`}~7& z0FFv*Y3eohM#&3|zvW*)f<`mtO6W`cwbX-y@jt+6|wxo?;y>oZ1>|&fmNPb#1Fy?Txqh zdk+S}&`~2S^;~F=5j*8PGo@A@cTMv(aNId+Fz%%|t72c%`eu9tEht#;=7bs|jezI- zh6qCvDZ55wOpHkmgzkK{!p~n!#%K{Jh_*9p0X3q5FObiPU6H1+zaPu=MLq7Dz*d~fDF)Xe=FcAlrKt&i6Y@5)AVkc+=C|dMvDBEJ0o$88t2^%1bd?BmF1D z%wdOI#%;folcP_BR-g5DBM$$~K*#L_~152)kM-&!g z(njs6D;Kn5PLx>hC&wrU<0T*p(qGoTj{oF-F?`zf1%+*XS&LLkPR?hdD{pU7^CW!X zk^J$^Goa;dLFy35k5;a(ZEYqr#Ygs!gi_-+D`mUqWi4HMwn3d|NE0C!1!U-QxesW; z9J>Apei@KQqczgyisCl)+t-|8{~-{z{h1la&q9$soc3#q=$H51lr)1@s!!(O++*c53 z)JE+10`-4>H{;c=hcl>0T4fRH8Ocb76cTg6r1Oa}84@PnL4T8NHhCm~`aPV@G;#Sls 
z4tIyzvm-$2LVDcHb{#_DM;`isPy?#O$(k19t*|Cu`=((gN2#{Bmp|e%o*NZN5_Ysn zy=1kZ2(kufOV1 zI%!uGaIdSr9gXfA@6;6Kc+rn4{Z#>$z`3 zn|AeAUmWsZ%i zXoxksZmR%-zww^YoYCs%`^QfD3sYS4b2SRUONFpw-?VmZl9WO0P{CqWEsfIbKL&!*Jyk)% z#V?>=&G+Oe*K8u&W^mda%;YK;si~BDsE=dAqd8G|B`?eX7c9ucqRtXs%Aih1`G6Xf zaK7e*gOQ~S0S_seb2BI{u7}hA0alD#c)r2Lz=2ZjWgl2#jvnHHLOZ2&S1wXy#wW4y zY?{J&4>+LOc~^dwZwSn^_&$^Orz`&YT1Gtb931BUEC!&|D(Hec(0z#m3Vn%W!6s3_ z093eEN24>WqeW(Ng4h3gw+0ZsiYxu(8?9E`r1HQ?wA9+4CgG9w4BsW#YKZBR2c8p= z(_%;O8mRr$MD#ORGp>^p(A6YoWATuu3gd!g8+HQ&t2f>tb<-9R3R*#4YYVg@`_%Wa zu+iXTWK=hIx{;k+fa$MqF_0AveBnuG@k@>ao}lK4oyDV%>b38f{U3v{z{tQ%{OY1) zDMaf_s-UQYT2a}_#}+SvqV5++u^M-UGD;ldE3Rjr)04DMFyjt3VO~R-)a@rZ2yy>1 zY;(Y5T5Q%BG(R9vE>cgt>l2xOfkkcJ2JdzWJv$`X8^qb@0;Y5fs$F+``2>7dz`SVh zlMI$p^j8|*@yWZnhQ?*qvW3;OAr1S?CJ+G&%;nLg#bpzWHYN>mq$fkED)>)CEc>hH1_i#%&;jIy;pJp>mxt%f3k? zQlF9G=MZD7*(~F8Awa=lze+k}={aAC#yCI_k6Cw?14TU>HIQMvc*=%_-vIn*Oqi>zIT*BPAYfMWE`k z`!fK{!n#(bPR7$-;CVT4Imr`WP`k8Im@KLsGY=Pk1f$}fW);ecX77_PbFYjGMPV>; zqI(1!QJ<5vG?1cKP6pSU+)B-+vfd&F_6bBw=8jRYt(J7qsVyq2`a^Lp!uoSsBHV>h zx&!s!6Bfn6I_m%v6(Op5WqjT_zQq93BQPCrqwaOGd|oSSyRqB71VUxi$Rc$u9TIjV z&g%=6o=Op7clmGw7DIE^yUtoBMU3ae2|Wqd0~M4t@GE7TrKB*1x!X9XO^3*e=H(X9 zacE{r9Xv?^FsLS#my$dZ-xVvs3)3n`n4HWDIFlj}2yO7dad7nU&z9@_28~S=tE#=o zo^{E6B&O%b9C$JK6vl>eL@@o>p)HG%CLi=mKzdgADRH7g zcE%&ICy}jDit*#WJmF)l|KkbM*uWt4%19w)_f@uD08Rs|(IPC3XJ4PUbV{28-i}U1 zLqlWC^ob@=qX86D&8;WQ82oQ2)j&ttXgHdkXHkeH+PgKd6{s4fKuHm0p<3>mS5iTb zVl1{D4B$sd=f_Zjx*t*|}sUOXj#a;C6&4 zd?VP9W00-oo3axq_6%1T?5G4C(LIMdWM9iUv)?3krPQQKGJEjeW-^CC_C8;weyLm9 z4Y!_JjPd?1lk-rOLsv!6MJ;}pgJ~R< zQvVXU&i3N781LUOkd_FL_goJA~f>$`c zsLBU`V7qe9gMLot+=&W(7-ezM>Ac?}>JYp}in`5I(ek-0HzcH*OW{Hk>7(@kM4g+@ z$eo_f;xBI(b9$9nev7ZUrnGpDAZ*?GZMeBX(*WJ{k<`>Vb_Rs@M1s3`{yj#L%BdRt z=Rj8r7V7a@j@=^v5|5kIe@lAgdW1UWbxnx5*PmH5nz#nHUO8Ud22x=akZedIxr?WP z!~#s7og$_eN6%akoW(z^8&6NG@~cjl*Nly$odj#EN_lRi*=!H z`{oBX=9`uPUHjU$TZKjaBIW=wS3%nh_x?(6zi5#3$7o;w3Lryem~!ex7S9A*vgCG! 
z`(i3Am46x}JR;=*bDCAvOD3X7at_Nr!L@?>H4kugd!>E)SDBqn}DeYLL^0DuIAd6srnbe||2r<#62AepW2c)rE3~p1jEZxQ7rd-5kOh)^f2?W70Xr7Wq1}a=w4AONu(mi7J$X%^dY(kceG>7^r(OTiZHi)z z;e)|b(BSf z|7x2O`DgRUFrS$fR%&|&MDon;sEv(e52XgjpiJLT%KG|p&PqW4$8R8lKeTu#v@vQ1 z8m#=;B>u-n&PlMgPP|%yMoq#wJIU48{>J>TsiG_VxwBlO=zR&Tqhz8<-e(9f`I;t9 zuXG_M_rb(fD$*#OEoEM#L1=<%dQGw4+F{8Ra4DaaemTT`2cSG%AgKD6 z`VzZQWkU=0g{G$CyLNNc{b$wXD?4kHb*Hls{F$2i7tjZIQko-?R-DMKhJ6AVowM#_ z+nvKWBqK<3!+GrSlyQxhS;~;!Cj(L7x|*Av^*VM3_+UGje(*M;=OH=APoBQIveq-A zYEqmi44yBW3jS(c*w=IoD#v#|D*T`1lnI#!arDacnQuNz3?O3Mu~NhbD}Q|Szs69@ z${bEt^}3QdA@+}~`6hqpD-?LJnT`iWK)Xc{w#|{)swb;)Mxv)b;v}7|J*{{fXPfU= zEnM(_0CUZ-@qiV75X=-#RQ$qNCL`q?Z;Z;O~%%xHMUu; zU(l{tL5zf!6`@=NFjLj6vhMAa%Z(5dSiIu{cK&{N^T@MTCHOn)W7f_xg1(PcVJ72UR&civc%n zN4aXM1ToXET%-}3J*<-_aNZkfV}>v39f5@pxlujh*wm5QElL#VdhQkDRS#0jSOEjr zr0Py!eB@n$5+FG=3ZCzL_f~m2_T~3O`pF#pPwFaM=0iDX=ooa)H_WCz54EXwpKP}f zfu?kDF7DPy+!u$3lX9O(blKUFTT_YCpJ%+moT8K#Ozk?*d4iHyuk(zbP9z6Vz4c8^ zpRy9-w(K7!Q1opt-p6jx5&<)CEpp{2@b7+Z|Edy~9il6&l zV;W2JMN{w|O`jbcPEQCT7XvxT_<*LW7fE0~;%p;N=rc+8`wPzvVJe>(9XIs6Nbprd zur7uQ?_+WtQ1a|o&xfpym8P@t1pg4&<}ROBo4=*ZhROqKu`0Om%he5_!8B)KMHy6% zXKI3^%_;EvccMyspY{%35Mg#)3o)P~?)PLcg0YK%uMB+RfH>&pTFIsVrPiFMLsYy~ zyH+F}m;#_x#Ih)=lOMO(osAF#;3`*Lu<3L#F)1ukEAlh?T`VwMZA`IFI_LoiZ#QR$ zjq7AdG-HAmm^`pflgoW^1;eIcf8?G&RZ}P!NiWu}i-tctvE_>h$&pPKIa)Gs@og{$ zCFPuEBmlMi6CyFe)cSM5%*;%6?-DotZWS5#jbCXfu``~HI%oNOULGS@ew9`JL`AB{ zuMc1-Z{lFJfI7K1f4ZVHB_rcKh32imO5TLK(y&e}Ec#55Z2sHFd?K}6=hCmhauui2 zTRC}oPsROOY&6(rNf`Dq)q-JQrwXX9%Zwj#f&2}0vXZ;%yWlKAfiwh-FaQualz$G# zYm1SO=(f@&dv4Cc0s%A9wb-cYjowkI1EG|S4*3iITFVgB%@m>Eqf~WV0Z6t3yx;VU zdO^wT1el9Za;|Fzy=bw?uWa$t{ir}Z220Ud0!`G3Jz|9Vrh}}|>1o$&m5pZEOMiVH zoec}Mu7oRNJ7f2#iz#6HpM(Tad#Z)9LUo{ZW5>fCnXDRm9}|-#Y4K@r;f`D-%Nr1xfNh#tXj735RZj@a`Vk%JBiJ={Pt&1Mj+W}S&y$FTmE?xP=*jL_Ff^!nb@RpV{|T!g@GAZA`JUFMrEefcx_vJY2a3FPC-$;piS|-g zY;49Lb6g*?gnLRKz*a`Hs@+3R7-Zhk#x2lJT#GVHk(7A@O9>C;LIeQC$4)E*Pb;0Z zuf2P1#6g;NqlZAg*<=dd==v8HfU7{m%}c^WE5x$AS? 
zA1wPQOR7>Ze)@axfd8$bKdCE1S7dwFf5h|1XgJ=cVHcprWhB(29c(ynGk1ZS5Mt2o zZM+WW%$=71%4e>(?J7YGFO_a)LH+1c<~?jsYcz9jj$Y>GEv1r$0zu1wPrFn7 zNxQbUw`NQ-DyvuhLEOPO7u0O9YdC*P7J3Xsgr_HYV4*{6oA(=L-G|U6D9MBN)Z8O< z+`aV_0|YZ$HjEitOB!l2Q2-nC-ilT~*9n8ALy??16@V$=6G1RFUeibhBMxBY=72

N|R&~sh59CdEaq)pqvZZ3p%mn|i^l{ zCSVs$?S_7VS@Gfh!z!nm181vG$)V2iC&u(3wE;wAahS-a*}Q!2*n&^^_-6UM`52B@jGfZXpBpTq)sQHuNCpC54)4lF&Ta+cy!b-uGe zzNYtdLajo=(d&@{wd=xHwyN>E=C=N5)q(2!XloC*cJeA~Pe=8b&}d8d+2);% zMIPrjoXa$L`W)X%Hs;(R#nVd7MLBk|8~nQ?h3zQ)wb&}_IwXP`@_K0*#e`fm5E`*Y z^oPgFA6lcvXSzo$&rqzUMV=Y!OD4_*Ga6ir!+|rRH3pT3OwXc{THlgEtlB4f@MF$W z*5EcPJKZx?0`R8?&$b_>*q_!G7WZm6z^S{>;1aA}$X)dKFdF6{X3sl4Lw6LAob%pt9l(QUnh3{)Y_!AglfZc!yx~plZ$m)N6Yc}UMrDA6jg)sF9*1C!((V(L7G>kuJ@aAn&hDh ztDuwH5~Qe;iY#i)%?iVn>jFMaBUYM#Yw}0;#QS{Ch~b--C5s6*!Xv6yYEZ|`1RemL zjiXL&5ykC5GhjdN4|jklbp$;?vm?)G>u~9Me?0tl=XFnlKtxp4$&xRD$x}Osk<+~5 z%J~;CqX!1Z1Wg!p`FF1e-H|M}Z77NAGkSepgFZYFlLGeR;Sk!@I~v#Emca3!bOG$V zYL{h<==`Eu^Cmys0@}O6F1B6kJjBt;Tn+ArMFj;5?sr5O0A6KZKkz$XX(Jpi>S9F3 z75V#i&0>+itge?W+>yv_e|`I;jfhhOvd@f70)2QI>zd3SS9+RIj;sX4YKtfEK|QrnhB)e^ZJj3*0iFdS-fG8CL>)^&olMeG^~$cfkn)z ziMou8<+b zj#AYawPr1>=grIr;~jg*mENppOel>yd`kY)hrX*t{#bT*Zgk(rl5Okq zlzfl*inaomf8A-maf)P3MdMB4kkcxmfO$fZ179rH#0NawFtKNtC$uB4h|c;Fh2*V> zlDfAFZVSg!-m*~8gs7WTx9E}GEzu;8exWH#9aQfn7E{g0F>Kv+lBnkUFb7ri!6CS^ ziHXQ4I^I7&{@zHA(MwawtNs8K^vB^@FmQ5xiskX@$KxxQvl_Bgl~iK})6jPNlbrOj zr&Kk<_Z6m!(rYC+WkRR(4ibsK$|v=FzP96+RD9UV%yztZFSfQA`4-trOG|Y<~BoSsIyu)GCmNwL(x`ulc_g=P@Vrb(ok2!H#&DX?Hn@z4@ z#skm>=(&t}0k~b0=djv+q$A>5F)PJGHC|O3^75>=s}hHFSuI_&*nV>=pBJ9yQP1LA zRsF`F-zjiiVI2IycJIb&cw-(;aQ%1^4^E-^39&~Ny|lA?--vY%H+47n`gB0oOjeKY z!H#{Y%tw)@u+)emJ{Ir8QK!wkFQoX{SsZLrQ%Y~oCX+JjP9^KeJxkv?bEP00$RuMn zbpRF{s1+!6GaB$sa}QLGiEbh9UnQjV(YyD%L@f_u^YZ>|*M9zQDc|Q!^79Pxxwxde zb_uC6S6uaf$AC3z&a`{DnS_leJJQwvV6xPj0HH)jxWmqZ_<_QzY$~;Sxf7y_fmdJthyh_R3i?ey^-$SWYe#Ynj4ONnu-5EvfctH ztM3aN6{NenJER*VrKP*OyFuyhF6mA|N=mvLL|VE<8bLz9yI+6*d%thy&N#{lyl084X@(^&p594st+zw7hyT4G1bvM^a_8Zl^^Eox|^x9o8=JcNXV zXC;FpkB@%j@i|i|FTkF?z^dP~$ejFJZn0qyIY!{V64!R@G~04c&^fm~Dn~JhumxWc z_;hUC7P$fnR;^C!AaWFF<3=apzu5fy>}_RLUZ6>wwi&_N1hx>2*y&1>H2}LYF)?4l zq5PPuNTe&*thOECLv9V^4?Il4&0#)i*iQ&s9kz)?|7ob3y}8ohxB4mc@7*~Yy>h_> zXT{WgU(3(J1r2(YD$S4`jbQ&iw24lZj74onI%!N!F^RtAMI*v}5Fq|d{}cx=gd 
z@9|VwH!z@dE7Y5buU6)uStUpG@D1cy1=AJga#<&657z@#$H&sp{tQG!L>mmb1FagJ zVDiAEmSN`8CQQhIK!AcqYihUq_0VV>$W1;oe@lqrzM}bHt zGSaVj_}^Ne^bw6!e`TrPkw;!IRK7;_)Yj9B2~CB&8YJmn#Xs|9z<()Bv_!ah)1Q%} z_yY0Vl;VVpc!CILs{F?)X>3f)XFV2H*L;uN0IuC;m;ul=q1Wa@IeiKuL{pc$BScX- z#R3shOEzIb=383GSx%xf5%DZ`d$JoiJFVWEuT&lvz)b z=ll_&tX+wWT~5A#+GRgm+ZnR^;@ybY)N#0gefG$dvoD8r{H6+D9ktwH4WaP+Yg}yu zs0KLG1)U2x@`lED>ib5JlZhb@bE27!`!N$g@IHFGH$SRx0NZLkx<|uKVr($?Z6%i2 z_y=^+N0l0Pm|!^D_uE2o#YlHjcA)8?vXZnK`><1X3mS%EoMOdgE$&$T`Fuz#Fp&P} zd8A}mL4}qEiE8??q)ap*=THCNJm0J5M{lEnzasXkl%|lQ51v41&{BWl7J3}h`t0oN z=y2puL?937wEl(1|8uq})|muYpc#xpR^&Jy3t+ozrKjO=ISQWHq^r(S^2#Vh!aOSU zikhl?m6j7eyhP=xsXN{CxH z^cmNePwOSp@rfjYYB{s2n1rTmY)#r)%knXbk?2}AhPv&xdG~v+d-T%XIc~AxrYZp~ zs=FQL1RA@#uoiD4#9?84Qw49{6QnJf)w;X6bw5AYOG?xlb$tQUHG~GBCMpu(Z};uG zjRSI*VOUUUV+?;CRWH|OCg~HT6Noa|f1zXg!;hwqt7KCjNgyh zB<-*RqGNDL-*XY&B%SX-KFo^j?%?%w?Je z!vRJ`0IK^%hu7)P%^pz$+waZxku+5}{2^0uBz1ogD)pPA^Sz|5)B^#4BFdO3ip_Pe z=4qF$P*k5QM7>%+e*G-!{`cDCjF>Hhsg4*4CnVn1dGw*kv*Om&{^gDaq&T1yDkX!CuJO6nzeP|{z85&N)Q8{LS@oK=;b6uwH>3`W6LQ>v*zb}oi_2INLr0<$3!Bc zHIx5kH@&=Xh0 z>g^J2azCom^j7u!Y;52Ah3uA7RpQx{9QAH9xefg~3*j5Fv(3Xa)(?r_wi1#?QE<)h z_B`p-|-x@dlHViz``!K$MRXeG_!a0bX7<8mZu&yU0l_4CDuudrf(@9oKbQ zF2DfTuQxw%g`SA~3!v_%zW${)O{Bq~gYnZtMcV(O3?!hxSc#`QSyc8J#vX!$uUp$q8%Gv-_Fj?aFbhKHTd#tz`$8vgs{-0wUU4WovX2?8M5ON z*~7-uP1hg9K6Sn4$eRUI*c)CxKKz&$NPixx(OZt8plAq!gD)=f^YhQdxz-l6VN8g8 zK2dxm1upM;8@N2!1~}+%W2y99oSZ7GMTLbgM5Rr|-@PrZ-%j3(&TC^sObQxAT>e;% zBGjT$qi@N~9Q{Lx!EMsVQ~qsqV%7k4@K=g0^#-_n9zcD8xdHq{3M{*y^Hrl-)Sub` z|N5-`kn9mPSe7A%r^rRreq#Tl!=e>r%0|XYq&?-l!t0;|?6x zOL(->vNG|$WPUBQM99X<7Vq_Vg+25NFoe~H2Zt59UV}j2(nEpk`!*{$OH&kEbL^GC zpKLABxk5B`ReWr5{|>J1BC1@j!B||Jd^Ma(>1vD* z6#+J z+rIo7x34{tLnMqW;5Lu9-9h~SUmxR%!%c;!iHS?Tjq>AJeN0SSX2wrzokd$cf2W^& zWZd(8zxbS413$5KEFT9ki5NsMgB?V#@?&@|N(e>#?m$=amgGz8@4yDba!#T0tpyq9 z4#yL>20T4{-5Syb_9rPwtan>X(*KgrIF02I@p<`jX(pz9$4*lMxt|gQw>VH7`l!zj zmHa>>3L8Maf%@xqhyz6gpZF+~4Ea^)%zJ3QYCw-KFGmHx!8&gfI=x@gpMFQXeIRt* 
z^+0)CUt9CpZneBWadRr*_hoL6u;%0b$Z%IjQdwKosk`sLgc1kp@)KNah1nE1b;&u> zxvQWlFp*qT#P%BvM-_WRf>2ml^&2`EETxK9CQgX)(*p#9$BSx>YV7)zDdASyxWO=k=e zJ$;c|CL_eA=gM=T7s)CuSB=%A`pBYB6o1&1_a1Mmif2SYeu>7X15E>oBn#=bj?Ceh zyr>^EBo9uZ`S{fOs1_E70M-Ra;-= z@B98!Z>ekYxJlQRn5*jb)!6PkhCg-65^anR*Zu3v3U;<=kex2caFetacj&CLy8X4IgfqdZh1f-RLMBoa#T{Se84I2eMvrEF{bG#h; zTB+^$0+FX1Q*kksOhWVzQQ7rsRJG9+W~MDI^Qj4rlXcDZ0MCVKmJD}mOD$#^GFW?A zp2 z#PbtK!ux>A{%{;&D0vyi%LJsnfFF5=;Agl~f+Wa`jyIT}BXp|*{oD6ro#{5-1r8=* z%Bni>X%M2HFh3vsIyo$uet$3pEy} zRx-aCJ<7y(kj0SjBJn_Nk=YCS74CJgx#tJc9nYZScit+ey=cY7kKjd}P5?1wCE}?6 z<(!J8W!VSw4*;eDmn4OXoKRP>m)pOUGJeaFM@%1A3eZoz)Y|mVc zXM-V8W;>^~)KSo_Eb6mg-$ET`Yp_D0(CWCl=)7nu6HgyRj%Y&hx^sZJ_|n()Z4YLU zEr?gl&CFb)f0e4=<`60i+y5kmPbX5I9Dty8(6YULS3YBp&hmkec!`#-+J@xbPYO&t zP~7kxbWn^KHcOxKIx>P2YgSocJ6up`zRE&lSbioI9GYqqxyd@5dw%wc{X?EeB5ahk z3{91AP|+Aql*bD1__t&A)(a+n`tbi6aomWJFz+8(~XI z@2SX%(NJhtH4~EVlpCi$93JX-J=B#(=7;^Nsg`OSu%m#P>G{C^KlZog&K4q36A23r>CFQgKt|r!qmct?-jD$E1 z6X-fH9{c?iE*n^ zCj36R^SLG;o4vPz0n+=dw)qat`aG>}xA6gDjfo}p~y3wa5RPx_iI7Eouy#nN%n zT~~sN59bnOrCb^bVIY8$>UA#b05#jt{!9iJU4vI?iQ-q;K=Uw|qKvHTAz; zOo7*BHWhP4+p|;A^rHdWoUKPMZ}Iz5UZX$QUe1^o&DN;7;jV9gfgFSlwB&(st_R51 z>}MLI1;%fA301u@E=szcP-%(DBxY$0aU02!82O$0dksq_Oe>$DOa*ScghAN8(=+D2 zlCseoVHCwFa2hun3WdTp)V_F=zAoBiSD^keNDPW07rd0fo* zQWhSgmAuzAm$RnlwN^*EyDTZ)_A+1cdBB)pF!uod6Bv2CshH35?_LgJRG#|UoV|y> zXlAI>H?O~!jL#``+#LI5wE_(etSI8$_a-age_>%^0Z#!hCggmz^&GH!q}8?o79ga7 zEOD42s6|@Ox^6G5Zqd48S-XR4-oZ$JtJNHb%sCd3&-45mHD^{^#bh0o6 zH4AZdi$mJ+jVkrXjttkkN()3sGK@1RXmR=8B{K+_2uzQd1#-Hx=~kdG28b(&c%A4- zN=hbS*-zG^=QXj2n&>w!>Dl5G7r$@OQu=1FDmNv zS)Z4v3`lI^xG`~I?0cU2>NS^wYUjMN4Z|I;yEd{*hq3`f0`};3i^jnIJ5bNL5k%nq zFNmhyV$Z7fatu9gH)&2C@hP4b>Ck;wC3128@ry zE@owUNg7zzt=HdA#w;_GNr)6Txv8=32ce{EotB_=t-Kl{a{hKLuHVPHn5*qr4YN>g z_v<|XAzQv-`AWg6tx{+piSUc`E{dg&mckm7Rr2zn3Ar^(N82dIcH->S`(L;NW{fqcH#2KE~Nn?gub^yX7S37+G@7O{>v>M zb*DB7Q+BDe(i0;dnu=#-cA2Fra(}+dH4In4M;yjS#_7yaAj$Gtr4HEO7}15U+YC+w zr}6d69QwMJ6+NJ83G#{bKwa%3*iTwTt{(_o#C{I?tZ9epK_b9STB}sPptpzAu7!_@ 
zU-31XIWN#t@Nww9E7vx&tf*e?7R;UjLGrcX*tx&D0!T+WN%r(*jnzI|u^n3GI^ zaAvnU%jP_SaFW|}tjGdUQsMcs)H-}hlK7)dkaEMo0s4?kk(acyz&^3~oNKBZOp(kT zg5qIkcgfc`511Ad4ksER*Zsy0Z-x#-M$m_d>T->`?InxN;`>ZoZn1xZMg&fXv*r#C z8ZZ@n4}-=toTsnJqTg2}y&0%7n&w~w4eulmT_g(*)D!@+Y@7Ai#LmE2EVKoSfo7|& zr!dDAk>f7|4CgFcg0%{qhT;UoqYz4`b~rMI9xTob^HKjlb%!o zX~o*EAN8;cB_RF~Qx`k8#Yo$60@Xh^1_R)flh zkgzI8ix3U5r~Io%gS$Zf8-;3zr57(k%;Y4+HEv}aq?s~oOh~{RbD$^y8I(z8ZKuKL zP$)tj(jjrvn3fh?D=C6-OQYJ}56rZ}Z&+CaQ0egYVYyS9n*GDP#Kqq)uZV@y_9b9h zi{$ZBxJQN&iIVhc<6OIEZPHvX8NMbc2v^@p7RhI7MFP^?ff{`U)9#KRpDeg#^W*f4 zGKR&i0y8hK-yl(4s@2y%rvYs`N9kk#RhZfspzKYd8WFUe3_|}tB@akT#b*V@e869i zCH^mn2eBUK$_7^p?jOgATYY9liFfBBN8qo9b^Ye^L66`hGQBrN_gcf(^tETU*a8c1$4mlJ z>0#Q9zno*3bbVg_b(-P2QmMHNU+7#e#~C7GQ%Y2X1i)fVh+C0FZQlwx`L5<|ggm43 z`4v}H5n{I>C4>|hhDDgKH7*~;k%-%tPhQ);dFNa!FVfkBfeX7$x3%BJxCnF6YooA) zV^8#kQDs%uu;vmEKT0HmsqKDriy9#^Z(RPd-}+;X3k65hg4vrzvPuEG*f$ps4ZSZ% zwe(KJ#;rRU86%p|yPNUwc^qFMg>wq(rKglDIaVpjsh5>isa=%Q!jOiG6kjR=JN^1& zkb_(U9mVnrBd}ESh&pbKAfc@M-l zMG}d3&d4#+MV;PmHGVZso!&WkNa_7ThTJ8%F+5X22Q!8Yi+8DB>VJ^%8_KH;ey$ru zEpSr3DMpb<=zAePVq_Gts%r0*!NW)F{0jCR+M9*&4hfZXPF5(SgvxaWb#)%w+M=UM zEdBW$x-7GJZH2=QY4CvwEc$dHw3mmz^B<`9l>tG~!5qEk`gl zBoO*57VQr>a=AM&qc3NiG-qfbxxyOG;p}#Nq`TFkL~KC!b!@YZ;eqPgxKmABo*+mKv=ThGX>ek zmQpY6Vj)hN{S$!CtY-2RRi5eV_dg{0_?VZYdX{|sQ?E2WCaf7M$Z$gx_?8#P{?Yk~ z?nbtuT(0f0lVgae;ANz!k|ynE;#i6uv2oXG0VVMfEuA0-A$+1BiK?iCj3L@lZ0wR% z3;w2U4eMc5I+`oE<--4kFOj->pe+pdTQTw_!(@1Y_{Q}fcHkvJWED-WQ(U~wabC8PYG`r{Q zpDu<+VgEgx#|b#)@0^Bmz>Ys_QA}QO7UE1uU)UMTw48#pr|Mlw0yf8 z+kDe6@#JDgD|;1Lao%Tq*5NYk4+BjQ$e*}BUf+Nl`I)_UhbG zSly=eyQQt`6~}s*o@(t*GSeJASE0@>cFl%;npym<&ifwP7@iI5p9^?7x?fhES`l^Q zVPPu-3tXps^-a6iExvpuz(vw@Si2A7cgp9NpU2mJ;GoRXmV2n=0IS8Y^g3G;09*$k z&+-Ix^@KnvIGe}*;u1*V{lY}!eG42zKMV<7$!+Fvj53LK`enag)|3||k$f3bQTSH0dMbvD;gbk#SrtvftoK0bXPwZv zeo$2y0NRWb0i?V+&Gm(Xx$-rySR=F$%c^2nU+aYH8J2A2*1bX# zm&r=2iA%7(mJIcL1D-C`JZOdyYwpXbtgHm=2dNUG*ZBXkLmH@#b&pqbJ}w29y+-;{ 
zAd}lwR%-g7Ipm}`Y^k2hxfy4$*lhdzSNlAe%oQpVBc7xRIR0U!g(Za%_mneUl1uz= z#g5vj&mFf)HQePD-z4#R-&0W_8;@NpJR+eD%qFAS&LQiOf2KU=k%nW9 z@)WmDHhj=S1sjSrz0-iXjc1n7sylg3@PtqXRkZgxhPuIU`RCWshE^FcwG59EnjXdu zsEg4Mt52fhh{>(vDUE!V$oI@v&5Q(9QH)w-MWQXMF?boLpMsH!hERBjB9lKhjtHp$ za!6W8b)d(|eXP4mslap@({=NE+tM`*hH?(DEu|D@JToS4Z7fIOUsiDqc|eR=ld4ef zgH<@@rPHF5dsZ=#Bz1^i5fW%=E21jKF5B~sJqtq$RZMal9=Q(RBE{FFw6tAGIb)P< z!kNpM7)RJ}7}uwaAC-@KRvCuq4s%d8j+U|e2y8w*dd?K94FvXiXeA1dpvX#ggtRog zPO5VLLydSgUUQ|sC>5i|{n-&~+14Y=Ps?Y|eT{7l+ za+gU{MaE3$pWe1Mks@(R*xG3QxK}eSvp8IsE80G%Y~!7!3U#qX5GrZ%N1vC~2mq>( z)dAuM6w79GBThQQZYql3E}%1zG@dPYTk6H{-ajIcb1W9t$nl=ay)d+LfUO>>HS34IY&`k zq@y@fhP?-TTi-n+uJ!sNpDcx!EXp=aJ zo`()^Vqos9Ry=*ed$;wK{DyqMO0TLpnp&^1H6c>@X*IEi;}0nUw%pt;`^P1Phc_dU z`VF3W0W&!tSY4|ys$>Rb{==hmqFlgp9d=5Ycy)|Rf7$)oFaFps&+Zm6@%^#;T%Vum zRaDHzS0Z)@ffNlUFaBu1a%o1C#4&e%sw{Q=CI7)dWwlb2^?dAU?#*7cXO6~VX^o{0 z-^#)w!b^LJEm)W3HqzdgXRE49sWnoW$(>Ra^^Q79C~^d+QoZUz)?+@%NYm)bhq_OB z;#HpUs3cfqc$rIkBc2bnA*PDV*dq3^&YRO4mU~D~>$#gP9eUu}Y(o?z6${ex4 zXyx!9LLv|nvgG>}Q72yc<5ALsT0B$DQ|t}S>_|PeSSfzYe=%rH!f3qI!e}ZBFI>kl*>nfT-?Sh`7awRd#eiWu} zrTXQy%-tdOAGEzyx;Y2BEUA+@Zjx9iP)MHThvc~9nHePb*Q`v9IC<3y-!o4PzF*N| zSpQUL9sMqTpJ_a4{C|nvxFF}d_@Au;Y^OLR7;w03jY-p)ba*YeYc$as(sEIWV5>6c z-yASG1ok*zCt+5(N%t6XFjOP-h6oLce zz>Cdj{pL38CYW|^6%LWNvpF8YM8#|1)tZCHGhfA29q+KrSv!sqEM^HsCC;+(@aJ*0 z9{v1~Q2|WBLowLd<{Z#D&o-EMX2OAP{hTWFrCx-%M3MlMHaYDVPhO={P*vDV0yYb2z$G z`P^Fh^t%-0ZrGNA6ibbBZ#e1Ge8^!ZC~uDSNI{o zOmd;>#q7fGcol?jrtZZG@mm8rEtd5@D!;w~g2ddt0wumf4hvWkE&A9#_YPO3o>1M! z?Jf8}E<@EneAi~u1+}dS`)E=bfB%wFL1yqwxpr|cjH(SRQJugYE?*3#f&^3!)7g_Z zZw$Jw)<*T)IE`Ce=UU0n*38{>>TWM=zlbtv<(6?i`M$uYaqGR?8(u^7#%{m;d)r#; z)P{GZPF5-OAuFP!gs$haed~P&$hFw{IDE7ACUfsv4=26NO2-Zj(>GlUHM*pm( zgQ~i`M3;Fq5IOZBl!-NLZ9RIrertNVU02QV<96ohGgkL)+D@de+^UkC#?AJ-qv?Q` z>O(!HS;poe$ccaiK_T5+W1jJ$9AUh@rQh$KFhg{Ul{zK6V$U0!s0_nA7^H9u2R@jqy9gR*v z=R+CbzRq6PadNqxc=2WZNy~!%M>YI$c39Li4%nNvnPSCA%+DQfnu072e;%%;6~day zJfE*L`t79S;jQnwtH0ypv7*wN*IL_9&W|sN2~hT1K+igq#;TJCc&$un{Q#XFF_-C! 
zMPo_i@&p`bcwqzz5);{X>flNJJ*_@Gz0;a& zzT9Zj8Sr%l(6S{6Z$(LmBE17kngXmmReJcs#vp;&wqzL#3y+lMN^VgB5`poSBO!TV z7!W};*4GHy+T1g2F#edk)P@Blx^rVU3b1UgE;#b07 zxBasB!Mb-zU*!4VRxc~h%-!uce(h0p8J1zH&J4lgV6`)cGhKI8{2cwO=4XtnL=utW zM*P}Usd^4hcFyefN`ZQNhBaKWs(@(nVFC=9RVOyKZE~T&=gy1!mSp^Z(iS91>mGlt zB6oSQ393SFKz8>Aq}_x<*Z{fRAs{=uhy^@E0-)i zlWSLc?RUHd`0yfAl&26{eb@ZoCo57F)}BsD=F30}1@=DN%NB|k2z(6k?wQSl*1g_~ zM&-U=*51NAxp=j1f$9&Wca**MMF7Niaz72PpkqdP7lEhx-mYFV9{7e#?PD6xUN$?=>lOa!d^ zsC;-K#i8B3q}p^xQQNS{S}V?m)k>fcRU1w(NyE(UfvW15ZMO5G%hlT-c~5@$<2?by zh&zM6;HI3$MZVfpX3m{|xYl4b;^;pbLhqPK*G)M6B02ddj>t3HhjW1}N!(-#+$J3G-#s#oD7& zQq&%U{uh@q2q^G;CxoTp*F|dm-GD?~{wvr^|uE|JBO$qX`-K3Hw=<}ta~jX zE@So<^#aT|0HrAr>$qv~b>h;f1P zdrx-wJD^t#UjyPc5<@>e=m+D{`E?PQ%8y2xt!(xX6jJ~#K{6ZbifSQ^?Ls2sBM~Vd z)d2J|l}g8RY|R1~UAdio4iEP{j}2vebdJD*L^8&HIqAoWC~POBeD+!;d`DF?`eVSi z2*?BRijJI8j4bAdtf0kvfQ>lKPfSC$Nh?_sE?HuM1pCL!&{J1Ab>pC-{CE*frtlID z;TADQQNSTuOsi$y8bdHj!${i4`kwz##R6GE_Z@ke)S32yGnGJViRh7WG+vE{{KR^Od4qKdLAN$Tx4OnL(rCXN;0>2{jRlf`W<3O&V#P4EE45MshKl~ zshUP3y-xk!f5EU|e$qOF~ zpOHH^G*rs7TJ+6JZN5;fX#O$e0!IZdFw;RiGWa)y+sg7YM__ zV?49#!RUilynvFySKEf^oP~OQnsB@y3(WJ#gJMKuQk6+xuQt3L5ceRd1<8U6pwhBN(en))x@C`;|*eqA@DJTzv6v3#oafW!*RMPV)@a+T) zoBc#&c5!IZdJ?gar|LC1SkbA39{aqVzKnaCNI&@+q4*N#fxK>x=E&o3heO!M^%i|w z@A*y?_++?P#VwJ_sRg~aqM1)(0Z|5obymk|A2Y!+yGgQVp9L#rAX1oxsA@2t+_xJR zx!_e2dw+3JPV3{YG1|E-fre#x%poC$325Ql!SnLRA5fGrM{~Mgz~+Qj}V|(rzSeT}lTykv4cN9j;94lzRAF zf>iz}I`8u?x|d$L z7LKk=+<%845JN*U8?{01EX`|)eJHPq8=#Ubz*ZX1LZQokI~XR5vB#hK8HJ+M&eMWQ zCanWkkPTmz!`AAF=ayE5zDmM!u#IgU7ZKDEXpfTmcJbmu;4W7fI; z*ZQ5O0vdI)@vM2GBrPTKtdwjuHT`}gQOH<1A1Vn*!kZ87hYFAzDC57E2_fni)r7+p zWlw16SH=>MI!G=N)hrnq(`cY1kddos6wh2Sp-Ylk*YfZVx0#P!Q}smOR@2WP%G%06 z%CHvMu8|@kwuAWl@E}vbDK0N*84HXXjK>$EO@@`pxXT}*Ve!7?-AiaCq^sIuX=H)M zCebjs%z<9EWw^^y1hj-IeHL5PClMo$oV>eDU+I@84O9y~j`JH2dn*&qvs>rYP-17f z3Op@nAttR@CbAL^)1r#^d-Q~gYhV|wo}l|6*$GivFg})rRtx>G9*PCgR#}VM3`N%Cb+Dd0;(Vel6OvPJF58>g&bnGd(v52(Xq~7_z{o(aQ<@v8Gwu6) 
zXV!|<*w`%%o;kbJ9An6!W-+^yMH>~8R)-eFILWwCzl|RoJw_o3(WLS;I}2gwnb3~tlQ zL?NO4HD!uSS~L&jSt4piMr6*SPYH$%0+k$C@>5Hsg&S!5K@6mR6P9YdgF#)-lNI^> zIE$l#BW574o&t8T%u~*L^h?XGYZvdg*H3OfL0&z*ygl@sa%hoa3x`Sc>O&$UAK40| ziAl{wQ2;JMQRkS`J^Ee6fz8xgV@Mg``Zk&?Qv-^l4qOcOD%wLl*J!o*?7MMX-tz@xq(BfW1yACGew>IYLQD?)_z+=@+>vG1tk-4?Dzz3<1}O8pUIOag;A zHc}~1ML#D*_*^ZnzvIlViW5=YhyF68!mP>&g|4(=C>TR{8S^tJCTD)-diRvdYJrqu zRzMYRnwUqqU*`48NVyiIh+QQb;CwF^TyW6`B$~c9sJe9(uYN=H@vCvr!r~iiK4*?^ zYkG7-YMWNij6S{XcH$+=`>r+|a)iPR3J#MaSRammr|0SI$AkX>W_Xq2V$RKB%z9 zRzIwpb3?mv*A<@G3onakJQB$a#&>;!1~=bU$uGv@3d%Mqsvm znUe0nOu4SHp&^A`g-S3Z+LVIO3Y^~CHK#!O(Gi95*~;vw-qIL2t#fO4Y+GlRgy_;G zGoQY079l-dLgAW0AML|Z^7M_8j8=4JLFUyR0@`tfrCABBe670TG4qVed>X4$)agh;S-!h;}3*B zw%F9YUOBi8D}T0rOA|4-jZDk>7{!lNHB18V&HX>bH$NvkU5~nl ztHt`-X|KK^nKC)+^SWqJApPCcltoDRle^6?*vn3F2Sz`e&ye!}1QAfcMLF{*IA{Ly zH7fd@sl)hJ83{e#z593CdJq1^s&biwi>I19u^gD$;td!Us(gwd0-P&Lw7ugD)@%hU z&t<38I3PJ-1VPZW^s!}yVdf6)Uzn0ofgao_Gjhal?CU3(2WbRzl+L5g97k0g=>YsP zhwx%cA)ai&&X4bYA{`b`+srS%c#-XXVf4|y?qbVV%X0WRHH(KTi zvg*0pb}oOvY5~52tgOnp;;$#076GWn>q3ufUvJ5Yqi?b^8=xK-~MwER(-p z1#2EHkNEJAob9iT^h%KW0?3D*`=fAk*-KnJr*iN54kyuiuXaodstGe*rU#z_-g_{G z!{h6M!54}jTvOk{;3cuMX<2B{F0|@2SFS;QkPUhe0D$59?XXQFUm~bG7#48+e_p71 z127UHn^6L?7VD7|K;8cJ^Sf^#@_GrT0RSr5H4)D}Xn3&0xDCoSrA9$pNl2VyU8fLf zxq7aOLZxAcpS$&^6DFfS!&fSz!1%xYnPU2?nerH%XUcG2)i)CEewM-&zr8t~n3$N+ zFPRTPM8}f2G;gNPf6Dz}vStUsNt6JzfWi?|;ujqt-fyy<00#Y4>sya85N=C=C^Avv znq>q^-tT|9N9i>!?O6MgDgP;_NksoM5l^Nz+U8{dWkgOJzx1%_#BT}ub-?rRV5`N? 
ziky?A7EmcXhG~@w%F4=g`DX0_6vu2BkMj&bS0V2Kx|eHEr;vG?~rrTyHo!DiQA()^4cJLk9+% zi|+q)xPPjq0)B+0%1ZXPg2fu86=demIl5;F>04SytH<`|zC5{ow8)BUWVwwj6hl+c zFM;DU?F-;q{@6sNd4MX$(zOF{^{ReS^dqzv#By>CaLo4^AQVGkLNEj@hw=(KLlE@l zpSbRjv~2rt%Dtl{{rGC3NRn^YHEU-W|((VPoDP{*0xrw znJj+Z5%<}A^>xuCODA#755>^kzw0i@Btyb^Qn3m`v>{w`c~6eC+Oa0WtaRS%6l}#A+ zX$AB-qZ{-3XRPlp_$K}gx_Kwn4RkYXquzg%IQZvRg#y*{;)**;t%|=z;h%SqKfR0e zD=+e|jHD@d@9Sh0s4@M%MbI}0h=MCzoCveZ{nyKB%HV=Av84VU0`&8*@#<1n^ZWGO z=l^N!1ixnkCIhCUj#~ec#-B@&DhB3D@EWE5``<5T0i|sd!k6`XzoE;U-UqM7OTan( z8NUa8S(6DY?*H8-KPywu6?IywR~Rz?#yD;EkF^y9`0(e->45+2zNox8m@c?Il$b~- zk)*Lb82?e%|7*7Yzj>+kbMH!o6Z9emd*_?nO7;6|eion(f{~98JKzN${3S5^T);Yh zrgIkm`>f)jLy-KCA9nrqgJ3ye2$KBDe;*OZG8uD0VC6B^eBj?d_zGC`_SojHzaHkF zOs*i1B;9SwimShW&=(iXm?U=i_@Bfokb{RgV8-O&UCq%j+3z;I-lt;yD8PhBV8Q4 zVdiFXhy*_lX=mVZm@NSbK*hO#q@-%h$EQn+-)<6kAJ*^3o{!;yJe!GX_vT6VKSt-H zhwc&!>O3#xTfS@8W&>eeSChx?Xh(D7bBA1ioL@K}O3UpY8a8+kHqUL@_&2FOf^OzKCpd|BJ~fy> z^%&$KF3pR%-X|}`^joWYZ~rkl)8bH3>RUGc&*p=zcm@@vE3RhPzop{>c#_`Oc8>o) z>Bs|zwfAZo>2C>pCkqZ-Jf}wfFF~*H2M7M_iwyan!-oE}7dBYxgb+ENA-Il34(=swH{qR!^A)^SgY!|H&p^sJP|AF5E2F85BUh+c zBvSaCYWdrI!}nIx_4kD$pD6BudXR&#?h@tH!9;56_$y$c$nVsu8|xq1f|+xkJHyEf zTrKLO`0CLK9I%mN(2%Jw61y(d-JG9cngpuHXQoz#5n6jOEmFEfC_d!lG=Z@`Rd)0i+;QDQ^Dxt$}8Iy?UA?-}{ z3;HI9*P9Js-Vqk1sMi>08-w*3n3e1b#(=*1)QJ9GOEbs+YWL|-9BC79_MJg48qA%g zYma&oE$wdmX{iAOHDC(Kb+u6w%Kc;;5Wtv%zyQa1w7i|_u8{ga!lP*bq|SRGS4aWQ z?A`_lu%yXoA7!SudF-l$s6xpBz(})x0kK|{@82%$(5RCcZ9n4%fFQx>g&XbMDH0aN zi}MvnY%&3q0eO`!Myl}Ytp{*M3?CmhasIKAy5UlDU}oV^Jh?%7<3Sw`6KjK7>5mn? 
zbRyJpgh4zv5D5r?ey_b=y;9=#mpCD+ARK(hJ46vmCnND4WD-#c1%j@<%8uMmK)hxy z!f1(_J`lhx@xXn6aQu1|9Bo#IFAx!EHm*8FMh@0uLC*k0N{-QTl>R%(fs?I>jJ8UZ z*>~R@sNfscmwX8MhV=HK9N`aG{w?rhe)gc9HNdT)%2MH0e?f}e98#EcF zHCnE%q=%Bu8dixh_l&FL{x1GX^dYsT1gMmdg%dv==T|$B1J1i24IbG99PUUsHWL11J#gO$liG@|Y>bFsEy5aE2*F?xp3_w&iF zi>{<0XLTR)nZUPP>_TRCHo3fQBGCISDjWR1W0-kw%&ROZ&EQIxO9ATCzil`<_VQ-U zUjyH-%JmW@wn{M0jb;Z20r z*bR0M-lt!-V!0(iJpMBGUKZc(l2xLO$(Sm4r&lPZ5Q=-ce3YB^T|J@m@dbH=Jx&*q zZ-cwOV!1;oQ}<2If1Ira0j0NmX*PdF1gbyg*WVWf^4Ftl>*Cjp&Zg!c{|LR%@72Q$K3iC}iRpq;f zjMHwwag7?Of92cP@)k+8AOn>osB(90&If7>a~Y-19BwX;wPH*Z(~3UqbmDo1>5%4p zUiME^b_cVYjO|oFm{Fw81;rBNt{umq9r_x~ zf`iU>Ti&j9F>&nst@NcdptCtOG~3isyqGwR_WzD!M@IXKp{f}*{;uYF&o;?SLdPLzn(FqE)GY4vtk|3V*BZR;=)$LUynLMNjB_JP5oQ3`XGCQGQOR2vX5aR6%!1}O3>(K5jnTKvtQ{KCG zFPCcp?$`Q&fc%hzFs)(pJ1y}f1G#-C8_e!9U!i3+822IO!0!t__qfea6hJ&&0dfXP z`wgU8#|IgBT;0cvbTZVlXL9=XzKAzoJh%Gh{IY9G)^kbZ83WK|s1W5;repm~`*GwG zhqo`>y=NOA-m&^O0>HO{SsApW))!%8&}2s7>bl$lpFReqITl3g0G?#l z$m_5ih!J(jhIY#Q`>0nm1%acAlJ?;UqW8=ftBnv;@4R)B&5(2ksteShm3;~NpD&C$ z3XjPbFnDt3P(y7K_zYtxQX-yp>g|iRzi&A?xGHbG!huiZi2zJP7}V(itxo~KYr4Mp zGL;X&V_d;M;4upWxQc4fi|*7gK-9tQ3r6@@OmzY{5)vKwxx;|j%#r`s`3z%%Ywpr6 zBg+6lXej0jOf|I0paIgqohT{cywbe4C+5=l_ND%_KY;TY1Ne}}Y?}+JZZgc>FYzS2 zbobL=fpMHrb3acG>@|-TVv$7mxr3w_a3c9uuhPesnUz9DVn={O*?pE6G)+Utb)M z0(4hiiR(MO3Od-ib{a-2i@jd-C+P7?|?=q65S#Z=lpgEEOOa(e0!|Pm_WN*q)$y`RY%ey6At< zgKZ6P^Ld~rl%!^0>OKIVcOzJUR2vlDn0?dzUvH07OB)DiC_pe2*1F{Xr5|6z>wV|{ zcro`-#eQ6FcYKca4}iu^pla|OR24UNJOrs3pg#rIh5i%2pMY>9t$b~o2-Pd6yGTA3 z#9ux;b0Fv7*QYoHh`#th0_Hya!tu%YpR2?$4UomuP+2%Z4fFC`AIq#c5E7~Evp#xp z4xog^-%vslKM=4S@2EYcf=~n~MHE!C07HKt1R+RIZro1pBO5(4{T;$K1I%Fu2jnvG z{lLD?sMk=9?^hkRI&}Whfq28DKr>8=%6T$OOT!f_Ca%@Q_l-QFw08JYOa70PwlneA zP39~+Q#d`i|K?ts`)@y`;1%%C4qUbtnIQ*w=Gi9(E5e{XRo?kO9Vk~jBuQWm!oXpM zYAk5+Y<*ENh#Onp3Dx{Txu=+}04`i47G*mqVm@N35RQ`&Tw|#p__aY^P}J$oNsAY%7dgms9yZUZ zFW=c`%Wuc*BK(DBPt$-W!JM5DYWjf+ox=@MFcYA3+Xc7}?>n!*c$@snG)Y~61W@rd zNZon6mM$_u1{r^2DY}$B*nm$85uFHXL|FH|K+Jw|xY~9=XjFhemek!bz-f2SNYq(@ 
z>H$*y#qe5r!eQI)wFI_vH^dt8AN0$0FOZi4f- zBZmg{dhnrk1Ui-(%7WK}M9#y{gJt)5LHW(fZ*A-Wgg-62b{YrOE1?_Qk;%%+PcyH4 zzx>bY{cn&b4WP5SL`?X<4(Q*%0z-iG(+~hZ7hon|GsZU;alL0-emh!_w*V5{En^pu zgUh9N19eM3OVOsLqJ{t&0@J)PM$!@v7UNg4K*qQT z8@qoNc=4J#`xRik=o)~7K!*U{>^{iDJ_6DN`Uj!{p+1aKg!b0Xr{yMPf3S+z7n|-N zLiV7lkyqHG5FM#+7q|I+_q`~g!r#zhjq1e?0mc@}*kyLHVp^mu*G5+hoskLvmTYK8 z1n4oq5l=)u6&PHx5V$ zF)5gcEX4<}`A$@`TJ2XjsSd?u;qr_aLCgZ&)@87pP>9Q0Qnd2his?KqFC(40hQt*E zD1EMJniPeO0T!^wp(f(KKTf(PAP8EqelQZWf@$PTm$=berw^-YA}pX8Xoo2MzD`^9)}(8^~pY`(VZ`e5O} z(hI$58-(4(rK(ShG!{oGK;`t~76Jmg$YtNE+IF_<$QCuZ_BFq4%=sCx;t5mfNtz0P z2Ps)QfGz$E(!}ds0D}Qxy`}fubfGLS_PwuQ`gXz7wI{bhd@i7IgdrPPSKP|W97Gv7 zEbH`01P>YWk;e23$=4^lZKo_>?~uK9jEsM_NR^4N`wVJ-Xt)uMLMnGrHebh6iHioN zGcEGR0eICo&onnZ)HSl)#4f&4-!n`n1o-BE(#ur~xE0CJCKKRR?14IeoNsqZwgJs$ z-Qs85VOradhxL6}9Cgpc{P|)kK(0IIYKK{J1fip?g6lSz|0!&AF0p~)m4G0V4x^(FeB>00-(baZXV7QIRiqmp^j8Ox|0+|u zKK2x$AWE*G9aTOI7NJkm$X*O2oOj6_t9#~U=5dX*2e+7I)!$d?4;iVqpak+Tos#&+ zoQvGH7=L#HaFdi7?tamo7bHP!f-1jKs=DIW^WqmGwp;Jq`Y=Hfmv*5O@Q4DtWW$Ny zPz-IA*q;NaivQeP&JO2Y1%qBWG_vjk?-#*yeD2zIP=ldW;J!g~sd`lJ%+Hhgd+^YhBQO+5j5NH#C$cGUn zmDUfkF1QNs;lC*yso8^IBsNYkLe}$FoNBKNr;r~fp(lJEFR{yW-Jd36I|}Mhe5&Po zJ3oDlH-@DM~9yOGv4digb!d3(_GW zN(ussbazRrl%x_8(jncQQqr9Hpn#t7zGHkh=Ukj|yx3#QX8&V7E9U&w`i7d*oP<4! 
z-*cMt8deXp^E^!%LA9fWi(#tzR2+Z?2*$D?_n-A7wtz{z8^C0$3`bjcYECdPnV`98%D8~ho1=~t$C{z11#0d>#QxX9_H zkL(yL7mnu|3`Q8wRxbkb_j8w)!z6jQYV1Y_{bA)Gh++%aRIRLuo);>Q&>&Qu+5_lT zg|NGCK}X>Lt-ynsh=K^#+V=d7ns9r* zwE1(@j`nzjeOf-tB!p5xQ5Iedz`q_?Kh6*`+wX2nm=sQ3>i_ocOdb2p!~db}3~bTG zEAexBHYl?NzhG%*!d_+QXu-~hcl_u((gVmPN0eN7J30xyXnoiVK)+tVAR9|fVU&_K zzt|l-?qmgc4t8@&J?&3X6}KvQ&Ed$}9Th+IdGR{wNs=QLx$rG~P=+bxT-3rhWw6Cs z0j}8_zzy`9$3W^q38#k+FXlF>L(+wgIu8ahVJvQ!Jb@>B%|i{(UN;u>#EYn!}?B-51At~<|?X5sIaZtzyYlm!QGo*B>lNt z=isb|?ctrw4Y&SRw0G4|kYfWv?%@0-$Yt^U`bnmp*68qbLt0O$Y`^0}OQQpBB7oPw zW{h=xeO+f*Vt7Q-{ZrT0yrqS@5`TH+ht&c=PtyG}6cYZ2b%C=L(j-$Mxjqc??|;~g zyzbKW{Uq~}-?7c=>qqs&hc@a9aE_BhtSH_j`f>GN7H#*$vupaHrv@-TAD^FxYoTh4 z?6|)2K?6zC#1Bt-%UhDtc^f|;Fk7deUK+j7+*>=@u)bNahAdiujFwFb&L8wJ-<`F=`ZUcfn8=8-($-K7%iOJ-Zr10T+-1adeeN2hNjRy!l z)c-l5mlf0X?G1I>f9ehUOc%jjglo*R+9oT^l8)GpGCpU(mVTzIg*XJ}(wk=kxyV44 zIfZeVYCTV1)%(q|6V1DqvL+q8>vcB5n1=PPk%*53di6=`g88Bbx5{G^QKV);v8;hYM; zEq5}`^;Yx*MpnxdAUaN<8&pEAbQkqHzdF}rJy_;EPuINc5O?z6>-@bRAhaRuxIECY z1_~ghESN)@V5j1>n*E_(TvSiu_!Rw*CWOM79=9no74MeU8$lU-E=V!9J;}jRPdn*i zzyrNA=YYMrdNT=2%jyvThd0RwLoh+4`~uZXNVC7lw!W3*s#XQ!$%8T-qP5Qwv+F@9 ztJRV^bD=o(!5Ac;fkj+6DMmsGhlZzG-9iniG4W9T(d)L;0$a~4BjGRTiyO@GgxLR= z&o|PFXuEpizcyjee{4MPEj9=vep|)^U<1ga(hGnUbgI7j;H#rz3G62%_jL256#zi+b*BOd(C+A-dsP1ZP!CkD0QI ze0UOnxC2d!q3|g7q4%WHG@V2ZWK{Yx6DgmeT7Xzw*M170Y(H7VbSTDhy96&eIiL5_ zQc!aP%C}y#GfST7)W&=3c!Ls76d4UYPgHu!EZ}_+F(+zhE|daqE((BR z7B71INTcusUoVu$lAfVK6mVG(8XSs4l-qA?FMfR@8Y1RPKDS+LV453_M)w!6D~$Eb zch+J0hoefy!g3R-mCq&EGA(Z&Xo;%qDWYr?Bo8qjndSeuj?+yMQ)p2-*;)hNa(#)z zmV6pj-5c<(0j^`V(6i6-tefD|NuR~ye{aTjD>@g06l&-$g|W@<-tKwnL%@Jy0QTvP z`HSiPg3nOV{fu{pt|FZQzvD;v6V$VCa3H}j@d(1Xeq8ZVfM6sBqLszAw@?La3G|Se z^6wSj=)U|Ub-1;*A#&aCmLb4AS)w2%Zs}I@PgvBp>7P2@zB_!7eu9=TFH-ATTabDZ z{G%JX0zA+`Yy({ms;Fw7udfb1K(Z`MSe`k>uyz|%o5%C%7s(KV9R&W-Wf~V6oJYCE2cl379*fo`OxW4`QPURiBoR*7!r| zVa$(kIglq^!n{R+d+~GY6u}EfS-wa$Sf}UvOA>X21J| zu%s*sP_Wg$rz(HZEy$J}=ByHdTKK9AV!v;IqQFlQTCE`&x&=!D!#V^Q*srth!8j6s 
zns{Q}hx-FsPFoe`t%dA!)6n+DH9A*Lq2{7!ZWuvsd zke`VHOR7(du)E`CYZP=zCIoePM}Rg3AZw5ICn`Kagh^TJ(!JQhPi8adeBu<=dw;jT z0o=cldys7=LW#QpQT#vQbc}*$3|(MiK|z7J=wIOatwE$(w_m@pA5}()u4KLb8IH! zhm|kJGvGgFLet)d=a9;76_UaGLfB zA5K=@ zl=2~C@fW^y2Loz}8?Xfseh!q0_?O2z zsXL-8C9dyCk6&!eYp9*!UF+jx5ZfC7~x zD3D<9R8AeUmq#m94Bw-~qNe}L%n?5}R}qPutyY0JrZ0`ly_2a6WO@dQ6@*BIGqXPO zMi}Sv{W_SqHBnAGi#9N_Tm_otFQ9|*(QXvj+a9j;8limvntLjuQ&ZF<0PXM8vo-q7 z1}Lbf#J>5*0&!F|hEhDg26VonkvuzIl1NW?{QCa zQwEoznpp(U^zAXq6_7L!*v+KVdUF z^e{a;pcMyW|4jfk;oYrUXK3%9cXn9oa`$Kj;^n)TJp%8;5|*!gUFUg@vW9;(MFycM zTw-o6*GCCBfyiYCA`Kk6^^-s(=93@~P;(OyfS}lD!{qpZ@c(Kh_8ahA-28YqC*x{v zxxDfg35U!A*PUMjd(e!Dyu9(V0^cRK)*#07;M4d)MRS*b)dE|w6g5@k`5cuS7MUFs zCU_f4kS-wrn(hbp_@5Mv1tJ`2YZA6ekTQbDV-kx58-jP>Dke6!ix|~=5n1TuN!|kc z_Cnwh&&8`(bBv09RzdB7H3fn8b*FNbs=p0=b%!=*OV0bPoM%Git!Olir^QUFSy~M$ z4CD0;HGAKeCqBJby!Z0*btO2l1h1e-)h7>SXZtDBvcj4Jpy{+Y7a7?JTCoPu%UzNT zer`0W7ed>DUo2FHIQ7v9&R+sWj|%FGb#H#p0{eEJrknNOh39bYOm}7uzz*XANwdNz zugQ3=%AOy$m!LWAi2zK!!0OqTOsA&#-M_^m$pauGLdfFDV&TZES;~ER%=ktt;e6Bw zF}&RSvT|vij7jvU<1EJ96M^HrQ5%}v8vQ;u^7MEfcLq=gmgdaX(BVik6@*~+=+2ez ziI8vZPqpm&&#M?^BZ%1xk1O}K zVE=mxI3|8rZ7rP(>G0_Sf+dV%k+ZJ`FVLqkZL9#A92=c#RyyN$^9RMF-M8uz^6U=z zvSQ3W{Kd*0ik}iR7J4tdJ3}9FO{@H^oTIhO-j;fDL*vsV$t$%*GnW|nv-`ciF08jM zotjrm;Ff8QOibigG45Lk_TQY%H@6J?-8j}#mc^+Qy)(O?8z#2V#vHpBBAN`17|)_V2xf-AOFZhcR7&!z9;*JVhoszpHt7|hudiiS1q zG+T4RXI-TKY%BC8(YWY?W>8Uojth{fO{%R@<*ZBk3g|Z|`;fS9q%mcknDb_9(7Z_| z5%Z(ANHFk02dPCgT1N;Ovz|URMS%dSt5JV5?ayf=vb<-0J4f%RXb=WK#n?D%7 zGw|CC$@^frv|9Vlm)0c~Z{=5fBJR6(AZ&Q^!FV@IAE|)rmr{g{i=QfCjmefez7*JT z{Uoz%be*UC8nR!kTyQp8sTpV|pFv{?6#Rsq^{4`bAQ+fPpH>kaOjhmgfh(7GI+sHH z()SQHcd42;Vw1v&{a4lezTtIyMo_Nxn#*AceXN--cj|Onc#%S?b$FEgpWVR!7hJojfB6~0 zp7p_O;!)msK*VVdeTgmg;AnBts>j+vag7v@f^dOKS;Q}cXn*ztma_6EJ9qUaw13_(8Vvy${$Kgf2krz$>_oknsKn04 z6nc~I#Z`F|wW7a%;=;kdTvdBf?UQ!LXC`i=*@^1ah%EDg>!&!znsP(g^#9U{2O^S# zt940O1*=~kBYVwqCyC`V z*Q}Bg!0M9r7pp1!Q7T*o9!{^7lqIGtzg(5<(Uf|=$6-2LkyTss%yx!s?x>|kFaWbV 
z@aS57ni>CjbQC7YT$#cB|G&Jya{f<_#)12(C?w$q9-z?ssdf;LC0Wdo)!e;WPr~42 z(f(FxA$K%uDC%OT^_K>RPSPKsO*d$WxAjtK2+gtR_8uoyE&+19nlXxJwBt-r@wQff zz2S7H$zoDz)>=)}_ppb*ITK-2L|_f=*tezM(iZn6PU+!4eUWK*PfXzHB-9MNr}^7Z zgt6MMFJd)wm>NT;Yu0nU{kkMfDVedOy=~tE^Oc@%VJzMHAv?<0%cFs(jXAL=oQ5u`u^}XABv*6e?h!n^)eMZ}AHn8=;;KI5=+`br> z6#k}bt&aSYtXtmPenIvz+1#@z`VpNBw@XbeIa&>~1*Kc7Up^;6@?1FKIjQ2!vt)%; zL*khZExKWLzZ$&c`t;mEeJA!q9=86&{o8p7{Uf7B3HXQ4_wvw+cVpD4$YN)Bf+s-9VJb(^vqW{yA11uBS@I|5@Lk(`;Uz=18*U~@Q_?XU{exKix?#T?2GukwV zir{a0&9x`bgf9Qwt93o29LNO0!U;V>iZOo>iqoj7TMtgh);;@ue!^c|x8x&VecR|x zqRv$*nC{7Bv^B6>ezB1@DxAf>YA~Jm(_@!9Z|a8jE!hQr+v)oIxj>TSM4HVZkG%aG zs?Ff_y~LUR-GRLZN|%1a_uR7syM|@CyrWII85~zWuif5=w@-aqbS3JY3;|ZeW^JJP zhJ|1zU7(sxM-E|Ro!m$F$JK_UmfOnJ5xv&MtA>xcE=SSNT-l#d@bUnQ%{t`yeA6w} zLvS2tdVIz0Z!f>s$24|Ha<7f5Ev-|3H<_?7a|+lh8{VH+(Ix2c2}?FxJCNc2hND=Z zZCY15PD-UzFzFCTG10_|xNwkPeFvbVnaklr`Tcw@BmOi-$xDBJ2l=nbBq$7_3bwy? z0y!tfCin8j^NLE@b^X(45=+y%aq@gFyCQj#`}GJk{i)Vjkt~c8D&n)I1Kd*9YNcjF zUn1#NP0ws*2-x>!I+?WJi(A%FR9VZn6nT7OtOGZ|lubbaU$I0hU_ys;U~&D`M89%Z zyJdiqV=H~y+1UYhoe%w6CMEBGsdau{RuAbdWKsgk2(BTU$t_I3g@P%qIo*~5JUX&J zyfjY^8)tw4yn_s&^7l{wZU6*c>36`fkgEC7FBLd|;=tQ^Oc84q^MP&|+*wnypBV)P zBf{Rv$Stf$pZBmQ7I3sbr?rxDP7*FB-@hALEQ-f=uU5qhUi?O^eX4iZQp&4dgY3&3 zszYSPOcLiO^mwJz$2g*$7TP=YU@p1&@&6jHb=q8R$s3=bU3u4pIr+Kvhg6_L!2nZj zQV}K{tSn>SWE^@~^s%M%0Sj6&pQV(BLbZ(tO78Tq%o6QWsq#V@QWI<|TXc1btj9(Z z*dmP{4oUN4p?E`#rqy?9Ulq&GWC~MqYz)&;PKINp>e(xwtl!Cyk%*OWaN4xj3oa=B z3ROOWL~)(R3(N_ni*1M6R010v%`1Dkxi_3PNHSRp_vTOL^_KOZPow8by@7tTmah7* zHlEixK!T97F)B)!L4jHMqkYE=gM+^c)|Qxmp&LvY!+hn`!=4|hrtVt9kHB%3li`y5Bz71l!eux+yS5Bg+8RfG&Cqq>7DE0;QFN?#99TeLiS+K2YMMIszw7ySq9Rvf@C1sKY?3q?r*Syze{1WJ z6U8S`iE|3T8!P!6hwdDuQEt#^v}YuKcXg{y?>HX7E%e4?A}H(a46 zT(MhR3*0Vl$obW@+Oa!4usWc#MQUc)9)D6oxuMj2Y^QPT-t*clA)j_>UDl75-})J-g0vexIQ zVjLjcqkKKZ+C=QJr5o)o$p@X-^JB6p$D{4(g~Z`TgM0jakZCweVhWsRfS(L<1tMPB zr4EsF#e{|7#Bv6ODgUnnZ;vxAqp?JOm|jYd+USXjE3nQyc>;}T!C%}s-D<2hFp*Zu zki}#(xS{cO(yu2np$K66`7XC&wc{MyPa%-?$+o@LPK{W$Hca_>j^&ozYt 
zLYaZ%&fgcX)OqqWm)Ze2|D!JEl@P<;@>3sdApb z56~962#Xd#z#W0Di+iJZN)E>X;Ju{t%&Lm`ODT@x*-U?!#5RuOH)Rl#TCN)g=)fkl zVZ$>fi(!ly)d1fA1xa(1!fpuTfv8s@YPAL8IBV~Q9gtT*16_xl{#v!RoHP;>ut39A zWMB@!TmvrS)J6M6V7z{SOa=7#;-6$2*E~KQ@YQz_R(a#SBv@e{xR(KbvKx?TKc+IU z*#Xi34b~@_JOqlb4j1@8t9VJ|IT_Z#vxOV#A3uTS`qzL{)ZB=z(^ZwK&t;4<#cfwq zCTp#p`Abj89bcYkoDg0!=eFg293Jxd`LQ1V9I;nB_@S2Q z%yqt}gJp|_cP5^+MNaux#W`_puFiDE)arZ>6*b|901gmXixW48ZI`g3t^0e0KD#NT z&nJv9^~yV`!mFYAawrzZBfh!zHajww`#(b|t|zE<_?)h-S^&6rFX$Q80L=9!zCOJ% z5jC;wO~i(Ld|+Qc*fbi?R(z8$&C!*>AKZjnFD>FXG)I6T zl0+ZAX3!TzUWr&J?kTCf9y_%Pm@PT46(b1_0{Gh0!^B{n+6WliEnRNl1+!u@1~|Nts|Nr$Lb=zn@ZH3;!1pzR+uJe_DKr4JOm7@&-(9I7ulBvz z=r1(N{w5isV6cPiAbgpxqswvYOXt&}kRjY*4_VO-`H-AAR3M{cka$@aeCf%%Vpdll z<6hwnTB0gPa%v>DJg7nCIZmUn30TtIyWPOVYy+)s1e&-WqYs#U#Pn&x*F*DBk7qCz z4#Fo`Z%g8DC%UWJjIL%}RBtp7-5^x*!tzn3x0Dv~x&W7QQpmrf8 zTm>pzxk#5&rg!}`ZJEN^6B$22ex1&S#wo3y>oYjMu{Y+Q`Ta@SLZ5ABg&ZXWXMkw9 zs-RuI5$_($0qILE4mWnT?PGe=t7Cp2LnPXibW^Ra7KWqA$y-FG%v z%1Zt-EQHaT5`<;v2~M-~U=@W|Sl`ywvq6nme~vb8F3(@-Z)7Ga@Rp(Qy3VAjTPBcZ zSmO_=LM9z{MJD3u2DWc+Uf>9?MoYaUC{zUmVURzfRG~9HHfgb2;eSaY-Zz$O8H_K3 zPi46pRc}`j)ncbh}Hg z=IbrK&*(*)fQ$7nDmSZ1LL{LHZAiQ4;dWSCazZA$YMdx>mT?C##> zxIi1NN=Cy==oI>QrAEhku6HO>ucFgFb!#T@;6F=MJp{5FrTz~F9s8Sy-IJJ`E!z>AYPgWh+)-iqr-%UlR0ys zWNs-?&8&vDK6O~ZPoo5sA>mngrLNndc#ntAHd5GbUbmQRg6;OyDUSgoorgbFJkA7+ z;@?BJze0X{Nx~KqI2VO)X}{Es-6q9*SVpPyiccu%kq`Gci_=CO_>mhkFR9x|qEyfg z^7#weaMTbLF%%uQ3ZzrtM091s5?L?A`_!aksu+-9Z%?+D%-eKpcZ3{){UMoq737^) z8+EtxVeE%p5V*PFS6SSlF&2qh_owS}!9~Zpy5lBYjY-8T6Gw!m9Zx+O4fT(|j}98Y zu~MAvCs+v7MJd`M0IVxUBVE=eLtwNEs%N%s|r1a zeVE`ZpBqk?cI;;lWxpWL=(7Zp^pS)QMt0=MmJ1xGu2daUfC$i5%tgb8b=M`VpT4d0 z^Qn@dC9*MnH{}6*Z&13$B(+-wC_t-Qp=TzNx)X1+!2iLV=sukC42HP^Ed)s$9r| zhG%V~bDot0N22!>>+>*ysEvfd<4P{L=B8BP=hl zCjVq>;Ck6piQHAqY~Fw6{+5H{*m>Ckyfwa%VHdx=WSxaqg z__i-2thD6EGA~i_pC5w<_xz2?Ur*xcmaPXl zeM0V~qCw3Y-sczF`gHjec2-kXJNJ?H^%vJodi+dN`w?MU#V0{5& zg5%Z4ncIzz8x$rVqLJ@NTNM(VSS%p< z(D_Q`yJh)lD&`vGO69x5KlI{W+gKgDJ>R&(h@C~n=uONG{9(c8mJch`ix|htiN2g$ 
zf`Tp4^Ii6&#}<7MhqW5sGNU)|2_+mgi>s$zx-g6FA>P*&-utJYd?hOMWZ)sMy-P;4 z;atY|0H+kCH{^=*yjSD7n;NpjL97hqL0RNF^cJ&jN zt+V>;wOjT-{k~;5Tw9udjc7RqOVFdO*5yVzgD&23w1bO8@2`K~u2>4IUAQcemoK$_ zY#H^P#>(vYLIv&9I`li?(D~>wIZ|&78Rgk-8{EGpw-}>oOdffj{8%KZK#z^dP=f78 ziDLyXwg<~fk6)3Ao8m$x&|OSG!zTA;b1{EOm2k?Fx4E)wRn!92n5aA!q{@Dd6|`S| ze%Ya={rX(>NxCv+#ZSl%dz+6sgq5mkc$|MEvD!Yy3i};*?$wObmrR=%+9X2qz0ZC5 zW|WsKCM~GY5@T^gUH`qLFvU=}*~#X<%ZfbbZlBfth}lVY;)JR<4l{d(@y(_cYJI=k z&TnpBz*g-Pq4&V4qA9b&F2r!I_#U5L$wVWFhF=@4E_Nm^t?wEn>*2jnA5j)&Y<`Nu zWpTQ%`ti*Pv$*kbZ+ai{cwZEXPT~pMFO`)N-h^4lnG!2o7K*qc9Y=kLTi2+lf6XN) ztZQnr(x5xw=uu$~Pk>(F@%%B-O5VQoo7pP@3)AFq1?xGE&GbQuskQECJJ;O z6+QxfOvjSgiGITw7%-!?tQv-yU4ltHZuS2tFdQgR~ESjsCj_B1NCOiqZWHH5I?ZRpRe z>ZOFeedvM%!p#N8dGn|^b+i-CiO8kTjKxtRo?=&jBvW-PE>4Cvy43lhN)IwR(fD1< z=*m~-)*6$1{+P9CmC~5|go>7D5x(!p8I5(6VS4(T4!FY67rAAktdiGq@x=4Y?y+IL znT+vEyKh!}9y9#rQb38bv#$o!s4noeRd_wlMJpY?MI27w5T6wGk#+QZ zsh1?t@a5$zmRI42FQoZaE7&};PWUSKJuTh7in=j*J#lg{j@1?IqDO&XxF>;>h@TC4 z{fMqM-h^ptPJ}3(Tbvl(wdK@wM-ll-zT)8vkKUF2&E*Icjy>yd zs7or&VRfuuJI)w+QCuQe>`Oeq{WW>EWd^UXIuja!*V>-!+aIfM^ShhZFPPd7p4E8s z+~nt4aLY@~b;Wwlks9{pDX(9gjnpOfKTz%Y;=#LeI*F*j%cSMCEMW0-A$n!0iZ zIiYO|8*7Q=E6e=2@EWNnsXJyq*b6Yrm6>Iq*nmx0=jCx4Lt<=uQRYkXR~;BspI$N+ ztrnGtjWv2bB{?l+=6W^z>v4xy=8egZ9EpDs6-_X^+FyFAU{nvWF^$bbv7@1iVSL6h;$TjA~s-{H6;LEx$#8zOm)hUMagMd=cVONtcQk$MaU>mcC zh0K5pJLw+3Ui`52f<l!@1xuyWVyc!3n745J-DAFdxNPnM7x6$sT?*K_>j)D)*1bDE0bx zAB7zuZ(%_Vqr~|om;T=m9S9%Vpy1cXBeTfPf9(f2Uk zD`pRaNJ`_Q-aT`3bCt8o$_P`E`*i3F$idFpk2lJjo0g%oVpomqfbpDiK<^^m#n8gu?t-}Yg=Tpqb#x4_XGGlHrHigCiyN+l z>WFsTmwP-IuCo~i_vkP;e}#7BIJJ{vK#S zb@W+~;t1?a$z(#Zte=eiy6@h)FPNRq&k51E>s#7WTyVvr#HlFf<7uFfUbg~OcNbfX z;;pjVExNi*_Zk4h-k`s!5>JD?@ zElHYxL%YR1l09VC>#V$6x{1HT}h8+5F^+U6wDADq~44L&wv4nXRsgN z;me(>O*M=*ioA(QbS)n3>>LI@h&b&qxB%d0UCsBdF%3EMwDh7OuGSVDG;9K%LaOV> zNvL7}6LEKfnu+ScQ)$S*kO}z~4@yO(1})wAZgSZQFdE@&xcpSS0kJvB?8>6o)SuJ{ zVW5*U3N?UtLanGa{6ZUGFT_y=q5|+(0ol1m%a-CB%eoG_O;yM@NXC7c;;QYEga9XR zn@hV=@du3*L(+_yMN%JK(HQxV*Je3~-oYl+Hh-~t(p830Z- 
z6Qrm~0zEpFOTYc{cks3>gV|2!3htK?u;U3Yvo`za5m31|(g+5ITeRGU)J*EOm+D%T z%@75~ztz<^9LLIO(iANu?2eW2IKBvgE)NQaIYSLeXMSd4F;w1gUY5>wqvu zaE62kDPs|Vxw4eKK0Fw)C@?mhRdSW5v|o|gTag*q+x-Q?XPt&q`H%@}W8U3uTwE;DAo%C+CPejKKvC3UMJ7&kZY3 zTo;1eFgwJLxH-wn>pCPy->pU{p56kEKa%^V6R2Qyy`hbP-;cuzIdJ-l&x;=Bke+d0 zFRQ=d1JLZYuhTa5@=P#p^($)a{W7wHEW2b9fRZ!3!Xje#W4-R))%F#Y4ZmVca5WZj zN$2CV?(NPE>|(~WhXjffWbeMpB6vFmf>}xtw>J@2I*MRAkRd)AA-ZnVKTEd+9Vc68 zI&1n$dZrF8?wMDL&sQLCjGQ&iDYP7Hz4;i*)M@OKdJtmTzHUh4yfr!FsB<-{qt zKdcZmn-JQf#7=O{ldUpcba7?AFD&JyBq0)%cR80$vA)#Zh$0-sn+lM{L zos!HR2YzW9kqu$-G+#nCW7se4f{$rYf2Klrb{W-#I|&~@$jOu62W?3#xCjudC#I+Dg=u6dhWYLJ`gjLfp05|$C3w5Rmt%9AOc_Hag$7qCwt!E^o?IwVy*%wVRDZblz0 zl?vy&s{CXnrP*#^?T-_!Ft7~Pp|qms&P>Y#PA%T9TlYHUHRf8nOd=w_d%C4Wq`vN0 zqPgo2v+8=+6XHKP0pFO8k9Y5Y?Q0Kl9-oe7eLGi)?8_4!gDq~j7Q^MsFr`)F)(mrD zMykOfvTxt~^9X()S;iO;UZ2uVW;C5!$svhyR@{Vmt z7KD^#P}QNga9=fWLmW6(^VxJn$o!{FfEP~&3OOlsnt4As0x2E-tO_4kB@;hXKK%2& z@5&-iyH-0B%v>T}ub}ar8{TR+9ceS|6#?IV13dA+cow$B9Q`pb{4yqChizw<; zbTBbo7Ssf@T)Fz#F zFYL}?>%MOn5u-5Vm+occLn55&se$P(pkmP~NjX6D>`2wKhGWBGd) n48dp+XVg8(`gcT$ocGRD?b^2asZ|FYgFm-LrA0DsYQFei5xm37 literal 0 HcmV?d00001 
diff --git a/static/images/docs/perf-test-result-5.png b/static/images/docs/perf-test-result-5.png new file mode 100644 index 0000000000000000000000000000000000000000..114e079177f72c9e4fac55a516d0a1e1b51264fb GIT binary patch literal 55285
zb{RTDr>O?X^*P*aJOUM?BnFc{O&7!>&M!sbPvi)LaAIEYC>*aK*SNwT)9m}K+=QJpNAEHmq zM@re$tQ6&Y2KGn*q33OEL3Z5+r%*B7)~8VX9>Ew}aR*n08%w3}M^Tl2$=J!rps%?G z(QIUYA+Nz*VsS>Tt&eQ2{(HkQiCFYd>0)PU_AC;G#|F8Rcj z4G+IDLVyyzka2{LEHo52t3}?X;j@*s--cCgg}R555L>4|E;ErofYOxQxVMR~x~2@I zrk9^?*MNQ0GHA-_j27lDmKopBZJ(DvGL!Yvp*v|_rFxW(lC62>^<&y=hX@%EVXuG| zr>bX&9-uI(N59(V!d*m?MOf8fKiSkf&q;3M@hCM>j4q)R@p4NU?K$O#j_q);=yjF2 z8J?5a61+Q9(IPI5^=OZ2%#Hl~29I865?qij-ipy5ba1QwgV9Q-UUc$+_=K^F6blUG zeLD`(`k=3q1YO7JSmNzduZB*(rC8Af%FfZ3lAd0qET7cV#cRF8v{`1;2#t1k`wqf_ zJxAzSmce@ehCxx2jWJ2f!NMoLb2NQmd=w`6UpA53EM_zDAdAY3O_VBe<7cau>O9@u&X+ju| zkvW7Aawdrq^oB;y*)nU{>#7V?e$)$6h*PIMXBurxN7BfTY;E7!RSQa3bAgL-9ueqk zHmDANf!l`0B6k?XjMnoAzewtytH%7%SjKn4%bthH{iW5WcGrwSj43xebfkr*;=NI@ zoH*{MqFKGnG6rPDMB`d2Y+5b94Kc31hOS&f8w0qt97J{kkq@}KquoHkfIXK6ERB<< z%AQ)o{!bHH2yxZsQlA-7<@15IOwMnqhME1NM!w4DpL1=M(!&PUXW=pE)=3$^9IpFL z5iYgsW1ms4BR7TT>A7$kD%BiW3UyJtXj(Lnws7Y;FHNLlemJ8(YAIXA)F$ML@fujV z)mBZ0@|w@x#U$3M~M zm=@BMPjkd5TnD!3Om)9gx7{MeWj;jCIG9a-?6FPC(v~LN^4{S|SDEW=Pl*r9*uBj} zAuLeU3>;J%(s%fXjuqE)d6VCUPYdZsumro-k6Z6Q^GW2}A)Pft}?z8PYxPsz4N*Jz6KuRkGx4oex z_K5s9ndI0@3MwfsX$nhtyPEaQbBsGp+5n8SQ$>Vuyk+Sm7w~S%;-xMuipmr#K5~w< zoj-!HO33=2{c>n%f-?c#x;Rq^Gxg`xbe2tgQ&`Gs>z8}TZJbpEIcY7C|A3DPWB&zQ z>C58BKB-A!Nniq?^nZ1&BzS;0scg|d*v?WNDY81}E@w4|Q%;~0`K$m9@zA6_zSrl| zU}Ff3uV!wbMUl3uqZcW80)JxdD!s~ZzLg;(2v>C4Pe)OQu2%ax#>AHK$&2?zX){eo zAYd$z9#E^yeX{eaDegp|r{MxvlfzmAsb|tsX;x++#uJqzrE?S4beHH^LM^Z{(U2hq zPaHaGsr8tp|6^Y1{;i#8qKKPU)nCDOg~n~MqS0UOD05KYGSCA86Z9YtINF*$ps_x_lOwgNJkn zQ?SS~>4&VCHD)42G?wrXX^4hj)bvt&qa{yIm-}G8?OTSd$G3-a=r)uwR*E>D$>yT8 zw?PGe1!WHshGF@Yc+a1^-ep@PhM1)Id{m`Uq5X%{SC{&W9s1k@_3l|y*5n{<_(Trq zv_oeHyrr2(YUy6?GC$SuW8J?#wMi|2%bKENM*Q0{n>z)^asx0L#5!-jFqMUOA`nMt z74WXd4N6g21$ZDp^s)FVm=<+B@#ew0=IN-6M@EB&F_dN(3ve~qL}ooYp5k|;1d@Z% zIH-}@98U$|2{S(9k|c5#PiI=ol`eMii@HZvlqb_hE)c6~8sx^0Q3Yc|B5TFSm4A&~ z-==-amwTa-(<)>AaXd1MtHD3iTGUm4&!B_IWi#s!hG7&R97?oxb=ru-Z#CpdcmTuE zHT7NgUP4g?{v-3220c*#y;I=wj3|yOLeFU6j1ZXkC*?UKE_+MW 
z@uDNgCfaD&UqN|Ha%C*ay&wV>QpT+f9zpE?`vmvk-FPA~#%=aa(O z$@6f&f~*ozGW#BBY9cXo;q+9P`U?zoPqB8_mR}^%&8V+?EUEZv_6Gy&N)=3jCP_qm z9~^&VjP`=7#YXaeoDFtTcA(ey+)buVr&O%mAI})JIq1_}c7l<((_An%Eo8GpSKzY` zrhwlj)B*?N8pa1-@8h{<*FIm=`R-l>y^IBcy!cfEpMX&gG2P(XvPE#M~GA6!l5tO{Hr8#ujj~85LX`Qh{$NJx*lk`aOnwz@GXWA<4+p12qy571fd8WIbfT~b* z(2iTLR41{lu0XyUw?I&i?_T=BcO5YMDP>26eakH1qU<}u*h|}M9C*;pMT0huCUnXE z03VaJYTXzod1WV?_r7@@1_G6K*iXO8Q5gERN+}3-gXBzwfCtvJ~I{j zjSb8b3fsyXHhWb~Q%~F-mLQ|AfU&+~FepC}OouEo6^2h*>q6`?FJV&{z40@DN<>#O!Zu1R{JmWH_ABT;iw@cL35*CIMBCWEfXy6( zCQlW4+6yzvHhrG_=;Jd0-Sn3t7X+7HcbxXVzuvePAjhVrY4tYWRhpYf5s`J-{4bS>-8?0D3*ehbH4YE@37uq zL~nl=9e+52GJJ%~43G+zA0U{b9O>aXe!Xk)0rQwAkYb_XgSUk~=kdwp18PCPm-u78 zNwKz|b66U^fal6VbK$E)*?>)g_++hqv*@qRIgO3_?(5Is+Vjx~60bEN_$yd8dJVt8 z<+0yEDCAcc38IWzeZOsJ0@9G_6+#LC;RE0VXa|O(&xV=5yF3x<_XL< z=kfh}4^x#~mX;FJhh=?!%yN15_*Qg%|8w0vf%5W1ArhX%e~ zfA^o$;93oS1(=NM(#Cv+8|pn_tb24)dGcfO#fAu>uO@mT3$ zYidC9`;_S$=Jvq5PuEXcx`q3ARDg6ojAz*)6T_vzORVbTwm$!dy|<34a{a;p;n3aP-5t{1 zB`qc09FP#Dq`SL8N~F6)q#L9`Qt1*TR0Kqw_uPB+-ruY>|IL~;v)26Q($DYx&Rcu$ zXYc(yk%%o{{|oO-~WQA*&1`fS99VK)#I z`MReL|6J?&u?8AV;`)$ydV4+h@w89O{ZAE%;#KPy{D>(?xx(esezZhuDc8*$ndyD; z*WhtjGDEa~)!CRy2G19lG|HZZEUEsn@Y&T0Ym@^)yqNW~co`+CBL=T$yPo+d!Juyt3*NqO=08ZQjT_jxpe7yG9T06ZVEW0Ol#Kd zGg|MAMi)L!A=BTW?>{b*`R8;tfn5Zaiv;y~4rITOVL=?H#RL>#>BcviNX%E)v?;7h5kJB*ILE=#E82*DNc z>GXM&t;r=AYv#mG!u^xzfmw)of1pVMN)9Ki2YQyhy1rY?Sy*dZ5+SW$zW4<~eY*84 z1`p(sf=$AV154X|2iIbMV< zwK0Wo83jLEc9W-|udssF4AcNNH9Y#zO*%{|A+ecFhsH5TD$Sig^3-9G40IMu7fR}U zAN@-4s4Io3V+Bb-KlTFdrI>Y?0*fQFu%5mljjl+Yu=m#J!X@Nukr^nW02x z=}7Kl{e|0p$P^AwHK@JCfy~Q>#~6=`OhLl18p*7UP1J|@RmBTGh!G`|_Th|^1eO)) z;JP$7JhdyWA816mPS2LZ^_S3~8x51N=bUxvEz?DvkLf+whA_hmis2z>dzfL5ZqD?6 zfou$3A8=F^?aWNCc;uBB5DxX06D#3`kue-KWo9v630ThfxYWN9PLZdjb#r2NKVS1&nS+8w+t2^ipCCJB5MB-U)(8 z9BnhmohWgDZIzsOKVX}{XFy_N#CR)*Pl|8Medjzgnap-q;63IP2ie84w&6vI05#*z zAV?f;@!>PcVG;JrKkf>WA}FJWKgPHhhfCZa=1q7l(_xsB61DBfsK#I${-9;}Lt@4Q zbFy|c|I`%F14fxht0g)`fb*RX?JV}oAv*syRmr_3v0^5Uxe-j6P@Ia0<=Jo*2zzKb 
z-Ih;4Vtaz?LY#lBl^_ZeK`m=HGc^hBbkZ*rY)Tcn>*z7K07sv>lE;zd5v+1b`^E%A z+cfkPq+#FH2ZP&o{4R5@WlToAfr-B)V#AA4F&yO`h^=EJl>R0j(%vUaZlb2hYLLx)fL@=4O0faI47ErG@IJp-?pEJ&5s{<*0)x<8UWK7HZ*vMl zU+~9xERm0QJ;znmsZ>4rourI+Nyojn5-Lznh*u>a>abQRxM{&JQ(&1? z{|m`|Q&gJPu5OV5A$&fLaNKEZ(zHs9rX#YeyD^n8Mqx`XDl9~5L2dC;`ZeP+M$Py| zs5C$SyikOG`Dyx6RjkXR{(V@3FYCRK_v^WORO>tA4=qkJdGhI>vE+02TlMQ62*>g0 z^59gZplp5IIkqbZoZ2keDh)>cg0FH) z@41Et0trbV!DIexl=^q?L*-Su3%~44>M$TRl^`GR=V7STuy6HA)N%C(8$R{($05WB zX{vD*%tZ4)#I?61hIXw~?ahiCQM@654qWdBZ$FJh?elbuN@U6%fvV!~cQ-_W_-WZr7V)4M)@h>Nsb5neeCT-T`re!_eOC!+GQMNm*ha`go7- z7$f`#bbNBCl9A-L>}at20m@v`CV$LV2-a?vfgDuepgRK+RVv?chdVZ^OMn7H;_ zPveUw>DN?b;`bH&+1h%~cq*c?(I=cd%`lM2N(n?`5JPc1vuG^Jn762=^h6vQXvpM6 zzd#Ms^q?p7quFJM-HLv*CG}VKw89o!0&EN&Bw4~q z4?1jTI#F2^9+>ic*|9==(by5EN)Ugq-wi2KkKF4n`G=XCer^XyEx#|*rS`J4(xA~q zVQvk$)pkz}8PVyoi2Xo(X9#N~CqdhU8=0>V@%xO*CFKz}9XLDWe9Y+&-zw(vkR*>G zpC0aWZ(o7ySIv=!CnRRBg)}4;l~WlpVMFqc`|(>9TPO#dY3^9myoGw`tQT~O>X$~L z6GJxswnU*Jq)5JK#zoS`0r)OU7qcm@9WkyM!vj7oOy-{R;(@tc_TbQ+$$RzxF130GF&OvdSy$W9cC$$?~cdkl#rV8LxV}toZlKj zjuP+f4uUCG;A0&*oN{jM}^(uHeI-#Oll;9MP$wp51hv zO%*OZ66Q+ny+gjO(zuT(jbnj(hK16|Wy6~Am63BpR`Y^0Uj@}g<@}BpIV**U8@5W^ z-FC->Zy9-JGmZr*+VE5My1ii^6I>*Nmep187NR+xl_BY zWDb`*I0bSNDk$-Xqkf}{T|MUM%y{qMW64r%lB=5V7^_w(bPfZP8kr)C=;5&U+hwJ( zWRbR-A_gO&5qdsM1_t6bF}lppqyvVOk0p1a3SUfys;4UPO(##FhYgqr5<%j1WZhGx z)bJj35r{#wNyj=$oEgPf*pk;!_dW10F*jIQmR=D}2A<5o2{!@`f{-~t43&}j@`Y*< zHX1IWwW^rj<#HxgOsari7|X~ME_5;C!!RP3AabCqsW}5TGc~@OMW4BQ$KysqmU8Cp z@U7UbVLTN1=bMrOD>cC)8T|7xYAe=-Zy77d4{++!PYK+&FBoDH&IKhUA@^5QgE?a6 zm27ODBXnEel6fXZT`c439idm*DA7>hG`N^OVUd9j=RwJS#Z(4QhHJo+K_DHYgIUWh zVbOX~0SaasO$5K-g*f(b6~kAP$ylBT@PD+OF%fL8J*Q29FY#j4h~Mg!b>K6{yZ2_% z>TMPKelQ<)|ke2oyL!e&CH7_L&DV}-w=Fkpj4hjRJ?Py_aqDK|9gpgbe-C&GVG%*sgV zf+SzjKtq*;IfEa4p82SS$I<&lFN#?iv(){v=P=&$5QF%-_!f1A5806?G-RLQCHzo; z%C5(gp3KmyO1y~`8c091Z=_;4mEL1&X0atvNIzP2oJ9)RAvADM;0Qt}WP^M$wp>b( zGla6Z%$8o&7!Dd7H0(5~RBmQGG2K;D;|CY|nKVqZxtIC%6>~J;wEE;fp@mmPi{bBE 
ztMooE9_8)D%pROT!^@9%RU4MWw27qiBSjlw*Nh**FC!_TfhSQFw2M+czzX(@6(kE!zR zZ))*1s>O-r?zMP;@N(`pno zHMx!OZDfy$7fg%SmsL_5nAnv#x)Bi0FR~ScW3s{FBRKRZjL#33;cOkzGJDdE#2k*t z;>Z%4P|K6LcO5;-r9g#E&om>rS@z1IEQ*voQb3;sXTydG6A6MIlyZFCOO`8t+LB(+ zTUe4zBN)p*ijM)6Q{QZ}CcPSb66%p^rmw6P&oeWiQO0N&-rWDwJ%9{hcTYq3S#om=~ zc9~>rbZnz99aOeSb!MOHV30X6N1Tf)U|gY?{~YW`%}8MzZ6Gdi8c} zVjZ2$aW3@bIgz4{W$sQ?pY3#=bLm}Z$)+lCC$sRhif|g|D6Tm}ca&JdUM@9^e5La_ z+)s-8p-o@et3AKUQ6Gprko}siBBJOggp=<%TIEOS*t)=Mrg5d@U_u^O=~HB`UVg8v z7Lj814WfC|>)m(UXtqRN{4vK3f{jm1bp|~P*=A%EXyL~)tqwY&O$lIoRwc`*8v`yG z_7mp6c55D-6{5XhV|KU!Q^7KNNgIVl*itiP9GS<^y^r;M_KUS+HE-qN1Y8X?4cebU z2N<>U5Y^bKvm2&j=cYV1z4IrTiV&%rFG9lFi+G=Q)z0ZYEMrtZV6RoFb7U}hnW^M2 z8r*v$gQx6lBDTU#(4g#xem}w5N;Myv6ESB}h$x~wuBDSw;JIyE-I|_h6`ICHtQUr< z?5w}kaLw*RjEQ{NMwuokfR~7)BR9cJ!iXUiBY)iVDMZg?A=A(eqG4d|ftr>s)^cO@ zsy^_L{x;8k=odEy9oJ* z3wb9mb!2%a7+1`Cg}Y+6ZBhkwe2AeFQs|C4-k}66rB`*mRv4aF8XRMA&A9(zfN`S@ z{$;4G{&BV{+P+NrtLlpvBX=teN)yQ{!r1e=Tde`h_aB}NPYkg1Bi&6qNa1EhN2C8@ zvC)lZDlx#z?^_(+w8d|A2ot7C&fe1?*O(IfSYybs^(?xWX8AID!=C|5{r!N)bm1-= z6@`)=MhHTpRNk6r>aQ`ahbNoqbLYGKc}UtS(GUS%+5$%L2yLe_t3hq3F#2F7@{0sq z;*bHKQF3BeOy*uydtQ_60I?#fH4UO81J7Aq;rk3&;+jJ!*gp2~p2&_B^%bEPWbW5# zms=KwB72k>nOy%#N|8fcwIG8}HKzCHcLmo+lI>1<3A_eoMDgtUdG5cSFK-~SXw?^i zCS*Xcp(z?UT@s8X2G<>UwQ6(pCS%Wacns|h9xL*z4ba)QFR4rxY9W31Oh-0&r`Crw z5}2+#VI68aQBOOsOVrRqFkaQcr4q^*t1?#Zequ>sEEhdRYSXtYo4aH%m9Lb5Qh@ujz zJF^j!c`Ciz(Vw?ScNMR3=Vg1W;h+ATS+{2m*mX~mITn-nA4WhwzJcR#=GmSq& z^^nl*S%5)92U7`6{&eThp}gDx3pKZo2??Z>L{=-2?Wyp@&0`J|;JfZblE&T9?Ya7t<}WQj4HB)lvv) za&E4zd#CIQ`N9;GWXvn6gV}kCgvJ`}Wryy8XqflonPT`6hSDQa+zy5~0S~H&% zAh+9~%j(*gJU23iE1|l6DV#K;$QU=4Ry&TPRq_!XQ@ua?a{zN7Q3*FXD(yH}?=}jn1}Iw=otuN!0i5g)>X5wg{vM-2sl+i2=ENy`D{9yV`3RV&6Acu5CtH z0r3l$&biJKp+%$5SGV|}zSdfEVDb5G9N&czvFL9f81u@BCY(mu!!`w6g;S#F=nzt081RLCgdjo8X zOg8`WZ^}Sk(9ggdE1omHRkevEokJxdP{rk_pZg*Z@Tmn-wO9BKZ!?xwLzq@O^~w?_ zvUQImt1LE^L@ofWVa3{}J_1^V+@?A|yjlnq;l{|BrVCsyr_Vt9tnKC$W5Q`^qe{Ud 
zpX9+iozS&FA#Ph%na6j^Tit51s_n_yxXPZmT#A!IR*O9_7t1sCGCg1U^KOhmBy9QQ_^t735Iv%z+mMMjMzfcU!o$|1;rnh+?$W{q+fB_9D4-3GQ!W7~Lad zY@Ot2v0V^ltj}U=^5Pis-eV6^19CmH`3&LBonbd9VZVgT&*>i9YL2g&>^yb8hL8v) ztTKBVx4QeV)E4V%khQ_xWckxM-gYTl5y4m^TP`9%E6-P9OhP-lh-T8}tpVVWqjQJ@ zChvE>!69x4^LryAvU0%Y;I`g@ZCBSe7~XRpyteVHmcV{GSIA{|G^Jp48PzykuPp0x zuk4g&HgEBwfoTG7Ahh()Ybrz`*N>1mlEiRpt1g%D5pD3aLYfG3|LI#-)Y0;tj)c0w)}&G(ovUaFw%h3sS! z8A$aD{Y#Neh+A>M#c=}t*S!2SCJ~)w3p>e`1YeXH(xMIh7HMtOh=*$);|x3mgIGxV zW;OPnl+o;Qw<^asr&Z4l^N-ljb$({AN)VJJZzCo#5 z9F2y)2FR%ggsaqGyvnSg#PhJkb5!vaHNhU4s1~GVq_ABxL2+|6D$D%)dDAzNmToF8 z=i^{ke;TRI>DB7JIRlz!Uv%ot-x!)Wy*LiJ2ApmZfY%Gaw^!wPZn+<-Kwj5+t3P55 z+N{|V_~Y`xMC#Eeln3S#XTvW3oEGn$>&gRvEQwrR3nfbN1?6z*UFu$g?9`*aP$WPG zG!L@4I$aeY+w~3PS}1reW%}rshvG=W>;Nwnj65jN#ys%G&RlTXFCHYbcBk#sfXA?k zDuULq>ZjoU*BTe?qXnGne182o?g z3IwzYC2jycLmfM7v%|DfNKNA~IaQPMUdDq!K!=ioOEtdO>j;&br<%{l#4)|r(+Z1UI=>oNgh7d!HWkIuzGj%IYkwu60KhEbD6fq55kDDWYt>8 z$SZ?>{XES~)@%UysxB?ghFJQ9q^YrwIOJ!`!UBbQh9Y^JPsP}ZftMj}ObeN))GeAJWK1t>qh{92p zqpjYbDp(7NAH0k0iD)`SL`?L%I#Go?25CNHy9|R*J--4=RBH`2i=4hLKKNjprYT0K z$^i8S)X{pJb|nII^RJ&iLO+uE==Y`Qz12XZ4&m9_iMA2}I0^<@Md?kk;u9NBKRm2L z?g3mgnwr1vS%l);<-D|o(q07pINd}D0-UiSFw*gA-$vn2kw@}{>|zDT{@d66B;B|X z3Ka8w&$DwS2M%O%r{?o*Wdt)B{Q0|I#D;oq2aL~MI?&Ey)3S*(nwsP_i(fXYMG`$G zCThKn%NPZ>jW;|>b_-Ol>7_v-nu)U~{J>!cl;#Ee^Jwoc--M*;VMMTB)!Y1 zg`t$ne0uZE+?o~?qI7|TXds}Z-2kj7fY0w8;NbcR*vGj;dEY&Jx&chYcaX_F0kl^B zzkYm+$uaYKD-@71h5JJF2qb>`(+fvQk8-k~PD_5%=0Ad^T0xP-*;W)yc^#;ANRq4T zzCBi^_O(4;s4Uz1i~z_K0ryzFQKNNj>youI{kKjSL!6P^drph{&|rEO5*N2 zGUL^P2S0d>P$fy-vTF9)2NSUDn!25pDRAQPhD(#Fh9#o!;K|LGYck|VZ-z^(OI>dw zl-YmiewIUjz4qZJG4@QympOI#pMa@1U&;^g)sLx+CSpS{98_Y?89t#<4m!76HPVAa zMS%)P8#AWY_xJY`gjXvzE?-ed{kr?i_!CsujXgUD%!~p_p&g=y?)_-B`&8mjpzV?z z{Szb9(4CH({XBVzbFZ&A(?L>NN)&uTKW<8CejEaxyIz%5@9h|t;hVE(XZ~C3pMMR; z5bW5h#6c;705e{>Cu?|#9L`D4ub&>&XVM&&O}Vk@4h7!CJ==_72Y>>(mem(Emf%L=YDz1#oP`yXIFun-;1TR_ z;M0-gKVs(5}pv^>`~G7su9h%gkmAnSooSL{ff`wABgO}U66Iwbcx!7j}BsuEtT 
zP1x0j6cKDFo1lFO>R_Ip_n~-2va2Ln-E}|aG%<+v2!=3rDV+*pg?t0NN^)m2@;G)w zqbdTh?xHITd~c8@%cDMU zpc=^x35DX8+sT_M$t#m@GEmGg|IZbSJAWYhTv`RgM=_@tQbhMK{yMQ zEIa=;!Op$UIZv1x`=an~M~uCrD7RG^k?-5QQS42vDKl>;b_IZ}(8dY^3Q$NmC(!G(8H9X@I3K z-aQ4>UpqX*3^#<2RAosezWbC+_fdg(=z5UrKp`SBrU+%6?xslOHYGv@5~1KU7QrQx zoS?ILrYkN@!G@tFZLg;=fIf&pG-RrEbO`0KwknXQ(A8DLBcPpB$Au>Z%JWOzYy!MaVTLUMims?gZE?MQm>M>WxHTv51r}Uj+GNj)rA-60_X&SoRUM7oUqazvl{yT#F5Q zzH6M4X=_7h9M$2olQWoc>?%~2%tf4GU}+UK+Ll2|9z91pfT9wqtJrQUiA#OFCWTL!K9%Wk!gd3hesEw9UIe%p1e=+(WTOqem_%* zK^@Y-TcbJ8+>F#Opzwg)=ZjD(r&cP{+SeM}XybGw(j)#}1WXyG`lI30Kfo2-mhgwtP*dIyNZmNf+*ZkwU}OOq+nKg=dGZ_|B~{nxNlK zBSHRUqZa4eQjFFmx2rkkA|1rH*P;wY%BI?>%kutsCgD}Oy9sJe4C5$56TkR8@WO5; zcO@a3NYc@$`j<-SY%G~ZoZoN0Aj``Ug1vs!q~$w^+p%Gr z)y?>T;!HR~$YfE)sT=IMB~Ntgh18|?#}zGY_&cqom^Ng(s_2u%_ypJls#3P^p3x!G zd#KDaQeOw(s__@~vUe77(Zy01iLyP@;u>U3Hl!$IL`)4MSC?AkS_;$gHud7EOxZNA zhVWav9lj|`&&EkJNl|d>&s)m&U>3eB(k0Yk<#Tk{t>4? zbs5bG$bKr0qV7Ctn!sheOUG@AX*EipaeXMi2qO^w?%WV2+I)#Be?id+YKSga#9cLV z_?c=m(9^P0qgEyd7#~z<+TZp?iTY3as`9m~OzzVwblOj5_l4Onkdt?8*x9rcGTtBVsfwX8Xhxj2^iSSStcA_a5$HaLu?_T;pZ9=wi595+!sMMP_Mm@_2KR;DZNfH0es z)EYaC#z0x?EyuJ?U(G!pw}oTxtQE3kVx&=|Q(wi0-gVCJ(DB>^%W$EF539I5IODtE zsnqnjB&79xLG2JwUi-Y{9lB9*pGtCxt{FDlsM7rmd9Td;X4up+F*ZPbllBx362G1< zmOiEEX-Z~Ry&7Zvks&^YRum!*tD+4zIy$# zLQhLH0(%>CIj0(pIM%w8Rz+T^$qqH5VIM0vps1%8A}A&BEy%TIvo&m* z2AVZT9VR7>QDurSof((JjAhUSk}-m0V3MP(2^1 z;zbo`(G77dgpMZ8^$V#=IAJ_*{*l@m64i?2F;T%yfi=Mmr!M@MDvk*R@vU-}ao+x? 
zye02O=_E~mwBO7W=GDx5EoS^W6E>e=Eq`wJfkiz$sxnyPK^zr>d!Op_9~#kN?&vHG zcB9C5frNPIAz=cw8pBp26x*n&Gl3(c% zST5gXn&)HqtMOkzZ#6R+J>iW&(1R-zo40{^t}BlwTn))zDOUfwJ?r?amUm}B-YQW+ z2tgfcpd;_cJ3!EJeux;S{VX7QAM@R#;w8*Bf?Jg_n%M zv?YR5?g}V6Dn}KlVqgVO9ef6?Y{mY}6-~hi`+!^{(JYKJ}PGJ5rL;uwHcw z$5UtD{4wgSAx~{j=-14)Tw3ERFA3y00le&S>dM$<&P2qOu0}hgqxmQ(-G%6rs?p)M z+g@#B9+BTn2p8VZN@GOI!A%a|HWit)-P7z;sV`-ZR@9p(fn_K5tl@iGFiV{S|_T1^KQTA6-}d#!q??BD|Kyb30^yfSnNGp zZ@sP$mGZB0SM+Uub}`lWbndo3F!|B`B|&sT`tIX;e=N-;+%8LSma+FJJ~J^tLfXA& z-mFZYWTdxXbKZR@ z9f;-EKo~A?{9bhA7rVB8db1SPth4A?_fbb4;qH(91Hi3c8zJIaOkg0*FRX< z;{D)OgRYl!uWv$44R?=QB`9!q|81iLAl6qO<7MXGZ$8cmHZ@%EI$IU~{WpKZG4wFK z1H2PM_J6Yq08v}O0qR6QzP#W9qFMie=Gf(cNZbE=9}Y1G-1SN=_JFA#NZ3?7&&+6H zI_v)asYo_V&BXQxAv35C%R!m?ax|};NcjqYJ%%^g*<#+u0JZS}=z{clF9Ho<+CJYJ zkiI(~_z1{16U9Ge^Vui?s0v}s*r4le~UxPSu1F#TlE5pzc0AYRm5ELXx_dJXH;W*bm z5D%jgu%Fz|dlU#DkS^e{f{(rhAkZ6tLM2j(U%@bTP?M-4?7G_W%In}0$fCgNZJ%dx z8i#%Xuq|=>ORl!%Z7@ml!L>$>B{o+%CVwDn{Y0Sr<#|$T3=vWcKAb0asR?PK-)>nl zaS;*{qRSC}?_*Q4j#>udTLL zdf?~04`u-uL*d1_d3hw9Ml$X(D}Jo>-Fukxkaxxo1>MiSU!8pjdXZsh(&fW9kCa0h zJ$O9-66f;|ZS4gWB|<_^4*uaBn9>2KEu;7ahuXxWJhtDXCCk{M3Gzj;a9UnXfq;SC zMRRd!>I)~*Kw46aS>#AaS>{uXxXYoEG&+5N3_vfOkAHWtr z$@iMN0o^||6JxL(<2;xTKtaqLsHh~k2o~@4ihbTGSl0k8L!bubPd6s<=Qzq7pq_Jf z=&vzt9so@;K9|VZswwZ-SBx`8h|9L2j`%nv*{|Ax%wHGal-HP(Cjo6->MJXL`E(K) zSb~jyu@3i;idjOb?F6r?d%*g*)`^OP*rnVW=Ap#~Daju2g@^zudd@1ha zbS6WYkq^v$_kd~_*bGeyCx-y-fORz(p(rxOj)g$AW#M9fu)xGiz`@90309~}6gy^3 zpA&iqn7%V@9)f=WO;Whs^giCBbWsvl%Qh#tKF5_WoBC+UVpj2{I>86UIMTgu%7ZWI z%O^HU`i8UikNn%A6hx&-*Hvhp-{eKj_+kos6gPX6S^7slox&77f;70C;1T8{#L5|A z)_gEo6d{A}gF!Up9i^4Ruxmq_g=vW*U{Q43EzH>IJQ51g`Zx3^{`qq=$ob z!TDBCEHuvLLH+WeEhCwA{B#)^uO-|Vu1z`(*~)lHjnyr?a_yg6LSGc#cJcaRr#X*@ zw03;a&et0I6?)Z(0$`&7)_6gorHWd)&h_7vO#$O(CQ$*R!~b6QG7wih)*Uxex&P!@ zVTNc16{z_o%uKZD{Mi67?HX1FU(7MyYN;4o z!u&r0FV&=4*dR`G6((6)M2)uDqX~}T8b6>k2%P#&X`l?q40cw9Rg0(~>RI19zQ))E z`Pv@k(9`1X}J-`oqb`s{Lcujl#-T`HX_gy=85A(_bFrtz)6(_;9C 
zydgwyC5gG6nC%T*mA$-@6xDM{9=z=ublxeIgjt|*1z^&d8;Cjnw*M8F@QgIu-x#b!;skuUr4`;-nC7P)+-UOTElz{sm*vhIkjoP$e#GfI(>k)4q?wd<^+kbrv zIhnQjmhwi6dhO{vos_8e3<%`#SxMmAYDi&uxN7&OkjbIdx1VAy@wG^{I{N(T;${@^ zEBJvCVE>5w7UqP^)FQ5KiDI(7d6#q9%m;gj( z7yti<|1lx|_sqs$B3|r)0GhL_87~12`x2@n9Sze1}oXa)T6nMw??DmVt&hVnDy!uAGakIT$Wk%=qD))U6 z#akX6O74k&Y;oI2$dYh++7tJ<2_Q?J^0V5`Rht#0=tiUO8}tH|M^>5c)JXn|L_RF{wR|LhVKlYp8W06 z{dEk3!Ht^ue;NhykiMwq7+*@@f43#rtD?yNI||zW^B)RIyI`%TV`(fr4?EK(Fo-!j z_A*U>0^h{KcP|5$ZHp!15b*_$vITI&vdsOCfPwFVuJBI*GEP09c{8L)@=(zGc!5bh zQ(<_`?RA2!ElgMAMW%qPzaOy z@nv2W6{dLw^cIf#BQSus=+-imc3(==W;h;nmpNn@7{2;g_ZlXy0}{q@I6uCBvjA#S z)WFqdBsTd7a5O)VBL>dt4iLfC%oBFK*dEGf+1cz10}{{%Q(YjR{r2tKj7JT`|Ev?( zGXY?+ZbWj_0E99dro9MSQWqB%2zl+N3*YnshaPwl0MRGmN2~ohr_NJcq?AN0`Q*gt z@hmK{e*3YWpm-bXb{h~Q0JohdH9j814uQ6enzm+O=AHr(5#W&*q>7TIaO3=mzO)Iz zm_oCfu z21&z(1<+}@RBs_oucK0<(gsNUlRdx@bY!1OP9=RXehsiLvf8SEESEo;h_BFK3g1jj z!$V^Qv*BRZI{kf4V=c9uVma=!XAQcmyftw(-8N0jxVCV-%6ibKiAslacGyBX3%X|ex8u6i zJ)rhWv7b%u_kDqTex$~eF3!_*0I)e&C<2o4aZT373m{+n?W4u7ThQgZZwp%d5qPrVnp%IpdSReRtFJ zCU%l#i7AhNylh!RFhyPxp;p$^aiyRs)tGu3h8>cax%Yu2wC`pJ3J7u2xZq)Jw@u$zZ=V|~bx{7|sno*+=b&~?|7QU}ffn1NFbE5WR};95 z(n4o5K9>*{TJi@YWO=KD2Yd(!VL7Qw~Da=h=%O zwwzcB8Z1ENXyl;vcnOONM&w4>_u)NBY({$Iu|>l>DEZ?zc%m&*QeFjpKWWBMZG)(U?&VaCl5y+zQFE50Q{XQRdz5N|34Md>$X4xF z;4w@#+bQa`e@^?#+{9%2NyElxSnzM=_=b=rpI$Nt1zRqHt-Nuj;uc2`CysXotso{y zAs<)zZn`#%i*@D!P>G5b0GG=rShsmwNEwizsiDR2f~>&tZlAI3fH+%=JJ%vP<+A#D zB(X4m$k2q}`mgoNtoN0}F;50izOK9Z)XO6Ld^A6$^oe_U<}c={aNaDXTL0Lkl#8&vMbJu!#n@GugC2tjLCRsQnaNA>Qv^2&?>$*M4XYEZ3(!SJ(fsM=~3D;I4g` zwMzTv3WC|SB7c|$cUF7r@0b2B26b|_IJT>N*08Zd(0kjoZ+1!f2ygAx>IOYwAHZ-e*u0CRut z`)U0Z!1~6z>s)3X=Yv3p9KeM)fZc}W^UJ0x z9p&)T%zu2zqAu8P*>gFTq)y;im30a25cHN>SF||HL>lWWePdhg+m)(xyVpM(+U7P;*=CJ;MYV z>7M{F^k(TjJ|wIC?a_j!I@aprT4mQHM11)2J1&dv0Ki=UXg8LCM+Y-6KeLj4&nCD_ z$H0xCmbd_6(&j?s2GatB+knpIPD~F?U2Ron_bm4By>J`{KDzsMeo2K^eiJ~Yq~DX2 zrwh$5vGIOC!Km#Axixy>;2eWrfe-1ba|X`a3h-Roets{msY4$Wm0pE~<+Ghy-yhmA}G_B>+dMuD+F4 
zR#uwC&;R*CMr~!pT%SBm=c$=u`HvM&!itbq*7UtuLkq`c#V_230kqJxp!P7pH47M?A6Y2aSxh|H^o9DD9_}y+Ou&J3 zQm2)CT-*MB)%T#_)$lWKgE3K4OB)ai2-)|n{k1V<;eNRSiCANDsc}!JN|77d9jMuQ z|76V-M`RPu9wCuh@)q0(#(=zMqirej&jlVb4sLpb#5Y3fMU#l;K|j1pY5-*o^+a{s zvUMDQx(B`)W{|xa`W=JJ6oEa8wR$1^8V{BC<5^X8-S(-022vMDMxz>uA~fLLZV1ET z^}m9mAK=-I>2-3Z8BIj6;vMh^$T068#y6nGQ9Jm2yvj}Pk!I{MoLoqF{)z6q6!Q5Cta=pGe9_Zw}uDu1H>28ajK!D0yS`qofT{@h- zf5Y?-fC>8&ZBOuUDnqLbnmz`+IlP4ZBq_cAT@P?7UlCZgK8}C#J1Y5)p$uZ-1^7J( zY@)La8{gi7$mgEjIAME@`{Uma(*mgu@Wo+Oc4|fJsAi966+zi)0Jy&M^74R^{a2X( zz0zc7V3niv?|-=k7N@HIXNwU2D6S8vIE7uv%jMR+!SIi|ZR7uS6P_YK16=et+u%aR{?St?dQ4 zOI#-WYBOZ0aR0)+2=eK>$5Fjys%apkN_vo%yC4|! z^X@tfWo&0Sq564SW((6_5fz8iijYONd+cK?Y7w(ckZ2_ph8m4ULBtNSdhYf>F6yma z4^UwSvEOq=7?J+z0WRzfu#r;?((e}Q z12d@j-v@qo&6V#sy8Aq>{ERLERkg9kB|&HjRuH>#{sWY!c7Who$5DlIe0P_m=UNfs z0;2w)t zI9*t^uUUg7JVy;E5q74=dhF-A2=acg>d$^X)R!<45g|pL^e%vaTpcgEfVx&Cw?+=+ zB&SGBGC8R8`DUMnRQ|n3)Ws~J55kLYznvwO)5j|E^SgE5>;vR#1w@y)mLAM@W@846GOAFct9^BiD5&b7!>s)G3^U|7%(1Q*#3(|Gm7caO!HB$GnGM`WZrY{Z1 z9Zacrk0*%i4PuA@*yvy8@AquSawHpRI4ba85TeXR$jI^Yy-i|W0r{=C8nKgxf$X^J zSJTh1Zxn``K~@RyMeT5)GctG~@nviX`RousCs+e#on^_+SEWb|b<$$}OO*fj4e8hS zGnUhYY`&b^DJPmpSZfPuY1hb^!OWc?HvAodAz6Ca8>MQs&{;W{uM9Fkd?k{sIj{oR zXxzA5qi)58iuvk{_d&m&ZEFFI_YtY@C-RM`!fmB8S4B-tR!ma?fH7_*3%fbp1@s^w z)zdMP@mJC^d^aNWHRbE$!$H$03F)c(Q9ZX86x3Q%S=s6ClqM9r!1Yi9?o50gG*LzLP@v$tD z0D+>7D_TB4E*A2?f-;loGHh|C;w70h*^Wh!n2)ZqA9sSqo?B(NzilLrYc&91#uLu* zP9R7fZ3f$@h<(eJ2w}cnd=_{|o~{Nge&d`QO1-TH8jOR|WBbTw@BY6^H$|l=yhB{mEiMetsw1%3)vrCN_E&<6K3haUMw$ z^?zw=_vmIm0-nC;)C*6eHSIzZ=k5jIbY`LH3w?;c6a>0!9s3~z%=wO~MvnTaVPwIR zO*^snZPaV(wm7?L2mK#Tc19jcwPkGv)$D;KYrTG+2GwpnZCfiTUCyOXou!<@ov_|p z1VEG)Ci-dk;VPgROfg{G`IVl6nBQlTT3oqo85R$$8zwRa8_mDLu@koiQ31E_by49O z)|rr_OvaSX$>Z0Ptg!IY4+J`m&XO)kX>eX&wF)cE{*%>855V7i6!d*9^i|N995cLF za~*ZP+?qZ-1a!i{J+6lRZfzk%z>P2Tu$T^?l>)x7;ACNV_DD6@PGBkYUuRho_xz2) z*O|CBS%@*@WNM@vua;V|Z8fdWOd< z03BDFB>Y=iGZdNLwz~cCG_=11>(}}rs!ayG6(D6|(6UeI(ovCrUUx_h3+A_=T=*dS 
z*~NYgy4x+gKfw4ppPVcM?=kn?+3=QD@Wwl=rQc453_wgEQ~}v{t}^ zK=~kP!y2PmOH3#XC;!``9%92@Uj(HBH7_AB`cH7PiJvqeJZg#^a5PX9>sR|djTQdj z$<8xtiscSOBhyw;h-mi#v!=#*eb#c~_cN?4u-|@U(uT;cW(lOmLDP*3%l*QD`42cx zAvKOsMz4Mk?5$oD^EOLwClZ^=q#di(3ctb-Vir~k^0Wf>8e>>@Kfm=z0~@3%yuyf7 zsU`V!0odpCE_&ecBjEorW@hFQt{&$x>NeVqjo-*sSV5T{D6$9uh!xn6>h=C67uuQDP8}GvPvG_Y45-iB7vF z_%(lA&JwV^L_?4E@L5?xKn6Tb(V(VQEy|^Od~B`h_pCXZftejX^*1&DhIqB^H4WU- zKwus1BCRN=;A*~WwTJwEpME$nZ1l^u`j8FTO%N8_FB)DQE>=Hyst*?M&zS$shWz6< z!A^=Z7)6($RpQUygKdF7sS~&VqrI<=%4+TQ6+{HZ07ObaKtNh)Bt;295S5qimJ*O| zR16vkX;74Iq*J9skZzEc?v6W`ThQ;^^PM~H9e3Pu{%4Gqe0MRG?_jAT_tn!8f2_;(cVK9jDGFhB_rxQ*VKw!JM#}%e&%{Jt zc?2~3XWEz!fp2S843mxKaD_W}zxlI_<2G0RY^0V*j~IKNH;O!E{e<##zdxVwGibOuCB*w0F{v^^!QxFJRA$f|4bHkI zn*%%ZYY;K>IFNei)~^vE>nK{jdJ^II_rO z4f_84>aV->r$@esj);uBiP;q&R0&?Z)S(@6G%#F-w!4KxuRf@qN}XI;BQ1v$FA?pZ zr%IcB^-bS)EwvvqtnD7e96%}tgaE@Ns`v!fPsSSsU3WY~Ve}`2TrmRnOYLC|DVcM{ zezVrg-DMGHm+Br7*!a@IfN3qF+4|v50qTFBs2dv{HrCkbg{paw0IsT{ne?x30CMj- z*eO3KZk1#V{{3*n*Vjzw(?u@F>tp+U;6Ta|b_yC_^cNn$vzsrRTnA(X>)sh+wlV0@ z9sxr0@6j*PRD2J8t&TW9L5C^=1ry*@<}noY$Bv*c;b+LOZCKMcD|Xo&yjJBfHA1rA z^#u&XVCVFquHA z6iP83_s_-odl-lQ*|i6xQh~hvngeK5M-`y{CRB;D$szRa$(J)>X4{zS+W-PeKVpps zREq>;aYwKB2Z9#%BZpzd$jnS|xt6*|O~A3>b5Y#kUsP3f{fk*|>ouxFTDx;l(+MZ}G0FY0Bdieqy59#fRnF zU)Ub084X>nG%b4=c4{4<)~k+pg-~HW#0v9 z18*z%I4b}Y4pk3a1NJr0O&1ye>v^C>uH6J=xvK9IFt<@`MLJr}XC+mB7uQ4$_%PdZ zDk`0e7_#zeK@YGgTMfY&db@(h3`(m1-FrfNs{kc_op}*(i)kF%^16B8o~^n7-?e~d zrYVBk&u$aS_7;58H%owiUA|8IT_FH>4FRf{m9lk#lw&$3MLhW}ij=D9&ys7$fUZc| zDo{)^mK_6V=`&-J>#z-J8JyZy!AXX&(bV=EF!|&1V=S|16YOQXs5=_qkov9;6Wl$^8?a5wyZJ&;? z26%iavE%YlGxSdmVL@43^z^iP4}s=WVgK0GFZ}G_H?RMccPizZz=o>&nM*s#_?#jg zsel_Gtdtn3Y5Vu9^3M~vVD1@_KtQAr6*FFk)hVQGp9GZS6)rW{mqF-gfCR+{(%pk7 z7+;s&IA)-V;+ALJA*AsP5VKlSfIxw1IsC0vNh69Do*o2fVa! zQ!q{a1O?piDmuS*wLATtz=7=dSBRKzBWSd})$`Xf`~Z!~@VKXSTo3m_Q##pExMgja zjGXUGMr#9=k+W0rnH^yk!l()rV|lVy#${WzDCjZ`i?ZoH;M%@G?3J4EWdchP=6MG! 
zxh3?9iRpJAXpmx?{8D&QH8#>L=6kYgEKaS}^~-@?mIAc(?3VT1*yrijAmIH?(=lwc zED}#%N1^TSeq}3B3%_ExQ*TuAaS)tNv>9@?wfXYu*!F_U2A}>h*n^`19-KHqs4Cp@ z+SZ)%Q#Wfg=@eW^@xdOqZK?`u*h<0BIsI0{h1bFRrz=o0F8* zeFOJ=F_60FMd1&Yg;DL0%Y6G;YZSQ2fD?vp@*U&^i|SqybmB3n^|hoXCf*A4F3aP2 z%pD*A9wjS4izgGH-gG>{ zDezcN&u)i;MiYyo_Ptj!&y%Mux_fD{t%BVGj}=R{>>>-nC=C9^xNzf>8amk(b7+XJ z?fLcC{=7OP*>qOf!1B*lBZN%ULe7t*uE+|zl~RRb*hx%iqDKcEHVg1tk_hEy`QhSK zcO%M*23LFT3o46Q&*{$+GNGh~3|}5?prY_&8hek7ulQ3|6ua3Av926z`*G#pHVb_- zrdd@N@9yeEc=9BFVe)}@`u(OrM{}pl7qw$@@}mu2s+vjGKE4{Yza*=~xjS|K=%@53 zffhO~e>zzB1U67ctFRS_%7aN}p|6QNGBs99{;GiO& z5^C*gkH2iN{PG<8>x(mt9R=G!ef4(wx+X-~D8~poOQHhCC1L}h$sj4*Fok@O%ivCV zjZde~%Y)r=pVHld+8pYTfd<;_jN44wGhq3CU$qW|#CLXnFN!xsf<~1RaWIEO=WFcM z#1$468tX-<{Qi#6Z^aUz*E78IfI+qb`qb5mAwR_a0EyWh(D_W~<#PQ=4*KH?(4$?1 zsE!rya*AK=hoX)Tn}XrepBC>X@{vD{n%YpGw*w(q%-&9x`HwF!Q&rq?^J!T)5*xeE z1D`kTGSPX}-HfWj%kA;bjs?)lnH>h8hbl@kOZn5P`hZ-uL!#7Fh19zOa{3!d-A9K{ ze2&?yq;uGqANV)W26XKu+M6(X7}Qg+9{4`RS$t~A~zsXKTD9N=-M{D^sm zq%uYZ-OBKHuLubC-^>mo11dQYx_3;;$hwKM%LE!1rtIWX4ICmz_p+T3%{ldujY5ul zfCoye1Ns(TyTxJTKnK951N;xy$baB_JK-j#<@Fl*39M_HBGR3{a@PZ+th+~Cm%p$x zjHn$7uDvAKx>)^AD^2wP_it`KhUE<1TF zk~#A_^5o(zx`ACJL;2RKQmjO?E&wL^u=h0=_Jq$rq^gG zs+lT(`m{B-)#Mejni$<-QtGfy#1Z?b!$sO@@hUbnqj#<;BlDU&2_omwtx396lz8bz zUFmubqzsLF$s=kvL~a5tQkZadZ~ZuGoLpY&Ew|9>mu0>f_5E*8CkPnp)l>$Tch={# z1{T#v^QKC_O-ld4Hw$BTyUT+&TQs^e1~b*KPneq ztWQBGnUi(yO;_*|InjaoZw7T`)BH5@lp@H^B##rBIrr+=$ls(>a=#Pl<)V@-UD;fm_y{OC?zIE_M3F{N$P@icvL$DdoNW z>wy+R`QIGm6c+*k+%kotDu|B6#~kbp9qb|UK>%f|_=N>?inoOhR)nZO6*XfSAEL*? 
z=x1(0<+`S3dW+QWm_;&RRZLWJU8+ycxRRt9mE70#IvgkeMr6@AIzYU4UgdxcTG843 z^weYtamA#=N7woul=lraljEdsD*%cED3zq|*l*&nN8va(3!%y%Filb#e%R=J2%UQ} zWo8Yzq>+$%ryc%=F#4Y@UJo1L#gIFf z4>Kpoq6A@vdU?sR78F8Gu+6cmkfQK3uq!;fa(LI!FTZ&bBFI5%a1VBKa7&_60f3#+;0Lc3@}D^NKy`9=(kd z@-{lgb$E$H?x2!%f&e5kUdu5!W(bZSQqKJ@MhZ;3R(-Ok^=pE|ZA7*U^erEvNO-`D zQDm0t6DZ7y_YWuia4q>ekLfgzyTL>%&&;%FM)^?xQmS6_(oYL#T9YAzwS8&5j3hLM ze?ij+{tGmn-!Buu^oiye3Z%A0@rqctwmjh0=}c8pGWy6;me+tU6R-~!+`~pDWzHgY z%@uZbBmXSq58u2nq<|~a{Fdh{01%LPw1ob_e5UZAI=x*CQ##ts{`rCI`s=?5i^F|4 zRtm0`+7|%>Lt=ms;jk(r4Ap)L~B?x$_qE=-U@T$+5vmH z0KnyGmI6)Cl;0np?a2X~qnHg_32gU>c3!U`IX$8!TfCLV^&)+Z@9V z!Z_z?2=Goqq-8y@jOzgEo`0r&>pLV)y?TqAlTX?E2yh72@?AExMA%jqJ_O2$*otNY zVCM=A283242Ttv8j`}^M4L@_n2F#&v0Ec0WC=OCt)~@<8 z+0f8d;a znezP^BwlKNZ>Mb3E^}nOl?j=>;=k2P#J09V3$Au3gd&(VvW)r8}2On`x?yfCLhr z!#6ZC`XWkyhfldIUs5Ufw8>E}u@6&k?2VW$Dz=Dpj=$>YpQr>GDMO zv<}5iH`EO2>MJRT=Ab%Hmmnn%@M;UR(nXn!n1QU;h?QgumI{kF!iAizY}5`aZY<^X zw zpj@8(kpx;rj8ZGm4b5dYu-qjn0sR7C8Mn0`f=-2IWIFcQ*&@K}K%6oPTXV2*Cqm~U zdxFV}&jw{wdoUC42t0>eCm;{e8*^K;~4G;T|g_TlV~EkY%LC=Iw$hHWFn$^bi1&#K=5lVZRcNI|bL zFCv=O9BZ~^0zP%~Wl*ls*mdL>aAG?3mg>fY<&31J5SH${bYNhyU37I&jlu5QP%3rh zlq|FPEU)tPNN#MTictU}_nNceoQBJV6au@#xfV0U-{X(p+i!Hs8ck`shNyO~v`~Uk z5GC!vOlFjWq$S|tY5tV!&3(#4K)O8uCBu-RlE8iKewe~gm zHgqzC%CvI{>Rvs>eHsJJK)C0c9AnxiJV|e9Cg>*V*{JeE6&2&clbx(jtP_X*nQ?yA z4dJ6s^N28jrjrHXDzRh24omp&m%5sA>G*$m*`nLOGDDM&<%!Hc(9#DE=7x-$vA=U& zk3q?(Qqz4O#BoUC_z{N-lzEe}Mes*Km=y5KTKRFmzyGynR{84wCW zX}|MNABX%(J3s7_|Nn=7U#kB*SL2`f*r!N*Y$u8FTaXzXSz1Xl=d63i{gzy~5Q4~s1Edmgisp7{Sew$hR>HT}$u^goQ|(9SJM=@> zk;Myvx}YBhxwZ=g=h7?uaxfi=6mC^<%8dN7JaWo>UHK%(BYJh*{i`0Y)|clH`Z@m2 zG<+Jms^on^hSwhT$=|f(kg{{6q@OIHZtL9}O;I0Z|LP`TuO zn&P!``|nhI^ir{p_IJ0IHUO)u@gb#)lE(%K2$ER*1y@GAMmRd)uW*MrkBG7x*!=7U zRZ0r14tskO3>*t>quY18%bKV6B9dG3!r31kq5)6r36#sANdH~e8jYv>Y=>)vawc9U z$VF)NQo9?`wv?FAzg>AxN3J61dNa4XC&wTLjEwdX_e;CTA28EeXOL|^#;22k`xxp# zK3VY9qf-j=$AzDD{N_QZHB0(k4L-2>biOm?6j$mf^p*d0yGg=f<}*y@9XhCPEitQ>9nR?RN*#lvt0UL{1QOP25&_>?xD|?8nscmoQP0JO(b8I1_)}l{M3Ph 
z-<>(-kt-E8xVhng2}X_Tr(5DH=9SbiE~FLA{M2hMRTAB(-e=^T<9Xi|x^^)m)Zr^% z`DTpet*P5vrSdAyQ?9$V<;?j%Zx1RrkMt(XtZTyc3l!~g;ran<-SxuT>=P)Kl(U1I zaq523DyvhsX0M{^^=;Eq2fucbU9-su<{C&%T98y@Oxm$zOu12`tkl74Ho?H{&OOO> z;4=M2B_^>bwuNLbLZ;`@&*;ZPsi_PbL{o-a^~t_?JLRjt0w`oGGxkjE#eBaf_byDj z8r}?UNVZt$2T#lpv$Kv&u9k-0?B>mcyR&@SaYpQ^%#O%@K>uq$Na@GGdayS$?llyu zBKj`b(6U@mV7=eGZqi{W`S%;8)g~h*r3WzF_kPEd2G@>Nz!7lOR%O|!PJ@xGDnGYf z!Rpv=FR(zGgr{2PT}EocvzaoaZa*^zd#fJmk>hP8lyY>4JOg@jdG5$ihU)ILW5?B$ zYO~C-73W~o$LZ-e!Ov2WQ0(dM+^8{*T zBCy=nHHPwQ=l-^>0y$@qeDyO(AXy8_PJYtgh%$q!@(tI<6crM|hh}4T0ogbY*A&8n zR~*1T&3oam9S~3R<;-}4{WICzU6ryD$SP=RZ8yiZiiSG0GTTUhw8t|@#M&>t{|FgU zh7zUT2>PyxI`$gMvO3>RsVtM1i^s8TMy%u8(r_x)21)w%Ria> zmpaX&l|@5epNpdTOyqGsdfRY&Z(;8Tx0JeFy2Ie@uJ&Tvp)=e{quqh>WaS!u@$q1^|0(%NT&?QSH;jFQ5mLJGP5j(I{$`<4M_iJ~EVIjxo)ZrrYh>A3 z(EJ3EK~WTZvAzJ6KO)2_HZ=WX>7g3dtWulCIU%eXOFy0xoEDn4#Ak+VG$f}%s`O(T zUZMi}X+jn!uxAZ{a|CjRvbKxVBOVnWUP}1?^~nx%N_{l$;gpb>+X`~>Xjj1B0rUWk z1tOqHN;QgK;gI`%N8HPiTX7yXkW=_}V4VhGZx*oYc3?e0FTnCq~Ygd9H7aSG$UpO%RI^pXj&@r7lP&PM&Qj1(y z2)S5Q27gS1-h>bc3N&uT<|?jcuAaYyp9P<{0gm~coD44iR5+&^K|*FyVWN{2H2C~2 ziqDoeBQ(`x)FVIK)n#Uxds2S%RMx1?Jn!}op;f0v-w8j#RIZRx%#54~gYr)>v?@es znf9=|-e0k|O)EGkG;+eo9DN~ulBLvO_!DDD>AGdd(rlY;F14S^T1#BYH#i3;e9y*j zC;D-;iZiR0vOz9+oPvvU2OsN>VQ)Lb^TO7UzVt1Rj5THFHQ4@9f$A>#TeA^w%a?9; z3=}C$x9KEkdEJ|TGTAS*pLa@Y{ZeLcY(~^~+qNdyKjfvSJG|~Ig=@V&sAh^VVFvp8 z>t(+uktwkbcduO1LlM@jfvmIMg#diiinvPFFk4ZU8fiCmWRp8z_D_4C&=V^sugd`95}$tV1o)Kl+K zaDaIG(-WtSMC3d6GjmV;v)0_VuLvg^fgFqVP9GG`%Fr6#dEM{1G15G0?UD7#2-yG@ zs2-3l0&!vma2^8CfPnQDK)FT-BbmQn26|>X_mJ#l{iiu=J(PLBeEvF!0|7=PB=UTMhYWhR3$0ihbbwf-c! 
zgwrkd^IhFyxz5<^$J3yDX`6)ng50(GQw}}(O6~nbb!~e69mJTIKC$c+N(}N>bzVxD z=Pu|XHi*Q{{T9allDpcf`~>HH>b{_?={VZEb1u{#51-qU^MLMwg4gm&F{hR5kdlrX zUInih6U_g`27Qj^OSc>$Tz&|2+)kSLN?baSQdSR=SGSXx__SJJJL#Z_Br&?+{Mj+< zXC>91;s;*44wLA*gS~Bnz9$Qi&0hwniy~EVHHmS_TBiz(`P4Bx8w(VJic2M&7&#Mn zMF}ld=lb$*g+OVTS)D)vBS7&%88#*DqCs?gw@$Q4;9V?7bQ)r+*%udsR`Fe1AI28mZ>^gls65cR+eXiZMJ%= zcKWfX5a0vMgEITdR2(SW@N=|PxPr~4{;cv)l0@k93jt1%fSnOp(GWs~S0V2PjlRU+vuoIFH^ z8DF4vZGsrENZWjLOt0aTS#&?c!$9Z9sPsYGoMNib=WU`q^BAEsR3^i>cUhK8c=Zhz z+XIiGmuKwOFH6-uthS;he;kPO*t@0!#7nYoP)h_Ji*A7w`j&_fY}2%sp?@A64y6E6 z!i_TkIMeTC>V>MCYW&0>Sq9r16@Zq&_dLDf^(+v#itw{nyIW6WibkRP z_#S7aTYA(=ynNf=^PHiMpn)EWe~VUOmAde~icUO*!R9nD0lI>84?G7a@2%c*cljRbh@p|Cu$1eVU~hUBpCRNYakL|P3#cD7{vS_05#Th_RRDc(% zhJ3KnDo^7|4&%fz;ypPZKcPG!Rtn7Z1D+WAkPW$-^K?A!bVoGQpH~m~isL?pfdc4Lr33|^?o-2c=(%gHK*?^0%JfJ}Sjy!H|Ma>8+Ui9{^9R-_PFgXKSAM2%W|e@F{L~1gwir(FuZ@X6uqRqg`dpxz^W6HVTivGx3L9) zt78Pb2KY9YV=FnxZ;)-gn&mImC-M*QjeQ3AJj;!6`aK+idZgIVb8Y@GxsR?^w-|eO z3}3BTqJk8-znR+@+QS)a9OQ(~<3y7(ox4wFOZIMXCr1v#Bb^T3s+8{Q$ zYf0m~?|T=D@IJZCyp7hzG3WeY#4dp5N|>jbV|9|Q5a*}iuEHC4!js{?itxzye0eFT zEl~oQHaOUr*nUFVEEED?PShU1Fpr}t?h@$6Bc}RcOfRw0faM;}WwdYCA7>6T?vG8l zoxznMX4AzAwtSN@r6ov1HsWZ2vz+K!;wr1tkJJ4uEN~DD%acLp2ZRHP z^3ej$ke^zB;eX zc24ko`RCmhwn;jH?_&u;LozN67OD4TcV$L}0!}Buk*PyoG3vCZm*Tz|esJnHjK=c! 
zTEP?u#W4w8;W@kYFL?C#S6gV86S{y9jqr>9`vWseP@8@$JfAiH@9!Vn3ZcFzs!He8 z*uN-JC+rl=Ek~J0plY&dl1NWU+z*Dpiy$z~1hyvl#0mWIt#bIfg@oe)W7EOGVO-M< z2!4Q2{{rIr?{-`sNTPZ3aDNLNoPPkJc%ZAzkMy9rtSlP;l0v_4P5o8K5Q0D4rPL)n zVatePUP)x4ve$BU;xd#a3wXT9T);&b&B92)G$vxA(QCbnv(Lv#0<4-tqwO-O)WlB& zd0J*5_GgT55g~=bz{m$h;=_w80GfZr7aq%KXgI3=YVrrD4s(@@@rD&SIB3VzEyp{3 z;LMKfM2I(}*clKsk-P)SMsTr33r)%UBcf?ya@%u7J**@@e@>0=>&S>x!)h)NV~in9 z)nF`ow6_^vFkslOL|&hPIT-8a=4{K^#(1UO^oOhd{d7pMWnfqIy$pyda2v0%0=5!u zIFqiPIr^+wC`Cvy@Bkw$#l(RCs&@Mjtp+9zES(cniWxkYhIc!G#QB3l&wU40+c&21 z)eiV1$>+dab=)p56$!%}WgyjkhbKkkwpdyV zXYfAEkt|IZf!VuADa54)Wb?yvl2-Q$pytc z(j|wFr{IWJscb5_43grq^vy56E%V^|*&klulTI!uQum!oblpIeP;Pb^hPxg&nc6J)aQ|vxsyB@|K+zkxCR6CnP-J zafc-?ecRcQUrv8$66fyPNS`V{kL3NAY5HUWH?6(;r4lbY0&fKIrq-0`g@G3#e}r8x zP$dW6lJ$MRr2op*ke`)NCAZx6Vy;!b3d=e$Oprlb3~M%Jt(EmX@v~zAQk^9Qte?tmwb4O{T5o<_L;*BH`qCm`=8l55`K)GQ6a>bWfQ z(cp>acb0$}a}(#Ymw{xqg7KO1>zB&&Rlcx)R(wT2r&0EESIJtPkAP}q%eb^(Mguip zsCA+-R3fsR zc3teI0W(UmdY)jIc|hBWzk$k|!J>#BptC27w^hLK^Ot-`=w;vUFR|q1h#fWVK%Rui z5oWffOyy8}?C^~J=KZBZuWG+(gGdk=EJn?Gb5x?oAsn|i%HBsm zskHt$Z-*M?!*&Lr>2hiNt@saofs}@o+1V{ADE!<^1535{fk+=Qjt$|q?L`#OMWg7h7i7zTw9<--(+1_!m&M6lu_}MsY za^2K2n72>Hgg+~w>&@dj$sqA0TlX}9K>cfl{Umk2L=3@?PA{}vOuF36GUExcZN?Jo zl%ywvY5q$!#-5JkAc5HDYqly9-`1>;>4tzxC$TRW{Ah(ij^*BSwPb1Ox~=HsDV(`7 z@W-B{sv>I1Vl(UP6!Tb8Zc!c1_*f@i7i0Eq9KXFsw5Yz7YBN6IM@pWa{9Tshzy^^O zI*zRHf`m!jRIEeSNQYFd#NHT2ZX4(OOCh1GoAY@4YRRAC`lyoaoPq`31>DU_qQJdC zN-I0$+JcgO#{y+4m5C}Sy&Q*ItVbe;a)spqsc|nQ6V)<1Rm_Sc8n0A>_|U`SUY{kr zbR(6Li|hN<;8HEc(~a@>Y}a9w&`U=D6>(KOjUBa;)4H_Z_GCqp)^C9VtAq52g7kTZ zXPbXw*nB&yw4IC%{a9iOpVFMUXp}L;C*QEf$VatEO04^?d^7Xn6ErIw%NY^^!At3Z z31xgA_=m`=7m}C)JMDyrf1;)OeS3MxoM7Y*g6D;V476OGI=WLZi!^d=LkHR#*?_bv z|A*d3gvyogQ@i*NyG$Pd!vk?8@WDvT&eFQ*qGM*u_u%6XN?(aIcU0~U34VK&d*5+s zh^kg_SU$wldVMew#+)h>qNA668*=ufGP z8jW`9tcWhShGt*AB`+G`h0e|m(sb-!^eh$1 z)Q|ogyuIbxbr#3ks7x8H{gU`ve{CZ7FV_S+l=g@+ZVPvW!zHlHs2VEDry1FgI%MJS zEYZTG53m0tW0D{G@{a7@028^6-GLXf%V8r2nI{cE?m2_Pl!bvUEVRM}kE 
zu7C2|E*qtXjOBG`Hw82ABx@_)M5mJ=yFUm=X_w}uENNoeK#Kx4nv?RIybKiy>n}O4 zydfDg>7mJJ4wFjl~DX2hSd9RW4 zx3aS2LD8|`4Y7!PieAZ=AQf=vp>I)}#ewO-?~6SfR#>MeG|-f^p-hn2nYDs-)q*6# z5Rd+;>YMl}EOyU#Y63&X$mmvI?^6O)OHum7s_m_USmV!`u!1k?)2BSeeo+wsv7+=t z&v%K}0Tg{<{GVl{-`x2GV!}cMuPIo(zYyO+*8qF(w)(afO~4!~szgMgT9gm{{IjWcE`h*HqN>A;{W*@0 zv9O~*cwz?1@n#d{R$>V}v>eDqC!?hjqVx|kV8xuca23l?e~zZ@gX}}>Q48+ymRS0Z zGRt{flrFsa7;%N?4+o!OI0@cOlvfJN;ki^^*7;O=#1Y%0lU#T3xexKG%$}IJ3yFjo zHl}dKjrQ278ym?*ae*D=A1J6F4O3X&OrVbvuZ#ZHs#hUklqN`VDw2OVQW7prU#4*J zed3)9v z#-lGj?%$+InnwEqr>&A{=n9UEAt*1bxc4IwYQdxxw={L)4FO02n*7o>v=vf7GprKV zZ-9IHQ0{*Dw-GS(wiHVg_-!f9z1Kd^$ALSQB+A!A_YtHbPd|iq&iA)E>f*hQ+4lFR z8-2!3R!PKixnGJcew=3JQtr^kg#oH1G-drnIn8VA?D6`PVsyWLCQ`W`(PwALb<^S5 z5?k8x2#$>=jdK`w5!ZJ0M_^M$4{7A{j}nMZTUE}q<{o!z^hz3(y%z7R&HD&p4sX-)tfjzBD>5Ul5!KPqUFE_T!jr zf6Xi0mF?7JHj?@AQc?Ev!tWZkWDcK=!mJ)BmPc3~J!#vhaHUsgoJMhaHBLiNOv*)9+$c)hMN1 zi{K2U+8>d>SZ8yWQhH!-M>Z|{BDdP}NN@DH-}1_r`4? zaZb0`r_TI*eQ-%WwN!p8H=-x$h6sr<)#o1mb1f0{!LQ^b92#DQ-bMf0`2M%4m0&{V zr#R>5KD71!{Kz9C60&yfA*7-M<%9*U0vHvzEoxi*^LqlpNp;SpD7{>#mlyf}x-n5V zigSdF4+n?r5xN5qM4E{Q<){xw7kt0Yd~x!L{>Ao}J`A(40aJb844?ldS`vslruA+} z{;N+oFCdY>H2OB6VXOB_lK-~;|Ngpz^x*%${{2631Fu5n6j1I&AxPmv)Kwlf4Qy~) zUxpr7d@1oBEif!~Bq0*B8uXvh+B_yrKA=jYC%wb+5c-b+XrO{Ck=_n^Snu}nIKHRA zk@#Q7t!PO!BpwL>g&#mGJ?qa!PzmJUV%at4g|;C#qYlnmL;mtT2Y}EB!^6XYgWV5` zhz}0WbI#xy%-=O*T$qggn? 
zf#5~z(v`oOr}A3ZWu{5|_!}YS)km%t=%)~d2OZQWfJzc1ybbt3mG>c-#2Q4A-Wz&d z5|(x=@4sXo6z%4dlaoPh1i>oV zRq?qvS9#4^(@%HvfQz;Z+FYq$8LambQTic1@iKI^=E|}P40A3Ja>V;QP7cjLJ_C4} z-1g?gz1*lt$^nM<4kzL-d-U4JSUmaIatL0S@)OpBkM?KY)Eq&EXmYflSYZ5g3ZE;0 zMaFhHap1Gv7GMf+1d=fYeOsN&Y_mN7F?~o#i1J&6(`rPe{0xM(q-5Pll%5($Q`cu( z#FHZh4xWJn{|o4_-vV+n-Qa})I;F;bbJy0szBPrkN&on(u~T_!=`-&h20e>`EQ2|) z6AMcZ{sFPw{MsHEx+FCvW$ifGOygi$?hTy93D08yPTt7%rt_MkQnCL8(>WF^_$H8m z82IPYP#Wh0h(CMgFHIADvi;%e2W{ECogMdyXSwa&5F&-QkGpAL6{oGJsAy#KlK89# z@Sf$<^d~*-A-JLnfzkS9W+*oKFJd8xk0I;{D&M8*P>+ac@kB&r4?0N<0%?wRvqy?m z4qH?8K4io$7|~1jCIOpw^EZa&iguTQzZ|U{aeji>N++$W^}NLu6|cg$n-44$8GpWt zxzI7xvANR6)3Py9&8b31B}5W~-DT)pAA&a6Dt{E>+yDUAkStjpFzKbqlRQVXbv4kr z+9M$M=NE#8eGoql9N)c?qrrmSeh5D3R*umaJJ|?kRS?2KO-=pNXs84}gBvwNmqS$` z5R^qFc^9l20;peK2axVfn5C83pf~lidpNHW`P}AZLP^tE^I0BRg8FHvGb~uu&?+%w+wu3xY3TDgSUM%M5AIC(to>EO?)wczKTM+h|;4@YXAtjA!{wOuKxAl$$^OdL_~Z3%=w%VCgTwk5b2Rcg*_MkxKV zfj21cf>vNPUZW2t>ZubB_1a5G^Fc)9cCu%NIe@x4)tHn9~*AwkRh)|la%`-hEmS-w0hQI4^d z=#p~B^)a)HEQ9$4`NGi`76;!wyx)O=J$O+$^{c7>;|h?rEv*RJ%kXAkCWgPEIb@>x z<<-Oq9tTogbG4H3bo7ba3uNs~{G}k0DZOF6ckrhF6RAkzXHEVmPX+mi%xMwy7nCwH2GZ7sX(>>^aBp8@kv`AhYL6qRAeEit-{O%>Lqo(6tLs zS|u1YZgXJSq5Se1)qncHj=w#0VwLgka9phPLw1k;or}1sb28GeLfm;H{4(`C32?$j zWlOG1%LjTgKMsC@LZ+} z{YDS*Zh)MGprRmCH%Z=cD{s{YT2v(A3O7BB&=v7RZ*GyY`nfGHo`~N_3F3B6D}<$DIq>mg8~P+wjoLpp5G)qHHbC55A5sc2Q4?+ zl0sEm8=p9!%UaUX8>t=J8@kP{N?qRJbiOKxogBIQEZA+KE0Ex~l-)`fc;O5cO7Fh9 zv>E*V1C@ji)ABZ*Tj(=IPwF&o1AEhc&Q3{>vKWCClPBaFlm6^>bn;~v=ud1 z>@tgElkpPlRDz&Cjp%1yneXs-OCik_i)hetKQFb!H;ao2L`zwblINYasR{F;v&CP= z_^faJGoL-{;9$6T#p2co_hF*Y25y3HZ8(=Zup1dMWGFRl_!(q> z7Ddy_KD{8#BgEN|c=rv8>%?4uMGsM5AQ6Y)Q>vTX1hGt-u3sp*sabZ%)Ozx78!;b0 zM{TR`u)LBa>5YoIN-apTNEeCax%;s9Irk%#>^v_la;XC>V`<}!iau`TN!~>FWOCzf zY~^+m!3(`On{AX#_&MgRfvG7nBxo{}7%{}`&q6yKo;ulz7QP@e*17G+^@_Lz6SITE z-Vy|;RaX{PDJ`)lNbF>uR!rZVA8(*V2|Dz5{5838nUv7WOWP5xxs>_O1nN4?2BM|c?p;cc{qdCYC<}MOR;oDbFyguvCui>k zsr!Qqp3Lt8Qt<@73oa7j^|S{4qOwT=yh%+W>OgO64KEF{+CFK#OQ!Nk?ad}5hE5}_ 
zwNUTh7KR0z*Tp(120ip!k$J@_obWHF2?oW@^ZE2YB)NhgBfppp?I+L6^_?5>RN{tr z<|xAquvCScm^XG?@h<6-B%@Rl<=(i=FOQYGA(H-5t*(j4Cq<^gOn6dMk3Kf)a(jB$ zG41u2LikVdoJobXBp4d3?umqmL@h;Vh*boyh-*XWJbb6Gki?70%DCSrl4oImSF-$JNH(0!_0Grncw)H^(qqvE;eju^I_ zH?;qZT_w7R={kt>jN&;;Bi%%g*2w=@BP~n|NRH|NN9{p zf9Fs9-wSELh4>4_EF=D3fA2GiQs61~R?})f{67~0ONIZYX#V@LLWeH|pI!av8~Z5e z?e|C$Z+LNZ{j$5WCoB_>2qw>e4$yFNm6I44{ys;Ngc;P3wp_PA{y&=mT^=ILGnp6e zM_t8$3qUXlc#Q*-q~C%0hthVeoS8Ncc!<@+D+edOIJJe_5f)m&-Le{cHaz8l9AbkU zekPs{i@ck`C*vafBgg|7Z>JVedDPyf85?C0}g3_#%N>gTe~DWM4fGYagx literal 0 HcmV?d00001 From cefff92e718a7037ccdc9a61b3ac7186afd0ae4d Mon Sep 17 00:00:00 2001 From: Alexandr Tcherniakhovski Date: Wed, 23 Jan 2019 09:43:13 -0800 Subject: [PATCH 02/47] Document timeout attribute for kms-plugin. (#12158) See 72540. --- content/en/docs/tasks/administer-cluster/kms-provider.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/content/en/docs/tasks/administer-cluster/kms-provider.md b/content/en/docs/tasks/administer-cluster/kms-provider.md index 601b0fb97dc22..0b1d54be09436 100644 --- a/content/en/docs/tasks/administer-cluster/kms-provider.md +++ b/content/en/docs/tasks/administer-cluster/kms-provider.md 
@@ -31,7 +31,8 @@ To configure a KMS provider on the API server, include a provider of type ```kms * `name`: Display name of the KMS plugin. * `endpoint`: Listen address of the gRPC server (KMS plugin). The endpoint is a UNIX domain socket. - * `cachesize`: Number of data encryption keys (DEKs) to be cached in the clear. When cached, DEKs can be used without another call to the KMS; whereas DEKs that are not cached require a call to the KMS to unwrap.. + * `cachesize`: Number of data encryption keys (DEKs) to be cached in the clear. When cached, DEKs can be used without another call to the KMS; whereas DEKs that are not cached require a call to the KMS to unwrap. + * `timeout`: How long should kube-apiserver wait for kms-plugin to respond before returning an error (default is 3 seconds). See [Understanding the encryption at rest configuration.](/docs/tasks/administer-cluster/encrypt-data) @@ -89,6 +90,7 @@ resources: name: myKmsPlugin endpoint: unix:///tmp/socketfile.sock cachesize: 100 + timeout: 3s - identity: {} ``` From de2e67ef2ecb1d3adb669545bc45f2b7fda7a2a7 Mon Sep 17 00:00:00 2001 
From: Anvith KS Date: Tue, 29 Jan 2019 06:47:37 +0530 Subject: [PATCH 03/47] Official documentation on Poseidon/Firmament, a new multi-scheduler (#12343) * Removed the old version of the Poseidon documentation. Incorrect location. * Official documentation on Poseidon/Firmament, a new multi-scheduler support for K8S (#12069) * Official documentation on Poseidon/Firmament, a new multi-scheduler support for K8S. (#11752) * Added documentation about Poseidon-Firmament scheduler * Fixed some style issues. * Udpated the document as per the review comments. * Fixed some typos and updated the document * Updated the document as per the review comments. * Updated the document as per review comments. Added config details. * Updated the document as per the latest review comments. Fixed nits * Made changes as per latest suggestions. * Some more changes added. * Updated as per suggestions. * Changed the release process section. * SIG Docs edits Small edits to match style guidelines. * add plus to feature state * capitalization * revert feature state shortcode since this is a Kubernetes extension, not a direct feature, it shouldn't use the regular feature state tagging. (cherry picked from commit 7730c1540b637be74b9b21d4128a145994eb19cc) --- .../poseidon-firmament-alternate-scheduler.md | 111 ----------------- .../poseidon-firmament-alternate-scheduler.md | 117 ++++++++++++++++++ 2 files changed, 117 insertions(+), 111 deletions(-) delete mode 100644 content/en/docs/concepts/configuration/poseidon-firmament-alternate-scheduler.md create mode 100644 content/en/docs/concepts/extend-kubernetes/poseidon-firmament-alternate-scheduler.md diff --git a/content/en/docs/concepts/configuration/poseidon-firmament-alternate-scheduler.md b/content/en/docs/concepts/configuration/poseidon-firmament-alternate-scheduler.md deleted file mode 100644 index 709db849dd8cf..0000000000000 --- a/content/en/docs/concepts/configuration/poseidon-firmament-alternate-scheduler.md +++ /dev/null 
@@ -1,111 +0,0 @@ ---- -title: Poseidon-Firmament - An alternate scheduler -content_template: templates/concept -weight: 80 ---- - -{{% capture overview %}} - -Poseidon is the [Firmament scheduler](https://github.com/Huawei-PaaS/firmament) integration for Kubernetes. At a very high level, Poseidon/Firmament scheduler augments the current Kubernetes scheduling capabilities by incorporating a new novel flow network graph based scheduling capabilities alongside the default Kubernetes Scheduler. It models the scheduling problem as a constraint-based optimization over a flow network graph – by reducing scheduling to a min-cost max-flow optimization problem. - -{{% /capture %}} - -{{% capture body %}} - - -## Introduction - -Poseidon is the [Firmament scheduler](https://github.com/Huawei-PaaS/firmament) integration for Kubernetes. At a very high level, Poseidon/Firmament scheduler augments the current Kubernetes scheduling capabilities by incorporating a new novel flow network graph based scheduling capabilities alongside the default Kubernetes Scheduler. It models the scheduling problem as a constraint-based optimization over a flow network graph – by reducing scheduling to a min-cost max-flow optimization problem. - -Due to the inherent rescheduling capabilities, the new scheduler enables a globally optimal scheduling environment that constantly keeps refining the workloads placements dynamically. - -Poseidon/Firmament scheduler runs alongside the default Kubernetes Scheduler as an alternate scheduler – multiple schedulers running simultaneously. As part of the Kubernetes multiple schedulers support, each new pod is typically scheduled by the default scheduler, but Kubernetes can be instructed to use another scheduler by specifying the name of another custom scheduler (“Poseidon” in our case) in the PodSpec at the time of pod creation. In this case, the default scheduler will ignore that Pod and allow Poseidon scheduler to schedule the Pod on a relevant node. 
- -## Key Advantages - -### Flow graph scheduling based Poseidon/Firmament scheduler provides the following key advantages: -- Workloads (pods) are bulk scheduled for enabling scheduling decisions at massive scale. -- Based on the extensive performance test results, Poseidon/Firmament scales much better than Kubernetes default scheduler as the number of nodes increase in a cluster. This is due to the fact that Poseidon/Firmament is able to amortize more and more work across workloads. -- Poseidon/Firmament Scheduler outperforms K8S default scheduler by a wide margin when it comes to throughput performance numbers for scenarios where compute resource requirements are somewhat uniform across jobs (Replicasets/Deployments/Jobs). As shown in the graph below, Poseidon/Firmament scheduler end-to-end throughput performance numbers (including bind time) consistently get better and better as the number of nodes in a cluster increase. For example, for a 2,700 nodes cluster (shown in the graph below), Poseidon/Firmament scheduler is 7X (or more) better end-to-end throughput-wise that includes bind time. - -- Availability of complex rule constraints. -- Scheduling in Firmament is very dynamic; it keeps cluster resources in a global optimal state during every scheduling run. -- Highly efficient resource utilizations. - -## Poseidon-Firmament Scheduler - How it works - -As part of the Kubernetes multiple schedulers support, each new pod is typically scheduled by the default scheduler, but Kubernetes can be instructed to use another scheduler by specifying the name of another custom scheduler (“Poseidon” in our case) in the PodSpec at the time of pod creation. In this case, the default scheduler will ignore that Pod and allow Poseidon scheduler to schedule the Pod on a relevant node. - - -{{< note >}} -For details about the design of this project see the [design document](https://github.com/kubernetes-sigs/poseidon/blob/master/docs/design/README.md). 
-{{< /note >}} - -## Possible Use Case Scenarios - When to use it - -As mentioned earlier, Poseidon/Firmament scheduler enables extremely high throughput scheduling environment at scale due to its bulk scheduling approach superiority versus K8S pod-at-a-time approach. In our extensive tests, we have observed substantial throughput benefits as long as resource requirements (CPU/Memory) for incoming Pods are uniform across jobs (Replicasets/Deployments/Jobs), mainly due to efficient amortization of work across jobs. - -Although, Poseidon/Firmament scheduler is capable of scheduling various types of workloads (service, batch, etc.), following are the few use cases where it excels the most: -1. For “Big Data/AI” jobs consisting of large number of tasks, throughput benefits are tremendous. -2. Substantial throughput benefits also for service or batch job scenarios where workload resource requirements are uniform across jobs (Replicasets/Deployments/Jobs). - -## Current Project Stage - -- **Alpha Release - Incubation repo.** at https://github.com/kubernetes-sigs/poseidon. -- Currently, Poseidon-Firmament scheduler **does not provide support for high availability**, our implementation assumes that the scheduler cannot fail. The [design document](https://github.com/kubernetes-sigs/poseidon/blob/master/docs/design/README.md) describes possible ways to enable high availability, but we leave this to future work. -- We are **not aware of any production deployment** of Poseidon-Firmament scheduler at this time. - -## Features Comparison Matrix - - -|Feature|Kubernetes Default Scheduler|Poseidon/Firmament Scheduler|Notes| -|--- |--- |--- |--- | -|Node Affinity/Anti-Affinity|Y|Y|| -|Pod Affinity/Anti-Affinity - including support for pod anti-affinity symmetry|Y|Y|Currently, the default scheduler outperforms the Poseidon/Firmament scheduler pod affinity/anti-affinity functionality. 
We are working towards resolving this.| -|Taints & Tolerations|Y|Y|| -|Baseline Scheduling capability in accordance to available compute resources (CPU & Memory) on a node|Y|Y**|Not all Predicates & Priorities are supported at this time.| -|Extreme Throughput at scale|Y**|Y|This is due to Poseidon/Firmament bulk scheduling approach superiority versus K8S pod-at-a-time approach. Substantial throughput benefits using Firmament scheduler as long as resource requirements (CPU/Memory) for incoming Pods is uniform across Replicasets/Deployments/Jobs. This is mainly due to efficient amortization of work across Replicasets/Deployments/Jobs . 1) For “Big Data/AI” jobs consisting of large no. of tasks, throughput benefits are tremendous. 2) Substantial throughput benefits also for service or batch job scenarios where workload resource requirements are uniform across Replicasets/Deployments/Jobs.| -|Optimal Scheduling|Pod-by-Pod scheduler, processes one pod at a time (may result into sub-optimal scheduling)|Bulk Scheduling (Optimal scheduling)|Pod-by-Pod K8S default scheduler may assign tasks to a sub-optimal machine. By contrast, Firmament considers all unscheduled tasks at the same time together with their soft and hard constraints.| -|Colocation Interference Avoidance|N|N**|Planned in Poseidon/Firmament.| -|Priority Pre-emption|Y|N**|Partially exists in Poseidon/Firmament versus extensive support in K8S default scheduler.| -|Inherent Re-Scheduling|N|Y**|Poseidon/Firmament scheduler supports workload re-scheduling. 
In each scheduling run it considers all the pods, including running pods, and as a result can migrate or evict pods – a globally optimal scheduling environment.| -|Gang Scheduling|N|Y|| -|Support for Pre-bound Persistence Volume Scheduling|Y|Y|| -|Support for Local Volume & Dynamic Persistence Volume Binding Scheduling|Y|N**|Planned.| -|High Availability|Y|N**|Planned.| -|Real-time metrics based scheduling|N|Y**|Initially supported using Heapster (now deprecated) for placing pods using actual cluster utilization statistics rather than reservations. Plans to switch over to "metric server".| -|Support for Max-Pod per node|Y|Y|Poseidon/Firmament scheduler seamlessly co-exists with K8S default scheduler.| -|Support for Ephemeral Storage, in addition to CPU/Memory|Y|Y|This feature was working earlier. However, for some reason since K8S release 1.10 onwards it does not seem to work as expected. We are looking at resolving the issue soon.| - - -## Installation - -In-cluster installation of Poseidon, please start [here](https://github.com/kubernetes-sigs/poseidon/blob/master/docs/install/README.md). - - -## Development - -For developers please refer [here](https://github.com/kubernetes-sigs/poseidon/blob/master/docs/devel/README.md). - -## Latest Performance Testing Results - -### Scheduling time of Pods with CPU/Mem requirements only (without bind time) - -![Scheduling time of Pods with CPU/Mem requirements only (without bind time)](/images/docs/perf-test-result-1.png) - -### Scheduling time of Pods with CPU/Mem requirements only (including bind time) -![Scheduling time of Pods with CPU/Mem requirements only (including bind time)](/images/docs/perf-test-result-2.png) - -### Total time for 10k Pods and Throughput Pods/sec using Scheduler Perf. 
-![Total time for 10k Pods and Throughput Pods/sec using Scheduler Perf.](/images/docs/perf-test-result-3.png) - -### Scheduling time of Pods with Affinity requirements -![Scheduling time of Pods with Affinity requirements](/images/docs/perf-test-result-4.png) - -### Scheduling time of Pods with Affinity requirements -![Scheduling time of Pods with Affinity requirements](/images/docs/perf-test-result-5.png) - -### Scheduling time of Symmetry Pods -![Scheduling time of Symmetry Pods](/images/docs/perf-test-result-6.png) - -{{% /capture %}} diff --git a/content/en/docs/concepts/extend-kubernetes/poseidon-firmament-alternate-scheduler.md b/content/en/docs/concepts/extend-kubernetes/poseidon-firmament-alternate-scheduler.md new file mode 100644 index 0000000000000..1afbc17c09b94 --- /dev/null +++ b/content/en/docs/concepts/extend-kubernetes/poseidon-firmament-alternate-scheduler.md 
@@ -0,0 +1,117 @@ +--- +title: Poseidon-Firmament - An alternate scheduler +content_template: templates/concept +weight: 80 +--- + +{{% capture overview %}} + +**Current release of Poseidon-Firmament scheduler is an alpha release.** + +Poseidon-Firmament scheduler is an alternate scheduler that can be deployed alongside the default Kubernetes scheduler. + +{{% /capture %}} + +{{% capture body %}} + + +## Introduction + +Poseidon is a service that acts as the integration glue for the [Firmament scheduler](https://github.com/Huawei-PaaS/firmament) with Kubernetes. Poseidon-Firmament scheduler augments the current Kubernetes scheduling capabilities. It incorporates novel flow network graph based scheduling capabilities alongside the default Kubernetes Scheduler. Firmament scheduler models workloads and clusters as flow networks and runs min-cost flow optimizations over these networks to make scheduling decisions. + +It models the scheduling problem as a constraint-based optimization over a flow network graph. This is achieved by reducing scheduling to a min-cost max-flow optimization problem. The Poseidon-Firmament scheduler dynamically refines the workload placements. + +Poseidon-Firmament scheduler runs alongside the default Kubernetes Scheduler as an alternate scheduler, so multiple schedulers run simultaneously. + +## Key Advantages + +### Flow graph scheduling based Poseidon-Firmament scheduler provides the following key advantages: +- Workloads (pods) are bulk scheduled to enable scheduling at massive scale.. +- Based on the extensive performance test results, Poseidon-Firmament scales much better than the Kubernetes default scheduler as the number of nodes increase in a cluster. This is due to the fact that Poseidon-Firmament is able to amortize more and more work across workloads. 
+- Poseidon-Firmament Scheduler outperforms the Kubernetes default scheduler by a wide margin when it comes to throughput performance numbers for scenarios where compute resource requirements are somewhat uniform across jobs (Replicasets/Deployments/Jobs). Poseidon-Firmament scheduler end-to-end throughput performance numbers, including bind time, consistently get better as the number of nodes in a cluster increase. For example, for a 2,700 node cluster (shown in the graphs [here](https://github.com/kubernetes-sigs/poseidon/blob/master/docs/benchmark/README.md)), Poseidon-Firmament scheduler achieves a 7X or greater end-to-end throughput than the Kubernetes default scheduler, which includes bind time. + +- Availability of complex rule constraints. +- Scheduling in Poseidon-Firmament is dynamic; it keeps cluster resources in a global optimal state during every scheduling run. +- Highly efficient resource utilizations. + +## Poseidon-Firmament Scheduler - How it works + +As part of the Kubernetes multiple schedulers support, each new pod is typically scheduled by the default scheduler. Kubernetes can be instructed to use another scheduler by specifying the name of another custom scheduler (“poseidon” in our case) in the **schedulerName** field of the PodSpec at the time of pod creation. In this case, the default scheduler will ignore that Pod and allow Poseidon scheduler to schedule the Pod on a relevant node. + +```yaml +apiVersion: v1 +kind: Pod + +... +spec: + schedulerName: poseidon +``` + + +{{< note >}} +For details about the design of this project see the [design document](https://github.com/kubernetes-sigs/poseidon/blob/master/docs/design/README.md). +{{< /note >}} + +## Possible Use Case Scenarios - When to use it + +As mentioned earlier, Poseidon-Firmament scheduler enables an extremely high throughput scheduling environment at scale due to its bulk scheduling approach versus Kubernetes pod-at-a-time approach. 
In our extensive tests, we have observed substantial throughput benefits as long as resource requirements (CPU/Memory) for incoming Pods are uniform across jobs (Replicasets/Deployments/Jobs), mainly due to efficient amortization of work across jobs. + +Although, Poseidon-Firmament scheduler is capable of scheduling various types of workloads, such as service, batch, etc., the following are a few use cases where it excels the most: + +1. For “Big Data/AI” jobs consisting of large number of tasks, throughput benefits are tremendous. +2. Service or batch jobs where workload resource requirements are uniform across jobs (Replicasets/Deployments/Jobs). + +## Current Project Stage + +- **Alpha Release - Incubation repo.** at https://github.com/kubernetes-sigs/poseidon. +- Currently, Poseidon-Firmament scheduler **does not provide support for high availability**, our implementation assumes that the scheduler cannot fail. The [design document](https://github.com/kubernetes-sigs/poseidon/blob/master/docs/design/README.md) describes possible ways to enable high availability, but we leave this to future work. +- We are **not aware of any production deployment** of Poseidon-Firmament scheduler at this time. +- Poseidon-Firmament is supported from Kubernetes release 1.6 and works with all subsequent releases. +- Release process for Poseidon and Firmament repos are in lock step. The current Poseidon release can be found [here](https://github.com/kubernetes-sigs/poseidon/releases) and the corresponding Firmament release can be found [here](https://github.com/Huawei-PaaS/firmament/releases). + +## Features Comparison Matrix + + +|Feature|Kubernetes Default Scheduler|Poseidon-Firmament Scheduler|Notes| +|--- |--- |--- |--- | +|Node Affinity/Anti-Affinity|Y|Y|| +|Pod Affinity/Anti-Affinity - including support for pod anti-affinity symmetry|Y|Y|Currently, the default scheduler outperforms the Poseidon-Firmament scheduler pod affinity/anti-affinity functionality. 
We are working towards resolving this.| +|Taints & Tolerations|Y|Y|| +|Baseline Scheduling capability in accordance to available compute resources (CPU & Memory) on a node|Y|Y**|Not all Predicates & Priorities are supported at this time.| +|Extreme Throughput at scale|Y**|Y|Bulk scheduling approach scales or increases workload placement. Substantial throughput benefits using Firmament scheduler as long as resource requirements (CPU/Memory) for incoming Pods is uniform across Replicasets/Deployments/Jobs. This is mainly due to efficient amortization of work across Replicasets/Deployments/Jobs . 1) For “Big Data/AI” jobs consisting of large no. of tasks, throughput benefits are tremendous. 2) Substantial throughput benefits also for service or batch job scenarios where workload resource requirements are uniform across Replicasets/Deployments/Jobs.| +|Optimal Scheduling|Pod-by-Pod scheduler, processes one pod at a time (may result into sub-optimal scheduling)|Bulk Scheduling (Optimal scheduling)|Pod-by-Pod Kubernetes default scheduler may assign tasks to a sub-optimal machine. By contrast, Firmament considers all unscheduled tasks at the same time together with their soft and hard constraints.| +|Colocation Interference Avoidance|N|N**|Planned in Poseidon-Firmament.| +|Priority Pre-emption|Y|N**|Partially exists in Poseidon-Firmament versus extensive support in Kubernetes default scheduler.| +|Inherent Re-Scheduling|N|Y**|Poseidon-Firmament scheduler supports workload re-scheduling. 
In each scheduling run it considers all the pods, including running pods, and as a result can migrate or evict pods – a globally optimal scheduling environment.| +|Gang Scheduling|N|Y|| +|Support for Pre-bound Persistence Volume Scheduling|Y|Y|| +|Support for Local Volume & Dynamic Persistence Volume Binding Scheduling|Y|N**|Planned.| +|High Availability|Y|N**|Planned.| +|Real-time metrics based scheduling|N|Y**|Initially supported using Heapster (now deprecated) for placing pods using actual cluster utilization statistics rather than reservations. Plans to switch over to "metric server".| +|Support for Max-Pod per node|Y|Y|Poseidon-Firmament scheduler seamlessly co-exists with Kubernetes default scheduler.| +|Support for Ephemeral Storage, in addition to CPU/Memory|Y|Y|| + + +## Installation + +For in-cluster installation of Poseidon, please start at the [Installation instructions](https://github.com/kubernetes-sigs/poseidon/blob/master/docs/install/README.md). + + +## Development + +For developers, please refer to the [Developer Setup instructions](https://github.com/kubernetes-sigs/poseidon/blob/master/docs/devel/README.md). + +## Latest Throughput Performance Testing Results + +Pod-by-pod schedulers, such as the Kubernetes default scheduler, typically process one pod at a time. These schedulers have the following crucial drawbacks: + +1. The scheduler commits to a pod placement early and restricts the choices for other pods that wait to be placed. +2. There is limited opportunities for amortizing work across pods because they are considered for placement individually. + +These downsides of pod-by-pod schedulers are addressed by batching or bulk scheduling in Poseidon-Firmament scheduler. Processing several pods in a batch allows the scheduler to jointly consider their placement, and thus to find the best trade-off for the whole batch instead of one pod. At the same time it amortizes work across pods resulting in much higher throughput. 
+ +{{< note >}} + Please refer to the [latest benchmark results](https://github.com/kubernetes-sigs/poseidon/blob/master/docs/benchmark/README.md) for detailed throughput performance comparison test results between Poseidon-Firmament scheduler and the Kubernetes default scheduler. +{{< /note >}} + +{{% /capture %}} From b822184bbe37efc5c59f19c3ce950bab0e1e3f47 Mon Sep 17 00:00:00 2001 From: Chao Xu Date: Tue, 29 Jan 2019 10:17:33 -0800 Subject: [PATCH 04/47] Remove initializers from doc. It will be removed in 1.14 (#12331) --- .../admission-controllers.md | 7 - .../extensible-admission-controllers.md | 123 +----------------- 2 files changed, 5 insertions(+), 125 deletions(-) diff --git a/content/en/docs/reference/access-authn-authz/admission-controllers.md b/content/en/docs/reference/access-authn-authz/admission-controllers.md index 5dc9f2c31140b..a9514f695fd55 100644 --- a/content/en/docs/reference/access-authn-authz/admission-controllers.md +++ b/content/en/docs/reference/access-authn-authz/admission-controllers.md @@ -334,13 +334,6 @@ Examples of information you might put here are: In any case, the annotations are provided by the user and are not validated by Kubernetes in any way. In the future, if an annotation is determined to be widely useful, it may be promoted to a named field of ImageReviewSpec. -### Initializers (alpha) {#initializers} - -The admission controller determines the initializers of a resource based on the existing -`InitializerConfiguration`s. It sets the pending initializers by modifying the -metadata of the resource to be created. -For more information, please check [Dynamic Admission Control](/docs/reference/access-authn-authz/extensible-admission-controllers/). - ### LimitPodHardAntiAffinityTopology {#limitpodhardantiaffinitytopology} This admission controller denies any pod that defines `AntiAffinity` topology key other than 
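Review bot: Removing the `### Initializers (alpha) {#initializers}` heading in the admission-controllers.md hunk also drops the explicit `#initializers` anchor, so any page that still links to `admission-controllers/#initializers` will silently land at the top of the page. The commit message says the feature is only removed in 1.14, so consider keeping a one-line stub under that anchor that states initializers are removed in 1.14 and points to admission webhooks, or confirm in the PR that no remaining page links to the anchor.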
diff --git a/content/en/docs/reference/access-authn-authz/extensible-admission-controllers.md b/content/en/docs/reference/access-authn-authz/extensible-admission-controllers.md index 4d6fde6a00e5c..b3acf68fa570b 100644 --- a/content/en/docs/reference/access-authn-authz/extensible-admission-controllers.md +++ b/content/en/docs/reference/access-authn-authz/extensible-admission-controllers.md @@ -5,6 +5,7 @@ reviewers: - whitlockjc - caesarxuchao - deads2k +- liggitt title: Dynamic Admission Control content_template: templates/concept weight: 40 @@ -19,16 +20,14 @@ the following: * They need to be compiled into kube-apiserver. * They are only configurable when the apiserver starts up. -Two features, *Admission Webhooks* (beta in 1.9) and *Initializers* (alpha), -address these limitations. They allow admission controllers to be developed -out-of-tree and configured at runtime. +*Admission Webhooks* (beta in 1.9) addresses these limitations. It allows +admission controllers to be developed out-of-tree and configured at runtime. + +This page describes how to use Admission Webhooks. -This page describes how to use Admission Webhooks and Initializers. {{% /capture %}} {{% capture body %}} -## Admission Webhooks - ### What are admission webhooks? Admission webhooks are HTTP callbacks that receive admission requests and do 
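Review bot: Deleting `## Admission Webhooks` at the end of the `@@ -19,16 +20,14 @@` hunk leaves `### What are admission webhooks?` as the first heading of the body with no level-2 parent, so the page now skips a heading level and loses the anchor generated from the removed heading. Either keep the `##` heading or promote the remaining `###` headings one level. In the same hunk, "*Admission Webhooks* (beta in 1.9) addresses these limitations. It allows" pairs a plural name with singular verbs; "address ... They allow" reads more naturally.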
@@ -196,116 +195,4 @@ users: ``` Of course you need to set up the webhook server to handle these authentications. - -## Initializers - -### What are initializers? - -*Initializer* has two meanings: - -* A list of pending pre-initialization tasks, stored in every object's metadata - (e.g., "AddMyCorporatePolicySidecar"). - -* A user customized controller, which actually performs those tasks. The name of the task - corresponds to the controller which performs the task. For clarity, we call - them *initializer controllers* in this page. - -Once the controller has performed its assigned task, it removes its name from -the list. For example, it may send a PATCH that inserts a container in a pod and -also removes its name from `metadata.initializers.pending`. Initializers may make -mutations to objects. - -Objects which have a non-empty initializer list are considered uninitialized, -and are not visible in the API unless specifically requested by using the query parameter, -`?includeUninitialized=true`. - -### When to use initializers? - -Initializers are useful for admins to force policies (e.g., the -[AlwaysPullImages](/docs/reference/access-authn-authz/admission-controllers/#alwayspullimages) -admission controller), or to inject defaults (e.g., the -[DefaultStorageClass](/docs/reference/access-authn-authz/admission-controllers/#defaultstorageclass) -admission controller), etc. - -{{< note >}} -If your use case does not involve mutating objects, consider using -external admission webhooks, as they have better performance. -{{< /note >}} - -### How are initializers triggered? - -When an object is POSTed, it is checked against all existing -`initializerConfiguration` objects (explained below). For all that it matches, -all `spec.initializers[].name`s are appended to the new object's -`metadata.initializers.pending` field. - -An initializer controller should list and watch for uninitialized objects, by -using the query parameter `?includeUninitialized=true`. 
If using client-go, just -set -[listOptions.includeUninitialized](https://github.com/kubernetes/kubernetes/blob/v1.7.0-rc.1/staging/src/k8s.io/apimachinery/pkg/apis/meta/v1/types.go#L315) -to true. - -For the observed uninitialized objects, an initializer controller should first -check if its name matches `metadata.initializers.pending[0]`. If so, it should then -perform its assigned task and remove its name from the list. - -### Enable initializers alpha feature - -*Initializers* is an alpha feature, so it is disabled by default. To turn it on, -you need to: - -* Include "Initializers" in the `--enable-admission-plugins` flag when starting - `kube-apiserver`. If you have multiple `kube-apiserver` replicas, all should - have the same flag setting. - -* Enable the dynamic admission controller registration API by adding - `admissionregistration.k8s.io/v1alpha1` to the `--runtime-config` flag passed - to `kube-apiserver`, e.g. - `--runtime-config=admissionregistration.k8s.io/v1alpha1`. Again, all replicas - should have the same flag setting. - -### Deploy an initializer controller - -You should deploy an initializer controller via the [deployment -API](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#deployment-v1beta1-apps). - -### Configure initializers on the fly - -You can configure what initializers are enabled and what resources are subject -to the initializers by creating `initializerConfiguration` resources. - -You should first deploy the initializer controller and make sure that it is -working properly before creating the `initializerConfiguration`. Otherwise, any -newly created resources will be stuck in an uninitialized state. - -The following is an example `initializerConfiguration`: - -```yaml -apiVersion: admissionregistration.k8s.io/v1alpha1 -kind: InitializerConfiguration -metadata: - name: example-config -initializers: - # the name needs to be fully qualified, i.e., containing at least two "." 
- - name: podimage.example.com - rules: - # apiGroups, apiVersion, resources all support wildcard "*". - # "*" cannot be mixed with non-wildcard. - - apiGroups: - - "" - apiVersions: - - v1 - resources: - - pods -``` - -After you create the `initializerConfiguration`, the system will take a few -seconds to honor the new configuration. Then, `"podimage.example.com"` will be -appended to the `metadata.initializers.pending` field of newly created pods. You -should already have a ready "podimage" initializer controller that handles pods -whose `metadata.initializers.pending[0].name="podimage.example.com"`. Otherwise -the pods will be stuck in an uninitialized state. - -Make sure that all expansions of the `` tuple -in a `rule` are valid. If they are not, separate them in different `rules`. {{% /capture %}} From e528300edb8716f9ff6a7139d1157c6c8bf1ddb2 Mon Sep 17 00:00:00 2001 From: "Rostislav M. Georgiev" Date: Fri, 8 Feb 2019 18:35:16 +0200 Subject: [PATCH 05/47] kubeadm: Document CRI auto detection functionality (#12462) Signed-off-by: Rostislav M. Georgiev --- .../independent/create-cluster-kubeadm.md | 4 ++++ .../docs/setup/independent/install-kubeadm.md | 22 +++++++++++++++++-- 2 files changed, 24 insertions(+), 2 deletions(-) diff --git a/content/en/docs/setup/independent/create-cluster-kubeadm.md b/content/en/docs/setup/independent/create-cluster-kubeadm.md index c69ec051326a1..6e53c077410b3 100644 --- a/content/en/docs/setup/independent/create-cluster-kubeadm.md +++ b/content/en/docs/setup/independent/create-cluster-kubeadm.md 
@@ -117,6 +117,10 @@ communicates with). be passed to kubeadm initialization. Depending on which third-party provider you choose, you might need to set the `--pod-network-cidr` to a provider-specific value. See [Installing a pod network add-on](#pod-network). +1. (Optional) Since version 1.14, kubeadm will try to detect the container runtime on Linux +by using a list of well known domain socket paths. To use different container runtime or +if there are more than one installed on the provisioned node, specify the `--cri-socket` +argument to `kubeadm init`. See [Installing runtime](/docs/setup/independent/install-kubeadm/#installing-runtime). 1. (Optional) Unless otherwise specified, kubeadm uses the network interface associated with the default gateway to advertise the master's IP. To use a different network interface, specify the `--apiserver-advertise-address=` argument diff --git a/content/en/docs/setup/independent/install-kubeadm.md b/content/en/docs/setup/independent/install-kubeadm.md index cbf1c8ebb483e..8e9ec9682e5c9 100644 --- a/content/en/docs/setup/independent/install-kubeadm.md +++ b/content/en/docs/setup/independent/install-kubeadm.md 
@@ -79,10 +79,28 @@ The pod network plugin you use (see below) may also require certain ports to be open. Since this differs with each pod network plugin, please see the documentation for the plugins about what port(s) those need. -## Installing runtime +## Installing runtime {#installing-runtime} Since v1.6.0, Kubernetes has enabled the use of CRI, Container Runtime Interface, by default. -The container runtime used by default is Docker, which is enabled through the built-in + +Since v1.14.0, kubeadm will try to automatically detect the container runtime on Linux nodes +by scanning through a list of well known domain sockets. The detectable runtimes and the +socket paths, that are used, can be found in the table below. + +| Runtime | Domain Socket | +|------------|----------------------------------| +| Docker | /var/run/docker.sock | +| containerd | /run/containerd/containerd.sock | +| CRI-O | /var/run/crio/crio.sock | + +If both Docker and containerd are detected together, Docker takes precedence. This is +needed, because Docker 18.09 ships with containerd and both are detectable. +If any other two or more runtimes are detected, kubeadm will exit with an appropriate +error message. + +On non-Linux nodes the container runtime used by default is Docker. + +If the container runtime of choice is Docker, it is used through the built-in `dockershim` CRI implementation inside of the `kubelet`. Other CRI-based runtimes include: From df1b59bcbf1910590e6f1d3f995c2333f5c0d097 Mon Sep 17 00:00:00 2001 From: Zihong Zheng Date: Mon, 11 Feb 2019 22:05:08 -0800 Subject: [PATCH 06/47] Minor doc change for GAing Pod DNS Config (#12514) --- .../services-networking/dns-pod-service.md | 26 +++++++++++-------- 1 file changed, 15 insertions(+), 11 deletions(-) diff --git a/content/en/docs/concepts/services-networking/dns-pod-service.md b/content/en/docs/concepts/services-networking/dns-pod-service.md index da5162073b750..41cb2ee4baa54 100644 
--- a/content/en/docs/concepts/services-networking/dns-pod-service.md +++ b/content/en/docs/concepts/services-networking/dns-pod-service.md @@ -170,10 +170,10 @@ following pod-specific DNS policies. These policies are specified in the for details on how DNS queries are handled in those cases. - "`ClusterFirstWithHostNet`": For Pods running with hostNetwork, you should explicitly set its DNS policy "`ClusterFirstWithHostNet`". -- "`None`": A new option value introduced in Kubernetes v1.9 (Beta in v1.10). It - allows a Pod to ignore DNS settings from the Kubernetes environment. All DNS - settings are supposed to be provided using the `dnsConfig` field in the Pod Spec. - See [DNS config](#dns-config) subsection below. +- "`None`": It allows a Pod to ignore DNS settings from the Kubernetes + environment. All DNS settings are supposed to be provided using the + `dnsConfig` field in the Pod Spec. + See [Pod's DNS config](#pod-s-dns-config) subsection below. {{< note >}} "Default" is not the default DNS policy. If `dnsPolicy` is not @@ -205,13 +205,7 @@ spec: ### Pod's DNS Config -Kubernetes v1.9 introduces an Alpha feature (Beta in v1.10) that allows users more -control on the DNS settings for a Pod. This feature is enabled by default in v1.10. -To enable this feature in v1.9, the cluster administrator -needs to enable the `CustomPodDNS` feature gate on the apiserver and the kubelet, -for example, "`--feature-gates=CustomPodDNS=true,...`". -When the feature gate is enabled, users can set the `dnsPolicy` field of a Pod -to "`None`" and they can add a new field `dnsConfig` to a Pod Spec. +Pod's DNS Config allows users more control on the DNS settings for a Pod. The `dnsConfig` field is optional and it can work with any `dnsPolicy` settings. However, when a Pod's `dnsPolicy` is set to "`None`", the `dnsConfig` field has 
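Review bot: The rewritten opening of "Pod's DNS Config" in the `@@ -205,13 +205,7 @@` hunk drops the only mention of the `CustomPodDNS` feature gate, while the availability table added later in this patch still lists 1.9 as Alpha. A reader on 1.9 can no longer tell from this page that the feature has to be switched on with `--feature-gates=CustomPodDNS=true` on the apiserver and the kubelet. Suggest carrying that one sentence into the new "Feature availability" section next to the 1.9 row.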
@@ -257,6 +251,16 @@ search default.svc.cluster.local svc.cluster.local cluster.local options ndots:5 ``` +### Feature availability + +The availability of Pod DNS Config and DNS Policy "`None`"" is shown as below. + +| k8s version | Feature support | +| :---------: |:-----------:| +| 1.14 | Stable | +| 1.10 | Beta (on by default)| +| 1.9 | Alpha | + {{% /capture %}} {{% capture whatsnext %}} From eb5aaa79a76d666e27474a41baf01409c84d9654 Mon Sep 17 00:00:00 2001 From: mlmhl Date: Wed, 13 Feb 2019 15:18:20 +0800 Subject: [PATCH 07/47] Graduate ExpandInUsePersistentVolumes feature to beta (#10574) --- .../reference/command-line-tools-reference/feature-gates.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates.md b/content/en/docs/reference/command-line-tools-reference/feature-gates.md index 8aae21edce3fd..a27662f116fbf 100644 --- a/content/en/docs/reference/command-line-tools-reference/feature-gates.md +++ b/content/en/docs/reference/command-line-tools-reference/feature-gates.md @@ -79,7 +79,8 @@ different Kubernetes components. | `DynamicVolumeProvisioning` | `true` | Alpha | 1.3 | 1.7 | | `DynamicVolumeProvisioning` | `true` | GA | 1.8 | | | `EnableEquivalenceClassCache` | `false` | Alpha | 1.8 | | -| `ExpandInUsePersistentVolumes` | `false` | Alpha | 1.11 | | +| `ExpandInUsePersistentVolumes` | `false` | Alpha | 1.11 | 1.13 | | +| `ExpandInUsePersistentVolumes` | `true` | Beta | 1.14 | | | `ExpandPersistentVolumes` | `false` | Alpha | 1.8 | 1.10 | | `ExpandPersistentVolumes` | `true` | Beta | 1.11 | | | `ExperimentalCriticalPodAnnotation` | `false` | Alpha | 1.5 | | From 1588645b19bab82d47091b0d0d290b0996f2aeac Mon Sep 17 00:00:00 2001 
From: Barnabas Makonda <6409210+MAKOSCAFEE@users.noreply.github.com> Date: Wed, 13 Feb 2019 13:10:59 +0300 Subject: [PATCH 08/47] Rename 2018-11-07-grpc-load-balancing-with-linkerd.md.md file (#12594) --- ...nkerd.md.md => 2018-11-07-grpc-load-balancing-with-linkerd.md} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename content/en/blog/_posts/{2018-11-07-grpc-load-balancing-with-linkerd.md.md => 2018-11-07-grpc-load-balancing-with-linkerd.md} (100%) diff --git a/content/en/blog/_posts/2018-11-07-grpc-load-balancing-with-linkerd.md.md b/content/en/blog/_posts/2018-11-07-grpc-load-balancing-with-linkerd.md similarity index 100% rename from content/en/blog/_posts/2018-11-07-grpc-load-balancing-with-linkerd.md.md rename to content/en/blog/_posts/2018-11-07-grpc-load-balancing-with-linkerd.md From 48fd1e587a3b4b683b5ed4cf774d818c21b3de2d Mon Sep 17 00:00:00 2001 From: "Babak \"Bobby\" Salamat" Date: Fri, 15 Feb 2019 02:04:54 -0800 Subject: [PATCH 09/47] Add dynamic percentage of node scoring to user docs (#12235) * Add dynamic percentage of node scoring to user docs * addressed review comments --- .../configuration/scheduler-perf-tuning.md | 70 ++++++++++--------- 1 file changed, 37 insertions(+), 33 deletions(-) diff --git a/content/en/docs/concepts/configuration/scheduler-perf-tuning.md b/content/en/docs/concepts/configuration/scheduler-perf-tuning.md index 41ce9dfb1ae15..b04d1522942e3 100644 --- a/content/en/docs/concepts/configuration/scheduler-perf-tuning.md +++ b/content/en/docs/concepts/configuration/scheduler-perf-tuning.md 
@@ -8,15 +8,15 @@ weight: 70 {{% capture overview %}} -{{< feature-state for_k8s_version="1.12" >}} +{{< feature-state for_k8s_version="1.14" state="beta" >}} Kube-scheduler is the Kubernetes default scheduler. It is responsible for placement of Pods on Nodes in a cluster. Nodes in a cluster that meet the scheduling requirements of a Pod are called "feasible" Nodes for the Pod. The scheduler finds feasible Nodes for a Pod and then runs a set of functions to score the feasible Nodes and picks a Node with the highest score among the -feasible ones to run the Pod. The scheduler then notifies the API server about this -decision in a process called "Binding". +feasible ones to run the Pod. The scheduler then notifies the API server about +this decision in a process called "Binding". {{% /capture %}} 
@@ -24,15 +24,23 @@ decision in a process called "Binding". ## Percentage of Nodes to Score -Before Kubernetes 1.12, Kube-scheduler used to check the feasibility of all the -nodes in a cluster and then scored the feasible ones. Kubernetes 1.12 has a new -feature that allows the scheduler to stop looking for more feasible nodes once -it finds a certain number of them. This improves the scheduler's performance in -large clusters. The number is specified as a percentage of the cluster size and -is controlled by a configuration option called `percentageOfNodesToScore`. The -range should be between 1 and 100. Other values are considered as 100%. The -default value of this option is 50%. A cluster administrator can change this value by providing a -different value in the scheduler configuration. However, it may not be necessary to change this value. +Before Kubernetes 1.12, Kube-scheduler used to check the feasibility of all +nodes in a cluster and then scored the feasible ones. Kubernetes 1.12 added a +new feature that allows the scheduler to stop looking for more feasible nodes +once it finds a certain number of them. This improves the scheduler's +performance in large clusters. The number is specified as a percentage of the +cluster size. The percentage can be controlled by a configuration option called +`percentageOfNodesToScore`. The range should be between 1 and 100. Larger values +are considered as 100%. Zero is equivalent to not providing the config option. +Kubernetes 1.14 has logic to find the percentage of nodes to score based on the +size of the cluster if it is not specified in the configuration. It uses a +linear formula which yields 50% for a 100-node cluster. The formula yields 10% +for a 5000-node cluster. The lower bound for the automatic value is 5%. In other +words, the scheduler always scores at least 5% of the cluster no matter how +large the cluster is, unless the user provides the config option with a value +smaller than 5. 
+ +Below is an example configuration that sets `percentageOfNodesToScore` to 50%. ```yaml apiVersion: componentconfig/v1alpha1 
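Review bot: The new range description in the `@@ -24,15 +24,23 @@` hunk no longer covers every input: the old text said "Other values are considered as 100%", while the new text says only "Larger values are considered as 100%. Zero is equivalent to not providing the config option", which leaves the behavior for negative values unspecified. The automatic default is also described only through two sample points (50% for 100 nodes, 10% for 5000 nodes) and a 5% lower bound; stating the linear formula itself would let operators work out the value for their own cluster size instead of interpolating.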
@@ -45,26 +53,22 @@ algorithmSource: percentageOfNodesToScore: 50 ``` -{{< note >}} -In clusters with zero or less than 50 feasible nodes, the -scheduler still checks all the nodes, simply because there are not enough -feasible nodes to stop the scheduler's search early. -{{< /note >}} +{{< note >}} In clusters with less than 50 feasible nodes, the scheduler still +checks all the nodes, simply because there are not enough feasible nodes to stop +the scheduler's search early. {{< /note >}} **To disable this feature**, you can set `percentageOfNodesToScore` to 100. ### Tuning percentageOfNodesToScore -`percentageOfNodesToScore` must be a value between 1 and 100 -with the default value of 50. There is also a hardcoded minimum value of 50 -nodes which is applied internally. The scheduler tries to find at -least 50 nodes regardless of the value of `percentageOfNodesToScore`. This means -that changing this option to lower values in clusters with several hundred nodes -will not have much impact on the number of feasible nodes that the scheduler -tries to find. This is intentional as this option is unlikely to improve -performance noticeably in smaller clusters. In large clusters with over a 1000 -nodes setting this value to lower numbers may show a noticeable performance -improvement. +`percentageOfNodesToScore` must be a value between 1 and 100 with the default +value being calculated based on the cluster size. There is also a hardcoded +minimum value of 50 nodes. This means that changing +this option to lower values in clusters with several hundred nodes will not have +much impact on the number of feasible nodes that the scheduler tries to find. +This is intentional as this option is unlikely to improve performance noticeably +in smaller clusters. In large clusters with over a 1000 nodes setting this value +to lower numbers may show a noticeable performance improvement. 
An important note to consider when setting this value is that when a smaller number of nodes in a cluster are checked for feasibility, some nodes are not @@ -72,14 +76,14 @@ sent to be scored for a given Pod. As a result, a Node which could possibly score a higher value for running the given Pod might not even be passed to the scoring phase. This would result in a less than ideal placement of the Pod. For this reason, the value should not be set to very low percentages. A general rule -of thumb is to never set the value to anything lower than 30. Lower values +of thumb is to never set the value to anything lower than 10. Lower values should be used only when the scheduler's throughput is critical for your application and the score of nodes is not important. In other words, you prefer to run the Pod on any Node as long as it is feasible. -It is not recommended to lower this value from its default if your cluster has -only several hundred Nodes. It is unlikely to improve the scheduler's -performance significantly. +If your cluster has several hundred Nodes or fewer, we do not recommend lowering +the default value of this configuration option. It is unlikely to improve the +scheduler's performance significantly. ### How the scheduler iterates over Nodes 
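Review bot: The rule of thumb changed in the `@@ -72,14 +76,14 @@` hunk ("never set the value to anything lower than 10") conflicts with the automatic default described earlier in this patch, which yields 10% for a 5000-node cluster and has a lower bound of 5%, so the scheduler's own computed value can fall below the number the page tells users never to go under. Either explain why a computed 5% is acceptable while a configured 5% is not, or reword the guidance relative to the automatic value.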
@@ -91,8 +95,8 @@ for running Pods, the scheduler iterates over the nodes in a round robin fashion. You can imagine that Nodes are in an array. The scheduler starts from the start of the array and checks feasibility of the nodes until it finds enough Nodes as specified by `percentageOfNodesToScore`. For the next Pod, the -scheduler continues from the point in the Node array that it stopped at when checking -feasibility of Nodes for the previous Pod. +scheduler continues from the point in the Node array that it stopped at when +checking feasibility of Nodes for the previous Pod. If Nodes are in multiple zones, the scheduler iterates over Nodes in various zones to ensure that Nodes from different zones are considered in the From d22320f00f00704351c9dfd1a18080df050470cd Mon Sep 17 00:00:00 2001 From: hhHypo Date: Sun, 17 Feb 2019 12:57:47 +0800 Subject: [PATCH 10/47] delete special symbol (#12445) --- .../docs/tutorials/stateful-application/basic-stateful-set.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/zh/docs/tutorials/stateful-application/basic-stateful-set.md b/content/zh/docs/tutorials/stateful-application/basic-stateful-set.md index 81a6b1b3566cb..51ca68c4100c2 100644 --- a/content/zh/docs/tutorials/stateful-application/basic-stateful-set.md +++ b/content/zh/docs/tutorials/stateful-application/basic-stateful-set.md @@ -480,7 +480,7 @@ web-2 k8s.gcr.io/nginx-slim:0.8 `web-0` has had its image updated, but `web-0` and `web-1` still have the original image. Complete the update by deleting the remaining Pods. -​```shell +```shell kubectl delete pod web-1 web-2 pod "web-1" deleted pod "web-2" deleted @@ -489,7 +489,7 @@ pod "web-2" deleted 观察 StatefulSet 的 Pod,等待它们全部变成 Running 和 Ready。 -``` +```shell kubectl get pods -w -l app=nginx NAME READY STATUS RESTARTS AGE web-0 1/1 Running 0 8m From 582995a3f579580063fa728f74c8aedb5874bbd8 Mon Sep 17 00:00:00 2001 
From: Kevin Taylor Date: Wed, 20 Feb 2019 22:14:39 +0530 Subject: [PATCH 11/47] Update documentation for VolumeSubpathEnvExpansion (#11843) * Update documentation for VolumeSubpathEnvExpansion * Address comments - improve descriptions --- content/en/docs/concepts/storage/volumes.md | 9 +++++---- .../command-line-tools-reference/feature-gates.md | 3 ++- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/content/en/docs/concepts/storage/volumes.md b/content/en/docs/concepts/storage/volumes.md index 48fb78be5f84d..fdda03b775185 100644 --- a/content/en/docs/concepts/storage/volumes.md +++ b/content/en/docs/concepts/storage/volumes.md @@ -1072,13 +1072,14 @@ spec: ### Using subPath with expanded environment variables -{{< feature-state for_k8s_version="v1.11" state="alpha" >}} +{{< feature-state for_k8s_version="v1.14" state="alpha" >}} -`subPath` directory names can also be constructed from Downward API environment variables. +Use the `subPathExpr` field to construct `subPath` directory names from Downward API environment variables. Before you use this feature, you must enable the `VolumeSubpathEnvExpansion` feature gate. +The `subPath` and `subPathExpr` properties are mutually exclusive. -In this example, a Pod uses `subPath` to create a directory `pod1` within the hostPath volume `/var/log/pods`, using the pod name from the Downward API. The host directory `/var/log/pods/pod1` is mounted at `/logs` in the container. +In this example, a Pod uses `subPathExpr` to create a directory `pod1` within the hostPath volume `/var/log/pods`, using the pod name from the Downward API. The host directory `/var/log/pods/pod1` is mounted at `/logs` in the container. ```yaml apiVersion: v1 @@ -1099,7 +1100,7 @@ spec: volumeMounts: - name: workdir1 mountPath: /logs - subPath: $(POD_NAME) + subPathExpr: $(POD_NAME) restartPolicy: Never volumes: - name: workdir1 
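Review bot: The example in the `@@ -1099,7 +1100,7 @@` hunk switches from `subPath: $(POD_NAME)` to `subPathExpr: $(POD_NAME)` and the feature-state moves from v1.11 to v1.14, but the page does not say what happens to manifests written against the v1.11 alpha that put `$(POD_NAME)` in `subPath`. Add a sentence stating whether `subPath` still expands environment variables when the `VolumeSubpathEnvExpansion` gate is on, and what the API does when both `subPath` and `subPathExpr` are set, since the text only says the two are mutually exclusive.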
diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates.md b/content/en/docs/reference/command-line-tools-reference/feature-gates.md index a27662f116fbf..43dc0c9be627c 100644 --- a/content/en/docs/reference/command-line-tools-reference/feature-gates.md +++ b/content/en/docs/reference/command-line-tools-reference/feature-gates.md @@ -143,7 +143,7 @@ different Kubernetes components. | `VolumeScheduling` | `false` | Alpha | 1.9 | 1.9 | | `VolumeScheduling` | `true` | Beta | 1.10 | 1.12 | | `VolumeScheduling` | `true` | GA | 1.13 | | -| `VolumeSubpathEnvExpansion` | `false` | Alpha | 1.11 | | +| `VolumeSubpathEnvExpansion` | `false` | Alpha | 1.14 | | | `VolumeSnapshotDataSource` | `false` | Alpha | 1.12 | - | | `ScheduleDaemonSetPods` | `false` | Alpha | 1.11 | 1.11 | | `ScheduleDaemonSetPods` | `true` | Beta | 1.12 | | @@ -310,5 +310,6 @@ Each feature gate is designed for enabling/disabling a specific feature: enables the usage of [`local`](/docs/concepts/storage/volumes/#local) volume type when used together with the `PersistentLocalVolumes` feature gate. - `VolumeSnapshotDataSource`: Enable volume snapshot data source support. +- `VolumeSubpathEnvExpansion`: Enable `subPathExpr` field for expanding environment variables into a `subPath`. {{% /capture %}} From 16b551c04d1dc6c4ec85d80dab1f53f57926b4c8 Mon Sep 17 00:00:00 2001 From: "Babak \"Bobby\" Salamat" Date: Wed, 20 Feb 2019 15:41:14 -0800 Subject: [PATCH 12/47] Graduate Pod Priority and Preemption to GA (#12428) --- .../configuration/pod-priority-preemption.md | 31 ++++++------------- 1 file changed, 9 insertions(+), 22 deletions(-) diff --git a/content/en/docs/concepts/configuration/pod-priority-preemption.md b/content/en/docs/concepts/configuration/pod-priority-preemption.md index 297c61f1a7d7d..7b92b1cd1267f 100644 --- a/content/en/docs/concepts/configuration/pod-priority-preemption.md +++ b/content/en/docs/concepts/configuration/pod-priority-preemption.md 
@@ -9,7 +9,7 @@ weight: 70 {{% capture overview %}} -{{< feature-state for_k8s_version="1.11" state="beta" >}} +{{< feature-state for_k8s_version="1.14" state="stable" >}} [Pods](/docs/user-guide/pods) can have _priority_. Priority indicates the importance of a Pod relative to other Pods. If a Pod cannot be scheduled, the @@ -19,8 +19,8 @@ pending Pod possible. In Kubernetes 1.9 and later, Priority also affects scheduling order of Pods and out-of-resource eviction ordering on the Node. -Pod priority and preemption are moved to beta since Kubernetes 1.11 and are -enabled by default in this release and later. +Pod priority and preemption graduated to beta in Kubernetes 1.11 and to GA in +Kubernetes 1.14. They have been enabled by default since 1.11. In Kubernetes versions where Pod priority and preemption is still an alpha-level feature, you need to explicitly enable it. To use these features in the older @@ -34,6 +34,7 @@ Kubernetes Version | Priority and Preemption State | Enabled by default 1.9 | alpha | no 1.10 | alpha | no 1.11 | beta | yes +1.14 | GA | yes {{< warning >}}In a cluster where not all users are trusted, a malicious user could create pods at the highest possible priorities, causing 
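Review bot: The row added in the `@@ -34,6 +34,7 @@` hunk (`1.14 | GA | yes`) leaves 1.12 and 1.13 out of the table, so a reader on those releases has to infer the state from the prose above ("graduated to beta in Kubernetes 1.11 and to GA in Kubernetes 1.14"). Add rows for 1.12 and 1.13 or label the beta row as a range. The shortcode at the top of the page uses `state="stable"` while the table and prose say GA; using one term throughout would avoid the question of whether they differ.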
@@ -71,15 +72,15 @@ Pods. ## How to disable preemption {{< note >}} -In Kubernetes 1.11, critical pods (except DaemonSet pods, which are -still scheduled by the DaemonSet controller) rely on scheduler preemption to be -scheduled when a cluster is under resource pressure. For this reason, you will -need to run an older version of Rescheduler if you decide to disable preemption. -More on this is provided below. +In Kubernetes 1.12+, critical pods rely on scheduler preemption to be scheduled +when a cluster is under resource pressure. For this reason, it is not +recommended to disable preemption. {{< /note >}} In Kubernetes 1.11 and later, preemption is controlled by a kube-scheduler flag `disablePreemption`, which is set to `false` by default. +If you want to disable preemption despite the above note, you can set +`disablePreemption` to `true`. This option is available in component configs only and is not available in old-style command line options. Below is a sample component config to disable @@ -96,20 +97,6 @@ algorithmSource: disablePreemption: true ``` -### Start an older version of Rescheduler in the cluster - -When priority or preemption is disabled, we must run Rescheduler v0.3.1 (instead -of v0.4.0) to ensure that critical Pods are scheduled when nodes or cluster are -under resource pressure. Since critical Pod annotation is still supported in -this release, running Rescheduler should be enough and no other changes to the -configuration of Pods should be needed. - -Rescheduler images can be found at: -[gcr.io/k8s-image-staging/rescheduler](http://gcr.io/k8s-image-staging/rescheduler). - -In the code, changing the Rescheduler version back to v.0.3.1 is the reverse of -[this PR](https://github.com/kubernetes/kubernetes/pull/65454). - ## PriorityClass A PriorityClass is a non-namespaced object that defines a mapping from a From 99d3d86132cec04444c056d515e8137fba046968 Mon Sep 17 00:00:00 2001 
From: noctarius aka Christoph Engelbert Date: Fri, 8 Mar 2019 00:52:03 +0100 Subject: [PATCH 13/47] Added Instana links to the documentation (#12977) * Added link to the Instana Kubernetes integration * Added Instana link for services section Added Instana and a link to the Kubernetes integration to the analytics services section and broadened the scope to APM, monitoring and analytics. * Oxford comma /flex * More Oxford commas, because they matter --- content/en/docs/concepts/workloads/controllers/daemonset.md | 2 +- .../docs/user-journeys/users/cluster-operator/intermediate.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/content/en/docs/concepts/workloads/controllers/daemonset.md b/content/en/docs/concepts/workloads/controllers/daemonset.md index 04050174d9488..86448096ec293 100644 --- a/content/en/docs/concepts/workloads/controllers/daemonset.md +++ b/content/en/docs/concepts/workloads/controllers/daemonset.md 
@@ -21,7 +21,7 @@ Some typical uses of a DaemonSet are: - running a cluster storage daemon, such as `glusterd`, `ceph`, on each node. - running a logs collection daemon on every node, such as `fluentd` or `logstash`. - running a node monitoring daemon on every node, such as [Prometheus Node Exporter]( - https://github.com/prometheus/node_exporter), `collectd`, [Dynatrace OneAgent](https://www.dynatrace.com/technologies/kubernetes-monitoring/), [AppDynamics Agent](https://docs.appdynamics.com/display/CLOUD/Container+Visibility+with+Kubernetes), Datadog agent, New Relic agent, Ganglia `gmond` or Instana agent. + https://github.com/prometheus/node_exporter), `collectd`, [Dynatrace OneAgent](https://www.dynatrace.com/technologies/kubernetes-monitoring/), [AppDynamics Agent](https://docs.appdynamics.com/display/CLOUD/Container+Visibility+with+Kubernetes), Datadog agent, New Relic agent, Ganglia `gmond`, or [Instana Agent](https://www.instana.com/supported-integrations/kubernetes-monitoring/). In a simple case, one DaemonSet, covering all nodes, would be used for each type of daemon. A more complex setup might use multiple DaemonSets for a single type of daemon, but with diff --git a/content/en/docs/user-journeys/users/cluster-operator/intermediate.md b/content/en/docs/user-journeys/users/cluster-operator/intermediate.md index b3c02c8824872..e4b44abe3fe5f 100644 --- a/content/en/docs/user-journeys/users/cluster-operator/intermediate.md +++ b/content/en/docs/user-journeys/users/cluster-operator/intermediate.md 
@@ -91,7 +91,7 @@ A common configuration on [Minikube](https://github.com/kubernetes/minikube) and There is a [walkthrough of how to install this configuration in your cluster](https://blog.kublr.com/how-to-utilize-the-heapster-influxdb-grafana-stack-in-kubernetes-for-monitoring-pods-4a553f4d36c9). As of Kubernetes 1.11, Heapster is deprecated, as per [sig-instrumentation](https://github.com/kubernetes/community/tree/master/sig-instrumentation). See [Prometheus vs. Heapster vs. Kubernetes Metrics APIs](https://brancz.com/2018/01/05/prometheus-vs-heapster-vs-kubernetes-metrics-apis/) for more information alternatives. -Hosted data analytics services such as [Datadog](https://docs.datadoghq.com/integrations/kubernetes/) also offer Kubernetes integration. +Hosted monitoring, APM, or data analytics services such as [Datadog](https://docs.datadoghq.com/integrations/kubernetes/) or [Instana](https://www.instana.com/supported-integrations/kubernetes-monitoring/) also offer Kubernetes integration. ## Additional resources From 9742867a8db610ab52aa528bbf2f8d54ff362a2a Mon Sep 17 00:00:00 2001 From: Maciej Szulik Date: Mon, 11 Mar 2019 18:01:41 +0100 Subject: [PATCH 14/47] Update kubectl plugins to stable (#12847) --- content/en/docs/tasks/extend-kubectl/kubectl-plugins.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/content/en/docs/tasks/extend-kubectl/kubectl-plugins.md b/content/en/docs/tasks/extend-kubectl/kubectl-plugins.md index 387b14c8022f4..05f5e5d923bb2 100644 --- a/content/en/docs/tasks/extend-kubectl/kubectl-plugins.md +++ b/content/en/docs/tasks/extend-kubectl/kubectl-plugins.md 
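Review bot: In the daemonset.md hunk (`@@ -21,7 +21,7 @@`), the new entry is written as a linked, capitalised "[Instana Agent](...)" while its neighbours in the same sentence, "Datadog agent" and "New Relic agent", are unlinked and lower-case. Pick one convention for the whole list so a single vendor does not stand out. In the intermediate.md hunk (`@@ -91,7 +91,7 @@`), the context sentence just above the changed line ends "for more information alternatives" and is missing a word ("on alternatives"); it could be fixed while the neighbouring line is being touched.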
@@ -9,7 +9,7 @@ content_template: templates/task {{% capture overview %}} -{{< feature-state state="beta" >}} +{{< feature-state state="stable" >}} This guide demonstrates how to install and write extensions for [kubectl](/docs/reference/kubectl/kubectl/). By thinking of core `kubectl` commands as essential building blocks for interacting with a Kubernetes cluster, a cluster administrator can think of plugins as a means of utilizing these building blocks to create more complex behavior. Plugins extend `kubectl` with new sub-commands, allowing for new and custom features not included in the main distribution of `kubectl`. @@ -24,8 +24,6 @@ You need to have a working `kubectl` binary installed. Plugins were officially introduced as an alpha feature in the v1.8.0 release. They have been re-worked in the v1.12.0 release to support a wider range of use-cases. So, while some parts of the plugins feature were already available in previous versions, a `kubectl` version of 1.12.0 or later is recommended if you are following these docs. {{< /note >}} -Until a GA version is released, plugins should be considered unstable, and their underlying mechanism is prone to change. - {{% /capture %}} {{% capture steps %}} From 5f049ecce9606908ff9951680c3fa48b0773f324 Mon Sep 17 00:00:00 2001 From: Michelle Au Date: Mon, 11 Mar 2019 15:24:38 -0700 Subject: [PATCH 15/47] documentation for CSI topology beta (#12889) --- content/en/docs/concepts/storage/storage-classes.md | 5 +++++ .../reference/command-line-tools-reference/feature-gates.md | 6 ++++-- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/content/en/docs/concepts/storage/storage-classes.md b/content/en/docs/concepts/storage/storage-classes.md index fe817d1aac5b6..384d0d4e30a37 100644 --- a/content/en/docs/concepts/storage/storage-classes.md +++ b/content/en/docs/concepts/storage/storage-classes.md 
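Review bot: In the `@@ -9,7 +9,7 @@` hunk of kubectl-plugins.md, `{{< feature-state state="stable" >}}` carries no `for_k8s_version`, unlike the other feature-state shortcodes updated in this series (for example `for_k8s_version="1.14" state="stable"`), so the page does not say in which release plugins became stable. Add the version. In the `@@ -24,8 +24,6 @@` hunk, the instability warning is removed but the note above it still only recommends "1.12.0 or later"; state from which `kubectl` version the stable guarantee applies.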
@@ -151,6 +151,11 @@ The following plugins support `WaitForFirstConsumer` with pre-created Persistent * All of the above * [Local](#local) +{{< feature-state state="beta" for_k8s_version="1.14" >}} +[CSI volumes](/docs/concepts/storage/volumes/#csi) are also supported with dynamic provisioning +and pre-created PVs, but you'll need to look at the documentation for a specific CSI driver +to see its supported topology keys and examples. The `CSINodeInfo` feature gate must be enabled. + ### Allowed Topologies When a cluster operator specifies the `WaitForFirstConsumer` volume binding mode, it is no longer necessary diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates.md b/content/en/docs/reference/command-line-tools-reference/feature-gates.md index 43dc0c9be627c..d645a18c591e2 100644 --- a/content/en/docs/reference/command-line-tools-reference/feature-gates.md +++ b/content/en/docs/reference/command-line-tools-reference/feature-gates.md @@ -56,8 +56,10 @@ different Kubernetes components. | `CRIContainerLogRotation` | `false` | Alpha | 1.10 | 1.10 | | `CRIContainerLogRotation` | `true` | Beta| 1.11 | | | `CSIBlockVolume` | `false` | Alpha | 1.11 | | -| `CSIDriverRegistry` | `false` | Alpha | 1.12 | | -| `CSINodeInfo` | `false` | Alpha | 1.12 | | +| `CSIDriverRegistry` | `false` | Alpha | 1.12 | 1.13 | +| `CSIDriverRegistry` | `true` | Beta | 1.14 | | +| `CSINodeInfo` | `false` | Alpha | 1.12 | 1.13 | +| `CSINodeInfo` | `true` | Beta | 1.14 | | | `CSIPersistentVolume` | `false` | Alpha | 1.9 | 1.9 | | `CSIPersistentVolume` | `true` | Beta | 1.10 | 1.12 | | `CSIPersistentVolume` | `true` | GA | 1.13 | - | From 98b449d578d683cdc7c7ee9ff53a040ff717a4a9 Mon Sep 17 00:00:00 2001 
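Review bot: In the storage-classes.md hunk (`@@ -151,6 +151,11 @@`), "The `CSINodeInfo` feature gate must be enabled" reads as an action the operator has to take, but the feature-gates.md hunk of the same patch records `CSINodeInfo` as `true` (Beta) from 1.14. Reword to say that the gate is on by default in 1.14 and must not be turned off, so nobody adds a redundant flag or assumes the feature is off in a default cluster.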
From: Jake Sanders Date: Mon, 11 Mar 2019 17:16:38 -0700 Subject: [PATCH 16/47] Document changes to default RBAC discovery ClusterRole(Binding)s (#12888) * Document changes to default RBAC discovery ClusterRole(Binding)s Documentation for https://github.com/kubernetes/enhancements/issues/789 and https://github.com/kubernetes/kubernetes/pull/73807 * documentation review feedback --- content/en/docs/reference/access-authn-authz/rbac.md | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/content/en/docs/reference/access-authn-authz/rbac.md b/content/en/docs/reference/access-authn-authz/rbac.md index b90509b924341..0b99331e5d3ce 100644 --- a/content/en/docs/reference/access-authn-authz/rbac.md +++ b/content/en/docs/reference/access-authn-authz/rbac.md @@ -471,13 +471,18 @@ NOTE: editing the role is not recommended as changes will be overwritten on API system:basic-user -system:authenticated and system:unauthenticated groups -Allows a user read-only access to basic information about themselves. +system:authenticated group +Allows a user read-only access to basic information about themselves. Prior to 1.14, this role was also bound to `system:unauthenticated` by default. system:discovery +system:authenticated group +Allows read-only access to API discovery endpoints needed to discover and negotiate an API level. Prior to 1.14, this role was also bound to `system:unauthenticated` by default. + + +system:public-info-viewer system:authenticated and system:unauthenticated groups -Allows read-only access to API discovery endpoints needed to discover and negotiate an API level. +Allows read-only access to non-sensitive information about the cluster. Introduced in 1.14. From ead0a28ddb6a3cf18256abf31fe72c9b6545dca2 Mon Sep 17 00:00:00 2001 
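Review bot: In the rbac.md hunk (`@@ -471,13 +471,18 @@`), the rows for `system:basic-user` and `system:discovery` say they were bound to `system:unauthenticated` "prior to 1.14" but do not say what happens on a cluster upgraded from an earlier version: whether the existing binding to `system:unauthenticated` is removed or kept. That is the detail an operator auditing anonymous access needs, so state it next to the table. For `system:public-info-viewer`, "non-sensitive information about the cluster" is too vague to audit against; list the endpoints or resources the role grants.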
From: Ben Swartzlander Date: Tue, 12 Mar 2019 13:48:42 -0400 Subject: [PATCH 17/47] CSI raw block to beta (#12931) --- content/en/docs/concepts/storage/volumes.md | 12 ++++-------- .../command-line-tools-reference/feature-gates.md | 3 ++- 2 files changed, 6 insertions(+), 9 deletions(-) diff --git a/content/en/docs/concepts/storage/volumes.md b/content/en/docs/concepts/storage/volumes.md index fdda03b775185..8e3e887d7af9c 100644 --- a/content/en/docs/concepts/storage/volumes.md +++ b/content/en/docs/concepts/storage/volumes.md @@ -1217,20 +1217,16 @@ persistent volume: #### CSI raw block volume support -{{< feature-state for_k8s_version="v1.11" state="alpha" >}} +{{< feature-state for_k8s_version="v1.14" state="beta" >}} Starting with version 1.11, CSI introduced support for raw block volumes, which relies on the raw block volume feature that was introduced in a previous version of Kubernetes. This feature will make it possible for vendors with external CSI drivers to implement raw block volumes support in Kubernetes workloads. -CSI block volume support is feature-gated and turned off by default. To run CSI with -block volume support enabled, a cluster administrator must enable the feature for each -Kubernetes component using the following feature gate flags: - -``` ---feature-gates=BlockVolume=true,CSIBlockVolume=true -``` +CSI block volume support is feature-gated, but enabled by default. The two +feature gates which must be enabled for this feature are `BlockVolume` and +`CSIBlockVolume`. Learn how to [setup your PV/PVC with raw block volume support](/docs/concepts/storage/persistent-volumes/#raw-block-volume-support). diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates.md b/content/en/docs/reference/command-line-tools-reference/feature-gates.md index d645a18c591e2..ff6cb43dbe647 100644 --- a/content/en/docs/reference/command-line-tools-reference/feature-gates.md 
+++ b/content/en/docs/reference/command-line-tools-reference/feature-gates.md @@ -55,7 +55,8 @@ different Kubernetes components. | `CPUManager` | `true` | Beta | 1.10 | | | `CRIContainerLogRotation` | `false` | Alpha | 1.10 | 1.10 | | `CRIContainerLogRotation` | `true` | Beta| 1.11 | | -| `CSIBlockVolume` | `false` | Alpha | 1.11 | | +| `CSIBlockVolume` | `false` | Alpha | 1.11 | 1.13 | +| `CSIBlockVolume` | `true` | Beta | 1.14 | | | `CSIDriverRegistry` | `false` | Alpha | 1.12 | 1.13 | | `CSIDriverRegistry` | `true` | Beta | 1.14 | | | `CSINodeInfo` | `false` | Alpha | 1.12 | 1.13 | From b37e645410b6234b767473be6945b0dfb0ba876b Mon Sep 17 00:00:00 2001 From: Ben Swartzlander Date: Fri, 15 Mar 2019 12:40:58 -0400 Subject: [PATCH 18/47] Change incorrect string raw to block (#12926) Fixes #12925 --- content/en/docs/concepts/storage/persistent-volumes.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/docs/concepts/storage/persistent-volumes.md b/content/en/docs/concepts/storage/persistent-volumes.md index ee66fdd81c0b4..4b6606629c146 100644 --- a/content/en/docs/concepts/storage/persistent-volumes.md +++ b/content/en/docs/concepts/storage/persistent-volumes.md @@ -312,7 +312,7 @@ Currently, storage size is the only resource that can be set or requested. Futu {{< feature-state for_k8s_version="v1.13" state="beta" >}} Prior to Kubernetes 1.9, all volume plugins created a filesystem on the persistent volume. -Now, you can set the value of `volumeMode` to `raw` to use a raw block device, or `filesystem` +Now, you can set the value of `volumeMode` to `block` to use a raw block device, or `filesystem` to use a filesystem. `filesystem` is the default if the value is omitted. This is an optional API parameter. From ac99ed4b973f793c219101eba3efa2b8153857b6 Mon Sep 17 00:00:00 2001 
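Review bot: In the volumes.md hunk (`@@ -1217,20 +1217,16 @@`), "feature-gated, but enabled by default" has no version attached, while the feature-gates.md hunk of this patch shows `CSIBlockVolume` as `false` through 1.13 and `true` only from 1.14. Write "enabled by default since 1.14". The next sentence, "The two feature gates which must be enabled", has the same problem as it suggests manual action; say that both gates must remain enabled.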
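Review bot: In the persistent-volumes.md hunk (`@@ -312,7 +312,7 @@`), the corrected value is written as `block` and the unchanged one as `filesystem`, both lower-case and in code formatting, which invites copy-paste into a manifest. The `volumeMode` field takes `Block` and `Filesystem`; use that casing in the changed line and in the "`filesystem` is the default" sentence that follows it.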
From: Yu-Ju Hong Date: Fri, 15 Mar 2019 09:54:58 -0700 Subject: [PATCH 19/47] Update documentation on node OS/arch labels (#12976) These labels have been promoted to GA: https://github.com/kubernetes/enhancements/issues/793 --- .../concepts/configuration/assign-pod-node.md | 4 ++-- .../getting-started-guides/windows/_index.md | 2 +- .../admission-controllers.md | 4 ++-- .../labels-annotations-taints.md | 19 ++++++++++++++----- .../debug-application-introspection.md | 4 ++-- 5 files changed, 21 insertions(+), 12 deletions(-) diff --git a/content/en/docs/concepts/configuration/assign-pod-node.md b/content/en/docs/concepts/configuration/assign-pod-node.md index 70ec7f2938ea5..43de077c708af 100644 --- a/content/en/docs/concepts/configuration/assign-pod-node.md +++ b/content/en/docs/concepts/configuration/assign-pod-node.md @@ -83,8 +83,8 @@ with a standard set of labels. As of Kubernetes v1.4 these labels are * `failure-domain.beta.kubernetes.io/zone` * `failure-domain.beta.kubernetes.io/region` * `beta.kubernetes.io/instance-type` -* `beta.kubernetes.io/os` -* `beta.kubernetes.io/arch` +* `kubernetes.io/os` +* `kubernetes.io/arch` {{< note >}} The value of these labels is cloud provider specific and is not guaranteed to be reliable. diff --git a/content/en/docs/getting-started-guides/windows/_index.md b/content/en/docs/getting-started-guides/windows/_index.md index 5d0ca0d122804..8ec63ef0892a7 100644 --- a/content/en/docs/getting-started-guides/windows/_index.md +++ b/content/en/docs/getting-started-guides/windows/_index.md 
@@ -286,7 +286,7 @@ See [joining-your-nodes](https://kubernetes.io/docs/setup/independent/create-clu The examples listed below assume running Windows nodes on Windows Server 1709. If you are running Windows Server 2016, the examples will need the image updated to specify `image: microsoft/windowsservercore:ltsc2016`. This is due to the requirement for container images to match the host operating system version when using process isolation. Not specifying a tag will implicitly use the `:latest` tag which can lead to surprising behaviors. Please consult with [https://hub.docker.com/r/microsoft/windowsservercore/](https://hub.docker.com/r/microsoft/windowsservercore/) for additional information on Windows Server Core image tagging. ### Scheduling Pods on Windows -Because your cluster has both Linux and Windows nodes, you must explicitly set the `nodeSelector` constraint to be able to schedule pods to Windows nodes. You must set nodeSelector with the label `beta.kubernetes.io/os` to the value `windows`; see the following example: +Because your cluster has both Linux and Windows nodes, you must explicitly set the `nodeSelector` constraint to be able to schedule pods to Windows nodes. You must set nodeSelector with the label `kubernetes.io/os` to the value `windows`; see the following example: {{< codenew file="windows/simple-pod.yaml" >}} diff --git a/content/en/docs/reference/access-authn-authz/admission-controllers.md b/content/en/docs/reference/access-authn-authz/admission-controllers.md index fb66b07cc58b3..d5dc2a1ffe968 100644 --- a/content/en/docs/reference/access-authn-authz/admission-controllers.md +++ b/content/en/docs/reference/access-authn-authz/admission-controllers.md 
@@ -418,9 +418,9 @@ This label prefix is reserved for administrators to label their `Node` objects f and kubelets will not be allowed to modify labels with that prefix. * **Allows** kubelets to add/remove/update these labels and label prefixes: * `kubernetes.io/hostname` - * `beta.kubernetes.io/arch` + * `kubernetes.io/arch` + * `kubernetes.io/os` * `beta.kubernetes.io/instance-type` - * `beta.kubernetes.io/os` * `failure-domain.beta.kubernetes.io/region` * `failure-domain.beta.kubernetes.io/zone` * `kubelet.kubernetes.io/`-prefixed labels diff --git a/content/en/docs/reference/kubernetes-api/labels-annotations-taints.md b/content/en/docs/reference/kubernetes-api/labels-annotations-taints.md index 78219c3085823..6f958c4060d0a 100644 --- a/content/en/docs/reference/kubernetes-api/labels-annotations-taints.md +++ b/content/en/docs/reference/kubernetes-api/labels-annotations-taints.md @@ -11,23 +11,32 @@ This document serves both as a reference to the values, and as a coordination po {{% /capture %}} {{% capture body %}} -## beta.kubernetes.io/arch +## kubernetes.io/arch -Example: `beta.kubernetes.io/arch=amd64` +Example: `kubernetes.io/arch=amd64` Used on: Node Kubelet populates this with `runtime.GOARCH` as defined by Go. This can be handy if you are mixing arm and x86 nodes, for example. -## beta.kubernetes.io/os +## kubernetes.io/os -Example: `beta.kubernetes.io/os=linux` +Example: `kubernetes.io/os=linux` Used on: Node Kubelet populates this with `runtime.GOOS` as defined by Go. This can be handy if you are mixing operating systems -in your cluster (although currently Linux is the only OS supported by Kubernetes). +in your cluster (e.g., mixing Linux and Windows nodes). + +## beta.kubernetes.io/arch (deprecated) + +This label has been deprecated. Please use `kubernetes.io/arch` instead. + +## beta.kubernetes.io/os (deprecated) + +This label has been deprecated. Please use `kubernetes.io/os` instead. + ## kubernetes.io/hostname 
diff --git a/content/en/docs/tasks/debug-application-cluster/debug-application-introspection.md b/content/en/docs/tasks/debug-application-cluster/debug-application-introspection.md index a04200e9a0984..4eb7266466acd 100644 --- a/content/en/docs/tasks/debug-application-cluster/debug-application-introspection.md +++ b/content/en/docs/tasks/debug-application-cluster/debug-application-introspection.md @@ -293,8 +293,8 @@ kubectl describe node kubernetes-node-861h ```none Name: kubernetes-node-861h Role -Labels: beta.kubernetes.io/arch=amd64 - beta.kubernetes.io/os=linux +Labels: kubernetes.io/arch=amd64 + kubernetes.io/os=linux kubernetes.io/hostname=kubernetes-node-861h Annotations: node.alpha.kubernetes.io/ttl=0 volumes.kubernetes.io/controller-managed-attach-detach=true From f7aa166fa4bc5b90b016ba9de3d64ef65d4c7505 Mon Sep 17 00:00:00 2001 From: Michelle Au Date: Fri, 15 Mar 2019 10:04:59 -0700 Subject: [PATCH 20/47] local pv GA doc updates (#12915) --- content/en/docs/concepts/storage/storage-classes.md | 4 ++-- content/en/docs/concepts/storage/volumes.md | 12 +++--------- .../command-line-tools-reference/feature-gates.md | 3 ++- 3 files changed, 7 insertions(+), 12 deletions(-) diff --git a/content/en/docs/concepts/storage/storage-classes.md b/content/en/docs/concepts/storage/storage-classes.md index 384d0d4e30a37..b0df83ed47612 100644 --- a/content/en/docs/concepts/storage/storage-classes.md +++ b/content/en/docs/concepts/storage/storage-classes.md @@ -744,7 +744,7 @@ references it. ### Local -{{< feature-state for_k8s_version="v1.10" state="beta" >}} +{{< feature-state for_k8s_version="v1.14" state="stable" >}} ```yaml kind: StorageClass 
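Review bot: In the assign-pod-node.md hunk (`@@ -83,8 +83,8 @@`), the list is introduced by the context line "As of Kubernetes v1.4 these labels are", and the replacement puts `kubernetes.io/os` and `kubernetes.io/arch`, which this patch describes as newly promoted to GA, under that lead-in. Update the lead-in, or list the GA labels with the release they appear in and keep the `beta.kubernetes.io/*` names marked as deprecated, so that node selectors written against older nodes are still explained.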
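Review bot: In the windows/_index.md hunk (`@@ -286,7 +286,7 @@`), the prose now tells readers to select on `kubernetes.io/os`, but the example it points to, `windows/simple-pod.yaml`, is not among the five files in this patch's diffstat. Check that the manifest uses the same label; otherwise the text and the example disagree, and a Pod written from one of them may not match any node.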
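Review bot: In the admission-controllers.md hunk (`@@ -418,9 +418,9 @@`), `beta.kubernetes.io/arch` and `beta.kubernetes.io/os` are dropped from the list of labels that kubelets are allowed to add, remove or update, while labels-annotations-taints.md in the same patch only marks them as deprecated. If kubelets are still permitted to write the deprecated labels, this list now understates what a node can change about itself. Keep both names here with the beta ones marked deprecated, or confirm that the admission plugin rejects them.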
@@ -755,7 +755,7 @@ provisioner: kubernetes.io/no-provisioner volumeBindingMode: WaitForFirstConsumer ``` -Local volumes do not support dynamic provisioning yet, however a StorageClass +Local volumes do not currently support dynamic provisioning, however a StorageClass should still be created to delay volume binding until pod scheduling. This is specified by the `WaitForFirstConsumer` volume binding mode. diff --git a/content/en/docs/concepts/storage/volumes.md b/content/en/docs/concepts/storage/volumes.md index 8e3e887d7af9c..dc9b092d4b8ea 100644 --- a/content/en/docs/concepts/storage/volumes.md +++ b/content/en/docs/concepts/storage/volumes.md @@ -535,14 +535,7 @@ See the [iSCSI example](https://github.com/kubernetes/examples/tree/{{< param "g ### local {#local} -{{< feature-state for_k8s_version="v1.10" state="beta" >}} - -{{< note >}} -The alpha PersistentVolume NodeAffinity annotation has been deprecated -and will be removed in a future release. Existing PersistentVolumes using this -annotation must be updated by the user to use the new PersistentVolume -`NodeAffinity` field. -{{< /note >}} +{{< feature-state for_k8s_version="v1.14" state="stable" >}} A `local` volume represents a mounted local storage device such as a disk, partition or directory. @@ -608,7 +601,8 @@ selectors, Pod affinity, and Pod anti-affinity. An external static provisioner can be run separately for improved management of the local volume lifecycle. Note that this provisioner does not support dynamic provisioning yet. For an example on how to run an external local provisioner, -see the [local volume provisioner user guide](https://github.com/kubernetes-incubator/external-storage/tree/master/local-volume). +see the [local volume provisioner user +guide](https://github.com/kubernetes-sigs/sig-storage-local-static-provisioner). {{< note >}} The local PersistentVolume requires manual cleanup and deletion by the 
diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates.md b/content/en/docs/reference/command-line-tools-reference/feature-gates.md index ff6cb43dbe647..61e64a5a81709 100644 --- a/content/en/docs/reference/command-line-tools-reference/feature-gates.md +++ b/content/en/docs/reference/command-line-tools-reference/feature-gates.md @@ -107,7 +107,8 @@ different Kubernetes components. | `MountPropagation` | `true` | GA | 1.12 | | | `NodeLease` | `false` | Alpha | 1.12 | | | `PersistentLocalVolumes` | `false` | Alpha | 1.7 | 1.9 | -| `PersistentLocalVolumes` | `true` | Beta | 1.10 | | +| `PersistentLocalVolumes` | `true` | Beta | 1.10 | 1.13 | +| `PersistentLocalVolumes` | `true` | GA | 1.14 | | | `PodPriority` | `false` | Alpha | 1.8 | | | `PodReadinessGates` | `false` | Alpha | 1.11 | | | `PodReadinessGates` | `true` | Beta | 1.12 | | From f18d21268766726dd70e0f84bb73342f20c1d52d Mon Sep 17 00:00:00 2001 From: "Haowei Cai (Roy)" Date: Fri, 15 Mar 2019 13:12:58 -0700 Subject: [PATCH 21/47] Publish CRD OpenAPI Documentation (#12910) * add documentation for CustomResourcePublishOpenAPI * address comments fix links, ordered lists, style and typo --- .../custom-resource-definitions.md | 52 +++++++++++++++++++ 1 file changed, 52 insertions(+) diff --git a/content/en/docs/tasks/access-kubernetes-api/custom-resources/custom-resource-definitions.md b/content/en/docs/tasks/access-kubernetes-api/custom-resources/custom-resource-definitions.md index fddff0fcbe88d..95edffddfb1ec 100644 --- a/content/en/docs/tasks/access-kubernetes-api/custom-resources/custom-resource-definitions.md +++ b/content/en/docs/tasks/access-kubernetes-api/custom-resources/custom-resource-definitions.md 
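Review bot: In the volumes.md hunk (`@@ -535,14 +535,7 @@`), the note about the deprecated alpha PersistentVolume NodeAffinity annotation is deleted without a replacement. The old text said existing PersistentVolumes "must be updated by the user" to the `NodeAffinity` field; the page should now say whether the annotation is still honoured or has been removed, because volumes that carry only the annotation are the ones affected when upgrading to the GA release.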
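Review bot: In the storage-classes.md hunk (`@@ -755,7 +755,7 @@`), "Local volumes do not currently support dynamic provisioning, however a StorageClass should still be created" is a comma splice; use a semicolon before "however" or split the sentence. The volumes.md hunk of this patch (`@@ -608,7 +601,8 @@`) keeps "does not support dynamic provisioning yet" in its context line, so choose one wording for both pages.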
@@ -347,6 +347,58 @@ kubectl create -f my-crontab.yaml crontab "my-new-cron-object" created ``` +### Publish Validation Schema in OpenAPI v2 + +{{< feature-state state="alpha" for_kubernetes_version="1.14" >}} + +Starting with Kubernetes 1.14, [custom resource validation schema](#validation) can be published as part +of [OpenAPI v2 spec](/docs/concepts/overview/kubernetes-api/#openapi-and-swagger-definitions) from +Kubernetes API server. + +[kubectl](/docs/reference/kubectl/overview) consumes the published schema to perform client-side validation +(`kubectl create` and `kubectl apply`), schema explanation (`kubectl explain`) on custom resources. +The published schema can be consumed for other purposes. The feature is Alpha in 1.14 and disabled by default. +You can enable the feature using the `CustomResourcePublishOpenAPI` feature gate on the +[kube-apiserver](/docs/admin/kube-apiserver): + +``` +--feature-gates=CustomResourcePublishOpenAPI=true +``` + +Custom resource validation schema will be converted to OpenAPI v2 schema, and +show up in `definitions` and `paths` fields in the [OpenAPI v2 spec](/docs/concepts/overview/kubernetes-api/#openapi-and-swagger-definitions). +The following modifications are applied during the conversion to keep backwards compatiblity with +kubectl in previous 1.13 version. These modifications prevent kubectl from being over-strict and rejecting +valid OpenAPI schemas that it doesn't understand. The conversion won't modify the validation schema defined in CRD, +and therefore won't affect [validation](#validation) in the API server. + +1. The following fields are removed as they aren't supported by OpenAPI v2 (in future versions OpenAPI v3 will be used without these restrictions) + - The fields `oneOf`, `anyOf` and `not` are removed +2. 
The following fields are removed as they aren't allowed by kubectl in + previous 1.13 version + - For a schema with a `$ref` + - the fields `properties` and `type` are removed + - if the `$ref` is outside of the `definitions`, the field `$ref` is removed + - For a schema of a primitive data type (which means the field `type` has two elements: one type and one format) + - if any one of the two elements is `null`, the field `type` is removed + - otherwise, the fields `type` and `properties` are removed + - For a schema of more than two types + - the fields `type` and `properties` are removed + - For a schema of `null` type + - the field `type` is removed + - For a schema of `array` type + - if the schema doesn't have exactly one item, the fields `type` and `items` are + removed + - For a schema with no type specified + - the field `properties` is removed +3. The following fields are removed as they aren't supported by the OpenAPI protobuf implementation + - The fields `id`, `schema`, `definitions`, `additionalItems`, `dependencies`, + and `patternProperties` are removed + - For a schema with a `externalDocs` + - if the `externalDocs` has `url` defined, the field `externalDocs` is removed + - For a schema with `items` defined + - if the field `items` has multiple schemas, the field `items` is removed + ### Additional printer columns Starting with Kubernetes 1.11, kubectl uses server-side printing. The server decides which From 90d53c2580a49af0b9b78faabae872ac2cae91ec Mon Sep 17 00:00:00 2001 
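Review bot: In the custom-resource-definitions.md hunk (`@@ -347,6 +347,58 @@`), the shortcode is written `{{< feature-state state="alpha" for_kubernetes_version="1.14" >}}`, whereas every other feature-state shortcode in this series uses `for_k8s_version`; with the different parameter name the version will most likely not render. In the same hunk, "compatiblity" should be "compatibility", "kubectl in previous 1.13 version" reads better as "kubectl 1.13", and the parenthesis "the field `type` has two elements: one type and one format" needs an example, since it is not clear how a `type` field holds a format. The sentence stating that the conversion does not affect validation in the API server deserves to sit near the top of the section, because the published schema only drives client-side checks.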
From: "Lubomir I. Ivanov" Date: Fri, 15 Mar 2019 22:48:57 +0200 Subject: [PATCH 22/47] kubeadm: add document for upgrading from 1.13 to 1.14 (single CP and HA) (#13189) * kubeadm: add document for upgrading from 1.13 to 1.14 - remove doc for upgrading 1.10 -> 1.11 * kubeadm: apply amends to upgrade-1.14 doc * kubeadm: apply amends to upgrade-1.14 doc (part2) * kubeadm: apply amends to upgrade-1.14 doc (part3) * kubeadm: add note about "upgrade node experimental-control-plane" + add comment about `upgrade plan` * kubeadm: add missing "You should see output similar to this" --- .../kubeadm/kubeadm-upgrade-1-11.md | 279 ------------- .../kubeadm/kubeadm-upgrade-1-14.md | 382 ++++++++++++++++++ 2 files changed, 382 insertions(+), 279 deletions(-) delete mode 100644 content/en/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade-1-11.md create mode 100644 content/en/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade-1-14.md diff --git a/content/en/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade-1-11.md b/content/en/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade-1-11.md deleted file mode 100644 index 6589c9cbfe170..0000000000000 --- a/content/en/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade-1-11.md +++ /dev/null 
@@ -1,279 +0,0 @@ ---- -reviewers: -- sig-cluster-lifecycle -title: Upgrading kubeadm clusters from v1.10 to v1.11 -content_template: templates/task ---- - -{{% capture overview %}} - -This page explains how to upgrade a Kubernetes cluster created with `kubeadm` from version 1.10.x to version 1.11.x, and from version 1.11.x to 1.11.y, where `y > x`. - -{{% /capture %}} - -{{% capture prerequisites %}} - -- You need to have a `kubeadm` Kubernetes cluster running version 1.10.0 or later. Swap must be disabled. The cluster should use a static control plane and etcd pods. -- Make sure you read the [release notes](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG-1.11.md) carefully. -- Make sure to back up any important components, such as app-level state stored in a database. `kubeadm upgrade` does not touch your workloads, only components internal to Kubernetes, but backups are always a best practice. - -### Additional information - -- All containers are restarted after upgrade, because the container spec hash value is changed. -- You can upgrade only from one minor version to the next minor version. That is, you cannot skip versions when you upgrade. For example, you can upgrade only from 1.10 to 1.11, not from 1.9 to 1.11. -- The default DNS provider in version 1.11 is [CoreDNS](https://coredns.io/) rather than [kube-dns](https://github.com/kubernetes/dns). -To keep `kube-dns`, pass `--feature-gates=CoreDNS=false` to `kubeadm upgrade apply`. - -{{% /capture %}} - -{{% capture steps %}} - -## Upgrade the control plane - -1. 
On your master node, run the following (as root): - - export VERSION=$(curl -sSL https://dl.k8s.io/release/stable.txt) # or manually specify a released Kubernetes version - export ARCH=amd64 # or: arm, arm64, ppc64le, s390x - curl -sSL https://dl.k8s.io/release/${VERSION}/bin/linux/${ARCH}/kubeadm > /usr/bin/kubeadm - chmod a+rx /usr/bin/kubeadm - - Note that upgrading the `kubeadm` package on your system prior to upgrading the control plane causes a failed upgrade. Even though `kubeadm` ships in the Kubernetes repositories, it's important to install it manually. The kubeadm team is working on fixing this limitation. - -1. Verify that the download works and has the expected version: - - ```shell - kubeadm version - ``` - -1. On the master node, run: - - ```shell - kubeadm upgrade plan - ``` - - You should see output similar to this: - - - - ```shell - [preflight] Running pre-flight checks. - [upgrade] Making sure the cluster is healthy: - [upgrade/config] Making sure the configuration is correct: - [upgrade/config] Reading configuration from the cluster... 
- [upgrade/config] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml' - I0618 20:32:32.950358 15307 feature_gate.go:230] feature gates: &{map[]} - [upgrade] Fetching available versions to upgrade to - [upgrade/versions] Cluster version: v1.10.4 - [upgrade/versions] kubeadm version: v1.11.0-beta.2.78+e0b33dbc2bde88 - - Components that must be upgraded manually after you have upgraded the control plane with 'kubeadm upgrade apply': - COMPONENT CURRENT AVAILABLE - Kubelet 1 x v1.10.4 v1.11.0 - - Upgrade to the latest version in the v1.10 series: - - COMPONENT CURRENT AVAILABLE - API Server v1.10.4 v1.11.0 - Controller Manager v1.10.4 v1.11.0 - Scheduler v1.10.4 v1.11.0 - Kube Proxy v1.10.4 v1.11.0 - CoreDNS 1.1.3 - Kube DNS 1.14.8 - Etcd 3.1.12 3.2.18 - - You can now apply the upgrade by executing the following command: - - kubeadm upgrade apply v1.11.0 - - Note: Before you can perform this upgrade, you have to update kubeadm to v1.11.0. - - _____________________________________________________________________ - ``` - - This command checks that your cluster can be upgraded, and fetches the versions you can upgrade to. - -1. Choose a version to upgrade to, and run the appropriate command. For example: - - ```shell - kubeadm upgrade apply v1.11.0 - ``` - - If you currently use `kube-dns` and wish to continue doing so, add `--feature-gates=CoreDNS=false`. - - You should see output similar to this: - - - - ```shell - [preflight] Running pre-flight checks. - [upgrade] Making sure the cluster is healthy: - [upgrade/config] Making sure the configuration is correct: - [upgrade/config] Reading configuration from the cluster... - [upgrade/config] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml' - I0614 20:56:08.320369 30918 feature_gate.go:230] feature gates: &{map[]} - [upgrade/apply] Respecting the --cri-socket flag that is set with higher priority than the config file. 
- [upgrade/version] You have chosen to change the cluster version to "v1.11.0-beta.2.78+e0b33dbc2bde88" - [upgrade/versions] Cluster version: v1.10.4 - [upgrade/versions] kubeadm version: v1.11.0-beta.2.78+e0b33dbc2bde88 - [upgrade/confirm] Are you sure you want to proceed with the upgrade? [y/N]: y - [upgrade/prepull] Will prepull images for components [kube-apiserver kube-controller-manager kube-scheduler etcd] - [upgrade/apply] Upgrading your Static Pod-hosted control plane to version "v1.11.0-beta.2.78+e0b33dbc2bde88"... - Static pod: kube-apiserver-ip-172-31-85-18 hash: 7a329408b21bc0c44d7b3b78ff8187bf - Static pod: kube-controller-manager-ip-172-31-85-18 hash: 24fd3157627c7567b687968967c6a5e8 - Static pod: kube-scheduler-ip-172-31-85-18 hash: 5179266fb24d4c1834814c4f69486371 - Static pod: etcd-ip-172-31-85-18 hash: 9dfc197f444be11fcc70ab1467b030b8 - [etcd] Wrote Static Pod manifest for a local etcd instance to "/etc/kubernetes/tmp/kubeadm-upgraded-manifests089436939/etcd.yaml" - [certificates] Using the existing etcd/ca certificate and key. - [certificates] Using the existing etcd/server certificate and key. - [certificates] Using the existing etcd/peer certificate and key. - [certificates] Using the existing etcd/healthcheck-client certificate and key. - [upgrade/staticpods] Moved new manifest to "/etc/kubernetes/manifests/etcd.yaml" and backed up old manifest to "/etc/kubernetes/tmp/kubeadm-backup-manifests-2018-06-14-20-56-11/etcd.yaml" - [upgrade/staticpods] Waiting for the kubelet to restart the component - Static pod: etcd-ip-172-31-85-18 hash: 9dfc197f444be11fcc70ab1467b030b8 - < snip > - [apiclient] Found 1 Pods for label selector component=etcd - [upgrade/staticpods] Component "etcd" upgraded successfully! 
- [upgrade/etcd] Waiting for etcd to become available - [util/etcd] Waiting 0s for initial delay - [util/etcd] Attempting to see if all cluster endpoints are available 1/10 - [upgrade/staticpods] Writing new Static Pod manifests to "/etc/kubernetes/tmp/kubeadm-upgraded-manifests089436939" - [controlplane] wrote Static Pod manifest for component kube-apiserver to "/etc/kubernetes/tmp/kubeadm-upgraded-manifests089436939/kube-apiserver.yaml" - [controlplane] wrote Static Pod manifest for component kube-controller-manager to "/etc/kubernetes/tmp/kubeadm-upgraded-manifests089436939/kube-controller-manager.yaml" - [controlplane] wrote Static Pod manifest for component kube-scheduler to "/etc/kubernetes/tmp/kubeadm-upgraded-manifests089436939/kube-scheduler.yaml" - [certificates] Using the existing etcd/ca certificate and key. - [certificates] Using the existing apiserver-etcd-client certificate and key. - [upgrade/staticpods] Moved new manifest to "/etc/kubernetes/manifests/kube-apiserver.yaml" and backed up old manifest to "/etc/kubernetes/tmp/kubeadm-backup-manifests-2018-06-14-20-56-11/kube-apiserver.yaml" - [upgrade/staticpods] Waiting for the kubelet to restart the component - Static pod: kube-apiserver-ip-172-31-85-18 hash: 7a329408b21bc0c44d7b3b78ff8187bf - < snip > - [apiclient] Found 1 Pods for label selector component=kube-apiserver - [upgrade/staticpods] Component "kube-apiserver" upgraded successfully! 
- [upgrade/staticpods] Moved new manifest to "/etc/kubernetes/manifests/kube-controller-manager.yaml" and backed up old manifest to "/etc/kubernetes/tmp/kubeadm-backup-manifests-2018-06-14-20-56-11/kube-controller-manager.yaml" - [upgrade/staticpods] Waiting for the kubelet to restart the component - Static pod: kube-controller-manager-ip-172-31-85-18 hash: 24fd3157627c7567b687968967c6a5e8 - Static pod: kube-controller-manager-ip-172-31-85-18 hash: 63992ff14733dcb9dcfa6ac0a3b8031a - [apiclient] Found 1 Pods for label selector component=kube-controller-manager - [upgrade/staticpods] Component "kube-controller-manager" upgraded successfully! - [upgrade/staticpods] Moved new manifest to "/etc/kubernetes/manifests/kube-scheduler.yaml" and backed up old manifest to "/etc/kubernetes/tmp/kubeadm-backup-manifests-2018-06-14-20-56-11/kube-scheduler.yaml" - [upgrade/staticpods] Waiting for the kubelet to restart the component - Static pod: kube-scheduler-ip-172-31-85-18 hash: 5179266fb24d4c1834814c4f69486371 - Static pod: kube-scheduler-ip-172-31-85-18 hash: 831e4b9425f758e572392976311e56d9 - [apiclient] Found 1 Pods for label selector component=kube-scheduler - [upgrade/staticpods] Component "kube-scheduler" upgraded successfully! 
- [uploadconfig] storing the configuration used in ConfigMap "kubeadm-config" in the "kube-system" Namespace - [kubelet] Creating a ConfigMap "kubelet-config-1.11" in namespace kube-system with the configuration for the kubelets in the cluster - [kubelet] Downloading configuration for the kubelet from the "kubelet-config-1.11" ConfigMap in the kube-system namespace - [kubelet] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml" - [patchnode] Uploading the CRI Socket information "/var/run/dockershim.sock" to the Node API object "ip-172-31-85-18" as an annotation - [bootstraptoken] configured RBAC rules to allow Node Bootstrap tokens to post CSRs in order for nodes to get long term certificate credentials - [bootstraptoken] configured RBAC rules to allow the csrapprover controller automatically approve CSRs from a Node Bootstrap Token - [bootstraptoken] configured RBAC rules to allow certificate rotation for all node client certificates in the cluster - [addons] Applied essential addon: CoreDNS - [addons] Applied essential addon: kube-proxy - - [upgrade/successful] SUCCESS! Your cluster was upgraded to "v1.11.0-beta.2.78+e0b33dbc2bde88". Enjoy! - - [upgrade/kubelet] Now that your control plane is upgraded, please proceed with upgrading your kubelets if you haven't already done so. - ``` - -1. Manually upgrade your Software Defined Network (SDN). - - Your Container Network Interface (CNI) provider may have its own upgrade instructions to follow. - Check the [addons](/docs/concepts/cluster-administration/addons/) page to - find your CNI provider and see whether additional upgrade steps are required. - -## Upgrade master and node packages - -1. 
Prepare each host for maintenance, marking it unschedulable and evicting the workload: - - ```shell - kubectl drain $HOST --ignore-daemonsets - ``` - - On the master host, you must add `--ignore-daemonsets`: - - ```shell - kubectl drain ip-172-31-85-18 - node "ip-172-31-85-18" cordoned - error: unable to drain node "ip-172-31-85-18", aborting command... - - There are pending nodes to be drained: - ip-172-31-85-18 - error: DaemonSet-managed pods (use --ignore-daemonsets to ignore): calico-node-5798d, kube-proxy-thjp9 - ``` - - ``` - kubectl drain ip-172-31-85-18 --ignore-daemonsets - node "ip-172-31-85-18" already cordoned - WARNING: Ignoring DaemonSet-managed pods: calico-node-5798d, kube-proxy-thjp9 - node "ip-172-31-85-18" drained - ``` - -1. Upgrade the Kubernetes package version on each `$HOST` node by running the Linux package manager for your distribution: - - {{< tabs name="k8s_install" >}} - {{% tab name="Ubuntu, Debian or HypriotOS" %}} - apt-get update - apt-get upgrade -y kubelet kubeadm - {{% /tab %}} - {{% tab name="CentOS, RHEL or Fedora" %}} - yum upgrade -y kubelet kubeadm --disableexcludes=kubernetes - {{% /tab %}} - {{< /tabs >}} - -## Upgrade kubelet on each node - -1. On each node except the master node, upgrade the kubelet config: - - ```shell - sudo kubeadm upgrade node config --kubelet-version $(kubelet --version | cut -d ' ' -f 2) - ``` - -1. Restart the kubectl process: - - ```shell - sudo systemctl restart kubelet - ``` - -1. Verify that the new version of the `kubelet` is running on the host: - - ```shell - systemctl status kubelet - ``` - -1. Bring the host back online by marking it schedulable: - - ```shell - kubectl uncordon $HOST - ``` - -1. 
After the kubelet is upgraded on all hosts, verify that all nodes are available again by running the following command from anywhere -- for example, from outside the cluster: - - ```shell - kubectl get nodes - ``` - - The `STATUS` column should show `Ready` for all your hosts, and the version number should be updated. - -{{% /capture %}} - -## Recovering from a failure state - -If `kubeadm upgrade` fails and does not roll back, for example because of an unexpected shutdown during execution, -you can run `kubeadm upgrade` again. This command is idempotent and eventually makes sure that the actual state is the desired state you declare. - -To recover from a bad state, you can also run `kubeadm upgrade --force` without changing the version that your cluster is running. - -## How it works - -`kubeadm upgrade apply` does the following: - -- Checks that your cluster is in an upgradeable state: - - The API server is reachable, - - All nodes are in the `Ready` state - - The control plane is healthy -- Enforces the version skew policies. -- Makes sure the control plane images are available or available to pull to the machine. -- Upgrades the control plane components or rollbacks if any of them fails to come up. -- Applies the new `kube-dns` and `kube-proxy` manifests and enforces that all necessary RBAC rules are created. -- Creates new certificate and key files of the API server and backs up old files if they're about to expire in 180 days. diff --git a/content/en/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade-1-14.md b/content/en/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade-1-14.md new file mode 100644 index 0000000000000..7b4f54ee3c1c8 --- /dev/null +++ b/content/en/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade-1-14.md 
@@ -0,0 +1,382 @@ +--- +reviewers: +- sig-cluster-lifecycle +title: Upgrading kubeadm clusters from v1.13 to v1.14 +content_template: templates/task +--- + +{{% capture overview %}} + +This page explains how to upgrade a Kubernetes cluster created with kubeadm from version 1.13.x to version 1.14.x, +and from version 1.14.x to 1.14.y (where `y > x`). + +The upgrade workflow at high level is the following: + +1. Upgrade the primary control plane node. +1. Upgrade additional control plane nodes. +1. Upgrade worker nodes. + +{{< note >}} +With the release of Kubernetes v1.14, the kubeadm instructions for upgrading both HA and single control plane clusters +are merged into a single document. +{{}} + +{{% /capture %}} + +{{% capture prerequisites %}} + +- You need to have a kubeadm Kubernetes cluster running version 1.13.0 or later. +- [Swap must be disabled](https://serverfault.com/questions/684771/best-way-to-disable-swap-in-linux). +- The cluster should use a static control plane and etcd pods. +- Make sure you read the [release notes](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG-1.14.md) carefully. +- Make sure to back up any important components, such as app-level state stored in a database. + `kubeadm upgrade` does not touch your workloads, only components internal to Kubernetes, but backups are always a best practice. + +### Additional information + +- All containers are restarted after upgrade, because the container spec hash value is changed. +- You only can upgrade from one MINOR version to the next MINOR version, + or between PATCH versions of the same MINOR. That is, you cannot skip MINOR versions when you upgrade. + For example, you can upgrade from 1.y to 1.y+1, but not from 1.y to 1.y+2. + +{{% /capture %}} + +{{% capture steps %}} + +## Determine which version to upgrade to + +1. 
Find the latest stable 1.14 version: + + {{< tabs name="k8s_install_versions" >}} + {{% tab name="Ubuntu, Debian or HypriotOS" %}} + apt update + apt-cache policy kubeadm + # find the latest 1.14 version in the list + # it should look like 1.14.x-00, where x is the latest patch + {{% /tab %}} + {{% tab name="CentOS, RHEL or Fedora" %}} + yum list --showduplicates kubeadm --disableexcludes=kubernetes + # find the latest 1.14 version in the list + # it should look like 1.14.x-0, where x is the latest patch + {{% /tab %}} + {{< /tabs >}} + +## Upgrade the first control plane node + +1. On your first control plane node, upgrade kubeadm: + + {{< tabs name="k8s_install_kubeadm_first_cp" >}} + {{% tab name="Ubuntu, Debian or HypriotOS" %}} + # replace x in 1.14.x-00 with the latest patch version + apt-mark unhold kubeadm && \ + apt-get update && apt-get install -y kubeadm=1.14.x-00 && \ + apt-mark hold kubeadm + {{% /tab %}} + {{% tab name="CentOS, RHEL or Fedora" %}} + # replace x in 1.14.x-0 with the latest patch version + yum install -y kubeadm-1.14.x-0 --disableexcludes=kubernetes + {{% /tab %}} + {{< /tabs >}} + +1. Verify that the download works and has the expected version: + + ```shell + kubeadm version + ``` + +1. On the control plane node, run: + + ```shell + sudo kubeadm upgrade plan + ``` + + You should see output similar to this: + + ```shell + [preflight] Running pre-flight checks. + [upgrade] Making sure the cluster is healthy: + [upgrade/config] Making sure the configuration is correct: + [upgrade/config] Reading configuration from the cluster... 
+ [upgrade/config] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml' + [upgrade] Fetching available versions to upgrade to + [upgrade/versions] Cluster version: v1.13.3 + [upgrade/versions] kubeadm version: v1.14.0 + + Components that must be upgraded manually after you have upgraded the control plane with 'kubeadm upgrade apply': + COMPONENT CURRENT AVAILABLE + Kubelet 2 x v1.13.3 v1.14.0 + + Upgrade to the latest version in the v1.13 series: + + COMPONENT CURRENT AVAILABLE + API Server v1.13.3 v1.14.0 + Controller Manager v1.13.3 v1.14.0 + Scheduler v1.13.3 v1.14.0 + Kube Proxy v1.13.3 v1.14.0 + CoreDNS 1.2.6 1.3.1 + Etcd 3.2.24 3.3.10 + + You can now apply the upgrade by executing the following command: + + kubeadm upgrade apply v1.14.0 + + _____________________________________________________________________ + ``` + + This command checks that your cluster can be upgraded, and fetches the versions you can upgrade to. + +1. Choose a version to upgrade to, and run the appropriate command. For example: + + ```shell + sudo kubeadm upgrade apply v1.14.x + ``` + + - Replace `x` with the patch version you picked for this ugprade. + + You should see output similar to this: + + ```shell + [preflight] Running pre-flight checks. + [upgrade] Making sure the cluster is healthy: + [upgrade/config] Making sure the configuration is correct: + [upgrade/config] Reading configuration from the cluster... + [upgrade/config] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml' + [upgrade/version] You have chosen to change the cluster version to "v1.14.0" + [upgrade/versions] Cluster version: v1.13.3 + [upgrade/versions] kubeadm version: v1.14.0 + [upgrade/confirm] Are you sure you want to proceed with the upgrade? [y/N]: y + [upgrade/prepull] Will prepull images for components [kube-apiserver kube-controller-manager kube-scheduler etcd] + [upgrade/prepull] Prepulling image for component etcd. 
+ [upgrade/prepull] Prepulling image for component kube-scheduler. + [upgrade/prepull] Prepulling image for component kube-apiserver. + [upgrade/prepull] Prepulling image for component kube-controller-manager. + [apiclient] Found 0 Pods for label selector k8s-app=upgrade-prepull-etcd + [apiclient] Found 0 Pods for label selector k8s-app=upgrade-prepull-kube-scheduler + [apiclient] Found 0 Pods for label selector k8s-app=upgrade-prepull-kube-controller-manager + [apiclient] Found 0 Pods for label selector k8s-app=upgrade-prepull-kube-apiserver + [apiclient] Found 1 Pods for label selector k8s-app=upgrade-prepull-etcd + [apiclient] Found 1 Pods for label selector k8s-app=upgrade-prepull-kube-controller-manager + [apiclient] Found 1 Pods for label selector k8s-app=upgrade-prepull-kube-scheduler + [apiclient] Found 1 Pods for label selector k8s-app=upgrade-prepull-kube-apiserver + [upgrade/prepull] Prepulled image for component etcd. + [upgrade/prepull] Prepulled image for component kube-apiserver. + [upgrade/prepull] Prepulled image for component kube-scheduler. + [upgrade/prepull] Prepulled image for component kube-controller-manager. + [upgrade/prepull] Successfully prepulled the images for all the control plane components + [upgrade/apply] Upgrading your Static Pod-hosted control plane to version "v1.14.0"... 
+ Static pod: kube-apiserver-myhost hash: 6436b0d8ee0136c9d9752971dda40400 + Static pod: kube-controller-manager-myhost hash: 8ee730c1a5607a87f35abb2183bf03f2 + Static pod: kube-scheduler-myhost hash: 4b52d75cab61380f07c0c5a69fb371d4 + [upgrade/etcd] Upgrading to TLS for etcd + Static pod: etcd-myhost hash: 877025e7dd7adae8a04ee20ca4ecb239 + [upgrade/staticpods] Moved new manifest to "/etc/kubernetes/manifests/etcd.yaml" and backed up old manifest to "/etc/kubernetes/tmp/kubeadm-backup-manifests-2019-03-14-20-52-44/etcd.yaml" + [upgrade/staticpods] Waiting for the kubelet to restart the component + [upgrade/staticpods] This might take a minute or longer depending on the component/version gap (timeout 5m0s) + Static pod: etcd-myhost hash: 877025e7dd7adae8a04ee20ca4ecb239 + Static pod: etcd-myhost hash: 877025e7dd7adae8a04ee20ca4ecb239 + Static pod: etcd-myhost hash: 64a28f011070816f4beb07a9c96d73b6 + [apiclient] Found 1 Pods for label selector component=etcd + [upgrade/staticpods] Component "etcd" upgraded successfully! 
+ [upgrade/etcd] Waiting for etcd to become available + [upgrade/staticpods] Writing new Static Pod manifests to "/etc/kubernetes/tmp/kubeadm-upgraded-manifests043818770" + [upgrade/staticpods] Moved new manifest to "/etc/kubernetes/manifests/kube-apiserver.yaml" and backed up old manifest to "/etc/kubernetes/tmp/kubeadm-backup-manifests-2019-03-14-20-52-44/kube-apiserver.yaml" + [upgrade/staticpods] Waiting for the kubelet to restart the component + [upgrade/staticpods] This might take a minute or longer depending on the component/version gap (timeout 5m0s) + Static pod: kube-apiserver-myhost hash: 6436b0d8ee0136c9d9752971dda40400 + Static pod: kube-apiserver-myhost hash: 6436b0d8ee0136c9d9752971dda40400 + Static pod: kube-apiserver-myhost hash: 6436b0d8ee0136c9d9752971dda40400 + Static pod: kube-apiserver-myhost hash: b8a6533e241a8c6dab84d32bb708b8a1 + [apiclient] Found 1 Pods for label selector component=kube-apiserver + [upgrade/staticpods] Component "kube-apiserver" upgraded successfully! + [upgrade/staticpods] Moved new manifest to "/etc/kubernetes/manifests/kube-controller-manager.yaml" and backed up old manifest to "/etc/kubernetes/tmp/kubeadm-backup-manifests-2019-03-14-20-52-44/kube-controller-manager.yaml" + [upgrade/staticpods] Waiting for the kubelet to restart the component + [upgrade/staticpods] This might take a minute or longer depending on the component/version gap (timeout 5m0s) + Static pod: kube-controller-manager-myhost hash: 8ee730c1a5607a87f35abb2183bf03f2 + Static pod: kube-controller-manager-myhost hash: 6f77d441d2488efd9fc2d9a9987ad30b + [apiclient] Found 1 Pods for label selector component=kube-controller-manager + [upgrade/staticpods] Component "kube-controller-manager" upgraded successfully! 
+ [upgrade/staticpods] Moved new manifest to "/etc/kubernetes/manifests/kube-scheduler.yaml" and backed up old manifest to "/etc/kubernetes/tmp/kubeadm-backup-manifests-2019-03-14-20-52-44/kube-scheduler.yaml" + [upgrade/staticpods] Waiting for the kubelet to restart the component + [upgrade/staticpods] This might take a minute or longer depending on the component/version gap (timeout 5m0s) + Static pod: kube-scheduler-myhost hash: 4b52d75cab61380f07c0c5a69fb371d4 + Static pod: kube-scheduler-myhost hash: a24773c92bb69c3748fcce5e540b7574 + [apiclient] Found 1 Pods for label selector component=kube-scheduler + [upgrade/staticpods] Component "kube-scheduler" upgraded successfully! + [upload-config] storing the configuration used in ConfigMap "kubeadm-config" in the "kube-system" Namespace + [kubelet] Creating a ConfigMap "kubelet-config-1.14" in namespace kube-system with the configuration for the kubelets in the cluster + [kubelet-start] Downloading configuration for the kubelet from the "kubelet-config-1.14" ConfigMap in the kube-system namespace + [kubelet-start] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml" + [bootstrap-token] configured RBAC rules to allow Node Bootstrap tokens to post CSRs in order for nodes to get long term certificate credentials + [bootstrap-token] configured RBAC rules to allow the csrapprover controller automatically approve CSRs from a Node Bootstrap Token + [bootstrap-token] configured RBAC rules to allow certificate rotation for all node client certificates in the cluster + [addons] Applied essential addon: CoreDNS + [addons] Applied essential addon: kube-proxy + + [upgrade/successful] SUCCESS! Your cluster was upgraded to "v1.14.0". Enjoy! + + [upgrade/kubelet] Now that your control plane is upgraded, please proceed with upgrading your kubelets if you haven't already done so. + ``` + +1. Manually upgrade your CNI provider plugin. 
+ + Your Container Network Interface (CNI) provider may have its own upgrade instructions to follow. + Check the [addons](/docs/concepts/cluster-administration/addons/) page to + find your CNI provider and see whether additional upgrade steps are required. + +1. Upgrade the kubelet and kubectl on the control plane node: + + {{< tabs name="k8s_install_kubelet" >}} + {{% tab name="Ubuntu, Debian or HypriotOS" %}} + # replace x in 1.14.x-00 with the latest patch version + apt-mark unhold kubelet && \ + apt-get update && apt-get install -y kubelet=1.14.x-00 kubectl=1.14.x-00 && \ + apt-mark hold kubelet + {{% /tab %}} + {{% tab name="CentOS, RHEL or Fedora" %}} + # replace x in 1.14.x-0 with the latest patch version + yum install -y kubelet-1.14.x-0 kubectl-1.14.x-0 --disableexcludes=kubernetes + {{% /tab %}} + {{< /tabs >}} + +1. Restart the kubelet + + ```shell + sudo systemctl restart kubelet + ``` + +## Upgrade additional control plane nodes + +1. Same as the first control plane node but use: + +``` +sudo kubeadm upgrade node experimental-control-plane +``` + +instead of: + +``` +sudo kubeadm upgrade apply +``` + +Also `sudo kubeadm upgrade plan` is not needed. + +## Ugrade worker nodes + +The upgrade procedure on worker nodes should be executed one node at a time or few nodes at a time, +without compromising the minimum required capacity for running your workloads. + +### Upgrade kubeadm + +1. Upgrade kubeadm on all worker nodes: + + {{< tabs name="k8s_install_kubeadm_worker_nodes" >}} + {{% tab name="Ubuntu, Debian or HypriotOS" %}} + # replace x in 1.14.x-00 with the latest patch version + apt-mark unhold kubeadm && \ + apt-get update && apt-get install -y kubeadm=1.14.x-00 && \ + apt-mark hold kubeadm + {{% /tab %}} + {{% tab name="CentOS, RHEL or Fedora" %}} + # replace x in 1.14.x-0 with the latest patch version + yum install -y kubeadm-1.14.x-0 --disableexcludes=kubernetes + {{% /tab %}} + {{< /tabs >}} + +### Cordon the node + +1. 
Prepare the node for maintenance by marking it unschedulable and evicting the workloads. Run: + + ```shell + kubectl drain $NODE --ignore-daemonsets + ``` + + You should see output similar to this: + + ```shell + kubectl drain ip-172-31-85-18 + node "ip-172-31-85-18" cordoned + error: unable to drain node "ip-172-31-85-18", aborting command... + + There are pending nodes to be drained: + ip-172-31-85-18 + error: DaemonSet-managed pods (use --ignore-daemonsets to ignore): calico-node-5798d, kube-proxy-thjp9 + ``` + +### Upgrade the kubelet config + +1. Upgrade the kubelet config: + + ```shell + sudo kubeadm upgrade node config --kubelet-version v1.14.x + ``` + + Replace `x` with the patch version you picked for this ugprade. + + +### Upgrade kubelet and kubectl + +1. Upgrade the Kubernetes package version by running the Linux package manager for your distribution: + + {{< tabs name="k8s_kubelet_and_kubectl" >}} + {{% tab name="Ubuntu, Debian or HypriotOS" %}} + # replace x in 1.14.x-00 with the latest patch version + apt-get update + apt-get install -y kubelet=1.14.x-00 kubectl=1.14.x-00 + {{% /tab %}} + {{% tab name="CentOS, RHEL or Fedora" %}} + # replace x in 1.14.x-0 with the latest patch version + yum install -y kubelet-1.14.x-0 kubectl-1.14.x-0 --disableexcludes=kubernetes + {{% /tab %}} + {{< /tabs >}} + +1. Restart the kubelet + + ```shell + sudo systemctl restart kubelet + ``` + +### Uncordon the node + +1. Bring the node back online by marking it schedulable: + + ```shell + kubectl uncordon $NODE + ``` + +## Verify the status of the cluster + +After the kubelet is upgraded on all nodes verify that all nodes are available again by running the following command from anywhere kubectl can access the cluster: + +```shell +kubectl get nodes +``` + +The `STATUS` column should show `Ready` for all your nodes, and the version number should be updated. 
+ +{{% /capture %}} + +## Recovering from a failure state + +If `kubeadm upgrade` fails and does not roll back, for example because of an unexpected shutdown during execution, you can run `kubeadm upgrade` again. +This command is idempotent and eventually makes sure that the actual state is the desired state you declare. + +To recover from a bad state, you can also run `kubeadm upgrade --force` without changing the version that your cluster is running. + +## How it works + +`kubeadm upgrade apply` does the following: + +- Checks that your cluster is in an upgradeable state: + - The API server is reachable + - All nodes are in the `Ready` state + - The control plane is healthy +- Enforces the version skew policies. +- Makes sure the control plane images are available or available to pull to the machine. +- Upgrades the control plane components or rollbacks if any of them fails to come up. +- Applies the new `kube-dns` and `kube-proxy` manifests and makes sure that all necessary RBAC rules are created. +- Creates new certificate and key files of the API server and backs up old files if they're about to expire in 180 days. + +`kubeadm upgrade node experimental-control-plane` does the following on additional control plane nodes: +- Fetches the kubeadm `ClusterConfiguration` from the cluster. +- Optionally backups the kube-apiserver certificate. +- Upgrades the static Pod manifests for the control plane components. From ed5f4594caecc47c651fcda7e31b03d38ee0381d Mon Sep 17 00:00:00 2001 From: "Haowei Cai (Roy)" Date: Fri, 15 Mar 2019 13:54:57 -0700 Subject: [PATCH 23/47] fix bullet indentation (#13214) --- .../custom-resource-definitions.md | 44 +++++++++---------- 1 file changed, 22 insertions(+), 22 deletions(-) diff --git a/content/en/docs/tasks/access-kubernetes-api/custom-resources/custom-resource-definitions.md b/content/en/docs/tasks/access-kubernetes-api/custom-resources/custom-resource-definitions.md index 95edffddfb1ec..264ebcbb31eb8 100644 
--- a/content/en/docs/tasks/access-kubernetes-api/custom-resources/custom-resource-definitions.md +++ b/content/en/docs/tasks/access-kubernetes-api/custom-resources/custom-resource-definitions.md 
@@ -373,31 +373,31 @@ valid OpenAPI schemas that it doesn't understand. The conversion won't modify th and therefore won't affect [validation](#validation) in the API server. 1. The following fields are removed as they aren't supported by OpenAPI v2 (in future versions OpenAPI v3 will be used without these restrictions) - - The fields `oneOf`, `anyOf` and `not` are removed + - The fields `oneOf`, `anyOf` and `not` are removed 2. The following fields are removed as they aren't allowed by kubectl in previous 1.13 version - - For a schema with a `$ref` - - the fields `properties` and `type` are removed - - if the `$ref` is outside of the `definitions`, the field `$ref` is removed - - For a schema of a primitive data type (which means the field `type` has two elements: one type and one format) - - if any one of the two elements is `null`, the field `type` is removed - - otherwise, the fields `type` and `properties` are removed - - For a schema of more than two types - - the fields `type` and `properties` are removed - - For a schema of `null` type - - the field `type` is removed - - For a schema of `array` type - - if the schema doesn't have exactly one item, the fields `type` and `items` are - removed - - For a schema with no type specified - - the field `properties` is removed + - For a schema with a `$ref` + - the fields `properties` and `type` are removed + - if the `$ref` is outside of the `definitions`, the field `$ref` is removed + - For a schema of a primitive data type (which means the field `type` has two elements: one type and one format) + - if any one of the two elements is `null`, the field `type` is removed + - otherwise, the fields `type` and `properties` are removed + - For a schema of more than two types + - the fields `type` and `properties` are removed + - For a schema of `null` type + - the field `type` is removed + - For a schema of `array` type + - if the schema doesn't have exactly one item, the fields `type` and `items` are + removed + - For a 
schema with no type specified + - the field `properties` is removed 3. The following fields are removed as they aren't supported by the OpenAPI protobuf implementation - - The fields `id`, `schema`, `definitions`, `additionalItems`, `dependencies`, - and `patternProperties` are removed - - For a schema with a `externalDocs` - - if the `externalDocs` has `url` defined, the field `externalDocs` is removed - - For a schema with `items` defined - - if the field `items` has multiple schemas, the field `items` is removed + - The fields `id`, `schema`, `definitions`, `additionalItems`, `dependencies`, + and `patternProperties` are removed + - For a schema with a `externalDocs` + - if the `externalDocs` has `url` defined, the field `externalDocs` is removed + - For a schema with `items` defined + - if the field `items` has multiple schemas, the field `items` is removed ### Additional printer columns From 6e49749b53b5b70aedf5f1d8972408fed1cda453 Mon Sep 17 00:00:00 2001 From: Minhan Xia Date: Sat, 16 Mar 2019 10:26:57 -0700 Subject: [PATCH 24/47] mark PodReadinessGate GA (#12800) --- content/en/docs/concepts/workloads/pods/pod-lifecycle.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/docs/concepts/workloads/pods/pod-lifecycle.md b/content/en/docs/concepts/workloads/pods/pod-lifecycle.md index 707a3d1658a90..d1e1f7e9f279b 100644 --- a/content/en/docs/concepts/workloads/pods/pod-lifecycle.md +++ b/content/en/docs/concepts/workloads/pods/pod-lifecycle.md @@ -193,7 +193,7 @@ Once Pod is assigned to a node by scheduler, kubelet starts creating containers ## Pod readiness gate -{{< feature-state for_k8s_version="v1.12" state="beta" >}} +{{< feature-state for_k8s_version="v1.14" state="stable" >}} In order to add extensibility to Pod readiness by enabling the injection of extra feedbacks or signals into `PodStatus`, Kubernetes 1.11 introduced a From cc769cb6d679bbce2624eb9a0e42c449a43ec394 Mon Sep 17 00:00:00 2001 
From: "Tim Allclair (St. Clair)" Date: Sat, 16 Mar 2019 10:28:56 -0700 Subject: [PATCH 25/47] Update RuntimeClass documentation for beta (#13043) * Update RuntimeClass documentation for beta * Update feature gate & add upgrade section * formatting fixes * Highlight upgrade action required * Address feedback --- .../docs/concepts/containers/runtime-class.md | 137 ++++++++++++------ .../feature-gates.md | 2 +- 2 files changed, 93 insertions(+), 46 deletions(-) diff --git a/content/en/docs/concepts/containers/runtime-class.md b/content/en/docs/concepts/containers/runtime-class.md index 861ce41d9e4b6..c2ca8a830f537 100644 --- a/content/en/docs/concepts/containers/runtime-class.md +++ b/content/en/docs/concepts/containers/runtime-class.md @@ -9,10 +9,16 @@ weight: 20 {{% capture overview %}} -{{< feature-state for_k8s_version="v1.12" state="alpha" >}} +{{< feature-state for_k8s_version="v1.14" state="beta" >}} This page describes the RuntimeClass resource and runtime selection mechanism. +{{< warning >}} +RuntimeClass includes *breaking* changes in the beta upgrade in v1.14. If you were using +RuntimeClass prior to v1.14, see [Upgrading RuntimeClass from Alpha to +Beta](#upgrading-runtimeclass-from-alpha-to-beta). +{{< /warning >}} + {{% /capture %}} 
@@ -20,72 +26,51 @@ This page describes the RuntimeClass resource and runtime selection mechanism. ## Runtime Class -RuntimeClass is an alpha feature for selecting the container runtime configuration to use to run a -pod's containers. +RuntimeClass is a feature for selecting the container runtime configuration. The container runtime +configuration is used to run a Pod's containers. ### Set Up -As an early alpha feature, there are some additional setup steps that must be taken in order to use -the RuntimeClass feature: - -1. Enable the RuntimeClass feature gate (on apiservers & kubelets, requires version 1.12+) -2. Install the RuntimeClass CRD -3. Configure the CRI implementation on nodes (runtime dependent) -4. Create the corresponding RuntimeClass resources - -#### 1. Enable the RuntimeClass feature gate - -See [Feature Gates](/docs/reference/command-line-tools-reference/feature-gates/) for an explanation -of enabling feature gates. The `RuntimeClass` feature gate must be enabled on apiservers _and_ -kubelets. - -#### 2. Install the RuntimeClass CRD - -The RuntimeClass [CustomResourceDefinition][] (CRD) can be found in the addons directory of the -Kubernetes git repo: [kubernetes/cluster/addons/runtimeclass/runtimeclass_crd.yaml][runtimeclass_crd] - -Install the CRD with `kubectl apply -f runtimeclass_crd.yaml`. - -[CustomResourceDefinition]: /docs/tasks/access-kubernetes-api/custom-resources/custom-resource-definitions/ -[runtimeclass_crd]: https://github.com/kubernetes/kubernetes/tree/master/cluster/addons/runtimeclass/runtimeclass_crd.yaml +Ensure the RuntimeClass feature gate is enabled (it is by default). See [Feature +Gates](/docs/reference/command-line-tools-reference/feature-gates/) for an explanation of enabling +feature gates. The `RuntimeClass` feature gate must be enabled on apiservers _and_ kubelets. +1. Configure the CRI implementation on nodes (runtime dependent) +2. Create the corresponding RuntimeClass resources -#### 3. 
Configure the CRI implementation on nodes +#### 1. Configure the CRI implementation on nodes -The configurations to select between with RuntimeClass are CRI implementation dependent. See the -corresponding documentation for your CRI implementation for how to configure. As this is an alpha -feature, not all CRIs support multiple RuntimeClasses yet. +The configurations available through RuntimeClass are Container Runtime Interface (CRI) +implementation dependent. See the corresponding documentation ([below](#cri-documentation)) for your +CRI implementation for how to configure. {{< note >}} -RuntimeClass currently assumes a homogeneous node configuration across the cluster -(which means that all nodes are configured the same way with respect to container runtimes). Any heterogeneity (varying configurations) must be -managed independently of RuntimeClass through scheduling features (see [Assigning Pods to -Nodes](/docs/concepts/configuration/assign-pod-node/)). +RuntimeClass currently assumes a homogeneous node configuration across the cluster (which means that +all nodes are configured the same way with respect to container runtimes). Any heterogeneity +(varying configurations) must be managed independently of RuntimeClass through scheduling features +(see [Assigning Pods to Nodes](/docs/concepts/configuration/assign-pod-node/)). {{< /note >}} -The configurations have a corresponding `RuntimeHandler` name, referenced by the RuntimeClass. The -RuntimeHandler must be a valid DNS 1123 subdomain (alpha-numeric + `-` and `.` characters). +The configurations have a corresponding `handler` name, referenced by the RuntimeClass. The +handler must be a valid DNS 1123 label (alpha-numeric + `-` characters). -#### 4. Create the corresponding RuntimeClass resources +#### 2. Create the corresponding RuntimeClass resources -The configurations setup in step 3 should each have an associated `RuntimeHandler` name, which -identifies the configuration. 
For each RuntimeHandler (and optionally the empty `""` handler), -create a corresponding RuntimeClass object. +The configurations setup in step 1 should each have an associated `handler` name, which identifies +the configuration. For each handler, create a corresponding RuntimeClass object. The RuntimeClass resource currently only has 2 significant fields: the RuntimeClass name -(`metadata.name`) and the RuntimeHandler (`spec.runtimeHandler`). The object definition looks like this: +(`metadata.name`) and the handler (`handler`). The object definition looks like this: ```yaml -apiVersion: node.k8s.io/v1alpha1 # RuntimeClass is defined in the node.k8s.io API group +apiVersion: node.k8s.io/v1beta1 # RuntimeClass is defined in the node.k8s.io API group kind: RuntimeClass metadata: name: myclass # The name the RuntimeClass will be referenced by # RuntimeClass is a non-namespaced resource -spec: - runtimeHandler: myconfiguration # The name of the corresponding CRI configuration +handler: myconfiguration # The name of the corresponding CRI configuration ``` - {{< note >}} It is recommended that RuntimeClass write operations (create/update/patch/delete) be restricted to the cluster administrator. This is typically the default. See [Authorization 
@@ -116,4 +101,66 @@ error message. If no `runtimeClassName` is specified, the default RuntimeHandler will be used, which is equivalent to the behavior when the RuntimeClass feature is disabled. +### CRI Configuration + +For more details on setting up CRI runtimes, see [CRI installation](/docs/setup/cri/). + +#### dockershim + +Kubernetes built-in dockershim CRI does not support runtime handlers. + +#### [containerd](https://containerd.io/) + +Runtime handlers are configured through containerd's configuration at +`/etc/containerd/config.toml`. Valid handlers are configured under the runtimes section: + +``` +[plugins.cri.containerd.runtimes.${HANDLER_NAME}] +``` + +See containerd's config documentation for more details: +https://github.com/containerd/cri/blob/master/docs/config.md + +#### [cri-o](https://cri-o.io/) + +Runtime handlers are configured through cri-o's configuration at `/etc/crio/crio.conf`. Valid +handlers are configured under the [crio.runtime +table](https://github.com/kubernetes-sigs/cri-o/blob/master/docs/crio.conf.5.md#crioruntime-table): + +``` +[crio.runtime.runtimes.${HANDLER_NAME}] + runtime_path = "${PATH_TO_BINARY}" +``` + +See cri-o's config documentation for more details: +https://github.com/kubernetes-sigs/cri-o/blob/master/cmd/crio/config.go + + +### Upgrading RuntimeClass from Alpha to Beta + +The RuntimeClass Beta feature includes the following changes: + +- The `node.k8s.io` API group and `runtimeclasses.node.k8s.io` resource have been migrated to a + built-in API from a CustomResourceDefinition. +- The `spec` has been inlined in the RuntimeClass definition (i.e. there is no more + RuntimeClassSpec). +- The `runtimeHandler` field has been renamed `handler`. +- The `handler` field is now required in all API versions. This means the `runtimeHandler` field in + the Alpha API is also required. 
+- The `handler` field must be a valid DNS label ([RFC 1123](https://tools.ietf.org/html/rfc1123)), + meaning it can no longer contain `.` characters (in all versions). Valid handlers match the + following regular expression: `^[a-z0-9]([-a-z0-9]*[a-z0-9])?$`. + +**Action Required:** The following actions are required to upgrade from the alpha version of the +RuntimeClass feature to the beta version: + +- RuntimeClass resources must be recreated *after* upgrading to v1.14, and the + `runtimeclasses.node.k8s.io` CRD should be manually deleted: + ``` + kubectl delete customresourcedefinitions.apiextensions.k8s.io runtimeclasses.node.k8s.io + ``` +- Alpha RuntimeClasses with an unspecified or empty `runtimeHandler` or those using a `.` character + in the handler are no longer valid, and must be migrated to a valid handler configuration (see + above). + {{% /capture %}} diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates.md b/content/en/docs/reference/command-line-tools-reference/feature-gates.md index 61e64a5a81709..3e69ec57a8e60 100644 --- a/content/en/docs/reference/command-line-tools-reference/feature-gates.md +++ b/content/en/docs/reference/command-line-tools-reference/feature-gates.md @@ -123,7 +123,7 @@ different Kubernetes components. | `RotateKubeletServerCertificate` | `false` | Alpha | 1.7 | 1.11 | | `RotateKubeletServerCertificate` | `true` | Beta | 1.12 | | | `RunAsGroup` | `false` | Alpha | 1.10 | | -| `RuntimeClass` | `false` | Alpha | 1.12 | | +| `RuntimeClass` | `true` | Beta | 1.14 | | | `SCTPSupport` | `false` | Alpha | 1.12 | | | `ServiceNodeExclusion` | `false` | Alpha | 1.8 | | | `StorageObjectInUseProtection` | `true` | Beta | 1.10 | 1.10 | From ee19771a0e655533c89417a87f426b35cbca5c34 Mon Sep 17 00:00:00 2001 
From: Vladimir Vivien Date: Sat, 16 Mar 2019 13:32:56 -0400 Subject: [PATCH 26/47] CSI ephemeral volume alpha documentation (#10934) --- content/en/docs/concepts/storage/volumes.md | 39 ++++++++++++++++++- .../feature-gates.md | 2 + 2 files changed, 40 insertions(+), 1 deletion(-) diff --git a/content/en/docs/concepts/storage/volumes.md b/content/en/docs/concepts/storage/volumes.md index dc9b092d4b8ea..95c597e35dbeb 100644 --- a/content/en/docs/concepts/storage/volumes.md +++ b/content/en/docs/concepts/storage/volumes.md @@ -1225,7 +1225,44 @@ feature gates which must be enabled for this feature are `BlockVolume` and Learn how to [setup your PV/PVC with raw block volume support](/docs/concepts/storage/persistent-volumes/#raw-block-volume-support). -#### Developer resources +#### CSI ephemeral volumes + +{{< feature-state for_k8s_version="v1.14" state="alpha" >}} + +This feature allows CSI volumes to be directly embedded in the Pod specification instead of a PersistentVolume. Volumes specified in this way are ephemeral and do not persist across Pod restarts. + +Example: + +```yaml +kind: Pod +apiVersion: v1 +metadata: + name: my-csi-app +spec: + containers: + - name: my-frontend + image: busybox + volumeMounts: + - mountPath: "/data" + name: my-csi-inline-vol + command: [ "sleep", "1000000" ] + volumes: + - name: my-csi-inline-vol + csi: + driver: inline.storage.kubernetes.io + volumeAttributes: + foo: bar +``` + +This feature requires CSIInlineVolume feature gate to be enabled: + +``` +--feature-gates=CSIInlineVolume=true +``` + +CSI ephemeral volumes are only supported by a subset of CSI drivers. Please see the list of CSI drivers [here](https://kubernetes-csi.github.io/docs/drivers.html). + +# Developer resources For more information on how to develop a CSI driver, refer to the [kubernetes-csi documentation](https://kubernetes-csi.github.io/docs/) 
diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates.md b/content/en/docs/reference/command-line-tools-reference/feature-gates.md index 3e69ec57a8e60..622445460f9b6 100644 --- a/content/en/docs/reference/command-line-tools-reference/feature-gates.md +++ b/content/en/docs/reference/command-line-tools-reference/feature-gates.md @@ -59,6 +59,7 @@ different Kubernetes components. | `CSIBlockVolume` | `true` | Beta | 1.14 | | | `CSIDriverRegistry` | `false` | Alpha | 1.12 | 1.13 | | `CSIDriverRegistry` | `true` | Beta | 1.14 | | +| `CSIInlineVolume` | `false` | Alpha | 1.14 | - | | `CSINodeInfo` | `false` | Alpha | 1.12 | 1.13 | | `CSINodeInfo` | `true` | Beta | 1.14 | | | `CSIPersistentVolume` | `false` | Alpha | 1.9 | 1.9 | @@ -222,6 +223,7 @@ Each feature gate is designed for enabling/disabling a specific feature: [CSI (Container Storage Interface)](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/storage/container-storage-interface.md) compatible volume plugin. Check the [`csi` volume type](/docs/concepts/storage/volumes/#csi) documentation for more details. +- `CSIInlineVolume`: Enable CSI volumes to be directly embedded in Pod specifications instead of a PersistentVolume. - `CustomPodDNS`: Enable customizing the DNS settings for a Pod using its `dnsConfig` property. Check [Pod's DNS Config](/docs/concepts/services-networking/dns-pod-service/#pods-dns-config) for more details. From 092e288e233fa39d68b6d15933817d087d66d452 Mon Sep 17 00:00:00 2001 
From: Jingfang Liu Date: Sat, 16 Mar 2019 10:40:56 -0700 Subject: [PATCH 27/47] update kubectl documentation (#12867) * update kubectl documentation * add document for Secret/ConfigMap generators * replace `kubectl create -f` by `kubectl apply -f` * Add page for kustomization support in kubectl * fix spelling errors and address comments --- .../cluster-administration/logging.md | 2 +- .../manage-deployment.md | 29 +- .../concepts/configuration/assign-pod-node.md | 2 +- .../docs/concepts/configuration/overview.md | 4 +- .../en/docs/concepts/configuration/secret.md | 139 +++- content/en/docs/concepts/containers/images.md | 56 +- .../kustomization.md | 758 ++++++++++++++++++ .../object-management-kubectl/overview.md | 4 +- .../kubernetes-objects.md | 4 +- .../connect-applications-service.md | 12 +- .../concepts/services-networking/ingress.md | 4 +- .../workloads/controllers/daemonset.md | 2 +- .../workloads/controllers/deployment.md | 4 +- .../controllers/garbage-collection.md | 2 +- .../controllers/jobs-run-to-completion.md | 2 +- .../workloads/controllers/replicaset.md | 10 +- .../controllers/replicationcontroller.md | 2 +- .../workloads/pods/init-containers.md | 4 +- .../docs/reference/access-authn-authz/rbac.md | 2 +- .../en/docs/reference/kubectl/cheatsheet.md | 15 +- .../en/docs/reference/kubectl/conventions.md | 2 +- content/en/docs/reference/kubectl/overview.md | 8 +- .../independent/create-cluster-kubeadm.md | 2 +- content/en/docs/setup/multiple-zones.md | 6 +- ...icate-containers-same-pod-shared-volume.md | 2 +- .../connecting-frontend-backend.md | 6 +- ...port-forward-access-application-cluster.md | 4 +- .../web-ui-dashboard.md | 2 +- .../custom-resource-definition-versioning.md | 4 +- .../custom-resource-definitions.md | 20 +- .../declare-network-policy.md | 2 +- .../dns-debugging-resolution.md | 2 +- .../dns-horizontal-autoscaling.md | 2 +- .../tasks/administer-cluster/ip-masq-agent.md | 2 +- .../cpu-constraint-namespace.md | 10 +- 
.../manage-resources/cpu-default-namespace.md | 8 +- .../memory-constraint-namespace.md | 10 +- .../memory-default-namespace.md | 8 +- .../quota-memory-cpu-namespace.md | 6 +- .../manage-resources/quota-pod-namespace.md | 4 +- .../namespaces-walkthrough.md | 4 +- .../tasks/administer-cluster/namespaces.md | 6 +- .../cilium-network-policy.md | 4 +- .../administer-cluster/quota-api-object.md | 6 +- .../assign-cpu-resource.md | 4 +- .../assign-memory-resource.md | 6 +- .../assign-pods-nodes.md | 2 +- .../attach-handler-lifecycle-event.md | 2 +- .../configure-liveness-readiness-probes.md | 6 +- .../configure-persistent-volume-storage.md | 6 +- .../configure-pod-configmap.md | 106 ++- .../configure-pod-initialization.md | 2 +- .../configure-projected-volume-storage.md | 2 +- .../configure-service-account.md | 4 +- .../configure-volume-storage.md | 2 +- .../extended-resource.md | 4 +- .../pull-image-private-registry.md | 2 +- .../quality-service-pod.md | 8 +- .../security-context.md | 8 +- .../share-process-namespace.md | 2 +- .../translate-compose-kubernetes.md | 12 +- .../debug-application-introspection.md | 2 +- .../debug-application.md | 2 +- .../determine-reason-pod-failure.md | 2 +- .../events-stackdriver.md | 2 +- .../get-shell-running-container.md | 2 +- .../logging-stackdriver.md | 8 +- .../monitor-node-health.md | 4 +- .../set-up-placement-policies-federation.md | 6 +- .../define-command-argument-container.md | 2 +- .../define-environment-variable-container.md | 2 +- .../distribute-credentials-secure.md | 6 +- ...nward-api-volume-expose-pod-information.md | 4 +- ...ronment-variable-expose-pod-information.md | 4 +- .../inject-data-application/podpreset.md | 4 +- .../job/automated-tasks-with-cron-jobs.md | 2 +- .../coarse-parallel-processing-work-queue.md | 6 +- .../fine-parallel-processing-work-queue.md | 6 +- .../job/parallel-processing-expansion.md | 4 +- .../tasks/manage-daemon/update-daemon-set.md | 4 +- .../tasks/run-application/configure-pdb.md | 2 +- 
.../horizontal-pod-autoscale-walkthrough.md | 2 +- .../run-replicated-stateful-application.md | 6 +- ...un-single-instance-stateful-application.md | 4 +- .../run-application/scale-stateful-set.md | 2 +- .../update-api-object-kubectl-patch.md | 2 +- .../tasks/tls/managing-tls-in-a-cluster.md | 2 +- .../en/docs/tutorials/clusters/apparmor.md | 4 +- .../configure-redis-using-configmap.md | 61 +- .../basic-stateful-set.md | 10 +- .../stateful-application/cassandra.md | 4 +- .../mysql-wordpress-persistent-volume.md | 138 ++-- 92 files changed, 1302 insertions(+), 372 deletions(-) create mode 100644 content/en/docs/concepts/overview/object-management-kubectl/kustomization.md diff --git a/content/en/docs/concepts/cluster-administration/logging.md b/content/en/docs/concepts/cluster-administration/logging.md index 7b540f7baabc7..186a6450c9bea 100644 --- a/content/en/docs/concepts/cluster-administration/logging.md +++ b/content/en/docs/concepts/cluster-administration/logging.md @@ -35,7 +35,7 @@ a container that writes some text to standard output once per second. To run this pod, use the following command: ```shell -$ kubectl create -f https://k8s.io/examples/debug/counter-pod.yaml +kubectl apply -f https://k8s.io/examples/debug/counter-pod.yaml pod/counter created ``` diff --git a/content/en/docs/concepts/cluster-administration/manage-deployment.md b/content/en/docs/concepts/cluster-administration/manage-deployment.md index 0288c73efaac2..20ad081315ecb 100644 --- a/content/en/docs/concepts/cluster-administration/manage-deployment.md +++ b/content/en/docs/concepts/cluster-administration/manage-deployment.md 
@@ -26,23 +26,23 @@ Many applications require multiple resources to be created, such as a Deployment Multiple resources can be created the same way as a single resource: ```shell -$ kubectl create -f https://k8s.io/examples/application/nginx-app.yaml +$ kubectl apply -f https://k8s.io/examples/application/nginx-app.yaml service/my-nginx-svc created deployment.apps/my-nginx created ``` The resources will be created in the order they appear in the file. Therefore, it's best to specify the service first, since that will ensure the scheduler can spread the pods associated with the service as they are created by the controller(s), such as Deployment. -`kubectl create` also accepts multiple `-f` arguments: +`kubectl apply` also accepts multiple `-f` arguments: ```shell -$ kubectl create -f https://k8s.io/examples/application/nginx/nginx-svc.yaml -f https://k8s.io/examples/application/nginx/nginx-deployment.yaml +kubectl apply -f https://k8s.io/examples/application/nginx/nginx-svc.yaml -f https://k8s.io/examples/application/nginx/nginx-deployment.yaml ``` And a directory can be specified rather than or in addition to individual files: ```shell -$ kubectl create -f https://k8s.io/examples/application/nginx/ +kubectl apply -f https://k8s.io/examples/application/nginx/ ``` `kubectl` will read any files with suffixes `.yaml`, `.yml`, or `.json`. @@ -52,7 +52,7 @@ It is a recommended practice to put resources related to the same microservice o A URL can also be specified as a configuration source, which is handy for deploying directly from configuration files checked into github: ```shell -$ kubectl create -f https://raw.githubusercontent.com/kubernetes/website/master/content/en/examples/application/nginx/nginx-deployment.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/website/master/content/en/examples/application/nginx/nginx-deployment.yaml deployment.apps/my-nginx created ``` 
@@ -83,7 +83,7 @@ service "my-nginx-svc" deleted Because `kubectl` outputs resource names in the same syntax it accepts, it's easy to chain operations using `$()` or `xargs`: ```shell -$ kubectl get $(kubectl create -f docs/concepts/cluster-administration/nginx/ -o name | grep service) +kubectl get $(kubectl apply -f docs/concepts/cluster-administration/nginx/ -o name | grep service) NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE my-nginx-svc LoadBalancer 10.0.0.208 80/TCP 0s ``` @@ -108,14 +108,14 @@ project/k8s/development By default, performing a bulk operation on `project/k8s/development` will stop at the first level of the directory, not processing any subdirectories. If we had tried to create the resources in this directory using the following command, we would have encountered an error: ```shell -$ kubectl create -f project/k8s/development +kubectl apply -f project/k8s/development error: you must provide one or more resources by argument or filename (.json|.yaml|.yml|stdin) ``` Instead, specify the `--recursive` or `-R` flag with the `--filename,-f` flag as such: ```shell -$ kubectl create -f project/k8s/development --recursive +kubectl apply -f project/k8s/development --recursive configmap/my-config created deployment.apps/my-deployment created persistentvolumeclaim/my-pvc created @@ -126,7 +126,7 @@ The `--recursive` flag works with any operation that accepts the `--filename,-f` The `--recursive` flag also works when multiple `-f` arguments are provided: ```shell -$ kubectl create -f project/k8s/namespaces -f project/k8s/development --recursive +$ kubectl apply -f project/k8s/namespaces -f project/k8s/development --recursive namespace/development created namespace/staging created configmap/my-config created 
@@ -169,7 +169,7 @@ and The labels allow us to slice and dice our resources along any dimension specified by a label: ```shell -$ kubectl create -f examples/guestbook/all-in-one/guestbook-all-in-one.yaml +$ kubectl apply -f examples/guestbook/all-in-one/guestbook-all-in-one.yaml $ kubectl get pods -Lapp -Ltier -Lrole NAME READY STATUS RESTARTS AGE APP TIER ROLE guestbook-fe-4nlpb 1/1 Running 0 1m guestbook frontend @@ -320,7 +320,7 @@ Then, you can use [`kubectl apply`](/docs/reference/generated/kubectl/kubectl-co This command will compare the version of the configuration that you're pushing with the previous version and apply the changes you've made, without overwriting any automated changes to properties you haven't specified. ```shell -$ kubectl apply -f https://k8s.io/examples/application/nginx/nginx-deployment.yaml +kubectl apply -f https://k8s.io/examples/application/nginx/nginx-deployment.yaml deployment.apps/my-nginx configured ``` @@ -330,10 +330,6 @@ Currently, resources are created without this annotation, so the first invocatio All subsequent calls to `kubectl apply`, and other commands that modify the configuration, such as `kubectl replace` and `kubectl edit`, will update the annotation, allowing subsequent calls to `kubectl apply` to detect and perform deletions using a three-way diff. -{{< note >}} -To use apply, always create resource initially with either `kubectl apply` or `kubectl create --save-config`. -{{< /note >}} - ### kubectl edit Alternatively, you may also update resources with `kubectl edit`: 
@@ -379,8 +375,7 @@ deployment.apps/my-nginx replaced At some point, you'll eventually need to update your deployed application, typically by specifying a new image or image tag, as in the canary deployment scenario above. `kubectl` supports several update operations, each of which is applicable to different scenarios. -We'll guide you through how to create and update applications with Deployments. If your deployed application is managed by Replication Controllers, -you should read [how to use `kubectl rolling-update`](/docs/tasks/run-application/rolling-update-replication-controller/) instead. +We'll guide you through how to create and update applications with Deployments. Let's say you were running version 1.7.9 of nginx: diff --git a/content/en/docs/concepts/configuration/assign-pod-node.md b/content/en/docs/concepts/configuration/assign-pod-node.md index 43de077c708af..99129cfa0f8a2 100644 --- a/content/en/docs/concepts/configuration/assign-pod-node.md +++ b/content/en/docs/concepts/configuration/assign-pod-node.md @@ -69,7 +69,7 @@ Then add a nodeSelector like so: {{< codenew file="pods/pod-nginx.yaml" >}} -When you then run `kubectl create -f https://k8s.io/examples/pods/pod-nginx.yaml`, +When you then run `kubectl apply -f https://k8s.io/examples/pods/pod-nginx.yaml`, the Pod will get scheduled on the node that you attached the label to. You can verify that it worked by running `kubectl get pods -o wide` and looking at the "NODE" that the Pod was assigned to. diff --git a/content/en/docs/concepts/configuration/overview.md b/content/en/docs/concepts/configuration/overview.md index b7d74b4abea8b..c900a06beef77 100644 --- a/content/en/docs/concepts/configuration/overview.md +++ b/content/en/docs/concepts/configuration/overview.md 
@@ -23,7 +23,7 @@ This is a living document. If you think of something that is not on this list bu - Group related objects into a single file whenever it makes sense. One file is often easier to manage than several. See the [guestbook-all-in-one.yaml](https://github.com/kubernetes/examples/tree/{{< param "githubbranch" >}}/guestbook/all-in-one/guestbook-all-in-one.yaml) file as an example of this syntax. -- Note also that many `kubectl` commands can be called on a directory. For example, you can call `kubectl create` on a directory of config files. +- Note also that many `kubectl` commands can be called on a directory. For example, you can call `kubectl apply` on a directory of config files. - Don't specify default values unnecessarily: simple, minimal configuration will make errors less likely. @@ -97,7 +97,7 @@ The caching semantics of the underlying image provider make even `imagePullPolic ## Using kubectl -- Use `kubectl apply -f ` or `kubectl create -f `. This looks for Kubernetes configuration in all `.yaml`, `.yml`, and `.json` files in `` and passes it to `apply` or `create`. +- Use `kubectl apply -f `. This looks for Kubernetes configuration in all `.yaml`, `.yml`, and `.json` files in `` and passes it to `apply`. - Use label selectors for `get` and `delete` operations instead of specific object names. See the sections on [label selectors](/docs/concepts/overview/working-with-objects/labels/#label-selectors) and [using labels effectively](/docs/concepts/cluster-administration/manage-deployment/#using-labels-effectively). diff --git a/content/en/docs/concepts/configuration/secret.md b/content/en/docs/concepts/configuration/secret.md index cac58727d7b39..f1457910c43d9 100644 --- a/content/en/docs/concepts/configuration/secret.md +++ b/content/en/docs/concepts/configuration/secret.md 
@@ -72,6 +72,12 @@ the object on the Apiserver. $ kubectl create secret generic db-user-pass --from-file=./username.txt --from-file=./password.txt secret "db-user-pass" created ``` +{{< note >}} +Special characters such as `$`, `\*`, and `!` require escaping. +If the password you are using has special characters, you need to escape them using the `\\` character. For example, if your actual password is `S!B\*d$zDsb`, you should execute the command this way: + kubectl create secret generic dev-db-secret --from-literal=username=devuser --from-literal=password=S\\!B\\\*d\\$zDsb + You do not need to escape special characters in passwords from files (`--from-file`). +{{< /note >}} You can check that the secret was created like this: @@ -132,10 +138,10 @@ data: password: MWYyZDFlMmU2N2Rm ``` -Now create the Secret using [`kubectl create`](/docs/reference/generated/kubectl/kubectl-commands#create): +Now create the Secret using [`kubectl apply`](/docs/reference/generated/kubectl/kubectl-commands#apply): ```shell -$ kubectl create -f ./secret.yaml +kubectl apply -f ./secret.yaml secret "mysecret" created ``` @@ -171,7 +177,7 @@ stringData: ``` Your deployment tool could then replace the `{{username}}` and `{{password}}` -template variables before running `kubectl create`. +template variables before running `kubectl apply`. stringData is a write-only convenience field. It is never output when retrieving Secrets. For example, if you run the following command: 
@@ -241,6 +247,73 @@ using the `-b` option to split long lines. Conversely Linux users *should* add the option `-w 0` to `base64` commands or the pipeline `base64 | tr -d '\n'` if `-w` option is not available. +#### Creating a Secret from Generator +Kubectl supports [managing objects using Kustomize](/docs/concepts/overview/object-management-kubectl/kustomization/) +since 1.14. With this new feature, +you can also create a Secret from generators and then apply it to create the object on +the Apiserver. The generators +should be specified in a `kustomization.yaml` inside a directory. + +For example, to generate a Secret from files `./username.txt` and `./password.txt` +```shell +# Create a kustomization.yaml file with SecretGenerator +cat <./kustomization.yaml +secretGenerator: +- name: db-user-pass + files: + - username.txt + - password.txt +EOF +``` +Apply the kustomization directory to create the Secret object. +```shell +$ kubectl apply -k . +secret/db-user-pass-96mffmfh4k created +``` + +You can check that the secret was created like this: + +```shell +$ kubectl get secrets +NAME TYPE DATA AGE +db-user-pass-96mffmfh4k Opaque 2 51s + +$ kubectl describe secrets/db-user-pass-96mffmfh4k +Name: db-user-pass +Namespace: default +Labels: +Annotations: + +Type: Opaque + +Data +==== +password.txt: 12 bytes +username.txt: 5 bytes +``` + +For example, to generate a Secret from literals `username=admin` and `password=secret`, +you can specify the secret generator in `kusotmization.yaml` as +```shell +# Create a kustomization.yaml file with SecretGenerator +$ cat <./kustomization.yaml +secretGenerator: +- name: db-user-pass + literals: + - username=admin + - password=secret +EOF +``` +Apply the kustomization directory to create the Secret object. +```shell +$ kubectl apply -k . +secret/db-user-pass-dddghtt9b5 created +``` +{{< note >}} +The generated Secrets name has a suffix appended by hashing the contents. 
This ensures that a new +Secret is generated each time the contents is modified. +{{< /note >}} + #### Decoding a Secret Secrets can be retrieved via the `kubectl get secret` command. For example, to retrieve the secret created in the previous section: @@ -583,10 +656,20 @@ start until all the pod's volumes are mounted. ### Use-Case: Pod with ssh keys -Create a secret containing some ssh keys: - +Create a kustomization.yaml with SecretGenerator containing some ssh keys: +```shell +$ cp /path/to/.ssh/id_rsa ./id_rsa +$ cp /path/to/.ssh/id_rsa.pub ./id_rsa.pub +$ cat <./kustomization.yaml +SecretGenerator: +- name: ssh-key-secret + files: + - id_rsa + - id_rsa.pub +``` +Create the SecretObject on Apiserver: ```shell -$ kubectl create secret generic ssh-key-secret --from-file=ssh-privatekey=/path/to/.ssh/id_rsa --from-file=ssh-publickey=/path/to/.ssh/id_rsa.pub +$ kubectl apply -k . ``` {{< caution >}} 
@@ -633,26 +716,25 @@ This example illustrates a pod which consumes a secret containing prod credentials and another pod which consumes a secret with test environment credentials. -Make the secrets: - +Make the kustomization.yaml with SecretGenerator ```shell -$ kubectl create secret generic prod-db-secret --from-literal=username=produser --from-literal=password=Y4nys7f11 -secret "prod-db-secret" created -$ kubectl create secret generic test-db-secret --from-literal=username=testuser --from-literal=password=iluvtests -secret "test-db-secret" created +$ cat < kustomization.yaml +secretGenerator: +- name: prod-db-secret + literals: + - username=produser + - password=Y4nys7f11 +- name: test-db-secret + literals: + - username=testuser + - password=iluvtests +EOF ``` -{{< note >}} -Special characters such as `$`, `\*`, and `!` require escaping. -If the password you are using has special characters, you need to escape them using the `\\` character. For example, if your actual password is `S!B\*d$zDsb`, you should execute the command this way: - - kubectl create secret generic dev-db-secret --from-literal=username=devuser --from-literal=password=S\\!B\\\*d\\$zDsb - -You do not need to escape special characters in passwords from files (`--from-file`). -{{< /note >}} Now make the pods: -```yaml +```shell +$ cat < pod.yaml apiVersion: v1 kind: List items: @@ -692,6 +774,21 @@ items: - name: secret-volume readOnly: true mountPath: "/etc/secret-volume" +EOF +``` + +Add the pods to the same kustomization.yaml +```shell +$ cat <> kustomization.yaml +resources: +- pod.yaml +EOF +``` + +Apply all those objects on the Apiserver by + +```shell +kubectl apply --k . ``` Both containers will have the following files present on their filesystems with the values for each container's environment: diff --git a/content/en/docs/concepts/containers/images.md b/content/en/docs/concepts/containers/images.md index 8885784e4c76f..d830fcf577b22 100644 
--- a/content/en/docs/concepts/containers/images.md +++ b/content/en/docs/concepts/containers/images.md @@ -205,7 +205,7 @@ example, run these on your desktop/laptop: Verify by creating a pod that uses a private image, e.g.: ```yaml -kubectl create -f - < ./kustomization.yaml +secretGenerator: +- name: myregistrykey + type: docker-registry + literals: + - docker-server=DOCKER_REGISTRY_SERVER + - docker-username=DOCKER_USER + - docker-password=DOCKER_PASSWORD + - docker-email=DOCKER_EMAIL +EOF + +kubectl apply -k . +secret/myregistrykey-66h7d4d986 created ``` If you need access to multiple registries, you can create one secret for each registry. 
@@ -290,42 +301,13 @@ when pulling images for your Pods. Pods can only reference image pull secrets in their own namespace, so this process needs to be done one time per namespace. -##### Bypassing kubectl create secrets - -If for some reason you need multiple items in a single `.docker/config.json` or need -control not given by the above command, then you can [create a secret using -json or yaml](/docs/user-guide/secrets/#creating-a-secret-manually). - -Be sure to: - -- set the name of the data item to `.dockerconfigjson` -- base64 encode the docker file and paste that string, unbroken - as the value for field `data[".dockerconfigjson"]` -- set `type` to `kubernetes.io/dockerconfigjson` - -Example: - -```yaml -apiVersion: v1 -kind: Secret -metadata: - name: myregistrykey - namespace: awesomeapps -data: - .dockerconfigjson: UmVhbGx5IHJlYWxseSByZWVlZWVlZWVlZWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWxsbGxsbGxsbGxsbGxsbGxsbGxsbGxsbGxsbGxsbGx5eXl5eXl5eXl5eXl5eXl5eXl5eSBsbGxsbGxsbGxsbGxsbG9vb29vb29vb29vb29vb29vb29vb29vb29vb25ubm5ubm5ubm5ubm5ubm5ubm5ubm5ubmdnZ2dnZ2dnZ2dnZ2dnZ2dnZ2cgYXV0aCBrZXlzCg== -type: kubernetes.io/dockerconfigjson -``` - -If you get the error message `error: no objects passed to create`, it may mean the base64 encoded string is invalid. -If you get an error message like `Secret "myregistrykey" is invalid: data[.dockerconfigjson]: invalid value ...`, it means -the data was successfully un-base64 encoded, but could not be parsed as a `.docker/config.json` file. - #### Referring to an imagePullSecrets on a Pod Now, you can create pods which reference that secret by adding an `imagePullSecrets` section to a pod definition. -```yaml +```shell +cat < pod.yaml apiVersion: v1 kind: Pod metadata: @@ -337,6 +319,12 @@ spec: image: janedoe/awesomeapp:v1 imagePullSecrets: - name: myregistrykey +EOF + +cat <> ./kustomization.yaml +resources: +- pod.yaml +EOF ``` This needs to be done for each pod that is using a private registry. 
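Review bot: In images.md, the `@@ -337,6 +319,12 @@` hunk turns the Pod manifest into `cat ... pod.yaml` and appends it to `kustomization.yaml`, but no `kubectl apply -k .` follows, so nothing creates the Pod that the sentence "Now, you can create pods which reference that secret" promises; add the apply step after the second `EOF`. Also check that the Pod's `imagePullSecrets: - name: myregistrykey` resolves to the generated name shown earlier (`secret/myregistrykey-66h7d4d986`) and say so in the text, since readers will see a different name in the cluster. The `@@ -290,42 +301,13 @@` hunk removes the whole "Bypassing kubectl create secrets" section, including the `type: kubernetes.io/dockerconfigjson` guidance and the two error-message explanations, with no replacement; if the generator with `type: docker-registry` is meant to cover that case, the page should show the resulting Secret so readers can confirm its type, and the registry password in `literals` deserves the same do-not-commit caveat as in secret.md.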
diff --git a/content/en/docs/concepts/overview/object-management-kubectl/kustomization.md b/content/en/docs/concepts/overview/object-management-kubectl/kustomization.md new file mode 100644 index 0000000000000..87ec48daea4f0 --- /dev/null +++ b/content/en/docs/concepts/overview/object-management-kubectl/kustomization.md 
@@ -0,0 +1,758 @@ +--- +title: Declarative Management of Kubernetes Objects Using Kustomize +content_template: templates/concept +weight: 40 +--- + +{{% capture overview %}} +[Kustomize](https://github.com/kubernetes-sigs/kustomize) is a standalone tool +to customize Kubernetes objects +through a [kustomization file](https://github.com/kubernetes-sigs/kustomize/blob/master/docs/kustomization.yaml). +Since 1.14, Kubectl also +supports the management of Kubernetes objects using a kustomization file. +To view Resources found in a directory containing a kustomization file, run the following command: +```shell +kubectl kustomize +``` +To apply those Resources, run `kubectl apply` with `--kustomize` or `-k` flag: +```shell +kubectl apply -k +``` +{{% /capture %}} + +{{% capture body %}} + +## Overview of Kustomize +Kustomize is a tool for customizing Kubernetes configurations. It has the following features to manage application configuration files: + +* generating resources from other sources +* setting cross-cutting fields for resources +* composing and customizing collections of resources + +### Generating Resources +ConfigMap and Secret hold config or sensitive data that are used by other Kubernetes objects, such as Pods. The source +of truth of ConfigMap or Secret are usually from somewhere else, such as a `.properties` file or a ssh key file. +Kustomize has `secretGenerator` and `configMapGenerator`, which generate Secret and ConfigMap from files or literals. + + +#### configMapGenerator +To generate a ConfigMap from a file, add an entry to `files` list in `configMapGenerator`. Here is an example of generating a ConfigMap with a data item from a file content. 
+```shell +# Create a application.properties file +cat <application.properties +FOO=Bar +EOF + +cat <./kustomization.yaml +configMapGenerator: +- name: example-configmap-1 + files: + - application.properties +EOF +``` +The generated ConfigMap can be checked by the following command: +```shell +kubectl kustomize ./ +``` +The generated ConfigMap is +```yaml +apiVersion: v1 +data: + application.properties: | + FOO=Bar +kind: ConfigMap +metadata: + name: example-configmap-1-8mbdf7882g +``` + +ConfigMap can also be generated from literal key-value pairs. To generate a ConfigMap from a literal key-value pair, add an entry to `literals` list in configMapGenerator. Here is an example of generating a ConfigMap with a data item from a key-value pair. +```shell +cat <./kustomization.yaml +configMapGenerator: +- name: example-configmap-2 + literals: + - FOO=Bar +EOF +``` +The generated ConfigMap can be checked by the following command: +```shell +kubectl kustomize ./ +``` +The generated ConfigMap is +```yaml +apiVersion: v1 +data: + FOO: Bar +kind: ConfigMap +metadata: + name: example-configmap-2-g2hdhfc6tk +``` + +#### secretGenerator +Secret can also be generated from files or literal key-value pairs. To generate a Secret from a file, add an entry to `files` list in `secretGenerator`. Here is an example of generating a Secret with a data item from a file. +```shell +# Create a password.txt file +cat <./password.txt +username=admin +password=secret +EOF + +cat <./kustomization.yaml +secretGenerator: +- name: example-secret-1 + files: + - password.txt +EOF +``` +The generated Secret is as follows: +```yaml +apiVersion: v1 +data: + password.txt: dXNlcm5hbWU9YWRtaW4KcGFzc3dvcmQ9c2VjcmV0Cg== +kind: Secret +metadata: + name: example-secret-1-t2kt65hgtb +type: Opaque +``` +To generate a Secret from a literal key-value pair, add an entry to `literals` list in `secretGenerator`. Here is an example of generating a Secret with a data item from a key-value pair. 
+```shell +cat <./kustomization.yaml +secretGenerator: +- name: example-secret-2 + literals: + - username=admin + - password=secert +EOF +``` +The generated Secret is as follows: +```yaml +apiVersion: v1 +data: + password: c2VjZXJ0 + username: YWRtaW4= +kind: Secret +metadata: + name: example-secret-2-t52t6g96d8 +type: Opaque +``` + +#### generatorOptions +The generated ConfigMaps and Secrets have a suffix appended by hashing the contents. This ensures that a new ConfigMap or Secret is generated when the content is changed. To disable the behavior of appending a suffix, one can use `generatorOptions`. Besides that, it is also possible to specify cross-cutting options for generated ConfigMaps and Secrets. +```shell +cat <./kustomization.yaml +configMapGenerator: +- name: example-configmap-3 + literals: + - FOO=Bar +generatorOptions: + disableNameSuffixHash: true + labels: + type: generated + annotations: + note: generated +EOF +``` +Run`kubectl kustomize ./` to view the generated ConfigMap: +```yaml +apiVersion: v1 +data: + FOO: Bar +kind: ConfigMap +metadata: + annotations: + note: generated + labels: + type: generated + name: example-configmap-3 +``` + +### Setting cross-cutting fields +It is quite common to set cross-cutting fields for all Kubernetes resources in a project. 
+Some use cases for setting cross-cutting fields: + +* setting the same namespace for all Resource +* adding the same name prefix or suffix +* adding the same set of labels +* adding the same set of annotations + +Here is an example: +```shell +# Create a deployment.yaml +cat <./deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: nginx-deployment + labels: + app: nginx +spec: + selector: + matchLabels: + app: nginx + template: + metadata: + labels: + app: nginx + spec: + containers: + - name: nginx + image: nginx +EOF + +cat <./kustomization.yaml +namespace: my-namespace +namePrefix: dev- +nameSuffix: "-001" +commonLabels: + app: bingo +commonAnnotations: + oncallPager: 800-555-1212 +resources: +- deployment.yaml +EOF +``` +Run `kubectl kustomize ./` to view those fields are all set in the Deployment Resource: +```yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + oncallPager: 800-555-1212 + labels: + app: bingo + name: dev-nginx-deployment-001 + namespace: my-namespace +spec: + selector: + matchLabels: + app: bingo + template: + metadata: + annotations: + oncallPager: 800-555-1212 + labels: + app: bingo + spec: + containers: + - image: nginx + name: nginx +``` + +### Composing and Customizing Resources +It is common to compose a set of Resources in a project and manage them inside +the same file or directory. +Kustomize offers composing Resources from different files and applying patches or other customization to them. + +#### Composing +Kustomize supports composition of different resources. The `resources` field, in the `kustomization.yaml` file, defines the list of resources to include in a configuration. Set the path to a resource's configuration file in the `resources` list. +Here is an example for an nginx application with a Deployment and a Service. 
+```shell +# Create a deployment.yaml file +cat < deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: my-nginx +spec: + selector: + matchLabels: + run: my-nginx + replicas: 2 + template: + metadata: + labels: + run: my-nginx + spec: + containers: + - name: my-nginx + image: nginx + ports: + - containerPort: 80 +EOF + +# Create a service.yaml file +cat < service.yaml +apiVersion: v1 +kind: Service +metadata: + name: my-nginx + labels: + run: my-nginx +spec: + ports: + - port: 80 + protocol: TCP + selector: + run: my-nginx +EOF + +# Create a kustomization.yaml composing them +cat <./kustomization.yaml +resources: +- deployment.yaml +- service.yaml +EOF +``` +The Resources from `kubectl kustomize ./` contains both the Deployment and the Service objects. + +#### Customizing +On top of Resources, one can apply different customizations by applying patches. Kustomize supports different patching +mechanisms through `patchesStrategicMerge` and `patchesJson6902`. `patchesStrategicMerge` is a list of file paths. Each file should be resolved to a [strategic merge patch](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-api-machinery/strategic-merge-patch.md). The names inside the patches must match Resource names that are already loaded. Small patches that do one thing are recommended. For example, create one patch for increasing the deployment replica number and another patch for setting the memory limit. 
+```shell +# Create a deployment.yaml file +cat < deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: my-nginx +spec: + selector: + matchLabels: + run: my-nginx + replicas: 2 + template: + metadata: + labels: + run: my-nginx + spec: + containers: + - name: my-nginx + image: nginx + ports: + - containerPort: 80 +EOF + +# Create a patch increase_replicas.yaml +cat < increase_replicas.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: my-nginx +spec: + replicas: 3 +EOF + +# Create another patch set_memory.yaml +cat < set_memory.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: my-nginx +spec: + template: + spec: + containers: + - name: my-nginx + resources: + limits: + memory: 512Mi +EOF + +cat <./kustomization.yaml +resources: +- deployment.yaml +patchesStrategicMerge: +- increase_replicas.yaml +- set_memory.yaml +EOF +``` +Run `kubectl kustomize ./` to view the Deployment: +```yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: my-nginx +spec: + replicas: 3 + selector: + matchLabels: + run: my-nginx + template: + metadata: + labels: + run: my-nginx + spec: + containers: + - image: nginx + limits: + memory: 512Mi + name: my-nginx + ports: + - containerPort: 80 +``` +Not all Resources or fields support strategic merge patches. To support modifying arbitrary fields in arbitrary Resources, +Kustomize offers applying [JSON patch](https://tools.ietf.org/html/rfc6902) through `patchesJson6902`. +To find the correct Resource for a Json patch, the group, version, kind and name of that Resource need to be +specified in `kustomization.yaml`. For example, increasing the replica number of a Deployment object can also be done +through `patchesJson6902`. 
+```shell +# Create a deployment.yaml file +cat < deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: my-nginx +spec: + selector: + matchLabels: + run: my-nginx + replicas: 2 + template: + metadata: + labels: + run: my-nginx + spec: + containers: + - name: my-nginx + image: nginx + ports: + - containerPort: 80 +EOF + +# Create a json patch +cat < patch.yaml +- op: replace + path: /spec/replicas + value: 3 +EOF + +# Create a kustomization.yaml +cat <./kustomization.yaml +resources: +- deployment.yaml + +patchesJson6902: +- target: + group: apps + version: v1 + kind: Deployment + name: my-nginx + path: patch.yaml +EOF +``` +Run `kubectl kustomize ./` to see the `replicas` field is updated: +```yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: my-nginx +spec: + replicas: 3 + selector: + matchLabels: + run: my-nginx + template: + metadata: + labels: + run: my-nginx + spec: + containers: + - image: nginx + name: my-nginx + ports: + - containerPort: 80 +``` +In addition to patches, Kustomize also offers customizing container images or injecting field values from other objects into containers +without creating patches. For example, you can change the image used inside containers by specifying the new image in `images` field in `kustomization.yaml`. 
+```shell +cat < deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: my-nginx +spec: + selector: + matchLabels: + run: my-nginx + replicas: 2 + template: + metadata: + labels: + run: my-nginx + spec: + containers: + - name: my-nginx + image: nginx + ports: + - containerPort: 80 +EOF + +cat <./kustomization.yaml +resources: +- deployment.yaml +images: +- name: nginx + newName: my.image.registry/nginx + newTag: 1.4.0 +EOF +``` +Run `kubectl kustomize ./` to see that the image being used is updated: +```yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: my-nginx +spec: + replicas: 2 + selector: + matchLabels: + run: my-nginx + template: + metadata: + labels: + run: my-nginx + spec: + containers: + - image: my.image.registry/nginx:1.4.0 + name: my-nginx + ports: + - containerPort: 80 +``` +Sometimes, the application running in a Pod may need to use configuration values from other objects. For example, +a Pod from a Deployment object need to read the corresponding Service name from Env or as a command argument. +Since the Service name may change as `namePrefix` or `nameSuffix` is added in the `kustomization.yaml` file. It is +not recommended to hard code the Service name in the command argument. For this usage, Kustomize can inject the Service name into containers through `vars`. 
+ +```shell +# Create a deployment.yaml file +cat < deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: my-nginx +spec: + selector: + matchLabels: + run: my-nginx + replicas: 2 + template: + metadata: + labels: + run: my-nginx + spec: + containers: + - name: my-nginx + image: nginx + command: ["start", "--host", "\$(MY_SERVICE_NAME)"] +EOF + +# Create a service.yaml file +cat < service.yaml +apiVersion: v1 +kind: Service +metadata: + name: my-nginx + labels: + run: my-nginx +spec: + ports: + - port: 80 + protocol: TCP + selector: + run: my-nginx +EOF + +cat <./kustomization.yaml +namePrefix: dev- +nameSuffix: "-001" + +resources: +- deployment.yaml +- service.yaml + +vars: +- name: MY_SERVICE_NAME + objref: + kind: Service + name: my-nginx + apiVersion: v1 +EOF +``` +Run `kubectl kustomize ./` to see that the Service name injected into containers is `dev-my-nginx-001`: +```yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: dev-my-nginx-001 +spec: + replicas: 2 + selector: + matchLabels: + run: my-nginx + template: + metadata: + labels: + run: my-nginx + spec: + containers: + - command: + - start + - --host + - dev-my-nginx-001 + image: nginx + name: my-nginx +``` + +## Bases and Overlays +Kustomize has the concepts of **bases** and **overlays**. A **base** is a directory with a `kustomization.yaml`, which contains a +set of resources and associated customization. A base could be either a local directory or a directory from a remote repo, +as long as a `kustomization.yaml` is present inside. An **overlay** is a directory with a `kustomization.yaml` that refers to other +kustomization directories as its `bases`. A **base** has no knowledge of an overlay and can be used in multiple overlays. +An overlay may have multiple bases and it composes all resources +from bases and may also have customization on top of them. + +Here is an example of a base. 
+```shell +# Create a directory to hold the base +mkdir base +# Create a base/deployment.yaml +cat < base/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: my-nginx +spec: + selector: + matchLabels: + run: my-nginx + replicas: 2 + template: + metadata: + labels: + run: my-nginx + spec: + containers: + - name: my-nginx + image: nginx +EOF + +# Create a base/service.yaml file +cat < base/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: my-nginx + labels: + run: my-nginx +spec: + ports: + - port: 80 + protocol: TCP + selector: + run: my-nginx +EOF +# Create a base/kustomization.yaml +cat < base/kustomization.yaml +resources: +- deployment.yaml +- service.yaml +``` +This base can be used in multiple overlays. You can add different `namePrefix` or other cross-cutting fields +in different overlays. Here are two overlays using the same base. +```shell +mkdir dev +cat < dev/kustomization.yaml +bases: +- ../base +namePrefix: dev- +EOF + +mkdir prod +cat < prod/kustomization.yaml +bases: +- ../base +namePrefix: prod- +EOF +``` + +## How to apply/view/delete objects using Kustomize +Use `--kustomize` or `-k` in `kubectl` commands to recognize Resources managed by `kustomization.yaml`. 
+Note that `-k` should point to a kustomization directory, such as + +```shell +kubectl apply -k / +``` +Given the following `kustomization.yaml`, +```shell +# Create a deployment.yaml file +cat < deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: my-nginx +spec: + selector: + matchLabels: + run: my-nginx + replicas: 2 + template: + metadata: + labels: + run: my-nginx + spec: + containers: + - name: my-nginx + image: nginx + ports: + - containerPort: 80 +EOF + +# Create a kustomization.yaml +cat <./kustomization.yaml +namePrefix: dev- +commonLabels: + app: my-nginx +resources: +- deployment.yaml +EOF +``` +Running the following command will apply the Deployment object `dev-my-nginx`: +```shell +> kubectl apply -k ./ +deployment.apps/dev-my-nginx created +``` +Running the following command will get he Deployment object `dev-my-nginx`: +```shell +kubectl get -k ./ +``` +or +```shell +kubectl describe -k ./ +``` +Running the following command will delete the Deployment object `dev-my-nginx`: +```shell +> kubectl delete -k ./ +deployment.apps "dev-my-nginx" deleted +``` + + +## Kustomize Feature List +Here is a list of all the features in Kustomize. 
+ +| Field | Type | Explanation | +|-----------------------|--------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------| +| namespace | string | add namespace to all resources | +| namePrefix | string | value of this field is prepended to the names of all resources | +| nameSuffix | string | value of this field is appended to the names of all resources | +| commonlabels | map[string]string | labels to add to all resources and selectors | +| commonAnnotations | map[string]string | annotations to add to all resources | +| resources | []string | each entry in this list must resolve to an existing resource configuration file | +| configmapGenerator | [][ConfigMapArgs](https://github.com/kubernetes-sigs/kustomize/blob/master/pkg/types/kustomization.go#L195) | Each entry in this list generates a ConfigMap | +| secretGenerator | [][SecretArgs](https://github.com/kubernetes-sigs/kustomize/blob/master/pkg/types/kustomization.go#L201) | Each entry in this list generates a Secret | +| generatorOptions | [GeneratorOptions](https://github.com/kubernetes-sigs/kustomize/blob/master/pkg/types/kustomization.go#L239) | Modify behaviors of all ConfigMap and Secret generatos | +| bases | []string | Each entry in this list should resolve to a directory containing a kustomization.yaml file | +| patchesStrategicMerge | []string | Each entry in this list should resolve a strategic merge patch of a Kubernetes object | +| patchesJson6902 | [][Json6902](https://github.com/kubernetes-sigs/kustomize/blob/master/pkg/patch/json6902.go#L23) | Each entry in this list should resolve to a Kubernetes object and a Json Patch | +| vars | [][Var](https://github.com/kubernetes-sigs/kustomize/blob/master/pkg/types/var.go#L31) | Each entry is to capture text from one resource's field | +| images | 
[][Image](https://github.com/kubernetes-sigs/kustomize/blob/master/pkg/image/image.go#L23) | Each entry is to modify the name, tags and/or digest for one image without creating patches | +| configurations | []string | Each entry in this list should resolve to a file containing [Kustomize transformer configurations](https://github.com/kubernetes-sigs/kustomize/tree/master/examples/transformerconfigs) | +| crds | []string | Each entry in this list should resolve to an OpenAPI definition file for Kubernetes types | + + + +{{% capture whatsnext %}} +- [Kustomize](https://github.com/kubernetes-sigs/kustomize) +- [Kubectl Book](https://kubectl.docs.kubernetes.io) +- [Kubectl Command Reference](/docs/reference/generated/kubectl/kubectl/) +- [Kubernetes API Reference](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/) +{{% /capture %}} diff --git a/content/en/docs/concepts/overview/object-management-kubectl/overview.md b/content/en/docs/concepts/overview/object-management-kubectl/overview.md index 3987da4a71f00..723df86818c01 100644 --- a/content/en/docs/concepts/overview/object-management-kubectl/overview.md +++ b/content/en/docs/concepts/overview/object-management-kubectl/overview.md @@ -7,7 +7,8 @@ weight: 10 {{% capture overview %}} The `kubectl` command-line tool supports several different ways to create and manage Kubernetes objects. This document provides an overview of the different -approaches. +approaches. Read the [Kubectl book](https://kubectl.docs.kubernetes.io) for +details of managing objects by Kubectl. {{% /capture %}} {{% capture body %}} 
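Review bot: In the new kustomization.md, the `{{% capture body %}}` block is never closed before `{{% capture whatsnext %}}`, and the `base/kustomization.yaml` here-document under "Bases and Overlays" has no closing `EOF`, so both the page template and the copy-paste example are broken as submitted. The expected output of the strategic merge example lists `limits:` directly under the container with no `resources:` key, which does not match the `set_memory.yaml` patch above it. In the feature table, `commonlabels` and `configmapGenerator` should be `commonLabels` and `configMapGenerator` as used in the examples, and "generatos" is a typo; likewise "get he Deployment", "Run`kubectl kustomize ./`" (missing space) and `password=secert`. The `kubectl kustomize`, `kubectl apply -k` and `kubectl apply -k /` commands are shown without a directory argument, so the placeholder seems to have been lost. Finally, the secretGenerator section should mention that the generated `data` values are only base64-encoded and that `literals` places the secret in `kustomization.yaml` in plain text.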
@@ -179,6 +180,7 @@ Disadvantages compared to imperative object configuration: - [Managing Kubernetes Objects Using Object Configuration (Imperative)](/docs/concepts/overview/object-management-kubectl/imperative-config/) - [Managing Kubernetes Objects Using Object Configuration (Declarative)](/docs/concepts/overview/object-management-kubectl/declarative-config/) - [Kubectl Command Reference](/docs/reference/generated/kubectl/kubectl-commands/) +- [Kubectl Book](https://kubectl.docs.kubernetes.io) - [Kubernetes API Reference](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/) {{< comment >}} diff --git a/content/en/docs/concepts/overview/working-with-objects/kubernetes-objects.md b/content/en/docs/concepts/overview/working-with-objects/kubernetes-objects.md index ae529e39bcfe7..f2688b8ee36aa 100644 --- a/content/en/docs/concepts/overview/working-with-objects/kubernetes-objects.md +++ b/content/en/docs/concepts/overview/working-with-objects/kubernetes-objects.md @@ -39,11 +39,11 @@ Here's an example `.yaml` file that shows the required fields and object spec fo {{< codenew file="application/deployment.yaml" >}} One way to create a Deployment using a `.yaml` file like the one above is to use the -[`kubectl create`](/docs/reference/generated/kubectl/kubectl-commands#create) command +[`kubectl apply`](/docs/reference/generated/kubectl/kubectl-commands#apply) command in the `kubectl` command-line interface, passing the `.yaml` file as an argument. Here's an example: ```shell -$ kubectl create -f https://k8s.io/examples/application/deployment.yaml --record +$ kubectl apply -f https://k8s.io/examples/application/deployment.yaml ``` The output is similar to this: diff --git a/content/en/docs/concepts/services-networking/connect-applications-service.md b/content/en/docs/concepts/services-networking/connect-applications-service.md index ae0160ad9fb3b..039a5e74d0e59 100644 --- a/content/en/docs/concepts/services-networking/connect-applications-service.md 
+++ b/content/en/docs/concepts/services-networking/connect-applications-service.md @@ -35,7 +35,7 @@ Create an nginx Pod, and note that it has a container port specification: This makes it accessible from any node in your cluster. Check the nodes the Pod is running on: ```shell -$ kubectl create -f ./run-my-nginx.yaml +$ kubectl apply -f ./run-my-nginx.yaml $ kubectl get pods -l run=my-nginx -o wide NAME READY STATUS RESTARTS AGE IP NODE my-nginx-3800858182-jr4a2 1/1 Running 0 13s 10.244.3.4 kubernetes-minion-905m @@ -67,7 +67,7 @@ $ kubectl expose deployment/my-nginx service/my-nginx exposed ``` -This is equivalent to `kubectl create -f` the following yaml: +This is equivalent to `kubectl apply -f` the following yaml: {{< codenew file="service/networking/nginx-svc.yaml" >}} @@ -211,7 +211,7 @@ You can acquire all these from the [nginx https example](https://github.com/kube ```shell $ make keys secret KEY=/tmp/nginx.key CERT=/tmp/nginx.crt SECRET=/tmp/secret.json -$ kubectl create -f /tmp/secret.json +$ kubectl apply -f /tmp/secret.json secret/nginxsecret created $ kubectl get secrets NAME TYPE DATA AGE @@ -242,7 +242,7 @@ data: Now create the secrets using the file: ```shell -$ kubectl create -f nginxsecrets.yaml +$ kubectl apply -f nginxsecrets.yaml $ kubectl get secrets NAME TYPE DATA AGE default-token-il9rc kubernetes.io/service-account-token 1 1d @@ -263,7 +263,7 @@ Noteworthy points about the nginx-secure-app manifest: This is setup *before* the nginx server is started. ```shell -$ kubectl delete deployments,svc my-nginx; kubectl create -f ./nginx-secure-app.yaml +$ kubectl delete deployments,svc my-nginx; kubectl apply -f ./nginx-secure-app.yaml ``` At this point you can reach the nginx server from any node. 
@@ -283,7 +283,7 @@ Let's test this from a pod (the same secret is being reused for simplicity, the {{< codenew file="service/networking/curlpod.yaml" >}} ```shell -$ kubectl create -f ./curlpod.yaml +$ kubectl apply -f ./curlpod.yaml $ kubectl get pods -l app=curlpod NAME READY STATUS RESTARTS AGE curl-deployment-1515033274-1410r 1/1 Running 0 1m diff --git a/content/en/docs/concepts/services-networking/ingress.md b/content/en/docs/concepts/services-networking/ingress.md index a29ff81515d19..5b8f57c03c271 100644 --- a/content/en/docs/concepts/services-networking/ingress.md +++ b/content/en/docs/concepts/services-networking/ingress.md @@ -170,7 +170,7 @@ There are existing Kubernetes concepts that allow you to expose a single Service {{< codenew file="service/networking/ingress.yaml" >}} -If you create it using `kubectl create -f` you should see: +If you create it using `kubectl apply -f` you should see: ```shell kubectl get ingress test-ingress @@ -224,7 +224,7 @@ spec: servicePort: 8080 ``` -When you create the ingress with `kubectl create -f`: +When you create the ingress with `kubectl apply -f`: ```shell kubectl describe ingress simple-fanout-example diff --git a/content/en/docs/concepts/workloads/controllers/daemonset.md b/content/en/docs/concepts/workloads/controllers/daemonset.md index 86448096ec293..cc2a440c37a8b 100644 --- a/content/en/docs/concepts/workloads/controllers/daemonset.md +++ b/content/en/docs/concepts/workloads/controllers/daemonset.md @@ -42,7 +42,7 @@ You can describe a DaemonSet in a YAML file. For example, the `daemonset.yaml` f * Create a DaemonSet based on the YAML file: ``` -kubectl create -f https://k8s.io/examples/controllers/daemonset.yaml +kubectl apply -f https://k8s.io/examples/controllers/daemonset.yaml ``` ### Required Fields diff --git a/content/en/docs/concepts/workloads/controllers/deployment.md b/content/en/docs/concepts/workloads/controllers/deployment.md index e3ed2574ccd93..8fac6baf6edfc 100644 
--- a/content/en/docs/concepts/workloads/controllers/deployment.md +++ b/content/en/docs/concepts/workloads/controllers/deployment.md @@ -74,7 +74,7 @@ In this example: To create this Deployment, run the following command: ```shell -kubectl create -f https://k8s.io/examples/controllers/nginx-deployment.yaml +kubectl apply -f https://k8s.io/examples/controllers/nginx-deployment.yaml ``` {{< note >}} @@ -429,7 +429,7 @@ First, check the revisions of this deployment: $ kubectl rollout history deployment.v1.apps/nginx-deployment deployments "nginx-deployment" REVISION CHANGE-CAUSE -1 kubectl create --filename=https://k8s.io/examples/controllers/nginx-deployment.yaml --record=true +1 kubectl apply --filename=https://k8s.io/examples/controllers/nginx-deployment.yaml --record=true 2 kubectl set image deployment.v1.apps/nginx-deployment nginx=nginx:1.9.1 --record=true 3 kubectl set image deployment.v1.apps/nginx-deployment nginx=nginx:1.91 --record=true ``` diff --git a/content/en/docs/concepts/workloads/controllers/garbage-collection.md b/content/en/docs/concepts/workloads/controllers/garbage-collection.md index a2b8517afaa62..4bbd2fb8a85ee 100644 --- a/content/en/docs/concepts/workloads/controllers/garbage-collection.md +++ b/content/en/docs/concepts/workloads/controllers/garbage-collection.md @@ -39,7 +39,7 @@ If you create the ReplicaSet and then view the Pod metadata, you can see OwnerReferences field: ```shell -kubectl create -f https://k8s.io/examples/controllers/replicaset.yaml +kubectl apply -f https://k8s.io/examples/controllers/replicaset.yaml kubectl get pods --output=yaml ``` diff --git a/content/en/docs/concepts/workloads/controllers/jobs-run-to-completion.md b/content/en/docs/concepts/workloads/controllers/jobs-run-to-completion.md index 214fe74b41a2b..9530554e96975 100644 --- a/content/en/docs/concepts/workloads/controllers/jobs-run-to-completion.md +++ b/content/en/docs/concepts/workloads/controllers/jobs-run-to-completion.md 
@@ -39,7 +39,7 @@ It takes around 10s to complete. Run the example job by downloading the example file and then running this command: ```shell -$ kubectl create -f https://k8s.io/examples/controllers/job.yaml +$ kubectl apply -f https://k8s.io/examples/controllers/job.yaml job "pi" created ``` diff --git a/content/en/docs/concepts/workloads/controllers/replicaset.md b/content/en/docs/concepts/workloads/controllers/replicaset.md index adeaadc469674..afc67e90e86e1 100644 --- a/content/en/docs/concepts/workloads/controllers/replicaset.md +++ b/content/en/docs/concepts/workloads/controllers/replicaset.md @@ -54,7 +54,7 @@ Saving this manifest into `frontend.yaml` and submitting it to a Kubernetes clus create the defined ReplicaSet and the Pods that it manages. ```shell -kubectl create -f http://k8s.io/examples/controllers/frontend.yaml +kubectl apply -f http://k8s.io/examples/controllers/frontend.yaml ``` You can then get the current ReplicaSets deployed: @@ -162,7 +162,7 @@ Suppose you create the Pods after the frontend ReplicaSet has been deployed and fulfill its replica count requirement: ```shell -kubectl create -f http://k8s.io/examples/pods/pod-rs.yaml +kubectl apply -f http://k8s.io/examples/pods/pod-rs.yaml ``` The new Pods will be acquired by the ReplicaSet, and then immediately terminated as the ReplicaSet would be over @@ -184,12 +184,12 @@ pod2 0/1 Terminating 0 4s If you create the Pods first: ```shell -kubectl create -f http://k8s.io/examples/pods/pod-rs.yaml +kubectl apply -f http://k8s.io/examples/pods/pod-rs.yaml ``` And then create the ReplicaSet however: ```shell -kubectl create -f http://k8s.io/examples/controllers/frontend.yaml +kubectl apply -f http://k8s.io/examples/controllers/frontend.yaml ``` You shall see that the ReplicaSet has acquired the Pods and has only created new ones according to its spec until the 
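Review bot: The three replicaset.md hunks above keep plain `http://k8s.io/examples/...` in every `kubectl apply -f` line they touch, while the other files in this patch use `https://k8s.io/examples/...`; since these lines are being rewritten anyway, please switch them to `https://` so the manifests applied to the cluster are not fetched over an unauthenticated channel. Separately, in the jobs-run-to-completion.md hunk on the same line, the sample output `job "pi" created` was left unchanged under the new `kubectl apply` command; it would be better to rerun the command and paste the actual output than to edit the command alone.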
@@ -304,7 +304,7 @@ create the defined HPA that autoscales the target ReplicaSet depending on the CP of the replicated Pods. ```shell -kubectl create -f https://k8s.io/examples/controllers/hpa-rs.yaml +kubectl apply -f https://k8s.io/examples/controllers/hpa-rs.yaml ``` Alternatively, you can use the `kubectl autoscale` command to accomplish the same diff --git a/content/en/docs/concepts/workloads/controllers/replicationcontroller.md b/content/en/docs/concepts/workloads/controllers/replicationcontroller.md index daf0dfd59a784..398599009fc24 100644 --- a/content/en/docs/concepts/workloads/controllers/replicationcontroller.md +++ b/content/en/docs/concepts/workloads/controllers/replicationcontroller.md @@ -55,7 +55,7 @@ This example ReplicationController config runs three copies of the nginx web ser Run the example job by downloading the example file and then running this command: ```shell -$ kubectl create -f https://k8s.io/examples/controllers/replication.yaml +$ kubectl apply -f https://k8s.io/examples/controllers/replication.yaml replicationcontroller/nginx created ``` diff --git a/content/en/docs/concepts/workloads/pods/init-containers.md b/content/en/docs/concepts/workloads/pods/init-containers.md index 6ee6dd45ce7aa..947d287f952ab 100644 --- a/content/en/docs/concepts/workloads/pods/init-containers.md +++ b/content/en/docs/concepts/workloads/pods/init-containers.md @@ -180,7 +180,7 @@ spec: This Pod can be started and debugged with the following commands: ```shell -$ kubectl create -f myapp.yaml +$ kubectl apply -f myapp.yaml pod/myapp-pod created $ kubectl get -f myapp.yaml NAME READY STATUS RESTARTS AGE @@ -226,7 +226,7 @@ Once we start the `mydb` and `myservice` services, we can see the Init Container complete and the `myapp-pod` is created: ```shell -$ kubectl create -f services.yaml +$ kubectl apply -f services.yaml service/myservice created service/mydb created $ kubectl get -f myapp.yaml 
diff --git a/content/en/docs/reference/access-authn-authz/rbac.md b/content/en/docs/reference/access-authn-authz/rbac.md index 0b99331e5d3ce..dcf48c3f0547f 100644 --- a/content/en/docs/reference/access-authn-authz/rbac.md +++ b/content/en/docs/reference/access-authn-authz/rbac.md @@ -26,7 +26,7 @@ To enable RBAC, start the apiserver with `--authorization-mode=RBAC`. The RBAC API declares four top-level types which will be covered in this section. Users can interact with these resources as they would with any other API resource (via `kubectl`, API calls, etc.). For instance, -`kubectl create -f (resource).yml` can be used with any of these examples, +`kubectl apply -f (resource).yml` can be used with any of these examples, though readers who wish to follow along should review the section on bootstrapping first. diff --git a/content/en/docs/reference/kubectl/cheatsheet.md b/content/en/docs/reference/kubectl/cheatsheet.md index d46e6336bd056..9720587c4f775 100644 --- a/content/en/docs/reference/kubectl/cheatsheet.md +++ b/content/en/docs/reference/kubectl/cheatsheet.md 
@@ -62,21 +62,24 @@ kubectl config set-context gce --user=cluster-admin --namespace=foo \ && kubectl config use-context gce ``` +## Apply +`apply` manages applications through files defining Kubernetes resources. It creates and updates resources in a cluster through running `kubectl apply`. This is the recommended way of managing Kubernetes applications on production. See [Kubectl Book](https://kubectl.docs.kubernetes.io). + ## Creating Objects Kubernetes manifests can be defined in json or yaml. The file extension `.yaml`, `.yml`, and `.json` can be used. ```bash -kubectl create -f ./my-manifest.yaml # create resource(s) -kubectl create -f ./my1.yaml -f ./my2.yaml # create from multiple files -kubectl create -f ./dir # create resource(s) in all manifest files in dir -kubectl create -f https://git.io/vPieo # create resource(s) from url +kubectl apply -f ./my-manifest.yaml # create resource(s) +kubectl apply -f ./my1.yaml -f ./my2.yaml # create from multiple files +kubectl apply -f ./dir # create resource(s) in all manifest files in dir +kubectl apply -f https://git.io/vPieo # create resource(s) from url kubectl create deployment nginx --image=nginx # start a single instance of nginx kubectl explain pods,svc # get the documentation for pod and svc manifests # Create multiple YAML objects from stdin -cat < directory. -$ kubectl create -f +$ kubectl apply -f ``` `kubectl get` - List one or more resources. diff --git a/content/en/docs/setup/independent/create-cluster-kubeadm.md b/content/en/docs/setup/independent/create-cluster-kubeadm.md index 2885be638abf0..debccd6482fb5 100644 --- a/content/en/docs/setup/independent/create-cluster-kubeadm.md +++ b/content/en/docs/setup/independent/create-cluster-kubeadm.md 
@@ -326,7 +326,7 @@ tls/deploy-certs.sh # Label kube-dns with fixed identity label kubectl label -n kube-system pod $(kubectl -n kube-system get pods -l k8s-app=kube-dns -o jsonpath='{range .items[]}{.metadata.name}{" "}{end}') io.cilium.fixed-identity=kube-dns -kubectl create -f ./ +kubectl apply -f ./ # Wait several minutes for Cilium, coredns and etcd pods to converge to a working state ``` diff --git a/content/en/docs/setup/multiple-zones.md b/content/en/docs/setup/multiple-zones.md index da31844a01b9a..7d4a20682e4d3 100644 --- a/content/en/docs/setup/multiple-zones.md +++ b/content/en/docs/setup/multiple-zones.md @@ -175,7 +175,7 @@ kubernetes-minion-wf8i Ready 2m v1.13.0 Create a volume using the dynamic volume creation (only PersistentVolumes are supported for zone affinity): ```json -kubectl create -f - <` with your scale target. Go to the directory that contains your configuration file, and enter this command to create the Deployment: - kubectl create -f dns-horizontal-autoscaler.yaml + kubectl apply -f dns-horizontal-autoscaler.yaml The output of a successful command is: diff --git a/content/en/docs/tasks/administer-cluster/ip-masq-agent.md b/content/en/docs/tasks/administer-cluster/ip-masq-agent.md index cd7c90ac75751..60d53a53cdad8 100644 --- a/content/en/docs/tasks/administer-cluster/ip-masq-agent.md +++ b/content/en/docs/tasks/administer-cluster/ip-masq-agent.md @@ -61,7 +61,7 @@ By default, in GCE/Google Kubernetes Engine starting with Kubernetes version 1.7 To create an ip-masq-agent, run the following kubectl command: ` -kubectl create -f https://raw.githubusercontent.com/kubernetes-incubator/ip-masq-agent/master/ip-masq-agent.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes-incubator/ip-masq-agent/master/ip-masq-agent.yaml ` You must also apply the appropriate node label to any nodes in your cluster that you want the agent to run on. 
diff --git a/content/en/docs/tasks/administer-cluster/manage-resources/cpu-constraint-namespace.md b/content/en/docs/tasks/administer-cluster/manage-resources/cpu-constraint-namespace.md index 249265300f13c..78693d4405410 100644 --- a/content/en/docs/tasks/administer-cluster/manage-resources/cpu-constraint-namespace.md +++ b/content/en/docs/tasks/administer-cluster/manage-resources/cpu-constraint-namespace.md @@ -45,7 +45,7 @@ Here's the configuration file for a LimitRange: Create the LimitRange: ```shell -kubectl create -f https://k8s.io/examples/admin/resource/cpu-constraints.yaml --namespace=constraints-cpu-example +kubectl apply -f https://k8s.io/examples/admin/resource/cpu-constraints.yaml --namespace=constraints-cpu-example ``` View detailed information about the LimitRange: @@ -96,7 +96,7 @@ minimum and maximum CPU constraints imposed by the LimitRange. Create the Pod: ```shell -kubectl create -f https://k8s.io/examples/admin/resource/cpu-constraints-pod.yaml --namespace=constraints-cpu-example +kubectl apply -f https://k8s.io/examples/admin/resource/cpu-constraints-pod.yaml --namespace=constraints-cpu-example ``` Verify that the Pod's Container is running: @@ -138,7 +138,7 @@ CPU request of 500 millicpu and a cpu limit of 1.5 cpu. Attempt to create the Pod: ```shell -kubectl create -f https://k8s.io/examples/admin/resource/cpu-constraints-pod-2.yaml --namespace=constraints-cpu-example +kubectl apply -f https://k8s.io/examples/admin/resource/cpu-constraints-pod-2.yaml --namespace=constraints-cpu-example ``` The output shows that the Pod does not get created, because the Container specifies a CPU limit that is 
@@ -159,7 +159,7 @@ CPU request of 100 millicpu and a CPU limit of 800 millicpu. Attempt to create the Pod: ```shell -kubectl create -f https://k8s.io/examples/admin/resource/cpu-constraints-pod-3.yaml --namespace=constraints-cpu-example +kubectl apply -f https://k8s.io/examples/admin/resource/cpu-constraints-pod-3.yaml --namespace=constraints-cpu-example ``` The output shows that the Pod does not get created, because the Container specifies a CPU @@ -180,7 +180,7 @@ specify a CPU request, and it does not specify a CPU limit. Create the Pod: ```shell -kubectl create -f https://k8s.io/examples/admin/resource/cpu-constraints-pod-4.yaml --namespace=constraints-cpu-example +kubectl apply -f https://k8s.io/examples/admin/resource/cpu-constraints-pod-4.yaml --namespace=constraints-cpu-example ``` View detailed information about the Pod: diff --git a/content/en/docs/tasks/administer-cluster/manage-resources/cpu-default-namespace.md b/content/en/docs/tasks/administer-cluster/manage-resources/cpu-default-namespace.md index 53edcd7f25c36..df5ec46de5298 100644 --- a/content/en/docs/tasks/administer-cluster/manage-resources/cpu-default-namespace.md +++ b/content/en/docs/tasks/administer-cluster/manage-resources/cpu-default-namespace.md @@ -40,7 +40,7 @@ a default CPU request and a default CPU limit. Create the LimitRange in the default-cpu-example namespace: ```shell -kubectl create -f https://k8s.io/examples/admin/resource/cpu-defaults.yaml --namespace=default-cpu-example +kubectl apply -f https://k8s.io/examples/admin/resource/cpu-defaults.yaml --namespace=default-cpu-example ``` Now if a Container is created in the default-cpu-example namespace, and the 
@@ -56,7 +56,7 @@ does not specify a CPU request and limit. Create the Pod. ```shell -kubectl create -f https://k8s.io/examples/admin/resource/cpu-defaults-pod.yaml --namespace=default-cpu-example +kubectl apply -f https://k8s.io/examples/admin/resource/cpu-defaults-pod.yaml --namespace=default-cpu-example ``` View the Pod's specification: @@ -91,7 +91,7 @@ Create the Pod: ```shell -kubectl create -f https://k8s.io/examples/admin/resource/cpu-defaults-pod-2.yaml --namespace=default-cpu-example +kubectl apply -f https://k8s.io/examples/admin/resource/cpu-defaults-pod-2.yaml --namespace=default-cpu-example ``` View the Pod specification: @@ -121,7 +121,7 @@ specifies a CPU request, but not a limit: Create the Pod: ```shell -kubectl create -f https://k8s.io/examples/admin/resource/cpu-defaults-pod-3.yaml --namespace=default-cpu-example +kubectl apply -f https://k8s.io/examples/admin/resource/cpu-defaults-pod-3.yaml --namespace=default-cpu-example ``` View the Pod specification: diff --git a/content/en/docs/tasks/administer-cluster/manage-resources/memory-constraint-namespace.md b/content/en/docs/tasks/administer-cluster/manage-resources/memory-constraint-namespace.md index aca790e87ac5f..e6a6e1c2b0d39 100644 --- a/content/en/docs/tasks/administer-cluster/manage-resources/memory-constraint-namespace.md +++ b/content/en/docs/tasks/administer-cluster/manage-resources/memory-constraint-namespace.md @@ -45,7 +45,7 @@ Here's the configuration file for a LimitRange: Create the LimitRange: ```shell -kubectl create -f https://k8s.io/examples/admin/resource/memory-constraints.yaml --namespace=constraints-mem-example +kubectl apply -f https://k8s.io/examples/admin/resource/memory-constraints.yaml --namespace=constraints-mem-example ``` View detailed information about the LimitRange: 
@@ -90,7 +90,7 @@ minimum and maximum memory constraints imposed by the LimitRange. Create the Pod: ```shell -kubectl create -f https://k8s.io/examples/admin/resource/memory-constraints-pod.yaml --namespace=constraints-mem-example +kubectl apply -f https://k8s.io/examples/admin/resource/memory-constraints-pod.yaml --namespace=constraints-mem-example ``` Verify that the Pod's Container is running: @@ -132,7 +132,7 @@ memory request of 800 MiB and a memory limit of 1.5 GiB. Attempt to create the Pod: ```shell -kubectl create -f https://k8s.io/examples/admin/resource/memory-constraints-pod-2.yaml --namespace=constraints-mem-example +kubectl apply -f https://k8s.io/examples/admin/resource/memory-constraints-pod-2.yaml --namespace=constraints-mem-example ``` The output shows that the Pod does not get created, because the Container specifies a memory limit that is @@ -153,7 +153,7 @@ memory request of 100 MiB and a memory limit of 800 MiB. Attempt to create the Pod: ```shell -kubectl create -f https://k8s.io/examples/admin/resource/memory-constraints-pod-3.yaml --namespace=constraints-mem-example +kubectl apply -f https://k8s.io/examples/admin/resource/memory-constraints-pod-3.yaml --namespace=constraints-mem-example ``` The output shows that the Pod does not get created, because the Container specifies a memory @@ -176,7 +176,7 @@ specify a memory request, and it does not specify a memory limit. Create the Pod: ```shell -kubectl create -f https://k8s.io/examples/admin/resource/memory-constraints-pod-4.yaml --namespace=constraints-mem-example +kubectl apply -f https://k8s.io/examples/admin/resource/memory-constraints-pod-4.yaml --namespace=constraints-mem-example ``` View detailed information about the Pod: diff --git a/content/en/docs/tasks/administer-cluster/manage-resources/memory-default-namespace.md b/content/en/docs/tasks/administer-cluster/manage-resources/memory-default-namespace.md index 94f07c040c6eb..197d61171734e 100644 
--- a/content/en/docs/tasks/administer-cluster/manage-resources/memory-default-namespace.md +++ b/content/en/docs/tasks/administer-cluster/manage-resources/memory-default-namespace.md @@ -42,7 +42,7 @@ a default memory request and a default memory limit. Create the LimitRange in the default-mem-example namespace: ```shell -kubectl create -f https://k8s.io/examples/admin/resource/memory-defaults.yaml --namespace=default-mem-example +kubectl apply -f https://k8s.io/examples/admin/resource/memory-defaults.yaml --namespace=default-mem-example ``` Now if a Container is created in the default-mem-example namespace, and the @@ -58,7 +58,7 @@ does not specify a memory request and limit. Create the Pod. ```shell -kubectl create -f https://k8s.io/examples/admin/resource/memory-defaults-pod.yaml --namespace=default-mem-example +kubectl apply -f https://k8s.io/examples/admin/resource/memory-defaults-pod.yaml --namespace=default-mem-example ``` View detailed information about the Pod: @@ -99,7 +99,7 @@ Create the Pod: ```shell -kubectl create -f https://k8s.io/examples/admin/resource/memory-defaults-pod-2.yaml --namespace=default-mem-example +kubectl apply -f https://k8s.io/examples/admin/resource/memory-defaults-pod-2.yaml --namespace=default-mem-example ``` View detailed information about the Pod: @@ -129,7 +129,7 @@ specifies a memory request, but not a limit: Create the Pod: ```shell -kubectl create -f https://k8s.io/examples/admin/resource/memory-defaults-pod-3.yaml --namespace=default-mem-example +kubectl apply -f https://k8s.io/examples/admin/resource/memory-defaults-pod-3.yaml --namespace=default-mem-example ``` View the Pod's specification: diff --git a/content/en/docs/tasks/administer-cluster/manage-resources/quota-memory-cpu-namespace.md b/content/en/docs/tasks/administer-cluster/manage-resources/quota-memory-cpu-namespace.md index 4bdc646742f54..9558766410663 100644 --- a/content/en/docs/tasks/administer-cluster/manage-resources/quota-memory-cpu-namespace.md 
+++ b/content/en/docs/tasks/administer-cluster/manage-resources/quota-memory-cpu-namespace.md @@ -44,7 +44,7 @@ Here is the configuration file for a ResourceQuota object: Create the ResourceQuota: ```shell -kubectl create -f https://k8s.io/examples/admin/resource/quota-mem-cpu.yaml --namespace=quota-mem-cpu-example +kubectl apply -f https://k8s.io/examples/admin/resource/quota-mem-cpu.yaml --namespace=quota-mem-cpu-example ``` View detailed information about the ResourceQuota: @@ -71,7 +71,7 @@ Here is the configuration file for a Pod: Create the Pod: ```shell -kubectl create -f https://k8s.io/examples/admin/resource/quota-mem-cpu-pod.yaml --namespace=quota-mem-cpu-example +kubectl apply -f https://k8s.io/examples/admin/resource/quota-mem-cpu-pod.yaml --namespace=quota-mem-cpu-example ``` Verify that the Pod's Container is running: @@ -117,7 +117,7 @@ request exceeds the memory request quota. 600 MiB + 700 MiB > 1 GiB. Attempt to create the Pod: ```shell -kubectl create -f https://k8s.io/examples/admin/resource/quota-mem-cpu-pod-2.yaml --namespace=quota-mem-cpu-example +kubectl apply -f https://k8s.io/examples/admin/resource/quota-mem-cpu-pod-2.yaml --namespace=quota-mem-cpu-example ``` The second Pod does not get created. The output shows that creating the second Pod diff --git a/content/en/docs/tasks/administer-cluster/manage-resources/quota-pod-namespace.md b/content/en/docs/tasks/administer-cluster/manage-resources/quota-pod-namespace.md index 1cad0ee7bd5dc..31cac82cf1016 100644 --- a/content/en/docs/tasks/administer-cluster/manage-resources/quota-pod-namespace.md +++ b/content/en/docs/tasks/administer-cluster/manage-resources/quota-pod-namespace.md 
@@ -42,7 +42,7 @@ Here is the configuration file for a ResourceQuota object: Create the ResourceQuota: ```shell -kubectl create -f https://k8s.io/examples/admin/resource/quota-pod.yaml --namespace=quota-pod-example +kubectl apply -f https://k8s.io/examples/admin/resource/quota-pod.yaml --namespace=quota-pod-example ``` View detailed information about the ResourceQuota: @@ -74,7 +74,7 @@ In the configuration file, `replicas: 3` tells Kubernetes to attempt to create t Create the Deployment: ```shell -kubectl create -f https://k8s.io/examples/admin/resource/quota-pod-deployment.yaml --namespace=quota-pod-example +kubectl apply -f https://k8s.io/examples/admin/resource/quota-pod-deployment.yaml --namespace=quota-pod-example ``` View detailed information about the Deployment: diff --git a/content/en/docs/tasks/administer-cluster/namespaces-walkthrough.md b/content/en/docs/tasks/administer-cluster/namespaces-walkthrough.md index 4cd6eba7461c2..3dfa5b2a1328c 100644 --- a/content/en/docs/tasks/administer-cluster/namespaces-walkthrough.md +++ b/content/en/docs/tasks/administer-cluster/namespaces-walkthrough.md @@ -73,7 +73,7 @@ Use the file [`namespace-dev.json`](/examples/admin/namespace-dev.json) which de Create the development namespace using kubectl. ```shell -$ kubectl create -f https://k8s.io/examples/admin/namespace-dev.json +$ kubectl apply -f https://k8s.io/examples/admin/namespace-dev.json ``` Save the following contents into file [`namespace-prod.json`](/examples/admin/namespace-prod.json) which describes a production namespace: @@ -83,7 +83,7 @@ Save the following contents into file [`namespace-prod.json`](/examples/admin/na And then let's create the production namespace using kubectl. ```shell -$ kubectl create -f https://k8s.io/examples/admin/namespace-prod.json +$ kubectl apply -f https://k8s.io/examples/admin/namespace-prod.json ``` To be sure things are right, let's list all of the namespaces in our cluster. 
diff --git a/content/en/docs/tasks/administer-cluster/namespaces.md b/content/en/docs/tasks/administer-cluster/namespaces.md index ce1ebbce3df85..b369a0f0ab15d 100644 --- a/content/en/docs/tasks/administer-cluster/namespaces.md +++ b/content/en/docs/tasks/administer-cluster/namespaces.md @@ -89,7 +89,7 @@ metadata: Then run: ```shell -$ kubectl create -f ./my-namespace.yaml +$ kubectl apply -f ./my-namespace.yaml ``` Note that the name of your namespace must be a DNS compatible label. @@ -151,13 +151,13 @@ Use the file [`namespace-dev.json`](/examples/admin/namespace-dev.json) which de Create the development namespace using kubectl. ```shell -$ kubectl create -f https://k8s.io/examples/admin/namespace-dev.json +$ kubectl apply -f https://k8s.io/examples/admin/namespace-dev.json ``` And then let's create the production namespace using kubectl. ```shell -$ kubectl create -f https://k8s.io/examples/admin/namespace-prod.json +$ kubectl apply -f https://k8s.io/examples/admin/namespace-prod.json ``` To be sure things are right, list all of the namespaces in our cluster. diff --git a/content/en/docs/tasks/administer-cluster/network-policy-provider/cilium-network-policy.md b/content/en/docs/tasks/administer-cluster/network-policy-provider/cilium-network-policy.md index ed3fd0f7157c8..bfdd7410d5b88 100644 --- a/content/en/docs/tasks/administer-cluster/network-policy-provider/cilium-network-policy.md +++ b/content/en/docs/tasks/administer-cluster/network-policy-provider/cilium-network-policy.md @@ -30,7 +30,7 @@ As Cilium requires a standalone etcd instance, for minikube you can deploy it by running: ```shell -kubectl create -n kube-system -f https://raw.githubusercontent.com/cilium/cilium/v1.3/examples/kubernetes/addons/etcd/standalone-etcd.yaml +kubectl apply -n kube-system -f https://raw.githubusercontent.com/cilium/cilium/v1.3/examples/kubernetes/addons/etcd/standalone-etcd.yaml ``` After etcd is up and running you can deploy Cilium Kubernetes descriptor which 
@@ -39,7 +39,7 @@ Cilium, to connect to the etcd instance previously deployed as well as appropriate RBAC settings: ```shell -$ kubectl create -f https://raw.githubusercontent.com/cilium/cilium/v1.3/examples/kubernetes/1.12/cilium.yaml +$ kubectl apply -f https://raw.githubusercontent.com/cilium/cilium/v1.3/examples/kubernetes/1.12/cilium.yaml configmap/cilium-config created daemonset.apps/cilium created clusterrolebinding.rbac.authorization.k8s.io/cilium created diff --git a/content/en/docs/tasks/administer-cluster/quota-api-object.md b/content/en/docs/tasks/administer-cluster/quota-api-object.md index 971a4901eb0e9..c6cff9076901e 100644 --- a/content/en/docs/tasks/administer-cluster/quota-api-object.md +++ b/content/en/docs/tasks/administer-cluster/quota-api-object.md @@ -43,7 +43,7 @@ Here is the configuration file for a ResourceQuota object: Create the ResourceQuota: ```shell -kubectl create -f https://k8s.io/examples/admin/resource/quota-objects.yaml --namespace=quota-object-example +kubectl apply -f https://k8s.io/examples/admin/resource/quota-objects.yaml --namespace=quota-object-example ``` View detailed information about the ResourceQuota: @@ -77,7 +77,7 @@ Here is the configuration file for a PersistentVolumeClaim object: Create the PersistentVolumeClaim: ```shell -kubectl create -f https://k8s.io/examples/admin/resource/quota-objects-pvc.yaml --namespace=quota-object-example +kubectl apply -f https://k8s.io/examples/admin/resource/quota-objects-pvc.yaml --namespace=quota-object-example ``` Verify that the PersistentVolumeClaim was created: 
@@ -102,7 +102,7 @@ Here is the configuration file for a second PersistentVolumeClaim: Attempt to create the second PersistentVolumeClaim: ```shell -kubectl create -f https://k8s.io/examples/admin/resource/quota-objects-pvc-2.yaml --namespace=quota-object-example +kubectl apply -f https://k8s.io/examples/admin/resource/quota-objects-pvc-2.yaml --namespace=quota-object-example ``` The output shows that the second PersistentVolumeClaim was not created, diff --git a/content/en/docs/tasks/configure-pod-container/assign-cpu-resource.md b/content/en/docs/tasks/configure-pod-container/assign-cpu-resource.md index 516e33d1ed331..2f2008c7a97a3 100644 --- a/content/en/docs/tasks/configure-pod-container/assign-cpu-resource.md +++ b/content/en/docs/tasks/configure-pod-container/assign-cpu-resource.md @@ -77,7 +77,7 @@ The `-cpus "2"` argument tells the Container to attempt to use 2 CPUs. Create the Pod: ```shell -kubectl create -f https://k8s.io/examples/pods/resource/cpu-request-limit.yaml --namespace=cpu-example +kubectl apply -f https://k8s.io/examples/pods/resource/cpu-request-limit.yaml --namespace=cpu-example ``` Verify that the Pod Container is running: @@ -168,7 +168,7 @@ capacity of any Node in your cluster. Create the Pod: ```shell -kubectl create -f https://k8s.io/examples/pods/resource/cpu-request-limit-2.yaml --namespace=cpu-example +kubectl apply -f https://k8s.io/examples/pods/resource/cpu-request-limit-2.yaml --namespace=cpu-example ``` View the Pod status: diff --git a/content/en/docs/tasks/configure-pod-container/assign-memory-resource.md b/content/en/docs/tasks/configure-pod-container/assign-memory-resource.md index fd8e610a212f9..85aaf9d3a5ab6 100644 --- a/content/en/docs/tasks/configure-pod-container/assign-memory-resource.md +++ b/content/en/docs/tasks/configure-pod-container/assign-memory-resource.md 
@@ -76,7 +76,7 @@ The `"--vm-bytes", "150M"` arguments tell the Container to attempt to allocate 1 Create the Pod: ```shell -kubectl create -f https://k8s.io/examples/pods/resource/memory-request-limit.yaml --namespace=mem-example +kubectl apply -f https://k8s.io/examples/pods/resource/memory-request-limit.yaml --namespace=mem-example ``` Verify that the Pod Container is running: @@ -146,7 +146,7 @@ will attempt to allocate 250 MiB of memory, which is well above the 100 MiB limi Create the Pod: ```shell -kubectl create -f https://k8s.io/examples/pods/resource/memory-request-limit-2.yaml --namespace=mem-example +kubectl apply -f https://k8s.io/examples/pods/resource/memory-request-limit-2.yaml --namespace=mem-example ``` View detailed information about the Pod: @@ -252,7 +252,7 @@ of any Node in your cluster. Create the Pod: ```shell -kubectl create -f https://k8s.io/examples/pods/resource/memory-request-limit-3.yaml --namespace=mem-example +kubectl apply -f https://k8s.io/examples/pods/resource/memory-request-limit-3.yaml --namespace=mem-example ``` View the Pod status: diff --git a/content/en/docs/tasks/configure-pod-container/assign-pods-nodes.md b/content/en/docs/tasks/configure-pod-container/assign-pods-nodes.md index 7b7c912123b78..21e08c5accf56 100644 --- a/content/en/docs/tasks/configure-pod-container/assign-pods-nodes.md +++ b/content/en/docs/tasks/configure-pod-container/assign-pods-nodes.md @@ -71,7 +71,7 @@ a `disktype=ssd` label. chosen node: ```shell - kubectl create -f https://k8s.io/examples/pods/pod-nginx.yaml + kubectl apply -f https://k8s.io/examples/pods/pod-nginx.yaml ``` 1. Verify that the pod is running on your chosen node: diff --git a/content/en/docs/tasks/configure-pod-container/attach-handler-lifecycle-event.md b/content/en/docs/tasks/configure-pod-container/attach-handler-lifecycle-event.md index 3c461a2ecbd86..67aedfafca051 100644 --- a/content/en/docs/tasks/configure-pod-container/attach-handler-lifecycle-event.md 
+++ b/content/en/docs/tasks/configure-pod-container/attach-handler-lifecycle-event.md @@ -38,7 +38,7 @@ nginx gracefully. This is helpful if the Container is being terminated because o Create the Pod: - kubectl create -f https://k8s.io/examples/pods/lifecycle-events.yaml + kubectl apply -f https://k8s.io/examples/pods/lifecycle-events.yaml Verify that the Container in the Pod is running: diff --git a/content/en/docs/tasks/configure-pod-container/configure-liveness-readiness-probes.md b/content/en/docs/tasks/configure-pod-container/configure-liveness-readiness-probes.md index 36c4f758ac070..f2ba952f7b02d 100644 --- a/content/en/docs/tasks/configure-pod-container/configure-liveness-readiness-probes.md +++ b/content/en/docs/tasks/configure-pod-container/configure-liveness-readiness-probes.md @@ -62,7 +62,7 @@ code. After 30 seconds, `cat /tmp/healthy` returns a failure code. Create the Pod: ```shell -kubectl create -f https://k8s.io/examples/pods/probe/exec-liveness.yaml +kubectl apply -f https://k8s.io/examples/pods/probe/exec-liveness.yaml ``` Within 30 seconds, view the Pod events: @@ -163,7 +163,7 @@ checks will fail, and the kubelet will kill and restart the Container. To try the HTTP liveness check, create a Pod: ```shell -kubectl create -f https://k8s.io/examples/pods/probe/http-liveness.yaml +kubectl apply -f https://k8s.io/examples/pods/probe/http-liveness.yaml ``` After 10 seconds, view Pod events to verify that liveness probes have failed and @@ -204,7 +204,7 @@ will be restarted. To try the TCP liveness check, create a Pod: ```shell -kubectl create -f https://k8s.io/examples/pods/probe/tcp-liveness-readiness.yaml +kubectl apply -f https://k8s.io/examples/pods/probe/tcp-liveness-readiness.yaml ``` After 15 seconds, view Pod events to verify that liveness probes: 
diff --git a/content/en/docs/tasks/configure-pod-container/configure-persistent-volume-storage.md b/content/en/docs/tasks/configure-pod-container/configure-persistent-volume-storage.md index cc3f7a3fde61c..d51327390a47b 100644 --- a/content/en/docs/tasks/configure-pod-container/configure-persistent-volume-storage.md +++ b/content/en/docs/tasks/configure-pod-container/configure-persistent-volume-storage.md @@ -73,7 +73,7 @@ PersistentVolumeClaim requests to this PersistentVolume. Create the PersistentVolume: - kubectl create -f https://k8s.io/examples/pods/storage/pv-volume.yaml + kubectl apply -f https://k8s.io/examples/pods/storage/pv-volume.yaml View information about the PersistentVolume: @@ -98,7 +98,7 @@ Here is the configuration file for the PersistentVolumeClaim: Create the PersistentVolumeClaim: - kubectl create -f https://k8s.io/examples/pods/storage/pv-claim.yaml + kubectl apply -f https://k8s.io/examples/pods/storage/pv-claim.yaml After you create the PersistentVolumeClaim, the Kubernetes control plane looks for a PersistentVolume that satisfies the claim's requirements. If the control @@ -138,7 +138,7 @@ is a volume. Create the Pod: - kubectl create -f https://k8s.io/examples/pods/storage/pv-pod.yaml + kubectl apply -f https://k8s.io/examples/pods/storage/pv-pod.yaml Verify that the Container in the Pod is running; diff --git a/content/en/docs/tasks/configure-pod-container/configure-pod-configmap.md b/content/en/docs/tasks/configure-pod-container/configure-pod-configmap.md index a34de6eb45bcb..636152826239d 100644 --- a/content/en/docs/tasks/configure-pod-container/configure-pod-configmap.md +++ b/content/en/docs/tasks/configure-pod-container/configure-pod-configmap.md 
@@ -18,7 +18,10 @@ ConfigMaps allow you to decouple configuration artifacts from image content to k {{% capture steps %}} -## Create a ConfigMap +## Create a ConfigMap +You can use either `kubectl create configmap` or a ConfigMap generator in `kustomization.yaml` to create a ConfigMap. Note that `kubectl` starts to support `kustomization.yaml` since 1.14. + +### Create a ConfigMap Using kubectl create configmap Use the `kubectl create configmap` command to create configmaps from [directories](#create-configmaps-from-directories), [files](#create-configmaps-from-files), or [literal values](#create-configmaps-from-literal-values): @@ -37,7 +40,7 @@ You can use [`kubectl describe`](/docs/reference/generated/kubectl/kubectl-comma [`kubectl get`](/docs/reference/generated/kubectl/kubectl-commands/#get) to retrieve information about a ConfigMap. -### Create ConfigMaps from directories +#### Create ConfigMaps from directories You can use `kubectl create configmap` to create a ConfigMap from multiple files in the same directory. @@ -105,7 +108,7 @@ metadata: uid: b4952dc3-d670-11e5-8cd0-68f728db1985 ``` -### Create ConfigMaps from files +#### Create ConfigMaps from files You can use `kubectl create configmap` to create a ConfigMap from an individual file, or from multiple files. @@ -263,7 +266,7 @@ metadata: uid: 05f8da22-d671-11e5-8cd0-68f728db1985 ``` -### Create ConfigMaps from literal values +#### Create ConfigMaps from literal values You can use `kubectl create configmap` with the `--from-literal` argument to define a literal value from the command line: 
@@ -292,6 +295,101 @@ metadata: uid: dadce046-d673-11e5-8cd0-68f728db1985 ``` +### Create a ConfigMap from generator +`kubectl` supports `kustomization.yaml` since 1.14. +You can also create a ConfigMap from generators and then apply it to create the object on +the Apiserver. The generators +should be specified in a `kustomization.yaml` inside a directory. + +#### Generate ConfigMaps from files +For example, to generate a ConfigMap from files `configure-pod-container/configmap/kubectl/game.properties` +```shell +# Create a kustomization.yaml file with ConfigMapGenerator +cat <./kustomization.yaml +configMapGenerator: +- name: game-config-4 + files: + - configure-pod-container/configmap/kubectl/game.properties +EOF +``` + +Apply the kustomization directory to create the ConfigMap object. +```shell +kubectl apply -k . +configmap/game-config-4-m9dm2f92bt created +``` + +You can check that the ConfigMap was created like this: + +```shell +kubectl get configmap +NAME DATA AGE +game-config-4-m9dm2f92bt 1 37s + + +kubectl describe configmaps/game-config-4-m9dm2f92bt +Name: game-config-4-m9dm2f92bt +Namespace: default +Labels: +Annotations: kubectl.kubernetes.io/last-applied-configuration: + {"apiVersion":"v1","data":{"game.properties":"enemies=aliens\nlives=3\nenemies.cheat=true\nenemies.cheat.level=noGoodRotten\nsecret.code.p... + +Data +==== +game.properties: +---- +enemies=aliens +lives=3 +enemies.cheat=true +enemies.cheat.level=noGoodRotten +secret.code.passphrase=UUDDLRLRBABAS +secret.code.allowed=true +secret.code.lives=30 +Events: +``` + +Note that the generated ConfigMap name has a suffix appended by hashing the contents. This ensures that a +new ConfigMap is generated each time the content is modified. + +#### Define the key to use when generating a ConfigMap from a file +You can define a key other than the file name to use in the ConfigMap generator. 
+For example, to generate a ConfigMap from files `configure-pod-container/configmap/kubectl/game.properties` +with the key `game-special-key` + +```shell +# Create a kustomization.yaml file with ConfigMapGenerator +cat <./kustomization.yaml +configMapGenerator: +- name: game-config-5 + files: + - game-special-key=configure-pod-container/configmap/kubectl/game.properties +EOF +``` + +Apply the kustomization directory to create the ConfigMap object. +```shell +kubectl apply -k . +configmap/game-config-5-m67dt67794 created +``` + +#### Generate ConfigMaps from Literals +To generate a ConfigMap from literals `special.type=charm` and `special.how=very`, +you can specify the ConfigMap generator in `kusotmization.yaml` as +```shell +# Create a kustomization.yaml file with ConfigMapGenerator +cat <./kustomization.yaml +configMapGenerator: +- name: special-config-2 + literals: + - special.how=very + - special.type=charm +EOF +``` +Apply the kustomization directory to create the ConfigMap object. +```shell +kubectl apply -k . +configmap/special-config-2-c92b5mmcf2 created +``` ## Define container environment variables using ConfigMap data diff --git a/content/en/docs/tasks/configure-pod-container/configure-pod-initialization.md b/content/en/docs/tasks/configure-pod-container/configure-pod-initialization.md index 6ab76afd09f8e..a418a8d7c0bc6 100644 --- a/content/en/docs/tasks/configure-pod-container/configure-pod-initialization.md +++ b/content/en/docs/tasks/configure-pod-container/configure-pod-initialization.md @@ -43,7 +43,7 @@ of the nginx server. Create the Pod: - kubectl create -f https://k8s.io/examples/pods/init-containers.yaml + kubectl apply -f https://k8s.io/examples/pods/init-containers.yaml Verify that the nginx container is running: diff --git a/content/en/docs/tasks/configure-pod-container/configure-projected-volume-storage.md b/content/en/docs/tasks/configure-pod-container/configure-projected-volume-storage.md index 122f3e0beb49d..cb7e2957e3eac 100644 
--- a/content/en/docs/tasks/configure-pod-container/configure-projected-volume-storage.md +++ b/content/en/docs/tasks/configure-pod-container/configure-projected-volume-storage.md @@ -42,7 +42,7 @@ Here is the configuration file for the Pod: ``` 1. Create the Pod: ```shell - kubectl create -f https://k8s.io/examples/pods/storage/projected.yaml + kubectl apply -f https://k8s.io/examples/pods/storage/projected.yaml ``` 1. Verify that the Pod's Container is running, and then watch for changes to the Pod: diff --git a/content/en/docs/tasks/configure-pod-container/configure-service-account.md b/content/en/docs/tasks/configure-pod-container/configure-service-account.md index 1777b5e41a5b9..c89c0219fa59a 100644 --- a/content/en/docs/tasks/configure-pod-container/configure-service-account.md +++ b/content/en/docs/tasks/configure-pod-container/configure-service-account.md @@ -92,7 +92,7 @@ default 1 1d You can create additional ServiceAccount objects like this: ```shell -kubectl create -f - <`. + `kubectl`, run `kompose convert` and then `kubectl apply -f `. ```bash $ kompose convert @@ -148,7 +148,7 @@ you need is an existing `docker-compose.yml` file. ``` ```bash - $ kubectl create -f frontend-service.yaml,redis-master-service.yaml,redis-slave-service.yaml,frontend-deployment.yaml,redis-master-deployment.yaml,redis-slave-deployment.yaml + $ kubectl apply -f frontend-service.yaml,redis-master-service.yaml,redis-slave-service.yaml,frontend-deployment.yaml,redis-master-deployment.yaml,redis-slave-deployment.yaml service/frontend created service/redis-master created service/redis-slave created 
@@ -309,7 +309,7 @@ Kompose supports a straightforward way to deploy your "composed" application to ```sh $ kompose --file ./examples/docker-guestbook.yml up We are going to create Kubernetes deployments and services for your Dockerized application. -If you need different kind of resources, use the 'kompose convert' and 'kubectl create -f' commands instead. +If you need different kind of resources, use the 'kompose convert' and 'kubectl apply -f' commands instead. INFO Successfully created service: redis-master INFO Successfully created service: redis-slave @@ -341,7 +341,7 @@ pod/redis-slave-2504961300-nve7b 1/1 Running 0 4m **Note**: - You must have a running Kubernetes cluster with a pre-configured kubectl context. -- Only deployments and services are generated and deployed to Kubernetes. If you need different kind of resources, use the `kompose convert` and `kubectl create -f` commands instead. +- Only deployments and services are generated and deployed to Kubernetes. If you need different kind of resources, use the `kompose convert` and `kubectl apply -f` commands instead. ### OpenShift ```sh @@ -426,7 +426,7 @@ INFO Image 'docker.io/foo/bar' from directory 'build' built successfully INFO Pushing image 'foo/bar:latest' to registry 'docker.io' INFO Attempting authentication credentials 'https://index.docker.io/v1/ INFO Successfully pushed image 'foo/bar:latest' to registry 'docker.io' -INFO We are going to create Kubernetes Deployments, Services and PersistentVolumeClaims for your Dockerized application. If you need different kind of resources, use the 'kompose convert' and 'kubectl create -f' commands instead. +INFO We are going to create Kubernetes Deployments, Services and PersistentVolumeClaims for your Dockerized application. If you need different kind of resources, use the 'kompose convert' and 'kubectl apply -f' commands instead. INFO Deploying application in "default" namespace INFO Successfully created Service: foo 
diff --git a/content/en/docs/tasks/debug-application-cluster/debug-application-introspection.md b/content/en/docs/tasks/debug-application-cluster/debug-application-introspection.md index 4eb7266466acd..2ae12d2d48f97 100644 --- a/content/en/docs/tasks/debug-application-cluster/debug-application-introspection.md +++ b/content/en/docs/tasks/debug-application-cluster/debug-application-introspection.md @@ -26,7 +26,7 @@ For this example we'll use a Deployment to create two pods, similar to the earli Create deployment by running following command: ```shell -kubectl create -f https://k8s.io/examples/application/nginx-with-request.yaml +kubectl apply -f https://k8s.io/examples/application/nginx-with-request.yaml ``` ```none diff --git a/content/en/docs/tasks/debug-application-cluster/debug-application.md b/content/en/docs/tasks/debug-application-cluster/debug-application.md index 94adc0578c8eb..6b44ceb55cead 100644 --- a/content/en/docs/tasks/debug-application-cluster/debug-application.md +++ b/content/en/docs/tasks/debug-application-cluster/debug-application.md @@ -107,7 +107,7 @@ For example, if you misspelled `command` as `commnd` then the pod will be create will not use the command line you intended it to use. The first thing to do is to delete your pod and try creating it again with the `--validate` option. -For example, run `kubectl create --validate -f mypod.yaml`. +For example, run `kubectl apply --validate -f mypod.yaml`. If you misspelled `command` as `commnd` then will give an error like this: ```shell diff --git a/content/en/docs/tasks/debug-application-cluster/determine-reason-pod-failure.md b/content/en/docs/tasks/debug-application-cluster/determine-reason-pod-failure.md index b684ef2ddfff9..1353420d63d7d 100644 --- a/content/en/docs/tasks/debug-application-cluster/determine-reason-pod-failure.md +++ b/content/en/docs/tasks/debug-application-cluster/determine-reason-pod-failure.md 
@@ -38,7 +38,7 @@ the container starts. 1. Create a Pod based on the YAML configuration file: - kubectl create -f https://k8s.io/examples/debug/termination.yaml + kubectl apply -f https://k8s.io/examples/debug/termination.yaml In the YAML file, in the `cmd` and `args` fields, you can see that the container sleeps for 10 seconds and then writes "Sleep expired" to diff --git a/content/en/docs/tasks/debug-application-cluster/events-stackdriver.md b/content/en/docs/tasks/debug-application-cluster/events-stackdriver.md index 9f81b3ee900a6..e3e9150f330f4 100644 --- a/content/en/docs/tasks/debug-application-cluster/events-stackdriver.md +++ b/content/en/docs/tasks/debug-application-cluster/events-stackdriver.md @@ -59,7 +59,7 @@ average, approximately 100Mb RAM and 100m CPU is needed. Deploy event exporter to your cluster using the following command: ```shell -kubectl create -f https://k8s.io/examples/debug/event-exporter.yaml +kubectl apply -f https://k8s.io/examples/debug/event-exporter.yaml ``` Since event exporter accesses the Kubernetes API, it requires permissions to diff --git a/content/en/docs/tasks/debug-application-cluster/get-shell-running-container.md b/content/en/docs/tasks/debug-application-cluster/get-shell-running-container.md index 8b97c679f12cc..f3ff92c1964b2 100644 --- a/content/en/docs/tasks/debug-application-cluster/get-shell-running-container.md +++ b/content/en/docs/tasks/debug-application-cluster/get-shell-running-container.md @@ -33,7 +33,7 @@ runs the nginx image. Here is the configuration file for the Pod: Create the Pod: ```shell -kubectl create -f https://k8s.io/examples/application/shell-demo.yaml +kubectl apply -f https://k8s.io/examples/application/shell-demo.yaml ``` Verify that the Container is running: diff --git a/content/en/docs/tasks/debug-application-cluster/logging-stackdriver.md b/content/en/docs/tasks/debug-application-cluster/logging-stackdriver.md index 1a5bc4e8e6011..b240d9d0e9c11 100644 
--- a/content/en/docs/tasks/debug-application-cluster/logging-stackdriver.md +++ b/content/en/docs/tasks/debug-application-cluster/logging-stackdriver.md @@ -97,7 +97,7 @@ than Google Kubernetes Engine. Proceed at your own risk. 1. Deploy a `ConfigMap` with the logging agent configuration by running the following command: ``` - kubectl create -f https://k8s.io/examples/debug/fluentd-gcp-configmap.yaml + kubectl apply -f https://k8s.io/examples/debug/fluentd-gcp-configmap.yaml ``` The command creates the `ConfigMap` in the `default` namespace. You can download the file @@ -106,7 +106,7 @@ than Google Kubernetes Engine. Proceed at your own risk. 1. Deploy the logging agent `DaemonSet` by running the following command: ``` - kubectl create -f https://k8s.io/examples/debug/fluentd-gcp-ds.yaml + kubectl apply -f https://k8s.io/examples/debug/fluentd-gcp-ds.yaml ``` You can download and edit this file before using it as well. @@ -139,7 +139,7 @@ that writes out the value of a counter and the date once per second, and runs indefinitely. Let's create this pod in the default namespace. ```shell -kubectl create -f https://k8s.io/examples/debug/counter-pod.yaml +kubectl apply -f https://k8s.io/examples/debug/counter-pod.yaml ``` You can observe the running pod: @@ -176,7 +176,7 @@ pod "counter" deleted and then recreating it: ```shell -$ kubectl create -f https://k8s.io/examples/debug/counter-pod.yaml +$ kubectl apply -f https://k8s.io/examples/debug/counter-pod.yaml pod/counter created ``` diff --git a/content/en/docs/tasks/debug-application-cluster/monitor-node-health.md b/content/en/docs/tasks/debug-application-cluster/monitor-node-health.md index 43b3c8fc860d3..6db5585f92dfe 100644 --- a/content/en/docs/tasks/debug-application-cluster/monitor-node-health.md +++ b/content/en/docs/tasks/debug-application-cluster/monitor-node-health.md 
@@ -73,7 +73,7 @@ OS distro.*** * **Step 2:** Start node problem detector with `kubectl`: ```shell - kubectl create -f https://k8s.io/examples/debug/node-problem-detector.yaml + kubectl apply -f https://k8s.io/examples/debug/node-problem-detector.yaml ``` ### Addon Pod @@ -105,7 +105,7 @@ node-problem-detector-config --from-file=config/`. ```shell kubectl delete -f https://k8s.io/examples/debug/node-problem-detector.yaml # If you have a node-problem-detector running - kubectl create -f https://k8s.io/examples/debug/node-problem-detector-configmap.yaml + kubectl apply -f https://k8s.io/examples/debug/node-problem-detector-configmap.yaml ``` ***Notice that this approach only applies to node problem detector started with `kubectl`.*** diff --git a/content/en/docs/tasks/federation/set-up-placement-policies-federation.md b/content/en/docs/tasks/federation/set-up-placement-policies-federation.md index cb1e02d8cf8ff..e63106a01155b 100644 --- a/content/en/docs/tasks/federation/set-up-placement-policies-federation.md +++ b/content/en/docs/tasks/federation/set-up-placement-policies-federation.md @@ -32,7 +32,7 @@ After deploying the Federation control plane, you must configure an Admission Controller in the Federation API server that enforces placement decisions received from the external policy engine. - kubectl create -f scheduling-policy-admission.yaml + kubectl apply -f scheduling-policy-admission.yaml Shown below is an example ConfigMap for the Admission Controller: @@ -82,7 +82,7 @@ decisions in the Federation control plane. Create a Service in the host cluster to contact the external policy engine: - kubectl create -f policy-engine-service.yaml + kubectl apply -f policy-engine-service.yaml Shown below is an example Service for OPA. 
@@ -90,7 +90,7 @@ Shown below is an example Service for OPA. Create a Deployment in the host cluster with the Federation control plane: - kubectl create -f policy-engine-deployment.yaml + kubectl apply -f policy-engine-deployment.yaml Shown below is an example Deployment for OPA. diff --git a/content/en/docs/tasks/inject-data-application/define-command-argument-container.md b/content/en/docs/tasks/inject-data-application/define-command-argument-container.md index f7f2e2035fb40..66ebd69c134ab 100644 --- a/content/en/docs/tasks/inject-data-application/define-command-argument-container.md +++ b/content/en/docs/tasks/inject-data-application/define-command-argument-container.md @@ -47,7 +47,7 @@ file for the Pod defines a command and two arguments: 1. Create a Pod based on the YAML configuration file: ```shell - kubectl create -f https://k8s.io/examples/pods/commands.yaml + kubectl apply -f https://k8s.io/examples/pods/commands.yaml ``` 1. List the running Pods: diff --git a/content/en/docs/tasks/inject-data-application/define-environment-variable-container.md b/content/en/docs/tasks/inject-data-application/define-environment-variable-container.md index ec70cae998771..d10bbd323f67c 100644 --- a/content/en/docs/tasks/inject-data-application/define-environment-variable-container.md +++ b/content/en/docs/tasks/inject-data-application/define-environment-variable-container.md @@ -37,7 +37,7 @@ Pod: 1. Create a Pod based on the YAML configuration file: ```shell - kubectl create -f https://k8s.io/examples/pods/inject/envars.yaml + kubectl apply -f https://k8s.io/examples/pods/inject/envars.yaml ``` 1. List the running Pods: diff --git a/content/en/docs/tasks/inject-data-application/distribute-credentials-secure.md b/content/en/docs/tasks/inject-data-application/distribute-credentials-secure.md index a2533ac9c0d77..ff77fab7d77e8 100644 --- a/content/en/docs/tasks/inject-data-application/distribute-credentials-secure.md 
+++ b/content/en/docs/tasks/inject-data-application/distribute-credentials-secure.md @@ -42,7 +42,7 @@ username and password: 1. Create the Secret ```shell - kubectl create -f https://k8s.io/examples/pods/inject/secret.yaml + kubectl apply -f https://k8s.io/examples/pods/inject/secret.yaml ``` 1. View information about the Secret: @@ -98,7 +98,7 @@ Here is a configuration file you can use to create a Pod: 1. Create the Pod: ```shell - kubectl create -f https://k8s.io/examples/pods/inject/secret-pod.yaml + kubectl apply -f https://k8s.io/examples/pods/inject/secret-pod.yaml ``` 1. Verify that your Pod is running: @@ -153,7 +153,7 @@ Here is a configuration file you can use to create a Pod: 1. Create the Pod: ```shell - kubectl create -f https://k8s.io/examples/pods/inject/secret-envars-pod.yaml + kubectl apply -f https://k8s.io/examples/pods/inject/secret-envars-pod.yaml ``` 1. Verify that your Pod is running: diff --git a/content/en/docs/tasks/inject-data-application/downward-api-volume-expose-pod-information.md b/content/en/docs/tasks/inject-data-application/downward-api-volume-expose-pod-information.md index d9bcccdd9e04c..2fe432a7a4d4a 100644 --- a/content/en/docs/tasks/inject-data-application/downward-api-volume-expose-pod-information.md +++ b/content/en/docs/tasks/inject-data-application/downward-api-volume-expose-pod-information.md @@ -56,7 +56,7 @@ fields of the Container in the Pod. Create the Pod: ```shell -kubectl create -f https://k8s.io/examples/pods/inject/dapi-volume.yaml +kubectl apply -f https://k8s.io/examples/pods/inject/dapi-volume.yaml ``` Verify that Container in the Pod is running: @@ -172,7 +172,7 @@ default value of `1` which means cores for cpu and bytes for memory. Create the Pod: ```shell -kubectl create -f https://k8s.io/examples/pods/inject/dapi-volume-resources.yaml +kubectl apply -f https://k8s.io/examples/pods/inject/dapi-volume-resources.yaml ``` Get a shell into the Container that is running in your Pod: 
diff --git a/content/en/docs/tasks/inject-data-application/environment-variable-expose-pod-information.md b/content/en/docs/tasks/inject-data-application/environment-variable-expose-pod-information.md index ddb32c380a34e..b808dd9e2e219 100644 --- a/content/en/docs/tasks/inject-data-application/environment-variable-expose-pod-information.md +++ b/content/en/docs/tasks/inject-data-application/environment-variable-expose-pod-information.md @@ -55,7 +55,7 @@ Container in the Pod. Create the Pod: ```shell -kubectl create -f https://k8s.io/examples/pods/inject/dapi-envars-pod.yaml +kubectl apply -f https://k8s.io/examples/pods/inject/dapi-envars-pod.yaml ``` Verify that the Container in the Pod is running: @@ -130,7 +130,7 @@ from Container fields. Create the Pod: ```shell -kubectl create -f https://k8s.io/examples/pods/inject/dapi-envars-container.yaml +kubectl apply -f https://k8s.io/examples/pods/inject/dapi-envars-container.yaml ``` Verify that the Container in the Pod is running: diff --git a/content/en/docs/tasks/inject-data-application/podpreset.md b/content/en/docs/tasks/inject-data-application/podpreset.md index 10fff8cec432f..0d10d588e84ab 100644 --- a/content/en/docs/tasks/inject-data-application/podpreset.md +++ b/content/en/docs/tasks/inject-data-application/podpreset.md @@ -36,7 +36,7 @@ Preset. Create the PodPreset: ```shell -kubectl create -f https://k8s.io/examples/podpreset/preset.yaml +kubectl apply -f https://k8s.io/examples/podpreset/preset.yaml ``` Examine the created PodPreset: @@ -54,7 +54,7 @@ The new PodPreset will act upon any pod that has label `role: frontend`. Create a pod: ```shell -$ kubectl create -f https://k8s.io/examples/podpreset/pod.yaml +$ kubectl apply -f https://k8s.io/examples/podpreset/pod.yaml ``` List the running Pods: diff --git a/content/en/docs/tasks/job/automated-tasks-with-cron-jobs.md b/content/en/docs/tasks/job/automated-tasks-with-cron-jobs.md index d74635e42e72d..2ec379cca6d37 100644 
--- a/content/en/docs/tasks/job/automated-tasks-with-cron-jobs.md +++ b/content/en/docs/tasks/job/automated-tasks-with-cron-jobs.md @@ -50,7 +50,7 @@ This example cron job config `.spec` file prints the current time and a hello me Run the example cron job by downloading the example file and then running this command: ```shell -$ kubectl create -f ./cronjob.yaml +$ kubectl apply -f ./cronjob.yaml cronjob "hello" created ``` diff --git a/content/en/docs/tasks/job/coarse-parallel-processing-work-queue.md b/content/en/docs/tasks/job/coarse-parallel-processing-work-queue.md index ae9577a5a4add..f94377576228c 100644 --- a/content/en/docs/tasks/job/coarse-parallel-processing-work-queue.md +++ b/content/en/docs/tasks/job/coarse-parallel-processing-work-queue.md @@ -46,9 +46,9 @@ cluster and reuse it for many jobs, as well as for long-running services. Start RabbitMQ as follows: ```shell -$ kubectl create -f examples/celery-rabbitmq/rabbitmq-service.yaml +$ kubectl apply -f examples/celery-rabbitmq/rabbitmq-service.yaml service "rabbitmq-service" created -$ kubectl create -f examples/celery-rabbitmq/rabbitmq-controller.yaml +$ kubectl apply -f examples/celery-rabbitmq/rabbitmq-controller.yaml replicationcontroller "rabbitmq-controller" created ``` @@ -234,7 +234,7 @@ done. So we set, `.spec.completions: 8` for the example, since we put 8 items i So, now run the Job: ```shell -kubectl create -f ./job.yaml +kubectl apply -f ./job.yaml ``` Now wait a bit, then check on the job. diff --git a/content/en/docs/tasks/job/fine-parallel-processing-work-queue.md b/content/en/docs/tasks/job/fine-parallel-processing-work-queue.md index 3f0de4e88499c..1a495a1c65216 100644 --- a/content/en/docs/tasks/job/fine-parallel-processing-work-queue.md +++ b/content/en/docs/tasks/job/fine-parallel-processing-work-queue.md 
@@ -53,9 +53,9 @@ directory and start a temporary Pod running Redis and a service so we can find i ```shell $ cd content/en/examples/application/job/redis -$ kubectl create -f ./redis-pod.yaml +$ kubectl apply -f ./redis-pod.yaml pod/redis-master created -$ kubectl create -f ./redis-service.yaml +$ kubectl apply -f ./redis-service.yaml service/redis created ``` @@ -196,7 +196,7 @@ too. So, now run the Job: ```shell -kubectl create -f ./job.yaml +kubectl apply -f ./job.yaml ``` Now wait a bit, then check on the job. diff --git a/content/en/docs/tasks/job/parallel-processing-expansion.md b/content/en/docs/tasks/job/parallel-processing-expansion.md index b71f1c7c2e6f8..1ed9ff2e9096f 100644 --- a/content/en/docs/tasks/job/parallel-processing-expansion.md +++ b/content/en/docs/tasks/job/parallel-processing-expansion.md @@ -66,7 +66,7 @@ to generate the Job objects. Next, create all the jobs with one kubectl command: ```shell -$ kubectl create -f ./jobs +$ kubectl apply -f ./jobs job "process-item-apple" created job "process-item-banana" created job "process-item-cherry" created @@ -178,7 +178,7 @@ cat job.yaml.jinja2 | render_template > jobs.yaml Or sent directly to kubectl, like this: ```shell -cat job.yaml.jinja2 | render_template | kubectl create -f - +cat job.yaml.jinja2 | render_template | kubectl apply -f - ``` ## Alternatives diff --git a/content/en/docs/tasks/manage-daemon/update-daemon-set.md b/content/en/docs/tasks/manage-daemon/update-daemon-set.md index 4b380f772d4d3..38baee076e8c3 100644 --- a/content/en/docs/tasks/manage-daemon/update-daemon-set.md +++ b/content/en/docs/tasks/manage-daemon/update-daemon-set.md 
@@ -56,7 +56,7 @@ If you haven't created the DaemonSet in the system, check your DaemonSet manifest with the following command instead: ```shell -kubectl create -f ds.yaml --dry-run -o go-template='{{.spec.updateStrategy.type}}{{"\n"}}' +kubectl apply -f ds.yaml --dry-run -o go-template='{{.spec.updateStrategy.type}}{{"\n"}}' ``` The output from both commands should be: @@ -76,7 +76,7 @@ step 3. After verifying the update strategy of the DaemonSet manifest, create the DaemonSet: ```shell -kubectl create -f ds.yaml +kubectl apply -f ds.yaml ``` Alternatively, use `kubectl apply` to create the same DaemonSet if you plan to diff --git a/content/en/docs/tasks/run-application/configure-pdb.md b/content/en/docs/tasks/run-application/configure-pdb.md index 36a06deddae90..85e73878a9133 100644 --- a/content/en/docs/tasks/run-application/configure-pdb.md +++ b/content/en/docs/tasks/run-application/configure-pdb.md @@ -167,7 +167,7 @@ automatically responds to changes in the number of replicas of the corresponding ## Create the PDB object -You can create the PDB object with a command like `kubectl create -f mypdb.yaml`. +You can create the PDB object with a command like `kubectl apply -f mypdb.yaml`. You cannot update PDB objects. They must be deleted and re-created. diff --git a/content/en/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough.md b/content/en/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough.md index 8cdf150782167..a820bf59174ac 100644 --- a/content/en/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough.md +++ b/content/en/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough.md 
@@ -454,7 +454,7 @@ can use the following file to create it declaratively: We will create the autoscaler by executing the following command: ```shell -$ kubectl create -f https://k8s.io/examples/application/hpa/php-apache.yaml +$ kubectl apply -f https://k8s.io/examples/application/hpa/php-apache.yaml horizontalpodautoscaler.autoscaling/php-apache created ``` diff --git a/content/en/docs/tasks/run-application/run-replicated-stateful-application.md b/content/en/docs/tasks/run-application/run-replicated-stateful-application.md index 8ba5248b09dee..1c74858f247a4 100644 --- a/content/en/docs/tasks/run-application/run-replicated-stateful-application.md +++ b/content/en/docs/tasks/run-application/run-replicated-stateful-application.md @@ -60,7 +60,7 @@ and a StatefulSet. Create the ConfigMap from the following YAML configuration file: ```shell -kubectl create -f https://k8s.io/examples/application/mysql/mysql-configmap.yaml +kubectl apply -f https://k8s.io/examples/application/mysql/mysql-configmap.yaml ``` {{< codenew file="application/mysql/mysql-configmap.yaml" >}} @@ -80,7 +80,7 @@ based on information provided by the StatefulSet controller. Create the Services from the following YAML configuration file: ```shell -kubectl create -f https://k8s.io/examples/application/mysql/mysql-services.yaml +kubectl apply -f https://k8s.io/examples/application/mysql/mysql-services.yaml ``` {{< codenew file="application/mysql/mysql-services.yaml" >}} @@ -106,7 +106,7 @@ writes. Finally, create the StatefulSet from the following YAML configuration file: ```shell -kubectl create -f https://k8s.io/examples/application/mysql/mysql-statefulset.yaml +kubectl apply -f https://k8s.io/examples/application/mysql/mysql-statefulset.yaml ``` {{< codenew file="application/mysql/mysql-statefulset.yaml" >}} 
diff --git a/content/en/docs/tasks/run-application/run-single-instance-stateful-application.md b/content/en/docs/tasks/run-application/run-single-instance-stateful-application.md index 275dcfec0735a..87f0b01ad0b32 100644 --- a/content/en/docs/tasks/run-application/run-single-instance-stateful-application.md +++ b/content/en/docs/tasks/run-application/run-single-instance-stateful-application.md @@ -53,11 +53,11 @@ for a secure solution. 1. Deploy the PV and PVC of the YAML file: - kubectl create -f https://k8s.io/examples/application/mysql/mysql-pv.yaml + kubectl apply -f https://k8s.io/examples/application/mysql/mysql-pv.yaml 1. Deploy the contents of the YAML file: - kubectl create -f https://k8s.io/examples/application/mysql/mysql-deployment.yaml + kubectl apply -f https://k8s.io/examples/application/mysql/mysql-deployment.yaml 1. Display information about the Deployment: diff --git a/content/en/docs/tasks/run-application/scale-stateful-set.md b/content/en/docs/tasks/run-application/scale-stateful-set.md index c47fd8f47d13b..462025836dafe 100644 --- a/content/en/docs/tasks/run-application/scale-stateful-set.md +++ b/content/en/docs/tasks/run-application/scale-stateful-set.md @@ -50,7 +50,7 @@ kubectl scale statefulsets --replicas= Alternatively, you can do [in-place updates](/docs/concepts/cluster-administration/manage-deployment/#in-place-updates-of-resources) on your StatefulSets. -If your StatefulSet was initially created with `kubectl apply` or `kubectl create --save-config`, +If your StatefulSet was initially created with `kubectl apply`, update `.spec.replicas` of the StatefulSet manifests, and then do a `kubectl apply`: ```shell diff --git a/content/en/docs/tasks/run-application/update-api-object-kubectl-patch.md b/content/en/docs/tasks/run-application/update-api-object-kubectl-patch.md index d5c3f68213973..d77108977b767 100644 --- a/content/en/docs/tasks/run-application/update-api-object-kubectl-patch.md 
+++ b/content/en/docs/tasks/run-application/update-api-object-kubectl-patch.md @@ -31,7 +31,7 @@ is a Pod that has one container: Create the Deployment: ```shell -kubectl create -f https://k8s.io/examples/application/deployment-patch.yaml +kubectl apply -f https://k8s.io/examples/application/deployment-patch.yaml ``` View the Pods associated with your Deployment: diff --git a/content/en/docs/tasks/tls/managing-tls-in-a-cluster.md b/content/en/docs/tasks/tls/managing-tls-in-a-cluster.md index 2180f05d369d6..2edf0486f6f4b 100644 --- a/content/en/docs/tasks/tls/managing-tls-in-a-cluster.md +++ b/content/en/docs/tasks/tls/managing-tls-in-a-cluster.md @@ -104,7 +104,7 @@ Generate a CSR yaml blob and send it to the apiserver by running the following command: ```shell -cat <}} ```shell -$ kubectl create -f ./hello-apparmor.yaml +$ kubectl apply -f ./hello-apparmor.yaml ``` If we look at the pod events, we can see that the Pod container was created with the AppArmor @@ -231,7 +231,7 @@ error: error executing remote command: command terminated with non-zero exit cod To wrap up, let's look at what happens if we try to specify a profile that hasn't been loaded: ```shell -$ kubectl create -f /dev/stdin <}} {{< version-check >}} +* The example shown on this page works with `kubectl` 1.14 and above. * Understand [Configure Containers Using a ConfigMap](/docs/tasks/configure-pod-container/configure-pod-configmap/). {{% /capture %}} 
@@ -35,49 +37,48 @@ This page provides a real world example of how to configure Redis using a Config You can follow the steps below to configure a Redis cache using data stored in a ConfigMap. -First create a ConfigMap from the `redis-config` file: +First create a `kustomization.yaml` containing a ConfigMap from the `redis-config` file: {{< codenew file="pods/config/redis-config" >}} ```shell curl -OL https://k8s.io/examples/pods/config/redis-config -kubectl create configmap example-redis-config --from-file=redis-config -``` -```shell -configmap/example-redis-config created +cat <./kustomization.yaml +configMapGenerator: +- name: example-redis-config + files: + - redis-config +EOF ``` -Examine the created ConfigMap: +Add the pod resource config to the `kustomization.yaml`: + +{{< codenew file="pods/config/redis-pod.yaml" >}} ```shell -kubectl get configmap example-redis-config -o yaml -``` +curl -OL https://k8s.io/examples/pods/config/redis-pod.yaml -```yaml -apiVersion: v1 -data: - redis-config: | - maxmemory 2mb - maxmemory-policy allkeys-lru -kind: ConfigMap -metadata: - creationTimestamp: 2016-03-30T18:14:41Z - name: example-redis-config - namespace: default - resourceVersion: "24686" - selfLink: /api/v1/namespaces/default/configmaps/example-redis-config - uid: 460a2b6e-f6a3-11e5-8ae5-42010af00002 +cat <>./kustomization.yaml +resources: +- redis-pod.yaml +EOF ``` -Now create a pod specification that uses the config data stored in the ConfigMap: +Apply the kustomization directory to create both the ConfigMap and Pod objects: -{{< codenew file="pods/config/redis-pod.yaml" >}} - -Create the pod: +```shell +kubectl apply -k . +``` +Examine the created objects by ```shell -kubectl create -f https://k8s.io/examples/pods/config/redis-pod.yaml +> kubectl get -k . +NAME DATA AGE +configmap/example-redis-config-dgh9dg555m 1 52s + +NAME READY STATUS RESTARTS AGE +pod/redis 1/1 Running 0 52s ``` In the example, the config volume is mounted at `/redis-master`. 
diff --git a/content/en/docs/tutorials/stateful-application/basic-stateful-set.md b/content/en/docs/tutorials/stateful-application/basic-stateful-set.md index 93fee4e2100c3..3b0b5f7003f63 100644 --- a/content/en/docs/tutorials/stateful-application/basic-stateful-set.md +++ b/content/en/docs/tutorials/stateful-application/basic-stateful-set.md @@ -73,11 +73,11 @@ kubectl get pods -w -l app=nginx ``` In the second terminal, use -[`kubectl create`](/docs/reference/generated/kubectl/kubectl-commands/#create) to create the +[`kubectl apply`](/docs/reference/generated/kubectl/kubectl-commands/#apply) to create the Headless Service and StatefulSet defined in `web.yaml`. ```shell -kubectl create -f web.yaml +kubectl apply -f web.yaml service/nginx created statefulset.apps/web created ``` @@ -783,7 +783,7 @@ you deleted the `nginx` Service ( which you should not have ), you will see an error indicating that the Service already exists. ```shell -kubectl create -f web.yaml +kubectl apply -f web.yaml statefulset.apps/web created Error from server (AlreadyExists): error when creating "web.yaml": services "nginx" already exists ``` @@ -883,7 +883,7 @@ service "nginx" deleted Recreate the StatefulSet and Headless Service one more time. ```shell -kubectl create -f web.yaml +kubectl apply -f web.yaml service/nginx created statefulset.apps/web created ``` @@ -947,7 +947,7 @@ kubectl get po -l app=nginx -w In another terminal, create the StatefulSet and Service in the manifest. ```shell -kubectl create -f web-parallel.yaml +kubectl apply -f web-parallel.yaml service/nginx created statefulset.apps/web created ``` diff --git a/content/en/docs/tutorials/stateful-application/cassandra.md b/content/en/docs/tutorials/stateful-application/cassandra.md index 7313f8c0e0879..f2169a5d8caf3 100644 --- a/content/en/docs/tutorials/stateful-application/cassandra.md +++ b/content/en/docs/tutorials/stateful-application/cassandra.md 
@@ -76,7 +76,7 @@ The following `Service` is used for DNS lookups between Cassandra Pods and clien 1. Create a Service to track all Cassandra StatefulSet nodes from the `cassandra-service.yaml` file: ```shell - kubectl create -f https://k8s.io/examples/application/cassandra/cassandra-service.yaml + kubectl apply -f https://k8s.io/examples/application/cassandra/cassandra-service.yaml ``` ### Validating (optional) @@ -110,7 +110,7 @@ This example uses the default provisioner for Minikube. Please update the follow 1. Create the Cassandra StatefulSet from the `cassandra-statefulset.yaml` file: ```shell - kubectl create -f https://k8s.io/examples/application/cassandra/cassandra-statefulset.yaml + kubectl apply -f https://k8s.io/examples/application/cassandra/cassandra-statefulset.yaml ``` ## Validating The Cassandra StatefulSet diff --git a/content/en/docs/tutorials/stateful-application/mysql-wordpress-persistent-volume.md b/content/en/docs/tutorials/stateful-application/mysql-wordpress-persistent-volume.md index 63b6b032db012..587d50658bded 100644 --- a/content/en/docs/tutorials/stateful-application/mysql-wordpress-persistent-volume.md +++ b/content/en/docs/tutorials/stateful-application/mysql-wordpress-persistent-volume.md @@ -23,16 +23,19 @@ The files provided in this tutorial are using GA Deployment APIs and are specifi {{% capture objectives %}} * Create PersistentVolumeClaims and PersistentVolumes -* Create a Secret -* Deploy MySQL -* Deploy WordPress +* Create a `kustomization.yaml` with + * a Secret generator + * MySQL resource configs + * WordPress resource configs +* Apply the kustomization directory by `kubectl apply -k ./` * Clean up {{% /capture %}} {{% capture prerequisites %}} -{{< include "task-tutorial-prereqs.md" >}} {{< version-check >}} +{{< include "task-tutorial-prereqs.md" >}} {{< version-check >}} +The example shown on this page works with `kubectl` 1.14 and above. Download the following configuration files: 
@@ -64,44 +67,70 @@ If you are bringing up a cluster that needs to use the `hostPath` provisioner, t If you have a Kubernetes cluster running on Google Kubernetes Engine, please follow [this guide](https://cloud.google.com/kubernetes-engine/docs/tutorials/persistent-disk). {{< /note >}} -## Create a Secret for MySQL Password +## Create a kustomization.yaml -A [Secret](/docs/concepts/configuration/secret/) is an object that stores a piece of sensitive data like a password or key. The manifest files are already configured to use a Secret, but you have to create your own Secret. +### Add a Secret generator +A [Secret](/docs/concepts/configuration/secret/) is an object that stores a piece of sensitive data like a password or key. Since 1.14, `kubectl` supports the management of Kubernetes objects using a kustomization file. You can create a Secret by generators in `kustomization.yaml`. -1. Create the Secret object from the following command. You will need to replace - `YOUR_PASSWORD` with the password you want to use. +Add a Secret generator in `kustomization.yaml` from the following command. You will need to replace `YOUR_PASSWORD` with the password you want to use. + +```shell +cat <./kustomization.yaml +secretGenerator: +- name: mysql-pass + literals: + - password=YOUR_PASSWORD +EOF +``` + +## Add resource configs for MySQL and WordPress + +The following manifest describes a single-instance MySQL Deployment. The MySQL container mounts the PersistentVolume at /var/lib/mysql. The `MYSQL_ROOT_PASSWORD` environment variable sets the database password from the Secret. + +{{< codenew file="application/wordpress/mysql-deployment.yaml" >}} + +1. Download the MySQL deployment configuration file. ```shell - kubectl create secret generic mysql-pass --from-literal=password=YOUR_PASSWORD + curl -LO https://k8s.io/examples/application/wordpress/mysql-deployment.yaml ``` - -2. Verify that the Secret exists by running the following command: + +2. 
Download the WordPress configuration file. ```shell - kubectl get secrets + curl -LO https://k8s.io/examples/application/wordpress/wordpress-deployment.yaml ``` + +3. Add them to `kustomization.yaml` file. - The response should be like this: - - ``` - NAME TYPE DATA AGE - mysql-pass Opaque 1 42s + ```shell + cat <>./kustomization.yaml + resources: + - mysql-deployment.yaml + - wordpress-deployment.yaml + EOF ``` -{{< note >}} -To protect the Secret from exposure, neither `get` nor `describe` show its contents. -{{< /note >}} +## Apply and Verify +The `kustomization.yaml` contains all the resources for deploying a WordPress site and a +MySQL database. You can apply the directory by +```shell +kubectl apply -k ./ +``` -## Deploy MySQL +Now you can verify that all objects exist. -The following manifest describes a single-instance MySQL Deployment. The MySQL container mounts the PersistentVolume at /var/lib/mysql. The `MYSQL_ROOT_PASSWORD` environment variable sets the database password from the Secret. +1. Verify that the Secret exists by running the following command: -{{< codenew file="application/wordpress/mysql-deployment.yaml" >}} + ```shell + kubectl get secrets + ``` -1. Deploy MySQL from the `mysql-deployment.yaml` file: + The response should be like this: ```shell - kubectl create -f https://k8s.io/examples/application/wordpress/mysql-deployment.yaml + NAME TYPE DATA AGE + mysql-pass-c57bb4t7mf Opaque 1 9s ``` 2. Verify that a PersistentVolume got dynamically provisioned. Note that it can 
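Review bot: Under "Add a Secret generator", the `cat` command writes `password=YOUR_PASSWORD` as a literal into `./kustomization.yaml`, so the MySQL password now sits in plaintext in a file in the working directory, where the removed `kubectl create secret generic mysql-pass --from-literal=password=YOUR_PASSWORD` step left no file behind. The same hunk drops the note that neither `get` nor `describe` shows Secret contents. Add a note telling readers to keep this `kustomization.yaml` out of version control and to remove it or restrict its permissions once the objects are applied. Separately, "## Add resource configs for MySQL and WordPress" sits at the same level as "## Create a kustomization.yaml" although it is a step of it, next to "### Add a Secret generator"; make it `###`. The sample `kubectl get secrets` output is also fenced as `shell` where the old block was a plain fence.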
@@ -113,9 +142,10 @@ The following manifest describes a single-instance MySQL Deployment. The MySQL c The response should be like this: - ``` - NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS AGE - mysql-pv-claim Bound pvc-91e44fbf-d477-11e7-ac6a-42010a800002 20Gi RWO standard 29s + ```shell + NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS AGE + mysql-pv-claim Bound pvc-8cbd7b2e-4044-11e9-b2bb-42010a800002 20Gi RWO standard 77s + wp-pv-claim Bound pvc-8cd0df54-4044-11e9-b2bb-42010a800002 20Gi RWO standard 77s ``` 3. Verify that the Pod is running by running the following command: @@ -135,36 +165,7 @@ The following manifest describes a single-instance MySQL Deployment. The MySQL c wordpress-mysql-1894417608-x5dzt 1/1 Running 0 40s ``` -## Deploy WordPress - -The following manifest describes a single-instance WordPress Deployment and Service. It uses many of the same features like a PVC for persistent storage and a Secret for the password. But it also uses a different setting: `type: LoadBalancer`. This setting exposes WordPress to traffic from outside of the cluster. - -{{< codenew file="application/wordpress/wordpress-deployment.yaml" >}} - -1. Create a WordPress Service and Deployment from the `wordpress-deployment.yaml` file: - - ```shell - kubectl create -f https://k8s.io/examples/application/wordpress/wordpress-deployment.yaml - ``` - -2. Verify that a PersistentVolume got dynamically provisioned: - - ```shell - kubectl get pvc - ``` - - {{< note >}} - It can take up to a few minutes for the PVs to be provisioned and bound. - {{< /note >}} - - The response should be like this: - - ``` - NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS AGE - wp-pv-claim Bound pvc-e69d834d-d477-11e7-ac6a-42010a800002 20Gi RWO standard 7s - ``` - -3. Verify that the Service is running by running the following command: +4. Verify that the Service is running by running the following command: ```shell kubectl get services wordpress 
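Review bot: The removed "Deploy WordPress" section carried the only explanation of `type: LoadBalancer` ("This setting exposes WordPress to traffic from outside of the cluster") and the `codenew` include for `application/wordpress/wordpress-deployment.yaml`. After this change the page downloads and applies that manifest without showing it or saying that it creates an externally reachable Service. Move that paragraph and the `{{< codenew file="application/wordpress/wordpress-deployment.yaml" >}}` include up into "Add resource configs for MySQL and WordPress", next to the MySQL manifest.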
@@ -181,7 +182,7 @@ The following manifest describes a single-instance WordPress Deployment and Serv Minikube can only expose Services through `NodePort`. The EXTERNAL-IP is always pending. {{< /note >}} -4. Run the following command to get the IP Address for the WordPress Service: +5. Run the following command to get the IP Address for the WordPress Service: ```shell minikube service wordpress --url @@ -193,7 +194,7 @@ The following manifest describes a single-instance WordPress Deployment and Serv http://1.2.3.4:32406 ``` -5. Copy the IP address, and load the page in your browser to view your site. +6. Copy the IP address, and load the page in your browser to view your site. You should see the WordPress set up page similar to the following screenshot. @@ -207,23 +208,10 @@ Do not leave your WordPress installation on this page. If another user finds it, {{% capture cleanup %}} -1. Run the following command to delete your Secret: - - ```shell - kubectl delete secret mysql-pass - ``` - -2. Run the following commands to delete all Deployments and Services: - - ```shell - kubectl delete deployment -l app=wordpress - kubectl delete service -l app=wordpress - ``` - -3. Run the following commands to delete the PersistentVolumeClaims. The dynamically provisioned PersistentVolumes will be automatically deleted. +1. Run the following command to delete your Secret, Deployments, Services and PersistentVolumeClaims: ```shell - kubectl delete pvc -l app=wordpress + kubectl delete -k ./ ``` {{% /capture %}} From 07c4eb3942ed8621ee67c50145c4f01e0289f688 Mon Sep 17 00:00:00 2001 From: Deep Debroy Date: Sat, 16 Mar 2019 10:46:57 -0700 Subject: [PATCH 28/47] Documentation for Windows GMSA feature (#12936) * Documentation for Windows GMSA feature Signed-off-by: Deep Debroy * Enhancements to GMSA docs Signed-off-by: Deep Debroy * Fix links Signed-off-by: Deep Debroy * Fix GMSA link Signed-off-by: Deep Debroy * Add GMSA feature flag in feature flag list 
Signed-off-by: Deep Debroy * Relocate GMSA to container configuration Signed-off-by: Deep Debroy * Add example for container spec Signed-off-by: Deep Debroy * Remove changes in Windows index Signed-off-by: Deep Debroy * Update configure-gmsa.md * Update configure-gmsa.md * Update configure-gmsa.md * Update configure-gmsa.md * Rearrange the steps into two sections and other edits Signed-off-by: Deep Debroy * Fix links Signed-off-by: Deep Debroy * Add reference to script to generate GMSA YAMLs Signed-off-by: Deep Debroy * Some more clarifications for GMSA Signed-off-by: Deep Debroy --- .../feature-gates.md | 2 + .../configure-pod-container/configure-gmsa.md | 194 ++++++++++++++++++ 2 files changed, 196 insertions(+) create mode 100644 content/en/docs/tasks/configure-pod-container/configure-gmsa.md diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates.md b/content/en/docs/reference/command-line-tools-reference/feature-gates.md index 622445460f9b6..7b83640ede698 100644 --- a/content/en/docs/reference/command-line-tools-reference/feature-gates.md +++ b/content/en/docs/reference/command-line-tools-reference/feature-gates.md @@ -152,6 +152,7 @@ different Kubernetes components. | `VolumeSnapshotDataSource` | `false` | Alpha | 1.12 | - | | `ScheduleDaemonSetPods` | `false` | Alpha | 1.11 | 1.11 | | `ScheduleDaemonSetPods` | `true` | Beta | 1.12 | | +| `WindowsGMSA` | `false` | Alpha | 1.14 | | ## Using a Feature @@ -317,5 +318,6 @@ Each feature gate is designed for enabling/disabling a specific feature: type when used together with the `PersistentLocalVolumes` feature gate. - `VolumeSnapshotDataSource`: Enable volume snapshot data source support. - `VolumeSubpathEnvExpansion`: Enable `subPathExpr` field for expanding environment variables into a `subPath`. +- `WindowsGMSA`: Enables passing of GMSA credential specs from pods to container runtimes. {{% /capture %}} 
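Review bot: The new description line reads "`WindowsGMSA`: Enables passing of GMSA credential specs from pods to container runtimes.", while the neighbouring entries use the imperative ("Enable volume snapshot data source support."); change it to "Enable" for consistency, and link the entry to the new configure-gmsa task page so readers can find what the gate controls. In the table row the last cell is left empty where the `VolumeSnapshotDataSource` alpha row uses `-`; pick one convention.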
diff --git a/content/en/docs/tasks/configure-pod-container/configure-gmsa.md b/content/en/docs/tasks/configure-pod-container/configure-gmsa.md new file mode 100644 index 0000000000000..844db949c405e --- /dev/null +++ b/content/en/docs/tasks/configure-pod-container/configure-gmsa.md 
@@ -0,0 +1,194 @@ +--- +title: Configure GMSA for Windows pods and containers +content_template: templates/task +weight: 20 +--- + +{{% capture overview %}} + +{{< feature-state for_k8s_version="v1.14" state="alpha" >}} + +This page shows how to configure [Group Managed Service Accounts](https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview) (GMSA) for pods and containers that will run on Windows nodes. Group Managed Service Accounts are a specific type of Active Directory account that provides automatic password management, simplified service principal name (SPN) management, and the ability to delegate the management to other administrators across multiple servers. + +In Kubernetes, GMSA credential specs are configured at a Kubernetes cluster-wide scope as custom resources. Windows pods, as well as individual containers within a pod, can be configured to use a GMSA for domain based functions (e.g. Kerberos authentication) when interacting with other Windows services. As of v1.14, the only container runtime interface that supports GMSA for Windows workloads is Dockershim. Implementation of GMSA through CRI and other runtimes is planned for the future. + +{{< note >}} +Currently this feature is in alpha state. While the overall goals and functionality will not change, the way in which the GMSA credspec references are specified in pod specs may change from annotations to a API fields. Please take this into consideration when testing or adopting this feature. +{{< /note >}} + +{{% /capture %}} + +{{% capture body %}} + +## Setup and configuration for GMSA +Configuring GMSA credential specs in the cluster and configuring individual pods and containers to be able to use them requires several steps described in details below. + +### Initial configuration of Kubernetes cluster to use GMSA +This section covers a set of initial steps required once for each cluster. These include: +1. 
Enabling the `WindowsGMSA` feature gate on kubelet on the Windows nodes you'll use to run GMSA-dependent workloads. +2. Installing the GMSACredentialSpec Custom Resource Definition (CRD). +3. Installing two GMSA admission webhooks to expand and validate references to GMSA credential spec resources from pod specs. + +#### Enable the WindowsGMSA feature gate +In the alpha state, the `WindowsGMSA` feature gate needs to be enabled on kubelet on Windows nodes. This is required to pass down the GMSA credential specs from the cluster scoped configurations to the container runtime. See [Feature Gates](https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/) for an explanation of enabling feature gates. Please make sure `--feature-gates=WindowsGMSA=true` parameter exists in the kubelet.exe command line. + +#### Install the GMSACredentialSpec CRD +A [CustomResourceDefinition](https://kubernetes.io/docs/tasks/access-kubernetes-api/custom-resources/custom-resource-definitions/) (CRD) for GMSA credential spec resources needs to be configured on the cluster to define the custom resource type `GMSACredentialSpec`. Download the GMSA CRD [YAML](https://github.com/kubernetes-sigs/windows-gmsa/blob/master/admission-webhook/deploy/gmsa-webhook.yml.tpl#L131-L148) and save it as gmsa-crd.yaml. +Next, install the CRD with `kubectl apply -f gmsa-crd.yaml` + +#### Install webhooks to validate GMSA users +Two webhooks need to be configured on the Kubernetes cluster to populate and validate GMSA credential spec references at the pod or container level: +1. A mutating webhook that expands references to GMSAs (by name from a pod specification) into the full credential spec in JSON form within the pod spec. +2. A validating webhook ensures all references to GMSAs are authorized to be used by the pod service account. + +Installing the above webhooks and associated objects require the steps below: +1. 
Create a certificate key pair (that will be used to allow the webhook container to communicate to the cluster) +2. Install a secret with the certificate from above. +3. Create a deployment for the core webhook logic. +4. Create the validating and mutating webhook configurations referring to the deployment. + +A [script](https://github.com/kubernetes-sigs/windows-gmsa/blob/master/admission-webhook/deploy/deploy-gmsa-webhook.sh) can be used to deploy and configure the GMSA webhooks and associated objects mentioned above. The script can be run with a ```--dry-run``` option to allow you to review the changes that would be made to your cluster. + +The [YAML template](https://github.com/kubernetes-sigs/windows-gmsa/blob/master/admission-webhook/deploy/gmsa-webhook.yml.tpl) used by the script may also be used to deploy the webhooks and associated objects manually (with appropriate substitutions for the parameters) + +### Configuration and usage of GMSAs in pods +This section covers the set of steps necessary for configuring individual GMSA credentials and using them in pods. These include: +1. Creating GMSA credential spec resources. +2. Creating cluster roles to allow service accounts to use specific GMSA credential spec resources. +3. Binding roles to specific service accounts to allow them to use the desired GMSA credential spec resources. +4. Configuring pods with a service account authorized to use the desired GMSA credential specs. + +#### Create GMSA credspec resources +With the GMSACredentialSpec CRD installed, custom resources containing GMSA credential specs can be configured. The GMSA credential spec does not contain secret or sensitive data. It is information that a container runtime can use to describe the desired GMSA of a container to Windows. GMSA credential specs can be generated in YAML format with a utility [PowerShell script](https://github.com/kubernetes-sigs/windows-gmsa/tree/master/scripts/GenerateCredentialSpecResource.ps1). 
+ +Following are the steps for generating a GMSA credential spec YAML manually in JSON format and then converting it: +1. Import the CredentialSpec [module](https://github.com/MicrosoftDocs/Virtualization-Documentation/blob/live/windows-server-container-tools/ServiceAccounts/CredentialSpec.psm1): `ipmo CredentialSpec.psm1` +2. Create a credential spec in JSON format using `New-CredentialSpec`. To create a GMSA credential spec named WebApp1, invoke `New-CredentialSpec -Name WebApp1 -AccountName WebApp1 -Domain $(Get-ADDomain -Current LocalComputer)` +3. Use `Get-CredentialSpec` to show the path of the JSON file. +4. Convert the credspec file from JSON to YAML format and apply the necessary header fields `apiVersion`, `kind`, `metadata` and `credspec` to make it a GMSACredentialSpec custom resource that can be configured in Kubernetes. + +The following YAML configuration describes a GMSA credential spec named `gmsa-WebApp1`: + +``` +apiVersion: windows.k8s.io/v1alpha1 +kind: GMSACredentialSpec +metadata: + name: gmsa-WebApp1 #This is an arbitrary name but it will be used as a reference +credspec: + ActiveDirectoryConfig: + GroupManagedServiceAccounts: + - Name: WebApp1 #Username of the GMSA account + Scope: CONTOSO #NETBIOS Domain Name + - Name: WebApp1 #Username of the GMSA account + Scope: contoso.com #DNS Domain Name + CmsPlugins: + - ActiveDirectory + DomainJoinConfig: + DnsName: contoso.com #DNS Domain Name + DnsTreeName: contoso.com #DNS Domain Name Root + Guid: 244818ae-87ac-4fcd-92ec-e79e5252348a #GUID + MachineAccountName: WebApp1 #Username of the GMSA account + NetBiosName: CONTOSO #NETBIOS Domain Name + Sid: S-1-5-21-2126449477-2524075714-3094792973 #SID of GMSA +``` + +5. Deploy the credential spec resource: `kubectl apply -f gmsa-Webapp1-credspec.yml` + + +#### Configure cluster role to enable RBAC on specific GMSA credential specs +A cluster role needs to be defined for each GMSA credential spec resource. 
This authorizes the `use` verb on a specific GMSA resource by a subject which is typically a service account. The following example shows a cluster role that authorizes usage of the `gmsa-WebApp1` credential spec from above. Save the file as gmsa-webapp1-role.yaml and apply using `kubectl apply -f gmsa-webapp1-role.yaml` + +``` +#Create the Role to read the credspec +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: webapp1-role +rules: +- apiGroups: ["windows.k8s.io"] + resources: ["gmsacredentialspecs"] + verbs: ["use"] + resourceNames: ["gmsa-WebApp1"] +``` + +#### Assign role to service accounts to use specific GMSA credspecs +A service account (that pods will be configured with) needs to be bound to the cluster role create above. This authorizes the service account to "use" the desired GMSA credential spec resource. The following shows the default service account being bound to a cluster role `webapp1-role` to use `gmsa-WebApp1` credential spec resource created above. + +``` +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: allow-default-svc-account-read-on-gmsa-WebApp1 + namespace: default +subjects: +- kind: ServiceAccount + name: default + namespace: default +roleRef: + kind: ClusterRole + name: my-rbac-reader + apiGroup: rbac.authorization.k8s.io +``` + +#### Configure GMSA credential spec reference in pod spec +In the alpha stage of the feature, the annotation `pod.alpha.windows.kubernetes.io/gmsa-credential-spec-name` is used to specify references to desired GMSA credential spec custom resources from pod specs. This configures all containers in the podspec to use the specified GMSA. 
A sample pod spec with the annotation populated to refer to `gmsa-WebApp1`: + +``` +apiVersion: apps/v1beta1 +kind: Deployment +metadata: + labels: + run: with-creds + name: with-creds + namespace: default +spec: + replicas: 1 + selector: + matchLabels: + run: with-creds + template: + metadata: + labels: + run: with-creds + annotations: + pod.alpha.windows.kubernetes.io/gmsa-credential-spec-name: gmsa-WebApp1 # This must be the name of the cred spec you created + spec: + containers: + - image: mcr.microsoft.com/windows/servercore/iis:windowsservercore-ltsc2019 + imagePullPolicy: Always + name: iis + nodeSelector: + beta.kubernetes.io/os: windows +``` + +Individual containers in a pod spec can also specify the desired GMSA credspec using annotation `.container.alpha.windows.kubernetes.io/gmsa-credential-spec`. For example: + +``` +apiVersion: apps/v1beta1 +kind: Deployment +metadata: + labels: + run: with-creds + name: with-creds + namespace: default +spec: + replicas: 1 + selector: + matchLabels: + run: with-creds + template: + metadata: + labels: + run: with-creds + annotations: + iis.container.alpha.windows.kubernetes.io/gmsa-credential-spec-name: gmsa-WebApp1 # This must be the name of the cred spec you created + spec: + containers: + - image: mcr.microsoft.com/windows/servercore/iis:windowsservercore-ltsc2019 + imagePullPolicy: Always + name: iis + nodeSelector: + beta.kubernetes.io/os: windows +``` + +{{% /capture %}} From 21d60d15a19ced0e58c133d66a3cb749cb653152 Mon Sep 17 00:00:00 2001 From: Derek Carr Date: Sat, 16 Mar 2019 14:10:56 -0400 Subject: [PATCH 29/47] HugePages graduated to GA (#13004) * HugePages graduated to GA * fixing nit for build --- .../en/docs/tasks/manage-hugepages/scheduling-hugepages.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/en/docs/tasks/manage-hugepages/scheduling-hugepages.md b/content/en/docs/tasks/manage-hugepages/scheduling-hugepages.md index 82b3c34d279c2..50044d907f081 100644 
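Review bot: In configure-gmsa.md, the RoleBinding example sets `roleRef.name: my-rbac-reader`, but the ClusterRole defined just above it is named `webapp1-role`, and the surrounding sentence says the binding is to `webapp1-role`. As written the binding points at a role the page never creates, so the service account is not granted `use` on `gmsa-WebApp1`; change `roleRef.name` to `webapp1-role`. The same example binds the `default` service account in the `default` namespace, which authorizes every pod there that does not set its own service account to use this GMSA; a dedicated service account referenced from the pod spec would show the least-privilege setup the validating webhook is meant to enforce. Smaller points: the text names the per-container annotation as `.container.alpha.windows.kubernetes.io/gmsa-credential-spec` while the example uses `iis.container.alpha.windows.kubernetes.io/gmsa-credential-spec-name`, so state the container-name prefix and the `-name` suffix explicitly; both examples use `apiVersion: apps/v1beta1` for a Deployment where `apps/v1` is available; the CRD link pins `#L131-L148` on `master`, which will drift as the template changes; step 5 is numbered after the YAML block that interrupts the list; and "cluster role create above" and "to a API fields" need fixing.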
--- a/content/en/docs/tasks/manage-hugepages/scheduling-hugepages.md +++ b/content/en/docs/tasks/manage-hugepages/scheduling-hugepages.md @@ -6,10 +6,10 @@ content_template: templates/task --- {{% capture overview %}} -{{< feature-state state="beta" >}} +{{< feature-state state="stable" >}} Kubernetes supports the allocation and consumption of pre-allocated huge pages -by applications in a Pod as a **beta** feature. This page describes how users +by applications in a Pod as a **GA** feature. This page describes how users can consume huge pages and the current limitations. {{% /capture %}} From b36d68a3b57388465272498d1799fed24ac5d545 Mon Sep 17 00:00:00 2001 From: Robert Krawitz Date: Sat, 16 Mar 2019 14:14:57 -0400 Subject: [PATCH 30/47] Docs for node PID limiting (https://github.com/kubernetes/kubernetes/pull/73651) (#12932) --- .../command-line-tools-reference/kubelet.md | 4 ++-- .../reserve-compute-resources.md | 15 ++++++++++++--- 2 files changed, 14 insertions(+), 5 deletions(-) diff --git a/content/en/docs/reference/command-line-tools-reference/kubelet.md b/content/en/docs/reference/command-line-tools-reference/kubelet.md index 2c2795eb9d4a0..280cfde25507b 100644 --- a/content/en/docs/reference/command-line-tools-reference/kubelet.md +++ b/content/en/docs/reference/command-line-tools-reference/kubelet.md 
@@ -707,7 +707,7 @@ kubelet [flags] --kube-reserved mapStringString - A set of ResourceName=ResourceQuantity (e.g. cpu=200m,memory=500Mi,ephemeral-storage=1Gi) pairs that describe resources reserved for kubernetes system components. Currently cpu, memory and local ephemeral storage for root file system are supported. See http://kubernetes.io/docs/user-guide/compute-resources for more detail. [default=none] + A set of ResourceName=ResourceQuantity (e.g. cpu=200m,memory=500Mi,ephemeral-storage=1Gi,pid=1000) pairs that describe resources reserved for kubernetes system components. Currently cpu, memory, pid, and local ephemeral storage for root file system are supported. See http://kubernetes.io/docs/user-guide/compute-resources for more detail. [default=none] @@ -1092,7 +1092,7 @@ kubelet [flags] --system-reserved mapStringString - A set of ResourceName=ResourceQuantity (e.g. cpu=200m,memory=500Mi,ephemeral-storage=1Gi) pairs that describe resources reserved for non-kubernetes components. Currently only cpu and memory are supported. See http://kubernetes.io/docs/user-guide/compute-resources for more detail. [default=none] + A set of ResourceName=ResourceQuantity (e.g. cpu=200m,memory=500Mi,ephemeral-storage=1Gi,pid=1000) pairs that describe resources reserved for non-kubernetes components. Currently only cpu, memory, and pid are supported. See http://kubernetes.io/docs/user-guide/compute-resources for more detail. [default=none] diff --git a/content/en/docs/tasks/administer-cluster/reserve-compute-resources.md b/content/en/docs/tasks/administer-cluster/reserve-compute-resources.md index 923db9a03c606..defdc6a2adbee 100644 --- a/content/en/docs/tasks/administer-cluster/reserve-compute-resources.md +++ b/content/en/docs/tasks/administer-cluster/reserve-compute-resources.md 
@@ -88,7 +88,7 @@ be configured to use the `systemd` cgroup driver. ### Kube Reserved -- **Kubelet Flag**: `--kube-reserved=[cpu=100m][,][memory=100Mi][,][ephemeral-storage=1Gi]` +- **Kubelet Flag**: `--kube-reserved=[cpu=100m][,][memory=100Mi][,][ephemeral-storage=1Gi][,][pid=1000]` - **Kubelet Flag**: `--kube-reserved-cgroup=` `kube-reserved` is meant to capture resource reservation for kubernetes system @@ -102,6 +102,10 @@ post](https://kubernetes.io/blog/2016/11/visualize-kubelet-performance-with-node explains how the dashboard can be interpreted to come up with a suitable `kube-reserved` reservation. +In addition to `cpu`, `memory`, and `ephemeral-storage`, `pid` may be +specified to reserve the specified number of process IDs for +kubernetes system daemons. + To optionally enforce `kube-reserved` on system daemons, specify the parent control group for kube daemons as the value for `--kube-reserved-cgroup` kubelet flag. @@ -118,7 +122,7 @@ exist. Kubelet will fail if an invalid cgroup is specified. ### System Reserved -- **Kubelet Flag**: `--system-reserved=[cpu=100m][,][memory=100Mi][,][ephemeral-storage=1Gi]` +- **Kubelet Flag**: `--system-reserved=[cpu=100m][,][memory=100Mi][,][ephemeral-storage=1Gi][,][pid=1000]` - **Kubelet Flag**: `--system-reserved-cgroup=` @@ -128,6 +132,10 @@ like `sshd`, `udev`, etc. `system-reserved` should reserve `memory` for the Reserving resources for user login sessions is also recommended (`user.slice` in systemd world). +In addition to `cpu`, `memory`, and `ephemeral-storage`, `pid` may be +specified to reserve the specified number of process IDs for OS system +daemons. + To optionally enforce `system-reserved` on system daemons, specify the parent control group for OS system daemons as the value for `--system-reserved-cgroup` kubelet flag. 
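Review bot: The paragraph added under "System Reserved" and the updated flag synopsis list `ephemeral-storage` alongside `cpu`, `memory` and `pid`, but the `--system-reserved` help text changed in kubelet.md in this same patch says "Currently only cpu, memory, and pid are supported" while still giving `ephemeral-storage=1Gi` in its own example. Make the two files agree on whether `ephemeral-storage` is accepted for `--system-reserved`, and drop it from whichever example it does not apply to.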
@@ -182,7 +190,8 @@ container runtime. However, Kubelet cannot burst and use up all available Node resources if `kube-reserved` is enforced. Be extra careful while enforcing `system-reserved` reservation since it can lead -to critical system services being CPU starved or OOM killed on the node. The +to critical system services being CPU starved, OOM killed, or unable +to fork on the node. The recommendation is to enforce `system-reserved` only if a user has profiled their nodes exhaustively to come up with precise estimates and is confident in their ability to recover if any process in that group is oom_killed. From c037ab563cfe4c26c4132fd60b57fd1c2c037a59 Mon Sep 17 00:00:00 2001 
From: "Lubomir I. Ivanov" Date: Sat, 16 Mar 2019 20:30:56 +0200 Subject: [PATCH 31/47] kubeadm: update the reference documentation for 1.14 (#12911) * kubeadm: update list of generated files for 1.14 NOTE: PLACEHOLDERS! these files are generated by SIG Docs each release, but we need them to pass the k/website PR CI. - add join_phase* (new sub phases of join) - add init_phase_upload-certs.md (new upload certs phase for init) - remove alpha-preflight (now both init and join have this) * kubeadm: update reference docs includes for 1.14 - remove includes from alpha.md - add upload-certs to init-phase.md - add join-phase.md and it's phases * kubeadm: update the editorial content of join and init - cleanup master->control-plane node - add some notes about phases and join - remove table about pre-pulling images - remove outdated info about self-hosting * kubeadm: update target release for v1alpha3 removal 1.14 -> 1.15 * kubeadm: copy edits for 1.14 reference docs (part1) * kubeadm: use "shell" for code blocks --- .../generated/kubeadm_alpha_preflight.md | 50 --------- .../generated/kubeadm_alpha_preflight_node.md | 77 ------------- .../kubeadm_init_phase_upload-certs.md | 27 +++++ .../kubeadm/generated/kubeadm_join_phase.md | 19 ++++ .../kubeadm_join_phase_control-plane-join.md | 30 ++++++ ...beadm_join_phase_control-plane-join_all.md | 27 +++++ ...eadm_join_phase_control-plane-join_etcd.md | 27 +++++ ...e_control-plane-join_mark-control-plane.md | 26 +++++ ..._phase_control-plane-join_update-status.md | 27 +++++ ...ubeadm_join_phase_control-plane-prepare.md | 30 ++++++ ...dm_join_phase_control-plane-prepare_all.md | 35 ++++++ ..._join_phase_control-plane-prepare_certs.md | 33 ++++++ ...ase_control-plane-prepare_control-plane.md | 27 +++++ ...se_control-plane-prepare_download-certs.md | 32 ++++++ ..._phase_control-plane-prepare_kubeconfig.md | 32 ++++++ .../kubeadm_join_phase_kubelet-start.md | 32 ++++++ .../generated/kubeadm_join_phase_preflight.md | 44 ++++++++ 
.../setup-tools/kubeadm/kubeadm-alpha.md | 9 -- .../setup-tools/kubeadm/kubeadm-init-phase.md | 12 ++- .../setup-tools/kubeadm/kubeadm-init.md | 84 +++++---------- .../setup-tools/kubeadm/kubeadm-join-phase.md | 62 +++++++++++ .../setup-tools/kubeadm/kubeadm-join.md | 101 ++++++++++++------ 22 files changed, 613 insertions(+), 230 deletions(-) delete mode 100644 content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_preflight.md delete mode 100644 content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_preflight_node.md create mode 100644 content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_upload-certs.md create mode 100644 content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase.md create mode 100644 content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-join.md create mode 100644 content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-join_all.md create mode 100644 content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-join_etcd.md create mode 100644 content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-join_mark-control-plane.md create mode 100644 content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-join_update-status.md create mode 100644 content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-prepare.md create mode 100644 content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-prepare_all.md create mode 100644 content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-prepare_certs.md create mode 100644 content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-prepare_control-plane.md create mode 100644 
content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-prepare_download-certs.md create mode 100644 content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-prepare_kubeconfig.md create mode 100644 content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_kubelet-start.md create mode 100644 content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_preflight.md create mode 100644 content/en/docs/reference/setup-tools/kubeadm/kubeadm-join-phase.md diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_preflight.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_preflight.md deleted file mode 100644 index d88f71b0d9204..0000000000000 --- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_preflight.md +++ /dev/null @@ -1,50 +0,0 @@ - -Commands related to pre-flight checks - -### Synopsis - - -This command is not meant to be run on its own. See list of available subcommands. - -### Options - - - - - - - - - - - - - - - - -
-h, --help
help for preflight
- - - -### Options inherited from parent commands - - - - - - - - - - - - - - - - -
--rootfs string
[EXPERIMENTAL] The path to the 'real' host root filesystem.
- - - diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_preflight_node.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_preflight_node.md deleted file mode 100644 index 47be57c832538..0000000000000 --- a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_alpha_preflight_node.md +++ /dev/null @@ -1,77 +0,0 @@ - -Run node pre-flight checks - -### Synopsis - - -Run node pre-flight checks, functionally equivalent to what implemented by kubeadm join. - -Alpha Disclaimer: this command is currently alpha. - -``` -kubeadm alpha preflight node [flags] -``` - -### Examples - -``` - # Run node pre-flight checks. - kubeadm alpha preflight node -``` - -### Options - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
--config string
Path to a kubeadm configuration file.
-h, --help
help for node
--ignore-preflight-errors stringSlice
A list of checks whose errors will be shown as warnings. Example: 'IsPrivilegedUser,Swap'. Value 'all' ignores errors from all checks.
- - - -### Options inherited from parent commands - - - - - - - - - - - - - - - - -
--rootfs string
[EXPERIMENTAL] The path to the 'real' host root filesystem.
- - - diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_upload-certs.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_upload-certs.md new file mode 100644 index 0000000000000..aed553b8c3d1e --- /dev/null +++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_init_phase_upload-certs.md @@ -0,0 +1,27 @@ + +Upload certificates to kubeadm-certs + +### Synopsis + +This command is not meant to be run on its own. See list of available subcommands. + +``` +kubeadm init phase upload-certs [flags] +``` + +### Options + +``` + --certificate-key string Key used to encrypt the control-plane certificates in the kubeadm-certs Secret. + --config string Path to a kubeadm configuration file. + --experimental-upload-certs Upload control-plane certificates to the kubeadm-certs Secret. + -h, --help help for upload-certs + --skip-certificate-key-print Don't print the key used to encrypt the control-plane certificates. +``` + +### Options inherited from parent commands + +``` + --rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem. +``` + diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase.md new file mode 100644 index 0000000000000..a5562c5dc4e6c --- /dev/null +++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase.md @@ -0,0 +1,19 @@ + +use this command to invoke single phase of the join workflow + +### Synopsis + +use this command to invoke single phase of the join workflow + +### Options + +``` + -h, --help help for phase +``` + +### Options inherited from parent commands + +``` + --rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem. +``` + 
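Review bot: in kubeadm_join_phase.md the one-line description and the Synopsis both read `use this command to invoke single phase of the join workflow`, which starts in lower case and is missing an article, while the other generated pages in this patch open with a capitalised sentence. The commit message says these generated files are placeholders, so the wording is better corrected in the kubeadm command description itself, so that the regenerated page reads "Use this command to invoke a single phase of the join workflow".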
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-join.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-join.md new file mode 100644 index 0000000000000..e65c5248f44d4 --- /dev/null +++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-join.md @@ -0,0 +1,30 @@ + +Joins a machine as a control plane instance + +### Synopsis + +Joins a machine as a control plane instance + +``` +kubeadm join phase control-plane-join [flags] +``` + +### Examples + +``` + # Joins a machine as a control plane instance + kubeadm join phase control-plane-join all +``` + +### Options + +``` + -h, --help help for control-plane-join +``` + +### Options inherited from parent commands + +``` + --rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem. +``` + diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-join_all.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-join_all.md new file mode 100644 index 0000000000000..d2f288fd98c59 --- /dev/null +++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-join_all.md 
@@ -0,0 +1,27 @@ + +Joins a machine as a control plane instance + +### Synopsis + +Joins a machine as a control plane instance + +``` +kubeadm join phase control-plane-join all [flags] +``` + +### Options + +``` + --apiserver-advertise-address string If the node should host a new control plane instance, the IP address the API Server will advertise it's listening on. If not set the default network interface will be used. + --config string Path to kubeadm config file. + --experimental-control-plane Create a new control plane instance on this node + -h, --help help for all + --node-name string Specify the node name. +``` + +### Options inherited from parent commands + +``` + --rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem. +``` + diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-join_etcd.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-join_etcd.md new file mode 100644 index 0000000000000..05ebd37d41c17 --- /dev/null +++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-join_etcd.md @@ -0,0 +1,27 @@ + +Add a new local etcd member + +### Synopsis + +Add a new local etcd member + +``` +kubeadm join phase control-plane-join etcd [flags] +``` + +### Options + +``` + --apiserver-advertise-address string If the node should host a new control plane instance, the IP address the API Server will advertise it's listening on. If not set the default network interface will be used. + --config string Path to kubeadm config file. + --experimental-control-plane Create a new control plane instance on this node + -h, --help help for etcd + --node-name string Specify the node name. +``` + +### Options inherited from parent commands + +``` + --rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem. +``` + 
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-join_mark-control-plane.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-join_mark-control-plane.md new file mode 100644 index 0000000000000..9a06263e3876b --- /dev/null +++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-join_mark-control-plane.md @@ -0,0 +1,26 @@ + +Mark a node as a control-plane + +### Synopsis + +Mark a node as a control-plane + +``` +kubeadm join phase control-plane-join mark-control-plane [flags] +``` + +### Options + +``` + --config string Path to kubeadm config file. + --experimental-control-plane Create a new control plane instance on this node + -h, --help help for mark-control-plane + --node-name string Specify the node name. +``` + +### Options inherited from parent commands + +``` + --rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem. +``` + diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-join_update-status.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-join_update-status.md new file mode 100644 index 0000000000000..00a10bb606939 --- /dev/null +++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-join_update-status.md 
@@ -0,0 +1,27 @@ + +Register the new control-plane node into the ClusterStatus maintained in the kubeadm-config ConfigMap + +### Synopsis + +Register the new control-plane node into the ClusterStatus maintained in the kubeadm-config ConfigMap + +``` +kubeadm join phase control-plane-join update-status [flags] +``` + +### Options + +``` + --apiserver-advertise-address string If the node should host a new control plane instance, the IP address the API Server will advertise it's listening on. If not set the default network interface will be used. + --config string Path to kubeadm config file. + --experimental-control-plane Create a new control plane instance on this node + -h, --help help for update-status + --node-name string Specify the node name. +``` + +### Options inherited from parent commands + +``` + --rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem. +``` + diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-prepare.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-prepare.md new file mode 100644 index 0000000000000..1ed4d231ba2e9 --- /dev/null +++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-prepare.md @@ -0,0 +1,30 @@ + +Prepares the machine for serving a control plane. + +### Synopsis + +Prepares the machine for serving a control plane. + +``` +kubeadm join phase control-plane-prepare [flags] +``` + +### Examples + +``` + # Prepares the machine for serving a control plane + kubeadm join phase control-plane-prepare all +``` + +### Options + +``` + -h, --help help for control-plane-prepare +``` + +### Options inherited from parent commands + +``` + --rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem. +``` + 
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-prepare_all.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-prepare_all.md new file mode 100644 index 0000000000000..30e3351584f55 --- /dev/null +++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-prepare_all.md 
@@ -0,0 +1,35 @@ + +Prepares the machine for serving a control plane. + +### Synopsis + +Prepares the machine for serving a control plane. + +``` +kubeadm join phase control-plane-prepare all [api-server-endpoint] [flags] +``` + +### Options + +``` + --apiserver-advertise-address string If the node should host a new control plane instance, the IP address the API Server will advertise it's listening on. If not set the default network interface will be used. + --apiserver-bind-port int32 If the node should host a new control plane instance, the port for the API Server to bind to. (default 6443) + --certificate-key string Use this key to decrypt the certificate secrets uploaded by init. + --config string Path to kubeadm config file. + --discovery-file string For file-based discovery, a file or URL from which to load cluster information. + --discovery-token string For token-based discovery, the token used to validate cluster information fetched from the API server. + --discovery-token-ca-cert-hash strings For token-based discovery, validate that the root CA public key matches this hash (format: ":"). + --discovery-token-unsafe-skip-ca-verification For token-based discovery, allow joining without --discovery-token-ca-cert-hash pinning. + --experimental-control-plane Create a new control plane instance on this node + -h, --help help for all + --node-name string Specify the node name. + --tls-bootstrap-token string Specify the token used to temporarily authenticate with the Kubernetes Control Plane while joining the node. + --token string Use this token for both discovery-token and tls-bootstrap-token when those values are not provided. +``` + +### Options inherited from parent commands + +``` + --rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem. +``` + 
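Review bot: in kubeadm_join_phase_control-plane-prepare_all.md the help text for `--discovery-token-ca-cert-hash` gives the expected format as `":"`, with nothing on either side of the colon, so a reader cannot tell what to pass to the one flag that pins the cluster CA during token-based discovery. Please check whether the placeholders were dropped when the page was generated and escape them if so. The same string appears in the certs, download-certs, kubeconfig, kubelet-start and preflight pages added by this patch, so the fix should cover all of them.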
diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-prepare_certs.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-prepare_certs.md new file mode 100644 index 0000000000000..f429b7536cf6e --- /dev/null +++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-prepare_certs.md 
@@ -0,0 +1,33 @@ + +Generates the certificates for the new control plane components + +### Synopsis + +Generates the certificates for the new control plane components + +``` +kubeadm join phase control-plane-prepare certs [api-server-endpoint] [flags] +``` + +### Options + +``` + --apiserver-advertise-address string If the node should host a new control plane instance, the IP address the API Server will advertise it's listening on. If not set the default network interface will be used. + --config string Path to kubeadm config file. + --discovery-file string For file-based discovery, a file or URL from which to load cluster information. + --discovery-token string For token-based discovery, the token used to validate cluster information fetched from the API server. + --discovery-token-ca-cert-hash strings For token-based discovery, validate that the root CA public key matches this hash (format: ":"). + --discovery-token-unsafe-skip-ca-verification For token-based discovery, allow joining without --discovery-token-ca-cert-hash pinning. + --experimental-control-plane Create a new control plane instance on this node + -h, --help help for certs + --node-name string Specify the node name. + --tls-bootstrap-token string Specify the token used to temporarily authenticate with the Kubernetes Control Plane while joining the node. + --token string Use this token for both discovery-token and tls-bootstrap-token when those values are not provided. +``` + +### Options inherited from parent commands + +``` + --rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem. +``` + diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-prepare_control-plane.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-prepare_control-plane.md new file mode 100644 index 0000000000000..cecc4b2a80ae8 --- /dev/null 
+++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-prepare_control-plane.md @@ -0,0 +1,27 @@ + +Generates the manifests for the new control plane components + +### Synopsis + +Generates the manifests for the new control plane components + +``` +kubeadm join phase control-plane-prepare control-plane [flags] +``` + +### Options + +``` + --apiserver-advertise-address string If the node should host a new control plane instance, the IP address the API Server will advertise it's listening on. If not set the default network interface will be used. + --apiserver-bind-port int32 If the node should host a new control plane instance, the port for the API Server to bind to. (default 6443) + --config string Path to kubeadm config file. + --experimental-control-plane Create a new control plane instance on this node + -h, --help help for control-plane +``` + +### Options inherited from parent commands + +``` + --rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem. +``` + diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-prepare_download-certs.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-prepare_download-certs.md new file mode 100644 index 0000000000000..cb87677c20600 --- /dev/null +++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-prepare_download-certs.md 
@@ -0,0 +1,32 @@ + +[EXPERIMENTAL] Downloads certificates shared among control-plane nodes from the kubeadm-certs Secret + +### Synopsis + +[EXPERIMENTAL] Downloads certificates shared among control-plane nodes from the kubeadm-certs Secret + +``` +kubeadm join phase control-plane-prepare download-certs [api-server-endpoint] [flags] +``` + +### Options + +``` + --certificate-key string Use this key to decrypt the certificate secrets uploaded by init. + --config string Path to kubeadm config file. + --discovery-file string For file-based discovery, a file or URL from which to load cluster information. + --discovery-token string For token-based discovery, the token used to validate cluster information fetched from the API server. + --discovery-token-ca-cert-hash strings For token-based discovery, validate that the root CA public key matches this hash (format: ":"). + --discovery-token-unsafe-skip-ca-verification For token-based discovery, allow joining without --discovery-token-ca-cert-hash pinning. + --experimental-control-plane Create a new control plane instance on this node + -h, --help help for download-certs + --tls-bootstrap-token string Specify the token used to temporarily authenticate with the Kubernetes Control Plane while joining the node. + --token string Use this token for both discovery-token and tls-bootstrap-token when those values are not provided. +``` + +### Options inherited from parent commands + +``` + --rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem. +``` + diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-prepare_kubeconfig.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-prepare_kubeconfig.md new file mode 100644 index 0000000000000..558ed7fd33ccb --- /dev/null +++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_control-plane-prepare_kubeconfig.md 
@@ -0,0 +1,32 @@ + +Generates the kubeconfig for the new control plane components + +### Synopsis + +Generates the kubeconfig for the new control plane components + +``` +kubeadm join phase control-plane-prepare kubeconfig [api-server-endpoint] [flags] +``` + +### Options + +``` + --certificate-key string Use this key to decrypt the certificate secrets uploaded by init. + --config string Path to kubeadm config file. + --discovery-file string For file-based discovery, a file or URL from which to load cluster information. + --discovery-token string For token-based discovery, the token used to validate cluster information fetched from the API server. + --discovery-token-ca-cert-hash strings For token-based discovery, validate that the root CA public key matches this hash (format: ":"). + --discovery-token-unsafe-skip-ca-verification For token-based discovery, allow joining without --discovery-token-ca-cert-hash pinning. + --experimental-control-plane Create a new control plane instance on this node + -h, --help help for kubeconfig + --tls-bootstrap-token string Specify the token used to temporarily authenticate with the Kubernetes Control Plane while joining the node. + --token string Use this token for both discovery-token and tls-bootstrap-token when those values are not provided. +``` + +### Options inherited from parent commands + +``` + --rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem. +``` + diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_kubelet-start.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_kubelet-start.md new file mode 100644 index 0000000000000..6120e664bb255 --- /dev/null +++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_kubelet-start.md 
@@ -0,0 +1,32 @@ + +Writes kubelet settings, certificates and (re)starts the kubelet + +### Synopsis + +Writes a file with KubeletConfiguration and an environment file with node specific kubelet settings, and then (re)starts kubelet. + +``` +kubeadm join phase kubelet-start [api-server-endpoint] [flags] +``` + +### Options + +``` + --config string Path to kubeadm config file. + --cri-socket string Path to the CRI socket to connect. If empty kubeadm will try to auto-detect this value; use this option only if you have more than one CRI installed or if you have non-standard CRI socket. + --discovery-file string For file-based discovery, a file or URL from which to load cluster information. + --discovery-token string For token-based discovery, the token used to validate cluster information fetched from the API server. + --discovery-token-ca-cert-hash strings For token-based discovery, validate that the root CA public key matches this hash (format: ":"). + --discovery-token-unsafe-skip-ca-verification For token-based discovery, allow joining without --discovery-token-ca-cert-hash pinning. + -h, --help help for kubelet-start + --node-name string Specify the node name. + --tls-bootstrap-token string Specify the token used to temporarily authenticate with the Kubernetes Control Plane while joining the node. + --token string Use this token for both discovery-token and tls-bootstrap-token when those values are not provided. +``` + +### Options inherited from parent commands + +``` + --rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem. +``` + diff --git a/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_preflight.md b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_preflight.md new file mode 100644 index 0000000000000..70643a0da341a --- /dev/null +++ b/content/en/docs/reference/setup-tools/kubeadm/generated/kubeadm_join_phase_preflight.md 
@@ -0,0 +1,44 @@ + +Run join pre-flight checks + +### Synopsis + +Run pre-flight checks for kubeadm join. + +``` +kubeadm join phase preflight [api-server-endpoint] [flags] +``` + +### Examples + +``` + # Run join pre-flight checks using a config file. + kubeadm join phase preflight --config kubeadm-config.yml +``` + +### Options + +``` + --apiserver-advertise-address string If the node should host a new control plane instance, the IP address the API Server will advertise it's listening on. If not set the default network interface will be used. + --apiserver-bind-port int32 If the node should host a new control plane instance, the port for the API Server to bind to. (default 6443) + --certificate-key string Use this key to decrypt the certificate secrets uploaded by init. + --config string Path to kubeadm config file. + --cri-socket string Path to the CRI socket to connect. If empty kubeadm will try to auto-detect this value; use this option only if you have more than one CRI installed or if you have non-standard CRI socket. + --discovery-file string For file-based discovery, a file or URL from which to load cluster information. + --discovery-token string For token-based discovery, the token used to validate cluster information fetched from the API server. + --discovery-token-ca-cert-hash strings For token-based discovery, validate that the root CA public key matches this hash (format: ":"). + --discovery-token-unsafe-skip-ca-verification For token-based discovery, allow joining without --discovery-token-ca-cert-hash pinning. + --experimental-control-plane Create a new control plane instance on this node + -h, --help help for preflight + --ignore-preflight-errors strings A list of checks whose errors will be shown as warnings. Example: 'IsPrivilegedUser,Swap'. Value 'all' ignores errors from all checks. + --node-name string Specify the node name. 
+ --tls-bootstrap-token string Specify the token used to temporarily authenticate with the Kubernetes Control Plane while joining the node. + --token string Use this token for both discovery-token and tls-bootstrap-token when those values are not provided. +``` + +### Options inherited from parent commands + +``` + --rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem. +``` + diff --git a/content/en/docs/reference/setup-tools/kubeadm/kubeadm-alpha.md b/content/en/docs/reference/setup-tools/kubeadm/kubeadm-alpha.md index da92919353a51..ad59320140614 100644 --- a/content/en/docs/reference/setup-tools/kubeadm/kubeadm-alpha.md +++ b/content/en/docs/reference/setup-tools/kubeadm/kubeadm-alpha.md @@ -48,15 +48,6 @@ to enable the DynamicKubeletConfiguration feature. {{< tab name="enable-dynamic" include="generated/kubeadm_alpha_kubelet_config_download.md" />}} {{< /tabs >}} -## kubeadm alpha preflight node {#cmd-phase-preflight} - -You can use the `node` sub command to run preflight checks on a worker node. - -{{< tabs name="tab-preflight" >}} -{{< tab name="preflight" include="generated/kubeadm_alpha_preflight.md" />}} -{{< tab name="node" include="generated/kubeadm_alpha_preflight_node.md" />}} -{{< /tabs >}} - ## kubeadm alpha selfhosting pivot {#cmd-selfhosting} diff --git a/content/en/docs/reference/setup-tools/kubeadm/kubeadm-init-phase.md b/content/en/docs/reference/setup-tools/kubeadm/kubeadm-init-phase.md index 360ac57aac704..b5644d854c50d 100644 --- a/content/en/docs/reference/setup-tools/kubeadm/kubeadm-init-phase.md +++ b/content/en/docs/reference/setup-tools/kubeadm/kubeadm-init-phase.md 
@@ -79,7 +79,17 @@ Use the following phase to create a local etcd instance based on a static Pod fi {{< /tabs >}} -## kubeadm init phase mark-control-plane {#cmd-phase-control-plane} +## kubeadm init phase upload-certs {#cmd-phase-upload-certs} + +Use the following phase to upload control-plane certificates to the cluster. +By default the certs and encryption key expire after two hours. + +{{< tabs name="tab-upload-certs" >}} +{{< tab name="upload-certs" include="generated/kubeadm_init_phase_upload-certs.md" />}} +{{< /tabs >}} + + +## kubeadm init phase mark-control-plane {#cmd-phase-mark-control-plane} Use the following phase to label and taint the node with the `node-role.kubernetes.io/master=""` key-value pair. diff --git a/content/en/docs/reference/setup-tools/kubeadm/kubeadm-init.md b/content/en/docs/reference/setup-tools/kubeadm/kubeadm-init.md index c2aab8f261c63..4cabe6b34154c 100644 --- a/content/en/docs/reference/setup-tools/kubeadm/kubeadm-init.md +++ b/content/en/docs/reference/setup-tools/kubeadm/kubeadm-init.md @@ -49,7 +49,7 @@ following steps: run there. 1. Generates the token that additional nodes can use to register - themselves with the master in the future. Optionally, the user can provide a + themselves with a control-plane in the future. Optionally, the user can provide a token via `--token`, as described in the [kubeadm token](/docs/reference/setup-tools/kubeadm/kubeadm-token/) docs. @@ -82,13 +82,13 @@ Note that by calling `kubeadm init` all of the phases and sub-phases will be exe Some phases have unique flags, so if you want to have a look at the list of available options add `--help`, for example: -```bash +```shell sudo kubeadm init phase control-plane controller-manager --help ``` You can also use `--help` to see the list of sub-phases for a certain parent phase: -```bash +```shell sudo kubeadm init phase control-plane --help ``` 
@@ -96,7 +96,7 @@ sudo kubeadm init phase control-plane --help An example: -```bash +```shell sudo kubeadm init phase control-plane all --config=configfile.yaml sudo kubeadm init phase etcd local --config=configfile.yaml # you can now modify the control plane and etcd manifest files @@ -117,9 +117,10 @@ configuration file options. This file is passed in the `--config` option. In Kubernetes 1.11 and later, the default configuration can be printed out using the [kubeadm config print](/docs/reference/setup-tools/kubeadm/kubeadm-config/) command. + It is **recommended** that you migrate your old `v1alpha3` configuration to `v1beta1` using the [kubeadm config migrate](/docs/reference/setup-tools/kubeadm/kubeadm-config/) command, -because `v1alpha3` will be removed in Kubernetes 1.14. +because `v1alpha3` will be removed in Kubernetes 1.15. For more details on each field in the `v1beta1` configuration you can navigate to our [API reference pages.] (https://godoc.org/k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta1) 
@@ -266,20 +267,6 @@ with the `kubeadm init` and `kubeadm join` workflow to deploy Kubernetes cluster You may also want to set `--cri-socket` to `kubeadm init` and `kubeadm reset` when using an external CRI implementation. -### Using internal IPs in your cluster - -In order to set up a cluster where the master and worker nodes communicate with internal IP addresses (instead of public ones), execute following steps. - -1. When running init, you must make sure you specify an internal IP for the API server's bind address, like so: - - `kubeadm init --apiserver-advertise-address=` - -2. When a master or worker node has been provisioned, add a flag to `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` that specifies the private IP of the worker node: - - `--node-ip=` - -3. Finally, when you run `kubeadm join`, make sure you provide the private IP of the API server addressed as defined in step 1. - ### Setting the node name By default, `kubeadm` assigns a node name based on a machine's host address. You can override this setting with the `--node-name`flag. 
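Review bot: this hunk deletes the whole "Using internal IPs in your cluster" section of kubeadm-init.md, but the commit message lists only the control-plane wording cleanup, the phase and join notes, the pre-pull image table and the self-hosting text, and nothing in the hunk points readers to a replacement. Please either name the removal in the commit message with the reason, or leave a short pointer for readers who relied on the `--apiserver-advertise-address` and `--node-ip` steps. While this area is being touched, the context line just below has `--node-name`flag with no space before "flag".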
@@ -296,27 +283,23 @@ manager, and scheduler run as [DaemonSet pods](/docs/concepts/workloads/controll configured via the Kubernetes API instead of [static pods](/docs/tasks/administer-cluster/static-pod/) configured in the kubelet via static files. -To create a self-hosted cluster, pass the flag `--feature-gates=SelfHosting=true` to `kubeadm init`. - -{{< caution >}} -`SelfHosting` is an alpha feature. It is deprecated in 1.12 -and will be removed in 1.13. -{{< /caution >}} +To create a self-hosted cluster see the `kubeadm alpha selfhosting` command. #### Caveats -Self-hosting in 1.8 and later has some important limitations. In particular, a -self-hosted cluster _cannot recover from a reboot of the control-plane node_ -without manual intervention. This and other limitations are expected to be -resolved before self-hosting graduates from alpha. +1. Self-hosting in 1.8 and later has some important limitations. In particular, a + self-hosted cluster _cannot recover from a reboot of the control-plane node_ + without manual intervention. -By default, self-hosted control plane Pods rely on credentials loaded from -[`hostPath`](https://kubernetes.io/docs/concepts/storage/volumes/#hostpath) -volumes. Except for initial creation, these credentials are not managed by -kubeadm. +1. A self-hosted cluster is not upgradeable using `kubeadm upgrade`. -In kubeadm 1.8, the self-hosted portion of the control plane does not include etcd, -which still runs as a static Pod. +1. By default, self-hosted control plane Pods rely on credentials loaded from + [`hostPath`](https://kubernetes.io/docs/concepts/storage/volumes/#hostpath) + volumes. Except for initial creation, these credentials are not managed by + kubeadm. + +1. The self-hosted portion of the control plane does not include etcd, + which still runs as a static Pod. #### Process 
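Review bot: the removed caution was the only place in this section that told readers self-hosting is an alpha feature, and the new sentence "To create a self-hosted cluster see the `kubeadm alpha selfhosting` command." neither restates that nor links anywhere. Suggest keeping a one-line alpha notice and linking the command name to the `#cmd-selfhosting` anchor in kubeadm-alpha.md. In the caveat list, the first item still says "in 1.8 and later" while the etcd item dropped its "In kubeadm 1.8" qualifier, so the version scoping of the four caveats is now inconsistent.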
@@ -345,35 +328,16 @@ In summary, `kubeadm alpha selfhosting` works as follows: ### Running kubeadm without an internet connection -For running kubeadm without an internet connection you have to pre-pull the required master images for the version of choice: - -| Image Name | v1.10 release branch version | -|--------------------------------------------|------------------------------| -| k8s.gcr.io/kube-apiserver-${ARCH} | v1.10.x | -| k8s.gcr.io/kube-controller-manager-${ARCH} | v1.10.x | -| k8s.gcr.io/kube-scheduler-${ARCH} | v1.10.x | -| k8s.gcr.io/kube-proxy-${ARCH} | v1.10.x | -| k8s.gcr.io/etcd-${ARCH} | 3.1.12 | -| k8s.gcr.io/pause-${ARCH} | 3.1 | -| k8s.gcr.io/k8s-dns-sidecar-${ARCH} | 1.14.8 | -| k8s.gcr.io/k8s-dns-kube-dns-${ARCH} | 1.14.8 | -| k8s.gcr.io/k8s-dns-dnsmasq-nanny-${ARCH} | 1.14.8 | -| coredns/coredns | 1.0.6 | - -Here `v1.10.x` means the "latest patch release of the v1.10 branch". - -`${ARCH}` can be one of: `amd64`, `arm`, `arm64`, `ppc64le` or `s390x`. - -If you run Kubernetes version 1.10 or earlier, and if you set `--feature-gates=CoreDNS=true`, -you must also use the `coredns/coredns` image, instead of the three `k8s-dns-*` images. +For running kubeadm without an internet connection you have to pre-pull the required control-plane images. In Kubernetes 1.11 and later, you can list and pull the images using the `kubeadm config images` sub-command: -``` + +```shell kubeadm config images list kubeadm config images pull ``` -Starting with Kubernetes 1.12, the `k8s.gcr.io/kube-*`, `k8s.gcr.io/etcd` and `k8s.gcr.io/pause` images +In Kubernetes 1.12 and later, the `k8s.gcr.io/kube-*`, `k8s.gcr.io/etcd` and `k8s.gcr.io/pause` images don't require an `-${ARCH}` suffix. ### Automating kubeadm 
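Review bot: the closing sentence of this hunk still says the images "don't require an `-${ARCH}` suffix", but the table that used that suffix and the line explaining what `${ARCH}` can be are both removed here, so the sentence now refers to something the page no longer introduces. Either drop it or add a clause saying what the suffix was. Also, under a heading about running without an internet connection, the only remaining instruction is `kubeadm config images pull`, which itself needs registry access; a sentence saying the images are listed and pulled in advance, before the node goes offline, would close that gap.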
@@ -381,7 +345,7 @@ don't require an `-${ARCH}` suffix. Rather than copying the token you obtained from `kubeadm init` to each node, as in the [basic kubeadm tutorial](/docs/setup/independent/create-cluster-kubeadm/), you can parallelize the token distribution for easier automation. To implement this automation, you must -know the IP address that the master will have after it is started. +know the IP address that the control-plane node will have after it is started. 1. Generate a token. This token must have the form `<6 character string>.<16 character string>`. More formally, it must match the regex: @@ -389,7 +353,7 @@ know the IP address that the master will have after it is started. kubeadm can generate a token for you: - ```bash + ```shell kubeadm token generate ``` diff --git a/content/en/docs/reference/setup-tools/kubeadm/kubeadm-join-phase.md b/content/en/docs/reference/setup-tools/kubeadm/kubeadm-join-phase.md new file mode 100644 index 0000000000000..bb993fa113cc9 --- /dev/null +++ b/content/en/docs/reference/setup-tools/kubeadm/kubeadm-join-phase.md 
@@ -0,0 +1,62 @@ +--- +title: kubeadm join phase +weight: 90 +--- +In v1.14.0, kubeadm introduces the `kubeadm join phase` command with the aim of making kubeadm more modular. This modularity enables you to invoke atomic sub-steps of the join process. +Hence, you can let kubeadm do some parts and fill in yourself where you need customizations. + +`kubeadm join phase` is consistent with the [kubeadm join workflow](/docs/reference/setup-tools/kubeadm/kubeadm-join/#join-workflow), +and behind the scene both use the same code. + +## kubeadm join phase {#cmd-join-phase} + +{{< tabs name="tab-phase" >}} +{{< tab name="phase" include="generated/kubeadm_join_phase.md" />}} +{{< /tabs >}} + +## kubeadm join phase preflight {#cmd-join-phase-preflight} + +Using this phase you can execute preflight checks on a joining node. + +{{< tabs name="tab-preflight" >}} +{{< tab name="preflight" include="generated/kubeadm_join_phase_preflight.md" />}} +{{< /tabs >}} + +## kubeadm join phase control-plane-prepare {#cmd-join-phase-control-plane-prepare} + +Using this phase you can prepare a node for serving a control-plane. + +{{< tabs name="tab-control-plane-prepare" >}} +{{< tab name="control-plane-prepare" include="generated/kubeadm_join_phase_control-plane-prepare.md" />}} +{{< tab name="all" include="generated/kubeadm_join_phase_control-plane-prepare_all.md" />}} +{{< tab name="download-certs" include="generated/kubeadm_join_phase_control-plane-prepare_download-certs.md" />}} +{{< tab name="certs" include="generated/kubeadm_join_phase_control-plane-prepare_certs.md" />}} +{{< tab name="kubeconfig" include="generated/kubeadm_join_phase_control-plane-prepare_kubeconfig.md" />}} +{{< tab name="control-plane" include="generated/kubeadm_join_phase_control-plane-prepare_control-plane.md" />}} +{{< /tabs >}} + +## kubeadm join phase kubelet-start {#cmd-join-phase-kubelet-start} + +Using this phase you can write the kubelet settings, certificates and (re)start the kubelet. 
+ +{{< tabs name="tab-kubelet-start" >}} +{{< tab name="kubelet-start" include="generated/kubeadm_join_phase_kubelet-start.md" />}} +{{< /tabs >}} + +## kubeadm join phase control-plane-join {#cmd-join-phase-control-plane-join} + +Using this phase you can join a node as a control-plane instance. + +{{< tabs name="tab-control-plane-join" >}} +{{< tab name="control-plane-join" include="generated/kubeadm_join_phase_control-plane-join.md" />}} +{{< tab name="all" include="generated/kubeadm_join_phase_control-plane-join_all.md" />}} +{{< tab name="etcd" include="generated/kubeadm_join_phase_control-plane-join_etcd.md" />}} +{{< tab name="update-status" include="generated/kubeadm_join_phase_control-plane-join_update-status.md" />}} +{{< tab name="mark-control-plane" include="generated/kubeadm_join_phase_control-plane-join_mark-control-plane.md" />}} +{{< /tabs >}} + +## What's next +* [kubeadm init](/docs/reference/setup-tools/kubeadm/kubeadm-init/) to bootstrap a Kubernetes control-plane node +* [kubeadm join](/docs/reference/setup-tools/kubeadm/kubeadm-join/) to connect a node to the cluster +* [kubeadm reset](/docs/reference/setup-tools/kubeadm/kubeadm-reset/) to revert any changes made to this host by `kubeadm init` or `kubeadm join` +* [kubeadm alpha](/docs/reference/setup-tools/kubeadm/kubeadm-alpha/) to try experimental functionality diff --git a/content/en/docs/reference/setup-tools/kubeadm/kubeadm-join.md b/content/en/docs/reference/setup-tools/kubeadm/kubeadm-join.md index 6c6de5a281606..7852e16af1e0e 100644 --- a/content/en/docs/reference/setup-tools/kubeadm/kubeadm-join.md +++ b/content/en/docs/reference/setup-tools/kubeadm/kubeadm-join.md 
@@ -14,23 +14,16 @@ This command initializes a Kubernetes worker node and joins it to the cluster. {{% capture body %}} {{< include "generated/kubeadm_join.md" >}} -### The joining workflow +### The join workflow {#join-workflow} -`kubeadm join` bootstraps a Kubernetes worker node and joins it to the cluster. -This action consists of the following steps: +`kubeadm join` bootstraps a Kubernetes worker node or a control-plane node and adds it to the cluster. +This action consists of the following steps for worker nodes: 1. kubeadm downloads necessary cluster information from the API server. By default, it uses the bootstrap token and the CA key hash to verify the authenticity of that data. The root CA can also be discovered directly via a file or URL. -1. If kubeadm is invoked with `--feature-gates=DynamicKubeletConfig` enabled, - it first retrieves the kubelet init configuration from the master and writes it to - the disk. When kubelet starts up, kubeadm updates the node `Node.spec.configSource` property of the node. - See [Set Kubelet parameters via a config file](/docs/tasks/administer-cluster/kubelet-config-file/) - and [Reconfigure a Node's Kubelet in a Live Cluster](/docs/tasks/administer-cluster/reconfigure-kubelet/) - for more information about Dynamic Kubelet Configuration. - 1. Once the cluster information is known, kubelet can start the TLS bootstrapping process. 
@@ -41,6 +34,40 @@ This action consists of the following steps: 1. Finally, kubeadm configures the local kubelet to connect to the API server with the definitive identity assigned to the node. +For control-plane nodes additional steps are performed: + +1. Downloading certificates shared among control-plane nodes from the cluster + (if explicitly requested by the user). + +1. Generating control-plane component manifests, certificates and kubeconfig. + +1. Adding new local etcd member. + +1. Adding this node to the ClusterStatus of the kubeadm cluster. + +### Using join phases with kubeadm {#join-phases} + +Kubeadm allows you join a node to the cluster in phases. The `kubeadm join phase` command was added in v1.14.0. + +To view the ordered list of phases and sub-phases you can call `kubeadm join --help`. The list will be located +at the top of the help screen and each phase will have a description next to it. +Note that by calling `kubeadm join` all of the phases and sub-phases will be executed in this exact order. + +Some phases have unique flags, so if you want to have a look at the list of available options add `--help`, for example: + +```shell +kubeadm join phase kubelet-start --help +``` + +Similar to the [kubeadm init phase](/docs/reference/setup-tools/kubeadm/kubeadm-init/#init-phases) +command, `kubadm join phase` allows you to skip a list of phases using the `--skip-phases` flag. + +For example: + +```shell +sudo kubeadm join --skip-phases=preflight --config=config.yaml +``` + ### Discovering what cluster CA to trust The kubeadm discovery has several options, each with security tradeoffs. 
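Review bot: Two wording slips in the added join-phases section: "Kubeadm allows you join a node" is missing "to", and the command is misspelled as `kubadm join phase` in the sentence that introduces `--skip-phases`. The only `--skip-phases` example is `sudo kubeadm join --skip-phases=preflight --config=config.yaml`, so the first thing a reader copies turns off the preflight checks. Suggest one sentence on what that phase checks and when skipping it is reasonable, or an example phase whose omission the text already explains.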
@@ -56,27 +83,35 @@ that the API server certificate is valid under the root CA. The CA key hash has the format `sha256:`. By default, the hash value is returned in the `kubeadm join` command printed at the end of `kubeadm init` or in the output of `kubeadm token create --print-join-command`. It is in a standard format (see [RFC7469](https://tools.ietf.org/html/rfc7469#section-2.4)) and can also be calculated by 3rd party tools or provisioning systems. For example, using the OpenSSL CLI: -```bash +```shell openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //' ``` -**Example `kubeadm join` command:** +**Example `kubeadm join` commands:** -```bash +For worker nodes: + +```shell kubeadm join --discovery-token abcdef.1234567890abcdef --discovery-token-ca-cert-hash sha256:1234..cdef 1.2.3.4:6443 ``` +For control-plane nodes: + +```shell +kubeadm join --discovery-token abcdef.1234567890abcdef --discovery-token-ca-cert-hash sha256:1234..cdef --experimental-control-plane 1.2.3.4:6443 +``` + **Advantages:** - Allows bootstrapping nodes to securely discover a root of trust for the - master even if other worker nodes or the network are compromised. + control-plane node even if other worker nodes or the network are compromised. - Convenient to execute manually since all of the information required fits into a single `kubeadm join` command that is easy to copy and paste. **Disadvantages:** - - The CA hash is not normally known until the master has been provisioned, + - The CA hash is not normally known until the control-plane node has been provisioned, which can make it more difficult to build automated provisioning tools that use kubeadm. By generating your CA in beforehand, you may workaround this limitation though. 
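Review bot: The added "For control-plane nodes" example differs from the worker example only by `--experimental-control-plane`, but the workflow section added earlier in this patch says the shared certificates are downloaded only "if explicitly requested by the user". As written, the example does not show how the joining node gets those certificates. Suggest either showing the flag that requests the download or adding a sentence that the certificates must already be present on the node. Minor: the context line "By generating your CA in beforehand, you may workaround this limitation though" sits directly under an edited line and could be cleaned up in the same pass.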
@@ -86,13 +121,13 @@ kubeadm join --discovery-token abcdef.1234567890abcdef --discovery-token-ca-cert _This was the default in Kubernetes 1.7 and earlier_, but comes with some important caveats. This mode relies only on the symmetric token to sign (HMAC-SHA256) the discovery information that establishes the root of trust for -the master. It's still possible in Kubernetes 1.8 and above using the +the control-plane. It's still possible in Kubernetes 1.8 and above using the `--discovery-token-unsafe-skip-ca-verification` flag, but you should consider using one of the other modes if possible. **Example `kubeadm join` command:** -``` +```shell kubeadm join --token abcdef.1234567890abcdef --discovery-token-unsafe-skip-ca-verification 1.2.3.4:6443` ``` @@ -100,7 +135,7 @@ kubeadm join --token abcdef.1234567890abcdef --discovery-token-unsafe-skip-ca-ve - Still protects against many network-level attacks. - - The token can be generated ahead of time and shared with the master and + - The token can be generated ahead of time and shared with the control-plane node and worker nodes, which can then bootstrap in parallel without coordination. This allows it to be used in many provisioning scenarios. @@ -108,11 +143,11 @@ kubeadm join --token abcdef.1234567890abcdef --discovery-token-unsafe-skip-ca-ve - If an attacker is able to steal a bootstrap token via some vulnerability, they can use that token (along with network-level access) to impersonate the - master to other bootstrapping nodes. This may or may not be an appropriate + control-plane node to other bootstrapping nodes. This may or may not be an appropriate tradeoff in your environment. #### File or HTTPS-based discovery -This provides an out-of-band way to establish a root of trust between the master +This provides an out-of-band way to establish a root of trust between the control-plane node and bootstrapping nodes. Consider using this mode if you are building automated provisioning using kubeadm. 
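Review bot: In the first hunk here (`@@ -86,13 +121,13 @@`) the fence gains a `shell` tag, but the command inside it still ends with a stray trailing backtick after `1.2.3.4:6443`. Since the block is now marked as shell, that character will be pasted along with the command; remove it in this patch. The same hunk replaces "the master" with "the control-plane", while every other replacement in this file uses "the control-plane node"; pick one term.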
@@ -125,12 +160,12 @@ using kubeadm. **Advantages:** - Allows bootstrapping nodes to securely discover a root of trust for the - master even if the network or other worker nodes are compromised. + control-plane node even if the network or other worker nodes are compromised. **Disadvantages:** - Requires that you have some way to carry the discovery information from - the master to the bootstrapping nodes. This might be possible, for example, + the control-plane node to the bootstrapping nodes. This might be possible, for example, via your cloud provider or provisioning tool. The information in this file is not secret, but HTTPS or equivalent is required to ensure its integrity. @@ -145,21 +180,21 @@ By default, there is a CSR auto-approver enabled that basically approves any cli for a kubelet when a Bootstrap Token was used when authenticating. If you don't want the cluster to automatically approve kubelet client certs, you can turn it off by executing this command: -```console +```shell $ kubectl delete clusterrolebinding kubeadm:node-autoapprove-bootstrap ``` After that, `kubeadm join` will block until the admin has manually approved the CSR in flight: -```console -$ kubectl get csr +```shell +kubectl get csr NAME AGE REQUESTOR CONDITION node-csr-c69HXe7aYcqkS1bKmH4faEnHAWxn6i2bHZ2mD04jZyQ 18s system:bootstrap:878f07 Pending -$ kubectl certificate approve node-csr-c69HXe7aYcqkS1bKmH4faEnHAWxn6i2bHZ2mD04jZyQ +kubectl certificate approve node-csr-c69HXe7aYcqkS1bKmH4faEnHAWxn6i2bHZ2mD04jZyQ certificatesigningrequest "node-csr-c69HXe7aYcqkS1bKmH4faEnHAWxn6i2bHZ2mD04jZyQ" approved -$ kubectl get csr +kubectl get csr NAME AGE REQUESTOR CONDITION node-csr-c69HXe7aYcqkS1bKmH4faEnHAWxn6i2bHZ2mD04jZyQ 1m system:bootstrap:878f07 Approved,Issued ``` 
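Review bot: The `console` to `shell` retagging in `@@ -145,21 +180,21 @@` is applied inconsistently: the `kubectl delete clusterrolebinding kubeadm:node-autoapprove-bootstrap` line keeps its `$ ` prompt, while the prompts are removed from `kubectl get csr` and `kubectl certificate approve`. In the second block the commands and their output now share one `shell` fence with nothing to tell them apart, so the CSR table and the "approved" line read as commands. Suggest keeping `console` with prompts for blocks that show output, or moving the output into its own untagged fence, and removing the leftover `$ `.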
@@ -169,15 +204,15 @@ Only after `kubectl certificate approve` has been run, `kubeadm join` can procee #### Turning off public access to the cluster-info ConfigMap In order to achieve the joining flow using the token as the only piece of validation information, a - ConfigMap with some data needed for validation of the master's identity is exposed publicly by + ConfigMap with some data needed for validation of the control-plane node's identity is exposed publicly by default. While there is no private data in this ConfigMap, some users might wish to turn it off regardless. Doing so will disable the ability to use the `--discovery-token` flag of the `kubeadm join` flow. Here are the steps to do so: * Fetch the `cluster-info` file from the API Server: -```console -$ kubectl -n kube-public get cm cluster-info -o yaml | grep "kubeconfig:" -A11 | grep "apiVersion" -A10 | sed "s/ //" | tee cluster-info.yaml +```shell +kubectl -n kube-public get cm cluster-info -o yaml | grep "kubeconfig:" -A11 | grep "apiVersion" -A10 | sed "s/ //" | tee cluster-info.yaml apiVersion: v1 clusters: - cluster: @@ -195,8 +230,8 @@ users: [] * Turn off public access to the `cluster-info` ConfigMap: -```console -$ kubectl -n kube-public delete rolebinding kubeadm:bootstrap-signer-clusterinfo +```shell +kubectl -n kube-public delete rolebinding kubeadm:bootstrap-signer-clusterinfo ``` These commands should be run after `kubeadm init` but before `kubeadm join`. @@ -214,7 +249,7 @@ contain a `JoinConfiguration` structure. To print the default values of `JoinConfiguration` run the following command: -```bash +```shell kubeadm config print-default --api-objects=JoinConfiguration ``` From f50c664d78726b4345414bf741a734ef77615986 Mon Sep 17 00:00:00 2001 
From: "Lubomir I. Ivanov" Date: Sat, 16 Mar 2019 20:32:56 +0200 Subject: [PATCH 32/47] kubeadm: update the 1.14 HA guide (#13191) * kubeadm: update the 1.14 HA guide * kubeadm: try to fix note/caution indent in HA page * kubeadm: fix missing sudo and minor amends in HA doc * kubeadm: apply latest amends to the HA doc for 1.14 --- .../setup/independent/high-availability.md | 327 ++++++++++-------- 1 file changed, 174 insertions(+), 153 deletions(-) diff --git a/content/en/docs/setup/independent/high-availability.md b/content/en/docs/setup/independent/high-availability.md index 10e0e2b32ce37..38f0425dfc530 100644 --- a/content/en/docs/setup/independent/high-availability.md +++ b/content/en/docs/setup/independent/high-availability.md 
@@ -19,15 +19,12 @@ control plane nodes and etcd members are separated. Before proceeding, you should carefully consider which approach best meets the needs of your applications and environment. [This comparison topic](/docs/setup/independent/ha-topology/) outlines the advantages and disadvantages of each. -Your clusters must run Kubernetes version 1.12 or later. You should also be aware that -setting up HA clusters with kubeadm is still experimental and will be further simplified -in future versions. You might encounter issues with upgrading your clusters, for example. +You should also be aware that setting up HA clusters with kubeadm is still experimental and will be further +simplified in future versions. You might encounter issues with upgrading your clusters, for example. We encourage you to try either approach, and provide us with feedback in the kubeadm [issue tracker](https://github.com/kubernetes/kubeadm/issues/new). -Note that the alpha feature gate `HighAvailability` is deprecated in v1.12 and removed in v1.13. - -See also [The HA upgrade documentation](/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade-ha-1-13). +See also [The upgrade documentation](/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade-1-14). {{< caution >}} This page does not address running your cluster on a cloud provider. In a cloud 
@@ -57,28 +54,12 @@ For the external etcd cluster only, you also need: - Three additional machines for etcd members -{{< note >}} -The following examples run Calico as the Pod networking provider. If you run another -networking provider, make sure to replace any default values as needed. -{{< /note >}} - {{% /capture %}} {{% capture steps %}} ## First steps for both methods -{{< note >}} -**Note**: All commands on any control plane or etcd node should be -run as root. -{{< /note >}} - -- Some CNI network plugins like Calico require a CIDR such as `192.168.0.0/16` and - some like Weave do not. See the [CNI network - documentation](/docs/setup/independent/create-cluster-kubeadm/#pod-network). - To add a pod CIDR set the `podSubnet: 192.168.0.0/16` field under - the `networking` object of `ClusterConfiguration`. - ### Create load balancer for kube-apiserver {{< note >}} @@ -119,38 +100,6 @@ option. Your cluster requirements may need a different configuration. 1. Add the remaining control plane nodes to the load balancer target group. -### Configure SSH - -SSH is required if you want to control all nodes from a single machine. - -1. Enable ssh-agent on your main device that has access to all other nodes in - the system: - - ``` - eval $(ssh-agent) - ``` - -1. Add your SSH identity to the session: - - ``` - ssh-add ~/.ssh/path_to_private_key - ``` - -1. SSH between nodes to check that the connection is working correctly. - - - When you SSH to any node, make sure to add the `-A` flag: - - ``` - ssh -A 10.0.0.7 - ``` - - - When using sudo on any node, make sure to preserve the environment so SSH - forwarding works: - - ``` - sudo -E -s - ``` - ## Stacked control plane and etcd nodes ### Steps for the first control plane node 
@@ -160,9 +109,6 @@ SSH is required if you want to control all nodes from a single machine. apiVersion: kubeadm.k8s.io/v1beta1 kind: ClusterConfiguration kubernetesVersion: stable - apiServer: - certSANs: - - "LOAD_BALANCER_DNS" controlPlaneEndpoint: "LOAD_BALANCER_DNS:LOAD_BALANCER_PORT" - `kubernetesVersion` should be set to the Kubernetes version to use. This 
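Review bot: Removing `apiServer.certSANs` leaves `controlPlaneEndpoint` as the only place the load balancer name appears in the config, and nothing in the surrounding text tells a reader who has the old file whether the API server certificate still covers `LOAD_BALANCER_DNS`. Suggest one sentence under the `controlPlaneEndpoint` bullet saying whether it does, so the removal is not read as an omission.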
@@ -170,131 +116,124 @@ SSH is required if you want to control all nodes from a single machine. - `controlPlaneEndpoint` should match the address or DNS and port of the load balancer. - It's recommended that the versions of kubeadm, kubelet, kubectl and Kubernetes match. -1. Make sure that the node is in a clean state: +{{< note >}} +Some CNI network plugins like Calico require a CIDR such as `192.168.0.0/16` and +some like Weave do not. See the [CNI network +documentation](/docs/setup/independent/create-cluster-kubeadm/#pod-network). +To add a pod CIDR set the `podSubnet: 192.168.0.0/16` field under +the `networking` object of `ClusterConfiguration`. +{{< /note >}} + +1. Initialize the control plane: ```sh - sudo kubeadm init --config=kubeadm-config.yaml + sudo kubeadm init --config=kubeadm-config.yaml --experimental-upload-certs ``` - - You should see something like: + - The `--experimental-upload-certs` flags is used to upload the certificates that should be shared + across all the control-plane instances to the cluster. If instead, you prefer to copy certs across + control-plane nodes manually or using automation tools, please remove this flag and refer to [Manual + certificate distribution](#manual-certs) section bellow. + + After the command completes you should see something like so: ```sh ... - You can now join any number of machines by running the following on each node - as root: + You can now join any number of control-plane node by running the following command on each as a root: + kubeadm join 192.168.0.200:6443 --token 9vr73a.a8uxyaju799qwdjv --discovery-token-ca-cert-hash sha256:7c2e69131a36ae2a042a339b33381c6d0d43887e2de83720eff5359e26aec866 --experimental-control-plane --certificate-key f8902e114ef118304e561c3ecd4d0b543adc226b7a07f675f56564185ffe0c07 - kubeadm join 192.168.0.200:6443 --token j04n3m.octy8zely83cy2ts --discovery-token-ca-cert-hash sha256:84938d2a22203a8e56a787ec0c6ddad7bc7dbd52ebabc62fd5f4dbea72b14d1f - ``` - -1. 
Copy this output to a text file. You will need it later to join other control plane nodes to the - cluster. - -1. Apply the Weave CNI plugin: + Please note that the certificate-key gives access to cluster sensitive data, keep it secret! + As a safeguard, uploaded-certs will be deleted in two hours; If necessary, you can use kubeadm init phase upload-certs to reload certs afterward. - ```sh - kubectl apply -f "https://cloud.weave.works/k8s/net?k8s-version=$(kubectl version | base64 | tr -d '\n')" + Then you can join any number of worker nodes by running the following on each as root: + kubeadm join 192.168.0.200:6443 --token 9vr73a.a8uxyaju799qwdjv --discovery-token-ca-cert-hash sha256:7c2e69131a36ae2a042a339b33381c6d0d43887e2de83720eff5359e26aec866 ``` -1. Type the following and watch the pods of the components get started: + - Copy this output to a text file. You will need it later to join control plane and worker nodes to the cluster. + - When `--experimental-upload-certs` is used with `kubeadm init`, the certificates of the primary control plane + are encrypted and uploaded in the `kubeadm-certs` Secret. + - To re-upload the certificates and generate a new decryption key, use the following command on a control plane + node that is already joined to the cluster: - ```sh - kubectl get pod -n kube-system -w - ``` - - - It's recommended that you join new control plane nodes only after the first node has finished initializing. + ```sh + sudo kubeadm init phase upload-certs --experimental-upload-certs + ``` -1. Copy the certificate files from the first control plane node to the rest: - - In the following example, replace `CONTROL_PLANE_IPS` with the IP addresses of the - other control plane nodes. 
- ```sh - USER=ubuntu # customizable - CONTROL_PLANE_IPS="10.0.0.7 10.0.0.8" - for host in ${CONTROL_PLANE_IPS}; do - scp /etc/kubernetes/pki/ca.crt "${USER}"@$host: - scp /etc/kubernetes/pki/ca.key "${USER}"@$host: - scp /etc/kubernetes/pki/sa.key "${USER}"@$host: - scp /etc/kubernetes/pki/sa.pub "${USER}"@$host: - scp /etc/kubernetes/pki/front-proxy-ca.crt "${USER}"@$host: - scp /etc/kubernetes/pki/front-proxy-ca.key "${USER}"@$host: - scp /etc/kubernetes/pki/etcd/ca.crt "${USER}"@$host:etcd-ca.crt - scp /etc/kubernetes/pki/etcd/ca.key "${USER}"@$host:etcd-ca.key - scp /etc/kubernetes/admin.conf "${USER}"@$host: - done - ``` +{{< note >}} +The `kubeadm-certs` Secret and decryption key expire after two hours. +{{< /note >}} {{< caution >}} -Copy only the certificates in the above list. kubeadm will take care of generating the rest of the certificates -with the required SANs for the joining control-plane instances. If you copy all the certificates by mistake, -the creation of additional nodes could fail due to a lack of required SANs. +As stated in the command output, the certificate-key gives access to cluster sensitive data, keep it secret! {{< /caution >}} -### Steps for the rest of the control plane nodes +1. Apply the CNI plugin of your choice: + + [Follow these instructions](/docs/setup/independent/create-cluster-kubeadm/#pod-network) to install + the CNI provider. Make sure the configuration corresponds to the Pod CIDR specified in the kubeadm + configuration file if applicable. -1. 
Move the files created by the previous step where `scp` was used: + In this example we are using Weave Net: ```sh - USER=ubuntu # customizable - mkdir -p /etc/kubernetes/pki/etcd - mv /home/${USER}/ca.crt /etc/kubernetes/pki/ - mv /home/${USER}/ca.key /etc/kubernetes/pki/ - mv /home/${USER}/sa.pub /etc/kubernetes/pki/ - mv /home/${USER}/sa.key /etc/kubernetes/pki/ - mv /home/${USER}/front-proxy-ca.crt /etc/kubernetes/pki/ - mv /home/${USER}/front-proxy-ca.key /etc/kubernetes/pki/ - mv /home/${USER}/etcd-ca.crt /etc/kubernetes/pki/etcd/ca.crt - mv /home/${USER}/etcd-ca.key /etc/kubernetes/pki/etcd/ca.key - mv /home/${USER}/admin.conf /etc/kubernetes/admin.conf + kubectl apply -f "https://cloud.weave.works/k8s/net?k8s-version=$(kubectl version | base64 | tr -d '\n')" ``` - This process writes all the requested files in the `/etc/kubernetes` folder. - -1. Start `kubeadm join` on this node using the join command that was previously given to you by `kubeadm init` on - the first node. It should look something like this: +1. Type the following and watch the pods of the control plane components get started: ```sh - sudo kubeadm join 192.168.0.200:6443 --token j04n3m.octy8zely83cy2ts --discovery-token-ca-cert-hash sha256:84938d2a22203a8e56a787ec0c6ddad7bc7dbd52ebabc62fd5f4dbea72b14d1f --experimental-control-plane + kubectl get pod -n kube-system -w ``` - - Notice the addition of the `--experimental-control-plane` flag. This flag automates joining this - control plane node to the cluster. +### Steps for the rest of the control plane nodes + +{{< caution >}} +You must join new control plane nodes sequentially, only after the first node has finished initializing. +{{< /caution >}} -1. Type the following and watch the pods of the components get started: +For each additional control plane node you should: + +1. Execute the join command that was previously given to you by the `kubeadm init` output on the first node. 
+ It should look something like this: ```sh - kubectl get pod -n kube-system -w + sudo kubeadm join 192.168.0.200:6443 --token 9vr73a.a8uxyaju799qwdjv --discovery-token-ca-cert-hash sha256:7c2e69131a36ae2a042a339b33381c6d0d43887e2de83720eff5359e26aec866 --experimental-control-plane --certificate-key f8902e114ef118304e561c3ecd4d0b543adc226b7a07f675f56564185ffe0c07 ``` -1. Repeat these steps for the rest of the control plane nodes. + - The `--experimental-control-plane` flag tells `kubeadm join` to create a new control plane. + - The `--certificate-key ...` will cause the control plane certificates to be downloaded + from the `kubeadm-certs` Secret in the cluster and be decrypted using the given key. ## External etcd nodes +Setting up a cluster with external etcd nodes is similar to the procedure used for stacked etcd +with the exception that you should setup etcd first, and you should pass the etcd information +in the kubeadm config file. + ### Set up the etcd cluster -- Follow [these instructions](/docs/setup/independent/setup-ha-etcd-with-kubeadm/) - to set up the etcd cluster. +1. Follow [these instructions](/docs/setup/independent/setup-ha-etcd-with-kubeadm/) + to set up the etcd cluster. -### Set up the first control plane node +1. Setup SSH as described [here](#manual-certs). -1. Copy the following files from any node from the etcd cluster to this node: +1. 
Copy the following files from any etcd node in the cluster to the first control plane node: ```sh export CONTROL_PLANE="ubuntu@10.0.0.7" - +scp /etc/kubernetes/pki/etcd/ca.crt "${CONTROL_PLANE}": - +scp /etc/kubernetes/pki/apiserver-etcd-client.crt "${CONTROL_PLANE}": - +scp /etc/kubernetes/pki/apiserver-etcd-client.key "${CONTROL_PLANE}": + scp /etc/kubernetes/pki/etcd/ca.crt "${CONTROL_PLANE}": + scp /etc/kubernetes/pki/apiserver-etcd-client.crt "${CONTROL_PLANE}": + scp /etc/kubernetes/pki/apiserver-etcd-client.key "${CONTROL_PLANE}": ``` - - Replace the value of `CONTROL_PLANE` with the `user@host` of this machine. + - Replace the value of `CONTROL_PLANE` with the `user@host` of the first control plane machine. + +### Set up the first control plane node 1. Create a file called `kubeadm-config.yaml` with the following contents: apiVersion: kubeadm.k8s.io/v1beta1 kind: ClusterConfiguration kubernetesVersion: stable - apiServer: - certSANs: - - "LOAD_BALANCER_DNS" controlPlaneEndpoint: "LOAD_BALANCER_DNS:LOAD_BALANCER_PORT" etcd: external: @@ -306,9 +245,13 @@ the creation of additional nodes could fail due to a lack of required SANs. certFile: /etc/kubernetes/pki/apiserver-etcd-client.crt keyFile: /etc/kubernetes/pki/apiserver-etcd-client.key - - The difference between stacked etcd and external etcd here is that we are using the `external` field for `etcd` in the kubeadm config. In the case of the stacked etcd topology this is managed automatically. +{{< note >}} +The difference between stacked etcd and external etcd here is that we are using +the `external` field for `etcd` in the kubeadm config. In the case of the stacked +etcd topology this is managed automatically. +{{< /note >}} - - Replace the following variables in the template with the appropriate values for your cluster: + - Replace the following variables in the config template with the appropriate values for your cluster: - `LOAD_BALANCER_DNS` - `LOAD_BALANCER_PORT` 
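Review bot: In `@@ -170,131 +116,124 @@` the added bullet "Copy this output to a text file" now applies to output that contains the `--certificate-key` value, and the same hunk adds a caution that this key "gives access to cluster sensitive data, keep it secret!". The two instructions pull against each other. Suggest telling the reader to keep the control-plane join command out of shared notes and files readable by other users, or to discard it and re-run `sudo kubeadm init phase upload-certs --experimental-upload-certs` when a node is added, which fits the two-hour expiry stated in the note. Typos in the added prose: "flags is used" and "section bellow". The `{{< note >}}` and `{{< caution >}}` shortcodes are added at column 0 between numbered items, which ends the numbered list at that point unless they are indented under the item.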
@@ -316,11 +259,13 @@ the creation of additional nodes could fail due to a lack of required SANs. - `ETCD_1_IP` - `ETCD_2_IP` -1. Run `kubeadm init --config kubeadm-config.yaml` on this node. +The following steps are exactly the same as described for stacked etcd setup: -1. Write the join command that is returned to a text file for later use. +1. Run `sudo kubeadm init --config kubeadm-config.yaml --experimental-upload-certs` on this node. -1. Apply the Weave CNI plugin: +1. Write the output join commands that are returned to a text file for later use. + +1. Apply the CNI plugin of your choice. The given example is for Weave Net: ```sh kubectl apply -f "https://cloud.weave.works/k8s/net?k8s-version=$(kubectl version | base64 | tr -d '\n')" 
@@ -328,27 +273,103 @@ the creation of additional nodes could fail due to a lack of required SANs. ### Steps for the rest of the control plane nodes -To add the rest of the control plane nodes, follow [these instructions](#steps-for-the-rest-of-the-control-plane-nodes). -The steps are the same as for the stacked etcd setup, with the exception that a local -etcd member is not created. - -To summarize: +The steps are the same as for the stacked etcd setup: - Make sure the first control plane node is fully initialized. -- Copy certificates between the first control plane node and the other control plane nodes. -- Join each control plane node with the join command you saved to a text file, plus add the `--experimental-control-plane` flag. +- Join each control plane node with the join command you saved to a text file. It's recommended +to join the control plane nodes one at a time. +- Don't forget that the decryption key from `--certificate-key` expires after two hours, by default. ## Common tasks after bootstrapping control plane -### Install a pod network +### Install workers -[Follow these instructions](/docs/setup/independent/create-cluster-kubeadm/#pod-network) to install -the pod network. Make sure this corresponds to whichever pod CIDR you provided -in the master configuration file. +Worker nodes can be joined to the cluster with the command you stored previously +as the output from the `kubeadm init` command: -### Install workers +```sh +sudo kubeadm join 192.168.0.200:6443 --token 9vr73a.a8uxyaju799qwdjv --discovery-token-ca-cert-hash sha256:7c2e69131a36ae2a042a339b33381c6d0d43887e2de83720eff5359e26aec866 +``` + +## Manual certificate distribution {#manual-certs} + +If you choose to not use `kubeadm init` with the `--experimental-upload-certs` flag this means that +you are going to have to manually copy the certificates from the primary control plane node to the +joining control plane nodes. + +There are many ways to do this. 
In the following example we are using `ssh` and `scp`: + +SSH is required if you want to control all nodes from a single machine. + +1. Enable ssh-agent on your main device that has access to all other nodes in + the system: + + ``` + eval $(ssh-agent) + ``` + +1. Add your SSH identity to the session: + + ``` + ssh-add ~/.ssh/path_to_private_key + ``` + +1. SSH between nodes to check that the connection is working correctly. + + - When you SSH to any node, make sure to add the `-A` flag: + + ``` + ssh -A 10.0.0.7 + ``` -Each worker node can now be joined to the cluster with the command returned from any of the -`kubeadm init` commands. The flag `--experimental-control-plane` should not be added to worker nodes. + - When using sudo on any node, make sure to preserve the environment so SSH + forwarding works: + + ``` + sudo -E -s + ``` + +1. After configuring SSH on all the nodes you should run the following script on the first control plane node after + running `kubeadm init`. This script will copy the certificates from the first control plane node to the other + control plane nodes: + + In the following example, replace `CONTROL_PLANE_IPS` with the IP addresses of the + other control plane nodes. + ```sh + USER=ubuntu # customizable + CONTROL_PLANE_IPS="10.0.0.7 10.0.0.8" + for host in ${CONTROL_PLANE_IPS}; do + scp /etc/kubernetes/pki/ca.crt "${USER}"@$host: + scp /etc/kubernetes/pki/ca.key "${USER}"@$host: + scp /etc/kubernetes/pki/sa.key "${USER}"@$host: + scp /etc/kubernetes/pki/sa.pub "${USER}"@$host: + scp /etc/kubernetes/pki/front-proxy-ca.crt "${USER}"@$host: + scp /etc/kubernetes/pki/front-proxy-ca.key "${USER}"@$host: + scp /etc/kubernetes/pki/etcd/ca.crt "${USER}"@$host:etcd-ca.crt + scp /etc/kubernetes/pki/etcd/ca.key "${USER}"@$host:etcd-ca.key + done + ``` + +{{< caution >}} +Copy only the certificates in the above list. kubeadm will take care of generating the rest of the certificates +with the required SANs for the joining control-plane instances. 
If you copy all the certificates by mistake, +the creation of additional nodes could fail due to a lack of required SANs. +{{< /caution >}} + +1. Then on each joining control plane node you have to run the following script before running `kubeadm join`. + This script will move the previously copied certificates from the home directory to `/etc/kuberentes/pki`: + + ```sh + USER=ubuntu # customizable + mkdir -p /etc/kubernetes/pki/etcd + mv /home/${USER}/ca.crt /etc/kubernetes/pki/ + mv /home/${USER}/ca.key /etc/kubernetes/pki/ + mv /home/${USER}/sa.pub /etc/kubernetes/pki/ + mv /home/${USER}/sa.key /etc/kubernetes/pki/ + mv /home/${USER}/front-proxy-ca.crt /etc/kubernetes/pki/ + mv /home/${USER}/front-proxy-ca.key /etc/kubernetes/pki/ + mv /home/${USER}/etcd-ca.crt /etc/kubernetes/pki/etcd/ca.crt + mv /home/${USER}/etcd-ca.key /etc/kubernetes/pki/etcd/ca.key + ``` {{% /capture %}} From a0b5acdd0cf446d6166402949e65c55f4fe26da7 Mon Sep 17 00:00:00 2001 From: Jim Angel Date: Sat, 16 Mar 2019 17:04:09 -0500 Subject: [PATCH 33/47] fixed a few missed merge conflicts --- .../en/docs/concepts/configuration/secret.md | 25 +------------------ .../connect-applications-service.md | 25 +++---------------- .../workloads/pods/init-containers.md | 6 +---- 3 files changed, 5 insertions(+), 51 deletions(-) diff --git a/content/en/docs/concepts/configuration/secret.md b/content/en/docs/concepts/configuration/secret.md index 06de31223294a..5b4c3c1b44b7c 100644 --- a/content/en/docs/concepts/configuration/secret.md +++ b/content/en/docs/concepts/configuration/secret.md @@ -706,14 +706,7 @@ SecretGenerator: ``` Create the SecretObject on Apiserver: ```shell -<<<<<<< HEAD $ kubectl apply -k . -======= -kubectl create secret generic ssh-key-secret --from-file=ssh-privatekey=/path/to/.ssh/id_rsa -``` -``` ---from-file=ssh-publickey=/path/to/.ssh/id_rsa.pub ->>>>>>> master ``` {{< caution >}} 
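Review bot: In the "Manual certificate distribution" section added by the high-availability patch that ends just above, the last step names the target directory as `/etc/kuberentes/pki`; it should read `/etc/kubernetes/pki`, which is what the script under it uses. Two further points on the same section: the second script runs `mkdir -p /etc/kubernetes/pki/etcd` and `mv` into that directory without saying it must be run as root, and the first script leaves `ca.key`, `sa.key`, `front-proxy-ca.key` and `etcd-ca.key` in the remote user's home directory until the second script is run, so the text should tell the reader to move them promptly and to check their ownership and mode afterwards.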
@@ -762,8 +755,7 @@ credentials. Make the kustomization.yaml with SecretGenerator ```shell -<<<<<<< HEAD -$ cat < kustomization.yaml +cat < kustomization.yaml secretGenerator: - name: prod-db-secret literals: @@ -774,21 +766,6 @@ secretGenerator: - username=testuser - password=iluvtests EOF -======= -kubectl create secret generic prod-db-secret --from-literal=username=produser ---from-literal=password=Y4nys7f11 -``` - -``` -secret "prod-db-secret" created -``` - -```shell -kubectl create secret generic test-db-secret --from-literal=username=testuser --from-literal=password=iluvtests -``` -``` -secret "test-db-secret" created ->>>>>>> master ``` Now make the pods: diff --git a/content/en/docs/concepts/services-networking/connect-applications-service.md b/content/en/docs/concepts/services-networking/connect-applications-service.md index f6d14cfccb8ac..073e83abdd185 100644 --- a/content/en/docs/concepts/services-networking/connect-applications-service.md +++ b/content/en/docs/concepts/services-networking/connect-applications-service.md @@ -231,15 +231,10 @@ Till now we have only accessed the nginx server from within the cluster. Before You can acquire all these from the [nginx https example](https://github.com/kubernetes/examples/tree/{{< param "githubbranch" >}}/staging/https-nginx/). This requires having go and make tools installed. If you don't want to install those, then follow the manual steps later. In short: ```shell -<<<<<<< HEAD -$ make keys secret KEY=/tmp/nginx.key CERT=/tmp/nginx.crt SECRET=/tmp/secret.json -$ kubectl apply -f /tmp/secret.json -======= make keys secret KEY=/tmp/nginx.key CERT=/tmp/nginx.crt SECRET=/tmp/secret.json -kubectl create -f /tmp/secret.json +kubectl apply -f /tmp/secret.json ``` ``` ->>>>>>> master secret/nginxsecret created ``` ```shell 
@@ -274,15 +269,10 @@ data: Now create the secrets using the file: ```shell -<<<<<<< HEAD -$ kubectl apply -f nginxsecrets.yaml -$ kubectl get secrets -======= -kubectl create -f nginxsecrets.yaml +kubectl apply -f nginxsecrets.yaml kubectl get secrets ``` ``` ->>>>>>> master NAME TYPE DATA AGE default-token-il9rc kubernetes.io/service-account-token 1 1d nginxsecret Opaque 2 1m @@ -302,11 +292,7 @@ Noteworthy points about the nginx-secure-app manifest: This is setup *before* the nginx server is started. ```shell -<<<<<<< HEAD -$ kubectl delete deployments,svc my-nginx; kubectl apply -f ./nginx-secure-app.yaml -======= kubectl delete deployments,svc my-nginx; kubectl create -f ./nginx-secure-app.yaml ->>>>>>> master ``` At this point you can reach the nginx server from any node. @@ -326,15 +312,10 @@ Let's test this from a pod (the same secret is being reused for simplicity, the {{< codenew file="service/networking/curlpod.yaml" >}} ```shell -<<<<<<< HEAD -$ kubectl apply -f ./curlpod.yaml -$ kubectl get pods -l app=curlpod -======= -kubectl create -f ./curlpod.yaml +kubectl apply -f ./curlpod.yaml kubectl get pods -l app=curlpod ``` ``` ->>>>>>> master NAME READY STATUS RESTARTS AGE curl-deployment-1515033274-1410r 1/1 Running 0 1m ``` diff --git a/content/en/docs/concepts/workloads/pods/init-containers.md b/content/en/docs/concepts/workloads/pods/init-containers.md index 65efb132a712d..1cf214c7ec40c 100644 --- a/content/en/docs/concepts/workloads/pods/init-containers.md +++ b/content/en/docs/concepts/workloads/pods/init-containers.md @@ -240,13 +240,9 @@ Once we start the `mydb` and `myservice` services, we can see the Init Container complete and the `myapp-pod` is created: ```shell -<<<<<<< HEAD -$ kubectl apply -f services.yaml -======= -kubectl create -f services.yaml +kubectl apply -f services.yaml ``` ``` ->>>>>>> master service/myservice created service/mydb created ``` From 92fd5d402c143bbb280c2cf16ded966f8450f891 Mon Sep 17 00:00:00 2001 
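Review bot: The resolution in hunk `@@ -302,11 +292,7 @@` of connect-applications-service.md keeps the `master` side, `kubectl delete deployments,svc my-nginx; kubectl create -f ./nginx-secure-app.yaml`, while every other conflict in this commit that involves this command is resolved to `kubectl apply` (for example `kubectl apply -f nginxsecrets.yaml` and `kubectl apply -f ./curlpod.yaml`). If that is not deliberate, change the line to end in `kubectl apply -f ./nginx-secure-app.yaml` so the page is consistent.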
From: Mehdy Bohlool Date: Mon, 18 Mar 2019 08:13:18 -0700 Subject: [PATCH 34/47] Admission Webhook new features doc (#12938) - kubernetes/kubernetes#74998 - kubernetes/kubernetes#74477 - kubernetes/kubernetes#74562 --- .../extensible-admission-controllers.md | 29 ++++++++++++++----- 1 file changed, 22 insertions(+), 7 deletions(-) diff --git a/content/en/docs/reference/access-authn-authz/extensible-admission-controllers.md b/content/en/docs/reference/access-authn-authz/extensible-admission-controllers.md index b4ca5a0696466..d2fb12a3e84b3 100644 --- a/content/en/docs/reference/access-authn-authz/extensible-admission-controllers.md +++ b/content/en/docs/reference/access-authn-authz/extensible-admission-controllers.md @@ -6,6 +6,7 @@ reviewers: - caesarxuchao - deads2k - liggitt +- mbohlool title: Dynamic Admission Control content_template: templates/concept weight: 40 @@ -66,6 +67,13 @@ that is validated in a Kubernetes e2e test. The webhook handles the `admissionReview` requests sent by the apiservers, and sends back its decision wrapped in `admissionResponse`. +the `admissionReview` request can have different versions (e.g. v1beta1 or `v1` in a future version). +The webhook can define what version they accept using `admissionReviewVersions` field. API server +will try to use first version in the list which it supports. If none of the versions specified +in this list supported by API server, validation will fail for this object. If the webhook +configuration has already been persisted, calls to the webhook will fail and be +subject to the failure policy. + The example admission webhook server leaves the `ClientAuth` field [empty](https://github.com/kubernetes/kubernetes/blob/v1.13.0/test/images/webhook/config.go#L47-L48), which defaults to `NoClientCert`. This means that the webhook server does not 
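Review bot: In the paragraph added after "wrapped in `admissionResponse`", "validation will fail for this object" does not say which object is meant; from the sentence that follows it is the webhook configuration, so say "validation of the webhook configuration will fail". It is also worth stating the consequence of "subject to the failure policy": with a failure policy of `Ignore`, requests are admitted without the webhook being consulted. Smaller fixes: capitalise the opening "the `admissionReview` request", add the missing "are" in "in this list supported by API server", and put `v1beta1` in backticks to match `v1`.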
@@ -111,18 +119,32 @@ webhooks: - CREATE resources: - pods + scope: "Namespaced" clientConfig: service: namespace: name: caBundle: + admissionReviewVersions: + - v1beta1 + timeoutSeconds: 1 ``` +The scope field specifies if only cluster-scoped resources ("Cluster") or namespace-scoped +resources ("Namespaced") will match this rule. "*" means that there are no scope restrictions. + {{< note >}} When using `clientConfig.service`, the server cert must be valid for `..svc`. {{< /note >}} +{{< note >}} +Default timeout for a webhook call is 30 seconds but starting in kubernetes 1.14 you +can set the timeout and it is encouraged to use a very small timeout for webhooks. +If the webhook call times out, the request is handled according to the webhook's +failure policy. +{{< /note >}} + When an apiserver receives a request that matches one of the `rules`, the apiserver sends an `admissionReview` request to webhook as specified in the `clientConfig`. @@ -130,13 +152,6 @@ apiserver sends an `admissionReview` request to webhook as specified in the After you create the webhook configuration, the system will take a few seconds to honor the new configuration. -{{< note >}} -When the webhook plugin is deployed into the Kubernetes cluster as a -service, it has to expose its service on the 443 port. The communication -between the API server and the webhook service may fail if a different port -is used. -{{< /note >}} - ### Authenticate apiservers If your admission webhooks require authentication, you can configure the From 3bf2d154ef3880a1c4e9b769e7bd0a366ea83a14 Mon Sep 17 00:00:00 2001 From: Deep Debroy Date: Mon, 18 Mar 2019 09:34:27 -0700 Subject: [PATCH 35/47] Clarifications and fixes in GMSA doc (#13226) * Clarifications and fixes in GMSA doc Signed-off-by: Deep Debroy * Update configure-gmsa.md * Reformat to align headings and pre-reqs better Signed-off-by: Deep Debroy * Reformat to align headings and pre-reqs better Signed-off-by: Deep Debroy * Reformat to fix bullets 
Signed-off-by: Deep Debroy * Reword application of sample gmsa Signed-off-by: Deep Debroy * Update configure-gmsa.md * Address feedback to use active voice Signed-off-by: Deep Debroy * Address feedback to use active voice Signed-off-by: Deep Debroy --- .../configure-pod-container/configure-gmsa.md | 82 +++++++++++-------- 1 file changed, 46 insertions(+), 36 deletions(-) diff --git a/content/en/docs/tasks/configure-pod-container/configure-gmsa.md b/content/en/docs/tasks/configure-pod-container/configure-gmsa.md index 844db949c405e..c6f43f96a8f49 100644 --- a/content/en/docs/tasks/configure-pod-container/configure-gmsa.md +++ b/content/en/docs/tasks/configure-pod-container/configure-gmsa.md 
@@ -13,59 +13,62 @@ This page shows how to configure [Group Managed Service Accounts](https://docs.m In Kubernetes, GMSA credential specs are configured at a Kubernetes cluster-wide scope as custom resources. Windows pods, as well as individual containers within a pod, can be configured to use a GMSA for domain based functions (e.g. Kerberos authentication) when interacting with other Windows services. As of v1.14, the only container runtime interface that supports GMSA for Windows workloads is Dockershim. Implementation of GMSA through CRI and other runtimes is planned for the future. {{< note >}} -Currently this feature is in alpha state. While the overall goals and functionality will not change, the way in which the GMSA credspec references are specified in pod specs may change from annotations to a API fields. Please take this into consideration when testing or adopting this feature. +Currently this feature is in alpha state. While the overall goals and functionality will not change, the way in which the GMSA credspec references are specified in pod specs may change from annotations to API fields. Please take this into consideration when testing or adopting this feature. {{< /note >}} {{% /capture %}} -{{% capture body %}} +{{% capture prerequisites %}} -## Setup and configuration for GMSA -Configuring GMSA credential specs in the cluster and configuring individual pods and containers to be able to use them requires several steps described in details below. +You need to have a Kubernetes cluster and the kubectl command-line tool must be configured to communicate with your cluster. The cluster is expected to have Windows worker nodes where pods with containers running Windows workloads requiring GMSA credentials will get scheduled. This section covers a set of initial steps required once for each cluster: -### Initial configuration of Kubernetes cluster to use GMSA -This section covers a set of initial steps required once for each cluster. These include: -1. 
Enabling the `WindowsGMSA` feature gate on kubelet on the Windows nodes you'll use to run GMSA-dependent workloads. -2. Installing the GMSACredentialSpec Custom Resource Definition (CRD). -3. Installing two GMSA admission webhooks to expand and validate references to GMSA credential spec resources from pod specs. - -#### Enable the WindowsGMSA feature gate +### Enable the WindowsGMSA feature gate In the alpha state, the `WindowsGMSA` feature gate needs to be enabled on kubelet on Windows nodes. This is required to pass down the GMSA credential specs from the cluster scoped configurations to the container runtime. See [Feature Gates](https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/) for an explanation of enabling feature gates. Please make sure `--feature-gates=WindowsGMSA=true` parameter exists in the kubelet.exe command line. -#### Install the GMSACredentialSpec CRD -A [CustomResourceDefinition](https://kubernetes.io/docs/tasks/access-kubernetes-api/custom-resources/custom-resource-definitions/) (CRD) for GMSA credential spec resources needs to be configured on the cluster to define the custom resource type `GMSACredentialSpec`. Download the GMSA CRD [YAML](https://github.com/kubernetes-sigs/windows-gmsa/blob/master/admission-webhook/deploy/gmsa-webhook.yml.tpl#L131-L148) and save it as gmsa-crd.yaml. +### Install the GMSACredentialSpec CRD +A [CustomResourceDefinition](https://kubernetes.io/docs/tasks/access-kubernetes-api/custom-resources/custom-resource-definitions/) (CRD) for GMSA credential spec resources needs to be configured on the cluster to define the custom resource type `GMSACredentialSpec`. Download the GMSA CRD [YAML](https://github.com/kubernetes-sigs/windows-gmsa/blob/master/admission-webhook/deploy/gmsa-crd.yml) and save it as gmsa-crd.yaml. 
Next, install the CRD with `kubectl apply -f gmsa-crd.yaml` -#### Install webhooks to validate GMSA users +### Install webhooks to validate GMSA users Two webhooks need to be configured on the Kubernetes cluster to populate and validate GMSA credential spec references at the pod or container level: + 1. A mutating webhook that expands references to GMSAs (by name from a pod specification) into the full credential spec in JSON form within the pod spec. -2. A validating webhook ensures all references to GMSAs are authorized to be used by the pod service account. + +1. A validating webhook ensures all references to GMSAs are authorized to be used by the pod service account. Installing the above webhooks and associated objects require the steps below: + 1. Create a certificate key pair (that will be used to allow the webhook container to communicate to the cluster) -2. Install a secret with the certificate from above. -3. Create a deployment for the core webhook logic. -4. Create the validating and mutating webhook configurations referring to the deployment. + +1. Install a secret with the certificate from above. + +1. Create a deployment for the core webhook logic. + +1. Create the validating and mutating webhook configurations referring to the deployment. A [script](https://github.com/kubernetes-sigs/windows-gmsa/blob/master/admission-webhook/deploy/deploy-gmsa-webhook.sh) can be used to deploy and configure the GMSA webhooks and associated objects mentioned above. The script can be run with a ```--dry-run``` option to allow you to review the changes that would be made to your cluster. 
The [YAML template](https://github.com/kubernetes-sigs/windows-gmsa/blob/master/admission-webhook/deploy/gmsa-webhook.yml.tpl) used by the script may also be used to deploy the webhooks and associated objects manually (with appropriate substitutions for the parameters) -### Configuration and usage of GMSAs in pods -This section covers the set of steps necessary for configuring individual GMSA credentials and using them in pods. These include: -1. Creating GMSA credential spec resources. -2. Creating cluster roles to allow service accounts to use specific GMSA credential spec resources. -3. Binding roles to specific service accounts to allow them to use the desired GMSA credential spec resources. -4. Configuring pods with a service account authorized to use the desired GMSA credential specs. +{{% /capture %}} + +{{% capture steps %}} + +## Configure GMSAs and Windows nodes in Active Directory +Before pods in Kubernetes can be configured to use GMSAs, the desired GMSAs need to be provisioned in Active Directory as described [here](https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/getting-started-with-group-managed-service-accounts#BKMK_Step1). Windows worker nodes (that are part of the Kubernetes cluster) need to be configured in Active Directory to access the secret credentials associated with the desired GMSA as described [here](https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/getting-started-with-group-managed-service-accounts#to-add-member-hosts-using-the-set-adserviceaccount-cmdlet) -#### Create GMSA credspec resources -With the GMSACredentialSpec CRD installed, custom resources containing GMSA credential specs can be configured. The GMSA credential spec does not contain secret or sensitive data. It is information that a container runtime can use to describe the desired GMSA of a container to Windows. 
GMSA credential specs can be generated in YAML format with a utility [PowerShell script](https://github.com/kubernetes-sigs/windows-gmsa/tree/master/scripts/GenerateCredentialSpecResource.ps1). +## Create GMSA credential spec resources +With the GMSACredentialSpec CRD installed (as described earlier), custom resources containing GMSA credential specs can be configured. The GMSA credential spec does not contain secret or sensitive data. It is information that a container runtime can use to describe the desired GMSA of a container to Windows. GMSA credential specs can be generated in YAML format with a utility [PowerShell script](https://github.com/kubernetes-sigs/windows-gmsa/tree/master/scripts/GenerateCredentialSpecResource.ps1). Following are the steps for generating a GMSA credential spec YAML manually in JSON format and then converting it: + 1. Import the CredentialSpec [module](https://github.com/MicrosoftDocs/Virtualization-Documentation/blob/live/windows-server-container-tools/ServiceAccounts/CredentialSpec.psm1): `ipmo CredentialSpec.psm1` -2. Create a credential spec in JSON format using `New-CredentialSpec`. To create a GMSA credential spec named WebApp1, invoke `New-CredentialSpec -Name WebApp1 -AccountName WebApp1 -Domain $(Get-ADDomain -Current LocalComputer)` -3. Use `Get-CredentialSpec` to show the path of the JSON file. -4. Convert the credspec file from JSON to YAML format and apply the necessary header fields `apiVersion`, `kind`, `metadata` and `credspec` to make it a GMSACredentialSpec custom resource that can be configured in Kubernetes. + +1. Create a credential spec in JSON format using `New-CredentialSpec`. To create a GMSA credential spec named WebApp1, invoke `New-CredentialSpec -Name WebApp1 -AccountName WebApp1 -Domain $(Get-ADDomain -Current LocalComputer)` + +1. Use `Get-CredentialSpec` to show the path of the JSON file. + +1. 
Convert the credspec file from JSON to YAML format and apply the necessary header fields `apiVersion`, `kind`, `metadata` and `credspec` to make it a GMSACredentialSpec custom resource that can be configured in Kubernetes. The following YAML configuration describes a GMSA credential spec named `gmsa-WebApp1`: @@ -92,10 +95,9 @@ credspec: Sid: S-1-5-21-2126449477-2524075714-3094792973 #SID of GMSA ``` -5. Deploy the credential spec resource: `kubectl apply -f gmsa-Webapp1-credspec.yml` - +The above credential spec resource may be saved as `gmsa-Webapp1-credspec.yaml` and applied to the cluster using: `kubectl apply -f gmsa-Webapp1-credspec.yml` -#### Configure cluster role to enable RBAC on specific GMSA credential specs +## Configure cluster role to enable RBAC on specific GMSA credential specs A cluster role needs to be defined for each GMSA credential spec resource. This authorizes the `use` verb on a specific GMSA resource by a subject which is typically a service account. The following example shows a cluster role that authorizes usage of the `gmsa-WebApp1` credential spec from above. Save the file as gmsa-webapp1-role.yaml and apply using `kubectl apply -f gmsa-webapp1-role.yaml` ``` @@ -111,7 +113,7 @@ rules: resourceNames: ["gmsa-WebApp1"] ``` -#### Assign role to service accounts to use specific GMSA credspecs +## Assign role to service accounts to use specific GMSA credspecs A service account (that pods will be configured with) needs to be bound to the cluster role create above. This authorizes the service account to "use" the desired GMSA credential spec resource. The following shows the default service account being bound to a cluster role `webapp1-role` to use `gmsa-WebApp1` credential spec resource created above. ``` 
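Review bot: In hunk `@@ -92,10 +95,9 @@` the replacement sentence tells the reader to save the resource as `gmsa-Webapp1-credspec.yaml` but then applies `gmsa-Webapp1-credspec.yml`; the two file names need the same extension or the command fails as written. The resource itself is named `gmsa-WebApp1` in the surrounding text, so consider matching that capitalisation in the file name as well.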
@@ -126,12 +128,12 @@ subjects: namespace: default roleRef: kind: ClusterRole - name: my-rbac-reader + name: webapp1-role apiGroup: rbac.authorization.k8s.io ``` -#### Configure GMSA credential spec reference in pod spec -In the alpha stage of the feature, the annotation `pod.alpha.windows.kubernetes.io/gmsa-credential-spec-name` is used to specify references to desired GMSA credential spec custom resources from pod specs. This configures all containers in the podspec to use the specified GMSA. A sample pod spec with the annotation populated to refer to `gmsa-WebApp1`: +## Configure GMSA credential spec reference in pod spec +In the alpha stage of the feature, the annotation `pod.alpha.windows.kubernetes.io/gmsa-credential-spec-name` is used to specify references to desired GMSA credential spec custom resources in pod specs. This configures all containers in the pod spec to use the specified GMSA. A sample pod spec with the annotation populated to refer to `gmsa-WebApp1`: ``` apiVersion: apps/v1beta1 @@ -191,4 +193,12 @@ spec: beta.kubernetes.io/os: windows ``` +As pod specs with GMSA annotations (as described above) are applied in a cluster configured for GMSA, the following sequence of events take place: + +1. The mutating webhook resolves and expands all references to GMSA credential spec resources to the contents of the GMSA credential spec. + +1. The validating webhook ensures the service account associated with the pod is authorized for the "use" verb on the specified GMSA credential spec. + +1. The container runtime configures each Windows container with the specified GMSA credential spec so that the container can assume the identity of the GMSA in Active Directory and access services in the domain using that identity. + {{% /capture %}} From e15667a0ce66a1b57eb010d698676ccf32516a52 Mon Sep 17 00:00:00 2001 
From: krmayankk Date: Mon, 18 Mar 2019 10:08:22 -0700 Subject: [PATCH 36/47] RunAsGroup documentation for Progressing this to Beta (#12297) --- .../feature-gates.md | 2 +- .../reference/glossary/security-context.md | 3 +-- .../security-context.md | 21 +++++++++++++------ 3 files changed, 17 insertions(+), 9 deletions(-) diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates.md b/content/en/docs/reference/command-line-tools-reference/feature-gates.md index b71bb3737d02f..5e9369f38091e 100644 --- a/content/en/docs/reference/command-line-tools-reference/feature-gates.md +++ b/content/en/docs/reference/command-line-tools-reference/feature-gates.md @@ -124,7 +124,7 @@ different Kubernetes components. | `RotateKubeletClientCertificate` | `true` | Beta | 1.7 | | | `RotateKubeletServerCertificate` | `false` | Alpha | 1.7 | 1.11 | | `RotateKubeletServerCertificate` | `true` | Beta | 1.12 | | -| `RunAsGroup` | `false` | Alpha | 1.10 | | +| `RunAsGroup` | `true` | Beta | 1.14 | | | `RuntimeClass` | `true` | Beta | 1.14 | | | `SCTPSupport` | `false` | Alpha | 1.12 | | | `ServiceNodeExclusion` | `false` | Alpha | 1.8 | | diff --git a/content/en/docs/reference/glossary/security-context.md b/content/en/docs/reference/glossary/security-context.md index 7bdf99534ae0d..9812304e4dd2a 100755 --- a/content/en/docs/reference/glossary/security-context.md +++ b/content/en/docs/reference/glossary/security-context.md 
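Review bot: Replacing the `RunAsGroup` row in place, from `false` / Alpha / 1.10 to `true` / Beta / 1.14, loses the record of its alpha period. Neighbouring entries in the same table keep one row per stage, as `RotateKubeletServerCertificate` does with an Alpha row for 1.7 to 1.11 followed by a Beta row for 1.12; suggest keeping the Alpha row with its end version filled in and adding the Beta row beneath it.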
@@ -14,5 +14,4 @@ tags: -The securityContext field in a {{< glossary_tooltip term_id="pod" >}} (applying to all containers) or container is used to set the user (runAsUser) and group (fsGroup), capabilities, privilege settings, and security policies (SELinux/AppArmor/Seccomp) that container processes use. - +The securityContext field in a {{< glossary_tooltip term_id="pod" >}} (applying to all containers) or container is used to set the user, groups, capabilities, privilege settings, and security policies (SELinux/AppArmor/Seccomp) and more that container processes use. diff --git a/content/en/docs/tasks/configure-pod-container/security-context.md b/content/en/docs/tasks/configure-pod-container/security-context.md index f314abfa66008..39dbc60927b78 100644 --- a/content/en/docs/tasks/configure-pod-container/security-context.md +++ b/content/en/docs/tasks/configure-pod-container/security-context.md @@ -52,10 +52,11 @@ Here is a configuration file for a Pod that has a `securityContext` and an `empt {{< codenew file="pods/security/security-context.yaml" >}} In the configuration file, the `runAsUser` field specifies that for any Containers in -the Pod, the first process runs with user ID 1000. The `fsGroup` field specifies that -group ID 2000 is associated with all Containers in the Pod. Group ID 2000 is also -associated with the volume mounted at `/data/demo` and with any files created in that -volume. +the Pod, all processes run with user ID 1000. The `runAsGroup` field specifies the primary group ID of 3000 for +all processes within any containers of the Pod. If this field is ommitted, the primary group ID of the containers +will be root(0). Any files created will also be owned by user 1000 and group 3000 when `runAsGroup` is specified. +Since `fsGroup` field is specified, all processes of the container are also part of the supplementary group ID 2000. +The owner for volume `/data/demo` and any files created in that volume will be Group ID 2000. Create the Pod: 
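Review bot: The new paragraph in the security-context task page gives two different answers for the group ownership of new files: "Any files created will also be owned by user 1000 and group 3000" and then "any files created in that volume will be Group ID 2000". Suggest scoping the first sentence to files created outside the `fsGroup` volume and the second to files under `/data/demo`, and rewording "The owner for volume `/data/demo` ... will be Group ID 2000" as group ownership rather than owner. "ommitted" should be "omitted".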
@@ -123,6 +124,16 @@ The output shows that `testfile` has group ID 2000, which is the value of `fsGro -rw-r--r-- 1 1000 2000 6 Jun 6 20:08 testfile ``` +Run the following command: + +```shell +$ id +uid=1000 gid=3000 groups=2000 +``` +You will see that gid is 3000 which is same as `runAsGroup` field. If the `runAsGroup` was ommitted the gid would +remain as 0(root) and the process will be able to interact with files that are owned by root(0) group and that have +the required group permissions for root(0) group. + Exit your shell: ```shell @@ -357,5 +368,3 @@ After you specify an MCS label for a Pod, all Pods with the same label can acces {{% /capture %}} - - From 655aed908886f8be4e8e46e3cad73d609a5f1de4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Kevin=20Wiesm=C3=BCller?= Date: Mon, 18 Mar 2019 22:42:21 +0100 Subject: [PATCH 37/47] start serverside-apply documentation (#13077) * start serverside-apply documentation * add more concept info on server side apply * Update api concepts * Update api-concepts.md * fix style issues --- .../feature-gates.md | 2 + .../docs/reference/using-api/api-concepts.md | 106 +++++++++++++++++- 2 files changed, 107 insertions(+), 1 deletion(-) diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates.md b/content/en/docs/reference/command-line-tools-reference/feature-gates.md index 5e9369f38091e..af853558ea53e 100644 --- a/content/en/docs/reference/command-line-tools-reference/feature-gates.md +++ b/content/en/docs/reference/command-line-tools-reference/feature-gates.md @@ -127,6 +127,7 @@ different Kubernetes components. | `RunAsGroup` | `true` | Beta | 1.14 | | | `RuntimeClass` | `true` | Beta | 1.14 | | | `SCTPSupport` | `false` | Alpha | 1.12 | | +| `ServerSideApply` | `false` | Alpha | 1.14 | | | `ServiceNodeExclusion` | `false` | Alpha | 1.8 | | | `StorageObjectInUseProtection` | `true` | Beta | 1.10 | 1.10 | | `StorageObjectInUseProtection` | `true` | GA | 1.11 | | 
@@ -294,6 +295,7 @@ Each feature gate is designed for enabling/disabling a specific feature: - `RuntimeClass`: Enable the [RuntimeClass](/docs/concepts/containers/runtime-class/) feature for selecting container runtime configurations. - `ScheduleDaemonSetPods`: Enable DaemonSet Pods to be scheduled by the default scheduler instead of the DaemonSet controller. - `SCTPSupport`: Enables the usage of SCTP as `protocol` value in `Service`, `Endpoint`, `NetworkPolicy` and `Pod` definitions +- `ServerSideApply`: Enables the [Sever Side Apply (SSA)](/docs/reference/using-api/api-concepts/#server-side-apply) path at the API Server. - `ServiceNodeExclusion`: Enable the exclusion of nodes from load balancers created by a cloud provider. A node is eligible for exclusion if annotated with "`alpha.service-controller.kubernetes.io/exclude-balancer`" key. - `StorageObjectInUseProtection`: Postpone the deletion of PersistentVolume or diff --git a/content/en/docs/reference/using-api/api-concepts.md b/content/en/docs/reference/using-api/api-concepts.md index 5438cd2a7dce1..1d45abedef66c 100644 --- a/content/en/docs/reference/using-api/api-concepts.md +++ b/content/en/docs/reference/using-api/api-concepts.md 
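Review bot: The link text in the new `ServerSideApply` bullet reads "Sever Side Apply (SSA)"; it should be "Server Side Apply (SSA)". The bullet could also say that the gate is alpha and off by default, matching the `false` / Alpha / 1.14 row added to the table in the previous hunk.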
@@ -317,6 +317,110 @@ Some values of an object are typically generated before the object is persisted. * Any field set by a mutating admission controller * For the `Service` resource: Ports or IPs that kube-apiserver assigns to v1.Service objects -{{% /capture %}} +## Server Side Apply + +{{< feature-state for_k8s_version="v1.14" state="alpha" >}} Server Side Apply allows clients other than kubectl to perform the Apply operation, and will eventually fully replace the complicated Client Side Apply logic that only exists in kubectl. If the Server Side Apply feature is enabled, The `PATCH` endpoint accepts the additional `application/apply-patch+yaml` content type. Users of Server Side Apply can send partially specified objects to this endpoint. An applied config should always include every field that the applier has an opinion about. + +### Enable the Server Side Apply alpha feature + +Server Side Apply is an alpha feature, so it is disabled by default. To turn this [feature gate](/docs/reference/command-line-tools-reference/feature-gates) on, +you need to include in the `--feature-gates ServerSideApply=true` flag when starting `kube-apiserver`. +If you have multiple `kube-apiserver` replicas, all should have the same flag setting. + +### Field Management + +Compared to the `last-applied` annotation managed by `kubectl`, Server Side Apply uses a more declarative approach, which tracks a user's field management, rather than a user's last applied state. This means that as a side effect of using Server Side Apply, information about which field manager manages each field in an object also becomes available. + +For a user to manage a field, in the Server Side Apply sense, means that the user relies on and expects the value of the field not to change. The user who last made an assertion about the value of a field will be recorded as the current field manager. 
This can be done either by changing the value with `POST`, `PUT`, or non-apply `PATCH`, or by including the field in a config sent to the Server Side Apply endpoint. Any applier that tries to change the field which is managed by someone else will get its request rejected (if not forced, see the Conflicts section below). + +Field management is stored in a newly introduced `managedFields` field that is part of an object's [`metadata`](/docs/reference/generated/kubernetes-api/v1.14/#objectmeta-v1-meta). + +A simple example of an object created by Server Side Apply could look like this: + +```yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: test-cm + namespace: default + labels: + test-label: test + managedFields: + - manager: kubectl + operation: Apply + apiVersion: v1 + fields: + f:metadata: + f:labels: + f:test-label: {} + f:data: + f:key: {} +data: + key: some value +``` + +The above object contains a single manager in `metadata.managedFields`. The manager consists of basic information about the managing entity itself, like operation type, api version, and the fields managed by it. + +{{< note >}} This field is managed by the apiserver and should not be changed by the user. {{< /note >}} + +### Operations + +The two operation types considered by this feature are `Apply` (`PATCH` with content type `application/apply-patch+yaml`) and `Update` (all other operations which modify the object). Both operations update the `managedFields`, but behave a little differently. + +For instance, only the apply operation fails on conflicts while update does not. Also, apply operations are required to identify themselves by providing a `fieldManager` query parameter, while the query parameter is optional for update operations. 
+ +An example object with multiple managers could look like this: + +```yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: test-cm + namespace: default + labels: + test-label: test + managedFields: + - manager: kubectl + operation: Apply + apiVersion: v1 + fields: + f:metadata: + f:labels: + f:test-label: {} + - manager: kube-controller-manager + operation: Update + apiVersion: v1 + time: '2019-03-30T16:00:00.000Z' + fields: + f:data: + f:key: {} +data: + key: new value +``` + +In this example, a second operation was run as an `Update` by the manager called `kube-controller-manager`. The update changed a value in the data field which caused the field's management to change to the `kube-controller-manager`. +{{< note >}}If this update would have been an `Apply` operation, the operation would have failed due to conflicting ownership.{{< /note >}} + +### Merge Rules + +When a user sends a partially specified object to the Server Side Apply endpoint, the server merges it with the live object favoring the value in the applied config if it is specified twice. If the set of items present in the applied config is not a superset of the items applied by the same user last time, each missing item not managed by any other field manager is removed. For more information about how an object's schema is used to make decisions when merging, see [sigs.k8s.io/structured-merge-diff](https://sigs.k8s.io/structured-merge-diff). + +### Conflicts + +A conflict is a special status error that occurs when an `Apply` operation tries to change a field, which another user also claims to manage. This prevents an applier from unintentionally overwriting the value set by another user. When this occurs, the applier has 3 options to resolve the conflicts: + +* **Overwrite value, become sole manager:** If overwriting the value was intentional (or if the applier is an automated process like a controller) the applier should set the `force` query parameter to true and make the request again. 
This forces the operation to succeed, changes the value of the field, and removes the field from all other managers' entries in managedFields. +* **Don't overwrite value, give up management claim:** If the applier doesn't care about the value of the field anymore, they can remove it from their config and make the request again. This leaves the value unchanged, and causes the field to be removed from the applier's entry in managedFields. +* **Don't overwrite value, become shared manager:** If the applier still cares about the value of the field, but doesn't want to overwrite it, they can change the value of the field in their config to match the value of the object on the server, and make the request again. This leaves the value unchanged, and causes the field's management to be shared by the applier and all other field managers that already claimed to manage it. + +### Comparison with Client Side Apply + +A consequence of the conflict detection and resolution implemented by Server Side Apply is that an applier always has up to date field values in their local state. If they don't, they get a conflict the next time they apply. Any of the three options to resolve conflicts results in the applied config being an up to date subset of the object on the server's fields. + +This is different from Client Side Apply, where outdated values which have been overwritten by other users are left in an applier's local config. These values only become accurate when the user updates that specific field, if ever, and an applier has no way of knowing whether their next apply will overwrite other users' changes. + +Another difference is that an applier using Client Side Apply is unable to change the API version they are using, but Server Side Apply supports this use case. +### Custom Resources +Server Side Apply currently treats all custom resources as unstructured data. All keys are treated the same as struct fields, and all lists are considered atomic. 
In the future, it will use the validation field in Custom Resource Definitions to allow Custom Resource authors to define how to how to merge their own objects. From 965a801baa9247371430e50f073c80314c694067 Mon Sep 17 00:00:00 2001 From: Hemant Kumar Date: Tue, 19 Mar 2019 01:42:21 -0400 Subject: [PATCH 38/47] Document CSI update (#12928) * Document CSI update * Finish CSI documentation Also fix mistake with ExpandInUsePersistentVolumes documented as beta --- content/en/docs/concepts/storage/persistent-volumes.md | 10 +++++++++- .../command-line-tools-reference/feature-gates.md | 2 +- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/content/en/docs/concepts/storage/persistent-volumes.md b/content/en/docs/concepts/storage/persistent-volumes.md index 4b6606629c146..6f471b8a228d4 100644 --- a/content/en/docs/concepts/storage/persistent-volumes.md +++ b/content/en/docs/concepts/storage/persistent-volumes.md @@ -179,8 +179,8 @@ However, the particular path specified in the custom recycler pod template in th ### Expanding Persistent Volumes Claims -{{< feature-state for_k8s_version="v1.8" state="alpha" >}} {{< feature-state for_k8s_version="v1.11" state="beta" >}} + Support for expanding PersistentVolumeClaims (PVCs) is now enabled by default. You can expand the following types of volumes: @@ -193,6 +193,7 @@ the following types of volumes: * Azure Disk * Portworx * FlexVolumes +* CSI You can only expand a PVC if its storage class's `allowVolumeExpansion` field is set to true. 
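Review bot: In the api-concepts.md hunk `@@ -317,6 +317,110 @@`, the `{{% /capture %}}` line is removed and none of the added lines shown puts it back, so unless it is restored elsewhere the enclosing capture is left unclosed; re-add it after the Custom Resources section. In the same hunk, the last added sentence repeats words ("how to how to merge"), "The `PATCH` endpoint" is capitalised mid-sentence, and "you need to include in the `--feature-gates ServerSideApply=true` flag" has a stray "in". The note that `managedFields` "should not be changed by the user" also does not say whether the API server rejects or ignores such a change, which is worth stating because these ownership records decide which applies conflict.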
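Review bot: In the persistent-volumes.md hunk `@@ -193,6 +193,7 @@`, `* CSI` joins the list that is introduced as enabled by default under the v1.11 beta feature state, while the `#### CSI Volume expansion` section added by the same patch marks CSI expansion as v1.14 alpha and gated on `ExpandCSIVolumes`. Qualify the list item, for example "CSI (alpha, requires the `ExpandCSIVolumes` feature gate)", so readers do not assume CSI expansion works without further configuration.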
@@ -214,6 +215,13 @@ To request a larger volume for a PVC, edit the PVC object and specify a larger size. This triggers expansion of the volume that backs the underlying `PersistentVolume`. A new `PersistentVolume` is never created to satisfy the claim. Instead, an existing volume is resized. +#### CSI Volume expansion + +{{< feature-state for_k8s_version="v1.14" state="alpha" >}} + +CSI volume expansion requires enabling `ExpandCSIVolumes` feature gate and also requires specific CSI driver to support volume expansion. Please refer to documentation of specific CSI driver for more information. + + #### Resizing a volume containing a file system You can only resize volumes containing a file system if the file system is XFS, Ext3, or Ext4. diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates.md b/content/en/docs/reference/command-line-tools-reference/feature-gates.md index af853558ea53e..4e0931bc677d9 100644 --- a/content/en/docs/reference/command-line-tools-reference/feature-gates.md +++ b/content/en/docs/reference/command-line-tools-reference/feature-gates.md @@ -83,8 +83,8 @@ different Kubernetes components. | `DynamicVolumeProvisioning` | `true` | Alpha | 1.3 | 1.7 | | `DynamicVolumeProvisioning` | `true` | GA | 1.8 | | | `EnableEquivalenceClassCache` | `false` | Alpha | 1.8 | | +| `ExpandCSIVolumes` | `false` | Alpha | 1.14 | | | | `ExpandInUsePersistentVolumes` | `false` | Alpha | 1.11 | 1.13 | | -| `ExpandInUsePersistentVolumes` | `true` | Beta | 1.14 | | | `ExpandPersistentVolumes` | `false` | Alpha | 1.8 | 1.10 | | `ExpandPersistentVolumes` | `true` | Beta | 1.11 | | | `ExperimentalCriticalPodAnnotation` | `false` | Alpha | 1.5 | | From cb0b9d06a39602640523e4c4f5be1d8999a2bc8a Mon Sep 17 00:00:00 2001 From: Deep Debroy Date: Mon, 18 Mar 2019 22:46:20 -0700 Subject: [PATCH 39/47] Overall docs for CSI Migration feature (#12935) * Placeholder docs for CSI Migration feature 
Signed-off-by: Deep Debroy * Address CR comments and update feature gates Signed-off-by: Deep Debroy * Add mappings for CSI plugins Signed-off-by: Deep Debroy * Add sections for AWS and GCE PD migration Signed-off-by: Deep Debroy * Add docs for Cinder and CSI Migration info Signed-off-by: Deep Debroy * Clarify scope to volumes with file system Signed-off-by: Deep Debroy * Change the format of EBS and Cinder CSI Migration sections to follow the GCE template Signed-off-by: Deep Debroy --- content/en/docs/concepts/storage/volumes.md | 82 +++++++++++++++++++ .../feature-gates.md | 8 ++ 2 files changed, 90 insertions(+) diff --git a/content/en/docs/concepts/storage/volumes.md b/content/en/docs/concepts/storage/volumes.md index 6733cd1b0e884..bcf6abe2d9c72 100644 --- a/content/en/docs/concepts/storage/volumes.md +++ b/content/en/docs/concepts/storage/volumes.md @@ -70,6 +70,7 @@ Kubernetes supports several types of Volumes: * [azureDisk](#azuredisk) * [azureFile](#azurefile) * [cephfs](#cephfs) + * [cinder](#cinder) * [configMap](#configmap) * [csi](#csi) * [downwardAPI](#downwardapi) @@ -148,6 +149,17 @@ spec: fsType: ext4 ``` +#### CSI Migration + +{{< feature-state for_k8s_version="v1.14" state="alpha" >}} + +The CSI Migration feature for awsElasticBlockStore, when enabled, shims all plugin operations +from the existing in-tree plugin to the `ebs.csi.aws.com` Container +Storage Interface (CSI) Driver. In order to use this feature, the [AWS EBS CSI +Driver](https://github.com/kubernetes-sigs/aws-ebs-csi-driver) +must be installed on the cluster and the `CSIMigration` and `CSIMigrationAWS` +Alpha features must be enabled. + ### azureDisk {#azuredisk} A `azureDisk` is used to mount a Microsoft Azure [Data Disk](https://azure.microsoft.com/en-us/documentation/articles/virtual-machines-linux-about-disks-vhds/) into a Pod. 
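Review bot: The `#### CSI Migration` paragraph added under awsElasticBlockStore says the `CSIMigration` and `CSIMigrationAWS` features "must be enabled" without naming the components that need the gates or linking to the feature gates reference, and it does not say what happens to volume operations when the gates are on but the `ebs.csi.aws.com` driver is not installed. Link the gate names to `/docs/reference/command-line-tools-reference/feature-gates/` and add a sentence on that failure case; the same applies to the Cinder and GCE PD copies of this paragraph.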
@@ -176,6 +188,48 @@ You must have your own Ceph server running with the share exported before you ca See the [CephFS example](https://github.com/kubernetes/examples/tree/{{< param "githubbranch" >}}/staging/volumes/cephfs/) for more details. +### cinder {#cinder} + +{{< note >}} +Prerequisite: Kubernetes with OpenStack Cloud Provider configured. For cloudprovider +configuration please refer [cloud provider openstack](https://kubernetes.io/docs/concepts/cluster-administration/cloud-providers/#openstack). +{{< /note >}} + +`cinder` is used to mount OpenStack Cinder Volume into your Pod. + +#### Cinder Volume Example configuration + +```yaml +apiVersion: v1 +kind: Pod +metadata: + name: test-cinder +spec: + containers: + - image: k8s.gcr.io/test-webserver + name: test-cinder-container + volumeMounts: + - mountPath: /test-cinder + name: test-volume + volumes: + - name: test-volume + # This OpenStack volume must already exist. + cinder: + volumeID: + fsType: ext4 +``` + +#### CSI Migration + +{{< feature-state for_k8s_version="v1.14" state="alpha" >}} + +The CSI Migration feature for Cinder, when enabled, shims all plugin operations +from the existing in-tree plugin to the `cinder.csi.openstack.org` Container +Storage Interface (CSI) Driver. In order to use this feature, the [Openstack Cinder CSI +Driver](https://github.com/kubernetes/cloud-provider-openstack/blob/master/docs/using-cinder-csi-plugin.md) +must be installed on the cluster and the `CSIMigration` and `CSIMigrationOpenStack` +Alpha features must be enabled. + ### configMap {#configmap} The [`configMap`](/docs/tasks/configure-pod-container/configure-pod-configmap/) resource 
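Review bot: In the Cinder example manifest, `volumeID:` has no value, so the YAML as written sets it to null; put a visible placeholder there, as the comment above it already says the OpenStack volume must exist. In the prerequisite note, the link uses an absolute `https://kubernetes.io/docs/...` URL where the other links in this patch are relative `/docs/...` paths, "please refer [cloud provider openstack]" is missing "to", and the later paragraph writes "Openstack" where the rest of the section writes "OpenStack".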
@@ -401,6 +455,17 @@ spec: fsType: ext4 ``` +#### CSI Migration + +{{< feature-state for_k8s_version="v1.14" state="alpha" >}} + +The CSI Migration feature for GCE PD, when enabled, shims all plugin operations +from the existing in-tree plugin to the `pd.csi.storage.gke.io` Container +Storage Interface (CSI) Driver. In order to use this feature, the [GCE PD CSI +Driver](https://github.com/kubernetes-sigs/gcp-compute-persistent-disk-csi-driver) +must be installed on the cluster and the `CSIMigration` and `CSIMigrationGCE` +Alpha features must be enabled. + ### gitRepo (deprecated) {#gitrepo} {{< warning >}} @@ -1267,6 +1332,23 @@ CSI ephemeral volumes are only supported by a subset of CSI drivers. Please see For more information on how to develop a CSI driver, refer to the [kubernetes-csi documentation](https://kubernetes-csi.github.io/docs/) +#### Migrating to CSI drivers from in-tree plugins + +{{< feature-state for_k8s_version="v1.14" state="alpha" >}} + +The CSI Migration feature, when enabled, directs operations against existing in-tree +plugins to corresponding CSI plugins (which are expected to be installed and configured). +The feature implements the necessary translation logic and shims to re-route the +operations in a seamless fashion. As a result, operators do not have to make any +configuration changes to existing Storage Classes, PVs or PVCs (referring to +in-tree plugins) when transitioning to a CSI driver that supersedes an in-tree plugin. + +In the alpha state, the operations and features that are supported include +provisioning/delete, attach/detach and mount/unmount of volumes with `volumeMode` set to `filesystem` + +In-tree plugins that support CSI Migration and have a corresponding CSI driver implemented +are listed in the "Types of Volumes" section above. + ### Flexvolume {#flexVolume} Flexvolume is an out-of-tree plugin interface that has existed in Kubernetes 
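Review bot: In the `#### Migrating to CSI drivers from in-tree plugins` hunk, the alpha-scope sentence gives the `volumeMode` value as `filesystem` and ends without a period; the API value is `Filesystem`, so write it that way. The closing sentence sends readers to the "Types of Volumes" section for the plugins that support migration, but the only change this patch makes to that list is adding `cinder`, and nothing there marks which entries have a CSI Migration path; name the three plugins covered by this patch (awsElasticBlockStore, cinder, GCE PD) in this section instead.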
diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates.md b/content/en/docs/reference/command-line-tools-reference/feature-gates.md index 4e0931bc677d9..8807d19b2d916 100644 --- a/content/en/docs/reference/command-line-tools-reference/feature-gates.md +++ b/content/en/docs/reference/command-line-tools-reference/feature-gates.md @@ -60,6 +60,10 @@ different Kubernetes components. | `CSIDriverRegistry` | `false` | Alpha | 1.12 | 1.13 | | `CSIDriverRegistry` | `true` | Beta | 1.14 | | | `CSIInlineVolume` | `false` | Alpha | 1.14 | - | +| `CSIMigration` | `false` | Alpha | 1.14 | | +| `CSIMigrationAWS` | `false` | Alpha | 1.14 | | +| `CSIMigrationGCE` | `false` | Alpha | 1.14 | | +| `CSIMigrationOpenStack` | `false` | Alpha | 1.14 | | | `CSINodeInfo` | `false` | Alpha | 1.12 | 1.13 | | `CSINodeInfo` | `true` | Beta | 1.14 | | | `CSIPersistentVolume` | `false` | Alpha | 1.9 | 1.9 | 
@@ -221,6 +225,10 @@ Each feature gate is designed for enabling/disabling a specific feature: - `CRIContainerLogRotation`: Enable container log rotation for cri container runtime. - `CSIBlockVolume`: Enable external CSI volume drivers to support block storage. See the [`csi` raw block volume support](/docs/concepts/storage/volumes/#csi-raw-block-volume-support) documentation for more details. - `CSIDriverRegistry`: Enable all logic related to the CSIDriver API object in csi.storage.k8s.io. +- `CSIMigration`: Enables shims and translation logic to route volume operations from in-tree plugins to corresponding pre-installed CSI plugins +- `CSIMigrationAWS`: Enables shims and translation logic to route volume operations from the AWS-EBS in-tree plugin to EBS CSI plugin +- `CSIMigrationGCE`: Enables shims and translation logic to route volume operations from the GCE-PD in-tree plugin to PD CSI plugin +- `CSIMigrationOpenStack`: Enables shims and translation logic to route volume operations from the Cinder in-tree plugin to Cinder CSI plugin - `CSINodeInfo`: Enable all logic related to the CSINodeInfo API object in csi.storage.k8s.io. - `CSIPersistentVolume`: Enable discovering and mounting volumes provisioned through a [CSI (Container Storage Interface)](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/storage/container-storage-interface.md) From f1ffe729c027c1514bb4db58d96af43db5d49f16 Mon Sep 17 00:00:00 2001 
From: Craig Peters Date: Tue, 19 Mar 2019 09:44:26 -0700 Subject: [PATCH 40/47] Windows documentation updates for 1.14 (#12929) * Updated the note to indicate doc work for 1.14 * first attempt at md export from gdoc * simplifying * big attempt * moving DRAFT windows content to PR for review * moving content to PR in markdown for review * updated note tags * Delete windows-contributing.md deleting this file as it is already ported to the github contributor guide * fixed formatting in intro and cluster setup guide * updating formatting for running containers guide * rejiggered end of troubleshooting * fixed minor typos * Clarified the windows binary download step * Update _index.md making updates based on feedback * Update _index.md updating ovn-kubernetes docs * Update _index.md * Update _index.md * updating relative docs links updating all the links to be relative links to /docs * Update _index.md * Update _index.md updates for windows services and ovn-kubernetes * formatted for correct step numbering * fix typos * Update _index.md updates for flannel PR in troubleshooting * Update _index.md * Update _index.md updating a few sections like roadmap, services, troubleshooting/filing tickets * Update _index.md * Update _index.md * Update _index.md * Fixed a few whitespace issues * Update _index.md * Update _index.md * Update _index.md --- .../windows/OVN_OVS_Windows_Installer.png | Bin 42455 -> 0 bytes .../windows/UpstreamRouting.png | Bin 88719 -> 0 bytes .../getting-started-guides/windows/_index.md | 1333 +++++++++++++---- .../flannel-master-kubeclt-get-pods.png | Bin 0 -> 111844 bytes .../windows/flannel-master-kubectl-get-ds.png | Bin 0 -> 25610 bytes .../windows/ovn_kubernetes.png | Bin 106577 -> 0 bytes .../windows/windows-docker-error.png | Bin 0 -> 81774 bytes .../windows/windows-setup.png | Bin 51061 -> 0 bytes 8 files changed, 1028 insertions(+), 305 deletions(-) delete mode 100644 content/en/docs/getting-started-guides/windows/OVN_OVS_Windows_Installer.png 
delete mode 100644 content/en/docs/getting-started-guides/windows/UpstreamRouting.png create mode 100644 content/en/docs/getting-started-guides/windows/flannel-master-kubeclt-get-pods.png create mode 100644 content/en/docs/getting-started-guides/windows/flannel-master-kubectl-get-ds.png delete mode 100644 content/en/docs/getting-started-guides/windows/ovn_kubernetes.png create mode 100644 content/en/docs/getting-started-guides/windows/windows-docker-error.png delete mode 100644 content/en/docs/getting-started-guides/windows/windows-setup.png 
diff --git a/content/en/docs/getting-started-guides/windows/OVN_OVS_Windows_Installer.png b/content/en/docs/getting-started-guides/windows/OVN_OVS_Windows_Installer.png deleted file mode 100644 index 520f6ae9e6c54b752ef6b60df6d4b11a17741cd0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 42455
z_6E(t;I5bl=nnLeRPJ#(!8r$ECBDDL8=Kf;c_SH8zg)Z4K9Ptvu%oeIYrvYiOrfg- z1MIUts2LeFzC%`8lqtkHM5)fQHYh5hm3ym#`P0}CPy;&y9pRCI>A-`d>z2I>?hsBd z2*x#R&9Hs04M zba4_j-vF^2sRX%0OFGVNmbHh$MQ+vUV@tZ6lac)2WX!U)*k_wc{eaSAN=|a?6Xl{W zD4NXm@Ul7L*fkwPlrlF?xGxe&l}mO89Z*Icm9yqp2<~$-zKS50y06Q! z!;Q_vZ2}n+nVo2?oRz^23t06)#*Axto7183jN%T6I&&C zj8Y`uSvk@ELcCN}$#K0OaAd+YcfaX`mukhIAyB=t)`!-4arLC*fym8uzxD!Jf=TucsNen06B+z+sUVLc%qNq zSs$x&wR+%L26VTLNIsT7yH8%x>>3qojHr2jm6jYmx)byUn=|a_uL&Ac(_aybV#l6Z zM_sX(P3`YyN1D$LS0|@a2_tvzUp_BF!ROO6UaK`-Md!-b4H}IbAEb}stJ&0i zksvPTPDOZj)ig56tM*S4q&@2Uhm8V0)-IuX<9%8cYp>B_Zf?y*gUTFIMc@KIB7s3X z5Ir00vOnhi?&u{Tfb)zKc{)G&@dJ(5UFGDFCER*raDwLj59n5(?mcRYdpjr=1dFcvj=Tv}S&NaQy@O)7e|m%#zw-&^kA<4Hud zr!Yd-rco56FQPHB*x{di45tv-K!#?-qAzAW8KSSe^^C>+pzy~3eDJiAF1+;T(U9bK zSPQATolIg-VEk>wnHg1UN6$<>1ds`WKLh$qC;Y(7E=oU33!(3$7K*v)JQq zs}@%jS1z^nq=ozW6~x!{Zdo*UT?|%!MR;J^EYO%L+s5CE94BI3J7;s#-`k*RmMiXU ze_n-1r<%59XB7!9H5tw_lB3V<^3YA;)iKa<$d!V`40D`WE@669E_RZq3maM(FNR_6 zNC^g+qk~8-v84tTpQZL+vX&UONk6dLSH1(<32Pb8e>jY75!1yP@(P9NqfWuc@(yOP z^g*2aaFkH(niD$FqL7d8a=fZzxf1oUrvBrWs595hBN8w3YYkqQoWT@mp0H|AF7+qy z?n=tG<(1v;jiw3DdFRgN9Eapbwg*;J61f~2)LTlSzlvP9x08SoO)E_$oLn+n?D8*5 zP9_Bd@1JKHcI=p$9eCsaIkFXM{HXoexAnQoK=$|)nou%jA@B7o;}6KcPnWUq{u8_< z0~n4B$Ast~{ej0}wina`(Z&#Im&LKiRMZjK^0Aaf%?Pac{t z3pF5)M3_QnRgjB~DPz zIY~WiVj(Ir;F=NY9gYzVLzBT~zhZ`lN^a0EYP)Rq%~L^+FKF&CR-YiA$`I!nr4g=I zq}w>xenhdbj;Nl&H~AaouZ1poznKZ=fSLP(7vlY|N zXJqIy^g7qoJ=)+^;gn+Hi0lS4NKEa6#a*jv-sv5O$YvV(slETkwJvFA9V$nuaJV`+ zkprcCrcx8PhkUT8Wqw}EmmpWKXV;%pvtiRdN$+R+cgv)d8Y5@c`5~V@U8LPD(DF5x z&Nf~P-HRCP6MFqHlpaE4wo+SAEycb5mr|m<+FUurAGZK3&|hozFxUUot&|U)TKS!0 zvG|9zOv|%+=}Od0Pdg%H3Ed}R3P9Vf7lp<1b)1|6fm!OJ6HvP3eL#4|{wf(cC)Je<|XX75}S zhIf)I$I{Mw#YRA;oL^Sy2dU<|trl(5_AP&BvSZLMp_lShyO#Cj(vRW4c}9Vb9Ytk~ zG%mb>j=C4>KTkW~&}`hitK!Bn`~q}~`q>l5^*Fb7_YlM-j*3pA8s380=|aRVnuI14 z_#lsZ=sA4AFCz670^zdr4RscABpp{qdT^|$15qZVe@y774Ej$Hux89A6&RSvhdPSC znXYEy@LBg;+>-Q|wh=N=_EC(}cP8JN6}_pF1qI)A9S*;wXU9cIR8Hh%>}36N<1#Z@ 
zinYlUD%IrBe#uhFn_Xjwg;G}|dq5A^7Y|ywO#Ev0}T2>XQ*O7zno%Ye2RKw z@7IbSD{i{BhvoR&z4QoDlp}Bpi*9Sf-K@~GP?1tjqJ+?X4bE!aru%L`eON{eSG0y! zs-`PzxeZ>kVf9qWtk0kXAzE#~DmD=^92(x)e#q5pom2j7B$-7jO&0^~_A_p3aOR`k&-5K`ag0vjdev<^JI2hwBA zxM1;&oFz5&?z257R@5v%mJ%vDA*Qo$0HN(@w{?++HT6uIEMz@1z77K&`>@>?-Ye~f ze1J9Af%r+7#&6sy6PJ3?i0zF1b9{0il*!AKa4)3+;|bolznGL>#+JOW7Buot-R@AG zwBo6Xl{egQv-_9}OL5eQmFCEFdk0R!{<{11_?^)Si}yeI7;vn{+Hbv-?w!dMnfu}S zPvAJP%q*HM!J^$z3|q#$t5TwJPmEGVN?Xs?b;|;U^@66cg8%84CW?+4Nta`d+{0~Y z{n&q&8B1?CCYq;i35L3o6673-4stmgFG zItC7hiZaey4@!O8aq6%<4U@3m=HMyNmSdMB2MOkJUzL|)aYn+O9E?;*Ap!n2aUmSs zYc;`th$9MinFCP?ktw8X)8GF7LKcW=&bR_1Nska+azkYhJJM!pdaebyJAL4& zd*ZmW2Sn<#F^ZyC?@>C5{>lL15F3*E#nJP-KSl7Q#;*pX;|#)6%{pM2&3LV(ed*Bw@B6ETzKgDl#jXBGVc+=$9zUdanO-#gYrYLVs|#TkCO~G8K%|Zwq-!wb zfgMu_A1^_-h7og}Fht&qQR&r&mMt&2xJR}9h(e2=@YERI6-{TA{E0iRH-qW^dXVo> zzIQd3jT6zphRfV52P{H|J25T_51Yel+ckax^hWDwuujd{%*dtZ^92&!H5X=^*TseI z6ko2E+1wLut?n=sTI&~cIsQl-$>0y{!9_wmttBV5D-mf!xrh(}MjkS#RHlK!%E^lS} zdM$c93t0Tim2;q79okLHRfu_Z^gWxmh$^Ax8YgE5=8VWjr_fU>u@?-%Q{Z5#C(1IV zrA49o<#_PvvHqh?;XSVcM-`mE{lAXBG=#iI>tB{LD|byhlaAXyLsKuk^|MUc2;&O_ z`d9PNGLy~muG$dmXwc?yr-6lQAqS&>r)gmxlwuz17gBCGo-hH03iq(Dne zFFmXH;Ur4@io%qlJw=E2_SAto|KI~yIXs1O=vYn`qr098x#T>0-Y9JZp@}$iBS-Lp zt$%y-G98dUCtC5FE}6*>S0idX+r}0Y+C58LEd1yh!@%Y$!wl@PJo`6I5n<1zyh@u!|4HTR0^{j~~A<;*qE=?cUzqgJo;@#L&2GH(DJoAsd{2OMjj%EyVZ^yb z#BCkZ`g9dVgxCr};=0?85E9Br=w$Knm}=M35<|DZNz#(0fB05j<=ED@q2OJ(zNFe0HX>Acn^BJ9a@aNYV!U6s6{O3z<1mk?T6UvSv#4vb z8}S&Rl4)SN6DaM8xug$Pwa)3Hl+|h>k1!m>UlMPG zT?P!@sTqzkeT0#Y*F5R=8ri0V&AydXp8K6x^VHq9_Sh4hXO|;=ea?JtD3tpCN0$7& zX&>?fG`{QRMsB%GR!G$>Amo3vl~v7tZp*OcAHS>Ug2^M?hT-JJ*NT|@hxee}4z0!;0AQ=mVOodlz9yrH372E_Dx+AOod6_JLqmvwGFxI}_*^u~H^EHLAX20)b{Yl?`XwCX za#Ux{r|t|g4{%7!_*SYZQZx$OE6Lx7oUv}95$RmgRmkbKw)U3?bicjlyTbMfe{I#z z9wpl#QP7#&ZE}~t&e>6tBJ!Jhgj3uti`zwDh|bH-{K`I2okUYHKr0nt*0C)G{SBo| zvdx6{Tqd=#zUw_TV^u^bt_0NgT{e&0Rubt`xIRqMwFO4M1TKMBD5*x~z_I$!>}vr#n8C@BPLs_5*M z1ilotl^P#eomhu^J(2o;e(V-by0p)x)Y|Agw(CGsV2mfwdv*?5#PR=G)Uk!yxGFl( 
z{Yd*j;t(-s{c_|)%Z%Y%(R=AJ7B9Gm89gG$qSURC6SmAxc@8SGL+nk;<2d zr*v(RkrD3wTD$VkQ)iy?VDM)#Y2+O)czf1HlDdtM^oO0~%HOAsn{Q;OU-KjqH5~kG z5DJ~}y-j9<=RV55%Q(8XL+4D1M!{~qLRil9 z7B_I0R#{fdBYESsy9mkksEyR3y3`RlRFk!(Z%ZcHnA9dL?Jw)^+EcxFhb56bna|%F zyc0z9#b$`UrPf7`Q;DuxJ$p78KYZignj))fUXMM{t8}QSNM#D;EF@`pB6-em#Iwsj zC1;a$<7sNd0)}uOl)1txxY=Js08Y#zJvM9+REAw9XxPDofgDZ!vx>}Ve; zT2437=}Z$#PF6%U(IsK&G4j_yWmTud>MuT_>01*#>2X$3#d9G1Ou!VLZRfQ$VA5*4 z-9UapFn|uWnNEE}s6@_2ImlyM(kodxlr~AMtmXE&lpF=%`FX*5`F5K>j@K=fo zL3U(mEy`b^<*)2t-=nsVmxV`9uh3_tm{>4la%R{{(O_-)%GF{_p%o{d>y-TgZe}Lc zOsrnnm~Qhq^JvMy>x5Ff5*)f%bJ&G-$#yO6PBt=|{N6reG0K!4QbB8&Mmx+zIIksz zMNm}d71CbW@NVC$+LA1aDJ48j)Ai0Sk0eMTcHKt2bG$;MntCI6|GVPgL|V%rewX;b zcJ>t|k(2foVF5POvqyA*f!zvbkr;ids@DD?h|5?g&PG;_9bidrgc7xHL}XS~IW3wK?@ID@Wi{T~SeU zoO^ewYu;zHej!vT3s&VP-1a~oqRYFN=}HQUkDet1D`PR?(pG-8aAmu$ceE}JO1@4Y#$Alczw9pH_=Ept2IhPdH0+_V$e4x8`!AK-PVSzjC57)WKd z8@DNNe^lg3fp@MfF=c2u??Q2+)r4r~Qr%K{JhUX3|0edR4Ba36V7c9O9~!U_mt)S- z7OWv7R}@?WkyE(}Cpz^Y?AOSj!RQ_NLDQk>QuIetknxf-zS7N9bIq3YyZRp`%u*|X z$}!rNnRi-;mgHSS9sPpQ_vdZFD;?%t*;x*xP2?K0^KevU&Q#(Z(aKStgOtP{V_1t1 zL|h|E#>I0}K2e+BflU!zX&69mS05#62Fe}xAYew0&F%CL3?()s=kCWLulHsl8eBll zuWYHk4wUcILlbPeOyhX`@OE&mnuAz`3BvWv+_LW^(AV;4nfiUX79Y_d?1L2v>P2pv zmdLj8XbLXfOs#Xnph|DR?oaF$7rZE#Nvae-CECI=Vj#4t@Xh!|S5&9p2Yx7y4gOQg zgEE7Ou%Wh<$kx(aE;k+Q)_`TI2mSu5l%{~jW*E^#62m;=k%WhX%AjjQIVv2(oc zUmrPp+dNu{yoNX)Pcw|nVtKW8d=?O%cS6IHUM7R8N6R>aBfut8&pWR>E=&hmjhdCI zSaP-KL0H$;G&^+KimI2cB$7QfxjH31wc>HJ*n%D2Qq#CdY9^kZ;wY-wy*ZwMwpb%d z-bh1~v?h{*WXc1y5HfZD-g!Z%L|OS>ILaL%H`6g4&UUL}C9z6Wt2!F?idk>xP?2^S z69uQ}d`x3YwYhjjq{n+Sd2drxnQk||Lx*|L?vxrz8W6FaJu(V`l-94!)F>UKEu1;F zbTQZu>Iyz^Z^L^uODsA`d05K6& zF@Mnsu3CD0uL}hzY42AaNMF#f-K@OkRbsxTAu3FQ!DKcLZX0BIzGV!&jIyG6PhI!i zPB|+!75UAGc&T2Zcl3&}xg-Z^dv!yI)-bEvRr!{M_d!sF@lC3NT;wak63!BoMRMZa zR`~&jTvs13`()=>r*3sBNLU6_sbQ26uHYW$$ zinf%MFD;A9jc&;~VQgkIA9%{V$hyC?j`@eZeO~Ld(QjiBV`n6UkGj1 zp@}T9e5z4DdwTr)8g0rrJ9Hk!k4=P)g6_bxAliA)eJ#nAR_|-!wiTVm7D1`NWQpT} zls!!=C9KV(+?iHcNyT)2(PeQ_PQO6tI$ABoC6^1{M9X+ZAgq-{xZMQ# 
z$UNl0+TseWyXSvY+;_?-8h8F{d)L`kbz*{YV%>+?oD{34FP`@h#dn@p2`e^McH3pd zTzWnuo>fKJ>wG;iL=qUID$tSl{t<$E8NNoqeJ z#;&QcPz{_V9(OHW61W^RiyxAYM8J8`f7}y87D!h4Y##R@Va+4&!+j6$@}rO|griT? zZ3FUR`9H511gB<0o1`}RUP=+x-yu)FO$XAk&>a}3gtUz}l;Sco#*td*n>+K!qOVQr zPPU>Lz)ihD9-y_RFx~De?Pski`dH+2D1C{gP6rdCxTlwn=lqToTXOs~^v3omj1~iY zF^%E#*ycF;QHfzRLxBm;LzFG*d3`)hF3x!YsWx%WNSt)mTn;%yMq;f){|W5PN4rW6 zkSlf}eX>c!O}xMqldY*oNd43?9pIc;%X#JsAExEKuzlho``-xcd>;{#c-jk{H)-}r z+T_@MS8%<0EcLO|yrGLo)ABkSM`)dTtG<|eIWZv!%_-H-#@gpikSmlwN)-uSC@$#|Te!<% z5s^JPGy$|)M$*b}`Lv8Th(xa;iFB%Z2)Kbv&$cYc0tYKzs-Q#C+(g zmK+1K08?eR(&)Gzk_fbx8yv+WxJvJvUew-EuBn<5ss^qn7RC-*E4C9tu`L}>v_Uq$am=-b#$Ejs#$>t;K3PHy% zGDnDGOB+^jB{E|iLicwVb2l1R=Ax=hd<7C-$J~91x$pB|Q6Ni-Xb1W^;cq(D=xdQx zAd_Ls+$8FrWBdd#{70rEj0CAkS2!nC3d8!}hVE@mKRS-iJ_taV0k?$}k%h^SFP#Ml zox(zEaOKDz!S$Ut);8g^+B`ilM%Fb8OUTy`5KnbQjMW;GB*Vn8gJ!jasB zOiTyww^j=*IgAsVi?V2Bl1VOdW6tjTa~F4Jb6d5OwtlC!67>ZQg|tAX#AL9w<;Ek*78 zHZCv9V&Wa~X>-w!gp`3i(d-5VoK_=@BnUW=u~D2?<@NK4205M*aTzLQCYW1;h<44~ zE|J8ZIJxB^zGsMU>o{_J9Rxkw@3n&iSu0V^qf89E&E5{y&sD6qnd|&^ed`dJ^`p=1Axu8?aTpcx~LzCQm2E2aKPzD~xt=O2q$1}bz z%sSFVNvdQ>M%)P$x2g^~Rz;O!Q| z8~4AJV^7aVY03etrkR_(W@)$%yK}f1*7P*9_v3scz@_ctfo>L?yU+EJio^w`R-?G< zl(@!;?sJu616v4u*({M-&Qir@?dEqENxD{=uN;)h99QOngY6gE zvDiMX*}CwH;zeaSBZ(uGBoyw#gI9>o`yi?-OTeVQN`yF1kpZ=%m*w?VK^yG7Eya$4 z+b!6al!V8bY7g71C~q5a{bmV^s>`s~bQQpQ3Pe1zgP3+QDNQP=Qys;rm4r|#q(N+J zy5v(6BkgS3_QJYwJRmxa1ovI4)oVaOZIQ_*&%HJXqax%uxfW}RKjpkrBQci?&gn>w zIXu88E)j2OtH*n?7-yBr^>8UtwC8Uv@BXc1=7h7-$aY zSQlAP7xdcWySvwTLAdahofLxqSx1EFc<-NvWSI@FV{HniI@AhhX8eJO#66#vm$5VE zRXBswO*(SIroQ!R!z!yfN7ZyrXI+<&f>}M$DRE>?so`IXpLKrE*IqmNv#1;sq>xxq z^s&7xi#}Yypls6(4Xs3ewinw6mc`Z8$AYuJM7+qoqf`X$6S20-y{(vH=5jx7UWqlO zX|6ofd7^l&g-Nb{?{Uimtab;)OWL20wT@#b*rTE!8|N}Rc!~`a%*_c))WPFaSh-4f zSb;0m;-m51G~h&?HkXpp86W$O^gdEQy(nFAfGj7QJf^W(QXqzNsXz!!8>k4Z~9oCH_VAgPV?z}#|h%0UOF&Y4psC~2&-QkHGs zuu+~iFe@$}l_64`impxFGA0$eD=HNR$|Shg$dNwSruF-hkhLyTEtNbVW-+@$kZx~J zw~5Nl4#4ZiX<-J?J4`0UTvP4cps#afJ0(qXq&lAIL+V+A9c;J$alH66v?-oJFWky! 
ztSEpRGQoLwEa<6ANYZUGQ75s<5z|EYnCkMcOzh-Z6|h)trQ3$j;1-XQce*MUFP&CG zqQmMJAQ)cxvxF4TT|a%Y+cX^~t3Yr%z9U$;*7RUx{z22k82HBKa3#Xkr^2fE|ou1v#>P3qOY+yy|LFV z%`N+Ub!3YHVG?r zgVD&U;iKEjqs`vc+@ z`Lv3>tZ!?j7GMG2uiPJtvBP^nt@0P^lWsRRrZKntDP*bOcuZSNsJZJvpfp z&C$jtyKPohv6!wL$Ig`=Na?`d2uST=(oTdhqM{ zx74MXG(Q=_)LvuXy_>xSs>TU#E%@e@37iBaOS;5$+_jQ0;~XOP!puciwt-{o z*LCErAK6!vUHf&0m0cr}k(*z-!|M084p%~n(OqX5dg}U8Fp44Sv(bZ zuuIQZdPhCDni}`I6W9tVA>FcD0H186id;i81z2zowK^?fOxEf=^pZc@1c75TJmY@s zFP|IGN^SdB9L3p$P8&{eZj5wPBUuz)6ugcZm*HA%vZMgy(_nZi?poYY)E-_LPR-Po zCuJ|4MGh)z7X?zIWy6ap{5DI0nyiok=EfJc9}_)HofNV;Np4+ET@`TGUpMg-HDl_g z)-Gd%Hp3ybYA!{Lin!gnM;uttS8r_2UbOZXNnNSz3H7@Y&{fN`w?HziKf39gp8s`V zU*xh#gHxD$)K{mqg2-}GqmNK@VJ{j&FEqF4u$0>Ex@2I_>6Mpm$X~V02SlP4_=h~p z0JLXWE|kr7KgE)0bvgDhK;xaN$~U91aYuC5)6}%G5ER$WCx^VMFR?HHq=KQ;aAUVZ zFWQXGvWOpJ?%34R!~ap}8HYY*u_u(`&q1(UE2hTZ*>Hk8e7)F#Op3bLTl15=-ssRu z{_@5tbkdL>mE6fq)0!2uTe-No0F&=YiMWb7I$roP=3XKYn(0Wx6w%_T~rL>9s~zxk6kZK^-y3C zksX73u8E2#t#iBCZ1#1ljX`jzY#O$&r%m4Qf*2InSz2o2D*+#^-)rh74GkT^p{9f& zTiwhziSM0DZeQSfq&q>++2T;&oWM*}^U)J7^46N{n-{utQ8=lpTbvLeU0Nn8JsJAk z`?%urxW~}&^;jum62Kmcu>En4V;o;WM=4tim$F|0S7UJ)&tUg!f@6p+J$&=<_-dZl z?=Ss$U)bZvEKv7+@v?oYM?!>ij<>+3xPvE~Ai=glV0p_Jx~QvXQ#8i0(w==QhZ%PM zao#jdgi+%(z|bR=>81<3Y;)B}VOdT8|io0TMXQpGLC<-4}+*3P^TFEkVbNN`@MsEkfz)Jr3 zdom3F{9k+D71h)hwF}Y?C?FzDnt+I*7ZK?oAWZ>-6s30srGyfCq)TrBq@#o;0s>M( z6{SdMQUn47q=a5W4JF)-=bZoLALBm!WsLi9Uv_qOvgclF&b7X8&AHZIGn`@I%Kf4s zc*t|TR{?P%>X^sGmn_GXP{c%e2mdc0V>D3lfj%#%c**iO4`B9IQ_qObr< z=cnQ>62`YP?94@rm|5l$pC0M7JHnd74KH+QOBPI;v`GJQIdmcJ`y3O=AL2G3103az&;<7V*p4WRSJ0)%JQ?#4b4?WL^U?GV+UK`SWz#{q!Sq_dZE>=*dA{D<&41&4Z28 zgQVC$P^#9YHP>0t@7WYgoO#=Mpn3-zV7vGm`e_czhs7+_jh%H-AlRM~Yaly}vFSLk zmrf3_lQf7$nfR~MiCEJc7|z~0omKl-$CA(J!w7SX&*_ny{cG=AAB%LP z-BR*;c~+JWa_19d*OzW!^^?pID#FNOA^^F@XH zI%PON^Xy+7Fnd84snUD9g?d;Sitw&Ch%8huuI+OCx;GNa!W`y*AM(y_&;H(Dl84&8 z167basjj+qF&cPG(bL`J+@DGx>A>dfrKbFz9QF}<`4WHV~$feA*hzN3xR$y2NHNJ77t1-=mqS@OJj66j&){PJZanO9wf9{Q!uX8(b)#53Lq 
zZ=X9Fqav+@+lsD}rneOo6=ADz!Fs%FA?%bReht@U*|W-&#Hk#IjGx(NUsQj?ka$ZN9;>@4Qq%-#|%)Fx@J? z*T)gNz$NmG?<@Ui#&r;#$0_5xBhi?4h#q)D>4F+DZ50&?MZH|Hpv~hEGTD2s#maZArVe z*Uat~n6i1_5?s3ICKWdUT(bw*N-Ec@PX*T)Sn1Fn#n5PirSd8~UWSSZFBQ=bPGva{ z)VvGf9m6IK^A-E|6+yjqcI7~6YT`wK`FS^QNv?5>rTVovX>hm)_pv``<`y@BiUhp@)Hz;Gj2WA7x+B$u>`Tu`Ifu-J{Q zgDd*9{Z2zGdC1DPw`N{`jM~UY>51!MU>#Lstc2oYzCdE&k0Dj4HHL~Toi9?m@~;JV`h&jZ z)AdrQ3GN(+RtjA(!XE*}W=#+W?lS{{v@L(nu1aB*$VLa2bhs{+O$u()`baH&k2*I{ z_CXgWNM@U#{c$}?6OIdNw=A(}f^dvFc4^NocO*A%B@H@M3`g&X(kIutle+H~<}G&n z%^JR|n+j!$-vNv0>&#V)r}pg3&!7+2SFyC4c862Ag%DdpEA{Z2?%J5TL4`DP5gZEg zvq{9YXt$FfV(iQPbjZog3wZvh1~(#ZE=_sXrCb4T9BsC)pEIO-UE?>%N^U*V%O``xew?t zk-bw~J4_){<1A`;3JwK9hqmNyG5e2>%;ECyT5R(^EHNmGpWl{Mb1v@CGFZ8DqZqJ| z`#p2KJHN+$v97*4HcU)tv)w@`!RcFEMAfY=A5WLjhxds)-RC0JQ4(w9vsH8hVZm!L ze8|Dx(jRXSQ<3D${WV2Fhf_a-on{}Mol;`K(5bIwGM4Y_wn?Z(uSHf}lNOcId7q7R z?x|sZD7G{3{Jv05xJ@s0jd2M-dr+!w9z3lmbqAFajpaDVGX-*e8$Li`H!oB<25*M( z>_jiSQ|z=i!XYom6nn}C%mj-k*b(2UiVUuof!?aWqxbHS*5mJgpCW)GA(p}KaD#-I z)UMig=Gj00f-}83cs1UNH?&|p#XYJ?gUI0H5S<6nqda(S{tl|6wxe0M1#+2E-f3=# z(OaVFuSGhFXjEVFt0j36N|$bxicNnkuF>Nga;M!Qp0`D6@kZ;a6FQvL0_W@T{l%gI zA`onT^{<~H55cx!bfo*;Io498%~S}v8#RfZskkGMM%eh*hG%h+c*O($FnD}~Z>NAm zpu18lFx@N|>@#BbAcGyY*XxeoX+LY92XoxD`J>dY?1HO27B25E)2bB9vNsc}1raeM zhTZgT-<>0o$j93r3~bt6bIb}S|AK`KuMD+S32j{`BmP+mE+E?&%L70}y$K?!_3-Bg z3+Z&e)uHMY#j&GUPU8`Erb=d>#Ot!`%YyqW_p`M<{f3(7itfD4Fp1=sEXQ$a9g}ML zkOjeYMc;AX)#y}Uc4M{_wT6LinoBeDCg9q{H$e|bDD*?GRJTbv^5ql8js0LrtKDZI3Hm?oYdRM)coegQ+zBWz~mKda*H zxycNfM+%;uCKAVpu8~1U8@M=X}@%VSJ8l`Q5UG z9yo8V2-wt(_XC!h&~xe#uw?73XkCn!bltLI74PK1ah+|Z)eK2HV_^&77j1RtJg+gf z`Crs?DTdR^nM+?T!}T6dpe zwm*>K{8ZMwYgA`Wh*h+y^Rh}w*0+89EwV)WTaP^t-{@VsW`3F2d zyCQH3N7bWpP&pw^8$Q@Ua3JC|ey{(*&)ky$uFcOV?SBn-vjrE_CE$=qCn$}{xhC8t zQTocB*CV4Rduf!@2ayb?ph@L}DY#-zw+`F*MM!`_bI=8Oya!KXxiG+uJ8sxnOVyC0 z$g`g`c0278G>>A=Zg}`XNKD@?d|p-63H{=|UL?J)_iujnEQ5x(dBP`~}0z41?19ZQdLs)j~R zZ$&MG^SQ9n|I~%^Q$>~|6eiP;LrgJsJ%Y7*@r=DZq}YAzUw`3h2%m-VmqLH84TyPR 
z3c$ZAnCKd8Srax6ewNC{b1IhC_VTL`P!Y&qt%tv|*N=9#escZ@O29GytMdM{&0B;^ z>>_WCI1(W|7%G9(37XcpCnP3>9Lh}k zHUpA>Ti6at5#O!57;CvQ%`p&dG@T4jp8273;SEeK-u7?+N!>=?tZo84prkKMbM)?? zfNl3Yn|9~domE4ju}2fmj4^R>a0wA|$;mY(vD11U{Z z@b^pf4f>+Z*uTcaZ2&U4R%6U)3T8;1cMsN}!9@2m~AMko_kiB#AgP zCUb8T+K#ZT@2A6N)s^ZpV_#b)U+Xl8xyCiQ64j_%8CEpy<89OxBgi>b)6l9CtWsF| zz*AU6Jq_&)Hfb2|>h1)bFBfxE?UsdPSE7ml)kSHp{N#u3ArxcRR*I{{WdiHDE7-(+ z`xKp}!oVi=H=z>|uV!WXAJP9_K1pO3F{-P&i6w$tzXP|3ccrH4_@vJB<&4$Nom%NW z50&m#d`mLr(krD_SL*VNzia$M%DtV)^y;o;ZfW6($FJWh`g?C~reJcyGw3UAQa4&mO-&tVe&wwJXq5Q_+``S8 zHtp@BaUFZ{dToOL3oO;n<7LG0b6fcK1J}2m*^M0Fi~cci0Q}>v)gbA$sQE)!Lu=5 z7)H#WLc7@aNj4-|G`#Fe^%eUboMguRXZ?G+(4F<@Ps4EMzo{p0vd) zlvOQL@$V#z$G5kAo4huG@PK?y7;)E@df);;&l_;ea};*qIXu8EAH0bU8>M{oNy7pa zl56}P)MWUD6?4^3;wB#sA?Mo=%uSCkP?t3@zBz~{J~4W2@Pp~E86%E`%V2Xr&`30$ zHvYXlpR-}McV*7~Rf#8a1=PCpg`(jCDUcNwQFVM@c;-mCaa_K`ty*z?0)9NQ7*4U0 z5ZIIVLpg4aigk0IWqH(3XQJutLbB=y8b%EyF_>nxW4R0`6+^+jP8#DY2WKz+*Rg26 zbM48?ei6aX!?I0MZ#2MzZ0cV5MYe_Pl)4L^hKq&sOlZ%}V$SC2AIl0}HnyT4oY!MS zq6eGq7eLt*of06IfD&JRM7J6atQO9(`MZHPvEIaf2RwlPTciKC=X`*Gr_Yt@T@$=! zb@$^tB{eTZbRY$=d0KzYln_(t?HV7<@Ii-B^Gv8O-x8vBwxj^rzEUwm`U2zrCDg{`twqxGfG$co_JoU0DP9$`crh zLTUJE!pZ-1$nweLwe=M|Ql+P}IlH<_`EKBQE`F?!7~L6tqNK+MMYV#giqG!ilb5JUu-vLB6Of!h?jd$~;#oQGclf z)c?`iZv@-?7v=Lm=avZ5j7sJPies{i+VM-N{gst`@xy-xqJM4j-$JwhFXVqru|ZK< zJ_p`0jrK&#sR{`Hsb}Q$8Vm*gQ=XTUT=s5ZiDD85HSzV@R7#2f?Fca^!bymTm^pwJ z^S?2-r=;dH8^+X`9VX_!Q8VU+84wX4NM*Ku+t{2%a5s5)IeXc7JEq$I=`wZ z8+g0l2+#qa5o+z@@7sq)S>rr4(v5>aEK=HQepvk2FP1-ZP;0XR*X-3TB3_yVUkg3! 
zrD@Rdtq|s_eRbb)+O8y@VlhSPsH7=X1+~V7?L7UQ>d^a!hqboU1x-Bhz}B1_P5d`w zy}Cj2nI`-RrIS-n%*I6RV}}9TfgM{_6Y15WiWPds1S>{t6^Eiep-X|x^t&6s z{N8mB>2e^NXn@81mu!5V(?30{hZ%6HZN04QP|$Mbj=60@O(x~>#8Dlh){^Vn| z{X)*K8}0p7C5bZdR&iXAIs2-m7;PDy_?-O{khs3E{sXhr7m1h4v-z-#j!}YrD_$>k zKoJf_6tULclkLL6sj44fR=m~4@MJkCOhp)KVfKY%fh@KuyEvqFX$D_;PaN!c;*^@p zQ-sd3*>m1wtsWo#D9!>eo#7(~n^S=J4l|pX@>4I>ST^x30SQx(kxvJhhLurc{x*_= zo<+XVW43PW;epfErE;b28#Z>G$-={RRe8zYJQk?Ndan_$E2IKSC-%Z2|rRQ^en&*bLiEx=nrpW?Kr=I!GU}yL&LcQqH|o?fEjLiJ$h9;wm1^b zBx5{sZ`aaQUWUE$PNR=zMI8Jj;7ygrWY$bRiJF{)gA`4w-tq40XCqMEGzZSQtnp`7 zoineFa$=wNJ2{Kc`Agy_%rl8=mR5npcu@1{xam)VLeOxX#uSqeO{!>w{B%O%dPixr z?Q5Y$%WhAk>egwmuwwdIwcoSc`+_yAP-D5aMH-=KaSpR|*=C#8nb-5O#-CV4dzFwy zu9o1y;ml~XLyOzK_(41U%)I@v;p_VIx#kCp-CXGhBBC$5Gs{N%jZP$xGxVq5U3&>1 zwWL{Q>>D(>MKW|KQr(t?F2bDqtA4xSPiY|L<%euA21v%FQNUS-ZZ)4mYty_&5Ik9{ zYQL~izS_~6aPn9$VzNim2QeuD=C7c33+z3-TWsdTx3t0@w`Cg`NEk6~nv`hLw8nR@ z9mIH2tMaGUD^0N-xT!E28NCv+5%E%hTD(7+&r3Vx?-eA1J}}$W+r3sry~ye zZQA^q#Ot$YRbp`kzL;jhS5RVZ%eYyhdO`8{aX{!x))->vN01=NUlbIGQ&S%Mg&@sK z;Aw$4xKriygfa^I1Uj|dJ65M~=5v6|oIX9G9*}d?w;CN^^6d||iJ}LF8E-T#T@8_2 z*CM5jN2~@u_iTDUU-y5tUo~dWBoB)b!%0M&A)S`vLjbp!=p89JkWohRmr7dXMDf(h zNOgZD4a5ASokscC0M5W=3SiJ}dF|_UF5olo;EEwi1i5f+7Z0Qv;DFA`0D%vpN0&aM zxPWI)kboipVsWHJumNI=<&Ce>0G~ulSN}UaV~R>kP3_F423DrXS3|d^p)&z#njqa_ zk171c`V?A2)T|{j(VOQN1-U4}f8{uw32)v0c6q+vH5Pd=;Z)sf1oQEnVj<3AQj~B~ z&|QrcazS2h-CmmS|Dor-Bt>XB6-B32X#1w(Xkka+=Y=hW@SD(9C&cL?p(8F=rd4{A zEqi!ffxwpo*PV`i?TmB>CPj~Mo|FiGRXva*a!X~tzaQBzeFy6TTjcA^&JS|yPCJiN zMw#8j@>~L&10G-vIhf-Th?6b>2l#~*k_k8_x_lO#T&O6z+&X+6(EeL}FMdn9olguV3@#lM92S0Yt zJ1e4`YnL|kIm3Ceo6Qs7%QD!#0W<+Nb$+iQE%IAJs_Blzgnl6fewq3yYC}?hS7aA0NcIQ`%9QdhUnGIS=64SbqXy z@U-_^elu@ZW%K)w*5=!s4@y$BrR1tb zzpA@ff;Sy|Ok4t@E93otleF!lS~yLb*CY9IEb&GOWKpCbkx$MTi1?E5++2TgXSA*h z*~u&Ur7{Rt4aNA5;?dErX`JH8nFUxe;A~9fcfx#FFIXLKo$%qqY8 zGml+nIa}`cG|QkPGRLT;qPb!2pSn#HP=#ztsD_C{%*pmGU&nWwQl`X2iou%D08(amQ^zhuQsK@MbN zYh|DJt28@C$ibV2rLS-8R}Ze-*mejeJNas~DQo=Y?&X~`hS%bp^*bx-;>fKRDVe#w 
zv!;b;qY^QW6i8BTrRX&f-&Qp0ZfukO5Xn~kY`QuH)Q`phg>=U|7*!^0m#nQGN_=J5$I$m)@@c zL30W?o#D|U0u^sHJB~C%rA*oO8Fz|Gzl#JIXGi;ew`kVI8(gC3IUR28t#dUxS#{v+ zX`3^~&dnBzU{PV~H+a$NcE6qF@73qj&1xaVRcZ!T-1W_?x-q{(D?fej}`(PVPd+`B+s7^mk+wmT*VA3`@4xDh?v0=4>rvd5?P1+1NVi3o@uy43lHV`9SX%$H>Lp# zSx>@mVP_xz=!A08sGxxDmo>cAm7NS2S@;`q}!$or*CA&EQ-j5O}Y0TWO ztl;J4p}Pez-uZrqtP0VC61OFQRUWE*0A2{jxjd{!XJuq)P5bXY2F>9rp1SUG$=0L5 vgj|*rqxpV7NDO(&Jeq*VB|yX^bkdtdw7`;OMpR=YvQOa=e|Zm2(1 zeE|Sm>i_@+kc7Vqzyu_ry3I;J z2)wU)`z?Ur?zc`VYE>%LVA_RcDjs1r&((XyYgC|BA?-Q%^ZG^jp1pS^bWVN^=IT;f z441DcE14GE$T%4CaS;2lX9y~H7_8fvbNlf-!TT7V9Tp#tJb`0U_TbHm3b|iO3USC2 zlr&2I3ntF>Vui?4cI(SXJ=M=GRd43lrfIqA}r|!}KU3S#E zw?AGO_R&o2NvnsGz;a_-Uba`s&itE7QRfpjSly<~QzQAc!hlW72|ILza8^aZ<1$V| z(J8HKHB-79zFRQs_g}80@qkI1Pt8VP0L)|SRN#4wFRq{Bgk$cr!MucnfM+@iY$_9b zKt>nGBxr&ory54Ju2GH{>J9}u)ztIMOlQ<<{qQkB+UI&UzeT+)KoT1<^!%V!Bm0K9 z_nYClBwH=US|w%U`O8qb(A9AVG%J2*G#7TdKTyf4_Tt`bDJVYl(_!EY4zMtDk?$f| z9-!(l=yiz_D6wd|(ZD7eaV+{1aa+{^(4tuoSYqh|a825$9K!LQLxRDqwiCIBvl7XLbUDyhx8tg1##y>Iw4R z-SE*Ycv2Vsm@}A5}$R7{IYSY!ysq@ca7j{yd{A( z4SqhAjABOxf~#1EuaEk7C3UXZeBAp6x!8*{ODx*u;`i zbp#+?OGI~;95!u`P6KOFH#5#eTOZapv}*fUy5B3KrUrKpUzq@hbR#X;J~pbGQl_uQa+#I^oNw;&Y-Q(D zxrR0gZu&#D&Nbo8YK;O#oq6&;k+;wQM23@o$em=>MOCRM9NM7CU< z?vP8_W1^t;QhUjnRTCYnwDrF< zsWAhYAovJ~d$el~3t)je^hMCS)DV_gQ?GuZ`Wl;oop3~mkSy;jL|L}E++eXBDA-51oo1t2aRUs}u06N_``9J~zvqs#kszuR z%%jV!gXL-UUXh-%rRqRy)@O9HP<7yKm%F3526+&+7lygV70rjL+Nnl}86dpmAP>9* zlK{vRx0^{JNt-b6_~o$*P0KYNSGC*QveytI+TUssh4Zx;bQr^SLF`Un;%&nSeKRAus zb_e=>J*84WnaR|#cIX9Bm6?lUti9dg(QZ`+N6NTmf;9READowPh9RA^6RK!`IQlLJ zo8294NvEU1MT zI+qrIqKmu`#kLt&x~EO+G)gz3#+1Svu45J@TFMt+j;N;M#mLp|T|6bYB3B+FI+1+4 z;)CDqoQd5N!ZclgWcnF=#x*~EWvcxvFat>L)O?9}Aid@^%)-{l4$_G&Py0jf8R<;&D)@^)$ z(kM4?b(p~Ed@vH^M|~odxRN7j6WADt5FsFdk4)}Wu?r!1fw+?)fCrd%V8sih{#a? 
z`&8}f$L6;CNbw@Ez?>LgSefsH3*$AsVe}mEpe72#+^*$$Tk4U21jGM}Pt`&=L_hypzJX@IQ662AGt6mNu-TfrMa>h*NceIXp!nZ)4 zLs!~AbS%aWqMi*LowwZ1vLsusNGC3W_(ZbsH5(JoR7Q1?wrKlUKQIG#?a@7#a{78a zAn9|%3T3HkGVWe+BixU9*p!WlQq-P=c{r11@4)JrbgW1#xe60{<_5244#)3o7XuN+ zOl!HvfRe}0&f>-qe-&qtC-|t`tf>S@*r=1G4JqW-s%IAnYUhVW-*uQ7zxUk50hCGC`_!++rf9mfP9%)&j5g1BdS=3#X8`+oDwoK7Q#Rx_MpE zsrNYDGu1ouY;DN9S4^gyJbUd$Ic+N+=-S9{u1Uq-TOH_7;&%aF^XUO47qFE=SKJ_P za0|IyrQoB6!t;mgwBvzxr*?gEhb-n(HjUG@-{Q-;<*j^#K=2&vsUXEstl-CZ0gpp5 zMZuF|lI4R~%r^=`MgSo1l(3N(vTsC_9qJE0FQx%PVlr3?lC3nTJ8a88F^c!gPhLt- z*zjQ^hV?`n#2$ax)%teL48Sq+Gg~V~2>?nzMfM8lNfkxU)hqQRSPKQQ+I*nh3Ex-F z5`;hYVK6*OuI!CH%Z_eB30G?73T;`ub3I*2zfQ|c=uxTm0;pYTAjLG#%cqafbn~&v zKh3Xq1?Sv^`kMTl>BcW(Eh&60vM8TRR{3 zSm3cqs+^1?nZr+34PLcN<`GwTe;~-)=$W+4i!PaZ9y`cDnj|fE(}@IH#4hk641h=5 zPa(yUc)bmbInJOfxxIAL=>q^ZaN9DeXFK_#8uZmGDTsJ%Kl_4-g`TXgA4nhvk0qQ* zk8r4tw8)2+b1qPE@_*#gpZVr?+j>b?@7{^PR|?c%Lk1Vwa^tMqb*=ggv$cU9`y?d! zUd%${{-lCvP*+alhQ7otWr`LtDW>EE?WBO+#TVq}ikPG0FK3}|y7BhDP`yebqv$cb zrwEZqm}~n0%ue5&>eeQ+R~3CT5zDDY$)C?EP#4c;`Usi*1aJ)ipkrt+@(oHHaj)tE zLaGB7&<22(C-FJl0i^FaL(I1YKLWh$nKNCU5RTby8>Pe%zPWT7Q zcIOXCT5R|}Qljja8F|N{YasrHCV*O7GU3ckkbF+QaM`?-+3IIH!Wlu`ZqhAdegZj@ z zDieU+s_wFHH)ym$t(dp-uO%_46a;u3YjeDFWhOUiwgtlu>pY_^ixfAc&ku?ax;;3n zkh7QHTBhHeOxN_4GtHZXyX}C?y(~#@koVGc?8ZnJD*c{G*QC!mGt(Ea!sw>^(&yLlqg-*!_l?Z z!RsIx0x*52FVFzM@?0`iJSW(hu)0;Dwy-8$tU*m4A+hO5&g{XQcD9(=uW!>F_G>;R zpCaD2@p6U+8AiYt{H|L2G(_p`skN6b5$SRmk!i~UUSdlYJtI%4AEyek9<6|^>J`B3 zXE%xsnDx%N0zRbPI8vFA9Xjt@%+cUi(?(w(yQoV>re&u;yp4i^cRf~BU zIlvnnm$4LP9m9*k?mJ2jy(lu%5E))z4ztS;%LMS2XGf%;(yxk^fYAg~kA}xt(C5{jq zo3_{##7yW}5H?O*nN_+!=u|&`tlwr`b~xm29cyU~Xwk&d-j!h9AGl?dG6f_KCcrByb!$XYcp)#UAreF6eU; zEPyu?;2@bjoj#Nu36>2+osBzONK+K`pOV`q3v@9QDSn+rynRFlC4OQFV0X&ivF5C2bub+zkOuG~oCcM0 z+E^qMVxDqnQgsR_uf5c-mmosfJ^MuKf2YsZ{+WMjelof2YEFQjQLrZ!UFQ##jx=Cz$SJ4rk=JnUp5aP9Bc#L`N zG`mLo)EU<;>vU_R4cb?j;90Ilz#17jnE1T(GTie`!}Uif{a8^GUP7Py-!NfQzAQDA zTQ8SqdgHX%$g)q@>O-uD-fdSc^lr=+=Na$SA)4KH$lEaG!QNkV2w2~pHdZ%iDR=kV 
z^Fa_!hE}{rTAlEm+K=CIzz*N{g-w9ho2L1Vk=DH6T5{@+Bqr<<>%tO2rN0ve5>-pw z{s;)kmjK^-LR1*7bkgQrH7d-M%qFj9{Pe)1DuEXLP~HoOIiI|H_=&5S)uq82l5;V9 zfR2@C8n5T%9-fQQiGTMT!7Li2_h!0dV|)CDa>1(?CWib33zoMYa!P`~4h!IMosO=U zJ`c*{Nt7dq_<8|5Q57u{RHSf4nRaQy6pt>Yoo$cg5C%yKxSc$8vq!vx()CtPM|Cx* zcv5a(DW2>tNn{Nd)wz28(!B)9wU%L$jh;;jm~N9D6ErgK9>yU4(9rlb6pU<@l+%Yq|YFViUH-0m*Z;E!;6 zml*k|J&=5IRG9lt17UGfD6-%%g3CdjmeiVrAVXx6Xw#WT>`6O}5d~nJXnyoQd zK$KlTMGUvyHePM|+REaJac;XXax!?CfFkAVFg`PU9e((OecdTDE~{5i@yDA{S0Nt| z*4l^C3=l(U6vcM3U75qQC*Y8IbMDYIR`%iv4>o6aIz zNme%)bV|xbb%Vrwj;jyPgZnvbDDkUzwSIWanK|RI>GwSA+q1uq0G}Qc?0`}m!W@Br ze+L`VcUUy0}wPmRts z8N}G^4wdE9{u!hkHFOxdoKL-7dopU+-rzKDS_&r_6|or=zvX^;Z=%MfAF`Jrhf369 zQ2$nPC*SMS)2&zbn$}O(>=HMMUL4;1+h}TZAn50Bd2<21_3f5xox+Lq4`Mo_$1a!I zYvD~jgg)i;S|iOvQSea2?nwa?a58$Cb>w$hRYK}_DVuY>8Ld#`Hqci1{SRgZjvDoi4 zedH=|-wnm__d9-C*|PgTwWx11vn;%Md|12qr|=@^`(6pM@z^Vi_8r-T2`a~-fag*C z(3~@hKsC~}|j%D4#~w%vi3$Ms)hc($`N z+Gc>}4FODfO3aFE3=9;ffBgUg@NE1u*hvx<*lAYP-3MCdjYz~A_KyNChn!;(OoY-C zWiV{*+!J+v{LJcPiJ4^53#8csLj_=Qi`+(nyOuym8n5O> zI1mxf_4dfVl6s}l`}|1@eE3~Mjqvm={o5t?dJAQoV?E(3T->^E;6@$#&Z2XI=UJ0D zH@svQ?p$NNkuBd=@RqP~mJInVmAbu*^@b`$fq*qF=&x9Hz>X5`N#@ckRo(B_B7w>h z^dtq}-hI@`&L#yu&Stzpv@e76)rGVPc;U>ci6E8qVd|@*bR8u_U9(|}JF~Vt%)zTFc_(w|UmNN*aJ>$RzV(TUWLuXiOKhzZ$w32#e0;j-q%-eab7q$% z=6>*^)Nxe_bdsNSRCcY%b?O`sz46e1xv-mTr8|UCftpiFMS0vR;Y8!&w7-DR$gK%^p^Up4}GN4{{pzL&Ns9sWwV)p5)k`mcji&ref{X2Mz4n| z`=(CQK^X^rl~CMeagy0o{Uw5InTfB5K_wG_blIGe_NuQ2jL}Mx|7xWFN@JAMd0AoW zFS6nvwNs5J2;erCjXU4ZtB~waEhkwA78Wt~CIN6WC69m5R12bz{lrW6G+fV~u#pS2 z7NJp6uLQ6iR{XmlpM-yF9a4O6+n1&A*DSo&iChXz&V4ZYi5dg%acIcdIjo2op#EYWbd;FmEh_wvp z(E0x2Ww9r&#$D$S)1rJ0%EH2iM35q5Tv7n`gBAlIt( zoZ_cgaju!aNp!|QpZ@ROR{53D^6uy! 
zSj}DUsKq^1hpY=E+Y%#Za2)+Zo-nAi#jS@&y6RV)+-2+#OL^msTlPcipV^ z?SHA@;JavHTmz@|5<8#voSf^VO9Gp)J6JudZ2v&TJ!`iu0NZHO0-C|yca^gnmA1PT zNsUPKfMa73C1W;+ClnHyO-zvi$?V-&gWp%MVzI!Mra~b$W9ewxVfC#=^M(dGNO@l@LTnbL#mDEw{pa3m^|R}LRpZqNW28m& zlqx-b59<^ek9i&caaiqU5vC|LcQ7403`(hblinx9KW2Eqj(`74+RtxGIh{gf14HW^ zH6(vqATg&V#tWbFPMaQ=Pxzj5o>b}?)Ar{!mh;-xS5 zL|a5QE-mO#PUlFu`YP(c(!<~2L{^1*E|7X_0 zfW8MHK+qqac9!D>+}1+ic4x}Wt5N5CLLU!*6J&tU6&ZlP2pNrT;e9V!tDz#^G~ft5 z<}RqE%3$i@>TyZLFvK#N1p@FD8s<-NIM}_tT%G^Vd)jOIF?a62RkxS~6+p+>d$u75k zg0iO>7Xzo^M5Fw1SNR+Kg%_j&u&VFkONr#3>@e1`b>qXTO~|GBH1cQa5AXF6;j`|W zPhEhJr!GVFeFo^7C2=b`(0o~4pQB4|T_8@9PoDQ=()N$H*t~nxR5r@g6U0WkR2eth zz+ z644>x8VPxaD4Sh7;+1@G{OFv1Rls6dPIjGqjn_cn2;z4-^i9pY2MA}o8_r|Oqvb!@ zT^xRtFbj1(q1&6buUs2f!|l{>L3%XEqmu$8$~`J3Y9x9_M?NO%%d$-9e4Q^oP{?9{ zGpVj24YJ7U6GrElvR+phw>*j23KyA7L&@N1E7k^L2X;pCgzfrFgDM3?IZ072)f>B? zUbjslb|l%4+C1jGt>%hZtZDy>{FubN!EvlIA=hv}rw_Z`!f|naa-EKTN|L!vs)E<+XLne)NaYfl=GsPt58z3B+Gg&<%5BHUvrIg_v}mQl~?4Q>Owp7 zaq}qe$JUkRH~jxV=h_BAhSE9$0{}zJgy58gp;yi^_o^i zoeuY-Lt7cE?YI3bd2Dte15K0n-8we6UcSfJhT-PGgMO?n;Bcq=Lik{b+B=6GPqH4U z;wqLGnX6aD;)nHGW&C!I4O<gKyntj+dE;*FH?#^6dR%mD3Y!$=F6=!b`Q3*S8s&RD7`HibL$O?I=RonXO&CiV?m9CLmk07p&z zLzT?f*{>7yoWb72k1G22lISSQTIa2L!S^*K`$&c^gi-nqOChy51xuD^UPROO6a%n< z9$riUbDi}d!%kxK&F6XvPC<~pZ?b{oWXE;Fn8C&j4&;(``s;txrH;frLa?&Y(YgYq zClAj&@cq4X*OdcI5Z z6{0OzAth-eZ4u82!)zXUc(oID-;j}=u6Tt1udZ9P}{zHVPUb>`}Pt+Q7E9Ei`Uik?bOEW!##jklFv>Jw3a*JVR z<=1xvtPPtGqj0D{zf$-oPIlYuk1n|*l^4;6XJ zq(~p92)?8n&#X*yFbM^C!PB-$DOGA^%fIK4Rd_#aEYZvIszZ`z7hP{0D_*;k<;{X8 z*x%Ot0^}No0-WpO=%8BuZ;zDu7;8QVu6E2sQn#-ZcD@5gkMB`T>$?p41rcCkT1F^w zCOmso|8b}Y*-^ysIr3GUuv{|Q8ap3R#tk-s8 z%D^EyXz>Hl$1GXgmq(i{xrThTb0|uup1~7c2@^FE>Qz1tLE_hZq5=BZ^h3uFG4cYc+zWv%Cqo&_*Za@kpOK^*oFrN%er+f z1h6A{FnBkDQ2*{mSq4k#yn~`FKApdcIOtoP=u{#pCl4>9&2?QVY>r3U>y8#KWldRQ zJ`eAC-=|XDE}DOT_bVkn21rMPfkE=)E?*;#ZKyj`^lBxp+wc9!Vq|EsvqlUDlr9Z%T3U2!|20f+SXMce zhv=F1^>`1f)o$UnK8I#&)8gSSaS+~U|Fl_*^Nj|{^TSaZb+rr-&|km1nVLd9j9tht8kSkK 
z#C+x%RahiFnWA3MZO<@TYW$AwU|m#3{+`EaVKaKf$=z+A1%_`li|12_Z#HSWcX`h3 zcwV_)muDFV_Epv;ONFEN7j+B0uK*B1tcAW7`Es1iN@feqHRlVna=4#Z*#386#Bi5q za9wJ})T1AMO(i=h|FVRp5{VYAliDT!M)oq={3Pzc;R!8L6i5BZSA+s81Q-J8=&2-^ zb&Al6g5L~4+A0|1JZI)d%R^e{i-*|*KfL&lo86pH$a1-Iv!*qW0OWyzEcmE11+6Ct zS{u+YgQ0gojU&9!r3W>#VSRZ_&_@Jz>#1U?^}+7!$*nh1;!R6Xoy6 zlWKTC+P$q0(D=UhzwJiR`;xu*s4k)>kH^x+QuUi3pJg#PUeWo_^o8R|8%v$#QZ$3S zL%a6^ZWY6yV6dTaMTu2jacyEj8AU1HWvoGKa3Mv9tc<8%y|1h_$_ zM!1Yi5PTE1a${|LJ`Kj4>a1DiKfQm=pzD05=iW3#Uw5WTRjd#U+7h?sX}h5?a22;&#-YzTfJIh+wV!C zRkJP6V=hlzO3@a~2_P>35)T{y-18D;_zHV@Yi$7O@m{fS(;x^YB9>9YD&`x%@-Wt0j_@0epWb=iDWG-cGG? z;|ibK6Z*tB0i-f@xTmwuRDk1*)f=A`*Kn(hb(q0uijVkUF7Nl*DMIleDC;y@UI-uV z;bsub+5$BIESr}k7J_%LI|NAhQv(04cS$-g&mKL7S6mk%DF6%KeR4N{dMNJZUIXFg zTOOH(Mo=y>$oy2^k!H-|^n@Ln@IyP5efbGr8|7^6^Dq^SNO#*U0);vt!NQv(YnMkV zk%!(Y1onx7t4cdxH;{s&Mvh_Xsl?M-D6kb#DiN?(Gf53MJG0a zm@j>d>?YxOjUXIHRmm?|s`}dAwt7_UagVCsHMVad3AjVa=U*Z(YZDQLCekC>E>`;1 z$P{4&RvpY|JTN0CZ2Yn5ZpUfb)v=H>oIKn2TA*UKiZ~mxz{;@Br-8 zO%9nobBDi8$S=@RhM&RgqlV`#gahe9k8W00! 
zTkZL`n!dOkp(BK2FR6KeGmr1zs2Pw)^L<@U7F_R;ItuTs57_KBcv=@EWyJq4c>s98 z93fn4>%A~^40Jf;I|fveV}FRS8E&qig~?JHyW7cNo?>~q^I0q&Up}W zXQPg11NM99{M$Pl=-&5ChO-?lY#>hSTqx`z&cvvz`tqwy4!5t#0x|TW5IxDcXk#%M zJCAhvI(iRjwVHNeUyULi^mKT{^k&FCXEPjKJB#+u zd?dn4W5crRonb>{0q`J|@p=9zGiR&fCM$kJ(X)UDQnRfaE-RU><87$eWuDxSU6JWP zJ2oM~OJSZ&d-efC@^!OL6Iiw}A%X_giNa_zLC=Z1Fq5wJT6iA;u3hj$$xfa3JSu}E ze%j~HF7}U!jWgQ}6Rx3?)>6&!_g)QZyW;5Uj4c{bWjgOPSfEjYr14UPvawN=hf*6FU*GK z5R?=@B^|dpe8E&i+3jEp-lzYg*O!_r_sT+F?1+$0_flg1jh@AiqHgSn9iVMxm2Y=W zCcCk*1wGu9q2Xp}9sT{M>Y{xf*^aJ5H=N8dlB_Fdar3|p;G)d zJ!JDz5=LW~pViY22NiYV`K&D`hpPY12A}S=;N7W}U|o~T6*}tnsT&;&KdLnfxvLf^ z1F2O5_Y7Ew2K5W(s`F7j`7h5;i=E?^hZ=)w>g$LsM|RizqFCgV{YQo{Y>Lhi>aSye zO8ty>Xt(Hy&ggrJ1F`maAu#?(vyqq@&Lzn z#Ktrl{2MqQxxI$u^yTe*F3UbdmOK}2FKO>q02$*kfRok1=zlOkF@7#?_c!5J>CI2i z){VVBP*gq5p4pZ>aL~lvEu6nsDZ98#+Vy=bHH;nmX7B5K(nyL2h^>C8w8SIEbMIdm zaFiP`bT2Ai2Ak2u-a-uByM|@D;%ui(uq{%_k+!=EyAtv_5NU@9&AQlYd%wnK8-$*j ze;*|~@Bgy_k z5vh6fQW$pOhVaMZ#(stWLqMz^jS-@`9ZhXij}vVZs>mNhCkrVQsw0AsF>7L*dKnt?-LYUBgfGll4Lo&1J zy&< zo_4Q4r==hmcY_F$Wxz-zWIxdry(C{>R&Oo!N5bfdEV;kgU)I_BqiCn^&#HKxJ7B#i z%lam9iKuJW?Re3_lsv|2^Vexui`dbVUe^Ap#I%ZhZ(;&Q^24FKHCt1mfJl6itMpGKp;%!1ZnP1Tt%vzl*kqUQl-?H zYqlz8*K zvIg$WVhYr|tem>}q4J~_giKm@=Ve=tXpGVINfX;j&+`O7$`;ydcoyPV>8N^m=ooOS zJ!p@1j6xep%v~fvw$vqpbFUMd1>1zf6jFx)h{DR6Z%(l+u3TW+6zRoSHJQ5R{%I{WuF+bj znBk7j5vlp{GAx$5*qQJ{S&~zciCRtnmlHkk$P*giAybmm)T|i6f;mxTxL1w0vpga^ zAeBwe&IPZ>f7^Lk3^2{T9V{vMBK;ZvUae)ds4^pn0n&aJUa#}hvrz$6wV3)Um>ZvZ zpq*d@Yi-kF?`n8BXjZZCu@(#b3x4uK@d<^xNC)t<$qlr49Br|)jn!~jMlJFBog}$7 zDYWOkk$Lzi&D>>k61x0!S8!Rzl~5lwF;od1>gsRKycV)#UOD@>jutM6t60egheGwcl>G~BEtVBWt50W&GR8Ex_YWGiKFQOR?*oh0;l>_ z3HtzT9tBR?_FvD(W%69{sY;iZ@ad>wW0xIdIFxbFJx2%N&6RE2M|;#fMGC!Gv$6Ol z`Jc%X+KU}QpOq3UV%#cMX5M_T&HGFLD5*b3pNFLHR;cBf+I4Rc0`$GO%dfCxGEkr? 
zhkJA?H!jTcgY6Q(`&lqM$<3w%3=LzOm{N!>*)#iI?sY$3t8z~oY&ulpbkW|3P<~sQ z;@(`BjW+j}I|Tx7O~B@@4!9YencVI7W>Df*j$j0rqpg}oH(;-;DLM5%nz!wP-u7+$nXNm0X8;Z6 z7&*&6oMbJLAj;`=BQ;u&cW+EdqVS?oAul`xt1Ihi-cfB_c)yC_u0{h+(lUj z7*^T{E(YE#It+v=Wd=?;^vUFSy&JPjG4d*seno$-E8fs%QgcqT$J(@^_%5)ImU_^I zc0mG~K(eac+vP@GaAlnOPWXe}(|H@|uEcW2ibJM5za`=U#Nlz8J9-H=fPo22rSNMp z_Y)gk-A5BoRAF^o{f=~MFDDOJ=|$-M9jW-`{P+!DT28-8vR7G+UFWkdFw6A^z3xre zMifp~bX%dgjt^FgtqGam!-G!>kG;nG_eLf^$YrXZMFt^u1k4M3p8tY283~c~&%y|V z)m^v~UB_c^87f67|MDX=d%mDz zyHvB;EBmuY*+4CbH)o=pL6i%>0|7ZMLAxx~x~l;Y6hs$4hy%7DI2FZ@pP)tCUUfdt zqxm9vf#CH`87YC!yKb9q#nDwsQ^cfO&zk*qy^%V_M6*MXr2;Bg{KK|<=XpEkYX)T! z_FFxAvpRM><|`pJ8h+J}IkihJ=U$<4#q-)lDnktIKa<<0p~G{Vp9vbE+M}A#sto@v z`23RXkIlV9%5yyt_mCGO{E1FpU#}NrVd^^lvl;7DL)N$$>|@)L^DDlH$w6VWJ`DZ+ z1&6U*9r2gNb{U9n1?2@O4dGSXWKLgK!(_#7Q=z8~O~v%jwV|_Qtnfbn?j`Q{-8G-O z5LPK5O}$_FxEq))Fki?Yz2#We{g!bqu-giG_)x{5YY!%3LN<0o`UPC2s?e1mKMlj* zgOV48Bz)4i$=ZuX2~G%ZC7x`x3KG4`e!Q+9fqkk;-%QeZYrGFmxRz(2vO%dJS6d2b z&`4gGl21tP?T|eUx%Mbc1C1pYP0x%bx$S(A*yFXn-IaVHZrR6twOeL)X;>8=0>!ob z)ULR-&UlU_Ki8jEP&xMW(uNa}xyAc6e^%Aey7zi_Fit?<4j=kkdQA)gT;+d>3^#C_ zW)&K{1b$tv6A6NoHGG_2I||uB5W3fXoD#{#TYYxsS5+wb3P&N@uyJVTDLr-^i_^YV zFuNRzXaeSvD(d!bD5zTay^ka7OQ5DD6Z~{ja#B9Y|AyagLr(G-tft@7|uS6Qai*65v2T)xb0l1 z>ZOb%Uw>UV-=dEXAV<3PA9CF>DGirpNlUvg+*+H(?vsv}M(*YD5Y_5G47xk#Qo$vMwC=k>bp`*ok`4fuFwzKqPd z`U8*#tB|3FruDhl-w~=n=|r`ul*%FM0(o|#jBBENC|vmSOI^d0svaTA|U zdUg)av9~)TY09AN{0jsYW%A$MWf>!7Z@}R&i;J72>3xWKN%CtAS3pHhrTzKmv%3rY zH>Z4CbZEw}y}okwa9DRjw8w&t_NHzhB7_&3XAnc3=2a|>s2K=|jYo*{LgvYZN4R6j zpw}WKn-}&pXm-b^ES*h=`HfFZMZ1;n=hm7b+Ace_qktr`IsEfs#@Vt&nWK@jq{*da z1~j-Lv7DJDoF)eNd@b_r~9jT4=Wh`KRP^U3ChWEvn5ky%xzJ~TV`Mj3-D zdXHdMd`-WO!a2)Gllyb+8AOYdqZ7s)TQgh2=mzr4UMBO)Rz6YDA97C*!}x5*V0EQG!W?FSem9UzOQVzdyb$Tr<@3`6g-VMMNWYijN8@J?|8#WaJ|U z3Bhjn5GwbZPvCi^9a_IL#!<`(R$TQL>XF_r&BwS~uZ{OlvNy!qlcjWV`6CE1SiJ%a zwqs+=Xe1AslC`J$Dm%BLXL14%^~;t1ZhJ~|{>5h+54uz|AGgSSq+|ZuYq|d5Jw;bB z%^FW3q)_(@0WVptV$)nx-CwK~OSc2w2U>GvzIn~yh{#PI>(Yuas|YmZs-Nc@I&>X9 
z(BHD?8vrx4IttU9P7E4CE=Z#^U0izbk2@czfZC>0sAi*7m1A4Wq{p`JI2RO(a_?Ks zlS?dJ^-R5!8~&?dr{PpDANire`2jr0y{Gyv z^-E0x6de&1X9T)^d=Ci*6@WnmqQ_`9LwcH{;Wc}x9Wyod7V<*6&0jk0x8EOgZ_Srm zhB+%o&5baRZpTH$OLj+Blj%GlbbcZK07Q(B{jhr~#v-!D2GDk#g%SFKugbJ;Wwvc80BknvD;mQ506%a+aEDPdFc%AgShlE@$nlrg|`Uk6bX4cUhqI z4eS?{l7y7X1o=|%10^@=HSz<0F1LxkVLu_Y?c>YVH-rAoZ}T(VhA;cs=jDP1hB1yQWIK^@{ne&C9?ce+|q+y|~c$?GPR5d-fmG$D0 z<`+wsDYw=&B%v1WB(IaQuiHMJv5iW4mX-%bDonmrtq+P1b=(0d!;9v;gIB>LTdpsu zj+^D$^+BFl@5KYgGuxBN=zx(yyJFb>wxy|N@+y$)wA>&+*Gia){K`nNL*8uHu>C8X zsedhR)`!C&QoU7+l$iB1+Cs1!=8caQt7gQVI!+Qthj|ybcO~*LiZ6`k)rGo=_hJ*1 zof7(Wwg&~Eu=~h}{i35r*GVgq!{q5pz$(OC@I&)ka~o?mb!y~}%D6gD(qm`af%n|Q zii3zAYvJzJ`;UW&&q0hgpw1tWMJg<#CTA+Fk z?M8nSG$zxO(@VRnh&~U+u z%{%JBC=dd%vFD6dO{;S$UNlo=!*N)i<^z2`JM)u;5D4VtH(pPH!V{~k3h_# zE9O%A?Anb(5O02mb1`)p7}W5Qx!A89>ip+-WB+FUz%8EMI0p6ELIc*UOQGf=f-m;A zJv0>P)^z*!Sns(?$HOdKP5A4<(v7F`5w}p}z$e$pG)Q_zp zf4Ux`V8NC1(3h@VF5c*#mOEbcO_3KoO6yJu=H}C1Es$$caF826dK9POR#lU~Q!2_- zPbjw?oxR`LLZR{;y-C=7R(JJ5#;J+rz_je*xy{hitey*wA6QplJXPHfqQuaYHcPC> zMr>*$5cN|7;Vey0D*V$i#L4J0@ASMM{66!~uIH`BR2+@*fmsJ5V_?pp(K0!?2BHw??$%1m_1_}8CG_R zA}azKi0dg)c-Y9YW3l0PQj;67=%QUB?o%kqK6COm_h|QqsS6LJeU9enjfvXfbCi+Z z_ee7YxB{HHO0&3;$ZUVQ*1JEBdt$PVZ#nuJ7wj$45;r@WWmDFCYFxessp3z!+y)Xa})CGcwdBf8r@iS((bQ;|qxfk_cbuLq;2C)VwziC9)0+pZJvZq z2~4+G+Nqrxqute2Q2>R77GdfF8RBmxR&{>Vv1W+hM>ntKxGBxZc7_h4jZ`5;vtj1LLf z1J;$;QmL0*(lkQd+;^i!TMSOqEJKshsZz=Q{sQAjk~SnwtEH{{r%pKh9BDvBN#QS5 zoTSThX_IkYR_u}KdmIOC8w)0+A(pTmDUr{b7i-v-=v`HnwH~WG^XmqQeKbJhRjqaG z<40Z2v2|lhox-zrA?QV;V6=;XEoA46cxe)yL}q4D7$TV-sdq^^_{So;iVCkIbd?Z z^J;S6iSC=4B-GQiZWoHn+G<=isy=g$j!``NV==i{_lg~`;oyy>#3#*$bIyQ^dy@4#snq7-qRNO5j#Eye#b65+^Kn+ebUU_{ zhhf3q=%v7OJr#v%tq!ppE^Xq($q|Sgiez31HFKj-^YjiIEgiMa`=nndkW7{u=p(U# zs_{d$+N<lz5d)i*QycY`7{ zU!P}+JO|VHC9EKfPR4RGR0H~Io``n$;>HrFN^Ss72l5NyJo>-VY_XViRy`#nMv929 zfz;nrTwRl?lv=hs)EVIi#k|~qv}4HG#vn$B*NcqihA}>X5)SF;ZF4Hp&68U53qS4h zN`U5T3RZd}^Ox>T#f~#8and=|@MQ2${oe^#UMuaATIaKyT6H!m$BN@M09>=b`VD|-wjQ1bg}HgZ{<}_i1@A~9Far!#c8ojG%dU+_ 
z(s}_k%*q&;qyO7j-Tt7@{WJ%hP(C`}Ky`JSLMgw-iY~olt4iu`BbZh&B!U7`t05nS@_Xv_ zrC0;j8z${@=$XOsym780BPs9Vr7{hid1liEZ3`30j@UtVy?V{l4EN zqE z<3h?d_~)=S3gkEisM`k84IS9UNO3u~gXa(FbKv{1GAV@T3ji)K%QrpTa4J7cRG*fw zSVDx_x1$g{_=WhsIIYq_BQd4|)~A7uL>%eP*QJ=|9}Z<`O?PJ-+E83buMSb($o*I-`4;5-A-%#^_A9_8X+cUI9M4szRb?QA*@6>p@W4XhS&FPjm zf4<~B)muhPPNdehh|8P+vtLYLN6|KvYiV)oc74i;t`~sWHF3883se3JR{pQ_gPy{6Ye3acjB8&LvN>*6O`bNI}dEA8)_N5kYg2dgdw*Z(NU!Bk<;`J!t z%YLUb$)W|-=Gl`c51qR0#y!P_d2q31$T9U@QJw;!wp0=UrYXB#LVSMj#>Pjlq=)U( z^hZStRH%c<+0q#A7t-o+YV&KsKF_C*kf&}~xy4VF_O&6lxbkz=&Wm9hsS&>n57;b- zKc{Y#Pksfw^Gbg}#U2k~QCvJcXCKU>_OlP{Pez{pg5jEL$D-G`QLn19c~k=3_mn&K z2DnLZ3fgnnOI!l$-zb>j&5pXa;XxDgz43QS5u{Li@IX?ztFyyd96&u= z_1-bXNU7I+K!KGLfRDPMCAj&P$RAE$E5Z)<-J5eSa za#PWDf!5vB)eJ-A1oWI)!C`|6<5DM-^&9tPbT3KR98VN1b0nx=&Dd}YzuC0#%EZZr zVJoaCx5@>O1_4KG<2Ujn2QH0!lyYQ{dI;EFhAmfwMIhY1%M50#h27Dm>&fh3mfrUJ{ z|G<&bgF{Y8c~U2aJZ}-gwO=MRHVYW|;hn1^rjx_C$u%5b0u04;jWChg9La^74;ujw zFZLf4)&*Q2#izg7sVCLGS@xXd4_+eLgdjxef9WiS^pYS_23r~Z0WbRcXGg4Q1WoFGa6iOOy$yjj( zR1!g!FlZLCQ&u&~xGeoipJ#0+&P;>2WtQp=@;&Jj(~t%BQ$^BLFT3?c;a zrvs(0J$(S>ic)3v(~)(8J47>56mM_Edq+PfNmQDpCr0ok;PCBUkZoLfpeG+~oF2xh z)UDU0JMAd<-F+kk%=E(oe$0~*4}4n%F4}CikhC<#3h>RNk~P7yZNW07f_nHqC(Y5G z>&1{N9%P6cR}8jr|%w>1%P93Ht!XKx|$!PE95|49~qLG)ffJE`)&HXeDy&|qGw2Qqo7{oeHAwdiJ= z-QGk(ZT|Tz1ZNcUpht%40x5W_>Ry-Q##l|(^%0)}e}n|hG=s4IV0E<+u&hV-jfBpQ z#1=O?$I-(DUoTd&QSeAvLwiI9j0KuAcg~upye3OMJf=M>SOa$qJzB!YDgyFvu+p#t zb`;mT`}F~QY}ERl$wzdUUY{J;HiCF+{7Rw%lU4U=$}Hr<>mv0_a>MAmF=k>vLll_^ zOO!S>ME>pqT4E|tg#)=HOy@o8PHSHiP{IXZr@x#KVzZU zC62t2o1B91D;}~ByzW&9MmBYY_6;2(ZkE~_o$%6o=Pdd3EN(;<{$@5m5N_fVIY?JT zTI58Wt?`qN&!{zaV}q`B+Y|phWfzt`P%Lwxc9 zA=ieo{bJm-ab8A|OQLlcFmZK%GHTp7Fy0D=jBO6&>&Ia8GCVy*B|+!{BPyqPOxyE5 z*|HEV5d`l+x%hMlch27A%YBU8@-B~F_D_H-a@N4qXgp$$7QL6J9mANH@pX4?YDcb^ z@aKmie=C#dwLF~|8IHYH7w>3U=9L{}l=3<{Xm2=wSz+*0#95Ux%T}Dc)I*?~y{bBZ z6OYdV)o-fKQIq3B_TC>AfyGP2g=<2p#|EZ3>S4F2!>IqAhBfFtx3p1 z=e;UM9vR-+JR@99DLs7G-}OaJIvLD+t+#io{xuz(lKecS>^SA5?0l;Xqko%edr30~))W3>mH6A5qM(#M<4n`f`i@u_`{@l(}P>QnjU(9<0 
z@qwB=kp?LqBvCDasYoEpeB-pN+cRMD?K>MbGB`q9yKY%3xIDJ*xHHpe@P>+=iuoNG zAJ(?0V*TNIHYXJamvA|r-uFRY-tl7cK==`7fc@B!`{UAwsD$TZn(Hm<>Z2HN0^Jyf z%UP{c&Qqe$&%d^PF7|{$0`D=v7PVrC%DP{V+jL{F@hLCKp&>VzS8Q?1iL8@fj|LYT zHLr{uR?+NE?l;{%wfLi|j40VsSDO|i=WC1#6Flk%!c6&}R)xlIuJd{x`;LGYOHURI zm7nUwfRE5Ax<5lK$~vEUD?W$$Bz7=bo%+4lj@W8_0a5?tQ6#WX10M*`iGh&_u;_C_ z7nV?39M{x!{4+H*K5yGDns{`A@7Pp7;6L9@+N7qY-i+R*j@}(^E<5?|_RBsT@Z!P} zk=T;xqaRP%YX#rrWLw7{V8JNDmyMz~Z!9`w__+D`%SaPR8cm=)kG~8P)vB^!wcVp}#7DsTcf!GT`o!NHiRuy~T zwG-fh)M@<(GywV|8mr;l$9YHYAFCBIvUK(dqwK_iJ3Yo^=f z1V@3#a}KWY?5a_;C86$G>~k`UC$+5()_2s z25Lo92YF|&x+q329gJPmeP3H>Y!w~JL=(y*T$8Y!k&t9t> zalHG}hXw;|W61jc3<-OZXjLCo?seTM(#@mgEt`@}IBr zNBQp{uu=G*r$A}sU%<_R`I%w#Qn;65&pLDZhbhin^zV46PfQ)+zSRvv#0y=HU^r-8*th$MUG7^m!2N^3aE=omW);)(u2CEI-J7Hnh!s% zPVsf4>wdWA|L_xHUO46n$r<;Lp{od!5E1Lnu4qI?N_L8|dh9=Mmm|-aGh?(Y>w0#C zoV%$PYHeo}#<&nPhhD%oXlzBUS@bGB+J^5f+C>uHH1D}{+{-8r`QzX!dC*>J=8f1^ zPPbBby@0#~ke$-fBM+4L=Ez|9PHd#p0&#^}^H{`}jVjd3t4hLz=7#ncf%aD(Rjtw= zK72?83ik%CE*>Q56Z|A6Xh>!zChD%tY=3dPzm5N-Sc-VzI_oUMhp%tr>?9DSEH8E= zSXQE5I57KOdjH+Z7P5O96qb(J-Q7J~Utj;JJai-agI0VA;BAKORbP~v06F4@MqACD zwFj=MB84d=|DwAu>YjH$-^3t&Bf5Ypz#H4Hd6uEwt;(&GJtm*+&C%+ zf|mh)u58ucx_-?;Wc=|P#xYA&bhpY2n~Er&{V!NtMbky99KsGnD0~?02!X0U&9Vmy z<;9l-R@*O=_tPue-COVr5mk|&a}W=fGxn9VDHrTBbrAdptf^(EGoRRo14Wkpl3V{i z*vxx@GOm!!$+nqYA-%FYW&j{`~!=rw5g5@F6k;*d!5)e3i!DG!$beZ$3SxYp6ZQM z@_fy8P>9HX%~HhYrFyGNd$a|z0VqipzPQ?N?P%}x1S?X9FT;w%%c|FNArHx`AcyM4 z*u@~_eNgrCCXlNswRzWAEQXAzT2J+%69ri z`OUEZ+NSO#FmwN~6v|DW6n^~&lO~Ea2gbNlO9u|>vMohY&iFkmh<{cSh!YNqtx}gP zdHaBAk`RoD-w2o=;ecE%RCvKN?Zh}cs9riOIErn}+ECvpQ3qjj$Ir`I4W15fJgZ%T zNJfi&`w$G*hVmCQG-1UW&Lm~cXWa-DZ4Xh3?ep>94&|nJBK1_9mk8Q~FycBl0y7@cAK<9?ZSL5jTptZ~2Eb z23p@tKjYva^h-=SHhxJ*hj{J15XKCExDBclUVOh8I zHwx;RNgE!X`!R@sssu9lQ&`6aW#k8*KK9_8Uae}wxpc#X4} z<8n7K@MrTwz)sT{l(Q|=+{teM_be?oVwWg|npfmr=$9pFFvD6Tlf#ITM`YyZRbK0A zyz|YOpqowXTRU`chxyY#3y)=@?Vyj^g;#C)=z^BGM-*Jbcy0ulC6>^8v!P(TTzP<1 z@Bj1>9~DQ!j8wtXv~@InypNBNHAds*&j=Z&G_ano%u*znB6bCT&4~04VD(%ujvm1Y 
z0D$X^XkYXv>AJ^p)A=LLH6+KRVSvT)Tjuydz2N7qp!g5zWY`9|A0uSip^pV$U*p|Q zB4bw#{tARf`?r`or*Ua+)lr!gfRAIO`|P3uMjMRKU#>z#tK<+tpQnp+_uez(R96=e z%~3&!)A_XtSmIP?&YJsmeC7R?CG$is^3oQKZ@0yE=KJq&s?M5GThZ(mAN4DuHN?`u zRahH(?7Z#P2Z#u<$w{Nr&+Ttpft}RP#O-oT7 zYY7~N=oEEuF5WQZxNLDEBeg~xqEa%oyPOY_iC>tI8F*B5dHz7Pkj5AD>4PJWQkJME zCUFz@IZ*O&shU@>+Q-&}RXWoMDwepb#_I6m5pw}xhl_qOFgVCga`P0b@iug8p51+I z_QWX^}J}7a>QdPlePEDcW)MBe8R63VT zQ`(IBTj3u+lI|Vu?|Hw1vH~htXTGqBd|@Zo;Lag_RAFdQ%XjwFipk{O>u@OF(BeNq zEBFVGOdWKXa@Q9(AN0oBAQY5YPmM&o^Lunt*X)G4_ml?>u0sC6slwdX4}5>aG9-ZL z_8_)uFeQC~jY7@Fz_V4&dkgOd8~yVeJGghPgTH_b<+DYoujPldq@#m+k=JDKdu$Xo zJ@dZbM^YAN@EDBz&=bQO3hu$0~sJheQn??(tU<9qxzGQlF}cU{8zmKv|F0~mydJT z;iB(1UJ@LX6qv3c1s{z+7~!7}dR0+BH zv(^)DWBJPW^aKJ;f|h{-)#UYG=!cB@w{2C}dH|vWkiqHC4H1T?Ff1DG9w>!}p(3w1 z2g^&K&faU%BfWaMh>;!4WEPoyWex!()XhpybzJQmo#Q9$-iCGqu5>`%lX`5-NMU2- zd9T-HIAY6AlnIrYJu1*00z4~^OY;YtJY9UN7n7NnL3fyzg@g*CN2Rb%(*Z2HG28p^ z7$e=IfM{cz!}_Xr8tn8(t@OEQ_<31Kuc-%Hu zd-qt=Co(>l{e4k&Cty*oR>^$`Y&fo{`vQ5IP+kG`z#=EJR44?Fob4$NM2eMX5M-$it2(>{+hFZ=eG zVNB`|ta(B?MsdHru>zQ$Yv!zIa3zME0@?V{sTU6D>j)6+HpLF8&IJB5Mt!aI{Ag^- zn>=I7_V!e#e6HK|Lx}#O>BScedR6oU!R~w`2>38Yy{JTQg#V*I>_;3Kp?zjeA&c3s zTFtu>b2o-aOtzK@d)wp)*2I0H&4@x~Zm>A)L-QBc^+WH0nOBl3JCg1osdX0CTqZ!C z&}ol{8(t4?N&?nTCqLO?N}5Vat@@a=`A-^0mC~tVeOFk1lkTY1cR8s?qMPS_*@vzs z^luBkK0ESkJi0P9OzQ3JJ@^~m5h$_&H`woy>-hT2$f{Hu=zW|!y(s-+uT2L@fs`zt44iW#EeaKnmpzvM>@~( zK|Iywe>k{jOT1go1lE(g&?vc_tuzF9F)C9U=$AqaT+-5Bl*U$3t-%{gga ztn6=C(v2zM&`}dCn*3XAll@F&7PN3gj9s#M3)@YQk<4Qqy@i=*bsIc_GCjBdG^(sm z9MnAD>qjxUiB;7{6yw`le=JS+v0PRj=r7t9JOQ~TS_F6(-}g}2go>6g-Ex$*DY!Z8dB&JGK5JRvpwP)5CxyKi zf%}lV$+qOx_a{iMsTneypcUo0AzcYe1779)$;&2r6JlN933sa9*u>u;%cJr2i52*H z={t!@OR_j?*_GllXZp7W!2e2icV<%q-_{=?4q+WtpxAkFoBh42oLqyxPRZwNM$h=j z&RsE$y%e#N{i2{=piDB5rshY}#W!biDe0iO{|)=OFIkkpKN`dh(u>$K#c!sN-C3{m zJ#C-gK^D>aid1&e?7C?Z7Q}R~{7k*d{+@Pk-3BP3A_#2-$9AiDxJKRtO;}{tFSjq< z@(dF^?BWA#tsocLzm%~4PZl*l(QTMKDvd!{Ok2u>b;pE&B*QFO(9^+>cRVW>C}B1b z19`8n@AdMZ`#$ZK3W)`#i{T{$Zwc=HEQ0QTWKsgery^#;EO+}48Fp1M@EfwY73oz13) 
zh4Wm;neP@fH@8X-20;KLzYwov>HRIU=ep2NhuATlejp8ijs!xZoO(-s>(*J~BO9(Cb$%I&6K&w23V zzepYQOxm9W8oO*+L^yhqZ?oxaf2&lY{&rO=fqGL0SaRkRy0!h z7_sBbPr&~r&WipK+5hErqkW??u(Okp&TZT1A)LBUA@?K6`FWCcVek4s#Zg_b!!}RL z3r7jwmec|ZZL4zGDc=k!2UD+CDrPOks>~zG4^;@H_PP=V>r3=a%bJ~i`)QVoeuR$? zRP*qaCA5Q!i%|L5vY z&WR0!gU^%Z?4ya^Su5#ct*+5^XfAX@kuT!Cm2%cRC8aFtQclfrJNr zyoELB$eVw#Na;78=nu$62h%^BSaTy}uscv|$|VN0y;FezO(u(hlGn+y@f?zV>(TfI zRdb=j&lcw0s?+}F{loKba0>6pC}BrwOG8FLIInwyqwRK4d4DLk(e@PyVRdQJ1y5)N0 zaCb6fbUX?Q5~m97&e@{WGZfb5HHIbiV6y_FYID8sjbwU?N^D{2H+X($lVzG;IZdKJ zihsp`Ux+HGD=~(XHxPpb+CJdG*U$KF?vcdMVV5fold7eH6`59S%?E5NrI)Ou7?avx zqjEM7sX5rXj^K|`vc(wQ&rJ&qUk8y>UJ3jyDRGVBowm50(}I;f-279IQ6SB7CovYL z&36*e>YSesb18A(FW%u&eW=N20t<<6;ix<1kwoYH){nWTQ__)%X=yk<_zqi(yffR9 z|ELuC?2#Z*yGX0OU_^a>Q2yxrw$)aV4&_I?2w?su)nHF+G@Hi7EyXND8Ax8S$LGOW z(71mPZD7Zfc3ZCp{ytJex%(MG$6EKjlu6IR1}pZ)t^pdK(Lwyj1Y>|XYUL=SDgWaq zu)cmWw9j$r#9k6>VU!ua4dSj`UygfwhHCOxXsZDN%}>@eyI$9QtO>3>jr%HlV3$6J zas8rA@CThPy*ni}R#AA0lO=C&-~O65UO>K}9;a%KgU&vq)U&C%#u6l-h3m~Dsej$R zCIQYaIwALjrs8%$Nx1QB5j&Yd=C6ZyJ(IZU*JsM$h>3h@D^9oSntUso!~Xj<+`u+8 z;Y=%nP@Ml8j&|oQn}&|f8))C*3{*2MIsX1U-ya@=K;&vWF?wzv>Ii=Um{|f;5DCV7 z{&4OfZ_tFGo`X3^X(Uvv8EO_S?!^9ZUCsd8b}qBxNRx-gs7v1J&aSPjr$5pX-TxcT zj?KP3SB_TS?%L6BnkAv`rMuHpC3FD{mf-bX(+Q+P!ilfIB|?>&X}hSDneRYOAUrys zIffaE3Dz$|iE-;c(WFvp*Wy>~Ck2*KwN?`41}H0$p1N->+GNb9YM58zVrP)FeJ6>z zOMc2tdxFs5>&7a}jccmaCe-L-N?}3Jg$Ng2bm*5k$LuuiuWOI5Z&qv2?lNo(PrlJ9 z{bU6cO#Cjw8$p^+P2b!U7l&J?Sir6>Ht5BKBnkwM9NioL5Zk6r%KEWa2mX1j=O{&@Hw8_7Uc)UUI@#sXhswjf1hQ zD~s}-S4QNWv3pwjn;D57|C%Pg8mRQ}MBfgY%0bkZ-{Lpf2)K(gOo&iZps1Js;d)*C zdk6*XOOamN0{;ArqK&;>f{nm!pS*Duv-~8zU_Ik3n8#p<;;Sz}axgZxU415Uel*uT53@Ax5s@4p-E`eyvy%Lh8oA6Aa>&IQ=SDk>sA69$<#aI3P_x z^l%y+=!S)d#cF<_HIj#nt?f#WU(^X#d$pYeTpSUKo%g)AD*;RlSIb&blfD~|GT-UoN1DRuUypZh=Mar#)6;{p^gQ@k3!er_iAVr zjcl6Tii;F#-b4vataBvO%EEq=Yv91C*+B4ih|i+>G%gz8xIIrwtSQLHH-i(}F%9h) zSqhbBFtIAhidFS+0Ftd?1dt$aTwXIdv7Dc7H!w_PXepki?mskgS8~;pCJB6f%rZ+o zduSwM3PyL!qp#X$i11*`LeVU5yxjnXw|W>QBi1A9;QAtYRfk8acCDhZ#vf4Id3?=> 
z@~Xah+sdVX_K?Q6J~%C_GBe5ld(L>_6jxYa$j*{p9}dtiIhWlOM8~b3$E_~p9u}ia zS*7YbGxI^I7~N2F*4cYbn*EEY^+Fyo_lzgWvp*h&050k(ARMw5b0pCHp<+#1W0IO2 z=|LI{>Q6F)ES>X$G4ipu?4%H}Qwo>JHF8EU8`!%sfQDczWrF%2U;x0M@lX1{P1QTx z{ko{jPsMQe{2ggOoPfnu# z{ZfP(@`HM|EVT6L4Htx8SD@q>2C2bay0v5ur>tPDlbqcuM5uaixL>*v{H>;}DTNW$ zKC*rMcD2pa61D7uw`)S(0|QhIylMJAAn9gRQoLh}5tECattq1+j?8iU06btrV4jq5 zo@orkK%)1<&EbtmjBmwqSCzxmxTYj8mij+316Vho$UZ3z7Eh;As=do+HnR6d{PR;| z5A|8C8@6GHGMXxD1+yGbs$0D?m}09?+ziXxKA1cnBz$}6(P<<7X2wF>qSX)LyW-wF z>@LeL%8~zdw!xb_1+KH^oN|k z1kP$Hn(SOoYJbp$$UCp+o8$AW9F>M5ZIL1Qpjuk&;0GzJg~xA36B7Ou*cqZ;BS7Ua zskPgbMsrCRDi)e$Zbw;nj6wW;q@aRSKxA*@*ZU=wtnZPIYA3T9Nieo$+@wQ`4H% z985awzb{dGb>8!^D=Sm@YmTVMGq3b*S#PRc%O1RXDFekSxJkEX>kUnL$b9mO|45*4 z&SrAf0>MZiad7A4;QPg=6B?{3eK6ZX{Bpt>(&m-os495CA5or5te#q+gs@|B#*w2h z03GRniufj{5&b?#Vd2~F8&D$Fzk>5ZBoo1`jtg1IIrfUrb$ygxbvZ&y4{jTMK|!JZ zpuVAL3&4RYe8+RhZD{eG`Jl0a8=xd$WLv-gg+wkKSTICyrNMd?5Qf-px^itj__$zL zAkfdwwJ2w`Im|wKvY~4pvd|1@@Z=r9TP=SW688H~cWy=o`%qSDcmTlelm=cB73u}- z$Qu%Vj;|_~EkOi(xwQwkZs2jRE}|iWr!%Fymy;ymPGHNz{=cPv{~#}bP`c+ZspdLD za(;Bo>#T>7=F|@780VMWCqL}@EkndA5%Z{!cSM}F{q#YV4S()YVu!fLF zjkl!-N{B`RhKG>VY!n@XBfbkY(e6}L99vK~^or{nn~UTc9E;cTwyU)Y)oMM>^Os_8 zGQ{J!4P3+D&^XFa*i@-8_F|_irDQBir_B=y?}*Q;y+F26_f=-smoNJL6l7U3`Upo# z28D!9X(I1`QVa8kFK)lj?N1?EZZ|@_{Nqk-7+qofBjGh2Yc+N{{GB-?@<0iI)Ys{% ztiW1Sl!Q_7OlyItCP4fA4+j)ae<^u(slr(t`etZmSeGS(W7V&xPV*Inu3`ey63EoldmJ$o-Ul%8W!nP*>Vd-;cPGlckB*qy`!hWuO`0VBlYokPqW-li0>Bw<}jPtVZRfhW#RU)EyAHhe@<4* zram)eZlj)_gYu7g4+(`NCYp!I1d~Oxm>GYmG?|;}|BUuXe-+&I%G_PFhr-PhQBHG1 zpPB3P{dd9o`6_e?7im8W+^u12kW0MWcKn`_x{KyJJ43{z?Fb^_q-T_8TQ9`po{v~R zvdGdKUWyvSE`;re?wgtTvuN@kzk@5oQ7C1Das1i28re)P;}gn*!0%rTs<(a3K_aZs zkGNkHk8W26@tQha=S&e?*L%oaR*>*Iw$&E7$9Zw(-Eo1-=ld6bx}`rC3^coaG4y6- zP;8VYdyTyM-rnfm!RVfN&##FqM{TvHZ_%0GBvOKA?2o_STKEp%=uuApE=R`5_GkZj zN&B+pX3$VOS(3kKVt1Q6`MKB2_V4zOW^+}yzeGE{BrEPrN}VfEkCskE(aElqrjO?P z2W182^QV{DhFqx;Cin|+f9)8nm8M$h=a2b1+*c#oNZW0h|9Y2NqG+;K?EGC@iSb!5 zJ(-2lYFyOui}uEG6rl>di?R4~p<~xlP;+$GU3$Xhoy#M+`n$@la=m25yb`31lXDJz 
z!=Rq^J#mU%3+WZAB>%yMEaQ$NIHr8oNp*?L1{+SDy}0i5^rzeVv-&?5R-V32Su?ax zDf{q@D<;);3_rLLVauogyn6CvP7tN87SPEQlgVC#wWHXLwSXTzql3LsE%O}i!=O|@ z(R8mGy*LQ!@?FS*woD!)Ju-psIJ!`8c2#4Et#+-kbvy{B#}vb_6$VJgzM7brD6-!q zi{^_S#v$&Ib@4!IL*Ni$18)T_G6%32eh+9RS^@+I0P zT0fXxS7xW|jcpwp13Iv!TtV6VTH@RK<;`T^c%J=p4kuB%?uBxFq94L*>XRgyTed~Q zri}4J8F||71$Od$r`BcuT15iOI~I6=y&Bdtn`*^y86;3Ted6*{Y2&A|D{Cr!|J?1O zi7%b^^WErz7M^YfeeTR94ba_uSEt{waQG8xuSF$j~G`u3fI7VeNDGl5jt+kzADugF4Gl7__>Wx zyc_AAT8na5Lw;MwEL|;mX@A3|lK}~jEZs>RoG&4$g^NO>!d~KoaRC!gk2_R&AeyZB zkhe@RjVm4FwamZ};Eie|D@Gjb1k2S+90rnyM%y5Fswv6(-tJn;?VW#_%T7UjajfS| zj^(9Vxyu)IK(3Uss))K8-cDAmZjYNKCwo8fg}uH1nf!HoedCwIKWErbz5Uj4u9VwR|<5yB#*Xz%5?+<^63(~*&_2-0-Z^F)c!b!*T5{nR|gX_-lN+@K<+ zk6HYwqt+eOz`3}L0|E{d4XS?}#O4OVP>Sxy^gT+b;ep>6BT?j8Cr|!p&@4TH27jMU zULz4amO$IkbOxON|JTn1Sp+#1z zXJ(Z+<*$%;$7AbF?^^SiKk+=&6nLJd8}Fqg1)26&m)e}#H?RVgZ)`Vt6~(QgO-2(e zL99I|o5&jAbriduTxpwr<-4J7R#91bGTGE979OiNGH{?co?*Mg7B~yl3YfWFFewjd zCK?uHeYu<1HfZRvkd+1*N|YYn=us$IbGF?(!Dpvb4|RHQrmwaG3qo&{gluwBB-T_k zIGcg6Gb)82boR>YrKi z@>`=Ad(53s#B1wKr^}xUoY;R0%YOcahYFW2wTM&rp4%+0?f17XGxzT4gNiaZ65(tV zyA>QwszjxKjW>0<8w(dAgABe^wbphBjXZ0fl-mMj=_u){fastQLSVr zc<&Ps>~mW;s^mG~kQ};hF!671QtVDKbc5HFy$ZgyTUu1jgkcWKXTO9i<4NDUfgwY) z7SIU#q3B#G+Kl;eM6o+@g*^0nWsqmh(~&mMKX~VVU2UXF=0@(@K-f;4Mcf4896*Th zwS+tPU-Ee7m^<5k?zRkw+&iP*9PG;nF%-TekqVQ)mmbwh7)|$vX4IMH>pj^obm)hd z>uiHcN0WvoT$P$eN^ewUU-&_6yxjfNf7H?cV;6$etemf z+iE*M_``+blaPrmiUbkP#dS#A4O5 zx1)?Lf(lkbB_S4d7(v0M7#1N!P!nRq0rby1@A$LIK0I z4x|)KY?wHqAGiG|HhZc4DE&VVFOzlz$A0s z$`P^peR}NaR0KU}l~_@wOUUGPv=0x{SO?}=+#xGCs3u*Yed!B;bwGll==mu&u16^6 z?LJ^<#?M2qtl-}^v|BsN{m%V%im3SRWC={~iW@grAUh%9|k}}`&_wN2p zi4vR-M*fM7)v0CJpqfkkm8upyAZv)@^z_t}OA|@C6zGH1EK4LqESxA!C7BuH(#m=F ztyDTE7Z*SBER$6RN)Yk#yzoNhE06}g%^!L6Nl>NkKqPa2)tzm7w6E*x66}qeu}{(0 ztJfBJHeK~3#TczWs43AG#|)5@1JbP1Ywds*#XZXo_!f01Gmxd7Sf1{y+1%3R7;Cn`#9H}RYD>FiXT-(nCny2Yxzq8bWSyKQcV=yBR>OXVdV z^mCK05E6kKN0~Q*U{$VHF%=-C>6jG0*N;6L>?t)cO zh=27POaoqUqx)HX)zfaP*e!H$TaLRSM`^+)I!{S^Ln%E!>eY{2$rC)kXz#ESrg)BN 
diff --git a/content/en/docs/getting-started-guides/windows/_index.md b/content/en/docs/getting-started-guides/windows/_index.md index 8ec63ef0892a7..3f16e6b1bc63b 100644 --- a/content/en/docs/getting-started-guides/windows/_index.md +++ b/content/en/docs/getting-started-guides/windows/_index.md 
@@ -1,401 +1,1124 @@ --- -title: Using Windows Server Containers in Kubernetes +title: Adding Windows nodes and scheduling Windows containers in Kubernetes toc_hide: true --- +## Motivation + +Windows applications constitute a large portion of the services and applications that run in many organizations. [Windows containers](https://aka.ms/windowscontainers) provide a modern way to encapsulate processes and package dependencies, making it easier to use DevOps practices and follow cloud native patterns for Windows applications. Kubernetes has become the defacto standard container orchestrator, and the release of Kubernetes 1.14 includes production support for scheduling Windows containers on Windows nodes in a Kubernetes cluster, enabling a vast ecosystem of Windows applications to leverage the power of Kubernetes. Enterprises with investments in Windows-based applications and Linux-based applications don't have to look for separate orchestrators to manage their workloads, leading to increased operational efficiencies across their deployments, regardless of operating system. + + +## Intro to Windows containers in Kubernetes + +To enable the orchestration of Windows containers in Kubernetes, simply include Windows nodes in your existing Linux cluster. Scheduling Windows containers in [Pods](/docs/concepts/workloads/pods/pod-overview/) on Kubernetes is as simple and easy as scheduling Linux-based containers. + +In order to run Windows containers, your Kubernetes cluster must include multiple operating systems, with control plane nodes running Linux and workers running either Windows or Linux depending on your workload needs. 
Windows Server 2019 is the only Windows operating system supported, enabling [Kubernetes Node](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/architecture/architecture.md#the-kubernetes-node) on Windows (including kubelet, [container runtime](https://docs.microsoft.com/en-us/virtualization/windowscontainers/deploy-containers/containerd), and kube-proxy). For a detailed explanation of Windows distribution channels see the [Microsoft documentation](https://docs.microsoft.com/en-us/windows-server/get-started-19/servicing-channels-19). + {{< note >}} -These instructions were recently updated based on Windows Server platform enhancements and the Kubernetes v1.9 release +The Kubernetes control plane, including the [master components](/docs/concepts/overview/components/), will continue to run on Linux. There are no plans to have a Windows-only Kubernetes cluster. {{< /note >}} -Kubernetes version 1.5 introduced Alpha support for Windows Server -Containers based on the Windows Server 2016 operating system. With the -release of Windows Server version 1709 and using Kubernetes v1.9 users -are able to deploy a Kubernetes cluster either on-premises or in a -private/public cloud using a number of different network topologies -and CNI plugins. Some key feature improvements for Windows Server -Containers on Kubernetes include: - -- Improved support for pods! Shared network namespace (compartment) with multiple Windows Server containers (shared kernel) -- Reduced network complexity by using a single network endpoint per pod -- Kernel-Based load-balancing using the Virtual Filtering Platform (VFP) Hyper-v Switch Extension (analogous to Linux iptables) -- Container Runtime Interface (CRI) pod and node level statistics -- Support for kubeadm commands to add Windows Server nodes to a Kubernetes environment +{{< note >}} +In this document, when we talk about Windows containers we mean Windows containers with process isolation. 
Windows containers with [Hyper-V isolation](https://docs.microsoft.com/en-us/virtualization/windowscontainers/manage-containers/hyperv-container) is planned for a future release. +{{< /note >}} -The Kubernetes control plane (API Server, Scheduler, Controller Manager, etc) continue to run on Linux, while the kubelet and kube-proxy can be run on Windows Server 2016 or later +## Supported Functionality and Limitations + +### Supported Functionality + +#### Compute + +From an API and kubectl perspective, Windows containers behave in much the same way as Linux-based containers. However, there are some notable differences in key functionality which are outlined in the limitation section. + +Let's start with the operating system version. Refer to the following table for Windows operating system support in Kubernetes. A single heterogeneous Kubernetes cluster can have both Windows and Linux worker nodes. Windows containers have to be scheduled on Windows nodes and Linux containers on Linux nodes. + + + + + + + + + + + + + + + + + + + + +
Kubernetes version + Host OS version (Kubernetes Node) + + +
+ Windows Server 1709 + Windows Server 1803 + Windows Server 1809/Windows Server 2019 +
Kubernetes v1.14 + Not Supported + Not Supported + Supported for Windows Server containers Builds 17763.* with Docker EE-basic 18.09 +
{{< note >}} -Windows Server Containers on Kubernetes is a Beta feature in Kubernetes v1.9 +The Windows Server Host Operating System is subject to the [Windows Server ](https://www.microsoft.com/en-us/cloud-platform/windows-server-pricing) licensing. The Windows Container images are subject to the [Supplemental License Terms for Windows containers](https://docs.microsoft.com/en-us/virtualization/windowscontainers/images-eula). +{{< /note >}} +{{< note >}} +Windows containers with process isolation have strict compatibility rules, [where the host OS version must match the container base image OS version](https://docs.microsoft.com/en-us/virtualization/windowscontainers/deploy-containers/version-compatibility). Once we support Windows containers with Hyper-V isolation in Kubernetes, the limitation and compatibility rules will change. {{< /note >}} -## Get Windows Binaries -We recommend using the release binaries that can be found at [https://github.com/kubernetes/kubernetes/releases/latest](https://github.com/kubernetes/kubernetes/releases/latest). Under the CHANGELOG you can find the Node Binaries link for Windows-amd64, which will include kubeadm, kubectl, kubelet and kube-proxy. +Key Kubernetes elements work the same way in Windows as they do in Linux. In this section, we will talk about some of the key workload enablers and how they map to Windows. + +* [Pods](/docs/concepts/workloads/pods/pod-overview/) + + A Pod is the basic building block of Kubernetes–the smallest and simplest unit in the Kubernetes object model that you create or deploy. 
The following Pod capabilities, properties and events are supported with Windows containers: + + * Single or multiple containers per Pod with process isolation and volume sharing + * Pod status fields + * Readiness and Liveness probes + * postStart & preStop container lifecycle events + * ConfigMap, Secrets: as environment variables or volumes + * EmptyDir + * Named pipe host mounts + * Resource limits +* [Controllers](/docs/concepts/workloads/controllers/) + + Kubernetes controllers handle the desired state of Pods. The following workload controllers are supported with Windows containers: + + * ReplicaSet + * ReplicationController + * Deployments + * StatefulSets + * DaemonSet + * Job + * CronJob +* [Services](/docs/concepts/services-networking/service/) + + A Kubernetes Service is an abstraction which defines a logical set of Pods and a policy by which to access them - sometimes called a micro-service. You can use services for cross-operating system connectivity. In Windows, services can utilize the following types, properties and capabilities: + + * Service Environment variables + * NodePort + * ClusterIP + * LoadBalancer + * ExternalName + * Headless services + +Pods, Controllers and Services are critical elements to managing Windows workloads on Kubernetes. However, on their own they are not enough to enable the proper lifecycle management of Windows workloads in a dynamic cloud native environment. We added support for the following features: + +* Pod and container metrics +* Horizontal Pod Autoscaler support +* kubectl Exec +* Resource Quotas +* Scheduler preemption + +#### Container Runtime + +Docker EE-basic 18.09 is required on Windows Server 2019 / 1809 nodes for Kubernetes. This works with the dockershim code included in the kubelet. Additional runtimes such as CRI-ContainerD may be supported in later Kubernetes versions. 
+ +#### Storage + +Kubernetes Volumes enable complex applications with data persistence and Pod volume sharing requirements to be deployed on Kubernetes. Kubernetes on Windows supports the following types of [volumes](/docs/concepts/storage/volumes/): + +* FlexVolume out-of-tree plugin with [SMB and iSCSI](https://github.com/Microsoft/K8s-Storage-Plugins/tree/master/flexvolume/windows)support +* [azureDisk](/docs/concepts/storage/volumes/#azuredisk) +* [azureFile](/docs/concepts/storage/volumes/#azurefile) +* [gcePersistentDisk](/docs/concepts/storage/volumes/#gcepersistentdisk) + +#### Networking + +Networking for Windows containers is exposed through [CNI plugins](/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/). Windows containers function similarly to virtual machines in regards to networking. Each container has a virtual network adapter (vNIC) which is connected to a Hyper-V virtual switch (vSwitch). The Host Networking Service (HNS) and the Host Compute Service (HCS) work together to create containers and attach container vNICs to networks. HCS is responsible for the management of containers whereas HNS is responsible for the management of networking resources such as: + +* Virtual networks (including creation of vSwitches) +* Endpoints / vNICs +* Namespaces +* Policies (Packet encapsulations, Load-balancing rules, ACLs, NAT'ing rules, etc.) + +The following service spec types are supported: + +* NodePort +* ClusterIP +* LoadBalancer +* ExternalName + +Windows supports five different networking drivers/modes: L2bridge, L2tunnel, Overlay, Transparent, and NAT. In a heterogeneous cluster with Windows and Linux worker nodes, you need to select a networking solution that is compatible on both Windows and Linux. The following out-of-tree plugins are supported on Windows, with recommendations on when to use each CNI: + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Network Driver + Description + Container Packet Modifications + Network Plugins + Network Plugin Characteristics +
L2bridge + Containers are attached to an external vSwitch. Containers are attached to the underlay network, although the physical network doesn't need to learn the container MACs because they are rewritten on ingress/egress. Inter-container traffic is bridged inside the container host. + MAC is rewritten to host MAC, IP remains the same. + win-bridge, Azure-CNI, Flannel host-gateway uses win-bridge + win-bridge uses L2bridge network mode, connects containers to the underlay of hosts, offering best performance. Requires L2 adjacency between container hosts +
L2Tunnel + This is a special case of l2bridge, but only used on Azure. All packets are sent to the virtualization host where SDN policy is applied. + MAC rewritten, IP visible on the underlay network + Azure-CNI + Azure-CNI allows integration of containers with Azure vNET, and allows them to leverage the set of capabilities that Azure Virtual Network provides. For example, securely connect to Azure services or use Azure NSGs. See azure-cni for some examples +
Overlay (Overlay networking for Windows in Kubernetes is in alpha stage) + Containers are given a vNIC connected to an external vSwitch. Each overlay network gets its own IP subnet, defined by a custom IP prefix.The overlay network driver uses VXLAN encapsulation. + Encapsulated with an outer header, inner packet remains the same. + Win-overlay, Flannel VXLAN (uses win-overlay) + win-overlay should be used when virtual container networks are desired to be isolated from underlay of hosts (e.g. for security reasons). Allows for IPs to be re-used for different overlay networks (which have different VNID tags) if you are restricted on IPs in your datacenter. This option may be used when the container hosts are not L2 adjacent but have L3 connectivity +
Transparent (special use case for ovn-kubernetes) + Requires an external vSwitch. Containers are attached to an external vSwitch which will enable intra-pod communication via logical networks (logical switches and routers). + Packet is encapsulated either via GENEVE or STT tunneling to reach pods which are not on the same host. + +Packets are forwarded or dropped via the tunnel metadata information supplied by the ovn network controller. + +NAT is done for north-south communication. + + ovn-kubernetes + + Deploy via ansible. Distributed ACLs can be applied via Kubernetes policies. IPAM support. Load-balancing can be achieved without kube-proxy. NATing is done without using iptables/netsh. +
NAT (not used in Kubernetes) + Containers are given a vNIC connected to an internal vSwitch. DNS/DHCP is provided using an internal component called WinNAT + MAC and IP is rewritten to host MAC/IP. + nat + Included here for completeness +
+ +As outlined above, the [Flannel](https://github.com/coreos/flannel) CNI [meta plugin](https://github.com/containernetworking/plugins/tree/master/plugins/meta/flannel) is also supported on [Windows](https://github.com/containernetworking/plugins/tree/master/plugins/meta/flannel#windows-support-experimental) via the [VXLAN network backend](https://github.com/coreos/flannel/blob/master/Documentation/backends.md#vxlan) (**alpha support** ; delegates to win-overlay) and [host-gateway network backend](https://github.com/coreos/flannel/blob/master/Documentation/backends.md#host-gw) (stable support; delegates to win-bridge). This plugin supports delegating to one of the reference CNI plugins (win-overlay, win-bridge), to work in conjunction with Flannel daemon on Windows (Flanneld) for automatic node subnet lease assignment and HNS network creation. This plugin reads in its own configuration file (net-conf.json), and aggregates it with the environment variables from the FlannelD generated subnet.env file. It then delegates to one of the reference CNI plugins for network plumbing, and sends the correct configuration containing the node-assigned subnet to the IPAM plugin (e.g. host-local). 
+ +For the node, pod, and service objects, the following network flows are supported for TCP/UDP traffic: + +* Pod -> Pod (IP) +* Pod -> Pod (Name) +* Pod -> Service (Cluster IP) +* Pod -> Service (PQDN, but only if there are no ".") +* Pod -> Service (FQDN) +* Pod -> External (IP) +* Pod -> External (DNS) +* Node -> Pod +* Pod -> Node + +The following IPAM options are supported on Windows: + +* [Host-local](https://github.com/containernetworking/plugins/tree/master/plugins/ipam/host-local) +* HNS IPAM (Inbox platform IPAM, this is a fallback when no IPAM is set) +* [Azure-vnet-ipam](https://github.com/Azure/azure-container-networking/blob/master/docs/ipam.md) (for azure-cni only) + +### Limitations + +#### Control Plane + +Windows is only supported as a worker node in the Kubernetes architecture and component matrix. This means that a Kubernetes cluster must always include Linux master nodes, zero or more Linux worker nodes, and zero or more Windows worker nodes. + +#### Compute + +##### Resource management and process isolation + + Linux cgroups are used as a pod boundary for resource controls in Linux. Containers are created within that boundary for network, process and file system isolation. The cgroups APIs can be used to gather cpu/io/memory stats. In contrast, Windows uses a Job object per container with a system namespace filter to contain all processes in a container and provide logical isolation from the host. There is no way to run a Windows container without the namespace filtering in place. This means that system privileges cannot be asserted in the context of the host, and thus privileged containers are not available on Windows. Containers cannot assume an identity from the host because the Security Account Manager (SAM) is separate. + +##### Operating System Restrictions + +Windows has strict compatibility rules, where the host OS version must match the container base image OS version. 
Only Windows containers with a container operating system of Windows Server 2019 are supported. Hyper-V isolation of containers, enabling some backward compatibility of Windows container image versions, is planned for a future release. + +##### Feature Restrictions + +* TerminationGracePeriod: not implemented +* Single file mapping: to be implemented with CRI-ContainerD +* Termination message: to be implemented with CRI-ContainerD +* Privileged Containers: not currently supported in Windows containers +* HugePages: not currently supported in Windows containers +* The existing node problem detector is Linux-only and requires privileged containers. In general, we don't expect this to be used on Windows because privileged containers are not supported +* Not all features of shared namespaces are supported (see API section for more details) -If you wish to build the code yourself, please refer to detailed build instructions [here](https://docs.microsoft.com/en-us/virtualization/windowscontainers/kubernetes/compiling-kubernetes-binaries). +##### Memory Reservations and Handling -## Prerequisites -In Kubernetes version 1.9 or later, Windows Server Containers for Kubernetes are supported using the following: +Windows does not have an out-of-memory process killer as Linux does. Windows always treats all user-mode memory allocations as virtual, and pagefiles are mandatory. The net effect is that Windows won't reach out of memory conditions the same way Linux does, and processes will page to disk instead of being subject to out of memory (OOM) termination. If memory is over-provisioned and all physical memory is exhausted, then paging can slow down performance. -1. Kubernetes control plane running on existing Linux infrastructure (version 1.9 or later). -2. Kubenet network plugin setup on the Linux nodes. -3. Windows Server 2016 RTM or later. Windows Server version 1709 or later is preferred; it unlocks key capabilities like shared network namespace. -4. 
Docker Version 17.06.1-ee-2 or later for Windows Server nodes (Linux nodes and Kubernetes control plane can run any Kubernetes supported Docker Version). +Keeping memory usage within reasonable bounds is possible with a two-step process. First, use the kubelet parameters `--kubelet-reserve` and/or `--system-reserve` to account for memory usage on the node (outside of containers). This will reduce [NodeAllocatable](/docs/tasks/administer-cluster/reserve-compute-resources/#node-allocatable)). As you deploy workloads, use resource limits (must set only limits or limits must equal requests) on containers. This will also subtract from NodeAllocatable and prevent the scheduler from adding more pods once a node is full. -## Networking -There are several supported network configurations with Kubernetes v1.9 on Windows, including both Layer-3 routed and overlay topologies using third-party network plugins. +A best practice to avoid over-provisioning is to configure the kubelet with a system reserved memory of at least 2GB to account for Windows, Docker, and Kubernetes processes. -1. [Upstream L3 Routing](#upstream-l3-routing-topology) - IP routes configured in upstream ToR -2. [Host-Gateway](#host-gateway-topology) - IP routes configured on each host -3. [Open vSwitch (OVS) & Open Virtual Network (OVN) with Overlay](#using-ovn-with-ovs) - overlay networks (supports STT and Geneve tunneling types) -4. [Future - In Review] Overlay - VXLAN or IP-in-IP encapsulation using Flannel -5. [Future] Layer-3 Routing with BGP (Calico) - -The selection of which network configuration and topology to deploy depends on the physical network topology and a user's ability to configure routes, performance concerns with encapsulation, and requirement to integrate with third-party network plugins. - -### Future CNI Plugins -An additional two CNI plugins [win-l2bridge (host-gateway) and win-overlay (vxlan)] are in [PR review](https://github.com/containernetworking/plugins/pull/85). 
These two CNI plugins, when ready, can either be used directly or with Flannel. - -### Linux -The above networking approaches are already supported on Linux using a bridge interface, which essentially creates a private network local to the node. Similar to the Windows side, routes to all other pod CIDRs must be created in order to send packets via the "public" NIC. - -### Windows -Windows supports the CNI network model and uses plugins to interface with the Windows Host Networking Service (HNS) to configure host networking and policy. At the time of this writing, the only publicly available CNI plugin from Microsoft is built from a private repo and available here [wincni.exe](https://github.com/Microsoft/SDN/blob/master/Kubernetes/windows/cni/wincni.exe). It uses an l2bridge network created through the Windows Host Networking Service (HNS) by an administrator using HNS PowerShell commands on each node as documented in the [Windows Host Setup](#windows-host-setup) section below. Source code for the future CNI plugins will be made available publicly. - -#### Upstream L3 Routing Topology -In this topology, networking is achieved using L3 routing with static IP routes configured in an upstream Top of Rack (ToR) switch/router. Each cluster node is connected to the management network with a host IP. Additionally, each node uses a local 'l2bridge' network with a pod CIDR assigned. All pods on a given worker node will be connected to the pod CIDR subnet ('l2bridge' network). In order to enable network communication between pods running on different nodes, the upstream router has static routes configured with pod CIDR prefix => Host IP. 
- -The following example diagram illustrates the Windows Server networking setup for Kubernetes using Upstream L3 Routing Setup: -![K8s Cluster using L3 Routing with ToR](UpstreamRouting.png) - -#### Host-Gateway Topology -This topology is similar to the Upstream L3 Routing topology with the only difference being that static IP routes are configured directly on each cluster node and not in the upstream ToR. Each node uses a local 'l2bridge' network with a pod CIDR assigned as before and has routing table entries for all other pod CIDR subnets assigned to the remote cluster nodes. - -#### Using OVN with OVS -The following diagram gives a general overview of the architecture and interaction between components: - -![Overlay using OVN controller and OVS Switch Extension](ovn_kubernetes.png) - -(The above image is from [https://github.com/openvswitch/ovn-kubernetes#overlay-mode-architecture-diagram](https://github.com/openvswitch/ovn-kubernetes#overlay-mode-architecture-diagram)) - -Due to its architecture, OVN has a central component which stores your networking intent in a database. Other components i.e. kube-apiserver, kube-controller-manager, kube-scheduler etc. can be deployed on that central node as well. - -## Setting up Windows Server Containers on Kubernetes -To run Windows Server Containers on Kubernetes, you'll need to set up both your host machines and the Kubernetes node components for Windows. Depending on your network topology, routes may need to be set up for pod communication on different nodes. - -### Host Setup - -#### For 1. Upstream L3 Routing Topology and 2. Host-Gateway Topology - -##### Linux Host Setup - -1. Linux hosts should be setup according to their respective distro documentation and the requirements of the Kubernetes version you will be using. -2. Configure Linux Master node using steps [here](https://github.com/MicrosoftDocs/Virtualization-Documentation/blob/live/virtualization/windowscontainers/kubernetes/creating-a-linux-master.md) -3. 
[Optional] CNI network plugin installed. - -##### Windows Host Setup - - -1. Windows Server container host running the required Windows Server and Docker versions. Follow the setup instructions outlined by this help topic: https://docs.microsoft.com/en-us/virtualization/windowscontainers/quick-start/quick-start-windows-server. -2. [Get Windows Binaries](#get-windows-binaries) kubelet.exe, kube-proxy.exe, and kubectl.exe using instructions -3. Copy Node spec file (kube config) from Linux master node with X.509 keys -4. Create the HNS Network, ensure the correct CNI network config, and start kubelet.exe using this script [start-kubelet.ps1](https://github.com/Microsoft/SDN/blob/master/Kubernetes/windows/start-kubelet.ps1) -5. Start kube-proxy using this script [start-kubeproxy.ps1](https://github.com/Microsoft/SDN/blob/master/Kubernetes/windows/start-kubeproxy.ps1) -6. [Only required for #2 Host-Gateway mode] Add static routes on Windows host using this script [AddRoutes.ps1](https://github.com/Microsoft/SDN/blob/master/Kubernetes/windows/AddRoutes.ps1) - -More detailed instructions can be found [here](https://github.com/MicrosoftDocs/Virtualization-Documentation/blob/live/virtualization/windowscontainers/kubernetes/getting-started-kubernetes-windows.md). - -**Windows CNI Config Example** -Today, Windows CNI plugin is based on wincni.exe code with the following example, configuration file. This is based on the ToR example diagram shown above, specifying the configuration to apply to Windows node-1. Of special interest is Windows node-1 pod CIDR (10.10.187.64/26) and the associated gateway of cbr0 (10.10.187.66). The exception list is specifying the Service CIDR (11.0.0.0/8), Cluster CIDR (10.10.0.0/16), and Management (or Host) CIDR (10.127.132.128/25). 
- -Note: this file assumes that a user previous created 'l2bridge' host networks on each Windows node using `-HNSNetwork` cmdlets as shown in the `start-kubelet.ps1` and `start-kubeproxy.ps1` scripts linked above - -```json -{ - "cniVersion": "0.2.0", - "name": "l2bridge", - "type": "wincni.exe", - "master": "Ethernet", - "ipam": { - "environment": "azure", - "subnet": "10.10.187.64/26", - "routes": [{ - "GW": "10.10.187.66" - }] - }, - "dns": { - "Nameservers": [ - "11.0.0.10" - ] - }, - "AdditionalArgs": [{ - "Name": "EndpointPolicy", - "Value": { - "Type": "OutBoundNAT", - "ExceptionList": [ - "11.0.0.0/8", - "10.10.0.0/16", - "10.127.132.128/25" - ] - } - }, - { - "Name": "EndpointPolicy", - "Value": { - "Type": "ROUTE", - "DestinationPrefix": "11.0.0.0/8", - "NeedEncap": true - } - }, - { - "Name": "EndpointPolicy", - "Value": { - "Type": "ROUTE", - "DestinationPrefix": "10.127.132.213/32", - "NeedEncap": true - } - } - ] -} -``` +The behavior of the flags behave differently as described below: -#### DNS configurations +* --kubelet-reserve, --system-reserve , and --eviction-hard flags update Node Allocatable +* Eviction by using --enforce-node-allocable is not implemented +* Eviction by using --eviction-hard and --eviction-soft are not implemented +* MemoryPressure Condition is not implemented +* There are no OOM eviction actions taken by the kubelet +* Kubelet running on the windows node does not have memory restrictions. --kubelet-reserve and --system-reserve do not set limits on kubelet or processes running the host. This means kubelet or a process on the host could cause memory resource starvation outside the node-allocatable and scheduler -DNS configurations for Windows containers are set by CNI plugins which support `dns` capabilities. To enable `dns` capabilities, the following options should be included in the CNI configuration file: +#### Storage -```json -{ - ... 
- "capabilities": {"dns": true}, -} -``` +Windows has a layered filesystem driver to mount container layers and create a copy filesystem based on NTFS. All file paths in the container are resolved only within the context of that container. -The following DNS options from kubelet will be passed to CNI plugins: +* Volume mounts can only target a directory in the container, and not an individual file +* Volume mounts cannot project files or directories back to the host filesystem +* Read-only filesystems are not supported because write access is always required for the Windows registry and SAM database. However, read-only volumes are supported +* Volume user-masks and permissions are not available. Because the SAM is not shared between the host & container, there's no mapping between them. All permissions are resolved within the context of the container -- servers: List of DNS servers. -- searches: List of DNS search domains. -- options: List of DNS options. +As a result, the following storage functionality is not supported on Windows nodes -e.g. +* Volume subpath mounts. Only the entire volume can be mounted in a Windows container. +* Subpath volume mounting for Secrets +* Host mount projection +* DefaultMode (due to UID/GID dependency) +* Read-only root filesystem. Mapped volumes still support readOnly +* Block device mapping +* Memory as the storage medium +* CSI plugins which require privileged containers +* File system features like uui/guid, per-user Linux filesystem permissions +* NFS based storage/volume support -```json -"dns" { - "servers": ["10.0.0.10"], - "searches": ["default.svc.cluster.local","svc.cluster.local","cluster.local"], - "options": [] -} -``` +#### Networking + +Windows Container Networking differs in some important ways from Linux networking. 
The [Microsoft documentation for Windows Container Networking](https://docs.microsoft.com/en-us/virtualization/windowscontainers/container-networking/architecture) contains additional details and background. + +The Windows host networking networking service and virtual switch implement namespacing and can create virtual NICs as needed for a pod or container. However, many configurations such as DNS, routes, and metrics are stored in the Windows registry database rather than /etc/... files as they are on Linux. The Windows registry for the container is separate from that of the host, so concepts like mapping /etc/resolv.conf from the host into a container don't have the same effect they would on Linux. These must be configured using Windows APIs run in the context of that container. Therefore CNI implementations need to call the HNS instead of relying on file mappings to pass network details into the pod or container. + +The following networking functionality is not supported on Windows nodes + +* Host networking mode is not available for Windows pods +* Local NodePort access from the node itself will fail (works for other nodes or external clients) +* Accessing service VIPs from nodes will be available with a future release of Windows Server +* Overlay networking support in kube-proxy is an alpha release. In addition, it requires [KB4482887](https://support.microsoft.com/en-us/help/4482887/windows-10-update-kb4482887) to be installed on Windows Server 2019 +* Outbound communication using the ICMP protocol via the win-overlay, win-bridge, and Azure-CNI plugin. Specifically, the Windows data plane ([VFP](https://www.microsoft.com/en-us/research/project/azure-virtual-filtering-platform/)) doesn't support ICMP packet transpositions. This means: + * ICMP packets directed to destinations within the same network (e.g. 
pod to pod communication via ping) will work as expected and without any limitations + * TCP/UDP packets will work as expected and without any limitations + * ICMP packets directed to pass through a remote network (e.g. pod to external internet communication via ping) cannot be transposed and thus will not be routed back to their source + * Since TCP/UDP packets can still be transposed, one can substitute **ping ** with **curl ** to be able to debug connectivity to the outside world. + +##### CNI Plugins + +* Windows reference network plugins win-bridge and win-overlay do not currently implement [CNI spec](https://github.com/containernetworking/cni/blob/master/SPEC.md) v0.4.0 due to missing "CHECK" implementation. +* The Flannel VXLAN CNI has the following limitations on Windows: + +1. Node-pod connectivity isn't possible by design. It's only possible for local pods with Flannel [PR 1096](https://github.com/coreos/flannel/pull/1096) +2. We are restricted to using VNI 4096 and UDP port 4789. The VNI limitation is being worked on and will be overcome (open-source flannel changes). See official [Flannel VXLAN ](https://github.com/coreos/flannel/blob/master/Documentation/backends.md#vxlan)backend docs for more details on these parameters. + +##### DNS {#dns-limitations} + +* ClusterFirstWithHostNet is not supported for DNS. Windows treats all names with a '.' as a FQDN and skips PQDN resolution +* On Linux, you have a DNS suffix list, which is used when trying to resolve PQDNs. On Windows, we only have 1 DNS suffix, which is the DNS suffix associated with that pod's namespace (mydns.svc.cluster.local for example). Windows can resolve FQDNs and services or names resolvable with just that suffix. For example, a pod spawned in the default namespace, will have the DNS suffix **default.svc.cluster.local**. 
On a Windows pod, we will be able to resolve both **kubernetes.default.svc.cluster.local** and **kubernetes**, but not the in-betweens, like **kubernetes.default** or **kubernetes.default.svc**. + +##### Security + +Secrets are written in clear text on the node's volume (as compared to tmpfs/in-memory on linux). This means customers have to do two things + +1. Use file ACLs to secure the secrets file location +2. Use volume-level encryption using [BitLocker](https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server) + +[RunAsUser ](/docs/concepts/policy/pod-security-policy/#users-and-groups)is not currently supported on Windows. The workaround is to create local accounts before packaging the container. The RunAsUsername capability may be added in a future release. + +Linux specific pod security context privileges such as SELinux, AppArmor, Seccomp, Capabilities (POSIX Capabilities), and others are not supported. + +In addition, as mentioned already, privileged containers are not supported on Windows. + +#### API + +There are no differences in how most of the Kubernetes APIs work for Windows. The subtleties around what's different come down to differences in the OS and container runtime. In certain situations, some properties on workload APIs such as Pod or Container were designed with an assumption that they are implemented on Linux, failing to run on Windows. + +At a high level, these OS concepts are different: + +* Identity - Linux uses userID (UID) and groupID (GID) which are represented as integer types. User and group names are not canonical - they are just an alias in /etc/groups or /etc/passwd back to UID+GID. Windows uses a larger binary security identifier (SID) which is stored in the Windows Security Access Manager (SAM) database. This database is not shared between the host and containers, or between containers. 
+* File permissions - Windows uses an access control list based on SIDs, rather than a bitmask of permissions and UID+GID +* File paths - convention on Windows is to use **\** instead of **/**. The Go IO libraries typically accept both and just make it work, but when you're setting a path or command line that's interpreted inside a container, **\** may be needed. +* Signals - Windows interactive apps handle termination differently, and can implement one or more of these: + * A UI thread will handle well-defined messages including WM_CLOSE + * Console apps will handle ctrl-c or ctrl-break using a Control Handler + * Services will register a Service Control Handler function that can accept SERVICE_CONTROL_STOP control codes -#### For 3. Open vSwitch (OVS) & Open Virtual Network (OVN) with Overlay +Exit Codes follow the same convention where 0 is success, nonzero is failure. The specific error codes may differ across Windows and Linux. However, exit codes passed from the Kubernetes components (kubelet, kube-proxy) will be unchanged. +##### V1.Container + +* V1.Container.ResourceRequirements.limits.cpu and V1.Container.ResourceRequirements.limits.memory - Windows doesn't use hard limits for CPU allocations. Instead, a share system is used. The existing fields based on millicores are scaled into relative shares that are followed by the Windows scheduler. [see: kuberuntime/helpers_windows.go](https://github.com/kubernetes/kubernetes/blob/master/pkg/kubelet/kuberuntime/helpers_windows.go), [see: resource controls in Microsoft docs](https://docs.microsoft.com/en-us/virtualization/windowscontainers/manage-containers/resource-controls) + * Huge pages are not implemented in the Windows container runtime, and are not available. They require [asserting a user privilege](https://docs.microsoft.com/en-us/windows/desktop/Memory/large-page-support) that's not configurable for containers. 
+* V1.Container.ResourceRequirements.requests.cpu and V1.Container.ResourceRequirements.requests.memory - Requests are subtracted from node available resources, so they can be used to avoid overprovisioning a node. However, they cannot be used to guarantee resources in an overprovisioned node. They should be applied to all containers as a best practice if the operator wants to avoid overprovisioning entirely. +* V1.Container.SecurityContext.allowPrivilegeEscalation - not possible on Windows, none of the capabilities are hooked up +* V1.Container.SecurityContext.Capabilities - POSIX capabilities are not implemented on Windows +* V1.Container.SecurityContext.privileged - Windows doesn't support privileged containers +* V1.Container.SecurityContext.procMount - Windows doesn't have a /proc filesystem +* V1.Container.SecurityContext.readOnlyRootFilesystem - not possible on Windows, write access is required for registry & system processes to run inside the container +* V1.Container.SecurityContext.runAsGroup - not possible on Windows, no GID support +* V1.Container.SecurityContext.runAsNonRoot - Windows does not have a root user. The closest equivalent is ContainerAdministrator which is an identity that doesn't exist on the node. +* V1.Container.SecurityContext.runAsUser - not possible on Windows, no UID support as int. +* V1.Container.SecurityContext.seLinuxOptions - not possible on Windows, no SELinux +* V1.Container.terminationMessagePath - this has some limitations in that Windows doesn't support mapping single files. The default value is /dev/termination-log, which does work because it does not exist on Windows by default. + +##### V1.Pod + +* V1.Pod.hostIPC, v1.pod.hostpid - host namespace sharing is not possible on Windows +* V1.Pod.hostNetwork - There is no Windows OS support to share the host network +* V1.Pod.dnsPolicy - ClusterFirstWithHostNet - is not supported because Host Networking is not supported on Windows. 
+* V1.Pod.podSecurityContext - see [V1.PodSecurityContext](https://github.com/kubernetes/enhancements/blob/master/keps/sig-windows/20190103-windows-node-support.md#v1podsecuritycontext) +* V1.Pod.shareProcessNamespace - this is a beta feature, and depends on Linux namespaces which are not implemented on Windows. Windows cannot share process namespaces or the container's root filesystem. Only the network can be shared. +* V1.Pod.terminationGracePeriodSeconds - this is not fully implemented in Docker on Windows, see: [reference](https://github.com/moby/moby/issues/25982). The behavior today is that the ENTRYPOINT process is sent CTRL_SHUTDOWN_EVENT, then Windows waits 5 seconds by default, and finally shuts down all processes using the normal Windows shutdown behavior. The 5 second default is actually in the Windows registry [inside the container](https://github.com/moby/moby/issues/25982#issuecomment-426441183), so it can be overridden when the container is built. +* V1.Pod.volumeDevices - this is a beta feature, and is not implemented on Windows. Windows cannot attach raw block devices to pods. +* V1.Pod.volumes - EmptyDir, Secret, ConfigMap, HostPath - all work and have tests in TestGrid + * V1.emptyDirVolumeSource - the Node default medium is disk on Windows. Memory is not supported, as Windows does not have a built-in RAM disk. +* V1.VolumeMount.mountPropagation - only MountPropagationHostToContainer is available. Windows cannot create mounts within a pod or project them back to the node. + +##### V1.PodSecurityContext + +None of the PodSecurityContext fields work on Windows. They're listed here for reference. + +* V1.PodSecurityContext.SELinuxOptions - SELinux is not available on Windows +* V1.PodSecurityContext.RunAsUser - provides a UID, not available on Windows +* V1.PodSecurityContext.RunAsGroup - provides a GID, not available on Windows +* V1.PodSecurityContext.RunAsNonRoot - Windows does not have a root user. 
The closest equivalent is ContainerAdministrator which is an identity that doesn't exist on the node. +* V1.PodSecurityContext.SupplementalGroups - provides GID, not available on Windows +* V1.PodSecurityContext.Sysctls - these are part of the Linux sysctl interface. There's no equivalent on Windows. + +# User Guide: Add Windows Nodes in Kubernetes {#UG-windows-nodes} + +## Objectives + +The Kubernetes platform can now be used to run both Linux and Windows containers. One or more Windows nodes can be registered to a cluster. This guide shows how to: + +* Register a Windows node to the cluster +* Configure networking so pods on Linux and Windows can communicate + +## Before you begin + +* Obtain a [Windows Server license](https://www.microsoft.com/en-us/cloud-platform/windows-server-pricing) in order to run the Windows node that will execute the Windows container. You can use your organization's licenses for the cluster, or acquire one from Microsoft, a reseller, or via the major cloud providers such as GCP, AWS, and Azure by provisioning a virtual machine running Windows Server through their marketplaces. A [time-limited trial](https://www.microsoft.com/en-us/cloud-platform/windows-server-trial) is also available. +* Build a Linux-based Kubernetes cluster in which you have access to the control plane (some examples include [Getting Started from Scratch](/docs/setup/scratch/), [kubeadm](/docs/setup/independent/create-cluster-kubeadm/), [AKS Engine](/docs/setup/turnkey/azure/), [GCE](/docs/setup/turnkey/gce/), [AWS](/docs/setup/turnkey/aws/)). + +## Getting Started: Adding a Windows Node to Your Cluster + +### Plan IP Addressing + +Kubernetes cluster management requires careful planning of your IP addresses so that you do not inadvertently cause network collision. This guide assumes that you are familiar with the [Kubernetes networking concepts](/docs/concepts/cluster-administration/networking/). 
+ +In order to deploy your cluster you will need the following address spaces: + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Subnet / address range + Description + Default value +
--- + --- + --- +
Service Subnet + A non-routable, purely virtual subnet that is used by pods to uniformly access services without caring about the network topology. It is translated to/from routable address space by kube-proxy running on the nodes. + "10.96.0.0/12" +
Cluster Subnet + This is a global subnet that is used by all pods in the cluster. Each node is assigned a smaller /24 subnet from this for their pods to use. It must be large enough to accommodate all pods used in your cluster. To calculate minimumsubnet size: (number of nodes) + (number of nodes * maximum pods per node that you configure) +Example: for a 5 node cluster for 100 pods per node: (5) + (5 * 100) = 505. + "10.244.0.0/16" +
Kubernetes DNS Service IP + IP address of kube-dns service that will be used for DNS resolution & cluster service discovery. + "10.96.0.10" +
+ +Review the networking options supported in 'Intro to Windows containers in Kubernetes: Supported Functionality: Networking' to determine how you need to allocate IP addresses for your cluster. + +### Components that run on Windows + +While the Kubernetes control plane runs on your Linux node(s), the following components will be configured and run on your Windows node(s). + +1. kubelet +2. kube-proxy +3. kubectl (optional) +4. Container runtime + +Get the latest binaries from [https://github.com/kubernetes/kubernetes/releases](https://github.com/kubernetes/kubernetes/releases), starting with v1.14 or later. The Windows-amd64 binaries for kubeadm, kubectl, kubelet, and kube-proxy can be found under the CHANGELOG link. + +### Networking Configuration + +Once you have a Linux-based Kubernetes master node you are ready to choose a networking solution. This guide illustrates using Flannel in VXLAN mode for simplicity. + +#### Configuring Flannel in VXLAN mode on the Linux controller + +1. Prepare Kubernetes master for Flannel + + Some minor preparation is recommended on the Kubernetes master in our cluster. It is recommended to enable bridged IPv4 traffic to iptables chains when using Flannel. This can be done using the following command: + + ```bash + sudo sysctl net.bridge.bridge-nf-call-iptables=1 + ``` + +1. Download & configure Flannel + + Download the most recent Flannel manifest: + + ```bash + wget https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml + ``` + + There are two sections you should modify to enable the vxlan networking backend: + + After applying the steps below, the `net-conf.json` section of `kube-flannel.yml` should look as follows: + + ```json + net-conf.json: | + { + "Network": "10.244.0.0/16", + "Backend": { + "Type": "vxlan", + "VNI" : 4096, + "Port": 4789 + } + } + ``` + +1. In the `net-conf.json` section of your `kube-flannel.yml`, double-check: + 1. The cluster subnet (e.g. 
"10.244.0.0/16") is set as per your IP plan. + * VNI 4096 is set in the backend + * Port 4789 is set in the backend + 2. In the `cni-conf.json` section of your `kube-flannel.yml`, change the network name to `vxlan0`. + +{{< note >}} +The VNI must be set to 4096 and port 4789 for Flannel on Linux to interoperate with Flannel on Windows. Support for other VNIs is coming soon. See [VXLAN](https://github.com/coreos/flannel/blob/master/Documentation/backends.md#vxlan) for an explanation of these fields. +{{< /note >}} + + Your `cni-conf.json` should look as follows: + + ```json + cni-conf.json: | + { + "name": "vxlan0", + "plugins": [ + { + "type": "flannel", + "delegate": { + "hairpinMode": true, + "isDefaultGateway": true + } + }, + { + "type": "portmap", + "capabilities": { + "portMappings": true + } + } + ] + } + ``` + +1. Apply the Flannel yaml and Validate + + Let's apply the Flannel configuration: + + ```bash + kubectl apply -f kube-flannel.yml + ``` + + Next, since the Flannel pods are Linux-based, apply a NodeSelector patch, which can be found [here](https://github.com/Microsoft/SDN/blob/1d5c055bb195fecba07ad094d2d7c18c188f9d2d/Kubernetes/flannel/l2bridge/manifests/node-selector-patch.yml), to the Flannel DaemonSet pod: + + ```bash + kubectl patch ds/kube-flannel-ds-amd64 --patch "$(cat node-selector-patch.yml)" -n=kube-system + ``` + + After a few minutes, you should see all the pods as running if the Flannel pod network was deployed. + + ```bash + kubectl get pods --all-namespaces + ``` + + ![alt_text](flannel-master-kubeclt-get-pods.png "flannel master kubectl get pods screen capture") + + Verify that the Flannel DaemonSet has the NodeSelector applied. + + ```bash + kubectl get ds -n kube-system + ``` + + ![alt_text](flannel-master-kubectl-get-ds.png "flannel master kubectl get ds screen capture") + +#### Join Windows Worker + +In this section we'll cover configuring a Windows node from scratch to join a cluster on-prem. 
If your cluster is on a cloud you'll likely want to follow the cloud specific guides in the next section. + +#### Preparing a Windows Node {{< note >}} -Fully automated setup via Ansible playbooks is [available](https://github.com/openvswitch/ovn-kubernetes/tree/master/contrib). +All code snippets in Windows sections are to be run in a PowerShell environment with elevated permissions (Admin). {{< /note >}} -For manual setup, continue the following steps. +1. Install Docker (requires a system reboot) -##### Linux Host Setup + Kubernetes uses [Docker](https://www.docker.com/) as its container engine, so we need to install it. You can follow the [official Docs instructions](https://docs.microsoft.com/en-us/virtualization/windowscontainers/manage-docker/configure-docker-daemon#install-docker), the [Docker instructions](https://store.docker.com/editions/enterprise/docker-ee-server-windows), or try the following *recommended* steps: -Setting up the central node and the components needed is out of scope of this document. You can read [these instructions](https://github.com/openvswitch/ovn-kubernetes#k8s-master-node-initialization) for that. + ```PowerShell + Enable-WindowsOptionalFeature -FeatureName Containers + Restart-Computer -Force + Install-Module -Name DockerMsftProvider -Repository PSGallery -Force + Install-Package -Name Docker -ProviderName DockerMsftProvider + ``` -Adding a Linux minion is also out of scope and you can read it here: [Linux minion](https://github.com/openvswitch/ovn-kubernetes#k8s-minion-node-initializations). 
+ If you are behind a proxy, the following PowerShell environment variables must be defined: + ```PowerShell + [Environment]::SetEnvironmentVariable("HTTP_PROXY", "http://proxy.example.com:80/", [EnvironmentVariableTarget]::Machine) + [Environment]::SetEnvironmentVariable("HTTPS_PROXY", "http://proxy.example.com:443/", [EnvironmentVariableTarget]::Machine) + ``` -##### Windows Host Setup + If after reboot you see the following error, you need to restart the docker service manually -Adding a Windows minion requires you to install OVS and OVN binaries. Windows Server container host running the required Windows Server and Docker versions. Follow the setup instructions outlined by [this help topic](https://docs.microsoft.com/en-us/virtualization/windowscontainers/quick-start/quick-start-windows-server). This type of deployment is supported starting with Windows Server 2016 RTM. + ![alt_text](windows-docker-error.png "windows docker error screen capture") -Compiling OVS and generating the installer will not be treated in this document. For a step by step instruction please visit [this link](http://docs.openvswitch.org/en/latest/intro/install/windows/#open-vswitch-on-windows). -For a prebuilt certified installer please visit [this link](https://cloudbase.it/openvswitch/#download) and download the latest version of it. + ```PowerShell + Start-Service docker + ``` -The following guide uses the prebuilt certified installer. +{{< note >}} +The "pause" (infrastructure) image is hosted on Microsoft Container Registry (MCR) and the DOCKERFILE is available at [https://github.com/Microsoft/SDN/blob/master/Kubernetes/windows/Dockerfile](https://github.com/Microsoft/SDN/blob/master/Kubernetes/windows/Dockerfile) +{{< /note >}} -Installing OVS can be done either via the GUI dialogs or unattended. Adding a Windows host to your setup requires you to have `OVN Host` together with the default installation features. 
Below is the dialog image on what needs to be installed: + ```PowerShell + docker pull mcr.microsoft.com/k8s/core/pause:1.0.0 + ``` -![OVN OVS Windows Installer](OVN_OVS_Windows_Installer.png) +1. Prepare a Windows directory for Kubernetes -For an unattended installation please use the following command: -``` -cmd /c 'msiexec /i openvswitch.msi ADDLOCAL="OpenvSwitchCLI,OpenvSwitchDriver,OVNHost" /qn' -``` + Create a "Kubernetes for Windows" directory to store Kubernetes binaries as well as any deployment scripts and config files. -The installer propagates new environment variables. Please open a new command shell or logoff/logon to ensure the environment variables are refreshed. + ```PowerShell + mkdir c:\k + ``` -For overlay, OVS on Windows requires a transparent docker network to function properly. Please use the following to create a transparent docker network which will be used by OVS. From powershell: -``` -docker network create -d transparent --gateway $GATEWAY_IP --subnet $SUBNET ` - -o com.docker.network.windowsshim.interface="$INTERFACE_ALIAS" external -``` -Where $SUBNET is the minion subnet which will be used to spawn pods on (the one which will be used by kubernetes), $GATEWAY_IP is the first IP of the $SUBNET and $INTERFACE_ALIAS is the interface used for creating the overlay tunnels (must have connectivity with the rests of the OVN hosts). -Example: -``` -docker network create -d transparent --gateway 10.0.1.1 --subnet 10.0.1.0/24 ` - -o com.docker.network.windowsshim.interface="Ethernet0" external +1. Copy Kubernetes certificate + + Copy the Kubernetes certificate file `$HOME/.kube/config` [from the Linux controller](https://docs.microsoft.com/en-us/virtualization/windowscontainers/kubernetes/creating-a-linux-master#collect-cluster-information) to this new `C:\k` directory on your Windows node. 
+ + Tip: You can use tools such as [xcopy](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/xcopy), [WinSCP](https://winscp.net/eng/download.php), or this [PowerShell wrapper for WinSCP](https://www.powershellgallery.com/packages/WinSCP/5.13.2.0) to transfer the config file between nodes. + +1. Download Kubernetes binaries + + To be able to run Kubernetes, you first need to download the `kubelet` and `kube-proxy` binaries. You download these from the Node Binaries links in the CHANGELOG.md file of the [latest releases](https://github.com/kubernetes/kubernetes/releases/). For example 'kubernetes-node-windows-amd64.tar.gz'. You may also optionally download `kubectl` to run on Windows which you can find under Client Binaries. + + Use the [Expand-Archive](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.archive/expand-archive?view=powershell-6) PowerShell command to extract the archive and place the binaries into `C:\k`. + +#### Join the Windows node to the Flannel cluster + +The Flannel overlay deployment scripts and documentation are available in [this repository](https://github.com/Microsoft/SDN/tree/master/Kubernetes/flannel/overlay). The following steps are a simple walkthrough of the more comprehensive instructions available there. + +Download the [Flannel start.ps1](https://github.com/Microsoft/SDN/blob/master/Kubernetes/flannel/start.ps1) script, the contents of which should be extracted to `C:\k`: + +```PowerShell +cd c:\k +[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 +wget https://raw.githubusercontent.com/Microsoft/SDN/master/Kubernetes/flannel/start.ps1 -o c:\k\start.ps1 ``` -After creating the docker network please run the next commands from powershell. 
(creates an OVS bridge, adds the interface under the bridge and enables the OVS forwarding switch extension) + +{{< note >}} +[start.ps1](https://github.com/Microsoft/SDN/blob/master/Kubernetes/flannel/start.ps1) references [install.ps1](https://github.com/Microsoft/SDN/blob/master/Kubernetes/windows/install.ps1), which will download additional files such as the `flanneld` executable and the [Dockerfile for infrastructure pod](https://github.com/Microsoft/SDN/blob/master/Kubernetes/windows/Dockerfile) and install those for you. For overlay networking mode, the [firewall](https://github.com/Microsoft/SDN/blob/master/Kubernetes/windows/helper.psm1#L111) will be opened for local UDP port 4789. There may be multiple powershell windows being opened/closed as well as a few seconds of network outage while the new external vSwitch for the pod network is being created the first time. Run the script using the arguments as specified below: +{{< /note >}} + +```PowerShell +.\start.ps1 -ManagementIP -NetworkMode overlay -ClusterCIDR -ServiceCIDR -KubeDnsServiceIP -LogDir ``` -$a = Get-NetAdapter | where Name -Match HNSTransparent -Rename-NetAdapter $a[0].Name -NewName HNSTransparent -Stop-Service ovs-vswitchd -force; Disable-VMSwitchExtension "Cloudbase Open vSwitch Extension"; -ovs-vsctl --no-wait del-br br-ex -ovs-vsctl --no-wait --may-exist add-br br-ex -ovs-vsctl --no-wait add-port br-ex HNSTransparent -- set interface HNSTransparent type=internal -ovs-vsctl --no-wait add-port br-ex $INTERFACE_ALIAS -Enable-VMSwitchExtension "Cloudbase Open vSwitch Extension"; sleep 2; Restart-Service ovs-vswitchd + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+Parameter + Default Value + Notes +
+--- + --- + --- +
-ManagementIP + N/A (required) + The IP address assigned to the Windows node. You can use ipconfig to find this. +
-NetworkMode + l2bridge + We're using overlay here +
-ClusterCIDR + 10.244.0.0/16 + Refer to your cluster IP plan +
-ServiceCIDR + 10.96.0.0/12 + Refer to your cluster IP plan +
-KubeDnsServiceIP + 10.96.0.10 + +
-InterfaceName + Ethernet + The name of the network interface of the Windows host. You can use ipconfig to find this. +
-LogDir + C:\k + The directory where kubelet and kube-proxy logs are redirected into their respective output files. +
+ +Now you can view the Windows nodes in your cluster by running the following: + +```bash +kubectl get nodes ``` -Besides of the above, setting up a Windows host is the same as the Linux host. Follow the steps from [here](https://github.com/openvswitch/ovn-kubernetes#k8s-minion-node-initializations). -**Windows CNI Setup** +{{< note >}} +You may want to configure your Windows node components like kubelet and kube-proxy to run as services. View the services and background processes section under [troubleshooting](#troubleshooting) for additional instructions. Once you are running the node components as services, collecting logs becomes an important part of troubleshooting. View the [gathering logs](https://github.com/kubernetes/community/blob/master/sig-windows/CONTRIBUTING.md#gathering-logs) section of the contributing guide for further instructions. +{{< /note >}} -Today, Windows OVN&OVS CNI plugin is based on ovn_cni.exe which can be downloaded from [here](https://cloudbase.it/downloads/ovn_cni.exe). A sample of CNI config file is the following: +### Public Cloud Providers + +#### Azure + +AKS-Engine can deploy a complete, customizable Kubernetes cluster with both Linux & Windows nodes. There is a step-by-step walkthrough available in the [docs on GitHub](https://github.com/Azure/aks-engine/blob/master/docs/topics/windows.md). + +#### GCP + +Users can easily deploy a complete Kubernetes cluster on GCE following this step-by-step walkthrough on [GitHub](https://github.com/kubernetes/kubernetes/blob/master/cluster/gce/windows/README-GCE-Windows-kube-up.md) + +#### Deployment with kubeadm and cluster API + +Kubeadm is becoming the de facto standard for users to deploy a Kubernetes cluster. Windows node support in kubeadm will come in a future release. We are also making investments in cluster API to ensure Windows nodes are properly provisioned. 
+ +#### Next Steps + +Now that you've configured a Windows worker in your cluster to run Windows containers you may want to add one or more Linux nodes as well to run Linux containers. Now you're ready to proceed to the next step to schedule Windows containers on your cluster. + +# User Guide: Scheduling Windows containers in Kubernetes + +## Objectives + +* Configure an example deployment to run Windows containers on the Windows node +* (Optional) Configure an Active Directory Identity for your Pod using Group Managed Service Accounts (GMSA) + +## Before you begin + +* Create a Kubernetes cluster that includes a [master and a worker node running Windows Server](#UG-windows-nodes) +* It is important to note that creating and deploying services and workloads on Kubernetes behaves in much the same way for Linux and Windows containers. [Kubectl commands](/docs/reference/kubectl/overview/) to interface with the cluster are identical. The example in the section below is provided simply to jumpstart your experience with Windows containers. + +## Getting Started: Deploying a Windows container + +To deploy a Windows container on Kubernetes, you must first create an example application. The example YAML file below creates a simple webserver application. 
Create a service spec named `win-webserver.yaml` with the contents below: + +```yaml + apiVersion: v1 + kind: Service + metadata: + name: win-webserver + labels: + app: win-webserver + spec: + ports: + # the port that this service should serve on + - port: 80 + targetPort: 80 + selector: + app: win-webserver + type: NodePort + --- + apiVersion: extensions/v1beta1 + kind: Deployment + metadata: + labels: + app: win-webserver + name: win-webserver + spec: + replicas: 2 + template: + metadata: + labels: + app: win-webserver + name: win-webserver + spec: + containers: + - name: windowswebserver + image: mcr.microsoft.com/windows/servercore:ltsc2019 + command: + - powershell.exe + - -command + - "<#code used from https://gist.github.com/wagnerandrade/5424431#> ; $$listener = New-Object System.Net.HttpListener ; $$listener.Prefixes.Add('http://*:80/') ; $$listener.Start() ; $$callerCounts = @{} ; Write-Host('Listening at http://*:80/') ; while ($$listener.IsListening) { ;$$context = $$listener.GetContext() ;$$requestUrl = $$context.Request.Url ;$$clientIP = $$context.Request.RemoteEndPoint.Address ;$$response = $$context.Response ;Write-Host '' ;Write-Host('> {0}' -f $$requestUrl) ; ;$$count = 1 ;$$k=$$callerCounts.Get_Item($$clientIP) ;if ($$k -ne $$null) { $$count += $$k } ;$$callerCounts.Set_Item($$clientIP, $$count) ;$$ip=(Get-NetAdapter | Get-NetIpAddress); $$header='

Windows Container Web Server

' ;$$callerCountsString='' ;$$callerCounts.Keys | % { $$callerCountsString+='

IP {0} callerCount {1} ' -f $$ip[1].IPAddress,$$callerCounts.Item($$_) } ;$$footer='' ;$$content='{0}{1}{2}' -f $$header,$$callerCountsString,$$footer ;Write-Output $$content ;$$buffer = [System.Text.Encoding]::UTF8.GetBytes($$content) ;$$response.ContentLength64 = $$buffer.Length ;$$response.OutputStream.Write($$buffer, 0, $$buffer.Length) ;$$response.Close() ;$$responseStatus = $$response.StatusCode ;Write-Host('< {0}' -f $$responseStatus) } ; " + nodeSelector: + beta.kubernetes.io/os: windows ``` -{ - "name": "net", - "type": "ovn_cni.exe", - "bridge": "br-int", - "isGateway": "true", - "ipMasq": "false", - "ipam": { - "type": "host-local", - "subnet": "$SUBNET" - } -} + +{{< note >}} +Port mapping is also supported, but for simplicity in this example the container port 80 is exposed directly to the service. +{{< /note >}} + +1. Check that all nodes are healthy: + + ```bash + kubectl get nodes + ``` + +1. Deploy the service and watch for pod updates: + + ```bash + kubectl apply -f win-webserver.yaml + kubectl get pods -o wide -w + ``` + + When the service is deployed correctly both Pods will be marked as Ready. To exit the watch command, press Ctrl+C. + +1. Check that the deployment succeeded. 
To verify: + + * Two containers per pod on the Windows node, use `docker ps` + * Two pods listed from the Linux master, use `kubectl get pods` + * Node-to-pod communication across the network, `curl` port 80 of your pod IPs from the Linux master to check for a web server response + * Pod-to-pod communication, ping between pods (and across hosts, if you have more than one Windows node) using docker exec or kubectl exec + * Service-to-pod communication, `curl` the virtual service IP (seen under `kubectl get services`) from the Linux master and from individual pods + * Service discovery, `curl` the service name with the Kubernetes [default DNS suffix](/docs/concepts/services-networking/dns-pod-service/#services) + * Inbound connectivity, `curl` the NodePort from the Linux master or machines outside of the cluster + * Outbound connectivity, `curl` external IPs from inside the pod using kubectl exec + +{{< note >}} +Windows container hosts are not able to access the IP of services scheduled on them due to current platform limitations of the Windows networking stack. Only Windows pods are able to access service IPs. +{{< /note >}} + +## Managing Workload Identity with Group Managed Service Accounts + +Starting with Kubernetes v1.14, Windows container workloads can be configured to use Group Managed Service Accounts (GMSA). Group Managed Service Accounts are a specific type of Active Directory account that provides automatic password management, simplified service principal name (SPN) management, and the ability to delegate the management to other administrators across multiple servers. Containers configured with a GMSA can access external Active Directory Domain resources while carrying the identity configured with the GMSA. Learn more about configuring and using GMSA for Windows containers [here](/docs/tasks/configure-pod-container/configure-gmsa.md). 
+ +## Taints and Tolerations + +Users today will need to use some combination of taints and node selectors in order to keep Linux and Windows workloads on their respective OS-specific nodes. This will likely impose a burden only on Windows users. The recommended approach is outlined below, with one of its main goals being that this approach should not break compatibility for existing Linux workloads. + +### Ensuring OS-specific workloads land on the appropriate container host + +Users can ensure Windows containers can be scheduled on the appropriate host using Taints and Tolerations. All Kubernetes nodes today have the following default labels: + +* beta.kubernetes.io/os = [windows|linux] +* beta.kubernetes.io/arch = [amd64|arm64|...] + +If a Pod specification does not specify a nodeSelector like `"beta.kubernetes.io/os": windows`, it is possible the Pod can be scheduled on any host, Windows or Linux. This can be problematic since a Windows container can only run on Windows and a Linux container can only run on Linux. The best practice is to use a nodeSelector. + +However, we understand that in many cases users have a pre-existing large number of deployments for Linux containers, as well as an ecosystem of off-the-shelf configurations, such as community Helm charts, and programmatic Pod generation cases, such as with Operators. In those situations, you may be hesitant to make the configuration change to add nodeSelectors. The alternative is to use Taints. Because the kubelet can set Taints during registration, it could easily be modified to automatically add a taint when running on Windows only. + +For example: `--register-with-taints='os=Win1809:NoSchedule'` + +By adding a taint to all Windows nodes, nothing will be scheduled on them (that includes existing Linux Pods). In order for a Windows Pod to be scheduled on a Windows node, it would need both the nodeSelector to choose Windows, and the appropriate matching toleration. 
+ +```yaml +nodeSelector: + "beta.kubernetes.io/os": windows +tolerations: + - key: "os" + operator: "Equal" + value: "Win1809" + effect: "NoSchedule" ``` -Where $SUBNET is the subnet that was used in the previous ```docker network create``` command. -For a complete guide on Google Cloud Platform (GCP), namely Google Compute Engine (GCE) visit [this](https://github.com/apprenda/kubernetes-ovn-heterogeneous-cluster#heterogeneous-kubernetes-cluster-on-top-of-ovn). +# Getting Help and Troubleshooting {#troubleshooting} + +Your main source of help for troubleshooting your Kubernetes cluster should start with this [section](/docs/tasks/debug-application-cluster/troubleshooting/). Some additional, Windows-specific troubleshooting help is included in this section. Logs are an important element of troubleshooting issues in Kubernetes. Make sure to include them any time you seek troubleshooting assistance from other contributors. Follow the instructions in the SIG-Windows [contributing guide on gathering logs](https://github.com/kubernetes/community/blob/master/sig-windows/CONTRIBUTING.md#gathering-logs). + +1. How do I know start.ps1 completed successfully? + + You should see kubelet, kube-proxy, and (if you chose Flannel as your networking solution) flanneld host-agent processes running on your node, with running logs being displayed in separate PowerShell windows. In addition to this, your Windows node should be listed as "Ready" in your Kubernetes cluster. + +1. Can I configure the Kubernetes node processes to run in the background as services? + + Kubelet and kube-proxy are already configured to run as native Windows Services, offering resiliency by re-starting the services automatically in the event of failure (for example a process crash). You have two options for configuring these node components as services. + + 1. As native Windows Services + + Kubelet & kube-proxy can be run as native Windows Services using `sc.exe`. 
+ + ```powershell + # Create the services for kubelet and kube-proxy in two separate commands + sc.exe create binPath= " --service " + + # Please note that if the arguments contain spaces, they must be escaped. + sc.exe create kubelet binPath= "C:\kubelet.exe --service --hostname-override 'minion' " + + # Start the services + Start-Service kubelet + Start-Service kube-proxy -For a complete guide on Amazon Web Services (AWS) visit [this](https://github.com/justeat/kubernetes-windows-aws-ovs#kubernetes-on-windows-in-aws-using-ovn). + # Stop the service + Stop-Service kubelet (-Force) + Stop-Service kube-proxy (-Force) + + # Query the service status + Get-Service kubelet + Get-Service kube-proxy + ``` -## Starting the Cluster -To start your cluster, you'll need to start both the Linux-based Kubernetes control plane, and the Windows Server-based Kubernetes node components (kubelet and kube-proxy). For the OVS & OVN only the kubelet is required. + 1. Using nssm.exe -## Starting the Linux-based Control Plane -Use your preferred method to start Kubernetes cluster on Linux. Please note that Cluster CIDR might need to be updated. + You can also always use alternative service managers like [nssm.exe](https://nssm.cc/) to run these processes (flanneld, kubelet & kube-proxy) in the background for you. You can use this [sample script](https://github.com/Microsoft/SDN/tree/master/Kubernetes/flannel/register-svc.ps1), leveraging nssm.exe to register kubelet, kube-proxy, and flanneld.exe to run as Windows services in the background. + + ```powershell + register-svc.ps1 -NetworkMode -ManagementIP -ClusterCIDR -KubeDnsServiceIP -LogDir + + # NetworkMode = The network mode l2bridge (flannel host-gw, also the default value) or overlay (flannel vxlan) chosen as a network solution + # ManagementIP = The IP address assigned to the Windows node. You can use ipconfig to find this + # ClusterCIDR = The cluster subnet range. 
(Default value 10.244.0.0/16) + # KubeDnsServiceIP = The Kubernetes DNS service IP (Default value 10.96.0.10) + # LogDir = The directory where kubelet and kube-proxy logs are redirected into their respective output files (Default value C:\k) + ``` + + If the above referenced script is not suitable, you can manually configure nssm.exe using the following examples. + ```powershell + # Register flanneld.exe + nssm install flanneld C:\flannel\flanneld.exe + nssm set flanneld AppParameters --kubeconfig-file=c:\k\config --iface= --ip-masq=1 --kube-subnet-mgr=1 + nssm set flanneld AppEnvironmentExtra NODE_NAME= + nssm set flanneld AppDirectory C:\flannel + nssm start flanneld + + # Register kubelet.exe + nssm install kubelet C:\k\kubelet.exe + nssm set kubelet AppParameters --hostname-override= --v=6 --pod-infra-container-image=kubeletwin/pause --resolv-conf="" --allow-privileged=true --enable-debugging-handlers --cluster-dns= --cluster-domain=cluster.local --kubeconfig=c:\k\config --hairpin-mode=promiscuous-bridge --image-pull-progress-deadline=20m --cgroups-per-qos=false --log-dir= --logtostderr=false --enforce-node-allocatable="" --network-plugin=cni --cni-bin-dir=c:\k\cni --cni-conf-dir=c:\k\cni\config + nssm set kubelet AppDirectory C:\k + nssm start kubelet + + # Register kube-proxy.exe (l2bridge / host-gw) + nssm install kube-proxy C:\k\kube-proxy.exe + nssm set kube-proxy AppDirectory c:\k + nssm set kube-proxy AppParameters --v=4 --proxy-mode=kernelspace --hostname-override=--kubeconfig=c:\k\config --enable-dsr=false --log-dir= --logtostderr=false + nssm.exe set kube-proxy AppEnvironmentExtra KUBE_NETWORK=cbr0 + nssm set kube-proxy DependOnService kubelet + nssm start kube-proxy + + # Register kube-proxy.exe (overlay / vxlan) + nssm install kube-proxy C:\k\kube-proxy.exe + nssm set kube-proxy AppDirectory c:\k + nssm set kube-proxy AppParameters --v=4 --proxy-mode=kernelspace --feature-gates="WinOverlay=true" --hostname-override= --kubeconfig=c:\k\config 
--network-name=vxlan0 --source-vip= --enable-dsr=false --log-dir= --logtostderr=false + nssm set kube-proxy DependOnService kubelet + nssm start kube-proxy + ``` + + + For initial troubleshooting, you can use the following flags in [nssm.exe](https://nssm.cc/) to redirect stdout and stderr to a output file: -## Support for kubeadm join + ```powershell + nssm set AppStdout C:\k\mysvc.log + nssm set AppStderr C:\k\mysvc.log + ``` -If your cluster has been created by [kubeadm](https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/), -and your networking is setup correctly using one of the methods listed above (networking is setup outside of kubeadm), you can use kubeadm to add a Windows node to your cluster. At a high level, you first have to initialize the master with kubeadm (Linux), then set up the CNI based networking (outside of kubeadm), and finally start joining Windows or Linux worker nodes to the cluster. For additional documentation and reference material, visit the kubeadm link above. + For additional details, see official [nssm usage](https://nssm.cc/usage) docs. -The kubeadm binary can be found at [Kubernetes Releases](https://github.com/kubernetes/kubernetes/releases), inside the node binaries archive. Adding a Windows node is not any different than adding a Linux node: +1. My Windows Pods do not have network connectivity -`kubeadm.exe join --token : --discovery-token-ca-cert-hash sha256:` + If you are using virtual machines, ensure that MAC spoofing is enabled on all the VM network adapter(s). -See [joining-your-nodes](https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/#joining-your-nodes) for more details. +1. My Windows Pods cannot ping external resources -## Supported Features + Windows Pods do not have outbound rules programmed for the ICMP protocol today. However, TCP/UDP is supported. 
When trying to demonstrate connectivity to resources outside of the cluster, please substitute `ping ` with corresponding `curl ` commands. -The examples listed below assume running Windows nodes on Windows Server 1709. If you are running Windows Server 2016, the examples will need the image updated to specify `image: microsoft/windowsservercore:ltsc2016`. This is due to the requirement for container images to match the host operating system version when using process isolation. Not specifying a tag will implicitly use the `:latest` tag which can lead to surprising behaviors. Please consult with [https://hub.docker.com/r/microsoft/windowsservercore/](https://hub.docker.com/r/microsoft/windowsservercore/) for additional information on Windows Server Core image tagging. + If you are still facing problems, most likely your network configuration in [cni.conf](https://github.com/Microsoft/SDN/blob/master/Kubernetes/flannel/l2bridge/cni/config/cni.conf) deserves some extra attention. You can always edit this static file, the configuration will be applied to any newly created Kubernetes resources. -### Scheduling Pods on Windows -Because your cluster has both Linux and Windows nodes, you must explicitly set the `nodeSelector` constraint to be able to schedule pods to Windows nodes. You must set nodeSelector with the label `kubernetes.io/os` to the value `windows`; see the following example: + One of the Kubernetes networking requirements (see [Kubernetes model](/docs/concepts/cluster-administration/networking/)) is for cluster communication to occur without NAT internally. To honor this requirement, there is an [ExceptionList](https://github.com/Microsoft/SDN/blob/master/Kubernetes/flannel/l2bridge/cni/config/cni.conf#L20) for all the communication where we do not want outbound NAT to occur. However, this also means that you need to exclude the external IP you are trying to query from the ExceptionList. 
Only then will the traffic originating from your Windows pods be SNAT'ed correctly to receive a response from the outside world. In this regard, your ExceptionList in `cni.conf` should look as follows: -{{< codenew file="windows/simple-pod.yaml" >}} + ```conf + "ExceptionList": [ + "10.244.0.0/16", # Cluster subnet + "10.96.0.0/12", # Service subnet + "10.127.130.0/24" # Management (host) subnet + ] + ``` -{{< note >}} -This example assumes you are running on Windows Server 1709, so uses the image tag to support that. If you are on a different version, you will need to update the tag. For example, if on Windows Server 2016, update to use `"image": "microsoft/iis"` which will default to that OS version. -{{< /note >}} +1. My Windows node cannot access NodePort service -### Secrets and ConfigMaps -Secrets and ConfigMaps can be utilized in Windows Server Containers, but must be used as environment variables. See limitations section below for additional details. + Local NodePort access from the node itself will fail. This is a known limitation. NodePort access will work from other nodes or external clients. -**Examples:** +1. vNICs and HNS endpoints of containers are being deleted -Windows pod with secrets mapped to environment variables + This issue can be caused when the `hostname-override` parameter is not passed to [kube-proxy](/docs/reference/command-line-tools-reference/kube-proxy/). To resolve it, users need to pass the hostname to kube-proxy as follows: -{{< codenew file="windows/secret-pod.yaml" >}} + ```powershell + C:\k\kube-proxy.exe --hostname-override=$(hostname) + ``` -Windows Pod with configMap values mapped to environment variables +1. With flannel my nodes are having issues after rejoining a cluster -{{< codenew file="windows/configmap-pod.yaml" >}} + Whenever a previously deleted node is being re-joined to the cluster, flannelD will try to assign a new pod subnet to the node. 
Users should remove the old pod subnet configuration files in the following paths: -### Volumes -Some supported Volume Mounts are local, emptyDir, hostPath. One thing to remember is that paths must either be escaped, or use forward slashes, for example `mountPath: "C:\\etc\\foo"` or `mountPath: "C:/etc/foo"`. + ```powershell + Remove-Item C:\k\SourceVip.json + Remove-Item C:\k\SourceVipRequest.json + ``` -Persistent Volume Claims are supported for supported volume types. +1. After launching `start.ps1`, flanneld is stuck in "Waiting for the Network to be created" -**Examples:** + There are numerous reports of this [issue which are being investigated](https://github.com/coreos/flannel/issues/1066); most likely it is a timing issue for when the management IP of the flannel network is set. A workaround is to simply relaunch start.ps1 or relaunch it manually as follows: -Windows pod with a hostPath volume + ```powershell + PS C:> [Environment]::SetEnvironmentVariable("NODE_NAME", "") + PS C:> C:\flannel\flanneld.exe --kubeconfig-file=c:\k\config --iface= --ip-masq=1 --kube-subnet-mgr=1 + ``` -{{< codenew file="windows/hostpath-volume-pod.yaml" >}} +1. My Windows Pods cannot launch because of missing `/run/flannel/subnet.env` -Windows pod with multiple emptyDir volumes + This indicates that Flannel didn't launch correctly. You can either try to restart flanneld.exe or you can copy the files over manually from `/run/flannel/subnet.env` on the Kubernetes master to` C:\run\flannel\subnet.env` on the Windows worker node and modify the `FLANNEL_SUBNET` row to a different number. For example, if node subnet 10.244.4.1/24 is desired: -{{< codenew file="windows/emptydir-pod.yaml" >}} + ```env + FLANNEL_NETWORK=10.244.0.0/16 + FLANNEL_SUBNET=10.244.4.1/24 + FLANNEL_MTU=1500 + FLANNEL_IPMASQ=true + ``` -### DaemonSets +1. 
My Windows node cannot access my services using the service IP -DaemonSets are supported + This is a known limitation of the current networking stack on Windows. Windows Pods are able to access the service IP however. -{{< codenew file="windows/daemonset.yaml" >}} +1. No network adapter is found when starting kubelet -### Metrics + The Windows networking stack needs a virtual adapter for Kubernetes networking to work. If the following commands return no results (in an admin shell), virtual network creation — a necessary prerequisite for Kubelet to work — has failed: -Windows Stats use a hybrid model: pod and container level stats come from CRI (via dockershim), while node level stats come from the "winstats" package that exports cadvisor like data structures using windows specific perf counters from the node. + ```powershell + Get-HnsNetwork | ? Name -ieq "cbr0" + Get-NetAdapter | ? Name -Like "vEthernet (Ethernet*" + ``` -### Container Resources + Often it is worthwhile to modify the [InterfaceName](https://github.com/Microsoft/SDN/blob/master/Kubernetes/flannel/l2bridge/start.ps1#L6) parameter of the start.ps1 script, in cases where the host's network adapter isn't "Ethernet". Otherwise, consult the output of the `start-kubelet.ps1` script to see if there are errors during virtual network creation. -Container resources (CPU and memory) could be set now for windows containers in v1.10. +1. My Pods are stuck at "Container Creating" or restarting over and over -{{< codenew file="windows/deploy-resource.yaml" >}} + Check that your pause image is compatible with your OS version. The [instructions](https://docs.microsoft.com/en-us/virtualization/windowscontainers/kubernetes/deploying-resources) assume that both the OS and the containers are version 1803. If you have a later version of Windows, such as an Insider build, you will need to adjust the images accordingly. Please refer to the Microsoft's [Docker repository](https://hub.docker.com/u/microsoft/) for images. 
Regardless, both the pause image Dockerfile and the sample service will expect the image to be tagged as :latest. -### Hyper-V Containers +## Further investigation -Hyper-V containers are supported as experimental in v1.10. To create a Hyper-V container, kubelet should be started with feature gates `HyperVContainer=true` and Pod should include annotation `experimental.windows.kubernetes.io/isolation-type=hyperv`. +Check the DNS limitations for Windows in this [section](#dns-limitations). -{{< codenew file="windows/deploy-hyperv.yaml" >}} +If these steps don't resolve your problem, you can get help running Windows containers on Windows nodes in Kubernetes through: -### Kubelet and kube-proxy can now run as Windows services +* StackOverflow [Windows Server Container](https://stackoverflow.com/questions/tagged/windows-server-container) topic +* Kubernetes Official Forum [discuss.kubernetes.io](https://discuss.kubernetes.io/) +* Kubernetes Slack [#SIG-Windows Channel](https://kubernetes.slack.com/messages/sig-windows) -Starting with kubernetes v1.11, kubelet and kube-proxy can run as Windows services. +## Reporting Issues and Feature Requests -This means that you can now register them as Windows services via `sc` command. More details about how to create Windows services with `sc` can be found [here](https://support.microsoft.com/en-us/help/251192/how-to-create-a-windows-service-by-using-sc-exe). +If you have what looks like a bug, or you would like to make a feature request, please use the [Github issue tracking system](https://github.com/kubernetes/kubernetes/issues). You can open issues on [GitHub](https://github.com/kubernetes/kubernetes/issues/new/choose) and assign them to SIG-Windows. You should first search the list of issues in case it was reported previously and comment with your experience on the issue and add additional logs. SIG-Windows Slack is also a great avenue to get some initial support and troubleshooting ideas prior to creating a ticket. 
-**Examples:** +If filing a bug, please include detailed information about how to reproduce the problem, such as: -To create the service: -``` -PS > sc.exe create binPath= " --windows-service " -CMD > sc create binPath= " --windows-service " -``` -Please note that if the arguments contain spaces, it must be escaped. Example: -``` -PS > sc.exe create kubelet binPath= "C:\kubelet.exe --windows-service --hostname-override 'minion' " -CMD > sc create kubelet binPath= "C:\kubelet.exe --windows-service --hostname-override 'minion' " -``` -To start the service: -``` -PS > Start-Service kubelet; Start-Service kube-proxy -CMD > net start kubelet && net start kube-proxy -``` -To stop the service: -``` -PS > Stop-Service kubelet (-Force); Stop-Service kube-proxy (-Force) -CMD > net stop kubelet && net stop kube-proxy -``` -To query the service: -``` -PS > Get-Service kubelet; Get-Service kube-proxy; -CMD > sc.exe queryex kubelet && sc qc kubelet && sc.exe queryex kube-proxy && sc.exe qc kube-proxy -``` +* Kubernetes version: kubectl version +* Environment details: Cloud provider, OS distro, networking choice and configuration, and Docker version +* Detailed steps to reproduce the problem +* [Relevant logs](https://github.com/kubernetes/community/blob/master/sig-windows/CONTRIBUTING.md#gathering-logs) +* Tag the issue sig/windows by commenting on the issue with `/sig windows` to bring it to a SIG-Windows member's attention + +# Roadmap + +We have a lot of features in our roadmap. An abbreviated high level list is included below, but we encourage you to view our [roadmap project](https://github.com/orgs/kubernetes/projects/8) and help us make Windows support better by [contributing](https://github.com/kubernetes/community/blob/master/sig-windows/). + +## CRI-ContainerD + +ContainerD is another OCI-compliant runtime that recently graduated as a CNCF project. It's currently tested on Linux, but 1.3 will bring support for Windows and Hyper-V. 
[[reference](https://blog.docker.com/2019/02/containerd-graduates-within-the-cncf/)] -## Known Limitations for Windows Server Containers with v1.9 +The CRI-ContainerD interface will be able to manage sandboxes based on Hyper-V. This provides a foundation where RuntimeClasses could be implemented for new use cases including: -Some of these limitations will be addressed by the community in future releases of Kubernetes: +* Hypervisor-based isolation between pods for additional security +* Backwards compatibility allowing a node to run a newer Windows Server version without requiring containers to be rebuilt +* Specific CPU/NUMA settings for a pod +* Memory isolation and reservations -- Shared network namespace (compartment) with multiple Windows Server containers (shared kernel) per pod is only supported on Windows Server 1709 or later -- Using Secrets and ConfigMaps as volume mounts is not supported -- Mount propagation is not supported on Windows -- The StatefulSet functionality for stateful applications is not supported -- Horizontal Pod Autoscaling for Windows Server Container pods has not been verified to work end-to-end -- Hyper-V isolated containers are not supported. -- Windows container OS must match the Host OS. If it does not, the pod will get stuck in a crash loop. -- Under the networking models of L3 or Host GW, Kubernetes Services are inaccessible to Windows nodes due to a Windows issue. This is not an issue if using OVN/OVS for networking. -- Windows kubelet.exe may fail to start when running on Windows Server under VMware Fusion [issue 57110](https://github.com/kubernetes/kubernetes/pull/57124) -- Flannel and Weavenet are not yet supported -- Some .Net Core applications expect environment variables with a colon (`:`) in the name. Kubernetes currently does not allow this. 
Replace colon (`:`) with double underscore (`__`) as documented [here](https://docs.microsoft.com/en-us/aspnet/core/fundamentals/configuration/?tabs=basicconfiguration#configuration-by-environment). -- As cgroups are not supported on windows, kubelet.exe should be started with the following additional arguments `--cgroups-per-qos=false --enforce-node-allocatable=""` [issue 61716](https://github.com/kubernetes/kubernetes/issues/61716) +## Deployment with kubeadm and cluster API -## Next steps and resources +Kubeadm is becoming the de facto standard for users to deploy a Kubernetes cluster. Windows node support in kubeadm will come in a future release. We are also making investments in cluster API to ensure Windows nodes are properly provisioned. -- Support for Windows is in Beta as of v1.9 and your feedback is welcome. For information on getting involved, please head to [SIG-Windows](https://github.com/kubernetes/community/blob/master/sig-windows/README.md) -- Troubleshooting and Common Problems: [Link](https://docs.microsoft.com/en-us/virtualization/windowscontainers/kubernetes/common-problems) +## A few other big ticket items +### Beta support for Group Managed Service Accounts +### More CNIs +### More Storage Plugins 
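Review bot: The `ExceptionList` sample under "My Windows Pods cannot ping external resources" cannot be pasted into the file it tells readers to edit. `cni.conf` is JSON, and the sample annotates its entries with `# Cluster subnet`, `# Service subnet` and `# Management (host) subnet`; JSON has no comment syntax, so a reader who copies the block as shown ends up with a file that no longer parses. Suggest dropping the inline comments, naming the three ranges in the sentence above the block or in a short list below it, and tagging the fence `json` rather than `conf`. In the same entry, "you need to exclude the external IP you are trying to query from the ExceptionList" is easy to misread as an instruction to add the address to the list; wording such as "make sure the external IP is not covered by any range in the ExceptionList" says what is meant. Two smaller points in the added text: the "Container Creating" entry says the pause image Dockerfile and the sample service expect the image to be tagged `:latest`, while the same hunk removes the earlier warning that an implicit `:latest` tag "can lead to surprising behaviors", so the OS-version matching caveat should stay next to that sentence; and the three `###` headings under "A few other big ticket items" have no body, so either give each a sentence or turn them into a bullet list.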
 diff --git a/content/en/docs/getting-started-guides/windows/flannel-master-kubeclt-get-pods.png b/content/en/docs/getting-started-guides/windows/flannel-master-kubeclt-get-pods.png new file mode 100644 index 0000000000000000000000000000000000000000..73da333fcfcaae65b0ec6c81d1e43ac69d02d5b0 GIT binary patch literal 111844
za}N{VF4fPi#uw=GJot{*?6DuGIpC95B-o+z{%lCXRKyCD&=qtZpJn>)??=*pielrH4iW2( zVNA5$G|~u~d9|@<|E5K4Axf0^rmrICSH_@^FfF8!^0Y?EQnDz1A_xg z^GK&@G<+qoMUsQK(r;ELoo3s@pIK2e@aD}yEr@n6Z~jzpk^o)Y_SKQNyzaByENwtD zR*6xgdRH9Lkg1`FB0ekSgb*ZDPDO2X8wWT_Pcw_I-h_3LoTOj}QPTq4OE~)A1^kZl z$G5?vW}r=#)ub9Dj5%H7pMxBT&RU9nQ~(0Y%mB!@rwq%Z`jyET1DGG=pV4HU%#h>M z;F9bObg&cUScZ*rMU}249)!#+g!diNn55u+q_UJ;8i23-urkD=euD^1JsCXS;_+oO zh7>7Zty{>O_0WP~9=%5X^y-t9{T?{d-eX9FBI3XrbHj8-v<*Wg(fStPCcBUi}z?hhd;2y>#Q7&&uIhmq}aJe zf$mS#zF@I_)}kD=!_KlD9k=8&7b%cB2U(hqC-9Hs^Yjq|camO=Y@O-~$>}kX2RZcT zbkIMAuohgwaKb$qq*o8)jG=4m*Viz9+8H6Ppuom^5;B=RtrCSa3V*1c^hG5K{^sW# zP6Q*OOGrw2#=1BGcF5(M=^&H2ljNxDtGRiZcoyIWE|w@lY1tTkZaPN(!eeQO-BV3~ z7FD$%PNpDT$#U|<8S;C`D{o8_F^C7%MLmw+lbiOj7=pYU4>V22xPKNco6<81-F3A#@3>VUU7@V z<#)k@d!)MDAHUFC5eo&6oyMw|7|zp8b-5bH#yze4!*^#9aH--YCp=2tdnj}*V1U_eOKxN)5D01Q##k%^u=!naD!dt8xu}bxxOQGi zegoBGdg@C9XJWM5SuELYc4URg zOUtZ)#OSbvEl^1zE3cFD{k@jb{fJ<#PeYj?l%PiAltWKG|Hsz4wo<=$#N>%@Op4$O z&4Gu7M8^#`vR|&;g>~q8iL{jdC0cIo$U!F8j|aLT;*Im}QGzk{_fncB_2$sG)P}yV z$3O`=E;jw$k?4V9Zx?0T{%8th7Jcr$?;#UU!;bvMO!&2{Zrf)7N>VCv#L0~&Bsx3v zl%q}k)xdQ-zt~!WmN+S&VtoJ?R^^D4zGoYi`zp_@+doQhpO`1fx(r(aJGptUZ2dNr zm!aJUBuFda?6Sv;?N+(|7dl6ET*}>*0_f>{^(iE2*f3lF$AE_v-B)pXO1~RY5cyMB z>;8a6cesVS=jX*>^2)0Rt3Gx=Y|8bG2082JezSv0%-yqHol`>d?vom-{`Ul$jWZ_B`}(Lw%5M`~T4OjzO9P z?Y8zzPixw?ZQHhOPusR_+cu{4v~AnAJ>5_9^t&TY#NOZjPUMfO9~GGqbyr1JR<3I; zR~MqV#gTk1x^6a39^{1x;OCXV-gVdM#dP21QR}XQ?daru44oEHtzPp_srz=^E+4t5 zpVuR%$JnM)Os3P1$%60eyB{ykUhF8*jgClq3!&P##RhPj-VOC~O^h033sjk^O0^a< za0716)R(3VGEs}_r83HRz1Kd{4esxa5jXrjc(7NoEHSx# zI@xYW`rZq&ryVXo@ia&=IM5>8-XX5FyB4OnxqRcldUOyl=3oC!_!&X~RhZAxD&$CV zQ={o+-mP0WUWED}vR<_1Z`K^{PN3*T1qA$!w;3rCR#BR;LT6778|P*g=0}imEM zunz8iU71TmD3yO8ZN zXZJ`Y+=C`!ndIw^R^rH)Wiz-r+NT6v4fvcbJWGm|-4&p15^o&w7avre>J`<4IJ8cC zHq%YuZ^=ui3Rzw+(?92*dCQ25oRN_H85^j`pXQ1mdZDiD&(vt+dW1v)*QrAFI_Lfz zTH5FeB~Iq}%a#5pxL0GBJHMMbu8}&db`j=GlZC+ zMQs06tW$Ms+T2Kl@eO5ehMT(lXD%qg6j*8azBaYIaR>}I!o4z&vU*U^35bvLQ0M&; 
z;B{PlM%g_fQ)H?sG_X6E)2qj+mcql5KA7nle6oDL|5Brj%tvAOvJtv3fu+x*{4kI> z8Ps+!kiclBSzaZSt$_wk-&Zi1D}eoA&xIXle}Y=a6@e0o;PklE+& zb+#vlFYcni%8Cl4CL5!_#@ufeBow~3S1G@MdfRDfk}RZCBS~{fr$zbvrHKx^EVmVs z51SELULW_lVYZ&6a7Ho4`J6Mz#v3~NgIEWp>ML4QQwxUsM6Xo;wSOy(^b^rsNi<+J zOlJ5;x9E9|hC0SbfLG8|ZfO2#!^;?UYtg~kNPS~@gog`+6G1LvWV7tm0E^2nG_;kQ zX#lnffhcs4I=wnA(1ihn?$d@L?r?pgt!x%*%G9M4;g2Z-DG*Kn7|OZcYm*u9rA7OJ zRJS2+*c9j0D0|6h6nB(KuQRwAp$f?Jc(7vQqiC>e`*+}bEm*eIAwOglX$ZR;h5ObJ z2uktK!@T07<8e=E{`B0B4KSE~2@WBT-c zk^_6+GKe(1Nxp{K2wn`Bf&Edcn@yBl$K!-2XE5YQAvwyx07qO0v<4x2#nV#PnWrU8 zJzXF|h~#-2<-W=^OLeJ`BN=f7<4uxR)ZG#zRDV|xIvmrbkU~Mwlfnoo7eiA+#1HfR z8y4E6Idqsd@*0{qa>p6Z7)OB5L;E977wY<|a#nGU`vT$e$+W@2Dkl8(W60w=^{1Rt zROE4;qK?y^vnDhW8)OVsfiA*;#O1gt2>#06mk?&=Nb~S#7=*vm-pq+_}qU@Be>?v z9X|9PZV^jv<}d<4qju+ZKYVC60~MfrXIIiS2S}<6W&rkxJH*$Skee0fGA|Hvo5HwW78tBviiR0LNNm6KdwQFEy5GKeWRyi< z-)=O14E2BaMP~!L_-S}+)`Ge7Gr%+Wi|xR%skI=hv>{E*J6jrCyv>aXgbuWpt8b0f z{=X($f$s_Te>VdP$ZVF-0|mO|i~l?W|Nl(~7IHN3Vd*ych;jV?aY;5S$O%bhix6U{ ze?7})`@N!wPYXy#T#JEt2u|T^b>8?N&w|Xk@iN|9h{;P|Y+TlmZ(?R^1usGekpoRESR%U~9_?%EUD-!JsOgKi_CcMrYE&x~iWN8~{u-KXvDHi6jLQPh72WO~=f zMIej0nBz=;|+HH&_p%H>$peB*JFjSI1Y;y|N!Y z!1wn@3OvbZefKpffiSN2p!RLGq?O7Ddx$jh0*}`G{FX+05ZcRun)xT?L{$AEHb&T= z0lm+hfDU$A)7B3K%H#R*ied8&v>4aS>Wl6{p+bQ2pur;q^F2^lUHF5=o%^94eR&!5-rv7y+TEE7Un31UEPK^i;r`@S z{Kbli5fc+R6E+)@yF7;%)6_r^azZz>&8G)(J~7wq+%>a^cSjL0mE9)X*v;6(~M?QAsvb&Cd`IH`IbrO%8NJK`D~T^M;!)-SQ?4h(jh^ z`-u0wWJveiITb!)`t3fs6lXU^S04|U7|&l^^3RiUYp=jp!OM5cmk<#G5~kp@B9Q#O zb|2P^(9p6YLONo2WTPC6XGS|ubxJ;MeSbA8`okZ)CsF^V-8$5#UtK+%!cX2f^F-ge z2{&a~H&G#q)_?nleh!9P+4X2FSR7$PQp&`N2#f3cIH z?|u;fp+F0Ku&6~3gU$@LVx+1@W3^f0@Gjm`)~*SX!VWIaXNk`9!dBW>Nyl;q-NL^T zO`_rOvd3EHreY^zW;|-~s;4N&-7)k>kE?~hE9{MX~bz?PRySoZ3#t`wX zL>CC9z4Hxv%#*RVxvBGj@Ybh8)gRy87*3(`FGF((=+h=sDuyc_8$S#FiiFqg^_pn? 
z52yiPLL~TA{w+kJzL65khFfhoV2EdEDyVGMDwfUq@idLDsHhZ~vrV2;v4F^GLAdQn z0C%yh`b(@*o*b@5w{7_h5dn=u7F&If{RZtogEt>~bTH@ZfyP#MJ;Ev$w_jdw%jFfE z?zB#&c!RqBu7te)E^zyK9*|*g4B#t4%~Aqu58x$qm8A`@}O9KW+H3qo0SUN7HYKi}$8ChW|u6UKfJ= zQc^?#C3KubdEa|AeNX*FKPonMkUFN29MyG4p2y4m)xO%$lz;f(!U1sj#aDixeGGUv zw41sU&mNtaR%SnK-EBta7c{g$KJR2l6(2Br-#LQk_PEnI>B3FZfTeZT)ggT9Szt%s zBPKIED&iddx}v%?K7nuL91-;!eN1S0>1#z!`07x7X<7^}#iPexbk_&y5Q+k8kDihkuoFZR{hk>=)-vSd#)<_)?rxxBK+bH8D0q+a1Wl01 zQ$mwACWL^&(}*6L@egP6iY+?VF9cF%{QIFceJNJ`SGNBJnpC>YTR3REB z|2(~^Ib+5?ZiN{oMZR}w9m;8IT5k=jPd0YrR@3YE{@dmbx9kdc$xRh;~*Ve-Q}*Mpc?^brM{;+J%u+z z61?hP8W;JP&fRQ1d@TRZVBnQF@v8~I#^Oe(G%Pp3>z?y<-B+C8ke-A{;43t7yi*AH z`;*>hdH)f4T8t%A;r1l0#KRg@N?(`deIDKLNZv`|VTQk;sU8LU0_Ty>ca1(iB_#x# zx%k+>Wy{>I`hJ$J#}&9A`G#(YBIR8s_;M6!L<7WGf}rQc??tvpWx2gZyL7iJ%K|T4 z5KnBmA+qU#Jpy5rKZqyH!8~nvV{K@G%67lrd;B8}Ge_wCMP_iOWD?&7XW|RoR-U{- zHs5g1wi*uj36T1cJMpFS;3&ghNDR`z?+Eq$JO4f@&X8etGub(Js!gLAh>WvZzuh&R zH>=LlJF67js@6$mc*Jp{D9sW6f-%NeP*!|(%gLX3diJI~u!nsKzw`NKZecgHA)O=Q zm)J%uM?d(0bYYcmZ`hgvW+<(Z(u}psb%Xq1@7e31WRSoDuhYH9=G4IgAB=CAg(8h+)8Ir+&A(<;JTdQ zFxqCIY9e>!#JDH!@sU8LYkZE6e}KKHwG~Gn*S2@Dn&7mbIKEP$0827mx@Uhd9`D8O zX?@$si*?sHX2BOUmP0D4+6Lmo;w)Yk3LrGJ+hjv$laAC15Ww46VU$ zJCKUxdq>OeQ0sU3Z0Pd6koA9hnLCrv?*!pL+CQ%@Ve=6PElBWWy^Qq{ZGR7ZIgiE@af9g8@!{i{SJH@m-k=0 z2Spr@hpi{qqZ&nwh{59I+UTf6uLjOYS{AgT)>eR6(a19sNiPK7Vr_d==%?f7V^27X zaFvoh;w|KK1M=}ePX{XO(nW(Wzn=tV6d)Z&hj~Y!)C+wJ+^Du#Ovf{-cH038XR$dv;|jCRPzMJVHT;nq*RX zY#$P6s( z3N2(Kl{jLc)&3(X1NOgyw&_sED7C_xP0j_wf0Wi;|gqxP-)F2PQ+nlf6ALa9OC4 zK35IzRPc2Dc(F2jgme|@p`yD{l*|k!lO4=k@r7Nqa|WB-Qm#Z@yb##1f)ElL5f)s! zS$-Y@z)?%I1}@ButkW^~LP4s(A_p&NQm4fhnZdK9`HSYjB$`}wovCS>Q8oNl3vy&J zCw48*Oegb}N#{}lIweoU2l3&En9}w^im=cjnY>vP3bXKb;HbtCeX1C42E0%(HT9N- z`K4cW$Ked+mSc}k&%y^MVd01w7>KJAyQCkd#T)gJrA=er;LJ#Gh?^7LwQi5BhL05H zL4~|cvW=Wzm}rJXIf>sfEv~Hl(YUK4qQaZ}oIGd^$YqA}EmRRd>%-f;LW%4X?M)O? 
zZsQeRg5$)3$q2Vk5-=UH&e&p%e02LbSd_^T~=GY*OK?#e8ztk}lbg|D)PcGUzX^^|(R5#=~m%-RLW(Tehr5jnJ~h(tys zLgLd=2TwbozCkrc^DHD>A~L>8na=!y;SEJq-0G-Z~ zP!Az$G@RUq(Rx9<*o?9Jt&K}~-%$v!vJ4wV z3@1lmz7#hEHVNj*nO)}1F^@Q{-G~6yFYY+ue}jn2iRAO5AwSIDD(aF}o5#@?aaZO^SR+-J6}=m#B)xD`#B3kOV%nMGp;XxUkK)E{!|0vN z(S#0?7`>#J0zVEAQICU;5nQ8r;&kZHK|=xEIiWM*g)*8xw+!p0GNShBaESj=y$UL3 zVDMWpF&QUAQfLLWZaZ7Fj;e6O<%K>u_lqAF-c+%kuHWIQJ)p=iUX1{(1YvC3e9`{u z?L@Te(Z2U5F}QBqjN15N_UN=C15p;2I@g+x9&WcBG)=m#U)aISpl^7RWyhBKW;e$q zV&{pwUEp(dJ}OAWbM1NAySJC6aBOb-vKKXi@5+^ZbY4;_5tDL*%N3|mN+9edg3t>6f*SA(=KvjSM-{2-xcmtV5Fx8swL<=VX^D4eGIWouryS) z++8qu-`Jv`XvK5}#NHjB(Vn!v%3L`;Y!=|8Xp8~$h{CQ9U7B);~v>5@VgOPGdir$?Z@(Lqg zP`E~FDR8hz9A-pPKka~^u&jn6!r&&LbZo zY1+cY^0gI~e@|eST$_Qsw9$^%;{%nP$no?23y;K4<~PknAERZ7KXltC@GabA`^yKD zq{E=*1y%uPJTW}}x#!02UaXkx+h2oavfn=KkcV{L*loD<2Lp9*`*|Bw#fEZkbNY<@ zWXO$X7k6YSOmw(WN=3rE;${Iv72?JC|m?bb9+$Qy71#Md7_u>IOJwVc0RC+ zi%Z)rv|qB?BEP~b!dcLS)SIw-JbY+xdQjN6b7Mpo$c>c-H&8S#F(P+iO0fEf%M2^S z6LI&TLx$l62Wn=7Y9mJMtb#jF#jBMs(_l8;j&NAnIvidS(cv9!N8l5$gE0vEgj#*>3dzYF z0uXb9?{z_0YXY&jluC(YWQS?9FHpS@SoX0%|J{UqjCxw&Bk)S(xS$VDP4q=>kQr^Y z5IJXf{FRHbei_un__O2ReqO0O?`k%e2ID@w(9Zia9oLN+1g7Kkz#Fn^1uCY%4e=r$ zjkuIX#8QfA*b(pjrpL7~0!m5Oo~2aO-lvNVyC&5Z=Q|c76Jk9aCAfs#i0Y)zZd-q1 zAy%fGsnl@XsWBeA3oSscNF;3AEpbQR2GZVEGt2&VfNZ39;8d8K1ac8lCQ^74fEZ5W z0}YlvBTF`OZqwRYRIBjLiG_?pljaou0~0OhUDh_c};dl z2b%lzv%La`j9X3psa-p^N32Kl%?G;e&0i#2ncUrIF$~b z7tZ13qy-CpIzAy-BLs0c*Y_G$Fg*G$gv*0UN%?@`D-$F46oQCBA;v%7$;+y(`5~&e zex)_(7V|R(eDVFlxap5h7=Ym3r~r=d;QinGVolY}>jyKS)&uq&9=HE_CZH~i;qB$# zfS8ZkL2ghNXg=BrJ~C=DRHmq|#s@1XNQsf88a5?wEn1a3qC(@tgSh%{Pi)eg2GMX` zW>Up^2#wBsz!b#zz&+A*2xrLC`uK@Fm$qeK)(6MV*ZoJ7-L#-m1>#sF+gO^BkSh(* ztChX`2ivNSxO<_KkUMTx*qxvk#!?$<$LjSOdVyf}0fXe4x<75+wIjQ#!zD-io7?_B zGcu#UuF!Cftn8~4eC)LYWgD{QOB#FF>JtOq^7R!Oai+RRw(3-f$XOsYE$LS&MHo#(C%+D`^@>KfvoKzK*;G3!7oJRD5Sf(73 zHHr`>J$MMIQN;PZAw)Y{rt!e}pPEOpzcaM!t_6n(;f)}AHe=TBJ=txnB&t$sx0|iM zWogzU5H~j|lZ_}#vJ6e+3k;h(s>Tv^A8O20%RI54Xd4Qz19Eo{1$j_dlh;bQ{GZrwj_yy$?sj!Q6Qxs!W5+|mAERN5_Z8A1s5S$F 
zVV+7>J3fEEH>O{tXx!4Esj#sY_&LISP`H?@zc~6h&bBzrW-4lG1lndjXBvu)t!U+e z!+tB9Hf&EfsOnv*S9%7?G*CJWS(f&u9Czuon8+8n#LeRXcei%!gPj@j;l%~xnJ%N?Bkl4z85Qi`7iQ9Sf>1NHp89c_!XNie2~)vNWxP&p<)JChD9n24}ZH0b_cCAZB!}f>cj3B7v0I? z*_NxA4Mb=E7-<6*hM@h(R7oc{IS4UBdnhkQtRX#m*;lXf56dgb_}A7JvpG&0-7EPL z{qL3Py$T7C6w0-S*ibJ5d30n@0t~@U@^p|PhWqe>zlY~u$~k%4mYkcNKcSaQ3)RV0 zncN@C5*91TRXvD{&!=lj(;OtEPCo2JX?RGG(;o}#;SUizdY3!T`z?!#ZJcpiAD})zy-HFb|KJ;nbuW4_aH4)z1%Ezr@3l7^_`(a zya>6wGwN)D8~bju`S<_}{38#7ibqA7{2DjZ-`%=M0F9Au%sQS< z>_}hiSNC=5b@SCGWZx;u(LAIm4kl1lhc!rtygP%Hag@88k;YUe-3RhdGd7amZm8BehP-AlK!% zhB5_}1yZz*`ckBkw@yO!~TGfNs;&O9XfAy<%DF-NY!-MYGM z!-V$PKjevcuUVR|y7yu1$|Xb`X->E>=V$Gs{f=pM#9zX;W0y;y@=u708I(iH=msZLSjt?lMeo=ZcxqSs zIJOx;uD-eV_w0GRpDi$b+Y%F-ocZnk+q6OiY|%IqDU4xn&qIV|gU5ODbo~C@ii=1ysaNotj$a zDwUojmo_$F;V!9J>+TTd@Kcg3($s5SSY%pZ8#q#@*B>W-&1}2<&`{O2@^iDz;_hNM zEf+R3FrQaUpwcJ`6f+*-QA9?LNa^g%CsX`NH}@7RqQ{aQL}H|ZD$jRT;DTB3%H!_Z zGMNb;$-j`B*Zs-TgC*x*q{o z<^fR^bbfed7`0K0fg#Md_|2=q9E}t73})TbPE=NsF`8Ts5X8X&DP$j}X0kBYF^|bS ze)j=cfHcA^*?732xC z#@X76&9nx`b{xn?}{>jm=W@{rdHZ~cD)lD z1M^Y=6|(498dp_TwnM>Ivp89;rfsHJmq)((OJn{3W+QH}c!~&Vq>!OaXG36v-q$Zn z;-w5Nz80DKOIuNG16*JJC!%vD-deV{DV!X&OPZZ~yA0w5k0x>vTYkgvirT<>>VUEV zDwJiZ;jRHGoCR^d>EZclB#+5#Pn&9d4MK0R&7AMr-PYsEgWoaUdMyG}uJGHRx5t~p znI`EtwCPu|*Gw$jVG1RB!}$RX7nlw9Oj14p5ls>Oi3HV^K&-Qej8}36~E1 z>Fd(!-RRi5ik5|;1i^9v>?G1L5?`xroW=#LlGnAe=0atIxw~7&bNL zOq8<#FJp4P`@^m^O$rB~TDYgApOXHjjmDhqfhiI&{abP=2NBRG97d?5`kVQeBx+)f z*3e_(#G0@_c4Z42_`!axM?wnrPMD*^Q730Q$3Ey{3;3fc(DfhJ7CP;3p~haZK{>$+hhc;3GbkVek@j}~rrc#8G zeOmTslZmv+YpZ=}nPp?)lQ)m-x#{V>{0TltWor-R;MXP#sxU;Uf!wu2GESv%S4B=) zFNp~^`XUdUT1E5hY_uFr`A}?E_%#k`2qiDj|JQ&pV!4vQRKAYTPW{S?0wS!asul6N zYxM{@jGoFo4cekE3Rlb0ZCnPZr^@;%1<7adMmAXX3_8$X%@^62 zBeO0ACM4Op$n${!tr#cN3oq2RJM5ne1j4k1<$t{*ce*U9OFFdTnwyCnKh!m$UXu+} z4Yi-QrF%W60E(+I41cmE&&O4%YJIJT^UE{aKxL*UDT3QOj4Mz6coh{7L1stgcN0be zK?G}95)Brf*fJ?vi$?2v*99EsfU5sis*H4jxXY2)-;h!NM!#}G zpgjKyg6JR%<&1n4J-8+d_Ac3nEWAYk?rUWypv;VZRR$Qlx__7~+zQFRBCS$ifVU(- 
zJ&}23PU{tl*(`-N-JW5?aP^DD#YA0IrL*?qrr!d{y8!xZ=?muZBi{QpCb4UTgJVqF z1TCAGYoz#4VIl%)O`BHKi$a@Xe!&p91oy4}ZC^fI>^l3FDo5Yn>`c4=z~yoW?@^$@ zpwv$bK6@BuN}1%hH!y=+zNs^dlEac9hhAsTT9vLZ-sRU$wUZUmyG4tjHGUB1qelOADHf24@^LNHnP84`uuJVy0Miat&+6 zV>7lOA}coxuJH2pD4m7vcR`CKjwuOkgN;?=?^Y6UtrD+j6pIu_>|`vw&fta0Fh=U> z9->zoqCRZ{)v!J+E~F^*IA@pviwNM&jfK`Weq_9ZYDqcUssYW6_|n}~G&4z|<-#~i zIM+z8B1UyhUxFC3W$Ud{#^Zt+#)u>vl_VSRURm% zARY#doB~jKts9KZi|k9xi{Kw{N$MC3O^>B=lvL4mx_9QJ$ zz7&-eLkn`cZAu{<23d&@ckl_P4pK5lI*nV5tsEC>&w~=3-7D+9Kc-CQ1RiQ*2fz?G zaz4ZtAD$GJ7V0qlkR?JHY}-r0hU7VEh< zb%>VDifB^~H8f~K%HrRe4j-zmDFC02xq{h7i)lzIHGC~W{;=fG=NFru%>LZ_J(*rc zZ))NbHcw-O3W=4z^b3olDv}Ue&1Wsk#D)EvQh)9U4oSGdliTz}6Qk_4Cy6G;mNz|8>+-(q6pmz z1)hP)1f>SlafANlp7=<}D&o@tbGrUsyys&kSU{U&Hv01f_w`+FE*iuuCUFMtSs%}q z1UDchq7iv+LUjThmEzzdU(p9+U8L3lIx3gmnDmS`yOF5WIDYW_Hy7RRwcNHg0lYW3 z-ah4EvW5oEoXw#>GD zyxxzvo`9E`<^5BKTr}JUCW95S$@epuXes?*mn60O!8U{pFRJ>p5O13HB@4MLutPwW ze*a6BHDJVJ7FFY(mCd^qpWc>#ue-8<1Yi5>9)hF}NU6r#2vYDPJ)u(UkW9Dxm~j1$UU+uwJE0(zJ~A{Nwa|8Z)bJ7MFx{s8u$Ln_&oG^ zAE}ONV@gHEzCr0fNhB-&E@_TDw)mdJMe1czz{Qi-BSdvfX2r}dcq{$w=@`hcdrRx; zk>!)T!_9X1gPTsgi)$Ck=1WJj&rd#zyhGt2yk%VM28*#72H_DF>8UmMqIhzDy@eG^ z7NfTbE5wK18Vpu5!sRJu52~k9o3FOhwsV@U1G!H0TE+k=tOb#|;(N8tcvoVy9l4`b zR(R~Q8!6A zPDd0zy{jL6PXZ#xZxABd{mB&iz4a!8%-F;@2*+R9e=XNCPwGcELsO#L2=0^dD{KXR zFXX{ya$-hs?(9<>NL=1)X}_=^Bt2w1AhYOLn+IM34q|$Y!D2VBtSfOJ5xTkJqa12Q?i4cN$@BWokYj$6qV$;HDOQPNLPU z$Vwx-;}E!3vbqwWEY3N<;V?qk*U-IMsB_2m^ql+qqIxzR!O&y?$nafm@MjBEkJKKQ zr)f>T+FbZH>f6C)+uBq$IjG>g>(D#B^7>zy7C&bWm2dmSd^gGn;{b zXC(e4N@t}24>Bj5?7c5MtLfpzd`gM=8*+dVF+<$-F2ba-;>>{f#So}u25+A~h(4_R z;8I#s(cluyY0F05Uw7K(hoZJ%$~rScuLaqTnc7~-%dXTJ2yOhkvQH5fMK3}vloY4Xo_S?>z1DkoFuSh10D2+?{_L{OhghhU2vI`RraZES4 zLnCHbCMh5l64$HKm1p^~lTwBVl4Y2EEg^`=JAaw9h#lA{tn$~NDL*kiK~i90%~i4L zPx!w?EG)n*b$nZEJ*WGuI+mh4Z$3k&j%kdxN0ac=?5@#Xk4*(~YD7E;7rY(9uhcSW zPi%+C@l&~dsLxt$Ylc5z#9ZMJu78r1a-pMbxKQvnKzA%(6u2Se8=D}>y^)r*4N*5I z^s+wJhxTo~+oN)NPe3b@W8J6{#;`DlEOo=agde|S9n+$BCBDx-rx8+23^&=-c5_j+ 
zXu_29wIFgsxAoDo#dAHXnnS{Q*1#_m^c@&nmG_p_P2yTE5qmwen?L7KhYD$xsS}m; zN#uEl84(;;7w|!Mu-gep2E#dQI~7!b(yF4yvc1@8V>(IQH1F5U;&|iYv*oB++fgW=L92NwN zqTea!Wbhl$XFUj>{n6lQ=-_$KpnFj zucM)Ix=ZoF`M!}-F%>186w>pz8CsfJ!@Sb_zMXk06a&YKy${vg**4DM?D}i_(NJ36 zYy-Kt>3T*X0f-2U^5bxRL07C;vw6(P+B;9psFSNa-(vvxP&+7tyricdqeofm9iId^u8V5cZ%XoYhUxw)FU zvDqcUc3Zql?t%wDyYum_+fJeOE>KLM03(!gg_(c9pHkxe(UhlkD23}H z5U+)YSS zJJQ4`Cc|zEw&24w@3OKo{$1h!-m+nSa{HKKS3;*xUp^%1Qhm`8+nXXF0P!<2=~L_a z;YQ0uLIqhFQY)yb8+svu{0*UU0t3X3YW(0rhHyKQ8F2TSeR})8nh+c=E~*0_S(xl`5pa zQ}nsx&=&STl<-g>L}>5_7Kc}#NSX5zD#P<9Yq}WFK@BW_8!Z*gOlnQ`a_RpIC&44M zSA64mh9m?M{ok7We~tlBSU=SROQNtqJ#PQ|82|HJmym#ZT9=U6kN*E*P)+_FYYS~^OePv= z=J3^tQapT?uL3UMcIfi{zGUZ6os#5=4S&*05&K;^=hwol|Nv?imw{%?E}3i#Efc$ngM5Ym*blWLpZhbn6v`Y`t6D zdCs%iw`cZ7X&JLPBr#ggqP1_)G%zLlljg5y&u8`wepg0I;^P$a+TlE5S0Hn zQLxtf&AZMarZ2bumVe*R8?|H%^om9o{jFe;KW|R(Z>yw#N~L293K>|M4(-U9hX`PJ z(axioK6x;{yy%YFI?QPOz*1MM8Or0I5Ogi+EZSVb(64@y)w#2Zme@TO0ZO~?e-Jfg z%;b*Ny_}<}*eM#FTnJ+Peb?kkH@JReT%`d=>G}f2`)UOtlq6<+uMDdv6GL;&33LhY zt5ARu6Im4DdAVf5SlJ5e!LRId^N`c3&n&lB+^b(p__`i=IpZSWxa%)K7gnWX`n)j% z9N>Z}rSb(f1?&NI-3)nddv7%+Jx*mMhkYJ===iv238gPX7-wz83KU3)4BfG6b$#&B z266jN=G=m5wsbrS$`n8|C zqj9Ie7vFR#{dhP*a?P3|XCU!Jqp@eoKcVV)zJAA=suwnOn7Q7Y9#X$z1Q0gb_6~-$ z?#BL}j+A9(NVe`b&a`R8bZ6RL3NdSZ zcGNxr4X9@*Pc&kbNDI<^%T&-=3`}i_eKcTh4ur7k4H2Q|A#HHf*~H&nb=NYw;<$FY zmw7EzWWsNz1LdlL!ZOtJV?@z$!!jwwf+y(ISz} zf!W%dQOryW>DuP>Pb4SyTx6-%OpONdK?bSXKxE>IccFU8(~*M>_yJ0>q+qqkfbaXu z&QD$DnUQL?9fbyPqD9js7S}+|blYz>B46{$?3l)(OFI^P>=R231luiFD#QS zv!EIJ_@bAPilMjBYOGSb%88VJW*jX}->g4hC6i>HXDKxj(U?NvU@$U1#5Xskd8*v{ z_A>2^2pIt@#lQF)p{r-gYibw^pzQg3L6rYHwl`gY+44Vjw`fY=dFoH5tL`}_@<>vK$6z1V%{v=SvVr%)T8YDP8 zAi|5J@23#N!?j}dQZynF(0PVI&&-Fd?U4IeS0U7H=^HU+XVi!1+TIjGIG_`$QKtVrpac>`5DJ=;1-m{Nk$;$7O`cv#VqntLiRso3C_k$o;^#| zQbyDr&AlO!h?*h)MvJV!C}7Z5ugth9^@Rl9V&eKUH4%W?j6;t3J*vD~n&{7jh9h|s zFlhwc3d~8PIni2LVdd9ZxZcoJ2^;4_$0QG{4*RjP9618DwXvj1JXWdmJXHyj_ad^j z$ylt24T^r3xa%3&HbX!V6Y#(kfuU&NMgtg?mbQvac7%^{`;D;Erh0 
zg_C$-K_If?!NkEL*_PVTgEw@-3nL(+RNem-+r`%IzKZiWzia%t#_8wu9L!T&yOz>e zZ~1?{0Fdw5xuS>hMM$55XjQJB-zVbuAL8y?Sc_+PR4JmZ&J4Egk*Enpm0^ z7N_4vl)ZK;Hg}oJr)kqn)RI_Qad^b5O4{;rXZ)R{tCSk>KY4_2QAT(c?Hk4aSf|vY zUUK-0wX#Ji?$Zm|-WhD__9H2i`h9VX2!qkUniuu-u-9Hky`9Vc2qEz(iU&h`mB;q* zJS$a?l|@7s_jDPvh4*nerPeYu(XVo(Ch>HEsj|W}v#b`8_9-FZ2GfuD4K1Q1gyZfX zOK^bzgHbBfUNXlhMR;&danK2p?VNul=icC6N<=3l^aDsB9YeHzg}ps}VpL5nsK@Fv z*s)pT#Nv1SMJo5RFC1SI6U9V4zYQ#fm96P{R7n>ig$qhpEO4?uOcXN5zz<7@B;%tp(C{u=f?;_|hM=sZ|x(2MlOPPyadji zYI`}bJ&`EBsU+r9?tsW%e6DxO96rKhS%v(>jt+DvlLs8pq5HyUrOwD^)0E|4^Sr2^ zjvIv1Sd4%S02z5N%;9{BfO0Vp=ZMxo`=x}1Rm^|Ds9|m2PaBx>7e%)6+%XI1UJqDg#2KZ;6mob{R{T7D!odQi zN12`Q=HhGj7Cmo2=KwqmJ{}=?k1^e84d*OVUp<(LwDVJ z#!%5RjNt0NB;D)EdlK$p)6TN8f3NkrPkQ6Zd^Sd4FkI99(rv-vvBxjqDr0GNVoO&s znNpg;Sq4dMhxtcG-U}+ibCoRL^9hN9UFECqOnJa|U2&3k!wfrE!H zqOU^x(R1DJlSHYan}+WT{k86m@byY3Zz=r}4x7`0qKvi~j4jUfie)e=th{FUz8B%< zko}2c+91vR>G*D;1=}6|oegdeS*l3Me>c5js8x?Z_{%84vT9J>3U3&KTuWhjCfnef z#!m^~OLu$oGo*2lRYu#b`VI<9+B64+ksEQTQkUYpv-4ho8T(MZJeKdmg{QF*+z?qlk~NK3gJ%S2X+#8 zPW5M(ujGtdp1{lzQJ5I-n1|}79r*e`+wsMx`=ogw>JJ|^7pa%bm&WzF{VqgBMdRKn zVbZu-_q~c^M~~nS>vL)P>re!0I0@`!zU`W#YWnY#QD%o!DjNePY?)PcF!|NbUy`{x#X#YIj#eez=mk0oud zLh`1+qkZ8OG(k?pFlt^(Z8P@$@9*gwegYrmIp(}lqeIldF}Uo`Ut{@bP{9-XN3F0~ zv+&-%f5aA^KIy4Ei)WzL4aN9*S7OdJF8(IyO$8MdC#B7Z-LKt=O$V#6Engwc0}0oW z(U=(Lc!C1g{1bV2^@UGxoI6!EF33dCx72GN!9(gd@QHmHR8d1t4_BT>3Y^3^l)*X# zag&MPkPiew7h*vO7qMjaTr@fqp|@35@63Gu<9NMPII8GQHjYHZD{!rm(3Pw1G3Df%2llw?TPj%KH{ z+~hMgmr2+DJ=20Fvz^y+B-$WMyykw48#@L|hB$VNRW18baQv7Lt|z6x-d>;$g<{4^ z{F<_$E^06e!iTx()x?b+`?6(74{XHlKdmJWC$PSV_^Wjozw}RE|IPEQbeRI7QYIOqUPcdWvtM8#wAArnD@5OCB=v07eFhas7Vd)$*@-~*EqTI73 zso+Mz@RT5oA5@8VAEs&c<*PArWF)TYn@-EM_#j}0)mniQxwU8=M+>gdFeEa7VKE$j z#Y3Xn5W4YUJipaWYboC7ns;35{;+uu)_;76YZ52VpfVm&db}H+;feht_>eM8%+o6& z_=`rXmrVrbWa0Xdi zUw97t+K0ow7^>rx-9GHUzt(CgX~v5EOsccta=FJ zhX!L>?yI=(H@HXpA)fi|4jeD8=Rz+Sb02&S*IrkTY57O+tGB=JHBF^ldpj-}REP1$ z{)`nbZFApm=Ypx73m@rJ(^LX8Hv#rnT!*yu!N_YRcdV|Ju1%SohC%d&iQfMuKFD{R 
z+yo{JKY7;aEZ2F`{`ZKeflkw|J)|gmcVshOgV;o;Tkz;EQ4*V z!LJ@D#hSNv;HcL#>`^ax(i1ZKPWAC;H-*ei~ z7(N2SmpzEbmdwWHs+}k+^7u+#!oX_|ALp0p<6Iz_Op7SQcAJ^zpuQ?d+!d=a+?I!# zMO*O1%^#w0@J(2}WEiekd^>L4@fbcRO2P2O?CYYg`>HP}MCt$g0!0*HzP0xVwUb`t z@|C*Wlu7p%hIXeCDMxEU+|V5dnh5IJZZ`Qv}%=HK3o z#y@_74Eo^}@)=COcQxk6m14M)zbO<$Fmc&ZOka2j(hsf0t6S<&*+^wLJWldK6}WB` zxNh^{IwWKS);y@koi8~yS_DE0Dp(1N)?iiRKI9$$A2Rm?DBZ7T}axugcn;@#r zx4rb5q^L985nDWrx9)iv2df&8Cl*INEK>CCD_3F4u?O+uTW!**kR&%A`WvqM$@LhO zf0*>TiHl%I(S`<*XIzaQA1=nB*lLaP8r+ zdUx5lD-e>k9=aWWcGIhwRt(#J`!p)-dc#{Vug}AZ{SKU` z-u?{64x5d;pJ_&s(`OKIUCTJZTWn5ui<0$g@wZPESQizKxj*|qEUA1RTYm8JaTYR8 z>|8mE;Kd`N+Of3t75vxT+t5k@+#N5Do^daRg*9P#$#%SO--pPJnvayRsd(`Al~}&( zF=-?F+=dJ>aKk4X??3S(>^z~fM-1ZGW6w(D_>tWBn@PFwDgKh%it>67-P`RYIQ(Tf zj(;7%jrKFcYkStqi{UC-@o8q`>P5*2IPy7)vnh*-`KcW6CrufNL20UPc!mehaktEe zp)eEQJa#jlBY%lo@=J_OiNLK_&&IoXJE%BY(A&5OC+BYtzAxm)6|rR);Vn0=T88Nh zrn==ub(4o4J-t4Q?`S=VIa4q$upWgCv|4ex|0`0iL+a?ESpCpE4AH4zh}WQ+{0)U? zv2Suyr-eYT`P+yYwCpWL#Ao;59~0livdd;6n%2GkGVWZ`fa;njxfl!2fiXWHYd+i# zJAA6P*AAu;Evw3n`ths8jh)oA8?Qi&7*3bycbIP5UCR4Y0}w*v{u&7`&}pD z?z`>vY%d@G{`v%_rH#RWyjCPBnj~L}31bqGq^d&Z{#_7es)Cg$Xg;gtDW-a4DpCXX zpoR4wXT83~dgN!_yQnos<;IMjKEN%73+O`(&ZY@Qj-i#I#H)Xy% zjJy>yVTq1FVj^*^m?+_D%ggn_)mU1E9b10Dl6%Htbl4FJ$%amzVb@&>3k}7jv14I7 z@DFS`UVzLZ(spNNr->7gI4B6I5&8J;-`S|EX+sM)RusH8`=hPMeJ%~UL4}x*NMTK7 zOq4c#2{QKo8UM+sMQM|bQ6n3nsH}x@R3Z|2;!;I}$||R?q>+nK3r`<~`C=>Su+>jl zcGT$jSJ89`KkV6yEt~fttGO9Q;$L5%h&ok_cYRe3)L_zpFHlNrS2o+H zMQk!?wPP`9vJuDL*n|9xV$K5xsJp+}hq%i_keD_OGZZ_dc`P+gH<++qQW8>7dV@5x0sN#;U%5`XCbGYb=$1S zDXW2LNH~Jbu}J15C?_A$@BI)hJe@5uHKU#uufiC@SW}CgtoPQ-d74b$NuDc{XOJES zguv2NPUY6cGjfq%T7saQ5x62UN^&c)*pd;f9p}b1kM0339wcyW7#@b1S5Ckb)gBz6 zxuC>fiG!kPKR$hT1CAUoJS|+U1_w@m*vID)HJaANW3lRO7W_~($+|x@jO01R*sT- zJ~Ooj*`?L6r&6g84=3MOkncN6ZRRdCXMBQ>vzk#uG7QjjGgsdL^|)jVpot}zIig85 z5fjpFDE{IgijN(4^X&t>4#6~TpbxH|^F*%>^~Kx9ACQ-si>wN&C4P7#9xS%qj1Fk@*N>6PP`=8K<hy3zf?~!qlCR%H}w*!q0joi5A=5;5$IMa1wO9skI^YGpqpWzry znOmDHnT9YDwdz5f2MR}8FW0r_=v74bHMjLtgcw0`}a*P4M2tML0QsQ%mbw 
zAvdherM_~bxR`QdxLa>@g^b$v`$61O^+ffORm%jb}CJ6p{a+(^t#ie0HMXIlBpVg2JSi26DLTvPmS5PUzAC!yYlu1magn^&+1FmQe)3Dzp)}hB(qe3BMF9C*(4cghYC3NgX5?XHiKnuf z^T(ANIq4A`n`n=?#&NNx;5P0|2|j$ZRIC$ zoSQ9*7!6{raooIAp)BJVvMTG5-AiRz>bUctcB>V}=2mEij>Cu)&S&wxFz*s_gSxHg ziFXl}AdST*P|<96#Iaypgf>0{JMmZZIf!TAD#pedw3X$8(^e`rwq-Cg!W}oSbb`kQ zXehf9iJt;C;ujKcAm4W4%Gd+`xOV7_tD(+b`OMUGu@JegdG6xe{PDxpbsskkT1hkB z^lEOdhd7B9w6EdjvG}tSXG3EXR4FtOCVz`}-megS4R%%Lc=eZYTFN+a^4VEj4&OVw z_~a$y!p(uGj~v993!@QP59LlN5wNb8u8iz7<<=~n9`xWTGZ55a`JEiQ6v^$(~!davAR2I&DaG#5h z;c2rlAk>Jk)=KQ$bqofv*yXU#=)%Vv*D1@0>q0+V$#E^!2#cWUZ8TA-;3;0>0^E52 zJfx+@LVV>YnJ7Jal;(Kg>o)9 zs-$tzD#ZRhKKqNqWY*QC-tY|9J>9?3uS^{V?T8!k;1ic3nE{ftt|KG*XKLCq(Oi_* zeHESlO5fk)%P@R=8Xoy>^#aS9YFaj!P61c3 z>*+MTreb_5C^&m@k{2Zcf)Ws(b`w@VJ{PgXM~V+9?xLx=u90TnRMyW}VW2TZ0;x41 z2Fcf~gqkK8iwU=<_~A-Lwx>lAHXPxpv+?kng_4Zpv}EzZRhYE*v@+*)iU87O>b1E2 zfjJmEBnrVU=F5!+rIoHp-v+vdhy~U2A-R+ zY9wa(VCBb)Yn(MU)WgI-cX}ZEag^sA#~Y7+andIH^98CY^Dr#gj`3|f@c15Xp!x8* z{@n8mqi=SGwy)j$3SRsu3zeEw%)aYctQs>5k-NWwmM5IOS-zcLhxc0^{a9P9!3Yc;gWIW@*eTC?7L2by3`p+7g^Gac z=GV%xcGQ{aTH3*z%V&D`1}+2K1Yv(b>7W5 zgrt=w`C`rA8@CaAFL{P{tDU`9C?XlyCjvJ;xD3JH{|+DR&2#6jRm}YvZkcGu!r0F4 z?Cv{}Qfwd=Tt5$^2Po0{@niV8%Ws`0bRn~D!<&n|xsbE2q$!9^O2@hx_wx(K#$avs z+gSN-z9X-98(nR@aQ%V4y$5Q&=N;dZwneM~5pscU<2^22;_3|c<VU%opYi7_V@Vhr#Z+Lf`ie~MI4Q1=QW?Ybw&@`7dzkfB2sHRP38aZWfXPbXTG@h zq)OK{_WC2JJ&=Kih0tPg$T{)MoI%w1yn0s{Um`FSH?6!9am8;VW6N>;zYV2Q6(aaz z+K70pne1DmuZ*Kr0%hk-Pe00-4TCXr_!dca`rgsaCodV-Oj%d)GS?LaPKz4%ZC(f!ExlPee6So`~U8t4YIeZ#l7X3dXr{al9646kKStp48X zKImWKWW-MP$PH!n0o3Jq$&Ef};a~2j}F`SK`+=g@Fie;F{9i#y#cHz}xJN+{EBe2PY%-pN7aK;#H zD&9}?tZqEQ7@R~{Mz?lz(C3YUFzFS44uyq2fMw+f&TYYBn&{FZ##zKd#DX8T>_Plo zo_Njs5$>$3!;x2tQNloB9hR#?*wJL00ft!&lCReHCz>!dS|R1KbXF?8m@O8Xi#H&W zQOc7;%F##%SJ$bZbb*~pyLBf{WG~0$ph1{4bvWKUdceC1&wFmnpN~cC@LKf+sNMM% zUK{)iT)Fgi448BRc>7&!F6W}Xy_#0B)u^pk;nGo45WIgsA27{V2hGE(8yKK1=rG## zj?^SwjbF=?wMjQG$GFNp*pZu$&1D7;uEB%5$5pD7G(g%iI38+O%}~jpGTc&zqdAS3 
zKWiZ-Zmma9MXAT{*89$~qo^*AM=|}O7hIEqy_?JF=T7ScsjoL9C~K7Z`!2~77^i~^oep0Zav`&v~QhhkILeQm7D#|A3SeeK^YAhWj@gDeJzGw#H~ zNuyEHdK4|ij>Ww_bWuSj3V->8JKN90&NvpL4 zs#irYqZGu(1|ggQk!s3vXd*6n%NQi4jKg(HheM-q9ia-J(TNy2oTttQzs5T+?)T82 z(-p<-@6JF&CZoa&SNaDP^|o(a45ZI-?V_Ddzm7+smVVw0)>ii|(+D=y@)?96FnAo6 zUpWeKAx9vxx}CAY*aKF}J{&voW6Vn(fgtkn_cM?8O>=ZXu=7vEsqCAgrRxqeWh7}} z%q~Z5rARMnk!Wbyj8RA*9YQfyT1ndU7WaNH=Z?op%@^N$M=@E+LA9j&`OHohf;{nV)KWfYr1Z+D91y4UC;s;~Z z@-c{Trb;^-eeAn7JaVJ@;8&Cz2Rw4aNEgOd#u4ZyPDfd~!J(x&c+_~PgY}3Liwfa$>dxa_hmwpE3>~UN;*fL+R|zcfkMQH< zwHZvB-NU^C_pSZvjmR∨>OilL4kia={yb2{cK~H6KS&9fQi4nowC*2Mq(qjUWxE z66w#IJP0w|co6=i{$meN(eHI&I_Z=Ciqsah!C^G9XLx|@Tojk+>60p+tpnF#LjpVE z%D@|^=9kX2G;Mm6XS3g-IQweiIWr_yio%j4YR`q)=JaqF(Hl?6q#24U(f zyDJxW5Tb%a9#^IoVh-{En+fR?TD@>>_sMx48aD_7*M%-wmXzb)X3>b7u zoowUgQ8NRe*pU)H65}U`9d_oiOip3cd7A#RPH&E7qF6@+!aPSO& zTt_j_uF>O&;Gg%~r>?X9LBuBzx!H$EIf;X4UgJYA!PT%a^@yN>b}C~gkvEreDJp6h zMliiyXj2GJR+-yVX`u^GyK}SjObtTB)u`o3b1{q~k`a;`K)&szQ2NY6`WXj>&{`;2 z%0rou9Ep?|`t)<7G;RC@80yMlrkpr)v@LSMx1xd@(or;Tk4&broG#MXP&RV|Ig&_u zHrzUwaRS9eO%sguoTJsgb5QtJ))i!lO8UvIy$Zggm zS0n`QqUa(L5E`8zrC3u8jz(%+D0wOUqSMA>Tw5)wxhC?>z1>Ac^4HxXz{v0IEfvUO z?2kE91|lq}1%o1YO1a1NOutyiOaM~62|=$B!GiL^^RP3X z;aC?_-uAKxxuFy%y55E9H8mP`Lh&tb^tEB`%wz% zD2xtu*T#i96Q&n_kG0S3L6i5cxVWU^7^*9WBeyyPspSW7h>>tBy{=Ix=+l;xhO2+M z3Jd6$s&QHLlKG9VA?H4lx}zdZ{rc9(NF!pyPrUy@?N~TgQ-wz>#*;u?I>8Y06$)} zh-Q}bTQ_9jt+iWWyQZDy@UHy99GjUzl@uBbT)GyIF7?CdUoP`|$M+JhS6v0`wSKtr z6dXt1!sBoDJ{?u(K7fw)yz@BQ?d8bY&i-V#AoY!v_}LUH_~J6|rlNWi);{woa=GxY zwTmdpGzVuyT2s3LYMwN?H=x9#lIG+sbVHCLXgivb{;l5mB?4;Fuyfif-14{x+0U>2 z@;GzFOd4UtZ37iAU*}e@n%Exudg8n7sLblRuVw6Osa-6%6EW?^`}qv%ALiD_Hw_p+O;4_9dZPR7KM05T)M*^L`>26FR8%qCi|;oc9a=?9aa% zBh8IxuV0Hb*N96Q~*ESt0pS1-8%*Spt2H2F5S zA~5$~xcm8yD63<{V=r8%E?R&^H@N!1S3i0YLCicn#obx28&2ab7enowcdZOTZsJ38 zciCNKC<7!8$C8KFfZ40u8=h`@@#!o5T`ODg?#E;Cw>uuis>MQdk;Y9``0A}~D4K3X zqlBxdoYCj0n3@bqDHp3}RN@&Jq`6_TFpss=59d5&dLdU-W9e%@-Yb@sR{DVd@Q;@e z_sfU)%r3>#v!yE?|9JJa)zrD%u;Cg!DIPLqTvc(7o3_1b>E^Ac??(DAc+;!kw{~J} 
zCe5`G10#d07|pr($NQJyS>}hIHYW_zq%9bx@%#8VN{%-{J(X5jVj?LR-=Q-ZCwfx7 z8Jj-Yhu1zk=+iGN+bQ|a-?3%d8cdx%8TT)7{@jU-s~9mFG0bWHtEaB<$WMP>ENFuk zU2U8jy^0s&)2p-dLB+i5>C2zQ^7IhKI&ief{X{eDa(Jznqj_isW8bAAt-Ml_<2`I|>>ES+=}uDQ}%Zcwgs z&bj19MLqfDncW%a5si7)Z;P;U?Oew_5^wz{?s;n$TFBqza{eLEBmVZ^A7CeS2KO3C z%nP?%@RxByBA>gW2nh*c?^qa+MhFG1nj!S1{KPZ^welpFyQVq~Bf+};K)I0Pg51jJ zSq$FE(>O8lc^xBZYJ!*!N>n8dfL(=3rpWE+o!?RXq)@0B(}mabVxQ=-==U+os^H>^`Aw2q72|8_byfdhA;J<1II6N#&eCs)$$h3jrXEWB0R{Y?=p~JitxbjcT15p&52P)Ew7?(T9 zpY+Qq{^O6cAR#wyBEABnP78j)h(Fa^A5j{(0!t!86nd zAk%lyIxiRZC>cRjgiYo%lXwT;im1>6SDo6mD@TZ^w2SmK9IkX-yD}K8qGm zj_W$e4N*B|Ts!%ri?*fqPWF#i-vw=mx$UA?5io~qc!xY?-4gE=1S`=S=d7DwaSXgq z;1s~fYG!UiS;fX!mwmNzv%uoS$-jf0&{qdp-wD5RRpZ4oB%URBYk+uABCCL7&buz{ zPp@tn*J*kzL60uK^q~lgpMamg^CL7oy&AhRtC%<3f2H6VnXsr*X_&&zXR^9}7Yd-* z;Gwd`uN+kG`b~cA8UYvm`LB@#FLtbJ1Gvr*aZe=q%gFfwf)_KAse``=%MH#Gu1UmN z*Gk1%%)6fQ3=!*5~rH`+pVB{#V1O*3?l z+$b!pqOW&!{6NV^oJDX5G5|Vhar3oD#gz|{^1hFX*l};`Rb7b-uE+S1 zVVGdtjeqQ50(ztWq!cGl+(4j%bx+47I?%JRi2!KgubY~gGg2rIbWd{@_D|&Wb$#S( zZ~NwTYoEUr3o@(Gw|}A$DIgbLeV;XhKT#=Z4IK`kPxS0o%X*6^eFmC8tK_g5DNqPdH1BRhOW&Fy~o)z z+V{Sr3mm*J;d?tDs73tweSgXyJHy!zw+{S_&xI+RPf|S3$mc>n7hxuC@SeQl0@A;* zzHaF_4M3g6QMkdT7)bMNZU)s0<%B1GEiDdSrC?gW!0=E+E1OZvAYeRvb`}S&C!<2a zw@n_jJ|Q4tMg4E_jeXk6?~Im)vOZlN+Gi(0R#?w))Q6ITzoZ zq4nFj7>eAc8-X74H-DMsCl@-%ICl$Y_l-w!KD+Inv)0t1%<&o#hat>qnv~9b%Bo7V zW@muu72PSQ&ROT=hGhg~1Y`vK5peo{mFZLH)0=?Ak@Wuxbt%rN2u%osDfq~SZC!8!ln2z`5$Hy4FtQ)QyyQkjbAKO<+&>wC{)2$W zRJ;H5>5TRyYT{KGK8Japg;SmI*Z$XLeEZ%uY!|zAa*+{`5s(q+rw9yQ{yQw2G8l_} zgE&a}t~alJ!jbdR=j64Y4n*#jjDU=QjDU>5SwTR^jjN^(#-dR^!GC1AaaPcm8@Uh> zxabsT$ybt5v1#?lLNi4({k+8Ah4^&kG06zX2wX4-2;X%TeJjhMcPb$Tc`(oreZOwC2wa;KI# zy-NG$Zl<CXD5k^WYTCzXdMMIHOdh@?^)xxPpdaF%d&rOpaqBuD0Z z@uVW^Z;(s2kry$YL&g(inDiwfz0Xhkzs9lt@<< zz|1O+bXBqw&c#Ou@`(E@0!ocW^PAJ{oI(+Wkm#|v`T3VIU-1p|4z;4F--Ne6-OglarUZ+qDLi&|AW9dD2VWIUi94<${QE(Kq?#J@0 zFTu~ROvceI84!Uf&uv=vE@AAuAC%0GJ7_t6_T&S&bLH*$$qhH)2L4^1q{pC;K6>WF zb;Z?F&oHjchaNl%%b$G_3nETnLRdBS7WW-YeOr^rbv^_){PuZVK3a=O%47YwuYEgm 
zxi%Sr3k`u;_x}}FPffy=$yNB~c*BJ@Jb65)g#dF%bIr5(XHVklA779A=LX}%_DnSK zBub9Mb6UX4H_Hh083KKD;;euoK*fb<2y|Kzyr$3kcivT`i%h_vN%Jwf`D<)HQ44+Z zMHJ?ihmk^g)>+grsQbzbKnbNL5L#U@bZUT2^q->UiF058f^{17ACh+{Su=k$8Sx=n zgt^gbMNRf`l$3+Z1SG@4Y* zxN;)Gnhv6JZ!@-*IO=LE%tvLVUrq~kC^XSyuz3DRgjtGVX{y6F8;_!1&6e);INWkPpW0Ayr93vBGw<7zS zjVP>bMY&JD(;ikVUnV1Po*Zf4qlcy=X?Qv&Cwl6Xa-e5@jc+q9vUP+9g424ZP=q5iCIO=_odL39xLGmt z!J{<`yT3buN_{gL`&~vACD&0w2n-HJ2)MRTP*$B566e>=9p-|y6;>bFeSVEc?yU;} z&ssAoEC4CWa{Tb`-6%Af;hjaZvvr2GwH8geJMrbw23V}_6`rf&v;Nvgit}0TcfV~= z7ePin@5i{h;y5x(n=UTJx!*pOi=|^K1So@O{V@fXU$q!1p@9fDJD7|r*oLz0Dr6Xn zaiYFO+P$_1P$;WI5FIrVQ!l#$qnOt*#km-)(HuioVY{z_r=W>p;AmX2Bo+Ag+cpzcOvPEK;@v9F-qncrVZ$(J+$7AMHyp9v zzi~mK3y(u^{TAdNIfP?Ead!VMHuC}zGIS2+ESrh60XBq{Z^7{`C(tA*&h86)`Gy;W zQNs{B_A*?3^K1;L`wAP|EvOQTv$H03Xe<(^UxyW!2f}2r(rv|qQQe+0WMs7X;@Zm| zoc+tivQ3Ggh*20YoEsrG%td0Wg=U0Qp1D6JXzO6*0ep9?9Mx?m`DEnmKOniqvxI=i z$}wQV6_}G2j3jq<9~~^&Cg{s@uqWpSGz!lT&y;ufOhLt2ojeDlqDoOxSB%46N_JRc zDuzy7jK$+zmj^(k;k6`{qp0==n8>r5O|IYM*PbCj#W{8)reA+MmW0)#)xZr?Vk*?o zU|SN*C3QH;Mf=evKCpgM1mVzxzd?_N8Vf27EwGT7&b_K|b^rA`P>Am<8~cUgbav3VfLfvZol+ZyxUiv^bj9@;oTS8zup?;w?0Z!C zDbCu^k%%8M2J^3*i4b7>>+DWee6FtQvk$SG>@7? 
diff --git a/content/en/docs/getting-started-guides/windows/flannel-master-kubectl-get-ds.png b/content/en/docs/getting-started-guides/windows/flannel-master-kubectl-get-ds.png new file mode 100644 index 0000000000000000000000000000000000000000..cda93533164cad8c145cdf8877940bc375d165ba GIT binary patch literal 25610
zKI_bP3Cmdj(P3i2TmP36p01mEVSH*EN=XQ`2FWeJfNE@+>XzaBL}gK})p_Zz=%c|x z)kA+$3L6j*hNUWspc;z$*O_A^R!HFhw9X3h?)X<5B@PqW80={)r z1*Ga)Y#P)qK>fE%D1b_!oVIj=u50|M%7~r76DG@X&-@>Wy#iyCpL{zD_T4JHV)And z=Cp5X!-hvhE$d6RU(2>gkcP1t`FmB*m41b4!WQVt1HCl)Wb6 zLwC0x{2khhoZ`1b);?1?aX4Z_K9@^^FXYj5v{Zw96%UF3rXdG8;eo6Vae#kY-!*NN z*bWNFt><>k9~MP6+urL`HdqWRvp{wl-g}3JKoaw5V6YBVo*H8hJGOcJU(VNBV>Hkq zAy8?7yu-pB_+iJlq{hc&gA@3Gwpxss=8~CRv;Fo{KMrBX!><>T7dh?A_{B=T(_s|u zHb^A?VY3dzJXC{)T>bLoYjR_A^QIvVL{UYgMW5_DR%5*5%#Q*q<#|^Lw{hn1YKM3? z^Sdq`WOquDV?#rh)NlHmy@e(Q!ZhgQ#;YNh@Nca5O9<@E`MHATvj=Jc2dN?t<;*ib7=(K(nMR)1FfmIq<0Nw{w zzdsTH_JW7A_>X57Z~Yjt#JJC+vnjk+=qSfbar=IK2ZIEqxm^~HcOV<{e5f zC>8bPA@z-cUHXY#JX4?krWw)@5ZO4XnC;OiV}CcK7j*DAOOJDw^E0`n*_|H4ZFir^ zWd?JpD?O_CTYcwY2uO*s=d++$n-fMh zlRtZ11G8_Xn>xKKzOfJExUT26sU5rwIHAt!om03I7B&Zus5zxX+@#rQZ*XqTM&(wv zICr&%n$Y7t-4e9VZi zX0VqVo7TEQ28@mSi>bH?rKxH2&!nSe*@dKl2Sf^CMbh54ca6~5Jms@-E!)A|ivcHo z1`0Efo%L420Wok<1D<3IrDVTZfPY=^Ej)5QllMk+Qky1Sdqh7Co6AwEIcvu}L(UR> z7ekA?yu$J)drsIZyO3)2|x5xAurUW5&8Jc(E>D)JE)B zy{zqR8ZWCQk?{6UtfbPGzM@*vJ%>5d1t)1@YeHVXQnf-#m2H~VoZ>|KZ1t;ZkK+5u zts&tCS4XCgWOR(~(M({q_M9|$v^xkBI`=c#e?__5rBG!T(Q|Na-GgK`HAc7U)mtN5 zI@L2cx8#%KO`nNCv^GJs1$shdV<`<7cf+`LZqy}Wl{JBL_%&b26z{M_R8 zo_EpSt?ajZ3R+87{Sk$mW`!cz~A)h~*5GUY#tab&ywLgDIh@tU!}Dgq*kizQP& zVNPD{+a%*&kPc4H$doImdTr`Ld6>Odl5?@9+t{ib7S2`{0@BM}|H!#)Iw2)w z>g#k8;duPD(_aE!(hK)+dez(>FkTQ6uct8^vJk1&2ngONE&swHv7M5cU6Sud-o5XX zj|Ih3e{N+okOYaoeRQQU?~+k~;Gi6*Zp^kIFv|Zg`||FOy8f9z z#q(!!tq@Cf!S`<5;0#z&v#BPGNP%Rjv*(!Wt=?>tbFv%DxWwEJ!NER(3J>=7`QVAY z-H#TX9d|J-?pxYM>CB|$XUVz!^x<(Zp^Ln!=SAm;pD7$6+2d!%cO9D6)I#HmNmnhg z)k{s^7H#$tjt_R`YD^528RKU>i*G8bsR?r3`IwMO7G(S@|1c%Qvn=k(*wVvmVUBcn zyvrUn;hlU=Hc^5I7!DLqTYG$8D@+(^;P*fb+j$WJZ&bEA)ydo$b6g+hnCR!tEKn)zVz$0J8CCEbsvRp{ zt7n#~^*IhKS(|p8+>se3pVhg1n$X<+$UPyiVXQtfgPW1DZ+hUZ$b6((sa~ledMC#e<>N$Zl~6971qUzCMq5Kuo zj)w|bgmWgAi%Na#MS&RZiuA*BJg4}un#B@dZQ0f(apRn?Z_4E!xQrQbiZ6X>+~DLI z(`ngs=>}T=9bT!J~`9mkibPPLTGD< zm+0%27azS}D!vu8@_f;MKzL$TUTJy8Od+MT&Y+luVp8M2JzOR^%!xdpRxkIwHaq=kJ%!gV 
z{A#R#Bm_LH3{)$KN}k{Fx}}`MmHTIET_-BRr;p-M++qKjaGdc2@g5Od-CR`qC%5Yo z|5&Geb?=^-D{gAIiS% z7%K_@Nk_SF9l0gqfhJb+s@4`ZeAWdRf=uIA+=BO(B@KEjC)4?bYvIcUp@t=5L5unlxaC1B z=y9}1aiS~hYdk!MBCJ|=L0GBIy_ue3-nPAklKp1w*e!NtQgAAhqt^LYqH)(O5>*ENV1|cXY=*vis zVa#=!1Ej1geD-?UCl$WU6dvubX41~kZoNr>3cU~ZwZz?u#@A4-8bAIp+%h(8k{fC( zNHr5FI9LW^)`Bsk`yBC2V&gwn_f($3qcP!{1P22Fuffx&b2JTdCdoH$XoO{4ioO4} zAnQ_2x#g>f37={`7HoCwFr$3%E|gT=u(O6HB)Bxxuoh0UHBr!Ih_wD(@l%k+fv1eg zjjBtJX%bh)wLCW<#&KoJQDwh{QNMjVPUCNm(F*DV5JboIz;cfCDCGdo?2(zhf zjC7RfyG5mF;^KRq#$)vz@Jfw8}G~qY-myfB~3hlf@OfsGB7-U6IRHfEc z>97Jtf|3wq^6;Dr4LX+G_@&dP0%G@T$y~urD>+X`kF%%f{>4`NNc5cy{X*WmmwU4F zqgx) zLQbTglI`+QoH5xD33AALOKT@f1v&2a7Y6KW)ga(Tui$4$7X`-`?>4$9$4d)zhzJs6 zURWdw9>$ll$Sb+EQ1VxljQSRPb3ey?+X*$iy<6ddxCUWZixB3$Cfbz916{8>*J=G7 z^1ZPIPT#yLj$Wi?z-4$_3J9>VB*hck zmGCslawTDUT+90OKFX~3g3ISP*(Gp&^zugA{O~Qy1iwVItt6;EDe&4nt48#I(;E==& zjN>?$q(~sfSW2vM*_4k$67Rjs(4{2F9U(aAoBf#`w^}{s+nltY^f1~hr@EVaak1o} z1|jpWbp5Bqn(U8;=>)-n9gV@Tvv{Wymw$fUVY01* za`H<@+r)Q|dne9V@_1!DeKx_E3w@Q0t+Ec7jgr%ZAYxO4WcS_c>wjDJC(~WC%zie^ zW6il=sQza{w#Q7V2Y1)8<~+x@SYE;FQj=3`xQYam7yVz^Px7M6NWNoNn|_#R;%AQf zj)bIM-+vL0Jz}5E&-w3{^lA}g)|&EW=PU@ZDsp#%1s}4WUpe9Y_trF4^92hbQdIV! 
zdz#*tIsL=TB`n`~kCZJ44hHHnXra*#f=KDu@6&%BLQya#YiZ6G&#Aa7+?06ao*MqX zPw-AcOUaAYz%hONo;`F6{Nx8wKju0MQZN1(vC~JVlJh4qRWY?^+SiJBj+C_vw$for zzv&R_Z8<)KT}tO~R+J1ccB&|pGB?MHghnWA&Scdoq3wa$`ZiK zNyp_@Bz7;|TNO>vl3bS+vB-a6Bw*HzpP`XVTzlg+pv^1)kvQlvWs-O?z2jFex!%Kk zV`^JX;*Q5N1rMIANG`Co4(p-Eq~(KyU5r$_ohH%?Ds)$3?p8UGWY{F1LZMh;%Z>n$ zkpM+OU21Vq(QHA^K7QPFVD#z6qc*w&JOZEmf5+R z-De+3iT8_#nkoMc_e96!^CQJxgzqk&i4(rr@)59%2c?9)-a!~;$*3ceVdEsXiNTDE zi`A-HNh9?7^2M|p9V3d-ZeGpA^SISg;^1D95-oHGMf=M*M~&>7O=w}|*#MVqD8I>n z#1+Y)k%C~r`&KaR}UL;QvpJ z7o}REp>Q!x?sF}>fS2w0B^tIGA54?>)q}KeJNv_MOb zfE{#G%d`;cY}pru8c65#tT$Yl_*i!MPKGy$xy;)=1J@W;kRCGSBkrS{EiEFUcWYj^R536Mdkd6JeP@ zx9lK46~fJECUigoVk$Qti>7AG?*!%YqA)DTQJj zMTxpN;x5sXNMy(QpN5tBTx>@z%xs1Fu7no;Tg5Q}8WA zFT!sVTfpuWo$7S@00~$7qGqvrmp&`j{g!a3tWCuyvEt9_PZjEEMC`2-^9BltkmKq7 zthTaHu5&ZuqO2VHphw^EcD~NfhMS=sRxS>%huXv2?0IPxBn_8(RR$`_O7Up7INPXU zt2eH>1$guHGz9ECP545-$=30SwC*cY9r2#Vw^uG?Pac1xVNpieX58SngBmbCquIsb zo`ej6p*93hyjZD|dhozvXyh>Nfz2bDfc*?@P?~T_8*mBn#Y=3zwLsr0t93f335|(# zm{SbiS(AY#`p7ZuG5?;i6#FTLq%tY~o50WXapu!ToheDIoy>7N6RA`_IGnM+`DUV1 z%~|46tvh{Xb+Jmn_r7}S*qT9Ph4{$tYI{_0uJ5^olCT~xWp#?}#M1bC*@0zRdm40i zVyd6_Q~616>-f*}UisofrD4C2Z+@|CzR=Gy|KrD3^E0d*n+@^nS4lEo@7hK;M9(|w z6V7=S(oDhUlQnv>QkF=aA3l#6_1wX4~x)i9bxU zY)vNzOUSWC(`BT4Yu^;FPzL`juIjpAhL=nqn1|I?gse%%|7rcSGMM!6Km?107nXWk z`-@q;ZZ-%TUGZm14speHv1`g}5)SA_?zDKd5GR);zN4Hn;I(2p*-1AU{42qTKA%79 z!L|L8=;cNxtp`!TV{GDGq;$31*wvJfIj{S~{-f7kDe+dX_4t&h$C1@#i4J_nDBs;f z<4EJLKOFbiJ7}rN4u*E`rs$}Cl;8Daq(Z|qSx>=B*1~0Oy*+*(MzTdbWdT-xF>~dC zxjt{LY^YhxXhZD^I3d8Qoqe%#l{Mo1rzoupL74Z04&>vnMR$sLhO5S(v))6vGXs*R+B@Bwrm{YJ&8BT!;KGkby}1) z+q3ts$S~lRGb8eBa+Wq6_WC%M`1VC};tYR-f7b}!G=^Np<+&o(metZG)za^(XYw>P zZoja#)TFc0WbO&GXa6zk)hDsAzWDo_%f+Ta8|&(|*y!KZ^)ZLErlyO1Itq;~Ty{lH zhF$bte@s~T^w~#A9UAwrqd?bi=fX0t%*cue!$4ITNgUqxgwg%9N)OKvzB8MvdY9K| zI-PTuon+Esi?kz9PSnVf{sbu2{=NGo7wEqqum8wNN+|4)UmBoeT_3!IfHIYBW8z#w zzDgQUtY9T?rF~?&$L7s0WHb!o6MWTd95#CA$IzH8?+N?i$1LVlq?>@HrfXJ+c9hhq zPl5~h8I^2ay0;pHBzoI}r>KjmUoYKR63~wo@VXmC@luvtFqPalK|03x_yIBJUNga< 
z^yN1tg%(G2wZm6wg`62CJSQ{(X|*ps{j;%=w?{deK-o#ShtwipqBs zdrNFcT!&9~TLXHKu(M`7(md?qz4hN7MIK7~+8vHm(pR!(4mWHf1a!D4-|Z^BUJ^>I zX&V{EV_DwcoGPIbb=o6U(2AX$J9U2LNO8sbSq*}+^Uk8v8^cTrB?YCVqwL%L zDW;PIi9Q0Rov1;!+YxncPNd_fhnUD1lzP6bPFgJ-K%pvww(dKV|I4_{%4HuCfo0+R zcQd?^bJccolP@Pr;_Fr?#r`ahPUsjoTbpsD&#snZkNukeL~7vfzDT`Sl-Y-govlTN z6MdYT+@_BjML$@4YBt~#m%FtcVp}Q}pkC@6Q?bm`jSe$URuI1$M$1)7*j_Kk_fro= z7w~(GFA(oO@`c#?`CN9nWVWfK=P63dAKYDV(1H85EP;pEh*%?QpOMH~Aja%ORvSsM zb!`^M({8`eyg1tbsfFw&YR0^9Z&<-GePWuk>CZX0o&rr*eWY`65Zb9NyE4}d<*TA@*>E49;2iE# zNE>vvVdv3lS!CBG6`l$q>A^1{aeumX@bMJ9omkJMg%Zoa+7%qO_&4J`@+ z9zI4(Y>(cz&)w^ndy#k3_a z(`#9hpClzuyAKbyJTT9l^P1e9Bi>r-Xjy%1xAey6=s|gvjflpxkEd=jF5IKD`jp%_ zW=@gsEOLEEg+1|V4iDHYChS9fP-ORQma>g8+@G9>U%H&E*RptY=GDy4YL8Wl zI1h-$Grp~A6cvsoc@13cNBib;PE)&D+fBPN(9rqE^d&k@{(8xb>#_P9n(JY{;?fx< zX`gj_v-0)hA1uly`m!+)@~D>gGcL8hqZnN)O`Sp8%ReM>N67iTrYciMh#fxbzg&ta zU!B6fk;gK*5WLdWzyErIUPzu88?71r9nR;G4~SpS*6geYN6f~uM>s+nN*W)0D!cD; zw`B+AksM1ti)j~$Rrq_G^~=fM`uUU(piuuVKTFK6LT8fH(mL;sD<++sm zYky_mh^uCd-bP-~a7IuMLk4Fd{wo%%5CsGS6fH0xVB6xn-ud@dLL8vzPi zGrb8t7l>Mo7I4vEJ|T%ar5QiLc9zXzYE&*mwGtqmv_vXoP=pz59X)lnB>J1>Q_;D;513!B*vHTeQU3fwEs#78g#8j|ma` zb2Us_A{QN(4oaJb?f(FfcAPyJ=8fwf+43(cLdgU;kaKV)zsLk!Ll(VoSo~hUS8L?E{(zBK3YvLF3ZQuCR zhC{)EJJ_ME3vJKMa-{?njVFH3H2W)q-6`;iH0&x*#W76g#yrZI-XhpEPbv_Sb?+v4 z>^|V(08qUN@Y)M@S|T|l_LU}qWz4OiL)r7m>cZQ~A+E9L{WS-|BOSfdSHE^lMlA;` zAMA22c_H5}yMUj6!m?l-X2fkvD%I6+D65h?$^Ur8&DFuGKw@6mX^pL`)X~F1%*NT)L7wYjtF`75>j838HCWH>*Vn_!C zV?HN5GuarB>E^CxeXeeh8FBfYL0!Fibr%cn;PTm}#k0BtdIFz^7ILphmHG?}=V1Fs z^G$uOH5b|)yP4qJf zZ8IsSA1XyB5yCh;+ai>U6;;W0DtDV-qU24win=KaT-@2=@{WCPuraPlokN?GbFP5q8YunpYvSG$^Px4SNm0M z5Ui_`No?GWRU?nNFKJ<@fa2 zMTD5yzscF-r1!*bXF{8^&(+96t!9Pq^p%F(wx1I|u;YYy;@TUITQw16SXM-=zz6wh zQ<21mLd?Mc@nq5Y1_&r<9fjD%Mi9wM36Me~(Dmnd!Cdjy7vav;XUkU#+EC?e_*KqrQQ5g;!nR>=CB4;GxdG)01{{neU%t3K>I@@TaE+n;j_wZ~ z`ihOHxlENoiTN==B=;b6mJ7%0$aBzEpX>(%%?+i7=OKb~Nv7?l0weEPNTjcW%&Fr2 zWxjd}MTI zxB4_#Sfu)=qlw=WD*QIge%Ij!Z|C(J8^d*74RP^;(T;}?I^r3^&&t%Hn~db%5kIFZ 
z#RY)R2&aNh)p>zk2Axr)H==%@)>K1FEMvE%l2TI!A`@V%r8NkBoVH&hvmL%>^Tp=* zHvN3l(ZEbh*$!P#hoaGt>hYt4;&S9rv-WZ*+XQ~G3}6=^D$a#aC5=@m&-lHoQ^LNC zI;8KtvBT^*mF*GTFjE4KYZ*%a0%)wj9{?ttG#5Q~#GlnFy?*|^m?OSHU#d#Hn$Kj$ zHw_|o!|L%5E<>Sar{H=)TYy{k@a1LEXrRTyY2cVoZ>Pu6r=8a7?y7ur}?9^+EebNid00 z{Vq}t+dAx#f8ewCl>w}$fnLO%y$B2%@RJO7+fZM=K%4?J_>UA1^mEcm4pCE#Bi~5) zn7OE0*w4##^)Z%#GoBVvHK&IVwOM#9w^8~<(k%qTlk+AbvNEr&_!#l0#|* z-oUQeBu}=p?Sf@Q4L)`BN>PLl{ZeiARldju9JJ=%ivz*XN{1IUV~Y?CrE3y<0Y(p4 zQ_v-X9EjgF%emi8FmLNg0;fJ6eR|<%_Jux^#nK;UH-CR!?w!peNH@`A1TH>aQKuwj z+tjR@pX@fA%#gDe(00c&)L?7?fQO2Dx|xacJ;*B#2Qn0RFH_MmjzdLN5tmY$_KHUV zuL8}<3HTp=pfC>Bf*G%1zc=zyN$fH-952TWk%$}Ya<7>bs)wFMzO!z7dpT$JS@vBT zxe=M+L75YeY0(S}o$iG%t}Bqf4YEYSi#tUz#58fdg*7fAg6haSm1ptf^7Qx7Atuc&(Fr4+{%r#t(g72^`8LUt4r1kXmHZHDW;+YKAtL(XYzQ|fG{~a zY6qzFC_RBz`BH$u1N{Up23Sz<=i(5~pU&Ghp@z4|dFnMP_l6ETcS=}g7`)3{utV;2 zs_nuXK7wBLT#4BxEln4k5zKsOp8@=QbxjSZRZSxMm?At3km&5?j~Bsa`uC=*tl2HK z1StP#wL&VJ(B4L{Ts~udcn+CJ+2Z(lRD6gc0Q(=#jS(~&~?;Y3P8`$^u zAk)gVV-b1*jN@w0gpY8a#a=L%20esC{OfObOR2c@c`Hcu&-7||8{qbp`;kOBV|Ec*M!YbV~23sza+?g#qSIhUWYd5&j0SMHY)R6&CAk#wT> zB*Z<>1gTLO@0XHe=KzuoG>uQMRmL@kT|XH~8fOqQ;WBJW0CYM47}zh*3Sqhp&e{0_ zh7girQD#0_NapA)_Hg+%1461=rU)N*f~`69e8N)BA9}c{ELSxU1trf#Gz=S4_Rl4V zjNZBTx@HP6+X$1AN)%oxhgDu(^zPqh@l0hoMJ1vD22CNe@#Oxts1Lt)^nORq|NTg& z;b@pKcR+gI$jUsn5bgico31Cy*R$huA3x{H&zhlNi`8VHKzJSU@Z^B1cohwgZ4AHb>w2lbuc3SO7-AeV4a90Q6v}v`ox7s#x;BV zy1z@Yz;`7~VVEcepG!*nYg=l;85w8E+Ew%A=2AiTtTzuCCELGh%m%c0EGp#X%mrpT> z$pZTd+|>ztI2Bdj4_;{hP7o`BP6q>+?aQLa5fQ2NS(!K%91NVm?Mb7+6m->qkNdO(caVq8 zsfuA1)(_a-YoUTWRH=wfSo$$Ok%vs5z@e}=AT>3V8UU4;9-q4JE$qiy2=m&8p;m%? 
zA?wSIgZL@$DbN3|<$Cr52xhXoT?B3oX8+`csKeF+>7?HQ)D3nvzo6tPuF;Qm2_}-O zce;_h!KaLHoViBTm@k!^9FlC~2g32^YDC@PVi93M7(hv|iWU`sEk_`8Ir`=^-M|$2 zr6He?$(br$IkboN`fz>ZY=g!67NZ(aWAIaO)OqwQ&xT?T;J-FAv!MKzI;iiOPoqS{xp)6k#^a)_O;R=DV36?&T-w*<2+e z`FQ-f+({w$!)2hHB2b=Z)>P>pF#<*_U`i#dn(SUe_|X;TNuSe%YuSQ@rlPZRAhjdYKjy;fWH#o6 zk{ju{K@!1zE&^@Qo@2+|zu&YPfaIJ^BgeS_tS)8cYMQBaGpwB&(4dh|I$JX)CO z#`PAtVosjaj6pm7_lV&SP;}@r*16uVM~C*2*7&eCwIR-U!iyJp;5W%ln!u;bfEjh; z2m|eX!5vircCo7i<9_TejS@LdgPL1nCDMJG#casa7qD&(qMt<~$bmPWe@so~FN8^l z#vAeH(oHrf%kyK%_}ZW$4|wA;w_vqm*`OQ)!_t5oadVfQ(~G^cx#>O?H+SFK$e!_J z-@x8tr7ei*Z2>4lVA#D9Q3R$c{*OvF+(im}U=ak7FM9|<@7THR@)ezvagikpUApEg zT^*XUY@>JNBb0DH6gS^ZMyK59tLH;$aks$e56vZR6la*17$d|^pNG&2t%|S+DV*sO zHj${lb{c)F(rxT8&c6-#TF~)scOn(Jj``n9YZUk8cnGP<|EfWLme;Vb^OtSA0xel{ zV7ysfpXbzxm5G8xHm~V&=O*b6jafGAX#z6i5k76B0`s2^C@)@x|1rog}i`z}VIy z8(~e>D+?3Q=ouRcw)&4t$Mj1YMR!I@K&JbXk)0BP-EcjyUZI+ipVx)f1#GvDP>unhWGnm`e=T& z{K=C7i2rsy2sR~2*vIMjfMeoWJX%7-4~7TqhIsEE%NN)P-<9m$%Rc41vEq6#Jw;`G zP$jCP__y?XzrQf)aFhc~ovQxo001uU&~JnJ2)w|zM5KhH^DXarb*lBKHT4*dbcX1o zo;!ez2Z*_5ugIAlW8n$<8ho3BEM`s0=1syAkAmfC8FvD3r+gp^A)ABuuF?Wwz9au0 z42ko2c1^vQ&&<9pY1g;`&JoFjYKd{@(s?%~Lf>VT8ZY#^Ss<|;uaX#IWZ){nJ#hbL zWB(&Dfj?ljp(ts6p@3J#Q3cZLT9^p@t(J(`S&hfL>0vrWKVoHK(vCwC^k0!ze`%hz zNzp@WEZt!SE*NhBbqW+;r&A64FWUWkVY&I7Vv%$9T$vPn z2+b7!&*$rLt92yD*0rc@;auAh>b)%D8s_hni0PK|{&Y^(<8@$d?heua9k?iK6f?6& zXdh;9FEX>FQRFqJ<5SBUHvR;RC|E4`hrL8*quA?L#Czx8z%*!nph~ zpA|nG_kW*H9TzZZ$yXmoTD9>2=5>@WPaA((va;y(;!eWo-5`v8p=6ZU9LR3q`z%u7 zWdWi`z0>E?ddHIOyQ_)&x$gNs^EGb{RI?tPzgtgE=vZUk-f)U05T;h#MjR#(wph;M z?L?NOH|w*_9>rD$O%)*_XP-&VC- zMaFM^F*vJ~Yl<@mjq#DRX%=y4TQk_M#QWb3{Kt0&@%*2%>qq^o*(c1>+`T+E(A@Ql z$OfMF;E0dRFS(MGojWCq0`{x&`rJaT&9Cd`AD9F0I|VnCNwe(y+ZnYqbYOOa2k8CpR}o3~QY5W>FD~?wfuvS->=M zUmp1V9t3tby@ukzCcpc+q`*kb*_kHoMiuBMNKh&Uk@N+M0Ak3 z$toL5L{E2X7Z|rN9w@o5ZW%ISiQHOpZq|{u5Jh+qgoYX~kooti?{M-cYcCB?nmkVi zW}RER-)Q|$#6eXtJNgs_k--I_x@D&NCgHQ;Tg-<2g-%ILBjO_`q~E*qnVjo`@|l#= zvp+woUB1I`{$J4obg=)!3tv^O&fk@|e?qQEB8^|q;pbE^=7C;Y7r 
z?aLPE4_l|=x!5V@XGxNhKkP^bkYHd@zX9`N0%$-yuYgan^}eXg{0~a;LRG}uq2L1j z+xJ=@FQbBkT6ACVMj>%y?40W`;($2sMWwrRCN0lh$$5L;ETEA4uP}xXYXPKU^b8De z1P>$?ASIa>7lVPYC9!hxu(v2Vo@9vg@tRe4Mwp z7KfU;;zh0>RYEz)Ll6)N(ILhPGREaD!T9tQs@vDcR{z4_|7;A?wO_--15;DUaIG4! z3uJ?9;L6K6JHQNfC<4nsH*d1nUCEhrrg!1F-nkOn&<$$iVV87R8c)ku+t$)13buXbU4iXM3%V(`EccwSgHTNG(SK_JjtQ?T2Qnw` za1ba0rG3NRV~WEjev#0>)Def-!c7=ML8-cy=z_b#8jwdg?vmxCJ*$nktH&ou9ONvd=}Z) z{N5cX-tG^$-Kk$R-G&`RJ@x|Z2owyiy5x}R$S;|Nu5Of^w8ahojM`C_KW{heuYK56 zsXuNBhK{G!_Mr}4zq?-9=c%{emc722wLbambg!vd@-ckQeX+CR$S_LoJey%%`n+KM zGec&a^eg)W#do#AB1}?*Dk#3OMJ!Ai^@=5o`Co-qbr6BihQ=Gu?IaH%YZZronZUvG`E7=N8s`3GDQ?+WglrgHWP z*wgL8p4XUGBwRR6k%bGbu@KUG_O8{H#oD&Mnp7YGz0|Ex6w;ebVoy%jBHVIgIx9Jxgqt_FlPxK@`-H~Y^nW{xV65(N*DT3Iz8_z8l z2S@qEu~1Y8=MeUa=fZ~njNxU(s}+F>0v&q#_Z<|;

;5+pZHH^-q8EoJS2|JDTL zpFKCvpEb7$VATHqyZqaX1TW^$Pa-k}Sspg?8`oPOyd(`Se-<^%G=}VYiuS2Z{E#YsMe<_%FoC;UGY^v;OaN!A+)*vzfK*r7ioz=MknS=>-B! z;s|qB_3gu$7{O!gA4^GuRy=1%FE`y6C5L~Cc!rbMg%m73S*l&r@)yeD6ARickGR6d zr{3$m%Iu{OOJD90YPo<|-;Z>@D$4&@YSZnVdAe(?LT|y(GrQz<0XjS-sK7>uJ-n6h zPzZh52XD#$q)(PHHRqE4u{V#G-)}H=*nk1v+guuj;ss`Zt$Z_e$I`zZybjGX5-vS=bUwP3)t=5gc+4OV_oIr~ zU-0y&JN|S!$!4#Bk*qMW^j{$d7{FBpyY&56tXLbKAs$ggnd^fU2^-0znxz}6=gNL*|=Gkm|9 zktCT58tZS)LWP=Wc*-#L0768BZk!Q{B@EXkq^@Lv3rp#i(ZvC`Yf z(c{%hE!k4%V0EjgfL5ju&|Tmg8J18o!)DfEI^iLDx=)%!-LOLF?N9g?JW+2uBfj@+ z?ypYj9RGF?|76+}Vb}$u+vZ#smFmwIp4*EoFxB3>H+nuWu=j1+UnShO7kJZAvLv5; z4$p|=Vz=zgWVA2Pze?BpAmn3)BO){m#L|b94132^f)bCvFj!C~g?8i&Pd@57)Tt=` zr~Y)<=TSSJcLE8lBYrKT8tALNJs=vGVXw$=U3W|Lx&h-Xt>27T)&lWPkg4?)-P0 z321etju4rh&oBpH2BQWJ;{P=QV8bU&{vJ7en9u*L-*juVO!9HYQ|F_NvW>US!f8qY z>Z_JG;p)PuLv9X%f4jbGv5@H1iqs$DRiR98O*Xw&4cGlpJBmQ%Vh{EEUPIQOsBE6P z!Va>gn)0n?gXyj~l~8PvyIHlKr?{eyy^ZPG?(yY4@d-9>ICjp+C+aGuLtTk2hgwn` zhMztSg=DLQFplv$hCyoY&K&ty%F0H(+j+kKP@6uI`8Pwt-ta1a?^7Yg`^Xw(Fvq|G zKGb5kmi_MrAQcq4RSUV}FMak*DdSKnJ%6|?A}I?q7~U)oum5%mX6Vw+zDRAP#7MuM zkdH54d?s{h#dLSH3GS8KyH{WW4}!qXCGtS6&k57VGs|=I@1ovUWBQQm(0fB8WbDX) z=b}m9^G@^QV&HIpN|Kbv>(vMI!=}}*-zFYfC%$Plzr5T%Bs?T&{?z<(vMtP4Uquw> z5gIWr_fr#bOVM0fL|mB{+4RnjX=POW+D0Y5zaZA74Rpp8lUJ6R5BM{D81>7})of^Q z@L*^{@NjasDgM{qpD&fKH@z}8Q}l!G$K+z7=d-3-4noV`M5&M*r6l@m^*~pDQ&uN8 zeUP=pCCLMKE^uhL{wcLt5&8#1jAd}T-dS~Y!&18lSTX6=dqB9WfoPl>9Wld(%h=(AoE#wMHN*QDIs)d&dRcgT{(f^spIU*0;_KSo@n_)upNGg}t0 zFUN+9XGJ-i7^^2G$a!9q22!&3^@AzSY|^zF`WL*)zWe?e!`@V z;Fg8ew2p}SjOU^>3yX%0PsBT&bGb7Sk7h#);s!EYc z%cWGzd^$61m~0|h+l>mz$5IUoYe1QnY)r5#W1kD{F{7cv>mr1J$7?Pr!dh09|D3WR z1ZG??UYkKl*aJJ+*2ef|x`<$nI;P zf7ZMdk}v;1zbK`;1T4QwwyqGpEo#zXm!@U>pilzl_I zURRVE95LyuLO(+L73`yq?95{v|2m%v2dZ5yUH^^J?*~dOWC&T7#Bz@nde+LQyg|6! 
zI>!5s`%U4qC_IeB9&#nAg0|`~9%+n6t@Rc}(tU!sRU>OB@HK;uZQI=Lli7KF1E+`7 zilrNTuhAUZnL*vy@`+?Ia?ckI63#g1>Oa`!ye4-zV0&4srQFooo0M-m*HDyE8)L|l zh!M_?l5vWu1*2|ih!W^B%{))n3dBhju#r!Ce)WO7_~@pl^@vuXHv#eimHd2PJ>TKg zRi$Y+Do;dViM?p;Na8OAdz)8ZhWa=-1T^bfD2{b2qsGR6$n;x0l0g5OdTFGr+QXt( z9AzYW7vyn97T|FrtHAF`Be%>eUB5x86NWe@f4tlTnS0C8yc7UU8hOouhXjtPQ9p9- z+IV(d1qnYgW}WsQ--=Yi;=6kMGMH@d@1sXo(mOO}@%*LPmGU?oQ8~~jo4&a)r+<4+ zqThxuA@H3v6R(4SNwev$I%7=5H{~-n?&>PElm-+*QXAdAxf8J99sDUxceJOKR&ow& z2^!*Y&N#-6!#S57Un+zjYOKCInv|33+X{ryT-f(t#K{>##8AMR$L$T;NDPnjkROji zKVts1FYPX9+&S85AoXl0dUnS*`kWj{%Ze?9%l%iR+OvH};}4WVZt zRz9r-3~nE1F;tnu>-{5lI2%&YS|DeO=BMGu^}Tq3D>6OHyKe5#~WT@DqJVHz;XVZ)f38rZT3vkIrUT z(xN`3tbrjXM<63U+uQ%eUgyde4Px#}2^FeU-U9pk>+2*sDNgDkpF+|&#HXIcIR6}T!GhQ(5`?~y!G~JYi>&&6R96izqn`**Gg#_X&RVeKzS1VQ$8Fiok;Epl%tIDV1d|W|!Zm4JLei+Tix?}S; zd0KY{)i)0%BQOTifoSc0EPJ=aX?--wgQCZ5oyPjyQ$32Qt@b8Y&HL85;|z>Fr?w1H zXx>yvblwjNp=2%*sCj7{C%O4YMH`>Vl$JJcE^j;DXP-Looq7V$htHGwK?9Htc>bDH zPsosn3cQM`vQ1Z8Wx|&CbIKC&k=n&!>0GQ?PH&W=Z1?+%dAZH|PJWT<>nK`s%OZP>{Vg+sOc#V|DS*7tk}4{O_d%uUDCm zJG8cm@ndcAIJr0mYj{weh&`i4Oh<2cJ~}1e&;6?Q35pHHhyZe_ zim&E>S*HhZAW?xfv0g0jh+*QsXFRm2M)BM{?yoZZa*7z{mKfhc4lPIc{>_@B(f)04 zFI8Fb%vz1|Ja_QfY8D z-_hWaVRdau6;^Dfj{uvm1=o6_DoPEQ$ zz3<)pw_(fm-8;F^pv; zGJZ901Y|)O;aa^=liiW0dXqIPV&09>BehLAD0*eK-J9s_%fHZ4j?jJv9S%Oa`c?m| zbs8E*o+&&}Cd!8!i!g+&k7c<>1s#1_`n5MblUz7tn#qB+!!=WKbX>KFjG16;q}cP{ z_1%Y|-9W@zvM;vb$Q1zMYe!0QhrCXH8KtT6l^ESCVYQ29T63Rsmm>1{C=y;dsF{dN zKQ_5)c$%YOu2SxquA2YehwYXA{602&(J~%^b|=I432I>^6irn!>7puXJkYDdRXLJ& z4?UTFL2IdUyYh>f_s4(U+~DreE{d?o@jY1~(xJX?8B19)^lW~Vhw73yQwbx*8-jJK z2DLs*Y>K~Cs60fDtipa59P`GQQvAEi_P|VT+*`&JLPe9!%4Vem_fK6HtAx`*=;t^r z-xeJ*z5N~7Z#UzOEF{ow&6p>Heldw2%64m4_nz&EIQ2E@p=K`GU|=-(3LBc6oP-T9 z7FrSZ5wBXL0t{VT*yO;Sw=J!lQwZ8!DrHyCyJ#EAZzHnp(uAfF^TyyWY!B$7_v$W$FZr#_!~&`tzH}sS&1#N zpS!ziU_SCG>^)#P1{6feo6RjN@h%uwK4kTU%xl`j78tXMb_}GH1zJqus~#1@i(t8P zC-16>mKZgyL)Rc!^rDs~>X*)2v3}x`5=9A8=^x2*h>TkO-y~8Gym6S{&a#OamB-`E z)>Nwo(S5+|rJ@f=?p+c9*_JTKwuBW74L?&=#uGs9o#d7%G-2LU-QRxe@_v?9Hg#eq 
zyi1On>@jb9z4qv@Vt?0hJSo0b%?oLX{;hYi8eAK;Y;9?H5Ki|`ubRXwmW#5Ik0Th{ z3&Q*H`IW$W%F`iiy2UD}eifuso17uSd<64xlfA#F5~79XmgmLmIB@*jLzHrHCkI=% z8*JHN!kffcs?UxLEEzl^7T3aC(z+lwJ?g6ZMRAylXI;uVnw37?nbSW^9aAXf8&J zHnq=Dj=c_7%1LJNAD+di7CZvPSsl*sak9E0qF3d9bQj%Jg z{teQI1v$|UjrM;pG=`>j-_|U%AraLD1T%? zE{wY-7V`BKMI2Aox3c3LW#)WoL*|Z|jV(mAcHgspuOQRn@AhqYW2|@(`aBr*Wp*J8 zZDf0?s#KlhX~vyENPNAj!Ph>o5fDc_HTT3p-qzJ)E+ zxM~mr0?0eK|3q^pR228_TT&-^bm~Ssb3aQfRat ztFu+?D__>2M~H<;kO|GcAGmctZZDhaLir}feEg@v>V1MEWk+SduEQbu7YCgr#(N|S z?^{gp#gVaqrgEYNY`rlTmYKx&QvJj}jZf?8W&cREL2T12oxN3tcB5q1X_wY6w+?0@X8O;s_f z=CkG{AE8zrRhBd+!BEKqRcPq*Ftj0lK8w{QV_QN&9G^1Y*gm*<{9;fkoN-OxudNJ- z_8YkyS|nO^Vv+Ih<5Rx1B}1wG()uqWw>~42lOx%7}|JD9VdaP*8> zQ&6mjH|O!;W1>}speuVRr)j4hfd&kbC@L!TFKd|pfSJ48?`-$w4b9IX z&k3BQ!}K$$43!Yv_s@?c)YTCVQ)KJx?rC{Ne<@4-g^bJuOYI)RMja;2yAilRp%fnv zX*FB_>hv4sCt{bUAl2tzMJ<}NtdCz-R_FP| z{`F7=Z4@`PB^W7ZW|1<>@;x{DziIWk|F~D=MQa52I?}>8;roZp-$%CDBx+zj z8{AYz?;6{sw7srzLyN&OGIo`$JEP+s?Z8 zs~{)8duJ7lE2Rure?TB0Lh(bj${>!3g%rCaH~FZ){Prj(;8CEPJ&J|XjAK8F#f`|DQo9+jrWfZo;-|mveFTIMtZ1%A_TiniEOkzcksJL(GUAY;caBZ zCL#k^Hct0ZT8Z9irW(vmJPf;jTVRLy(I4C}X42#KL3DRFIl_gM_|VHvCx?<^94&b= zsPs<|QJ2I-k-qPIwrx#V9e1<@=__)kB?zpE$eGc_HKbg5nwkFIW8~~wp^?EKRD)g{ zy-ddM+*0dK#8LQdteC!>=WjNE-_!M64bRYBRfd4-z>YLZzd{bM}1$oA! zC8>6pwoliFSFnKKP_%9YyYW>QsJ212y+6|%uU=UxjomM*8r1egkwQH?AwVMMptPoInQG97nIYCFcp)KrI>h)Rp2kJI#v@r1a-9qP5~8B@+hh?c9% zx50CWnCvw-y0KqpEVJweZpyG0eHJSTkYx1q=ykj^G&ee`vhhzoe)coqu-MwRaF9g= zRVcW$L*)60zG<~?1navRMpw2ce#42Z@3J(DSnr$4b1`aXP4X-giQga})<%b>dav*Z zAeM)|zFpJ-cVI}e`S{5I~;aTgf4pQ(tuDyWX^O(Kgq5-w6MZ^9V(lRG4bAp2yTLf63$Zi)!% z85!xqF{iWddcb`v$zmV?(xr)Rg z088+qQ0%LI3R{t-;x~PNj2;Vl{5-uNjXk7;54U!dAR7KPa|q$3YvV3fs>tOi72? 
zlF>$f@RCwcz_4q*bDaaj`rWtl0KslHJ@gVI14_okA4-A<$ z^L|&+j2)9!*3LjnhU8y)e8H=eTy+ZpWo3-koJCFaNC78vsYQ=H)A*JM9XgW#`3R(8 zgCf1Kh||=#YY_c@ab@G3&{5N{jYYL?S65eCXQw}k8Cu#8U_jvR?*2kRfb?ZTf6g!& zmluh6Mu;3q`8OHSr_YTk3vhDT<4Q&QV$Z;z3T@8k4?k*&;7%4r&SaO$?Y%4~SN8QWkk-LX8eS2*-(!1f;jck>5Xl>WK?$9oN7s*xb7KQtIh2?~r<5Eu+x#`rloIUH^WdV^`aSfFF46SyyP`rLc6X#YS!Ct~aB2&~>MfQ$40c?6)B zTZ~Y%=vF-$85s!)4HX637TB@FfYYK8FbmgiaArzm(+`6VBpP3ztZTP;@&nc4X98wT zBcOrP29__t870uZ^^S1S`-T-*5=Q_nywR^z9_>a~Rxl?&9H_~k0r^EIkSb!6k%gb{ zPMQKEjH~;b!{fWlMbpk8%&9s@8lWH#0sSz>WBH0xO&__uua;3kqXE_x(BB*bqhu4% z-Ww7gF0Q9XUSl^OR`RZPr6AM0qsDgj2e2^*^I(9X^j;g7j*~TF0sjAR+Em(`sYVAD ze;o(&jpZJfc3_!MJuVNrfsObvXbNB5%=GC24%9~j?5#^lhTiS>cQ@re58mW_4hX1N z&%4_FQ60B_QvqXm;$SSwo){WwhqXSO+rPVIe4ox3BcBU}0lVI1U@d$Flza}iSB~T& z-sB8Q>21KO?&#*Ql}1?j`SI~F-^UYLuuB5f3Y3rA!;6WJ4_I4!Ps_kSLq~_q#Kgqsb1$f>rWTW$8dg=s zom)^q0|fXaBqV)(eQ(Un=qoBJq7xDVLGRdmbMw`XK=i(!KSh<4o_%m~%GNBx!NWt! z64Fn+Kcy#v=EAn8j{*GU{XQF|<6KsrMC!o`>3CG|n-v z43j?~P3|1==}lJ982^f7!7EYjKXB^$OH!1FA)?{@-GO8~71AL?B`Ux*%$Q3}ppqeV zXX1+z^hx(Nl_NhFR_L|;M%B!%pDtLQsPHB)r}WNyO}eZvv|)L&wE{U&YJ5+&{{5*J zjZD9@yDM~i=jYj?p7n?NWm~49jovgRElv@Gq*R+a39E|xG;479yGmIYzA>-%0BJwN z+d}m#pyY+Y9n30FbV^8U;20sh&y%v|^vlqZKXYM4d5U$q69F59$G7K+HmlAXm_<=Z zFXk|Jc;^}y9g^c?So~hL*vyhmVRaG??wGZEKY2y^I6C>~bPLRZtQc_sY%Qa!BX9~m z`GD26@x?CKqn-M0^WFRmK7YqDkAN7}7+6|sSA2aWZbs1VQ&aJaJ?F{cFjGgclRV(; z9=8~OBo<`F^Di(@n-8kGn`CALA8+Rl);5N{)tiRRQ4iz|j#o&%Hz@2icXIme6J|Hx z^UGY9-ct<1={%tUkVl@~D~*=~D8qFjQAAbpDLp+>EbnSCsHmu(prMI6IB@v+`C;SZ z2NbFmnC$#1Ool+8(ko}ce#SAFj^@fHb6euJTyKy8n?)Qv2Boe^L!SsVJbI&!0JJ9< z7!pQCFMv^Ql;diT@m!rF@oQI>o=A#t;16nawlzX5^ohIW?+&vkaK*kl8DQtM`ojp! z>7N>U9wQ4s+&X#QUvFORRSq9bn`bTq^xxdL>_5^vrh2wyEB0i86e`@`KOCvYmqAbW*ze}8{;c^RCU zNg4EvA}m`xxMOmXsHLUF{jm9x<9#1C1_|V`KPpyGR1_BIms{H3$F#S%#~|f?f`t04 z3)qM+udgGsv$JCmb0FN^TuK9X@#BNW!yLm_@2$x)%7u@c6ivV+-5qGOM{4a2&-Q1D zy#AhvW(s>9O}w*T2Dao~Y4$ClzhXHX0LTwbC8yy7eQIe-Kub@u$-4<&=Jnw5<+C)j>z70^eDsU{-fZ-?djHd5z(iMz0eFHj~wZ! 
z=fIX6HN)e8-}!KX0$ASnRt^gT4?#?jp4rVeWWTGm+nT9n78DX%-rf#1&-jP}nrtzE ziuxg2K8bB>G!H$)`>&tZ=)4$i)!e5d&<)8ICd^Zc)L~^F8;u zbrb{^I_^Ngd<2x#WKqI@8R4d1f+u}6;OP9esz#Wh^Myx-G|7IMGshs?w0Ot~ZNqvD zWbTjj1jrJ0ad2@>uJ+Wd?XiT;uz`~&^aIJN)A!!FVRz|`l$3Y)WJccZJC}WIgu`Jb z3wI{zpC$%{gG2LFrIf6=KdJ`ZxEfgLiD%}DA{Y{%c5_PhCrf5ZHd3$|YL@`ohMcNX zEY4X)b?~ZqNvcun56_Z?W(%t_llgqySKI<%>cbU|O z=N#As1W@-V)?ApqJC1O&TEG{EBF8N~){FGg_60SKDUa_ndl#qMR=2TlBhcj8vlnv} zFfc}|yU1Cemhn>cKB9{IvgrH0L6c?HAcXhP7_wLpvl(QG$iUY)=A?TN$;Sspe-X1c zmuG*(i<6U+TP@=UnpHI^xWM60vp$ozC=WK}TbNZE-joVSKj&C1P$tOrR3xFJhIW+( z3#-C(J$AvCq*q8bf z$^->3;hX&YgMt<+z?UuUQn5bnl0TM&*d{`_6EN^i$mTPbRg_ZIt!cKiIp=yb8%3%& z2NieK9TG7qsnzM^7qoYjhlckjMD1;VDBR{g`+$)Mexef%pNx%d!3GF_sY|->TX$0yx`MJPyD&NWJSiO@uxG;V! zBE-i+sJXBt@9mUwG0a&9QPp8pbtP23VXizME`yG zsEJwInV7`AcBER0F1cc1dl^%8V)dGC`e1SAP+S5rA03`Bm5w_N2L)b|zF1(*xDAz4 zb`~OC0;^2l_wF>qf==u29CAT)WzvEx{cBwUP9njn z2nB!VQrRs^dbI&RJ?Ilu4aj#T-#Hl)1Q}M#o?pfZZv!<=tVwzIrzW`dNvqO2U&iQC z>oWvVL-&w;dKwGc$qKv^*b zf5;0HvkZgTaiZ7+4O?~zW8rb3M-PN~Ls1Pk{Z83PKUgizriy0Z1#8XJ*U z2b^ThJ&OjYF%VF$!wJhRk%XlF?-bsLK+q6P_nt+^4ZtoXGrX(cNC8hQeil)9_Z}@p z-gbnq1R<#RxzyA_rQfCQ$^6frYvI~w2@sqP;jW43c*jR;6Y(Rb?XIi5}+9i;A4vlQ=Y^JP5soCWutX_Rti zv`PEl#SBfG2?2yGKv4WKefn0j$ca*(2;FJtR2R4CC<-B_w8C08C_(YB)atEklL%S5tu<3cJN+2p(O zoluX}Rw5FEGfwTd@5u}yx$O52bi@2M23j=+y|t=nj4OqKw%5 zO#j-(#tP`P>i|U_JO8)u(xIPw{64IgT6%r`;VLd3_d$frdM8(nmj86=Wqar6M}PFQ zyv0ei4tdvPNGiRfAy#!9=2#G)rc?7rPeCvr97KqCyP+*m^zH}6Fr&n=*(Z4lcI)Oj zThteF?PpL>+3{Fk6Erd}Q)p&^G8~g#;=vMm%02f{L1i%!m(SWlTSp1<7DaMU`xxYS zRBQ8iwG3Kk!2G3$rQipm)&QwvNfXXjqV<*i&~0MDc?>2lRy^S`XOkZG9E8pde6FaE z;9v)M8?t$gq6Mq!mv|1jn70+u`Mx;Ep1bEwQ8UD1_?!!~O;uH;mvEXPO#1QyzrBv# z-F}??o4t*XCQQDs{AcqxV2xhxkYWQsnucxd35nK0;|lHvj9#E=gI#LgnOvo@&y zds;bpyd=2I&29JD|G6AI&5sML*J0%R?Oy&iBbf_zKSJ}*{9Es5%96I|87|B18h*iP zSO`-{JG{Bs-km}!b`wdb$K$c8S3%6oP{1&EWswA4y{LG?z*WVUs%l*x&mXVt?;pw& zGW@NR2>ru|y{bTyA7tq@D_&vJ&Rd6OG=5x@{HpKBWLWV_=KyLpsfp&q<)X61;S%Ir zB~l6TWjv)hcye>vLuSwSiO9yUQXZk@i5tKShP;K+5n~}WmU1#FDru3^E3tS1CPz1Z 
zLu$NBCYCo>#*Qu&^tRzzxA!Xr3~_3ebQ}i(oj1txGr6|MjHPzN&d%jkPrnq{EwPyD z=VGwqN^yJ^SMp-=)_l~QyL8{faf`CdZca_(zpQ=5vqPJU(Wr!f>2-T9Crjd*3p*ly zOhR%tTXRH`miriJxSexr3(RMVLN~=B@-8 zdb$zdYw&OBAU(*^UJE4~#J7kHu+`K_9H~MaXT@#vdJ*~|;`0h+WW_F1pXIPJW7me^ zdS088)P3D=-=tQiDn87ys9wFxDOJ$O8L0E` z4c{RAv4@kXb(LV&z+#A4_gFG!np#M00in_L!7g7yUbRwxdQtn~w#(JM5z}8~rC?pg?zLhz`_$l-%JQu^MgY)pJ+p4f1FuZX;SoO8E0FBdtnyhNe z+%lzR9?jCTzre4tRa1fTnybFr$kpss&S8-591fdj6euSQ_X@=eH77p`FVH&xf=5}1 zq|>+b1x46M1Z$`7)4@_>gsJO1h0G=DY5!1NX7kM2Dg<;l^>*g?cQ@I+?x*HaZkw1P z7nn>Pyw;^(^9{67JIG1X0+^z^bir$iYSxvWSo1ry@+DWI6T6U1T_#E#OWZ>|nL63A zhmyUr7DYa@R5;nGXaPM8+aLQnwgWb34;!az#Ry zqQxLFxVBZcvn|UR17qloNhDz)!LPv?$n-Vlw?b4x`+?rw)giLcXr0N?WiD0k-6f4`MJ3|onQ?7+75Nk&|?=hZJ#rqiB|FX|#e4syV1_7N5q zmV~slc+vREm*JM6oy2!3CL4y}bXjN$!{#vht#>(1CrOG9+4*BQKLNe37{&9=BVkcH z^m#9o_3C{{ezgV>+8MinGt9BFB_HPam-SvkD5DvlUc(LbvL5wN}?p=UwX9D}<=c+RRur({0~a$#T7fKKrJz zU?Hh1iw-{1=KD*xv*94TxWl~BrJ`Wd>LZWMUZBGZk|j6XQItRN)h^ylG;S{(e|evl z>02}Zwym;N{o6Nh?-U-0^k%P}bb6NofnQQz=Mu-s3~Bd1E_vEWw?D+w_@w1_{g4vz zZ7W;|)}cefp?^ICxvxZD=4nQ7dX=uxzy+F zUdxMFl-Zi-J>;zgFGOdLDk2(wE*fdEsu`7wN6uO! zj$?-Rbbqh!XL-x{;vF$dq+IhWN)c0Y1)BuzgC#GuY&`R)Z!(;#@xk}!03t2;63h+n zZ=(23yPiGD$okIOn)w-2uiLOSG{Lj=TonZtS{@|Akq6Vpj~rJG${bH~6hDF}M{qexYjCAJ0^`ncEgokl9^e>z#wvT zR283qAUi7yVX{=ebA2EwCMhX6J)IoD!89~9NS2nCGP1Iws;apEux23-!UCl)VxFFY zk(45la3C9Cg53aRb69Fa+?%b%f&=BH`i*cT9S*P0HxP*2U(vj>Uw~nfy)uHs_W(`% z0h))4b*rB;YZkWwmuonk24aS3yB~5gul;js8k&E!L@E!uv9WQou$O?Cm>7r4j=DmI zAPF3X3_!!<@V<42k#M0HdYu!rT&GuN~&R9yO&M?O5*SIgmou8WO2elpt zMxG4pQ%u*idPqYa4;sMUha~MG&yRSm$)rj56HEWxN^6uH_+M9uVrhK+Hv2<|BKzN! 
zQqDzc;aY42YzhiEsyQ>GtFEDuos;uueSMvgiAhvN1?S}S)bV^rL$ARZjfmZ#D-fLs z&S0FKIp^l*Q}gqa0CWw|BW)>M<_2Pa+tw7j&`?myM)BjSC3Z4M`P zfS*GbAb*Yk0!_un_DtmV2ou4u zLg}G6Zf^Xs0%d6cs^=?x36qVZH(u!q1vq(Eo#QIUr!$LxNcipP z@bPv*<_ch@dXAPmaj>y{FBg3%;i&cbd3Q9GI6$N$J|m&#_&nUh0q4IL`{A_7&W{N0-uuYrc_p;nOZF97qSzK^)-i za0DKX$v+n)2Dtsv>1ikUWutt3K})GHIi=4nr|{jG+CTaLPAhmMk>=WJ1{T_X2_;o*@#+-F4E|z zKs}Zv+Ykcc#a6RJ!5A8`*XfNIvWwsD%A9epX{6*D(6^Cb{)Y{b##B#Q#E88A-gHYAr~lWe~!xZ7mpaC z^Kq?z#0?;HB;e%E(Cfn`a0t465s^47e!sZ7x>{L)dIF~w z;lvgPAiO-m+W=?>15T3x;%o_=uJ*N`aX5f+i;l(~Oy)!aH{25}tX>d`a0mzjKb~$F zgIh2pGO}l-JG|Ux8d9uX{s>NwPZaC;gPBUk;Eenuy}^YF1UW{49-peQCF3T=1ao`> zL69(6Z1LiASVDM4ArN5bb4Sn{Nzn<2Wo$~yC=i@h!OsDqK_nWm#PRX?xp{e1;Etc3 zo`$o&1_saB3|nB}9Kf@I?(S|zR#wT6ANk>lg1$axiDvlUzn{Qf%c<8%8RS0jZOPxn zuD1MdEr0^Z6if353s!ibYgI~k6DHebn~n)o7P{{~gQhU@*0;VX9=Jz;V3Zh#YM|)= z=(*v2OHAtn04-`8MI`kIlFJML3i! zRcl1v*Dph|3Wd?%eNdfFV}cf!2(i&ayDq0CFri#PA{qd4L^7-X|I*g)qQEK!-u<># zjL6Pcuqt=*K2HA5WcqzVLb{lVrZK_{D>00&n``Cg$X&>{YXN z+-q7Nfdu1PJMa~vFpTaTb>G@Fy=EdXP#as~r9mRm+HnA#NqOTXQ_epgmqp2|==EF$ zZycvt;|lm1OBiQ>Ru7BYv^gscS|MNUI(D z7?!EoP)g*%LTA`}@+hXNKh5?UoIRMKVTf+v&%b6VW9pR6o2XIDV62eo|1t6F%4^KK zxM%iNEJV81X81*C+}puFcMS;uhLQ#y6WIoNcufD*i^B0(>DlS3{nF=eFU133l}}09 zwoo`5K0d}m*Cc&wo&;%BvLc{#U@0T?-qy#LmF_a>%7L_h=**Ez8K{`}2ob-UwzY{h zL>0H2_2{`)J>h?v7{J|`~4c%^}P0VX%B~;{_%Z-@`HT61M=Dk5z?{&D-c-l*1Gv>S`_wLbcE{rxfV2q z*N^Qze&>irQOnNwM`CN0CqaV8mzp}DVF1xvsRlHB*t|bTKL4%Z`$ci$GqS3=zk;l+ zL|YscPXPD6|5}-E)5pWd!agPO32PnkL$}ik(@9Rn=qJ533|oDCfjSix`hHyF)01$; znKyfoJ^6Kool%2Lr5=TkVzJ2=SGp~9W_zc@-S2H{EYO$HKYU3!{Y0&u550f0W&XUm z;-?!)Z;@gC%G^tIiSfO>ZMUo)rUzOtc21;*f)|&LR+)ohAwA{%@5r{F^*T3k!q;5Y z3TV&d1pUgR6R)eJi@to1rJ|)=_a?WE0`OnCdplLk)PlM$^@P$++QT$EY)S1MNlqnt zO_|jvobwtc*;dllB}SJ1%);%->61RMJo5bYX=xZdG4n&tx+QTE{K&=GWr@~x57OvJ^ePndl$8 z?CErhs8>&7e+X8c2W-k`_Ws6JvLll*s&8X0Q@{{j_b5i}^d`=F{KosOggYIaFzJLX zw4dZ$d~w^8ryY+oc{+^!)~;y3^}hCSVpsSsCpterAFmj8*%`fkFn1sZlIFCvwQ&v~ zyM&QA`BR}%`_=@vHZWm`1BGuGWpp-g|Hcq?YZStgceY{v>amn_O2U$iIgvtyz5?!i z7R72vau=lPI;3ZbjiaGyYr=ysC 
zhCp&}t=Oph^i9|}s3PEd-_@zGWoTqU#Rc*iUG$6tKoZR6VxeeFbskH6nXXQjIHTe;%_7T1H2dBbbDL*=t)S)cqdD=ohG(02q&`GNhz?n z$IrQ4ZA27F@*?9`5%%)tTDe`AV#n@{v!>GTv^z%)L-|Ktg%e-2mVAq?$bjo7RXLvY zQrF2?AD+L)DNGJjh1U3ZhTZPY20wV-2FXoSO|8X!){}f$WGW5C^5pZ})uCtA?}YVr zlq~hEFp|WCTE7Q|us~MOowNvo%4O54=1j7y;Y7ZrGz)$?h z0$vecj-d3ZS8t43v~l+`C#}iOG=C>B7u4C1m$&PjPJXqI-V~H5Ug0wu2+Nh9QA(<% zg`W>MpK~UNwz&8CNqB$UrqghvbNfx$y@N0 z<)?Ut@aH>wFWTq}q74}wjqBW~yPj}yn}Nd$R`PwE?zgH*^9)gYVNL#tVAWG-)8n+d z1`)bn{KNv~m|87DdP{#*&MU99yB950>6xLm7h>g;@%2>oFtf|y$Ipajr+@E*C}@l& zeDrQ@d=;eV{rinXXC|-_{Q>-aX-3&2V_-r>;KnTVA~JZ1W%!)5;cOfzP{_p{g}4h- zLbi#p!Y!VIJdzatH))xPjArU1ME88Intc<98#5WW zAgss+x4@TQ5whY`XilGFjwcJN<*^&LDx>G~kvo-=su_AO<8+U`%L&g2-iFWXg|j{rz&Zmaf?o6{UFTs)5HJB?n=}w{XP~ zGQ)1qc`b8!9U~NwZQG!t2ikOLq8%5LX!{|r6lY8xPE?rgpN*_C#x=+OSxy z{A>(|pGdJ4gOi1Z67H9;S{L_G#Pgi`=bjd3MQNl$3U)?O2N$$QFmDayE9Fg?Kg%U8 z&nTosHl#bEWMaC#%pzvWq=I}0B>hn@3FS_)7=~z^Ki}jwBuM`_fdH@g^(4g2tOlA} zZftRpkx8yEs7P}LzNLs2Q^nzNm4i$abZ&bdt-d@l})^l=>S zPI!v9Z1`glV$Z(bb)18WynBYQ_u=5hX$;4CTvX0jZYImC!wlz;@I_Ooy_xjO-QFR# z9%HWvezq1(oz-L@!%mKYQ71m`+|Ry**G9IG*%bxy<|;2;3gl%yJ}crj0&hI0vRQvi zD=T*g_K0Qv{n>zx>#TixS|Q#u1+TCrTxUZ6e$scSy);KfPmlW!(+wp*tm@s^D__5= zsWpDFN=op1L418dZSL-S%(f@BB5LW}#4ve?-CbvOlBNlKfxBVIJ7#73#5Pr4%Y&w( zia}?mns}J-ck#B?J7RkSG^9`C;};f;ib)tX2y|n=wi&zBESpKjDkWs-{Qz|Vv5Ajg z?+Fh|-6z`hAGzb?6#$*-I48}?Eq_r(7!g!UR%VRWQN5?Zna4t(eeD>*Y zh@%R;OZ4H&ZSU9npk%*wD6h6x5~Y;q>e+q8sU?pC`UcRfzayh$q7G!r(ID$uM~F#_ z;O++=Ki^<~(C;H&C$Jm*7F18sY}c;$|~E`6d?PuQy}b_2mJ_$30KZKz3v>i{Ytn zwjlq>ATY0!P*zTWJL8_n#PVI653fqlFL>v|*q5`&3^X?*b(p?wUluh~(lmJFu|IMD z#S?x|lEMNl(|oZetLC$hc~HbRM|5{T@GNX-Jgp&Zwd?^WmpT>W3BXfLu01z83PzASKxD_{5s1?pk5{T>f#$glwiOo(=6{(?pQgt3utizbh*z@0h93 z`0TPyXB+|)8t(4T8zPAyL|hZgj_}@SgQG03bG0di^q|s2Mz>`zAoc@?kfn64Gdy&w zz(MJn6@Bch*?l?fZSfewUNhjWWibq({`T!Sfj4A4{f1$4aj18V5Sz+nOMlcfjrrT_ zoSd+_^jj)zMtDi?Cc&cMTyXP}mZDN>tj6d2=%t5!4k7zL5ZdkU^!n3E*A0#r+qr*VrIV?W zY&=s%&IK_W{ORP&z1Pdw^N@`XW6ot$`;FpPdeo?12jXd-eD9RW>qxAPo#?guCnizj 
diff --git a/content/en/docs/getting-started-guides/windows/windows-docker-error.png b/content/en/docs/getting-started-guides/windows/windows-docker-error.png new file mode 100644 index 0000000000000000000000000000000000000000..d00528c0d4cc4fabdf9c44969f52cfb64621e313 GIT binary patch literal 81774
z=At%dlNh6fHbw~*gg_A)5yf0pi`YtpqQpMKqX$9W0t~M9Np82jcHtaFf&JN&3Yu`_qgS2n7#_YFpc_T%^G|8P@Hw6T*Apw z;CGJG{gz+Mcgr(krSr}x)Js=Yrf7>7e!@t^8SUW+rL+Jkiye1i%~RsxsCBIVuOjU~ z0&G8Tkh|?}*sDK0ao~135O`eSjV6gyYD|CA#2O~X=M#FOxAEUed4FP%O0KU^28`&} z9>o9`-GXbGn#UM*8x_?r#RUi2$v@=%FA>M)d4O*;_}V;S`roGC03@9RSUrbv2ry;b z-3SGxn}zz9{x!sJ+i`gYtB)e!XXlwO9NknLNfzb#AzLHIw?JGq`>Vzggduu z{C8TzK>%!J&qrXP72*H3_s3DyVFCN@*lohVj+pWv*mN)0R5;L^;}1mk>Vdzm?|-sN zmLOhT1T30w7_#+y@9EtObbrkz{&OmG5P?%=z;hLrt1B)lHW}n}BK}K13~GNSPQOCq z$H?Cpg#Yd6lB74vxr51(`0sN4&#$ej(6xI$<$9h3oc~3-#%LhgsmuPs(0`8RFXu;g zRLFayewTP1dT#v7VgEOeHN)^{L@ltWnE!apX$ceH=CA=Cj?ySMTG zE2xZyUTJ{Heq`+o5ZEcuYFpfg$a$W%zs?Wn99ZB?JeDTN{(cbT1LENK9QzyR)0l~W zCw%_#m&t%_L^XhDG9Jfq3I=nHdqS~s9qJ)&aI|j5LT9U@QuSp3L;e@rhxyF6YJRCX(jCaO5hNNe5^9G z1v0j&&5qFjZ7Qkn8 z%<DoH)qQ(!X>Ki1skeaM zy9eeExz66M~=Q*3JYtyop4CF{)^L z@n>1co?w7jWV7g>%=tBGzb^3)>Bq0dfKUoepdJ`{v!ksX9(I)Y{7Js{5XSzX1i7-z zJ{Rr|8G%_Gt$B+tp-X~*zMd&)=2PcI^v#*;1M`gb;+q=M=Mu8=MW}&-Yi654MHl~; zj}9m5g5A2muS%>yo*~WFI4ydN1yx)nYRzv%u3{<@Zjm&@*jZOb36b*P$ZG9s&=q3PBFRC*rNqpY#$O zO}doISy-T}sUHpxcWU1?vlpk_%{>G+xQMY^V&l^28W8~4+=5+_GD^U37?he0`^;`< zrmc=vocH-0wq~eqolkfKt6~QsnpPNk#}kxmEur-CONmEI5}&C~^@kWEq~JCOAfNmxev9edQOTVn z2jO;jiC_~31$1_O&*DV-<^>v#(G&D#lR)gTV<7j#2U`N-yCDl+A1$YE?4hcL4m9(l zb?LCta|9IDBe+4og+C8$P-YefN0D80R9e-K(M?fO}B7HMr50}gJa!aC5(}S$M&~hK>OoxU_ z^hcT9He`5T*mI`4vGX7coZo{(71pKqawgIoEvo((FTAn}JTHi-=#7HyWy4({KCI-< zY7z}i7Bg^|^pI0*8$xN43N;ZPJ>rx-ybC(@ApRODizAe1nYe%uMq=tY|xfUtr9i1?^h*J))}6UA7tp- z&b?2&QS>m}1^sbRRJw;5I}{9uEE%7{DR;N8^@D-0FdlvGVD#3M!cY%|lvE+%dJIX7 z;&X=4Ss`VX_4R5|zx-TTIdZ7P1D6PeHzD_vJ+Hij*G9EJppX300|&sZT%=B7c)ysj zQAGw@$kp0=(lt+?D%ID_&X%7Dqn@uETdyOz&^}P4p8SCp8bgX5CfuJ*Y-zf=zU!{T z{K5VHVxV*i!LpXUEUSLWC@)BZAjt98+))Y&#BG80G)2$V$J)3?9qg$`Z6 z+ra2VD2QmpP0&`4LrtBeom4@EL0=&73JLQVC>s;`p2>|Lu8^#Pg%v4n{9fmjs-0~C zupf8tC)^))mk44(T;JLZXzDjOap+Z5g-BMTnoRN6rgULDHr#jizG0~9SF_%8e9D2w zYBL63TCJQp9hhZQ4vZ)yeSU5er&0wl`@F`sR)0z0t?$MHv@G=_s15{uq7D!(^ge&u 
z;qR7Hi5>QdQccGU8*U24L}&%?uLg`E$7`G43%RT4s|c(FU^;~Y+(-zr32CUi8y)Zr z9k-xvnT;3w_pxqPfMR$WKnMwNgCh$*XU^{&T$T}1a>fQ34IMKcG7$Mfm0Tlr?jG=G zxLH8-%G`IhFr9WU9JuvxHld-nF$>$9A;D8#)7-NmcFAWdC`H-j)GCPbJ@9J z1SmH?VY%JM3^!tbt~_jLy^}<#9u;QLnOnY2yZLMZ zEJWym@yN79&iIp%#Ryc)mo`}3Ow&h9{m_T^`lhIZ_?kM`c(iiW95ELiPVxZDZPwc> zVwMwsQU|_7=2(bm1(XhF0qC5dRtTo}TgtB??ole#r+EA!ZpxcgTz!M0nse`hqF(5S zZl=J9s}*eb4LyDRjqP~(oRA*1%HAkn7_7z5h^Uj830|8)LH)@fVk+#Xr%h3wb&OpaC7cS_Vp&pOR?I@A#ZOn?`!?j^mKxA8bOLZ zy^N)t$oi!m?G|B{eqzGXvC!WO7aM3vd5*0wuS6YSMhZyZp6sy|tPLbDSb(dZISjhp zi!Ar5tx)m*q%{OEh#Q*Ga9r^Q8k zrYDPk59eR?in+RqeR2W>{N&QPvKKp@g?n#&;A&2V9@30Q@vb$A#rUKDYCjpM`r1h) z$Y|uLR$ZXNlf#YbW#HR3;_eDTys(v33P)mZEX771`hw2xNOCruu(Y2r1~QSulC(u< z1Fu4ji&s*cwYEWU#W&KtUr8ARV4yvDZ^rbJ)^q8&HK`^Gyu|FQ1tA(d)QlB8QMSgv5RCCx_dClzDg zt{gms%VP4LPH1hlBNP=^;5`Xw(_uJ5VqI%eCy31f|BkRN_gHBT(sAfq!iUsE{yA(r z1skF{6<-{@i+{wmTir6kV44O|$1p;84X9fa;~t9fY%Cx0;D>45^4C>_b+X@J2p%J0 zRuWXnBQDvO5SUn~Q2+@f}S*CCBm|?kD3C*lt&(Y&o|sCJA8g*V+09hJG|F7Z{a`u zptlp4k3V-@)(TNbvg@O&9yRr(O1Sw~`A>vI6M(Ij``V4rDNTvXWpOa^{a;@nBQg*UhK+&l(R*sm@!(cp`Zf;3-68D^23~igk|APllDRzG3rS zYK%c3tSgg8rzAbtPL{f9qo)Jk%X#KN(bJ8hIY)YM<%e>_X7wP0qi8GK@dG$60eDsc zY#j+3DcHHRr2s8^G9&HXz!n_q@K5nZ8(0@D*#6-AmDY0Z63xbw5EW~YUkUSA5nOU! zD~PAXZ1XB^y~$^9%S1o;P~bpeq+?x6#*MvFw9uJ4x_B$ivKCgZDY0Y3BU2tC?LMzy z=({tOb(I5CNYyeHSn*!ju}`+<5y|g!C(4-$$4T*cdJG1?k$qGMM7qv%q*@*>^psTl zXAecqhsO_G)&>}7FU=Rn(t3`{IP53^S9g;j5BwsRk|g)+MzqFA^{vlDm4aD#EjTeIqfQMmV&J$u18Mu2LPe|`za5dGqAG- z8f<=s>*p6N4!>GhYtz^Z_E;?JXy>|*^LS>{L-g_Xp zrEN^;EgC$VFv@?@@$*zcgwp`vW%&W#X>ii}0~Qx=AIvDRkMa4H z+Ec1-O)sc7GTWlr+V%Gtt+yf9+36^0zwL$tjS)9tOn?5@1lf*GbChA3s2)7OsjHI; zDakr-ADQ}3FQp&K64s%h(%2RUaciX!J(ht<#&2~=dgq;;v+ifP-=BSo2i26qVVPUFzHyL;pA?tJ9Fd*8b! 
z=X^hV>>hj6u3CGpIoDiOdqtkPN_rAcQsiWveG9d0MkFSSu}qPx)#X^fS$IYj38Z(s zn!=e7J^Aaq(ISOZk^fBoph*+4b>jw&+!AA}iKNRH#xp3^r8P?|^$;{j&^JLF_!m)7$Di@);u`ny!d zh3*i8P~T_cpc@L$xlwH1)5jGQo^{?7KiUj~;djxk+K*$ne~JX$y0u9h&vf^0oDQY^ zP*tfrt!s5swRt+b!<+t?uyK3;#Cf40cR8cRRAi0i3DrWGMoI(?&0|nQd(USO>)vmZw)OfxL?iJwEU}Ucvo^gW9;xBdl+jZ+bpFlf$-QwrWpp2@7;MH+&c2bkUQYXRd+M1Wm-rs zV6IbhfP>3T`uC;F2R9+)a7vw?sb72wk5#mSatW6spt;!@6y=4m0p;_rezN{pWGqot zxI*mF+f-O2G1VZLFq8+82bWHexwGb46JZL+q8@Ai@`IAQpdMxSF#~@`qW4jksojkX z>6RkhJ`Ec3G6_b^`NsL_62Lk*y^o>>|P()Q|@|HxQu&DHyIB(vP;(RkzV>9HBiJLJ+a!uCAXL84)At5`BcY7ciTI7U>8Ta1Hn_ay%Qaz7ZNG ztB#>i5X!N|9x1dg7U`s%2wAnUzycQvOUu^A$hbH>GGBoeu@=OV5@G*%L+C`2|_TEza9j4byOPE`k=Zr zMo0MlO8PeGdv4bE;im>cXmy4$1}sfpmQK4xM{6#&?t(fZvItaG36I_7 zz>cisjx_$cOJVEr&7A5u)EUPAT??+?gqc!H)xd4AYjg1Mv}VvmAvrW8j$&3%3z9o_ z#b8MPDSt{mJ0Jh7;Gs@?e?x2lwn4XQy(36%Eo|KkOxRgHMrZrARd*z{DXi^j#}mIf z+6kGRp!Z@HO}>FS^z8DMAdU4sVHqfHA@eGPP3?B~81sxwZ8oe%@tEa;LQm5U>szk& z{>4qygh997qj4+4apRfY(DRMz5UL@b0o9;(P=DQHz!95_G*|)m$~$%UhnR+`PF2V( zhBfg^>vSg8I0qJndbJurzKMQL8qgu4TK(jt$tLZ40(kMOQ&|dBQ_%_Huxf&0kHN;( z)(*3@k5SiQIX<3zwLo*--yGk&GvC*bhHHX@{Af!%!Wl-;|C3CebkoAT@0PJsRNRqYaL+- z?td|CtCn(JOmiPL^5(SPYM2VR^I*``tp)5!KHj#! zXXX{(=>uUAF0&ysoJ3Hf`_YpSq2uqWfm)3m z$}v%)Wg)Z~H7&~iMw$`~gX8M%uc$|J+cB!3v=V!O9aZg&jBsCHimI4~@3>dZrYvnX zk&fB7Y>ZhSgX$y+{MoN<%p}t!aLjsSQYnzay|a6<6*xni$wj$rTg3IaYMa5~$sZ&z z?$y;yJlMW@$TqSY^k;7u@)a*WB`tOEEg!`cS48i>`qp~Lgrya^x(k@|h8Ux1n$eH(jAuI*T zkxMkzDV-`wAq0!!^i!OFoYF3SLL(xx^r5R|;F%>Q$uK8tFmo@^bUZTpaGK}TVHG>+ zn9weJXBX$c)N5}22D^lu?2BhU7oM{*a|2|0`t`lJiAtN`%Exc84XNj>>fDTz%+T$T zS>~a&sh3YRs)o_V!O}J5z)6nrwA7C>jXla>DvH6Hp7*&jP$CBxpMk(pFU%Flk6ptl z^a|N0K&9w)M3`swkU1TVm}3EwWovd6NT0IE5MG#AfFjF7C|oFWw-^yp=)DeZqt{2v zMd5bzU5$BZe#ePlo)pXO%w$l0F;+yM1Sjt=7e8&5WuC;4X57lg1ika5I2wK;mo&UZ z`tQ1Tn@-$sOEmno8;Wt9#n3%k!`2JxdjH}=C3gOR&~R~b?F$tNfuE!H?y9MXUL}fA z=H_$UgpSrT2-Q43?r(uvtL>e}#(}xHBggm+9g8F*LLcb=vUTp? 
z{+9HroaC>l?uOn9TPy)R+T(rgCJ4leyDJJt_cYA17Vr0eo>f$JZwI=%?b7Z*vzBQ4 zNea!*U-Nd*`v9@Q^KZ}m+tK>`OV*Zv+Y%$s$(DF`$QbML{0BE@UI=xpn%U{_!^yX; zEJ}wHf}o_EJ3(cYtY<+$d_*jpT4KExl!oEcU8p^2!nM!LUh43*r|tdfUp>s%IeWDp1tN&}WgdsG{?@r#^GsNZ)$AuP(1*5nSLysmu+NN%{$viu6;<&Ct*be~hqC zYY|H9uKXeCD^@fu0^F4ZXtxUHcZgkfBEyqkEwtBwH-|l-d0o)k9a(LovF+xC| z8Se23O#1^V4Q{G1o!`>V?EKdldhPrh&=E_vi&Q2Htxaz{H26q@<#765hRzInrKDUB z#5tfg6<}Z>J`ueO@Igj?D=hf$A8klPx-6+z&ugE#*cAZU?Y@4ZoZV@o-0GCvsiWG4 zgZo*$*ioqBf*gh=^-*?KA1hb5ah!}QP$1uXzUkbF__lkjb;#a?f}J2B$c(YE!Dv{{KHT z(lIN}CfC&!RZ$5=mTAB;60&k{8Sr3Ug7Qbde?0@)t_yY^5qU;=*y_4nM9Hvj%7%&(gm!P$|}@*~{Wb&nJz(6@Wwi`F($n3I~A) zrC7(CENK&-Q08N0DMPTx4f4^*N-gii`_ypmh1i?s!hH5L%Poz6T6iD)cMHxe#)JmW z=>kk7LADRW3*%Y>w*6Gffv%{KG1*B1_q}~i-ShJ)eSPVMH9JwQ(F_Unt4K_Ibx}?K z8$SOT@bAEq{r-Dy%7Qu4-NOAE6dS%hzx?DWFO>?Ui@czY^V>h;N)@0@r1U4Ch>0jH z7CoJ94%c*^{ZPvW|833w=xV&yjc-x~Y3Hm1sOh{TsSHX0@$U=|Cy?7OqA}QHZ`;-u zFmdnKu{$8l9(<2*s6B@3p|HbwIRRp-j%6*aFAC_+Wj7U?a<_k9F8)~fUm^Z~W3(}Q z=kN(BUoBL?9mie^fgICVb6L6`D+1QEh(5o$KR74>ZbbGy5Lz8B9?)I%wq#f)7K3Bb z!m(>m#nm4lcyEKk1ps$9On&AGO1*3sErFfw&asdXhf4Ms`UFfCI2G-C#zHUbMG z62pm{Q7FGRUt4-lVVoKlu|hs9Uv|toYnxLwpBEyN)gGK3L&ATI$O=$WES0^BC;sET z{MVp=@%UON@OI7VF|o3-If9lC965Mqr4>cejugEVE-;Fyr*?84_H`MG$%UumZZyHu zxut4belz@9&W&0%Hv&!~*aHB=SWJ8YSbKXC$Aul$&W&;lps(A-iras$mjjcPSPQV@PeXMbRz`L9^=uRE+#d?E_Gkn@ud_$Rbsh!d>i z8!>MGXz7}aKlRCgn|4@+6_4lff%dDm(#O9K#N88YIM>AU&p&S*jt(h*EV$I zAL7rZ7Nufv!(*H;((cP*LdinvKnjn!g*_{0GM3xXQ!`p^;6(=5PzuhmRz~}hPqZzB z2gM(?;lR86TbT+8uFfOc3mC^j+w))-uHJZr@fe%XrNrM!xjvr9t1d*w5TPZ*VP#yz zeeczj#(J(~{0>pO`7M`L?G{gt(1bgleTXL!Vv@mV!lsd*h(j-y;>(*@vxCE)%s zMp2jvbO)jHv~Bmckq^6(&)oHC%!uEsfdsP7pJYZNq1yH{R}u!?)zjBX)WO4xUfX_F zYeagl*y37F-SE_o;?Qjt>vm>-hB6U>N4z{~f_8kAyCv77pu<^%B3`gzoD6ljGq^kN z-3s+M1OzO>godsqYfxl)Us=Y3?Rg;H z#}zm0FFo&j8(n>F{uBG2kavv;u2!m?ikagXa6;Sz2&o_dRRj2pt70BgpV+M}eih1Z zX_5O;4bX5IJK;gbQQAwffI%;)a#sH2hIL_$1{m^gV(%%fS67q#VJeDJa(UD)yNs?m zfa9o~v2deO2G0Qyw?)tYmq^FQ_J>nbjF=2G!) 
zU@Q;Yl2hGB@tciJj#~A_Etf#F1lHh}q>cWFg!uEBDEc$dE*w4(Z>}~b%YU!Fw$V0R zJ=y1&#mefJ=)>GGHX}E*eWxl1fI%+1F|&JH;CSUR=b(MO3(+U|96nt`QBDz71fuFr=Xld3(Y5@FrsI+#9lQiO&T6f z(hi2O&)YAjWi4(9-}f^b!axv#`@(g1$fPm;#f_Pm>(r$)LNHGn_p_a<*b6raB7c;0 zk~_VkJx9fM0dAD-4@qy6C6%F`lfl=s4j7#^KW6FxelD9?ag^d|+T6f>`y9=XJCYCi zlEf@ZqnvBFuNa!|tqGRI#%Jmww@I=`WWX!QE1Rwr^t?WUJ8K7zhXFS!p_8@5lWYlQ zBML|!Og@%bxdAaC0^Cx96|JQwHpnYEk+ibEQ=pL>Uq`7r|S%3;&q&=kzh4Cb2KF*+}@~xm*fiEaAgpHcq1lV z{bW_pTKB~#nW0O6BJXO=D}LFC>hz@#VW1N81&7~s+Ut<{c4nV0HTgXaP+GA=F}cPw z3x^JJRk8b9V%h#CI@UcbJ)R8EDQuA$Ec{l(oUuk1BcSW(o!u^0Em{)3xLz68Ed6!Q zvuR~JhhFVg-mjnc$Mx6119-->b-!s8PYkrJj@_88PlZ#(#b&0_DCYm1(h^-NHHT}9mk%2M*vNx#*4#sz@qk!RN2JFa$epkpFMgJ zcyn2w>9r+r$;sJ(!sZ0S#HCYNsf6v}#A*Mulx7QH5MGGgnNf7TG!Do8tn_45yNN&! zI5^phj10mY_ab18{P2lboJDi_ETl+RWdu5>Xk-C<9f;BYp135+MpSkO{9C^2f_#WTGcwdhk`XT0HOdF*lHDrv4>WeG4r6u(? zD{r8X*IF2Uluu_4(~@pX-f?k-8WQ?N@u8ju)zA=`^^SHGP=`9!eQVuV&9vCmNX3lo zN6bc&rxv3;F2L?3VPL_stQw!&NIC1CwqL$0VXJ~_1BNC97%x+^ZMn5ERh)>D6UMhV zv-GysQf1{(&R)3%E#8m%10*rbbfKGLFGjdVT5o2!>!VXPxyXRTyG!z=md*xG$v5C; zr>~_?5_E3O<1 zx^*-=;%uQQRRT?&M2tIEKy2CbBqncSc62&&?}1CrGX2$bv@TzezD->AKbrcvDf%0I z&p*3lBRrMxgtPQr3wZa1iHQn+GE22=7cZ*_UTzDD1M8uXVPB&azsNa)68vYDPW63v z$eudvju^!4W`D7ij?au zjSD-c-1`S5b2P6(G8>Rgk)v0zVH|SJ&Nd{$OXL-?@ zcA>2w?E5C>Rp3F>y2t9qOvIK*B>osNmV78zTH|`Dt-;G} zN=;|q#rkUROY4kCd6-dou*pb^1Hbo=h3;wRGK2C)@ZILellczsno$<@1GJFq$C>S@ zRy~f%*TszzL;7AhLSx4YpX(yds9gW2%d&rQDVP zH(cq0hrJ|~os@$1uE}=fv+bMx5IeQIiE8);XTAnKA$a+oXnk+uivh|Af`KtTCQZU3 z9NaXfp3&87dr8Wnx(Ty<If_JD5Ti=3 z2X?r{Sm+csid<90m>nIU47)LKcsjS;W6Is$-CRN8X!exl@Z#7nmUk z5@vLS$GDq}>3AY(ZN~q}2|##n)AGW#Sh#;GhRHcGftn}-f!^Lt#gVdi*U$H<92`2y zLzZ&QZQ;pZ9EItZ%X;`UP4pUW1UP~&f}l`Mi|Y!+kH7IhP1^74<^j+}m(>WRYlI?W zBt|c%J6)S?=w_)#*K1SRmYy2nKux-DkwC6YNR&ufr7!rA7hSDZu72)V8din=b5mT~ zF*~wb12p6|LO$yUhr!RSm~)_0pAW`fkw~v(9}idTbl1g*-E#e!Eniedj61`tEdQ4s zEko<|TezwF)t~)v38hM0zi^egi$!NjM{`zq;}a~dl06`sv^Bb3j^#gHr3KnEbgEBt z9cKr1F}*yRyuC!B)nF;^ED*@^mSFG%E+%^o@;m?fK8H=V>|VXeILKaxi}Jt7Nnky<`bzIq|Y 
z;{3EL=PqAaJ^T8SKP|k*TCCYa%hri??i$xTFO?ghk(*YOrS4dnuH;?i;iy@Ovj{5} z!|o>c6bEk1jmuL<_bZhq`?q3>lUFUjtcG$p27T|{ z0eYF4HpO8SN$#6`g*HhFH##3WV9?z_z=m#*@T*P%ch)=9p9Q(3^4v` zk(PRT#p+mM3m3OMpP^LlR78WlMLn&iQsY^E9=`8jWxTY6FBdGkn+M7h(dn+eUcOQc z2l7ssmC2Yr&phuxM3*As*niEBYI1K_b6P4c0+Bjh zyDl4kgr9~mf7J>^?_Tp5r#o!$n#XlnnhE{ypMPlId|w}|k$i|M_)q_E(U<{(DOJw! z=vA?>KXA7`yP&)zI#J{2mi~E{*MX*%zKf8Gm;{r)jUi`r-FNZgsgKX~cKr_8GKWn8 z#)|w{y4Z!!Lx3e}77^F5N7K-D4G<^^3S{>#yI(dOl0_uzZ>jbjU;#d$k@Lq$TG}_I zMkKS`Nad@j#Vt%)HKd|8usBPmC9Bzz(7tlnXD@>4mWWaB=i$PgK4`nA1oeKouj#Y-~nkm;vg~ z2J`45$gDlP8%3SvE0<82|LPd2%t`v&YOFe-Re)`-Kafu;iwS!2(;)6)b9@T?i8R1j z#5(gBIwt-_{u8uQZneZofPEAXRNaXF?i)zihVYMDn+m~60BGa9y50Vzw03e0(DRGQ z%0OtIi|z=Y6diNb^ z)$b!FGiYJx{(PhNw!v%9B(o|f0McE(Z=_g%oebGi(jTaxtZwmOvg{Bc`wppDu!UEC zcEQM}f^nThOM>y^#rW)=hjUlds*glKub92;Be&BOO=rVd?EBcBKM4wq@1$s(Rp-2+ zAXcjz%}7HK=T{s-OA}rZnMEq)_oEX0`o&P@`uK6fN1~2FYPX#fTX=n&Nk6ch^VTbL zut(_LhY{#$I?Z$9NCGZoY7ry*#6{up`x^RvZ)tQ2rw_X*6O^1bKSqJSeRA5Q>~Z5n zomTQS)nzQ>rh%~fv}rkzl>_q#P0r|LL0XNbX=*wSe}WNG>~wlvrp`zs!oVD+=T9Pz zII*!8FS7UGK0nJw!a*GKp2by|lVwBc1z3VIlE^Vb+P3MBh zNWC!;zWNg{{zPJ@fH~DNEcFQnn>8$@?Ama;cG8%$Sl12lL{5>Ag7;}7agMEAvB9RJ zdpK>^MaLsd^czX(p#(#|TBY+3MB=ehbVWTx+(;~JWX#bp1C9lpw?D!dS5xzPP&)6F zbfq-@L?>Ai2p$Au=yg;QCTu&(r5Mr4sQ0zWVl4K*d>so1LM;}vEV|~G@jxK(iCWzPhKc!Xjdh)&O6O}DDP&s zF0Q~FX8p~Xa9%Q?oQHpg9j6%ABp7CAAf;@byY8xl6IrNB zjeWG*ROYkFpEK!&^VSJx?^X$rbhWk8n${|_5U8%OO9PsygeOr=D8-FJkxo<2) zW~%cFBX4=qs7?(R)ky)FF>NP8#(A1$#C(bC1sr>GV_KX*XDUm)^-kNCnYG;nvS`_$ zzT~;Qc0=ZAqP%uv%!`NZ&ztzXsAtF?ff^6k8-}3X_n(>e8W%a67a-X|B2)f6hb-yd zZHb^c`hCOqG&dDzt=M6acgfvs=&S{uZN$VyT(<+n+aB2}R6CC-m#C4?a$;DW_FC%e_%NP^l82AQ%e#h-YfcqAF4r31e zDkU}2cWLg<{h^jH?GLZ9?YHoU zdAzcAKLM9b03>^~4=&G! 
z0#@~mQRal{ZCmO~)nE2p9nhRtnga2kNJ;pqkbvBrCBV{Xpd6i%j(y6xne%obB6-hv zrPfR2#+`otV=D0RjL#XP0B<(**_s?~T2Dv)1;N`T-uRkB(XxE4B+S8o9EC%LBK6QM z*A{P^@Nq+xV7qb%hH-t(vg3BKcizJshhgQKDI;#GP}fyC){8qE7KsBG)U+6*PZmF~ z60uf9109nCJeb>f%zsd+0;CbB7|ZTlFd)QEMXXn1671}=ql=zswwc$J8u%BL-;L+@ zn)*wk{1GIAFps?d?PXY7383j!X4cQ3%WG>{^L)`z{E|P5hKwF*?aH1MM-LyYERkw< zP)J|2WgxLoIMsgZo@jHzT3<4tuHc$lhga5ZQ8{U6cilF*82VWNn);$z;(-5WOunS; zrbL0Hpv48U`FRS>Tn0cE7=4l}3w1LUVO2&)lE3{qabM}s#oJ>Uk7>SWifVS-D1_Ng zKB;CZ;t1_PIU8+LgYOaM#-3tG3b!Ty*=pAew}84x-s5r?;TRrgTeLf!SaLZ2+H)R} zzTUkN4R>Aqi&3lPAsXA0s~7Is`OPQFF*xwX(t+dVAx&OQt_)d;Lbnk1CI53y0H z>l|4>sC#T`%3xO432Vf2a6E~JZmo4u;-3icD^vIV&D8Umh;F6ZNVxx*sk6QP#+iY` zU`qEl7K;29#Qb{kWdK7n@1Lxde9>29MR9|y^!wjPyzr{Z?~BK9R)g99u|f{CKh6FX zJO1VBo|=>CzC_Id1jvVyJDR0N)|%f`$J@Y$=7t~uMOJ;MLNUYh%j$!gfcnA!pvQm6Zp?U4g^G?qRBL986vqUR!Jq&htfIN=ff8?ZK{B?_EFfQVknCHLW-vM60!J)mk!O z03L`SoqA6)Gmd%c<-zw|GTJj~{vJ!P=uf?LtBm$qhn)#RFghnPPNk_*dl(|>vQ*1wG=bTWJ!to)BGLY*q z|BFKtOJVPndXbWgF*9=|t`cnahT#bLjQB)OOW#&}<(=YSn}6Jygg=jaYa|28`Pzec z4%{A;b=ulR%Lc7Rc;0 zF6~yJR$?__JIbdaoHfarf#H&aK^$Ja+l;6D&5{m=*?$ngb?rBQp zr6=b@fPD>(0$QpyK{L2{E=TF+cUevS6+08do3g)xaJRPKvgfkvhhz8Y%SK>1IwgYH z3^z>)7X|m{ZO`>4;BUR$>Ct5@9~D*(<~rpU{(K)!Cx6eS6E0`)XML)N3FbQwIs8^V zCirs>YRlN(J6(R)D|&cwoQ_Rcl%Zhz%v@#5G$$MVEOYJ$a6eggkFZA2(cI+6k`W>4 z^tfPKV`{{QxV5EkZS5psQVfJ*B70^tcr$A#*xkW;kV&bi!JuGiQX*B{rvrxFSC zyyrpnNi7R>37_=QAuZ82RxB*L6a+PTNV zC$wDgtgLw0A}d!QvUNyj$yhJCCxrKvy{Y~N1-^tLuVxMxa~~W9dXwgYs?3ja2K`Zx z-wwlR_wwvekTYM0e$tO6Cqq(#d3VN=3o4!v=W;Or%5EOI4rwq#K>M_k|6fL?R1_pv6pll*>OfiyBP4;(v0qJygedePXT;{TNd)MxG=katS(;TPfzSOFg_TioO z**z+N(I;T@-Lb|;htw*7BKYEA@J9VYumb^VbE{-0i{gVVz6*gl!KKR6>*QQ$fhYl2SGBdCzrd5|iNf5wo&Ie)uo=xfaWd;tusR zB0&!u3KK)Yl}xPV-f5neM(Ukt*f`8TCD6py+@`*LRtj81l@>|#m+SYrZqyrU66=HReZU@Hv*713%y5oiHjfg)Jx^RMqmg(s zmg4#wi%DjmDQFwEHUr^FB=I?Gl@-M%vzbFZi>vA_;;uKOsWBYKQaUnO)_3>)f>KBT zG3wn$jxed))N&ETON9{SCzCGS7)Z;3^zLLQ$BErxZy?F1;|cXRHLmto8{kGa7Urp= z*B&^quX?5FJx?V7yl8DL&I}tV>uyC4!K%B&h4vkte172J2!mk_hH-LHdrX{$KT27` 
zt3kgJMRt^?lY}f@=nmMGY%ZZ9yOz;tKnou69fV%Z6wVU+U+!M9ygK!sX1U+Hm9x)X zYEt|K!kKuXa{<*w^Zdw#Iz1^>33_LqAzL(au& z!X=F(oebXO!G#%SYs22bkPH?3s6Xp+ZRI{b3quRuri(Qhe0i#Whe^Ew=RG!f_6rYnw3-ft?+ve&(6Ylsv>VjPtl_e|sFd=UG3g zrH{ZD6e|v$75dzHXnKRpW|?{4+ygpDS)AlV2Phoj1ebeMRj*S=+0Y zhL$_1Hb@AzH*TLgqrC@Rs1+b~npqYbbP}d-B|Qx*E$VR=3+i2OajarnuO1&L%w5mu zG-Wk8#(VOfZ=PPgkN zdzojb5Ai#?DA}ucGBQO(xVT{_p4#$yAI5qwJsLf?-I;FeGhyK?rJ?rAokWZXs>1x}SOHFyoVMe$g@BXZY zw#f+zVxHS118=MInP!!*Nk-#*bmO8a=VWs2_oY#$T#IVYshb{9w)304w3A-|X~dRR zd6XmxnueE@EQ_t{hraoBm_NJ_m9~vzX0*sCNp9RSID2kYE!QOdS4XEq*doRc+AQ~X@0mfJZI=xEcvJef9!EJn?IVQEpb_;U0OpEq42|2qp$eRyQT zFE9xe#2c72DaJS=CRJw8ZBeMVbzyyRy@s)0 zBa(n1il?;%i+Gt=#9}TFO-q9!orET8*BqBNYWeMH9!4HK`e;;qhrr9TV|*1x#BU1Y z-E4#mVP+{W0c`cK>aPS&&q(ENo)fZspWXgaQ?9)yOWp5v$DFA77Al!lbqzq7U##Tv62DNOR2y+YOn|Dbj_G9>yB}c;mEl z(UC;%02EoMO^dm{m<;^m=(+UX`KZ-C-A6v@dY-B1d(Tfn)s4xkm?$#!##m>sc5%Jh z4>^K9m*VqRW^OpRroPnxn05N7Lb!Eyd1L5PZ07OJ`+wl#%DG3rxK_1bfakM1nJO>j zj~j=!hYeeMKB3^(%mNe z0@L2)co#`(Y^I)cxT)R&IN@TGKx|1=r+=T~)t{P&s5+oa%p$>Np$jA`-hy10-6Xv12VK%uAixzSmv@CqEIC>0|G-Y~{i@>C$a$CuRKK)I^? 
zF`en`K=IfpzU_*kFgGDOD3RQU@b|aj>D?i7stidF^9s=CGQ7$4bw}Jt`pRts))b}D zzT`oH)tSNh()^HY1nGPoy7{0GLDMGw%E6fa)c1=9eFq{~NIV;-DJBPbT9q1L$FW@E z?d$i*hCSU$*_gV;Muen}2{!;crlgkd9B%}uK) z1dA#I52Fl#K)Zi+ja$o)*;0GnO-y^V6Pqy| zJ!5ua<`B-dn_-Q#IFqlYRHwW&>GN5mH?1afrYSRk2RmxST&0JZiB_byXA3PBOZCqu zcYanFG0pBg2JXZ~?f$ghtzOyvX`BLnfG7IIm3ecw%p6=u6~D4$4Aiw!erP{PF+GN{ z7O*0I$t7eOP$c~IHu+%CoD%WF`n@|k2gv$%G#y!(4VQy79)?h^=d;Vk*{VM;yOQFR z;9XI-=Dj4jEE>al-rf(*sLhDink1TYg;yYIe|kX0flQ;eprfjv;rJ^({4(3LcI@0alwVn(_bwGXG_cEiSj9a>_zf_kSlG@|j z6;R0N2Ih_Ta%di3;_`p)Dc^sk^+aO4nsIfm$AU9fb3z&#FH!Jm8-stJnqM4mov=st zTn+2RdZLkYgu{o`gRi}_l@#Q)#e9vhr0yhO@u@t|a~mC)o}5#akR9m z0jJ({8hq%vwC&I!?~g1-sXy(+(QI=3qWjw62~fM^KJC}}v-Bj|H`ppsbwlk>olF`D zHeB)vXb|i+&_3M^Ke8(*J`PcCIi2NB>X80qN)RGn2Ef5wo&hCbCxZjEdGPa|;QPq5~-;TL2Afn;2Q z)`Y?b%DZlk{b76Cw_Hhua z44{nRpLDsSy`{59Hx;q3;pPoIy1*UeGV`+a9J2PVO$N8|Z_h?Sb5o8%%ISM&r?1}Gg19TV}(;(!qR)gxGE3n$*iWAg4OR==J?Rq z$wt35?iT6M=>Y=OwVCzKD)vI_2V_|sx{fCK3wPM6fX3^p~?a(3tg~>R`#%c{~a2%AWM_ulZ zcnnJq<;EN9LQ?$$D*%8nmw!U0Sjou|p@{>Jyc#e+r{?Zj4vcU1!x+H9yE|+_Wsbvb z^f;({Op)9#0`2fQ-rJX74d<2JIg+jK>v@SyOx~ww&>>ykG(ShssBN_jUxI8wzE#Z@ zP8JqhijHk5L6+T;w{AL>l8c6bbPX2e@2)vk)#ruh+{Luowb9j7DK$mx$=oaMtg}kd z4OcuXUq?HClY`-2Xl)z@h{vp$;Mqj}R=5`N7)A`r(-EcQ17^_w`4O8wRYg{ApS zW{akvwQBY+hYK5z7e%xa|G>asdutkg_xIS(in9Lc2mY%;$mg|%$GD9+_`_cp^>eVul2L zGSqSxTxYET4lowxrbajJFRT5Q1rAD2VH0YWjO)AWvNpdsl&MLSjVsqX|F?Z!d1dun zx@6DdS8M5KMnhSw{xg6Rf8CF(<$bTi+*hYSPV-~$&o(Q`LKOMJqF1U8YmJY% zGXWM|`x!O5GCDc;tPjnb31Tz&2m@ z{K;mvRV@bXmcAy1439E`d)Z^peO7~9%{%sK?h*A9g* zS5>2@Z4cMtlsS>4h~?+|+~~CG07_oR&4+mGuN5%w0|exlAwD7U1w0387H9A7$aV?X zR1UIep8-)gOw~1>*T}S1P%OaH_!R;`FwT%uE zGs|Xi=@8u|ETsLoV_Zl4ixh&eq-3*4;jEE{HhVI&MGS9wYDcq^SRm`b95yn5uA@pZA zc~5U}+e+*`3lz?8=9OUeI_g~lEy@)VX%<~?al8B4$9zw~+gN%$F1`2|84#H7z z#2-@VsS;jA%n&*R#Ndo84qv|L?Jws@=1xi-SiEsqb}DOmaqNo z@s9KQ6k%!E+}KdCcSVH^dDuPJlhxh`JG(HP6h>AlNQld}sf2^}buuor#XN%?!j84y zeeR|#&xQnqelKbk$)VDi&BC5Bdv1LFxO#}0TOtVR_0-cQB|yOs9Hw_c8wV}{C}(ts z{Wb*CFP5B}xyRx^AQ9~EBITg93-~@6&B#c5} 
zpuLqeoW@IQYW_9nI{UpOK!7Q#e-JTR%ews|T7TkrWmx&*0N=~PNT$_>v(~7P#>_g{EM>Ly*pI>O%bRR4k+4SBXO`E~^x1ZNp{F+Z1xO-yO~7@F9c$|Izi9QE_b1w(ubW1lJIp zKyY`5;O_43?(P~iNMpg>-JQlgxHazX(9kq|+<>gK^-Bhonhx0m1^k_$#+g0OvS}H|6 zbQwPSi2+MRNZ^K~hc%9EN7L#0NGa<}0a%UGbfPEVvIkPVx>qn(TzF;o+*$f%(QUqK zN4>zInzSE&3rF!#8)}csd?emJh{rFpwae-0uV&+*DYzVX>M>ZV^j-49g8LX=?t7DU zXNoapiHgJE%(ypLfc>KGBa|yWJD)xwNSQI(tm(Bs!^V?zyS)p73gJGz(-8-V5i}Iw zKbdYv&{@rzu%m1}K=r_p}5jhV8NT}ye28o_`wJ7py=WcwfnF3V~0P(gu^&R=7jgU~g% z)@Lw_zb%!(vt=Si=8C@Jbc%>o=d&w?JVOHA2^Q#HPr}a+`RQ|aCNF0=ssKYD4@G9+ z3ybv0p9R`?GN%6wBHlxm|AjfY6Z;PcWI0m%7Z;UQ=Ld2c*XG#bRgstb_JuP$>mtE9 zDGBOJ!5&TAvAiGFMEhdHKFJVe#R|wxQOQ&ACx#9;5|yN?$~G5V;`{kg>mgA2!$(?^ zT&)!bLAx(xeMOPMo%=`uY{W~U$G(uibm4xlxSRKIxq@QCepfCuq#ep(krjG-bBs;} zZnqIM1Ylrw_UWcyQk4v$qjKJiCDCNst=9DmAH&Ouo&Xh}=;Ah2y>Ndzm(+A3``Cz# zq`B*BiEc}GcD_K&K{d=-``MxUq7YC~61m(jHT_*n|Q6if!Y8pIrKO>BP8wC;RJdg|iJ_<#D={YQBUCgJ@t55&z zky>ss8C+eP>0Dx|oxhWInlkDPN47|<()MFM2tZQ~RgLZ&9WcbUuJ!Z51E{%u8tg#Z z-Ik5^PDngFpIivgHr;*P4^r%e#KE*6SK%Iny(P1lZBHjL4yV1#-QIrYMe;>9h`zCN?siS?K_bX6*nBy zgd?jS2E~&o1#K>8C)P}5DhtG()&!%cIp0qlUu;!y8quG1*JbX|6SG2>A))fue*VLg+&PHGI=`e1CdE$sw9aXc>h7p} ze&6v+A6lJkJ3IboFZh)sy5r(0@m_+X!8z+o)}gGvZh?ULJ%!or(o4q=H0)7-X))Fe z3DAQDQQQhJi;+z^xA{XW?H4&~+*4J>`;XBMrmMvz-|h{+vjzxeSh-8K(0thr39omY z(PfzMO)9nG#e(2~&sIpXJx$3C2o)_*m%mG7{NJg1kOA%c%Q)Qqr>W_0N?i`S7&3MsXzYBwBk!sf;s3ltdyu*Kkt zn|dN2I|vM9I;gdF-&9J3y>rDkh;;o&Ibxn@+ilgM0ikE3k8`bh5A>6NYSrk_{X*mN z_u{>oTK9!Z_$TxLc`E9Q0&YHoTb0v=Y6G|-MxVsnccg!WhQ{(kxrf`yWxiaPMGdHb z$fuZz!5tZLiZ`;>7Sy8BaMcnvM2TG;+1wkXNjV__({zbGWqsFjLuU zuWr40NQT%aq4dz+?B&Q#l_T|9N?nkpQ2YPRa9*OmxMp?uNF%9Im5ZqI?S3ey8f$U) zBwCOf++g@r!QaY|T|MyzC6`qc4oEZG_`~sERg=rMZhnP3-IP~|xj+7j%b%RfYK{QF z>@nPgpc0|?fi(+FhzucVvGC+6zIHos^M3Wq6i<_c#`*c8j*eBCgW`}QKI=tynhU{# z{!QGMW4bU^HDV))SH-C=AGD$P?kyj)l~>hQb6WdQ*ie_bM#*M+NYwe5rTRgE-e4!$ zA3ith=cyEJga-UF)_2jOtUka{72R9)ul$ecd+Ln|hu_AQVKOAo2Y+IiM5w7~ndg<= zo(J;yfdcjj1iT#HXS>w>1IUYe@(HaUx1$+dc4JW!oL9(X+aILNH(t4QBoD*Za(1R^ z%SV+r9Chk6xC-8c(I^4GOXO|7L7e_rD; 
zy^kX4o|E@4cA{TBUZ-&?Rm5GoRyV8NnoMz2>R3an<`sVzfvq5D6mn+Sw?xgC<;I8G zC{Q1WvJyH^$QMetNL@oiNO==S`IXlj&xvZKpPrlp;ePjjuR-F$bewBftmg2!yH~E7 z@P&1_scQqyYcJE^uEg|cL)z7b(0C3*A zy6|-u)uB&3iM7k|6{^*%VhXnA1}Z<6?v#3Zq;Sdi>KSFc^mZj&`uiVQn)KV0QU4c@ z%JK4FPy*$DmT}A?va9n|c$3x+1?49N_Y0pMOCpqTjlJo^lo-X50!VyVn7^pBJqIME zFB=Xf7RVQ<`^Ix8ugxEi0V=h8en&g7)xThy8Ll0pFWz94Wb!5+zc;?LvZe^X?u6dn zKi>3(t#n@ZN_Q)j=l~+b(Ad~AaG(A7p6pC|D6KqlqN=%*YI@j}HZunF0@_nu*ladB z6807R$BGMR96bJi^&>kAHY+-il`^E|&07(7Ei1f%rPZh?n7=&&12tNBO2FM&hD?W8#+#D{|QgRE$&uKkq8=Ah1@ z#cdyJd4N2F#B8P~=RL-S=aK%%{C=fA@hq5l9BYK*L6|Di@wr;bi$ zGHae$R33iZ+*kQqtTE(72*-K36+Qb;+$SDmE32Ys#q2S^Q|Xk|y_ND47u9Ey;Z^5) z9>7c`BA}#YtTN`z|FlUSnI@St%fZc#OSEEHFZv{)Fr^vg&kDt23Z*w{P0y)tan^QS z)=6VP1^|GW27FA~+b_Zy;dE)>8l{dGA>z#6#Ox>I1lADPzKWXh2ptV}i=;ECJT>AajMnxan z?!eGi@Of*?!2TO~-EQmP`$Zh1r4~X_K>)hkuyt*;589oSt z?{Dd`+1ciD*y+XkxY5RnbBxr`*eAbdqw?CVn^|@!pDwMu&loOn zJH693Dmw;0@-KVgL;H<=m^19cGHy1-d3pur?Aj@mre>xHppScf>sIH(4wn{%wLf zpTeu3TjP3{mkniOu7ew}KPoft$!~PigGpuZoh8U_FoT(l3gI$86DYTqx^{MUVG%-& z#e?cR&(Yb;`3}gCFNy4gOSJJdB(br=N7580u52VuIN@p|zDF>K&-S9S;y|qXr3h({ z5r4TcN4{lP-VJd-{NyDIKHjCu5&Wc%Wc4-BYzdO*=?6Q-@$0vYpsq5LdFtD;mGYZT z>SEwQ-1os49#mLJOHJrGElv@@y*3sv#HWPmZ@r}4yGFPVM}5UNSef=-M`LNuiB?~P zL|vNe^hRKX@c5r{*T&5Z>yTKo@zQ4S!SA#l_V=YIBZm@F8+5{k;}n22seL>ez6H*Dt=$ zVEIlhOFYT2CRPxi#P&@g#>?dl4LqUFJ6Q-0=}YC7g+ZK0_t`-Cm)BbU%*{Uzm-)f; zmkl$PhKIJOzpgLTRn=SaLY738dANWxqv#CM*U?Kn8A`fKFnZ06v*$+_L54owrMJdD zBFLJ$pfWji>E+cmpom#W^C~Qx;^Q0pkD?@mxJB#bQeMS5QZ42}^R;r&RfkQnnHKAHMuX^fPXTs2JWby6Ez|XnHf|kXUfXBN>b4u^=9W?}HF{o!v{!&L z{4h)M3`6Zb8u@K%Yx+75gb^Fvb3Ly_IufO4%M3a+1Jd}*t}S^|^wo9I?2CETaA!1JnI`{vW#f@ZiUPdQi4AEML_s3**#CXb7-#gB7UJmdwLMiEc!-e+) zc^XgOgkpzf)63JSp0>TC{rAIj2zY&np|+KyO@hRJ)w9z#nzDHVLi#Gsd1oMkkmd2Y z`b)K#;ffHby&DfjHLydQ2d(2qp0DZ!3DwRr*cymc*=kMm_4&%mlI40Nv!ym=3;u{L zasY^3Q0qDh&qnOnSLCwZ=A-|sU5?S@__U46s&MucGd7tTv+lXt(^CqsfIXJL!b$Q& zT1D^2TP=a}9@O1z#?x)KM}$iFaxuj=r`Ol|ynl{Q;D5+vMFwnEm7rqTdE$<5(h7U2 zv|KRLSh_lij@?MXzwFuBo|y_R><`Fh#1)Ny-8#@*|6KOkvsFEfub9DwN;~{{XVFvQ 
zF7z4LbHOD*mlnAh*DzStLNpZe=fqJSHzc_XGp1Rgz%eMI0x?k{d8-W$g(QbB@*IhO zozSx2PpjirZ9Y!80#KHZsR}-xjwe>E0n;sJg!tbsn&pEa#|IJROtKH1jt{mlH#g(n zPuLZaxNX?*Y5Q?r4z?E=ej)M5XM@j9*(M1qo=@)Rt3&L4w1WVt^GTPD5WO4@{5Z$?vV ztsle*HfO{3@GpnTBh^dgJELmX_wM@KXAon$FHL@4yDoKJ4H%2 z`tNsKz8XxoxL`L~BG(7kC{XeFnOx0gP}vq4`-Y=o0aWt~x=@BWEBmvNb++~e#m9(a z;!wLjgSJeXV2o~A@_uQ{`kJ8IXvBEO^ac+~Y4R1p<$zonv&XS%>rJjN9z?Acv_rnp zu}(~DSdaHS_<#&*-^Vj;tjd+r_G+s1!j4@?nJqH2UkxuBHEfL>4x_nEd}^Vi%C4vP zR_5ksVDaa-XVtyD6|+nh>&g==5ITFhP8iezonFfW0q*Cw z0V-YPTAVrO=Thsf5Gg13s{{RM;H-S3hpHh&iI$I__MhoJrM`<~Hj6!rOcDDN7}NUF z_9|o>;%=NA_oh5G!s(Flc}u!c;0C<~1pX0{5^>HuWw^OEajBe7S%csuMQlk$A%`mC9~5;`(NW=Q-eQmZY;WXRnw?0@#O3ZH|%Q%`yAvn#go z0v9HK`JPU_6#=<<=JAX60lL3b3L@-lKnyXnAOhRx>538X5A^9SejE=m^DRM(dCQ}R z-ej(TiFY@!L|pW!p)G8jK!6dN&YHj7YDsi)Qnv$REPq9%APj`)IEj{UJ(e!$lFxSp z+WcKuEO)_f4v$siKe5JB(ljhZ#syCJmF_jD1O&5aO!!n*ev6Nm&K9sb;#gbwWxgHo zVj~T@tjdGbS`^YUl(~q_q;kWf;D^*2+GyIegrLG88%xOY{;-?R7;{0rR-*` zn7~15r92&lFuR}HKhVR%Nn6dU=IY=n0e$$+2)2t0Z+^I{Y%+;@(xPvu1ZQbM2@A*) z3%0Tw-bJ0eV3!1Mh%UTskuSVm;p9I-z9)wjHFQs0mHwmfIOP_E3ALhBCf9-J35tnl03r>zLrNfrq`An*`5Nh7OXafvk z&Vmb}K8HGu?;aYR`_AX0LEH)lCKJ<&beKl6{f!~dhb3<&Q4>~foxH$C z@^E7nxhrIt@|;aV4|ZT#>JGPN1ElV<`J$gv19E2xqm;Jo*k0$iw>WvPZ+72+`;Tup z9{ksWpr---!sf%>h6Uo?Si5~LW7BJ08L?MdGLnDUl?Vw_A@&6{8D-KhHo8Vr-%;|5gIlNaDf!yIj3@yhrryI5Q+*A(d=Z z009%b4V*$dV#mMnEej)RZx21v`9UPPiV~}ZPRP)NNMPOb>l6J!g0kvNtx_ov{*4Oc z8U2xhHj_EOfj~~T9{UxB^leKE8w3ie-B~4vFDoe;Btzq>#az2xRb2Zy*tWh%7f>*w zBON7JAc7d2--)3maig@k@%b7I6@Ed(J&2x~SRYAN_Z^H~E&PdnYAF$7{-ap8?$aW& zI{bsJP;{h5bY8=! 
z{@_Q+(|Tb_z#dpLTk^bOiQ{;7RVi$eQSmxY;IGwboYXauqg55~cwYEO?UP;qxuHbS z_l8mwv8HE0uYJ2|s`2F%Y>Zo;`=HzP>MZG=j#@#-443YT#H`~0CwljcQd-7@57Lfg zh?2|gyIOK_<(I@M;a8t|WG;YquyZ!wVg&(nr<#fzcbr9Io?)P~S?8j`*aB=a_R@E< z$uCOxW>oL+2G$aoB)r>%C9!_ECEG42G(mEoEnKdeYXwQonT^7!$n7x27VFmbq@3k~ zb!zq~nNNU~ZD-<_a`J3gPemRY?s2xGY-;H;I5r;>ol z$)BxQTK=!wnV?TyRV$|4I^RlrY03+C#@_U>VBm|G)XOizfk3JNlqWmar)C#1)mBQ3 z4^;_IZYa-jt#g7s)>sEPWap~zKwtrL0s|DA7j+At*n>VGc7joD%T$4^od>|>moIzL zFK5O#sk0JXJjQ}m$eV6!fJoSVYC}`!p}_EUGd;2_Z`GT1kr?PPz};hDfFGEZE%u}$ z{_|h9B_Z+?{R)gLH<&stw64oZM}cKM-rhoC%9GtT1fzDm0#1yQnX0u;L>z@jLWPm* z<umby+-vv-2X2(Vu%Ez z<-`#lu(NAx#G3tcUVhbJqC3WYj{9_rga6FvvUt34N;E!+P#ZUden9JfFK+)^$ zG_smp=o@BbBQ&LbW#STCPZB$;Ph?v(V3U|jAdmg_I(qoSH?t1)trXnLOIP;rzM0?<)lT#$nFN8YRx|Ou-f7GnpPJ9WnsL=Yg%E zK_g`d*8i!&0ORg#2?@{zlj<&z0a;^oXS`Zbe%utsN6330V+1d@!kB+4m2&5Y?hfK* z0iG=|g*S8x50{p@5t=X0uGUgVAIwngb71|`+Lmz^kyJDsEB8K-Q7`vSjUuZY#D91= z8_dSb)e*IWkW;`Z3=B&MtL#NKPF&Um=@%rSl~{+Am!TPCSrZD2A;3PV7!B>K{5~@Z zIf;QvPHy{5TNrU`^=Thd0OazSM>5tkg=lb}>o6$Y35Wglexk-&AXRIj!3s){+s5qS zFBTvmh*;+0?C{F(_BWdMR}w#Vbiw7D0MYfe;)*c^8E6F$SMAj7;fV;NtxjA!eN}NMfcE{6g))Q3hSU#|GU78wnw;oRWpOG^YSZuIB85N2F48&!~I2GiA z%shfhxcZnWfn`eBX)Hjme+;#8AAY7I1bxwmzgJC^ z;jF_Ve!Y${m~ounEl5QrV>i5QzAdY8R40(O3GU17wrxVwx~ zq2?fDl%TKb-K6vjkL3K5>HEAyY~T)iI0b9;u%`)Lv~jGbz=xD)p^rY$%RZ#89`5g< zCNCCrbbZ2=v!*KJDw)uU)cM#@^l%S9$dFohEK^a&^`~lsBq?mQJi(n5F&3a_NoYIG z)ar3$0FbYS$7e-fnsD3pF^r!HqlBz#P_9aR-c*I~NGHrJ+ZFqt}~S z;j}%4!V)kkjh_fmm+v+6WD0&-h+qqAODA+SeE>kUPa=DdBxMP4VhS<2!LQv8c%wbY=L)}HrraQ3vOhpSjCnYA)6t1$ z_@UO*BVrHH5Cfa?t}G&=X&Jf5yvz}RW7DKHJ2>x}^QvZ^9tNSIa7NbooNhSSq!Qe@ z52Cok{8dPQ)VBu*)4xr~FTQ`45r3Qf=XDrFhhCL%iB;Qzb}ILxEm181^tOXz5#k{a z;drX7mDoMNKCRE>9POm4&-k4bGbN6_y5sv|xGrVHemY!S+$y4>mS2+SL42cn7C5Vac>YdRAcPTi zzSz#FZ-jpBV|~(au2;_=hJRCcbXVyct;Rm*hP$43AuPS*OtLxFp{~qR)ajqmFGay~ zZDGsJtnkWz%7@Z48x%S87)DEhRQ{tj_`}MkCjFUKz3GgAaGN6VYgs{hy-!4QWfMlT zyZe>vg3+{Xkb~SGSbn@}{W5S4Fsi*Db}BAdu)p1oZchez3(*eIL*a%5z)@J!WoXyW 
zqpJsZUE=B<)X;_h!k4ur2{V>O+tHUF`TcE&^SYtADI}gZM@EhxuT`4Px;dH6y*rJ| z0i!w{2kEUp$MB*j>|LDYi%C?L(yN_XwQuu9$`ih%bFTxfO?6D0H;HCM4N-uNj|3Nw z7s=n@FDPdoM79C&Uwx%GJ;`K5gto(R{~_p*jyP|4f1t5)I*IpNoh#LHCww^i7;sF(|bfM<}XEMZcl5`ee%)bZGWS_!ID+&LI_&h(UbtHb z;!ZRQ#B(_>h!7frsS34h_sjS8+jL1D^4~VfuWu4}xWxNib68WB1^WRihwwS`D1B=R zMjWrDLwn}$>@RULguF-#w_f~gRHTv1w=|B`O@A&Ovi?nOEfVz_xznW z0L9y%t9K~s@$PEf=!s{8i7ozz%H934O-{}G$Z%y%Nm6H1OJ1=UpQLl4>sH5csTzTo z*pJwD{H&_UQfsB&g>h^ex3BtsPgr<1+J6_vlfOLc6>b)nFqWq8DD2&n7rF2;NZE!w zYjQVVY&V?yad249PDbEO%|67TIM%j=V?Ws_dv1?)l;qwU6T)BYSH)K!J6OBU z^xhp5Oz+CA%c+x5)+)peAhH52eR+{%`@iu$L%8NUuaREsy1uSFIDJ!yk3YQ74z28R z*tH80Fx5 z=71|obVfcRm(GM;BtJ_?l>FFSUcMqiK6Y)+Z*SIH69m8b@(~!(KBJ7=HR}vpup(-lV|nLzZd)67M`-IBQN}+2c3R3iUI$#|=VXmjyZ#n=@ zOGbZ9d~#D(&-H`M^alFFKneym-*W1GeVS^!fj|w?@47*LVDIVC9z0GFSZq6xMU$Do z{s*p_?kuIT;V^TGTJEpm~BzDrG`G-chI7)4W+0zOcNAto{ z1|g58SfcBjh4j$;n3wM(-N+HF8p^A+XvEQiLM2xU&-K&tU2a>knuYa3oL95meW}Cl zx0-L2AxGngguV4KcG}{Xb#9?!aqZEbjDS0;3wx0yZCw+bgKw&oCpgBx!%U?m>J)7i zo8_Gje&)ptCel(GEiBYU?l=Bjp9v~(c*Sn;|; zJ%!B(r!{c|1}xi&)XT)=TOrV+{+5hDVE2ggfR^n}32ec21f^RA@f&|Iz3=&Xmh#o* zbQ>xEA-(TBD5z{tP{=Am(ru08)q}llm(xQx!faRM_s&M#;xiIoovoaMt|2{?8D7=9 zKZOCCm7*hGqDp+dIFi z;u%#X<_sy4L=LLu>}jhYy9Grf6;dV| zSlWwLH?#oeo;DQP5($$HcmYa0?BdE_gKwBWyq|Cq>65y6JChEL`;)ep{ULK;ov(n~ zyiO#OVPn}=><@?!JK1lU;Z0p1Gi`s&z-A#?Zb)qlzmM4|y-FB(5vt2Z13MLMZeOh0 z*se8TBzn+fyKag2iuyUv@8O(=Q{}GGxd>%a^rCcjDlPxk^@Xy}fJ1T<+hJ%8q{Lj7 zv2@KT-hO7&lJ1J{YzGYGdneJR=%4ff7faWlzFv60(ZzjjveMJwcH$Xg7|^I8mjv^> zIOj&U2Zw*riGi-ueX{e$-)#PSwNS%8bn91^R`E1Nb8ZFBzlP~+xXN8(=5uxU;#?8- zY5mtu<(%hrO^Hw0K41aJza0A^GA++7k@~YMJ{~$(fK*vY$45It{-fi(z-Rth4b(&g z@0Ix*=Gxa>t5!x5!f9v~n$MKw`p-YsH&-toy}CXl(w=O6I}!aJocP(*-%d5%Z}QbRe`fTSD!B>vH6+{*t>r`9znk z^&qgA!X7+@A)7L`%jkf`PpnFhezT82x?SBM@L1AIf z*X;8Arm*V0q3khD@u7o|B1N7)n=?{d&!`KCuSJ-p#ie4T9o*+PRkrs-A^5n0T(i@4 zZgIV0MH7!lD^=I^z!<-?;mHob|2qEimC?_ifbsH(G7q>qMf6K!J+f!gL-;g^f4Od( zw{l8jwv_9uLQgl+Tqb}mLpyJ8q-DAJ37@a&Pkuxfp+6)Qj_KJDZ%Cj2s}O^)hIX_g 
zT~_-oZ!=->SW*oJGK{rwH^m#R@6a-7tRFOMrT`xTNe`3JPIir{tV64T&? z3_yZjbm)7%K21ipw9jglX1h{P{l9(T7|%vY$@&(|T##lG))9K#JBrjXq#zlDRuKZ8 zZhNfa?}{YG4#63CrqjNla&BMV-~qHpgITmrI6!fHnG_pN2vLV{E|jGxcMy#Z_>M4R zG;9qv@dW+2Hw5L!`(1jl*YXS4`Kj-DP=^+MeXX@Z-q=y-()h9(#DU7sU}mTnZKa7m z)eI<7>dkBtoLHHOsHlKYn1KJ<4HExP+y8iIeL6zU~6vAtE#)<6#$fzs>yN&i;X zPRsod9)g};r(p*N;?@uF$eyq19?|2qgaD2J}3J^E-VtPUhk1Y6B{S#>e_d!s0 z0BMd7pvoxHlthU@ZB2Tj)jWx41`MudDrUNv4j`F4q(zWi(S<5Wk@sBDt@KA#5tPTu zGXoZ{eu&*hq28gVxnl2>H^mNUzbwiE)0k?&=?;2$C?j*}w+{?&9TUqe_u3{!2S7_D zS||^yJDw~p7F9~niSe)-446MI=0U?ot>r(q{ur4=b0TWh*=4yJuIj&K41E` zt~sPnKJ?|ZR#!COrBro0mcu?INq*IKHd=@pw&rb0;ml-7XoWEMR~tHixWTv?uQn0< zD~_b&?(oEC=MniB0KrGTJasw-b}n5w(Ds?MCYzGg+{wjy>c-1wW^qr$OXV@aaGsp6 z$s9UTPvJ0?SfId7GNRc9str}MgZm_lbS3Go!ufz5xbr{Kpb^ii*=5;HI#DhebEV1QThZLaN2=$inXMLIp&Z}-TQPemgfvo8QRJ4J ze+P&CR3ETVRwe;)PnlGHt98nV;*9jc7DU>yW@USLar$Uf@Oafi4F(?r#NjC+Vmz=Y zi26Rps{2cxiw^W_|8XS5^UQAsG-SW_U70^gb{t1XIj9L$rv-wnE2X_~+O*D3{#DYA zx9%u%UG;yzjK$spEOP0_hfH`-KYySwfWUG8J>T(?>&{*H_yZcZLB~;*psYx9iV7kn z&=1GE9A7Z_vvReQOq7Oy#N1WZTK=*L%znGabsYMI^Map!YpW^zsNw)=9=MTp=0cHK zVf})cnmF@Dd}mBY{4vwL4peo|qVi?X;y-o?#p@x^uI49~vz+Bh1&5ALX@_m~BlD&D zyot0#=I-6nkOH|)r{4xqHl9gA{u#5m1owzVY+?JJq|rRUwUo1{7iZ z&5&eyOr|9DwrxNg(G;LMU^Uhm@-sX$&~XX!f!WR?k;ip02|eCp7X$dSAtL`3vfJAW zxe8muOv)_I!D+?@12;WQr7#&2NKN(uyj z>yEw=Qr$=~j!O`RxUdgM^}-EbXfQh!t48V^ZIRQlKC%!W6iOBzk-I0h%7CdBD!p1zb~i+w>siJDO-!p5hHZ#?&J_bkk{C_7Wde^%t!U8G+Ra?=Sd+4L4{?Tdh}o8`cu=S}bM^nHi0QrX2>EwKa0P?*At+KYMk zjqJy>gAaFCe&s|RU@EUI%0{loi|M~3lQWjq&w%b^2kg?Awuim!xyO|^mO3;zpwVj* z23Gm8&Y#Na7bM*dsO|LQVw0L}fi0eN#+fsw6$4X>?6Z0rjOaei=h9*ELBT&>mf}fT2`nNanH8z^Yu>qHR9C;a@EO|4sHms!DP}7X zQA)Df)W@=u+TB1{u9V_=d?fg)f3NnzGI!^C!YRzLn0NWXj+e{O^HR~+8h(H{#-zpR-Wg+WFzAeAje9Hw$#F%5l{q@MYbS(0KLAxskb4 ztwR1<{`I_VFJQ#g5)Z?GZ31w>>^ za!Kmb6L3(=!W8GS=3fLe=BTxcM)HtWQO^DVC*6|5pSE@yLkZ6}MqvL@00D-Y9Q;Li z1z}=jKK1uwCN1aS7{IydzLoN$h#l-QoRMp0Q_FtINxN6{-d4DifW737x{j;--AYi6 z<&dw*vxPXvwNWN5`@Tjp4>dH;a);;Hi-CA&BV8&a8hf7pqZ$hqrW5^4I9S^2FEtC~ 
z>Ky-`DxUmzX`d31x?(dCQDLGEmSy&HxFtY}52;!wVxjmO`keT#Sehk+Z}_Qr&`V!v ze8Qm^fKz|VX~lT~&W)V}h}H@Q9|VJsqV?8fI2w6N*pVy^)n~!S-JAZYmUEo0@rL8L zM%9rz#y7ol|Mai!kdeefyO_;aX9Xy5y|B$^shqJxdzGzdqJU4Z@z%I_7UgR;p*z_5toX!xMlEX(80YZY zMEH~5QN%ndz5>;$k4 zy%d02cLTi_nP*74plsFm32(4T4)?fodqu zp)H0#XHHjGEl5V&@s{37$NMgrGgPYCs}eX;FBkr2a}n2L!s+J=%c7vV*|hpp~b~>z|Ulb#BP_<{sUhA+D<*l+(t-sE)aDN8=sm^q)b?p)01)?zsk*W~Mt- z?QUKG8$Mdgtr~<90p9!a)l)ERfRrVqdIfN&1`u&(e;)K%9Gw^LkcU=h8Rl`XxCEd0 zx3Cc9aC|NG6zv0Qx*wkG>{p;|_dstWx=)4XLuXTV0D{?m4yxP#HlG+Mf`Xc}`%vJ@ zr4H$%BxNR=OCgH=qw+q92Oknk^*!}e5-6(+mND$ObLLPfT9|SE*jn;c!7uaosRn}| zp9%XGdf62iF60HclP^H%{^W8uLeBmWNb|7nX^0?zL zrXvyk@qqIX@~`^>-biSA@bq{sI`z8cYw0hd6+o_hc@b<)dPS{YLJArfXnq)YG$1Y9 z?j?=8d!P2NHrTMI(>J3KrxEWk%pZs_?@BZ}<|;*j$?)1uDFDLhWPoHJ0_(`(hW5RP z{KeKy;=%SqYYxo~d)_P8irk&Ikp zy4vuI|5)C1@ynD9MS4T>Dr_3rQi%ROMb;9AU1cdH6%QB_X7*~HXSbCm1xFNW8e?H1P5%=i{bT(9tOnNwPT zoQ^XK#DFb=xD5)67w|p4hjh{}z}R4S13@jy(T)KzP0J0d5?*;QrbMoUL_hmggIRH& z+-R8!Zye+n?YnLlYXf6z?$_x!12y0W2RAYv1-wC_04pKQD2Mt%-L;N?0I5$q@P#2Y z;7HTTa2wzW{|M7hQ5u)N)Lq&7gfxmNY#om?AV5F=jQhNy%M?06#l0 z&||{&n?UN0qyiSa{8BgwIxkT1D+Z4PL`d<1LP1E$WJsydU;oxqGzI&r4VVq+RZRIO zv%(v(ppRttd)NejYk)~77X`Ud+hSrxEP>Ia2aJH>^qXH;*3zf?>38uCL844IcLT`o z814pE6sYqHr%=EmhlY4@{rmCA05SV6b_8aO{gHw{czABV>v4u$;3E)_Hda>ar6}9C zfWu0j0e!AVOW-@O(wr8M!bSZ=uVPl$wZ{SGMt68Jpzb>P%-!K&H;!iP;G z?R}SlPyW9b4ofXgK=O-1C18+f=uk;^{t%6-xl+Tp8_D}x1h}~BW2^4JtA`w{f|`9S z7K|P4Kp{|20#)%+za8U)5llSKU67Qf3PEm6nSR?Vuq_+9tWNAEP)I1_%AEALN9*_g zHKCc41EbZeiLX-=@rUD9wPO~u^}H{kA#)up!u&V0?qVWsMD-q2YuUD9NJ<);%$)U66}i4h2UnZv2BXPuhdhy%G+w_u-`2*0e?-NN?pH?npR>eTR;fcYboJ%FCb;z4C>98$DGb!9*J*9au9YXvD*Ohcnvy4=b^!s ziBW~391T#DGMf0?Lw8b{tJowmGerXaHNnB|&IN{d$~Y>2uHQ;YJ-vY%RJZzAI?^g) z7}ynn@2?q0dk#EG4No^#ipGTc=!=ld;%F`#3vV#5u-XO4h{57)pLo=rV9W8Pyy$TO+6a%jkdw8R>oWWxg zFk;A)2x|AvJ4DWU9|++88lU{3jZ;7>r^Z72@Z6;it59}df$SczYe0DaNUfITh%Mmu z82aJh7k*>v^5u7s&6jMrpN;3~73c#RaIcm?&40gEG$@i~fO{AD^GMb6zrMqVqF@m4 
zUOYIu_JsZ8huqE#Sat4naxGHAG{^g;r+;aY$wfTj9Rt4kYQkSvYY_uowTeIhsEN;Mf2qbT#4p)CKrJ=+wbyi-Y6k&u70Q?z9(dj<@E{ zCjnA>5-^w}{|+WeUmatr(8`06N-!Pcir^1}-}z&^ZG;@kP7ct$FFjl&)&yx9$3$RG zAA%E;&zw{s&Kg<_%k`xV%bWsqiTApia2q-BNA2;$YxNN={|{)LVyhZ07%<` z$Mdk86pPRrsFQxb4dQlSD&+p2CH_6Y&;{UAPZDaXn_HDhNaG_YY#zsePXvaIKilbU z%+tK--3Q300JfeGVERe3HJwZjD}6wf2j=J!93O~dn@*zQv5?2sdTq#349J|t zdylVgVFdmK-VDhFLh`-PnI^oW5&Xnl3&`$c^7=d<57{5!Yt!s-K#?NL=Te8?5P;6_ zTm9q|6^2Cr{PzMKK*M!>dr|DPmsADg7+2{Ou=d?9Nbd-6QekU3r$0sVJW*4rz&%^xOi#7HzUHQ7qsFl7)`jLuWv;0b`wM(+2Ro_2oM$A*-5h zr53@j#cM{e7>-7CaOU3vA-lnbalh+M`}j9Rt}XJn>OqlF@8VTF1|AR$4$^oUr?Z0o z7^C&b?@I=@t_!|i92mF>#oKVCkLDrI6ZP_C%v#jqF3HlkJ8Pn9y9YA2P%X&zEG4ovEukNT^uR49E_9!c4z;c0TYT zF?+}yg!ZnXLsklD??6sj?*|K{J6(N@wk?p#Z;){B>4|kW(yRt7E&4d&mEQ?mMoV

(=WtOZ#KGW;fsu0HSHgqK%4LP{>!!1;YY}6a zCU93_%TX4E`MZhs1QFSV4`)T1VQEsaHmebl?W3R%iFKx#74PRJlc?^oxw?AN_7vMQ z3774f7VN_>8+|YpbRM|03KndZSaz0;{avn)FoR}=%?k;WAwEbUtr}dh1#XYr@b3iB z;3h+AS$BryA=`z)E+&(Rx7QWZsDDdQN+b}F81+fmGWS*X%l+#&v`RWR8Pho=vxYw7 zor^{@!dJZ_Ig$2+q00$b^R{!Na0;6Lx-rWp`kh}kXm*It@H(>fCR;;S&!+_F z<%;*g-uUb%y9hexutjGc-SfmF9i&QA84-};`7gPIa?t}F>IDA|MuXQgSwVE3-A$aA zDe+k647~XZIzh^}+I&6*B}NeW(L9T?`f;O0W&~nSx;9w*!<~IO=NFge#OCZoK6EP3 zrzVI{K7{2M+=>(!9Jg72L={Bv*MX3p=49 zHAAH`7RiHj0;NKcggolJ6D2w zaHtCt$X%$8)1DkKZS6$anj=3aze;^CfkP%Cs)LIvja z@h>PaZ3#+FzZ~%4P97M|U%7t7_FHnij>TngCj_D?hGin9Z}y63mCx#$DGX-|5Nd=? zAFVP!i z>q<>qU9#RlTB)ve%Y-bRO*LJ1j1cQ!rJ6jeA6K-hc2$9XzPz~~tkN52crA})Ax0#)&sTk< zMyq&ts+H_{Ej}tZvs9M#ukIOL-FQ>ZG#8`OwD?sSS-5)PM#rpA zQs_TQyX4^26#Fak^jRG|2}wS=ClPt$uX&CdMSH;5kakworl@D1$8GZ}bO)=C;g}Jh zqHNZTnKUSt8S6dI1MDus|1_Kaj(V~jhtG8B20oc2(3L9t0Tl4N0DKZ0)&1(b)xuXs z-F>8q7Wez7SM`7zvU>{e;{Yz@S9ULcTM+j~ zF24_#8Z`RBRnPYMubakVhxkAKUiq=oG}QmP#sGHG>fhHjB<(ZeXNZ?1AWpFU>ymZ* cvwQweI52R(7j*6^CjpnXh5@cg%|7aX0e^o#-T(jq From 94c455a80e8a8f624d8cd71c86411101787d0d8d Mon Sep 17 00:00:00 2001 From: Sandeep Rajan Date: Tue, 19 Mar 2019 15:08:22 -0400 Subject: [PATCH 41/47] add section on upgrading CoreDNS (#12909) --- .../en/docs/tasks/administer-cluster/coredns.md | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/content/en/docs/tasks/administer-cluster/coredns.md b/content/en/docs/tasks/administer-cluster/coredns.md index 00cbe26aa685e..7055b21f6b302 100644 --- a/content/en/docs/tasks/administer-cluster/coredns.md +++ b/content/en/docs/tasks/administer-cluster/coredns.md 
@@ -29,7 +29,9 @@ deployment, or by using tools like kubeadm that will deploy and upgrade the clus For manual deployment or replacement of kube-dns, see the documentation at the [CoreDNS GitHub project.](https://github.com/coredns/deployment/tree/master/kubernetes) -## Upgrading an existing cluster with kubeadm +## Migrating to CoreDNS + +### Upgrading an existing cluster with kubeadm In Kubernetes version 1.10 and later, you can also move to CoreDNS when you use `kubeadm` to upgrade a cluster that is using `kube-dns`. In this case, `kubeadm` will generate the CoreDNS configuration @@ -53,7 +55,8 @@ customizations after the new ConfigMap is up and running. If you are running CoreDNS in Kubernetes version 1.11 and later, during upgrade, your existing Corefile will be retained. -## Installing kube-dns instead of CoreDNS with kubeadm + +### Installing kube-dns instead of CoreDNS with kubeadm {{< note >}} In Kubernetes 1.11, CoreDNS has graduated to General Availability (GA) @@ -69,6 +72,14 @@ kubeadm init --feature-gates=CoreDNS=false For versions 1.13 and later, follow the guide outlined [here](/docs/reference/setup-tools/kubeadm/kubeadm-init-phase#cmd-phase-addon). +## Upgrading CoreDNS + +CoreDNS is available in Kubernetes since v1.9. +You can check the version of CoreDNS shipped with Kubernetes and the changes made to CoreDNS [here](https://github.com/coredns/deployment/blob/master/kubernetes/CoreDNS-k8s_version.md). + +CoreDNS can be upgraded manually in case you want to only upgrade CoreDNS or use your own custom image. +There is a helpful [guideline and walkthrough](https://github.com/coredns/deployment/blob/master/kubernetes/Upgrading_CoreDNS.md) available to ensure a smooth upgrade. + ## Tuning CoreDNS When resource utilisation is a concern, it may be useful to tune the configuration of CoreDNS. For more details, check out the From 30915defabeb05e50b2dffc6b9515a4df4ade819 Mon Sep 17 00:00:00 2001 
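Review bot: In the second hunk of coredns.md (`@@ -53,7 +55,8 @@`), demoting "Installing kube-dns instead of CoreDNS with kubeadm" to `###` files it under the new "## Migrating to CoreDNS" parent, although that section describes opting out of CoreDNS. Keep it as its own `##` section or rename the parent so it covers both directions. The empty `+` line added before the heading also looks unintended if the context already ends with a blank line.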
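Review bot: In the new "Upgrading CoreDNS" section (`@@ -69,6 +72,14 @@`), the link text "here" says nothing about the target; name the link after what it points to, for example "CoreDNS version in Kubernetes", so the sentence still reads on its own. "CoreDNS is available in Kubernetes since v1.9" would also be clearer if it said in what form, since the context lines above tie the kubeadm migration path to 1.10 and GA to 1.11.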
From: David Ashpole Date: Wed, 20 Mar 2019 08:37:11 -0700 Subject: [PATCH 42/47] documentation for kubelet resource metrics endpoint (#12934) --- .../{core-metrics-pipeline.md => resource-metrics-pipeline.md} | 2 +- .../debug-application-cluster/resource-usage-monitoring.md | 2 +- .../en/docs/tasks/run-application/horizontal-pod-autoscale.md | 2 +- .../docs/user-journeys/users/cluster-operator/foundational.md | 2 +- .../docs/user-journeys/users/cluster-operator/intermediate.md | 2 +- data/tasks.yml | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) rename content/en/docs/tasks/debug-application-cluster/{core-metrics-pipeline.md => resource-metrics-pipeline.md} (98%) diff --git a/content/en/docs/tasks/debug-application-cluster/core-metrics-pipeline.md b/content/en/docs/tasks/debug-application-cluster/resource-metrics-pipeline.md similarity index 98% rename from content/en/docs/tasks/debug-application-cluster/core-metrics-pipeline.md rename to content/en/docs/tasks/debug-application-cluster/resource-metrics-pipeline.md index 18033665e9d64..494877776200a 100644 --- a/content/en/docs/tasks/debug-application-cluster/core-metrics-pipeline.md +++ b/content/en/docs/tasks/debug-application-cluster/resource-metrics-pipeline.md @@ -2,7 +2,7 @@ reviewers: - fgrzadkowski - piosz -title: Core metrics pipeline +title: Resource metrics pipeline content_template: templates/concept --- diff --git a/content/en/docs/tasks/debug-application-cluster/resource-usage-monitoring.md b/content/en/docs/tasks/debug-application-cluster/resource-usage-monitoring.md index 805e77a847f42..928992232ad39 100644 --- a/content/en/docs/tasks/debug-application-cluster/resource-usage-monitoring.md +++ b/content/en/docs/tasks/debug-application-cluster/resource-usage-monitoring.md 
@@ -46,7 +46,7 @@ monitoring statistics by default: ### Kubelet -The Kubelet acts as a bridge between the Kubernetes master and the nodes. It manages the pods and containers running on a machine. Kubelet translates each pod into its constituent containers and fetches individual container usage statistics from cAdvisor. It then exposes the aggregated pod resource usage statistics via a REST API. +The Kubelet acts as a bridge between the Kubernetes master and the nodes. It manages the pods and containers running on a machine. Kubelet translates each pod into its constituent containers and fetches individual container usage statistics from the container runtime, through the container runtime interface. For the legacy docker integration, it fetches this information from cAdvisor. It then exposes the aggregated pod resource usage statistics through the kubelet resource metrics api. This api is served at `/metrics/resource/v1alpha1` on the kubelet's authenticated and read-only ports. ### cAdvisor diff --git a/content/en/docs/tasks/run-application/horizontal-pod-autoscale.md b/content/en/docs/tasks/run-application/horizontal-pod-autoscale.md index 38d615293d7a9..065ce4012453a 100644 --- a/content/en/docs/tasks/run-application/horizontal-pod-autoscale.md +++ b/content/en/docs/tasks/run-application/horizontal-pod-autoscale.md 
@@ -71,7 +71,7 @@ or the custom metrics API (for all other metrics). The HorizontalPodAutoscaler normally fetches metrics from a series of aggregated APIs (`metrics.k8s.io`, `custom.metrics.k8s.io`, and `external.metrics.k8s.io`). The `metrics.k8s.io` API is usually provided by metrics-server, which needs to be launched separately. See -[metrics-server](https://kubernetes.io/docs/tasks/debug-application-cluster/core-metrics-pipeline/#metrics-server) +[metrics-server](https://kubernetes.io/docs/tasks/debug-application-cluster/resource-metrics-pipeline/#metrics-server) for instructions. The HorizontalPodAutoscaler can also fetch metrics directly from Heapster. {{< note >}} diff --git a/content/en/docs/user-journeys/users/cluster-operator/foundational.md b/content/en/docs/user-journeys/users/cluster-operator/foundational.md index 888d8b47f88b1..0615652e81d33 100644 --- a/content/en/docs/user-journeys/users/cluster-operator/foundational.md +++ b/content/en/docs/user-journeys/users/cluster-operator/foundational.md @@ -80,7 +80,7 @@ You can see the status of the core of kubernetes with the command `kubectl get c Some additional resources for getting information about your cluster and how it is operating include: * [Tools for Monitoring Compute, Storage, and Network Resources](/docs/tasks/debug-application-cluster/resource-usage-monitoring/) -* [Core metrics pipeline](/docs/tasks/debug-application-cluster/core-metrics-pipeline/) +* [Resource metrics pipeline](/docs/tasks/debug-application-cluster/resource-metrics-pipeline/) * [Metrics](/docs/concepts/cluster-administration/controller-metrics/) ## Explore additional resources diff --git a/content/en/docs/user-journeys/users/cluster-operator/intermediate.md b/content/en/docs/user-journeys/users/cluster-operator/intermediate.md index e4b44abe3fe5f..5421b5822b091 100644 --- a/content/en/docs/user-journeys/users/cluster-operator/intermediate.md +++ b/content/en/docs/user-journeys/users/cluster-operator/intermediate.md 
@@ -82,7 +82,7 @@ Start with the [basics on Kubernetes logging](/docs/concepts/cluster-administrat * [Logging Using Stackdriver](/docs/tasks/debug-application-cluster/logging-stackdriver/) Like log aggregation, many clusters utilize additional software to help capture metrics and display them. There is an overview of tools at [Tools for Monitoring Compute, Storage, and Network Resources](/docs/tasks/debug-application-cluster/resource-usage-monitoring/). -Kubernetes also supports a [core metrics pipeline](/docs/tasks/debug-application-cluster/core-metrics-pipeline/) which can be used by Horizontal Pod Autoscaler with custom metrics. +Kubernetes also supports a [resource metrics pipeline](/docs/tasks/debug-application-cluster/resource-metrics-pipeline/) which can be used by Horizontal Pod Autoscaler with custom metrics. [Prometheus](https://prometheus.io/), which is another CNCF project, is a common choice to support capture and temporary collection of metrics. There are several options for installing Prometheus, including using the [stable/prometheus](https://github.com/kubernetes/charts/tree/master/stable/prometheus) [helm](https://helm.sh/) chart, and CoreOS provides a [prometheus operator](https://github.com/coreos/prometheus-operator) and [kube-prometheus](https://github.com/coreos/prometheus-operator/tree/master/contrib/kube-prometheus), which adds on Grafana dashboards and common configurations. diff --git a/data/tasks.yml b/data/tasks.yml index ab03eec6bbd44..5ede25f87e42f 100644 --- a/data/tasks.yml +++ b/data/tasks.yml 
@@ -89,7 +89,7 @@ toc: - title: Monitor, Log, and Debug landing_page: /docs/tasks/debug-application-cluster/resource-usage-monitoring/ section: - - docs/tasks/debug-application-cluster/core-metrics-pipeline.md + - docs/tasks/debug-application-cluster/resource-metrics-pipeline.md - docs/tasks/debug-application-cluster/resource-usage-monitoring.md - docs/tasks/debug-application-cluster/get-shell-running-container.md - docs/tasks/debug-application-cluster/monitor-node-health.md From 8f6852160c706ba96c7ac9be8368c1030842fd95 Mon Sep 17 00:00:00 2001 
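Review bot: In resource-usage-monitoring.md (`@@ -46,7 +46,7 @@`), the added sentence says `/metrics/resource/v1alpha1` is served on "the kubelet's authenticated and read-only ports" but does not say that the read-only port answers without authentication or authorization, so a reader cannot tell that pod resource usage is readable by anything that can reach that port. State that explicitly, or link to the kubelet authentication and authorization page. In the same added line, capitalize "API" and "Docker".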
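Review bot: The rename of core-metrics-pipeline.md to resource-metrics-pipeline.md changes the published URL, and the patch only updates the four in-repo references (horizontal-pod-autoscale.md, foundational.md, intermediate.md, data/tasks.yml). Nothing visible here keeps `/docs/tasks/debug-application-cluster/core-metrics-pipeline/` resolving for external links and bookmarks; add a redirect for the old path as part of this change.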
From: Michael Michael Date: Wed, 20 Mar 2019 10:38:59 -0500 Subject: [PATCH 43/47] windows docs updates for 1.14 (#13279) * Delete sample-l2bridge-wincni-config.json this file is not used anywhere * Update _index.md * Update _index.md * Update _index.md * Update _index.md * Update _index.md * Rename content/en/docs/getting-started-guides/windows/_index.md to content/en/docs/setup/windows/_index.md moving to new location * Delete flannel-master-kubectl-get-ds.png * Delete flannel-master-kubeclt-get-pods.png * Delete windows-docker-error.png * Add files via upload * Rename _index.md to add-windows-nodes.md * Create _index.md * Update _index.md * Update add-windows-nodes.md * Update add-windows-nodes.md * Create user-guide-windows-nodes.md * Create user-guide-windows-containers.md * Update and rename add-windows-nodes.md to intro-windows-nodes.md * Update user-guide-windows-containers.md * Rename intro-windows-nodes.md to intro-windows-in-kubernetes.md * Update user-guide-windows-nodes.md * Update user-guide-windows-containers.md * Update user-guide-windows-containers.md * Update user-guide-windows-nodes.md * Update user-guide-windows-containers.md * Update _index.md * Update intro-windows-in-kubernetes.md * Update intro-windows-in-kubernetes.md fixing the pause image * Update intro-windows-in-kubernetes.md changing tables from html to MD * Update user-guide-windows-nodes.md converting tables from HTML to MD * Update intro-windows-in-kubernetes.md * Update user-guide-windows-nodes.md * Update user-guide-windows-nodes.md * Update user-guide-windows-nodes.md updating the numbering , even though it messes up the notes a little bit. 
Jim will file a ticket to follow up * Update user-guide-windows-nodes.md --- .../sample-l2bridge-wincni-config.json | 49 -- content/en/docs/setup/windows/_index.md | 4 + .../flannel-master-kubeclt-get-pods.png | Bin .../windows/flannel-master-kubectl-get-ds.png | Bin .../windows/intro-windows-in-kubernetes.md} | 665 ++---------------- .../windows/user-guide-windows-containers.md | 140 ++++ .../setup/windows/user-guide-windows-nodes.md | 273 +++++++ .../windows/windows-docker-error.png | Bin 8 files changed, 460 insertions(+), 671 deletions(-) delete mode 100644 content/en/docs/getting-started-guides/windows/sample-l2bridge-wincni-config.json create mode 100644 content/en/docs/setup/windows/_index.md rename content/en/docs/{getting-started-guides => setup}/windows/flannel-master-kubeclt-get-pods.png (100%) rename content/en/docs/{getting-started-guides => setup}/windows/flannel-master-kubectl-get-ds.png (100%) rename content/en/docs/{getting-started-guides/windows/_index.md => setup/windows/intro-windows-in-kubernetes.md} (58%) create mode 100644 content/en/docs/setup/windows/user-guide-windows-containers.md create mode 100644 content/en/docs/setup/windows/user-guide-windows-nodes.md rename content/en/docs/{getting-started-guides => setup}/windows/windows-docker-error.png (100%) diff --git a/content/en/docs/getting-started-guides/windows/sample-l2bridge-wincni-config.json b/content/en/docs/getting-started-guides/windows/sample-l2bridge-wincni-config.json deleted file mode 100644 index f3842026ce28c..0000000000000 --- a/content/en/docs/getting-started-guides/windows/sample-l2bridge-wincni-config.json +++ /dev/null 
@@ -1,49 +0,0 @@ -{ - "cniVersion": "0.2.0", - "name": "l2bridge", - "type": "wincni.exe", - "master": "Ethernet", - "ipam": { - "environment": "azure", - "subnet": "10.10.187.64/26", - "routes": [ - { - "GW": "10.10.187.66" - } - ] - }, - "dns": { - "Nameservers": [ - "11.0.0.10" - ] - }, - "AdditionalArgs": [ - { - "Name": "EndpointPolicy", - "Value": { - "Type": "OutBoundNAT", - "ExceptionList": [ - "11.0.0.0/8", - "10.10.0.0/16", - "10.127.132.128/25" - ] - } - }, - { - "Name": "EndpointPolicy", - "Value": { - "Type": "ROUTE", - "DestinationPrefix": "11.0.0.0/8", - "NeedEncap": true - } - }, - { - "Name": "EndpointPolicy", - "Value": { - "Type": "ROUTE", - "DestinationPrefix": "10.127.132.213/32", - "NeedEncap": true - } - } - ] -} diff --git a/content/en/docs/setup/windows/_index.md b/content/en/docs/setup/windows/_index.md new file mode 100644 index 0000000000000..b79b7ed36e9b1 --- /dev/null +++ b/content/en/docs/setup/windows/_index.md @@ -0,0 +1,4 @@ +--- +title: "Windows in Kubernetes" +weight: 65 +--- diff --git a/content/en/docs/getting-started-guides/windows/flannel-master-kubeclt-get-pods.png b/content/en/docs/setup/windows/flannel-master-kubeclt-get-pods.png similarity index 100% rename from content/en/docs/getting-started-guides/windows/flannel-master-kubeclt-get-pods.png rename to content/en/docs/setup/windows/flannel-master-kubeclt-get-pods.png diff --git a/content/en/docs/getting-started-guides/windows/flannel-master-kubectl-get-ds.png b/content/en/docs/setup/windows/flannel-master-kubectl-get-ds.png similarity index 100% rename from content/en/docs/getting-started-guides/windows/flannel-master-kubectl-get-ds.png rename to content/en/docs/setup/windows/flannel-master-kubectl-get-ds.png 
diff --git a/content/en/docs/getting-started-guides/windows/_index.md b/content/en/docs/setup/windows/intro-windows-in-kubernetes.md similarity index 58% rename from content/en/docs/getting-started-guides/windows/_index.md rename to content/en/docs/setup/windows/intro-windows-in-kubernetes.md index 3f16e6b1bc63b..ed841d0213c1e 100644 --- a/content/en/docs/getting-started-guides/windows/_index.md +++ b/content/en/docs/setup/windows/intro-windows-in-kubernetes.md 
@@ -1,13 +1,21 @@ --- -title: Adding Windows nodes and scheduling Windows containers in Kubernetes -toc_hide: true +reviewers: +- michmike +- patricklang +title: Intro to Windows support in Kubernetes +content_template: templates/concept +weight: 65 --- -## Motivation -Windows applications constitute a large portion of the services and applications that run in many organizations. [Windows containers](https://aka.ms/windowscontainers) provide a modern way to encapsulate processes and package dependencies, making it easier to use DevOps practices and follow cloud native patterns for Windows applications. Kubernetes has become the defacto standard container orchestrator, and the release of Kubernetes 1.14 includes production support for scheduling Windows containers on Windows nodes in a Kubernetes cluster, enabling a vast ecosystem of Windows applications to leverage the power of Kubernetes. Enterprises with investments in Windows-based applications and Linux-based applications don't have to look for separate orchestrators to manage their workloads, leading to increased operational efficiencies across their deployments, regardless of operating system. +{{% capture overview %}} +Windows applications constitute a large portion of the services and applications that run in many organizations. [Windows containers](https://aka.ms/windowscontainers) provide a modern way to encapsulate processes and package dependencies, making it easier to use DevOps practices and follow cloud native patterns for Windows applications. Kubernetes has become the defacto standard container orchestrator, and the release of Kubernetes 1.14 includes production support for scheduling Windows containers on Windows nodes in a Kubernetes cluster, enabling a vast ecosystem of Windows applications to leverage the power of Kubernetes. 
Organizations with investments in Windows-based applications and Linux-based applications don't have to look for separate orchestrators to manage their workloads, leading to increased operational efficiencies across their deployments, regardless of operating system. -## Intro to Windows containers in Kubernetes +{{% /capture %}} + +{{% capture body %}} + +## Windows containers in Kubernetes To enable the orchestration of Windows containers in Kubernetes, simply include Windows nodes in your existing Linux cluster. Scheduling Windows containers in [Pods](/docs/concepts/workloads/pods/pod-overview/) on Kubernetes is as simple and easy as scheduling Linux-based containers. @@ -31,38 +39,10 @@ From an API and kubectl perspective, Windows containers behave in much the same Let's start with the operating system version. Refer to the following table for Windows operating system support in Kubernetes. A single heterogeneous Kubernetes cluster can have both Windows and Linux worker nodes. Windows containers have to be scheduled on Windows nodes and Linux containers on Linux nodes. - - - - - - - - - - - - - - - - - - - -
Kubernetes version - Host OS version (Kubernetes Node) - - -
- Windows Server 1709 - Windows Server 1803 - Windows Server 1809/Windows Server 2019 -
Kubernetes v1.14 - Not Supported - Not Supported - Supported for Windows Server containers Builds 17763.* with Docker EE-basic 18.09 -
+| Kubernetes version | Host OS version (Kubernetes Node) | | | +| --- | --- | --- | --- | +| | *Windows Server 1709* | *Windows Server 1803* | *Windows Server 1809/Windows Server 2019* | +| *Kubernetes v1.14* | Not Supported | Not Supported| Supported for Windows Server containers Builds 17763.* with Docker EE-basic 18.09 | {{< note >}} The Windows Server Host Operating System is subject to the [Windows Server ](https://www.microsoft.com/en-us/cloud-platform/windows-server-pricing) licensing. The Windows Container images are subject to the [Supplemental License Terms for Windows containers](https://docs.microsoft.com/en-us/virtualization/windowscontainers/images-eula). @@ -123,7 +103,7 @@ Docker EE-basic 18.09 is required on Windows Server 2019 / 1809 nodes for Kubern Kubernetes Volumes enable complex applications with data persistence and Pod volume sharing requirements to be deployed on Kubernetes. Kubernetes on Windows supports the following types of [volumes](/docs/concepts/storage/volumes/): -* FlexVolume out-of-tree plugin with [SMB and iSCSI](https://github.com/Microsoft/K8s-Storage-Plugins/tree/master/flexvolume/windows)support +* FlexVolume out-of-tree plugin with [SMB and iSCSI](https://github.com/Microsoft/K8s-Storage-Plugins/tree/master/flexvolume/windows) support * [azureDisk](/docs/concepts/storage/volumes/#azuredisk) * [azureFile](/docs/concepts/storage/volumes/#azurefile) * [gcePersistentDisk](/docs/concepts/storage/volumes/#gcepersistentdisk) 
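Review bot: In the overview text added at the top of intro-windows-in-kubernetes.md (`@@ -1,13 +1,21 @@`), "defacto" is carried over from the old text and should be "de facto". The hunk opens `{{% capture body %}}` without a visible matching `{{% /capture %}}`; confirm the file closes it at the end, since the rest of the page is emitted as context only.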
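Review bot: In the Markdown table added by `@@ -31,38 +39,10 @@`, the header row `| Kubernetes version | Host OS version (Kubernetes Node) | | |` uses two empty header cells to imitate a spanning header and pushes the real column names into an italic body row, which renders as blank header columns. Put the three Windows Server versions in the header row and move "Host OS version (Kubernetes Node)" into the sentence above the table. `Not Supported|` in the last row is also missing the space before the pipe.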
@@ -146,86 +126,13 @@ The following service spec types are supported: Windows supports five different networking drivers/modes: L2bridge, L2tunnel, Overlay, Transparent, and NAT. In a heterogeneous cluster with Windows and Linux worker nodes, you need to select a networking solution that is compatible on both Windows and Linux. The following out-of-tree plugins are supported on Windows, with recommendations on when to use each CNI: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Network Driver - Description - Container Packet Modifications - Network Plugins - Network Plugin Characteristics -
L2bridge - Containers are attached to an external vSwitch. Containers are attached to the underlay network, although the physical network doesn't need to learn the container MACs because they are rewritten on ingress/egress. Inter-container traffic is bridged inside the container host. - MAC is rewritten to host MAC, IP remains the same. - win-bridge, Azure-CNI, Flannel host-gateway uses win-bridge - win-bridge uses L2bridge network mode, connects containers to the underlay of hosts, offering best performance. Requires L2 adjacency between container hosts -
L2Tunnel - This is a special case of l2bridge, but only used on Azure. All packets are sent to the virtualization host where SDN policy is applied. - MAC rewritten, IP visible on the underlay network - Azure-CNI - Azure-CNI allows integration of containers with Azure vNET, and allows them to leverage the set of capabilities that Azure Virtual Network provides. For example, securely connect to Azure services or use Azure NSGs. See azure-cni for some examples -
Overlay (Overlay networking for Windows in Kubernetes is in alpha stage) - Containers are given a vNIC connected to an external vSwitch. Each overlay network gets its own IP subnet, defined by a custom IP prefix.The overlay network driver uses VXLAN encapsulation. - Encapsulated with an outer header, inner packet remains the same. - Win-overlay, Flannel VXLAN (uses win-overlay) - win-overlay should be used when virtual container networks are desired to be isolated from underlay of hosts (e.g. for security reasons). Allows for IPs to be re-used for different overlay networks (which have different VNID tags) if you are restricted on IPs in your datacenter. This option may be used when the container hosts are not L2 adjacent but have L3 connectivity -
Transparent (special use case for ovn-kubernetes) - Requires an external vSwitch. Containers are attached to an external vSwitch which will enable intra-pod communication via logical networks (logical switches and routers). - Packet is encapsulated either via GENEVE or STT tunneling to reach pods which are not on the same host. - -Packets are forwarded or dropped via the tunnel metadata information supplied by the ovn network controller. - -NAT is done for north-south communication. - - ovn-kubernetes - - Deploy via ansible. Distributed ACLs can be applied via Kubernetes policies. IPAM support. Load-balancing can be achieved without kube-proxy. NATing is done without using iptables/netsh. -
NAT (not used in Kubernetes) - Containers are given a vNIC connected to an internal vSwitch. DNS/DHCP is provided using an internal component called WinNAT - MAC and IP is rewritten to host MAC/IP. - nat - Included here for completeness -
+| Network Driver | Description | Container Packet Modifications | Network Plugins | Network Plugin Characteristics | +| -------------- | ----------- | ------------------------------ | --------------- | ------------------------------ | +| L2bridge | Containers are attached to an external vSwitch. Containers are attached to the underlay network, although the physical network doesn't need to learn the container MACs because they are rewritten on ingress/egress. Inter-container traffic is bridged inside the container host. | MAC is rewritten to host MAC, IP remains the same. | [win-bridge](https://github.com/containernetworking/plugins/tree/master/plugins/main/windows/win-bridge), [Azure-CNI](https://github.com/Azure/azure-container-networking/blob/master/docs/cni.md), Flannel host-gateway uses win-bridge | win-bridge uses L2bridge network mode, connects containers to the underlay of hosts, offering best performance. Requires L2 adjacency between container hosts | +| L2Tunnel | This is a special case of l2bridge, but only used on Azure. All packets are sent to the virtualization host where SDN policy is applied. | MAC rewritten, IP visible on the underlay network | [Azure-CNI](https://github.com/Azure/azure-container-networking/blob/master/docs/cni.md) | Azure-CNI allows integration of containers with Azure vNET, and allows them to leverage the set of capabilities that [Azure Virtual Network provides](https://azure.microsoft.com/en-us/services/virtual-network/). For example, securely connect to Azure services or use Azure NSGs. See [azure-cni for some examples](https://docs.microsoft.com/en-us/azure/aks/concepts-network#azure-cni-advanced-networking) | +| Overlay (Overlay networking for Windows in Kubernetes is in *alpha* stage) | Containers are given a vNIC connected to an external vSwitch. Each overlay network gets its own IP subnet, defined by a custom IP prefix.The overlay network driver uses VXLAN encapsulation. 
| Encapsulated with an outer header, inner packet remains the same. | [Win-overlay](https://github.com/containernetworking/plugins/tree/master/plugins/main/windows/win-overlay), Flannel VXLAN (uses win-overlay) | win-overlay should be used when virtual container networks are desired to be isolated from underlay of hosts (e.g. for security reasons). Allows for IPs to be re-used for different overlay networks (which have different VNID tags) if you are restricted on IPs in your datacenter. This option may be used when the container hosts are not L2 adjacent but have L3 connectivity | +| Transparent (special use case for [ovn-kubernetes](https://github.com/openvswitch/ovn-kubernetes)) | Requires an external vSwitch. Containers are attached to an external vSwitch which will enable intra-pod communication via logical networks (logical switches and routers). | Packet is encapsulated either via [GENEVE](https://datatracker.ietf.org/doc/draft-gross-geneve/) or [STT](https://datatracker.ietf.org/doc/draft-davie-stt/) tunneling to reach pods which are not on the same host.
Packets are forwarded or dropped via the tunnel metadata information supplied by the ovn network controller.
NAT is done for north-south communication. | [ovn-kubernetes](https://github.com/openvswitch/ovn-kubernetes) | [Deploy via ansible](https://github.com/openvswitch/ovn-kubernetes/tree/master/contrib). Distributed ACLs can be applied via Kubernetes policies. IPAM support. Load-balancing can be achieved without kube-proxy. NATing is done without using iptables/netsh. | +| NAT (*not used in Kubernetes*) | Containers are given a vNIC connected to an internal vSwitch. DNS/DHCP is provided using an internal component called [WinNAT](https://blogs.technet.microsoft.com/virtualization/2016/05/25/windows-nat-winnat-capabilities-and-limitations/) | MAC and IP is rewritten to host MAC/IP. | [nat](https://github.com/Microsoft/windows-container-networking/tree/master/plugins/nat) | Included here for completeness | As outlined above, the [Flannel](https://github.com/coreos/flannel) CNI [meta plugin](https://github.com/containernetworking/plugins/tree/master/plugins/meta/flannel) is also supported on [Windows](https://github.com/containernetworking/plugins/tree/master/plugins/meta/flannel#windows-support-experimental) via the [VXLAN network backend](https://github.com/coreos/flannel/blob/master/Documentation/backends.md#vxlan) (**alpha support** ; delegates to win-overlay) and [host-gateway network backend](https://github.com/coreos/flannel/blob/master/Documentation/backends.md#host-gw) (stable support; delegates to win-bridge). This plugin supports delegating to one of the reference CNI plugins (win-overlay, win-bridge), to work in conjunction with Flannel daemon on Windows (Flanneld) for automatic node subnet lease assignment and HNS network creation. This plugin reads in its own configuration file (net-conf.json), and aggregates it with the environment variables from the FlannelD generated subnet.env file. It then delegates to one of the reference CNI plugins for network plumbing, and sends the correct configuration containing the node-assigned subnet to the IPAM plugin (e.g. 
host-local). 
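Review bot: The added Overlay row carries over a typo from the removed HTML table: "defined by a custom IP prefix.The overlay network driver" is missing a space after the period. While the table is being rewritten, also settle on one spelling each for "Win-overlay"/"win-overlay" and "L2bridge"/"l2bridge" (the linked plugin directories are win-overlay and win-bridge), and change "MAC and IP is rewritten" to "are rewritten" in the NAT row. The Overlay row recommends win-overlay for isolating container networks "for security reasons" while its first cell marks overlay networking as alpha; a short qualifier in that cell would keep readers from relying on alpha isolation without knowing it.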
@@ -412,501 +319,7 @@ None of the PodSecurityContext fields work on Windows. They're listed here for r * V1.PodSecurityContext.SupplementalGroups - provides GID, not available on Windows * V1.PodSecurityContext.Sysctls - these are part of the Linux sysctl interface. There's no equivalent on Windows. -# User Guide: Add Windows Nodes in Kubernetes {#UG-windows-nodes} - -## Objectives - -The Kubernetes platform can now be used to run both Linux and Windows containers. One or more Windows nodes can be registered to a cluster. This guide shows how to: - -* Register a Windows node to the cluster -* Configure networking so pods on Linux and Windows can communicate - -## Before you begin - -* Obtain a [Windows Server license](https://www.microsoft.com/en-us/cloud-platform/windows-server-pricing) in order to run the Windows node that will execute the Windows container. You can use your organization's licenses for the cluster, or acquire one from Microsoft, a reseller, or via the major cloud providers such as GCP, AWS, and Azure by provisioning a virtual machine running Windows Server through their marketplaces. A [time-limited trial](https://www.microsoft.com/en-us/cloud-platform/windows-server-trial) is also available. -* Build a Linux-based Kubernetes cluster in which you have access to the control plane (some examples include [Getting Started from Scratch](/docs/setup/scratch/), [kubeadm](/docs/setup/independent/create-cluster-kubeadm/), [AKS Engine](/docs/setup/turnkey/azure/), [GCE](/docs/setup/turnkey/gce/), [AWS](/docs/setup/turnkey/aws/)). - -## Getting Started: Adding a Windows Node to Your Cluster - -### Plan IP Addressing - -Kubernetes cluster management requires careful planning of your IP addresses so that you do not inadvertently cause network collision. This guide assumes that you are familiar with the [Kubernetes networking concepts](/docs/concepts/cluster-administration/networking/). 
- -In order to deploy your cluster you will need the following address spaces: - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Subnet / address range - Description - Default value -
--- - --- - --- -
Service Subnet - A non-routable, purely virtual subnet that is used by pods to uniformly access services without caring about the network topology. It is translated to/from routable address space by kube-proxy running on the nodes. - "10.96.0.0/12" -
Cluster Subnet - This is a global subnet that is used by all pods in the cluster. Each node is assigned a smaller /24 subnet from this for their pods to use. It must be large enough to accommodate all pods used in your cluster. To calculate minimumsubnet size: (number of nodes) + (number of nodes * maximum pods per node that you configure) -Example: for a 5 node cluster for 100 pods per node: (5) + (5 * 100) = 505. - "10.244.0.0/16" -
Kubernetes DNS Service IP - IP address of kube-dns service that will be used for DNS resolution & cluster service discovery. - "10.96.0.10" -
- -Review the networking options supported in 'Intro to Windows containers in Kubernetes: Supported Functionality: Networking' to determine how you need to allocate IP addresses for your cluster. - -### Components that run on Windows - -While the Kubernetes control plane runs on your Linux node(s), the following components will be configured and run on your Windows node(s). - -1. kubelet -2. kube-proxy -3. kubectl (optional) -4. Container runtime - -Get the latest binaries from [https://github.com/kubernetes/kubernetes/releases](https://github.com/kubernetes/kubernetes/releases), starting with v1.14 or later. The Windows-amd64 binaries for kubeadm, kubectl, kubelet, and kube-proxy can be found under the CHANGELOG link. - -### Networking Configuration - -Once you have a Linux-based Kubernetes master node you are ready to choose a networking solution. This guide illustrates using Flannel in VXLAN mode for simplicity. - -#### Configuring Flannel in VXLAN mode on the Linux controller - -1. Prepare Kubernetes master for Flannel - - Some minor preparation is recommended on the Kubernetes master in our cluster. It is recommended to enable bridged IPv4 traffic to iptables chains when using Flannel. This can be done using the following command: - - ```bash - sudo sysctl net.bridge.bridge-nf-call-iptables=1 - ``` - -1. Download & configure Flannel - - Download the most recent Flannel manifest: - - ```bash - wget https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml - ``` - - There are two sections you should modify to enable the vxlan networking backend: - - After applying the steps below, the `net-conf.json` section of `kube-flannel.yml` should look as follows: - - ```json - net-conf.json: | - { - "Network": "10.244.0.0/16", - "Backend": { - "Type": "vxlan", - "VNI" : 4096, - "Port": 4789 - } - } - ``` - -1. In the `net-conf.json` section of your `kube-flannel.yml`, double-check: - 1. The cluster subnet (e.g. 
"10.244.0.0/16") is set as per your IP plan. - * VNI 4096 is set in the backend - * Port 4789 is set in the backend - 2. In the `cni-conf.json` section of your `kube-flannel.yml`, change the network name to `vxlan0`. - -{{< note >}} -The VNI must be set to 4096 and port 4789 for Flannel on Linux to interoperate with Flannel on Windows. Support for other VNIs is coming soon. See [VXLAN](https://github.com/coreos/flannel/blob/master/Documentation/backends.md#vxlan) for an explanation of these fields. -{{< /note >}} - - Your `cni-conf.json` should look as follows: - - ```json - cni-conf.json: | - { - "name": "vxlan0", - "plugins": [ - { - "type": "flannel", - "delegate": { - "hairpinMode": true, - "isDefaultGateway": true - } - }, - { - "type": "portmap", - "capabilities": { - "portMappings": true - } - } - ] - } - ``` - -1. Apply the Flannel yaml and Validate - - Let's apply the Flannel configuration: - - ```bash - kubectl apply -f kube-flannel.yml - ``` - - Next, since the Flannel pods are Linux-based, apply a NodeSelector patch, which can be found [here](https://github.com/Microsoft/SDN/blob/1d5c055bb195fecba07ad094d2d7c18c188f9d2d/Kubernetes/flannel/l2bridge/manifests/node-selector-patch.yml), to the Flannel DaemonSet pod: - - ```bash - kubectl patch ds/kube-flannel-ds-amd64 --patch "$(cat node-selector-patch.yml)" -n=kube-system - ``` - - After a few minutes, you should see all the pods as running if the Flannel pod network was deployed. - - ```bash - kubectl get pods --all-namespaces - ``` - - ![alt_text](flannel-master-kubeclt-get-pods.png "flannel master kubectl get pods screen capture") - - Verify that the Flannel DaemonSet has the NodeSelector applied. - - ```bash - kubectl get ds -n kube-system - ``` - - ![alt_text](flannel-master-kubectl-get-ds.png "flannel master kubectl get ds screen capture") - -#### Join Windows Worker - -In this section we'll cover configuring a Windows node from scratch to join a cluster on-prem. 
If your cluster is on a cloud you'll likely want to follow the cloud specific guides in the next section. - -#### Preparing a Windows Node -{{< note >}} -All code snippets in Windows sections are to be run in a PowerShell environment with elevated permissions (Admin). -{{< /note >}} - -1. Install Docker (requires a system reboot) - - Kubernetes uses [Docker](https://www.docker.com/) as its container engine, so we need to install it. You can follow the [official Docs instructions](https://docs.microsoft.com/en-us/virtualization/windowscontainers/manage-docker/configure-docker-daemon#install-docker), the [Docker instructions](https://store.docker.com/editions/enterprise/docker-ee-server-windows), or try the following *recommended* steps: - - ```PowerShell - Enable-WindowsOptionalFeature -FeatureName Containers - Restart-Computer -Force - Install-Module -Name DockerMsftProvider -Repository PSGallery -Force - Install-Package -Name Docker -ProviderName DockerMsftProvider - ``` - - If you are behind a proxy, the following PowerShell environment variables must be defined: - - ```PowerShell - [Environment]::SetEnvironmentVariable("HTTP_PROXY", "http://proxy.example.com:80/", [EnvironmentVariableTarget]::Machine) - [Environment]::SetEnvironmentVariable("HTTPS_PROXY", "http://proxy.example.com:443/", [EnvironmentVariableTarget]::Machine) - ``` - - If after reboot you see the following error, you need to restart the docker service manually - - ![alt_text](windows-docker-error.png "windows docker error screen capture") - - ```PowerShell - Start-Service docker - ``` - -{{< note >}} -The "pause" (infrastructure) image is hosted on Microsoft Container Registry (MCR) and the DOCKERFILE is available at [https://github.com/Microsoft/SDN/blob/master/Kubernetes/windows/Dockerfile](https://github.com/Microsoft/SDN/blob/master/Kubernetes/windows/Dockerfile) -{{< /note >}} - - ```PowerShell - docker pull mcr.microsoft.com/k8s/core/pause:1.0.0 - ``` - -1. 
Prepare a Windows directory for Kubernetes - - Create a "Kubernetes for Windows" directory to store Kubernetes binaries as well as any deployment scripts and config files. - - ```PowerShell - mkdir c:\k - ``` - -1. Copy Kubernetes certificate - - Copy the Kubernetes certificate file `$HOME/.kube/config` [from the Linux controller](https://docs.microsoft.com/en-us/virtualization/windowscontainers/kubernetes/creating-a-linux-master#collect-cluster-information) to this new `C:\k` directory on your Windows node. - - Tip: You can use tools such as [xcopy](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/xcopy), [WinSCP](https://winscp.net/eng/download.php), or this [PowerShell wrapper for WinSCP](https://www.powershellgallery.com/packages/WinSCP/5.13.2.0) to transfer the config file between nodes. - -1. Download Kubernetes binaries - - To be able to run Kubernetes, you first need to download the `kubelet` and `kube-proxy` binaries. You download these from the Node Binaries links in the CHANGELOG.md file of the [latest releases](https://github.com/kubernetes/kubernetes/releases/). For example 'kubernetes-node-windows-amd64.tar.gz'. You may also optionally download `kubectl` to run on Windows which you can find under Client Binaries. - - Use the [Expand-Archive](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.archive/expand-archive?view=powershell-6) PowerShell command to extract the archive and place the binaries into `C:\k`. - -#### Join the Windows node to the Flannel cluster - -The Flannel overlay deployment scripts and documentation are available in [this repository](https://github.com/Microsoft/SDN/tree/master/Kubernetes/flannel/overlay). The following steps are a simple walkthrough of the more comprehensive instructions available there. 
- -Download the [Flannel start.ps1](https://github.com/Microsoft/SDN/blob/master/Kubernetes/flannel/start.ps1) script, the contents of which should be extracted to `C:\k`: - -```PowerShell -cd c:\k -[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 -wget https://raw.githubusercontent.com/Microsoft/SDN/master/Kubernetes/flannel/start.ps1 -o c:\k\start.ps1 -``` - -{{< note >}} -[start.ps1](https://github.com/Microsoft/SDN/blob/master/Kubernetes/flannel/start.ps1) references [install.ps1](https://github.com/Microsoft/SDN/blob/master/Kubernetes/windows/install.ps1), which will download additional files such as the `flanneld` executable and the [Dockerfile for infrastructure pod](https://github.com/Microsoft/SDN/blob/master/Kubernetes/windows/Dockerfile) and install those for you. For overlay networking mode, the [firewall](https://github.com/Microsoft/SDN/blob/master/Kubernetes/windows/helper.psm1#L111) will be opened for local UDP port 4789. There may be multiple powershell windows being opened/closed as well as a few seconds of network outage while the new external vSwitch for the pod network is being created the first time. Run the script using the arguments as specified below: -{{< /note >}} - -```PowerShell -.\start.ps1 -ManagementIP -NetworkMode overlay -ClusterCIDR -ServiceCIDR -KubeDnsServiceIP -LogDir -``` - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-Parameter - Default Value - Notes -
---- - --- - --- -
-ManagementIP - N/A (required) - The IP address assigned to the Windows node. You can use ipconfig to find this. -
-NetworkMode - l2bridge - We're using overlay here -
-ClusterCIDR - 10.244.0.0/16 - Refer to your cluster IP plan -
-ServiceCIDR - 10.96.0.0/12 - Refer to your cluster IP plan -
-KubeDnsServiceIP - 10.96.0.10 - -
-InterfaceName - Ethernet - The name of the network interface of the Windows host. You can use ipconfig to find this. -
-LogDir - C:\k - The directory where kubelet and kube-proxy logs are redirected into their respective output files. -
- -Now you can view the Windows nodes in your cluster by running the following: - -```bash -kubectl get nodes -``` - -{{< note >}} -You may want to configure your Windows node components like kubelet and kube-proxy to run as services. View the services and background processes section under [troubleshooting](#troubleshooting) for additional instructions. Once you are running the node components as services, collecting logs becomes an important part of troubleshooting. View the [gathering logs](https://github.com/kubernetes/community/blob/master/sig-windows/CONTRIBUTING.md#gathering-logs) section of the contributing guide for further instructions. -{{< /note >}} - -### Public Cloud Providers - -#### Azure - -AKS-Engine can deploy a complete, customizable Kubernetes cluster with both Linux & Windows nodes. There is a step-by-step walkthrough available in the [docs on GitHub](https://github.com/Azure/aks-engine/blob/master/docs/topics/windows.md). - -#### GCP - -Users can easily deploy a complete Kubernetes cluster on GCE following this step-by-step walkthrough on [GitHub](https://github.com/kubernetes/kubernetes/blob/master/cluster/gce/windows/README-GCE-Windows-kube-up.md) - -#### Deployment with kubeadm and cluster API - -Kubeadm is becoming the de facto standard for users to deploy a Kubernetes cluster. Windows node support in kubeadm will come in a future release. We are also making investments in cluster API to ensure Windows nodes are properly provisioned. - -#### Next Steps - -Now that you've configured a Windows worker in your cluster to run Windows containers you may want to add one or more Linux nodes as well to run Linux containers. Now you're ready to proceed to the next step to schedule Windows containers on your cluster. 
- -# User Guide: Scheduling Windows containers in Kubernetes - -## Objectives - -* Configure an example deployment to run Windows containers on the Windows node -* (Optional) Configure an Active Directory Identity for your Pod using Group Managed Service Accounts (GMSA) - -## Before you begin - -* Create a Kubernetes cluster that includes a [master and a worker node running Windows Server](#UG-windows-nodes) -* It is important to note that creating and deploying services and workloads on Kubernetes behaves in much the same way for Linux and Windows containers. [Kubectl commands](/docs/reference/kubectl/overview/) to interface with the cluster are identical. The example in the section below is provided simply to jumpstart your experience with Windows containers. - -## Getting Started: Deploying a Windows container - -To deploy a Windows container on Kubernetes, you must first create an example application. The example YAML file below creates a simple webserver application. Create a service spec named `win-webserver.yaml` with the contents below: - -```yaml - apiVersion: v1 - kind: Service - metadata: - name: win-webserver - labels: - app: win-webserver - spec: - ports: - # the port that this service should serve on - - port: 80 - targetPort: 80 - selector: - app: win-webserver - type: NodePort - --- - apiVersion: extensions/v1beta1 - kind: Deployment - metadata: - labels: - app: win-webserver - name: win-webserver - spec: - replicas: 2 - template: - metadata: - labels: - app: win-webserver - name: win-webserver - spec: - containers: - - name: windowswebserver - image: mcr.microsoft.com/windows/servercore:ltsc2019 - command: - - powershell.exe - - -command - - "<#code used from https://gist.github.com/wagnerandrade/5424431#> ; $$listener = New-Object System.Net.HttpListener ; $$listener.Prefixes.Add('http://*:80/') ; $$listener.Start() ; $$callerCounts = @{} ; Write-Host('Listening at http://*:80/') ; while ($$listener.IsListening) { ;$$context = 
$$listener.GetContext() ;$$requestUrl = $$context.Request.Url ;$$clientIP = $$context.Request.RemoteEndPoint.Address ;$$response = $$context.Response ;Write-Host '' ;Write-Host('> {0}' -f $$requestUrl) ; ;$$count = 1 ;$$k=$$callerCounts.Get_Item($$clientIP) ;if ($$k -ne $$null) { $$count += $$k } ;$$callerCounts.Set_Item($$clientIP, $$count) ;$$ip=(Get-NetAdapter | Get-NetIpAddress); $$header='

Windows Container Web Server

' ;$$callerCountsString='' ;$$callerCounts.Keys | % { $$callerCountsString+='

IP {0} callerCount {1} ' -f $$ip[1].IPAddress,$$callerCounts.Item($$_) } ;$$footer='' ;$$content='{0}{1}{2}' -f $$header,$$callerCountsString,$$footer ;Write-Output $$content ;$$buffer = [System.Text.Encoding]::UTF8.GetBytes($$content) ;$$response.ContentLength64 = $$buffer.Length ;$$response.OutputStream.Write($$buffer, 0, $$buffer.Length) ;$$response.Close() ;$$responseStatus = $$response.StatusCode ;Write-Host('< {0}' -f $$responseStatus) } ; " - nodeSelector: - beta.kubernetes.io/os: windows -``` - -{{< note >}} -Port mapping is also supported, but for simplicity in this example the container port 80 is exposed directly to the service. -{{< /note >}} - -1. Check that all nodes are healthy: - - ```bash - kubectl get nodes - ``` - -1. Deploy the service and watch for pod updates: - - ```bash - kubectl apply -f win-webserver.yaml - kubectl get pods -o wide -w - ``` - - When the service is deployed correctly both Pods will be marked as Ready. To exit the watch command, press Ctrl+C. - -1. Check that the deployment succeeded. 
To verify: - - * Two containers per pod on the Windows node, use `docker ps` - * Two pods listed from the Linux master, use `kubectl get pods` - * Node-to-pod communication across the network, `curl` port 80 of your pod IPs from the Linux master to check for a web server response - * Pod-to-pod communication, ping between pods (and across hosts, if you have more than one Windows node) using docker exec or kubectl exec - * Service-to-pod communication, `curl` the virtual service IP (seen under `kubectl get services`) from the Linux master and from individual pods - * Service discovery, `curl` the service name with the Kubernetes [default DNS suffix](/docs/concepts/services-networking/dns-pod-service/#services) - * Inbound connectivity, `curl` the NodePort from the Linux master or machines outside of the cluster - * Outbound connectivity, `curl` external IPs from inside the pod using kubectl exec - -{{< note >}} -Windows container hosts are not able to access the IP of services scheduled on them due to current platform limitations of the Windows networking stack. Only Windows pods are able to access service IPs. -{{< /note >}} - -## Managing Workload Identity with Group Managed Service Accounts - -Starting with Kubernetes v1.14, Windows container workloads can be configured to use Group Managed Service Accounts (GMSA). Group Managed Service Accounts are a specific type of Active Directory account that provides automatic password management, simplified service principal name (SPN) management, and the ability to delegate the management to other administrators across multiple servers. Containers configured with a GMSA can access external Active Directory Domain resources while carrying the identity configured with the GMSA. Learn more about configuring and using GMSA for Windows containers [here](/docs/tasks/configure-pod-container/configure-gmsa.md). 
- -## Taints and Tolerations - -Users today will need to use some combination of taints and node selectors in order to keep Linux and Windows workloads on their respective OS-specific nodes. This will likely impose a burden only on Windows users. The recommended approach is outlined below, with one of its main goals being that this approach should not break compatibility for existing Linux workloads. - -### Ensuring OS-specific workloads land on the appropriate container host - -Users can ensure Windows containers can be scheduled on the appropriate host using Taints and Tolerations. All Kubernetes nodes today have the following default labels: - -* beta.kubernetes.io/os = [windows|linux] -* beta.kubernetes.io/arch = [amd64|arm64|...] - -If a Pod specification does not specify a nodeSelector like `"beta.kubernetes.io/os": windows`, it is possible the Pod can be scheduled on any host, Windows or Linux. This can be problematic since a Windows container can only run on Windows and a Linux container can only run on Linux. The best practice is to use a nodeSelector. - -However, we understand that in many cases users have a pre-existing large number of deployments for Linux containers, as well as an ecosystem of off-the-shelf configurations, such as community Helm charts, and programmatic Pod generation cases, such as with Operators. In those situations, you may be hesitant to make the configuration change to add nodeSelectors. The alternative is to use Taints. Because the kubelet can set Taints during registration, it could easily be modified to automatically add a taint when running on Windows only. - -For example: `--register-with-taints='os=Win1809:NoSchedule'` - -By adding a taint to all Windows nodes, nothing will be scheduled on them (that includes existing Linux Pods). In order for a Windows Pod to be scheduled on a Windows node, it would need both the nodeSelector to choose Windows, and the appropriate matching toleration. 
- -```yaml -nodeSelector: - "beta.kubernetes.io/os": windows -tolerations: - - key: "os" - operator: "Equal" - value: "Win1809" - effect: "NoSchedule" -``` - -# Getting Help and Troubleshooting {#troubleshooting} +## Getting Help and Troubleshooting {#troubleshooting} Your main source of help for troubleshooting your Kubernetes cluster should start with this [section](/docs/tasks/debug-application-cluster/troubleshooting/). Some additional, Windows-specific troubleshooting help is included in this section. Logs are an important element of troubleshooting issues in Kubernetes. Make sure to include them any time you seek troubleshooting assistance from other contributors. Follow the instructions in the SIG-Windows [contributing guide on gathering logs](https://github.com/kubernetes/community/blob/master/sig-windows/CONTRIBUTING.md#gathering-logs). 
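Review bot: Removing the heading `# User Guide: Add Windows Nodes in Kubernetes {#UG-windows-nodes}` drops the `#UG-windows-nodes` anchor from this page, so any link that still targets it will break without warning. Search the docs tree for `#UG-windows-nodes` and repoint those links at the new guide page. The removed text also links to `[troubleshooting](#troubleshooting)`, which only resolves on this page, so that link needs a full path wherever the text lands. If the node guide is moved verbatim, note that it downloads `start.ps1` from the `master` branch and runs it in an elevated PowerShell session, while the `node-selector-patch.yml` link in the same guide is pinned to a commit; pinning the script URL the same way would make the walkthrough reproducible.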
@@ -966,8 +379,10 @@ Your main source of help for troubleshooting your Kubernetes cluster should star nssm start flanneld # Register kubelet.exe + # Microsoft releases the pause infrastructure container at mcr.microsoft.com/k8s/core/pause:1.0.0 + # For more info search for "pause" in the "Guide for adding Windows Nodes in Kubernetes" nssm install kubelet C:\k\kubelet.exe - nssm set kubelet AppParameters --hostname-override= --v=6 --pod-infra-container-image=kubeletwin/pause --resolv-conf="" --allow-privileged=true --enable-debugging-handlers --cluster-dns= --cluster-domain=cluster.local --kubeconfig=c:\k\config --hairpin-mode=promiscuous-bridge --image-pull-progress-deadline=20m --cgroups-per-qos=false --log-dir= --logtostderr=false --enforce-node-allocatable="" --network-plugin=cni --cni-bin-dir=c:\k\cni --cni-conf-dir=c:\k\cni\config + nssm set kubelet AppParameters --hostname-override= --v=6 --pod-infra-container-image=mcr.microsoft.com/k8s/core/pause:1.0.0 --resolv-conf="" --allow-privileged=true --enable-debugging-handlers --cluster-dns= --cluster-domain=cluster.local --kubeconfig=c:\k\config --hairpin-mode=promiscuous-bridge --image-pull-progress-deadline=20m --cgroups-per-qos=false --log-dir= --logtostderr=false --enforce-node-allocatable="" --network-plugin=cni --cni-bin-dir=c:\k\cni --cni-conf-dir=c:\k\cni\config nssm set kubelet AppDirectory C:\k nssm start kubelet 
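Review bot: The two added comment lines sit under `# Register kubelet.exe`, ahead of `nssm install`, but they describe the `--pod-infra-container-image` value set two lines further down, and they tell the reader to "search for" a guide by its title. Move the comment directly above the `nssm set kubelet AppParameters` line and give the page path, since a link cannot render inside a code block. The new value `mcr.microsoft.com/k8s/core/pause:1.0.0` is an improvement over the untagged `kubeletwin/pause`; consider referencing the image by digest rather than by tag so a re-pushed tag cannot change what the node runs.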
@@ -1076,8 +491,10 @@ Your main source of help for troubleshooting your Kubernetes cluster should star 1. My Pods are stuck at "Container Creating" or restarting over and over Check that your pause image is compatible with your OS version. The [instructions](https://docs.microsoft.com/en-us/virtualization/windowscontainers/kubernetes/deploying-resources) assume that both the OS and the containers are version 1803. If you have a later version of Windows, such as an Insider build, you will need to adjust the images accordingly. Please refer to the Microsoft's [Docker repository](https://hub.docker.com/u/microsoft/) for images. Regardless, both the pause image Dockerfile and the sample service will expect the image to be tagged as :latest. + + With Kubernetes v1.14, Microsoft will release the pause infrastructure container at mcr.microsoft.com/k8s/core/pause:1.0.0. For more information search for "pause" in the "Guide for adding Windows Nodes in Kubernetes". -## Further investigation +### Further investigation Check the DNS limitations for Windows in this [section](#dns-limitations). 
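Review bot: The added paragraph contradicts the context sentence directly above it, which says the pause image Dockerfile and the sample service "will expect the image to be tagged as :latest", while the new text points to `mcr.microsoft.com/k8s/core/pause:1.0.0`. Reconcile the two statements so the reader knows which tag to use. The kubelet example earlier in this patch already uses that image, so "will release" reads better in the present tense. This paragraph is prose, so the instruction to "search for" the node guide can be replaced with a relative link to it.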
@@ -1099,11 +516,13 @@ If filing a bug, please include detailed information about how to reproduce the * [Relevant logs](https://github.com/kubernetes/community/blob/master/sig-windows/CONTRIBUTING.md#gathering-logs) * Tag the issue sig/windows by commenting on the issue with `/sig windows` to bring it to a SIG-Windows member's attention -# Roadmap +{{% /capture %}} + +{{% capture whatsnext %}} We have a lot of features in our roadmap. An abbreviated high level list is included below, but we encourage you to view our [roadmap project](https://github.com/orgs/kubernetes/projects/8) and help us make Windows support better by [contributing](https://github.com/kubernetes/community/blob/master/sig-windows/). -## CRI-ContainerD +### CRI-ContainerD ContainerD is another OCI-compliant runtime that recently graduated as a CNCF project. It's currently tested on Linux, but 1.3 will bring support for Windows and Hyper-V. [[reference](https://blog.docker.com/2019/02/containerd-graduates-within-the-cncf/)] @@ -1114,11 +533,13 @@ The CRI-ContainerD interface will be able to manage sandboxes based on Hyper-V. * Specific CPU/NUMA settings for a pod * Memory isolation and reservations -## Deployment with kubeadm and cluster API +### Deployment with kubeadm and cluster API Kubeadm is becoming the de facto standard for users to deploy a Kubernetes cluster. Windows node support in kubeadm will come in a future release. We are also making investments in cluster API to ensure Windows nodes are properly provisioned. -## A few other big ticket items -### Beta support for Group Managed Service Accounts -### More CNIs -### More Storage Plugins +### A few other key features +* Beta support for Group Managed Service Accounts +* More CNIs +* More Storage Plugins + +{{% /capture %}} diff --git a/content/en/docs/setup/windows/user-guide-windows-containers.md b/content/en/docs/setup/windows/user-guide-windows-containers.md new file mode 100644 index 0000000000000..1d2e8afae6b69 --- /dev/null 
+++ b/content/en/docs/setup/windows/user-guide-windows-containers.md 
@@ -0,0 +1,140 @@ +--- +reviewers: +- michmike +- patricklang +title: Guide for scheduling Windows containers in Kubernetes +content_template: templates/concept +weight: 75 +--- + +{{% capture overview %}} + +Windows applications constitute a large portion of the services and applications that run in many organizations. This guide walks you through the steps to configure and deploy a Windows container in Kubernetes. + +{{% /capture %}} + +{{% capture body %}} + +## Objectives + +* Configure an example deployment to run Windows containers on the Windows node +* (Optional) Configure an Active Directory Identity for your Pod using Group Managed Service Accounts (GMSA) + +## Before you begin + +* Create a Kubernetes cluster that includes a [master and a worker node running Windows Server](../user-guide-windows-nodes) +* It is important to note that creating and deploying services and workloads on Kubernetes behaves in much the same way for Linux and Windows containers. [Kubectl commands](/docs/reference/kubectl/overview/) to interface with the cluster are identical. The example in the section below is provided simply to jumpstart your experience with Windows containers. + +## Getting Started: Deploying a Windows container + +To deploy a Windows container on Kubernetes, you must first create an example application. The example YAML file below creates a simple webserver application. 
Create a service spec named `win-webserver.yaml` with the contents below: + +```yaml + apiVersion: v1 + kind: Service + metadata: + name: win-webserver + labels: + app: win-webserver + spec: + ports: + # the port that this service should serve on + - port: 80 + targetPort: 80 + selector: + app: win-webserver + type: NodePort + --- + apiVersion: extensions/v1beta1 + kind: Deployment + metadata: + labels: + app: win-webserver + name: win-webserver + spec: + replicas: 2 + template: + metadata: + labels: + app: win-webserver + name: win-webserver + spec: + containers: + - name: windowswebserver + image: mcr.microsoft.com/windows/servercore:ltsc2019 + command: + - powershell.exe + - -command + - "<#code used from https://gist.github.com/wagnerandrade/5424431#> ; $$listener = New-Object System.Net.HttpListener ; $$listener.Prefixes.Add('http://*:80/') ; $$listener.Start() ; $$callerCounts = @{} ; Write-Host('Listening at http://*:80/') ; while ($$listener.IsListening) { ;$$context = $$listener.GetContext() ;$$requestUrl = $$context.Request.Url ;$$clientIP = $$context.Request.RemoteEndPoint.Address ;$$response = $$context.Response ;Write-Host '' ;Write-Host('> {0}' -f $$requestUrl) ; ;$$count = 1 ;$$k=$$callerCounts.Get_Item($$clientIP) ;if ($$k -ne $$null) { $$count += $$k } ;$$callerCounts.Set_Item($$clientIP, $$count) ;$$ip=(Get-NetAdapter | Get-NetIpAddress); $$header='

Windows Container Web Server

' ;$$callerCountsString='' ;$$callerCounts.Keys | % { $$callerCountsString+='

IP {0} callerCount {1} ' -f $$ip[1].IPAddress,$$callerCounts.Item($$_) } ;$$footer='' ;$$content='{0}{1}{2}' -f $$header,$$callerCountsString,$$footer ;Write-Output $$content ;$$buffer = [System.Text.Encoding]::UTF8.GetBytes($$content) ;$$response.ContentLength64 = $$buffer.Length ;$$response.OutputStream.Write($$buffer, 0, $$buffer.Length) ;$$response.Close() ;$$responseStatus = $$response.StatusCode ;Write-Host('< {0}' -f $$responseStatus) } ; " + nodeSelector: + beta.kubernetes.io/os: windows +``` + +{{< note >}} +Port mapping is also supported, but for simplicity in this example the container port 80 is exposed directly to the service. +{{< /note >}} + +1. Check that all nodes are healthy: + + ```bash + kubectl get nodes + ``` + +1. Deploy the service and watch for pod updates: + + ```bash + kubectl apply -f win-webserver.yaml + kubectl get pods -o wide -w + ``` + + When the service is deployed correctly both Pods will be marked as Ready. To exit the watch command, press Ctrl+C. + +1. Check that the deployment succeeded. 
To verify: + + * Two containers per pod on the Windows node, use `docker ps` + * Two pods listed from the Linux master, use `kubectl get pods` + * Node-to-pod communication across the network, `curl` port 80 of your pod IPs from the Linux master to check for a web server response + * Pod-to-pod communication, ping between pods (and across hosts, if you have more than one Windows node) using docker exec or kubectl exec + * Service-to-pod communication, `curl` the virtual service IP (seen under `kubectl get services`) from the Linux master and from individual pods + * Service discovery, `curl` the service name with the Kubernetes [default DNS suffix](/docs/concepts/services-networking/dns-pod-service/#services) + * Inbound connectivity, `curl` the NodePort from the Linux master or machines outside of the cluster + * Outbound connectivity, `curl` external IPs from inside the pod using kubectl exec + +{{< note >}} +Windows container hosts are not able to access the IP of services scheduled on them due to current platform limitations of the Windows networking stack. Only Windows pods are able to access service IPs. +{{< /note >}} + +## Managing Workload Identity with Group Managed Service Accounts + +Starting with Kubernetes v1.14, Windows container workloads can be configured to use Group Managed Service Accounts (GMSA). Group Managed Service Accounts are a specific type of Active Directory account that provides automatic password management, simplified service principal name (SPN) management, and the ability to delegate the management to other administrators across multiple servers. Containers configured with a GMSA can access external Active Directory Domain resources while carrying the identity configured with the GMSA. Learn more about configuring and using GMSA for Windows containers [here](/docs/tasks/configure-pod-container/configure-gmsa/). 
+ +## Taints and Tolerations + +Users today will need to use some combination of taints and node selectors in order to keep Linux and Windows workloads on their respective OS-specific nodes. This will likely impose a burden only on Windows users. The recommended approach is outlined below, with one of its main goals being that this approach should not break compatibility for existing Linux workloads. + +### Ensuring OS-specific workloads land on the appropriate container host + +Users can ensure Windows containers can be scheduled on the appropriate host using Taints and Tolerations. All Kubernetes nodes today have the following default labels: + +* beta.kubernetes.io/os = [windows|linux] +* beta.kubernetes.io/arch = [amd64|arm64|...] + +If a Pod specification does not specify a nodeSelector like `"beta.kubernetes.io/os": windows`, it is possible the Pod can be scheduled on any host, Windows or Linux. This can be problematic since a Windows container can only run on Windows and a Linux container can only run on Linux. The best practice is to use a nodeSelector. + +However, we understand that in many cases users have a pre-existing large number of deployments for Linux containers, as well as an ecosystem of off-the-shelf configurations, such as community Helm charts, and programmatic Pod generation cases, such as with Operators. In those situations, you may be hesitant to make the configuration change to add nodeSelectors. The alternative is to use Taints. Because the kubelet can set Taints during registration, it could easily be modified to automatically add a taint when running on Windows only. + +For example: `--register-with-taints='os=Win1809:NoSchedule'` + +By adding a taint to all Windows nodes, nothing will be scheduled on them (that includes existing Linux Pods). In order for a Windows Pod to be scheduled on a Windows node, it would need both the nodeSelector to choose Windows, and the appropriate matching toleration. 
+ +```yaml +nodeSelector: + "beta.kubernetes.io/os": windows +tolerations: + - key: "os" + operator: "Equal" + value: "Win1809" + effect: "NoSchedule" +``` + +{{% /capture %}} diff --git a/content/en/docs/setup/windows/user-guide-windows-nodes.md b/content/en/docs/setup/windows/user-guide-windows-nodes.md new file mode 100644 index 0000000000000..4290832b03a0d --- /dev/null +++ b/content/en/docs/setup/windows/user-guide-windows-nodes.md 
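Review bot: In user-guide-windows-containers.md, the sample Deployment in win-webserver.yaml uses `apiVersion: extensions/v1beta1`, which is deprecated for Deployments; use `apps/v1` and add the `spec.selector` (matchLabels `app: win-webserver`) that apps/v1 requires. In the Taints and Tolerations section, "it could easily be modified to automatically add a taint" reads as a proposal rather than an instruction; say directly that the kubelet is started with `--register-with-taints`, since the toleration example that follows depends on that taint being present.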
@@ -0,0 +1,273 @@ +--- +reviewers: +- michmike +- patricklang +title: Guide for adding Windows Nodes in Kubernetes +content_template: templates/concept +weight: 70 +--- + +{{% capture overview %}} + +The Kubernetes platform can now be used to run both Linux and Windows containers. One or more Windows nodes can be registered to a cluster. This guide shows how to: + +* Register a Windows node to the cluster +* Configure networking so pods on Linux and Windows can communicate + +{{% /capture %}} + +{{% capture body %}} + +## Before you begin + +* Obtain a [Windows Server license](https://www.microsoft.com/en-us/cloud-platform/windows-server-pricing) in order to run the Windows node that will execute the Windows container. You can use your organization's licenses for the cluster, or acquire one from Microsoft, a reseller, or via the major cloud providers such as GCP, AWS, and Azure by provisioning a virtual machine running Windows Server through their marketplaces. A [time-limited trial](https://www.microsoft.com/en-us/cloud-platform/windows-server-trial) is also available. +* Build a Linux-based Kubernetes cluster in which you have access to the control plane (some examples include [Getting Started from Scratch](/docs/setup/scratch/), [kubeadm](/docs/setup/independent/create-cluster-kubeadm/), [AKS Engine](/docs/setup/turnkey/azure/), [GCE](/docs/setup/turnkey/gce/), [AWS](/docs/setup/turnkey/aws/)). + +## Getting Started: Adding a Windows Node to Your Cluster + +### Plan IP Addressing + +Kubernetes cluster management requires careful planning of your IP addresses so that you do not inadvertently cause network collision. This guide assumes that you are familiar with the [Kubernetes networking concepts](/docs/concepts/cluster-administration/networking/). 
+ +In order to deploy your cluster you will need the following address spaces: + +| Subnet / address range | Description | Default value | +| --- | --- | --- | +| Service Subnet | A non-routable, purely virtual subnet that is used by pods to uniformly access services without caring about the network topology. It is translated to/from routable address space by `kube-proxy` running on the nodes. | 10.96.0.0/12 | +| Cluster Subnet | This is a global subnet that is used by all pods in the cluster. Each node is assigned a smaller /24 subnet from this for their pods to use. It must be large enough to accommodate all pods used in your cluster. To calculate *minimumsubnet* size: `(number of nodes) + (number of nodes * maximum pods per node that you configure)`. Example: for a 5 node cluster for 100 pods per node: `(5) + (5 * 100) = 505.` | 10.244.0.0/16 | +| Kubernetes DNS Service IP | IP address of `kube-dns` service that will be used for DNS resolution & cluster service discovery. | 10.96.0.10 | + +Review the networking options supported in 'Intro to Windows containers in Kubernetes: Supported Functionality: Networking' to determine how you need to allocate IP addresses for your cluster. + +### Components that run on Windows + +While the Kubernetes control plane runs on your Linux node(s), the following components will be configured and run on your Windows node(s). + +1. kubelet +2. kube-proxy +3. kubectl (optional) +4. Container runtime + +Get the latest binaries from [https://github.com/kubernetes/kubernetes/releases](https://github.com/kubernetes/kubernetes/releases), starting with v1.14 or later. The Windows-amd64 binaries for kubeadm, kubectl, kubelet, and kube-proxy can be found under the CHANGELOG link. + +### Networking Configuration + +Once you have a Linux-based Kubernetes master node you are ready to choose a networking solution. This guide illustrates using Flannel in VXLAN mode for simplicity. 
+ +#### Configuring Flannel in VXLAN mode on the Linux controller + +1. Prepare Kubernetes master for Flannel + + Some minor preparation is recommended on the Kubernetes master in our cluster. It is recommended to enable bridged IPv4 traffic to iptables chains when using Flannel. This can be done using the following command: + + ```bash + sudo sysctl net.bridge.bridge-nf-call-iptables=1 + ``` + +1. Download & configure Flannel + + Download the most recent Flannel manifest: + + ```bash + wget https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml + ``` + + There are two sections you should modify to enable the vxlan networking backend: + + After applying the steps below, the `net-conf.json` section of `kube-flannel.yml` should look as follows: + + ```json + net-conf.json: | + { + "Network": "10.244.0.0/16", + "Backend": { + "Type": "vxlan", + "VNI" : 4096, + "Port": 4789 + } + } + ``` + + {{< note >}} + The VNI must be set to 4096 and port 4789 for Flannel on Linux to interoperate with Flannel on Windows. Support for other VNIs is coming soon. See the VXLAN documentation at https://github.com/coreos/flannel/blob/master/Documentation/backends.md#vxlan for an explanation of these fields. + {{< /note >}} + +1. In the `net-conf.json` section of your `kube-flannel.yml`, double-check: + 1. The cluster subnet (e.g. "10.244.0.0/16") is set as per your IP plan. + * VNI 4096 is set in the backend + * Port 4789 is set in the backend + 2. In the `cni-conf.json` section of your `kube-flannel.yml`, change the network name to `vxlan0`. + + + Your `cni-conf.json` should look as follows: + + ```json + cni-conf.json: | + { + "name": "vxlan0", + "plugins": [ + { + "type": "flannel", + "delegate": { + "hairpinMode": true, + "isDefaultGateway": true + } + }, + { + "type": "portmap", + "capabilities": { + "portMappings": true + } + } + ] + } + ``` + +1. 
Apply the Flannel yaml and Validate + + Let's apply the Flannel configuration: + + ```bash + kubectl apply -f kube-flannel.yml + ``` + + Next, since the Flannel pods are Linux-based, apply a NodeSelector patch, which can be found [here](https://github.com/Microsoft/SDN/blob/1d5c055bb195fecba07ad094d2d7c18c188f9d2d/Kubernetes/flannel/l2bridge/manifests/node-selector-patch.yml), to the Flannel DaemonSet pod: + + ```bash + kubectl patch ds/kube-flannel-ds-amd64 --patch "$(cat node-selector-patch.yml)" -n=kube-system + ``` + + After a few minutes, you should see all the pods as running if the Flannel pod network was deployed. + + ```bash + kubectl get pods --all-namespaces + ``` + + ![alt_text](../flannel-master-kubeclt-get-pods.png "flannel master kubectl get pods screen capture") + + Verify that the Flannel DaemonSet has the NodeSelector applied. + + ```bash + kubectl get ds -n kube-system + ``` + + ![alt_text](../flannel-master-kubectl-get-ds.png "flannel master kubectl get ds screen capture") + +#### Join Windows Worker + +In this section we'll cover configuring a Windows node from scratch to join a cluster on-prem. If your cluster is on a cloud you'll likely want to follow the cloud specific guides in the next section. + +#### Preparing a Windows Node +{{< note >}} +All code snippets in Windows sections are to be run in a PowerShell environment with elevated permissions (Admin). +{{< /note >}} + +1. Install Docker (requires a system reboot) + + Kubernetes uses [Docker](https://www.docker.com/) as its container engine, so we need to install it. 
You can follow the [official Docs instructions](https://docs.microsoft.com/en-us/virtualization/windowscontainers/manage-docker/configure-docker-daemon#install-docker), the [Docker instructions](https://store.docker.com/editions/enterprise/docker-ee-server-windows), or try the following *recommended* steps: + + ```PowerShell + Enable-WindowsOptionalFeature -FeatureName Containers + Restart-Computer -Force + Install-Module -Name DockerMsftProvider -Repository PSGallery -Force + Install-Package -Name Docker -ProviderName DockerMsftProvider + ``` + + If you are behind a proxy, the following PowerShell environment variables must be defined: + + ```PowerShell + [Environment]::SetEnvironmentVariable("HTTP_PROXY", "http://proxy.example.com:80/", [EnvironmentVariableTarget]::Machine) + [Environment]::SetEnvironmentVariable("HTTPS_PROXY", "http://proxy.example.com:443/", [EnvironmentVariableTarget]::Machine) + ``` + + If after reboot you see the following error, you need to restart the docker service manually + + ![alt_text](../windows-docker-error.png "windows docker error screen capture") + + ```PowerShell + Start-Service docker + ``` + + {{< note >}} + The "pause" (infrastructure) image is hosted on Microsoft Container Registry (MCR). You can access it using "docker pull mcr.microsoft.com/k8s/core/pause:1.0.0". The DOCKERFILE is available at https://github.com/Microsoft/SDN/blob/master/Kubernetes/windows/Dockerfile. + {{< /note >}} + +1. Prepare a Windows directory for Kubernetes + + Create a "Kubernetes for Windows" directory to store Kubernetes binaries as well as any deployment scripts and config files. + + ```PowerShell + mkdir c:\k + ``` + +1. Copy Kubernetes certificate + + Copy the Kubernetes certificate file `$HOME/.kube/config` [from the Linux controller](https://docs.microsoft.com/en-us/virtualization/windowscontainers/kubernetes/creating-a-linux-master#collect-cluster-information) to this new `C:\k` directory on your Windows node. 
+ + Tip: You can use tools such as [xcopy](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/xcopy), [WinSCP](https://winscp.net/eng/download.php), or this [PowerShell wrapper for WinSCP](https://www.powershellgallery.com/packages/WinSCP/5.13.2.0) to transfer the config file between nodes. + +1. Download Kubernetes binaries + + To be able to run Kubernetes, you first need to download the `kubelet` and `kube-proxy` binaries. You download these from the Node Binaries links in the CHANGELOG.md file of the [latest releases](https://github.com/kubernetes/kubernetes/releases/). For example 'kubernetes-node-windows-amd64.tar.gz'. You may also optionally download `kubectl` to run on Windows which you can find under Client Binaries. + + Use the [Expand-Archive](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.archive/expand-archive?view=powershell-6) PowerShell command to extract the archive and place the binaries into `C:\k`. + +#### Join the Windows node to the Flannel cluster + +The Flannel overlay deployment scripts and documentation are available in [this repository](https://github.com/Microsoft/SDN/tree/master/Kubernetes/flannel/overlay). The following steps are a simple walkthrough of the more comprehensive instructions available there. 
+ +Download the [Flannel start.ps1](https://github.com/Microsoft/SDN/blob/master/Kubernetes/flannel/start.ps1) script, the contents of which should be extracted to `C:\k`: + +```PowerShell +cd c:\k +[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 +wget https://raw.githubusercontent.com/Microsoft/SDN/master/Kubernetes/flannel/start.ps1 -o c:\k\start.ps1 +``` + +{{< note >}} +[start.ps1](https://github.com/Microsoft/SDN/blob/master/Kubernetes/flannel/start.ps1) references [install.ps1](https://github.com/Microsoft/SDN/blob/master/Kubernetes/windows/install.ps1), which will download additional files such as the `flanneld` executable and the [Dockerfile for infrastructure pod](https://github.com/Microsoft/SDN/blob/master/Kubernetes/windows/Dockerfile) and install those for you. For overlay networking mode, the [firewall](https://github.com/Microsoft/SDN/blob/master/Kubernetes/windows/helper.psm1#L111) will be opened for local UDP port 4789. There may be multiple powershell windows being opened/closed as well as a few seconds of network outage while the new external vSwitch for the pod network is being created the first time. Run the script using the arguments as specified below: +{{< /note >}} + +```PowerShell +.\start.ps1 -ManagementIP -NetworkMode overlay -ClusterCIDR -ServiceCIDR -KubeDnsServiceIP -LogDir +``` + +| Parameter | Default Value | Notes | +| --- | --- | --- | +| -ManagementIP | N/A (required) | The IP address assigned to the Windows node. You can use `ipconfig` to find this. | +| -NetworkMode | l2bridge | We're using `overlay` here | +| -ClusterCIDR | 10.244.0.0/16 | Refer to your cluster IP plan | +| -ServiceCIDR | 10.96.0.0/12 | Refer to your cluster IP plan | +| -KubeDnsServiceIP | 10.96.0.10 | | +| -InterfaceName | Ethernet | The name of the network interface of the Windows host. You can use ipconfig to find this. 
| +| -LogDir | C:\k | The directory where kubelet and kube-proxy logs are redirected into their respective output files. | + +Now you can view the Windows nodes in your cluster by running the following: + +```bash +kubectl get nodes +``` + +{{< note >}} +You may want to configure your Windows node components like kubelet and kube-proxy to run as services. View the services and background processes section under [troubleshooting](#troubleshooting) for additional instructions. Once you are running the node components as services, collecting logs becomes an important part of troubleshooting. View the [gathering logs](https://github.com/kubernetes/community/blob/master/sig-windows/CONTRIBUTING.md#gathering-logs) section of the contributing guide for further instructions. +{{< /note >}} + +### Public Cloud Providers + +#### Azure + +AKS-Engine can deploy a complete, customizable Kubernetes cluster with both Linux & Windows nodes. There is a step-by-step walkthrough available in the [docs on GitHub](https://github.com/Azure/aks-engine/blob/master/docs/topics/windows.md). + +#### GCP + +Users can easily deploy a complete Kubernetes cluster on GCE following this step-by-step walkthrough on [GitHub](https://github.com/kubernetes/kubernetes/blob/master/cluster/gce/windows/README-GCE-Windows-kube-up.md) + +#### Deployment with kubeadm and cluster API + +Kubeadm is becoming the de facto standard for users to deploy a Kubernetes cluster. Windows node support in kubeadm will come in a future release. We are also making investments in cluster API to ensure Windows nodes are properly provisioned. + +### Next Steps + +Now that you've configured a Windows worker in your cluster to run Windows containers you may want to add one or more Linux nodes as well to run Linux containers. You are now ready to schedule Windows containers on your cluster. + +{{% /capture %}} 
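Review bot: In user-guide-windows-nodes.md, the join step downloads start.ps1 from the `master` branch of Microsoft/SDN and runs it in an elevated PowerShell session, and the note says it in turn fetches install.ps1, flanneld and other files; kube-flannel.yml is likewise pulled from `master`. Pin these URLs to a commit or release, as the node-selector-patch.yml link in this same file already does, so the steps are reproducible and a later upstream change is not run with Admin rights unreviewed. Separately, the "Copy Kubernetes certificate" step copies `$HOME/.kube/config`, which is a kubeconfig holding cluster credentials rather than a certificate; name it accurately and mention that the copy in `C:\k` needs to be protected.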
diff --git a/content/en/docs/getting-started-guides/windows/windows-docker-error.png b/content/en/docs/setup/windows/windows-docker-error.png similarity index 100% rename from content/en/docs/getting-started-guides/windows/windows-docker-error.png rename to content/en/docs/setup/windows/windows-docker-error.png From ae5d409df5c72f3ea03e5c5782394d90b5dd81d2 Mon Sep 17 00:00:00 2001 From: Michael Michael Date: Fri, 22 Mar 2019 09:58:25 -0500 Subject: [PATCH 44/47] update to windows docs for 1.14 (#13322) * Update intro-windows-in-kubernetes.md * Update intro-windows-in-kubernetes.md * Update intro-windows-in-kubernetes.md * Update intro-windows-in-kubernetes.md * Update intro-windows-in-kubernetes.md * Update user-guide-windows-containers.md * Update user-guide-windows-nodes.md --- .../windows/intro-windows-in-kubernetes.md | 94 +++++++++++++------ .../windows/user-guide-windows-containers.md | 4 +- .../setup/windows/user-guide-windows-nodes.md | 10 +- 3 files changed, 72 insertions(+), 36 deletions(-) diff --git a/content/en/docs/setup/windows/intro-windows-in-kubernetes.md b/content/en/docs/setup/windows/intro-windows-in-kubernetes.md index ed841d0213c1e..4c255149bc76f 100644 --- a/content/en/docs/setup/windows/intro-windows-in-kubernetes.md +++ b/content/en/docs/setup/windows/intro-windows-in-kubernetes.md 
@@ -22,7 +22,7 @@ To enable the orchestration of Windows containers in Kubernetes, simply include In order to run Windows containers, your Kubernetes cluster must include multiple operating systems, with control plane nodes running Linux and workers running either Windows or Linux depending on your workload needs. Windows Server 2019 is the only Windows operating system supported, enabling [Kubernetes Node](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/architecture/architecture.md#the-kubernetes-node) on Windows (including kubelet, [container runtime](https://docs.microsoft.com/en-us/virtualization/windowscontainers/deploy-containers/containerd), and kube-proxy). For a detailed explanation of Windows distribution channels see the [Microsoft documentation](https://docs.microsoft.com/en-us/windows-server/get-started-19/servicing-channels-19). {{< note >}} -The Kubernetes control plane, including the [master components](/docs/concepts/overview/components/), will continue to run on Linux. There are no plans to have a Windows-only Kubernetes cluster. +The Kubernetes control plane, including the [master components](/docs/concepts/overview/components/), continues to run on Linux. There are no plans to have a Windows-only Kubernetes cluster. {{< /note >}} {{< note >}} 
@@ -44,6 +44,9 @@ Let's start with the operating system version. Refer to the following table for | | *Windows Server 1709* | *Windows Server 1803* | *Windows Server 1809/Windows Server 2019* | | *Kubernetes v1.14* | Not Supported | Not Supported| Supported for Windows Server containers Builds 17763.* with Docker EE-basic 18.09 | +{{< note >}} +We don't expect all Windows customers to update the operating system for their apps frequently. Upgrading your applications is what dictates and necessitates upgrading or introducing new nodes to the cluster. For the customers that chose to upgrade their operating system for containers running on Kubernetes, we will offer guidance and step-by-step instructions when we add support for a new operating system version. This guidance will include recommended upgrade procedures for upgrading user applications together with cluster nodes. Windows nodes adhere to Kubernetes [version-skew policy](/docs/setup/version-skew-policy/) (node to control plane versioning) the same way as Linux nodes do today. +{{< /note >}} {{< note >}} The Windows Server Host Operating System is subject to the [Windows Server ](https://www.microsoft.com/en-us/cloud-platform/windows-server-pricing) licensing. The Windows Container images are subject to the [Supplemental License Terms for Windows containers](https://docs.microsoft.com/en-us/virtualization/windowscontainers/images-eula). {{< /note >}} 
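Review bot: In the added note in intro-windows-in-kubernetes.md, "For the customers that chose to upgrade" should read "choose", and "is what dictates and necessitates upgrading" can be shortened to "dictates upgrading". The note also promises guidance and step-by-step instructions without saying where they will be published; either link the location or drop the promise until the content exists.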
@@ -51,7 +54,7 @@ The Windows Server Host Operating System is subject to the [Windows Server ](htt Windows containers with process isolation have strict compatibility rules, [where the host OS version must match the container base image OS version](https://docs.microsoft.com/en-us/virtualization/windowscontainers/deploy-containers/version-compatibility). Once we support Windows containers with Hyper-V isolation in Kubernetes, the limitation and compatibility rules will change. {{< /note >}} -Key Kubernetes elements work the same way in Windows as they do in Linux. In this section, we will talk about some of the key workload enablers and how they map to Windows. +Key Kubernetes elements work the same way in Windows as they do in Linux. In this section, we talk about some of the key workload enablers and how they map to Windows. * [Pods](/docs/concepts/workloads/pods/pod-overview/) 
@@ -131,7 +134,7 @@ Windows supports five different networking drivers/modes: L2bridge, L2tunnel, Ov | L2bridge | Containers are attached to an external vSwitch. Containers are attached to the underlay network, although the physical network doesn't need to learn the container MACs because they are rewritten on ingress/egress. Inter-container traffic is bridged inside the container host. | MAC is rewritten to host MAC, IP remains the same. | [win-bridge](https://github.com/containernetworking/plugins/tree/master/plugins/main/windows/win-bridge), [Azure-CNI](https://github.com/Azure/azure-container-networking/blob/master/docs/cni.md), Flannel host-gateway uses win-bridge | win-bridge uses L2bridge network mode, connects containers to the underlay of hosts, offering best performance. Requires L2 adjacency between container hosts | | L2Tunnel | This is a special case of l2bridge, but only used on Azure. All packets are sent to the virtualization host where SDN policy is applied. | MAC rewritten, IP visible on the underlay network | [Azure-CNI](https://github.com/Azure/azure-container-networking/blob/master/docs/cni.md) | Azure-CNI allows integration of containers with Azure vNET, and allows them to leverage the set of capabilities that [Azure Virtual Network provides](https://azure.microsoft.com/en-us/services/virtual-network/). For example, securely connect to Azure services or use Azure NSGs. See [azure-cni for some examples](https://docs.microsoft.com/en-us/azure/aks/concepts-network#azure-cni-advanced-networking) | | Overlay (Overlay networking for Windows in Kubernetes is in *alpha* stage) | Containers are given a vNIC connected to an external vSwitch. Each overlay network gets its own IP subnet, defined by a custom IP prefix.The overlay network driver uses VXLAN encapsulation. | Encapsulated with an outer header, inner packet remains the same. 
| [Win-overlay](https://github.com/containernetworking/plugins/tree/master/plugins/main/windows/win-overlay), Flannel VXLAN (uses win-overlay) | win-overlay should be used when virtual container networks are desired to be isolated from underlay of hosts (e.g. for security reasons). Allows for IPs to be re-used for different overlay networks (which have different VNID tags) if you are restricted on IPs in your datacenter. This option may be used when the container hosts are not L2 adjacent but have L3 connectivity | -| Transparent (special use case for [ovn-kubernetes](https://github.com/openvswitch/ovn-kubernetes)) | Requires an external vSwitch. Containers are attached to an external vSwitch which will enable intra-pod communication via logical networks (logical switches and routers). | Packet is encapsulated either via [GENEVE](https://datatracker.ietf.org/doc/draft-gross-geneve/) or [STT](https://datatracker.ietf.org/doc/draft-davie-stt/) tunneling to reach pods which are not on the same host.
Packets are forwarded or dropped via the tunnel metadata information supplied by the ovn network controller.
NAT is done for north-south communication. | [ovn-kubernetes](https://github.com/openvswitch/ovn-kubernetes) | [Deploy via ansible](https://github.com/openvswitch/ovn-kubernetes/tree/master/contrib). Distributed ACLs can be applied via Kubernetes policies. IPAM support. Load-balancing can be achieved without kube-proxy. NATing is done without using iptables/netsh. | +| Transparent (special use case for [ovn-kubernetes](https://github.com/openvswitch/ovn-kubernetes)) | Requires an external vSwitch. Containers are attached to an external vSwitch which enables intra-pod communication via logical networks (logical switches and routers). | Packet is encapsulated either via [GENEVE](https://datatracker.ietf.org/doc/draft-gross-geneve/) or [STT](https://datatracker.ietf.org/doc/draft-davie-stt/) tunneling to reach pods which are not on the same host.
Packets are forwarded or dropped via the tunnel metadata information supplied by the ovn network controller.
NAT is done for north-south communication. | [ovn-kubernetes](https://github.com/openvswitch/ovn-kubernetes) | [Deploy via ansible](https://github.com/openvswitch/ovn-kubernetes/tree/master/contrib). Distributed ACLs can be applied via Kubernetes policies. IPAM support. Load-balancing can be achieved without kube-proxy. NATing is done without using iptables/netsh. | | NAT (*not used in Kubernetes*) | Containers are given a vNIC connected to an internal vSwitch. DNS/DHCP is provided using an internal component called [WinNAT](https://blogs.technet.microsoft.com/virtualization/2016/05/25/windows-nat-winnat-capabilities-and-limitations/) | MAC and IP is rewritten to host MAC/IP. | [nat](https://github.com/Microsoft/windows-container-networking/tree/master/plugins/nat) | Included here for completeness | As outlined above, the [Flannel](https://github.com/coreos/flannel) CNI [meta plugin](https://github.com/containernetworking/plugins/tree/master/plugins/meta/flannel) is also supported on [Windows](https://github.com/containernetworking/plugins/tree/master/plugins/meta/flannel#windows-support-experimental) via the [VXLAN network backend](https://github.com/coreos/flannel/blob/master/Documentation/backends.md#vxlan) (**alpha support** ; delegates to win-overlay) and [host-gateway network backend](https://github.com/coreos/flannel/blob/master/Documentation/backends.md#host-gw) (stable support; delegates to win-bridge). This plugin supports delegating to one of the reference CNI plugins (win-overlay, win-bridge), to work in conjunction with Flannel daemon on Windows (Flanneld) for automatic node subnet lease assignment and HNS network creation. This plugin reads in its own configuration file (net-conf.json), and aggregates it with the environment variables from the FlannelD generated subnet.env file. It then delegates to one of the reference CNI plugins for network plumbing, and sends the correct configuration containing the node-assigned subnet to the IPAM plugin (e.g. 
host-local). 
@@ -182,20 +185,20 @@ Windows has strict compatibility rules, where the host OS version must match the ##### Memory Reservations and Handling -Windows does not have an out-of-memory process killer as Linux does. Windows always treats all user-mode memory allocations as virtual, and pagefiles are mandatory. The net effect is that Windows won't reach out of memory conditions the same way Linux does, and processes will page to disk instead of being subject to out of memory (OOM) termination. If memory is over-provisioned and all physical memory is exhausted, then paging can slow down performance. +Windows does not have an out-of-memory process killer as Linux does. Windows always treats all user-mode memory allocations as virtual, and pagefiles are mandatory. The net effect is that Windows won't reach out of memory conditions the same way Linux does, and processes page to disk instead of being subject to out of memory (OOM) termination. If memory is over-provisioned and all physical memory is exhausted, then paging can slow down performance. -Keeping memory usage within reasonable bounds is possible with a two-step process. First, use the kubelet parameters `--kubelet-reserve` and/or `--system-reserve` to account for memory usage on the node (outside of containers). This will reduce [NodeAllocatable](/docs/tasks/administer-cluster/reserve-compute-resources/#node-allocatable)). As you deploy workloads, use resource limits (must set only limits or limits must equal requests) on containers. This will also subtract from NodeAllocatable and prevent the scheduler from adding more pods once a node is full. +Keeping memory usage within reasonable bounds is possible with a two-step process. First, use the kubelet parameters `--kubelet-reserve` and/or `--system-reserve` to account for memory usage on the node (outside of containers). This reduces [NodeAllocatable](/docs/tasks/administer-cluster/reserve-compute-resources/#node-allocatable)). 
As you deploy workloads, use resource limits (must set only limits or limits must equal requests) on containers. This also subtracts from NodeAllocatable and prevents the scheduler from adding more pods once a node is full. A best practice to avoid over-provisioning is to configure the kubelet with a system reserved memory of at least 2GB to account for Windows, Docker, and Kubernetes processes. The behavior of the flags behave differently as described below: -* --kubelet-reserve, --system-reserve , and --eviction-hard flags update Node Allocatable -* Eviction by using --enforce-node-allocable is not implemented -* Eviction by using --eviction-hard and --eviction-soft are not implemented +* `--kubelet-reserve`, `--system-reserve` , and `--eviction-hard` flags update Node Allocatable +* Eviction by using `--enforce-node-allocable` is not implemented +* Eviction by using `--eviction-hard` and `--eviction-soft` are not implemented * MemoryPressure Condition is not implemented * There are no OOM eviction actions taken by the kubelet -* Kubelet running on the windows node does not have memory restrictions. --kubelet-reserve and --system-reserve do not set limits on kubelet or processes running the host. This means kubelet or a process on the host could cause memory resource starvation outside the node-allocatable and scheduler +* Kubelet running on the windows node does not have memory restrictions. `--kubelet-reserve` and `--system-reserve` do not set limits on kubelet or processes running the host. This means kubelet or a process on the host could cause memory resource starvation outside the node-allocatable and scheduler #### Storage @@ -218,6 +221,7 @@ As a result, the following storage functionality is not supported on Windows nod * CSI plugins which require privileged containers * File system features like uui/guid, per-user Linux filesystem permissions * NFS based storage/volume support +* Expanding the mounted volume (resizefs) #### Networking 
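Review bot: the flag names put in backticks in the memory-reservation bullets above are not the kubelet's actual flags: the kubelet takes `--kube-reserved`, `--system-reserved` and `--enforce-node-allocatable`, while these lines keep `--kubelet-reserve`, `--system-reserve` and `--enforce-node-allocable`. Code formatting invites copy and paste, so correct the spellings in the same change, here and in the "two-step process" paragraph. Two smaller points in the same hunk: the NodeAllocatable link still ends with a stray `)`, and "`--system-reserve` ," has a space before the comma. Since the last bullet says the reservations place no limit on the kubelet or host processes, it would help to say what an operator should use to bound them, or to state plainly that nothing does.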
@@ -228,14 +232,16 @@ The Windows host networking networking service and virtual switch implement name The following networking functionality is not supported on Windows nodes * Host networking mode is not available for Windows pods -* Local NodePort access from the node itself will fail (works for other nodes or external clients) +* Local NodePort access from the node itself fails (works for other nodes or external clients) * Accessing service VIPs from nodes will be available with a future release of Windows Server * Overlay networking support in kube-proxy is an alpha release. In addition, it requires [KB4482887](https://support.microsoft.com/en-us/help/4482887/windows-10-update-kb4482887) to be installed on Windows Server 2019 +* `kubectl port-forward` +* Local Traffic Policy and DSR mode * Outbound communication using the ICMP protocol via the win-overlay, win-bridge, and Azure-CNI plugin. Specifically, the Windows data plane ([VFP](https://www.microsoft.com/en-us/research/project/azure-virtual-filtering-platform/)) doesn't support ICMP packet transpositions. This means: - * ICMP packets directed to destinations within the same network (e.g. pod to pod communication via ping) will work as expected and without any limitations - * TCP/UDP packets will work as expected and without any limitations + * ICMP packets directed to destinations within the same network (e.g. pod to pod communication via ping) work as expected and without any limitations + * TCP/UDP packets work as expected and without any limitations * ICMP packets directed to pass through a remote network (e.g. pod to external internet communication via ping) cannot be transposed and thus will not be routed back to their source - * Since TCP/UDP packets can still be transposed, one can substitute **ping ** with **curl ** to be able to debug connectivity to the outside world. 
+ * Since TCP/UDP packets can still be transposed, one can substitute `ping ` with `curl ` to be able to debug connectivity to the outside world. ##### CNI Plugins 
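Review bot: the two bullets added to the unsupported-networking list, `kubectl port-forward` and "Local Traffic Policy and DSR mode", are bare names with no explanation, unlike the neighbouring items that say what fails and from where. Give each a short sentence stating what does not work on Windows nodes, so a reader does not have to guess whether the limitation is in kubectl, kube-proxy or the CNI plugin.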
@@ -243,12 +249,12 @@ The following networking functionality is not supported on Windows nodes * The Flannel VXLAN CNI has the following limitations on Windows: 1. Node-pod connectivity isn't possible by design. It's only possible for local pods with Flannel [PR 1096](https://github.com/coreos/flannel/pull/1096) -2. We are restricted to using VNI 4096 and UDP port 4789. The VNI limitation is being worked on and will be overcome (open-source flannel changes). See official [Flannel VXLAN ](https://github.com/coreos/flannel/blob/master/Documentation/backends.md#vxlan)backend docs for more details on these parameters. +2. We are restricted to using VNI 4096 and UDP port 4789. The VNI limitation is being worked on and will be overcome in a future release (open-source flannel changes). See the official [Flannel VXLAN](https://github.com/coreos/flannel/blob/master/Documentation/backends.md#vxlan) backend docs for more details on these parameters. ##### DNS {#dns-limitations} * ClusterFirstWithHostNet is not supported for DNS. Windows treats all names with a '.' as a FQDN and skips PQDN resolution -* On Linux, you have a DNS suffix list, which is used when trying to resolve PQDNs. On Windows, we only have 1 DNS suffix, which is the DNS suffix associated with that pod's namespace (mydns.svc.cluster.local for example). Windows can resolve FQDNs and services or names resolvable with just that suffix. For example, a pod spawned in the default namespace, will have the DNS suffix **default.svc.cluster.local**. On a Windows pod, we will be able to resolve both **kubernetes.default.svc.cluster.local** and **kubernetes**, but not the in-betweens, like **kubernetes.default** or **kubernetes.default.svc**. +* On Linux, you have a DNS suffix list, which is used when trying to resolve PQDNs. On Windows, we only have 1 DNS suffix, which is the DNS suffix associated with that pod's namespace (mydns.svc.cluster.local for example). 
Windows can resolve FQDNs and services or names resolvable with just that suffix. For example, a pod spawned in the default namespace, will have the DNS suffix **default.svc.cluster.local**. On a Windows pod, you can resolve both **kubernetes.default.svc.cluster.local** and **kubernetes**, but not the in-betweens, like **kubernetes.default** or **kubernetes.default.svc**. ##### Security 
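Review bot: the voice is now mixed within the DNS bullet: the change rewrites "we will be able to resolve" to "you can resolve" but leaves "On Windows, we only have 1 DNS suffix" in the sentence before it, and the Flannel item still reads "We are restricted to using VNI 4096 and UDP port 4789". Pick one form for the section, for example "On Windows, there is only 1 DNS suffix" and "Flannel on Windows is restricted to VNI 4096 and UDP port 4789".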
@@ -269,15 +275,15 @@ There are no differences in how most of the Kubernetes APIs work for Windows. Th At a high level, these OS concepts are different: -* Identity - Linux uses userID (UID) and groupID (GID) which are represented as integer types. User and group names are not canonical - they are just an alias in /etc/groups or /etc/passwd back to UID+GID. Windows uses a larger binary security identifier (SID) which is stored in the Windows Security Access Manager (SAM) database. This database is not shared between the host and containers, or between containers. +* Identity - Linux uses userID (UID) and groupID (GID) which are represented as integer types. User and group names are not canonical - they are just an alias in `/etc/groups` or `/etc/passwd` back to UID+GID. Windows uses a larger binary security identifier (SID) which is stored in the Windows Security Access Manager (SAM) database. This database is not shared between the host and containers, or between containers. * File permissions - Windows uses an access control list based on SIDs, rather than a bitmask of permissions and UID+GID * File paths - convention on Windows is to use **\** instead of **/**. The Go IO libraries typically accept both and just make it work, but when you're setting a path or command line that's interpreted inside a container, **\** may be needed. 
* Signals - Windows interactive apps handle termination differently, and can implement one or more of these: - * A UI thread will handle well-defined messages including WM_CLOSE - * Console apps will handle ctrl-c or ctrl-break using a Control Handler - * Services will register a Service Control Handler function that can accept SERVICE_CONTROL_STOP control codes + * A UI thread handles well-defined messages including WM_CLOSE + * Console apps handle ctrl-c or ctrl-break using a Control Handler + * Services register a Service Control Handler function that can accept SERVICE_CONTROL_STOP control codes -Exit Codes follow the same convention where 0 is success, nonzero is failure. The specific error codes may differ across Windows and Linux. However, exit codes passed from the Kubernetes components (kubelet, kube-proxy) will be unchanged. +Exit Codes follow the same convention where 0 is success, nonzero is failure. The specific error codes may differ across Windows and Linux. However, exit codes passed from the Kubernetes components (kubelet, kube-proxy) are unchanged. ##### V1.Container 
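Review bot: the Identity bullet now formats `/etc/groups` as a literal path, but the Linux group database is `/etc/group`; fix the name while the line is being touched. The same bullet expands SAM as "Security Access Manager", and the Windows component is the Security Account Manager. In the File paths bullet, `**\**` and `**/**` would be better as code spans, matching the backticks this change introduces elsewhere.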
@@ -300,7 +306,7 @@ Exit Codes follow the same convention where 0 is success, nonzero is failure. Th * V1.Pod.hostIPC, v1.pod.hostpid - host namespace sharing is not possible on Windows * V1.Pod.hostNetwork - There is no Windows OS support to share the host network * V1.Pod.dnsPolicy - ClusterFirstWithHostNet - is not supported because Host Networking is not supported on Windows. -* V1.Pod.podSecurityContext - see [V1.PodSecurityContext](https://github.com/kubernetes/enhancements/blob/master/keps/sig-windows/20190103-windows-node-support.md#v1podsecuritycontext) +* V1.Pod.podSecurityContext - see V1.PodSecurityContext below * V1.Pod.shareProcessNamespace - this is a beta feature, and depends on Linux namespaces which are not implemented on Windows. Windows cannot share process namespaces or the container's root filesystem. Only the network can be shared. * V1.Pod.terminationGracePeriodSeconds - this is not fully implemented in Docker on Windows, see: [reference](https://github.com/moby/moby/issues/25982). The behavior today is that the ENTRYPOINT process is sent CTRL_SHUTDOWN_EVENT, then Windows waits 5 seconds by default, and finally shuts down all processes using the normal Windows shutdown behavior. The 5 second default is actually in the Windows registry [inside the container](https://github.com/moby/moby/issues/25982#issuecomment-426441183), so it can be overridden when the container is built. * V1.Pod.volumeDevices - this is a beta feature, and is not implemented on Windows. Windows cannot attach raw block devices to pods. 
@@ -420,7 +426,7 @@ Your main source of help for troubleshooting your Kubernetes cluster should star Windows Pods do not have outbound rules programmed for the ICMP protocol today. However, TCP/UDP is supported. When trying to demonstrate connectivity to resources outside of the cluster, please substitute `ping ` with corresponding `curl ` commands. - If you are still facing problems, most likely your network configuration in [cni.conf](https://github.com/Microsoft/SDN/blob/master/Kubernetes/flannel/l2bridge/cni/config/cni.conf) deserves some extra attention. You can always edit this static file, the configuration will be applied to any newly created Kubernetes resources. + If you are still facing problems, most likely your network configuration in [cni.conf](https://github.com/Microsoft/SDN/blob/master/Kubernetes/flannel/l2bridge/cni/config/cni.conf) deserves some extra attention. You can always edit this static file. The configuration update will apply to any newly created Kubernetes resources. One of the Kubernetes networking requirements (see [Kubernetes model](/docs/concepts/cluster-administration/networking/)) is for cluster communication to occur without NAT internally. To honor this requirement, there is an [ExceptionList](https://github.com/Microsoft/SDN/blob/master/Kubernetes/flannel/l2bridge/cni/config/cni.conf#L20) for all the communication where we do not want outbound NAT to occur. However, this also means that you need to exclude the external IP you are trying to query from the ExceptionList. Only then will the traffic originating from your Windows pods be SNAT'ed correctly to receive a response from the outside world. In this regard, your ExceptionList in `cni.conf` should look as follows: 
@@ -434,7 +440,7 @@ Your main source of help for troubleshooting your Kubernetes cluster should star 1. My Windows node cannot access NodePort service - Local NodePort access from the node itself will fail. This is a known limitation. NodePort access will work from other nodes or external clients. + Local NodePort access from the node itself fails. This is a known limitation. NodePort access works from other nodes or external clients. 1. vNICs and HNS endpoints of containers are being deleted @@ -446,7 +452,7 @@ Your main source of help for troubleshooting your Kubernetes cluster should star 1. With flannel my nodes are having issues after rejoining a cluster - Whenever a previously deleted node is being re-joined to the cluster, flannelD will try to assign a new pod subnet to the node. Users should remove the old pod subnet configuration files in the following paths: + Whenever a previously deleted node is being re-joined to the cluster, flannelD tries to assign a new pod subnet to the node. Users should remove the old pod subnet configuration files in the following paths: ```powershell Remove-Item C:\k\SourceVip.json 
@@ -490,13 +496,15 @@ Your main source of help for troubleshooting your Kubernetes cluster should star 1. My Pods are stuck at "Container Creating" or restarting over and over - Check that your pause image is compatible with your OS version. The [instructions](https://docs.microsoft.com/en-us/virtualization/windowscontainers/kubernetes/deploying-resources) assume that both the OS and the containers are version 1803. If you have a later version of Windows, such as an Insider build, you will need to adjust the images accordingly. Please refer to the Microsoft's [Docker repository](https://hub.docker.com/u/microsoft/) for images. Regardless, both the pause image Dockerfile and the sample service will expect the image to be tagged as :latest. + Check that your pause image is compatible with your OS version. The [instructions](https://docs.microsoft.com/en-us/virtualization/windowscontainers/kubernetes/deploying-resources) assume that both the OS and the containers are version 1803. If you have a later version of Windows, such as an Insider build, you need to adjust the images accordingly. Please refer to the Microsoft's [Docker repository](https://hub.docker.com/u/microsoft/) for images. Regardless, both the pause image Dockerfile and the sample service expect the image to be tagged as :latest. - With Kubernetes v1.14, Microsoft will release the pause infrastructure container at mcr.microsoft.com/k8s/core/pause:1.0.0. For more information search for "pause" in the "Guide for adding Windows Nodes in Kubernetes". + Starting with Kubernetes v1.14, Microsoft releases the pause infrastructure container at `mcr.microsoft.com/k8s/core/pause:1.0.0`. For more information search for "pause" in the [Guide for adding Windows Nodes in Kubernetes](../user-guide-windows-nodes). -### Further investigation +1. DNS resolution is not properly working -Check the DNS limitations for Windows in this [section](#dns-limitations). 
+ Check the DNS limitations for Windows in this [section](#dns-limitations). + +### Further investigation If these steps don't resolve your problem, you can get help running Windows containers on Windows nodes in Kubernetes through: 
@@ -526,13 +534,41 @@ We have a lot of features in our roadmap. An abbreviated high level list is incl ContainerD is another OCI-compliant runtime that recently graduated as a CNCF project. It's currently tested on Linux, but 1.3 will bring support for Windows and Hyper-V. [[reference](https://blog.docker.com/2019/02/containerd-graduates-within-the-cncf/)] -The CRI-ContainerD interface will be able to manage sandboxes based on Hyper-V. This provides a foundation where RuntimeClasses could be implemented for new use cases including: +The CRI-ContainerD interface will be able to manage sandboxes based on Hyper-V. This provides a foundation where RuntimeClass could be implemented for new use cases including: * Hypervisor-based isolation between pods for additional security * Backwards compatibility allowing a node to run a newer Windows Server version without requiring containers to be rebuilt * Specific CPU/NUMA settings for a pod * Memory isolation and reservations +### Hyper-V isolation + +The existing Hyper-V isolation support, an experimental feature as of v1.10, will be deprecated in the future in favor of the CRI-ContainerD and RuntimeClass features mentioned above. To use the current features and create a Hyper-V isolated container, the kubelet should be started with feature gates `HyperVContainer=true` and the Pod should include the annotation `experimental.windows.kubernetes.io/isolation-type=hyperv`. In the experiemental release, this feature is limited to 1 container per Pod. + +```yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: iis +spec: + selector: + matchLabels: + app: iis + replicas: 3 + template: + metadata: + labels: + app: iis + annotations: + experimental.windows.kubernetes.io/isolation-type: hyperv + spec: + containers: + - name: iis + image: microsoft/iis + ports: + - containerPort: 80 +``` + ### Deployment with kubeadm and cluster API Kubeadm is becoming the de facto standard for users to deploy a Kubernetes cluster. 
Windows node support in kubeadm will come in a future release. We are also making investments in cluster API to ensure Windows nodes are properly provisioned. diff --git a/content/en/docs/setup/windows/user-guide-windows-containers.md b/content/en/docs/setup/windows/user-guide-windows-containers.md index 1d2e8afae6b69..0928f394f8d92 100644 --- a/content/en/docs/setup/windows/user-guide-windows-containers.md +++ b/content/en/docs/setup/windows/user-guide-windows-containers.md @@ -87,7 +87,7 @@ Port mapping is also supported, but for simplicity in this example the container kubectl get pods -o wide -w ``` - When the service is deployed correctly both Pods will be marked as Ready. To exit the watch command, press Ctrl+C. + When the service is deployed correctly both Pods are marked as Ready. To exit the watch command, press Ctrl+C. 1. Check that the deployment succeeded. To verify: @@ -110,7 +110,7 @@ Starting with Kubernetes v1.14, Windows container workloads can be configured to ## Taints and Tolerations -Users today will need to use some combination of taints and node selectors in order to keep Linux and Windows workloads on their respective OS-specific nodes. This will likely impose a burden only on Windows users. The recommended approach is outlined below, with one of its main goals being that this approach should not break compatibility for existing Linux workloads. +Users today need to use some combination of taints and node selectors in order to keep Linux and Windows workloads on their respective OS-specific nodes. This likely imposes a burden only on Windows users. The recommended approach is outlined below, with one of its main goals being that this approach should not break compatibility for existing Linux workloads. ### Ensuring OS-specific workloads land on the appropriate container host 
diff --git a/content/en/docs/setup/windows/user-guide-windows-nodes.md b/content/en/docs/setup/windows/user-guide-windows-nodes.md index 4290832b03a0d..454e67084b33e 100644 --- a/content/en/docs/setup/windows/user-guide-windows-nodes.md +++ b/content/en/docs/setup/windows/user-guide-windows-nodes.md @@ -20,7 +20,7 @@ The Kubernetes platform can now be used to run both Linux and Windows containers ## Before you begin -* Obtain a [Windows Server license](https://www.microsoft.com/en-us/cloud-platform/windows-server-pricing) in order to run the Windows node that will execute the Windows container. You can use your organization's licenses for the cluster, or acquire one from Microsoft, a reseller, or via the major cloud providers such as GCP, AWS, and Azure by provisioning a virtual machine running Windows Server through their marketplaces. A [time-limited trial](https://www.microsoft.com/en-us/cloud-platform/windows-server-trial) is also available. +* Obtain a [Windows Server license](https://www.microsoft.com/en-us/cloud-platform/windows-server-pricing) in order to configure the Windows node that hosts Windows containers. You can use your organization's licenses for the cluster, or acquire one from Microsoft, a reseller, or via the major cloud providers such as GCP, AWS, and Azure by provisioning a virtual machine running Windows Server through their marketplaces. A [time-limited trial](https://www.microsoft.com/en-us/cloud-platform/windows-server-trial) is also available. * Build a Linux-based Kubernetes cluster in which you have access to the control plane (some examples include [Getting Started from Scratch](/docs/setup/scratch/), [kubeadm](/docs/setup/independent/create-cluster-kubeadm/), [AKS Engine](/docs/setup/turnkey/azure/), [GCE](/docs/setup/turnkey/gce/), [AWS](/docs/setup/turnkey/aws/)). ## Getting Started: Adding a Windows Node to Your Cluster 
@@ -29,19 +29,19 @@ The Kubernetes platform can now be used to run both Linux and Windows containers Kubernetes cluster management requires careful planning of your IP addresses so that you do not inadvertently cause network collision. This guide assumes that you are familiar with the [Kubernetes networking concepts](/docs/concepts/cluster-administration/networking/). -In order to deploy your cluster you will need the following address spaces: +In order to deploy your cluster you need the following address spaces: | Subnet / address range | Description | Default value | | --- | --- | --- | | Service Subnet | A non-routable, purely virtual subnet that is used by pods to uniformly access services without caring about the network topology. It is translated to/from routable address space by `kube-proxy` running on the nodes. | 10.96.0.0/12 | | Cluster Subnet | This is a global subnet that is used by all pods in the cluster. Each node is assigned a smaller /24 subnet from this for their pods to use. It must be large enough to accommodate all pods used in your cluster. To calculate *minimumsubnet* size: `(number of nodes) + (number of nodes * maximum pods per node that you configure)`. Example: for a 5 node cluster for 100 pods per node: `(5) + (5 * 100) = 505.` | 10.244.0.0/16 | -| Kubernetes DNS Service IP | IP address of `kube-dns` service that will be used for DNS resolution & cluster service discovery. | 10.96.0.10 | +| Kubernetes DNS Service IP | IP address of `kube-dns` service that is used for DNS resolution & cluster service discovery. | 10.96.0.10 | Review the networking options supported in 'Intro to Windows containers in Kubernetes: Supported Functionality: Networking' to determine how you need to allocate IP addresses for your cluster. ### Components that run on Windows -While the Kubernetes control plane runs on your Linux node(s), the following components will be configured and run on your Windows node(s). 
+While the Kubernetes control plane runs on your Linux node(s), the following components are configured and run on your Windows node(s). 1. kubelet 2. kube-proxy @@ -225,7 +225,7 @@ wget https://raw.githubusercontent.com/Microsoft/SDN/master/Kubernetes/flannel/s ``` {{< note >}} -[start.ps1](https://github.com/Microsoft/SDN/blob/master/Kubernetes/flannel/start.ps1) references [install.ps1](https://github.com/Microsoft/SDN/blob/master/Kubernetes/windows/install.ps1), which will download additional files such as the `flanneld` executable and the [Dockerfile for infrastructure pod](https://github.com/Microsoft/SDN/blob/master/Kubernetes/windows/Dockerfile) and install those for you. For overlay networking mode, the [firewall](https://github.com/Microsoft/SDN/blob/master/Kubernetes/windows/helper.psm1#L111) will be opened for local UDP port 4789. There may be multiple powershell windows being opened/closed as well as a few seconds of network outage while the new external vSwitch for the pod network is being created the first time. Run the script using the arguments as specified below: +[start.ps1](https://github.com/Microsoft/SDN/blob/master/Kubernetes/flannel/start.ps1) references [install.ps1](https://github.com/Microsoft/SDN/blob/master/Kubernetes/windows/install.ps1), which downloads additional files such as the `flanneld` executable and the [Dockerfile for infrastructure pod](https://github.com/Microsoft/SDN/blob/master/Kubernetes/windows/Dockerfile) and install those for you. For overlay networking mode, the [firewall](https://github.com/Microsoft/SDN/blob/master/Kubernetes/windows/helper.psm1#L111) is opened for local UDP port 4789. There may be multiple powershell windows being opened/closed as well as a few seconds of network outage while the new external vSwitch for the pod network is being created the first time. Run the script using the arguments as specified below: {{< /note >}} ```PowerShell 
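Review bot: in the new "Hyper-V isolation" section of intro-windows-in-kubernetes.md, the prose and the manifest disagree on how the annotation is written: the text gives `experimental.windows.kubernetes.io/isolation-type=hyperv` while the YAML correctly uses `experimental.windows.kubernetes.io/isolation-type: hyperv`. Write the key and value the way they appear in the manifest. Also in that paragraph: "experiemental" is misspelled, "feature gates `HyperVContainer=true`" should show the complete kubelet flag so it can be copied, and the example image `microsoft/iis` carries no tag, so the manifest is not reproducible across Windows Server versions; pin a tag. The section says the feature is limited to 1 container per Pod, so it is worth stating what happens when a Pod with the annotation has more than one.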
From 74319b604ce61674676c1ee4c502d0f9a03d75d2 Mon Sep 17 00:00:00 2001 From: Michael Michael Date: Sat, 23 Mar 2019 10:09:06 -0500 Subject: [PATCH 45/47] Update intro-windows-in-kubernetes.md (#13344) --- content/en/docs/setup/windows/intro-windows-in-kubernetes.md | 1 + 1 file changed, 1 insertion(+) diff --git a/content/en/docs/setup/windows/intro-windows-in-kubernetes.md b/content/en/docs/setup/windows/intro-windows-in-kubernetes.md index 4c255149bc76f..69d32e2f0c9be 100644 --- a/content/en/docs/setup/windows/intro-windows-in-kubernetes.md +++ b/content/en/docs/setup/windows/intro-windows-in-kubernetes.md @@ -237,6 +237,7 @@ The following networking functionality is not supported on Windows nodes * Overlay networking support in kube-proxy is an alpha release. In addition, it requires [KB4482887](https://support.microsoft.com/en-us/help/4482887/windows-10-update-kb4482887) to be installed on Windows Server 2019 * `kubectl port-forward` * Local Traffic Policy and DSR mode +* Windows containers connected to l2bridge, l2tunnel, or overlay networks do not support communicating over the IPv6 stack. There is outstanding Windows platform work required to enable these network drivers to consume IPv6 addresses and subsequent Kubernetes work in kubelet, kube-proxy, and CNI plugins. * Outbound communication using the ICMP protocol via the win-overlay, win-bridge, and Azure-CNI plugin. Specifically, the Windows data plane ([VFP](https://www.microsoft.com/en-us/research/project/azure-virtual-filtering-platform/)) doesn't support ICMP packet transpositions. This means: * ICMP packets directed to destinations within the same network (e.g. pod to pod communication via ping) work as expected and without any limitations * TCP/UDP packets work as expected and without any limitations From f902f7dd902524f6461dc5f301c35ba992551d88 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Kevin=20Wiesm=C3=BCller?= Date: Sat, 23 Mar 2019 16:37:08 +0100 Subject: [PATCH 46/47] server side apply followup (#13321) * change some parts of serverside apply docs in response to comments * fix typos and wording --- .../en/docs/reference/using-api/api-concepts.md | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/content/en/docs/reference/using-api/api-concepts.md b/content/en/docs/reference/using-api/api-concepts.md index 1d45abedef66c..b9aaada90cca7 100644 --- a/content/en/docs/reference/using-api/api-concepts.md +++ b/content/en/docs/reference/using-api/api-concepts.md 
@@ -319,12 +319,12 @@ Some values of an object are typically generated before the object is persisted. ## Server Side Apply -{{< feature-state for_k8s_version="v1.14" state="alpha" >}} Server Side Apply allows clients other than kubectl to perform the Apply operation, and will eventually fully replace the complicated Client Side Apply logic that only exists in kubectl. If the Server Side Apply feature is enabled, The `PATCH` endpoint accepts the additional `application/apply-patch+yaml` content type. Users of Server Side Apply can send partially specified objects to this endpoint. An applied config should always include every field that the applier has an opinion about. +{{< feature-state for_k8s_version="v1.14" state="alpha" >}} Server Side Apply allows clients other than kubectl to perform the Apply operation, and will eventually fully replace the complicated Client Side Apply logic that only exists in kubectl. If the Server Side Apply feature is enabled, the `PATCH` endpoint accepts the additional `application/apply-patch+yaml` content type. Users of Server Side Apply can send partially specified objects to this endpoint. An applied config should always include every field that the applier has an opinion about. ### Enable the Server Side Apply alpha feature Server Side Apply is an alpha feature, so it is disabled by default. To turn this [feature gate](/docs/reference/command-line-tools-reference/feature-gates) on, -you need to include in the `--feature-gates ServerSideApply=true` flag when starting `kube-apiserver`. +you need to include the `--feature-gates ServerSideApply=true` flag when starting `kube-apiserver`. If you have multiple `kube-apiserver` replicas, all should have the same flag setting. ### Field Management 
@@ -363,6 +363,8 @@ The above object contains a single manager in `metadata.managedFields`. The mana {{< note >}} This field is managed by the apiserver and should not be changed by the user. {{< /note >}} +Nevertheless it is possible to change `metadata.managedFields` through an `Update` operation. Doing so is highly discouraged, but might be a reasonable option to try if, for example, the `managedFields` get into an inconsistent state (which clearly should not happen). + ### Operations The two operation types considered by this feature are `Apply` (`PATCH` with content type `application/apply-patch+yaml`) and `Update` (all other operations which modify the object). Both operations update the `managedFields`, but behave a little differently. 
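Review bot: the paragraph added after the note contradicts it without saying what the consequences are: the note states `metadata.managedFields` "should not be changed by the user", and the next sentence says it can be changed through an `Update`. Because ownership recorded in `managedFields` is what conflict detection relies on, say what happens when a client rewrites it (which manager is recorded afterwards, and whether later `Apply` calls from the previous owner still conflict), and that any client able to send an `Update` can do this. The aside "(which clearly should not happen)" reads as commentary; drop it or replace it with the actual recovery procedure.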
@@ -401,9 +403,13 @@ data: In this example, a second operation was run as an `Update` by the manager called `kube-controller-manager`. The update changed a value in the data field which caused the field's management to change to the `kube-controller-manager`. {{< note >}}If this update would have been an `Apply` operation, the operation would have failed due to conflicting ownership.{{< /note >}} -### Merge Rules +### Merge Strategy + +The merging strategy, implemented with Server Side Apply, provides a generally more stable object lifecycle. +Server Side Apply tries to merge fields based on the fact who manages them instead of overruling just based on values. +This way it is intended to make it easier and more stable for multiple actors updating the same object by causing less unexpected interference. -When a user sends a partially specified object to the Server Side Apply endpoint, the server merges it with the live object favoring the value in the applied config if it is specified twice. If the set of items present in the applied config is not a superset of the items applied by the same user last time, each missing item not managed by any other field manager is removed. For more information about how an object's schema is used to make decisions when merging, see [sigs.k8s.io/structured-merge-diff](https://sigs.k8s.io/structured-merge-diff). +When a user sends a partially specified object to the Server Side Apply endpoint, the server merges it with the live object favoring the value in the applied config if it is specified in both places. If the set of items present in the applied config is not a superset of the items applied by the same user last time, each missing item not managed by any other field manager is removed. For more information about how an object's schema is used to make decisions when merging, see [sigs.k8s.io/structured-merge-diff](https://sigs.k8s.io/structured-merge-diff). ### Conflicts 
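Review bot: renaming the heading from "Merge Rules" to "Merge Strategy" changes the generated anchor, so any existing link to `#merge-rules` breaks; either keep the heading or add an explicit anchor for the old id. The new introductory sentences also need rewording: "based on the fact who manages them" and "This way it is intended to make it easier and more stable for multiple actors updating the same object" are hard to parse. Something like "Server Side Apply merges fields according to who manages them rather than by value alone, so several actors can update one object with less unexpected interference" says the same thing.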
From 3459d0212e41c2358835998ceeda494b8558a402 Mon Sep 17 00:00:00 2001 From: Jim Angel Date: Mon, 25 Mar 2019 10:23:12 -0500 Subject: [PATCH 47/47] Update config.toml (#13365) --- config.toml | 40 ++++++++++++++++++++-------------------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/config.toml b/config.toml index 071c527e98a16..0f85a554e7eaa 100644 --- a/config.toml +++ b/config.toml @@ -64,10 +64,10 @@ time_format_blog = "Monday, January 02, 2006" description = "Production-Grade Container Orchestration" showedit = true -latest = "v1.13" +latest = "v1.14" -fullversion = "v1.13.0" -version = "v1.13" +fullversion = "v1.14.0" +version = "v1.14" githubbranch = "master" docsbranch = "master" deprecated = false @@ -77,10 +77,10 @@ githubWebsiteRepo = "github.com/kubernetes/website" githubWebsiteRaw = "raw.githubusercontent.com/kubernetes/website" [[params.versions]] -fullversion = "v1.13.0" -version = "v1.13" -githubbranch = "v1.13.0" -docsbranch = "release-1.13" +fullversion = "v1.14.0" +version = "v1.14" +githubbranch = "v1.14.0" +docsbranch = "release-1.14" url = "https://kubernetes.io" [params.pushAssets] 
@@ -95,33 +95,33 @@ js = [ ] [[params.versions]] -fullversion = "v1.12.3" +fullversion = "v1.13.4" +version = "v1.13" +githubbranch = "v1.13.4" +docsbranch = "release-1.13" +url = "https://v1-13.docs.kubernetes.io" + +[[params.versions]] +fullversion = "v1.12.6" version = "v1.12" -githubbranch = "v1.12.3" +githubbranch = "v1.12.6" docsbranch = "release-1.12" url = "https://v1-12.docs.kubernetes.io" [[params.versions]] -fullversion = "v1.11.5" +fullversion = "v1.11.8" version = "v1.11" -githubbranch = "v1.11.5" +githubbranch = "v1.11.8" docsbranch = "release-1.11" url = "https://v1-11.docs.kubernetes.io" [[params.versions]] -fullversion = "v1.10.11" +fullversion = "v1.10.13" version = "v1.10" -githubbranch = "v1.10.11" +githubbranch = "v1.10.13" docsbranch = "release-1.10" url = "https://v1-10.docs.kubernetes.io" -[[params.versions]] -fullversion = "v1.9.11" -version = "v1.9" -githubbranch = "v1.9.11" -docsbranch = "release-1.9" -url = "https://v1-9.docs.kubernetes.io" - # Language definitions. [languages]
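Review bot: in the `@@ -95,33 +95,33 @@` hunk, the `v1.9` entry (`url = "https://v1-9.docs.kubernetes.io"`) is deleted, but the commit subject "Update config.toml" gives no hint that a documented version is being dropped from the list. Please say so in the commit message, with the reason (the visible list stays at five entries, 1.14 through 1.10, once 1.13 is added). The same hunk bumps four patch levels by hand (`v1.13.4`, `v1.12.6`, `v1.11.8`, `v1.10.13`), each in both `fullversion` and `githubbranch`; confirm that every one matches an existing tag, since nothing in this file checks that the two values agree or that the ref exists.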
