From 8cd37da8f8cf1980aca78df28d33785f200b593e Mon Sep 17 00:00:00 2001 From: nurayko <88191393+nurayko@users.noreply.github.com> Date: Sun, 13 Nov 2022 18:54:30 +0200 Subject: [PATCH 001/139] Remove extra on --- content/en/docs/concepts/architecture/cgroups.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/docs/concepts/architecture/cgroups.md b/content/en/docs/concepts/architecture/cgroups.md index 6347c608b53cb..377c073b42b36 100644 --- a/content/en/docs/concepts/architecture/cgroups.md +++ b/content/en/docs/concepts/architecture/cgroups.md @@ -106,7 +106,7 @@ updated to newer versions that support cgroup v2. For example: ## Identify the cgroup version on Linux Nodes {#check-cgroup-version} -The cgroup version depends on on the Linux distribution being used and the +The cgroup version depends on the Linux distribution being used and the default cgroup version configured on the OS. To check which cgroup version your distribution uses, run the `stat -fc %T /sys/fs/cgroup/` command on the node: From 795035376d610004fffef83dba80a9ff1b21ad6f Mon Sep 17 00:00:00 2001 From: Michael Date: Fri, 11 Nov 2022 21:21:24 +0800 Subject: [PATCH 002/139] Make layout prettier in /configure-volume-storage.md --- .../configure-volume-storage.md | 137 ++++++++---------- 1 file changed, 63 insertions(+), 74 deletions(-) diff --git a/content/en/docs/tasks/configure-pod-container/configure-volume-storage.md b/content/en/docs/tasks/configure-pod-container/configure-volume-storage.md index 69e665b42ea43..3b6bec6def564 100644 --- a/content/en/docs/tasks/configure-pod-container/configure-volume-storage.md +++ b/content/en/docs/tasks/configure-pod-container/configure-volume-storage.md 
@@ -12,17 +12,12 @@ A Container's file system lives only as long as the Container does. So when a Container terminates and restarts, filesystem changes are lost. For more consistent storage that is independent of the Container, you can use a [Volume](/docs/concepts/storage/volumes/). This is especially important for stateful -applications, such as key-value stores (such as Redis) and databases. - - +applications, such as key-value stores (such as Redis) and databases. ## {{% heading "prerequisites" %}} - {{< include "task-tutorial-prereqs.md" >}} {{< version-check >}} - - ## Configure a volume for a Pod 
@@ -37,71 +32,71 @@ restarts. Here is the configuration file for the Pod: 1. Create the Pod: - ```shell - kubectl apply -f https://k8s.io/examples/pods/storage/redis.yaml - ``` + ```shell + kubectl apply -f https://k8s.io/examples/pods/storage/redis.yaml + ``` 1. Verify that the Pod's Container is running, and then watch for changes to -the Pod: + the Pod: + + ```shell + kubectl get pod redis --watch + ``` - ```shell - kubectl get pod redis --watch - ``` - - The output looks like this: + The output looks like this: - ```shell - NAME READY STATUS RESTARTS AGE - redis 1/1 Running 0 13s - ``` + ```shell + NAME READY STATUS RESTARTS AGE + redis 1/1 Running 0 13s + ``` 1. In another terminal, get a shell to the running Container: - ```shell - kubectl exec -it redis -- /bin/bash - ``` + ```shell + kubectl exec -it redis -- /bin/bash + ``` 1. In your shell, go to `/data/redis`, and then create a file: - ```shell - root@redis:/data# cd /data/redis/ - root@redis:/data/redis# echo Hello > test-file - ``` + ```shell + root@redis:/data# cd /data/redis/ + root@redis:/data/redis# echo Hello > test-file + ``` 1. In your shell, list the running processes: - ```shell - root@redis:/data/redis# apt-get update - root@redis:/data/redis# apt-get install procps - root@redis:/data/redis# ps aux - ``` + ```shell + root@redis:/data/redis# apt-get update + root@redis:/data/redis# apt-get install procps + root@redis:/data/redis# ps aux + ``` - The output is similar to this: + The output is similar to this: - ```shell - USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND - redis 1 0.1 0.1 33308 3828 ? Ssl 00:46 0:00 redis-server *:6379 - root 12 0.0 0.0 20228 3020 ? Ss 00:47 0:00 /bin/bash - root 15 0.0 0.0 17500 2072 ? R+ 00:48 0:00 ps aux - ``` + ```shell + USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND + redis 1 0.1 0.1 33308 3828 ? Ssl 00:46 0:00 redis-server *:6379 + root 12 0.0 0.0 20228 3020 ? Ss 00:47 0:00 /bin/bash + root 15 0.0 0.0 17500 2072 ? 
R+ 00:48 0:00 ps aux + ``` 1. In your shell, kill the Redis process: - ```shell - root@redis:/data/redis# kill - ``` + ```shell + root@redis:/data/redis# kill + ``` - where `` is the Redis process ID (PID). + where `` is the Redis process ID (PID). 1. In your original terminal, watch for changes to the Redis Pod. Eventually, -you will see something like this: + you will see something like this: - ```shell - NAME READY STATUS RESTARTS AGE - redis 1/1 Running 0 13s - redis 0/1 Completed 0 6m - redis 1/1 Running 1 6m - ``` + ```shell + NAME READY STATUS RESTARTS AGE + redis 1/1 Running 0 13s + redis 0/1 Completed 0 6m + redis 1/1 Running 1 6m + ``` At this point, the Container has terminated and restarted. This is because the Redis Pod has a 
@@ -110,38 +105,32 @@ of `Always`. 1. Get a shell into the restarted Container: - ```shell - kubectl exec -it redis -- /bin/bash - ``` + ```shell + kubectl exec -it redis -- /bin/bash + ``` 1. In your shell, go to `/data/redis`, and verify that `test-file` is still there. - ```shell - root@redis:/data/redis# cd /data/redis/ - root@redis:/data/redis# ls - test-file - ``` - -1. Delete the Pod that you created for this exercise: - ```shell - kubectl delete pod redis - ``` + ```shell + root@redis:/data/redis# cd /data/redis/ + root@redis:/data/redis# ls + test-file + ``` +1. Delete the Pod that you created for this exercise: + ```shell + kubectl delete pod redis + ``` ## {{% heading "whatsnext" %}} +- See [Volume](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#volume-v1-core). -* See [Volume](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#volume-v1-core). - -* See [Pod](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#pod-v1-core). - -* In addition to the local disk storage provided by `emptyDir`, Kubernetes -supports many different network-attached storage solutions, including PD on -GCE and EBS on EC2, which are preferred for critical data and will handle -details such as mounting and unmounting the devices on the nodes. See -[Volumes](/docs/concepts/storage/volumes/) for more details. - - - +- See [Pod](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#pod-v1-core). +- In addition to the local disk storage provided by `emptyDir`, Kubernetes + supports many different network-attached storage solutions, including PD on + GCE and EBS on EC2, which are preferred for critical data and will handle + details such as mounting and unmounting the devices on the nodes. See + [Volumes](/docs/concepts/storage/volumes/) for more details. From b105ee8b02c0a2ae3b236e97277c8a3315c22c17 Mon Sep 17 00:00:00 2001 
From: Akshat Khanna Date: Mon, 15 Aug 2022 01:37:39 +0530 Subject: [PATCH 003/139] Localize /en/docs/reference/glossary/addons.md into Hindi --- content/hi/docs/reference/glossary/addons.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 content/hi/docs/reference/glossary/addons.md diff --git a/content/hi/docs/reference/glossary/addons.md b/content/hi/docs/reference/glossary/addons.md new file mode 100644 index 0000000000000..499a12906dd7f --- /dev/null +++ b/content/hi/docs/reference/glossary/addons.md @@ -0,0 +1,16 @@ +--- +title: ऐड-ऑन +id: addons +date: 2019-12-15 +full_link: /docs/concepts/cluster-administration/addons/ +short_description: > + संसाधन जो कुबेरनेट्स की कार्यक्षमता का विस्तार करते हैं। + +aka: +tags: +- tool +--- + संसाधन जो कुबेरनेट्स की कार्यक्षमता का विस्तार करते हैं। + + +[ऐड-ऑन इंस्टॉल करना](/docs/concepts/cluster-administration/addons/) अपने क्लस्टर के साथ ऐड-ऑन का उपयोग करने के बारे में अधिक जानकारी देता है, और कुछ लोकप्रिय ऐड-ऑन को सूचीबद्ध करता है। \ No newline at end of file From bb08847c5a78764ae9dfc22dba8412fc6c992ae0 Mon Sep 17 00:00:00 2001 From: Ritikaa96 Date: Fri, 11 Nov 2022 18:22:45 +0530 Subject: [PATCH 004/139] added annotations in what's next sections --- content/en/docs/concepts/overview/working-with-objects/names.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/docs/concepts/overview/working-with-objects/names.md b/content/en/docs/concepts/overview/working-with-objects/names.md index 52586baf3e120..22b0403dad1c6 100644 --- a/content/en/docs/concepts/overview/working-with-objects/names.md +++ b/content/en/docs/concepts/overview/working-with-objects/names.md 
@@ -99,5 +99,5 @@ UUIDs are standardized as ISO/IEC 9834-8 and as ITU-T X.667. ## {{% heading "whatsnext" %}} -* Read about [labels](/docs/concepts/overview/working-with-objects/labels/) in Kubernetes. +* Read about [labels](/docs/concepts/overview/working-with-objects/labels/) and [annotations](/docs/concepts/overview/working-with-objects/annotations/) in Kubernetes. * See the [Identifiers and Names in Kubernetes](https://git.k8s.io/design-proposals-archive/architecture/identifiers.md) design document. From 19bb3cefa10102baff141e02da298b3f65f6a8b3 Mon Sep 17 00:00:00 2001 From: Tim Bannister Date: Sun, 6 Nov 2022 08:47:52 +0000 Subject: [PATCH 005/139] Improve list of default namespaces --- .../working-with-objects/namespaces.md | 33 ++++++++++++------- 1 file changed, 22 insertions(+), 11 deletions(-) diff --git a/content/en/docs/concepts/overview/working-with-objects/namespaces.md b/content/en/docs/concepts/overview/working-with-objects/namespaces.md index f28a82fba2087..0694f5fd809e2 100644 --- a/content/en/docs/concepts/overview/working-with-objects/namespaces.md +++ b/content/en/docs/concepts/overview/working-with-objects/namespaces.md 
@@ -32,6 +32,26 @@ resources, such as different versions of the same software: use {{< glossary_tooltip text="labels" term_id="label" >}} to distinguish resources within the same namespace. +{{< note >}} +For a production cluster, consider _not_ using the `default` namespace. Instead, make other namespaces and use those. +{{< /note >}} + +## Initial namespaces + +Kubernetes starts with four initial namespaces: + +`default` +: Kubernetes includes this namespace so that you can start using your new cluster without first creating a namespace. + +`kube-node-lease` +: This namespace holds [Lease](/docs/reference/kubernetes-api/cluster-resources/lease-v1/) objects associated with each node. Node leases allow the kubelet to send [heartbeats](/docs/concepts/architecture/nodes/#heartbeats) so that the control plane can detect node failure. + +`kube-public` +: This namespace is readable by *all* clients (including those not authenticated). This namespace is mostly reserved for cluster usage, in case that some resources should be visible and readable publicly throughout the whole cluster. The public aspect of this namespace is only a convention, not a requirement. + +`kube-system` +: The namespace for objects created by the Kubernetes system. + ## Working with Namespaces Creation and deletion of namespaces are described in the 
@@ -56,16 +76,7 @@ kube-public Active 1d kube-system Active 1d ``` -Kubernetes starts with four initial namespaces: - * `default` The default namespace for objects with no other namespace - * `kube-system` The namespace for objects created by the Kubernetes system - * `kube-public` This namespace is created automatically and is readable by all users (including those not authenticated). This namespace is mostly reserved for cluster usage, in case that some resources should be visible and readable publicly throughout the whole cluster. The public aspect of this namespace is only a convention, not a requirement. - * `kube-node-lease` This namespace holds [Lease](/docs/reference/kubernetes-api/cluster-resources/lease-v1/) - objects associated with each node. Node leases allow the kubelet to send - [heartbeats](/docs/concepts/architecture/nodes/#heartbeats) so that the control plane - can detect node failure. - ### Setting the namespace for a request To set the namespace for a current request, use the `--namespace` flag. @@ -106,7 +117,7 @@ By creating namespaces with the same name as [public top-level domains](https://data.iana.org/TLD/tlds-alpha-by-domain.txt), Services in these namespaces can have short DNS names that overlap with public DNS records. Workloads from any namespace performing a DNS lookup without a [trailing dot](https://datatracker.ietf.org/doc/html/rfc1034#page-8) will -be redirected to those services, taking precedence over public DNS. +be redirected to those services, taking precedence over public DNS. To mitigate this, limit privileges for creating namespaces to trusted users. If required, you could additionally configure third-party security controls, such 
@@ -116,7 +127,7 @@ to block creating any namespace with the name of [public TLDs](https://data.iana.org/TLD/tlds-alpha-by-domain.txt). {{< /warning >}} -## Not All Objects are in a Namespace +## Not all objects are in a namespace Most Kubernetes resources (e.g. pods, services, replication controllers, and others) are in some namespaces. However namespace resources are not themselves in a namespace. From 57c3c97775502f247ae9c7905294caf1a23eb75b Mon Sep 17 00:00:00 2001 From: Pradumna Saraf Date: Tue, 8 Nov 2022 17:55:40 +0000 Subject: [PATCH 006/139] docs: Update projected-volumes.md --- content/en/docs/concepts/storage/projected-volumes.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/content/en/docs/concepts/storage/projected-volumes.md b/content/en/docs/concepts/storage/projected-volumes.md index a7c74349f5c08..321ee8d8ae2e5 100644 --- a/content/en/docs/concepts/storage/projected-volumes.md +++ b/content/en/docs/concepts/storage/projected-volumes.md @@ -46,8 +46,7 @@ parameters are nearly the same with two exceptions: for each individual projection. ## serviceAccountToken projected volumes {#serviceaccounttoken} -When the `TokenRequestProjection` feature is enabled, you can inject the token -for the current [service account](/docs/reference/access-authn-authz/authentication/#service-account-tokens) +You can inject the token for the current [service account](/docs/reference/access-authn-authz/authentication/#service-account-tokens) into a Pod at a specified path. For example: {{< codenew file="pods/storage/projected-service-account-token.yaml" >}} From 6953c3298b646f52ee1daadacda06d2a3a95cbbb Mon Sep 17 00:00:00 2001 From: Tim Bannister Date: Sun, 13 Nov 2022 17:17:48 +0000 Subject: [PATCH 007/139] Signpost readers to Kubernetes images Help readers find Kubernetes container images for download. --- content/en/docs/concepts/containers/images.md | 6 ++++++ 1 file changed, 6 insertions(+) 
diff --git a/content/en/docs/concepts/containers/images.md b/content/en/docs/concepts/containers/images.md index c696fbb3ea33d..a19c981ccae82 100644 --- a/content/en/docs/concepts/containers/images.md +++ b/content/en/docs/concepts/containers/images.md @@ -19,6 +19,12 @@ before referring to it in a This page provides an outline of the container image concept. +{{< note >}} +If you are looking for the container images for a Kubernetes +release (such as v{{< skew latestVersion >}}, the latest minor release), +visit [Download Kubernetes](https://kubernetes.io/releases/download/). +{{< /note >}} + ## Image names From 7d0e13d9ccc73c423d3efffdfd488acfb357e325 Mon Sep 17 00:00:00 2001 From: kadtendulkar Date: Mon, 7 Nov 2022 13:50:20 +0530 Subject: [PATCH 008/139] Update content/en/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm.md Update content/en/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm.md --- .../tools/kubeadm/create-cluster-kubeadm.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm.md b/content/en/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm.md index a963fb08dadd9..0aa004640613e 100644 --- a/content/en/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm.md +++ b/content/en/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm.md @@ -590,7 +590,7 @@ data and may need to be recreated from scratch. Workarounds: -* Regularly [back up etcd](https://coreos.com/etcd/docs/latest/admin_guide.html). The +* Regularly [back up etcd](https://etcd.io/docs/v3.5/op-guide/recovery/). The etcd data directory configured by kubeadm is at `/var/lib/etcd` on the control-plane node. * Use multiple control-plane nodes. You can read From 80093bfcb4abd67e90af0287a51b08fad0ac18ea Mon Sep 17 00:00:00 2001 
From: windsonsea Date: Wed, 9 Nov 2022 09:39:10 +0800 Subject: [PATCH 009/139] [zh] sync /storage/projected-volumes.md --- .../concepts/storage/projected-volumes.md | 45 ++++++++++++++++--- 1 file changed, 38 insertions(+), 7 deletions(-) diff --git a/content/zh-cn/docs/concepts/storage/projected-volumes.md b/content/zh-cn/docs/concepts/storage/projected-volumes.md index bf61134654ca0..286e089e2473f 100644 --- a/content/zh-cn/docs/concepts/storage/projected-volumes.md +++ b/content/zh-cn/docs/concepts/storage/projected-volumes.md @@ -51,8 +51,8 @@ Currently, the following types of volume sources can be projected: All sources are required to be in the same namespace as the Pod. For more details, see the [all-in-one volume](https://git.k8s.io/design-proposals-archive/node/all-in-one-volume.md) design document. --> -所有的卷源都要求处于 Pod 所在的同一个名字空间内。进一步的详细信息,可参考 -[一体化卷](https://git.k8s.io/design-proposals-archive/node/all-in-one-volume.md)设计文档。 +所有的卷源都要求处于 Pod 所在的同一个名字空间内。更多详细信息, +可参考[一体化卷](https://git.k8s.io/design-proposals-archive/node/all-in-one-volume.md)设计文档。 ## serviceAccountToken 投射卷 {#serviceaccounttoken} -当 `TokenRequestProjection` 特性被启用时,你可以将当前 -[服务账号](/zh-cn/docs/reference/access-authn-authz/authentication/#service-account-tokens) -的令牌注入到 Pod 中特定路径下。例如: +你可以将当前[服务账号](/zh-cn/docs/reference/access-authn-authz/authentication/#service-account-tokens)的令牌注入到 +Pod 中特定路径下。例如: {{< codenew file="pods/storage/projected-service-account-token.yaml" >}} 
@@ -159,6 +157,39 @@ ownership. 中设置了 `RunAsUser` 属性的 Linux Pod 中,投射文件具有正确的属主属性设置, 其中包含了容器用户属主。 + +当 Pod 中的所有容器在其 +[`PodSecurityContext`](/zh-cn/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context) +或容器 +[`SecurityContext`](/zh-cn/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) +中设置了相同的 `runAsUser` 时,kubelet 将确保 `serviceAccountToken` +卷的内容归该用户所有,并且令牌文件的权限模式会被设置为 `0600`。 + +{{< note >}} + +在某 Pod 被创建后为其添加的{{< glossary_tooltip text="临时容器" term_id="ephemeral-container" >}}**不会**更改创建该 +Pod 时设置的卷权限。 + +如果 Pod 的 `serviceAccountToken` 卷权限被设为 `0600` +是因为 Pod 中的其他所有容器都具有相同的 `runAsUser`, +则临时容器必须使用相同的 `runAsUser` 才能读取令牌。 +{{< /note >}} + ### Windows + + +**ServiceAccount** 为 Pod 中运行的进程提供了一个身份。 + +Pod 内的进程可以使用其关联服务账号的身份,向集群的 API 服务器进行身份认证。 + -这是一篇针对服务账号的集群管理员指南。 -你应该熟悉[配置 Kubernetes 服务账号](/zh-cn/docs/tasks/configure-pod-container/configure-service-account/)。 +有关服务账号的介绍, +请参阅[配置服务账号](/zh-cn/docs/tasks/configure-pod-container/configure-service-account/)。 -对鉴权和用户账号的支持已在规划中,当前并不完备。 -为了更好地描述服务账号,有时这些不完善的特性也会被提及。 +本任务指南阐述有关 ServiceAccount 的几个概念。 +本指南还讲解如何获取或撤销代表 ServiceAccount 的令牌。 +## {{% heading "prerequisites" %}} + +{{< include "task-tutorial-prereqs.md" >}} + + +为了能够准确地跟随这些步骤,确保你有一个名为 `examplens` 的名字空间。 +如果你没有,运行以下命令创建一个名字空间: + +```shell +kubectl create namespace examplens +``` + +- 用户账号是针对人而言的。而服务账号是针对运行在 Pod 中的应用进程而言的, + 在 Kubernetes 中这些进程运行在容器中,而容器是 Pod 的一部分。 +- 用户账号是全局性的。其名称在某集群中的所有名字空间中必须是唯一的。 + 无论你查看哪个名字空间,代表用户的特定用户名都代表着同一个用户。 + 在 Kubernetes 中,服务账号是名字空间作用域的。 + 两个不同的名字空间可以包含具有相同名称的 ServiceAccount。 + +- 通常情况下,集群的用户账号可能会从企业数据库进行同步,创建新用户需要特殊权限,并且涉及到复杂的业务流程。 + 服务账号创建有意做得更轻量,允许集群用户为了具体的任务按需创建服务账号。 + 将 ServiceAccount 的创建与新用户注册的步骤分离开来,使工作负载更易于遵从权限最小化原则。 + -- 用户账号是针对人而言的。而服务账号是针对运行在 Pod 中的进程而言的。 -- 用户账号是全局性的。其名称在某集群中的所有名字空间中必须是唯一的。服务账号是名字空间作用域的。 -- 通常情况下,集群的用户账号可能会从企业数据库进行同步,其创建需要特殊权限, - 并且涉及到复杂的业务流程。 - 服务账号创建有意做得更轻量,允许集群用户为了具体的任务创建服务账号以遵从权限最小化原则。 -- 对人员和服务账号审计所考虑的因素可能不同。 + without many constraints and have namespaced names, such 
configuration is + usually portable. +--> +- 对人员和服务账号审计所考虑的因素可能不同;这种分离更容易区分不同之处。 - 针对复杂系统的配置包可能包含系统组件相关的各种服务账号的定义。 - 因为服务账号的创建约束不多并且有名字空间域的名称,这种配置是很轻量的。 - + 因为服务账号的创建约束不多并且有名字空间域的名称,所以这种配置通常是轻量的。 + +## 绑定的服务账号令牌卷机制 {#bound-service-account-token-volume} -Three separate components cooperate to implement the automation around service accounts: +{{< feature-state for_k8s_version="v1.22" state="stable" >}} -- A `ServiceAccount` admission controller -- A Token controller -- A `ServiceAccount` controller + -## 服务账号的自动化 {#service-account-automation} +默认情况下,Kubernetes 控制平面(特别是 [ServiceAccount 准入控制器](#service-account-admission-controller)) +添加一个[投射卷](/zh-cn/docs/concepts/storage/projected-volumes/)到 Pod, +此卷包括了访问 Kubernetes API 的令牌。 -以下三个独立组件协作完成服务账号相关的自动化: +以下示例演示如何查找已启动的 Pod: -- `ServiceAccount` 准入控制器 -- Token 控制器 -- `ServiceAccount` 控制器 +```yaml +... + - name: kube-api-access-<随机后缀> + projected: + sources: + - serviceAccountToken: + path: token # 必须与应用所预期的路径匹配 + - configMap: + items: + - key: ca.crt + path: ca.crt + name: kube-root-ca.crt + - downwardAPI: + items: + - fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + path: namespace +``` -### ServiceAccount 准入控制器 {#serviceaccount-admission-controller} +该清单片段定义了由三个数据源组成的投射卷。在当前场景中,每个数据源也代表该卷内的一条独立路径。这三个数据源是: + +1. `serviceAccountToken` 数据源,包含 kubelet 从 kube-apiserver 获取的令牌。 + kubelet 使用 TokenRequest API 获取有时间限制的令牌。为 TokenRequest 服务的这个令牌会在 + Pod 被删除或定义的生命周期(默认为 1 小时)结束之后过期。该令牌绑定到特定的 Pod, + 并将其 audience(受众)设置为与 `kube-apiserver` 的 audience 相匹配。 + 这种机制取代了之前基于 Secret 添加卷的机制,之前 Secret 代表了针对 Pod 的 ServiceAccount 但不会过期。 +1. `configMap` 数据源。ConfigMap 包含一组证书颁发机构数据。 + Pod 可以使用这些证书来确保自己连接到集群的 kube-apiserver(而不是连接到中间件或意外配置错误的对等点上)。 +1. `downwardAPI` 数据源,用于查找包含 Pod 的名字空间的名称, + 并使该名称信息可用于在 Pod 内运行的应用程序代码。 -对 Pod 的改动通过一个被称为[准入控制器](/zh-cn/docs/reference/access-authn-authz/admission-controllers/)的插件来实现。 -它是 API 服务器的一部分。当 Pod 被创建或更新时,它会同步地修改 Pod。 -如果该插件处于激活状态(在大多数发行版中都是默认激活的), -当 Pod 被创建或更新时它会进行以下操作: - - -1. 
如果该 Pod 没有设置 `ServiceAccount`,将其 `ServiceAccount` 设为 `default`。 -1. 保证 Pod 所引用的 `ServiceAccount` 确实存在,否则拒绝该 Pod。 -1. 如果服务账号的 `automountServiceAccountToken` 或 Pod 的 - `automountServiceAccountToken` 都未显式设置为 `false`,则为 Pod 创建一个 - `volume`,在其中包含用来访问 API 的令牌。 -1. 如果前一步中为服务账号令牌创建了卷,则为 Pod 中的每个容器添加一个 - `volumeSource`,挂载在其 `/var/run/secrets/kubernetes.io/serviceaccount` - 目录下。 -1. 如果 Pod 不包含 `imagePullSecrets` 设置,将 `ServiceAccount` - 所引用的服务账号中的 `imagePullSecrets` 信息添加到 Pod 中。 - - -#### 绑定的服务账号令牌卷 {#bound-service-account-token-volume} + +Pod 内挂载这个特定卷的所有容器都可以访问上述信息。 -{{< feature-state for_k8s_version="v1.22" state="stable" >}} +{{< note >}} + +没有特定的机制可以使通过 TokenRequest 签发的令牌无效。如果你不再信任为某个 Pod 绑定的服务账号令牌, +你可以删除该 Pod。删除 Pod 将使其绑定的服务账号令牌过期。 +{{< /note >}} -ServiceAccount 准入控制器将添加如下投射卷, -而不是为令牌控制器所生成的不过期的服务账号令牌而创建的基于 Secret 的卷。 +## 手动管理 ServiceAccount 的 Secret {#manual-secret-management-for-serviceaccounts} -```yaml -- name: kube-api-access-<随机后缀> - projected: - defaultMode: 420 # 0644 - sources: - - serviceAccountToken: - expirationSeconds: 3607 - path: token - - configMap: - items: - - key: ca.crt - path: ca.crt - name: kube-root-ca.crt - - downwardAPI: - items: - - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - path: namespace -``` +v1.22 之前的 Kubernetes 版本会自动创建凭据访问 Kubernetes API。 +这种更老的机制基于先创建令牌 Secret,然后将其挂载到正运行的 Pod 中。 +在包括 Kubernetes v{{< skew currentVersion >}} 在内最近的几个版本中,使用 +[TokenRequest](/zh-cn/docs/reference/kubernetes-api/authentication-resources/token-request-v1/) API +[直接获得](#bound-service-account-token-volume) API 凭据,并使用投射卷挂载到 Pod 中。 +使用这种方法获得的令牌具有绑定的生命周期,当挂载的 Pod 被删除时这些令牌将自动失效。 -1. A `serviceAccountToken` acquired from kube-apiserver via TokenRequest API. It will expire - after 1 hour by default or when the pod is deleted. It is bound to the pod and it has - its audience set to match the audience of the `kube-apiserver`. -1. A `configMap` containing a CA bundle used for verifying connections to the kube-apiserver. -1. 
A `downwardAPI` that references the namespace of the pod. + -此投射卷有三个数据源: +你仍然可以[手动创建](/zh-cn/docs/tasks/configure-pod-container/configure-service-account/#manually-create-an-api-token-for-a-serviceaccount) +Secret 来保存服务账号令牌;例如在你需要一个永不过期的令牌的时候。 -1. 通过 TokenRequest API 从 kube-apiserver 处获得的 `serviceAccountToken`。 - 这一令牌默认会在一个小时之后或者 Pod 被删除时过期。 - 该令牌绑定到 Pod 上,并将其 audience(受众)设置为与 `kube-apiserver` 的 audience 相匹配。 -1. 包含用来验证与 kube-apiserver 连接的 CA 证书包的 `configMap` 对象。 -1. 引用 Pod 名字空间的一个 `downwardAPI`。 +一旦你手动创建一个 Secret 并将其关联到 ServiceAccount,Kubernetes 控制平面就会自动将令牌填充到该 Secret 中。 +{{< note >}} -参阅[投射卷](/zh-cn/docs/tasks/configure-pod-container/configure-projected-volume-storage/)了解进一步的细节。 +尽管存在手动创建长久 ServiceAccount 令牌的机制,但还是推荐使用 +[TokenRequest](/zh-cn/docs/reference/kubernetes-api/authentication-resources/token-request-v1/) +获得短期的 API 访问令牌。 +{{< /note >}} -### Token 控制器 {#token-controller} +## 控制平面细节 {#control-plane-details} + +### 令牌控制器 {#token-controller} -TokenController 作为 `kube-controller-manager` 的一部分运行,以异步的形式工作。 +服务账号令牌控制器作为 `kube-controller-manager` 的一部分运行,以异步的形式工作。 其职责包括: -- 监测 ServiceAccount 的创建并创建相应的服务账号令牌 Secret 以允许访问 API。 - 监测 ServiceAccount 的删除并删除所有相应的服务账号令牌 Secret。 - 监测服务账号令牌 Secret 的添加,保证相应的 ServiceAccount 存在,如有需要, 向 Secret 中添加令牌。 
@@ -217,57 +277,374 @@ verify the tokens during authentication. kube-apiserver。公钥用于在身份认证过程中校验令牌。 +### ServiceAccount 准入控制器 {#serviceaccount-admission-controller} + +对 Pod 的改动通过一个被称为[准入控制器](/zh-cn/docs/reference/access-authn-authz/admission-controllers/)的插件来实现。 +它是 API 服务器的一部分。当 Pod 被创建时,该准入控制器会同步地修改 Pod。 +如果该插件处于激活状态(在大多数发行版中都是默认激活的),当 Pod 被创建时它会进行以下操作: + + +1. 如果该 Pod 没有设置 `.spec.serviceAccountName`, + 准入控制器为新来的 Pod 将 ServiceAccount 的名称设为 `default`。 +2. 准入控制器保证新来的 Pod 所引用的 ServiceAccount 确实存在。 + 如果没有 ServiceAccount 具有匹配的名称,则准入控制器拒绝新来的 Pod。 + 这个检查甚至适用于 `default` ServiceAccount。 + +3. 如果服务账号的 `automountServiceAccountToken` 字段或 Pod 的 + `automountServiceAccountToken` 字段都未显式设置为 `false`: + - 准入控制器变更新来的 Pod,添加一个包含 API + 访问令牌的额外{{< glossary_tooltip text="卷" term_id="volume" >}}。 + - 准入控制器将 `volumeMount` 添加到 Pod 中的每个容器, + 忽略已为 `/var/run/secrets/kubernetes.io/serviceaccount` 路径定义的卷挂载的所有容器。 + 对于 Linux 容器,此卷挂载在 `/var/run/secrets/kubernetes.io/serviceaccount`; + 在 Windows 节点上,此卷挂载在等价的路径上。 +4. 如果新来 Pod 的规约已包含任何 `imagePullSecrets`,则准入控制器添加 `imagePullSecrets`, + 并从 `ServiceAccount` 进行复制。 + +### TokenRequest API + +{{< feature-state for_k8s_version="v1.22" state="stable" >}} + + +你使用 ServiceAccount 的 +[TokenRequest](/zh-cn/docs/reference/kubernetes-api/authentication-resources/token-request-v1/) +子资源为该 ServiceAccount 获取有时间限制的令牌。 +你不需要调用它来获取在容器中使用的 API 令牌,因为 kubelet 使用 **投射卷** 对此进行了设置。 + +如果你想要从 `kubectl` 使用 TokenRequest API, +请参阅[为 ServiceAccount 手动创建 API 令牌](/zh-cn/docs/tasks/configure-pod-container/configure-service-account/#manually-create-an-api-token-for-a-serviceaccount)。 + + +Kubernetes 控制平面(特别是 ServiceAccount 准入控制器)向 Pod 添加了一个投射卷, +kubelet 确保该卷包含允许容器作为正确 ServiceAccount 进行身份认证的令牌。 + +(这种机制取代了之前基于 Secret 添加卷的机制,之前 Secret 代表了 Pod 所用的 ServiceAccount 但不会过期。) + +以下示例演示如何查找已启动的 Pod: + +```yaml +... 
+ - name: kube-api-access- + projected: + defaultMode: 420 # 这个十进制数等同于八进制 0644 + sources: + - serviceAccountToken: + expirationSeconds: 3607 + path: token + - configMap: + items: + - key: ca.crt + path: ca.crt + name: kube-root-ca.crt + - downwardAPI: + items: + - fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + path: namespace +``` + + +该清单片段定义了由三个数据源信息组成的投射卷。 + +1. `serviceAccountToken` 数据源,包含 kubelet 从 kube-apiserver 获取的令牌。 + kubelet 使用 TokenRequest API 获取有时间限制的令牌。为 TokenRequest 服务的这个令牌会在 + Pod 被删除或定义的生命周期(默认为 1 小时)结束之后过期。该令牌绑定到特定的 Pod, + 并将其 audience(受众)设置为与 `kube-apiserver` 的 audience 相匹配。 +1. `configMap` 数据源。ConfigMap 包含一组证书颁发机构数据。 + Pod 可以使用这些证书来确保自己连接到集群的 kube-apiserver(而不是连接到中间件或意外配置错误的对等点上)。 +1. `downwardAPI` 数据源。这个 `downwardAPI` 卷获得包含 Pod 的名字空间的名称, + 并使该名称信息可用于在 Pod 内运行的应用程序代码。 + + +挂载此卷的 Pod 内的所有容器均可以访问上述信息。 + +## 创建额外的 API 令牌 {#create-token} + +{{< caution >}} + +只有[令牌请求](#tokenrequest-api)机制不合适,才需要创建长久的 API 令牌。 +令牌请求机制提供有时间限制的令牌;因为随着这些令牌过期,它们对信息安全方面的风险也会降低。 +{{< /caution >}} -A controller loop ensures a Secret with an API token exists for each -ServiceAccount. 
To create additional API tokens for a ServiceAccount, create a + +要为 ServiceAccount 创建一个不过期、持久化的 API 令牌, +请创建一个类型为 `kubernetes.io/service-account-token` 的 Secret,附带引用 ServiceAccount 的注解。 +控制平面随后生成一个长久的令牌,并使用生成的令牌数据更新该 Secret。 -Below is a sample configuration for such a Secret: +以下是此类 Secret 的示例清单: + +{{< codenew file="secret/serviceaccount/mysecretname.yaml" >}} + + -#### 创建额外的 API 令牌 {#to-create-additional-api-tokens} +若要基于此示例创建 Secret,运行以下命令: -控制器中有专门的循环来保证每个 ServiceAccount 都存在对应的包含 API 令牌的 Secret。 -当需要为 ServiceAccount 创建额外的 API 令牌时,可以创建一个类型为 -`kubernetes.io/service-account-token` 的 Secret,并在其注解中引用对应的 -ServiceAccount。控制器会生成令牌并更新该 Secret: +```shell +kubectl -n examplens create -f https://k8s.io/examples/secret/serviceaccount/mysecretname.yaml +``` -下面是这种 Secret 的一个示例配置: + +若要查看该 Secret 的详细信息,运行以下命令: + +```shell +kubectl -n examplens describe secret mysecretname +``` + + +输出类似于: + +``` +Name: mysecretname +Namespace: examplens +Labels: +Annotations: kubernetes.io/service-account.name=myserviceaccount + kubernetes.io/service-account.uid=8a85c4c4-8483-11e9-bc42-526af7764f64 + +Type: kubernetes.io/service-account-token + +Data +==== +ca.crt: 1362 bytes +namespace: 9 bytes +token: ... 
+``` + + +如果你在 `examplens` 名字空间中启动新的 Pod,可以使用你刚刚创建的 +`myserviceaccount` service-account-token Secret。 + + +## 删除/废止 ServiceAccount 令牌 {#delete-token} + +如果你知道 Secret 的名称且该 Secret 包含要移除的令牌: + +```shell +kubectl delete secret name-of-secret +``` + + +否则,先找到 ServiceAccount 所用的 Secret。 + +```shell +# 此处假设你已有一个名为 'examplens' 的名字空间 +kubectl -n examplens get serviceaccount/example-automated-thing -o yaml +``` + + +输出类似于: ```yaml apiVersion: v1 -kind: Secret +kind: ServiceAccount metadata: - name: mysecretname annotations: - kubernetes.io/service-account.name: myserviceaccount -type: kubernetes.io/service-account-token + kubectl.kubernetes.io/last-applied-configuration: | + {"apiVersion":"v1","kind":"ServiceAccount","metadata":{"annotations":{},"name":"example-automated-thing","namespace":"examplens"}} + creationTimestamp: "2019-07-21T07:07:07Z" + name: example-automated-thing + namespace: examplens + resourceVersion: "777" + selfLink: /api/v1/namespaces/examplens/serviceaccounts/example-automated-thing + uid: f23fd170-66f2-4697-b049-e1e266b7f835 +secrets: +- name: example-automated-thing-token-zyxwv ``` + +随后删除你现在知道名称的 Secret: + ```shell -kubectl create -f ./secret.yaml -kubectl describe secret mysecretname +kubectl -n examplens delete secret/example-automated-thing-token-zyxwv ``` -#### 删除/废止服务账号令牌 Secret +控制平面发现 ServiceAccount 缺少其 Secret,并创建一个替代项: ```shell -kubectl delete secret mysecretname +kubectl -n examplens get serviceaccount/example-automated-thing -o yaml +``` + +```yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: + kubectl.kubernetes.io/last-applied-configuration: | + {"apiVersion":"v1","kind":"ServiceAccount","metadata":{"annotations":{},"name":"example-automated-thing","namespace":"examplens"}} + creationTimestamp: "2019-07-21T07:07:07Z" + name: example-automated-thing + namespace: examplens + resourceVersion: "1026" + selfLink: /api/v1/namespaces/examplens/serviceaccounts/example-automated-thing + uid: f23fd170-66f2-4697-b049-e1e266b7f835 
+secrets: +- name: example-automated-thing-token-4rdrh +``` + + +## 清理 {#clean-up} + +如果创建了一个 `examplens` 名字空间进行试验,你可以移除它: + +```shell +kubectl delete namespace examplens ``` -### 服务账号控制器 {#serviceaccount-controller} +## 控制平面细节 {#control-plane-details} + +### ServiceAccount 控制器 {#serviceaccount-controller} + +ServiceAccount 控制器管理名字空间内的 ServiceAccount,并确保每个活跃的名字空间中都存在名为 +“default” 的 ServiceAccount。 + + +### 令牌控制器 + +服务账号令牌控制器作为 `kube-controller-manager` 的一部分运行,以异步的形式工作。 +其职责包括: + +- 监测 ServiceAccount 的创建并创建相应的服务账号令牌 Secret 以允许 API 访问。 +- 监测 ServiceAccount 的删除并删除所有相应的服务账号令牌 Secret。 +- 监测服务账号令牌 Secret 的添加,保证相应的 ServiceAccount 存在,如有需要, + 向 Secret 中添加令牌。 +- 监测 Secret 的删除,如有需要,从相应的 ServiceAccount 中移除引用。 + + +你必须通过 `--service-account-private-key-file` 标志为 `kube-controller-manager` +的令牌控制器传入一个服务账号私钥文件。该私钥用于为所生成的服务账号令牌签名。 +同样地,你需要通过 `--service-account-key-file` 标志将对应的公钥通知给 +kube-apiserver。公钥用于在身份认证过程中校验令牌。 -服务账号控制器管理各名字空间下的 ServiceAccount 对象, -并且保证每个活跃的名字空间下存在一个名为 "default" 的 ServiceAccount。 +## {{% heading "whatsnext" %}} + +- 查阅有关[投射卷](/zh-cn/docs/concepts/storage/projected-volumes/)的更多细节。 diff --git a/content/zh-cn/examples/secret/serviceaccount/mysecretname.yaml b/content/zh-cn/examples/secret/serviceaccount/mysecretname.yaml new file mode 100644 index 0000000000000..e50fe72d71cd4 --- /dev/null +++ b/content/zh-cn/examples/secret/serviceaccount/mysecretname.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: Secret +type: kubernetes.io/service-account-token +metadata: + name: mysecretname + annotations: + - kubernetes.io/service-account.name: myserviceaccount From ccce564631c7bf9a462b01854ee85916a23b4e12 Mon Sep 17 00:00:00 2001 
From: Tim Bannister Date: Sat, 29 Oct 2022 18:14:31 +0100 Subject: [PATCH 012/139] Redo index for Containers concept - Mention RuntimeClass - omit container image and runtimeclass from links as they are already mentioned explicitly Co-authored-by: Rey Lejano --- content/en/docs/concepts/containers/_index.md | 17 +++++++++++------ content/en/docs/concepts/containers/images.md | 1 + .../docs/concepts/containers/runtime-class.md | 1 + 3 files changed, 13 insertions(+), 6 deletions(-) diff --git a/content/en/docs/concepts/containers/_index.md b/content/en/docs/concepts/containers/_index.md index 746e1b7fc9ade..8c681ae454b59 100644 --- a/content/en/docs/concepts/containers/_index.md +++ b/content/en/docs/concepts/containers/_index.md @@ -6,7 +6,6 @@ reviewers: - erictune - thockin content_type: concept -no_list: true --- @@ -18,7 +17,10 @@ run it. Containers decouple applications from underlying host infrastructure. This makes deployment easier in different cloud or OS environments. - +Each {{< glossary_tooltip text="node" term_id="node" >}} in a Kubernetes +cluster runs the containers that form the +[Pods](/docs/concepts/workloads/pods/) assigned to that node. +Containers in a Pod are co-located and co-scheduled to run on the same node. 
@@ -38,8 +40,11 @@ the change, then recreate the container to start from the updated image. {{< glossary_definition term_id="container-runtime" length="all" >}} -## {{% heading "whatsnext" %}} - -* Read about [container images](/docs/concepts/containers/images/) -* Read about [Pods](/docs/concepts/workloads/pods/) +Usually, you can allow your cluster to pick the default container runtime +for a Pod. If you need to use more than one container runtime in your cluster, +you can specify the [RuntimeClass](/docs/concepts/containers/runtime-class/) +for a Pod to make sure that Kubernetes runs those containers using a +particular container runtime. +You can also use RuntimeClass to run different Pods with the same container +runtime but with different settings. diff --git a/content/en/docs/concepts/containers/images.md b/content/en/docs/concepts/containers/images.md index a19c981ccae82..d7d037d21b59a 100644 --- a/content/en/docs/concepts/containers/images.md +++ b/content/en/docs/concepts/containers/images.md @@ -5,6 +5,7 @@ reviewers: title: Images content_type: concept weight: 10 +hide_summary: true # Listed separately in section index --- diff --git a/content/en/docs/concepts/containers/runtime-class.md b/content/en/docs/concepts/containers/runtime-class.md index ff4bbcd57a653..b43bde9a2fc40 100644 --- a/content/en/docs/concepts/containers/runtime-class.md +++ b/content/en/docs/concepts/containers/runtime-class.md @@ -5,6 +5,7 @@ reviewers: title: Runtime Class content_type: concept weight: 30 +hide_summary: true # Listed separately in section index --- From 3e6d894601a8559b22b91d477814e3f732e8f263 Mon Sep 17 00:00:00 2001 
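Review bot: None of the added lines in content/en/docs/concepts/containers/_index.md link to /docs/concepts/containers/images/, although the patch deletes the "whatsnext" link to it and marks images.md with `hide_summary: true # Listed separately in section index`. The added paragraph does link RuntimeClass, so runtime-class.md is covered. Check that an unchanged part of _index.md still links the images page, or add the link, so the page stays reachable from the section index once `no_list: true` is gone.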
From: Tim Bannister Date: Sat, 29 Oct 2022 18:30:26 +0100 Subject: [PATCH 013/139] Switch self-healing feature to ReplicaSet Don't highlight the legacy ReplicationController API when talking about Kubernetes' ability to self-heal. --- .../en/docs/concepts/workloads/controllers/replicaset.md | 7 +++++++ .../workloads/controllers/replicationcontroller.md | 6 ------ 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/content/en/docs/concepts/workloads/controllers/replicaset.md b/content/en/docs/concepts/workloads/controllers/replicaset.md index a282b8455a4a0..da0aa76ddc420 100644 --- a/content/en/docs/concepts/workloads/controllers/replicaset.md +++ b/content/en/docs/concepts/workloads/controllers/replicaset.md @@ -4,6 +4,13 @@ reviewers: - bprashanth - madhusudancs title: ReplicaSet +feature: + title: Self-healing + anchor: How a ReplicaSet works + description: > + Restarts containers that fail, replaces and reschedules containers when nodes die, + kills containers that don't respond to your user-defined health check, + and doesn't advertise them to clients until they are ready to serve. content_type: concept weight: 20 --- diff --git a/content/en/docs/concepts/workloads/controllers/replicationcontroller.md b/content/en/docs/concepts/workloads/controllers/replicationcontroller.md index 90a04f6f174c5..1360bd69f0a3c 100644 --- a/content/en/docs/concepts/workloads/controllers/replicationcontroller.md +++ b/content/en/docs/concepts/workloads/controllers/replicationcontroller.md @@ -3,12 +3,6 @@ reviewers: - bprashanth - janetkuo title: ReplicationController -feature: - title: Self-healing - anchor: How a ReplicationController Works - description: > - Restarts containers that fail, replaces and reschedules containers when nodes die, kills containers that don't respond to your user-defined health check, and doesn't advertise them to clients until they are ready to serve. - content_type: concept weight: 90 --- 
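Review bot: `anchor: How a ReplicaSet works` in the `feature:` block added to replicaset.md has to correspond to a heading on that page, and the heading is not part of the visible hunk. The value removed from replicationcontroller.md was cased differently (`How a ReplicationController Works`), so confirm the ReplicaSet heading is spelled and cased the same way as the new anchor before merging.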
From 9dc8089aab58b53856b112546f1d9583f31a2d80 Mon Sep 17 00:00:00 2001 From: Gao Qian Date: Sun, 13 Nov 2022 20:54:50 -0500 Subject: [PATCH 014/139] [zh-cn] Update roles-and-responsibilities.md Signed-off-by: Gao Qian --- .../participate/roles-and-responsibilities.md | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/content/zh-cn/docs/contribute/participate/roles-and-responsibilities.md b/content/zh-cn/docs/contribute/participate/roles-and-responsibilities.md index 8df7b4cddfab9..21ee1ac9d5cf3 100644 --- a/content/zh-cn/docs/contribute/participate/roles-and-responsibilities.md +++ b/content/zh-cn/docs/contribute/participate/roles-and-responsibilities.md @@ -183,7 +183,10 @@ After submitting at least 5 substantial pull requests and meeting the other [req @@ -356,7 +360,7 @@ Approvers and SIG Docs leads are the only ones who can merge pull requests into 不小心的合并可能会破坏整个站点。在执行合并操作时,务必小心。 {{< /warning >}} -- 确保所提议的变更满足[贡献指南](/zh-cn/docs/contribute/style/content-guide/#contributing-content)要求。 +- 确保所提议的变更满足[文档内容指南](/zh-cn/docs/contribute/style/content-guide/)要求。 如果有问题或者疑惑,可以根据需要请他人帮助评审。 From e270cb5691826f5bf91c9b8ee5af708b7c842d9e Mon Sep 17 00:00:00 2001 From: a16su <33782391+immortal-n@users.noreply.github.com> Date: Mon, 14 Nov 2022 15:55:10 +0800 Subject: [PATCH 015/139] fix text order --- content/zh-cn/docs/reference/glossary/kube-proxy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/zh-cn/docs/reference/glossary/kube-proxy.md b/content/zh-cn/docs/reference/glossary/kube-proxy.md index ef7b661715896..f49d3d90c807a 100644 --- a/content/zh-cn/docs/reference/glossary/kube-proxy.md +++ b/content/zh-cn/docs/reference/glossary/kube-proxy.md 
@@ -31,7 +31,7 @@ tags: {{< glossary_tooltip term_id="service">}} concept. --> [kube-proxy](/zh-cn/docs/reference/command-line-tools-reference/kube-proxy/) -是集群中每个{{< glossary_tooltip text="节点(node)" term_id="node" >}}所上运行的网络代理, +是集群中每个{{< glossary_tooltip text="节点(node)" term_id="node" >}}上所运行的网络代理, 实现 Kubernetes {{< glossary_tooltip term_id="service">}} 概念的一部分。 From d34a3c9548eb5d7350a752979641c1058af6cde9 Mon Sep 17 00:00:00 2001 From: Gao Qian Date: Mon, 14 Nov 2022 02:25:06 -0500 Subject: [PATCH 016/139] [zh-cn] Update working-with-objects/names.md Signed-off-by: Gao Qian --- .../docs/concepts/overview/working-with-objects/names.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/zh-cn/docs/concepts/overview/working-with-objects/names.md b/content/zh-cn/docs/concepts/overview/working-with-objects/names.md index 69f088c4df596..4ea3dec20f208 100644 --- a/content/zh-cn/docs/concepts/overview/working-with-objects/names.md +++ b/content/zh-cn/docs/concepts/overview/working-with-objects/names.md @@ -178,8 +178,8 @@ UUID 是标准化的,见 ISO/IEC 9834-8 和 ITU-T X.667。 ## {{% heading "whatsnext" %}} -* 进一步了解 Kubernetes [标签](/zh-cn/docs/concepts/overview/working-with-objects/labels/) +* 进一步了解 Kubernetes [标签](/zh-cn/docs/concepts/overview/working-with-objects/labels/)和[注解](/zh-cn/docs/concepts/overview/working-with-objects/annotations/)。 * 参阅 [Kubernetes 标识符和名称](https://git.k8s.io/design-proposals-archive/architecture/identifiers.md)的设计文档 From 92ab6c860c40e77301229b643aec9e1da2b029d8 Mon Sep 17 00:00:00 2001 From: Gao Qian Date: Sun, 13 Nov 2022 21:08:30 -0500 Subject: [PATCH 017/139] [zh-cn] Update flow-control.md Signed-off-by: Gao Qian --- .../cluster-administration/flow-control.md | 79 ++++++++++++++----- 1 file changed, 60 insertions(+), 19 deletions(-) diff --git a/content/zh-cn/docs/concepts/cluster-administration/flow-control.md b/content/zh-cn/docs/concepts/cluster-administration/flow-control.md index 0efbecff6f5a7..2a1c5deb56708 100644 
--- a/content/zh-cn/docs/concepts/cluster-administration/flow-control.md +++ b/content/zh-cn/docs/concepts/cluster-administration/flow-control.md 
@@ -907,15 +907,16 @@ poorly-behaved workloads that may be harming system health. --> * `apiserver_flowcontrol_read_vs_write_request_count_samples` 是一个直方图向量, 记录当前请求数量的观察值, - 由标签 `phase`(取值为 `waiting` 和 `executing`)和 `request_kind` - (取值 `mutating` 和 `readOnly`)拆分。定期以高速率观察该值。 + 由标签 `phase`(取值为 `waiting` 及 `executing`)和 `request_kind` + (取值 `mutating` 及 `readOnly`)拆分。定期以高速率观察该值。 每个观察到的值是一个介于 0 和 1 之间的比值,计算方式为请求数除以该请求数的对应限制 (等待的队列长度限制和执行所用的并发限制)。 -* `apiserver_flowcontrol_read_vs_write_request_count_watermarks` 是一个直方图向量, - 记录请求数量的高/低水位线, - 由标签 `phase`(取值为 `waiting` 和 `executing`)和 `request_kind` - (取值为 `mutating` 和 `readOnly`)拆分;标签 `mark` 取值为 `high` 和 `low`。 +* `apiserver_flowcontrol_read_vs_write_request_count_watermarks` + 是请求数量的高或低水位线的直方图向量(除以相应的限制,得到介于 0 至 1 的比率), + 由标签 `phase`(取值为 `waiting` 及 `executing`)和 `request_kind` + (取值为 `mutating` 及 `readOnly`)拆分;标签 `mark` 取值为 `high` 和 `low`。 `apiserver_flowcontrol_read_vs_write_request_count_samples` 向量观察到有值新增, 则该向量累积。这些水位线显示了样本值的范围。 * `apiserver_flowcontrol_current_inqueue_requests` 是一个表向量, 记录包含排队中的(未执行)请求的瞬时数量, - 由标签 `priorityLevel` 和 `flowSchema` 拆分。 + 由标签 `priority_level` 和 `flow_schema` 拆分。 * `apiserver_flowcontrol_priority_level_request_count_samples` 是一个直方图向量, - 记录当前请求的观测值,由标签 `phase`(取值为`waiting` 和 `executing`)和 + 记录当前请求的观测值,由标签 `phase`(取值为`waiting` 及 `executing`)和 `priority_level` 进一步区分。 每个直方图都会定期进行观察,直到相关类别的最后活动为止。观察频率高。 + 所观察到的值都是请求数除以相应的请求数限制(等待的队列长度限制和执行的并发限制)的比率, + 介于 0 和 1 之间。 -* `apiserver_flowcontrol_priority_level_request_count_watermarks` 是一个直方图向量, - 记录请求数的高/低水位线,由标签 `phase`(取值为 `waiting` 和 `executing`)和 +* `apiserver_flowcontrol_priority_level_request_count_watermarks` + 是请求数量的高或低水位线的直方图向量(除以相应的限制,得到 0 到 1 的范围内的比率), + 由标签 `phase`(取值为 `waiting` 及 `executing`)和 `priority_level` 拆分; 标签 `mark` 取值为 `high` 和 `low`。 `apiserver_flowcontrol_priority_level_request_count_samples` 向量观察到有值新增, @@ -1020,7 +1028,7 @@ poorly-behaved workloads that may be harming system health. 
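Review bot: The 0-to-1 ratio is worded three different ways in the flow-control.md metric descriptions above: "介于 0 和 1 之间" in the `*_samples` entries, "介于 0 至 1 的比率" in `apiserver_flowcontrol_read_vs_write_request_count_watermarks`, and "得到 0 到 1 的范围内的比率" in `apiserver_flowcontrol_priority_level_request_count_watermarks`. Pick one wording and use it in all four entries. In the `apiserver_flowcontrol_priority_level_request_count_samples` entry, "取值为`waiting`" is also missing the space before the backtick that the neighbouring entries have.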
@@ -1031,8 +1039,8 @@ poorly-behaved workloads that may be harming system health. @@ -1056,8 +1064,8 @@ poorly-behaved workloads that may be harming system health. * `apiserver_flowcontrol_request_execution_seconds` 是一个直方图向量, @@ -1065,6 +1073,39 @@ poorly-behaved workloads that may be harming system health. 由标签 `flow_schema`(表示与请求匹配的 FlowSchema)和 `priority_level`(表示分配给该请求的优先级)进一步区分。 + +* `apiserver_flowcontrol_watch_count_samples` 是一个直方图向量, + 记录给定写的相关活动 WATCH 请求数量, + 由标签 `flow_schema` 和 `priority_level` 进一步区分。 + + +* `apiserver_flowcontrol_work_estimated_seats` 是一个直方图向量, + 记录与估计席位(最初阶段和最后阶段的最多人数)相关联的请求数量, + 由标签 `flow_schema` 和 `priority_level` 进一步区分。 + + +* `apiserver_flowcontrol_request_dispatch_no_accommodation_total` + 是一个事件数量的计数器,这些事件在原则上可能导致请求被分派, + 但由于并发度不足而没有被分派, + 由标签 `flow_schema` 和 `priority_level` 进一步区分。 + 相关的事件类型是请求的到达和请求的完成。 + + + Exemplos das tarefas de operações do cluster incluem: implantação de novos nós para dimensionar o cluster; realização de atualizações de software; implementação de controles de segurança; adição ou remoção de armazenamento; configuração da rede do cluster; gerenciamento de observabilidade em todo o cluster; e resposta a eventos. From 84f4f9a0d1d1bcd685e3ad87f07dbf62fb531983 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marko=20Mudrini=C4=87?= Date: Mon, 14 Nov 2022 12:03:20 +0100 Subject: [PATCH 019/139] Add November patch releases MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Marko Mudrinić --- data/releases/schedule.yaml | 27 ++++++++++++++++++--------- 1 file changed, 18 insertions(+), 9 deletions(-) diff --git a/data/releases/schedule.yaml b/data/releases/schedule.yaml index 464df4c979ff7..81d1d600109e5 100644 --- a/data/releases/schedule.yaml +++ b/data/releases/schedule.yaml 
@@ -4,10 +4,13 @@ schedules: maintenanceModeStartDate: 2023-08-28 endOfLifeDate: 2023-10-27 next: - release: 1.25.4 - cherryPickDeadline: 2022-11-04 - targetDate: 2022-11-09 + release: 1.25.5 + cherryPickDeadline: 2022-12-02 + targetDate: 2022-12-07 previousPatches: + - release: 1.25.4 + cherryPickDeadline: 2022-11-04 + targetDate: 2022-11-09 - release: 1.25.3 cherryPickDeadline: 2022-10-07 targetDate: 2022-10-12 @@ -26,10 +29,13 @@ schedules: maintenanceModeStartDate: 2023-05-28 endOfLifeDate: 2023-07-28 next: - release: 1.24.8 - cherryPickDeadline: 2022-11-04 - targetDate: 2022-11-09 + release: 1.24.9 + cherryPickDeadline: 2022-12-02 + targetDate: 2022-12-07 previousPatches: + - release: 1.24.8 + cherryPickDeadline: 2022-11-04 + targetDate: 2022-11-09 - release: 1.24.7 cherryPickDeadline: 2022-10-07 targetDate: 2022-10-12 @@ -60,10 +66,13 @@ schedules: maintenanceModeStartDate: 2022-12-28 endOfLifeDate: 2023-02-28 next: - release: 1.23.14 - cherryPickDeadline: 2022-11-04 - targetDate: 2022-11-09 + release: 1.23.15 + cherryPickDeadline: 2022-12-02 + targetDate: 2022-12-07 previousPatches: + - release: 1.23.14 + cherryPickDeadline: 2022-11-04 + targetDate: 2022-11-09 - release: 1.23.13 cherryPickDeadline: 2022-10-07 targetDate: 2022-10-12 From caedd543ba44d6c05c1f9abee87b28fc6c3d92f2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marko=20Mudrini=C4=87?= Date: Mon, 14 Nov 2022 12:07:54 +0100 Subject: [PATCH 020/139] Move December patch releases to 2022-12-07 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Marko Mudrinić --- content/en/releases/patch-releases.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/content/en/releases/patch-releases.md b/content/en/releases/patch-releases.md index 919b47fd52108..b5d9f308a78ab 100644 --- a/content/en/releases/patch-releases.md +++ b/content/en/releases/patch-releases.md 
@@ -78,8 +78,7 @@ releases may also occur in between these. | Monthly Patch Release | Cherry Pick Deadline | Target date | | --------------------- | -------------------- | ----------- | -| November 2022 | 2022-11-04 | 2022-11-09 | -| December 2022 | 2022-12-09 | 2022-12-14 | +| December 2022 | 2022-12-02 | 2022-12-07 | | January 2023 | 2023-01-13 | 2023-01-18 | | February 2023 | 2023-02-10 | 2023-02-15 | From 89388ba3d40c9739bdedbe36a1eebc383d3b637b Mon Sep 17 00:00:00 2001 From: Dmitry Shurupov Date: Wed, 26 Jan 2022 11:30:36 +0700 Subject: [PATCH 021/139] [ru] Small corrections for kubernetes-basics index --- .../ru/docs/tutorials/kubernetes-basics/_index.html | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/content/ru/docs/tutorials/kubernetes-basics/_index.html b/content/ru/docs/tutorials/kubernetes-basics/_index.html index ccdaefe8b8696..05cd5cc75c5e0 100644 --- a/content/ru/docs/tutorials/kubernetes-basics/_index.html +++ b/content/ru/docs/tutorials/kubernetes-basics/_index.html @@ -26,12 +26,12 @@

Основы Kubernetes

В данном руководстве вы познакомитесь с основами системы оркестрации кластеров Kubernetes. Каждый модуль содержит краткую справочную информацию по основной функциональности и концепциям Kubernetes, а также включает интерактивные онлайн-уроки. С их помощью вы научитесь самостоятельно управлять простым кластером и контейнеризированными приложениями, которые были в нём развернуты.

Пройдя интерактивные уроки, вы узнаете, как:

    -
  • развёртывать контейнеризированное приложение в кластер.
  • -
  • масштабировать развёртывание.
  • -
  • обновить контейнеризированное приложение на новую версию ПО.
  • +
  • развёртывать контейнеризированное приложение в кластер;
  • +
  • масштабировать развёртывание;
  • +
  • обновить контейнеризированное приложение на новую версию ПО;
  • отлаживать контейнеризированное приложение.
-

Все руководства используют сервис Katacoda, поэтому в вашем браузере будет показан виртуальный терминал с работающим Minikube, небольшой локальной средой Kubernetes, которая может работать где угодно. Вам не потребуется устанавливать дополнительное ПО или вообще что-либо настраивать. Каждый интерактивный урок запускается непосредственно в вашем браузере.

+

Все руководства используют сервис Katacoda, поэтому в вашем браузере будет показан виртуальный терминал с запущенным Minikube — небольшой локальной средой Kubernetes, которая может работать где угодно. Вам не потребуется устанавливать дополнительное ПО или вообще что-либо настраивать. Каждый интерактивный урок запускается непосредственно в вашем браузере.

@@ -40,7 +40,7 @@

Основы Kubernetes

Чем может Kubernetes помочь вам?

-

От современных веб-сервисов пользователи ожидают, что приложения будут доступны 24/7, а разработчики — развёртывать новые версии приложений по нескольку раз в день. Контейнеризация направлена на достижение этой цели, упаковывая ПО и позволяя выпускать и обновлять приложения просто, быстро и без простоев. Kubernetes гарантирует вам, что ваши контейнеризованные приложения будет запущены где угодно и когда угодно, вместе со всеми необходимыми для их работы ресурсами и инструментами. Kubernetes — это готовая к промышленному использованию платформа с открытым исходным кодом, разработанная исходя из накопленного опыта Google по оркестровке контейнеров и лучшими идеями от сообщества.

+

От современных веб-сервисов пользователи ожидают, что приложения будут доступны 24/7, а разработчики — развёртывать новые версии приложений по нескольку раз в день. Контейнеризация направлена на достижение этой цели, посольку позволяет выпускать и обновлять приложения без простоев. Kubernetes гарантирует, что ваши контейнеризованные приложения будет запущены где угодно и когда угодно, вместе со всеми необходимыми для их работы ресурсами и инструментами. Kubernetes — это готовая к промышленному использованию платформа с открытым исходным кодом, разработанная на основе накопленного опыта Google по оркестровке контейнеров и вобравшая в себя лучшие идеи от сообщества.

@@ -63,7 +63,7 @@

Учебные модули по основам Kubernetes
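Review bot: The rewritten paragraph under «Чем может Kubernetes помочь вам?» in content/ru/docs/tutorials/kubernetes-basics/_index.html introduces a typo, «посольку» for «поскольку», and keeps the number disagreement «приложения будет запущены» (should be «будут запущены») that was already present in the removed line. Since this patch is a wording cleanup of that sentence, fix both in the same change.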

From d6ab946dc38391b193b03b0a686923a7df126997 Mon Sep 17 00:00:00 2001 From: Gao Qian Date: Mon, 14 Nov 2022 22:20:48 -0500 Subject: [PATCH 022/139] [zh-cn] Updated replicaset.md Signed-off-by: Gao Qian --- .../concepts/workloads/controllers/replicaset.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/content/zh-cn/docs/concepts/workloads/controllers/replicaset.md b/content/zh-cn/docs/concepts/workloads/controllers/replicaset.md index 62aa1b9c1416e..ddf1c38cf53ae 100644 --- a/content/zh-cn/docs/concepts/workloads/controllers/replicaset.md +++ b/content/zh-cn/docs/concepts/workloads/controllers/replicaset.md @@ -1,5 +1,12 @@ --- title: ReplicaSet +feature: + title: 自我修复 + anchor: ReplicationController 如何工作 + description: > + 重新启动失败的容器,在节点死亡时替换并重新调度容器, + 杀死不响应用户定义的健康检查的容器, + 并且在它们准备好服务之前不会将它们公布给客户端。 content_type: concept weight: 20 --- @@ -9,6 +16,13 @@ reviewers: - bprashanth - madhusudancs title: ReplicaSet +feature: + title: Self-healing + anchor: How a ReplicaSet works + description: > + Restarts containers that fail, replaces and reschedules containers when nodes die, + kills containers that don't respond to your user-defined health check, + and doesn't advertise them to clients until they are ready to serve. content_type: concept weight: 20 --> From 1a4c7bea9f987f1802ce9cc1aaf3b2ce45f636e3 Mon Sep 17 00:00:00 2001 From: lakshmi prasuna Date: Mon, 31 Oct 2022 18:00:42 +0530 Subject: [PATCH 023/139] Retitle Confusing punctuation in Kubernetes components page --- content/en/docs/reference/glossary/etcd.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/docs/reference/glossary/etcd.md b/content/en/docs/reference/glossary/etcd.md index e6c281f3b9d64..474b923caf16d 100644 --- a/content/en/docs/reference/glossary/etcd.md +++ b/content/en/docs/reference/glossary/etcd.md 
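Review bot: In the translated front matter added to content/zh-cn/docs/concepts/workloads/controllers/replicaset.md, `anchor: ReplicationController 如何工作` names ReplicationController, while the English block mirrored in the comment of the same patch has `anchor: How a ReplicaSet works`. The value looks carried over from the ReplicationController page; change it to the matching ReplicaSet heading on the zh-cn page so the feature entry points at a section that exists there.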
@@ -4,7 +4,7 @@ id: etcd date: 2018-04-12 full_link: /docs/tasks/administer-cluster/configure-upgrade-etcd/ short_description: > - Consistent and highly-available key value store used as Kubernetes' backing store for all cluster data. + Consistent and highly-available key value store used as backing store of Kubernetes for all cluster data. aka: tags: From 01cbdad14eddc14216f3d562a903c29caf0b83eb Mon Sep 17 00:00:00 2001 From: Gao Qian Date: Mon, 14 Nov 2022 21:14:35 -0500 Subject: [PATCH 024/139] [zh-cn] Update services-networking/service.md Signed-off-by: Gao Qian --- .../concepts/services-networking/service.md | 100 +++++++++++------- 1 file changed, 63 insertions(+), 37 deletions(-) diff --git a/content/zh-cn/docs/concepts/services-networking/service.md b/content/zh-cn/docs/concepts/services-networking/service.md index 9bd5cfaca3ffe..67a85e305fd37 100644 --- a/content/zh-cn/docs/concepts/services-networking/service.md +++ b/content/zh-cn/docs/concepts/services-networking/service.md @@ -134,7 +134,7 @@ The name of a Service object must be a valid [RFC 1035 label name](/docs/concepts/overview/working-with-objects/names#rfc-1035-label-names). For example, suppose you have a set of Pods where each listens on TCP port 9376 -and contains a label `app=MyApp`: +and contains a label `app.kubernetes.io/name=MyApp`: --> ## 定义 Service {#defining-a-service} @@ -143,7 +143,7 @@ Service 在 Kubernetes 中是一个 REST 对象,和 Pod 类似。 Service 对象的名称必须是合法的 [RFC 1035 标签名称](/zh-cn/docs/concepts/overview/working-with-objects/names#rfc-1035-label-names)。 -例如,假定有一组 Pod,它们对外暴露了 9376 端口,同时还被打上 `app=MyApp` 标签: +例如,假定有一组 Pod,它们对外暴露了 9376 端口,同时还被打上 `app.kubernetes.io/name=MyApp` 标签: ```yaml apiVersion: v1 
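Review bot: In content/en/docs/reference/glossary/etcd.md, the new `short_description` text "used as backing store of Kubernetes for all cluster data" drops the article and reads less naturally than the line it replaces. If the goal is only to avoid the possessive apostrophe, "used as the Kubernetes backing store for all cluster data" achieves that without the awkward "of Kubernetes".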
@@ -582,7 +582,7 @@ thus is only available to use as-is. Note that the kube-proxy starts up in different modes, which are determined by its configuration. - The kube-proxy's configuration is done via a ConfigMap, and the ConfigMap for kube-proxy - effectively deprecates the behaviour for almost all of the flags for the kube-proxy. + effectively deprecates the behavior for almost all of the flags for the kube-proxy. - The ConfigMap for the kube-proxy does not support live reloading of configuration. - The ConfigMap parameters for the kube-proxy cannot all be validated and verified on startup. For example, if your operating system doesn't allow you to run iptables commands, @@ -603,7 +603,7 @@ Note that the kube-proxy starts up in different modes, which are determined by i ### userspace 代理模式 {#proxy-mode-userspace} -这种模式,kube-proxy 会监视 Kubernetes 控制平面对 Service 对象和 Endpoints 对象的添加和移除操作。 +在这种(遗留)模式下,kube-proxy 会监视 Kubernetes 控制平面对 Service 对象和 Endpoints 对象的添加和移除操作。 对每个 Service,它会在本地 Node 上打开一个端口(随机选择)。 任何连接到“代理端口”的请求,都会被代理到 Service 的后端 `Pods` 中的某个上面(如 `Endpoints` 所报告的一样)。 使用哪个后端 Pod,是 kube-proxy 基于 `SessionAffinity` 来确定的。 @@ -639,7 +639,7 @@ In this mode, kube-proxy watches the Kubernetes control plane for the addition a removal of Service and Endpoint objects. For each Service, it installs iptables rules, which capture traffic to the Service's `clusterIP` and `port`, and redirect that traffic to one of the Service's -backend sets. For each Endpoint object, it installs iptables rules which +backend sets. For each Endpoint object, it installs iptables rules which select a backend Pod. By default, kube-proxy in iptables mode chooses a backend at random. 
@@ -701,7 +701,7 @@ The IPVS proxy mode is based on netfilter hook function that is similar to iptables mode, but uses a hash table as the underlying data structure and works in the kernel space. That means kube-proxy in IPVS mode redirects traffic with lower latency than -kube-proxy in iptables mode, with much better performance when synchronising +kube-proxy in iptables mode, with much better performance when synchronizing proxy rules. Compared to the other proxy modes, IPVS mode also supports a higher throughput of network traffic. @@ -874,7 +874,7 @@ endpoints, the kube-proxy does not forward any traffic for the relevant Service. 如果你启用了 kube-proxy 的 `ProxyTerminatingEndpoints` @@ -934,7 +934,11 @@ Kubernetes 支持两种基本的服务发现模式 —— 环境变量和 DNS。 ### Environment variables When a Pod is run on a Node, the kubelet adds a set of environment variables -for each active Service. It adds `{SVCNAME}_SERVICE_HOST` and `{SVCNAME}_SERVICE_PORT` variables, where the Service name is upper-cased and dashes are converted to underscores. It also supports variables (see [makeLinkVariables](https://github.com/kubernetes/kubernetes/blob/dd2d12f6dc0e654c15d5db57a5f9f6ba61192726/pkg/kubelet/envvars/envvars.go#L72)) that are compatible with Docker Engine's "_[legacy container links](https://docs.docker.com/network/links/)_" feature. +for each active Service. It adds `{SVCNAME}_SERVICE_HOST` and `{SVCNAME}_SERVICE_PORT` variables, +where the Service name is upper-cased and dashes are converted to underscores. +It also supports variables (see [makeLinkVariables](https://github.com/kubernetes/kubernetes/blob/dd2d12f6dc0e654c15d5db57a5f9f6ba61192726/pkg/kubelet/envvars/envvars.go#L72)) +that are compatible with Docker Engine's +"_[legacy container links](https://docs.docker.com/network/links/)_" feature. For example, the Service `redis-primary` which exposes TCP port 6379 and has been allocated cluster IP address 10.0.0.11, produces the following environment 
@@ -1002,7 +1006,7 @@ create a DNS record for `my-service.my-ns`. Pods in the `my-ns` namespace should be able to find the service by doing a name lookup for `my-service` (`my-service.my-ns` would also work). -Pods in other Namespaces must qualify the name as `my-service.my-ns`. These names +Pods in other namespaces must qualify the name as `my-service.my-ns`. These names will resolve to the cluster IP assigned for the Service. --> 例如,如果你在 Kubernetes 命名空间 `my-ns` 中有一个名为 `my-service` 的服务, @@ -1145,7 +1149,10 @@ Kubernetes `ServiceTypes` 允许指定你所需要的 Service 类型。 {{< /note >}} 你也可以使用 [Ingress](/zh-cn/docs/concepts/services-networking/ingress/) 来暴露自己的服务。 Ingress 不是一种服务类型,但它充当集群的入口点。 @@ -1260,10 +1267,6 @@ kube-proxy only selects the loopback interface for NodePort Services. The default for `--nodeport-addresses` is an empty list. This means that kube-proxy should consider all available network interfaces for NodePort. (That's also compatible with earlier Kubernetes releases.) -Note that this Service is visible as `:spec.ports[*].nodePort` -and `.spec.clusterIP:spec.ports[*].port`. -If the `--nodeport-addresses` flag for kube-proxy or the equivalent field -in the kube-proxy configuration file is set, `` would be a filtered node IP address (or possibly IP addresses). --> 此标志采用逗号分隔的 IP 段列表(例如 `10.0.0.0/8`、`192.0.2.0/25`)来指定 kube-proxy 应视为该节点本地的 IP 地址范围。 @@ -1273,9 +1276,17 @@ IP 地址范围。 `--nodeport-addresses` 的默认值是一个空列表。 这意味着 kube-proxy 应考虑 NodePort 的所有可用网络接口。 (这也与早期的 Kubernetes 版本兼容。) -请注意,此服务显示为 `:spec.ports[*].nodePort` 和 `.spec.clusterIP:spec.ports[*].port`。 + +{{< note >}} + +此服务呈现为 `:spec.ports[*].nodePort` 和 `.spec.clusterIP:spec.ports[*].port`。 如果设置了 kube-proxy 的 `--nodeport-addresses` 标志或 kube-proxy 配置文件中的等效字段, 则 `` 将是过滤的节点 IP 地址(或可能的 IP 地址)。 +{{< /note >}} 来自外部负载均衡器的流量将直接重定向到后端 Pod 上,不过实际它们是如何工作的,这要依赖于云提供商。 
@@ -1439,13 +1451,13 @@ LoadBalancer 类型的服务继续分配节点端口。 `spec.loadBalancerClass` enables you to use a load balancer implementation other than the cloud provider default. By default, `spec.loadBalancerClass` is `nil` and a `LoadBalancer` type of Service uses the cloud provider's default load balancer implementation if the cluster is configured with -a cloud provider using the `--cloud-provider` component flag. +a cloud provider using the `--cloud-provider` component flag. If `spec.loadBalancerClass` is specified, it is assumed that a load balancer implementation that matches the specified class is watching for Services. Any default load balancer implementation (for example, the one provided by the cloud provider) will ignore Services that have this field set. `spec.loadBalancerClass` can be set on a Service of type `LoadBalancer` only. -Once set, it cannot be changed. +Once set, it cannot be changed. --> `spec.loadBalancerClass` 允许你不使用云提供商的默认负载均衡器实现,转而使用指定的负载均衡器实现。 默认情况下,`.spec.loadBalancerClass` 的取值是 `nil`,如果集群使用 `--cloud-provider` 配置了云提供商, @@ -1469,7 +1481,8 @@ Unprefixed names are reserved for end-users. In a mixed environment it is sometimes necessary to route traffic from Services inside the same (virtual) network address block. -In a split-horizon DNS environment you would need two Services to be able to route both external and internal traffic to your endpoints. +In a split-horizon DNS environment you would need two Services to be able to route both external +and internal traffic to your endpoints. To set an internal load balancer, add one of the following annotations to your Service depending on the cloud Service provider you're using. 
@@ -1667,7 +1680,9 @@ TCP 和 SSL 选择第4层代理:ELB 转发流量而不修改报头。 In the above example, if the Service contained three ports, `80`, `443`, and `8443`, then `443` and `8443` would use the SSL certificate, but `80` would be proxied HTTP. -From Kubernetes v1.9 onwards you can use [predefined AWS SSL policies](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-policy-table.html) with HTTPS or SSL listeners for your Services. +From Kubernetes v1.9 onwards you can use +[predefined AWS SSL policies](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-policy-table.html) +with HTTPS or SSL listeners for your Services. To see which policies are available for use, you can use the `aws` command line tool: --> 在上例中,如果服务包含 `80`、`443` 和 `8443` 三个端口, 那么 `443` 和 `8443` 将使用 SSL 证书, @@ -1777,7 +1792,8 @@ Connection draining for Classic ELBs can be managed with the annotation `service.beta.kubernetes.io/aws-load-balancer-connection-draining-enabled` set to the value of `"true"`. The annotation `service.beta.kubernetes.io/aws-load-balancer-connection-draining-timeout` can -also be used to set maximum time, in seconds, to keep the existing connections open before deregistering the instances. +also be used to set maximum time, in seconds, to keep the existing connections open before +deregistering the instances. --> #### AWS 上的连接排空 @@ -1879,7 +1895,8 @@ To use a Network Load Balancer on AWS, use the annotation `service.beta.kubernet {{< note >}} NLB 仅适用于某些实例类。有关受支持的实例类型的列表, @@ -2066,7 +2083,8 @@ spec: {{< note >}} @@ -2091,9 +2109,13 @@ Service's `type`. {{< warning >}} 对于一些常见的协议,包括 HTTP 和 HTTPS,你使用 ExternalName 可能会遇到问题。 如果你使用 ExternalName,那么集群内客户端使用的主机名与 ExternalName 引用的名称不同。 
@@ -2219,7 +2241,7 @@ fail with a message indicating an IP address could not be allocated. In the control plane, a background controller is responsible for creating that map (needed to support migrating from older versions of Kubernetes that used in-memory locking). Kubernetes also uses controllers to check for invalid -assignments (eg due to administrator intervention) and for cleaning up allocated +assignments (e.g. due to administrator intervention) and for cleaning up allocated IP addresses that are no longer used by any Services. --> ### 避免冲突 {#avoiding-collisions} @@ -2374,8 +2396,11 @@ through a load-balancer, though in those cases the client IP does get altered. #### IPVS 在大规模集群(例如 10000 个服务)中,iptables 操作会显着降低速度。 IPVS 专为负载均衡而设计,并基于内核内哈希表。 @@ -2386,14 +2411,15 @@ IPVS 专为负载均衡而设计,并基于内核内哈希表。 ## API Object Service is a top-level resource in the Kubernetes REST API. You can find more details -about the API object at: [Service API object](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#service-v1-core). +about the [Service API object](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#service-v1-core). ## Supported protocols {#protocol-support} --> ## API 对象 {#api-object} -Service 是 Kubernetes REST API 中的顶级资源。你可以在以下位置找到有关 API 对象的更多详细信息: -[Service 对象 API](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#service-v1-core). +Service 是 Kubernetes REST API 中的顶级资源。你可以找到有关 +[Service 对象 API](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#service-v1-core) +的更多详细信息。 ## 受支持的协议 {#protocol-support} @@ -2437,7 +2463,8 @@ provider offering this facility. (Most do not). {{< warning >}} @@ -2483,7 +2510,7 @@ HTTP/HTTPS 反向代理,并将其转发到该服务的 Endpoints。 {{< note >}} 你还可以使用 {{< glossary_tooltip text="Ingress" term_id="ingress" >}} 代替 Service 来公开 HTTP/HTTPS 服务。 
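Review bot: In the IPVS hunk (`@@ -2374,8 +2396,11 @@`) of content/zh-cn/docs/concepts/services-networking/service.md, the context line "iptables 操作会显着降低速度" contains a typo: "显着" should be "显著". The patch only resyncs the English comment above that sentence, so the translated line is left as it was; correct it while this section is being updated.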
@@ -2522,11 +2549,10 @@ followed by the data from the client. ## {{% heading "whatsnext" %}} -* 阅读[使用服务访问应用](/zh-cn/docs/concepts/services-networking/connect-applications-service/) +* 遵循[使用 Service 连接到应用](/zh-cn/docs/tutorials/services/connect-applications-service/)教程 * 阅读了解 [Ingress](/zh-cn/docs/concepts/services-networking/ingress/) * 阅读了解[端点切片(Endpoint Slices)](/zh-cn/docs/concepts/services-networking/endpoint-slices/) - From 786f0b8efbf9b16cdc3be77cb9c37da915177463 Mon Sep 17 00:00:00 2001 From: "hang.jiang" Date: Tue, 15 Nov 2022 11:49:50 +0800 Subject: [PATCH 025/139] Fix typo in api-concepts.md Signed-off-by: hang.jiang --- content/zh-cn/docs/reference/using-api/api-concepts.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/zh-cn/docs/reference/using-api/api-concepts.md b/content/zh-cn/docs/reference/using-api/api-concepts.md index 9898b63e593db..8a9d25f67681b 100644 --- a/content/zh-cn/docs/reference/using-api/api-concepts.md +++ b/content/zh-cn/docs/reference/using-api/api-concepts.md @@ -1722,7 +1722,7 @@ Start at Exact the resource version. --> 从指定版本开始 -: 以确切的资源版本开始 **watcH**。监视事件适用于提供的资源版本之后的所有更改。 +: 以确切的资源版本开始 **watch**。监视事件适用于提供的资源版本之后的所有更改。 与 “Get State and Start at Most Recent” 和 “Get State and Start at Any” 不同, **watch** 不会以所提供资源版本的合成 “添加” 事件启动。 由于客户端提供了资源版本,因此假定客户端已经具有起始资源版本的初始状态。 From 98d2336aac47cb8afd126a36ca242ae829fac0b7 Mon Sep 17 00:00:00 2001 From: Julia Furst Morgado <52685951+juliafmorgado@users.noreply.github.com> Date: Thu, 3 Nov 2022 16:56:00 -0400 Subject: [PATCH 026/139] Translated kops page from EN to PT-BR --- .../production-environment/tools/kops.md | 202 ++++++++++++++++++ 1 file changed, 202 insertions(+) create mode 100644 content/pt-br/docs/setup/production-environment/tools/kops.md diff --git a/content/pt-br/docs/setup/production-environment/tools/kops.md b/content/pt-br/docs/setup/production-environment/tools/kops.md new file mode 100644 index 0000000000000..3a00f936bb634 --- /dev/null 
+++ b/content/pt-br/docs/setup/production-environment/tools/kops.md 
@@ -0,0 +1,202 @@ +--- +title: Instalando Kubernetes com kOps +content_type: task +weight: 20 +--- + + + +Este início rápido mostra como instalar facilmente um cluster Kubernetes na AWS usando uma ferramenta chamada [`kOps`](https://github.com/kubernetes/kops). + +`kOps` é um sistema de provisionamento automatizado: + +* Instalação totalmente automatizada +* Usa DNS para identificar clusters +* Auto-recuperação: tudo é executado em grupos de Auto-Scaling +* Suporte de vários sistemas operacionais (Amazon Linux, Debian, Flatcar, RHEL, Rocky e Ubuntu) - veja as [imagens.md](https://github.com/kubernetes/kops/blob/master/docs/operations/images.md) +* Suporte de alta disponibilidade - consulte o [high_availability.md](https://github.com/kubernetes/kops/blob/master/docs/operations/high_availability.md) +* Pode provisionar diretamente ou gerar manifestos do terraform - veja o [terraform.md](https://github.com/kubernetes/kops/blob/master/docs/terraform.md) + +## {{% heading "prerequisites" %}} + +* Você deve ter o [kubectl](/docs/tasks/tools/) instalado. + +* Você deve [instalar](https://github.com/kubernetes/kops#installing) `kops` em uma arquitetura de dispositivo de 64 bits (AMD64 e Intel 64). + +* Você deve ter uma [conta da AWS](https://docs.aws.amazon.com/polly/latest/dg/setting-up.html), gerar [chaves do IAM](https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys) e [configurá-las](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html#cli-quick-configuration). O usuário do IAM precisará de [permissoões adequadas](https://github.com/kubernetes/kops/blob/master/docs/getting_started/aws.md#setup-iam-user). 
+ + + +## Como criar um cluster + +### (1/5) Instalar kops + +#### Instalação + +Faça o download do kops na [página de lançamentos](https://github.com/kubernetes/kops/releases) (também é conveniente compilar a partir da fonte): + +{{< tabs name="instalação_kops" >}} +{{% tab name="macOS" %}} + +aixe a versão mais recente com o comando: + +```shell +curl -LO https://github.com/kubernetes/kops/releases/download/$(curl -s https://api.github.com/repos/kubernetes/kops/releases/latest | grep tag_name | cut -d '"' -f 4)/kops-darwin-amd64 +``` + +Para baixar uma versão específica, substitua a seguinte parte do comando pela versão específica do kops. + +```shell +$(curl -s https://api.github.com/repos/kubernetes/kops/releases/latest | grep tag_name | cut -d '"' -f 4) +``` + +Por exemplo, para baixar kops versão v1.20.0 digite: + +```shell +curl -LO https://github.com/kubernetes/kops/releases/download/v1.20.0/kops-darwin-amd64 +``` + +Torne o kops executável binário. + +```shell +chmod +x kops-darwin-amd64 +``` + +Mova o kops binário para o seu PATH. + +```shell +sudo mv kops-darwin-amd64 /usr/local/bin/kops +``` + +Você também pode instalar kops usando [Homebrew](https://brew.sh/). + +```shell +brew update && brew install kops +``` +{{% /tab %}} +{{% tab name="Linux" %}} + +Baixe a versão mais recente com o comando: + +```shell +curl -LO https://github.com/kubernetes/kops/releases/download/$(curl -s https://api.github.com/repos/kubernetes/kops/releases/latest | grep tag_name | cut -d '"' -f 4)/kops-linux-amd64 +``` + +Para baixar uma versão específica do kops, substitua a seguinte parte do comando pela versão específica do kops. 
+ +```shell +$(curl -s https://api.github.com/repos/kubernetes/kops/releases/latest | grep tag_name | cut -d '"' -f 4) +``` + +Por exemplo, para baixar kops versão v1.20.0 digite: + +```shell +curl -LO https://github.com/kubernetes/kops/releases/download/v1.20.0/kops-linux-amd64 +``` + +Torne o kops executável binário + +```shell +chmod +x kops-linux-amd64 +``` + +Mova o kops binário para o seu PATH. + +```shell +sudo mv kops-linux-amd64 /usr/local/bin/kops +``` + +Você também pode instalar kops usando [Homebrew](https://docs.brew.sh/Homebrew-on-Linux). + +```shell +brew update && brew install kops +``` + +{{% /tab %}} +{{< /tabs >}} + +### (2/5) Crie um domínio route53 para seu cluster + +O kops usa DNS para descoberta, tanto dentro do cluster quanto fora, para que você possa acessar o servidor da API do kubernetes a partir dos clientes. + +kops tem uma opinião forte sobre o nome do cluster: deve ser um nome DNS válido. Ao fazer isso, você não confundirá mais seus clusters, poderá compartilhar clusters com seus colegas de forma inequívoca e alcançá-los sem ter de lembrar de um endereço IP. + +Você pode e provavelmente deve usar subdomínios para dividir seus clusters. Como nosso exemplo usaremos +`useast1.dev.example.com`. O endpoint do servidor de API será então `api.useast1.dev.example.com`. + +Uma zona hospedada do Route53 pode servir subdomínios. Sua zona hospedada pode ser `useast1.dev.example.com`, +mas também `dev.example.com` ou até `example.com`. kops funciona com qualquer um deles, então normalmente você escolhe por motivos de organização (por exemplo, você tem permissão para criar registros em `dev.example.com`, +mas não em `example.com`). + +Vamos supor que você esteja usando `dev.example.com` como sua zona hospedada. 
Você cria essa zona hospedada usando o [processo normal](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/CreatingNewSubdomain.html), ou +com um comando como `aws route53 create-hosted-zone --name dev.example.com --caller-reference 1`. + +Você deve então configurar seus registros NS no domínio principal, para que os registros no domínio sejam resolvidos. Aqui, você criaria registros NS no `example.com` para `dev`. Se for um nome de domínio raiz, você configuraria os registros NS em seu registrador de domínio (por exemplo `example.com`, precisaria ser configurado onde você comprou `example.com`). + +Verifique a configuração do seu domínio route53 (é a causa número 1 de problemas!). Você pode verificar novamente se seu cluster está configurado corretamente se tiver a ferramenta de escavação executando: + +`dig NS dev.example.com` + +Você deve ver os 4 registros NS que o Route53 atribuiu à sua zona hospedada. + +### (3/5) Crie um bucket do S3 para armazenar o estado dos clusters + +kops permite que você gerencie seus clusters mesmo após a instalação. Para fazer isso, ele deve acompanhar os clusters que você criou, juntamente com suas configurações, as chaves que estão usando etc. Essas informações são armazenadas em um bucket do S3. As permissões do S3 são usadas para controlar o acesso ao bucket. + +Vários clusters podem usar o mesmo bucket do S3 e você pode compartilhar um bucket do S3 entre seus colegas que administram os mesmos clusters - isso é muito mais fácil do que transmitir arquivos kubecfg. Mas qualquer pessoa com acesso ao bucket do S3 terá acesso administrativo a todos os seus clusters, portanto, você não deseja compartilhá-lo além da equipe de operações. + +Portanto, normalmente você tem um bucket do S3 para cada equipe de operações (e geralmente o nome corresponderá ao nome da zona hospedada acima!) 
+ +Em nosso exemplo, escolhemos `dev.example.com` como nossa zona hospedada, então vamos escolher `clusters.dev.example.com` como o nome do bucket do S3. + +* Exportar `AWS_PROFILE` (se precisar selecionar um perfil para que a AWS CLI funcione) + +* Crie o bucket do S3 usando `aws s3 mb s3://clusters.dev.example.com` + +* Você pode `export KOPS_STATE_STORE=s3://clusters.dev.example.com` e, em seguida, o kops usará esse local por padrão. Sugerimos colocar isso em seu perfil bash ou similar. + +### (4/5) Crie sua configuração de cluster + +Execute `kops create cluster` para criar sua configuração de cluster: + +`kops create cluster --zones=us-east-1c useast1.dev.example.com` + +kops criará a configuração para seu cluster. Observe que ele _apenas_ cria a configuração, na verdade não cria os recursos de nuvem - você fará isso na próxima etapa com um arquivo `kops update cluster`. Isso lhe dá a oportunidade de revisar a configuração ou alterá-la. + +Ele imprime comandos que você pode usar para explorar mais: + +* Liste seus clusters com: `kops get cluster` +* Edite este cluster com: `kops edit cluster useast1.dev.example.com` +* Edite seu grupo de instâncias de nós: `kops edit ig --name=useast1.dev.example.com nodes` +* Edite seu grupo de instâncias mestre: `kops edit ig --name=useast1.dev.example.com master-us-east-1c` + +Se esta é sua primeira vez usando kops, gaste alguns minutos para experimentá-los! Um grupo de instâncias é um conjunto de instâncias que serão registradas como nós do kubernetes. Na AWS, isso é implementado por meio de grupos de auto-scaling. +Você pode ter vários grupos de instâncias, por exemplo, se quiser nós que sejam uma combinação de instâncias spot e sob demanda ou instâncias de GPU e não GPU. 
+ +### (5/5) Crie o cluster na AWS + +Execute `kops update cluster` para criar seu cluster na AWS: + +`kops update cluster useast1.dev.example.com --yes` + +Isso leva alguns segundos para ser executado, mas seu cluster provavelmente levará alguns minutos para estar realmente pronto. +`kops update cluster` será a ferramenta que você usará sempre que alterar a configuração do seu cluster; ele aplica as alterações que você fez na configuração ao seu cluster - reconfigurando AWS ou kubernetes conforme necessário. + +Por exemplo, depois de você `kops edit ig nodes`, em seguida `kops update cluster --yes` para aplicar sua configuração e, às vezes, você também precisará `kops rolling-update cluster` para implementar a configuração imediatamente. + +Sem `--yes`, `kops update cluster` mostrará uma prévia do que ele fará. Isso é útil para clusters de produção! + +### Explore outros complementos + +Consulte a [lista de complementos](/docs/concepts/cluster-administration/addons/) para explorar outros complementos, incluindo ferramentas para registro, monitoramento, política de rede, visualização e controle de seu cluster Kubernetes. + +## Limpeza + +* Para excluir seu cluster: `kops delete cluster useast1.dev.example.com --yes` + +## {{% heading "whatsnext" %}} + +* Saiba mais sobre os [conceitos do Kubernetes](/docs/concepts/) e o [`kubectl`](/docs/reference/kubectl/). +* Saiba mais sobre o [uso avançado](https://kops.sigs.k8s.io/) do `kOps` para tutoriais, práticas recomendadas e opções de configuração avançada. +* Siga as discussões da comunidade do `kOps` no Slack: [discussões da comunidade](https://github.com/kubernetes/kops#other-ways-to-communicate-with-the-contributors). +* Contribua para o `kOps` endereçando ou levantando um problema [GitHub Issues](https://github.com/kubernetes/kops/issues). From 3389829dff2887b6d22572235ff496eaa499a9d5 Mon Sep 17 00:00:00 2001 
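Review bot: In the new pt-br `kops.md` added by PATCH 026, the macOS and Linux install tabs download the release binary with `curl -LO`, run `chmod +x` on it and then `sudo mv` it into `/usr/local/bin/kops`, with no integrity check in between. Suggest adding a step in both tabs, before the `chmod +x`, that verifies the downloaded file against a checksum from the release page, where one is published. Separately, in step (4/5) the sentence "você fará isso na próxima etapa com um arquivo `kops update cluster`" calls a command a file ("um arquivo"); "com o comando `kops update cluster`" would read correctly.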
From: Julia Furst Morgado <52685951+juliafmorgado@users.noreply.github.com> Date: Fri, 4 Nov 2022 08:25:03 -0400 Subject: [PATCH 027/139] Update kops.md with suggestions --- .../production-environment/tools/kops.md | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/content/pt-br/docs/setup/production-environment/tools/kops.md b/content/pt-br/docs/setup/production-environment/tools/kops.md index 3a00f936bb634..eafc558a50438 100644 --- a/content/pt-br/docs/setup/production-environment/tools/kops.md +++ b/content/pt-br/docs/setup/production-environment/tools/kops.md @@ -13,9 +13,9 @@ Este início rápido mostra como instalar facilmente um cluster Kubernetes na AW * Instalação totalmente automatizada * Usa DNS para identificar clusters * Auto-recuperação: tudo é executado em grupos de Auto-Scaling -* Suporte de vários sistemas operacionais (Amazon Linux, Debian, Flatcar, RHEL, Rocky e Ubuntu) - veja as [imagens.md](https://github.com/kubernetes/kops/blob/master/docs/operations/images.md) -* Suporte de alta disponibilidade - consulte o [high_availability.md](https://github.com/kubernetes/kops/blob/master/docs/operations/high_availability.md) -* Pode provisionar diretamente ou gerar manifestos do terraform - veja o [terraform.md](https://github.com/kubernetes/kops/blob/master/docs/terraform.md) +* Suporte de vários sistemas operacionais (Amazon Linux, Debian, Flatcar, RHEL, Rocky e Ubuntu) - veja em [imagens](https://github.com/kubernetes/kops/blob/master/docs/operations/images.md) +* Suporte a alta disponibilidade - consulte a [documentação sobre alta disponibilidade](https://github.com/kubernetes/kops/blob/master/docs/operations/high_availability.md) +* Pode provisionar diretamente ou gerar manifestos do terraform - veja o [veja a documentação sobre como fazer isso com Terraform](https://github.com/kubernetes/kops/blob/master/docs/terraform.md) ## {{% heading "prerequisites" %}} 
@@ -23,7 +23,7 @@ Este início rápido mostra como instalar facilmente um cluster Kubernetes na AW * Você deve [instalar](https://github.com/kubernetes/kops#installing) `kops` em uma arquitetura de dispositivo de 64 bits (AMD64 e Intel 64). -* Você deve ter uma [conta da AWS](https://docs.aws.amazon.com/polly/latest/dg/setting-up.html), gerar [chaves do IAM](https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys) e [configurá-las](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html#cli-quick-configuration). O usuário do IAM precisará de [permissoões adequadas](https://github.com/kubernetes/kops/blob/master/docs/getting_started/aws.md#setup-iam-user). +* Você deve ter uma [conta da AWS](https://docs.aws.amazon.com/polly/latest/dg/setting-up.html), gerar [chaves do IAM](https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys) e [configurá-las](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html#cli-quick-configuration). O usuário do IAM precisará de [permissões adequadas](https://github.com/kubernetes/kops/blob/master/docs/getting_started/aws.md#setup-iam-user). @@ -33,12 +33,12 @@ Este início rápido mostra como instalar facilmente um cluster Kubernetes na AW #### Instalação -Faça o download do kops na [página de lançamentos](https://github.com/kubernetes/kops/releases) (também é conveniente compilar a partir da fonte): +Faça o download do kops na [página de downloads](https://github.com/kubernetes/kops/releases) (também é conveniente compilar a partir da fonte): {{< tabs name="instalação_kops" >}} {{% tab name="macOS" %}} -aixe a versão mais recente com o comando: +Baixe a versão mais recente com o comando: ```shell curl -LO https://github.com/kubernetes/kops/releases/download/$(curl -s https://api.github.com/repos/kubernetes/kops/releases/latest | grep tag_name | cut -d '"' -f 4)/kops-darwin-amd64 
@@ -56,13 +56,13 @@ Por exemplo, para baixar kops versão v1.20.0 digite: curl -LO https://github.com/kubernetes/kops/releases/download/v1.20.0/kops-darwin-amd64 ``` -Torne o kops executável binário. +Dê a permissão de execução ao binário do kops. ```shell chmod +x kops-darwin-amd64 ``` -Mova o kops binário para o seu PATH. +Mova o binário do kops para o seu PATH. ```shell sudo mv kops-darwin-amd64 /usr/local/bin/kops @@ -94,13 +94,13 @@ Por exemplo, para baixar kops versão v1.20.0 digite: curl -LO https://github.com/kubernetes/kops/releases/download/v1.20.0/kops-linux-amd64 ``` -Torne o kops executável binário +Dê a permissão de execução ao binário do kops ```shell chmod +x kops-linux-amd64 ``` -Mova o kops binário para o seu PATH. +Mova o binário do kops para o seu PATH. ```shell sudo mv kops-linux-amd64 /usr/local/bin/kops 
@@ -163,12 +163,12 @@ Execute `kops create cluster` para criar sua configuração de cluster: kops criará a configuração para seu cluster. Observe que ele _apenas_ cria a configuração, na verdade não cria os recursos de nuvem - você fará isso na próxima etapa com um arquivo `kops update cluster`. Isso lhe dá a oportunidade de revisar a configuração ou alterá-la. -Ele imprime comandos que você pode usar para explorar mais: +Ele exibe comandos que você pode usar para explorar mais: * Liste seus clusters com: `kops get cluster` * Edite este cluster com: `kops edit cluster useast1.dev.example.com` * Edite seu grupo de instâncias de nós: `kops edit ig --name=useast1.dev.example.com nodes` -* Edite seu grupo de instâncias mestre: `kops edit ig --name=useast1.dev.example.com master-us-east-1c` +* Edite seu grupo de instâncias principal: `kops edit ig --name=useast1.dev.example.com master-us-east-1c` Se esta é sua primeira vez usando kops, gaste alguns minutos para experimentá-los! Um grupo de instâncias é um conjunto de instâncias que serão registradas como nós do kubernetes. Na AWS, isso é implementado por meio de grupos de auto-scaling. Você pode ter vários grupos de instâncias, por exemplo, se quiser nós que sejam uma combinação de instâncias spot e sob demanda ou instâncias de GPU e não GPU. From 7c4819dd7668fccff13037b8cea8542b83341f63 Mon Sep 17 00:00:00 2001 From: Julia Furst Morgado <52685951+juliafmorgado@users.noreply.github.com> Date: Mon, 7 Nov 2022 08:38:43 -0500 Subject: [PATCH 028/139] Fix kops.md according to MrErlison's suggestions --- .../docs/setup/production-environment/tools/kops.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/content/pt-br/docs/setup/production-environment/tools/kops.md b/content/pt-br/docs/setup/production-environment/tools/kops.md index eafc558a50438..4e7667a6bcefd 100644 --- a/content/pt-br/docs/setup/production-environment/tools/kops.md 
+++ b/content/pt-br/docs/setup/production-environment/tools/kops.md @@ -15,7 +15,7 @@ Este início rápido mostra como instalar facilmente um cluster Kubernetes na AW * Auto-recuperação: tudo é executado em grupos de Auto-Scaling * Suporte de vários sistemas operacionais (Amazon Linux, Debian, Flatcar, RHEL, Rocky e Ubuntu) - veja em [imagens](https://github.com/kubernetes/kops/blob/master/docs/operations/images.md) * Suporte a alta disponibilidade - consulte a [documentação sobre alta disponibilidade](https://github.com/kubernetes/kops/blob/master/docs/operations/high_availability.md) -* Pode provisionar diretamente ou gerar manifestos do terraform - veja o [veja a documentação sobre como fazer isso com Terraform](https://github.com/kubernetes/kops/blob/master/docs/terraform.md) +* Pode provisionar diretamente ou gerar manifestos do terraform - veja a [documentação sobre como fazer isso com Terraform](https://github.com/kubernetes/kops/blob/master/docs/terraform.md) ## {{% heading "prerequisites" %}} 
@@ -23,7 +23,7 @@ Este início rápido mostra como instalar facilmente um cluster Kubernetes na AW * Você deve [instalar](https://github.com/kubernetes/kops#installing) `kops` em uma arquitetura de dispositivo de 64 bits (AMD64 e Intel 64). -* Você deve ter uma [conta da AWS](https://docs.aws.amazon.com/polly/latest/dg/setting-up.html), gerar [chaves do IAM](https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys) e [configurá-las](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html#cli-quick-configuration). O usuário do IAM precisará de [permissões adequadas](https://github.com/kubernetes/kops/blob/master/docs/getting_started/aws.md#setup-iam-user). +* Você deve ter uma [conta da AWS](https://docs.aws.amazon.com/polly/latest/dg/setting-up.html), gerar as [chaves do IAM](https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys) e [configurá-las](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html#cli-quick-configuration). O usuário do IAM precisará de [permissões adequadas](https://github.com/kubernetes/kops/blob/master/docs/getting_started/aws.md#setup-iam-user). @@ -35,7 +35,7 @@ Este início rápido mostra como instalar facilmente um cluster Kubernetes na AW Faça o download do kops na [página de downloads](https://github.com/kubernetes/kops/releases) (também é conveniente compilar a partir da fonte): -{{< tabs name="instalação_kops" >}} +{{< tabs name="kops_installation" >}} {{% tab name="macOS" %}} Baixe a versão mais recente com o comando: 
@@ -133,7 +133,7 @@ com um comando como `aws route53 create-hosted-zone --name dev.example.com --cal Você deve então configurar seus registros NS no domínio principal, para que os registros no domínio sejam resolvidos. Aqui, você criaria registros NS no `example.com` para `dev`. Se for um nome de domínio raiz, você configuraria os registros NS em seu registrador de domínio (por exemplo `example.com`, precisaria ser configurado onde você comprou `example.com`). -Verifique a configuração do seu domínio route53 (é a causa número 1 de problemas!). Você pode verificar novamente se seu cluster está configurado corretamente se tiver a ferramenta de escavação executando: +Verifique a configuração do seu domínio route53 (é a causa número 1 de problemas!). Você pode verificar novamente se seu cluster está configurado corretamente se tiver a ferramenta dig executando: `dig NS dev.example.com` 
@@ -141,7 +141,7 @@ Você deve ver os 4 registros NS que o Route53 atribuiu à sua zona hospedada. ### (3/5) Crie um bucket do S3 para armazenar o estado dos clusters -kops permite que você gerencie seus clusters mesmo após a instalação. Para fazer isso, ele deve acompanhar os clusters que você criou, juntamente com suas configurações, as chaves que estão usando etc. Essas informações são armazenadas em um bucket do S3. As permissões do S3 são usadas para controlar o acesso ao bucket. +O kops permite que você gerencie seus clusters mesmo após a instalação. Para fazer isso, ele deve acompanhar os clusters que você criou, juntamente com suas configurações, as chaves que estão usando etc. Essas informações são armazenadas em um bucket do S3. As permissões do S3 são usadas para controlar o acesso ao bucket. Vários clusters podem usar o mesmo bucket do S3 e você pode compartilhar um bucket do S3 entre seus colegas que administram os mesmos clusters - isso é muito mais fácil do que transmitir arquivos kubecfg. Mas qualquer pessoa com acesso ao bucket do S3 terá acesso administrativo a todos os seus clusters, portanto, você não deseja compartilhá-lo além da equipe de operações. 
@@ -182,7 +182,7 @@ Execute `kops update cluster` para criar seu cluster na AWS: Isso leva alguns segundos para ser executado, mas seu cluster provavelmente levará alguns minutos para estar realmente pronto. `kops update cluster` será a ferramenta que você usará sempre que alterar a configuração do seu cluster; ele aplica as alterações que você fez na configuração ao seu cluster - reconfigurando AWS ou kubernetes conforme necessário. -Por exemplo, depois de você `kops edit ig nodes`, em seguida `kops update cluster --yes` para aplicar sua configuração e, às vezes, você também precisará `kops rolling-update cluster` para implementar a configuração imediatamente. +Por exemplo, depois de você executar `kops edit ig nodes`, em seguida execute `kops update cluster --yes` para aplicar sua configuração e, às vezes, você também precisará `kops rolling-update cluster` para implementar a configuração imediatamente. Sem `--yes`, `kops update cluster` mostrará uma prévia do que ele fará. Isso é útil para clusters de produção! From 39c4ed00b841d280c78b961cd8a47f7ba2a49bf5 Mon Sep 17 00:00:00 2001 From: Julia Furst Morgado <52685951+juliafmorgado@users.noreply.github.com> Date: Mon, 14 Nov 2022 11:15:58 -0500 Subject: [PATCH 029/139] Update kops.md with stormqueen1990 suggestions --- .../docs/setup/production-environment/tools/kops.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/content/pt-br/docs/setup/production-environment/tools/kops.md b/content/pt-br/docs/setup/production-environment/tools/kops.md index 4e7667a6bcefd..051b142cf6960 100644 --- a/content/pt-br/docs/setup/production-environment/tools/kops.md +++ b/content/pt-br/docs/setup/production-environment/tools/kops.md 
@@ -33,7 +33,7 @@ Este início rápido mostra como instalar facilmente um cluster Kubernetes na AW #### Instalação -Faça o download do kops na [página de downloads](https://github.com/kubernetes/kops/releases) (também é conveniente compilar a partir da fonte): +Faça o download do kops na [página de downloads](https://github.com/kubernetes/kops/releases) (também é conveniente gerar um binário a partir do código-fonte): {{< tabs name="kops_installation" >}} {{% tab name="macOS" %}} @@ -149,11 +149,11 @@ Portanto, normalmente você tem um bucket do S3 para cada equipe de operações Em nosso exemplo, escolhemos `dev.example.com` como nossa zona hospedada, então vamos escolher `clusters.dev.example.com` como o nome do bucket do S3. -* Exportar `AWS_PROFILE` (se precisar selecionar um perfil para que a AWS CLI funcione) +* Exporte `AWS_PROFILE` (se precisar selecione um perfil para que a AWS CLI funcione) * Crie o bucket do S3 usando `aws s3 mb s3://clusters.dev.example.com` -* Você pode `export KOPS_STATE_STORE=s3://clusters.dev.example.com` e, em seguida, o kops usará esse local por padrão. Sugerimos colocar isso em seu perfil bash ou similar. +* Você pode rodar `export KOPS_STATE_STORE=s3://clusters.dev.example.com` e, em seguida, o kops usará esse local por padrão. Sugerimos colocar isso em seu perfil bash ou similar. ### (4/5) Crie sua configuração de cluster 
@@ -188,7 +188,7 @@ Sem `--yes`, `kops update cluster` mostrará uma prévia do que ele fará. Isso ### Explore outros complementos -Consulte a [lista de complementos](/docs/concepts/cluster-administration/addons/) para explorar outros complementos, incluindo ferramentas para registro, monitoramento, política de rede, visualização e controle de seu cluster Kubernetes. +Consulte a [lista de complementos](/pt-br/docs/concepts/cluster-administration/addons/) para explorar outros complementos, incluindo ferramentas para registro, monitoramento, política de rede, visualização e controle de seu cluster Kubernetes. ## Limpeza @@ -196,7 +196,7 @@ Consulte a [lista de complementos](/docs/concepts/cluster-administration/addons/ ## {{% heading "whatsnext" %}} -* Saiba mais sobre os [conceitos do Kubernetes](/docs/concepts/) e o [`kubectl`](/docs/reference/kubectl/). +* Saiba mais sobre os [conceitos do Kubernetes](/pt-br/docs/concepts/) e o [`kubectl`](/docs/reference/kubectl/). * Saiba mais sobre o [uso avançado](https://kops.sigs.k8s.io/) do `kOps` para tutoriais, práticas recomendadas e opções de configuração avançada. * Siga as discussões da comunidade do `kOps` no Slack: [discussões da comunidade](https://github.com/kubernetes/kops#other-ways-to-communicate-with-the-contributors). * Contribua para o `kOps` endereçando ou levantando um problema [GitHub Issues](https://github.com/kubernetes/kops/issues). From e0e6f5037f869093bda70677ec2f77434caea0a0 Mon Sep 17 00:00:00 2001 From: "Mr. Erlison" Date: Sat, 29 Oct 2022 10:42:31 -0300 Subject: [PATCH 030/139] Add pt-br/docs/reference/glossary/aggregation-layer.md Signed-off-by: Mr. Erlison --- .../reference/glossary/aggregation-layer.md | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 content/pt-br/docs/reference/glossary/aggregation-layer.md 
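Review bot: In PATCH 029, hunk `@@ -149,11 +149,11 @@` of pt-br `kops.md`, the `AWS_PROFILE` bullet changes "se precisar selecionar um perfil" to "se precisar selecione um perfil", which no longer parses: the verb after "se precisar" should stay in the infinitive. Suggest "Exporte `AWS_PROFILE` (se precisar selecionar um perfil para que a AWS CLI funcione)". In the last hunk, the concepts link gains the `/pt-br/` prefix while the `kubectl` link on the same line keeps `/docs/reference/kubectl/`; worth confirming that this is intentional.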
diff --git a/content/pt-br/docs/reference/glossary/aggregation-layer.md b/content/pt-br/docs/reference/glossary/aggregation-layer.md new file mode 100644 index 0000000000000..d1b581b9a6a46 --- /dev/null +++ b/content/pt-br/docs/reference/glossary/aggregation-layer.md @@ -0,0 +1,19 @@ +--- +title: Camada de Agregação +id: aggregation-layer +date: 2018-10-08 +full_link: /pt-br/docs/concepts/extend-kubernetes/api-extension/apiserver-aggregation/ +short_description: > + A camada de agregação permite que você instale APIs adicionais no estilo Kubernetes em seu cluster. + +aka: +tags: +- arquitetura +- extensão +- operação +--- + A camada de agregação permite que você instale APIs adicionais no estilo Kubernetes em seu cluster. + + + +Depois de configurar o {{< glossary_tooltip text="Servidor de API do Kubernetes" term_id="kube-apiserver" >}} para [suportar APIs adicionais](/docs/tasks/extend-kubernetes/configure-aggregation-layer/), você pode adicionar objetos `APIService` para obter a URL da API adicional. From 78958a9125810073fa23c2931a7edf107f265775 Mon Sep 17 00:00:00 2001 From: "Mr. Erlison" Date: Tue, 15 Nov 2022 09:25:11 -0300 Subject: [PATCH 031/139] Fix tags Signed-off-by: Mr. Erlison --- .../pt-br/docs/reference/glossary/aggregation-layer.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/content/pt-br/docs/reference/glossary/aggregation-layer.md b/content/pt-br/docs/reference/glossary/aggregation-layer.md index d1b581b9a6a46..d627ea12166b5 100644 --- a/content/pt-br/docs/reference/glossary/aggregation-layer.md +++ b/content/pt-br/docs/reference/glossary/aggregation-layer.md 
@@ -8,12 +8,12 @@ short_description: > aka: tags: -- arquitetura -- extensão -- operação +- architecture +- extension +- operation --- A camada de agregação permite que você instale APIs adicionais no estilo Kubernetes em seu cluster. -Depois de configurar o {{< glossary_tooltip text="Servidor de API do Kubernetes" term_id="kube-apiserver" >}} para [suportar APIs adicionais](/docs/tasks/extend-kubernetes/configure-aggregation-layer/), você pode adicionar objetos `APIService` para obter a URL da API adicional. +Depois de configurar o {{< glossary_tooltip text="Servidor da API do Kubernetes" term_id="kube-apiserver" >}} para [suportar APIs adicionais](/docs/tasks/extend-kubernetes/configure-aggregation-layer/), você pode adicionar objetos `APIService` para obter a URL da API adicional. From ea219b830d311185218fff0c01c3536db54b1858 Mon Sep 17 00:00:00 2001 From: mtardy Date: Wed, 19 Oct 2022 15:40:48 +0200 Subject: [PATCH 032/139] Update echoserver image in tutorial for multiarch The previous version of the image did not support arm64. This one supports amd64, arm, arm64, ppc64le, s390x on Linux, and amd64 on multiple Windows versions. --- content/en/docs/tutorials/hello-minikube.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/docs/tutorials/hello-minikube.md b/content/en/docs/tutorials/hello-minikube.md index 96eaf037bca62..c3a48105148ee 100644 --- a/content/en/docs/tutorials/hello-minikube.md +++ b/content/en/docs/tutorials/hello-minikube.md @@ -94,7 +94,7 @@ recommended way to manage the creation and scaling of Pods. Pod runs a Container based on the provided Docker image. ```shell - kubectl create deployment hello-node --image=registry.k8s.io/echoserver:1.4 + kubectl create deployment hello-node --image=registry.k8s.io/e2e-test-images/agnhost:2.39 -- /agnhost netexec --http-port=8080 ``` 2. View the Deployment: From 88fda9560f85c5dbb9f73b963a69324687968fd8 Mon Sep 17 00:00:00 2001 
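Review bot: In PATCH 032 (`hello-minikube.md`), the replacement command now passes container arguments (`-- /agnhost netexec --http-port=8080`), but the step text around it still only says the Pod "runs a Container based on the provided Docker image". Suggest adding one sentence explaining that everything after `--` is the command run inside the container and that it starts an HTTP server on port 8080, and checking that the later steps of the tutorial that expose the Deployment use that same port. The image now also comes from the `e2e-test-images` path, which deserves a short remark for readers who wonder why a test image appears in a getting-started tutorial.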
From: Thomas VIVET Date: Mon, 14 Nov 2022 15:52:37 +0100 Subject: [PATCH 033/139] Update topology-spread-constraints.md Fix typo MinDomainsInPodToplogySpread -> MinDomainsInPodTopologySpread --- .../concepts/scheduling-eviction/topology-spread-constraints.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/docs/concepts/scheduling-eviction/topology-spread-constraints.md b/content/en/docs/concepts/scheduling-eviction/topology-spread-constraints.md index 3474645d14f02..62098a0928f42 100644 --- a/content/en/docs/concepts/scheduling-eviction/topology-spread-constraints.md +++ b/content/en/docs/concepts/scheduling-eviction/topology-spread-constraints.md @@ -98,7 +98,7 @@ your cluster. Those fields are: {{< note >}} The `minDomains` field is a beta field and enabled by default in 1.25. You can disable it by disabling the - `MinDomainsInPodToplogySpread` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/). + `MinDomainsInPodTopologySpread` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/). {{< /note >}} - The value of `minDomains` must be greater than 0, when specified. From 3abff19e70933a4d92af5d71bf48b88eb6bf6281 Mon Sep 17 00:00:00 2001 From: Zhenguo Niu Date: Mon, 14 Nov 2022 13:03:54 +0000 Subject: [PATCH 034/139] fix a broken link for connect-applications-service --- .../en/docs/concepts/services-networking/service-topology.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/docs/concepts/services-networking/service-topology.md b/content/en/docs/concepts/services-networking/service-topology.md index 5c5429297cccc..3778bb4035682 100644 --- a/content/en/docs/concepts/services-networking/service-topology.md +++ b/content/en/docs/concepts/services-networking/service-topology.md 
@@ -201,5 +201,5 @@ spec: * Read about [enabling Service Topology](/docs/tasks/administer-cluster/enabling-service-topology) -* Read [Connecting Applications with Services](/docs/concepts/services-networking/connect-applications-service/) +* Read [Connecting Applications with Services](/docs/tutorials/services/connect-applications-service/) From 58f1be30a66d79a0461af1480ab3a13fc5eb551f Mon Sep 17 00:00:00 2001 From: Michael Date: Sun, 13 Nov 2022 21:26:36 +0800 Subject: [PATCH 035/139] updated /kubernetes-objects.md --- .../working-with-objects/kubernetes-objects.md | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/content/en/docs/concepts/overview/working-with-objects/kubernetes-objects.md b/content/en/docs/concepts/overview/working-with-objects/kubernetes-objects.md index 6c9ce3fcb280e..53969ab025bcd 100644 --- a/content/en/docs/concepts/overview/working-with-objects/kubernetes-objects.md +++ b/content/en/docs/concepts/overview/working-with-objects/kubernetes-objects.md @@ -2,16 +2,18 @@ title: Understanding Kubernetes Objects content_type: concept weight: 10 -card: +card: name: concepts weight: 40 --- + This page explains how Kubernetes objects are represented in the Kubernetes API, and how you can express them in `.yaml` format. + ## Understanding Kubernetes objects {#kubernetes-objects} *Kubernetes objects* are persistent entities in the Kubernetes system. Kubernetes uses these @@ -32,7 +34,7 @@ interface, for example, the CLI makes the necessary Kubernetes API calls for you the Kubernetes API directly in your own programs using one of the [Client Libraries](/docs/reference/using-api/client-libraries/). -### Object Spec and Status +### Object spec and status Almost every Kubernetes object includes two nested object fields that govern the object's configuration: the object *`spec`* and the object *`status`*. 
@@ -86,7 +88,7 @@ The output is similar to this: deployment.apps/nginx-deployment created ``` -### Required Fields +### Required fields In the `.yaml` file for the Kubernetes object you want to create, you'll need to set values for the following fields: @@ -116,9 +118,9 @@ detail the structure of that `.status` field, and its content for each different ## {{% heading "whatsnext" %}} Learn more about the following: -* [Pods](https://kubernetes.io/docs/concepts/workloads/pods/) which are the most important basic Kubernetes objects. -* [Deployment](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/) objects. -* [Controllers](https://kubernetes.io/docs/concepts/architecture/controller/) in Kubernetes. -* [Kubernetes API overview](https://kubernetes.io/docs/reference/using-api/) which explains some more API concepts. -* [kubectl](https://kubernetes.io/docs/reference/kubectl/) and [kubectl commands](https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands). +* [Pods](/docs/concepts/workloads/pods/) which are the most important basic Kubernetes objects. +* [Deployment](/docs/concepts/workloads/controllers/deployment/) objects. +* [Controllers](/docs/concepts/architecture/controller/) in Kubernetes. +* [Kubernetes API overview](/docs/reference/using-api/) which explains some more API concepts. +* [kubectl](/docs/reference/kubectl/) and [kubectl commands](/docs/reference/generated/kubectl/kubectl-commands). From d4eb5841c37d33e91f036c148021c159772739ec Mon Sep 17 00:00:00 2001 From: Shubham Kuchhal Date: Tue, 15 Nov 2022 13:21:01 +0530 Subject: [PATCH 036/139] Added Hyperlink to RFC3339 --- content/en/docs/concepts/configuration/secret.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/docs/concepts/configuration/secret.md b/content/en/docs/concepts/configuration/secret.md index a58c1a3322756..2fd58938ec109 100644 --- a/content/en/docs/concepts/configuration/secret.md 
+++ b/content/en/docs/concepts/configuration/secret.md @@ -1195,7 +1195,7 @@ A bootstrap type Secret has the following keys specified under `data`: - `token-secret`: A random 16 character string as the actual token secret. Required. - `description`: A human-readable string that describes what the token is used for. Optional. -- `expiration`: An absolute UTC time using RFC3339 specifying when the token +- `expiration`: An absolute UTC time using [RFC3339](https://datatracker.ietf.org/doc/html/rfc3339) specifying when the token should be expired. Optional. - `usage-bootstrap-`: A boolean flag indicating additional usage for the bootstrap token. From aea96808b803de5d04ef37c245e033dcaf69a6e7 Mon Sep 17 00:00:00 2001 From: Michael Date: Fri, 11 Nov 2022 20:35:07 +0800 Subject: [PATCH 037/139] Fix typos in /service-accounts-admin.md --- .../service-accounts-admin.md | 20 +++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/content/en/docs/reference/access-authn-authz/service-accounts-admin.md b/content/en/docs/reference/access-authn-authz/service-accounts-admin.md index 73867e3c73c35..332e757313e8a 100644 --- a/content/en/docs/reference/access-authn-authz/service-accounts-admin.md +++ b/content/en/docs/reference/access-authn-authz/service-accounts-admin.md 
@@ -96,7 +96,7 @@ Here's an example of how that looks for a launched Pod: That manifest snippet defines a projected volume that consists of three sources. In this case, each source also represents a single path within that volume. The three sources are: -1. A `serviceAccountToken` source, that contains a token that the kubelet acquires from kube-apiserver +1. A `serviceAccountToken` source, that contains a token that the kubelet acquires from kube-apiserver. The kubelet fetches time-bound tokens using the TokenRequest API. A token served for a TokenRequest expires either when the pod is deleted or after a defined lifespan (by default, that is 1 hour). The token is bound to the specific Pod and has the kube-apiserver as its audience. @@ -105,7 +105,7 @@ each source also represents a single path within that volume. The three sources 1. A `configMap` source. The ConfigMap contains a bundle of certificate authority data. Pods can use these certificates to make sure that they are connecting to your cluster's kube-apiserver (and not to middlebox or an accidentally misconfigured peer). -1. A `downwardAPI` source that looks up the name of thhe namespace containing the Pod, and makes +1. A `downwardAPI` source that looks up the name of the namespace containing the Pod, and makes that name information available to application code running inside the Pod. Any container within the Pod that mounts this particular volume can access the above information. 
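Review bot: in the `configMap` item kept as context in this hunk, "(and not to middlebox or an accidentally misconfigured peer)" is still missing an article. Since this commit is a typo pass over the file, change it to "not to a middlebox" here and in the identical sentence of the second list near line 232. The first item's "A `serviceAccountToken` source, that contains a token" also has a stray comma before "that" in both lists.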
@@ -232,14 +232,14 @@ Here's an example of how that looks for a launched Pod: That manifest snippet defines a projected volume that combines information from three sources: -1. A `serviceAccountToken` source, that contains a token that the kubelet acquires from kube-apiserver +1. A `serviceAccountToken` source, that contains a token that the kubelet acquires from kube-apiserver. The kubelet fetches time-bound tokens using the TokenRequest API. A token served for a TokenRequest expires either when the pod is deleted or after a defined lifespan (by default, that is 1 hour). The token is bound to the specific Pod and has the kube-apiserver as its audience. 1. A `configMap` source. The ConfigMap contains a bundle of certificate authority data. Pods can use these certificates to make sure that they are connecting to your cluster's kube-apiserver (and not to middlebox or an accidentally misconfigured peer). -1. A `downwardAPI` source. This `downwardAPI` volume makes the name of the namespace container the Pod available +1. A `downwardAPI` source. This `downwardAPI` volume makes the name of the namespace containing the Pod available to application code running inside the Pod. Any container within the Pod that mounts this volume can access the above information. @@ -262,6 +262,7 @@ Here is a sample manifest for such a Secret: {{< codenew file="secret/serviceaccount/mysecretname.yaml" >}} To create a Secret based on this example, run: + ```shell kubectl -n examplens create -f https://k8s.io/examples/secret/serviceaccount/mysecretname.yaml ``` @@ -273,6 +274,7 @@ kubectl -n examplens describe secret mysecretname ``` The output is similar to: + ``` Name: mysecretname Namespace: examplens @@ -306,7 +308,9 @@ Otherwise, first find the Secret for the ServiceAccount. # This assumes that you already have a namespace named 'examplens' kubectl -n examplens get serviceaccount/example-automated-thing -o yaml ``` + The output is similar to: + ```yaml apiVersion: v1 kind: ServiceAccount 
@@ -321,9 +325,11 @@ metadata: selfLink: /api/v1/namespaces/examplens/serviceaccounts/example-automated-thing uid: f23fd170-66f2-4697-b049-e1e266b7f835 secrets: -- name: example-automated-thing-token-zyxwv + - name: example-automated-thing-token-zyxwv ``` + Then, delete the Secret you now know the name of: + ```shell kubectl -n examplens delete secret/example-automated-thing-token-zyxwv ``` @@ -334,6 +340,7 @@ and creates a replacement: ```shell kubectl -n examplens get serviceaccount/example-automated-thing -o yaml ``` + ```yaml apiVersion: v1 kind: ServiceAccount @@ -348,12 +355,13 @@ metadata: selfLink: /api/v1/namespaces/examplens/serviceaccounts/example-automated-thing uid: f23fd170-66f2-4697-b049-e1e266b7f835 secrets: -- name: example-automated-thing-token-4rdrh + - name: example-automated-thing-token-4rdrh ``` ## Clean up If you created a namespace `examplens` to experiment with, you can remove it: + ```shell kubectl delete namespace examplens ``` From 183b7fff908751da4777e37422499e9ad341fd8d Mon Sep 17 00:00:00 2001 From: Shannon Kularathna Date: Tue, 15 Nov 2022 22:17:06 +0000 Subject: [PATCH 038/139] Remove edit steps from concept page --- .../en/docs/concepts/configuration/secret.md | 47 +++++-------------- 1 file changed, 12 insertions(+), 35 deletions(-) diff --git a/content/en/docs/concepts/configuration/secret.md b/content/en/docs/concepts/configuration/secret.md index 2fd58938ec109..52408e6022bdd 100644 --- a/content/en/docs/concepts/configuration/secret.md +++ b/content/en/docs/concepts/configuration/secret.md 
@@ -101,9 +101,9 @@ the exact mechanisms for issuing and refreshing those session tokens. There are several options to create a Secret: -- [create Secret using `kubectl` command](/docs/tasks/configmap-secret/managing-secret-using-kubectl/) -- [create Secret from config file](/docs/tasks/configmap-secret/managing-secret-using-config-file/) -- [create Secret using kustomize](/docs/tasks/configmap-secret/managing-secret-using-kustomize/) +- [Use `kubectl`](/docs/tasks/configmap-secret/managing-secret-using-kubectl/) +- [Use a configuration file](/docs/tasks/configmap-secret/managing-secret-using-config-file/) +- [Use the Kustomize tool](/docs/tasks/configmap-secret/managing-secret-using-kustomize/) #### Constraints on Secret names and data {#restriction-names-data} 
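Review bot: the three rewritten items in this list keep the `-` bullet marker, while the new list this patch adds under "Editing a Secret" uses `*`. Pick one marker for both lists so the page stays consistent. The new labels ("Use `kubectl`", "Use a configuration file", "Use the Kustomize tool") are otherwise the same wording as the edit list, which reads well.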
@@ -132,41 +132,18 @@ number of Secrets (or other resources) in a namespace. ### Editing a Secret -You can edit an existing Secret using kubectl: +You can edit an existing Secret unless it is [immutable](#secret-immutable). To +edit a Secret, use one of the following methods: -```shell -kubectl edit secrets mysecret -``` - -This opens your default editor and allows you to update the base64 encoded Secret -values in the `data` field; for example: - -```yaml -# Please edit the object below. Lines beginning with a '#' will be ignored, -# and an empty file will abort the edit. If an error occurs while saving this file, it will be -# reopened with the relevant failures. -# -apiVersion: v1 -data: - username: YWRtaW4= - password: MWYyZDFlMmU2N2Rm -kind: Secret -metadata: - annotations: - kubectl.kubernetes.io/last-applied-configuration: { ... } - creationTimestamp: 2020-01-22T18:41:56Z - name: mysecret - namespace: default - resourceVersion: "164619" - uid: cfee02d6-c137-11e5-8d73-42010af00002 -type: Opaque -``` +* [Use `kubectl`](/docs/tasks/configmap-secret/managing-secret-using-kubectl/#edit-secret) +* [Use a configuration file](/docs/tasks/configmap-secret/managing-secret-using-config-file/#edit-secret) -That example manifest defines a Secret with two keys in the `data` field: `username` and `password`. -The values are Base64 strings in the manifest; however, when you use the Secret with a Pod -then the kubelet provides the _decoded_ data to the Pod and its containers. +You can also edit the data in a Secret using the [Kustomize tool](/docs/tasks/configmap-secret/managing-secret-using-kustomize/#edit-secret). However, this +method creates a new `Secret` object with the edited data. -You can package many keys and values into one Secret, or use many Secrets, whichever is convenient. +Depending on how you created the Secret, as well as how the Secret is used in +your Pods, updates to existing `Secret` objects are propagated automatically to +Pods that use the data. 
For more information, refer to [Mounted Secrets are updated automatically](#mounted-secrets-are-updated-automatically). ### Using a Secret From b6415535108428907557483f7f9ff8f0c529c7dc Mon Sep 17 00:00:00 2001 From: zdxgs Date: Mon, 14 Nov 2022 16:04:29 +0800 Subject: [PATCH 039/139] fix the link for azure --- ...00-Caas-The-Foundation-For-Next-Gen-Paas.md | 2 +- .../2018-05-04-Announcing-Kubeflow-0-1.md | 2 +- .../2018-10-08-support-for-azure-vmss.md | 18 +++++++++--------- .../2020-05-21-wsl2-dockerdesktop-k8s.md | 4 ++-- 4 files changed, 13 insertions(+), 13 deletions(-) diff --git a/content/en/blog/_posts/2017-02-00-Caas-The-Foundation-For-Next-Gen-Paas.md b/content/en/blog/_posts/2017-02-00-Caas-The-Foundation-For-Next-Gen-Paas.md index c613e8e29f64d..66c810591b393 100644 --- a/content/en/blog/_posts/2017-02-00-Caas-The-Foundation-For-Next-Gen-Paas.md +++ b/content/en/blog/_posts/2017-02-00-Caas-The-Foundation-For-Next-Gen-Paas.md 
@@ -30,7 +30,7 @@ This then points to the other benefit of next generation PaaS being built on top Kubernetes is infrastructure for next generation applications, PaaS and more. Given this, I’m really excited by our [announcement](https://azure.microsoft.com/en-us/blog/kubernetes-now-generally-available-on-azure-container-service/) today that Kubernetes on Azure Container Service has reached general availability. When you deploy your next generation application to Azure, whether on a PaaS or deployed directly onto Kubernetes itself (or both) you can deploy it onto a managed, supported Kubernetes cluster. -Furthermore, because we know that the world of PaaS and software development in general is a hybrid one, we’re excited to announce the preview availability of [Windows clusters in Azure Container Service](https://docs.microsoft.com/en-us/azure/container-service/container-service-kubernetes-walkthrough). We’re also working on [hybrid clusters](https://github.com/Azure/acs-engine/blob/master/docs/kubernetes/windows.md) in [ACS-Engine](https://github.com/Azure/acs-engine) and expect to roll those out to general availability in the coming months. +Furthermore, because we know that the world of PaaS and software development in general is a hybrid one, we’re excited to announce the preview availability of [Windows clusters in Azure Container Service](https://learn.microsoft.com/en-us/azure/container-service/container-service-kubernetes-walkthrough). We’re also working on [hybrid clusters](https://github.com/Azure/acs-engine/blob/master/docs/kubernetes/windows.md) in [ACS-Engine](https://github.com/Azure/acs-engine) and expect to roll those out to general availability in the coming months. I’m thrilled to see how containers and container as a service is changing the world of compute, I’m confident that we’re only scratching the surface of the transformation we’ll see in the coming months and years. 
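Review bot: in the rewritten "Windows clusters in Azure Container Service" link, only the host changes from docs.microsoft.com to learn.microsoft.com, and the path `/en-us/azure/container-service/container-service-kubernetes-walkthrough` is carried over unchanged. Please confirm that the new URL resolves to the intended page, since the commit is meant to fix the link and a host swap alone does not show that the target still exists. The same check applies to the other learn.microsoft.com rewrites in this patch.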
diff --git a/content/en/blog/_posts/2018-05-04-Announcing-Kubeflow-0-1.md b/content/en/blog/_posts/2018-05-04-Announcing-Kubeflow-0-1.md index d60dbf22f6651..1be435c931a00 100644 --- a/content/en/blog/_posts/2018-05-04-Announcing-Kubeflow-0-1.md +++ b/content/en/blog/_posts/2018-05-04-Announcing-Kubeflow-0-1.md 
@@ -94,7 +94,7 @@ If you’d like to try out Kubeflow, we have a number of options for you: 1. You can use sample walkthroughs hosted on [Katacoda](https://www.katacoda.com/kubeflow) 2. You can follow a guided tutorial with existing models from the [examples repository](https://github.com/kubeflow/examples). These include the [GitHub Issue Summarization](https://github.com/kubeflow/examples/tree/master/github_issue_summarization), [MNIST](https://github.com/kubeflow/examples/tree/master/mnist) and [Reinforcement Learning with Agents](https://github.com/kubeflow/examples/tree/v0.5.1/agents). -3. You can start a cluster on your own and try your own model. Any Kubernetes conformant cluster will support Kubeflow including those from contributors [Caicloud](https://www.prnewswire.com/news-releases/caicloud-releases-its-kubernetes-based-cluster-as-a-service-product-claas-20-and-the-first-tensorflow-as-a-service-taas-11-while-closing-6m-series-a-funding-300418071.html), [Canonical](https://jujucharms.com/canonical-kubernetes/), [Google](https://cloud.google.com/kubernetes-engine/docs/how-to/creating-a-container-cluster), [Heptio](https://heptio.com/products/kubernetes-subscription/), [Mesosphere](https://github.com/mesosphere/dcos-kubernetes-quickstart), [Microsoft](https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough), [IBM](https://cloud.ibm.com/docs/containers?topic=containers-cs_cluster_tutorial#cs_cluster_tutorial), [Red Hat/Openshift ](https://docs.openshift.com/container-platform/3.3/install_config/install/quick_install.html#install-config-install-quick-install)and [Weaveworks](https://www.weave.works/product/cloud/). +3. You can start a cluster on your own and try your own model. 
Any Kubernetes conformant cluster will support Kubeflow including those from contributors [Caicloud](https://www.prnewswire.com/news-releases/caicloud-releases-its-kubernetes-based-cluster-as-a-service-product-claas-20-and-the-first-tensorflow-as-a-service-taas-11-while-closing-6m-series-a-funding-300418071.html), [Canonical](https://jujucharms.com/canonical-kubernetes/), [Google](https://cloud.google.com/kubernetes-engine/docs/how-to/creating-a-container-cluster), [Heptio](https://heptio.com/products/kubernetes-subscription/), [Mesosphere](https://github.com/mesosphere/dcos-kubernetes-quickstart), [Microsoft](https://learn.microsoft.com/en-us/azure/aks/kubernetes-walkthrough), [IBM](https://cloud.ibm.com/docs/containers?topic=containers-cs_cluster_tutorial#cs_cluster_tutorial), [Red Hat/Openshift ](https://docs.openshift.com/container-platform/3.3/install_config/install/quick_install.html#install-config-install-quick-install)and [Weaveworks](https://www.weave.works/product/cloud/). There were also a number of sessions at KubeCon + CloudNativeCon EU 2018 covering Kubeflow. The links to the talks are here; the associated videos will be posted in the coming days. diff --git a/content/en/blog/_posts/2018-10-08-support-for-azure-vmss.md b/content/en/blog/_posts/2018-10-08-support-for-azure-vmss.md index 42746f49e264e..ca942ac013674 100644 --- a/content/en/blog/_posts/2018-10-08-support-for-azure-vmss.md +++ b/content/en/blog/_posts/2018-10-08-support-for-azure-vmss.md 
@@ -10,11 +10,11 @@ date: 2018-10-08 With Kubernetes v1.12, Azure virtual machine scale sets (VMSS) and cluster-autoscaler have reached their General Availability (GA) and User Assigned Identity is available as a preview feature. -_Azure VMSS allow you to create and manage identical, load balanced VMs that automatically increase or decrease based on demand or a set schedule. This enables you to easily manage and scale multiple VMs to provide high availability and application resiliency, ideal for large-scale applications like container workloads [[1]](https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/overview)._ +_Azure VMSS allow you to create and manage identical, load balanced VMs that automatically increase or decrease based on demand or a set schedule. This enables you to easily manage and scale multiple VMs to provide high availability and application resiliency, ideal for large-scale applications like container workloads [[1]](https://learn.microsoft.com/en-us/azure/virtual-machine-scale-sets/overview)._ Cluster autoscaler allows you to adjust the size of the Kubernetes clusters based on the load conditions automatically. -Another exciting feature which v1.12 brings to the table is the ability to use User Assigned Identities with Kubernetes clusters [[12]](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview). +Another exciting feature which v1.12 brings to the table is the ability to use User Assigned Identities with Kubernetes clusters [[12]](https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview). In this article, we will do a brief overview of VMSS, cluster autoscaler and user assigned identity features on Azure. 
@@ -22,7 +22,7 @@ In this article, we will do a brief overview of VMSS, cluster autoscaler and use Azure’s Virtual Machine Scale sets (VMSS) feature offers users an ability to automatically create VMs from a single central configuration, provide load balancing via L4 and L7 load balancing, provide a path to use availability zones for high availability, provides large-scale VM instances et. al. -VMSS consists of a group of virtual machines, which are identical and can be managed and configured at a group level. More details of this feature in Azure itself can be found at the following link [[1]](https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/overview). +VMSS consists of a group of virtual machines, which are identical and can be managed and configured at a group level. More details of this feature in Azure itself can be found at the following link [[1]](https://learn.microsoft.com/en-us/azure/virtual-machine-scale-sets/overview). With Kubernetes v1.12 customers can create k8s cluster out of VMSS instances and utilize VMSS features. 
@@ -254,7 +254,7 @@ Cluster Autoscaler currently supports four VM types: standard (VMAS), VMSS, ACS ## User Assigned Identity -Inorder for the Kubernetes cluster components to securely talk to the cloud services, it needs to authenticate with the cloud provider. In Azure Kubernetes clusters, up until now this was done using two ways - Service Principals or Managed Identities. In case of service principal the credentials are stored within the cluster and there are password rotation and other challenges which user needs to incur to accommodate this model. Managed service identities takes out this burden from the user and manages the service instances directly [[12]](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview). +Inorder for the Kubernetes cluster components to securely talk to the cloud services, it needs to authenticate with the cloud provider. In Azure Kubernetes clusters, up until now this was done using two ways - Service Principals or Managed Identities. In case of service principal the credentials are stored within the cluster and there are password rotation and other challenges which user needs to incur to accommodate this model. Managed service identities takes out this burden from the user and manages the service instances directly [[12]](https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview). There are two kinds of managed identities possible - one is system assigned and another is user assigned. In case of system assigned identity each vm in the Kubernetes cluster is assigned a managed identity during creation. This identity is used by various Kubernetes components needing access to Azure resources. Examples to these operations are getting/updating load balancer configuration, getting/updating vm information etc. With the system assigned managed identity, user has no control over the identity which is assigned to the underlying vm. 
The system automatically assigns it and this reduces the flexibility for the user. @@ -273,7 +273,7 @@ env.ServiceManagementEndpoint, config.UserAssignedIdentityID) ``` -This calls hits either the instance metadata service or the vm extension [[12]](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview) to gather the token which is then used to access various resources. +This calls hits either the instance metadata service or the vm extension [[12]](https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview) to gather the token which is then used to access various resources. ## Setting up a cluster with user assigned identity @@ -304,11 +304,11 @@ For azure specific discussions - please checkout the Azure SIG page at [[6]](htt For CA, please checkout the Autoscaler project here [[7]](http://www.github.com/kubernetes/autoscaler) and join the [#sig-autoscaling](https://kubernetes.slack.com/messages/sig-autoscaling) Slack for more discussions. -For the acs-engine (the unmanaged variety) on Azure docs can be found here: [[9]](https://github.com/Azure/acs-engine). More details about the managed service from Azure Kubernetes Service (AKS) here [[5]](https://docs.microsoft.com/en-us/azure/aks/). +For the acs-engine (the unmanaged variety) on Azure docs can be found here: [[9]](https://github.com/Azure/acs-engine). More details about the managed service from Azure Kubernetes Service (AKS) here [[5]](https://learn.microsoft.com/en-us/azure/aks/). ## References -1) https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/overview +1) https://learn.microsoft.com/en-us/azure/virtual-machine-scale-sets/overview 2) /docs/concepts/architecture/cloud-controller/ 
@@ -316,7 +316,7 @@ For the acs-engine (the unmanaged variety) on Azure docs can be found here: [[9] 4) https://github.com/Azure/acs-engine/blob/master/docs/kubernetes/deploy.md -5) https://docs.microsoft.com/en-us/azure/aks/ +5) https://learn.microsoft.com/en-us/azure/aks/ 6) https://github.com/kubernetes/community/tree/master/sig-azure @@ -330,7 +330,7 @@ For the acs-engine (the unmanaged variety) on Azure docs can be found here: [[9] 11) /docs/concepts/architecture/ -12) https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview +12) https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview 13) https://github.com/Azure/acs-engine/tree/master/examples/kubernetes-msi-userassigned diff --git a/content/en/blog/_posts/2020-05-21-wsl2-dockerdesktop-k8s.md b/content/en/blog/_posts/2020-05-21-wsl2-dockerdesktop-k8s.md index 1166d8b766a99..9a1d4760306c5 100644 --- a/content/en/blog/_posts/2020-05-21-wsl2-dockerdesktop-k8s.md +++ b/content/en/blog/_posts/2020-05-21-wsl2-dockerdesktop-k8s.md 
@@ -16,7 +16,7 @@ New to Windows 10 and WSL2, or new to Docker and Kubernetes? Welcome to this blo For the last few years, Kubernetes became a de-facto standard platform for running containerized services and applications in distributed environments. While a wide variety of distributions and installers exist to deploy Kubernetes in the cloud environments (public, private or hybrid), or within the bare metal environments, there is still a need to deploy and run Kubernetes locally, for example, on the developer's workstation. -Kubernetes has been originally designed to be deployed and used in the Linux environments. However, a good number of users (and not only application developers) use Windows OS as their daily driver. When Microsoft revealed WSL - [the Windows Subsystem for Linux](https://docs.microsoft.com/en-us/windows/wsl/), the line between Windows and Linux environments became even less visible. +Kubernetes has been originally designed to be deployed and used in the Linux environments. However, a good number of users (and not only application developers) use Windows OS as their daily driver. When Microsoft revealed WSL - [the Windows Subsystem for Linux](https://learn.microsoft.com/en-us/windows/wsl/), the line between Windows and Linux environments became even less visible. Also, WSL brought an ability to run Kubernetes on Windows almost seamlessly! 
@@ -31,7 +31,7 @@ Since we will explain how to install KinD, we won't go into too much detail arou However, here is the list of the prerequisites needed and their version/lane: - OS: Windows 10 version 2004, Build 19041 -- [WSL2 enabled](https://docs.microsoft.com/en-us/windows/wsl/wsl2-install) +- [WSL2 enabled](https://learn.microsoft.com/en-us/windows/wsl/wsl2-install) - In order to install the distros as WSL2 by default, once WSL2 installed, run the command `wsl.exe --set-default-version 2` in Powershell - WSL2 distro installed from the Windows Store - the distro used is Ubuntu-18.04 - [Docker Desktop for Windows](https://hub.docker.com/editions/community/docker-ce-desktop-windows), stable channel - the version used is 2.2.0.4 From d55c18e0dfcf36a84ba93cea289d7cfdf76eaad2 Mon Sep 17 00:00:00 2001 From: Gao Qian Date: Mon, 14 Nov 2022 20:57:55 -0500 Subject: [PATCH 040/139] [zh-cn] Updated images.md Signed-off-by: Gao Qian --- content/zh-cn/docs/concepts/containers/images.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/content/zh-cn/docs/concepts/containers/images.md b/content/zh-cn/docs/concepts/containers/images.md index dec9281533f27..3f04bc17c1f56 100644 --- a/content/zh-cn/docs/concepts/containers/images.md +++ b/content/zh-cn/docs/concepts/containers/images.md @@ -2,6 +2,7 @@ title: 镜像 content_type: concept weight: 10 +hide_summary: true # 在章节索引中单独列出 --- @@ -33,6 +35,16 @@ This page provides an outline of the container image concept. 本页概要介绍容器镜像的概念。 +{{< note >}} + +如果你正在寻找 Kubernetes 某个发行版本(如最新次要版本 v{{< skew latestVersion >}}) +的容器镜像,请访问[下载 Kubernetes](/zh-cn/releases/download/)。 +{{< /note >}} + -本教程提供了容器镜像,使用 NGINX 来对所有请求做出回应: +本教程提供了容器镜像,使用 NGINX 来对所有请求做出回应。 
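Review bot: the added line "本教程提供了容器镜像,使用 NGINX 来对所有请求做出回应。" (the tutorial provides a container image that uses NGINX to echo back all requests) only swaps the trailing colon for a full stop, but the Deployment command changed later in this same patch now runs `registry.k8s.io/e2e-test-images/agnhost:2.39` with `/agnhost netexec --http-port=8080`. Either reword the sentence so it no longer names NGINX, or confirm that it matches the current English source before merging.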
@@ -157,7 +157,6 @@ tutorial has only one Container. A Kubernetes Pod and restarts the Pod's Container if it terminates. Deployments are the recommended way to manage the creation and scaling of Pods. --> - ## 创建 Deployment {#create-a-deployment} Kubernetes [**Pod**](/zh-cn/docs/concepts/workloads/pods/) @@ -171,16 +170,15 @@ Deployment 是管理 Pod 创建和扩展的推荐方法。 Pod runs a Container based on the provided Docker image. --> 1. 使用 `kubectl create` 命令创建管理 Pod 的 Deployment。该 Pod 根据提供的 Docker - 镜像运行 Container。 + 镜像运行容器。 ```shell - kubectl create deployment hello-node --image=registry.k8s.io/echoserver:1.4 + kubectl create deployment hello-node --image=registry.k8s.io/e2e-test-images/agnhost:2.39 -- /agnhost netexec --http-port=8080 ``` - 2. 查看 Deployment: ```shell @@ -268,11 +266,11 @@ Kubernetes [*Service*](/docs/concepts/services-networking/service/). ``` 这里的 `--type=LoadBalancer` 参数表明你希望将你的 Service 暴露到集群外部。 @@ -344,9 +342,9 @@ The minikube tool includes a set of built-in {{< glossary_tooltip text="addons" 1. List the currently supported addons: --> -## 启用插件 +## 启用插件 {#enable-addons} -Minikube 有一组内置的 {{< glossary_tooltip text="插件" term_id="addons" >}}, +Minikube 有一组内置的{{< glossary_tooltip text="插件" term_id="addons" >}}, 可以在本地 Kubernetes 环境中启用、禁用和打开。 1. 列出当前支持的插件: From 5ae1aa8edf3757ea96bb5e8587b97d48e6c71a71 Mon Sep 17 00:00:00 2001 From: Jose Almaraz Date: Wed, 10 Aug 2022 15:07:35 +0200 Subject: [PATCH 042/139] Adding the translation to brazilian portuguese for authorization --- .../access-authn-authz/authorization.md | 248 ++++++++++++++++++ 1 file changed, 248 insertions(+) create mode 100644 content/pt-br/docs/reference/access-authn-authz/authorization.md diff --git a/content/pt-br/docs/reference/access-authn-authz/authorization.md b/content/pt-br/docs/reference/access-authn-authz/authorization.md new file mode 100644 index 0000000000000..8ad311a0b79e9 --- /dev/null +++ b/content/pt-br/docs/reference/access-authn-authz/authorization.md 
@@ -0,0 +1,248 @@ +--- +title: Autorização +content_type: concept +weight: 60 +--- + + +Aprenda mais sobre autorização no Kubernetes, incluindo detalhes sobre +criação de politicas utilizando módulos de autorização suportados. + + + +No Kubernetes, você deve estar autenticado (conectado) antes que sua requisição possa ser +autorizada (permissão concedida para acesso). Para obter informações sobre autenticação, +visite [Controlando Acesso à API do Kubernetes](/pt-br/docs/concepts/security/controlling-access/). + +O Kubernetes espera atributos que são comuns a requisições de APIs REST. Isto significa +que autorização no Kubernetes funciona com sistemas de controle de acesso a nível de organizações +ou de provedores de nuvem que possam lidar com outras APIs além das APIs do Kubernetes. + +## Determinar se uma requisição é permitida ou negada + +Kubernetes autoriza requisições de API utilizando o servidor de API. Ele avalia +todos os atributos de uma requisição em relação a todas as políticas disponíveis a permite ou nega a requisição. +Todas as partes de uma requisição de API deve ser permitido por alguma política para que possa prosseguir. +Isto significa que permissões sao negadas por padrão. + +(Embora o Kubernetes use o servidor de API, controles de acesso e políticas que +dependem de campos específicos de tipos específicos de objetos são tratados pelo Admission +Controller.) + +Quando múltiplos modules de autorização são configurados, cada um será verificado em sequência. +Se qualquer dos autorizadores aprovarem ou negarem uma requisição, a decisão é imediatamente +retornada e nenhum outro autorizador é consultado. Se todos os módulos de autorização não tiverem +nenhuma opinião sobre requisição, então a requisição é negada. Uma negação retorna um +código de status HTTP 403. 
+ +## Revisão de atributos de sua requisição + +O Kubernetes revisa somente os seguintes atributos de uma requisição de API: + + * **user** - O string de `user` fornecido durante a autenticação. + * **group** - A lista de nomes de grupos aos quais o usuário autenticado pertence. + * **extra** - Um mapa de chaves de string arbitrárias para valores de string, fornecido pela camada de autenticação. + * **API** - Indica se a solicitação é para um recurso de API. + * **Caminho da requisição** - Caminho para diversos endpoints sem recursos, como `/api` ou `/healthz`. + * **Verbo de requisição de API** - Verbos da API como `get`, `list`, `create`, `update`, `patch`, `watch`, `delete` e `deletecollection` que são utilizados para solicitações de recursos. Para determinar o verbo de requisição para um endpoint de recurso de API , consulte [Determine o verbo da requisição](/pt-br/docs/reference/access-authn-authz/authorization/#determine-the-request-verb). + * **Verbo de requisição HTTP** - Métodos HTTP em letras minúsculas como `get`, `post`, `put` e `delete` que são utilizados para requisições que não são de recursos. + * **Recurso** - O identificador ou nome do recurso que está sendo acessado (somente para requisições de recursos) -- Para requisições de recursos usando os verbos `get`, `update`, `patch` e `delete`, deve-se fornecer o nome do recurso. + * **Subrecurso** - O sub-recurso que está sendo acessado (somente para solicitações de recursos). + * **Namespace** - O namespace do objeto que está sendo acessado (somente para solicitações de recursos com namespace). + * **Grupo de API** - O {{< glossary_tooltip text="API Group" term_id="api-group" >}} sendo acessado (somente para requisições de recursos). Uma string vazia designa o _core_ [Grupo de API](/pt-br/docs/reference/using-api/#api-groups). 
+ +## Determine o verbo da requisição {#determine-the-request-verb} + +**Requisições de não-recursos** + +Requisições para endpoints diferentes de `/api/v1/...` ou `/apis///...` +são considerados "requisições sem recursos" e usam o método HTTP em letras minúsculas da solicitação como o verbo. +Por exemplo, uma solicitação `GET` para endpoints como `/api` ou `/healthz` usaria `get` como o verbo. + +**Requisições de recursos** +Para determinar o verbo de requisição para um endpoint de API de recurso, revise o verbo HTTP +utilizado e se a requisição atua ou não em um recurso individual ou em uma +coleção de recursos: + +Verbo HTTP | Verbo de Requisição +---------- |--------------- +POST | create +GET, HEAD | get (para recursos individuais), list (para coleções, includindo o conteúdo do objeto inteiro), watch (para assistir um recurso individual ou coleção de recursos) +PUT | update +PATCH | patch +DELETE | delete (para recursos individuais), deletecollection (para coleções) + +Às vezes, o Kubernetes verifica a autorização para permissões adicionais utilizando verbos especializados. Por exemplo: + +* [PodSecurityPolicy](/docs/concepts/security/pod-security-policy/) + * `use` verbo em recursos `podsecuritypolicies` no grupo `policy` de API. +* [RBAC](/docs/reference/access-authn-authz/rbac/#privilege-escalation-prevention-and-bootstrapping) + * `bind` e `escalate` verbos em `roles` e recursos `clusterroles` no grupo `rbac.authorization.k8s.io` de API. +* [Authentication](/pt-br/docs/reference/access-authn-authz/authentication/) + * `impersonate` verbo em `users`, `groups`, e `serviceaccounts` no grupo de API principal, e o `userextras` no grupo `authentication.k8s.io` de API. 
+ +## Modos de Autorização {#authorization-modules} + +O servidor da API Kubernetes pode autorizar uma solicitação usando um dos vários modos de autorização: + + * **Node** - Um modo de autorização de finalidade especial que concede permissões a `kubelets` com base nos `pods` que estão programados para execução. Para saber mais sobre como utilizar o modo de autorização do nó, consulte [Node Authorization](/pt-br/docs/reference/access-authn-authz/node/). + * **ABAC** - Attribute-based access control (ABAC), ou Controle de acesso baseado em atributos, define um paradigma de controle de acesso pelo qual os direitos de acesso são concedidos aos usuários por meio do uso de políticas que combinam atributos. As políticas podem usar qualquer tipo de atributo (atributos de usuário, atributos de recurso, objeto, atributos de ambiente, etc.). Para saber mais sobre como usar o modo ABAC, consulte [ABAC Mode](/pt-br/docs/reference/access-authn-authz/abac/). + * **RBAC** - Role-based access control (RBAC), ou controle de acesso baseado em função, é um método de regular o acesso a recursos de computador ou rede com base nas funções de usuários individuais dentro de uma empresa. Nesse contexto, acesso é a capacidade de um usuário individual realizar uma tarefa específica, como visualizar, criar ou modificar um arquivo. Para saber mais sobre como usar o modo RBAC, consulte [RBAC Mode](/pt-br/docs/reference/access-authn-authz/rbac/) + * Quando especificado RBAC (Role-Based Access Control) usa o group de API `rbac.authorization.k8s.io` para orientar as decisões de autorização, permitindo que os administradores configurem dinamicamente as políticas de permissão por meio da API do Kubernetes. + * Para habilitar o modo RBAC, inicie o servidor de API (apiserver) com a opção `--authorization-mode=RBAC`. + * **Webhook** - Um WebHook é um retorno de chamada HTTP: um HTTP POST que ocorre quando algo acontece; uma simples notificação de evento via HTTP POST. 
Um aplicativo da Web que implementa WebHooks postará uma mensagem em um URL quando ocorrerem determinadas coisas. Para saber mais sobre como usar o modo Webhook, consulte [Webhook Mode](/pt-br/docs/reference/access-authn-authz/webhook/). + +#### Verificando acesso a API + +`kubectl` fornece o subcomando `auth can-i` para consultar rapidamente a camada de autorização da API. +O comando usa a API `SelfSubjectAccessReview` para determinar se o usuário atual pode executar +uma determinada ação e funciona independentemente do modo de autorização utilizado. + + +```bash +# "can-i create" = "posso criar" +kubectl auth can-i create deployments --namespace dev +``` + +A saída é semelhante a esta: + +``` +yes +``` + +```shell +# "can-i create" = "posso criar" +kubectl auth can-i create deployments --namespace prod +``` + +A saída é semelhante a esta: + +``` +no +``` + +Os administradores podem combinar isso com [user impersonation](/pt-br/docs/reference/access-authn-authz/authentication/#user-impersonation) +para determinar qual ação outros usuários podem executar. + +```bash +# "can-i list" = "posso listar" + +kubectl auth can-i list secrets --namespace dev --as dave +``` + +A saída é semelhante a esta: + +``` +no +``` + +Da mesma forma, para verificar se uma ServiceAccount chamada `dev-sa` no Namespace `dev` +pode listar Pods no namespace `target`: + +```bash +# "can-i list" = "posso listar" +kubectl auth can-i list pods \ + --namespace target \ + --as system:serviceaccount:dev:dev-sa +``` + +A saída é semelhante a esta: + +``` +yes +``` + +`SelfSubjectAccessReview` faz parte do grupo de API `authorization.k8s.io`, que +expõe a autorização do servidor de API para serviços externos. Outros recursos em +este grupo inclui: + +* `SubjectAccessReview` - * `SubjectAccessReview` - Revisão de acesso para qualquer usuário, não apenas o atual. Útil para delegar decisões de autorização para o servidor de API. 
Por exemplo, o kubelet e extensões de servidores de API utilizam disso para determinar o acesso do usuário às suas próprias APIs. + +* `LocalSubjectAccessReview` - Similar a `SubjectAccessReview`, mas restrito a um namespace específico. + +* `SelfSubjectRulesReview` - Uma revisão que retorna o conjunto de ações que um usuário pode executar em um namespace. Útil para usuários resumirem rapidamente seu próprio acesso ou para Interfaces de Usuário ocultarem/mostrar ações. + +Essas APIs podem ser consultadas criando recursos normais do Kubernetes, onde a resposta `status` +campo do objeto retornado é o resultado da consulta. + +```bash +kubectl create -f - -o yaml << EOF +apiVersion: authorization.k8s.io/v1 +kind: SelfSubjectAccessReview +spec: + resourceAttributes: + group: apps + resource: deployments + verb: create + namespace: dev +EOF +``` + +A `SelfSubjectAccessReview` gerada seria: +```yaml +apiVersion: authorization.k8s.io/v1 +kind: SelfSubjectAccessReview +metadata: + creationTimestamp: null +spec: + resourceAttributes: + group: apps + resource: deployments + namespace: dev + verb: create +status: + allowed: true + denied: false +``` + +## Usando flags para seu módulo de autorização + +Você deve incluir uma flag em sua política para indicar qual módulo de autorização +suas políticas incluem: + +As seguintes flags podem ser utilizadas: + + * `--authorization-mode=ABAC` O modo de controle de acesso baseado em atributos [Attribute-Based Access Control (ABAC)] permite configurar políticas usando arquivos locais. + * `--authorization-mode=RBAC` O modo de controle de acesso baseado em função [Role-based access control (RBAC)] permite que você crie e armazene políticas usando a API Kubernetes. + * `--authorization-mode=Webhook` WebHook é um modo de retorno de chamada HTTP que permite gerenciar a autorização usando endpoint REST. 
+ * `--authorization-mode=Node` A autorização de nó é um modo de autorização de propósito especial que autoriza especificamente requisições de API feitas por kubelets. + * `--authorization-mode=AlwaysDeny` Esta flag bloqueia todas as requisições. Utilize esta flag somente para testes. + * `--authorization-mode=AlwaysAllow` Esta flag permite todas as requisições. Utilize esta flag somente se nao existam requisitos de autorização para as requisições de API. + +Você pode escolher mais de um modulo de autorização. Módulos são verificados +em ordem, então, um modulo anterior tem maior prioridade para permitir ou negar uma requisição. + +## Escalonamento de privilégios através da criação ou edição da cargas de trabalho {#privilege-escalation-via-pod-creation} + +Usuários que podem criar ou editar pods em um namespace diretamente ou através de um [controlador](/pt-br/docs/concepts/architecture/controller/) +como, por exemplo, um operador e então poderiam escalar privilégios naquele namespace. + +{{< caution >}} +Administradores de sistemas, tenham cuidado ao permitir acesso para criar ou editar cargas de trabalho. +Detalhes de como estas permissões podem ser usadas de forma maliciosa podem ser encontradas em [caminhos para escalonamento](#escalation-paths). + +{{< /caution >}} + +### Caminhos para escalonamento {#escalation-paths} + +- Montar segredos arbitrários nesse namespace + - Pode ser utilizado para acessar segredos destinados a outras cargas de trabalho + - Pode ser utilizado para obter um token da conta de serviço com maior privilegio +- Usando contas de serviço arbitrárias nesse namespace + - Pode executar ações da API do Kubernetes como outra carga de trabalho (personificação) + - Pode executar quaisquer ações privilegiadas que a conta de serviço tenha +- Montagem de configmaps destinados a outras cargas de trabalho nesse namespace + - Pode ser utilizado para obter informações destinadas a outras cargas de trabalho, como nomes de host de banco de dados. 
+- Montar volumes destinados a outras cargas de trabalho nesse namespace + - Pode ser utilizado para obter informações destinadas a outras cargas de trabalho e alterá-las. + +{{< caution >}} +Administradores de sistemas devem ser cuidadosos ao instalar CRDs que +promovam mudanças nas areas mencionadas acima. Estes podem abrir caminhos para escalonamento. +Isto deve ser considerado ao decidir os controles de acesso baseado em função (RBAC). +{{< /caution >}} + +## {{% heading "whatsnext?" %}} + +* Para aprender mais sobre autenticação, visite **Authentication** in [Controlando acesso a APIs do Kubernetes](/pt-br/docsconcepts/security/controlling-access/). +* Para aprender mais sobre Admission Control, visite [Utilizando Admission Controllers](/pt-br/docs/reference/access-authn-authz/admission-controllers/). \ No newline at end of file From 1a2e1b86cf67af74f2f0b93ef9820d1f34c75d90 Mon Sep 17 00:00:00 2001 From: Jose Almaraz Date: Wed, 10 Aug 2022 15:54:05 +0200 Subject: [PATCH 043/139] moving links not yet translated to base doc --- .../reference/access-authn-authz/authorization.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/content/pt-br/docs/reference/access-authn-authz/authorization.md b/content/pt-br/docs/reference/access-authn-authz/authorization.md index 8ad311a0b79e9..c3a6f9ec0bdd1 100644 --- a/content/pt-br/docs/reference/access-authn-authz/authorization.md +++ b/content/pt-br/docs/reference/access-authn-authz/authorization.md 
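Review bot: In the new authorization.md added by PATCH 042, the opening sentence of the privilege-escalation section has no main clause: `Usuários que podem criar ou editar pods em um namespace diretamente ou através de um [controlador] como, por exemplo, um operador e então poderiam escalar privilégios naquele namespace.` The "e então" leaves the subject without a verb, and this is the sentence that states the security risk. Suggest something like "Usuários que podem criar ou editar pods em um namespace, diretamente ou através de um controlador (por exemplo, um operador), poderiam escalar seus privilégios naquele namespace." In the same file, the `--authorization-mode=AlwaysAllow` item reads "somente se nao existam requisitos", which is missing the accent and should be "somente se não existirem requisitos". The code fences also alternate between `bash` and `shell` for the same kind of `kubectl auth can-i` command, so pick one.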
@@ -49,7 +49,7 @@ O Kubernetes revisa somente os seguintes atributos de uma requisição de API: * **Recurso** - O identificador ou nome do recurso que está sendo acessado (somente para requisições de recursos) -- Para requisições de recursos usando os verbos `get`, `update`, `patch` e `delete`, deve-se fornecer o nome do recurso. * **Subrecurso** - O sub-recurso que está sendo acessado (somente para solicitações de recursos). * **Namespace** - O namespace do objeto que está sendo acessado (somente para solicitações de recursos com namespace). - * **Grupo de API** - O {{< glossary_tooltip text="API Group" term_id="api-group" >}} sendo acessado (somente para requisições de recursos). Uma string vazia designa o _core_ [Grupo de API](/pt-br/docs/reference/using-api/#api-groups). + * **Grupo de API** - O {{< glossary_tooltip text="API Group" term_id="api-group" >}} sendo acessado (somente para requisições de recursos). Uma string vazia designa o _core_ [Grupo de API](/docs/reference/using-api/#api-groups). ## Determine o verbo da requisição {#determine-the-request-verb} 
@@ -85,12 +85,12 @@ DELETE | delete (para recursos individuais), deletecollection (para coleçõ O servidor da API Kubernetes pode autorizar uma solicitação usando um dos vários modos de autorização: - * **Node** - Um modo de autorização de finalidade especial que concede permissões a `kubelets` com base nos `pods` que estão programados para execução. Para saber mais sobre como utilizar o modo de autorização do nó, consulte [Node Authorization](/pt-br/docs/reference/access-authn-authz/node/). - * **ABAC** - Attribute-based access control (ABAC), ou Controle de acesso baseado em atributos, define um paradigma de controle de acesso pelo qual os direitos de acesso são concedidos aos usuários por meio do uso de políticas que combinam atributos. As políticas podem usar qualquer tipo de atributo (atributos de usuário, atributos de recurso, objeto, atributos de ambiente, etc.). Para saber mais sobre como usar o modo ABAC, consulte [ABAC Mode](/pt-br/docs/reference/access-authn-authz/abac/). - * **RBAC** - Role-based access control (RBAC), ou controle de acesso baseado em função, é um método de regular o acesso a recursos de computador ou rede com base nas funções de usuários individuais dentro de uma empresa. Nesse contexto, acesso é a capacidade de um usuário individual realizar uma tarefa específica, como visualizar, criar ou modificar um arquivo. Para saber mais sobre como usar o modo RBAC, consulte [RBAC Mode](/pt-br/docs/reference/access-authn-authz/rbac/) + * **Node** - Um modo de autorização de finalidade especial que concede permissões a `kubelets` com base nos `pods` que estão programados para execução. Para saber mais sobre como utilizar o modo de autorização do nó, consulte [Node Authorization](/docs/reference/access-authn-authz/node/). 
+ * **ABAC** - Attribute-based access control (ABAC), ou Controle de acesso baseado em atributos, define um paradigma de controle de acesso pelo qual os direitos de acesso são concedidos aos usuários por meio do uso de políticas que combinam atributos. As políticas podem usar qualquer tipo de atributo (atributos de usuário, atributos de recurso, objeto, atributos de ambiente, etc.). Para saber mais sobre como usar o modo ABAC, consulte [ABAC Mode](/docs/reference/access-authn-authz/abac/). + * **RBAC** - Role-based access control (RBAC), ou controle de acesso baseado em função, é um método de regular o acesso a recursos de computador ou rede com base nas funções de usuários individuais dentro de uma empresa. Nesse contexto, acesso é a capacidade de um usuário individual realizar uma tarefa específica, como visualizar, criar ou modificar um arquivo. Para saber mais sobre como usar o modo RBAC, consulte [RBAC Mode](/docs/reference/access-authn-authz/rbac/) * Quando especificado RBAC (Role-Based Access Control) usa o group de API `rbac.authorization.k8s.io` para orientar as decisões de autorização, permitindo que os administradores configurem dinamicamente as políticas de permissão por meio da API do Kubernetes. * Para habilitar o modo RBAC, inicie o servidor de API (apiserver) com a opção `--authorization-mode=RBAC`. - * **Webhook** - Um WebHook é um retorno de chamada HTTP: um HTTP POST que ocorre quando algo acontece; uma simples notificação de evento via HTTP POST. Um aplicativo da Web que implementa WebHooks postará uma mensagem em um URL quando ocorrerem determinadas coisas. Para saber mais sobre como usar o modo Webhook, consulte [Webhook Mode](/pt-br/docs/reference/access-authn-authz/webhook/). + * **Webhook** - Um WebHook é um retorno de chamada HTTP: um HTTP POST que ocorre quando algo acontece; uma simples notificação de evento via HTTP POST. Um aplicativo da Web que implementa WebHooks postará uma mensagem em um URL quando ocorrerem determinadas coisas. 
Para saber mais sobre como usar o modo Webhook, consulte [Webhook Mode](/docs/reference/access-authn-authz/webhook/). #### Verificando acesso a API @@ -244,5 +244,5 @@ Isto deve ser considerado ao decidir os controles de acesso baseado em função ## {{% heading "whatsnext?" %}} -* Para aprender mais sobre autenticação, visite **Authentication** in [Controlando acesso a APIs do Kubernetes](/pt-br/docsconcepts/security/controlling-access/). -* Para aprender mais sobre Admission Control, visite [Utilizando Admission Controllers](/pt-br/docs/reference/access-authn-authz/admission-controllers/). \ No newline at end of file +* Para aprender mais sobre autenticação, visite **Authentication** in [Controlando acesso a APIs do Kubernetes](/pt-br/docs/concepts/security/controlling-access/). +* Para aprender mais sobre Admission Control, visite [Utilizando Admission Controllers](/docs/reference/access-authn-authz/admission-controllers/). \ No newline at end of file From c8902db67befc7c81a176ad774f0ab8e0426540e Mon Sep 17 00:00:00 2001 From: Jose Almaraz Date: Thu, 18 Aug 2022 14:44:26 +0200 Subject: [PATCH 044/139] addressing review items --- .../access-authn-authz/authorization.md | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/content/pt-br/docs/reference/access-authn-authz/authorization.md b/content/pt-br/docs/reference/access-authn-authz/authorization.md index c3a6f9ec0bdd1..8d06676767396 100644 --- a/content/pt-br/docs/reference/access-authn-authz/authorization.md +++ b/content/pt-br/docs/reference/access-authn-authz/authorization.md 
@@ -20,10 +20,10 @@ ou de provedores de nuvem que possam lidar com outras APIs além das APIs do Kub ## Determinar se uma requisição é permitida ou negada -Kubernetes autoriza requisições de API utilizando o servidor de API. Ele avalia -todos os atributos de uma requisição em relação a todas as políticas disponíveis a permite ou nega a requisição. -Todas as partes de uma requisição de API deve ser permitido por alguma política para que possa prosseguir. -Isto significa que permissões sao negadas por padrão. +O Kubernetes autoriza requisições de API utilizando o servidor de API. Ele avalia +todos os atributos de uma requisição em relação a todas as políticas disponíveis e permite ou nega a requisição. +Todas as partes de uma requisição de API deve ser permitidas por alguma política para que possa prosseguir. +Isto significa que permissões são negadas por padrão. (Embora o Kubernetes use o servidor de API, controles de acesso e políticas que dependem de campos específicos de tipos específicos de objetos são tratados pelo Admission 
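Review bot: The third added line fixes the participle but not the verb: "Todas as partes de uma requisição de API deve ser permitidas" has a plural subject with a singular "deve". It should read "devem ser permitidas por alguma política para que possam prosseguir". Since this sentence is the one that states the deny-by-default rule, it is worth getting right in this pass.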
@@ -225,12 +225,12 @@ Detalhes de como estas permissões podem ser usadas de forma maliciosa podem ser ### Caminhos para escalonamento {#escalation-paths} -- Montar segredos arbitrários nesse namespace - - Pode ser utilizado para acessar segredos destinados a outras cargas de trabalho - - Pode ser utilizado para obter um token da conta de serviço com maior privilegio +- Montar Secret arbitrários nesse namespace + - Pode ser utilizado para acessar Secret destinados a outras cargas de trabalho + - Pode ser utilizado para obter um token da conta de serviço com maior privilégio - Usando contas de serviço arbitrárias nesse namespace - Pode executar ações da API do Kubernetes como outra carga de trabalho (personificação) - - Pode executar quaisquer ações privilegiadas que a conta de serviço tenha + - Pode executar quaisquer ações privilegiadas que a conta de serviço tenha acesso - Montagem de configmaps destinados a outras cargas de trabalho nesse namespace - Pode ser utilizado para obter informações destinadas a outras cargas de trabalho, como nomes de host de banco de dados. - Montar volumes destinados a outras cargas de trabalho nesse namespace 
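Review bot: Replacing "segredos" with the API kind name leaves a number mismatch in the first two added lines: "Montar Secret arbitrários" and "acessar Secret destinados" pair a singular noun with plural modifiers. Use "Secrets arbitrários" and "Secrets destinados". In the added line "que a conta de serviço tenha acesso", the preposition is missing, so it should read "ações privilegiadas às quais a conta de serviço tenha acesso".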
@@ -238,11 +238,11 @@ Detalhes de como estas permissões podem ser usadas de forma maliciosa podem ser {{< caution >}} Administradores de sistemas devem ser cuidadosos ao instalar CRDs que -promovam mudanças nas areas mencionadas acima. Estes podem abrir caminhos para escalonamento. +promovam mudanças nas áreas mencionadas acima. Estes podem abrir caminhos para escalonamento. Isto deve ser considerado ao decidir os controles de acesso baseado em função (RBAC). {{< /caution >}} -## {{% heading "whatsnext?" %}} +## {{% heading "whatsnext" %}} * Para aprender mais sobre autenticação, visite **Authentication** in [Controlando acesso a APIs do Kubernetes](/pt-br/docs/concepts/security/controlling-access/). * Para aprender mais sobre Admission Control, visite [Utilizando Admission Controllers](/docs/reference/access-authn-authz/admission-controllers/). \ No newline at end of file From d60397b424f3875aa4c47cc14a54f08aebb95c4c Mon Sep 17 00:00:00 2001 From: Jose Almaraz Date: Fri, 23 Sep 2022 16:55:36 +0200 Subject: [PATCH 045/139] sorry, I left lots of reviewed items left --- .../access-authn-authz/authorization.md | 40 +++++++++---------- 1 file changed, 19 insertions(+), 21 deletions(-) diff --git a/content/pt-br/docs/reference/access-authn-authz/authorization.md b/content/pt-br/docs/reference/access-authn-authz/authorization.md index 8d06676767396..31fbc55c95073 100644 --- a/content/pt-br/docs/reference/access-authn-authz/authorization.md +++ b/content/pt-br/docs/reference/access-authn-authz/authorization.md @@ -1,5 +1,5 @@ --- -title: Autorização +title: Visão Geral de Autorização content_type: concept weight: 60 --- 
@@ -26,12 +26,11 @@ Todas as partes de uma requisição de API deve ser permitidas por alguma polít Isto significa que permissões são negadas por padrão. (Embora o Kubernetes use o servidor de API, controles de acesso e políticas que -dependem de campos específicos de tipos específicos de objetos são tratados pelo Admission -Controller.) +dependem de campos específicos de tipos específicos de objetos são tratados pelos controladores de admissão.) -Quando múltiplos modules de autorização são configurados, cada um será verificado em sequência. +Quando múltiplos módulos de autorização são configurados, cada um será verificado em sequência. Se qualquer dos autorizadores aprovarem ou negarem uma requisição, a decisão é imediatamente -retornada e nenhum outro autorizador é consultado. Se todos os módulos de autorização não tiverem +retornada e nenhum outro autorizador é consultado. Se nenhum módulo de autorização tiver nenhuma opinião sobre requisição, então a requisição é negada. Uma negação retorna um código de status HTTP 403. 
@@ -43,10 +42,10 @@ O Kubernetes revisa somente os seguintes atributos de uma requisição de API: * **group** - A lista de nomes de grupos aos quais o usuário autenticado pertence. * **extra** - Um mapa de chaves de string arbitrárias para valores de string, fornecido pela camada de autenticação. * **API** - Indica se a solicitação é para um recurso de API. - * **Caminho da requisição** - Caminho para diversos endpoints sem recursos, como `/api` ou `/healthz`. + * **Caminho da requisição** - Caminho para diversos endpoints que não manipulam recursos, como `/api` ou `/healthz`. * **Verbo de requisição de API** - Verbos da API como `get`, `list`, `create`, `update`, `patch`, `watch`, `delete` e `deletecollection` que são utilizados para solicitações de recursos. Para determinar o verbo de requisição para um endpoint de recurso de API , consulte [Determine o verbo da requisição](/pt-br/docs/reference/access-authn-authz/authorization/#determine-the-request-verb). * **Verbo de requisição HTTP** - Métodos HTTP em letras minúsculas como `get`, `post`, `put` e `delete` que são utilizados para requisições que não são de recursos. - * **Recurso** - O identificador ou nome do recurso que está sendo acessado (somente para requisições de recursos) -- Para requisições de recursos usando os verbos `get`, `update`, `patch` e `delete`, deve-se fornecer o nome do recurso. + * **Recurso** - O identificador ou nome do recurso que está sendo acessado (somente para requisições de recursos) - para requisições de recursos usando os verbos `get`, `update`, `patch` e `delete`, deve-se fornecer o nome do recurso. * **Subrecurso** - O sub-recurso que está sendo acessado (somente para solicitações de recursos). * **Namespace** - O namespace do objeto que está sendo acessado (somente para solicitações de recursos com namespace). * **Grupo de API** - O {{< glossary_tooltip text="API Group" term_id="api-group" >}} sendo acessado (somente para requisições de recursos). 
Uma string vazia designa o _core_ [Grupo de API](/docs/reference/using-api/#api-groups). @@ -54,8 +53,7 @@ O Kubernetes revisa somente os seguintes atributos de uma requisição de API: ## Determine o verbo da requisição {#determine-the-request-verb} **Requisições de não-recursos** - -Requisições para endpoints diferentes de `/api/v1/...` ou `/apis///...` +Requisições sem recursos de `/api/v1/...` ou `/apis///...` são considerados "requisições sem recursos" e usam o método HTTP em letras minúsculas da solicitação como o verbo. Por exemplo, uma solicitação `GET` para endpoints como `/api` ou `/healthz` usaria `get` como o verbo. 
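Review bot: In the `@@ -54,8 +53,7 @@` hunk the replacement line changes the meaning of the rule. The removed line said requests to endpoints other than (`diferentes de`) `/api/v1/...` or `/apis///...` are non-resource requests. The added line, "Requisições sem recursos de `/api/v1/...` ou `/apis///...` são considerados \"requisições sem recursos\"", drops "diferentes de" and becomes circular, so a reader can no longer tell which paths take the lowercase HTTP method as the authorization verb. Please restore the "endpoints diferentes de" wording (with "consideradas" to agree with "Requisições"). The hunk also removes the blank line after `**Requisições de não-recursos**`, which makes the bold label run into the paragraph when rendered, so keep the blank line.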
@@ -79,18 +77,18 @@ DELETE | delete (para recursos individuais), deletecollection (para coleçõ * [RBAC](/docs/reference/access-authn-authz/rbac/#privilege-escalation-prevention-and-bootstrapping) * `bind` e `escalate` verbos em `roles` e recursos `clusterroles` no grupo `rbac.authorization.k8s.io` de API. * [Authentication](/pt-br/docs/reference/access-authn-authz/authentication/) - * `impersonate` verbo em `users`, `groups`, e `serviceaccounts` no grupo de API principal, e o `userextras` no grupo `authentication.k8s.io` de API. + * `impersonate` verbo em `users`, `groups`, e `serviceaccounts` no grupo de API `core`, e o `userextras` no grupo `authentication.k8s.io` de API. ## Modos de Autorização {#authorization-modules} O servidor da API Kubernetes pode autorizar uma solicitação usando um dos vários modos de autorização: - * **Node** - Um modo de autorização de finalidade especial que concede permissões a `kubelets` com base nos `pods` que estão programados para execução. Para saber mais sobre como utilizar o modo de autorização do nó, consulte [Node Authorization](/docs/reference/access-authn-authz/node/). + * **Node** - Um modo de autorização de finalidade especial que concede permissões a `kubelets` com base nos `Pods` que estão programados para execução. Para saber mais sobre como utilizar o modo de autorização do nó, consulte [Node Authorization](/docs/reference/access-authn-authz/node/). * **ABAC** - Attribute-based access control (ABAC), ou Controle de acesso baseado em atributos, define um paradigma de controle de acesso pelo qual os direitos de acesso são concedidos aos usuários por meio do uso de políticas que combinam atributos. As políticas podem usar qualquer tipo de atributo (atributos de usuário, atributos de recurso, objeto, atributos de ambiente, etc.). Para saber mais sobre como usar o modo ABAC, consulte [ABAC Mode](/docs/reference/access-authn-authz/abac/). 
- * **RBAC** - Role-based access control (RBAC), ou controle de acesso baseado em função, é um método de regular o acesso a recursos de computador ou rede com base nas funções de usuários individuais dentro de uma empresa. Nesse contexto, acesso é a capacidade de um usuário individual realizar uma tarefa específica, como visualizar, criar ou modificar um arquivo. Para saber mais sobre como usar o modo RBAC, consulte [RBAC Mode](/docs/reference/access-authn-authz/rbac/) - * Quando especificado RBAC (Role-Based Access Control) usa o group de API `rbac.authorization.k8s.io` para orientar as decisões de autorização, permitindo que os administradores configurem dinamicamente as políticas de permissão por meio da API do Kubernetes. + * **RBAC** - Role-based access control (RBAC), ou controle de acesso baseado em função, é um método de regular o acesso a recursos computacionais ou de rede com base nas funções de usuários individuais dentro de uma empresa. Nesse contexto, acesso é a capacidade de um usuário individual realizar uma tarefa específica, como visualizar, criar ou modificar um arquivo. Para saber mais sobre como usar o modo RBAC, consulte [RBAC Mode](/docs/reference/access-authn-authz/rbac/) + * Quando especificado RBAC (Role-Based Access Control) usa o grupo de API `rbac.authorization.k8s.io` para orientar as decisões de autorização, permitindo que os administradores configurem dinamicamente as políticas de permissão por meio da API do Kubernetes. * Para habilitar o modo RBAC, inicie o servidor de API (apiserver) com a opção `--authorization-mode=RBAC`. - * **Webhook** - Um WebHook é um retorno de chamada HTTP: um HTTP POST que ocorre quando algo acontece; uma simples notificação de evento via HTTP POST. Um aplicativo da Web que implementa WebHooks postará uma mensagem em um URL quando ocorrerem determinadas coisas. Para saber mais sobre como usar o modo Webhook, consulte [Webhook Mode](/docs/reference/access-authn-authz/webhook/). 
+ * **Webhook** - Um WebHook é um retorno de chamada HTTP: um HTTP POST que ocorre quando algo acontece; uma simples notificação de evento via HTTP POST. Um aplicativo da Web que implementa WebHooks postará uma mensagem em um URL quando um determinado evento ocorrer. Para saber mais sobre como usar o modo Webhook, consulte [Webhook Mode](/docs/reference/access-authn-authz/webhook/). #### Verificando acesso a API @@ -121,7 +119,7 @@ A saída é semelhante a esta: no ``` -Os administradores podem combinar isso com [user impersonation](/pt-br/docs/reference/access-authn-authz/authentication/#user-impersonation) +Os administradores podem combinar isso com [personificação de usuário](/pt-br/docs/reference/access-authn-authz/authentication/#personificação-de-usuário) para determinar qual ação outros usuários podem executar. ```bash 
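Review bot: the new link fragment `#personificação-de-usuário` on the `+` line depends on an auto-generated, non-ASCII heading id in the pt-br authentication page, whereas this file pins its own headings to explicit ASCII ids such as `{#authorization-modules}`. Please confirm the target heading really renders with that id. If it carries an explicit `{#user-impersonation}`, keep the old fragment and translate only the link text, otherwise the pointer from the `kubectl auth can-i` section to the impersonation docs breaks silently.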
@@ -153,14 +151,14 @@ yes ``` `SelfSubjectAccessReview` faz parte do grupo de API `authorization.k8s.io`, que -expõe a autorização do servidor de API para serviços externos. Outros recursos em -este grupo inclui: +expõe a autorização do servidor de API para serviços externos. Outros recursos +neste grupo inclui: -* `SubjectAccessReview` - * `SubjectAccessReview` - Revisão de acesso para qualquer usuário, não apenas o atual. Útil para delegar decisões de autorização para o servidor de API. Por exemplo, o kubelet e extensões de servidores de API utilizam disso para determinar o acesso do usuário às suas próprias APIs. +* `SubjectAccessReview` - Revisão de acesso para qualquer usuário, não apenas o atual. Útil para delegar decisões de autorização para o servidor de API. Por exemplo, o kubelet e extensões de servidores de API utilizam disso para determinar o acesso do usuário às suas próprias APIs. * `LocalSubjectAccessReview` - Similar a `SubjectAccessReview`, mas restrito a um namespace específico. -* `SelfSubjectRulesReview` - Uma revisão que retorna o conjunto de ações que um usuário pode executar em um namespace. Útil para usuários resumirem rapidamente seu próprio acesso ou para Interfaces de Usuário ocultarem/mostrar ações. +* `SelfSubjectRulesReview` - Uma revisão que retorna o conjunto de ações que um usuário pode executar em um namespace. Útil para usuários resumirem rapidamente seu próprio acesso ou para interfaces de usuário mostrarem ações. Essas APIs podem ser consultadas criando recursos normais do Kubernetes, onde a resposta `status` campo do objeto retornado é o resultado da consulta. 
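Review bot: on the `+neste grupo inclui:` line the verb does not agree with the plural subject "Outros recursos"; it should be "incluem". In the `SelfSubjectRulesReview` bullet, "ocultarem/mostrar ações" became "mostrarem ações", which drops the "hide" half of the statement instead of fixing the verb form; "ocultarem ou mostrarem ações" keeps both. The closing context line ("onde a resposta `status` campo do objeto retornado") still has its words out of order and could be corrected in the same pass.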
@@ -203,7 +201,7 @@ suas políticas incluem: As seguintes flags podem ser utilizadas: * `--authorization-mode=ABAC` O modo de controle de acesso baseado em atributos [Attribute-Based Access Control (ABAC)] permite configurar políticas usando arquivos locais. - * `--authorization-mode=RBAC` O modo de controle de acesso baseado em função [Role-based access control (RBAC)] permite que você crie e armazene políticas usando a API Kubernetes. + * `--authorization-mode=RBAC` O modo de controle de acesso baseado em função [Role-based access control (RBAC)] permite que você crie e armazene políticas usando a API do Kubernetes. * `--authorization-mode=Webhook` WebHook é um modo de retorno de chamada HTTP que permite gerenciar a autorização usando endpoint REST. * `--authorization-mode=Node` A autorização de nó é um modo de autorização de propósito especial que autoriza especificamente requisições de API feitas por kubelets. * `--authorization-mode=AlwaysDeny` Esta flag bloqueia todas as requisições. Utilize esta flag somente para testes. @@ -215,7 +213,7 @@ em ordem, então, um modulo anterior tem maior prioridade para permitir ou negar ## Escalonamento de privilégios através da criação ou edição da cargas de trabalho {#privilege-escalation-via-pod-creation} Usuários que podem criar ou editar pods em um namespace diretamente ou através de um [controlador](/pt-br/docs/concepts/architecture/controller/) -como, por exemplo, um operador e então poderiam escalar privilégios naquele namespace. +como, por exemplo, um operador, e conseguiriam escalar seus próprios privilégios naquele namespace. {{< caution >}} Administradores de sistemas, tenham cuidado ao permitir acesso para criar ou editar cargas de trabalho. From 8c0ee1f2ae738e63645496c8492f2eb1bb91eda9 Mon Sep 17 00:00:00 2001 
From: Jose Almaraz Date: Fri, 23 Sep 2022 17:04:11 +0200 Subject: [PATCH 046/139] missed caution admonition fix --- .../pt-br/docs/reference/access-authn-authz/authorization.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/content/pt-br/docs/reference/access-authn-authz/authorization.md b/content/pt-br/docs/reference/access-authn-authz/authorization.md index 31fbc55c95073..65ccf289e1e4f 100644 --- a/content/pt-br/docs/reference/access-authn-authz/authorization.md +++ b/content/pt-br/docs/reference/access-authn-authz/authorization.md @@ -70,6 +70,10 @@ PUT | update PATCH | patch DELETE | delete (para recursos individuais), deletecollection (para coleções) +{{< caution >}} +Os verbos `get`, `list` e `watch` podem retornar todos os detalhes de um recurso. Eles são equivalentes em relação aos dados retornados. Por exemplo, `list` em `secrets` revelará os atributos de `data` de qualquer recurso retornado. +{{< /caution >}} + Às vezes, o Kubernetes verifica a autorização para permissões adicionais utilizando verbos especializados. Por exemplo: * [PodSecurityPolicy](/docs/concepts/security/pod-security-policy/) From d5139d8d3abe95cefd359b2845e2a137b314dcd0 Mon Sep 17 00:00:00 2001 From: Jose Almaraz Date: Mon, 24 Oct 2022 16:12:24 +0200 Subject: [PATCH 047/139] still some accents --- .../pt-br/docs/reference/access-authn-authz/authorization.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/pt-br/docs/reference/access-authn-authz/authorization.md b/content/pt-br/docs/reference/access-authn-authz/authorization.md index 65ccf289e1e4f..039f055412f5d 100644 --- a/content/pt-br/docs/reference/access-authn-authz/authorization.md +++ b/content/pt-br/docs/reference/access-authn-authz/authorization.md @@ -6,7 +6,7 @@ weight: 60 Aprenda mais sobre autorização no Kubernetes, incluindo detalhes sobre -criação de politicas utilizando módulos de autorização suportados. +criação de políticas utilizando módulos de autorização suportados. 
@@ -209,7 +209,7 @@ As seguintes flags podem ser utilizadas: * `--authorization-mode=Webhook` WebHook é um modo de retorno de chamada HTTP que permite gerenciar a autorização usando endpoint REST. * `--authorization-mode=Node` A autorização de nó é um modo de autorização de propósito especial que autoriza especificamente requisições de API feitas por kubelets. * `--authorization-mode=AlwaysDeny` Esta flag bloqueia todas as requisições. Utilize esta flag somente para testes. - * `--authorization-mode=AlwaysAllow` Esta flag permite todas as requisições. Utilize esta flag somente se nao existam requisitos de autorização para as requisições de API. + * `--authorization-mode=AlwaysAllow` Esta flag permite todas as requisições. Utilize esta flag somente se não existam requisitos de autorização para as requisições de API. Você pode escolher mais de um modulo de autorização. Módulos são verificados em ordem, então, um modulo anterior tem maior prioridade para permitir ou negar uma requisição. From a0a352a9d6eb127892d4d9f49812066acd66857d Mon Sep 17 00:00:00 2001 From: Jose Almaraz Date: Tue, 25 Oct 2022 09:43:21 +0200 Subject: [PATCH 048/139] group API core order fix --- .../pt-br/docs/reference/access-authn-authz/authorization.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/pt-br/docs/reference/access-authn-authz/authorization.md b/content/pt-br/docs/reference/access-authn-authz/authorization.md index 039f055412f5d..5f51012a77189 100644 --- a/content/pt-br/docs/reference/access-authn-authz/authorization.md +++ b/content/pt-br/docs/reference/access-authn-authz/authorization.md 
@@ -48,7 +48,7 @@ O Kubernetes revisa somente os seguintes atributos de uma requisição de API: * **Recurso** - O identificador ou nome do recurso que está sendo acessado (somente para requisições de recursos) - para requisições de recursos usando os verbos `get`, `update`, `patch` e `delete`, deve-se fornecer o nome do recurso. * **Subrecurso** - O sub-recurso que está sendo acessado (somente para solicitações de recursos). * **Namespace** - O namespace do objeto que está sendo acessado (somente para solicitações de recursos com namespace). - * **Grupo de API** - O {{< glossary_tooltip text="API Group" term_id="api-group" >}} sendo acessado (somente para requisições de recursos). Uma string vazia designa o _core_ [Grupo de API](/docs/reference/using-api/#api-groups). + * **Grupo de API** - O {{< glossary_tooltip text="API Group" term_id="api-group" >}} sendo acessado (somente para requisições de recursos). Uma string vazia designa o [Grupo de API](/docs/reference/using-api/#api-groups) _core_. ## Determine o verbo da requisição {#determine-the-request-verb} From 7056f59726ecc7b6830b9ec077d78d97c065592c Mon Sep 17 00:00:00 2001 From: Jose Almaraz Date: Tue, 25 Oct 2022 09:55:15 +0200 Subject: [PATCH 049/139] GET/HEAD request verb fix --- .../pt-br/docs/reference/access-authn-authz/authorization.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/pt-br/docs/reference/access-authn-authz/authorization.md b/content/pt-br/docs/reference/access-authn-authz/authorization.md index 5f51012a77189..5ead89c8e7907 100644 --- a/content/pt-br/docs/reference/access-authn-authz/authorization.md +++ b/content/pt-br/docs/reference/access-authn-authz/authorization.md 
@@ -65,7 +65,7 @@ coleção de recursos: Verbo HTTP | Verbo de Requisição ---------- |--------------- POST | create -GET, HEAD | get (para recursos individuais), list (para coleções, includindo o conteúdo do objeto inteiro), watch (para assistir um recurso individual ou coleção de recursos) +GET, HEAD | get (para recursos individuais), list (para coleções, includindo o conteúdo do objeto inteiro), watch (para observar um recurso individual ou coleção de recursos) PUT | update PATCH | patch DELETE | delete (para recursos individuais), deletecollection (para coleções) From 973f65d6fe0de5ce8008610433ac5d8fcda7a2b2 Mon Sep 17 00:00:00 2001 From: Jose Almaraz Date: Tue, 15 Nov 2022 20:27:47 +0100 Subject: [PATCH 050/139] fix latest reviewed items --- .../access-authn-authz/authorization.md | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/content/pt-br/docs/reference/access-authn-authz/authorization.md b/content/pt-br/docs/reference/access-authn-authz/authorization.md index 5ead89c8e7907..e0de1403a8085 100644 --- a/content/pt-br/docs/reference/access-authn-authz/authorization.md +++ b/content/pt-br/docs/reference/access-authn-authz/authorization.md 
@@ -77,17 +77,17 @@ Os verbos `get`, `list` e `watch` podem retornar todos os detalhes de um recurso Às vezes, o Kubernetes verifica a autorização para permissões adicionais utilizando verbos especializados. Por exemplo: * [PodSecurityPolicy](/docs/concepts/security/pod-security-policy/) - * `use` verbo em recursos `podsecuritypolicies` no grupo `policy` de API. + * Verbo `use` em recursos `podsecuritypolicies` no grupo `policy` de API. * [RBAC](/docs/reference/access-authn-authz/rbac/#privilege-escalation-prevention-and-bootstrapping) - * `bind` e `escalate` verbos em `roles` e recursos `clusterroles` no grupo `rbac.authorization.k8s.io` de API. + * Verbos `bind` e `escalate` em `roles` e recursos `clusterroles` no grupo `rbac.authorization.k8s.io` de API. * [Authentication](/pt-br/docs/reference/access-authn-authz/authentication/) - * `impersonate` verbo em `users`, `groups`, e `serviceaccounts` no grupo de API `core`, e o `userextras` no grupo `authentication.k8s.io` de API. + * Verbo `impersonate` em `users`, `groups`, e `serviceaccounts` no grupo de API `core`, e o `userextras` no grupo `authentication.k8s.io` de API. ## Modos de Autorização {#authorization-modules} O servidor da API Kubernetes pode autorizar uma solicitação usando um dos vários modos de autorização: - * **Node** - Um modo de autorização de finalidade especial que concede permissões a `kubelets` com base nos `Pods` que estão programados para execução. Para saber mais sobre como utilizar o modo de autorização do nó, consulte [Node Authorization](/docs/reference/access-authn-authz/node/). + * **Node** - Um modo de autorização de finalidade especial que concede permissões a ```kubelets``` com base nos ```Pods``` que estão programados para execução. Para saber mais sobre como utilizar o modo de autorização do nó, consulte [Node Authorization](/docs/reference/access-authn-authz/node/). 
* **ABAC** - Attribute-based access control (ABAC), ou Controle de acesso baseado em atributos, define um paradigma de controle de acesso pelo qual os direitos de acesso são concedidos aos usuários por meio do uso de políticas que combinam atributos. As políticas podem usar qualquer tipo de atributo (atributos de usuário, atributos de recurso, objeto, atributos de ambiente, etc.). Para saber mais sobre como usar o modo ABAC, consulte [ABAC Mode](/docs/reference/access-authn-authz/abac/). * **RBAC** - Role-based access control (RBAC), ou controle de acesso baseado em função, é um método de regular o acesso a recursos computacionais ou de rede com base nas funções de usuários individuais dentro de uma empresa. Nesse contexto, acesso é a capacidade de um usuário individual realizar uma tarefa específica, como visualizar, criar ou modificar um arquivo. Para saber mais sobre como usar o modo RBAC, consulte [RBAC Mode](/docs/reference/access-authn-authz/rbac/) * Quando especificado RBAC (Role-Based Access Control) usa o grupo de API `rbac.authorization.k8s.io` para orientar as decisões de autorização, permitindo que os administradores configurem dinamicamente as políticas de permissão por meio da API do Kubernetes. @@ -164,8 +164,8 @@ neste grupo inclui: * `SelfSubjectRulesReview` - Uma revisão que retorna o conjunto de ações que um usuário pode executar em um namespace. Útil para usuários resumirem rapidamente seu próprio acesso ou para interfaces de usuário mostrarem ações. -Essas APIs podem ser consultadas criando recursos normais do Kubernetes, onde a resposta `status` -campo do objeto retornado é o resultado da consulta. +Essas APIs podem ser consultadas criando recursos normais do Kubernetes, onde a resposta no campo `status` +do objeto retornado é o resultado da consulta. ```bash kubectl create -f - -o yaml << EOF 
@@ -204,8 +204,8 @@ suas políticas incluem: As seguintes flags podem ser utilizadas: - * `--authorization-mode=ABAC` O modo de controle de acesso baseado em atributos [Attribute-Based Access Control (ABAC)] permite configurar políticas usando arquivos locais. - * `--authorization-mode=RBAC` O modo de controle de acesso baseado em função [Role-based access control (RBAC)] permite que você crie e armazene políticas usando a API do Kubernetes. + * `--authorization-mode=ABAC` O modo de controle de acesso baseado em atributos (ABAC) permite configurar políticas usando arquivos locais. + * `--authorization-mode=RBAC` O modo de controle de acesso baseado em função (RBAC) permite que você crie e armazene políticas usando a API do Kubernetes. * `--authorization-mode=Webhook` WebHook é um modo de retorno de chamada HTTP que permite gerenciar a autorização usando endpoint REST. * `--authorization-mode=Node` A autorização de nó é um modo de autorização de propósito especial que autoriza especificamente requisições de API feitas por kubelets. * `--authorization-mode=AlwaysDeny` Esta flag bloqueia todas as requisições. Utilize esta flag somente para testes. @@ -217,7 +217,7 @@ em ordem, então, um modulo anterior tem maior prioridade para permitir ou negar ## Escalonamento de privilégios através da criação ou edição da cargas de trabalho {#privilege-escalation-via-pod-creation} Usuários que podem criar ou editar pods em um namespace diretamente ou através de um [controlador](/pt-br/docs/concepts/architecture/controller/) -como, por exemplo, um operador, e conseguiriam escalar seus próprios privilégios naquele namespace. +como, por exemplo, um operador, conseguiriam escalar seus próprios privilégios naquele namespace. {{< caution >}} Administradores de sistemas, tenham cuidado ao permitir acesso para criar ou editar cargas de trabalho. 
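Review bot: the heading kept as context in the last hunk reads "criação ou edição da cargas de trabalho"; the article does not agree with the plural noun and should be "de cargas de trabalho". Since this hunk already rewrites the sentence directly under that heading, fix it here too. The same context still has "modulo" without its accent ("módulo"), next to the correctly accented "Módulos" in the preceding sentence.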
@@ -227,15 +227,15 @@ Detalhes de como estas permissões podem ser usadas de forma maliciosa podem ser ### Caminhos para escalonamento {#escalation-paths} -- Montar Secret arbitrários nesse namespace +- Montagem de Secret arbitrários nesse namespace - Pode ser utilizado para acessar Secret destinados a outras cargas de trabalho - Pode ser utilizado para obter um token da conta de serviço com maior privilégio -- Usando contas de serviço arbitrárias nesse namespace +- Uso de contas de serviço arbitrárias nesse namespace - Pode executar ações da API do Kubernetes como outra carga de trabalho (personificação) - Pode executar quaisquer ações privilegiadas que a conta de serviço tenha acesso - Montagem de configmaps destinados a outras cargas de trabalho nesse namespace - Pode ser utilizado para obter informações destinadas a outras cargas de trabalho, como nomes de host de banco de dados. -- Montar volumes destinados a outras cargas de trabalho nesse namespace +- Montagem de volumes destinados a outras cargas de trabalho nesse namespace - Pode ser utilizado para obter informações destinadas a outras cargas de trabalho e alterá-las. {{< caution >}} From 38e8cb00dc94740ec967cdb1139eab92c258de84 Mon Sep 17 00:00:00 2001 From: Jose Almaraz Date: Tue, 15 Nov 2022 22:27:41 +0100 Subject: [PATCH 051/139] missing kubelet and pods format --- .../docs/reference/access-authn-authz/authorization.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/content/pt-br/docs/reference/access-authn-authz/authorization.md b/content/pt-br/docs/reference/access-authn-authz/authorization.md index e0de1403a8085..efba8eb731188 100644 --- a/content/pt-br/docs/reference/access-authn-authz/authorization.md +++ b/content/pt-br/docs/reference/access-authn-authz/authorization.md 
@@ -139,7 +139,7 @@ no ``` Da mesma forma, para verificar se uma ServiceAccount chamada `dev-sa` no Namespace `dev` -pode listar Pods no namespace `target`: +pode listar ```Pods``` no namespace `target`: ```bash # "can-i list" = "posso listar" @@ -158,7 +158,7 @@ yes expõe a autorização do servidor de API para serviços externos. Outros recursos neste grupo inclui: -* `SubjectAccessReview` - Revisão de acesso para qualquer usuário, não apenas o atual. Útil para delegar decisões de autorização para o servidor de API. Por exemplo, o kubelet e extensões de servidores de API utilizam disso para determinar o acesso do usuário às suas próprias APIs. +* `SubjectAccessReview` - Revisão de acesso para qualquer usuário, não apenas o atual. Útil para delegar decisões de autorização para o servidor de API. Por exemplo, o ```kubelet``` e extensões de servidores de API utilizam disso para determinar o acesso do usuário às suas próprias APIs. * `LocalSubjectAccessReview` - Similar a `SubjectAccessReview`, mas restrito a um namespace específico. 
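Review bot: the `+` line of the `SubjectAccessReview` bullet wraps kubelet in three backticks, while every other inline identifier in the same hunk (`SubjectAccessReview`, `LocalSubjectAccessReview`) uses single backticks. Three backticks are the delimiter for fenced blocks, so use single backticks here, and for "Pods" in the previous hunk, to stay consistent and avoid renderer differences. On the same line "utilizam disso" should read "utilizam isso".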
@@ -207,7 +207,7 @@ As seguintes flags podem ser utilizadas: * `--authorization-mode=ABAC` O modo de controle de acesso baseado em atributos (ABAC) permite configurar políticas usando arquivos locais. * `--authorization-mode=RBAC` O modo de controle de acesso baseado em função (RBAC) permite que você crie e armazene políticas usando a API do Kubernetes. * `--authorization-mode=Webhook` WebHook é um modo de retorno de chamada HTTP que permite gerenciar a autorização usando endpoint REST. - * `--authorization-mode=Node` A autorização de nó é um modo de autorização de propósito especial que autoriza especificamente requisições de API feitas por kubelets. + * `--authorization-mode=Node` A autorização de nó é um modo de autorização de propósito especial que autoriza especificamente requisições de API feitas por ```kubelets```. * `--authorization-mode=AlwaysDeny` Esta flag bloqueia todas as requisições. Utilize esta flag somente para testes. * `--authorization-mode=AlwaysAllow` Esta flag permite todas as requisições. Utilize esta flag somente se não existam requisitos de autorização para as requisições de API. @@ -216,7 +216,7 @@ em ordem, então, um modulo anterior tem maior prioridade para permitir ou negar ## Escalonamento de privilégios através da criação ou edição da cargas de trabalho {#privilege-escalation-via-pod-creation} -Usuários que podem criar ou editar pods em um namespace diretamente ou através de um [controlador](/pt-br/docs/concepts/architecture/controller/) +Usuários que podem criar ou editar ```pods``` em um namespace diretamente ou através de um [controlador](/pt-br/docs/concepts/architecture/controller/) como, por exemplo, um operador, conseguiriam escalar seus próprios privilégios naquele namespace. {{< caution >}} From 6d92bb4efd30eaad99e40e7f6f0ad371fe8dcf30 Mon Sep 17 00:00:00 2001 From: "Rodrigo V. Del Monte" Date: Sat, 29 Oct 2022 19:48:23 +0200 Subject: [PATCH 052/139] Add pt-br/docs/reference/glossary/workload.md 
Signed-off-by: Rodrigo V. Del Monte --- .../pt-br/docs/reference/glossary/workload.md | 22 +++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 content/pt-br/docs/reference/glossary/workload.md diff --git a/content/pt-br/docs/reference/glossary/workload.md b/content/pt-br/docs/reference/glossary/workload.md new file mode 100644 index 0000000000000..c21e1ca1bbd6e --- /dev/null +++ b/content/pt-br/docs/reference/glossary/workload.md @@ -0,0 +1,22 @@ +--- +title: Carga de Trabalho +id: workloads +date: 2019-02-13 +full_link: /docs/concepts/workloads/ +short_description: > + Uma carga de trabalho é uma aplicação sendo executada no Kubernetes. + +aka: +tags: +- fundamental +--- + Uma carga de trabalho é uma aplicação sendo executada no Kubernetes. + + + +Vários objetos principais que representam diferentes tipos ou partes de uma carga de trabalho +incluem os objetos DaemonSet, Deployment, Job, ReplicaSet, e StatefulSet. + +Por exemplo, uma carga de trabalho que tem um servidor web e um banco de dados pode rodar o +banco de dados em um {{< glossary_tooltip term_id="StatefulSet" >}} e o servidor web +em um {{< glossary_tooltip term_id="Deployment" >}}. From 45b16ebb3154f5b63c1874865768cc4c2abe66ac Mon Sep 17 00:00:00 2001 From: Arhell Date: Mon, 14 Nov 2022 00:26:49 +0200 Subject: [PATCH 053/139] [ru] remove unused repo gpgkey for yum repo --- content/ru/docs/tasks/tools/install-kubectl.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/ru/docs/tasks/tools/install-kubectl.md b/content/ru/docs/tasks/tools/install-kubectl.md index a5ab438012460..56c8da12e94f9 100644 --- a/content/ru/docs/tasks/tools/install-kubectl.md +++ b/content/ru/docs/tasks/tools/install-kubectl.md 
@@ -72,7 +72,7 @@ baseurl=https://packages.cloud.google.com/yum/repos/kubernetes-el7-x86_64 enabled=1 gpgcheck=1 repo_gpgcheck=1 -gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg +gpgkey=https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg EOF sudo yum install -y kubectl {{< /tab >}} From 32c5a8bc6d6fb807a7fc8714f5d940c3c11d0db8 Mon Sep 17 00:00:00 2001 From: windsonsea Date: Wed, 16 Nov 2022 21:27:19 +0800 Subject: [PATCH 054/139] [zh] sync enabling-service-topology.md --- .../enabling-service-topology.md | 47 ++++++++++--------- 1 file changed, 25 insertions(+), 22 deletions(-) diff --git a/content/zh-cn/docs/tasks/administer-cluster/enabling-service-topology.md b/content/zh-cn/docs/tasks/administer-cluster/enabling-service-topology.md index c646046c05128..102fcc6adb804 100644 --- a/content/zh-cn/docs/tasks/administer-cluster/enabling-service-topology.md +++ b/content/zh-cn/docs/tasks/administer-cluster/enabling-service-topology.md 
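Review bot: this refers to the install-kubectl.md hunk of PATCH 053 above, where `gpgkey=` is reduced to `rpm-package-key.gpg` while `repo_gpgcheck=1` stays enabled in the context lines. With repository metadata checking on, the remaining key has to be the one that signs the repo metadata as well as the packages. The commit message calls the removed key unused but does not say how that was established; please state it (or name the upstream page this mirrors) so that readers who hit a signature failure are not pushed toward turning the check off.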
@@ -3,22 +3,28 @@ title: 开启服务拓扑 content_type: task min-kubernetes-server-version: 1.17 --- + {{< feature-state for_k8s_version="v1.21" state="deprecated" >}} + -这项功能,特别是 Alpha 状态的 `topologyKeys` 字段,在 kubernetes v1.21 中已经弃用。 -在 kubernetes v1.21 加入的[拓扑感知提示](/zh-cn/docs/concepts/services-networking/topology-aware-hints/) -提供了类似的功能。 - -## {{% heading "prerequisites" %}} - - {{< include "task-tutorial-prereqs.md" >}} {{< version-check >}} +这项功能,特别是 Alpha 状态的 `topologyKeys` 字段,在 Kubernetes v1.21 中已经弃用。 +在 Kubernetes v1.21 +加入的[拓扑感知提示](/zh-cn/docs/concepts/services-networking/topology-aware-hints/)提供了类似的功能。 - -_服务拓扑(Service Topology)_ 使 {{< glossary_tooltip term_id="service" text="服务">}} +**服务拓扑(Service Topology)** 使 {{< glossary_tooltip term_id="service">}} 能够根据集群中的 Node 拓扑来路由流量。 比如,服务可以指定将流量优先路由到与客户端位于同一节点或者同一可用区域的端点上。 ## {{% heading "prerequisites" %}} - {{< include "task-tutorial-prereqs.md" >}} {{< version-check >}} +{{< include "task-tutorial-prereqs.md" >}} {{< version-check >}} -需要下面列的先决条件,才能启用拓扑感知的服务路由: +需要满足下列先决条件,才能启用拓扑感知的服务路由: + +* Kubernetes 1.17 或更高版本 +* 配置 {{< glossary_tooltip text="kube-proxy" term_id="kube-proxy" >}} 以 iptables 或者 IPVS 模式运行 - * Kubernetes 1.17 或更新版本 - * 配置 {{< glossary_tooltip text="kube-proxy" term_id="kube-proxy" >}} 以 iptables 或者 IPVS 模式运行 +## 启用服务拓扑 {#enable-service-topology} {{< feature-state for_k8s_version="v1.21" state="deprecated" >}} + -## 启用服务拓扑 - -{{< feature-state for_k8s_version="v1.21" state="deprecated" >}} - -要启用服务拓扑功能,需要为所有 Kubernetes 组件启用 `ServiceTopology` +要启用服务拓扑,需要为所有 Kubernetes 组件启用 `ServiceTopology` [特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/): ``` --feature-gates="ServiceTopology=true` ``` - ## {{% heading "whatsnext" %}} - * 阅读[拓扑感知提示](/zh-cn/docs/concepts/services-networking/topology-aware-hints/),该技术是用来替换 `topologyKeys` 字段的。 * 阅读[端点切片](/zh-cn/docs/concepts/services-networking/endpoint-slices) * 阅读[服务拓扑](/zh-cn/docs/concepts/services-networking/service-topology)概念 -* 
阅读[通过服务来连接应用](/zh-cn/docs/concepts/services-networking/connect-applications-service/) \ No newline at end of file +* 阅读[使用 Service 连接到应用](/zh-cn/docs/tutorials/services/connect-applications-service/) \ No newline at end of file From da92a4f6637bab37e51505e8476e08b1ba15c234 Mon Sep 17 00:00:00 2001 From: ChengXiangdong Date: Thu, 17 Nov 2022 17:31:56 +0800 Subject: [PATCH 055/139] [zh] add some spaces to make it look pretty --- content/zh-cn/docs/concepts/architecture/nodes.md | 2 +- .../concepts/cluster-administration/flow-control.md | 2 +- .../docs/concepts/cluster-administration/proxies.md | 2 +- .../zh-cn/docs/concepts/services-networking/service.md | 10 +++++----- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/content/zh-cn/docs/concepts/architecture/nodes.md b/content/zh-cn/docs/concepts/architecture/nodes.md index 515d9caf205dd..8e4670e3c4307 100644 --- a/content/zh-cn/docs/concepts/architecture/nodes.md +++ b/content/zh-cn/docs/concepts/architecture/nodes.md @@ -1117,7 +1117,7 @@ the kubelet, and the `--fail-swap-on` command line flag or `failSwapOn` [configuration setting](/docs/reference/config-api/kubelet-config.v1beta1/#kubelet-config-k8s-io-v1beta1-KubeletConfiguration) must be set to false. --> -要在节点上启用交换内存,必须启用kubelet 的 `NodeSwap` 特性门控, +要在节点上启用交换内存,必须启用 kubelet 的 `NodeSwap` 特性门控, 同时使用 `--fail-swap-on` 命令行参数或者将 `failSwapOn` [配置](/zh-cn/docs/reference/config-api/kubelet-config.v1beta1/#kubelet-config-k8s-io-v1beta1-KubeletConfiguration)设置为 false。 diff --git a/content/zh-cn/docs/concepts/cluster-administration/flow-control.md b/content/zh-cn/docs/concepts/cluster-administration/flow-control.md index 2a1c5deb56708..50027f7cd0d11 100644 --- a/content/zh-cn/docs/concepts/cluster-administration/flow-control.md +++ b/content/zh-cn/docs/concepts/cluster-administration/flow-control.md 
@@ -484,7 +484,7 @@ incoming request is for a resource or non-resource URL) matches the request. 当给定的请求与某个 FlowSchema 的 `rules` 的其中一条匹配,那么就认为该请求与该 FlowSchema 匹配。 判断规则与该请求是否匹配,**不仅**要求该条规则的 `subjects` 字段至少存在一个与该请求相匹配, **而且**要求该条规则的 `resourceRules` 或 `nonResourceRules` -(取决于传入请求是针对资源URL还是非资源URL)字段至少存在一个与该请求相匹配。 +(取决于传入请求是针对资源 URL 还是非资源 URL)字段至少存在一个与该请求相匹配。 -与一般的Kubernetes名称一样,端口名称只能包含小写字母数字字符 和 `-`。 +与一般的 Kubernetes 名称一样,端口名称只能包含小写字母数字字符 和 `-`。 端口名称还必须以字母数字字符开头和结尾。 例如,名称 `123-abc` 和 `web` 有效,但是 `123_abc` 和 `-web` 无效。 @@ -1918,9 +1918,9 @@ the NLB Target Group's health check on the auto-assigned `.spec.healthCheckNodePort` and not receive any traffic. --> 与经典弹性负载均衡器不同,网络负载均衡器(NLB)将客户端的 IP 地址转发到该节点。 -如果服务的 `.spec.externalTrafficPolicy` 设置为 `Cluster` ,则客户端的IP地址不会传达到最终的 Pod。 +如果服务的 `.spec.externalTrafficPolicy` 设置为 `Cluster` ,则客户端的 IP 地址不会传达到最终的 Pod。 -通过将 `.spec.externalTrafficPolicy` 设置为 `Local`,客户端IP地址将传播到最终的 Pod, +通过将 `.spec.externalTrafficPolicy` 设置为 `Local`,客户端 IP 地址将传播到最终的 Pod, 但这可能导致流量分配不均。 没有针对特定 LoadBalancer 服务的任何 Pod 的节点将无法通过自动分配的 `.spec.healthCheckNodePort` 进行 NLB 目标组的运行状况检查,并且不会收到任何流量。 @@ -2213,7 +2213,7 @@ The previous information should be sufficient for many people who want to use Services. However, there is a lot going on behind the scenes that may be worth understanding. --> -## 虚拟IP实施 {#the-gory-details-of-virtual-ips} +## 虚拟 IP 实施 {#the-gory-details-of-virtual-ips} 对很多想使用 Service 的人来说,前面的信息应该足够了。 然而,有很多内部原理性的内容,还是值去理解的。 @@ -2468,7 +2468,7 @@ assignment of multiple interfaces and IP addresses to a Pod. NAT for multihomed SCTP associations requires special logic in the corresponding kernel modules. --> -支持多宿主SCTP关联要求 CNI 插件能够支持为一个 Pod 分配多个接口和 IP 地址。 +支持多宿主 SCTP 关联要求 CNI 插件能够支持为一个 Pod 分配多个接口和 IP 地址。 用于多宿主 SCTP 关联的 NAT 在相应的内核模块中需要特殊的逻辑。 {{< /warning >}} From 85f22c926d8db96beddca306b248a8f3d28c50cc Mon Sep 17 00:00:00 2001 
From: Arhell Date: Fri, 15 Jul 2022 01:06:56 +0300 Subject: [PATCH 056/139] [ru] update links in addons.md --- content/ru/docs/concepts/cluster-administration/addons.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/content/ru/docs/concepts/cluster-administration/addons.md b/content/ru/docs/concepts/cluster-administration/addons.md index 5c6d6446b6bd5..53be662b177dc 100644 --- a/content/ru/docs/concepts/cluster-administration/addons.md +++ b/content/ru/docs/concepts/cluster-administration/addons.md 
@@ -18,16 +18,16 @@ content_type: concept * [ACI](https://www.github.com/noironetworks/aci-containers) обеспечивает интегрированную сеть контейнеров и сетевую безопасность с помощью Cisco ACI. * [Antrea](https://antrea.io/) работает на уровне 3, обеспечивая сетевые службы и службы безопасности для Kubernetes, используя Open vSwitch в качестве уровня сетевых данных. * [Calico](https://docs.projectcalico.org/latest/introduction/) Calico поддерживает гибкий набор сетевых опций, поэтому вы можете выбрать наиболее эффективный вариант для вашей ситуации, включая сети без оверлея и оверлейные сети, с или без BGP. Calico использует тот же механизм для обеспечения соблюдения сетевой политики для хостов, модулей и (при использовании Istio и Envoy) приложений на уровне сервисной сети (mesh layer). -* [Canal](https://github.com/tigera/canal/tree/master/k8s-install) объединяет Flannel и Calico, обеспечивая сеть и сетевую политику. +* [Canal](https://projectcalico.docs.tigera.io/getting-started/kubernetes/flannel/flannel) объединяет Flannel и Calico, обеспечивая сеть и сетевую политику. * [Cilium](https://github.com/cilium/cilium) - это плагин сети L3 и сетевой политики, который может прозрачно применять политики HTTP/API/L7. Поддерживаются как режим маршрутизации, так и режим наложения/инкапсуляции, и он может работать поверх других подключаемых модулей CNI. -* [CNI-Genie](https://github.com/Huawei-PaaS/CNI-Genie) позволяет Kubernetes легко подключаться к выбору плагинов CNI, таких как Calico, Canal, Flannel, Romana или Weave. +* [CNI-Genie](https://github.com/cni-genie/CNI-Genie) позволяет Kubernetes легко подключаться к выбору плагинов CNI, таких как Calico, Canal, Flannel, Romana или Weave. * [Contrail](https://www.juniper.net/us/en/products-services/sdn/contrail/contrail-networking/), основан на [Tungsten Fabric](https://tungsten.io), представляет собой платформу для виртуализации мультиоблачных сетей с открытым исходным кодом и управления политиками. 
Contrail и Tungsten Fabric интегрированы с системами оркестрации, такими как Kubernetes, OpenShift, OpenStack и Mesos, и обеспечивают режимы изоляции для виртуальных машин, контейнеров/подов и рабочих нагрузок без операционной системы. * [Flannel](https://github.com/flannel-io/flannel#deploying-flannel-manually) - это поставщик оверлейной сети, который можно использовать с Kubernetes. * [Knitter](https://github.com/ZTE/Knitter/) - это плагин для поддержки нескольких сетевых интерфейсов Kubernetes подов. * [Multus](https://github.com/k8snetworkplumbingwg/multus-cni) - это плагин Multi для работы с несколькими сетями в Kubernetes, который поддерживает большинство самых популярных [CNI](https://github.com/containernetworking/cni) (например: Calico, Cilium, Contiv, Flannel), в дополнение к рабочим нагрузкам основанных на SRIOV, DPDK, OVS-DPDK и VPP в Kubernetes. * [OVN-Kubernetes](https://github.com/ovn-org/ovn-kubernetes/) - это сетевой провайдер для Kubernetes основанный на [OVN (Open Virtual Network)](https://github.com/ovn-org/ovn/), реализация виртуальной сети, появившийся в результате проекта Open vSwitch (OVS). OVN-Kubernetes обеспечивает сетевую реализацию на основе наложения для Kubernetes, включая реализацию балансировки нагрузки и сетевой политики на основе OVS. * [OVN4NFV-K8S-Plugin](https://github.com/opnfv/ovn4nfv-k8s-plugin) - это подключаемый модуль контроллера CNI на основе OVN для обеспечения облачной цепочки сервисных функций (SFC), несколько наложенных сетей OVN, динамического создания подсети, динамического создания виртуальных сетей, сети поставщика VLAN, сети прямого поставщика и подключаемого к другим Multi Сетевые плагины, идеально подходящие для облачных рабочих нагрузок на периферии в сети с несколькими кластерами. 
-* [NSX-T](https://docs.vmware.com/en/VMware-NSX-T/2.0/nsxt_20_ncp_kubernetes.pdf) плагин для контейнера (NCP) обеспечивающий интеграцию между VMware NSX-T и контейнерами оркестраторов, таких как Kubernetes, а так же интеграцию между NSX-T и контейнеров на основе платформы CaaS/PaaS, таких как Pivotal Container Service (PKS) и OpenShift. +* [NSX-T](https://docs.vmware.com/en/VMware-NSX-T-Data-Center/index.html) плагин для контейнера (NCP) обеспечивающий интеграцию между VMware NSX-T и контейнерами оркестраторов, таких как Kubernetes, а так же интеграцию между NSX-T и контейнеров на основе платформы CaaS/PaaS, таких как Pivotal Container Service (PKS) и OpenShift. * [Nuage](https://github.com/nuagenetworks/nuage-kubernetes/blob/v5.1.1-1/docs/kubernetes-1-installation.rst) - эта платформа SDN, которая обеспечивает сетевое взаимодействие на основе политик между Kubernetes подами и не Kubernetes окружением, с отображением и мониторингом безопасности. * [Romana](https://github.com/romana/romana) - это сетевое решение уровня 3 для сетей подов, которое также поддерживает [NetworkPolicy API](/docs/concepts/services-networking/network-policies/). Подробности установки Kubeadm доступны [здесь](https://github.com/romana/romana/tree/master/containerize). * [Weave Net](https://www.weave.works/docs/net/latest/kubernetes/kube-addon/) предоставляет сеть и обеспечивает сетевую политику, будет работать на обеих сторонах сетевого раздела и не требует внешней базы данных. From 880ad122f026f71a7567d28ccc2a13a96950bbd5 Mon Sep 17 00:00:00 2001 From: Mengjiao Liu Date: Fri, 18 Nov 2022 15:38:10 +0800 Subject: [PATCH 057/139] [zh-cn] Improve Chinese translation in names page --- .../zh-cn/docs/concepts/overview/working-with-objects/names.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/zh-cn/docs/concepts/overview/working-with-objects/names.md b/content/zh-cn/docs/concepts/overview/working-with-objects/names.md index 4ea3dec20f208..2786c19e7a205 100644 
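Review bot: in `content/ru/docs/concepts/cluster-administration/addons.md`, the new NSX-T link `https://docs.vmware.com/en/VMware-NSX-T-Data-Center/index.html` points at the product documentation index, while the link it replaces went to a Kubernetes-specific NCP document, so the entry no longer leads directly to the container plugin it describes. If a stable NCP page exists, link that instead. The same added line still carries the typo "а так же", which should read "а также" since the line is being touched anyway.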
--- a/content/zh-cn/docs/concepts/overview/working-with-objects/names.md +++ b/content/zh-cn/docs/concepts/overview/working-with-objects/names.md @@ -26,7 +26,7 @@ For example, you can only have one Pod named `myapp-1234` within the same [names 每个 Kubernetes 对象也有一个 [**UID**](#uids) 来标识在整个集群中的唯一性。 比如,在同一个[名字空间](/zh-cn/docs/concepts/overview/working-with-objects/namespaces/) -中有一个名为 `myapp-1234` 的 Pod,但是可以命名一个 Pod 和一个 Deployment 同为 `myapp-1234`。 +中只能有一个名为 `myapp-1234` 的 Pod,但是可以命名一个 Pod 和一个 Deployment 同为 `myapp-1234`。 -## 为一个在五个 pod 中运行的应用程序创建服务 +## 为一个在五个 pod 中运行的应用程序创建服务 {#creating-a-service-for-an-app-running-in-five-pods} + 前面的命令创建一个 {{< glossary_tooltip text="Deployment" term_id="deployment" >}} 对象和一个关联的 @@ -119,6 +121,7 @@ external IP address. + 输出类似于: ```console @@ -126,20 +129,20 @@ external IP address. my-service LoadBalancer 10.3.245.137 104.198.205.71 8080/TCP 54s ``` - - 提示:`type=LoadBalancer` 服务由外部云服务提供商提供支持,本例中不包含此部分, + `type=LoadBalancer` 服务由外部云服务提供商提供支持,本例中不包含此部分, 详细信息请参考[此页](/zh-cn/docs/concepts/services-networking/service/#loadbalancer) + {{< /note >}} - - 提示:如果外部 IP 地址显示为 \,请等待一分钟再次输入相同的命令。 + 如果外部 IP 地址显示为 \,请等待一分钟再次输入相同的命令。 + {{< /note >}} + 输出类似于: ```console @@ -170,12 +174,14 @@ external IP address. Session Affinity: None Events: ``` + + 记下服务公开的外部 IP 地址(`LoadBalancer Ingress`)。 在本例中,外部 IP 地址是 104.198.205.71。还要注意 `Port` 和 `NodePort` 的值。 在本例中,`Port` 是 8080,`NodePort` 是 32377。 @@ -198,6 +204,7 @@ external IP address. + 输出类似于: ```console @@ -225,13 +232,16 @@ external IP address. If you are using minikube, typing `minikube service my-service` will automatically open the Hello World application in a browser. --> + 其中 `` 是你的服务的外部 IP 地址(`LoadBalancer Ingress`), `` 是你的服务描述中的 `port` 的值。 - 如果你正在使用 minikube,输入 `minikube service my-service` 将在浏览器中自动打开 Hello World 应用程序。 + 如果你正在使用 minikube,输入 `minikube service my-service` + 将在浏览器中自动打开 Hello World 应用程序。 + 成功请求的响应是一条问候消息: ```shell 
@@ -253,7 +263,7 @@ kubectl delete services my-service To delete the Deployment, the ReplicaSet, and the Pods that are running the Hello World application, enter this command: --> -要删除正在运行 Hello World 应用程序的 Deployment,ReplicaSet 和 Pod,请输入以下命令: +要删除正在运行 Hello World 应用程序的 Deployment、ReplicaSet 和 Pod,请输入以下命令: ```shell kubectl delete deployment hello-world @@ -263,7 +273,7 @@ kubectl delete deployment hello-world -进一步了解[将应用程序与服务连接](/zh-cn/docs/concepts/services-networking/connect-applications-service/)。 +进一步了解[使用 Service 连接到应用](/zh-cn/docs/tutorials/services/connect-applications-service/)。 From 7033dc3fe465219a33843ab329ef363f86049ab8 Mon Sep 17 00:00:00 2001 From: windsonsea Date: Thu, 17 Nov 2022 09:49:33 +0800 Subject: [PATCH 061/139] [zh] sync /concepts/configuration/secret.md --- .../docs/concepts/configuration/secret.md | 89 ++++++++----------- 1 file changed, 37 insertions(+), 52 deletions(-) diff --git a/content/zh-cn/docs/concepts/configuration/secret.md b/content/zh-cn/docs/concepts/configuration/secret.md index 9dc4b86434fe0..b2a77a02d2b43 100644 --- a/content/zh-cn/docs/concepts/configuration/secret.md +++ b/content/zh-cn/docs/concepts/configuration/secret.md @@ -60,6 +60,7 @@ Kubernetes Secrets are, by default, stored unencrypted in the API server's under Additionally, anyone who is authorized to create a Pod in a namespace can use that access to read any Secret in that namespace; this includes indirect access such as the ability to create a Deployment. + In order to safely use Secrets, take at least the following steps: 1. [Enable Encryption at Rest](/docs/tasks/administer-cluster/encrypt-data/) for Secrets. 
@@ -190,17 +191,19 @@ the exact mechanisms for issuing and refreshing those session tokens. There are several options to create a Secret: -- [create Secret using `kubectl` command](/docs/tasks/configmap-secret/managing-secret-using-kubectl/) -- [create Secret from config file](/docs/tasks/configmap-secret/managing-secret-using-config-file/) -- [create Secret using kustomize](/docs/tasks/configmap-secret/managing-secret-using-kustomize/) +- [Use `kubectl`](/docs/tasks/configmap-secret/managing-secret-using-kubectl/) +- [Use a configuration file](/docs/tasks/configmap-secret/managing-secret-using-config-file/) +- [Use the Kustomize tool](/docs/tasks/configmap-secret/managing-secret-using-kustomize/) --> ## 使用 Secret {#working-with-secrets} ### 创建 Secret {#creating-a-secret} -- [使用 `kubectl` 命令来创建 Secret](/zh-cn/docs/tasks/configmap-secret/managing-secret-using-kubectl/) -- [基于配置文件来创建 Secret](/zh-cn/docs/tasks/configmap-secret/managing-secret-using-config-file/) -- [使用 kustomize 来创建 Secret](/zh-cn/docs/tasks/configmap-secret/managing-secret-using-kustomize/) +创建 Secret 有以下几种可选方式: + +- [使用 `kubectl`](/zh-cn/docs/tasks/configmap-secret/managing-secret-using-kubectl/) +- [使用配置文件](/zh-cn/docs/tasks/configmap-secret/managing-secret-using-config-file/) +- [使用 Kustomize 工具](/zh-cn/docs/tasks/configmap-secret/managing-secret-using-kustomize/) ### 编辑 Secret {#editing-a-secret} -你可以使用 kubectl 来编辑一个已有的 Secret: - -```shell -kubectl edit secrets mysecret -``` +你可以编辑一个已有的 Secret,除非它是[不可变更的](#secret-immutable)。 +要编辑一个 Secret,可使用以下方法之一: -这一命令会启动你的默认编辑器,允许你更新 `data` 字段中存放的 base64 编码的 Secret 值; -例如: - -```yaml -# 请编辑以下对象。以 `#` 开头的几行将被忽略, -# 且空文件将放弃编辑。如果保存此文件时出错, -# 则重新打开此文件时也会有相关故障。 -apiVersion: v1 -data: - username: YWRtaW4= - password: MWYyZDFlMmU2N2Rm -kind: Secret -metadata: - annotations: - kubectl.kubernetes.io/last-applied-configuration: { ... 
} - creationTimestamp: 2020-01-22T18:41:56Z - name: mysecret - namespace: default - resourceVersion: "164619" - uid: cfee02d6-c137-11e5-8d73-42010af00002 -type: Opaque -``` +* [使用 `kubectl`](/zh-cn/docs/tasks/configmap-secret/managing-secret-using-kubectl/#edit-secret) +* [使用配置文件](/zh-cn/docs/tasks/configmap-secret/managing-secret-using-config-file/#edit-secret) -这一示例清单定义了一个 Secret,其 `data` 字段中包含两个主键:`username` 和 `password`。 -清单中的字段值是 Base64 字符串,不过,当你在 Pod 中使用 Secret 时,kubelet 为 Pod -及其中的容器提供的是**解码**后的数据。 +你也可以使用 +[Kustomize 工具](/zh-cn/docs/tasks/configmap-secret/managing-secret-using-kustomize/#edit-secret)编辑数据。 +然而这种方法会用编辑过的数据创建新的 `Secret` 对象。 -你可以在一个 Secret 中打包多个主键和数值,也可以选择使用多个 Secret, -完全取决于哪种方式最方便。 +根据你创建 Secret 的方式以及该 Secret 在 Pod 中被使用的方式,对已有 `Secret` +对象的更新将自动扩散到使用此数据的 Pod。有关更多信息, +请参阅[自动更新挂载的 Secret](#mounted-secrets-are-updated-automatically)。 ### 以环境变量的方式使用 Secret {#using-secrets-as-environment-variables} -如果需要在 Pod 中以{{< glossary_tooltip text="环境变量" term_id="container-env-variables" >}} -的形式使用 Secret: +如果需要在 Pod +中以{{< glossary_tooltip text="环境变量" term_id="container-env-variables" >}}的形式使用 Secret: Pod 的 `imagePullSecrets` 字段是一个对 Pod 所在的名字空间中的 Secret @@ -880,7 +863,8 @@ kubelet 使用这个信息来替你的 Pod 拉取私有镜像。 The `imagePullSecrets` field is a list of references to secrets in the same namespace. You can use an `imagePullSecrets` to pass a secret that contains a Docker (or other) image registry password to the kubelet. The kubelet uses this information to pull a private image on behalf of your Pod. -See the [PodSpec API](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#podspec-v1-core) for more information about the `imagePullSecrets` field. +See the [PodSpec API](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#podspec-v1-core) +for more information about the `imagePullSecrets` field. --> #### 使用 imagePullSecrets {#using-imagepullsecrets-1} 
@@ -1137,6 +1121,7 @@ For example, if your actual password is `S!B\*d$zDsb=`, you should execute the c ```shell kubectl create secret generic dev-db-secret --from-literal=username=devuser --from-literal=password='S!B\*d$zDsb=' ``` + @@ -1949,7 +1934,7 @@ A bootstrap type Secret has the following keys specified under `data`: - `token-secret`: A random 16 character string as the actual token secret. Required. - `description`: A human-readable string that describes what the token is used for. Optional. -- `expiration`: An absolute UTC time using RFC3339 specifying when the token +- `expiration`: An absolute UTC time using [RFC3339](https://datatracker.ietf.org/doc/html/rfc3339) specifying when the token should be expired. Optional. - `usage-bootstrap-`: A boolean flag indicating additional usage for the bootstrap token. @@ -1961,7 +1946,8 @@ A bootstrap type Secret has the following keys specified under `data`: - `token-id`:由 6 个随机字符组成的字符串,作为令牌的标识符。必需。 - `token-secret`:由 16 个随机字符组成的字符串,包含实际的令牌机密。必需。 - `description`:供用户阅读的字符串,描述令牌的用途。可选。 -- `expiration`:一个使用 RFC3339 来编码的 UTC 绝对时间,给出令牌要过期的时间。可选。 +- `expiration`:一个使用 [RFC3339](https://datatracker.ietf.org/doc/html/rfc3339) + 来编码的 UTC 绝对时间,给出令牌要过期的时间。可选。 - `usage-bootstrap-`:布尔类型的标志,用来标明启动引导令牌的其他用途。 - `auth-extra-groups`:用逗号分隔的组名列表,身份认证时除被认证为 `system:bootstrappers` 组之外,还会被添加到所列的用户组中。 @@ -2148,7 +2134,6 @@ Secrets used on that node. - Learn how to [manage Secrets using kustomize](/docs/tasks/configmap-secret/managing-secret-using-kustomize/) - Read the [API reference](/docs/reference/kubernetes-api/config-and-storage-resources/secret-v1/) for `Secret` --> - - 有关管理和提升 Secret 安全性的指南,请参阅 [Kubernetes Secret 良好实践](/zh-cn/docs/concepts/security/secrets-good-practices) - 学习如何[使用 `kubectl` 管理 Secret](/zh-cn/docs/tasks/configmap-secret/managing-secret-using-kubectl/) - 学习如何[使用配置文件管理 Secret](/zh-cn/docs/tasks/configmap-secret/managing-secret-using-config-file/) From 628ecf5bff87915c990c53c65b33107b59e77651 Mon Sep 17 00:00:00 2001 
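Review bot: in `content/zh-cn/docs/concepts/configuration/secret.md`, the rewritten "编辑 Secret" section adds links to the in-page anchors `#secret-immutable` and `#mounted-secrets-are-updated-automatically`, and to `#edit-secret` on three task pages, none of which are defined in the visible hunks. Please confirm the zh-cn headings carry those ids, otherwise the links land at the top of the page. The same hunk also drops the paragraph stating that `data` values are Base64 strings and that the kubelet hands decoded data to the Pod, so check that this is still stated elsewhere on the page.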
From: Arhell Date: Mon, 7 Nov 2022 00:15:36 +0200 Subject: [PATCH 062/139] [de] remove unused repo gpgkey for yum repo --- content/de/docs/tasks/tools/install-kubectl.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/de/docs/tasks/tools/install-kubectl.md b/content/de/docs/tasks/tools/install-kubectl.md index 2354fad25f5a7..53f04a90473bb 100644 --- a/content/de/docs/tasks/tools/install-kubectl.md +++ b/content/de/docs/tasks/tools/install-kubectl.md @@ -42,7 +42,7 @@ baseurl=https://packages.cloud.google.com/yum/repos/kubernetes-el7-x86_64 enabled=1 gpgcheck=1 repo_gpgcheck=1 -gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg +gpgkey=https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg EOF yum install -y kubectl {{< /tab >}} From dd789f629907c0df650106d1f931418c4c5f9cd1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Frederico=20Mu=C3=B1oz?= Date: Wed, 16 Nov 2022 12:09:54 +0000 Subject: [PATCH 063/139] Add initial v1.26 deprecations and removals blog --- ...bernetes-1.26-deprecations-and-removals.md | 116 ++++++++++++++++++ 1 file changed, 116 insertions(+) create mode 100644 content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md diff --git a/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md b/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md new file mode 100644 index 0000000000000..f63711cf48ddb --- /dev/null +++ b/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md 
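Review bot: in `content/de/docs/tasks/tools/install-kubectl.md`, the repo stanza keeps `repo_gpgcheck=1` while `yum-key.gpg` is dropped from `gpgkey=`, so the single remaining key `rpm-package-key.gpg` has to verify the repository metadata signature as well as the packages. The commit subject calls the removed key unused. Please confirm that with a fresh `yum install -y kubectl` using exactly this stanza, because a metadata signature that cannot be checked makes yum reject the repository, and the usual workaround of setting `repo_gpgcheck=0` removes that verification altogether.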
@@ -0,0 +1,116 @@ +--- +layout: blog +title: "Kubernetes Removals, Deprecations, and Major Changes in 1.26" +date: 2022-11-18 +slug: upcoming-changes-in-kubernetes-1-26 +--- + +**Authors**: Frederico Muñoz + +Change is an integral part of the Kubernetes life-cycle: as Kubernetes grows and matures, features may be deprecated, removed, or replaced with improvements for the health of the project. For Kubernetes v1.26 there are several planned: this article identifies and describes some of them, based on the information available at this mid-cycle point in the v1.26 release process, which is still ongoing and can introduce additional changes. + +## The Kubernetes API Removal and Deprecation process {#k8s-api-deprecation-process} + +The Kubernetes project has a [well-documented deprecation policy](https://kubernetes.io/docs/reference/using-api/deprecation-policy/) for features. This policy states that stable APIs may only be deprecated when a newer, stable version of that same API is available and that APIs have a minimum lifetime for each stability level. A deprecated API is one that has been marked for removal in a future Kubernetes release; it will continue to function until removal (at least one year from the deprecation), but usage will result in a warning being displayed. Removed APIs are no longer available in the current version, at which point you must migrate to using the replacement. + +* Generally available (GA) or stable API versions may be marked as deprecated but must not be removed within a major version of Kubernetes. +* Beta or pre-release API versions must be supported for 3 releases after deprecation. +* Alpha or experimental API versions may be removed in any release without prior deprecation notice. + +Whether an API is removed as a result of a feature graduating from beta to stable or because that API simply did not succeed, all removals comply with this deprecation policy. 
Whenever an API is removed, migration options are communicated in the documentation. + + +## A note about Dynamic Kubelet configuration {#dynamic-kubelet-removal} + +Dynamic Kubelet Configuration allowed [new Kubelet configurations to be rolled out in a live cluster](https://github.com/kubernetes/enhancements/tree/2cd758cc6ab617a93f578b40e97728261ab886ed/keps/sig-node/281-dynamic-kubelet-configuration), by enabling specifying the source of the node's configuration for the `DynamicKubeletConfig` feature. + +As mentioned above, the Kubernetes release cycle is live, dynamic, and based on a set of principles, including the [avoidance of permanent beta features](https://kubernetes.io/blog/2020/08/21/moving-forward-from-beta/#avoiding-permanent-beta). With that principle in mind, Dynamic Kubelet Configuration was removed from kubelet in v1.24, [and will be removed from the API server in this release](https://github.com/kubernetes/kubernetes/pull/112643). + +## Deprecations and removals in Kubernetes v1.26 + +In addition to the above, Kubernetes v1.26 is targeted to include several additional removals and deprecations. + +### Removal of kube-proxy userspace modes + +After two releases of deprecation, [kube-proxy userspace mode will be removed](https://github.com/kubernetes/kubernetes/pull/112133) in this version; users that have not yet done so are strongly advised to adopt supported approaches, namely the use of `iptables` or `ipvs`on Linux, or `kernelspace` on Windows. + +### Removal of the `v1beta1` flow control resources API + +The `flowcontrol.apiserver.k8s.io/v1beta1` API version of FlowSchema and PriorityLevelConfiguration [will no longer be served in v1.26](https://kubernetes.io/docs/reference/using-api/deprecation-guide/#flowcontrol-resources-v126). Users should migrate manifests and API clients to use the `flowcontrol.apiserver.k8s.io/v1beta2` API version, available since v1.23. 
+ +### Removal of the `v2beta2` HorizontalPodAutoscaler API + +The `autoscaling/v2beta2` API version of HorizontalPodAutoscaler [will no longer be served in v1.26](https://kubernetes.io/docs/reference/using-api/deprecation-guide/#horizontalpodautoscaler-v126). Users should migrate manifests and API clients to use the `autoscaling/v2` API version, available since v1.23. + +### Removal of in-tree credential management code + +In this release, vendor-specific authentication code (i.e. used for authentication against GKE or AKS) [will be removed](https://github.com/kubernetes/kubernetes/pull/112341) from both `client-go` and `kubectl`, being replaced by a plugin architecture. Additional guidance on how to proceed is available for [Azure](https://github.com/Azure/kubelogin) and [Google Cloud](https://cloud.google.com/blog/products/containers-kubernetes/kubectl-auth-changes-in-gke). + +### Removal of `kube-proxy` userspace modes + +The `userspace` proxy mode, deprecated for over a year, is [no longer supported on either Linux or Windows](https://github.com/kubernetes/kubernetes/pull/112133) and will be removed in this release. Users should use `iptables` or `ipvs` on Linux, or `kernelspace` on Windows: using `--mode userspace` will now fail. + +### Removal of in-tree OpenStack cloud provider + +The in-tree cloud provider for OpenStack (and the Cinder volume provider) [will be removed](https://github.com/kubernetes/kubernetes/pull/67782). Users are advised to use the external cloud provider and CSI driver from https://github.com/kubernetes/cloud-provider-openstack instead. 
+ +### Deprecation of non-inclusive `kubectl` flag + +A part of the implementation effort of the [Inclusive Naming Initiative](https://www.cncf.io/announcements/2021/10/13/inclusive-naming-initiative-announces-new-community-resources-for-a-more-inclusive-future/), the `--prune-whitelist` flag [will be deprecated](https://github.com/kubernetes/kubernetes/pull/113116), and replaced with `--prune-allowlist`. Users that use this flag are strongly advised to make the necessary changes prior to the final removal of the flag, in a future release. + +### Deprecations of `kube-apiserver` flag + +The `master-service-namespace` flag was [already deprecated](https://github.com/kubernetes/kubernetes/pull/112797) and doesn't have any effect, so we do not expect any impact from this deprecation. It will nonetheless be explicitly marked as deprecated in v1.26, preparing the removal in a future release. + +### Deprecation of several unused `kubectl run` flags + +Several unused flags will be [marked as deprecated](https://github.com/kubernetes/kubernetes/pull/112261), including: + +* `--cascade` +* `--filename` +* `--force` +* `--grace-period` +* `--kustomize` +* `--recursive` +* `--timeout` +* `--wait` + +These flags are already ignored so no impact is expected: the explicit deprecation sets a warning message and prepares the removal of the flags in a future release. + +### Removal of deprecated klog flags + +This change completes the [deprecations of `klogs` flags](https://github.com/kubernetes/kubernetes/pull/112120) which are no longer supported, and have been removed from Kubernetes components. + + +## Additional changes for Kubernetes v1.26 {#additional-changes} + +On top of the described removals, this release will also include some additional changes to take into consideration: while not deprecations or removals, they introduce new features (or a new default behavior) through the graduation to Stable in this release; some of those changes are highlighted here. 
+ +### Support for Windows privileged containers + +Privileged container support allows containers to run with similar access to the host as processes that run on the host directly. Support for this feature in Windows nodes [will now graduate to stable](https://github.com/kubernetes/enhancements/issues/1981) and will be enabled by default. + +### CSI drivers migration + +Following the GA of the [core CSI Migration](https://github.com/kubernetes/enhancements/tree/master/keps/sig-storage/625-csi-migration) feature in the previous release, the effort continues and both the [vSphere](https://github.com/kubernetes/enhancements/issues/1491) and [Azure](https://github.com/kubernetes/enhancements/issues/1885) in-tree driver migration to CSI will be graduating to Stable. + +### Support of mixed protocols in Services + +Currently, the API validation in Kubernetes that currently rejects Service definitions with different protocols if their type is LoadBalancer. In this release [support will be added that relaxes this validation](https://github.com/kubernetes/enhancements/tree/master/keps/sig-network/1435-mixed-protocol-lb). This feature depends on a strong interaction with the different cloud providers and for anyone planning to use it, a closer reading of the implications and risks is advised. + +## Looking ahead {#looking-ahead} + +The official list of API removals planned for [Kubernetes 1.27](https://kubernetes.io/docs/reference/using-api/deprecation-guide/#v1-27) currently includes: + +* The beta CSIStorageCapacity (`storage.k8s.io/v1beta1`) + +### Want to know more? + +Deprecations are announced in the Kubernetes release notes. 
You can see the announcements of pending deprecations in the release notes for: +* [Kubernetes 1.21](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.21.md#deprecation) +* [Kubernetes 1.22](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.22.md#deprecation) +* [Kubernetes 1.23](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.23.md#deprecation) +* [Kubernetes 1.24](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#deprecation) +* [Kubernetes 1.25](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#deprecation) +* We will formally announce the deprecations that come with [Kubernetes 1.26](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#deprecation) as part of the CHANGELOG for that release. + From 5bd794f0d62b93941d9b4047c8891ace3ad0a21f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Frederico=20Mu=C3=B1oz?= Date: Wed, 16 Nov 2022 12:18:01 +0000 Subject: [PATCH 064/139] Update 2022-10-18-kubernetes-1.26-deprecations-and-removals.md --- .../2022-10-18-kubernetes-1.26-deprecations-and-removals.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md b/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md index f63711cf48ddb..d6cc77fe29295 100644 --- a/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md +++ b/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md 
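Review bot: the new post `2022-10-18-kubernetes-1.26-deprecations-and-removals.md` has two sections for the same removal, "### Removal of kube-proxy userspace modes" and "### Removal of `kube-proxy` userspace modes", both linking to pull 112133. Merge them into one and keep the sentence saying that `--mode userspace` will now fail. In the closing list the Kubernetes 1.26 entry links to `CHANGELOG-1.24.md`, the front matter `date: 2022-11-18` does not match the `2022-10-18` in the file name, "`ipvs`on Linux" is missing a space, and the mixed-protocol paragraph opens with "Currently, the API validation in Kubernetes that currently rejects", which needs rewording.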
@@ -112,5 +112,5 @@ Deprecations are announced in the Kubernetes release notes. You can see the anno * [Kubernetes 1.23](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.23.md#deprecation) * [Kubernetes 1.24](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#deprecation) * [Kubernetes 1.25](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#deprecation) -* We will formally announce the deprecations that come with [Kubernetes 1.26](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#deprecation) as part of the CHANGELOG for that release. +* We will formally announce the deprecations that come with [Kubernetes 1.26](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#deprecation) as part of the CHANGELOG for that release. From b3cc7848c97aee3623d0c4b173ae55e389f27616 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Frederico=20Mu=C3=B1oz?= Date: Wed, 16 Nov 2022 17:16:37 +0000 Subject: [PATCH 065/139] Update content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md Co-authored-by: Mark Rossetti --- .../2022-10-18-kubernetes-1.26-deprecations-and-removals.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md b/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md index d6cc77fe29295..d7dfd6c90d3a6 100644 --- a/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md +++ b/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md 
@@ -88,7 +88,7 @@ On top of the described removals, this release will also include some additional ### Support for Windows privileged containers -Privileged container support allows containers to run with similar access to the host as processes that run on the host directly. Support for this feature in Windows nodes [will now graduate to stable](https://github.com/kubernetes/enhancements/issues/1981) and will be enabled by default. +Privileged container support allows containers to run with similar access to the host as processes that run on the host directly. Support for this feature in Windows nodes [will now graduate to stable](https://github.com/kubernetes/enhancements/issues/1981). ### CSI drivers migration From fc6d4641cbf279ae09cf35bf786b2dd5a1db318e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Frederico=20Mu=C3=B1oz?= Date: Wed, 16 Nov 2022 17:18:38 +0000 Subject: [PATCH 066/139] Use more general word for graduating that includes beta --- .../2022-10-18-kubernetes-1.26-deprecations-and-removals.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md b/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md index d7dfd6c90d3a6..d9abf26f088f0 100644 --- a/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md +++ b/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md 
@@ -84,7 +84,7 @@ This change completes the [deprecations of `klogs` flags](https://github.com/kub ## Additional changes for Kubernetes v1.26 {#additional-changes} -On top of the described removals, this release will also include some additional changes to take into consideration: while not deprecations or removals, they introduce new features (or a new default behavior) through the graduation to Stable in this release; some of those changes are highlighted here. +On top of the described removals, this release will also include some additional changes to take into consideration: while not deprecations or removals, they introduce new features (or a new default behavior) through the graduating in this release; some of those changes are highlighted here. ### Support for Windows privileged containers From cee444f984398953d77367b768903611f76dcbf6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Frederico=20Mu=C3=B1oz?= Date: Wed, 16 Nov 2022 19:17:35 +0000 Subject: [PATCH 067/139] CRI runtime deprecation, reordering kubelet dynamic configuration. --- ...-18-kubernetes-1.26-deprecations-and-removals.md | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md b/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md index d9abf26f088f0..5b5b26953fdf7 100644 --- a/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md +++ b/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md 
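Review bot: in the changed sentence under "Additional changes for Kubernetes v1.26", the phrase "through the graduating in this release" is not grammatical. "by graduating in this release" or "through graduation in this release" keeps the intended generality without naming a stability level.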
@@ -19,12 +19,11 @@ The Kubernetes project has a [well-documented deprecation policy](https://kubern Whether an API is removed as a result of a feature graduating from beta to stable or because that API simply did not succeed, all removals comply with this deprecation policy. Whenever an API is removed, migration options are communicated in the documentation. +## A note about the removal of the CRI `v1alpha2` API and containerd 1.5 support -## A note about Dynamic Kubelet configuration {#dynamic-kubelet-removal} - -Dynamic Kubelet Configuration allowed [new Kubelet configurations to be rolled out in a live cluster](https://github.com/kubernetes/enhancements/tree/2cd758cc6ab617a93f578b40e97728261ab886ed/keps/sig-node/281-dynamic-kubelet-configuration), by enabling specifying the source of the node's configuration for the `DynamicKubeletConfig` feature. +Following the adoption of the [Container Runtime Interface](https://kubernetes.io/docs/concepts/architecture/cri/) (CRI) and the [removal of dockershim] in v1.24 , the CRI API is the way through which Kubernetes interacts with the different container runtimes, with the kubelet communicating with them through a specific CRI API version. Currently, that version is `v1`, but the kubelet can also negotiate the use of CRI `v1alpha2`, even though it's considered deprecated. -As mentioned above, the Kubernetes release cycle is live, dynamic, and based on a set of principles, including the [avoidance of permanent beta features](https://kubernetes.io/blog/2020/08/21/moving-forward-from-beta/#avoiding-permanent-beta). With that principle in mind, Dynamic Kubelet Configuration was removed from kubelet in v1.24, [and will be removed from the API server in this release](https://github.com/kubernetes/kubernetes/pull/112643). 
+This version will [remove CRI `v1alpha2` support](https://github.com/kubernetes/kubernetes/pull/110618) entirely, which will result in the kubelet not registering the node if the container runtime doesn't support `v1`. This means that [containerd 1.5](https://github.com/containerd/containerd/blob/main/RELEASES.md), which only supports `v1alpha2`, will not be supported in Kubernetes 1.26, and as such upgrading to containerd 1.6 must be done before upgrading to Kubernetes v1.26. Other container runtimes that only support the `v1alpha2` are equally affected: users should contact their container runtime vendor for additional instructions in how to move forward. ## Deprecations and removals in Kubernetes v1.26 @@ -40,7 +39,7 @@ The `flowcontrol.apiserver.k8s.io/v1beta1` API version of FlowSchema and Priorit ### Removal of the `v2beta2` HorizontalPodAutoscaler API -The `autoscaling/v2beta2` API version of HorizontalPodAutoscaler [will no longer be served in v1.26](https://kubernetes.io/docs/reference/using-api/deprecation-guide/#horizontalpodautoscaler-v126). Users should migrate manifests and API clients to use the `autoscaling/v2` API version, available since v1.23. +The `autoscaling/v2beta2` API version of HorizontalPodAutoscaler [will no longer be served in v1.26](https://kubernetes.io/docs/reference/using-api/deprecation-guide/#horizontalpodautoscaler-v126). Users should migrate manifests and API clients to use the `autoscaling/v2` API version, available since v1.23. ### Removal of in-tree credential management code 
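Review bot: in the first hunk of this commit (`@@ -19,12 +19,11 @@`), "[removal of dockershim] in v1.24 ," is a reference-style link with no target in the visible lines, so it will render as literal brackets. Give it a URL and drop the space before the comma. The new heading "A note about the removal of the CRI `v1alpha2` API and containerd 1.5 support" also has no explicit `{#...}` anchor, unlike the heading it replaces, so add one if other pages are expected to link to this section.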
@@ -58,6 +57,10 @@ The in-tree cloud provider for OpenStack (and the Cinder volume provider) [will A part of the implementation effort of the [Inclusive Naming Initiative](https://www.cncf.io/announcements/2021/10/13/inclusive-naming-initiative-announces-new-community-resources-for-a-more-inclusive-future/), the `--prune-whitelist` flag [will be deprecated](https://github.com/kubernetes/kubernetes/pull/113116), and replaced with `--prune-allowlist`. Users that use this flag are strongly advised to make the necessary changes prior to the final removal of the flag, in a future release. +## A note about Dynamic Kubelet configuration {#dynamic-kubelet-removal} + +Dynamic Kubelet Configuration allowed [new Kubelet configurations to be rolled out in a live cluster](https://github.com/kubernetes/enhancements/tree/2cd758cc6ab617a93f578b40e97728261ab886ed/keps/sig-node/281-dynamic-kubelet-configuration), by enabling specifying the source of the node's configuration for the `DynamicKubeletConfig` feature. Dynamic Kubelet Configuration was removed from kubelet in v1.24, [and will be removed from the API server in this release](https://github.com/kubernetes/kubernetes/pull/112643). + ### Deprecations of `kube-apiserver` flag The `master-service-namespace` flag was [already deprecated](https://github.com/kubernetes/kubernetes/pull/112797) and doesn't have any effect, so we do not expect any impact from this deprecation. It will nonetheless be explicitly marked as deprecated in v1.26, preparing the removal in a future release. From fe715de7b8a44f7542fe7416ec37c68906a682fa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Frederico=20Mu=C3=B1oz?= Date: Wed, 16 Nov 2022 21:23:40 +0000 Subject: [PATCH 068/139] Update content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md Co-authored-by: Sergey Kanzhelev --- .../2022-10-18-kubernetes-1.26-deprecations-and-removals.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md b/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md index 5b5b26953fdf7..76b7a4f316bcd 100644 --- a/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md +++ b/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md 
@@ -23,7 +23,7 @@ Whether an API is removed as a result of a feature graduating from beta to stabl Following the adoption of the [Container Runtime Interface](https://kubernetes.io/docs/concepts/architecture/cri/) (CRI) and the [removal of dockershim] in v1.24 , the CRI API is the way through which Kubernetes interacts with the different container runtimes, with the kubelet communicating with them through a specific CRI API version. Currently, that version is `v1`, but the kubelet can also negotiate the use of CRI `v1alpha2`, even though it's considered deprecated. -This version will [remove CRI `v1alpha2` support](https://github.com/kubernetes/kubernetes/pull/110618) entirely, which will result in the kubelet not registering the node if the container runtime doesn't support `v1`. This means that [containerd 1.5](https://github.com/containerd/containerd/blob/main/RELEASES.md), which only supports `v1alpha2`, will not be supported in Kubernetes 1.26, and as such upgrading to containerd 1.6 must be done before upgrading to Kubernetes v1.26. Other container runtimes that only support the `v1alpha2` are equally affected: users should contact their container runtime vendor for additional instructions in how to move forward. +This version will [remove CRI `v1alpha2` support](https://github.com/kubernetes/kubernetes/pull/110618) entirely, which will result in the kubelet not registering the node if the container runtime doesn't support `v1`. This means that [containerd 1.5](https://github.com/containerd/containerd/blob/main/RELEASES.md), which only supports `v1alpha2`, will not be supported in Kubernetes 1.26, and as such upgrading to containerd version 1.6 or higher must be done before upgrading to Kubernetes v1.26. Other container runtimes that only support the `v1alpha2` are equally affected: users should contact their container runtime vendor for additional instructions in how to move forward. 
Note, that there are tools like [stargz-snapshotter](https://github.com/containerd/stargz-snapshotter) that act as a proxy between kubelet and container runtime and those also might be affected. ## Deprecations and removals in Kubernetes v1.26 From b4d1a4bf514e3c3b90589e16e7c0c8a1224d0fec Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Frederico=20Mu=C3=B1oz?= Date: Wed, 16 Nov 2022 22:20:02 +0000 Subject: [PATCH 069/139] Remove duplicate kube-proxy entry --- .../2022-10-18-kubernetes-1.26-deprecations-and-removals.md | 4 ---- 1 file changed, 4 deletions(-) diff --git a/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md b/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md index 76b7a4f316bcd..22f16dc49fee6 100644 --- a/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md +++ b/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md @@ -29,10 +29,6 @@ This version will [remove CRI `v1alpha2` support](https://github.com/kubernetes/ In addition to the above, Kubernetes v1.26 is targeted to include several additional removals and deprecations. -### Removal of kube-proxy userspace modes - -After two releases of deprecation, [kube-proxy userspace mode will be removed](https://github.com/kubernetes/kubernetes/pull/112133) in this version; users that have not yet done so are strongly advised to adopt supported approaches, namely the use of `iptables` or `ipvs`on Linux, or `kernelspace` on Windows. - ### Removal of the `v1beta1` flow control resources API The `flowcontrol.apiserver.k8s.io/v1beta1` API version of FlowSchema and PriorityLevelConfiguration [will no longer be served in v1.26](https://kubernetes.io/docs/reference/using-api/deprecation-guide/#flowcontrol-resources-v126). Users should migrate manifests and API clients to use the `flowcontrol.apiserver.k8s.io/v1beta2` API version, available since v1.23. 
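Review bot: The `@@ -29,10 +29,6 @@` hunk deletes the copy of the kube-proxy section that names the supported replacements (`iptables` or `ipvs` on Linux, `kernelspace` on Windows) and links pull/112133; the body of the section being kept is not visible in this patch, so check that it still carries both. If it does not, move that sentence over rather than dropping it with the duplicate.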
From e9f25684cb413a3b03fc6bc24159edad886000a7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Frederico=20Mu=C3=B1oz?= Date: Wed, 16 Nov 2022 22:25:57 +0000 Subject: [PATCH 070/139] Corrected heading links --- ...2022-10-18-kubernetes-1.26-deprecations-and-removals.md | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md b/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md index 22f16dc49fee6..98dd7ce803e62 100644 --- a/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md +++ b/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md 
@@ -19,13 +19,13 @@ The Kubernetes project has a [well-documented deprecation policy](https://kubern Whether an API is removed as a result of a feature graduating from beta to stable or because that API simply did not succeed, all removals comply with this deprecation policy. Whenever an API is removed, migration options are communicated in the documentation. -## A note about the removal of the CRI `v1alpha2` API and containerd 1.5 support +## A note about the removal of the CRI `v1alpha2` API and containerd 1.5 support {#cri-api-removal} Following the adoption of the [Container Runtime Interface](https://kubernetes.io/docs/concepts/architecture/cri/) (CRI) and the [removal of dockershim] in v1.24 , the CRI API is the way through which Kubernetes interacts with the different container runtimes, with the kubelet communicating with them through a specific CRI API version. Currently, that version is `v1`, but the kubelet can also negotiate the use of CRI `v1alpha2`, even though it's considered deprecated. This version will [remove CRI `v1alpha2` support](https://github.com/kubernetes/kubernetes/pull/110618) entirely, which will result in the kubelet not registering the node if the container runtime doesn't support `v1`. This means that [containerd 1.5](https://github.com/containerd/containerd/blob/main/RELEASES.md), which only supports `v1alpha2`, will not be supported in Kubernetes 1.26, and as such upgrading to containerd version 1.6 or higher must be done before upgrading to Kubernetes v1.26. Other container runtimes that only support the `v1alpha2` are equally affected: users should contact their container runtime vendor for additional instructions in how to move forward. Note, that there are tools like [stargz-snapshotter](https://github.com/containerd/stargz-snapshotter) that act as a proxy between kubelet and container runtime and those also might be affected. 
-## Deprecations and removals in Kubernetes v1.26 +## Deprecations and removals in Kubernetes v1.26 {#deprecations-removals} In addition to the above, Kubernetes v1.26 is targeted to include several additional removals and deprecations. @@ -53,7 +53,7 @@ The in-tree cloud provider for OpenStack (and the Cinder volume provider) [will A part of the implementation effort of the [Inclusive Naming Initiative](https://www.cncf.io/announcements/2021/10/13/inclusive-naming-initiative-announces-new-community-resources-for-a-more-inclusive-future/), the `--prune-whitelist` flag [will be deprecated](https://github.com/kubernetes/kubernetes/pull/113116), and replaced with `--prune-allowlist`. Users that use this flag are strongly advised to make the necessary changes prior to the final removal of the flag, in a future release. -## A note about Dynamic Kubelet configuration {#dynamic-kubelet-removal} +### Removal of Dynamic Kubelet configuration Dynamic Kubelet Configuration allowed [new Kubelet configurations to be rolled out in a live cluster](https://github.com/kubernetes/enhancements/tree/2cd758cc6ab617a93f578b40e97728261ab886ed/keps/sig-node/281-dynamic-kubelet-configuration), by enabling specifying the source of the node's configuration for the `DynamicKubeletConfig` feature. Dynamic Kubelet Configuration was removed from kubelet in v1.24, [and will be removed from the API server in this release](https://github.com/kubernetes/kubernetes/pull/112643). 
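Review bot: In the `@@ -53,7 +53,7 @@` hunk, replacing `## A note about Dynamic Kubelet configuration {#dynamic-kubelet-removal}` with `### Removal of Dynamic Kubelet configuration` drops the explicit heading ID, so any existing link to `#dynamic-kubelet-removal` stops resolving. Since this commit is about correcting heading links, keep the ID on the demoted heading: `### Removal of Dynamic Kubelet configuration {#dynamic-kubelet-removal}`.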
@@ -80,7 +80,6 @@ These flags are already ignored so no impact is expected: the explicit deprecati This change completes the [deprecations of `klogs` flags](https://github.com/kubernetes/kubernetes/pull/112120) which are no longer supported, and have been removed from Kubernetes components. - ## Additional changes for Kubernetes v1.26 {#additional-changes} On top of the described removals, this release will also include some additional changes to take into consideration: while not deprecations or removals, they introduce new features (or a new default behavior) through the graduating in this release; some of those changes are highlighted here. From 0b6e57967c16e3284c0d28775a69e919086d3eb1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Frederico=20Mu=C3=B1oz?= Date: Thu, 17 Nov 2022 10:07:32 +0000 Subject: [PATCH 071/139] Update content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md Co-authored-by: Tim Bannister --- .../2022-10-18-kubernetes-1.26-deprecations-and-removals.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md b/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md index 98dd7ce803e62..4f014d8815234 100644 --- a/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md +++ b/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md 
@@ -21,7 +21,9 @@ Whether an API is removed as a result of a feature graduating from beta to stabl ## A note about the removal of the CRI `v1alpha2` API and containerd 1.5 support {#cri-api-removal} -Following the adoption of the [Container Runtime Interface](https://kubernetes.io/docs/concepts/architecture/cri/) (CRI) and the [removal of dockershim] in v1.24 , the CRI API is the way through which Kubernetes interacts with the different container runtimes, with the kubelet communicating with them through a specific CRI API version. Currently, that version is `v1`, but the kubelet can also negotiate the use of CRI `v1alpha2`, even though it's considered deprecated. +Following the adoption of the [Container Runtime Interface](https://kubernetes.io/docs/concepts/architecture/cri/) (CRI) and the [removal of dockershim] in v1.24 , the CRI is the supported and documented way through which Kubernetes interacts withdifferent container runtimes. Each kubelet negotiates which version of CRI to use with the container runtime on that node. + +The Kubernetes project recommends using CRI version `v1`; in Kubernetes v1.25 the kubelet can also negotiate the use of CRI `v1alpha2` (which was deprecated along at the same time as adding support for the stable `v1` interface). This version will [remove CRI `v1alpha2` support](https://github.com/kubernetes/kubernetes/pull/110618) entirely, which will result in the kubelet not registering the node if the container runtime doesn't support `v1`. This means that [containerd 1.5](https://github.com/containerd/containerd/blob/main/RELEASES.md), which only supports `v1alpha2`, will not be supported in Kubernetes 1.26, and as such upgrading to containerd version 1.6 or higher must be done before upgrading to Kubernetes v1.26. Other container runtimes that only support the `v1alpha2` are equally affected: users should contact their container runtime vendor for additional instructions in how to move forward. 
Note, that there are tools like [stargz-snapshotter](https://github.com/containerd/stargz-snapshotter) that act as a proxy between kubelet and container runtime and those also might be affected. From a113c7408db30ee941f440bf0d9dc19ca7fb2ca8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Frederico=20Mu=C3=B1oz?= Date: Thu, 17 Nov 2022 10:07:56 +0000 Subject: [PATCH 072/139] Update content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md Co-authored-by: Tim Bannister --- .../2022-10-18-kubernetes-1.26-deprecations-and-removals.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md b/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md index 4f014d8815234..1426f8e5d6f3d 100644 --- a/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md +++ b/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md 
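Review bot: The added lines in the `@@ -21,7 +21,9 @@` hunk have two wording slips: "interacts withdifferent container runtimes" is missing a space, and "which was deprecated along at the same time as adding support for the stable `v1` interface" has a leftover "along"; suggest "deprecated at the same time as support for the stable `v1` interface was added". The rewritten sentence also keeps `[removal of dockershim]` without a link target and the space before the comma in "v1.24 ,".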
@@ -25,7 +25,11 @@ Following the adoption of the [Container Runtime Interface](https://kubernetes.i The Kubernetes project recommends using CRI version `v1`; in Kubernetes v1.25 the kubelet can also negotiate the use of CRI `v1alpha2` (which was deprecated along at the same time as adding support for the stable `v1` interface). -This version will [remove CRI `v1alpha2` support](https://github.com/kubernetes/kubernetes/pull/110618) entirely, which will result in the kubelet not registering the node if the container runtime doesn't support `v1`. This means that [containerd 1.5](https://github.com/containerd/containerd/blob/main/RELEASES.md), which only supports `v1alpha2`, will not be supported in Kubernetes 1.26, and as such upgrading to containerd version 1.6 or higher must be done before upgrading to Kubernetes v1.26. Other container runtimes that only support the `v1alpha2` are equally affected: users should contact their container runtime vendor for additional instructions in how to move forward. Note, that there are tools like [stargz-snapshotter](https://github.com/containerd/stargz-snapshotter) that act as a proxy between kubelet and container runtime and those also might be affected. +Kubernetes v1.26 will not support CRI `v1alpha2`. That [removal](https://github.com/kubernetes/kubernetes/pull/110618) will result in the kubelet not registering the node if the container runtime doesn't support CRI `v1`. This means that containerd minor version 1.5 and older will not be supported in Kubernetes 1.26; if you use containerd, you will need to upgrade to containerd version 1.6.0 or later **before** you upgrade that node to Kubernetes v1.26. Other container runtimes that only support the `v1alpha2` are equally affected: if that affects you, you should contact the container runtime vendor for advice or check their website for additional instructions in how to move forward. 
+ +If you want to benefit from v1.26 features and still use an older container runtime, you can run an older kubelet. The [supported skew](/releases/version-skew-policy/#kubelet) for the kubelet allows you to run a v1.25 kubelet, which still is still compatible with `v1alpha2` CRI support, even if you upgrade the control plane to the 1.26 minor release of Kubernetes. + +As well as container runtimes themselves, that there are tools like [stargz-snapshotter](https://github.com/containerd/stargz-snapshotter) that act as a proxy between kubelet and container runtime and those also might be affected. ## Deprecations and removals in Kubernetes v1.26 {#deprecations-removals} From 5a4dd46bc458f849b3cb45ed273808f350bcb1de Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Frederico=20Mu=C3=B1oz?= Date: Thu, 17 Nov 2022 10:08:22 +0000 Subject: [PATCH 073/139] Update content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md Co-authored-by: Tim Bannister --- ...0-18-kubernetes-1.26-deprecations-and-removals.md | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md b/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md index 1426f8e5d6f3d..d73fcc6983ac6 100644 --- a/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md +++ b/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md 
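Review bot: Three of the added sentences in the `@@ -25,7 +25,11 @@` hunk need a wording fix before merge: "which still is still compatible with `v1alpha2` CRI support" repeats "still", "As well as container runtimes themselves, that there are tools like" has a stray "that", and "instructions in how to move forward" should read "on how".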
@@ -45,7 +45,17 @@ The `autoscaling/v2beta2` API version of HorizontalPodAutoscaler [will no longer ### Removal of in-tree credential management code -In this release, vendor-specific authentication code (i.e. used for authentication against GKE or AKS) [will be removed](https://github.com/kubernetes/kubernetes/pull/112341) from both `client-go` and `kubectl`, being replaced by a plugin architecture. Additional guidance on how to proceed is available for [Azure](https://github.com/Azure/kubelogin) and [Google Cloud](https://cloud.google.com/blog/products/containers-kubernetes/kubectl-auth-changes-in-gke). +In this upcoming release, legacy vendor-specific authentication code that is part of Kubernetes +will be [removed](https://github.com/kubernetes/kubernetes/pull/112341) from both +`client-go` and `kubectl`. +The existing mechanism supports authentication for two specific cloud providers: +Azure and Google Cloud. +In its place, Kubernetes already offers a vendor-neutral +[authentication plugin mechanism](/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins) - +you can switch over right now, before the v1.26 release happens. +If you're affected, you can find additional guidance on how to proceed for +[Azure](https://github.com/Azure/kubelogin#readme) and for +[Google Cloud](https://cloud.google.com/blog/products/containers-kubernetes/kubectl-auth-changes-in-gke). ### Removal of `kube-proxy` userspace modes From bee2bfc268f728bbd2cb611e30b728f0df6d1133 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Frederico=20Mu=C3=B1oz?= Date: Thu, 17 Nov 2022 10:08:33 +0000 Subject: [PATCH 074/139] Update content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md Co-authored-by: Tim Bannister --- .../2022-10-18-kubernetes-1.26-deprecations-and-removals.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
diff --git a/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md b/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md index d73fcc6983ac6..82fab9013534e 100644 --- a/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md +++ b/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md @@ -67,7 +67,9 @@ The in-tree cloud provider for OpenStack (and the Cinder volume provider) [will ### Deprecation of non-inclusive `kubectl` flag -A part of the implementation effort of the [Inclusive Naming Initiative](https://www.cncf.io/announcements/2021/10/13/inclusive-naming-initiative-announces-new-community-resources-for-a-more-inclusive-future/), the `--prune-whitelist` flag [will be deprecated](https://github.com/kubernetes/kubernetes/pull/113116), and replaced with `--prune-allowlist`. Users that use this flag are strongly advised to make the necessary changes prior to the final removal of the flag, in a future release. +As part of the implementation effort of the [Inclusive Naming Initiative](https://www.cncf.io/announcements/2021/10/13/inclusive-naming-initiative-announces-new-community-resources-for-a-more-inclusive-future/), +the `--prune-whitelist` flag will be [deprecated](https://github.com/kubernetes/kubernetes/pull/113116), and replaced with `--prune-allowlist`. +Users that use this flag are strongly advised to make the necessary changes prior to the final removal of the flag, in a future release. ### Removal of Dynamic Kubelet configuration From 235a8379ff7bad94294a0dcb33b24e2e2f8019f6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Frederico=20Mu=C3=B1oz?= Date: Thu, 17 Nov 2022 10:08:59 +0000 Subject: [PATCH 075/139] Update content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md Co-authored-by: Tim Bannister --- .../2022-10-18-kubernetes-1.26-deprecations-and-removals.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) 
diff --git a/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md b/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md index 82fab9013534e..e47f5e63b273b 100644 --- a/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md +++ b/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md @@ -63,7 +63,11 @@ The `userspace` proxy mode, deprecated for over a year, is [no longer supported ### Removal of in-tree OpenStack cloud provider -The in-tree cloud provider for OpenStack (and the Cinder volume provider) [will be removed](https://github.com/kubernetes/kubernetes/pull/67782). Users are advised to use the external cloud provider and CSI driver from https://github.com/kubernetes/cloud-provider-openstack instead. +Kubernetes is switching from in-tree code for storage integrations, in favor of the Container Storage Interface (CSI). +As part of this, Kubernetes v1.26 will remove the the deprecated in-tree storage integration for OpenStack +(the `cinder` volume type). You should migrate to external cloud provider and CSI driver from +https://github.com/kubernetes/cloud-provider-openstack instead. +For more information, visit [Cinder in-tree to CSI driver migration](https://github.com/kubernetes/enhancements/issues/1489). ### Deprecation of non-inclusive `kubectl` flag From 9ae8be338cbe2c90f6a6dd3b68f5f2db4435f8cb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Frederico=20Mu=C3=B1oz?= Date: Thu, 17 Nov 2022 10:13:03 +0000 Subject: [PATCH 076/139] Update content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md Co-authored-by: Tim Bannister --- .../2022-10-18-kubernetes-1.26-deprecations-and-removals.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
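Review bot: In the `@@ -63,7 +63,11 @@` hunk the section is still headed `### Removal of in-tree OpenStack cloud provider`, but the rewritten body only announces removal of the in-tree storage integration (the `cinder` volume type); it no longer says the in-tree cloud provider itself is removed and no longer links pull/67782 as the deleted line did. Either restore that statement and link, or retitle the section to match the narrower body. The added text also has "remove the the deprecated" (doubled "the") and "migrate to external cloud provider" (missing "the").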
diff --git a/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md b/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md index e47f5e63b273b..9b630a93efc79 100644 --- a/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md +++ b/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md @@ -120,7 +120,7 @@ Currently, the API validation in Kubernetes that currently rejects Service defin ## Looking ahead {#looking-ahead} -The official list of API removals planned for [Kubernetes 1.27](https://kubernetes.io/docs/reference/using-api/deprecation-guide/#v1-27) currently includes: +The official list of [API removals](https://kubernetes.io/docs/reference/using-api/deprecation-guide/#v1-27)) planned for Kubernetes 1.27 includes: * The beta CSIStorageCapacity (`storage.k8s.io/v1beta1`) From 4b95d4fa2e9e828b33d7ba075f04fe7698521691 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Frederico=20Mu=C3=B1oz?= Date: Thu, 17 Nov 2022 10:13:26 +0000 Subject: [PATCH 077/139] Update content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md Co-authored-by: Tim Bannister --- .../2022-10-18-kubernetes-1.26-deprecations-and-removals.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md b/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md index 9b630a93efc79..9226804c196d6 100644 --- a/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md +++ b/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md 
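Review bot: The added line in the `@@ -120,7 +120,7 @@` hunk closes the link with two parentheses, `.../deprecation-guide/#v1-27))`, which leaves a stray ")" in the rendered sentence before "planned for Kubernetes 1.27"; drop one.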
@@ -75,7 +75,7 @@ As part of the implementation effort of the [Inclusive Naming Initiative](https: the `--prune-whitelist` flag will be [deprecated](https://github.com/kubernetes/kubernetes/pull/113116), and replaced with `--prune-allowlist`. Users that use this flag are strongly advised to make the necessary changes prior to the final removal of the flag, in a future release. -### Removal of Dynamic Kubelet configuration +### Removal of dynamic kubelet configuration Dynamic Kubelet Configuration allowed [new Kubelet configurations to be rolled out in a live cluster](https://github.com/kubernetes/enhancements/tree/2cd758cc6ab617a93f578b40e97728261ab886ed/keps/sig-node/281-dynamic-kubelet-configuration), by enabling specifying the source of the node's configuration for the `DynamicKubeletConfig` feature. Dynamic Kubelet Configuration was removed from kubelet in v1.24, [and will be removed from the API server in this release](https://github.com/kubernetes/kubernetes/pull/112643). From 9b5738c907a84e4b11f28a29de9d24755051119a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Frederico=20Mu=C3=B1oz?= Date: Thu, 17 Nov 2022 10:14:16 +0000 Subject: [PATCH 078/139] Update content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md Co-authored-by: Tim Bannister --- .../2022-10-18-kubernetes-1.26-deprecations-and-removals.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md b/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md index 9226804c196d6..29ebaa6b4ec31 100644 --- a/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md +++ b/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md 
@@ -77,7 +77,11 @@ Users that use this flag are strongly advised to make the necessary changes prio ### Removal of dynamic kubelet configuration -Dynamic Kubelet Configuration allowed [new Kubelet configurations to be rolled out in a live cluster](https://github.com/kubernetes/enhancements/tree/2cd758cc6ab617a93f578b40e97728261ab886ed/keps/sig-node/281-dynamic-kubelet-configuration), by enabling specifying the source of the node's configuration for the `DynamicKubeletConfig` feature. Dynamic Kubelet Configuration was removed from kubelet in v1.24, [and will be removed from the API server in this release](https://github.com/kubernetes/kubernetes/pull/112643). +_Dynamic kubelet configuration_ allowed [new kubelet configurations to be rolled out via the Kubernetes API](https://github.com/kubernetes/enhancements/tree/2cd758cc6ab617a93f578b40e97728261ab886ed/keps/sig-node/281-dynamic-kubelet-configuration), even in a live cluster. +A cluster operator could reconfigure the kubelet on a Node by specifying a ConfigMap +that contained the configuration data that the kubelet should use. +Dynamic kubelet configuration was removed from the kubelet in v1.24, and will be +[removed from the API server](https://github.com/kubernetes/kubernetes/pull/112643) in the v1.26 release. ### Deprecations of `kube-apiserver` flag From 3e194324ded14fe42940ba1ebf6170c8cf12f70d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Frederico=20Mu=C3=B1oz?= Date: Thu, 17 Nov 2022 10:16:11 +0000 Subject: [PATCH 079/139] Update content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md Co-authored-by: Tim Bannister --- .../2022-10-18-kubernetes-1.26-deprecations-and-removals.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md b/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md index 29ebaa6b4ec31..514fd2c53d48c 100644 
--- a/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md +++ b/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md @@ -85,7 +85,11 @@ Dynamic kubelet configuration was removed from the kubelet in v1.24, and will be ### Deprecations of `kube-apiserver` flag -The `master-service-namespace` flag was [already deprecated](https://github.com/kubernetes/kubernetes/pull/112797) and doesn't have any effect, so we do not expect any impact from this deprecation. It will nonetheless be explicitly marked as deprecated in v1.26, preparing the removal in a future release. +The `--master-service-namespace` command line argument to the kube-apiserver doesn't have +any effect, and was already informally [deprecated](https://github.com/kubernetes/kubernetes/pull/38186). +That command line argument wil be formally marked as deprecated in v1.26, preparing for its +removal in a future release. +The Kubernetes project does not expect any impact from this deprecation and removal. ### Deprecation of several unused `kubectl run` flags From 57a40b19194d2251b57e31832d6bfc6e67ab0c77 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Frederico=20Mu=C3=B1oz?= Date: Thu, 17 Nov 2022 10:17:23 +0000 Subject: [PATCH 080/139] Update content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md Co-authored-by: Tim Bannister --- .../2022-10-18-kubernetes-1.26-deprecations-and-removals.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md b/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md index 514fd2c53d48c..4cbf4875afa26 100644 --- a/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md +++ b/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md 
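Review bot: "wil be formally marked as deprecated" in the added lines of the `@@ -85,7 +85,11 @@` hunk is a typo for "will". The same edit also changes the deprecation link from pull/112797 to pull/38186 while the wording moves from "already deprecated" to "already informally deprecated"; confirm 38186 is the intended reference, since the commit message does not mention the change.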
@@ -83,7 +83,7 @@ that contained the configuration data that the kubelet should use. Dynamic kubelet configuration was removed from the kubelet in v1.24, and will be [removed from the API server](https://github.com/kubernetes/kubernetes/pull/112643) in the v1.26 release. -### Deprecations of `kube-apiserver` flag +### Deprecations for `kube-apiserver` command line arguments The `--master-service-namespace` command line argument to the kube-apiserver doesn't have any effect, and was already informally [deprecated](https://github.com/kubernetes/kubernetes/pull/38186). From 5ebea7d57f7c05eda359d5886b311eab12a7ff02 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Frederico=20Mu=C3=B1oz?= Date: Thu, 17 Nov 2022 10:17:42 +0000 Subject: [PATCH 081/139] Update content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md Co-authored-by: Tim Bannister --- .../2022-10-18-kubernetes-1.26-deprecations-and-removals.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md b/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md index 4cbf4875afa26..62622a5fcad76 100644 --- a/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md +++ b/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md @@ -91,7 +91,7 @@ That command line argument wil be formally marked as deprecated in v1.26, prepar removal in a future release. The Kubernetes project does not expect any impact from this deprecation and removal. -### Deprecation of several unused `kubectl run` flags +### Deprecations for `kubectl run` command line arguments Several unused flags will be [marked as deprecated](https://github.com/kubernetes/kubernetes/pull/112261), including: From 73b7c904ebe5e6ab4925d0f68935356fcb88e3be Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Frederico=20Mu=C3=B1oz?= Date: Thu, 17 Nov 2022 10:19:44 +0000 Subject: [PATCH 082/139] Update content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md Co-authored-by: Tim Bannister --- .../2022-10-18-kubernetes-1.26-deprecations-and-removals.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md b/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md index 62622a5fcad76..d56c96a3c94dd 100644 --- a/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md +++ b/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md @@ -93,7 +93,7 @@ The Kubernetes project does not expect any impact from this deprecation and remo ### Deprecations for `kubectl run` command line arguments -Several unused flags will be [marked as deprecated](https://github.com/kubernetes/kubernetes/pull/112261), including: +Several unused option arguments for the `kubectl run` subcommand will be [marked as deprecated](https://github.com/kubernetes/kubernetes/pull/112261), including: * `--cascade` * `--filename` From bb9092fbe24e0657ef1866fb0356e54b92b97522 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Frederico=20Mu=C3=B1oz?= Date: Thu, 17 Nov 2022 10:20:27 +0000 Subject: [PATCH 083/139] Update content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md Co-authored-by: Tim Bannister --- .../2022-10-18-kubernetes-1.26-deprecations-and-removals.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md b/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md index d56c96a3c94dd..d176bd3a9a48e 100644 --- a/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md +++ b/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md 
@@ -104,7 +104,7 @@ Several unused option arguments for the `kubectl run` subcommand will be [marked * `--timeout` * `--wait` -These flags are already ignored so no impact is expected: the explicit deprecation sets a warning message and prepares the removal of the flags in a future release. +These arguments are already ignored so no impact is expected: the explicit deprecation sets a warning message and prepares the removal of the argumentsin a future release. ### Removal of deprecated klog flags From 2914e03aeb0459d8a31e0e47bb9fb816460a9080 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Frederico=20Mu=C3=B1oz?= Date: Thu, 17 Nov 2022 10:20:45 +0000 Subject: [PATCH 084/139] Update content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md Co-authored-by: Tim Bannister --- .../2022-10-18-kubernetes-1.26-deprecations-and-removals.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md b/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md index d176bd3a9a48e..07f1327253451 100644 --- a/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md +++ b/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md @@ -106,7 +106,7 @@ Several unused option arguments for the `kubectl run` subcommand will be [marked These arguments are already ignored so no impact is expected: the explicit deprecation sets a warning message and prepares the removal of the argumentsin a future release. -### Removal of deprecated klog flags +### Removal of legacy command line arguments relating to logging This change completes the [deprecations of `klogs` flags](https://github.com/kubernetes/kubernetes/pull/112120) which are no longer supported, and have been removed from Kubernetes components. From f9e77cfab08dfff3ff76814cdf6f97ae634116e9 Mon Sep 17 00:00:00 2001 
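Review bot: the line added in the `@@ -104,7 +104,7 @@` hunk ends "prepares the removal of the argumentsin a future release", with the space between "arguments" and "in" missing, and the following `@@ -106,7 +106,7 @@` hunk carries the same text as context. Change it to "arguments in"; a comma after "already ignored" would also help the sentence read.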
From: =?UTF-8?q?Frederico=20Mu=C3=B1oz?= Date: Thu, 17 Nov 2022 10:21:22 +0000 Subject: [PATCH 085/139] Update content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md Co-authored-by: Tim Bannister --- .../2022-10-18-kubernetes-1.26-deprecations-and-removals.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md b/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md index 07f1327253451..963417de8abb8 100644 --- a/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md +++ b/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md @@ -108,7 +108,10 @@ These arguments are already ignored so no impact is expected: the explicit depre ### Removal of legacy command line arguments relating to logging -This change completes the [deprecations of `klogs` flags](https://github.com/kubernetes/kubernetes/pull/112120) which are no longer supported, and have been removed from Kubernetes components. +Kubernetes v1.26 will [remove](https://github.com/kubernetes/kubernetes/pull/112120) some +command line arguments relating to logging. These command line arguments were +already deprecated. +For more information, see [Deprecate klog specific flags in Kubernetes Components] (https://github.com/kubernetes/enhancements/tree/3cb66bd0a1ef973ebcc974f935f0ac5cba9db4b2/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components). ## Additional changes for Kubernetes v1.26 {#additional-changes} From 3e4cdcf8a96984d9b9f6db9ad1b2fd35a57be0c4 Mon Sep 17 00:00:00 2001 
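Review bot: in the `@@ -108,7 +108,10 @@` hunk the added "For more information" line has a space between the link text and its target, "Components] (https://github.com/kubernetes/enhancements/tree/", so Markdown will not render it as a link. Remove the space so that `]` is followed directly by `(`. The replaced sentence named the klog flags, while the new wording says only "some command line arguments relating to logging", so readers depend on this link to find out which arguments are removed.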
From: =?UTF-8?q?Frederico=20Mu=C3=B1oz?= Date: Thu, 17 Nov 2022 10:23:26 +0000 Subject: [PATCH 086/139] Update content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md Co-authored-by: Tim Bannister --- .../2022-10-18-kubernetes-1.26-deprecations-and-removals.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md b/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md index 963417de8abb8..1b29947dd5f6c 100644 --- a/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md +++ b/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md @@ -133,7 +133,7 @@ Currently, the API validation in Kubernetes that currently rejects Service defin The official list of [API removals](https://kubernetes.io/docs/reference/using-api/deprecation-guide/#v1-27)) planned for Kubernetes 1.27 includes: -* The beta CSIStorageCapacity (`storage.k8s.io/v1beta1`) +* All beta versions of the CSIStorageCapacity API; specifically: `storage.k8s.io/v1beta1` ### Want to know more? From ccfe18af3c6d0ab8384a164c9ef15194fd03c2f0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Frederico=20Mu=C3=B1oz?= Date: Thu, 17 Nov 2022 10:24:11 +0000 Subject: [PATCH 087/139] Update content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md Co-authored-by: Tim Bannister --- .../2022-10-18-kubernetes-1.26-deprecations-and-removals.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md b/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md index 1b29947dd5f6c..2911fd7ff927b 100644 --- a/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md +++ b/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md 
@@ -143,5 +143,6 @@ Deprecations are announced in the Kubernetes release notes. You can see the anno * [Kubernetes 1.23](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.23.md#deprecation) * [Kubernetes 1.24](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#deprecation) * [Kubernetes 1.25](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#deprecation) -* We will formally announce the deprecations that come with [Kubernetes 1.26](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#deprecation) as part of the CHANGELOG for that release. + +We will formally announce the deprecations that come with [Kubernetes 1.26](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#deprecation) as part of the CHANGELOG for that release. From ad48ba1a01ee254cfebf833ee0da195755d26877 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Frederico=20Mu=C3=B1oz?= Date: Thu, 17 Nov 2022 10:24:49 +0000 Subject: [PATCH 088/139] Update content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md Co-authored-by: Tim Bannister --- .../2022-10-18-kubernetes-1.26-deprecations-and-removals.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md b/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md index 2911fd7ff927b..609dc4176120d 100644 --- a/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md +++ b/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md 
@@ -35,7 +35,7 @@ As well as container runtimes themselves, that there are tools like [stargz-snap In addition to the above, Kubernetes v1.26 is targeted to include several additional removals and deprecations. -### Removal of the `v1beta1` flow control resources API +### Removal of the `v1beta1` flow control API group The `flowcontrol.apiserver.k8s.io/v1beta1` API version of FlowSchema and PriorityLevelConfiguration [will no longer be served in v1.26](https://kubernetes.io/docs/reference/using-api/deprecation-guide/#flowcontrol-resources-v126). Users should migrate manifests and API clients to use the `flowcontrol.apiserver.k8s.io/v1beta2` API version, available since v1.23. From 9d573bea6494ff677b9524ad1a4731fb36bae6cb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Frederico=20Mu=C3=B1oz?= Date: Thu, 17 Nov 2022 10:26:56 +0000 Subject: [PATCH 089/139] Update content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md Co-authored-by: Tim Bannister --- .../2022-10-18-kubernetes-1.26-deprecations-and-removals.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md b/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md index 609dc4176120d..7074461d62b12 100644 --- a/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md +++ b/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md 
@@ -5,7 +5,7 @@ date: 2022-11-18 slug: upcoming-changes-in-kubernetes-1-26 --- -**Authors**: Frederico Muñoz +**Author**: Frederico Muñoz (SAS) Change is an integral part of the Kubernetes life-cycle: as Kubernetes grows and matures, features may be deprecated, removed, or replaced with improvements for the health of the project. For Kubernetes v1.26 there are several planned: this article identifies and describes some of them, based on the information available at this mid-cycle point in the v1.26 release process, which is still ongoing and can introduce additional changes. From 2859b7327c7954330f930667a05837dfe7d00e88 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Frederico=20Mu=C3=B1oz?= Date: Thu, 17 Nov 2022 15:03:47 +0000 Subject: [PATCH 090/139] Remove new features --- ...-kubernetes-1.26-deprecations-and-removals.md | 16 ---------------- 1 file changed, 16 deletions(-) diff --git a/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md b/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md index 7074461d62b12..1d8a85c2f3c25 100644 --- a/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md +++ b/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md 
@@ -113,22 +113,6 @@ command line arguments relating to logging. These command line arguments were already deprecated. For more information, see [Deprecate klog specific flags in Kubernetes Components] (https://github.com/kubernetes/enhancements/tree/3cb66bd0a1ef973ebcc974f935f0ac5cba9db4b2/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components). -## Additional changes for Kubernetes v1.26 {#additional-changes} - -On top of the described removals, this release will also include some additional changes to take into consideration: while not deprecations or removals, they introduce new features (or a new default behavior) through the graduating in this release; some of those changes are highlighted here. - -### Support for Windows privileged containers - -Privileged container support allows containers to run with similar access to the host as processes that run on the host directly. Support for this feature in Windows nodes [will now graduate to stable](https://github.com/kubernetes/enhancements/issues/1981). - -### CSI drivers migration - -Following the GA of the [core CSI Migration](https://github.com/kubernetes/enhancements/tree/master/keps/sig-storage/625-csi-migration) feature in the previous release, the effort continues and both the [vSphere](https://github.com/kubernetes/enhancements/issues/1491) and [Azure](https://github.com/kubernetes/enhancements/issues/1885) in-tree driver migration to CSI will be graduating to Stable. - -### Support of mixed protocols in Services - -Currently, the API validation in Kubernetes that currently rejects Service definitions with different protocols if their type is LoadBalancer. In this release [support will be added that relaxes this validation](https://github.com/kubernetes/enhancements/tree/master/keps/sig-network/1435-mixed-protocol-lb). 
This feature depends on a strong interaction with the different cloud providers and for anyone planning to use it, a closer reading of the implications and risks is advised. - ## Looking ahead {#looking-ahead} The official list of [API removals](https://kubernetes.io/docs/reference/using-api/deprecation-guide/#v1-27)) planned for Kubernetes 1.27 includes: From 36a1f8a8f9b55d36cd34834521252db2966bd3b1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Frederico=20Mu=C3=B1oz?= Date: Thu, 17 Nov 2022 16:34:49 +0000 Subject: [PATCH 091/139] Added GlusterFS removal (from Major Themes) --- .../2022-10-18-kubernetes-1.26-deprecations-and-removals.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md b/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md index 1d8a85c2f3c25..38c1f29423c64 100644 --- a/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md +++ b/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md @@ -69,6 +69,10 @@ As part of this, Kubernetes v1.26 will remove the the deprecated in-tree storage https://github.com/kubernetes/cloud-provider-openstack instead. For more information, visit [Cinder in-tree to CSI driver migration](https://github.com/kubernetes/enhancements/issues/1489). +### Removal of the GlusterFS in-tree driver + +The in-tree GlusterFS driver was [deprecated in v1.25](https://kubernetes.io/blog/2022/08/23/kubernetes-v1-25-release/#deprecations-and-removals), and will be removed from Kubernetes v1.26. + ### Deprecation of non-inclusive `kubectl` flag As part of the implementation effort of the [Inclusive Naming Initiative](https://www.cncf.io/announcements/2021/10/13/inclusive-naming-initiative-announces-new-community-resources-for-a-more-inclusive-future/), From ef1347ed1f16fb6ceb63a9f265c191a64b6aa1ba Mon Sep 17 00:00:00 2001 
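Review bot: the new "Removal of the GlusterFS in-tree driver" section in the `@@ -69,6 +69,10 @@` hunk says only that the driver was deprecated in v1.25 and will be removed, with no pointer to what users with GlusterFS volumes should do before upgrading, whereas the Cinder paragraph just above it links to "Cinder in-tree to CSI driver migration". Add a sentence or link covering the expected action for affected clusters. The hunk header context also shows "will remove the the deprecated in-tree storage", so the doubled "the" can be fixed while this section is open.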
From: Arhell Date: Sat, 19 Nov 2022 02:22:27 +0200 Subject: [PATCH 092/139] [pt] Fix feature state for ExpandCSIVolumes --- content/pt-br/docs/concepts/storage/persistent-volumes.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/pt-br/docs/concepts/storage/persistent-volumes.md b/content/pt-br/docs/concepts/storage/persistent-volumes.md index 01d092e673c4d..506612fde29dc 100644 --- a/content/pt-br/docs/concepts/storage/persistent-volumes.md +++ b/content/pt-br/docs/concepts/storage/persistent-volumes.md @@ -231,7 +231,7 @@ Para solicitar um volume maior para uma PVC, edite a PVC e especifique um tamanh #### Expansão de volume CSI -{{< feature-state for_k8s_version="v1.16" state="beta" >}} +{{< feature-state for_k8s_version="v1.24" state="stable" >}} O suporte à expansão de volumes CSI é habilitada por padrão, porém é necessário um driver CSI específico para suportar a expansão do volume. Verifique a documentação do driver CSI específico para mais informações. From 1fc6c2f0f29ff4a2411cb9ebd3171161456e41fe Mon Sep 17 00:00:00 2001 From: Tamilselvan Thangamony Date: Mon, 14 Nov 2022 17:38:45 +0530 Subject: [PATCH 093/139] added hyperlink for persistentVolumes in Namespaces page --- .../docs/concepts/overview/working-with-objects/namespaces.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/docs/concepts/overview/working-with-objects/namespaces.md b/content/en/docs/concepts/overview/working-with-objects/namespaces.md index 0694f5fd809e2..1eb96fe4a632f 100644 --- a/content/en/docs/concepts/overview/working-with-objects/namespaces.md +++ b/content/en/docs/concepts/overview/working-with-objects/namespaces.md 
@@ -133,7 +133,7 @@ Most Kubernetes resources (e.g. pods, services, replication controllers, and oth in some namespaces. However namespace resources are not themselves in a namespace. And low-level resources, such as [nodes](/docs/concepts/architecture/nodes/) and -persistentVolumes, are not in any namespace. +[persistentVolumes](/docs/concepts/storage/persistent-volumes/), are not in any namespace. To see which Kubernetes resources are and aren't in a namespace: From d9b78fde3543366029d7e72424acee2097cc552f Mon Sep 17 00:00:00 2001 From: Zhenguo Niu Date: Fri, 11 Nov 2022 03:33:22 +0000 Subject: [PATCH 094/139] [zh] localize blog 2020-09-03-warnings --- .../blog/_posts/2020-09-03-warnings/index.md | 555 ++++++++++++++++++ .../kubectl-warnings-as-errors.png | Bin 0 -> 226605 bytes .../2020-09-03-warnings/kubectl-warnings.png | Bin 0 -> 303626 bytes 3 files changed, 555 insertions(+) create mode 100644 content/zh-cn/blog/_posts/2020-09-03-warnings/index.md create mode 100644 content/zh-cn/blog/_posts/2020-09-03-warnings/kubectl-warnings-as-errors.png create mode 100644 content/zh-cn/blog/_posts/2020-09-03-warnings/kubectl-warnings.png diff --git a/content/zh-cn/blog/_posts/2020-09-03-warnings/index.md b/content/zh-cn/blog/_posts/2020-09-03-warnings/index.md new file mode 100644 index 0000000000000..ddbf764f61b5e --- /dev/null +++ b/content/zh-cn/blog/_posts/2020-09-03-warnings/index.md 
@@ -0,0 +1,555 @@ +--- +layout: blog +title: "警告: 有用的预警" +date: 2020-09-03 +slug: warnings +evergreen: true +--- + + + + +**作者**: [Jordan Liggitt](https://github.com/liggitt) (Google) + + +作为 Kubernetes 维护者,我们一直在寻找在保持兼容性的同时提高可用性的方法。 +在开发功能、分类 Bug、和回答支持问题的过程中,我们积累了有助于 Kubernetes 用户了解的信息。 +过去,共享这些信息仅限于发布说明、公告电子邮件、文档和博客文章等带外方法。 +除非有人知道需要寻找这些信息并成功找到它们,否则他们不会从中受益。 + + +在 Kubernetes v1.19 中,我们添加了一个功能,允许 Kubernetes API +服务器[向 API 客户端发送警告](https://github.com/kubernetes/enhancements/tree/master/keps/sig-api-machinery/1693-warnings)。 +警告信息使用[标准 `Warning` 响应头](https://tools.ietf.org/html/rfc7234#section-5.5)发送, +因此它不会以任何方式更改状态代码或响应体。 +这一设计使得服务能够发送任何 API 客户端都可以轻松读取的警告,同时保持与以前的客户端版本兼容。 + + +警告在 `kubectl` v1.19+ 的 `stderr` 输出中和 `k8s.io/client-go` v0.19.0+ 客户端库的日志中出现。 +`k8s.io/client-go` 行为可以[在进程或客户端层面重载](#customize-client-handling)。 + + +## 弃用警告 {#deprecation-warnings} + + +我们第一次使用此新功能是针对已弃用的 API 调用发送警告。 + + +Kubernetes 是一个[大型、快速发展的项目](https://www.cncf.io/cncf-kubernetes-project-journey/#development-velocity)。 +跟上每个版本的[变更](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.19.md#changelog-since-v1180)可能是令人生畏的, +即使对于全职从事该项目的人来说也是如此。一种重要的变更是 API 弃用。 +随着 Kubernetes 中的 API 升级到 GA 版本,预发布的 API 版本会被弃用并最终被删除。 + + +即使有[延长的弃用期](/zh-cn/docs/reference/using-api/deprecation-policy/), +并且[在发布说明中](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.19.md#deprecation)也包含了弃用信息, +他们仍然很难被追踪。在弃用期内,预发布 API 仍然有效, +允许多个版本过渡到稳定的 API 版本。 +然而,我们发现用户往往甚至没有意识到他们依赖于已弃用的 API 版本, +直到升级到不再提供相应服务的新版本。 + + +从 v1.19 开始,系统每当收到针对已弃用的 REST API 的请求时,都会返回警告以及 API 响应。 +此警告包括有关 API 将不再可用的版本以及替换 API 版本的详细信息。 + + +因为警告源自服务器端,并在客户端层级被拦截,所以它适用于所有 kubectl 命令, +包括像 `kubectl apply` 这样的高级命令,以及像 `kubectl get --raw` 这样的低级命令: + +kubectl 执行一个清单文件, 然后显示警告信息 'networking.k8s.io/v1beta1 Ingress is deprecated in v1.19+, unavailable in v1.22+; use networking.k8s.io/v1 Ingress'。 + + +这有助于受弃用影响的人们知道他们所请求的API已被弃用, +他们有多长时间来解决这个问题,以及他们应该使用什么 API。 +这在用户应用不是由他们创建的清单文件时特别有用, +所以他们有时间联系作者要一个更新的版本。 + 
+ +我们还意识到**使用**已弃用的 API 的人通常不是负责升级集群的人, +因此,我们添加了两个面向管理员的工具来帮助跟踪已弃用的 API 的使用情况并确定何时升级安全。 + + + +### 度量指标 {#metrics} + + +从 Kubernetes v1.19 开始,当向已弃用的 REST API 端点发出请求时, +在 kube-apiserver 进程中,`apiserver_requested_deprecated_apis` 度量指标会被设置为 `1`。 +该指标具有 API `group`、`version`、`resource` 和 `subresource` 的标签, +和一个 `removed_release` 标签,表明不再提供 API 的 Kubernetes 版本。 + + +下面是一个使用 `kubectl` 的查询示例,[prom2json](https://github.com/prometheus/prom2json) +和 [jq](https://stedolan.github.io/jq/) 用来确定当前 API +服务器实例上收到了哪些对已弃用的 API 请求: + +```sh +kubectl get --raw /metrics | prom2json | jq ' + .[] | select(.name=="apiserver_requested_deprecated_apis").metrics[].labels +' +``` + + +输出: + +```json +{ + "group": "extensions", + "removed_release": "1.22", + "resource": "ingresses", + "subresource": "", + "version": "v1beta1" +} +{ + "group": "rbac.authorization.k8s.io", + "removed_release": "1.22", + "resource": "clusterroles", + "subresource": "", + "version": "v1beta1" +} +``` + + +输出展示在此服务器上请求了已弃用的 `extensions/v1beta1` Ingress 和 `rbac.authorization.k8s.io/v1beta1` +ClusterRole API,这两个 API 都将在 v1.22 中被删除。 + +我们可以将该信息与 `apiserver_request_total` 指标结合起来,以获取有关这些 API 请求的更多详细信息: + +```sh +kubectl get --raw /metrics | prom2json | jq ' + # set $deprecated to a list of deprecated APIs + [ + .[] | + select(.name=="apiserver_requested_deprecated_apis").metrics[].labels | + {group,version,resource} + ] as $deprecated + + | + + # select apiserver_request_total metrics which are deprecated + .[] | select(.name=="apiserver_request_total").metrics[] | + select(.labels | {group,version,resource} as $key | $deprecated | index($key)) +' +``` + + +输出: + +```json +{ + "labels": { + "code": "0", + "component": "apiserver", + "contentType": "application/vnd.kubernetes.protobuf;stream=watch", + "dry_run": "", + "group": "extensions", + "resource": "ingresses", + "scope": "cluster", + "subresource": "", + "verb": "WATCH", + "version": "v1beta1" + }, + "value": "21" +} +{ + "labels": { + "code": "200", + "component": 
"apiserver", + "contentType": "application/vnd.kubernetes.protobuf", + "dry_run": "", + "group": "extensions", + "resource": "ingresses", + "scope": "cluster", + "subresource": "", + "verb": "LIST", + "version": "v1beta1" + }, + "value": "1" +} +{ + "labels": { + "code": "200", + "component": "apiserver", + "contentType": "application/json", + "dry_run": "", + "group": "rbac.authorization.k8s.io", + "resource": "clusterroles", + "scope": "cluster", + "subresource": "", + "verb": "LIST", + "version": "v1beta1" + }, + "value": "1" +} +``` + + +上面的输出展示,对这些 API 发出的都只是读请求,并且大多数请求都用来监测已弃用的 Ingress API。 + +你还可以通过以下 Prometheus 查询获取这一信息, +该查询返回关于已弃用的、将在 v1.22 中删除的 API 请求的信息: + +```promql +apiserver_requested_deprecated_apis{removed_release="1.22"} * on(group,version,resource,subresource) +group_right() apiserver_request_total +``` + + +### 审计注解 {#audit-annotations} + + +度量指标是检查是否正在使用已弃用的 API 以及使用率如何的快速方法, +但它们没有包含足够的信息来识别特定的客户端或 API 对象。 +从 Kubernetes v1.19 开始, +对已弃用的 API 的请求进行审计时,[审计事件](/zh-cn/docs/tasks/debug/debug-cluster/audit/)中会包括 +审计注解 `"k8s.io/deprecated":"true"`。 +管理员可以使用这些审计事件来识别需要更新的特定客户端或对象。 + + +## 自定义资源定义 {#custom-resource-definitions} + + +除了 API 服务器对已弃用的 API 使用发出警告的能力外,从 v1.19 开始,CustomResourceDefinition +可以指示[它定义的资源的特定版本已被弃用](/zh-cn/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definition-versioning/#version-deprecation)。 +当对自定义资源的已弃用的版本发出 API 请求时,将返回一条警告消息,与内置 API 的行为相匹配。 + +CustomResourceDefinition 的作者还可以根据需要自定义每个版本的警告。 +这允许他们在需要时提供指向迁移指南的信息或其他信息。 + + +```yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition + name: crontabs.example.com +spec: + versions: + - name: v1alpha1 + # 这表示 v1alpha1 版本的自定义资源已经废弃了。 + # 对此版本的 API 请求会在服务器响应中收到警告。 + deprecated: true + # 这会把返回给发出 v1alpha1 API 请求的客户端的默认警告覆盖。 + deprecationWarning: "example.com/v1alpha1 CronTab is deprecated; use example.com/v1 CronTab (see http://example.com/v1alpha1-v1)" + ... 
+ + - name: v1beta1 + # 这表示 v1beta1 版本的自定义资源已经废弃了。 + # 对此版本的 API 请求会在服务器响应中收到警告。 + # 此版本返回默认警告消息。 + deprecated: true + ... + + - name: v1 + ... +``` + + +## 准入 Webhook {#admission-webhooks} + + +[准入 Webhook](/zh-cn/docs/reference/access-authn-authz/extensible-admission-controllers)是将自定义策略或验证与 +Kubernetes 集成的主要方式。 +从 v1.19 开始,Admission Webhook 可以[返回警告消息](/zh-cn/docs/reference/access-authn-authz/extensible-admission-controllers/#response), +传递给发送请求的 API 客户端。警告可以与允许或拒绝的响应一起返回。 + +例如,允许请求但警告已知某个配置无法正常运行时,准入 Webhook 可以发送以下响应: + +```json +{ + "apiVersion": "admission.k8s.io/v1", + "kind": "AdmissionReview", + "response": { + "uid": "", + "allowed": true, + "warnings": [ + ".spec.memory: requests >1GB do not work on Fridays" + ] + } +} +``` + + +如果你在实现一个返回警告消息的 Webhook,这里有一些提示: + +* 不要在消息中包含 “Warning:” 前缀(由客户端在输出时添加) +* 使用警告消息来正确描述能被发出 API 请求的客户端纠正或了解的问题 +* 保持简洁;如果可能,将警告限制为 120 个字符以内 + + +准入 Webhook 可以通过多种方式使用这个新功能,我期待看到大家想出来的方法。 +这里有一些想法可以帮助你入门: + +* 添加 “complain” 模式的 Webhook 实现,它们返回警告而不是拒绝, + 允许在开始执行之前尝试策略以验证它是否按预期工作 +* “lint” 或 “vet” 风格的 Webhook,检查对象并在未遵循最佳实践时显示警告 + + +## 自定义客户端处理方式 {#customize-client-handling} + + +使用 `k8s.io/client-go` 库发出 API 请求的应用程序可以定制如何处理从服务器返回的警告。 +默认情况下,收到的警告会以日志形式输出到 stderr, +但[在进程层面](https://godoc.org/k8s.io/client-go/rest#SetDefaultWarningHandler)或[客户端层面] +(https://godoc.org/k8s.io/client-go/rest#Config)均可定制这一行为。 + + +这个例子展示了如何让你的应用程序表现得像 `kubectl`, +在进程层面重载整个消息处理逻辑以删除重复的警告, +并在支持的情况下使用彩色输出突出显示消息: + +```go +import ( + "os" + "k8s.io/client-go/rest" + "k8s.io/kubectl/pkg/util/term" + ... +) + +func main() { + rest.SetDefaultWarningHandler( + rest.NewWarningWriter(os.Stderr, rest.WarningWriterOptions{ + // only print a given warning the first time we receive it + Deduplicate: true, + // highlight the output with color when the output supports it + Color: term.AllowsColorOutput(os.Stderr), + }, + ), + ) + + ... 
+``` + + +下一个示例展示如何构建一个忽略警告的客户端。 +这对于那些操作所有资源类型(使用发现 API 在运行时动态发现) +的元数据并且不会从已弃用的特定资源的警告中受益的客户端很有用。 +对于需要使用特定 API 的客户端,不建议抑制弃用警告。 + +```go +import ( + "k8s.io/client-go/rest" + "k8s.io/client-go/kubernetes" +) + +func getClientWithoutWarnings(config *rest.Config) (kubernetes.Interface, error) { + // copy to avoid mutating the passed-in config + config = rest.CopyConfig(config) + // set the warning handler for this client to ignore warnings + config.WarningHandler = rest.NoWarnings{} + // construct and return the client + return kubernetes.NewForConfig(config) +} +``` + + +## Kubectl 强制模式 {#kubectl-strict-mode} + + +如果你想确保及时注意到弃用问题并立即着手解决它们, +`kubectl` 在 v1.19 中添加了 `--warnings-as-errors` 选项。使用此选项调用时, +`kubectl` 将从服务器收到的所有警告视为错误,并以非零码退出: + +kubectl 在设置 --warnings-as-errors 标记的情况下执行一个清单文件, 返回警告消息和非零退出码。 + +这可以在 CI 作业中用于将清单文件应用到当前服务器, +其中要求通过零退出码才能使 CI 作业成功。 + + +## 未来的可能性 {#future-possibilities} + + +现在我们有了一种在上下文中向用户传达有用信息的方法, +我们已经在考虑使用其他方法来改善人们使用 Kubernetes 的体验。 +我们接下来要研究的几个领域是关于[已知有问题的值](http://issue.k8s.io/64841#issuecomment-395141013)的警告。 +出于兼容性原因,我们不能直接拒绝,而应就使用已弃用的字段或字段值 +(例如使用 beta os/arch 节点标签的选择器, +[在 v1.14 中已弃用](/zh-cn/docs/reference/labels-annotations-taints/#beta-kubernetes-io-arch-deprecated)) +给出警告。 +我很高兴看到这方面的进展,继续让 Kubernetes 更容易使用。 
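Review bot: in the CustomResourceDefinition example of the new `index.md`, `name: crontabs.example.com` follows `kind: CustomResourceDefinition` directly with no `metadata:` key above it, so the manifest is not valid as written; add the `metadata:` line so readers can copy the example. In the "自定义客户端处理方式" section the link text "[客户端层面]" is separated from its target "(https://godoc.org/k8s.io/client-go/rest#Config)" by a line break, which stops Markdown from rendering it as a link; keep `]` and `(` on the same line.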
diff --git a/content/zh-cn/blog/_posts/2020-09-03-warnings/kubectl-warnings-as-errors.png b/content/zh-cn/blog/_posts/2020-09-03-warnings/kubectl-warnings-as-errors.png new file mode 100644 index 0000000000000000000000000000000000000000..5171eca6bcacf132cf96a420e5cc77255ab92369 GIT binary patch literal 226605
z1I70qQ5U`ZD7)E45F^%LG9XJpV?qPJDLptiILDJ?wXK$Xn~0i3-6ZVp^0g;4k+~7I zoM`Fl`lXOrKIB`jm`(H5c^y(Xq|%w@;KtMD7|f1k1o`TH99LKmyjl6E7>xaxE8&ok z^j@LmYVII_l{IhwwbS~dd`M8>LbXFVp5|jl-Xk+Uoph|r?+*=jDGzyXOL@!&O##>g zxajdl=nZvFn|_qxzS0XJ(j#ItF=XTY4QZ9Mi$wg?2hL(wOqwLN*S?i=PxZZme89VE z>T*SsNjQbE268vKkjW9=0(%8aU13E!DA}-#N~a+3(qD7;fe0A>9iG z=)T4gN9k1I!laH;7M;d*qEv6BXerPTcE0bbqUs+hOy7GfqgfwkO%>iAEymM1N%v#$ z#tKixM#fXOQtQLsD4W*86gxR0j@Q|C$HNzE@wTXk(H*vpy3<6QHZJgf5eeA@yK2?O zdN9Mon<&kPfB=sbxl&E#i$}lm6mQ05@poy5yiIOC**;T`I2qS6|75|l1ZIs*ngiO&#i zwbDTJUp2bO?gP9Q_XGC|yLNZ-3>O!8T9u?~pvU%8_z?cs@5n>y63L^@qz)5jgMY8B zZ6rurEnc&QG+qW_7%&SZ{TW`wvl>*&T=858IRlY_U%>Zo-|AnM(c$q_0FTcfJa|Ad z`+aAez8lE{Kxm-rd2$ZNAVAiAng&1dwA`{u@)%iiWWdb@i9{A76wD6O^A~{y(%{Ne zAWP6V%Bf4tQ}UWgP5`T(b>Jh^5#W!p^aSe5i4bMiSLzX>eAAlAOFD7#L-->R?`z+I zp1-5(kzPNBN~Prli~Lnmv$>MP`U9Yj?Sd!_k%)Cl{(x_m9xa@&eVY;8r6?bN~5MD5vaYl#Z9fqYUBGgb(7BU z7g;=Qx^yQ^M(k#riZ$f{LUU})np_t!UE-`&wDrWH2k`^!OX^*Gbz_vQob%8)+8au0ZIqT)6&5O^dAN zw6R8og>$6!*$q`!1idWa&+-|#k?ghsCg%B`Wrtp(wr~y%m%n9fY*lB3NiXE#PvVlt ztO!rx>(eHxERzKgy)TVB5q+>J)RNG@(E0nz0ljZN(|)8`+oU)49wxQnBGze{|4`O-2ucS<8#K@NiCsAgs9vI+2zen)#2|0Mk^_;eliqZ zrkeQG;NbPtHV7E8CVO-fnQAy#}RqQsA!xw4;JqZcMgpt4Yt1NG7YTCTq z*`D5I6g6Fy^bcq#FV`s#J#n0vpW=8VxU&BY&Wcxlw#|7!0;%CL2 zcpl|+7mOv~?LZm7L4ZP~s=|~%?YPOy6Q!y%z7YLW%*^s|5e^}^^|K57?VuKSBN&Tk zIg9g#tm;M6b_vsF9JMjA#m$m_S>C(WQr_t`r<`?@UJ(MVWvH|~93=xUIKyl7HPI(793pcKs-$}$2)oilkC>MP0X(YF#M%F$OUGDk($A3`Fzv%-v? 
zamRx@Hej9w+V_vro?*y_sft5DFv6H}ex>2bL zc0+Y`-MVs(LJ(G_SXS`}f9+5sok8(SZ2GR*af?x8be*$z2IWzX)jk;(2Hpt9HDrZ< zv1r6U&H#b28srJ{=uMZy`&#LG&+1F{)5Ex_54rURGU7@GPfr_`7_L-LsjcpNE^;h7 zSr$H=j%|f0EF@tfjdYz<-Ykj^LtOhda>tNmKafjOXkXP=xOT_C23&%LB3Rq?#pxJQ z$)7~>O2tkf36i}W?svO()vIpapl&q>u&l&2BT9E-srI|$1fP{z@F3>zTAYnKtT~Kk z!P{4^62UxH2Y^9XsrZf0R8DU1?jM({VX=S=Pf$f++BcJms3<3Q@~0M`LIx7<5AR|E@vCMPP0|s^&|Nb`e2)x*tA$WbyHn<Zm*-mcua}ysyDQFa3G)gD4_KRH>^3y(CN-qi*TN z@sa*)Rvsdj#fdxA`UeCMoa3o5E+J4C{`3J=njIjUIIOwr{4%4b+2-fxpHmA6gu_TA zonPD~A(0Urpz;W5 zf!YOtQ2i55o$h%%ZZmOUOWC))@x%1@`*qHA@GZV7$%iR8DU@idlU{+NqAV%4;@hX+ z2(&({EH(0&JrVlE8S;`mER65a7L!4rUDgBNrAHsxqR6nw8=YOfaK%N`e2eTsGu=UO zkE+2i+}*uw1-!s#5}BA+vCPGpUxGVQr@<(gC9OK)AQ~yhAL4)Fa)DybKKu>RU*BoX z0W=DJwRf!`k&X}2o7X@b;VK+m3$L+r8yG#evba~tC#>h4l4Ak@2d~{;_HG4Kc3!f^ zGZVfPDT=2)SuL|0=l(HqMNj=D|D@1uk5(osz>(-{%THNCq85r*Z^c4m zg%uw=Dy}sxu28ZLOx69%bB*jOm|KBa=&Mlct?+V~Nk-DJ_~C}pb6tWXIu8Gs`l=-` zoG5?cxHeRvO>}Q6X{Nb+kX8E3>(d80ttHX7aKABeJmRAjh$};2`(JMaOC0)E1Q>)i z@#DbljYB$-4p^ywj?KL*15B@6R}kA#@gw?P*d z5I;F*Mxe805%>Y1P);8w7Ye!JRh3A@ZzHG#8cfN%#aHgTOuRwd)-3a3Njq+?PIQNK42K}{qd|oirtK-vMLzUpscaYjvNC*r zbRzPCfb~~U$sK*X`MRhAX@7;x^>|4aiM*S z)!7<;r0hp{?80ir^VNj1Yexq|N*QEQ;#wMb{={9o6bvmb_ik_B*?c;89of^hK;@4$ zuXld838g*Ykh}U?V`=$<7kzDe*!w=gUb>eA`FS15A_a)<3@jH!Zd`|im|}XnZH_9s zk+M8EQWBb~daH`Cxs+A-O|@fDEA?VbA|z$Qb5e@Mw?OqY!{D6DGl&3Su2%9upVsR?`~tc z8M=IUZ%*4&ZX@KgWYckimep;hDZyvmf?gm+x}w=5_-up%?awf4DJ!2m)43Jh{G!uq z_n9Jbp$3Uvtv?R?@z-%2%PIl*ttW=g)T=Q(HudDx@pSmm5Z`-Tq z4fzViIhEZqt`rHKfSm#l{(ScczmU;fci-Oi%gT!Pf1=^E@qzMU@ded@w>ah(qFV6> zyRhdh(fy()C2U zH|yQczbs|7XAq?MX#FhhksTp zG*l^Plp^knT%XAq*W#PL@dgEI6XV+ju7_IS2cEd!gN-PK#PbztZ~ne?>(UOGebE2ZpmBg;YrhyX{=MOzdO;kO zcM>hV_w4&aVzWtI>B!bR9(c!lyfO29hE{1r#H)@qfEo772Ib!}+F-!OGf~i2`wf@- zkMIAlv*Zgb2j?z^8BV(8q#==bexXMtzY06Afd~4o|M33nJfTuJ<^P9DOII{PzF?v7C*vcD@9^~4uHTU$@&K7#POmzY<0wx%zBd~jE zH5YKUvu~r>N#VeLM!sli>jPXbLM#4+M63CyqYm@_u25t-s;JIlUw=fw*5zC(~2qf4FTz`F+* zozJY@-lgoROR{ZDUrE+ODuO}BUjo;R7(`+M323DjVwCl1UZir%HowrDsaioDC8wO- 
znbUmWRA2lig|9C@1qBm-qtwLDXd^NDC4(qzMjB8>AqJs`QK*}cp!oAF5DkiQr(mg+ z{ykyC8%%?vpXD3eBg$Ibv1ISAo)zP_+usVlVdrt4bpY7*Jm)+bFBkRrDDAn^)67QX z!Xb86mC3RMT&U>dI=*Y_G5*!mw%Flq&Qzv=;jH)XQtg&L@EJbdj4&FiX>u$d&IYf% zviZW1`^#VeS7n83Bh$VQ_@wq07+L?~>wjeP0Uw-!%K~%--*^C5oYO}Xlv$hC>OO{_7JgdyzP&tFc+Yi`Y9`2X za>7LIs%NDW#eAN;Jj9Rd@1&|+Hs2rAu@z_YQa4qL;={M|>Lvtd`1eUhnh^Cp`bHqc z9ks&E;QiA!l;C_*0P1R3ftEQpv1+el# zj!|{qKtkj%E_)LB5MmBz`b%o|l($Rc4+=IIMfL;cc8>DpH4B$u4@daIHL3VAAgfgH z)fOk^rX%TZW(mN@+HSvwiE9dHGx(u49v!{B|*D-;$Op-m2^M4{ga?c=Jep(ZZ z^n!WIJL+RE(8-q;lLh@5d`$>TjCgR8R5^TiVRm+R{@NeisE5NYG(D9OK6C~QKRu-f zxPOOKeKWx@v`!8(-v!Qo;LZ`1^*FRuvox*^g0_B|rUJ=cgx^FQLGi29IfJyN?b?DC2T>?5SIskcz?mm5qt80ehXci`VMsaF|Jxf z2lt%Mi8`4aaizFS?%rv}az60p4?PDm8g1i;gstX5b>E?2JD z1roxS8#eNZ$y@F|_SRn4Q?83Jr|y(kvh;7>p-8$ZO5TjggZ|3MvH}Ta%UoSt%2 zEVOmLfB9POO>(1J;gz4MT>f-!d)AzehkGw?ST-fJLVoN1hFZ$}L)0}daH)hVL2-Ol z!Jo7%P%XYYj!oG;62^uvny6wFc)7)eUTALZ`Q}RcH$89MKR<$n5bg^u<`3E-m3}|GM`r+-MlT}{yVIV6~;T;XiSNhiGUVnYQ zj%9gi*&ypv2n9*&y;=USNjvkw?86JG7J44%nS3-Kjd?00=0}_5yi>%U?gXUM^H>Ti z=yDzK^;hWsAGY2*8m>2N{}m*9CkQcmjTWLaYV;B%h#nCsMDJzPXwkc1f*=T@6Jm5x zqDC)+(V~t%n3;X%`@X-kerug|*8InsSiYbbFzJk>gJ%{htRZbP;l722s8DjKdSAn8gp$V6)>88zxG{%^4A z1$vw|P3_Jbak~dMUs}9I80D`{t+Oq};B8G+HZ^p1Sx)soNaJ8x>tp&ZK5Z2-GScr{ z2(4(={hZgRqSAfud;+chiaB_sTTgZz^)_g%RBlyy!{Z4SiB-(7wygGY`cfMTnKOro zb=Hg!!j-Y5^=o|N5S2*qqnXv()e(rOmldd7SwnNGxVHxk#Hg3nzrnu+t`7zxbMKP*n| zYwUBu1U&28NY;{h4H?BA#iN!E3>*9Y8=}(SK!n6GNJ)SA!vu&hwh1N8{qqNVGY3F# z2X=tL%WT45+Lx?M@Kqw^pA{RvjQGvsN#vJwGD*b!I2Va%-}gs= z(t{Q&Z_zJV!gbdfGAxLW-nFliFcFiJG9)7Ghvy?nm@fIz+~U4OAnn(2bNyFMP5wdR z*xO_?k}CuZZ!T*sM(P8?y%$TlPNc0Ch)sli28vvO|1cqa0I{BUK$VLc{Es*IPi=7^ zLfRS5{cyZ=!=Vy+IDP_$C*a1a(QOP_DJBBT*#oqPOZkwZ%*>1j!XF^k#?Oox%S(SK zo{Z+pwhr1u2>TMjJDo8yg0kBeD1&{PU(b}gVKJ@?p zdia4N7GUvzXchP@V5A60-%2+gf=O>m% z!C^Ewo&YfV1pEPV|Bpc*j=Sn2Qz3VfdeCFDNjw)OoIrYx#16C1jJxfGm9`PXcCo)| zf?L5*4=?MXj@uw1$KG|(J@g1)Q_4M6iG38DYHi|9pJrmvV=QO#0jUIvV|?_oe)D<` zgX+^FLig=&V9pL%S(3a*#QSgReT_aNY>^T$08H58mh|7Efd5_84&r&#OCE$M#hWJzJvVEabF4*xWIs# 
z%64_ROvdWK@rYcbl&R4vn*7T=IPUS0S-2M4!4OItIyI(fSoK@`%97Eaq&^ipy3~(y z2H(GQAaQK9`!4d^?xvo~&j>&1$GB@4!=f*5sKXs_;ekTvEJZl(oLAUO;W(H^N%339 zefR-%0pfE~=O5N-5j>zo3*-QilQ=Nr1WMJV_DNXI0ap&7NX`ZzL)H7k8*Fk<7lbA% z_UY`K-8&YJ<75(g7~6h` z$1XOAUFSBZ(^>3se||H#+CNy8`5lq-o&413$7DIq_v^+)u%^fiwus}kymqE=Z9jeS z-N0!89!&C>eqn%>Ac*>D*dU@6y_Eyz?{{aYTFON+JZA+a@*oJvn_9?c+&*F7J~Nw# zDbZvV#QqPGWQFVPw-9a(I8FAyat1xPPA*~tCXP(*J?i%q?%y+g?U0c~A>P-#4e>Sw z;4fR_XZladNg^1$txo%`S-+8)e9ZYq$3CwE=55|A2xc8xGh7OYVY@w%$#yVI8iy!8 zPY+SCRQ(Ck1v=!Fi{EI-oninFHg zSD(S!PpB?%#e#TXp$A<3FR=z~SuXULz79eMk?iYDL3wpeH2hxE-%5p85Y{NGY3nlZ{F-Zr&XWJ&vCc{n-dThk=m(nEM z{usi_YdYFc6#n}(I$jEYabYXmv-hhZDZI3z>pGmB^J<~&czi`i)3M-(cw4@-Dn zk%gp({cag?2vu+>nnV)i=Am=nQ{EIW7Q@OQ0dEPf=WinQ{4w1LPu)0Xs~EnM$)&r^ zC7n3_H{bXJL_K+hV_%Z5;cK7{t5kg?j{@=GHiU!x3>Fa5Rak)QT{NszSZG|Hz7jPW zqy;ylrZ)@|z`c3%2^-@<$G`mO8P6s)L4W>yVOY+~&c6TS#y!zjo!mf7>BNzih$rFZ zjp6kc#^y9Nm-^C!RlZUPp>^_B@`b-hPPH)|=0RwxHn&wenBghFPlm0_!6^wPw%?T0 zVXqX)2`de4AflPJ<4FG z%lw4DNhKxFMi$)qZ;7PVw(sKYY2qPcpJ zk+0#sNX;HG+z8jm+S$#C}eT%ZZX<;i&;Vu`MJ z8gB4+!;JwyE5?q)7ptNjD|Ya|9&j$Edx~>E&P0Dw+?NLyNp_&N8Id`gj;b`!{{GrQ z;c}uMsMWm^TZ3ZGra5;3Uw*n;S^1B!}hwKq_G5VS!emdv}r@NRt4272y6BRh$=2kO1SSIX2g@LOPzr{LCu4 z54r9aZ~fdj{37-AAci!DPergt{IgnW=Ex^gQ~!k=#U>GS@qikSb>XKHjT*6%7VoJ- z{DCWS6n#$qp5~wW-g_zxEJDgSEyT`;6P<@U{gEQEa{n#%Jy!EMfkO3vCy+_MqCBH@ zcteyXrXN~NVJrIxOL_CCKr`2<$swsp>d8ojW{=c zHE)Q`=*NQ|o8?KqqCy#oH|26oOe*p6sGq?WySGm%9vg$Q9c;d7wgi8jaFe_lP$)nD z&r>uhJq>;o?N2gN0Vj>Gm9X(>#`3qcTL0IcCgwkb&HP7;xvdVrK;P*l@%UCE4t$;? 
z_vjV8&yZ?LXsJQLDT{-kSe$4#BODWeNU>31cacWd5j*$acZO-Zi$oaCzyU+Q(*)kB zSTH~NU3d)|78YS-J&wZ?sdG+B=RjIZk|W~k$ByEKYS&WH&b=4#j!xx&eKx6j2Vb~+ zQO)0asT3cDAUTM#ahA#QtF3IiJq-ytqir<1Si;&G6%8%%9;UFlE}g!=*59bk41FBD z(=PZliM9J{Y0%9-%U`vfH^W~xvRj-2q^zv?O3Mr(RiYh0N+|y6JjSp5W1~dXenD&z7FJ3E9}1uG{B`+CdV^i9h~9;r(e(e;;JhK%AWq#9mzARs;5GqB!BkU%#L@P_@l%CX;gJ9GX&Rsszc-a z#SNd#Tcok8Ry$CYVk!yo^8Dw*kwf4yE92?1hXRJrt6wz9$-keSR*Z~;_?@|-`tuK@ zFiUiskV{Kva|0JweFxd8=xZ0e@oW#JRu>QWFIY#d(06^8($z8GX2}8Y)!N zN~`lJo#WX=)GhC+v*|oF&YqH-A|v!%q!abB;L8+qdccQw<|j%lZ>9)DnGrhGQ%0ubsd6~l@cMbkewLeChB_24RjDV9IuCE+ zN7CJV&fOR|*RbQF99A^+1iCkv3?j0nJvxG}PLr&EphoH-Loi~9G;0aw7R?#2hZTcXr5Xq59ejI%SnbZJPEA4(E7}0o1Pe0T3em3Ho%zplOg*C}+ zCnHz*pIwLks~<#XhDm0x?y;D1eHRpIuzNZrJj37jV3wz#H}MS|CkaR zLjlV2pBpMSEuE^!AK7-F^wx&s{4`S~>X9*=H`0hv=FIGn?Rq&+spAXj8>U*)7Mk)P zDnMngT^B1K0sJ}+G2C*>=J*iau`~V|j;p`X8D5Ci)cN>QN(cmFqXk5Nj_P|o1rfgr z11pi~13WvCf{9u}m+H6eT>Ew|nKJC_h3Ja?Seccp9S|$ghbt27TUf}Ao^Ph?p5*(c zC_-Bqk+yz;?|9)4c5Q)^NeqK=;z64n9U$x&z7E+_`uIYjx^rfX{OlP!KZ5@nyyghwSi2o! zH4P>0J)+9`90%e=<#`ABZLkQ?y#bPZdgF|8+Ww``tOP7ZuK11Jl%wwm^guIp6^b=a zO};_e@xlIa$Q|+h!gYAlC43fsWQT*=+XFDYH?jA>N&9>Pzp-f=n+0u#xvL?@)hHFe z9zbE3!|jY#c8J5$ASk#{B(-ncmLBqnSwh6;AD>7?&{f;c^UUmQui<{?PGnDlqSkr! 
zN*bWen^wuQX?NN0d?=2Fdrwm&n$0}PNsYR_^uxAc5(C`U3_^+~Z>`wkvW`o!*^LOp zO;CZ`q4+701HBY6J+mgu>~-ERYwRn-97NWrpjFW1%@y}?>5XAsiCEa+HB@PQRAB8@ zS9!o0Ygzv|D~qqItDQEfOshck?(Rd##K0S3*E?Wy z0l=AnfK=#X%-4G9brKiWy*G-lo7S!zo5{e1ZAKe}@n2$lX;a>CcG^UMk(|WHR&vX< zgOZ&LLh}2e8Z(Aj>agjPvlA;pw(Gu!1fO$uxq$e0BPbZs&~9GLW#0Xdn_BXi{IQyu z#JF5T9u@0#z0DaY8)#lLXO%Yu$YH~tRy&aFA-e-Ab32#yfat}!SvcNpRlMPc?!Bxz zXnfzf-4^?>F~39un40ptJcegv76X>oHlK!d+d}Nn<)Yu;Gb`yG=^=)}#~oC&qxk`^ zGxan>jayqr5FoQi#U(6q?3i0C!)VrNrI!jQ-7m%6oNxvt!f3Od$*@g)Z8GrKUu%@-c< z^Eh-M*X=y+0b?PA7~b=!6tD2KqoJ7|cw?M;0pfbh{ONj7;c)Ww%2@K2ih}l`pbxf6 zZrjZDcoMc!4fFwqzdPOX6)$a__&nQvLgy9ilHBe093Fw(=OJcmx@`=yh-_r`W+;~mrg4@4*K<5!o1*mw@8EmQmc@V4Z*IZvK8V@4Mdp}j(sNG25;ol{WayS?p6!oU= zpw?4T*y_;MXHJ;xe1Aefv*Rv?V$|y(85e)|+@QbLl>+FwCJQ`?6}h+ftt3hAL3WXV zbXe*+Xk7DK9KPwR7}5pLl-P_va>qYs_FQ{vzj}soP6&4skA7Q39xI+g*83R)0W=aS zJx$-K0VY_oSsLs;L`c(f$X#$)QU8QXIp0LA`SFbJK@d^EKp~&;|q}SFAUR zjbCA=2Uvz6*q*zVSdR-;OD|23K4h=*E5WhB^xZ=rKWH476U&8deg>4Wx#J;hGxBe* z$AN~k_jb37PZi4uEnf|p6x6{kP!dXEr|=hOE~B`oG}qTOf5p*ONsy#`-&YGO;9o%& zoTZI|GFU<4?mCK-@&T)1fgTyk0jP1SGqP48^}Z-8j|Zp@CW^b)jzfV@SDdPwXWM^{ zSI#zJ&U@gDa2%e=moM}0@q!RW)V3*o9lFF^P^`BPpAem2KbqHj*9K~T(SDV z)!M~z?>(Qddq!qHEvG`-3g>N`X}VvXGv=3iWJIF>Lsu+>0;nwKAKpp+&V_yF9Zw3W zV#~^TJ@2D`=fRnn%(u!)9a~5*MPfNZknzhZ&M(B80FWqlw6DcTdrj3 z*L@dco0#mqrjt+qlnzDpslL2E7D>k6Z9xm8d_Fw%nV8^9-M+gO^PS<&E^hEa@ybHu z^a&k5=_KMOSLs(G&+>J4#8vQc22p2k)_KtZD^|cvb>pr>F5wnL6G;$3{E2GzRlQ}r z{@X`I5Vjb-MzP@&Tim@5suoQ~TTgJqH%|dp7gePeI8}Znr*#AT?oD>th8COIu;xc;g8ljf zl%2fU|FM31qGrz-#|QPVw~DIIt_FsOht+AdJEK@JTezr^56kq{M>qDkWARa?xEe2ixoKKD2aG&QWBn z%+&e2Fgww7Bu};F#|7qQ0dDge5=I}dmq&U+#$0;TLDu#?1&NS4i1})#P&6pTwogZT ze%*2Q&R%<8L!pL~{sA+OE^(i@vKE<>V1d8)MRsik_|TO5`fGNhZdZ5F!QbiW{o!f< zma@)o25S*^-sk1U8Q~H4o<1LeVEu_BOckuf(R~q|yLF}foM_fQIakKlIEnlZ)5D%+ zgDyjB)qBl(+;?vtMIOZB2-H#3=A@fqeKC$9SGpQ)2*FVZd%fQdH(;f0JOM}*qVmB{ z57P%2r*3R>a%uOPN!nklPNRp$h&P#84uYFs(5e@9OX}w7DZ>K9zSaPu(G&3A_`kXvpf(m%5dX zoT-i`yZ?H-Q?kXc_l6?a`yC!O)?f;+%l5u1MSqvvHHiOFSF#j5hBb_MJDo<;=oLO0 
zA%bvN|Fcwe@J3(U+f(Eendo^9{D%tl(+SKoade4hqTa)Rzt3=f%dI%safN9K2vz~m zYG=v|Mctud%G?ZtezBZhUe3=Kb5IRjp0BHTF$({AvET6idF@!|$s)@aXT^5dTWm`d z2+4IlH#f(_*KDAZ%qsi%$@ey%I$zAawA z$wYCFS!tv9BvjnGZ$1aEg*#POTQKVD$7KpVcd`w_WPX|tIW7Bg`v+`JY(+>n7dx1I zVJ4O8{(vRD>Uqs@$IVSuNWvO8>T$RR=j{l%K&Kr;H4oN*IPBEWR;rurWE*n0)mg~K z{G1;Ah1eI5>&*)QHgnr(rC#hSkBX#+(J{s-pS(AN6Z!!K#J7IulbV@6u8W)7 z3b!uD^`*K*^RO_xLHZVOb;^FKCY$AKQ$Rz|>#_Vor;)5@H7Y_;Vw@V!4%om_2V7s% zJ#0N*p|^x4Gj^avkMnyjE@OJ@gl=}26V459iFW6Um3IivUQQrT3!h+Vr*poNgGe&5 zjUDCdWQ_5tGheu<)%eRo$luG}+K$wAm*Se{r&(2B!ahkg_s;z`B44D$wh+OP+gr7s zjybKa=yWZ={(LDGgdyX9$zkc;@pk`_6_|eh?l5K4Cuq->AG{3q4SpGS45#^Wi8I# z$l8AR9TmfLx8lbyA1p!W!`_SHOHGToA#j8)M(yN{&OUga)6tY8I$EZ(_;Fk-!DVRh zLa|1|&GyE!eecIae4W4mj0sYXH8$*7T_UTZTy(qoh>##n%V=R_>s>z!*PR=>mCF-w z92weB(fys}e%}zP-Y10A?*38GVUzg`)c}$#@h-YW@(CZM(k68uspHhSooMIzOVO9? zdsGRY$37G+!v?u0K7BYLJ|kboLG|78{K-(>&vzH{Rpwi(DgKU%rgky(y`UW!&56Z+ zR9r=!n9s^b9NBL>Dk$PdGQE7ZTujiQ}~0>2*xd=*_L70`2ZeGyw13M{71ak2MJ{M908kK}AJbru;0|3q0O0XRD!C zHjg0P-};1J;B;n2ef}CqDuzsst{Pmc)GxgXXe26>@lfy_!~`nBok5oAMN46>c{_Cc zQC|sfN#Q0BoazK>`u?_b@L-O-;E`9aCj|MH=?s-7LvH=t++b@FWR*CotmG!kZKeKX z5V%ZF!oeZ+=tx}8yO(YtS3#;G^mMQwKc;3RC*=&)TRba5fD}rdg42<+38)qRa70j~ zX!6q1e!fZukW?4h!RVgQ}B)jJ`_ zLGTyeEMdUNoV5vnJsaya=g+_GC4kJMlYt%3oKQu8b(B^^udLijpP#Aq?M$uIr+Lxf z75x*$ChzTqTd-^Iap+Z0s9e4z^{aV7tz@7F7X)!}l5A%z9SmC+c*Y3N{3LAC+(_l! zqIj{HuE=(85a)I?eu*IuWF-=LDsb2qaLCZ zb{%#*!ta-9IvlxwPh%4uKtbQ9u`(0QsQiq9T6_Ff;(L{tPNN~UBC(#f1|%qOx9A^$ zz8;UElXK|AMA1E;_(uy$-7s%zB*qR`>RkP`1LPhb!Y94{m1cj(Rn1^~RaF%&W9Vkj z9^L9mQYEgn=^)PyRlXxr3lOfZ{F1#opKfTc?bsWps4}mPmv!i_%(*Z}j^{mjZ_04Q z{RJ1(ztUu5W78(od0zUFfciH{QTWTXfW09;DF7}SQsFvNX;zHffdWN&Rka;u;iz2V zzV_(ZRnL(>`Y|A->hIq_9W(aW=K}e+Eg+y3ljRmtr52IM6ngOV3`pFsd7tBP!#u;S zH~$ix43sk3?seydgIa@IEBy>_+wdL@ntUTAu-}I(*Ot{q9Csd= ztxqUwL~zUEHs^zLW4Pt)AoNG)cIq8@p!S7oTVE0!jNqYn1-yy>pm03?rPivfdQtG{vC8;sn`5`! zKz3B|{craC3w$6*@hvGb`a;B)&}=t#L_c4q?%;Gpv{v@;e7e$vL`j*tF~&md_;;1! 
z)pEnHoU2PdXkfgbxyKv+pD>2&_dCMl;LW^_-JS${D#LFI2S0j;agK+-JO`CnkIzwN%X|3OwhuqrYrV;reJlUvj+I%|5&wjLH2uB692f@Nhie`SlfgDH->b?U6ajgP8U|#83NEyuNUq zZHd}Ve{9dxkiyp?VN@xq^<}(kvLJphO@K;Y14%~8+0EU3|4Cusuz=ZLI&OZ6@9m%g1vrXZbtw^%-Ml4ks_-;bICCzfz6SSq~2^cjQNtHu)GTJ8?XWYth%26 zH~5@-5RSd{mhO~d?uULmJ-~%hU?2KPLj9+-GrtEo9FZx4P+df`HwJCE6i26{pZhgQ z04f>SwT_qV^}p|=Y{?-n$ii%Djm^LR?;f^7ny<5Wuu3aJvoiW*f3{{k7{g)*M|B;C z#)!%YEh{G!m*Hhzl8LnbxS@lh{DoJ0M>TjoDNgO`U9`7_epIav5Dg7mbX>Kama(|G z#M3IF`5q69FY4v{CNn5 z1^!0i?32W1UEoYVeb$3?LD`rq^~>N*u8FwdbuAsUUxb$;DCFH4b6X!XE^TGjnFN`4 zD}P#+m;L)_G&8bGX+DyOpxM`XJ^l)}c>i9b-9N4#?5IBYENu;!j6XZPfR3K@Y$QrA z|2VNJ&o@3vqFc39F$lexhWbt!WN$$3qwPyk-BGua8@>AeJ6qYE-Wpt@?SIKNUS=zdRnT8>QJ6QAoXXpJJ~T%yXINZ7DU4+%@|9w?+{=hDjU{gu1Sk4KuLL@-*_CU6wJz2&xZ(cHD=+(`#nYm3v=;m*X zF%&@Wtiy@vOYndi(CSR+2pB$fhq{RHH}_0KiGu&^x*hxQgl?EX6QNN&MDoz|ngxqJ zGjtWdcGCdVw|?odhFu8%)I=es-p}fs6IAI<^BYTbf^S zHr*NI=6kgLLlhIPTCr7InY@?Ewx7ckN>lLL;yKJhKB}n^&aYZ|pdK^dwl^%qq7>Y% z`R+F(vt^^Z$8n~)&E&Rl>{@Lv32g)rr8ZVn(=1|53JQajl}Y8k2Cr3CS5bK46wFAh zwoysMXUPEL1;0)&D-(^owz(y=8599;T;A%1?pp!Nk`CzV3P{`8m_Zmz7eu1wO~~12 zxQoL2A)l$IOx!vYORGDZ$R;6&DS=?tf5>-22A>jsbl)>R-I!2`8z|%TJ2bCxmBXBy zRK-F`h(bLq1^Sr^2TS%^TVTKN&Am*L(OWb!bSg3J`IQP61Sjbno~&;o90n>9D8EaP;O?7E05Y#(bPabjKic zXUJ?PKghsL!|AS}P-)WFkJpf;y20m3EMSpDI!Gvw=ra==t}g<=*HP3XFzl|~XR4fF zWlL)y>N!(ua>#+Bk5)5JE$m2cRmVI7DEl~IYW5_Z`tK4`DBjx-Z?}i)p|%{t@H;Wz zD{35;zvjsWqmX}Ls~06%7(T=9pr@0Wdhrj4{jcg0l%B`PpQp{)Kvo7`-dr7dt=eFk zYD1ce$o)?4Vm0*ea2YW9=z%%dD)*2YIWKD9ZYq-24@Q0VPIl?I;0M#DBvwH`rydhF7#nzK1d$ zh3l(!tL<>cP9$Vj@#3$Eoq3;d0W4NYN%D`Bu{}xsgeDmzg4|cnfbPNG*AKt|u zC=%mCRS8vjeEC`!eA+HJuDG+j=UI3CrEtat(T7+=ADbquHw8amZWLVe^9F_|aW}CiGub{PDl_+aGsGP&D)Ag&{`^GYngw{*e@* zg&Z1zL4ByLc<8eKa$OOL-X)W`r~1^mJX#)7RKL;wHP9RTlsFci%X~0_aWs(M}MT=N61$VS!-Jpb{iS9riJ|9=8&Q zv2VACaMI}O-}hw{(pRwuL`&ztmSA(9xY#LI-2D@M%{$I6m$?m%BjBW~AePEBggua@ zW{O+DiO_|C4-B})-$(|7x9ib$d~D?_B7#7}xRS0?O4qerqrZn}TJRkk?Q4R99!|xd zRK@hLzrV>n-FC(x`V=)oX@WCf?%Xg!A;wzQF`K>uSZ!{=@%x+to0}ytKX&!o0DNSj zoyY1k`fRK5YP}akdgqq{;B(;ILL 
znKIU4jc$&^R`G<;dV=$QDrw!;7MRlaA_g2~^9#{_2yR6X6{HkRMZxzTMD5pL z*sXu_g*JhkW@3983K)}@cuuGUC{9HOAf0V6AYla7Rv|u=@J1ZqYczQtyom2!5v}4& z&&6zZr~zvG(&uYRrN;S5>D}8;78RL#n$Bj~=~WVNI_4kN#^Z=S*a$$e73BguV397JCzC-dQ^ZYvo) zme66ZxA_+r`tMvs;M&nX4VUby?Av`-VhqI`?Cd$-lyhI7iH^ZgD*24)Q`oVvn)Td3 ztB4+v#!$j*IlxjnQCrEf2cPX!tDVISRmQuY*{p?SwDa^>iKN2R1yPEm(7b(%T_E-k z)1{`C>=)f*ryDIo*~LS^i++|nw%t~y6g2&;C ziJOMcXIpW})+EZ5H-WdFhb)^?Hrf4CgVZ&Ku+Xmw)+bI7dYh&L?pHK)U8k`O;%MV% z_~3RONbK@7H+zP8>2op1?0dU7E$0Qn(OA`Ga>ma&JLp`{$)Hj*W%BF(T2pFRF+-ZW z5h=`AF}u}CLifUiNMA8lbYx&u=1O+i=4#$C z*)X+`HR=!mEQD06WtO)5Y1 zSn+$#yb)<{7XDI!1M%x;wLkk3`y7aB+_)R6oJia1Y-Dq|sRH(DmHM_QCC6Cr>}3$%Ic!6d6VG;Y8(7%g$gY zyCvsV;;2U2Cj z{?iQU%Oui}$%xKu+u#bnP2~DeZ<0(gzWHLfW{FvVh;3~R9n9R1noxbtHptbHE!<1Ld_V5fSLBlm?zqoQ`BhM}AT`zTcxhT1M&bx^R zqjnJ+ZXN1qc<|XD;ptR&vNQPfbV10CTSK7v`cdmMi%7Sv!SEFK*S>qFBVa3O=dt_` zvdl(zNRnhii=Xv)9(7RVo71hO#cz#dIWH|OH7Ka8M{}G~;gdLap&O#D>uB8FrL0BW=F%)Bz&88rONjnLKZY6qyM#k@^5oRf zGDUiDZ-l;n`M6Ao8B}Rl=%)OD0gB6uUc>zU8%8?_*KOXpo|v zG>1fVShOEV>1G%4S$;|0vv@q6uN)bL=LY2o{b2MG6`;;`=5?6Mn|4?LA-~IiYG{pO zH+?OBFh;6S`Df08)pvKDp+ijNn{e+7WBBdSRUSNGN?T}AUhZ~1=2Mi>crk+OhI{XB zhbgpHH781Q8Sc4e^(t{=@7)G&tn|U3)lXjJMU*BengQ%#|7eu%WBc%_j^rjQsEsRs zD4kbD%A_C5u9DEsO+TjEqq0B?EWHGX2~bYM$FQr_F^IA;bm;9Vz&8JLkPQ<2D@_RY zjYlUNq4Dwgd{Gzh3kVT~YNZs@4t#j?)&7*{1>_qo^F8zdzJqcS>kqFT02f2LcRRub z={C8mVn4U!3aZ7 z-s!Y*Yt7GPZ=7Crrb*H$q$%M;vF~Y)Tv(+YUM{F0Wz|2m|6JJt*1af_6|rx|6TIxY zG$ODHtNzpa`Z&Zi_?0WOa<5V;Jz>3d6OM2x^;?qu(D%fI^v^zZx`Q2Nv5A8A^Ormn<0FfS ztBn!Si=-|M(&c_T+m9>{BCsTH6^4xY`|P41iICPB_p1sNSz1D^Z2Q)^UBO|Sc*!7- z$7J?f9`&f}y#O3{C z5zIF&@2PgL1b6zaQJdPBS%Pm7hW3STTn`Q84>JPTshE4ZUc7h_=)M&zG$8_cQGNW7 z$A~t9A`~FHly*r;Mv14^V4pJIu;hek?@zVq@|q8&8_=uMh7S&0jDsdXC6-j8jWapw z(2Jw*g3Z18VgGutOr!6Z@SIwZCNe19Jir$Fl}<}o8ktWHb28`l$IXxbb964yrthU; zai+V>Tct&MV?)`1K|c{%dpip(GDpk-pD%a!t1J@Vz=ZP@czDVhXwpDSM|H^$t1CK4L}fbTq;IgZgUKZ;X-nOc+Ic zUCgA6d2!6Eq3@$??6S|U{k1@ppK7b3b0h6?;v zEWP&x$~S4b?n)h3T|db&n>RAH?lF;NS!-FLx~G{5Lo9zoqJ#E+lgdXY5vS6XQKV1s 
zJy1YSM1C&xM|*_c>E(Jr&MYT+wO3U$^-hSF_310(2Z5MYs!4ITGZ=M1b$(FJCh zjl*st(EK@WfWF>mV!Zc~-xZ~&99yUWOj31)C6>NYc2c4G1*5os{H?T`u_9W$D(3o43bTaiblVM3pl10a(|4d>*y5%J}#| za-A8&=gOjT{(3gmbw{&)h}YSikQY}E8HRciq|YR|Adg~o;&Lw@vx4X>WXf5G&Fwj zmkcE+Ugth$<@m$f0POY7d#hln=h6jY_R2NSdyV*Ou;Oo2aJnx@sNWEzO^#`S+_s=; zxN7)K&$vGI3GN`dj3clP`5+EbLYpTSPbR_G^<*Bzz*{nEt$6hh-I{W{Lr&_WUy1k% zCBO9N?6~+OX?iSdW$!pUy**N!dMNMfvf$dX^1OJAw2MlaZ>I*fydo%}NWe3S+KFkk zsCOYqErYN&mVzM?&cCc=gHbmXF0QjxMK#`Xsw<&nru&D?dbL(g9m^-TES?Xho zSNY2@N3xe{=-VqEI~)`YFL+Y&4&{b*4QZ@N+Q41#2W{r#uqry8q zYf>@|ypbw`%^;?7>o^JQ2VwoKh6X4ac?PEL%9KM3C0ynw(E6X>Mrw-$o@(=L*=r=- ztL$UE_vs@gOXn&=^!Io&dJuwc@`2l(|0z@QdJS32CGdi>oaI-K6-hBkQl;S>r4H`8AfH56!jvRh2V zb`#CSy!u@A;a-nA(ViM?QHc%Ar2HtJ92Ruc*1lO$UMS+Fpi#>zUc4p^yVk!$=YEUX zQWF_zKg_av#>Y?7{a(1LPv<=4o@?pqS#}WKj(}bHU32@>q>BeU{h3_5?VE7leOK!( z^6w-DwfLXJ;+G36#AqApAG5*UJZaK^*n1%_8(V}N0;6?hB5`L-iX|jWQcn!em{<=D z^%%$%j?Ml4gAx}q;O`dLw=RkH_}l*`0Rd(MS76!};g$`r%}#eVX#`v>sk`s6KD;)V zJ!(B0({BLhB_3WEVPn3s?8KoZC`=ZGl`69X-eFkVPq4n^TIYwMd?1uk1J; zvXA5}Y0~dDzo~Ys^-FsH{((;As`ci5&mGC{bFZD?$BW4|_bOYDV9@(Zcg=HggA z99Hf)Dd`RSc~gGR326vX1(Ra#_q-zO9*QQLNPda`y)!=F`!pYNWMe6HO-sYgh|1541& zOQA3lsl)ly)WE`znR~q-$p!c`DO9NA0LRb(J*noV_bJJ5XGHA$Y{Z+t&2d`zynr+= zUBQDudNcRegE(lrHpx5vzJZ@-vW&40Gfc68dFh25-q{n}u+X!2XuR_l&6#Q4El!w7 zz9GFCdd(2UV#4wM_Nc`Ug}D&n{q~Up)SUX0bO)jS9rKev`Ep7TE0!T{V;$W;1UlBg zgjuUjTH(tVPnQ`Af!F)!Jad6T`zG$a9b#UyXm&Ot-mguMKcn7pWS=1HHkF|Q_mREm zr+EH8Zm^5jGhpDvg_*Be0AdGBs*~MJ2B^hQnFs9LM|q7soZmP${Pr*dD?yi-`9|z2 zLA3I%2ytk)P_5oO_+2`iO{nJs?@5jQx8{L|KYi|IQ?OZwsat5YiSk`)8R}r~f>O1z z`UczQAlaHq1WW`5wfFVK|IF3Y{QwC-ChG`bGhq2m(U7GytTvj~E9p6bc?-vYxYt(#w@s-1lDBnwY< zQ)yZCe7{b@$C`ZE*L-o^m_*@6pvN(j$rxITJPM6NG1u&BBd6g+8#MnOzUf>`#Md6w zyda=jwj=xudf}rEnQyB6xto?S=arJo{s5tA2)*+&?RzUxrOZRrPP#1~eb0UD1erL} z;mDSR>w(^9ticw1;_c(upHEM0l@KeIlGgkdgKT~-Qq5K#Jjt8mw-<9ZMDohpQXlwh zKyt5kKk_7GzvER$(VQzCSTFkw+VJoWv+vGUTMgje2lGaV`%y(P{(YC!)CcJBBaTQ> zxR}qPWTDYJ^`B^fG;y^neCIohoOkSTUqC$t&vnc+S+ow3N+23pR30H5t~fpZa=%jM z&sp+QDjBohtV(2DlJ-( 
z-+C(R&O3=%Q+&FxArfK@6$bU+H2jZ$-M;a;3-_ph;t=c0oM3S_95j7n0o zc{@x!ro!&LmsO);@*akWz6#XKL3uLYyZ%d3gsw2Sfr_PkSTIn*sD@DPcC_J- z3=6HW#g8A`{}~OO7s$j;_c8=B$CLjbn$G$ys_yHlkhp9~CIh^@I@OS^1FTwye!)zvdJ}%6qv%0X*(2L#1g4QZ5(ZA&J z{^Y^tzj!A34#)n;O!(Ls%HEH-or3&)Ui^)YE2P`Ytj;*yCHft#-tNScC6alU960a3 zwUcE9bgd~43XZtzg+V`EYz8GkvG~tKMbYo< zVNwpWZPbL5E|QLYmt}eg;rjhVg3= z6Z#L>EH4xVcSV-;5ICv-*)yge)o!L1Hlv8EF}!s zO|%d(f2$JBHYCVR*iE85G-FmS=!O#?28JeVj_hD_vZ?nIg|}`5bi$92efz!dNX#YL zNC;V|$R&O({7 zoegLDv`ID#!vvUK&XIu4)0jSOhP8a8_N>s&@0Ur5Onn$PLU=b!#puiCpf*ItdqVgiBz= z2qdX5CGiP1DFvV%j+*|BXGv?e$@>0zf7$s1KaZVY?=(};h^N=L`Xfqz!T_1iYZmlc zXbp}iy{n0cj)cG3B-=eSphOVJjL2fG&rc`jNEpTiO4F}Ju zqi5OteBJ6Mzj{mp;4Q%heEaB@qy^M%#L~d5yi8_q zBezS=EX{w6xGr}@)ps>$t>w6JZ!9YrWpDk#@m1}Y)jGjxuj6AzUI$hB=KF< zFt|KVXN;{PY}ePq!pg>Z7weX1!s;GVa7k)#^XfI*U0n)_xFPAMWXm}kX;QK|*H0ay z-YpGi!-I@H>M&LiYEgTz;%{*wxD?Z&%FCNg_5zBeLJCc0flm!GQ6X@8@ZTB|wrY{r zB*8~RmwRHD`%?_#jllB(W);eZ`gMWS(&nfH8bd;N ze*Bnei01@1Ze%zrj%#Opqe^e<{ur~$he+0=-umkWgJ^!N_%@c!KXFkY9A}8DFDDU! zhgUZw#wK>_Tv3G9DhTn_YM*m1#?BDipdAAdOz=@^a0!k~Zy89U-_NPlHL^CNvNbG! z3n2(?Oj_-UpryWt$?g<}ol;4=J$Xpbe8B39eJ#eOynW#M6h&?Q$^8Oj;a~8{YE0>O;{xLS`DJ)w3cpx%I1QqR?~w z#Q527{#KZC5$E?ijDica;`KAR6*mRzcxn#JcmqFlz_TK_W~yDHn*0BG<-GsRieWTON%pI$shqoNkYpM- z2p8RnJV+jXPJA>#e4cMrj>eO@0;gs4QZy-VrV2O}PB{kxT9kWZv>WU_j5niwuVK`; zo-o`VRzOtDWD}d;X7cH0PK!@=&&QJ%5yNx}=qUG;!(~cdJdnwy`vZhynLWzGr6l@e zPSAUr!S$6`k5M{ZR1bny>Yp0n+Q@%kN5meka3(&{aY6j)qy$moriArINJO~f6}Oq! 
zd1;)5$7Nl@F0rhx&SA3=HmaNebJro%)3DXhjjkK$s*QE!ZyTp-6*aIJIqQjPR}= z!Dp;q@^Q7*y!*Jg>7zz>M~~67$~*Fb0LtivJ_qDpD!jYlzJJk>@U}oTm9+(Goq@y< zMp|J9Wt9j6?ptC@osCv?V3fL8LN7_SYb{@)TSKF(`D6Aj$H@TLi;)-cbR8!VV6Q*l0|l* zU5)cuYB;EfE6^_+I+T$>JcK+=$?&IErDyizmiUc1j$`LNEfa@GrBs6ktBM90QnlrA+WCI%YmTCM~WI3*>8?D+_wMk0x--)*y-!G z>k7M0{Fgy)Z`DfFNzL$rsd4*ZBQyd!`a)blN;vaIk{7~9u|u9ldS-3^cwXNNRs!O+ zANaI(9;vegm;SLbDD?7ALe#^VfiTlIv|r}GU-o~xi9Z5};9N{&IQ=lN5QP8H+FaSR zoM_AYYwIx4N8~EH!%`qor6gB=jX>yw)vwPJ!mvOAXcLtbBhf#Tv(@SI%GYMyRM|b} zc+9L_gLYG*E$w2PTlVW;1~`F#*Z`*?&yP;tcL>4B&l{d2jNkuM4`~It_G!gRqkSt8 z)=4B*WMH+k<%4U-f91E^UZ11N^<`>BRKCL#ImP)yJa9?^ev9*sx=kInz7!hw>z#6G z`GrY6QLfQ;6uQ#j&d4`+w{{k#wqaQGI+LYzue=J*aEqSl>@M^}s}S7wGwdY7$lS&> z#zg5OSTJ%*1;Z*rdz6MIe3^RUd!a^>e0#A$o@9ughiqmV-XzKMpjK-296K6_{g0<| z(%W&Hn(ETAudrg(3*|AIg2x=YdS$YQ=sJdAQBd5laOKh&O-FuRwu13fg)bX+-2nMD-^fmB80BxDuU1?_G{ zf9<$0tl?D|))i$N*wsC?R#v9`ZuwZ-{&-Ai^+bgZ8% z4tqS#7_qrgV#HPR@xUX>iyRmO*?YNUZcyReTKW!TrMZ&Qg7HL5@8N8obDNuKobN~U zGBGxuC0_Ut^7P!o+`t(?O|f)TlflDIzme;hsP8XGp-#nwn#2^)50f~*8;5!5?Sli- zR3`-yAOW6^rH`WTM}d`F5M^Q+e(w08LLV7OsPl67JsDOr$6f@n|7%wV1hs&bp-D%3 zwE~o7W*oHe{Uwbh+#Pu-iFxb<>b$_ytt`*Mo)-D4UiQ`dhtnj5T7>=dTF%ecAsd!h zwEuN=aIY23)CBa`W-7*Ms{3ZyFaK1%*-v`ZP`WzL`B1x#5=_*pE{bdJv{ed~W4KAy z>Qu-z+|*VdbUymF6~O;Cg#|wvS7MiWwY8*KX>0)30@zH>IMpKO{#5`!-i=#khFCpw zwtP1?HziMN=Xksy9U%U-(iCXWlu2Wb7)4n~F*U&q{4fegf_NOqtLjXB&hS>%Jl%GG zRN)CT2S_9TKE(X*9EmTy8^0vme)v`(>hjp7w5t z-Y3)E2Scnv4BY$YS^3LJiERI1Bls2i&2OzZxA&TJXM0HPHIp?Y2>9;1uZ;B-wzx!ua%tl+}BvAJjO>*Y>fwZ9pFGI_iDAtnYfv@m*7&<&~gr8 z();x*+9WZx zu)Tyu9G2^q$y|0Zn(a0OH9;@O`RkhVeA#h`KNNT&yu0p5N0TV;H0{HUX^7x+U1`U+v7AmQ(Qur=aZJTdj_3j!#)bNll@NmephKpnRQ!-xVk%arBdXzc(Y~%0&zMZi`Ap8*GtS@{lbYZ)WW}XoKR;ynNc!ntCo@&cY;qH&SHJGS zk*tM!Zs1Z;bW2;%;p}ZzRASYeS6F&@@%Yr+BTeksy)X56 zM&^Bde0+1$3{%$AX%j%;%oiqz8zO11T~4eppGE=h-V$NjYs{_tCVaTP-bhYtLHaVu zG%}vhp0VPNYQ3wnw6>*%D<_-Po6N!*Do$@By7-G zp{i0gJcZ2+xDT#X3A=S;^6E{Rtbm_$ z4hb|LlQRW?!AA&4vm_LvI%r`#eq;(6^y82Z7ZHbT#m+EXY?Y*KK5GP<7F;ZX6#GHA 
zob-E*CEv4(?jVVw{0cu#dO?Mm1-thgt~4?@T!bxy>Y|>Y7USfX@40UNW7!}|Dz-cb z<;Bd~8ANHvjKWh2&--G1<^h{OU7jt7TMUxm9z>fQbM(>yUH+aDH#1_c(irG2ml z#@ci~Ao#Dy6fsC{Fcfz(<9g%sPu?*ZqWmI_KI-U#PZJFhy;mBG{G-2AY)BPd{8L`h zjm;>sSZy?6u#~Ae4>280CGhU2W^fOhLd0!z|Y*vqyRSwS6@0n4%07*U)^5k z>#_tqV5|TA(&T{Irsy8M6csu396qyTOg0N*Y9ytfCQ)$si^JA^f4o-INu1u3Jb>)0 zOwh}?T7=+Nzm|vvfg%mEf-nPSz!_7QZ$(B2#(pyEfDg2Ec8M-gVzEz_c`-C@qXHj0hLm$-%nv1sZfrly%nab3a4CP` z;bK!%P9qJjwk{-89zb##l&O`&S;(Mkc(juMb;8v~nR2qS$scG2x=WvzFH0z=hzmZa z9NqSYQ|7wZ&Pjpfhx$j$xWeB-SCt~kJy@$|4iC@?q0VyQeN+X}=p~BgNRq20bnjCU zTw>lth##jQAYv321f_ix@KgHFZC%U`N>mkHqV$IFiqSH8R5dJa+m06k9 z4Tr3MA+%sH2u4#Z9kvrNi%wND98@AHQht9J^m{qPYw)m~0l95wo-kHFqS!nwRw5HN zQT!0e%z=u6P^vT|2qWkwkz%}LrzEEnCm;^L6i%!|K2!)l`m?I^MRl0qKg7g39n2+~ zT;Yik?R(#5viX_1ING&3uw^HC)E(4TJ%E#?g~jbws_u| z0OQ#lUttekJ{tVI5FY*V7pnY)B3v5xC9OKzQ57}j^}N8dxS`U;_^$c5e?7`Z=g#hf z+j^(7(BnS+uL?QF9P9y+c(H)nMP94tHCOoYJdK)b7RGR!rXa*KEP&{Fk>{~WQ_T~_ zi2=xp!F#`C6J->vtPC;r;bs5#w@gR*dB9`o{H?llJ6?Xw7N<2r8iax}XEIUnMnx=? zCVW`d`YeigTc{G=`U^nk49BpCC5#K66d)6%m~M;`IZVtI=Av~2j|EYD636iCzELl{ zO7=WChFUyFn5Ozj^eM+EQ}Z9B{M07sX!{MCTGG)w^!@AO%x~-GaBNy-j{gNs&5Qte zyrn;BABf~o%idx7CZ>XumH|6bl?V#4NJJEc??ol=!WUY}Z$|C`Ol+}ey;o8h9MdsW zaB^H#jka2N>*zwRDH?!`DaCj+a`lZz(Y{-)72J$hIl)EV zW+{1QZHj(cn(f-EulydN@<1biSX+K?zjppgG2A+_>-cdG_g*Eb?oKQ@oj2Kcuf zDSyxMIrmhSGtHXA$UZr)ki1Wv#8p3FG)c_d)~pGfu8Z1tESf5%Z=POEQY$o0(Dhz~ zB+%w!rqd0EaxXdjnZ=c6507!L9*Bv#!g<%!zr!->LsPn!H=8HUB3k!$%m$7hWn?#x z-}eQ^NQ9^7xBXx+IHNw6VxL_hC3z&`d3-2XOttvcTrE!yPAL`E^ z-m}2F1xgmm`wxtA;eqCM&8BF*8A_T2bH=c|5P)<|Y*c)uqNGH_waHF$slJyZ@Z;E? 
z8RFBPfso`Mv9u9clRO_l^95%H`4RT<3+IngD_QEk|10|ydOa;Kg*=G; z2f1C$l+;iD2G%#N737H&6fq8iC$oK1ev~MJu%URuwnEdknLiJCm4bColY3zb<_C*S zM3t45`;$Va|DC0v<{BP1qlovj3SYt(%!t7x8rvAFt~9-+?CkQ5$oh45@Z)Ko z|3CkO{UVhf)K&GH6h&JB02I~S!y-(KuII>Wh6uIZ6{9OmnJwK*+M_UH7l}<~4f~l& zN4P)rgcq@6n|(CDFbk113bRr7H6{KQ!4Zc=$foEgEi4e5m8}>2xk{_k%%Hfumo5zVyQ`RY@(wt9P(i%!mWnVTnQ$qNb+G6mdPM z{Sktu;{V$jff~;erbC!Z%DMtvT^ZAB_kB=7e5mrwlBZ1`Xu13I@xq6ztP!4>C@MmC zsHzf;##98)?rPEZNmWAo_D8K|Ez)-2QJ4!-J8FA}m(q2q-!}Ls5>fM}wZ&~8sR`5= zSdtZgE=|>c?>W&o5~6H^iV?(P}3q9IL`(KEB~O84(jB z$u6YZgJNLrpERr+M?078g2|))=u|q9o{q`D8D*Q1orL{h`MM6GTfSDzCK8c+iln9i ziK+fcvG=n!gl90WbnuQeQy+P;h5Uj95OZsC0||mo<5R0zmV=7pu^l1>Qf6TY<`u>n z6YU4|mR>`|bXgj7uVs(-gjtBf!$mH3tJ6u!26Z};Y9C_P^YOg7d9E;x`=@c^KG}u$ zx0#0lb!HmZ*9a^O``0}LR+Pf`v zZepvSmkqg5l)<``cZI12T|WKK^kIz?_(fMUV4fDqwNjJVJeaiaKzP{%85 zI)hI89b{ekJzRuBz|t2ZtrtSjcs0R_5_GId0N%)=U~XheRP({La_ur|W?PMld0U=d z5y~<@(%evyl~NdZ|BqJAKZBcJoYX9Du`fBK+2mkdoM`CChqzpx=4PcTvjq@=JLFnK zf8Q)=qP^Iav_YK(0V>4cW|vd^8S_oY$u`nOmVl=-Uy3}>;UieF9)9U<>6p=?A!1Vd zGs&nPrv5GGx<@{Dd86|i^6P?bh2!?iiVD~#-NT!t9OW}Fg-|-K4=fPHk|x_DlD;Pa zoxuWKKviVR@^v&g1@g%;-qm(%+-}oBOqz(y&|;sL-p8d`(19ryCR)6U!dfXThoy6Y zqJlmSJQM)0?$BKK8G?TsNk=n=SiESZ`8@Q~icAS54NRa`fu!x$)hvvUEM>vm0S384=yd_(<5is3re+$nVRMYV?BDX`jK^*u?deRq zU76SP*6ab&Z7fwKewFt-&ZIP4I;^?#UsvZMQa#&3#RWbTJh+DFz}dx2B>K;PI2GZ# zeNix(p{eR<;q!wPX}l;ZFy2@2(rSZ2pYK*Jku{ENx-D;qihQL~RlP7`{czSQ&(&nQ ztr^XML??ZUhFLZ@Q7jwUu}dzJAZ}w_vM3m(3MnaNn!_y?6ARhzBMj3<|J19mg}Lkk zzBaw7JdH<)*3- z7$W-hxOp%AR!^2Cye zo&aySy+`}&JMJSOo+kE=BAIb6h>emJK?CVG@Dli`)9Z1qBM8}TLNP{6b6#xFK+j%F zzSQ2TkNpCICsX0DcpQ_v7i0eS>twQ)j@0Pz<4Q|{ZKDb)2{$U3E1EZel4OID?9USC zAT!$t`YL{rd3o7>0djGQso|*wh{KTszVDyoD8couoc)YwhQ}QLJUXSY7HA=D*I~~I z)HV#}p9fPk_8B~3DX+SpdMQv>7{78(8$o?Ep-=yy&8pxy?)w+>;OUHp=YBixJ&nz$ z+xh{bnZLxAZ)AOsBNxL|`Fqe@gY}@-wX(16L?>R~jOgmM79sG(*>C}ez6H_T7*w|$ z73u95c5e?4%b~F!1$z1^n>z+?%{@s~bQQQDT^eqEzNq4Ps$Pv$`_?a#7-cigY-2L| zBgX`Tsei!RW#%U~K=*JR5?!q4}iB+k6qTl}U{DZ4`oyV7$uQ9~3J0F4wqo zT^aHu9PS?)FOVN0;|dJ;XEVcj{r4?+vg-T1<;QWS#G 
z^1b)nnAz{bnPiM$H`-9nS$r_VVfZOl5qxjWVUd5~jMaDR~dgO^@Kky(%35Yi; zzh;ltziI(UNRJ{5{B8R5ic7|gZJCRKMIt!pzylNBfB%EFoAWo@A0;#5y#4mu6`y?aX^R0^63LVY_UR2f ze5uu!Uwl=aw{~?c2VgpN?iA_?JLG2hWTmPS-&l!NkO}=jT8oz0YpzX*bs>H&mMvdV zvnFqK9rh)x!xHkq(4j+eW0pM8G3TgBSi?l%I(jBxq!R_+W!U#~vI2;TsM# z5aCA*yh$=?5KE9dpt)Mp z^RNVR^Onsu$ykAK?2sWTSgMAWLhJvvd6WyY)jY15{5N^A>+(;TGPQinIb&Le6WCk? zu${`dmV*WlN?g8tS#3w`>3qcDeG}Oa7Ucjt^^Mw(h9*K<`=kBLoA+@l_g!Xx1+&!> zaEMRt7qFkTYq_+SdzW`c{n0bb1DyDb)fK=I+x~IzT(zh2v;LomLE}?#8u+?(>uON1 zCLV%Q>{Z9m5*jd^fXNR`NM zGK@2(AAjue+@(tv*Q{E-S~i91+O;b-|L+q{z%nApi-{*JX_}r({@1QsU&{|$3>|jd zu;kZg%xH}Rswyx`E_len2PgLK-CHMJD1Gh!kp((Rq{te{|DXSSRB`y>hsi#-n9dt~ z>2K3p@g&i01=}!R66OaMv_C%^eBw!Q2Htx6t*SBe&aFK9m;oXa>#>(!p5E%qFPZOa z@Ie#xMyHMmlJ9K4kgYgG1lS~xa9905Gj(d&d1J=3!1q|m|8dybg$MPmShljJeW&(O zJ7hBa2*r6SL;%Tf%+ zC!WX=WwI9K)=B94PrP0F;Zhex>iN1%2;9W#g^na4cUFGxH)vI&StQ)T%%k~F{^-2= zhyPp4|MAD4ROJ^G;6TgPD9~U<)E2=h@MZPyzlT*5z}y`DlW}mz{gWQZ(ng)aS!N(Q zaCPh6Ej)Mbf7+5k#u4AOw0uc_|M!A+la;xM83vfdu`Dy^y^3;kE9hCJakAR%5(xgD5P)xW^*k*BGh;8 z)H!VXU!4ELT;ZPF*f(1~lt@wvEqLPFACn0cK*=N`VYK=Br=k8SkF`JH7o-#^F*i>i zfCQzSf6S&@A87Ig_?LIffOILL!Ox{v>pU-|K%f{K9ya&<|VM-`$E z!;mlmczqXRF0d{jWoTa+6T_D$=8DNwLc#!uN*P1~rqP=bN}mOd8zayzRVHV=owvrC zikKy(m0xW^C?QjYErk(WmSpr!cvMJ zqJF8xvlImigm*QqsucmFq7pI8I6SYWeqtLHLy)RY~gPaB<#sl+lM#RTo!cMKiSzJr`+%KXQGLU{JkBXsATcVPZMhytFS4LuM+;$8YYt@GAfZY_G~p@*_D14CXM za&lV*Px$FivCB6|k)9yMNxQ|x^|#)7OELBx(?H=wq!vgEO5_xib4r8|BASw4Zr~WgVa?5{w`$LC{^&iti>54>U5u(`iICA}U*B8I`k5^lzV#XPzym;)z zEkFKbUe!k*&6Ppr7hZg!oP#Srg}qq%ojP<3ckG~@XtG8d668q#;hecuPd@dO{mMz= zbf^(Y->{9IXHRTq+#4^+*8T)a@{dba%Om5jxtb?!F||n;ul`|0tM+f{lNm#ZC|&w| zFpf-!J9g->Bn(p8FY+#Xf&f&RLqmoRk&d}U3V#6yO9IL;(8t-c=&(j2x7>1T@k0+j zl+~&Y$`|P81)0<_2j9D<**S=@JulVtE|<1BjM? 
zmIn$UNst}`FT}zh9oj-MKzIoeaH?x?$WTIJ;1CS%ar1nprDH}>!UrCBVEfl!e{Emb zB@r&b7m1*LF1p9m&!nG#k5)(aJ2J5!egY!-18Bj?vMRL6i-ZUv0aPE6PM$ou?6lKP zZP5`2mXHc(r=hM6b!gB1ZnRU*JZgi8WZPYNT0Yq&U(?(g05x7ei$Xi7?REA0OiBAIp-7!>xY=MwBSTEe%0y zuo9lm#?d46H4I(^a8~NB(D&v)@>6;A(C0@#`G|rn;9(q~LCNT1=-W^xjaUD2k69c_ zu@xuuWq0h<0s56{%4yrW9hwiI#Q!?H)K_4(ORqlo$OAE8M?2|%@byUhU&@kE1vw*^ zmQ(dLDt|XmKtBPeDdW^|Y&0Hlc(Q3f^b`8^M?ZlY6%nZ+_=R7haIuQ~s7qNVDmW7K z?$r~64?SI|s48)?J(la?q-k@+x2r!xDBAxazTUliC14N(bsFiD6lo~=^76`ho>+}Q zafoG%0?|vKms5ReB)>^6^aTe}dhKtpw9EMTW9hr1GbJeo9lRvUDH_6>L5O``%VeOB zm}SzxG6dWKk*iNnUSUdn!uu}DzZv_; z{`PnOSA6Fk|Cf<~Q5GueK2VjE~90TpExj!p0mLm3_>Mxk2cj1A`s6HPWMf^Z~N-i zdHQ9U2;dsaPk2P&XB5Y$UC#fTZn~-H?%&;&#Y5F7KlhdH*SB91_MIg;kJIv}_94N_ z3MDi2G3Z@OG0t~8Z3E0Jo5w}#n}&M+d$Qm zQKe`(jYD6H7$XEPtO6AA;LU&HQ#wM3-YCXs9D&F!Vbx0?A*0arNgw9lZ@*oB;m#JC!xny1h(u^wCxWkDxNhqwSBVi$oajp`Vx}-BP7*_~QdX!4Plq{zZQH zs3Alk&UyqbLQGPPW513{_rCu(q_6g;{U6GPG*L2w27xRx;DhZS`#&8zbpR#93@Fh4 z_)+v%zx>tK6)RWRKAq)_;u4zA>ZK0>U*JHcF=NgtU^`JE+`nT>2^u~MpnbOFk|Tv6My!Zcq2Q^ zfdLH0i9@Wv5U<0#UiuXk6=FSPs$BNDP;C=d1>iw31@)I-e#N%iZ@;~GGiJh&fI9Qu zz{CLFjzPFLXU?c##|DWlPs&*X`W00b5p)a+v3d0NFBdMX-i#Suy4McqYZC{4%oY$r zjOZW(Za6{C3~B|jIsL}ERotjpsYJNn%hz8o<4i*d!v1{N&xc7H%a7T6wK#C0;KR9d zDmjZ!(MRcXp#IZ&^Qz7`V{`$(UKs$~T-k`3goIeR)g?m9cF35HOIgy!(Z4~)b|J#S zF7ZHq924d0pU9Pj6Ir)mW8GbM-7TlYqDdkrIC$h&T-r%mLa)4nC(o+<62#KLKLQKu z2$e2?vd0|9;Q;mvxhSf<3iTLa0iye#2p5JYK_c`jA+uOC@RwI2jXEiRmY+OqwvDf? 
zg*+t{U$JZX6`l0?#rd_@UMs)i^2@ei*{gt)&!XZI;ECFwSAIl0Z^Z=B`u_^@?(}((e>9~ zU$ky5H^)~5yt24k{eQFRo4T7(9xlJ)imi+yef|`W6W}bVS6+U(ocqjZFfbVVxB8D@ zfOjTN2R`@Qa|%|jS_QbM{>hB_k$;ha`&3%`5+n=-BGs75)sVgsCPscNi&YXP|E*+z z1@k0lU9A3PCW1yu{-b+}U#~Ad|end+m>d?ennI{>(E*7k>Q7$7a^8Py-Ro z|8ZEpn#kEA5EBEinAP@_VNPVFyp7~Xn9%1PKhHH<|NZmzf4VcRB+r25brIN6y{3e~G7IjN1lE)7LsLRBrflKnAgA}wsy2XpWs^JFu+qP{*{(!zG z|4ZZ+ctUf6rFV<%*5t@L4HB~WtU&RZ6fODd~S(Ak`3q+FTNnxzxCEzdh*}Y&w>MZC`<%pIlh|?@(T1=vQi|8hGT3K2gS{zoQc7 z$rwmr+hvkhzEw8XrDIsHzQTHS4R+w-M;z{rx~}%`s8_MC<+dPKDj5Bjlx&xeID$2f z{NDCQ?-$_(?LZS|XPzFB_GIb#Y|tz5~5n~}_G{^%l@5gmEul~;DG zUAGo<;;1(KA+5Lm;fJ%CIJNfNbI#hja@9)q(cy#|@Wtl8l4xFjBzEa*=9y;=ji9Z> z7bYtQtzRQZk(C0IOF8kBe;$fsX08bUmeki%F1DTV?4P(O*NmCAy;#Y;=M*_)0-2ch z2N5y)|2Fc&{wglN^2)7S3i4rJQTwMnCEJT5cTAjEJZJXY3afuc$XZ(RfIqo?T7h)(@nQkLti!i#DbPUzL|s)_lwGt&Q949K zK!l+i0ZFN$OHx3(r9nVCM?$*0JETEUYUu6`>24T$hM76@pXWKxx#NP1{eAnJz1Moz z8{AYC49Q3h``bVcxrSW%3C+ZKP5kBELO)gXBglJq>&)P+p8V`3>{@am3Aisjd}%eOkpKMG%SWOG3LP4C zgP*?lC{=xVa@5(PQj@VjKKylGflGJyfi?nh4`Hirv8TAN)_TtPSseTZ#<`=`w*A*- z|G3ioH|ay1QjtABQsJjT7kTGeJHxZo&OTxsr!kQKHzNM%rv=2zpYE)u6}}0-d@XQE(3Nl8Q8l+IOKIKqrj7!Ue$k1nuRmAcN*jp`+b55amWm|7Kdh+?~6z#rNuS|IGlTNM| zsTvK%Irr4a=WlJVZ5%N%{rdK5dPqXu5PoeCK8O&hb#wn(!2a0+Z~SSb0=WLitKJoX zZO7vjdjRy}Zau&+x}n7|Z--_0zvWjP_!7jGqGB5DP5sAaX8;utd9k`bB{kbd$y@`5+P!icln1H!@mkKBRwEEsD|R!513ULd{=W1C4GxQ9 zOC+DU1?}P~h1e6zbR&yDQPd5$*q2g&;esiFl=c#yik^J!Lm65PTivl6ZD#q?($k5U zSy>1Ct0-)*UK@`}P}8qFUIRW0P);m;d)yYYHBh|2{ZnH%^;oJy3k)s{RXGJxQly%* zIIx}f4~U~Q0K=&~tP-z(i}|bFI(nS8&0h>5u-zKx$#`MUy>hKEsDB3-j)J~_+i0`8 zsGT^*7o-qy_`T8K%p(?7SuXQZnS_FbRZI((Qw8EGzx_t} zZKb}WOb0Y}(N(wp4NZTu00dw!TU+N}%XD|tYpRc3gvwUUJmGg(*J-n5fMP#oII|!*A+=e7pG+D6<;jd<+lKV?U}$>@|yGt$d1O{En<}Xyf0iHf#;iYyM6= z_C`d8=;p|7(Pa2yp{i1QXAx-P)O@q?#xHM!4W8>R3v|$H#px0|y?0h%fcy-hIg+q@X#nAmEv4b$%xLJpm)!o6FL_Q*FLtQy`ohg_oL!bjKrD0OCsca!bBubcLa7~5pnGp#g1`)jh?TmQOR z3?VbQWNWX;&wzk($(OIied1p*uCswhSgJsRURc-DnKpxTAqxm*DvwNzJ7D?J#qCNAyk>n+)xkmjX04IcY&F4=3Fd!XP<)V-I 
zwc1GQ`lXn!`K3kkA%#)Z^PLp%S|g~**zeN6TT1l7zdJ~;wn|lWg|kdRsU%MIYG4)! zHSO+{dmq2_kwcUVfcdcXiY+^3MhQ8(X}X`@zWNt&AMzvyhZ`f8J}05ug*&WLz8aet zCvfalEc=C;M4;x3z^N8@8Q5N-CX>%9qPi85TBbwPC#tze%wlKoeeveFqQ>;5!5NM# z2$6F-2{tAka=O|!d-*W22e|bS?gUy`TAF3a4E^;O?W_LhpocpeJ9hP+pf$+^@5ZeQ zK~2HGqtHgA?wLFpL00uXZOREN_g5$mTKSZ$glsep#V^-cy1-NJ935XMFI|P|bYzA4 zbi7v5;fU>Yk3c@kVERiB>WCIU>5q(L+weZfgvc0wulm3-n;!OQS)qHB^Ca2%X1c2O zjSQ-xXnC`B>SEN0KTC4gmClb=r7}y z0M4Yy3nL^5aGFaZmSv2rpz^$31#0zplp`@r>;hOcN`6TBPakrAc=FmhxIQ?U`LvSR z#9m-0{&2?>kr3$!vi-O*jEM3p`ARCGx$BUryU^t5IBU|avn&LRFH3!zn$;sj|*%bGg>!^2!uVf^u3KdV` z1^RKG0szbe55{;m!y&unEIL5V0FYL}3&o#)mJM!DnJ(fkjB$TPw73Cz?NJj3BL}>f zNmI{vySHXHuAzjXK}*fu&IH1|Y~--ZVKJt?J-1uFMmIr*NS_z!{{jckpIz>y_AjZe ze~WTY#ojvrHs(z7n;4sj-Oa@_!mYOs-t z{0`>(56Zf&-&j-_1;nW+p|=}3sHacSs$$gV$+v<5mOTN_0{wt%#HBPns8;ADh zY7MAL?CEZ>%6>cwO?8bXo7Gma_mqUDTMNWNwP40N-=v+EPQv5k=K01KfpJE#=Md zOU%*YpkWnxOVVK{wldn7Is&x;`RzE|9g9Xm4|DHIe?7$Z!A1 zuD=hfnx>XNXAQ4nUU}u9hkv$j*&$gD&L)ZF1Lmk z4MFD6e}uqq9eRchZWM&d*jXamNpF7)y`kTgosAVm=#-rkA00b@Q*&QRWoK$6g%ghH z{H<6FhThgx018P(F2Hw$RUzrEbc~U5_{Qsuf0AVut*KmhsmoK>ZH+wY+py3rX%T41Z<%qYE(A z|H;lpVLYD2ZXlp=!UaZlQucQb3iE$9?!nC1kv?Rle1xbN_}wj(LZEWH?xtesvf6v%X4YxtcIp;($O^R z#qvCDlnI1!kBF#85inCo7s8coJv}hU+CQLJ$bNYK;mMiNoQi!k|Lz^RR^ybKafu zsxX8`HBmmA4sHA%D4F^)EKjkO3Q`X>Mn2wxH;@t?CamD>MWo172?&V@CqFt`@(o6Z zeea<4&sx_(4)qeIs$}xx4?2BjrUL^Evb2Aj-#& zJg=W0kzIUNB*1J=)m+>o)m$(Iie*}LBK% zcEiJm?AG8PKmJISm2qT6Q-I5i>wd_bWuRm;SxKdy5yOvgRqzvh^CUMbD@&X(>ux;8 z+f?G2%AsMjAB!LC9tQA7_FjM<;GC=EQ`P(THOTN@L4tN#PMgqdXfw@+YK*NJTCdqD$DtM*`}XL~devM-webh&{n;cZ$RED5 z2=<2+as=|@=j^XIe1_jGo*9Rg|E4>synTQZ)&UkREB&7kq`an4eHS2Ex2=0198tP~ zyn*HVBWLfZpAgzX{w1ra*00WEkxw-kP?1pQu=#hh^PQZwF8mkmwY_v6&^?8P=hRA( zZ38sVL>|gZ4kXff`;HV=ou*WvUz99gUCTP@?hUmS-J)6zEQbfEb{phO^|s4wClv@r z1du%3)@&fGac$py0mGBUUR21pU(Fxng2Gkx1s>pzU}W?__XP+BcRZ8mKLgp3ngNV0E{JDdn6K0XkvgQh+g{EGa-=)I z=5*4lt5dUEOw;Oc_dT8SI^x#XaS^b7_!LEuA1MAo%+DBA)T9?|{J@z3`|tr(2V zmqEQu)L%9#)&%}YsZ6}thLIvhFua)mhDqC?&*T9u_TN}Gzx2KN1?czNyDJha9xhH^ 
zxd!G)Tl=6RNcrdz23X0ygc%oL>is&hZgne}%R%ky z1!z{V!SEKg(bPHR|7!zz2ix#RuHMzbuLx~E7Pls`&Wik*__+u|F7@9NY6rk(i02ei z)=3A*AY;nlhnxCOMRedRa$(&?XY^|uEMv<+9rEom!sE9NmwW*s9 zdaE2P694q{1bw_FoqO1utN|(gwP||lwWME9`k2BGMvz#@qsy%MRzL?)Ki@~#hrNs7 zEhhTL@3TVE*O_1w|62%(By^_zE+v9dUJa-Zu27zK^ zq`$NJXb|Bi=78SD1e-Cly8|cvHcMrE4Cu&xGD20%OBzz+|5)KVW1QXGih=Hzyo+3& z(*8>zYc==oz27CehtYb*$|7~@JifwaZ1lOm4X98R*wO!RwKK~sMFsIgWm7yR1SJg! zj;o94xOr~Vy8=@-h7`k@U&^?iGRXbDz z`70Zh51k@n()F__hEgbG#od}zQAHkSJGgk|_GDp^!=R=1UC;!{Z9LTSjFSupBZSh! zV1|0rW+PwfH~bmqi^K$tz|79alJ94&jc)&0ifxxw#Kv#nun2AU#2A&QhB71uy$7RyvJR6_(XRh=3fhS?l{{Dew~w%VsdW>SE1?nt;c7 z)`*`3SgMp@OG7Rvh1Tao0QDZ}-V5i7np6Z~tHh<;bBUXBa-hrpSOlNl!koecP1pWb zb0cWKxfyv29s=e1Hy}?=jQMIgM{?6T4SeB|ow}K12Pej>vR`8!A~z8F7H2!c!s*ru z+(S$bfodN0Dm)Y4a{qi!w_4qHgZ##?$07%+FzVaDlncar=$*t*W)~UL9GacWy*l2_ z)38Ld7B| zA1e<|S7JF1ggCIwbGhb}P*jlQwYiKdZIbtz98r{dT|5x$QHGV_B zQ!mY4q2=ZdH}`F@vKmfcm?t}2wVkWi-UFNV1UJmeWiQaOu~GOr7OS?7MXF>Ancp3A zPv{qdwiEH70u{G*)ci`ry=M z;yd^E(-xFN-VWgNrCC0YDG5F6PAoH0%k?i5B8A^T%DnBPi@0dJUmr_)TPFBavF>%* z9okf5)L4E#xQ?iQu6B})vMp!8Rj&QUV!~^#i@E|fN}?2Y#z9rWywa;6{%DvZjI;*P z+_SUp`xyGp9yu7EhkWLVaaIkt*#8#l?{VNbtNJjE&GKiUKN0so$c~U)Wa$%%CHn;k zy(}CFZ&qbr{$ugk5YG`7k0?_+Vo`5A^bUL9W(ra=G2nH)%X<=7bJfs8BH)P%<|hkP zZj)ldRh89EDgVwJp|L@&smAVJ$2O(Ww(&_(&SHtkQ%9#fRXjV+nNlKv+pc=}PEF@K zfUm^3IcP3OK;CN_kB#+1c`qg$0&sXN{eF49hm2o9`XgX>$PN~y$u4N~lJCok?5f}& zMiVqj$EP}%vTm|y2{m*w8zuU{_~)wB%J$O=?XqlmXza?rz9~9Xybwpn7t8Ie05L1y zP8zXdf~IhTSTpC5_yYgbX3DkLdgNtuP;n$>Y1nC!XRHL&t8!36L5cjLZ21V85vb~2 zWw&*U(|i$p&2uMOriv>wvNtJh=glXNu}>VbS-b@=>$r%n$VFgaxcYlm{DiOt=4|Hk zL2ZQh-6?tJ>7P-(9AC&VOTGyiqXFk%4!DuIBIC}zHzM|(m#rc{#sR(0ZlD1X+X9g; z#X4#_5eyWC9%MP255Aqq*saRihdZ2rlv@C+;3Px& z$(10IUuB=>Dzx79ZqBlAR3S*~tVuLt1q}LGw2g{pO{{UUt}ed9DzL#w=z$W`CF=^- zi=y&%heuuX4bVkVQ~)|A{b$Q1iMI{ID+uaL&Ao|D8mR<;|6%v$BdJkKV`sI|Eyt&J zA9XvUNnn~txR}(5pqeDzftcK zi^5Tiry=xr0$e9Xai}329#!IlQ9fZME9NcXG5(Q212_a8>+P#XI!b((B*)BLg3MRX z_+rW+y>~SeYFqV1YhwcmQO*2G4RwSJrEW}u%&%<+Y;W-G^{G28U~D0lkr9rlOBto~ 
zK6Th=t1UaL3doG5no;>9u?5WF6^R_SwdqP$9dIT{mWC|fzWS1Z=HS9N5$(oCP8u5y zIpSf;ds(RT&-@nbd9|H!4}8c=Q2uBsljqUbF(yX-_t3hUAVCF=ze(gx>%mL-YsVYzeMq`{auS=vq;78`JP66h3iZ zb%@I-|Az<8_Rpgb?0K}EL1<~7&a zKZn4pUA43Zs;L)@I03lo*svZ(U*kDo(TL2)A~35 z-J0UKwg1=I49xAU0onQ04)_@%AMct0tHyIqcV&dLrn|p%g(M}HT?LO8w;1_#eYtL{ zkK!T2IxWx!NHPA3RS~K-sn^>NrB1si7IGNST>YQ|4TO(U~Dxv(B=-y7b< z+P{KpT%{3MsM+|Ry1_@;rKLU}?)(Xb7+W#f-pBla$DI;#I(Rzo{81ej3B$}yV!wsU zj~IUxYM{Y`*klJjTWi&`TJX8hdha*(v*_lg!TQDL39;XxV{ufT^5=?Ne_KdQx?_iK zcZV~*)ew!+oIb`=!A3l_?wyuy2)(;Ogotd(NJ_~+(6{3*}o z=<&u6F5m!S$1^KwIxk%dYdo)m0uD1ukfNucOF9Y^wT|DbRC~qpYW1sLZy6_x**iSW zxnZ>1bops!v;DCgLs6><`*V^~?n=@E@-EkHGDR|mm^@MG+@X6JIPOR1z1aLo%%AGM zbO+x@K{x7hOv5M>xtw~vPE@>7gyp#RfgGbeG>>i6`fi(uu_~ zq6sgIRSU8hmGS)u^=Ng6>p#Rv5qzdUEuZ&tBW6@$W^8`Y2x77V?n5{~^%?{Y%!SKV zeogb??@4PG@lS=Ow%munc^3JEj|xf1P;!R;rMA0++56jz)m;7KPKQVH+gephBQbT? z#)R77ak^vTW@CEz+p_~S#q!T(-_cly)!W3sRe93$uME9v4jk4BqYmcL;3XllUh8k! z-ThYTxZ$sm-R4SAW87BlKE2Jr$G{--wBMltwc(fzGMpx|o-HvHY}Qgi$;K9-dxySN zy3GWzXTz^?XjEh5bJ?+)d&1K=bI2u;6T5?GWmq&U+as#}t)>?#{AVjKU0i+yX6^M( zPzx*!Ch^cX9I=`ISd)SF&=IRewcKc3INtznm<>A9!n-65uJ|}XdZP^{snu&z4y#Sr z2m6wf`pq&aoJdp{ZibuA?}E=-!K|MOKkj{Ju=rm1E71F|M;!jy&tA-!W00nqp`XLI ztsYLhh3a21?z0GX?(U=V(r13?b6iMrdjon*FE><0%@kMqA4sI%?x{Y$&?BkQOOd&Z zey7@~^T^?hah3u9`~0;s@grw{T(6-tn|4x-_=dk6z5B@wM^dx9^4hk{XWdTv7&WI$ zfm~#ujliCjK%~8`jg0{!sUcPDXEOO86gL3omVZ9 z^Dycz%+BaxL`Fs&U*qDOpaj;s`Y*sA*>Cq$R&!5JvtAuXJHgObLIoVwHQTJG3o<0< zD8{D+^zzqqFunSs3f|(88^SP?-o@}W{(jO#Hz&GS0bmZq9xig$=`U92^ZnK!4Ju7I zW4LWgMEU-H3XmcYV!rwrLn)OBek^$_Xp4)}Y=-0>*QuS8M`BR}c+KK|c#)8QYU=ka znME_r%DPtn!abq<3+ut7928HXL)|{)IHewo+9c?ZCN06#5h`o*IYdk|wm6%@NfCy6 zX4~?L3Vgr3Wd#@=9?s$$Ko_kw{ST8|bmEpiF&-XVruFaD#+_yi1hzV(x^Bm4N=Kq+ zxe9h93<+{aQrZd9eF^Ue7|JQB9g09Bzkfs$QrAHSM?n(XlI2ed3f7!4r>Rp_8VA9A zCyVnR22S%{r$ibSfyCR~w>ssh($R!n-?HndC8nkhE}QyPA{g3)6ODO{YUcDbZmOPw zUpbHm^|=&jPZ|l1NfA3P)z-N$uz!*svkau)OTimW;ix*Fg>^}1P|pmNHD(ZA-GZ4; z0CphSt>z(+BBtEvE=Pm}m3zk%jWcyt+TqRNf@nT2^y>8Z`@fdD@BNUy#xI?nQV3)B 
zN0KrV&aPj~TJu^HNo5+N^05}vY{2JA=i%>@^gCRN?!!yn{Nc3SM#w-ipdPb=#){eVAQg0_;KF}hLLF?)?s?#?5 zHFdu8#vVKp3fx4?TKIQABzFg<*AAjNcaR^Dyc*Rf}xA_;xj@t!1aZ@KNuQOe%oPG`C<=?cN2Jhon z9os~AP_3aNL#xMzU-J|6q?#??z6mOV48;B7*ml;07gC4rw7i!}vMz9hsHBS#6yc_! zkyv4?s(Nn)Nn)`e6uT5>xzo$Hh$ncjug#Q@FhhHJor@H?T`~`40JtyZhv%z>IivMh zr!3EOmY1_a9<6evtS$b9wa#95|~QqVIMjVx4r$SRR?1zFU4pwj}@rBpxmIM_ie!(x_?@HZ_>DZ zP$$}Xr&75f_3aXJ0^7sl?qU(Bo0KwuyE3#N-f6p6j&nGnjM;NaC`A`h!9c9569%^v zj1bSh{Fpkxh6T7uKnxF0ooq*Hc;BAm3wtPb5#;~ddGiX7k>G}v^O`fn$Xqs-WvSB- z^Qq@b25*~!5_WTx=(_6AY*8>9mjhA#IxZ`nkB5 zq7h7sKogy~>9c#h-0$c}j@Kx4;v6tZd&VsxVvRMQ4A8FC(pXvHf~G3!AV|CX!>7`f02(Ds3Q?>fK<=Jm1gm z<=3>;?>=mjgiNZ-eMW(D5??-ARy%h9zO`p$*ji0>J<~^lSIoE*izUE4^stOBO;T8p zs%hPjALNj`kSFi=1?m$nL&0tJ&2l5i9Y@OCn5QqX#n-54U$%~|5Q`>|}1TD-r% zpK*gFg3=fNydBUkS^r&ypm|}C24B002#gg(;1;!?T;CiR`&YmJWVTxkV?r=RYG7T7 z^9^9qh*gV3s~08$u>5jbb$j{;UD)?#h*C?WIMZ(r6?m+6N}{!zV*ucTNY2{c-+CeL zL2c!FOxg||VJoH-YK#SWEu0!)1%`=L zdo{U{iY3U@1DzcZQdGBo*SCxK+iHVEpuVtCcYnm=!QQTPWkVF+#+rxn(CKWc2W`&y z_8|II#br8Goj1-Y8J0`W-z3V6}bv7GWVfk%VZHj@t$P}MQ`H17STW#wUCP8Q9m!LKsMNsjwE$~J@l_#d+`@b z2>||Or?#rXe&N2NzDu>)Z-GRQIC>w$;B;Z=IXCK@+Q`5_QG*X;NHHdE?r#1DCoAbZ zt}qws6F}JRcI3}DF}gp+k9#iHUePTY5}zx|2@{`Ctdgb0Mcm>^9GD+`fJ~|sR^?+& zfT)YWKv6nT%bs9tazF1|g_uaI8MaTcTFF`y1vQ=Q6g;-B-4lk)lgD^K?WMdY$1_#0 zlY@gnyweT9#T&Gq>x;AIgH-#~Cglem-w@GXcfPUbqP296_$$|+S*O0QJ$u#t3|#w! 
zd@zr-xcyX32%%lM23G$TJjim%tB}>Hw{*kb09t}?z6_%v^s@vO=5=|?A|5uZ53e1r zpIvR;ts-8_6-Z)jRXiBM3s(V7{+4`0y<0`FpP;;TaOJujV3v=lO}DUJK)Qg3#~L0Q zQ<>p&(cv)}&Xg55M{K7p^q?kuoo*Eg@Ltkb*K!QPv2C}-c$y%Js!l|$ zCtc=Pv!f}#AuY!<2a%}zE$KF|?#0h9ICb0F+KYmy+J{XJuJyv`9BX3=ve>R$-|}C- zZUdh#NfltC*Fbx9_EB>MX!5hSmk?<1u%{h|9WYi4OF@7-pX6qd)M5z%k0C5I#RkVj z>(sEnd+YkhFpm3rgs3%0)p_XxdI3^JSn)%1o$l~4_jHd*%JfZs?Az^r8{g%(3hGNu zN!gE-JJ2$)&*G#L&6Z%)**@fpDJv@z#z!u&W5S}9aAOS>VEBU# z?kWVvgzd4Nrh1R;+0EstpYkmlCHlYE>&`GZzBG%%RmatQTAANj%29}8LU~72CxuFk z#6i7IbJOF=H3*v&t5df>E2@Mmbbo3z5-l}S6g4Jr50Ek#C?xj%`x;Ocwo65i<$4y2 z@yedl{~hk2^+S}rJ3a+p#NXo#yIEntvhJzA*H`8GEyp&%`!b(h$*ONh`>ZAq`riLnCa;$nzsILUL0TJ6D6UJloYJu1 zoODrQgig@&2U*%by!Ka(AB0y!<4u>%r{d!>Gf7XzL1bq%!As5@?kf#Pe?1TD^A+^< z4LQ>#qP4i((RJxFZo_lIx zY|lsMLur9KRH%ka2)^9oyM7gkcpx)UU4xFf#&g*EN!Kc{U$thBYzjFD(AHXd0?ox6 zzP`S`9{;}4Bl$psW1jD?U_m9BJ_SMUM3Af~Fs6xZ?2qf0Gpb~@cn}MzMWICu3~fuO zwBu~@yrBM$5GYctZVg^GCbyQB!g>o*0!4AfG(t7vqB8|9-N9Ga*Azp)U(0?Y*l4if zaoF4|T>No!7~A=Yvom}rTDt;KcX;@@2NTa`r636S)>0e=n<{kzJs+h9Lc>4{h}$n3 z=4Mk~#GzIZUgzTY&Jqu0EM?rMUEz_DZZoqyN;+Jqk<{%@jt}DRKNR50uw$|C?cXMp z=`EDfzi%s?>E?_r@&cWO9scNs2p`NHB9A0AKHYUm4)rTC>Pr`vQUx8CWsRyk{tVdX zSLUht*SNCrDr772juD=C8CCnhY+N^6syrzMJuECvjHS=Hxvy*A*<)VoE7g&BAhX!b z6C0BZ)n=3vNaV!cHKejycbVI6IGS~t>i%``M-XBfm&iVO*L5xM0?-VdtG$~F^pdt*gjgpeRhfDE?*LUE1(@_V4ZLc46m;}TIw_xncY|cp$-Q%!&$IjD8ZFu zJ3`iIgBZ%#|0lb9Nl;#Tvrf4;by~m(#D*COAC$5Rw?-3x8<1pGQr?-`F8aVoJJ^p@r>@3ak7J~gQ zj8*&w8{g)EPsbnTq2ry^)$y-&`0hec22rXxAqUEZvMa-Ko%~4WZ)2!CW=!a4H}NW( zzaP`U*wT^_f3)RE-6y{611u;-h0EFUeMd@RDWVs{drgSeoT;$FF0KNf?9 zDnsMp*dC*&TZ#qk<)_>zS2?(e^BMUWes0ZGezYkU2l7GCS`5b)QHb(+Rl6lz?*995 z-uU2oOE@6ly6%anjH+CE)4-BWH9R~fQ1%^0r@cxMCnAU>em}7{TP776jCz|q7s13T z;!J>XlOSHW`PO2ERZY?2hOa1K4;Qe|Kh0igBtK?6cLNZz_w0C(e#7}X0Eg21V+LWf z>uxW#6+_AlHSsoJd2c8fHFsCP23nTparm>pZJCAU+7U;*2o`tWX!mlt-3=$kZA_f3 z0MFQcWw1pvE?xq{q?|@RlzUwbYbCu#82NVZKFfKh93xc!e!X!A@cW)~JJ(-m6gFoc zwcZcID*7qCfcR%(-xJ)%qsqHSX~D#ZP6r_)1h&@Rs4DHch*uO6Lv!K;&xUQ5$;L?? 
zM*(!@6Jn*p$MXY~+M;)p6T>lHkZ`6ym-+f)U*d&+KNapf1Rs#*j4mVFC0DPL^p+B0 z8OwoS3Aj!rX12=+bp!F#d3f;T1kj!!F)X{~aXL_BjN1eWy`|_I^F=&n1?=|X%!%;* z7HmBDv_N_yyd5@y&6MLw3k-`?Mj4}jkyQcx2{6wJd$?i5!wyzFO8V+|SN25nZYRwC zn?+XYq=fG~naWr4$e=r58uA~+>hrj<@4!1hMtxf%OPaTwWp+iDahOz*0?ct<$p(E% z3yE)i|5}l4+mt7)XvvDj^bRUXOjB?5*O*xs4Om)QBy{waHD$e?&69m`=xly(^9rh{imXa*))h+_UGmq_Umq3bi9L! zYz;{&*8*^Pm~d4U2&!k83eb!&>0o0b1H|5dvrQ*au>{g0cP7QW;za0#S30Wvk zTnz%68*6K^h|nMYpi@0cf*?KGj#<7Fu@AQG?q?UtwaUIeN(x1X_P-5%&fJc2IrTI{ zrunj1L&(NZ;3DUjkpRUm=7-kdzcP%V;3GoM`7vt{vM)USpK`4Iu!QW-4~P;o3R&a# zGgulCv7g>aLZ@3|ovV8SS2s)*duV;Jd7n6H{F*?_V$=>)besxE3*eJldVG9<7zuaM z?EAJRGgh+B#hK>`@F)@k!@$c=)-yOM*~#RYzW~IK2f1Ihs`bI0LDla7i2jd9BrZs!lNF1?QW z>f}hqjU#rG+THvHe*l}yM z+xTxUeH0i6)OL~oJV0OXsn$^RAVXbp*%(gKjym*P*+QKnQlUye9gUfTw&QZPS+F70 zuwUEwL-~u2=s&S{q#V7MK{u%l)NSvWc<9(d0AW~x#k8yfW_q?7N?x|%Wv&G{&$(zn zKE}&YajZnzwC{db8er~JxK~XgI+q2NRu;5l&~3AM*l!s1lhV6W&n%IpZyLDGYuRl0 z!yI19@hqVn)KZNrfbi4$kNpKo{>F|`dBi?axAS%jnhzvosdJq~wRLD@XCc zk^E39T01Ncq3z2DLb0b;79nOBr+^|L-F9qtJwKeg7)PTPRFUxf7nf50zhl6aV@Fng@U6bwW+sTQEh`&#e_%e+Wr7dRZpnbut zVP~ubwZ;*XSzhujbjl!<5JwB?Ih%_kHw%0Nc&?wGp5}@Gq;OVN+e+WsP{EL##n@DT>*;u^_+#>`$mQNMkHQKH*rkoivsu-yljlu7cOglx1 z(2LD|qCSDLo|CXi@XcJqQvIY5aUnYMAHdO-DS66iEnsRNl>AuBtpgcC zrJ789iInn8g-JAjRgDESGx69|b(NZYX?}NO$sJU<8GGkQn>d z4Y^;oK3?3dexHnsrN;mXuVCW>^>w$1a`YRR3pn*DEh@aJXM!(Z&zjlbC??sL%pFte*?}6ppLJ1oH;)S>a z)ecG~%QpJ~{Pe@OuK#O28PWay^~C3N#N4dsWkvha+8^kF7Er6nX0%3@Z{nu}dV-}$ zWFyM{dxMbDFDW$8aj7By-HBRSP1D@)MGZ4&#d=$F-hL3F7`xBb<3Xf$Ag6P5kRUgr zf_idj^wVp}y{*qZJckcq-$0dBT2H%kOp4a5mzReA{Ul|mCrEb9n6m`UNGcWKucUqd z^BdmJRsLc~x=CmjT-nebVkaDK#3^DNWz!4!!dQYv%)D>lw+H^h34V%jEr3LB{XNJ^ z?Xe*=@+}E1YVSTkp*#w|RF!i-h}OKpnr+djX*+Lqwd87w<7~5+hVp3}_m;_RvVZ+C zyRl6d6)RWEqjxP9fsnOOdw@T^UaYdy=H0Zx26SQ|b)0vU1xV!SX5=GOy84C_sk+)+ zFk~$sv(?Q9zvcKt$yZUcp82FG)(Jk|i-MJn$eJtWRxTnp9YjtV^xHJCs>-|wPBFsk z5qM%4E{lD2MMr6<>5JkZJemhJl(&u`FF;72$%>kM-|1lM{U{0n{+%b>iJC!3YLt4- z`z>C(h0pzs$;g#cRi6k=Z>QVAQL{Z&W=zzKa*vtZYV+r_;gw7GBSSbQ!TUJtD}nDz 
z1|6#q=uKdA9Yw;prZUj-Wrc6!>nzR>uE#!Yut zgTU6wJTAcHR8;5pSINHRH0&X0h4-o|$-91d7<^f#1X9!rvI#-`r1q`l6xk%bZvuWx zTHeUDsC6mTeQb&AemILotUNV6j0Gx<`t=HI(_j>qvBSbIQvKQX;d<9Vqtn{nXVh2< z&*+Mf@!7&{*%G)wV;%kCm4~Mkxbx?~|v2 z?u5R|(g6e?PKKdM;H}U?msbJQuq~KHobD*HtQ1diz}xf-QVqE`3aadKu}IYoolXrQ z$3n?}Jl#p7&4m5Wg(Hg;=tb^l4&aaB?L#3B+lb%Cq3)ctrNeEtuH(lfr0)G~zaYGQDK8u0)pceIWL^HSy^AyhTUvhrF#}n~gc0Vb~hw6yvmN0`8}ozeYvDG0Xz7 zo8R4b@szj>uOb4t5a{a2Dc4#OnXO-ZX`epZa^WRdBS>@gWhk0r>}^3NWauP zEovPlfYAY=b8$qF4HQE*A*z`EGGAN$DxmeXTi1l)p;D=5+OOBwf}^CCBx;t`g?{IM zt(ZCC_^=Unro5dBcO@Nwjav9^H+TL2dWh- zS)+xS?IO*PlbSQo0?`HXK4=Ez;Ym3fWF~6!uU;uPBtDoV#ogj9gi1em)%!>a1<+NwD8hE41RN#Cic180A?PXEw-@*d+d?1 zpsOMKOL6ugF!IRhhH|0W;XTB%WA8n7#P5P=D%3xYdufK<+z8_Wk?p6D_|%I82F-6eVZQ@q;($8I5e`M0LwqACZ}>%4 zbyoUpjuJ!Oa2|13_sP^d4nQ^>cpu(k38~7(Qm8eMTPhd z7ANN-x5_qX6?QuOtwRE)U|=|Su>P2yqfq&iz2jg({Sv4HMq(S$ zf5V1N{%+lRY{7Jpf|Wn5!b_i6#bDu801JOV1bMLVca>Vn=N#2VrU{WHiEFjL7|-DI zIusvX@D@0eros4(z{P_lrqGE=>r8(vVq1d;PU#{B)tb2-3fA-xHE_?GG{o zh0Rj1l*Okv+S|gL_*77N2IEtIwULJ2bmL9w%zu<>_pV*lSnPQ>UTVDy2>Y-ORRz`= z*=r&?ty{K=>xwl=z$pk{ki__;+&6q7cWK2~5z}7`qkxop;{hrV)}IFoiAw zQ=w&)t>|I&$JbL|m!pnJ;=3k`=ezH|BQF7B6)j`Y@u3fzxg?diJnl>Sd+{0PKi_m$3#JdKZAB((Nlg_@p;Jv(VEXaLpO&FcHhCqG{``=EsrZoE;}m*w-K057xXG}_G_ z4^>2g^Dp}H3)CC;>|yz%!>F-1bO^8$4IcYpe^ns}Us!m`KVLs={--h+)l&4zYbftV zcnXe}o5G@^VtJ_1zfnVsKGLLd^}pf9n=)UiCF_Z*ZmPd(7;Jxv10&U`|B}Vup)(wY1|>F~NkARt>fa#0zVAqEyn|_Z z@eLX_M1W=uB4IO>1e^X#zGH{F;tv@*G!?SRZFxn7Gjil*C_db5MP)54F7o4J;LhR_ z^jn$wXXub2T&98bAr1k2xBe4$?87CA-+AH1S;bdhea)WTyL3@?%Fagi8yL}yXJK5O=D)A_7sVCTG%kd~$~#O7c^1>`!S{So5DXJnz5lehjC z9T7y19GM^MLs`fkJoq&2OaIY&`_Ma9K6_(;90xTr)Dm3A3&$quR5_D4r3=mf4-`~&g+g=K`Cv(7pP>vu5A_?=Z)J9qr}ThYl! 
z`BeXR-g&!h_RBA`9j6WqPQV*eX%x)JO6A`-%P7VNCS(m%UaV??oqhd@S47n{xxea0>L=%e!Lnra0WKc(fnBH9}TZ@lpq+Z!|}9JSQz+S1>IiT*wUj^dQrn4D1Vr!-;?oxR*_?II{(-#0T)%Ji@BiBTCxzgz zKgbk0&3LvfO65XHtOu`6-HkS&Ja5E{l?H>P-sJ`F)X5{(jgNYUVZ7&AerVj`%qIeG z9cSju=h>))3*Z+Q7yB`lx010*mtP;#0u&#-P*9}Oh>Q;)_&7{Xyd5i|}6kArBY* zRjvF^PHv8_ZJ~VCAWE-LAhdRpk30q+eBt&VAA`BHx}{)hZfLC55GX~p9s*+VYqdXk zEytH!>cz$rccDaN+JTaipN!GdN3yVWUVEJ*P8eq4R3NPLryWCx8i%i^ty{HL!`G7j z+5w<^0T|u>BB0~vG`+@6bXqsZS3EoO*&^(&Ya0btAYu5{oVUuhY~5OI?cbq8dw!(@ z&HmdT3>h;h|Ap$WHX*b)CX^VF_((IstrcHij3qKZ5I+0tGqf|)L4RO_@>OF;z*2v% zm55-5(*^0jPwB7maMUs-NSY3Q*ss*&HTd|Q(@q;~);=?|fWru*B>C_w$S7ZLy=n4* z)t*vGV7UIMPh{zEqT8uzstNM}uNYBv=XpQv|3~!4Xn~{)F1R3-_Gd1^dOuYUPJUpo z$gv;z;FE~ae6q$H(|;p2A;D$}7;#LU0{O4YkzL}?I_s=tO!-SW`>eB4a4kP9H;_as z)_-|&nv9oQ5B^9O6TZP{AG zmwqok^fE3y{Sok|?2qp?ns{~Qe}$2kH*IPLrGFVVLh{x>Tu(}6V?4UL^M4-djV4?U zg4*Nn8I1nM4)3{6HtqpT*xS)=`Kc;8a%o{Qu;W zkI~t_i*H+u=IYP(#(VGLgM`taA0xQ51c^fRmv}(6`j?ax*GzfjQL~{$xc=ZFe8@|F zk}EYf?w$C=BUp@!UWCCB8->zDUXRkH;FHk4||c>*RhXWAvS( z)6T<(T}nHX(g20ybGT)JyJ-?hEe9O{Xv<##I=EukXi-i<`X7k;M{R>V<|+U1vvTv2 zwiCV0nPK$fS$_ys0~=abU86thD|G~sCz#$wsef8w`k~byog!sBckR+tS2+Zq_0NCb zdk<-kTYz(FegdY=f-!z74aBp+*26jPoO6=6)*A!({L{7hYS(}6+`0UKBQjI^Q?xxV zEXW3Mer|S#CDR0l?Vq=>gij=V(pzP0`NO@~SNsV;o~|=CRUgvvia3@oy!_RoKjVes z!;5^u6K7nJx!7MY>&8D2?_bTEG>^l2<470H|F6A**&^bC@n3u873p-f^)JM&U4Kat zH6Gg-QyzY#ur~b>CU#~0ugeF4J(BgA8P68)*eSc-Gd#%tTykma*3I(#qR1UOb}}z^ z!pkWwvwf4`h1e&acoNs(0~Zkv2k2<*Z}BBu4gvjH-fjDj`k$uQ zkNA``On;kaL=Ulzg;V_{o&m?{AikK8R@uMw7dsxb|H1qxWz1%xK*9Q}uI!4!rmm36 zkl0KZbsW@a%0BWqS1j@b3W+2lvp+6uJgqfwr%xgAmV?sa$odl}R-znH@!N0uRmPwS zEwAxniNVr%41-V_1?Vj>fyzoF_%ICHci}%SOzDW7cexlj8~kW=0*Cu^VS#XLYCy?} zmyjTBJYLetiEGVa$KA@KF|~jm{jk&RV~;&vgo5qrk70=&;Yceb zCt((5fSHvI36A$ms)fMMKVPWpm8n)P{vzytC~?s%$?s@b`-Xb}!2FTZUn24#kwh3C zY!;Ji9yAz7%3_sQbyf)*~OR@8wane_&6+7r_eB5A$=v1Uln>PBwuCzi0 zf2*S_1unwuuk8cAjEU1zi2fRcqqRS%6$Ip(i%8<)89?`5;*%7ARW;TAHLKUi3!2j5 z2>nUCbJq^$;RNcB-FW%7XIKe`06qiius`^D@#PxK1c#jhOO`AtKf23Nm{t+v^uyxJ zk4J4ActsbI3 
z^G3gZCvPJNE^U}6wxkjR!ool#>2G;zBw-ZfUzh!3WS2v70Yt6&Uqzspc!$%uIBE(B zp#8UR+gXJUPcB>GbnDhNaqhgix%210UAp+|Zz`89`=J6OzN{XK6_Wlf@KQ^b)P)DG zBZ^&0Q-zFL;cb+=pNhTk@T!-J<=g0uzjm$L=qS1apa0zaUtL*^se>|ADXjk6u^qcq zn))|B0d=)aGYF5)G%lD*QK`3c9rU_%#AVQnH5Th1_6s5mBNRD;o6}vT%;C_s4b~WP z9NRfW(F_}oSK%rnoz?xTG5 z=X0lV%+R1_5pT)t6tDS^~t7XuSVv)i0Grg@rY#X=y4M z+391Q!E_cP3?F1h8Zn)v3)A2707GOwCN^`h-#Pz0ECr+bOXHxbvQq6_UQS+7@$1*m zk3k1h4m+GJD0Ntm^)J~@z~(dA%&Xyf3av0JLyF>+%ikk$q8$dRh)4K z)}Ev<>JfDI#p*ICmOMbqD=anPzvz-nQbj@BuUzqCCD#9Bn^9FE5w6XRfpUDcd)y95;jgMR5~1?e}7EdO^~{BQFgc}iSiCHU0H z#Yb$bP>}x0Tp|Ven=&RWZCsHc3O>S=l@Rd;`I{UqhdS}4NJujL(f2QwcQriGeU906 zmU_Fg;ljtZTybG>4cgCA-hB=R0<%b}?0V8t9grT3k=dLDAAelB8%r~hr+P&%|1Da! z2&#XszwWxUkt0UblgNgFq>2b#gXb~^i5el=v~JB0NfzIawc!2Rw{5S^tDhgs0^GfO z*Ti}A=H<up$Ua-&gx11c_}Sk5tK<5a9VGpHAPyjK3Vrm z2a3K8AVlkKA(5D1Orjmzw%O;WcnhUs`YOuGkW;uaM-0||vm3CIjQL0LMqmqdtb2fW zSnOPG9W?)g~jKzZqquxRqIyqTm+jy z4I4I!?bxvsUuML;^Uk~awc7CT>VMhDktvsr7?I8$azpV&WNmdyOv+Y?^^}Ygd2p?E z#5vUdmOx2tG_nfV1F@NC!b9l|J7a${;z=b3oz)-QEc=M~BSwtGcJ(9Dxc;8t12TXr zTo})lo>Qd4@M!>ko5g<#rg6v@FT_xv06y1UWcfoI*zgc8qOR-|gi)-V2oOsJ z@P)=IWXO#E*0)9T7MKcY!pIr9hm8@d8_^_G5)lnvo{i(K$G9|+$uVFF_||HFi;wui z5KO}KH({Ri2h#vNp>Y?izk5%7Ixyx7+>Y%#(3WHV7b79SWkman67;H<#+hmoX!Y{o zBcKlZ2jRmYbq=>O%CFw>cA}Yd?qKN7A1$K)4U~-*^36wQe0d<*_N*35f~lq<{r*xaF2xb}w78 zT&9?SlMz%eqT#dt!6=~|tY(eOjoDOK+wGQ7x9nan>&A(Cav-y?{7(pk5?}Lpp#Jk} z>&^e{oDxHp{K&+@OvL1Gpw`d}v zF}unP0`vSy!dg`t!%*Qwi4BJESFioGzlnv@j@>(}q`c!=84@2?P`0cb&puQCq7H+9 z0G}^PUV2`qL0+l%*vV(OF%DyS^~VBQ>Pe!g^&bO7TM9%caMASt_WSQDkMGk5>nZx3 zPMwZOcopjnwr~Hpc329zc~|`vf5#4V zcB%`*-@0`hUiK-TCibC?8pWZbPZ-(s*Qin?-CVbR!^S`-K~()gE{Jkakqnktf;q!T z6dxbw!>HSo7oUFt%Y&$$Lh<3Pf{L`B@&J4|DcXVZ4gt!DB*GPW;g%`NyTU7k(uDd?X9aRcK%;qSWaQB40 z9BoNql9N-MTW+~2<6Nx&Ok`{p5I1V{s0{4tx!W~}(f`lZKfoj8KIu(MP;6ICOg~Yg#Osz3^PmvXjq3ccFpS5>^u&|=e_S# z>{N;k6woe^^;h*7xN-dkccgr@ z{6|RIzd1H44 zJT{*ajH;??|Eix>R^kIs=}WU_l@%21ft)5khS>k9X-^e$2YcdE|CX&<#9w{&)xxJ5 zd{(afu?kaqOJ~14y98^ynwpr>9hmyhs3Xd1h9qloauII-fCX9pK_ql_**}{82k|vO 
zGqWAEKl9!H-TbG;?yo<_u?x*LJ8M1nMhiP`nM?HsC)S4aka+s^HM!V*=qeAeWq+33 zfP(*~qA>Idj1`rfa=cs-14QBY6b}_71MCArc$sJDsi&NpeBHIz>L@HDdu3&%!>Lqw zxKvkGqO%F{@iG_3FRtWM54*$y&DGRiV4c3Q(W6Fjp>lBdJA+R-HEHq#4@kpe@ZeK1 z9FNh!0UeK=ib#>+3@_E6ixOkx4qhT5GZ+)E5*s1x*tWd}4WMd#K}IXVhuw2q#HXjF zW94|=xWaHExpl%ue~On z8j*ys)G%m` z742=-qoH9ntujSlVZl_Ux6wt;k@dHboVrUr2+PLjkN8^5^x=jfmc4|M4I^PxAA2bg z===HCpKb4~0nzjana75;;|o*rwHG1!GYDaVZbX0=uB6;~VhM{7e70-gMPZOOYBRNt z6-rSh{ow_bYoMP3NRZHZ@y)gJvIbK55EOzRV1X-5|99Vhr*!O?G3ngpj=`KBkMf0S z8IHs9g_GoOc2dldX*9w5*NzX_$%qaUCG|p7z@<0;i9Ic)khwQ?*uQps)gS9t#Z8|& zEhi%_(|o=5J9pi4_a01H(vhpKy;MRTBjI!XEAYw21~8%vmAm_%347jq?>+1a7&-rc zgU$|lKQ|0HJqN?LeB2oiQ>(CxEW!QGqAwO<9T;43Wh_bw^T6;JRsEaote{w8JfpKU zn)pS-H>wcAI3X8ri4!URnMe|$4*M%paH=i;GpUIW)!YwERFF0^_%FWjLUBTT0(Q{8 zGCdJf4GGKqPZy85&R+sY8E65(v>Hr2Kg+(#kS3>s84GLE@6&>1R`jz4O9d0gU7)W6uEta3)a|c%vK~6Zx^GA}Ffgs(mVZG%UMgKtl(-<1j`~0B~0qBT- z(+xMKqXV;o8w*6jS4u0IiVZ(wVhX7S1urI{oBzq)#FdlWn1Nfw!NXjYrx->gi_bHE zl$)d6%`IBj^G+cbn@qLa@!Uiz0zyH1#Yg`8G|7YtT;U!5!^;J$WxYz;r zt`0_jczE%Rog^|39`Zn3$^V8SH&9bLISDTheol5ayuigU+Or#buZT0TJox;8t6|D8 z3p*G`#5Z~k9X1T3|1@K)UAL|pYdl7M{wc?R{_np1ZW-DeevDj3E63;HT_NcKZO{8p zWqTeGG#~q&IrHY&P5!KSB0OZ{Sq|o!w!lzv)P+_{xw0k-;JdLr`UhB97}snh57^&C zj)sp?W6<^4?b@HdlHBAkDp-%u@-GGN&%A$Sq^FB*G~NA9kuC35G7r8?=@(`AfRq?6 zm3v|I7pX-(pTiNe9!(?&2dRJQ4<~+5+J~hC0>e*{9DFWURr7I65;#+v@I8ffqDZ0F zG4fmvu|Geu#Kp$@@ZOV}l*kdQbV?K(7whZTzC!|k=l%V>)GM#NYL|Y11%XE)CdTtG zJYR}k$g#ukRp~mjOc*i9i2)x@8}87lWBhs8c=D=${cE>w?4f#rM1(g=$_a;v`hzQx z!|>@XakQ#6tc(mMlH7&p&!B_&2kpU(h zJ;$NvE8v1E0+f0@9Z}LnY$H2T)6|bR&IL-uj-Y zEQFKgg)@Tzr=v_1M5ba9pY@MA>;#9-Clvs1TmFY1dZ_T_S6(hDEYuC?fG@-oCQQJN zhi9gUIx=;Mj~jt88afV!Yu7AX^m$p|FXegU;fMFmdUoB#QmjLejvOOO3Cr{jv`Vuj$;cYve?-aD3=BcI-Hr?nnLEarDr`kL;a2dseCa zqAjez;qJTdhMiA?o!N+z6&-`{CCd{MuTOTWi_s$tpEy`kM+C+8ZEPSK{Z%`QiL+Hk zFKA}*iL5^YnR#X80`os#s_3q{`s!U+|4eYmz?=UKhQ$|p>u1i^kK9cTtsOr!|3$Sw zI7{o;X^q1;HqN<^&_#f0Ci+jh+m@y-}euF%WK2^c7lVRZtFTCJchmw*|Gos)+ z0)7rQ{ds!EjGX!n>T?vUxW~cg#TQ>HW<+o{z7ix1d4*jK`B9?SRT?*d@gLE-a{^?@ 
z<=xtKYpaG28?l=K9(KKRi$Buy+gHId0Lw4Ik z0PVkxc@t-;H^B0$tFJEDv~iQ$(c^*w*W&9Xru8#t(ufP_A71}S%3v-jOh5yYt0op> z>Xnhm$9ll_SUN3QwZbxXiTfR0mE z%FSoh)uz81ThpKD-sjJZr)CuXw&u6$yY9RzllF(cK70tt#2T7Az@N;croVxf6Y=>m zk9w#vt%>yxp(fpf^p_17m^)PwJn8W-ObDz11|J-laO%k;8Dp819lGwJDSz2H*|D&_ zaP?g|5+s{Gya~Q{&dmm-`7;p z&csi|&gk5n1M8G-FD+9$d+}T1BMGLE!b|I)*D$gaoqQfyRez$tJbQL=7i>btK>jeL zJ&qlHye3ak5@P+C`Ug5FJK^ctOz(&is=uHzSn-8IF2P1k!axxXM-9OzeanZPA_g#G z{=<5g0nT8Mk;%=D=#2e&CHFoD3VF<8?z zkm#QD=Rg2bF^T=yWE(MeO1BcO`A;F zqiL9pnO6EQ#YpiP%|M6=aV_LNtZiNN+H0?t^yzb4V(;EP6FPM~Jh5rBrZN*wG62Z( zu~sQI>&qH^+G*Q3>mtnl$S7zRqP;;ry_0(N?48*0@JEAxH)J(Ax<01&-gDo* znWtd~dv5$uYyP92>L@qmcU>4hLR2}cCMe`m)Kp_Jwq6;cI`Y4ZCae$Q2ka4^{$g4Z z9JIgY#Q)3r&y!L9!pk_j-I-vr_`8K2m4IAJjm*+4bp>~);{{uV2}#(n3fVePQ>f%1 z@MBFASucUlKvN5lg~{o5%29d{hE}=f-h1}WdTADEDIQNocE7K&>;h)=r!SpH zQHeq@a5CBp4{ia^3u%?3v4kiQ?T-NAX!XYpqA5PxC`NxLHYQ&9Dm7vWCS#MF2cHj% zY{#Xufo8n!xfgbR33dimDE=YPtA<-{P)g-ONpK^vIU*D(Li=Ot52gSoCM5aFWp_GI zc=YF5fLsHJ$wvlQ(B8aoSsQAA*Zw3VJ@XvaZBl%b{ubXoLn5pVQ_1{C{s~@`0mum1!XV(Hs9JF3z+F{j3-7Jo+m+sWknu-k8vmwRt;(qZ_bg7U_ts?)1i&qVB^j2`P=QL^DST=j0Cr5xh{P4rF(0??1Mz=0<{!?fkRRnWkMdGby6>CY7i6$l? 
zDC^*8Fl+*$vtnk#B8I5V;oZfSCmUw546@6Om5^AGgunbkoP~u?mG#7C7@2)mQ;l5Y& zEz3j8w3!Y)DoSB}Er=Mn_zv6t?y!nQpTY#CLH3tooc@QY4MIUC*-gBT-Qw+jWm(uU z;u?Imt(Pe`Pf0$d!4Uh%uuUZ?{w$o?Labl&y{|g1O+r`!+Bc9MxNeCB@BTDJj`RxC zijKH&Bwk-tOE(P$KUY)JX; z+3{TK+uk`nlXO-Jb7&>IX~PGN(ZTS1EtzO~54lljKD2h=dSUHdZx11eklGN1JM43E zh!kzpitK@xNL_+8PZY;?AH6f8Pygh2CEcPhxxeIFmO-glpQ%Mv1}=f*mAUBxkBL}s z^wA5b7EoV$_Md(%;+gOFHUBX(Wf5}NlqSm0@17CgmMgp?%;XE^p4C5tF!x%Sr$O&E z8D0XQ|F1_Sg)B0%D4O1%4+dJGC_=F5tM%e2KGIzLf^8tGx6`)IK)~aVY-JUts^@0W z1dx}<|8m?$->RtDo-5bi6l4};x*yWJO}tfW{D~XU(a~Y-sLapVb`FU%DPdVPpUEmj zC_Oiqwv=BPL9s(1kjubWmy=VvaTmR_sh|Qfv*a%?3i~b;t;dCv!MRlm?{d>Rr)<8LD)%645 z>3DsgRKYNKkVk(Hrtn5)S06GEGHCO6Aq)%*Hv2YLbpBL`*qwA3%18&tZm~ijydS_$ z{6AWcZ9)MGie^Y(^Fl4{6=DPO^rZ8)YvOh-z)ft6IvoI?51&vEIl%;P)QS^&3(k_@ z$&Gl(%?!vt)(B0Z1e7$k22mIB!_y2%1%;+Ic=LSvwyd_lhy|byG{CWG#U8wFb`J{Hxv1-kB#lgc&-0QlAzfU}$mW_?#XE!zUsau7Df2C$ zdM4jLJA$@@ofb$nwIS5_L3QZ7?*xb~U)jlY$1o9rP~67*$T3O3?h@c15j9KrB**-( z1lvshZk*d$GfRK5k#F4K#mk*Ffj`CaV=4Wco$_NDxcmG2Y_R9y6Bn>79uB_PZFlsp zrb+QP60DTyXpjHOgHF$I)}K!g_^9zyanf1aW7)NRC^qQZWj6Sa^1SD>DLFyJgb$NZ zVrV7i(|-#(X_;2Iw2B|Xu1F_op+A`G-g1NataAKg6>X@JI71JsIXXSFy&A(`&bTq-F0hWwZz6EI6dh-21uJv=t0UU@Tm;#b1vUg5N3f*G;H&FHT??}6%lzd-V9d%ESiCaCl!&8H$3he zcf9EX&!p!BH6SLai!olk7iK6S+p}*^8ZZPlPr)$@gCKW2A<-&H&~kw_+HAJn{(ip- zdi1n;>}FWxrPJ8hXa&Jy>X^fDr#w*?T)_?)Exu7 zyv_F^3bm{8cWBo$MWZ=NRY%8VyCfM>>5q!s<(AAA?o?0+BAjIH)id#sp9j7FEJHKw z+&C$F8IV6=(p|)7V~PoH;V_Xk-;&2aDszE3#A{d9Zn3#$#MdJ?#9eHA)~BOOEiE0= zoufH&(>slwD~B1r@MPk8er9UHNGS4!sJf7Jq|!YUwM6dSWH(WJe>I~~ zWjBec_P07$n4{U9jms7>15Ew*2UMug2qXF3g+J_>Cs7Sy{B3Fgh&9AHg>cJ#1=BY{ zOH8#j7mGGO+MD3seq;O#FuM6TFtbI#l>F%5*8;6A1Ltgfd zkUenbt;jzXR!i1b#rlAKA6S6-?~t1XYxec@VeCaZAb6>CX)gW=9W)!(FDT)N!H$=-P5pIm3#_%zwxi4mY78VlbKq-34e36ZN$VUp+94ZTUDYIQB3fVFwAJ@4 z@D#m%a}!zo+AuPoc%R7-AVjemjDH z`T$KAS^c2JdB!0aBl%1)UcvYklhfG032S3f%GV$49odg2zqa?TfxZaMfDzVA=jJOx zL4m&i9I2>KY`U~@10|RGp+y6`{Jfif7+|tLqnE8M_ntVeqr%h|OjAOcVcH70tTij& 
zOAAubN(TDEV+ffAz*+Gp8aDP8CU}o8HX+3e8a}DGVMU_HWf$BrVO(sT0&E#ym99OJ8@PD&!Hf5=AP?5Dwe zP9^VB$kkTTU~cPO6yx0td>fzv$O~FBP+1vgzyI&^Fi1kuorBRqI|5ON``oe-hDP_L zHBvpq>%(bPp48u+U=Z~wyIn#0IT&i1DQ&%1!5{R?ukpricEGc)D_;2pE+ZEK9 zs}CkUAls@7P}}U;Y1z@Oc(k7H;lvt}1{P;HGPA&V={Cu4h#eqtIo`Ab10`Fz_v}`J z;TlxA{zJ4r<_sy^{@#U=5Uv!}DU15X^Yj{S;xDtXZb!D%^d&GYj6r>CMo~pYN#V)h z@ht=$`o@KEA=;W6|~EtU5}cY0ceoI*045#rYyH?QaM2m!f(+coz43?tWxLCM%f z327G1myd0y3PU-gpHZYZ9)nsvKcNK^ACuTk#S8ExTEw}*o*W?GSe!&D$Y!@#Z*l1N z`Umc8R2qOz&>eg>z(YLR4tU5N1L+%&f0kb}`VrvotNa=@Qs-x^$i^tZJ5A4Ncp$Z1uU@jp!2O~1725oC$fkIx~fy%g2v%)aNs{(VQCyvD~!OE!#>t_#IOG_6 z(OC27m7i2-B8GRcA<&0U>rfmHos@mLjOWa&o%`&|o&#jW^qK^YaS4KaT|746|R2jgB#8f?wrd<2(~i9}yFxK)()4@_?E! z+6yR&qGVWTYANM?KQX`sJE*Ku{g9%u!`?`4>f7ZBQU~Ng)^ml8SAN_D7N%2dy>=&)6 z`u)*uPb*j+5LqmH()(jSnR>5tmSL>2p+4h)almSe*gR^#Zi87EoDM}iycCGpl0@y5 z7~-*|8{WV1ImrE>1RXEdqM*NuT3=0Z*(o<`+Y2M4<{uuC-WR>!9nUuM8qBtH-9{zL zurdJG3+pKpqVV;%Il}ThU3XiSXC>I$IPSv_dw-LiPTKzddaucN@$q@B|?(w*NTYk^v}x@eKn z5{*Rdid1cc@JB_9T$O<<%LD`Uddk758y}h%Q?G(XZiZn(@JbPeCsSx0IAJaa=jNm9B%IlgH7jL$f0aU92Jr-` zc@J!CY$JbuI2jH4CkKd_r~GXgqI2WFKOZtopp{U-5+9bbuo!!nqg%tjJpTOJc05;; z*bTa^v*@A#Xr7Moc6BpUk1iD#Vm@hYK%%v$L8nk-d<;If>lV?)Bt;s+R7(XK^r^{d zPwr#4q~b=5s19H>q7Avk0x^rGprqIS=S6WlMkEdk3Hl9h)7>LZtuOipgzkOe;v$^T zgy3PYGtH2KsmXso#?94nZx*CucSxUc>}8m*0X9RuK#C4Z+SCA1Ii5uYa=S|NtP?D_9 zwNh_^zAz_T3|z$X>X6kKs1k7Io~+o>izP&OY6AQF4x6x~fB*lRG;!1>PM2rwONG@R)*IlButYsEe5`TQ3qbb4%79}3H=~87IY7ys+B2k?4E3=6Fg=!PMx~tx->y@1F3(IE# z=-76-MBK*!CSEbItn336bh$_sjB|!7m_O-Oyd-Y|%sWQrDiEG<1xqDy$!e`su03c)@ZEqk$>IyPrE4o|;mq z4~~l(kVSPonNZ(|TA&|^ORM~O|?h3#%B3;?UEk2W42-vX&+2X__3%n+}V>f#c;T8yJhM@3g?u-+l6CdqNfEO$&0G(ge?M4F+80M3_56N4Z?C z|J3nvduCgYO>z0}cLK;t)gIw}`^<6A$@wx}$lBND$;davs9qDiZfL6Ke2CtRMTWys z^2y_NE`jH6O7x{=B&|FUcaErI4(Ma1lrGAyK{*~~wJfv!p29nhul4wRsX;^A1Yo@E z)_^xFYuTqi9W<1b-I75g@npQ!at3nPc%u5YnEXZmX=f?KW9AnWWgh6KG;SD}eS~!8 ze)CEKxlNb$cU>qiPtRTmFfcjuaJ8TF=gEUgtLy4(M$B+6t_A47h(z1t;5{)nhsrD;E0Ad{8d7a zM@PhB?Zwc>&w*V1z}wm&(_OO)JR-?A9uqhFqlZ;%NQQh+r!+(ly%{@ 
zQj~WTpp5iNqEpYR?RlvVM4%jd^n`Nwy@a_1i6K(%jr@hueF8LT1!o?*EqNEr^x>qr z6|e?if4b!^F;_$cgbIVMhXVO^L~DaH0JZ6lZ!|IIVo>%BK4mn zk$3Y^qcocWhu%M^jWgJY`}H?kWDsr^gCnfn!-A25jeaK?{+v7=(C^edGn;mH_>H30w?&hJ<%moi7}y7JyD%D*2v4L$Nlks zAw|AbdbQi;6#R?~(#q%ZdzWZEr(%cPRv566EkEv9#S7P*;D^>@If7D+X=-8TZ4pix zD-d!+e*Y;AMyuY{Z>~n`AjAl9Kg$t3sL^kb!Lm)GHb#5v$YK$`IXnDIzktMyBws`6 zxeoS)uq^c9s!lZW(Yur9L424sMfUs@-&%_h*@r$dz$It`6$2~e_ul~I%?fX=zJLPKo+4|CSg#^zB;zXr33{2A{t<;*&s_p_GhcsW2 zBrXjl`^~4)(;91PrpIm9^mfN=%NhGCL~Ze1tyu8oN^QM%=QNB@twm#8LKhu&IRBbR zu{YKmf@hboS**_*@Ti$EsMi3At}p!zDSH1&=AF#b=e++yw?Fm+N1Z-)pW?0UffwR< z`3{6||5C1qkcw6O)-nr9hY&Nj(_aC9mF$1e_C|M*nt8R-UBu$W$dsCY8v1$&tl8=| z5=2Ljk2{}PS%!R3lTzzpYY6NCn(@T8Gn1{mF_fE5WeV8rvIS7|QaHt$?T0zB%tZ^P zL1mxOgI)k95z_Kzn=jh%yw}nq+c|0Hifu>L z|CwkRuCn? z_z{=CV>IeOb0&*lKYujLT1Y=uFE2KP$S{Otn%#V#+pyz)8{Jb3Zs`5^hZo!jj2-AGlvh0+W&Q4VOyk+T`Km!Wu4%gU=f)BeFw4+PTKK@&~_AgBEvhM z*6#r4d=oVf#l~mT5DLLN-4caxii(X#7R^cn7PR-K5{!BquMGcuDR({{*`*sf>jm=TZA-Z|c5G6(dmXY_=qgT&%$ZH0Evkx3k0pANXuJ1qykwe z4auGD*{a(1C(%#eX;B>5S`Xy5*PndpEVf_5W!4>Zqvt?`sta328|g5RjHG ziBUSGOOc_G1_1#DhVE`e9J)m5P=TRKq>)s*yJ47_`@1~f_g%9V{4=ob{ltmA&)G+4 zQN}D_Dcbxw3S46EE&!Yhp^JyAzzkLkHem7$9N~iBu~E}v7@sCH^w2$ znpvKY=#}NcQ*zB?x2)DjOOpbni+4i(@TPOyUV)PxwORd)8Ht4&8(Kd{h=>;tn+6B| zz{CB#>sXN3rV;~>1Dt?D>cqQt01C_msN8ZNl`%jY=kL=Nz-VqGCNlX(!hawRg z)ob$8(%72V%_h51yLZ*d$JS8#gnsR|WN{VQlDOwB`&&GpvW*RjmPdTrUJc#uoTp&> zp?aOM`gIesb=3T_BG&5^b4>0W>GBCXDH5yXChXvTPNS#lm-F_l(gYw)>)si-f}CyN zw5!}ybYeuYqau7`qaJ&e_G}Y+U=6QG)fXImlzBvu)(fRvSKbHZN;@>9St}G=?{d0* zuGkXLp=%{6&lWA8)$!O<+-2wgICU%P-t-fW5q(2_g$5-=Uz8klKeg2_>FSgk?i;2- zd^=k#&llCraApm=dW+jANt;>aIrvbV#AIg1dN>1FsBqu-&C7t42;@TpL&E`Oo0Q}0 z?LWi|F9P`JEZjew0nS@`47#hUU`ajHzbE!37kp%Qwq9N61%%|NOIH^Ls-nP5Ovv}D zynDOkNu@+Y(HYt^vMm>?V-zRNTeVG41Uapti0$CCsnn`|45iCWPqRzFdRYnBsFF7G z{1%l--_O1CS03S{44I1DT1WU03D|Ed|$SdjC-*7lqr^1R##gaUeQdO zcPIlZn0#DyfpRtr$rk~?IYoTP|1LdwuU{9pB`kwip84Bg+2oEA)_EI27aJQdD;fmd z&InsQE{^;#Ay@R5u4*SdH7xED?v zI+u&ITq875;tNJ>sJKM}p}{=M#KDnF3!^3s7M|5mK7VEyqP4%{Qad=?`8_ 
zA@jfqFL7HbL3^Wscrkyufx0%IF_XgS-Z=EMQU0{rv$5d^-UoDup`2WDZ;I%}9OM@e zh>Jrwc>uqBPTh-p4kF53^7pq8pFXGC+8ry{y+DLvmh`(H3erZJyzlF-IclDB{poxH zitgzLJ(mqMeqM*3>pynsic<1*?7(U~Ab)sD?Sp?dd_-(pZvf6b8zGVO0Md4OZHhs5_)xNlbDywqr6~*`wxFP(WgVdI5FpQ zA-zK0llP=n<8A2XJD&##ja!b(Zo@U$Z{O*ff~yMB^gj`BKc>v#18B`|rFi4)>ly0* z9)s0b+kd6AwzRE$9dRzysa3N_iy0ZSQ5RgH$x`tBJe60l??_=-mK6)PNSB~j2lbm`5Z;)@{ME_zP6SjsHgP{>3X_A|8Tzjq{Jd+;7jG5;(I9d2mBq22n%wbvJF>V>=y|M&TDj3Ce!_^Mbg&$&ha5frg1R9c{(x$BDOvNp)OYi9Cy<6HQXPHDe>g`*LoWP zpMbn9knl+>dLEbbSo4X-blD!XTBzxKxE>I}nZi0cw@tcc)3Ux+J{$dpoe`TqgLmn~ z`0p+gt#4$xy0AOZEqOB%8?|0(e5$s>pvd1`*Sjpn7QLbpR3$5b>0WZLmwf(nXBMfC z-@HOTiW20wYE)WyBt{)65xh{GjQB-Q(kW;C<Y3MO9!BqD3Q*N~UzCF+ z(Sb_+t> z9ZVLJ;6M17y3kvC>s1=`mSa{zLFJZGPOD)(PCK3KBS|*B4^^C&#^kknTT_#hzOVqv zl0RcVH#^AbqEuDu@LdN$xw?g%V;9kk`ehl<8Ji3nI?RWg!b%?gmA5j-w1j8dqm&=q z$cdPB(p_6!wDjYrpmrCh+cQM9cd}yObr$|z4~I2pA<2mymJ8%pikx|O@6;@()!o%Q zR5~^cSn7!oSiDn_!R*iI;?VP*v$halczWa6m6Z}Aa4ejK!(^Pfyp8oZk|YvKGDb^v zE4|VbEs`9UaU{KgUyMZuN3qQr4uL9(6?cR3l0%&k{X_?Bqb@lHiENT1N2 z-N9?LfIlPrXKeTw{w$!N=v zyo5NR3|k;gJ}3IB!6~W=&Gly_MN1XBX3aY%dPd56p~HKWrsu}49*A8oQm?8oR*yI( z-Q*E}P@|_Ov3R?CrN|Os5G51iD>ZW1q#U{%b%d zUo)WKBagl}F|acFm%yiQJN=n~@I?GcH21QtKtYUv(n!}o02TXFfU*RySpxWCFmzLj z)V=i-P^Vd%g?Ob_^N7^M9q>c`a97S8kj@da^pcJNsO0@+d>4l<)ID51*H-$XAo?hVow&?*321@^5^TpVHj{0B9SZil;|@!mPg{*0pB(2V`k>~gFIe?yb*exFg%An}*K|sLm$YDf zZ?0UX((l&(DzLRs7rLX?FHTlqWvK zlNsN(W%lEbO;E918`IxA?l|zvH@9r#;oFh+ekI`FhJ>atC;Z`y`l4qP=J1*CHP+dc z?kFTU970$~*f*I2&)J?rnm&VGL~<|1mxiMC-EW*n>?RbVjm-=%V;^gpu<%%wXiR1) z#JZ{hBD`#ZDfvPKd{0zsX%y6i{yae`mW9-%hT4a>+LCoSz%M0kc?p|psuYSE0Ea7P zxmc4Q&HS*|W|!Zy^*@a0=X(#AIxT)kjOvGI0VNw~{TDB)j#u0Wi&cLNd)A)D1qzxF zzi%|8X+-fd_Y}u z^VqAVH!K&_iugGwK-ZM437`ZIH@ExyX-wGL+6KpKrZD>vc0k&}^? 
zk;8h7yTvm^i&?eCz8f{Y>K)%O3;6?7bJLn0=bBzNu(_Y>zSg7ky@mswBBs&%z8s(3 z{I(O@<#li5OF~G$2$H>N$E~F}mfPW)a$p)OJUcMjxY4}NC@5gahZM~x2B<}Uig)&n z`DWbO+}g|-(L-Q90m2AAPbpN11O=~#!Bz(1sL{Lqz{5Ehqkku*dQ$T}czi2Y-9a%H zY=8$lWDygRH>TSiJ9X1%rwH_&K}`W1Ot8`dFl$8i_f6x|KN(88ytg_ywPy_{%BC;y za}z-&r&=o%AlgMM}PY|Sc znwUwTlwLWGF)JrCleXjrk%5NbJa$KIRIo|Ok=H@p3gjqW;tU|_F6kqaCGH3e6%wgu z9^;WlYUtv4DnXVAsM>BX-)%e=)~tSo`h&f5NgbS-#=b};?EDO-N-pIb&)k+5{`kvM zKXI){Dq=GXUv-7mUEnc&StY3qi2P7nM;pJQT8#ij%1s01A6P4KdonQz+v=YSDnHC2 zBnT`;kACd~LFtk6vxN$@f~yZJ*Af9Z$PmGNdtvSX{#YYZ+hLENM~Y`@NttQjV6+zh zMO0kB*3+n{{w0gf@FJP3u9T|-t*o)+E^=c3e+B;(7A@J0O26^>o>UzN?9TBvk3^^y z&uMQ0qRQl}07$pkg+c-jlY&2ICe3MMSGz(-$~s?Y`cu4Zx!$Mhqb`62VT2ICFnn=C z(U5Uq}`hr9K+=Z-9?AzfsBoyn-PK zq0UqYRkeLi#eeJq6r^h1quwC0QsPw*1dJ1o)dAH8{f1(Ch{#^0qbvi>{Tm%fD<`Gc zj_H_>kze2ytQC^(7*f#pP;J0t<%=XoUicV|xBXO=PwmR`6yz{F+(7f6EzTljYA|_! z4~_$6qU*5L$JKaa&g0$%4WmPcQC9y}{|2bw#3MvFBa|VZCxX4{?k8$|R8YP24W&~3 ziHVmI_Yly`kBad$iEq=Yk<*5zsK9g+|7FT*JJ_}}^AE-czHyoPcFIYFC8}rj_*7M@PYnP$xoQft8lKXzg#a*u zgEig8wufk`{dDZ;lJ@O=7JA6F^RyoQ({n31GE4GnJ#E=$sdu-55e@Qe0Wb`PM7NC; zVjCl51>7=C20YgX>FVDeR}6mBLmjjLtwoeM$Jp!1UM3F_F~IKekaEoX@e<9AX9z7| zhx!W^(IS4kskVG5Y*=#PljO6^j!d#(6~$b|7Bak~QIi80&!RSd+rK$8Ix32w7axsn zsu~>5{yaT1RJ2#*N#l0NlOs?m7YZvIpz4zj&}%)A0#2kI4=$QHV2?vTg&yv%HXnSR z`nU6X$HejA;9)ofj*cS1-$lakzk7G6a(JzLJUFWb(8E|4C-Y@irksd}(Lc*QMcV@h z;e>RkB^GKH!(}K(C!tQ?dwO9W7OGR$VzcSIQ&QN+$)D{_z9PZ=QI@BhF)d5lAEDd5 zwPTCW#vq2YX#?V&PDraYx^7GO>2zLCNWQ%7VB0$37kwW5hkn}EG_pWgznXc~>au{? 
z+P7wOw85|R6&!*QB)!<2gt;g={sfJbcKTD>M`0sKT0!n=;}c-rYhl-a;rgHWy9=4( zy6Pi!v$sCIS^=n(mUP)#PXd^{^U7bN>XJVDe3=c{Uo=`Z9+SH1k-Dm%^tu>vY+^$N z%mk7s!dCviLx11G7e5;YFjqL0?j-)|Kv-77FG+*8letu-cz8i{1BtH_rKA{FS;qWc2}< zxHX|ZFR#JD1G6)ulLo%T-fC~>xj4^5vR&wX<{qBln;i`pz0<)~^-o>xxxyV2!jPBU z;R|T`Gk4KIcV}T+#@Y5t6|1qdAZ$R#8YddL+6npSw#gzqTdx!U4o!HhZaWlvLH5Xh zq%LF@3V6e&;|2@jk6td`Ul^dyfLou{*!;TEiCac_bewDqLriO&w))I2<+XjW=#D+D z06$@51HvZ0x;Ri5pxdC zXCOL{#EfJKKYgqbDdmAL$bTA{)Gg6h!XK~&c@Hd-{u68XnzOJ`X7umm^F=%WseEs6 z0d{GKNO%D_vkB72Hm|9)h1f`LPfnBchO`QZ42982E0F6k*4$SVd!%_{C)vSyWyLdT zpdRmiiXI(0{SE(xI2*pSLKhWPVe)iRC)vfF;FOfBiiv#3Ty6t)>8#U0Vnra&a_F=T z5L2FNYyo)uL@nfn@yRxfdswS{p)zym!QoidFH^YU*1nhgY?^bF-0}JQrSBXHZjIy( z_a+$Ho4&~J)av4TwRM|14ONGFbFwVj1%++tt%9A8PET(Pc4KMem zvZ$>hlk2dh`Vi#91MbMD1zTUVcVtE_Ycio!i5Da0c%w$RQsUeCQqr&Tk$Wc#6#j9z z5kvQ#da5k*E5%F##5^!RpGq}G0dsPQhhI-@wEYSMKE} z>Ftlnm~Lv9YWX1ncj|DXwZyeoL?mNH2b<@|_`<8^K}JbOKvS)}3|g?+qU$-<8M#MeWCGr=n<4|2} z>_ULf!E>@#7FDfUYx}$7ulE_Dcv8IYmCoy4Mz6Xt!FS1c?4PxjkqQXa^+oNLs2>LmGRz;vT`aTJW{y{h$tV z&UbLs#}4u2URj=aG>!s3&BsCV?-KSBlavWk-(na#dDZ#olRQmqe?KBIY@1Zh_%z1! 
zLBr%%Tx;A_!jU0>Db9XBEOWv5Ptj-u7)@~5XP}KONzWpA`8-}vU*Ds`6t$#o^cyp+ z%)zAmk<;GMwf6%-`-WA#Lq5dAO5L6Jy~-4@)g2Ro-5mz}&Jfrw#EY)i>+ea{HJqM8 z!XejGuOvo9vPGEQDM-KY7c{E(wWVVy76!G-8HQmYu}`#(^yJev^}mh*;&5Mm#%>0`PagUv961@Vsz1A`r99Us%tuUXAMEX|@fqUMnbG2%HD~Q0zg-6Jd6a0qd@k5?1w&r4 zAB<39N*+K3PYGIw`bFgYx5n5z!5OJ4YpXy9jCa1x53Ng6VOWMmZ+N@<9DG=)-6d~@ zkg&(e9nvyDn^VBTx?x!O&m@#VJfVNf4?WJQhuuKyzgABVTCsav!`q&7>kEm118xGn zL+l$Z`uvn0BUl1S^&s3uAwLr-?Wc%`dQWr}LxQ_YmS^bFEA4DAAiM=J>nM|IR-w)N z(b{OFVbMDs+WD^h4n0+~ZgVAErco?yW-fcjUE{lD3u*zt?Bqdx<{-R3u_*Yy|EW%Z z`R!L4v|E&5+2kod;OBqfyMbtICPDl&V2FKt_E9u1G&>VM`qj2;ViW9ui=HSj?l>yM z&fvMPN*kd~et2#P^afl}XH>qdS*7!{pnZt1Nv?CJ*{ty$rY~**S$zQN61<|ueGWO2 z{)URC=260K!ZD)*zn)~b9D{uw?Y4AxP`cjI!og+pV4{j+1oJxkIFZhwKgq}gO3={B z0?ikdO~(T~BfaC*KRF{Bu27Y)8;b*0;-H(|5DCM()NweY1kLB!1;g|v@d~0_P}szD zB`HI-(#e@!56J??1?G~m2JXYS)z6P~uhQca8!V!%H2&dq&s8^eKLuTB0&3)d$Yv!f z;gw5!0r0$u-%Yw!F6SuMWmIrQVu=xL_h>+A7-CaKH^+8o6#qmI#vSwa&&<#LlYFQ7)a7cDH_UuiqTXnUfOtWr*}C@e3UODn3m+K~GRRjPlLa=IXu zf02Z$+n48I<@J=K2isfU9=_WgY>+<+;F-5E@O2vvk-y;o0hfovr0+lQ!DS}>y!-ZK zqkD8RCaOoo>f6uNv&topx(E$u;a;M=t*6F}Rl;m1fH@rDe}J_lV@OLL9>e{|zJXY! z^@xdy9e;E>drXMi*S# zpotVA1I`bkXio6V8Z()4Vj%tQ{Oy~l`is<|E1Zb=O@?J9*xUCXKjo1z#>>I8BCX%h z7DZ$Y{>mF|U@?!A{u9ka?|Y?NuJXdDfEc6fH7*YD!NbmXJ5b)cJn?&%5uk5NAm%=h zzL+oa{@X$(rPGS#58olJ?7Cd2Dr$E_{Qf2)XVrk!uQHW)*C zm}|@#14+`Iz-Ankj0mfQVqAk`j(RVNxcc6)AwU7U;%O`e7b{iG?WHOpsnMJPTY=$! 
zL*$|~&BEaCH%Hmm*{@!SC;#!zF9<1TOhNLzO&s&8y8CB+DD{IOD{ebF8ooXw5~fEF zIs)sqvVkxaRWnX07GHP$v11P0NBn(-y4ph2`*o;`Sz*{5X2`qMWA`prG$e$73kdC} zET@6_9o=0&X|!A$NcwQFVU*;Lq1;Y>wMBsxs6-yYG7|9TpaOXnKm#1Nkn&g9Mvz|* zbOn;8IBSWf;c)`)lC{Sqk}#&Y?bcxtd&oUFh2AwZubzqk-3%N(ItF~!UNIepnLJH% z6Y6|>I4sUpPU-O-`f#R+p7U?%eItZUo7|*b(I$s?NqCvvE0E&sgP(cpc~P9`6%Utw7f50z8r6-yx8|WQ>|1Y{NNi((6u8{!m{d!aVyX zY<-s`iQ+M?*9+%JZyi92M{?rt&VgG|jdNdxAoz9-{Mi2425jJg#wOTa*g-T(nyB|_ z&VN>c1pl_OTF|@wCJ61>8tWT;0SCp0zwbJmLr$@&E}by#xF`#F*YE4etNE;q@hql}DIxt7e?Y9E+rNuO>OBrIE%b^d|xK-cCk zjcT%b;B(MxSa2v!9mY|@gMF<5_(hZ*0-kWFb^AF&qfgD^+7yA?A~!T@Ywc7$dh*xtFlob3TPt#(5A*jr*BxwF*c} zOua?uUyb1#jAScGq?v;dsx&m30fCexE^ISjFrF!w=2Ss0jeL{_=jt@7iG;$|$JuIeBWxA`WuR_Pg4%JS2 z+y$Oy6Cf7avryOfBD~|g_gs9}>XP|XhISx8q06fdumIFs%N6b}S^z1tmO!>Cvs|is z=S~8iRx|bx)d|{1Xft-2X@~SB;vv~#e5-&@ohO05n{5~iaY-PJ>6PkvZO|b6cl1jq z+Sk<$vm3~FM=PV;>wg<9w5K1R*`pQ}=Sy9%>W_Khf1pc>%r{mu+bPVCbPhsK9BK`d zS5Iufq`jF2ssMKQIJU(6&c9}iYkR>I#0>6>QFSUDPW0ohL`Egc^>tBJLR+w*DqZD7 zLbqpp{{4ZZ);}b7@TKsxV+wxujK6wfbyb4qigyYkH5MIgKf%eJ#L@Q)`rr@>CCWS= z@vw!7{PJ3gNsJY0H?9-#cPljKV_i+W(h@Vq)|eXuYHF5fLG0sCsiJvDEY`DNxF2r% z-($Vb5AT@IN--aIE=PYQ}m_T3o80WcEN2NklP zK(Tt1Pj0-N9a#Uyj#HmWhG&P`$QtJ|?g5}y~t=6|n_&jNR) zy2xJYUoR}-Z$fAp#ti7D0kgpfIb{ zG`PdKoii;d{|6_7siAtuq$&K%>7-qq1*9;o#}3u>VjW&9&1G{{5N!;Ar(Bv2-bT7? 
zM^_n#G|>{X0_4KGgcY3OU8FA`4kYa*?70em=CrwXymkaSu^AN#OD@wu@^7ae^=sHn zNezHo@O&^(odr-EGVpoHB1{IkMs%bus;Og!B|U6Uj?{KNgCN( z_3WtfSNVv!n$d=_4VCO!&{L7pRiRa5d~&6Yfxf$M+b=u4-r)$xAty+W3)(582xq7) z)Xz!dKF-Zx6J2{2c%^$_TjXg9<(6nsY`Wk$xIrANc{A}YE2#0Cts;)`yPrjS4Le7^ z3k2>JcWzMcd>gR~4i1z2k-YHBf zpL7Uy{G(4Nbq}pXTv(Sgy{Xh~gZl3ADI|c*pylfrX=`!~7%HSgw`-}?Dypz_@K~gU zYI4>+dF$)(Dxd*r)3%DBTRWWwZoS%ti!vI~>h*=9FGD$t>M&Y2PG}E42b`k{c3=2l zs()2N-S83T2;1S$EvjgBtk*BCdh)#}_8(*lmz=Zn@-OUjlT>_p+u&E?PNnbD1_=H# zu<3U->vz>wm^DE)lveUX9_9CJCwNV`KH>3>l)!EzmqyfWe|b$iGlBb4$p1*g@xihD zAP=pv!XSKr3{IR}GMJrOMtT1dq0S3mq|UU!5XnAciiO&Ek-sVw?m-aKOKmwgwkljmrt{1pnn`e@#@M_#2G4esc{={)?Ojz(nD1HSnCS zUrrZ~YD?F|VHX~x`5T+jYMRIE<}QL2s4dEqf&Szvzaa8Iqpqa~ zYe)|;W*a+Z7pQNYW7(>GvEZI{ItC0(Mim<0QlR2@{|0z1beVk=~Iy4i9&6z zZz&jl0Y#ykOT&;)MrH;6=ApC#tUg>rgx2D|mWE@~_zZTI_gK5Xu|^&rch0nZxf_*$ zPQamzepA7_zqM87=l8E!6%@mJN$UN?U_h|Iz}s8vY|%c#QzKip#p+MR%1`KF5R@K1 zBx%QggE8QFW+p1dO$Yzo>QX4Kq*eX0GJ2{rRIOtC95Sr&=1pJpE!GU6xHoPVf*e0@6UBCXyunXq0cJ*#U=05vtBhtx$jvdd z;NQ~r#ju$9U|2|_oBJNI)ZKCj6%6{MZR%46*aLdO%&e~{Xs;JWl5_q6J!E;a&F}Qz z^mwbZk@$BdD`e|*Nj_Rvi29fOOT_WW2uT6?E3sEM{ysX|0r4tMKU|!6S<8J?$Fqp= zX|9Zv4xlKKu{y6G&-SImNZ0?*azedjCbu@8|9+X`p(mNlD~`p7_OWC8 z*yo_fw?7GB)zmpDiA_>&&gso3l8C`dUg!rMe<(zaN>neKvl@d7>64#>T|>^1$xi~w z&yjbD z?vLHW0q4CAjX}_Jr0=g9BOJedx4kK?#hgklV7{$^ZSPhPxfUccL#A|x>N))A=>F-~ zp>e?o4yneF4C5(ZLrz;Rd4jlc!3Y-vy9WA)C^#djRh8Aslh2CV43CMu&a9-5 zM$V_s8xxawsi}A@Dv!i>bT;GnNH5K=Q>to3ci;hU#jU(+(SkqE@^Z=pUkk@_;}suu zGfUE^4!Hm7{Kj-7g&ZgEtS~}dqjqQl4m;8u|9ty~#O!*MpCxVD_*gf+-3Z3Txg_~B zJ6q1$$;#RPN3D^6`Br|^nGK3Dd?2`w6D6qepywj!_9Yq?>Hbk=KX`BSu2++2Y138; z$vP5zM`cguWHN)hN*zhWOq@bk0v>|gVIohi4|R6@=Ac1WFKod>XX2f0OdPNzlHffXZ0*>8PMNNr}fi4@r+ zpe?KRe;a#qejcrG7-~r`g}zYO0UH&n_tITY%_-|`Dj(&)-MdWEbsDWUB-f`DNhF_~ zc49@9#eSv~r}bEf-D+K%pgRHctcXl-_VT?6uD9~h7GMds=ibp>@@t5tlKUY_t0FftG;&bo?jzWmxsRflJ`09<}eIUuwp!2J`b#yFx`1Da&z|J<(`=@$sm1 zmdn9kSEaV7EIQ43oXTVic9;SCQEFN6Ft1ZpZIUZC#tzpptp=^*(w8zwQ}`7Qes9(a zH2EUhhL4g3Cc&*4PbB`haOXufSz&CgPWO3)AI}M{J@~p1E}fI@_M7VyRMUXeCa+@6 
z?Kp2_p$m@Je8ednbEn%0-rpz$OAK(IU1&0hm*UO-hzu<+!go1c>Y##qt+binI&CcW z8}%7N4*Vsex&QC|4*Y)C-iNe-iL&cDn8#kpJE^r)y&satl(xUOJ9=PKq4!p4Hz6nd~1+W>nW)zPX|#`U>xX5ZqzzzEn4TmS{%yJea>P>dp#(7LM68HZ?Sq zg3>7|Q(OPWGTwWX8s?X7%KSUm?;6r!at)aon#St#ld;h>AWfdMC7H)!ND1+MEP#SS zwuwyh7!0XEaQSibB`j4~=mGLE#_GLtD7^y2ireK;Z*ZLJZ0Dtj0?EB4O-S;uJ25w>I1h+Qt zu85O(Kn%)CHz1E~ci}gQ!*hcw;NXl@GZa&~>%CTs;U@^g@R#>IIENYUViI!ZfON9) zi6u3$1NhN)z3d_-eREkQfklX9+w|Vbv$bxTe3HOSUSa%1s0k{Zp%1 zyptSolb-4R2a0KvZAYH*=ROBVHYT-qUe@BGwFdKVu@j49lR0YKHJ7PA<#&_~g5m7{ zJ{fPaoRlfeXR)>^7S}{qiLfN=M-`5~IHA;SPg3WA-08a!HH2ZzN8qJ|ScYCent`!= z497?DJw>q{m^{xbhA$S1+3m@8^B%nr|f(LUghk#j$mU$QkdX4P&o5tQ@u)?s%gTXU2m@*0?Vb7N} z==dqI%<=(V@id@9{0RIrTDy@M@Q#Z22T#H2WE*C%Y=ucrRog?MTwr{^WyMI3KT;VF zL$kBzh?a`%-o2}G^qB@Pw|()@9PBjmvTO$@Rn?%VQx(w_V6FyfXV*A=3# z9-#Rohz<9%j^$f&OnYB1m?%y;vk){FK01Y13CbqSNdfdAXW_}S9VTW&^>JvJ*wdxa$3@7sz6ZrpDm1aVv0Kby;3LI1`I zY26(&XldC=vNoxIdr2PAC>)ok& ziId7xHdocnfn$D{cCzKwoD!xHOOCt6NCz){{hwP{(8jrjEaO-NwPRsbEGC545DLO; zSln3#X1I{b3~=5-F%UQc?&XyVr6xTYS77>{n^^s>UX8)e5!+bteHu*__|KVQ9Bmz>0`YTiZQ1gOR*?T??nZ~I>XrcOpnU@e z=zICq!og?)(Scvpe)DW*aO&L6Goy2cW^Ax_bJY~$rKIy)K=t_Fwmje8=8RZ=O|A1@ z5vr#S^GK^=!uXyD(SPR+jTfHp-u3Y62H?t!x`dS)ZtGqAZ6rz9ZBXQ&9Ka!!75IeW zY_>RixawmaP)Md~L4}zxJ{xcsQ8fEOSshu}Uz$H4l%oVZ7u-T0&X616rs_^-)@^syuweHbY*$XTFrSsm3nR=88A4P9B_{$v+l)eC4T~W z8rYG1u;n$5ne``4%R5f@x_)0J4HTUNaY*n0AsdigiWXKg8=Sp+aHmyx*l&^#6z)vo z4g4hPwK-Nko<{d?rJ39oSC8`rZa|TC-r~mt|_xIGuvjaF@ZgZVh~o#H&vatz~k29v$oW10Fn_(ggw z6jzmA-=%3?QL9Z?TE5l)!GayiE3Tc`D3%6jb{#PDuB~Yn8?MFXzSNFYzN9{G-i6Nq z8V#ack(dKx?HLd+=-lC-Rj))gV`mMfU<_B`WEVX>Frmn=(nnu@-g?OUb}Y{C&~PdL zh*WOIT~WWP@N4b1Rf3G{#N1p2M*wTeS&vmp0vFQ+qhN7_JI8|80&4w-mg!kky-t_u z*@K^9)iDu+6#hwy;snpXXUU$BH}!Givrm2?wpbAwQ&$%s$M+b7t3|FQaQ_!b9U@+m zLsu$2JI_m;fP2}Xg=&xRs{?Mo0MR4~s+dML#tyw3#4cq@Q?we;T&n^!P1=Tc7Ayf4 zKdqVZ!{+78!Z5Vu4T;~Ue8eNzd#*g+R}pna>@z-wfxM2HW?gwRaIMwd_L6R?ww{*Y z^l@fE-j?gxfYB2`sNX$B=WOTOwe7-1>j(LT3QAkA98fF&HU2|4?du85x&4CGfSGgs z%lfgYDI@shlCl`@`$cSCCF~;Z>|)^qfLAx!T<~j?Qg~Qovi@z9Pf~}DB%=YPzqPA= 
z1Va%mE#ak}zhU(Kx8B?d%cWMRMV#+Ni4t~LSGHHGpVf}FMhE0@{{*?GLqW42L6EGi zux)|XT+B`R9MR7lBkXD}j-ADZo~1=KxiebPcO1k0Loo%89R9ADROmQr8Qf>+}xOY;c{4WvdUfd;LQp`xBktjJ?ixXXZOf zhqA>Jeg>XCzN6;8y>n2BzD5FWfzb6aXv_KR7ml0&RF(|vvSVW^0DA&6j_^C}S8^Yb z{PJ*4Wj(rP^D~u1GAM=GbqS~Pr?BoNZ{q7Oe9HSsqaT-W&}vcyUkNn)8H`kKQ}6cv zhmX+0!-ymfk$b~R=L_dX_alf2+B>kyHJ`^a4taOsVVztHl5E{rJC?`)1GMn)OUVgU zMgIp~C(s@cmLH7tyr;_;yrDd>^*m=?@2Ou<8t%k>PJ#;xhnD|i}Ofu zha;p-MJrdV7%M_cyiU5N(@!+_AtDlgxijBR2mTByAJ0Vqv_bzS^tfjTF%ulz__|fD z{{>Vg!WHly#GQ4bSTS(b$ylA?TY}7?DO~TS0W$fn2Vkp1NY&_J$1f~|Q2z~x>~q*C zBwGOsI}o+t#CB}SjW6g@yz3Aej5&Bc2=u(#IaZ>{)q3Yfd6~fv|24FyFN5a43%0*~ z=bD*z>wJ@`!jRe@D;_OLw`=H7LOQyX8c$Rzw9d9NOzYqXB+jUw5upa7mja( zV^+=bAZLAl$LBu^zRP2^Dt5(|*nO|n2U9QFr^di7vfxj#%sr45{)%u7CiakYg(v}D zm93(>zD6(uF4DeT>M0zQ#ATBx)CvxHh?;>~ayL3eV zj=q7P#g?paV8Z5XI;wrMocy_B%05HxqDqf8_Qo!6wD4j#_9FiN{hL^9{#=&EbUwVV zp@EK(kr=x#?zMdg%ClXGOlxR!q&$~ZHsIJ_Qddr0N^hxyw~hwtnn;SHI{or-U8#BZ zU)r@~a>Y4@l!CakDiyn0I@BTRObdiZX+dnr32s9t_7ptuVyWLPff$eg2l0}ZvhOiV zXBkrnZCraC;;^X&3%(X$5tGrpRsZ?|@qj0?GLko<``htfv$w z<*I+_BW4smT;j@g**7dfc2!Z*@{CaNE=pT6o{{g_G$N2~V8q0U`4OoMzKp(3t?ATh zclBZ|81jd(J$pnrX&Fjki6LsR?xBUN$ytJEj;aKU;~n-T_zjkjijTf=Y^jjvMt7jy zYev%mhg26;CA=AXf|}YPU9>c_z59d=Ok`NVf8c{Lph$K$f%gyW2FjDPLi&rf%Iv8% zskP?ZUrMm2ZHSU^u&7Hp=5fE*rt`=B(_T4mmttNOq0d1eJ|*gZ*!ds-c8lSjL>%;X zUYDkO_a%?i^Kpy+a2b&N@Kb9qWK_FG2z_qHd#fOL!{(TQja|&7W^h%A9B9c%LYYI~ zW46vpz_`%fIRaC8D<>T?x03KzLCWE&UB=_7zQx?cEMlCC)4MUH41teoM4vK^ecqTz_GG@F2y#KR5E=ve3|0C%GZKo6QJ+jidJ$a z8#VfbO_9~Q$UNalykE`4EEZ|`j`RAM;Xz zHVn*(ssI}>()PYh5FAC*k79lNx5kR^>v67Y0qv(jktK;cetu5$rItf0SFZ zI?4`zAVDO)nYwDe=d@e-Sm=oRG85up8wBoQEtb4gPJEfSC1^}!N0Zyime7IHo-qz2 zF>3~=u__6x(5ev_QV>Li?!s-d+iG_o$J*BZtpm9JC30~^+9majVjD3B zHABrh|E#+HzZQTB`k;dNtE^Q)0&rKi@bxVtdV+a$^Gd87=17cGhaoVGDdJyofDft8 zw%%;cPkgSzvbFCy(V9@_wh4kif8XJY1WTUzyPWeS;OmtIg_qH68w;QG@%se+`X;( zApm#t=+2H9^gi!v=Nz{-K$nNzS~^Qr{HJNoUxART@8mZWN2csmx=%^%6=}FYDy~|M zemeaxh-W_vUy!Ak79@adni7o(gq`3uzt<#t8OY~g1DeSX!JjG*l56BtGX`{7O=>Wz 
zPi?@%r)NkL73SG<&e0il!^fqE)v)K?uqT*$%wHP}sp;&W@N@L;x4sUt-=BrEqw&~N zr(mGg!Z#`*d-i6@y(wxndM}5`I|D^OOIn{eQl3mH|rE3OW4j@BmYUdMl2kf(4hQopAHwBe9CN$ococ^PomqlAa0 zg^yRVUH3Wm3`aRAqg5Ntu}%AX5s(0%jgBxPd{784h~#TA!Zi1x?8DvqIcLyT{3 ziG3XlAMV}wJ@*EPq8~$z$mT=49(UN&R7NL0p$d<=i$65V%G{%fyHZUV*&>qu`NRHq zE7CH>IDFz zG&|VEFd9u}BPKZdXeryZ)%O<8ij!pCYZvT+#Kpsvq4#?xGDfhRZ&DmT;=nO0r5TNg zw*&Tn@foXNy#d#IQ(`XYrtM`88dB)_rB$bR0MOHVb>fPDU}ijpkZbySlA&RpWZqc_ zk5)DHIYc+&!uwho2jP9cW2oR>B>aC-q>fdm0 z1r?AI5NSqQK&2$4Mo9q?q!FY;x;sX?yITY$rMrgi5F`cZ?iym4nSD0T@0|Btti@jg zY-YZ3$8~+~yYo56-EMOT=wZ(UCMI8uPH*@srcq%Z5idLl)kN6itrql%bJmE~SoQsS z_4uII*x+n)#I#KQ)kUb&*Y~|Y#R7#cRud^$_%+@(e@RULDVjA&avg`1t&xJNlSCDg z*;%ONd@SUBW%xG0_q;Qk(v=b&H~0=@7OkaE7rXNcH;@{ylDsuuGTnrb6>sd7QQ4*e zY+3F`TOfCk8`GZxnJe18Mlw|blSKz`xBbeb`ZmNbW7}3lG6tWk<%_AEU3r;@b1T*L zyj&TKdW|Rn`iBB%7-sn%+lz8+wjpALn02tk2EBzCnVCJcyDk{Tp`f(t4@N+|Ni0Lz znv(&llux1kh2=0K+z(VVFMwp&9&8)ix$}z6(vQyFrQg11_V@8@I6x}D^|`+u8I&r>q~Ley#_*1!ill3ddy>cP zx&(3_gziK|M%qWd__1_)?G#)^Zqrga-wn96-uzpO7Tw**s{A}0klr z2)#Lj<^(1dE)Rzjh#Vm7UIRT*%L8?%FwJS`8LV$L=h_aV`oJ|2U5mQiC%0WJZ;8Ur zmu;8|AVX7nz6DbSC^^saUqbeQeOe5$p0KRR-+LI|+y0DXM;V?BIrg6`qgYx(oWYR{ z(ftGc`?g`~v^m`Mcdr3QAPGVrnd=l+k%j+Yb1VmH51=pY?!YbWe1>$q^v=>%oAPQ@ zJm|K)uOS#iw9n-d6u09`JUr_JS?>=R&`5X_$yfED)p-*dk@|(oLmNxyE-bE;m{edB zYS4a4@u2&PE#tQ^&>L)23a!VwVxpld zSBJ#9_P!gLPD_>6;G9)rRu;9Tfrk~ZcVu~AD5buceU5(C)jvsEo5v4d@MB1pI1l-x z$glktq4gEH8{~1tc9w{IBVN2ACz~hwxo(abO(<8U7Twyze^-Tr+pk6hHPmG0*WDod|N{qWzl+&^*B5T$pWs zc!X#^sGENLUQ;8diho&{ zL}Go;ua+>a>CUjf!5y26|AS#bh|jf$JVj}lbqUw@^O^udiJGi(iioZdA(2g?TaBCY z2#MtzX6c%^t`C8WU)eWy+dchV1Q@)3JW5ji{w>D2qfu8i>){ng((RoW&UMG_L(k3P zleN)KuOsx-?};BnG860BIDo^@87p2#aPuw@LXUS(Iy5~a8)ok1<${c) zqQjweHqh~L&&N!vDiK1D+XEU5qi+gu!+dwk`-jdyuDw13PC>nk^X^Uo;`c)Q6pcR6 zk=r3JD{F2n?;J_LFt@d$0+T8P{`!x%#xmnF{0@Sz>d@Diu{!2npJRUKwCQ zz)5Ui^fn%UFMB-?ylU{ZV}(S`0k%Mn-!k7d1}o5c()FNJC7yp%u1)83R~`dZ8XA{v%X=AMhi-0OC`RnZqVttFVvl#pJ6`!;}94fi`(4rSOet+}Z5} z3(^K7`>#v1FYJVPxPpCWhtufneE($hJ~Anu?M;K-(4k>Bf;oC2&Go(6E}P)>x>C}t 
ze?6Eo4RIRgp|kUvpYO|bo(L23L8C2cKij9jGfFAgPLiN(6lUrntO%`sGyW}ybe|zb zcIn*;euWsQn!o8&N~^*V3|3Kh4J2%0%cg8Q9URhJ`}h6 z&r4Sn$gtG6BPSo^-OSlQX;8bG@FvW(j@+rF1@0}s5@}|vV7p9#*eLb1-XE{QK5(makTOTs{_W}>2KZsh;Rc{b* zct5|mnBTe_OXKsJIwc5Cwnm>c@%2CW~&@bA2b8}O9^g7)ac+-!KlOCMU z!&G*Lxj7nR%SrfZ?}P|5jHdRRQ*=?)Tet1IE{OY2$&deo3{nci>+C07Q}T{|L?|B!n4sTzgF4b(85OxB)s$khSeB|u&0UZXSlTr3^7 zN4&7z*NC;8K5KjV}j1oDRR)-Vt!WB(h`ob0}~If8TiZ zJwjskJKu3D%Z+F;?DDX-cB;6mD?i!%r$UoD5Cp$Uo+#> zaQ;DJq2)VbhYC#1psPI&oPlQa;Z%CZi{HO$*Twqu$Kr3CW>&oG%F^_k5pzVle8!J4 z#s|O6`8~#SQ0r{0W1Yd8KbN3FLZ{U_FoEMNnzm}+4*&ZB?vqLUoV9gzgWv!F81D*s zISN9zYeIGoMW#Ta6vZ9xG9LrEI245FjZ&v9dVTiC8CEGqanDpWGl5S;N=#b{>rC1*0}|B8h0VZtN4^8g{26_a^*fD7s1fls zR_`(#L7e$jO%&LJdP=VI5ldH~{Kzk$9rtbvUmI5?(zLm@i70a1sfl-9wO7u8+m6K1 zu6Vw*ehFP8PvvQUX(m7SV6|&fJJzz84`a)oz5bJf>AN!(#;@YjbLy8>$hZG+h1QC1 zM?YNtk$OhA|8KMH0u>E2{UpsCNBON1Jp{B#NbToQGtfo|LH-WWxE()1TY&W1DAAkp zIN;Y*$`*1U&F=iA`4aAZ(Jk0=qBtaT`ocU6!}Su)h9K7^u}i{ix5XRH zQr%j|d)iarC^B{E<=mK}_@-OT&Z_(6oZC`eJ$h^jat452N96A|_U?8bzpZwlAV-^b zc)+o^;c$xVgHYv7GSKca^E@uC40_*ut>VRbb8}O%K5CW1&1)`>Ywt0MGe{t?ZP>3G z(vXJbM`usq;hkjo6bvWIIOeqr)2=wB!QRfE_c(xB_7t@aq-H0u^aLO^A!+gd1t!R$ zHoefw;Va^mO4P@obZnPoZo{rc9nrIxSyCZ#<3Mlw)fBJ$fs*XpvZND33P5xP!;4% zk3^*l+pZS(=-bTxWVf#xZh!0iNR?W9Hz!{;b81pNN^&DjT=c@? z{rWViYb(bMb1Dl#9~tq*XN~mTtczn#;Gcd(S5&^X`FkF%N$d4oAn|dcA`*f;4q@dE zQ7v5a_;=ZQ)XE8VrTC`pcVsm?0tkVnBLGu%#?@eOzoei@I%?81`yb)b^(b-=jy_nV zWT2OlzOgE6Gdn;c_Nb&YJnusYS7bSbh%l7Ju&Xk+7)9(gGefjL{-{o+qp9_2ZbO?b zx(Rt7(qO=X>^N%}ziD1Xgcy%M!9)CrK4ti0&Ts>(LxJ;0yaX%K^w@B1b)!cH|BMM? 
zFH!Dv)(7Re(Neu*9Ak21RPA{#<@gxQ3G9!t(ibU;*Oh_gg#DA;%eF0Io{c2ynQqu* z?Bl|&Z3SnQbmnY+^dxKj9}k^%u92Q|kGSrjr9)%}FoIOl_=GVDDU6r~e!rZ9ybC@d zRxw0TEI$E7i{X$u-~zS|m!qDzE5U&HX8$xoIM2BoKZm9M&wo;fAskIhu*-HTx(~yB z`;5eoC7k&UL$?X-M{(l*_gE&VyCQn`t`vBly@WZSX5*I#N*fPtmP2w--cDFZm#M3fvUiKkJu56!TuJ z64cN$2D=yOYKtz{dm#7UsB`}oD|lZ-=lMTjM2x%JlK`y$6wrsrBvLV}=ZO1w z>LhA#K+ywAH_2T39VTxfwYv-J%{w8$V#XHK1@0r#)GYkb{2WDN0~5h4fpjmz`UTIu zuLOE7`Ml(AkMz6{{0T}PBUVjvKp@$N?M|1YG;ZIPL(}!Aq$A!Rj3J7^h@J0QsvvwP zszHpmSQOK(DtYAHCzAZa7fE&e3`^M1a2K0BUH1V|VHhy%joGq8Zo>1UR;9Y;;<1PmUWpjl3rvLW-T9u~-Dwft2#&J|=O2?JRjH|e)JgyVz=`RZXF83DV zV5U(?HLdp(=pgpB?>ul@s2l?WvVAdFhkxtI$I#Y8tqOyj=EEkZ^80QtXT8eBE-mpF zH914*Jt@Tvhy0{~KSbHn8XYq(Oa*$4D_%M}C|cOT}gnW~)`_tG~XEl!7tY-lB9jR13F4J$&H7;E2o*rGuDB2}NJ zFXzqse@aIaOm7hb`-;Cc*=dSQi%VYZ*`)*3CoW6Crz?FFx6JvcCQP||Pvz$sJ+FiH zoPWMIiw%bf1^eo{m%k=pLm5lF!A{Gy9h;^bFkl=XG2kgzZ^d1zU_Pook29vnp{q5{JEtVx;mJW@$!k}m7#kbi@FMot zakjX3phS>Gi3J>exppb2tQs;%`tL{Rhd4Dc1jTvE%g^6ShXJ&G2uoPyLvtE)`iz|t zHeNTk{>W7zd}By1fO2p~i3>O(@ew`Qv^O}HA(IfRv8(L0Y-RxP{LSpkGd6P4_Z|N~ zyyI3ze4nWQ;G35Lfc@UR4eW~PUqBCF1yeXucUx{X?x5-E+<;97u-Y<8xZw)Is^^`^ zwq3NkBh!|_B}0;}U>(LI%cOKi_4<%d@O&k1w(Vkcbk`iSX~#O2&aa@~_8IQ_uOFPC ze2sw*&Q^kYxz9d`d@!tu8k#QGNpbB6XWz`GIagRD-6=9Ft0nPSe9`Z?2%kE^cF}F3>z`@0oF(_#&JDTJ`f}LVwngt{@P`}Mk$b43=!YY1 z_$TH7lWf@Q=mpUbiG2ZUN)x@^SI-I(ckL5?MQ`a@xet9V>p44YKG0aO81SFk!LNVL z`NzZ?Ofx)f=(mPQ_S;0}e_Cwv6phQAf5gj8g|AwuafD&(2w1WpTMkh!F0SfOv|vuQ zHwv%1Ne%|G;}9paUswXb(Kb4*$X%rmo=oDNotJn<&n&jr9Z8DU`l8FHxo zA9hGbg!j2fr>UPkBlB@qsw>Q+m3?yNxD=)}NVcK)M^?!?Wqy;d**p~U9@=1niJ5@n z5|}>dIK^Sr0+{jVDPYyZc+4w!mk9d|kIh7- z(&R;C;-dY2LPsip2EV)$dy#ifKbelUv{a{B=F-{cw75hAcGF~s@UcGZW8G=>**47a zxv+qO`M3yx@LG!K6PIQWHNx>roHX_)j%F;Ve+L_gXYoYUCc9sCK(Cj>*>XJNA*=m9 zjsc9TZ>wo#{a8y{ehj7TVAFfnP$aAeQym&awAJwfQj+^rE3J|J%k2t@a!i|@-rd)@ zf=7Vy2#M{~2K6jj$4`XSrQmb=%)N!&P@_ZD=vC-aQ0kVF|JC#I-puX3H~u(^=dW=| zrSGdmSIRKaoc`{uv8PP?uzvAyCZVUZ02Wzx31|`q_Y+zvH|*AFD>8!& zcoKb)V_1XMbmb&&x`~h+e;NPGs>CXfF1F??UVV^!&+GM~XJY=@TEl2gTa2#f&W{q$ 
znO`%Tkb;|uF5;Pp?RN?z(QHFj8$<31iZmVeH#F(P$lAq#Y!Oy%Ct&$CKWYVA&e zv+w5#(E8BRz1eLA9ci3>*qx;pq2G+xZ4EJ{VGe2$^E;^|IvSBYuf}El&ou8|G{_91 zV5?zlQtV=@pXaOw^{&VD1iq|7k1U7J%=6fC+!@6mb!O*zjVm{&Dj$M1J$;|uc$^}B ztC>l2eb2dF7oS!hC*=v37?M{bIW`{X6Kg&;HC-Tgg(3P>dk7-;Rkz0G8D+K8EVIw! zc*uPpnK%I-Trw(>=l^OjEaKAq%-|i9W73I~eUE4IQ3_{G>FIqBrbreH+e<1K+233D zqdfFh+{Rq}HZt+;c=4NAIUIibS5M-K!w6P5@STE39V)=jAeT9C;f=*zaZc-vq6M=G|k=2)A~p4p2PGP_^TgZEbBuY;bBAb>SSmHJ#{| zHyc;~^s}3-Niigh#PiAzJq><#U1J1Z;gKrjYB&=_PUo z?&tP{fm#;P{NuX7Rfs>md&Dvme`{VUXP{=RPZN9fXG6tCX|wZORjyx0$N3|dR>%F4 z=mVAVjBmi8W*ey~4=g*!o7C-9yb+Uiy!cjXIs(>JA zRK-bh32eN)mKct{ikY&{n&5uaj)WIn|)Y6m?T zUOFGxY1jl^CR~rX=zhU;+TqF>TjB6t$YA=3EVcO!#bIcwUjTT*RBHo#23=P=dNAg! z+|@fOYlSU}rO?>1r%`+uR=rS~aPvhi%rmBSiPW9Yo+|RRY3QE5F@Vj>NceC)EbmnB z%@tXE8Pk@^G>lmXGJ&07P^E<*6)?TS;>MHQ|KcL97?Bq(T)YNCw&qhmw4@NLyORrr zrIM&L9!&aN+RU5hw7S$&ajk$Pz|g2yE`8WECz-w@=i1Sb0P1B*i!a!GP7IKLpHY)W z3s_I47SV@pFlS%bh@M^ zfSLEQ{}=J$?RUK{`1>5XgNVJhOYs|jyG-TQ)8&AZm))t^(V~xM;H|$}eb+y7*+Ex- zaP0}LhB67ef^m7xbt&GuS>9E-3W>!g^u}!NObj+Y9}4t$UA>32JZbJA_^k7vznjd6 zSwPecY@a@|$vA*IMZ$0O(V)B)bVPwU@Pn$x3uqyU2bBpBfS;h19T;uhg3)|=m1HeP znv>WZhJZI!gVH-IzC9q8_?>p(DMo3~@<0wUd}rYKazjL9v~gsNM2!1(Xw`0#>W9}q zZo)Y+&J)D2^E|O7a1>-r*Ue=`n&vPLVKKr21o70u&_x4u2XsZ>^csyj=xD+%)naAJ zOaDkgtMA;;+pdnB=n+8qtS02>s?K0nCk?u{3>^;XV; zT?HSOgTqd}7959Q`;F{K%@wpi6D^+3D(VurJh~Lx=}tJ`nB8W1;Pbl!$Ibfy0xTVZ zrF6}o-D*;@H4`EHzr~6Kw`B`Tzkg*>h>VSFKU^-n2BBN}+909S;%K|n_wY!(c|I^~ ztu}1n+Bl*7B5lmq>@vIZYFjQH(1atW5Zj*vA{PafV5(>4I(h)*cS_A;0G#H%(}Wr; zTXtF6^Ev8q>ASg9E+4cRc@LRsT?4B^=O(A0c>S^ubt??G5h=5|Y7XcE#hht}gQ=PQ z+p4*L)#uI-fT7~24T;cCv21RKinE00-HAm;!T5ZGj<`iINi;6K~- zJ;=TPLTsFHga3Jx_l*RiGtOZNBa|Beo3Rn#mWN=wHUj4NVoC)QAKWZa8STR!i0(6E zWcSZDB2;@}omvW#UgQ~4lwoyQQdFO?r|`_xCDjr$CBvz5HM~B|e!JFmbJz+Cpzb@L-bSSpS>nA-`hd*S0i@x^KT9hVeOcMTaq4+p@elJApt=J zEGqXs0M50fy4s0>O~6hE*uHa#x;D+{|1}rCO#25W#chN!qUX2*93@E>e~4_M)|-ZO zbXf;eOQ=o3mOUbL{%4VqWc`%(#8etDvkvYyBzIe9rw1cFs>lzx;^59+WGQ$wfr8)s zqd|^AftHm3BH>4Fed?TCBCDoZOTgmgWsBF!7!H`0CFMo?dTi-=9R?|CIL9Q9iB_9j 

Zb5{1n`;)g%o-eq$d5>;aZ=u_U9@enYII3AiG4CkWd z*s}ZO;C3>9uxv zP0hw9KPoCAsiYo#hD|PSM+qF4U>cP~{Pc(jNLI@~ek>ayVq_q;Ub%fmZ@E4&Nf$DK z8gP;4-aY-eE=~HVbPxP^RhF*x4|s{l1&+`Ecnvo!i*zS9kMXFw&+m^@g;Y}m7{_qe z_{Th&y;h4p-npI60HWu$wZHb|k*ax4M4reac}c{lY?I0;L;#cI9!17DRtelvWv_@M zFteNHJ|g?)8ZQWkLS?T+Q>!l2-~GI6GxmsMQFl(Vz#mOdrwzW{aghmb;yNIe((s<% zxac-i>&O4`_~;(duSFH%+LBDQLJvfa}~_ONOo%DemW2!t(jRpiw~h(>HsDn+pTO2Gjl0 z(>wVJ)g0oJ@hvvud-fhS?Jpjip^%CeID?VHXD1AGwJtOVr{_Dw96AG3dYapV_qCPO z2YSmBT3?eTO!DzJ?1%O;)*k^NKfCnI5fe17M+Ei7fd&~Q9O@y4=>rg9>&}YJ z+;et%bF1UushMGM;xTv5D zFg-6d4x-Z12o^*wqmnoGlnG(cBS{rvBJ!xPPWBO}V6^6t@LgIs$dy%g#PH;!)B1P7 zpA1FYy^CJfz2s3E#<#caZd<(nVi=Q$h_ZbqRsZOtIAWsEApNk&D536C=fj*Z0|i0X zTxvYrhfRI9meLkkEY=RBlf}~fMvf~EvNAjEEmDGag&x_3AkCwHZ+}RcQN+N2dlfxDTy$P1Y&WCUE zZ90Po{W&`s5;dRlSmU<_1jACu5z!00{z`Kjk(TP}dDC$V>sM)f8^)&-Wdde)9t#pT z@0kCSO5Lpxi3JNmRcQobNkXXwQ9sBbJEj9UVKP|uPd*0~^of1=-R*l!O23YLIKunK z;QF=R?G{Xp<4;>{PKL4{VgH}K(LI?xZS6--Y)4tUus_?$vRut-8ftUbvDdVh)*3RK z4qgLVl9H)MZz7p^Qb<0a3aSCfiYd?tso%rr5S4zTL-NML!p4wKpZFR8S>&GsJMJrE z@UPDroze>3bAPz5Eam-zA3j=Z^aS^^SE6vv)ruUKrFT|kldR=m^bQ6GuWo4~wT*J$ zR_*76C8-mIh4^1FYND`qk!^n`Na5u$kL;%ltyszN4Qu3*H-S>chZq7dbhywgJxVsZ(S@E*bHy>jg(Cy&+dk$eUh#zIRKlABUP~gxvFgG&hY{3bm;peOMuWKa&v-vT5rv<@yS6% zY&4)N%{fKEI_O<}F9#4A-9N)lF6QjGDhh}*Ip|tF0uh@g>`5(iXqstypN4cOMxg_FX@>D)Z2x=QL~PZ zeiNK)9*L0yb7h{jNn33ITV}f#HD(YK2IZJmB2dn4dM&Jx4nE~X!w1gAI|;*myZp95 z3N1oV3tE;gxbXn_GLzXY<$BLs_@CJyMT>t#E1Sl*(>2yz*&tKt%n)zS$ ziu`9eKA!e^1nY6|*84ja7%w9yd= z(_`;*zNw0{^L#8L7-hw@|16S z<;I#!Ct&bAc&$O{%Z1+H%ryOae^!)xZvTWoufsfWQe=!9BSH;yQF!HJpC9F|G0#Cl ztlE{U0~<$)$F)j9m{b2=CQpPZv7<{kM#G|_$qJhlsk$f0@I@inVN8ZDa<7~`%kQRq zAK$;&ful+G)j!?d;%i-=n70I#tX-WY+XH*<<&7{Gpm{>t{-Qj&;7VBYXe+oO#BMh6 zhwLc;qjsj}8l-;`zj-X;JkR(m&8ti?QNy-hk+4rnad6n{_S#f3A*=ISiF6T9gdl04 zWzSPq9=1J=7;->B#Y8sHxsC<~XE#`WaVw~|(IDU}7^W}aO=H@A6ASqGZ}-c0)qwi5 z{uf$KmRV`MPh~jh;TE6lhK@ITj3FHx7oT}u&sG^ibjNtH^tA@UJz5jhFqqu4NMnnd zTQFhg>tjTU#Kpp$y9{1mRAUJZJe8Vg13rDo%slv4;W`PxAfq?crD_bWIB?F|s{g*-=AXtlayg^<3lFw!O5k1SQ4X5xZ 
zI2Uqfs!k8r%UH<3bUR}?vqOkIMiaCs>l$EgiOjMjO%$)CeYagEIZGpFIjG=cJwC9# z?$7Q*qv8kn(*Lk2T6~$QZ?=PWoA#azc&J8w#TRpJvF5po%tZ#c4q^F=E&3aVt)|9d z^U;0pdd5%*sWhX81otVEVMQ}DCY(|Tfw*rULlYe#ISY8Yy!LE2p|QPP6&ry~ z&>ds_v|xQDoz0ZyWlcu2r@&K?*%(17g0(vID~GqobMmh$z4P{rVc)bvMWV`Dm#uP# zetn_mEOw|$E(5FXaxCpp3@D6&rb}*5KFJZn|K$gS)Zi5&9Alo!rdg&@)zakP4`Hi+ zxa8fZz`1Qa`na=idX`D5uhsSbcRN1*sb)bj^&d^>+)+sId&5D>&KhIr_WC*~qlLs= zOREI*;)IBF`duMv#fz$INK$-W+MOaMm6uxly?L(`nr%*a-Ir`GXyRL;v##qc$(Myz zV;{iL9rhi?Xg<%*W{JLekgR=Cml8f&Ke`QV1H`&1KUKE{nhG+l0~(p5f(PXNzCfh2 zO;_rHd?5o?A&+10>0FX9HkW}X0HV*Y`+)&f+9k*(d#A!b(!)PuL>l^q@u598tmL6| zJa*!UiPkXVYU_lfxEI{vH@YJXJ*$Jn3y8s>mllWxO+fynv>= zi@TKry2|rQpY!EkTMVVBjq!Xc6oB4G(pqwx$*jc7t#WO0QRF}ULQ_QC`kg5n-r6mp z0=K*>FWnX>($I;-@7eASKv^RO@;RWUX=YkHC_R;3G7cXX?qq6iLUCp)3eF`Mis#mY zp~?v0ht3&NshG0{tI9cW*x`dG)app`S%Lreax(+1w!B>jZMnQS#RZE(|FjYHB>eSy z{yQ_BsHb);dqt|g?rf5f?*6zoK1XKCs8FXkG+huF#9D^&v665~OS&H48-E4oUv25D zz;M|b)B7DL5kv{0-tvq#XEa;6-{X+lhs^bN2fGXe=fl_ivBe#Ok}y`0@q^vNA0)-3 zn9Un484uX$BP=63Y2vi%(2QP|o1ZWw0&>pneie#rN+z-W6lo&WXyVIqkW&7%Bsw)y z-alfp>;`9p_M|^{M5Km|SlnZ`mNK!jyfzs4p9l+2QUMFfD+||5`?V&W69*tVxqQz! 
zPOw1tS_{`WQW@cax}C`OuwG(xC_#YBV`>;TH=23|%m5-A8L7hwm+1m0<;-b5lywSN z2=Z#5!N(42kwbffUQm8OVu2@%51o?YA77WQzPJ~eZ$X=IQcEes`ZE>>I-l$BvYG*b zY6xyjZ01S9m*6+SR6610-1{WVaTe@(QyLxz$s)Vi`4qQacpr`|vU>Kn|15)xrSVl7 zuH`$LX^?|($7z+v4Z_n-3OI@VVQg?ojyFq zOiShNxd8GkxsEV}DvZD!A&m8Q1UkEi&65Dg#yIE-=kU)pK7iWLGT(!(olQL~-|&P3 zmebOwUZ+6ygiJvggZ-_LWrUmaQT*w4uW8pM=YYNPb$Z;uDENAu)eiGC5e4wr)ss(+gUxz2@kJh$D zDQ2T!r9B2*7)d0gx@|sRcdCC!7dQ!ga9!QfGY!AChwHUMQH8#{zd@vox6s|}0T@`+0D@w(W?32(kiu2*8usQ*0LjW^o1cq>}DOc(5$clp=Y zEu-Pp(vl|0MTbk|0*Pw7{H~tjrKcALZHZgI+}nQ3`Hl{qiECG-oSOV&tX}^1;doDv zDz%l-d!WAx18+$jh(2Z;K)1(wIrrnVsB@^vnVn(H#&8!^uize3Bj@~*o@jW0QX&$Q zScmtjeb%S(6O!6!^eSI%cMMFixVgC$E`b=TX=Uhmel>fNW|1T7@OxIL&jC@;R^$9i zi1NFGvzXCoj7>;9N#@b|mVvvxa+N9-~vcHF3@7xaKLEFwZCeCPGOTf-go&~aU zt0fw72HkKO%Y-|4|7+{7U2+Bqfvb1U2UQsGRAJ}AU!;G!)_=}@e$O>A+D#yoGc`R5 zyRC69e1E*BxEy}Ee+xmUVrRvzn1sc$=I5+(h>F@72UPd$n2%Xi?Y1a|MTr*~dZ+<# zSvO@#!*>Q?W2uad`>DqWG~sN@URl(wW6`#LJBg>lR((X5sr%hG)9OySbMxJt&NJXK z+WxCpHsaq0w7I$MWj4k(!%78)(v(y|x4i5@FL#V?D%h;T?U2rK!&5!~5;{o*q$L-Y z{pK-1^kg?v--X437e7W(w{CP*Zmyom`vY+BAAeVq=p&4Ku<{N58GuKUcPY`_edq*~ z(rW!!Q*E%HL4$w@v}1Wt{A~u~qWSd3I(Ic4o8+1`Pko*|oK}|YncD<`1@A}ST=#y* zN0`A#=70cB{Q!-^yR7=OPzUWd8mL97o*YJh3jn2lFzHO@!{hNG7$Dvdw1G1Mcq%e7D)OCeKLX*u-5T(rACy* z$AZU4->q2I!kAopiUfFfS9|N7Fst!OEQkQLjZTnCzqB=~CyzS(4BWlAnX%V(9xOUZ z+72 z%C&^c!Q_*~m_LvPSSe|#avIJ&O`7iyu|_i7nImAbAW}rK`wn^X37WjW2NgG7XA2;- zp}Jf@CqhDsb&^V;HWph$XeU61wv(6vlIjS$fhv61KxF)7E4LBMQh)pcZv}>mO=e}S zUsO^Y!D_%vY#iI82YIZHF%0-7L0M3;NDO+(5pAIjAo20TE>%055GO zIXK)2@J+J7%KBlv;~5&MB09k!M&HS}fm{W?tYT#GA&wzv+8nDGu6xKKt5 zU}+NmP0E;F4P6NXy`qdKbm;sb=?{)G;c!8~bd41{GJ*7sxPNWEOpYP;e>kE2i7mK)K{Ve@L)}a;()zuaTwfI_it1KGQ2;G2>66fLlIX=0`^^g`$`F znljwh)c3r3f$lNOo0h>spjYr@5u@7Km*WgBmK$u?Wll>6Vzy#5GESO&0U$1%Z;GvZ zuOvT-fH{%qYHdv!~7$=`TwyzTw`eOUU+icUK@bKyNjDIcY#VRXyK$j*IO_?W% zQSHNr<0XCbU*80S?2OClCjeLCkA29IS->A`Ukii&9{*rW5*zr@&hH>;_VDiyGB^0v z>K>cBdv;>BW;=pyu&^I&xhHpjeMRdr4Oz%#M@GYIXr@i6_!z86G6*0>D0l~S?oMte 
z&U|+OJlwjN`n*zCTkuQb&B=S1(Z0IHb(q~hrp-*i4zKrd+OTiBcCW}M)bIfj!(}+4 z%GA9d)nNW>FvkLKITwEkfdo(Swi?6) zPsI7e@s6`4fFJ84g4d{G$giF8rSZeUFG-vS83;wa`)SJaQAA0pF!)08{yirr$!n$n z$JF_wd9SmdMhiAc`ZYW^#aQZMoXTHF0{E;SDuaxnwGXx&9I39i1Daa8r>H`1xD#xD z*2}85)*%CSIsh6K6bH*}kg)bBD6);qU2;+T-qx_{$CEy{Q!rVs#eTWsZ9Nxs%kPkS zDq+#;^G2I$k#ROxOC!;B64!?8^2xKkFL4+>gSnob9$m9-7Of9Z&n}CbH#OjhePl7i zhV`B3Wb{EcH0zPKmXk2^w-NMSf`O1!p}){h@dtL}eKda*9st5~^u4zSc-tRsYuu1; z{24yl0l^zbH7-NTKi&)WWkx(ZGPlJ;@L(o1R$J`@^HZk2`E;SUwZCXe$q<(6#w5`G z3?JWG3o(>l0(@Y%=(DOmTz~G%%BV1S3Kt-7 zIl~uQh8Brsu-b;+g@{KfS~&q*s^w2<(XUw50)z9)WU`#k<{ozAxormJ8j`M10=8B+ zT$KUvE|M1lrUoTmU_||Dgc7p0^lCZ5kQ_|Fh58QPf|H6p1)avXDCTdRLC3>!^Nc1? zWTUAI8s0X>&Zwq1u#7zmn$ZE`1l#?aZ&m(X0Sa8V`|Yx4bk<6)c2gS)*v1!W-wY(i zbC|maQ5O$4UpUTc%tViw6maMs-EHEx7h<))J_aXAJfb93w~4HJ;KDzrkL$Sbk(yeai|*92jISlbm(??Q#Po~ zxYN`2Gkxz6K9vYvA>zyVLv)1CmS4pk{>`Djon71Qd3=!f_T_X*&j zKN}hwn0S(0Zj;Wc?)W;`P5TaLcEgY6%+OnB`V+a8{i?(()Pp~H#G`HvTT*>xC<~xqiwH4$F6;Dk3{AT}OZ*px}GT?p0 zZBi-T=E^{LW5HsZaI%Sa(rO;a+Pc|cY0bt;&U)*C{AE7?UYx|+Pv;PlNR`}%@OV36nm4U*frNZMd z7V(pHF=7`mOhSRUS=Df%M`*QE`_OmF%Ogo-H)g-;qL&MGkSpy~!MCuq_dD8_vQ-2jEIb3qrsB_+ zgH3x$Z=(#q6IN`6AY#JtnhqPaBCUiKhFE`nHiO!4=j3Sx!>6RsNp$H`%2qtsMvKuW zJ*~<~V&FC#GLseyOC9@@zKi*(eBOf@_wYfUi-}Cn$|#_I7C1A$Bzr#Gpe3k`kZeWe z(fSGWDZm>Qf6if{OE4?zOP0VQf>qz9)y|CgYer^%S-Qj^QmZV@{*y1&Z@5x`Z}}yN zrRf}JulT3JT+fEtmB?+WDQ84YUGK+>y<~B|@D2)rv{$Os(cRIFXI0@pIUZv7Vy3PB zx|L4tbsjGRNwJGDq<~f46I_tVx<>sZ_}SlkI8+)x!#4YsM}gmAK0^-x6%p?6znh`w z;y<77R5qD0>)GXZuNLIDa;ywhP-xADO|OFB1f;0t61=bfev=|68f^OR6Dn#~sJaM# z`8zdHR%T-_0fWXGY}N#*eS2nwl;X`h%+@snY>2o#2UUg3t+@qh5}1wUX2tLSEs2^% zU_AK@6V1c%JBnWnkUZ(aqIDA9`WRcnZHVZPhEUBH=}IF!l?jIAAUV5B>Be2h1;f{u zi<)#L`NS?Z-1C5t`wDYlzYoa_v{RDF|OFSGrXVRobmWRxK_U!7}l102SZ-1 zS=$Os58R$bwxMi1n%N(({rfAA9P(t(c^(SEtl8G?8=U!~6iX zlMjda1rxcCHTt!9F26e(IhfgpeO6PWnJw$Z@x(EUK*f7MxQ$Tswu?BT;6{lyK!+lI z_4Ym{A}1RrJ^L9jhgGqTP^BD|GWYs9gJ_LwXxsi3=5U;55%kKvjD4;Ap(&rI67;ya zSXB#_5Y36{L3@!#f4)DC6vrMXn?8!vOtTc8r+XY$FqC2n_4Z&2UDd_=#*a@F3ba&M 
zz%)rrL73DRgbKU!m)@c7Mo2jWn-hQa@OGAu(d5C z-m#E2^fMIsz>b#Sck)A7p^~1>UnWe6!L&6DH380mZ790ew#3J36gL?+F@;|P z1dxQt8e*`VGLc=XS6^-9IBP5tr-SNZpiIMel$XCG-O!P@wF_E}#{ydB?$9R(^Ps!0 z!{p{u)eVoJpnq#t-E{Vbw=Rv8PYvGZ?w&jvJCR|^f0v82f7hFvd-;E8_)M7QYl%oM zg-p1Q_HZ5NiLM-*-}68dlm2u+lBP3~?ga_w%C9!;-md_i#Up%~!;Hvt?XB7_4EQ%L zmhl4Fi5FHg`Wkg6%oGYxlyZ&;U*rI$n{J(>MnyedYKhcc)&=~#r~bM>r#Ll)_X&Lw z4Ub}Mjqsbfcn|W=awG-EEU-rOWb=&J&qRLrkJgke4Jgkay-oS zmeImX>1;^-GO=Q}+tR}nF^QvTZc}Ll^Nr@_?{ZzGpRBmjoVcbBkjX?(H=S`oTpZTT}8Q%<0WEIG2$ zWjgHsTr{UVGvQA!1TbKsVPSRT9?p&h6FsWbV=XRe~Bn|srJ zT=t2LXU2t^mI9+`{Xc8X^!Seug8AxgWftY2z0&xfOzc9i={@^{zt4ptYYL%~z?!Ql~OIE30MUg?Fji;Kjm=3xghfS8eZ#meK!zT1W!cnzQEes&b!EAaa$3eHvy#0q>~j z2Qb1L_kXnf5C|OB)!+YlrU8{o(JHSZz%F5`nFHj}RK=JZkfbDjhKWBP?Zy3ubXT8c z8RoaL-N6dlw^9eCE=}GAv-P;0tu~?(v#L#@$?acXZKrntU4dV}XH> zVwZi$ns~o0!?0?S4rZR2)p_*~G7tw6KV%J-Srb6ZbOegcC^;$HvSHHr038AM3&bPV zhOJ_w(d218=y_+oCGN{!SWP&Pu9?r30DQ?xK5lhfW=3D{SQ1UU8zNy4#i7B-q7H3c z2K?8*m*2B=rm2l@eYepHNYEj-b|ctc15x<--fuO7e|Ek~suwNa&n#~~Yyr3Y^A3`P zkxn8!=#uK)$_TikG=eNv%M{a<@IO4Jyw^AXqPuyjZN^=2^ZFo?_(eHpG8m(>`-fQ5 z_UKclwppH*=Q5@J0c2(iR?&df+=QS~0}3I_;4)e%9pF838g;{v{`R>p?%Go}sYuIf zp3v69K!Xtd<)=;}*gg<3mVhFs+++A4yRB$T>RZ&WYPX)d<*+y`m2bSJBqJWn;~ZyS ze1lBUHvL6|&cN_&6soQBTk2zBsVq8WImDf?H^`jjMG|O7_Z+6Ill9rM= zdES7VDgKQd6BAtMhZ_6aqd7kVjsmdmJ%J5}DwE2$gpIiPLG6lOeecO%?c3#28WbbH zaAR(6ZWy!8z5O<8+kfYSDJv?l#P?UOet zG8|rw(sF-;?In|j7?R>y{v+fcn?ZltK0^zS@gs2UU(;bBdl{`YCm-mI{9q7f(&aUt zW?>tN_gMk$vyEYH9}yo)7B-eUYUu=R@NTNtZFPEx(bddTu-ZYTW~rxsoslK_9|3Z6 z6lrAqug!B`SX_P&=|IYPgT1W zgz&(KY7Jywi`vq#+z}QAUU$zyRG5(5z~$xSWjZ%b2__H2j-^zG;M-t6^nICMpqpi5 zw?>mp<icFX?1)5nM^b?rsd52Y0}7PA|vWu zu*$1k)(SvHjodk{|H*Z6TmhP2aLO%`d)j8`vEeZ~O?*$vA_Fj7)T> za)rJ+uGKClA@&?-MKA-SB6dsTp`pi2l8ukfmCHz$oiYj3 zq#EVx!HPm~Z5iyiG*R6={j80bwU=GjXQ@WzYH2scRPVocC#=+{Z)`@FgdWKzyDEfm zuJ{Ln%*r5%JwMpnpvsfs7>pd1-*Ltm6`YE+(XTv`F#Yq@`(%b}RSGF2Z7sobG-0L0 zWvA*w_5II-?|E1xeA@G}`S0_D^?QV#TGLvcfNiu(5pk>6hbmqtTcDZeh2?|EY;E=S z1@NytVLdo^$En7n1d^C0u0H!D!9UzA&>{O0BT&=PUhJX6FsZ48Z*_Y4hrY 
zbiZLrwf!h;s7t~G=1fAoPNdZIE^2(y1_7KPqHznqg1bz9W!kv(Vs_q$vp1ifJq!x- z+O3{E*U)D?xnecostPB5qNQj|?OPPWrtFm?m_mRXozuol2H*B^77$gOh*3c+vlPGo z9Fd(mSZpMbQb1efi8u=L*7DwRsftnkSASI>^BL<{Z-W#Q*CRLguyDnj`)I;3b8gsB zC<*TFij4}Z!Y@WRjTvcp&@DdxI`n4$;uxe4)4=^PxBch2lx7AB_hq@9l)YcCgGoAZ zv@z*9$z*rmk1n#e-Tdr%P31n(V&ZH(Uk9KG)!ckNS>%m)J#Is&p(r#S-BhCQ=hhn) z4u<$Tr7-0eYX&eQ*>+#RohIY^^U9p{oCAENL^Z`@Bzv|iIloWALu?|UE+WFg7GW(Z zotlrTX2p?=%)AQL-HC(AJx}f@RzObMbJAq;wdyrPp@hu!L)ToPDcqG5eZ|M?GV3ww*Y9svH zk5`5dDB!m&(j}M8fZZl|(Po{DJe(}?_tkbFzKi(uTk5T_<;ADa=9hi2=;fDXlbN1- ztlOhCei~(#*GXRGf1`e1!o^g{Zf9f7mUW@Rzul45RH&Hw>BwL$BEIVm6^A^;SsAEk z_>}p5xqJW%39q|q-4JvQB-}`yQb;{`C+Zd(F`5v7nZM9Rq{hwZGK7=W5!d7yJ-Mvs zVVE0g^-pE_=(-*oNMd(>Fk|b=Z>Qpxmo|ay!#K?f3f78R$>_cFi zR}Uv^{7L**99LI%oB0>T(M_DG>nba3Pxdw~w|B=IqJ@)dyp3E<9)G@HKC8a1*4yp- zu8~PO8X6{4{yO?Yc=4go<5R$WjMJa4L{PKUVKAWG(>OK(tUT%p$k2MtX+WH0xm-A^NL?@#4R*Fok3Ks&iEu>MxBN5BpNTX2MN@~f5b z&f?Xsq~HG-$+k5ww!l%`pvr*S)IAVN*f|Jb;(-}J($!-ncIwLa0wY3&H|+NyF`O5!7VUU z3b+?IdMh1#5;umpInoL!X)Eb0u}l01B<`(%i9SG)*Cco69`Kh;)S)Ti6~K=?gZGis zE$o#Jf}23X!zDl|4+Fct9s@s`W|Y|rHg4Rp*RXHiCe*?frSa$EMFCIon_y?ad?;!J zw1h0!jf7xBvi&wAuO;2f3|rXZL?wig?r2>)s!pp zQ<(YZ%y?yY!T%l*tKm4hV5)rjLz{1|(U06?+$qwk?hTj^qAib@G9hcq){opAoCy~9 zX2b1U!SZ}91SlotZV%(;zKoOu1~(Z1doN3Hc{TIurSX+AeP|5aDOpRZY2}jd*x|-* zv0I^B(eiuTpx{|uyG)HEDIU1iWGe~9aZ$0IG(Q22GqsOofHiZe=K)BE{qIELi1T+p zk%?CKh(CSJwOuxOw8q$c|KFXvcYDhLshr^eF5*{x=f#>$f$ku@IeZ%^){oz8Gkh!X z^R-{DWc4>tk>D+)RL$>RJuaEKI#N-21lS13DNkasjm)Oonk|;z^LVbtxh{V7>A0{| zxf1q!0ht?6MEyen_amAQflHr9lMNpmahZYL=NV9!b$I&EZ^7=~*G8ygKs&?})g434 z5}OOou6l9Hfg1w{=|Af}{q#+lxCc|n`}_q>EA@}xu_-G4Qwcs7bOI61@&r#Y4bkg< zZoXtB{84-$0J^Gj^{f4`ke zxzKQn^N)HXdqdNsn@xa>T!0!Z9Tl0?mJu~t9AC7M=d&4X;S|Y*fDji6~RHyoHM>&Su)5`q=)K@j@gyC?yF-^ee1rbC>a>^C=;ZmEV5TZ+)X9DXO z{B&ndy<{xl8GVrKZxxDw;PcA|WSuzTeW%_)e_Xc=?7n5Cg@Ym$d*C^?(}mG|6poC? 
z{A`bJLU_Ls9X-rmosgcSoAhYCm7fA0fxv6PP6Tm!@`vZjveUYs;;%Q{;`Q5>nmMxi zOO4VmeeOf8yAHDqSq(QcuorvYdu#r#&eQYc3gF%8*5%Hiwgu?GB6Tz9d3%&%ElRWyD+$L#>LL_kUH#Kyry&f!%KchB#tEH3NEYE`SXS4Ic|%x0YVr>R)TX zuf$KEF9sLjx1c1F9OWX(`Q=Od=R7KHMB_?Vaxjpx@>gJb&t@M{4pFa++B|6-pMyUt zM$Ed0*b#%Q00HEo2aXZ7-I{r&fBcj0<{KA=N-vcr(1x3;7Deg9Tk@OqQT544P7I>; zy`(J#b7CwVyu8CQ5AZIuox*v$E0ho zNyu!_jy~O%CQq6LKiRJF4LHGipvfyRV(h4i@qZ}XmyH!e=nIzN`e!*qia3ddE6~@? zbwEAj?m+S+yaKlQGU^%#gVe5>yXbv`#bNsLE~J#@rr#&47Onf3s0OeN%93=`r{7#r zyzA_RT*t@3GiHsq6~llvTe0tJHjc}r<73@OZ^;?R0DIeKr$`&-#M6=}K`AJXK#GcF zUikio$(#CZVE$yMLM*{VwyneW+UIWS^Cb5ya1PMxGW; zS|X2T2x|y~1m=JIP=339TKB#(O;}m`94@_}5SAi{YC?6$VsbeUiZ9p?>cv9e%n#F= z3jQZLZ>hc95UcUOAHp1~4&%K1{Az!kotY^Q=g{^J+;Df$aZ`=xxh`VVLodERCsPJ+ z00oW+D~gJWPQK=21)jGy%vgRX!j43q_g(6Oi#Av5z|80|IROK~wPtXgN%wv9_hizj zX(yNriKd6|h4~_0{cAeeFqYJ5oF0YoSNP}GAvtX9sbpMcFHSb}T>~`x7p1R)XF?ah zRvN8GInEB6Fh9#)Rfg~~#b}L)8P_kG$c>2bzG&>NTJ%{7>x7lj-6@8}Mpxba`%iWX z3i+-<`=fMsNc`uHo`Z8p*@A?o5OGq<-#PHvk28t-%};w{eap4RHNJ5bvn}C|%}ve7 z@OPfH9{zSVs zW7>Dx7w~Q#+`p7qs;Z=@cJH#682lGN_CROd{y+Z1%j@Xyuf8a=|8F>>`@e+7l7ZZLNe)^&Nb?-IfVXTpi7)wM zJ#6O=&<&MW0Sx;0K+$m`NTXWcn!)1r7EXbFul44VFsHqdKm4=y)6?7f=Da1IquM`s zV-u}2clqr=RRx;(bsRQw4sR6u6dnKN73~j3hPpD0?D3MJKcw1qmkIm4of#tfw?j_& zE$s5Y@?;TP2fy91e{Tuk#FLO%Tzqw=o{**?E+@1+;{V?v!jJP5r~tqo>2Jlh;^>BE zj}4y!;me}Khx34>2k4+bB76&>N4cl#hPFRIEjhv$u^oinuQmZz2`J1r0sb(J;5^vL zD8*YZ^_5xeUA+^>`bfG6-S}*Y7AGB(W??`N?}tYw$+QtRA&W6rJ}Tmj&`&IBaRfa9 zkL;sw=5O~eP84-U|2vVixG@TniHVKynRPd3_>mIu^QgbhQvZ6jZccgl@Jwq4Q#OkJ z3|_dG?t!vyVAsPG*|#gEPk{liZZ){~NkT)Xz*2wTSGS;L-t#CEqL)zjWKZ>}1Hkg*3MF*UxI_emC0{M}<@ z$Tbyfr2O&Uvbpu&(mzK-k+;1@+gJ(j=kspE`}rxM%lP%LwDy3tR_I+RR z>tP3X07GgG-fpOHgoNa!eZgJ81?}bw`ZwZ>S8~$9Ma+dO0pW;%SMGC9332#UM_W7v zYGSov7MoK`{f1WHI{gcnvZVUaz7%WIpG!c$_(+H|{5Lm#ZvS?e$;WaDL%6HRWc@b_ zC~q`V5~t5x5Gqegxn8Y&m?83^gTxsvTsQR#Ovp)_jU*{`#w{CG`Q}x8a%*p^mE_0# z@~i6!fFkJtj+|yDct`yB>4jXEm~_^y{PpH`s|Gf5vB?s(4RzCw*aHqA~Nvi73{80_gF#B{Q7{Y) zO+8*xjn;0ghBqZ!B5<4~7<8INou4?`2o!rk%29~jQ?}k`B&uQ|d#e09ZtjI0mip6? 
zu2Af?v<^~zvNbnKRj^v8DhklQ1it*q-<~g5K0qpq2tr!_fZb!wK?O? z6!2HfA0ezrl~MRxP}ebk2MnU$^8U7^2j!2IXNdH6!~sf?@2l1UDAWZQD+;Xc4gc|y6y3Z2MB z`Tf9wv{lK>2V0qTvZGV^0jeXZZFE{!w)gNrX*_G1$Ks^U%kw3+ph7Gs73220`ECj} zZ2~bUHr*mL*5=-I9#e1pkICbQX9SZu#S{|MN(OQ;I<$&^;(dJ4)4|2g7UMo}AyK&8 z=ifYOK}rn&Re5%MBFJ6+s%{>(peFkMDehgJLIt5gkE8DA$IBgK=bm;S4%**tW-!;T zg2=gv^Nn###))tA7P>4Mi5*r||nrBS=L>d_#+ zI7i;=owGL!yT92`^;Q4GpG`{qcKHd|?Sh(WFJz)--l3`zz$yj&+^}T#cG=tdh2Nqt zq+>8ygn=C)4$j9Zum=Uy4Ux7?w2tp@RqM9Fl1Hi1_fe32B!`fg%3V9ny|~lyoRajdV$OclXdR%zXPj_>SguuDzdYKfhS(UgLw0 zERyh5>$4xYu1zzrk5%IxMIZ_)su%ool~1A)PP=DnB|)bqiOv=%@uVvHE0a`llGX_T`aC5k&R zSp#AK`V|XhNrCJ;*pHBld#W9vRxoQ07`6-gn=(l$ z0egF|Yxg}r-Kl8*H{`2NJ|*?Vuzc{YDX+{-x)oS2vGFo&hP| z7p3=U8)x$c5s-iTs*`{}!BZvZeIc(B0-uVT!0LNV-oQ~;k~YJ%cMf>gPdW1Fn>Feb zhU$n<-zJAfbO1W36Tyi48WUw+T;S=Jjwp72{f;QBf)W=;BHBTF>q8mC&dLXr(gaWM z*oDU|1-dfR)zK%^f8P8Sy%WwiV+=jPNxcvNs%~FWQrI3U<9|1y7&~F6w1w}H{eDg0 z7>bk3RKP>FOUlo!nX1hFu9076Y8vdqO%O62v)ku(2tEH(It?SD6UPFk{)|s$7^5Mi z!v|iJ+$J9eLq2#NLHZNvwiJ@+)5NTLqSJr;zyP&;D(u0h;=-}|&eNaOEp`N1@;yOp zo&90m`W`{lrRK8rtVp+X)FT3mP(@Dvwa?ZAp`P_y>a?bydrw`>97WVk4?OcXvk|JY zC+C{J6gpA%Y1U$Jh4c-D&(W;s)2BGrDj6wOPENksSLneC?8&PRHM`_-sVVeP+e%>% z8V%ijQmmzUpxa6^+b-GmyRhl2rcVdzIjL2Iu&XJhdSDMe!yj*mZUdD)$* z!NuW0!jHhQk$EJFO_Pz5W(`NRA%=vB;6fBgGhiWX8lQM@(H&Xb)0?e~iWIjT52C9i zhC!!%_0%epzAvU84Mki1PW@Hi;MX^SEB21!o3%&ZgWm@vYreNm?Bt%`YS2~{e@F9k z^M(ypuVgPoFIAGVB!EXvL$~uI?oO*EvbuAqpl&$kN8%EUX25t9Q0y4;RcOHLn1L`& zZ>yJ~-e#x|z$}{$hXHlP%@U+(+UCOw2W1vY{UYh$QYXE#uInXdUrp(gmvXhC)KL7V za^qB^y@aX<(`m@nURo8M9K>ufPBINr6xq07GFh;LZR^~3LuIg_wbAtXJi?eecf}YL zc(cgqe$iWGoaerYtNa}DZ1S1jYh@bmMeHk4z4vV#gMpb=0+s{|%-1#gV`gD-{qe40 zA*S_LM>v#%xFkRD8}7KRyjay|&RLmR?twmj=Of)>6Sl0%%LS{`Y(? 
z)r8m2CY$_GD58L|#Prc{HB+nQga+i2qvEr3hZcXU-wanWn$PPS9{d*}5{-^%2ow|z z;RJOv|FOLYeO!w|_%Wh598-P|m<&JoaR6)&ifje6K$z;a+eX)yPU?Q+8C|Mj@{u@&Z!1 z+9Z*0#LxdmkOF4lSjuc}fv1qH+F)!#m6txqvh-4D0N{D(MWS=Y1(crC#Qypx4dV@s zbF^4r`gH@@*p%-)5GcufUhOs$o6!k;Le8lt!d$rdHc*@RJgx;vY*DF`=K#gqKt=40 ziE%w?g6gjuefdUfIH-Ot-3mN=B$nD5e9WrT5*C0muFQQYazX6&+z!`?g+#z5~jduD%|+nmd6OaIf6 zJAg-EGNXCsn4qXEc}fBL6jh*nP%_>SWWKJSnT3hzPE=fk98aMn_*^Dii)l?eXf*uG zrHdqqBlQrj3~uHov&1kU1LX-i8HKZw&?8G~AkLYkkQ+nM5lpP9h1=3c?ysI z<7Jud6|-_xLv9(6-;}WCC+(@{)IWRJ)Hoc|mcS87`=Jd)2%U5;sg@E)$Wbqdf;ULV zugaFf(a}48@!;0Ap7DaoNXf11p~-z>bBKBhoVI|h_*k>~_3cP36c4>=X$jgX8`)z$ zBhTqul+M77w$wKK(X4*6Gd+g8;NgncQ4KSqrW&sA%z&*NZl4Z*@bTd3IJa`*nxc3q z^Z;JwkUMaGhLWc;O&^kx>IM12@$r7r2kfUw!MA$>-$<_Ke@@5znNbet+T& zD6eKw)56Jlb!Y8JmN)c*-Sr~^6=1s~{H9(k#9(_38`ULlYnBh;SaEAY3^uZ{WtH?j zt=`%1y}zg29R#;3)Qjn~{8tHYtw#L8ei@PxuEysUg}N<-Sh=!Czk;ukAVnk8VxuI< z(w6{HJ^TjA5R4XT^y{G7|!s=OIB4E`}SZ-V3Z){P=$sz!^@+ zGr_9JmxNA7F_F*ZEW7X6h*C)Vl@KRd_hUJH6;`|P*%P*@$=@s}liyaeberox&e730 zff8h$qqE+Bld$!4^tcc%m+7jJLwF*&k#cXjH}=WGWV`fUPCsp@X$}#ItcU)Hk0&00u(1)398j7-HYsbZ>7o~8OnRCE8* zzibizxEokbPYyQhd`WPpMl0d?6$h&42b16#`JWPkDB1t5D2=49LJM#YxcO}i)H?)z z#^3S(*JU*!sQ#Fl9!)00H(mONwO!GB~~mWJC-|v4c07fQQM7?+~Mvl^_O@aqAv?n zsw{~PY-0OOwq={IIZ0f-G4M{0<~Sv*o#rSne9Urkf<{G`?Gqm{|uJ@a3SEM*@Rs$uWt0ft5}*rdncyBgaO>egSi?vliO2C zG!cG@THE2TKW$Yrzl4}wdL`7{D&bUrvE%>?LI4kP{>gg?JGPF4t1FBRR zsc<1j|6Bok4fl&pX!z6PbsVdd;QmFkp~!h`8tqq9Wo5kdoU0@vU%P2?(&+9IAKq=; zwEdrcr4jwVv0;0o-tY7_-9`Mej(XiS>rU$q&%lM4uinDukv*GxI?+HiSdeh=>Mzop zNF%4psKwc^te(`K{V(q1E4Z85y}9?qmvUzTC0}{lFPF;#V;+4>dcw27YvJwUR-`c( z4@ud%dC+7-U|#sREl!v30M)R~h06Z?)@O(*V)x86IFnVCuThTA0dTP74H`vhXtjriknmmSqb z9_|t20cY|MFN5^tWz0+_NvVD(yHjzR=rT`^x?!+)0tzn9c{2k+ZQAQ}i1j0cPr8W{ zSQM2^k?53>T1L=oZjA8Sqgr+P}kpUo_6* z5xP35!R?P%iEH?vwlWK+xk^HyZ2ifBE%v=^$A}Q7vn9gK8#;l0Wvy8!?R0hE<#pKw z=6+(ox*T(QPxPCk7Ln$;ghCgz9T6-mY-$_7&?x$67p@+I0e|nYj{DC4RU^#M0fu#R z2L0R8V#&D51K{6ww_AK=FUWqPWmHHrt0W}2Lj^nbew36v0B!)|KSB4gFAh>1Mh3WC zll?#Ko3|t0g_;jaGx)$Al7$Aq^~t>Y$d4#4H;lnBepD+`w 
z+^R|U_GyG`$ea53(AMC_srEhN3j=|>S)##Kk@OgZP}^%ICG)N zO~J~Ol&IhX9Cy~RwSegk41s25=Ju0?GLA~3UgoX9%vnkW)^P=>Uj!aCiyHG#udp_J zZW3%8&=F#)Xt0!Zbm$5O?^YR`$10e4z7Tf$%)~x;2E9Xbz&+n58Du^uuMWovPiPp+ z{loXcQ4v2|*P<05%+DoPhJ07#vtl8SWOk#w4IX`|npE&5u+`EUci-??po$f?4z5nD zz>B?0bHAC;s{-ub8n{{PErNVKs0mgY6%~&_ICZHHALI29DuS42=y7v+M6CPE7ezeF z1b4Dm0{mNiwGo7iy*9(cX}TZCD~E>DlA5eKxk9!x;vbK?u{eCcpuS zosgRa`_ffmR}-vz^SU7A^R76>JxO5bkUdWz_(n?VxnN`pwPDx^Q134Eq4U)eQ~hOA zvx(!wu^ILlmAqY^o}fz7=ysI5yXnNxZnAue90%w@Y*~_z!{6~_H;@cmJ&Df)`qn0b~u-@5qqQJr(9VQ0iFk|j|B11t3!yf0QVNL=Fx3Qb**;J{1c&dZf zUEYFu@bhMC{JYKnw5mXFJ=e#dUKf^4@3kUZj*LwFC%!m-L^jw%O!+=dV+Np!mLSeL z_D*J!GvhbkYE`wT%?2T zBKYD$dENhwT=>XFJ=PDub@S-D=x2RIFC(nOT_^5dN8W8AhFIw#ZFdz54WbWfG3QO) z2my00|1PbC7kOQ6P6)|^evqHUXj;_r0KGU;EqaZCYwPLA97SpBs-^iftTc9>1cLYt zcN2jbNFsuNP)HlFSeEjCkpJ^_&2yOhi~q$}-@eV75u}3#bMnFBZMZx%@Fsq$^$I_~XhyPwb`$_;%^@}yW zv8rVyFBF(QhW7pw47d;208mOb=ks8C{MNu1MEGz~D}B)C_zKofJCM=5Gl0VEJ7}A^ z`!zFNzAuq3ceT~c?Vp)&xTPH;_07$p0=Ort!7%4E5FfuKQV!m3;{mf=KcGH84xKiM?PXs!Sq)>$o%wbtC}- zPlnU&n5rF~V1O2iUsGhG$0p9aL9zBI30!Y6(KWt?e9&K{*+4V2A)G4eBPB#XM4WN<6?$OM0ce4Wk zRd=H{Jv$cg_nj!#Q}JijY}LPSSDS8CC=T!_wR*zmTgfry;!C0nt>W6Z@kd^%hLfsJ z8<2dadW6m!7oyc^%f+gk?VMaA$1d}-+iyDvmEiY;ZJ+(@M@7d(?d|OC?MnsK+E0>f zqf^n;UW88gPyRsIi(lqluz`zD#z!$EiKI~ag`@d`+1K;-&Pusu7$|f14a@*4Q-4c( zGC&|SoCA1)egqAr$9yS1S?u>S`)k_hx{?z)=up!#k*<7apIalg$%5$ZSC-I za&iVf99TCHi(e)GlYG3@)Ku@}#_NnZIm^k(nXg=E_%!aj624b1nMrmY1?80>%RM*< zcwJTYax#NZwEdTh*k=G-avPKr91Ya(x5Ir`wdKSzNimhWgEIlQatZ} z-{imLNVw+kdn_bz;9c;ya4F7tp*M0w(i@RB-Y?KUz)Ryd%ngu%-e(2Rhdr_2TWOk7 zo$ZxB<&cD+fqr?B~+^`^S-pDFq4 z_ZPq35Pbii&wmF^!8d6h#&?Y~q3(7)lh?3#o(=G=j0R@eyK$eEpD#J4vQylHY*r#U zDv={-mO^qe1!4~j?SXs6KD|n!pNFz@Z|2+CPO!bNcJ@5vKwg8J6SzH8*pUWMQ#iju z(qZH%vl2F1Y2A9%ur6MN+_s9W`Nj)x9C}}asLD8=$DoxyLIZ}ORHg7|)ed<37HDJx z|0U;UQs(np)})%XdtTJ?2MJ8#_@3tFf6Yy!lvjj)>WL@tRVfU7&+pQ635W?Po?=y1 z1$5+|EoB@j9W9G;UK77N)eStoM;REKj?@LSfNE1dL|a1eDi~HN*y=@Cwu)qR9^aH_ zYAps5S`uXR@DV<-Z(Du;kFCSrG+^gj?}-Y30ku!qhg634OAXO+d+9RbfFGO=^$kT6 
zF=RI!t5t3?ExHkdLwdgPM3Nz;CJ*_}~xf!O>WA)um7-v}Das{aO&@^95HbN&b`XNe@1SCBd0vF72g6U@Ak-dQ0 zP;0q@N|8L^ReiLi$Wdj3rvSeI!@Cvlsaf8I0j8qbT9LqE?spVG9#{eOD2hRs!6v!U zD|57*SmJJO@-xy?bD{lq)k(Lm{Mm=mf5N7DEtH(z@IF=S&jZ^$9+(3(!E`Z|X1`v^ z$2+ib4@3b574fGPzqP9O1gItln6&%6^_b)ZT83-5OottzpH%UW*ZVMgRHLJx8Yesf zErW^)2N%Y^|6B?vE&0s@FM4nEO+0!_3>)lb?%;~l>K9W29>93JK1t$m{~wvA$QxEV z#`W}W!GF`tPQ3enJE=|mPKQWBT7t72z6k~y^@`BH^oKvz&xDfw!mm zi-IV|m&XFG%Z7ilv#C21-oY)IAKTT;dKKbnvwc>4<|t|-7TUUtGGK*;h5I1D%*e~l zJ#wng7RjCrFKUQo$lrZom(6sq<4$w0iSWn0wAut9C8fKs*(mPPSk#BQ@dK)xpp3~Z zYFW`^#U2P?v^3*)w5TV}XS2y^hQ}e~OQ1_iR08ro0dUZEcQ|>^{S9s;5+we9rlR|( z-S!`&act4Q_vLRmF2S5DowqOQ zdETa;SWHhsiOQW>tvW)|;|#cB^X2nv&v{S$4pq2!agBa<0@Sy>`^jORQd5t6+g$sR zZwc}-ru9!lN%1L~q=>QRhQ5Shb;WE3N7+iLW>hD(NDj{xcx(`UvV89|J3)mD1aGWe z0Uq1+4rBE0oF!;x8kKyMSL8vb&+M)z9o<(kgg3LbP4jE(CO~{X?bQH@=#pgXc{s=i#!-ggQ_t;Y$ z>(ub7b!&T-;#x#gzt=tRRcAX$NU4thk%D^ z<^#3Pa}931xY!~9X=JU<0Z@k8vSup2a^;lV*xMJ}iR>gvZ4Ue+)1VDAO}rq?)MO(g z-39xS_gp&dP5U^_ZS>|+VA$7@%e%>xGKvS3qet*Sq)@FE1O9xU2(HFe!>Le2KTQ8=zLI<>)kC6r;m;uc-c_B+;LzQ0No7 zPZmaG?0M`>(>BUwV+wzo8XK9EAa?NM*r}$qY0V`H?vb~cli`3=6C3t ziaK_dHU72T2VQR80lbL2i@DxWUSuobUhK3OhGjL!f|Rr#)7sPyb35=Nx`jrXxc=FBh!G%^qKEU#e*oxnpO`rCmTns ziQmXC`F`5Z@sE>P@tRxrl~V5K>uTO;B?XLL>Q?vY8ds^RZwE^SGXbOd#}4G4*Z%iT zY}=0W&A0>omWPEu3OitN&i-E@^#-}em>MUhm?&(0RD)zJC(F_LFi3G}6$3>ZxkuHY z98?&)2UaL8l>*kR%(oVF+n-TzD#<;We$>X(yTc#a3v(KO6kL?+Rf&lI+OPblal^nF zWf%NmC6}Q{rD_+(tg=Vffx;gbP0NTlgLfcAhuNzdn=x+PmhKDWr->m}B4gPXDzDR#H3VE2#9m`Gd5?(ESJAb}>V77=9>l70Z6-X14O$ zS*l-xzWJ=}pdqBzC~>@D=POR!yVIo-~M{zm?(Z(|W6A<{ps zfb3HO89u-6CiTdkblO8HbI_RDW)D2cUwOAP6Flj;z2eeT(7r*zA9URL1rYWj&;^!2 zRqK8Wf8xGv+3c+42nD$nOP5N%p+o+hapHX@jU>L3`M2cOY=%F{c}Ipq$TFD@qb%>E z%nExa($bt;kFg7eWm&uAzIghFm!X7EQFq~}d*Xe1UDhhEH&uEQ88qG{T)ix>oIdex zcP`5$QM8t~O1ADWdBZ0{9mZSz=mY7)IedQ`nrXW-&DVBBGLF7{t;DS26k@yp?1O3Q zqY2D=WHfw@t}jewM5C0+u{dN4{7o8i z{|+(4#U+zns4f;;Z--J?!)efJ7_(gSC?!wl^Xu(9;A9-O7kHSS1)rksw=Y`a?VXSN(MptUhDC1Ao0InKskX z9_qwvTu`}0udgG=83bP!S4yBL 
zj6WBq#pSSWF=g!7pRVp4=6^-T{&?EzrhvEVJx|?9h|>X-=bw-l)E)E26VY6K(X~lZ zh%%!@%h~Qz**h&(5#;63DBPCw@Bo`Q@gO(_b1hh36LFno)!=-udAgc}4eM6{~)o%@5ek&N6IBjMORHZhKt)EQDP^mUTn5g?SS0H8$LS#B=*SVhM*0 zay&ofCDOi<39d|u);9c)5BwQr{(0pW=CQ=(O@qJ#5MW!)&dC$!b3D%ngwiEVO9lJ( z3ZTb&I*90Ph1vTKflSy33q2Ndo>WM{Y;4NT-f;)LSv4KV68eN`Bf)qX68x5e4z~An z?~VV3MKhaM+@*xxs+DTc>9#$!p(y{EYmEiI@X-u(bS(cQ7t)E^s)BGx0I15jO=O{# z@@x#8MXobu0UG7_sYn5uPS(xJm&^yZ^FH8|;3~j6I&fKtn`Kofp7dME)KiAC>RyGrOS*<=5sKLcW$HtIAh3 z^qoSc$9%xt=8=}2K!yU%ifCu}m$ic}7N0N$i?o=@@Eh%65X8U;MsVFbluE~Nc>I|0r&SIq=v!WjgD>)!{%?yC`|kblDI>2x zota5qGbr*{PeGl1KRK_qEtsqifsgd2X}**Td;B-Ws8xeB07E+4T8K`>6mDOQgI9+5 zXcTbw zDv4#wtE&_1@4P7(xt4W)|j z)MDPgogPpmC3r{BD^AIbSe2o1XPP!Euow{E>*&PrSm|8?eC8~5`- z_N(W|A;VDv4OHn4^v3US{>@H~Qz>~#!HNCDJ1kX7o~p-?i7qi;v+Jb>5G5?uK6RLp zdVw6J33-1nqnJ(VQTDSMk9XvE4x`1mhV1*Wo7cNTwBIf9} z7DcT!q!uI<_wNmA1FwHR)YsR~YvhY(EXf;~E{AZu6m+OP+U_PL6ViLh z_pa4|2NYfOfHoQ74ooA+5-LhG+m1a`e*>YRs39OJeNOX zsU1(8RQ5SGNd$2|V{BPO8?L6XIva9F@{Nk4yC)h0D94maMB7P@$WYSe75P=Ua@WpG z;XVWBGK#C|Tu>Bkf$#eFPX7>UIUz;z(HyjUuh7=8f61fJAdGqXYmuL=w(JN zU2o}NvZZW8i6+!FLM&$#gIEP$Ctf&(wb zwzW0Uf7L5qd>k+GB`m2O2?DRB6+r`VFPFE^gB3%4jw-4=L%4uw)>ytK&1c?xJ~wkOp|A|C8p@Sj6kUWxevjbqzOrFBs-Z& zeXs06&Z0tPXRl#)o9KwmVv_VQ*Ly2RF)R04lFxOoX=rRJnzAFq*dr66PdD5na*7~M zw2z+A_zVVGFOKkL1uf*h?Xy+Cpi5*iktU6IqIeLI!r^|VHw`B(D#Jek5c@*?-2DvH z+5Ueyzhv7W0cE<5_f_2%35n8=s($(@_NbTY7w;--s>Vjtl{=LbGSkmx*R&koBN_Wz z<9)jh@+9TIiAbIF3(ZhSrM^^CkJHDn-Zy56Tf{KTDP;DexeID}C6!B0crDaKvn^XO0l*XdLA###gT5!omYGY?B7fD3(^&WsZIyO8@f^4TK+SBqnym&>);v{7z zSJQELsBVC+z%%m!&pcqV)N&fPL-;2nu5LY^1}&ebDObrRZLXxf##6u^v~_TS;ql`A z(jblBVb4yF^FQJ$$(4{I7x{X!7CuXe<#fd~&-3oeFV;kZX3;)a_>6 zqG~s~1zP=%s;M|8NAn+DPVO#%AfhprRO~-@cu^@az3AAd6_NI(8u_}sR}$FB4Sk!x z5#`EA&R5tAgQss1sK+HpMV{w~k8zXh>cCRCpSE*PwD!W*m?W#;(bpoNizA= zi|`RV*#J61*N&atE;0=f5?Pt#qGVCG)$kUNtv;7|(&`N+r?eqJh`wSTvK9=nHOz$Z zG_SWUuOV-&8s!QE&A)CfUdG#q!POj_3v7zxs=DcA08mCdCs+-a0YF|3flnIEcVD3C 
z-dwFi9u7)5mD9>9b${CCB|1@Q^(;@p7>C@$~a|g5Gd^UQ>s&F!U)@47)&tLU;a|rPnWwPrT|7IfW{jV_SH$m^6LFW$NcyImb2g)o|W&?VmdLVsXg$l=FfhyIN`;AMN_YzKcD}se>|BA9q~txK<9ZIRQl|0O9!i5k1baWMWH z7}dI1QQhWwnaZp>@x~z>dt)bH@uaC>4fdjDpbqd0;43D+`ja@-Ny6Y|H&!n0ck?F? z=@#a>J9_jF{{epEI5o5i(5OEbloZmN?^(S`hQsijEb7bxAM{IFHCdB-!rYPd+yZs zn&Tg;BiZW#kXKqPa-DhMyJUc)lA!*$lk#3cDT{BoASP2}kT<{yg=YFq$Y(n2CPvw> zHX0${xIv$n36LmVPV_@3!8F$Xy9U1qzziLl&=uYO#3%LY2F@Pr!3vVl}%WW9}F zG||R~kqu+?(6q0gM%Wasxst8F3D+e9=k4!S5Ls2hsQfVbvmh_iaJZ5w-j=UDNHpw(3o3JD9u zVo}S<0+XKDYruTPhC|}(Rr_(&)kzATjD=ks<%~a10R!RTVuvoo8ktKf(ACwww!|>a zLe1!9B$zysfrcvRb1w{b!p|u0I+-W22;T%%!g$XRUfN(r8(Uk&`2zrBNZi0Z7@DMH zKAZ1%`p4wiB-h_TM1a4U(s1-=v$lvE2`@Q8dQhhC$t4ImXu}Gn0vu#$(=__dW-b1X z?NpfKg3RB8#Up9WErJKtM z8;&yA`@dBiMcpR(CzI6I#B*8Op^;zDTaTABOerZXRDh*$p`{{-%c&TdK{vY_$^nje zLa`$KT<=98?tbO<3@i=uU;5T2IfA+B2kwQAJ{>On+WeIAEPo*j;I|(97MQD%P4wsc ze%hw{@sqG{$iQId9(Jwjv;Qj1^@}yI3ez*@`h;C8UHvb1K*M9ObC44R>~ZrTewx#C zAH$lNzUBq+BQi~H7FwVoTun6vI`LDj;onvFxMqD{#4P<=>ALeErdLg&Zp08=j-_rc*DvjRNd=lf}Rex zq|6>C|Jm-u+%yE}85JhT4(zzi8~FHGA1~uenF^d9YtDZ28D(|q-*7uwwDhq{e^j=jpE)v!e`s&6$ zn~*}OV=(;47nCE{rM8@W&DCR-w^z4cawE`A9in#kArfWPIV@ma<(?muuAt7?q}f_k zSy=eqfjr!$^VfHtPDx~jzG>L?e=nOydrK4qZG_*N{nU`sCD=sWAC&quEqmh6!g%|> z-E}pho!wpfCk=MpDAJLZe| z+U&hcwRnAgyIcf`$s?~rAI`^?@ZUx zW7ID-$e!8VV~AJVCq5`j=e^jt6vwNFksmb6AsuCZGB40qpEkxRBP0>hh7f(kjeTa~ z$oc0^sd)sBO>h03*5qH_eJT%l6luUqc%-QJ!GZEMpNM2~YBBL^bT!?$czPewU6)+c zg?y7MJe_^{4`UDHa^zhFz{kzTjRdtNE8GZB6s;X*bg> z5SOtgXqI!Pfg`hNEJW+X;c2U0F56;Mpx5Dh`M3Wdec9F%><%|`a~H^#zhV=PBy4|OQW;tpAt<_D7>$6&6Co`}7rvEucqX0ioW2J}59Z4f&DPEm^Rs&9p#W#vEV{P#xz z50fo5^o)PHw0`|Lf5?63Ib9LRXkFS6yy8CDgZAI@=O_MPwU4K7rY~>V%$Q_?Ic-0pc@u?>y+q`c#O1h@IK~HC^Li04p%meR>4=sTY`u(ruqI2fGp^EAu>}bJl z1uCGG_&haPe7H?UpC;m|vNOK0hR;ZK3zptV#x%NV>SsGcm?Rq2og*L5W|}pmHW)u5 zQLde6T&3raBRper!OR36ZRp|2t_@jKG;vdi?#BP#g> z*iyo7_?R{X-sAR75J0zil|H33UBeaGzZXmBEZGk1Tb&n`89Wl5=)x^BO|gJ%#R2fh 
zIqcEZ?5QW_d`y+6LiW2)P^|C0=9SBO1f}3d)V76VhBj-$2T8RzCS&CJLB}RxNl3JL~L=xY_Ae5n;FsZ`tz;MHv;84uqEhAHWvZ_2bFscT*%IP=@JduALOuQrY8pzp`-}RfJB~1gaciIp*;2#zqoV?gZUCU=B&iVjTG}<1Liy()wJ%AY47Mv>2@%q#B&^+sF6@^gev3sZo8#D62BZmxh$aiXxu*D zKe~-c*1ci;S`ubLVY2~WY{}Z%=ztHU%Q?N@nkEe1zH+NW zoFt=`x>$4mX#ecOdcb^+ES2FRu4;tUi58r-MSZ40uL5zeZo`w9U3C1;T0h@;Ktr8B z^An%*;F|kuV5OCZ-omc<6PZvnV<-)zsxRlwBLbCl-id&aT&WOP=waOba$Y})7m*vf zj5lem##@qES6gkOT`Kp|P_+Z_$Y?%B zI$#>^U%$WXY`TF%6SVpB&V)>u>$}3f?F@=N(6ptwz?lZ40 zDbvL83tIDY>}?k>0&~bLxsb_`9pG&VTHQ$4ei3{E1RD zVE83cQn(HaZ8AYzKz5dO^dW+~LAsvU;QjYLsM@e$gS`bL;G+|?@o#VajXeDZAfDL$wundD{#P7oZXZ`H_Uh-;27CgU^>$&G79&A``RCyP2V zDpp=ufhh#v+2$+Yz}jbg=qnAsLHF)GQuu|@6o>_3N3%%}%Rd@ndaH#!#%;Hnu{n9T z;I&aW{2j92OQvGbh$5K(TpRH2yZ%ym^s(@>Ne@2%;3pCg)6uz3W{V_t%X zWxg3cVicF?f0U*0{#U9;ch)*N(uLL$#MeK(dj7>1RnItH(uo!wyLvfc{gZ;JUAyjz z_1qjjz5=Io#WYwFviwb-KBHp2`I-9pAUUtV{5l+A;p_0FS z_)d!*D*qlIz@hytCoF%&mrC1XKgs2ItADs)J}pSJzoN1t#tta@i3!|6G7-Ofw;s_f zu6v6};y?e~^L)0`6H>*_1J$=wmXS)=1E`G>@r9(Io%5v_;o$ zT{Uxs6f+*3QMQ5Y1PkP0pg9qiLvB?9cU6;X_8)zW_!O0?WbI|pVzLo_dk?>u5at{iItO`6Ws;N$xuH6zy0<*RdeUh z6@8-pq~#w!7XF0YSaI%>lkJxjX%7lBBg}thFE(=F1}>6@Y3|Hp%Hdy_|B3d~>B?bJ zh)cgbSd7KlxsI_IK5|C7b?c_VE-e4kXG|~Ouzo#HNs-7G!_?0jt*`Cu@7J#%r(es0 z9^Kf^MGB;zwy zG0EkxReXaF?SJK!nN{cu2D#mT!-o#X#zG2+v#Ma&(4m>BDeC`|sxxQK)W-&o+!nqR z59@zZ6nr5*&-E|C{-*e%!NCQWOq~t6EqqZKo%qm7i{JnBcpLaDu{_i2HLKmArATnh zF-K={4Qi){@VQpx8x@^&^62c7MxB&}rG~ObpNv1ykRF>D{jcSJTlUi;v%qP#GR(v8=I*!kMG&N9R&x>(<%^?zXE8L*m|hVF;OPqA?fw$9sgY+$@v*R=<&if6ztl)omVhXqOdsURlkBav`0Q z@yYr4lZ(orH?zk|vouqGajd>x-DI+zK*Df%?DXQ@_U*Tu*m0sXOyP}GR@OD-<)(%9 zXQtab2xt_X-m29Y0mZ0>EU-dPMX>S>E=#})0p#=c&z-vwqaWDq9>d7N zhFICw+Q$5R%n^1@#WY;r03m)!NjhsIaWI;H=;ZU2l9HDGP*%V6hw|DU-E%olMl=#g z)ulaR<$ns`so`^^q^3bjid4l~8fE-S7UGBY``RSI|71g;WCo8R1)Lw-#8*jU7D581 z#>AE^UV^eE-IDOR#v5Z9uyF)U;gurL_~G`v@Gn`gPSj~M_S514@1%)Fxz2o>6O|2|n+OQu}h3hdiuCYkd&$Q5TI@aK*BJ=)( zFe-p$0rCbNa6krMi1GEFi!rOQL}S?S|Mu%|<^R%>(kM3{F{?S!;1kQ27Vtm)$0xN~ z3k)_jfUVd7KGqbt<5(2;Y{8u9tk&t`pX{TyRwLA~W 
zsFE1i7z)6cX>C>1RDVDg^zdsUpW-B_b|)A4*!*U-AY6E20a<91Mlc*g29U&1%w{8@ z^}5f0hq1zSo3#4jYoK|9XaliIGGXDFJ|im4z#tS2cQjbK1w=8}a9R()gaI1tg5S$p z558qA7<&8MafXfMp*NeA^yBD=4F6Q z0uR^$f_{z~-G>{DEgV7QedT=!cptS+qG z%6=yYNT?&}4>F6uVL>my87lI>>j7Wa4O#evu;P4gibP0Vl|Q5 zs3b!@B>YEyi{hHcF09jqPkW`$9l?EQ7R{e0 zBUU${@K69~G%G~s)#muMTRIgDuy=b0yS&)&e)_$5$#D44?@KWf$_q@Z{vrDXVC$Dl zhU(Oa^x)yiQ$m8I-Li?hngj;%V`8^0sqGvOD39SU5j4GsDfW2c@z-reQTJevb**ss zK+R>Z#RsUpV{ryiT~7fJU=2>BoB{^#;GtC0^5kdpdJvFDabCiFr`1TVf-S zC^6lTdu)adV0({G(+9zAGbYxNV!X* z12m>hHin0Zhy7X7H+JjYA#&vIDhT~&5`t!VOeJyG`FVIP;m5#U(5FwoxH0q?WXbXQ7tKAr?NazZ zF;*W*^3nH*CvfzNB}-A9(i{ff_e6PTQ&T{x8Ls$ zHC|Jit#b$oirg>OY_N#k#o*%QpyinQx=Vp|_m!18!59VoAvL9%Jg<9wL}tO`f1JMC zSoVFmpMJHosIZ?BAsFlfz5bEJf;AyDA+6n2KC}ZoSo7TD@J8iG*m`<_4M)9qMYFdJKm|p(+>1mRWI6x@@>URQ2 z0;qm2dDAnmE+}fQk_F^j#%5)G8Nn^f@yF6vF=$} zDgyYyS%~sYKbLs8e1{#im9dICE!NRN(!^dKS11s<1oCXVPHBCBZHAML3?=~1Nher6 z!}s#Sf+CpFd)OLUn6@O3-<|a@GKCzXXIex!5!f=J`H8;KBp(z*`iI_~U&2ncDL^JYp%EPqhlytW&l>qJ|^92}%PLzHx2 zktc(xkUuuV+nk~S#;U*zQQG}yW*lb0q-4%Z9AY>x4xyuhqhotr#UvNn?R72ifXi7> zC31(utP;$z@Q&-V^@HkQIYOE0Of9y=_>0gNsfnjX@0YP%G8^aoydKIn;sAKh=^o}j zAm1A*lULz?u$jG`OfPsCP@zCVwVQ|x;& z63yk*vAYV@%0Rtz@+Yj@2BKS2v!2;6xp=m(pNozC(08XSLq9RS+N_e-jh2=%g=2FA zTbG^^B!POvQvaOW@9Wyz=C61v1Wz%eZ(UDY-EnfV-t6w8?!a(sttish@08xh!(DiL zIhYjU-oFUwyajAxH?;jkq>$S+M~HO4j%&RPVHqzMY5fI)bj6naNLE+?^834D+CzvK ztS~1cAsugSKTwS;m3t{X%?!b@Ad^+1wNa19gM78&rsB1FP$k~N$gIQ0|^1lYK`PMYGk2p5vHfDAXhJSAXk$P0y2n z1!OvPnhFxxOZ0kr^+JaMGB_^?&WS&Mi@LxHj|kT-D_ym1=kL{)MHXX@)@wra)w~!nvS)rOkrCgW*<*;gEZSkA%hcE9X6}xuGM*sm zmai`G8#}C9R^#y?r#2xExgS~Hg^t!Z7haR&ieC=q$6S0|ia!7!r?#|u>C9NM!#D(o zZMD?xe)98ikj%`8>EJw>theQpbTNxMa|1~GycaiD&yp)I2vLb|WlO1Og8I+^v%%N!}v5blVjAdlYkNEp&T4?JZT{;EFm z6qRO__=i@?i(6`pa=!zWhf1{!$S1!W&Zcc(%tXwLUGfW9gNA3Y z#{41RvQJxtg~(IAE8-?8!uVmf9q<0h*c?#RuqAHu>*R%v&NjMl z13SsUItxm_^es=r9(v9$<=uM<3imuV)306jLEKwXVbaZq$c4=_ZAU}s_avtM|cC9!xxwlkTRCmr7qmMaVAaN@+ zavJd^H^_ z&bW4dY`L2!RVe?B{o#*1wj(KO?r40>WfFOTR=@I`xd0K`%%0aUG@nJw@AQ+Ohv(N; 
z-28zja7d%0U}+8|v>)Vuz)Adus>FADnQ~^Pa{&rG$ zrH#~RpYE%yZ-4=S09el@u5Ys@1DpiU(z*uiCUH4|DgHrGIHWZG&`B0J%`b@WfkXV_j$oijp4_tQg0)$Sv80m*c+y<;T%xY0&H7_STCuM4e zrW7L340>YOJNVT&x`1Q1_UFkD>Wy%JwN^H=0^YAmKM#!=&5Qo3#Af{hOa8MG_PdE^ z*oX7UiqWd5VO;h%)s60$R8Q`QSQ*o_Wf8>bn8I9k+1q^wL3e*=U+}0IzSBr2IaxFq z9(!G6ugd7IbS%)amP42PA~w&3(k?;*ZN@YH-2{A{<@rE(O%U^UbHnI1D(9VCURmSTu zru>}ut-jP(ro9?x&U7FwoeO8$pwQJywV=r@ORsU$-fruSb1l=6TyqomFa) zJTf_H2fIL18Q3-q5O`pnX-^uQPpVdT4rSUm}3(-Fp5#aj+iu5$?HCW1uZ24#w==jPVt~9$5T@6<2;jq8{*h>Mo0%!1>6eCDD+jQYnu{6M}m5fI& zQOe&|ClHdmOBnR-M*9@MGOTs!(O&WHoC$aAtZh0z)?bvmm!W8nRkdlo zjaqA7ZrA~_l$8#z`GlFEX=8akPggGS>r>$l&y$MpGYiwP+3AE9{8!lg(e6WeVcHRS zZCPJxTrZ|BM?$*4BrsG;e0mQW2&$v?*p5*|qqnmbl0io^Gqa2{OB(63Jh(m~k}n3c z>{=;+Cf3EhFW_MDgNE3%Ro}TyoF9C)ni-`kT4~>rJzip~WFpB_CNF($uJ&){{{zDv zzx}+a#Ue9X+H_BQT^yd+W}1^P9fG4 zuP|X5Mt?aP@kq^J=ObCep?O|-b`^xwp^&8ynEXgl=cnwRAexJGSo>+MSry>W- zU)q0&5ZNJYWpnMkF?>LSh8nZ|7W5~w#UrG>4>`Det*loX(Na~X8v;AfR>Za(&^c_q zUEB3jIaeT$G;+c?Wy{CvS7l6Z;X!25$hGEW2C$ zjBp>V;i=9PyXz(Vhf*ryI=$pK1Q&jn z9gFayU;~d^a_tA|8)_*mEq68DaXdg!|DN9$UL}t1q;TmO^d^}5o-dd)5nJ~!QyG_( zU0yI$jiDv5dow{|Jrjjytf`&|($zw_SY)^IQa)Z&oR_8wFduJ296tHz+@k8{*!3ZnPL$7&7KJ=+_2BRJX6gQy*IJmUAGs?R2M3?H}&!bZgXBQ-88KlQMZ z3W6?38{L$#1LDB~b~XZL^~K2^1uorhp>r*z9rJ`|TFP2lvzwM5eI*;>@zE$AwBBrT z><=M2O+ox3CpC@l(Ww&yk4;XMmkQ60qU8s2%ZHYJ%D?Fi_TS}Dtq0iBO#Da@xj(d) zbfLSg^&R1>>0E%GC=>CCSFN&ydoxLUtN&ZBw8t+K^k^|E3k!UygKUt^G6+oy@$h2Z zyFBKrY3@C(`T4rBVaZK1(|@~yE4KE<`-oyM95#>@3oceh{!{MSJG#s9?>8~0Me0bj zG{UZAPX0da1LJNai(8fgrWe)p%IURpg?QmX4$#Q%EHL^oeiVqvj2e4F?mX);B6I?Ta-~d9+)#cc$a2 z0L`RNcluGtAENN^>wV8*iZ;+ebNxbyIKc|MgLN&@pM&O~*-Sfo zZ{96HW+x?O5JKQK=?r@QFl#NT*TMl@OD!g153KZZnqjM-U_o2iuG<)N1MC&wvLktR zFG(|M5%vQ5Z<{tC_$c%rDA-A;afA;3+R=h;NY$I*9Uk-z$B#chHSy2Ik;qAp%HYl z92`p5JlgsBcIKAI**fXM^!~xJM03?gjRtkRJr*~mZQSPJzqj%-vnM);Ku%GERZku@Qg zJ2*K4w+M}07aER$s#9(cC3iqac>kuzBzmDiuJK$llfVrHyM`yEc&tLr*TPhrscEST zn*%&(oB-{6%)sU0iSWFNLoLZqZyb|y|4#XH_~c`pDUd)fvcy>3tvE8i$@#Q~f!AuI 
z-o{zc9j4f*{8Zvk(^cy{KnBG56$i98FY%k&kh_~Uef)(b^k%8+gS0|Qe@8q(`V&pp zLKFVxSEB80%O?={-Ts;}OcKa1Y7^4YCW-<>ZCl`u*4q!Y{I2{GBJ zldvd_Ne^{2_Wa%rg=A&v=ZDSW-=GIFy|f_1RKC15*5OYm5mj3)me!J8^N68aJIvU~PmRQ~9uuyR`<_-K+3IqXs`o`|WLdE&ll)~|o6Vfl zkH;2rJhk_3Jvh>Ca+<}p`Q)2&Eg9hbD0YeXIWBX~kOur5bo}UOOk;5mdO9Isy}=Z- zYswXz!cl%S8~l^Ix7~bJm+5ABnsAY2Kn?M>*D(;U-AG z3im|X7u-*Q*`&U)`kpgo+6gI;Cx%48H}O(kR>tr2DlYl0MD=X>>6GX{|4DE(q>fOd zqm}vWyj3jyY4X*-`yJc;r)0g79#a$*s*J(tkkb*bIkaZsLQdx<9Y~tVBLh2a5c8{j za_yRYPcpeYE+Q{q{=Ugx7FwisO`1{LoEqQs%@z%N> zLN5?7gPC>p>+?O=2bzMy=Wp`UV>-j$+NBI(KTf(aoRxY#91tWLGwI$Zf#H?5&(ixT zkbCUE{(MI)+ov_4Q(Jn|QI}lAYDd%60kJM9neA{IJ2DQ&r215=A!R6Q6^_d@yWq@) zCv~g9@`A)$wr910>9|KFG$7u-{NR;IEo9alL0Avv2FLaJdl)$W{X2Bk(JCDM@~(O=pGkq?GyJR9DvE=6 zq|X29nexmewqpf|YLI3<>Tw{;&ZbrQ>RCCctT31Wl^SBRmIl%ZuNENW>rIRQN@@AI zcR(IbtuHDsk&3j@&0W%b*~hugsxT{FtMdDkN>+Z|!A!382s$|&eo~ANpO;JOZF2mg zPl2@2J2U1dw29yhW`E51xm254Gc#1j4X_I_WL`+kWkFXSp+O#oWt4<`8L`nXR+&O< zN^JcL!TH?}o*YG&PkjiRqKX3OD48cmU#8DUBI$%^-O?D7N9_cL*4r{bB37`SBvjKY zQlk`E3C}k{TsrxGBZkRJBwuzIxdsPf&>2rgT8yl`KfK(wrxyUPCr}|1fVp0*)9I)~ zks_jhtwDOT=qN2x!~@Ht+PyIM*&@XfH+iJo*O1ct5BDN)EFm`Ix2>UeIk`V(Dt!SX zax=Opmxu6{?+m{ntQ*^SUO2JEQ09+xa=GjG7t?Wg(x#s>_4HJCJKg5W8CrqD14L2y zvF1O{`dMiIfuJ`TZ{DfI5ny{qAwQ-_0}os zea<`RARNZQ$d!?nL?_)mC69fZe5YL5Rjm*}aG?m&r8 zl1u-UbqYpJB*5R&UQMT)M@YyMlF5QK>*1h{4i1T5YWqCSYa;GsLhk4HVA^2keZS%q z+DcW32>Zl#%OvI#VR`NQ5kA#Z z4s#qna&A^Zw8Fx?>F4oxCzbt4d9In@6+xaMS;hF4eujq>Eur92i^cEpDNlV)k6uGn zcf#rHA0uOR-zeh`ZmE61{&A*haF81`;q&%`kV%)-t6Pp=(WOc$dWLo*Z$+_l{6`iO zU-B89d@*2#J6|qTeIV)j^;hJe;ngisg?=KgFf*7(OWlU{2=x1-8fSVp^)AhB13OJP zq_(zp->zTgX3Qq=MzcQ@`!@wIHCHcZFgl@Qf^>@r_82NcT|~kCH9akhEISvv(G?Ux zLJH!}j26m+Qx2D`%{Yp0lGeUxzoXyi@T_;=9tK}^AxEg zH7B_9NvzX4Zik5VV5WRu=MDhluSe*R*@PC4%a`~<9PM=f#glmtTeTo-SzNkJI&^su1Ku?&fbzXg4@Dv|<;P1i1dH|Hjbip_NzQE) zbD-N@Zw-xMFiha~aX^Jg>C=E&7}dM+hA$^6;n$+JUu&D4SKfD;Y8kylzS4JosJAsJ zMQvF;7a!gDnG=_n|7;AT6N5$5Jo)Hn_{!dLAOmPmI)Q*+#a;!we`2<0Vz_2@tAnb7 zl@4tXL#l$wLkAIXBK{0MRz5vl-dj@-3kPm7zQ4JTQTpIYF3sQ88R{b290k*mtuG9s 
znx<+=WKjwAK#oRSX>-F=I(WBPY$s`TX{tH{-QId~2e!S8cRTJ#s<~njxcZ)|@L$+>L&zHt+oKcrw{=N4_psdt>VE?%p z)GdO#c0QzsX);KtgT!=EaRCu^;BMJm7VKbwcOe)nK@MOHUAc^B*1g%c5EpV|TX241 zI)X~&9ls!I8d+B0MYaMM*{E{X`T9o+aC6d;m)E|7-eLt0Dj>}|&Zsy9y0gCjE+=5U zZ55b}Fu|EJ=8C?gr47ZZOV+<;5O9BuxSq9`nBt_I;}#cL~zLm_9}EK`FyM3S9>`B z&6d$?b+Jc{{P4DyskuQnNag7Aop~B_udNA*b+{_Q2C6*3E9dmG28<}${f>qb3_&gP zOC;GQe*MJ}b(hqA5Ca@Hy&$$}G}cOZb}2m4C;#_9>_Y&0v?4}#1?@@;Z{R5E(H6c= zKNUZN8oOjr6i4eI&01V4{ddqgQnh*h-XG2Y4>mC0t%pOdDwBb})aWn5{5=#4cM=;q zlIh^MjTPYS%jK3=s4ya*U#2*c?vFG$E%xY9GF1lW^XC%io(@tLSzgSdktA8PrDF7c zI`%77DntkjLcQlK@V?J|pC1IfozIqVeMl#CV8SmVvA}TX|GValiCufSuUDo>`ii5C zt5m+BLEQJB{Znb53l_FaU5CG%fUWMBJQ||$Ugb>XA>){qC&|O(1=Gn&(qwYs)N2A5 zqZT>2GM_oT&!@$*xbmt^JAZ%PG6ETG+xB~L;ZO^05Cm_T9O}m=Cx<=ZhY;T!P7CyR z{x+$LDI%_NY#A}!_3;(I03M&{@%r;Z>a7G9m&8&#*-HH< z<8{14bl6Jua=o|4%iGV@+eDrJ7Owh!f-4*__99^$VPv(asD*Hw=!209zX5V7DQ_<1CuiDyrjsSsEQdqDt z-H(9ad&^h2O(GVK9^C#N;_9du*#mnDScD9AmF?LxxU~JU$iX?(*cdV1kR#reua#Vq z3&q-6TVBg__@mAS*IR!00T4C3{44tM`|7z0^0h^c@8m~tZrR^YD(xMgZ@vqYdSO#E zw^Hrc%bYDViQOtXr_8;eK}5hYoo5@{2mv&eM9?ddK!L!e&xuj}XF@I5Jw6(&RlyqD zJ_0y6?Nb{|#tom&eqT($f9%T`6k8EccB^Qq=dikio6&1XpLm+`;*2aiqZL_G`Q7^v zvfyo$O{xxy3q>`<-KH8H^j}!b@%`yrGYAgwNtm?mf-a7XJr(f^y=7W4a9MBUBnzhJ z9pD!+O}wVJ-|6&KQNF?_))N@~v6Z~=x%=DUmoH+xvNZ?GhZIzF2LmTzN{omF)`X;u z|7b|%kb)mg1+5&#b z0DMCNWbV0mQn*mnuOyQ8Y#^h8?OsD2{-DqH<_(N44>OZ`GKbfo)@S=cNCbK`1E7p< zID}@vd-TS?$AU8C93o<|5|6b;P-%lgx8`LIf~RQhGz!0N;EPIkwh9U5Tt3drLff2 z9jZ8yF$A%JzNWD!zyRB+wt_54KCd^OV#Dh{{l4)vd2EidZI6_$%n&f^bxC-;N|DlI zcYA`8H%1i*20u8RUEZKnf1*SN-GQDyC(?V9p_(yTv#Ork z%U))!wN6K8bM+DD(#rYuCE2Fr@_m8O zSOKaQbH-xEpPiyTRLNe7Y_(4eipWts+_U0QbP9oWsSJofC?(Pk9qC=c?X46L%Gf9n zcEz;1!Ksn{4&>JJu&Rt_x!{h0BVKWRGg$+EhY3N-WAfrvumq#<5~!QwrjZ~*EoK=4 zEVO1rT2~8_I@!TElQKf()^#8FiIZ%cQif9GSUFqDln#OjmqgqG2*cF(@4z3e`+Jn6v#1mAr-0bftxpZzn!8}vkOe#(Pseu z!X}}6qkXTb)TfTFWvPa>GFPB-tCzJ!M{LP3141=2WPQ?#yqApj@#n1lH$HqfsfzWDEqZI8D`kz1=EYYTVu$@72Tjy^YfK-3&&l9`dz1XelI zB8!f}R{7_!SKc&;Ai~UqZ|>7s^Y~M;B)mL@oC!y}7rIoAvTfVFA9*<57Yb7ud1Qz9 
z7dgm?tp>rn;00K7+#nSE@n98TZK2D)iGEC@va^g5v&ZEs0D`!I0m=!3QKPeE*RZ_C zWIdsN)1MoJ(eA-0vsH@NFpuOxY@-_(LK}i|IgaLy*g&CKdv~bvALJ*YMDyW52;${U zBwLsgH{e^`>&gvrsd(w76#)Aegl`{n(9fJD(gBN?Sm1ly0#=WClR&gz5%c1k3Xv9( zE|e|AogY2r-=+o#H4D3hu6l|+#0$KqX6Q^_7(%ZvQ+8fkJNJi2`xDa2%tyqdJqcby zqANHMcG3b2hH0!G-T~hcvJt+ABQu(*S3W5)A9~FQ0U;=dY+VRSz9iHCL}Bag{=5Jb${nt#|wk?hRPa?#!onvMcum`40TBEO#6IwHllFI{Ijz= z?e%nyQHdRgdE0q**k&cV{OiT(&fVVm&(uSrc|2xa1`w)Pw63}K-&9-gjA})L_)HDh zDk0uRDWQKIeUMiFas?x9hg`t}v9ZI~FaY}VJx4tvz^hIdu)Gy}C~N}>i$Wo79iMEp z!S94%u}2W_%Al3dI^-|SEaHg3QFE|0RPUF5OTmUKXvqAQ(Hew)gUktZA?XGKHs0Ku>Ar z8=q)wa0vsF$H%JL?zRBg@Q#V*2hYL!l;x_Wg3F(a3W8xp(2G^jG+rg6sW1F?XpT;V zqe@Zlo1aMVx{GpHo;hKH@72{=(i=<iAa98B z2L;oa*I6m2Rku{tuaMEK%C)mFo8J~An;d4PBoAx*^eucaSE10K`{Q|_Hi_GVAsrO! z!Q6t&D(;W(-!V?@2S%Rq{bW`C(_#sOS#JWQW8>K0lr71=dez%o94mEnI zxHBZ=aiAm~YnI3u;Y{sbT2lWqt!FVaZSq=N%*LYtT0(dK9iXQ2{f%6ws55O?N=`E6 z=|X3K-lE_K1x-)S<>AoZQs2&2TU6K4IlQ6^6U;Cj!M3Gc`;l>N|8zHpZ$%SWZ^9_`39P{km24} z&QO2f`swe=#Zg&a7Z%p0qYfuSyOkjQmuPG5Iz-F;lee{-&#%c_|Es;Z(`&$0#ORMc zSmJTvRFFwJ3V%D2CReD-bLK~T!gRikOAr;0L^JZoT^y)*!|m_Q@(aw9g=(7io}ZOB zM!!0Qu`h6x6=31i0g))VdSH=i((v(Ig|%o_&{iZ(9M|7h6@Q|wYVHAE{rOWzWj}J) z(Q!mNuv;dJ6DIqseE|aoiK-gpBpNm}nI%>RmD>i5wz;28`lG24B7|q8^NOoK#C+t8 zRlr?f*kX+hf#BRxyiw^0+4Y#@0C^u>l?gT zApfF=CF0S25z;vg6wsJ%0dyc9STDfGJX~do3=)D2Sa8;6%Bn-&`;e=%7PCt9KM(8B zsqZEaF@Ity5mp{@vha%}&*$-I6^sv0k$`HH_HcF{H&{t_!ypjkxT`20!22EV=-Hl; zIZr1-8&xxv&b};qN(U2oLK**JGvyRn`(R`jL2=3a@pdBvyz>a)?gzX>T%ie1KfYmA zmjIC#E4tr?%@a{9HMI6?&OsMLpkroK{c+32KUSZZi%Et0iPycGN5V{f4hWmX($_4J z5yE9QszGf5Ebo?K;GRObY83H=pG-%SwSx~V(y{ZRbX@< z4dfvz`rYEzwBLU-6y{rF-uWGr!?1t?)FIXO>`2n`sdZNcmt6HqJ70Hne%fAH#IA;UuHi-2rxScAwU=BxIcqD1-}^``YU zPx~9sNg&A7-~(rzTyb<$go)fj5Cl5(tMlvg^1bYrrUWJD`ORQ%+B|T1q_I7rBK2Yu zPvD9ZOsIBF?qxX&t)n3Od)JMX*^6iD=x3WAO;wE|UT$~<5c5jE{ZMq4C`T27NxNox zb~g&nI|4?&-BCT#u&fBGt6#*t*%Q)(-b^;i1|wGOZ<3x8&!2Rkf%B{8YhkyGH7MZB zqfnX~%3Q%w5vM}Dt;*Jp`VE8acbtl#)=aI`=XVnnqUVR-6NNy+oX$f65?1B+7L_#& 
z*1w(NMPu$LA-AN&!~lp8s&fV+HYp{h=!O3ixd1^K)PEj7K9-q90cw!SyVbETspknt z)whbAcaBl(m)d>uA%P#n{^eJrUL;##JAk*S+Af0dlPJw=5HE*W$J@^l8WU*4V@9c{ z!4Z_#t(C8`gF`iECrMiNEEJC!-yB*AI;;9sK|%fICOjGPm1vNSmhq+)s}~87a+8DV zsv?wdAGlE&=6<@k4{OkOVI?0oWps93*D>Fr%1Hz}1M&muqUOjTsGga| z+uiOth}79+LT0G_Xx(6ik8IYBJ38ZWBSK?TeL5POF|fAV5O15l0NlL7Bz#k&g*-V2 z#|4|&(f2?Wh~A9vBeX7wn(2czS)}Cs^Oqs#spwr2FEY`pWdxV=Vifc?osSZPx^;wa zMOmV&AF$gZxcV4|8rdV8*{;X3jj#C<@{GI03+fOvFFv~YV@QRlhqBY=Xl5i!%s$Ah!o{Kw%Og#FQ3PB-|NAHRw3UO&1bPw zyK!>1lefRqn13$lKNROFF8ZT<8ZZik61CtaKJNW)fqU9<@Z~P}>)De};ng(m$Q?*g z2?Umdeg(t<+?3e5y}r(aN1G=h$A*CqcZbt_StD;0FIOsS(%?thDA$Zzq3V7mgM{9N z8gL_nnBCZBaBygo@o%SY%DNh`AqAxJkxPJ#Q*bl{I~%=tolxbF!iG7slZ>yAHvosD z%%Kcm#O8nP1wD#D*m(>3C%WQplML?y+}2uR#=|=PWD6!@t2yxXo!;pq+)HTMy|O2| zj-VPpO~mXC17CX@mQ-@q{)o7(o>${FZ+7Z8~z*Z4j<@|U9?FHbwtgKC= zu^>Y;GDkn&Xya5FeWZ>UFaLceq(6gXx=AV0>l_R`&8))#1ik1~8097J34S*}3NbOi z>5T)sCVIJ19Q-LtRQI=oij}-G4-@f8l{_N-h{!_+&%Oe4q`IW6kz&9mNe-fZclLw3TxcHbn6hiLQYDC9)xj%MdD`#ZYWsxb+QOG>2BajWV_ zu{0$&Cku=G9~xWh^FPvTK^Iw&K4&X9WWYcjM|E|_%}N}Q!7r2c=AVLa42L7{OCn}H z0mdRw3{!q|##Yedt=hkpCNpjc39dgWE9e`xNs~L`(UJ4V@O!^N7W^%U$)^Sj2ojOJ ziq8F9`R(mApFE(^yXt$2VIhGgU^@`vFv{b{gxZaN$C2_q%2_K2iYl%;9kY-Rw)9@V zJ$vb7R9!V8v}T)L)rxkZ20TpS)=6m*5UPI`Fuh0fEZM~C zcf4^|5!8NIzZlKuLN(4chNK283aXv3%yMdEMEE{EZ7zKJAf_MmxLD=?DIW|$7ThvP zMTonuzYkxwO7(2Y08jfqt*BQg&~Wd=>Lm{B-xB#6fmv&dVer*2L7|SEkW2G&kVpX? 
zVoL+$?5+v}z2eNLeJJDL#QA-9OmV!{=A@@tyt3Tk;CZ8->Tj#eIjTNo#!A4USD5Ht z2rhp2vu&m(mA%+CZ@u8x-``(6Jig=lIvWL4@ z&n~Zvr_jhet(^gm(2&ohrd(@NF$)(XM*=iv>6Zap%eOh^$ZirAt~5S^y6t*o zu9e>w*;ee%FP#rF7N8Ed6KaXu(ZQsNaZVN!{}#qrImgL@%e>Y6j%U##vfrP}e5>G8 zR8;+2-9Fha@nVQ5M}$?&`qM*P?ktNLP=;FZ`vf2*_V#p(>$hsTdOvl|!*-Xg>Y^xO z%~{x|%lxneNTCi2ar^k?1*rN74_5+mt<@~5a<*JsXB^u~1!l?Rx=oD)Einuf;ARQ$ zzVIVo4n<|}pKoc0{(6awiDyk}PCQa%K zzO2P?NCvZI^1`ESws$et2il!#_lAX@8)%U|dwcwo-+NwUrK}5!wmYo1iEz!C81*`% zu8A-aqz^%^a9$DKg6xvPx%ioHNl^jM!Q@gWHQlcH=O~#vclkl%StGu92pP(PX=c%W;#v$CtiY_>^AX?Cb>b^GdRa-+opPcwF6k zz3QwRfB!!1|5*T$xlU-*9|-HNz-W|WcGnv35HSC0M7)GU(sf12zEmk=ZvnU#0QY_Z zg1`&Sh%QduTGv$WJ}H912a8=FB`9GqoyKbvrElid#W=h9-VMb$00BBU=jP#Z9ge3< z-z*1SSu)88Vh7kv+qjO8{G@C9Zm{*A=U;681a9J&MXPjSD(}V7$+TbkY?c2K=GqZ4 z>)P<$r(QmY{j{NtBD- zZ!rbUey)HzNT=ILmfI#A=D2jdfS_-_o47XXQ>WZE z&8YMCJZ<^LXk0$*^&+&Tf^|Jdr;`ZF%*_;1Lh)fQdU>pRm%|=!N^(HAC|K!nTKeo< z_@82JJtwP>=yeloA&5Zw8EKD{mIrNt2n>hb5TMufJSwgR20`WOdT#Yqhp*8sM-!OV zZ#^%ECR8^eI4C6}fnRp+W&n<;dFYp;i8@yY6V;3uaPd{~p!aV#6NTLV%?kIpdEYFX z3c**KjNuAT36h0O*;?ae8XH((q5Z?9Dcy$s9sH+Qd|T zV=+R0NhzM^b>a7?$sgdz=m*>=18q^DyfMI1uI3IFYSoD$#eA|Dj^S-~Ro zt{kwrb>F-@c$k2N*Gj8|GLgnz-F4qMaoY{%yJPC??8QVkOTG*%}YeCZ<)hd zE3pB`A;Bd!Hg**pa@^@bP`pX$;zxZ5hivEb`5*$0Rf%ta*8_~18zHw8nbkWg;VTSX zttdk3vgNQbuKL8@2za(*kGL-@Mq(@^cjnm77_m8zM2P{giJ)VS71(E_zTPBq#zSsK zW!QTe87dihHue&;ho&W!a;t=H}qh%Zn4 zY(L|%Jp7}DG*dmRe&I#OYo4zQ!65NfN{VHpoD0&RbDsYtyy*#%G)<nTO56F zEsIQ}+qYF8WDeAlQGi-pk^byXm;dv_-lYCJx4=;hn>l)av?;3Xytm}e4Y(7o|9vLM z_lnDuxX5IZ&g(c&sL7_T`{}Qc&A8mzkM5Tx5w8MeY!=X-Z!R{D<+1r+i+b0Nh0Ti7 zvoo_}g1G?WMjxw}k0Z=^Fwc#fSM%m|akLx(f5nSOO5L01hlij2&r$p1@0+g(|EFM$ znKT}s>;IoM>M_mWhcS({lh^UV0S0@{^;uV;T)4Gk(?x6MiLI?^bq%^%9~txV*JY6a zF$ew4(3}0Qd?OJAHq9jvPmHx$AuvX*G=Wn z$Vg8(f_!_~^1WJ?jE2pmyi0#rk!z&{nr3b$u%zWAc)md+pa#K{e z5TAnbVF)6p;pOuUNlfI^1MT8W^^cyzqa@fm{^+R8dqoeoS+QqSuzTB<&lxq1VQP&U z)+jAbfIFnl1p!>p;Wm%pbKdRW2y1t6E0%A4Ob>CuWN;%?pZR$VxJ5Z0UDPo$atr+K zIh5>&MupZ?e=%7Hgov!st;#)P{g{Kjzi8H6!do^m`P(BmaxV`-#8^^0w!^}syPsBZ 
zpp#7Y2(N)8O!@H2Q3$|Y^GZU)a^4^ka2ZgB; z_(z;GH5t+eq#WgI`S|E*iJyr@dqvF~IfiN9S|@R@p?L*0HIyL^*Yzcbbwm~J?8%Iy z6UUDV&=)9UKPzYGxRGV=q1s|%%~3sbH#T}{Bl=_xRlE4XJ!|-2s{AyYcy9a z_w-*GqTei{Dpk6lzkCUfJ6rrS7b}dbvtk>}_DA8=hbm=(OG}h|Vp;?6Gd5W2X+y|n z=z4dRD$^_ItZd$b4qrAwnRvw zxE>L>k@4m^j&Rr1juVOOBtBiSM_eh5`)G$(n>}8+-UyCN1@hf@?-6UO>b0OYHO0P? zI-zD{y-6xP^-9*MG3gD+r2Nc@2*+j_C%W+#At7O~CEMLuz?qTWe%!d5=E|3bvWWI^ zX^*nJ0bqvsNy9Iio}~36=slEwytUS4E$dwdr5j;bxnItU)1mrbD#+aV7^)+mRWvd` zt8$p5@4t=Z6N9zy-*rQe&4y>%o%cC&Mz_3D-hI_KBp#dEXY8;-O5fnO7=DK)DUWI0(O@UnWcO3VLCCPzNNhuV3?OuSd2 zJ4p0%nq4H0K_^5fSkUi5WSP{JaC9KJ0E@4mu|T-%AAk=wZT8tPc`k`t1(dwWVbnp* zb6DOs1LtI6YPn|+{oyxv(+kt4|0TQevOQDRdoZu6`ycL`ISOvw+1VCVomgD1d`12O zqDse|lKpm=R^j*M+HnJ1-FheFQ{JMOy7EoShxkkmG$ef5ovhPsQUptE%7sxA?w&nT}26p%OA%&?k&(Z)CD4AvG5qNAJBQ(`u*$i zlqm4^b=}dTAZU6X5G{xAhI90-xY)kf=jrrkKyd%dW4tw`|NKA5K1)|n%#1%5jfX#OWWf@ zWLZlR!Hr494|h5u+|M6_|5^l8WEbfeJ6p~5yk2Bq6Csk8?+NCEjXV`Pim!qQ0w%Kd z97FCqpq_2%9z*BWd~e-vPSV0VEJblsq~RNP7t`wq%FL1)azL@>EHm7C_%fY`8FRekMmJgc4yb*2l-u$ z#%g>mC;SiFpE=1V9fyt{R-I_}}fmK&8mKAv|` z#;%LnY$ues<)}}}8fGg5Y3kQ;WTd3>f`Z?+u%wS}?1^;hLY>M$0RcZ!9?QbRUeLqY zhwsg4gOaThQgfqhoaFx^jL2NCJ979_a@kk*7O)=Zw$*WNDh!gK1g%^ys{+M|K_WLM zcza_n-aP;Z_;`8ZZdpuHQVD{He&qi$STaHTl9cu548C;RTQRCNeZz_i!P4U6L+6>7xcHjTBoK!HDBVznY3Yh51}=?XC`EsvyzqI zk;Bv>$n8Wmh-VJeSPdVFu2ODk{9Z8-jzg8?kE>(REmXYRS^{RVfqr6 zBC=8MXc|593bWk3z&0EF_+GmaL9seR?M@~$u#O-717Q!Fou0s})nX+@+%rotU(HDcCZ9z`xe@c_R==T#@W={OnAj`rNL zvN=z+VnW2pHBc>-FJE)nmB(e5UeqtBXIe7!*913BOEv|n((s3b@{#QwS#|8S>5!(H zdtj0sG4tnfidv1o7a4Ly%#Hd4E8k*%wGIj6$nTek*2UZ;a;KcN=|EaXF>pS?OI3CL z0=(pG1 zo)zaEXe53{YeMw6`(FlsY<8ACoks=H*uYuhBn6-1RFao!^twB!U{-F`FvQi+L<`d=@oMvB*|q<%N6YC7BvOTpt#r(9`dd^iFfD*8GdI*reL3|5Ksf z+i$GT0n<4h=rQEZCw$yBI=EJ8tGY)DnF8O7&E|^29uRtCT=F-qbhG)W{)U_@WDlofhSb>v7;F3k;(cqr zVMC42+(F>8&;BRTl=I$g*aS8IdyE=ZAJu1=)dd2yc$WjCwlqZW5uj@#-z}PTjE(cw zQC0k6Db!e|jE)l2!sRqVxavBp2+hohs%E+mWTK$>CEotAPH}xc^c1 
z%ss%t*lf_EQH`nRrdq{)1g7NPqzb=zAs~`tQ~hjnjUGpD0t)j%oml92`j@sn(pt=eZT69q?VaOb+REn_eiDw|6g^xF=29_WjFM(UVyVL4gZppn! z7O_FO*k0)4x=$BJotp>#jWfRjnfihP{gI59%KiPq^k^^Y!`qA~o*ST;nbr^X$@|*} zzDMPnGGp~0d(j@6i-0m9En?j)4?@(ceELrd@Vl9nOVTE~q-ovYN{@&aK65Usu~D{& zA4%tG9W=F_mF=h)FI_NhP!m5*!cUzm>2AUCjo1#43JXUWqn_;mOm2sYx-br9Rf#v` zBMB+(eSqQ2V3v3>=H=sFL>u1ZgP$Jse)$V{JCtfF`yp4_BK)*rieKov z(s^N|w@0EI?vLECRm*%v+za$G9CmC4AxL#ymwwZZr1ZP`gT^1cr-F@FL2PAGzE931 zYm^f=SQmAtlqrcwA-8kHxOswb(A~qi#N>y%t0l6-Y8xOK^)S7-i{&MvH2hAR_*My^ z8Yuh`IrO88{(*As{rHFO@rF-BI!)Hgf`>j2ri3`JOkBIUWEjZeM;E_|S?Sl4Dpyl0??-3a^S&b%}AmHk(5+f6i{?A6SuIm=t?|GLoU)-KZV}^%tZCCCg5QfTs z^wWGd;hhz!3El_UF3C4ghK=D6^!&(pS{%wp(66#$j@hv3oqcE7F_686BE2`OG#XK? z6>r~Hv>2M@8iVywS%2Q+wCfzLa#Mk5hiEV+16y%A{PC7Kfc56twdb`K|H4J;tlk0a zkUSR+d+`*g=|AnBG`KnQJ(0**rnO{IOm*DPKwPjfGpIe)H@z@;I0 zK`0Dy@T#lZx7rzw8^wZJobZP0c0sG~ei3b0(yc-jOfz-jT=psE7wA)WKCB8ETQ@y3 zZukMC^|rz~&L8DY$>4l2#P_P(aT8IHC-@fcV{)8_;S;Y@nQ#J{%ANiWl07pb+V}2S z%DXE&5p<-|O(CE~ZJl2M;FEH9V(RxMByZI?BraDhL_*l!zZVs>Uy)r+W(OJr@gt*F z8b;r-=O;x>x2BTR`y6H3aPf7X3r@Z@7Zr?bxC8Cui57(n>##kJy_CZ!GL;Dl|C`&k zG-t&8Zxqtf3;T5%%@tq}#O8lq6{O87X8(M>(NLa~)no+@TU5TcDbzp0R5GoR-ebjV;&*6R*Dk9J92vDy61J|n^{ZcS zPg~dg?3+AszpBF88}{7K*MBB6a~7?FH5E8H$579`+l|V!(AUqj)z0}BFQR_12gc((VvkAQx3PU$p zboH$op{Wq8i&!hUQc1HEmO?{pVZZ0d!v>6>vbN$YwiduUzK~Fy9z@47)z#Iu<+0we z41a91WB;|9Chy`C>j%Cm7s<8&%8ZhmV&I(PwlP7&h;dq1tqpjp&A_0?F?MP(`NYU*$BOEBBj>}^@4A_PweYLneatc16=_@lC`A7lP5Fko-2 ziYP;`VKL3%%kQ0LxTjCQ$GT(s4TAgd*TuD#&T~cJ`;(N%@{Sli>bcF=r)vg!4|h&~ zT#DrtL|;2_pjO{INJKxBay{e*OXIk9)Q1;LnRV{l$S6&VL1VkNa~`rkWMNbed4*a8 zM@0y@od?EuB_P5_bPPhG`!Xv;NAg^-TP2Nt{hb<#ol|+*FzOh@U;o|*5;_-gzen7S zFz4HY67WdW`5`MUTO z4IM-d6Q`ovUN{U4JN=V!`M+AXIQOf#>Nxjs*~f!azk#gW!GQ^!f0vigEAn;r`H5O5 zJ_`{W{zr6pmSJ(H2Xpz{6HX`0eH=9ge7gw1r1Sf%E{f~pjFek1WD{Tuf{3}!ZKbdKVM7w5tP;oY|!~1HnuV8xvmT1vVOVw zLPRLICxmO?tvGl`*(smggG;H3$V!6B%Qkm*7NaYVu->)(b3To zj%5JU?tNO%7qX0Zo9RO2q{q036zdy?Dg}q&OK^1h&Rp7!RKO?sdMc#Q4~tMjc2e+8 z$gF%E;$8YPX!{P8#O_D5(qAEbwT1U9`NY0pv(@ucn>=s*2fjNLuzT1@mC4AX6uZxC 
z(4foP^%{gu(X*kM5@erkONv`Sp#XT^f#UDQPq;4|>j=27X#rL)+*!r{IDUoA9o2Lm zOE z1rT);G2OPmt5-nR9g#d7EeUr{kK+RE zh8^3!_xY$mv_~$KUKFMfMti8mVGYr;NQieE?%NCmZX$A>8i#Mp+)nnRSW{jE`Z5y7 z=Yn$oJ=7dL%0e8{VD~9#GriY-Y#1;01^uD1PJrR@mNT>|oc~IXsmUdvJH)?t2JUdC z#5N+FwNW3vxR)6jY-wSyD~^}LXJ$5veZ9u@cZ`!|Xbg=HRev01GBuP+j7LwI*ac5X#2STTt$N?b3RQ zu&5)O&@}&NF=VbBb80p@v*Jb<`!2kuPu5|$xR~8WWW#6u*B{!0WcFZb=za1U2~f;d z0UeW7G!KRmHR^#{>xH}*lNiFdPPh%2jlWXCX2fDfY?yGgX-nkni!tL3e)L!wv7O@e zY$XIVsb|oQeVc~;_Ws>Z#1cQsBz6HO!$;p4K}Ji)ga_*&-rSEW%k%bBrTubX*hI*e zq(z?%uT7szhBb4NNRNp2CRl=kj{inVq!5u&rH#!0+F3Gi_B0fK)$d|+t4+p*_v;j-Lp#(dmD>E3vsA>g{mEx+0AtKaU-UjdQkn87{(^MQ*SkM9`3(+? z8Zlst&%oDifnsyO>TpAO5&dA{n>@ao?GgJc1lwV{JGYpAFqY#|C5Ews5Wa`Q=ixx$ zM|6`iS6(xOu%Htw4~#G=w5-6tzpONr*D|A;kB-3v)L(+jU!>s!IA`AG^^g)d?sl@* zvahu!Ba4A98Fb_GX9o#+i5l#2178BTK<*D!BVwb+5#ts)sd3N`6I{zWMFJnRoWyQQ zNbdS)WefkFh$KrV?(9H2UseUN6%ey z_t{7*QS9C6QGIM64MFktyXx;cydfDi7&`V~L5LnU)+C%hfPk-j9fHi_CjJjIA~TW? z_Y$|w0M0?aEVrra?lznjCHctxPK0qNK^wV?jg9yDiYLT(b8o-|0=)sjbiJonj|+P3 zLQeA@!;VdK0ro5PhZ{7r93iHfe*qcqC}SxFHo&`m`7bY%5{L+o!<7_WhWRREzg>m< z!FMIDZzRUqH9!lC8e)GofkM#If(cNGit=YUJ8O{5JBHH(m0cmwO?+JMyVnWQLJdnA z!)w6gNFzz!rXwf3bUdF=Zj#uo5{#K<+I@~Q1@eV{U)^KxQv9WJMVL&CvMK!iIYo>& z>~nTy<>Q;-$gU@GebE)%86iu!8o|;2SUU;vZ&$O@h8>E&gIL0-LLth*f)ET@%3iq< zeBw7x=7`C8S@^y1Aez^a`1EOicZBSrs$W;Vj<+9dxc-BBH@hN^E!B<{8(A6^V=NzY z?;tW6d47xc8Q4PHfs}pi_5jT(4k32Cbvi`Y1|D22ZlrWsZ}(LBwE6l~z8QmXA?+!cNfP{zCE!1zcM7ewjg2>F2;);~DAJ!V9}UzGu5FKNjXG=}ky#`m z*DQ!D8gQLh0*^stuZA5~UWTy|+lMW1i_I zumn(y-mgGmq8qx(;(*}9H~g3JDH5-pr@&#|!Fqv$N`jf@r@+2*aar`jH*?Q&TzHN^^=Ru} z;05|2v%I4`L(dIorLln5i~Ri?fuHTcy4dr+8#eYYa`1+Kx!9 zZ{Vvon@GZ5{77GX{eVi3*n2-cwbnL8D_87xOw|%Ou7puIwnFd+P_)NA0bL)ixA-?(_C=TD3Cu8>4 z?I_WU3sSr`nG?U2AJ|4EkgoqB2ex2nYpylw{PxJ}Ep>a%@?Ga2Kf@ZgF^uxDoWi7L z_=^JG2aVlduMQzzE`G629>xeeo$z7g^F|+n{hL{0({4n39`7hclqX2zLq!zPVECiq z@oH{_ey*p?eDA*8zh@vx()ugdLa$i5FA<&YVyV~$q0n}`KB95d+W$=QcSbN-gK>AZ zb=cVVf-mFUw~bD>)10zyxkFi&fsJV%y$&roF!5)$7e;{votsgElse(DD z$$A8t5s$}Tzq8b&f2#Ruk5$+7+*{9m%I$ahZr)smNR 
zB4xVM8GetWQZeOk_&M_WUbkcH6r+KxUx&*bMp=TXqP)dSHSL3?{lTo4rnLQeO2|Mv z`}Njt>n1#UNsco%ZoPrV(o7Fb8k>)^47UQmyVD*ecmST_u*a*Y~MSM4eV^`t1z!&dj&GfXQFc+YMwr6mm#Tx1UVNB{0-^-gJh+;EC8ry zTVICQz6yNIFvpOFJpuS7d)7CAC>s@Tq5fMXvs=hbe;^SHk@M|jNGAQ2aKxT7qWg{i zEu#ktf)(7O<2!^kNglzT4s=Ag#7GYj`Jw|@Dv$As3&F|!O=*42;*Wo8vTvtJv%}t6 zl_a2|BBKqPQa+Xmi)8$s7Qf12Zly5o&(vEn5FU7=pYaEq+CHLRs47TIvbcZs_V#TM0N`RbLUgs{h%6 z1lW8xR{RBf+Ir=Yw1Iw*ewKs+By!*+=Wn2`)_x{s%6cKW!5Xnx zoD(+c*|+<>udvRRK>~.>gnK5sYj)0#NLj(Ej%$r=(sr!@TgUz#+j%-b)Qrv?s! zrjXk{CkQE2U>~rG^M%L9Q+&xaR_tShY%9adwV{8|MUb!MmazjU{&7&-Bt2aukgswP zF}z|d=@fKx$oLjs^4}(_ob;J448h_fLxDech_6$}4)9)Tpo__|jIBj!u-H=-6VU!o z&RV1bhn@d2VA)l$lfSk?e^uo}XlIY1PtK7)59?VWK)_2$j~x`Oi=XyK$X6Cb%8XsL zq5_@(syLhwU=y{J^d4eio5mepjr=1xMf33bSP#NBAs=D00$Cqw!HVA`VXHNP<9FRE zZ!ry^k>K>QkBcC<`$O;eD9~S4C)53Rh_=R3H`ia>T|YuHmoG0`{nZ3Qm7RfawpRXp zq;u+a2>ePKty&h#Ro;Hux*!zJcf;kjBdcudqX1{PaXbEF`_)ruj>47gT2*Ih zvNrkrO<#%Ifp<`_%8xdBXJ3`Uuwp3wBZxgP9%%HeB)!MxByBoR+==g&@iWL-oGm6# z?qkB@U#+mYJM3n=@Wf||v$^8;>7&t28Tv@SWL%8hRlmkXo#u}4oiTxXfiFXY|L8*W_ zF}*%Dh`TK^Lm}c~yZvlvVcn)KXx%(?FN*GjF8u_Mz{X@?%(9=OhIt?7YR)Df4lV*f z18G=@%Wmci?LmY2&~60Zw#AH8y7XQ1HUUYKtmrm39s84=<6;@uu?jq*Rl0VhX1lrm zi$KF?Y`Zi^t!3`kCdZ7u^*wzN`m1A)_pxwUNgYT`NbTspf%rO|CqBR8)2ju8`VrNa z)^G3-0{XN;)GR+JJR$%x5)4?2`B5=Kn3DjdHR*Ga*YE`-H6 zCCpIjzD!IFQnD6dqo{RQEG07Oy*8QBtA9a=N92)I_cW=+K31ue9uTPWA``goD8 z_vK5hHu5SFbl2^6=vK#I#7F!$ETX~;8q$4TkE1y8FjIB-&v6t+$}`}gM0`q{tb^S3 zkd{b(?G83j7VN>nc{SP0xQr&SgX9B1d8-{^5Wea5jKlj9gY-7Cd@!GZb(5jNfC)n3 zEhSXc2Di?YAYv#PCTLn2fDu?bFNv;tilJ#kW7!q|oJ`L%9?S>BHrSUUA>5KtaU4m4 zL!tshX*DO?!ni@aL%R!d)0+SFUp2p2PbSB46LSxqf0-$MC*4M5<~jzZ08L$!yaG;z zG`rHS$ySRxAJerU#Woo*{OvBH#&1m4CrOt|C7`EITJVBxb13b{@OzUU+$KkZeiP)^ zXRv1oID}+nZjxsSfXgVW`KpQ1&QRL>k2cy|1@>%&4X}c1!BkTL+Co(^y7anc!qp)E zseY#pE$G5WsN--V-hSJb-Bz@f<*wse zFo<>{PffJDNP3RUws^zotOMsVC-IgEeTVbluFGSgHFf<*x8$?#T&lKPNMy`gZQ8f7=lo<@VAj1ZJ+nhK>6nPYV% z`{mE1gooRzO6mD2Z3v+;Vu_k76KRU#M4rK4QQriIo7SZY+avu<_Qr7*WJD`~v@>Hv 
zUmw;bn*Jw59HH}7!#6e_2Vmxr634W|;CFy{?NXbPpc%ce)m8DVw*#w$ZYQ=Ui4LPS zXAXk#;zyLU6}Q>iCVtbU0Qp3r4_@syu;vN?&n9tCrR81-%JU8qVjhbsA0S#-xs9NT zdTj8No~3yc{BO--iI}Hfoo$o*TwFVT74^0V)0}fc`J-}*DJbu2wCVo#2XOYuSSW8H zh_Ci2=6e#10hq7R`I=BD&P}XFz#o6{pIe)~DqqtZ6U}hkRi5u_&GB}vYaJ$O(FBxJ z8L&6=v6If@R(h5B(HsTXUCMjm{ceq^n-~H)(w}%Ph~`tw$nhMO8lm10+yf-K$Eu<^ zg|jg!>E}#6BbckM8s9uBPaa&2y9pk)@_JE>*lPWzt+w)WdYtnHQ1t+00G(n6&4pp z%2*O)hQ@Q;>#!RCR|BvTflb{ptVlra_(F35U@VWL#)G40NgmROPv5k19ta)}ss_z) z$wuLC*_gGpwMTdnZ+#+C&M3zS{Crad9HC>#+eAPQ?!C7`GkX3*gCgYXS`Rbv%e{w? z;~I4XUy8Qgj0K-|Gy3v(yZVhFs`2!sFg&D7!xzES3%fBSs7BA{LS3kwHCridGXi1g zUxMyc?DR;5Ig07;y)xTR|YUbvdCtGjzuKD6olGkhh+Ww~9fp#&g4jGYZ7 z*3YYyF_CWK{}MtF#qQOfu9@kpJ?QilWtw~N_5x!%&Zf%cEbPO@)reICb>PP(6CVwu zGso-clD)eMI*{&4)xj8nTF~ zjQ%Zw3S56ACvB#Z<|#A?bNKa^c-J`xDYal+?Fr^Z25kkZq9_$64! zVG$TGw`|&+^-bO=9~Cej{T3UC^VRa)owe2C{;LU|RVLiIKi{`y2L`bJL>7`#VzyA@ z8&kIRZr#Oe?etI3?pi&vg`Kw&a1V1Z^IoT0;O_1nYY@#$LuM(?h8?f5&MiqO&FLb8htMB z0XT~Kjv`HDo~T40;I-*0R%8C}($^A?s>5KZRoCS&9^c_`{DH2|LXQ!+W!cEYoc*aI zT}X)OMRT4~eW}LpsM4nDu`epS6OSrM1fd>}s>8y(L#hpRQG_U-29Fd{}9e>62jojQ<&o#E4sp=F~pLZFGypqkYm znw1T+$@5=2Wgv$ZbRmHTpIicQ=3dacpC=c@N|&3bX0QtM@#h;CO67u6fB1N2m&en#eBQh(EjOlW@f!fu<00LZi2p3^E~mrpa}v0E-@ze<&81zfz{Th<50{*p)wVf}QN?D}-b zhL#WKpe%?aW}e5q*#mb{s1QZ71nWY`ADo! 
zQ74ejm$iY_;;Ab=;9Y6(M>L>hBLTK2ueF9c*zo3sZ*^KWA&g3?-gOKi8ce?<)kx-w zo00SP3dGby;Hwcb?4^Ax5@3O?IlSCS|41h1^b@pFWm~#ie70P#XbYBI1G7aop`0Ei z`~=qgyyfjDB_|n)g??Y+w3YQ2OJ;4Y9m}tv%Hl+i<5w3{=a(fF5fbIF*t&jGjsC#$ zt@X%Hwfd%RkT+S!2>aFM6K&RJxnn-=HVnGE3(zY1QOu$8>}LwwCqUPd3TMwx=AY=G z-o;}$3l_d_0PFx4=IWQ_E zFV#JS@*MGYgo%nBr2LO8gSKm)MG!>vU+UYyyOU-;CBQ5@;paCDjS92KON~4|NDCwY zt(^JfbY~|KT!wa`q`SrVF2YY{MQS3*q;q(tztJO+AaEG?B=jUXgJzWJ__&>qC-TnH| z;dB%4Qf$!L3YK4y61}(9WfXf}LOfN-N33&DdJoTwALNZSC3QeW^8)DK>}He4hOJU> zCT*f=hVFS@=hbkbU+Z?GWG@92>PDFeviJ@FX9A2|qDM<#ofb})UQA$&ETz^<^$-PT z>I;*lZNIyzwR7KPBhO#bJAtT;D#20%^X%%BCc*&&XlmQemr5)7O$MJ(AWmrt!M~BY zA@WcwVMQ52m$XMNUyg?l9=X0E5i2AGBSdhp9G2X4%Wb+)_Of{Y0X^c{iCUPAbi z>uWj{HCw_Vtx)r$$Pc_8iBkb0y&R(eb$jQno@uLK) z-ycjYXVQGp?U~F$iL@M6^J8A4qM8xfM0D2R)?i?* zYj3{64EIR88l2atqXY!K5S1j7{F~2#7Qs@4a;-|U!g7DC=1WuvTR;-Gn2<{xF!=LD z4N3RB9#S~vipqi|gX5cpC~%ZpFio{W61{NCl1f6Z4-wEVrwOJx2yBEAYyZO5N?+6-IzJ>)?X6cbTB7;^ZBUC2^T%Tx(F_`7Q=OAy@ zXKH#mEex(MZOF^YHlpc;sBPEhDq;#mHAl)G#B{_6= zHwXd}(g-RrARW?3cb72a0K=U3JiqUI-@j(9nYGv1bMC$O9s9bki$Qc#rjQONVRK5r zd1yfayptqmK@8GbEk1l_6TuGV5bxX2pW}2mn0fYI3#Kc?@p&rl@!M#HJ)bRP2iFCO zbVDU{Cxs-^v{}u)@iu20{sKv(l|-7+Z$r&EQIHx&cWR5Wpxee&DH{V##W?_(rN2PSSFjuFU$n4e{1b%^1>3$ zSXr2rcUyy{Pktk0-tu)9|7|{vXjL#IMy_ zuto7)U$EzJ^_!&a?I770c2ffU)8IzLDuDJr9EBG8f2|6zI9{N-LyO_?twUTp(c&D5 zwE0kn={?j$2}06W9SvT2;!9X`_JE2k`B-XwwkM->#h!OY7P;zHPrW|hBR+O-a~V95 zPhy(;;CB?DgxI&Q(e-D2$g{*Y&Xb|yK%2c^Fcv_mNQ)yZ0nmty0GF4S^&p(KSd$sA zC*sz}et(XY;f=bFpXy~=%j#q&x0d|N&A6%h&r}whK#O}vFSDTW3kPDlCDFe#7B1pg z%EIEJ-VAj<Kl5ujP5T>%v zFUvgn5SKAY*kSrBM*1UEf`q+J7l=}P6BMj)DkIfHxrueZ4w1n4accI|=3pRh&F`jX znENqMXRtrqvPU*Y2!ML*HY?iif`TthT^hOM#~LPu0tXP!Rgm;ir?oa|$E1XCuq6mH z_Lh#eu`tyD_#-0~T`$O1NF|S@!~%6h1}G3dcF8nBk~kEhkkf{fOAgya_;P13EoRFq zb1G8dZW96+L_duk8qh#IB^n6BT5#DtE5dM1Z>l$oJjOY=z}-}k2oHYqtO<%KC4F)u z3fkmj+JzVm?l&eZX}9~_4URbi!MGIK^caI*vl7z#zi&B)E-#`sPU~At*M;*)USs3q*SE5;zYjuKq{UQVugU{Gc0SV~6)cP{ zj;pRlW??X&OA*PhJrg|S&%ma$WWJU;412R%M=R}=7`ZEsFIMUL&*!X9N7aQ@$qvTA 
zrw|RLF*%*CJ$54?RV^uRMf-YCV{|6>3=9-K>L4gV_r#gocp3mgf0;qP>uZFETW@-v zQ4?&tn>cWW$ktDyNzw@teQIOo%Nw*54{^4DOBF0r%IN(R>Y1JFfQA zA8%NMQ*rymwF*=x6@Z^%x8;z-VWP<$unpu>^>oV)hxSAo2>EK13T zrW`B1J}Hh-mU(hn;}B7@qx~%#(v3&&W@l#P1qZiSnTo9Mx+SN9*lg1tT=lL8!&(Cz zT|Qpy)V3P~aZS(jTA;%cj4DU0O))2_!H9JQ5{p>d!Q*3yf^!-5{(xyYS&936k&5>x z#_;U;-d;sY%TVOM3th|9BB+!cYMZByeyJ2jax@zz02!fM|3%j)=;L;d;DF4&;qX1K z>n8Sn{ktPru%PW`{cg%ZaE2_Z-mIU&d-?%}Jv5(ew1W__JF+cpUpBz#car_Svb{@= zhIwmUCi(tq6*_x3CL49|F7D~~O8BrgR(cXDz8pS_*?}|72Hc$WE1Qr{eoQ(mj^#IG z*c5Wv!fxnr+OY1OTUwrvzl!N!PZjs!0fN1iI}I7}T|!QJ<+4`JmDxnnpvWFh*jILKZcCY#+wi|RP^Y|tf=4R5Fl{qA|YdEa(5E|RV1@ZZJ?O4n6 ze7T>{OECkrMlBr(L_cHybdLZTX;K`dF9L6P!UT1SX+t1x4-5Dmjjj09!2BoKeWR;T zOTTEKL5is^?cJ4;s61)G-M?R2qaaCzeJFMTUh>H6YUS}7b>Wshs)Jg>8kEvtyE_K^ zCwr^08GxyLgwUFDMX>`Y@Om-Uezhd|E9=r=APFhU%P%SVyUR40nf$u@Tg|JNI~TYS z^2+_Kw`|g+WM?{` zw^I9|{$C`clndPMBNN34F+c1?PuaTtM0w}E->2WUGeNIA%FwC6gxs3QoO;K_u78~z z_}~8;TT%6f&7}s#RVZ!?7_ zSP~~c^=K^kqh{Gyz|$7@Mif=HISjAGBU`FO_w_!WPl?*t?B8=Mk^J;i@+5IL13}jH zeel!`vG@et=5zie(4b8r^sE{d3Gt%&?xKERix13gCb-*cmVNwl3W@`BOE;NHB=D^S z-Z5n9rOa-U(0Q5ZRb2gezMp#q8>gDYxN70#v>WL zI5qK8LKWQZAU%aU{ z8(>*uyd)9xycb&A(Czeb0bkX0=nlz3&m#61;+DVSN_7Sb^j_A^aD%_*i(9FR_>6qH z?WPc}9BcXvr%*@#ZB$ZUKGhXlarzl3e#6}@9Ma81_HshWR@9_R27fRtJudNv(&B-y zWe<;72Dg*slPLh?Ng@Fq4bR*;Tv5r@q)PeXq9SsE1_wSMjble(n{=;@ivBf}I3n zW*i>A>+IzFG41Onu=98?gExkqQ(k1*ujPt4ugHI16sr;RWHY-8LxDU@*l#y@+b#s; z?I^m%A_5D%88~3>BNn?r>d_JpF6*flE_OOMZFdl*$6p zgYod9Sm&10Y#So|XoGz{vVkkd9y6YF8EZX1v$K&n8~;(;Q&EJVS)VWF+c|~dQ1xQ5 z;Gb!@Pm;tahHLv13$^R+#+OC3AOD30=4zeV<)C{+KWGvFGSS-`NW3?km&$nE`+eUl zqtjMK@yeI#?Wf9SmSC%xN!g5KBhuV)OBj;n<(4fxhAdHtaLU~LT>8^xM$FOOd~Xxx zNeo_kX{_D2?smbbqs!XbZ;1hyGqYYaq;sJ{4WRcwP{Nk;SJjF}93mKkFWAHpH^a*R zW+T@pP@7lYTR0oVL9ehfIv-ozLgPHHk^2S?i48h>I(y$;FkSLK(5ZtZ*GVZtq`^Hz z{>C>?ZRRBgEFIlm2iXPhN4WVCr|V_! 
zeF3ZHQuR1HLhAM3=ovd*o*r3?Q}z8U?Vqg40)F{ilf6{b+xW6b=>N6sWJetnIWQ09 zh)?^+=Kwb7c+)diQEFbH)BhEC zf6+PgsV0BJ;FB7bp|JslPRNO;Xj2V*#Q4YWQ~le5XUbxd{-}>y-QgPwHN+EUb7N`z zov4lQhGxD_TGvC{ioHCd4GTtw^@t|$N&(RDWiE=Ug@#R+YDSBexTUBq&BgCuX`Jje6jzsn5sxRK6> z(|1A=XyL8hwmBJlED0ZH*q_%ungkl`L9+zuY3KQ6^Ew(Is0PCK1xWr;?pi8a2V_>U&1XCDq-2Jt$`6Y3`+-cg|zZ@@tYWYH&<}a$TA`P{!`C*H@84y1_Tt1m@ ztXyMIOYicQ=y4lH-KV|J-|*`2$UNMuML{L(b6sa@&k6YK9MB#B?DO8~ ztd?&HIQ8j1yL_cJK@&uS>{vUoKvoKXZg0Q)E`gj{uW)=qE4n|s4Q$V-h;HwgTjNQd zr(#w-F^WBLkW{%jsnPsU!P~5rbrzYR<+dUG@Ev=w#?Fn6dXW?q@OugYaNkbm)rya{_# zWsMba`q-oi%f-xPx|Ug}Sa2$HtlPwbm!U|>vL@pPf{iPFVc}UBmO};%{dFapt9fm1 zkDbevMbHk;^H!mzu;Vo#U^FVKe(?IhSc^NT4TIiJ>)|Y-%0t}SU14i}0zFzOHj&X8 zBh6-MEv>Efpl#}xGDH~Hpb8joAiePl${ugCvdq9!jr|s|VEyM@?o_+wm!$%_8#eM~6=6#hp zve`Y9-{>9SKHuoK;(cuV;pn1{qTw?^I^cK!@iV?mR&WqfI0($aF~}R`|NRn6(P3;L z&*1gCAO@o_naoZ`C3P?U}SRjNNtYPp9-Bi^|E+E=s)1vQCrv7V(i1$My)af4ioNQg?5P z+@G-4(9&8^MsMaE{`4PtlZ3eh8324dy`t+6fQ!)eUhAgW(q*dPh&Fc(ceW5{&r3r{ z0Wi1T2hM+fSX3EsxWC)XPrv);M{#n{Clh;+>$T3UQ$()U?wpFEZJ%rj8Jh;WnzUyt z4)XF}!5Cg3RnSi|qo2@c)Ddr|NyoCmr8+vpA>0*DS-7t{d1u5vJr5KT->TPMS9Af^ zx+>m~UY$jc`}0AX#N6CQ#v?@k@F}><6GxtZ+W$qnK+gunM0)PGD9GRaXe;t?Sm2Jm zImDT(SjPhWjEYjLd8-P%NdeXxfnKiP;*(k~p4t^!*c-0~`-r~%6^(hz=TV1SUyiyz z8!!N1oT1fyJvjcO_T`90QrfV#>g!cLmc?3EbAn;Xx#dQC z>SKt{@~LMD2cW}-Bc(}+lM^MG3U0r?EWy8d}>R%nk^sd*W{b_2Z z0pgBCxG6K~DJzK!@^$%$PZMEQtV_MQK(|X>8I8xF zD2b$S=B!53PE=k?kS(eO3aH_%Mn1?KFBU{N-!L0DySNQN^_xCbXanD3)fdi zHKT?9*=`yrM zz(FU`C1+pA*%Pczo7d*oYutT?iP{H+1}Kf2CQ;{wH<}e%4quT%m)UOXt(a{wqw?G4 zsr-&yeqE579biBQa3Mc?=3AD-cQqof4SbFrjm%L7^y|U=os1_Cg=-;Gd(ya03s_NA zIFZDCLd*-UOWiJwVc}2xvZVlS9z+8|a*tKrZOny;{fuy&275?%h0hKjf(nq`LZJfo0*Y1*==WvPMD||D zNE~Vok8+Qg-D5i`!|J5id&qU}$?#h;Md}gJuS3@(dFFv=E{K>WImC(5b`q%9V(gMr zs>nHKK*Ux+yw2$#ES}7l`^v5^zqoltHp8kS9STO^TuY%BNQ2p2lpbP=ApYn`=HMO2 zvo2#ZIQaS&%6>zH5Hj0HTE-XBCfx@m&rd2O2oUT+*tH(3^eIcCWUff`iac`IH*uYx zl{!P-rK0$-_6TV6)x8Hih%0~Yb{0)ZUl?;R|A!eE>X0AnXM102sot(`|K>X{+pK@k 
zN|l`TRPAhaLMd;C?~@Hy(~oVF0TRLOR+!J8tdROy8)1-rtguMBE;}nkS>h6`tUYDT zPFO8gT1kPJr2Y$w{hOxX7BbWw1e?3LbWJ~USHq#8sH%Zc4OHlVHIFFUDnyoTGmoqh zRzmhm4$MPD_@b|*fT;dU~#u=`Nz(X|G9LW|KJT+B_DBE;XFxMMPQ!g zu@gfnAbc^At+EUd{sIb7&@5yg?PxwUN81=FOWCwj4_Jw_Wq6DP1o%8qk-A z;8b6BbkSTzRONDp@c?2U5*7Xt-Gjx#KXL$DFoS_G|G9WwU?mtIj< zhk78*r+f~sF#Kfa&P-%M(wbgk*nlxdB1gt=hKa-#C&W%r@)iK9MFJ_8Kyj8Z1P9Bi zVnOv`FXp!hBzuc5@j8_w;}0XMZL>H`FYztogo%McRbW=p^tbU){*VIEE?uUzi+uNQ z37A1IDXQN{(=#)?0MLCmrF`ccM1V<>|7Sp{35s@~y!9DWld4~b6!oRBCv#X$WU3n) zXc)}2s_#AjK`6g>R3;zwy#98o=iklJVzfxenDAQjDHIFEEdDlZ#_r2 zghsSerFsvOA?+Rp$Pp`yU3x2>gB5#KwKihJ;}0vGkY{mcb10|IoflOp8u)uu^%k%@ zk&#NpGyr6V9GDS^7qydnt6a^M5hKN3JKb7e+VXP6(DRe{#UC=hr;GE-Gg3HfK$lf56=q@VaZr>u1oGE;>v{Xv4$kziNPwtTM54rR z#bfcdtNabkZ*&a1P`65<;>N%$bfIGblimIPDrpB`H2}&?&H|_r4P}B_AKb_4Lo?Jq zzBXu7s*}nJ(4Uj7K_F80t!Oj-E%{f+Y7x<_yvsrkS7Sfnt2h*b2?UWJgGL)=i%Qn@1E;9*2@ubxTCXoHU)$~ZJvhzJbIQ0_q9eoA$rxPfHAe#xQ59 zA9jl3RYnag^*>!cXkt2giPt}pn+JyA#t8WY9JX2SfCm{d8UuKAI#lkb8gD6q15%}DpuP{ znryfFDMr%gMzii5Z-THx@0~txb!IU=fDh$nxRbVwGn52kA!Sa7+2A2m$;_YIGswo| zciJz9PUsqMd~PI-%P@5GtGWy6IRD>2noVssYpuyQOEh%m_s=zU<#woq;%9(YJ*qgK zOlArGN!LYx3Q>lsTLc`o5Kgsw+^e6;LCdVVsGo$sobvPFA-K>I>i#gv(Y_w-;816J z0988|jlUrHW6b;A0(d>HRq0ja?;9w83;r2n0WdBB=x@nLXD#ef;^Zxe(4kx$IBBb< ziV|{K8rk_q=>4mjYG?D*%;j4fYurFR|AT0ek>AneVJ*reuOdcE;!Z5Qg%cY#B7&8s zJ@FI{K~X=E--7=zQl}Ln)kvx{mC~RV$mB}M+;^rG&>CrjhbryHk-WWQ@=1*%Q?+wKn<92VSzsPHgX~_F$9T=2 ze;t(|ZhpqQT!^_GKMGY1Y zQkqOFYZidih(v*3tOcNOQ%X)aM_$gO+OW*Sn1n?C1loCwv*8#7MJO~uhi--R(tGG# zhTc{}N!smQ(j6elNFp6v>a@}^rWND40ycKFoZ3ai;Ii@D<9F-m1QC7j1DlF3`QEGV zW@%_&Uo;q{$bJnF%Wlw5k8^7w3}<#Rp%3+Je=JNMixD4=j$}Uj1pkEe(Vw*5DMWe^ zFpU^1iYHb=G#Xisj8o$*9>{*>*_rscegE&e@fH9+GSUK=xp}1_{+^*TzVGhmsma6l zV*s})=@`N?0GZF$V`Xg0W_rjSLRrt!B_Su?Q)rnOT%mu3d&~<$$L^A~qB(~7gU3Ws z*gSR!*p2+?#qN)#%e>x7@__AGnX(TShc9Wk@z_)Q?eT41j=x&3C|J9hoAZ+Fs@;Ilu5E01ny#lcH zSQO`aE+2^wh}hF~vzn;3lLutQ&rf(!7T|XDeek!C#3D;4N|Y)bl;J6is@~HmOwBjx 
zNah)`&)gzsu!Cgzo%?je~s`GkRx1#g;)iBry~u&Xqa5M;>?qIo!rP2S?i!#R-dvNl7tf^&G)^oJ4BLgqVPE^RWL5sCP~aHx6l|Agqrm4#0wQtFoJs z+SD$;^rL67RKYk9=R>^Z@vDC&LOU~!jamD1x`8zTRDqbijhlrep_G3DXbtQ_y-)LL z87BfQ`_~v66IyFG^;rVgOR|&v(5;(B`p%xvP)*is7X(#WX-*+Rr~+x|+LsD5Z2LNe zx5=9OZTcEPdkF-fkOFaN+2iOqdNBRcqxOkyL1Y+gsda925%g88r7$%K*5S&r!bAY;R;#AO#5FPRhb zcyX;^mLid5sE6Z9F#=JVYaKT8c``({XC#fg>W8qanWg!49<&l4;*&SL6@;z@c&EZI z_o>^goFQ3_2*(O!v;6}1*TDqz<4{(1n9Hf(^a~ywnaq(@0L-A3O}~;=Bt)o@Wc567 zQwvWnxC;BMQIx3bAfWd=;`t-R4Bk9n(~W$p`MtV@rePu<^e|E}lWl3T?1yI@T=uVn z6jI3H{yZD4SYQL;Jm=sv=<@#Bc=$+wGV{Ad(IaHQ6(9tKDgB!ugzK_IkGoBPn_&Rz z3?lUTRSNc6cM0BVLu$>puc+D`+`H~nPJpd-^nf-2_|=OA@la)v-Kp(O0v>XK0^0gt zg3(9Bg$;m6-azdFK#dX(me8crz%5+Us&P3X|P^8-fjpNa8C(dlVgeu$~VFTIZU zspTZ_n4TTit2wK3Q)#Pc{vq${M|(;9UJ3t5=H5;J$;zkaGNcDQOU`tKWK8`)LvnGu zc|2ueWbfXia_NxzfV=$%We>uN(@Aunw$&DefC)}xIz0)R5-dTU(7^XFNUqpk3Vi0` zG*Tx2rPz5f!QHpPqSw*pZSHCVe z=``92Hl(MI;E#~tfBr(zO12Dr%DO}YwV=z}W!B}_m6m*PyZy-7-qeQJs(ESbLX49% z3sIX|UM~6ZEx)k-w`eVJ7L2OSn57li4f>lWr7}D;*tPg5C=pdz11xRa)B&*PUPfpDw%n9P+6|kSz)&!|em_^q9E>vZ&CPBW_HTYa~bwG9qSc4yQ z`_a(!lnKSF>)>`Q*{>tu3kq`b1+>6wiGZ~?eXUL|F@OgGS| ziOFxjkG;72^2|Nb5<@wbZ&*{Wf!wFi3bGF`!AJ=-j`BZ5675#GZ=7;Sd{{LJJ;Y4| z_9vQ0hsL@~;#IfD+fM(sW1PsCpRC0t=QavCCWY5cX+}&Z!X42IiXpB zos4y4OU5P2HfuaB^v?T3tb2vl79k>I1CQueJbif$3zA5()YGij^dDx56iQOA#;KEq z-1mnL7rfvNo!>P>BPGCmEA)P+{;db`5KiIkNvVdEs*sTP2%Q#ZsDEZ{`(LyvPj|m-a15=IQdU zAN5LkLv{{6)be`0oEPBID=Z<+HhmekB}AjwT#cC={LO^fq(H3`L-H=B^)1a~;s-%u$Bey+!9>R7<|Pk(_sglDQ)ovOU8U1{ zJrN68FcaAhp|dClWSHo)dkzqcOYrFwp`4GeRQHXa=fa8T_=UaD zK7vf2_|?~pe0+VJA027=!7=Nn6jRVDq@}W?!dHX+T0+@Yg^a+9owdZw_Isok!dYqw zS^;;K+6DkZi51{q?1CYH@Z1Iaf@eu~dWP##=64`E$b}|ETa~3crx1(}${pGx*1ZH(YGQseB-`E-s|E1f3gzoujG{(DQa$~>gSpcW6q1hd$H~oSx zYUZ;#(@F&YlqeFdFNE57@1$xU$-!=3eJxMIHYCgj zni26~H>iO`P4GuRictKGRF3a>#GL&?(_i0_vAG)PE!7JLo2N}{P7f(VB{^xyS?LpA zzTHoJhu+<0Z1Dpg3psQ0(;rX*0>qUwVU>^tS%|-(ANnGPOP|^;_^2;Lvn!8o!EVN0 zb+FZmQXrCy)gtpv;?Li|MWe#B2ogpUo>wLB@l30tK-)lptYfP0ncv;lhPPQs(UGaj 
z+f-3iw1!&+OHW{xDD`miq@fIe9d=d$dSW?}o)I=G3oB-4PrNYiJFs?u#Qd|zp zw;;}7z_fHsH6{CAln5n429Vx6j;x{O+|;>#yP0}+6IygawkumgJ{E;VMeJ)-RMZ6k zVh>Dw<_3PU>knfVm4z4qE2_876;SzVOC-(^0FWclCfodjIc?*bB2V+@&p&!1tmgr+ z2#}Xs{Q75Yc@%>32p~{Hp^FPGzq1Yy5 z>_sMvUm`?`rA+s*p_BNkTIEBui)Mv(P=c=EMlP?Zq*ktk-{cUk zB;xh!3Y$*&az#Zgi>>)xkkeCHIzQ=MG?+U3BQP>HrjQ}(sCSwdP7`J6A_uJLqw)yd zq+q=x8FT(R4+GOq_r{#dwo2abv#9>gyq-rVU znvS9ELgyw|BCD(%b>kADN&Lp7)=fr+G5kxEvIGmwZ_mB^ko7?6jUuNVk(@1cQCNXb zi?IBFeAl)$>JEPsd_K6~3;U`^Y?Sc^fzyqv*j^N(Vu}KxcpM?#G~%Q6KRn+^!~yKU z9g4!lQHW#wEM}3dC*CC8d79WJiw9d=<$Jcd6 z5x?-u)=-bL_9Nm7F^8O1%Oa0_2A;-xhtaEuU4sU-Q{oYp&f{s z#{E8)ag`B>M&_5?d!ce*=r;UI2G~l)s=?tID2egwriSR=2!-DZ943Ihk zX_?KZVlldfq{R_fL#i*rz|~8Y))Xh#Ks+LS27YWk?g>LES-u^SZ_%_h8CHDh;Rt;e$b_zSJ`@X_>}ENB zZy#cjN}}L47*sON2FpJa!NJssvQfFD4`r16W{(h7o4185FI-@qgk3>u)qTL&8B7zVKt6NAVmLvm7!in0?cD;ryuEw5?*=G!Xc8pngZ&=8aLH4;)e251U$ z!l;pjDT&ylc=0!tjo*E{wh5z?tk2Wr5uMi`0$3c<;t&&%IYZzC#weAc{+@-SB%Kb* zfWzM#JpyvFQzD~A6=18ANaUMus+zuCTGNOZg?9F*?9`ut!H77kPgBK^^f86mDFW} z!%t03i{R@;N>Nc!;y2%X+w$d?a~syIDc3lO^~EnJEKC@_#TH3@H`*w1#fs(4UwrXp zQ%Ok)2VDE3o&HdVmP5Q=ldW!40#vTFt%5Bh@Jp>g4FboM(adkoKaDw-;@53|gEoBQ z=YM^!21!Xt2}6bqNgOa>Kw>jqDwnTV*8J61Uo|z<$M#X6`1tSfpo;?hJ^1s|8Jc!C zlwi}%H%}Vae?W3xer^JG))U`vzx~!vRW`0P0r}zKM;ty>e0lLk_4qOsc^fi=dH6H0 z+u1)R7NZHIUvO|-$*qn5Q6ko5UJp|80gc^zQ?O}B(s$o|*EILb&l}6vR7x5rhd9d; zaRDB`cke!lTVeBxRIJ7EF@~&T4J%FwWSVyP3XS98BsHy>g6X>Se-YVFm@S4Du{b1XTHtw64lamuED=mu_7Z*2UjkKnU@^WT{$1pZOLjSJtO&a|E zEcFjnwIeApDKccp;H3W8YzB{p02@}Y95gpHG@|a2IojD@p=K#D=_vmvo^V1IM}5&K z^$qpG-|oI^EiT*ne^~z*KmUtlt?lpir|XkxTmLuXM}nq?#^8k)UZ}b4w!ccl-B5HLg$0F?VZ*mb?$c+Z#P3-@V>DVxF+LhIrPrL4@*StKDwQx+ zF(QSajM5*XS^o+Iktz+MR7i+V&Lqmp%1IblG$65O@7{^s3JMd-%1fj3=Pzvh?z?ZB zFm0+8KFFoNw?A*mq^Yq1cK%1rt+(D<&5@*-?$T|mt+q~KzNo(J0$(6b@(<%kMnuq^pbW)@#PDH4Go5O9!^g-#?TS7S&*de^^DpOp(YU5! 
zjp&R)D5=LlFaVtXeR}s!+G_OZl;qTu;FCEYH++MI-hZh6l1tLVKjZY@Y_rXhi;9Yp z3i9(JE3wY#!i8ToArCqFEW}4LD&h~BIzPWKVc4)OlG#r9e))=KtX-_Ji6#UdeUoACFHte|G-^(}Mhb+9zpa*f=XY8)dA#1!cV%8~ikJjmS{e zUkJag{d@N6nXnZ`J!fZSMLwGIapTutFS60!W?`T6Ce}LgpY6=e@$B4qdu8Z9ECcLn^>WbfMlK*PFEWsda?)CkMp zW}9xBTr_Y%QXWR_uU@sf`Kv`=HKAQ6|L&^%7Zw&qw%B3|yl3=HLMK4emtTI)a-q%u zlLo(W<H{KTikxr6-A&dN!| zPRI$pdi6*wC@4%UD=%waxL{$^x2S(w`1y&+<9Nj5)5gvcGB)q&-~8h>J83lQk&ima z6>4Ps{4c3-ty^P(OUM%0e3<1s+6j0^nb%lSQj8ZkQ6h~$6yWa}?T;vSvrZhj<*1ab ztjx&ApM28r^`b@1Du1BxbPy1a-uC!375*DPPmFYq(&HH?P&!bfw;LUG|4Qa9PUJ9DVM& z=WB1h{nlzc8=CIJ?2XY|jmEkm%s>hq<~J@|<8R!56k+1lh zd%8zr=WsM&*u%e5xw%#TTbl#bho6NM4 z?%mQ7rcN1A;L_@Gcl`}>E0%my-I$llj3y&YS_N@wDW(AHhz5DNsR{dy+bCnJ(FJM! z`)Ao4U&N`;}?y!^_~DwZv);X|JGGie}lT3TYleRuEN3;ikz zHZ;@UaR^x zy#80s`n>$@cZ%Iq9kZI_DHG@BC9`AJ^^Jld{$aFcQ+YW*-s%YPTc!3Hq)BCUXjD#_G9`P{p+iw_yoh%3 z?z`{S{rS&R)~sH=DqKuV6|<|Id2$si62^2o`|Pu`Cvd7F;>q*YK1b%wo7;Hw(MOk#AA#BS(!)#-RctonV!_?z*S?nrmiN;pH7t#bgyL$9l||ZBwqeVn%MSUcKW!oGp=0o>)m%x-+AX9Q|JPi8d-hab=Osea<%2ziTx#bTUv+jl$3lDUcwQ9?d$gX zpMBQZ*%MEgkR=^K@ZP(y^YPoPeZ+3`Z>@`^PrT>P0$%9K|e>}ubJ@u3@_#!e&L`Q>5F1|E(pRr@pG}o!0>WFya?!Q$%_`rj;%a(f#2nPm zCWc`ucG>df&C{o&ety^LX9oeOXt4i&`=?(qb4EVR8rHvv@ei--uD`B;3WbN`d;SF% zR6PFJW17xt5(iOiu#|AjF~?*uzcF1s1#1|ZbS@2rudlC*e)!Rc_2*5Qx~8~zby)w! 
zFrvZY#Y>v*zVoiC2Og50UAu@?A{gP9^&?*7$rVS)oKh+b7cS0mHIgtMbiBr2`}}vo z>-0Y&$YN|~gs|a7hxkVvaU`D0Q*(hG)~i>~nw2*kQ~Oh}E>O(=(cqrD?yj13&8%uv ztKt>v)?wC#v_uhM7)%Dk1$Bu9w z?ew2B=c8U}sdD=OFA=46HMP+x=lwZ%C^|GmZRup$ciw)d{?F%4sj%`!@dV7D$T3GB zopHj%3EA8wnZb&6B+Hk<56_=o0Y7x3*gCfVfc`~^lTSG%Yp-#r58*>?@mrdjgHONs zyy1rHP#?bg9-ikhe2VE{g8>5uBuqZ_)a<>+jzzu7dODO<*DdH!$4-b1*Is{J73+AW zRqFMqe~gyDAy4Vg5RY${AxZSoOD@gZ8*6)##;3D9j|Ow+&TTmM7}iZly$<{$bX=W+ z&0)swt#v|G9^&)Asihfueco{0_19NIFYN$Mo(`1YycSR^=^10e>-K-q@+X4P>f5Hw zm~nY-Z$00QIn7d5THXx*uEhIn`}gEd@Q*s`=*)>|&d7=AS>bKg-2=Q>K)!TD_Vg@USydAAQu(>1cnVT%i4| z!;qQ({8)JY`P0hZ^S-=}{2#mb*z_~cIxBl4bQaRD)ogU-AJ@^h(8j$N8&bXT#v65U zP|UC)vARTi9Z7epN?!XN zuwUxTD`pnZL0ajL^n7MqkLQJyHuaQ+}%f5eeTWN>;XgTBHC7QDxm z&boS5-pCOnQ<75f+D#xlf7tZC8|{*-uf7J)3%xfB-vk zp|vYerb$muQLUSZ>}7y|9rbbU49ZUP-}CqU$dY`;ovAzz3&*`V65AVSCssZ3&_gv# zA&*ZYq4)zzm{qr(;SVSpfH_%A338m@d`s_{7GOLW8(F=2b<5|Uf7Y<|*4Tv{jCcR_ zZ_?1wS0(904Km2;U>PFZ+`PO*Zs@@~*vTRJXx)lGLvW!qc8OnO7RI}9+{en_y6{7u zzkvNISPY*x8}?9V9jqjScxYdr;@-@Mi{g@6j?f813i8tQ_BVJ)b_zS{EG-EVg3UM2 zOJ4GAbyHS$vS`?i%eThT(gx-pifs^VIy5`^;DfDmiD|_e5qw%2D5_)xCZW$}?B0Dd zcip*r`Wa_^P+W>pfglGDmm9cz|rN*N9n;H|~%X&OUQk-tb`?#OJlt za0XFgFv3|xy6QlG#)Hfo$Yb-Y@XU-%I)G$mgZs|g?#v%FWDxw&d4@~Lhs1H?kIzoV zBBGaFda2EMGbSNEzp(LTeV1K#!S13E-GeLt@a+%hzJ2>7-hS)t-EO(%mP))RuXQML znKbUMOR3x;=s3w^`A^}&-;5TdA#<2y)%UBc%6H+Tw%ju1#g|@UgCUNKWA60#_``<} z$IB)+&o%*8tr9QUfB3KwN!MQcmxA7X@RB55h#td_z)`uL!jpf0GWo2t&o2MyqYpK_ zPwv`*{ZrA&XKW(DZ+^2!>V8d)O z#{)m-$Rm!(^7iLwpYx`kSK)|o(xC(#3Bg^B!4fVTnh6(?ps=uj<^hDlon+$5AIX=Q znMQ$d7Y(|1>z;V~?RORo*<>(Y_}b(@QXD`2_^hMVKM@hVr zJmavFSn?;BI(2H!k?1I=lQ8zXZ@z1qGG%ILXW}niw!DcW?^t8NzXNn=MDaDyvorlc z*stG4$>IaM;p;RyhQyOWq5aumg>~f$3kve}Mr&q=CvbWqrGv59`L`uTQvPO--=y-z zjiHGAar!G0WB6nQRs!-&3kvcgR{nel&J+xKKv2G@#6^gK|4}&A+XAC`(CE+a)yvi_ z@dOeYKP;CjUr+wM``Kszq5Q)SKjicUuM|BEcM8D|&vwxM3>bg>@mX9nSxp{Hp}qa~ zJ2aXPRAzsq;l-C2(T4J-`h7IMg7@svBVkoBc0lgH|1-0*B0KD`JsPKGe~wmmwh{Qs z@4s)Jb>&snP9QHJo-+`afe67!fmZnK{0~ON!L&Mx1{EcvGYwzc_}z*!lZoNyW5mui 
zv#!a%uHW@*ZoBPPb<%kKky!Zo1qBH+uDC33=bd-af^lT62wG6ASU>koyz|aG3U9pe z=IUE+xw#4iq5q|4U>c250JaT2L!6ytRk@B+J_DmkAOr4V2kO#<)6X~~SNP%u0vRPn z#s#Z)+;PXWzyJO3Dd(K?hw}H{dk-Bf%2NJFl9emJZ@zNYtSSRnoIo_t+2IodM~rdo zex3G@*WVbl#wP@<=h(;a34uEcFvaxzV?E#wvg;H-Gc%J}B9rok_Rc$RFBpVHz`cz_ z`-A4V@#C|TQc@D|>|GPDrpG_g6 z{LoOyi-y#XP&m2|epqnhO*d8Fa`RuYWJ~+@PcPMn_jW75nnu#wl#*4ID-f8Sf1^fP zeTa^}PzHd6_V3ZNd%^<`+~1ue3oTe8m<1#t_@G|J$Ey^qx9ICti>F}z%4N5urlrCF z$Hm9!9O9cTL2LTU%q-8D85!Y6BFQB#d@dKVEp7hM1%9s{J+Y8GpBIIwhuQu@qBi-T zl#mo`iFVQ+zu7$A4{elao=Orbf-^=Nu z6F3(Z<|kfq=_UDbAH#qkf!pEp`FA-wX?ERZmo$nS+CMJ;(Xo|yC)$}expt;8lil@$ zonMuX_-rR$J?pB%loWhm^XemM$!8*8cVO-+qVfQ#abUUou9E;u#GMU}yMW1UPy4_@P}mkuWS$6q=}b zfls{Sjyt>Ebn{J>f4%vZwG<}QKXf;)>y?{u@kJNq?Xl;c=q#ot9ppbyciM5MRPr1* zZft$L|8f1WGfqDv$LACEYTN!!$45+VAoj$QPj*NBT=Cv}@1uOtGwjGnRlN_XJU*SN zb^XH_=3#vKx95e$AVHY_e12Vi1?vsk$I?*y`1TKVKSKr4JlKz7V_S~kef z&rM9{yO^Qi>|$_*5vy!Rb%~#$_c(*;-lKa0pBLN=OftvY9}*pZ{P=8qOxAmx$EP6i z`R_!gYlZe-U;VMpTm$QUDnEMk*2z6k5AprQ>FrO_KO3X3cOWe_hn#c2oTqmukN^G3 z?^|Zgx|+{-gEy1PrI^O@pBFs5xx+gjV1}_^|110-s{hKBE1NLVj!THaFa}5?ne7b5 zPu&H0hxi-!-IxQ6AUo0V-nw#Sb7%HnxeC*H-O;TFJO0IzKT3;p`|>ZtI7(4@QqM`} zAEp0#;X9bl^moxe3BQ#l8}Np`Nwm4;wB<^9i?<3_l&=tAL4!NjtK?m(uhnvu+rW=j~6$ zO?9T{blzmjlQDbtQpkft$)nLj4jz!b+0finS&KOqufJ3>k=xoo&Pvk4abyZ{CVf1< zG_~gnNIaELtzKg?mxzeQ#@VVv{XGw}qPq+6kzUN1G!G5@ygYQCAa=q01&zy=Eo~|q zFd%8*Aa?u#7L9hY=Ycef(kl>XpSU?BLsa z>#b9{h$%;JoQ4euFtV-DeX(bf$RbQ>cmr$1AvLgIIsD&cr=7J%0r8h$TH>;0D>!sn z5LANtFIYIABW8ltcqzw-!6tppK;q%}n)Tw#=;$LuX1ra9J?<6i{U6gzp(BH$L3u@m zra&qY_{^L+Bd<56l~I4HRB}po;p2SOtSj^O++)w;rY7sp zC#oT}!Vl38J@im?6ycW2Vx;8v=pd-7u5Q_=Pv4|WOebKwh_U#I<-bB&If+aGg2=^} zT#|Fh!G~nZcG z`0@THuF?SOjlzEl@RA5|7c5vv|7kA5l)OO$2dNW_Ob>=^*I$3b+RDmG*V`rC0yYLN zx)_~&?A>=#e)HY8jq|>o*TiW)9LbW5olE7d=#}RNq%E!i29>10JA3^?73`vw{kPy>O~%cef8Cs>vlq8 znCuJl^Ab-v>6GjnZn_~{Yn1rM9(!Cy-@Y58jx;;I`r50p7g7ef{J-eJ3vw|93!m0a ze{@DSzxCFeb(K|>uwVCtq5%VwHrsqNb+R%)l{BUeu8bKNhM`^RFX$M)B?6DQ{Kx3Q zMt(sg71<9QSd@qNo*y88@#RF~@XWKbN$2g#Gh-0vFL;I2e%nk& 
zT8PLx^gpJzSYFXoK`J|IAPE}8nA-YXW510zO5PkDr6fcHGdT0CGjiX0>y1V%wV=+> zc>GzYpV_GPEIDEhqfqKmZ#MVo-8X5QZBRc$Cg>iSJb7~V#~;tBw~>7+BauZ|q5$i6 zVxu0QfeB85UP|R@sB174Z29tKHX7a+NyKqo8HyjLjQJ+*fe8L#8d%fPrAwQ>|9(Yt z8rH!XIecVlzyAFaS^n_BA>pQ*ZYtPqw_mNQszTpsoc~#B4;HgO?JPYVQd@inO9@1V zUoRikQW(x&WZt*Re^8LK{qMs6WF&Dj|Fg<17TOiQl0koVyz!6uKcCO#70a9Y_v@cL zc<^9rGeVL>4?Q^J#v5;_cJ(TCkPqr!i)0o@dTjc7zvhq^G);o1qbTD9NY&kg>XPSH}{BX|4@+{y1DFN#8i*jO}e9>Ul>f)w1 z-*~g3y1J?vAFq-I4jz=q(e|`Ip3y9S6#NI~zwl`?%LF?MUx97>@AJ<;*K-+waGZqb zfB^%N3(z)WPN019myGOxC;oTAg%{=)paV^EgMRg@mCbLy`DQ)WChgg?XJkN8Q8K5M zf{9?9NTF>gm!w53uHy6m2kX!F(*@^G&*x}uGULx8OxH!7(!fsLVOtDKwN5@n5J@NX zCzF^-Li|}*U!6N<+wIWFM@B(VS63T+Gzaa>RmIJHH|m?X4cnOk9+PZmPCnJQGh2=3 zw4_wSR8%J)?zoxMcgvPF7WFSm-gMKU_&S6^2jFww)Tw!#;qmRa-!(&$&h%%tNZi8? zIUMBz-1!F{oSIivT@~$%T{cxNBmi48rUiZ@YCrQslgoiRmW%g4Xe=%*X~LBIWayQG zGNI1v(@s4-=i@n_HoW`p+tiCG2<%b@5snDm{WrVggN}1l;C=Pgf+kMoqg0rRn~3@Y zO)A(4{^X<}6VF4oq3q=G4VI8uw)DHE6)RRYXJn*DMxbrouU|jaKZV^25^uWs#)92; z{q-v7s1#)M)uKh#o`(o*Gck;vbf!8smBF-eJTEZE%KB{>&)k^*)dJ1-akmU(k_ew) z+ikZ4>|^a8jF^mmH0PuGRjXIo`^D&OxL|9Lh-dd{r%twfw^Q{VU-&|5!+nk%5k}z~= z4!)?8H%v<2pxteko*555w73#${V}DhK*)uX#PAhKwJb*Xl%gK{MW$o&D&t*Y)1`Rv z%4xt8Zz+2nrnTZalAgw4dNKV;J!b2|G<5V~6ap!2d{7gnL#`^WYf4GBsg%$*l3&2K z0AISz4hF?Eg5g;=?q1AdVKMzlUSHqLr8yu^BHt$|5z~W1Bp9o^MCTVPH#B{t%DzI2RD_j6YBAD8nbHwkDfc~&WdRl~2Js)}aVSX*c zVfdW-v;FpX2&=~^A(%UVZsWPGNAY~oY@xo8NUIB8NT)<+-j50_%{P4rmAAImZ*{>sfDn=ZiYqbBr{_p>4F1+x<%JT9u<}nLMUx$1vWv2jdnY_$KaCdd0u|S zjJyN(-#3FcVvca9%?aZtl$Ni-T2OZIEc}Naez^AFgAU2qeDlpxsQ<~Qo{~Lkt1VOB z!IW%_?2B+JlSU>ukisT@m%AjW%A z5W&ky5_j$WaxQoBq!N_l$LSwKwksfc{|k-IHB-1Qnxl=Ja>~h>lTSMxBLM*H8pK`U z@3YUo=>t)|WJ`#O-6b1OI%!fV){T;4Sy@>L82zjA#q!q&qiPR5SyXd6;nqKJmA0*Hv$ze(;qh=Zbez_S(m?wts#1N4S0gbL&+n*Hf06{zdCwBysKMykC!Fyv% z`=cE2hW@AQAce*1%3Zd?Hx?js^-oh{Q*hBG7gzip&t)>_tLW6}({q3SyCX7b|Maws z2&Si}J^b)P;b>KmMNc?kLJnS}0B8RH#A8paz2JiL@jyW$2!m&N+LbeB<|Xn23x$#} z6xXXn5$!;T^k-7mztROE#Q(qld#UF93(l{qz(+Dtv)zD^glSkl0?)51hLK@p_uYS! 
z#?EHqAXzXM%R~I>+&`A%W!sNpj-V3|Bdlf>;DeJIC)1`*Lp$LB`l0ZB{<9vXz{G#^ zt+!o$=mx$!O@^Yg=D1^z&%nBW@gqfCEF}%N7O|#AF_0Z$Cu2>c_)*uOiEfGxv7?VY zHghiP)t|NfB?qE$@L$H4|NZsWzplj}>na68rtH(u`Ofl>DR-dZQ-DY3{x=G1+%h@y z>8&^4sGD^1N#!kCk&T&#U_?MKJTH!+Ua*gz6T)X?+k-L!9_Iex?N3a#%uIBnMhSiI z{r6R0arqS(sY3~a;IP9FPn$md{Cuq6t$X5QS9(T;2l0Qi`|fGmjTwWX#n%2o{nPkI zYiIIfFX^K@?65-$rY)jh6dx>cOr1I{=fDH@FK*U!Kaq%#aXd%_yy(oCS5@9~&s{a3 zpl$iFBMZ+n)jvsS=Zv2)G4sOd)A5D7GyR!TZwW9I?H39D^{;=`U3B5aXfE3Nj&x|q zl78YzlQLbqPWHx?x1~&djxDHw-Is$Xqo>l_Yzf@ZUKidC2zNsZB z7i8t1WgTsC*v@5$8a!JKwk3ELxF`hrL2cH*5 z@Oc4MGw>ca4)1XfKm0KLoyvQmescM@cGUdFp+m8h1CFt1@1vv7)nyLNo%V(duKWed zm#=8TJ7A+lL7X-RWkj6nANW5CiiN11DfvU6VPellNi3RS7VJ-?b0J8hs~@F*g4!5J zPy1VYgVL*x1z!rvdk|pyJ=QEIh~Z#z zpLm6JhPioG{OVQg=wk-p7JsR!iP+pBDYEg#85)V9>|>6Crcdw8R7XjXH|7W3rG0<{i$!OPdeq@Rew6~;&!z|j^AfKZ=d<25paU@e*qC>IejI-Y_K4$!zE1#PEEed>0e=3zW9zXHTRVSSI7M8Q9!>W9eN_G&cew0l3;LS7tcu-whIy@LqR@T^j z`dJ^89CzHCE1!INX|+AtfK6WbE6CUSX}A%uV7FiQO3y?ddHa(e_Us6*zj1!WiId)1 zHDS`*E5l7mP&2pHADCVyTu4WfAdL2BETd!ijzNeY3h$_R&q$o`7aG7Z5i?%%(79`T zQW-fP*t4ISy%wD`?BoSjv)Fz!csmwb0 zD1_<%?mO?)&z!;OMX0n8G-%L}q%qr#(P&Yo6eKRdn}@@<8>&gyLZG4< zkFeefnutoY`DUA`Vc_vG^)X@eR-;m|XlimVtr0`}8$&L7?74sR(Z?K7MTp38#~qs` zW`Mycy(k{QrCi+G&A^6SB$mq*vK+5AQu(Kny`|PFMOEV82sfg*A(oBsUoyL_5bwKPaCiX zRv8v*ho`p12TACEVng1}61a!?h+!p-QLzJh%idmp-jbE~`KM;ju5q1wOvH%bnyY73 zSFeTtKny;v`u5$3LIT3<&yJXb4mwCLtfXJK;Hw5Sw$RDv921OQc;WdvG+NZT6Y4K9 zTjxK5Omq{O*A&8s;lha@hp!OhrBv=7Cs2ox*o-KNcD^?E08F*^_W$(LPa2TlC9ac? 
zX*`yoxeMsA#~xGme=ojR>-A@Y{>-z^&OPT3=jLFVJ35RcX7J`4uh$-N#1SQRZruRK zOEUHB-Xnq2aVQR{Uw-A)dTs^-`#T90%uNiMrkpor%~MZ4$&O|*{t5b{L#R9ElGU44}{-y#GP{=bwGrx&suEjKiTTtlwAT{eRf7;VJyeZ_)M(+Gw}JZV98e z-Ud5rF)YeWAiS*+62nI%q45**KQ&Mh!uk)NtK^08_@sCDj+eg!DOkVq>Z`T4-*y|z z0eMsA=xylqd;N{qY!oQU|8BeQmX0;BD0hf|&bjC0djErcnyDis;i5}t4=2Qxqjq1|8Sn8y33{u4#8CX~%H886 zUXHz;5U6NIA_RY}{okcw91lCAP%x3VKQ67(>>6LmJ@?s9J+<};JeNH_M;POySrvBd z!o_*g){5u>Ws@Y#X@1V^GT{NshXM;?7tA2t2+51vVK z{B^9q__^l~$sT;@;c9d&udz-(!zaX(Pd-_<&$xYx7k#ym9eql6?zw-+;U)dQ9Daxo zdu8b4bMb@?f_KnPm@#uEI;x=;f(BwF%C_5VtB>Be6;XGL0ME(hu8XG1E3dqQ`cTbc z;_#101Tzzw&YSY*$|s+EiXG7H^1nyV9tk;a2?*-{>Z`Bv0}L_n7t@~|9aE=FsQ@3@ zijm|GGRb4tVVV#h;nc#>w#OF-5*aUDIEJn8jk9^Ly%=|m-vi4Ia9v@g1J_qxeWf1H zqIUYvN7EoZTe>f_y?QzZ@&&?(`=Y|9$HqMmA#&=?rXSB9S`LAN;KSMWTlu zdSLCDXPjAHfsePimDogn@~Nk4@DZtm9U`(IBF{O8^)txu9}Av0n_jVz=j6xs^NblY zE4=;#F;jwTZ!!*t@rTcz`^R%p#t;DWa+K|a2`7|WCtqv-`vRlB(K%Pb^#mgQGHEL#KL58oe6LUuMsBbb>{&6y0o{z3iBcS>1Qj7%m7Mnju?Z2$3+o`_)8 zLWaut7`}-SD}S(0j(`56{oOKw&#$jpZ^X(U>y0aB%*0L;*8U%adSeXg4Uf-u<{<|k zsL}nz=QL4#Jhrdsk}n#djal;)-hn7EgUB6HI1weGt{E(XIDFh2wZ$0&d$u_vN7!hNqz*-jUt5;(_aM6|4>iWS|^{l(6u6e!SkY~rdq9g>W@*^>Q#5#yR^S} zuN$9YN!J&if1%cwzv07%u^pu$l+Ki@w9$@=VDz>|Xp;XwUwDD-C~s`fi$URmK#2?a zLsl-5xIPW9dFTv6$%K1cD0%q&BZWfDmP+LAJuij%9|S6zkqBdIyZ0X@VE?!e6r=%B zYy9uNU5ZgpOo~7J$IKC~#mWGZdwHU0e{KnUy*-@=u|UT5aXQwHOD`*L1U;$sU&8g^8g&+6 zvJsHQo_VYP%nM#df{#Bgub+0&oYHyoDjK<#9*+vF@%P|^iz|;l_Vtx3zOP}R$R)QZ zEHy))eSTRLMzwZg~CM6httR}Ja`0$~sAR7L(wg0sFdaK}5| zGXL+r``+r3QchuPk3akAXX?Jk6cW;L71hnR7-kijIZj9UPY8hlpL+6-M~IJWhEbNt zhws0SFG5C=ot+aIG-wbyCC&bS{?nhbv1Uy-?#MU|>#HdVvc5<6?g_nmV{vXT3Gq=hru0RHV6VLVa$Vf!9w9#M^Ur_&6LvHGv9nzg*5M;F%G56Z0SOq>e{FS5 z%Z=DLK>_RXf726A4PnR?Jg^IJ1XH#OxI2@_XNSi4@#9O;yQXsK^@l7%rC_|)9fjfH z?QhrkrF@}{Nl!YSU0REy$t=pw_ug|4{fD$yxD0plEP^?D5BH4WzaIKlbP&Xb6~4)E`Z1^5;QvUgNAF;d=ZZq`v{1|AUL&1_9T2 zyYYtWX=g2%Oz02Zf8W`eA1gb@=kOPdUII6t^RfI_Dp&q6Wt`L63E8Ur@xBJbsD1gP z$zuAuuftT9 
z`eVI1V)1CDKN|KL1xhxQZIhv!pguPIZasQL`t|FNGH1wl-+Rwm?6wGF0=kX~A_s9G7mr@F_B2C=4npops5a$FUyx ztlJzl65M^?z3hZwx)8qxoqP+_NlF+#hgq-cTDbi%T?^}7dGO!~?Cyt%I3Boz{*OQU zSPet{^AAB?>TkYiK3r3?w&jK!v~dS9$%Ufu2Y;qNC>4mQ!U^<4nw)-m&%Jk7bJtHM zP(a-C@0q8cu7w|Jv?-&94Ik$HQ2N)^*75@uqi{rnJ@)vGE2j$M5B^%?8zp7bpGazJ zuu@1|`)7|m_7ER|{K)#xu-6YCRHj5{<=dT@9 z7=g8bwXp}TTj{^P_)e#|v|ZyHz1hDXmhbTE*D>eOsi+rvNfxL7W1K}2A}~U2X^PL# zDA$ngw{ibu?|=8+1OF*yJ!bKCCV3Ej`st@@R<6VbKDcGb7F!JS9mPW6k5=(#B=Y}> zzdyk;pc;%ZibwwQ!#7EZnTkyf1`itSJJvd|zxg$pumk@38*k!>MHFP&fov#?@O8sG zsLA$cf9#6t%iq1MpQTs(=kM&1L-_@A*@e|-PEpv;lr-uv$1fEqFJ`qL-b4)^-^?4^xoNJFhGp=lTTzf(wJh>DbU zbg4hu5j7}Q`ocv3tV7y|sHm&NOZOKZq>*etFAEEK%a?AB&fYE(gLgro6k7xNfoEb|=e^lg%poRf{|YM|pw zH3zJ-lZsH{4XV+j3sUzT*Dqts5qVrK8&gE^gGkb|q^Sgx0V_(z;XgY1T(^d9>5WQ* zUnULlnf9TFzpiXR2Ol{g4ksPL*HUB>mBEMwoSKQaYk_wLw81PQ$TnHev=`n}eY6FAZ>S+chAn{TQbiw0yR zhxYf@ipzhfsO&%z#V-1~sxgDppaIRgi%x(rE}}1mTIuiX;Os!_EUXYnj9E(Q~RkHb1qmF{V*m6hDcEYkmg8;Yz!1 z5U)J+XU5|&-a^40@S9N?a7{pCXxZ)c$1trXBv6NWil&koPcqu5Utg@nWzs?|jOcim z)3b49ZsBn`A_eQwMRTx#FH4HGzbu^!I!((oO4%B}wfzz2${+DX?(`=n!-y{;v5yA7 z{q1kFD4Qk>A+n*dF~Ah=vif?sicIf7+u);96AL5XSvYtg*3*&|gJ2ETNcw*Ha(*R` z^ypgb|JPKAb+u^tZ7_Z5nP;Ev{@ioV z*M9K9`;AyD4@+Gs&wn=kfS!_?5Hc`iG0k+b)Gj5B=YH z8|w{)g(Q|O) zM(ix;M!j{O|5$9f`9rK*r}ad^a?ic?O2?w!>L8>Xv;(K~Qb!_k&9p^WJ5+MS;q%g! 
zcnR$NPmMsP1t*NQAPZW{G8$)Ix}PxE_#h1^-+b#$UkA0a|J!fBt0_=SP1$|NW$oENzFY01Lw%-o$WBE@b$ZmMRVHtXA z32x4`RCzthKVYag^Lah>kH@EFg(y(slM8;ua9#LZ2uw*p&X;jF#aeQZ1rF(7Qc}v7 zbnr&I#n-F44%IcP^>?|%j3(oXTO3Y-zATWx9 z$W6FLUJ&?>%7E*Vt}ZTVW+wnGF=ov6spzEdj*;Ir?|t||!{?uV*3`(xw)8dpj`F_> z&lBtzinaKR&vx65Nqy#-XS+T7+_QBbefU8=>eWWaho&Jvs=!0`*R8Ik86!K@zaxAx z!Vej{Lst$*!Q{zaJ9;$hKXc=*@vADU@Sd=$h0h-**nYe1Q=Wb1neNX&|9tIxAAHdG z1=i-p14Ft<@^#=-9_jWY^ydr^@BcK=yYIahw!f*f$N%J$Pa11$YPjPoJ^?F*RQ0$+ z_|X=&HgiV;E>|#N!iiZNK|>z`F=xi&m!ANmk!+0Mk}o1?)1jNPqnL;MU-Z1AP4Qmz z)|+qp9qMHX>PydiwLs&Lmdimvgtiysk9M1nc z%YS@~#>XzCrfxW)T;u>5LFT@o4ZvyI$bXFcMi@U3VF4%kK~^UBSu^`=vI+Deuq$)} ziw0uA2(z3Nn4yCYH|xSza+8$O>Iy#!&PM%w^ifAFO*q0(Iaz z{nJvlUt^d4Z=ynWb9mlTlWoD8mOD*d6o+yS(;^&Hf%BXY{Ar)6)q z9hbo{P~!1m{X>iKJ}o0X;o?g!%9puhMT=+on}*$~pLpU44XR+2J9LE~Ffq3@ZmsQ) zxYqi+`ey^$-^;r}&zRTgj7(VCSSMLt`K>HB<7w(`ehxbNP|TQYho*CJLdGwZ$(l#r)pT zXYi6-k7f(@sP*~_&*RIV2qiSi2mpDmLLw+o1d#ZWT%<94iWqNyMANA~H=fJO8e~9{ z;)r6DV$??D0}lEpq2JLR!Y?eu{At0Em*Fp4R-=c6#B=(uSXtXVpeQ>zUVp*^JWc{4 z>c1fFy>}6JAmt$}oZMOWx{lYM5+HRPjaYZC|2pu2t4222mg1!WL-J#yIGKo#g>N|! 
z6J(J9Q-WII4;(NMTU7DGIDHKVc(5~umpE`{hRB5}JQ4YyPKe!%@lr;Ks&pEhtxBsq*2F(QRikvRmKyH|l7IAD#6jLd{l_#%Quz#B#mAAuH% z@B)k=X~g=Fph5@KM%W-B4uAD(em(9Oe|5AwsMKLeTI zPVYAQBd&w|hn2{~WVSME_UF!uhaGZQ#sd%B@27cn>3_iWT!hcBmzIlOBnn5FWPgfD zahrs^vk*Pn_hkOmD)!he7J^Fi6Jgk`$75N zTL0GgWJU{st+N&50na)_emHrVmQ`Hgxrvw9Sca+Y5pTgEB!g;Njj66ROOwH5Fd94QYhc-fMoSw z4MxV+)oMt+qoqD(|H`V0pbi_9=pzj5kHy>BNFZ3`SY?pQr}p`;GQ$2DS2>bYEIdAwy3`?S3U=b86EiVIEemCUlGp(uLo{AM z7hnIQX96_q@;{K6z&PpJnnq^kR``s@(WU(@K9mTz>xVDKl!QhU0`*V;{lR1-Q78CX zg`H-E{>8PJvLPF^?$mrSDpRc5(!8nOJI`;>>w?9dXi5pGll(72eI)_t4J5?#Kik>~A)x$Eb|Qi4&-~}k z@Zue(|LwQmR(;-iQ**uk1F<>DX_HUSIStIY)-V>>Z$O7j-6M}YR8wBAMdu9%jEol` zaLK9f*g-v4H_)F`JT#jyvwG#4-+8QboKl1$t2OsgoxspN523^D#Pq;rzyz zU!r{;fnMbZC1J<-j502*{jV#0&@)M7BXsmBJ*7ne>hf0YZ{sW5L`#axTKe_N6g>sv zLH+qV0MAhjhyX`5QlNP>KxeSJLEs`0*Z#Ef=CA~aA9UJ~6+&?UQ1!6bMgz<_N4v!@ zRoYtr(&CbM(x7i|PLJ0i-M}o&f8RODGP@k>wt~QDK;f(x;xob>(IRY&A-6_=${(oI zerC3VSC}P~U#=I^AMIz>C!zn*MwZ6FzvJd1>%e!iP_{U*XfSEgq^yY(CTfja<37!K zZQ$P|>qeI6#TCL(3Wl*L!NNgMQc~YEWKe*uRxEgn&GNO7Kb!Pe>#eb3O=AmoOVbP7 zmRmB;xg|WH1nb>_69XcnF%t05gZrzKPYyy1SIO~`2g@A)DS>$q<-qzynj$8~PGI_x zmJL$YyTG*=eFrW|&UCnRF}f25ew=2ILQg8ORUGkcEh$`hDkcCIuRkMjxI_+1seO%R zVSMgI`H+VQF@Z$rIa{#t5>u-;9KF*Y`+Nuy#KH_;ZCGC*m3nOA@VQQ+NQuwl418>e zWfb-+{0z*#Zfk#N>Sc;q$EPc9UH9yWo%S8z=?k)=6u1S3U+0utF9bbNlX;`dz1 zs~tWfWB#vrM;^mRsMk!koAb$>hFx7p-!N^m5kz*{c_*xe20~Go@Vo4?YbrbXhK(3u zQymch$)}&-fg>AZDncQu-xxj@k9Tp73+2%fSyNF3B@xW*L!!ch0^cAc0cGZ|sX{q$ zOaI3%!oGz`o(jc}(T8BpCwwA`M;I|AH9dr1lnnnItb>Hn2n~EeAx9j>&*S4>ti;74 znNo!M7AoeO}ySS=Qui6G?pX52*-)TM&D(!fOP19=eLp|5z%+|HB{tkoy7r zX90F>>j)ns))L0;vyawK2H1pU4R^rXax^#Fhz7gvx@-D? 
z0sX7K!A_(`XEHtT;Dc)ulanH6Ogy!WSoS_7z@vc#))Un z`UyLsqYg3uv&atcp$6+80D8In*^A(T2q8)K+jrmeGtW3n%P08!hfsLYFK#Kp%XJg3 z*%%pw&Y^5qKX8pDK*Wm}<8PcjE(LON%o<7VVTA9Ph$#L#)YVcuuyyE9{%!H&^9P3X zKyWD5k>1Wem@?|R6+S|kMHo_MaT2tR{*3YV=k(5ybr8ws8f`){=2$0H*rbWqnb#Oa zCCkz!qtS52Y{&Y$`j-YpM<021t-lk3yQdS2BJs>M!nhuu!f;O$@;X!kF_eeTi-j0< zXpu4fA9&!wnxv$Z;Plf^%Spp#B+6-K6|T78{uWpp3L}wHes}oqvQC|RY8f^t;)r1$ zt@OvnSv4GGe%j>Ia?t6__aGAx=Va8k+=-Kazx&;9GfzGB)bcN_UiD&&pM;MS-Em+X z52N)~YJ=}|HpzThvvl$H4^vqq-SIR!&pA%=AaXxG_VIaf`sB&5Pa3n!9>h3HuPuhB zV7FW7^*d~!bXwWx*a!(Kcpl^&kFWHIcH*uZ-$V-n?#eFZ9KKsjo>}38!|Up`m3V`R za$N)+24*s0YPxlZIsfBE9Ne@Ijc&LIzu`hQ1rqjO}759YbUmsFFul% zv-{TeXTqL6d${yGX>@)Ao)x%cuP?tDcb@;)`PV+SBV~R8HuoV2et5>HSK3C`ZSk?= zHV4mQ00ZK!MsS2?d6$gId4%@Ybr!wUSFN(StUajf7Y)9#XE2r|J z9z!U+3+$hH<{2%6B?Y|xUEphkvuO+t_Ua{Ome$Kb^>}!7y(_Pu{ky;qd5S%{zBQr` zu+W9|js=Im?eIYu9CzIDrDvXTM%MAiAD@k~9hQHe16YHy@eX{tm;nx)#nl64-Nhpa$20(LRiXyz^cC^@gC zfVUTJEY3-!oAu9sWQfDvacJMGvL1wkATfh%%=y%EREVN|fwj=fSNc{IaD*Rw1}9z?ex11R2QO_ZR9p$^hXj%5))* zkQG&v{`e&^{*=ZPb`29!E0!0=#Qo~!MBJ1LKk_UxA_aIU0Ua3!L%;|zgv8mZIKwww zQIG%^7OqrIe`u!|vJrElk&j~m8z~{ z1QflPk`1{kHA4ugFa;|m0x6FKcF~4!B#g0mONU>E;OJ6+aTHyL_(W#sB_*>V9^~i6 zi^Jz7r2?IaPGq~phyyfgTqyLPeER9-E0$vo0){!^B&Pdu7GVNFQ9!!_xuop?-`E?3 zOQ%!{X{$dv@9O1;kazIlLCI+3MzIrFD%C8;G@TmkDApfq1?{l?c4^lpBvfy<*=Cw^ zz^=%TKKjT{D?wSqNQ#(jL5{s}c8HJ04jX`B0pm_*x|c>WPH2CIi!Xk$yO~`ZU1$1R zfpPYc0M1B!g}m#|d#V>NUet8yrI+ThfMfl#$TfetHt&#w4=Sm(t=vs!q;CU&TZ%<5 zkWl=^B|juH6a(b#wiUieNC-7ZMb9CD9yG=WQB11TJSoean;ET=6BQ%)iia$w^7<6tcj_AH^C(Y@B)k zLKsT);m01S-fFAS1txqX7&2sN5<2>9StVeWiB=iDQ;%nYHEQmHyP+>2Dmol_a;cbwc9QkefYtgx>c)Ip;v@YBXe=5 zFBL~p%G*YN_W+ULdQnkYZ&^{}C$v8sw4P@+N8yR7LU2g{LYV!r>;RUXz(7QVV!g+( z{^68w()sd-jT6eOekLD5w#7Hb7U^{$Ul9vZ3?V1f$k^;eKfj5m4NhGM|v zcFju=#W^@`Wjn7~o9G|m{|+B~DKXh&^D_-3m;GrmhPe#JRmb=(Y>gqk1Sd}(UP^Jb z5Zd3@zc%zpbohy&(-iC9NenXJCS!$(WvEv>(jOffSk}L7X8N?4x)_s%Z4?yYJ#ACAIjlm%7u= zJEx5pIU;#L{{cz<`A_|Opo4M74D6JCzyZa4(`lza_+VGawOG8q_E)>2Ufp?@)L|I4 
zJ8%H_5XhmjLuMxG)&2LwPM$3)UM^Y&l1!eK_J@Q%E$K+~{IhNHW=9TSG%U|yyMQPBS(%%>0jjZqI^ipogA;gj`j!ahn5i+o8jbfb?@%p3ef-@s5bj_MdW_;)R^Z5t1HJAY-6Oqz{ z>oos0g8_8D{6Vj>#n`7iW^l_RjG3<#J~KC%X1Gp;2>;{g@19+D!{=CVK$hdJ-$pL>rgDp z?kq1I+xZ`s4KiEOE1?(OFDh1;eaIJy){*}bB#4w@v?v8A{Y?W#cA>vzjflvqBYX~#^!ATK^WwL|CmKuSfgC zDd-FlYUe?^)E~R8N4bmnuXp=3){Kh=d+oV*`d{$Dl$OG7y9%S&AAb0L{VJ|IX*#sa ze~`4p4}+j4pMNf`ckZMEN zpXzVWgKG#d(^)4#L%Wm&&H~Pobf8GdDs&LZ4tjim%xpyZudrrY@oF}n$jpAiPmBmC zDXHZMQKCir_s_ykq2^*_$H31%DX+iq(of2~r!sIzQI6I)U^+)8?_dhJxnyDlSF(556Mq0)AT>sX!WAVLNbI>d_CUkuGaLI9-rQUv_tuN}NI4mcqd32ATi zr+XUR>xR-Zo@y8yawRKNp*&fyS8eT2l@-c3Ty~8w z>q<^Gu8g1K+Xi2h_O=o}FGauj8?4Lb4(2~Lqext_Twfm6jSu@v-#8t0Pks*3Ol~qN zl&Gep$=llhBAA16m99UrEHw&#>CZcOjipe z0l13}Cp$d8rEVPu3ca_gBOX})z)n@OuD-I8GVX!}UGXr@AU+m%PM$VxdfwD&Q?*G< zeElN`!5so-N<-%M=4+M=Skt1C>F5|M)7Ur86vR%$LYaK!n48vQp`b!(YA( zjap-&cx;T4gpNM0^+#6x)q$^87-fks>fl5D)vzSHHu>-IciwsD)G=6#k+57M7m`M? zb8_U?TW`hgV>Jk-5S{y<6I?>e&a-Ce!Mf9qJJjyE*WMWV5eeAIhE9v@so1$t{Nn0= z>@=oP*%A*;3^Zmm{Zm@S=?_&RD_5*kr!rNg!W(hgX&e2?A4h~c7(e^$bG7)>#tglB z_f9zcu){Kr!)~-#KLhh%Q$POX6Rq9WQT}`T$iB1&z%c{`HiQNs0turw$NzC6c|267? 
z#`HElS^{5M_bJEJ0O%xuXu=*#`?_xzBq=RgF2s&KI=Ya06(oIR01=jcF>7!Mz`o*I zv?9uOAO}Q=hA0_@6D$;phgE|d1gEKv#nKRy6YL|0W0aGU8*jwNV=-=a9-b@dQ{z36 z5L*Jl<;}Z)%H9ym5}qcV>44K^$D``y*rI*-LxDg(wI#OYqD44N50m{VEsX@on$J`| zc>NlM_w2dQeuEiN*|g&7ZYK7Wo^Om#UBsoUBIXx9o8O#6Vkj%?YHN~fzVe~ zQ!vkkqN?d+u6j`GcKe{FE4J$*$}TD)upD4TrU3^S$h?WXlGCgaqm;vs@<325@adW( zp{otv=fX&4&=MO2zk+fJeAvL(J9c48EZndq;z0b#A_Xe=QU0TQHch zNM4%FJ7eYl|tRujLPGRXvw{x~X%Wl}>!X9Xl66 zEs>pPm#|*@nZ+5P2zk7n?N$s?`dfRDWC%=rsljt&VD&g~72xNc>8s_@V9&Qb;0$gQ zTB(J8^upZ5x=)*l}S@*#$kO_lv_jZhknNf zLrl`3`JiN2(HB^Cdop-xn6F^YE9#2FV*_z5ky{xf#H^AblTr@&y2VM<0g?`f6e^ChqS>0HD?D?oMb z<_epPo%k%*;K<}X`~|f&R?awYG5h)45Hq2l<&Vc@kAj~~K?qQ=h>-K_Dx0r;N90{) zLz?vC0mi?WaH7a=;MB~u%MZ8U0B^gk;8o6BD$PFwoTHwN7NKEf_*Ix1;5NQ2mv$h- zw;!N$r{G%TyT|~5=&XpVYxq`uWto(q^QhXu-~~{K)mkeLN!2|0Nce({P~R{@iSK1d z^R0)+FX~d2KAfxPkv{=toMw^vrTWt?c_e7+@LnQH(>bW|^IdH!6{>m}{?uk%fo{SP;GWr54d0%n*?@qu5ptkl^SFo>-j$xfZ z#$E%C0cuW-tO-DrWU}oK$x^Qw`PdmwvBj}*?NZtB72+gw_59zwV7{-_R*sU@IV4@%?6kOm#aGLbA>}|0Ih{r5OL~0a8U9s?%|xdRA^UCyT?>oAJI8!I`U|#0qUfV~ z5vUAbcR7Kz#TW6cQ51wZv$8M2NuJ!`(;lrns_9_Zumbw<88|)6>Tj4Yu!SqR0>23W zs#esN%sg9u+>TtfRU?=wg#frYQ}&C5Yf1O^{6B#&++j`);TgBY+B>DwOiEsiak1(3 zt3m(rs90=-TRz%-p}`+FA1YMN-`REAg4J>=1!v&SX=b=pJnV$)a*Qy-vfI!v#|wBe zq9v$A8Fj6`lV%wb!o_lnw#_p35XSgp5#XVJO^xB?qdbQ3QF7C0v4}jD|D5}zN!p{d z5t!_Y7+$Z(o#GKfDL5JoRGGqN@?p&N(5+s8@;0*`w@s{nN-IT2yKlSy6S|x)Beut5 z7nT|gnbr&*mOm1rDR<;=_bnK2OT3*828oWqm8@538SQDWdoh$_o)G7@nF`@|_kN%nuAUB(rBryZb1 zW_rYjb!~{UO46}tiTovU!FJpwJj^*0@!T1f3ZPDm8=9Sw+Gi<nTq_y}JvX6H9 z@A7aq+S(HFToRw_Y>Y28m_=+b@mS-9ip2r_`_3?DSUw#R(wh=0rv9Li1&JV2n}CWM zX3~HC5aU{bo9I`GHJqOZzP_FZ>VYS6WG1zM$uqi4arK0wnm=LE5pVLio+a1e=vYKQ z780uwFuXhfvT!b9-XpAcE@DcFMXYq>3@wgd(O>OWpbwXBKaiy2JSY#|$lbSp*@VBR za{nvda`jr9V39ckIk6*+u0)pC$mF3gDc%wdEHR1vH2Zu1PVNLHtSP{iT zbNyGh#gT{)KlwLdOx(I+Tgsf_MY-P$k~O<;acv8~d^AE;K6mPKL z0C-`aV|*^_<#+V$WG8p-V7u6Jr1=NEuHdfknN2!Xm^1WgBrEKD=GFw-0l$~RhmvT^ zm&J!(uVRJUHATn;MN5y8o^>A4FbcmPLy|szE)lJHMHi2Q^w5>t;5$FyqK=Y|Xyl4C zM4J)Kh_?=W%S~KL-=yZ31x@epM$igbt{ 
z1bkGIP#NV`7+Z`mXFlp75<*Dh7X;pO^>eSR>|`3{_ul{oiO@%fFgjuk6bU(kEdkWj zmw3*=H^BKB60vvZ86-Z^R%v=JbeSRbnwBrsKnXfqwDXA^JuT31%kpBDmnv+s-%CPF zKD;EH(=jx&A+s;dI$vdL0v0qz+w#g_I@R>Y0R#1>8>#^x!Zl1+D0Z%A^Fb|tcnTZP zg`_zFOV*K3!};`LOWk`1kwf4WwSS|t7N=Fe%b>pH0-jbY$#GjiE8(6~L1SF0do!fF z4><>38D2N+jM*?tb-%nkd5sM{xGdW&eckOm?ow|VzfzdUpQ)jub$nUi{l`66#&TWc zcJCXWT2f)!vM>@gnsk%g%kt^#b5qFO^|jC13@^ilO!6ymWIksI zlcY@8njJUaY=sqt-69z#up0yKyVf^xpxCs~^0{_6InTM94FMP5{S|^6tZL6=v{OeV z=~48PpC#_ijHw%D!NwpTqmuv2;y-|%>Dt(U=Q&+B6E+%{;{;F^X{qGLaJw=Pq&eF2 z-gfr`vTo2N^;WtYI08d>=q^Q!?92}R93mA}CeW9w;B)`Sk00#gX%Y7BbPd0H4AmI- zNoJ0bORlRYGZ6HC@k+ao+kDW}->l1nIU0y!o$POj4B`OEx7_8j4@qA^D`r#KdG6 z64qrQySoHqd9%@DIlbQhAZ2SosOzO3pC?lq>84J$bOHx#Bc|#qaO-cvCgVk-+u!mG zV>koX$prB3BPnO#8Z)R>H>f{-PhBRV?@yp&HgwMdhn6swI$XekMA`LbQ_o}@013kBS$2|@u&^C`{izJc#`GG!>q8Snno=cNOf+W58W3UHS4-;xv)g|i-mhx!OM5Ad)X)&gzn_?>^=@Zw716uFt3k&?id zP@;S7HLSrsxgdmj^zEun6xzlX6)3VhA!sE?jonzaazFc1)^h{8$xd@dgFJ1lkss6- zw5=T{XsTyYN3EP#VuK z#?8Bv4AAn9!XF5F-84CX{-Pe}!}5N82)GV zCI#PkJC)uEJxG>hfobXY z@jngGS!1vn_iwtitA^8ZGKFgM7eR@^zwuGH zq;2oUF%w*pZhLWNAFt2i2mLImKN^)U?%$5y^q5`=JQqEXAPI^J+l=FkM_kUWqPN&; z5bqpoJ3?<$-%d1ol^zB1?>-qM9s2!&xwao6!;U-7sS(X=VK!-ow?)4yS6Dz?qdU({ z)O6?yQtTRLm8Uz4uL}(?>pIYeq&2HUUT#jLeEZ~{E)caa(#mD0IVm*nZ=3~-(9twp3kN|;mqOj#^4qJ1Jo^Sh^cB8YFnvoh>PwAx z8>xPVOwMU`J4r}D6xJWzZ30xnxXBq+1;-%&{H{0;60o!Ep>|k=8tTfNv^Vhx;M;P@ z{7#~V&cCX^yQA~UCePaQPQ}`h(_!69+J1?pm{CfQ06B0o{{3tq=j8%v3 zzk_KecAn$&q?3Ce$Zw=r(D@5eiWbw|X96nzI+P31pl?ts<;JSY+`qr^gKCjp$^OPn zepr;3#}I^5vE6QT7u-_oP_aFcL0#9iKi;OY_!;C3{m-K8T87ZjD+FD&}^W$1q`^~ z+&zTRlOF?ul&u|r#Sw~VfTRcSu=c!8k(z=b6ju|s1jPEh9XTcIB{0sDAjREp8yW6B8A8e%NKtSAzj<9eg{aqEVsVUh`7#zJ}miZr@u=2lPCWA2HjN0D}>T% znU-zGmnZs+cc+#+m1Z6ylDfBdH!mpziU*-@er`nirY&n){baHmhUqoyr;EU1vWUs^ z$SR1%84h6NA5j{g?eQ(Rf~SA%FuZ*KV#p)dPX|Fn{+NC05sW;EP~dtBFK|N3cO&Xr z5YA#}12o(ca;e6NVW78SIu2nvlK|o26wQHs%h+EFV`Eurbv~gDP1R*%x~KBXr9r8{Rx}x;#?DFaycPC%K3qdX&V;vM1U=gGBBL( z9Ytm8XV8`NGjGG!XwTlB!?dCPLJdVG&we0o5cFV$pC&~6Hs-9o;QM>Ca@r9O+E4L* 
zf#_1zZMfFTTX_Rn^1EM|TC-pblo&*jI#``1k!6)JQHewWp7@pX;V%o^jkjqAmD@HW z@8z~OBnee|kA43n@Nmi<9KF%@#9VRSJ9_NWVI>_^NIY2@_IYrr*@f*9=5Q6ZJ-ga| z8T;mz3JWbiN4nUi+j-~3F9av3oII4ofgf0BRIE(wk(EoNtx49dm2#{IdD;5aH}UeJ ztbK*wJY=Zpy{!BfLqqKf4WmoD{eKDVzp$2$jf9^^8lb0Gf;X1c7ZQd`o2xU^Rkqa& zi7m7&m@GjtoJhoHhs6t?%m@iW$A6Bj7NFbbN_+eo;7!)dcEqsJbITsW3e)F-Zx`4J z6bi+zSh)1<{XvQU&nUNF`uE1ke53W=AJ{vz9D}qft z@7<|J#&=cUWItcVFRm2)oORfYh-22eaf8lKOHJAEZP5OQhC#3F_+8^m7eQhFkb!R< zU8f~)o()q`q$8$*pKQHT;`Mm)L~5EpHlGxFghTEGJh>9_2{LxUlY7y}b!#S@;Qd2+ z$?wHi!a`L;RpC9zRWKL6d7Sn6h2kXd)UdsIP(A0T?-HeTfGvhWpF2M*nQn=*XVUBc z;@Tl($)Vta@|(kj26erQqvbYFKUdek&sWIwKN`BopiUpXY$o(ne!HvOJ`~n}lTDfm zR3%%OSO#}R*%nUc>uiM^vK=%w34-&9R(5u1L{_evFo}6z&eI5Mg;le~Vg=zlXczNP zR=X7o>Aj>?$A5Mx;OrTy78{YCnr;S+L3RcJt@;?#^oz3RF{vo#wP=Tb53(~XmN)gO zSh8?E7hc%QH5L8Ep&!)-ASb(T*nzn=#<8~b3b@NtXrm~SqW1sNG6ZJ zZP^64wZ3QhI)a@FBXV@W737%z#d=x=2P;4rvycoy1%){J{=8Q4{}TS_H{|~{v@8oM zL6`PleHik+m+VRP#ee_!H_#^rL!D@gbv7Dvo;$C0d2UyW1!+Ogb$(gRRq7a$V2C3@aYi8(90w*D=@&0Yzk4~vc;&n z*5ddnkdP50vY1+6=6g5}iUD409mCF&g>oEC6B~{pTBT(DV|baAT5yT77H|O+I)21` z2a1EMm03dM! 
z2>dTKV>Z1(`|lQTlOiFd)HnWxSbC`2NPwFx^}l1V5_FE|^$J1fX}B7Q`GTZ8t?-}W zomw`RbUQS=yEsH%Bj87eS^c>CFj~Dx4ebJdpmNO^pz`0=$F-B@%#`{qKg);Dd8HsK z8EFK%)C+Eb*z40%F#uyEyW6K04GZ#SVi)%mbkSX4?a=E|DvmGEsG87UX0v=2tg`#h z9O%h2FA_xL{i?OX5mEHmo!q@24#=9DVS1;r47Z%|O*pOGTF@ES;qr^f3~Vu!T!)}B zs0Xw}Yk}_##Q(}b=G`Eod}m`7c6xt~XRV@LzGU--9MLX`gAchUVTMMqydCGN|3TFO zaKQ$vf7=%+?E7JyT_WnT2LV-2SP7jCTC3eIK@rM{m!$C16L+J6Wm zomm8}+`BRqr{UT|vg@AswM0Ji<a;b&xI z+*a{sQkh{>@fva$;21vm2ue+02ho?;&G-98M%KWbY+adCAcpekZAwAq=5);NhyGzR0tpc$MnIp{$W|}#s$F9#^8^(;+}_m7`nsh$F?PiaVcU@z zo=aDVXEEHAZ8;lW>oN_Z)|cXqyxoV*dT+@|_FpRblXZSt^4p zc?>6yg^ewSSMaH&N~++)W=J!HmT(C^SfnEZ)~xmxGXHrar?ZOo!16C{k-PU?qt#y7 zVUNPGYYCz81)E?D<@WZp-v)cs8OSU%;kuo@pnh|1;3VyI+xojv zgVGK+D=v+V4$P zD%hfV&R2-o&PcZz(+gjmFMyV1)O_~;g$5G9NAC8Y*OD&OX1Xo><*K*t+!i|cpZz+5 zJ*Ly0%hD1RUXcJk!vy&Iu-PClc>)(%JPxO&h_>6DOeD!+$4a|P|F4`~nt6mcsu7&U!~aFE z|4L#3|5Dp4&UFPS6Q-tFC)3fs@hj1>xzvhS>RM!;a`%CrRBF`ty=~U%>?LcaLF>ko zcDCJ~cXxi6JYWtGuc&)=%E>I{BA=?%gU+c8og=OO-{Ih$x&=+~%5;bYS~DepTP~kr zE--z_>$ZteypIasOg(5;oBrCgcwFN=Ljl>D~%A8b}O$LXTvQjK-mY zS)VA;OrcAeIU>8SUPpz!@EZ5C5g|D@iQyx%GkzH~EtLM4vwHeR=l-RiUJgUw`^&pq z31Gj%4OQT%%vdTooi?5Ftk8EB((|+R2bR|)C7L#FI$sI}SsX*qaxQU>#9V0B9f`dk zM#{AHfyLU#3eKN8E+Cp}jsInjtyBNLIwC*f(0)-|n7nOv2&W%P)Aiq`DGg!e(rg(xzwm7{0)6xfB!W@@?Fjs!yXJ@ zMa=LN0>8GvCSutLnuL9H7Sa0y>wu>j5W-0Sgh?OxBv~mr)jR7^Ex!F&Gj!jB_hbu^ zaYuSkw`9GS^?V8=^{WfjVaVSU8PqNW#XWU}c(-TAURqb|M)J}v}zOE z9WLSM4C_n2LHRW#R9txwX=K$nj5K=wTutR!-s61L7fJd}3wV0grB&^5ytEzMBNC>c zWTjQ7pJHrdAy)YN33SF`bvBPx<>V>r0?o>|Tosv$az8@Lo&!?jkdo75K2`c({gpGk zQyC3{CirMQPUh4qm_r)Ja4f21*GN*;pSpAmGF@OPTS0tzIfhkz@c-+S0Gb8&f}dsc z)YSr$CMK-Lx6*k2nuZ%2!XvGq6V9-h$Rn|>VligH0KoIr(J9{HCd#N#dPWeYP!P1Q z_JsR}GTRgQbb70=r~cg_#W2Dy`}nTtu-C>6LFG!Md6t{Br`g}D7!(}Ls@B0ccT4r` z`Z!G2*YM(_dNTsNGE7crc zpZJL{m|<=LA5|KE%O3<`Z2hA;h)z0M(qVO|0+h0;dXICfetNjl` z)3K@j5Bpyw4V8jJ?0=C!?0=Cg?0-!#W`o53CvgF3gblI(W&i84_diJv(+{KJm=E=} zAjU?C=kwH0ma{Hxd?u)`lUWL{`b1N9Z&PZ5@TA9Mj3N244~Hw$A5eL(Z~P%2mcP^y 
z>I<$eVU7SHh0a+2I%tYQSQ7y?<{v^~{TRH_pj15@i?VnaL%Gv*nTnt#kcDGTPGq7U;AxB-qWViBsiB63+SE)kJbgi1BD zF=Wd8o7fPK!i;$arRHDrZ_0xCx9G$C3vMv~+Wy%7%Av6T0X_&M5|8pFY#%9*V2_V5^9Z&dxARZl2QK07h>Y-lQ z#(ZTtOl^#+S~kt=6C-7@~<1ate@@M@s{{%?} z(}Ewwlfj(kU)vwsU%FdyDYpL+gh4QhD>9|FFxdYJ7=lHUUxg7O;$#2I{#QtX_dnkM z1t~xty#ECh;>lo6`=2C<@I9E?{{Ra1zdqLgl4+TCG}7P4OnD6|lkA3{2;tTLRBVbe z8#3@sjebh0_l*>l0W)UG5$RvHF&d37F{9!<>Qf6R^ZLeL+#$iDJXrop`v67L6YC$K zF#ni;ZGVy;Y<~fS{SW(J)CU*`1pA+YA>aT%$a}E=?fr+uLOSC8SM65`hxeb}e|!J! n{daId@WH2X{*Y#Py2<|nYh_Nemx-+K00000NkvXXu0mjf?x4O3 literal 0 HcmV?d00001 From 69d79ca78cec77451ff9719f7b21ad9321b65cf7 Mon Sep 17 00:00:00 2001 From: windsonsea Date: Wed, 16 Nov 2022 09:24:05 +0800 Subject: [PATCH 095/139] [zh] sync connect-applications-service.md --- .../services/connect-applications-service.md | 634 ++++++++++++++++++ 1 file changed, 634 insertions(+) create mode 100644 content/zh-cn/docs/tutorials/services/connect-applications-service.md diff --git a/content/zh-cn/docs/tutorials/services/connect-applications-service.md b/content/zh-cn/docs/tutorials/services/connect-applications-service.md new file mode 100644 index 0000000000000..861c3a838c61e --- /dev/null +++ b/content/zh-cn/docs/tutorials/services/connect-applications-service.md 
@@ -0,0 +1,634 @@ +--- +title: 使用 Service 连接到应用 +content_type: tutorial +weight: 20 +--- + + + + + +## Kubernetes 连接容器的模型 {#the-kubernetes-model-for-connecting-containers} + +既然有了一个持续运行、可复制的应用,我们就能够将它暴露到网络上。 + +Kubernetes 假设 Pod 可与其它 Pod 通信,不管它们在哪个主机上。 +Kubernetes 给每一个 Pod 分配一个集群私有 IP 地址,所以没必要在 +Pod 与 Pod 之间创建连接或将容器的端口映射到主机端口。 +这意味着同一个 Pod 内的所有容器能通过 localhost 上的端口互相连通,集群中的所有 Pod +也不需要通过 NAT 转换就能够互相看到。 +本文档的剩余部分详述如何在上述网络模型之上运行可靠的服务。 + +本教程使用一个简单的 Nginx 服务器来演示概念验证原型。 + + + + +## 在集群中暴露 Pod {#exposing-pods-to-the-cluster} + +我们在之前的示例中已经做过,然而让我们以网络连接的视角再重做一遍。 +创建一个 Nginx Pod,注意其中包含一个容器端口的规约: + +{{< codenew file="service/networking/run-my-nginx.yaml" >}} + + +这使得可以从集群中任何一个节点来访问它。检查节点,该 Pod 正在运行: + +```shell +kubectl apply -f ./run-my-nginx.yaml +kubectl get pods -l run=my-nginx -o wide +``` +``` +NAME READY STATUS RESTARTS AGE IP NODE +my-nginx-3800858182-jr4a2 1/1 Running 0 13s 10.244.3.4 kubernetes-minion-905m +my-nginx-3800858182-kna2y 1/1 Running 0 13s 10.244.2.5 kubernetes-minion-ljyd +``` + + +检查 Pod 的 IP 地址: + +``` +kubectl get pods -l run=my-nginx -o custom-columns=POD_IP:.status.podIPs + POD_IP + [map[ip:10.244.3.4]] + [map[ip:10.244.2.5]] +``` + + +你应该能够通过 ssh 登录到集群中的任何一个节点上,并使用诸如 `curl` 之类的工具向这两个 IP 地址发出查询请求。 +需要注意的是,容器 **不会** 使用该节点上的 80 端口,也不会使用任何特定的 NAT 规则去路由流量到 Pod 上。 +这意味着可以在同一个节点上运行多个 Nginx Pod,使用相同的 `containerPort`,并且可以从集群中任何其他的 +Pod 或节点上使用 IP 的方式访问到它们。 +如果你想的话,你依然可以将宿主节点的某个端口的流量转发到 Pod 中,但是出于网络模型的原因,你不必这么做。 + +如果对此好奇,请参考 [Kubernetes 网络模型](/zh-cn/docs/concepts/cluster-administration/networking/#the-kubernetes-network-model)。 + + +## 创建 Service {#creating-a-service} + +我们有一组在一个扁平的、集群范围的地址空间中运行 Nginx 服务的 Pod。 +理论上,你可以直接连接到这些 Pod,但如果某个节点死掉了会发生什么呢? 
+Pod 会终止,Deployment 将创建新的 Pod,且使用不同的 IP。这正是 Service 要解决的问题。 + +Kubernetes Service 是集群中提供相同功能的一组 Pod 的抽象表达。 +当每个 Service 创建时,会被分配一个唯一的 IP 地址(也称为 clusterIP)。 +这个 IP 地址与 Service 的生命周期绑定在一起,只要 Service 存在,它就不会改变。 +可以配置 Pod 使它与 Service 进行通信,Pod 知道与 Service 通信将被自动地负载均衡到该 +Service 中的某些 Pod 上。 + +可以使用 `kubectl expose` 命令为 2个 Nginx 副本创建一个 Service: + +```shell +kubectl expose deployment/my-nginx +``` +``` +service/my-nginx exposed +``` + + +这等价于使用 `kubectl create -f` 命令及如下的 yaml 文件创建: + +{{< codenew file="service/networking/nginx-svc.yaml" >}} + + +上述规约将创建一个 Service,该 Service 会将所有具有标签 `run: my-nginx` 的 Pod 的 TCP +80 端口暴露到一个抽象的 Service 端口上(`targetPort`:容器接收流量的端口;`port`: +可任意取值的抽象的 Service 端口,其他 Pod 通过该端口访问 Service)。 +查看 [Service](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#service-v1-core) +API 对象以了解 Service 所能接受的字段列表。 +查看你的 Service 资源: + +```shell +kubectl get svc my-nginx +``` +``` +NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE +my-nginx ClusterIP 10.0.162.149 80/TCP 21s +``` + + +正如前面所提到的,一个 Service 由一组 Pod 提供支撑。这些 Pod 通过 +{{}} 暴露出来。 +Service Selector 将持续评估,结果被 POST +到使用{{< glossary_tooltip text="标签" term_id="label" >}}与该 Service 连接的一个 EndpointSlice。 +当 Pod 终止后,它会自动从包含该 Pod 的 EndpointSlices 中移除。 +新的能够匹配上 Service Selector 的 Pod 将自动地被为该 Service 添加到 EndpointSlice 中。 +检查 Endpoint,注意到 IP 地址与在第一步创建的 Pod 是相同的。 + +```shell +kubectl describe svc my-nginx +``` +``` +Name: my-nginx +Namespace: default +Labels: run=my-nginx +Annotations: +Selector: run=my-nginx +Type: ClusterIP +IP: 10.0.162.149 +Port: 80/TCP +Endpoints: 10.244.2.5:80,10.244.3.4:80 +Session Affinity: None +Events: +``` +```shell +kubectl get endpointslices -l kubernetes.io/service-name=my-nginx +``` +``` +NAME ADDRESSTYPE PORTS ENDPOINTS AGE +my-nginx-7vzhx IPv4 80 10.244.2.5,10.244.3.4 21s +``` + + +现在,你应该能够从集群中任意节点上使用 curl 命令向 `:` 发送请求以访问 Nginx Service。 +注意 Service IP 完全是虚拟的,它从来没有走过网络,如果对它如何工作的原理感到好奇, 
+可以进一步阅读[服务代理](/zh-cn/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies)的内容。 + + +## 访问 Service {#accessing-the-service} + +Kubernetes 支持两种查找服务的主要模式:环境变量和 DNS。前者开箱即用,而后者则需要 +[CoreDNS 集群插件](https://releases.k8s.io/{{< param "fullversion" >}}/cluster/addons/dns/coredns)。 + +{{< note >}} + +如果不需要服务环境变量(因为可能与预期的程序冲突,可能要处理的变量太多,或者仅使用DNS等),则可以通过在 +[pod spec](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#pod-v1-core) +上将 `enableServiceLinks` 标志设置为 `false` 来禁用此模式。 +{{< /note >}} + + +### 环境变量 {#environment-variables} + +当 Pod 在节点上运行时,kubelet 会针对每个活跃的 Service 为 Pod 添加一组环境变量。 +这就引入了一个顺序的问题。为解释这个问题,让我们先检查正在运行的 Nginx Pod +的环境变量(你的环境中的 Pod 名称将会与下面示例命令中的不同): + +```shell +kubectl exec my-nginx-3800858182-jr4a2 -- printenv | grep SERVICE +``` +``` +KUBERNETES_SERVICE_HOST=10.0.0.1 +KUBERNETES_SERVICE_PORT=443 +KUBERNETES_SERVICE_PORT_HTTPS=443 +``` + + +能看到环境变量中并没有你创建的 Service 相关的值。这是因为副本的创建先于 Service。 +这样做的另一个缺点是,调度器可能会将所有 Pod 部署到同一台机器上,如果该机器宕机则整个 Service 都会离线。 +要改正的话,我们可以先终止这 2 个 Pod,然后等待 Deployment 去重新创建它们。 +这次 Service 会 **先于** 副本存在。这将实现调度器级别的 Pod 按 Service +分布(假定所有的节点都具有同样的容量),并提供正确的环境变量: + +```shell +kubectl scale deployment my-nginx --replicas=0; kubectl scale deployment my-nginx --replicas=2; + +kubectl get pods -l run=my-nginx -o wide +``` +``` +NAME READY STATUS RESTARTS AGE IP NODE +my-nginx-3800858182-e9ihh 1/1 Running 0 5s 10.244.2.7 kubernetes-minion-ljyd +my-nginx-3800858182-j4rm4 1/1 Running 0 5s 10.244.3.8 kubernetes-minion-905m +``` + + +你可能注意到,Pod 具有不同的名称,这是因为它们是被重新创建的。 + +```shell +kubectl exec my-nginx-3800858182-e9ihh -- printenv | grep SERVICE +``` +``` +KUBERNETES_SERVICE_PORT=443 +MY_NGINX_SERVICE_HOST=10.0.162.149 +KUBERNETES_SERVICE_HOST=10.0.0.1 +MY_NGINX_SERVICE_PORT=80 +KUBERNETES_SERVICE_PORT_HTTPS=443 +``` + +### DNS + + +Kubernetes 提供了一个自动为其它 Service 分配 DNS 名字的 DNS 插件 Service。 +你可以通过如下命令检查它是否在工作: + +```shell +kubectl get services kube-dns --namespace=kube-system +``` +``` +NAME TYPE CLUSTER-IP EXTERNAL-IP 
PORT(S) AGE +kube-dns ClusterIP 10.0.0.10 53/UDP,53/TCP 8m +``` + + +本段剩余的内容假设你已经有一个拥有持久 IP 地址的 Service(my-nginx),以及一个为其 +IP 分配名称的 DNS 服务器。 这里我们使用 CoreDNS 集群插件(应用名为 `kube-dns`), +所以在集群中的任何 Pod 中,你都可以使用标准方法(例如:`gethostbyname()`)与该 Service 通信。 +如果 CoreDNS 没有在运行,你可以参照 +[CoreDNS README](https://github.com/coredns/deployment/tree/master/kubernetes) +或者[安装 CoreDNS](/zh-cn/docs/tasks/administer-cluster/coredns/#installing-coredns) 来启用它。 +让我们运行另一个 curl 应用来进行测试: + +```shell +kubectl run curl --image=radial/busyboxplus:curl -i --tty +``` +``` +Waiting for pod default/curl-131556218-9fnch to be running, status is Pending, pod ready: false +Hit enter for command prompt +``` + + +然后,按回车并执行命令 `nslookup my-nginx`: + +```shell +[ root@curl-131556218-9fnch:/ ]$ nslookup my-nginx +Server: 10.0.0.10 +Address 1: 10.0.0.10 + +Name: my-nginx +Address 1: 10.0.162.149 +``` + + +## 保护 Service {#securing-the-service} + +到现在为止,我们只在集群内部访问了 Nginx 服务器。在将 Service 暴露到因特网之前,我们希望确保通信信道是安全的。 +为实现这一目的,需要: + +* 用于 HTTPS 的自签名证书(除非已经有了一个身份证书) +* 使用证书配置的 Nginx 服务器 +* 使 Pod 可以访问证书的 [Secret](/zh-cn/docs/concepts/configuration/secret/) + +你可以从 +[Nginx https 示例](https://github.com/kubernetes/examples/tree/master/staging/https-nginx/)获取所有上述内容。 +你需要安装 go 和 make 工具。如果你不想安装这些软件,可以按照后文所述的手动执行步骤执行操作。简要过程如下: + +```shell +make keys KEY=/tmp/nginx.key CERT=/tmp/nginx.crt +kubectl create secret tls nginxsecret --key /tmp/nginx.key --cert /tmp/nginx.crt +``` +``` +secret/nginxsecret created +``` +```shell +kubectl get secrets +``` +``` +NAME TYPE DATA AGE +nginxsecret kubernetes.io/tls 2 1m +``` + + +以下是 configmap: + +```shell +kubectl create configmap nginxconfigmap --from-file=default.conf +``` +``` +configmap/nginxconfigmap created +``` +```shell +kubectl get configmaps +``` +``` +NAME DATA AGE +nginxconfigmap 1 114s +``` + + +以下是你在运行 make 时遇到问题时要遵循的手动步骤(例如,在 Windows 上): + +```shell +# 创建公钥和相对应的私钥 +openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /d/tmp/nginx.key -out /d/tmp/nginx.crt -subj 
"/CN=my-nginx/O=my-nginx" +# 对密钥实施 base64 编码 +cat /d/tmp/nginx.crt | base64 +cat /d/tmp/nginx.key | base64 +``` + + +使用前面命令的输出来创建 yaml 文件,如下所示。 base64 编码的值应全部放在一行上。 + +```yaml +apiVersion: "v1" +kind: "Secret" +metadata: + name: "nginxsecret" + namespace: "default" +type: kubernetes.io/tls +data: + tls.crt: "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" + tls.key: "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" +``` + + +现在使用文件创建 Secret: + +```shell +kubectl apply -f nginxsecrets.yaml +kubectl get secrets +``` +``` +NAME TYPE DATA AGE +nginxsecret kubernetes.io/tls 2 1m +``` + + +现在修改 Nginx 副本以启动一个使用 Secret 中的证书的 HTTPS 服务器以及相应的用于暴露其端口(80 和 443)的 Service: + +{{< codenew file="service/networking/nginx-secure-app.yaml" >}} + + +关于 nginx-secure-app 清单,值得注意的几点如下: + +- 它将 Deployment 和 Service 的规约放在了同一个文件中。 +- [Nginx 服务器](https://github.com/kubernetes/examples/tree/master/staging/https-nginx/default.conf)通过 + 80 端口处理 HTTP 流量,通过 443 端口处理 HTTPS 流量,而 Nginx Service 则暴露了这两个端口。 +- 每个容器能通过挂载在 `/etc/nginx/ssl` 的卷访问秘钥。卷和密钥需要在 Nginx 服务器启动 **之前** 配置好。 + +```shell +kubectl delete deployments,svc my-nginx; kubectl create -f ./nginx-secure-app.yaml +``` + + +这时,你可以从任何节点访问到 Nginx 服务器。 + +``` +kubectl get pods -l run=my-nginx -o custom-columns=POD_IP:.status.podIPs + POD_IP + [map[ip:10.244.3.5]] +``` + +``` +node $ curl -k https://10.244.3.5 +... +

Welcome to nginx!

+``` + + +注意最后一步我们是如何提供 `-k` 参数执行 curl 命令的,这是因为在证书生成时, +我们不知道任何关于运行 nginx 的 Pod 的信息,所以不得不在执行 curl 命令时忽略 CName 不匹配的情况。 +通过创建 Service,我们连接了在证书中的 CName 与在 Service 查询时被 Pod 使用的实际 DNS 名字。 +让我们从一个 Pod 来测试(为了方便,这里使用同一个 Secret,Pod 仅需要使用 nginx.crt 去访问 Service): + +{{< codenew file="service/networking/curlpod.yaml" >}} + +```shell +kubectl apply -f ./curlpod.yaml +kubectl get pods -l app=curlpod +``` +``` +NAME READY STATUS RESTARTS AGE +curl-deployment-1515033274-1410r 1/1 Running 0 1m +``` +```shell +kubectl exec curl-deployment-1515033274-1410r -- curl https://my-nginx --cacert /etc/nginx/ssl/tls.crt +... +Welcome to nginx! +... +``` + + +## 暴露 Service {#exposing-the-service} + +对应用的某些部分,你可能希望将 Service 暴露在一个外部 IP 地址上。 +Kubernetes 支持两种实现方式:NodePort 和 LoadBalancer。 +在上一段创建的 Service 使用了 `NodePort`,因此,如果你的节点有一个公网 +IP,那么 Nginx HTTPS 副本已经能够处理因特网上的流量。 + +```shell +kubectl get svc my-nginx -o yaml | grep nodePort -C 5 +``` + +``` + uid: 07191fb3-f61a-11e5-8ae5-42010af00002 +spec: + clusterIP: 10.0.162.149 + ports: + - name: http + nodePort: 31704 + port: 8080 + protocol: TCP + targetPort: 80 + - name: https + nodePort: 32453 + port: 443 + protocol: TCP + targetPort: 443 + selector: + run: my-nginx +``` + +```shell +kubectl get nodes -o yaml | grep ExternalIP -C 1 +``` + +``` + - address: 104.197.41.11 + type: ExternalIP + allocatable: +-- + - address: 23.251.152.56 + type: ExternalIP + allocatable: +... + +$ curl https://: -k +... +

Welcome to nginx!

+``` + + +让我们重新创建一个 Service 以使用云负载均衡器。 +将 `my-nginx` Service 的 `Type` 由 `NodePort` 改成 `LoadBalancer`: + +```shell +kubectl edit svc my-nginx +kubectl get svc my-nginx +``` +``` +NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE +my-nginx LoadBalancer 10.0.162.149 xx.xxx.xxx.xxx 8080:30163/TCP 21s +``` +``` +curl https:// -k +... +Welcome to nginx! +``` + + +在 `EXTERNAL-IP` 列中的 IP 地址能在公网上被访问到。`CLUSTER-IP` 只能从集群/私有云网络中访问。 + +注意,在 AWS 上,类型 `LoadBalancer` 的服务会创建一个 ELB,且 ELB 使用主机名(比较长),而不是 IP。 +ELB 的主机名太长以至于不能适配标准 `kubectl get svc` 的输出,所以需要通过执行 +`kubectl describe service my-nginx` 命令来查看它。 +可以看到类似如下内容: + +```shell +kubectl describe service my-nginx +... +LoadBalancer Ingress: a320587ffd19711e5a37606cf4a74574-1142138393.us-east-1.elb.amazonaws.com +... +``` + +## {{% heading "whatsnext" %}} + + +* 进一步了解如何[使用 Service 访问集群中的应用](/zh-cn/docs/tasks/access-application-cluster/service-access-application-cluster/) +* 进一步了解如何[使用 Service 将前端连接到后端](/zh-cn/docs/tasks/access-application-cluster/connecting-frontend-backend/) +* 进一步了解如何[创建外部负载均衡器](/zh-cn/docs/tasks/access-application-cluster/create-external-load-balancer/) From ed7547917744d603c9d19184f6ce963c39bf305d Mon Sep 17 00:00:00 2001 From: windsonsea Date: Wed, 16 Nov 2022 20:54:44 +0800 Subject: [PATCH 096/139] [zh] sync guestbook.md --- .../stateless-application/guestbook.md | 122 +++++++++++------- 1 file changed, 75 insertions(+), 47 deletions(-) diff --git a/content/zh-cn/docs/tutorials/stateless-application/guestbook.md b/content/zh-cn/docs/tutorials/stateless-application/guestbook.md index 25274ca7ed2f8..7f10de59eb52f 100644 --- a/content/zh-cn/docs/tutorials/stateless-application/guestbook.md +++ b/content/zh-cn/docs/tutorials/stateless-application/guestbook.md @@ -14,6 +14,7 @@ source: https://cloud.google.com/kubernetes-engine/docs/tutorials/guestbook title: "Example: Deploying PHP Guestbook application with Redis" reviewers: - ahmetb +- jimangel content_type: tutorial weight: 20 card: 
@@ -21,23 +22,26 @@ card: weight: 30 title: "Stateless Example: PHP Guestbook with Redis" min-kubernetes-server-version: v1.14 +source: https://cloud.google.com/kubernetes-engine/docs/tutorials/guestbook --> 本教程向你展示如何使用 Kubernetes 和 [Docker](https://www.docker.com/) -构建和部署一个简单的 **(非面向生产的)** 多层 web 应用程序。本例由以下组件组成: +构建和部署一个简单的 **(非面向生产的)** 多层 Web 应用程序。本例由以下组件组成: - * 单实例 [Redis](https://www.redis.io/) 以保存留言板条目 -* 多个 web 前端实例 +* 多个 Web 前端实例 ## {{% heading "objectives" %}} @@ -64,7 +68,7 @@ This tutorial shows you how to build and deploy a simple _(not production ready) -## 启动 Redis 数据库 +## 启动 Redis 数据库 {#start-up-the-redis-database} -### 创建 Redis Deployment +### 创建 Redis Deployment {#creating-the-redis-deployment} -### 创建 Redis 领导者服务 +### 创建 Redis 领导者服务 {#creating-the-redis-leader-service} 留言板应用程序需要往 Redis 中写数据。因此,需要创建 [Service](/zh-cn/docs/concepts/services-networking/service/) 来转发 Redis Pod @@ -169,16 +176,18 @@ The guestbook application needs to communicate to the Redis to write its data. Y --> 响应应该与此类似: - ```shell + ``` NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE kubernetes ClusterIP 10.0.0.1 443/TCP 1m redis-leader ClusterIP 10.103.78.24 6379/TCP 16s ``` +{{< note >}} -{{< note >}} 这个清单文件创建了一个名为 `redis-leader` 的 Service,其中包含一组 与前面定义的标签匹配的标签,因此服务将网络流量路由到 Redis Pod 上。 {{< /note >}} @@ -186,9 +195,10 @@ This manifest file creates a Service named `redis-leader` with a set of labels t -### 设置 Redis 跟随者 +### 设置 Redis 跟随者 {#set-up-redis-followers} 尽管 Redis 领导者只有一个 Pod,你可以通过添加若干 Redis 跟随者来将其配置为高可用状态, 以满足流量需求。 @@ -196,7 +206,7 @@ Although the Redis leader is a single Pod, you can make it highly available and {{< codenew file="application/guestbook/redis-follower-deployment.yaml" >}} 1. 应用下面的 `redis-follower-deployment.yaml` 文件创建 Redis Deployment: 
@@ -233,9 +243,11 @@ Although the Redis leader is a single Pod, you can make it highly available and -### 创建 Redis 跟随者服务 +### 创建 Redis 跟随者服务 {#creating-the-redis-follower-service} Guestbook 应用需要与 Redis 跟随者通信以读取数据。 为了让 Redis 跟随者可被发现,你必须创建另一个 @@ -280,23 +292,30 @@ Guestbook 应用需要与 Redis 跟随者通信以读取数据。 {{< note >}} 清单文件创建了一个名为 `redis-follower` 的 Service,该 Service -具有一些与之前所定义的标签相匹配的标签,因此该 Service 能够将网络流量 -路由到 Redis Pod 之上。 +具有一些与之前所定义的标签相匹配的标签,因此该 Service 能够将网络流量路由到 +Redis Pod 之上。 {{< /note >}} -## 设置并公开留言板前端 +## 设置并公开留言板前端 {#set-up-and-expose-the-guestbook-frontend} 现在你有了一个为 Guestbook 应用配置的 Redis 存储处于运行状态, 接下来可以启动 Guestbook 的 Web 服务器了。 @@ -309,7 +328,7 @@ Guestbook 应用使用 PHP 前端。该前端被配置成与后端的 Redis 跟 -### 创建 Guestbook 前端 Deployment +### 创建 Guestbook 前端 Deployment {#creating-the-guestbook-frontend-deployment} {{< codenew file="application/guestbook/frontend-deployment.yaml" >}} @@ -351,20 +370,24 @@ Guestbook 应用使用 PHP 前端。该前端被配置成与后端的 Redis 跟 -### 创建前端服务 +### 创建前端服务 {#creating-the-frontend-service} 应用的 `Redis` 服务只能在 Kubernetes 集群中访问,因为服务的默认类型是 [ClusterIP](/zh-cn/docs/concepts/services-networking/service/#publishing-services-service-types)。 `ClusterIP` 为服务指向的 Pod 集提供一个 IP 地址。这个 IP 地址只能在集群中访问。 如果你希望访客能够访问你的 Guestbook,你必须将前端服务配置为外部可见的, @@ -372,10 +395,12 @@ from outside the Kubernetes cluster. However a Kubernetes user can use 然而即便使用了 `ClusterIP`,Kubernetes 用户仍可以通过 `kubectl port-forward` 访问服务。 +{{< note >}} -{{< note >}} 一些云提供商,如 Google Compute Engine 或 Google Kubernetes Engine, 支持外部负载均衡器。如果你的云提供商支持负载均衡器,并且你希望使用它, 只需取消注释 `type: LoadBalancer`。 
@@ -422,7 +447,7 @@ Some cloud providers, like Google Compute Engine or Google Kubernetes Engine, su -### 通过 `kubectl port-forward` 查看前端服务 +### 通过 `kubectl port-forward` 查看前端服务 {#viewing-the-frontend-service-via-kubectl-port-forward} -2. 在浏览器中加载 [http://localhost:8080](http://localhost:8080) -页面以查看 Guestbook。 +2. 在浏览器中加载 [http://localhost:8080](http://localhost:8080) 页面以查看 Guestbook。 -### 通过 `LoadBalancer` 查看前端服务 +### 通过 `LoadBalancer` 查看前端服务 {#viewing-the-frontend-service-via-loadbalancer} -如果你部署了 `frontend-service.yaml`,需要找到用来查看 Guestbook 的 -IP 地址。 +如果你部署了 `frontend-service.yaml`,需要找到用来查看 Guestbook 的 IP 地址。 尝试通过输入消息并点击 Submit 来添加一些留言板条目。 -你所输入的消息会在前端显示。这一消息表明数据被通过你 -之前所创建的 Service 添加到 Redis 存储中。 +你所输入的消息会在前端显示。这一消息表明数据被通过你之前所创建的 +Service 添加到 Redis 存储中。 {{< /note >}} -## 扩展 Web 前端 +## 扩展 Web 前端 {#scale-the-web-frontend} 你可以根据需要执行伸缩操作,这是因为服务器本身被定义为使用一个 Deployment 控制器的 Service。 @@ -574,7 +601,8 @@ Deployment 控制器的 Service。 ## {{% heading "cleanup" %}} 删除 Deployments 和服务还会删除正在运行的 Pod。 使用标签用一个命令删除多个资源。 @@ -582,7 +610,7 @@ Deleting the Deployments and Services also deletes any running Pods. Use labels -1. 运行以下命令以删除所有 Pod,Deployments 和 Services。 +1. 运行以下命令以删除所有 Pod、Deployment 和 Service。 ```shell kubectl delete deployment -l app=redis @@ -602,6 +630,7 @@ Deleting the Deployments and Services also deletes any running Pods. Use labels deployment.apps "frontend" deleted service "frontend" deleted ``` + @@ -617,7 +646,6 @@ Deleting the Deployments and Services also deletes any running Pods. Use labels 响应应该是: ``` - No resources found in default namespace. ``` 
@@ -626,11 +654,11 @@ Deleting the Deployments and Services also deletes any running Pods. Use labels * 完成 [Kubernetes 基础](/zh-cn/docs/tutorials/kubernetes-basics/) 交互式教程 * 使用 Kubernetes 创建一个博客,使用 [MySQL 和 Wordpress 的持久卷](/zh-cn/docs/tutorials/stateful-application/mysql-wordpress-persistent-volume/#visit-your-new-wordpress-blog) -* 进一步阅读[连接应用程序](/zh-cn/docs/concepts/services-networking/connect-applications-service/) +* 进一步阅读[使用 Service 连接到应用](/zh-cn/docs/tutorials/services/connect-applications-service/) * 进一步阅读[管理资源](/zh-cn/docs/concepts/cluster-administration/manage-deployment/#using-labels-effectively) From 6b56d9c83214983e6e820fcfc0c86224b94ddc40 Mon Sep 17 00:00:00 2001 From: windsonsea Date: Wed, 16 Nov 2022 21:44:16 +0800 Subject: [PATCH 097/139] [zh] sync service-access-application-cluster.md --- .../service-access-application-cluster.md | 31 ++++++++++--------- 1 file changed, 16 insertions(+), 15 deletions(-) diff --git a/content/zh-cn/docs/tasks/access-application-cluster/service-access-application-cluster.md b/content/zh-cn/docs/tasks/access-application-cluster/service-access-application-cluster.md index 5f966ed09e011..6023ebf0f429a 100644 --- a/content/zh-cn/docs/tasks/access-application-cluster/service-access-application-cluster.md +++ b/content/zh-cn/docs/tasks/access-application-cluster/service-access-application-cluster.md @@ -3,7 +3,6 @@ title: 使用服务来访问集群中的应用 content_type: tutorial weight: 60 --- - * 运行 Hello World 应用的两个实例。 -* 创建一个服务对象来暴露 node port。 +* 创建一个服务对象来暴露 NodePort。 * 使用服务对象来访问正在运行的应用。 
@@ -51,9 +50,15 @@ Here is the configuration file for the application Deployment: +1. 在你的集群中运行一个 Hello World 应用。 + 使用上面的文件创建应用程序 Deployment: + ```shell kubectl apply -f https://k8s.io/examples/service/access/hello-application.yaml ``` + + -1. 在你的集群中运行一个 Hello World 应用: - 使用上面的文件创建应用程序 Deployment: - - ```shell - kubectl apply -f https://k8s.io/examples/service/access/hello-application.yaml - ``` + --> 上面的命令创建一个 {{< glossary_tooltip text="Deployment" term_id="deployment" >}} 对象 @@ -118,7 +117,7 @@ Here is the configuration file for the application Deployment: --> 输出类似于: - ```shell + ``` Name: example-service Namespace: default Labels: run=load-balancer-example @@ -138,7 +137,7 @@ Here is the configuration file for the application Deployment: Make a note of the NodePort value for the service. For example, in the preceding output, the NodePort value is 31496. --> - 注意服务中的 NodePort 值。例如在上面的输出中,NodePort 是 31496。 + 注意服务中的 NodePort 值。例如在上面的输出中,NodePort 值是 31496。 + 输出类似于: - ```shell + ``` NAME READY STATUS ... IP NODE hello-world-2895499144-bsbk5 1/1 Running ... 10.200.1.4 worker1 hello-world-2895499144-m1pwt 1/1 Running ... 10.200.2.5 worker2 @@ -238,8 +238,9 @@ kubectl delete deployment hello-world ## {{% heading "whatsnext" %}} -进一步了解[通过服务连接应用](/zh-cn/docs/concepts/services-networking/connect-applications-service/)。 +跟随教程[使用 Service 连接到应用](/zh-cn/docs/tutorials/services/connect-applications-service/)。 From 4686bd64326cce731ef1d84e7295f7e345212eb7 Mon Sep 17 00:00:00 2001 From: Olivier Lemasle Date: Fri, 18 Nov 2022 23:47:26 +0100 Subject: [PATCH 098/139] Fix markdown errors --- .../2022-10-18-kubernetes-1.26-deprecations-and-removals.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md b/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md index 38c1f29423c64..8574208d87f24 100644 
--- a/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md +++ b/content/en/blog/_posts/2022-10-18-kubernetes-1.26-deprecations-and-removals.md @@ -115,11 +115,11 @@ These arguments are already ignored so no impact is expected: the explicit depre Kubernetes v1.26 will [remove](https://github.com/kubernetes/kubernetes/pull/112120) some command line arguments relating to logging. These command line arguments were already deprecated. -For more information, see [Deprecate klog specific flags in Kubernetes Components] (https://github.com/kubernetes/enhancements/tree/3cb66bd0a1ef973ebcc974f935f0ac5cba9db4b2/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components). +For more information, see [Deprecate klog specific flags in Kubernetes Components](https://github.com/kubernetes/enhancements/tree/3cb66bd0a1ef973ebcc974f935f0ac5cba9db4b2/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components). ## Looking ahead {#looking-ahead} -The official list of [API removals](https://kubernetes.io/docs/reference/using-api/deprecation-guide/#v1-27)) planned for Kubernetes 1.27 includes: +The official list of [API removals](https://kubernetes.io/docs/reference/using-api/deprecation-guide/#v1-27) planned for Kubernetes 1.27 includes: * All beta versions of the CSIStorageCapacity API; specifically: `storage.k8s.io/v1beta1` From c4db32252b418455001466c15540793f5de287ef Mon Sep 17 00:00:00 2001 From: windsonsea Date: Fri, 18 Nov 2022 17:02:58 +0800 Subject: [PATCH 099/139] Fix typos in cron-jobs.md --- .../concepts/workloads/controllers/cron-jobs.md | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/content/en/docs/concepts/workloads/controllers/cron-jobs.md b/content/en/docs/concepts/workloads/controllers/cron-jobs.md index 1f64045422249..d2795e0efbb32 100644 --- a/content/en/docs/concepts/workloads/controllers/cron-jobs.md +++ b/content/en/docs/concepts/workloads/controllers/cron-jobs.md 
@@ -92,6 +92,7 @@ For example, the line below states that the task must be started every Friday at To generate CronJob schedule expressions, you can also use web tools like [crontab.guru](https://crontab.guru/). ## Time zones + For CronJobs with no time zone specified, the kube-controller-manager interprets schedules relative to its local time zone. {{< feature-state for_k8s_version="v1.25" state="beta" >}} @@ -101,7 +102,7 @@ you can specify a time zone for a CronJob (if you don't enable that feature gate Kubernetes that does not have experimental time zone support, all CronJobs in your cluster have an unspecified timezone). -When you have the feature enabled, you can set `spec.timeZone` to the name of a valid [time zone](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones) name. For example, setting +When you have the feature enabled, you can set `spec.timeZone` to the name of a valid [time zone](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones). For example, setting `spec.timeZone: "Etc/UTC"` instructs Kubernetes to interpret the schedule relative to Coordinated Universal Time. A time zone database from the Go standard library is included in the binaries and used as a fallback in case an external database is not available on the system. 
@@ -121,15 +122,15 @@ If `startingDeadlineSeconds` is set to a value less than 10 seconds, the CronJob {{< /caution >}} -For every CronJob, the CronJob {{< glossary_tooltip term_id="controller" >}} checks how many schedules it missed in the duration from its last scheduled time until now. If there are more than 100 missed schedules, then it does not start the job and logs the error +For every CronJob, the CronJob {{< glossary_tooltip term_id="controller" >}} checks how many schedules it missed in the duration from its last scheduled time until now. If there are more than 100 missed schedules, then it does not start the job and logs the error. -```` +``` Cannot determine if job needs to be started. Too many missed start time (> 100). Set or decrease .spec.startingDeadlineSeconds or check clock skew. -```` +``` It is important to note that if the `startingDeadlineSeconds` field is set (not `nil`), the controller counts how many missed jobs occurred from the value of `startingDeadlineSeconds` until now rather than from the last scheduled time until now. For example, if `startingDeadlineSeconds` is `200`, the controller counts how many missed jobs occurred in the last 200 seconds. -A CronJob is counted as missed if it has failed to be created at its scheduled time. For example, If `concurrencyPolicy` is set to `Forbid` and a CronJob was attempted to be scheduled when there was a previous schedule still running, then it would count as missed. +A CronJob is counted as missed if it has failed to be created at its scheduled time. For example, if `concurrencyPolicy` is set to `Forbid` and a CronJob was attempted to be scheduled when there was a previous schedule still running, then it would count as missed. For example, suppose a CronJob is set to schedule a new Job every one minute beginning at `08:30:00`, and its `startingDeadlineSeconds` field is not set. If the CronJob controller happens to 
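Review bot: in the first changed line, ending the sentence with a period ("...does not start the job and logs the error.") detaches it from the message block it introduces; a colon ("logs the error:") would keep the log text attached to that sentence. Since this is a typo pass, the last changed line could also drop the awkward passive "a CronJob was attempted to be scheduled when there was a previous schedule still running" in favour of an active phrasing.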
@@ -137,7 +138,7 @@ be down from `08:29:00` to `10:21:00`, the job will not start as the number of m To illustrate this concept further, suppose a CronJob is set to schedule a new Job every one minute beginning at `08:30:00`, and its `startingDeadlineSeconds` is set to 200 seconds. If the CronJob controller happens to -be down for the same period as the previous example (`08:29:00` to `10:21:00`,) the Job will still start at 10:22:00. This happens as the controller now checks how many missed schedules happened in the last 200 seconds (ie, 3 missed schedules), rather than from the last scheduled time until now. +be down for the same period as the previous example (`08:29:00` to `10:21:00`,) the Job will still start at 10:22:00. This happens as the controller now checks how many missed schedules happened in the last 200 seconds (i.e., 3 missed schedules), rather than from the last scheduled time until now. The CronJob is only responsible for creating Jobs that match its schedule, and the Job in turn is responsible for the management of the Pods it represents. @@ -146,7 +147,7 @@ the Job in turn is responsible for the management of the Pods it represents. Starting with Kubernetes v1.21 the second version of the CronJob controller is the default implementation. To disable the default CronJob controller -and use the original CronJob controller instead, one pass the `CronJobControllerV2` +and use the original CronJob controller instead, pass the `CronJobControllerV2` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/) flag to the {{< glossary_tooltip term_id="kube-controller-manager" text="kube-controller-manager" >}}, and set this flag to `false`. For example: From ba81c4a7f9e60b8643b5e363240ef82c734b98ec Mon Sep 17 00:00:00 2001 
From: Aldo Culquicondor Date: Tue, 15 Nov 2022 09:13:15 -0500 Subject: [PATCH 100/139] JobTrackingWithFinalizers disabled in 1.23, 1.24 --- .../command-line-tools-reference/feature-gates.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates.md b/content/en/docs/reference/command-line-tools-reference/feature-gates.md index f790a1fb7b423..63f5b442c323f 100644 --- a/content/en/docs/reference/command-line-tools-reference/feature-gates.md +++ b/content/en/docs/reference/command-line-tools-reference/feature-gates.md @@ -117,8 +117,6 @@ For a reference to old feature gates that are removed, please refer to | `JobPodFailurePolicy` | `true` | Beta | 1.26 | | | `JobReadyPods` | `false` | Alpha | 1.23 | 1.23 | | `JobReadyPods` | `true` | Beta | 1.24 | | -| `KubeletCredentialProviders` | `false` | Alpha | 1.20 | 1.23 | -| `KubeletCredentialProviders` | `true` | Beta | 1.24 | | | `KubeletInUserNamespace` | `false` | Alpha | 1.22 | | | `KubeletPodResources` | `false` | Alpha | 1.13 | 1.14 | | `KubeletPodResources` | `true` | Beta | 1.15 | | @@ -296,6 +294,9 @@ For a reference to old feature gates that are removed, please refer to | `JobTrackingWithFinalizers` | `false` | Beta | 1.23 | 1.24 | | `JobTrackingWithFinalizers` | `true` | Beta | 1.25 | 1.25 | | `JobTrackingWithFinalizers` | `true` | GA | 1.26 | - | +| `KubeletCredentialProviders` | `false` | Alpha | 1.20 | 1.23 | +| `KubeletCredentialProviders` | `true` | Beta | 1.24 | 1.25 | +| `KubeletCredentialProviders` | `true` | GA | 1.26 | - | | `LegacyServiceAccountTokenNoAutoGeneration` | `true` | Beta | 1.24 | 1.25 | | `LegacyServiceAccountTokenNoAutoGeneration` | `true` | GA | 1.26 | - | | `LocalStorageCapacityIsolation` | `false` | Alpha | 1.7 | 1.9 | 
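Review bot: the subject says "JobTrackingWithFinalizers disabled in 1.23, 1.24", but in these hunks the `JobTrackingWithFinalizers` rows appear only as unchanged context; the actual change removes the two `KubeletCredentialProviders` rows near line 117 and re-adds them near line 296 with the Beta row closed at 1.25 and a new GA 1.26 row. Please retitle the commit or split the `KubeletCredentialProviders` graduation into its own patch so the history matches the diff. The last hunk of this patch (@@ -789,4 +790,4 @@) also drops the newline at the end of the file; please restore it.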
@@ -789,4 +790,4 @@ Each feature gate is designed for enabling/disabling a specific feature: feature, you will also need to enable any associated API resources. For example, to enable a particular resource like `storage.k8s.io/v1beta1/csistoragecapacities`, set `--runtime-config=storage.k8s.io/v1beta1/csistoragecapacities`. - See [API Versioning](/docs/reference/using-api/#api-versioning) for more details on the command line flags. + See [API Versioning](/docs/reference/using-api/#api-versioning) for more details on the command line flags. \ No newline at end of file From cdf2b41be33b5e50f92b3b07412d66176952a35d Mon Sep 17 00:00:00 2001 From: keyu-Li <49513303+keyu-Li@users.noreply.github.com> Date: Sat, 19 Nov 2022 22:22:17 +0800 Subject: [PATCH 101/139] [zh-cn] fix misspelling in pod-overhead.md --- content/zh-cn/docs/concepts/scheduling-eviction/pod-overhead.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/zh-cn/docs/concepts/scheduling-eviction/pod-overhead.md b/content/zh-cn/docs/concepts/scheduling-eviction/pod-overhead.md index 046a27cd99f97..fea91a658f81c 100644 --- a/content/zh-cn/docs/concepts/scheduling-eviction/pod-overhead.md +++ b/content/zh-cn/docs/concepts/scheduling-eviction/pod-overhead.md @@ -154,7 +154,7 @@ map[cpu:250m memory:120Mi] If a [ResourceQuota](/docs/concepts/policy/resource-quotas/) is defined, the sum of container requests as well as the `overhead` field are counted. --> -如果定义了 [ResourceQuata](/zh-cn/docs/concepts/policy/resource-quotas/), +如果定义了 [ResourceQuota](/zh-cn/docs/concepts/policy/resource-quotas/), 则容器请求的总量以及 `overhead` 字段都将计算在内。 When using client certificate authentication, you can generate certificates -manually through `easyrsa`, `openssl` or `cfssl`. +manually through [`easyrsa`](https://github.com/OpenVPN/easy-rsa), [`openssl`](https://github.com/openssl/openssl) or [`cfssl`](https://github.com/cloudflare/cfssl). From d232e8d76e286fe8a29412a160065d35feef0124 Mon Sep 17 00:00:00 2001 
From: Michael Date: Tue, 12 Jul 2022 22:04:26 +0800 Subject: [PATCH 105/139] [it] resync /partners/_index.html --- content/it/partners/_index.html | 113 +++++++++++--------------------- 1 file changed, 38 insertions(+), 75 deletions(-) diff --git a/content/it/partners/_index.html b/content/it/partners/_index.html index 270dabe5693ef..0787dc644314f 100644 --- a/content/it/partners/_index.html +++ b/content/it/partners/_index.html @@ -7,85 +7,48 @@ ---
- From 4bfbcacca4c2f17041544828d1c66ab8cae0455e Mon Sep 17 00:00:00 2001 From: Tim Bannister Date: Wed, 19 Oct 2022 17:03:44 +0100 Subject: [PATCH 106/139] Improve EndpointSlice concept - add links to API references - tweak initial text --- .../concepts/services-networking/endpoint-slices.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/content/en/docs/concepts/services-networking/endpoint-slices.md b/content/en/docs/concepts/services-networking/endpoint-slices.md index ef987438bdcaa..09d20a3597978 100644 --- a/content/en/docs/concepts/services-networking/endpoint-slices.md +++ b/content/en/docs/concepts/services-networking/endpoint-slices.md @@ -15,11 +15,9 @@ description: >- {{< feature-state for_k8s_version="v1.21" state="stable" >}} -_EndpointSlices_ provide a simple way to track network endpoints within a -Kubernetes cluster. They offer a more scalable and extensible alternative to -Endpoints. - - +Kubernetes' _EndpointSlice_ API provides a way to track network endpoints +within a Kubernetes cluster. EndpointSlices offer a more scalable and extensible +alternative to [Endpoints](/docs/concepts/services-networking/service/#endpoints). @@ -274,3 +272,5 @@ networking and topology-aware routing. ## {{% heading "whatsnext" %}} * Follow the [Connecting Applications with Services](/docs/tutorials/services/connect-applications-service/) tutorial +* Read the [API reference](/docs/reference/kubernetes-api/service-resources/endpoint-slice-v1/) for the EndpointSlice API +* Read the [API reference](/docs/reference/kubernetes-api/service-resources/endpoints-v1/) for the Endpoints API From b5e97973a56ad126dd97c4cfa76606ef36d1118e Mon Sep 17 00:00:00 2001 
From: Mauren Berti Date: Thu, 20 Oct 2022 20:51:19 -0400 Subject: [PATCH 107/139] [pt-br] Translate the kubeadm init page. --- .../kubeadm/generated/kubeadm_init.md | 267 +++++++++++ .../setup-tools/kubeadm/kubeadm-init.md | 431 ++++++++++++++++++ 2 files changed, 698 insertions(+) create mode 100644 content/pt-br/docs/reference/setup-tools/kubeadm/generated/kubeadm_init.md create mode 100644 content/pt-br/docs/reference/setup-tools/kubeadm/kubeadm-init.md diff --git a/content/pt-br/docs/reference/setup-tools/kubeadm/generated/kubeadm_init.md b/content/pt-br/docs/reference/setup-tools/kubeadm/generated/kubeadm_init.md new file mode 100644 index 0000000000000..7c6a0f16b2306 --- /dev/null +++ b/content/pt-br/docs/reference/setup-tools/kubeadm/generated/kubeadm_init.md 
@@ -0,0 +1,267 @@ +Rode este comando para configurar a camada de gerenciamento do Kubernetes + +### Sinopse + + +Rode este comando para configurar a camada de gerenciamento do Kubernetes + +O comando "init" executa as fases abaixo: +``` +preflight Efetua as verificações pré-execução +certs Geração de certificados + /ca Gera a autoridade de certificação (CA) auto-assinada do Kubernetes para provisionamento de identidades para outros componentes do Kubernetes + /apiserver Gera o certificado para o servidor da API do Kubernetes + /apiserver-kubelet-client Gera o certificado para o servidor da API se conectar ao Kubelet + /front-proxy-ca Gera a autoridade de certificação (CA) auto-assinada para provisionamento de identidades para o front proxy + /front-proxy-client Gera o certificado para o cliente do front proxy + /etcd-ca Gera a autoridade de certificação (CA) auto-assinada para provisionamento de identidades para o etcd + /etcd-server Gera o certificado para servir o etcd + /etcd-peer Gera o certificado para comunicação entre nós do etcd + /etcd-healthcheck-client Gera o certificado para liveness probes fazerem a verificação de integridade do etcd + /apiserver-etcd-client Gera o certificado que o servidor da API utiliza para comunicar-se com o etcd + /sa Gera uma chave privada para assinatura de tokens de conta de serviço, juntamente com sua chave pública +kubeconfig Gera todos os arquivos kubeconfig necessários para estabelecer a camada de gerenciamento e o arquivo kubeconfig de administração + /admin Gera um arquivo kubeconfig para o administrador e o próprio kubeadm utilizarem + /kubelet Gera um arquivo kubeconfig para o kubelet utilizar *somente* para fins de inicialização do cluster + /controller-manager Gera um arquivo kubeconfig para o gerenciador de controladores utilizar + /scheduler Gera um arquivo kubeconfig para o escalonador do Kubernetes utilizar +kubelet-start Escreve as configurações do kubelet e (re)inicializa o kubelet +control-plane Gera todos os 
manifestos de Pods estáticos necessários para estabelecer a camada de gerenciamento + /apiserver Gera o manifesto do Pod estático do kube-apiserver + /controller-manager Gera o manifesto do Pod estático do kube-controller-manager + /scheduler Gera o manifesto do Pod estático do kube-scheduler +etcd Gera o manifesto do Pod estático para um etcd local + /local Gera o manifesto do Pod estático para uma instância local e de nó único do etcd +upload-config Sobe a configuração do kubeadm e do kubelet para um ConfigMap + /kubeadm Sobe a configuração ClusterConfiguration do kubeadm para um ConfigMap + /kubelet Sobe a configuração do kubelet para um ConfigMap +upload-certs Sobe os certificados para o kubeadm-certs +mark-control-plane Marca um nó como parte da camada de gerenciamento +bootstrap-token Gera tokens de autoinicialização utilizados para associar um nó a um cluster +kubelet-finalize Atualiza configurações relevantes ao kubelet após a inicialização TLS + /experimental-cert-rotation Habilita rotação de certificados do cliente do kubelet +addon Instala os addons requeridos para passar nos testes de conformidade + /coredns Instala o addon CoreDNS em um cluster Kubernetes + /kube-proxy Instala o addon kube-proxy em um cluster Kubernetes +``` + + +``` +kubeadm init [flags] +``` + +### Opções + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
--apiserver-advertise-address string

O endereço IP que o servidor da API irá divulgar que está escutando. Quando não informado, a interface de rede padrão é utilizada.

--apiserver-bind-port int32     Padrão: 6443

Porta para o servidor da API conectar-se.

--apiserver-cert-extra-sans strings

Nomes alternativos (Subject Alternative Names, ou SANs) opcionais a serem adicionados ao certificado utilizado pelo servidor da API. Pode conter endereços IP ou nomes DNS.

--cert-dir string     Padrão: "/etc/kubernetes/pki"

O caminho para salvar e armazenar certificados.

--certificate-key string

Chave utilizada para encriptar os certificados da camada de gerenciamento no Secret kubeadm-certs.

--config string

Caminho para um arquivo de configuração do kubeadm.

--control-plane-endpoint string

Especifica um endereço IP estável ou nome DNS para a camada de gerenciamento.

--cri-socket string

Caminho para o soquete CRI se conectar. Se vazio, o kubeadm tentará autodetectar este valor; utilize esta opção somente se você possui mais que um CRI instalado ou se você possui um soquete CRI fora do padrão.

--dry-run

Não aplica as modificações; apenas imprime as alterações que seriam efetuadas.

--feature-gates string

Um conjunto de pares chave=valor que descreve feature gates para várias funcionalidades. As opções são:
PublicKeysECDSA=true|false (ALFA - padrão=false)
RootlessControlPlane=true|false (ALFA - padrão=false)
UnversionedKubeletConfigMap=true|false (BETA - padrão=true)

-h, --help

ajuda para init

--ignore-preflight-errors strings

Uma lista de verificações para as quais erros serão exibidos como avisos. Exemplos: 'IsPrivilegedUser,Swap'. O valor 'all' ignora erros de todas as verificações.

--image-repository string     Padrão: "k8s.gcr.io"

Seleciona um registro de contêineres de onde baixar imagens.

--kubernetes-version string     Padrão: "stable-1"

Seleciona uma versão do Kubernetes específica para a camada de gerenciamento.

--node-name string

Especifica o nome do nó.

--patches string

+Caminho para um diretório contendo arquivos nomeados no padrão "target[suffix][+patchtype].extension". Por exemplo, "kube-apiserver0+merge.yaml" ou somente "etcd.json". +"target" pode ser um dos seguintes valores: "kube-apiserver", "kube-controller-manager", "kube-scheduler", "etcd". +"patchtype" pode ser "strategic", "merge" ou "json" e corresponde aos formatos de patch suportados pelo kubectl. O valor padrão para "patchtype" é "strategic". +"extension" deve ser "json" ou "yaml". "suffix" é uma string opcional utilizada para determinar quais patches são aplicados primeiro em ordem alfanumérica. +

--pod-network-cidr string

Especifica um intervalo de endereços IP para a rede do Pod. Quando especificado, a camada de gerenciamento irá automaticamente alocar CIDRs para cada nó.

--service-cidr string     Padrão: "10.96.0.0/12"

Utiliza um intervalo alternativo de endereços IP para VIPs de serviço.

--service-dns-domain string     Padrão: "cluster.local"

Utiliza um domínio alternativo para os serviços. Por exemplo, "myorg.internal".

--skip-certificate-key-print

Não exibe a chave utilizada para encriptar os certificados da camada de gerenciamento.

--skip-phases strings

Lista de fases a serem ignoradas.

--skip-token-print

Pula a impressão do token de autoinicialização padrão gerado pelo comando 'kubeadm init'.

--token string

O token a ser utilizado para estabelecer confiança bidirecional entre nós de carga de trabalho e nós da camada de gerenciamento. O formato segue a expressão regular [a-z0-9]{6}.[a-z0-9]{16} - por exemplo, abcdef.0123456789abcdef.

--token-ttl duration     Padrão: 24h0m0s

A duração de tempo de um token antes deste ser automaticamente apagado (por exemplo, 1s, 2m, 3h). Quando informado '0', o token não expira.

--upload-certs

Sobe os certificados da camada de gerenciamento para o Secret kubeadm-certs.

+ + + +### Opções herdadas de comandos superiores + + ++++ + + + + + + + + + + +
--rootfs string

[EXPERIMENTAL] O caminho para o sistema de arquivos raiz 'real' do host.
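Review bot: in the options table, the description of `--apiserver-bind-port` reads "Porta para o servidor da API conectar-se.", which says the API server connects to this port; the flag name says it is the port the server binds to, so wording such as "Porta em que o servidor da API escuta" would match the flag and stay consistent with the `--apiserver-advertise-address` entry just above it ("está escutando").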

+ + + diff --git a/content/pt-br/docs/reference/setup-tools/kubeadm/kubeadm-init.md b/content/pt-br/docs/reference/setup-tools/kubeadm/kubeadm-init.md new file mode 100644 index 0000000000000..969425de72ecf --- /dev/null +++ b/content/pt-br/docs/reference/setup-tools/kubeadm/kubeadm-init.md 
@@ -0,0 +1,431 @@ +--- +title: kubeadm init +content_type: concept +weight: 20 +--- + + + +Este comando inicializa um nó da camada de gerenciamento do Kubernetes. + + + +{{< include "generated/kubeadm_init.md" >}} + +### Fluxo do comando Init {#init-workflow} + +O comando `kubeadm init` inicializa um nó da camada de gerenciamento do Kubernetes +através da execução dos passos abaixo: + +1. Roda uma série de verificações pré-execução para validar o estado do sistema + antes de efetuar mudanças. Algumas verificações emitem apenas avisos, outras + são consideradas erros e cancelam a execução do kubeadm até que o problema + seja corrigido ou que o usuário especifique a opção + `--ignore-preflight-errors=`. + +1. Gera uma autoridade de certificação (CA) auto-assinada para criar identidades + para cada um dos componentes do cluster. O usuário pode informar seu próprio + certificado CA e/ou chave ao instalar estes arquivos no diretório de + certificados configurado através da opção `--cert-dir` (por padrão, este + diretório é `/etc/kubernetes/pki`). + Os certificados do servidor da API terão entradas adicionais para nomes + alternativos (_subject alternative names_, ou SANs) especificados através da + opção `--apiserver-cert-extra-sans`. Estes argumentos serão modificados para + caracteres minúsculos quando necessário. + +1. Escreve arquivos kubeconfig adicionais no diretório `/etc/kubernetes` para o + kubelet, para o gerenciador de controladores e para o escalonador utilizarem + ao conectarem-se ao servidor da API, cada um com sua própria identidade, bem + como um arquivo kubeconfig adicional para administração do cluster chamado + `admin.conf`. + +1. Gera manifestos de Pods estáticos para o servidor da API, para o gerenciador + de controladores e para o escalonador. No caso de uma instância externa do + etcd não ter sido providenciada, um manifesto de Pod estático adicional é + gerado para o etcd. 
+ + Manifestos de Pods estáticos são escritos no diretório `/etc/kubernetes/manifests`; + o kubelet lê este diretório em busca de manifestos de Pods para criar na + inicialização. + + Uma vez que os Pods da camada de gerenciamento estejam criados e rodando, + a sequência de execução do comando `kubeadm init` pode continuar. + +1. Aplica _labels_ e _taints_ ao nó da camada de gerenciamento de modo que cargas + de trabalho adicionais não sejam escalonadas para executar neste nó. + +1. Gera o token que nós adicionais podem utilizar para associarem-se a uma + camada de gerenciamento no futuro. Opcionalmente, o usuário pode fornecer um + token através da opção `--token`, conforme descrito na documentação do + comando [kubeadm token](/pt-br/docs/reference/setup-tools/kubeadm/kubeadm-token/). + +1. Prepara todas as configurações necessárias para permitir que nós se associem + ao cluster utilizando os mecanismos de + [Tokens de Inicialização](/pt-br/docs/reference/access-authn-authz/bootstrap-tokens/) + e [Inicialização TLS](/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/): + + - Escreve um ConfigMap para disponibilizar toda a informação necessária para + associar-se a um cluster e para configurar regras de controle de acesso + baseada em funções (RBAC). + + - Permite o acesso dos tokens de inicialização à API de assinaturas CSR. + + - Configura a auto-aprovação de novas requisições CSR. + + Para mais informações, consulte + [kubeadm join](/docs/reference/setup-tools/kubeadm/kubeadm-join/). + +1. Instala um servidor DNS (CoreDNS) e os componentes adicionais do kube-proxy + através do servidor da API. A partir da versão 1.11 do Kubernetes, CoreDNS é + o servidor DNS padrão. Mesmo que o servidor DNS seja instalado nessa etapa, + o seu Pod não será escalonado até que um CNI seja instalado. + + {{< warning >}} + O uso do kube-dns com o kubeadm foi descontinuado na versão v1.18 e removido + na versão v1.21 do Kubernetes. 
+ {{< /warning >}} + +### Utilizando fases de inicialização com o kubeadm {#init-phases} + +O kubeadm permite que você crie um nó da camada de gerenciamento em fases +utilizando o comando `kubeadm init phase`. + +Para visualizar a lista ordenada de fases e subfases, você pode rodar o comando +`kubeadm init --help`. A lista estará localizada no topo da ajuda e cada fase +tem sua descrição listada juntamente com o comando. Perceba que ao rodar o +comando `kubeadm init` todas as fases e subfases são executadas nesta ordem +exata. + +Algumas fases possuem flags específicas. Caso você deseje ver uma lista de todas +as opções disponíveis, utilize a flag `--help`. Por exemplo: + +```shell +sudo kubeadm init phase control-plane controller-manager --help +``` + +Você também pode utilizar a flag `--help` para ver uma lista de subfases de uma +fase superior: + +```shell +sudo kubeadm init phase control-plane --help +``` + +`kubeadm init` também expõe uma flag chamada `--skip-phases` que pode ser +utilizada para pular a execução de certas fases. Esta flag aceita uma lista de +nomes de fases. Os nomes de fases aceitos estão descritos na lista ordenada +acima. + +Um exemplo: + +```shell +sudo kubeadm init phase control-plane all --config=configfile.yaml +sudo kubeadm init phase etcd local --config=configfile.yaml +# agora você pode modificar os manifestos da camada de gerenciamento e do etcd +sudo kubeadm init --skip-phases=control-plane,etcd --config=configfile.yaml +``` + +O que este exemplo faz é escrever os manifestos da camada de gerenciamento e do +etcd no diretório `/etc/kubernetes/manifests`, baseados na configuração descrita +no arquivo `configfile.yaml`. Isto permite que você modifique os arquivos e +então pule estas fases utilizando a opção `--skip-phases`. Ao chamar o último +comando, você cria um nó da camada de gerenciamento com os manifestos +personalizados. 
+ +{{< feature-state for_k8s_version="v1.22" state="beta" >}} + +Como alternativa, você pode também utilizar o campo `skipPhases` na configuração +`InitConfiguration`. + +### Utilizando kubeadm init com um arquivo de configuração {#config-file} + +{{< caution >}} +O arquivo de configuração ainda é considerado uma funcionalidade de estado beta +e pode mudar em versões futuras. +{{< /caution >}} + +É possível configurar o comando `kubeadm init` com um arquivo de configuração ao +invés de argumentos de linha de comando, e algumas funcionalidades mais avançadas +podem estar disponíveis apenas como opções do arquivo de configuração. Este +arquivo é fornecido utilizando a opção `--config` e deve conter uma estrutura +`ClusterConfiguration` e, opcionalmente, mais estruturas separadas por `---\n`. +Combinar a opção `--config` com outras opções de linha de comando pode não ser +permitido em alguns casos. + +A configuração padrão pode ser emitida utilizando o comando +[kubeadm config print](/pt-br/docs/reference/setup-tools/kubeadm/kubeadm-config/). + +Se a sua configuração não estiver utilizando a última versão, é **recomendado** +que você migre utilizando o comando +[kubeadm config migrate](/pt-br/docs/reference/setup-tools/kubeadm/kubeadm-config/). + +Para mais informações sobre os campos e utilização da configuração, você pode +consultar a +[página de referência da API](/docs/reference/config-api/kubeadm-config.v1beta3/). + +### Utilizando kubeadm init com _feature gates_ {#feature-gates} + +O kubeadm suporta um conjunto de _feature gates_ que são exclusivos do kubeadm e +podem ser utilizados somente durante a criação de um cluster com `kubeadm init`. +Estas funcionalidades podem controlar o comportamento do cluster. Os +_feature gates_ são removidos assim que uma funcionalidade atinge a disponibilidade +geral (_general availability_, ou GA). 
+ +Para informar um _feature gate_, você pode utilizar a opção `--feature-gates` +do comando `kubeadm init`, ou pode adicioná-las no campo `featureGates` quando +um [arquivo de configuração](/docs/reference/config-api/kubeadm-config.v1beta3/#kubeadm-k8s-io-v1beta3-ClusterConfiguration) +é utilizado através da opção `--config`. + +A utilização de +[_feature gates_ dos componentes principais do Kubernetes](/docs/reference/command-line-tools-reference/feature-gates) +com o kubeadm não é suportada. Ao invés disso, é possível enviá-los através da +[personalização de componentes com a API do kubeadm](/docs/setup/production-environment/tools/kubeadm/control-plane-flags/). + +Lista dos _feature gates_: + +{{< table caption="_feature gates_ do kubeadm" >}} +_Feature gate_ | Valor-padrão | Versão Alfa | Versão Beta +:-----------------------------|:-------------|:------------|:----------- +`PublicKeysECDSA` | `false` | 1.19 | - +`RootlessControlPlane` | `false` | 1.22 | - +`UnversionedKubeletConfigMap` | `true` | 1.22 | 1.23 +{{< /table >}} + +{{< note >}} +Assim que um _feature gate_ atinge a disponibilidade geral, ele é removido desta +lista e o seu valor fica bloqueado em `true` por padrão. Ou seja, a funcionalidade +estará sempre ativa. +{{< /note >}} + +Descrição dos _feature gates_: + +`PublicKeysECDSA` +: Pode ser utilizado para criar um cluster que utilize certificados ECDSA no +lugar do algoritmo RSA padrão. A renovação dos certificados ECDSA existentes +também é suportada utilizando o comando `kubeadm certs renew`, mas você não pode +alternar entre os algoritmos RSA e ECDSA dinamicamente ou durante atualizações. + +`RootlessControlPlane` +: Quando habilitada esta opção, os componentes da camada de gerenciamento cuja +instalação de Pods estáticos é controlada pelo kubeadm, como o `kube-apiserver`, +`kube-controller-manager`, `kube-scheduler` e `etcd`, têm seus contêineres +configurados para rodarem como usuários não-root. 
Se a opção não for habilitada, +estes componentes são executados como root. Você pode alterar o valor deste +_feature gate_ antes de atualizar seu cluster para uma versão mais recente do +Kubernetes. + +`UnversionedKubeletConfigMap` +: Esta opção controla o nome do {{< glossary_tooltip text="ConfigMap" term_id="configmap" >}} +onde o kubeadm armazena os dados de configuração do kubelet. Quando esta opção +não for especificada ou estiver especificada com o valor `true`, o ConfigMap +será nomeado `kubelet-config`. Caso esteja especificada com o valor `false`, o +nome do ConfigMap incluirá as versões maior e menor do Kubernetes instalado +(por exemplo, `kubelet-config-{{< skew currentVersion >}}`). O kubeadm garante +que as regras de RBAC para leitura e escrita deste ConfigMap serão apropriadas +para o valor escolhido. Quando o kubeadm cria este ConfigMap (durante a execução +dos comandos `kubeadm init` ou `kubeadm upgrade apply`), o kubeadm irá respeitar +o valor da opção `UnversionedKubeletConfigMap`. Quando tal ConfigMap for lido +(durante a execução dos comandos `kubeadm join`, `kubeadm reset`, +`kubeadm upgrade...`), o kubeadm tentará utilizar o nome do ConfigMap sem a +versão primeiro. Se esta operação não for bem-sucedida, então o kubeadm irá +utilizar o nome legado (versionado) para este ConfigMap. + +{{< note >}} +Informar a opção `UnversionedKubeletConfigMap` com o valor `false` é suportado, +mas está **descontinuado**. 
+{{< /note >}} + +### Adicionando parâmetros do kube-proxy {#kube-proxy} + +Para informações sobre como utilizar parâmetros do kube-proxy na configuração +do kubeadm, veja: +- [referência do kube-proxy](/docs/reference/config-api/kube-proxy-config.v1alpha1/) + +Para informações sobre como habilitar o modo IPVS com o kubeadm, veja: +- [IPVS](https://github.com/kubernetes/kubernetes/blob/master/pkg/proxy/ipvs/README.md) + +### Informando opções personalizadas em componentes da camada de gerenciamento {#control-plane-flags} + +Para informações sobre como passar as opções aos componentes da camada de +gerenciamento, veja: +- [opções da camada de gerenciamento](/docs/setup/production-environment/tools/kubeadm/control-plane-flags/) + +### Executando o kubeadm sem uma conexão à internet {#without-internet-connection} + +Para executar o kubeadm sem uma conexão à internet, você precisa baixar as imagens +de contêiner requeridas pela camada de gerenciamento. + +Você pode listar e baixar as imagens utilizando o subcomando +`kubeadm config images`: + +```shell +kubeadm config images list +kubeadm config images pull +``` + +Você pode passar a opção `--config` para os comandos acima através de um +[arquivo de configuração do kubeadm](#config-file) para controlar os campos +`kubernetesVersion` e `imageRepository`. + +Todas as imagens padrão hospedadas em `k8s.gcr.io` que o kubeadm requer suportam +múltiplas arquiteturas. + +### Utilizando imagens personalizadas {#custom-images} + +Por padrão, o kubeadm baixa imagens hospedadas no repositório de contêineres +`k8s.gcr.io`. Se a versão requisitada do Kubernetes é um rótulo de integração +contínua (por exemplo, `ci/latest`), o repositório de contêineres +`gcr.io/k8s-staging-ci-images` é utilizado. + +Você pode sobrescrever este comportamento utilizando o +[kubeadm com um arquivo de configuração](#config-file). Personalizações permitidas +são: + +* Fornecer um valor para o campo `kubernetesVersion` que afeta a versão das + imagens. 
+* Fornecer um repositório de contêineres alternativo através do campo + `imageRepository` para ser utilizado no lugar de `k8s.gcr.io`. +* Fornecer um valor específico para os campos `imageRepository` e `imageTag`, + correspondendo ao repositório de contêineres e tag a ser utilizada, para as imagens + dos componentes etcd ou CoreDNS. + +Caminhos de imagens do repositório de contêineres padrão `k8s.gcr.io` podem diferir +dos utilizados em repositórios de contêineres personalizados através do campo +`imageRepository` devido a razões de retrocompatibilidade. Por exemplo, uma +imagem pode ter um subcaminho em `k8s.gcr.io/subcaminho/imagem`, mas quando +utilizado um repositório de contêineres personalizado, o valor padrão será +`meu.repositoriopersonalizado.io/imagem`. + +Para garantir que você terá as imagens no seu repositório personalizado em +caminhos que o kubeadm consiga consumir, você deve: + +* Baixar as imagens dos caminhos padrão `k8s.gcr.io` utilizando o comando + `kubeadm config images {list|pull}`. +* Subir as imagens para os caminhos listados no resultado do comando + `kubeadm config images list --config=config.yaml`, onde `config.yaml` contém + o valor customizado do campo `imageRepository`, e/ou `imageTag` para os + componentes etcd e CoreDNS. +* Utilizar o mesmo arquivo `config.yaml` quando executar o comando `kubeadm init`. + +#### Imagens personalizadas para o _sandbox_ (imagem `pause`) {#custom-pause-image} + +Para configurar uma imagem personalizada para o _sandbox_, você precisará +configurar o {{< glossary_tooltip text="agente de execução de contêineres" term_id="container-runtime" >}} +para utilizar a imagem. +Verifique a documentação para o seu agente de execução de contêineres para +mais informações sobre como modificar esta configuração; para alguns agentes de +execução de contêiner você também encontrará informações no tópico +[Agentes de Execução de Contêineres](/docs/setup/production-environment/container-runtimes/). 
+ +### Carregando certificados da camada de gerenciamento no cluster + +Ao adicionar a opção `--upload-certs` ao comando `kubeadm init` você pode +subir temporariamente certificados da camada de gerenciamento em um Secret no +cluster. Este Secret expira automaticamente após 2 horas. Os certificados são +encriptados utilizando uma chave de 32 bytes que pode ser especificada através +da opção `--certificate-key`. A mesma chave pode ser utilizada para baixar +certificados quando nós adicionais da camada de gerenciamento estão se associando +ao cluster, utilizando as opções `--control-plane` e `--certificate-key` ao rodar +`kubeadm join`. + +O seguinte comando de fase pode ser usado para subir os certificados novamente +após a sua expiração: + +```shell +kubeadm init phase upload-certs --upload-certs --certificate-key=ALGUM_VALOR --config=ALGUM_ARQUIVO_YAML +``` + +Se a opção `--certificate-key` não for passada aos comandos `kubeadm init` +e `kubeadm init phase upload-certs`, uma nova chave será gerada automaticamente. + +O comando abaixo pode ser utilizado para gerar uma nova chave sob demanda: + +```shell +kubeadm certs certificate-key +``` + +### Gerenciamento de certificados com o kubeadm + +Para informações detalhadas sobre gerenciamento de certificados com o kubeadm, +consulte [Gerenciamento de Certificados com o kubeadm](/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/). +O documento inclui informações sobre a utilização de autoridades de certificação +(CA) externas, certificados personalizados e renovação de certificados. + +### Gerenciando o arquivo _drop-in_ do kubeadm para o kubelet {#kubelet-drop-in} + +O pacote `kubeadm` é distribuído com um arquivo de configuração para rodar o +`kubelet` utilizando `systemd`. Note que o kubeadm nunca altera este arquivo. +Este arquivo _drop-in_ é parte do pacote DEB/RPM do kubeadm. 
+ +Para mais informações, consulte +[Gerenciando o arquivo drop-in do kubeadm para o systemd](/docs/setup/production-environment/tools/kubeadm/kubelet-integration/#the-kubelet-drop-in-file-for-systemd). + +### Usando o kubeadm com agentes de execução CRI + +Por padrão, o kubeadm tenta detectar seu agente de execução de contêineres. Para +mais detalhes sobre esta detecção, consulte o +[guia de instalação CRI do kubeadm](/pt-br/docs/setup/production-environment/tools/kubeadm/install-kubeadm/#instalando-agente-de-execucao). + +### Configurando o nome do nó + +Por padrão, o `kubeadm` gera um nome para o nó baseado no endereço da máquina. +Você pode sobrescrever esta configuração utilizando a opção `--node-name`. Esta +opção passa o valor apropriado para a opção [`--hostname-override`](/docs/reference/command-line-tools-reference/kubelet/#options) +do kubelet. + +Note que sobrescrever o hostname de um nó pode +[interferir com provedores de nuvem](https://github.com/kubernetes/website/pull/8873). + +### Automatizando o kubeadm + +Ao invés de copiar o token que você obteve do comando `kubeadm init` para cada nó, +como descrito no [tutorial básico do kubeadm](/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/), +você pode paralelizar a distribuição do token para facilitar a automação. +Para implementar esta automação, você precisa saber o endereço IP que o nó da +camada de gerenciamento irá ter após a sua inicialização, ou utilizar um nome +DNS ou um endereço de um balanceador de carga. + +1. Gere um token. Este token deve ter a forma `.`. + Mais especificamente, o token precisa ser compatível com a expressão regular: + `[a-z0-9]{6}\.[a-z0-9]{16}`. + + O kubeadm pode gerar um token para você: + + ```shell + kubeadm token generate + ``` + +1. Inicialize o nó da camada de gerenciamento e os nós de carga de trabalho de + forma concorrente com este token. Conforme os nós forem iniciando, eles + deverão encontrar uns aos outros e formar o cluster. 
O mesmo argumento + `--token` pode ser utilizado em ambos os comandos `kubeadm init` e + `kubeadm join`. + +1. O mesmo procedimento pode ser feito para a opção `--certificate-key` quando + nós adicionais da camada de gerenciamento associarem-se ao cluster. A chave + pode ser gerada utilizando: + + ```shell + kubeadm certs certificate-key + ``` + +Uma vez que o cluster esteja inicializado, você pode buscar as credenciais para +a camada de gerenciamento no caminho `/etc/kubernetes/admin.conf` e utilizá-las +para conectar-se ao cluster. + +Note que este tipo de inicialização tem algumas garantias de segurança relaxadas +pois ele não permite que o hash do CA raiz seja validado com a opção +`--discovery-token-ca-cert-hash` (pois este hash não é gerado quando os nós são +provisionados). Para detalhes, veja a documentação do comando +[kubeadm join](/docs/reference/setup-tools/kubeadm/kubeadm-join/). + +## {{% heading "whatsnext" %}} + +* [kubeadm init phase](/docs/reference/setup-tools/kubeadm/kubeadm-init-phase/) + para entender mais sobre as fases do comando `kubeadm init` +* [kubeadm join](/docs/reference/setup-tools/kubeadm/kubeadm-join/) para + inicializar um nó de carga de trabalho do Kubernetes e associá-lo ao cluster +* [kubeadm upgrade](/docs/reference/setup-tools/kubeadm/kubeadm-upgrade/) + para atualizar um cluster do Kubernetes para uma versão mais recente +* [kubeadm reset](/pt-br/docs/reference/setup-tools/kubeadm/kubeadm-reset/) + para reverter quaisquer mudanças feitas neste host pelos comandos + `kubeadm init` ou `kubeadm join` From e4611a889cd7c77071eddb13f48c5b58677461df Mon Sep 17 00:00:00 2001 
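Review bot: the links on the pt-br kubeadm page above mix two prefixes. Most point at `/docs/...` (for example the `kubeadm join` and `kubeadm upgrade` entries under whatsnext), while the CRI install guide and `kubeadm reset` point at `/pt-br/docs/...`. Please confirm that each `/docs/...` target has no pt-br page yet, and switch the ones that do, so readers are not sent to the English version by accident. Separately, "Ao invés disso" and "Ao invés de copiar" are used in the sense of "instead of"; "em vez de" is the usual form for that meaning.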
From: Esteban Cano <58123463+estebancano-dev@users.noreply.github.com> Date: Sat, 19 Nov 2022 18:04:55 -0300 Subject: [PATCH 108/139] updated nginx version to follow examples correctly following examples https://kubernetes.io/docs/tasks/run-application/run-stateless-application-deployment/#scaling-the-application-by-increasing-the-replica-count If you update replicas from 2 to 4 using the last deployment yaml, nginx version was 1.16.1, so 2 containers were already created and 2 new ones (that's why the table referenced as "The output is similar to this" shows AGE as 25s and 2m). If this deployment has nginx version 1.14.2, all containers will be recreated instead of just adding 2, so it can be confusing for the newcomers --- content/en/examples/application/deployment-scale.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/examples/application/deployment-scale.yaml b/content/en/examples/application/deployment-scale.yaml index 01fe96d84565e..838576375ef6f 100644 --- a/content/en/examples/application/deployment-scale.yaml +++ b/content/en/examples/application/deployment-scale.yaml @@ -14,6 +14,6 @@ spec: spec: containers: - name: nginx - image: nginx:1.14.2 + image: nginx:1.16.1 ports: - containerPort: 80 From 23f3d0f89f1ca96312df0b129b3a429ac2cb7d96 Mon Sep 17 00:00:00 2001 From: Gao Qian Date: Sun, 20 Nov 2022 20:56:14 -0500 Subject: [PATCH 109/139] [zh-cn] Updated /labels-annotations-taints/_index.md Signed-off-by: Gao Qian --- .../labels-annotations-taints/_index.md | 22 +++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) diff --git a/content/zh-cn/docs/reference/labels-annotations-taints/_index.md b/content/zh-cn/docs/reference/labels-annotations-taints/_index.md index 036c5ac45a077..8d11ab3bdca20 100644 --- a/content/zh-cn/docs/reference/labels-annotations-taints/_index.md +++ b/content/zh-cn/docs/reference/labels-annotations-taints/_index.md 
@@ -1,14 +1,14 @@ --- title: 众所周知的标签、注解和污点 content_type: concept -weight: 20 +weight: 40 no_list: true --- @@ -626,6 +626,24 @@ StatefulSet topic for more details. 有关详细信息,请参阅 StatefulSet 主题中的 [Pod 名称标签](/zh-cn/docs/concepts/workloads/controllers/statefulset/#pod-name-label)。 + +### scheduler.alpha.kubernetes.io/node-selector {#schedulerkubernetesnode-selector} + +例子:`scheduler.alpha.kubernetes.io/node-selector: "name-of-node-selector"` + +用于:Namespace + +[PodNodeSelector](/zh-cn/docs/reference/access-authn-authz/admission-controllers/#podnodeselector) +使用此注解键为名字空间中的 Pod 设置节点选择算符。 + -without the API server observing it. \ No newline at end of file +without the API server observing it. + +Static Pods do not support {{< glossary_tooltip text="ephemeral containers" term_id="ephemeral-container" >}}. diff --git a/content/en/docs/tasks/configure-pod-container/static-pod.md b/content/en/docs/tasks/configure-pod-container/static-pod.md index e2eab5088e096..23191e1ffe688 100644 --- a/content/en/docs/tasks/configure-pod-container/static-pod.md +++ b/content/en/docs/tasks/configure-pod-container/static-pod.md @@ -38,6 +38,10 @@ The `spec` of a static Pod cannot refer to other API objects {{< glossary_tooltip text="Secret" term_id="secret" >}}, etc). {{< /note >}} +{{< note >}} +Static pods do not support [ephemeral containers](/docs/concepts/workloads/pods/ephemeral-containers/). +{{< /note >}} + ## {{% heading "prerequisites" %}} {{< include "task-tutorial-prereqs.md" >}} {{< version-check >}} From 50ba7f8718dc18f29741aba58e0e04ab094768aa Mon Sep 17 00:00:00 2001 From: Michael Date: Sun, 20 Nov 2022 14:33:02 +0800 Subject: [PATCH 115/139] Fix indentation and typos in kubelet-tls-bootstrapping.md --- .../kubelet-tls-bootstrapping.md | 32 +++++++++---------- 1 file changed, 16 insertions(+), 16 deletions(-) 
diff --git a/content/en/docs/reference/access-authn-authz/kubelet-tls-bootstrapping.md b/content/en/docs/reference/access-authn-authz/kubelet-tls-bootstrapping.md index b0076eae502d6..71beccb53f5b0 100644 --- a/content/en/docs/reference/access-authn-authz/kubelet-tls-bootstrapping.md +++ b/content/en/docs/reference/access-authn-authz/kubelet-tls-bootstrapping.md @@ -65,8 +65,8 @@ In the bootstrap initialization process, the following occurs: 6. kubelet now has limited credentials to create and retrieve a certificate signing request (CSR) 7. kubelet creates a CSR for itself with the signerName set to `kubernetes.io/kube-apiserver-client-kubelet` 8. CSR is approved in one of two ways: - * If configured, kube-controller-manager automatically approves the CSR - * If configured, an outside process, possibly a person, approves the CSR using the Kubernetes API or via `kubectl` + * If configured, kube-controller-manager automatically approves the CSR + * If configured, an outside process, possibly a person, approves the CSR using the Kubernetes API or via `kubectl` 9. Certificate is created for the kubelet 10. Certificate is issued to the kubelet 11. kubelet retrieves the certificate @@ -126,7 +126,7 @@ of provisioning. 1. [Bootstrap Tokens](#bootstrap-tokens) 2. [Token authentication file](#token-authentication-file) -Bootstrap tokens are a simpler and more easily managed method to authenticate kubelets, and do not require any additional flags when starting kube-apiserver. +Using bootstrap tokens is a simpler and more easily managed method to authenticate kubelets, and does not require any additional flags when starting kube-apiserver. Whichever method you choose, the requirement is that the kubelet be able to authenticate as a user with the rights to: 
@@ -176,7 +176,7 @@ systems). There are multiple ways you can generate a token. For example: head -c 16 /dev/urandom | od -An -t x | tr -d ' ' ``` -will generate tokens that look like `02b50b05283e98dd0fd71db496ef01e8`. +This will generate tokens that look like `02b50b05283e98dd0fd71db496ef01e8`. The token file should look like the following example, where the first three values can be anything and the quoted group name should be as depicted: @@ -186,7 +186,7 @@ values can be anything and the quoted group name should be as depicted: ``` Add the `--token-auth-file=FILENAME` flag to the kube-apiserver command (in your -systemd unit file perhaps) to enable the token file. See docs +systemd unit file perhaps) to enable the token file. See docs [here](/docs/reference/access-authn-authz/authentication/#static-token-file) for further details. @@ -247,7 +247,7 @@ To provide the Kubernetes CA key and certificate to kube-controller-manager, use --cluster-signing-cert-file="/etc/path/to/kubernetes/ca/ca.crt" --cluster-signing-key-file="/etc/path/to/kubernetes/ca/ca.key" ``` -for example: +For example: ```shell --cluster-signing-cert-file="/var/lib/kubernetes/ca.pem" --cluster-signing-key-file="/var/lib/kubernetes/ca-key.pem" @@ -312,7 +312,7 @@ by default. The controller uses the [`SubjectAccessReview` API](/docs/reference/access-authn-authz/authorization/#checking-api-access) to determine if a given user is authorized to request a CSR, then approves based on the authorization outcome. To prevent conflicts with other approvers, the -builtin approver doesn't explicitly deny CSRs. It only ignores unauthorized +built-in approver doesn't explicitly deny CSRs. It only ignores unauthorized requests. The controller also prunes expired certificates as part of garbage collection. 
@@ -435,12 +435,12 @@ controller, or manually approve the serving certificate requests. A deployment-specific approval process for kubelet serving certificates should typically only approve CSRs which: -1. are requested by nodes (ensure the `spec.username` field is of the form - `system:node:` and `spec.groups` contains `system:nodes`) -2. request usages for a serving certificate (ensure `spec.usages` contains `server auth`, +1. are requested by nodes (ensure the `spec.username` field is of the form + `system:node:` and `spec.groups` contains `system:nodes`) +2. request usages for a serving certificate (ensure `spec.usages` contains `server auth`, optionally contains `digital signature` and `key encipherment`, and contains no other usages) -3. only have IP and DNS subjectAltNames that belong to the requesting node, - and have no URI and Email subjectAltNames (parse the x509 Certificate Signing Request +3. only have IP and DNS subjectAltNames that belong to the requesting node, + and have no URI and Email subjectAltNames (parse the x509 Certificate Signing Request in `spec.request` to verify `subjectAltNames`) {{< /note >}} @@ -460,7 +460,7 @@ You have several options for generating these credentials: ## kubectl approval -CSRs can be approved outside of the approval flows builtin to the controller +CSRs can be approved outside of the approval flows built into the controller manager. The signing controller does not immediately sign all certificate requests. 
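Review bot: in the `@@ -435,12 +435,12 @@` hunk, the continuation lines "optionally contains `digital signature` ..." and "in `spec.request` to verify `subjectAltNames`)" stay as unchanged context while every other line of list items 1 to 3 is re-indented. Please confirm those two lines still line up with the new indentation, or include them in the change; otherwise items 2 and 3 can render with a detached continuation. This list is the approval criteria for kubelet serving CSRs, so it is worth checking the rendered page.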
@@ -469,6 +469,6 @@ appropriately-privileged user. This flow is intended to allow for automated approval handled by an external approval controller or the approval controller implemented in the core controller-manager. However cluster administrators can also manually approve certificate requests using kubectl. An administrator can -list CSRs with `kubectl get csr` and describe one in detail with `kubectl -describe csr `. An administrator can approve or deny a CSR with `kubectl -certificate approve ` and `kubectl certificate deny `. +list CSRs with `kubectl get csr` and describe one in detail with +`kubectl describe csr `. An administrator can approve or deny a CSR with +`kubectl certificate approve ` and `kubectl certificate deny `. From e69db4a24c4e0e1b91714e2e879772a0ad2d0fcc Mon Sep 17 00:00:00 2001 From: Kundan Kumar Date: Mon, 21 Nov 2022 17:04:47 +0530 Subject: [PATCH 116/139] Updated Objective in hindi --- .../kubernetes-basics/create-cluster/cluster-intro.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/hi/docs/tutorials/kubernetes-basics/create-cluster/cluster-intro.html b/content/hi/docs/tutorials/kubernetes-basics/create-cluster/cluster-intro.html index e1ef116278b65..3e5147b6472ad 100644 --- a/content/hi/docs/tutorials/kubernetes-basics/create-cluster/cluster-intro.html +++ b/content/hi/docs/tutorials/kubernetes-basics/create-cluster/cluster-intro.html @@ -18,7 +18,7 @@
-

Objectives

+

उद्देश्य

  • जानें कुबेरनेट्स क्लस्टर क्या है।
  • जानें मिनिक्यूब क्या है।
  • From 1ca0b812020d859f238d204c246eea041136f432 Mon Sep 17 00:00:00 2001 From: Surbhi Pathak <42321035+surbhiahuja@users.noreply.github.com> Date: Thu, 27 Oct 2022 00:05:55 +0530 Subject: [PATCH 117/139] Create pod-lifecycle.md --- .../docs/reference/glossary/pod-lifecycle.md | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 content/hi/docs/reference/glossary/pod-lifecycle.md diff --git a/content/hi/docs/reference/glossary/pod-lifecycle.md b/content/hi/docs/reference/glossary/pod-lifecycle.md new file mode 100644 index 0000000000000..166a53a0331a1 --- /dev/null +++ b/content/hi/docs/reference/glossary/pod-lifecycle.md @@ -0,0 +1,19 @@ +--- +title: पॉड जीवनचक्र (Pod Lifecycle) +id: पॉड जीवनचक्र (pod-lifecycle) +date: 2019-02-17 +full-link: /डॉक्स/कॉन्सेप्ट्स/वर्कलोड्स/पॉड्स/पॉड-लाइफसाइकल/ +related: + - पोडो + - कंटेनर +tags: + - मौलिक +short_description: > + अवस्थाओं का क्रम जिसके माध्यम से एक पॉड अपने जीवनकाल में गुजरता है। + +--- + अवस्थाओं का क्रम जिसके माध्यम से एक पॉड अपने जीवनकाल में गुजरता है। + + + +[पॉड लाइफ़साइकल](/ डॉक्स/कॉन्सेप्ट्स/वर्कलोड्स/पॉड्स/पॉड-लाइफसाइकल/) को पॉड की अवस्थाओं या चरणों द्वारा परिभाषित किया जाता है। पांच संभावित पॉड चरण हैं: लंबित, दौड़ना, सफल, विफल और अज्ञात। पॉड स्थिति का एक उच्च-स्तरीय विवरण [पॉडस्टैटस] (/ डॉक्स/संदर्भ/जेनरेटेड/कुबेरनेट्स-एपीआई/{{< परम "संस्करण" >}}/# पॉडस्टैटस-वी 1-कोर) `चरण` फ़ील्ड में सारांशित किया गया है। . From 73091e270421be12baa2defaa535ff07b5d74bdc Mon Sep 17 00:00:00 2001 From: Surbhi Pathak <42321035+surbhiahuja@users.noreply.github.com> Date: Thu, 27 Oct 2022 23:36:02 +0530 Subject: [PATCH 118/139] Review comments incorporated fixes/37535 --- content/hi/docs/reference/glossary/pod-lifecycle.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/content/hi/docs/reference/glossary/pod-lifecycle.md b/content/hi/docs/reference/glossary/pod-lifecycle.md index 166a53a0331a1..a79532877104e 100644 --- a/content/hi/docs/reference/glossary/pod-lifecycle.md 
+++ b/content/hi/docs/reference/glossary/pod-lifecycle.md @@ -2,12 +2,12 @@ title: पॉड जीवनचक्र (Pod Lifecycle) id: पॉड जीवनचक्र (pod-lifecycle) date: 2019-02-17 -full-link: /डॉक्स/कॉन्सेप्ट्स/वर्कलोड्स/पॉड्स/पॉड-लाइफसाइकल/ +full-link: /docs/concepts/workloads/pods/pod-lifecycle/ related: - - पोडो - - कंटेनर + - pod + - container tags: - - मौलिक + - fundamental short_description: > अवस्थाओं का क्रम जिसके माध्यम से एक पॉड अपने जीवनकाल में गुजरता है। @@ -16,4 +16,4 @@ short_description: > -[पॉड लाइफ़साइकल](/ डॉक्स/कॉन्सेप्ट्स/वर्कलोड्स/पॉड्स/पॉड-लाइफसाइकल/) को पॉड की अवस्थाओं या चरणों द्वारा परिभाषित किया जाता है। पांच संभावित पॉड चरण हैं: लंबित, दौड़ना, सफल, विफल और अज्ञात। पॉड स्थिति का एक उच्च-स्तरीय विवरण [पॉडस्टैटस] (/ डॉक्स/संदर्भ/जेनरेटेड/कुबेरनेट्स-एपीआई/{{< परम "संस्करण" >}}/# पॉडस्टैटस-वी 1-कोर) `चरण` फ़ील्ड में सारांशित किया गया है। . +[पॉड जीवनचक्र](/docs/concepts/workloads/pods/pod-lifecycle/) को पॉड की अवस्थाओं या चरणों द्वारा परिभाषित किया जाता है। पांच संभावित पॉड चरण हैं: लंबित, दौड़ना, सफल, विफल और अज्ञात। पॉड स्थिति का एक उच्च-स्तरीय विवरण [पॉडस्टैटस] (/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#podstatus-v1-core) `चरण` फ़ील्ड में सारांशित किया गया है। . From 3effc6c9b4d4c7bb99583a011aee684fa0d3b5dd Mon Sep 17 00:00:00 2001 From: Surbhi Pathak <42321035+surbhiahuja@users.noreply.github.com> Date: Sun, 6 Nov 2022 00:27:45 +0530 Subject: [PATCH 119/139] Update pod-lifecycle.md --- content/hi/docs/reference/glossary/pod-lifecycle.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/content/hi/docs/reference/glossary/pod-lifecycle.md b/content/hi/docs/reference/glossary/pod-lifecycle.md index a79532877104e..97f5c0058d68e 100644 --- a/content/hi/docs/reference/glossary/pod-lifecycle.md +++ b/content/hi/docs/reference/glossary/pod-lifecycle.md 
@@ -1,6 +1,6 @@ --- -title: पॉड जीवनचक्र (Pod Lifecycle) -id: पॉड जीवनचक्र (pod-lifecycle) +title: Pod Lifecycle +id: pod-lifecycle date: 2019-02-17 full-link: /docs/concepts/workloads/pods/pod-lifecycle/ related: @@ -16,4 +16,4 @@ short_description: > -[पॉड जीवनचक्र](/docs/concepts/workloads/pods/pod-lifecycle/) को पॉड की अवस्थाओं या चरणों द्वारा परिभाषित किया जाता है। पांच संभावित पॉड चरण हैं: लंबित, दौड़ना, सफल, विफल और अज्ञात। पॉड स्थिति का एक उच्च-स्तरीय विवरण [पॉडस्टैटस] (/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#podstatus-v1-core) `चरण` फ़ील्ड में सारांशित किया गया है। . +[पॉड जीवनचक्र](/docs/concepts/workloads/pods/pod-lifecycle/) को पॉड की अवस्थाओं या चरणों द्वारा परिभाषित किया जाता है। पाँच संभावित पॉड चरण हैं: Pending, Running, Succeeded, Failed और Unknown। पॉड स्थिति का एक उच्च-स्तरीय विवरण [पॉडस्टैटस](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#podstatus-v1-core) `phase` फ़ील्ड में सारांशित किया गया है। . From 83c989f960b50e3de5b8a4ba493f1c8a4016e62c Mon Sep 17 00:00:00 2001 From: Surbhi Pathak <42321035+surbhiahuja@users.noreply.github.com> Date: Mon, 21 Nov 2022 10:56:09 +0530 Subject: [PATCH 120/139] Update pod-lifecycle.md --- content/hi/docs/reference/glossary/pod-lifecycle.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/hi/docs/reference/glossary/pod-lifecycle.md b/content/hi/docs/reference/glossary/pod-lifecycle.md index 97f5c0058d68e..afd36d316b45c 100644 --- a/content/hi/docs/reference/glossary/pod-lifecycle.md +++ b/content/hi/docs/reference/glossary/pod-lifecycle.md @@ -1,5 +1,5 @@ --- -title: Pod Lifecycle +title: पॉड जीवनचक्र (Pod Lifecycle) id: pod-lifecycle date: 2019-02-17 full-link: /docs/concepts/workloads/pods/pod-lifecycle/ From 29b47497bbc8d749747594691be56f969f9d937c Mon Sep 17 00:00:00 2001 
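Review bot: the front matter of pod-lifecycle.md still uses the key `full-link:` (with a hyphen) after this series of fixes, while the other glossary entries added in this patch set (statefulset.md, developer.md) use `full_link:`. Please rename the key to `full_link` so the entry is handled like the others. The body line changed in the previous commit also still ends with a stray " ." after the final sentence.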
From: "Rodrigo V. Del Monte" Date: Wed, 9 Nov 2022 23:23:57 +0100 Subject: [PATCH 121/139] Add pt-br/docs/reference/glossary/statefulset.md --- .../docs/reference/glossary/statefulset.md | 22 +++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 content/pt-br/docs/reference/glossary/statefulset.md diff --git a/content/pt-br/docs/reference/glossary/statefulset.md b/content/pt-br/docs/reference/glossary/statefulset.md new file mode 100644 index 0000000000000..f032eb9a77d8e --- /dev/null +++ b/content/pt-br/docs/reference/glossary/statefulset.md @@ -0,0 +1,22 @@ +--- +title: StatefulSet +id: statefulset +date: 2018-04-12 +full_link: /docs/concepts/workloads/controllers/statefulset/ +short_description: > + Gerencia deployment e escalonamento de um conjunto de Pods, com armazenamento durável e identificadores persistentes para cada Pod. + +aka: +tags: +- fundamental +- core-object +- workload +- storage +--- + Gerencia o deployment e escalonamento de um conjunto de {{< glossary_tooltip text="Pods" term_id="pod" >}}, *e fornece garantias sobre a ordem e unicidade* desses Pods. + + + +Como o {{< glossary_tooltip term_id="deployment" >}}, um StatefulSet gerencia Pods que são baseados em uma especificação de container idêntica. Diferente do Deployment, um StatefulSet mantém uma identidade fixa para cada um de seus Pods. Esses pods são criados da mesma especificação, mas não são intercambiáveis: cada um tem uma identificação persistente que se mantém em qualquer reagendamento. + +Se você quiser usar volumes de armazenamento para fornecer persistência para sua carga de trabalho, você pode usar um StatefulSet como parte da sua solução. Embora os Pods individuais em um StatefulSet sejam suscetíveis a falhas, os identificadores de pods persistentes facilitam a correspondência de volumes existentes com os novos pods que substituem qualquer um que tenha falhado. From b2511bce58f43bc53ec1b1677189e7ca7c3d8046 Mon Sep 17 00:00:00 2001 
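Review bot: capitalisation of Pod is inconsistent in the body of statefulset.md: it is `Pods` in the first sentences, then "Esses pods", "identificadores de pods" and "novos pods". Please use `Pods` throughout when referring to the API object. The `short_description` also drops the article that the body keeps ("Gerencia deployment" versus "Gerencia o deployment"), and "especificação de container" could use "contêiner" to match the spelling used in the other pt-br pages in this series.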
From: "Mr. Erlison" Date: Sat, 19 Nov 2022 11:04:41 -0300 Subject: [PATCH 122/139] Add pt-br/docs/reference/glossary/developer.md Signed-off-by: Mr. Erlison --- .../pt-br/docs/reference/glossary/developer.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 content/pt-br/docs/reference/glossary/developer.md diff --git a/content/pt-br/docs/reference/glossary/developer.md b/content/pt-br/docs/reference/glossary/developer.md new file mode 100644 index 0000000000000..bae29e15c0505 --- /dev/null +++ b/content/pt-br/docs/reference/glossary/developer.md @@ -0,0 +1,18 @@ +--- +title: Desenvolvedor +id: developer +date: 2018-04-12 +full_link: +short_description: > + Pode se referir a: Desenvolvedor de Aplicativos, Colaborador de Código ou Desenvolvedor de Plataforma. + +aka: +tags: +- community +- user-type +--- + Pode se referir a: {{< glossary_tooltip text="Desenvolvedor de Aplicativos" term_id="application-developer" >}}, {{< glossary_tooltip text="Colaborador de Código" term_id="code-contributor" >}}, or {{< glossary_tooltip text="Desenvolvedor de Plataforma" term_id="platform-developer" >}}. + + + +Esse termo pode ter significados diferentes, dependendo do contexto. From 9f529cbe425a8da771296093480b1c03c1e67a25 Mon Sep 17 00:00:00 2001 From: "Mr. Erlison" Date: Sat, 19 Nov 2022 16:37:42 -0300 Subject: [PATCH 123/139] Updated title. Signed-off-by: Mr. Erlison --- content/pt-br/docs/reference/glossary/developer.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/pt-br/docs/reference/glossary/developer.md b/content/pt-br/docs/reference/glossary/developer.md index bae29e15c0505..0d8997ebb5241 100644 --- a/content/pt-br/docs/reference/glossary/developer.md +++ b/content/pt-br/docs/reference/glossary/developer.md @@ -1,5 +1,5 @@ --- -title: Desenvolvedor +title: Desenvolvedor (desambiguação) id: developer date: 2018-04-12 full_link: From 65b074011fb828e61f70983056d3ae34b41f6ff1 Mon Sep 17 00:00:00 2001 
From: "Mr. Erlison" Date: Sun, 20 Nov 2022 09:27:47 -0300 Subject: [PATCH 124/139] Fix typo Signed-off-by: Mr. Erlison --- content/pt-br/docs/reference/glossary/developer.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/pt-br/docs/reference/glossary/developer.md b/content/pt-br/docs/reference/glossary/developer.md index 0d8997ebb5241..a1b3e7210d884 100644 --- a/content/pt-br/docs/reference/glossary/developer.md +++ b/content/pt-br/docs/reference/glossary/developer.md @@ -11,7 +11,7 @@ tags: - community - user-type --- - Pode se referir a: {{< glossary_tooltip text="Desenvolvedor de Aplicativos" term_id="application-developer" >}}, {{< glossary_tooltip text="Colaborador de Código" term_id="code-contributor" >}}, or {{< glossary_tooltip text="Desenvolvedor de Plataforma" term_id="platform-developer" >}}. + Pode se referir a: {{< glossary_tooltip text="Desenvolvedor de Aplicativos" term_id="application-developer" >}}, {{< glossary_tooltip text="Colaborador de Código" term_id="code-contributor" >}}, ou {{< glossary_tooltip text="Desenvolvedor de Plataforma" term_id="platform-developer" >}}. From fe3b80abc7108ac8f0ce8607b8712077761fa3f1 Mon Sep 17 00:00:00 2001 From: windsonsea Date: Tue, 15 Nov 2022 08:53:44 +0800 Subject: [PATCH 125/139] [zh] sync configure-volume-storage.md --- .../configure-volume-storage.md | 60 +++++++++++-------- 1 file changed, 36 insertions(+), 24 deletions(-) diff --git a/content/zh-cn/docs/tasks/configure-pod-container/configure-volume-storage.md b/content/zh-cn/docs/tasks/configure-pod-container/configure-volume-storage.md index b468a6943e3b5..a0f6fa6b0ee71 100644 --- a/content/zh-cn/docs/tasks/configure-pod-container/configure-volume-storage.md +++ b/content/zh-cn/docs/tasks/configure-pod-container/configure-volume-storage.md @@ -31,7 +31,6 @@ applications, such as key-value stores (such as Redis) and databases. - 2. 验证 Pod 中的容器是否正在运行,然后留意 Pod 的更改: 
@@ -67,17 +67,21 @@ restarts. Here is the configuration file for the Pod: kubectl get pod redis --watch ``` + + 输出如下: - ```shell + ```console NAME READY STATUS RESTARTS AGE redis 1/1 Running 0 13s ``` -3. 在另一个终端,用 shell 连接正在运行的容器: +3. 在另一个终端,用 Shell 连接正在运行的容器: ```shell kubectl exec -it redis -- /bin/bash @@ -86,7 +90,7 @@ restarts. Here is the configuration file for the Pod: -4. 在你的 Shell中,切换到 `/data/redis` 目录下,然后创建一个文件: +4. 在你的 Shell 中,切换到 `/data/redis` 目录下,然后创建一个文件: ```shell root@redis:/data# cd /data/redis/ @@ -94,7 +98,7 @@ restarts. Here is the configuration file for the Pod: ``` 5. 在你的 Shell 中,列出正在运行的进程: @@ -104,9 +108,13 @@ restarts. Here is the configuration file for the Pod: root@redis:/data/redis# ps aux ``` + + 输出类似于: - ```shell + ```console USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND redis 1 0.1 0.1 33308 3828 ? Ssl 00:46 0:00 redis-server *:6379 root 12 0.0 0.0 20228 3020 ? Ss 00:47 0:00 /bin/bash @@ -114,7 +122,7 @@ restarts. Here is the configuration file for the Pod: ``` 6. 在你的 Shell 中,结束 Redis 进程: @@ -122,15 +130,19 @@ restarts. Here is the configuration file for the Pod: root@redis:/data/redis# kill ``` + + 其中 `` 是 Redis 进程的 ID (PID)。 7. 在你原先终端中,留意 Redis Pod 的更改。最终你将会看到和下面类似的输出: - ```shell + ```console NAME READY STATUS RESTARTS AGE redis 1/1 Running 0 13s redis 0/1 Completed 0 6m @@ -148,7 +160,7 @@ of `Always`. 为 `Always`。 1. 用 Shell 进入重新启动的容器中: @@ -157,7 +169,7 @@ of `Always`. ``` 2. 在你的 Shell 中,进入到 `/data/redis` 目录下,并确认 `test-file` 文件是否仍然存在。 @@ -168,7 +180,7 @@ of `Always`. ``` 3. 删除为此练习所创建的 Pod: 
@@ -179,19 +191,19 @@ of `Always`. ## {{% heading "whatsnext" %}} -* 参阅 [Volume](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#volume-v1-core)。 -* 参阅 [Pod](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#pod-v1-core)。 -* 除了 `emptyDir` 提供的本地磁盘存储外,Kubernetes 还支持许多不同的网络附加存储解决方案, +- 参阅 [Volume](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#volume-v1-core)。 +- 参阅 [Pod](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#pod-v1-core)。 +- 除了 `emptyDir` 提供的本地磁盘存储外,Kubernetes 还支持许多不同的网络附加存储解决方案, 包括 GCE 上的 PD 和 EC2 上的 EBS,它们是关键数据的首选,并将处理节点上的一些细节, 例如安装和卸载设备。了解更多详情请参阅[卷](/zh-cn/docs/concepts/storage/volumes/)。 From df4938cd993fa66d590cdf92c126f5acd78567ea Mon Sep 17 00:00:00 2001 From: 4TT1L4 <2914096+4TT1L4@users.noreply.github.com> Date: Thu, 17 Nov 2022 15:05:32 +0100 Subject: [PATCH 126/139] Create Secret / Fixed the raw data example Based on the description the example is supposed to create a Secret that stores the username and the password, but this was not the case. It was using the devuser username instead of admin. I have changed the example to be actually doing the task that was described above. --- .../tasks/configmap-secret/managing-secret-using-kubectl.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/docs/tasks/configmap-secret/managing-secret-using-kubectl.md b/content/en/docs/tasks/configmap-secret/managing-secret-using-kubectl.md index 35448df260c1c..db24f294c21f7 100644 --- a/content/en/docs/tasks/configmap-secret/managing-secret-using-kubectl.md +++ b/content/en/docs/tasks/configmap-secret/managing-secret-using-kubectl.md @@ -33,7 +33,7 @@ Run the following command: ```shell kubectl create secret generic db-user-pass \ - --from-literal=username=devuser \ + --from-literal=username=admin \ --from-literal=password='S!B\*d$zDsb=' ``` You must use single quotes `''` to escape special characters such as `$`, `\`, 
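Review bot: in [PATCH 126/139], the hunk in `managing-secret-using-kubectl.md` changes only the `--from-literal=username=` argument, so any later step on the same page that prints or decodes the stored username should be checked against `admin` in this change as well. The commit message says the example disagreed with its description, and fixing the command alone can leave the same mismatch further down the page.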
From db5788b9b96cb080803eeba0b6d7cdaee1d8b622 Mon Sep 17 00:00:00 2001 From: Julia Furst Morgado <52685951+juliafmorgado@users.noreply.github.com> Date: Wed, 16 Nov 2022 14:19:43 -0500 Subject: [PATCH 127/139] Create explore-intro.html --- .../explore/explore-intro.html | 140 ++++++++++++++++++ 1 file changed, 140 insertions(+) create mode 100644 content/fr/docs/tutorials/kubernetes-basics/explore/explore-intro.html diff --git a/content/fr/docs/tutorials/kubernetes-basics/explore/explore-intro.html b/content/fr/docs/tutorials/kubernetes-basics/explore/explore-intro.html new file mode 100644 index 0000000000000..724cfb8bccb2f --- /dev/null +++ b/content/fr/docs/tutorials/kubernetes-basics/explore/explore-intro.html @@ -0,0 +1,140 @@ +--- +title: Affichage des pods et des nœuds +weight: 10 +--- + + + + + + + +
    + +
    + +
    + +
    +

    Objectifs

    +
      +
    • En savoir plus sur les pods Kubernetes.
    • +
    • En savoir plus sur les nœuds Kubernetes.
    • +
    • Dépannez les applications déployées.
    • +
    +
    + +
    +

    Pods de Kubernetes

    +

    Lorsque vous avez créé un déploiement dans le Module 2, Kubernetes a créé un Pod pour héberger votre instance d'application. Un pod est une abstraction Kubernetes qui représente un groupe d'un ou plusieurs conteneurs d'application (tels que Docker), et certaines ressources partagées pour ces conteneurs. Ces ressources comprennent:

    +
      +
    • Stockage partagé, en tant que Volumes
    • +
    • Mise en réseau, en tant qu'adresse IP d'un unique cluster
    • +
    • Informations sur l'exécution de chaque conteneur, telles que la version de l'image du conteneur ou les ports spécifiques à utiliser
    • +
    +

    Un pod modélise un "hôte logique" spécifique à l'application et peut contenir différents conteneurs d'applications qui sont relativement étroitement couplés. Par exemple, un pod peut inclure à la fois le conteneur avec votre application Node.js ainsi qu'un conteneur différent qui alimente les données à être publiées par le serveur Web Node.js. Les conteneurs d'un pod partagent une adresse IP et un espace de port, sont toujours co-localisés et co-planifiés, et exécutés dans un contexte partagé sur le même nœud.

    + +

    Les pods sont l'unité atomique de la plate-forme Kubernetes. Lorsque nous créons un déploiement sur Kubernetes, ce déploiement crée des pods avec des conteneurs à l'intérieur (par opposition à la création directe de conteneurs). Chaque pod est lié au nœud où il est planifié et y reste jusqu'à la résiliation (selon la politique de redémarrage) ou la suppression. En cas de défaillance d'un nœud, des pods identiques sont programmés sur d'autres nœuds disponibles dans le cluster.

    + +
    +
    +
    +

    Sommaire:

    +
      +
    • Pods
    • +
    • Nœuds
    • +
    • Commandes principales de Kubectl
    • +
    +
    +
    +

    + Un pod est un groupe d'un ou plusieurs conteneurs applicatifs (tels que Docker) et comprend un stockage partagé (volumes), une adresse IP et des informations sur la façon de les exécuter. +

    +
    +
    +
    +
    + +
    +
    +

    Aperçu des Pods

    +
    +
    + +
    +
    +

    +
    +
    +
    + +
    +
    +

    Nœuds

    +

    Un Pod s'exécute toujours sur un Nœud. Un nœud est une machine de travail dans Kubernetes et peut être une machine virtuelle ou physique, selon le cluster. Chaque nœud est géré par le planificateur. Un nœud peut avoir plusieurs pods, et le planificateur Kubernetes gère automatiquement la planification des pods sur les nœuds du cluster. La planification automatique du planificateur tient compte des ressources disponibles sur chaque nœud.

    + +

    Chaque nœud Kubernetes exécute au moins:

    +
      +
    • Kubelet, un processus responsable de la communication entre le planificateur Kubernetes et le nœud ; il gère les Pods et les conteneurs s'exécutant sur une machine.
    • +
    • Un environnement d'exécution de conteneur (comme Docker) chargé d'extraire l'image du conteneur d'un registre, de décompresser le conteneur et d'exécuter l'application.
    • +
    + +
    +
    +
    +

    Les conteneurs ne doivent être planifiés ensemble dans un seul pod que s'ils sont étroitement couplés et doivent partager des ressources telles que le disque.

    +
    +
    +
    + +
    + +
    +
    +

    Aperçu des Nœuds

    +
    +
    + +
    +
    +

    +
    +
    +
    + +
    +
    +

    Dépannage avec kubectl

    +

    Dans le module 2, vous avez utilisé l'interface de ligne de commande Kubectl. Vous continuerez à l'utiliser dans le module 3 pour obtenir des informations sur les applications déployées et leurs environnements. Les opérations les plus courantes peuvent être effectuées avec les commandes kubectl suivantes:

    +
      +
    • kubectl get - liste les ressources
    • +
    • kubectl describe - affiche des informations détaillées sur une ressource
    • +
    • kubectl logs - imprime les journaux d'un conteneur dans un pod
    • +
    • kubectl exec - exécute une commande sur un conteneur dans un pod
    • +
    + +

    Vous pouvez utiliser ces commandes pour voir quand les applications ont été déployées, quels sont leurs statuts actuels, où elles s'exécutent et quelles sont leurs configurations.

    + +

    Maintenant que nous en savons plus sur nos composants de cluster et la ligne de commande, explorons notre application.

    + +
    +
    +
    +

    Un nœud est une machine de travail dans Kubernetes et peut être une machine virtuelle ou une machine physique, selon le cluster. Plusieurs pods peuvent s'exécuter sur un nœud.

    +
    +
    +
    +
    + + + +
    + +
    + + + From 483872f17a9db01d839815dd95e31130412c819c Mon Sep 17 00:00:00 2001 From: lakshmi prasuna Date: Wed, 9 Nov 2022 18:46:23 +0530 Subject: [PATCH 128/139] Expanded container term in Glossary. --- content/en/docs/reference/glossary/container.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/docs/reference/glossary/container.md b/content/en/docs/reference/glossary/container.md index cbf1f80fba266..db89cd543bdd9 100644 --- a/content/en/docs/reference/glossary/container.md +++ b/content/en/docs/reference/glossary/container.md @@ -16,4 +16,4 @@ tags: Containers decouple applications from underlying host infrastructure to make deployment easier in different cloud or OS environments, and for easier scaling. - +The applications that run inside the container are called containerized applications and the process of bundling these applications and their dependencies into a container image is called containerization. From bea01db0cf8afff36e32fa39dbc333cffb70cddb Mon Sep 17 00:00:00 2001 From: lakshmi prasuna Date: Fri, 11 Nov 2022 12:45:53 +0530 Subject: [PATCH 129/139] Update content/en/docs/reference/glossary/container.md updated container term in Glossary. Co-authored-by: Rey Lejano --- content/en/docs/reference/glossary/container.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/docs/reference/glossary/container.md b/content/en/docs/reference/glossary/container.md index db89cd543bdd9..2034d8ada33b9 100644 --- a/content/en/docs/reference/glossary/container.md +++ b/content/en/docs/reference/glossary/container.md 
@@ -16,4 +16,4 @@ tags: Containers decouple applications from underlying host infrastructure to make deployment easier in different cloud or OS environments, and for easier scaling. -The applications that run inside the container are called containerized applications and the process of bundling these applications and their dependencies into a container image is called containerization. +The applications that run inside containers are called containerized applications. The process of bundling these applications and their dependencies into a container image is called containerization. From eddfbb9c734fcb22e610d237095eb35cd46641e5 Mon Sep 17 00:00:00 2001 From: Stephen Augustus Date: Mon, 21 Nov 2022 16:13:02 -0500 Subject: [PATCH 130/139] steering: Paris to Emeritus, add Carlos Signed-off-by: Stephen Augustus --- OWNERS_ALIASES | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/OWNERS_ALIASES b/OWNERS_ALIASES index a34ed8d9c49c2..b7b8ba80d60e1 100644 --- a/OWNERS_ALIASES +++ b/OWNERS_ALIASES @@ -245,11 +245,11 @@ aliases: # authoritative source: git.k8s.io/community/OWNERS_ALIASES committee-steering: # provide PR approvals for announcements - cblecker + - cpanato - bentheelder - justaugustus - mrbobbytables - palnabarun - - parispittman - tpepper # authoritative source: https://git.k8s.io/sig-release/OWNERS_ALIASES sig-release-leads: From b91d0c2b883c0a7932a734aeab3abd15c2bb55ee Mon Sep 17 00:00:00 2001 From: Arhell Date: Wed, 16 Nov 2022 01:56:56 +0200 Subject: [PATCH 131/139] [ja] use $HOSTNAME env variable instead of hostname command --- content/ja/examples/application/mysql/mysql-statefulset.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/ja/examples/application/mysql/mysql-statefulset.yaml b/content/ja/examples/application/mysql/mysql-statefulset.yaml index b69af02c596b2..bf9aa6fe35f3e 100644 --- a/content/ja/examples/application/mysql/mysql-statefulset.yaml 
+++ b/content/ja/examples/application/mysql/mysql-statefulset.yaml @@ -22,7 +22,7 @@ spec: - | set -ex # Generate mysql server-id from pod ordinal index. - [[ `hostname` =~ -([0-9]+)$ ]] || exit 1 + [[ $HOSTNAME =~ -([0-9]+)$ ]] || exit 1 ordinal=${BASH_REMATCH[1]} echo [mysqld] > /mnt/conf.d/server-id.cnf # Add an offset to avoid reserved server-id=0 value. From 7076f4a5b84c073f8ae663b75ba1cd8870e113aa Mon Sep 17 00:00:00 2001 From: Kinzhi Date: Tue, 8 Nov 2022 01:21:31 +0800 Subject: [PATCH 132/139] [zh-cn]Update manage-resources-containers.md [zh-cn]Update manage-resources-containers.md [zh-cn]Update manage-resources-containers.md --- .../manage-resources-containers.md | 29 ++++++++++--------- 1 file changed, 16 insertions(+), 13 deletions(-) diff --git a/content/zh-cn/docs/concepts/configuration/manage-resources-containers.md b/content/zh-cn/docs/concepts/configuration/manage-resources-containers.md index ba4c150eeb1b2..8feb434297132 100644 --- a/content/zh-cn/docs/concepts/configuration/manage-resources-containers.md +++ b/content/zh-cn/docs/concepts/configuration/manage-resources-containers.md 
@@ -26,10 +26,10 @@ When you specify a {{< glossary_tooltip term_id="pod" >}}, you can optionally sp much of each resource a {{< glossary_tooltip text="container" term_id="container" >}} needs. The most common resources to specify are CPU and memory (RAM); there are others. -When you specify the resource _request_ for Containers in a Pod, the +When you specify the resource _request_ for containers in a Pod, the {{< glossary_tooltip text="kube-scheduler" term_id="kube-scheduler" >}} uses this information to decide which node to place the Pod on. When you specify a resource _limit_ -for a Container, the kubelet enforces those limits so that the running container is not +for a container, the kubelet enforces those limits so that the running container is not allowed to use more of that resource than the limit you set. The kubelet also reserves at least the _request_ amount of that system resource specifically for that container to use. @@ -273,6 +273,7 @@ MiB of memory, and a limit of 1 CPU and 256MiB of memory. 你可以认为该 Pod 的资源请求为 0.5 CPU 和 128 MiB 内存,资源限制为 1 CPU 和 256MiB 内存。 ```yaml +--- apiVersion: v1 kind: Pod metadata: @@ -382,7 +383,7 @@ limits you defined. 而不是临时存储用量。 -## 监控计算和内存资源用量 {#monitoring-compute-memory-resource-usage} +### 监控计算和内存资源用量 {#monitoring-compute-memory-resource-usage} kubelet 会将 Pod 的资源使用情况作为 Pod [`status`](/zh-cn/docs/concepts/overview/working-with-objects/kubernetes-objects/#object-spec-and-status) 
@@ -431,12 +432,11 @@ locally-attached writeable devices or, sometimes, by RAM. Pods use ephemeral local storage for scratch space, caching, and for logs. The kubelet can provide scratch space to Pods using local ephemeral storage to mount [`emptyDir`](/docs/concepts/storage/volumes/#emptydir) -{{< glossary_tooltip term_id="volume" text="volumes" >}} into containers. + {{< glossary_tooltip term_id="volume" text="volumes" >}} into containers. --> ## 本地临时存储 {#local-ephemeral-storage} - {{< feature-state for_k8s_version="v1.25" state="stable" >}} 节点通常还可以具有本地的临时性存储,由本地挂接的可写入设备或者有时也用 RAM @@ -633,12 +633,14 @@ or 400 megabytes (`400M`). In the following example, the Pod has two containers. Each container has a request of 2GiB of local ephemeral storage. Each container has a limit of 4GiB of local ephemeral storage. Therefore, the Pod has a request of 4GiB of local ephemeral storage, and -a limit of 8GiB of local ephemeral storage. +a limit of 8GiB of local ephemeral storage. 500Mi of that limit could be +consumed by the `emptyDir` volume. --> 在下面的例子中,Pod 包含两个容器。每个容器请求 2 GiB 大小的本地临时性存储。 每个容器都设置了 4 GiB 作为其本地临时性存储的限制。 因此,整个 Pod 的本地临时性存储请求是 4 GiB,且其本地临时性存储的限制为 8 GiB。 +该限制值中有 500Mi 可供 `emptyDir` 卷使用。 ```yaml apiVersion: v1 @@ -669,7 +671,8 @@ spec: mountPath: "/tmp" volumes: - name: ephemeral - emptyDir: {} + emptyDir: + sizeLimit: 500Mi ``` **示例:** @@ -1235,7 +1238,7 @@ Allocated resources: In the preceding output, you can see that if a Pod requests more than 1.120 CPUs or more than 6.23Gi of memory, that Pod will not fit on the node. -By looking at the "Pods" section, you can see which Pods are taking up space on +By looking at the “Pods” section, you can see which Pods are taking up space on the node. --> 在上面的输出中,你可以看到如果 Pod 请求超过 1.120 CPU 或者 6.23Gi 内存,节点将无法满足。 @@ -1347,7 +1350,7 @@ Events: 在上面的例子中,`Restart Count: 5` 意味着 Pod 中的 `simmemleak` From d1f7f682c89d72cb0fe21c2865202085f559d16f Mon Sep 17 00:00:00 2001 
From: Arhell Date: Tue, 22 Nov 2022 03:11:49 +0200 Subject: [PATCH 133/139] add Arhell to sig-docs-ru-owners --- OWNERS_ALIASES | 1 + 1 file changed, 1 insertion(+) diff --git a/OWNERS_ALIASES b/OWNERS_ALIASES index b7b8ba80d60e1..2c1452beabb71 100644 --- a/OWNERS_ALIASES +++ b/OWNERS_ALIASES @@ -212,6 +212,7 @@ aliases: - ngtuna - truongnh1992 sig-docs-ru-owners: # Admins for Russian content + - Arhell - msheldyakov - aisonaku - potapy4 From f33c57e643b2b0c0e0f0d6ebfd199091985fd8f1 Mon Sep 17 00:00:00 2001 From: Michael Date: Sun, 20 Nov 2022 13:06:18 +0800 Subject: [PATCH 134/139] [zh] sync coarse-parallel-processing-work-queue.md --- .../coarse-parallel-processing-work-queue.md | 85 +++++++++++-------- 1 file changed, 49 insertions(+), 36 deletions(-) diff --git a/content/zh-cn/docs/tasks/job/coarse-parallel-processing-work-queue.md b/content/zh-cn/docs/tasks/job/coarse-parallel-processing-work-queue.md index a22279e6595d8..5982367c609e8 100644 --- a/content/zh-cn/docs/tasks/job/coarse-parallel-processing-work-queue.md +++ b/content/zh-cn/docs/tasks/job/coarse-parallel-processing-work-queue.md @@ -6,12 +6,10 @@ weight: 20 --- 
@@ -26,11 +24,11 @@ from a task queue, completes it, deletes it from the queue, and exits. Here is an overview of the steps in this example: 1. **Start a message queue service.** In this example, we use RabbitMQ, but you could use another - one. In practice you would set up a message queue service once and reuse it for many jobs. + one. In practice you would set up a message queue service once and reuse it for many jobs. 1. **Create a queue, and fill it with messages.** Each message represents one task to be done. In this example, a message is an integer that we will do a lengthy computation on. 1. **Start a Job that works on tasks from the queue**. The Job starts several pods. Each pod takes - one task from the message queue, processes it, and repeats until the end of the queue is reached. + one task from the message queue, processes it, and repeats until the end of the queue is reached. --> 本例中,我们会运行包含多个并行工作进程的 Kubernetes Job。 @@ -38,12 +36,17 @@ Here is an overview of the steps in this example: 下面是本次示例的主要步骤: -1. **启动一个消息队列服务** 本例中,我们使用 RabbitMQ,你也可以用其他的消息队列服务。在实际工作环境中,你可以创建一次消息队列服务然后在多个任务中重复使用。 +1. **启动一个消息队列服务**。 + 本例中,我们使用 RabbitMQ,你也可以用其他的消息队列服务。 + 在实际工作环境中,你可以创建一次消息队列服务然后在多个任务中重复使用。 -1. **创建一个队列,放上消息数据** 每个消息表示一个要执行的任务。本例中,每个消息是一个整数值。我们将基于这个整数值执行很长的计算操作。 - -1. **启动一个在队列中执行这些任务的 Job**。该 Job 启动多个 Pod。每个 Pod 从消息队列中取走一个任务,处理它,然后重复执行,直到队列的队尾。 +1. **创建一个队列,放上消息数据**。 + 每个消息表示一个要执行的任务。本例中,每个消息是一个整数值。 + 我们将基于这个整数值执行很长的计算操作。 +1. **启动一个在队列中执行这些任务的 Job**。 + 该 Job 启动多个 Pod。每个 Pod 从消息队列中取走一个任务,处理它, + 然后重复执行,直到队列的队尾。 ## {{% heading "prerequisites" %}} 
@@ -96,8 +99,8 @@ replicationcontroller "rabbitmq-controller" created - -我们仅用到 [celery-rabbitmq 示例](https://github.com/kubernetes/kubernetes/tree/release-1.3/examples/celery-rabbitmq) 中描述的部分功能。 +我们仅用到 +[celery-rabbitmq 示例](https://github.com/kubernetes/kubernetes/tree/release-1.3/examples/celery-rabbitmq)中描述的部分功能。 ## 测试消息队列服务 {#testing-the-message-queue-service} -现在,我们可以试着访问消息队列。我们将会创建一个临时的可交互的 Pod,在它上面安装一些工具,然后用队列做实验。 +现在,我们可以试着访问消息队列。我们将会创建一个临时的可交互的 Pod, +在它上面安装一些工具,然后用队列做实验。 首先创建一个临时的可交互的 Pod: ```shell # 创建一个临时的可交互的 Pod -kubectl run -i --tty temp --image ubuntu:14.04 +kubectl run -i --tty temp --image ubuntu:18.04 ``` ``` Waiting for pod default/temp-loe07 to be running, status is Pending, pod ready: false @@ -130,7 +134,7 @@ Next install the `amqp-tools` so we can work with message queues. --> 请注意你的 Pod 名称和命令提示符将会不同。 -接下来安装 `amqp-tools` ,这样我们就能用消息队列了。 +接下来安装 `amqp-tools`,这样我们就能用消息队列了。 ```shell # 安装一些工具 @@ -145,10 +149,9 @@ Later, we will make a docker image that includes these packages. Next, we will check that we can discover the rabbitmq service: --> - 后续,我们将制作一个包含这些包的 Docker 镜像。 -接着,我们将要验证我们发现 RabbitMQ 服务: +接着,我们将要验证可以发现 RabbitMQ 服务: 如果 Kube-DNS 没有正确安装,上一步可能会出错。 @@ -227,7 +230,7 @@ from the queue, and passes that message to the standard input of an arbitrary co return so the example is readable. --> -最后一个命令中, `amqp-consume` 工具从队列中取走了一个消息,并把该消息传递给了随机命令的标准输出。 +最后一个命令中,`amqp-consume` 工具从队列中取走了一个消息,并把该消息传递给了随机命令的标准输出。 在这种情况下,`cat` 会打印它从标准输入中读取的字符,echo 会添加回车符以便示例可读。 -这样,我们给队列中填充了8个消息。 +这样,我们给队列中填充了 8 个消息。 ## 创建镜像 {#create-an-image} 现在我们可以创建一个做为 Job 来运行的镜像。 -我们将用 `amqp-consume` 来从队列中读取消息并实际运行我们的程序。这里给出一个非常简单的示例程序: +我们将用 `amqp-consume` 实用程序从队列中读取消息并运行实际的程序。 +这里给出一个非常简单的示例程序: {{< codenew language="python" file="application/job/rabbitmq/worker.py" >}} 
@@ -323,9 +326,9 @@ build the image with this command: 现在,编译镜像。如果你在用源代码树,那么切换到目录 `examples/job/work-queue-1`。 否则的话,创建一个临时目录,切换到这个目录。下载 -[Dockerfile](/examples/application/job/rabbitmq/Dockerfile),和 +[Dockerfile](/examples/application/job/rabbitmq/Dockerfile) 和 [worker.py](/examples/application/job/rabbitmq/worker.py)。 -无论哪种情况,都可以用下面的命令编译镜像 +无论哪种情况,都可以用下面的命令编译镜像: ```shell docker build -t job-wq-1 . @@ -367,7 +370,7 @@ image to match the name you used, and call it `./job.yaml`. --> ## 定义 Job {#defining-a-job} -这里给出一个 Job 定义 yaml文件。你需要拷贝一份并编辑镜像以匹配你使用的名称,保存为 `./job.yaml`。 +这里给出一个 Job 定义 YAML 文件。你将需要拷贝一份 Job 并编辑该镜像以匹配你使用的名称,保存为 `./job.yaml`。 {{< codenew file="application/job/rabbitmq/job.yaml" >}} @@ -380,7 +383,9 @@ done. So we set, `.spec.completions: 8` for the example, since we put 8 items i So, now run the Job: --> -本例中,每个 Pod 使用队列中的一个消息然后退出。这样,Job 的完成计数就代表了完成的工作项的数量。本例中我们设置 `.spec.completions: 8`,因为我们放了8项内容在队列中。 +本例中,每个 Pod 使用队列中的一个消息然后退出。 +这样,Job 的完成计数就代表了完成的工作项的数量。 +本例中我们设置 `.spec.completions: 8`,因为我们放了 8 项内容在队列中。 ## 运行 Job {#running-the-job} @@ -391,14 +396,23 @@ kubectl apply -f ./job.yaml ``` -稍等片刻,然后检查 Job。 +你可以等待 Job 在某个超时时间后成功: ```shell -kubectl describe jobs/job-wq-1 +# 状况名称的检查不区分大小写 +kubectl wait --for=condition=complete --timeout=300s job/job-wq-1 ``` + +接下来查看 Job: + +```shell +kubectl describe jobs/job-wq-1 +``` ``` Name: job-wq-1 Namespace: default @@ -436,9 +450,9 @@ Events: ``` -我们所有的 Pod 都成功了。耶! +该 Job 的所有 Pod 都已成功。耶! 
@@ -456,8 +470,8 @@ want to consider one of the other [job patterns](/docs/concepts/workloads/contro 本文所讲述的处理方法的好处是你不需要修改你的 "worker" 程序使其知道工作队列的存在。 -本文所描述的方法需要你运行一个消息队列服务。如果不方便运行消息队列服务,你也许会考虑另外一种 -[任务模式](/zh-cn/docs/concepts/workloads/controllers/job/#job-patterns)。 +本文所描述的方法需要你运行一个消息队列服务。如果不方便运行消息队列服务, +你也许会考虑另外一种[任务模式](/zh-cn/docs/concepts/workloads/controllers/job/#job-patterns)。 - 本文所述的方法为每个工作项创建了一个 Pod。 -如果你的工作项仅需数秒钟,为每个工作项创建 Pod会增加很多的常规消耗。 +如果你的工作项仅需数秒钟,为每个工作项创建 Pod 会增加很多的常规消耗。 可以考虑另外的方案请参考[示例](/zh-cn/docs/tasks/job/fine-parallel-processing-work-queue/), 这种方案可以实现每个 Pod 执行多个工作项。 示例中,我们使用 `amqp-consume` 从消息队列读取消息并执行我们真正的程序。 这样的好处是你不需要修改你的程序使其知道队列的存在。 -要了解怎样使用客户端库和工作队列通信,请参考 -[不同的示例](/zh-cn/docs/tasks/job/fine-parallel-processing-work-queue/)。 +要了解怎样使用客户端库和工作队列通信, +请参考[不同的示例](/zh-cn/docs/tasks/job/fine-parallel-processing-work-queue/)。 ## 在 Google Kubernetes Engine (GKE) 上创建一个 Calico 集群 {#gke-cluster} -**先决条件**: [gcloud](https://cloud.google.com/sdk/docs/quickstarts) +**先决条件**:[gcloud](https://cloud.google.com/sdk/docs/quickstarts) -1. 启动一个带有 Calico 的 GKE 集群,需要加上参数 `--enable-network-policy`。 +1. 启动一个带有 Calico 的 GKE 集群,需要加上参数 `--enable-network-policy`。 - **语法** - ```shell - gcloud container clusters create [CLUSTER_NAME] --enable-network-policy - ``` + **语法** + ```shell + gcloud container clusters create [CLUSTER_NAME] --enable-network-policy + ``` - **示例** - ```shell - gcloud container clusters create my-calico-cluster --enable-network-policy - ``` + **示例** + ```shell + gcloud container clusters create my-calico-cluster --enable-network-policy + ``` -2. 使用如下命令验证部署是否正确。 +2. 
使用如下命令验证部署是否正确。 + + ```shell + kubectl get pods --namespace=kube-system + ``` - ```shell - kubectl get pods --namespace=kube-system - ``` + - - Calico 的 pods 名以 `calico` 打头,检查确认每个 pods 状态为 `Running`。 + Calico 的 Pod 名以 `calico` 打头,检查确认每个 Pod 状态为 `Running`。 -## 使用 kubeadm 创建一个本地 Calico 集群 {#local-cluster} +## 使用 kubeadm 创建一个本地 Calico 集群 {#local-cluster} 使用 kubeadm 在 15 分钟内得到一个本地单主机 Calico 集群,请参考 [Calico 快速入门](https://docs.projectcalico.org/latest/getting-started/kubernetes/)。 @@ -73,6 +81,7 @@ To get a local single-host Calico cluster in fifteen minutes using kubeadm, refe -集群运行后,你可以按照[声明网络策略](/zh-cn/docs/tasks/administer-cluster/declare-network-policy/) -去尝试使用 Kubernetes NetworkPolicy。 +集群运行后, +你可以按照[声明网络策略](/zh-cn/docs/tasks/administer-cluster/declare-network-policy/)去尝试使用 +Kubernetes NetworkPolicy。 From 205d4d20b3b31a40b7b5a40f906fc336150a30a4 Mon Sep 17 00:00:00 2001 From: Michael Date: Sun, 20 Nov 2022 11:38:53 +0800 Subject: [PATCH 136/139] [zh] sync cilium-network-policy.md --- .../cilium-network-policy.md | 118 ++++++++++-------- 1 file changed, 68 insertions(+), 50 deletions(-) diff --git a/content/zh-cn/docs/tasks/administer-cluster/network-policy-provider/cilium-network-policy.md b/content/zh-cn/docs/tasks/administer-cluster/network-policy-provider/cilium-network-policy.md index 051ac153d12df..43e057a911ae4 100644 --- a/content/zh-cn/docs/tasks/administer-cluster/network-policy-provider/cilium-network-policy.md +++ b/content/zh-cn/docs/tasks/administer-cluster/network-policy-provider/cilium-network-policy.md 
@@ -39,11 +39,11 @@ to perform a basic DaemonSet installation of Cilium in minikube. To start minikube, minimal version required is >= v1.5.2, run the with the following arguments: --> -## 在 Minikube 上部署 Cilium 用于基本测试 +## 在 Minikube 上部署 Cilium 用于基本测试 {#deploying-cilium-on-minikube-for-basic-testing} -为了轻松熟悉 Cilium 你可以根据 +为了轻松熟悉 Cilium,你可以根据 [Cilium Kubernetes 入门指南](https://docs.cilium.io/en/stable/gettingstarted/k8s-install-default/s) -在 minikube 中执行一个 cilium 的基本 DaemonSet 安装。 +在 minikube 中执行一个 Cilium 的基本 DaemonSet 安装。 要启动 minikube,需要的最低版本为 1.5.2,使用下面的参数运行: 
@@ -55,58 +55,75 @@ minikube version: v1.5.2 ``` ```shell -minikube start --network-plugin=cni --memory=4096 +minikube start --network-plugin=cni ``` 对于 minikube 你可以使用 Cilium 的 CLI 工具安装它。 -Cilium 将自动检测集群配置并为成功的集群部署选择合适的组件。 +为此,先用以下命令下载最新版本的 CLI: ```shell curl -LO https://github.com/cilium/cilium-cli/releases/latest/download/cilium-linux-amd64.tar.gz +``` + + +然后用以下命令将下载的文件解压缩到你的 `/usr/local/bin` 目录: + +```shell sudo tar xzvfC cilium-linux-amd64.tar.gz /usr/local/bin rm cilium-linux-amd64.tar.gz -cilium install ``` + + +运行上述命令后,你现在可以用以下命令安装 Cilium: + +```shell +cilium install ``` -🔮 Auto-detected Kubernetes kind: minikube -✨ Running "minikube" validation checks -✅ Detected minikube version "1.20.0" -ℹ️ Cilium version not set, using default version "v1.10.0" -🔮 Auto-detected cluster name: minikube -🔮 Auto-detected IPAM mode: cluster-pool -🔮 Auto-detected datapath mode: tunnel -🔑 Generating CA... -2021/05/27 02:54:44 [INFO] generate received request -2021/05/27 02:54:44 [INFO] received CSR -2021/05/27 02:54:44 [INFO] generating key: ecdsa-256 -2021/05/27 02:54:44 [INFO] encoded CSR -2021/05/27 02:54:44 [INFO] signed certificate with serial number 48713764918856674401136471229482703021230538642 -🔑 Generating certificates for Hubble... -2021/05/27 02:54:44 [INFO] generate received request -2021/05/27 02:54:44 [INFO] received CSR -2021/05/27 02:54:44 [INFO] generating key: ecdsa-256 -2021/05/27 02:54:44 [INFO] encoded CSR -2021/05/27 02:54:44 [INFO] signed certificate with serial number 3514109734025784310086389188421560613333279574 -🚀 Creating Service accounts... -🚀 Creating Cluster roles... -🚀 Creating ConfigMap... -🚀 Creating Agent DaemonSet... -🚀 Creating Operator Deployment... -⌛ Waiting for Cilium to be installed... 
-``` + + +随后 Cilium 将自动检测集群配置,并创建和安装合适的组件以成功完成安装。 +这些组件为: + +- Secret `cilium-ca` 中的证书机构 (CA) 和 Hubble(Cilium 的可观测层)所用的证书。 +- 服务账号。 +- 集群角色。 +- ConfigMap。 +- Agent DaemonSet 和 Operator Deployment。 + + +安装之后,你可以用 `cilium status` 命令查看 Cilium Deployment 的整体状态。 +[在此处](https://docs.cilium.io/en/stable/gettingstarted/k8s-install-default/#validate-the-installation)查看 +`status` 命令的预期输出。 -入门指南其余的部分用一个示例应用说明了如何强制执行 L3/L4(即 IP 地址+端口)的安全策略 -以及L7 (如 HTTP)的安全策略。 +入门指南其余的部分用一个示例应用说明了如何强制执行 L3/L4(即 IP 地址 + 端口)的安全策略以及 +L7 (如 HTTP)的安全策略。 -## 部署 Cilium 用于生产用途 +## 部署 Cilium 用于生产用途 {#deployment-cilium-for-production-use} -关于部署 Cilium 用于生产的详细说明,请见 -[Cilium Kubernetes 安装指南](https://docs.cilium.io/en/stable/concepts/kubernetes/intro/) +关于部署 Cilium 用于生产的详细说明,请参见 +[Cilium Kubernetes 安装指南](https://docs.cilium.io/en/stable/concepts/kubernetes/intro/)。 此文档包括详细的需求、说明和生产用途 DaemonSet 文件示例。 @@ -129,17 +146,19 @@ production DaemonSet files. Deploying a cluster with Cilium adds Pods to the `kube-system` namespace. To see this list of Pods run: - --> -## 了解 Cilium 组件 +--> +## 了解 Cilium 组件 {#understanding-cilium-components} -部署使用 Cilium 的集群会添加 Pods 到 `kube-system` 命名空间。要查看 Pod 列表,运行: +部署使用 Cilium 的集群会添加 Pod 到 `kube-system` 命名空间。要查看 Pod 列表,运行: ```shell kubectl get pods --namespace=kube-system -l k8s-app=cilium ``` - -你将看到像这样的 Pods 列表: + +你将看到像这样的 Pod 列表: ```console NAME READY STATUS RESTARTS AGE @@ -163,9 +182,8 @@ to try out Kubernetes NetworkPolicy with Cilium. Have fun, and if you have questions, contact us using the [Cilium Slack Channel](https://cilium.herokuapp.com/). --> -集群运行后,你可以按照 -[声明网络策略](/zh-cn/docs/tasks/administer-cluster/declare-network-policy/) -试用基于 Cilium 的 Kubernetes NetworkPolicy。 -玩得开心,如果你有任何疑问,请到 [Cilium Slack 频道](https://cilium.herokuapp.com/) -联系我们。 +集群运行后, +你可以按照[声明网络策略](/zh-cn/docs/tasks/administer-cluster/declare-network-policy/)试用基于 +Cilium 的 Kubernetes NetworkPolicy。玩得开心,如果你有任何疑问,请到 +[Cilium Slack 频道](https://cilium.herokuapp.com/)联系我们。 
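Review bot: in [PATCH 136/139], the new install steps fetch `cilium-linux-amd64.tar.gz` from `releases/latest` and then unpack it into `/usr/local/bin` with `sudo tar xzvfC`, with no integrity check between the two blocks; if the release publishes a checksum file, add a verification step before the extraction (and raise the same point on the English page this syncs from). Two smaller points in the same file: the context link `https://docs.cilium.io/en/stable/gettingstarted/k8s-install-default/s` ends in a stray `s` that this sync leaves in place, and the hunk drops `--memory=4096` from `minikube start` without the surrounding text saying why.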
From 6b706f1c6e6d5d656ffa97c16f807dea8cc1d608 Mon Sep 17 00:00:00 2001 From: Chris Wan Date: Sat, 12 Nov 2022 17:16:00 +0800 Subject: [PATCH 137/139] fix: zh-cn learning environment page redirect --- static/_redirects | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/static/_redirects b/static/_redirects index 1998e43fabbf4..037f64b72cdd3 100644 --- a/static/_redirects +++ b/static/_redirects @@ -542,7 +542,7 @@ /id/docs/setup/minikube/ /id/docs/tasks/tools/ 302 /docs/setup/learning-environment/ /docs/tasks/tools/ 302! /id/docs/setup/learning-environment/ /id/docs/tasks/tools/ 302! -/zh/docs/setup/learning-environment/ /zh-cn/docs/tasks/tools/ 302! +/zh-cn/docs/setup/learning-environment/ /zh-cn/docs/tasks/tools/ 302! /hi/docs/setup/learning-environment/ /hi/docs/tasks/tools/ 302! /docs/setup/learning-environment/kind/ /docs/tasks/tools/ 302 /id/docs/setup/learning-environment/kind/ /id/docs/tasks/tools/ 302 From ada28464136bdeeb1ad1bfe2cd74f76e070ac28f Mon Sep 17 00:00:00 2001 From: Dixita Narang Date: Mon, 21 Nov 2022 23:28:16 +0000 Subject: [PATCH 138/139] Update doc references for KubeletCredentialProviders --- .../reference/command-line-tools-reference/feature-gates.md | 6 ++++++ .../kubelet-credential-provider.md | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates.md b/content/en/docs/reference/command-line-tools-reference/feature-gates.md index 63f5b442c323f..385cac1b2a096 100644 --- a/content/en/docs/reference/command-line-tools-reference/feature-gates.md +++ b/content/en/docs/reference/command-line-tools-reference/feature-gates.md 
@@ -117,6 +117,12 @@ For a reference to old feature gates that are removed, please refer to | `JobPodFailurePolicy` | `true` | Beta | 1.26 | | | `JobReadyPods` | `false` | Alpha | 1.23 | 1.23 | | `JobReadyPods` | `true` | Beta | 1.24 | | +<<<<<<< HEAD +======= +| `JobTrackingWithFinalizers` | `false` | Alpha | 1.22 | 1.22 | +| `JobTrackingWithFinalizers` | `false` | Beta | 1.23 | 1.24 | +| `JobTrackingWithFinalizers` | `true` | Beta | 1.25 | | +>>>>>>> 555bc1622f (Update doc references for KubeletCredentialProviders) | `KubeletInUserNamespace` | `false` | Alpha | 1.22 | | | `KubeletPodResources` | `false` | Alpha | 1.13 | 1.14 | | `KubeletPodResources` | `true` | Beta | 1.15 | | diff --git a/content/en/docs/tasks/kubelet-credential-provider/kubelet-credential-provider.md b/content/en/docs/tasks/kubelet-credential-provider/kubelet-credential-provider.md index 16547f0bf4507..876abe7d1a501 100644 --- a/content/en/docs/tasks/kubelet-credential-provider/kubelet-credential-provider.md +++ b/content/en/docs/tasks/kubelet-credential-provider/kubelet-credential-provider.md @@ -7,7 +7,7 @@ description: Configure the kubelet's image credential provider plugin content_type: task --- -{{< feature-state for_k8s_version="v1.24" state="beta" >}} +{{< feature-state for_k8s_version="v1.26" state="stable" >}} From 68c1e1e941d553412d48dfb44701fa0405b434f8 Mon Sep 17 00:00:00 2001 From: Dixita Narang Date: Mon, 21 Nov 2022 23:47:15 +0000 Subject: [PATCH 139/139] Formatting and changing some words as per the standards, and removing extra spaces --- .../reference/command-line-tools-reference/feature-gates.md | 2 +- .../kubelet-credential-provider.md | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates.md b/content/en/docs/reference/command-line-tools-reference/feature-gates.md index 385cac1b2a096..b48f49d0f6a88 100644 --- a/content/en/docs/reference/command-line-tools-reference/feature-gates.md 
+++ b/content/en/docs/reference/command-line-tools-reference/feature-gates.md @@ -650,7 +650,7 @@ Each feature gate is designed for enabling/disabling a specific feature: filesystem walk for better performance and accuracy. - `LogarithmicScaleDown`: Enable semi-random selection of pods to evict on controller scaledown based on logarithmic bucketing of pod timestamps. -- `MatchLabelKeysInPodTopologySpread`: Enable the `matchLabelKeys` field for +- `MatchLabelKeysInPodTopologySpread`: Enable the `matchLabelKeys` field for [Pod topology spread constraints](/docs/concepts/scheduling-eviction/topology-spread-constraints/). - `MaxUnavailableStatefulSet`: Enables setting the `maxUnavailable` field for the [rolling update strategy](/docs/concepts/workloads/controllers/statefulset/#rolling-updates) diff --git a/content/en/docs/tasks/kubelet-credential-provider/kubelet-credential-provider.md b/content/en/docs/tasks/kubelet-credential-provider/kubelet-credential-provider.md index 876abe7d1a501..c9e788a4e5936 100644 --- a/content/en/docs/tasks/kubelet-credential-provider/kubelet-credential-provider.md +++ b/content/en/docs/tasks/kubelet-credential-provider/kubelet-credential-provider.md @@ -54,7 +54,7 @@ should be invoked for which container images. Here's an example configuration fi ```yaml apiVersion: kubelet.config.k8s.io/v1alpha1 kind: CredentialProviderConfig -# providers is a list of credential provider plugins that will be enabled by the kubelet. +# providers is a list of credential provider helper plugins that will be enabled by the kubelet. # Multiple providers may match against a single image, in which case credentials # from all providers will be returned to the kubelet. If multiple providers are called # for a single image, the results are combined. If providers return overlapping 
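Review bot: the YAML example in the first kubelet-credential-provider.md hunk of PATCH 139/139 (`@@ -54,7 +54,7 @@`) still has `apiVersion: kubelet.config.k8s.io/v1alpha1` in its context lines, while PATCH 138/139 moves this page's feature-state to `v1.26` / `stable`. Please confirm which API version the example should show for a stable feature and update it in this series if it changes. Separately, "credential provider helper plugins" introduces a second name for what the rest of the comment calls "providers"; either keep "plugins" or use the new term consistently.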
@@ -74,7 +74,7 @@ providers: # Globs can be used in the domain, but not in the port or the path. Globs are supported # as subdomains like '*.k8s.io' or 'k8s.*.io', and top-level-domains such as 'k8s.*'. # Matching partial subdomains like 'app*.k8s.io' is also supported. Each glob can only match - # a single subdomain segment, so *.io does not match *.k8s.io. + # a single subdomain segment, so `*.io` does **not** match `*.k8s.io`. # # A match exists between an image and a matchImage when all of the below are true: # - Both contain the same number of domain parts and each part matches.
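Review bot: in PATCH 137/139, the `static/_redirects` hunk (`@@ -542,7 +542,7 @@`) replaces the `/zh/docs/setup/learning-environment/` source rule instead of adding the `/zh-cn/` one beside it, so the old `/zh/` path loses its explicit redirect. If inbound links to the `/zh/` URL still exist and no broader rule outside this hunk covers them, keep the old line and add `/zh-cn/docs/setup/learning-environment/ /zh-cn/docs/tasks/tools/ 302!` as a new entry.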
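Review bot: the feature-gates.md hunk in PATCH 138/139 (`@@ -117,6 +117,12 @@`) commits unresolved merge conflict markers: the added lines `<<<<<<< HEAD`, `=======` and `>>>>>>> 555bc1622f (Update doc references for KubeletCredentialProviders)` land in the middle of the feature gate table and will be published as page content. Resolve the conflict before merging. The HEAD side is empty, so the three `JobTrackingWithFinalizers` rows look like they were dropped on the target branch; decide whether they belong in this change at all, given that the subject is about KubeletCredentialProviders and none of the six added lines in this file touch that gate.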
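Review bot: in the second kubelet-credential-provider.md hunk of PATCH 139/139 (`@@ -74,7 +74,7 @@`), the new comment line puts Markdown backticks and `**not**` inside a YAML comment that is part of the fenced yaml example, where Markdown is not rendered, so readers will see the literal backticks and asterisks. Keep the comment as plain text and quote the globs the way the neighbouring comment lines do, for example: so '*.io' does not match '*.k8s.io'.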
-
-
Kubernetes collabora con i partner per creare per creare un codebase che supporti uno spettro di piattaforme complementari.
-
- -
-
-
- Distribuzioni di Kubernetes Certificate, Certified Hosted Platforms and Software di installazione Certificati -
La conformità del software assicura che le versioni di Kubernetes prodotte da ogni fornitore supportino coerentemente le API necessarie. -


- -

Interessato a diventare un partner certificato Kubernetes? -
-
-
-
-
Partner per la Formazione su Kubernetes
-
Professionisti riconosciuti e certificati, con solida esperienza nella formazione su tecnologie Cloud Native. -



- -

Interessato a diventare un partner KTP? -
-
-
- - - -
- - +
Kubernetes collabora con i partner per creare per creare un codebase che supporti uno spettro di piattaforme complementari.
+
+
+
+
+ Fornitori Certificati di Servizi su Kubernetes +
+
Fornitori di servizi riconosciuti e con grande esperienza nell'aiutare le imprese ad adottare con successo Kubernetes. +


+ +

Interessato a diventare un partner + KCSP? +
+
+
+
+
+ Distribuzioni di Kubernetes Certificate, Certified Hosted Platforms and Software di installazione Certificati +
La conformità del software assicura che le versioni di Kubernetes prodotte da ogni fornitore supportino coerentemente le API necessarie. +


+ +

Interessato a diventare un partner + certificato Kubernetes? +
+
+
+
+
+ Partner per la Formazione su Kubernetes +
+
Professionisti riconosciuti e certificati, con solida esperienza nella formazione su tecnologie Cloud Native. +


+ +

Interessato a diventare un partner + KTP? +
+
- -
+ {{< cncf-landscape helpers=true >}}
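Review bot: the re-added introduction line at the top of the `+` block still reads "per creare per creare un codebase", carried over unchanged from the removed line; since the line is being rewritten anyway, drop the duplicated words. The heading "Distribuzioni di Kubernetes Certificate, Certified Hosted Platforms and Software di installazione Certificati" also keeps English wording inside the Italian text in both the removed and added versions and could be translated in the same change.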