From 79c9f3f0842a9c617d856db61ea323606049b55d Mon Sep 17 00:00:00 2001
From: "huanqing.shao"
Date: Sun, 6 Oct 2019 21:18:49 +0800
Subject: [PATCH] =?UTF-8?q?Kubernetes=E6=9E=B6=E6=9E=84?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .vuepress/components/HomePage.vue | 2 +-
 .vuepress/config.js | 34 +++-
 learning/k8s-bg/architecture/com-m-n.md | 42 ++++
 learning/k8s-bg/architecture/com-n-m.md | 18 ++
 learning/k8s-bg/architecture/com.md | 18 ++
 learning/k8s-bg/architecture/nodes-mgmt.md | 107 ++++++++++
 learning/k8s-bg/architecture/nodes.md | 183 ++++++++++++++++++
 learning/k8s-bg/component.md | 7 +-
 learning/k8s-bg/what-is-k8s.md | 1 +
 .../image-20191005230605496.png | Bin 0 -> 86162 bytes
 .../config/sec-ctx/con-kuboard.md | 31 +++
 .../config/sec-ctx/pod-kuboard.md | 18 +-
 .../taint-based-evictions.md | 2 +-
 package-lock.json | 13 ++
 package.json | 3 +-
 15 files changed, 461 insertions(+), 18 deletions(-)
 create mode 100644 learning/k8s-bg/architecture/com-m-n.md
 create mode 100644 learning/k8s-bg/architecture/com-n-m.md
 create mode 100644 learning/k8s-bg/architecture/com.md
 create mode 100644 learning/k8s-bg/architecture/nodes-mgmt.md
 create mode 100644 learning/k8s-bg/architecture/nodes.md
 create mode 100644 learning/k8s-intermediate/config/sec-ctx/con-kuboard.assets/image-20191005230605496.png
 create mode 100644 learning/k8s-intermediate/config/sec-ctx/con-kuboard.md
diff --git a/.vuepress/components/HomePage.vue b/.vuepress/components/HomePage.vue
index 79f5914..dcb19d4 100644
--- a/.vuepress/components/HomePage.vue
+++ b/.vuepress/components/HomePage.vue
@@ -213,7 +213,7 @@ export default {
 height 240px
 padding: 1rem
 .intro
- margin-top 1rem
+ margin-top 2rem
 .intro_text
 margin-right 1rem
 height calc(339px - 2rem)
diff --git a/.vuepress/config.js b/.vuepress/config.js
index 56dfa67..96dee03 100644
--- a/.vuepress/config.js
+++ b/.vuepress/config.js
@@ -21,7 +21,7 @@ module.exports = { markdown: { toc: { includeLevel: [2, 3] }, lineNumbers: true, - externalLinks: { target: '_blank', rel: 'noopener noreferrer', onclick: 'openOutboundLink(this)' } + externalLinks: { target: '_blank', rel: 'nofollow', onclick: 'openOutboundLink(this)' } }, dest: 'docs', plugins: { @@ -62,6 +62,7 @@ module.exports = { // zIndex: 10000, // }, // }, + 'vuepress-plugin-smooth-scroll': {}, 'code-switcher': {}, 'reading-progress': {}, 'vuepress-plugin-element-tabs': {}, @@ -193,14 +194,15 @@ module.exports = { ], '/learning/': [ - '', { title: 'Kubernetes 介绍', collapsable: true, sidebarDepth: 3, children: [ + '', 'k8s-bg/what-is-k8s', 'k8s-bg/component', + ] }, { @@ -221,7 +223,31 @@ module.exports = { title: 'Kubernetes 进阶', collapsable: true, children: [ - 'k8s-intermediate/private-registry', + { + title: '架构', + collapsable: true, + children: [ + { + title: '节点', + collapsable: true, + path: '/learning/k8s-bg/architecture/nodes', + children: [ + 'k8s-bg/architecture/nodes', + 'k8s-bg/architecture/nodes-mgmt', + ] + }, + { + title: '集群内的通信', + collapsable: true, + path: '/learning/k8s-bg/architecture/com', + children: [ + 'k8s-bg/architecture/com', + 'k8s-bg/architecture/com-n-m', + 'k8s-bg/architecture/com-m-n', + ] + }, + ] + }, { title: '工作负载', collapsable: true, @@ -296,6 +322,7 @@ module.exports = { title: '配置', collapsable: true, children: [ + 'k8s-intermediate/private-registry', 'k8s-intermediate/config/config-map', 'k8s-intermediate/config/computing-resource', 'k8s-intermediate/config/assign-pod-node', @@ -339,6 +366,7 @@ module.exports = { 'k8s-intermediate/config/sec-ctx/con-sel', 'k8s-intermediate/config/sec-ctx/volumes', 'k8s-intermediate/config/sec-ctx/pod-kuboard', + 'k8s-intermediate/config/sec-ctx/con-kuboard', ] }, ] diff --git a/learning/k8s-bg/architecture/com-m-n.md b/learning/k8s-bg/architecture/com-m-n.md new file mode 100644 index 0000000..2ea2057 --- /dev/null +++ b/learning/k8s-bg/architecture/com-m-n.md 
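Review bot: The new `externalLinks` value in the first config.js hunk drops `noopener noreferrer` while keeping `target: '_blank'`, so in browsers that do not imply noopener for `_blank` the page opened by an outbound link keeps a `window.opener` handle to the documentation tab and can navigate it (reverse tabnabbing), and the Referer header is sent to the external site again. `nofollow` is only a crawler hint and replaces neither token, so the three should be combined: `externalLinks: { target: '_blank', rel: 'nofollow noopener noreferrer', onclick: 'openOutboundLink(this)' }`. `openOutboundLink` is defined outside this diff, so whether that handler opens the window itself is not visible here and is worth checking for the same property. The `module.exports` object starts before and continues after this hunk.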
@@ -0,0 +1,42 @@
+---
+vssueId: 120
+layout: LearningLayout
+description: Kubernete教程_Kubernetes组件_从 master(apiserver)到Cluster存在着两条主要的通信路径,第一种:apiserver 访问集群中每个节点上的 kubelet 进程;第二种:使用 apiserver 的 proxy 功能,从 apiserver 访问集群中的任意节点、Pod、Service
+
+meta:
+ - name: keywords
+ content: Kubernetes 教程,Kubernetes Master-Node通信
+---
+
+# Master to Cluster
+
+从 master(apiserver)到Cluster存在着两条主要的通信路径:
+* apiserver 访问集群中每个节点上的 kubelet 进程
+* 使用 apiserver 的 proxy 功能,从 apiserver 访问集群中的任意节点、Pod、Service
+
+## apiserver to kubelet
+
+apiserver 在如下情况下访问 kubelet:
+* 抓取 Pod 的日志
+* 通过 `kubectl exec -it` 指令(或 kuboard 的终端界面)获得容器的命令行终端
+* 提供 `kubectl port-forward` 功能
+
+这些连接的访问端点是 kubelet 的 HTTPS 端口。默认情况下,apiserver 不校验 kubelet 的 HTTPS 证书,这种情况下,连接可能会收到 man-in-the-middle 攻击,因此该连接如果在不受信网络或者公网上运行时,是 **不安全** 的。
+
+如果要校验 kubelet 的 HTTPS 证书,可以通过 `--kubelet-certificate-authority` 参数为 apiserver 提供校验 kubelet 证书的根证书。
+
+如果不能完成这个配置,又需要通过不受信网络或公网将节点加入集群,则需要使用 [SSH隧道](#SSH隧道) 连接 apiserver 和 kubelet。
+
+同时,[Kubelet authentication/authorization](https://kubernetes.io/docs/admin/kubelet-authentication-authorization/) 需要激活,以保护 kubelet API
+
+## apiserver to nodes, pods, services
+
+从 apiserver 到 节点/Pod/Service 的连接使用的是 HTTP 连接,没有进行身份认证,也没有进行加密传输。您也可以通过增加 `https` 作为 节点/Pod/Service 请求 URL 的前缀,但是 HTTPS 证书并不会被校验,也无需客户端身份认证,因此该连接是无法保证一致性的。目前,此类连接如果运行在非受信网络或公网上时,是 **不安全** 的
+
+## SSH隧道
+
+Kubernetes 支持 SSH隧道(tunnel)来保护 Master --> Cluster 访问路径。此时,apiserver 将向集群中的每一个节点建立一个 SSH隧道(连接到端口22的ssh服务)并通过隧道传递所有发向 kubelet、node、pod、service 的请求。
+
+::: warning deprecated
+SSH隧道当前已被不推荐使用(deprecated),Kubernetes 正在设计新的替代通信方式。
+:::
diff --git a/learning/k8s-bg/architecture/com-n-m.md b/learning/k8s-bg/architecture/com-n-m.md
new file mode 100644
index 0000000..f901067
--- /dev/null
+++ b/learning/k8s-bg/architecture/com-n-m.md
@@ -0,0 +1,18 @@
+---
+vssueId: 120
+layout: LearningLayout
+description: Kubernete教程_Kubernetes组件_所有从集群(worker 节点)访问 Master 节点的通信,都是针对 apiserver 的(没有任何其他 master 组件发布远程调用接口)。通常安装 Kubernetes 时,apiserver 监听 HTTPS 端口(443),并且配置了一种或多种客户端认证方式 authentication
+meta:
+ - name: keywords
+ content: Kubernetes 教程,Kubernetes Master-Node通信
+---
+
+# Cluster to Master
+
+所有从集群访问 Master 节点的通信,都是针对 apiserver 的(没有任何其他 master 组件发布远程调用接口)。通常安装 Kubernetes 时,apiserver 监听 HTTPS 端口(443),并且配置了一种或多种 [客户端认证方式 authentication](https://kubernetes.io/docs/reference/access-authn-authz/authentication/)。至少需要配置一种形式的 [授权方式 authorization](https://kubernetes.io/docs/reference/access-authn-authz/authorization/),尤其是 [匿名访问 anonymous requests](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#anonymous-requests) 或 [Service Account Tokens](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#service-account-tokens) 被启用的情况下。
+
+节点上必须配置集群(apiserver)的公钥根证书(public root certificate),此时,在提供有效的客户端身份认证的情况下,节点可以安全地访问 APIServer。例如,在 Google Kubernetes Engine 的一个默认 Kubernetes 安装里,通过客户端证书为 kubelet 提供客户端身份认证。请参考 [kubelet TLS bootstrapping](https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/),了解如何自动为 kubelet 提供客户端证书。
+
+对于需要调用 APIServer 接口的 Pod,应该为其关联 Service Account,此时,Kubernetes将在创建Pod时自动为其注入公钥根证书(public root certificate)以及一个有效的 bearer token(放在HTTP请求头Authorization字段)。所有名称空间中,都默认配置了名为 `kubernetes` Kubernetes Service,该 Service对应一个虚拟 IP(默认为 10.96.0.1),发送到该地址的请求将由 kube-proxy 转发到 apiserver 的 HTTPS 端口上。请参考 [Service连接应用程序](/learning/k8s-intermediate/service/connecting.html) 了解 Kubernetes Service 是如何工作的。
+
+得益于这些措施,默认情况下,从集群(节点以及节点上运行的 Pod)访问 master 的连接是安全的,因此,可以通过不受信的网络或公网连接 Kubernetes 集群
diff --git a/learning/k8s-bg/architecture/com.md b/learning/k8s-bg/architecture/com.md
new file mode 100644
index 0000000..6a7db9a
--- /dev/null
+++ b/learning/k8s-bg/architecture/com.md
@@ -0,0 +1,18 @@
+---
+vssueId: 120
+layout: LearningLayout
+description: Kubernete教程_Kubernetes组件_本文描述了Kubernetes集群和Master节点(实际上是 apiserver)之间的通信路径。用户在自定义集群的安装之前,或者调整集群的网络配置之前必须理解这部分内容
+meta:
+ - name: keywords
+ content: Kubernetes 教程,Kubernetes Master-Node通信
+---
+
+# Master-Node之间的通信
+
+本文描述了Kubernetes集群和Master节点(实际上是 apiserver)之间的通信路径。用户在自定义集群的安装之前,或者调整集群的网络配置之前必须理解这部分内容。例如:
+* 从 [安装Kubernetes单Master节点](/install/install-k8s.html) 的安装结果调整到 [安装Kubernetes高可用](/install/install-kubernetes.html) 的安装结果
+* 将公网 IP 地址上的机器作为节点加入到 Kubernetes 集群
+
+Master-Node 之间的通信可以分为如下两类:
+* [Cluster to Master](./com-n-m.html)
+* [Master to Cluster](./com-m-n.html)
diff --git a/learning/k8s-bg/architecture/nodes-mgmt.md b/learning/k8s-bg/architecture/nodes-mgmt.md
new file mode 100644
index 0000000..06a5f80
--- /dev/null
+++ b/learning/k8s-bg/architecture/nodes-mgmt.md
@@ -0,0 +1,107 @@ +--- +vssueId: 119 +layout: LearningLayout +description: Kubernete教程_Kubernetes组件 +meta: + - name: keywords + content: Kubernetes 教程,Kubernetes 节点, Kubernetes node +--- + +# 节点管理 + +与 Pod 和 Service 不一样,节点并不是由 Kubernetes 创建的,节点由云供应商(例如,Google Compute Engine、阿里云等)创建,或者节点已经存在于您的物理机/虚拟机的资源池。向 Kubernetes 中创建节点时,仅仅是创建了一个描述该节点的 API 对象。节点 API 对象创建成功后,Kubernetes将检查该节点是否有效。例如,假设您创建如下节点信息: + +``` yaml +kind: Node +apiVersion: v1 +metadata: + name: "10.240.79.157" + labels: + name: "my-first-k8s-node" +``` + +Kubernetes 在 APIServer 上创建一个节点 API 对象(节点的描述),并且基于 `metadata.name` 字段对节点进行健康检查。如果节点有效([节点组件](/learning/k8s-bg/component.html#node-组件)正在运行),则可以向该节点调度 Pod;否则,该节点 API 对象将被忽略,知道节点变为有效状态。 + +::: tip +Kubernetes 将保留无效的节点 API 对象,并不断地检查该节点是否有效。除非您使用 `kubectl delete node my-first-k8s-node` 命令删除该节点。 +::: + +## 节点控制器(Node Controller) + +节点控制器是一个负责管理节点的 Kubernetes master 组件。在节点的生命周期中,节点控制器起到了许多作用。 + +* **首先**,节点控制器在注册节点时为节点分配 [CIDR](/glossary/cidr.html) 地址块 +* **第二**,节点控制器通过云供应商([cloud-controller-manager](learning/k8s-bg/component.html#cloud-controller-manager))接口检查节点列表中每一个节点对象对应的虚拟机是否可用。在云环境中,只要节点状态异常,节点控制器检查其虚拟机在云供应商的状态,如果虚拟机不可用,自动将节点对象从 APIServer 中删除。 +* **第三**,节点控制器监控节点的健康状况。当节点变得不可触达时(例如,由于节点已停机,节点控制器不再收到来自节点的心跳信号),节点控制器将节点API对象的 `NodeStatus` Condition 取值从 `NodeReady` 更新为 `Unknown`;然后在等待 `pod-eviction-timeout` 时间后,将节点上的所有 Pod 从节点驱逐。 + > * 默认40秒未收到心跳,修改 `NodeStatus` Condition 为 `Unknown`; + > * 默认 `pod-eviction-timeout` 为 5分钟 + > * 节点控制器每隔 `--node-monitor-period` 秒检查一次节点的状态 + +在 Kubernetes v1.13 以前,NodeStatus 记录了从节点发出的心跳信号。从 Kubernetes v1.13 开始,node lease 特性进入 alpha 阶段([KEP-0009](https://github.com/kubernetes/enhancements/blob/master/keps/sig-node/0009-node-heartbeat.md))。当 node lease 特性被启用时,每个节点都有一个 `kube-node-lease` 名称空间下对应的 `Lease` 对象,节点控制器周期性地更新 `Lease` 对象;此时 NodeStatus 和 node lease 都被用来记录节点的心跳信号。NodeStatus 的更新频率远高于 node lease,原因是: +* 每次节点向 master 发出心跳信号,NodeStatus 都将被更新 +* 只有在 NodeStatus 发生改变,或者足够长的时间未接收到 NodeStatus 更新时,节点控制器才更新 node 
lease(默认为1分钟,比节点失联的超时时间40秒要更长) + +> 由于 node lease 比 NodeStatus 更轻量级,该特性显著提高了节点心跳机制的效率,并使 Kubernetes 性能和可伸缩性得到了提升 + +在 Kubernetes v1.4 中,优化了节点控制器的逻辑以便更好的处理大量节点不能触达 master 的情况(例如,master 出现网络故障)。主要的优化点在于,节点控制器在决定是否执行 Pod 驱逐的动作时,会检查集群中所有节点的状态。 + +大多数情况下,节点控制器限制了驱逐 Pod 的速率为 `--node-eviction-rate` (默认值是0.1)每秒,即节点控制器每 10 秒驱逐 1 个 Pod。 + +当节点所在的高可用区出现故障时,节点控制器驱逐 Pod 的方式将不一样。节点控制器驱逐Pod前,将检查高可用区里故障节点的百分比(`NodeReady` Condition 的值为 `Unknown` 或 `False`): +* 如果故障节点的比例不低于 `--unhealthy-zone-threshold`(默认为 0.55),则降低驱逐 Pod 的速率 + * 如果集群规模较小(少于等于 `--large-cluster-size-threshold` 个节点,默认值为 50),则停止驱逐 Pod + * 如果集群规模大于 `--large-cluster-size-threshold` 个节点,则驱逐 Pod 的速率降低到 `--secondary-node-eviction-rate` (默认值为 0.01)每秒 + +针对每个高可用区使用这个策略的原因是,某一个高可用区可能与 master 隔开了,而其他高可用区仍然保持连接。如果您的集群并未分布在云供应商的多个高可用区上,此时,您只有一个高可用区(即整个集群)。 + +将集群的节点分布到多个高可用区最大的原因是,在某个高可用区出现整体故障时,可以将工作负载迁移到仍然健康的高可用区。因此,如果某个高可用区的所有节点都出现故障时,节点控制器仍然使用正常的驱逐 Pod 的速率(`--node-eviction-rate`)。 + +最极端的情况是,所有的高可用区都完全不可用(例如,集群中一个健康的节点都没有),此时节点控制器 master 节点的网络连接出现故障,并停止所有的驱逐 Pod 的动作,直到某些连接得到恢复。 + +自 Kubernetes v1.6 开始,节点控制器同时也负责为带有 `NoExecute` 污点的节点驱逐其上的 Pod。此外,节点控制器还负责根据节点的状态(例如,节点不可用,节点未就绪等)为节点添加污点。参考 [NoExecute](](/learning/k8s-intermediate/config/taints-toleration/#污点与容忍的匹配)) 获取更多信息。 + +自 Kubernetes v1.8 开始,节点控制器可以根据节点的 Condition 为节点添加污点,此特性处于 alpha 阶段 + +## 节点自注册(Self-Registration) + +如果 kubelet 的启动参数 `--register-node`为 true(默认为 true),kubelet 会尝试将自己注册到 API Server。kubelet自行注册时,将使用如下选项: +* `--kubeconfig`:向 apiserver 进行认证时所用身份信息的路径 +* `--cloud-provider`:向云供应商读取节点自身元数据 +* `--register-node`:自动向 API Server 注册节点 +* `--register-with-taints`:注册节点时,为节点添加污点(逗号分隔,格式为 \=\:\ +* `--node-ip`:节点的 IP 地址 +* `--node-labels`:注册节点时,为节点添加标签 +* `--node-status-update-frequency`:向 master 节点发送心跳信息的时间间隔 + +如果 [Node authorization mode](https://kubernetes.io/docs/reference/access-authn-authz/node/) 和 [NodeRestriction admission plugin](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#noderestriction) 被启用,kubelet 只拥有创建/修改其自身所对应的节点 API 
对象的权限。 + +## 手动管理节点 + +集群管理员可以创建和修改节点API对象。 + +如果管理员想要手工创建节点API对象,可以将 kubelet 的启动参数 `--register-node` 设置为 false。 + +管理员可以修改节点API对象(不管是否设置了 `--register-node` 参数)。可以修改的内容有: +* 增加/减少标签 +* 标记节点为不可调度(unschedulable) + +节点的标签与 Pod 上的节点选择器(node selector)配合,可以控制调度方式,例如,限定 Pod 只能在某一组节点上运行。请参考 [将容器组调度到指定的节点](/learning/k8s-intermediate/config/assign-pod-node.html)。 + +执行如下命令可将节点标记为不可调度(unschedulable),此时将阻止新的 Pod 被调度到该节点上,但是不影响任何已经在该节点上运行的 Pod。这在准备重启节点之前非常有用。 +``` sh +kubectl cordon $NODENAME +``` + +::: tip +DaemonSet Controller 创建的 Pod 将绕过 Kubernetes 调度器,并且忽略节点的 unschedulable 属性。因为我们假设 Daemons 守护进程属于节点,尽管该节点在准备重启前,已经排空了上面所有的应用程序。 +::: + +## 节点容量(Node Capacity) + +节点API对象中描述了节点的容量(Capacity),例如,CPU数量、内存大小等信息。通常,节点在向 APIServer 注册的同时,在节点API对象里汇报了其容量(Capacity)。如果您 [手动管理节点](#手动管理节点),您需要在添加节点时自己设置节点的容量。 + +Kubernetes 调度器在调度 Pod 到节点上时,将确保节点上有足够的资源。具体来说,调度器检查节点上所有容器的资源请求之和不大于节点的容量。此时,只能检查由 kubelet 启动的容器,不包括直接由容器引擎启动的容器,更不包括不在容器里运行的进程。 + +如果您想显式地为 Pod 以外的进程预留资源,请参考 [reserve resources for system daemons](https://kubernetes.io/docs/tasks/administer-cluster/reserve-compute-resources/#system-reserved) + + diff --git a/learning/k8s-bg/architecture/nodes.md b/learning/k8s-bg/architecture/nodes.md new file mode 100644 index 0000000..b385919 --- /dev/null +++ b/learning/k8s-bg/architecture/nodes.md 
@@ -0,0 +1,183 @@ +--- +vssueId: 119 +layout: LearningLayout +description: Kubernete教程_Kubernetes节点_Kubernetes中节点(node)指的是一个工作机器,曾经叫做minion。不同的集群中,节点可能是虚拟机也可能是物理机。每个节点都由 master 组件管理,并包含了运行 Pod(容器组)所需的服务。 +meta: + - name: keywords + content: Kubernetes 教程,Kubernetes 节点,Kubernetes node +--- + +# 节点 + +Kubernetes中节点(node)指的是一个工作机器,曾经叫做 `minion`。不同的集群中,节点可能是虚拟机也可能是物理机。每个节点都由 master 组件管理,并包含了运行 Pod(容器组)所需的服务。这些服务包括: +* [容器引擎](/learning/k8s-bg/component.html#容器引擎) +* kubelet +* kube-proxy +查看此文档可了解更多细节 [The Kubernetes Node](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/architecture/architecture.md#the-kubernetes-node) + +## 节点状态 + +节点的状态包含如下信息: + +* Addresses +* Conditions +* Capacity and Allocatable +* Info + +执行以下命令可查看所有节点的列表: + +``` sh +kubectl get nodes -o wide +``` + + + +执行以下命令可查看节点状态以及节点的其他详细信息: + +``` sh +kubectl describe node +``` + +输出结果如下所示: +``` {16,24,34,41} +Name: demo-worker-temp-01 +Roles: +Labels: beta.kubernetes.io/arch=amd64 + beta.kubernetes.io/os=linux + kubernetes.io/arch=amd64 + kubernetes.io/hostname=demo-worker-temp-01 + kubernetes.io/os=linux +Annotations: kubeadm.alpha.kubernetes.io/cri-socket: /var/run/dockershim.sock + node.alpha.kubernetes.io/ttl: 0 + projectcalico.org/IPv4Address: 172.17.216.105/20 + projectcalico.org/IPv4IPIPTunnelAddr: 192.168.199.128 + volumes.kubernetes.io/controller-managed-attach-detach: true +CreationTimestamp: Mon, 30 Sep 2019 06:30:16 +0800 +Taints: +Unschedulable: false +Conditions: + Type Status LastHeartbeatTime LastTransitionTime Reason Message + ---- ------ ----------------- ------------------ ------ ------- + NetworkUnavailable False Wed, 02 Oct 2019 22:37:33 +0800 Wed, 02 Oct 2019 22:37:33 +0800 CalicoIsUp Calico is running on this node + MemoryPressure False Sun, 06 Oct 2019 13:44:41 +0800 Mon, 30 Sep 2019 06:30:16 +0800 KubeletHasSufficientMemory kubelet has sufficient memory available + DiskPressure False Sun, 06 Oct 2019 13:44:41 +0800 Mon, 30 Sep 2019 06:30:16 +0800 
KubeletHasNoDiskPressure kubelet has no disk pressure + PIDPressure False Sun, 06 Oct 2019 13:44:41 +0800 Mon, 30 Sep 2019 06:30:16 +0800 KubeletHasSufficientPID kubelet has sufficient PID available + Ready True Sun, 06 Oct 2019 13:44:41 +0800 Wed, 02 Oct 2019 22:37:41 +0800 KubeletReady kubelet is posting ready status +Addresses: + InternalIP: 172.17.216.105 + Hostname: demo-worker-temp-01 +Capacity: + cpu: 2 + ephemeral-storage: 41147472Ki + hugepages-1Gi: 0 + hugepages-2Mi: 0 + memory: 7733524Ki + pods: 110 +Allocatable: + cpu: 2 + ephemeral-storage: 37921510133 + hugepages-1Gi: 0 + hugepages-2Mi: 0 + memory: 7631124Ki + pods: 110 +System Info: + Machine ID: 20190711105006363114529432776998 + System UUID: 841EC123-F92C-4A3A-BEC0-DAADDD625067 + Boot ID: 70c08b02-45ed-456f-8deb-b5c0ebeab414 + Kernel Version: 3.10.0-957.21.3.el7.x86_64 + OS Image: CentOS Linux 7 (Core) + Operating System: linux + Architecture: amd64 + Container Runtime Version: docker://18.9.7 + Kubelet Version: v1.16.0 + Kube-Proxy Version: v1.16.0 +Non-terminated Pods: (21 in total) + Namespace Name CPU Requests CPU Limits Memory Requests Memory Limits AGE + --------- ---- ------------ ---------- --------------- ------------- --- + default nginx-deployment-5754944d6c-8lnlx 0 (0%) 0 (0%) 0 (0%) 0 (0%) 3d14h + example gateway-example-6f6f45cd6-mhggv 0 (0%) 0 (0%) 0 (0%) 0 (0%) 3d14h + example monitor-grafana-ff99b5b6f-sxppz 0 (0%) 0 (0%) 0 (0%) 0 (0%) 3d14h + kube-system calico-node-qjfqd 250m (12%) 0 (0%) 0 (0%) 0 (0%) 6d7h + kube-system eip-nfs-cluster-storage-6c9c7d46f4-lmxql 0 (0%) 0 (0%) 0 (0%) 0 (0%) 3d14h + kube-system kube-proxy-4xz9h 0 (0%) 0 (0%) 0 (0%) 0 (0%) 3d15h + kube-system monitor-prometheus-node-exporter-t7d24 0 (0%) 0 (0%) 0 (0%) 0 (0%) 2d20h + kuboard-blog cloud-busybox-867645c5dd-7l97b 0 (0%) 0 (0%) 0 (0%) 0 (0%) 3d14h + kuboard-blog db-wordpress-79d88d66b7-j7kj8 0 (0%) 0 (0%) 0 (0%) 0 (0%) 3d14h + kuboard-press svc-busybox-6cc877b848-2kl28 0 (0%) 0 (0%) 0 (0%) 0 (0%) 3d14h + 
kuboard-press web-kuboard-press-6d6f8bdbb8-c4q44 0 (0%) 0 (0%) 0 (0%) 0 (0%) 2d3h + nginx-ingress nginx-ingress-hsv26 0 (0%) 0 (0%) 0 (0%) 0 (0%) 6d7h +Allocated resources: + (Total limits may be over 100 percent, i.e., overcommitted.) + Resource Requests Limits + -------- -------- ------ + cpu 250m (12%) 0 (0%) + memory 0 (0%) 0 (0%) + ephemeral-storage 0 (0%) 0 (0%) +Events: +``` + +本文将逐个描述节点状态的主要内容: + +### Addresses + +依据你集群部署的方式(在哪个云供应商部署,或是在物理机上部署),Addesses 字段可能有所不同。 +* HostName: 在节点命令行界面上执行 `hostname` 命令所获得的值。启动 kubelet 时,可以通过参数 `--hostname-override` 覆盖 +* ExternalIP:通常是节点的外部IP(可以从集群外访问的IP地址,内网地址) +* InternalIP:通常是从节点内部可以访问的 IP 地址(上面的例子中,此字段为空) + +### Conditions + +`Conditions` 描述了节点的状态。Condition的例子有: + +| Node Condition | 描述 | +| ----------------- | ------------------------------------------------------------ | +| OutOfDisk | 如果节点上的空白磁盘空间不够,不能够再添加新的节点时,该字段为 `True`,其他情况为 `False` | +| Ready | 如果节点时健康的且已经就绪可以接受新的 Pod。则节点Ready字段为 `True`。`False`表明了该节点不健康,不能够接受新的 Pod。 | +| MemoryPressure | 如果节点内存紧张,则该字段为 `True`,否则为`False` | +| PIDPressure | 如果节点上进程过多,则该字段为 `True`,否则为 `False` | +| DiskPressure | 如果节点磁盘空间紧张,则该字段为 `True`,否则为 `False` | +| NetworkUnvailable | 如果节点的网络配置有问题,则该字段为 `True`,否则为 `False` | + +Node Condition 以一个 JSON 对象的形式存在。例如,下面的yaml 描述了一个健康状态下节点的 Condition,如下所示: + +```yaml +"conditions": [ + { + "type": "Ready", + "status": "True", + "reason": "KubeletReady", + "message": "kubelet is posting ready status", + "lastHeartbeatTime": "2019-06-05T18:38:35Z", + "lastTransitionTime": "2019-06-05T11:41:27Z" + } +] +``` + +如果 `Ready` 类型Condition 的 `status` 持续为 `Unkown` 或者 `False` 超过 `pod-eviction-timeout`([kube-controller-manager](https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/)的参数)所指定的时间,节点控制器(node controller)将对该节点上的所有 Pod 执行删除的调度动作。默认的 `pod-eviction-timeout` 时间是 5 分钟。某些情况下(例如,节点网络故障),apiserver 不能够与节点上的 kubelet 通信,删除 Pod 的指令不能下达到该节点的 kubelet 上,直到 apiserver 与节点的通信重新建立,指令才下达到节点。这意味着,虽然对 Pod 执行了删除的调度指令,但是这些 Pod 可能仍然在失联的节点上运行。 + 
+在 kubernetes v1.5 以前,节点控制器将从 apiserver 强制删除这些失联节点上的 Pod。在 v1.5 及以后的版本中,节点控制器将不会强制删除这些 Pod,直到已经确认他们已经停止运行为止。您可能会发现失联节点上的 Pod 仍然在运行(在该节点上执行 `docker ps` 命令可查看容器的运行状态),然而 apiserver 中,他们的状态已经变为 `Terminating` 或者 `Unknown`。如果 Kubernetes 不能通过 [cloud-controller-manager](/learning/k8s-bg/component.html#cloud-controller-manager) 判断失联节点是否已经永久从集群中移除(例如,在虚拟机或物理机上自己部署 Kubernetes 的情况),集群管理员需要手工(通过 `kubectl delete node your-node-name` 命令)删除 apiserver 中的节点对象。此时,Kubernetes 将删除该节点上的所有 Pod。 + +在 Kubernetes v1.12 中,[TaintNodesByCondition](/learning/k8s-intermediate/config/taints-toleration/taint-nodes-by-condition.html) 特性进入 beta 阶段,此时 node lifecycle controller 将自动创建该 Condition 对应的 [污点](/learning/k8s-intermediate/config/taints-toleration/)。相应地,调度器在选择合适的节点时,不再关注节点的 Condition,而是检查节点的污点和 Pod 的容忍。 + +### Capacity and Allocatable(容量和可分配量) + +容量和可分配量(Capacity and Allocatable)描述了节点上的可用资源的情况: + +* CPU +* 内存 +* 该节点可调度的最大 pod 数量 + +Capacity 中的字段表示节点上的资源总数,Allocatable 中的字段表示该节点上可分配给普通 Pod 的资源总数。 + +参考 [reserve compute resources](https://kubernetes.io/docs/tasks/administer-cluster/reserve-compute-resources/#node-allocatable) 可以了解更多关于容量和可分配量的内容。 + +### Info + +描述了节点的基本信息,例如: + +* Linux 内核版本 +* Kubernetes 版本(kubelet 和 kube-proxy 的版本) +* Docker 版本 +* 操作系统名称 + +这些信息由节点上的 kubelet 收集。 diff --git a/learning/k8s-bg/component.md b/learning/k8s-bg/component.md index 5f511d2..cd6c257 100644 --- a/learning/k8s-bg/component.md +++ b/learning/k8s-bg/component.md @@ -1,6 +1,7 @@ --- vssueId: 117 -description: Kubernete教程_Kubernetes组件 +layout: LearningLayout +description: Kubernete教程_Kubernetes组件_Master组件可以运行于集群中的任何机器上。但是,为了简洁性,通常在同一台机器上运行所有的 master 组件,且不在此机器上运行用户的容器 meta: - name: keywords content: Kubernetes 教程,Kubernetes 组件 
@@ -115,7 +116,7 @@ Kubernetes 启动容器时,自动将该 DNS 服务器加入到容器的 DNS ### Kuboard -[Kuboard](/install/install-dashboard.html) 也是一款Kubernetes集群的Web管理界面,相较于 Dashboard,Kuboard 强调: +[Kuboard](/install/install-dashboard.html) 是一款基于Kubernetes的微服务管理界面,相较于 Dashboard,Kuboard 强调: * 无需手工编写 YAML 文件 * 微服务参考架构 * 上下文相关的监控 @@ -125,7 +126,7 @@ Kubernetes 启动容器时,自动将该 DNS 服务器加入到容器的 DNS ### ContainerResource Monitoring -[Container Resource Monitoring](https://kubernetes.io/docs/tasks/debug-application-cluster/resource-usage-monitoring/) 将容器的度量指标记录在时间序列数据库中,并提供了 UI 界面查看这些数据 +[Container Resource Monitoring](https://kubernetes.io/docs/tasks/debug-application-cluster/resource-usage-monitoring/) 将容器的度量指标(metrics)记录在时间序列数据库中,并提供了 UI 界面查看这些数据 diff --git a/learning/k8s-bg/what-is-k8s.md b/learning/k8s-bg/what-is-k8s.md index 5cb0fb7..14f6270 100644 --- a/learning/k8s-bg/what-is-k8s.md +++ b/learning/k8s-bg/what-is-k8s.md @@ -1,5 +1,6 @@ --- vssueId: 116 +layout: LearningLayout description: Kubernete教程_Kubernetes介绍_Kubernetes是一个可以移植、可扩展的开源平台,使用声明式的配置,并依据配置信息自动地执行容器化应用程序的管理。 meta: - name: keywords 
diff --git a/learning/k8s-intermediate/config/sec-ctx/con-kuboard.assets/image-20191005230605496.png b/learning/k8s-intermediate/config/sec-ctx/con-kuboard.assets/image-20191005230605496.png new file mode 100644 index 0000000000000000000000000000000000000000..f7a48e8cd3d413324de884aa77ffd3f37034e014 GIT binary patch literal 86162 zcmeFZc{J4T8$Ue8PNHl@qNK%I*+LkEN<#K^NcJ^*7(+rOv>}u=`@W5=BNACcjIj$@ z2V)z9S^VCjK7G&mJ?HuRIp_H&bKc8+U+?R_?rV9yuDfU2ch#8~xEMen5Yw%jH|~Kz z)WA=04;>BgryDkA00L2+bWl;zc2ZGSadUR_&~>-6wo$inwefJUzNfAX0$q!W(l@t1 zrO&2N>uJY-?z^tDM3`5OB9j2q8v}{7iW>OXn3QYWEvezN^AEOGzQ6nS{hD|!DNRdN zJMhY465AJKRWRR09P@}mg;*?uz;Hj`MTLs(Q0@81EKGu&c!EPs>A1~G;Km1Ra==Qp z9hQ2&I?pKX6&nRdVvz{v)hW-2n5XhWFP}uDa?+$3>hK7e=iUKJX)*d%nog)R1we;T zW8{>=Dm5NKpTGzYo$5Kn(u~y_1m(TWL8!pY+ z-3ciQPq0>I1R+U*xk;Tb8hNi%)QEIbPA)LSsh=ZpNw1D6(!3lUPb|(lhP`1{FhZNx zkn*vx^7)ydxhGN^!c!toyQSyabw3a0=e=op|JmnDm88k~x*S#Gvl`RHwN?*;i*EAz z+{~h6Vn@KE8^qnZM>n@%9w{=*3xV?+PvS&qiJ9?lL)pKCK82^LDQ(S7kxNH!vrwLN zr## z@0@`tfnielA@ByKa(e2E?=DBwGiVx79(!;RLNmcJXrCK;l;$d1A=}C4&@@|4?zzV6 z>#`LIU7s78-jdteprJdTzE=o7h){UUQN~4#F5u|1S<4SIvu0Hc5|#!loWr z;_9ufR}ZgJoPG5Cy5`oKQ)R3Vu)Bk|omDNaOAnChUWnhzN>Uw@si;l0+!GhPW2TEP z5I%|s=kK^gpf;~3eub8rEeK2NAf`@!s4@J$1Kq(8uWktu9Y6kr|1w;w@@O^btS!6K zyyR@;>8sD>LNm>=+MCewtc7Re;o2`lX0@QWZwYh7o95Sz-9(S76~t5TI_?;pyc>0+ zU^8?xqC&X-0_-B`Yke229o7Z=4*P5lekIrOVY*>b)ScH8`gO~3gUe(hfaB4LD!YX^ zr-IvO_?_8Lb9gjKP3l-(UB7UI&RSV#FeI)JL*PgeOP1$3YRx;FO)zT^HK2G#C*+a6&%va?|P!Uopzl1+QyUNvXRd`uWkl1 z{_MvuZ6SBB`UR2t7e>E$7R-qRS4zu$Ku%!21{5HB`5?O}I7MnopgyG;BNhaLfNtGT z((|KO8l$!}(;xo2CY_vho85##guS5U(mjS24x_;^^9K((d^yZFO`mi68lU3u6|yM! 
z#CFM5ge^b7tYPE*<{h{5;-zM$gyXNF8I8n1$U#BfJZp@NFQzU=Wy&@1+_zOw}gt zgFZV!#%yA`8Naig>nbFy(IR4-J;is55*T%V=(s}2Cic;q;zfJ&beo!~8y(Z}A|rCs zOLQNLA)Bz1aLzSsd5H_rV>y0a{uKPW1^@5Cfq%T|SwI7s&9Vo>{I~(3P?CV$WIKDV zhW&Ba4MAa*)JIh5*pAg8RKireIy6FPvYzYQyR!$cLv*R=KuPIe73h8oTX8j{-9F-U zgKvyrM`x#*M=ZS~Ma`EISwFhI5^o}=pNZ250ZWb zl+#d9nVp??S`j37bbMRin3UHTY@MUse-n89uv(y|1>t8uV+kkp`%n-34;D`_?vPeEXVCljE#BDK1q67)K|7D8w3Mn!|}T zmX~`xv@8~HL26~#6+4-G$;}@7ZBr0X2p76X(w%S>snIlwa~^)@ z@`fjL1{mcs#YA>ieo4|iEZ*L@IlA58Kt+ItD?t=|DfEY{NI^kOHOW7ES3=_HcPE&6 z@iaPY`id$jB<>g;_VZ0vot z#eItLl)~*vcZb8(CnR_5Cck9{r22SYaK zRxO-Q8%94ru)F{cV6JYhlmNhFf6v9hr0kx0`EsXvwpGI!>G5|i+#c5vO8YneEQSp~ z1oX*yR7U7vnJ=+F4fp;w%le_Dw33FEC)8$Nu8^;Fa9v-6=qJBt0fAl20ZS-Uv|3@_ zA1KwF?uJU}Hg|MU<8nWE$-k7Ba7T3 z3P!Jj3)O=0_wygInb94H;cx*0dgl}Kg7LS~Abiyj2|oL_z;%AfK+VnTOcRkJf2`@Z z1ew6THocv=ao~e`UVs@Um038my8L91MuEUx!YnXe^|_>-ic_Z#zkE0cSXgdY$tcJE zd=SEMZ3v6<pJADffVPrYJg zsoVWI=-~YWDPEoio?2LY|LOL@yIjI7j!R(VNL-C&!kQA1KSyc_=x+#?H!YdYsSnRj3kH=hMJT?f~{)%IZdN6H@tfLn6m<>8Dz zFf`2&`yS2@#nrLL=)Q)oavf^*x1EYYK!aa-FIPqEKiShjwa7poj;HdCJhYwPb1MO( z-Mp;&+YVEs7%!fB!Av&|y})lj@AGZTPUgS{4x|*81Ga&UU3bF42i~j(DVew5lHvR3 z83!@IShiwbav#_+$0wai*@-G|S}@-16H$LlKsr!E(P|s>ID+Uizzm3Zam8!E)xH+)eyw zeW-C3K^NbtilV~cx+>lamp^LJ-&&GpN1%r#;YUP8r3st(MObC)b93FP-IZ=80&YfB&ja8(~IxFfg9~o zU<2nh6W_Y;Jzzvz1h|X@5tf|_MMXss#^ts{`Na*6z~|Z&;=D!PDZ(41dts!tR$c^g zy#rnOsC^*z?b|`$3D}&ax+b$xx^`Rj|51Nnx|Q`__o)N zIVrDIK1|Q&Oge8inAR>i;+s_9AeXl@ikPpbqBTL8WD@7Imz5k(V!4?K3G2XGkkgvN zx7tclW)o*@FE!?u@y_WDl_(_mOk~d>`W%h7T9xD3zQ(4P2?mT)!<=y6R!3sYE_L{` zJs6bdjZb>qg0`<8wd_9YljZIC;g!K+F)_ZaB@fXapO+tEy zVJSho4#GD^ZIfJxrC(!sv6P>e5hLH(zKFP-yyl+Tl_XvK)r#$xW{ScX0|P^WU3aqN zz(Px^QfS~!{7Nl$zzALKX@?|+GArbG-*LHi{|g;vq{=M{#^x;8ug8+Ts;f&n>(_oM zyMM5#+M*6n;?~YwiYa!yo}_Nwow2%^8E;Y6-hLZ1Semg=?PP&`NhVC}xh_o(f7z<> zrT$!Q*S+<*Tp=QEHl83A(xl1P^BC-Q$8Y2-a=nJ<;k?oc#&3$Hq@<+HwPwbrqpQn& zmLk=jZp~zs^@(n!Nyw@A?!swD0*q+t?b1+b&{i=qYq&?TJ@=?G6geODpymjvINxr> zhP6GAsj>D#oM|Z|3-dT%E5}>CA@db)D~H%9u9q_n7u4|&{y13{`!R5#0_aE}L!Giq 
zweR?&R$8YFwWzX{vDygDrRurljmp+0aM*`8{Yvu+JL=eJ~KGoZhY z7wSfR+6JxS&`^9OTa4VwHK?g-NTQ>F;EfJFLcFbLl3PQy_rebW+nmGz4^jt|d=Hy| z`m(!RHL=yb{xg(0+8hhRkJ;&F-!1grtC4y+slqJ(U~jusadEidyLaxj@Z<8 z#Dsx~L*~c1{+$Qe-JYnYM+7chXq6gzz&heL9YqhOWYDEb)cN@nzB1P=PaXJ7xsipu zaQvvO<%DhB>sgtKhJjV}u-Vd?oCT59=B3-FMJnO2O{Yv|lI)z#pg6SFr?JS(yDNAi z$;4r2=%iFSd}A*#cKo%O{GsQoI3Hrb3krwc?WfZC91ng~j3f`EJ+$9(7A|C;&q&J| zTD_1GI0aoi;Z#@|=a!ylo0n#vu*>>h&bMgnVJi<}r3N#cLf*_SsTtU;L|bfh-OCWt z#!o9)FjnnRp6s4V}(npLo>q_P&Ci!s3;5?286;DdE zx|PnPuK50Hdv%Kvf^tM{kbxz(j?nQd>}IZRSo_Mo)y%B8ec80*5)gL+!FjmspIQ`_ zKw`eh#zI=VVPEll=k$C{qnFkVvlGEHS4CpnJ~O2~;699w_Nw4Qax14KT(2j4 zwt}He;#zo6sm}J=7gnwQ^nL_GAlr$&O9jeR(i4Gw=kLBZavCYIEbo%qIHQ+tTVuto znUQwKsOWq#jyjmZjcqjNR&gRe+vEX)1GH znfIzh8EjByTrBt@Ghpf_KLU8^`!K`Ylbb@tbyF%Ii_B|>zsq5lVsf((fcvddjA**> zLH$flH2=naIrlY++YTDI7FIl&ZSuDJ`o;^=)`**wWg{r*`lGTGN9fK{4W?+^gs>=+ zV_b&l;}i6^&1=cc>aH61&xc2IJC}qMXXYsEJvb)9Kw3%nra%t;na^e&Z8<)b?pf&l#RRc}AY9W?5 zed3j-jpr8mv+S!2Dw9ruy_E|xYATD{E}JGP7bZ9E;Byiq84TI)VYnnw{w`H015*K6 zsty(iUl{nAGK9w>B=xq_kv(FVy^Vi&K4(6+U!%P)9D-BhPaKmRN<`N7p=AN$81L2W3`Fx@lAuj`pJtD z)a|;70_pK(@j331@OVi~|K?^3CvraW%Qf#|j_tsiiz9$XTmGRThO?RiBKTZPT2^P? 
zXO1SVYPX7BHHD9TG~XN<1qbzdy&ZWa9~!vGq6Uc*dt^IW9rZhM;(zhr`V1zzT=u##b<*gshoSQwd3OZ0qd5}tWVTZFh<5Ph;qyAL z(v+vP**NkXDw3PCl3X24olC>ycYeJIszm5Q5}dUY-H!kzW636X?TqEM`!x~pNriW3 zd*Y}NW&(XoWF3bQ=B{-ZC{GLNZN?j{1=qLAF#J~b?3GT?o3SdI9Y2^ynB3i1P3U!_ zo2B{2IU$fNv4U}pjXw|ugzp2D2@I5Do0;a23+4(_WQdmNiFm&2t6P#~V#r{0Job!A z_!o`{@@jg=eIZPO4ih4rDrhZ2$30VlMxTG>mHO#5%7BY(&zV8`l-ePQyY;#gVUCOW z+BYkwr>de9BOE(;Jlf7Q#HBQyi2?;SGf5BXsPoLIvl`@NDje6ZD0DQ)OHq(C)&KM{ zokGV;lsapzOCvOiX8z>|$6<#G8}s7ljwiw!d&Hg+)FnxJth!w=_8*tt>IP?8>Ij@t zbd}z_mzJewH4r3NqkxKL3@y5Ny+6>8T%(0L@j{GCU*?s{wX7z!upCE&(@n^2Yl$sy z38IFc_+|gP?NrllbzZ^s=)L!-EvjH0rP*Wl3KU_%1Z-_~RQ;wP{B_@58HI&LzAj(( zQzt2?7Fmtv6Ujav{J8LYOEoLHa9GqO<02=d1&_G!h-SoQXT?g9VxwUGDhWJWZGB0* z(+#JnBt08F#PO%53WW?4x6^|**~pjb7$`61>|{47is<^q=9s}rIECxap}uP^oUI(W zYH^N@lD;~hd^UU42_?cqZOx1Lm0_piC~9klss8@ThV;~%uycZ+?!C-BU&qkZ-f$3Ng3TuD0&P>c1CVpR=({})$!hZcz zBLfN2id)ix4qMyBoW9M;2;Qww75fq@cBYTVlykRhb@l=oBAX%xgx)a}OBNRUm=mwW zZ+VxkikXchIu)Ii3v;ZI{Fnp3F_e>&P^Qe!PW`b)9jC~tmWEo#PrxUbh0`8MK4el2 zG4V=$>)u%sAkZ9qaZ;AuHg}?NJN@$AGikTIZv51?zHAH+?45qXcQrwU zZoI!Wxk>wjxCA?MD}5_nF}JKf^hw%m3b>I4e0~_2n#$LEAIh&&$u&)TLdWF}0{|W& zA;e%_2C`m1bLxN&01M#gh}UY{4VGRn1f5@>h7X?N9PsWiWNKJkuaYb;{OAvv_{do} z+noKPeT@=cFeKNv>)VxcTKmg#n(Y_fTH7z>V-JByepr6X(tp$heOk=R-!<`XJsnVh zHN8vf&DD}&k9y9<6p_vh3B7so2|cf4Q-07=lanTj7wUA;5#hhlB~38#V0f?Bd{@(3 zGFa8T%gK9rky5KGO@-bnF=tR^ecqlvW$n>$QC*B5HE$%TZf$Eve#9i^v+#iRy>mOS$0aaq987UxYTJ&g2}h>MNnP zC@Q@u-PrjnP4*qV8<~z4nvJaN^5r)^Td6d4-)Obo2j|TA6o|UIKYK2uMk~_|x@#bA zqzX_;Ft}syp4_h(i)NwWg`*Vzre6CPG1_%q}a)y&zK<4kdC#_MQ`e6{PEi_mGg z3>Q10Dfy*;Z}RCeen*~JAR*b1oM$t*^iz*d+HciTakyB@;LT5#*NfK})Mh?zGyuht z!ew3iD%^l6!M1U?;?sJ&5X>*DM^93ieKhw`X`*$9N^38K+eFk!o-@qDv8+Hzo$Zuh zsvJl_#icvbPL{DjKJOInXfqLgyf1Aj6#)@BN9Ei%L-IOBnb5~kVS^GEC%xU-I zQ)nQ)lJ|g}^oZ(s7`#^;Ri#klqS2Y(Z3tWLL(9SJEd=^sqRX_K>Jaq2CY)Q(L>US8 zTw9T%j2l)HtBIGu9m=Uqqz~GYW1UTcm`P<>rhzo=%Og=V=~<18xATbejSM?ek!rgn z@1R&_rVI>6we1&IJeTIP42-S})JV^E$XK6#B63omBTLrJOCc8hx%3b=1SE=^!S4d~ 
zhu}87CX5o92o~z3mrPaI`NgUm{89Th^8I_isb^%)WP3%p)kIBJcCvpSuaaS!k@f8| zikoaSC{B>$TPRa%T6&|FTdKq5L{gz=UfRP&A{Eurm)TY?buwwjO;`0o1QyH1j6pfe`iweV)fuYc zXHFgMz>oP(7)5<8d2tDV;|+e+aJ#LUgZoivC>;eZBHlViR=AS0r!7N(5rnJMgGy&W zb(`zrBA7qi-LT@CB|UE0dqPU@XbMbUZkFB0!Y_x|>}V)87riVzRGy{7ALTLlG(Dkj zP)karK(iC=U($z#GQ{W|kD|gDp4(PO_Fp`A+eYVvwCm`#3EKCL6z2u=9Ppju-P^DH z^f!u&(m@Wy?X`w23tct-BFtb{_1&}&G$lRtf`Pi?BM2ilNWO!&xvEvEf;vVp4+bRc z>5}B8t=&_o`HnS7qh^0VHUQbZl>&DNrDZC>$MEh_eyf_;vvgvHB0|?$Kv^q8p696I zVjIhdnU=<5;&X>^ojkp82NvgW41~zm3P<=A19fLjJz=Gm9B(f=V78wuF#op5V zq+hNtDXt=N2i4P`dI=ZRFxu}~#tW#l3V>ey6%~t4Qvf4D8T|erc|AmM$9jM~h2@4K z^!raLi85DNl*zBOeH?w^Jb>`IYQ4ayrXu#`N!>z~P#vZn_e4sBk!Z1nW7ko>Eo&@K z=~&3Bm*4#h{T)7Nq79(d)TJ_i35|o$a)|nfhyd{5kE!>+A?<$v^4~9qaIm$xe)fDQ z_^0SQAF{sA(9zab(%C7vm-Z;OK-jaROHe5PzTJS7;PCmtCul3KEi^{EDQME$E76`X z?+;{OjNskt-R)D@IhRRe59Wi=Rw2EQ@^5{qhVBm?B6Uf7iN>_Ov#sFh=2cED^VRst zIGY-@U_t^aE!EU9=-KPfEoV{(B3QKgE*HFe)YuD4cd zn3-L*_A>R$8l^l??y_odirH|-n^}e5DC%$pB>VAEg$mu9*)c3_VLSGIoU16Nd2MdT85;3L;E-Jd z6j^bULXtxCVq1Co)a!wVN@mo59_|4FpGm`4O8@5qpnD}q7aWB>Pkp#NEH^oUXS^QW zGrRE5Lw^zg03&1p0C+H0?O{gn2l+e{Msyz@U;p^&?mwXQ;eG=aGm#HiTq+5lf0>Uz z(?a;nsml6hl&k-|dQ()}z`(V-T83Uar=XzVilx$EQF{6hfCVM08~DW8*x8_lk?HA8 zQ9dS)JdEp3g^Y}Od3gm*A5>b!rBmYLoia0Rg1oO84#oivHxd%Nb*!Wkno;p z>dU)lQkgfeii`BYycP#Pr(~y>wHJ3hJOfp=3A2f-r2&a<3keC8kG?-8vy~bmgjR&1GY2lCpWXbLD)ZCj!~oL~$-n|aT$H|`a)7-*qLTGp{OL4#si(t3a))hHRm0ZS8)9f|z;60JcEOQU z-SfTOI+FOJ34;15^pKZ_QTEH@T9$2g&iHL@ZEm4{%y8x#_FB+YxeFa0W#yWmt-Mza zXI0c(3@t3I%w>H&(yYQQfC%>AeoCd@ryE$3bPwpUp7&t=qO6JZru#zkFWq?7H|}TO zn>Cp9K>qmAaw{dEkgq7cu3Zu_UXoROZ4qfips4fVcVdMUvJ> zl2N};TU9BgNf|&%Ryh;7edk}!IkMRj62oNU!MB=_gZx$i?fOTM5Ds>u^}e9Udd`+xPI_b_^+}`&Anv4M6rHii#6x(2>t6U`0u!J}*pvHgUGb1TLenE#y1- zo^j9YT{c8Z$uf%(TUI7<@g`1S@kA`wU^CXGLF=>jMzKF5>RiDJZ4a90+1k^%3pk(amiCDFN6OT7W~`ahADyV5TDHQ%(GgjdzMB8axcSyQv?FvglpQ zwyolNp(43?HP39hA$kWzB8xPXDRXk=<-{fLZs@+u{(Pg|d^P*0wpFS!@*c9F2C76I z%CNa^E^ghGuLVJ|=`AawIQk)cv96EesfIQJMH32=R0E(hs0|tN{dRqfm`dedJ86r$s9Q0Ltzh`E zZZWgR7pGR 
z?3}eMclp7F#fF}iIHq^P6@6FwTcM~aP*0aWufdyh32Bbx1r-uFZy;@#UXOlmQ*4{| zU#l_E0~DoNEd!J!`_8S4KUD!ASZ=P5>r?-jL+?6wm%4!_#c?t$G4N5*PH~fLSm3a9 z!^OIM1v6YtNeVMHr(K8@uOwykX=TkwT$-oupG~N0t(?}PfPeTk~-v4tk_K!jYcql4~)iV5lb@HEf zfL{{jfFl;C^z{4pt-tTbWr8Svmi5n#{?X_E%ex^60c{V_JbX4YdpXXc-RduYDUk$Htd`&wp*bNGW+Tl-* z1(la|#tfPo8?)D*aLKqQpIEH6+4ZzOS`^R759FC=Bkz|_o+zd6)zEC;ihp57Wofs z4QOGmxjO<36AUOl7veAG`($cN#qqP48?F;)s+uy|O zuz%ndl`Om0s#3DDEbIwHv{Svg_HwaHQ^ZkjpgM_67X6)DG&f92{_m2>gEuJ#{gbH; z{|Qz9=^fGz#0=fL?G*oV+4hg;S@5AyIl?yG2D~7cT6OcT55mSq050|sQ~z-6&}@1TfR&AGZOp9v zwvOQ_2x>~s{QbJIA5WIf(;FS>m^WS0-pB{7*1#YF+QtqDORHBiv$m#65p|n2eno#_ zP@p-#qZ^=i7BSKJhgF<85F`+o)|3Wm zWKPLoR@XageSOF1tXbDx`=Ts|lLnK+#EZ`T>T}W51GR=#n=RArhnvqbm#UxEQZ>wp z`Oe>L`p1n_{Y^{aklh;~UoNmH`|;ymlEgyfpbrCFfxOKsBq;b?#HlFZ`Ev%sY?50N zX7yCnF)#y}?9OWtYc*8FzmhywYqZxO@6r>@PE_A(s3(>!EfuJpsw~n}DVdk;sJfGc z%;`D5M~ncNMUA%r*ZZ}-15-SigYT)D5ZyV2B1}h$AuFb)rfiXS>J@|DU#}kOZl?dU z%m42D)HQI&br5j|4P9=}FD`%BtpLTM6xV+B`LyVx2Va~NUn1}ZRlq;EKR5Rri;{8~ z-t@sBDVCs}vbyKF5D zZEf`DBDxz0LjbLcg{oI+;E3wHum`4Y8yDnAo8tFi_R+uFR{p1Cy~JWPOY!qLX?JKm zV8v>L?yxf84h5_ zEmI@CCCBlE;Xe3P6|b4+#B{X$@K@w+9+q;oLRV|6^{FCqm$Gg- zy4EbkPGF!I%i#0tSj5nJ2mWE2PMG;zA~vsjt*&~bAcOIEz}CEL1dsnqM%>lq^wRj@ zx}A+e&$+t@?0CQsK+R#8VTDc>#OYs`L(4th zKmQzz6f0euhL&QAYX>X>7X$)+y;5HWnqW31LDOO?B#P*ho<;k;LQ;<9T}xkBV|=ln zlgXrq(^1mZWH7R9pT^w9LwjkCp0Zcx_5Nt{sW(PTW@n=48;NR9IM8gWAuYGoda3pSmh6^a-S8)53085hcYn34TT~knQXJ zE_-Ip=JR7}pJvUf!Dp?!cAQYJ2GZ^b)~6fByxnCH=uijSL7{!V4KkVymVM~@Acr0> z^JL=O_AcEJ{nUmScB~llYL+Z|<`y^h5Iq)@qJA1SYQ8b&v(UmhI1?Y0xl?Rt?6Y?f z)PEB>#?`YVJ)|$%)$lDkVWH?&*K2MQsZn>8Bn4OvX}6=;r!NXkSj7U}H26^890x+T z;+}JHJvp3buXx&dLnmXDU~NtS6kXVk3f2SpzGnQ%W-o>$u9M%Y&@dxN_z84`k7JfX zH#O>6d%9}m(xCO8jiFgkf;_38Rcf+J+FaW&W@0l+`urz_YboX2MaY4>*C+iHOTN=^ z7r1>e`w3gR(mG@ju(`*nTrw8_Xm`Ob@aCfpxLcX2TYa^Xq#vs}CqUSz zPJ;Ja560Y^nS90{&Fw4z?K~Dvb7#@&j%CAjyP;;c9B{#=nXWZCC2cUQH!gt`L4L3F zH_!kc9mr;1u7ljSR~LtsOr5W^8$e-_ax)*N>&Gyx=Lfe&TrhL$wcdm!67xjL#AVJe zsvUPlL7iTe(aAyn@1ev=bygQN5__LVj$<%Sg;rg<@XFpV-R^D6U$dreRT^T*AL!wv 
zt2WOkWdWe(FJ8cB z^f~i3@fn?t5kWA*E@|6th;E(}?ZFx7-BygeuOnI=-5h?q`> z4fqT_vO_x0_oM|Gr^AzBD>AxtehW77L-6mXrzvZF$6;u<-C;~IK_?tX))p~i4_oFk zQ?H~+30%A+xAyT3%%uftE@HxT)uW@ZYPjuH(${g`Maq{z^4)bIbrrkML&70F=u@OK zN>JMLGd}^$NrBkME5IRaq=$)N6%eo?2Uy>_<=||dMre?Rla=uiwTqS|J1fEbe_JMi z)TObE?dBuapW8_~BI$uZ!a^S5RS53et=SdV9W1S3yrpOD*8VnS6j2Ry1d+Og;GUA? z8m|>+Yq9HMV39SwaL0f*N?aHc1xR?X#h%3!dv5HO!u4rsdikn_+|j-_-wNytVsgbg6>(zBe6^H zOVyj}`OcU^gmaH;e!1Fpuo6jh?JtKi5L6iUI3u{0X`G;_-%Y^UcLd^;QjVm zs}(1d(S7PmOrd(r>8;PSykFzQf!wo8D3z?t8awY1<(YZDG4ETEZ6hNmd&{o8exV|& zsM}j}r+idGNT?4fs;h1E601U1{bH3cHg z-ehPuT_t%OZx?h0Jr*^WC6K{Ye=gWYL0T)^y})N}bVf~_0D*=>ES-y=s9?X2np z9$LlRbNY)iR>nc}4VtZ_C91=lp#x zT;O5lEEn&c?}_pqydLR{lbbu4Ca}r+ROq-$?^PIEb%VHyPSj^fv{7@=9?2K|5!P2S zC~bvil(aFtBxFh?yJJ~#7jmXg1-4mb{lo%2dF8cc@OXxG34n{U2P`mbxeBY$pq9R6 znDPW>-iLp4SGFbD8%7nhJ7njxd(y5tt0RB#=!lzLO5koTcj_E1eAEp|8j!s8esVk` zY&aG$w@Vy12Z~e3Pg!o?jV8$EGUIXgpyG1B=4ytkjaTGN7HH6UD|wJJsTzcWbhD08 zv@U)|1A_w`a7Z|PXQE`S6?fTR`lRPMRoT~1uiG(~e31|AAt6vWsf+fZTLTV3a*0Ro zzVhyt-#e>#^Ru2b=<(xf1(^RxOT5M8E?d%cb7-ug$v3e++(qX;F~Owjps#vC9-;iB zL34X~w8wVHw5C>J?151YuU{Vrh$Sq^N8Gk^b41fCgJSQBOCrz1?K6n?`8#-^v$^(s z3v>wMT0%)3x+td2&*)b3?P~+JLQ9d<$<(y^0Y+|#UoqLc@ARpGk@kqu(6~oNMFaV3 z(n?UWFH$&`z;%4r#wn^rl9m*#|d1?5F$Ov6-!A_)4zubFyAWmd4y; z8Xki)qd+&fEi`B+HW%KJGlr6QiI?BQT`iAN z`v~sr>;$nbzv5TlMKe%V7OHLQPs9O%w^T#4z7x-yg*J7oj75Iuga&?-#-naFWvBQg zdM^*RL=BUk$?wiv`=oG(Y;TQVOZLckTh21h;qxn`E0!~{q%E-+Ubnm*-=!<+BbL&u zZ9wX?tS>EyFD&ZTjJj7~0(dIN2UvY`U2DKaeKde5!OE`sZ`valb1$Ssqn7eL9$CZ^ z)Vns=PtVpUre6Hj;i)T$7Q?4O!+1wq(F|T=j5!9WU=?=nTP!sKtBf3bZ|seYpy-+s zCS9r@=0C;pttAV6*~Z8qQo$f;O%_FBjIVZYkj*Y8Pv76HKQV4?CD<_^STo{5I^4~) z01aBN&`fQjk;nWIVye{mN}YF31<5o3?WXnbRXW1u&p>KQch{mkEs>QIp6sZB^O(GK zku$2kKa3;Pxp1wxZNB%W9r*t zg2(Cu@QY-DH>c!=?$;}N2~&qeUCK+##>YNh(-y651?l7gVZXR*YHsA)sL1Tq6;Pf>Nx}JZX7<63$qK`q z(Ado>l$B~xQcVMSl=mLncCIZx~jSaHB^LF-z;K#^txT4kvM`n5AQ#ky{smqN9=H59oHI@);>^y;AXFGfP zQe!_MbXALs4LB4S+@y&5*%#4Ne?t}O*)L&K`3grX2Xh0?+zB#J1I<7$jes5)jXHLX 
zKS*H6fKboo8GY8#H-fAdk5Jx0T|&hTD=L-8_@!=^*mQ_+UAJck@<3g!nDW*XzjlfH zi>XSK%kQt)RgS89E75lwR2U14bK&q2>zFZ3N%Hq=8^XNATaG|>89iA~D8MkNIf zR?~)}TKZ9)!7FJ5D{$mH7IrF)!(A`re4`H2>_{jia2x3T!4ihC`L*Qqxlcv6?7^d_ z6&OFM9~k7l3njuypzP~RPFsNohUq( z!v)_B^KmVgAn3#8M2V(F8ugRb=@06lE4w<1ZoJ3)GZ*M( z&7rXj!>CkbVDMV}l$-!>#&zOGW+MuG$0571msLCl!o_foVXww(!I@$2IQ1_Fzeuw~ z@{6v5KjbZK@N!$Uskz#I@AxqhyYIfDp4b&Urv>JSw45Tbyc9Gmnk#5{XZJH zx#Y_YV_X}U3vIjz@AuKan-^KsR`r*s>gpD`0?&M0g?ZN`1}}1Jhr;G7^XKP~af>m6 zf+idYEk7{F*`8>s*J1GH2tp520Q;b7DHEYJR}iCVe(D&;mJR^BmnPJe1xbp17Tnnm18yX8r@cXI1VTz3*d63 z^rK0CE>KVnKY>^`AmFf72J!uh#Ot@{(?r5q@RNToI1SAl(H{GIi$<6+4o< zQjm=RW??QQB2;yG-6y~1jObrN_~zM0KE7L)Mlb&2Rsa_4zd64GMjk6wAcY?}d0$^& zzZ4B9(_+aR@YUQh9=gm|;Z|whZQV{I*G72`Wv|#5Pzrag`sDs%hHMFHo87ZbNI0qR zsjai~1@(!91mn1bS5~eeWV`@>Mhyid9BNP>V=(XiF8mSFa!pazwd}P$;lW7RsSq!A zp!Z<266o{x5SEVM&FI6)cpM_t73vg09u6^D9|8_el!k)!Be4z-+wCU3->JFD^p?%< zKG@J46B}AHiiY^p=M1?;5Y0Fd7nqy-Fwvj>99p&)189@wnOmMIzqRRN!lx*PM*q~k ztW!>7>Fv^JZ+UDsmtrtWQQ(uzVK~_bRPKX`J6F{{ANjjle{}{xlP>#&^0K_{%HJjX z4}$^p@eVNU7mt7I=FgJ;y+51`+#CtW8a?)Z9r+5N*b~&^|1JDKzbfQ`n+W`!YW{!Z z{Lkp_1K)Xt!S=rk|NOEK0B*Wq6Fk)a8SlTAjW574N^7>x|1SLVt7i+iIWjIj6aCM4 ze?N!iDR55x>&18fA{T$ZIdvJhiKw@0=lQ!I|DB$Nl@Ihn=kgy2|KD4|kP+afb3pf7 zxdU?V$7VDi2z2m&0sLje4y52a4;-`3u>5P~|H-xwqFexYudU=uzJHGN{_iYz0M6|H zd6D^Qm&cC#_FGT^4NuOWo0OA~sXezl+LLgI@~h&7seIiv-U|<^tLt16*^@$nL&|Re z!m(XgT)Y`*p&6Cv)ACO3>=f?s>KFx+uo`M=xQV?Am+c;gt_X*Bcp%fvm_9G`455V( z={R=NkfL4{XeCPKG{F|3QRz_F&}dY~wlL=cD@ zVoQ%BMRQAqdn1_@6YclvcMvA|3VTx>G|Rj`flF%_mM7IuGm2r}kNfqBNUcq4Il6d` z?^wG4V1%Ox`f+;tS#Hl2YAHCG_yl7-csWEhtVPOZkypxdtFC2oVrs&X8xg=?)n4+v z{Wh=EU6M z8sq}hbq4^cq-=W+fQ9eKKpMC zeY`c0t>tFwHs%c+231ayc1xa^ZT^N6E>MIrC8DUHcs2};plqEG%mK9qT@0ct1l$Y!0B|6m;nu2<5tQ2~;tax;(hF?Pf z4`^DF)An5BwkB5YzZSNm;4UtZfxiAwC3@lkK#oL(x$W1lV~^1CJ}oxZPNe$x1z1_@%eH zcX5Qfe$$fp9sd+_pB;7t&^J9~6F&f@M4Y)$zxFk02{D4bTyGeDlxHdw2b_=@oY+G| zE|)ZK(KD|BN1cb>d48{46GPgM)uM^-VMQM%8&D^U+ZPc28?0u>YbQe)LM|^p)RE?bYXfVZdkDI>-d6L$Pxk4Exlx6mL 
zy<+%KZ_wT}GiCy=3Z=|8G)v7kk@=7B4UWj+ESB4=*R!hv?j3`KlkJ*B9uML48|_&7(0V8Gr!|m`#j(0kKcbTb6xkj=bUrj z^FHs_7S`sy`lHd67RCsZSYFvjDV!u_I(P0| zVe8#+n-24@_Phw?HNM+Z`MDk@E(ksY1d~IwZko-w^}|`1+Br|jnHWs;#`|e+>xR7X zy9H-{IKM*pdPX%SJA8swS82~(v2MyQ5IG>;uT6-Z#_)LVFZ+j*^k<>)?s~~?KkG^A zz>4G+z*y@LG|AG@pIh~E^72H)fH#THwGOVc3H9W}R4LH4x+F)ejj(m=#LY$ZQ79z+ zR`9`$2z5UB3TVHScMAS36a%0Nn_#{tB@tCKQWm}A8VVB{pmFJ?=Pz$py8nd2w|qpu zth{!i$Il;)eGR-37kjKLX>I3=)YuN_*S7~lX`JV#le$|dKsCBVy5j!r4tD}+inHn5 zAuXnJEP*#uWsK)i$liBRjN;gt8#3kA>%>Bx@@FF&Q!2dZ9zDtSKO(2Eiq1wXrv~$vc`aav zS?A-aj~rsyXMxUD?Ju;m^Z|Fq4lqg|&@pnX2y;p~Ey2m^e;V}Q@6`(4y%wNZl8GL8($3Wd8^ z_Vj)iNjwBw=0z~GBIM|tI);-vgC0|mYL&%CAONRoRl3jJ@!bS?(maO6{Rf-RZ1T!- zb53$&tR*dZjYK4{QSMdrzX#H8*!KBt((QH)yPWU2bVbGnjf2<&w{##t7$t3q@)c7T z@e9#&n>64HH&;#NcR(ELZ8#9M8U&u;cGvACh7)4DS8{Yy@71qIf}NLy8Ec#nQ#TVA zmb@ja3##}5dfmLK;vnH*|rc9l)?zEaREoi@ZNPX^EsAV^2O;IDgc^=zq=e z$mDV7x#YdpqeCGb+hgR@idtVcIJ)h%l~+O^kIpSitHlA$X`|19xaWu=M-i`y9v!mR z)P->pvZ`SZ$BDVS$8bU>Ofhqt=ku^6B-VB+kzvh{o7a_fZ+5XivBx2sv>7&JTFNe7 zu)N@t$mk~_OL*}wMGbN53l^M4UiUloX13qZI4ZF}c8q9AaJLsLu!OAFWhSHdXEEA*~*iL{s*4Z}c zr;#pmFMhyQyLKl-pEh^S84#{=n6R~ZgHYrNf>YUm^WgmOGCMp)vdk1M+Y(k z8^udMSuAN+oT9Q+trpMrdtewlP_w`m3RrC^K7wN=WRTdVWqZ0CP$?tsmV)M{FW zTD(OGM2Fer`Vm%}eUCVqswb@ZNwlm_ZRQPfh2(D^&Yvb}q5fHG+ZQDBSvb#4~d>?plb~+C)*$EX(58NDWk%y5cpi z#pe?N9ExMs`{_1=82H+*x|z(xvAQdPduNjiQq2cS+OahDLCH}>QL2RI@u@xB6%%Fh zbGNzQ-fl)Cqu$2t)kspPC%k>~?V|P1jI!~A#0ua2ndLl>1GXn6tFH`IZ_mQy>E&s* z^_FhT0b=s_N%hK$tY%1XJL+CJ3_ zvs-vg=TVk}y~BjgP>%0rY;Rf~(j8y(dbno^96wXs+aBKQaEp6P**3X617p3M8;2m} zm6UxxvA9iE2#*?ZC}?U`A04hZ@T3eCfNxZDgF8?3h6=?}DneB6M_3SckWD zTb%$Ns>0c0Raqx}!gnz>*jv15cB!^bTQy@%5%-V+7kLa8`3^;JHPrgzAKrR@|Fpc_ z=l|38*;9wr^G|)3ecl~#ro9rnKpCQ>2yC48tyqlVSW{kw)`&>w|zE5lIRpW8)P=_yfkRem>vhNMNvKud=-B3MOE~=ZDnAiveI{HAe z(u?U^Bm*5;%o>6&)v$$e*aUU!y7U;ogGtI(*F*C@fY#HfTfO7qXhlO?OwflOf^KW| z*6am=&S0`~+|?hlcZM7rm9ff4@}~B5o`5Z2`im%o27|{CJz6?z@#@uQ|uzZP$-ldoY{#Y&do57P`CCDZ46fb}fZcN4qa+dOdCREO2ZMgc}Bi z%_1)9fyEGF7bSW5es61Z`ggDGiC{K08* 
zi_bMRO9GM-k@zVsz`As7BFdmm;-uH}+IPwfIyw;60VIJUJ$e1jubWlwKSOMIwN0iJR<^^-R}qU)YG+ z2DUS>->g@k``874nk?y;^h_$05WAqS(20uT#@ePmZOvUzwQi%)sS6U@L)`@tc1PDk zhT137?ru8s1C(DvEZM4{YCX=rHm{mP8le2swde~rI3LPVBVnogtlq--uMj`-?yz3Q z4cDKaNC$iZf!B2cRGop$*L|y+9 zEKni*8sX^UDL%!K`bBE8EfEGQP#oZ>J#5`Q9X-Zv3^q` zW*Mo3J{qpv5MjfEgRHJmkr7{1C9s|1O^X5USqrsRKSoYsEW%oHe<-H0gj>lUFifG> zX*O$^e+}Z@==bGG_{k!hv#?;-5z)c@38^ZuZ+EwXJ1PGzcJWhpppPZ>T|~Rw$`vS! zBMSVIZ|E2~3w|Z~^7br$iYXCYNmFP(JskFe_@UV0@jG_&2XV!)PM>462~1(O>QvAH z^1{o<=vi7vA{t`AVlZJuqg6wzeRl5 zs{atDj?sj2umq1+2%mGy<9XUeIagcHWFML5@7b9+mRX=y!#D=nzPdo()@5)_7Qo8d zvUapdqCF)4%UYgUW4JFOEWu|z#(6udVi*Ij8~m+CKjW}H{N#aeY45x^owBnc6c0#T zcKUgrp>JaBVjyjXTgr$xqeykK25L!+bZ+(x=#2J*AF@enao0;>om5buR=jgqKob+c zAQ)aHoE3g9M|GNA{b2Z9viWBoV6Na?x;EX{rS2@f)$R7Fx*-c!xzlh!y2$VpxdYg9 zdDrwNx1m*u;mBqK?_^-Bk%#A0l)KUkgS5Kjaqg|jBpKyJgIf= z76m>7-VIC50&Xn9FQ*EVa;2XOE$p}w1ITmVsfUvkEvr9%jILO4KEODUmR0VOy(O&v?6J1d zOm(mh&K{-IN0kCam)B*Rzh!dz5kPHhlsxMDy#U8jd{B6{?2 zA=Vmm()VYPv~}6){9v<0_4IaO2*j;UO~$?B6ww!JYu0?_=oZsS=k-|WEhaGui6X!* zFD^J-TD#nA@Q!^S78~czaKk^BUXMVeDlzyyRvq1tS_7w;MK&CSeB&3lDyE>N!Ti46 zu5^-mbwo|!_P4Z%5?gd%f1sFr@SW=OMa)X9Q9fI%WkuXc+yx&QINBEw4yTgw-8=CAJJFi6HQ8K=F zOQREOsRO#9bv%fgi(B+5j4nsG8rnVq(KKcr6*GT1xWFa@yy-oi6{WLC$ zBjSqH!^a1{Y$An??oFjGitA67JD>afW*yDF)>&1*aCE(Zw3&U^ep}#3t#2Hjvi*s8 zIpVrz3KG{72*1Y%|A1(JS#VzPcn7TY9$$D8u#Q!ASOtGTjm*7-z46y__52!WWqJKen&Qh zKqJ4;=K|@^HJA0TG%Y@7D1A?s!c;1@yNP{6$CgY|aYOC#xNjKOY-9!g(NS{b)?z#D zCRw!iitu*VT8@YHxgSiTV!5!K$;w+n`_(ZjzcEU0xG2pWR5MJaIGNSq9Mpc0I#Yyp zxEl*~4kLcMlr%NNYEtK`xO}tUJvOUTPEF8`^`hXgt zKj`-#khh-xNs5@*n>8LQ+?Zs+sQr7=2|ynmc98J|5qR?OUznJck^ct*lg&``#57s& zx|%KEWRR?jp6LoubhiFrWn|E0&eXeD>+6{NL@$iSF}m|0QDa9@n{|*Y>!!nv$<~eM zH=g2NST_uO@GELHa||GBpXy!)POJFGEEnG$Y(AuWI_0ipmt~79;#9L6qLMVd1u^=$ zhag%uRE24zPnSL;ZB1qE(#0J%_zR;^^Ow|A?eod*DO7{ zt4Bl(Gc5ppC$77MhL`6Uj5 zxwSgVEVx?}SF4u4Nf16&zW2|f&B|>D`<;K6$vBXUhuYbN=l03A2Rcp$)UdLLdb16E z%;xKAh+xizaupYsJY<1pZ8}O4A`Z3sb}?37$^YIpv`S{4Z7jo5Z}I;PyiGZ`0?3%8b*Ch=;+M 
zU#0)CtN3LPble6@FI-#1`=9iKnNxr+b5J7$cKh!|{$*RHgn;!{dub;7_rCb`20Cv5 zFr6>y2;uJ)|7BRe>qmj=F#fkjyI^u$%Ldd^gl)ntimV}M9-`Xu&0pOUu+!8e*&{80XNA?1(VjmC>$RKW{evJAk(tp;xx%hu60#Eid`~U0eKqb=0s{eV< z2n&ajsoS8BMu7b!osGX3oERz^)(dc#zRc5yeWatLf8H@SPgjdwj@*GIycSdMS(7gV zqz=10O9EhbEf1-|$U9b%I=3Pnl}`Gd3a~QOuHn9E8F3A0?`)pb!t*^wf%QcEICFEXR6CM{S+=U#rYPQ0e%AuFad_@8W|x$gJr=NnlC0QT5Oq& z_!4x$pvyk~-8&N+wct3>Uav(AaMRW4loM-7Tg9pprRwuWw<^Zl7@Jf%DxqJyy;)L}Cy!7BE zu+H*GPoL1%G&FUdl60a#-n}r$*7tt1zYDPf(XGtN>eV(XilA0nw~Z8yM$>_wh&b{k z07kwzs5qRHBTDMZ)X0a!#eq5l1&o3k@cJ-!NIVJy-yww#Vq8%Y5X=T_hn4_blk0-^ zXWMqoN+hx0G(OMj8~5}%3&v7>;&JaE?)!i4?*32Ln^>*~Y9{;Ym)z}Jmhk@8+KPf9 ztG>8WsS>D@K%?j`R_M7EYpDkM(EZMCUb8cf8RKvumcc9iUp*QO--c~ z$f=mfNHc`nRAp?ZQc=XYtajFB&h10Ui?j52^ z$2xuYF##FhOl|AzBTb|HiigS92>U`Gv>0v>(!4B5v%tUclQ3qh1LGmFJK>tVBe`*d z#GxH0MKm2wu&Ng0|zEP*HF!PK$n_EC04-wc}Ik!k1R;2U;l-&f7;jH!* z4Es{~!}*ug-fd^qtR4n3auPY=FUSt)roi>4W2K>6cxm55-?H%V6(X z*=au%0VDI=HXmLrn1UogRj+74sOdgW|F})905lO{jU*dRPR{jFwuK5RHPcqf`a`1E z{BbO0h&or?Tu=x|@=X%h)%Oia;pD?0Cc>0LK|Z0#Mr?Cs6O&yP3@`rjG?DdBP3%gE zBMx~|6ZbymEEm$JEJSJ)_UJ%c8Aljns*=PMtvy>j3c$M}or6U~ew<;`mQYd66+fwU z>~ezhx}L8Qs-F&@`%#S_^5A}h3g?sWXOy^c`)Nhl3p5tMi;BW7J!m>Ow{CCzsoGVr z%v8kn!l%!s7hKs+xyqh1c4HSkaHat>UWKI2T}ucnF_mv#pj8vEP0dU>H!R_Xk<{vY z!=5GbL0TJn6exSEy8PN%bQQ(6zqtT&YVM`UE%REkTT@4BV-sjR33Ef7Dr|rf_VV`X z(`T!_doPcTu?s0yVS_?b^Ye6zoYDb2EyCl=KLs)EXcT0d6RGmd=Ti`eU|LxHq}?7o zeE30L_{~QhsMoD(`j&xS_Fxi=fyv|4ye3037wuEe+jyH|$B|i?l>rQm%W5KVvaS>D z7Ka-vK(dz}>d0Z?me6}lun04>6ig{FDAYQ$KAqJ0jTUde0vIPvAtDK=**f* z)H&zxEiE6;M?zglz`t)-1uZ;;=ZQ!YXy8Awr8ZO-UhI0&GFsRE_7=yr+mmgvxwm#H zh`0?(KgJ7O?ci&p8y5m~Gj@tHm{b6+PC6tVWS>}7Rs{PRkPCUTVmz%ThnRVqsah3{nE(im1iJ(@79$955l7rOM<8s zZ+{-v*7&M#%cXl*h;s6^lGNZVIF^k+;q1chm+mV4RRsNVUoQ7n8-B#xVM^x<^r{P# z$%_4SX{h_Hcs-di*7*|C`h6A8zNX71S^1iA)UE%!HhHOOtmbs+Mb{j*-I!aUPjVX1 z+8d{cE+jJ!Ds@z?SNC1@#q$wh8VYM~bp5U_Pm%^dQRkC?HZWD%e61f6?%{v>9*e0- z3)N;!%t($ftkE^+4%`Ku`Ul*Ltx2?WKt7V7`{apsAnV(nL-FFS-#gPUt70ECSl9Qq 
zq6cyy2UZ})7V?UW+GF{pJV1+{w4HyW=~-go*;|drOLEc}^mq|hpE3qZB>&;~Yj~u2 zCLfwGADvm@BksMoY(6_P`6zEe3r4}fZIF0(aIVaL7L6YACGgeG!*j*izCXUlFTrbH zn)kXsX?>3RORhFhM66$28^H;9{hH!>gHym}(JV!nbK z;_iRad-2Bnq45R{hmZN-y&jqSo=?{GjRC#Fb*;=H4;wUypl@a}T*?Oe!E;E4PAZ;I zaF_IOTz-~+gl2g8a@2R=P(N0CnOEK!kfDo%=?c26kXBdX^d~M7 zd%Wu5K{B6wDSPkpavHHY%n{Um%ln$IPn%N}LA*p8#Wk1TCoEhE~bL2?#clq{S# zMuSoh|Pi|4pvTqxlq^9qN$ zdVmowzn*1H>|U#V@j<+-cc4|qW;|7odk83e+FAEQeb-P5^q*bDKN@%+P)e`3#eDH1 zr%v&n!cVLvx(!FKw97Y!rCEFoRDndE)nlpW*H`JzbhD4e8T)&0{1Ab$`fn)zJ^iZ}y; z3StdCzX!qxb94z4FC}0RKG6mK=B?|CpQ(m-#`UHQN3>h%V;45PC&l>E$h*0X^!=WZ z0Z|k#NKW$FZm+U~4T~|Az7)Q8-ZxRQRha#G+Y%G`X6;&BoSF}S`RD# zX{y7zv3MrpL156Mh3b_k1>oA@L^~k+IuH(U;^2p|m$fnwTSaYS2^WI-d|w)R)K5r! zz-+ufZ0AK{_6B|H4J?NKm~&5t8}upbl)v6Y9ty{x8!&A7&fq7!!?pJ-ZGEdNj^2Ya zYj_h0HuF81USk$}Zi;(f`k9}AC;0vf4Q)2)Np2P$R`2m^hRHl{0~rM4$Uf#aahYMm zpab$l2I4wU=R~@}n~x&=h!(A6ewRf-yIOwsDf1fJ4fbA>J&qw!fLnjPoo+G!;t_HX4|{dP6_$UCy)q-%_awj> zW??({7VD-F>D(?4m8jS_EnD=iiW_f-S=w{W_?y2|-5TM0IM2Ld7IlvolX1o2=KmL(6_0LPRRj^|Y;>RM{ggMOb zy!uW*b_K;=o3~}V^`?DdBp|3%<23ISvb_8@;40jrpfp9~&vh2f zRua~&KEm*M#6@sK5}Sfvy_rj^cKVViE+9)kSh4*YX2_ZXcRZ=+S&1X2tBJi&ct2OG zOyYs{AXHRBoMz99V337VR-A9)6JA?=Q-g{FK2!aXzv;$w;SkCM+EVvZ_4m02m;p6E z(~oy=T`4cL&~n8qIt7JCS_qojk_H;qyh~2lW3AtA0Fp>kyWEclt&#?IBwK91zDB;L z;YEah<>J_}d{2yi=arVi>#ord*CXugwq-xddTnH;F2hkv+jx|;`7oyK`NH#C@vL5W zb!D<9L5+ZE?mx?eqpip1=EPrvMX{UWI_zfRVXs_?`Dunib0Fqma@`C|u@6&vVYb!BeIB$zz-5KvCg$wa5V;y0-E!uhRR5%TK5#>JM~ z)u6`C#LHOLM5?gqCObpy>`um|p)5jPS6e%(rF*`Hy09RB&)Pbtt)VKu60oe1rwhyA z{(~@>QMaCD(oF3m-u8<^^|E`?Vpnr6XIE5JAzS;D*u*|mt(E4(Ug8xq*+Zi0@MXmbwGTPHF-@uH)3ErRWjczqe>YK<`edDxw~u@ zz6OsiThWW&Wh{YV6sQnd^oOg*@!B) zi?D|DFxcW3w?SDbXX5i;>jdb;t2x&7J_$GL0Va18K{IpUz ziNe1246PM$qf%X)vLW!U&@3DF^+Kx@CVP=gsWX{fsO433OtV zf*3^gG~8G%+v}az-iH~{H>QB&y|wgEq@51C3Ww74DYA^>9d)J6v$R{c-VM`$kM%pL zb~(U>;`2-}bY9bFwT{Ju2|6j{aqh8}pvfEl=LcbIJl^C+*&T$@f|aY-outzv!l z!n5WZ@z_%iulD#ASa+BUHlN5${A8APz?Iqy%e`2Ptj)A?>uu!s=umraqUCbwQuWfl z!62>Syj&9qr^-+nUa=#tbDl@wNvkJLsbrk+ER<0GEyx-80Q&;ji 
zVFW0ooQG=G))hoV?qRRe$rxjOzhbBQ2jpt~X^cUEVa0>oaP0~`Q`kH~+lXyXzU@R@ zoF|`*OomorYxkv%N{gNx0mOEQF6YSf53`9cYzxs4x4wDl({?dv|notupt+Nz5E-Ck_WN#m@ci0MlMUgQJgJERmjF+1S0_9 zY~T47Fn7O+vzN6I+i$L8`hnTfQ+p=e=n}Y~(!zlA&o6BAZeNJ*e0A-x%tYTD>KsV4 z$p!IU`27aP2t)UkFv2RwNj8jKzc%NLv~w28d&qUjOiOsK>gT`vbN&|Gzj-ii0K=%J zHQDeF?qnxeq(&uZOkJKWE9$Q*OVP8RENV=4lG@0CFKFlU!aivW+g2{!y*x8|55hUb zCD)K7&0dq&Oxm1EBx4vx@U=C&?V1I+LSbCbt1?=ohVq3-e$VbCZP%txnHvz2jTy-oCYS)PE8SNgCoU_iV{_LuceR9c&<4-i*P!Gz{jTvR z&SQl|XES-&i*c6w^^j+?nkm$%=1JB^wR`-IF$OZr86+AJoi3tX#m&i={!uF|IlBiN zkugW&OPfqR&AY5(mZrw&r3ZN%9s|lM?4ZitMUoOqNa~ru7$=^lW z4G!!U?#gUmZ2w>@I3~eky^g;mW6QN@OtP7@&#gouIJA8%1uMfMEyWG$=8W@G3TqIO zWkVQwq5ywh&*V0cTr>d|@L8~lLI=FN!g@p_Yz=S3>uq2ca0Kfy!TGD}|#|b4ge5y>MMiLf1hG4``VN~ff!pZMFeiM14nWUF&gNBr^9y}R+Z|VUt zB`Anfaj<%5GvB%yBTAGc$(&haxDtCFXeNup5NhK4!2vI~xg$=naLxP_FJ#67ye zAIe+&JOEvE;dS`y_n*IRiHH=vu8O}mG}aJPYFBA+u)j8J-0}AF(gn7`B0P*@u3gUPsH;Byr0G$2c3!o{#Pn94Wh90&U z*j9Z!sJiIK8_=Nylj&@)+hM(HX++Ih65F==RBqMm&d^9Uy6_dWe+MyB8C60dmrRZv z&F(rngL9V5q9l10*qSYPw8EvMu`F!fD|j}sW#xQWBH~OE;1(q^r<-$b4G*ChVg2eu zxJwI{9P|>|%!U4J6_%dx$8X#F!~`Ar*m~Y164L9Az{}_&Qnb$;i1goTb~i48#$-P9 z>4STfF7CAD23yL@!dkUqQoD&?Px_OqsUj6A^T?2K7H+KLni!J;sin)D?SSaq_EV^5 zeHg>?DD#^WKA{MzhEn3FFz&eQq&7tr+q&O7C5Ra>zPTnlbR<{1^lc4E-$t+wLK#>X zW^6mRyPAAL+~Cs?dsw)%E|xNl7f1C+!2$eVvM+P`^KNOPnf~Zi)qp7Wc4ZxwSX&r! 
z9arYql{eNY$|s4NJAxjtxa7N9Br-9{TM#L~P_04lzTQ#$txH3(50M8P4%PWR=Juj# zw>XAK92_(@y9p5)b_Z?OB=y}-1Zf0SXl8CK&Z;6v;Xra>TB?YO1}SH}yhnfu@20?> zV`GD>3DM2tX`u)EK700=J%ggzH8B0iiN_~ahd)v5 zTf9os*p%$I`+ENhkk;2vk!BbS&+STS{YI@m_}TtOoLbvsosy!qArFeriAn;$o%TcG zx>kNE(UT+&saGGVmTACSlew@&q&%C15vhW9gz-JI3!*h@@V$>)xW5YcX}D&HTvReuGy*2>RR){gee zwc`M}+(O0P=23etnRK2Jzmq$3n%AXIW_`F;=mJlvZJliAPYuy@w{|=okWm$qf$yWbdZ>Uy}BJyy+Z2C%b{n@CahID?a*sl%t1NJ8nvS7 z22M|cIT&;Iri($V4Md*lEv0CBL~;56{Xs%M<+ z*U6F^jZ(R@()Roe{s%#{=Je?^UmHS7=NkvHLT;~{a0j=~e9iy0f4u`|cVq+IxO@+B z(9sT$VWE%*AvUhYyu2M2Y-N4tFSxvqp0trMdH788rMkkAiJQ2W8@-bX3XOkSIsbiM z0BOAm0Quuirs{_t>|*~3ys^)>6#XAmJf({LC7QxJvh{yH`5mfFaRm@@zpd_nOU<#| z03oK>3(Ee@kNEXWa-9qyVid9PzxCy=Ad-MDM%>R7pzow{Lc~l`Ek~c3x$#(h)4hHYQKyP7W*`D3FQoi?byfMcWv{1yw16L zp>#n-FL(EtuZ{Khot|)qgoNyysknOe-&4Y;ck1V^5zuKAk*vIW$F7{tGj-Lo#r=fb zs&1b{z?yvV1qz;-`BsuxR26|E8n&Jzf3iv9$O(pC_M2reBs1Xk;c8m>ZpLL=aJneFUG0u4jiKv$^ zU+Pmp4jTGd=naGWn$JFbh+^eXjy!TyNL)O>|B`mTzEE1@n~#wiaw=tmuDmB?eP4iR zTa6$-gg1(;KVILN-h5VBx!^|T{4fr8`%eC*?6LALvj{~AGo zn|Hcy22EQcdHbnENn6Or-&)(|sh>12v)}P_dCqHc$0P9DNaK}ko9m(7B*`l2A)NW+ z*!wEi9b%wQ&M&lPzpcm>6;d3be>!v9l&}Q#R<}#d(~V7!g~seLKCJ&S`jlhQr6YV~ zd1Doo*kfFrs!`f(Q6E_i-!Mc8^ZmR(*Yamt6Fn3gA*WC^%DEvgom%=CRMChwYfAOP+pcT#d7t_ zPfY*%`~cVk{)WX`S#5H*XL-m=U_(|H_&G2tD9`ZR(57ux_R46d4*y#}mqe1@5BoCe z#7jg^<~Ho*-~cV!Ar;Vtea0wLxN+)C!4tc!EY0_&HRPo<@6lRu{U2`4jXe9T?+p9$ zYID3277#dtRWv*c70-D~OFH+S?O^D;kE}|KS-iPPy9?=;POD3Jm*^@b*+BXK2Tw0@!YrXsCQKe$A=}?(lVp(YlkIV^l|b3 zx#xSD4Cd+4HovlW{M3c!RSTZJJnX`2U>rjKY+(J#rDw6gq6Fm2+a$sd8^y*xb&iDl zk_#^7<$c%;m3kIHuflKYmYETdkckS*xE3VC=0Hk$8YP9wBMZHLyNX+a5@}9v;&cvaLuC6X1 z<3++Hr&^OG-3H-kpx{+O-t6S^mGi;q);}|jPZ53!jpHi+rifcDzK|m>)m2cP0I@wG zc~hkDrZVr-H6UWnjQn3(oaRw0I@3jGR0{xs7%Fqzy>VoLd}hN!<5a}bJcFo)Ecbqy z;PyqxlsJr7NVFSNq$r(A_ECC@aZ%}jRz@t_<0Le+L9Ha@puEW7Se@b9Ubv?JvDt_Mx5~OC@uSQcP;pTL)1#krd}nAM!y~+(=IlyQKH_XyqNBa(zRIOP zrlaab&xGeTl~^m~ZnJkW3<`cHK}29gpb ztrHZ$xw6u+f?ihuroXY5&2z9XLFRpvBH(B6_M>EQ_-6g=_xL(!AzdsEi 
zh+qRenPNBZ*bx=5-5ezet=49m9;6C!Lp8~|{*p$BaW%c-XDTD7lY(_?a=b&EL{Sf9 zzlw}4{?EfdzdMdb*v(69XJ341hR>7yc`1LM-6k`^<;C^_0)`3kAeolxpS^fdVfI_y zL}RjV6lfoyRCcAnwRjaRUgQxn(Qcyr#8f}6Q8LB-UCWP}`A?8DLN`iEqEWDgvAG9& zaRxJ(mHu(9g^x`yS$uX4vh#TN=_2s>F299&z4YR%nNPxrmv3fRnU92G=r6PDo$BWw zJEihV71rMitbk@znWM=9LiTh$iG^(~VYR(Xp=(a`OwN!1&yAd|%5ma2)w!wu#XT68 zl0NbFh0RKno|c-MO>wOlnxeA}nbY*CuO7CuX!6pFsy5xCe(|y<)VE?XLewq*z5(Ryk%l@y z{&5Kg%&cvQS=nqsOe8U)KG{fL$*<)EYdA{cU@*3OZD2!dD zYb?d*@nki#WS`R|YTVTlO^IQ}PSzKav?sy^w9#DO648pOh|qTtE@Cy@!Fc{CR(`3) zO)P>MUUDZwnnto{EqH4N6>}X7$d6m>6+biaJwpQRBUs$Z;$StdYqfxU} z5ZAstjT>H%cU-bJM`)DKUT)Ap6W|bM{-rk1>BpUDtDa?M**(TKdD=&tkdb@AEk8|UMUP_PO z8T%7L+IM2!6&Zr41cM4dp*Slcp>AzJnF0}uoa0^dm%&RXzdOL7$XGqfe*&kX>`3#w0{QTawAnGD>@JoNu`pzNR!ypxF?u~*X$j5 z)qRnIymw}IAOE<#S-G#mJK~(jc*NxsNQh5+&s%a&r0GEPU^=TU!$SK3U~?Hih?&d% z_!6II+R>k=e_~_VzWTuz#XYybWzoDjU*dZz119w_1k2M-_=G=o`M8I8%Pj!1u;GUBNiDjUr_0y6p}FLe6H- z*jUb`4IWR3lx3S!{Cw$n_%hJvZ@FP@SC1F9e|)N;sQ2XQ6A05)+x{!p78IZ{mS)3! zGWa~6ML(AHXnEnSpmT-h%Cyx;7Y$YCT`5)T{iRiJR4dspR5Is~-HOa%k&P;NB?b|j#B@>@PF)caHCd1Ci)63G=F=Kv-U*!YOYJ_a*s&0Ulq6FHpber@6RVL0CRuy5kI;U$P3t%R_eaAJ;&WHxD}d*Qbh3% zO0`#?l2W1$u!f-WVY3_lboLRI+$C=xMaZ<$bZ)T3$vgIWv0+3RA zSYKqGRVx?cwU=}_i94OxinaimL5^CoLr%FzitMcLbB^8Lc+J0>>og(y16!DH+gH}4 ztNP&HdQ$t$a3F5U|7jthXD&( z(A9po@j2;Cq1tA>j_rhaN#CogvYS(}h1YF@*J{n19l@=2({|Hs~UhO^y=;hJ5lRf?ii2dY+U)~4FprE1iOQMG5SAc$0z(yBdbwnb|t zW@5#zy_F#LiWOUI&fh!rec$Vx59hkhhjY%iTuJ`px1Z;Jp69*`$Rl6nRV?+n+Gm-J zzXwv}coB5K@acLZN(f>)ATX{@dm9M zo>Xi6DrWUgC+y0ivpvAp=4`rmu-4)*vUDi#0LneEy}7VtgK@$o_BPxsBnGqH;(uZL-1SW^3nEHNTN~!hrE3LCDGKh&2{hftH6@dhe z$LUZR&w~-bz2D;8!I5S z)ch0@j;wuhUy=Pud5a{<^_WgivN1j0ex3#GAbqqJjO|0B5M1z$w)2ZQsD@-HyrQlD z)g-A-84hP7G6lrvAKLc4SQg*|@}~8-02^r=wRPxz9P#WeZO8ISj8PUz_dVaXn7nwn za)4S|02c16hTL;<4g;GQ(1LW#)~%a2<%9?O!BP$kAOCTD+UXdpa%u{ICI>7o#*`09 z9CcOn7-`z6R93mwjR(w60m<_8t_#ugN%S$7%XljYHTAV(KC^ji6H^&Z3$v?En7UPd z_m!lzKJ0RHjFI=vz2!;-)?&I@D}RAk98=ORd>)fqg#;nFZ|iT;ef|(JH_#FpG`9DM?u&v%8B6ne|`)G&If 
z0tFEfeitOvLpsmO*cx;hK{vIUKUCngb)g5F!_x!(?tQ!Sb@aFd@90C>YWl(fekOW{ zy1?+MAl(l3_qnc+6FRCCh325q%5R0X7s*iJp5-7~t^<%43hSnSOYKCm56+=}`#jI%}-+7It9*oiNY*hWAu)9#c~U{%m1 zB_&S2Z@rl83O_@9255DZpPGavcy-_1qCnX}R|C0*UOkbVeu$whM!LEk;$70m9|hC5 z;AxhlzkeUAe%iJ$<%*?tS0zPnF5eE7V7}2&Bf@0Sp{J6HxYKTaRK$xGJ{wpB+RfQn zMW(b36412^%v>GFf^#(nlJD_mG=a}o?oU9&@*zi#y6}#@C%38M$);enUqBdRY(+yX zNnVO$_jp%+k{dbPE|K|YrS0Za%zLGQqjxtrIVou3P5RA=kgqQI6)74;z5C$0jR?`2 zrF}IZq>4%DVHe7=oFheIFhGtoOvB!ZiOx(;@}iu=0Uw+r3+bS+9V?=u}a*1QoP+V&O}Upm+t z=92Uzgl6!mM%*)PD48$Om;VsyPT2<#KX8FZTu~Gl?#qR*$kB)@1~2p;kbUQXmV_f{ zUIE}2(_v;!ynIMFfUN3w_w<;x&SDLUCSJ(}%(;7wHZh~r9IHon#7I|NF{5MVOf0S~ z3gFq&K1$IsBFyFh$&a-)evdI(BZZRnc5#mwE&M7_X%r5iGY^5ZVp5cZw%kJ-AX%o- z|J~^e3=@Xy|2#_Z6hA@sKVM^@n^7_3l2})afv#N%Wn*Q-(ouw{^HG>fPWNi&X}hoJ z)5}^5rOt)?tHq`t`|eftUAUE%=u2;>G4^iRt6)!0!VTS?YXdSvn}f^{o*nE9x4}k8 z2@p>6z5)mN>Y(q`-8{tyOI>+~jNMXQabUlqjt+Q**ZPKnD5&9bLJp0aZ73uA!G?rk z!8--OZP-z(&Ck;T03dvK49x&QB>x_>UjLl(n7|v zGDyY)S4~;Qv0TcyYdN`))7l!Hoj@{I8X`b!F>R?d(3I4(6Q>9m)*;V@bzy&S5z5i_xgg*}TGuWzBU6&&OIv>Pxaw+#n=+U}2Viw+) zRkI)EzB;n)GuX3Q%K7|BYeFdXprTyEekZlgKS+Pm;Mu+YQ15u>_zs*_BMX3;R;pge zSE*ba@pRF3b^y2CiBK-$zo%)p)6C7;n>SHf*B~TD*4nq?U}pZL!0^*>iNE2&9-;G2 zvCxIh#Jc*jcp)3)Vi6{3(@xJ0-S!46$FZ|ge=$+O0xm_5pD!~h!Y}>+k3#wM?MkNg zs$*5p@q09D4%l=^zVxFMc9c!^w};Fx^x10nT5g#|B#_zs5Q9a0@U|QdutS<42HfB1 z+vb(jH8eni-EE0sfSyR7C!ND^=x3Y~BGpmx{Rc;_FC!f}lrWPHe3#9Lv;LCzfS5ya zmDz|CVHQtc+zMI3FQ8|DG&M#(b@k_&&^H<9cOAO+L}nxhyGWBo4s93zRPE#8>HKt* zbJ2sSzdJVJ;;~9}N_MsZ9k1bM8k2_#AD1{OS->6jhx)}YAFYEFdc$gjvS$Z{WHlma z;t%?-Qo)eiWBy*%@GgCMqAMx^W@ifdfZUC=6mP{>MZcfNg=)vi90#AAdOZ#w0iep;?JYPC@(`%&J-eDmO~cH_AjY2Zp&&K}QE&@Kt7K(W^2Au9 ztL`gi2t+E)Y{B;+>!Mv`<=UFkTy*&Dcc2Mt`^Nteq4NczWu&3~fW)rw%%2nE7i&u93=mb6^KHKVucsd4R+d~qgwAd{aZK!&C4Br+$3LHe0bOxMUG&yJ z18l!N!tN0ezso77F*yDE&#F|nIqBbhIB!#Psh{@GTO8jB6PuMyI z?y20^MtFYn>?qMa(PYLuRfuzxQ7^=Q|86i>M(JuV)NUI;-hJZzEVY1;r1ms!>X(N8 z8AE)d4U};gR$Tq17WL1oVcN%X?pi)i{yUOu2?Uts7FxRgyRZK5d+ZH4hOr#H%wAVB%C8QR=@s7!POYe^XRP4$*0s!Oz6mVYh?5%jb{9P?AJ5xhEE~G^k*-g 
zIRb&MGr3X3)WyC%4RhAfQjpD1c*#Lo9VE297=M-BYL!xCJ!AdEqJni&ytzfR!MhjK zBCnw2ln>ci`T9}W&_2n)XMk= z+dP^!;RkD_*<#B~Otc>xrbXI}k5)y#wOfADU0o5S9oT9FntRZ5g*|K8c$pXVSH?^s z^tjLrC@Bq(ylg~tg^A{?UlP3{5Cz<~zI4gvi0>t~K9fWQAQU`u6G|?>>yat0-8NnR zr;0&3Mcv$ySgw*()@<-aDJA)$h?lflO4jAlhS^AXL3v;|RxOCO=}vYe3rNg?YEXB? zVTtC?9njK&@i=c zhsh&>MN>EO-41_0os|mF3%cd@4zX3ZBgQ+kMw?}3d^FOFEHZt*5H^xC==59lK@O+! z(GD*ncXj_v0pqUJ!`oUV+9bbhm^R06fYC>MtgCxi20@;cR8m$x#u$D4dKu51vI(Z= zi>^G}74N@;YJL5XktByFG$v-5_qvEkr7UsE>_@xYWYAVm>qi%x%EW|gf41w7zz6IC z7gaaWN@RrE2AG&ddS>vQ8owufWC=7`l}&x+z5$ znZmle`E~Pc{p+k*LC-b0hc(LPReB%sraW2tG`qy@>>8qNuc@$Q-=vojlVOsm08lVQ z&Q^e^Cx)cP$18a43C`BEzCgCXlDn`rz*K|=OdoACb46K`ymm+Cj7ej5#RugC3L9hn zk~_-4CNq5BP+Qk>PrqQnFl}Mc)0VL4k|R;rFjP*`)ZWxHz)_p_z4+lSVeWcZm<<@= zFg7=E{vYiGj%tJl_i#8x%gG@fU#Ixu!9bGd=a{CI+pgR2LRygaN0ReVysPn?|Agl_Bi=wzwLNl>h14OAZtU?x*3WNK8(Y_ntD`$lv( zD*bvYsAWDI;KHi6?kwguje2O4Vu{OJs%t4+aID<)EX6A+DS@t7Rp>~@zi&Hl2NT#%aQV(rMY@0j1+Mois$2*>|mKKdrs=n zDr8I!wOmRg@h3et13 zvZAb3EU|h*$y!IQs`C@=Pg6}&{bMsYL7+~H2BeZK#hsi1KzY#BVZ~#<^i1uQfI&+?LE!7lqElsesq-mC&)tQyq(cYwIrcDF6(G0)5rW~E)0yA*J z@E+QiBP+>0V6YTC6P!4y2(EZ`NrGXJd;pmTuN7_zbmc%I1x?c+8xXFleb$$l!MA;rqqSyn_M2P6qP!~kuEG;lebQ_O8kvucx2>%FBXx|J zi!=JkSoF65t{(;+(sA;?Oe~pzE75A+?{?wo^csyGjO+Sy7o#dLYgn6|!^6 zn-{5Vqz21>FwftUlO||S=_qBed+wy&SYY!XkWkJS1gqAd?q+GcxLGSmv~d74>)Ss! z@L8>R$~u4yYaefDvNqYRG#7P+{oO9=GatPUV6uNtrndh(8Ie^zWq`Em{dCKZJ49Qf zfG4!B2}z2Gn5+rgFPESc_%c-LPeI>wBk^DhsC&@CM$?~pqg3@kh+>`F638ma+_ly9 z=Fzb@Qth;_)Skl$QS2?=7d|z*@82@?+?y~&ahWH(fVJa6l~z^(h}Puc%VMU0&OVQb zH~mvLfi&Cj5y>CY(aBn;2VdT#6V^kGzLZ4x2f9`GENrgu!T>R}*(s8OqO}ewK7QB0 zZZAsWuQgmR)jx*lb|Fni9d{ma?XC&6>VGjAnE{w01<8isTc57IjsZ%0=H_|c^&S0K z-@3zmQ9BDBEW~=?mdAG+6bZ_x<$d!m=i7-1-uaaL(*bnJhcKY>uA9L#fCa1~RB%7h z<#Voe_s2^yplO8RpmWFYup6H$F%(u@8K=5Nck=!-75RyyoBOHuyy^icFkpJ|O zyTj#rihjzd#67$>i#5tcHhFEY?P&agV1yeU1`0w? 
zt^p)TiOQ@`j)LLWPA?VQ)Po$=Kg>BO!LU3$Y|4%_Dhgg6kH?Jo?-W2=%&ZL44js-W z=77pbp!dHSxXsbSiH%pP))7%r#3tW;qHTn?i?sLgg@(nmqc1Y`V*B0VQ;XC@mU-Pz z&^WQi$`qXT1+so37fTn~d1KE=j00tL8M~{OOSs8$D0Le&`V^$gy4~ zp;JOgr>GUlVIMN0T_?^Xxa`K7S;Rc#jSGz1ZG=9Ww&avL7#|6xar9}4^uIC{JX4q{ z8GohD=hbE@Iivw8gHT&`SvD(@r(nQm&Ab9K@#-o7ld`jf9ND|la(E?Iuc3NjgiS?Q z#V%P^JL9c$Uk<85__m}$VXRuT6;;1vH5dUiC7q!~%w0%Gf%@f5(rLMVXy>GUhdCm@ z%(PPZda=Y#{sc8s%FT0R`)Z>zW$4Xa&5L^0ETaAQp`4seFN_4q^z>LYd!1dGF`0zE zqF&b_S4sB0>%KC3^v_dFM>f^0l0PTUSstaR#$urQ5Y6vfmYuFK;kA?Ea{dz3z!DFM7eW}!SW*E?aUnag zL@xCfIYW|=9BGy0={F0pJ~yOi-F@d6FY93;2WJ#NIIH>j6lBUCI~;#H&55djZ%}}q z9QsXYPA1@TKdX>IzVe_$sp|^+C42T!X&uc*H8Jt!&KxgOA~?fW#4ff^hijY8Dk??m zG`mjQ22-)W>rN2^l(bfc=>iho&3U2qpnPQE5G5BX>JG<$S_i~i-Njex7pyfciK*`i}+<^;68Uwjk< z{Nxl#iZ}BGiyx$$UHIQSa%P{2NZjkamQtiuD>e8CQ!#H-!nolPabxEWQEh6>lZn-C zL`5E{X<@em0#*@nf$vb0w?vF9_XGVlAOWlWbzn{8@HR$KuI6QbUj@8DNO=6u(w^f1 z!t418rhzKG6LAv}rFAXMt+sQ+1^T!WtEJ0;d6fE_BcB}R-BXK!jB(W|KR9tAaVosBtzp2m9y_xD5lvX%2b>{zrhsda7zE&n|c&bS;W zWw&o7p<2Y3K1BlPOBz44Yb|ttVu<%?u_XXrfJsC>$f@a>cnEQQLp-9|Wry=)9wrrE zP%~0q@nVKLXiQZfn`c|rcUE#QL#kqPuB4OOZpm?eKW1+jzAP-sGvG?v&UM=svsL{A z0J?Crvr$RS>ZcO7@VNF9V1T92G4k*gSGRD(*pw*!F$cT_zWA4m@z)eS}dARm97 zZNsw4Z4W4+C%0X46N$3RnfvMw9rzK|&2!!0MmgTw#^zvzi_>5xJNu`1?JeO(?((9g zewg;ucipr>wg!(_=GmEI+P~f$_Rj(WBTITX3{-4+j@EGQwTyF~nTbiMN+mbzh7h)X z+BR9kZp^oQo z)S>X0G>~h;+4}cqe^NF+h;*dftr1+I02>j8^orAcMx2%nkROBqOw|KHdJXR(7w_-u zT{b9swwlqp-tEN9Dvb197V(W1W5WGIm*P*KhVB?9dTRgV*EG&Q`dOw0pz}j!i&&i4 z6_3%f-!D#i1VAJDk?|2H=Gvco8*qB$1FM*4p>5#r0YCA{@+mOC=l}uY6Yu)>;1*^B zJ<#ImEd1xA{(dO%Nlz2lHy@RV{-VwP*TpeYV!&N?N;dO`fH}x))f`w(qD?a5$K^3N2V;wp zeV`;L9H?s25ZeEGJUaNNRXW61@UNx!RFu_}?LVTbh5nvzfX^X*89(4brH5M8?ian5uo1`& zP?PD`{lOoZ_}I95KIn-vV(9jXWA%*S6V_W1zTAfSb>v{mlE}XhqxioOqoDJQg^xPz z%KeYEExgw8V5iyZr^_Bqa;QWC`Hon9JXGSKFv6@u(rv49<_}&_W?2~y<(M!0VeagT z%V!)ow*H>$zA^>J&gBMt*z-E#ha9KFy<9Pb6q{)uYypaJij@@$ibe zpf3h8fBb!!%E;3Mc78f^QYQYDjYEd=AJEUuM~uyz01G(uECBte%^PE%YmKGH+b)j6 
zXCmm?)m$6aqAPa?nSdgJ8-UJx(DTmw;CAWoPBvL;YU-B&5A=p`L~icgBWJ+Z93%mN zKWY}1aKr5!Z<~LCBLKV@Dx*MJb!LPctR?{q zUN+7e%5Qr1Z3m-EKMo$+7m50R|RZM zUGbGx7DlU=epAdt&KI|s% z^Foyl8pM|FZL?|Gr4h(1(#0RF>GjXfO6fTRtg7tJ-0Hzr-Gbr!UIYo}O>0hW?nt02 z+Jp~OuzE-me_T`F{DVG;1Mn7A$1?Sj^=Ds#N@;+4i2LmH!&_0d_7bh@we)cMJc(#Zuk$u!LC}KbO1E<+25m&TfHEq?X|eW za8OiM+QTdmk3wtDN?T1G@qwpe*rAs`fY&>J96<>Vx7)ZKhKFms>yzmqX=rRbqnkeb z9$#8!E%Q9P;dx>dS01B;-uCm%UIYw;ZP^%oP;x4?k2|n%zJ`pF^sCUL)(*a(-p++( zuXL7OB>qVo<}1TN1%M>QFXuGmw}3RC-LpJH1;T8`z;um6b(MRp5BGc!fqRosIp{Cn zQ)?h92U4gF9M`Amjhb-D9pSS2woBSad!taNK2du2cx?)$eF~5646;(Na+rHgy^R6@ z)qxte3beC{4L)mccw9FMaoa1JeE!I|{FEnQP~QTpAC>42mh34jNfw8Io*HIoy&gY2 zCy{lZ`}T(anBEkJx92x3+}=CcaQFbLoA$;3jW%H6lE?$F1yMHQhmHGyTp5$T{%0fY zA_bz^``iDtGi1J90-9$zxvFb6QX8?fF6RmIZTN_8tIRg1AM?=KW3xp4c#FKBGnJ1= z^}i4punJ&)3Bg~m#j%K57pA7CH_M)88I%6G&Zk0<#wp@12Y%T6pg0g(wpEWPw9C1H zP~alT(RDS>)1LFUDjEhLv8>FMJD^@87tKhw4pkSBTaGxK9NGjbE9NbuJ2P0Joo7+~ znb}CkCe7rXI8uvKufV>-P-J*wLIc%W$_r`BJjxc!yWWP}{FK;nhZZj}vWj;7k3nmo z{S(=W3Oh!&T(r?K2}8w8@8}4__e`=E3~fzMhm@NYLWioS;GnEF_I)6w>qE&^B%X{! 
z820{OsFwwClF&kQe7ycxDPC{34?w*zLc^s)gJMj<9Soiv*2GDNuAaStqR96_vT84s<&E#xcV23vEAmyS$Pyg48(^(RT?wam6i7+h# zx!KRM44ym*p^#rI+Ov<;R?$5cznKid3PM-TWh6LDA~@87ZwVx zmR|1w7!#o)S>?Nsc7p-i9@R994wl1diMa%lSFi5D7vNeybg3-0yph=z(OCsYgZF)Y z!?VT#Jj?zV&$^{ocCk!RuCN6mM1iw?5z^WlX8)Q>-<%dk#|Yr67&IpOv~bqXf_D$J zbK2d;lRhk1$QoKJg=1TR{0ft?YQ{n_~SLK`$)!{q4Yc2*-KzpM{qq6c}hPhot28qX$ z_h%h0^l+(0n`JxUHrmbhJZWJ4u0I!(Y!+;9bY1`EK?s4{B z9#(qH5bc}$qpc4bWoBbPGOyr|h0C_+-zPlN`0`-(fmGOG{0($DuCZViQ8s>uR8HF-fdPYy5q% za-FX1Zg=T5j4RJ)G3ka!$K}+FdvO43bfezInH(nm4THI;%e?RME>%dM(){pr?7*a& z1wA8)>X2G)>GMeT2Y42|7rU^0j&WNl7aq;peZ!YS7SH5NCUA z$jLzHb36F=RDLtr|9(9lHo&9N=uY^ic)Wgq>fp{))7)d){7yQu|CzZBgn#v{!(W== zY|cFIPo4bzl20TA2J>VyLfqqDPg^}DUtM2)rBCaEimd$n4?H&&q5#eU-3tCJ#fBGv zCm@qjL`FSfI&2Z=o!<4!i~?eKfZM@o)!y?GHan{@7njsMHR(w7uW2WfB5<~oyjTE@ z9pd_DpB^{<8x1SbqKkv5$ou25>AXaK$MwrbprbkcQs6Sr)(N{#=Gk%Q-Dy1hy^9Ko zVRzdOUoiB4r35lGNKV|^?zrq4kLEDA^!t||=&pp;K)abf)L;0!ch9&`6Z`1T-f|E` z{g!ponMZzOo6obs$FJm%m& z5^n#TCBIFYl$_&&{Y`M-!mlIpM<=J81zfHF3m)7=V|tm0=yxuF6C2Y1X6t2M>Q~CZ zFT!MCK|xBKoSacLU&5u`+KCo9g@rCT5cv1+j=d0@ zobRSEJWcYb=`9JoRe(a#cejoM-QA5jo?trOa1F}l-OU9q)R32-#NH4E|6VZSWi4f2jP&8Y za(8!WQ-9ajscOZKjib&p3LYLM4u*xg=@8_UYVj_~n7lBYxp?pyjCOj}g!cIIbg@^`J>D|6%}C{9f-%b03P; zp9a{eBNi8J^OovGhFpS&gy+qVO5D3W$jfu@b8+Z&YeXDS(Xr59rt=rvFNnx#Zw}io zzM}YHX6SWdLlYXT=5l?kKaa*>I>i-Hw6Y9;N8@s}@=|!7 zS4sI%b-*Fm_Ozsqi%Vf^;@-z8Ybp!;2Y|~LV1Vzh{2+PkIj*8cIm?#vBUH*w6B68O z)Z;`KC_JnNxp+4Ulpd79S?1=Ph5(lG&~yX87G`k2VGMms{`>QyGv9BTje4I_eq8Ug zGx&gP!rLGKI z{KFHA2@7b_9sZ@26al3=i!k>{M5Zr%(3tY)n9#Zi8T zcz_zajyzcI!b;+3pZvpzjqf|8!0~Sa{5|4#vncFjot$*=N>@3ohD)15^zOL>oDV~8 z%F*z%7W?9Bsj3vu1I>q#JXaUOsSwi7!os5xxsG!gjB|2xpHsVl00?7iuypNw&-0M>x?4fxV^0R%Gj9X<2FM0Zddc@G~l-hvhaGO#adh4ocItT5Nmak!-&QUnEZMo(ju<-JxpH6u+PVukJRiQtC z==7(VnVCV~x)I5}*1LvADLgl8Mc(MNSUbo%=s7OlTiX!mh%4E2!VRTt);WkY8BbXZqC@pIfv2OBv#g-1q( z6g4=hggy`0Dvh*$-NHzgEks;Dl)%lD-NW+wk^hdyQ(egbq|JTsxjV!HrC zwF2gfrTKG3JPgl_-=j1G=R4ggZ7pJ#dls`>)xU)wE9suUt!|NiufK3W 
zq!PY2oWtR%K_#-08wI}F{Q{6T2a~jlFhcM6YFeD-4RmyhJUvbvmBM33+G{Pd2ij%A|*avl1 zB^=lfVUA~~aJZ%#a(QgSYg1f&(#j8W`%w*Ol6X4Qh4tilBC|;Gkelc`g_Wh}!1?Lk zR0>;5BDIM2CS3TbWtT&=_nwz?G$3*;E_~&fKwEL{&Drz@&9tGdg+09b_|Y!mgLz;& zVoMv~A<@*@ov|*Pt%0I?0Z|*(!iLZ6%+VQ&kSn};E^jH3$Lx*5YL!6PqWLv>!yvBo z#R`F0JQWUq0+gte$Afdf)YuQ_DtmvCJTFwT*O~I6?<>a8bVlOVj|$&Y(+1rK8}E}? zlUp!3rxphXJ!kf9gk+^-5Dn#k9chWvsXT4^}1uP@1l(09q&$Zzr%a8R%&kcbJv4#QsmGWM&SRC#LaErvdiDgcJq zusxr3{hh`DzR>ROvraAH*zE9jJj$yCAu>W6V`L6F&0FE|ZfK|W8g{%q2DIzZ)Z7f5 zm1WJR_Fbw&j1K29PCpYwom%g$Pw%0IP5kUX?jJm5%H`tXDsuH&qq$bFIqHEK)-W=1 z*s64%Z0ojrtLH-yNDj}zA_soRz|n^b1WzgO>NmT%f)2x%uc4bx!#ei4l4ph1<1CU< zm@hj~T3Y!obNo9$(3RbCYtSRlZeFo3a^c{(&&}Xif=ki^jYSI0IFAFDrAj|qA-5z+ z<}Xa#)3IKZ8}l!iTsJ>x=z_TB(osnSw=QSF*>A!Av!TP15UzbW2-%A}3?gpX@9)*dm1k6E-^gAsxAK*5nVYZiQ|#>(($LhrANwUz^gOH$OK5(dkyZZ@QP<=chEV&-#j<8j7_W#iWs8*-qR` zmI&5Qb7j7x@JBFxK>1nlVlx+_P+GYVTq-qmnbzJ2#S6%EOtN^YY!x-E?^4DaJdMYg z(>>_kQT3zTNfdxYAMD@;*OMDB0GpU@N`~&JO+^Q}r_EX3%4aIkS3N(xT>T88tHH$Yb$R&SJGWYrUQ65_9 zzJ_K}Nn6zvzu3DrS;gfhE9y|eduD=;e064_;?%;%rPy+h-OpaTKa*G!+Bs+KI7CFS z=XIBLr|R`%;19Du8aL@%7&9^cY;8)SS`=J6-hyP$TJlYKI9p(={E||7E@c}QXwP)S z-?SM4@fBEHyDkPrDD%e7CKa6YSAjm7ox4Ew)~07fLArF01IeDK+(EfcDc7s{XF0~r zTPd=VTb(`+ZC03mSK%&aG$188Qx_}~vr{`#ad5izTvbH|#l&=J$&-^F%PbF7A5n^S zBG{64WTb87JZzSNYCrhUrivDr?p|kYvB=u?N`1?jamr{n{D^6~-0ge{FuC{>mXl|1 z-CG%evY?@!=N0WAj)miWk{mm`e3MCYD{JfUIDzz?EPmy;3J^%Zkw=kkngr*&kJLU? 
zCj+8^Phq)RMDM%yrt<%=d5x(^?AW)z1$(Q+-hE=;o?wsLcm768N7p#$%G8=UIp_9c zz4g5cU`&X&)17ooUp(_AGPbSYHPG^v@$}3rEOL#d{j?KJnKI4^bV!^`_7S(Tni`7h zFg-18Gc1wc<4a^rloA*mgWrky^r`#Xd4?0-5i1phOxWcph4r7sO#7r`fJf*$e*b&x; zbQ`ExkZCVA$Vn4g=!vS3FGh{(92Md$3xQkP&@-tXBK?|4)2+ z2rx_1 zg8gM_1ya0!9r`0MzMJ*eAO85?y_>)kH#a=T3zYW#Ig9@O1X}?R$Mcn(|E)VpB|!3u znP{l^m8n8wZSz zhRe)mTI1FLMfjjo2j?g#%$g%P*EV|8uta0UuO=T}gUtczZsEJTo+aaNnMf}F__9uWN&45|i8N{t1@xk@gjBiQ#vPxhEMMXt^i}tIcxCCc_ zTBpbCW2T*xQ@+>ETFaDl`0) zQp#A@ZBjNjH#Z{ZCcTmn8F?AX0ESD~E&`%kac;AS8FIpVAR{HBM@@Q|4rBNRx?OwC zc3CFgq{7noRd=f5l2s+Pz5NN~qbI&rb?~q~Q5-+_Ey*)8!A(!Cqo_(O*<*&mWAcN@ z{(z^0=aDBfpaK+z$D&&N=?!lK;!3MAimA*8N!B(tBC_r8rBJyeB(KqzjF=MLh zG36Z{mtLtNMP8t+O7vQ563*Rfy!o*)nn&N3ull0*tQ`FNuysd8!!_v8g^P#%4N~k5 z=*{TD!ovQ~g_YYs_@>ay-Ux}K{dIy^#o;Cb>%38lK^Qss*`}qXt<9-H2TvWa0HSNy zXX*hIxS5$|S{;L~ES}{Ett{;UH?#+D|2N{wO5j4b*!(T`u?oVzbG0<3?>t&HUbszf z{;owLD);l}YB3|P)gOKLazosG4*jsp;o3B;BW2*^_sse?MEDLv(1|=V6;Q7ZH8u`$ z`T6+;FO>W3`d(o6<=<{o4#yx`!xyeOMBLL=T+8_C?a;=QY#&oH89u!~AW6K8?;Yk( z`_2)F`us(|Vt-3}KxdQ(#BRSmvZuG0GwkU3$!qeR8`I^V-HaO9LIL*oC2u(FJ)fA; z``7+cb+Z!%Ny3dex{25g-fD^Fp`nxkLGVRis--Bu&t3Hzlv52@GIVYe5;pRCBgTarKQ9~%~S9ncjkq0FBX1?D>1`Xe86eb!vy&5&H#dw2%= z*g~)g0EJe9$2g=`&qCm*2!g&k1_rht=Y*`fedAA!@Rlv|ivla!E_XFb$1soh0cElG zj6iZ&7QFOMZk$wykb4IDoNN1ot%1J^rE~&hD;p_|%0|e-!A*yxr)|{Sc^L&5EtKo7 z=OOdFpe3n~jcP~rCT+#?I3nQ_ds$^1Ta)CyT0`9Wzqfj7ebz-{8A^hgnOPi*o@q`3 zA-`uV^3-aGB;mQ}Qt{-=x$ZRKMr|!EGe6J4bu~yKk6vM;lps~QoX@d~HTn(4pSY|B zIa?a#HQcf`(BY#^$7^uA;i~g{%3IdCPjEF9QH42&Z@1<hRLo&aJ>t}n%QhlCn734+U3^(0PQ<~m)7qu_BHn5?TyM6> zD)bo^ABC`TXF)YBosfoFI3>iZ&KH!}Av z*&5ZP*mS@WEEMl-!LIC`)tIq`Y`mG=6uO|=`J~6AK;z}6t8TcJ7+zJl))(a^sa)aW zwant>+`!R75o6Z8I?Wkw@%ZsVMg4BzmhOX!lSl0F$#8d`+*6*qrs}htIvVzUuIJmH z4G$-0*ytevg``g*^i%Z7sZlIk^(rmJkDwuT7iF2Pvx40$ji36xuI^qOC;;fUMkCwe zMX=-b)y*3*^wt-onOO|9warOgU^ttxr`Y|T58yQPJrLea^{GFvb zoRISKbDa$a4iKegr26Oi5Zc97FJpG>c@2Y?AvLr|$l+L%auzH+p~L zu({a_vDF-vwKrrBZP>jW0(*b8XHJd&$lVI^jr+E0G)`4biju6t>MaqUAaPCB6Qu&l zeHV9!T$kKDeRlfI^0Xd}S<)-5?|Ru< 
zO+2%G*0k$wI17day8AsNBac{^2iM-UYmo93H{Ub%mG|lwSDWs2v_1x+4%xJFl9j`E zr4UO}YFLYVCM_i1cb-uZR~rS?k!^5yy=FfLOaWpi$b<{vK2b`(lBsaR%>fR-?JpEx zEms`wTJ3MI%KD`POa0nX5(q@YuHsmBHqRSSrNw*CE^GjTNPAmqQggS;j$$e$U!ZJ8 zyfOCRSgoj02toJy#}W*NE-;J_T=DZd-|}oY3f>;xd%AQ=+`K|s6>5a#l>d|jy;wfX zJH6AihIaO@^+U%D4_?=>cuRFnx0`08WmZ?DPCwEcut$v>NfKwk4ncDzYA00$VB43^ z?0wr=?~pbM3JS9IRe_{g<>GH%+X=+)e5>`*$$oxaO=>3g-~+U5Ngqr(@Z4uk7s4bq2s-j*v*I=aS&0Woj~qYuD_ zjir6-+I2y75YGE>V(=$XQeTd&G9LX+?t>28z$$>nW@q&1aLesb7VrHHCJUl`juJzB zW|zc?RPKBLy^$le4?AB9q{^I1#HvFc&rfiUr1BoL`OWe$@$KQtw`}*kSBHO~8VPvu z#n6J&*LH)?4)wLneM@{n_i%v6XnTTot+N(dfZ8Bnxl&8gM5pqCnww+GHsvv{jd|&~ zQFM!VYFk|{pLn}SD>x}`64CYEEBUGIh%}@uwH`B2gxR#oRo5Xp>>s+UuYGaGe1nV> zLi<~q^4*8Tpzq4ii(w}ZT~;abaFsEhZTFhm@@x2vH1xX5l9WUD{?L#?d|Gw2O2K!( zQ(bpdWghE{_ZoVZQX@n>I=T!YV)QA>jG;Y8k;P)5LvOFNnrogFZ6BOY1T0Ob?$1fD zc=;|NchR5GLPg)co$?gw%#bxx^~}!8YvLXYckpyW#$q_J(3S({b$YSZ#3K*1T)VW> zHfSknWQdbq`X_tkzCx+N*7JCkdlWwV3*jnpZWaZgjmeK(;x9F1^Rov=*_J@IiLI7SgJZ78zyQ@8Jied`G_2jx6(Se~UV$ zpCWg3b4pvB<+}-UO_}Wg|50XTb@Ro-@LW&t`De-bl9!4azOsXu``OSel&ndBvBb;u z89DO9Oz_OC>WEe-x>}m2XY`%}bJq~m)-Gl?6a?A?JDX*`7a>MwfCaHB!%x#sj{#?< zSq=l;es7P)^r$)Ef}m7+dTlxMp^uYnX~M=jos|ehK;)-&wS*~(kR&lS-S$sOwscqS zO}va@a91Op`G2tYmH|<&Pxvq(DH4JT(hAZgT}y~choE#S-Cav9h!_Y+cSv`4 zD@vDiF1_>uOXvHbqMUPnZ+v;b{m-ZMu+Khs%sq3@%r)0s7y6b>?gi-Qpbs{74+*w3BTu-SOq+QbCwz0S&~hAC z5N?(nt;?-8Rt63VU|?P0=Cv-go4*>B5OqNNQh(jX!Pui!>>ZRYZC^ zZ8ZO@mpge;k6Q{6h-T7tjQCwG)a`KSqPYlt~cQ@EIudEgRTcF~{`{B_S8}+RR z!B#^{OYAxDbXpgQsJ(8h5)E6pEBf4O_^jDYQ9UZ;_!x236C5o|?Vi|Q@y!^&nre%l zhJk@z>{~bkxGh(qoO<)91VUO5?Sf0Ws?h@Jr6Qd19B8?|bZh7a+sisVg3|H=uJThV zZtfi@2KQ1%lbDZ}d(PDfil8Km%(V1?Y|=0vYfo2h8>pA3Xi{iLR*E&EaJIuwB{r$4 zSD+SJzfbMo_<{JXX)lC0Y6>4p6RHE|rh30pC-um)iwOH=%;Wbb$PyMiDxce4>HiKn zHeZAsB%PFGfJ+b`f$kR_ORU}SN^4pFz`f$E&&mlSBP=jVDO8*Jc~h)^Z5HG! 
zksjve45`vJl;Zl&GV*a@_g&L7wC<-{AToRo36)Z_@-!J^3AS*n=&l~)3qd1L1te#- zzID_wG{B$A={p!j6BYAJ{Ug!pd zlFhv<^7&WZUh4wyJCMuzcT3Y>k{WdrI0Bq(Xha;(A>8nM@)d@#t4j3uw4cTU$LQI9 zNXt16e4Va+_QU{_a5n2=v4#5KCJEUgCNsne$tLy`$>o zeIJ79{0&5t+6WMfQ=hx6*|xQHM`UL+o`Zxp8@z%ebzS9*x}#Xlhw~ysLLS&Iw0ufI@I3})M(I%XQJG%e`_nFZ$RAo6jL5)e}*3;jeMKXhS| z@UX=PZL6wAZM#7gZBe;2hXZ}}6^kDgDmo@?+w9KP5|9@5R;;3x1_+zS75i9p&%ilr zIq(QpLSA>c2g}~JH6KW>e(P}!&UG_W9EPD7ao)J@anDp;-LZd1{itG4I+2OxJjN(W z8_O-n7x28?6wl^Xbw7<;)jg5!kUoV)goR1U$b7IEt9{a~;gH@L3l2NkfIvG0nN-@f zohNAbCp;o?P=KD?>mlLM4Bx(eJJaz})phinpEu~>>=C9LBW2fE#xOeA_>#!eFEZ%e447Ry|~bkaNvZ_`k?Fsv^J&(C)3qvODj? zFeoE-b{zT+&$-A!UJ2(@Q|I;e>t~-i6)NfuggyHF$|a`57(xM<2QW5%pf7vcPXC;Ysl6T0!0qzIlL?hnQq}H{Dh?K2`iRd;ZD5Kp<9m{sBF~__cVQIg^ zRPHTx5A6tp7yy4r)VKvGvVVPE<{~YYP zi(_@pf=`KbyhmABw?8rH23zZQJ?Ansh*}y>9vE7TKIon|O;YFwg8S=3$4`8HV|c7b zXS*o+PSFh8wg-qf76#fFw#!<^7bH5y4By;c95)r%sw+-WK6B82vzE0QG3w0Q0f#PQ zx>*XE*BEG(_dEjQrf+WGt~{pww@plu^Tuy70e_p@@%-@qdRlpY_uc?$CrfJdlSfYQ zsX4Y7JCnZPt+|$C#64c&H@?^DLa#Kx|xG;~ID zj(1~MT0=c!FWS7k#YGba8o`_x;!^OL>;s)qo(R?+G!wdmkWbN`y1=?41?CsXwYP@` z)r*frBi&m%_cNB^=7I~7{RlXuVmwVqM7`cQ-`b^ce_KN?qfvnK^+9V$LXz&&p6Yv3 zpVuxjr?xD;Lqk?)RL?1QC>+8MDyDQsSNFwweZ;%CkQ?8(uOuftalNwTFP|pu8@zmI zudaoOQimolxO>ZWwk=~p7pO{90G;NhrlpN}Pf?y9Byq(|Q32rq{jAO?VQqQ78NRAn zAm5R$8PPf$8`%oX)8G_{la8h(M&{-+dwn}U?bjV~TUjNYe^a2%W<_7r(1-~as?HY= zu3Urc}cP*~fce^$e#b>PFV>yyDpqHGFbW&8s z@WaJq$KL9x0=vy?YrjR{QUxi*;^M84l(WnWlV2M56)e0NPw{fLxmZW}5o*ND)i74d zGjF766ZgTn&4gVMN9g&K91y=i&PY3SYg~@=8p~l*Ywzp~){LBB#$aMh%`TR%x0@WC zjptSDIqa@zV9+)SsRN)$P1(eKwHdt5(xJN|u zmo>COl}Jfv_lze-Lhe;GVO=p^G(Z(X<6|#B!nLz)1j64z;wQFbYQWZ{wQ%v?qg*{?%NdbK>oN zkt!-}`6Jg4rLlhE(p`siG2Th(${92r>iwaHZT3w>ctw5(7aR<)@iX)DKgHMVy**p& z?CIbJJSFLE@ z6?6*F#?LOvQRcB4d$}sl|J+&3Ga=7>aK+iMdrjTR>-3FWi1jueSth%PLd}y^M-bNT zSUG%TAyL;!_SvVp7TdY+W5+kX7j<;9kY?wT3p(HZAOO~|wf!WU@Z9QLGHpMpqc}&R z;!q!Cy+Kw};8+$j(;0nt`MYIECgqhI732cy5D><^`#rTW0R&#a;tWvh2ZB=ARVUjr zhA&-R2MTsK@Y35Vy0`1d3qWbcfers~Ptm+C+|#BTctc508Qu0$aY#ng?bqCO_Hq$R 
zv-j_&uVBMspFI9iXI%UfD#@HARvgWlAtmor{`|#@W1?4M#f~*tHV@kR5JAPt^d>ge z>(w7Qyr#(d8l;yH>Jpt{`<-!CD1J2t>qj3sj$5hM5Fqe=bkeL9zugdcO(@^Z;zzR` z!(C;7Jz&s{ql6=^w)VN5y}dz&`p&EFHR`o*W{pM3$24ycyjFMW zaB;#ez>}AE*tf3%Nteu2GVZ)C%Wf|@Y1i=)sFOSI{Vq)sJBK}1wR$*T+tdJp#a3P8 zmSbGgmMAjL7lqfG`(9LYu?Ksj_X1ahd(|YzQL`_{!3w@wBsa7wr-@00`UOgjnG26e4t|J6?okaqf39ZIu~NT>xyBP3RUSKKL&DV`W`*J~wawFy_@-Hb zzQ&c5j$Ey0UlkDyj#ZkK~Ua;}%>e`dL%dM#?~SOMO!8T`cXMfmyybyZEaqux}JDpC^CwB9i4D{cTj z7Nkjn_+Xxa;tyJ{Z%Kvw)O$_oT8|ruUULN#6Ai)e?u|P zoJs+_uw3gq7W*s|SKW%k{w6NBsrFb&(V$j|P6PQP3tx9oKflZBz*JDRTU|nmA$Gtk zP4n3G-6fWmi%`rZ5@_bu(jmf~&peIwx8-{aMqW=*HNUgd%YX7isox@~n%X#8KaaL6 z?%`m!zP3F%k z1m^2Fm1ww|jtA-s%apt0qZwblG+udJe~eFj8wH@l#C1*F7y%NXroNH_G%A!8&e|E`6rPu=R51;!ghE<3YuE%-Bh*kN!e}~b zFa!u!(@{2zjPoS@?=nbivLU_6zzje^UY{glR7`7PC9fw9OciTxoK76d5evM*NvFr> zOFr(r#)SqW@b%W4GNpWN$BxA(*AO5skSbBgER9^^566TqL`2-+)*4`fzd02ZT3U*+6ep*`R>CNGPyr0Q&i6d z2pRapzN=q(Fb`-$10FE~TgzKu{j=e_niP zo&L{K|COtspZp&$GU$K3v$VDr2B74mY?7{KgdI>}n2Y+#4LCVO; zs5#&7{ncjjxq^rAu zd!dN*!mv!d3(Cp{_f8N~)##_R@^SP)fwYpc@|;L2L=;5F9Ug@0dFv{OU6LJHc%5zp zyZsjheSj4*&gSw<$}vPwEYJgIeU=hHM)8`e|IBRuH6rhr@QLh^R8(TZZ&X;37pdy^ zB-9m~?{9pyvhH7GQPQ65@0cxQB3roq{Do@A3OD@e%f z_*i62I#9%OX6D8B3)3rl12ZfvY-GxFN+w#sG20_M=Nh;lK&sX%j9!gFLr`zMHA5;) zH3*n+?{}WxX49qi^FtH!^)fsACc}1f9gVon;W%C-#Bp_~W4PWfuQMJTW@*+{V{YkP z+`cn={2fP^yztQX_H6(Q+tZ%Gdg83P2M~*e|KK2$r6DhGBx0>nQ^{3x9oa?A(d&!O z=m0=31`FAP08G?bGAXO-NpT4W_3X{IYHGWt=kG-Wumi{ihq@7}nwqN(KlE}=@7%tP zg)Ay^^C~u$CReoi4N^r#1>SWz7|o9`pl3nxNmyIx!pN(@4abQt%YnhcK_)Lg1+LzV zrUrG1+7`-_ez(9FPE8|9{tgNRF38am41Y$asJneSZn(bzI+N+0GFUJ)JcC`66=Yes zhlGTc5!t~Yh~_QT_tDXp&Vm3N4^2w7XTzbAJbM06HY zHc?pnd%)efhI^-=!O_u@qryFcIDY%|bH1y?rwXn_(T5{visgRe_2{{gEJqM810PV9 zkB|}GzuPxcUoqw6KQJ^XrK6MYzW7<8?TcRvE`5#u9PMF$B4sh84D59VwSyLTF?HyA zi3hs$$oBE?IqW{N6bEBXZP$$(YBy*FG&jtj@SYgz{XZt+O>u)9NfgPj%dDr>JEeU}(!@ zv74b2xo4bU>(;P;tG%ShFYrr%h{!>q(D|1SJoJuXcZEGCxmDZo;AhtAuNJYG>FF=R zR|dMA>y!M}Q_mI;UJ$I2#UuSJv80Ld&R@w96UEsX93CFO*CZg4bT-Av)o@UyC%a_&Gs$0B1D4phU@G#reAX!#;vqS!R_uOasX 
zZgwAq?U=n-zxs#n;PP@F(xsZ2)!~ljZ9CV)aMksPI9z6pxp{SR^6d8e%W*#B{%(Tq zvvZW;)W+oc*PK~s57L<^RyOBqYlTQ@eq3Lh@G4JFU?X%877cZH7Ca~0SPWoDSl4Vv z(;{0ha5m@SX#hG_bj7Qj3xBsR*18nA{pbk2zaCy)hA~5VzLVs>P@S`|K{>?=e~8?9 z>~-7#SeqeFI73*5PQQtKK};1%Wc^O@gy%Q`5V>R-vrp22YFMwX1^oCvc_;Y;o2f-d37ttmAh>B%*;_Y$o#rv zU;{fKqxd(GarWeRK+8b_EA-Kv#(}cY9N*B-@BbhU|A*C-z5W`6q^9-U1iZjQq|T5dVeqj)WI4tv1y~7bWWSoO~}u_2QX~hj_McSW>K@rl}+T43ly}1 z;2fEHvvYE$sCq0fo7N@hIxgJi+1!skrVM7&wT<=~F}7=OydhvA4SNoBN+2W;0osZS z9e#m{7%x8V2pP;7-Z7I%1ZWVX<(+yM1H6vMMJ)8%wa@)U9O^+5zW%IiBOo-yTK@=r z=Rr%#ITz@B%n<0x*74QrFn0Z0@kH)yPTirr@bcsFx#zHt0L7nb*D7~gy;XAeT|ak! zj}8GcH8Ae&JM*La(E4lPOP7-C5ro6 zQOigb!a=8Qwc&`;?(1-VBoMzF{m|gp)}>Er6&A5lgSLLitM~&cd2bdBBu9#Sav5{& zPfUO4O$L$+8p7*6%3Go;5`f^-ScY=C?4Hr_KAk*sWLG*-qD(Tn^5DQg<$b4|CK;Th z=PJ9}6U|_SCL!<(F6qQ28}s!U*RDa`4eHIlAT6pf(#=l|B4#=OVgK?6)>6YG!3>25 z2Cr}R&cKg6nOGUw#n!n5bL&4BfA3@&dT@AHwdnC&-)-$^@ovB6RFuUyf@gsL9_j4w z^xR*|iuwA9-gLgTxW!XgN6o~Iw%UUdqEV_QHu&*Jk={L^O7YOVA8Dc^0d{sRAs!0a z#1IThqBB>lN%nyNF}7l}K@!39Pq;0EqHoem?!=o`bjVs4HKu-j${p{t!T|AKLtO9g zU>@$wm{-a?40FgV!qpz)N6{_@Wp?)Fo++{SoV5oQwiu5%zuW26`s7x(cLFL+~|gU^f-sl z7kC}lF!O>oH!4@H__rmYaqe!r5V0CwsJo_))=@}UgnXg+`^ol7t8ovLU8qqB=382F zl(@)9>wR5baWU?Z{f#ll@+l+Ed9{9Rk!p#vb!c}HqIo%ZD)DTMh)0*`Ry60aKHzfBFHTQ#aI6w#80v$x61C9QyPM@3PKtopfZFy7R zZhqtCtk3pGrejt1k@4f3r;Bb!H5qyd2l|x3@Sv%&I(OW0j0hR@He# zfWpr1@GP;$I5H^v0i?T#ZX4}COL_l(aPdg0%}}nmSE9?d>1dUCWUcvLkFfbCtevi6 zY!0BuuM&^N2z@oxcL`zl`T$P*6_%=93?8+l59UIro%Tix6JDdqu?0YOzq3m9We@mh z+1N5z)_=KvcTccfHHnq$^9QGsb@+LqSUFJNXb%+Dw7V&vYY-lQ+v7O(zqkPUd8VRT zu~nd7aEmbUAoEs?>-EHkKqF+YM)Z|HexrJADK%eLyz||guIpvP3so@P!eM)$e!Xqb zXhU?kM4>-H`-DhhM#ZJ9UpOXbHBs=Bn*oy zSqN9vEooAjOpmF(pib%D%G~EP{qeZuB|_QhZ6SIh_cHs29?XQThc40c`wji|(t@vB zEo`L=gv&CHa=y2S7IBUvs;jHJu2118>Ag8HGDscw6CN8ASlfh-jiHxpDwNH`49BOu zvKEi)s?(=%u_y%7d+TYBVwQcVn!5Ww*g2X9i4mZri0Ng*0hUHDVVVx074}+@*BK&l z&pG_8-VP5my*CMe7zr!is0446Pi@C!FsLQKCC^*5?gG`sy$zyZiO56kF@)#!-7|-> zo&5v{!;#C_&>H4rgtJG;^6mh+{Pp#B8OUtwXc@?Sa126Fx%Ihcjh!{$_>J70>gw;g 
zHfkn!NKDI-n;Yk@fuL54A6I#hgR+z}b{LKpa`H>Q$~fMOt#U11 zv%)g;uF*q6kXO<`B1{w(_-3v;Sk}o&K5D~CE{66TPNA0tU4`>UNz~zqGc|qZq?UbXVkyWU+BRT zwjdH1DFau;cd#d0N5qN)Wy4KAUf1Gz;_T70L+7p-gI|6lz6RAA2uYmx_PK<^vrs(u z>C?TZ4hftDR|437pDDViro}Aiwei1&myGofpZt%p!B;_kgXA9`+WxN)#jk(9WdXn{ zMZ0b`K<@f6)oAYhOr|{`5d*lwM>+%hG*?n!fF>el0KQE9Ku!?z@iQtWCh-;0n9nX~ zTps}zcv0wwqXe3(S4bojYJk_yCN=sN$&N2lHg-2qG(S!sUbqADr;r?Dt z`T$9UPXu~5gFl6&lLMI1;Fy^EX>%XaveR{NpAS6Vk~SfM^sxko#+&{>zY7~6qiug} z`{Y^u^_bsI8l(x6#&z*JkfK}EYX9S(Lx6ft+*|+15C2_SEE>SshUmyz{Z+wKwrERO zQI!QO&c9ijQ!j9R8c|1Ag9w)<5C1K|^4>^4+kcfdUkBNmO$1(FapU;%MU9HUZ{WTN z*uMN9fA;MnUD5mr_zga{qRQugg0_%mq9mB^Y{U17-woNQfvA8@>Nis$9dNnB5F|+c zhLx1`^;RwgEc89@dll5AcUY38Ix77EC3c43o>R1g0mMj_ zh1*ke0RBMK24dBZC`d`^ppcas+BXWe@@`UiKy*1!;!r-pX~)ES?8m6Xacg zs-(0-K8^sABXkw(3|*HwC@OX#KxDt#&oTd6oR>05HT{owIyc4oV_SuB(RSDBaZaP@ zeMNeP$6F1ez&3bwK$sNo)&4|TO4-Y6h>TI3S z)b^D7-sR3int%uxS?;Zc-=|6+nTV=4Z+y7JvF94Xhuq$9f*(?`8i=u2Q|+^GQQ9dC zY1|LmuX2XEqIHmVK2&}4hlX+*Anacn)ce((48nK2R}aFgH@&A_56-WE?Oh8(Tf|VR zoP!)r3HXvz1Do!S(ljN`+GAN}km*78XFM|(4C4SQ=+Em>* zHwBwI)#vJBxRhK`Hejji_*{PWYXI08u2Lk=N5@tT?L&T)Sh0Usc!)1$w;{cApNsgZGRpaR3!Zfvx?hM3@Q z+UD+wt#x!kI5srAf*862GzG~}&g3bXajdaj)$)c{ z;F#otn@48e4FDN{-Fk0i<*`v2HASa7J;s{ILwzE_f0o-_Bvu zycGpPuLA=-(qX6R)s@-E*W;Dcf~nCC`KibG@_=?Y&(YqHHj{3+KC4qF zxm03Nw*VkyC>u7BpQsBONvuX{ezH`%OpBzMnY0U22GC1^xKva^B4Z7tXbAP^AC2}E zwq{4;R>VKBfmOM~?I)cNs~vkLhZaV!`PZX%*tZ-DF18l}T&_)6o1P?bglWIkhu$Vi zn=hNR6cAcfg^=_g7gVwbP3zXyduus=!8AeA`J;UyC?p5e2Sk})F7sHJ{=k8@p;y8{ zdC1!Pa`6P)**b-|!H^XX5_P+G|8qT^6d)_!*auZC_x}h@Dk?Dw8H4)DFNxDbMbkoR zsu^6o_J1d+mpTrpDxem{Yh0@AXZ)Y0k@`Nc`;VhcX-H6j8%<=qp!1Uy)3HCo@%Lw5 zKJ~uW_!FBtLttWR8m{SOj(dIygJGG?&@jOh(Jj zHcKn6=5as{{9~OipKN>!V9Q;aGfkIlP$>?eBCQ<-wX{I`KeB9fNJgrSxC(HGw@VVw zgDgfWp9u&G0wwZt`89it(L9dQiRp}tj0;2K8^L4M0&N`~;XPVA4Cbh@C!UCL=q`i!QxjzJ z?ivr6&Zt+CQu+D_^)AlG^3A6AW(fC!u5qtIMgw@~we+}z0z)QQxafZ`IRSBiL|r6O zzv8=`A9t4-vk4#^4tJg;as^>q1~mdugxCbHEZWRSX1aKn+NBA5fI6xSpfo7A2(PYo zQ$PB_ak%Gf9TKrJrq&PLd{uv2LEYP$; 
z*{--GwQo&zcwj#(wLD*pge1lynoPO8TgckNY(qKl#vdblX~o_KAc=cZ&q?R$-;tD- zF6K5eFgP%`GB-!SSG#>)1%1j$bd?9NiIYrTC0IyiKkj|aPtZYg;V^*|y?SrasG!iB z1kmxn31DK_jHcWQ*EQ{AO+Mu zWO*z})wOdnUIz|p*t><$>IaAtPF<_*2jWKe4w;N_#Ul6C$F0Hm)i4VTy5Q*O4YtfW ztKuC?_WxrK0su*u_#Ul-t1L=%*gIhH242n8g1V=Y ztM!1SGnQSywiX~MbE4nO%7`<7T^q0?HMpQ@eu?YbNE6BwD4F}%QG71gyjz*Si=P&7?2E$ghSo@SrF|x9frFr z+}rPhyav$GD1i?2B}lE;fC}U(>o?gHB-H{O6`ySK<`)kZPjj;K2|Wged8Mr6of3~b zyShTs)9++u+M{g7oOz~UZA-VLv=KY#;T|tIJkdNM-u1ib8HINp?zVv_B-H>)7BJ<5c34H5 zG;DSa9FwT;hI;4r;^_Tq`Va5M$5Iz!y$PobyJLL2K03MT27>PYC<93HbwKN6zWiTM zdqDC6fsRw(`#yY2`(xuS)zyWfV}B0Z1jKKr2>o0A{rr;c#mzcUhne*sowYBQ6L>LT zEVGFhF0V3|=j`VYftvt|x9!eL+bql*s#GA*3&1OX0~P?TIikd9J9U|Gsej5ZyAptj zkdTgX0t}0pASCWx_;q*#Cg{f?SiDP)~5n#N@;Ia%-;@95|xOA#`u`wasD+_ ziq8iEy<8}cIC21Tob~_7(ZL1|a_LuZ(wLYO_Xk`-jZ3%b$yGZyp?$~O_OL5!^cd(3 zr#G+!P}zJU>UC{--;a1&udneR^8_#hv19!F-anS%_jW;A0iKr&1@P~a@)PO=P$;2z zKTFBb|BuSLc>F#aunXJYOD|DTSH=c71p~nTKK+>R=6`QOEufTJN&Bx-asPeX6Ox*m znsj{D$qoldXgKKy|LGL|{vy5%uraTe2dDo_9{~*RX_|M1s$L~BCeja*V63_$UTp0Do73W%!pMZ2O`}-ZoDa)j`eF&_gQ-T`WV`1uMZmv zKc|V6_>qivM|-j4%^CN@HdK^JiH|hLOf)%f}kOoT^|H1kuxDzFPw&$2>d6!mbAhcP|Ln z-Noz)aW=($ZdZgm|DL&XPcWLoMzXfE6_k4ZirfZg0&x+SDWRHz#J+21OB=hJ5&Mh& z_K8S(eB4>sKerx2k5!3>Q|)-{#<1b4r&IVUKR}RfQ)ObS(Op%w(0%*L_7KaVO!ahH zK`rZWo36N$25LQkRwMz_yX5187CFi~Y)B&7o(840Jn!C_%|uTS6?Ym2k>yG@bIjl3pFseVJneMH9gOyU_pu~ zcpm4-!|l&(y-@QERTzrbweSyT@irH1YCk0fpbM?+d2W@Xx;E+T%swKddS+9Oii9T- zWPkH5A>@6wMq5W$$VbIO$fQHUVUr({WS1Q1W>f;f$2LFDoqsCj$ z3ug1TD|90r{((AUuVK<0WPy4s4oQ#Zc@`mrn6NiNVuA2`^T-QZe#`)Q$jOAoXkCGw z!<3M-hZ@S)(`mjDM6FmuQ$h;wJP2NB6&!l0Eg*aZ#7hXJ%(*G|Q?dn*jY&M-Cte+g zel;vB;z+hiPP}1MbrGCGaz7C=KcxM)m>GSWj=VcK_Doh~ZVr6>gl}1cu9F zg4vuc$|sEBDw5;6Pi@YuwoLYUrwbyH?;hS79KP0tWNly}SE%UduI zosF)D`%$+{$X*~T)cMV6szC3mK<`##gbUzV|5{_3;KpRUmypDkT4xiHSB_3HZW`|o z0|s+aE7Y3zv3{1fetA#`u%Whfc81Lb=@RENW?h7xB#9vbJI@76Ir;h3cV^CFmi8Q1 zL&k?WHj-N=_yJK0w3>9C5&{CfjyRH>E zh5a$r=yz-qyEtU=70*Ril?o}mnzpqLzmD#mSWnxS&1j+CXD&4E(WyFjK4;p+!SS_{ 
zf^x--jgMn^;G&6RbMcf(YLZ4I`|(|bDVhVl(KmOl8TlWYmz?I5kopqL6HIQ&E35R} zJ0L=R_d95WFFMVRI$_Lt`YMN(r~q@K0)u+TkHY(=Puke#^$7%2Bs4#t)pcp6q5b>E z*woL(O669Qw6DJ3>hSWML(j_252^8V3A!ksTW-3)y(h>7fbV6U)+Y?zI2~H&+d}8l zNgFKLR)A13b5FzOXRI4etuG|>Qu>cckAHeMnBU#JD1aUAI7w4t*^&voVxeFbW?eq)GV8#b6JwqdQ zU}&ISHNW9I`uPRrT8>KICskc-RvBG4b*l!;cUrcGM1~9PFSfsYkdfHYnJp>;pdFU* zhOuh&(K2uY7Z+DsxArl3vK_cSThybgI7hvDG3Zzf_=SiO<9+QJfPQSWrr=Sz74%id z;4p8sxW!LZ@`YY6V^fgpOY^bnVk7O5;2pJyD|e``gn$_McBCpODg*AYY!tl?fl zM+$;8E|+QTkL7FtbcwjWf26YXi;vbg6Afqo4iYmfyZu9>k%VvoW;JDH`wxH$8*@Kx z8q{~wHY;T3rPKWJLn$r2Tqj0T!*UcL`~6|$^BRcegha&L$6zwI*c_sm|H%g~I)XNV zAw7u>Hu24u9U;wlbb0oXAi^jcC6VKM4ET^6Z;&LA!WpUQg6E^dw7}OqR|P+;7f!$T zy=}L_Z;WB7=IcjNI96kvI50FcrvGJF>vSQ>u%I-sW?ktJ~r0=OJ|eWQb>Znr23Tej^= ze0k+r|9yAIx}PN0peXJ|?fL<5b5dCy{k0oAU(Oelv2QN@H z^ksW_dHMME7`39W56MY?Y60HQ^aIriN_tOX-g7S^^kZ!M%#%%BtSiKZE@&tsu{b*u z;0>ESEF@fskM>Wss9J737%Vm4w^DEL^ldl|@;nfCqF;GjGA*HpT9=(Y76Ar;3hR5X zC{GLHTuy8O252_ksU47do!iHgmHK1D<2~}TqmgCZ#*_2D#L||8Gw*Gjne~W93irH( z+rEw>AnL9geS3}qtap{^`!gcOTS^%WIm%O8b=d&)2XHuNZf|-<4S2x6md&%wZC~c? z0DbdVM=w>_{~;>hcEJOd*J1$W5H$bbxPUGpL_56#nyW4`qM-m3(-Afwe~jCQ?C+Zz zj&>BZRy(dPG&cEef5OwH0*J{0l$p@+3HIj?J`=ksV1u#JtnIGz1C2!cwk4+Emnxy9 zpwqEpIV!d;bS+280#?k=n%aG>u|S0B3DJp(HM|sYZE?|H)V`EAX%A`ONTBNxYk2yE z8XlpWW z`WOX2H1|7G%Kt^pBN|f0h{cL|+m1>

mxgA4TqrMcdiR|98JE<% z+4`vIdI;4!a;l=;eNeAQwYv*ak+4v3V&dY=l=BAAe)70#Uo1%XdNW-Rx0l!7e0D11EuR@Cc_osvJqAGdllIDfq zLkhej^<7F3Vz9-gA!_^VS!svU4XpXaz4O&;Th=$4IJy2iq_?P;$Q1Y4tHm$J33&%3 zDmxV5%4Kq?<}dU94*oOYTQABF@Ss6Q;61n1zx#=z-)!CPUD~kvQp>RvQ5Yr|(_;t;V84N{{73TnNRbfL-}W^$`^xsUI^o>)%57`#Zr_D45>MwB7Fi z>tWzKlGKnmuI_Ko|Mh1pTATHl(L;n03yYEZMq=;eiD3;`Z0J_` zA5_%TMqqq6DWanHj zfTimS!*Hch>e|t;*J%kAkJZ$PN&8%dc1m*tDX-g;N>_xE|C}`DfJ|~V5o=VuFzASQ z{-(=X)M)k#BZ7PWrbKKyrL(iMul1O>1V_=`0zcPlvq}#Q4QV`i;s-STecEO5d-~MC zapZgX`o^Vn0J7do2?010Z6tkKdG=Q{E1asHSf0jn8n)l+U~8?2TO%XtWMtu`<9*9y z+>?MaE4dJGx7;2kFX*x2K)ed@B9{UnaCLckxT>b>IzS!Cd!xZ}9IT?EW0bQ|$6E_6 zGp}&mcfd$aPa6bvDyeyT)`RK{Kb#IK=oH1o5SE+teYsWV7F(??YG!R-atw#+g`UK!EBzkZ`$u1325Lo){^3h z`?Y@0G7q?WUa2W6>bW`5pq5wee{P5TIv7T zJYb6eX*bU7lvgW>g^|%t+u`7g$r{0^--QBz*j}tuH?Q~dm6IeYit_Gt@v99>$0J!? zg?zanp^(jl_bz1ocFj8>EIPF#Pu{82*zIN$*|LvUoO{dJvt@PXclX}euQWrrdTu0t z!Lyn$fw9F^ykEWzU|{cQR@wPUJ&xmrg1W8r2|(48q%t}mu!&fSd$AS80diCNw>(*I zEX~ZWqv&P7ayE#C`cffPXTXx08!$s&KZ*~fNqFKfQTl?u7(5mIp~IK^oyVt4rhDuJ z=QOC&qD(9-I4ETa{Gd>Razk=*^7NjsT6kiS01DpkY^IC;%*1&{ed_h6uF#AHr1Xgx z0B$B$8Q_($qaK{GUTWHp&KE2G^N0j51B#9F6t_tDk8QOf#pm-nd$buGDxo_;6GrCT zcP~7$?_}k$+^I_g47B?C$^bCcRxCeIwrV=&%~g0ypS;yish%LCI0Yf#A|WNo8>x$$ z@;r{m-_~?qcyDQAU6=kn{eZz^56{Jl4@*EU!FMBa<5O8PTB}2}P>1k|jlW=O-nPK) z8ecvdhb86YyJ45A{FOl!=U&p9fS=7OF@{q@tX1P?^(0H%s5;VuMCLIw7Q z?S2>Z;OR8r!ueB3t)k?D>jC1rr6vqs^d2d{1jhYjR4Ug5DQ4{wBe_ZgKNxp6fYyS)yCjDfwM2*_n{b+?s}X#M(FppKVu6sIu*bCcAZF! 
z7uCAh89GVwI_9;6#w*`=KGz>lVj0H^Jw5aeVqjchCc7sHUCi4NFH8)_!SGQSg_jVf z5J5bT^_0c>x}_M`4U}wbC3wTR7^W>N3rh*LL=dWVxjwcxLFFwwL9#8j&$;#zMyU+>fgs9Pd|G__Z00@?XD9Tr~eWWm$cCmJiignt9w6?C9(=A;J-n#o>L{|lY zPvRI5K)FL+%%Yhf?V^+Q?8&X?Hy+PKUT@N_b$NzKr?QkL6pLP*lK9@2NelH;t4r%w z{|A`ao04Ol(V(NHbgD|p#$5hquN)&+eUK`h;W}&~9OFEeZZymiD4&GNX$HRKeG%tL z^jM7UO}&4c0JmXlS62Zut(sEA@e^=VD2ko-w|@{56x`Zo4&sg;Gpu_#ETmbOGzR_H zNK;(Zxcq*76XR}M)oIttFvaV(v%n0K^VY9lsrBW0DigS0q^k%wEZq%7%G^|U4eNH8 z;b6sOgeA(}Pn2!BP0Ji4?7Avt@G;O2_u5IYab9y(YiYiR4vhqDGM|gbQ;g8^>x2>e zFAW&$Q+BiEdLYf;OvtzKpCAQD7F{S=_99FwB>CLqZ)SgW>}zV9-E7#oJzGZ19Jd(N zJ6+NBw6QS#+Le@Aw{34_Kdn)FiYZ3C3UPm2u*q6J)ng$SvJu}%;? z>mx7bDc0(oxwUXJb91s%Dpjg{)ZU0LhNiULd>f!-{qQ*UxE8H1r|)Yryn2@wii7EK4s=DAV4G%fzs-@ebr+5?Abf9?$pb&8* zeBWe1D1BV&nhOJC#tc7ROF*pM=>yFKaPX5meo74hWj*UtLy0bZriT(fb0s~(gkQi9 zG#FHqgnryAKLr{rjDN?Vz@)H(S4T0HXS)emkWP=i0WI>y(a*^0_q#n^Fr@2~_lZt; z@i1I9DM8g0Ra$ZgK~@0}?9yO*AKl1Ils&E{BDncrzKwj((D3RIaUwd3wGD6?Ru5+RoVsoQ#z;R*6a&X>v@r=YZH-~p^adhhQ z;Q+oLI>hHhXrHWo*J}i4ozgBw`kXjm+wEJ1iXb}Vov2>=2TZpIu?efx{y{r8k#47J z!YRyIC|HlaQl5_F*Qkb}hDn7MKce7xfpT^NOT@Gs7n#uS@tUcMZ4M_T=Up3UQ{EeS z6+78yA-zdce_HUZh;n(@_)5;-GOYj z-5b@4Q8Z>-vsG0T_1502!|sdF+N<^|rKypcsZokrRincmsaYjRDK%+liE#;4#2?qUaiuvv$-U|w2UuH%3KP5Su! 
zm68ad9+QkbTw6Lt&eQ+Y2<&uEo#&p-BgLTFJ_H6f#_VQF{}p@_D;NaCMBhryPL8%F zl>fE3D&jiFpeCJ0un-T4EhCVN+_<2P4esU zO=th~6D)6lxgAljXqSndXMJKq!oarAQgNe_Nn=VtTa`T6Tx^taN=CK|e%xeDCX1Gx z{;6Ju1U-&_vSDcY!DioE1V31w{jPY`f&v$tnUK(!P_0`IgUZ^&6e z`t!YT=`tH8W10#^gfo{-+!|By$KV%NH~ z?ZA@MbVGEQpIvpVX&`WIl4Dx(cD2w0tDas18q9}CI<4T2Ee3#nOzVDrXCoTfq%H7K0uOys0Yk&1fLKbXSztf-|;DA zaVR@Yxr^~Y2H{%k#CdApa?0py8b#4SHo4FfX#>U`YIB9#otxa9NmVSr5{fJXfIQdW zSjr+%#jLJwUhg^=AlcS36-J{2#rh}#z(MjsKqI}e=<%{|{uc7i>y$y$u5Z1Pt&=W^ z0nz7nvNBJAm{K0yi`{+Epb)6$7-ZcVo@o7N)(l>qm1H{<{TuTs%}<>nohX<2Xks_9xv zJ9;W!4d_(qSF_NwzAi@nb8<))I#IwHM)${)OcDNkeZExD{3>@$X_R{T;6{T^TdwBl zHqTOli-}Dp19f^)fjD?({)t?A;l9w$68T!8i;jJ}XaHDlo7Y1_T9u#pD@IE_1hVSu zNf*v*2sqNCh1B(*j(g>no8I5>vA@0cIFx-c)2cL%!f z5@CO^XS_QQOm02H6(7J0unH;N;#0UqMY=O4f_)|WtuAr#@qhB_g5oc+FxL&;rlt0k zKbPOX@ssy{@8;rTqcVKr$S8Pcp1zpKkENs*+0GkW3b&fhE?q2NUrA~nOrZUG!wIur zy*L>@Qm~AST*`1~>bqPeDQfjf^^PTb3r`N4+1149n%{gZRwp0#?saTk7=)1;#1x_4 z^y5J6g@PBW$`TDVC_#pr9>(Q?I0-$2#eQLoMCII2#{|(;-#9SIJI+{2a-kH4xG?w_ z)PHyk8&UwaarX@3OEZ{Gnm+yA@*jiy-JhNfm`^(Z6LJ{#=k6$b1~i&ehaDutQ=9HC z1ha&0zkx2$^Y(Fk`T(a9+s%VdB$jq>4n!Lz4e^e=#cMuMCZx~})(CDG%{`A&%_8Ux zLULOh?24ouvf?I0<_SO=sxfMo>5H^oe72=^{Dx`B8#O&MLB;n7?HgIjPFVV4kCeAO zStDZKh!Brh!qEeNJ{04iyHOl}C!2t$=G)R>Fq>Los?id9d$+>bq33!cecCePA(eK| zc~w2vXo7zF+Cj-r>h~^MI6$mb9-NY<2QI_7$F_rq10>lKD<)yxoGiRaiQQVJyT(6m zI1S5>Cuugm4lAk0GbG_p6e_A_%2vqTiDY;#!u1kQrMox0dEu0wriyLkdso7t+|vLI z1f!a^mwVCs>s)@*k<2|>A@Ir08Zk!%`YX=6@9w9>tfr={rsnOK*-jN2ET%Am-|^Ir z*nnEahvspsZ)arm8H%iDIUd2?@nEw`-7ICg3nvocZln#X=ijSNEJXbxJyn7L1(&rt z&G9e6jr;K_#btWrAucck$?`=p>q23MuB;Xs&3cU8uy%k;Dm?b{WOwd-;1lIa* zy)c~q8WjtQKCpcajU|)$4_@Z1PfEdX9X=12)5VD&SYV#kIXOE;lzp{_ahZHX^VVIu zmvIyOn_Md|>Ey=cTF4#{^Pr9v3Y^k^Mj4?G^nW9bBgkHswXQEo>(^oShrKON{`@+& z!x97}7;<9>%2ca=(JO4@---6&2LC?0hCcdP>Ic~~vlCdn(BjR-rXjy}Sx*a>pqaWa zifIDlt2sgMZm(h$iOsNm$rb*Vt=(pe7v}N)L=rA^h7T4}L+a+I1aqCNvA%k6tGIMz zsm(qkFL=7Fui|!S-ev1*?Wrni5P+-pMFTeaTZ7H=p*tz}19zq)I}16L{MS-)6#YNo zIxyO5el5OL{e~|T`3Z8+)-E)qt)S7jzhG2h$glqYZ6M(C%+$(M*Wu@1CtL|X2pOPb 
zt3e_sKQ@(Mokympy=RDWl#wtZf3s78a{(|?wvDkzW^Cr*fV6(7GX)xnPmPa*l_@*? z@~$(4Cy0s3_x|ATZ->>wC0Mf3M=yT!NiiQBhG>>*7Kb|CH(#!J(=a%^GapUz*uK-G zCPqcYxOY=q!}JNn2I7$MbJ@Cfwf0Mj=D^P>`;2B=dwY%bxs`QbN~~^Nd4sDiCDoty zf0)22peD?7O4YERmZoef9#@$rwu1VgwUdJ*SCUd;2fRw53!WC^yREy3NIMSOA61T@ z+9wVo4j%kLY!?#nGfq#F>1HUJx4dO<76G*+-shskwUw1M_4enM)uoT@M9rGdwb^x` zzu5PGcKaXO2h?N*QIRjT^AZFF25Ov?0`?x0MtqtVp$B0y4+=?RFp>rS8sE10WcWo<0@cz4qkxJYUH6$-Y4R)^V1f&0uBX{6-PcY-W(XE#v~Zd)%5mL3~E# z#1)Xb-2tfUHCN<+Yz^=OZx|p^Pm_1|>KoeT=2CotJJ4(OnB9u%NH{Z{UrC=9pruam z+en72iV3dlQpl}&W97Ha_!1Sz$P;;#E(x1PC;z(x^{pZMun9GaOY2#J`&&TioQN<` zlsK0H0`56pzIah7YP0i4&aGSC!$oNd!#k`C!C3c5v;NF8jiwKp+9I8Af&3n{v;3`R z{YMS`q6zqAt=-*}WUw(a3fr3zEj5E9_p8<6@%MWB`|BxWHL^4liE!3ujGwfT7ggE< z(4_!Z;<$M$Ph98?R#VLEkK8GTK7+m;bG3apc``qFQ7xHD#Zsm9swgS-3US6%1aktFC%#9Dg_?qRR?i*sf7MxjIqTASscw~fgig~! zpRl_TsHY&SCJ1iMHmiFRk)JQ{qRfFEe2imG$^WkNIm!#>Ws7-g`8ToNHT|EAY~Jc% z%+5E8(nA?GF$gC5;2xY@P+);Mq`xY@&io+Pisci7Re8>pX7hZrZ985Q>SUnP=>Us` z9Uk=SZ! z_4*Ijvp@r79byUL`lr!E{_ynrv+1cAOO#u_*d55p|NnKgw!S0l*Yf z-t<(`SkND#@Whtu7ky+NqGh+T2)P;{Ut8f?Cn@S!7=Y=+VSwK3Xk{j2;^QODYqBRP zdymGsprg=SG+V*(PU&5fx&^5J-9jdkwG<4} zA}C~m`Dx-<<}m==&eIEsPbR<1iI4f0(E_A|2>_!^LAeO$BN(`rO*Kb!Wph^krxoez zAM%>bmMWmycKGAK3Dv%Px4Q%*5$-Dmu4If14GsOUKo5TT;&9RMMZz?*doXfAyQ^2R zxIf_Eb*Ii3R0>p|c&@M=E!UZ$?zQSX(d5%wal5$(xCQ}^zmY;of$q;Ue?VNrf7(uWLzOb@7knDrerV zt*sfGl@}Ke8aBdh*NTp(vCEck78+!`gDF6NhKh&e0|5aDq<`H(y&yd=4>qg=bYZ!z zrRDg_z@Jw&%nkY*g~{r7Ku&v>r+7pT>0o5rL&LU-^DB3uMgCZg4bGu z*fi`S*jzom>j24O*hShJ0*nTPC-H172}8-PZuR!0#*gT!wd0vNInLHCPqfv%E}Rpd z_z(%N*ui77p9966v@T-MFg48N&o5$3va+&J33XbOlPdC;0R1~v0G#Ep2%0MEuVKeS z|G8L%(H_-T;q|?Np)dxOW03FOiN3h#Ms1pGlFbhBtA`rE^-8eIrL1eoBc*wiBN0WGgG>-Do;=Zw_0 z-MrI-rUNV+wWAe<-xtjeX$vNsI_l$9dvIKyf0puvPRwm?tLQTRYl)}8Z0tu%`JZ`y zBWL&(;kOTlXp|mqWg7JN@}l)sR8&ULlMX?_(Y73n$;KJk*^Xn$D7oTW1RNTT_I&<& zZ`gR29DMKJxXb*TTBX@t;kQ7*$mzILqq1@=tIs5p*Z zE$SpA)v*lx=aCTzu|qNt`YjO?h+K%ed5|sbtow@UhPg`-cIP~mgmvS`1@jpm8!Kbu zr}y||Mw(blzNc>D39Ic#XMg0O0xE}f?)I$PN5R8UH@~S#2?QMnx_nyN-|{(?C_-oZ 
z8a`iNR~OvU+A%VxIa}wkUGFyB9xJo-B7KB2J4a1vh;t@Ou})53e!4I;dSCYH)jR2M z*6YGJ6fnAdT$<}7kURV%YqmQ8tS*tFVt4%LI8L#-?u3Lj1+K1bFZf^ao<_cxdvg0v zE2sEo-M2{cG&Cq1kkQZ#Q$!pdt9TeQ?>Fw|2_a8w6^}N-DAY#4i8rgi4TAw4LKo}OO&6)2O<`+FGY zXMAFkVl~}1H{}(7JY$6FL`Q2}P3V7uuz`}bJJVzXhV5dmiwzO9gh?{H#{TnI3uxvu&yj}RO9&LuWgg^11&ar8@3>J zYl@%gTZMR7!m&=UohflLuO+eCH5Z9OO@wO>5Y(t(oyq0xwO}F=|KH#~( z@sd^uwHrn4bB1R2(F1wV?{72ZX;XiJ5IK6W5KtQh6%IUYUVUn_t>PmlT1uFD^h%BMGJO}hlaz)bfIjBQh; w)(_?Y<KJNQYT8BoAMk*PzW@LL literal 0 HcmV?d00001 diff --git a/learning/k8s-intermediate/config/sec-ctx/con-kuboard.md b/learning/k8s-intermediate/config/sec-ctx/con-kuboard.md new file mode 100644 index 0000000..4b8d050 --- /dev/null +++ b/learning/k8s-intermediate/config/sec-ctx/con-kuboard.md @@ -0,0 +1,31 @@ +--- +vssueId: 118 +layout: LearningLayout +description: Kubernetes教程_在Kuboard中为Container容器配置SecurityContext安全上下文。通过 Kuboard,可以直接设定 Deployment、StatefulSet、DaemonSet 等中容器的 securityContext 的内容。在 Kuboard 工作负载编辑器界面中点击 容器组的更多设定 按钮,可查看到容器的 Security Context 设置界面。 +meta: + - name: keywords + content: Kubernetes教程,K8S教程,Security Context,SecurityContext +--- + +# Kuboard中容器的Security Context + +通过 Kuboard,可以直接设定 Deployment、StatefulSet、DaemonSet 等中容器的 securityContext 的内容。在 Kuboard 工作负载编辑器界面中点击 **容器组的更多设定** 按钮,可查看到容器的 Security Context 设置界面,如下图所示: + +![Kubernetes教程_Kuboard中设置容器的SecurityContext](./con-kuboard.assets/image-20191005230605496.png) + + + +上图界面中,各个字段的含义逐个解释如下: + +| 字段名 | 字段类型 | 字段说明 | +| -------------------------------------------- | ----------------------------------------------------------- | ------------------------------------------------------------ | +| privileged | boolean | 以 privileged 模式运行容器。此时容器中的进程本质上等价于宿主节点上的 root 用户。默认值为 `false` | +| 允许扩大特权
allowPrivilegeEscalation | boolean | 该字段控制了进程是否可以获取比父进程更多的特权。直接作用是为容器进程设置 `no_new_privs`标记。当如下情况发生时,该字段始终为 `true`:
1. 以 privileged 模式运行
2. 进程拥有 CAP_SYS_ADMIN 的 Linux capability | +| 文件系统root只读
readOnlyRootFilesystem | boolean | 该容器的文件系统根路径是否为只读。默认为 `false` | +| 非Root
runAsNonRoot | boolean | 如果为 true,则 kubernetes 在运行容器之前将执行检查,以确保容器进程不是以 root 用户(UID为0)运行,否则将不能启动容器;如果此字段不设置或者为 false,则不执行此检查。也可以在Pod的SecurityContext中设定,如果 Pod 和容器的 securityContext 中都设定了这个字段,则对该容器来说以容器中的设置为准。 | +| 用户
runAsUser | integer | 执行容器 entrypoint 进程的 UID。默认为 docker 引擎的 GID。也可以在Pod的SecurityContext中设定,如果 Pod 和容器的 securityContext 中都设定了这个字段,则对该容器来说以容器中的设置为准。 | +| 用户组
runAsGroup | integer | 执行容器 entrypoint 进程的 GID。默认为 docker 引擎的 GID。也可以在Pod的SecurityContext中设定,如果 Pod 和容器的 securityContext 中都设定了这个字段,则对该容器来说以容器中的设置为准。 | +| procMount | string | procMount 代表了容器的 proc mount 的类型。默认值是 `DefaultProcMount`(使用容器引擎的默认值)。该字段需要激活 Kubernetes 的ProcMountType 特性 | +| capabilities |

add: array
drop: array
| 为容器进程 add/drop Linux capabilities。默认使用容器引擎的设定。更多内容请参考 [为容器设置Linux Capabilities](./con-cap.html) | +| seLinuxOptions | | 此字段设定的 SELinux 上下文将被应用到 Pod 中所有容器。如果不指定,容器引擎将为每个容器分配一个随机的 SELinux 上下文。也可以在Pod的SecurityContext中设定,如果 Pod 和容器的 securityContext 中都设定了这个字段,则对该容器来说以容器中的设置为准。 | + diff --git a/learning/k8s-intermediate/config/sec-ctx/pod-kuboard.md b/learning/k8s-intermediate/config/sec-ctx/pod-kuboard.md index eda22a6..d4f1fc2 100644 --- a/learning/k8s-intermediate/config/sec-ctx/pod-kuboard.md +++ b/learning/k8s-intermediate/config/sec-ctx/pod-kuboard.md @@ -17,15 +17,15 @@ meta: 上图界面中,各个字段的含义逐个解释如下: -| 字段名 | 字段类型 | 字段说明 | -| -------------- | -------- | ------------------------------------------------------------ | -| 非Root | boolean | 如果为 true,则 kubernetes 在运行容器之前将执行检查,以确保容器进程不是以 root 用户(UID为0)运行,否则将不能启动容器;如果此字段不设置或者为 false,则不执行此检查。该字段也可以在容器的 securityContext 中设定,如果 Pod 和容器的 securityContext 中都设定了这个字段,则对该容器来说以容器中的设置为准。 | -| 用户 | integer | 执行容器 entrypoint 进程的 UID。默认为镜像元数据中定义的用户(dockerfile 中通过 USER 指令指定)。该字段也可以在容器的 securityContext 中设定,如果 Pod 和容器的 securityContext 中都设定了这个字段,则对该容器来说以容器中的设置为准。 | -| 用户组 | integer | 执行容器 entrypoint 进程的 GID。默认为 docker 引擎的 GID。该字段也可以在容器的 securityContext 中设定,如果 Pod 和容器的 securityContext 中都设定了这个字段,则对该容器来说以容器中的设置为准。 | -| fsGroup | integer | 一个特殊的补充用户组,将被应用到 Pod 中所有容器。某些类型的数据卷允许 Kubelete 修改数据卷的 ownership:
1. 修改后的 GID 取值来自于 fsGroup
2. setgid 标记位被设为 1(此时,数据卷中新创建的文件 owner 为 fsGroup)
3. permission 标记将与 `rw-rw----` 执行或运算
如果该字段不设置,kubelete 将不会修改数据卷的 ownership 和 permission | -| 补充用户组 | integer | 该列表中的用户组将被作为容器的主 GID 的补充,添加到 Pod 中容器的 enrtypoint 进程。可以不设置。 | -| seLinuxOptions | Object | 此字段设定的 SELinux 上下文将被应用到 Pod 中所有容器。如果不指定,容器引擎将为每个容器分配一个随机的 SELinux 上下文。该字段也可以在容器的 securityContext 中设定,如果 Pod 和容器的 securityContext 中都设定了这个字段,则对该容器来说以容器中的设置为准。 | -| sysctls | Array | 该列表中的所有 sysctl 将被应用到 Pod 中的容器。如果定义了容器引擎不支持的 sysctl,Pod 启动将会失败 | +| 字段名 |
字段类型
| 字段说明 | +| ---------------------------------- | ---------------------------------------- | ------------------------------------------------------------ | +| 非Root
runAsNonRoot | boolean | 如果为 true,则 kubernetes 在运行容器之前将执行检查,以确保容器进程不是以 root 用户(UID为0)运行,否则将不能启动容器;如果此字段不设置或者为 false,则不执行此检查。该字段也可以在容器的 securityContext 中设定,如果 Pod 和容器的 securityContext 中都设定了这个字段,则对该容器来说以容器中的设置为准。 | +| 用户
runAsUser | integer | 执行容器 entrypoint 进程的 UID。默认为镜像元数据中定义的用户(dockerfile 中通过 USER 指令指定)。该字段也可以在容器的 securityContext 中设定,如果 Pod 和容器的 securityContext 中都设定了这个字段,则对该容器来说以容器中的设置为准。 | +| 用户组
runAsGroup | integer | 执行容器 entrypoint 进程的 GID。默认为 docker 引擎的 GID。该字段也可以在容器的 securityContext 中设定,如果 Pod 和容器的 securityContext 中都设定了这个字段,则对该容器来说以容器中的设置为准。 | +| fsGroup | integer | 一个特殊的补充用户组,将被应用到 Pod 中所有容器。某些类型的数据卷允许 Kubelete 修改数据卷的 ownership:
1. 修改后的 GID 取值来自于 fsGroup
2. setgid 标记位被设为 1(此时,数据卷中新创建的文件 owner 为 fsGroup)
3. permission 标记将与 `rw-rw----` 执行或运算
如果该字段不设置,kubelete 将不会修改数据卷的 ownership 和 permission | +| 补充用户组
supplementalGroups | integer | 该列表中的用户组将被作为容器的主 GID 的补充,添加到 Pod 中容器的 enrtypoint 进程。可以不设置。 | +| seLinuxOptions | Object | 此字段设定的 SELinux 上下文将被应用到 Pod 中所有容器。如果不指定,容器引擎将为每个容器分配一个随机的 SELinux 上下文。该字段也可以在容器的 securityContext 中设定,如果 Pod 和容器的 securityContext 中都设定了这个字段,则对该容器来说以容器中的设置为准。 | +| sysctls | Array | 该列表中的所有 sysctl 将被应用到 Pod 中的容器。如果定义了容器引擎不支持的 sysctl,Pod 启动将会失败 | 关于 SecurityContex 在运行时怎么工作,请参考: * [为Pod设置Security Context](./pod.html) diff --git a/learning/k8s-intermediate/config/taints-toleration/taint-based-evictions.md b/learning/k8s-intermediate/config/taints-toleration/taint-based-evictions.md index 56640a7..fffb6e4 100644 --- a/learning/k8s-intermediate/config/taints-toleration/taint-based-evictions.md +++ b/learning/k8s-intermediate/config/taints-toleration/taint-based-evictions.md @@ -10,7 +10,7 @@ meta: # 基于污点的驱逐(TaintBasedEviction) -在前面的章节中,我们描述了 [NoExecute](http://localhost:8080/learning/k8s-intermediate/config/taints-toleration/#%E6%B1%A1%E7%82%B9%E4%B8%8E%E5%AE%B9%E5%BF%8D%E7%9A%84%E5%8C%B9%E9%85%8D) 的污点效果,该效果将对已经运行在节点上的 Pod 施加如下影响: +在前面的章节中,我们描述了 [NoExecute](/learning/k8s-intermediate/config/taints-toleration/#污点与容忍的匹配) 的污点效果,该效果将对已经运行在节点上的 Pod 施加如下影响: * 不容忍该污点的 Pod 将立刻被驱逐 * 容忍该污点的 Pod 在未指定 `tolerationSeconds` 的情况下,将继续在该节点上运行 * 容忍该污点的 Pod 在指定了 `tolerationSeconds` 的情况下,将在指定时间超过时从节点上驱逐 diff --git a/package-lock.json b/package-lock.json index 49b6dcf..39503a6 100644 --- a/package-lock.json +++ b/package-lock.json @@ -11505,6 +11505,11 @@ "resolved": "https://registry.npm.taobao.org/slash/download/slash-2.0.0.tgz", "integrity": "sha1-3lUoUaF1nfOo8gZTVEL17E3eq0Q=" }, + "smoothscroll-polyfill": { + "version": "0.4.4", + "resolved": "https://registry.npm.taobao.org/smoothscroll-polyfill/download/smoothscroll-polyfill-0.4.4.tgz", + "integrity": "sha1-OiWRMdxpMObKgAA+HLA7YDtpq/g=" + }, "snapdragon": { "version": "0.8.2", "resolved": "https://registry.npm.taobao.org/snapdragon/download/snapdragon-0.8.2.tgz", 
@@ -12884,6 +12889,14 @@ "sitemap": "^2.0.1" } }, + "vuepress-plugin-smooth-scroll": { + "version": "0.0.4", + "resolved": "https://registry.npm.taobao.org/vuepress-plugin-smooth-scroll/download/vuepress-plugin-smooth-scroll-0.0.4.tgz", + "integrity": "sha1-ZEcilHbmBO+L1usqVtN3xpdKPY4=", + "requires": { + "smoothscroll-polyfill": "^0.4.4" + } + }, "watchpack": { "version": "1.6.0", "resolved": "https://registry.npm.taobao.org/watchpack/download/watchpack-1.6.0.tgz?cache=0&sync_timestamp=1562782917067&other_urls=https%3A%2F%2Fregistry.npm.taobao.org%2Fwatchpack%2Fdownload%2Fwatchpack-1.6.0.tgz",
diff --git a/package.json b/package.json
index 1e5172b..9787e28 100644
--- a/package.json
+++ b/package.json
@@ -25,6 +25,7 @@
 "esm": "^3.2.25",
 "npm": "^6.11.3",
 "reduce-css-calc": "^2.1.6",
- "vuepress": "^1.1.0"
+ "vuepress": "^1.1.0",
+ "vuepress-plugin-smooth-scroll": "0.0.4"
 }
 }
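Review bot: The dependency added at `"vuepress-plugin-smooth-scroll": "0.0.4"` is backed in package-lock.json only by `sha1-` integrity values resolved through `registry.npm.taobao.org`, both for the plugin and for its `smoothscroll-polyfill` requirement. The existing `slash` entry in the same lockfile uses the same scheme, so this follows the repository's current practice rather than introducing it, but SHA-1 is no longer considered collision-resistant and is a weak check on a tarball that arrives through a mirror. Regenerating the lock entries against a registry that publishes SHA-512 digests should record them as `"integrity": "sha512-<digest from registry>"` (placeholder value). The exact pin itself is fine: for a 0.0.x release, `^0.0.4` would resolve to the same single version.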